Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 2.6.32/, 3.0.7/
Date: Wed, 02 Nov 2011 08:55:25
Message-Id: 0b8ddeb011b214aea66f593c6ad5164134b1adc9.blueness@gentoo
1 commit: 0b8ddeb011b214aea66f593c6ad5164134b1adc9
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Wed Nov 2 08:53:32 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 2 08:53:32 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=0b8ddeb0
7
8 Remove everything but patch
9
10 ---
11 2.6.32/0000_README | 52 -
12 2.6.32/4420_Z_5_remove-legacy-pax-ei.patch | 213 -
13 ...0_grsecurity-2.2.2-2.6.32.46-201110200052.patch |82276 --------------------
14 2.6.32/4421_grsec-remove-localversion-grsec.patch | 9 -
15 2.6.32/4422_grsec-mute-warnings.patch | 42 -
16 2.6.32/4423_grsec-remove-protected-paths.patch | 19 -
17 2.6.32/4425_grsec-pax-without-grsec.patch | 88 -
18 2.6.32/4430_grsec-kconfig-default-gids.patch | 77 -
19 2.6.32/4435_grsec-kconfig-gentoo.patch | 314 -
20 2.6.32/4437-grsec-kconfig-proc-user.patch | 26 -
21 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 73 -
22 2.6.32/4445_disable-compat_vdso.patch | 47 -
23 2.6.32/4450_check_ssp_fix.patch | 17 -
24 ...i-pax.patch => 4420_remove-legacy-ei-pax.patch} | 0
25 3.0.7/4421_grsec-remove-localversion-grsec.patch | 9 -
26 3.0.7/4422_grsec-mute-warnings.patch | 42 -
27 3.0.7/4423_grsec-remove-protected-paths.patch | 19 -
28 3.0.7/4425_grsec-pax-without-grsec.patch | 88 -
29 3.0.7/4430_grsec-kconfig-default-gids.patch | 77 -
30 3.0.7/4435_grsec-kconfig-gentoo.patch | 315 -
31 3.0.7/4437-grsec-kconfig-proc-user.patch | 26 -
32 3.0.7/4440_selinux-avc_audit-log-curr_ip.patch | 73 -
33 3.0.7/4445_disable-compat_vdso.patch | 46 -
34 ..._Z_7_add-xt-pax.patch => 4450_add-xt-pax.patch} | 0
35 24 files changed, 0 insertions(+), 83948 deletions(-)
36
37 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
38 deleted file mode 100644
39 index 54860bc..0000000
40 --- a/2.6.32/0000_README
41 +++ /dev/null
42 @@ -1,52 +0,0 @@
43 -README
44 ------------------------------------------------------------------------------
45 -
46 -Individual Patch Descriptions:
47 ------------------------------------------------------------------------------
48 -Patch: 4420_grsecurity-2.2.2-2.6.32.46-201110200052.patch
49 -From: http://www.grsecurity.net
50 -Desc: hardened-sources base patch from upstream grsecurity
51 -
52 -Patch: 4421_grsec-remove-localversion-grsec.patch
53 -From: Kerin Millar <kerframil@×××××.com>
54 -Desc: Removes grsecurity's localversion-grsec file
55 -
56 -Patch: 4422_grsec-mute-warnings.patch
57 -From: Alexander Gabert <gaberta@××××××××.de>
58 - Gordon Malm <gengor@g.o>
59 -Desc: Removes verbose compile warning settings from grsecurity, restores
60 - mainline Linux kernel behavior
61 -
62 -Patch: 4423_grsec-remove-protected-paths.patch
63 -From: Anthony G. Basile <blueness@g.o>
64 -Desc: Removes chmod statements from grsecurity/Makefile
65 -
66 -Patch: 4425_grsec-pax-without-grsec.patch
67 -From: Gordon Malm <gengor@g.o>
68 -Desc: Allows PaX features to be selected without enabling GRKERNSEC
69 -
70 -Patch: 4430_grsec-kconfig-default-gids.patch
71 -From: Kerin Millar <kerframil@×××××.com>
72 -Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
73 - features
74 -
75 -Patch: 4435_grsec-kconfig-gentoo.patch
76 -From: Gordon Malm <gengor@g.o>
77 - Kerin Millar <kerframil@×××××.com>
78 - Anthony G. Basile <blueness@g.o>
79 -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
80 - sets Hardened Gentoo [workstation] as default
81 -
82 -Patch: 4440_selinux-avc_audit-log-curr_ip.patch
83 -From: Gordon Malm <gengor@g.o>
84 - Anthony G. Basile <blueness@g.o>
85 -Desc: Configurable option to add src IP address to SELinux log messages
86 -
87 -Patch: 4445_disable-compat_vdso.patch
88 -From: Gordon Malm <gengor@g.o>
89 - Kerin Millar <kerframil@×××××.com>
90 -Desc: Disables VDSO_COMPAT operation completely
91 -
92 -Patch: 4450_check_ssp_fix.patch
93 -From: Magnus Granberg <zorry@g.o>
94 -Desc: Fixes kernel check script for ssp
95
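Review bot: Deleting 2.6.32/0000_README removes the only From:/Desc: provenance record for this directory, yet the diffstat shows 2.6.32/ still keeps one patch, renamed to 4420_remove-legacy-ei-pax.patch. Consider keeping a trimmed README with a single Patch:/From:/Desc: entry for the surviving file instead of removing it outright. The deleted README also had no entry for 4437-grsec-kconfig-proc-user.patch or 4420_Z_5_remove-legacy-pax-ei.patch, both of which appear in the diffstat, so a rewritten one would close that gap as well.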
96 diff --git a/2.6.32/4420_Z_5_remove-legacy-pax-ei.patch b/2.6.32/4420_Z_5_remove-legacy-pax-ei.patch
97 deleted file mode 100644
98 index cc6530c..0000000
99 --- a/2.6.32/4420_Z_5_remove-legacy-pax-ei.patch
100 +++ /dev/null
101 @@ -1,213 +0,0 @@
102 -From: Anthony G. Basile <blueness@g.o>
103 -
104 -This patch removes all references to legacy EI_PAX markings
105 -in favor of PT_PAX. It should be applied immediately after
106 -the grsecurity patch.
107 -
108 -diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
109 ---- a/fs/binfmt_elf.c 2011-10-25 17:28:50.000000000 -0400
110 -+++ b/fs/binfmt_elf.c 2011-10-25 17:29:29.000000000 -0400
111 -@@ -557,7 +557,7 @@
112 - return error;
113 - }
114 -
115 --#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
116 -+#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
117 - static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
118 - {
119 - unsigned long pax_flags = 0UL;
120 -@@ -643,50 +643,7 @@
121 - }
122 - #endif
123 -
124 --#ifdef CONFIG_PAX_EI_PAX
125 --static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
126 --{
127 -- unsigned long pax_flags = 0UL;
128 --
129 --#ifdef CONFIG_PAX_PAGEEXEC
130 -- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
131 -- pax_flags |= MF_PAX_PAGEEXEC;
132 --#endif
133 --
134 --#ifdef CONFIG_PAX_SEGMEXEC
135 -- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
136 -- pax_flags |= MF_PAX_SEGMEXEC;
137 --#endif
138 --
139 --#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
140 -- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
141 -- if (nx_enabled)
142 -- pax_flags &= ~MF_PAX_SEGMEXEC;
143 -- else
144 -- pax_flags &= ~MF_PAX_PAGEEXEC;
145 -- }
146 --#endif
147 --
148 --#ifdef CONFIG_PAX_EMUTRAMP
149 -- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
150 -- pax_flags |= MF_PAX_EMUTRAMP;
151 --#endif
152 --
153 --#ifdef CONFIG_PAX_MPROTECT
154 -- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
155 -- pax_flags |= MF_PAX_MPROTECT;
156 --#endif
157 --
158 --#ifdef CONFIG_PAX_ASLR
159 -- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
160 -- pax_flags |= MF_PAX_RANDMMAP;
161 --#endif
162 --
163 -- return pax_flags;
164 --}
165 --#endif
166 --
167 --#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
168 -+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
169 - static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
170 - {
171 - unsigned long pax_flags = 0UL;
172 -@@ -696,10 +653,6 @@
173 - int found_flags = 0;
174 - #endif
175 -
176 --#ifdef CONFIG_PAX_EI_PAX
177 -- pax_flags = pax_parse_ei_pax(elf_ex);
178 --#endif
179 --
180 - #ifdef CONFIG_PAX_PT_PAX_FLAGS
181 - for (i = 0UL; i < elf_ex->e_phnum; i++)
182 - if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
183 -@@ -722,7 +675,7 @@
184 - }
185 - #endif
186 -
187 --#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
188 -+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
189 - if (found_flags == 0) {
190 - struct elf_phdr phdr;
191 - memset(&phdr, 0, sizeof(phdr));
192 -@@ -956,7 +909,7 @@
193 -
194 - current->mm->def_flags = 0;
195 -
196 --#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
197 -+#if defined(CONFIG_PAX_PT_PAX_FLAGS)
198 - if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
199 - send_sig(SIGKILL, current, 0);
200 - goto out_free_dentry;
201 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
202 ---- a/grsecurity/Kconfig 2011-10-25 17:28:50.000000000 -0400
203 -+++ b/grsecurity/Kconfig 2011-10-25 17:29:29.000000000 -0400
204 -@@ -47,7 +47,6 @@
205 - config GRKERNSEC_MEDIUM
206 - bool "Medium"
207 - select PAX
208 -- select PAX_EI_PAX
209 - select PAX_PT_PAX_FLAGS
210 - select PAX_HAVE_ACL_FLAGS
211 - select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
212 -@@ -143,7 +142,6 @@
213 - select PAX_RANDMMAP
214 - select PAX_NOEXEC
215 - select PAX_MPROTECT
216 -- select PAX_EI_PAX
217 - select PAX_PT_PAX_FLAGS
218 - select PAX_HAVE_ACL_FLAGS
219 - select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
220 -diff -Naur a/include/linux/elf.h b/include/linux/elf.h
221 ---- a/include/linux/elf.h 2011-10-25 17:28:50.000000000 -0400
222 -+++ b/include/linux/elf.h 2011-10-25 17:30:08.000000000 -0400
223 -@@ -348,8 +348,6 @@
224 - #define EI_OSABI 7
225 - #define EI_PAD 8
226 -
227 --#define EI_PAX 14
228 --
229 - #define ELFMAG0 0x7f /* EI_MAG */
230 - #define ELFMAG1 'E'
231 - #define ELFMAG2 'L'
232 -diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
233 ---- a/include/linux/grsecurity.h 2011-10-25 17:28:50.000000000 -0400
234 -+++ b/include/linux/grsecurity.h 2011-10-25 17:29:29.000000000 -0400
235 -@@ -13,11 +13,11 @@
236 - #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
237 - #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
238 - #endif
239 --#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
240 --#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
241 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
242 -+#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
243 - #endif
244 --#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
245 --#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
246 -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
247 -+#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
248 - #endif
249 - #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
250 - #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
251 -diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
252 ---- a/include/linux/mm_types.h 2011-10-25 17:28:50.000000000 -0400
253 -+++ b/include/linux/mm_types.h 2011-10-25 17:29:29.000000000 -0400
254 -@@ -290,7 +290,7 @@
255 - struct mmu_notifier_mm *mmu_notifier_mm;
256 - #endif
257 -
258 --#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
259 -+#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
260 - unsigned long pax_flags;
261 - #endif
262 -
263 -diff -Naur a/security/Kconfig b/security/Kconfig
264 ---- a/security/Kconfig 2011-10-25 17:28:51.000000000 -0400
265 -+++ b/security/Kconfig 2011-10-25 17:30:43.000000000 -0400
266 -@@ -51,20 +51,6 @@
267 - line option on boot. Furthermore you can control various PaX features
268 - at runtime via the entries in /proc/sys/kernel/pax.
269 -
270 --config PAX_EI_PAX
271 -- bool 'Use legacy ELF header marking'
272 -- help
273 -- Enabling this option will allow you to control PaX features on
274 -- a per executable basis via the 'chpax' utility available at
275 -- http://pax.grsecurity.net/. The control flags will be read from
276 -- an otherwise reserved part of the ELF header. This marking has
277 -- numerous drawbacks (no support for soft-mode, toolchain does not
278 -- know about the non-standard use of the ELF header) therefore it
279 -- has been deprecated in favour of PT_PAX_FLAGS support.
280 --
281 -- Note that if you enable PT_PAX_FLAGS marking support as well,
282 -- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
283 --
284 - config PAX_PT_PAX_FLAGS
285 - bool 'Use ELF program header marking'
286 - help
287 -@@ -79,9 +65,6 @@
288 - If your toolchain does not support PT_PAX_FLAGS markings,
289 - you can create one in most cases with 'paxctl -C'.
290 -
291 -- Note that if you enable the legacy EI_PAX marking support as well,
292 -- the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
293 --
294 - choice
295 - prompt 'MAC system integration'
296 - default PAX_HAVE_ACL_FLAGS
297 -@@ -113,7 +96,7 @@
298 -
299 - config PAX_NOEXEC
300 - bool "Enforce non-executable pages"
301 -- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
302 -+ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
303 - help
304 - By design some architectures do not allow for protecting memory
305 - pages against execution or even if they do, Linux does not make
306 -@@ -360,7 +343,7 @@
307 -
308 - config PAX_ASLR
309 - bool "Address Space Layout Randomization"
310 -- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
311 -+ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
312 - help
313 - Many if not most exploit techniques rely on the knowledge of
314 - certain addresses in the attacked program. The following options
315
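Review bot: The log message "Remove everything but patch" does not say which patch survives, and this hunk deletes 4420_Z_5_remove-legacy-pax-ei.patch while the diffstat renames a near-identically named file to 4420_remove-legacy-ei-pax.patch; please name the kept file in the commit message so the two are not confused. If the kept patch carries the same fs/binfmt_elf.c change seen here, its header should also record the behavioural consequence: with the pax_parse_ei_pax() call and the "!defined(CONFIG_PAX_EI_PAX)" guard gone, a binary that has no PT_PAX_FLAGS program header always takes the "found_flags == 0" branch with a zeroed phdr, and its EI_PAX byte is never read. The header only says the patch "should be applied immediately after the grsecurity patch"; a sentence telling users that chpax-only markings stop being honoured and pointing at "paxctl -C" (already named in the PAX_PT_PAX_FLAGS help text) would make that explicit.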
316 diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110200052.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110200052.patch
317 deleted file mode 100644
318 index 64e8748..0000000
319 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110200052.patch
320 +++ /dev/null
321 @@ -1,82276 +0,0 @@
322 -diff -urNp linux-2.6.32.46/Documentation/dontdiff linux-2.6.32.46/Documentation/dontdiff
323 ---- linux-2.6.32.46/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400
324 -+++ linux-2.6.32.46/Documentation/dontdiff 2011-08-21 18:59:02.000000000 -0400
325 -@@ -1,13 +1,16 @@
326 - *.a
327 - *.aux
328 - *.bin
329 -+*.cis
330 - *.cpio
331 - *.csp
332 -+*.dbg
333 - *.dsp
334 - *.dvi
335 - *.elf
336 - *.eps
337 - *.fw
338 -+*.gcno
339 - *.gen.S
340 - *.gif
341 - *.grep
342 -@@ -38,8 +41,10 @@
343 - *.tab.h
344 - *.tex
345 - *.ver
346 -+*.vim
347 - *.xml
348 - *_MODULES
349 -+*_reg_safe.h
350 - *_vga16.c
351 - *~
352 - *.9
353 -@@ -49,11 +54,16 @@
354 - 53c700_d.h
355 - CVS
356 - ChangeSet
357 -+GPATH
358 -+GRTAGS
359 -+GSYMS
360 -+GTAGS
361 - Image
362 - Kerntypes
363 - Module.markers
364 - Module.symvers
365 - PENDING
366 -+PERF*
367 - SCCS
368 - System.map*
369 - TAGS
370 -@@ -76,7 +86,11 @@ btfixupprep
371 - build
372 - bvmlinux
373 - bzImage*
374 -+capability_names.h
375 -+capflags.c
376 - classlist.h*
377 -+clut_vga16.c
378 -+common-cmds.h
379 - comp*.log
380 - compile.h*
381 - conf
382 -@@ -97,19 +111,21 @@ elfconfig.h*
383 - fixdep
384 - fore200e_mkfirm
385 - fore200e_pca_fw.c*
386 -+gate.lds
387 - gconf
388 - gen-devlist
389 - gen_crc32table
390 - gen_init_cpio
391 - genksyms
392 - *_gray256.c
393 -+hash
394 - ihex2fw
395 - ikconfig.h*
396 - initramfs_data.cpio
397 -+initramfs_data.cpio.bz2
398 - initramfs_data.cpio.gz
399 - initramfs_list
400 - kallsyms
401 --kconfig
402 - keywords.c
403 - ksym.c*
404 - ksym.h*
405 -@@ -133,7 +149,9 @@ mkboot
406 - mkbugboot
407 - mkcpustr
408 - mkdep
409 -+mkpiggy
410 - mkprep
411 -+mkregtable
412 - mktables
413 - mktree
414 - modpost
415 -@@ -149,6 +167,7 @@ patches*
416 - pca200e.bin
417 - pca200e_ecd.bin2
418 - piggy.gz
419 -+piggy.S
420 - piggyback
421 - pnmtologo
422 - ppc_defs.h*
423 -@@ -157,12 +176,15 @@ qconf
424 - raid6altivec*.c
425 - raid6int*.c
426 - raid6tables.c
427 -+regdb.c
428 - relocs
429 -+rlim_names.h
430 - series
431 - setup
432 - setup.bin
433 - setup.elf
434 - sImage
435 -+slabinfo
436 - sm_tbl*
437 - split-include
438 - syscalltab.h
439 -@@ -186,14 +208,20 @@ version.h*
440 - vmlinux
441 - vmlinux-*
442 - vmlinux.aout
443 -+vmlinux.bin.all
444 -+vmlinux.bin.bz2
445 - vmlinux.lds
446 -+vmlinux.relocs
447 -+voffset.h
448 - vsyscall.lds
449 - vsyscall_32.lds
450 - wanxlfw.inc
451 - uImage
452 - unifdef
453 -+utsrelease.h
454 - wakeup.bin
455 - wakeup.elf
456 - wakeup.lds
457 - zImage*
458 - zconf.hash.c
459 -+zoffset.h
460 -diff -urNp linux-2.6.32.46/Documentation/kernel-parameters.txt linux-2.6.32.46/Documentation/kernel-parameters.txt
461 ---- linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-03-27 14:31:47.000000000 -0400
462 -+++ linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-04-17 15:56:45.000000000 -0400
463 -@@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
464 - the specified number of seconds. This is to be used if
465 - your oopses keep scrolling off the screen.
466 -
467 -+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
468 -+ virtualization environments that don't cope well with the
469 -+ expand down segment used by UDEREF on X86-32 or the frequent
470 -+ page table updates on X86-64.
471 -+
472 -+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
473 -+
474 - pcbit= [HW,ISDN]
475 -
476 - pcd. [PARIDE]
477 -diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
478 ---- linux-2.6.32.46/Makefile 2011-08-29 22:24:44.000000000 -0400
479 -+++ linux-2.6.32.46/Makefile 2011-10-08 08:14:40.000000000 -0400
480 -@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
481 -
482 - HOSTCC = gcc
483 - HOSTCXX = g++
484 --HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
485 --HOSTCXXFLAGS = -O2
486 -+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
487 -+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
488 -+HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
489 -
490 - # Decide whether to build built-in, modular, or both.
491 - # Normally, just do built-in.
492 -@@ -342,10 +343,12 @@ LINUXINCLUDE := -Iinclude \
493 - KBUILD_CPPFLAGS := -D__KERNEL__
494 -
495 - KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
496 -+ -W -Wno-unused-parameter -Wno-missing-field-initializers \
497 - -fno-strict-aliasing -fno-common \
498 - -Werror-implicit-function-declaration \
499 - -Wno-format-security \
500 - -fno-delete-null-pointer-checks
501 -+KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
502 - KBUILD_AFLAGS := -D__ASSEMBLY__
503 -
504 - # Read KERNELRELEASE from include/config/kernel.release (if it exists)
505 -@@ -376,8 +379,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
506 - # Rules shared between *config targets and build targets
507 -
508 - # Basic helpers built in scripts/
509 --PHONY += scripts_basic
510 --scripts_basic:
511 -+PHONY += scripts_basic gcc-plugins
512 -+scripts_basic: gcc-plugins
513 - $(Q)$(MAKE) $(build)=scripts/basic
514 -
515 - # To avoid any implicit rule to kick in, define an empty command.
516 -@@ -403,7 +406,7 @@ endif
517 - # of make so .config is not included in this case either (for *config).
518 -
519 - no-dot-config-targets := clean mrproper distclean \
520 -- cscope TAGS tags help %docs check% \
521 -+ cscope gtags TAGS tags help %docs check% \
522 - include/linux/version.h headers_% \
523 - kernelrelease kernelversion
524 -
525 -@@ -526,6 +529,36 @@ else
526 - KBUILD_CFLAGS += -O2
527 - endif
528 -
529 -+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
530 -+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
531 -+ifdef CONFIG_PAX_MEMORY_STACKLEAK
532 -+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
533 -+endif
534 -+ifdef CONFIG_KALLOCSTAT_PLUGIN
535 -+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
536 -+endif
537 -+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
538 -+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
539 -+endif
540 -+ifdef CONFIG_CHECKER_PLUGIN
541 -+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
542 -+CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
543 -+endif
544 -+endif
545 -+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
546 -+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
547 -+gcc-plugins:
548 -+ $(Q)$(MAKE) $(build)=tools/gcc
549 -+else
550 -+gcc-plugins:
551 -+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
552 -+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
553 -+else
554 -+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
555 -+endif
556 -+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
557 -+endif
558 -+
559 - include $(srctree)/arch/$(SRCARCH)/Makefile
560 -
561 - ifneq ($(CONFIG_FRAME_WARN),0)
562 -@@ -644,7 +677,7 @@ export mod_strip_cmd
563 -
564 -
565 - ifeq ($(KBUILD_EXTMOD),)
566 --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
567 -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
568 -
569 - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
570 - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
571 -@@ -865,6 +898,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
572 -
573 - # The actual objects are generated when descending,
574 - # make sure no implicit rule kicks in
575 -+$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
576 - $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
577 -
578 - # Handle descending into subdirectories listed in $(vmlinux-dirs)
579 -@@ -874,7 +908,7 @@ $(sort $(vmlinux-init) $(vmlinux-main))
580 - # Error messages still appears in the original language
581 -
582 - PHONY += $(vmlinux-dirs)
583 --$(vmlinux-dirs): prepare scripts
584 -+$(vmlinux-dirs): gcc-plugins prepare scripts
585 - $(Q)$(MAKE) $(build)=$@
586 -
587 - # Build the kernel release string
588 -@@ -983,6 +1017,7 @@ prepare0: archprepare FORCE
589 - $(Q)$(MAKE) $(build)=. missing-syscalls
590 -
591 - # All the preparing..
592 -+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
593 - prepare: prepare0
594 -
595 - # The asm symlink changes when $(ARCH) changes.
596 -@@ -1124,6 +1159,7 @@ all: modules
597 - # using awk while concatenating to the final file.
598 -
599 - PHONY += modules
600 -+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
601 - modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
602 - $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
603 - @$(kecho) ' Building modules, stage 2.';
604 -@@ -1133,7 +1169,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
605 -
606 - # Target to prepare building external modules
607 - PHONY += modules_prepare
608 --modules_prepare: prepare scripts
609 -+modules_prepare: gcc-plugins prepare scripts
610 -
611 - # Target to install modules
612 - PHONY += modules_install
613 -@@ -1198,7 +1234,7 @@ MRPROPER_FILES += .config .config.old in
614 - include/linux/autoconf.h include/linux/version.h \
615 - include/linux/utsrelease.h \
616 - include/linux/bounds.h include/asm*/asm-offsets.h \
617 -- Module.symvers Module.markers tags TAGS cscope*
618 -+ Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
619 -
620 - # clean - Delete most, but leave enough to build external modules
621 - #
622 -@@ -1242,7 +1278,7 @@ distclean: mrproper
623 - @find $(srctree) $(RCS_FIND_IGNORE) \
624 - \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
625 - -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
626 -- -o -name '.*.rej' -o -size 0 \
627 -+ -o -name '.*.rej' -o -name '*.so' -o -size 0 \
628 - -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
629 - -type f -print | xargs rm -f
630 -
631 -@@ -1289,6 +1325,7 @@ help:
632 - @echo ' modules_prepare - Set up for building external modules'
633 - @echo ' tags/TAGS - Generate tags file for editors'
634 - @echo ' cscope - Generate cscope index'
635 -+ @echo ' gtags - Generate GNU GLOBAL index'
636 - @echo ' kernelrelease - Output the release version string'
637 - @echo ' kernelversion - Output the version stored in Makefile'
638 - @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
639 -@@ -1390,6 +1427,7 @@ PHONY += $(module-dirs) modules
640 - $(module-dirs): crmodverdir $(objtree)/Module.symvers
641 - $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
642 -
643 -+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
644 - modules: $(module-dirs)
645 - @$(kecho) ' Building modules, stage 2.';
646 - $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
647 -@@ -1445,7 +1483,7 @@ endif # KBUILD_EXTMOD
648 - quiet_cmd_tags = GEN $@
649 - cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
650 -
651 --tags TAGS cscope: FORCE
652 -+tags TAGS cscope gtags: FORCE
653 - $(call cmd,tags)
654 -
655 - # Scripts to check various things for consistency
656 -@@ -1510,17 +1548,19 @@ else
657 - target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
658 - endif
659 -
660 --%.s: %.c prepare scripts FORCE
661 -+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
662 -+%.s: %.c gcc-plugins prepare scripts FORCE
663 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
664 - %.i: %.c prepare scripts FORCE
665 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
666 --%.o: %.c prepare scripts FORCE
667 -+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
668 -+%.o: %.c gcc-plugins prepare scripts FORCE
669 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
670 - %.lst: %.c prepare scripts FORCE
671 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
672 --%.s: %.S prepare scripts FORCE
673 -+%.s: %.S gcc-plugins prepare scripts FORCE
674 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
675 --%.o: %.S prepare scripts FORCE
676 -+%.o: %.S gcc-plugins prepare scripts FORCE
677 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
678 - %.symtypes: %.c prepare scripts FORCE
679 - $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
680 -@@ -1530,11 +1570,13 @@ endif
681 - $(cmd_crmodverdir)
682 - $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
683 - $(build)=$(build-dir)
684 --%/: prepare scripts FORCE
685 -+%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
686 -+%/: gcc-plugins prepare scripts FORCE
687 - $(cmd_crmodverdir)
688 - $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
689 - $(build)=$(build-dir)
690 --%.ko: prepare scripts FORCE
691 -+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
692 -+%.ko: gcc-plugins prepare scripts FORCE
693 - $(cmd_crmodverdir)
694 - $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
695 - $(build)=$(build-dir) $(@:.ko=.o)
696 -diff -urNp linux-2.6.32.46/arch/alpha/include/asm/elf.h linux-2.6.32.46/arch/alpha/include/asm/elf.h
697 ---- linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
698 -+++ linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
699 -@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
700 -
701 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
702 -
703 -+#ifdef CONFIG_PAX_ASLR
704 -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
705 -+
706 -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
707 -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
708 -+#endif
709 -+
710 - /* $0 is set by ld.so to a pointer to a function which might be
711 - registered using atexit. This provides a mean for the dynamic
712 - linker to call DT_FINI functions for shared libraries that have
713 -diff -urNp linux-2.6.32.46/arch/alpha/include/asm/pgtable.h linux-2.6.32.46/arch/alpha/include/asm/pgtable.h
714 ---- linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
715 -+++ linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
716 -@@ -101,6 +101,17 @@ struct vm_area_struct;
717 - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
718 - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
719 - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
720 -+
721 -+#ifdef CONFIG_PAX_PAGEEXEC
722 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
723 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
724 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
725 -+#else
726 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
727 -+# define PAGE_COPY_NOEXEC PAGE_COPY
728 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
729 -+#endif
730 -+
731 - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
732 -
733 - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
734 -diff -urNp linux-2.6.32.46/arch/alpha/kernel/module.c linux-2.6.32.46/arch/alpha/kernel/module.c
735 ---- linux-2.6.32.46/arch/alpha/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
736 -+++ linux-2.6.32.46/arch/alpha/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
737 -@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
738 -
739 - /* The small sections were sorted to the end of the segment.
740 - The following should definitely cover them. */
741 -- gp = (u64)me->module_core + me->core_size - 0x8000;
742 -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
743 - got = sechdrs[me->arch.gotsecindex].sh_addr;
744 -
745 - for (i = 0; i < n; i++) {
746 -diff -urNp linux-2.6.32.46/arch/alpha/kernel/osf_sys.c linux-2.6.32.46/arch/alpha/kernel/osf_sys.c
747 ---- linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-08-09 18:35:28.000000000 -0400
748 -+++ linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
749 -@@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
750 - /* At this point: (!vma || addr < vma->vm_end). */
751 - if (limit - len < addr)
752 - return -ENOMEM;
753 -- if (!vma || addr + len <= vma->vm_start)
754 -+ if (check_heap_stack_gap(vma, addr, len))
755 - return addr;
756 - addr = vma->vm_end;
757 - vma = vma->vm_next;
758 -@@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
759 - merely specific addresses, but regions of memory -- perhaps
760 - this feature should be incorporated into all ports? */
761 -
762 -+#ifdef CONFIG_PAX_RANDMMAP
763 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
764 -+#endif
765 -+
766 - if (addr) {
767 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
768 - if (addr != (unsigned long) -ENOMEM)
769 -@@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
770 - }
771 -
772 - /* Next, try allocating at TASK_UNMAPPED_BASE. */
773 -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
774 -- len, limit);
775 -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
776 -+
777 - if (addr != (unsigned long) -ENOMEM)
778 - return addr;
779 -
780 -diff -urNp linux-2.6.32.46/arch/alpha/mm/fault.c linux-2.6.32.46/arch/alpha/mm/fault.c
781 ---- linux-2.6.32.46/arch/alpha/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
782 -+++ linux-2.6.32.46/arch/alpha/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
783 -@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
784 - __reload_thread(pcb);
785 - }
786 -
787 -+#ifdef CONFIG_PAX_PAGEEXEC
788 -+/*
789 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
790 -+ *
791 -+ * returns 1 when task should be killed
792 -+ * 2 when patched PLT trampoline was detected
793 -+ * 3 when unpatched PLT trampoline was detected
794 -+ */
795 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
796 -+{
797 -+
798 -+#ifdef CONFIG_PAX_EMUPLT
799 -+ int err;
800 -+
801 -+ do { /* PaX: patched PLT emulation #1 */
802 -+ unsigned int ldah, ldq, jmp;
803 -+
804 -+ err = get_user(ldah, (unsigned int *)regs->pc);
805 -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
806 -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
807 -+
808 -+ if (err)
809 -+ break;
810 -+
811 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
812 -+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
813 -+ jmp == 0x6BFB0000U)
814 -+ {
815 -+ unsigned long r27, addr;
816 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
817 -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
818 -+
819 -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
820 -+ err = get_user(r27, (unsigned long *)addr);
821 -+ if (err)
822 -+ break;
823 -+
824 -+ regs->r27 = r27;
825 -+ regs->pc = r27;
826 -+ return 2;
827 -+ }
828 -+ } while (0);
829 -+
830 -+ do { /* PaX: patched PLT emulation #2 */
831 -+ unsigned int ldah, lda, br;
832 -+
833 -+ err = get_user(ldah, (unsigned int *)regs->pc);
834 -+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
835 -+ err |= get_user(br, (unsigned int *)(regs->pc+8));
836 -+
837 -+ if (err)
838 -+ break;
839 -+
840 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
841 -+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
842 -+ (br & 0xFFE00000U) == 0xC3E00000U)
843 -+ {
844 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
845 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
846 -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
847 -+
848 -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
849 -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
850 -+ return 2;
851 -+ }
852 -+ } while (0);
853 -+
854 -+ do { /* PaX: unpatched PLT emulation */
855 -+ unsigned int br;
856 -+
857 -+ err = get_user(br, (unsigned int *)regs->pc);
858 -+
859 -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
860 -+ unsigned int br2, ldq, nop, jmp;
861 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
862 -+
863 -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
864 -+ err = get_user(br2, (unsigned int *)addr);
865 -+ err |= get_user(ldq, (unsigned int *)(addr+4));
866 -+ err |= get_user(nop, (unsigned int *)(addr+8));
867 -+ err |= get_user(jmp, (unsigned int *)(addr+12));
868 -+ err |= get_user(resolver, (unsigned long *)(addr+16));
869 -+
870 -+ if (err)
871 -+ break;
872 -+
873 -+ if (br2 == 0xC3600000U &&
874 -+ ldq == 0xA77B000CU &&
875 -+ nop == 0x47FF041FU &&
876 -+ jmp == 0x6B7B0000U)
877 -+ {
878 -+ regs->r28 = regs->pc+4;
879 -+ regs->r27 = addr+16;
880 -+ regs->pc = resolver;
881 -+ return 3;
882 -+ }
883 -+ }
884 -+ } while (0);
885 -+#endif
886 -+
887 -+ return 1;
888 -+}
889 -+
890 -+void pax_report_insns(void *pc, void *sp)
891 -+{
892 -+ unsigned long i;
893 -+
894 -+ printk(KERN_ERR "PAX: bytes at PC: ");
895 -+ for (i = 0; i < 5; i++) {
896 -+ unsigned int c;
897 -+ if (get_user(c, (unsigned int *)pc+i))
898 -+ printk(KERN_CONT "???????? ");
899 -+ else
900 -+ printk(KERN_CONT "%08x ", c);
901 -+ }
902 -+ printk("\n");
903 -+}
904 -+#endif
905 -
906 - /*
907 - * This routine handles page faults. It determines the address,
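Review bot: In "patched PLT emulation #2" the second instruction is read into a variable named `lda`, but it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, which is the same constant emulation #1 uses for `ldq`. As written, the first two conditions of #1 and #2 are identical and only the third instruction (`jmp` versus `br`) tells the sequences apart. Please confirm that the constant is the intended encoding and either correct it or rename the variable, and add a comment giving the instruction sequence each block is meant to recognise. The 1/2/3 return codes described in the header comment would also read better as named constants, since the caller switches on them.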
908 -@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
909 - good_area:
910 - si_code = SEGV_ACCERR;
911 - if (cause < 0) {
912 -- if (!(vma->vm_flags & VM_EXEC))
913 -+ if (!(vma->vm_flags & VM_EXEC)) {
914 -+
915 -+#ifdef CONFIG_PAX_PAGEEXEC
916 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
917 -+ goto bad_area;
918 -+
919 -+ up_read(&mm->mmap_sem);
920 -+ switch (pax_handle_fetch_fault(regs)) {
921 -+
922 -+#ifdef CONFIG_PAX_EMUPLT
923 -+ case 2:
924 -+ case 3:
925 -+ return;
926 -+#endif
927 -+
928 -+ }
929 -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
930 -+ do_group_exit(SIGKILL);
931 -+#else
932 - goto bad_area;
933 -+#endif
934 -+
935 -+ }
936 - } else if (!cause) {
937 - /* Allow reads even for write-only mappings */
938 - if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
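Review bot: The `switch (pax_handle_fetch_fault(regs))` in the CONFIG_PAX_PAGEEXEC branch has no case for return value 1 and no default, and with CONFIG_PAX_EMUPLT disabled it has no cases at all. The kill path (`pax_report_fault()` then `do_group_exit(SIGKILL)`) is reached only by falling out of the switch, which is easy to misread. Suggest an explicit `default:` with a comment, or testing the return value with a plain `if` inside the EMUPLT `#ifdef`. A one-line comment noting that `mmap_sem` is dropped before the handler because it calls `get_user()` would help as well.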
939 -diff -urNp linux-2.6.32.46/arch/arm/include/asm/elf.h linux-2.6.32.46/arch/arm/include/asm/elf.h
940 ---- linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
941 -+++ linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
942 -@@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
943 - the loader. We need to make sure that it is out of the way of the program
944 - that it will "exec", and that there is sufficient room for the brk. */
945 -
946 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
947 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
948 -+
949 -+#ifdef CONFIG_PAX_ASLR
950 -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
951 -+
952 -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
953 -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
954 -+#endif
955 -
956 - /* When the program starts, a1 contains a pointer to a function to be
957 - registered with atexit, as per the SVR4 ABI. A value of 0 means we
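Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` changes the order of evaluation, and the two forms can yield different values because of integer division, but the hunk gives no reason for the change. Please state the intent in a comment or in the patch description. The same applies to the new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values: the choice of 16 bits for `PER_LINUX_32BIT` and 10 otherwise is not explained, and `PAX_ELF_ET_DYN_BASE 0x00008000UL` is likewise a bare constant.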
958 -diff -urNp linux-2.6.32.46/arch/arm/include/asm/kmap_types.h linux-2.6.32.46/arch/arm/include/asm/kmap_types.h
959 ---- linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
960 -+++ linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
961 -@@ -19,6 +19,7 @@ enum km_type {
962 - KM_SOFTIRQ0,
963 - KM_SOFTIRQ1,
964 - KM_L2_CACHE,
965 -+ KM_CLEARPAGE,
966 - KM_TYPE_NR
967 - };
968 -
969 -diff -urNp linux-2.6.32.46/arch/arm/include/asm/uaccess.h linux-2.6.32.46/arch/arm/include/asm/uaccess.h
970 ---- linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
971 -+++ linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-06-29 21:02:24.000000000 -0400
972 -@@ -22,6 +22,8 @@
973 - #define VERIFY_READ 0
974 - #define VERIFY_WRITE 1
975 -
976 -+extern void check_object_size(const void *ptr, unsigned long n, bool to);
977 -+
978 - /*
979 - * The exception table consists of pairs of addresses: the first is the
980 - * address of an instruction that is allowed to fault, and the second is
981 -@@ -387,8 +389,23 @@ do { \
982 -
983 -
984 - #ifdef CONFIG_MMU
985 --extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
986 --extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
987 -+extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
988 -+extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
989 -+
990 -+static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
991 -+{
992 -+ if (!__builtin_constant_p(n))
993 -+ check_object_size(to, n, false);
994 -+ return ___copy_from_user(to, from, n);
995 -+}
996 -+
997 -+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
998 -+{
999 -+ if (!__builtin_constant_p(n))
1000 -+ check_object_size(from, n, true);
1001 -+ return ___copy_to_user(to, from, n);
1002 -+}
1003 -+
1004 - extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
1005 - extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
1006 - extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
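Review bot: Both new inline wrappers call `check_object_size()` only under `if (!__builtin_constant_p(n))`, so every copy with a compile-time constant length skips the object-size check, and nothing in the hunk says why that is acceptable. Please add a comment stating the assumption being made about constant-length copies. Separately, telling the raw routines apart from the checked ones by a third leading underscore (`___copy_from_user` versus `__copy_from_user`) is hard to see in review; a more distinct name for the raw routines would reduce the chance of a caller picking the unchecked one by accident.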
1007 -@@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
1008 -
1009 - static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
1010 - {
1011 -+ if ((long)n < 0)
1012 -+ return n;
1013 -+
1014 - if (access_ok(VERIFY_READ, from, n))
1015 - n = __copy_from_user(to, from, n);
1016 - else /* security hole - plug it */
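Review bot: The `if ((long)n < 0) return n;` added at the top of `copy_from_user()` returns before `access_ok()` and therefore also before the `else` branch marked "security hole - plug it". A comment should say that the cast is rejecting lengths with the top bit set and that the destination buffer is deliberately left untouched in that case, since callers that ignore the return value will otherwise proceed with whatever the buffer held. The identical check added to `copy_to_user()` in the next hunk deserves the same comment.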
1017 -@@ -412,6 +432,9 @@ static inline unsigned long __must_check
1018 -
1019 - static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
1020 - {
1021 -+ if ((long)n < 0)
1022 -+ return n;
1023 -+
1024 - if (access_ok(VERIFY_WRITE, to, n))
1025 - n = __copy_to_user(to, from, n);
1026 - return n;
1027 -diff -urNp linux-2.6.32.46/arch/arm/kernel/armksyms.c linux-2.6.32.46/arch/arm/kernel/armksyms.c
1028 ---- linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-03-27 14:31:47.000000000 -0400
1029 -+++ linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-07-06 19:51:50.000000000 -0400
1030 -@@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
1031 - #ifdef CONFIG_MMU
1032 - EXPORT_SYMBOL(copy_page);
1033 -
1034 --EXPORT_SYMBOL(__copy_from_user);
1035 --EXPORT_SYMBOL(__copy_to_user);
1036 -+EXPORT_SYMBOL(___copy_from_user);
1037 -+EXPORT_SYMBOL(___copy_to_user);
1038 - EXPORT_SYMBOL(__clear_user);
1039 -
1040 - EXPORT_SYMBOL(__get_user_1);
1041 -diff -urNp linux-2.6.32.46/arch/arm/kernel/kgdb.c linux-2.6.32.46/arch/arm/kernel/kgdb.c
1042 ---- linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1043 -+++ linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1044 -@@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
1045 - * and we handle the normal undef case within the do_undefinstr
1046 - * handler.
1047 - */
1048 --struct kgdb_arch arch_kgdb_ops = {
1049 -+const struct kgdb_arch arch_kgdb_ops = {
1050 - #ifndef __ARMEB__
1051 - .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
1052 - #else /* ! __ARMEB__ */
1053 -diff -urNp linux-2.6.32.46/arch/arm/kernel/traps.c linux-2.6.32.46/arch/arm/kernel/traps.c
1054 ---- linux-2.6.32.46/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
1055 -+++ linux-2.6.32.46/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
1056 -@@ -247,6 +247,8 @@ static void __die(const char *str, int e
1057 -
1058 - DEFINE_SPINLOCK(die_lock);
1059 -
1060 -+extern void gr_handle_kernel_exploit(void);
1061 -+
1062 - /*
1063 - * This function is protected against re-entrancy.
1064 - */
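Review bot: `gr_handle_kernel_exploit()` is declared with a bare `extern` inside traps.c instead of coming from a shared header, so the compiler cannot check this prototype against the definition. Please move the declaration to a header that both the definition and this file include. The hunk also does not show what happens when the feature providing the function is configured out; a stub in that header would make that explicit.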
1065 -@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
1066 - if (panic_on_oops)
1067 - panic("Fatal exception");
1068 -
1069 -+ gr_handle_kernel_exploit();
1070 -+
1071 - do_exit(SIGSEGV);
1072 - }
1073 -
1074 -diff -urNp linux-2.6.32.46/arch/arm/lib/copy_from_user.S linux-2.6.32.46/arch/arm/lib/copy_from_user.S
1075 ---- linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-03-27 14:31:47.000000000 -0400
1076 -+++ linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-06-29 20:48:38.000000000 -0400
1077 -@@ -16,7 +16,7 @@
1078 - /*
1079 - * Prototype:
1080 - *
1081 -- * size_t __copy_from_user(void *to, const void *from, size_t n)
1082 -+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
1083 - *
1084 - * Purpose:
1085 - *
1086 -@@ -84,11 +84,11 @@
1087 -
1088 - .text
1089 -
1090 --ENTRY(__copy_from_user)
1091 -+ENTRY(___copy_from_user)
1092 -
1093 - #include "copy_template.S"
1094 -
1095 --ENDPROC(__copy_from_user)
1096 -+ENDPROC(___copy_from_user)
1097 -
1098 - .section .fixup,"ax"
1099 - .align 0
1100 -diff -urNp linux-2.6.32.46/arch/arm/lib/copy_to_user.S linux-2.6.32.46/arch/arm/lib/copy_to_user.S
1101 ---- linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-03-27 14:31:47.000000000 -0400
1102 -+++ linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-06-29 20:46:49.000000000 -0400
1103 -@@ -16,7 +16,7 @@
1104 - /*
1105 - * Prototype:
1106 - *
1107 -- * size_t __copy_to_user(void *to, const void *from, size_t n)
1108 -+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
1109 - *
1110 - * Purpose:
1111 - *
1112 -@@ -88,11 +88,11 @@
1113 - .text
1114 -
1115 - ENTRY(__copy_to_user_std)
1116 --WEAK(__copy_to_user)
1117 -+WEAK(___copy_to_user)
1118 -
1119 - #include "copy_template.S"
1120 -
1121 --ENDPROC(__copy_to_user)
1122 -+ENDPROC(___copy_to_user)
1123 -
1124 - .section .fixup,"ax"
1125 - .align 0
1126 -diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess.S linux-2.6.32.46/arch/arm/lib/uaccess.S
1127 ---- linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-03-27 14:31:47.000000000 -0400
1128 -+++ linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-06-29 20:48:53.000000000 -0400
1129 -@@ -19,7 +19,7 @@
1130 -
1131 - #define PAGE_SHIFT 12
1132 -
1133 --/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
1134 -+/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
1135 - * Purpose : copy a block to user memory from kernel memory
1136 - * Params : to - user memory
1137 - * : from - kernel memory
1138 -@@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
1139 - sub r2, r2, ip
1140 - b .Lc2u_dest_aligned
1141 -
1142 --ENTRY(__copy_to_user)
1143 -+ENTRY(___copy_to_user)
1144 - stmfd sp!, {r2, r4 - r7, lr}
1145 - cmp r2, #4
1146 - blt .Lc2u_not_enough
1147 -@@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
1148 - ldrgtb r3, [r1], #0
1149 - USER( strgtbt r3, [r0], #1) @ May fault
1150 - b .Lc2u_finished
1151 --ENDPROC(__copy_to_user)
1152 -+ENDPROC(___copy_to_user)
1153 -
1154 - .section .fixup,"ax"
1155 - .align 0
1156 - 9001: ldmfd sp!, {r0, r4 - r7, pc}
1157 - .previous
1158 -
1159 --/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
1160 -+/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
1161 - * Purpose : copy a block from user memory to kernel memory
1162 - * Params : to - kernel memory
1163 - * : from - user memory
1164 -@@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
1165 - sub r2, r2, ip
1166 - b .Lcfu_dest_aligned
1167 -
1168 --ENTRY(__copy_from_user)
1169 -+ENTRY(___copy_from_user)
1170 - stmfd sp!, {r0, r2, r4 - r7, lr}
1171 - cmp r2, #4
1172 - blt .Lcfu_not_enough
1173 -@@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
1174 - USER( ldrgtbt r3, [r1], #1) @ May fault
1175 - strgtb r3, [r0], #1
1176 - b .Lcfu_finished
1177 --ENDPROC(__copy_from_user)
1178 -+ENDPROC(___copy_from_user)
1179 -
1180 - .section .fixup,"ax"
1181 - .align 0
1182 -diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c
1183 ---- linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-03-27 14:31:47.000000000 -0400
1184 -+++ linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:44:35.000000000 -0400
1185 -@@ -97,7 +97,7 @@ out:
1186 - }
1187 -
1188 - unsigned long
1189 --__copy_to_user(void __user *to, const void *from, unsigned long n)
1190 -+___copy_to_user(void __user *to, const void *from, unsigned long n)
1191 - {
1192 - /*
1193 - * This test is stubbed out of the main function above to keep
1194 -diff -urNp linux-2.6.32.46/arch/arm/mach-at91/pm.c linux-2.6.32.46/arch/arm/mach-at91/pm.c
1195 ---- linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
1196 -+++ linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
1197 -@@ -348,7 +348,7 @@ static void at91_pm_end(void)
1198 - }
1199 -
1200 -
1201 --static struct platform_suspend_ops at91_pm_ops ={
1202 -+static const struct platform_suspend_ops at91_pm_ops ={
1203 - .valid = at91_pm_valid_state,
1204 - .begin = at91_pm_begin,
1205 - .enter = at91_pm_enter,
1206 -diff -urNp linux-2.6.32.46/arch/arm/mach-omap1/pm.c linux-2.6.32.46/arch/arm/mach-omap1/pm.c
1207 ---- linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-03-27 14:31:47.000000000 -0400
1208 -+++ linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-04-17 15:56:45.000000000 -0400
1209 -@@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
1210 -
1211 -
1212 -
1213 --static struct platform_suspend_ops omap_pm_ops ={
1214 -+static const struct platform_suspend_ops omap_pm_ops ={
1215 - .prepare = omap_pm_prepare,
1216 - .enter = omap_pm_enter,
1217 - .finish = omap_pm_finish,
1218 -diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c
1219 ---- linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-03-27 14:31:47.000000000 -0400
1220 -+++ linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-04-17 15:56:45.000000000 -0400
1221 -@@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
1222 - enable_hlt();
1223 - }
1224 -
1225 --static struct platform_suspend_ops omap_pm_ops = {
1226 -+static const struct platform_suspend_ops omap_pm_ops = {
1227 - .prepare = omap2_pm_prepare,
1228 - .enter = omap2_pm_enter,
1229 - .finish = omap2_pm_finish,
1230 -diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c
1231 ---- linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-03-27 14:31:47.000000000 -0400
1232 -+++ linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-04-17 15:56:45.000000000 -0400
1233 -@@ -401,7 +401,7 @@ static void omap3_pm_end(void)
1234 - return;
1235 - }
1236 -
1237 --static struct platform_suspend_ops omap_pm_ops = {
1238 -+static const struct platform_suspend_ops omap_pm_ops = {
1239 - .begin = omap3_pm_begin,
1240 - .end = omap3_pm_end,
1241 - .prepare = omap3_pm_prepare,
1242 -diff -urNp linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c
1243 ---- linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-03-27 14:31:47.000000000 -0400
1244 -+++ linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-04-17 15:56:45.000000000 -0400
1245 -@@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
1246 - (state == PM_SUSPEND_MEM);
1247 - }
1248 -
1249 --static struct platform_suspend_ops pnx4008_pm_ops = {
1250 -+static const struct platform_suspend_ops pnx4008_pm_ops = {
1251 - .enter = pnx4008_pm_enter,
1252 - .valid = pnx4008_pm_valid,
1253 - };
1254 -diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/pm.c linux-2.6.32.46/arch/arm/mach-pxa/pm.c
1255 ---- linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-03-27 14:31:47.000000000 -0400
1256 -+++ linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-04-17 15:56:45.000000000 -0400
1257 -@@ -95,7 +95,7 @@ void pxa_pm_finish(void)
1258 - pxa_cpu_pm_fns->finish();
1259 - }
1260 -
1261 --static struct platform_suspend_ops pxa_pm_ops = {
1262 -+static const struct platform_suspend_ops pxa_pm_ops = {
1263 - .valid = pxa_pm_valid,
1264 - .enter = pxa_pm_enter,
1265 - .prepare = pxa_pm_prepare,
1266 -diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c
1267 ---- linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-03-27 14:31:47.000000000 -0400
1268 -+++ linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-04-17 15:56:45.000000000 -0400
1269 -@@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
1270 - }
1271 -
1272 - #ifdef CONFIG_PM
1273 --static struct platform_suspend_ops sharpsl_pm_ops = {
1274 -+static const struct platform_suspend_ops sharpsl_pm_ops = {
1275 - .prepare = pxa_pm_prepare,
1276 - .finish = pxa_pm_finish,
1277 - .enter = corgi_pxa_pm_enter,
1278 -diff -urNp linux-2.6.32.46/arch/arm/mach-sa1100/pm.c linux-2.6.32.46/arch/arm/mach-sa1100/pm.c
1279 ---- linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-03-27 14:31:47.000000000 -0400
1280 -+++ linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-04-17 15:56:45.000000000 -0400
1281 -@@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
1282 - return virt_to_phys(sp);
1283 - }
1284 -
1285 --static struct platform_suspend_ops sa11x0_pm_ops = {
1286 -+static const struct platform_suspend_ops sa11x0_pm_ops = {
1287 - .enter = sa11x0_pm_enter,
1288 - .valid = suspend_valid_only_mem,
1289 - };
1290 -diff -urNp linux-2.6.32.46/arch/arm/mm/fault.c linux-2.6.32.46/arch/arm/mm/fault.c
1291 ---- linux-2.6.32.46/arch/arm/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1292 -+++ linux-2.6.32.46/arch/arm/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1293 -@@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
1294 - }
1295 - #endif
1296 -
1297 -+#ifdef CONFIG_PAX_PAGEEXEC
1298 -+ if (fsr & FSR_LNX_PF) {
1299 -+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1300 -+ do_group_exit(SIGKILL);
1301 -+ }
1302 -+#endif
1303 -+
1304 - tsk->thread.address = addr;
1305 - tsk->thread.error_code = fsr;
1306 - tsk->thread.trap_no = 14;
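Review bot: The block added to `__do_user_fault()` kills the whole thread group on `fsr & FSR_LNX_PF` whenever CONFIG_PAX_PAGEEXEC is built in, without testing the per-mm flag. The alpha and avr32 fault handlers in this same patch both gate the kill path on `mm->pax_flags & MF_PAX_PAGEEXEC`. If the omission is intentional on ARM, a comment should say why; otherwise add the same check so that a task with PAGEEXEC disabled for its mm gets the normal signal delivery instead of SIGKILL.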
1307 -@@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
1308 - }
1309 - #endif /* CONFIG_MMU */
1310 -
1311 -+#ifdef CONFIG_PAX_PAGEEXEC
1312 -+void pax_report_insns(void *pc, void *sp)
1313 -+{
1314 -+ long i;
1315 -+
1316 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1317 -+ for (i = 0; i < 20; i++) {
1318 -+ unsigned char c;
1319 -+ if (get_user(c, (__force unsigned char __user *)pc+i))
1320 -+ printk(KERN_CONT "?? ");
1321 -+ else
1322 -+ printk(KERN_CONT "%02x ", c);
1323 -+ }
1324 -+ printk("\n");
1325 -+
1326 -+ printk(KERN_ERR "PAX: bytes at SP-4: ");
1327 -+ for (i = -1; i < 20; i++) {
1328 -+ unsigned long c;
1329 -+ if (get_user(c, (__force unsigned long __user *)sp+i))
1330 -+ printk(KERN_CONT "???????? ");
1331 -+ else
1332 -+ printk(KERN_CONT "%08lx ", c);
1333 -+ }
1334 -+ printk("\n");
1335 -+}
1336 -+#endif
1337 -+
1338 - /*
1339 - * First Level Translation Fault Handler
1340 - *
1341 -diff -urNp linux-2.6.32.46/arch/arm/mm/mmap.c linux-2.6.32.46/arch/arm/mm/mmap.c
1342 ---- linux-2.6.32.46/arch/arm/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
1343 -+++ linux-2.6.32.46/arch/arm/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
1344 -@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
1345 - if (len > TASK_SIZE)
1346 - return -ENOMEM;
1347 -
1348 -+#ifdef CONFIG_PAX_RANDMMAP
1349 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1350 -+#endif
1351 -+
1352 - if (addr) {
1353 - if (do_align)
1354 - addr = COLOUR_ALIGN(addr, pgoff);
1355 -@@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
1356 - addr = PAGE_ALIGN(addr);
1357 -
1358 - vma = find_vma(mm, addr);
1359 -- if (TASK_SIZE - len >= addr &&
1360 -- (!vma || addr + len <= vma->vm_start))
1361 -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1362 - return addr;
1363 - }
1364 - if (len > mm->cached_hole_size) {
1365 -- start_addr = addr = mm->free_area_cache;
1366 -+ start_addr = addr = mm->free_area_cache;
1367 - } else {
1368 -- start_addr = addr = TASK_UNMAPPED_BASE;
1369 -- mm->cached_hole_size = 0;
1370 -+ start_addr = addr = mm->mmap_base;
1371 -+ mm->cached_hole_size = 0;
1372 - }
1373 -
1374 - full_search:
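Review bot: The removed and added lines for `start_addr = addr = mm->free_area_cache;` and for `mm->cached_hole_size = 0;` carry the same text as shown here, so they appear to be whitespace-only changes. Please drop them so the hunk contains only the functional changes, namely the switch to `check_heap_stack_gap()` and the replacement of `TASK_UNMAPPED_BASE` with `mm->mmap_base`. Mixing reindentation into a security patch of this size makes the real changes harder to audit.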
1375 -@@ -94,14 +97,14 @@ full_search:
1376 - * Start a new search - just in case we missed
1377 - * some holes.
1378 - */
1379 -- if (start_addr != TASK_UNMAPPED_BASE) {
1380 -- start_addr = addr = TASK_UNMAPPED_BASE;
1381 -+ if (start_addr != mm->mmap_base) {
1382 -+ start_addr = addr = mm->mmap_base;
1383 - mm->cached_hole_size = 0;
1384 - goto full_search;
1385 - }
1386 - return -ENOMEM;
1387 - }
1388 -- if (!vma || addr + len <= vma->vm_start) {
1389 -+ if (check_heap_stack_gap(vma, addr, len)) {
1390 - /*
1391 - * Remember the place where we stopped the search:
1392 - */
1393 -diff -urNp linux-2.6.32.46/arch/arm/plat-s3c/pm.c linux-2.6.32.46/arch/arm/plat-s3c/pm.c
1394 ---- linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-03-27 14:31:47.000000000 -0400
1395 -+++ linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-04-17 15:56:45.000000000 -0400
1396 -@@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
1397 - s3c_pm_check_cleanup();
1398 - }
1399 -
1400 --static struct platform_suspend_ops s3c_pm_ops = {
1401 -+static const struct platform_suspend_ops s3c_pm_ops = {
1402 - .enter = s3c_pm_enter,
1403 - .prepare = s3c_pm_prepare,
1404 - .finish = s3c_pm_finish,
1405 -diff -urNp linux-2.6.32.46/arch/avr32/include/asm/elf.h linux-2.6.32.46/arch/avr32/include/asm/elf.h
1406 ---- linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1407 -+++ linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1408 -@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
1409 - the loader. We need to make sure that it is out of the way of the program
1410 - that it will "exec", and that there is sufficient room for the brk. */
1411 -
1412 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1413 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1414 -
1415 -+#ifdef CONFIG_PAX_ASLR
1416 -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1417 -+
1418 -+#define PAX_DELTA_MMAP_LEN 15
1419 -+#define PAX_DELTA_STACK_LEN 15
1420 -+#endif
1421 -
1422 - /* This yields a mask that user programs can use to figure out what
1423 - instruction set this CPU supports. This could be done in user space,
1424 -diff -urNp linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h
1425 ---- linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
1426 -+++ linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
1427 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1428 - D(11) KM_IRQ1,
1429 - D(12) KM_SOFTIRQ0,
1430 - D(13) KM_SOFTIRQ1,
1431 --D(14) KM_TYPE_NR
1432 -+D(14) KM_CLEARPAGE,
1433 -+D(15) KM_TYPE_NR
1434 - };
1435 -
1436 - #undef D
1437 -diff -urNp linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c
1438 ---- linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-03-27 14:31:47.000000000 -0400
1439 -+++ linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-04-17 15:56:45.000000000 -0400
1440 -@@ -176,7 +176,7 @@ out:
1441 - return 0;
1442 - }
1443 -
1444 --static struct platform_suspend_ops avr32_pm_ops = {
1445 -+static const struct platform_suspend_ops avr32_pm_ops = {
1446 - .valid = avr32_pm_valid_state,
1447 - .enter = avr32_pm_enter,
1448 - };
1449 -diff -urNp linux-2.6.32.46/arch/avr32/mm/fault.c linux-2.6.32.46/arch/avr32/mm/fault.c
1450 ---- linux-2.6.32.46/arch/avr32/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1451 -+++ linux-2.6.32.46/arch/avr32/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1452 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1453 -
1454 - int exception_trace = 1;
1455 -
1456 -+#ifdef CONFIG_PAX_PAGEEXEC
1457 -+void pax_report_insns(void *pc, void *sp)
1458 -+{
1459 -+ unsigned long i;
1460 -+
1461 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1462 -+ for (i = 0; i < 20; i++) {
1463 -+ unsigned char c;
1464 -+ if (get_user(c, (unsigned char *)pc+i))
1465 -+ printk(KERN_CONT "???????? ");
1466 -+ else
1467 -+ printk(KERN_CONT "%02x ", c);
1468 -+ }
1469 -+ printk("\n");
1470 -+}
1471 -+#endif
1472 -+
1473 - /*
1474 - * This routine handles page faults. It determines the address and the
1475 - * problem, and then passes it off to one of the appropriate routines.
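Review bot: In the avr32 `pax_report_insns()`, `c` is an `unsigned char` printed with `%02x`, but the failure placeholder is `"???????? "` (eight characters), so a failed `get_user()` misaligns the byte dump. The ARM version in this patch uses `"?? "` for its byte loop; use the same here. The cast `(unsigned char *)pc+i` also lacks the `__force ... __user` annotation that the ARM version carries, which will produce sparse warnings.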
1476 -@@ -157,6 +174,16 @@ bad_area:
1477 - up_read(&mm->mmap_sem);
1478 -
1479 - if (user_mode(regs)) {
1480 -+
1481 -+#ifdef CONFIG_PAX_PAGEEXEC
1482 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1483 -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1484 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1485 -+ do_group_exit(SIGKILL);
1486 -+ }
1487 -+ }
1488 -+#endif
1489 -+
1490 - if (exception_trace && printk_ratelimit())
1491 - printk("%s%s[%d]: segfault at %08lx pc %08lx "
1492 - "sp %08lx ecr %lu\n",
1493 -diff -urNp linux-2.6.32.46/arch/blackfin/kernel/kgdb.c linux-2.6.32.46/arch/blackfin/kernel/kgdb.c
1494 ---- linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1495 -+++ linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1496 -@@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
1497 - return -1; /* this means that we do not want to exit from the handler */
1498 - }
1499 -
1500 --struct kgdb_arch arch_kgdb_ops = {
1501 -+const struct kgdb_arch arch_kgdb_ops = {
1502 - .gdb_bpt_instr = {0xa1},
1503 - #ifdef CONFIG_SMP
1504 - .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
1505 -diff -urNp linux-2.6.32.46/arch/blackfin/mach-common/pm.c linux-2.6.32.46/arch/blackfin/mach-common/pm.c
1506 ---- linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-03-27 14:31:47.000000000 -0400
1507 -+++ linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-04-17 15:56:45.000000000 -0400
1508 -@@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
1509 - return 0;
1510 - }
1511 -
1512 --struct platform_suspend_ops bfin_pm_ops = {
1513 -+const struct platform_suspend_ops bfin_pm_ops = {
1514 - .enter = bfin_pm_enter,
1515 - .valid = bfin_pm_valid,
1516 - };
1517 -diff -urNp linux-2.6.32.46/arch/frv/include/asm/kmap_types.h linux-2.6.32.46/arch/frv/include/asm/kmap_types.h
1518 ---- linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
1519 -+++ linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
1520 -@@ -23,6 +23,7 @@ enum km_type {
1521 - KM_IRQ1,
1522 - KM_SOFTIRQ0,
1523 - KM_SOFTIRQ1,
1524 -+ KM_CLEARPAGE,
1525 - KM_TYPE_NR
1526 - };
1527 -
1528 -diff -urNp linux-2.6.32.46/arch/frv/mm/elf-fdpic.c linux-2.6.32.46/arch/frv/mm/elf-fdpic.c
1529 ---- linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-03-27 14:31:47.000000000 -0400
1530 -+++ linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-04-17 15:56:45.000000000 -0400
1531 -@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1532 - if (addr) {
1533 - addr = PAGE_ALIGN(addr);
1534 - vma = find_vma(current->mm, addr);
1535 -- if (TASK_SIZE - len >= addr &&
1536 -- (!vma || addr + len <= vma->vm_start))
1537 -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1538 - goto success;
1539 - }
1540 -
1541 -@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1542 - for (; vma; vma = vma->vm_next) {
1543 - if (addr > limit)
1544 - break;
1545 -- if (addr + len <= vma->vm_start)
1546 -+ if (check_heap_stack_gap(vma, addr, len))
1547 - goto success;
1548 - addr = vma->vm_end;
1549 - }
1550 -@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1551 - for (; vma; vma = vma->vm_next) {
1552 - if (addr > limit)
1553 - break;
1554 -- if (addr + len <= vma->vm_start)
1555 -+ if (check_heap_stack_gap(vma, addr, len))
1556 - goto success;
1557 - addr = vma->vm_end;
1558 - }
1559 -diff -urNp linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c
1560 ---- linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-03-27 14:31:47.000000000 -0400
1561 -+++ linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:56:45.000000000 -0400
1562 -@@ -17,7 +17,7 @@
1563 - #include <linux/swiotlb.h>
1564 - #include <asm/machvec.h>
1565 -
1566 --extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1567 -+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1568 -
1569 - /* swiotlb declarations & definitions: */
1570 - extern int swiotlb_late_init_with_default_size (size_t size);
1571 -@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1572 - !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1573 - }
1574 -
1575 --struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1576 -+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1577 - {
1578 - if (use_swiotlb(dev))
1579 - return &swiotlb_dma_ops;
1580 -diff -urNp linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c
1581 ---- linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-03-27 14:31:47.000000000 -0400
1582 -+++ linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:56:45.000000000 -0400
1583 -@@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1584 - },
1585 - };
1586 -
1587 --extern struct dma_map_ops swiotlb_dma_ops;
1588 -+extern const struct dma_map_ops swiotlb_dma_ops;
1589 -
1590 - static int __init
1591 - sba_init(void)
1592 -@@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1593 -
1594 - __setup("sbapagesize=",sba_page_override);
1595 -
1596 --struct dma_map_ops sba_dma_ops = {
1597 -+const struct dma_map_ops sba_dma_ops = {
1598 - .alloc_coherent = sba_alloc_coherent,
1599 - .free_coherent = sba_free_coherent,
1600 - .map_page = sba_map_page,
1601 -diff -urNp linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c
1602 ---- linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-03-27 14:31:47.000000000 -0400
1603 -+++ linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-04-17 15:56:45.000000000 -0400
1604 -@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
1605 -
1606 - #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
1607 -
1608 -+#ifdef CONFIG_PAX_ASLR
1609 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1610 -+
1611 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1612 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1613 -+#endif
1614 -+
1615 - /* Ugly but avoids duplication */
1616 - #include "../../../fs/binfmt_elf.c"
1617 -
1618 -diff -urNp linux-2.6.32.46/arch/ia64/ia32/ia32priv.h linux-2.6.32.46/arch/ia64/ia32/ia32priv.h
1619 ---- linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-03-27 14:31:47.000000000 -0400
1620 -+++ linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-04-17 15:56:45.000000000 -0400
1621 -@@ -296,7 +296,14 @@ typedef struct compat_siginfo {
1622 - #define ELF_DATA ELFDATA2LSB
1623 - #define ELF_ARCH EM_386
1624 -
1625 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
1626 -+#ifdef CONFIG_PAX_RANDUSTACK
1627 -+#define __IA32_DELTA_STACK (current->mm->delta_stack)
1628 -+#else
1629 -+#define __IA32_DELTA_STACK 0UL
1630 -+#endif
1631 -+
1632 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
1633 -+
1634 - #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
1635 - #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
1636 -
1637 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h
1638 ---- linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
1639 -+++ linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
1640 -@@ -12,7 +12,7 @@
1641 -
1642 - #define ARCH_HAS_DMA_GET_REQUIRED_MASK
1643 -
1644 --extern struct dma_map_ops *dma_ops;
1645 -+extern const struct dma_map_ops *dma_ops;
1646 - extern struct ia64_machine_vector ia64_mv;
1647 - extern void set_iommu_machvec(void);
1648 -
1649 -@@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
1650 - static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1651 - dma_addr_t *daddr, gfp_t gfp)
1652 - {
1653 -- struct dma_map_ops *ops = platform_dma_get_ops(dev);
1654 -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1655 - void *caddr;
1656 -
1657 - caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1658 -@@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
1659 - static inline void dma_free_coherent(struct device *dev, size_t size,
1660 - void *caddr, dma_addr_t daddr)
1661 - {
1662 -- struct dma_map_ops *ops = platform_dma_get_ops(dev);
1663 -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1664 - debug_dma_free_coherent(dev, size, caddr, daddr);
1665 - ops->free_coherent(dev, size, caddr, daddr);
1666 - }
1667 -@@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
1668 -
1669 - static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1670 - {
1671 -- struct dma_map_ops *ops = platform_dma_get_ops(dev);
1672 -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1673 - return ops->mapping_error(dev, daddr);
1674 - }
1675 -
1676 - static inline int dma_supported(struct device *dev, u64 mask)
1677 - {
1678 -- struct dma_map_ops *ops = platform_dma_get_ops(dev);
1679 -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1680 - return ops->dma_supported(dev, mask);
1681 - }
1682 -
1683 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/elf.h linux-2.6.32.46/arch/ia64/include/asm/elf.h
1684 ---- linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1685 -+++ linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1686 -@@ -43,6 +43,13 @@
1687 - */
1688 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1689 -
1690 -+#ifdef CONFIG_PAX_ASLR
1691 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1692 -+
1693 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1694 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1695 -+#endif
1696 -+
1697 - #define PT_IA_64_UNWIND 0x70000001
1698 -
1699 - /* IA-64 relocations: */
1700 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/machvec.h linux-2.6.32.46/arch/ia64/include/asm/machvec.h
1701 ---- linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-03-27 14:31:47.000000000 -0400
1702 -+++ linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-04-17 15:56:45.000000000 -0400
1703 -@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1704 - /* DMA-mapping interface: */
1705 - typedef void ia64_mv_dma_init (void);
1706 - typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1707 --typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1708 -+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1709 -
1710 - /*
1711 - * WARNING: The legacy I/O space is _architected_. Platforms are
1712 -@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1713 - # endif /* CONFIG_IA64_GENERIC */
1714 -
1715 - extern void swiotlb_dma_init(void);
1716 --extern struct dma_map_ops *dma_get_ops(struct device *);
1717 -+extern const struct dma_map_ops *dma_get_ops(struct device *);
1718 -
1719 - /*
1720 - * Define default versions so we can extend machvec for new platforms without having
1721 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/pgtable.h linux-2.6.32.46/arch/ia64/include/asm/pgtable.h
1722 ---- linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1723 -+++ linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1724 -@@ -12,7 +12,7 @@
1725 - * David Mosberger-Tang <davidm@××××××.com>
1726 - */
1727 -
1728 --
1729 -+#include <linux/const.h>
1730 - #include <asm/mman.h>
1731 - #include <asm/page.h>
1732 - #include <asm/processor.h>
1733 -@@ -143,6 +143,17 @@
1734 - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1735 - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1736 - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1737 -+
1738 -+#ifdef CONFIG_PAX_PAGEEXEC
1739 -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1740 -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1741 -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1742 -+#else
1743 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1744 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1745 -+# define PAGE_COPY_NOEXEC PAGE_COPY
1746 -+#endif
1747 -+
1748 - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1749 - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1750 - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
1751 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/spinlock.h linux-2.6.32.46/arch/ia64/include/asm/spinlock.h
1752 ---- linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
1753 -+++ linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-04-17 15:56:45.000000000 -0400
1754 -@@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1755 - unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1756 -
1757 - asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1758 -- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1759 -+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1760 - }
1761 -
1762 - static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1763 -diff -urNp linux-2.6.32.46/arch/ia64/include/asm/uaccess.h linux-2.6.32.46/arch/ia64/include/asm/uaccess.h
1764 ---- linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
1765 -+++ linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
1766 -@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1767 - const void *__cu_from = (from); \
1768 - long __cu_len = (n); \
1769 - \
1770 -- if (__access_ok(__cu_to, __cu_len, get_fs())) \
1771 -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1772 - __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1773 - __cu_len; \
1774 - })
1775 -@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1776 - long __cu_len = (n); \
1777 - \
1778 - __chk_user_ptr(__cu_from); \
1779 -- if (__access_ok(__cu_from, __cu_len, get_fs())) \
1780 -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1781 - __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1782 - __cu_len; \
1783 - })
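Review bot: the new length guard in both ia64 copy macros (`__cu_len > 0 && __cu_len <= INT_MAX`) has no comment explaining why INT_MAX is the upper bound, and it differs from the m32r change in this same patch, which rejects only values whose sign bit is set. When the guard fails, `__cu_len` is returned unchanged, so a caller sees the rejected length, negative values included, as the count of bytes not copied. Nothing in these lines clears the kernel destination on the from-user path in that case. A one-line comment on the bound, and a shared helper so that all architectures reject the same range, would make the intent checkable.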
1784 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c
1785 ---- linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-03-27 14:31:47.000000000 -0400
1786 -+++ linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:56:45.000000000 -0400
1787 -@@ -3,7 +3,7 @@
1788 - /* Set this to 1 if there is a HW IOMMU in the system */
1789 - int iommu_detected __read_mostly;
1790 -
1791 --struct dma_map_ops *dma_ops;
1792 -+const struct dma_map_ops *dma_ops;
1793 - EXPORT_SYMBOL(dma_ops);
1794 -
1795 - #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1796 -@@ -16,7 +16,7 @@ static int __init dma_init(void)
1797 - }
1798 - fs_initcall(dma_init);
1799 -
1800 --struct dma_map_ops *dma_get_ops(struct device *dev)
1801 -+const struct dma_map_ops *dma_get_ops(struct device *dev)
1802 - {
1803 - return dma_ops;
1804 - }
1805 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/module.c linux-2.6.32.46/arch/ia64/kernel/module.c
1806 ---- linux-2.6.32.46/arch/ia64/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1807 -+++ linux-2.6.32.46/arch/ia64/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1808 -@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1809 - void
1810 - module_free (struct module *mod, void *module_region)
1811 - {
1812 -- if (mod && mod->arch.init_unw_table &&
1813 -- module_region == mod->module_init) {
1814 -+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1815 - unw_remove_unwind_table(mod->arch.init_unw_table);
1816 - mod->arch.init_unw_table = NULL;
1817 - }
1818 -@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1819 - }
1820 -
1821 - static inline int
1822 -+in_init_rx (const struct module *mod, uint64_t addr)
1823 -+{
1824 -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1825 -+}
1826 -+
1827 -+static inline int
1828 -+in_init_rw (const struct module *mod, uint64_t addr)
1829 -+{
1830 -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1831 -+}
1832 -+
1833 -+static inline int
1834 - in_init (const struct module *mod, uint64_t addr)
1835 - {
1836 -- return addr - (uint64_t) mod->module_init < mod->init_size;
1837 -+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1838 -+}
1839 -+
1840 -+static inline int
1841 -+in_core_rx (const struct module *mod, uint64_t addr)
1842 -+{
1843 -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1844 -+}
1845 -+
1846 -+static inline int
1847 -+in_core_rw (const struct module *mod, uint64_t addr)
1848 -+{
1849 -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1850 - }
1851 -
1852 - static inline int
1853 - in_core (const struct module *mod, uint64_t addr)
1854 - {
1855 -- return addr - (uint64_t) mod->module_core < mod->core_size;
1856 -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1857 - }
1858 -
1859 - static inline int
1860 -@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1861 - break;
1862 -
1863 - case RV_BDREL:
1864 -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1865 -+ if (in_init_rx(mod, val))
1866 -+ val -= (uint64_t) mod->module_init_rx;
1867 -+ else if (in_init_rw(mod, val))
1868 -+ val -= (uint64_t) mod->module_init_rw;
1869 -+ else if (in_core_rx(mod, val))
1870 -+ val -= (uint64_t) mod->module_core_rx;
1871 -+ else if (in_core_rw(mod, val))
1872 -+ val -= (uint64_t) mod->module_core_rw;
1873 - break;
1874 -
1875 - case RV_LTV:
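Review bot: the RV_BDREL case has lost its default. The old expression always subtracted either `module_init` or `module_core`, but the new if / else-if chain ends without a final `else`, so a `val` that falls in none of the four regions is passed on unmodified and unreported. Either add a final `else` that fails the relocation with an error message, or add a comment stating why that case cannot occur.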
1876 -@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1877 - * addresses have been selected...
1878 - */
1879 - uint64_t gp;
1880 -- if (mod->core_size > MAX_LTOFF)
1881 -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1882 - /*
1883 - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1884 - * at the end of the module.
1885 - */
1886 -- gp = mod->core_size - MAX_LTOFF / 2;
1887 -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1888 - else
1889 -- gp = mod->core_size / 2;
1890 -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1891 -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1892 -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1893 - mod->arch.gp = gp;
1894 - DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1895 - }
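Review bot: the gp computation takes an offset from the combined size `core_size_rx + core_size_rw` but adds it to `module_core_rx` alone. That is only correct if the rw region is laid out directly after the rx region in one contiguous range, which nothing in this hunk establishes. The retained comment about SHF_ARCH_SMALL being allocated "at the end of the module" also needs revisiting now that there are two regions. Please state the layout assumption in a comment, or compute gp relative to the region that actually holds the small-data sections.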
1896 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-dma.c linux-2.6.32.46/arch/ia64/kernel/pci-dma.c
1897 ---- linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
1898 -+++ linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-04-17 15:56:45.000000000 -0400
1899 -@@ -43,7 +43,7 @@ struct device fallback_dev = {
1900 - .dma_mask = &fallback_dev.coherent_dma_mask,
1901 - };
1902 -
1903 --extern struct dma_map_ops intel_dma_ops;
1904 -+extern const struct dma_map_ops intel_dma_ops;
1905 -
1906 - static int __init pci_iommu_init(void)
1907 - {
1908 -@@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1909 - }
1910 - EXPORT_SYMBOL(iommu_dma_supported);
1911 -
1912 -+extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1913 -+extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1914 -+extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1915 -+extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1916 -+extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1917 -+extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1918 -+extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1919 -+
1920 -+static const struct dma_map_ops intel_iommu_dma_ops = {
1921 -+ /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1922 -+ .alloc_coherent = intel_alloc_coherent,
1923 -+ .free_coherent = intel_free_coherent,
1924 -+ .map_sg = intel_map_sg,
1925 -+ .unmap_sg = intel_unmap_sg,
1926 -+ .map_page = intel_map_page,
1927 -+ .unmap_page = intel_unmap_page,
1928 -+ .mapping_error = intel_mapping_error,
1929 -+
1930 -+ .sync_single_for_cpu = machvec_dma_sync_single,
1931 -+ .sync_sg_for_cpu = machvec_dma_sync_sg,
1932 -+ .sync_single_for_device = machvec_dma_sync_single,
1933 -+ .sync_sg_for_device = machvec_dma_sync_sg,
1934 -+ .dma_supported = iommu_dma_supported,
1935 -+};
1936 -+
1937 - void __init pci_iommu_alloc(void)
1938 - {
1939 -- dma_ops = &intel_dma_ops;
1940 --
1941 -- dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1942 -- dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1943 -- dma_ops->sync_single_for_device = machvec_dma_sync_single;
1944 -- dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1945 -- dma_ops->dma_supported = iommu_dma_supported;
1946 -+ dma_ops = &intel_iommu_dma_ops;
1947 -
1948 - /*
1949 - * The order of these functions is important for
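Review bot: `intel_iommu_dma_ops` copies the member list of `intel_dma_ops` by hand, with only a comment pointing at the original, so any callback later added to `intel_dma_ops` will be silently missing here. The seven `extern` prototypes are also declared locally in this .c file, where the compiler cannot check them against the definitions. Moving the prototypes to a shared header would fix that. The `extern const struct dma_map_ops intel_dma_ops;` declaration kept by the previous hunk no longer has a user in the visible code and can probably be dropped.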
1950 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c
1951 ---- linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
1952 -+++ linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
1953 -@@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1954 - return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1955 - }
1956 -
1957 --struct dma_map_ops swiotlb_dma_ops = {
1958 -+const struct dma_map_ops swiotlb_dma_ops = {
1959 - .alloc_coherent = ia64_swiotlb_alloc_coherent,
1960 - .free_coherent = swiotlb_free_coherent,
1961 - .map_page = swiotlb_map_page,
1962 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c
1963 ---- linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-03-27 14:31:47.000000000 -0400
1964 -+++ linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:56:45.000000000 -0400
1965 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1966 - if (REGION_NUMBER(addr) == RGN_HPAGE)
1967 - addr = 0;
1968 - #endif
1969 -+
1970 -+#ifdef CONFIG_PAX_RANDMMAP
1971 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1972 -+ addr = mm->free_area_cache;
1973 -+ else
1974 -+#endif
1975 -+
1976 - if (!addr)
1977 - addr = mm->free_area_cache;
1978 -
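Review bot: the `else` at the end of the `#ifdef CONFIG_PAX_RANDMMAP` block binds to the `if (!addr)` that follows the `#endif` and a blank line. This is easy to break with a later edit and hard to read in either configuration. With `MF_PAX_RANDMMAP` set, the caller's hint in `addr` is also overwritten unconditionally. If that is intended, say so in a comment, and consider writing the condition as a single `if` with the flag test folded in, so that the control flow does not depend on the preprocessor.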
1979 -@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1980 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1981 - /* At this point: (!vma || addr < vma->vm_end). */
1982 - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1983 -- if (start_addr != TASK_UNMAPPED_BASE) {
1984 -+ if (start_addr != mm->mmap_base) {
1985 - /* Start a new search --- just in case we missed some holes. */
1986 -- addr = TASK_UNMAPPED_BASE;
1987 -+ addr = mm->mmap_base;
1988 - goto full_search;
1989 - }
1990 - return -ENOMEM;
1991 - }
1992 -- if (!vma || addr + len <= vma->vm_start) {
1993 -+ if (check_heap_stack_gap(vma, addr, len)) {
1994 - /* Remember the address where we stopped this search: */
1995 - mm->free_area_cache = addr + len;
1996 - return addr;
1997 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/topology.c linux-2.6.32.46/arch/ia64/kernel/topology.c
1998 ---- linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-03-27 14:31:47.000000000 -0400
1999 -+++ linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-04-17 15:56:45.000000000 -0400
2000 -@@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
2001 - return ret;
2002 - }
2003 -
2004 --static struct sysfs_ops cache_sysfs_ops = {
2005 -+static const struct sysfs_ops cache_sysfs_ops = {
2006 - .show = cache_show
2007 - };
2008 -
2009 -diff -urNp linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S
2010 ---- linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
2011 -+++ linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:56:45.000000000 -0400
2012 -@@ -190,7 +190,7 @@ SECTIONS
2013 - /* Per-cpu data: */
2014 - . = ALIGN(PERCPU_PAGE_SIZE);
2015 - PERCPU_VADDR(PERCPU_ADDR, :percpu)
2016 -- __phys_per_cpu_start = __per_cpu_load;
2017 -+ __phys_per_cpu_start = per_cpu_load;
2018 - . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
2019 - * into percpu page size
2020 - */
2021 -diff -urNp linux-2.6.32.46/arch/ia64/mm/fault.c linux-2.6.32.46/arch/ia64/mm/fault.c
2022 ---- linux-2.6.32.46/arch/ia64/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2023 -+++ linux-2.6.32.46/arch/ia64/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2024 -@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
2025 - return pte_present(pte);
2026 - }
2027 -
2028 -+#ifdef CONFIG_PAX_PAGEEXEC
2029 -+void pax_report_insns(void *pc, void *sp)
2030 -+{
2031 -+ unsigned long i;
2032 -+
2033 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2034 -+ for (i = 0; i < 8; i++) {
2035 -+ unsigned int c;
2036 -+ if (get_user(c, (unsigned int *)pc+i))
2037 -+ printk(KERN_CONT "???????? ");
2038 -+ else
2039 -+ printk(KERN_CONT "%08x ", c);
2040 -+ }
2041 -+ printk("\n");
2042 -+}
2043 -+#endif
2044 -+
2045 - void __kprobes
2046 - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
2047 - {
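Review bot: in `pax_report_insns()` the `get_user()` call casts `pc` to a plain `(unsigned int *)` with no `__user` annotation, so sparse cannot check this access to a user address. The `sp` parameter is never used in the body, and the closing `printk("\n")` lacks the `KERN_CONT` marker that the other continuation lines carry. Suggest `(unsigned int __user *)pc + i`, `printk(KERN_CONT "\n")`, and a short comment on why `sp` is accepted but ignored on this architecture.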
2048 -@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
2049 - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
2050 - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
2051 -
2052 -- if ((vma->vm_flags & mask) != mask)
2053 -+ if ((vma->vm_flags & mask) != mask) {
2054 -+
2055 -+#ifdef CONFIG_PAX_PAGEEXEC
2056 -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
2057 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
2058 -+ goto bad_area;
2059 -+
2060 -+ up_read(&mm->mmap_sem);
2061 -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
2062 -+ do_group_exit(SIGKILL);
2063 -+ }
2064 -+#endif
2065 -+
2066 - goto bad_area;
2067 -
2068 -+ }
2069 -+
2070 - survive:
2071 - /*
2072 - * If for any reason at all we couldn't handle the fault, make
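Review bot: nothing follows `do_group_exit(SIGKILL)` inside the new PAGEEXEC block, so the code relies on that call never returning. If it did return, control would fall through to `goto bad_area` with `mmap_sem` already released by the `up_read()` two lines earlier. A comment noting the no-return assumption would make this explicit. The test `address != regs->cr_iip` also deserves a comment saying that it separates an instruction fetch at the faulting PC from other execute-permission faults.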
2073 -diff -urNp linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c
2074 ---- linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
2075 -+++ linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:56:45.000000000 -0400
2076 -@@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
2077 - /* At this point: (!vmm || addr < vmm->vm_end). */
2078 - if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
2079 - return -ENOMEM;
2080 -- if (!vmm || (addr + len) <= vmm->vm_start)
2081 -+ if (check_heap_stack_gap(vmm, addr, len))
2082 - return addr;
2083 - addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
2084 - }
2085 -diff -urNp linux-2.6.32.46/arch/ia64/mm/init.c linux-2.6.32.46/arch/ia64/mm/init.c
2086 ---- linux-2.6.32.46/arch/ia64/mm/init.c 2011-03-27 14:31:47.000000000 -0400
2087 -+++ linux-2.6.32.46/arch/ia64/mm/init.c 2011-04-17 15:56:45.000000000 -0400
2088 -@@ -122,6 +122,19 @@ ia64_init_addr_space (void)
2089 - vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
2090 - vma->vm_end = vma->vm_start + PAGE_SIZE;
2091 - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
2092 -+
2093 -+#ifdef CONFIG_PAX_PAGEEXEC
2094 -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
2095 -+ vma->vm_flags &= ~VM_EXEC;
2096 -+
2097 -+#ifdef CONFIG_PAX_MPROTECT
2098 -+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
2099 -+ vma->vm_flags &= ~VM_MAYEXEC;
2100 -+#endif
2101 -+
2102 -+ }
2103 -+#endif
2104 -+
2105 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2106 - down_write(&current->mm->mmap_sem);
2107 - if (insert_vm_struct(current->mm, vma)) {
2108 -diff -urNp linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c
2109 ---- linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-03-27 14:31:47.000000000 -0400
2110 -+++ linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:56:45.000000000 -0400
2111 -@@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
2112 - return ret;
2113 - }
2114 -
2115 --static struct dma_map_ops sn_dma_ops = {
2116 -+static const struct dma_map_ops sn_dma_ops = {
2117 - .alloc_coherent = sn_dma_alloc_coherent,
2118 - .free_coherent = sn_dma_free_coherent,
2119 - .map_page = sn_dma_map_page,
2120 -diff -urNp linux-2.6.32.46/arch/m32r/lib/usercopy.c linux-2.6.32.46/arch/m32r/lib/usercopy.c
2121 ---- linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-03-27 14:31:47.000000000 -0400
2122 -+++ linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-04-17 15:56:45.000000000 -0400
2123 -@@ -14,6 +14,9 @@
2124 - unsigned long
2125 - __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
2126 - {
2127 -+ if ((long)n < 0)
2128 -+ return n;
2129 -+
2130 - prefetch(from);
2131 - if (access_ok(VERIFY_WRITE, to, n))
2132 - __copy_user(to,from,n);
2133 -@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
2134 - unsigned long
2135 - __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
2136 - {
2137 -+ if ((long)n < 0)
2138 -+ return n;
2139 -+
2140 - prefetchw(to);
2141 - if (access_ok(VERIFY_READ, from, n))
2142 - __copy_user_zeroing(to,from,n);
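Review bot: the early `return n` added to `__generic_copy_from_user()` leaves the kernel destination untouched, whereas the normal path goes through `__copy_user_zeroing()`. A caller that ignores the return value would then consume whatever was in `to` before the call. Consider clearing the buffer before returning, or document why the oversized case cannot reach a caller that skips the check. The cast-to-`long` test also rejects a different range from the `INT_MAX` bound used for ia64 in this same patch, so a comment on the chosen limit would help.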
2143 -diff -urNp linux-2.6.32.46/arch/mips/Makefile linux-2.6.32.46/arch/mips/Makefile
2144 ---- linux-2.6.32.46/arch/mips/Makefile 2011-03-27 14:31:47.000000000 -0400
2145 -+++ linux-2.6.32.46/arch/mips/Makefile 2011-08-21 19:26:52.000000000 -0400
2146 -@@ -51,6 +51,8 @@ endif
2147 - cflags-y := -ffunction-sections
2148 - cflags-y += $(call cc-option, -mno-check-zero-division)
2149 -
2150 -+cflags-y += -Wno-sign-compare -Wno-extra
2151 -+
2152 - ifdef CONFIG_32BIT
2153 - ld-emul = $(32bit-emul)
2154 - vmlinux-32 = vmlinux
2155 -diff -urNp linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c
2156 ---- linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-03-27 14:31:47.000000000 -0400
2157 -+++ linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-04-17 15:56:45.000000000 -0400
2158 -@@ -78,7 +78,7 @@ static void db1x_pm_end(void)
2159 -
2160 - }
2161 -
2162 --static struct platform_suspend_ops db1x_pm_ops = {
2163 -+static const struct platform_suspend_ops db1x_pm_ops = {
2164 - .valid = suspend_valid_only_mem,
2165 - .begin = db1x_pm_begin,
2166 - .enter = db1x_pm_enter,
2167 -diff -urNp linux-2.6.32.46/arch/mips/include/asm/elf.h linux-2.6.32.46/arch/mips/include/asm/elf.h
2168 ---- linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2169 -+++ linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2170 -@@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
2171 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2172 - #endif
2173 -
2174 -+#ifdef CONFIG_PAX_ASLR
2175 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
2176 -+
2177 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2178 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2179 -+#endif
2180 -+
2181 - #endif /* _ASM_ELF_H */
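Review bot: both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect. The same line is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks below. Either the 64-bit arm was meant to be a different base, or the macro should be the plain constant. The `27-PAGE_SHIFT` and `36-PAGE_SHIFT` entropy widths would also benefit from a comment giving the address-space size they are derived from.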
2182 -diff -urNp linux-2.6.32.46/arch/mips/include/asm/page.h linux-2.6.32.46/arch/mips/include/asm/page.h
2183 ---- linux-2.6.32.46/arch/mips/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2184 -+++ linux-2.6.32.46/arch/mips/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
2185 -@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2186 - #ifdef CONFIG_CPU_MIPS32
2187 - typedef struct { unsigned long pte_low, pte_high; } pte_t;
2188 - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2189 -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2190 -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2191 - #else
2192 - typedef struct { unsigned long long pte; } pte_t;
2193 - #define pte_val(x) ((x).pte)
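Review bot: removing the `(unsigned long long)` cast from `__pte(x)` means `(x) >> 32` is now evaluated in the type of the argument. This branch is under `CONFIG_CPU_MIPS32`, where `pte_low` and `pte_high` are `unsigned long`, so a caller that passes a 32-bit value shifts by the full width of the type, which is undefined in C. If the goal was to silence a warning, keep the cast. Otherwise, document that every caller must pass a 64-bit value.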
2194 -diff -urNp linux-2.6.32.46/arch/mips/include/asm/reboot.h linux-2.6.32.46/arch/mips/include/asm/reboot.h
2195 ---- linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
2196 -+++ linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-08-21 17:35:02.000000000 -0400
2197 -@@ -9,7 +9,7 @@
2198 - #ifndef _ASM_REBOOT_H
2199 - #define _ASM_REBOOT_H
2200 -
2201 --extern void (*_machine_restart)(char *command);
2202 --extern void (*_machine_halt)(void);
2203 -+extern void (*__noreturn _machine_restart)(char *command);
2204 -+extern void (*__noreturn _machine_halt)(void);
2205 -
2206 - #endif /* _ASM_REBOOT_H */
2207 -diff -urNp linux-2.6.32.46/arch/mips/include/asm/system.h linux-2.6.32.46/arch/mips/include/asm/system.h
2208 ---- linux-2.6.32.46/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
2209 -+++ linux-2.6.32.46/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
2210 -@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2211 - */
2212 - #define __ARCH_WANT_UNLOCKED_CTXSW
2213 -
2214 --extern unsigned long arch_align_stack(unsigned long sp);
2215 -+#define arch_align_stack(x) ((x) & ~0xfUL)
2216 -
2217 - #endif /* _ASM_SYSTEM_H */
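Review bot: the new `arch_align_stack(x)` macro is unconditional, so it removes the sub-page stack offset that the deleted function in process.c applied via `get_random_int()`. It does this even in builds where no PaX stack randomisation is configured to replace it. It also hardcodes 16-byte alignment, whereas the removed comment distinguishes 8 bytes for the 32-bit ABI from 16 bytes for the 64-bit ABI via `ALMASK`. Suggest guarding the macro with the relevant PaX config option and keeping the original function otherwise, or add a comment explaining why dropping the randomisation is acceptable in every configuration.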
2218 -diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c
2219 ---- linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-03-27 14:31:47.000000000 -0400
2220 -+++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:56:45.000000000 -0400
2221 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2222 - #undef ELF_ET_DYN_BASE
2223 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2224 -
2225 -+#ifdef CONFIG_PAX_ASLR
2226 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
2227 -+
2228 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2229 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2230 -+#endif
2231 -+
2232 - #include <asm/processor.h>
2233 - #include <linux/module.h>
2234 - #include <linux/elfcore.h>
2235 -diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c
2236 ---- linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-03-27 14:31:47.000000000 -0400
2237 -+++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:56:45.000000000 -0400
2238 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2239 - #undef ELF_ET_DYN_BASE
2240 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2241 -
2242 -+#ifdef CONFIG_PAX_ASLR
2243 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
2244 -+
2245 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2246 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2247 -+#endif
2248 -+
2249 - #include <asm/processor.h>
2250 -
2251 - /*
2252 -diff -urNp linux-2.6.32.46/arch/mips/kernel/kgdb.c linux-2.6.32.46/arch/mips/kernel/kgdb.c
2253 ---- linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
2254 -+++ linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
2255 -@@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
2256 - return -1;
2257 - }
2258 -
2259 -+/* cannot be const */
2260 - struct kgdb_arch arch_kgdb_ops;
2261 -
2262 - /*
2263 -diff -urNp linux-2.6.32.46/arch/mips/kernel/process.c linux-2.6.32.46/arch/mips/kernel/process.c
2264 ---- linux-2.6.32.46/arch/mips/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
2265 -+++ linux-2.6.32.46/arch/mips/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
2266 -@@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
2267 - out:
2268 - return pc;
2269 - }
2270 --
2271 --/*
2272 -- * Don't forget that the stack pointer must be aligned on a 8 bytes
2273 -- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2274 -- */
2275 --unsigned long arch_align_stack(unsigned long sp)
2276 --{
2277 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2278 -- sp -= get_random_int() & ~PAGE_MASK;
2279 --
2280 -- return sp & ALMASK;
2281 --}
2282 -diff -urNp linux-2.6.32.46/arch/mips/kernel/reset.c linux-2.6.32.46/arch/mips/kernel/reset.c
2283 ---- linux-2.6.32.46/arch/mips/kernel/reset.c 2011-03-27 14:31:47.000000000 -0400
2284 -+++ linux-2.6.32.46/arch/mips/kernel/reset.c 2011-08-21 17:35:26.000000000 -0400
2285 -@@ -19,8 +19,8 @@
2286 - * So handle all using function pointers to machine specific
2287 - * functions.
2288 - */
2289 --void (*_machine_restart)(char *command);
2290 --void (*_machine_halt)(void);
2291 -+void (*__noreturn _machine_restart)(char *command);
2292 -+void (*__noreturn _machine_halt)(void);
2293 - void (*pm_power_off)(void);
2294 -
2295 - EXPORT_SYMBOL(pm_power_off);
2296 -@@ -29,16 +29,19 @@ void machine_restart(char *command)
2297 - {
2298 - if (_machine_restart)
2299 - _machine_restart(command);
2300 -+ BUG();
2301 - }
2302 -
2303 - void machine_halt(void)
2304 - {
2305 - if (_machine_halt)
2306 - _machine_halt();
2307 -+ BUG();
2308 - }
2309 -
2310 - void machine_power_off(void)
2311 - {
2312 - if (pm_power_off)
2313 - pm_power_off();
2314 -+ BUG();
2315 - }
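Review bot: in machine_power_off() the new BUG() follows a call through pm_power_off, which the previous hunk leaves without __noreturn, so a handler that legitimately returns now hits BUG(). All three functions also reach BUG() when their pointer is NULL, where they previously returned quietly. If both outcomes are intended, state it in a comment; otherwise mark pm_power_off __noreturn as well or keep the BUG() inside the if body.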
2316 -diff -urNp linux-2.6.32.46/arch/mips/kernel/syscall.c linux-2.6.32.46/arch/mips/kernel/syscall.c
2317 ---- linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400
2318 -+++ linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400
2319 -@@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
2320 - do_color_align = 0;
2321 - if (filp || (flags & MAP_SHARED))
2322 - do_color_align = 1;
2323 -+
2324 -+#ifdef CONFIG_PAX_RANDMMAP
2325 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2326 -+#endif
2327 -+
2328 - if (addr) {
2329 - if (do_color_align)
2330 - addr = COLOUR_ALIGN(addr, pgoff);
2331 - else
2332 - addr = PAGE_ALIGN(addr);
2333 - vmm = find_vma(current->mm, addr);
2334 -- if (task_size - len >= addr &&
2335 -- (!vmm || addr + len <= vmm->vm_start))
2336 -+ if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2337 - return addr;
2338 - }
2339 -- addr = TASK_UNMAPPED_BASE;
2340 -+ addr = current->mm->mmap_base;
2341 - if (do_color_align)
2342 - addr = COLOUR_ALIGN(addr, pgoff);
2343 - else
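Review bot: the PAX_RANDMMAP guard is a braceless "if" inside #ifdef/#endif whose body is the following "if (addr) { ... }" block, separated from it by the #endif and an added blank line. That is easy to misread as a statement with no effect. Drop the blank line and add a short comment that the address hint is ignored when MF_PAX_RANDMMAP is set, or restructure so the dependency is explicit.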
2344 -@@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
2345 - /* At this point: (!vmm || addr < vmm->vm_end). */
2346 - if (task_size - len < addr)
2347 - return -ENOMEM;
2348 -- if (!vmm || addr + len <= vmm->vm_start)
2349 -+ if (check_heap_stack_gap(vmm, addr, len))
2350 - return addr;
2351 - addr = vmm->vm_end;
2352 - if (do_color_align)
2353 -diff -urNp linux-2.6.32.46/arch/mips/mm/fault.c linux-2.6.32.46/arch/mips/mm/fault.c
2354 ---- linux-2.6.32.46/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2355 -+++ linux-2.6.32.46/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2356 -@@ -26,6 +26,23 @@
2357 - #include <asm/ptrace.h>
2358 - #include <asm/highmem.h> /* For VMALLOC_END */
2359 -
2360 -+#ifdef CONFIG_PAX_PAGEEXEC
2361 -+void pax_report_insns(void *pc, void *sp)
2362 -+{
2363 -+ unsigned long i;
2364 -+
2365 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2366 -+ for (i = 0; i < 5; i++) {
2367 -+ unsigned int c;
2368 -+ if (get_user(c, (unsigned int *)pc+i))
2369 -+ printk(KERN_CONT "???????? ");
2370 -+ else
2371 -+ printk(KERN_CONT "%08x ", c);
2372 -+ }
2373 -+ printk("\n");
2374 -+}
2375 -+#endif
2376 -+
2377 - /*
2378 - * This routine handles page faults. It determines the address,
2379 - * and the problem, and then passes it off to one of the appropriate
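Review bot: pax_report_insns() takes sp but never uses it, and the closing printk("\n") carries no KERN_CONT while the per-word prints do, so the newline can be emitted as a separate record. Either document that sp is kept only for a common signature or remove it, and use KERN_CONT on the final newline. The pc pointer passed to get_user() also lacks a __user annotation.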
2380 -diff -urNp linux-2.6.32.46/arch/parisc/include/asm/elf.h linux-2.6.32.46/arch/parisc/include/asm/elf.h
2381 ---- linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2382 -+++ linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2383 -@@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
2384 -
2385 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
2386 -
2387 -+#ifdef CONFIG_PAX_ASLR
2388 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
2389 -+
2390 -+#define PAX_DELTA_MMAP_LEN 16
2391 -+#define PAX_DELTA_STACK_LEN 16
2392 -+#endif
2393 -+
2394 - /* This yields a mask that user programs can use to figure out what
2395 - instruction set this CPU supports. This could be done in user space,
2396 - but it's not easy, and we've already done it here. */
2397 -diff -urNp linux-2.6.32.46/arch/parisc/include/asm/pgtable.h linux-2.6.32.46/arch/parisc/include/asm/pgtable.h
2398 ---- linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2399 -+++ linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2400 -@@ -207,6 +207,17 @@
2401 - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
2402 - #define PAGE_COPY PAGE_EXECREAD
2403 - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
2404 -+
2405 -+#ifdef CONFIG_PAX_PAGEEXEC
2406 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
2407 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
2408 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
2409 -+#else
2410 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
2411 -+# define PAGE_COPY_NOEXEC PAGE_COPY
2412 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
2413 -+#endif
2414 -+
2415 - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
2416 - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
2417 - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
2418 -diff -urNp linux-2.6.32.46/arch/parisc/kernel/module.c linux-2.6.32.46/arch/parisc/kernel/module.c
2419 ---- linux-2.6.32.46/arch/parisc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
2420 -+++ linux-2.6.32.46/arch/parisc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
2421 -@@ -95,16 +95,38 @@
2422 -
2423 - /* three functions to determine where in the module core
2424 - * or init pieces the location is */
2425 -+static inline int in_init_rx(struct module *me, void *loc)
2426 -+{
2427 -+ return (loc >= me->module_init_rx &&
2428 -+ loc < (me->module_init_rx + me->init_size_rx));
2429 -+}
2430 -+
2431 -+static inline int in_init_rw(struct module *me, void *loc)
2432 -+{
2433 -+ return (loc >= me->module_init_rw &&
2434 -+ loc < (me->module_init_rw + me->init_size_rw));
2435 -+}
2436 -+
2437 - static inline int in_init(struct module *me, void *loc)
2438 - {
2439 -- return (loc >= me->module_init &&
2440 -- loc <= (me->module_init + me->init_size));
2441 -+ return in_init_rx(me, loc) || in_init_rw(me, loc);
2442 -+}
2443 -+
2444 -+static inline int in_core_rx(struct module *me, void *loc)
2445 -+{
2446 -+ return (loc >= me->module_core_rx &&
2447 -+ loc < (me->module_core_rx + me->core_size_rx));
2448 -+}
2449 -+
2450 -+static inline int in_core_rw(struct module *me, void *loc)
2451 -+{
2452 -+ return (loc >= me->module_core_rw &&
2453 -+ loc < (me->module_core_rw + me->core_size_rw));
2454 - }
2455 -
2456 - static inline int in_core(struct module *me, void *loc)
2457 - {
2458 -- return (loc >= me->module_core &&
2459 -- loc <= (me->module_core + me->core_size));
2460 -+ return in_core_rx(me, loc) || in_core_rw(me, loc);
2461 - }
2462 -
2463 - static inline int in_local(struct module *me, void *loc)
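Review bot: the new in_init_rx/in_init_rw/in_core_rx/in_core_rw helpers use an exclusive upper bound ("loc < base + size") where the removed in_init() and in_core() used "<=". That is a behaviour change folded into the rx/rw split. Note it in the changelog, and check that no caller relied on the one-past-the-end address being treated as inside the module.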
2464 -@@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
2465 - }
2466 -
2467 - /* align things a bit */
2468 -- me->core_size = ALIGN(me->core_size, 16);
2469 -- me->arch.got_offset = me->core_size;
2470 -- me->core_size += gots * sizeof(struct got_entry);
2471 --
2472 -- me->core_size = ALIGN(me->core_size, 16);
2473 -- me->arch.fdesc_offset = me->core_size;
2474 -- me->core_size += fdescs * sizeof(Elf_Fdesc);
2475 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
2476 -+ me->arch.got_offset = me->core_size_rw;
2477 -+ me->core_size_rw += gots * sizeof(struct got_entry);
2478 -+
2479 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
2480 -+ me->arch.fdesc_offset = me->core_size_rw;
2481 -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
2482 -
2483 - me->arch.got_max = gots;
2484 - me->arch.fdesc_max = fdescs;
2485 -@@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
2486 -
2487 - BUG_ON(value == 0);
2488 -
2489 -- got = me->module_core + me->arch.got_offset;
2490 -+ got = me->module_core_rw + me->arch.got_offset;
2491 - for (i = 0; got[i].addr; i++)
2492 - if (got[i].addr == value)
2493 - goto out;
2494 -@@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
2495 - #ifdef CONFIG_64BIT
2496 - static Elf_Addr get_fdesc(struct module *me, unsigned long value)
2497 - {
2498 -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
2499 -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
2500 -
2501 - if (!value) {
2502 - printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
2503 -@@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
2504 -
2505 - /* Create new one */
2506 - fdesc->addr = value;
2507 -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
2508 -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
2509 - return (Elf_Addr)fdesc;
2510 - }
2511 - #endif /* CONFIG_64BIT */
2512 -@@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
2513 -
2514 - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
2515 - end = table + sechdrs[me->arch.unwind_section].sh_size;
2516 -- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
2517 -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
2518 -
2519 - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
2520 - me->arch.unwind_section, table, end, gp);
2521 -diff -urNp linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c
2522 ---- linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-03-27 14:31:47.000000000 -0400
2523 -+++ linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:56:45.000000000 -0400
2524 -@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
2525 - /* At this point: (!vma || addr < vma->vm_end). */
2526 - if (TASK_SIZE - len < addr)
2527 - return -ENOMEM;
2528 -- if (!vma || addr + len <= vma->vm_start)
2529 -+ if (check_heap_stack_gap(vma, addr, len))
2530 - return addr;
2531 - addr = vma->vm_end;
2532 - }
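Review bot: check_heap_stack_gap() replaces "!vma || addr + len <= vma->vm_start", and the next line still dereferences vma ("addr = vma->vm_end") when the check fails. The helper therefore must return true for a NULL vma, or this becomes a NULL dereference. Its definition is not in this hunk, so state that contract in a comment at the call site or in the helper's documentation. The same applies to the identical replacement in get_shared_area().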
2533 -@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
2534 - /* At this point: (!vma || addr < vma->vm_end). */
2535 - if (TASK_SIZE - len < addr)
2536 - return -ENOMEM;
2537 -- if (!vma || addr + len <= vma->vm_start)
2538 -+ if (check_heap_stack_gap(vma, addr, len))
2539 - return addr;
2540 - addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
2541 - if (addr < vma->vm_end) /* handle wraparound */
2542 -@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
2543 - if (flags & MAP_FIXED)
2544 - return addr;
2545 - if (!addr)
2546 -- addr = TASK_UNMAPPED_BASE;
2547 -+ addr = current->mm->mmap_base;
2548 -
2549 - if (filp) {
2550 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
2551 -diff -urNp linux-2.6.32.46/arch/parisc/kernel/traps.c linux-2.6.32.46/arch/parisc/kernel/traps.c
2552 ---- linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
2553 -+++ linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-04-17 15:56:45.000000000 -0400
2554 -@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
2555 -
2556 - down_read(&current->mm->mmap_sem);
2557 - vma = find_vma(current->mm,regs->iaoq[0]);
2558 -- if (vma && (regs->iaoq[0] >= vma->vm_start)
2559 -- && (vma->vm_flags & VM_EXEC)) {
2560 --
2561 -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
2562 - fault_address = regs->iaoq[0];
2563 - fault_space = regs->iasq[0];
2564 -
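Review bot: dropping the "vma->vm_flags & VM_EXEC" test means an instruction-address fault inside any mapped VMA, executable or not, now takes this path. The hunk has no comment explaining where the execute permission is enforced instead. Add one naming the handler that is expected to reject fetches from non-executable mappings.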
2565 -diff -urNp linux-2.6.32.46/arch/parisc/mm/fault.c linux-2.6.32.46/arch/parisc/mm/fault.c
2566 ---- linux-2.6.32.46/arch/parisc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2567 -+++ linux-2.6.32.46/arch/parisc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2568 -@@ -15,6 +15,7 @@
2569 - #include <linux/sched.h>
2570 - #include <linux/interrupt.h>
2571 - #include <linux/module.h>
2572 -+#include <linux/unistd.h>
2573 -
2574 - #include <asm/uaccess.h>
2575 - #include <asm/traps.h>
2576 -@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
2577 - static unsigned long
2578 - parisc_acctyp(unsigned long code, unsigned int inst)
2579 - {
2580 -- if (code == 6 || code == 16)
2581 -+ if (code == 6 || code == 7 || code == 16)
2582 - return VM_EXEC;
2583 -
2584 - switch (inst & 0xf0000000) {
2585 -@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
2586 - }
2587 - #endif
2588 -
2589 -+#ifdef CONFIG_PAX_PAGEEXEC
2590 -+/*
2591 -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
2592 -+ *
2593 -+ * returns 1 when task should be killed
2594 -+ * 2 when rt_sigreturn trampoline was detected
2595 -+ * 3 when unpatched PLT trampoline was detected
2596 -+ */
2597 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
2598 -+{
2599 -+
2600 -+#ifdef CONFIG_PAX_EMUPLT
2601 -+ int err;
2602 -+
2603 -+ do { /* PaX: unpatched PLT emulation */
2604 -+ unsigned int bl, depwi;
2605 -+
2606 -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
2607 -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
2608 -+
2609 -+ if (err)
2610 -+ break;
2611 -+
2612 -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
2613 -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
2614 -+
2615 -+ err = get_user(ldw, (unsigned int *)addr);
2616 -+ err |= get_user(bv, (unsigned int *)(addr+4));
2617 -+ err |= get_user(ldw2, (unsigned int *)(addr+8));
2618 -+
2619 -+ if (err)
2620 -+ break;
2621 -+
2622 -+ if (ldw == 0x0E801096U &&
2623 -+ bv == 0xEAC0C000U &&
2624 -+ ldw2 == 0x0E881095U)
2625 -+ {
2626 -+ unsigned int resolver, map;
2627 -+
2628 -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
2629 -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
2630 -+ if (err)
2631 -+ break;
2632 -+
2633 -+ regs->gr[20] = instruction_pointer(regs)+8;
2634 -+ regs->gr[21] = map;
2635 -+ regs->gr[22] = resolver;
2636 -+ regs->iaoq[0] = resolver | 3UL;
2637 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
2638 -+ return 3;
2639 -+ }
2640 -+ }
2641 -+ } while (0);
2642 -+#endif
2643 -+
2644 -+#ifdef CONFIG_PAX_EMUTRAMP
2645 -+
2646 -+#ifndef CONFIG_PAX_EMUSIGRT
2647 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
2648 -+ return 1;
2649 -+#endif
2650 -+
2651 -+ do { /* PaX: rt_sigreturn emulation */
2652 -+ unsigned int ldi1, ldi2, bel, nop;
2653 -+
2654 -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
2655 -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
2656 -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
2657 -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
2658 -+
2659 -+ if (err)
2660 -+ break;
2661 -+
2662 -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
2663 -+ ldi2 == 0x3414015AU &&
2664 -+ bel == 0xE4008200U &&
2665 -+ nop == 0x08000240U)
2666 -+ {
2667 -+ regs->gr[25] = (ldi1 & 2) >> 1;
2668 -+ regs->gr[20] = __NR_rt_sigreturn;
2669 -+ regs->gr[31] = regs->iaoq[1] + 16;
2670 -+ regs->sr[0] = regs->iasq[1];
2671 -+ regs->iaoq[0] = 0x100UL;
2672 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
2673 -+ regs->iasq[0] = regs->sr[2];
2674 -+ regs->iasq[1] = regs->sr[2];
2675 -+ return 2;
2676 -+ }
2677 -+ } while (0);
2678 -+#endif
2679 -+
2680 -+ return 1;
2681 -+}
2682 -+
2683 -+void pax_report_insns(void *pc, void *sp)
2684 -+{
2685 -+ unsigned long i;
2686 -+
2687 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2688 -+ for (i = 0; i < 5; i++) {
2689 -+ unsigned int c;
2690 -+ if (get_user(c, (unsigned int *)pc+i))
2691 -+ printk(KERN_CONT "???????? ");
2692 -+ else
2693 -+ printk(KERN_CONT "%08x ", c);
2694 -+ }
2695 -+ printk("\n");
2696 -+}
2697 -+#endif
2698 -+
2699 - int fixup_exception(struct pt_regs *regs)
2700 - {
2701 - const struct exception_table_entry *fix;
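Review bot: in pax_handle_fetch_fault(), "int err;" is declared inside the CONFIG_PAX_EMUPLT block but is also used by the rt_sigreturn emulation under CONFIG_PAX_EMUTRAMP, so a build with EMUTRAMP and without EMUPLT fails to compile unless Kconfig rules that combination out. Move the declaration outside both #ifdef blocks. Also, "addr" is an unsigned int initialised from instruction_pointer(regs)-12 and then cast to a pointer; confirm that truncation is safe on 64-bit kernels. The instruction constants being matched (0xEA9F1FDDU and the rest) would benefit from a comment giving the disassembly.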
2702 -@@ -192,8 +303,33 @@ good_area:
2703 -
2704 - acc_type = parisc_acctyp(code,regs->iir);
2705 -
2706 -- if ((vma->vm_flags & acc_type) != acc_type)
2707 -+ if ((vma->vm_flags & acc_type) != acc_type) {
2708 -+
2709 -+#ifdef CONFIG_PAX_PAGEEXEC
2710 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2711 -+ (address & ~3UL) == instruction_pointer(regs))
2712 -+ {
2713 -+ up_read(&mm->mmap_sem);
2714 -+ switch (pax_handle_fetch_fault(regs)) {
2715 -+
2716 -+#ifdef CONFIG_PAX_EMUPLT
2717 -+ case 3:
2718 -+ return;
2719 -+#endif
2720 -+
2721 -+#ifdef CONFIG_PAX_EMUTRAMP
2722 -+ case 2:
2723 -+ return;
2724 -+#endif
2725 -+
2726 -+ }
2727 -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2728 -+ do_group_exit(SIGKILL);
2729 -+ }
2730 -+#endif
2731 -+
2732 - goto bad_area;
2733 -+ }
2734 -
2735 - /*
2736 - * If for any reason at all we couldn't handle the fault, make
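Review bot: the switch on pax_handle_fetch_fault() has only the #ifdef-guarded cases 2 and 3, so with both options off it is an empty switch, and the kill path for return value 1 is reached only by falling out of it. Add an explicit "case 1:" or "default:" with a comment so the kill path is visible. Note in a comment as well that mmap_sem is deliberately released before the switch, because both early returns depend on it.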
2737 -diff -urNp linux-2.6.32.46/arch/powerpc/Makefile linux-2.6.32.46/arch/powerpc/Makefile
2738 ---- linux-2.6.32.46/arch/powerpc/Makefile 2011-03-27 14:31:47.000000000 -0400
2739 -+++ linux-2.6.32.46/arch/powerpc/Makefile 2011-08-21 19:27:08.000000000 -0400
2740 -@@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH)
2741 - KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
2742 - CPP = $(CC) -E $(KBUILD_CFLAGS)
2743 -
2744 -+cflags-y += -Wno-sign-compare -Wno-extra
2745 -+
2746 - CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
2747 -
2748 - ifeq ($(CONFIG_PPC64),y)
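Review bot: the added line appends to lowercase "cflags-y", while the KBUILD_CFLAGS line two lines above expands uppercase "$(CFLAGS-y)", and the append comes after that expansion. Verify that cflags-y is actually consumed somewhere for this architecture; otherwise -Wno-sign-compare and -Wno-extra never reach the compiler. A short comment on why these warnings are muted would help too.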
2749 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/device.h linux-2.6.32.46/arch/powerpc/include/asm/device.h
2750 ---- linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
2751 -+++ linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-04-17 15:56:45.000000000 -0400
2752 -@@ -14,7 +14,7 @@ struct dev_archdata {
2753 - struct device_node *of_node;
2754 -
2755 - /* DMA operations on that device */
2756 -- struct dma_map_ops *dma_ops;
2757 -+ const struct dma_map_ops *dma_ops;
2758 -
2759 - /*
2760 - * When an iommu is in use, dma_data is used as a ptr to the base of the
2761 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h
2762 ---- linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
2763 -+++ linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
2764 -@@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2765 - #ifdef CONFIG_PPC64
2766 - extern struct dma_map_ops dma_iommu_ops;
2767 - #endif
2768 --extern struct dma_map_ops dma_direct_ops;
2769 -+extern const struct dma_map_ops dma_direct_ops;
2770 -
2771 --static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2772 -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2773 - {
2774 - /* We don't handle the NULL dev case for ISA for now. We could
2775 - * do it via an out of line call but it is not needed for now. The
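Review bot: dma_direct_ops and the get_dma_ops() return type become const, but "extern struct dma_map_ops dma_iommu_ops;" in the CONFIG_PPC64 block directly above stays non-const. If the goal is to keep the ops tables in read-only memory, constify that declaration in the same change, or explain why the iommu table has to stay writable.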
2776 -@@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2777 - return dev->archdata.dma_ops;
2778 - }
2779 -
2780 --static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2781 -+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2782 - {
2783 - dev->archdata.dma_ops = ops;
2784 - }
2785 -@@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2786 -
2787 - static inline int dma_supported(struct device *dev, u64 mask)
2788 - {
2789 -- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2790 -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2791 -
2792 - if (unlikely(dma_ops == NULL))
2793 - return 0;
2794 -@@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2795 -
2796 - static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2797 - {
2798 -- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2799 -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2800 -
2801 - if (unlikely(dma_ops == NULL))
2802 - return -EIO;
2803 -@@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2804 - static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2805 - dma_addr_t *dma_handle, gfp_t flag)
2806 - {
2807 -- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2808 -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2809 - void *cpu_addr;
2810 -
2811 - BUG_ON(!dma_ops);
2812 -@@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2813 - static inline void dma_free_coherent(struct device *dev, size_t size,
2814 - void *cpu_addr, dma_addr_t dma_handle)
2815 - {
2816 -- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2817 -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2818 -
2819 - BUG_ON(!dma_ops);
2820 -
2821 -@@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2822 -
2823 - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2824 - {
2825 -- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2826 -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2827 -
2828 - if (dma_ops->mapping_error)
2829 - return dma_ops->mapping_error(dev, dma_addr);
2830 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/elf.h linux-2.6.32.46/arch/powerpc/include/asm/elf.h
2831 ---- linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2832 -+++ linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2833 -@@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2834 - the loader. We need to make sure that it is out of the way of the program
2835 - that it will "exec", and that there is sufficient room for the brk. */
2836 -
2837 --extern unsigned long randomize_et_dyn(unsigned long base);
2838 --#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2839 -+#define ELF_ET_DYN_BASE (0x20000000)
2840 -+
2841 -+#ifdef CONFIG_PAX_ASLR
2842 -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2843 -+
2844 -+#ifdef __powerpc64__
2845 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2846 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2847 -+#else
2848 -+#define PAX_DELTA_MMAP_LEN 15
2849 -+#define PAX_DELTA_STACK_LEN 15
2850 -+#endif
2851 -+#endif
2852 -
2853 - /*
2854 - * Our registers are always unsigned longs, whether we're a 32 bit
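Review bot: ELF_ET_DYN_BASE changes from randomize_et_dyn(0x20000000) to the constant 0x20000000 unconditionally, while the PaX replacement is defined only under CONFIG_PAX_ASLR. A kernel built with this patch but without CONFIG_PAX_ASLR therefore loses the ET_DYN base randomization it had before. Keep the original definition in an #else branch, or state in the changelog that the regression is accepted.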
2855 -@@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2856 - (0x7ff >> (PAGE_SHIFT - 12)) : \
2857 - (0x3ffff >> (PAGE_SHIFT - 12)))
2858 -
2859 --extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2860 --#define arch_randomize_brk arch_randomize_brk
2861 --
2862 - #endif /* __KERNEL__ */
2863 -
2864 - /*
2865 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/iommu.h linux-2.6.32.46/arch/powerpc/include/asm/iommu.h
2866 ---- linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
2867 -+++ linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-04-17 15:56:45.000000000 -0400
2868 -@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2869 - extern void iommu_init_early_dart(void);
2870 - extern void iommu_init_early_pasemi(void);
2871 -
2872 -+/* dma-iommu.c */
2873 -+extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2874 -+
2875 - #ifdef CONFIG_PCI
2876 - extern void pci_iommu_init(void);
2877 - extern void pci_direct_iommu_init(void);
2878 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h
2879 ---- linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
2880 -+++ linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
2881 -@@ -26,6 +26,7 @@ enum km_type {
2882 - KM_SOFTIRQ1,
2883 - KM_PPC_SYNC_PAGE,
2884 - KM_PPC_SYNC_ICACHE,
2885 -+ KM_CLEARPAGE,
2886 - KM_TYPE_NR
2887 - };
2888 -
2889 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page.h linux-2.6.32.46/arch/powerpc/include/asm/page.h
2890 ---- linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2891 -+++ linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-08-21 16:07:39.000000000 -0400
2892 -@@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2893 - * and needs to be executable. This means the whole heap ends
2894 - * up being executable.
2895 - */
2896 --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2897 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2898 -+#define VM_DATA_DEFAULT_FLAGS32 \
2899 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2900 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2901 -
2902 - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2903 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
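Review bot: the comment kept above VM_DATA_DEFAULT_FLAGS32 still says the whole heap ends up executable, which is no longer true once VM_EXEC depends on READ_IMPLIES_EXEC. Update the comment to match. The macro now also dereferences "current", so note that it must only be expanded in process context.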
2904 -@@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2905 - #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2906 - #endif
2907 -
2908 -+#define ktla_ktva(addr) (addr)
2909 -+#define ktva_ktla(addr) (addr)
2910 -+
2911 - #ifndef __ASSEMBLY__
2912 -
2913 - #undef STRICT_MM_TYPECHECKS
2914 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page_64.h linux-2.6.32.46/arch/powerpc/include/asm/page_64.h
2915 ---- linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-03-27 14:31:47.000000000 -0400
2916 -+++ linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-04-17 15:56:45.000000000 -0400
2917 -@@ -180,15 +180,18 @@ do { \
2918 - * stack by default, so in the absense of a PT_GNU_STACK program header
2919 - * we turn execute permission off.
2920 - */
2921 --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2922 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2923 -+#define VM_STACK_DEFAULT_FLAGS32 \
2924 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2925 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2926 -
2927 - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2928 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2929 -
2930 -+#ifndef CONFIG_PAX_PAGEEXEC
2931 - #define VM_STACK_DEFAULT_FLAGS \
2932 - (test_thread_flag(TIF_32BIT) ? \
2933 - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2934 -+#endif
2935 -
2936 - #include <asm-generic/getorder.h>
2937 -
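Review bot: with CONFIG_PAX_PAGEEXEC set, the new #ifndef leaves VM_STACK_DEFAULT_FLAGS undefined in this header and nothing in the hunk says where the definition comes from. Add a comment naming the fallback, so a reader of page_64.h does not have to search for it and a missing definition fails with a clear message.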
2938 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pci.h linux-2.6.32.46/arch/powerpc/include/asm/pci.h
2939 ---- linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-03-27 14:31:47.000000000 -0400
2940 -+++ linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-04-17 15:56:45.000000000 -0400
2941 -@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2942 - }
2943 -
2944 - #ifdef CONFIG_PCI
2945 --extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2946 --extern struct dma_map_ops *get_pci_dma_ops(void);
2947 -+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2948 -+extern const struct dma_map_ops *get_pci_dma_ops(void);
2949 - #else /* CONFIG_PCI */
2950 - #define set_pci_dma_ops(d)
2951 - #define get_pci_dma_ops() NULL
2952 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h
2953 ---- linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2954 -+++ linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2955 -@@ -2,6 +2,7 @@
2956 - #define _ASM_POWERPC_PGTABLE_H
2957 - #ifdef __KERNEL__
2958 -
2959 -+#include <linux/const.h>
2960 - #ifndef __ASSEMBLY__
2961 - #include <asm/processor.h> /* For TASK_SIZE */
2962 - #include <asm/mmu.h>
2963 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h
2964 ---- linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-03-27 14:31:47.000000000 -0400
2965 -+++ linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:56:45.000000000 -0400
2966 -@@ -21,6 +21,7 @@
2967 - #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2968 - #define _PAGE_USER 0x004 /* usermode access allowed */
2969 - #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2970 -+#define _PAGE_EXEC _PAGE_GUARDED
2971 - #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2972 - #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2973 - #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
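Review bot: "_PAGE_EXEC _PAGE_GUARDED" silently reuses the G bit, whose own comment on the line above says "prohibit speculative access". Reusing a bit with existing hardware meaning deserves a comment at the definition explaining the intended encoding (which state of the bit means executable) and why the overlap with guarded mappings is safe.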
2974 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h
2975 ---- linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
2976 -+++ linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-08-21 15:53:58.000000000 -0400
2977 -@@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
2978 - } while(0)
2979 -
2980 - struct task_struct;
2981 --extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
2982 -+extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
2983 - extern int ptrace_put_reg(struct task_struct *task, int regno,
2984 - unsigned long data);
2985 -
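Review bot: ptrace_get_reg() now takes "unsigned int regno" but ptrace_put_reg() on the next line keeps "int regno". If the type change is there to remove a signed index from the bounds check, the write side needs the same treatment; otherwise explain why only the getter changes.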
2986 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/reg.h linux-2.6.32.46/arch/powerpc/include/asm/reg.h
2987 ---- linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400
2988 -+++ linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400
2989 -@@ -191,6 +191,7 @@
2990 - #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2991 - #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2992 - #define DSISR_NOHPTE 0x40000000 /* no translation found */
2993 -+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2994 - #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2995 - #define DSISR_ISSTORE 0x02000000 /* access was a store */
2996 - #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2997 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h
2998 ---- linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-03-27 14:31:47.000000000 -0400
2999 -+++ linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:56:45.000000000 -0400
3000 -@@ -13,7 +13,7 @@
3001 -
3002 - #include <linux/swiotlb.h>
3003 -
3004 --extern struct dma_map_ops swiotlb_dma_ops;
3005 -+extern const struct dma_map_ops swiotlb_dma_ops;
3006 -
3007 - static inline void dma_mark_clean(void *addr, size_t size) {}
3008 -
3009 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/system.h linux-2.6.32.46/arch/powerpc/include/asm/system.h
3010 ---- linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
3011 -+++ linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
3012 -@@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3013 - #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3014 - #endif
3015 -
3016 --extern unsigned long arch_align_stack(unsigned long sp);
3017 -+#define arch_align_stack(x) ((x) & ~0xfUL)
3018 -
3019 - /* Used in very early kernel initialization. */
3020 - extern unsigned long reloc_offset(void);
3021 -diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h
3022 ---- linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3023 -+++ linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
3024 -@@ -13,6 +13,8 @@
3025 - #define VERIFY_READ 0
3026 - #define VERIFY_WRITE 1
3027 -
3028 -+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3029 -+
3030 - /*
3031 - * The fs value determines whether argument validity checking should be
3032 - * performed or not. If get_fs() == USER_DS, checking is performed, with
3033 -@@ -327,52 +329,6 @@ do { \
3034 - extern unsigned long __copy_tofrom_user(void __user *to,
3035 - const void __user *from, unsigned long size);
3036 -
3037 --#ifndef __powerpc64__
3038 --
3039 --static inline unsigned long copy_from_user(void *to,
3040 -- const void __user *from, unsigned long n)
3041 --{
3042 -- unsigned long over;
3043 --
3044 -- if (access_ok(VERIFY_READ, from, n))
3045 -- return __copy_tofrom_user((__force void __user *)to, from, n);
3046 -- if ((unsigned long)from < TASK_SIZE) {
3047 -- over = (unsigned long)from + n - TASK_SIZE;
3048 -- return __copy_tofrom_user((__force void __user *)to, from,
3049 -- n - over) + over;
3050 -- }
3051 -- return n;
3052 --}
3053 --
3054 --static inline unsigned long copy_to_user(void __user *to,
3055 -- const void *from, unsigned long n)
3056 --{
3057 -- unsigned long over;
3058 --
3059 -- if (access_ok(VERIFY_WRITE, to, n))
3060 -- return __copy_tofrom_user(to, (__force void __user *)from, n);
3061 -- if ((unsigned long)to < TASK_SIZE) {
3062 -- over = (unsigned long)to + n - TASK_SIZE;
3063 -- return __copy_tofrom_user(to, (__force void __user *)from,
3064 -- n - over) + over;
3065 -- }
3066 -- return n;
3067 --}
3068 --
3069 --#else /* __powerpc64__ */
3070 --
3071 --#define __copy_in_user(to, from, size) \
3072 -- __copy_tofrom_user((to), (from), (size))
3073 --
3074 --extern unsigned long copy_from_user(void *to, const void __user *from,
3075 -- unsigned long n);
3076 --extern unsigned long copy_to_user(void __user *to, const void *from,
3077 -- unsigned long n);
3078 --extern unsigned long copy_in_user(void __user *to, const void __user *from,
3079 -- unsigned long n);
3080 --
3081 --#endif /* __powerpc64__ */
3082 --
3083 - static inline unsigned long __copy_from_user_inatomic(void *to,
3084 - const void __user *from, unsigned long n)
3085 - {
3086 -@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3087 - if (ret == 0)
3088 - return 0;
3089 - }
3090 -+
3091 -+ if (!__builtin_constant_p(n))
3092 -+ check_object_size(to, n, false);
3093 -+
3094 - return __copy_tofrom_user((__force void __user *)to, from, n);
3095 - }
3096 -
3097 -@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3098 - if (ret == 0)
3099 - return 0;
3100 - }
3101 -+
3102 -+ if (!__builtin_constant_p(n))
3103 -+ check_object_size(from, n, true);
3104 -+
3105 - return __copy_tofrom_user(to, (__force const void __user *)from, n);
3106 - }
3107 -
3108 -@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3109 - return __copy_to_user_inatomic(to, from, size);
3110 - }
3111 -
3112 -+#ifndef __powerpc64__
3113 -+
3114 -+static inline unsigned long __must_check copy_from_user(void *to,
3115 -+ const void __user *from, unsigned long n)
3116 -+{
3117 -+ unsigned long over;
3118 -+
3119 -+ if ((long)n < 0)
3120 -+ return n;
3121 -+
3122 -+ if (access_ok(VERIFY_READ, from, n)) {
3123 -+ if (!__builtin_constant_p(n))
3124 -+ check_object_size(to, n, false);
3125 -+ return __copy_tofrom_user((__force void __user *)to, from, n);
3126 -+ }
3127 -+ if ((unsigned long)from < TASK_SIZE) {
3128 -+ over = (unsigned long)from + n - TASK_SIZE;
3129 -+ if (!__builtin_constant_p(n - over))
3130 -+ check_object_size(to, n - over, false);
3131 -+ return __copy_tofrom_user((__force void __user *)to, from,
3132 -+ n - over) + over;
3133 -+ }
3134 -+ return n;
3135 -+}
3136 -+
3137 -+static inline unsigned long __must_check copy_to_user(void __user *to,
3138 -+ const void *from, unsigned long n)
3139 -+{
3140 -+ unsigned long over;
3141 -+
3142 -+ if ((long)n < 0)
3143 -+ return n;
3144 -+
3145 -+ if (access_ok(VERIFY_WRITE, to, n)) {
3146 -+ if (!__builtin_constant_p(n))
3147 -+ check_object_size(from, n, true);
3148 -+ return __copy_tofrom_user(to, (__force void __user *)from, n);
3149 -+ }
3150 -+ if ((unsigned long)to < TASK_SIZE) {
3151 -+ over = (unsigned long)to + n - TASK_SIZE;
3152 -+ if (!__builtin_constant_p(n))
3153 -+ check_object_size(from, n - over, true);
3154 -+ return __copy_tofrom_user(to, (__force void __user *)from,
3155 -+ n - over) + over;
3156 -+ }
3157 -+ return n;
3158 -+}
3159 -+
3160 -+#else /* __powerpc64__ */
3161 -+
3162 -+#define __copy_in_user(to, from, size) \
3163 -+ __copy_tofrom_user((to), (from), (size))
3164 -+
3165 -+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3166 -+{
3167 -+ if ((long)n < 0 || n > INT_MAX)
3168 -+ return n;
3169 -+
3170 -+ if (!__builtin_constant_p(n))
3171 -+ check_object_size(to, n, false);
3172 -+
3173 -+ if (likely(access_ok(VERIFY_READ, from, n)))
3174 -+ n = __copy_from_user(to, from, n);
3175 -+ else
3176 -+ memset(to, 0, n);
3177 -+ return n;
3178 -+}
3179 -+
3180 -+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3181 -+{
3182 -+ if ((long)n < 0 || n > INT_MAX)
3183 -+ return n;
3184 -+
3185 -+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
3186 -+ if (!__builtin_constant_p(n))
3187 -+ check_object_size(from, n, true);
3188 -+ n = __copy_to_user(to, from, n);
3189 -+ }
3190 -+ return n;
3191 -+}
3192 -+
3193 -+extern unsigned long copy_in_user(void __user *to, const void __user *from,
3194 -+ unsigned long n);
3195 -+
3196 -+#endif /* __powerpc64__ */
3197 -+
3198 - extern unsigned long __clear_user(void __user *addr, unsigned long size);
3199 -
3200 - static inline unsigned long clear_user(void __user *addr, unsigned long size)
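Review bot: In the 32-bit copy_to_user fallback branch the guard tests `__builtin_constant_p(n)` but the length passed to check_object_size is `n - over`, while the matching branch of copy_from_user tests `__builtin_constant_p(n - over)`. Test the expression that is actually checked in both places. The 64-bit variants also differ in order: copy_from_user calls check_object_size before access_ok, copy_to_user only inside the access_ok branch. A one-line comment stating the intended order would make that look deliberate.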
3201 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c
3202 ---- linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
3203 -+++ linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-04-17 15:56:45.000000000 -0400
3204 -@@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
3205 - &cache_assoc_attr,
3206 - };
3207 -
3208 --static struct sysfs_ops cache_index_ops = {
3209 -+static const struct sysfs_ops cache_index_ops = {
3210 - .show = cache_index_show,
3211 - };
3212 -
3213 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c
3214 ---- linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-03-27 14:31:47.000000000 -0400
3215 -+++ linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:56:45.000000000 -0400
3216 -@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3217 - }
3218 -
3219 - /* We support DMA to/from any memory page via the iommu */
3220 --static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3221 -+int dma_iommu_dma_supported(struct device *dev, u64 mask)
3222 - {
3223 - struct iommu_table *tbl = get_iommu_table_base(dev);
3224 -
3225 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c
3226 ---- linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
3227 -+++ linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
3228 -@@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3229 - * map_page, and unmap_page on highmem, use normal dma_ops
3230 - * for everything else.
3231 - */
3232 --struct dma_map_ops swiotlb_dma_ops = {
3233 -+const struct dma_map_ops swiotlb_dma_ops = {
3234 - .alloc_coherent = dma_direct_alloc_coherent,
3235 - .free_coherent = dma_direct_free_coherent,
3236 - .map_sg = swiotlb_map_sg_attrs,
3237 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma.c linux-2.6.32.46/arch/powerpc/kernel/dma.c
3238 ---- linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-03-27 14:31:47.000000000 -0400
3239 -+++ linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-04-17 15:56:45.000000000 -0400
3240 -@@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
3241 - }
3242 - #endif
3243 -
3244 --struct dma_map_ops dma_direct_ops = {
3245 -+const struct dma_map_ops dma_direct_ops = {
3246 - .alloc_coherent = dma_direct_alloc_coherent,
3247 - .free_coherent = dma_direct_free_coherent,
3248 - .map_sg = dma_direct_map_sg,
3249 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S
3250 ---- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-03-27 14:31:47.000000000 -0400
3251 -+++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:56:45.000000000 -0400
3252 -@@ -455,6 +455,7 @@ storage_fault_common:
3253 - std r14,_DAR(r1)
3254 - std r15,_DSISR(r1)
3255 - addi r3,r1,STACK_FRAME_OVERHEAD
3256 -+ bl .save_nvgprs
3257 - mr r4,r14
3258 - mr r5,r15
3259 - ld r14,PACA_EXGEN+EX_R14(r13)
3260 -@@ -464,8 +465,7 @@ storage_fault_common:
3261 - cmpdi r3,0
3262 - bne- 1f
3263 - b .ret_from_except_lite
3264 --1: bl .save_nvgprs
3265 -- mr r5,r3
3266 -+1: mr r5,r3
3267 - addi r3,r1,STACK_FRAME_OVERHEAD
3268 - ld r4,_DAR(r1)
3269 - bl .bad_page_fault
3270 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S
3271 ---- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-03-27 14:31:47.000000000 -0400
3272 -+++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:56:45.000000000 -0400
3273 -@@ -818,10 +818,10 @@ handle_page_fault:
3274 - 11: ld r4,_DAR(r1)
3275 - ld r5,_DSISR(r1)
3276 - addi r3,r1,STACK_FRAME_OVERHEAD
3277 -+ bl .save_nvgprs
3278 - bl .do_page_fault
3279 - cmpdi r3,0
3280 - beq+ 13f
3281 -- bl .save_nvgprs
3282 - mr r5,r3
3283 - addi r3,r1,STACK_FRAME_OVERHEAD
3284 - lwz r4,_DAR(r1)
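Review bot: Moving `bl .save_nvgprs` ahead of `bl .do_page_fault` in handle_page_fault means the non-volatile GPRs are now saved on every page fault, not only on the path that reaches the bad-fault handling after `cmpdi r3,0`. The hunk gives no reason for this. Add a comment saying which consumer inside do_page_fault needs the full register set, since this sits on a hot path and the same move is made in exceptions-64e.S.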
3285 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c
3286 ---- linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-03-27 14:31:47.000000000 -0400
3287 -+++ linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:56:45.000000000 -0400
3288 -@@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
3289 - return 1;
3290 - }
3291 -
3292 --static struct dma_map_ops ibmebus_dma_ops = {
3293 -+static const struct dma_map_ops ibmebus_dma_ops = {
3294 - .alloc_coherent = ibmebus_alloc_coherent,
3295 - .free_coherent = ibmebus_free_coherent,
3296 - .map_sg = ibmebus_map_sg,
3297 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/kgdb.c linux-2.6.32.46/arch/powerpc/kernel/kgdb.c
3298 ---- linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
3299 -+++ linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
3300 -@@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
3301 - if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
3302 - return 0;
3303 -
3304 -- if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
3305 -+ if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
3306 - regs->nip += 4;
3307 -
3308 - return 1;
3309 -@@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
3310 - /*
3311 - * Global data
3312 - */
3313 --struct kgdb_arch arch_kgdb_ops = {
3314 -+const struct kgdb_arch arch_kgdb_ops = {
3315 - .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3316 - };
3317 -
3318 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module.c linux-2.6.32.46/arch/powerpc/kernel/module.c
3319 ---- linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
3320 -+++ linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
3321 -@@ -31,11 +31,24 @@
3322 -
3323 - LIST_HEAD(module_bug_list);
3324 -
3325 -+#ifdef CONFIG_PAX_KERNEXEC
3326 - void *module_alloc(unsigned long size)
3327 - {
3328 - if (size == 0)
3329 - return NULL;
3330 -
3331 -+ return vmalloc(size);
3332 -+}
3333 -+
3334 -+void *module_alloc_exec(unsigned long size)
3335 -+#else
3336 -+void *module_alloc(unsigned long size)
3337 -+#endif
3338 -+
3339 -+{
3340 -+ if (size == 0)
3341 -+ return NULL;
3342 -+
3343 - return vmalloc_exec(size);
3344 - }
3345 -
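Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block splices two signatures onto one body: `void *module_alloc_exec(unsigned long size)` and the `#else` copy of `void *module_alloc(unsigned long size)` both fall through to the `{` after `#endif`, with a blank line in between. This is hard to read and easy to break when either side changes. Prefer two complete definitions, or a static helper that wraps `vmalloc_exec(size)` and is called from whichever name is configured.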
3346 -@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
3347 - vfree(module_region);
3348 - }
3349 -
3350 -+#ifdef CONFIG_PAX_KERNEXEC
3351 -+void module_free_exec(struct module *mod, void *module_region)
3352 -+{
3353 -+ module_free(mod, module_region);
3354 -+}
3355 -+#endif
3356 -+
3357 - static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
3358 - const Elf_Shdr *sechdrs,
3359 - const char *name)
3360 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module_32.c linux-2.6.32.46/arch/powerpc/kernel/module_32.c
3361 ---- linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-03-27 14:31:47.000000000 -0400
3362 -+++ linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-04-17 15:56:45.000000000 -0400
3363 -@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3364 - me->arch.core_plt_section = i;
3365 - }
3366 - if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3367 -- printk("Module doesn't contain .plt or .init.plt sections.\n");
3368 -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3369 - return -ENOEXEC;
3370 - }
3371 -
3372 -@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3373 -
3374 - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3375 - /* Init, or core PLT? */
3376 -- if (location >= mod->module_core
3377 -- && location < mod->module_core + mod->core_size)
3378 -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3379 -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3380 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3381 -- else
3382 -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3383 -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3384 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3385 -+ else {
3386 -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3387 -+ return ~0UL;
3388 -+ }
3389 -
3390 - /* Find this entry, or if that fails, the next avail. entry */
3391 - while (entry->jump[0]) {
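Review bot: The new `else` branch in do_plt_call returns `~0UL` from a function declared `uint32_t`, so the caller receives 0xffffffff as an in-band error value. Nothing in the visible hunks of this file updates the call site to test for it, so confirm the relocation code rejects that value instead of using it as a branch target. A named constant for the sentinel would also make the check greppable.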
3392 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/pci-common.c linux-2.6.32.46/arch/powerpc/kernel/pci-common.c
3393 ---- linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-03-27 14:31:47.000000000 -0400
3394 -+++ linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-04-17 15:56:45.000000000 -0400
3395 -@@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
3396 - unsigned int ppc_pci_flags = 0;
3397 -
3398 -
3399 --static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
3400 -+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
3401 -
3402 --void set_pci_dma_ops(struct dma_map_ops *dma_ops)
3403 -+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
3404 - {
3405 - pci_dma_ops = dma_ops;
3406 - }
3407 -
3408 --struct dma_map_ops *get_pci_dma_ops(void)
3409 -+const struct dma_map_ops *get_pci_dma_ops(void)
3410 - {
3411 - return pci_dma_ops;
3412 - }
3413 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/process.c linux-2.6.32.46/arch/powerpc/kernel/process.c
3414 ---- linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
3415 -+++ linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
3416 -@@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
3417 - * Lookup NIP late so we have the best change of getting the
3418 - * above info out without failing
3419 - */
3420 -- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
3421 -- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
3422 -+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
3423 -+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
3424 - #endif
3425 - show_stack(current, (unsigned long *) regs->gpr[1]);
3426 - if (!user_mode(regs))
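Review bot: The switch from `%pS` to `%pA` in show_regs (and in the show_stack hunks that follow) depends on printk understanding an `A` pointer extension, which none of the files in this part of the patch add. Name the vsprintf change this relies on in the description, so the format strings are not carried into a tree that lacks it and the symbol lookup `%pS` provided is not lost silently.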
3427 -@@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
3428 - newsp = stack[0];
3429 - ip = stack[STACK_FRAME_LR_SAVE];
3430 - if (!firstframe || ip != lr) {
3431 -- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
3432 -+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
3433 - #ifdef CONFIG_FUNCTION_GRAPH_TRACER
3434 - if ((ip == rth || ip == mrth) && curr_frame >= 0) {
3435 -- printk(" (%pS)",
3436 -+ printk(" (%pA)",
3437 - (void *)current->ret_stack[curr_frame].ret);
3438 - curr_frame--;
3439 - }
3440 -@@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
3441 - struct pt_regs *regs = (struct pt_regs *)
3442 - (sp + STACK_FRAME_OVERHEAD);
3443 - lr = regs->link;
3444 -- printk("--- Exception: %lx at %pS\n LR = %pS\n",
3445 -+ printk("--- Exception: %lx at %pA\n LR = %pA\n",
3446 - regs->trap, (void *)regs->nip, (void *)lr);
3447 - firstframe = 1;
3448 - }
3449 -@@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
3450 - }
3451 -
3452 - #endif /* THREAD_SHIFT < PAGE_SHIFT */
3453 --
3454 --unsigned long arch_align_stack(unsigned long sp)
3455 --{
3456 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3457 -- sp -= get_random_int() & ~PAGE_MASK;
3458 -- return sp & ~0xf;
3459 --}
3460 --
3461 --static inline unsigned long brk_rnd(void)
3462 --{
3463 -- unsigned long rnd = 0;
3464 --
3465 -- /* 8MB for 32bit, 1GB for 64bit */
3466 -- if (is_32bit_task())
3467 -- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
3468 -- else
3469 -- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
3470 --
3471 -- return rnd << PAGE_SHIFT;
3472 --}
3473 --
3474 --unsigned long arch_randomize_brk(struct mm_struct *mm)
3475 --{
3476 -- unsigned long base = mm->brk;
3477 -- unsigned long ret;
3478 --
3479 --#ifdef CONFIG_PPC_STD_MMU_64
3480 -- /*
3481 -- * If we are using 1TB segments and we are allowed to randomise
3482 -- * the heap, we can put it above 1TB so it is backed by a 1TB
3483 -- * segment. Otherwise the heap will be in the bottom 1TB
3484 -- * which always uses 256MB segments and this may result in a
3485 -- * performance penalty.
3486 -- */
3487 -- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
3488 -- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
3489 --#endif
3490 --
3491 -- ret = PAGE_ALIGN(base + brk_rnd());
3492 --
3493 -- if (ret < mm->brk)
3494 -- return mm->brk;
3495 --
3496 -- return ret;
3497 --}
3498 --
3499 --unsigned long randomize_et_dyn(unsigned long base)
3500 --{
3501 -- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3502 --
3503 -- if (ret < base)
3504 -- return base;
3505 --
3506 -- return ret;
3507 --}
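Review bot: Removing arch_align_stack, brk_rnd, arch_randomize_brk and randomize_et_dyn here drops the stack, brk and ET_DYN randomization these functions applied, and the only replacement visible is the unconditional `#define arch_align_stack(x) ((x) & ~0xfUL)` in asm/system.h, which aligns but adds no offset. The mmap_64.c hunk adds `delta_mmap` only under `CONFIG_PAX_RANDMMAP`. Document what provides the randomization when that option is off, and confirm that every caller of arch_randomize_brk and randomize_et_dyn is removed in the same patch so the build still links.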
3508 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ptrace.c linux-2.6.32.46/arch/powerpc/kernel/ptrace.c
3509 ---- linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
3510 -+++ linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-08-21 15:53:39.000000000 -0400
3511 -@@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
3512 - /*
3513 - * Get contents of register REGNO in task TASK.
3514 - */
3515 --unsigned long ptrace_get_reg(struct task_struct *task, int regno)
3516 -+unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
3517 - {
3518 - if (task->thread.regs == NULL)
3519 - return -EIO;
3520 -@@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
3521 -
3522 - CHECK_FULL_REGS(child->thread.regs);
3523 - if (index < PT_FPR0) {
3524 -- tmp = ptrace_get_reg(child, (int) index);
3525 -+ tmp = ptrace_get_reg(child, index);
3526 - } else {
3527 - flush_fp_to_thread(child);
3528 - tmp = ((unsigned long *)child->thread.fpr)
3529 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_32.c linux-2.6.32.46/arch/powerpc/kernel/signal_32.c
3530 ---- linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400
3531 -+++ linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400
3532 -@@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
3533 - /* Save user registers on the stack */
3534 - frame = &rt_sf->uc.uc_mcontext;
3535 - addr = frame;
3536 -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
3537 -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
3538 - if (save_user_regs(regs, frame, 0, 1))
3539 - goto badframe;
3540 - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
3541 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_64.c linux-2.6.32.46/arch/powerpc/kernel/signal_64.c
3542 ---- linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-03-27 14:31:47.000000000 -0400
3543 -+++ linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-04-17 15:56:45.000000000 -0400
3544 -@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
3545 - current->thread.fpscr.val = 0;
3546 -
3547 - /* Set up to return from userspace. */
3548 -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
3549 -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
3550 - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
3551 - } else {
3552 - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
3553 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c
3554 ---- linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-03-27 14:31:47.000000000 -0400
3555 -+++ linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-04-17 15:56:45.000000000 -0400
3556 -@@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
3557 - if (oldlenp) {
3558 - if (!error) {
3559 - if (get_user(oldlen, oldlenp) ||
3560 -- put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
3561 -+ put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
3562 -+ copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
3563 - error = -EFAULT;
3564 - }
3565 -- copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
3566 - }
3567 - return error;
3568 - }
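Review bot: Folding `copy_to_user(args->__unused, ...)` into the `||` chain changes when it runs, not only whether its result is checked. Before, it ran whenever `oldlenp` was set, including when `error` was already non-zero; now it runs only when `!error` and both get_user and put_user succeed. If that narrowing is intended, say so in the description; otherwise keep the call where it was and test its return value there.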
3569 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/traps.c linux-2.6.32.46/arch/powerpc/kernel/traps.c
3570 ---- linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
3571 -+++ linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
3572 -@@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
3573 - static inline void pmac_backlight_unblank(void) { }
3574 - #endif
3575 -
3576 -+extern void gr_handle_kernel_exploit(void);
3577 -+
3578 - int die(const char *str, struct pt_regs *regs, long err)
3579 - {
3580 - static struct {
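Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in traps.c. A prototype in a .c file is not checked against the definition, so a later signature change would compile cleanly and misbehave at run time. Move the declaration into a shared header that the defining file also includes.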
3581 -@@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
3582 - if (panic_on_oops)
3583 - panic("Fatal exception");
3584 -
3585 -+ gr_handle_kernel_exploit();
3586 -+
3587 - oops_exit();
3588 - do_exit(err);
3589 -
3590 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vdso.c linux-2.6.32.46/arch/powerpc/kernel/vdso.c
3591 ---- linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
3592 -+++ linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
3593 -@@ -36,6 +36,7 @@
3594 - #include <asm/firmware.h>
3595 - #include <asm/vdso.h>
3596 - #include <asm/vdso_datapage.h>
3597 -+#include <asm/mman.h>
3598 -
3599 - #include "setup.h"
3600 -
3601 -@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
3602 - vdso_base = VDSO32_MBASE;
3603 - #endif
3604 -
3605 -- current->mm->context.vdso_base = 0;
3606 -+ current->mm->context.vdso_base = ~0UL;
3607 -
3608 - /* vDSO has a problem and was disabled, just don't "enable" it for the
3609 - * process
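Review bot: Changing the "no vDSO" marker from `0` to `~0UL` at `current->mm->context.vdso_base = ~0UL;` silently inverts every remaining truthiness test on that field. The signal_32.c and signal_64.c hunks are updated to compare against `~0UL`, but any other reader still written as `if (vdso_base)` would now treat an unmapped vDSO as present. Introduce a named constant for the sentinel and audit all users of `context.vdso_base` against it.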
3610 -@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
3611 - vdso_base = get_unmapped_area(NULL, vdso_base,
3612 - (vdso_pages << PAGE_SHIFT) +
3613 - ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
3614 -- 0, 0);
3615 -+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
3616 - if (IS_ERR_VALUE(vdso_base)) {
3617 - rc = vdso_base;
3618 - goto fail_mmapsem;
3619 -diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vio.c linux-2.6.32.46/arch/powerpc/kernel/vio.c
3620 ---- linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-03-27 14:31:47.000000000 -0400
3621 -+++ linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-04-17 15:56:45.000000000 -0400
3622 -@@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
3623 - vio_cmo_dealloc(viodev, alloc_size);
3624 - }
3625 -
3626 --struct dma_map_ops vio_dma_mapping_ops = {
3627 -+static const struct dma_map_ops vio_dma_mapping_ops = {
3628 - .alloc_coherent = vio_dma_iommu_alloc_coherent,
3629 - .free_coherent = vio_dma_iommu_free_coherent,
3630 - .map_sg = vio_dma_iommu_map_sg,
3631 - .unmap_sg = vio_dma_iommu_unmap_sg,
3632 -+ .dma_supported = dma_iommu_dma_supported,
3633 - .map_page = vio_dma_iommu_map_page,
3634 - .unmap_page = vio_dma_iommu_unmap_page,
3635 -
3636 -@@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
3637 -
3638 - static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
3639 - {
3640 -- vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
3641 - viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
3642 - }
3643 -
3644 -diff -urNp linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c
3645 ---- linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
3646 -+++ linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:56:45.000000000 -0400
3647 -@@ -9,22 +9,6 @@
3648 - #include <linux/module.h>
3649 - #include <asm/uaccess.h>
3650 -
3651 --unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3652 --{
3653 -- if (likely(access_ok(VERIFY_READ, from, n)))
3654 -- n = __copy_from_user(to, from, n);
3655 -- else
3656 -- memset(to, 0, n);
3657 -- return n;
3658 --}
3659 --
3660 --unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3661 --{
3662 -- if (likely(access_ok(VERIFY_WRITE, to, n)))
3663 -- n = __copy_to_user(to, from, n);
3664 -- return n;
3665 --}
3666 --
3667 - unsigned long copy_in_user(void __user *to, const void __user *from,
3668 - unsigned long n)
3669 - {
3670 -@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
3671 - return n;
3672 - }
3673 -
3674 --EXPORT_SYMBOL(copy_from_user);
3675 --EXPORT_SYMBOL(copy_to_user);
3676 - EXPORT_SYMBOL(copy_in_user);
3677 -
3678 -diff -urNp linux-2.6.32.46/arch/powerpc/mm/fault.c linux-2.6.32.46/arch/powerpc/mm/fault.c
3679 ---- linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
3680 -+++ linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
3681 -@@ -30,6 +30,10 @@
3682 - #include <linux/kprobes.h>
3683 - #include <linux/kdebug.h>
3684 - #include <linux/perf_event.h>
3685 -+#include <linux/slab.h>
3686 -+#include <linux/pagemap.h>
3687 -+#include <linux/compiler.h>
3688 -+#include <linux/unistd.h>
3689 -
3690 - #include <asm/firmware.h>
3691 - #include <asm/page.h>
3692 -@@ -40,6 +44,7 @@
3693 - #include <asm/uaccess.h>
3694 - #include <asm/tlbflush.h>
3695 - #include <asm/siginfo.h>
3696 -+#include <asm/ptrace.h>
3697 -
3698 -
3699 - #ifdef CONFIG_KPROBES
3700 -@@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
3701 - }
3702 - #endif
3703 -
3704 -+#ifdef CONFIG_PAX_PAGEEXEC
3705 -+/*
3706 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
3707 -+ *
3708 -+ * returns 1 when task should be killed
3709 -+ */
3710 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
3711 -+{
3712 -+ return 1;
3713 -+}
3714 -+
3715 -+void pax_report_insns(void *pc, void *sp)
3716 -+{
3717 -+ unsigned long i;
3718 -+
3719 -+ printk(KERN_ERR "PAX: bytes at PC: ");
3720 -+ for (i = 0; i < 5; i++) {
3721 -+ unsigned int c;
3722 -+ if (get_user(c, (unsigned int __user *)pc+i))
3723 -+ printk(KERN_CONT "???????? ");
3724 -+ else
3725 -+ printk(KERN_CONT "%08x ", c);
3726 -+ }
3727 -+ printk("\n");
3728 -+}
3729 -+#endif
3730 -+
3731 - /*
3732 - * Check whether the instruction at regs->nip is a store using
3733 - * an update addressing form which will update r1.
3734 -@@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
3735 - * indicate errors in DSISR but can validly be set in SRR1.
3736 - */
3737 - if (trap == 0x400)
3738 -- error_code &= 0x48200000;
3739 -+ error_code &= 0x58200000;
3740 - else
3741 - is_write = error_code & DSISR_ISSTORE;
3742 - #else
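Review bot: The mask changes from `0x48200000` to `0x58200000` with no explanation, and the added bit `0x10000000` is the same literal the next hunk in this file replaces with `DSISR_GUARDED`. Build the mask from the named DSISR bits, or at least add a comment listing which bits are kept, so the two hunks visibly agree.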
3743 -@@ -250,7 +282,7 @@ good_area:
3744 - * "undefined". Of those that can be set, this is the only
3745 - * one which seems bad.
3746 - */
3747 -- if (error_code & 0x10000000)
3748 -+ if (error_code & DSISR_GUARDED)
3749 - /* Guarded storage error. */
3750 - goto bad_area;
3751 - #endif /* CONFIG_8xx */
3752 -@@ -265,7 +297,7 @@ good_area:
3753 - * processors use the same I/D cache coherency mechanism
3754 - * as embedded.
3755 - */
3756 -- if (error_code & DSISR_PROTFAULT)
3757 -+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3758 - goto bad_area;
3759 - #endif /* CONFIG_PPC_STD_MMU */
3760 -
3761 -@@ -335,6 +367,23 @@ bad_area:
3762 - bad_area_nosemaphore:
3763 - /* User mode accesses cause a SIGSEGV */
3764 - if (user_mode(regs)) {
3765 -+
3766 -+#ifdef CONFIG_PAX_PAGEEXEC
3767 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3768 -+#ifdef CONFIG_PPC_STD_MMU
3769 -+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3770 -+#else
3771 -+ if (is_exec && regs->nip == address) {
3772 -+#endif
3773 -+ switch (pax_handle_fetch_fault(regs)) {
3774 -+ }
3775 -+
3776 -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3777 -+ do_group_exit(SIGKILL);
3778 -+ }
3779 -+ }
3780 -+#endif
3781 -+
3782 - _exception(SIGSEGV, regs, code, address);
3783 - return 0;
3784 - }
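Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and control always falls through to pax_report_fault and `do_group_exit(SIGKILL)`. The helper added earlier in this file also unconditionally returns 1. Either drop the switch and call the report path directly, or add a comment that the empty switch is a placeholder for per-case handling, so it is not mistaken for lost code.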
3785 -diff -urNp linux-2.6.32.46/arch/powerpc/mm/mem.c linux-2.6.32.46/arch/powerpc/mm/mem.c
3786 ---- linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-03-27 14:31:47.000000000 -0400
3787 -+++ linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-08-21 15:50:39.000000000 -0400
3788 -@@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
3789 - {
3790 - unsigned long lmb_next_region_start_pfn,
3791 - lmb_region_max_pfn;
3792 -- int i;
3793 -+ unsigned int i;
3794 -
3795 - for (i = 0; i < lmb.memory.cnt - 1; i++) {
3796 - lmb_region_max_pfn =
3797 -diff -urNp linux-2.6.32.46/arch/powerpc/mm/mmap_64.c linux-2.6.32.46/arch/powerpc/mm/mmap_64.c
3798 ---- linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400
3799 -+++ linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400
3800 -@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3801 - */
3802 - if (mmap_is_legacy()) {
3803 - mm->mmap_base = TASK_UNMAPPED_BASE;
3804 -+
3805 -+#ifdef CONFIG_PAX_RANDMMAP
3806 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3807 -+ mm->mmap_base += mm->delta_mmap;
3808 -+#endif
3809 -+
3810 - mm->get_unmapped_area = arch_get_unmapped_area;
3811 - mm->unmap_area = arch_unmap_area;
3812 - } else {
3813 - mm->mmap_base = mmap_base();
3814 -+
3815 -+#ifdef CONFIG_PAX_RANDMMAP
3816 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3817 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3818 -+#endif
3819 -+
3820 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3821 - mm->unmap_area = arch_unmap_area_topdown;
3822 - }
3823 -diff -urNp linux-2.6.32.46/arch/powerpc/mm/slice.c linux-2.6.32.46/arch/powerpc/mm/slice.c
3824 ---- linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-03-27 14:31:47.000000000 -0400
3825 -+++ linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-04-17 15:56:45.000000000 -0400
3826 -@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3827 - if ((mm->task_size - len) < addr)
3828 - return 0;
3829 - vma = find_vma(mm, addr);
3830 -- return (!vma || (addr + len) <= vma->vm_start);
3831 -+ return check_heap_stack_gap(vma, addr, len);
3832 - }
3833 -
3834 - static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3835 -@@ -256,7 +256,7 @@ full_search:
3836 - addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3837 - continue;
3838 - }
3839 -- if (!vma || addr + len <= vma->vm_start) {
3840 -+ if (check_heap_stack_gap(vma, addr, len)) {
3841 - /*
3842 - * Remember the place where we stopped the search:
3843 - */
3844 -@@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3845 - }
3846 - }
3847 -
3848 -- addr = mm->mmap_base;
3849 -- while (addr > len) {
3850 -+ if (mm->mmap_base < len)
3851 -+ addr = -ENOMEM;
3852 -+ else
3853 -+ addr = mm->mmap_base - len;
3854 -+
3855 -+ while (!IS_ERR_VALUE(addr)) {
3856 - /* Go down by chunk size */
3857 -- addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3858 -+ addr = _ALIGN_DOWN(addr, 1ul << pshift);
3859 -
3860 - /* Check for hit with different page size */
3861 - mask = slice_range_to_mask(addr, len);
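Review bot: The top-down loop no longer decreases `addr` on each pass: `_ALIGN_DOWN(addr - len, ...)` became `_ALIGN_DOWN(addr, ...)`, and the loop condition is now `!IS_ERR_VALUE(addr)`. The only reassignment visible in this file is `addr = skip_heap_stack_gap(vma, len);` in a later hunk, so termination depends on that helper eventually returning an error value. Confirm that every path back to the top of the loop changes `addr`, and add a comment stating that contract next to the `while`.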
3862 -@@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3863 - * return with success:
3864 - */
3865 - vma = find_vma(mm, addr);
3866 -- if (!vma || (addr + len) <= vma->vm_start) {
3867 -+ if (check_heap_stack_gap(vma, addr, len)) {
3868 - /* remember the address as a hint for next time */
3869 - if (use_cache)
3870 - mm->free_area_cache = addr;
3871 -@@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3872 - mm->cached_hole_size = vma->vm_start - addr;
3873 -
3874 - /* try just below the current vma->vm_start */
3875 -- addr = vma->vm_start;
3876 -+ addr = skip_heap_stack_gap(vma, len);
3877 - }
3878 -
3879 - /*
3880 -@@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3881 - if (fixed && addr > (mm->task_size - len))
3882 - return -EINVAL;
3883 -
3884 -+#ifdef CONFIG_PAX_RANDMMAP
3885 -+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3886 -+ addr = 0;
3887 -+#endif
3888 -+
3889 - /* If hint, make sure it matches our alignment restrictions */
3890 - if (!fixed && addr) {
3891 - addr = _ALIGN_UP(addr, 1ul << pshift);
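Review bot: the CONFIG_PAX_RANDMMAP block in slice_get_unmapped_area silently discards the caller's hint (addr = 0) for every non-fixed request when MF_PAX_RANDMMAP is set, and nothing says why. A short comment explaining that the hint is ignored on purpose under RANDMMAP would help, since the code directly below ('If hint, make sure it matches our alignment restrictions') now reads as dead for such tasks.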
3892 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c
3893 ---- linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-03-27 14:31:47.000000000 -0400
3894 -+++ linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-04-17 15:56:45.000000000 -0400
3895 -@@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3896 - lite5200_pm_target_state = PM_SUSPEND_ON;
3897 - }
3898 -
3899 --static struct platform_suspend_ops lite5200_pm_ops = {
3900 -+static const struct platform_suspend_ops lite5200_pm_ops = {
3901 - .valid = lite5200_pm_valid,
3902 - .begin = lite5200_pm_begin,
3903 - .prepare = lite5200_pm_prepare,
3904 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3905 ---- linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-03-27 14:31:47.000000000 -0400
3906 -+++ linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-04-17 15:56:45.000000000 -0400
3907 -@@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3908 - iounmap(mbar);
3909 - }
3910 -
3911 --static struct platform_suspend_ops mpc52xx_pm_ops = {
3912 -+static const struct platform_suspend_ops mpc52xx_pm_ops = {
3913 - .valid = mpc52xx_pm_valid,
3914 - .prepare = mpc52xx_pm_prepare,
3915 - .enter = mpc52xx_pm_enter,
3916 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c
3917 ---- linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-03-27 14:31:47.000000000 -0400
3918 -+++ linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-04-17 15:56:45.000000000 -0400
3919 -@@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3920 - return ret;
3921 - }
3922 -
3923 --static struct platform_suspend_ops mpc83xx_suspend_ops = {
3924 -+static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3925 - .valid = mpc83xx_suspend_valid,
3926 - .begin = mpc83xx_suspend_begin,
3927 - .enter = mpc83xx_suspend_enter,
3928 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c
3929 ---- linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-03-27 14:31:47.000000000 -0400
3930 -+++ linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:56:45.000000000 -0400
3931 -@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3932 -
3933 - static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3934 -
3935 --struct dma_map_ops dma_iommu_fixed_ops = {
3936 -+const struct dma_map_ops dma_iommu_fixed_ops = {
3937 - .alloc_coherent = dma_fixed_alloc_coherent,
3938 - .free_coherent = dma_fixed_free_coherent,
3939 - .map_sg = dma_fixed_map_sg,
3940 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c
3941 ---- linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-03-27 14:31:47.000000000 -0400
3942 -+++ linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:56:45.000000000 -0400
3943 -@@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3944 - return mask >= DMA_BIT_MASK(32);
3945 - }
3946 -
3947 --static struct dma_map_ops ps3_sb_dma_ops = {
3948 -+static const struct dma_map_ops ps3_sb_dma_ops = {
3949 - .alloc_coherent = ps3_alloc_coherent,
3950 - .free_coherent = ps3_free_coherent,
3951 - .map_sg = ps3_sb_map_sg,
3952 -@@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3953 - .unmap_page = ps3_unmap_page,
3954 - };
3955 -
3956 --static struct dma_map_ops ps3_ioc0_dma_ops = {
3957 -+static const struct dma_map_ops ps3_ioc0_dma_ops = {
3958 - .alloc_coherent = ps3_alloc_coherent,
3959 - .free_coherent = ps3_free_coherent,
3960 - .map_sg = ps3_ioc0_map_sg,
3961 -diff -urNp linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig
3962 ---- linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-03-27 14:31:47.000000000 -0400
3963 -+++ linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-04-17 15:56:45.000000000 -0400
3964 -@@ -2,6 +2,8 @@ config PPC_PSERIES
3965 - depends on PPC64 && PPC_BOOK3S
3966 - bool "IBM pSeries & new (POWER5-based) iSeries"
3967 - select MPIC
3968 -+ select PCI_MSI
3969 -+ select XICS
3970 - select PPC_I8259
3971 - select PPC_RTAS
3972 - select RTAS_ERROR_LOGGING
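Review bot: 'select PCI_MSI' and 'select XICS' are added to PPC_PSERIES with no explanation, and select forces a symbol on without honouring that symbol's own dependencies. If these are needed only to keep some configuration building, say so in the patch description; otherwise a 'depends on' or a default in the selected symbols would be the safer way to express it.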
3973 -diff -urNp linux-2.6.32.46/arch/s390/Kconfig linux-2.6.32.46/arch/s390/Kconfig
3974 ---- linux-2.6.32.46/arch/s390/Kconfig 2011-03-27 14:31:47.000000000 -0400
3975 -+++ linux-2.6.32.46/arch/s390/Kconfig 2011-04-17 15:56:45.000000000 -0400
3976 -@@ -194,28 +194,26 @@ config AUDIT_ARCH
3977 -
3978 - config S390_SWITCH_AMODE
3979 - bool "Switch kernel/user addressing modes"
3980 -+ default y
3981 - help
3982 - This option allows to switch the addressing modes of kernel and user
3983 -- space. The kernel parameter switch_amode=on will enable this feature,
3984 -- default is disabled. Enabling this (via kernel parameter) on machines
3985 -- earlier than IBM System z9-109 EC/BC will reduce system performance.
3986 -+ space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3987 -+ will reduce system performance.
3988 -
3989 - Note that this option will also be selected by selecting the execute
3990 -- protection option below. Enabling the execute protection via the
3991 -- noexec kernel parameter will also switch the addressing modes,
3992 -- independent of the switch_amode kernel parameter.
3993 -+ protection option below. Enabling the execute protection will also
3994 -+ switch the addressing modes, independent of this option.
3995 -
3996 -
3997 - config S390_EXEC_PROTECT
3998 - bool "Data execute protection"
3999 -+ default y
4000 - select S390_SWITCH_AMODE
4001 - help
4002 - This option allows to enable a buffer overflow protection for user
4003 - space programs and it also selects the addressing mode option above.
4004 -- The kernel parameter noexec=on will enable this feature and also
4005 -- switch the addressing modes, default is disabled. Enabling this (via
4006 -- kernel parameter) on machines earlier than IBM System z9-109 EC/BC
4007 -- will reduce system performance.
4008 -+ Enabling this on machines earlier than IBM System z9-109 EC/BC will
4009 -+ reduce system performance.
4010 -
4011 - comment "Code generation options"
4012 -
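Review bot: S390_SWITCH_AMODE and S390_EXEC_PROTECT both gain 'default y' while the help text keeps the warning that machines earlier than IBM System z9-109 EC/BC lose performance, and the sentences describing the switch_amode= and noexec= kernel parameters are dropped. The help text should say explicitly that there is no longer a boot-time switch and that the only way to opt out is to build with the option disabled. 'This option allows to switch/enable' also no longer matches the behaviour, since the option now switches it on unconditionally.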
4013 -diff -urNp linux-2.6.32.46/arch/s390/include/asm/elf.h linux-2.6.32.46/arch/s390/include/asm/elf.h
4014 ---- linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
4015 -+++ linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
4016 -@@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
4017 - that it will "exec", and that there is sufficient room for the brk. */
4018 - #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4019 -
4020 -+#ifdef CONFIG_PAX_ASLR
4021 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4022 -+
4023 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4024 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4025 -+#endif
4026 -+
4027 - /* This yields a mask that user programs can use to figure out what
4028 - instruction set this CPU supports. */
4029 -
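Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN use the bare constants 15 and 26 with no comment on their unit or on how they were derived for the 31-bit and 64-bit address spaces. Please add a comment giving the reasoning, and drop the stray space in '26 )'. Note also that each use of these macros evaluates test_thread_flag(TIF_31BIT) on the current thread, so they are only meaningful in the context of the task being set up.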
4030 -diff -urNp linux-2.6.32.46/arch/s390/include/asm/setup.h linux-2.6.32.46/arch/s390/include/asm/setup.h
4031 ---- linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-03-27 14:31:47.000000000 -0400
4032 -+++ linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-04-17 15:56:45.000000000 -0400
4033 -@@ -50,13 +50,13 @@ extern unsigned long memory_end;
4034 - void detect_memory_layout(struct mem_chunk chunk[]);
4035 -
4036 - #ifdef CONFIG_S390_SWITCH_AMODE
4037 --extern unsigned int switch_amode;
4038 -+#define switch_amode (1)
4039 - #else
4040 - #define switch_amode (0)
4041 - #endif
4042 -
4043 - #ifdef CONFIG_S390_EXEC_PROTECT
4044 --extern unsigned int s390_noexec;
4045 -+#define s390_noexec (1)
4046 - #else
4047 - #define s390_noexec (0)
4048 - #endif
4049 -diff -urNp linux-2.6.32.46/arch/s390/include/asm/uaccess.h linux-2.6.32.46/arch/s390/include/asm/uaccess.h
4050 ---- linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
4051 -+++ linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
4052 -@@ -232,6 +232,10 @@ static inline unsigned long __must_check
4053 - copy_to_user(void __user *to, const void *from, unsigned long n)
4054 - {
4055 - might_fault();
4056 -+
4057 -+ if ((long)n < 0)
4058 -+ return n;
4059 -+
4060 - if (access_ok(VERIFY_WRITE, to, n))
4061 - n = __copy_to_user(to, from, n);
4062 - return n;
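Review bot: the '(long)n < 0' check at the top of copy_to_user rejects lengths with the top bit set before access_ok runs, but nothing at the site explains the cast or records the event. Returning n matches the 'bytes not copied' convention, so callers see a complete failure. The same three lines are repeated in __copy_from_user and copy_from_user below; a commented shared helper would keep the three copies from drifting apart.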
4063 -@@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
4064 - static inline unsigned long __must_check
4065 - __copy_from_user(void *to, const void __user *from, unsigned long n)
4066 - {
4067 -+ if ((long)n < 0)
4068 -+ return n;
4069 -+
4070 - if (__builtin_constant_p(n) && (n <= 256))
4071 - return uaccess.copy_from_user_small(n, from, to);
4072 - else
4073 -@@ -283,6 +290,10 @@ static inline unsigned long __must_check
4074 - copy_from_user(void *to, const void __user *from, unsigned long n)
4075 - {
4076 - might_fault();
4077 -+
4078 -+ if ((long)n < 0)
4079 -+ return n;
4080 -+
4081 - if (access_ok(VERIFY_READ, from, n))
4082 - n = __copy_from_user(to, from, n);
4083 - else
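Review bot: in copy_from_user the new early return for '(long)n < 0' sits before the access_ok test and therefore also before the else branch that follows it, so whatever that branch does for a rejected copy is skipped on this path. If that branch clears the destination buffer, please confirm that skipping it is intended for an implausible length and say so in a comment, because callers that ignore the return value would then see an untouched buffer.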
4084 -diff -urNp linux-2.6.32.46/arch/s390/kernel/module.c linux-2.6.32.46/arch/s390/kernel/module.c
4085 ---- linux-2.6.32.46/arch/s390/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
4086 -+++ linux-2.6.32.46/arch/s390/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
4087 -@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4088 -
4089 - /* Increase core size by size of got & plt and set start
4090 - offsets for got and plt. */
4091 -- me->core_size = ALIGN(me->core_size, 4);
4092 -- me->arch.got_offset = me->core_size;
4093 -- me->core_size += me->arch.got_size;
4094 -- me->arch.plt_offset = me->core_size;
4095 -- me->core_size += me->arch.plt_size;
4096 -+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
4097 -+ me->arch.got_offset = me->core_size_rw;
4098 -+ me->core_size_rw += me->arch.got_size;
4099 -+ me->arch.plt_offset = me->core_size_rx;
4100 -+ me->core_size_rx += me->arch.plt_size;
4101 - return 0;
4102 - }
4103 -
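Review bot: in module_frob_arch_sections only core_size_rw is passed through ALIGN(..., 4) before use; plt_offset is taken from core_size_rx as is. In the old layout the PLT followed the GOT inside the region that had just been aligned, and apply_rela later writes PLT entries through an 'unsigned int *ip' at module_core_rx + plt_offset. Please align core_size_rx as well before assigning plt_offset, or explain why it is already aligned at this point.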
4104 -@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4105 - if (info->got_initialized == 0) {
4106 - Elf_Addr *gotent;
4107 -
4108 -- gotent = me->module_core + me->arch.got_offset +
4109 -+ gotent = me->module_core_rw + me->arch.got_offset +
4110 - info->got_offset;
4111 - *gotent = val;
4112 - info->got_initialized = 1;
4113 -@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4114 - else if (r_type == R_390_GOTENT ||
4115 - r_type == R_390_GOTPLTENT)
4116 - *(unsigned int *) loc =
4117 -- (val + (Elf_Addr) me->module_core - loc) >> 1;
4118 -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4119 - else if (r_type == R_390_GOT64 ||
4120 - r_type == R_390_GOTPLT64)
4121 - *(unsigned long *) loc = val;
4122 -@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4123 - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4124 - if (info->plt_initialized == 0) {
4125 - unsigned int *ip;
4126 -- ip = me->module_core + me->arch.plt_offset +
4127 -+ ip = me->module_core_rx + me->arch.plt_offset +
4128 - info->plt_offset;
4129 - #ifndef CONFIG_64BIT
4130 - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
4131 -@@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4132 - val - loc + 0xffffUL < 0x1ffffeUL) ||
4133 - (r_type == R_390_PLT32DBL &&
4134 - val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4135 -- val = (Elf_Addr) me->module_core +
4136 -+ val = (Elf_Addr) me->module_core_rx +
4137 - me->arch.plt_offset +
4138 - info->plt_offset;
4139 - val += rela->r_addend - loc;
4140 -@@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4141 - case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4142 - case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4143 - val = val + rela->r_addend -
4144 -- ((Elf_Addr) me->module_core + me->arch.got_offset);
4145 -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4146 - if (r_type == R_390_GOTOFF16)
4147 - *(unsigned short *) loc = val;
4148 - else if (r_type == R_390_GOTOFF32)
4149 -@@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4150 - break;
4151 - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4152 - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4153 -- val = (Elf_Addr) me->module_core + me->arch.got_offset +
4154 -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4155 - rela->r_addend - loc;
4156 - if (r_type == R_390_GOTPC)
4157 - *(unsigned int *) loc = val;
4158 -diff -urNp linux-2.6.32.46/arch/s390/kernel/setup.c linux-2.6.32.46/arch/s390/kernel/setup.c
4159 ---- linux-2.6.32.46/arch/s390/kernel/setup.c 2011-03-27 14:31:47.000000000 -0400
4160 -+++ linux-2.6.32.46/arch/s390/kernel/setup.c 2011-04-17 15:56:45.000000000 -0400
4161 -@@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
4162 - early_param("mem", early_parse_mem);
4163 -
4164 - #ifdef CONFIG_S390_SWITCH_AMODE
4165 --unsigned int switch_amode = 0;
4166 --EXPORT_SYMBOL_GPL(switch_amode);
4167 --
4168 - static int set_amode_and_uaccess(unsigned long user_amode,
4169 - unsigned long user32_amode)
4170 - {
4171 -@@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
4172 - return 0;
4173 - }
4174 - }
4175 --
4176 --/*
4177 -- * Switch kernel/user addressing modes?
4178 -- */
4179 --static int __init early_parse_switch_amode(char *p)
4180 --{
4181 -- switch_amode = 1;
4182 -- return 0;
4183 --}
4184 --early_param("switch_amode", early_parse_switch_amode);
4185 --
4186 - #else /* CONFIG_S390_SWITCH_AMODE */
4187 - static inline int set_amode_and_uaccess(unsigned long user_amode,
4188 - unsigned long user32_amode)
4189 -@@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
4190 - }
4191 - #endif /* CONFIG_S390_SWITCH_AMODE */
4192 -
4193 --#ifdef CONFIG_S390_EXEC_PROTECT
4194 --unsigned int s390_noexec = 0;
4195 --EXPORT_SYMBOL_GPL(s390_noexec);
4196 --
4197 --/*
4198 -- * Enable execute protection?
4199 -- */
4200 --static int __init early_parse_noexec(char *p)
4201 --{
4202 -- if (!strncmp(p, "off", 3))
4203 -- return 0;
4204 -- switch_amode = 1;
4205 -- s390_noexec = 1;
4206 -- return 0;
4207 --}
4208 --early_param("noexec", early_parse_noexec);
4209 --#endif /* CONFIG_S390_EXEC_PROTECT */
4210 --
4211 - static void setup_addressing_mode(void)
4212 - {
4213 - if (s390_noexec) {
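Review bot: with the early_param("noexec") and early_param("switch_amode") handlers removed and s390_noexec defined as the constant (1) in setup.h, a 'noexec=off' on the kernel command line no longer has any effect and the user gets no indication of that. Consider keeping a stub handler that logs that the parameter is ignored, and note that 'if (s390_noexec)' in setup_addressing_mode is now a compile-time constant.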
4214 -diff -urNp linux-2.6.32.46/arch/s390/mm/mmap.c linux-2.6.32.46/arch/s390/mm/mmap.c
4215 ---- linux-2.6.32.46/arch/s390/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
4216 -+++ linux-2.6.32.46/arch/s390/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
4217 -@@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
4218 - */
4219 - if (mmap_is_legacy()) {
4220 - mm->mmap_base = TASK_UNMAPPED_BASE;
4221 -+
4222 -+#ifdef CONFIG_PAX_RANDMMAP
4223 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4224 -+ mm->mmap_base += mm->delta_mmap;
4225 -+#endif
4226 -+
4227 - mm->get_unmapped_area = arch_get_unmapped_area;
4228 - mm->unmap_area = arch_unmap_area;
4229 - } else {
4230 - mm->mmap_base = mmap_base();
4231 -+
4232 -+#ifdef CONFIG_PAX_RANDMMAP
4233 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4234 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4235 -+#endif
4236 -+
4237 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4238 - mm->unmap_area = arch_unmap_area_topdown;
4239 - }
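Review bot: in the top-down branch 'mm->mmap_base -= mm->delta_mmap + mm->delta_stack' is an unchecked subtraction on an unsigned value. Nothing visible here bounds the two deltas against what mmap_base() returned, so please either add a lower-bound check or a comment stating which limit (the PAX_DELTA_*_LEN values in elf.h, presumably) guarantees that the result cannot wrap or fall below the lowest usable address.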
4240 -@@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
4241 - */
4242 - if (mmap_is_legacy()) {
4243 - mm->mmap_base = TASK_UNMAPPED_BASE;
4244 -+
4245 -+#ifdef CONFIG_PAX_RANDMMAP
4246 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4247 -+ mm->mmap_base += mm->delta_mmap;
4248 -+#endif
4249 -+
4250 - mm->get_unmapped_area = s390_get_unmapped_area;
4251 - mm->unmap_area = arch_unmap_area;
4252 - } else {
4253 - mm->mmap_base = mmap_base();
4254 -+
4255 -+#ifdef CONFIG_PAX_RANDMMAP
4256 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4257 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4258 -+#endif
4259 -+
4260 - mm->get_unmapped_area = s390_get_unmapped_area_topdown;
4261 - mm->unmap_area = arch_unmap_area_topdown;
4262 - }
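Review bot: this hunk repeats the two CONFIG_PAX_RANDMMAP blocks from the previous arch_pick_mmap_layout variant line for line. A small static inline helper that applies the delta for the legacy and top-down cases would remove the duplication and leave a single place to fix if the adjustment ever changes.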
4263 -diff -urNp linux-2.6.32.46/arch/score/include/asm/system.h linux-2.6.32.46/arch/score/include/asm/system.h
4264 ---- linux-2.6.32.46/arch/score/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
4265 -+++ linux-2.6.32.46/arch/score/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
4266 -@@ -17,7 +17,7 @@ do { \
4267 - #define finish_arch_switch(prev) do {} while (0)
4268 -
4269 - typedef void (*vi_handler_t)(void);
4270 --extern unsigned long arch_align_stack(unsigned long sp);
4271 -+#define arch_align_stack(x) (x)
4272 -
4273 - #define mb() barrier()
4274 - #define rmb() barrier()
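Review bot: replacing the arch_align_stack prototype with '#define arch_align_stack(x) (x)' drops the unsigned long parameter and return types, so a caller passing a pointer or a narrower type now compiles without conversion or warning. A static inline function with the original signature gives the same code generation and keeps the type check.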
4275 -diff -urNp linux-2.6.32.46/arch/score/kernel/process.c linux-2.6.32.46/arch/score/kernel/process.c
4276 ---- linux-2.6.32.46/arch/score/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
4277 -+++ linux-2.6.32.46/arch/score/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
4278 -@@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
4279 -
4280 - return task_pt_regs(task)->cp0_epc;
4281 - }
4282 --
4283 --unsigned long arch_align_stack(unsigned long sp)
4284 --{
4285 -- return sp;
4286 --}
4287 -diff -urNp linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c
4288 ---- linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-03-27 14:31:47.000000000 -0400
4289 -+++ linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-04-17 15:56:45.000000000 -0400
4290 -@@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
4291 - return 0;
4292 - }
4293 -
4294 --static struct platform_suspend_ops hp6x0_pm_ops = {
4295 -+static const struct platform_suspend_ops hp6x0_pm_ops = {
4296 - .enter = hp6x0_pm_enter,
4297 - .valid = suspend_valid_only_mem,
4298 - };
4299 -diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c
4300 ---- linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-03-27 14:31:47.000000000 -0400
4301 -+++ linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-04-17 15:56:46.000000000 -0400
4302 -@@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
4303 - NULL,
4304 - };
4305 -
4306 --static struct sysfs_ops sq_sysfs_ops = {
4307 -+static const struct sysfs_ops sq_sysfs_ops = {
4308 - .show = sq_sysfs_show,
4309 - .store = sq_sysfs_store,
4310 - };
4311 -diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c
4312 ---- linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-03-27 14:31:47.000000000 -0400
4313 -+++ linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-04-17 15:56:46.000000000 -0400
4314 -@@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
4315 - return 0;
4316 - }
4317 -
4318 --static struct platform_suspend_ops sh_pm_ops = {
4319 -+static const struct platform_suspend_ops sh_pm_ops = {
4320 - .enter = sh_pm_enter,
4321 - .valid = suspend_valid_only_mem,
4322 - };
4323 -diff -urNp linux-2.6.32.46/arch/sh/kernel/kgdb.c linux-2.6.32.46/arch/sh/kernel/kgdb.c
4324 ---- linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
4325 -+++ linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-04-17 15:56:46.000000000 -0400
4326 -@@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
4327 - {
4328 - }
4329 -
4330 --struct kgdb_arch arch_kgdb_ops = {
4331 -+const struct kgdb_arch arch_kgdb_ops = {
4332 - /* Breakpoint instruction: trapa #0x3c */
4333 - #ifdef CONFIG_CPU_LITTLE_ENDIAN
4334 - .gdb_bpt_instr = { 0x3c, 0xc3 },
4335 -diff -urNp linux-2.6.32.46/arch/sh/mm/mmap.c linux-2.6.32.46/arch/sh/mm/mmap.c
4336 ---- linux-2.6.32.46/arch/sh/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
4337 -+++ linux-2.6.32.46/arch/sh/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
4338 -@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
4339 - addr = PAGE_ALIGN(addr);
4340 -
4341 - vma = find_vma(mm, addr);
4342 -- if (TASK_SIZE - len >= addr &&
4343 -- (!vma || addr + len <= vma->vm_start))
4344 -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
4345 - return addr;
4346 - }
4347 -
4348 -@@ -106,7 +105,7 @@ full_search:
4349 - }
4350 - return -ENOMEM;
4351 - }
4352 -- if (likely(!vma || addr + len <= vma->vm_start)) {
4353 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4354 - /*
4355 - * Remember the place where we stopped the search:
4356 - */
4357 -@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
4358 - addr = PAGE_ALIGN(addr);
4359 -
4360 - vma = find_vma(mm, addr);
4361 -- if (TASK_SIZE - len >= addr &&
4362 -- (!vma || addr + len <= vma->vm_start))
4363 -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
4364 - return addr;
4365 - }
4366 -
4367 -@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
4368 - /* make sure it can fit in the remaining address space */
4369 - if (likely(addr > len)) {
4370 - vma = find_vma(mm, addr-len);
4371 -- if (!vma || addr <= vma->vm_start) {
4372 -+ if (check_heap_stack_gap(vma, addr - len, len)) {
4373 - /* remember the address as a hint for next time */
4374 - return (mm->free_area_cache = addr-len);
4375 - }
4376 -@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
4377 - if (unlikely(mm->mmap_base < len))
4378 - goto bottomup;
4379 -
4380 -- addr = mm->mmap_base-len;
4381 -- if (do_colour_align)
4382 -- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4383 -+ addr = mm->mmap_base - len;
4384 -
4385 - do {
4386 -+ if (do_colour_align)
4387 -+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4388 - /*
4389 - * Lookup failure means no vma is above this address,
4390 - * else if new region fits below vma->vm_start,
4391 - * return with success:
4392 - */
4393 - vma = find_vma(mm, addr);
4394 -- if (likely(!vma || addr+len <= vma->vm_start)) {
4395 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4396 - /* remember the address as a hint for next time */
4397 - return (mm->free_area_cache = addr);
4398 - }
4399 -@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
4400 - mm->cached_hole_size = vma->vm_start - addr;
4401 -
4402 - /* try just below the current vma->vm_start */
4403 -- addr = vma->vm_start-len;
4404 -- if (do_colour_align)
4405 -- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4406 -- } while (likely(len < vma->vm_start));
4407 -+ addr = skip_heap_stack_gap(vma, len);
4408 -+ } while (!IS_ERR_VALUE(addr));
4409 -
4410 - bottomup:
4411 - /*
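Review bot: the loop in arch_get_unmapped_area_topdown used to stop on 'len < vma->vm_start', which kept the 'vma->vm_start-len' computation from underflowing in plain sight. It now runs 'while (!IS_ERR_VALUE(addr))' on the result of skip_heap_stack_gap(vma, len), so the underflow guard lives entirely in a helper that is not part of this file. Please add a comment at the call site stating that the helper returns an error-encoded value when no room remains below vma, since the fall-through to the bottomup label depends on it.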
4412 -diff -urNp linux-2.6.32.46/arch/sparc/Makefile linux-2.6.32.46/arch/sparc/Makefile
4413 ---- linux-2.6.32.46/arch/sparc/Makefile 2011-03-27 14:31:47.000000000 -0400
4414 -+++ linux-2.6.32.46/arch/sparc/Makefile 2011-04-17 15:56:46.000000000 -0400
4415 -@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4416 - # Export what is needed by arch/sparc/boot/Makefile
4417 - export VMLINUX_INIT VMLINUX_MAIN
4418 - VMLINUX_INIT := $(head-y) $(init-y)
4419 --VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4420 -+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4421 - VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4422 - VMLINUX_MAIN += $(drivers-y) $(net-y)
4423 -
4424 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h
4425 ---- linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
4426 -+++ linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-08-18 23:11:34.000000000 -0400
4427 -@@ -14,18 +14,40 @@
4428 - #define ATOMIC64_INIT(i) { (i) }
4429 -
4430 - #define atomic_read(v) ((v)->counter)
4431 -+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
4432 -+{
4433 -+ return v->counter;
4434 -+}
4435 - #define atomic64_read(v) ((v)->counter)
4436 -+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
4437 -+{
4438 -+ return v->counter;
4439 -+}
4440 -
4441 - #define atomic_set(v, i) (((v)->counter) = i)
4442 -+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
4443 -+{
4444 -+ v->counter = i;
4445 -+}
4446 - #define atomic64_set(v, i) (((v)->counter) = i)
4447 -+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
4448 -+{
4449 -+ v->counter = i;
4450 -+}
4451 -
4452 - extern void atomic_add(int, atomic_t *);
4453 -+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
4454 - extern void atomic64_add(long, atomic64_t *);
4455 -+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
4456 - extern void atomic_sub(int, atomic_t *);
4457 -+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
4458 - extern void atomic64_sub(long, atomic64_t *);
4459 -+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
4460 -
4461 - extern int atomic_add_ret(int, atomic_t *);
4462 -+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
4463 - extern long atomic64_add_ret(long, atomic64_t *);
4464 -+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
4465 - extern int atomic_sub_ret(int, atomic_t *);
4466 - extern long atomic64_sub_ret(long, atomic64_t *);
4467 -
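Review bot: _unchecked variants are declared for atomic_add, atomic_sub and atomic_add_ret (and their 64-bit forms), but atomic_sub_ret and atomic64_sub_ret get none. If that is deliberate because no caller needs them, say so in a comment; otherwise the API is asymmetric and the first user of a sub_return_unchecked will have to add it by hand.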
4468 -@@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
4469 - #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
4470 -
4471 - #define atomic_inc_return(v) atomic_add_ret(1, v)
4472 -+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
4473 -+{
4474 -+ return atomic_add_ret_unchecked(1, v);
4475 -+}
4476 - #define atomic64_inc_return(v) atomic64_add_ret(1, v)
4477 -+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
4478 -+{
4479 -+ return atomic64_add_ret_unchecked(1, v);
4480 -+}
4481 -
4482 - #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
4483 - #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
4484 -
4485 - #define atomic_add_return(i, v) atomic_add_ret(i, v)
4486 -+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
4487 -+{
4488 -+ return atomic_add_ret_unchecked(i, v);
4489 -+}
4490 - #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
4491 -+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
4492 -+{
4493 -+ return atomic64_add_ret_unchecked(i, v);
4494 -+}
4495 -
4496 - /*
4497 - * atomic_inc_and_test - increment and test
4498 -@@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
4499 - * other cases.
4500 - */
4501 - #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
4502 -+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
4503 -+{
4504 -+ return atomic_inc_return_unchecked(v) == 0;
4505 -+}
4506 - #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
4507 -
4508 - #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
4509 -@@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
4510 - #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
4511 -
4512 - #define atomic_inc(v) atomic_add(1, v)
4513 -+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
4514 -+{
4515 -+ atomic_add_unchecked(1, v);
4516 -+}
4517 - #define atomic64_inc(v) atomic64_add(1, v)
4518 -+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
4519 -+{
4520 -+ atomic64_add_unchecked(1, v);
4521 -+}
4522 -
4523 - #define atomic_dec(v) atomic_sub(1, v)
4524 -+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
4525 -+{
4526 -+ atomic_sub_unchecked(1, v);
4527 -+}
4528 - #define atomic64_dec(v) atomic64_sub(1, v)
4529 -+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
4530 -+{
4531 -+ atomic64_sub_unchecked(1, v);
4532 -+}
4533 -
4534 - #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
4535 - #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
4536 -
4537 - #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
4538 -+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
4539 -+{
4540 -+ return cmpxchg(&v->counter, old, new);
4541 -+}
4542 - #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
4543 -+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
4544 -+{
4545 -+ return xchg(&v->counter, new);
4546 -+}
4547 -
4548 - static inline int atomic_add_unless(atomic_t *v, int a, int u)
4549 - {
4550 -- int c, old;
4551 -+ int c, old, new;
4552 - c = atomic_read(v);
4553 - for (;;) {
4554 -- if (unlikely(c == (u)))
4555 -+ if (unlikely(c == u))
4556 - break;
4557 -- old = atomic_cmpxchg((v), c, c + (a));
4558 -+
4559 -+ asm volatile("addcc %2, %0, %0\n"
4560 -+
4561 -+#ifdef CONFIG_PAX_REFCOUNT
4562 -+ "tvs %%icc, 6\n"
4563 -+#endif
4564 -+
4565 -+ : "=r" (new)
4566 -+ : "0" (c), "ir" (a)
4567 -+ : "cc");
4568 -+
4569 -+ old = atomic_cmpxchg(v, c, new);
4570 - if (likely(old == c))
4571 - break;
4572 - c = old;
4573 - }
4574 -- return c != (u);
4575 -+ return c != u;
4576 - }
4577 -
4578 - #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
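Review bot: in atomic_add_unless the C expression 'c + (a)' is replaced by an asm volatile 'addcc' unconditionally, and only the 'tvs %%icc, 6' line is under CONFIG_PAX_REFCOUNT. Kernels built without that option therefore still pay for an opaque volatile asm with a "cc" clobber in place of an add the compiler could optimise. Please put the whole asm under the #ifdef with 'new = c + a' as the #else, and give the trap number 6 a named constant or a comment.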
4579 -@@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
4580 - #define atomic64_cmpxchg(v, o, n) \
4581 - ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
4582 - #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
4583 -+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
4584 -+{
4585 -+ return xchg(&v->counter, new);
4586 -+}
4587 -
4588 - static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
4589 - {
4590 -- long c, old;
4591 -+ long c, old, new;
4592 - c = atomic64_read(v);
4593 - for (;;) {
4594 -- if (unlikely(c == (u)))
4595 -+ if (unlikely(c == u))
4596 - break;
4597 -- old = atomic64_cmpxchg((v), c, c + (a));
4598 -+
4599 -+ asm volatile("addcc %2, %0, %0\n"
4600 -+
4601 -+#ifdef CONFIG_PAX_REFCOUNT
4602 -+ "tvs %%xcc, 6\n"
4603 -+#endif
4604 -+
4605 -+ : "=r" (new)
4606 -+ : "0" (c), "ir" (a)
4607 -+ : "cc");
4608 -+
4609 -+ old = atomic64_cmpxchg(v, c, new);
4610 - if (likely(old == c))
4611 - break;
4612 - c = old;
4613 - }
4614 -- return c != (u);
4615 -+ return c != u;
4616 - }
4617 -
4618 - #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
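Review bot: atomic64_xchg_unchecked is added here, but there is no atomic64_cmpxchg_unchecked next to the atomic64_cmpxchg macro, whereas the 32-bit side received both atomic_cmpxchg_unchecked and atomic_xchg_unchecked in the previous hunk. Please add the missing variant or note why it is not needed.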
4619 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/cache.h linux-2.6.32.46/arch/sparc/include/asm/cache.h
4620 ---- linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
4621 -+++ linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
4622 -@@ -8,7 +8,7 @@
4623 - #define _SPARC_CACHE_H
4624 -
4625 - #define L1_CACHE_SHIFT 5
4626 --#define L1_CACHE_BYTES 32
4627 -+#define L1_CACHE_BYTES 32UL
4628 - #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
4629 -
4630 - #ifdef CONFIG_SPARC32
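Review bot: changing L1_CACHE_BYTES to '32UL' also changes the type produced by L1_CACHE_ALIGN(x) and puts a C-only suffix into a header constant. If this header is reachable from assembly sources the UL suffix will not assemble; the usual kernel idiom for that is _AC(32,UL) from linux/const.h. The reason for widening the constant should be stated in the patch description.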
4631 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h
4632 ---- linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
4633 -+++ linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
4634 -@@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
4635 - #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
4636 - #define dma_is_consistent(d, h) (1)
4637 -
4638 --extern struct dma_map_ops *dma_ops, pci32_dma_ops;
4639 -+extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
4640 - extern struct bus_type pci_bus_type;
4641 -
4642 --static inline struct dma_map_ops *get_dma_ops(struct device *dev)
4643 -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
4644 - {
4645 - #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
4646 - if (dev->bus == &pci_bus_type)
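Review bot: `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;` now applies one `const` to two different kinds of declarator, a pointer to const ops and a const ops object, which is easy to misread. Splitting it into two extern declarations would make it obvious that both the pointee of dma_ops and the pci32_dma_ops object itself are meant to be read-only.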
4647 -@@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
4648 - static inline void *dma_alloc_coherent(struct device *dev, size_t size,
4649 - dma_addr_t *dma_handle, gfp_t flag)
4650 - {
4651 -- struct dma_map_ops *ops = get_dma_ops(dev);
4652 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
4653 - void *cpu_addr;
4654 -
4655 - cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
4656 -@@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
4657 - static inline void dma_free_coherent(struct device *dev, size_t size,
4658 - void *cpu_addr, dma_addr_t dma_handle)
4659 - {
4660 -- struct dma_map_ops *ops = get_dma_ops(dev);
4661 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
4662 -
4663 - debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
4664 - ops->free_coherent(dev, size, cpu_addr, dma_handle);
4665 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_32.h linux-2.6.32.46/arch/sparc/include/asm/elf_32.h
4666 ---- linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-03-27 14:31:47.000000000 -0400
4667 -+++ linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-04-17 15:56:46.000000000 -0400
4668 -@@ -116,6 +116,13 @@ typedef struct {
4669 -
4670 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
4671 -
4672 -+#ifdef CONFIG_PAX_ASLR
4673 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
4674 -+
4675 -+#define PAX_DELTA_MMAP_LEN 16
4676 -+#define PAX_DELTA_STACK_LEN 16
4677 -+#endif
4678 -+
4679 - /* This yields a mask that user programs can use to figure out what
4680 - instruction set this cpu supports. This can NOT be done in userspace
4681 - on Sparc. */
4682 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_64.h linux-2.6.32.46/arch/sparc/include/asm/elf_64.h
4683 ---- linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-03-27 14:31:47.000000000 -0400
4684 -+++ linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-04-17 15:56:46.000000000 -0400
4685 -@@ -163,6 +163,12 @@ typedef struct {
4686 - #define ELF_ET_DYN_BASE 0x0000010000000000UL
4687 - #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
4688 -
4689 -+#ifdef CONFIG_PAX_ASLR
4690 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
4691 -+
4692 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
4693 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
4694 -+#endif
4695 -
4696 - /* This yields a mask that user programs can use to figure out what
4697 - instruction set this cpu supports. */
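Review bot: the PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN values (14/28 and 15/29) are added with no comment on their unit or on why the TIF_32BIT case uses 14 and 15 here while elf_32.h uses 16 for both. A one-line comment stating what the numbers count and how they were chosen would let a reviewer check them. Note also that each macro calls test_thread_flag() on every expansion, so callers should read them once.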
4698 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h
4699 ---- linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
4700 -+++ linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
4701 -@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
4702 - BTFIXUPDEF_INT(page_none)
4703 - BTFIXUPDEF_INT(page_copy)
4704 - BTFIXUPDEF_INT(page_readonly)
4705 -+
4706 -+#ifdef CONFIG_PAX_PAGEEXEC
4707 -+BTFIXUPDEF_INT(page_shared_noexec)
4708 -+BTFIXUPDEF_INT(page_copy_noexec)
4709 -+BTFIXUPDEF_INT(page_readonly_noexec)
4710 -+#endif
4711 -+
4712 - BTFIXUPDEF_INT(page_kernel)
4713 -
4714 - #define PMD_SHIFT SUN4C_PMD_SHIFT
4715 -@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
4716 - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
4717 - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
4718 -
4719 -+#ifdef CONFIG_PAX_PAGEEXEC
4720 -+extern pgprot_t PAGE_SHARED_NOEXEC;
4721 -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
4722 -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
4723 -+#else
4724 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
4725 -+# define PAGE_COPY_NOEXEC PAGE_COPY
4726 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
4727 -+#endif
4728 -+
4729 - extern unsigned long page_kernel;
4730 -
4731 - #ifdef MODULE
4732 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h
4733 ---- linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-03-27 14:31:47.000000000 -0400
4734 -+++ linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:56:46.000000000 -0400
4735 -@@ -115,6 +115,13 @@
4736 - SRMMU_EXEC | SRMMU_REF)
4737 - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4738 - SRMMU_EXEC | SRMMU_REF)
4739 -+
4740 -+#ifdef CONFIG_PAX_PAGEEXEC
4741 -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4742 -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4743 -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4744 -+#endif
4745 -+
4746 - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4747 - SRMMU_DIRTY | SRMMU_REF)
4748 -
4749 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h
4750 ---- linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-03-27 14:31:47.000000000 -0400
4751 -+++ linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-08-18 23:19:30.000000000 -0400
4752 -@@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
4753 -
4754 - /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
4755 -
4756 --static void inline arch_read_lock(raw_rwlock_t *lock)
4757 -+static inline void arch_read_lock(raw_rwlock_t *lock)
4758 - {
4759 - unsigned long tmp1, tmp2;
4760 -
4761 - __asm__ __volatile__ (
4762 - "1: ldsw [%2], %0\n"
4763 - " brlz,pn %0, 2f\n"
4764 --"4: add %0, 1, %1\n"
4765 -+"4: addcc %0, 1, %1\n"
4766 -+
4767 -+#ifdef CONFIG_PAX_REFCOUNT
4768 -+" tvs %%icc, 6\n"
4769 -+#endif
4770 -+
4771 - " cas [%2], %0, %1\n"
4772 - " cmp %0, %1\n"
4773 - " bne,pn %%icc, 1b\n"
4774 -@@ -112,10 +117,10 @@ static void inline arch_read_lock(raw_rw
4775 - " .previous"
4776 - : "=&r" (tmp1), "=&r" (tmp2)
4777 - : "r" (lock)
4778 -- : "memory");
4779 -+ : "memory", "cc");
4780 - }
4781 -
4782 --static int inline arch_read_trylock(raw_rwlock_t *lock)
4783 -+static inline int arch_read_trylock(raw_rwlock_t *lock)
4784 - {
4785 - int tmp1, tmp2;
4786 -
4787 -@@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
4788 - "1: ldsw [%2], %0\n"
4789 - " brlz,a,pn %0, 2f\n"
4790 - " mov 0, %0\n"
4791 --" add %0, 1, %1\n"
4792 -+" addcc %0, 1, %1\n"
4793 -+
4794 -+#ifdef CONFIG_PAX_REFCOUNT
4795 -+" tvs %%icc, 6\n"
4796 -+#endif
4797 -+
4798 - " cas [%2], %0, %1\n"
4799 - " cmp %0, %1\n"
4800 - " bne,pn %%icc, 1b\n"
4801 -@@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4802 - return tmp1;
4803 - }
4804 -
4805 --static void inline arch_read_unlock(raw_rwlock_t *lock)
4806 -+static inline void arch_read_unlock(raw_rwlock_t *lock)
4807 - {
4808 - unsigned long tmp1, tmp2;
4809 -
4810 - __asm__ __volatile__(
4811 - "1: lduw [%2], %0\n"
4812 --" sub %0, 1, %1\n"
4813 -+" subcc %0, 1, %1\n"
4814 -+
4815 -+#ifdef CONFIG_PAX_REFCOUNT
4816 -+" tvs %%icc, 6\n"
4817 -+#endif
4818 -+
4819 - " cas [%2], %0, %1\n"
4820 - " cmp %0, %1\n"
4821 - " bne,pn %%xcc, 1b\n"
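Review bot: the `subcc` added to arch_read_unlock writes the condition codes, but the function's clobber list is left as `: "memory");` (it appears unchanged as context in the next hunk), and no hunk touches the clobber list of arch_read_trylock after its `addcc` either. arch_read_lock did get `"cc"` added, so the three functions are now inconsistent. Please add `"cc"` to the other two as well, or explain why only arch_read_lock needs it.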
4822 -@@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4823 - : "memory");
4824 - }
4825 -
4826 --static void inline arch_write_lock(raw_rwlock_t *lock)
4827 -+static inline void arch_write_lock(raw_rwlock_t *lock)
4828 - {
4829 - unsigned long mask, tmp1, tmp2;
4830 -
4831 -@@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4832 - : "memory");
4833 - }
4834 -
4835 --static void inline arch_write_unlock(raw_rwlock_t *lock)
4836 -+static inline void arch_write_unlock(raw_rwlock_t *lock)
4837 - {
4838 - __asm__ __volatile__(
4839 - " stw %%g0, [%0]"
4840 -@@ -186,7 +201,7 @@ static void inline arch_write_unlock(raw
4841 - : "memory");
4842 - }
4843 -
4844 --static int inline arch_write_trylock(raw_rwlock_t *lock)
4845 -+static inline int arch_write_trylock(raw_rwlock_t *lock)
4846 - {
4847 - unsigned long mask, tmp1, tmp2, result;
4848 -
4849 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h
4850 ---- linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-03-27 14:31:47.000000000 -0400
4851 -+++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-06-04 20:46:01.000000000 -0400
4852 -@@ -50,6 +50,8 @@ struct thread_info {
4853 - unsigned long w_saved;
4854 -
4855 - struct restart_block restart_block;
4856 -+
4857 -+ unsigned long lowest_stack;
4858 - };
4859 -
4860 - /*
4861 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h
4862 ---- linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-03-27 14:31:47.000000000 -0400
4863 -+++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-06-04 20:46:21.000000000 -0400
4864 -@@ -68,6 +68,8 @@ struct thread_info {
4865 - struct pt_regs *kern_una_regs;
4866 - unsigned int kern_una_insn;
4867 -
4868 -+ unsigned long lowest_stack;
4869 -+
4870 - unsigned long fpregs[0] __attribute__ ((aligned(64)));
4871 - };
4872 -
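Review bot: `lowest_stack` is added to struct thread_info here and in thread_info_32.h without a comment saying what it records or who updates it. In this file it is also inserted directly ahead of the 64-byte-aligned `fpregs[0]` member, so if the layout of this struct is mirrored by hand-maintained offsets anywhere, those need the matching update, and nothing in this hunk shows one.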
4873 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess.h linux-2.6.32.46/arch/sparc/include/asm/uaccess.h
4874 ---- linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
4875 -+++ linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-04-17 15:56:46.000000000 -0400
4876 -@@ -1,5 +1,13 @@
4877 - #ifndef ___ASM_SPARC_UACCESS_H
4878 - #define ___ASM_SPARC_UACCESS_H
4879 -+
4880 -+#ifdef __KERNEL__
4881 -+#ifndef __ASSEMBLY__
4882 -+#include <linux/types.h>
4883 -+extern void check_object_size(const void *ptr, unsigned long n, bool to);
4884 -+#endif
4885 -+#endif
4886 -+
4887 - #if defined(__sparc__) && defined(__arch64__)
4888 - #include <asm/uaccess_64.h>
4889 - #else
4890 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h
4891 ---- linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
4892 -+++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:56:46.000000000 -0400
4893 -@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4894 -
4895 - static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4896 - {
4897 -- if (n && __access_ok((unsigned long) to, n))
4898 -+ if ((long)n < 0)
4899 -+ return n;
4900 -+
4901 -+ if (n && __access_ok((unsigned long) to, n)) {
4902 -+ if (!__builtin_constant_p(n))
4903 -+ check_object_size(from, n, true);
4904 - return __copy_user(to, (__force void __user *) from, n);
4905 -- else
4906 -+ } else
4907 - return n;
4908 - }
4909 -
4910 - static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4911 - {
4912 -+ if ((long)n < 0)
4913 -+ return n;
4914 -+
4915 -+ if (!__builtin_constant_p(n))
4916 -+ check_object_size(from, n, true);
4917 -+
4918 - return __copy_user(to, (__force void __user *) from, n);
4919 - }
4920 -
4921 - static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4922 - {
4923 -- if (n && __access_ok((unsigned long) from, n))
4924 -+ if ((long)n < 0)
4925 -+ return n;
4926 -+
4927 -+ if (n && __access_ok((unsigned long) from, n)) {
4928 -+ if (!__builtin_constant_p(n))
4929 -+ check_object_size(to, n, false);
4930 - return __copy_user((__force void __user *) to, from, n);
4931 -- else
4932 -+ } else
4933 - return n;
4934 - }
4935 -
4936 - static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4937 - {
4938 -+ if ((long)n < 0)
4939 -+ return n;
4940 -+
4941 - return __copy_user((__force void __user *) to, from, n);
4942 - }
4943 -
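Review bot: __copy_from_user, the last function in this hunk, gets the `(long)n < 0` guard but no check_object_size() call, while copy_to_user, __copy_to_user and copy_from_user all get one. If the omission is deliberate, a comment should say why; otherwise add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the __copy_user() call so the four helpers behave the same.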
4944 -diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h
4945 ---- linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
4946 -+++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:56:46.000000000 -0400
4947 -@@ -9,6 +9,7 @@
4948 - #include <linux/compiler.h>
4949 - #include <linux/string.h>
4950 - #include <linux/thread_info.h>
4951 -+#include <linux/kernel.h>
4952 - #include <asm/asi.h>
4953 - #include <asm/system.h>
4954 - #include <asm/spitfire.h>
4955 -@@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
4956 - static inline unsigned long __must_check
4957 - copy_from_user(void *to, const void __user *from, unsigned long size)
4958 - {
4959 -- unsigned long ret = ___copy_from_user(to, from, size);
4960 -+ unsigned long ret;
4961 -
4962 -+ if ((long)size < 0 || size > INT_MAX)
4963 -+ return size;
4964 -+
4965 -+ if (!__builtin_constant_p(size))
4966 -+ check_object_size(to, size, false);
4967 -+
4968 -+ ret = ___copy_from_user(to, from, size);
4969 - if (unlikely(ret))
4970 - ret = copy_from_user_fixup(to, from, size);
4971 - return ret;
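Review bot: in copy_from_user the first half of `(long)size < 0 || size > INT_MAX` is redundant. size is an unsigned long, so any value that is negative when cast to long is already greater than INT_MAX; `size > INT_MAX` alone covers both cases, here and in copy_to_user in the next hunk. A comment on why the 64-bit limit is INT_MAX while uaccess_32.h only rejects negative lengths would also help.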
4972 -@@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
4973 - static inline unsigned long __must_check
4974 - copy_to_user(void __user *to, const void *from, unsigned long size)
4975 - {
4976 -- unsigned long ret = ___copy_to_user(to, from, size);
4977 -+ unsigned long ret;
4978 -+
4979 -+ if ((long)size < 0 || size > INT_MAX)
4980 -+ return size;
4981 -+
4982 -+ if (!__builtin_constant_p(size))
4983 -+ check_object_size(from, size, true);
4984 -
4985 -+ ret = ___copy_to_user(to, from, size);
4986 - if (unlikely(ret))
4987 - ret = copy_to_user_fixup(to, from, size);
4988 - return ret;
4989 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/Makefile linux-2.6.32.46/arch/sparc/kernel/Makefile
4990 ---- linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-03-27 14:31:47.000000000 -0400
4991 -+++ linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-04-17 15:56:46.000000000 -0400
4992 -@@ -3,7 +3,7 @@
4993 - #
4994 -
4995 - asflags-y := -ansi
4996 --ccflags-y := -Werror
4997 -+#ccflags-y := -Werror
4998 -
4999 - extra-y := head_$(BITS).o
5000 - extra-y += init_task.o
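Review bot: `-Werror` is disabled for all of arch/sparc/kernel by commenting the line out, with no note on which warning made this necessary. Leaving `#ccflags-y := -Werror` behind invites someone to re-enable it blindly. Either fix or silence the specific warning the patch introduces, or replace the dead line with a comment naming the reason.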
5001 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/iommu.c linux-2.6.32.46/arch/sparc/kernel/iommu.c
5002 ---- linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-03-27 14:31:47.000000000 -0400
5003 -+++ linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-04-17 15:56:46.000000000 -0400
5004 -@@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5005 - spin_unlock_irqrestore(&iommu->lock, flags);
5006 - }
5007 -
5008 --static struct dma_map_ops sun4u_dma_ops = {
5009 -+static const struct dma_map_ops sun4u_dma_ops = {
5010 - .alloc_coherent = dma_4u_alloc_coherent,
5011 - .free_coherent = dma_4u_free_coherent,
5012 - .map_page = dma_4u_map_page,
5013 -@@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
5014 - .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5015 - };
5016 -
5017 --struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5018 -+const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5019 - EXPORT_SYMBOL(dma_ops);
5020 -
5021 - extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
5022 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/ioport.c linux-2.6.32.46/arch/sparc/kernel/ioport.c
5023 ---- linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
5024 -+++ linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
5025 -@@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
5026 - BUG();
5027 - }
5028 -
5029 --struct dma_map_ops sbus_dma_ops = {
5030 -+const struct dma_map_ops sbus_dma_ops = {
5031 - .alloc_coherent = sbus_alloc_coherent,
5032 - .free_coherent = sbus_free_coherent,
5033 - .map_page = sbus_map_page,
5034 -@@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
5035 - .sync_sg_for_device = sbus_sync_sg_for_device,
5036 - };
5037 -
5038 --struct dma_map_ops *dma_ops = &sbus_dma_ops;
5039 -+const struct dma_map_ops *dma_ops = &sbus_dma_ops;
5040 - EXPORT_SYMBOL(dma_ops);
5041 -
5042 - static int __init sparc_register_ioport(void)
5043 -@@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
5044 - }
5045 - }
5046 -
5047 --struct dma_map_ops pci32_dma_ops = {
5048 -+const struct dma_map_ops pci32_dma_ops = {
5049 - .alloc_coherent = pci32_alloc_coherent,
5050 - .free_coherent = pci32_free_coherent,
5051 - .map_page = pci32_map_page,
5052 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c
5053 ---- linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-03-27 14:31:47.000000000 -0400
5054 -+++ linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:56:46.000000000 -0400
5055 -@@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
5056 - {
5057 - }
5058 -
5059 --struct kgdb_arch arch_kgdb_ops = {
5060 -+const struct kgdb_arch arch_kgdb_ops = {
5061 - /* Breakpoint instruction: ta 0x7d */
5062 - .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5063 - };
5064 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c
5065 ---- linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-03-27 14:31:47.000000000 -0400
5066 -+++ linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:56:46.000000000 -0400
5067 -@@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
5068 - {
5069 - }
5070 -
5071 --struct kgdb_arch arch_kgdb_ops = {
5072 -+const struct kgdb_arch arch_kgdb_ops = {
5073 - /* Breakpoint instruction: ta 0x72 */
5074 - .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5075 - };
5076 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c
5077 ---- linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-03-27 14:31:47.000000000 -0400
5078 -+++ linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-04-17 15:56:46.000000000 -0400
5079 -@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
5080 - spin_unlock_irqrestore(&iommu->lock, flags);
5081 - }
5082 -
5083 --static struct dma_map_ops sun4v_dma_ops = {
5084 -+static const struct dma_map_ops sun4v_dma_ops = {
5085 - .alloc_coherent = dma_4v_alloc_coherent,
5086 - .free_coherent = dma_4v_free_coherent,
5087 - .map_page = dma_4v_map_page,
5088 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_32.c linux-2.6.32.46/arch/sparc/kernel/process_32.c
5089 ---- linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-03-27 14:31:47.000000000 -0400
5090 -+++ linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-04-17 15:56:46.000000000 -0400
5091 -@@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
5092 - rw->ins[4], rw->ins[5],
5093 - rw->ins[6],
5094 - rw->ins[7]);
5095 -- printk("%pS\n", (void *) rw->ins[7]);
5096 -+ printk("%pA\n", (void *) rw->ins[7]);
5097 - rw = (struct reg_window32 *) rw->ins[6];
5098 - }
5099 - spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
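Review bot: `%pA` replaces `%pS` in __show_backtrace (and in every other printk touched in this file and in process_64.c and the trap handlers), but nothing here says what the new specifier prints or how it differs from `%pS`. Since it is not visible in these files, please point to where the format extension is defined and document the difference there, so that anyone reading a backtrace knows what output to expect.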
5100 -@@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
5101 -
5102 - printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
5103 - r->psr, r->pc, r->npc, r->y, print_tainted());
5104 -- printk("PC: <%pS>\n", (void *) r->pc);
5105 -+ printk("PC: <%pA>\n", (void *) r->pc);
5106 - printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5107 - r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
5108 - r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
5109 - printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5110 - r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
5111 - r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
5112 -- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
5113 -+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
5114 -
5115 - printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
5116 - rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
5117 -@@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
5118 - rw = (struct reg_window32 *) fp;
5119 - pc = rw->ins[7];
5120 - printk("[%08lx : ", pc);
5121 -- printk("%pS ] ", (void *) pc);
5122 -+ printk("%pA ] ", (void *) pc);
5123 - fp = rw->ins[6];
5124 - } while (++count < 16);
5125 - printk("\n");
5126 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_64.c linux-2.6.32.46/arch/sparc/kernel/process_64.c
5127 ---- linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-03-27 14:31:47.000000000 -0400
5128 -+++ linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-04-17 15:56:46.000000000 -0400
5129 -@@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
5130 - printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
5131 - rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
5132 - if (regs->tstate & TSTATE_PRIV)
5133 -- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
5134 -+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
5135 - }
5136 -
5137 - void show_regs(struct pt_regs *regs)
5138 - {
5139 - printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
5140 - regs->tpc, regs->tnpc, regs->y, print_tainted());
5141 -- printk("TPC: <%pS>\n", (void *) regs->tpc);
5142 -+ printk("TPC: <%pA>\n", (void *) regs->tpc);
5143 - printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
5144 - regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
5145 - regs->u_regs[3]);
5146 -@@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
5147 - printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
5148 - regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
5149 - regs->u_regs[15]);
5150 -- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
5151 -+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
5152 - show_regwindow(regs);
5153 - }
5154 -
5155 -@@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
5156 - ((tp && tp->task) ? tp->task->pid : -1));
5157 -
5158 - if (gp->tstate & TSTATE_PRIV) {
5159 -- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
5160 -+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
5161 - (void *) gp->tpc,
5162 - (void *) gp->o7,
5163 - (void *) gp->i7,
5164 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c
5165 ---- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-03-27 14:31:47.000000000 -0400
5166 -+++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:56:46.000000000 -0400
5167 -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
5168 - if (ARCH_SUN4C && len > 0x20000000)
5169 - return -ENOMEM;
5170 - if (!addr)
5171 -- addr = TASK_UNMAPPED_BASE;
5172 -+ addr = current->mm->mmap_base;
5173 -
5174 - if (flags & MAP_SHARED)
5175 - addr = COLOUR_ALIGN(addr);
5176 -@@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
5177 - }
5178 - if (TASK_SIZE - PAGE_SIZE - len < addr)
5179 - return -ENOMEM;
5180 -- if (!vmm || addr + len <= vmm->vm_start)
5181 -+ if (check_heap_stack_gap(vmm, addr, len))
5182 - return addr;
5183 - addr = vmm->vm_end;
5184 - if (flags & MAP_SHARED)
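Review bot: replacing `!vmm || addr + len <= vmm->vm_start` with `check_heap_stack_gap(vmm, addr, len)` relies on the helper returning true for a NULL vmm, because the very next statement dereferences it (`addr = vmm->vm_end;`). The helper is not visible in this hunk, so please state that NULL contract in its documentation, or keep the explicit `!vmm` test at the call site.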
5185 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c
5186 ---- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-03-27 14:31:47.000000000 -0400
5187 -+++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:56:46.000000000 -0400
5188 -@@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
5189 - /* We do not accept a shared mapping if it would violate
5190 - * cache aliasing constraints.
5191 - */
5192 -- if ((flags & MAP_SHARED) &&
5193 -+ if ((filp || (flags & MAP_SHARED)) &&
5194 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
5195 - return -EINVAL;
5196 - return addr;
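Review bot: the condition now rejects any file-backed fixed mapping that breaks SHMLBA alignment (`filp || (flags & MAP_SHARED)`), but the comment directly above still reads "We do not accept a shared mapping if it would violate cache aliasing constraints". Please update the comment to match, and note that private file mappings which previously succeeded will now get -EINVAL. The same applies to the identical change in arch_get_unmapped_area_topdown.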
5197 -@@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
5198 - if (filp || (flags & MAP_SHARED))
5199 - do_color_align = 1;
5200 -
5201 -+#ifdef CONFIG_PAX_RANDMMAP
5202 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
5203 -+#endif
5204 -+
5205 - if (addr) {
5206 - if (do_color_align)
5207 - addr = COLOUR_ALIGN(addr, pgoff);
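Review bot: the added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and no body of its own. When CONFIG_PAX_RANDMMAP is set it silently takes the following `if (addr) { ... }` block as its body, across a blank line; when the option is off it vanishes. That is fragile: any statement later inserted between the two lines changes the control flow only in one configuration. Fold the test into the existing condition, for example through a local flag that is constant when the option is off.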
5208 -@@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
5209 - addr = PAGE_ALIGN(addr);
5210 -
5211 - vma = find_vma(mm, addr);
5212 -- if (task_size - len >= addr &&
5213 -- (!vma || addr + len <= vma->vm_start))
5214 -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5215 - return addr;
5216 - }
5217 -
5218 - if (len > mm->cached_hole_size) {
5219 -- start_addr = addr = mm->free_area_cache;
5220 -+ start_addr = addr = mm->free_area_cache;
5221 - } else {
5222 -- start_addr = addr = TASK_UNMAPPED_BASE;
5223 -+ start_addr = addr = mm->mmap_base;
5224 - mm->cached_hole_size = 0;
5225 - }
5226 -
5227 -@@ -175,14 +178,14 @@ full_search:
5228 - vma = find_vma(mm, VA_EXCLUDE_END);
5229 - }
5230 - if (unlikely(task_size < addr)) {
5231 -- if (start_addr != TASK_UNMAPPED_BASE) {
5232 -- start_addr = addr = TASK_UNMAPPED_BASE;
5233 -+ if (start_addr != mm->mmap_base) {
5234 -+ start_addr = addr = mm->mmap_base;
5235 - mm->cached_hole_size = 0;
5236 - goto full_search;
5237 - }
5238 - return -ENOMEM;
5239 - }
5240 -- if (likely(!vma || addr + len <= vma->vm_start)) {
5241 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5242 - /*
5243 - * Remember the place where we stopped the search:
5244 - */
5245 -@@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
5246 - /* We do not accept a shared mapping if it would violate
5247 - * cache aliasing constraints.
5248 - */
5249 -- if ((flags & MAP_SHARED) &&
5250 -+ if ((filp || (flags & MAP_SHARED)) &&
5251 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
5252 - return -EINVAL;
5253 - return addr;
5254 -@@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
5255 - addr = PAGE_ALIGN(addr);
5256 -
5257 - vma = find_vma(mm, addr);
5258 -- if (task_size - len >= addr &&
5259 -- (!vma || addr + len <= vma->vm_start))
5260 -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5261 - return addr;
5262 - }
5263 -
5264 -@@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
5265 - /* make sure it can fit in the remaining address space */
5266 - if (likely(addr > len)) {
5267 - vma = find_vma(mm, addr-len);
5268 -- if (!vma || addr <= vma->vm_start) {
5269 -+ if (check_heap_stack_gap(vma, addr - len, len)) {
5270 - /* remember the address as a hint for next time */
5271 - return (mm->free_area_cache = addr-len);
5272 - }
5273 -@@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
5274 - if (unlikely(mm->mmap_base < len))
5275 - goto bottomup;
5276 -
5277 -- addr = mm->mmap_base-len;
5278 -- if (do_color_align)
5279 -- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5280 -+ addr = mm->mmap_base - len;
5281 -
5282 - do {
5283 -+ if (do_color_align)
5284 -+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5285 - /*
5286 - * Lookup failure means no vma is above this address,
5287 - * else if new region fits below vma->vm_start,
5288 - * return with success:
5289 - */
5290 - vma = find_vma(mm, addr);
5291 -- if (likely(!vma || addr+len <= vma->vm_start)) {
5292 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5293 - /* remember the address as a hint for next time */
5294 - return (mm->free_area_cache = addr);
5295 - }
5296 -@@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
5297 - mm->cached_hole_size = vma->vm_start - addr;
5298 -
5299 - /* try just below the current vma->vm_start */
5300 -- addr = vma->vm_start-len;
5301 -- if (do_color_align)
5302 -- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5303 -- } while (likely(len < vma->vm_start));
5304 -+ addr = skip_heap_stack_gap(vma, len);
5305 -+ } while (!IS_ERR_VALUE(addr));
5306 -
5307 - bottomup:
5308 - /*
5309 -@@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
5310 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
5311 - sysctl_legacy_va_layout) {
5312 - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
5313 -+
5314 -+#ifdef CONFIG_PAX_RANDMMAP
5315 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
5316 -+ mm->mmap_base += mm->delta_mmap;
5317 -+#endif
5318 -+
5319 - mm->get_unmapped_area = arch_get_unmapped_area;
5320 - mm->unmap_area = arch_unmap_area;
5321 - } else {
5322 -@@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
5323 - gap = (task_size / 6 * 5);
5324 -
5325 - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
5326 -+
5327 -+#ifdef CONFIG_PAX_RANDMMAP
5328 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
5329 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5330 -+#endif
5331 -+
5332 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5333 - mm->unmap_area = arch_unmap_area_topdown;
5334 - }
5335 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_32.c linux-2.6.32.46/arch/sparc/kernel/traps_32.c
5336 ---- linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
5337 -+++ linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
5338 -@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
5339 - #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
5340 - #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
5341 -
5342 -+extern void gr_handle_kernel_exploit(void);
5343 -+
5344 - void die_if_kernel(char *str, struct pt_regs *regs)
5345 - {
5346 - static int die_counter;
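Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps_32.c rather than pulled in from a header. A local extern is never checked against the real definition, so a later signature change would compile cleanly here and break at run time. Please move the prototype to a shared header and include it.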
5347 -@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
5348 - count++ < 30 &&
5349 - (((unsigned long) rw) >= PAGE_OFFSET) &&
5350 - !(((unsigned long) rw) & 0x7)) {
5351 -- printk("Caller[%08lx]: %pS\n", rw->ins[7],
5352 -+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
5353 - (void *) rw->ins[7]);
5354 - rw = (struct reg_window32 *)rw->ins[6];
5355 - }
5356 - }
5357 - printk("Instruction DUMP:");
5358 - instruction_dump ((unsigned long *) regs->pc);
5359 -- if(regs->psr & PSR_PS)
5360 -+ if(regs->psr & PSR_PS) {
5361 -+ gr_handle_kernel_exploit();
5362 - do_exit(SIGKILL);
5363 -+ }
5364 - do_exit(SIGSEGV);
5365 - }
5366 -
5367 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_64.c linux-2.6.32.46/arch/sparc/kernel/traps_64.c
5368 ---- linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
5369 -+++ linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
5370 -@@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
5371 - i + 1,
5372 - p->trapstack[i].tstate, p->trapstack[i].tpc,
5373 - p->trapstack[i].tnpc, p->trapstack[i].tt);
5374 -- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
5375 -+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
5376 - }
5377 - }
5378 -
5379 -@@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
5380 -
5381 - lvl -= 0x100;
5382 - if (regs->tstate & TSTATE_PRIV) {
5383 -+
5384 -+#ifdef CONFIG_PAX_REFCOUNT
5385 -+ if (lvl == 6)
5386 -+ pax_report_refcount_overflow(regs);
5387 -+#endif
5388 -+
5389 - sprintf(buffer, "Kernel bad sw trap %lx", lvl);
5390 - die_if_kernel(buffer, regs);
5391 - }
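Review bot: `lvl == 6` in bad_trap hard-codes the same literal that the `tvs %%xcc, 6` and `tvs %%icc, 6` instructions added earlier in this patch use, with nothing tying the two together. Please introduce a named constant for the refcount overflow trap number and use it on both sides. It is also worth a comment on whether execution is expected to fall through to die_if_kernel() after pax_report_refcount_overflow() returns.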
5392 -@@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
5393 - void bad_trap_tl1(struct pt_regs *regs, long lvl)
5394 - {
5395 - char buffer[32];
5396 --
5397 -+
5398 - if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
5399 - 0, lvl, SIGTRAP) == NOTIFY_STOP)
5400 - return;
5401 -
5402 -+#ifdef CONFIG_PAX_REFCOUNT
5403 -+ if (lvl == 6)
5404 -+ pax_report_refcount_overflow(regs);
5405 -+#endif
5406 -+
5407 - dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
5408 -
5409 - sprintf (buffer, "Bad trap %lx at tl>0", lvl);
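Review bot: in bad_trap_tl1 the pax_report_refcount_overflow() call is reached only when notify_die() does not return NOTIFY_STOP, and it is not guarded by a TSTATE_PRIV test, whereas the bad_trap hunk above places the same call inside `if (regs->tstate & TSTATE_PRIV)`. If both differences are intentional, a short comment here saying why would save the next reader from having to work it out.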
5410 -@@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
5411 - regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
5412 - printk("%s" "ERROR(%d): ",
5413 - (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
5414 -- printk("TPC<%pS>\n", (void *) regs->tpc);
5415 -+ printk("TPC<%pA>\n", (void *) regs->tpc);
5416 - printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
5417 - (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
5418 - (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
5419 -@@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
5420 - smp_processor_id(),
5421 - (type & 0x1) ? 'I' : 'D',
5422 - regs->tpc);
5423 -- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
5424 -+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
5425 - panic("Irrecoverable Cheetah+ parity error.");
5426 - }
5427 -
5428 -@@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
5429 - smp_processor_id(),
5430 - (type & 0x1) ? 'I' : 'D',
5431 - regs->tpc);
5432 -- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
5433 -+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
5434 - }
5435 -
5436 - struct sun4v_error_entry {
5437 -@@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
5438 -
5439 - printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
5440 - regs->tpc, tl);
5441 -- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
5442 -+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
5443 - printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
5444 -- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
5445 -+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
5446 - (void *) regs->u_regs[UREG_I7]);
5447 - printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
5448 - "pte[%lx] error[%lx]\n",
5449 -@@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
5450 -
5451 - printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
5452 - regs->tpc, tl);
5453 -- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
5454 -+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
5455 - printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
5456 -- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
5457 -+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
5458 - (void *) regs->u_regs[UREG_I7]);
5459 - printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
5460 - "pte[%lx] error[%lx]\n",
5461 -@@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
5462 - fp = (unsigned long)sf->fp + STACK_BIAS;
5463 - }
5464 -
5465 -- printk(" [%016lx] %pS\n", pc, (void *) pc);
5466 -+ printk(" [%016lx] %pA\n", pc, (void *) pc);
5467 - } while (++count < 16);
5468 - }
5469 -
5470 -@@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
5471 - return (struct reg_window *) (fp + STACK_BIAS);
5472 - }
5473 -
5474 -+extern void gr_handle_kernel_exploit(void);
5475 -+
5476 - void die_if_kernel(char *str, struct pt_regs *regs)
5477 - {
5478 - static int die_counter;
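Review bot: "extern void gr_handle_kernel_exploit(void);" is declared directly in traps_64.c, just above die_if_kernel(), instead of coming from a header, so the compiler cannot check this prototype against the definition. Move the declaration into a shared header. The call added to die_if_kernel() in the next hunk is not under any #ifdef, so that header also needs to provide a no-op stub for configurations where the function is not built.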
5479 -@@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
5480 - while (rw &&
5481 - count++ < 30&&
5482 - is_kernel_stack(current, rw)) {
5483 -- printk("Caller[%016lx]: %pS\n", rw->ins[7],
5484 -+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
5485 - (void *) rw->ins[7]);
5486 -
5487 - rw = kernel_stack_up(rw);
5488 -@@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
5489 - }
5490 - user_instruction_dump ((unsigned int __user *) regs->tpc);
5491 - }
5492 -- if (regs->tstate & TSTATE_PRIV)
5493 -+ if (regs->tstate & TSTATE_PRIV) {
5494 -+ gr_handle_kernel_exploit();
5495 - do_exit(SIGKILL);
5496 -+ }
5497 -+
5498 - do_exit(SIGSEGV);
5499 - }
5500 - EXPORT_SYMBOL(die_if_kernel);
5501 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S
5502 ---- linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-03-27 14:31:47.000000000 -0400
5503 -+++ linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-07-13 22:20:05.000000000 -0400
5504 -@@ -127,7 +127,7 @@ do_int_load:
5505 - wr %o5, 0x0, %asi
5506 - retl
5507 - mov 0, %o0
5508 -- .size __do_int_load, .-__do_int_load
5509 -+ .size do_int_load, .-do_int_load
5510 -
5511 - .section __ex_table,"a"
5512 - .word 4b, __retl_efault
5513 -diff -urNp linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c
5514 ---- linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
5515 -+++ linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
5516 -@@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
5517 - if (count < 5) {
5518 - last_time = jiffies;
5519 - count++;
5520 -- printk("Kernel unaligned access at TPC[%lx] %pS\n",
5521 -+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
5522 - regs->tpc, (void *) regs->tpc);
5523 - }
5524 - }
5525 -diff -urNp linux-2.6.32.46/arch/sparc/lib/Makefile linux-2.6.32.46/arch/sparc/lib/Makefile
5526 ---- linux-2.6.32.46/arch/sparc/lib/Makefile 2011-03-27 14:31:47.000000000 -0400
5527 -+++ linux-2.6.32.46/arch/sparc/lib/Makefile 2011-05-17 19:26:34.000000000 -0400
5528 -@@ -2,7 +2,7 @@
5529 - #
5530 -
5531 - asflags-y := -ansi -DST_DIV0=0x02
5532 --ccflags-y := -Werror
5533 -+#ccflags-y := -Werror
5534 -
5535 - lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
5536 - lib-$(CONFIG_SPARC32) += memcpy.o memset.o
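Review bot: "#ccflags-y := -Werror" leaves a commented-out line behind and silently stops treating compiler warnings in arch/sparc/lib as errors. Either delete the line or add a comment naming the warnings introduced by this patch that made the change necessary, so it can be reverted once they are fixed. The identical edit to arch/sparc/mm/Makefile has the same issue.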
5537 -diff -urNp linux-2.6.32.46/arch/sparc/lib/atomic_64.S linux-2.6.32.46/arch/sparc/lib/atomic_64.S
5538 ---- linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-03-27 14:31:47.000000000 -0400
5539 -+++ linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-04-17 15:56:46.000000000 -0400
5540 -@@ -18,7 +18,12 @@
5541 - atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
5542 - BACKOFF_SETUP(%o2)
5543 - 1: lduw [%o1], %g1
5544 -- add %g1, %o0, %g7
5545 -+ addcc %g1, %o0, %g7
5546 -+
5547 -+#ifdef CONFIG_PAX_REFCOUNT
5548 -+ tvs %icc, 6
5549 -+#endif
5550 -+
5551 - cas [%o1], %g1, %g7
5552 - cmp %g1, %g7
5553 - bne,pn %icc, 2f
5554 -@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
5555 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5556 - .size atomic_add, .-atomic_add
5557 -
5558 -+ .globl atomic_add_unchecked
5559 -+ .type atomic_add_unchecked,#function
5560 -+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5561 -+ BACKOFF_SETUP(%o2)
5562 -+1: lduw [%o1], %g1
5563 -+ add %g1, %o0, %g7
5564 -+ cas [%o1], %g1, %g7
5565 -+ cmp %g1, %g7
5566 -+ bne,pn %icc, 2f
5567 -+ nop
5568 -+ retl
5569 -+ nop
5570 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5571 -+ .size atomic_add_unchecked, .-atomic_add_unchecked
5572 -+
5573 - .globl atomic_sub
5574 - .type atomic_sub,#function
5575 - atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
5576 - BACKOFF_SETUP(%o2)
5577 - 1: lduw [%o1], %g1
5578 -- sub %g1, %o0, %g7
5579 -+ subcc %g1, %o0, %g7
5580 -+
5581 -+#ifdef CONFIG_PAX_REFCOUNT
5582 -+ tvs %icc, 6
5583 -+#endif
5584 -+
5585 - cas [%o1], %g1, %g7
5586 - cmp %g1, %g7
5587 - bne,pn %icc, 2f
5588 -@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
5589 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5590 - .size atomic_sub, .-atomic_sub
5591 -
5592 -+ .globl atomic_sub_unchecked
5593 -+ .type atomic_sub_unchecked,#function
5594 -+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
5595 -+ BACKOFF_SETUP(%o2)
5596 -+1: lduw [%o1], %g1
5597 -+ sub %g1, %o0, %g7
5598 -+ cas [%o1], %g1, %g7
5599 -+ cmp %g1, %g7
5600 -+ bne,pn %icc, 2f
5601 -+ nop
5602 -+ retl
5603 -+ nop
5604 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5605 -+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
5606 -+
5607 - .globl atomic_add_ret
5608 - .type atomic_add_ret,#function
5609 - atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5610 - BACKOFF_SETUP(%o2)
5611 - 1: lduw [%o1], %g1
5612 -- add %g1, %o0, %g7
5613 -+ addcc %g1, %o0, %g7
5614 -+
5615 -+#ifdef CONFIG_PAX_REFCOUNT
5616 -+ tvs %icc, 6
5617 -+#endif
5618 -+
5619 - cas [%o1], %g1, %g7
5620 - cmp %g1, %g7
5621 - bne,pn %icc, 2f
5622 -@@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
5623 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5624 - .size atomic_add_ret, .-atomic_add_ret
5625 -
5626 -+ .globl atomic_add_ret_unchecked
5627 -+ .type atomic_add_ret_unchecked,#function
5628 -+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5629 -+ BACKOFF_SETUP(%o2)
5630 -+1: lduw [%o1], %g1
5631 -+ addcc %g1, %o0, %g7
5632 -+ cas [%o1], %g1, %g7
5633 -+ cmp %g1, %g7
5634 -+ bne,pn %icc, 2f
5635 -+ add %g7, %o0, %g7
5636 -+ sra %g7, 0, %o0
5637 -+ retl
5638 -+ nop
5639 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5640 -+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
5641 -+
5642 - .globl atomic_sub_ret
5643 - .type atomic_sub_ret,#function
5644 - atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5645 - BACKOFF_SETUP(%o2)
5646 - 1: lduw [%o1], %g1
5647 -- sub %g1, %o0, %g7
5648 -+ subcc %g1, %o0, %g7
5649 -+
5650 -+#ifdef CONFIG_PAX_REFCOUNT
5651 -+ tvs %icc, 6
5652 -+#endif
5653 -+
5654 - cas [%o1], %g1, %g7
5655 - cmp %g1, %g7
5656 - bne,pn %icc, 2f
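Review bot: atomic_add_ret_unchecked uses "addcc %g1, %o0, %g7" even though no "tvs" follows it, while atomic_add_unchecked and atomic_sub_unchecked earlier in this file use plain "add" and "sub". The condition codes are overwritten by the following "cmp", so the result is the same, but the unchecked variants should consistently use the non-cc forms to make it obvious that no overflow check is intended. The atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked routines further down have the same inconsistency. This hunk also adds the overflow trap to atomic_sub_ret without adding an unchecked counterpart, which deserves a comment if intentional.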
5657 -@@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
5658 - atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
5659 - BACKOFF_SETUP(%o2)
5660 - 1: ldx [%o1], %g1
5661 -- add %g1, %o0, %g7
5662 -+ addcc %g1, %o0, %g7
5663 -+
5664 -+#ifdef CONFIG_PAX_REFCOUNT
5665 -+ tvs %xcc, 6
5666 -+#endif
5667 -+
5668 - casx [%o1], %g1, %g7
5669 - cmp %g1, %g7
5670 - bne,pn %xcc, 2f
5671 -@@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
5672 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5673 - .size atomic64_add, .-atomic64_add
5674 -
5675 -+ .globl atomic64_add_unchecked
5676 -+ .type atomic64_add_unchecked,#function
5677 -+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5678 -+ BACKOFF_SETUP(%o2)
5679 -+1: ldx [%o1], %g1
5680 -+ addcc %g1, %o0, %g7
5681 -+ casx [%o1], %g1, %g7
5682 -+ cmp %g1, %g7
5683 -+ bne,pn %xcc, 2f
5684 -+ nop
5685 -+ retl
5686 -+ nop
5687 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5688 -+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
5689 -+
5690 - .globl atomic64_sub
5691 - .type atomic64_sub,#function
5692 - atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
5693 - BACKOFF_SETUP(%o2)
5694 - 1: ldx [%o1], %g1
5695 -- sub %g1, %o0, %g7
5696 -+ subcc %g1, %o0, %g7
5697 -+
5698 -+#ifdef CONFIG_PAX_REFCOUNT
5699 -+ tvs %xcc, 6
5700 -+#endif
5701 -+
5702 - casx [%o1], %g1, %g7
5703 - cmp %g1, %g7
5704 - bne,pn %xcc, 2f
5705 -@@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
5706 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5707 - .size atomic64_sub, .-atomic64_sub
5708 -
5709 -+ .globl atomic64_sub_unchecked
5710 -+ .type atomic64_sub_unchecked,#function
5711 -+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
5712 -+ BACKOFF_SETUP(%o2)
5713 -+1: ldx [%o1], %g1
5714 -+ subcc %g1, %o0, %g7
5715 -+ casx [%o1], %g1, %g7
5716 -+ cmp %g1, %g7
5717 -+ bne,pn %xcc, 2f
5718 -+ nop
5719 -+ retl
5720 -+ nop
5721 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5722 -+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
5723 -+
5724 - .globl atomic64_add_ret
5725 - .type atomic64_add_ret,#function
5726 - atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5727 - BACKOFF_SETUP(%o2)
5728 - 1: ldx [%o1], %g1
5729 -- add %g1, %o0, %g7
5730 -+ addcc %g1, %o0, %g7
5731 -+
5732 -+#ifdef CONFIG_PAX_REFCOUNT
5733 -+ tvs %xcc, 6
5734 -+#endif
5735 -+
5736 - casx [%o1], %g1, %g7
5737 - cmp %g1, %g7
5738 - bne,pn %xcc, 2f
5739 -@@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
5740 - 2: BACKOFF_SPIN(%o2, %o3, 1b)
5741 - .size atomic64_add_ret, .-atomic64_add_ret
5742 -
5743 -+ .globl atomic64_add_ret_unchecked
5744 -+ .type atomic64_add_ret_unchecked,#function
5745 -+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5746 -+ BACKOFF_SETUP(%o2)
5747 -+1: ldx [%o1], %g1
5748 -+ addcc %g1, %o0, %g7
5749 -+ casx [%o1], %g1, %g7
5750 -+ cmp %g1, %g7
5751 -+ bne,pn %xcc, 2f
5752 -+ add %g7, %o0, %g7
5753 -+ mov %g7, %o0
5754 -+ retl
5755 -+ nop
5756 -+2: BACKOFF_SPIN(%o2, %o3, 1b)
5757 -+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
5758 -+
5759 - .globl atomic64_sub_ret
5760 - .type atomic64_sub_ret,#function
5761 - atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5762 - BACKOFF_SETUP(%o2)
5763 - 1: ldx [%o1], %g1
5764 -- sub %g1, %o0, %g7
5765 -+ subcc %g1, %o0, %g7
5766 -+
5767 -+#ifdef CONFIG_PAX_REFCOUNT
5768 -+ tvs %xcc, 6
5769 -+#endif
5770 -+
5771 - casx [%o1], %g1, %g7
5772 - cmp %g1, %g7
5773 - bne,pn %xcc, 2f
5774 -diff -urNp linux-2.6.32.46/arch/sparc/lib/ksyms.c linux-2.6.32.46/arch/sparc/lib/ksyms.c
5775 ---- linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-03-27 14:31:47.000000000 -0400
5776 -+++ linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-08-19 23:05:14.000000000 -0400
5777 -@@ -144,12 +144,18 @@ EXPORT_SYMBOL(__downgrade_write);
5778 -
5779 - /* Atomic counter implementation. */
5780 - EXPORT_SYMBOL(atomic_add);
5781 -+EXPORT_SYMBOL(atomic_add_unchecked);
5782 - EXPORT_SYMBOL(atomic_add_ret);
5783 -+EXPORT_SYMBOL(atomic_add_ret_unchecked);
5784 - EXPORT_SYMBOL(atomic_sub);
5785 -+EXPORT_SYMBOL(atomic_sub_unchecked);
5786 - EXPORT_SYMBOL(atomic_sub_ret);
5787 - EXPORT_SYMBOL(atomic64_add);
5788 -+EXPORT_SYMBOL(atomic64_add_unchecked);
5789 - EXPORT_SYMBOL(atomic64_add_ret);
5790 -+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
5791 - EXPORT_SYMBOL(atomic64_sub);
5792 -+EXPORT_SYMBOL(atomic64_sub_unchecked);
5793 - EXPORT_SYMBOL(atomic64_sub_ret);
5794 -
5795 - /* Atomic bit operations. */
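Review bot: the export list gains _unchecked variants for add, add_ret and sub, in both the 32-bit and 64-bit families, but none for atomic_sub_ret or atomic64_sub_ret, which matches atomic_64.S where no such routines are defined. If the omission is deliberate, a short comment above the exports saying so would save the next reader from looking for the missing symbols.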
5796 -diff -urNp linux-2.6.32.46/arch/sparc/lib/rwsem_64.S linux-2.6.32.46/arch/sparc/lib/rwsem_64.S
5797 ---- linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
5798 -+++ linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-04-17 15:56:46.000000000 -0400
5799 -@@ -11,7 +11,12 @@
5800 - .globl __down_read
5801 - __down_read:
5802 - 1: lduw [%o0], %g1
5803 -- add %g1, 1, %g7
5804 -+ addcc %g1, 1, %g7
5805 -+
5806 -+#ifdef CONFIG_PAX_REFCOUNT
5807 -+ tvs %icc, 6
5808 -+#endif
5809 -+
5810 - cas [%o0], %g1, %g7
5811 - cmp %g1, %g7
5812 - bne,pn %icc, 1b
5813 -@@ -33,7 +38,12 @@ __down_read:
5814 - .globl __down_read_trylock
5815 - __down_read_trylock:
5816 - 1: lduw [%o0], %g1
5817 -- add %g1, 1, %g7
5818 -+ addcc %g1, 1, %g7
5819 -+
5820 -+#ifdef CONFIG_PAX_REFCOUNT
5821 -+ tvs %icc, 6
5822 -+#endif
5823 -+
5824 - cmp %g7, 0
5825 - bl,pn %icc, 2f
5826 - mov 0, %o1
5827 -@@ -51,7 +61,12 @@ __down_write:
5828 - or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5829 - 1:
5830 - lduw [%o0], %g3
5831 -- add %g3, %g1, %g7
5832 -+ addcc %g3, %g1, %g7
5833 -+
5834 -+#ifdef CONFIG_PAX_REFCOUNT
5835 -+ tvs %icc, 6
5836 -+#endif
5837 -+
5838 - cas [%o0], %g3, %g7
5839 - cmp %g3, %g7
5840 - bne,pn %icc, 1b
5841 -@@ -77,7 +92,12 @@ __down_write_trylock:
5842 - cmp %g3, 0
5843 - bne,pn %icc, 2f
5844 - mov 0, %o1
5845 -- add %g3, %g1, %g7
5846 -+ addcc %g3, %g1, %g7
5847 -+
5848 -+#ifdef CONFIG_PAX_REFCOUNT
5849 -+ tvs %icc, 6
5850 -+#endif
5851 -+
5852 - cas [%o0], %g3, %g7
5853 - cmp %g3, %g7
5854 - bne,pn %icc, 1b
5855 -@@ -90,7 +110,12 @@ __down_write_trylock:
5856 - __up_read:
5857 - 1:
5858 - lduw [%o0], %g1
5859 -- sub %g1, 1, %g7
5860 -+ subcc %g1, 1, %g7
5861 -+
5862 -+#ifdef CONFIG_PAX_REFCOUNT
5863 -+ tvs %icc, 6
5864 -+#endif
5865 -+
5866 - cas [%o0], %g1, %g7
5867 - cmp %g1, %g7
5868 - bne,pn %icc, 1b
5869 -@@ -118,7 +143,12 @@ __up_write:
5870 - or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5871 - 1:
5872 - lduw [%o0], %g3
5873 -- sub %g3, %g1, %g7
5874 -+ subcc %g3, %g1, %g7
5875 -+
5876 -+#ifdef CONFIG_PAX_REFCOUNT
5877 -+ tvs %icc, 6
5878 -+#endif
5879 -+
5880 - cas [%o0], %g3, %g7
5881 - cmp %g3, %g7
5882 - bne,pn %icc, 1b
5883 -@@ -143,7 +173,12 @@ __downgrade_write:
5884 - or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5885 - 1:
5886 - lduw [%o0], %g3
5887 -- sub %g3, %g1, %g7
5888 -+ subcc %g3, %g1, %g7
5889 -+
5890 -+#ifdef CONFIG_PAX_REFCOUNT
5891 -+ tvs %icc, 6
5892 -+#endif
5893 -+
5894 - cas [%o0], %g3, %g7
5895 - cmp %g3, %g7
5896 - bne,pn %icc, 1b
5897 -diff -urNp linux-2.6.32.46/arch/sparc/mm/Makefile linux-2.6.32.46/arch/sparc/mm/Makefile
5898 ---- linux-2.6.32.46/arch/sparc/mm/Makefile 2011-03-27 14:31:47.000000000 -0400
5899 -+++ linux-2.6.32.46/arch/sparc/mm/Makefile 2011-04-17 15:56:46.000000000 -0400
5900 -@@ -2,7 +2,7 @@
5901 - #
5902 -
5903 - asflags-y := -ansi
5904 --ccflags-y := -Werror
5905 -+#ccflags-y := -Werror
5906 -
5907 - obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5908 - obj-y += fault_$(BITS).o
5909 -diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_32.c linux-2.6.32.46/arch/sparc/mm/fault_32.c
5910 ---- linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-03-27 14:31:47.000000000 -0400
5911 -+++ linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-04-17 15:56:46.000000000 -0400
5912 -@@ -21,6 +21,9 @@
5913 - #include <linux/interrupt.h>
5914 - #include <linux/module.h>
5915 - #include <linux/kdebug.h>
5916 -+#include <linux/slab.h>
5917 -+#include <linux/pagemap.h>
5918 -+#include <linux/compiler.h>
5919 -
5920 - #include <asm/system.h>
5921 - #include <asm/page.h>
5922 -@@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5923 - return safe_compute_effective_address(regs, insn);
5924 - }
5925 -
5926 -+#ifdef CONFIG_PAX_PAGEEXEC
5927 -+#ifdef CONFIG_PAX_DLRESOLVE
5928 -+static void pax_emuplt_close(struct vm_area_struct *vma)
5929 -+{
5930 -+ vma->vm_mm->call_dl_resolve = 0UL;
5931 -+}
5932 -+
5933 -+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5934 -+{
5935 -+ unsigned int *kaddr;
5936 -+
5937 -+ vmf->page = alloc_page(GFP_HIGHUSER);
5938 -+ if (!vmf->page)
5939 -+ return VM_FAULT_OOM;
5940 -+
5941 -+ kaddr = kmap(vmf->page);
5942 -+ memset(kaddr, 0, PAGE_SIZE);
5943 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
5944 -+ flush_dcache_page(vmf->page);
5945 -+ kunmap(vmf->page);
5946 -+ return VM_FAULT_MAJOR;
5947 -+}
5948 -+
5949 -+static const struct vm_operations_struct pax_vm_ops = {
5950 -+ .close = pax_emuplt_close,
5951 -+ .fault = pax_emuplt_fault
5952 -+};
5953 -+
5954 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5955 -+{
5956 -+ int ret;
5957 -+
5958 -+ vma->vm_mm = current->mm;
5959 -+ vma->vm_start = addr;
5960 -+ vma->vm_end = addr + PAGE_SIZE;
5961 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5962 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5963 -+ vma->vm_ops = &pax_vm_ops;
5964 -+
5965 -+ ret = insert_vm_struct(current->mm, vma);
5966 -+ if (ret)
5967 -+ return ret;
5968 -+
5969 -+ ++current->mm->total_vm;
5970 -+ return 0;
5971 -+}
5972 -+#endif
5973 -+
5974 -+/*
5975 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
5976 -+ *
5977 -+ * returns 1 when task should be killed
5978 -+ * 2 when patched PLT trampoline was detected
5979 -+ * 3 when unpatched PLT trampoline was detected
5980 -+ */
5981 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
5982 -+{
5983 -+
5984 -+#ifdef CONFIG_PAX_EMUPLT
5985 -+ int err;
5986 -+
5987 -+ do { /* PaX: patched PLT emulation #1 */
5988 -+ unsigned int sethi1, sethi2, jmpl;
5989 -+
5990 -+ err = get_user(sethi1, (unsigned int *)regs->pc);
5991 -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5992 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5993 -+
5994 -+ if (err)
5995 -+ break;
5996 -+
5997 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5998 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
5999 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
6000 -+ {
6001 -+ unsigned int addr;
6002 -+
6003 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6004 -+ addr = regs->u_regs[UREG_G1];
6005 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6006 -+ regs->pc = addr;
6007 -+ regs->npc = addr+4;
6008 -+ return 2;
6009 -+ }
6010 -+ } while (0);
6011 -+
6012 -+ { /* PaX: patched PLT emulation #2 */
6013 -+ unsigned int ba;
6014 -+
6015 -+ err = get_user(ba, (unsigned int *)regs->pc);
6016 -+
6017 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6018 -+ unsigned int addr;
6019 -+
6020 -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6021 -+ regs->pc = addr;
6022 -+ regs->npc = addr+4;
6023 -+ return 2;
6024 -+ }
6025 -+ }
6026 -+
6027 -+ do { /* PaX: patched PLT emulation #3 */
6028 -+ unsigned int sethi, jmpl, nop;
6029 -+
6030 -+ err = get_user(sethi, (unsigned int *)regs->pc);
6031 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6032 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
6033 -+
6034 -+ if (err)
6035 -+ break;
6036 -+
6037 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6038 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6039 -+ nop == 0x01000000U)
6040 -+ {
6041 -+ unsigned int addr;
6042 -+
6043 -+ addr = (sethi & 0x003FFFFFU) << 10;
6044 -+ regs->u_regs[UREG_G1] = addr;
6045 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6046 -+ regs->pc = addr;
6047 -+ regs->npc = addr+4;
6048 -+ return 2;
6049 -+ }
6050 -+ } while (0);
6051 -+
6052 -+ do { /* PaX: unpatched PLT emulation step 1 */
6053 -+ unsigned int sethi, ba, nop;
6054 -+
6055 -+ err = get_user(sethi, (unsigned int *)regs->pc);
6056 -+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
6057 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
6058 -+
6059 -+ if (err)
6060 -+ break;
6061 -+
6062 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6063 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6064 -+ nop == 0x01000000U)
6065 -+ {
6066 -+ unsigned int addr, save, call;
6067 -+
6068 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
6069 -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6070 -+ else
6071 -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6072 -+
6073 -+ err = get_user(save, (unsigned int *)addr);
6074 -+ err |= get_user(call, (unsigned int *)(addr+4));
6075 -+ err |= get_user(nop, (unsigned int *)(addr+8));
6076 -+ if (err)
6077 -+ break;
6078 -+
6079 -+#ifdef CONFIG_PAX_DLRESOLVE
6080 -+ if (save == 0x9DE3BFA8U &&
6081 -+ (call & 0xC0000000U) == 0x40000000U &&
6082 -+ nop == 0x01000000U)
6083 -+ {
6084 -+ struct vm_area_struct *vma;
6085 -+ unsigned long call_dl_resolve;
6086 -+
6087 -+ down_read(&current->mm->mmap_sem);
6088 -+ call_dl_resolve = current->mm->call_dl_resolve;
6089 -+ up_read(&current->mm->mmap_sem);
6090 -+ if (likely(call_dl_resolve))
6091 -+ goto emulate;
6092 -+
6093 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6094 -+
6095 -+ down_write(&current->mm->mmap_sem);
6096 -+ if (current->mm->call_dl_resolve) {
6097 -+ call_dl_resolve = current->mm->call_dl_resolve;
6098 -+ up_write(&current->mm->mmap_sem);
6099 -+ if (vma)
6100 -+ kmem_cache_free(vm_area_cachep, vma);
6101 -+ goto emulate;
6102 -+ }
6103 -+
6104 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6105 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6106 -+ up_write(&current->mm->mmap_sem);
6107 -+ if (vma)
6108 -+ kmem_cache_free(vm_area_cachep, vma);
6109 -+ return 1;
6110 -+ }
6111 -+
6112 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
6113 -+ up_write(&current->mm->mmap_sem);
6114 -+ kmem_cache_free(vm_area_cachep, vma);
6115 -+ return 1;
6116 -+ }
6117 -+
6118 -+ current->mm->call_dl_resolve = call_dl_resolve;
6119 -+ up_write(&current->mm->mmap_sem);
6120 -+
6121 -+emulate:
6122 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6123 -+ regs->pc = call_dl_resolve;
6124 -+ regs->npc = addr+4;
6125 -+ return 3;
6126 -+ }
6127 -+#endif
6128 -+
6129 -+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6130 -+ if ((save & 0xFFC00000U) == 0x05000000U &&
6131 -+ (call & 0xFFFFE000U) == 0x85C0A000U &&
6132 -+ nop == 0x01000000U)
6133 -+ {
6134 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6135 -+ regs->u_regs[UREG_G2] = addr + 4;
6136 -+ addr = (save & 0x003FFFFFU) << 10;
6137 -+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6138 -+ regs->pc = addr;
6139 -+ regs->npc = addr+4;
6140 -+ return 3;
6141 -+ }
6142 -+ }
6143 -+ } while (0);
6144 -+
6145 -+ do { /* PaX: unpatched PLT emulation step 2 */
6146 -+ unsigned int save, call, nop;
6147 -+
6148 -+ err = get_user(save, (unsigned int *)(regs->pc-4));
6149 -+ err |= get_user(call, (unsigned int *)regs->pc);
6150 -+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
6151 -+ if (err)
6152 -+ break;
6153 -+
6154 -+ if (save == 0x9DE3BFA8U &&
6155 -+ (call & 0xC0000000U) == 0x40000000U &&
6156 -+ nop == 0x01000000U)
6157 -+ {
6158 -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6159 -+
6160 -+ regs->u_regs[UREG_RETPC] = regs->pc;
6161 -+ regs->pc = dl_resolve;
6162 -+ regs->npc = dl_resolve+4;
6163 -+ return 3;
6164 -+ }
6165 -+ } while (0);
6166 -+#endif
6167 -+
6168 -+ return 1;
6169 -+}
6170 -+
6171 -+void pax_report_insns(void *pc, void *sp)
6172 -+{
6173 -+ unsigned long i;
6174 -+
6175 -+ printk(KERN_ERR "PAX: bytes at PC: ");
6176 -+ for (i = 0; i < 8; i++) {
6177 -+ unsigned int c;
6178 -+ if (get_user(c, (unsigned int *)pc+i))
6179 -+ printk(KERN_CONT "???????? ");
6180 -+ else
6181 -+ printk(KERN_CONT "%08x ", c);
6182 -+ }
6183 -+ printk("\n");
6184 -+}
6185 -+#endif
6186 -+
6187 - asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
6188 - unsigned long address)
6189 - {
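Review bot: every get_user() call in pax_handle_fetch_fault() and pax_report_insns() casts the faulting address to a plain "(unsigned int *)", for example "get_user(sethi1, (unsigned int *)regs->pc)", dropping the __user annotation that traps_64.c uses for the same kind of access ("(unsigned int __user *) regs->tpc"). Add __user to these casts so sparse can check them. Two smaller points: the return codes 1, 2 and 3 are documented only in the comment above pax_handle_fetch_fault() and would be clearer as named constants shared with the caller, and the final "printk("\n")" in pax_report_insns() lacks the KERN_CONT that the preceding continuation lines use.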
6190 -@@ -231,6 +495,24 @@ good_area:
6191 - if(!(vma->vm_flags & VM_WRITE))
6192 - goto bad_area;
6193 - } else {
6194 -+
6195 -+#ifdef CONFIG_PAX_PAGEEXEC
6196 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
6197 -+ up_read(&mm->mmap_sem);
6198 -+ switch (pax_handle_fetch_fault(regs)) {
6199 -+
6200 -+#ifdef CONFIG_PAX_EMUPLT
6201 -+ case 2:
6202 -+ case 3:
6203 -+ return;
6204 -+#endif
6205 -+
6206 -+ }
6207 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
6208 -+ do_group_exit(SIGKILL);
6209 -+ }
6210 -+#endif
6211 -+
6212 - /* Allow reads even for write-only mappings */
6213 - if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
6214 - goto bad_area;
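Review bot: the "switch (pax_handle_fetch_fault(regs))" added to do_sparc_fault() has no default label, and with CONFIG_PAX_EMUPLT disabled it has no case labels at all, leaving an empty switch body. Storing the return value and testing it explicitly inside the #ifdef, or adding "default: break;", would make the kill path for return value 1 explicit and avoid an empty switch. A comment that mmap_sem has already been released by the up_read() above before the early "return" for cases 2 and 3 would also help readers following the locking.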
6215 -diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_64.c linux-2.6.32.46/arch/sparc/mm/fault_64.c
6216 ---- linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-03-27 14:31:47.000000000 -0400
6217 -+++ linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-04-17 15:56:46.000000000 -0400
6218 -@@ -20,6 +20,9 @@
6219 - #include <linux/kprobes.h>
6220 - #include <linux/kdebug.h>
6221 - #include <linux/percpu.h>
6222 -+#include <linux/slab.h>
6223 -+#include <linux/pagemap.h>
6224 -+#include <linux/compiler.h>
6225 -
6226 - #include <asm/page.h>
6227 - #include <asm/pgtable.h>
6228 -@@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
6229 - printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
6230 - regs->tpc);
6231 - printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
6232 -- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
6233 -+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
6234 - printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
6235 - dump_stack();
6236 - unhandled_fault(regs->tpc, current, regs);
6237 -@@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
6238 - show_regs(regs);
6239 - }
6240 -
6241 -+#ifdef CONFIG_PAX_PAGEEXEC
6242 -+#ifdef CONFIG_PAX_DLRESOLVE
6243 -+static void pax_emuplt_close(struct vm_area_struct *vma)
6244 -+{
6245 -+ vma->vm_mm->call_dl_resolve = 0UL;
6246 -+}
6247 -+
6248 -+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6249 -+{
6250 -+ unsigned int *kaddr;
6251 -+
6252 -+ vmf->page = alloc_page(GFP_HIGHUSER);
6253 -+ if (!vmf->page)
6254 -+ return VM_FAULT_OOM;
6255 -+
6256 -+ kaddr = kmap(vmf->page);
6257 -+ memset(kaddr, 0, PAGE_SIZE);
6258 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
6259 -+ flush_dcache_page(vmf->page);
6260 -+ kunmap(vmf->page);
6261 -+ return VM_FAULT_MAJOR;
6262 -+}
6263 -+
6264 -+static const struct vm_operations_struct pax_vm_ops = {
6265 -+ .close = pax_emuplt_close,
6266 -+ .fault = pax_emuplt_fault
6267 -+};
6268 -+
6269 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6270 -+{
6271 -+ int ret;
6272 -+
6273 -+ vma->vm_mm = current->mm;
6274 -+ vma->vm_start = addr;
6275 -+ vma->vm_end = addr + PAGE_SIZE;
6276 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6277 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6278 -+ vma->vm_ops = &pax_vm_ops;
6279 -+
6280 -+ ret = insert_vm_struct(current->mm, vma);
6281 -+ if (ret)
6282 -+ return ret;
6283 -+
6284 -+ ++current->mm->total_vm;
6285 -+ return 0;
6286 -+}
6287 -+#endif
6288 -+
6289 -+/*
6290 -+ * PaX: decide what to do with offenders (regs->tpc = fault address)
6291 -+ *
6292 -+ * returns 1 when task should be killed
6293 -+ * 2 when patched PLT trampoline was detected
6294 -+ * 3 when unpatched PLT trampoline was detected
6295 -+ */
6296 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
6297 -+{
6298 -+
6299 -+#ifdef CONFIG_PAX_EMUPLT
6300 -+ int err;
6301 -+
6302 -+ do { /* PaX: patched PLT emulation #1 */
6303 -+ unsigned int sethi1, sethi2, jmpl;
6304 -+
6305 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
6306 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
6307 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
6308 -+
6309 -+ if (err)
6310 -+ break;
6311 -+
6312 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6313 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
6314 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
6315 -+ {
6316 -+ unsigned long addr;
6317 -+
6318 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6319 -+ addr = regs->u_regs[UREG_G1];
6320 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
6321 -+
6322 -+ if (test_thread_flag(TIF_32BIT))
6323 -+ addr &= 0xFFFFFFFFUL;
6324 -+
6325 -+ regs->tpc = addr;
6326 -+ regs->tnpc = addr+4;
6327 -+ return 2;
6328 -+ }
6329 -+ } while (0);
6330 -+
6331 -+ { /* PaX: patched PLT emulation #2 */
6332 -+ unsigned int ba;
6333 -+
6334 -+ err = get_user(ba, (unsigned int *)regs->tpc);
6335 -+
6336 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6337 -+ unsigned long addr;
6338 -+
6339 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
6340 -+
6341 -+ if (test_thread_flag(TIF_32BIT))
6342 -+ addr &= 0xFFFFFFFFUL;
6343 -+
6344 -+ regs->tpc = addr;
6345 -+ regs->tnpc = addr+4;
6346 -+ return 2;
6347 -+ }
6348 -+ }
6349 -+
6350 -+ do { /* PaX: patched PLT emulation #3 */
6351 -+ unsigned int sethi, jmpl, nop;
6352 -+
6353 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6354 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
6355 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
6356 -+
6357 -+ if (err)
6358 -+ break;
6359 -+
6360 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6361 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6362 -+ nop == 0x01000000U)
6363 -+ {
6364 -+ unsigned long addr;
6365 -+
6366 -+ addr = (sethi & 0x003FFFFFU) << 10;
6367 -+ regs->u_regs[UREG_G1] = addr;
6368 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
6369 -+
6370 -+ if (test_thread_flag(TIF_32BIT))
6371 -+ addr &= 0xFFFFFFFFUL;
6372 -+
6373 -+ regs->tpc = addr;
6374 -+ regs->tnpc = addr+4;
6375 -+ return 2;
6376 -+ }
6377 -+ } while (0);
6378 -+
6379 -+ do { /* PaX: patched PLT emulation #4 */
6380 -+ unsigned int sethi, mov1, call, mov2;
6381 -+
6382 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6383 -+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
6384 -+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
6385 -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
6386 -+
6387 -+ if (err)
6388 -+ break;
6389 -+
6390 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6391 -+ mov1 == 0x8210000FU &&
6392 -+ (call & 0xC0000000U) == 0x40000000U &&
6393 -+ mov2 == 0x9E100001U)
6394 -+ {
6395 -+ unsigned long addr;
6396 -+
6397 -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
6398 -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
6399 -+
6400 -+ if (test_thread_flag(TIF_32BIT))
6401 -+ addr &= 0xFFFFFFFFUL;
6402 -+
6403 -+ regs->tpc = addr;
6404 -+ regs->tnpc = addr+4;
6405 -+ return 2;
6406 -+ }
6407 -+ } while (0);
6408 -+
6409 -+ do { /* PaX: patched PLT emulation #5 */
6410 -+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
6411 -+
6412 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6413 -+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
6414 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
6415 -+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
6416 -+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
6417 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
6418 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
6419 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
6420 -+
6421 -+ if (err)
6422 -+ break;
6423 -+
6424 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6425 -+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
6426 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
6427 -+ (or1 & 0xFFFFE000U) == 0x82106000U &&
6428 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
6429 -+ sllx == 0x83287020U &&
6430 -+ jmpl == 0x81C04005U &&
6431 -+ nop == 0x01000000U)
6432 -+ {
6433 -+ unsigned long addr;
6434 -+
6435 -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
6436 -+ regs->u_regs[UREG_G1] <<= 32;
6437 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
6438 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
6439 -+ regs->tpc = addr;
6440 -+ regs->tnpc = addr+4;
6441 -+ return 2;
6442 -+ }
6443 -+ } while (0);
6444 -+
6445 -+ do { /* PaX: patched PLT emulation #6 */
6446 -+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
6447 -+
6448 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6449 -+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
6450 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
6451 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
6452 -+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
6453 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
6454 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
6455 -+
6456 -+ if (err)
6457 -+ break;
6458 -+
6459 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6460 -+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
6461 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
6462 -+ sllx == 0x83287020U &&
6463 -+ (or & 0xFFFFE000U) == 0x8A116000U &&
6464 -+ jmpl == 0x81C04005U &&
6465 -+ nop == 0x01000000U)
6466 -+ {
6467 -+ unsigned long addr;
6468 -+
6469 -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
6470 -+ regs->u_regs[UREG_G1] <<= 32;
6471 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
6472 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
6473 -+ regs->tpc = addr;
6474 -+ regs->tnpc = addr+4;
6475 -+ return 2;
6476 -+ }
6477 -+ } while (0);
6478 -+
6479 -+ do { /* PaX: unpatched PLT emulation step 1 */
6480 -+ unsigned int sethi, ba, nop;
6481 -+
6482 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6483 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
6484 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
6485 -+
6486 -+ if (err)
6487 -+ break;
6488 -+
6489 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6490 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6491 -+ nop == 0x01000000U)
6492 -+ {
6493 -+ unsigned long addr;
6494 -+ unsigned int save, call;
6495 -+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
6496 -+
6497 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
6498 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
6499 -+ else
6500 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
6501 -+
6502 -+ if (test_thread_flag(TIF_32BIT))
6503 -+ addr &= 0xFFFFFFFFUL;
6504 -+
6505 -+ err = get_user(save, (unsigned int *)addr);
6506 -+ err |= get_user(call, (unsigned int *)(addr+4));
6507 -+ err |= get_user(nop, (unsigned int *)(addr+8));
6508 -+ if (err)
6509 -+ break;
6510 -+
6511 -+#ifdef CONFIG_PAX_DLRESOLVE
6512 -+ if (save == 0x9DE3BFA8U &&
6513 -+ (call & 0xC0000000U) == 0x40000000U &&
6514 -+ nop == 0x01000000U)
6515 -+ {
6516 -+ struct vm_area_struct *vma;
6517 -+ unsigned long call_dl_resolve;
6518 -+
6519 -+ down_read(&current->mm->mmap_sem);
6520 -+ call_dl_resolve = current->mm->call_dl_resolve;
6521 -+ up_read(&current->mm->mmap_sem);
6522 -+ if (likely(call_dl_resolve))
6523 -+ goto emulate;
6524 -+
6525 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6526 -+
6527 -+ down_write(&current->mm->mmap_sem);
6528 -+ if (current->mm->call_dl_resolve) {
6529 -+ call_dl_resolve = current->mm->call_dl_resolve;
6530 -+ up_write(&current->mm->mmap_sem);
6531 -+ if (vma)
6532 -+ kmem_cache_free(vm_area_cachep, vma);
6533 -+ goto emulate;
6534 -+ }
6535 -+
6536 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6537 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6538 -+ up_write(&current->mm->mmap_sem);
6539 -+ if (vma)
6540 -+ kmem_cache_free(vm_area_cachep, vma);
6541 -+ return 1;
6542 -+ }
6543 -+
6544 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
6545 -+ up_write(&current->mm->mmap_sem);
6546 -+ kmem_cache_free(vm_area_cachep, vma);
6547 -+ return 1;
6548 -+ }
6549 -+
6550 -+ current->mm->call_dl_resolve = call_dl_resolve;
6551 -+ up_write(&current->mm->mmap_sem);
6552 -+
6553 -+emulate:
6554 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6555 -+ regs->tpc = call_dl_resolve;
6556 -+ regs->tnpc = addr+4;
6557 -+ return 3;
6558 -+ }
6559 -+#endif
6560 -+
6561 -+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6562 -+ if ((save & 0xFFC00000U) == 0x05000000U &&
6563 -+ (call & 0xFFFFE000U) == 0x85C0A000U &&
6564 -+ nop == 0x01000000U)
6565 -+ {
6566 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6567 -+ regs->u_regs[UREG_G2] = addr + 4;
6568 -+ addr = (save & 0x003FFFFFU) << 10;
6569 -+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
6570 -+
6571 -+ if (test_thread_flag(TIF_32BIT))
6572 -+ addr &= 0xFFFFFFFFUL;
6573 -+
6574 -+ regs->tpc = addr;
6575 -+ regs->tnpc = addr+4;
6576 -+ return 3;
6577 -+ }
6578 -+
6579 -+ /* PaX: 64-bit PLT stub */
6580 -+ err = get_user(sethi1, (unsigned int *)addr);
6581 -+ err |= get_user(sethi2, (unsigned int *)(addr+4));
6582 -+ err |= get_user(or1, (unsigned int *)(addr+8));
6583 -+ err |= get_user(or2, (unsigned int *)(addr+12));
6584 -+ err |= get_user(sllx, (unsigned int *)(addr+16));
6585 -+ err |= get_user(add, (unsigned int *)(addr+20));
6586 -+ err |= get_user(jmpl, (unsigned int *)(addr+24));
6587 -+ err |= get_user(nop, (unsigned int *)(addr+28));
6588 -+ if (err)
6589 -+ break;
6590 -+
6591 -+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
6592 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
6593 -+ (or1 & 0xFFFFE000U) == 0x88112000U &&
6594 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
6595 -+ sllx == 0x89293020U &&
6596 -+ add == 0x8A010005U &&
6597 -+ jmpl == 0x89C14000U &&
6598 -+ nop == 0x01000000U)
6599 -+ {
6600 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6601 -+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
6602 -+ regs->u_regs[UREG_G4] <<= 32;
6603 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
6604 -+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
6605 -+ regs->u_regs[UREG_G4] = addr + 24;
6606 -+ addr = regs->u_regs[UREG_G5];
6607 -+ regs->tpc = addr;
6608 -+ regs->tnpc = addr+4;
6609 -+ return 3;
6610 -+ }
6611 -+ }
6612 -+ } while (0);
6613 -+
6614 -+#ifdef CONFIG_PAX_DLRESOLVE
6615 -+ do { /* PaX: unpatched PLT emulation step 2 */
6616 -+ unsigned int save, call, nop;
6617 -+
6618 -+ err = get_user(save, (unsigned int *)(regs->tpc-4));
6619 -+ err |= get_user(call, (unsigned int *)regs->tpc);
6620 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
6621 -+ if (err)
6622 -+ break;
6623 -+
6624 -+ if (save == 0x9DE3BFA8U &&
6625 -+ (call & 0xC0000000U) == 0x40000000U &&
6626 -+ nop == 0x01000000U)
6627 -+ {
6628 -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
6629 -+
6630 -+ if (test_thread_flag(TIF_32BIT))
6631 -+ dl_resolve &= 0xFFFFFFFFUL;
6632 -+
6633 -+ regs->u_regs[UREG_RETPC] = regs->tpc;
6634 -+ regs->tpc = dl_resolve;
6635 -+ regs->tnpc = dl_resolve+4;
6636 -+ return 3;
6637 -+ }
6638 -+ } while (0);
6639 -+#endif
6640 -+
6641 -+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
6642 -+ unsigned int sethi, ba, nop;
6643 -+
6644 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
6645 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
6646 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
6647 -+
6648 -+ if (err)
6649 -+ break;
6650 -+
6651 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
6652 -+ (ba & 0xFFF00000U) == 0x30600000U &&
6653 -+ nop == 0x01000000U)
6654 -+ {
6655 -+ unsigned long addr;
6656 -+
6657 -+ addr = (sethi & 0x003FFFFFU) << 10;
6658 -+ regs->u_regs[UREG_G1] = addr;
6659 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
6660 -+
6661 -+ if (test_thread_flag(TIF_32BIT))
6662 -+ addr &= 0xFFFFFFFFUL;
6663 -+
6664 -+ regs->tpc = addr;
6665 -+ regs->tnpc = addr+4;
6666 -+ return 2;
6667 -+ }
6668 -+ } while (0);
6669 -+
6670 -+#endif
6671 -+
6672 -+ return 1;
6673 -+}
6674 -+
6675 -+void pax_report_insns(void *pc, void *sp)
6676 -+{
6677 -+ unsigned long i;
6678 -+
6679 -+ printk(KERN_ERR "PAX: bytes at PC: ");
6680 -+ for (i = 0; i < 8; i++) {
6681 -+ unsigned int c;
6682 -+ if (get_user(c, (unsigned int *)pc+i))
6683 -+ printk(KERN_CONT "???????? ");
6684 -+ else
6685 -+ printk(KERN_CONT "%08x ", c);
6686 -+ }
6687 -+ printk("\n");
6688 -+}
6689 -+#endif
6690 -+
6691 - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
6692 - {
6693 - struct mm_struct *mm = current->mm;
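Review bot: In the CONFIG_PAX_DLRESOLVE branch of "unpatched PLT emulation step 1", a failed kmem_cache_zalloc(), a misaligned get_unmapped_area() result and a failed pax_insert_vma() all end in `return 1`, the same value the function returns when no PLT pattern matches. The caller in do_sparc64_fault handles only 2 and 3, so a transient allocation failure is reported through pax_report_fault() and the task is killed as if it had tried to execute a non-exec page. Consider a distinct return value, or at least a separate log line, so the two cases can be told apart in the logs.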
6694 -@@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
6695 - if (!vma)
6696 - goto bad_area;
6697 -
6698 -+#ifdef CONFIG_PAX_PAGEEXEC
6699 -+ /* PaX: detect ITLB misses on non-exec pages */
6700 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
6701 -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
6702 -+ {
6703 -+ if (address != regs->tpc)
6704 -+ goto good_area;
6705 -+
6706 -+ up_read(&mm->mmap_sem);
6707 -+ switch (pax_handle_fetch_fault(regs)) {
6708 -+
6709 -+#ifdef CONFIG_PAX_EMUPLT
6710 -+ case 2:
6711 -+ case 3:
6712 -+ return;
6713 -+#endif
6714 -+
6715 -+ }
6716 -+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
6717 -+ do_group_exit(SIGKILL);
6718 -+ }
6719 -+#endif
6720 -+
6721 - /* Pure DTLB misses do not tell us whether the fault causing
6722 - * load/store/atomic was a write or not, it only says that there
6723 - * was no match. So in such a case we (carefully) read the
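Review bot: With CONFIG_PAX_EMUPLT unset, `switch (pax_handle_fetch_fault(regs))` has no case labels at all, so the call's result is discarded and control always falls through to pax_report_fault() and do_group_exit(SIGKILL). That appears to be the intent, but an empty switch reads like an omission; an explicit `default:` with a short comment, or moving the whole switch under the #ifdef, would make it obvious. It would also help to note that mmap_sem is dropped with up_read() before the call because the handler takes the semaphore itself in its DLRESOLVE path.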
6724 -diff -urNp linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c
6725 ---- linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
6726 -+++ linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
6727 -@@ -69,7 +69,7 @@ full_search:
6728 - }
6729 - return -ENOMEM;
6730 - }
6731 -- if (likely(!vma || addr + len <= vma->vm_start)) {
6732 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
6733 - /*
6734 - * Remember the place where we stopped the search:
6735 - */
6736 -@@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
6737 - /* make sure it can fit in the remaining address space */
6738 - if (likely(addr > len)) {
6739 - vma = find_vma(mm, addr-len);
6740 -- if (!vma || addr <= vma->vm_start) {
6741 -+ if (check_heap_stack_gap(vma, addr - len, len)) {
6742 - /* remember the address as a hint for next time */
6743 - return (mm->free_area_cache = addr-len);
6744 - }
6745 -@@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
6746 - if (unlikely(mm->mmap_base < len))
6747 - goto bottomup;
6748 -
6749 -- addr = (mm->mmap_base-len) & HPAGE_MASK;
6750 -+ addr = mm->mmap_base - len;
6751 -
6752 - do {
6753 -+ addr &= HPAGE_MASK;
6754 - /*
6755 - * Lookup failure means no vma is above this address,
6756 - * else if new region fits below vma->vm_start,
6757 - * return with success:
6758 - */
6759 - vma = find_vma(mm, addr);
6760 -- if (likely(!vma || addr+len <= vma->vm_start)) {
6761 -+ if (likely(check_heap_stack_gap(vma, addr, len))) {
6762 - /* remember the address as a hint for next time */
6763 - return (mm->free_area_cache = addr);
6764 - }
6765 -@@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
6766 - mm->cached_hole_size = vma->vm_start - addr;
6767 -
6768 - /* try just below the current vma->vm_start */
6769 -- addr = (vma->vm_start-len) & HPAGE_MASK;
6770 -- } while (likely(len < vma->vm_start));
6771 -+ addr = skip_heap_stack_gap(vma, len);
6772 -+ } while (!IS_ERR_VALUE(addr));
6773 -
6774 - bottomup:
6775 - /*
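Review bot: The value returned by skip_heap_stack_gap(vma, len) is no longer masked where it is assigned; huge-page alignment now relies on the `addr &= HPAGE_MASK;` that the previous hunk moved to the top of the loop, and the loop condition `!IS_ERR_VALUE(addr)` is evaluated on the unmasked value. The result looks correct, but the dependency spans two hunks and is easy to break in a later edit. A one-line comment at the mask saying it also covers the value coming from skip_heap_stack_gap() would be enough.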
6776 -@@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
6777 - if (addr) {
6778 - addr = ALIGN(addr, HPAGE_SIZE);
6779 - vma = find_vma(mm, addr);
6780 -- if (task_size - len >= addr &&
6781 -- (!vma || addr + len <= vma->vm_start))
6782 -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6783 - return addr;
6784 - }
6785 - if (mm->get_unmapped_area == arch_get_unmapped_area)
6786 -diff -urNp linux-2.6.32.46/arch/sparc/mm/init_32.c linux-2.6.32.46/arch/sparc/mm/init_32.c
6787 ---- linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
6788 -+++ linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
6789 -@@ -317,6 +317,9 @@ extern void device_scan(void);
6790 - pgprot_t PAGE_SHARED __read_mostly;
6791 - EXPORT_SYMBOL(PAGE_SHARED);
6792 -
6793 -+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
6794 -+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
6795 -+
6796 - void __init paging_init(void)
6797 - {
6798 - switch(sparc_cpu_model) {
6799 -@@ -345,17 +348,17 @@ void __init paging_init(void)
6800 -
6801 - /* Initialize the protection map with non-constant, MMU dependent values. */
6802 - protection_map[0] = PAGE_NONE;
6803 -- protection_map[1] = PAGE_READONLY;
6804 -- protection_map[2] = PAGE_COPY;
6805 -- protection_map[3] = PAGE_COPY;
6806 -+ protection_map[1] = PAGE_READONLY_NOEXEC;
6807 -+ protection_map[2] = PAGE_COPY_NOEXEC;
6808 -+ protection_map[3] = PAGE_COPY_NOEXEC;
6809 - protection_map[4] = PAGE_READONLY;
6810 - protection_map[5] = PAGE_READONLY;
6811 - protection_map[6] = PAGE_COPY;
6812 - protection_map[7] = PAGE_COPY;
6813 - protection_map[8] = PAGE_NONE;
6814 -- protection_map[9] = PAGE_READONLY;
6815 -- protection_map[10] = PAGE_SHARED;
6816 -- protection_map[11] = PAGE_SHARED;
6817 -+ protection_map[9] = PAGE_READONLY_NOEXEC;
6818 -+ protection_map[10] = PAGE_SHARED_NOEXEC;
6819 -+ protection_map[11] = PAGE_SHARED_NOEXEC;
6820 - protection_map[12] = PAGE_READONLY;
6821 - protection_map[13] = PAGE_READONLY;
6822 - protection_map[14] = PAGE_SHARED;
6823 -diff -urNp linux-2.6.32.46/arch/sparc/mm/srmmu.c linux-2.6.32.46/arch/sparc/mm/srmmu.c
6824 ---- linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-03-27 14:31:47.000000000 -0400
6825 -+++ linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-04-17 15:56:46.000000000 -0400
6826 -@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6827 - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6828 - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6829 - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6830 -+
6831 -+#ifdef CONFIG_PAX_PAGEEXEC
6832 -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6833 -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6834 -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6835 -+#endif
6836 -+
6837 - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6838 - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6839 -
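Review bot: PAGE_SHARED_NOEXEC is assigned here only under `#ifdef CONFIG_PAX_PAGEEXEC`, while the init_32.c hunks define and export the variable and store it in protection_map[10] and protection_map[11] with no such guard. Please confirm what those two entries hold when the option is off (a header fallback that maps the name to PAGE_SHARED would not be visible in these hunks), or guard the init_32.c lines the same way so the two files cannot drift apart.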
6840 -diff -urNp linux-2.6.32.46/arch/um/include/asm/kmap_types.h linux-2.6.32.46/arch/um/include/asm/kmap_types.h
6841 ---- linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
6842 -+++ linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
6843 -@@ -23,6 +23,7 @@ enum km_type {
6844 - KM_IRQ1,
6845 - KM_SOFTIRQ0,
6846 - KM_SOFTIRQ1,
6847 -+ KM_CLEARPAGE,
6848 - KM_TYPE_NR
6849 - };
6850 -
6851 -diff -urNp linux-2.6.32.46/arch/um/include/asm/page.h linux-2.6.32.46/arch/um/include/asm/page.h
6852 ---- linux-2.6.32.46/arch/um/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
6853 -+++ linux-2.6.32.46/arch/um/include/asm/page.h 2011-04-17 15:56:46.000000000 -0400
6854 -@@ -14,6 +14,9 @@
6855 - #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6856 - #define PAGE_MASK (~(PAGE_SIZE-1))
6857 -
6858 -+#define ktla_ktva(addr) (addr)
6859 -+#define ktva_ktla(addr) (addr)
6860 -+
6861 - #ifndef __ASSEMBLY__
6862 -
6863 - struct page;
6864 -diff -urNp linux-2.6.32.46/arch/um/kernel/process.c linux-2.6.32.46/arch/um/kernel/process.c
6865 ---- linux-2.6.32.46/arch/um/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
6866 -+++ linux-2.6.32.46/arch/um/kernel/process.c 2011-04-17 15:56:46.000000000 -0400
6867 -@@ -393,22 +393,6 @@ int singlestepping(void * t)
6868 - return 2;
6869 - }
6870 -
6871 --/*
6872 -- * Only x86 and x86_64 have an arch_align_stack().
6873 -- * All other arches have "#define arch_align_stack(x) (x)"
6874 -- * in their asm/system.h
6875 -- * As this is included in UML from asm-um/system-generic.h,
6876 -- * we can use it to behave as the subarch does.
6877 -- */
6878 --#ifndef arch_align_stack
6879 --unsigned long arch_align_stack(unsigned long sp)
6880 --{
6881 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6882 -- sp -= get_random_int() % 8192;
6883 -- return sp & ~0xf;
6884 --}
6885 --#endif
6886 --
6887 - unsigned long get_wchan(struct task_struct *p)
6888 - {
6889 - unsigned long stack_page, sp, ip;
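Review bot: This removes the `#ifndef arch_align_stack` fallback, which is where UML got its stack randomization (`sp -= get_random_int() % 8192`) and its ADDR_NO_RANDOMIZE / randomize_va_space checks, and nothing in the hunk replaces it. Please point to the definition UML is expected to pick up instead, and confirm that it still honours both checks; otherwise UML either fails to link or silently loses the randomization.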
6890 -diff -urNp linux-2.6.32.46/arch/um/sys-i386/syscalls.c linux-2.6.32.46/arch/um/sys-i386/syscalls.c
6891 ---- linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-03-27 14:31:47.000000000 -0400
6892 -+++ linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-04-17 15:56:46.000000000 -0400
6893 -@@ -11,6 +11,21 @@
6894 - #include "asm/uaccess.h"
6895 - #include "asm/unistd.h"
6896 -
6897 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6898 -+{
6899 -+ unsigned long pax_task_size = TASK_SIZE;
6900 -+
6901 -+#ifdef CONFIG_PAX_SEGMEXEC
6902 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6903 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
6904 -+#endif
6905 -+
6906 -+ if (len > pax_task_size || addr > pax_task_size - len)
6907 -+ return -EINVAL;
6908 -+
6909 -+ return 0;
6910 -+}
6911 -+
6912 - /*
6913 - * Perform the select(nd, in, out, ex, tv) and mmap() system
6914 - * calls. Linux/i386 didn't use to be able to handle more than
6915 -diff -urNp linux-2.6.32.46/arch/x86/Kconfig linux-2.6.32.46/arch/x86/Kconfig
6916 ---- linux-2.6.32.46/arch/x86/Kconfig 2011-03-27 14:31:47.000000000 -0400
6917 -+++ linux-2.6.32.46/arch/x86/Kconfig 2011-10-07 08:11:49.000000000 -0400
6918 -@@ -223,7 +223,7 @@ config X86_TRAMPOLINE
6919 -
6920 - config X86_32_LAZY_GS
6921 - def_bool y
6922 -- depends on X86_32 && !CC_STACKPROTECTOR
6923 -+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
6924 -
6925 - config KTIME_SCALAR
6926 - def_bool X86_32
6927 -@@ -1008,7 +1008,7 @@ choice
6928 -
6929 - config NOHIGHMEM
6930 - bool "off"
6931 -- depends on !X86_NUMAQ
6932 -+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
6933 - ---help---
6934 - Linux can use up to 64 Gigabytes of physical memory on x86 systems.
6935 - However, the address space of 32-bit x86 processors is only 4
6936 -@@ -1045,7 +1045,7 @@ config NOHIGHMEM
6937 -
6938 - config HIGHMEM4G
6939 - bool "4GB"
6940 -- depends on !X86_NUMAQ
6941 -+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
6942 - ---help---
6943 - Select this if you have a 32-bit processor and between 1 and 4
6944 - gigabytes of physical RAM.
6945 -@@ -1099,7 +1099,7 @@ config PAGE_OFFSET
6946 - hex
6947 - default 0xB0000000 if VMSPLIT_3G_OPT
6948 - default 0x80000000 if VMSPLIT_2G
6949 -- default 0x78000000 if VMSPLIT_2G_OPT
6950 -+ default 0x70000000 if VMSPLIT_2G_OPT
6951 - default 0x40000000 if VMSPLIT_1G
6952 - default 0xC0000000
6953 - depends on X86_32
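Review bot: The VMSPLIT_2G_OPT default moves from 0x78000000 to 0x70000000 with no PAX_* condition attached, so the user/kernel split changes for every configuration that selects this option, including kernels built with all PaX features off. If the new value is required by a particular feature, make it conditional (`default 0x70000000 if VMSPLIT_2G_OPT && ...`) and keep the old default otherwise; if it is meant to be unconditional, the reason should be stated next to the line.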
6954 -@@ -1460,6 +1460,7 @@ config SECCOMP
6955 -
6956 - config CC_STACKPROTECTOR
6957 - bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
6958 -+ depends on X86_64 || !PAX_MEMORY_UDEREF
6959 - ---help---
6960 - This option turns on the -fstack-protector GCC feature. This
6961 - feature puts, at the beginning of functions, a canary value on
6962 -@@ -1517,6 +1518,7 @@ config KEXEC_JUMP
6963 - config PHYSICAL_START
6964 - hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
6965 - default "0x1000000"
6966 -+ range 0x400000 0x40000000
6967 - ---help---
6968 - This gives the physical address where the kernel is loaded.
6969 -
6970 -@@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
6971 - hex
6972 - prompt "Alignment value to which kernel should be aligned" if X86_32
6973 - default "0x1000000"
6974 -+ range 0x400000 0x1000000 if PAX_KERNEXEC
6975 - range 0x2000 0x1000000
6976 - ---help---
6977 - This value puts the alignment restrictions on physical address
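Review bot: The new `range 0x400000 0x1000000 if PAX_KERNEXEC` only takes effect because it is placed above the unconditional `range 0x2000 0x1000000`; Kconfig applies the first range whose condition holds. A comment saying the order is significant would keep someone from sorting or merging the two lines later and silently dropping the 4 MB minimum alignment under KERNEXEC.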
6978 -@@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
6979 - Say N if you want to disable CPU hotplug.
6980 -
6981 - config COMPAT_VDSO
6982 -- def_bool y
6983 -+ def_bool n
6984 - prompt "Compat VDSO support"
6985 - depends on X86_32 || IA32_EMULATION
6986 -+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
6987 - ---help---
6988 - Map the 32-bit VDSO to the predictable old-style address too.
6989 - ---help---
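Review bot: Changing `def_bool y` to `def_bool n` flips the COMPAT_VDSO default for everyone, not just for PaX configurations, while the added `depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF` already removes the option where it conflicts. Turning off the fixed-address vDSO mapping by default is a reasonable hardening choice, but it is a behaviour change for old userland that the hunk does not explain. Either state that in the help text or keep the default tied to the PaX options.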
6990 -diff -urNp linux-2.6.32.46/arch/x86/Kconfig.cpu linux-2.6.32.46/arch/x86/Kconfig.cpu
6991 ---- linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-03-27 14:31:47.000000000 -0400
6992 -+++ linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-04-17 15:56:46.000000000 -0400
6993 -@@ -340,7 +340,7 @@ config X86_PPRO_FENCE
6994 -
6995 - config X86_F00F_BUG
6996 - def_bool y
6997 -- depends on M586MMX || M586TSC || M586 || M486 || M386
6998 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
6999 -
7000 - config X86_WP_WORKS_OK
7001 - def_bool y
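Review bot: Adding `&& !PAX_KERNEXEC` to X86_F00F_BUG turns the F00F workaround off on exactly the CPU families it exists for (M586MMX, M586TSC, M586, M486, M386) whenever KERNEXEC is selected. If the two cannot coexist, it would be safer to express that the other way round, by making PAX_KERNEXEC unavailable for those CPU choices, so that a hardening option never removes an erratum workaround without the user seeing it. At minimum the trade-off belongs in the KERNEXEC help text.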
7002 -@@ -360,7 +360,7 @@ config X86_POPAD_OK
7003 -
7004 - config X86_ALIGNMENT_16
7005 - def_bool y
7006 -- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
7007 -+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
7008 -
7009 - config X86_INTEL_USERCOPY
7010 - def_bool y
7011 -@@ -406,7 +406,7 @@ config X86_CMPXCHG64
7012 - # generates cmov.
7013 - config X86_CMOV
7014 - def_bool y
7015 -- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
7016 -+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
7017 -
7018 - config X86_MINIMUM_CPU_FAMILY
7019 - int
7020 -diff -urNp linux-2.6.32.46/arch/x86/Kconfig.debug linux-2.6.32.46/arch/x86/Kconfig.debug
7021 ---- linux-2.6.32.46/arch/x86/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
7022 -+++ linux-2.6.32.46/arch/x86/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
7023 -@@ -99,7 +99,7 @@ config X86_PTDUMP
7024 - config DEBUG_RODATA
7025 - bool "Write protect kernel read-only data structures"
7026 - default y
7027 -- depends on DEBUG_KERNEL
7028 -+ depends on DEBUG_KERNEL && BROKEN
7029 - ---help---
7030 - Mark the kernel read-only data as write-protected in the pagetables,
7031 - in order to catch accidental (and incorrect) writes to such const
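Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable in every configuration, although the option is `default y` and the added condition names no PAX_* symbol. A kernel built from this tree without the PaX feature that is presumably meant to replace it loses write protection of read-only data with no hint why. Please make the dependency conditional on that feature (for example `!PAX_KERNEXEC`, if that is the conflict) rather than using BROKEN, or document the reason in the help text.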
7032 -diff -urNp linux-2.6.32.46/arch/x86/Makefile linux-2.6.32.46/arch/x86/Makefile
7033 ---- linux-2.6.32.46/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
7034 -+++ linux-2.6.32.46/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -0400
7035 -@@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
7036 - else
7037 - BITS := 64
7038 - UTS_MACHINE := x86_64
7039 -+ biarch := $(call cc-option,-m64)
7040 - CHECKFLAGS += -D__x86_64__ -m64
7041 -
7042 - KBUILD_AFLAGS += -m64
7043 -@@ -189,3 +190,12 @@ define archhelp
7044 - echo ' FDARGS="..." arguments for the booted kernel'
7045 - echo ' FDINITRD=file initrd for the booted kernel'
7046 - endef
7047 -+
7048 -+define OLD_LD
7049 -+
7050 -+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
7051 -+*** Please upgrade your binutils to 2.18 or newer
7052 -+endef
7053 -+
7054 -+archprepare:
7055 -+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
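Review bot: The archprepare check tests whether LDFLAGS_BUILD_ID is empty, but the OLD_LD message tells the user to upgrade binutils to 2.18 or newer. Anyone whose variable is empty for a different reason gets a misleading instruction. The message should name what was actually tested (linker support for build IDs), or the check should test the linker version it talks about.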
7056 -diff -urNp linux-2.6.32.46/arch/x86/boot/Makefile linux-2.6.32.46/arch/x86/boot/Makefile
7057 ---- linux-2.6.32.46/arch/x86/boot/Makefile 2011-03-27 14:31:47.000000000 -0400
7058 -+++ linux-2.6.32.46/arch/x86/boot/Makefile 2011-08-07 14:38:13.000000000 -0400
7059 -@@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
7060 - $(call cc-option, -fno-stack-protector) \
7061 - $(call cc-option, -mpreferred-stack-boundary=2)
7062 - KBUILD_CFLAGS += $(call cc-option, -m32)
7063 -+ifdef CONSTIFY_PLUGIN
7064 -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
7065 -+endif
7066 - KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
7067 - GCOV_PROFILE := n
7068 -
7069 -diff -urNp linux-2.6.32.46/arch/x86/boot/bitops.h linux-2.6.32.46/arch/x86/boot/bitops.h
7070 ---- linux-2.6.32.46/arch/x86/boot/bitops.h 2011-03-27 14:31:47.000000000 -0400
7071 -+++ linux-2.6.32.46/arch/x86/boot/bitops.h 2011-04-17 15:56:46.000000000 -0400
7072 -@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7073 - u8 v;
7074 - const u32 *p = (const u32 *)addr;
7075 -
7076 -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7077 -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7078 - return v;
7079 - }
7080 -
7081 -@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7082 -
7083 - static inline void set_bit(int nr, void *addr)
7084 - {
7085 -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7086 -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7087 - }
7088 -
7089 - #endif /* BOOT_BITOPS_H */
7090 -diff -urNp linux-2.6.32.46/arch/x86/boot/boot.h linux-2.6.32.46/arch/x86/boot/boot.h
7091 ---- linux-2.6.32.46/arch/x86/boot/boot.h 2011-03-27 14:31:47.000000000 -0400
7092 -+++ linux-2.6.32.46/arch/x86/boot/boot.h 2011-04-17 15:56:46.000000000 -0400
7093 -@@ -82,7 +82,7 @@ static inline void io_delay(void)
7094 - static inline u16 ds(void)
7095 - {
7096 - u16 seg;
7097 -- asm("movw %%ds,%0" : "=rm" (seg));
7098 -+ asm volatile("movw %%ds,%0" : "=rm" (seg));
7099 - return seg;
7100 - }
7101 -
7102 -@@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
7103 - static inline int memcmp(const void *s1, const void *s2, size_t len)
7104 - {
7105 - u8 diff;
7106 -- asm("repe; cmpsb; setnz %0"
7107 -+ asm volatile("repe; cmpsb; setnz %0"
7108 - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7109 - return diff;
7110 - }
7111 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/Makefile linux-2.6.32.46/arch/x86/boot/compressed/Makefile
7112 ---- linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-03-27 14:31:47.000000000 -0400
7113 -+++ linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-08-07 14:38:34.000000000 -0400
7114 -@@ -13,6 +13,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
7115 - KBUILD_CFLAGS += $(cflags-y)
7116 - KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
7117 - KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
7118 -+ifdef CONSTIFY_PLUGIN
7119 -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
7120 -+endif
7121 -
7122 - KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
7123 - GCOV_PROFILE := n
7124 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_32.S linux-2.6.32.46/arch/x86/boot/compressed/head_32.S
7125 ---- linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-03-27 14:31:47.000000000 -0400
7126 -+++ linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-04-17 15:56:46.000000000 -0400
7127 -@@ -76,7 +76,7 @@ ENTRY(startup_32)
7128 - notl %eax
7129 - andl %eax, %ebx
7130 - #else
7131 -- movl $LOAD_PHYSICAL_ADDR, %ebx
7132 -+ movl $____LOAD_PHYSICAL_ADDR, %ebx
7133 - #endif
7134 -
7135 - /* Target address to relocate to for decompression */
7136 -@@ -149,7 +149,7 @@ relocated:
7137 - * and where it was actually loaded.
7138 - */
7139 - movl %ebp, %ebx
7140 -- subl $LOAD_PHYSICAL_ADDR, %ebx
7141 -+ subl $____LOAD_PHYSICAL_ADDR, %ebx
7142 - jz 2f /* Nothing to be done if loaded at compiled addr. */
7143 - /*
7144 - * Process relocations.
7145 -@@ -157,8 +157,7 @@ relocated:
7146 -
7147 - 1: subl $4, %edi
7148 - movl (%edi), %ecx
7149 -- testl %ecx, %ecx
7150 -- jz 2f
7151 -+ jecxz 2f
7152 - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7153 - jmp 1b
7154 - 2:
7155 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_64.S linux-2.6.32.46/arch/x86/boot/compressed/head_64.S
7156 ---- linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-03-27 14:31:47.000000000 -0400
7157 -+++ linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-07-01 18:53:00.000000000 -0400
7158 -@@ -91,7 +91,7 @@ ENTRY(startup_32)
7159 - notl %eax
7160 - andl %eax, %ebx
7161 - #else
7162 -- movl $LOAD_PHYSICAL_ADDR, %ebx
7163 -+ movl $____LOAD_PHYSICAL_ADDR, %ebx
7164 - #endif
7165 -
7166 - /* Target address to relocate to for decompression */
7167 -@@ -183,7 +183,7 @@ no_longmode:
7168 - hlt
7169 - jmp 1b
7170 -
7171 --#include "../../kernel/verify_cpu_64.S"
7172 -+#include "../../kernel/verify_cpu.S"
7173 -
7174 - /*
7175 - * Be careful here startup_64 needs to be at a predictable
7176 -@@ -234,7 +234,7 @@ ENTRY(startup_64)
7177 - notq %rax
7178 - andq %rax, %rbp
7179 - #else
7180 -- movq $LOAD_PHYSICAL_ADDR, %rbp
7181 -+ movq $____LOAD_PHYSICAL_ADDR, %rbp
7182 - #endif
7183 -
7184 - /* Target address to relocate to for decompression */
7185 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/misc.c linux-2.6.32.46/arch/x86/boot/compressed/misc.c
7186 ---- linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-03-27 14:31:47.000000000 -0400
7187 -+++ linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-04-17 15:56:46.000000000 -0400
7188 -@@ -288,7 +288,7 @@ static void parse_elf(void *output)
7189 - case PT_LOAD:
7190 - #ifdef CONFIG_RELOCATABLE
7191 - dest = output;
7192 -- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7193 -+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7194 - #else
7195 - dest = (void *)(phdr->p_paddr);
7196 - #endif
7197 -@@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
7198 - error("Destination address too large");
7199 - #endif
7200 - #ifndef CONFIG_RELOCATABLE
7201 -- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7202 -+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7203 - error("Wrong destination address");
7204 - #endif
7205 -
7206 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c
7207 ---- linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-03-27 14:31:47.000000000 -0400
7208 -+++ linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-04-17 15:56:46.000000000 -0400
7209 -@@ -74,7 +74,7 @@ int main(int argc, char *argv[])
7210 -
7211 - offs = (olen > ilen) ? olen - ilen : 0;
7212 - offs += olen >> 12; /* Add 8 bytes for each 32K block */
7213 -- offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
7214 -+ offs += 64*1024; /* Add 64K bytes slack */
7215 - offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
7216 -
7217 - printf(".section \".rodata.compressed\",\"a\",@progbits\n");
7218 -diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/relocs.c linux-2.6.32.46/arch/x86/boot/compressed/relocs.c
7219 ---- linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-03-27 14:31:47.000000000 -0400
7220 -+++ linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-04-17 15:56:46.000000000 -0400
7221 -@@ -10,8 +10,11 @@
7222 - #define USE_BSD
7223 - #include <endian.h>
7224 -
7225 -+#include "../../../../include/linux/autoconf.h"
7226 -+
7227 - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7228 - static Elf32_Ehdr ehdr;
7229 -+static Elf32_Phdr *phdr;
7230 - static unsigned long reloc_count, reloc_idx;
7231 - static unsigned long *relocs;
7232 -
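Review bot: the added `#include "../../../../include/linux/autoconf.h"` hard-codes a path relative to this source file, so the host tool only builds when the generated config header sits at that location in the source tree. Suggest passing the header's directory through the build's include flags and including it by name. The hunk also should say which config symbols relocs.c now depends on (`CONFIG_PAGE_OFFSET` and the `CONFIG_PAX_KERNEXEC` test appear further down).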
7233 -@@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
7234 -
7235 - static int is_safe_abs_reloc(const char* sym_name)
7236 - {
7237 -- int i;
7238 -+ unsigned int i;
7239 -
7240 - for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
7241 - if (!strcmp(sym_name, safe_abs_relocs[i]))
7242 -@@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
7243 - }
7244 - }
7245 -
7246 -+static void read_phdrs(FILE *fp)
7247 -+{
7248 -+ unsigned int i;
7249 -+
7250 -+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7251 -+ if (!phdr) {
7252 -+ die("Unable to allocate %d program headers\n",
7253 -+ ehdr.e_phnum);
7254 -+ }
7255 -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7256 -+ die("Seek to %d failed: %s\n",
7257 -+ ehdr.e_phoff, strerror(errno));
7258 -+ }
7259 -+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7260 -+ die("Cannot read ELF program headers: %s\n",
7261 -+ strerror(errno));
7262 -+ }
7263 -+ for(i = 0; i < ehdr.e_phnum; i++) {
7264 -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7265 -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7266 -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7267 -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7268 -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7269 -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7270 -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7271 -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7272 -+ }
7273 -+
7274 -+}
7275 -+
7276 - static void read_shdrs(FILE *fp)
7277 - {
7278 -- int i;
7279 -+ unsigned int i;
7280 - Elf32_Shdr shdr;
7281 -
7282 - secs = calloc(ehdr.e_shnum, sizeof(struct section));
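Review bot: in the new `read_phdrs()`, the `fread` failure path reports `strerror(errno)`, but a short read on a truncated file does not have to set `errno`, so the message can show a stale or misleading error. Suggest distinguishing `feof(fp)` from `ferror(fp)` before calling `die()`. Two smaller points in the same function: `ehdr.e_phoff` is an unsigned 32-bit ELF offset but is printed with `%d`, and there is a stray blank line before the closing brace.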
7283 -@@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
7284 -
7285 - static void read_strtabs(FILE *fp)
7286 - {
7287 -- int i;
7288 -+ unsigned int i;
7289 - for (i = 0; i < ehdr.e_shnum; i++) {
7290 - struct section *sec = &secs[i];
7291 - if (sec->shdr.sh_type != SHT_STRTAB) {
7292 -@@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
7293 -
7294 - static void read_symtabs(FILE *fp)
7295 - {
7296 -- int i,j;
7297 -+ unsigned int i,j;
7298 - for (i = 0; i < ehdr.e_shnum; i++) {
7299 - struct section *sec = &secs[i];
7300 - if (sec->shdr.sh_type != SHT_SYMTAB) {
7301 -@@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
7302 -
7303 - static void read_relocs(FILE *fp)
7304 - {
7305 -- int i,j;
7306 -+ unsigned int i,j;
7307 -+ uint32_t base;
7308 -+
7309 - for (i = 0; i < ehdr.e_shnum; i++) {
7310 - struct section *sec = &secs[i];
7311 - if (sec->shdr.sh_type != SHT_REL) {
7312 -@@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
7313 - die("Cannot read symbol table: %s\n",
7314 - strerror(errno));
7315 - }
7316 -+ base = 0;
7317 -+ for (j = 0; j < ehdr.e_phnum; j++) {
7318 -+ if (phdr[j].p_type != PT_LOAD )
7319 -+ continue;
7320 -+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7321 -+ continue;
7322 -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7323 -+ break;
7324 -+ }
7325 - for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7326 - Elf32_Rel *rel = &sec->reltab[j];
7327 -- rel->r_offset = elf32_to_cpu(rel->r_offset);
7328 -+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
7329 - rel->r_info = elf32_to_cpu(rel->r_info);
7330 - }
7331 - }
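Review bot: the `base` lookup added to `read_relocs()` falls through silently when no `PT_LOAD` segment contains the target section, leaving `base = 0` and every `r_offset` in that section unadjusted with no diagnostic. Suggest calling `die()` (or at least warning) when the loop ends without a match. The lookup also indexes `secs[sec->shdr.sh_info]` without checking `sh_info` against `ehdr.e_shnum`, and the containment test is long enough that hoisting `secs[sec->shdr.sh_info].shdr.sh_offset` into a local would make it readable.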
7332 -@@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
7333 -
7334 - static void print_absolute_symbols(void)
7335 - {
7336 -- int i;
7337 -+ unsigned int i;
7338 - printf("Absolute symbols\n");
7339 - printf(" Num: Value Size Type Bind Visibility Name\n");
7340 - for (i = 0; i < ehdr.e_shnum; i++) {
7341 - struct section *sec = &secs[i];
7342 - char *sym_strtab;
7343 - Elf32_Sym *sh_symtab;
7344 -- int j;
7345 -+ unsigned int j;
7346 -
7347 - if (sec->shdr.sh_type != SHT_SYMTAB) {
7348 - continue;
7349 -@@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
7350 -
7351 - static void print_absolute_relocs(void)
7352 - {
7353 -- int i, printed = 0;
7354 -+ unsigned int i, printed = 0;
7355 -
7356 - for (i = 0; i < ehdr.e_shnum; i++) {
7357 - struct section *sec = &secs[i];
7358 - struct section *sec_applies, *sec_symtab;
7359 - char *sym_strtab;
7360 - Elf32_Sym *sh_symtab;
7361 -- int j;
7362 -+ unsigned int j;
7363 - if (sec->shdr.sh_type != SHT_REL) {
7364 - continue;
7365 - }
7366 -@@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
7367 -
7368 - static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
7369 - {
7370 -- int i;
7371 -+ unsigned int i;
7372 - /* Walk through the relocations */
7373 - for (i = 0; i < ehdr.e_shnum; i++) {
7374 - char *sym_strtab;
7375 - Elf32_Sym *sh_symtab;
7376 - struct section *sec_applies, *sec_symtab;
7377 -- int j;
7378 -+ unsigned int j;
7379 - struct section *sec = &secs[i];
7380 -
7381 - if (sec->shdr.sh_type != SHT_REL) {
7382 -@@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
7383 - if (sym->st_shndx == SHN_ABS) {
7384 - continue;
7385 - }
7386 -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
7387 -+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
7388 -+ continue;
7389 -+
7390 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
7391 -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
7392 -+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
7393 -+ continue;
7394 -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
7395 -+ continue;
7396 -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
7397 -+ continue;
7398 -+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
7399 -+ continue;
7400 -+#endif
7401 - if (r_type == R_386_NONE || r_type == R_386_PC32) {
7402 - /*
7403 - * NONE can be ignored and and PC relative
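Review bot: the skip rules added to `walk_relocs()` mix `!strcmp` and `strcmp` on the symbol name, so `.module.text` skips only `_etext` while `.text` and `.data.percpu` skip everything except one named symbol, and the comments do not explain either exception. Suggest one line per rule stating why `__per_cpu_load`, `_etext` and `__LOAD_PHYSICAL_ADDR` are treated differently. `sec_name(sym->st_shndx)` is also evaluated up to five times per relocation; looking it up once into a local would shorten the conditions.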
7404 -@@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
7405 -
7406 - static void emit_relocs(int as_text)
7407 - {
7408 -- int i;
7409 -+ unsigned int i;
7410 - /* Count how many relocations I have and allocate space for them. */
7411 - reloc_count = 0;
7412 - walk_relocs(count_reloc);
7413 -@@ -634,6 +693,7 @@ int main(int argc, char **argv)
7414 - fname, strerror(errno));
7415 - }
7416 - read_ehdr(fp);
7417 -+ read_phdrs(fp);
7418 - read_shdrs(fp);
7419 - read_strtabs(fp);
7420 - read_symtabs(fp);
7421 -diff -urNp linux-2.6.32.46/arch/x86/boot/cpucheck.c linux-2.6.32.46/arch/x86/boot/cpucheck.c
7422 ---- linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-03-27 14:31:47.000000000 -0400
7423 -+++ linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-04-17 15:56:46.000000000 -0400
7424 -@@ -74,7 +74,7 @@ static int has_fpu(void)
7425 - u16 fcw = -1, fsw = -1;
7426 - u32 cr0;
7427 -
7428 -- asm("movl %%cr0,%0" : "=r" (cr0));
7429 -+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
7430 - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
7431 - cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
7432 - asm volatile("movl %0,%%cr0" : : "r" (cr0));
7433 -@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
7434 - {
7435 - u32 f0, f1;
7436 -
7437 -- asm("pushfl ; "
7438 -+ asm volatile("pushfl ; "
7439 - "pushfl ; "
7440 - "popl %0 ; "
7441 - "movl %0,%1 ; "
7442 -@@ -115,7 +115,7 @@ static void get_flags(void)
7443 - set_bit(X86_FEATURE_FPU, cpu.flags);
7444 -
7445 - if (has_eflag(X86_EFLAGS_ID)) {
7446 -- asm("cpuid"
7447 -+ asm volatile("cpuid"
7448 - : "=a" (max_intel_level),
7449 - "=b" (cpu_vendor[0]),
7450 - "=d" (cpu_vendor[1]),
7451 -@@ -124,7 +124,7 @@ static void get_flags(void)
7452 -
7453 - if (max_intel_level >= 0x00000001 &&
7454 - max_intel_level <= 0x0000ffff) {
7455 -- asm("cpuid"
7456 -+ asm volatile("cpuid"
7457 - : "=a" (tfms),
7458 - "=c" (cpu.flags[4]),
7459 - "=d" (cpu.flags[0])
7460 -@@ -136,7 +136,7 @@ static void get_flags(void)
7461 - cpu.model += ((tfms >> 16) & 0xf) << 4;
7462 - }
7463 -
7464 -- asm("cpuid"
7465 -+ asm volatile("cpuid"
7466 - : "=a" (max_amd_level)
7467 - : "a" (0x80000000)
7468 - : "ebx", "ecx", "edx");
7469 -@@ -144,7 +144,7 @@ static void get_flags(void)
7470 - if (max_amd_level >= 0x80000001 &&
7471 - max_amd_level <= 0x8000ffff) {
7472 - u32 eax = 0x80000001;
7473 -- asm("cpuid"
7474 -+ asm volatile("cpuid"
7475 - : "+a" (eax),
7476 - "=c" (cpu.flags[6]),
7477 - "=d" (cpu.flags[1])
7478 -@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
7479 - u32 ecx = MSR_K7_HWCR;
7480 - u32 eax, edx;
7481 -
7482 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7483 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7484 - eax &= ~(1 << 15);
7485 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7486 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7487 -
7488 - get_flags(); /* Make sure it really did something */
7489 - err = check_flags();
7490 -@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
7491 - u32 ecx = MSR_VIA_FCR;
7492 - u32 eax, edx;
7493 -
7494 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7495 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7496 - eax |= (1<<1)|(1<<7);
7497 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7498 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7499 -
7500 - set_bit(X86_FEATURE_CX8, cpu.flags);
7501 - err = check_flags();
7502 -@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
7503 - u32 eax, edx;
7504 - u32 level = 1;
7505 -
7506 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7507 -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
7508 -- asm("cpuid"
7509 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
7510 -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
7511 -+ asm volatile("cpuid"
7512 - : "+a" (level), "=d" (cpu.flags[0])
7513 - : : "ecx", "ebx");
7514 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7515 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
7516 -
7517 - err = check_flags();
7518 - }
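Review bot: in this hunk the `wrmsr` statements have no output operands, which GCC already treats as implicitly volatile, so the added qualifier only changes behaviour for the `rdmsr` and `cpuid` statements that do have outputs. If the intent is to stop the compiler from dropping or reordering the `rdmsr`/`wrmsr`/`cpuid`/`wrmsr` sequence, a short comment above the block saying so would keep a later cleanup from removing the qualifiers again.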
7519 -diff -urNp linux-2.6.32.46/arch/x86/boot/header.S linux-2.6.32.46/arch/x86/boot/header.S
7520 ---- linux-2.6.32.46/arch/x86/boot/header.S 2011-03-27 14:31:47.000000000 -0400
7521 -+++ linux-2.6.32.46/arch/x86/boot/header.S 2011-04-17 15:56:46.000000000 -0400
7522 -@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
7523 - # single linked list of
7524 - # struct setup_data
7525 -
7526 --pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
7527 -+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
7528 -
7529 - #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
7530 - #define VO_INIT_SIZE (VO__end - VO__text)
7531 -diff -urNp linux-2.6.32.46/arch/x86/boot/memory.c linux-2.6.32.46/arch/x86/boot/memory.c
7532 ---- linux-2.6.32.46/arch/x86/boot/memory.c 2011-03-27 14:31:47.000000000 -0400
7533 -+++ linux-2.6.32.46/arch/x86/boot/memory.c 2011-04-17 15:56:46.000000000 -0400
7534 -@@ -19,7 +19,7 @@
7535 -
7536 - static int detect_memory_e820(void)
7537 - {
7538 -- int count = 0;
7539 -+ unsigned int count = 0;
7540 - struct biosregs ireg, oreg;
7541 - struct e820entry *desc = boot_params.e820_map;
7542 - static struct e820entry buf; /* static so it is zeroed */
7543 -diff -urNp linux-2.6.32.46/arch/x86/boot/video-vesa.c linux-2.6.32.46/arch/x86/boot/video-vesa.c
7544 ---- linux-2.6.32.46/arch/x86/boot/video-vesa.c 2011-03-27 14:31:47.000000000 -0400
7545 -+++ linux-2.6.32.46/arch/x86/boot/video-vesa.c 2011-04-17 15:56:46.000000000 -0400
7546 -@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
7547 -
7548 - boot_params.screen_info.vesapm_seg = oreg.es;
7549 - boot_params.screen_info.vesapm_off = oreg.di;
7550 -+ boot_params.screen_info.vesapm_size = oreg.cx;
7551 - }
7552 -
7553 - /*
7554 -diff -urNp linux-2.6.32.46/arch/x86/boot/video.c linux-2.6.32.46/arch/x86/boot/video.c
7555 ---- linux-2.6.32.46/arch/x86/boot/video.c 2011-03-27 14:31:47.000000000 -0400
7556 -+++ linux-2.6.32.46/arch/x86/boot/video.c 2011-04-17 15:56:46.000000000 -0400
7557 -@@ -90,7 +90,7 @@ static void store_mode_params(void)
7558 - static unsigned int get_entry(void)
7559 - {
7560 - char entry_buf[4];
7561 -- int i, len = 0;
7562 -+ unsigned int i, len = 0;
7563 - int key;
7564 - unsigned int v;
7565 -
7566 -diff -urNp linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S
7567 ---- linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
7568 -+++ linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
7569 -@@ -8,6 +8,8 @@
7570 - * including this sentence is retained in full.
7571 - */
7572 -
7573 -+#include <asm/alternative-asm.h>
7574 -+
7575 - .extern crypto_ft_tab
7576 - .extern crypto_it_tab
7577 - .extern crypto_fl_tab
7578 -@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
7579 - je B192; \
7580 - leaq 32(r9),r9;
7581 -
7582 -+#define ret pax_force_retaddr; ret
7583 -+
7584 - #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
7585 - movq r1,r2; \
7586 - movq r3,r4; \
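Review bot: `#define ret pax_force_retaddr; ret` rewrites the `ret` mnemonic for everything after this line in the file, which hides the instrumentation from anyone reading the function bodies. The salsa20 and twofish hunks in the same patch insert `pax_force_retaddr` explicitly before each `ret`. Suggest doing the same here, or at minimum adding a comment at the `#define` explaining that every later `ret` in the file is instrumented and why the macro form was chosen.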
7587 -diff -urNp linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S
7588 ---- linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
7589 -+++ linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
7590 -@@ -1,3 +1,5 @@
7591 -+#include <asm/alternative-asm.h>
7592 -+
7593 - # enter ECRYPT_encrypt_bytes
7594 - .text
7595 - .p2align 5
7596 -@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
7597 - add %r11,%rsp
7598 - mov %rdi,%rax
7599 - mov %rsi,%rdx
7600 -+ pax_force_retaddr
7601 - ret
7602 - # bytesatleast65:
7603 - ._bytesatleast65:
7604 -@@ -891,6 +894,7 @@ ECRYPT_keysetup:
7605 - add %r11,%rsp
7606 - mov %rdi,%rax
7607 - mov %rsi,%rdx
7608 -+ pax_force_retaddr
7609 - ret
7610 - # enter ECRYPT_ivsetup
7611 - .text
7612 -@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
7613 - add %r11,%rsp
7614 - mov %rdi,%rax
7615 - mov %rsi,%rdx
7616 -+ pax_force_retaddr
7617 - ret
7618 -diff -urNp linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S
7619 ---- linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
7620 -+++ linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
7621 -@@ -21,6 +21,7 @@
7622 - .text
7623 -
7624 - #include <asm/asm-offsets.h>
7625 -+#include <asm/alternative-asm.h>
7626 -
7627 - #define a_offset 0
7628 - #define b_offset 4
7629 -@@ -269,6 +270,7 @@ twofish_enc_blk:
7630 -
7631 - popq R1
7632 - movq $1,%rax
7633 -+ pax_force_retaddr
7634 - ret
7635 -
7636 - twofish_dec_blk:
7637 -@@ -321,4 +323,5 @@ twofish_dec_blk:
7638 -
7639 - popq R1
7640 - movq $1,%rax
7641 -+ pax_force_retaddr
7642 - ret
7643 -diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_aout.c linux-2.6.32.46/arch/x86/ia32/ia32_aout.c
7644 ---- linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
7645 -+++ linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
7646 -@@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
7647 - unsigned long dump_start, dump_size;
7648 - struct user32 dump;
7649 -
7650 -+ memset(&dump, 0, sizeof(dump));
7651 -+
7652 - fs = get_fs();
7653 - set_fs(KERNEL_DS);
7654 - has_dumped = 1;
7655 -@@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
7656 - dump_size = dump.u_ssize << PAGE_SHIFT;
7657 - DUMP_WRITE(dump_start, dump_size);
7658 - }
7659 -- /*
7660 -- * Finally dump the task struct. Not be used by gdb, but
7661 -- * could be useful
7662 -- */
7663 -- set_fs(KERNEL_DS);
7664 -- DUMP_WRITE(current, sizeof(*current));
7665 - end_coredump:
7666 - set_fs(fs);
7667 - return has_dumped;
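Review bot: the deletion of `DUMP_WRITE(current, sizeof(*current));` carries no explanation, and the removed comment described the write as possibly useful. The reason for dropping it (a whole kernel `task_struct` being written into the core file) should be recorded, for example in a one-line comment above `end_coredump:`, alongside the `memset(&dump, 0, sizeof(dump));` added in the previous hunk, so that the two changes are understood as one information-leak fix and the write is not reinstated later.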
7668 -diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/ia32/ia32_signal.c
7669 ---- linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
7670 -+++ linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-10-06 09:37:08.000000000 -0400
7671 -@@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
7672 - }
7673 - seg = get_fs();
7674 - set_fs(KERNEL_DS);
7675 -- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
7676 -+ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
7677 - set_fs(seg);
7678 - if (ret >= 0 && uoss_ptr) {
7679 - if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
7680 -@@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
7681 - */
7682 - static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
7683 - size_t frame_size,
7684 -- void **fpstate)
7685 -+ void __user **fpstate)
7686 - {
7687 - unsigned long sp;
7688 -
7689 -@@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
7690 -
7691 - if (used_math()) {
7692 - sp = sp - sig_xstate_ia32_size;
7693 -- *fpstate = (struct _fpstate_ia32 *) sp;
7694 -+ *fpstate = (struct _fpstate_ia32 __user *) sp;
7695 - if (save_i387_xstate_ia32(*fpstate) < 0)
7696 - return (void __user *) -1L;
7697 - }
7698 -@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
7699 - sp -= frame_size;
7700 - /* Align the stack pointer according to the i386 ABI,
7701 - * i.e. so that on function entry ((sp + 4) & 15) == 0. */
7702 -- sp = ((sp + 4) & -16ul) - 4;
7703 -+ sp = ((sp - 12) & -16ul) - 4;
7704 - return (void __user *) sp;
7705 - }
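Review bot: the alignment line changes from `((sp + 4) & -16ul) - 4` to `((sp - 12) & -16ul) - 4` but the comment above it is untouched and does not explain the difference. Both forms satisfy `((sp + 4) & 15) == 0`; what changes is that the result is now always 16 to 31 bytes below the input instead of 0 to 15. Suggest stating in the comment why the extra 16 bytes are needed.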
7706 -
7707 -@@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
7708 - * These are actually not used anymore, but left because some
7709 - * gdb versions depend on them as a marker.
7710 - */
7711 -- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7712 -+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7713 - } put_user_catch(err);
7714 -
7715 - if (err)
7716 -@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
7717 - 0xb8,
7718 - __NR_ia32_rt_sigreturn,
7719 - 0x80cd,
7720 -- 0,
7721 -+ 0
7722 - };
7723 -
7724 - frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
7725 -@@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
7726 -
7727 - if (ka->sa.sa_flags & SA_RESTORER)
7728 - restorer = ka->sa.sa_restorer;
7729 -+ else if (current->mm->context.vdso)
7730 -+ /* Return stub is in 32bit vsyscall page */
7731 -+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
7732 - else
7733 -- restorer = VDSO32_SYMBOL(current->mm->context.vdso,
7734 -- rt_sigreturn);
7735 -+ restorer = &frame->retcode;
7736 - put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
7737 -
7738 - /*
7739 - * Not actually used anymore, but left because some gdb
7740 - * versions need it.
7741 - */
7742 -- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7743 -+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7744 - } put_user_catch(err);
7745 -
7746 - if (err)
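Review bot: the new fallback `restorer = &frame->retcode;` makes the on-stack return stub a live code path whenever `current->mm->context.vdso` is zero, yet the comment a few lines below still says the stub is "Not actually used anymore, but left because some gdb versions need it". Suggest updating that comment and documenting when the vdso can be absent. It is also worth stating in the hunk what is expected to happen on a non-executable stack, since the restorer then points into the signal frame.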
7747 -diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32entry.S linux-2.6.32.46/arch/x86/ia32/ia32entry.S
7748 ---- linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
7749 -+++ linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-08-25 17:42:18.000000000 -0400
7750 -@@ -13,6 +13,7 @@
7751 - #include <asm/thread_info.h>
7752 - #include <asm/segment.h>
7753 - #include <asm/irqflags.h>
7754 -+#include <asm/pgtable.h>
7755 - #include <linux/linkage.h>
7756 -
7757 - /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
7758 -@@ -93,6 +94,29 @@ ENTRY(native_irq_enable_sysexit)
7759 - ENDPROC(native_irq_enable_sysexit)
7760 - #endif
7761 -
7762 -+ .macro pax_enter_kernel_user
7763 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
7764 -+ call pax_enter_kernel_user
7765 -+#endif
7766 -+ .endm
7767 -+
7768 -+ .macro pax_exit_kernel_user
7769 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
7770 -+ call pax_exit_kernel_user
7771 -+#endif
7772 -+#ifdef CONFIG_PAX_RANDKSTACK
7773 -+ pushq %rax
7774 -+ call pax_randomize_kstack
7775 -+ popq %rax
7776 -+#endif
7777 -+ .endm
7778 -+
7779 -+.macro pax_erase_kstack
7780 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
7781 -+ call pax_erase_kstack
7782 -+#endif
7783 -+.endm
7784 -+
7785 - /*
7786 - * 32bit SYSENTER instruction entry.
7787 - *
7788 -@@ -119,7 +143,7 @@ ENTRY(ia32_sysenter_target)
7789 - CFI_REGISTER rsp,rbp
7790 - SWAPGS_UNSAFE_STACK
7791 - movq PER_CPU_VAR(kernel_stack), %rsp
7792 -- addq $(KERNEL_STACK_OFFSET),%rsp
7793 -+ pax_enter_kernel_user
7794 - /*
7795 - * No need to follow this irqs on/off section: the syscall
7796 - * disabled irqs, here we enable it straight after entry:
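Review bot: `addq $(KERNEL_STACK_OFFSET),%rsp` is removed unconditionally, but the `pax_enter_kernel_user` macro that replaces it expands to nothing unless `CONFIG_PAX_MEMORY_UDEREF` is set. The hunk therefore depends on `kernel_stack` no longer needing the offset, which is not visible here. Suggest a comment at this site pointing to where that per-cpu value is redefined, so the two changes are reviewed together.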
7797 -@@ -135,7 +159,8 @@ ENTRY(ia32_sysenter_target)
7798 - pushfq
7799 - CFI_ADJUST_CFA_OFFSET 8
7800 - /*CFI_REL_OFFSET rflags,0*/
7801 -- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
7802 -+ GET_THREAD_INFO(%r10)
7803 -+ movl TI_sysenter_return(%r10), %r10d
7804 - CFI_REGISTER rip,r10
7805 - pushq $__USER32_CS
7806 - CFI_ADJUST_CFA_OFFSET 8
7807 -@@ -150,6 +175,12 @@ ENTRY(ia32_sysenter_target)
7808 - SAVE_ARGS 0,0,1
7809 - /* no need to do an access_ok check here because rbp has been
7810 - 32bit zero extended */
7811 -+
7812 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
7813 -+ mov $PAX_USER_SHADOW_BASE,%r10
7814 -+ add %r10,%rbp
7815 -+#endif
7816 -+
7817 - 1: movl (%rbp),%ebp
7818 - .section __ex_table,"a"
7819 - .quad 1b,ia32_badarg
7820 -@@ -172,6 +203,8 @@ sysenter_dispatch:
7821 - testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
7822 - jnz sysexit_audit
7823 - sysexit_from_sys_call:
7824 -+ pax_exit_kernel_user
7825 -+ pax_erase_kstack
7826 - andl $~TS_COMPAT,TI_status(%r10)
7827 - /* clear IF, that popfq doesn't enable interrupts early */
7828 - andl $~0x200,EFLAGS-R11(%rsp)
7829 -@@ -200,6 +233,9 @@ sysexit_from_sys_call:
7830 - movl %eax,%esi /* 2nd arg: syscall number */
7831 - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
7832 - call audit_syscall_entry
7833 -+
7834 -+ pax_erase_kstack
7835 -+
7836 - movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
7837 - cmpq $(IA32_NR_syscalls-1),%rax
7838 - ja ia32_badsys
7839 -@@ -252,6 +288,9 @@ sysenter_tracesys:
7840 - movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
7841 - movq %rsp,%rdi /* &pt_regs -> arg1 */
7842 - call syscall_trace_enter
7843 -+
7844 -+ pax_erase_kstack
7845 -+
7846 - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
7847 - RESTORE_REST
7848 - cmpq $(IA32_NR_syscalls-1),%rax
7849 -@@ -283,19 +322,24 @@ ENDPROC(ia32_sysenter_target)
7850 - ENTRY(ia32_cstar_target)
7851 - CFI_STARTPROC32 simple
7852 - CFI_SIGNAL_FRAME
7853 -- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
7854 -+ CFI_DEF_CFA rsp,0
7855 - CFI_REGISTER rip,rcx
7856 - /*CFI_REGISTER rflags,r11*/
7857 - SWAPGS_UNSAFE_STACK
7858 - movl %esp,%r8d
7859 - CFI_REGISTER rsp,r8
7860 - movq PER_CPU_VAR(kernel_stack),%rsp
7861 -+
7862 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
7863 -+ pax_enter_kernel_user
7864 -+#endif
7865 -+
7866 - /*
7867 - * No need to follow this irqs on/off section: the syscall
7868 - * disabled irqs and here we enable it straight after entry:
7869 - */
7870 - ENABLE_INTERRUPTS(CLBR_NONE)
7871 -- SAVE_ARGS 8,1,1
7872 -+ SAVE_ARGS 8*6,1,1
7873 - movl %eax,%eax /* zero extension */
7874 - movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
7875 - movq %rcx,RIP-ARGOFFSET(%rsp)
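Review bot: in `ia32_cstar_target` the `pax_enter_kernel_user` invocation is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, although the macro defined earlier in this file already contains that same guard, and the `ia32_sysenter_target` and `ia32_syscall` call sites use it bare. Suggest dropping the outer `#ifdef` for consistency. The change from `SAVE_ARGS 8,1,1` to `SAVE_ARGS 8*6,1,1` and from `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` to `rsp,0` also needs a comment tying the new offset to the stack layout it assumes.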
7876 -@@ -311,6 +355,12 @@ ENTRY(ia32_cstar_target)
7877 - /* no need to do an access_ok check here because r8 has been
7878 - 32bit zero extended */
7879 - /* hardware stack frame is complete now */
7880 -+
7881 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
7882 -+ mov $PAX_USER_SHADOW_BASE,%r10
7883 -+ add %r10,%r8
7884 -+#endif
7885 -+
7886 - 1: movl (%r8),%r9d
7887 - .section __ex_table,"a"
7888 - .quad 1b,ia32_badarg
7889 -@@ -333,6 +383,8 @@ cstar_dispatch:
7890 - testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
7891 - jnz sysretl_audit
7892 - sysretl_from_sys_call:
7893 -+ pax_exit_kernel_user
7894 -+ pax_erase_kstack
7895 - andl $~TS_COMPAT,TI_status(%r10)
7896 - RESTORE_ARGS 1,-ARG_SKIP,1,1,1
7897 - movl RIP-ARGOFFSET(%rsp),%ecx
7898 -@@ -370,6 +422,9 @@ cstar_tracesys:
7899 - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7900 - movq %rsp,%rdi /* &pt_regs -> arg1 */
7901 - call syscall_trace_enter
7902 -+
7903 -+ pax_erase_kstack
7904 -+
7905 - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
7906 - RESTORE_REST
7907 - xchgl %ebp,%r9d
7908 -@@ -415,6 +470,7 @@ ENTRY(ia32_syscall)
7909 - CFI_REL_OFFSET rip,RIP-RIP
7910 - PARAVIRT_ADJUST_EXCEPTION_FRAME
7911 - SWAPGS
7912 -+ pax_enter_kernel_user
7913 - /*
7914 - * No need to follow this irqs on/off section: the syscall
7915 - * disabled irqs and here we enable it straight after entry:
7916 -@@ -448,6 +504,9 @@ ia32_tracesys:
7917 - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7918 - movq %rsp,%rdi /* &pt_regs -> arg1 */
7919 - call syscall_trace_enter
7920 -+
7921 -+ pax_erase_kstack
7922 -+
7923 - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
7924 - RESTORE_REST
7925 - cmpq $(IA32_NR_syscalls-1),%rax
7926 -diff -urNp linux-2.6.32.46/arch/x86/ia32/sys_ia32.c linux-2.6.32.46/arch/x86/ia32/sys_ia32.c
7927 ---- linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-03-27 14:31:47.000000000 -0400
7928 -+++ linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-10-06 09:37:14.000000000 -0400
7929 -@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
7930 - */
7931 - static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
7932 - {
7933 -- typeof(ubuf->st_uid) uid = 0;
7934 -- typeof(ubuf->st_gid) gid = 0;
7935 -+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
7936 -+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
7937 - SET_UID(uid, stat->uid);
7938 - SET_GID(gid, stat->gid);
7939 - if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
7940 -@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
7941 - }
7942 - set_fs(KERNEL_DS);
7943 - ret = sys_rt_sigprocmask(how,
7944 -- set ? (sigset_t __user *)&s : NULL,
7945 -- oset ? (sigset_t __user *)&s : NULL,
7946 -+ set ? (sigset_t __force_user *)&s : NULL,
7947 -+ oset ? (sigset_t __force_user *)&s : NULL,
7948 - sigsetsize);
7949 - set_fs(old_fs);
7950 - if (ret)
7951 -@@ -371,7 +371,7 @@ asmlinkage long sys32_sched_rr_get_inter
7952 - mm_segment_t old_fs = get_fs();
7953 -
7954 - set_fs(KERNEL_DS);
7955 -- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
7956 -+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
7957 - set_fs(old_fs);
7958 - if (put_compat_timespec(&t, interval))
7959 - return -EFAULT;
7960 -@@ -387,7 +387,7 @@ asmlinkage long sys32_rt_sigpending(comp
7961 - mm_segment_t old_fs = get_fs();
7962 -
7963 - set_fs(KERNEL_DS);
7964 -- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
7965 -+ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
7966 - set_fs(old_fs);
7967 - if (!ret) {
7968 - switch (_NSIG_WORDS) {
7969 -@@ -412,7 +412,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
7970 - if (copy_siginfo_from_user32(&info, uinfo))
7971 - return -EFAULT;
7972 - set_fs(KERNEL_DS);
7973 -- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
7974 -+ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
7975 - set_fs(old_fs);
7976 - return ret;
7977 - }
7978 -@@ -513,7 +513,7 @@ asmlinkage long sys32_sendfile(int out_f
7979 - return -EFAULT;
7980 -
7981 - set_fs(KERNEL_DS);
7982 -- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
7983 -+ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
7984 - count);
7985 - set_fs(old_fs);
7986 -
7987 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h
7988 ---- linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h 2011-03-27 14:31:47.000000000 -0400
7989 -+++ linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h 2011-10-08 08:14:37.000000000 -0400
7990 -@@ -19,4 +19,18 @@
7991 - .endm
7992 - #endif
7993 -
7994 -+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
7995 -+ .macro pax_force_retaddr rip=0
7996 -+ btsq $63,\rip(%rsp)
7997 -+ .endm
7998 -+ .macro pax_force_fptr ptr
7999 -+ btsq $63,\ptr
8000 -+ .endm
8001 -+#else
8002 -+ .macro pax_force_retaddr rip=0
8003 -+ .endm
8004 -+ .macro pax_force_fptr ptr
8005 -+ .endm
8006 -+#endif
8007 -+
8008 - #endif /* __ASSEMBLY__ */
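Review bot: `pax_force_retaddr` and `pax_force_fptr` are added without any comment on what setting bit 63 is meant to achieve or what the caller must guarantee. `btsq $63,\rip(%rsp)` is only correct if `\rip(%rsp)` addresses the saved return address at the point of use, so each call site has to sit after the stack pointer is restored. Suggest a short block comment above the macros stating the purpose, the precondition, and that both expand to nothing without `CONFIG_PAX_KERNEXEC_PLUGIN`.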
8009 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/alternative.h linux-2.6.32.46/arch/x86/include/asm/alternative.h
8010 ---- linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-03-27 14:31:47.000000000 -0400
8011 -+++ linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-04-17 15:56:46.000000000 -0400
8012 -@@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
8013 - " .byte 662b-661b\n" /* sourcelen */ \
8014 - " .byte 664f-663f\n" /* replacementlen */ \
8015 - ".previous\n" \
8016 -- ".section .altinstr_replacement, \"ax\"\n" \
8017 -+ ".section .altinstr_replacement, \"a\"\n" \
8018 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8019 - ".previous"
8020 -
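Review bot: the section flags for `.altinstr_replacement` change from `"ax"` to `"a"`, so a section that holds instruction bytes (`newinstr`) is no longer marked executable, and nothing in the hunk explains why that is safe. Suggest a comment next to the `.section` line stating how the replacement bytes are consumed, so the flag is not restored by someone who assumes code sections must be `"ax"`.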
8021 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/apic.h linux-2.6.32.46/arch/x86/include/asm/apic.h
8022 ---- linux-2.6.32.46/arch/x86/include/asm/apic.h 2011-03-27 14:31:47.000000000 -0400
8023 -+++ linux-2.6.32.46/arch/x86/include/asm/apic.h 2011-08-17 20:01:15.000000000 -0400
8024 -@@ -46,7 +46,7 @@ static inline void generic_apic_probe(vo
8025 -
8026 - #ifdef CONFIG_X86_LOCAL_APIC
8027 -
8028 --extern unsigned int apic_verbosity;
8029 -+extern int apic_verbosity;
8030 - extern int local_apic_timer_c2_ok;
8031 -
8032 - extern int disable_apic;
8033 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/apm.h linux-2.6.32.46/arch/x86/include/asm/apm.h
8034 ---- linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-03-27 14:31:47.000000000 -0400
8035 -+++ linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-04-17 15:56:46.000000000 -0400
8036 -@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8037 - __asm__ __volatile__(APM_DO_ZERO_SEGS
8038 - "pushl %%edi\n\t"
8039 - "pushl %%ebp\n\t"
8040 -- "lcall *%%cs:apm_bios_entry\n\t"
8041 -+ "lcall *%%ss:apm_bios_entry\n\t"
8042 - "setc %%al\n\t"
8043 - "popl %%ebp\n\t"
8044 - "popl %%edi\n\t"
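Review bot: the segment override on the far call changes from `%%cs:apm_bios_entry` to `%%ss:apm_bios_entry` here and in the following hunk with no comment. Reading the entry pointer through the stack segment instead of the code segment is a non-obvious choice inside inline asm that also runs `APM_DO_ZERO_SEGS`. Suggest a one-line comment at both sites giving the reason the code segment can no longer be used for the data read.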
8045 -@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8046 - __asm__ __volatile__(APM_DO_ZERO_SEGS
8047 - "pushl %%edi\n\t"
8048 - "pushl %%ebp\n\t"
8049 -- "lcall *%%cs:apm_bios_entry\n\t"
8050 -+ "lcall *%%ss:apm_bios_entry\n\t"
8051 - "setc %%bl\n\t"
8052 - "popl %%ebp\n\t"
8053 - "popl %%edi\n\t"
8054 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_32.h linux-2.6.32.46/arch/x86/include/asm/atomic_32.h
8055 ---- linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-03-27 14:31:47.000000000 -0400
8056 -+++ linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-05-04 17:56:20.000000000 -0400
8057 -@@ -25,6 +25,17 @@ static inline int atomic_read(const atom
8058 - }
8059 -
8060 - /**
8061 -+ * atomic_read_unchecked - read atomic variable
8062 -+ * @v: pointer of type atomic_unchecked_t
8063 -+ *
8064 -+ * Atomically reads the value of @v.
8065 -+ */
8066 -+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
8067 -+{
8068 -+ return v->counter;
8069 -+}
8070 -+
8071 -+/**
8072 - * atomic_set - set atomic variable
8073 - * @v: pointer of type atomic_t
8074 - * @i: required value
8075 -@@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
8076 - }
8077 -
8078 - /**
8079 -+ * atomic_set_unchecked - set atomic variable
8080 -+ * @v: pointer of type atomic_unchecked_t
8081 -+ * @i: required value
8082 -+ *
8083 -+ * Atomically sets the value of @v to @i.
8084 -+ */
8085 -+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
8086 -+{
8087 -+ v->counter = i;
8088 -+}
8089 -+
8090 -+/**
8091 - * atomic_add - add integer to atomic variable
8092 - * @i: integer value to add
8093 - * @v: pointer of type atomic_t
8094 -@@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
8095 - */
8096 - static inline void atomic_add(int i, atomic_t *v)
8097 - {
8098 -- asm volatile(LOCK_PREFIX "addl %1,%0"
8099 -+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8100 -+
8101 -+#ifdef CONFIG_PAX_REFCOUNT
8102 -+ "jno 0f\n"
8103 -+ LOCK_PREFIX "subl %1,%0\n"
8104 -+ "int $4\n0:\n"
8105 -+ _ASM_EXTABLE(0b, 0b)
8106 -+#endif
8107 -+
8108 -+ : "+m" (v->counter)
8109 -+ : "ir" (i));
8110 -+}
8111 -+
8112 -+/**
8113 -+ * atomic_add_unchecked - add integer to atomic variable
8114 -+ * @i: integer value to add
8115 -+ * @v: pointer of type atomic_unchecked_t
8116 -+ *
8117 -+ * Atomically adds @i to @v.
8118 -+ */
8119 -+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
8120 -+{
8121 -+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8122 - : "+m" (v->counter)
8123 - : "ir" (i));
8124 - }
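Review bot: the CONFIG_PAX_REFCOUNT block in atomic_add (jno 0f, locked undo, int $4, _ASM_EXTABLE(0b, 0b)) is open-coded here and then repeated in each following function of this file with only the undo instruction changed. A single macro taking the undo instruction as its argument, with a comment explaining that the exception-table entry maps label 0 to itself, would make the pattern auditable in one place. The comment should also say that the wrapped value is visible to other CPUs between the overflowing addl and the locked subl, since the two are separate locked operations.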
8125 -@@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
8126 - */
8127 - static inline void atomic_sub(int i, atomic_t *v)
8128 - {
8129 -- asm volatile(LOCK_PREFIX "subl %1,%0"
8130 -+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
8131 -+
8132 -+#ifdef CONFIG_PAX_REFCOUNT
8133 -+ "jno 0f\n"
8134 -+ LOCK_PREFIX "addl %1,%0\n"
8135 -+ "int $4\n0:\n"
8136 -+ _ASM_EXTABLE(0b, 0b)
8137 -+#endif
8138 -+
8139 -+ : "+m" (v->counter)
8140 -+ : "ir" (i));
8141 -+}
8142 -+
8143 -+/**
8144 -+ * atomic_sub_unchecked - subtract integer from atomic variable
8145 -+ * @i: integer value to subtract
8146 -+ * @v: pointer of type atomic_unchecked_t
8147 -+ *
8148 -+ * Atomically subtracts @i from @v.
8149 -+ */
8150 -+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
8151 -+{
8152 -+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
8153 - : "+m" (v->counter)
8154 - : "ir" (i));
8155 - }
8156 -@@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
8157 - {
8158 - unsigned char c;
8159 -
8160 -- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
8161 -+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
8162 -+
8163 -+#ifdef CONFIG_PAX_REFCOUNT
8164 -+ "jno 0f\n"
8165 -+ LOCK_PREFIX "addl %2,%0\n"
8166 -+ "int $4\n0:\n"
8167 -+ _ASM_EXTABLE(0b, 0b)
8168 -+#endif
8169 -+
8170 -+ "sete %1\n"
8171 - : "+m" (v->counter), "=qm" (c)
8172 - : "ir" (i) : "memory");
8173 - return c;
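Review bot: in atomic_sub_and_test the sete %1 now sits after label 0, so on the overflow path it samples the flags left by the undo addl, not those of the subl. Assuming the trap handler resumes at label 0 with the saved flags restored, the return value then describes the restored counter rather than the requested subtraction. Add a comment stating that the result is not meaningful once the trap has fired, or set c explicitly on that path.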
8174 -@@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
8175 - */
8176 - static inline void atomic_inc(atomic_t *v)
8177 - {
8178 -- asm volatile(LOCK_PREFIX "incl %0"
8179 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8180 -+
8181 -+#ifdef CONFIG_PAX_REFCOUNT
8182 -+ "jno 0f\n"
8183 -+ LOCK_PREFIX "decl %0\n"
8184 -+ "int $4\n0:\n"
8185 -+ _ASM_EXTABLE(0b, 0b)
8186 -+#endif
8187 -+
8188 -+ : "+m" (v->counter));
8189 -+}
8190 -+
8191 -+/**
8192 -+ * atomic_inc_unchecked - increment atomic variable
8193 -+ * @v: pointer of type atomic_unchecked_t
8194 -+ *
8195 -+ * Atomically increments @v by 1.
8196 -+ */
8197 -+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
8198 -+{
8199 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8200 - : "+m" (v->counter));
8201 - }
8202 -
8203 -@@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
8204 - */
8205 - static inline void atomic_dec(atomic_t *v)
8206 - {
8207 -- asm volatile(LOCK_PREFIX "decl %0"
8208 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8209 -+
8210 -+#ifdef CONFIG_PAX_REFCOUNT
8211 -+ "jno 0f\n"
8212 -+ LOCK_PREFIX "incl %0\n"
8213 -+ "int $4\n0:\n"
8214 -+ _ASM_EXTABLE(0b, 0b)
8215 -+#endif
8216 -+
8217 -+ : "+m" (v->counter));
8218 -+}
8219 -+
8220 -+/**
8221 -+ * atomic_dec_unchecked - decrement atomic variable
8222 -+ * @v: pointer of type atomic_unchecked_t
8223 -+ *
8224 -+ * Atomically decrements @v by 1.
8225 -+ */
8226 -+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
8227 -+{
8228 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8229 - : "+m" (v->counter));
8230 - }
8231 -
8232 -@@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
8233 - {
8234 - unsigned char c;
8235 -
8236 -- asm volatile(LOCK_PREFIX "decl %0; sete %1"
8237 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8238 -+
8239 -+#ifdef CONFIG_PAX_REFCOUNT
8240 -+ "jno 0f\n"
8241 -+ LOCK_PREFIX "incl %0\n"
8242 -+ "int $4\n0:\n"
8243 -+ _ASM_EXTABLE(0b, 0b)
8244 -+#endif
8245 -+
8246 -+ "sete %1\n"
8247 - : "+m" (v->counter), "=qm" (c)
8248 - : : "memory");
8249 - return c != 0;
8250 -@@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
8251 - {
8252 - unsigned char c;
8253 -
8254 -- asm volatile(LOCK_PREFIX "incl %0; sete %1"
8255 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8256 -+
8257 -+#ifdef CONFIG_PAX_REFCOUNT
8258 -+ "jno 0f\n"
8259 -+ LOCK_PREFIX "decl %0\n"
8260 -+ "into\n0:\n"
8261 -+ _ASM_EXTABLE(0b, 0b)
8262 -+#endif
8263 -+
8264 -+ "sete %1\n"
8265 -+ : "+m" (v->counter), "=qm" (c)
8266 -+ : : "memory");
8267 -+ return c != 0;
8268 -+}
8269 -+
8270 -+/**
8271 -+ * atomic_inc_and_test_unchecked - increment and test
8272 -+ * @v: pointer of type atomic_unchecked_t
8273 -+ *
8274 -+ * Atomically increments @v by 1
8275 -+ * and returns true if the result is zero, or false for all
8276 -+ * other cases.
8277 -+ */
8278 -+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8279 -+{
8280 -+ unsigned char c;
8281 -+
8282 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8283 -+ "sete %1\n"
8284 - : "+m" (v->counter), "=qm" (c)
8285 - : : "memory");
8286 - return c != 0;
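Review bot: atomic_inc_and_test uses "into" where every other checked function in this file, and the same function in atomic_64.h, uses "int $4". into traps only when OF is set, so here it depends on the flags left by the undo decl instead of trapping unconditionally, and it is not a valid instruction in 64-bit mode should this block ever be shared between the two headers. Use "int $4\n0:\n" for consistency with the rest of the patch.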
8287 -@@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
8288 - {
8289 - unsigned char c;
8290 -
8291 -- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
8292 -+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
8293 -+
8294 -+#ifdef CONFIG_PAX_REFCOUNT
8295 -+ "jno 0f\n"
8296 -+ LOCK_PREFIX "subl %2,%0\n"
8297 -+ "int $4\n0:\n"
8298 -+ _ASM_EXTABLE(0b, 0b)
8299 -+#endif
8300 -+
8301 -+ "sets %1\n"
8302 - : "+m" (v->counter), "=qm" (c)
8303 - : "ir" (i) : "memory");
8304 - return c;
8305 -@@ -179,6 +341,46 @@ static inline int atomic_add_return(int
8306 - #endif
8307 - /* Modern 486+ processor */
8308 - __i = i;
8309 -+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8310 -+
8311 -+#ifdef CONFIG_PAX_REFCOUNT
8312 -+ "jno 0f\n"
8313 -+ "movl %0, %1\n"
8314 -+ "int $4\n0:\n"
8315 -+ _ASM_EXTABLE(0b, 0b)
8316 -+#endif
8317 -+
8318 -+ : "+r" (i), "+m" (v->counter)
8319 -+ : : "memory");
8320 -+ return i + __i;
8321 -+
8322 -+#ifdef CONFIG_M386
8323 -+no_xadd: /* Legacy 386 processor */
8324 -+ local_irq_save(flags);
8325 -+ __i = atomic_read(v);
8326 -+ atomic_set(v, i + __i);
8327 -+ local_irq_restore(flags);
8328 -+ return i + __i;
8329 -+#endif
8330 -+}
8331 -+
8332 -+/**
8333 -+ * atomic_add_return_unchecked - add integer and return
8334 -+ * @v: pointer of type atomic_unchecked_t
8335 -+ * @i: integer value to add
8336 -+ *
8337 -+ * Atomically adds @i to @v and returns @i + @v
8338 -+ */
8339 -+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
8340 -+{
8341 -+ int __i;
8342 -+#ifdef CONFIG_M386
8343 -+ unsigned long flags;
8344 -+ if (unlikely(boot_cpu_data.x86 <= 3))
8345 -+ goto no_xadd;
8346 -+#endif
8347 -+ /* Modern 486+ processor */
8348 -+ __i = i;
8349 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
8350 - : "+r" (i), "+m" (v->counter)
8351 - : : "memory");
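Review bot: the overflow undo in atomic_add_return is a plain "movl %0, %1" store of the old value rather than a locked operation, so an update made by another CPU between the xaddl and the store is overwritten; the other checked functions undo with a LOCK_PREFIX inverse operation. A locked subl of the original addend (kept in __i, which would need to become an asm operand) keeps the rollback atomic. Separately, the CONFIG_M386 no_xadd path added in the checked function goes through atomic_read and atomic_set with no overflow test, so the legacy 386 path stays unchecked even with CONFIG_PAX_REFCOUNT set; either check it or say so in a comment.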
8352 -@@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
8353 - return cmpxchg(&v->counter, old, new);
8354 - }
8355 -
8356 -+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8357 -+{
8358 -+ return cmpxchg(&v->counter, old, new);
8359 -+}
8360 -+
8361 - static inline int atomic_xchg(atomic_t *v, int new)
8362 - {
8363 - return xchg(&v->counter, new);
8364 - }
8365 -
8366 -+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8367 -+{
8368 -+ return xchg(&v->counter, new);
8369 -+}
8370 -+
8371 - /**
8372 - * atomic_add_unless - add unless the number is already a given value
8373 - * @v: pointer of type atomic_t
8374 -@@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
8375 - */
8376 - static inline int atomic_add_unless(atomic_t *v, int a, int u)
8377 - {
8378 -- int c, old;
8379 -+ int c, old, new;
8380 - c = atomic_read(v);
8381 - for (;;) {
8382 -- if (unlikely(c == (u)))
8383 -+ if (unlikely(c == u))
8384 - break;
8385 -- old = atomic_cmpxchg((v), c, c + (a));
8386 -+
8387 -+ asm volatile("addl %2,%0\n"
8388 -+
8389 -+#ifdef CONFIG_PAX_REFCOUNT
8390 -+ "jno 0f\n"
8391 -+ "subl %2,%0\n"
8392 -+ "int $4\n0:\n"
8393 -+ _ASM_EXTABLE(0b, 0b)
8394 -+#endif
8395 -+
8396 -+ : "=r" (new)
8397 -+ : "0" (c), "ir" (a));
8398 -+
8399 -+ old = atomic_cmpxchg(v, c, new);
8400 - if (likely(old == c))
8401 - break;
8402 - c = old;
8403 - }
8404 -- return c != (u);
8405 -+ return c != u;
8406 - }
8407 -
8408 - #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
8409 -
8410 - #define atomic_inc_return(v) (atomic_add_return(1, v))
8411 -+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8412 -+{
8413 -+ return atomic_add_return_unchecked(1, v);
8414 -+}
8415 - #define atomic_dec_return(v) (atomic_sub_return(1, v))
8416 -
8417 - /* These are x86-specific, used by some header files */
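Review bot: in atomic_add_unless the overflow check runs on the local register copy, so after the undo subl leaves new equal to c the code still falls through to atomic_cmpxchg(v, c, new), which succeeds without changing the counter, and the function returns c != u, that is, success. If the int $4 handler resumes at label 0, as the _ASM_EXTABLE(0b, 0b) entry implies, a caller of atomic_inc_not_zero is told it holds a reference that was never counted. Consider making the overflow path return 0 instead of reaching the cmpxchg.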
8418 -@@ -266,9 +495,18 @@ typedef struct {
8419 - u64 __aligned(8) counter;
8420 - } atomic64_t;
8421 -
8422 -+#ifdef CONFIG_PAX_REFCOUNT
8423 -+typedef struct {
8424 -+ u64 __aligned(8) counter;
8425 -+} atomic64_unchecked_t;
8426 -+#else
8427 -+typedef atomic64_t atomic64_unchecked_t;
8428 -+#endif
8429 -+
8430 - #define ATOMIC64_INIT(val) { (val) }
8431 -
8432 - extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
8433 -+extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
8434 -
8435 - /**
8436 - * atomic64_xchg - xchg atomic64 variable
8437 -@@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
8438 - * the old value.
8439 - */
8440 - extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
8441 -+extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
8442 -
8443 - /**
8444 - * atomic64_set - set atomic64 variable
8445 -@@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
8446 - extern void atomic64_set(atomic64_t *ptr, u64 new_val);
8447 -
8448 - /**
8449 -+ * atomic64_unchecked_set - set atomic64 variable
8450 -+ * @ptr: pointer to type atomic64_unchecked_t
8451 -+ * @new_val: value to assign
8452 -+ *
8453 -+ * Atomically sets the value of @ptr to @new_val.
8454 -+ */
8455 -+extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
8456 -+
8457 -+/**
8458 - * atomic64_read - read atomic64 variable
8459 - * @ptr: pointer to type atomic64_t
8460 - *
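Review bot: the kernel-doc header added here names "atomic64_unchecked_set", but the function declared under it is atomic64_set_unchecked. Fix the comment so the documented name matches the symbol, otherwise generated docs and grep both miss it.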
8461 -@@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
8462 - return res;
8463 - }
8464 -
8465 --extern u64 atomic64_read(atomic64_t *ptr);
8466 -+/**
8467 -+ * atomic64_read_unchecked - read atomic64 variable
8468 -+ * @ptr: pointer to type atomic64_unchecked_t
8469 -+ *
8470 -+ * Atomically reads the value of @ptr and returns it.
8471 -+ */
8472 -+static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
8473 -+{
8474 -+ u64 res;
8475 -+
8476 -+ /*
8477 -+ * Note, we inline this atomic64_unchecked_t primitive because
8478 -+ * it only clobbers EAX/EDX and leaves the others
8479 -+ * untouched. We also (somewhat subtly) rely on the
8480 -+ * fact that cmpxchg8b returns the current 64-bit value
8481 -+ * of the memory location we are touching:
8482 -+ */
8483 -+ asm volatile(
8484 -+ "mov %%ebx, %%eax\n\t"
8485 -+ "mov %%ecx, %%edx\n\t"
8486 -+ LOCK_PREFIX "cmpxchg8b %1\n"
8487 -+ : "=&A" (res)
8488 -+ : "m" (*ptr)
8489 -+ );
8490 -+
8491 -+ return res;
8492 -+}
8493 -
8494 - /**
8495 - * atomic64_add_return - add and return
8496 -@@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
8497 - * Other variants with different arithmetic operators:
8498 - */
8499 - extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
8500 -+extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
8501 - extern u64 atomic64_inc_return(atomic64_t *ptr);
8502 -+extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
8503 - extern u64 atomic64_dec_return(atomic64_t *ptr);
8504 -+extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
8505 -
8506 - /**
8507 - * atomic64_add - add integer to atomic64 variable
8508 -@@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
8509 - extern void atomic64_add(u64 delta, atomic64_t *ptr);
8510 -
8511 - /**
8512 -+ * atomic64_add_unchecked - add integer to atomic64 variable
8513 -+ * @delta: integer value to add
8514 -+ * @ptr: pointer to type atomic64_unchecked_t
8515 -+ *
8516 -+ * Atomically adds @delta to @ptr.
8517 -+ */
8518 -+extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
8519 -+
8520 -+/**
8521 - * atomic64_sub - subtract the atomic64 variable
8522 - * @delta: integer value to subtract
8523 - * @ptr: pointer to type atomic64_t
8524 -@@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
8525 - extern void atomic64_sub(u64 delta, atomic64_t *ptr);
8526 -
8527 - /**
8528 -+ * atomic64_sub_unchecked - subtract the atomic64 variable
8529 -+ * @delta: integer value to subtract
8530 -+ * @ptr: pointer to type atomic64_unchecked_t
8531 -+ *
8532 -+ * Atomically subtracts @delta from @ptr.
8533 -+ */
8534 -+extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
8535 -+
8536 -+/**
8537 - * atomic64_sub_and_test - subtract value from variable and test result
8538 - * @delta: integer value to subtract
8539 - * @ptr: pointer to type atomic64_t
8540 -@@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
8541 - extern void atomic64_inc(atomic64_t *ptr);
8542 -
8543 - /**
8544 -+ * atomic64_inc_unchecked - increment atomic64 variable
8545 -+ * @ptr: pointer to type atomic64_unchecked_t
8546 -+ *
8547 -+ * Atomically increments @ptr by 1.
8548 -+ */
8549 -+extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
8550 -+
8551 -+/**
8552 - * atomic64_dec - decrement atomic64 variable
8553 - * @ptr: pointer to type atomic64_t
8554 - *
8555 -@@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
8556 - extern void atomic64_dec(atomic64_t *ptr);
8557 -
8558 - /**
8559 -+ * atomic64_dec_unchecked - decrement atomic64 variable
8560 -+ * @ptr: pointer to type atomic64_unchecked_t
8561 -+ *
8562 -+ * Atomically decrements @ptr by 1.
8563 -+ */
8564 -+extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
8565 -+
8566 -+/**
8567 - * atomic64_dec_and_test - decrement and test
8568 - * @ptr: pointer to type atomic64_t
8569 - *
8570 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_64.h linux-2.6.32.46/arch/x86/include/asm/atomic_64.h
8571 ---- linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
8572 -+++ linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-05-04 18:35:31.000000000 -0400
8573 -@@ -24,6 +24,17 @@ static inline int atomic_read(const atom
8574 - }
8575 -
8576 - /**
8577 -+ * atomic_read_unchecked - read atomic variable
8578 -+ * @v: pointer of type atomic_unchecked_t
8579 -+ *
8580 -+ * Atomically reads the value of @v.
8581 -+ */
8582 -+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
8583 -+{
8584 -+ return v->counter;
8585 -+}
8586 -+
8587 -+/**
8588 - * atomic_set - set atomic variable
8589 - * @v: pointer of type atomic_t
8590 - * @i: required value
8591 -@@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
8592 - }
8593 -
8594 - /**
8595 -+ * atomic_set_unchecked - set atomic variable
8596 -+ * @v: pointer of type atomic_unchecked_t
8597 -+ * @i: required value
8598 -+ *
8599 -+ * Atomically sets the value of @v to @i.
8600 -+ */
8601 -+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
8602 -+{
8603 -+ v->counter = i;
8604 -+}
8605 -+
8606 -+/**
8607 - * atomic_add - add integer to atomic variable
8608 - * @i: integer value to add
8609 - * @v: pointer of type atomic_t
8610 -@@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
8611 - */
8612 - static inline void atomic_add(int i, atomic_t *v)
8613 - {
8614 -- asm volatile(LOCK_PREFIX "addl %1,%0"
8615 -+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8616 -+
8617 -+#ifdef CONFIG_PAX_REFCOUNT
8618 -+ "jno 0f\n"
8619 -+ LOCK_PREFIX "subl %1,%0\n"
8620 -+ "int $4\n0:\n"
8621 -+ _ASM_EXTABLE(0b, 0b)
8622 -+#endif
8623 -+
8624 -+ : "=m" (v->counter)
8625 -+ : "ir" (i), "m" (v->counter));
8626 -+}
8627 -+
8628 -+/**
8629 -+ * atomic_add_unchecked - add integer to atomic variable
8630 -+ * @i: integer value to add
8631 -+ * @v: pointer of type atomic_unchecked_t
8632 -+ *
8633 -+ * Atomically adds @i to @v.
8634 -+ */
8635 -+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
8636 -+{
8637 -+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8638 - : "=m" (v->counter)
8639 - : "ir" (i), "m" (v->counter));
8640 - }
8641 -@@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
8642 - */
8643 - static inline void atomic_sub(int i, atomic_t *v)
8644 - {
8645 -- asm volatile(LOCK_PREFIX "subl %1,%0"
8646 -+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
8647 -+
8648 -+#ifdef CONFIG_PAX_REFCOUNT
8649 -+ "jno 0f\n"
8650 -+ LOCK_PREFIX "addl %1,%0\n"
8651 -+ "int $4\n0:\n"
8652 -+ _ASM_EXTABLE(0b, 0b)
8653 -+#endif
8654 -+
8655 -+ : "=m" (v->counter)
8656 -+ : "ir" (i), "m" (v->counter));
8657 -+}
8658 -+
8659 -+/**
8660 -+ * atomic_sub_unchecked - subtract the atomic variable
8661 -+ * @i: integer value to subtract
8662 -+ * @v: pointer of type atomic_unchecked_t
8663 -+ *
8664 -+ * Atomically subtracts @i from @v.
8665 -+ */
8666 -+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
8667 -+{
8668 -+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
8669 - : "=m" (v->counter)
8670 - : "ir" (i), "m" (v->counter));
8671 - }
8672 -@@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
8673 - {
8674 - unsigned char c;
8675 -
8676 -- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
8677 -+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
8678 -+
8679 -+#ifdef CONFIG_PAX_REFCOUNT
8680 -+ "jno 0f\n"
8681 -+ LOCK_PREFIX "addl %2,%0\n"
8682 -+ "int $4\n0:\n"
8683 -+ _ASM_EXTABLE(0b, 0b)
8684 -+#endif
8685 -+
8686 -+ "sete %1\n"
8687 - : "=m" (v->counter), "=qm" (c)
8688 - : "ir" (i), "m" (v->counter) : "memory");
8689 - return c;
8690 -@@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
8691 - */
8692 - static inline void atomic_inc(atomic_t *v)
8693 - {
8694 -- asm volatile(LOCK_PREFIX "incl %0"
8695 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8696 -+
8697 -+#ifdef CONFIG_PAX_REFCOUNT
8698 -+ "jno 0f\n"
8699 -+ LOCK_PREFIX "decl %0\n"
8700 -+ "int $4\n0:\n"
8701 -+ _ASM_EXTABLE(0b, 0b)
8702 -+#endif
8703 -+
8704 -+ : "=m" (v->counter)
8705 -+ : "m" (v->counter));
8706 -+}
8707 -+
8708 -+/**
8709 -+ * atomic_inc_unchecked - increment atomic variable
8710 -+ * @v: pointer of type atomic_unchecked_t
8711 -+ *
8712 -+ * Atomically increments @v by 1.
8713 -+ */
8714 -+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
8715 -+{
8716 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8717 - : "=m" (v->counter)
8718 - : "m" (v->counter));
8719 - }
8720 -@@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
8721 - */
8722 - static inline void atomic_dec(atomic_t *v)
8723 - {
8724 -- asm volatile(LOCK_PREFIX "decl %0"
8725 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8726 -+
8727 -+#ifdef CONFIG_PAX_REFCOUNT
8728 -+ "jno 0f\n"
8729 -+ LOCK_PREFIX "incl %0\n"
8730 -+ "int $4\n0:\n"
8731 -+ _ASM_EXTABLE(0b, 0b)
8732 -+#endif
8733 -+
8734 -+ : "=m" (v->counter)
8735 -+ : "m" (v->counter));
8736 -+}
8737 -+
8738 -+/**
8739 -+ * atomic_dec_unchecked - decrement atomic variable
8740 -+ * @v: pointer of type atomic_unchecked_t
8741 -+ *
8742 -+ * Atomically decrements @v by 1.
8743 -+ */
8744 -+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
8745 -+{
8746 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8747 - : "=m" (v->counter)
8748 - : "m" (v->counter));
8749 - }
8750 -@@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
8751 - {
8752 - unsigned char c;
8753 -
8754 -- asm volatile(LOCK_PREFIX "decl %0; sete %1"
8755 -+ asm volatile(LOCK_PREFIX "decl %0\n"
8756 -+
8757 -+#ifdef CONFIG_PAX_REFCOUNT
8758 -+ "jno 0f\n"
8759 -+ LOCK_PREFIX "incl %0\n"
8760 -+ "int $4\n0:\n"
8761 -+ _ASM_EXTABLE(0b, 0b)
8762 -+#endif
8763 -+
8764 -+ "sete %1\n"
8765 - : "=m" (v->counter), "=qm" (c)
8766 - : "m" (v->counter) : "memory");
8767 - return c != 0;
8768 -@@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
8769 - {
8770 - unsigned char c;
8771 -
8772 -- asm volatile(LOCK_PREFIX "incl %0; sete %1"
8773 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8774 -+
8775 -+#ifdef CONFIG_PAX_REFCOUNT
8776 -+ "jno 0f\n"
8777 -+ LOCK_PREFIX "decl %0\n"
8778 -+ "int $4\n0:\n"
8779 -+ _ASM_EXTABLE(0b, 0b)
8780 -+#endif
8781 -+
8782 -+ "sete %1\n"
8783 -+ : "=m" (v->counter), "=qm" (c)
8784 -+ : "m" (v->counter) : "memory");
8785 -+ return c != 0;
8786 -+}
8787 -+
8788 -+/**
8789 -+ * atomic_inc_and_test_unchecked - increment and test
8790 -+ * @v: pointer of type atomic_unchecked_t
8791 -+ *
8792 -+ * Atomically increments @v by 1
8793 -+ * and returns true if the result is zero, or false for all
8794 -+ * other cases.
8795 -+ */
8796 -+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8797 -+{
8798 -+ unsigned char c;
8799 -+
8800 -+ asm volatile(LOCK_PREFIX "incl %0\n"
8801 -+ "sete %1\n"
8802 - : "=m" (v->counter), "=qm" (c)
8803 - : "m" (v->counter) : "memory");
8804 - return c != 0;
8805 -@@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
8806 - {
8807 - unsigned char c;
8808 -
8809 -- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
8810 -+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
8811 -+
8812 -+#ifdef CONFIG_PAX_REFCOUNT
8813 -+ "jno 0f\n"
8814 -+ LOCK_PREFIX "subl %2,%0\n"
8815 -+ "int $4\n0:\n"
8816 -+ _ASM_EXTABLE(0b, 0b)
8817 -+#endif
8818 -+
8819 -+ "sets %1\n"
8820 - : "=m" (v->counter), "=qm" (c)
8821 - : "ir" (i), "m" (v->counter) : "memory");
8822 - return c;
8823 -@@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
8824 - static inline int atomic_add_return(int i, atomic_t *v)
8825 - {
8826 - int __i = i;
8827 -- asm volatile(LOCK_PREFIX "xaddl %0, %1"
8828 -+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8829 -+
8830 -+#ifdef CONFIG_PAX_REFCOUNT
8831 -+ "jno 0f\n"
8832 -+ "movl %0, %1\n"
8833 -+ "int $4\n0:\n"
8834 -+ _ASM_EXTABLE(0b, 0b)
8835 -+#endif
8836 -+
8837 -+ : "+r" (i), "+m" (v->counter)
8838 -+ : : "memory");
8839 -+ return i + __i;
8840 -+}
8841 -+
8842 -+/**
8843 -+ * atomic_add_return_unchecked - add and return
8844 -+ * @i: integer value to add
8845 -+ * @v: pointer of type atomic_unchecked_t
8846 -+ *
8847 -+ * Atomically adds @i to @v and returns @i + @v
8848 -+ */
8849 -+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
8850 -+{
8851 -+ int __i = i;
8852 -+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8853 - : "+r" (i), "+m" (v->counter)
8854 - : : "memory");
8855 - return i + __i;
8856 -@@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
8857 - }
8858 -
8859 - #define atomic_inc_return(v) (atomic_add_return(1, v))
8860 -+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8861 -+{
8862 -+ return atomic_add_return_unchecked(1, v);
8863 -+}
8864 - #define atomic_dec_return(v) (atomic_sub_return(1, v))
8865 -
8866 - /* The 64-bit atomic type */
8867 -@@ -204,6 +396,18 @@ static inline long atomic64_read(const a
8868 - }
8869 -
8870 - /**
8871 -+ * atomic64_read_unchecked - read atomic64 variable
8872 -+ * @v: pointer of type atomic64_unchecked_t
8873 -+ *
8874 -+ * Atomically reads the value of @v.
8875 -+ * Doesn't imply a read memory barrier.
8876 -+ */
8877 -+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8878 -+{
8879 -+ return v->counter;
8880 -+}
8881 -+
8882 -+/**
8883 - * atomic64_set - set atomic64 variable
8884 - * @v: pointer to type atomic64_t
8885 - * @i: required value
8886 -@@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
8887 - }
8888 -
8889 - /**
8890 -+ * atomic64_set_unchecked - set atomic64 variable
8891 -+ * @v: pointer to type atomic64_unchecked_t
8892 -+ * @i: required value
8893 -+ *
8894 -+ * Atomically sets the value of @v to @i.
8895 -+ */
8896 -+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8897 -+{
8898 -+ v->counter = i;
8899 -+}
8900 -+
8901 -+/**
8902 - * atomic64_add - add integer to atomic64 variable
8903 - * @i: integer value to add
8904 - * @v: pointer to type atomic64_t
8905 -@@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
8906 - */
8907 - static inline void atomic64_add(long i, atomic64_t *v)
8908 - {
8909 -+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
8910 -+
8911 -+#ifdef CONFIG_PAX_REFCOUNT
8912 -+ "jno 0f\n"
8913 -+ LOCK_PREFIX "subq %1,%0\n"
8914 -+ "int $4\n0:\n"
8915 -+ _ASM_EXTABLE(0b, 0b)
8916 -+#endif
8917 -+
8918 -+ : "=m" (v->counter)
8919 -+ : "er" (i), "m" (v->counter));
8920 -+}
8921 -+
8922 -+/**
8923 -+ * atomic64_add_unchecked - add integer to atomic64 variable
8924 -+ * @i: integer value to add
8925 -+ * @v: pointer to type atomic64_unchecked_t
8926 -+ *
8927 -+ * Atomically adds @i to @v.
8928 -+ */
8929 -+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8930 -+{
8931 - asm volatile(LOCK_PREFIX "addq %1,%0"
8932 - : "=m" (v->counter)
8933 - : "er" (i), "m" (v->counter));
8934 -@@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
8935 - */
8936 - static inline void atomic64_sub(long i, atomic64_t *v)
8937 - {
8938 -- asm volatile(LOCK_PREFIX "subq %1,%0"
8939 -+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
8940 -+
8941 -+#ifdef CONFIG_PAX_REFCOUNT
8942 -+ "jno 0f\n"
8943 -+ LOCK_PREFIX "addq %1,%0\n"
8944 -+ "int $4\n0:\n"
8945 -+ _ASM_EXTABLE(0b, 0b)
8946 -+#endif
8947 -+
8948 - : "=m" (v->counter)
8949 - : "er" (i), "m" (v->counter));
8950 - }
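Review bot: this hunk adds the overflow check to atomic64_sub but no atomic64_sub_unchecked beside it, while the atomic64_add, atomic64_inc and atomic64_dec hunks in this file each add their _unchecked twin and atomic_32.h declares atomic64_sub_unchecked. Code that needs a wrapping 64-bit subtract on x86_64 would have nothing to call; add the unchecked variant here or note why it is not needed.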
8951 -@@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
8952 - {
8953 - unsigned char c;
8954 -
8955 -- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8956 -+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
8957 -+
8958 -+#ifdef CONFIG_PAX_REFCOUNT
8959 -+ "jno 0f\n"
8960 -+ LOCK_PREFIX "addq %2,%0\n"
8961 -+ "int $4\n0:\n"
8962 -+ _ASM_EXTABLE(0b, 0b)
8963 -+#endif
8964 -+
8965 -+ "sete %1\n"
8966 - : "=m" (v->counter), "=qm" (c)
8967 - : "er" (i), "m" (v->counter) : "memory");
8968 - return c;
8969 -@@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
8970 - */
8971 - static inline void atomic64_inc(atomic64_t *v)
8972 - {
8973 -+ asm volatile(LOCK_PREFIX "incq %0\n"
8974 -+
8975 -+#ifdef CONFIG_PAX_REFCOUNT
8976 -+ "jno 0f\n"
8977 -+ LOCK_PREFIX "decq %0\n"
8978 -+ "int $4\n0:\n"
8979 -+ _ASM_EXTABLE(0b, 0b)
8980 -+#endif
8981 -+
8982 -+ : "=m" (v->counter)
8983 -+ : "m" (v->counter));
8984 -+}
8985 -+
8986 -+/**
8987 -+ * atomic64_inc_unchecked - increment atomic64 variable
8988 -+ * @v: pointer to type atomic64_unchecked_t
8989 -+ *
8990 -+ * Atomically increments @v by 1.
8991 -+ */
8992 -+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8993 -+{
8994 - asm volatile(LOCK_PREFIX "incq %0"
8995 - : "=m" (v->counter)
8996 - : "m" (v->counter));
8997 -@@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
8998 - */
8999 - static inline void atomic64_dec(atomic64_t *v)
9000 - {
9001 -- asm volatile(LOCK_PREFIX "decq %0"
9002 -+ asm volatile(LOCK_PREFIX "decq %0\n"
9003 -+
9004 -+#ifdef CONFIG_PAX_REFCOUNT
9005 -+ "jno 0f\n"
9006 -+ LOCK_PREFIX "incq %0\n"
9007 -+ "int $4\n0:\n"
9008 -+ _ASM_EXTABLE(0b, 0b)
9009 -+#endif
9010 -+
9011 -+ : "=m" (v->counter)
9012 -+ : "m" (v->counter));
9013 -+}
9014 -+
9015 -+/**
9016 -+ * atomic64_dec_unchecked - decrement atomic64 variable
9017 -+ * @v: pointer to type atomic64_t
9018 -+ *
9019 -+ * Atomically decrements @v by 1.
9020 -+ */
9021 -+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
9022 -+{
9023 -+ asm volatile(LOCK_PREFIX "decq %0\n"
9024 - : "=m" (v->counter)
9025 - : "m" (v->counter));
9026 - }
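Review bot: the kernel-doc for atomic64_dec_unchecked says "@v: pointer to type atomic64_t", but the parameter is atomic64_unchecked_t *v. The distinction between the two types is the whole point of the _unchecked API, so the comment should read "pointer to type atomic64_unchecked_t" like the other _unchecked headers in this file.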
9027 -@@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
9028 - {
9029 - unsigned char c;
9030 -
9031 -- asm volatile(LOCK_PREFIX "decq %0; sete %1"
9032 -+ asm volatile(LOCK_PREFIX "decq %0\n"
9033 -+
9034 -+#ifdef CONFIG_PAX_REFCOUNT
9035 -+ "jno 0f\n"
9036 -+ LOCK_PREFIX "incq %0\n"
9037 -+ "int $4\n0:\n"
9038 -+ _ASM_EXTABLE(0b, 0b)
9039 -+#endif
9040 -+
9041 -+ "sete %1\n"
9042 - : "=m" (v->counter), "=qm" (c)
9043 - : "m" (v->counter) : "memory");
9044 - return c != 0;
9045 -@@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
9046 - {
9047 - unsigned char c;
9048 -
9049 -- asm volatile(LOCK_PREFIX "incq %0; sete %1"
9050 -+ asm volatile(LOCK_PREFIX "incq %0\n"
9051 -+
9052 -+#ifdef CONFIG_PAX_REFCOUNT
9053 -+ "jno 0f\n"
9054 -+ LOCK_PREFIX "decq %0\n"
9055 -+ "int $4\n0:\n"
9056 -+ _ASM_EXTABLE(0b, 0b)
9057 -+#endif
9058 -+
9059 -+ "sete %1\n"
9060 - : "=m" (v->counter), "=qm" (c)
9061 - : "m" (v->counter) : "memory");
9062 - return c != 0;
9063 -@@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
9064 - {
9065 - unsigned char c;
9066 -
9067 -- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
9068 -+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
9069 -+
9070 -+#ifdef CONFIG_PAX_REFCOUNT
9071 -+ "jno 0f\n"
9072 -+ LOCK_PREFIX "subq %2,%0\n"
9073 -+ "int $4\n0:\n"
9074 -+ _ASM_EXTABLE(0b, 0b)
9075 -+#endif
9076 -+
9077 -+ "sets %1\n"
9078 - : "=m" (v->counter), "=qm" (c)
9079 - : "er" (i), "m" (v->counter) : "memory");
9080 - return c;
9081 -@@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
9082 - static inline long atomic64_add_return(long i, atomic64_t *v)
9083 - {
9084 - long __i = i;
9085 -- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
9086 -+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
9087 -+
9088 -+#ifdef CONFIG_PAX_REFCOUNT
9089 -+ "jno 0f\n"
9090 -+ "movq %0, %1\n"
9091 -+ "int $4\n0:\n"
9092 -+ _ASM_EXTABLE(0b, 0b)
9093 -+#endif
9094 -+
9095 -+ : "+r" (i), "+m" (v->counter)
9096 -+ : : "memory");
9097 -+ return i + __i;
9098 -+}
9099 -+
9100 -+/**
9101 -+ * atomic64_add_return_unchecked - add and return
9102 -+ * @i: integer value to add
9103 -+ * @v: pointer to type atomic64_unchecked_t
9104 -+ *
9105 -+ * Atomically adds @i to @v and returns @i + @v
9106 -+ */
9107 -+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
9108 -+{
9109 -+ long __i = i;
9110 -+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
9111 - : "+r" (i), "+m" (v->counter)
9112 - : : "memory");
9113 - return i + __i;
9114 -@@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
9115 - }
9116 -
9117 - #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
9118 -+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
9119 -+{
9120 -+ return atomic64_add_return_unchecked(1, v);
9121 -+}
9122 - #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
9123 -
9124 - static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
9125 -@@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
9126 - return cmpxchg(&v->counter, old, new);
9127 - }
9128 -
9129 -+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
9130 -+{
9131 -+ return cmpxchg(&v->counter, old, new);
9132 -+}
9133 -+
9134 - static inline long atomic64_xchg(atomic64_t *v, long new)
9135 - {
9136 - return xchg(&v->counter, new);
9137 - }
9138 -
9139 -+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
9140 -+{
9141 -+ return xchg(&v->counter, new);
9142 -+}
9143 -+
9144 - static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
9145 - {
9146 - return cmpxchg(&v->counter, old, new);
9147 - }
9148 -
9149 -+static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9150 -+{
9151 -+ return cmpxchg(&v->counter, old, new);
9152 -+}
9153 -+
9154 - static inline long atomic_xchg(atomic_t *v, int new)
9155 - {
9156 - return xchg(&v->counter, new);
9157 - }
9158 -
9159 -+static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9160 -+{
9161 -+ return xchg(&v->counter, new);
9162 -+}
9163 -+
9164 - /**
9165 - * atomic_add_unless - add unless the number is a given value
9166 - * @v: pointer of type atomic_t
9167 -@@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
9168 - */
9169 - static inline int atomic_add_unless(atomic_t *v, int a, int u)
9170 - {
9171 -- int c, old;
9172 -+ int c, old, new;
9173 - c = atomic_read(v);
9174 - for (;;) {
9175 -- if (unlikely(c == (u)))
9176 -+ if (unlikely(c == u))
9177 - break;
9178 -- old = atomic_cmpxchg((v), c, c + (a));
9179 -+
9180 -+ asm volatile("addl %2,%0\n"
9181 -+
9182 -+#ifdef CONFIG_PAX_REFCOUNT
9183 -+ "jno 0f\n"
9184 -+ "subl %2,%0\n"
9185 -+ "int $4\n0:\n"
9186 -+ _ASM_EXTABLE(0b, 0b)
9187 -+#endif
9188 -+
9189 -+ : "=r" (new)
9190 -+ : "0" (c), "ir" (a));
9191 -+
9192 -+ old = atomic_cmpxchg(v, c, new);
9193 - if (likely(old == c))
9194 - break;
9195 - c = old;
9196 - }
9197 -- return c != (u);
9198 -+ return c != u;
9199 - }
9200 -
9201 - #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
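Review bot: the kernel-doc for atomic_add_unless needs to say what callers see on overflow, because the new CONFIG_PAX_REFCOUNT path changes it silently. After `subl %2,%0` the local `new` equals `c` again, so if the overflow handler resumes at label 0, as the `_ASM_EXTABLE(0b, 0b)` entry implies, `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function returns `c != u`, i.e. nonzero. A caller of atomic_inc_not_zero is then told it took a reference that was never counted. If saturating this way is the intent, state it in the comment above the function.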
9202 -@@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
9203 - */
9204 - static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
9205 - {
9206 -- long c, old;
9207 -+ long c, old, new;
9208 - c = atomic64_read(v);
9209 - for (;;) {
9210 -- if (unlikely(c == (u)))
9211 -+ if (unlikely(c == u))
9212 - break;
9213 -- old = atomic64_cmpxchg((v), c, c + (a));
9214 -+
9215 -+ asm volatile("addq %2,%0\n"
9216 -+
9217 -+#ifdef CONFIG_PAX_REFCOUNT
9218 -+ "jno 0f\n"
9219 -+ "subq %2,%0\n"
9220 -+ "int $4\n0:\n"
9221 -+ _ASM_EXTABLE(0b, 0b)
9222 -+#endif
9223 -+
9224 -+ : "=r" (new)
9225 -+ : "0" (c), "er" (a));
9226 -+
9227 -+ old = atomic64_cmpxchg(v, c, new);
9228 - if (likely(old == c))
9229 - break;
9230 - c = old;
9231 - }
9232 -- return c != (u);
9233 -+ return c != u;
9234 - }
9235 -
9236 - /**
9237 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/bitops.h linux-2.6.32.46/arch/x86/include/asm/bitops.h
9238 ---- linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-03-27 14:31:47.000000000 -0400
9239 -+++ linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-04-17 15:56:46.000000000 -0400
9240 -@@ -38,7 +38,7 @@
9241 - * a mask operation on a byte.
9242 - */
9243 - #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9244 --#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9245 -+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9246 - #define CONST_MASK(nr) (1 << ((nr) & 7))
9247 -
9248 - /**
9249 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/boot.h linux-2.6.32.46/arch/x86/include/asm/boot.h
9250 ---- linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-03-27 14:31:47.000000000 -0400
9251 -+++ linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-04-17 15:56:46.000000000 -0400
9252 -@@ -11,10 +11,15 @@
9253 - #include <asm/pgtable_types.h>
9254 -
9255 - /* Physical address where kernel should be loaded. */
9256 --#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9257 -+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9258 - + (CONFIG_PHYSICAL_ALIGN - 1)) \
9259 - & ~(CONFIG_PHYSICAL_ALIGN - 1))
9260 -
9261 -+#ifndef __ASSEMBLY__
9262 -+extern unsigned char __LOAD_PHYSICAL_ADDR[];
9263 -+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9264 -+#endif
9265 -+
9266 - /* Minimum kernel alignment, as a power of two */
9267 - #ifdef CONFIG_X86_64
9268 - #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
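Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__` and expands to the address of the extern symbol `__LOAD_PHYSICAL_ADDR`, so it is no longer a compile-time constant and is undefined in assembly sources. Anything that used it in `#if`, in a static initializer or from a .S file has to switch to `____LOAD_PHYSICAL_ADDR`. Please add a comment here naming which of the two spellings each kind of user should pick and where the symbol is defined, since the names differ only in the number of leading underscores.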
9269 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/cache.h linux-2.6.32.46/arch/x86/include/asm/cache.h
9270 ---- linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
9271 -+++ linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
9272 -@@ -5,9 +5,10 @@
9273 -
9274 - /* L1 cache line size */
9275 - #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9276 --#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9277 -+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9278 -
9279 - #define __read_mostly __attribute__((__section__(".data.read_mostly")))
9280 -+#define __read_only __attribute__((__section__(".data.read_only")))
9281 -
9282 - #ifdef CONFIG_X86_VSMP
9283 - /* vSMP Internode cacheline shift */
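Review bot: `__read_only` is added next to `__read_mostly` with no comment, and nothing in this header says what makes `.data.read_only` read-only or when during boot that takes effect. A one-line comment naming where the section is placed and protected would keep people from treating it as another cache-placement hint.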
9284 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/cacheflush.h linux-2.6.32.46/arch/x86/include/asm/cacheflush.h
9285 ---- linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-03-27 14:31:47.000000000 -0400
9286 -+++ linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-04-17 15:56:46.000000000 -0400
9287 -@@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
9288 - static inline unsigned long get_page_memtype(struct page *pg)
9289 - {
9290 - if (!PageUncached(pg) && !PageWC(pg))
9291 -- return -1;
9292 -+ return ~0UL;
9293 - else if (!PageUncached(pg) && PageWC(pg))
9294 - return _PAGE_CACHE_WC;
9295 - else if (PageUncached(pg) && !PageWC(pg))
9296 -@@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
9297 - SetPageWC(pg);
9298 - break;
9299 - default:
9300 -- case -1:
9301 -+ case ~0UL:
9302 - ClearPageUncached(pg);
9303 - ClearPageWC(pg);
9304 - break;
9305 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/calling.h linux-2.6.32.46/arch/x86/include/asm/calling.h
9306 ---- linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-03-27 14:31:47.000000000 -0400
9307 -+++ linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-10-06 10:08:42.000000000 -0400
9308 -@@ -52,32 +52,32 @@ For 32-bit we have the following convent
9309 - * for assembly code:
9310 - */
9311 -
9312 --#define R15 0
9313 --#define R14 8
9314 --#define R13 16
9315 --#define R12 24
9316 --#define RBP 32
9317 --#define RBX 40
9318 -+#define R15 (0)
9319 -+#define R14 (8)
9320 -+#define R13 (16)
9321 -+#define R12 (24)
9322 -+#define RBP (32)
9323 -+#define RBX (40)
9324 -
9325 - /* arguments: interrupts/non tracing syscalls only save up to here: */
9326 --#define R11 48
9327 --#define R10 56
9328 --#define R9 64
9329 --#define R8 72
9330 --#define RAX 80
9331 --#define RCX 88
9332 --#define RDX 96
9333 --#define RSI 104
9334 --#define RDI 112
9335 --#define ORIG_RAX 120 /* + error_code */
9336 -+#define R11 (48)
9337 -+#define R10 (56)
9338 -+#define R9 (64)
9339 -+#define R8 (72)
9340 -+#define RAX (80)
9341 -+#define RCX (88)
9342 -+#define RDX (96)
9343 -+#define RSI (104)
9344 -+#define RDI (112)
9345 -+#define ORIG_RAX (120) /* + error_code */
9346 - /* end of arguments */
9347 -
9348 - /* cpu exception frame or undefined in case of fast syscall: */
9349 --#define RIP 128
9350 --#define CS 136
9351 --#define EFLAGS 144
9352 --#define RSP 152
9353 --#define SS 160
9354 -+#define RIP (128)
9355 -+#define CS (136)
9356 -+#define EFLAGS (144)
9357 -+#define RSP (152)
9358 -+#define SS (160)
9359 -
9360 - #define ARGOFFSET R11
9361 - #define SWFRAME ORIG_RAX
9362 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/checksum_32.h linux-2.6.32.46/arch/x86/include/asm/checksum_32.h
9363 ---- linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
9364 -+++ linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
9365 -@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9366 - int len, __wsum sum,
9367 - int *src_err_ptr, int *dst_err_ptr);
9368 -
9369 -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9370 -+ int len, __wsum sum,
9371 -+ int *src_err_ptr, int *dst_err_ptr);
9372 -+
9373 -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9374 -+ int len, __wsum sum,
9375 -+ int *src_err_ptr, int *dst_err_ptr);
9376 -+
9377 - /*
9378 - * Note: when you get a NULL pointer exception here this means someone
9379 - * passed in an incorrect kernel address to one of these functions.
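Review bot: the two new prototypes carry no `__user` annotation, so the direction the names promise is not checked by sparse. Both take `const void *src, void *dst`, and the callers in the following hunks still pass `(__force void *)src` and `(__force void *)dst`. Declaring `const void __user *src` on the from_user variant and `void __user *dst` on the to_user variant would let those `__force` casts go and would flag a caller that picks the wrong variant.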
9380 -@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9381 - int *err_ptr)
9382 - {
9383 - might_sleep();
9384 -- return csum_partial_copy_generic((__force void *)src, dst,
9385 -+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
9386 - len, sum, err_ptr, NULL);
9387 - }
9388 -
9389 -@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9390 - {
9391 - might_sleep();
9392 - if (access_ok(VERIFY_WRITE, dst, len))
9393 -- return csum_partial_copy_generic(src, (__force void *)dst,
9394 -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9395 - len, sum, NULL, err_ptr);
9396 -
9397 - if (len)
9398 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc.h linux-2.6.32.46/arch/x86/include/asm/desc.h
9399 ---- linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-03-27 14:31:47.000000000 -0400
9400 -+++ linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-04-23 12:56:10.000000000 -0400
9401 -@@ -4,6 +4,7 @@
9402 - #include <asm/desc_defs.h>
9403 - #include <asm/ldt.h>
9404 - #include <asm/mmu.h>
9405 -+#include <asm/pgtable.h>
9406 - #include <linux/smp.h>
9407 -
9408 - static inline void fill_ldt(struct desc_struct *desc,
9409 -@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9410 - desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9411 - desc->type = (info->read_exec_only ^ 1) << 1;
9412 - desc->type |= info->contents << 2;
9413 -+ desc->type |= info->seg_not_present ^ 1;
9414 - desc->s = 1;
9415 - desc->dpl = 0x3;
9416 - desc->p = info->seg_not_present ^ 1;
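Review bot: the added `desc->type |= info->seg_not_present ^ 1;` needs a comment. It sets bit 0 of the type field, the accessed bit, for every present segment, using the same expression that fills `desc->p` two lines later, and the reason is not stated. If the point is that the CPU should never have to write the accessed bit back into a descriptor table that is write-protected, say so next to the line.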
9417 -@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9418 - }
9419 -
9420 - extern struct desc_ptr idt_descr;
9421 --extern gate_desc idt_table[];
9422 --
9423 --struct gdt_page {
9424 -- struct desc_struct gdt[GDT_ENTRIES];
9425 --} __attribute__((aligned(PAGE_SIZE)));
9426 --DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9427 -+extern gate_desc idt_table[256];
9428 -
9429 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9430 - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9431 - {
9432 -- return per_cpu(gdt_page, cpu).gdt;
9433 -+ return cpu_gdt_table[cpu];
9434 - }
9435 -
9436 - #ifdef CONFIG_X86_64
9437 -@@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9438 - unsigned long base, unsigned dpl, unsigned flags,
9439 - unsigned short seg)
9440 - {
9441 -- gate->a = (seg << 16) | (base & 0xffff);
9442 -- gate->b = (base & 0xffff0000) |
9443 -- (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9444 -+ gate->gate.offset_low = base;
9445 -+ gate->gate.seg = seg;
9446 -+ gate->gate.reserved = 0;
9447 -+ gate->gate.type = type;
9448 -+ gate->gate.s = 0;
9449 -+ gate->gate.dpl = dpl;
9450 -+ gate->gate.p = 1;
9451 -+ gate->gate.offset_high = base >> 16;
9452 - }
9453 -
9454 - #endif
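Review bot: the rewritten pack_gate relies on implicit truncation where the old code masked explicitly. `gate->gate.offset_low = base;` keeps only the low 16 bits because the field is u16, and `gate->gate.type = type;` keeps only 4 bits because of the bitfield width declared in desc_defs.h. Writing `base & 0xffff` and `type & 0xf` would make that visible and keep compilers quiet about narrowing. The `flags` parameter is unused before and after the change and could be marked as such.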
9455 -@@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9456 - static inline void native_write_idt_entry(gate_desc *idt, int entry,
9457 - const gate_desc *gate)
9458 - {
9459 -+ pax_open_kernel();
9460 - memcpy(&idt[entry], gate, sizeof(*gate));
9461 -+ pax_close_kernel();
9462 - }
9463 -
9464 - static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9465 - const void *desc)
9466 - {
9467 -+ pax_open_kernel();
9468 - memcpy(&ldt[entry], desc, 8);
9469 -+ pax_close_kernel();
9470 - }
9471 -
9472 - static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
9473 -@@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9474 - size = sizeof(struct desc_struct);
9475 - break;
9476 - }
9477 -+
9478 -+ pax_open_kernel();
9479 - memcpy(&gdt[entry], desc, size);
9480 -+ pax_close_kernel();
9481 - }
9482 -
9483 - static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9484 -@@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9485 -
9486 - static inline void native_load_tr_desc(void)
9487 - {
9488 -+ pax_open_kernel();
9489 - asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9490 -+ pax_close_kernel();
9491 - }
9492 -
9493 - static inline void native_load_gdt(const struct desc_ptr *dtr)
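Review bot: wrapping `ltr` in pax_open_kernel()/pax_close_kernel() needs a comment, because unlike the memcpy() calls in the earlier hunks it does not look like a store. The instruction marks the TSS descriptor busy in the GDT, which is a write by the CPU into the table; without a note a later cleanup is likely to remove the pair as unnecessary.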
9494 -@@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9495 - unsigned int i;
9496 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9497 -
9498 -+ pax_open_kernel();
9499 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9500 - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9501 -+ pax_close_kernel();
9502 - }
9503 -
9504 - #define _LDT_empty(info) \
9505 -@@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9506 - desc->limit = (limit >> 16) & 0xf;
9507 - }
9508 -
9509 --static inline void _set_gate(int gate, unsigned type, void *addr,
9510 -+static inline void _set_gate(int gate, unsigned type, const void *addr,
9511 - unsigned dpl, unsigned ist, unsigned seg)
9512 - {
9513 - gate_desc s;
9514 -@@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9515 - * Pentium F0 0F bugfix can have resulted in the mapped
9516 - * IDT being write-protected.
9517 - */
9518 --static inline void set_intr_gate(unsigned int n, void *addr)
9519 -+static inline void set_intr_gate(unsigned int n, const void *addr)
9520 - {
9521 - BUG_ON((unsigned)n > 0xFF);
9522 - _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9523 -@@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9524 - /*
9525 - * This routine sets up an interrupt gate at directory privilege level 3.
9526 - */
9527 --static inline void set_system_intr_gate(unsigned int n, void *addr)
9528 -+static inline void set_system_intr_gate(unsigned int n, const void *addr)
9529 - {
9530 - BUG_ON((unsigned)n > 0xFF);
9531 - _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9532 - }
9533 -
9534 --static inline void set_system_trap_gate(unsigned int n, void *addr)
9535 -+static inline void set_system_trap_gate(unsigned int n, const void *addr)
9536 - {
9537 - BUG_ON((unsigned)n > 0xFF);
9538 - _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9539 - }
9540 -
9541 --static inline void set_trap_gate(unsigned int n, void *addr)
9542 -+static inline void set_trap_gate(unsigned int n, const void *addr)
9543 - {
9544 - BUG_ON((unsigned)n > 0xFF);
9545 - _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9546 -@@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9547 - static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9548 - {
9549 - BUG_ON((unsigned)n > 0xFF);
9550 -- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9551 -+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9552 - }
9553 -
9554 --static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9555 -+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9556 - {
9557 - BUG_ON((unsigned)n > 0xFF);
9558 - _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9559 - }
9560 -
9561 --static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9562 -+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9563 - {
9564 - BUG_ON((unsigned)n > 0xFF);
9565 - _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9566 - }
9567 -
9568 -+#ifdef CONFIG_X86_32
9569 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9570 -+{
9571 -+ struct desc_struct d;
9572 -+
9573 -+ if (likely(limit))
9574 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
9575 -+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
9576 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9577 -+}
9578 -+#endif
9579 -+
9580 - #endif /* _ASM_X86_DESC_H */
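Review bot: set_user_cs() has no comment, passes the bare constants `0xFB` and `0xC` to pack_descriptor(), and leaves the `limit == 0` case undocumented. When `limit` is zero the `if (likely(limit))` conversion is skipped and 0 is written as the descriptor limit; say what segment a caller gets in that case, or reject it. Named constants or a short comment decoding the type and flags values would also help, and the unit of `limit` (bytes in, pages out) belongs in a kernel-doc line.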
9581 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc_defs.h linux-2.6.32.46/arch/x86/include/asm/desc_defs.h
9582 ---- linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-03-27 14:31:47.000000000 -0400
9583 -+++ linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-04-17 15:56:46.000000000 -0400
9584 -@@ -31,6 +31,12 @@ struct desc_struct {
9585 - unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9586 - unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9587 - };
9588 -+ struct {
9589 -+ u16 offset_low;
9590 -+ u16 seg;
9591 -+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9592 -+ unsigned offset_high: 16;
9593 -+ } gate;
9594 - };
9595 - } __attribute__((packed));
9596 -
9597 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/device.h linux-2.6.32.46/arch/x86/include/asm/device.h
9598 ---- linux-2.6.32.46/arch/x86/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
9599 -+++ linux-2.6.32.46/arch/x86/include/asm/device.h 2011-04-17 15:56:46.000000000 -0400
9600 -@@ -6,7 +6,7 @@ struct dev_archdata {
9601 - void *acpi_handle;
9602 - #endif
9603 - #ifdef CONFIG_X86_64
9604 --struct dma_map_ops *dma_ops;
9605 -+ const struct dma_map_ops *dma_ops;
9606 - #endif
9607 - #ifdef CONFIG_DMAR
9608 - void *iommu; /* hook for IOMMU specific extension */
9609 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h
9610 ---- linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
9611 -+++ linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
9612 -@@ -25,9 +25,9 @@ extern int iommu_merge;
9613 - extern struct device x86_dma_fallback_dev;
9614 - extern int panic_on_overflow;
9615 -
9616 --extern struct dma_map_ops *dma_ops;
9617 -+extern const struct dma_map_ops *dma_ops;
9618 -
9619 --static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9620 -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9621 - {
9622 - #ifdef CONFIG_X86_32
9623 - return dma_ops;
9624 -@@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
9625 - /* Make sure we keep the same behaviour */
9626 - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9627 - {
9628 -- struct dma_map_ops *ops = get_dma_ops(dev);
9629 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
9630 - if (ops->mapping_error)
9631 - return ops->mapping_error(dev, dma_addr);
9632 -
9633 -@@ -122,7 +122,7 @@ static inline void *
9634 - dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9635 - gfp_t gfp)
9636 - {
9637 -- struct dma_map_ops *ops = get_dma_ops(dev);
9638 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
9639 - void *memory;
9640 -
9641 - gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9642 -@@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
9643 - static inline void dma_free_coherent(struct device *dev, size_t size,
9644 - void *vaddr, dma_addr_t bus)
9645 - {
9646 -- struct dma_map_ops *ops = get_dma_ops(dev);
9647 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
9648 -
9649 - WARN_ON(irqs_disabled()); /* for portability */
9650 -
9651 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/e820.h linux-2.6.32.46/arch/x86/include/asm/e820.h
9652 ---- linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-03-27 14:31:47.000000000 -0400
9653 -+++ linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-04-17 15:56:46.000000000 -0400
9654 -@@ -133,7 +133,7 @@ extern char *default_machine_specific_me
9655 - #define ISA_END_ADDRESS 0x100000
9656 - #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
9657 -
9658 --#define BIOS_BEGIN 0x000a0000
9659 -+#define BIOS_BEGIN 0x000c0000
9660 - #define BIOS_END 0x00100000
9661 -
9662 - #ifdef __KERNEL__
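Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no comment, which takes 0xa0000-0xbffff out of the range bounded by BIOS_BEGIN and BIOS_END for every user of these macros. None of those users are visible in this hunk, so the effect cannot be judged from here. Please add a comment stating why the lower 128 KiB is excluded and which checks are meant to change as a result.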
9663 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/elf.h linux-2.6.32.46/arch/x86/include/asm/elf.h
9664 ---- linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
9665 -+++ linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-08-23 20:24:19.000000000 -0400
9666 -@@ -257,7 +257,25 @@ extern int force_personality32;
9667 - the loader. We need to make sure that it is out of the way of the program
9668 - that it will "exec", and that there is sufficient room for the brk. */
9669 -
9670 -+#ifdef CONFIG_PAX_SEGMEXEC
9671 -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9672 -+#else
9673 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9674 -+#endif
9675 -+
9676 -+#ifdef CONFIG_PAX_ASLR
9677 -+#ifdef CONFIG_X86_32
9678 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9679 -+
9680 -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9681 -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9682 -+#else
9683 -+#define PAX_ELF_ET_DYN_BASE 0x400000UL
9684 -+
9685 -+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9686 -+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9687 -+#endif
9688 -+#endif
9689 -
9690 - /* This yields a mask that user programs can use to figure out what
9691 - instruction set this CPU supports. This could be done in user space,
9692 -@@ -310,9 +328,7 @@ do { \
9693 -
9694 - #define ARCH_DLINFO \
9695 - do { \
9696 -- if (vdso_enabled) \
9697 -- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9698 -- (unsigned long)current->mm->context.vdso); \
9699 -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
9700 - } while (0)
9701 -
9702 - #define AT_SYSINFO 32
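Review bot: dropping `if (vdso_enabled)` makes ARCH_DLINFO emit AT_SYSINFO_EHDR unconditionally, so a process started with the vDSO disabled now gets an auxv entry carrying whatever `current->mm->context.vdso` holds. Either keep the test, or add a comment stating that the field is guaranteed to be 0 in that case and that userland is expected to treat a zero entry as absent. The removed cast also implies `context.vdso` changed type elsewhere in the patch; a note pointing at that change would make this hunk reviewable on its own.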
9703 -@@ -323,7 +339,7 @@ do { \
9704 -
9705 - #endif /* !CONFIG_X86_32 */
9706 -
9707 --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9708 -+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9709 -
9710 - #define VDSO_ENTRY \
9711 - ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9712 -@@ -337,7 +353,4 @@ extern int arch_setup_additional_pages(s
9713 - extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9714 - #define compat_arch_setup_additional_pages syscall32_setup_pages
9715 -
9716 --extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9717 --#define arch_randomize_brk arch_randomize_brk
9718 --
9719 - #endif /* _ASM_X86_ELF_H */
9720 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h
9721 ---- linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
9722 -+++ linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-05-22 23:02:06.000000000 -0400
9723 -@@ -15,6 +15,6 @@ enum reboot_type {
9724 -
9725 - extern enum reboot_type reboot_type;
9726 -
9727 --extern void machine_emergency_restart(void);
9728 -+extern void machine_emergency_restart(void) __noreturn;
9729 -
9730 - #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9731 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86/include/asm/futex.h
9732 ---- linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
9733 -+++ linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-10-06 09:37:08.000000000 -0400
9734 -@@ -12,16 +12,18 @@
9735 - #include <asm/system.h>
9736 -
9737 - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9738 -+ typecheck(u32 __user *, uaddr); \
9739 - asm volatile("1:\t" insn "\n" \
9740 - "2:\t.section .fixup,\"ax\"\n" \
9741 - "3:\tmov\t%3, %1\n" \
9742 - "\tjmp\t2b\n" \
9743 - "\t.previous\n" \
9744 - _ASM_EXTABLE(1b, 3b) \
9745 -- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9746 -+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
9747 - : "i" (-EFAULT), "0" (oparg), "1" (0))
9748 -
9749 - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9750 -+ typecheck(u32 __user *, uaddr); \
9751 - asm volatile("1:\tmovl %2, %0\n" \
9752 - "\tmovl\t%0, %3\n" \
9753 - "\t" insn "\n" \
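Review bot: adding `typecheck(u32 __user *, uaddr);` in front of `asm volatile(...)` turns __futex_atomic_op1 and __futex_atomic_op2 into two-statement macros with no enclosing `do { ... } while (0)`. The visible callers sit under `case` labels, where that works, but an unbraced `if` would guard only the typecheck and run the asm unconditionally. Wrap both macro bodies in `do { ... } while (0)`.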
9754 -@@ -34,10 +36,10 @@
9755 - _ASM_EXTABLE(1b, 4b) \
9756 - _ASM_EXTABLE(2b, 4b) \
9757 - : "=&a" (oldval), "=&r" (ret), \
9758 -- "+m" (*uaddr), "=&r" (tem) \
9759 -+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
9760 - : "r" (oparg), "i" (-EFAULT), "1" (0))
9761 -
9762 --static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
9763 -+static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9764 - {
9765 - int op = (encoded_op >> 28) & 7;
9766 - int cmp = (encoded_op >> 24) & 15;
9767 -@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9768 -
9769 - switch (op) {
9770 - case FUTEX_OP_SET:
9771 -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9772 -+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9773 - break;
9774 - case FUTEX_OP_ADD:
9775 -- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9776 -+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9777 - uaddr, oparg);
9778 - break;
9779 - case FUTEX_OP_OR:
9780 -@@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
9781 - return ret;
9782 - }
9783 -
9784 --static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
9785 -+static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
9786 - int newval)
9787 - {
9788 -
9789 -@@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
9790 - return -ENOSYS;
9791 - #endif
9792 -
9793 -- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
9794 -+ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9795 - return -EFAULT;
9796 -
9797 -- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
9798 -+ asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
9799 - "2:\t.section .fixup, \"ax\"\n"
9800 - "3:\tmov %2, %0\n"
9801 - "\tjmp 2b\n"
9802 - "\t.previous\n"
9803 - _ASM_EXTABLE(1b, 3b)
9804 -- : "=a" (oldval), "+m" (*uaddr)
9805 -+ : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9806 - : "i" (-EFAULT), "r" (newval), "0" (oldval)
9807 - : "memory"
9808 - );
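Review bot: the memory operand in futex_atomic_cmpxchg_inatomic is cast as `*(u32 *)____m(uaddr)`, without `__user`, while both __futex_atomic_op macros earlier in this file use `*(u32 __user *)____m(uaddr)`. Dropping the address-space annotation here hides the access from sparse for no visible reason; use the same `(u32 __user *)` cast in all three places.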
9809 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/hw_irq.h linux-2.6.32.46/arch/x86/include/asm/hw_irq.h
9810 ---- linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-03-27 14:31:47.000000000 -0400
9811 -+++ linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-05-04 17:56:28.000000000 -0400
9812 -@@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
9813 - extern void enable_IO_APIC(void);
9814 -
9815 - /* Statistics */
9816 --extern atomic_t irq_err_count;
9817 --extern atomic_t irq_mis_count;
9818 -+extern atomic_unchecked_t irq_err_count;
9819 -+extern atomic_unchecked_t irq_mis_count;
9820 -
9821 - /* EISA */
9822 - extern void eisa_set_level_irq(unsigned int irq);
9823 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/i387.h linux-2.6.32.46/arch/x86/include/asm/i387.h
9824 ---- linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-03-27 14:31:47.000000000 -0400
9825 -+++ linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-04-17 15:56:46.000000000 -0400
9826 -@@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
9827 - {
9828 - int err;
9829 -
9830 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9831 -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9832 -+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9833 -+#endif
9834 -+
9835 - asm volatile("1: rex64/fxrstor (%[fx])\n\t"
9836 - "2:\n"
9837 - ".section .fixup,\"ax\"\n"
9838 -@@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
9839 - {
9840 - int err;
9841 -
9842 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9843 -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9844 -+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9845 -+#endif
9846 -+
9847 - asm volatile("1: rex64/fxsave (%[fx])\n\t"
9848 - "2:\n"
9849 - ".section .fixup,\"ax\"\n"
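Review bot: the PAX_USER_SHADOW_BASE rebase is open-coded here for the second time, and the two copies already differ: this one casts through `void __user *`, the one in fxrstor_checking above through plain `void *`. A small helper taking and returning the pointer would remove the duplicated `#if` block and settle the annotation in one place. The test only checks `(unsigned long)fx < PAX_USER_SHADOW_BASE`; a comment on why no upper bound is needed after the addition would help.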
9850 -@@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
9851 - }
9852 -
9853 - /* We need a safe address that is cheap to find and that is already
9854 -- in L1 during context switch. The best choices are unfortunately
9855 -- different for UP and SMP */
9856 --#ifdef CONFIG_SMP
9857 --#define safe_address (__per_cpu_offset[0])
9858 --#else
9859 --#define safe_address (kstat_cpu(0).cpustat.user)
9860 --#endif
9861 -+ in L1 during context switch. */
9862 -+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9863 -
9864 - /*
9865 - * These must be called with preempt disabled
9866 -@@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
9867 - struct thread_info *me = current_thread_info();
9868 - preempt_disable();
9869 - if (me->status & TS_USEDFPU)
9870 -- __save_init_fpu(me->task);
9871 -+ __save_init_fpu(current);
9872 - else
9873 - clts();
9874 - }
9875 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_32.h linux-2.6.32.46/arch/x86/include/asm/io_32.h
9876 ---- linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-03-27 14:31:47.000000000 -0400
9877 -+++ linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-04-17 15:56:46.000000000 -0400
9878 -@@ -3,6 +3,7 @@
9879 -
9880 - #include <linux/string.h>
9881 - #include <linux/compiler.h>
9882 -+#include <asm/processor.h>
9883 -
9884 - /*
9885 - * This file contains the definitions for the x86 IO instructions
9886 -@@ -42,6 +43,17 @@
9887 -
9888 - #ifdef __KERNEL__
9889 -
9890 -+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9891 -+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9892 -+{
9893 -+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9894 -+}
9895 -+
9896 -+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9897 -+{
9898 -+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9899 -+}
9900 -+
9901 - #include <asm-generic/iomap.h>
9902 -
9903 - #include <linux/vmalloc.h>
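Review bot: the range checks added here can wrap before the comparison. In valid_phys_addr_range() the sum `addr + count + PAGE_SIZE - 1` is evaluated in unsigned long, which is 32 bits for this header, so a large `addr` or `count` wraps to a small page number that passes the `< (1ULL << ...)` test; `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() has the same problem. Widen the operands to u64 before adding, or reject `count` values that exceed the space left above `addr` first. The trailing `? 1 : 0` on a comparison is redundant.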
9904 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_64.h linux-2.6.32.46/arch/x86/include/asm/io_64.h
9905 ---- linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-03-27 14:31:47.000000000 -0400
9906 -+++ linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-04-17 15:56:46.000000000 -0400
9907 -@@ -140,6 +140,17 @@ __OUTS(l)
9908 -
9909 - #include <linux/vmalloc.h>
9910 -
9911 -+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9912 -+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9913 -+{
9914 -+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9915 -+}
9916 -+
9917 -+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9918 -+{
9919 -+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9920 -+}
9921 -+
9922 - #include <asm-generic/iomap.h>
9923 -
9924 - void __memcpy_fromio(void *, unsigned long, unsigned);
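Review bot: these two functions and the ARCH_HAS_VALID_PHYS_ADDR_RANGE define are a verbatim copy of what the previous file's hunk adds to io_32.h. Put them in one header shared by both so that a fix to the arithmetic, such as guarding the unchecked additions against wrap-around, is made once. Neither copy has a comment stating that the limit comes from `boot_cpu_data.x86_phys_bits`, which is worth a line.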
9925 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/iommu.h linux-2.6.32.46/arch/x86/include/asm/iommu.h
9926 ---- linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
9927 -+++ linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-04-17 15:56:46.000000000 -0400
9928 -@@ -3,7 +3,7 @@
9929 -
9930 - extern void pci_iommu_shutdown(void);
9931 - extern void no_iommu_init(void);
9932 --extern struct dma_map_ops nommu_dma_ops;
9933 -+extern const struct dma_map_ops nommu_dma_ops;
9934 - extern int force_iommu, no_iommu;
9935 - extern int iommu_detected;
9936 - extern int iommu_pass_through;
9937 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/irqflags.h linux-2.6.32.46/arch/x86/include/asm/irqflags.h
9938 ---- linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-03-27 14:31:47.000000000 -0400
9939 -+++ linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-04-17 15:56:46.000000000 -0400
9940 -@@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
9941 - sti; \
9942 - sysexit
9943 -
9944 -+#define GET_CR0_INTO_RDI mov %cr0, %rdi
9945 -+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
9946 -+#define GET_CR3_INTO_RDI mov %cr3, %rdi
9947 -+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
9948 -+
9949 - #else
9950 - #define INTERRUPT_RETURN iret
9951 - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
9952 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/kprobes.h linux-2.6.32.46/arch/x86/include/asm/kprobes.h
9953 ---- linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-03-27 14:31:47.000000000 -0400
9954 -+++ linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-04-23 12:56:12.000000000 -0400
9955 -@@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
9956 - #define BREAKPOINT_INSTRUCTION 0xcc
9957 - #define RELATIVEJUMP_INSTRUCTION 0xe9
9958 - #define MAX_INSN_SIZE 16
9959 --#define MAX_STACK_SIZE 64
9960 --#define MIN_STACK_SIZE(ADDR) \
9961 -- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
9962 -- THREAD_SIZE - (unsigned long)(ADDR))) \
9963 -- ? (MAX_STACK_SIZE) \
9964 -- : (((unsigned long)current_thread_info()) + \
9965 -- THREAD_SIZE - (unsigned long)(ADDR)))
9966 -+#define MAX_STACK_SIZE 64UL
9967 -+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
9968 -
9969 - #define flush_insn_slot(p) do { } while (0)
9970 -
9971 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/kvm_host.h linux-2.6.32.46/arch/x86/include/asm/kvm_host.h
9972 ---- linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:01.000000000 -0400
9973 -+++ linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-08-26 20:19:09.000000000 -0400
9974 -@@ -534,9 +534,9 @@ struct kvm_x86_ops {
9975 - bool (*gb_page_enable)(void);
9976 -
9977 - const struct trace_print_flags *exit_reasons_str;
9978 --};
9979 -+} __do_const;
9980 -
9981 --extern struct kvm_x86_ops *kvm_x86_ops;
9982 -+extern const struct kvm_x86_ops *kvm_x86_ops;
9983 -
9984 - int kvm_mmu_module_init(void);
9985 - void kvm_mmu_module_exit(void);
9986 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/local.h linux-2.6.32.46/arch/x86/include/asm/local.h
9987 ---- linux-2.6.32.46/arch/x86/include/asm/local.h 2011-03-27 14:31:47.000000000 -0400
9988 -+++ linux-2.6.32.46/arch/x86/include/asm/local.h 2011-04-17 15:56:46.000000000 -0400
9989 -@@ -18,26 +18,58 @@ typedef struct {
9990 -
9991 - static inline void local_inc(local_t *l)
9992 - {
9993 -- asm volatile(_ASM_INC "%0"
9994 -+ asm volatile(_ASM_INC "%0\n"
9995 -+
9996 -+#ifdef CONFIG_PAX_REFCOUNT
9997 -+ "jno 0f\n"
9998 -+ _ASM_DEC "%0\n"
9999 -+ "int $4\n0:\n"
10000 -+ _ASM_EXTABLE(0b, 0b)
10001 -+#endif
10002 -+
10003 - : "+m" (l->a.counter));
10004 - }
10005 -
10006 - static inline void local_dec(local_t *l)
10007 - {
10008 -- asm volatile(_ASM_DEC "%0"
10009 -+ asm volatile(_ASM_DEC "%0\n"
10010 -+
10011 -+#ifdef CONFIG_PAX_REFCOUNT
10012 -+ "jno 0f\n"
10013 -+ _ASM_INC "%0\n"
10014 -+ "int $4\n0:\n"
10015 -+ _ASM_EXTABLE(0b, 0b)
10016 -+#endif
10017 -+
10018 - : "+m" (l->a.counter));
10019 - }
10020 -
10021 - static inline void local_add(long i, local_t *l)
10022 - {
10023 -- asm volatile(_ASM_ADD "%1,%0"
10024 -+ asm volatile(_ASM_ADD "%1,%0\n"
10025 -+
10026 -+#ifdef CONFIG_PAX_REFCOUNT
10027 -+ "jno 0f\n"
10028 -+ _ASM_SUB "%1,%0\n"
10029 -+ "int $4\n0:\n"
10030 -+ _ASM_EXTABLE(0b, 0b)
10031 -+#endif
10032 -+
10033 - : "+m" (l->a.counter)
10034 - : "ir" (i));
10035 - }
10036 -
10037 - static inline void local_sub(long i, local_t *l)
10038 - {
10039 -- asm volatile(_ASM_SUB "%1,%0"
10040 -+ asm volatile(_ASM_SUB "%1,%0\n"
10041 -+
10042 -+#ifdef CONFIG_PAX_REFCOUNT
10043 -+ "jno 0f\n"
10044 -+ _ASM_ADD "%1,%0\n"
10045 -+ "int $4\n0:\n"
10046 -+ _ASM_EXTABLE(0b, 0b)
10047 -+#endif
10048 -+
10049 - : "+m" (l->a.counter)
10050 - : "ir" (i));
10051 - }
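Review bot: The CONFIG_PAX_REFCOUNT block (jno 0f, the inverse operation, int $4, _ASM_EXTABLE(0b, 0b)) is pasted into local_inc, local_dec, local_add and local_sub with only the undo instruction changing, and none of the copies carries a comment. Suggest a single macro that takes the undo instruction as its argument, with a comment stating that jno tests for signed overflow, that the counter is restored before int $4 is raised, and why the exception table entry maps label 0 to itself. That keeps the pairs (INC/DEC, ADD/SUB) from drifting apart when one copy is edited.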
10052 -@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
10053 - {
10054 - unsigned char c;
10055 -
10056 -- asm volatile(_ASM_SUB "%2,%0; sete %1"
10057 -+ asm volatile(_ASM_SUB "%2,%0\n"
10058 -+
10059 -+#ifdef CONFIG_PAX_REFCOUNT
10060 -+ "jno 0f\n"
10061 -+ _ASM_ADD "%2,%0\n"
10062 -+ "int $4\n0:\n"
10063 -+ _ASM_EXTABLE(0b, 0b)
10064 -+#endif
10065 -+
10066 -+ "sete %1\n"
10067 - : "+m" (l->a.counter), "=qm" (c)
10068 - : "ir" (i) : "memory");
10069 - return c;
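Review bot: With "sete %1" moved after label 0, the overflow path reaches it only after the undoing _ASM_ADD and the int $4, so c no longer describes the result of the subtraction on that path. Please state in a comment what local_sub_and_test() is meant to return when the overflow check fires, since callers typically act on this value to decide whether the count reached zero. The same question applies to the sete/sets placement in the local_dec_and_test, local_inc_and_test and local_add_negative hunks that follow.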
10070 -@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
10071 - {
10072 - unsigned char c;
10073 -
10074 -- asm volatile(_ASM_DEC "%0; sete %1"
10075 -+ asm volatile(_ASM_DEC "%0\n"
10076 -+
10077 -+#ifdef CONFIG_PAX_REFCOUNT
10078 -+ "jno 0f\n"
10079 -+ _ASM_INC "%0\n"
10080 -+ "int $4\n0:\n"
10081 -+ _ASM_EXTABLE(0b, 0b)
10082 -+#endif
10083 -+
10084 -+ "sete %1\n"
10085 - : "+m" (l->a.counter), "=qm" (c)
10086 - : : "memory");
10087 - return c != 0;
10088 -@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
10089 - {
10090 - unsigned char c;
10091 -
10092 -- asm volatile(_ASM_INC "%0; sete %1"
10093 -+ asm volatile(_ASM_INC "%0\n"
10094 -+
10095 -+#ifdef CONFIG_PAX_REFCOUNT
10096 -+ "jno 0f\n"
10097 -+ _ASM_DEC "%0\n"
10098 -+ "int $4\n0:\n"
10099 -+ _ASM_EXTABLE(0b, 0b)
10100 -+#endif
10101 -+
10102 -+ "sete %1\n"
10103 - : "+m" (l->a.counter), "=qm" (c)
10104 - : : "memory");
10105 - return c != 0;
10106 -@@ -110,7 +169,16 @@ static inline int local_add_negative(lon
10107 - {
10108 - unsigned char c;
10109 -
10110 -- asm volatile(_ASM_ADD "%2,%0; sets %1"
10111 -+ asm volatile(_ASM_ADD "%2,%0\n"
10112 -+
10113 -+#ifdef CONFIG_PAX_REFCOUNT
10114 -+ "jno 0f\n"
10115 -+ _ASM_SUB "%2,%0\n"
10116 -+ "int $4\n0:\n"
10117 -+ _ASM_EXTABLE(0b, 0b)
10118 -+#endif
10119 -+
10120 -+ "sets %1\n"
10121 - : "+m" (l->a.counter), "=qm" (c)
10122 - : "ir" (i) : "memory");
10123 - return c;
10124 -@@ -133,7 +201,15 @@ static inline long local_add_return(long
10125 - #endif
10126 - /* Modern 486+ processor */
10127 - __i = i;
10128 -- asm volatile(_ASM_XADD "%0, %1;"
10129 -+ asm volatile(_ASM_XADD "%0, %1\n"
10130 -+
10131 -+#ifdef CONFIG_PAX_REFCOUNT
10132 -+ "jno 0f\n"
10133 -+ _ASM_MOV "%0,%1\n"
10134 -+ "int $4\n0:\n"
10135 -+ _ASM_EXTABLE(0b, 0b)
10136 -+#endif
10137 -+
10138 - : "+r" (i), "+m" (l->a.counter)
10139 - : : "memory");
10140 - return i + __i;
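Review bot: On the overflow path the counter and the return value disagree. After xadd, %0 holds the old counter value, and _ASM_MOV "%0,%1" writes it back, so l->a.counter is restored; but execution then falls through to "return i + __i", which is the old value plus the increment, i.e. the wrapped sum that was just undone. Suggest either documenting that the return value is undefined once int $4 has fired, or returning the restored value on that path.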
10141 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/microcode.h linux-2.6.32.46/arch/x86/include/asm/microcode.h
10142 ---- linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-03-27 14:31:47.000000000 -0400
10143 -+++ linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-04-17 15:56:46.000000000 -0400
10144 -@@ -12,13 +12,13 @@ struct device;
10145 - enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
10146 -
10147 - struct microcode_ops {
10148 -- enum ucode_state (*request_microcode_user) (int cpu,
10149 -+ enum ucode_state (* const request_microcode_user) (int cpu,
10150 - const void __user *buf, size_t size);
10151 -
10152 -- enum ucode_state (*request_microcode_fw) (int cpu,
10153 -+ enum ucode_state (* const request_microcode_fw) (int cpu,
10154 - struct device *device);
10155 -
10156 -- void (*microcode_fini_cpu) (int cpu);
10157 -+ void (* const microcode_fini_cpu) (int cpu);
10158 -
10159 - /*
10160 - * The generic 'microcode_core' part guarantees that
10161 -@@ -38,18 +38,18 @@ struct ucode_cpu_info {
10162 - extern struct ucode_cpu_info ucode_cpu_info[];
10163 -
10164 - #ifdef CONFIG_MICROCODE_INTEL
10165 --extern struct microcode_ops * __init init_intel_microcode(void);
10166 -+extern const struct microcode_ops * __init init_intel_microcode(void);
10167 - #else
10168 --static inline struct microcode_ops * __init init_intel_microcode(void)
10169 -+static inline const struct microcode_ops * __init init_intel_microcode(void)
10170 - {
10171 - return NULL;
10172 - }
10173 - #endif /* CONFIG_MICROCODE_INTEL */
10174 -
10175 - #ifdef CONFIG_MICROCODE_AMD
10176 --extern struct microcode_ops * __init init_amd_microcode(void);
10177 -+extern const struct microcode_ops * __init init_amd_microcode(void);
10178 - #else
10179 --static inline struct microcode_ops * __init init_amd_microcode(void)
10180 -+static inline const struct microcode_ops * __init init_amd_microcode(void)
10181 - {
10182 - return NULL;
10183 - }
10184 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/mman.h linux-2.6.32.46/arch/x86/include/asm/mman.h
10185 ---- linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-03-27 14:31:47.000000000 -0400
10186 -+++ linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-04-17 15:56:46.000000000 -0400
10187 -@@ -5,4 +5,14 @@
10188 -
10189 - #include <asm-generic/mman.h>
10190 -
10191 -+#ifdef __KERNEL__
10192 -+#ifndef __ASSEMBLY__
10193 -+#ifdef CONFIG_X86_32
10194 -+#define arch_mmap_check i386_mmap_check
10195 -+int i386_mmap_check(unsigned long addr, unsigned long len,
10196 -+ unsigned long flags);
10197 -+#endif
10198 -+#endif
10199 -+#endif
10200 -+
10201 - #endif /* _ASM_X86_MMAN_H */
10202 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu.h linux-2.6.32.46/arch/x86/include/asm/mmu.h
10203 ---- linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-03-27 14:31:47.000000000 -0400
10204 -+++ linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-04-17 15:56:46.000000000 -0400
10205 -@@ -9,10 +9,23 @@
10206 - * we put the segment information here.
10207 - */
10208 - typedef struct {
10209 -- void *ldt;
10210 -+ struct desc_struct *ldt;
10211 - int size;
10212 - struct mutex lock;
10213 -- void *vdso;
10214 -+ unsigned long vdso;
10215 -+
10216 -+#ifdef CONFIG_X86_32
10217 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10218 -+ unsigned long user_cs_base;
10219 -+ unsigned long user_cs_limit;
10220 -+
10221 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10222 -+ cpumask_t cpu_user_cs_mask;
10223 -+#endif
10224 -+
10225 -+#endif
10226 -+#endif
10227 -+
10228 - } mm_context_t;
10229 -
10230 - #ifdef CONFIG_SMP
10231 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu_context.h linux-2.6.32.46/arch/x86/include/asm/mmu_context.h
10232 ---- linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-03-27 14:31:47.000000000 -0400
10233 -+++ linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-08-23 20:24:19.000000000 -0400
10234 -@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
10235 -
10236 - static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10237 - {
10238 -+
10239 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10240 -+ unsigned int i;
10241 -+ pgd_t *pgd;
10242 -+
10243 -+ pax_open_kernel();
10244 -+ pgd = get_cpu_pgd(smp_processor_id());
10245 -+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10246 -+ set_pgd_batched(pgd+i, native_make_pgd(0));
10247 -+ pax_close_kernel();
10248 -+#endif
10249 -+
10250 - #ifdef CONFIG_SMP
10251 - if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10252 - percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
10253 -@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
10254 - struct task_struct *tsk)
10255 - {
10256 - unsigned cpu = smp_processor_id();
10257 -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) && defined(CONFIG_SMP)
10258 -+ int tlbstate = TLBSTATE_OK;
10259 -+#endif
10260 -
10261 - if (likely(prev != next)) {
10262 - #ifdef CONFIG_SMP
10263 -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10264 -+ tlbstate = percpu_read(cpu_tlbstate.state);
10265 -+#endif
10266 - percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10267 - percpu_write(cpu_tlbstate.active_mm, next);
10268 - #endif
10269 - cpumask_set_cpu(cpu, mm_cpumask(next));
10270 -
10271 - /* Re-load page tables */
10272 -+#ifdef CONFIG_PAX_PER_CPU_PGD
10273 -+ pax_open_kernel();
10274 -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10275 -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10276 -+ pax_close_kernel();
10277 -+ load_cr3(get_cpu_pgd(cpu));
10278 -+#else
10279 - load_cr3(next->pgd);
10280 -+#endif
10281 -
10282 - /* stop flush ipis for the previous mm */
10283 - cpumask_clear_cpu(cpu, mm_cpumask(prev));
10284 -@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
10285 - */
10286 - if (unlikely(prev->context.ldt != next->context.ldt))
10287 - load_LDT_nolock(&next->context);
10288 -- }
10289 -+
10290 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10291 -+ if (!nx_enabled) {
10292 -+ smp_mb__before_clear_bit();
10293 -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10294 -+ smp_mb__after_clear_bit();
10295 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
10296 -+ }
10297 -+#endif
10298 -+
10299 -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10300 -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10301 -+ prev->context.user_cs_limit != next->context.user_cs_limit))
10302 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10303 - #ifdef CONFIG_SMP
10304 -+ else if (unlikely(tlbstate != TLBSTATE_OK))
10305 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10306 -+#endif
10307 -+#endif
10308 -+
10309 -+ }
10310 - else {
10311 -+
10312 -+#ifdef CONFIG_PAX_PER_CPU_PGD
10313 -+ pax_open_kernel();
10314 -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10315 -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10316 -+ pax_close_kernel();
10317 -+ load_cr3(get_cpu_pgd(cpu));
10318 -+#endif
10319 -+
10320 -+#ifdef CONFIG_SMP
10321 - percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10322 - BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10323 -
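Review bot: The CONFIG_PAX_PER_CPU_PGD sequence in the else branch (pax_open_kernel, __clone_user_pgds, __shadow_user_pgds, pax_close_kernel, load_cr3(get_cpu_pgd(cpu))) is a line-for-line copy of the one added under "Re-load page tables" in the previous hunk. Suggest factoring it into one static inline helper so both paths of switch_mm() stay in step. Separately, this hunk moves the closing brace of the if block and the "#ifdef CONFIG_SMP" so that the else branch now exists on non-SMP builds too; a short comment at the else saying that it is kept for the per-CPU PGD reload would make the new brace and #ifdef nesting much easier to verify.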
10324 -@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
10325 - * tlb flush IPI delivery. We must reload CR3
10326 - * to make sure to use no freed page tables.
10327 - */
10328 -+
10329 -+#ifndef CONFIG_PAX_PER_CPU_PGD
10330 - load_cr3(next->pgd);
10331 -+#endif
10332 -+
10333 - load_LDT_nolock(&next->context);
10334 -+
10335 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10336 -+ if (!nx_enabled)
10337 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
10338 -+#endif
10339 -+
10340 -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10341 -+#ifdef CONFIG_PAX_PAGEEXEC
10342 -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
10343 -+#endif
10344 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10345 -+#endif
10346 -+
10347 - }
10348 -- }
10349 - #endif
10350 -+ }
10351 - }
10352 -
10353 - #define activate_mm(prev, next) \
10354 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x86/include/asm/module.h
10355 ---- linux-2.6.32.46/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
10356 -+++ linux-2.6.32.46/arch/x86/include/asm/module.h 2011-10-08 08:16:59.000000000 -0400
10357 -@@ -5,6 +5,7 @@
10358 -
10359 - #ifdef CONFIG_X86_64
10360 - /* X86_64 does not define MODULE_PROC_FAMILY */
10361 -+#define MODULE_PROC_FAMILY ""
10362 - #elif defined CONFIG_M386
10363 - #define MODULE_PROC_FAMILY "386 "
10364 - #elif defined CONFIG_M486
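Review bot: The added "#define MODULE_PROC_FAMILY """ sits directly under the unchanged comment "X86_64 does not define MODULE_PROC_FAMILY", which is no longer true after this change. Please update the comment to say that the macro is defined empty on X86_64 so that it can be concatenated into MODULE_ARCH_VERMAGIC unconditionally, which is how the next hunk uses it.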
10365 -@@ -59,13 +60,24 @@
10366 - #error unknown processor family
10367 - #endif
10368 -
10369 --#ifdef CONFIG_X86_32
10370 --# ifdef CONFIG_4KSTACKS
10371 --# define MODULE_STACKSIZE "4KSTACKS "
10372 --# else
10373 --# define MODULE_STACKSIZE ""
10374 --# endif
10375 --# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
10376 -+#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
10377 -+#define MODULE_STACKSIZE "4KSTACKS "
10378 -+#else
10379 -+#define MODULE_STACKSIZE ""
10380 -+#endif
10381 -+
10382 -+#ifdef CONFIG_PAX_KERNEXEC
10383 -+#define MODULE_PAX_KERNEXEC "KERNEXEC "
10384 -+#else
10385 -+#define MODULE_PAX_KERNEXEC ""
10386 - #endif
10387 -
10388 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10389 -+#define MODULE_PAX_UDEREF "UDEREF "
10390 -+#else
10391 -+#define MODULE_PAX_UDEREF ""
10392 -+#endif
10393 -+
10394 -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
10395 -+
10396 - #endif /* _ASM_X86_MODULE_H */
10397 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/page_64_types.h linux-2.6.32.46/arch/x86/include/asm/page_64_types.h
10398 ---- linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-03-27 14:31:47.000000000 -0400
10399 -+++ linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-04-17 15:56:46.000000000 -0400
10400 -@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10401 -
10402 - /* duplicated to the one in bootmem.h */
10403 - extern unsigned long max_pfn;
10404 --extern unsigned long phys_base;
10405 -+extern const unsigned long phys_base;
10406 -
10407 - extern unsigned long __phys_addr(unsigned long);
10408 - #define __phys_reloc_hide(x) (x)
10409 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt.h linux-2.6.32.46/arch/x86/include/asm/paravirt.h
10410 ---- linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-03-27 14:31:47.000000000 -0400
10411 -+++ linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-08-23 21:36:48.000000000 -0400
10412 -@@ -648,6 +648,18 @@ static inline void set_pgd(pgd_t *pgdp,
10413 - val);
10414 - }
10415 -
10416 -+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
10417 -+{
10418 -+ pgdval_t val = native_pgd_val(pgd);
10419 -+
10420 -+ if (sizeof(pgdval_t) > sizeof(long))
10421 -+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
10422 -+ val, (u64)val >> 32);
10423 -+ else
10424 -+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
10425 -+ val);
10426 -+}
10427 -+
10428 - static inline void pgd_clear(pgd_t *pgdp)
10429 - {
10430 - set_pgd(pgdp, __pgd(0));
10431 -@@ -729,6 +741,21 @@ static inline void __set_fixmap(unsigned
10432 - pv_mmu_ops.set_fixmap(idx, phys, flags);
10433 - }
10434 -
10435 -+#ifdef CONFIG_PAX_KERNEXEC
10436 -+static inline unsigned long pax_open_kernel(void)
10437 -+{
10438 -+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10439 -+}
10440 -+
10441 -+static inline unsigned long pax_close_kernel(void)
10442 -+{
10443 -+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10444 -+}
10445 -+#else
10446 -+static inline unsigned long pax_open_kernel(void) { return 0; }
10447 -+static inline unsigned long pax_close_kernel(void) { return 0; }
10448 -+#endif
10449 -+
10450 - #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10451 -
10452 - static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
10453 -@@ -945,7 +972,7 @@ extern void default_banner(void);
10454 -
10455 - #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10456 - #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10457 --#define PARA_INDIRECT(addr) *%cs:addr
10458 -+#define PARA_INDIRECT(addr) *%ss:addr
10459 - #endif
10460 -
10461 - #define INTERRUPT_RETURN \
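Review bot: PARA_INDIRECT changes its segment override from %cs to %ss with no comment, and this macro is used by every indirect paravirt call and jump in assembly, including the CR0/CR3 accessors added in the next hunk. Please add a one-line comment giving the reason the ops tables must be read through %ss rather than %cs, so the override is not "corrected" back by a later cleanup.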
10462 -@@ -1022,6 +1049,21 @@ extern void default_banner(void);
10463 - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10464 - CLBR_NONE, \
10465 - jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10466 -+
10467 -+#define GET_CR0_INTO_RDI \
10468 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10469 -+ mov %rax,%rdi
10470 -+
10471 -+#define SET_RDI_INTO_CR0 \
10472 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10473 -+
10474 -+#define GET_CR3_INTO_RDI \
10475 -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10476 -+ mov %rax,%rdi
10477 -+
10478 -+#define SET_RDI_INTO_CR3 \
10479 -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10480 -+
10481 - #endif /* CONFIG_X86_32 */
10482 -
10483 - #endif /* __ASSEMBLY__ */
10484 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h
10485 ---- linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-03-27 14:31:47.000000000 -0400
10486 -+++ linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-08-23 20:24:19.000000000 -0400
10487 -@@ -78,19 +78,19 @@ struct pv_init_ops {
10488 - */
10489 - unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
10490 - unsigned long addr, unsigned len);
10491 --};
10492 -+} __no_const;
10493 -
10494 -
10495 - struct pv_lazy_ops {
10496 - /* Set deferred update mode, used for batching operations. */
10497 - void (*enter)(void);
10498 - void (*leave)(void);
10499 --};
10500 -+} __no_const;
10501 -
10502 - struct pv_time_ops {
10503 - unsigned long long (*sched_clock)(void);
10504 - unsigned long (*get_tsc_khz)(void);
10505 --};
10506 -+} __no_const;
10507 -
10508 - struct pv_cpu_ops {
10509 - /* hooks for various privileged instructions */
10510 -@@ -186,7 +186,7 @@ struct pv_cpu_ops {
10511 -
10512 - void (*start_context_switch)(struct task_struct *prev);
10513 - void (*end_context_switch)(struct task_struct *next);
10514 --};
10515 -+} __no_const;
10516 -
10517 - struct pv_irq_ops {
10518 - /*
10519 -@@ -217,7 +217,7 @@ struct pv_apic_ops {
10520 - unsigned long start_eip,
10521 - unsigned long start_esp);
10522 - #endif
10523 --};
10524 -+} __no_const;
10525 -
10526 - struct pv_mmu_ops {
10527 - unsigned long (*read_cr2)(void);
10528 -@@ -301,6 +301,7 @@ struct pv_mmu_ops {
10529 - struct paravirt_callee_save make_pud;
10530 -
10531 - void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
10532 -+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
10533 - #endif /* PAGETABLE_LEVELS == 4 */
10534 - #endif /* PAGETABLE_LEVELS >= 3 */
10535 -
10536 -@@ -316,6 +317,12 @@ struct pv_mmu_ops {
10537 - an mfn. We can tell which is which from the index. */
10538 - void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10539 - phys_addr_t phys, pgprot_t flags);
10540 -+
10541 -+#ifdef CONFIG_PAX_KERNEXEC
10542 -+ unsigned long (*pax_open_kernel)(void);
10543 -+ unsigned long (*pax_close_kernel)(void);
10544 -+#endif
10545 -+
10546 - };
10547 -
10548 - struct raw_spinlock;
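Review bot: struct pv_mmu_ops gains pax_open_kernel and pax_close_kernel here but still closes with a plain "};", while pv_init_ops, pv_lazy_ops, pv_time_ops, pv_cpu_ops, pv_apic_ops and pv_lock_ops are all changed to "} __no_const;" elsewhere in this file. If the omission is deliberate, a comment on the closing brace would save the next reader from wondering; if not, the annotation is missing. Note also that the two new members exist only under CONFIG_PAX_KERNEXEC, so the struct layout now depends on that option.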
10549 -@@ -326,7 +333,7 @@ struct pv_lock_ops {
10550 - void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
10551 - int (*spin_trylock)(struct raw_spinlock *lock);
10552 - void (*spin_unlock)(struct raw_spinlock *lock);
10553 --};
10554 -+} __no_const;
10555 -
10556 - /* This contains all the paravirt structures: we get a convenient
10557 - * number for each function using the offset which we use to indicate
10558 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pci_x86.h linux-2.6.32.46/arch/x86/include/asm/pci_x86.h
10559 ---- linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-03-27 14:31:47.000000000 -0400
10560 -+++ linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-04-17 15:56:46.000000000 -0400
10561 -@@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
10562 - extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10563 -
10564 - struct pci_raw_ops {
10565 -- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10566 -+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10567 - int reg, int len, u32 *val);
10568 -- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10569 -+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10570 - int reg, int len, u32 val);
10571 - };
10572 -
10573 --extern struct pci_raw_ops *raw_pci_ops;
10574 --extern struct pci_raw_ops *raw_pci_ext_ops;
10575 -+extern const struct pci_raw_ops *raw_pci_ops;
10576 -+extern const struct pci_raw_ops *raw_pci_ext_ops;
10577 -
10578 --extern struct pci_raw_ops pci_direct_conf1;
10579 -+extern const struct pci_raw_ops pci_direct_conf1;
10580 - extern bool port_cf9_safe;
10581 -
10582 - /* arch_initcall level */
10583 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/percpu.h linux-2.6.32.46/arch/x86/include/asm/percpu.h
10584 ---- linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-03-27 14:31:47.000000000 -0400
10585 -+++ linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-08-17 19:33:59.000000000 -0400
10586 -@@ -78,6 +78,7 @@ do { \
10587 - if (0) { \
10588 - T__ tmp__; \
10589 - tmp__ = (val); \
10590 -+ (void)tmp__; \
10591 - } \
10592 - switch (sizeof(var)) { \
10593 - case 1: \
10594 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgalloc.h linux-2.6.32.46/arch/x86/include/asm/pgalloc.h
10595 ---- linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-03-27 14:31:47.000000000 -0400
10596 -+++ linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-04-17 15:56:46.000000000 -0400
10597 -@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10598 - pmd_t *pmd, pte_t *pte)
10599 - {
10600 - paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10601 -+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10602 -+}
10603 -+
10604 -+static inline void pmd_populate_user(struct mm_struct *mm,
10605 -+ pmd_t *pmd, pte_t *pte)
10606 -+{
10607 -+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10608 - set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10609 - }
10610 -
10611 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h
10612 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-03-27 14:31:47.000000000 -0400
10613 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:56:46.000000000 -0400
10614 -@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10615 -
10616 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10617 - {
10618 -+ pax_open_kernel();
10619 - *pmdp = pmd;
10620 -+ pax_close_kernel();
10621 - }
10622 -
10623 - static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10624 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h
10625 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-03-27 14:31:47.000000000 -0400
10626 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:56:46.000000000 -0400
10627 -@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10628 -
10629 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10630 - {
10631 -+ pax_open_kernel();
10632 - set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10633 -+ pax_close_kernel();
10634 - }
10635 -
10636 - static inline void native_set_pud(pud_t *pudp, pud_t pud)
10637 - {
10638 -+ pax_open_kernel();
10639 - set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10640 -+ pax_close_kernel();
10641 - }
10642 -
10643 - /*
10644 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable.h linux-2.6.32.46/arch/x86/include/asm/pgtable.h
10645 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
10646 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-08-23 20:24:19.000000000 -0400
10647 -@@ -39,6 +39,7 @@ extern struct list_head pgd_list;
10648 -
10649 - #ifndef __PAGETABLE_PUD_FOLDED
10650 - #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
10651 -+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
10652 - #define pgd_clear(pgd) native_pgd_clear(pgd)
10653 - #endif
10654 -
10655 -@@ -74,12 +75,51 @@ extern struct list_head pgd_list;
10656 -
10657 - #define arch_end_context_switch(prev) do {} while(0)
10658 -
10659 -+#define pax_open_kernel() native_pax_open_kernel()
10660 -+#define pax_close_kernel() native_pax_close_kernel()
10661 - #endif /* CONFIG_PARAVIRT */
10662 -
10663 -+#define __HAVE_ARCH_PAX_OPEN_KERNEL
10664 -+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10665 -+
10666 -+#ifdef CONFIG_PAX_KERNEXEC
10667 -+static inline unsigned long native_pax_open_kernel(void)
10668 -+{
10669 -+ unsigned long cr0;
10670 -+
10671 -+ preempt_disable();
10672 -+ barrier();
10673 -+ cr0 = read_cr0() ^ X86_CR0_WP;
10674 -+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
10675 -+ write_cr0(cr0);
10676 -+ return cr0 ^ X86_CR0_WP;
10677 -+}
10678 -+
10679 -+static inline unsigned long native_pax_close_kernel(void)
10680 -+{
10681 -+ unsigned long cr0;
10682 -+
10683 -+ cr0 = read_cr0() ^ X86_CR0_WP;
10684 -+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10685 -+ write_cr0(cr0);
10686 -+ barrier();
10687 -+ preempt_enable_no_resched();
10688 -+ return cr0 ^ X86_CR0_WP;
10689 -+}
10690 -+#else
10691 -+static inline unsigned long native_pax_open_kernel(void) { return 0; }
10692 -+static inline unsigned long native_pax_close_kernel(void) { return 0; }
10693 -+#endif
10694 -+
10695 - /*
10696 - * The following only work if pte_present() is true.
10697 - * Undefined behaviour if not..
10698 - */
10699 -+static inline int pte_user(pte_t pte)
10700 -+{
10701 -+ return pte_val(pte) & _PAGE_USER;
10702 -+}
10703 -+
10704 - static inline int pte_dirty(pte_t pte)
10705 - {
10706 - return pte_flags(pte) & _PAGE_DIRTY;
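Review bot: native_pax_open_kernel() and native_pax_close_kernel() toggle X86_CR0_WP with XOR and BUG_ON() when the bit is not in the expected state, so the pair is not re-entrant: a second open inside an open section kills the kernel rather than nesting. That contract is not written down anywhere in the hunk. Suggest a comment above the pair stating that calls must not nest and that preemption is disabled between open and close. The return value (the previous CR0) is also undocumented, and the callers visible in this patch ignore it. Minor: pte_user() reads pte_val() while its neighbour pte_dirty() uses pte_flags(); pick one for consistency.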
10707 -@@ -167,9 +207,29 @@ static inline pte_t pte_wrprotect(pte_t
10708 - return pte_clear_flags(pte, _PAGE_RW);
10709 - }
10710 -
10711 -+static inline pte_t pte_mkread(pte_t pte)
10712 -+{
10713 -+ return __pte(pte_val(pte) | _PAGE_USER);
10714 -+}
10715 -+
10716 - static inline pte_t pte_mkexec(pte_t pte)
10717 - {
10718 -- return pte_clear_flags(pte, _PAGE_NX);
10719 -+#ifdef CONFIG_X86_PAE
10720 -+ if (__supported_pte_mask & _PAGE_NX)
10721 -+ return pte_clear_flags(pte, _PAGE_NX);
10722 -+ else
10723 -+#endif
10724 -+ return pte_set_flags(pte, _PAGE_USER);
10725 -+}
10726 -+
10727 -+static inline pte_t pte_exprotect(pte_t pte)
10728 -+{
10729 -+#ifdef CONFIG_X86_PAE
10730 -+ if (__supported_pte_mask & _PAGE_NX)
10731 -+ return pte_set_flags(pte, _PAGE_NX);
10732 -+ else
10733 -+#endif
10734 -+ return pte_clear_flags(pte, _PAGE_USER);
10735 - }
10736 -
10737 - static inline pte_t pte_mkdirty(pte_t pte)
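Review bot: In pte_mkexec() and pte_exprotect() the "else" sits inside "#ifdef CONFIG_X86_PAE" and its body is the return statement after the "#endif". This compiles, but the control flow changes shape with the config option and a statement inserted after the #endif would silently become the else body. Suggest dropping the else (the if branch already returns) so that the final return is unconditional fall-through in both configurations. A short comment that _PAGE_USER stands in for the executable bit when _PAGE_NX is not supported would also help, since pte_mkread() sets the same flag.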
10738 -@@ -302,6 +362,15 @@ pte_t *populate_extra_pte(unsigned long
10739 - #endif
10740 -
10741 - #ifndef __ASSEMBLY__
10742 -+
10743 -+#ifdef CONFIG_PAX_PER_CPU_PGD
10744 -+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10745 -+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10746 -+{
10747 -+ return cpu_pgd[cpu];
10748 -+}
10749 -+#endif
10750 -+
10751 - #include <linux/mm_types.h>
10752 -
10753 - static inline int pte_none(pte_t pte)
10754 -@@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
10755 -
10756 - static inline int pgd_bad(pgd_t pgd)
10757 - {
10758 -- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10759 -+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10760 - }
10761 -
10762 - static inline int pgd_none(pgd_t pgd)
10763 -@@ -495,7 +564,12 @@ static inline int pgd_none(pgd_t pgd)
10764 - * pgd_offset() returns a (pgd_t *)
10765 - * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10766 - */
10767 --#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10768 -+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10769 -+
10770 -+#ifdef CONFIG_PAX_PER_CPU_PGD
10771 -+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10772 -+#endif
10773 -+
10774 - /*
10775 - * a shortcut which implies the use of the kernel's pgd, instead
10776 - * of a process's
10777 -@@ -506,6 +580,20 @@ static inline int pgd_none(pgd_t pgd)
10778 - #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10779 - #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10780 -
10781 -+#ifdef CONFIG_X86_32
10782 -+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10783 -+#else
10784 -+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10785 -+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10786 -+
10787 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10788 -+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10789 -+#else
10790 -+#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10791 -+#endif
10792 -+
10793 -+#endif
10794 -+
10795 - #ifndef __ASSEMBLY__
10796 -
10797 - extern int direct_gbpages;
10798 -@@ -611,11 +699,23 @@ static inline void ptep_set_wrprotect(st
10799 - * dst and src can be on the same page, but the range must not overlap,
10800 - * and must not cross a page boundary.
10801 - */
10802 --static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10803 -+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10804 - {
10805 -- memcpy(dst, src, count * sizeof(pgd_t));
10806 -+ pax_open_kernel();
10807 -+ while (count--)
10808 -+ *dst++ = *src++;
10809 -+ pax_close_kernel();
10810 - }
10811 -
10812 -+#ifdef CONFIG_PAX_PER_CPU_PGD
10813 -+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10814 -+#endif
10815 -+
10816 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10817 -+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10818 -+#else
10819 -+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10820 -+#endif
10821 -
10822 - #include <asm-generic/pgtable.h>
10823 - #endif /* __ASSEMBLY__ */
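Review bot: in clone_pgd_range() the new "while (count--)" loop keeps copying when count is negative, because the parameter is still a signed int and any non-zero value is true. Make count unsigned int, or return early on count <= 0 before pax_open_kernel(), so a bad caller cannot write past dst while kernel write protection is lifted. The empty __shadow_user_pgds() stub in the #else branch would also benefit from a one-line comment saying it is a deliberate no-op when UDEREF is off or the build is not x86_64.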
10824 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h
10825 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
10826 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
10827 -@@ -26,9 +26,6 @@
10828 - struct mm_struct;
10829 - struct vm_area_struct;
10830 -
10831 --extern pgd_t swapper_pg_dir[1024];
10832 --extern pgd_t trampoline_pg_dir[1024];
10833 --
10834 - static inline void pgtable_cache_init(void) { }
10835 - static inline void check_pgt_cache(void) { }
10836 - void paging_init(void);
10837 -@@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
10838 - # include <asm/pgtable-2level.h>
10839 - #endif
10840 -
10841 -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10842 -+extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
10843 -+#ifdef CONFIG_X86_PAE
10844 -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10845 -+#endif
10846 -+
10847 - #if defined(CONFIG_HIGHPTE)
10848 - #define __KM_PTE \
10849 - (in_nmi() ? KM_NMI_PTE : \
10850 -@@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
10851 - /* Clear a kernel PTE and flush it from the TLB */
10852 - #define kpte_clear_flush(ptep, vaddr) \
10853 - do { \
10854 -+ pax_open_kernel(); \
10855 - pte_clear(&init_mm, (vaddr), (ptep)); \
10856 -+ pax_close_kernel(); \
10857 - __flush_tlb_one((vaddr)); \
10858 - } while (0)
10859 -
10860 -@@ -85,6 +90,9 @@ do { \
10861 -
10862 - #endif /* !__ASSEMBLY__ */
10863 -
10864 -+#define HAVE_ARCH_UNMAPPED_AREA
10865 -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10866 -+
10867 - /*
10868 - * kern_addr_valid() is (1) for FLATMEM and (0) for
10869 - * SPARSEMEM and DISCONTIGMEM
10870 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h
10871 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-03-27 14:31:47.000000000 -0400
10872 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:56:46.000000000 -0400
10873 -@@ -8,7 +8,7 @@
10874 - */
10875 - #ifdef CONFIG_X86_PAE
10876 - # include <asm/pgtable-3level_types.h>
10877 --# define PMD_SIZE (1UL << PMD_SHIFT)
10878 -+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10879 - # define PMD_MASK (~(PMD_SIZE - 1))
10880 - #else
10881 - # include <asm/pgtable-2level_types.h>
10882 -@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10883 - # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10884 - #endif
10885 -
10886 -+#ifdef CONFIG_PAX_KERNEXEC
10887 -+#ifndef __ASSEMBLY__
10888 -+extern unsigned char MODULES_EXEC_VADDR[];
10889 -+extern unsigned char MODULES_EXEC_END[];
10890 -+#endif
10891 -+#include <asm/boot.h>
10892 -+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10893 -+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10894 -+#else
10895 -+#define ktla_ktva(addr) (addr)
10896 -+#define ktva_ktla(addr) (addr)
10897 -+#endif
10898 -+
10899 - #define MODULES_VADDR VMALLOC_START
10900 - #define MODULES_END VMALLOC_END
10901 - #define MODULES_LEN (MODULES_VADDR - MODULES_END)
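Review bot: ktla_ktva() and ktva_ktla() use their argument unparenthesized in the CONFIG_PAX_KERNEXEC branch, as in "(addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)", so an argument containing a lower-precedence operator (a cast applied to a sum, a ternary, a bitwise expression) expands incorrectly. Write ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET) and ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET), and parenthesize the identity versions in the #else branch as well. A short comment defining the two address spaces the names abbreviate would help readers of the call sites.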
10902 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h
10903 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-03-27 14:31:47.000000000 -0400
10904 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-08-23 20:24:19.000000000 -0400
10905 -@@ -16,10 +16,13 @@
10906 -
10907 - extern pud_t level3_kernel_pgt[512];
10908 - extern pud_t level3_ident_pgt[512];
10909 -+extern pud_t level3_vmalloc_pgt[512];
10910 -+extern pud_t level3_vmemmap_pgt[512];
10911 -+extern pud_t level2_vmemmap_pgt[512];
10912 - extern pmd_t level2_kernel_pgt[512];
10913 - extern pmd_t level2_fixmap_pgt[512];
10914 --extern pmd_t level2_ident_pgt[512];
10915 --extern pgd_t init_level4_pgt[];
10916 -+extern pmd_t level2_ident_pgt[512*2];
10917 -+extern pgd_t init_level4_pgt[512];
10918 -
10919 - #define swapper_pg_dir init_level4_pgt
10920 -
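Review bot: the added declaration "extern pud_t level2_vmemmap_pgt[512];" gives a level2 table the pud_t type, while every other level2_* table in this hunk is pmd_t and the level3_* tables are pud_t. If this is a typo, declare it pmd_t; if the type is intentional, the name should change or a comment should say why. The resize of level2_ident_pgt to 512*2 also deserves a comment stating what the second page of entries maps.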
10921 -@@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
10922 -
10923 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10924 - {
10925 -+ pax_open_kernel();
10926 - *pmdp = pmd;
10927 -+ pax_close_kernel();
10928 - }
10929 -
10930 - static inline void native_pmd_clear(pmd_t *pmd)
10931 -@@ -94,6 +99,13 @@ static inline void native_pud_clear(pud_
10932 -
10933 - static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10934 - {
10935 -+ pax_open_kernel();
10936 -+ *pgdp = pgd;
10937 -+ pax_close_kernel();
10938 -+}
10939 -+
10940 -+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
10941 -+{
10942 - *pgdp = pgd;
10943 - }
10944 -
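Review bot: native_set_pgd_batched() writes *pgdp with no pax_open_kernel()/pax_close_kernel() pair, unlike native_set_pgd() directly above it, and nothing in the hunk documents that contract. Add a comment stating that the caller must already hold the open window for the whole batch, otherwise a later reader will either call it unprotected or "fix" it by adding the pair and nesting the open/close calls.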
10945 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h
10946 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-03-27 14:31:47.000000000 -0400
10947 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:56:46.000000000 -0400
10948 -@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10949 - #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10950 - #define MODULES_END _AC(0xffffffffff000000, UL)
10951 - #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10952 -+#define MODULES_EXEC_VADDR MODULES_VADDR
10953 -+#define MODULES_EXEC_END MODULES_END
10954 -+
10955 -+#define ktla_ktva(addr) (addr)
10956 -+#define ktva_ktla(addr) (addr)
10957 -
10958 - #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10959 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h
10960 ---- linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-03-27 14:31:47.000000000 -0400
10961 -+++ linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:56:46.000000000 -0400
10962 -@@ -16,12 +16,11 @@
10963 - #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10964 - #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10965 - #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10966 --#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10967 -+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10968 - #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10969 - #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10970 - #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10971 --#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10972 --#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10973 -+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10974 - #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10975 -
10976 - /* If _PAGE_BIT_PRESENT is clear, we use these: */
10977 -@@ -39,7 +38,6 @@
10978 - #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10979 - #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10980 - #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10981 --#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10982 - #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10983 - #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10984 - #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10985 -@@ -55,8 +53,10 @@
10986 -
10987 - #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10988 - #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10989 --#else
10990 -+#elif defined(CONFIG_KMEMCHECK)
10991 - #define _PAGE_NX (_AT(pteval_t, 0))
10992 -+#else
10993 -+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10994 - #endif
10995 -
10996 - #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
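Review bot: the new final #else branch defines _PAGE_NX as bit _PAGE_BIT_HIDDEN, which the bit table earlier in this file labels "hidden by kmemcheck", and the only thing keeping the two uses apart is the ordering of the #elif defined(CONFIG_KMEMCHECK) branch before it. Document that on non-PAE 32-bit this is a software-only flag sharing bit 11, and consider a build-time check so a later reordering of the branches cannot silently make both features claim the same bit.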
10997 -@@ -93,6 +93,9 @@
10998 - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10999 - _PAGE_ACCESSED)
11000 -
11001 -+#define PAGE_READONLY_NOEXEC PAGE_READONLY
11002 -+#define PAGE_SHARED_NOEXEC PAGE_SHARED
11003 -+
11004 - #define __PAGE_KERNEL_EXEC \
11005 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
11006 - #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
11007 -@@ -103,8 +106,8 @@
11008 - #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
11009 - #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
11010 - #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
11011 --#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
11012 --#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
11013 -+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
11014 -+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
11015 - #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
11016 - #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
11017 - #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
11018 -@@ -163,8 +166,8 @@
11019 - * bits are combined, this will alow user to access the high address mapped
11020 - * VDSO in the presence of CONFIG_COMPAT_VDSO
11021 - */
11022 --#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
11023 --#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
11024 -+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11025 -+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11026 - #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
11027 - #endif
11028 -
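Review bot: PDE_IDENT_ATTR drops the USER bit (0x067 becomes 0x063), but the comment kept as context above still says the combined bits "will alow user to access the high address mapped VDSO in the presence of CONFIG_COMPAT_VDSO". After this change the comment describes behaviour the values no longer provide. Update the comment in the same hunk and state how CONFIG_COMPAT_VDSO is expected to behave with the identity mapping now supervisor-only.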
11029 -@@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
11030 - {
11031 - return native_pgd_val(pgd) & PTE_FLAGS_MASK;
11032 - }
11033 -+#endif
11034 -
11035 -+#if PAGETABLE_LEVELS == 3
11036 -+#include <asm-generic/pgtable-nopud.h>
11037 -+#endif
11038 -+
11039 -+#if PAGETABLE_LEVELS == 2
11040 -+#include <asm-generic/pgtable-nopmd.h>
11041 -+#endif
11042 -+
11043 -+#ifndef __ASSEMBLY__
11044 - #if PAGETABLE_LEVELS > 3
11045 - typedef struct { pudval_t pud; } pud_t;
11046 -
11047 -@@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
11048 - return pud.pud;
11049 - }
11050 - #else
11051 --#include <asm-generic/pgtable-nopud.h>
11052 --
11053 - static inline pudval_t native_pud_val(pud_t pud)
11054 - {
11055 - return native_pgd_val(pud.pgd);
11056 -@@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
11057 - return pmd.pmd;
11058 - }
11059 - #else
11060 --#include <asm-generic/pgtable-nopmd.h>
11061 --
11062 - static inline pmdval_t native_pmd_val(pmd_t pmd)
11063 - {
11064 - return native_pgd_val(pmd.pud.pgd);
11065 -@@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
11066 -
11067 - extern pteval_t __supported_pte_mask;
11068 - extern void set_nx(void);
11069 -+
11070 -+#ifdef CONFIG_X86_32
11071 -+#ifdef CONFIG_X86_PAE
11072 - extern int nx_enabled;
11073 -+#else
11074 -+#define nx_enabled (0)
11075 -+#endif
11076 -+#else
11077 -+#define nx_enabled (1)
11078 -+#endif
11079 -
11080 - #define pgprot_writecombine pgprot_writecombine
11081 - extern pgprot_t pgprot_writecombine(pgprot_t prot);
11082 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/processor.h linux-2.6.32.46/arch/x86/include/asm/processor.h
11083 ---- linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-04-22 19:16:29.000000000 -0400
11084 -+++ linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-05-11 18:25:15.000000000 -0400
11085 -@@ -272,7 +272,7 @@ struct tss_struct {
11086 -
11087 - } ____cacheline_aligned;
11088 -
11089 --DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
11090 -+extern struct tss_struct init_tss[NR_CPUS];
11091 -
11092 - /*
11093 - * Save the original ist values for checking stack pointers during debugging
11094 -@@ -888,11 +888,18 @@ static inline void spin_lock_prefetch(co
11095 - */
11096 - #define TASK_SIZE PAGE_OFFSET
11097 - #define TASK_SIZE_MAX TASK_SIZE
11098 -+
11099 -+#ifdef CONFIG_PAX_SEGMEXEC
11100 -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
11101 -+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
11102 -+#else
11103 - #define STACK_TOP TASK_SIZE
11104 --#define STACK_TOP_MAX STACK_TOP
11105 -+#endif
11106 -+
11107 -+#define STACK_TOP_MAX TASK_SIZE
11108 -
11109 - #define INIT_THREAD { \
11110 -- .sp0 = sizeof(init_stack) + (long)&init_stack, \
11111 -+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11112 - .vm86_info = NULL, \
11113 - .sysenter_cs = __KERNEL_CS, \
11114 - .io_bitmap_ptr = NULL, \
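Review bot: under CONFIG_PAX_SEGMEXEC, STACK_TOP now expands to an expression that dereferences current->mm->pax_flags with no NULL check, so any use of the macro from a task without an mm (kernel threads have none) would fault. Either confirm and document that STACK_TOP is only evaluated on the exec path with a valid mm, or guard the dereference. Separately, the new "- 8" in INIT_THREAD.sp0 is a bare constant here while the 64-bit initializers later in this file use "- 16"; a named constant with a comment would make the reserved area explicit.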
11115 -@@ -906,7 +913,7 @@ static inline void spin_lock_prefetch(co
11116 - */
11117 - #define INIT_TSS { \
11118 - .x86_tss = { \
11119 -- .sp0 = sizeof(init_stack) + (long)&init_stack, \
11120 -+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11121 - .ss0 = __KERNEL_DS, \
11122 - .ss1 = __KERNEL_CS, \
11123 - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
11124 -@@ -917,11 +924,7 @@ static inline void spin_lock_prefetch(co
11125 - extern unsigned long thread_saved_pc(struct task_struct *tsk);
11126 -
11127 - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
11128 --#define KSTK_TOP(info) \
11129 --({ \
11130 -- unsigned long *__ptr = (unsigned long *)(info); \
11131 -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
11132 --})
11133 -+#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
11134 -
11135 - /*
11136 - * The below -8 is to reserve 8 bytes on top of the ring0 stack.
11137 -@@ -936,7 +939,7 @@ extern unsigned long thread_saved_pc(str
11138 - #define task_pt_regs(task) \
11139 - ({ \
11140 - struct pt_regs *__regs__; \
11141 -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
11142 -+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
11143 - __regs__ - 1; \
11144 - })
11145 -
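Review bot: task_pt_regs() no longer subtracts 8 itself and reads (task)->thread.sp0 instead, yet the comment kept just above it still begins "The below -8 is to reserve 8 bytes on top of the ring0 stack". The reservation now lives in the sp0 initializers, so the comment should be moved or reworded to point there. It would also be worth stating in the comment that the macro is only correct once thread.sp0 has been set for the task, since it previously depended only on the stack page address.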
11146 -@@ -946,13 +949,13 @@ extern unsigned long thread_saved_pc(str
11147 - /*
11148 - * User space process size. 47bits minus one guard page.
11149 - */
11150 --#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
11151 -+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
11152 -
11153 - /* This decides where the kernel will search for a free chunk of vm
11154 - * space during mmap's.
11155 - */
11156 - #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
11157 -- 0xc0000000 : 0xFFFFe000)
11158 -+ 0xc0000000 : 0xFFFFf000)
11159 -
11160 - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
11161 - IA32_PAGE_OFFSET : TASK_SIZE_MAX)
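Review bot: two values change here without their comments following. The context comment still reads "47bits minus one guard page" although TASK_SIZE_MAX is now derived from TASK_SIZE_MAX_SHIFT, and the IA32_PAGE_OFFSET upper bound moves from 0xFFFFe000 to 0xFFFFf000 with no explanation of what previously occupied the extra page. Update the comment to refer to the configurable shift and add a line justifying the new 32-bit compat limit.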
11162 -@@ -963,11 +966,11 @@ extern unsigned long thread_saved_pc(str
11163 - #define STACK_TOP_MAX TASK_SIZE_MAX
11164 -
11165 - #define INIT_THREAD { \
11166 -- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11167 -+ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11168 - }
11169 -
11170 - #define INIT_TSS { \
11171 -- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11172 -+ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11173 - }
11174 -
11175 - /*
11176 -@@ -989,6 +992,10 @@ extern void start_thread(struct pt_regs
11177 - */
11178 - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
11179 -
11180 -+#ifdef CONFIG_PAX_SEGMEXEC
11181 -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
11182 -+#endif
11183 -+
11184 - #define KSTK_EIP(task) (task_pt_regs(task)->ip)
11185 -
11186 - /* Get/set a process' ability to use the timestamp counter instruction */
11187 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/ptrace.h linux-2.6.32.46/arch/x86/include/asm/ptrace.h
11188 ---- linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
11189 -+++ linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-04-17 15:56:46.000000000 -0400
11190 -@@ -151,28 +151,29 @@ static inline unsigned long regs_return_
11191 - }
11192 -
11193 - /*
11194 -- * user_mode_vm(regs) determines whether a register set came from user mode.
11195 -+ * user_mode(regs) determines whether a register set came from user mode.
11196 - * This is true if V8086 mode was enabled OR if the register set was from
11197 - * protected mode with RPL-3 CS value. This tricky test checks that with
11198 - * one comparison. Many places in the kernel can bypass this full check
11199 -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
11200 -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
11201 -+ * be used.
11202 - */
11203 --static inline int user_mode(struct pt_regs *regs)
11204 -+static inline int user_mode_novm(struct pt_regs *regs)
11205 - {
11206 - #ifdef CONFIG_X86_32
11207 - return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
11208 - #else
11209 -- return !!(regs->cs & 3);
11210 -+ return !!(regs->cs & SEGMENT_RPL_MASK);
11211 - #endif
11212 - }
11213 -
11214 --static inline int user_mode_vm(struct pt_regs *regs)
11215 -+static inline int user_mode(struct pt_regs *regs)
11216 - {
11217 - #ifdef CONFIG_X86_32
11218 - return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
11219 - USER_RPL;
11220 - #else
11221 -- return user_mode(regs);
11222 -+ return user_mode_novm(regs);
11223 - #endif
11224 - }
11225 -
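Review bot: this hunk swaps the meaning of an existing name: user_mode() becomes the V8086-aware test and the old cheap test is renamed user_mode_novm(), while user_mode_vm() disappears. Any caller not converted in the same patch either fails to build (user_mode_vm) or silently changes behaviour (user_mode). Making the common name the strict check is the safer default, but keep a "#define user_mode_vm(regs) user_mode(regs)" alias for compatibility, and list the call sites that were deliberately moved to user_mode_novm().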
11226 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/reboot.h linux-2.6.32.46/arch/x86/include/asm/reboot.h
11227 ---- linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
11228 -+++ linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-08-05 20:33:55.000000000 -0400
11229 -@@ -6,19 +6,19 @@
11230 - struct pt_regs;
11231 -
11232 - struct machine_ops {
11233 -- void (*restart)(char *cmd);
11234 -- void (*halt)(void);
11235 -- void (*power_off)(void);
11236 -+ void (* __noreturn restart)(char *cmd);
11237 -+ void (* __noreturn halt)(void);
11238 -+ void (* __noreturn power_off)(void);
11239 - void (*shutdown)(void);
11240 - void (*crash_shutdown)(struct pt_regs *);
11241 -- void (*emergency_restart)(void);
11242 --};
11243 -+ void (* __noreturn emergency_restart)(void);
11244 -+} __no_const;
11245 -
11246 - extern struct machine_ops machine_ops;
11247 -
11248 - void native_machine_crash_shutdown(struct pt_regs *regs);
11249 - void native_machine_shutdown(void);
11250 --void machine_real_restart(const unsigned char *code, int length);
11251 -+void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
11252 -
11253 - typedef void (*nmi_shootdown_cb)(int, struct die_args*);
11254 - void nmi_shootdown_cpus(nmi_shootdown_cb callback);
11255 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/rwsem.h linux-2.6.32.46/arch/x86/include/asm/rwsem.h
11256 ---- linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-03-27 14:31:47.000000000 -0400
11257 -+++ linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-04-17 15:56:46.000000000 -0400
11258 -@@ -118,6 +118,14 @@ static inline void __down_read(struct rw
11259 - {
11260 - asm volatile("# beginning down_read\n\t"
11261 - LOCK_PREFIX _ASM_INC "(%1)\n\t"
11262 -+
11263 -+#ifdef CONFIG_PAX_REFCOUNT
11264 -+ "jno 0f\n"
11265 -+ LOCK_PREFIX _ASM_DEC "(%1)\n\t"
11266 -+ "int $4\n0:\n"
11267 -+ _ASM_EXTABLE(0b, 0b)
11268 -+#endif
11269 -+
11270 - /* adds 0x00000001, returns the old value */
11271 - " jns 1f\n"
11272 - " call call_rwsem_down_read_failed\n"
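Review bot: the CONFIG_PAX_REFCOUNT block added after the locked increment ("jno 0f", an undo instruction, "int $4", _ASM_EXTABLE(0b, 0b)) is open-coded here and repeated almost verbatim in every following hunk of this file and in spinlock.h, differing only in the undo instruction. Factor it into one macro that takes the undo instruction as a parameter, so the overflow policy is defined in a single place and a future fix cannot miss a copy. Note also that the undo here is a second locked operation, so other CPUs can observe the overflowed count between the two; a comment acknowledging that window would be useful.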
11273 -@@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
11274 - "1:\n\t"
11275 - " mov %1,%2\n\t"
11276 - " add %3,%2\n\t"
11277 -+
11278 -+#ifdef CONFIG_PAX_REFCOUNT
11279 -+ "jno 0f\n"
11280 -+ "sub %3,%2\n"
11281 -+ "int $4\n0:\n"
11282 -+ _ASM_EXTABLE(0b, 0b)
11283 -+#endif
11284 -+
11285 - " jle 2f\n\t"
11286 - LOCK_PREFIX " cmpxchg %2,%0\n\t"
11287 - " jnz 1b\n\t"
11288 -@@ -160,6 +176,14 @@ static inline void __down_write_nested(s
11289 - tmp = RWSEM_ACTIVE_WRITE_BIAS;
11290 - asm volatile("# beginning down_write\n\t"
11291 - LOCK_PREFIX " xadd %1,(%2)\n\t"
11292 -+
11293 -+#ifdef CONFIG_PAX_REFCOUNT
11294 -+ "jno 0f\n"
11295 -+ "mov %1,(%2)\n"
11296 -+ "int $4\n0:\n"
11297 -+ _ASM_EXTABLE(0b, 0b)
11298 -+#endif
11299 -+
11300 - /* subtract 0x0000ffff, returns the old value */
11301 - " test %1,%1\n\t"
11302 - /* was the count 0 before? */
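Review bot: the overflow rollback in __down_write_nested() is "mov %1,(%2)", a plain store of the old value that the preceding "LOCK xadd %1,(%2)" returned. Any update another CPU makes to the count between the xadd and the mov is overwritten, whereas the inc/dec and add/sub variants elsewhere in this file undo with a locked inverse operation. Either undo with a locked subtraction of the bias, or add a comment explaining why losing concurrent updates is acceptable once the overflow trap is about to fire. The same pattern appears in __up_read, __up_write and rwsem_atomic_update.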
11303 -@@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
11304 - rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
11305 - asm volatile("# beginning __up_read\n\t"
11306 - LOCK_PREFIX " xadd %1,(%2)\n\t"
11307 -+
11308 -+#ifdef CONFIG_PAX_REFCOUNT
11309 -+ "jno 0f\n"
11310 -+ "mov %1,(%2)\n"
11311 -+ "int $4\n0:\n"
11312 -+ _ASM_EXTABLE(0b, 0b)
11313 -+#endif
11314 -+
11315 - /* subtracts 1, returns the old value */
11316 - " jns 1f\n\t"
11317 - " call call_rwsem_wake\n"
11318 -@@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
11319 - rwsem_count_t tmp;
11320 - asm volatile("# beginning __up_write\n\t"
11321 - LOCK_PREFIX " xadd %1,(%2)\n\t"
11322 -+
11323 -+#ifdef CONFIG_PAX_REFCOUNT
11324 -+ "jno 0f\n"
11325 -+ "mov %1,(%2)\n"
11326 -+ "int $4\n0:\n"
11327 -+ _ASM_EXTABLE(0b, 0b)
11328 -+#endif
11329 -+
11330 - /* tries to transition
11331 - 0xffff0001 -> 0x00000000 */
11332 - " jz 1f\n"
11333 -@@ -234,6 +274,14 @@ static inline void __downgrade_write(str
11334 - {
11335 - asm volatile("# beginning __downgrade_write\n\t"
11336 - LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11337 -+
11338 -+#ifdef CONFIG_PAX_REFCOUNT
11339 -+ "jno 0f\n"
11340 -+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11341 -+ "int $4\n0:\n"
11342 -+ _ASM_EXTABLE(0b, 0b)
11343 -+#endif
11344 -+
11345 - /*
11346 - * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11347 - * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11348 -@@ -253,7 +301,15 @@ static inline void __downgrade_write(str
11349 - static inline void rwsem_atomic_add(rwsem_count_t delta,
11350 - struct rw_semaphore *sem)
11351 - {
11352 -- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11353 -+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11354 -+
11355 -+#ifdef CONFIG_PAX_REFCOUNT
11356 -+ "jno 0f\n"
11357 -+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
11358 -+ "int $4\n0:\n"
11359 -+ _ASM_EXTABLE(0b, 0b)
11360 -+#endif
11361 -+
11362 - : "+m" (sem->count)
11363 - : "er" (delta));
11364 - }
11365 -@@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
11366 - {
11367 - rwsem_count_t tmp = delta;
11368 -
11369 -- asm volatile(LOCK_PREFIX "xadd %0,%1"
11370 -+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11371 -+
11372 -+#ifdef CONFIG_PAX_REFCOUNT
11373 -+ "jno 0f\n"
11374 -+ "mov %0,%1\n"
11375 -+ "int $4\n0:\n"
11376 -+ _ASM_EXTABLE(0b, 0b)
11377 -+#endif
11378 -+
11379 - : "+r" (tmp), "+m" (sem->count)
11380 - : : "memory");
11381 -
11382 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x86/include/asm/segment.h
11383 ---- linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
11384 -+++ linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-10-06 09:37:08.000000000 -0400
11385 -@@ -62,10 +62,15 @@
11386 - * 26 - ESPFIX small SS
11387 - * 27 - per-cpu [ offset to per-cpu data area ]
11388 - * 28 - stack_canary-20 [ for stack protector ]
11389 -- * 29 - unused
11390 -- * 30 - unused
11391 -+ * 29 - PCI BIOS CS
11392 -+ * 30 - PCI BIOS DS
11393 - * 31 - TSS for double fault handler
11394 - */
11395 -+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
11396 -+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
11397 -+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
11398 -+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
11399 -+
11400 - #define GDT_ENTRY_TLS_MIN 6
11401 - #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
11402 -
11403 -@@ -77,6 +82,8 @@
11404 -
11405 - #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
11406 -
11407 -+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11408 -+
11409 - #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
11410 -
11411 - #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
11412 -@@ -88,7 +95,7 @@
11413 - #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
11414 - #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
11415 -
11416 --#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
11417 -+#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
11418 - #ifdef CONFIG_SMP
11419 - #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
11420 - #else
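Review bot: the removed and added GDT_ENTRY_PERCPU lines are textually identical apart from whitespace, so this hunk changes nothing functional. Drop it from the patch to keep the diff against upstream segment.h minimal and make real changes easier to audit.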
11421 -@@ -102,6 +109,12 @@
11422 - #define __KERNEL_STACK_CANARY 0
11423 - #endif
11424 -
11425 -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
11426 -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11427 -+
11428 -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
11429 -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11430 -+
11431 - #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11432 -
11433 - /*
11434 -@@ -139,7 +152,7 @@
11435 - */
11436 -
11437 - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11438 --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11439 -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11440 -
11441 -
11442 - #else
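Review bot: the rewritten SEGMENT_IS_PNP_CODE(x) evaluates x twice, so an argument with side effects is no longer safe, which the single-mask original avoided. Convert it to a static inline function or copy x into a local first. The comment above still says PNP_CS32 and PNP_CS16 "must be consecutive", which was a requirement of the old mask trick; say whether that constraint still applies, and make sure PNP_CS32 and PNP_CS16 are visible wherever this header's macro is used, since they are not defined in the lines shown.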
11443 -@@ -163,6 +176,8 @@
11444 - #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11445 - #define __USER32_DS __USER_DS
11446 -
11447 -+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11448 -+
11449 - #define GDT_ENTRY_TSS 8 /* needs two entries */
11450 - #define GDT_ENTRY_LDT 10 /* needs two entries */
11451 - #define GDT_ENTRY_TLS_MIN 12
11452 -@@ -183,6 +198,7 @@
11453 - #endif
11454 -
11455 - #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
11456 -+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
11457 - #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
11458 - #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
11459 - #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
11460 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/smp.h linux-2.6.32.46/arch/x86/include/asm/smp.h
11461 ---- linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-03-27 14:31:47.000000000 -0400
11462 -+++ linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-08-05 20:33:55.000000000 -0400
11463 -@@ -24,7 +24,7 @@ extern unsigned int num_processors;
11464 - DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
11465 - DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
11466 - DECLARE_PER_CPU(u16, cpu_llc_id);
11467 --DECLARE_PER_CPU(int, cpu_number);
11468 -+DECLARE_PER_CPU(unsigned int, cpu_number);
11469 -
11470 - static inline struct cpumask *cpu_sibling_mask(int cpu)
11471 - {
11472 -@@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
11473 - DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
11474 -
11475 - /* Static state in head.S used to set up a CPU */
11476 --extern struct {
11477 -- void *sp;
11478 -- unsigned short ss;
11479 --} stack_start;
11480 -+extern unsigned long stack_start; /* Initial stack pointer address */
11481 -
11482 - struct smp_ops {
11483 - void (*smp_prepare_boot_cpu)(void);
11484 -@@ -60,7 +57,7 @@ struct smp_ops {
11485 -
11486 - void (*send_call_func_ipi)(const struct cpumask *mask);
11487 - void (*send_call_func_single_ipi)(int cpu);
11488 --};
11489 -+} __no_const;
11490 -
11491 - /* Globals due to paravirt */
11492 - extern void set_cpu_sibling_map(int cpu);
11493 -@@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
11494 - extern int safe_smp_processor_id(void);
11495 -
11496 - #elif defined(CONFIG_X86_64_SMP)
11497 --#define raw_smp_processor_id() (percpu_read(cpu_number))
11498 --
11499 --#define stack_smp_processor_id() \
11500 --({ \
11501 -- struct thread_info *ti; \
11502 -- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11503 -- ti->cpu; \
11504 --})
11505 -+#define raw_smp_processor_id() (percpu_read(cpu_number))
11506 -+#define stack_smp_processor_id() raw_smp_processor_id()
11507 - #define safe_smp_processor_id() smp_processor_id()
11508 -
11509 - #endif
11510 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/spinlock.h linux-2.6.32.46/arch/x86/include/asm/spinlock.h
11511 ---- linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
11512 -+++ linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-04-17 15:56:46.000000000 -0400
11513 -@@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
11514 - static inline void __raw_read_lock(raw_rwlock_t *rw)
11515 - {
11516 - asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11517 -+
11518 -+#ifdef CONFIG_PAX_REFCOUNT
11519 -+ "jno 0f\n"
11520 -+ LOCK_PREFIX " addl $1,(%0)\n"
11521 -+ "int $4\n0:\n"
11522 -+ _ASM_EXTABLE(0b, 0b)
11523 -+#endif
11524 -+
11525 - "jns 1f\n"
11526 - "call __read_lock_failed\n\t"
11527 - "1:\n"
11528 -@@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
11529 - static inline void __raw_write_lock(raw_rwlock_t *rw)
11530 - {
11531 - asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11532 -+
11533 -+#ifdef CONFIG_PAX_REFCOUNT
11534 -+ "jno 0f\n"
11535 -+ LOCK_PREFIX " addl %1,(%0)\n"
11536 -+ "int $4\n0:\n"
11537 -+ _ASM_EXTABLE(0b, 0b)
11538 -+#endif
11539 -+
11540 - "jz 1f\n"
11541 - "call __write_lock_failed\n\t"
11542 - "1:\n"
11543 -@@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
11544 -
11545 - static inline void __raw_read_unlock(raw_rwlock_t *rw)
11546 - {
11547 -- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11548 -+ asm volatile(LOCK_PREFIX "incl %0\n"
11549 -+
11550 -+#ifdef CONFIG_PAX_REFCOUNT
11551 -+ "jno 0f\n"
11552 -+ LOCK_PREFIX "decl %0\n"
11553 -+ "int $4\n0:\n"
11554 -+ _ASM_EXTABLE(0b, 0b)
11555 -+#endif
11556 -+
11557 -+ :"+m" (rw->lock) : : "memory");
11558 - }
11559 -
11560 - static inline void __raw_write_unlock(raw_rwlock_t *rw)
11561 - {
11562 -- asm volatile(LOCK_PREFIX "addl %1, %0"
11563 -+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
11564 -+
11565 -+#ifdef CONFIG_PAX_REFCOUNT
11566 -+ "jno 0f\n"
11567 -+ LOCK_PREFIX "subl %1, %0\n"
11568 -+ "int $4\n0:\n"
11569 -+ _ASM_EXTABLE(0b, 0b)
11570 -+#endif
11571 -+
11572 - : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11573 - }
11574 -
11575 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/stackprotector.h linux-2.6.32.46/arch/x86/include/asm/stackprotector.h
11576 ---- linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-03-27 14:31:47.000000000 -0400
11577 -+++ linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-07-06 19:53:33.000000000 -0400
11578 -@@ -48,7 +48,7 @@
11579 - * head_32 for boot CPU and setup_per_cpu_areas() for others.
11580 - */
11581 - #define GDT_STACK_CANARY_INIT \
11582 -- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
11583 -+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
11584 -
11585 - /*
11586 - * Initialize the stackprotector canary value.
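Review bot: the canary segment limit changes from 0x18 to 0x17 with no comment. Since a segment limit is the last valid offset, 0x17 covers exactly 24 bytes, which matches the "stack_canary-20" layout noted in segment.h plus a 4-byte canary, so the new value looks like an off-by-one correction. Say so in a comment next to GDT_STACK_CANARY_INIT, otherwise the constant reads as arbitrary and is likely to be reverted by a later merge.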
11587 -@@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11588 -
11589 - static inline void load_stack_canary_segment(void)
11590 - {
11591 --#ifdef CONFIG_X86_32
11592 -+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11593 - asm volatile ("mov %0, %%gs" : : "r" (0));
11594 - #endif
11595 - }
11596 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/system.h linux-2.6.32.46/arch/x86/include/asm/system.h
11597 ---- linux-2.6.32.46/arch/x86/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
11598 -+++ linux-2.6.32.46/arch/x86/include/asm/system.h 2011-05-22 23:02:03.000000000 -0400
11599 -@@ -132,7 +132,7 @@ do { \
11600 - "thread_return:\n\t" \
11601 - "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11602 - __switch_canary \
11603 -- "movq %P[thread_info](%%rsi),%%r8\n\t" \
11604 -+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11605 - "movq %%rax,%%rdi\n\t" \
11606 - "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11607 - "jnz ret_from_fork\n\t" \
11608 -@@ -143,7 +143,7 @@ do { \
11609 - [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11610 - [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11611 - [_tif_fork] "i" (_TIF_FORK), \
11612 -- [thread_info] "i" (offsetof(struct task_struct, stack)), \
11613 -+ [thread_info] "m" (per_cpu_var(current_tinfo)), \
11614 - [current_task] "m" (per_cpu_var(current_task)) \
11615 - __switch_canary_iparam \
11616 - : "memory", "cc" __EXTRA_CLOBBER)
11617 -@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11618 - {
11619 - unsigned long __limit;
11620 - asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11621 -- return __limit + 1;
11622 -+ return __limit;
11623 - }
11624 -
11625 - static inline void native_clts(void)
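Review bot: get_limit() changes meaning here without a comment: `return __limit;` yields the last valid offset of the segment, where `return __limit + 1;` yielded its size. Every caller that treats the result as a byte count is now off by one, so the patch should either document the new contract above the function or show that the callers were audited and adjusted in the same series.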
11626 -@@ -340,12 +340,12 @@ void enable_hlt(void);
11627 -
11628 - void cpu_idle_wait(void);
11629 -
11630 --extern unsigned long arch_align_stack(unsigned long sp);
11631 -+#define arch_align_stack(x) ((x) & ~0xfUL)
11632 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11633 -
11634 - void default_idle(void);
11635 -
11636 --void stop_this_cpu(void *dummy);
11637 -+void stop_this_cpu(void *dummy) __noreturn;
11638 -
11639 - /*
11640 - * Force strict CPU ordering.
11641 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/thread_info.h linux-2.6.32.46/arch/x86/include/asm/thread_info.h
11642 ---- linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-03-27 14:31:47.000000000 -0400
11643 -+++ linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-05-17 19:26:34.000000000 -0400
11644 -@@ -10,6 +10,7 @@
11645 - #include <linux/compiler.h>
11646 - #include <asm/page.h>
11647 - #include <asm/types.h>
11648 -+#include <asm/percpu.h>
11649 -
11650 - /*
11651 - * low level task data that entry.S needs immediate access to
11652 -@@ -24,7 +25,6 @@ struct exec_domain;
11653 - #include <asm/atomic.h>
11654 -
11655 - struct thread_info {
11656 -- struct task_struct *task; /* main task structure */
11657 - struct exec_domain *exec_domain; /* execution domain */
11658 - __u32 flags; /* low level flags */
11659 - __u32 status; /* thread synchronous flags */
11660 -@@ -34,18 +34,12 @@ struct thread_info {
11661 - mm_segment_t addr_limit;
11662 - struct restart_block restart_block;
11663 - void __user *sysenter_return;
11664 --#ifdef CONFIG_X86_32
11665 -- unsigned long previous_esp; /* ESP of the previous stack in
11666 -- case of nested (IRQ) stacks
11667 -- */
11668 -- __u8 supervisor_stack[0];
11669 --#endif
11670 -+ unsigned long lowest_stack;
11671 - int uaccess_err;
11672 - };
11673 -
11674 --#define INIT_THREAD_INFO(tsk) \
11675 -+#define INIT_THREAD_INFO \
11676 - { \
11677 -- .task = &tsk, \
11678 - .exec_domain = &default_exec_domain, \
11679 - .flags = 0, \
11680 - .cpu = 0, \
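Review bot: INIT_THREAD_INFO loses its `tsk` argument and the `.task` initializer, and struct thread_info gains `lowest_stack` with no comment on what it tracks or who updates it. Any remaining user of `INIT_THREAD_INFO(tsk)` or of `previous_esp` / `supervisor_stack` will fail to build on 32-bit, so the changelog should name the call sites converted, and `lowest_stack` deserves a field comment like its neighbours have.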
11681 -@@ -56,7 +50,7 @@ struct thread_info {
11682 - }, \
11683 - }
11684 -
11685 --#define init_thread_info (init_thread_union.thread_info)
11686 -+#define init_thread_info (init_thread_union.stack)
11687 - #define init_stack (init_thread_union.stack)
11688 -
11689 - #else /* !__ASSEMBLY__ */
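Review bot: After this change `init_thread_info` and `init_stack` expand to the same expression, `(init_thread_union.stack)`, so `init_thread_info` no longer names a struct thread_info at all. Code that takes a member of it or its address as a thread_info pointer would now be operating on the stack array. Either drop the macro or add a comment that it is kept only as a stack-base alias.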
11690 -@@ -163,6 +157,23 @@ struct thread_info {
11691 - #define alloc_thread_info(tsk) \
11692 - ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
11693 -
11694 -+#ifdef __ASSEMBLY__
11695 -+/* how to get the thread information struct from ASM */
11696 -+#define GET_THREAD_INFO(reg) \
11697 -+ mov PER_CPU_VAR(current_tinfo), reg
11698 -+
11699 -+/* use this one if reg already contains %esp */
11700 -+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11701 -+#else
11702 -+/* how to get the thread information struct from C */
11703 -+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11704 -+
11705 -+static __always_inline struct thread_info *current_thread_info(void)
11706 -+{
11707 -+ return percpu_read_stable(current_tinfo);
11708 -+}
11709 -+#endif
11710 -+
11711 - #ifdef CONFIG_X86_32
11712 -
11713 - #define STACK_WARN (THREAD_SIZE/8)
11714 -@@ -173,35 +184,13 @@ struct thread_info {
11715 - */
11716 - #ifndef __ASSEMBLY__
11717 -
11718 --
11719 - /* how to get the current stack pointer from C */
11720 - register unsigned long current_stack_pointer asm("esp") __used;
11721 -
11722 --/* how to get the thread information struct from C */
11723 --static inline struct thread_info *current_thread_info(void)
11724 --{
11725 -- return (struct thread_info *)
11726 -- (current_stack_pointer & ~(THREAD_SIZE - 1));
11727 --}
11728 --
11729 --#else /* !__ASSEMBLY__ */
11730 --
11731 --/* how to get the thread information struct from ASM */
11732 --#define GET_THREAD_INFO(reg) \
11733 -- movl $-THREAD_SIZE, reg; \
11734 -- andl %esp, reg
11735 --
11736 --/* use this one if reg already contains %esp */
11737 --#define GET_THREAD_INFO_WITH_ESP(reg) \
11738 -- andl $-THREAD_SIZE, reg
11739 --
11740 - #endif
11741 -
11742 - #else /* X86_32 */
11743 -
11744 --#include <asm/percpu.h>
11745 --#define KERNEL_STACK_OFFSET (5*8)
11746 --
11747 - /*
11748 - * macros/functions for gaining access to the thread information structure
11749 - * preempt_count needs to be 1 initially, until the scheduler is functional.
11750 -@@ -209,21 +198,8 @@ static inline struct thread_info *curren
11751 - #ifndef __ASSEMBLY__
11752 - DECLARE_PER_CPU(unsigned long, kernel_stack);
11753 -
11754 --static inline struct thread_info *current_thread_info(void)
11755 --{
11756 -- struct thread_info *ti;
11757 -- ti = (void *)(percpu_read_stable(kernel_stack) +
11758 -- KERNEL_STACK_OFFSET - THREAD_SIZE);
11759 -- return ti;
11760 --}
11761 --
11762 --#else /* !__ASSEMBLY__ */
11763 --
11764 --/* how to get the thread information struct from ASM */
11765 --#define GET_THREAD_INFO(reg) \
11766 -- movq PER_CPU_VAR(kernel_stack),reg ; \
11767 -- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11768 --
11769 -+/* how to get the current stack pointer from C */
11770 -+register unsigned long current_stack_pointer asm("rsp") __used;
11771 - #endif
11772 -
11773 - #endif /* !X86_32 */
11774 -@@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
11775 - extern void free_thread_info(struct thread_info *ti);
11776 - extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11777 - #define arch_task_cache_init arch_task_cache_init
11778 -+
11779 -+#define __HAVE_THREAD_FUNCTIONS
11780 -+#define task_thread_info(task) (&(task)->tinfo)
11781 -+#define task_stack_page(task) ((task)->stack)
11782 -+#define setup_thread_stack(p, org) do {} while (0)
11783 -+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11784 -+
11785 -+#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11786 -+extern struct task_struct *alloc_task_struct(void);
11787 -+extern void free_task_struct(struct task_struct *);
11788 -+
11789 - #endif
11790 - #endif /* _ASM_X86_THREAD_INFO_H */
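Review bot: `end_of_stack(p)` keeps a `+ 1` whose justification is not visible: `task_thread_info(task)` is now `&(task)->tinfo`, so thread_info is no longer at the base of the stack page and the skipped word has no stated owner. Say in a comment what occupies that first unsigned long, or return `task_stack_page(p)` directly. `setup_thread_stack()` becoming a no-op also means nothing in this header copies thread_info on fork any more, which is worth a sentence where the copy now happens.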
11791 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x86/include/asm/uaccess.h
11792 ---- linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
11793 -+++ linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-10-06 09:37:08.000000000 -0400
11794 -@@ -8,12 +8,15 @@
11795 - #include <linux/thread_info.h>
11796 - #include <linux/prefetch.h>
11797 - #include <linux/string.h>
11798 -+#include <linux/sched.h>
11799 - #include <asm/asm.h>
11800 - #include <asm/page.h>
11801 -
11802 - #define VERIFY_READ 0
11803 - #define VERIFY_WRITE 1
11804 -
11805 -+extern void check_object_size(const void *ptr, unsigned long n, bool to);
11806 -+
11807 - /*
11808 - * The fs value determines whether argument validity checking should be
11809 - * performed or not. If get_fs() == USER_DS, checking is performed, with
11810 -@@ -29,7 +32,12 @@
11811 -
11812 - #define get_ds() (KERNEL_DS)
11813 - #define get_fs() (current_thread_info()->addr_limit)
11814 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11815 -+void __set_fs(mm_segment_t x);
11816 -+void set_fs(mm_segment_t x);
11817 -+#else
11818 - #define set_fs(x) (current_thread_info()->addr_limit = (x))
11819 -+#endif
11820 -
11821 - #define segment_eq(a, b) ((a).seg == (b).seg)
11822 -
11823 -@@ -77,7 +85,33 @@
11824 - * checks that the pointer is in the user space range - after calling
11825 - * this function, memory access functions may still return -EFAULT.
11826 - */
11827 --#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11828 -+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11829 -+#define access_ok(type, addr, size) \
11830 -+({ \
11831 -+ long __size = size; \
11832 -+ unsigned long __addr = (unsigned long)addr; \
11833 -+ unsigned long __addr_ao = __addr & PAGE_MASK; \
11834 -+ unsigned long __end_ao = __addr + __size - 1; \
11835 -+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11836 -+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11837 -+ while(__addr_ao <= __end_ao) { \
11838 -+ char __c_ao; \
11839 -+ __addr_ao += PAGE_SIZE; \
11840 -+ if (__size > PAGE_SIZE) \
11841 -+ cond_resched(); \
11842 -+ if (__get_user(__c_ao, (char __user *)__addr)) \
11843 -+ break; \
11844 -+ if (type != VERIFY_WRITE) { \
11845 -+ __addr = __addr_ao; \
11846 -+ continue; \
11847 -+ } \
11848 -+ if (__put_user(__c_ao, (char __user *)__addr)) \
11849 -+ break; \
11850 -+ __addr = __addr_ao; \
11851 -+ } \
11852 -+ } \
11853 -+ __ret_ao; \
11854 -+})
11855 -
11856 - /*
11857 - * The exception table consists of pairs of addresses: the first is the
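Review bot: In the new access_ok() the arguments are used unparenthesized: `(unsigned long)addr` applies the cast before any arithmetic in the caller's expression, so a call with `p + 1` on a non-char pointer computes the wrong address. Use `(unsigned long)(addr)` and `long __size = (size);`. Separately, the page-touching loop throws away the result of `__get_user` / `__put_user` (it only breaks), so `__ret_ao` is still just the `__range_not_ok` answer, and the `cond_resched()` call means access_ok() can now sleep and touch user memory. Both facts need a comment above the macro, since callers have so far been able to treat access_ok() as a pure range check.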
11858 -@@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11859 - asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11860 - : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11861 -
11862 --
11863 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11864 -+#define __copyuser_seg "gs;"
11865 -+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11866 -+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11867 -+#else
11868 -+#define __copyuser_seg
11869 -+#define __COPYUSER_SET_ES
11870 -+#define __COPYUSER_RESTORE_ES
11871 -+#endif
11872 -
11873 - #ifdef CONFIG_X86_32
11874 - #define __put_user_asm_u64(x, addr, err, errret) \
11875 -- asm volatile("1: movl %%eax,0(%2)\n" \
11876 -- "2: movl %%edx,4(%2)\n" \
11877 -+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11878 -+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11879 - "3:\n" \
11880 - ".section .fixup,\"ax\"\n" \
11881 - "4: movl %3,%0\n" \
11882 -@@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11883 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
11884 -
11885 - #define __put_user_asm_ex_u64(x, addr) \
11886 -- asm volatile("1: movl %%eax,0(%1)\n" \
11887 -- "2: movl %%edx,4(%1)\n" \
11888 -+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11889 -+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11890 - "3:\n" \
11891 - _ASM_EXTABLE(1b, 2b - 1b) \
11892 - _ASM_EXTABLE(2b, 3b - 2b) \
11893 -@@ -253,7 +295,7 @@ extern void __put_user_8(void);
11894 - __typeof__(*(ptr)) __pu_val; \
11895 - __chk_user_ptr(ptr); \
11896 - might_fault(); \
11897 -- __pu_val = x; \
11898 -+ __pu_val = (x); \
11899 - switch (sizeof(*(ptr))) { \
11900 - case 1: \
11901 - __put_user_x(1, __pu_val, ptr, __ret_pu); \
11902 -@@ -374,7 +416,7 @@ do { \
11903 - } while (0)
11904 -
11905 - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11906 -- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11907 -+ asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11908 - "2:\n" \
11909 - ".section .fixup,\"ax\"\n" \
11910 - "3: mov %3,%0\n" \
11911 -@@ -382,7 +424,7 @@ do { \
11912 - " jmp 2b\n" \
11913 - ".previous\n" \
11914 - _ASM_EXTABLE(1b, 3b) \
11915 -- : "=r" (err), ltype(x) \
11916 -+ : "=r" (err), ltype (x) \
11917 - : "m" (__m(addr)), "i" (errret), "0" (err))
11918 -
11919 - #define __get_user_size_ex(x, ptr, size) \
11920 -@@ -407,7 +449,7 @@ do { \
11921 - } while (0)
11922 -
11923 - #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11924 -- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11925 -+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11926 - "2:\n" \
11927 - _ASM_EXTABLE(1b, 2b - 1b) \
11928 - : ltype(x) : "m" (__m(addr)))
11929 -@@ -424,13 +466,24 @@ do { \
11930 - int __gu_err; \
11931 - unsigned long __gu_val; \
11932 - __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11933 -- (x) = (__force __typeof__(*(ptr)))__gu_val; \
11934 -+ (x) = (__typeof__(*(ptr)))__gu_val; \
11935 - __gu_err; \
11936 - })
11937 -
11938 - /* FIXME: this hack is definitely wrong -AK */
11939 - struct __large_struct { unsigned long buf[100]; };
11940 --#define __m(x) (*(struct __large_struct __user *)(x))
11941 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11942 -+#define ____m(x) \
11943 -+({ \
11944 -+ unsigned long ____x = (unsigned long)(x); \
11945 -+ if (____x < PAX_USER_SHADOW_BASE) \
11946 -+ ____x += PAX_USER_SHADOW_BASE; \
11947 -+ (void __user *)____x; \
11948 -+})
11949 -+#else
11950 -+#define ____m(x) (x)
11951 -+#endif
11952 -+#define __m(x) (*(struct __large_struct __user *)____m(x))
11953 -
11954 - /*
11955 - * Tell gcc we read from memory instead of writing: this is because
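Review bot: `____m(x)` rebases any address below PAX_USER_SHADOW_BASE without a word of documentation, directly under an existing "this hack is definitely wrong" FIXME. Add a comment describing what the shadow region is and why addresses already at or above the base pass through unchanged. The same hunk also drops `__force` from the `(x) = (__typeof__(*(ptr)))__gu_val;` cast with no explanation, which should be mentioned in the changelog if it is intentional.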
11956 -@@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11957 - * aliasing issues.
11958 - */
11959 - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11960 -- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11961 -+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11962 - "2:\n" \
11963 - ".section .fixup,\"ax\"\n" \
11964 - "3: mov %3,%0\n" \
11965 -@@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11966 - ".previous\n" \
11967 - _ASM_EXTABLE(1b, 3b) \
11968 - : "=r"(err) \
11969 -- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11970 -+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11971 -
11972 - #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11973 -- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11974 -+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11975 - "2:\n" \
11976 - _ASM_EXTABLE(1b, 2b - 1b) \
11977 - : : ltype(x), "m" (__m(addr)))
11978 -@@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11979 - * On error, the variable @x is set to zero.
11980 - */
11981 -
11982 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11983 -+#define __get_user(x, ptr) get_user((x), (ptr))
11984 -+#else
11985 - #define __get_user(x, ptr) \
11986 - __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11987 -+#endif
11988 -
11989 - /**
11990 - * __put_user: - Write a simple value into user space, with less checking.
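Review bot: On X86_64 with CONFIG_PAX_MEMORY_UDEREF, `__get_user(x, ptr)` is now the fully checked `get_user((x), (ptr))`, but the kerneldoc around it is left untouched and still describes the unchecked variant. Add a sentence to the comment block noting that under UDEREF the double-underscore form performs the full check, so callers that pre-validate with access_ok() and then loop over `__get_user` know they are paying for the check on every access.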
11991 -@@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11992 - * Returns zero on success, or -EFAULT on error.
11993 - */
11994 -
11995 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11996 -+#define __put_user(x, ptr) put_user((x), (ptr))
11997 -+#else
11998 - #define __put_user(x, ptr) \
11999 - __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12000 -+#endif
12001 -
12002 - #define __get_user_unaligned __get_user
12003 - #define __put_user_unaligned __put_user
12004 -@@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12005 - #define get_user_ex(x, ptr) do { \
12006 - unsigned long __gue_val; \
12007 - __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12008 -- (x) = (__force __typeof__(*(ptr)))__gue_val; \
12009 -+ (x) = (__typeof__(*(ptr)))__gue_val; \
12010 - } while (0)
12011 -
12012 - #ifdef CONFIG_X86_WP_WORKS_OK
12013 -@@ -567,6 +628,7 @@ extern struct movsl_mask {
12014 -
12015 - #define ARCH_HAS_NOCACHE_UACCESS 1
12016 -
12017 -+#define ARCH_HAS_SORT_EXTABLE
12018 - #ifdef CONFIG_X86_32
12019 - # include "uaccess_32.h"
12020 - #else
12021 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h
12022 ---- linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
12023 -+++ linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:46:57.000000000 -0400
12024 -@@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
12025 - static __always_inline unsigned long __must_check
12026 - __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
12027 - {
12028 -+ pax_track_stack();
12029 -+
12030 -+ if ((long)n < 0)
12031 -+ return n;
12032 -+
12033 - if (__builtin_constant_p(n)) {
12034 - unsigned long ret;
12035 -
12036 -@@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
12037 - return ret;
12038 - }
12039 - }
12040 -+ if (!__builtin_constant_p(n))
12041 -+ check_object_size(from, n, true);
12042 - return __copy_to_user_ll(to, from, n);
12043 - }
12044 -
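Review bot: `check_object_size(from, n, true)` runs only when `n` is not a compile-time constant, so a constant `n` that is not handled by the early-return switch reaches `__copy_to_user_ll` with no object-size check. If that is deliberate (for example because constant sizes are validated at build time), say so in a comment next to the `if (!__builtin_constant_p(n))` line; otherwise drop the condition.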
12045 -@@ -83,12 +90,16 @@ static __always_inline unsigned long __m
12046 - __copy_to_user(void __user *to, const void *from, unsigned long n)
12047 - {
12048 - might_fault();
12049 -+
12050 - return __copy_to_user_inatomic(to, from, n);
12051 - }
12052 -
12053 - static __always_inline unsigned long
12054 - __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
12055 - {
12056 -+ if ((long)n < 0)
12057 -+ return n;
12058 -+
12059 - /* Avoid zeroing the tail if the copy fails..
12060 - * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
12061 - * but as the zeroing behaviour is only significant when n is not
12062 -@@ -138,6 +149,12 @@ static __always_inline unsigned long
12063 - __copy_from_user(void *to, const void __user *from, unsigned long n)
12064 - {
12065 - might_fault();
12066 -+
12067 -+ pax_track_stack();
12068 -+
12069 -+ if ((long)n < 0)
12070 -+ return n;
12071 -+
12072 - if (__builtin_constant_p(n)) {
12073 - unsigned long ret;
12074 -
12075 -@@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
12076 - return ret;
12077 - }
12078 - }
12079 -+ if (!__builtin_constant_p(n))
12080 -+ check_object_size(to, n, false);
12081 - return __copy_from_user_ll(to, from, n);
12082 - }
12083 -
12084 -@@ -160,6 +179,10 @@ static __always_inline unsigned long __c
12085 - const void __user *from, unsigned long n)
12086 - {
12087 - might_fault();
12088 -+
12089 -+ if ((long)n < 0)
12090 -+ return n;
12091 -+
12092 - if (__builtin_constant_p(n)) {
12093 - unsigned long ret;
12094 -
12095 -@@ -182,14 +205,62 @@ static __always_inline unsigned long
12096 - __copy_from_user_inatomic_nocache(void *to, const void __user *from,
12097 - unsigned long n)
12098 - {
12099 -- return __copy_from_user_ll_nocache_nozero(to, from, n);
12100 -+ if ((long)n < 0)
12101 -+ return n;
12102 -+
12103 -+ return __copy_from_user_ll_nocache_nozero(to, from, n);
12104 -+}
12105 -+
12106 -+/**
12107 -+ * copy_to_user: - Copy a block of data into user space.
12108 -+ * @to: Destination address, in user space.
12109 -+ * @from: Source address, in kernel space.
12110 -+ * @n: Number of bytes to copy.
12111 -+ *
12112 -+ * Context: User context only. This function may sleep.
12113 -+ *
12114 -+ * Copy data from kernel space to user space.
12115 -+ *
12116 -+ * Returns number of bytes that could not be copied.
12117 -+ * On success, this will be zero.
12118 -+ */
12119 -+static __always_inline unsigned long __must_check
12120 -+copy_to_user(void __user *to, const void *from, unsigned long n)
12121 -+{
12122 -+ if (access_ok(VERIFY_WRITE, to, n))
12123 -+ n = __copy_to_user(to, from, n);
12124 -+ return n;
12125 -+}
12126 -+
12127 -+/**
12128 -+ * copy_from_user: - Copy a block of data from user space.
12129 -+ * @to: Destination address, in kernel space.
12130 -+ * @from: Source address, in user space.
12131 -+ * @n: Number of bytes to copy.
12132 -+ *
12133 -+ * Context: User context only. This function may sleep.
12134 -+ *
12135 -+ * Copy data from user space to kernel space.
12136 -+ *
12137 -+ * Returns number of bytes that could not be copied.
12138 -+ * On success, this will be zero.
12139 -+ *
12140 -+ * If some data could not be copied, this function will pad the copied
12141 -+ * data to the requested size using zero bytes.
12142 -+ */
12143 -+static __always_inline unsigned long __must_check
12144 -+copy_from_user(void *to, const void __user *from, unsigned long n)
12145 -+{
12146 -+ if (access_ok(VERIFY_READ, from, n))
12147 -+ n = __copy_from_user(to, from, n);
12148 -+ else if ((long)n > 0) {
12149 -+ if (!__builtin_constant_p(n))
12150 -+ check_object_size(to, n, false);
12151 -+ memset(to, 0, n);
12152 -+ }
12153 -+ return n;
12154 - }
12155 -
12156 --unsigned long __must_check copy_to_user(void __user *to,
12157 -- const void *from, unsigned long n);
12158 --unsigned long __must_check copy_from_user(void *to,
12159 -- const void __user *from,
12160 -- unsigned long n);
12161 - long __must_check strncpy_from_user(char *dst, const char __user *src,
12162 - long count);
12163 - long __must_check __strncpy_from_user(char *dst,
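Review bot: The inline copy_from_user() added here has no explicit early return for a negative length; it calls `access_ok(VERIFY_READ, from, n)` first and only rejects the zeroing path through `else if ((long)n > 0)`. The 64-bit version in this same patch starts with `if ((int)len < 0) return len;`, so the two should match: put the sign check first here as well, so the behaviour does not depend on access_ok() failing for huge `n`. The kerneldoc should also mention that the destination is not zero-padded in that case.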
12164 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h
12165 ---- linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
12166 -+++ linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-10-06 09:37:08.000000000 -0400
12167 -@@ -9,6 +9,9 @@
12168 - #include <linux/prefetch.h>
12169 - #include <linux/lockdep.h>
12170 - #include <asm/page.h>
12171 -+#include <asm/pgtable.h>
12172 -+
12173 -+#define set_fs(x) (current_thread_info()->addr_limit = (x))
12174 -
12175 - /*
12176 - * Copy To/From Userspace
12177 -@@ -19,113 +22,203 @@ __must_check unsigned long
12178 - copy_user_generic(void *to, const void *from, unsigned len);
12179 -
12180 - __must_check unsigned long
12181 --copy_to_user(void __user *to, const void *from, unsigned len);
12182 --__must_check unsigned long
12183 --copy_from_user(void *to, const void __user *from, unsigned len);
12184 --__must_check unsigned long
12185 - copy_in_user(void __user *to, const void __user *from, unsigned len);
12186 -
12187 - static __always_inline __must_check
12188 --int __copy_from_user(void *dst, const void __user *src, unsigned size)
12189 -+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
12190 - {
12191 -- int ret = 0;
12192 -+ unsigned ret = 0;
12193 -
12194 - might_fault();
12195 -- if (!__builtin_constant_p(size))
12196 -- return copy_user_generic(dst, (__force void *)src, size);
12197 -+
12198 -+ if ((int)size < 0)
12199 -+ return size;
12200 -+
12201 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12202 -+ if (!__access_ok(VERIFY_READ, src, size))
12203 -+ return size;
12204 -+#endif
12205 -+
12206 -+ if (!__builtin_constant_p(size)) {
12207 -+ check_object_size(dst, size, false);
12208 -+
12209 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12210 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12211 -+ src += PAX_USER_SHADOW_BASE;
12212 -+#endif
12213 -+
12214 -+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
12215 -+ }
12216 - switch (size) {
12217 -- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
12218 -+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
12219 - ret, "b", "b", "=q", 1);
12220 - return ret;
12221 -- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
12222 -+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
12223 - ret, "w", "w", "=r", 2);
12224 - return ret;
12225 -- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
12226 -+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
12227 - ret, "l", "k", "=r", 4);
12228 - return ret;
12229 -- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
12230 -+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12231 - ret, "q", "", "=r", 8);
12232 - return ret;
12233 - case 10:
12234 -- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12235 -+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12236 - ret, "q", "", "=r", 10);
12237 - if (unlikely(ret))
12238 - return ret;
12239 - __get_user_asm(*(u16 *)(8 + (char *)dst),
12240 -- (u16 __user *)(8 + (char __user *)src),
12241 -+ (const u16 __user *)(8 + (const char __user *)src),
12242 - ret, "w", "w", "=r", 2);
12243 - return ret;
12244 - case 16:
12245 -- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12246 -+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12247 - ret, "q", "", "=r", 16);
12248 - if (unlikely(ret))
12249 - return ret;
12250 - __get_user_asm(*(u64 *)(8 + (char *)dst),
12251 -- (u64 __user *)(8 + (char __user *)src),
12252 -+ (const u64 __user *)(8 + (const char __user *)src),
12253 - ret, "q", "", "=r", 8);
12254 - return ret;
12255 - default:
12256 -- return copy_user_generic(dst, (__force void *)src, size);
12257 -+
12258 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12259 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12260 -+ src += PAX_USER_SHADOW_BASE;
12261 -+#endif
12262 -+
12263 -+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
12264 - }
12265 - }
12266 -
12267 - static __always_inline __must_check
12268 --int __copy_to_user(void __user *dst, const void *src, unsigned size)
12269 -+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
12270 - {
12271 -- int ret = 0;
12272 -+ unsigned ret = 0;
12273 -
12274 - might_fault();
12275 -- if (!__builtin_constant_p(size))
12276 -- return copy_user_generic((__force void *)dst, src, size);
12277 -+
12278 -+ pax_track_stack();
12279 -+
12280 -+ if ((int)size < 0)
12281 -+ return size;
12282 -+
12283 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12284 -+ if (!__access_ok(VERIFY_WRITE, dst, size))
12285 -+ return size;
12286 -+#endif
12287 -+
12288 -+ if (!__builtin_constant_p(size)) {
12289 -+ check_object_size(src, size, true);
12290 -+
12291 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12292 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12293 -+ dst += PAX_USER_SHADOW_BASE;
12294 -+#endif
12295 -+
12296 -+ return copy_user_generic((__force_kernel void *)dst, src, size);
12297 -+ }
12298 - switch (size) {
12299 -- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
12300 -+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
12301 - ret, "b", "b", "iq", 1);
12302 - return ret;
12303 -- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
12304 -+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
12305 - ret, "w", "w", "ir", 2);
12306 - return ret;
12307 -- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
12308 -+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
12309 - ret, "l", "k", "ir", 4);
12310 - return ret;
12311 -- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
12312 -+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12313 - ret, "q", "", "er", 8);
12314 - return ret;
12315 - case 10:
12316 -- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12317 -+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12318 - ret, "q", "", "er", 10);
12319 - if (unlikely(ret))
12320 - return ret;
12321 - asm("":::"memory");
12322 -- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
12323 -+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
12324 - ret, "w", "w", "ir", 2);
12325 - return ret;
12326 - case 16:
12327 -- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12328 -+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12329 - ret, "q", "", "er", 16);
12330 - if (unlikely(ret))
12331 - return ret;
12332 - asm("":::"memory");
12333 -- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
12334 -+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
12335 - ret, "q", "", "er", 8);
12336 - return ret;
12337 - default:
12338 -- return copy_user_generic((__force void *)dst, src, size);
12339 -+
12340 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12341 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12342 -+ dst += PAX_USER_SHADOW_BASE;
12343 -+#endif
12344 -+
12345 -+ return copy_user_generic((__force_kernel void *)dst, src, size);
12346 -+ }
12347 -+}
12348 -+
12349 -+static __always_inline __must_check
12350 -+unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
12351 -+{
12352 -+ if (access_ok(VERIFY_WRITE, to, len))
12353 -+ len = __copy_to_user(to, from, len);
12354 -+ return len;
12355 -+}
12356 -+
12357 -+static __always_inline __must_check
12358 -+unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
12359 -+{
12360 -+ if ((int)len < 0)
12361 -+ return len;
12362 -+
12363 -+ if (access_ok(VERIFY_READ, from, len))
12364 -+ len = __copy_from_user(to, from, len);
12365 -+ else if ((int)len > 0) {
12366 -+ if (!__builtin_constant_p(len))
12367 -+ check_object_size(to, len, false);
12368 -+ memset(to, 0, len);
12369 - }
12370 -+ return len;
12371 - }
12372 -
12373 - static __always_inline __must_check
12374 --int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12375 -+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12376 - {
12377 -- int ret = 0;
12378 -+ unsigned ret = 0;
12379 -
12380 - might_fault();
12381 -- if (!__builtin_constant_p(size))
12382 -- return copy_user_generic((__force void *)dst,
12383 -- (__force void *)src, size);
12384 -+
12385 -+ pax_track_stack();
12386 -+
12387 -+ if ((int)size < 0)
12388 -+ return size;
12389 -+
12390 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12391 -+ if (!__access_ok(VERIFY_READ, src, size))
12392 -+ return size;
12393 -+ if (!__access_ok(VERIFY_WRITE, dst, size))
12394 -+ return size;
12395 -+#endif
12396 -+
12397 -+ if (!__builtin_constant_p(size)) {
12398 -+
12399 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12400 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12401 -+ src += PAX_USER_SHADOW_BASE;
12402 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12403 -+ dst += PAX_USER_SHADOW_BASE;
12404 -+#endif
12405 -+
12406 -+ return copy_user_generic((__force_kernel void *)dst,
12407 -+ (__force_kernel const void *)src, size);
12408 -+ }
12409 - switch (size) {
12410 - case 1: {
12411 - u8 tmp;
12412 -- __get_user_asm(tmp, (u8 __user *)src,
12413 -+ __get_user_asm(tmp, (const u8 __user *)src,
12414 - ret, "b", "b", "=q", 1);
12415 - if (likely(!ret))
12416 - __put_user_asm(tmp, (u8 __user *)dst,
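Review bot: The `if ((unsigned long)ptr < PAX_USER_SHADOW_BASE) ptr += PAX_USER_SHADOW_BASE;` adjustment is open-coded in both the non-constant and `default:` paths of __copy_from_user(), __copy_to_user() and __copy_in_user(), duplicating what `____m()` in uaccess.h already does. Factor it into one inline helper so a future change to the rebasing rule cannot miss a copy. Two smaller points: __copy_to_user() and __copy_in_user() call `pax_track_stack()` but __copy_from_user() does not, with no stated reason, and the functions now return `unsigned long` while `ret` is `unsigned` and the guard is `(int)size < 0` on an `unsigned size`, which deserves a comment explaining that sizes above INT_MAX are rejected on purpose.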
12417 -@@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
12418 - }
12419 - case 2: {
12420 - u16 tmp;
12421 -- __get_user_asm(tmp, (u16 __user *)src,
12422 -+ __get_user_asm(tmp, (const u16 __user *)src,
12423 - ret, "w", "w", "=r", 2);
12424 - if (likely(!ret))
12425 - __put_user_asm(tmp, (u16 __user *)dst,
12426 -@@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
12427 -
12428 - case 4: {
12429 - u32 tmp;
12430 -- __get_user_asm(tmp, (u32 __user *)src,
12431 -+ __get_user_asm(tmp, (const u32 __user *)src,
12432 - ret, "l", "k", "=r", 4);
12433 - if (likely(!ret))
12434 - __put_user_asm(tmp, (u32 __user *)dst,
12435 -@@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
12436 - }
12437 - case 8: {
12438 - u64 tmp;
12439 -- __get_user_asm(tmp, (u64 __user *)src,
12440 -+ __get_user_asm(tmp, (const u64 __user *)src,
12441 - ret, "q", "", "=r", 8);
12442 - if (likely(!ret))
12443 - __put_user_asm(tmp, (u64 __user *)dst,
12444 -@@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
12445 - return ret;
12446 - }
12447 - default:
12448 -- return copy_user_generic((__force void *)dst,
12449 -- (__force void *)src, size);
12450 -+
12451 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12452 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12453 -+ src += PAX_USER_SHADOW_BASE;
12454 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12455 -+ dst += PAX_USER_SHADOW_BASE;
12456 -+#endif
12457 -+
12458 -+ return copy_user_generic((__force_kernel void *)dst,
12459 -+ (__force_kernel const void *)src, size);
12460 - }
12461 - }
12462 -
12463 -@@ -176,33 +277,75 @@ __must_check long strlen_user(const char
12464 - __must_check unsigned long clear_user(void __user *mem, unsigned long len);
12465 - __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
12466 -
12467 --__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
12468 -- unsigned size);
12469 -+static __must_check __always_inline unsigned long
12470 -+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12471 -+{
12472 -+ pax_track_stack();
12473 -+
12474 -+ if ((int)size < 0)
12475 -+ return size;
12476 -+
12477 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12478 -+ if (!__access_ok(VERIFY_READ, src, size))
12479 -+ return size;
12480 -+
12481 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12482 -+ src += PAX_USER_SHADOW_BASE;
12483 -+#endif
12484 -
12485 --static __must_check __always_inline int
12486 -+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
12487 -+}
12488 -+
12489 -+static __must_check __always_inline unsigned long
12490 - __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12491 - {
12492 -- return copy_user_generic((__force void *)dst, src, size);
12493 -+ if ((int)size < 0)
12494 -+ return size;
12495 -+
12496 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12497 -+ if (!__access_ok(VERIFY_WRITE, dst, size))
12498 -+ return size;
12499 -+
12500 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12501 -+ dst += PAX_USER_SHADOW_BASE;
12502 -+#endif
12503 -+
12504 -+ return copy_user_generic((__force_kernel void *)dst, src, size);
12505 - }
12506 -
12507 --extern long __copy_user_nocache(void *dst, const void __user *src,
12508 -+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12509 - unsigned size, int zerorest);
12510 -
12511 --static inline int
12512 --__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12513 -+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12514 - {
12515 - might_sleep();
12516 -+
12517 -+ if ((int)size < 0)
12518 -+ return size;
12519 -+
12520 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12521 -+ if (!__access_ok(VERIFY_READ, src, size))
12522 -+ return size;
12523 -+#endif
12524 -+
12525 - return __copy_user_nocache(dst, src, size, 1);
12526 - }
12527 -
12528 --static inline int
12529 --__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12530 -+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12531 - unsigned size)
12532 - {
12533 -+ if ((int)size < 0)
12534 -+ return size;
12535 -+
12536 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
12537 -+ if (!__access_ok(VERIFY_READ, src, size))
12538 -+ return size;
12539 -+#endif
12540 -+
12541 - return __copy_user_nocache(dst, src, size, 0);
12542 - }
12543 -
12544 --unsigned long
12545 --copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12546 -+extern unsigned long
12547 -+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
12548 -
12549 - #endif /* _ASM_X86_UACCESS_64_H */
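Review bot: the two _nocache helpers call __access_ok() under CONFIG_PAX_MEMORY_UDEREF but pass src to __copy_user_nocache() without adding PAX_USER_SHADOW_BASE, while __copy_from_user_inatomic() and __copy_to_user_inatomic() in the same hunk rebase the user pointer before calling copy_user_generic(). If __copy_user_nocache() does the rebasing itself, note that at the call sites; if not, the rebasing is missing. Two smaller points: the guard "if ((int)size < 0) return size;" is open-coded four times and would read better as one helper with a comment on why a size above INT_MAX is refused, and pax_track_stack() is called only in __copy_from_user_inatomic(), which needs either a comment or the same call in the other three. The return types also change from int/long to unsigned long, so any caller that tests the result for a negative value needs auditing.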
12550 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/vdso.h linux-2.6.32.46/arch/x86/include/asm/vdso.h
12551 ---- linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-03-27 14:31:47.000000000 -0400
12552 -+++ linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-10-06 09:37:14.000000000 -0400
12553 -@@ -25,7 +25,7 @@ extern const char VDSO32_PRELINK[];
12554 - #define VDSO32_SYMBOL(base, name) \
12555 - ({ \
12556 - extern const char VDSO32_##name[]; \
12557 -- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
12558 -+ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
12559 - })
12560 - #endif
12561 -
12562 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/vgtod.h linux-2.6.32.46/arch/x86/include/asm/vgtod.h
12563 ---- linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
12564 -+++ linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
12565 -@@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12566 - int sysctl_enabled;
12567 - struct timezone sys_tz;
12568 - struct { /* extract of a clocksource struct */
12569 -+ char name[8];
12570 - cycle_t (*vread)(void);
12571 - cycle_t cycle_last;
12572 - cycle_t mask;
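Review bot: char name[8] is added to the clocksource extract with a bare size and no comment. Say what is copied into it, whether it is always NUL-terminated, and what happens to a name longer than seven characters; a named constant for the length would let the writer and the readers agree on it.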
12573 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi.h linux-2.6.32.46/arch/x86/include/asm/vmi.h
12574 ---- linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-03-27 14:31:47.000000000 -0400
12575 -+++ linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-04-17 15:56:46.000000000 -0400
12576 -@@ -191,6 +191,7 @@ struct vrom_header {
12577 - u8 reserved[96]; /* Reserved for headers */
12578 - char vmi_init[8]; /* VMI_Init jump point */
12579 - char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
12580 -+ char rom_data[8048]; /* rest of the option ROM */
12581 - } __attribute__((packed));
12582 -
12583 - struct pnp_header {
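Review bot: rom_data[8048] is a magic number inside a packed header struct. Derive it from the intended total size (for example a named ROM-size constant minus the offset of the field) so the layout stays correct if an earlier member changes and the resulting sizeof(struct vrom_header) is obvious to the reader.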
12584 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi_time.h linux-2.6.32.46/arch/x86/include/asm/vmi_time.h
12585 ---- linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-03-27 14:31:47.000000000 -0400
12586 -+++ linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-08-05 20:33:55.000000000 -0400
12587 -@@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
12588 - int (*wallclock_updated)(void);
12589 - void (*set_alarm)(u32 flags, u64 expiry, u64 period);
12590 - void (*cancel_alarm)(u32 flags);
12591 --} vmi_timer_ops;
12592 -+} __no_const vmi_timer_ops;
12593 -
12594 - /* Prototypes */
12595 - extern void __init vmi_time_init(void);
12596 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/vsyscall.h linux-2.6.32.46/arch/x86/include/asm/vsyscall.h
12597 ---- linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-03-27 14:31:47.000000000 -0400
12598 -+++ linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-04-17 15:56:46.000000000 -0400
12599 -@@ -15,9 +15,10 @@ enum vsyscall_num {
12600 -
12601 - #ifdef __KERNEL__
12602 - #include <linux/seqlock.h>
12603 -+#include <linux/getcpu.h>
12604 -+#include <linux/time.h>
12605 -
12606 - #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12607 --#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12608 -
12609 - /* Definitions for CONFIG_GENERIC_TIME definitions */
12610 - #define __section_vsyscall_gtod_data __attribute__ \
12611 -@@ -31,7 +32,6 @@ enum vsyscall_num {
12612 - #define VGETCPU_LSL 2
12613 -
12614 - extern int __vgetcpu_mode;
12615 --extern volatile unsigned long __jiffies;
12616 -
12617 - /* kernel space (writeable) */
12618 - extern int vgetcpu_mode;
12619 -@@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12620 -
12621 - extern void map_vsyscall(void);
12622 -
12623 -+extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12624 -+extern time_t vtime(time_t *t);
12625 -+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12626 - #endif /* __KERNEL__ */
12627 -
12628 - #endif /* _ASM_X86_VSYSCALL_H */
12629 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/x86_init.h linux-2.6.32.46/arch/x86/include/asm/x86_init.h
12630 ---- linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-03-27 14:31:47.000000000 -0400
12631 -+++ linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-08-05 20:33:55.000000000 -0400
12632 -@@ -28,7 +28,7 @@ struct x86_init_mpparse {
12633 - void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
12634 - void (*find_smp_config)(unsigned int reserve);
12635 - void (*get_smp_config)(unsigned int early);
12636 --};
12637 -+} __no_const;
12638 -
12639 - /**
12640 - * struct x86_init_resources - platform specific resource related ops
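Review bot: __no_const is applied to struct x86_init_mpparse here, and to every other ops struct in this header in the hunks that follow, with no comment. Each annotation opts a table of function pointers out of constification, so the header should say which code assigns to these tables at run time, or the annotation should be limited to the structs that are actually written after initialization.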
12641 -@@ -42,7 +42,7 @@ struct x86_init_resources {
12642 - void (*probe_roms)(void);
12643 - void (*reserve_resources)(void);
12644 - char *(*memory_setup)(void);
12645 --};
12646 -+} __no_const;
12647 -
12648 - /**
12649 - * struct x86_init_irqs - platform specific interrupt setup
12650 -@@ -55,7 +55,7 @@ struct x86_init_irqs {
12651 - void (*pre_vector_init)(void);
12652 - void (*intr_init)(void);
12653 - void (*trap_init)(void);
12654 --};
12655 -+} __no_const;
12656 -
12657 - /**
12658 - * struct x86_init_oem - oem platform specific customizing functions
12659 -@@ -65,7 +65,7 @@ struct x86_init_irqs {
12660 - struct x86_init_oem {
12661 - void (*arch_setup)(void);
12662 - void (*banner)(void);
12663 --};
12664 -+} __no_const;
12665 -
12666 - /**
12667 - * struct x86_init_paging - platform specific paging functions
12668 -@@ -75,7 +75,7 @@ struct x86_init_oem {
12669 - struct x86_init_paging {
12670 - void (*pagetable_setup_start)(pgd_t *base);
12671 - void (*pagetable_setup_done)(pgd_t *base);
12672 --};
12673 -+} __no_const;
12674 -
12675 - /**
12676 - * struct x86_init_timers - platform specific timer setup
12677 -@@ -88,7 +88,7 @@ struct x86_init_timers {
12678 - void (*setup_percpu_clockev)(void);
12679 - void (*tsc_pre_init)(void);
12680 - void (*timer_init)(void);
12681 --};
12682 -+} __no_const;
12683 -
12684 - /**
12685 - * struct x86_init_ops - functions for platform specific setup
12686 -@@ -101,7 +101,7 @@ struct x86_init_ops {
12687 - struct x86_init_oem oem;
12688 - struct x86_init_paging paging;
12689 - struct x86_init_timers timers;
12690 --};
12691 -+} __no_const;
12692 -
12693 - /**
12694 - * struct x86_cpuinit_ops - platform specific cpu hotplug setups
12695 -@@ -109,7 +109,7 @@ struct x86_init_ops {
12696 - */
12697 - struct x86_cpuinit_ops {
12698 - void (*setup_percpu_clockev)(void);
12699 --};
12700 -+} __no_const;
12701 -
12702 - /**
12703 - * struct x86_platform_ops - platform specific runtime functions
12704 -@@ -121,7 +121,7 @@ struct x86_platform_ops {
12705 - unsigned long (*calibrate_tsc)(void);
12706 - unsigned long (*get_wallclock)(void);
12707 - int (*set_wallclock)(unsigned long nowtime);
12708 --};
12709 -+} __no_const;
12710 -
12711 - extern struct x86_init_ops x86_init;
12712 - extern struct x86_cpuinit_ops x86_cpuinit;
12713 -diff -urNp linux-2.6.32.46/arch/x86/include/asm/xsave.h linux-2.6.32.46/arch/x86/include/asm/xsave.h
12714 ---- linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
12715 -+++ linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-10-06 09:37:08.000000000 -0400
12716 -@@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
12717 - static inline int xsave_user(struct xsave_struct __user *buf)
12718 - {
12719 - int err;
12720 -+
12721 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12722 -+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12723 -+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12724 -+#endif
12725 -+
12726 - __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
12727 - "2:\n"
12728 - ".section .fixup,\"ax\"\n"
12729 -@@ -78,10 +84,15 @@ static inline int xsave_user(struct xsav
12730 - static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
12731 - {
12732 - int err;
12733 -- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
12734 -+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
12735 - u32 lmask = mask;
12736 - u32 hmask = mask >> 32;
12737 -
12738 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12739 -+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12740 -+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12741 -+#endif
12742 -+
12743 - __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12744 - "2:\n"
12745 - ".section .fixup,\"ax\"\n"
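Review bot: in xrestore_user() the rebasing is done on xstate, after buf has already been cast with __force_kernel, so the __user annotation is gone by the time PAX_USER_SHADOW_BASE is added; xsave_user() in the previous hunk rebases buf itself and keeps the annotation. Rebase buf first and derive xstate from it afterwards, so both functions follow the same pattern and sparse still sees a user pointer at the point of adjustment.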
12746 -diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile
12747 ---- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-03-27 14:31:47.000000000 -0400
12748 -+++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-08-07 14:38:58.000000000 -0400
12749 -@@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
12750 - $(call cc-option, -fno-stack-protector) \
12751 - $(call cc-option, -mpreferred-stack-boundary=2)
12752 - KBUILD_CFLAGS += $(call cc-option, -m32)
12753 -+ifdef CONSTIFY_PLUGIN
12754 -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
12755 -+endif
12756 - KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12757 - GCOV_PROFILE := n
12758 -
12759 -diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S
12760 ---- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-03-27 14:31:47.000000000 -0400
12761 -+++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-01 18:53:40.000000000 -0400
12762 -@@ -91,6 +91,9 @@ _start:
12763 - /* Do any other stuff... */
12764 -
12765 - #ifndef CONFIG_64BIT
12766 -+ /* Recheck NX bit overrides (64bit path does this in trampoline) */
12767 -+ call verify_cpu
12768 -+
12769 - /* This could also be done in C code... */
12770 - movl pmode_cr3, %eax
12771 - movl %eax, %cr3
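Review bot: nothing tests a result after "call verify_cpu"; the next instruction reloads %eax from pmode_cr3. If the call is wanted only for its side effect on the NX override, the comment should say that and name the registers the routine clobbers, so a later reader does not assume a status check was forgotten.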
12772 -@@ -104,7 +107,7 @@ _start:
12773 - movl %eax, %ecx
12774 - orl %edx, %ecx
12775 - jz 1f
12776 -- movl $0xc0000080, %ecx
12777 -+ mov $MSR_EFER, %ecx
12778 - wrmsr
12779 - 1:
12780 -
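Review bot: the replacement line uses mov where the removed line and the neighbouring instructions use movl; keep the explicit suffix for consistency (movl $MSR_EFER, %ecx). The only include this patch adds to the file is ../../verify_cpu.S, and it comes after this line, so confirm that MSR_EFER is already defined at this point when the file is preprocessed.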
12781 -@@ -114,6 +117,7 @@ _start:
12782 - movl pmode_cr0, %eax
12783 - movl %eax, %cr0
12784 - jmp pmode_return
12785 -+# include "../../verify_cpu.S"
12786 - #else
12787 - pushw $0
12788 - pushw trampoline_segment
12789 -diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c
12790 ---- linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
12791 -+++ linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-07-01 19:01:34.000000000 -0400
12792 -@@ -11,11 +11,12 @@
12793 - #include <linux/cpumask.h>
12794 - #include <asm/segment.h>
12795 - #include <asm/desc.h>
12796 -+#include <asm/e820.h>
12797 -
12798 - #include "realmode/wakeup.h"
12799 - #include "sleep.h"
12800 -
12801 --unsigned long acpi_wakeup_address;
12802 -+unsigned long acpi_wakeup_address = 0x2000;
12803 - unsigned long acpi_realmode_flags;
12804 -
12805 - /* address in low memory of the wakeup routine. */
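Review bot: acpi_wakeup_address is now initialized to the literal 0x2000 with no comment. Give the address a named constant and say why this physical address is safe to claim for the wakeup code, since acpi_reserve_bootmem() further down reserves WAKEUP_SIZE bytes starting there instead of asking the allocator.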
12806 -@@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
12807 - #else /* CONFIG_64BIT */
12808 - header->trampoline_segment = setup_trampoline() >> 4;
12809 - #ifdef CONFIG_SMP
12810 -- stack_start.sp = temp_stack + sizeof(temp_stack);
12811 -+ stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12812 -+
12813 -+ pax_open_kernel();
12814 - early_gdt_descr.address =
12815 - (unsigned long)get_cpu_gdt_table(smp_processor_id());
12816 -+ pax_close_kernel();
12817 -+
12818 - initial_gs = per_cpu_offset(smp_processor_id());
12819 - #endif
12820 - initial_code = (unsigned long)wakeup_long64;
12821 -@@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
12822 - return;
12823 - }
12824 -
12825 -- acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
12826 --
12827 -- if (!acpi_realmode) {
12828 -- printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
12829 -- return;
12830 -- }
12831 --
12832 -- acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
12833 -+ reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
12834 -+ acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
12835 - }
12836 -
12837 -
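Review bot: the removed code printed "ACPI: Cannot allocate lowmem, S3 disabled." and returned when the allocation failed; the replacement calls reserve_early() on a fixed range and carries on, with no visible handling for the case where that range is already in use. State in a comment what happens then. The last added line also ends in a doubled semicolon (";;").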
12838 -diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S
12839 ---- linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-03-27 14:31:47.000000000 -0400
12840 -+++ linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:56:46.000000000 -0400
12841 -@@ -30,13 +30,11 @@ wakeup_pmode_return:
12842 - # and restore the stack ... but you need gdt for this to work
12843 - movl saved_context_esp, %esp
12844 -
12845 -- movl %cs:saved_magic, %eax
12846 -- cmpl $0x12345678, %eax
12847 -+ cmpl $0x12345678, saved_magic
12848 - jne bogus_magic
12849 -
12850 - # jump to place where we left off
12851 -- movl saved_eip, %eax
12852 -- jmp *%eax
12853 -+ jmp *(saved_eip)
12854 -
12855 - bogus_magic:
12856 - jmp bogus_magic
12857 -diff -urNp linux-2.6.32.46/arch/x86/kernel/alternative.c linux-2.6.32.46/arch/x86/kernel/alternative.c
12858 ---- linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-03-27 14:31:47.000000000 -0400
12859 -+++ linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-04-17 15:56:46.000000000 -0400
12860 -@@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
12861 -
12862 - BUG_ON(p->len > MAX_PATCH_LEN);
12863 - /* prep the buffer with the original instructions */
12864 -- memcpy(insnbuf, p->instr, p->len);
12865 -+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12866 - used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12867 - (unsigned long)p->instr, p->len);
12868 -
12869 -@@ -475,7 +475,7 @@ void __init alternative_instructions(voi
12870 - if (smp_alt_once)
12871 - free_init_pages("SMP alternatives",
12872 - (unsigned long)__smp_locks,
12873 -- (unsigned long)__smp_locks_end);
12874 -+ PAGE_ALIGN((unsigned long)__smp_locks_end));
12875 -
12876 - restart_nmi();
12877 - }
12878 -@@ -492,13 +492,17 @@ void __init alternative_instructions(voi
12879 - * instructions. And on the local CPU you need to be protected again NMI or MCE
12880 - * handlers seeing an inconsistent instruction while you patch.
12881 - */
12882 --static void *__init_or_module text_poke_early(void *addr, const void *opcode,
12883 -+static void *__kprobes text_poke_early(void *addr, const void *opcode,
12884 - size_t len)
12885 - {
12886 - unsigned long flags;
12887 - local_irq_save(flags);
12888 -- memcpy(addr, opcode, len);
12889 -+
12890 -+ pax_open_kernel();
12891 -+ memcpy(ktla_ktva(addr), opcode, len);
12892 - sync_core();
12893 -+ pax_close_kernel();
12894 -+
12895 - local_irq_restore(flags);
12896 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12897 - that causes hangs on some VIA CPUs. */
12898 -@@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
12899 - */
12900 - void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12901 - {
12902 -- unsigned long flags;
12903 -- char *vaddr;
12904 -+ unsigned char *vaddr = ktla_ktva(addr);
12905 - struct page *pages[2];
12906 -- int i;
12907 -+ size_t i;
12908 -
12909 - if (!core_kernel_text((unsigned long)addr)) {
12910 -- pages[0] = vmalloc_to_page(addr);
12911 -- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12912 -+ pages[0] = vmalloc_to_page(vaddr);
12913 -+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12914 - } else {
12915 -- pages[0] = virt_to_page(addr);
12916 -+ pages[0] = virt_to_page(vaddr);
12917 - WARN_ON(!PageReserved(pages[0]));
12918 -- pages[1] = virt_to_page(addr + PAGE_SIZE);
12919 -+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12920 - }
12921 - BUG_ON(!pages[0]);
12922 -- local_irq_save(flags);
12923 -- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12924 -- if (pages[1])
12925 -- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12926 -- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12927 -- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12928 -- clear_fixmap(FIX_TEXT_POKE0);
12929 -- if (pages[1])
12930 -- clear_fixmap(FIX_TEXT_POKE1);
12931 -- local_flush_tlb();
12932 -- sync_core();
12933 -- /* Could also do a CLFLUSH here to speed up CPU recovery; but
12934 -- that causes hangs on some VIA CPUs. */
12935 -+ text_poke_early(addr, opcode, len);
12936 - for (i = 0; i < len; i++)
12937 -- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12938 -- local_irq_restore(flags);
12939 -+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12940 - return addr;
12941 - }
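Review bot: after this rewrite pages[1] is still looked up in both branches but never read, and pages[0] is used only by WARN_ON() and BUG_ON(); the fixmap code that consumed them is gone. Drop pages[1], and either reduce the page lookup to the sanity check it now is or remove it. The verification loop also used to run before local_irq_restore() and now runs after text_poke_early() has restored the interrupt state; if that is intended, say so in the function comment.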
12942 -diff -urNp linux-2.6.32.46/arch/x86/kernel/amd_iommu.c linux-2.6.32.46/arch/x86/kernel/amd_iommu.c
12943 ---- linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-03-27 14:31:47.000000000 -0400
12944 -+++ linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-04-17 15:56:46.000000000 -0400
12945 -@@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
12946 - }
12947 - }
12948 -
12949 --static struct dma_map_ops amd_iommu_dma_ops = {
12950 -+static const struct dma_map_ops amd_iommu_dma_ops = {
12951 - .alloc_coherent = alloc_coherent,
12952 - .free_coherent = free_coherent,
12953 - .map_page = map_page,
12954 -diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/apic.c linux-2.6.32.46/arch/x86/kernel/apic/apic.c
12955 ---- linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-03-27 14:31:47.000000000 -0400
12956 -+++ linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-08-17 20:00:16.000000000 -0400
12957 -@@ -170,7 +170,7 @@ int first_system_vector = 0xfe;
12958 - /*
12959 - * Debug level, exported for io_apic.c
12960 - */
12961 --unsigned int apic_verbosity;
12962 -+int apic_verbosity;
12963 -
12964 - int pic_mode;
12965 -
12966 -@@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
12967 - apic_write(APIC_ESR, 0);
12968 - v1 = apic_read(APIC_ESR);
12969 - ack_APIC_irq();
12970 -- atomic_inc(&irq_err_count);
12971 -+ atomic_inc_unchecked(&irq_err_count);
12972 -
12973 - /*
12974 - * Here is what the APIC error bits mean:
12975 -@@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
12976 - u16 *bios_cpu_apicid;
12977 - DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12978 -
12979 -+ pax_track_stack();
12980 -+
12981 - bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12982 - bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12983 -
12984 -diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c
12985 ---- linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-03-27 14:31:47.000000000 -0400
12986 -+++ linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-05-04 17:56:20.000000000 -0400
12987 -@@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12988 - ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12989 - GFP_ATOMIC);
12990 - if (!ioapic_entries)
12991 -- return 0;
12992 -+ return NULL;
12993 -
12994 - for (apic = 0; apic < nr_ioapics; apic++) {
12995 - ioapic_entries[apic] =
12996 -@@ -733,7 +733,7 @@ nomem:
12997 - kfree(ioapic_entries[apic]);
12998 - kfree(ioapic_entries);
12999 -
13000 -- return 0;
13001 -+ return NULL;
13002 - }
13003 -
13004 - /*
13005 -@@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
13006 - }
13007 - EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
13008 -
13009 --void lock_vector_lock(void)
13010 -+void lock_vector_lock(void) __acquires(vector_lock)
13011 - {
13012 - /* Used to the online set of cpus does not change
13013 - * during assign_irq_vector.
13014 -@@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
13015 - spin_lock(&vector_lock);
13016 - }
13017 -
13018 --void unlock_vector_lock(void)
13019 -+void unlock_vector_lock(void) __releases(vector_lock)
13020 - {
13021 - spin_unlock(&vector_lock);
13022 - }
13023 -@@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
13024 - ack_APIC_irq();
13025 - }
13026 -
13027 --atomic_t irq_mis_count;
13028 -+atomic_unchecked_t irq_mis_count;
13029 -
13030 - static void ack_apic_level(unsigned int irq)
13031 - {
13032 -@@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
13033 -
13034 - /* Tail end of version 0x11 I/O APIC bug workaround */
13035 - if (!(v & (1 << (i & 0x1f)))) {
13036 -- atomic_inc(&irq_mis_count);
13037 -+ atomic_inc_unchecked(&irq_mis_count);
13038 - spin_lock(&ioapic_lock);
13039 - __mask_and_edge_IO_APIC_irq(cfg);
13040 - __unmask_and_level_IO_APIC_irq(cfg);
13041 -diff -urNp linux-2.6.32.46/arch/x86/kernel/apm_32.c linux-2.6.32.46/arch/x86/kernel/apm_32.c
13042 ---- linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-03-27 14:31:47.000000000 -0400
13043 -+++ linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-04-23 12:56:10.000000000 -0400
13044 -@@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
13045 - * This is for buggy BIOS's that refer to (real mode) segment 0x40
13046 - * even though they are called in protected mode.
13047 - */
13048 --static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
13049 -+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
13050 - (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
13051 -
13052 - static const char driver_version[] = "1.16ac"; /* no spaces */
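Review bot: besides adding const, this line changes the descriptor flags from 0x4092 to 0x4093, and nothing explains the second change. The only difference is bit 0 of the access byte (the accessed bit); if it is pre-set so the CPU never has to write to the descriptor once it is copied into the GDT, put that in a comment, because it reads like a typo otherwise.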
13053 -@@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
13054 - BUG_ON(cpu != 0);
13055 - gdt = get_cpu_gdt_table(cpu);
13056 - save_desc_40 = gdt[0x40 / 8];
13057 -+
13058 -+ pax_open_kernel();
13059 - gdt[0x40 / 8] = bad_bios_desc;
13060 -+ pax_close_kernel();
13061 -
13062 - apm_irq_save(flags);
13063 - APM_DO_SAVE_SEGS;
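Review bot: the pax_open_kernel() / gdt[0x40 / 8] = ... / pax_close_kernel() sequence added here is repeated four times across __apm_bios_call() and __apm_bios_call_simple(). A small static helper that takes the gdt pointer and the descriptor to install would keep the open and close calls paired in one place.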
13064 -@@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
13065 - &call->esi);
13066 - APM_DO_RESTORE_SEGS;
13067 - apm_irq_restore(flags);
13068 -+
13069 -+ pax_open_kernel();
13070 - gdt[0x40 / 8] = save_desc_40;
13071 -+ pax_close_kernel();
13072 -+
13073 - put_cpu();
13074 -
13075 - return call->eax & 0xff;
13076 -@@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
13077 - BUG_ON(cpu != 0);
13078 - gdt = get_cpu_gdt_table(cpu);
13079 - save_desc_40 = gdt[0x40 / 8];
13080 -+
13081 -+ pax_open_kernel();
13082 - gdt[0x40 / 8] = bad_bios_desc;
13083 -+ pax_close_kernel();
13084 -
13085 - apm_irq_save(flags);
13086 - APM_DO_SAVE_SEGS;
13087 -@@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
13088 - &call->eax);
13089 - APM_DO_RESTORE_SEGS;
13090 - apm_irq_restore(flags);
13091 -+
13092 -+ pax_open_kernel();
13093 - gdt[0x40 / 8] = save_desc_40;
13094 -+ pax_close_kernel();
13095 -+
13096 - put_cpu();
13097 - return error;
13098 - }
13099 -@@ -975,7 +989,7 @@ recalc:
13100 -
13101 - static void apm_power_off(void)
13102 - {
13103 -- unsigned char po_bios_call[] = {
13104 -+ const unsigned char po_bios_call[] = {
13105 - 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
13106 - 0x8e, 0xd0, /* movw ax,ss */
13107 - 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
13108 -@@ -2357,12 +2371,15 @@ static int __init apm_init(void)
13109 - * code to that CPU.
13110 - */
13111 - gdt = get_cpu_gdt_table(0);
13112 -+
13113 -+ pax_open_kernel();
13114 - set_desc_base(&gdt[APM_CS >> 3],
13115 - (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
13116 - set_desc_base(&gdt[APM_CS_16 >> 3],
13117 - (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
13118 - set_desc_base(&gdt[APM_DS >> 3],
13119 - (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
13120 -+ pax_close_kernel();
13121 -
13122 - proc_create("apm", 0, NULL, &apm_file_ops);
13123 -
13124 -diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c
13125 ---- linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-03-27 14:31:47.000000000 -0400
13126 -+++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:46:57.000000000 -0400
13127 -@@ -51,7 +51,6 @@ void foo(void)
13128 - OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
13129 - BLANK();
13130 -
13131 -- OFFSET(TI_task, thread_info, task);
13132 - OFFSET(TI_exec_domain, thread_info, exec_domain);
13133 - OFFSET(TI_flags, thread_info, flags);
13134 - OFFSET(TI_status, thread_info, status);
13135 -@@ -60,6 +59,8 @@ void foo(void)
13136 - OFFSET(TI_restart_block, thread_info, restart_block);
13137 - OFFSET(TI_sysenter_return, thread_info, sysenter_return);
13138 - OFFSET(TI_cpu, thread_info, cpu);
13139 -+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
13140 -+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13141 - BLANK();
13142 -
13143 - OFFSET(GDS_size, desc_ptr, size);
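Review bot: TI_task_thread_sp0 is computed as a difference of two offsets inside struct task_struct, which only makes sense if thread_info is embedded in task_struct as the tinfo member, and the same expression is repeated in asm-offsets_64.c. Add a comment stating that assumption and what the assembly uses the constant for; the line is also well over 80 columns.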
13144 -@@ -99,6 +100,7 @@ void foo(void)
13145 -
13146 - DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13147 - DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
13148 -+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13149 - DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
13150 - DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
13151 - DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
13152 -@@ -115,6 +117,11 @@ void foo(void)
13153 - OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
13154 - OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13155 - OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13156 -+
13157 -+#ifdef CONFIG_PAX_KERNEXEC
13158 -+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13159 -+#endif
13160 -+
13161 - #endif
13162 -
13163 - #ifdef CONFIG_XEN
13164 -diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c
13165 ---- linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-03-27 14:31:47.000000000 -0400
13166 -+++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-08-23 20:24:19.000000000 -0400
13167 -@@ -44,6 +44,8 @@ int main(void)
13168 - ENTRY(addr_limit);
13169 - ENTRY(preempt_count);
13170 - ENTRY(status);
13171 -+ ENTRY(lowest_stack);
13172 -+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13173 - #ifdef CONFIG_IA32_EMULATION
13174 - ENTRY(sysenter_return);
13175 - #endif
13176 -@@ -63,6 +65,18 @@ int main(void)
13177 - OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13178 - OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
13179 - OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
13180 -+
13181 -+#ifdef CONFIG_PAX_KERNEXEC
13182 -+ OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13183 -+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13184 -+#endif
13185 -+
13186 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
13187 -+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
13188 -+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
13189 -+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
13190 -+#endif
13191 -+
13192 - #endif
13193 -
13194 -
13195 -@@ -115,6 +129,7 @@ int main(void)
13196 - ENTRY(cr8);
13197 - BLANK();
13198 - #undef ENTRY
13199 -+ DEFINE(TSS_size, sizeof(struct tss_struct));
13200 - DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
13201 - BLANK();
13202 - DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
13203 -@@ -130,6 +145,7 @@ int main(void)
13204 -
13205 - BLANK();
13206 - DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13207 -+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13208 - #ifdef CONFIG_XEN
13209 - BLANK();
13210 - OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
13211 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/Makefile linux-2.6.32.46/arch/x86/kernel/cpu/Makefile
13212 ---- linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-03-27 14:31:47.000000000 -0400
13213 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-04-17 15:56:46.000000000 -0400
13214 -@@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
13215 - CFLAGS_REMOVE_common.o = -pg
13216 - endif
13217 -
13218 --# Make sure load_percpu_segment has no stackprotector
13219 --nostackp := $(call cc-option, -fno-stack-protector)
13220 --CFLAGS_common.o := $(nostackp)
13221 --
13222 - obj-y := intel_cacheinfo.o addon_cpuid_features.o
13223 - obj-y += proc.o capflags.o powerflags.o common.o
13224 - obj-y += vmware.o hypervisor.o sched.o
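Review bot: this removes the -fno-stack-protector override for common.o together with the comment that justified it ("Make sure load_percpu_segment has no stackprotector"), and nothing in the hunk says why the constraint no longer applies. Either keep the flag or explain in the changelog what now guarantees that load_percpu_segment() runs without a stack-protector prologue.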
13225 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/amd.c
13226 ---- linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:55:34.000000000 -0400
13227 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:56:37.000000000 -0400
13228 -@@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
13229 - unsigned int size)
13230 - {
13231 - /* AMD errata T13 (order #21922) */
13232 -- if ((c->x86 == 6)) {
13233 -+ if (c->x86 == 6) {
13234 - /* Duron Rev A0 */
13235 - if (c->x86_model == 3 && c->x86_mask == 0)
13236 - size = 64;
13237 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/common.c linux-2.6.32.46/arch/x86/kernel/cpu/common.c
13238 ---- linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-03-27 14:31:47.000000000 -0400
13239 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-05-11 18:25:15.000000000 -0400
13240 -@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
13241 -
13242 - static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
13243 -
13244 --DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
13245 --#ifdef CONFIG_X86_64
13246 -- /*
13247 -- * We need valid kernel segments for data and code in long mode too
13248 -- * IRET will check the segment types kkeil 2000/10/28
13249 -- * Also sysret mandates a special GDT layout
13250 -- *
13251 -- * TLS descriptors are currently at a different place compared to i386.
13252 -- * Hopefully nobody expects them at a fixed place (Wine?)
13253 -- */
13254 -- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
13255 -- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
13256 -- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
13257 -- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
13258 -- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
13259 -- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
13260 --#else
13261 -- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
13262 -- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13263 -- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
13264 -- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
13265 -- /*
13266 -- * Segments used for calling PnP BIOS have byte granularity.
13267 -- * They code segments and data segments have fixed 64k limits,
13268 -- * the transfer segment sizes are set at run time.
13269 -- */
13270 -- /* 32-bit code */
13271 -- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13272 -- /* 16-bit code */
13273 -- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13274 -- /* 16-bit data */
13275 -- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
13276 -- /* 16-bit data */
13277 -- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
13278 -- /* 16-bit data */
13279 -- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
13280 -- /*
13281 -- * The APM segments have byte granularity and their bases
13282 -- * are set at run time. All have 64k limits.
13283 -- */
13284 -- /* 32-bit code */
13285 -- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13286 -- /* 16-bit code */
13287 -- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13288 -- /* data */
13289 -- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13290 --
13291 -- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13292 -- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13293 -- GDT_STACK_CANARY_INIT
13294 --#endif
13295 --} };
13296 --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13297 --
13298 - static int __init x86_xsave_setup(char *s)
13299 - {
13300 - setup_clear_cpu_cap(X86_FEATURE_XSAVE);
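Review bot: the gdt_page definition is removed together with EXPORT_PER_CPU_SYMBOL_GPL(gdt_page), and nothing in this file's hunks shows where the table or its export now lives, although switch_to_new_gdt() below still calls get_cpu_gdt_table(cpu). Say in the changelog or in a comment at this spot where the GDT is defined after the patch and whether the GPL export is kept, so module users of gdt_page can be checked.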
13301 -@@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
13302 - {
13303 - struct desc_ptr gdt_descr;
13304 -
13305 -- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13306 -+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13307 - gdt_descr.size = GDT_SIZE - 1;
13308 - load_gdt(&gdt_descr);
13309 - /* Reload the per-cpu base */
13310 -@@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
13311 - /* Filter out anything that depends on CPUID levels we don't have */
13312 - filter_cpuid_features(c, true);
13313 -
13314 -+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13315 -+ setup_clear_cpu_cap(X86_FEATURE_SEP);
13316 -+#endif
13317 -+
13318 - /* If the model name is still unset, do table lookup. */
13319 - if (!c->x86_model_id[0]) {
13320 - const char *p;
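Review bot: missing rationale for the new setup_clear_cpu_cap(X86_FEATURE_SEP) in identify_cpu(). The guard combines three PaX options with an extra CONFIG_X86_32 condition for UDEREF only, and the hunk gives no reason for any of them. Clearing the capability is visible to the rest of the kernel, so add a comment naming the conflict that makes SEP unusable under each option.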
13321 -@@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
13322 - }
13323 - __setup("clearcpuid=", setup_disablecpuid);
13324 -
13325 -+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13326 -+EXPORT_PER_CPU_SYMBOL(current_tinfo);
13327 -+
13328 - #ifdef CONFIG_X86_64
13329 - struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13330 -
13331 -@@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13332 - EXPORT_PER_CPU_SYMBOL(current_task);
13333 -
13334 - DEFINE_PER_CPU(unsigned long, kernel_stack) =
13335 -- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13336 -+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13337 - EXPORT_PER_CPU_SYMBOL(kernel_stack);
13338 -
13339 - DEFINE_PER_CPU(char *, irq_stack_ptr) =
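Review bot: the kernel_stack initializer replaces the named constant KERNEL_STACK_OFFSET with a bare 16. If the value must differ from the macro, define a new named constant or add a comment on what the 16 bytes are reserved for; if it is the same value, keep the macro so that this site follows later changes to it.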
13340 -@@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
13341 - {
13342 - memset(regs, 0, sizeof(struct pt_regs));
13343 - regs->fs = __KERNEL_PERCPU;
13344 -- regs->gs = __KERNEL_STACK_CANARY;
13345 -+ savesegment(gs, regs->gs);
13346 -
13347 - return regs;
13348 - }
13349 -@@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
13350 - int i;
13351 -
13352 - cpu = stack_smp_processor_id();
13353 -- t = &per_cpu(init_tss, cpu);
13354 -+ t = init_tss + cpu;
13355 - orig_ist = &per_cpu(orig_ist, cpu);
13356 -
13357 - #ifdef CONFIG_NUMA
13358 -@@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
13359 - switch_to_new_gdt(cpu);
13360 - loadsegment(fs, 0);
13361 -
13362 -- load_idt((const struct desc_ptr *)&idt_descr);
13363 -+ load_idt(&idt_descr);
13364 -
13365 - memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13366 - syscall_init();
13367 -@@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
13368 - wrmsrl(MSR_KERNEL_GS_BASE, 0);
13369 - barrier();
13370 -
13371 -- check_efer();
13372 - if (cpu != 0)
13373 - enable_x2apic();
13374 -
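Review bot: the check_efer() call is dropped from cpu_init() with no replacement in the visible lines and no explanation. State whether the check has moved earlier in boot or is no longer needed, since removing it silently changes what cpu_init() guarantees on every CPU that comes up.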
13375 -@@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
13376 - {
13377 - int cpu = smp_processor_id();
13378 - struct task_struct *curr = current;
13379 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
13380 -+ struct tss_struct *t = init_tss + cpu;
13381 - struct thread_struct *thread = &curr->thread;
13382 -
13383 - if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13384 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel.c linux-2.6.32.46/arch/x86/kernel/cpu/intel.c
13385 ---- linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-03-27 14:31:47.000000000 -0400
13386 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-04-17 15:56:46.000000000 -0400
13387 -@@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
13388 - * Update the IDT descriptor and reload the IDT so that
13389 - * it uses the read-only mapped virtual address.
13390 - */
13391 -- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13392 -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13393 - load_idt(&idt_descr);
13394 - }
13395 - #endif
13396 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c
13397 ---- linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
13398 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-04-17 15:56:46.000000000 -0400
13399 -@@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
13400 - return ret;
13401 - }
13402 -
13403 --static struct sysfs_ops sysfs_ops = {
13404 -+static const struct sysfs_ops sysfs_ops = {
13405 - .show = show,
13406 - .store = store,
13407 - };
13408 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c
13409 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-03-27 14:31:47.000000000 -0400
13410 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-08-05 20:33:55.000000000 -0400
13411 -@@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
13412 - static int inject_init(void)
13413 - {
13414 - printk(KERN_INFO "Machine check injector initialized\n");
13415 -- mce_chrdev_ops.write = mce_write;
13416 -+ pax_open_kernel();
13417 -+ *(void **)&mce_chrdev_ops.write = mce_write;
13418 -+ pax_close_kernel();
13419 - register_die_notifier(&mce_raise_nb);
13420 - return 0;
13421 - }
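Review bot: in inject_init() the store is written as *(void **)&mce_chrdev_ops.write = mce_write, which discards the function pointer type, so a signature mismatch between mce_write and the .write member would no longer be diagnosed by the compiler. Cast through the member's own function pointer type instead of void **, and add a one-line comment that mce_chrdev_ops is read-only here, which is why the pax_open_kernel()/pax_close_kernel() pair is needed.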
13422 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c
13423 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-27 14:31:47.000000000 -0400
13424 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-04 17:56:20.000000000 -0400
13425 -@@ -43,6 +43,7 @@
13426 - #include <asm/ipi.h>
13427 - #include <asm/mce.h>
13428 - #include <asm/msr.h>
13429 -+#include <asm/local.h>
13430 -
13431 - #include "mce-internal.h"
13432 -
13433 -@@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
13434 - !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13435 - m->cs, m->ip);
13436 -
13437 -- if (m->cs == __KERNEL_CS)
13438 -+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13439 - print_symbol("{%s}", m->ip);
13440 - pr_cont("\n");
13441 - }
13442 -@@ -221,10 +222,10 @@ static void print_mce_tail(void)
13443 -
13444 - #define PANIC_TIMEOUT 5 /* 5 seconds */
13445 -
13446 --static atomic_t mce_paniced;
13447 -+static atomic_unchecked_t mce_paniced;
13448 -
13449 - static int fake_panic;
13450 --static atomic_t mce_fake_paniced;
13451 -+static atomic_unchecked_t mce_fake_paniced;
13452 -
13453 - /* Panic in progress. Enable interrupts and wait for final IPI */
13454 - static void wait_for_panic(void)
13455 -@@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
13456 - /*
13457 - * Make sure only one CPU runs in machine check panic
13458 - */
13459 -- if (atomic_inc_return(&mce_paniced) > 1)
13460 -+ if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13461 - wait_for_panic();
13462 - barrier();
13463 -
13464 -@@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
13465 - console_verbose();
13466 - } else {
13467 - /* Don't log too much for fake panic */
13468 -- if (atomic_inc_return(&mce_fake_paniced) > 1)
13469 -+ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13470 - return;
13471 - }
13472 - print_mce_head();
13473 -@@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
13474 - * might have been modified by someone else.
13475 - */
13476 - rmb();
13477 -- if (atomic_read(&mce_paniced))
13478 -+ if (atomic_read_unchecked(&mce_paniced))
13479 - wait_for_panic();
13480 - if (!monarch_timeout)
13481 - goto out;
13482 -@@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
13483 - */
13484 -
13485 - static DEFINE_SPINLOCK(mce_state_lock);
13486 --static int open_count; /* #times opened */
13487 -+static local_t open_count; /* #times opened */
13488 - static int open_exclu; /* already open exclusive? */
13489 -
13490 - static int mce_open(struct inode *inode, struct file *file)
13491 - {
13492 - spin_lock(&mce_state_lock);
13493 -
13494 -- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13495 -+ if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13496 - spin_unlock(&mce_state_lock);
13497 -
13498 - return -EBUSY;
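Review bot: open_count changes from int to local_t, but every access shown (local_read() here, local_inc() and local_dec() in the next two hunks) still runs under mce_state_lock, so the reason for the type change is not evident from the code. Add a comment on the declaration saying what the local_t type buys over a plain int under the lock.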
13499 -@@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
13500 -
13501 - if (file->f_flags & O_EXCL)
13502 - open_exclu = 1;
13503 -- open_count++;
13504 -+ local_inc(&open_count);
13505 -
13506 - spin_unlock(&mce_state_lock);
13507 -
13508 -@@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
13509 - {
13510 - spin_lock(&mce_state_lock);
13511 -
13512 -- open_count--;
13513 -+ local_dec(&open_count);
13514 - open_exclu = 0;
13515 -
13516 - spin_unlock(&mce_state_lock);
13517 -@@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
13518 - static void mce_reset(void)
13519 - {
13520 - cpu_missing = 0;
13521 -- atomic_set(&mce_fake_paniced, 0);
13522 -+ atomic_set_unchecked(&mce_fake_paniced, 0);
13523 - atomic_set(&mce_executing, 0);
13524 - atomic_set(&mce_callin, 0);
13525 - atomic_set(&global_nwo, 0);
13526 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c
13527 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:56:59.000000000 -0400
13528 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:57:13.000000000 -0400
13529 -@@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
13530 - return ret;
13531 - }
13532 -
13533 --static struct sysfs_ops threshold_ops = {
13534 -+static const struct sysfs_ops threshold_ops = {
13535 - .show = show,
13536 - .store = store,
13537 - };
13538 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c
13539 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-03-27 14:31:47.000000000 -0400
13540 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-04-17 15:56:46.000000000 -0400
13541 -@@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
13542 - return 0;
13543 - }
13544 -
13545 --static struct mtrr_ops amd_mtrr_ops = {
13546 -+static const struct mtrr_ops amd_mtrr_ops = {
13547 - .vendor = X86_VENDOR_AMD,
13548 - .set = amd_set_mtrr,
13549 - .get = amd_get_mtrr,
13550 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c
13551 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-03-27 14:31:47.000000000 -0400
13552 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-04-17 15:56:46.000000000 -0400
13553 -@@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
13554 - return 0;
13555 - }
13556 -
13557 --static struct mtrr_ops centaur_mtrr_ops = {
13558 -+static const struct mtrr_ops centaur_mtrr_ops = {
13559 - .vendor = X86_VENDOR_CENTAUR,
13560 - .set = centaur_set_mcr,
13561 - .get = centaur_get_mcr,
13562 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c
13563 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-03-27 14:31:47.000000000 -0400
13564 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-04-17 15:56:46.000000000 -0400
13565 -@@ -265,7 +265,7 @@ static void cyrix_set_all(void)
13566 - post_set();
13567 - }
13568 -
13569 --static struct mtrr_ops cyrix_mtrr_ops = {
13570 -+static const struct mtrr_ops cyrix_mtrr_ops = {
13571 - .vendor = X86_VENDOR_CYRIX,
13572 - .set_all = cyrix_set_all,
13573 - .set = cyrix_set_arr,
13574 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c
13575 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-27 14:31:47.000000000 -0400
13576 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-23 12:56:10.000000000 -0400
13577 -@@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
13578 - /*
13579 - * Generic structure...
13580 - */
13581 --struct mtrr_ops generic_mtrr_ops = {
13582 -+const struct mtrr_ops generic_mtrr_ops = {
13583 - .use_intel_if = 1,
13584 - .set_all = generic_set_all,
13585 - .get = generic_get_mtrr,
13586 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c
13587 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:00:52.000000000 -0400
13588 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:03:05.000000000 -0400
13589 -@@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
13590 - u64 size_or_mask, size_and_mask;
13591 - static bool mtrr_aps_delayed_init;
13592 -
13593 --static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13594 -+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13595 -
13596 --struct mtrr_ops *mtrr_if;
13597 -+const struct mtrr_ops *mtrr_if;
13598 -
13599 - static void set_mtrr(unsigned int reg, unsigned long base,
13600 - unsigned long size, mtrr_type type);
13601 -
13602 --void set_mtrr_ops(struct mtrr_ops *ops)
13603 -+void set_mtrr_ops(const struct mtrr_ops *ops)
13604 - {
13605 - if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
13606 - mtrr_ops[ops->vendor] = ops;
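Review bot: the mtrr_ops[] array is now marked __read_only, yet set_mtrr_ops() in the same hunk still assigns mtrr_ops[ops->vendor] = ops with no visible bracketing. If these stores only happen before read-only protection is applied, annotate set_mtrr_ops() accordingly (for example as __init) or say so in a comment. The neighbouring mtrr_if pointer gets const on its target but no __read_only, which looks inconsistent and deserves a note as well.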
13607 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h
13608 ---- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-27 14:31:47.000000000 -0400
13609 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-08-26 20:23:57.000000000 -0400
13610 -@@ -25,14 +25,14 @@ struct mtrr_ops {
13611 - int (*validate_add_page)(unsigned long base, unsigned long size,
13612 - unsigned int type);
13613 - int (*have_wrcomb)(void);
13614 --};
13615 -+} __do_const;
13616 -
13617 - extern int generic_get_free_region(unsigned long base, unsigned long size,
13618 - int replace_reg);
13619 - extern int generic_validate_add_page(unsigned long base, unsigned long size,
13620 - unsigned int type);
13621 -
13622 --extern struct mtrr_ops generic_mtrr_ops;
13623 -+extern const struct mtrr_ops generic_mtrr_ops;
13624 -
13625 - extern int positive_have_wrcomb(void);
13626 -
13627 -@@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
13628 - u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
13629 - void get_mtrr_state(void);
13630 -
13631 --extern void set_mtrr_ops(struct mtrr_ops *ops);
13632 -+extern void set_mtrr_ops(const struct mtrr_ops *ops);
13633 -
13634 - extern u64 size_or_mask, size_and_mask;
13635 --extern struct mtrr_ops *mtrr_if;
13636 -+extern const struct mtrr_ops *mtrr_if;
13637 -
13638 - #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
13639 - #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
13640 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c
13641 ---- linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-03-27 14:31:47.000000000 -0400
13642 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-05-04 17:56:20.000000000 -0400
13643 -@@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
13644 - * count to the generic event atomically:
13645 - */
13646 - again:
13647 -- prev_raw_count = atomic64_read(&hwc->prev_count);
13648 -+ prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
13649 - rdmsrl(hwc->event_base + idx, new_raw_count);
13650 -
13651 -- if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
13652 -+ if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
13653 - new_raw_count) != prev_raw_count)
13654 - goto again;
13655 -
13656 -@@ -741,7 +741,7 @@ again:
13657 - delta = (new_raw_count << shift) - (prev_raw_count << shift);
13658 - delta >>= shift;
13659 -
13660 -- atomic64_add(delta, &event->count);
13661 -+ atomic64_add_unchecked(delta, &event->count);
13662 - atomic64_sub(delta, &hwc->period_left);
13663 -
13664 - return new_raw_count;
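Review bot: in x86_perf_event_update() the add to event->count becomes atomic64_add_unchecked(), while atomic64_sub(delta, &hwc->period_left) on the very next line keeps the checked variant. Both operate on the same delta, so a comment should state which of these counters is allowed to wrap and why period_left is treated differently.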
13665 -@@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
13666 - * The hw event starts counting from this event offset,
13667 - * mark it to be able to extra future deltas:
13668 - */
13669 -- atomic64_set(&hwc->prev_count, (u64)-left);
13670 -+ atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
13671 -
13672 - err = checking_wrmsrl(hwc->event_base + idx,
13673 - (u64)(-left) & x86_pmu.event_mask);
13674 -@@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
13675 - break;
13676 -
13677 - callchain_store(entry, frame.return_address);
13678 -- fp = frame.next_frame;
13679 -+ fp = (__force const void __user *)frame.next_frame;
13680 - }
13681 - }
13682 -
13683 -diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c
13684 ---- linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-03-27 14:31:47.000000000 -0400
13685 -+++ linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-04-17 15:56:46.000000000 -0400
13686 -@@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
13687 -
13688 - /* Interface defining a CPU specific perfctr watchdog */
13689 - struct wd_ops {
13690 -- int (*reserve)(void);
13691 -- void (*unreserve)(void);
13692 -- int (*setup)(unsigned nmi_hz);
13693 -- void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
13694 -- void (*stop)(void);
13695 -+ int (* const reserve)(void);
13696 -+ void (* const unreserve)(void);
13697 -+ int (* const setup)(unsigned nmi_hz);
13698 -+ void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
13699 -+ void (* const stop)(void);
13700 - unsigned perfctr;
13701 - unsigned evntsel;
13702 - u64 checkbit;
13703 -@@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
13704 - #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
13705 - #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
13706 -
13707 -+/* cannot be const */
13708 - static struct wd_ops intel_arch_wd_ops;
13709 -
13710 - static int setup_intel_arch_watchdog(unsigned nmi_hz)
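Review bot: the added comment /* cannot be const */ on intel_arch_wd_ops does not say why, and the same comment is repeated at the definition in the next hunk. With the function pointer members of struct wd_ops now declared const in the first hunk of this file, the reader needs to know which field of this instance is still written at run time. Name that field in the comment.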
13711 -@@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
13712 - return 1;
13713 - }
13714 -
13715 -+/* cannot be const */
13716 - static struct wd_ops intel_arch_wd_ops __read_mostly = {
13717 - .reserve = single_msr_reserve,
13718 - .unreserve = single_msr_unreserve,
13719 -diff -urNp linux-2.6.32.46/arch/x86/kernel/crash.c linux-2.6.32.46/arch/x86/kernel/crash.c
13720 ---- linux-2.6.32.46/arch/x86/kernel/crash.c 2011-03-27 14:31:47.000000000 -0400
13721 -+++ linux-2.6.32.46/arch/x86/kernel/crash.c 2011-04-17 15:56:46.000000000 -0400
13722 -@@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
13723 - regs = args->regs;
13724 -
13725 - #ifdef CONFIG_X86_32
13726 -- if (!user_mode_vm(regs)) {
13727 -+ if (!user_mode(regs)) {
13728 - crash_fixup_ss_esp(&fixed_regs, regs);
13729 - regs = &fixed_regs;
13730 - }
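Review bot: user_mode_vm(regs) is replaced by user_mode(regs) here, and the same substitution recurs in die() and show_registers() further down. In the unpatched tree the two helpers differ in how they treat vm86 mode, and the redefinition of user_mode() is not part of these hunks. Reference where user_mode() is changed, or add a comment, so the equivalence can be verified at each call site.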
13731 -diff -urNp linux-2.6.32.46/arch/x86/kernel/doublefault_32.c linux-2.6.32.46/arch/x86/kernel/doublefault_32.c
13732 ---- linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-03-27 14:31:47.000000000 -0400
13733 -+++ linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-04-17 15:56:46.000000000 -0400
13734 -@@ -11,7 +11,7 @@
13735 -
13736 - #define DOUBLEFAULT_STACKSIZE (1024)
13737 - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13738 --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13739 -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13740 -
13741 - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13742 -
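Review bot: STACK_START now subtracts an unexplained 2 from the end of doublefault_stack. The array is of unsigned long, so this reserves two words at the top of the double fault stack, but nothing says what they are for. Add a comment, or a named constant, describing what occupies those two slots.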
13743 -@@ -21,7 +21,7 @@ static void doublefault_fn(void)
13744 - unsigned long gdt, tss;
13745 -
13746 - store_gdt(&gdt_desc);
13747 -- gdt = gdt_desc.address;
13748 -+ gdt = (unsigned long)gdt_desc.address;
13749 -
13750 - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13751 -
13752 -@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13753 - /* 0x2 bit is always set */
13754 - .flags = X86_EFLAGS_SF | 0x2,
13755 - .sp = STACK_START,
13756 -- .es = __USER_DS,
13757 -+ .es = __KERNEL_DS,
13758 - .cs = __KERNEL_CS,
13759 - .ss = __KERNEL_DS,
13760 -- .ds = __USER_DS,
13761 -+ .ds = __KERNEL_DS,
13762 - .fs = __KERNEL_PERCPU,
13763 -
13764 - .__cr3 = __pa_nodebug(swapper_pg_dir),
13765 -diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.c linux-2.6.32.46/arch/x86/kernel/dumpstack.c
13766 ---- linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-03-27 14:31:47.000000000 -0400
13767 -+++ linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-04-17 15:56:46.000000000 -0400
13768 -@@ -2,6 +2,9 @@
13769 - * Copyright (C) 1991, 1992 Linus Torvalds
13770 - * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13771 - */
13772 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
13773 -+#define __INCLUDED_BY_HIDESYM 1
13774 -+#endif
13775 - #include <linux/kallsyms.h>
13776 - #include <linux/kprobes.h>
13777 - #include <linux/uaccess.h>
13778 -@@ -28,7 +31,7 @@ static int die_counter;
13779 -
13780 - void printk_address(unsigned long address, int reliable)
13781 - {
13782 -- printk(" [<%p>] %s%pS\n", (void *) address,
13783 -+ printk(" [<%p>] %s%pA\n", (void *) address,
13784 - reliable ? "" : "? ", (void *) address);
13785 - }
13786 -
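Review bot: printk_address() switches from %pS to a %pA pointer format whose definition is not in this hunk. Together with the __INCLUDED_BY_HIDESYM define added at the top of the file, this changes what every stack trace prints, so add a comment here describing what %pA emits when CONFIG_GRKERNSEC_HIDESYM is set and when it is not.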
13787 -@@ -36,9 +39,8 @@ void printk_address(unsigned long addres
13788 - static void
13789 - print_ftrace_graph_addr(unsigned long addr, void *data,
13790 - const struct stacktrace_ops *ops,
13791 -- struct thread_info *tinfo, int *graph)
13792 -+ struct task_struct *task, int *graph)
13793 - {
13794 -- struct task_struct *task = tinfo->task;
13795 - unsigned long ret_addr;
13796 - int index = task->curr_ret_stack;
13797 -
13798 -@@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
13799 - static inline void
13800 - print_ftrace_graph_addr(unsigned long addr, void *data,
13801 - const struct stacktrace_ops *ops,
13802 -- struct thread_info *tinfo, int *graph)
13803 -+ struct task_struct *task, int *graph)
13804 - { }
13805 - #endif
13806 -
13807 -@@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
13808 - * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13809 - */
13810 -
13811 --static inline int valid_stack_ptr(struct thread_info *tinfo,
13812 -- void *p, unsigned int size, void *end)
13813 -+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13814 - {
13815 -- void *t = tinfo;
13816 - if (end) {
13817 - if (p < end && p >= (end-THREAD_SIZE))
13818 - return 1;
13819 -@@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
13820 - }
13821 -
13822 - unsigned long
13823 --print_context_stack(struct thread_info *tinfo,
13824 -+print_context_stack(struct task_struct *task, void *stack_start,
13825 - unsigned long *stack, unsigned long bp,
13826 - const struct stacktrace_ops *ops, void *data,
13827 - unsigned long *end, int *graph)
13828 - {
13829 - struct stack_frame *frame = (struct stack_frame *)bp;
13830 -
13831 -- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13832 -+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13833 - unsigned long addr;
13834 -
13835 - addr = *stack;
13836 -@@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
13837 - } else {
13838 - ops->address(data, addr, 0);
13839 - }
13840 -- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13841 -+ print_ftrace_graph_addr(addr, data, ops, task, graph);
13842 - }
13843 - stack++;
13844 - }
13845 -@@ -180,7 +180,7 @@ void dump_stack(void)
13846 - #endif
13847 -
13848 - printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13849 -- current->pid, current->comm, print_tainted(),
13850 -+ task_pid_nr(current), current->comm, print_tainted(),
13851 - init_utsname()->release,
13852 - (int)strcspn(init_utsname()->version, " "),
13853 - init_utsname()->version);
13854 -@@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
13855 - return flags;
13856 - }
13857 -
13858 -+extern void gr_handle_kernel_exploit(void);
13859 -+
13860 - void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13861 - {
13862 - if (regs && kexec_should_crash(current))
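Review bot: style point on the added extern void gr_handle_kernel_exploit(void); in the middle of dumpstack.c. A prototype declared locally in a .c file is not checked against the definition. Move it to a shared header that both the definition and this caller include.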
13863 -@@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
13864 - panic("Fatal exception in interrupt");
13865 - if (panic_on_oops)
13866 - panic("Fatal exception");
13867 -- do_exit(signr);
13868 -+
13869 -+ gr_handle_kernel_exploit();
13870 -+
13871 -+ do_group_exit(signr);
13872 - }
13873 -
13874 - int __kprobes __die(const char *str, struct pt_regs *regs, long err)
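Review bot: oops_end() now calls gr_handle_kernel_exploit() and ends with do_group_exit(signr) instead of do_exit(signr), which takes down the whole thread group rather than only the oopsing thread. That is a behaviour change for every oops, not only for suspected exploits, and the hunk carries no comment. Document the intent at this call site, including what gr_handle_kernel_exploit() is expected to do before the exit.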
13875 -@@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
13876 - unsigned long flags = oops_begin();
13877 - int sig = SIGSEGV;
13878 -
13879 -- if (!user_mode_vm(regs))
13880 -+ if (!user_mode(regs))
13881 - report_bug(regs->ip, regs);
13882 -
13883 - if (__die(str, regs, err))
13884 -diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.h linux-2.6.32.46/arch/x86/kernel/dumpstack.h
13885 ---- linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-03-27 14:31:47.000000000 -0400
13886 -+++ linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-04-23 13:25:26.000000000 -0400
13887 -@@ -15,7 +15,7 @@
13888 - #endif
13889 -
13890 - extern unsigned long
13891 --print_context_stack(struct thread_info *tinfo,
13892 -+print_context_stack(struct task_struct *task, void *stack_start,
13893 - unsigned long *stack, unsigned long bp,
13894 - const struct stacktrace_ops *ops, void *data,
13895 - unsigned long *end, int *graph);
13896 -diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c
13897 ---- linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-03-27 14:31:47.000000000 -0400
13898 -+++ linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:56:46.000000000 -0400
13899 -@@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
13900 - #endif
13901 -
13902 - for (;;) {
13903 -- struct thread_info *context;
13904 -+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13905 -+ bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13906 -
13907 -- context = (struct thread_info *)
13908 -- ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13909 -- bp = print_context_stack(context, stack, bp, ops,
13910 -- data, NULL, &graph);
13911 --
13912 -- stack = (unsigned long *)context->previous_esp;
13913 -- if (!stack)
13914 -+ if (stack_start == task_stack_page(task))
13915 - break;
13916 -+ stack = *(unsigned long **)stack_start;
13917 - if (ops->stack(data, "IRQ") < 0)
13918 - break;
13919 - touch_nmi_watchdog();
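Review bot: the loop in dump_trace() now follows stack = *(unsigned long **)stack_start, reading the first word of the stack area as the link to the previous stack, and the old if (!stack) break; check is gone. Termination depends solely on stack_start == task_stack_page(task), so a zero or corrupt link word is dereferenced on the next iteration while the kernel is already reporting a fault. Keep a NULL or range check on the loaded pointer and add a comment describing the layout assumption that replaces thread_info->previous_esp.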
13920 -@@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
13921 - * When in-kernel, we also print out the stack and code at the
13922 - * time of the fault..
13923 - */
13924 -- if (!user_mode_vm(regs)) {
13925 -+ if (!user_mode(regs)) {
13926 - unsigned int code_prologue = code_bytes * 43 / 64;
13927 - unsigned int code_len = code_bytes;
13928 - unsigned char c;
13929 - u8 *ip;
13930 -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13931 -
13932 - printk(KERN_EMERG "Stack:\n");
13933 - show_stack_log_lvl(NULL, regs, &regs->sp,
13934 -@@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
13935 -
13936 - printk(KERN_EMERG "Code: ");
13937 -
13938 -- ip = (u8 *)regs->ip - code_prologue;
13939 -+ ip = (u8 *)regs->ip - code_prologue + cs_base;
13940 - if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13941 - /* try starting at IP */
13942 -- ip = (u8 *)regs->ip;
13943 -+ ip = (u8 *)regs->ip + cs_base;
13944 - code_len = code_len - code_prologue + 1;
13945 - }
13946 - for (i = 0; i < code_len; i++, ip++) {
13947 -@@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
13948 - printk(" Bad EIP value.");
13949 - break;
13950 - }
13951 -- if (ip == (u8 *)regs->ip)
13952 -+ if (ip == (u8 *)regs->ip + cs_base)
13953 - printk("<%02x> ", c);
13954 - else
13955 - printk("%02x ", c);
13956 -@@ -149,6 +146,7 @@ int is_valid_bugaddr(unsigned long ip)
13957 - {
13958 - unsigned short ud2;
13959 -
13960 -+ ip = ktla_ktva(ip);
13961 - if (ip < PAGE_OFFSET)
13962 - return 0;
13963 - if (probe_kernel_address((unsigned short *)ip, ud2))
13964 -diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c
13965 ---- linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-03-27 14:31:47.000000000 -0400
13966 -+++ linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:56:46.000000000 -0400
13967 -@@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
13968 - unsigned long *irq_stack_end =
13969 - (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13970 - unsigned used = 0;
13971 -- struct thread_info *tinfo;
13972 - int graph = 0;
13973 -+ void *stack_start;
13974 -
13975 - if (!task)
13976 - task = current;
13977 -@@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
13978 - * current stack address. If the stacks consist of nested
13979 - * exceptions
13980 - */
13981 -- tinfo = task_thread_info(task);
13982 - for (;;) {
13983 - char *id;
13984 - unsigned long *estack_end;
13985 -+
13986 - estack_end = in_exception_stack(cpu, (unsigned long)stack,
13987 - &used, &id);
13988 -
13989 -@@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
13990 - if (ops->stack(data, id) < 0)
13991 - break;
13992 -
13993 -- bp = print_context_stack(tinfo, stack, bp, ops,
13994 -+ bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13995 - data, estack_end, &graph);
13996 - ops->stack(data, "<EOE>");
13997 - /*
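Review bot: possible unit error in the new stack_start argument estack_end - EXCEPTION_STKSZ. estack_end is declared as unsigned long * a few lines above, so the subtraction steps back in units of sizeof(unsigned long), while EXCEPTION_STKSZ is a size in bytes. The value is passed as a void * stack start, so compute it on a byte pointer, for example (void *)((char *)estack_end - EXCEPTION_STKSZ), or note in a comment that the argument is ignored when end is non-NULL.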
13998 -@@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
13999 - if (stack >= irq_stack && stack < irq_stack_end) {
14000 - if (ops->stack(data, "IRQ") < 0)
14001 - break;
14002 -- bp = print_context_stack(tinfo, stack, bp,
14003 -+ bp = print_context_stack(task, irq_stack, stack, bp,
14004 - ops, data, irq_stack_end, &graph);
14005 - /*
14006 - * We link to the next stack (which would be
14007 -@@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
14008 - /*
14009 - * This handles the process stack:
14010 - */
14011 -- bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
14012 -+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
14013 -+ bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
14014 - put_cpu();
14015 - }
14016 - EXPORT_SYMBOL(dump_trace);
14017 -diff -urNp linux-2.6.32.46/arch/x86/kernel/e820.c linux-2.6.32.46/arch/x86/kernel/e820.c
14018 ---- linux-2.6.32.46/arch/x86/kernel/e820.c 2011-03-27 14:31:47.000000000 -0400
14019 -+++ linux-2.6.32.46/arch/x86/kernel/e820.c 2011-04-17 15:56:46.000000000 -0400
14020 -@@ -733,7 +733,7 @@ struct early_res {
14021 - };
14022 - static struct early_res early_res[MAX_EARLY_RES] __initdata = {
14023 - { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
14024 -- {}
14025 -+ { 0, 0, {0}, 0 }
14026 - };
14027 -
14028 - static int __init find_overlapped_early(u64 start, u64 end)
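Review bot: the terminator "{ 0, 0, {0}, 0 }" is a positional initializer that hard-codes the field order and count of struct early_res. It will silently go stale or stop compiling if the struct changes. If the aim is only to silence a missing-initializer warning for "{}", designated initializers or a one-line comment naming the warning would make the intent clear.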
14029 -diff -urNp linux-2.6.32.46/arch/x86/kernel/early_printk.c linux-2.6.32.46/arch/x86/kernel/early_printk.c
14030 ---- linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-03-27 14:31:47.000000000 -0400
14031 -+++ linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-05-16 21:46:57.000000000 -0400
14032 -@@ -7,6 +7,7 @@
14033 - #include <linux/pci_regs.h>
14034 - #include <linux/pci_ids.h>
14035 - #include <linux/errno.h>
14036 -+#include <linux/sched.h>
14037 - #include <asm/io.h>
14038 - #include <asm/processor.h>
14039 - #include <asm/fcntl.h>
14040 -@@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
14041 - int n;
14042 - va_list ap;
14043 -
14044 -+ pax_track_stack();
14045 -+
14046 - va_start(ap, fmt);
14047 - n = vscnprintf(buf, sizeof(buf), fmt, ap);
14048 - early_console->write(early_console, buf, n);
14049 -diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/kernel/efi_32.c
14050 ---- linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
14051 -+++ linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-10-06 09:37:08.000000000 -0400
14052 -@@ -38,70 +38,56 @@
14053 - */
14054 -
14055 - static unsigned long efi_rt_eflags;
14056 --static pgd_t efi_bak_pg_dir_pointer[2];
14057 -+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
14058 -
14059 --void efi_call_phys_prelog(void)
14060 -+void __init efi_call_phys_prelog(void)
14061 - {
14062 -- unsigned long cr4;
14063 -- unsigned long temp;
14064 - struct desc_ptr gdt_descr;
14065 -
14066 -- local_irq_save(efi_rt_eflags);
14067 -+#ifdef CONFIG_PAX_KERNEXEC
14068 -+ struct desc_struct d;
14069 -+#endif
14070 -
14071 -- /*
14072 -- * If I don't have PAE, I should just duplicate two entries in page
14073 -- * directory. If I have PAE, I just need to duplicate one entry in
14074 -- * page directory.
14075 -- */
14076 -- cr4 = read_cr4_safe();
14077 -+ local_irq_save(efi_rt_eflags);
14078 -
14079 -- if (cr4 & X86_CR4_PAE) {
14080 -- efi_bak_pg_dir_pointer[0].pgd =
14081 -- swapper_pg_dir[pgd_index(0)].pgd;
14082 -- swapper_pg_dir[0].pgd =
14083 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
14084 -- } else {
14085 -- efi_bak_pg_dir_pointer[0].pgd =
14086 -- swapper_pg_dir[pgd_index(0)].pgd;
14087 -- efi_bak_pg_dir_pointer[1].pgd =
14088 -- swapper_pg_dir[pgd_index(0x400000)].pgd;
14089 -- swapper_pg_dir[pgd_index(0)].pgd =
14090 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
14091 -- temp = PAGE_OFFSET + 0x400000;
14092 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
14093 -- swapper_pg_dir[pgd_index(temp)].pgd;
14094 -- }
14095 -+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
14096 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
14097 -+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
14098 -
14099 - /*
14100 - * After the lock is released, the original page table is restored.
14101 - */
14102 - __flush_tlb_all();
14103 -
14104 -+#ifdef CONFIG_PAX_KERNEXEC
14105 -+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
14106 -+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
14107 -+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
14108 -+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
14109 -+#endif
14110 -+
14111 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
14112 - gdt_descr.size = GDT_SIZE - 1;
14113 - load_gdt(&gdt_descr);
14114 - }
14115 -
14116 --void efi_call_phys_epilog(void)
14117 -+void __init efi_call_phys_epilog(void)
14118 - {
14119 -- unsigned long cr4;
14120 - struct desc_ptr gdt_descr;
14121 -
14122 -+#ifdef CONFIG_PAX_KERNEXEC
14123 -+ struct desc_struct d;
14124 -+
14125 -+ memset(&d, 0, sizeof d);
14126 -+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
14127 -+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
14128 -+#endif
14129 -+
14130 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
14131 - gdt_descr.size = GDT_SIZE - 1;
14132 - load_gdt(&gdt_descr);
14133 -
14134 -- cr4 = read_cr4_safe();
14135 --
14136 -- if (cr4 & X86_CR4_PAE) {
14137 -- swapper_pg_dir[pgd_index(0)].pgd =
14138 -- efi_bak_pg_dir_pointer[0].pgd;
14139 -- } else {
14140 -- swapper_pg_dir[pgd_index(0)].pgd =
14141 -- efi_bak_pg_dir_pointer[0].pgd;
14142 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
14143 -- efi_bak_pg_dir_pointer[1].pgd;
14144 -- }
14145 -+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
14146 -
14147 - /*
14148 - * After the lock is released, the original page table is restored.
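Review bot: efi_call_phys_prelog() and efi_call_phys_epilog() are now __init and efi_bak_pg_dir_pointer is __initdata, so any caller that runs after init memory is released would execute discarded code and touch a discarded buffer. The hunk gives no indication that all 32-bit callers are init-only; please state that in a comment, or keep these out of the init sections. Separately, the removed comment about the PAE and non-PAE cases has no replacement explaining the two clone_pgd_range() calls and the min_t() bound, and the pack_descriptor() arguments 0x9B, 0x93 and 0xC are bare magic numbers that should be named or commented.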
14149 -diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S
14150 ---- linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
14151 -+++ linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-10-06 09:37:08.000000000 -0400
14152 -@@ -6,7 +6,9 @@
14153 - */
14154 -
14155 - #include <linux/linkage.h>
14156 -+#include <linux/init.h>
14157 - #include <asm/page_types.h>
14158 -+#include <asm/segment.h>
14159 -
14160 - /*
14161 - * efi_call_phys(void *, ...) is a function with variable parameters.
14162 -@@ -20,7 +22,7 @@
14163 - * service functions will comply with gcc calling convention, too.
14164 - */
14165 -
14166 --.text
14167 -+__INIT
14168 - ENTRY(efi_call_phys)
14169 - /*
14170 - * 0. The function can only be called in Linux kernel. So CS has been
14171 -@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
14172 - * The mapping of lower virtual memory has been created in prelog and
14173 - * epilog.
14174 - */
14175 -- movl $1f, %edx
14176 -- subl $__PAGE_OFFSET, %edx
14177 -- jmp *%edx
14178 -+ movl $(__KERNEXEC_EFI_DS), %edx
14179 -+ mov %edx, %ds
14180 -+ mov %edx, %es
14181 -+ mov %edx, %ss
14182 -+ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
14183 - 1:
14184 -
14185 - /*
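Review bot: the loads of __KERNEXEC_EFI_DS into %ds, %es and %ss and the "ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET" are unconditional, while efi_32.c in this same patch writes the GDT_ENTRY_KERNEXEC_EFI_CS and GDT_ENTRY_KERNEXEC_EFI_DS descriptors only under #ifdef CONFIG_PAX_KERNEXEC. Please confirm what these selectors resolve to when that option is off, and either guard this block the same way or add a comment pointing at where the descriptors are set up in that configuration.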
14186 -@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
14187 - * parameter 2, ..., param n. To make things easy, we save the return
14188 - * address of efi_call_phys in a global variable.
14189 - */
14190 -- popl %edx
14191 -- movl %edx, saved_return_addr
14192 -- /* get the function pointer into ECX*/
14193 -- popl %ecx
14194 -- movl %ecx, efi_rt_function_ptr
14195 -- movl $2f, %edx
14196 -- subl $__PAGE_OFFSET, %edx
14197 -- pushl %edx
14198 -+ popl (saved_return_addr)
14199 -+ popl (efi_rt_function_ptr)
14200 -
14201 - /*
14202 - * 3. Clear PG bit in %CR0.
14203 -@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
14204 - /*
14205 - * 5. Call the physical function.
14206 - */
14207 -- jmp *%ecx
14208 -+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
14209 -
14210 --2:
14211 - /*
14212 - * 6. After EFI runtime service returns, control will return to
14213 - * following instruction. We'd better readjust stack pointer first.
14214 -@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
14215 - movl %cr0, %edx
14216 - orl $0x80000000, %edx
14217 - movl %edx, %cr0
14218 -- jmp 1f
14219 --1:
14220 -+
14221 - /*
14222 - * 8. Now restore the virtual mode from flat mode by
14223 - * adding EIP with PAGE_OFFSET.
14224 - */
14225 -- movl $1f, %edx
14226 -- jmp *%edx
14227 -+ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
14228 - 1:
14229 -+ movl $(__KERNEL_DS), %edx
14230 -+ mov %edx, %ds
14231 -+ mov %edx, %es
14232 -+ mov %edx, %ss
14233 -
14234 - /*
14235 - * 9. Balance the stack. And because EAX contain the return value,
14236 - * we'd better not clobber it.
14237 - */
14238 -- leal efi_rt_function_ptr, %edx
14239 -- movl (%edx), %ecx
14240 -- pushl %ecx
14241 -+ pushl (efi_rt_function_ptr)
14242 -
14243 - /*
14244 -- * 10. Push the saved return address onto the stack and return.
14245 -+ * 10. Return to the saved return address.
14246 - */
14247 -- leal saved_return_addr, %edx
14248 -- movl (%edx), %ecx
14249 -- pushl %ecx
14250 -- ret
14251 -+ jmpl *(saved_return_addr)
14252 - ENDPROC(efi_call_phys)
14253 - .previous
14254 -
14255 --.data
14256 -+__INITDATA
14257 - saved_return_addr:
14258 - .long 0
14259 - efi_rt_function_ptr:
14260 -diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S
14261 ---- linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-03-27 14:31:47.000000000 -0400
14262 -+++ linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-10-06 09:37:14.000000000 -0400
14263 -@@ -7,6 +7,7 @@
14264 - */
14265 -
14266 - #include <linux/linkage.h>
14267 -+#include <asm/alternative-asm.h>
14268 -
14269 - #define SAVE_XMM \
14270 - mov %rsp, %rax; \
14271 -@@ -40,6 +41,7 @@ ENTRY(efi_call0)
14272 - call *%rdi
14273 - addq $32, %rsp
14274 - RESTORE_XMM
14275 -+ pax_force_retaddr
14276 - ret
14277 - ENDPROC(efi_call0)
14278 -
14279 -@@ -50,6 +52,7 @@ ENTRY(efi_call1)
14280 - call *%rdi
14281 - addq $32, %rsp
14282 - RESTORE_XMM
14283 -+ pax_force_retaddr
14284 - ret
14285 - ENDPROC(efi_call1)
14286 -
14287 -@@ -60,6 +63,7 @@ ENTRY(efi_call2)
14288 - call *%rdi
14289 - addq $32, %rsp
14290 - RESTORE_XMM
14291 -+ pax_force_retaddr
14292 - ret
14293 - ENDPROC(efi_call2)
14294 -
14295 -@@ -71,6 +75,7 @@ ENTRY(efi_call3)
14296 - call *%rdi
14297 - addq $32, %rsp
14298 - RESTORE_XMM
14299 -+ pax_force_retaddr
14300 - ret
14301 - ENDPROC(efi_call3)
14302 -
14303 -@@ -83,6 +88,7 @@ ENTRY(efi_call4)
14304 - call *%rdi
14305 - addq $32, %rsp
14306 - RESTORE_XMM
14307 -+ pax_force_retaddr
14308 - ret
14309 - ENDPROC(efi_call4)
14310 -
14311 -@@ -96,6 +102,7 @@ ENTRY(efi_call5)
14312 - call *%rdi
14313 - addq $48, %rsp
14314 - RESTORE_XMM
14315 -+ pax_force_retaddr
14316 - ret
14317 - ENDPROC(efi_call5)
14318 -
14319 -@@ -112,5 +119,6 @@ ENTRY(efi_call6)
14320 - call *%rdi
14321 - addq $48, %rsp
14322 - RESTORE_XMM
14323 -+ pax_force_retaddr
14324 - ret
14325 - ENDPROC(efi_call6)
14326 -diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_32.S linux-2.6.32.46/arch/x86/kernel/entry_32.S
14327 ---- linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
14328 -+++ linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-08-30 18:19:52.000000000 -0400
14329 -@@ -185,13 +185,146 @@
14330 - /*CFI_REL_OFFSET gs, PT_GS*/
14331 - .endm
14332 - .macro SET_KERNEL_GS reg
14333 -+
14334 -+#ifdef CONFIG_CC_STACKPROTECTOR
14335 - movl $(__KERNEL_STACK_CANARY), \reg
14336 -+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14337 -+ movl $(__USER_DS), \reg
14338 -+#else
14339 -+ xorl \reg, \reg
14340 -+#endif
14341 -+
14342 - movl \reg, %gs
14343 - .endm
14344 -
14345 - #endif /* CONFIG_X86_32_LAZY_GS */
14346 -
14347 --.macro SAVE_ALL
14348 -+.macro pax_enter_kernel
14349 -+#ifdef CONFIG_PAX_KERNEXEC
14350 -+ call pax_enter_kernel
14351 -+#endif
14352 -+.endm
14353 -+
14354 -+.macro pax_exit_kernel
14355 -+#ifdef CONFIG_PAX_KERNEXEC
14356 -+ call pax_exit_kernel
14357 -+#endif
14358 -+.endm
14359 -+
14360 -+#ifdef CONFIG_PAX_KERNEXEC
14361 -+ENTRY(pax_enter_kernel)
14362 -+#ifdef CONFIG_PARAVIRT
14363 -+ pushl %eax
14364 -+ pushl %ecx
14365 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
14366 -+ mov %eax, %esi
14367 -+#else
14368 -+ mov %cr0, %esi
14369 -+#endif
14370 -+ bts $16, %esi
14371 -+ jnc 1f
14372 -+ mov %cs, %esi
14373 -+ cmp $__KERNEL_CS, %esi
14374 -+ jz 3f
14375 -+ ljmp $__KERNEL_CS, $3f
14376 -+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
14377 -+2:
14378 -+#ifdef CONFIG_PARAVIRT
14379 -+ mov %esi, %eax
14380 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
14381 -+#else
14382 -+ mov %esi, %cr0
14383 -+#endif
14384 -+3:
14385 -+#ifdef CONFIG_PARAVIRT
14386 -+ popl %ecx
14387 -+ popl %eax
14388 -+#endif
14389 -+ ret
14390 -+ENDPROC(pax_enter_kernel)
14391 -+
14392 -+ENTRY(pax_exit_kernel)
14393 -+#ifdef CONFIG_PARAVIRT
14394 -+ pushl %eax
14395 -+ pushl %ecx
14396 -+#endif
14397 -+ mov %cs, %esi
14398 -+ cmp $__KERNEXEC_KERNEL_CS, %esi
14399 -+ jnz 2f
14400 -+#ifdef CONFIG_PARAVIRT
14401 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
14402 -+ mov %eax, %esi
14403 -+#else
14404 -+ mov %cr0, %esi
14405 -+#endif
14406 -+ btr $16, %esi
14407 -+ ljmp $__KERNEL_CS, $1f
14408 -+1:
14409 -+#ifdef CONFIG_PARAVIRT
14410 -+ mov %esi, %eax
14411 -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
14412 -+#else
14413 -+ mov %esi, %cr0
14414 -+#endif
14415 -+2:
14416 -+#ifdef CONFIG_PARAVIRT
14417 -+ popl %ecx
14418 -+ popl %eax
14419 -+#endif
14420 -+ ret
14421 -+ENDPROC(pax_exit_kernel)
14422 -+#endif
14423 -+
14424 -+.macro pax_erase_kstack
14425 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14426 -+ call pax_erase_kstack
14427 -+#endif
14428 -+.endm
14429 -+
14430 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14431 -+/*
14432 -+ * ebp: thread_info
14433 -+ * ecx, edx: can be clobbered
14434 -+ */
14435 -+ENTRY(pax_erase_kstack)
14436 -+ pushl %edi
14437 -+ pushl %eax
14438 -+
14439 -+ mov TI_lowest_stack(%ebp), %edi
14440 -+ mov $-0xBEEF, %eax
14441 -+ std
14442 -+
14443 -+1: mov %edi, %ecx
14444 -+ and $THREAD_SIZE_asm - 1, %ecx
14445 -+ shr $2, %ecx
14446 -+ repne scasl
14447 -+ jecxz 2f
14448 -+
14449 -+ cmp $2*16, %ecx
14450 -+ jc 2f
14451 -+
14452 -+ mov $2*16, %ecx
14453 -+ repe scasl
14454 -+ jecxz 2f
14455 -+ jne 1b
14456 -+
14457 -+2: cld
14458 -+ mov %esp, %ecx
14459 -+ sub %edi, %ecx
14460 -+ shr $2, %ecx
14461 -+ rep stosl
14462 -+
14463 -+ mov TI_task_thread_sp0(%ebp), %edi
14464 -+ sub $128, %edi
14465 -+ mov %edi, TI_lowest_stack(%ebp)
14466 -+
14467 -+ popl %eax
14468 -+ popl %edi
14469 -+ ret
14470 -+ENDPROC(pax_erase_kstack)
14471 -+#endif
14472 -+
14473 -+.macro __SAVE_ALL _DS
14474 - cld
14475 - PUSH_GS
14476 - pushl %fs
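Review bot: pax_enter_kernel and pax_exit_kernel use %esi as scratch for the CR0 value without saving it, and nothing documents that; under CONFIG_PARAVIRT they save %eax and %ecx but still not %esi. pax_erase_kstack further down in the same hunk does carry a register contract comment ("ebp: thread_info", "ecx, edx: can be clobbered"), so the two entry/exit routines should get the same treatment, since every call site has to know %esi is dead afterwards. The bare constants would also benefit from a comment each: bit 16 in "bts $16, %esi" and "btr $16, %esi", the fill value $-0xBEEF, the run length $2*16, and the 128 subtracted from TI_task_thread_sp0.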
14477 -@@ -224,7 +357,7 @@
14478 - pushl %ebx
14479 - CFI_ADJUST_CFA_OFFSET 4
14480 - CFI_REL_OFFSET ebx, 0
14481 -- movl $(__USER_DS), %edx
14482 -+ movl $\_DS, %edx
14483 - movl %edx, %ds
14484 - movl %edx, %es
14485 - movl $(__KERNEL_PERCPU), %edx
14486 -@@ -232,6 +365,15 @@
14487 - SET_KERNEL_GS %edx
14488 - .endm
14489 -
14490 -+.macro SAVE_ALL
14491 -+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
14492 -+ __SAVE_ALL __KERNEL_DS
14493 -+ pax_enter_kernel
14494 -+#else
14495 -+ __SAVE_ALL __USER_DS
14496 -+#endif
14497 -+.endm
14498 -+
14499 - .macro RESTORE_INT_REGS
14500 - popl %ebx
14501 - CFI_ADJUST_CFA_OFFSET -4
14502 -@@ -352,7 +494,15 @@ check_userspace:
14503 - movb PT_CS(%esp), %al
14504 - andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
14505 - cmpl $USER_RPL, %eax
14506 -+
14507 -+#ifdef CONFIG_PAX_KERNEXEC
14508 -+ jae resume_userspace
14509 -+
14510 -+ PAX_EXIT_KERNEL
14511 -+ jmp resume_kernel
14512 -+#else
14513 - jb resume_kernel # not returning to v8086 or userspace
14514 -+#endif
14515 -
14516 - ENTRY(resume_userspace)
14517 - LOCKDEP_SYS_EXIT
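Review bot: the macro is invoked here as PAX_EXIT_KERNEL, but earlier in this file it is defined as ".macro pax_exit_kernel" and every other call site in the patch uses the lowercase spelling. Use the lowercase name here too, so the reader does not have to work out how the assembler or the preprocessor resolves the uppercase form.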
14518 -@@ -364,7 +514,7 @@ ENTRY(resume_userspace)
14519 - andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
14520 - # int/exception return?
14521 - jne work_pending
14522 -- jmp restore_all
14523 -+ jmp restore_all_pax
14524 - END(ret_from_exception)
14525 -
14526 - #ifdef CONFIG_PREEMPT
14527 -@@ -414,25 +564,36 @@ sysenter_past_esp:
14528 - /*CFI_REL_OFFSET cs, 0*/
14529 - /*
14530 - * Push current_thread_info()->sysenter_return to the stack.
14531 -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
14532 -- * pushed above; +8 corresponds to copy_thread's esp0 setting.
14533 - */
14534 -- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
14535 -+ pushl $0
14536 - CFI_ADJUST_CFA_OFFSET 4
14537 - CFI_REL_OFFSET eip, 0
14538 -
14539 - pushl %eax
14540 - CFI_ADJUST_CFA_OFFSET 4
14541 - SAVE_ALL
14542 -+ GET_THREAD_INFO(%ebp)
14543 -+ movl TI_sysenter_return(%ebp),%ebp
14544 -+ movl %ebp,PT_EIP(%esp)
14545 - ENABLE_INTERRUPTS(CLBR_NONE)
14546 -
14547 - /*
14548 - * Load the potential sixth argument from user stack.
14549 - * Careful about security.
14550 - */
14551 -+ movl PT_OLDESP(%esp),%ebp
14552 -+
14553 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
14554 -+ mov PT_OLDSS(%esp),%ds
14555 -+1: movl %ds:(%ebp),%ebp
14556 -+ push %ss
14557 -+ pop %ds
14558 -+#else
14559 - cmpl $__PAGE_OFFSET-3,%ebp
14560 - jae syscall_fault
14561 - 1: movl (%ebp),%ebp
14562 -+#endif
14563 -+
14564 - movl %ebp,PT_EBP(%esp)
14565 - .section __ex_table,"a"
14566 - .align 4
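Review bot: under CONFIG_PAX_MEMORY_UDEREF the explicit bound check ("cmpl $__PAGE_OFFSET-3,%ebp" followed by "jae syscall_fault") is dropped and the sixth-argument load goes through %ds loaded from PT_OLDSS instead, with no comment explaining why that is sufficient. The existing "Careful about security" comment sits right above this, so please add a line stating what now enforces the user-range limit on the access at label 1, and that the fault path has to reload %ds because it is left pointing at the user segment if the load faults. The "pushl $0" placeholder that is later overwritten through PT_EIP(%esp) also deserves a short comment, since the comment it replaces described the old offset arithmetic.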
14567 -@@ -455,12 +616,24 @@ sysenter_do_call:
14568 - testl $_TIF_ALLWORK_MASK, %ecx
14569 - jne sysexit_audit
14570 - sysenter_exit:
14571 -+
14572 -+#ifdef CONFIG_PAX_RANDKSTACK
14573 -+ pushl_cfi %eax
14574 -+ movl %esp, %eax
14575 -+ call pax_randomize_kstack
14576 -+ popl_cfi %eax
14577 -+#endif
14578 -+
14579 -+ pax_erase_kstack
14580 -+
14581 - /* if something modifies registers it must also disable sysexit */
14582 - movl PT_EIP(%esp), %edx
14583 - movl PT_OLDESP(%esp), %ecx
14584 - xorl %ebp,%ebp
14585 - TRACE_IRQS_ON
14586 - 1: mov PT_FS(%esp), %fs
14587 -+2: mov PT_DS(%esp), %ds
14588 -+3: mov PT_ES(%esp), %es
14589 - PTGS_TO_GS
14590 - ENABLE_INTERRUPTS_SYSEXIT
14591 -
14592 -@@ -477,6 +650,9 @@ sysenter_audit:
14593 - movl %eax,%edx /* 2nd arg: syscall number */
14594 - movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14595 - call audit_syscall_entry
14596 -+
14597 -+ pax_erase_kstack
14598 -+
14599 - pushl %ebx
14600 - CFI_ADJUST_CFA_OFFSET 4
14601 - movl PT_EAX(%esp),%eax /* reload syscall number */
14602 -@@ -504,11 +680,17 @@ sysexit_audit:
14603 -
14604 - CFI_ENDPROC
14605 - .pushsection .fixup,"ax"
14606 --2: movl $0,PT_FS(%esp)
14607 -+4: movl $0,PT_FS(%esp)
14608 -+ jmp 1b
14609 -+5: movl $0,PT_DS(%esp)
14610 -+ jmp 1b
14611 -+6: movl $0,PT_ES(%esp)
14612 - jmp 1b
14613 - .section __ex_table,"a"
14614 - .align 4
14615 -- .long 1b,2b
14616 -+ .long 1b,4b
14617 -+ .long 2b,5b
14618 -+ .long 3b,6b
14619 - .popsection
14620 - PTGS_TO_GS_EX
14621 - ENDPROC(ia32_sysenter_target)
14622 -@@ -538,6 +720,15 @@ syscall_exit:
14623 - testl $_TIF_ALLWORK_MASK, %ecx # current->work
14624 - jne syscall_exit_work
14625 -
14626 -+restore_all_pax:
14627 -+
14628 -+#ifdef CONFIG_PAX_RANDKSTACK
14629 -+ movl %esp, %eax
14630 -+ call pax_randomize_kstack
14631 -+#endif
14632 -+
14633 -+ pax_erase_kstack
14634 -+
14635 - restore_all:
14636 - TRACE_IRQS_IRET
14637 - restore_all_notrace:
14638 -@@ -602,10 +793,29 @@ ldt_ss:
14639 - mov PT_OLDESP(%esp), %eax /* load userspace esp */
14640 - mov %dx, %ax /* eax: new kernel esp */
14641 - sub %eax, %edx /* offset (low word is 0) */
14642 -- PER_CPU(gdt_page, %ebx)
14643 -+#ifdef CONFIG_SMP
14644 -+ movl PER_CPU_VAR(cpu_number), %ebx
14645 -+ shll $PAGE_SHIFT_asm, %ebx
14646 -+ addl $cpu_gdt_table, %ebx
14647 -+#else
14648 -+ movl $cpu_gdt_table, %ebx
14649 -+#endif
14650 - shr $16, %edx
14651 -+
14652 -+#ifdef CONFIG_PAX_KERNEXEC
14653 -+ mov %cr0, %esi
14654 -+ btr $16, %esi
14655 -+ mov %esi, %cr0
14656 -+#endif
14657 -+
14658 - mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
14659 - mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
14660 -+
14661 -+#ifdef CONFIG_PAX_KERNEXEC
14662 -+ bts $16, %esi
14663 -+ mov %esi, %cr0
14664 -+#endif
14665 -+
14666 - pushl $__ESPFIX_SS
14667 - CFI_ADJUST_CFA_OFFSET 4
14668 - push %eax /* new kernel esp */
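Review bot: the CONFIG_PAX_KERNEXEC block around the two GDT_ENTRY_ESPFIX_SS byte stores reads and writes %cr0 directly and clobbers %esi, whereas pax_enter_kernel earlier in this file goes through PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0) and PV_CPU_write_cr0 under CONFIG_PARAVIRT. Either use the same paravirt-aware access here or say in a comment why the raw access is acceptable at this point. A comment on what the window between "btr $16, %esi" and "bts $16, %esi" is for, and whether %esi is known to be free here, would also help.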
14669 -@@ -636,31 +846,25 @@ work_resched:
14670 - movl TI_flags(%ebp), %ecx
14671 - andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14672 - # than syscall tracing?
14673 -- jz restore_all
14674 -+ jz restore_all_pax
14675 - testb $_TIF_NEED_RESCHED, %cl
14676 - jnz work_resched
14677 -
14678 - work_notifysig: # deal with pending signals and
14679 - # notify-resume requests
14680 -+ movl %esp, %eax
14681 - #ifdef CONFIG_VM86
14682 - testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14683 -- movl %esp, %eax
14684 -- jne work_notifysig_v86 # returning to kernel-space or
14685 -+ jz 1f # returning to kernel-space or
14686 - # vm86-space
14687 -- xorl %edx, %edx
14688 -- call do_notify_resume
14689 -- jmp resume_userspace_sig
14690 -
14691 -- ALIGN
14692 --work_notifysig_v86:
14693 - pushl %ecx # save ti_flags for do_notify_resume
14694 - CFI_ADJUST_CFA_OFFSET 4
14695 - call save_v86_state # %eax contains pt_regs pointer
14696 - popl %ecx
14697 - CFI_ADJUST_CFA_OFFSET -4
14698 - movl %eax, %esp
14699 --#else
14700 -- movl %esp, %eax
14701 -+1:
14702 - #endif
14703 - xorl %edx, %edx
14704 - call do_notify_resume
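Review bot: the comment "returning to kernel-space or vm86-space" was written for the old "jne work_notifysig_v86" and is now attached to "jz 1f", which branches in the opposite case (X86_EFLAGS_VM clear). As it stands the comment describes the fall-through path, not the branch it sits on. Reword it to match the new sense of the test, for example by saying that the jump skips save_v86_state when not returning to vm86 mode.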
14705 -@@ -673,6 +877,9 @@ syscall_trace_entry:
14706 - movl $-ENOSYS,PT_EAX(%esp)
14707 - movl %esp, %eax
14708 - call syscall_trace_enter
14709 -+
14710 -+ pax_erase_kstack
14711 -+
14712 - /* What it returned is what we'll actually use. */
14713 - cmpl $(nr_syscalls), %eax
14714 - jnae syscall_call
14715 -@@ -695,6 +902,10 @@ END(syscall_exit_work)
14716 -
14717 - RING0_INT_FRAME # can't unwind into user space anyway
14718 - syscall_fault:
14719 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
14720 -+ push %ss
14721 -+ pop %ds
14722 -+#endif
14723 - GET_THREAD_INFO(%ebp)
14724 - movl $-EFAULT,PT_EAX(%esp)
14725 - jmp resume_userspace
14726 -@@ -726,6 +937,33 @@ PTREGSCALL(rt_sigreturn)
14727 - PTREGSCALL(vm86)
14728 - PTREGSCALL(vm86old)
14729 -
14730 -+ ALIGN;
14731 -+ENTRY(kernel_execve)
14732 -+ push %ebp
14733 -+ sub $PT_OLDSS+4,%esp
14734 -+ push %edi
14735 -+ push %ecx
14736 -+ push %eax
14737 -+ lea 3*4(%esp),%edi
14738 -+ mov $PT_OLDSS/4+1,%ecx
14739 -+ xorl %eax,%eax
14740 -+ rep stosl
14741 -+ pop %eax
14742 -+ pop %ecx
14743 -+ pop %edi
14744 -+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14745 -+ mov %eax,PT_EBX(%esp)
14746 -+ mov %edx,PT_ECX(%esp)
14747 -+ mov %ecx,PT_EDX(%esp)
14748 -+ mov %esp,%eax
14749 -+ call sys_execve
14750 -+ GET_THREAD_INFO(%ebp)
14751 -+ test %eax,%eax
14752 -+ jz syscall_exit
14753 -+ add $PT_OLDSS+4,%esp
14754 -+ pop %ebp
14755 -+ ret
14756 -+
14757 - .macro FIXUP_ESPFIX_STACK
14758 - /*
14759 - * Switch back for ESPFIX stack to the normal zerobased stack
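Review bot: the new kernel_execve has no header comment and no closing ENDPROC or END, unlike the other ENTRY blocks added by this patch in the same file. Please document the calling convention it relies on (the three arguments arrive in %eax, %edx and %ecx and are stored to PT_EBX, PT_ECX and PT_EDX), explain why the hand-built frame is "PT_OLDSS+4" bytes and is zeroed with "PT_OLDSS/4+1" dwords, and close the symbol so size and type information is emitted for it.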
14760 -@@ -735,7 +973,13 @@ PTREGSCALL(vm86old)
14761 - * normal stack and adjusts ESP with the matching offset.
14762 - */
14763 - /* fixup the stack */
14764 -- PER_CPU(gdt_page, %ebx)
14765 -+#ifdef CONFIG_SMP
14766 -+ movl PER_CPU_VAR(cpu_number), %ebx
14767 -+ shll $PAGE_SHIFT_asm, %ebx
14768 -+ addl $cpu_gdt_table, %ebx
14769 -+#else
14770 -+ movl $cpu_gdt_table, %ebx
14771 -+#endif
14772 - mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
14773 - mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
14774 - shl $16, %eax
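Review bot: this open-coded GDT lookup (cpu_number shifted by PAGE_SHIFT_asm and added to cpu_gdt_table) is a verbatim copy of the sequence added in the ldt_ss hunk above. It also bakes in the assumption that each CPU's GDT occupies exactly one page in a contiguous array starting at cpu_gdt_table. Put it in one small macro with a comment stating that layout assumption, and use the macro in both places.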
14775 -@@ -1198,7 +1442,6 @@ return_to_handler:
14776 - ret
14777 - #endif
14778 -
14779 --.section .rodata,"a"
14780 - #include "syscall_table_32.S"
14781 -
14782 - syscall_table_size=(.-sys_call_table)
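Review bot: with the ".section .rodata,"a"" directive removed, sys_call_table is emitted into whatever section is current at this point unless syscall_table_32.S selects one itself. That is not visible in this hunk. Please confirm where the table ends up and that it is still read-only, and leave a comment here pointing at the place the section is now chosen.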
14783 -@@ -1255,9 +1498,12 @@ error_code:
14784 - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14785 - REG_TO_PTGS %ecx
14786 - SET_KERNEL_GS %ecx
14787 -- movl $(__USER_DS), %ecx
14788 -+ movl $(__KERNEL_DS), %ecx
14789 - movl %ecx, %ds
14790 - movl %ecx, %es
14791 -+
14792 -+ pax_enter_kernel
14793 -+
14794 - TRACE_IRQS_OFF
14795 - movl %esp,%eax # pt_regs pointer
14796 - call *%edi
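Review bot: error_code now loads __KERNEL_DS into %ds and %es unconditionally, while the SAVE_ALL macro added earlier in this file picks __KERNEL_DS only when one of CONFIG_PAX_KERNEXEC, CONFIG_PAX_PAGEEXEC, CONFIG_PAX_SEGMEXEC or CONFIG_PAX_MEMORY_UDEREF is set and keeps __USER_DS otherwise. With all of those options off, the two entry paths end up with different data segments. Either apply the same #if here or explain why the exception path differs.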
14797 -@@ -1351,6 +1597,9 @@ nmi_stack_correct:
14798 - xorl %edx,%edx # zero error code
14799 - movl %esp,%eax # pt_regs pointer
14800 - call do_nmi
14801 -+
14802 -+ pax_exit_kernel
14803 -+
14804 - jmp restore_all_notrace
14805 - CFI_ENDPROC
14806 -
14807 -@@ -1391,6 +1640,9 @@ nmi_espfix_stack:
14808 - FIXUP_ESPFIX_STACK # %eax == %esp
14809 - xorl %edx,%edx # zero error code
14810 - call do_nmi
14811 -+
14812 -+ pax_exit_kernel
14813 -+
14814 - RESTORE_REGS
14815 - lss 12+4(%esp), %esp # back to espfix stack
14816 - CFI_ADJUST_CFA_OFFSET -24
14817 -diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/kernel/entry_64.S
14818 ---- linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
14819 -+++ linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-10-08 08:14:37.000000000 -0400
14820 -@@ -53,6 +53,8 @@
14821 - #include <asm/paravirt.h>
14822 - #include <asm/ftrace.h>
14823 - #include <asm/percpu.h>
14824 -+#include <asm/pgtable.h>
14825 -+#include <asm/alternative-asm.h>
14826 -
14827 - /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14828 - #include <linux/elf-em.h>
14829 -@@ -64,6 +66,7 @@
14830 - #ifdef CONFIG_FUNCTION_TRACER
14831 - #ifdef CONFIG_DYNAMIC_FTRACE
14832 - ENTRY(mcount)
14833 -+ pax_force_retaddr
14834 - retq
14835 - END(mcount)
14836 -
14837 -@@ -88,6 +91,7 @@ GLOBAL(ftrace_graph_call)
14838 - #endif
14839 -
14840 - GLOBAL(ftrace_stub)
14841 -+ pax_force_retaddr
14842 - retq
14843 - END(ftrace_caller)
14844 -
14845 -@@ -108,6 +112,7 @@ ENTRY(mcount)
14846 - #endif
14847 -
14848 - GLOBAL(ftrace_stub)
14849 -+ pax_force_retaddr
14850 - retq
14851 -
14852 - trace:
14853 -@@ -117,6 +122,7 @@ trace:
14854 - movq 8(%rbp), %rsi
14855 - subq $MCOUNT_INSN_SIZE, %rdi
14856 -
14857 -+ pax_force_fptr ftrace_trace_function
14858 - call *ftrace_trace_function
14859 -
14860 - MCOUNT_RESTORE_FRAME
14861 -@@ -142,6 +148,7 @@ ENTRY(ftrace_graph_caller)
14862 -
14863 - MCOUNT_RESTORE_FRAME
14864 -
14865 -+ pax_force_retaddr
14866 - retq
14867 - END(ftrace_graph_caller)
14868 -
14869 -@@ -159,6 +166,7 @@ GLOBAL(return_to_handler)
14870 - movq 8(%rsp), %rdx
14871 - movq (%rsp), %rax
14872 - addq $16, %rsp
14873 -+ pax_force_retaddr
14874 - retq
14875 - #endif
14876 -
14877 -@@ -174,6 +182,269 @@ ENTRY(native_usergs_sysret64)
14878 - ENDPROC(native_usergs_sysret64)
14879 - #endif /* CONFIG_PARAVIRT */
14880 -
14881 -+ .macro ljmpq sel, off
14882 -+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14883 -+ .byte 0x48; ljmp *1234f(%rip)
14884 -+ .pushsection .rodata
14885 -+ .align 16
14886 -+ 1234: .quad \off; .word \sel
14887 -+ .popsection
14888 -+#else
14889 -+ pushq $\sel
14890 -+ pushq $\off
14891 -+ lretq
14892 -+#endif
14893 -+ .endm
14894 -+
14895 -+ .macro pax_enter_kernel
14896 -+#ifdef CONFIG_PAX_KERNEXEC
14897 -+ call pax_enter_kernel
14898 -+#endif
14899 -+ .endm
14900 -+
14901 -+ .macro pax_exit_kernel
14902 -+#ifdef CONFIG_PAX_KERNEXEC
14903 -+ call pax_exit_kernel
14904 -+#endif
14905 -+ .endm
14906 -+
14907 -+#ifdef CONFIG_PAX_KERNEXEC
14908 -+ENTRY(pax_enter_kernel)
14909 -+ pushq %rdi
14910 -+
14911 -+#ifdef CONFIG_PARAVIRT
14912 -+ PV_SAVE_REGS(CLBR_RDI)
14913 -+#endif
14914 -+
14915 -+ GET_CR0_INTO_RDI
14916 -+ bts $16,%rdi
14917 -+ jnc 1f
14918 -+ mov %cs,%edi
14919 -+ cmp $__KERNEL_CS,%edi
14920 -+ jz 3f
14921 -+ ljmpq __KERNEL_CS,3f
14922 -+1: ljmpq __KERNEXEC_KERNEL_CS,2f
14923 -+2: SET_RDI_INTO_CR0
14924 -+3:
14925 -+
14926 -+#ifdef CONFIG_PARAVIRT
14927 -+ PV_RESTORE_REGS(CLBR_RDI)
14928 -+#endif
14929 -+
14930 -+ popq %rdi
14931 -+ pax_force_retaddr
14932 -+ retq
14933 -+ENDPROC(pax_enter_kernel)
14934 -+
14935 -+ENTRY(pax_exit_kernel)
14936 -+ pushq %rdi
14937 -+
14938 -+#ifdef CONFIG_PARAVIRT
14939 -+ PV_SAVE_REGS(CLBR_RDI)
14940 -+#endif
14941 -+
14942 -+ mov %cs,%rdi
14943 -+ cmp $__KERNEXEC_KERNEL_CS,%edi
14944 -+ jnz 2f
14945 -+ GET_CR0_INTO_RDI
14946 -+ btr $16,%rdi
14947 -+ ljmpq __KERNEL_CS,1f
14948 -+1: SET_RDI_INTO_CR0
14949 -+2:
14950 -+
14951 -+#ifdef CONFIG_PARAVIRT
14952 -+ PV_RESTORE_REGS(CLBR_RDI);
14953 -+#endif
14954 -+
14955 -+ popq %rdi
14956 -+ pax_force_retaddr
14957 -+ retq
14958 -+ENDPROC(pax_exit_kernel)
14959 -+#endif
14960 -+
14961 -+ .macro pax_enter_kernel_user
14962 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
14963 -+ call pax_enter_kernel_user
14964 -+#endif
14965 -+ .endm
14966 -+
14967 -+ .macro pax_exit_kernel_user
14968 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
14969 -+ call pax_exit_kernel_user
14970 -+#endif
14971 -+#ifdef CONFIG_PAX_RANDKSTACK
14972 -+ push %rax
14973 -+ call pax_randomize_kstack
14974 -+ pop %rax
14975 -+#endif
14976 -+ .endm
14977 -+
14978 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
14979 -+ENTRY(pax_enter_kernel_user)
14980 -+ pushq %rdi
14981 -+ pushq %rbx
14982 -+
14983 -+#ifdef CONFIG_PARAVIRT
14984 -+ PV_SAVE_REGS(CLBR_RDI)
14985 -+#endif
14986 -+
14987 -+ GET_CR3_INTO_RDI
14988 -+ mov %rdi,%rbx
14989 -+ add $__START_KERNEL_map,%rbx
14990 -+ sub phys_base(%rip),%rbx
14991 -+
14992 -+#ifdef CONFIG_PARAVIRT
14993 -+ pushq %rdi
14994 -+ cmpl $0, pv_info+PARAVIRT_enabled
14995 -+ jz 1f
14996 -+ i = 0
14997 -+ .rept USER_PGD_PTRS
14998 -+ mov i*8(%rbx),%rsi
14999 -+ mov $0,%sil
15000 -+ lea i*8(%rbx),%rdi
15001 -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
15002 -+ i = i + 1
15003 -+ .endr
15004 -+ jmp 2f
15005 -+1:
15006 -+#endif
15007 -+
15008 -+ i = 0
15009 -+ .rept USER_PGD_PTRS
15010 -+ movb $0,i*8(%rbx)
15011 -+ i = i + 1
15012 -+ .endr
15013 -+
15014 -+#ifdef CONFIG_PARAVIRT
15015 -+2: popq %rdi
15016 -+#endif
15017 -+ SET_RDI_INTO_CR3
15018 -+
15019 -+#ifdef CONFIG_PAX_KERNEXEC
15020 -+ GET_CR0_INTO_RDI
15021 -+ bts $16,%rdi
15022 -+ SET_RDI_INTO_CR0
15023 -+#endif
15024 -+
15025 -+#ifdef CONFIG_PARAVIRT
15026 -+ PV_RESTORE_REGS(CLBR_RDI)
15027 -+#endif
15028 -+
15029 -+ popq %rbx
15030 -+ popq %rdi
15031 -+ pax_force_retaddr
15032 -+ retq
15033 -+ENDPROC(pax_enter_kernel_user)
15034 -+
15035 -+ENTRY(pax_exit_kernel_user)
15036 -+ push %rdi
15037 -+
15038 -+#ifdef CONFIG_PARAVIRT
15039 -+ pushq %rbx
15040 -+ PV_SAVE_REGS(CLBR_RDI)
15041 -+#endif
15042 -+
15043 -+#ifdef CONFIG_PAX_KERNEXEC
15044 -+ GET_CR0_INTO_RDI
15045 -+ btr $16,%rdi
15046 -+ SET_RDI_INTO_CR0
15047 -+#endif
15048 -+
15049 -+ GET_CR3_INTO_RDI
15050 -+ add $__START_KERNEL_map,%rdi
15051 -+ sub phys_base(%rip),%rdi
15052 -+
15053 -+#ifdef CONFIG_PARAVIRT
15054 -+ cmpl $0, pv_info+PARAVIRT_enabled
15055 -+ jz 1f
15056 -+ mov %rdi,%rbx
15057 -+ i = 0
15058 -+ .rept USER_PGD_PTRS
15059 -+ mov i*8(%rbx),%rsi
15060 -+ mov $0x67,%sil
15061 -+ lea i*8(%rbx),%rdi
15062 -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
15063 -+ i = i + 1
15064 -+ .endr
15065 -+ jmp 2f
15066 -+1:
15067 -+#endif
15068 -+
15069 -+ i = 0
15070 -+ .rept USER_PGD_PTRS
15071 -+ movb $0x67,i*8(%rdi)
15072 -+ i = i + 1
15073 -+ .endr
15074 -+
15075 -+#ifdef CONFIG_PARAVIRT
15076 -+2: PV_RESTORE_REGS(CLBR_RDI)
15077 -+ popq %rbx
15078 -+#endif
15079 -+
15080 -+ popq %rdi
15081 -+ pax_force_retaddr
15082 -+ retq
15083 -+ENDPROC(pax_exit_kernel_user)
15084 -+#endif
15085 -+
15086 -+.macro pax_erase_kstack
15087 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15088 -+ call pax_erase_kstack
15089 -+#endif
15090 -+.endm
15091 -+
15092 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15093 -+/*
15094 -+ * r10: thread_info
15095 -+ * rcx, rdx: can be clobbered
15096 -+ */
15097 -+ENTRY(pax_erase_kstack)
15098 -+ pushq %rdi
15099 -+ pushq %rax
15100 -+ pushq %r10
15101 -+
15102 -+ GET_THREAD_INFO(%r10)
15103 -+ mov TI_lowest_stack(%r10), %rdi
15104 -+ mov $-0xBEEF, %rax
15105 -+ std
15106 -+
15107 -+1: mov %edi, %ecx
15108 -+ and $THREAD_SIZE_asm - 1, %ecx
15109 -+ shr $3, %ecx
15110 -+ repne scasq
15111 -+ jecxz 2f
15112 -+
15113 -+ cmp $2*8, %ecx
15114 -+ jc 2f
15115 -+
15116 -+ mov $2*8, %ecx
15117 -+ repe scasq
15118 -+ jecxz 2f
15119 -+ jne 1b
15120 -+
15121 -+2: cld
15122 -+ mov %esp, %ecx
15123 -+ sub %edi, %ecx
15124 -+
15125 -+ cmp $THREAD_SIZE_asm, %rcx
15126 -+ jb 3f
15127 -+ ud2
15128 -+3:
15129 -+
15130 -+ shr $3, %ecx
15131 -+ rep stosq
15132 -+
15133 -+ mov TI_task_thread_sp0(%r10), %rdi
15134 -+ sub $256, %rdi
15135 -+ mov %rdi, TI_lowest_stack(%r10)
15136 -+
15137 -+ popq %r10
15138 -+ popq %rax
15139 -+ popq %rdi
15140 -+ pax_force_retaddr
15141 -+ ret
15142 -+ENDPROC(pax_erase_kstack)
15143 -+#endif
15144 -
15145 - .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
15146 - #ifdef CONFIG_TRACE_IRQFLAGS
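Review bot: the header comment on the 64-bit pax_erase_kstack says "r10: thread_info" and "rcx, rdx: can be clobbered", but the routine pushes %r10 and loads it itself with GET_THREAD_INFO(%r10), and %rdx is not used in the visible body. The comment looks copied from the 32-bit version and should be rewritten to state the real contract. Two further points in this hunk: the values written to the low byte of each user PGD entry ("movb $0" on entry, "movb $0x67" on exit) are unexplained magic numbers and should be named or commented; and this version guards the fill with "cmp $THREAD_SIZE_asm, %rcx" and ud2, while the 32-bit routine in entry_32.S has no equivalent range check before its "rep stosl".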
15147 -@@ -317,7 +588,7 @@ ENTRY(save_args)
15148 - leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
15149 - movq_cfi rbp, 8 /* push %rbp */
15150 - leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
15151 -- testl $3, CS(%rdi)
15152 -+ testb $3, CS(%rdi)
15153 - je 1f
15154 - SWAPGS
15155 - /*
15156 -@@ -337,6 +608,7 @@ ENTRY(save_args)
15157 - * We entered an interrupt context - irqs are off:
15158 - */
15159 - 2: TRACE_IRQS_OFF
15160 -+ pax_force_retaddr
15161 - ret
15162 - CFI_ENDPROC
15163 - END(save_args)
15164 -@@ -352,6 +624,7 @@ ENTRY(save_rest)
15165 - movq_cfi r15, R15+16
15166 - movq %r11, 8(%rsp) /* return address */
15167 - FIXUP_TOP_OF_STACK %r11, 16
15168 -+ pax_force_retaddr
15169 - ret
15170 - CFI_ENDPROC
15171 - END(save_rest)
15172 -@@ -383,7 +656,8 @@ ENTRY(save_paranoid)
15173 - js 1f /* negative -> in kernel */
15174 - SWAPGS
15175 - xorl %ebx,%ebx
15176 --1: ret
15177 -+1: pax_force_retaddr
15178 -+ ret
15179 - CFI_ENDPROC
15180 - END(save_paranoid)
15181 - .popsection
15182 -@@ -409,7 +683,7 @@ ENTRY(ret_from_fork)
15183 -
15184 - RESTORE_REST
15185 -
15186 -- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
15187 -+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
15188 - je int_ret_from_sys_call
15189 -
15190 - testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
15191 -@@ -455,7 +729,7 @@ END(ret_from_fork)
15192 - ENTRY(system_call)
15193 - CFI_STARTPROC simple
15194 - CFI_SIGNAL_FRAME
15195 -- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
15196 -+ CFI_DEF_CFA rsp,0
15197 - CFI_REGISTER rip,rcx
15198 - /*CFI_REGISTER rflags,r11*/
15199 - SWAPGS_UNSAFE_STACK
15200 -@@ -468,12 +742,13 @@ ENTRY(system_call_after_swapgs)
15201 -
15202 - movq %rsp,PER_CPU_VAR(old_rsp)
15203 - movq PER_CPU_VAR(kernel_stack),%rsp
15204 -+ pax_enter_kernel_user
15205 - /*
15206 - * No need to follow this irqs off/on section - it's straight
15207 - * and short:
15208 - */
15209 - ENABLE_INTERRUPTS(CLBR_NONE)
15210 -- SAVE_ARGS 8,1
15211 -+ SAVE_ARGS 8*6,1
15212 - movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
15213 - movq %rcx,RIP-ARGOFFSET(%rsp)
15214 - CFI_REL_OFFSET rip,RIP-ARGOFFSET
15215 -@@ -502,6 +777,8 @@ sysret_check:
15216 - andl %edi,%edx
15217 - jnz sysret_careful
15218 - CFI_REMEMBER_STATE
15219 -+ pax_exit_kernel_user
15220 -+ pax_erase_kstack
15221 - /*
15222 - * sysretq will re-enable interrupts:
15223 - */
15224 -@@ -562,6 +839,9 @@ auditsys:
15225 - movq %rax,%rsi /* 2nd arg: syscall number */
15226 - movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
15227 - call audit_syscall_entry
15228 -+
15229 -+ pax_erase_kstack
15230 -+
15231 - LOAD_ARGS 0 /* reload call-clobbered registers */
15232 - jmp system_call_fastpath
15233 -
15234 -@@ -592,6 +872,9 @@ tracesys:
15235 - FIXUP_TOP_OF_STACK %rdi
15236 - movq %rsp,%rdi
15237 - call syscall_trace_enter
15238 -+
15239 -+ pax_erase_kstack
15240 -+
15241 - /*
15242 - * Reload arg registers from stack in case ptrace changed them.
15243 - * We don't reload %rax because syscall_trace_enter() returned
15244 -@@ -613,7 +896,7 @@ tracesys:
15245 - GLOBAL(int_ret_from_sys_call)
15246 - DISABLE_INTERRUPTS(CLBR_NONE)
15247 - TRACE_IRQS_OFF
15248 -- testl $3,CS-ARGOFFSET(%rsp)
15249 -+ testb $3,CS-ARGOFFSET(%rsp)
15250 - je retint_restore_args
15251 - movl $_TIF_ALLWORK_MASK,%edi
15252 - /* edi: mask to check */
15253 -@@ -708,6 +991,7 @@ ENTRY(ptregscall_common)
15254 - movq_cfi_restore R12+8, r12
15255 - movq_cfi_restore RBP+8, rbp
15256 - movq_cfi_restore RBX+8, rbx
15257 -+ pax_force_retaddr
15258 - ret $REST_SKIP /* pop extended registers */
15259 - CFI_ENDPROC
15260 - END(ptregscall_common)
15261 -@@ -800,6 +1084,16 @@ END(interrupt)
15262 - CFI_ADJUST_CFA_OFFSET 10*8
15263 - call save_args
15264 - PARTIAL_FRAME 0
15265 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15266 -+ testb $3, CS(%rdi)
15267 -+ jnz 1f
15268 -+ pax_enter_kernel
15269 -+ jmp 2f
15270 -+1: pax_enter_kernel_user
15271 -+2:
15272 -+#else
15273 -+ pax_enter_kernel
15274 -+#endif
15275 - call \func
15276 - .endm
15277 -
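Review bot: the CONFIG_PAX_MEMORY_UDEREF block added before "call \func" (testb $3 on the saved CS, then pax_enter_kernel or pax_enter_kernel_user) is open-coded here and repeated in the \sym entry macros and in nmi further down, seven copies in all, differing only in the base register (CS(%rdi) here, CS(%rsp) elsewhere). Fold it into one macro that takes the CS operand so the copies cannot drift apart.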
15278 -@@ -822,7 +1116,7 @@ ret_from_intr:
15279 - CFI_ADJUST_CFA_OFFSET -8
15280 - exit_intr:
15281 - GET_THREAD_INFO(%rcx)
15282 -- testl $3,CS-ARGOFFSET(%rsp)
15283 -+ testb $3,CS-ARGOFFSET(%rsp)
15284 - je retint_kernel
15285 -
15286 - /* Interrupt came from user space */
15287 -@@ -844,12 +1138,16 @@ retint_swapgs: /* return to user-space
15288 - * The iretq could re-enable interrupts:
15289 - */
15290 - DISABLE_INTERRUPTS(CLBR_ANY)
15291 -+ pax_exit_kernel_user
15292 -+ pax_erase_kstack
15293 - TRACE_IRQS_IRETQ
15294 - SWAPGS
15295 - jmp restore_args
15296 -
15297 - retint_restore_args: /* return to kernel space */
15298 - DISABLE_INTERRUPTS(CLBR_ANY)
15299 -+ pax_exit_kernel
15300 -+ pax_force_retaddr RIP-ARGOFFSET
15301 - /*
15302 - * The iretq could re-enable interrupts:
15303 - */
15304 -@@ -1032,6 +1330,16 @@ ENTRY(\sym)
15305 - CFI_ADJUST_CFA_OFFSET 15*8
15306 - call error_entry
15307 - DEFAULT_FRAME 0
15308 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15309 -+ testb $3, CS(%rsp)
15310 -+ jnz 1f
15311 -+ pax_enter_kernel
15312 -+ jmp 2f
15313 -+1: pax_enter_kernel_user
15314 -+2:
15315 -+#else
15316 -+ pax_enter_kernel
15317 -+#endif
15318 - movq %rsp,%rdi /* pt_regs pointer */
15319 - xorl %esi,%esi /* no error code */
15320 - call \do_sym
15321 -@@ -1049,6 +1357,16 @@ ENTRY(\sym)
15322 - subq $15*8, %rsp
15323 - call save_paranoid
15324 - TRACE_IRQS_OFF
15325 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15326 -+ testb $3, CS(%rsp)
15327 -+ jnz 1f
15328 -+ pax_enter_kernel
15329 -+ jmp 2f
15330 -+1: pax_enter_kernel_user
15331 -+2:
15332 -+#else
15333 -+ pax_enter_kernel
15334 -+#endif
15335 - movq %rsp,%rdi /* pt_regs pointer */
15336 - xorl %esi,%esi /* no error code */
15337 - call \do_sym
15338 -@@ -1066,9 +1384,24 @@ ENTRY(\sym)
15339 - subq $15*8, %rsp
15340 - call save_paranoid
15341 - TRACE_IRQS_OFF
15342 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15343 -+ testb $3, CS(%rsp)
15344 -+ jnz 1f
15345 -+ pax_enter_kernel
15346 -+ jmp 2f
15347 -+1: pax_enter_kernel_user
15348 -+2:
15349 -+#else
15350 -+ pax_enter_kernel
15351 -+#endif
15352 - movq %rsp,%rdi /* pt_regs pointer */
15353 - xorl %esi,%esi /* no error code */
15354 -- PER_CPU(init_tss, %rbp)
15355 -+#ifdef CONFIG_SMP
15356 -+ imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
15357 -+ lea init_tss(%rbp), %rbp
15358 -+#else
15359 -+ lea init_tss(%rip), %rbp
15360 -+#endif
15361 - subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
15362 - call \do_sym
15363 - addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
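Review bot: replacing PER_CPU(init_tss, %rbp) with "imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp" followed by "lea init_tss(%rbp), %rbp" changes how init_tss is addressed, from a per-cpu variable to an array indexed by CPU number, and nothing in the hunk says so. Add a comment naming that layout dependency and pointing to where init_tss is redefined, since this macro breaks silently if the two ever disagree.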
15364 -@@ -1085,6 +1418,16 @@ ENTRY(\sym)
15365 - CFI_ADJUST_CFA_OFFSET 15*8
15366 - call error_entry
15367 - DEFAULT_FRAME 0
15368 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15369 -+ testb $3, CS(%rsp)
15370 -+ jnz 1f
15371 -+ pax_enter_kernel
15372 -+ jmp 2f
15373 -+1: pax_enter_kernel_user
15374 -+2:
15375 -+#else
15376 -+ pax_enter_kernel
15377 -+#endif
15378 - movq %rsp,%rdi /* pt_regs pointer */
15379 - movq ORIG_RAX(%rsp),%rsi /* get error code */
15380 - movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15381 -@@ -1104,6 +1447,16 @@ ENTRY(\sym)
15382 - call save_paranoid
15383 - DEFAULT_FRAME 0
15384 - TRACE_IRQS_OFF
15385 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15386 -+ testb $3, CS(%rsp)
15387 -+ jnz 1f
15388 -+ pax_enter_kernel
15389 -+ jmp 2f
15390 -+1: pax_enter_kernel_user
15391 -+2:
15392 -+#else
15393 -+ pax_enter_kernel
15394 -+#endif
15395 - movq %rsp,%rdi /* pt_regs pointer */
15396 - movq ORIG_RAX(%rsp),%rsi /* get error code */
15397 - movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15398 -@@ -1141,6 +1494,7 @@ gs_change:
15399 - SWAPGS
15400 - popf
15401 - CFI_ADJUST_CFA_OFFSET -8
15402 -+ pax_force_retaddr
15403 - ret
15404 - CFI_ENDPROC
15405 - END(native_load_gs_index)
15406 -@@ -1195,6 +1549,7 @@ ENTRY(kernel_thread)
15407 - */
15408 - RESTORE_ALL
15409 - UNFAKE_STACK_FRAME
15410 -+ pax_force_retaddr
15411 - ret
15412 - CFI_ENDPROC
15413 - END(kernel_thread)
15414 -@@ -1208,6 +1563,7 @@ ENTRY(child_rip)
15415 - */
15416 - movq %rdi, %rax
15417 - movq %rsi, %rdi
15418 -+ pax_force_fptr %rax
15419 - call *%rax
15420 - # exit
15421 - mov %eax, %edi
15422 -@@ -1243,6 +1599,7 @@ ENTRY(kernel_execve)
15423 - je int_ret_from_sys_call
15424 - RESTORE_ARGS
15425 - UNFAKE_STACK_FRAME
15426 -+ pax_force_retaddr
15427 - ret
15428 - CFI_ENDPROC
15429 - END(kernel_execve)
15430 -@@ -1263,6 +1620,7 @@ ENTRY(call_softirq)
15431 - CFI_DEF_CFA_REGISTER rsp
15432 - CFI_ADJUST_CFA_OFFSET -8
15433 - decl PER_CPU_VAR(irq_count)
15434 -+ pax_force_retaddr
15435 - ret
15436 - CFI_ENDPROC
15437 - END(call_softirq)
15438 -@@ -1405,16 +1763,31 @@ ENTRY(paranoid_exit)
15439 - TRACE_IRQS_OFF
15440 - testl %ebx,%ebx /* swapgs needed? */
15441 - jnz paranoid_restore
15442 -- testl $3,CS(%rsp)
15443 -+ testb $3,CS(%rsp)
15444 - jnz paranoid_userspace
15445 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15446 -+ pax_exit_kernel
15447 -+ TRACE_IRQS_IRETQ 0
15448 -+ SWAPGS_UNSAFE_STACK
15449 -+ RESTORE_ALL 8
15450 -+ pax_force_retaddr
15451 -+ jmp irq_return
15452 -+#endif
15453 - paranoid_swapgs:
15454 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15455 -+ pax_exit_kernel_user
15456 -+#else
15457 -+ pax_exit_kernel
15458 -+#endif
15459 - TRACE_IRQS_IRETQ 0
15460 - SWAPGS_UNSAFE_STACK
15461 - RESTORE_ALL 8
15462 - jmp irq_return
15463 - paranoid_restore:
15464 -+ pax_exit_kernel
15465 - TRACE_IRQS_IRETQ 0
15466 - RESTORE_ALL 8
15467 -+ pax_force_retaddr
15468 - jmp irq_return
15469 - paranoid_userspace:
15470 - GET_THREAD_INFO(%rcx)
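Review bot: in paranoid_exit the return-to-kernel case gets pax_force_retaddr only inside the CONFIG_PAX_MEMORY_UDEREF block. Without UDEREF the same case (jnz paranoid_userspace not taken) falls through to paranoid_swapgs and reaches jmp irq_return with no pax_force_retaddr, while paranoid_restore does apply it. Either make the kernel/user split unconditional or add a comment explaining why the non-UDEREF build is exempt; the nmi exit path further down has the same shape.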
15471 -@@ -1470,12 +1843,13 @@ ENTRY(error_entry)
15472 - movq_cfi r14, R14+8
15473 - movq_cfi r15, R15+8
15474 - xorl %ebx,%ebx
15475 -- testl $3,CS+8(%rsp)
15476 -+ testb $3,CS+8(%rsp)
15477 - je error_kernelspace
15478 - error_swapgs:
15479 - SWAPGS
15480 - error_sti:
15481 - TRACE_IRQS_OFF
15482 -+ pax_force_retaddr
15483 - ret
15484 - CFI_ENDPROC
15485 -
15486 -@@ -1529,6 +1903,16 @@ ENTRY(nmi)
15487 - CFI_ADJUST_CFA_OFFSET 15*8
15488 - call save_paranoid
15489 - DEFAULT_FRAME 0
15490 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15491 -+ testb $3, CS(%rsp)
15492 -+ jnz 1f
15493 -+ pax_enter_kernel
15494 -+ jmp 2f
15495 -+1: pax_enter_kernel_user
15496 -+2:
15497 -+#else
15498 -+ pax_enter_kernel
15499 -+#endif
15500 - /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
15501 - movq %rsp,%rdi
15502 - movq $-1,%rsi
15503 -@@ -1539,12 +1923,28 @@ ENTRY(nmi)
15504 - DISABLE_INTERRUPTS(CLBR_NONE)
15505 - testl %ebx,%ebx /* swapgs needed? */
15506 - jnz nmi_restore
15507 -- testl $3,CS(%rsp)
15508 -+ testb $3,CS(%rsp)
15509 - jnz nmi_userspace
15510 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15511 -+ pax_exit_kernel
15512 -+ SWAPGS_UNSAFE_STACK
15513 -+ RESTORE_ALL 8
15514 -+ pax_force_retaddr
15515 -+ jmp irq_return
15516 -+#endif
15517 - nmi_swapgs:
15518 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15519 -+ pax_exit_kernel_user
15520 -+#else
15521 -+ pax_exit_kernel
15522 -+#endif
15523 - SWAPGS_UNSAFE_STACK
15524 -+ RESTORE_ALL 8
15525 -+ jmp irq_return
15526 - nmi_restore:
15527 -+ pax_exit_kernel
15528 - RESTORE_ALL 8
15529 -+ pax_force_retaddr
15530 - jmp irq_return
15531 - nmi_userspace:
15532 - GET_THREAD_INFO(%rcx)
15533 -diff -urNp linux-2.6.32.46/arch/x86/kernel/ftrace.c linux-2.6.32.46/arch/x86/kernel/ftrace.c
15534 ---- linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
15535 -+++ linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
15536 -@@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
15537 - static void *mod_code_newcode; /* holds the text to write to the IP */
15538 -
15539 - static unsigned nmi_wait_count;
15540 --static atomic_t nmi_update_count = ATOMIC_INIT(0);
15541 -+static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
15542 -
15543 - int ftrace_arch_read_dyn_info(char *buf, int size)
15544 - {
15545 -@@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
15546 -
15547 - r = snprintf(buf, size, "%u %u",
15548 - nmi_wait_count,
15549 -- atomic_read(&nmi_update_count));
15550 -+ atomic_read_unchecked(&nmi_update_count));
15551 - return r;
15552 - }
15553 -
15554 -@@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
15555 - {
15556 - if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
15557 - smp_rmb();
15558 -+ pax_open_kernel();
15559 - ftrace_mod_code();
15560 -- atomic_inc(&nmi_update_count);
15561 -+ pax_close_kernel();
15562 -+ atomic_inc_unchecked(&nmi_update_count);
15563 - }
15564 - /* Must have previous changes seen before executions */
15565 - smp_mb();
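Review bot: pax_open_kernel() and pax_close_kernel() are now called from ftrace_nmi_enter(), that is, in NMI context, with no comment on whether the pair is safe when the NMI interrupts code that already has the kernel opened. State that guarantee here or point to where it is documented.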
15566 -@@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
15567 -
15568 -
15569 -
15570 --static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
15571 -+static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
15572 -
15573 - static unsigned char *ftrace_nop_replace(void)
15574 - {
15575 -@@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
15576 - {
15577 - unsigned char replaced[MCOUNT_INSN_SIZE];
15578 -
15579 -+ ip = ktla_ktva(ip);
15580 -+
15581 - /*
15582 - * Note: Due to modules and __init, code can
15583 - * disappear and change, we need to protect against faulting
15584 -@@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15585 - unsigned char old[MCOUNT_INSN_SIZE], *new;
15586 - int ret;
15587 -
15588 -- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15589 -+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15590 - new = ftrace_call_replace(ip, (unsigned long)func);
15591 - ret = ftrace_modify_code(ip, old, new);
15592 -
15593 -@@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
15594 - switch (faulted) {
15595 - case 0:
15596 - pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
15597 -- memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
15598 -+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
15599 - break;
15600 - case 1:
15601 - pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
15602 -- memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
15603 -+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
15604 - break;
15605 - case 2:
15606 - pr_info("ftrace: converting mcount calls to jmp . + 5\n");
15607 -- memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
15608 -+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
15609 - break;
15610 - }
15611 -
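Review bot: these three memcpy() calls write into ftrace_nop, which an earlier hunk in this file marks __read_only, and there is no pax_open_kernel() around them as there is in ftrace_nmi_enter(). If this is safe because ftrace_dyn_arch_init() is __init and runs before the protection is enforced, say so in a comment. The ktla_ktva() arguments here are bare symbols, while ftrace_update_ftrace_func() casts explicitly with (void *)ktla_ktva((unsigned long)ftrace_call); pick one form and use it in both places.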
15612 -@@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
15613 - {
15614 - unsigned char code[MCOUNT_INSN_SIZE];
15615 -
15616 -+ ip = ktla_ktva(ip);
15617 -+
15618 - if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15619 - return -EFAULT;
15620 -
15621 -diff -urNp linux-2.6.32.46/arch/x86/kernel/head32.c linux-2.6.32.46/arch/x86/kernel/head32.c
15622 ---- linux-2.6.32.46/arch/x86/kernel/head32.c 2011-03-27 14:31:47.000000000 -0400
15623 -+++ linux-2.6.32.46/arch/x86/kernel/head32.c 2011-04-17 15:56:46.000000000 -0400
15624 -@@ -16,6 +16,7 @@
15625 - #include <asm/apic.h>
15626 - #include <asm/io_apic.h>
15627 - #include <asm/bios_ebda.h>
15628 -+#include <asm/boot.h>
15629 -
15630 - static void __init i386_default_early_setup(void)
15631 - {
15632 -@@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
15633 - {
15634 - reserve_trampoline_memory();
15635 -
15636 -- reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15637 -+ reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15638 -
15639 - #ifdef CONFIG_BLK_DEV_INITRD
15640 - /* Reserve INITRD */
15641 -diff -urNp linux-2.6.32.46/arch/x86/kernel/head_32.S linux-2.6.32.46/arch/x86/kernel/head_32.S
15642 ---- linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-03-27 14:31:47.000000000 -0400
15643 -+++ linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-07-06 19:53:33.000000000 -0400
15644 -@@ -19,10 +19,17 @@
15645 - #include <asm/setup.h>
15646 - #include <asm/processor-flags.h>
15647 - #include <asm/percpu.h>
15648 -+#include <asm/msr-index.h>
15649 -
15650 - /* Physical address */
15651 - #define pa(X) ((X) - __PAGE_OFFSET)
15652 -
15653 -+#ifdef CONFIG_PAX_KERNEXEC
15654 -+#define ta(X) (X)
15655 -+#else
15656 -+#define ta(X) ((X) - __PAGE_OFFSET)
15657 -+#endif
15658 -+
15659 - /*
15660 - * References to members of the new_cpu_data structure.
15661 - */
15662 -@@ -52,11 +59,7 @@
15663 - * and small than max_low_pfn, otherwise will waste some page table entries
15664 - */
15665 -
15666 --#if PTRS_PER_PMD > 1
15667 --#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15668 --#else
15669 --#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15670 --#endif
15671 -+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15672 -
15673 - /* Enough space to fit pagetables for the low memory linear map */
15674 - MAPPING_BEYOND_END = \
15675 -@@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15676 - RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15677 -
15678 - /*
15679 -+ * Real beginning of normal "text" segment
15680 -+ */
15681 -+ENTRY(stext)
15682 -+ENTRY(_stext)
15683 -+
15684 -+/*
15685 - * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15686 - * %esi points to the real-mode code as a 32-bit pointer.
15687 - * CS and DS must be 4 GB flat segments, but we don't depend on
15688 -@@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15689 - * can.
15690 - */
15691 - __HEAD
15692 -+
15693 -+#ifdef CONFIG_PAX_KERNEXEC
15694 -+ jmp startup_32
15695 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15696 -+.fill PAGE_SIZE-5,1,0xcc
15697 -+#endif
15698 -+
15699 - ENTRY(startup_32)
15700 -+ movl pa(stack_start),%ecx
15701 -+
15702 - /* test KEEP_SEGMENTS flag to see if the bootloader is asking
15703 - us to not reload segments */
15704 - testb $(1<<6), BP_loadflags(%esi)
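Review bot: ".fill PAGE_SIZE-5,1,0xcc" hard-codes the assumption that "jmp startup_32" assembles to exactly 5 bytes. Derive the pad from a label instead (a local label before the jmp and a fill of PAGE_SIZE minus the distance from that label) so the int3 page stays exactly one page long if the encoding ever changes.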
15705 -@@ -95,7 +113,60 @@ ENTRY(startup_32)
15706 - movl %eax,%es
15707 - movl %eax,%fs
15708 - movl %eax,%gs
15709 -+ movl %eax,%ss
15710 - 2:
15711 -+ leal -__PAGE_OFFSET(%ecx),%esp
15712 -+
15713 -+#ifdef CONFIG_SMP
15714 -+ movl $pa(cpu_gdt_table),%edi
15715 -+ movl $__per_cpu_load,%eax
15716 -+ movw %ax,__KERNEL_PERCPU + 2(%edi)
15717 -+ rorl $16,%eax
15718 -+ movb %al,__KERNEL_PERCPU + 4(%edi)
15719 -+ movb %ah,__KERNEL_PERCPU + 7(%edi)
15720 -+ movl $__per_cpu_end - 1,%eax
15721 -+ subl $__per_cpu_start,%eax
15722 -+ movw %ax,__KERNEL_PERCPU + 0(%edi)
15723 -+#endif
15724 -+
15725 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
15726 -+ movl $NR_CPUS,%ecx
15727 -+ movl $pa(cpu_gdt_table),%edi
15728 -+1:
15729 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15730 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15731 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15732 -+ addl $PAGE_SIZE_asm,%edi
15733 -+ loop 1b
15734 -+#endif
15735 -+
15736 -+#ifdef CONFIG_PAX_KERNEXEC
15737 -+ movl $pa(boot_gdt),%edi
15738 -+ movl $__LOAD_PHYSICAL_ADDR,%eax
15739 -+ movw %ax,__BOOT_CS + 2(%edi)
15740 -+ rorl $16,%eax
15741 -+ movb %al,__BOOT_CS + 4(%edi)
15742 -+ movb %ah,__BOOT_CS + 7(%edi)
15743 -+ rorl $16,%eax
15744 -+
15745 -+ ljmp $(__BOOT_CS),$1f
15746 -+1:
15747 -+
15748 -+ movl $NR_CPUS,%ecx
15749 -+ movl $pa(cpu_gdt_table),%edi
15750 -+ addl $__PAGE_OFFSET,%eax
15751 -+1:
15752 -+ movw %ax,__KERNEL_CS + 2(%edi)
15753 -+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15754 -+ rorl $16,%eax
15755 -+ movb %al,__KERNEL_CS + 4(%edi)
15756 -+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15757 -+ movb %ah,__KERNEL_CS + 7(%edi)
15758 -+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15759 -+ rorl $16,%eax
15760 -+ addl $PAGE_SIZE_asm,%edi
15761 -+ loop 1b
15762 -+#endif
15763 -
15764 - /*
15765 - * Clear BSS first so that there are no surprises...
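Review bot: the UDEREF loop patches the high dword of three GDT entries with bare constants (0x00c09700, 0x00c0fb00, 0x00c0f300) OR-ed with ((__PAGE_OFFSET-1) & 0xf0000000) >> 12, and nothing says what they encode. Add a comment that the shifted term supplies limit bits 19:16 and name the access and flag bytes, or build the values from named constants. The KERNEXEC block below also depends on %eax still holding __LOAD_PHYSICAL_ADDR after the ljmp, because "addl $__PAGE_OFFSET,%eax" reuses it; a one-line comment there would prevent someone from clobbering it.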
15766 -@@ -140,9 +211,7 @@ ENTRY(startup_32)
15767 - cmpl $num_subarch_entries, %eax
15768 - jae bad_subarch
15769 -
15770 -- movl pa(subarch_entries)(,%eax,4), %eax
15771 -- subl $__PAGE_OFFSET, %eax
15772 -- jmp *%eax
15773 -+ jmp *pa(subarch_entries)(,%eax,4)
15774 -
15775 - bad_subarch:
15776 - WEAK(lguest_entry)
15777 -@@ -154,10 +223,10 @@ WEAK(xen_entry)
15778 - __INITDATA
15779 -
15780 - subarch_entries:
15781 -- .long default_entry /* normal x86/PC */
15782 -- .long lguest_entry /* lguest hypervisor */
15783 -- .long xen_entry /* Xen hypervisor */
15784 -- .long default_entry /* Moorestown MID */
15785 -+ .long ta(default_entry) /* normal x86/PC */
15786 -+ .long ta(lguest_entry) /* lguest hypervisor */
15787 -+ .long ta(xen_entry) /* Xen hypervisor */
15788 -+ .long ta(default_entry) /* Moorestown MID */
15789 - num_subarch_entries = (. - subarch_entries) / 4
15790 - .previous
15791 - #endif /* CONFIG_PARAVIRT */
15792 -@@ -218,8 +287,11 @@ default_entry:
15793 - movl %eax, pa(max_pfn_mapped)
15794 -
15795 - /* Do early initialization of the fixmap area */
15796 -- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15797 -- movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15798 -+#ifdef CONFIG_COMPAT_VDSO
15799 -+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15800 -+#else
15801 -+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15802 -+#endif
15803 - #else /* Not PAE */
15804 -
15805 - page_pde_offset = (__PAGE_OFFSET >> 20);
15806 -@@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15807 - movl %eax, pa(max_pfn_mapped)
15808 -
15809 - /* Do early initialization of the fixmap area */
15810 -- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15811 -- movl %eax,pa(swapper_pg_dir+0xffc)
15812 -+#ifdef CONFIG_COMPAT_VDSO
15813 -+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
15814 -+#else
15815 -+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
15816 -+#endif
15817 - #endif
15818 - jmp 3f
15819 - /*
15820 -@@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
15821 - movl %eax,%es
15822 - movl %eax,%fs
15823 - movl %eax,%gs
15824 -+ movl pa(stack_start),%ecx
15825 -+ movl %eax,%ss
15826 -+ leal -__PAGE_OFFSET(%ecx),%esp
15827 - #endif /* CONFIG_SMP */
15828 - 3:
15829 -
15830 -@@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
15831 - orl %edx,%eax
15832 - movl %eax,%cr4
15833 -
15834 -+#ifdef CONFIG_X86_PAE
15835 - btl $5, %eax # check if PAE is enabled
15836 - jnc 6f
15837 -
15838 -@@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
15839 - cpuid
15840 - cmpl $0x80000000, %eax
15841 - jbe 6f
15842 -+
15843 -+ /* Clear bogus XD_DISABLE bits */
15844 -+ call verify_cpu
15845 -+
15846 - mov $0x80000001, %eax
15847 - cpuid
15848 - /* Execute Disable bit supported? */
15849 -@@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
15850 - jnc 6f
15851 -
15852 - /* Setup EFER (Extended Feature Enable Register) */
15853 -- movl $0xc0000080, %ecx
15854 -+ movl $MSR_EFER, %ecx
15855 - rdmsr
15856 -
15857 - btsl $11, %eax
15858 - /* Make changes effective */
15859 - wrmsr
15860 -
15861 -+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15862 -+ movl $1,pa(nx_enabled)
15863 -+#endif
15864 -+
15865 - 6:
15866 -
15867 - /*
15868 -@@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
15869 - movl %eax,%cr0 /* ..and set paging (PG) bit */
15870 - ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
15871 - 1:
15872 -- /* Set up the stack pointer */
15873 -- lss stack_start,%esp
15874 -+ /* Shift the stack pointer to a virtual address */
15875 -+ addl $__PAGE_OFFSET, %esp
15876 -
15877 - /*
15878 - * Initialize eflags. Some BIOS's leave bits like NT set. This would
15879 -@@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
15880 -
15881 - #ifdef CONFIG_SMP
15882 - cmpb $0, ready
15883 -- jz 1f /* Initial CPU cleans BSS */
15884 -- jmp checkCPUtype
15885 --1:
15886 -+ jnz checkCPUtype
15887 - #endif /* CONFIG_SMP */
15888 -
15889 - /*
15890 -@@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
15891 - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15892 - movl %eax,%ss # after changing gdt.
15893 -
15894 -- movl $(__USER_DS),%eax # DS/ES contains default USER segment
15895 -+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15896 - movl %eax,%ds
15897 - movl %eax,%es
15898 -
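Review bot: the "movl $(__USER_DS),%eax" load is replaced by a commented-out "movl $(__KERNEL_DS),%eax", so %ds and %es now silently inherit whatever %eax held from the %ss reload two lines up. Delete the dead line and replace it with a comment stating that %eax still holds __KERNEL_DS at this point.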
15899 -@@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
15900 - */
15901 - cmpb $0,ready
15902 - jne 1f
15903 -- movl $per_cpu__gdt_page,%eax
15904 -+ movl $cpu_gdt_table,%eax
15905 - movl $per_cpu__stack_canary,%ecx
15906 -+#ifdef CONFIG_SMP
15907 -+ addl $__per_cpu_load,%ecx
15908 -+#endif
15909 - movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15910 - shrl $16, %ecx
15911 - movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15912 - movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15913 - 1:
15914 --#endif
15915 - movl $(__KERNEL_STACK_CANARY),%eax
15916 -+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15917 -+ movl $(__USER_DS),%eax
15918 -+#else
15919 -+ xorl %eax,%eax
15920 -+#endif
15921 - movl %eax,%gs
15922 -
15923 - xorl %eax,%eax # Clear LDT
15924 -@@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
15925 -
15926 - cld # gcc2 wants the direction flag cleared at all times
15927 - pushl $0 # fake return address for unwinder
15928 --#ifdef CONFIG_SMP
15929 -- movb ready, %cl
15930 - movb $1, ready
15931 -- cmpb $0,%cl # the first CPU calls start_kernel
15932 -- je 1f
15933 -- movl (stack_start), %esp
15934 --1:
15935 --#endif /* CONFIG_SMP */
15936 - jmp *(initial_code)
15937 -
15938 - /*
15939 -@@ -546,22 +631,22 @@ early_page_fault:
15940 - jmp early_fault
15941 -
15942 - early_fault:
15943 -- cld
15944 - #ifdef CONFIG_PRINTK
15945 -+ cmpl $1,%ss:early_recursion_flag
15946 -+ je hlt_loop
15947 -+ incl %ss:early_recursion_flag
15948 -+ cld
15949 - pusha
15950 - movl $(__KERNEL_DS),%eax
15951 - movl %eax,%ds
15952 - movl %eax,%es
15953 -- cmpl $2,early_recursion_flag
15954 -- je hlt_loop
15955 -- incl early_recursion_flag
15956 - movl %cr2,%eax
15957 - pushl %eax
15958 - pushl %edx /* trapno */
15959 - pushl $fault_msg
15960 - call printk
15961 -+; call dump_stack
15962 - #endif
15963 -- call dump_stack
15964 - hlt_loop:
15965 - hlt
15966 - jmp hlt_loop
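Review bot: "; call dump_stack" does not disable the call. In GNU as for x86, ";" separates statements and "#" starts a comment, so this line still assembles call dump_stack, now inside the CONFIG_PRINTK block. Remove the line or comment it out with /* */. Separately, early_fault now halts when early_recursion_flag is 1 while ignore_int keeps the threshold at 2; if the difference is intended it deserves a comment.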
15967 -@@ -569,8 +654,11 @@ hlt_loop:
15968 - /* This is the default interrupt "handler" :-) */
15969 - ALIGN
15970 - ignore_int:
15971 -- cld
15972 - #ifdef CONFIG_PRINTK
15973 -+ cmpl $2,%ss:early_recursion_flag
15974 -+ je hlt_loop
15975 -+ incl %ss:early_recursion_flag
15976 -+ cld
15977 - pushl %eax
15978 - pushl %ecx
15979 - pushl %edx
15980 -@@ -579,9 +667,6 @@ ignore_int:
15981 - movl $(__KERNEL_DS),%eax
15982 - movl %eax,%ds
15983 - movl %eax,%es
15984 -- cmpl $2,early_recursion_flag
15985 -- je hlt_loop
15986 -- incl early_recursion_flag
15987 - pushl 16(%esp)
15988 - pushl 24(%esp)
15989 - pushl 32(%esp)
15990 -@@ -600,6 +685,8 @@ ignore_int:
15991 - #endif
15992 - iret
15993 -
15994 -+#include "verify_cpu.S"
15995 -+
15996 - __REFDATA
15997 - .align 4
15998 - ENTRY(initial_code)
15999 -@@ -610,31 +697,47 @@ ENTRY(initial_page_table)
16000 - /*
16001 - * BSS section
16002 - */
16003 --__PAGE_ALIGNED_BSS
16004 -- .align PAGE_SIZE_asm
16005 - #ifdef CONFIG_X86_PAE
16006 -+.section .swapper_pg_pmd,"a",@progbits
16007 - swapper_pg_pmd:
16008 - .fill 1024*KPMDS,4,0
16009 - #else
16010 -+.section .swapper_pg_dir,"a",@progbits
16011 - ENTRY(swapper_pg_dir)
16012 - .fill 1024,4,0
16013 - #endif
16014 -+.section .swapper_pg_fixmap,"a",@progbits
16015 - swapper_pg_fixmap:
16016 - .fill 1024,4,0
16017 - #ifdef CONFIG_X86_TRAMPOLINE
16018 -+.section .trampoline_pg_dir,"a",@progbits
16019 - ENTRY(trampoline_pg_dir)
16020 -+#ifdef CONFIG_X86_PAE
16021 -+ .fill 4,8,0
16022 -+#else
16023 - .fill 1024,4,0
16024 - #endif
16025 -+#endif
16026 -+
16027 -+.section .empty_zero_page,"a",@progbits
16028 - ENTRY(empty_zero_page)
16029 - .fill 4096,1,0
16030 -
16031 - /*
16032 -+ * The IDT has to be page-aligned to simplify the Pentium
16033 -+ * F0 0F bug workaround.. We have a special link segment
16034 -+ * for this.
16035 -+ */
16036 -+.section .idt,"a",@progbits
16037 -+ENTRY(idt_table)
16038 -+ .fill 256,8,0
16039 -+
16040 -+/*
16041 - * This starts the data section.
16042 - */
16043 - #ifdef CONFIG_X86_PAE
16044 --__PAGE_ALIGNED_DATA
16045 -- /* Page-aligned for the benefit of paravirt? */
16046 -- .align PAGE_SIZE_asm
16047 -+.section .swapper_pg_dir,"a",@progbits
16048 -+
16049 - ENTRY(swapper_pg_dir)
16050 - .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
16051 - # if KPMDS == 3
16052 -@@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
16053 - # error "Kernel PMDs should be 1, 2 or 3"
16054 - # endif
16055 - .align PAGE_SIZE_asm /* needs to be page-sized too */
16056 -+
16057 -+#ifdef CONFIG_PAX_PER_CPU_PGD
16058 -+ENTRY(cpu_pgd)
16059 -+ .rept NR_CPUS
16060 -+ .fill 4,8,0
16061 -+ .endr
16062 -+#endif
16063 -+
16064 - #endif
16065 -
16066 - .data
16067 -+.balign 4
16068 - ENTRY(stack_start)
16069 -- .long init_thread_union+THREAD_SIZE
16070 -- .long __BOOT_DS
16071 -+ .long init_thread_union+THREAD_SIZE-8
16072 -
16073 - ready: .byte 0
16074 -
16075 -+.section .rodata,"a",@progbits
16076 - early_recursion_flag:
16077 - .long 0
16078 -
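Review bot: ".section .rodata" now precedes early_recursion_flag, but early_fault and ignore_int both execute "incl %ss:early_recursion_flag". If the write is only safe because it happens before .rodata is write-protected, that needs a comment; otherwise the flag belongs in a writable section. The same hunk changes stack_start to init_thread_union+THREAD_SIZE-8 and drops the __BOOT_DS word without explaining the 8-byte reserve.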
16079 -@@ -697,7 +809,7 @@ fault_msg:
16080 - .word 0 # 32 bit align gdt_desc.address
16081 - boot_gdt_descr:
16082 - .word __BOOT_DS+7
16083 -- .long boot_gdt - __PAGE_OFFSET
16084 -+ .long pa(boot_gdt)
16085 -
16086 - .word 0 # 32-bit align idt_desc.address
16087 - idt_descr:
16088 -@@ -708,7 +820,7 @@ idt_descr:
16089 - .word 0 # 32 bit align gdt_desc.address
16090 - ENTRY(early_gdt_descr)
16091 - .word GDT_ENTRIES*8-1
16092 -- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
16093 -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
16094 -
16095 - /*
16096 - * The boot_gdt must mirror the equivalent in setup.S and is
16097 -@@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
16098 - .align L1_CACHE_BYTES
16099 - ENTRY(boot_gdt)
16100 - .fill GDT_ENTRY_BOOT_CS,8,0
16101 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
16102 -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
16103 -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
16104 -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
16105 -+
16106 -+ .align PAGE_SIZE_asm
16107 -+ENTRY(cpu_gdt_table)
16108 -+ .rept NR_CPUS
16109 -+ .quad 0x0000000000000000 /* NULL descriptor */
16110 -+ .quad 0x0000000000000000 /* 0x0b reserved */
16111 -+ .quad 0x0000000000000000 /* 0x13 reserved */
16112 -+ .quad 0x0000000000000000 /* 0x1b reserved */
16113 -+
16114 -+#ifdef CONFIG_PAX_KERNEXEC
16115 -+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
16116 -+#else
16117 -+ .quad 0x0000000000000000 /* 0x20 unused */
16118 -+#endif
16119 -+
16120 -+ .quad 0x0000000000000000 /* 0x28 unused */
16121 -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
16122 -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
16123 -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
16124 -+ .quad 0x0000000000000000 /* 0x4b reserved */
16125 -+ .quad 0x0000000000000000 /* 0x53 reserved */
16126 -+ .quad 0x0000000000000000 /* 0x5b reserved */
16127 -+
16128 -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
16129 -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
16130 -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
16131 -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
16132 -+
16133 -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
16134 -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
16135 -+
16136 -+ /*
16137 -+ * Segments used for calling PnP BIOS have byte granularity.
16138 -+ * The code segments and data segments have fixed 64k limits,
16139 -+ * the transfer segment sizes are set at run time.
16140 -+ */
16141 -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
16142 -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
16143 -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
16144 -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
16145 -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
16146 -+
16147 -+ /*
16148 -+ * The APM segments have byte granularity and their bases
16149 -+ * are set at run time. All have 64k limits.
16150 -+ */
16151 -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
16152 -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
16153 -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
16154 -+
16155 -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
16156 -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
16157 -+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
16158 -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
16159 -+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
16160 -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
16161 -+
16162 -+ /* Be sure this is zeroed to avoid false validations in Xen */
16163 -+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
16164 -+ .endr
16165 -diff -urNp linux-2.6.32.46/arch/x86/kernel/head_64.S linux-2.6.32.46/arch/x86/kernel/head_64.S
16166 ---- linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-03-27 14:31:47.000000000 -0400
16167 -+++ linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-04-17 15:56:46.000000000 -0400
16168 -@@ -19,6 +19,7 @@
16169 - #include <asm/cache.h>
16170 - #include <asm/processor-flags.h>
16171 - #include <asm/percpu.h>
16172 -+#include <asm/cpufeature.h>
16173 -
16174 - #ifdef CONFIG_PARAVIRT
16175 - #include <asm/asm-offsets.h>
16176 -@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
16177 - L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
16178 - L4_START_KERNEL = pgd_index(__START_KERNEL_map)
16179 - L3_START_KERNEL = pud_index(__START_KERNEL_map)
16180 -+L4_VMALLOC_START = pgd_index(VMALLOC_START)
16181 -+L3_VMALLOC_START = pud_index(VMALLOC_START)
16182 -+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
16183 -+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
16184 -
16185 - .text
16186 - __HEAD
16187 -@@ -85,35 +90,22 @@ startup_64:
16188 - */
16189 - addq %rbp, init_level4_pgt + 0(%rip)
16190 - addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
16191 -+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
16192 -+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
16193 - addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
16194 -
16195 - addq %rbp, level3_ident_pgt + 0(%rip)
16196 -+#ifndef CONFIG_XEN
16197 -+ addq %rbp, level3_ident_pgt + 8(%rip)
16198 -+#endif
16199 -
16200 -- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
16201 -- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
16202 -+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
16203 -
16204 -- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16205 -+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
16206 -+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
16207 -
16208 -- /* Add an Identity mapping if I am above 1G */
16209 -- leaq _text(%rip), %rdi
16210 -- andq $PMD_PAGE_MASK, %rdi
16211 --
16212 -- movq %rdi, %rax
16213 -- shrq $PUD_SHIFT, %rax
16214 -- andq $(PTRS_PER_PUD - 1), %rax
16215 -- jz ident_complete
16216 --
16217 -- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
16218 -- leaq level3_ident_pgt(%rip), %rbx
16219 -- movq %rdx, 0(%rbx, %rax, 8)
16220 --
16221 -- movq %rdi, %rax
16222 -- shrq $PMD_SHIFT, %rax
16223 -- andq $(PTRS_PER_PMD - 1), %rax
16224 -- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
16225 -- leaq level2_spare_pgt(%rip), %rbx
16226 -- movq %rdx, 0(%rbx, %rax, 8)
16227 --ident_complete:
16228 -+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16229 -+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
16230 -
16231 - /*
16232 - * Fixup the kernel text+data virtual addresses. Note that
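Review bot: the removed block under "Add an Identity mapping if I am above 1G" derived the identity mapping from the runtime address of _text, and nothing in this hunk replaces it; the only substitute visible in the patch is the static PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD) table further down. Please say in a comment here that the kernel is now assumed to load inside the first 2G (the first 1G under CONFIG_XEN, where the second level3_ident_pgt entry is neither emitted nor relocated), or add an early check that fails when it does not.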
16233 -@@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
16234 - * after the boot processor executes this code.
16235 - */
16236 -
16237 -- /* Enable PAE mode and PGE */
16238 -- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
16239 -+ /* Enable PAE mode and PSE/PGE */
16240 -+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16241 - movq %rax, %cr4
16242 -
16243 - /* Setup early boot stage 4 level pagetables. */
16244 -@@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
16245 - movl $MSR_EFER, %ecx
16246 - rdmsr
16247 - btsl $_EFER_SCE, %eax /* Enable System Call */
16248 -- btl $20,%edi /* No Execute supported? */
16249 -+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
16250 - jnc 1f
16251 - btsl $_EFER_NX, %eax
16252 -+ leaq init_level4_pgt(%rip), %rdi
16253 -+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
16254 -+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
16255 -+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
16256 - 1: wrmsr /* Make changes effective */
16257 -
16258 - /* Setup cr0 */
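Review bot: the leaq init_level4_pgt(%rip), %rdi added after the NX test overwrites %rdi, whose low half is the feature word that btl has just tested, and nothing notes that the value is dead from this point. Add a comment saying so, and a line above the three btsq instructions explaining that the L4_PAGE_OFFSET, L4_VMALLOC_START and L4_VMEMMAP_START entries are marked NX only when the CPU reports NX, since the existing "No Execute supported?" comment covers only the EFER bit.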
16259 -@@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
16260 - .quad x86_64_start_kernel
16261 - ENTRY(initial_gs)
16262 - .quad INIT_PER_CPU_VAR(irq_stack_union)
16263 -- __FINITDATA
16264 -
16265 - ENTRY(stack_start)
16266 - .quad init_thread_union+THREAD_SIZE-8
16267 - .word 0
16268 -+ __FINITDATA
16269 -
16270 - bad_address:
16271 - jmp bad_address
16272 -
16273 -- .section ".init.text","ax"
16274 -+ __INIT
16275 - #ifdef CONFIG_EARLY_PRINTK
16276 - .globl early_idt_handlers
16277 - early_idt_handlers:
16278 -@@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
16279 - #endif /* EARLY_PRINTK */
16280 - 1: hlt
16281 - jmp 1b
16282 -+ .previous
16283 -
16284 - #ifdef CONFIG_EARLY_PRINTK
16285 -+ __INITDATA
16286 - early_recursion_flag:
16287 - .long 0
16288 -+ .previous
16289 -
16290 -+ .section .rodata,"a",@progbits
16291 - early_idt_msg:
16292 - .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
16293 - early_idt_ripmsg:
16294 - .asciz "RIP %s\n"
16295 --#endif /* CONFIG_EARLY_PRINTK */
16296 - .previous
16297 -+#endif /* CONFIG_EARLY_PRINTK */
16298 -
16299 -+ .section .rodata,"a",@progbits
16300 - #define NEXT_PAGE(name) \
16301 - .balign PAGE_SIZE; \
16302 - ENTRY(name)
16303 -@@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
16304 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16305 - .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
16306 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16307 -+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
16308 -+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
16309 -+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
16310 -+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16311 - .org init_level4_pgt + L4_START_KERNEL*8, 0
16312 - /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
16313 - .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
16314 -
16315 -+#ifdef CONFIG_PAX_PER_CPU_PGD
16316 -+NEXT_PAGE(cpu_pgd)
16317 -+ .rept NR_CPUS
16318 -+ .fill 512,8,0
16319 -+ .endr
16320 -+#endif
16321 -+
16322 - NEXT_PAGE(level3_ident_pgt)
16323 - .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16324 -+#ifdef CONFIG_XEN
16325 - .fill 511,8,0
16326 -+#else
16327 -+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
16328 -+ .fill 510,8,0
16329 -+#endif
16330 -+
16331 -+NEXT_PAGE(level3_vmalloc_pgt)
16332 -+ .fill 512,8,0
16333 -+
16334 -+NEXT_PAGE(level3_vmemmap_pgt)
16335 -+ .fill L3_VMEMMAP_START,8,0
16336 -+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16337 -
16338 - NEXT_PAGE(level3_kernel_pgt)
16339 - .fill L3_START_KERNEL,8,0
16340 -@@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
16341 - .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
16342 - .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16343 -
16344 -+NEXT_PAGE(level2_vmemmap_pgt)
16345 -+ .fill 512,8,0
16346 -+
16347 - NEXT_PAGE(level2_fixmap_pgt)
16348 -- .fill 506,8,0
16349 -- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16350 -- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
16351 -- .fill 5,8,0
16352 -+ .fill 507,8,0
16353 -+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
16354 -+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
16355 -+ .fill 4,8,0
16356 -
16357 --NEXT_PAGE(level1_fixmap_pgt)
16358 -+NEXT_PAGE(level1_vsyscall_pgt)
16359 - .fill 512,8,0
16360 -
16361 --NEXT_PAGE(level2_ident_pgt)
16362 -- /* Since I easily can, map the first 1G.
16363 -+ /* Since I easily can, map the first 2G.
16364 - * Don't set NX because code runs from these pages.
16365 - */
16366 -- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
16367 -+NEXT_PAGE(level2_ident_pgt)
16368 -+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
16369 -
16370 - NEXT_PAGE(level2_kernel_pgt)
16371 - /*
16372 -@@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
16373 - * If you want to increase this then increase MODULES_VADDR
16374 - * too.)
16375 - */
16376 -- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
16377 -- KERNEL_IMAGE_SIZE/PMD_SIZE)
16378 --
16379 --NEXT_PAGE(level2_spare_pgt)
16380 -- .fill 512, 8, 0
16381 -+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
16382 -
16383 - #undef PMDS
16384 - #undef NEXT_PAGE
16385 -
16386 -- .data
16387 -+ .align PAGE_SIZE
16388 -+ENTRY(cpu_gdt_table)
16389 -+ .rept NR_CPUS
16390 -+ .quad 0x0000000000000000 /* NULL descriptor */
16391 -+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
16392 -+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
16393 -+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
16394 -+ .quad 0x00cffb000000ffff /* __USER32_CS */
16395 -+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
16396 -+ .quad 0x00affb000000ffff /* __USER_CS */
16397 -+
16398 -+#ifdef CONFIG_PAX_KERNEXEC
16399 -+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
16400 -+#else
16401 -+ .quad 0x0 /* unused */
16402 -+#endif
16403 -+
16404 -+ .quad 0,0 /* TSS */
16405 -+ .quad 0,0 /* LDT */
16406 -+ .quad 0,0,0 /* three TLS descriptors */
16407 -+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
16408 -+ /* asm/segment.h:GDT_ENTRIES must match this */
16409 -+
16410 -+ /* zero the remaining page */
16411 -+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
16412 -+ .endr
16413 -+
16414 - .align 16
16415 - .globl early_gdt_descr
16416 - early_gdt_descr:
16417 - .word GDT_ENTRIES*8-1
16418 - early_gdt_descr_base:
16419 -- .quad INIT_PER_CPU_VAR(gdt_page)
16420 -+ .quad cpu_gdt_table
16421 -
16422 - ENTRY(phys_base)
16423 - /* This must match the first entry in level2_kernel_pgt */
16424 - .quad 0x0000000000000000
16425 -
16426 - #include "../../x86/xen/xen-head.S"
16427 --
16428 -- .section .bss, "aw", @nobits
16429 -+
16430 -+ .section .rodata,"a",@progbits
16431 - .align L1_CACHE_BYTES
16432 - ENTRY(idt_table)
16433 -- .skip IDT_ENTRIES * 16
16434 -+ .fill 512,8,0
16435 -
16436 - __PAGE_ALIGNED_BSS
16437 - .align PAGE_SIZE
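Review bot: idt_table changes from .skip IDT_ENTRIES * 16 to a hard-coded .fill 512,8,0, so its size no longer follows IDT_ENTRIES; the two agree only when IDT_ENTRIES is 256. Keep the size symbolic, for example .fill IDT_ENTRIES * 2,8,0, so the table moved into .rodata cannot end up shorter than the IDT limit. cpu_gdt_table has the same weakness: the comment says asm/segment.h:GDT_ENTRIES must match the descriptor list, but nothing enforces it, and .fill PAGE_SIZE / 8 - GDT_ENTRIES pads each copy to one page only if the number of .quad slots above equals GDT_ENTRIES.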
16438 -diff -urNp linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c
16439 ---- linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-03-27 14:31:47.000000000 -0400
16440 -+++ linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:56:46.000000000 -0400
16441 -@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
16442 - EXPORT_SYMBOL(cmpxchg8b_emu);
16443 - #endif
16444 -
16445 -+EXPORT_SYMBOL_GPL(cpu_gdt_table);
16446 -+
16447 - /* Networking helper routines. */
16448 - EXPORT_SYMBOL(csum_partial_copy_generic);
16449 -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
16450 -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
16451 -
16452 - EXPORT_SYMBOL(__get_user_1);
16453 - EXPORT_SYMBOL(__get_user_2);
16454 -@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
16455 -
16456 - EXPORT_SYMBOL(csum_partial);
16457 - EXPORT_SYMBOL(empty_zero_page);
16458 -+
16459 -+#ifdef CONFIG_PAX_KERNEXEC
16460 -+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
16461 -+#endif
16462 -diff -urNp linux-2.6.32.46/arch/x86/kernel/i8259.c linux-2.6.32.46/arch/x86/kernel/i8259.c
16463 ---- linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-03-27 14:31:47.000000000 -0400
16464 -+++ linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-05-04 17:56:28.000000000 -0400
16465 -@@ -208,7 +208,7 @@ spurious_8259A_irq:
16466 - "spurious 8259A interrupt: IRQ%d.\n", irq);
16467 - spurious_irq_mask |= irqmask;
16468 - }
16469 -- atomic_inc(&irq_err_count);
16470 -+ atomic_inc_unchecked(&irq_err_count);
16471 - /*
16472 - * Theoretically we do not have to handle this IRQ,
16473 - * but in Linux this does not cause problems and is
16474 -diff -urNp linux-2.6.32.46/arch/x86/kernel/init_task.c linux-2.6.32.46/arch/x86/kernel/init_task.c
16475 ---- linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-03-27 14:31:47.000000000 -0400
16476 -+++ linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-04-17 15:56:46.000000000 -0400
16477 -@@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
16478 - * way process stacks are handled. This is done by having a special
16479 - * "init_task" linker map entry..
16480 - */
16481 --union thread_union init_thread_union __init_task_data =
16482 -- { INIT_THREAD_INFO(init_task) };
16483 -+union thread_union init_thread_union __init_task_data;
16484 -
16485 - /*
16486 - * Initial task structure.
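Review bot: dropping the { INIT_THREAD_INFO(init_task) } initializer leaves init_thread_union zero-filled, and this hunk does not show where the boot task's thread_info is initialised instead. Point to that location in a comment next to the declaration so the dependency is visible to the next reader.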
16487 -@@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
16488 - * section. Since TSS's are completely CPU-local, we want them
16489 - * on exact cacheline boundaries, to eliminate cacheline ping-pong.
16490 - */
16491 --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
16492 --
16493 -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
16494 -+EXPORT_SYMBOL(init_tss);
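Review bot: ____cacheline_internodealigned_in_smp on init_tss[NR_CPUS] aligns the array as a whole, so the guarantee in the retained comment ("exact cacheline boundaries") holds per element only if sizeof(struct tss_struct) is a multiple of the cacheline size, which is not visible here. Either state that the struct type carries the alignment or update the comment. The new EXPORT_SYMBOL(init_tss) is also unexplained, and it is a plain export where cpu_gdt_table in i386_ksyms_32.c uses EXPORT_SYMBOL_GPL; note who needs it.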
16495 -diff -urNp linux-2.6.32.46/arch/x86/kernel/ioport.c linux-2.6.32.46/arch/x86/kernel/ioport.c
16496 ---- linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
16497 -+++ linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
16498 -@@ -6,6 +6,7 @@
16499 - #include <linux/sched.h>
16500 - #include <linux/kernel.h>
16501 - #include <linux/capability.h>
16502 -+#include <linux/security.h>
16503 - #include <linux/errno.h>
16504 - #include <linux/types.h>
16505 - #include <linux/ioport.h>
16506 -@@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
16507 -
16508 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
16509 - return -EINVAL;
16510 -+#ifdef CONFIG_GRKERNSEC_IO
16511 -+ if (turn_on && grsec_disable_privio) {
16512 -+ gr_handle_ioperm();
16513 -+ return -EPERM;
16514 -+ }
16515 -+#endif
16516 - if (turn_on && !capable(CAP_SYS_RAWIO))
16517 - return -EPERM;
16518 -
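Review bot: in sys_ioperm the CONFIG_GRKERNSEC_IO block sits ahead of the capable(CAP_SYS_RAWIO) test, so gr_handle_ioperm() runs for every caller that passes turn_on, including callers that would have been refused for lacking the capability. If the handler reports the attempt, that ordering decides how much an unprivileged process can make it report; either move the block after the capability check or add a comment that reporting unprivileged attempts is intended. The do_iopl hunk below has the same ordering.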
16519 -@@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
16520 - * because the ->io_bitmap_max value must match the bitmap
16521 - * contents:
16522 - */
16523 -- tss = &per_cpu(init_tss, get_cpu());
16524 -+ tss = init_tss + get_cpu();
16525 -
16526 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
16527 -
16528 -@@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
16529 - return -EINVAL;
16530 - /* Trying to gain more privileges? */
16531 - if (level > old) {
16532 -+#ifdef CONFIG_GRKERNSEC_IO
16533 -+ if (grsec_disable_privio) {
16534 -+ gr_handle_iopl();
16535 -+ return -EPERM;
16536 -+ }
16537 -+#endif
16538 - if (!capable(CAP_SYS_RAWIO))
16539 - return -EPERM;
16540 - }
16541 -diff -urNp linux-2.6.32.46/arch/x86/kernel/irq.c linux-2.6.32.46/arch/x86/kernel/irq.c
16542 ---- linux-2.6.32.46/arch/x86/kernel/irq.c 2011-03-27 14:31:47.000000000 -0400
16543 -+++ linux-2.6.32.46/arch/x86/kernel/irq.c 2011-05-04 17:56:28.000000000 -0400
16544 -@@ -15,7 +15,7 @@
16545 - #include <asm/mce.h>
16546 - #include <asm/hw_irq.h>
16547 -
16548 --atomic_t irq_err_count;
16549 -+atomic_unchecked_t irq_err_count;
16550 -
16551 - /* Function pointer for generic interrupt vector handling */
16552 - void (*generic_interrupt_extension)(void) = NULL;
16553 -@@ -114,9 +114,9 @@ static int show_other_interrupts(struct
16554 - seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16555 - seq_printf(p, " Machine check polls\n");
16556 - #endif
16557 -- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16558 -+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16559 - #if defined(CONFIG_X86_IO_APIC)
16560 -- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16561 -+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16562 - #endif
16563 - return 0;
16564 - }
16565 -@@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16566 -
16567 - u64 arch_irq_stat(void)
16568 - {
16569 -- u64 sum = atomic_read(&irq_err_count);
16570 -+ u64 sum = atomic_read_unchecked(&irq_err_count);
16571 -
16572 - #ifdef CONFIG_X86_IO_APIC
16573 -- sum += atomic_read(&irq_mis_count);
16574 -+ sum += atomic_read_unchecked(&irq_mis_count);
16575 - #endif
16576 - return sum;
16577 - }
16578 -diff -urNp linux-2.6.32.46/arch/x86/kernel/irq_32.c linux-2.6.32.46/arch/x86/kernel/irq_32.c
16579 ---- linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-03-27 14:31:47.000000000 -0400
16580 -+++ linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-07-06 19:53:33.000000000 -0400
16581 -@@ -35,7 +35,7 @@ static int check_stack_overflow(void)
16582 - __asm__ __volatile__("andl %%esp,%0" :
16583 - "=r" (sp) : "0" (THREAD_SIZE - 1));
16584 -
16585 -- return sp < (sizeof(struct thread_info) + STACK_WARN);
16586 -+ return sp < STACK_WARN;
16587 - }
16588 -
16589 - static void print_stack_overflow(void)
16590 -@@ -54,9 +54,9 @@ static inline void print_stack_overflow(
16591 - * per-CPU IRQ handling contexts (thread information and stack)
16592 - */
16593 - union irq_ctx {
16594 -- struct thread_info tinfo;
16595 -- u32 stack[THREAD_SIZE/sizeof(u32)];
16596 --} __attribute__((aligned(PAGE_SIZE)));
16597 -+ unsigned long previous_esp;
16598 -+ u32 stack[THREAD_SIZE/sizeof(u32)];
16599 -+} __attribute__((aligned(THREAD_SIZE)));
16600 -
16601 - static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
16602 - static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
16603 -@@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
16604 - static inline int
16605 - execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
16606 - {
16607 -- union irq_ctx *curctx, *irqctx;
16608 -+ union irq_ctx *irqctx;
16609 - u32 *isp, arg1, arg2;
16610 -
16611 -- curctx = (union irq_ctx *) current_thread_info();
16612 - irqctx = __get_cpu_var(hardirq_ctx);
16613 -
16614 - /*
16615 -@@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
16616 - * handler) we can't do that and just have to keep using the
16617 - * current stack (which is the irq stack already after all)
16618 - */
16619 -- if (unlikely(curctx == irqctx))
16620 -+ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
16621 - return 0;
16622 -
16623 - /* build the stack frame on the IRQ stack */
16624 -- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16625 -- irqctx->tinfo.task = curctx->tinfo.task;
16626 -- irqctx->tinfo.previous_esp = current_stack_pointer;
16627 -+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16628 -+ irqctx->previous_esp = current_stack_pointer;
16629 -
16630 -- /*
16631 -- * Copy the softirq bits in preempt_count so that the
16632 -- * softirq checks work in the hardirq context.
16633 -- */
16634 -- irqctx->tinfo.preempt_count =
16635 -- (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
16636 -- (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
16637 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
16638 -+ __set_fs(MAKE_MM_SEG(0));
16639 -+#endif
16640 -
16641 - if (unlikely(overflow))
16642 - call_on_stack(print_stack_overflow, isp);
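Review bot: the new already-on-IRQ-stack test, (void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE, relies on void-pointer arithmetic and on the difference being compared as unsigned so that a stack pointer below irqctx does not satisfy it; the type of THREAD_SIZE is not visible in this hunk. Cast both operands to unsigned long so the range check is explicit. The - 8 in the isp computation is unexplained here and again in do_softirq; give it a name or a comment. The removed block that copied the SOFTIRQ_MASK bits of preempt_count also goes without a note on where that state now lives.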
16643 -@@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
16644 - : "0" (irq), "1" (desc), "2" (isp),
16645 - "D" (desc->handle_irq)
16646 - : "memory", "cc", "ecx");
16647 -+
16648 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
16649 -+ __set_fs(current_thread_info()->addr_limit);
16650 -+#endif
16651 -+
16652 - return 1;
16653 - }
16654 -
16655 -@@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
16656 - */
16657 - void __cpuinit irq_ctx_init(int cpu)
16658 - {
16659 -- union irq_ctx *irqctx;
16660 --
16661 - if (per_cpu(hardirq_ctx, cpu))
16662 - return;
16663 -
16664 -- irqctx = &per_cpu(hardirq_stack, cpu);
16665 -- irqctx->tinfo.task = NULL;
16666 -- irqctx->tinfo.exec_domain = NULL;
16667 -- irqctx->tinfo.cpu = cpu;
16668 -- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
16669 -- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16670 --
16671 -- per_cpu(hardirq_ctx, cpu) = irqctx;
16672 --
16673 -- irqctx = &per_cpu(softirq_stack, cpu);
16674 -- irqctx->tinfo.task = NULL;
16675 -- irqctx->tinfo.exec_domain = NULL;
16676 -- irqctx->tinfo.cpu = cpu;
16677 -- irqctx->tinfo.preempt_count = 0;
16678 -- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16679 --
16680 -- per_cpu(softirq_ctx, cpu) = irqctx;
16681 -+ per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
16682 -+ per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
16683 -
16684 - printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
16685 - cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
16686 -@@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
16687 - asmlinkage void do_softirq(void)
16688 - {
16689 - unsigned long flags;
16690 -- struct thread_info *curctx;
16691 - union irq_ctx *irqctx;
16692 - u32 *isp;
16693 -
16694 -@@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
16695 - local_irq_save(flags);
16696 -
16697 - if (local_softirq_pending()) {
16698 -- curctx = current_thread_info();
16699 - irqctx = __get_cpu_var(softirq_ctx);
16700 -- irqctx->tinfo.task = curctx->task;
16701 -- irqctx->tinfo.previous_esp = current_stack_pointer;
16702 -+ irqctx->previous_esp = current_stack_pointer;
16703 -
16704 - /* build the stack frame on the softirq stack */
16705 -- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16706 -+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16707 -+
16708 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
16709 -+ __set_fs(MAKE_MM_SEG(0));
16710 -+#endif
16711 -
16712 - call_on_stack(__do_softirq, isp);
16713 -+
16714 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
16715 -+ __set_fs(current_thread_info()->addr_limit);
16716 -+#endif
16717 -+
16718 - /*
16719 - * Shouldnt happen, we returned above if in_interrupt():
16720 - */
16721 -diff -urNp linux-2.6.32.46/arch/x86/kernel/kgdb.c linux-2.6.32.46/arch/x86/kernel/kgdb.c
16722 ---- linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
16723 -+++ linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
16724 -@@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
16725 -
16726 - /* clear the trace bit */
16727 - linux_regs->flags &= ~X86_EFLAGS_TF;
16728 -- atomic_set(&kgdb_cpu_doing_single_step, -1);
16729 -+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16730 -
16731 - /* set the trace bit if we're stepping */
16732 - if (remcomInBuffer[0] == 's') {
16733 - linux_regs->flags |= X86_EFLAGS_TF;
16734 - kgdb_single_step = 1;
16735 -- atomic_set(&kgdb_cpu_doing_single_step,
16736 -+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16737 - raw_smp_processor_id());
16738 - }
16739 -
16740 -@@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
16741 - break;
16742 -
16743 - case DIE_DEBUG:
16744 -- if (atomic_read(&kgdb_cpu_doing_single_step) ==
16745 -+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
16746 - raw_smp_processor_id()) {
16747 - if (user_mode(regs))
16748 - return single_step_cont(regs, args);
16749 -@@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
16750 - return instruction_pointer(regs);
16751 - }
16752 -
16753 --struct kgdb_arch arch_kgdb_ops = {
16754 -+const struct kgdb_arch arch_kgdb_ops = {
16755 - /* Breakpoint instruction: */
16756 - .gdb_bpt_instr = { 0xcc },
16757 - .flags = KGDB_HW_BREAKPOINT,
16758 -diff -urNp linux-2.6.32.46/arch/x86/kernel/kprobes.c linux-2.6.32.46/arch/x86/kernel/kprobes.c
16759 ---- linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
16760 -+++ linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
16761 -@@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
16762 - char op;
16763 - s32 raddr;
16764 - } __attribute__((packed)) * jop;
16765 -- jop = (struct __arch_jmp_op *)from;
16766 -+
16767 -+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
16768 -+
16769 -+ pax_open_kernel();
16770 - jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
16771 - jop->op = RELATIVEJUMP_INSTRUCTION;
16772 -+ pax_close_kernel();
16773 - }
16774 -
16775 - /*
16776 -@@ -193,7 +197,7 @@ static int __kprobes can_boost(kprobe_op
16777 - kprobe_opcode_t opcode;
16778 - kprobe_opcode_t *orig_opcodes = opcodes;
16779 -
16780 -- if (search_exception_tables((unsigned long)opcodes))
16781 -+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16782 - return 0; /* Page fault may occur on this address. */
16783 -
16784 - retry:
16785 -@@ -337,7 +341,9 @@ static void __kprobes fix_riprel(struct
16786 - disp = (u8 *) p->addr + *((s32 *) insn) -
16787 - (u8 *) p->ainsn.insn;
16788 - BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
16789 -+ pax_open_kernel();
16790 - *(s32 *)insn = (s32) disp;
16791 -+ pax_close_kernel();
16792 - }
16793 - }
16794 - #endif
16795 -@@ -345,16 +351,18 @@ static void __kprobes fix_riprel(struct
16796 -
16797 - static void __kprobes arch_copy_kprobe(struct kprobe *p)
16798 - {
16799 -- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16800 -+ pax_open_kernel();
16801 -+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16802 -+ pax_close_kernel();
16803 -
16804 - fix_riprel(p);
16805 -
16806 -- if (can_boost(p->addr))
16807 -+ if (can_boost(ktla_ktva(p->addr)))
16808 - p->ainsn.boostable = 0;
16809 - else
16810 - p->ainsn.boostable = -1;
16811 -
16812 -- p->opcode = *p->addr;
16813 -+ p->opcode = *(ktla_ktva(p->addr));
16814 - }
16815 -
16816 - int __kprobes arch_prepare_kprobe(struct kprobe *p)
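Review bot: arch_copy_kprobe now calls can_boost(ktla_ktva(p->addr)), while can_boost() in the earlier hunk applies ktva_ktla() to its argument before search_exception_tables(), so the address is converted one way by the caller and the other way by the callee, and which form each helper expects is not written down anywhere in these hunks. Add a short comment on can_boost() stating the address form of its opcodes parameter. It would also help to note why pax_open_kernel() is needed around the memcpy, whose destination is p->ainsn.insn rather than kernel text.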
16817 -@@ -432,7 +440,7 @@ static void __kprobes prepare_singlestep
16818 - if (p->opcode == BREAKPOINT_INSTRUCTION)
16819 - regs->ip = (unsigned long)p->addr;
16820 - else
16821 -- regs->ip = (unsigned long)p->ainsn.insn;
16822 -+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16823 - }
16824 -
16825 - void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
16826 -@@ -453,7 +461,7 @@ static void __kprobes setup_singlestep(s
16827 - if (p->ainsn.boostable == 1 && !p->post_handler) {
16828 - /* Boost up -- we can execute copied instructions directly */
16829 - reset_current_kprobe();
16830 -- regs->ip = (unsigned long)p->ainsn.insn;
16831 -+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16832 - preempt_enable_no_resched();
16833 - return;
16834 - }
16835 -@@ -523,7 +531,7 @@ static int __kprobes kprobe_handler(stru
16836 - struct kprobe_ctlblk *kcb;
16837 -
16838 - addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
16839 -- if (*addr != BREAKPOINT_INSTRUCTION) {
16840 -+ if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16841 - /*
16842 - * The breakpoint instruction was removed right
16843 - * after we hit it. Another cpu has removed
16844 -@@ -775,7 +783,7 @@ static void __kprobes resume_execution(s
16845 - struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16846 - {
16847 - unsigned long *tos = stack_addr(regs);
16848 -- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16849 -+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16850 - unsigned long orig_ip = (unsigned long)p->addr;
16851 - kprobe_opcode_t *insn = p->ainsn.insn;
16852 -
16853 -@@ -958,7 +966,7 @@ int __kprobes kprobe_exceptions_notify(s
16854 - struct die_args *args = data;
16855 - int ret = NOTIFY_DONE;
16856 -
16857 -- if (args->regs && user_mode_vm(args->regs))
16858 -+ if (args->regs && user_mode(args->regs))
16859 - return ret;
16860 -
16861 - switch (val) {
16862 -diff -urNp linux-2.6.32.46/arch/x86/kernel/kvm.c linux-2.6.32.46/arch/x86/kernel/kvm.c
16863 ---- linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-03-27 14:31:47.000000000 -0400
16864 -+++ linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-08-24 18:35:52.000000000 -0400
16865 -@@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(vo
16866 - pv_mmu_ops.set_pud = kvm_set_pud;
16867 - #if PAGETABLE_LEVELS == 4
16868 - pv_mmu_ops.set_pgd = kvm_set_pgd;
16869 -+ pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
16870 - #endif
16871 - #endif
16872 - pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
16873 -diff -urNp linux-2.6.32.46/arch/x86/kernel/ldt.c linux-2.6.32.46/arch/x86/kernel/ldt.c
16874 ---- linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-03-27 14:31:47.000000000 -0400
16875 -+++ linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-04-17 15:56:46.000000000 -0400
16876 -@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
16877 - if (reload) {
16878 - #ifdef CONFIG_SMP
16879 - preempt_disable();
16880 -- load_LDT(pc);
16881 -+ load_LDT_nolock(pc);
16882 - if (!cpumask_equal(mm_cpumask(current->mm),
16883 - cpumask_of(smp_processor_id())))
16884 - smp_call_function(flush_ldt, current->mm, 1);
16885 - preempt_enable();
16886 - #else
16887 -- load_LDT(pc);
16888 -+ load_LDT_nolock(pc);
16889 - #endif
16890 - }
16891 - if (oldsize) {
16892 -@@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
16893 - return err;
16894 -
16895 - for (i = 0; i < old->size; i++)
16896 -- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16897 -+ write_ldt_entry(new->ldt, i, old->ldt + i);
16898 - return 0;
16899 - }
16900 -
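Review bot: write_ldt_entry(new->ldt, i, old->ldt + i) is correct only if ldt is now a pointer to descriptor-sized elements; with the byte-addressed pointer that the removed i * LDT_ENTRY_SIZE implies, it would read entries at overlapping one-byte offsets. The retyping of the ldt member is not part of this hunk, so reference it in the changelog or a comment to make it clear the two changes must land together.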
16901 -@@ -115,6 +115,24 @@ int init_new_context(struct task_struct
16902 - retval = copy_ldt(&mm->context, &old_mm->context);
16903 - mutex_unlock(&old_mm->context.lock);
16904 - }
16905 -+
16906 -+ if (tsk == current) {
16907 -+ mm->context.vdso = 0;
16908 -+
16909 -+#ifdef CONFIG_X86_32
16910 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16911 -+ mm->context.user_cs_base = 0UL;
16912 -+ mm->context.user_cs_limit = ~0UL;
16913 -+
16914 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16915 -+ cpus_clear(mm->context.cpu_user_cs_mask);
16916 -+#endif
16917 -+
16918 -+#endif
16919 -+#endif
16920 -+
16921 -+ }
16922 -+
16923 - return retval;
16924 - }
16925 -
16926 -@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
16927 - }
16928 - }
16929 -
16930 -+#ifdef CONFIG_PAX_SEGMEXEC
16931 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16932 -+ error = -EINVAL;
16933 -+ goto out_unlock;
16934 -+ }
16935 -+#endif
16936 -+
16937 - fill_ldt(&ldt, &ldt_info);
16938 - if (oldmode)
16939 - ldt.avl = 0;
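Review bot: the CONFIG_PAX_SEGMEXEC check in write_ldt rejects any descriptor with MODIFY_LDT_CONTENTS_CODE set and returns -EINVAL, with no comment on why code segments are refused for MF_PAX_SEGMEXEC tasks. Add a one-line rationale above the #ifdef; as written, the caller cannot tell this policy refusal from a malformed request, so consider whether a different errno is more appropriate.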
16940 -diff -urNp linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c
16941 ---- linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-03-27 14:31:47.000000000 -0400
16942 -+++ linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:56:46.000000000 -0400
16943 -@@ -26,7 +26,7 @@
16944 - #include <asm/system.h>
16945 - #include <asm/cacheflush.h>
16946 -
16947 --static void set_idt(void *newidt, __u16 limit)
16948 -+static void set_idt(struct desc_struct *newidt, __u16 limit)
16949 - {
16950 - struct desc_ptr curidt;
16951 -
16952 -@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
16953 - }
16954 -
16955 -
16956 --static void set_gdt(void *newgdt, __u16 limit)
16957 -+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16958 - {
16959 - struct desc_ptr curgdt;
16960 -
16961 -@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16962 - }
16963 -
16964 - control_page = page_address(image->control_code_page);
16965 -- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16966 -+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16967 -
16968 - relocate_kernel_ptr = control_page;
16969 - page_list[PA_CONTROL_PAGE] = __pa(control_page);
16970 -diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_amd.c linux-2.6.32.46/arch/x86/kernel/microcode_amd.c
16971 ---- linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:00:52.000000000 -0400
16972 -+++ linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:03:05.000000000 -0400
16973 -@@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
16974 - uci->mc = NULL;
16975 - }
16976 -
16977 --static struct microcode_ops microcode_amd_ops = {
16978 -+static const struct microcode_ops microcode_amd_ops = {
16979 - .request_microcode_user = request_microcode_user,
16980 - .request_microcode_fw = request_microcode_fw,
16981 - .collect_cpu_info = collect_cpu_info_amd,
16982 -@@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
16983 - .microcode_fini_cpu = microcode_fini_cpu_amd,
16984 - };
16985 -
16986 --struct microcode_ops * __init init_amd_microcode(void)
16987 -+const struct microcode_ops * __init init_amd_microcode(void)
16988 - {
16989 - return &microcode_amd_ops;
16990 - }
16991 -diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_core.c linux-2.6.32.46/arch/x86/kernel/microcode_core.c
16992 ---- linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-03-27 14:31:47.000000000 -0400
16993 -+++ linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-04-17 15:56:46.000000000 -0400
16994 -@@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
16995 -
16996 - #define MICROCODE_VERSION "2.00"
16997 -
16998 --static struct microcode_ops *microcode_ops;
16999 -+static const struct microcode_ops *microcode_ops;
17000 -
17001 - /*
17002 - * Synchronization.
17003 -diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_intel.c linux-2.6.32.46/arch/x86/kernel/microcode_intel.c
17004 ---- linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
17005 -+++ linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-10-06 09:37:08.000000000 -0400
17006 -@@ -443,13 +443,13 @@ static enum ucode_state request_microcod
17007 -
17008 - static int get_ucode_user(void *to, const void *from, size_t n)
17009 - {
17010 -- return copy_from_user(to, from, n);
17011 -+ return copy_from_user(to, (const void __force_user *)from, n);
17012 - }
17013 -
17014 - static enum ucode_state
17015 - request_microcode_user(int cpu, const void __user *buf, size_t size)
17016 - {
17017 -- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
17018 -+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
17019 - }
17020 -
17021 - static void microcode_fini_cpu(int cpu)
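Review bot: the casts in get_ucode_user() and request_microcode_user() undo each other's address-space annotation and neither carries a comment. request_microcode_user() receives `const void __user *buf`, strips the annotation with `(__force_kernel void *)buf`, and get_ucode_user() then re-labels the same pointer with `(const void __force_user *)from` before copy_from_user(). Please add a line at each cast stating that `from` is always the user buffer passed to generic_load_microcode() on this path, so a later caller does not hand a kernel pointer to get_ucode_user() with the checker silenced.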
17022 -@@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
17023 - uci->mc = NULL;
17024 - }
17025 -
17026 --static struct microcode_ops microcode_intel_ops = {
17027 -+static const struct microcode_ops microcode_intel_ops = {
17028 - .request_microcode_user = request_microcode_user,
17029 - .request_microcode_fw = request_microcode_fw,
17030 - .collect_cpu_info = collect_cpu_info,
17031 -@@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
17032 - .microcode_fini_cpu = microcode_fini_cpu,
17033 - };
17034 -
17035 --struct microcode_ops * __init init_intel_microcode(void)
17036 -+const struct microcode_ops * __init init_intel_microcode(void)
17037 - {
17038 - return &microcode_intel_ops;
17039 - }
17040 -diff -urNp linux-2.6.32.46/arch/x86/kernel/module.c linux-2.6.32.46/arch/x86/kernel/module.c
17041 ---- linux-2.6.32.46/arch/x86/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
17042 -+++ linux-2.6.32.46/arch/x86/kernel/module.c 2011-04-17 15:56:46.000000000 -0400
17043 -@@ -34,7 +34,7 @@
17044 - #define DEBUGP(fmt...)
17045 - #endif
17046 -
17047 --void *module_alloc(unsigned long size)
17048 -+static void *__module_alloc(unsigned long size, pgprot_t prot)
17049 - {
17050 - struct vm_struct *area;
17051 -
17052 -@@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
17053 - if (!area)
17054 - return NULL;
17055 -
17056 -- return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
17057 -- PAGE_KERNEL_EXEC);
17058 -+ return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
17059 -+}
17060 -+
17061 -+void *module_alloc(unsigned long size)
17062 -+{
17063 -+
17064 -+#ifdef CONFIG_PAX_KERNEXEC
17065 -+ return __module_alloc(size, PAGE_KERNEL);
17066 -+#else
17067 -+ return __module_alloc(size, PAGE_KERNEL_EXEC);
17068 -+#endif
17069 -+
17070 - }
17071 -
17072 - /* Free memory returned from module_alloc */
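Review bot: `__GFP_ZERO` in the rewritten `__vmalloc_area()` call applies to both branches of module_alloc(), not only to the CONFIG_PAX_KERNEXEC one, so builds without KERNEXEC change behaviour here as well. If zeroing is wanted for every configuration, say so in a comment above __module_alloc(); otherwise move the flag under the #ifdef. The same comment should state that with KERNEXEC module_alloc() now hands out PAGE_KERNEL memory and that executable regions have to come from module_alloc_exec(). The blank lines after the opening brace and before the closing brace of module_alloc() can go.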
17073 -@@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
17074 - vfree(module_region);
17075 - }
17076 -
17077 -+#ifdef CONFIG_PAX_KERNEXEC
17078 -+#ifdef CONFIG_X86_32
17079 -+void *module_alloc_exec(unsigned long size)
17080 -+{
17081 -+ struct vm_struct *area;
17082 -+
17083 -+ if (size == 0)
17084 -+ return NULL;
17085 -+
17086 -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
17087 -+ return area ? area->addr : NULL;
17088 -+}
17089 -+EXPORT_SYMBOL(module_alloc_exec);
17090 -+
17091 -+void module_free_exec(struct module *mod, void *module_region)
17092 -+{
17093 -+ vunmap(module_region);
17094 -+}
17095 -+EXPORT_SYMBOL(module_free_exec);
17096 -+#else
17097 -+void module_free_exec(struct module *mod, void *module_region)
17098 -+{
17099 -+ module_free(mod, module_region);
17100 -+}
17101 -+EXPORT_SYMBOL(module_free_exec);
17102 -+
17103 -+void *module_alloc_exec(unsigned long size)
17104 -+{
17105 -+ return __module_alloc(size, PAGE_KERNEL_RX);
17106 -+}
17107 -+EXPORT_SYMBOL(module_alloc_exec);
17108 -+#endif
17109 -+#endif
17110 -+
17111 - /* We don't need anything special. */
17112 - int module_frob_arch_sections(Elf_Ehdr *hdr,
17113 - Elf_Shdr *sechdrs,
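Review bot: the CONFIG_X86_32 module_alloc_exec() returns `area->addr` straight from `__get_vm_area()`, and nothing in this hunk allocates or maps pages behind that range, while the matching module_free_exec() only calls vunmap(). Please add a comment naming the code that populates the range between MODULES_EXEC_VADDR and MODULES_EXEC_END; a reader of this function alone would assume the pointer is usable memory, as it is in the other variant that goes through `__module_alloc(size, PAGE_KERNEL_RX)`.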
17114 -@@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17115 - unsigned int i;
17116 - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
17117 - Elf32_Sym *sym;
17118 -- uint32_t *location;
17119 -+ uint32_t *plocation, location;
17120 -
17121 - DEBUGP("Applying relocate section %u to %u\n", relsec,
17122 - sechdrs[relsec].sh_info);
17123 - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
17124 - /* This is where to make the change */
17125 -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
17126 -- + rel[i].r_offset;
17127 -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
17128 -+ location = (uint32_t)plocation;
17129 -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
17130 -+ plocation = ktla_ktva((void *)plocation);
17131 - /* This is the symbol it is referring to. Note that all
17132 - undefined symbols have been resolved. */
17133 - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
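Review bot: in the loop body `location = (uint32_t)plocation;` is taken before `plocation` is passed through ktla_ktva() for SHF_EXECINSTR sections, so the later R_386_PC32 arithmetic uses the untranslated address while the store goes through the translated one. That looks intentional, but the names `location` and `plocation` do not convey it. A comment at the assignment saying which address the relocation is computed against and which one is written through would stop someone from folding the two variables back into one.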
17134 -@@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17135 - switch (ELF32_R_TYPE(rel[i].r_info)) {
17136 - case R_386_32:
17137 - /* We add the value into the location given */
17138 -- *location += sym->st_value;
17139 -+ pax_open_kernel();
17140 -+ *plocation += sym->st_value;
17141 -+ pax_close_kernel();
17142 - break;
17143 - case R_386_PC32:
17144 - /* Add the value, subtract its postition */
17145 -- *location += sym->st_value - (uint32_t)location;
17146 -+ pax_open_kernel();
17147 -+ *plocation += sym->st_value - location;
17148 -+ pax_close_kernel();
17149 - break;
17150 - default:
17151 - printk(KERN_ERR "module %s: Unknown relocation: %u\n",
17152 -@@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
17153 - case R_X86_64_NONE:
17154 - break;
17155 - case R_X86_64_64:
17156 -+ pax_open_kernel();
17157 - *(u64 *)loc = val;
17158 -+ pax_close_kernel();
17159 - break;
17160 - case R_X86_64_32:
17161 -+ pax_open_kernel();
17162 - *(u32 *)loc = val;
17163 -+ pax_close_kernel();
17164 - if (val != *(u32 *)loc)
17165 - goto overflow;
17166 - break;
17167 - case R_X86_64_32S:
17168 -+ pax_open_kernel();
17169 - *(s32 *)loc = val;
17170 -+ pax_close_kernel();
17171 - if ((s64)val != *(s32 *)loc)
17172 - goto overflow;
17173 - break;
17174 - case R_X86_64_PC32:
17175 - val -= (u64)loc;
17176 -+ pax_open_kernel();
17177 - *(u32 *)loc = val;
17178 -+ pax_close_kernel();
17179 -+
17180 - #if 0
17181 - if ((s64)val != *(s32 *)loc)
17182 - goto overflow;
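Review bot: each store in this switch gets its own pax_open_kernel()/pax_close_kernel() pair, four times here and twice more in apply_relocate() above. A small static helper that does open, store, close for a given location, value and width would remove the chance of a future case adding a store without the pair, or of a `goto overflow` ending up between the two calls. The blank line added after pax_close_kernel() in the R_X86_64_PC32 case, just ahead of `#if 0`, is stray.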
17183 -diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c
17184 ---- linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-03-27 14:31:47.000000000 -0400
17185 -+++ linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:56:46.000000000 -0400
17186 -@@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
17187 - __raw_spin_lock(lock);
17188 - }
17189 -
17190 --struct pv_lock_ops pv_lock_ops = {
17191 -+struct pv_lock_ops pv_lock_ops __read_only = {
17192 - #ifdef CONFIG_SMP
17193 - .spin_is_locked = __ticket_spin_is_locked,
17194 - .spin_is_contended = __ticket_spin_is_contended,
17195 -diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt.c linux-2.6.32.46/arch/x86/kernel/paravirt.c
17196 ---- linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.000000000 -0400
17197 -+++ linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-08-23 20:24:19.000000000 -0400
17198 -@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
17199 - {
17200 - return x;
17201 - }
17202 -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17203 -+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
17204 -+#endif
17205 -
17206 - void __init default_banner(void)
17207 - {
17208 -@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
17209 - * corresponding structure. */
17210 - static void *get_call_destination(u8 type)
17211 - {
17212 -- struct paravirt_patch_template tmpl = {
17213 -+ const struct paravirt_patch_template tmpl = {
17214 - .pv_init_ops = pv_init_ops,
17215 - .pv_time_ops = pv_time_ops,
17216 - .pv_cpu_ops = pv_cpu_ops,
17217 -@@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
17218 - .pv_lock_ops = pv_lock_ops,
17219 - #endif
17220 - };
17221 -+
17222 -+ pax_track_stack();
17223 - return *((void **)&tmpl + type);
17224 - }
17225 -
17226 -@@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
17227 - if (opfunc == NULL)
17228 - /* If there's no function, patch it with a ud2a (BUG) */
17229 - ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
17230 -- else if (opfunc == _paravirt_nop)
17231 -+ else if (opfunc == (void *)_paravirt_nop)
17232 - /* If the operation is a nop, then nop the callsite */
17233 - ret = paravirt_patch_nop();
17234 -
17235 - /* identity functions just return their single argument */
17236 -- else if (opfunc == _paravirt_ident_32)
17237 -+ else if (opfunc == (void *)_paravirt_ident_32)
17238 - ret = paravirt_patch_ident_32(insnbuf, len);
17239 -- else if (opfunc == _paravirt_ident_64)
17240 -+ else if (opfunc == (void *)_paravirt_ident_64)
17241 -+ ret = paravirt_patch_ident_64(insnbuf, len);
17242 -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17243 -+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
17244 - ret = paravirt_patch_ident_64(insnbuf, len);
17245 -+#endif
17246 -
17247 - else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
17248 - type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
17249 -@@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
17250 - if (insn_len > len || start == NULL)
17251 - insn_len = len;
17252 - else
17253 -- memcpy(insnbuf, start, insn_len);
17254 -+ memcpy(insnbuf, ktla_ktva(start), insn_len);
17255 -
17256 - return insn_len;
17257 - }
17258 -@@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
17259 - preempt_enable();
17260 - }
17261 -
17262 --struct pv_info pv_info = {
17263 -+struct pv_info pv_info __read_only = {
17264 - .name = "bare hardware",
17265 - .paravirt_enabled = 0,
17266 - .kernel_rpl = 0,
17267 - .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
17268 - };
17269 -
17270 --struct pv_init_ops pv_init_ops = {
17271 -+struct pv_init_ops pv_init_ops __read_only = {
17272 - .patch = native_patch,
17273 - };
17274 -
17275 --struct pv_time_ops pv_time_ops = {
17276 -+struct pv_time_ops pv_time_ops __read_only = {
17277 - .sched_clock = native_sched_clock,
17278 - };
17279 -
17280 --struct pv_irq_ops pv_irq_ops = {
17281 -+struct pv_irq_ops pv_irq_ops __read_only = {
17282 - .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
17283 - .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
17284 - .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
17285 -@@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
17286 - #endif
17287 - };
17288 -
17289 --struct pv_cpu_ops pv_cpu_ops = {
17290 -+struct pv_cpu_ops pv_cpu_ops __read_only = {
17291 - .cpuid = native_cpuid,
17292 - .get_debugreg = native_get_debugreg,
17293 - .set_debugreg = native_set_debugreg,
17294 -@@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
17295 - .end_context_switch = paravirt_nop,
17296 - };
17297 -
17298 --struct pv_apic_ops pv_apic_ops = {
17299 -+struct pv_apic_ops pv_apic_ops __read_only = {
17300 - #ifdef CONFIG_X86_LOCAL_APIC
17301 - .startup_ipi_hook = paravirt_nop,
17302 - #endif
17303 - };
17304 -
17305 --#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
17306 -+#ifdef CONFIG_X86_32
17307 -+#ifdef CONFIG_X86_PAE
17308 -+/* 64-bit pagetable entries */
17309 -+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
17310 -+#else
17311 - /* 32-bit pagetable entries */
17312 - #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
17313 -+#endif
17314 - #else
17315 - /* 64-bit pagetable entries */
17316 - #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
17317 - #endif
17318 -
17319 --struct pv_mmu_ops pv_mmu_ops = {
17320 -+struct pv_mmu_ops pv_mmu_ops __read_only = {
17321 -
17322 - .read_cr2 = native_read_cr2,
17323 - .write_cr2 = native_write_cr2,
17324 -@@ -448,6 +462,7 @@ struct pv_mmu_ops pv_mmu_ops = {
17325 - .make_pud = PTE_IDENT,
17326 -
17327 - .set_pgd = native_set_pgd,
17328 -+ .set_pgd_batched = native_set_pgd_batched,
17329 - #endif
17330 - #endif /* PAGETABLE_LEVELS >= 3 */
17331 -
17332 -@@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops = {
17333 - },
17334 -
17335 - .set_fixmap = native_set_fixmap,
17336 -+
17337 -+#ifdef CONFIG_PAX_KERNEXEC
17338 -+ .pax_open_kernel = native_pax_open_kernel,
17339 -+ .pax_close_kernel = native_pax_close_kernel,
17340 -+#endif
17341 -+
17342 - };
17343 -
17344 - EXPORT_SYMBOL_GPL(pv_time_ops);
17345 -diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c
17346 ---- linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-03-27 14:31:47.000000000 -0400
17347 -+++ linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:56:46.000000000 -0400
17348 -@@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
17349 - free_pages((unsigned long)vaddr, get_order(size));
17350 - }
17351 -
17352 --static struct dma_map_ops calgary_dma_ops = {
17353 -+static const struct dma_map_ops calgary_dma_ops = {
17354 - .alloc_coherent = calgary_alloc_coherent,
17355 - .free_coherent = calgary_free_coherent,
17356 - .map_sg = calgary_map_sg,
17357 -diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-dma.c linux-2.6.32.46/arch/x86/kernel/pci-dma.c
17358 ---- linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
17359 -+++ linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-04-17 15:56:46.000000000 -0400
17360 -@@ -14,7 +14,7 @@
17361 -
17362 - static int forbid_dac __read_mostly;
17363 -
17364 --struct dma_map_ops *dma_ops;
17365 -+const struct dma_map_ops *dma_ops;
17366 - EXPORT_SYMBOL(dma_ops);
17367 -
17368 - static int iommu_sac_force __read_mostly;
17369 -@@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
17370 -
17371 - int dma_supported(struct device *dev, u64 mask)
17372 - {
17373 -- struct dma_map_ops *ops = get_dma_ops(dev);
17374 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
17375 -
17376 - #ifdef CONFIG_PCI
17377 - if (mask > 0xffffffff && forbid_dac > 0) {
17378 -diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c
17379 ---- linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-03-27 14:31:47.000000000 -0400
17380 -+++ linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:56:46.000000000 -0400
17381 -@@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
17382 - return -1;
17383 - }
17384 -
17385 --static struct dma_map_ops gart_dma_ops = {
17386 -+static const struct dma_map_ops gart_dma_ops = {
17387 - .map_sg = gart_map_sg,
17388 - .unmap_sg = gart_unmap_sg,
17389 - .map_page = gart_map_page,
17390 -diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-nommu.c linux-2.6.32.46/arch/x86/kernel/pci-nommu.c
17391 ---- linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-03-27 14:31:47.000000000 -0400
17392 -+++ linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-04-17 15:56:46.000000000 -0400
17393 -@@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
17394 - flush_write_buffers();
17395 - }
17396 -
17397 --struct dma_map_ops nommu_dma_ops = {
17398 -+const struct dma_map_ops nommu_dma_ops = {
17399 - .alloc_coherent = dma_generic_alloc_coherent,
17400 - .free_coherent = nommu_free_coherent,
17401 - .map_sg = nommu_map_sg,
17402 -diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c
17403 ---- linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
17404 -+++ linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:56:46.000000000 -0400
17405 -@@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
17406 - return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
17407 - }
17408 -
17409 --static struct dma_map_ops swiotlb_dma_ops = {
17410 -+static const struct dma_map_ops swiotlb_dma_ops = {
17411 - .mapping_error = swiotlb_dma_mapping_error,
17412 - .alloc_coherent = x86_swiotlb_alloc_coherent,
17413 - .free_coherent = swiotlb_free_coherent,
17414 -diff -urNp linux-2.6.32.46/arch/x86/kernel/process.c linux-2.6.32.46/arch/x86/kernel/process.c
17415 ---- linux-2.6.32.46/arch/x86/kernel/process.c 2011-04-22 19:16:29.000000000 -0400
17416 -+++ linux-2.6.32.46/arch/x86/kernel/process.c 2011-08-30 18:19:52.000000000 -0400
17417 -@@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
17418 -
17419 - void free_thread_info(struct thread_info *ti)
17420 - {
17421 -- free_thread_xstate(ti->task);
17422 - free_pages((unsigned long)ti, get_order(THREAD_SIZE));
17423 - }
17424 -
17425 -+static struct kmem_cache *task_struct_cachep;
17426 -+
17427 - void arch_task_cache_init(void)
17428 - {
17429 -- task_xstate_cachep =
17430 -- kmem_cache_create("task_xstate", xstate_size,
17431 -+ /* create a slab on which task_structs can be allocated */
17432 -+ task_struct_cachep =
17433 -+ kmem_cache_create("task_struct", sizeof(struct task_struct),
17434 -+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
17435 -+
17436 -+ task_xstate_cachep =
17437 -+ kmem_cache_create("task_xstate", xstate_size,
17438 - __alignof__(union thread_xstate),
17439 -- SLAB_PANIC | SLAB_NOTRACK, NULL);
17440 -+ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
17441 -+}
17442 -+
17443 -+struct task_struct *alloc_task_struct(void)
17444 -+{
17445 -+ return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
17446 -+}
17447 -+
17448 -+void free_task_struct(struct task_struct *task)
17449 -+{
17450 -+ free_thread_xstate(task);
17451 -+ kmem_cache_free(task_struct_cachep, task);
17452 - }
17453 -
17454 - /*
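Review bot: free_thread_xstate() moves out of free_thread_info() into the new free_task_struct(), so the xstate is now released with the task_struct rather than with the stack pages, and the hunk has no comment recording that. Please document at free_thread_info() that it no longer frees xstate. Also, only the task_xstate cache gains SLAB_USERCOPY while the new task_struct cache is created without it; if that asymmetry is the point, a comment at the two kmem_cache_create() calls should say so.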
17455 -@@ -73,7 +90,7 @@ void exit_thread(void)
17456 - unsigned long *bp = t->io_bitmap_ptr;
17457 -
17458 - if (bp) {
17459 -- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
17460 -+ struct tss_struct *tss = init_tss + get_cpu();
17461 -
17462 - t->io_bitmap_ptr = NULL;
17463 - clear_thread_flag(TIF_IO_BITMAP);
17464 -@@ -93,6 +110,9 @@ void flush_thread(void)
17465 -
17466 - clear_tsk_thread_flag(tsk, TIF_DEBUG);
17467 -
17468 -+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
17469 -+ loadsegment(gs, 0);
17470 -+#endif
17471 - tsk->thread.debugreg0 = 0;
17472 - tsk->thread.debugreg1 = 0;
17473 - tsk->thread.debugreg2 = 0;
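Review bot: the added `loadsegment(gs, 0);` in flush_thread() sits under a three-way condition (CONFIG_X86_32, no CONFIG_CC_STACKPROTECTOR, no CONFIG_PAX_MEMORY_UDEREF) with no explanation of why the segment is cleared only in that combination. A comment stating what gs holds in each excluded configuration would make the condition reviewable.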
17474 -@@ -307,7 +327,7 @@ void default_idle(void)
17475 - EXPORT_SYMBOL(default_idle);
17476 - #endif
17477 -
17478 --void stop_this_cpu(void *dummy)
17479 -+__noreturn void stop_this_cpu(void *dummy)
17480 - {
17481 - local_irq_disable();
17482 - /*
17483 -@@ -568,16 +588,38 @@ static int __init idle_setup(char *str)
17484 - }
17485 - early_param("idle", idle_setup);
17486 -
17487 --unsigned long arch_align_stack(unsigned long sp)
17488 -+#ifdef CONFIG_PAX_RANDKSTACK
17489 -+void pax_randomize_kstack(struct pt_regs *regs)
17490 - {
17491 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17492 -- sp -= get_random_int() % 8192;
17493 -- return sp & ~0xf;
17494 --}
17495 -+ struct thread_struct *thread = &current->thread;
17496 -+ unsigned long time;
17497 -
17498 --unsigned long arch_randomize_brk(struct mm_struct *mm)
17499 --{
17500 -- unsigned long range_end = mm->brk + 0x02000000;
17501 -- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17502 -+ if (!randomize_va_space)
17503 -+ return;
17504 -+
17505 -+ if (v8086_mode(regs))
17506 -+ return;
17507 -+
17508 -+ rdtscl(time);
17509 -+
17510 -+ /* P4 seems to return a 0 LSB, ignore it */
17511 -+#ifdef CONFIG_MPENTIUM4
17512 -+ time &= 0x3EUL;
17513 -+ time <<= 2;
17514 -+#elif defined(CONFIG_X86_64)
17515 -+ time &= 0xFUL;
17516 -+ time <<= 4;
17517 -+#else
17518 -+ time &= 0x1FUL;
17519 -+ time <<= 3;
17520 -+#endif
17521 -+
17522 -+ thread->sp0 ^= time;
17523 -+ load_sp0(init_tss + smp_processor_id(), thread);
17524 -+
17525 -+#ifdef CONFIG_X86_64
17526 -+ percpu_write(kernel_stack, thread->sp0);
17527 -+#endif
17528 - }
17529 -+#endif
17530 -
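Review bot: the masks and shifts applied to `time` in pax_randomize_kstack() are undocumented apart from the P4 remark. `time &= 0x3EUL; time <<= 2;` and `time &= 0x1FUL; time <<= 3;` each keep five bits at 8-byte granularity, while the x86_64 branch `time &= 0xFUL; time <<= 4;` keeps four bits at 16-byte granularity; please state the intended entropy and alignment next to each branch, and note that the only source is the low bits of rdtscl(). Two further points: `thread->sp0 ^= time;` toggles bits in the previous sp0 rather than deriving the offset from a fixed base, which deserves a sentence, and this hunk deletes arch_align_stack() and arch_randomize_brk() from process.c with no replacement visible here, so the description should say where they now live.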
17531 -diff -urNp linux-2.6.32.46/arch/x86/kernel/process_32.c linux-2.6.32.46/arch/x86/kernel/process_32.c
17532 ---- linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:55:34.000000000 -0400
17533 -+++ linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:56:37.000000000 -0400
17534 -@@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
17535 - unsigned long thread_saved_pc(struct task_struct *tsk)
17536 - {
17537 - return ((unsigned long *)tsk->thread.sp)[3];
17538 -+//XXX return tsk->thread.eip;
17539 - }
17540 -
17541 - #ifndef CONFIG_SMP
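Review bot: the added `//XXX return tsk->thread.eip;` after the return statement in thread_saved_pc() is commented-out code with no explanation. Either drop it or replace it with a normal block comment saying what is still unresolved about reading the saved pc from the stack slot `[3]`.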
17542 -@@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
17543 - unsigned short ss, gs;
17544 - const char *board;
17545 -
17546 -- if (user_mode_vm(regs)) {
17547 -+ if (user_mode(regs)) {
17548 - sp = regs->sp;
17549 - ss = regs->ss & 0xffff;
17550 -- gs = get_user_gs(regs);
17551 - } else {
17552 - sp = (unsigned long) (&regs->sp);
17553 - savesegment(ss, ss);
17554 -- savesegment(gs, gs);
17555 - }
17556 -+ gs = get_user_gs(regs);
17557 -
17558 - printk("\n");
17559 -
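Review bot: `gs = get_user_gs(regs);` now runs for the kernel-mode branch of __show_regs() as well, where the removed code read the live register with `savesegment(gs, gs);`, and the test changes from user_mode_vm() to user_mode(). Both change what the register dump reports for frames that are not plain user mode. Please add a comment explaining why the saved value is the right one to print in the else branch.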
17560 -@@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
17561 - regs.bx = (unsigned long) fn;
17562 - regs.dx = (unsigned long) arg;
17563 -
17564 -- regs.ds = __USER_DS;
17565 -- regs.es = __USER_DS;
17566 -+ regs.ds = __KERNEL_DS;
17567 -+ regs.es = __KERNEL_DS;
17568 - regs.fs = __KERNEL_PERCPU;
17569 -- regs.gs = __KERNEL_STACK_CANARY;
17570 -+ savesegment(gs, regs.gs);
17571 - regs.orig_ax = -1;
17572 - regs.ip = (unsigned long) kernel_thread_helper;
17573 - regs.cs = __KERNEL_CS | get_kernel_rpl();
17574 -@@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
17575 - struct task_struct *tsk;
17576 - int err;
17577 -
17578 -- childregs = task_pt_regs(p);
17579 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
17580 - *childregs = *regs;
17581 - childregs->ax = 0;
17582 - childregs->sp = sp;
17583 -
17584 - p->thread.sp = (unsigned long) childregs;
17585 - p->thread.sp0 = (unsigned long) (childregs+1);
17586 -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17587 -
17588 - p->thread.ip = (unsigned long) ret_from_fork;
17589 -
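Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` replaces task_pt_regs(p) with open-coded arithmetic and a bare 8. The 64-bit copy_thread() does the same with 16, and get_wchan() in process_64.c repeats `THREAD_SIZE-16-sizeof(u64)` in its bounds checks. These have to stay in step, so a named constant for the reserved bytes at the top of the stack, used by all of them, would be safer than literals. The new `p->tinfo.lowest_stack` assignment also needs a one-line comment on what reads it.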
17590 -@@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
17591 - struct thread_struct *prev = &prev_p->thread,
17592 - *next = &next_p->thread;
17593 - int cpu = smp_processor_id();
17594 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
17595 -+ struct tss_struct *tss = init_tss + cpu;
17596 - bool preload_fpu;
17597 -
17598 - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
17599 -@@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
17600 - */
17601 - lazy_save_gs(prev->gs);
17602 -
17603 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
17604 -+ __set_fs(task_thread_info(next_p)->addr_limit);
17605 -+#endif
17606 -+
17607 - /*
17608 - * Load the per-thread Thread-Local Storage descriptor.
17609 - */
17610 -@@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
17611 - */
17612 - arch_end_context_switch(next_p);
17613 -
17614 -+ percpu_write(current_task, next_p);
17615 -+ percpu_write(current_tinfo, &next_p->tinfo);
17616 -+
17617 - if (preload_fpu)
17618 - __math_state_restore();
17619 -
17620 -@@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
17621 - if (prev->gs | next->gs)
17622 - lazy_load_gs(next->gs);
17623 -
17624 -- percpu_write(current_task, next_p);
17625 --
17626 - return prev_p;
17627 - }
17628 -
17629 -@@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
17630 - } while (count++ < 16);
17631 - return 0;
17632 - }
17633 --
17634 -diff -urNp linux-2.6.32.46/arch/x86/kernel/process_64.c linux-2.6.32.46/arch/x86/kernel/process_64.c
17635 ---- linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:55:34.000000000 -0400
17636 -+++ linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:56:37.000000000 -0400
17637 -@@ -91,7 +91,7 @@ static void __exit_idle(void)
17638 - void exit_idle(void)
17639 - {
17640 - /* idle loop has pid 0 */
17641 -- if (current->pid)
17642 -+ if (task_pid_nr(current))
17643 - return;
17644 - __exit_idle();
17645 - }
17646 -@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
17647 - if (!board)
17648 - board = "";
17649 - printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
17650 -- current->pid, current->comm, print_tainted(),
17651 -+ task_pid_nr(current), current->comm, print_tainted(),
17652 - init_utsname()->release,
17653 - (int)strcspn(init_utsname()->version, " "),
17654 - init_utsname()->version, board);
17655 -@@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
17656 - struct pt_regs *childregs;
17657 - struct task_struct *me = current;
17658 -
17659 -- childregs = ((struct pt_regs *)
17660 -- (THREAD_SIZE + task_stack_page(p))) - 1;
17661 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
17662 - *childregs = *regs;
17663 -
17664 - childregs->ax = 0;
17665 -@@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
17666 - p->thread.sp = (unsigned long) childregs;
17667 - p->thread.sp0 = (unsigned long) (childregs+1);
17668 - p->thread.usersp = me->thread.usersp;
17669 -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17670 -
17671 - set_tsk_thread_flag(p, TIF_FORK);
17672 -
17673 -@@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
17674 - struct thread_struct *prev = &prev_p->thread;
17675 - struct thread_struct *next = &next_p->thread;
17676 - int cpu = smp_processor_id();
17677 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
17678 -+ struct tss_struct *tss = init_tss + cpu;
17679 - unsigned fsindex, gsindex;
17680 - bool preload_fpu;
17681 -
17682 -@@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
17683 - prev->usersp = percpu_read(old_rsp);
17684 - percpu_write(old_rsp, next->usersp);
17685 - percpu_write(current_task, next_p);
17686 -+ percpu_write(current_tinfo, &next_p->tinfo);
17687 -
17688 -- percpu_write(kernel_stack,
17689 -- (unsigned long)task_stack_page(next_p) +
17690 -- THREAD_SIZE - KERNEL_STACK_OFFSET);
17691 -+ percpu_write(kernel_stack, next->sp0);
17692 -
17693 - /*
17694 - * Now maybe reload the debug registers and handle I/O bitmaps
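Review bot: `percpu_write(kernel_stack, next->sp0);` replaces a value computed from task_stack_page() and KERNEL_STACK_OFFSET with sp0, which copy_thread() in this file now places 16 bytes below the end of the stack and which pax_randomize_kstack() changes at run time. Anything that derives the stack top from kernel_stack depends on the old formula, so please add a comment here stating the new invariant and that current_tinfo, written one line above, is the way to reach thread_info from now on.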
17695 -@@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
17696 - if (!p || p == current || p->state == TASK_RUNNING)
17697 - return 0;
17698 - stack = (unsigned long)task_stack_page(p);
17699 -- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
17700 -+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
17701 - return 0;
17702 - fp = *(u64 *)(p->thread.sp);
17703 - do {
17704 -- if (fp < (unsigned long)stack ||
17705 -- fp >= (unsigned long)stack+THREAD_SIZE)
17706 -+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
17707 - return 0;
17708 - ip = *(u64 *)(fp+8);
17709 - if (!in_sched_functions(ip))
17710 -diff -urNp linux-2.6.32.46/arch/x86/kernel/ptrace.c linux-2.6.32.46/arch/x86/kernel/ptrace.c
17711 ---- linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
17712 -+++ linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-04-17 15:56:46.000000000 -0400
17713 -@@ -925,7 +925,7 @@ static const struct user_regset_view use
17714 - long arch_ptrace(struct task_struct *child, long request, long addr, long data)
17715 - {
17716 - int ret;
17717 -- unsigned long __user *datap = (unsigned long __user *)data;
17718 -+ unsigned long __user *datap = (__force unsigned long __user *)data;
17719 -
17720 - switch (request) {
17721 - /* read the word at location addr in the USER area. */
17722 -@@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
17723 - if (addr < 0)
17724 - return -EIO;
17725 - ret = do_get_thread_area(child, addr,
17726 -- (struct user_desc __user *) data);
17727 -+ (__force struct user_desc __user *) data);
17728 - break;
17729 -
17730 - case PTRACE_SET_THREAD_AREA:
17731 - if (addr < 0)
17732 - return -EIO;
17733 - ret = do_set_thread_area(child, addr,
17734 -- (struct user_desc __user *) data, 0);
17735 -+ (__force struct user_desc __user *) data, 0);
17736 - break;
17737 - #endif
17738 -
17739 -@@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
17740 - #ifdef CONFIG_X86_PTRACE_BTS
17741 - case PTRACE_BTS_CONFIG:
17742 - ret = ptrace_bts_config
17743 -- (child, data, (struct ptrace_bts_config __user *)addr);
17744 -+ (child, data, (__force struct ptrace_bts_config __user *)addr);
17745 - break;
17746 -
17747 - case PTRACE_BTS_STATUS:
17748 - ret = ptrace_bts_status
17749 -- (child, data, (struct ptrace_bts_config __user *)addr);
17750 -+ (child, data, (__force struct ptrace_bts_config __user *)addr);
17751 - break;
17752 -
17753 - case PTRACE_BTS_SIZE:
17754 -@@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
17755 -
17756 - case PTRACE_BTS_GET:
17757 - ret = ptrace_bts_read_record
17758 -- (child, data, (struct bts_struct __user *) addr);
17759 -+ (child, data, (__force struct bts_struct __user *) addr);
17760 - break;
17761 -
17762 - case PTRACE_BTS_CLEAR:
17763 -@@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
17764 -
17765 - case PTRACE_BTS_DRAIN:
17766 - ret = ptrace_bts_drain
17767 -- (child, data, (struct bts_struct __user *) addr);
17768 -+ (child, data, (__force struct bts_struct __user *) addr);
17769 - break;
17770 - #endif /* CONFIG_X86_PTRACE_BTS */
17771 -
17772 -@@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
17773 - info.si_code = si_code;
17774 -
17775 - /* User-mode ip? */
17776 -- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
17777 -+ info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
17778 -
17779 - /* Send us the fake SIGTRAP */
17780 - force_sig_info(SIGTRAP, &info, tsk);
17781 -@@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
17782 - * We must return the syscall number to actually look up in the table.
17783 - * This can be -1L to skip running any syscall at all.
17784 - */
17785 --asmregparm long syscall_trace_enter(struct pt_regs *regs)
17786 -+long syscall_trace_enter(struct pt_regs *regs)
17787 - {
17788 - long ret = 0;
17789 -
17790 -@@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
17791 - return ret ?: regs->orig_ax;
17792 - }
17793 -
17794 --asmregparm void syscall_trace_leave(struct pt_regs *regs)
17795 -+void syscall_trace_leave(struct pt_regs *regs)
17796 - {
17797 - if (unlikely(current->audit_context))
17798 - audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
17799 -diff -urNp linux-2.6.32.46/arch/x86/kernel/reboot.c linux-2.6.32.46/arch/x86/kernel/reboot.c
17800 ---- linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:35:28.000000000 -0400
17801 -+++ linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:33:59.000000000 -0400
17802 -@@ -33,7 +33,7 @@ void (*pm_power_off)(void);
17803 - EXPORT_SYMBOL(pm_power_off);
17804 -
17805 - static const struct desc_ptr no_idt = {};
17806 --static int reboot_mode;
17807 -+static unsigned short reboot_mode;
17808 - enum reboot_type reboot_type = BOOT_KBD;
17809 - int reboot_force;
17810 -
17811 -@@ -292,12 +292,12 @@ core_initcall(reboot_init);
17812 - controller to pulse the CPU reset line, which is more thorough, but
17813 - doesn't work with at least one type of 486 motherboard. It is easy
17814 - to stop this code working; hence the copious comments. */
17815 --static const unsigned long long
17816 --real_mode_gdt_entries [3] =
17817 -+static struct desc_struct
17818 -+real_mode_gdt_entries [3] __read_only =
17819 - {
17820 -- 0x0000000000000000ULL, /* Null descriptor */
17821 -- 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
17822 -- 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
17823 -+ GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
17824 -+ GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
17825 -+ GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
17826 - };
17827 -
17828 - static const struct desc_ptr
17829 -@@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
17830 - * specified by the code and length parameters.
17831 - * We assume that length will aways be less that 100!
17832 - */
17833 --void machine_real_restart(const unsigned char *code, int length)
17834 -+__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
17835 - {
17836 - local_irq_disable();
17837 -
17838 -@@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
17839 - /* Remap the kernel at virtual address zero, as well as offset zero
17840 - from the kernel segment. This assumes the kernel segment starts at
17841 - virtual address PAGE_OFFSET. */
17842 -- memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17843 -- sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
17844 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17845 -+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
17846 -
17847 - /*
17848 - * Use `swapper_pg_dir' as our page directory.
17849 -@@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
17850 - boot)". This seems like a fairly standard thing that gets set by
17851 - REBOOT.COM programs, and the previous reset routine did this
17852 - too. */
17853 -- *((unsigned short *)0x472) = reboot_mode;
17854 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
17855 -
17856 - /* For the switch to real mode, copy some code to low memory. It has
17857 - to be in the first 64k because it is running in 16-bit mode, and it
17858 - has to have the same physical and virtual address, because it turns
17859 - off paging. Copy it near the end of the first page, out of the way
17860 - of BIOS variables. */
17861 -- memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
17862 -- real_mode_switch, sizeof (real_mode_switch));
17863 -- memcpy((void *)(0x1000 - 100), code, length);
17864 -+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
17865 -+ memcpy(__va(0x1000 - 100), code, length);
17866 -
17867 - /* Set up the IDT for real mode. */
17868 - load_idt(&real_mode_idt);
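Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies a caller-supplied `length` into the 100 bytes below 0x1000 with no bound check. The function comment only states the assumption that length is less than 100. Making `length` an `unsigned int` removes the negative case but not the oversize one, so reject or clamp `length > 100` before the copy and document the limit next to the `__va()` destinations.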
17869 -@@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
17870 - __asm__ __volatile__ ("ljmp $0x0008,%0"
17871 - :
17872 - : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
17873 -+ do { } while (1);
17874 - }
17875 - #ifdef CONFIG_APM_MODULE
17876 - EXPORT_SYMBOL(machine_real_restart);
17877 -@@ -544,7 +544,7 @@ void __attribute__((weak)) mach_reboot_f
17878 - {
17879 - }
17880 -
17881 --static void native_machine_emergency_restart(void)
17882 -+__noreturn static void native_machine_emergency_restart(void)
17883 - {
17884 - int i;
17885 -
17886 -@@ -659,13 +659,13 @@ void native_machine_shutdown(void)
17887 - #endif
17888 - }
17889 -
17890 --static void __machine_emergency_restart(int emergency)
17891 -+static __noreturn void __machine_emergency_restart(int emergency)
17892 - {
17893 - reboot_emergency = emergency;
17894 - machine_ops.emergency_restart();
17895 - }
17896 -
17897 --static void native_machine_restart(char *__unused)
17898 -+static __noreturn void native_machine_restart(char *__unused)
17899 - {
17900 - printk("machine restart\n");
17901 -
17902 -@@ -674,7 +674,7 @@ static void native_machine_restart(char
17903 - __machine_emergency_restart(0);
17904 - }
17905 -
17906 --static void native_machine_halt(void)
17907 -+static __noreturn void native_machine_halt(void)
17908 - {
17909 - /* stop other cpus and apics */
17910 - machine_shutdown();
17911 -@@ -685,7 +685,7 @@ static void native_machine_halt(void)
17912 - stop_this_cpu(NULL);
17913 - }
17914 -
17915 --static void native_machine_power_off(void)
17916 -+__noreturn static void native_machine_power_off(void)
17917 - {
17918 - if (pm_power_off) {
17919 - if (!reboot_force)
17920 -@@ -694,6 +694,7 @@ static void native_machine_power_off(voi
17921 - }
17922 - /* a fallback in case there is no PM info available */
17923 - tboot_shutdown(TB_SHUTDOWN_HALT);
17924 -+ do { } while (1);
17925 - }
17926 -
17927 - struct machine_ops machine_ops = {
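Review bot: the bare `do { } while (1);` after `tboot_shutdown(TB_SHUTDOWN_HALT)` is the only thing that makes the new `__noreturn` on `native_machine_power_off()` true, and it has no comment. `tboot_shutdown()` returns early when `!tboot_enabled()`, so this path is reachable. Say so in a comment and consider a halting loop instead of a silent busy spin. The attribute placement is also inconsistent within this file (`__noreturn static void` here, `static __noreturn void` for `native_machine_halt()`); pick one order.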
17928 -diff -urNp linux-2.6.32.46/arch/x86/kernel/setup.c linux-2.6.32.46/arch/x86/kernel/setup.c
17929 ---- linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:00:52.000000000 -0400
17930 -+++ linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:03:05.000000000 -0400
17931 -@@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
17932 -
17933 - if (!boot_params.hdr.root_flags)
17934 - root_mountflags &= ~MS_RDONLY;
17935 -- init_mm.start_code = (unsigned long) _text;
17936 -- init_mm.end_code = (unsigned long) _etext;
17937 -+ init_mm.start_code = ktla_ktva((unsigned long) _text);
17938 -+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
17939 - init_mm.end_data = (unsigned long) _edata;
17940 - init_mm.brk = _brk_end;
17941 -
17942 -- code_resource.start = virt_to_phys(_text);
17943 -- code_resource.end = virt_to_phys(_etext)-1;
17944 -- data_resource.start = virt_to_phys(_etext);
17945 -+ code_resource.start = virt_to_phys(ktla_ktva(_text));
17946 -+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17947 -+ data_resource.start = virt_to_phys(_sdata);
17948 - data_resource.end = virt_to_phys(_edata)-1;
17949 - bss_resource.start = virt_to_phys(&__bss_start);
17950 - bss_resource.end = virt_to_phys(&__bss_stop)-1;
17951 -diff -urNp linux-2.6.32.46/arch/x86/kernel/setup_percpu.c linux-2.6.32.46/arch/x86/kernel/setup_percpu.c
17952 ---- linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-03-27 14:31:47.000000000 -0400
17953 -+++ linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-06-04 20:36:29.000000000 -0400
17954 -@@ -25,19 +25,17 @@
17955 - # define DBG(x...)
17956 - #endif
17957 -
17958 --DEFINE_PER_CPU(int, cpu_number);
17959 -+#ifdef CONFIG_SMP
17960 -+DEFINE_PER_CPU(unsigned int, cpu_number);
17961 - EXPORT_PER_CPU_SYMBOL(cpu_number);
17962 -+#endif
17963 -
17964 --#ifdef CONFIG_X86_64
17965 - #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17966 --#else
17967 --#define BOOT_PERCPU_OFFSET 0
17968 --#endif
17969 -
17970 - DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17971 - EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17972 -
17973 --unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17974 -+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17975 - [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17976 - };
17977 - EXPORT_SYMBOL(__per_cpu_offset);
17978 -@@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
17979 - {
17980 - #ifdef CONFIG_X86_32
17981 - struct desc_struct gdt;
17982 -+ unsigned long base = per_cpu_offset(cpu);
17983 -
17984 -- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17985 -- 0x2 | DESCTYPE_S, 0x8);
17986 -- gdt.s = 1;
17987 -+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17988 -+ 0x83 | DESCTYPE_S, 0xC);
17989 - write_gdt_entry(get_cpu_gdt_table(cpu),
17990 - GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17991 - #endif
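Review bot: the new `pack_descriptor()` arguments replace `0x2 | DESCTYPE_S, 0x8` with `0x83 | DESCTYPE_S, 0xC` and a limit of `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, with no comment on what the extra type and flag bits select or why the limit stops at `VMALLOC_END`. Add a one-line comment naming the bits, and state the assumption that `base` is below `VMALLOC_END`, since the subtraction wraps otherwise. The removal of `gdt.s = 1` should be mentioned as intentional.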
17992 -@@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
17993 - /* alrighty, percpu areas up and running */
17994 - delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17995 - for_each_possible_cpu(cpu) {
17996 -+#ifdef CONFIG_CC_STACKPROTECTOR
17997 -+#ifdef CONFIG_X86_32
17998 -+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
17999 -+#endif
18000 -+#endif
18001 - per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
18002 - per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
18003 - per_cpu(cpu_number, cpu) = cpu;
18004 -@@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
18005 - early_per_cpu_map(x86_cpu_to_node_map, cpu);
18006 - #endif
18007 - #endif
18008 -+#ifdef CONFIG_CC_STACKPROTECTOR
18009 -+#ifdef CONFIG_X86_32
18010 -+ if (!cpu)
18011 -+ per_cpu(stack_canary.canary, cpu) = canary;
18012 -+#endif
18013 -+#endif
18014 - /*
18015 - * Up to this point, the boot CPU has been using .data.init
18016 - * area. Reload any changed state for the boot CPU.
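Review bot: `canary` is read from `per_cpu(stack_canary.canary, cpu)` at the top of the loop for every CPU, but it is written back only under `if (!cpu)`, and neither hunk explains why the boot CPU's value has to survive the per-cpu area switch. Add a comment stating that, and either read the value only for CPU 0 or drop the `if (!cpu)` if all CPUs are meant to keep it. The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pairs would read better as a single `#if defined(...) && defined(...)`.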
18017 -diff -urNp linux-2.6.32.46/arch/x86/kernel/signal.c linux-2.6.32.46/arch/x86/kernel/signal.c
18018 ---- linux-2.6.32.46/arch/x86/kernel/signal.c 2011-03-27 14:31:47.000000000 -0400
18019 -+++ linux-2.6.32.46/arch/x86/kernel/signal.c 2011-05-22 23:02:03.000000000 -0400
18020 -@@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
18021 - * Align the stack pointer according to the i386 ABI,
18022 - * i.e. so that on function entry ((sp + 4) & 15) == 0.
18023 - */
18024 -- sp = ((sp + 4) & -16ul) - 4;
18025 -+ sp = ((sp - 12) & -16ul) - 4;
18026 - #else /* !CONFIG_X86_32 */
18027 - sp = round_down(sp, 16) - 8;
18028 - #endif
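Review bot: `sp = ((sp - 12) & -16ul) - 4;` places the frame exactly 16 bytes lower than the old `((sp + 4) & -16ul) - 4`, and both forms satisfy the `((sp + 4) & 15) == 0` rule in the comment above, so the comment no longer explains the expression. Extend the comment with the reason for the extra 16 bytes; as written, the change looks like an arithmetic slip rather than a deliberate adjustment.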
18029 -@@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
18030 - * Return an always-bogus address instead so we will die with SIGSEGV.
18031 - */
18032 - if (onsigstack && !likely(on_sig_stack(sp)))
18033 -- return (void __user *)-1L;
18034 -+ return (__force void __user *)-1L;
18035 -
18036 - /* save i387 state */
18037 - if (used_math() && save_i387_xstate(*fpstate) < 0)
18038 -- return (void __user *)-1L;
18039 -+ return (__force void __user *)-1L;
18040 -
18041 - return (void __user *)sp;
18042 - }
18043 -@@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
18044 - }
18045 -
18046 - if (current->mm->context.vdso)
18047 -- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
18048 -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
18049 - else
18050 -- restorer = &frame->retcode;
18051 -+ restorer = (void __user *)&frame->retcode;
18052 - if (ka->sa.sa_flags & SA_RESTORER)
18053 - restorer = ka->sa.sa_restorer;
18054 -
18055 -@@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
18056 - * reasons and because gdb uses it as a signature to notice
18057 - * signal handler stack frames.
18058 - */
18059 -- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
18060 -+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
18061 -
18062 - if (err)
18063 - return -EFAULT;
18064 -@@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
18065 - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
18066 -
18067 - /* Set up to return from userspace. */
18068 -- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
18069 -+ if (current->mm->context.vdso)
18070 -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
18071 -+ else
18072 -+ restorer = (void __user *)&frame->retcode;
18073 - if (ka->sa.sa_flags & SA_RESTORER)
18074 - restorer = ka->sa.sa_restorer;
18075 - put_user_ex(restorer, &frame->pretcode);
18076 -@@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
18077 - * reasons and because gdb uses it as a signature to notice
18078 - * signal handler stack frames.
18079 - */
18080 -- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
18081 -+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
18082 - } put_user_catch(err);
18083 -
18084 - if (err)
18085 -@@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
18086 - int signr;
18087 - sigset_t *oldset;
18088 -
18089 -+ pax_track_stack();
18090 -+
18091 - /*
18092 - * We want the common case to go fast, which is why we may in certain
18093 - * cases get here from kernel mode. Just return without doing anything
18094 -@@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
18095 - * X86_32: vm86 regs switched out by assembly code before reaching
18096 - * here, so testing against kernel CS suffices.
18097 - */
18098 -- if (!user_mode(regs))
18099 -+ if (!user_mode_novm(regs))
18100 - return;
18101 -
18102 - if (current_thread_info()->status & TS_RESTORE_SIGMASK)
18103 -diff -urNp linux-2.6.32.46/arch/x86/kernel/smpboot.c linux-2.6.32.46/arch/x86/kernel/smpboot.c
18104 ---- linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-03-27 14:31:47.000000000 -0400
18105 -+++ linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-07-01 19:10:03.000000000 -0400
18106 -@@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
18107 - */
18108 - static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
18109 -
18110 --void cpu_hotplug_driver_lock()
18111 -+void cpu_hotplug_driver_lock(void)
18112 - {
18113 -- mutex_lock(&x86_cpu_hotplug_driver_mutex);
18114 -+ mutex_lock(&x86_cpu_hotplug_driver_mutex);
18115 - }
18116 -
18117 --void cpu_hotplug_driver_unlock()
18118 -+void cpu_hotplug_driver_unlock(void)
18119 - {
18120 -- mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18121 -+ mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18122 - }
18123 -
18124 - ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
18125 -@@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
18126 - * target processor state.
18127 - */
18128 - startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
18129 -- (unsigned long)stack_start.sp);
18130 -+ stack_start);
18131 -
18132 - /*
18133 - * Run STARTUP IPI loop.
18134 -@@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
18135 - set_idle_for_cpu(cpu, c_idle.idle);
18136 - do_rest:
18137 - per_cpu(current_task, cpu) = c_idle.idle;
18138 -+ per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
18139 - #ifdef CONFIG_X86_32
18140 - /* Stack for startup_32 can be just as for start_secondary onwards */
18141 - irq_ctx_init(cpu);
18142 -@@ -750,13 +751,15 @@ do_rest:
18143 - #else
18144 - clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
18145 - initial_gs = per_cpu_offset(cpu);
18146 -- per_cpu(kernel_stack, cpu) =
18147 -- (unsigned long)task_stack_page(c_idle.idle) -
18148 -- KERNEL_STACK_OFFSET + THREAD_SIZE;
18149 -+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
18150 - #endif
18151 -+
18152 -+ pax_open_kernel();
18153 - early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
18154 -+ pax_close_kernel();
18155 -+
18156 - initial_code = (unsigned long)start_secondary;
18157 -- stack_start.sp = (void *) c_idle.idle->thread.sp;
18158 -+ stack_start = c_idle.idle->thread.sp;
18159 -
18160 - /* start_ip had better be page-aligned! */
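Review bot: `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;` replaces the named `KERNEL_STACK_OFFSET` with a literal `16`. If the offset is meant to differ under this patch, change the macro's definition or add a new named constant so every user of the offset stays in sync; a bare number here will drift from the entry code that depends on the same value. The `pax_open_kernel()` / `pax_close_kernel()` pair around the `early_gdt_descr.address` store could also use a short comment saying the descriptor is now read-only.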
18161 - start_ip = setup_trampoline();
18162 -@@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
18163 -
18164 - per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
18165 -
18166 -+#ifdef CONFIG_PAX_PER_CPU_PGD
18167 -+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
18168 -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18169 -+ KERNEL_PGD_PTRS);
18170 -+#endif
18171 -+
18172 - err = do_boot_cpu(apicid, cpu);
18173 -
18174 - if (err) {
18175 -diff -urNp linux-2.6.32.46/arch/x86/kernel/step.c linux-2.6.32.46/arch/x86/kernel/step.c
18176 ---- linux-2.6.32.46/arch/x86/kernel/step.c 2011-03-27 14:31:47.000000000 -0400
18177 -+++ linux-2.6.32.46/arch/x86/kernel/step.c 2011-04-17 15:56:46.000000000 -0400
18178 -@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
18179 - struct desc_struct *desc;
18180 - unsigned long base;
18181 -
18182 -- seg &= ~7UL;
18183 -+ seg >>= 3;
18184 -
18185 - mutex_lock(&child->mm->context.lock);
18186 -- if (unlikely((seg >> 3) >= child->mm->context.size))
18187 -+ if (unlikely(seg >= child->mm->context.size))
18188 - addr = -1L; /* bogus selector, access would fault */
18189 - else {
18190 - desc = child->mm->context.ldt + seg;
18191 -@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
18192 - addr += base;
18193 - }
18194 - mutex_unlock(&child->mm->context.lock);
18195 -- }
18196 -+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
18197 -+ addr = ktla_ktva(addr);
18198 -
18199 - return addr;
18200 - }
18201 -@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
18202 - unsigned char opcode[15];
18203 - unsigned long addr = convert_ip_to_linear(child, regs);
18204 -
18205 -+ if (addr == -EINVAL)
18206 -+ return 0;
18207 -+
18208 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
18209 - for (i = 0; i < copied; i++) {
18210 - switch (opcode[i]) {
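Review bot: the new guard `if (addr == -EINVAL) return 0;` does not match the failure value that `convert_ip_to_linear()` produces in the lines shown, where a bogus selector yields `addr = -1L`. Unless another path returns `-EINVAL`, the check never fires and `access_process_vm()` is still called with the bogus address. Compare against `-1L`, or make both sides use one named error value.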
18211 -@@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
18212 -
18213 - #ifdef CONFIG_X86_64
18214 - case 0x40 ... 0x4f:
18215 -- if (regs->cs != __USER_CS)
18216 -+ if ((regs->cs & 0xffff) != __USER_CS)
18217 - /* 32-bit mode: register increment */
18218 - return 0;
18219 - /* 64-bit mode: REX prefix */
18220 -diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c
18221 ---- linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-03-27 14:31:47.000000000 -0400
18222 -+++ linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:56:46.000000000 -0400
18223 -@@ -24,6 +24,21 @@
18224 -
18225 - #include <asm/syscalls.h>
18226 -
18227 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
18228 -+{
18229 -+ unsigned long pax_task_size = TASK_SIZE;
18230 -+
18231 -+#ifdef CONFIG_PAX_SEGMEXEC
18232 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
18233 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
18234 -+#endif
18235 -+
18236 -+ if (len > pax_task_size || addr > pax_task_size - len)
18237 -+ return -EINVAL;
18238 -+
18239 -+ return 0;
18240 -+}
18241 -+
18242 - /*
18243 - * Perform the select(nd, in, out, ex, tv) and mmap() system
18244 - * calls. Linux/i386 didn't use to be able to handle more than
18245 -@@ -58,6 +73,212 @@ out:
18246 - return err;
18247 - }
18248 -
18249 -+unsigned long
18250 -+arch_get_unmapped_area(struct file *filp, unsigned long addr,
18251 -+ unsigned long len, unsigned long pgoff, unsigned long flags)
18252 -+{
18253 -+ struct mm_struct *mm = current->mm;
18254 -+ struct vm_area_struct *vma;
18255 -+ unsigned long start_addr, pax_task_size = TASK_SIZE;
18256 -+
18257 -+#ifdef CONFIG_PAX_SEGMEXEC
18258 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18259 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
18260 -+#endif
18261 -+
18262 -+ pax_task_size -= PAGE_SIZE;
18263 -+
18264 -+ if (len > pax_task_size)
18265 -+ return -ENOMEM;
18266 -+
18267 -+ if (flags & MAP_FIXED)
18268 -+ return addr;
18269 -+
18270 -+#ifdef CONFIG_PAX_RANDMMAP
18271 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18272 -+#endif
18273 -+
18274 -+ if (addr) {
18275 -+ addr = PAGE_ALIGN(addr);
18276 -+ if (pax_task_size - len >= addr) {
18277 -+ vma = find_vma(mm, addr);
18278 -+ if (check_heap_stack_gap(vma, addr, len))
18279 -+ return addr;
18280 -+ }
18281 -+ }
18282 -+ if (len > mm->cached_hole_size) {
18283 -+ start_addr = addr = mm->free_area_cache;
18284 -+ } else {
18285 -+ start_addr = addr = mm->mmap_base;
18286 -+ mm->cached_hole_size = 0;
18287 -+ }
18288 -+
18289 -+#ifdef CONFIG_PAX_PAGEEXEC
18290 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
18291 -+ start_addr = 0x00110000UL;
18292 -+
18293 -+#ifdef CONFIG_PAX_RANDMMAP
18294 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18295 -+ start_addr += mm->delta_mmap & 0x03FFF000UL;
18296 -+#endif
18297 -+
18298 -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
18299 -+ start_addr = addr = mm->mmap_base;
18300 -+ else
18301 -+ addr = start_addr;
18302 -+ }
18303 -+#endif
18304 -+
18305 -+full_search:
18306 -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18307 -+ /* At this point: (!vma || addr < vma->vm_end). */
18308 -+ if (pax_task_size - len < addr) {
18309 -+ /*
18310 -+ * Start a new search - just in case we missed
18311 -+ * some holes.
18312 -+ */
18313 -+ if (start_addr != mm->mmap_base) {
18314 -+ start_addr = addr = mm->mmap_base;
18315 -+ mm->cached_hole_size = 0;
18316 -+ goto full_search;
18317 -+ }
18318 -+ return -ENOMEM;
18319 -+ }
18320 -+ if (check_heap_stack_gap(vma, addr, len))
18321 -+ break;
18322 -+ if (addr + mm->cached_hole_size < vma->vm_start)
18323 -+ mm->cached_hole_size = vma->vm_start - addr;
18324 -+ addr = vma->vm_end;
18325 -+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
18326 -+ start_addr = addr = mm->mmap_base;
18327 -+ mm->cached_hole_size = 0;
18328 -+ goto full_search;
18329 -+ }
18330 -+ }
18331 -+
18332 -+ /*
18333 -+ * Remember the place where we stopped the search:
18334 -+ */
18335 -+ mm->free_area_cache = addr + len;
18336 -+ return addr;
18337 -+}
18338 -+
18339 -+unsigned long
18340 -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
18341 -+ const unsigned long len, const unsigned long pgoff,
18342 -+ const unsigned long flags)
18343 -+{
18344 -+ struct vm_area_struct *vma;
18345 -+ struct mm_struct *mm = current->mm;
18346 -+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
18347 -+
18348 -+#ifdef CONFIG_PAX_SEGMEXEC
18349 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18350 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
18351 -+#endif
18352 -+
18353 -+ pax_task_size -= PAGE_SIZE;
18354 -+
18355 -+ /* requested length too big for entire address space */
18356 -+ if (len > pax_task_size)
18357 -+ return -ENOMEM;
18358 -+
18359 -+ if (flags & MAP_FIXED)
18360 -+ return addr;
18361 -+
18362 -+#ifdef CONFIG_PAX_PAGEEXEC
18363 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
18364 -+ goto bottomup;
18365 -+#endif
18366 -+
18367 -+#ifdef CONFIG_PAX_RANDMMAP
18368 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18369 -+#endif
18370 -+
18371 -+ /* requesting a specific address */
18372 -+ if (addr) {
18373 -+ addr = PAGE_ALIGN(addr);
18374 -+ if (pax_task_size - len >= addr) {
18375 -+ vma = find_vma(mm, addr);
18376 -+ if (check_heap_stack_gap(vma, addr, len))
18377 -+ return addr;
18378 -+ }
18379 -+ }
18380 -+
18381 -+ /* check if free_area_cache is useful for us */
18382 -+ if (len <= mm->cached_hole_size) {
18383 -+ mm->cached_hole_size = 0;
18384 -+ mm->free_area_cache = mm->mmap_base;
18385 -+ }
18386 -+
18387 -+ /* either no address requested or can't fit in requested address hole */
18388 -+ addr = mm->free_area_cache;
18389 -+
18390 -+ /* make sure it can fit in the remaining address space */
18391 -+ if (addr > len) {
18392 -+ vma = find_vma(mm, addr-len);
18393 -+ if (check_heap_stack_gap(vma, addr - len, len))
18394 -+ /* remember the address as a hint for next time */
18395 -+ return (mm->free_area_cache = addr-len);
18396 -+ }
18397 -+
18398 -+ if (mm->mmap_base < len)
18399 -+ goto bottomup;
18400 -+
18401 -+ addr = mm->mmap_base-len;
18402 -+
18403 -+ do {
18404 -+ /*
18405 -+ * Lookup failure means no vma is above this address,
18406 -+ * else if new region fits below vma->vm_start,
18407 -+ * return with success:
18408 -+ */
18409 -+ vma = find_vma(mm, addr);
18410 -+ if (check_heap_stack_gap(vma, addr, len))
18411 -+ /* remember the address as a hint for next time */
18412 -+ return (mm->free_area_cache = addr);
18413 -+
18414 -+ /* remember the largest hole we saw so far */
18415 -+ if (addr + mm->cached_hole_size < vma->vm_start)
18416 -+ mm->cached_hole_size = vma->vm_start - addr;
18417 -+
18418 -+ /* try just below the current vma->vm_start */
18419 -+ addr = skip_heap_stack_gap(vma, len);
18420 -+ } while (!IS_ERR_VALUE(addr));
18421 -+
18422 -+bottomup:
18423 -+ /*
18424 -+ * A failed mmap() very likely causes application failure,
18425 -+ * so fall back to the bottom-up function here. This scenario
18426 -+ * can happen with large stack limits and large mmap()
18427 -+ * allocations.
18428 -+ */
18429 -+
18430 -+#ifdef CONFIG_PAX_SEGMEXEC
18431 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18432 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18433 -+ else
18434 -+#endif
18435 -+
18436 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
18437 -+
18438 -+#ifdef CONFIG_PAX_RANDMMAP
18439 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18440 -+ mm->mmap_base += mm->delta_mmap;
18441 -+#endif
18442 -+
18443 -+ mm->free_area_cache = mm->mmap_base;
18444 -+ mm->cached_hole_size = ~0UL;
18445 -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18446 -+ /*
18447 -+ * Restore the topdown base:
18448 -+ */
18449 -+ mm->mmap_base = base;
18450 -+ mm->free_area_cache = base;
18451 -+ mm->cached_hole_size = ~0UL;
18452 -+
18453 -+ return addr;
18454 -+}
18455 -
18456 - struct sel_arg_struct {
18457 - unsigned long n;
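Review bot: in both new allocators the statement `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` sits inside `#ifdef CONFIG_PAX_RANDMMAP` with no body of its own, so it silently governs the `if (addr) { ... }` block that follows after a blank line (and, in the topdown variant, after a comment). This is easy to break when someone inserts a statement between them. Wrap the hint handling in explicit braces or fold the flag test into the `if (addr)` condition with the `#ifdef` around that term. The constants `0x00110000UL` and `0x03FFF000UL` in the PAGEEXEC branch also need a comment saying what range they describe.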
18458 -@@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
18459 - return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
18460 - case SEMTIMEDOP:
18461 - return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
18462 -- (const struct timespec __user *)fifth);
18463 -+ (__force const struct timespec __user *)fifth);
18464 -
18465 - case SEMGET:
18466 - return sys_semget(first, second, third);
18467 -@@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
18468 - ret = do_shmat(first, (char __user *) ptr, second, &raddr);
18469 - if (ret)
18470 - return ret;
18471 -- return put_user(raddr, (ulong __user *) third);
18472 -+ return put_user(raddr, (__force ulong __user *) third);
18473 - }
18474 - case 1: /* iBCS2 emulator entry point */
18475 - if (!segment_eq(get_fs(), get_ds()))
18476 -@@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
18477 -
18478 - return error;
18479 - }
18480 --
18481 --
18482 --/*
18483 -- * Do a system call from kernel instead of calling sys_execve so we
18484 -- * end up with proper pt_regs.
18485 -- */
18486 --int kernel_execve(const char *filename, char *const argv[], char *const envp[])
18487 --{
18488 -- long __res;
18489 -- asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
18490 -- : "=a" (__res)
18491 -- : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
18492 -- return __res;
18493 --}
18494 -diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c
18495 ---- linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-03-27 14:31:47.000000000 -0400
18496 -+++ linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:56:46.000000000 -0400
18497 -@@ -32,8 +32,8 @@ out:
18498 - return error;
18499 - }
18500 -
18501 --static void find_start_end(unsigned long flags, unsigned long *begin,
18502 -- unsigned long *end)
18503 -+static void find_start_end(struct mm_struct *mm, unsigned long flags,
18504 -+ unsigned long *begin, unsigned long *end)
18505 - {
18506 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
18507 - unsigned long new_begin;
18508 -@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
18509 - *begin = new_begin;
18510 - }
18511 - } else {
18512 -- *begin = TASK_UNMAPPED_BASE;
18513 -+ *begin = mm->mmap_base;
18514 - *end = TASK_SIZE;
18515 - }
18516 - }
18517 -@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
18518 - if (flags & MAP_FIXED)
18519 - return addr;
18520 -
18521 -- find_start_end(flags, &begin, &end);
18522 -+ find_start_end(mm, flags, &begin, &end);
18523 -
18524 - if (len > end)
18525 - return -ENOMEM;
18526 -
18527 -+#ifdef CONFIG_PAX_RANDMMAP
18528 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18529 -+#endif
18530 -+
18531 - if (addr) {
18532 - addr = PAGE_ALIGN(addr);
18533 - vma = find_vma(mm, addr);
18534 -- if (end - len >= addr &&
18535 -- (!vma || addr + len <= vma->vm_start))
18536 -+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
18537 - return addr;
18538 - }
18539 - if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
18540 -@@ -106,7 +109,7 @@ full_search:
18541 - }
18542 - return -ENOMEM;
18543 - }
18544 -- if (!vma || addr + len <= vma->vm_start) {
18545 -+ if (check_heap_stack_gap(vma, addr, len)) {
18546 - /*
18547 - * Remember the place where we stopped the search:
18548 - */
18549 -@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
18550 - {
18551 - struct vm_area_struct *vma;
18552 - struct mm_struct *mm = current->mm;
18553 -- unsigned long addr = addr0;
18554 -+ unsigned long base = mm->mmap_base, addr = addr0;
18555 -
18556 - /* requested length too big for entire address space */
18557 - if (len > TASK_SIZE)
18558 -@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
18559 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
18560 - goto bottomup;
18561 -
18562 -+#ifdef CONFIG_PAX_RANDMMAP
18563 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18564 -+#endif
18565 -+
18566 - /* requesting a specific address */
18567 - if (addr) {
18568 - addr = PAGE_ALIGN(addr);
18569 -- vma = find_vma(mm, addr);
18570 -- if (TASK_SIZE - len >= addr &&
18571 -- (!vma || addr + len <= vma->vm_start))
18572 -- return addr;
18573 -+ if (TASK_SIZE - len >= addr) {
18574 -+ vma = find_vma(mm, addr);
18575 -+ if (check_heap_stack_gap(vma, addr, len))
18576 -+ return addr;
18577 -+ }
18578 - }
18579 -
18580 - /* check if free_area_cache is useful for us */
18581 -@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
18582 - /* make sure it can fit in the remaining address space */
18583 - if (addr > len) {
18584 - vma = find_vma(mm, addr-len);
18585 -- if (!vma || addr <= vma->vm_start)
18586 -+ if (check_heap_stack_gap(vma, addr - len, len))
18587 - /* remember the address as a hint for next time */
18588 - return mm->free_area_cache = addr-len;
18589 - }
18590 -@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
18591 - * return with success:
18592 - */
18593 - vma = find_vma(mm, addr);
18594 -- if (!vma || addr+len <= vma->vm_start)
18595 -+ if (check_heap_stack_gap(vma, addr, len))
18596 - /* remember the address as a hint for next time */
18597 - return mm->free_area_cache = addr;
18598 -
18599 -@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
18600 - mm->cached_hole_size = vma->vm_start - addr;
18601 -
18602 - /* try just below the current vma->vm_start */
18603 -- addr = vma->vm_start-len;
18604 -- } while (len < vma->vm_start);
18605 -+ addr = skip_heap_stack_gap(vma, len);
18606 -+ } while (!IS_ERR_VALUE(addr));
18607 -
18608 - bottomup:
18609 - /*
18610 -@@ -198,13 +206,21 @@ bottomup:
18611 - * can happen with large stack limits and large mmap()
18612 - * allocations.
18613 - */
18614 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
18615 -+
18616 -+#ifdef CONFIG_PAX_RANDMMAP
18617 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18618 -+ mm->mmap_base += mm->delta_mmap;
18619 -+#endif
18620 -+
18621 -+ mm->free_area_cache = mm->mmap_base;
18622 - mm->cached_hole_size = ~0UL;
18623 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
18624 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18625 - /*
18626 - * Restore the topdown base:
18627 - */
18628 -- mm->free_area_cache = mm->mmap_base;
18629 -+ mm->mmap_base = base;
18630 -+ mm->free_area_cache = base;
18631 - mm->cached_hole_size = ~0UL;
18632 -
18633 - return addr;
18634 -diff -urNp linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S
18635 ---- linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-03-27 14:31:47.000000000 -0400
18636 -+++ linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:56:46.000000000 -0400
18637 -@@ -1,3 +1,4 @@
18638 -+.section .rodata,"a",@progbits
18639 - ENTRY(sys_call_table)
18640 - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
18641 - .long sys_exit
18642 -diff -urNp linux-2.6.32.46/arch/x86/kernel/tboot.c linux-2.6.32.46/arch/x86/kernel/tboot.c
18643 ---- linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-03-27 14:31:47.000000000 -0400
18644 -+++ linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-05-22 23:02:03.000000000 -0400
18645 -@@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
18646 -
18647 - void tboot_shutdown(u32 shutdown_type)
18648 - {
18649 -- void (*shutdown)(void);
18650 -+ void (* __noreturn shutdown)(void);
18651 -
18652 - if (!tboot_enabled())
18653 - return;
18654 -@@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
18655 -
18656 - switch_to_tboot_pt();
18657 -
18658 -- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
18659 -+ shutdown = (void *)tboot->shutdown_entry;
18660 - shutdown();
18661 -
18662 - /* should not reach here */
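Review bot: the new assignment shutdown = (void *)tboot->shutdown_entry drops the intermediate (unsigned long) that the old cast went through. If shutdown_entry is narrower than a pointer on 64-bit builds, this becomes an integer-to-pointer conversion of a different size and the compiler will warn about it. Keep the widening step, for example (void *)(unsigned long)tboot->shutdown_entry.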
18663 -@@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
18664 - tboot_shutdown(acpi_shutdown_map[sleep_state]);
18665 - }
18666 -
18667 --static atomic_t ap_wfs_count;
18668 -+static atomic_unchecked_t ap_wfs_count;
18669 -
18670 - static int tboot_wait_for_aps(int num_aps)
18671 - {
18672 -@@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
18673 - {
18674 - switch (action) {
18675 - case CPU_DYING:
18676 -- atomic_inc(&ap_wfs_count);
18677 -+ atomic_inc_unchecked(&ap_wfs_count);
18678 - if (num_online_cpus() == 1)
18679 -- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
18680 -+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
18681 - return NOTIFY_BAD;
18682 - break;
18683 - }
18684 -@@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
18685 -
18686 - tboot_create_trampoline();
18687 -
18688 -- atomic_set(&ap_wfs_count, 0);
18689 -+ atomic_set_unchecked(&ap_wfs_count, 0);
18690 - register_hotcpu_notifier(&tboot_cpu_notifier);
18691 - return 0;
18692 - }
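Review bot: ap_wfs_count is moved to atomic_unchecked_t here and in the two preceding hunks with no explanation of why overflow checking is not wanted for it. Put a short comment at the declaration saying the variable is a plain counter of APs rather than a reference count, so the exemption can be audited later.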
18693 -diff -urNp linux-2.6.32.46/arch/x86/kernel/time.c linux-2.6.32.46/arch/x86/kernel/time.c
18694 ---- linux-2.6.32.46/arch/x86/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
18695 -+++ linux-2.6.32.46/arch/x86/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
18696 -@@ -26,17 +26,13 @@
18697 - int timer_ack;
18698 - #endif
18699 -
18700 --#ifdef CONFIG_X86_64
18701 --volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
18702 --#endif
18703 --
18704 - unsigned long profile_pc(struct pt_regs *regs)
18705 - {
18706 - unsigned long pc = instruction_pointer(regs);
18707 -
18708 -- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18709 -+ if (!user_mode(regs) && in_lock_functions(pc)) {
18710 - #ifdef CONFIG_FRAME_POINTER
18711 -- return *(unsigned long *)(regs->bp + sizeof(long));
18712 -+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18713 - #else
18714 - unsigned long *sp =
18715 - (unsigned long *)kernel_stack_pointer(regs);
18716 -@@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
18717 - * or above a saved flags. Eflags has bits 22-31 zero,
18718 - * kernel addresses don't.
18719 - */
18720 -+
18721 -+#ifdef CONFIG_PAX_KERNEXEC
18722 -+ return ktla_ktva(sp[0]);
18723 -+#else
18724 - if (sp[0] >> 22)
18725 - return sp[0];
18726 - if (sp[1] >> 22)
18727 - return sp[1];
18728 - #endif
18729 -+
18730 -+#endif
18731 - }
18732 - return pc;
18733 - }
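Review bot: under CONFIG_PAX_KERNEXEC the non-frame-pointer branch returns ktla_ktva(sp[0]) unconditionally, so the sp[0] >> 22 and sp[1] >> 22 tests described in the comment directly above (return address either at the stack pointer or above saved flags) no longer run. When sp[0] holds saved flags, a translated flags value is returned as the pc. Either keep the two-slot test and translate whichever slot passes, or document why the test cannot be applied to KERNEXEC addresses. The added trailing #endif should also be tagged /* CONFIG_FRAME_POINTER */, because the pre-existing #endif now closes the KERNEXEC block instead.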
18734 -diff -urNp linux-2.6.32.46/arch/x86/kernel/tls.c linux-2.6.32.46/arch/x86/kernel/tls.c
18735 ---- linux-2.6.32.46/arch/x86/kernel/tls.c 2011-03-27 14:31:47.000000000 -0400
18736 -+++ linux-2.6.32.46/arch/x86/kernel/tls.c 2011-04-17 15:56:46.000000000 -0400
18737 -@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18738 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18739 - return -EINVAL;
18740 -
18741 -+#ifdef CONFIG_PAX_SEGMEXEC
18742 -+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18743 -+ return -EINVAL;
18744 -+#endif
18745 -+
18746 - set_tls_desc(p, idx, &info, 1);
18747 -
18748 - return 0;
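Review bot: the SEGMEXEC check dereferences p->mm->pax_flags without testing p->mm, whereas the PAGEEXEC block added to do_general_protection() in traps.c guards the same access with tsk->mm &&. If do_set_thread_area() can be reached for a task without an mm, this is a NULL dereference; add the p->mm test or a comment stating why p->mm is always valid here.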
18749 -diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_32.S linux-2.6.32.46/arch/x86/kernel/trampoline_32.S
18750 ---- linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-03-27 14:31:47.000000000 -0400
18751 -+++ linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-04-17 15:56:46.000000000 -0400
18752 -@@ -32,6 +32,12 @@
18753 - #include <asm/segment.h>
18754 - #include <asm/page_types.h>
18755 -
18756 -+#ifdef CONFIG_PAX_KERNEXEC
18757 -+#define ta(X) (X)
18758 -+#else
18759 -+#define ta(X) ((X) - __PAGE_OFFSET)
18760 -+#endif
18761 -+
18762 - /* We can free up trampoline after bootup if cpu hotplug is not supported. */
18763 - __CPUINITRODATA
18764 - .code16
18765 -@@ -60,7 +66,7 @@ r_base = .
18766 - inc %ax # protected mode (PE) bit
18767 - lmsw %ax # into protected mode
18768 - # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18769 -- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18770 -+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
18771 -
18772 - # These need to be in the same 64K segment as the above;
18773 - # hence we don't use the boot_gdt_descr defined in head.S
18774 -diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_64.S linux-2.6.32.46/arch/x86/kernel/trampoline_64.S
18775 ---- linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-03-27 14:31:47.000000000 -0400
18776 -+++ linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-07-01 18:53:26.000000000 -0400
18777 -@@ -91,7 +91,7 @@ startup_32:
18778 - movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18779 - movl %eax, %ds
18780 -
18781 -- movl $X86_CR4_PAE, %eax
18782 -+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18783 - movl %eax, %cr4 # Enable PAE mode
18784 -
18785 - # Setup trampoline 4 level pagetables
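Review bot: the value loaded into %cr4 now sets X86_CR4_PSE and X86_CR4_PGE as well, but the comment on the following line still reads "Enable PAE mode". Update that comment to name all three bits and say why the trampoline needs PSE and PGE at this point.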
18786 -@@ -127,7 +127,7 @@ startup_64:
18787 - no_longmode:
18788 - hlt
18789 - jmp no_longmode
18790 --#include "verify_cpu_64.S"
18791 -+#include "verify_cpu.S"
18792 -
18793 - # Careful these need to be in the same 64K segment as the above;
18794 - tidt:
18795 -@@ -138,7 +138,7 @@ tidt:
18796 - # so the kernel can live anywhere
18797 - .balign 4
18798 - tgdt:
18799 -- .short tgdt_end - tgdt # gdt limit
18800 -+ .short tgdt_end - tgdt - 1 # gdt limit
18801 - .long tgdt - r_base
18802 - .short 0
18803 - .quad 0x00cf9b000000ffff # __KERNEL32_CS
18804 -diff -urNp linux-2.6.32.46/arch/x86/kernel/traps.c linux-2.6.32.46/arch/x86/kernel/traps.c
18805 ---- linux-2.6.32.46/arch/x86/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
18806 -+++ linux-2.6.32.46/arch/x86/kernel/traps.c 2011-07-06 19:53:33.000000000 -0400
18807 -@@ -69,12 +69,6 @@ asmlinkage int system_call(void);
18808 -
18809 - /* Do we ignore FPU interrupts ? */
18810 - char ignore_fpu_irq;
18811 --
18812 --/*
18813 -- * The IDT has to be page-aligned to simplify the Pentium
18814 -- * F0 0F bug workaround.
18815 -- */
18816 --gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18817 - #endif
18818 -
18819 - DECLARE_BITMAP(used_vectors, NR_VECTORS);
18820 -@@ -112,19 +106,19 @@ static inline void preempt_conditional_c
18821 - static inline void
18822 - die_if_kernel(const char *str, struct pt_regs *regs, long err)
18823 - {
18824 -- if (!user_mode_vm(regs))
18825 -+ if (!user_mode(regs))
18826 - die(str, regs, err);
18827 - }
18828 - #endif
18829 -
18830 - static void __kprobes
18831 --do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18832 -+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18833 - long error_code, siginfo_t *info)
18834 - {
18835 - struct task_struct *tsk = current;
18836 -
18837 - #ifdef CONFIG_X86_32
18838 -- if (regs->flags & X86_VM_MASK) {
18839 -+ if (v8086_mode(regs)) {
18840 - /*
18841 - * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18842 - * On nmi (interrupt 2), do_trap should not be called.
18843 -@@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
18844 - }
18845 - #endif
18846 -
18847 -- if (!user_mode(regs))
18848 -+ if (!user_mode_novm(regs))
18849 - goto kernel_trap;
18850 -
18851 - #ifdef CONFIG_X86_32
18852 -@@ -158,7 +152,7 @@ trap_signal:
18853 - printk_ratelimit()) {
18854 - printk(KERN_INFO
18855 - "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18856 -- tsk->comm, tsk->pid, str,
18857 -+ tsk->comm, task_pid_nr(tsk), str,
18858 - regs->ip, regs->sp, error_code);
18859 - print_vma_addr(" in ", regs->ip);
18860 - printk("\n");
18861 -@@ -175,8 +169,20 @@ kernel_trap:
18862 - if (!fixup_exception(regs)) {
18863 - tsk->thread.error_code = error_code;
18864 - tsk->thread.trap_no = trapnr;
18865 -+
18866 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18867 -+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18868 -+ str = "PAX: suspicious stack segment fault";
18869 -+#endif
18870 -+
18871 - die(str, regs, error_code);
18872 - }
18873 -+
18874 -+#ifdef CONFIG_PAX_REFCOUNT
18875 -+ if (trapnr == 4)
18876 -+ pax_report_refcount_overflow(regs);
18877 -+#endif
18878 -+
18879 - return;
18880 -
18881 - #ifdef CONFIG_X86_32
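Review bot: both additions in kernel_trap compare trapnr against bare numbers, trapnr == 12 and trapnr == 4. Use named constants or add a comment giving the exception each number stands for. The refcount report also sits after the fixup_exception() block rather than inside it, so it runs for every kernel-mode trap 4 whether or not a fixup was applied; say in a comment that this is intended.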
18882 -@@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
18883 - conditional_sti(regs);
18884 -
18885 - #ifdef CONFIG_X86_32
18886 -- if (regs->flags & X86_VM_MASK)
18887 -+ if (v8086_mode(regs))
18888 - goto gp_in_vm86;
18889 - #endif
18890 -
18891 - tsk = current;
18892 -- if (!user_mode(regs))
18893 -+ if (!user_mode_novm(regs))
18894 - goto gp_in_kernel;
18895 -
18896 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18897 -+ if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18898 -+ struct mm_struct *mm = tsk->mm;
18899 -+ unsigned long limit;
18900 -+
18901 -+ down_write(&mm->mmap_sem);
18902 -+ limit = mm->context.user_cs_limit;
18903 -+ if (limit < TASK_SIZE) {
18904 -+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18905 -+ up_write(&mm->mmap_sem);
18906 -+ return;
18907 -+ }
18908 -+ up_write(&mm->mmap_sem);
18909 -+ }
18910 -+#endif
18911 -+
18912 - tsk->thread.error_code = error_code;
18913 - tsk->thread.trap_no = 13;
18914 -
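Review bot: the PAGEEXEC block returns from do_general_protection() without raising a signal once track_exec_limit() has been called, and it takes mmap_sem for writing inside the fault handler; neither is explained. Add a comment saying that the faulting instruction is expected to be retried after the limit is raised to TASK_SIZE, and that a repeated fault then falls through to the normal path because limit is no longer below TASK_SIZE, if that is the intent.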
18915 -@@ -305,6 +327,13 @@ gp_in_kernel:
18916 - if (notify_die(DIE_GPF, "general protection fault", regs,
18917 - error_code, 13, SIGSEGV) == NOTIFY_STOP)
18918 - return;
18919 -+
18920 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18921 -+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18922 -+ die("PAX: suspicious general protection fault", regs, error_code);
18923 -+ else
18924 -+#endif
18925 -+
18926 - die("general protection fault", regs, error_code);
18927 - }
18928 -
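Review bot: the added block ends in a bare else followed by #endif and a blank line, with the original die("general protection fault", ...) serving as the else body. That is fragile: any statement inserted before the final die() silently becomes the else branch. Wrap both calls in braces, or select the message string under the #if and call die() once.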
18929 -@@ -435,6 +464,17 @@ static notrace __kprobes void default_do
18930 - dotraplinkage notrace __kprobes void
18931 - do_nmi(struct pt_regs *regs, long error_code)
18932 - {
18933 -+
18934 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18935 -+ if (!user_mode(regs)) {
18936 -+ unsigned long cs = regs->cs & 0xFFFF;
18937 -+ unsigned long ip = ktva_ktla(regs->ip);
18938 -+
18939 -+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18940 -+ regs->ip = ip;
18941 -+ }
18942 -+#endif
18943 -+
18944 - nmi_enter();
18945 -
18946 - inc_irq_stat(__nmi_count);
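Review bot: do_nmi() now rewrites regs->ip before nmi_enter(), and the only range test on the translated address is ip <= (unsigned long)_etext. There is no lower bound and no comment on why the saved ip needs translating on entry. Add the matching lower-bound test against the start of kernel text, or document why the upper bound alone is sufficient.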
18947 -@@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
18948 - }
18949 -
18950 - #ifdef CONFIG_X86_32
18951 -- if (regs->flags & X86_VM_MASK)
18952 -+ if (v8086_mode(regs))
18953 - goto debug_vm86;
18954 - #endif
18955 -
18956 -@@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
18957 - * kernel space (but re-enable TF when returning to user mode).
18958 - */
18959 - if (condition & DR_STEP) {
18960 -- if (!user_mode(regs))
18961 -+ if (!user_mode_novm(regs))
18962 - goto clear_TF_reenable;
18963 - }
18964 -
18965 -@@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
18966 - * Handle strange cache flush from user space exception
18967 - * in all other cases. This is undocumented behaviour.
18968 - */
18969 -- if (regs->flags & X86_VM_MASK) {
18970 -+ if (v8086_mode(regs)) {
18971 - handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
18972 - return;
18973 - }
18974 -@@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
18975 - void __math_state_restore(void)
18976 - {
18977 - struct thread_info *thread = current_thread_info();
18978 -- struct task_struct *tsk = thread->task;
18979 -+ struct task_struct *tsk = current;
18980 -
18981 - /*
18982 - * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18983 -@@ -825,8 +865,7 @@ void __math_state_restore(void)
18984 - */
18985 - asmlinkage void math_state_restore(void)
18986 - {
18987 -- struct thread_info *thread = current_thread_info();
18988 -- struct task_struct *tsk = thread->task;
18989 -+ struct task_struct *tsk = current;
18990 -
18991 - if (!tsk_used_math(tsk)) {
18992 - local_irq_enable();
18993 -diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu.S linux-2.6.32.46/arch/x86/kernel/verify_cpu.S
18994 ---- linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
18995 -+++ linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:42.000000000 -0400
18996 -@@ -0,0 +1,140 @@
18997 -+/*
18998 -+ *
18999 -+ * verify_cpu.S - Code for cpu long mode and SSE verification. This
19000 -+ * code has been borrowed from boot/setup.S and was introduced by
19001 -+ * Andi Kleen.
19002 -+ *
19003 -+ * Copyright (c) 2007 Andi Kleen (ak@××××.de)
19004 -+ * Copyright (c) 2007 Eric Biederman (ebiederm@××××××××.com)
19005 -+ * Copyright (c) 2007 Vivek Goyal (vgoyal@××××××.com)
19006 -+ * Copyright (c) 2010 Kees Cook (kees.cook@×××××××××.com)
19007 -+ *
19008 -+ * This source code is licensed under the GNU General Public License,
19009 -+ * Version 2. See the file COPYING for more details.
19010 -+ *
19011 -+ * This is a common code for verification whether CPU supports
19012 -+ * long mode and SSE or not. It is not called directly instead this
19013 -+ * file is included at various places and compiled in that context.
19014 -+ * This file is expected to run in 32bit code. Currently:
19015 -+ *
19016 -+ * arch/x86/boot/compressed/head_64.S: Boot cpu verification
19017 -+ * arch/x86/kernel/trampoline_64.S: secondary processor verification
19018 -+ * arch/x86/kernel/head_32.S: processor startup
19019 -+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
19020 -+ *
19021 -+ * verify_cpu, returns the status of longmode and SSE in register %eax.
19022 -+ * 0: Success 1: Failure
19023 -+ *
19024 -+ * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
19025 -+ *
19026 -+ * The caller needs to check for the error code and take the action
19027 -+ * appropriately. Either display a message or halt.
19028 -+ */
19029 -+
19030 -+#include <asm/cpufeature.h>
19031 -+#include <asm/msr-index.h>
19032 -+
19033 -+verify_cpu:
19034 -+ pushfl # Save caller passed flags
19035 -+ pushl $0 # Kill any dangerous flags
19036 -+ popfl
19037 -+
19038 -+ pushfl # standard way to check for cpuid
19039 -+ popl %eax
19040 -+ movl %eax,%ebx
19041 -+ xorl $0x200000,%eax
19042 -+ pushl %eax
19043 -+ popfl
19044 -+ pushfl
19045 -+ popl %eax
19046 -+ cmpl %eax,%ebx
19047 -+ jz verify_cpu_no_longmode # cpu has no cpuid
19048 -+
19049 -+ movl $0x0,%eax # See if cpuid 1 is implemented
19050 -+ cpuid
19051 -+ cmpl $0x1,%eax
19052 -+ jb verify_cpu_no_longmode # no cpuid 1
19053 -+
19054 -+ xor %di,%di
19055 -+ cmpl $0x68747541,%ebx # AuthenticAMD
19056 -+ jnz verify_cpu_noamd
19057 -+ cmpl $0x69746e65,%edx
19058 -+ jnz verify_cpu_noamd
19059 -+ cmpl $0x444d4163,%ecx
19060 -+ jnz verify_cpu_noamd
19061 -+ mov $1,%di # cpu is from AMD
19062 -+ jmp verify_cpu_check
19063 -+
19064 -+verify_cpu_noamd:
19065 -+ cmpl $0x756e6547,%ebx # GenuineIntel?
19066 -+ jnz verify_cpu_check
19067 -+ cmpl $0x49656e69,%edx
19068 -+ jnz verify_cpu_check
19069 -+ cmpl $0x6c65746e,%ecx
19070 -+ jnz verify_cpu_check
19071 -+
19072 -+ # only call IA32_MISC_ENABLE when:
19073 -+ # family > 6 || (family == 6 && model >= 0xd)
19074 -+ movl $0x1, %eax # check CPU family and model
19075 -+ cpuid
19076 -+ movl %eax, %ecx
19077 -+
19078 -+ andl $0x0ff00f00, %eax # mask family and extended family
19079 -+ shrl $8, %eax
19080 -+ cmpl $6, %eax
19081 -+ ja verify_cpu_clear_xd # family > 6, ok
19082 -+ jb verify_cpu_check # family < 6, skip
19083 -+
19084 -+ andl $0x000f00f0, %ecx # mask model and extended model
19085 -+ shrl $4, %ecx
19086 -+ cmpl $0xd, %ecx
19087 -+ jb verify_cpu_check # family == 6, model < 0xd, skip
19088 -+
19089 -+verify_cpu_clear_xd:
19090 -+ movl $MSR_IA32_MISC_ENABLE, %ecx
19091 -+ rdmsr
19092 -+ btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
19093 -+ jnc verify_cpu_check # only write MSR if bit was changed
19094 -+ wrmsr
19095 -+
19096 -+verify_cpu_check:
19097 -+ movl $0x1,%eax # Does the cpu have what it takes
19098 -+ cpuid
19099 -+ andl $REQUIRED_MASK0,%edx
19100 -+ xorl $REQUIRED_MASK0,%edx
19101 -+ jnz verify_cpu_no_longmode
19102 -+
19103 -+ movl $0x80000000,%eax # See if extended cpuid is implemented
19104 -+ cpuid
19105 -+ cmpl $0x80000001,%eax
19106 -+ jb verify_cpu_no_longmode # no extended cpuid
19107 -+
19108 -+ movl $0x80000001,%eax # Does the cpu have what it takes
19109 -+ cpuid
19110 -+ andl $REQUIRED_MASK1,%edx
19111 -+ xorl $REQUIRED_MASK1,%edx
19112 -+ jnz verify_cpu_no_longmode
19113 -+
19114 -+verify_cpu_sse_test:
19115 -+ movl $1,%eax
19116 -+ cpuid
19117 -+ andl $SSE_MASK,%edx
19118 -+ cmpl $SSE_MASK,%edx
19119 -+ je verify_cpu_sse_ok
19120 -+ test %di,%di
19121 -+ jz verify_cpu_no_longmode # only try to force SSE on AMD
19122 -+ movl $MSR_K7_HWCR,%ecx
19123 -+ rdmsr
19124 -+ btr $15,%eax # enable SSE
19125 -+ wrmsr
19126 -+ xor %di,%di # don't loop
19127 -+ jmp verify_cpu_sse_test # try again
19128 -+
19129 -+verify_cpu_no_longmode:
19130 -+ popfl # Restore caller passed flags
19131 -+ movl $1,%eax
19132 -+ ret
19133 -+verify_cpu_sse_ok:
19134 -+ popfl # Restore caller passed flags
19135 -+ xorl %eax, %eax
19136 -+ ret
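Review bot: in verify_cpu_clear_xd the XD_DISABLE bit is cleared with a literal, btrl $2, %edx, and the AMD SSE path does the same with btr $15, %eax; only the trailing comments say which MSR bits these are. The MSR numbers were converted to MSR_IA32_MISC_ENABLE and MSR_K7_HWCR, so derive the bit positions from named constants too. Separately, every failure path, including the SSE check, exits through verify_cpu_no_longmode; rename the label or note in the header that it is the common failure exit.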
19137 -diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S
19138 ---- linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 2011-03-27 14:31:47.000000000 -0400
19139 -+++ linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
19140 -@@ -1,105 +0,0 @@
19141 --/*
19142 -- *
19143 -- * verify_cpu.S - Code for cpu long mode and SSE verification. This
19144 -- * code has been borrowed from boot/setup.S and was introduced by
19145 -- * Andi Kleen.
19146 -- *
19147 -- * Copyright (c) 2007 Andi Kleen (ak@××××.de)
19148 -- * Copyright (c) 2007 Eric Biederman (ebiederm@××××××××.com)
19149 -- * Copyright (c) 2007 Vivek Goyal (vgoyal@××××××.com)
19150 -- *
19151 -- * This source code is licensed under the GNU General Public License,
19152 -- * Version 2. See the file COPYING for more details.
19153 -- *
19154 -- * This is a common code for verification whether CPU supports
19155 -- * long mode and SSE or not. It is not called directly instead this
19156 -- * file is included at various places and compiled in that context.
19157 -- * Following are the current usage.
19158 -- *
19159 -- * This file is included by both 16bit and 32bit code.
19160 -- *
19161 -- * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
19162 -- * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
19163 -- * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
19164 -- * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
19165 -- *
19166 -- * verify_cpu, returns the status of cpu check in register %eax.
19167 -- * 0: Success 1: Failure
19168 -- *
19169 -- * The caller needs to check for the error code and take the action
19170 -- * appropriately. Either display a message or halt.
19171 -- */
19172 --
19173 --#include <asm/cpufeature.h>
19174 --
19175 --verify_cpu:
19176 -- pushfl # Save caller passed flags
19177 -- pushl $0 # Kill any dangerous flags
19178 -- popfl
19179 --
19180 -- pushfl # standard way to check for cpuid
19181 -- popl %eax
19182 -- movl %eax,%ebx
19183 -- xorl $0x200000,%eax
19184 -- pushl %eax
19185 -- popfl
19186 -- pushfl
19187 -- popl %eax
19188 -- cmpl %eax,%ebx
19189 -- jz verify_cpu_no_longmode # cpu has no cpuid
19190 --
19191 -- movl $0x0,%eax # See if cpuid 1 is implemented
19192 -- cpuid
19193 -- cmpl $0x1,%eax
19194 -- jb verify_cpu_no_longmode # no cpuid 1
19195 --
19196 -- xor %di,%di
19197 -- cmpl $0x68747541,%ebx # AuthenticAMD
19198 -- jnz verify_cpu_noamd
19199 -- cmpl $0x69746e65,%edx
19200 -- jnz verify_cpu_noamd
19201 -- cmpl $0x444d4163,%ecx
19202 -- jnz verify_cpu_noamd
19203 -- mov $1,%di # cpu is from AMD
19204 --
19205 --verify_cpu_noamd:
19206 -- movl $0x1,%eax # Does the cpu have what it takes
19207 -- cpuid
19208 -- andl $REQUIRED_MASK0,%edx
19209 -- xorl $REQUIRED_MASK0,%edx
19210 -- jnz verify_cpu_no_longmode
19211 --
19212 -- movl $0x80000000,%eax # See if extended cpuid is implemented
19213 -- cpuid
19214 -- cmpl $0x80000001,%eax
19215 -- jb verify_cpu_no_longmode # no extended cpuid
19216 --
19217 -- movl $0x80000001,%eax # Does the cpu have what it takes
19218 -- cpuid
19219 -- andl $REQUIRED_MASK1,%edx
19220 -- xorl $REQUIRED_MASK1,%edx
19221 -- jnz verify_cpu_no_longmode
19222 --
19223 --verify_cpu_sse_test:
19224 -- movl $1,%eax
19225 -- cpuid
19226 -- andl $SSE_MASK,%edx
19227 -- cmpl $SSE_MASK,%edx
19228 -- je verify_cpu_sse_ok
19229 -- test %di,%di
19230 -- jz verify_cpu_no_longmode # only try to force SSE on AMD
19231 -- movl $0xc0010015,%ecx # HWCR
19232 -- rdmsr
19233 -- btr $15,%eax # enable SSE
19234 -- wrmsr
19235 -- xor %di,%di # don't loop
19236 -- jmp verify_cpu_sse_test # try again
19237 --
19238 --verify_cpu_no_longmode:
19239 -- popfl # Restore caller passed flags
19240 -- movl $1,%eax
19241 -- ret
19242 --verify_cpu_sse_ok:
19243 -- popfl # Restore caller passed flags
19244 -- xorl %eax, %eax
19245 -- ret
19246 -diff -urNp linux-2.6.32.46/arch/x86/kernel/vm86_32.c linux-2.6.32.46/arch/x86/kernel/vm86_32.c
19247 ---- linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-03-27 14:31:47.000000000 -0400
19248 -+++ linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-04-17 15:56:46.000000000 -0400
19249 -@@ -41,6 +41,7 @@
19250 - #include <linux/ptrace.h>
19251 - #include <linux/audit.h>
19252 - #include <linux/stddef.h>
19253 -+#include <linux/grsecurity.h>
19254 -
19255 - #include <asm/uaccess.h>
19256 - #include <asm/io.h>
19257 -@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
19258 - do_exit(SIGSEGV);
19259 - }
19260 -
19261 -- tss = &per_cpu(init_tss, get_cpu());
19262 -+ tss = init_tss + get_cpu();
19263 - current->thread.sp0 = current->thread.saved_sp0;
19264 - current->thread.sysenter_cs = __KERNEL_CS;
19265 - load_sp0(tss, &current->thread);
19266 -@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
19267 - struct task_struct *tsk;
19268 - int tmp, ret = -EPERM;
19269 -
19270 -+#ifdef CONFIG_GRKERNSEC_VM86
19271 -+ if (!capable(CAP_SYS_RAWIO)) {
19272 -+ gr_handle_vm86();
19273 -+ goto out;
19274 -+ }
19275 -+#endif
19276 -+
19277 - tsk = current;
19278 - if (tsk->thread.saved_sp0)
19279 - goto out;
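Review bot: the CAP_SYS_RAWIO rejection in sys_vm86old() jumps to out without setting ret and so depends on the initializer ret = -EPERM two lines up, while the matching block in sys_vm86() assigns ret = -EPERM explicitly. Assign it explicitly here as well, so the denial does not change meaning if the initializer is ever edited.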
19280 -@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
19281 - int tmp, ret;
19282 - struct vm86plus_struct __user *v86;
19283 -
19284 -+#ifdef CONFIG_GRKERNSEC_VM86
19285 -+ if (!capable(CAP_SYS_RAWIO)) {
19286 -+ gr_handle_vm86();
19287 -+ ret = -EPERM;
19288 -+ goto out;
19289 -+ }
19290 -+#endif
19291 -+
19292 - tsk = current;
19293 - switch (regs->bx) {
19294 - case VM86_REQUEST_IRQ:
19295 -@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
19296 - tsk->thread.saved_fs = info->regs32->fs;
19297 - tsk->thread.saved_gs = get_user_gs(info->regs32);
19298 -
19299 -- tss = &per_cpu(init_tss, get_cpu());
19300 -+ tss = init_tss + get_cpu();
19301 - tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
19302 - if (cpu_has_sep)
19303 - tsk->thread.sysenter_cs = 0;
19304 -@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
19305 - goto cannot_handle;
19306 - if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
19307 - goto cannot_handle;
19308 -- intr_ptr = (unsigned long __user *) (i << 2);
19309 -+ intr_ptr = (__force unsigned long __user *) (i << 2);
19310 - if (get_user(segoffs, intr_ptr))
19311 - goto cannot_handle;
19312 - if ((segoffs >> 16) == BIOSSEG)
19313 -diff -urNp linux-2.6.32.46/arch/x86/kernel/vmi_32.c linux-2.6.32.46/arch/x86/kernel/vmi_32.c
19314 ---- linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-03-27 14:31:47.000000000 -0400
19315 -+++ linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-08-05 20:33:55.000000000 -0400
19316 -@@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
19317 - typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
19318 -
19319 - #define call_vrom_func(rom,func) \
19320 -- (((VROMFUNC *)(rom->func))())
19321 -+ (((VROMFUNC *)(ktva_ktla(rom.func)))())
19322 -
19323 - #define call_vrom_long_func(rom,func,arg) \
19324 -- (((VROMLONGFUNC *)(rom->func)) (arg))
19325 -+({\
19326 -+ u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
19327 -+ struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
19328 -+ __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
19329 -+ __reloc;\
19330 -+})
19331 -
19332 --static struct vrom_header *vmi_rom;
19333 -+static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
19334 - static int disable_pge;
19335 - static int disable_pse;
19336 - static int disable_sep;
19337 -@@ -76,10 +81,10 @@ static struct {
19338 - void (*set_initial_ap_state)(int, int);
19339 - void (*halt)(void);
19340 - void (*set_lazy_mode)(int mode);
19341 --} vmi_ops;
19342 -+} __no_const vmi_ops __read_only;
19343 -
19344 - /* Cached VMI operations */
19345 --struct vmi_timer_ops vmi_timer_ops;
19346 -+struct vmi_timer_ops vmi_timer_ops __read_only;
19347 -
19348 - /*
19349 - * VMI patching routines.
19350 -@@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
19351 - static inline void patch_offset(void *insnbuf,
19352 - unsigned long ip, unsigned long dest)
19353 - {
19354 -- *(unsigned long *)(insnbuf+1) = dest-ip-5;
19355 -+ *(unsigned long *)(insnbuf+1) = dest-ip-5;
19356 - }
19357 -
19358 - static unsigned patch_internal(int call, unsigned len, void *insnbuf,
19359 -@@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
19360 - {
19361 - u64 reloc;
19362 - struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
19363 -+
19364 - reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
19365 - switch(rel->type) {
19366 - case VMI_RELOCATION_CALL_REL:
19367 -@@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
19368 -
19369 - static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
19370 - {
19371 -- const pte_t pte = { .pte = 0 };
19372 -+ const pte_t pte = __pte(0ULL);
19373 - vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
19374 - }
19375 -
19376 - static void vmi_pmd_clear(pmd_t *pmd)
19377 - {
19378 -- const pte_t pte = { .pte = 0 };
19379 -+ const pte_t pte = __pte(0ULL);
19380 - vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
19381 - }
19382 - #endif
19383 -@@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
19384 - ap.ss = __KERNEL_DS;
19385 - ap.esp = (unsigned long) start_esp;
19386 -
19387 -- ap.ds = __USER_DS;
19388 -- ap.es = __USER_DS;
19389 -+ ap.ds = __KERNEL_DS;
19390 -+ ap.es = __KERNEL_DS;
19391 - ap.fs = __KERNEL_PERCPU;
19392 -- ap.gs = __KERNEL_STACK_CANARY;
19393 -+ savesegment(gs, ap.gs);
19394 -
19395 - ap.eflags = 0;
19396 -
19397 -@@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
19398 - paravirt_leave_lazy_mmu();
19399 - }
19400 -
19401 -+#ifdef CONFIG_PAX_KERNEXEC
19402 -+static unsigned long vmi_pax_open_kernel(void)
19403 -+{
19404 -+ return 0;
19405 -+}
19406 -+
19407 -+static unsigned long vmi_pax_close_kernel(void)
19408 -+{
19409 -+ return 0;
19410 -+}
19411 -+#endif
19412 -+
19413 - static inline int __init check_vmi_rom(struct vrom_header *rom)
19414 - {
19415 - struct pci_header *pci;
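Review bot: vmi_pax_open_kernel() and vmi_pax_close_kernel() are empty stubs that return 0, with no comment. State why opening and closing the kernel is a no-op under VMI, and what the 0 return value means to callers of pv_mmu_ops.pax_open_kernel, so the stubs are not mistaken for unfinished code.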
19416 -@@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
19417 - return 0;
19418 - if (rom->vrom_signature != VMI_SIGNATURE)
19419 - return 0;
19420 -+ if (rom->rom_length * 512 > sizeof(*rom)) {
19421 -+ printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
19422 -+ return 0;
19423 -+ }
19424 - if (rom->api_version_maj != VMI_API_REV_MAJOR ||
19425 - rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
19426 - printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
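Review bot: the new test rejects any ROM for which rom_length * 512 exceeds sizeof(*rom), which is the size of the header structure, and nothing explains the bound. It appears to exist because probe_vmi_rom() now copies *romstart into the static vmi_rom; add a comment tying the limit to that copy. The message prefix "PAX: VMI:" also differs from the plain "VMI:" used by the warning just below.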
19427 -@@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
19428 - struct vrom_header *romstart;
19429 - romstart = (struct vrom_header *)isa_bus_to_virt(base);
19430 - if (check_vmi_rom(romstart)) {
19431 -- vmi_rom = romstart;
19432 -+ vmi_rom = *romstart;
19433 - return 1;
19434 - }
19435 - }
19436 -@@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
19437 -
19438 - para_fill(pv_irq_ops.safe_halt, Halt);
19439 -
19440 -+#ifdef CONFIG_PAX_KERNEXEC
19441 -+ pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
19442 -+ pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
19443 -+#endif
19444 -+
19445 - /*
19446 - * Alternative instruction rewriting doesn't happen soon enough
19447 - * to convert VMI_IRET to a call instead of a jump; so we have
19448 -@@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
19449 -
19450 - void __init vmi_init(void)
19451 - {
19452 -- if (!vmi_rom)
19453 -+ if (!vmi_rom.rom_signature)
19454 - probe_vmi_rom();
19455 - else
19456 -- check_vmi_rom(vmi_rom);
19457 -+ check_vmi_rom(&vmi_rom);
19458 -
19459 - /* In case probing for or validating the ROM failed, basil */
19460 -- if (!vmi_rom)
19461 -+ if (!vmi_rom.rom_signature)
19462 - return;
19463 -
19464 -- reserve_top_address(-vmi_rom->virtual_top);
19465 -+ reserve_top_address(-vmi_rom.virtual_top);
19466 -
19467 - #ifdef CONFIG_X86_IO_APIC
19468 - /* This is virtual hardware; timer routing is wired correctly */
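Review bot: the "no ROM" tests now read vmi_rom.rom_signature, while check_vmi_rom() validates rom->vrom_signature, a different field. Document why rom_signature is the sentinel for the static copy. The return value of check_vmi_rom(&vmi_rom) is also discarded, so after a failed validation the following !vmi_rom.rom_signature test does not return early unless check_vmi_rom() clears the field, which the visible lines do not show; test the return value directly.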
19469 -@@ -874,7 +901,7 @@ void __init vmi_activate(void)
19470 - {
19471 - unsigned long flags;
19472 -
19473 -- if (!vmi_rom)
19474 -+ if (!vmi_rom.rom_signature)
19475 - return;
19476 -
19477 - local_irq_save(flags);
19478 -diff -urNp linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S
19479 ---- linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
19480 -+++ linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:56:46.000000000 -0400
19481 -@@ -26,6 +26,13 @@
19482 - #include <asm/page_types.h>
19483 - #include <asm/cache.h>
19484 - #include <asm/boot.h>
19485 -+#include <asm/segment.h>
19486 -+
19487 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19488 -+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
19489 -+#else
19490 -+#define __KERNEL_TEXT_OFFSET 0
19491 -+#endif
19492 -
19493 - #undef i386 /* in case the preprocessor is a 32bit one */
19494 -
19495 -@@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
19496 - #ifdef CONFIG_X86_32
19497 - OUTPUT_ARCH(i386)
19498 - ENTRY(phys_startup_32)
19499 --jiffies = jiffies_64;
19500 - #else
19501 - OUTPUT_ARCH(i386:x86-64)
19502 - ENTRY(phys_startup_64)
19503 --jiffies_64 = jiffies;
19504 - #endif
19505 -
19506 - PHDRS {
19507 - text PT_LOAD FLAGS(5); /* R_E */
19508 -- data PT_LOAD FLAGS(7); /* RWE */
19509 -+#ifdef CONFIG_X86_32
19510 -+ module PT_LOAD FLAGS(5); /* R_E */
19511 -+#endif
19512 -+#ifdef CONFIG_XEN
19513 -+ rodata PT_LOAD FLAGS(5); /* R_E */
19514 -+#else
19515 -+ rodata PT_LOAD FLAGS(4); /* R__ */
19516 -+#endif
19517 -+ data PT_LOAD FLAGS(6); /* RW_ */
19518 - #ifdef CONFIG_X86_64
19519 - user PT_LOAD FLAGS(5); /* R_E */
19520 -+#endif
19521 -+ init.begin PT_LOAD FLAGS(6); /* RW_ */
19522 - #ifdef CONFIG_SMP
19523 - percpu PT_LOAD FLAGS(6); /* RW_ */
19524 - #endif
19525 -+ text.init PT_LOAD FLAGS(5); /* R_E */
19526 -+ text.exit PT_LOAD FLAGS(5); /* R_E */
19527 - init PT_LOAD FLAGS(7); /* RWE */
19528 --#endif
19529 - note PT_NOTE FLAGS(0); /* ___ */
19530 - }
19531 -
19532 - SECTIONS
19533 - {
19534 - #ifdef CONFIG_X86_32
19535 -- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
19536 -- phys_startup_32 = startup_32 - LOAD_OFFSET;
19537 -+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
19538 - #else
19539 -- . = __START_KERNEL;
19540 -- phys_startup_64 = startup_64 - LOAD_OFFSET;
19541 -+ . = __START_KERNEL;
19542 - #endif
19543 -
19544 - /* Text and read-only data */
19545 -- .text : AT(ADDR(.text) - LOAD_OFFSET) {
19546 -- _text = .;
19547 -+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19548 - /* bootstrapping code */
19549 -+#ifdef CONFIG_X86_32
19550 -+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19551 -+#else
19552 -+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19553 -+#endif
19554 -+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19555 -+ _text = .;
19556 - HEAD_TEXT
19557 - #ifdef CONFIG_X86_32
19558 - . = ALIGN(PAGE_SIZE);
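Review bot: `init PT_LOAD FLAGS(7); /* RWE */` is still writable and executable after this hunk, although `data` drops from RWE to RW_ and init/exit code gets its own R_E headers (`text.init`, `text.exit`). If something mapped through `init` still needs W+X, name it in a comment; otherwise FLAGS(6) would match the rest of the split. The CONFIG_XEN branch also marks `rodata` R_E with no explanation of why read-only data must be executable there.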
19559 -@@ -82,28 +102,71 @@ SECTIONS
19560 - IRQENTRY_TEXT
19561 - *(.fixup)
19562 - *(.gnu.warning)
19563 -- /* End of text section */
19564 -- _etext = .;
19565 - } :text = 0x9090
19566 -
19567 -- NOTES :text :note
19568 -+ . += __KERNEL_TEXT_OFFSET;
19569 -+
19570 -+#ifdef CONFIG_X86_32
19571 -+ . = ALIGN(PAGE_SIZE);
19572 -+ .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
19573 -+ *(.vmi.rom)
19574 -+ } :module
19575 -+
19576 -+ . = ALIGN(PAGE_SIZE);
19577 -+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
19578 -+
19579 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
19580 -+ MODULES_EXEC_VADDR = .;
19581 -+ BYTE(0)
19582 -+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
19583 -+ . = ALIGN(HPAGE_SIZE);
19584 -+ MODULES_EXEC_END = . - 1;
19585 -+#endif
19586 -+
19587 -+ } :module
19588 -+#endif
19589 -
19590 -- EXCEPTION_TABLE(16) :text = 0x9090
19591 -+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
19592 -+ /* End of text section */
19593 -+ _etext = . - __KERNEL_TEXT_OFFSET;
19594 -+ }
19595 -+
19596 -+#ifdef CONFIG_X86_32
19597 -+ . = ALIGN(PAGE_SIZE);
19598 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
19599 -+ *(.idt)
19600 -+ . = ALIGN(PAGE_SIZE);
19601 -+ *(.empty_zero_page)
19602 -+ *(.swapper_pg_fixmap)
19603 -+ *(.swapper_pg_pmd)
19604 -+ *(.swapper_pg_dir)
19605 -+ *(.trampoline_pg_dir)
19606 -+ } :rodata
19607 -+#endif
19608 -+
19609 -+ . = ALIGN(PAGE_SIZE);
19610 -+ NOTES :rodata :note
19611 -+
19612 -+ EXCEPTION_TABLE(16) :rodata
19613 -
19614 - RO_DATA(PAGE_SIZE)
19615 -
19616 - /* Data */
19617 - .data : AT(ADDR(.data) - LOAD_OFFSET) {
19618 -+
19619 -+#ifdef CONFIG_PAX_KERNEXEC
19620 -+ . = ALIGN(HPAGE_SIZE);
19621 -+#else
19622 -+ . = ALIGN(PAGE_SIZE);
19623 -+#endif
19624 -+
19625 - /* Start of data section */
19626 - _sdata = .;
19627 -
19628 - /* init_task */
19629 - INIT_TASK_DATA(THREAD_SIZE)
19630 -
19631 --#ifdef CONFIG_X86_32
19632 -- /* 32 bit has nosave before _edata */
19633 - NOSAVE_DATA
19634 --#endif
19635 -
19636 - PAGE_ALIGNED_DATA(PAGE_SIZE)
19637 -
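Review bot: in the `.module.text` block, the `BYTE(0)` before `. += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);` is unexplained, and nothing says that `MODULES_EXEC_END = . - 1` is an inclusive bound while `MODULES_EXEC_VADDR` is a start address. A one-line comment on each would save the next reader from guessing, and it is worth noting that this reservation counts toward the `KERNEL_IMAGE_SIZE` assert at the end of the script.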
19638 -@@ -112,6 +175,8 @@ SECTIONS
19639 - DATA_DATA
19640 - CONSTRUCTORS
19641 -
19642 -+ jiffies = jiffies_64;
19643 -+
19644 - /* rarely changed data like cpu maps */
19645 - READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
19646 -
19647 -@@ -166,12 +231,6 @@ SECTIONS
19648 - }
19649 - vgetcpu_mode = VVIRT(.vgetcpu_mode);
19650 -
19651 -- . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
19652 -- .jiffies : AT(VLOAD(.jiffies)) {
19653 -- *(.jiffies)
19654 -- }
19655 -- jiffies = VVIRT(.jiffies);
19656 --
19657 - .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
19658 - *(.vsyscall_3)
19659 - }
19660 -@@ -187,12 +246,19 @@ SECTIONS
19661 - #endif /* CONFIG_X86_64 */
19662 -
19663 - /* Init code and data - will be freed after init */
19664 -- . = ALIGN(PAGE_SIZE);
19665 - .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
19666 -+ BYTE(0)
19667 -+
19668 -+#ifdef CONFIG_PAX_KERNEXEC
19669 -+ . = ALIGN(HPAGE_SIZE);
19670 -+#else
19671 -+ . = ALIGN(PAGE_SIZE);
19672 -+#endif
19673 -+
19674 - __init_begin = .; /* paired with __init_end */
19675 -- }
19676 -+ } :init.begin
19677 -
19678 --#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
19679 -+#ifdef CONFIG_SMP
19680 - /*
19681 - * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
19682 - * output PHDR, so the next output section - .init.text - should
19683 -@@ -201,12 +267,27 @@ SECTIONS
19684 - PERCPU_VADDR(0, :percpu)
19685 - #endif
19686 -
19687 -- INIT_TEXT_SECTION(PAGE_SIZE)
19688 --#ifdef CONFIG_X86_64
19689 -- :init
19690 --#endif
19691 -+ . = ALIGN(PAGE_SIZE);
19692 -+ init_begin = .;
19693 -+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
19694 -+ VMLINUX_SYMBOL(_sinittext) = .;
19695 -+ INIT_TEXT
19696 -+ VMLINUX_SYMBOL(_einittext) = .;
19697 -+ . = ALIGN(PAGE_SIZE);
19698 -+ } :text.init
19699 -
19700 -- INIT_DATA_SECTION(16)
19701 -+ /*
19702 -+ * .exit.text is discard at runtime, not link time, to deal with
19703 -+ * references from .altinstructions and .eh_frame
19704 -+ */
19705 -+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19706 -+ EXIT_TEXT
19707 -+ . = ALIGN(16);
19708 -+ } :text.exit
19709 -+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
19710 -+
19711 -+ . = ALIGN(PAGE_SIZE);
19712 -+ INIT_DATA_SECTION(16) :init
19713 -
19714 - .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
19715 - __x86_cpu_dev_start = .;
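Review bot: the new symbol `init_begin` differs from the existing `__init_begin` (set inside `.init.begin` just above) only by its underscores, yet it marks a different address, after `PERCPU_VADDR` on SMP and a page alignment. A more distinct name would avoid mix-ups. The manual `. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);` also needs a comment saying it resets the location counter after `.init.text` was placed at `. - __KERNEL_TEXT_OFFSET`.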
19716 -@@ -232,19 +313,11 @@ SECTIONS
19717 - *(.altinstr_replacement)
19718 - }
19719 -
19720 -- /*
19721 -- * .exit.text is discard at runtime, not link time, to deal with
19722 -- * references from .altinstructions and .eh_frame
19723 -- */
19724 -- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
19725 -- EXIT_TEXT
19726 -- }
19727 --
19728 - .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
19729 - EXIT_DATA
19730 - }
19731 -
19732 --#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
19733 -+#ifndef CONFIG_SMP
19734 - PERCPU(PAGE_SIZE)
19735 - #endif
19736 -
19737 -@@ -267,12 +340,6 @@ SECTIONS
19738 - . = ALIGN(PAGE_SIZE);
19739 - }
19740 -
19741 --#ifdef CONFIG_X86_64
19742 -- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
19743 -- NOSAVE_DATA
19744 -- }
19745 --#endif
19746 --
19747 - /* BSS */
19748 - . = ALIGN(PAGE_SIZE);
19749 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
19750 -@@ -288,6 +355,7 @@ SECTIONS
19751 - __brk_base = .;
19752 - . += 64 * 1024; /* 64k alignment slop space */
19753 - *(.brk_reservation) /* areas brk users have reserved */
19754 -+ . = ALIGN(HPAGE_SIZE);
19755 - __brk_limit = .;
19756 - }
19757 -
19758 -@@ -316,13 +384,12 @@ SECTIONS
19759 - * for the boot processor.
19760 - */
19761 - #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
19762 --INIT_PER_CPU(gdt_page);
19763 - INIT_PER_CPU(irq_stack_union);
19764 -
19765 - /*
19766 - * Build-time check on the image size:
19767 - */
19768 --. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
19769 -+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
19770 - "kernel image bigger than KERNEL_IMAGE_SIZE");
19771 -
19772 - #ifdef CONFIG_SMP
19773 -diff -urNp linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c
19774 ---- linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-03-27 14:31:47.000000000 -0400
19775 -+++ linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-04-23 12:56:10.000000000 -0400
19776 -@@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
19777 -
19778 - write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
19779 - /* copy vsyscall data */
19780 -+ strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
19781 - vsyscall_gtod_data.clock.vread = clock->vread;
19782 - vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
19783 - vsyscall_gtod_data.clock.mask = clock->mask;
19784 -@@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
19785 - We do this here because otherwise user space would do it on
19786 - its own in a likely inferior way (no access to jiffies).
19787 - If you don't like it pass NULL. */
19788 -- if (tcache && tcache->blob[0] == (j = __jiffies)) {
19789 -+ if (tcache && tcache->blob[0] == (j = jiffies)) {
19790 - p = tcache->blob[1];
19791 - } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
19792 - /* Load per CPU data from RDTSCP */
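Review bot: `vgetcpu` now reads `jiffies` instead of `__jiffies`, and the linker-script part of this patch removes the `.jiffies` vsyscall section and makes `jiffies` a plain alias of `jiffies_64`. The comment right above still says user space has no access to jiffies, so please confirm this read is valid in the context `vgetcpu` runs in, and update the comment if the mapping has changed.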
19793 -diff -urNp linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c
19794 ---- linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-03-27 14:31:47.000000000 -0400
19795 -+++ linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:56:46.000000000 -0400
19796 -@@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
19797 -
19798 - EXPORT_SYMBOL(copy_user_generic);
19799 - EXPORT_SYMBOL(__copy_user_nocache);
19800 --EXPORT_SYMBOL(copy_from_user);
19801 --EXPORT_SYMBOL(copy_to_user);
19802 - EXPORT_SYMBOL(__copy_from_user_inatomic);
19803 -
19804 - EXPORT_SYMBOL(copy_page);
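Review bot: removing the `copy_from_user` and `copy_to_user` exports will break any module that links against them unless the patch provides both another way elsewhere, which this file does not show. Say in the changelog where the replacements live.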
19805 -diff -urNp linux-2.6.32.46/arch/x86/kernel/xsave.c linux-2.6.32.46/arch/x86/kernel/xsave.c
19806 ---- linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
19807 -+++ linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-10-06 09:37:08.000000000 -0400
19808 -@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
19809 - fx_sw_user->xstate_size > fx_sw_user->extended_size)
19810 - return -1;
19811 -
19812 -- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
19813 -+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
19814 - fx_sw_user->extended_size -
19815 - FP_XSTATE_MAGIC2_SIZE));
19816 - /*
19817 -@@ -196,7 +196,7 @@ fx_only:
19818 - * the other extended state.
19819 - */
19820 - xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
19821 -- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
19822 -+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
19823 - }
19824 -
19825 - /*
19826 -@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
19827 - if (task_thread_info(tsk)->status & TS_XSAVE)
19828 - err = restore_user_xstate(buf);
19829 - else
19830 -- err = fxrstor_checking((__force struct i387_fxsave_struct *)
19831 -+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
19832 - buf);
19833 - if (unlikely(err)) {
19834 - /*
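Review bot: the two `fxrstor_checking()` call sites in this file now disagree on address space. The `fx_only` path casts `buf` to `struct i387_fxsave_struct __force_kernel *`, while `restore_i387_xstate()` casts its `void __user *buf` to `struct i387_fxsave_struct __user *` with no `__force`. Only one of these can match the callee's prototype; pick the annotation that does and use it in both places.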
19835 -diff -urNp linux-2.6.32.46/arch/x86/kvm/emulate.c linux-2.6.32.46/arch/x86/kvm/emulate.c
19836 ---- linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-03-27 14:31:47.000000000 -0400
19837 -+++ linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-04-17 15:56:46.000000000 -0400
19838 -@@ -81,8 +81,8 @@
19839 - #define Src2CL (1<<29)
19840 - #define Src2ImmByte (2<<29)
19841 - #define Src2One (3<<29)
19842 --#define Src2Imm16 (4<<29)
19843 --#define Src2Mask (7<<29)
19844 -+#define Src2Imm16 (4U<<29)
19845 -+#define Src2Mask (7U<<29)
19846 -
19847 - enum {
19848 - Group1_80, Group1_81, Group1_82, Group1_83,
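Review bot: only `Src2Imm16` and `Src2Mask` get the `U` suffix, so the Src2 group now mixes signed and unsigned constants (`Src2One` stays `(3<<29)`). The two changed values are the ones that do not fit in a signed 32-bit int, but making the whole group unsigned would keep mask-and-compare expressions on one type.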
19849 -@@ -411,6 +411,7 @@ static u32 group2_table[] = {
19850 -
19851 - #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
19852 - do { \
19853 -+ unsigned long _tmp; \
19854 - __asm__ __volatile__ ( \
19855 - _PRE_EFLAGS("0", "4", "2") \
19856 - _op _suffix " %"_x"3,%1; " \
19857 -@@ -424,8 +425,6 @@ static u32 group2_table[] = {
19858 - /* Raw emulation: instruction has two explicit operands. */
19859 - #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
19860 - do { \
19861 -- unsigned long _tmp; \
19862 -- \
19863 - switch ((_dst).bytes) { \
19864 - case 2: \
19865 - ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
19866 -@@ -441,7 +440,6 @@ static u32 group2_table[] = {
19867 -
19868 - #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
19869 - do { \
19870 -- unsigned long _tmp; \
19871 - switch ((_dst).bytes) { \
19872 - case 1: \
19873 - ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
19874 -diff -urNp linux-2.6.32.46/arch/x86/kvm/lapic.c linux-2.6.32.46/arch/x86/kvm/lapic.c
19875 ---- linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-03-27 14:31:47.000000000 -0400
19876 -+++ linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-04-17 15:56:46.000000000 -0400
19877 -@@ -52,7 +52,7 @@
19878 - #define APIC_BUS_CYCLE_NS 1
19879 -
19880 - /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
19881 --#define apic_debug(fmt, arg...)
19882 -+#define apic_debug(fmt, arg...) do {} while (0)
19883 -
19884 - #define APIC_LVT_NUM 6
19885 - /* 14 is the version for Xeon and Pentium 8.4.8*/
19886 -diff -urNp linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h
19887 ---- linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-03-27 14:31:47.000000000 -0400
19888 -+++ linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:46:57.000000000 -0400
19889 -@@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
19890 - int level = PT_PAGE_TABLE_LEVEL;
19891 - unsigned long mmu_seq;
19892 -
19893 -+ pax_track_stack();
19894 -+
19895 - pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
19896 - kvm_mmu_audit(vcpu, "pre page fault");
19897 -
19898 -diff -urNp linux-2.6.32.46/arch/x86/kvm/svm.c linux-2.6.32.46/arch/x86/kvm/svm.c
19899 ---- linux-2.6.32.46/arch/x86/kvm/svm.c 2011-03-27 14:31:47.000000000 -0400
19900 -+++ linux-2.6.32.46/arch/x86/kvm/svm.c 2011-08-05 20:33:55.000000000 -0400
19901 -@@ -2485,7 +2485,11 @@ static void reload_tss(struct kvm_vcpu *
19902 - int cpu = raw_smp_processor_id();
19903 -
19904 - struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
19905 -+
19906 -+ pax_open_kernel();
19907 - svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
19908 -+ pax_close_kernel();
19909 -+
19910 - load_TR_desc();
19911 - }
19912 -
19913 -@@ -2946,7 +2950,7 @@ static bool svm_gb_page_enable(void)
19914 - return true;
19915 - }
19916 -
19917 --static struct kvm_x86_ops svm_x86_ops = {
19918 -+static const struct kvm_x86_ops svm_x86_ops = {
19919 - .cpu_has_kvm_support = has_svm,
19920 - .disabled_by_bios = is_disabled,
19921 - .hardware_setup = svm_hardware_setup,
19922 -diff -urNp linux-2.6.32.46/arch/x86/kvm/vmx.c linux-2.6.32.46/arch/x86/kvm/vmx.c
19923 ---- linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-03-27 14:31:47.000000000 -0400
19924 -+++ linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-05-04 17:56:20.000000000 -0400
19925 -@@ -570,7 +570,11 @@ static void reload_tss(void)
19926 -
19927 - kvm_get_gdt(&gdt);
19928 - descs = (void *)gdt.base;
19929 -+
19930 -+ pax_open_kernel();
19931 - descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
19932 -+ pax_close_kernel();
19933 -+
19934 - load_TR_desc();
19935 - }
19936 -
19937 -@@ -1409,8 +1413,11 @@ static __init int hardware_setup(void)
19938 - if (!cpu_has_vmx_flexpriority())
19939 - flexpriority_enabled = 0;
19940 -
19941 -- if (!cpu_has_vmx_tpr_shadow())
19942 -- kvm_x86_ops->update_cr8_intercept = NULL;
19943 -+ if (!cpu_has_vmx_tpr_shadow()) {
19944 -+ pax_open_kernel();
19945 -+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
19946 -+ pax_close_kernel();
19947 -+ }
19948 -
19949 - if (enable_ept && !cpu_has_vmx_ept_2m_page())
19950 - kvm_disable_largepages();
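Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast that strips the `const` this patch adds to `kvm_x86_ops` and `vmx_x86_ops`. That depends entirely on the `pax_open_kernel()` window and hides the write from the compiler's const checking. Prefer settling this before the table is registered, or have the callback itself test `cpu_has_vmx_tpr_shadow()`, so the ops table is never modified once it is in use.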
19951 -@@ -2361,7 +2368,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
19952 - vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
19953 -
19954 - asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
19955 -- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
19956 -+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
19957 - vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
19958 - vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
19959 - vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
19960 -@@ -3717,6 +3724,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
19961 - "jmp .Lkvm_vmx_return \n\t"
19962 - ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
19963 - ".Lkvm_vmx_return: "
19964 -+
19965 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19966 -+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
19967 -+ ".Lkvm_vmx_return2: "
19968 -+#endif
19969 -+
19970 - /* Save guest registers, load host registers, keep flags */
19971 - "xchg %0, (%%"R"sp) \n\t"
19972 - "mov %%"R"ax, %c[rax](%0) \n\t"
19973 -@@ -3763,8 +3776,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
19974 - [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
19975 - #endif
19976 - [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
19977 -+
19978 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19979 -+ ,[cs]"i"(__KERNEL_CS)
19980 -+#endif
19981 -+
19982 - : "cc", "memory"
19983 -- , R"bx", R"di", R"si"
19984 -+ , R"ax", R"bx", R"di", R"si"
19985 - #ifdef CONFIG_X86_64
19986 - , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
19987 - #endif
19988 -@@ -3781,7 +3799,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
19989 - if (vmx->rmode.irq.pending)
19990 - fixup_rmode_irq(vmx);
19991 -
19992 -- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
19993 -+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
19994 -+
19995 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19996 -+ loadsegment(fs, __KERNEL_PERCPU);
19997 -+#endif
19998 -+
19999 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20000 -+ __set_fs(current_thread_info()->addr_limit);
20001 -+#endif
20002 -+
20003 - vmx->launched = 1;
20004 -
20005 - vmx_complete_interrupts(vmx);
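Review bot: the segment reload after VM exit changes from `__USER_DS` to `__KERNEL_DS` and adds `%%ss` unconditionally, while the two blocks added right after it are guarded by `CONFIG_X86_32` together with `CONFIG_PAX_KERNEXEC` or `CONFIG_PAX_MEMORY_UDEREF`. Add a comment saying why the unguarded change is correct for every configuration, since it alters what ds and es hold on all builds.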
20006 -@@ -3956,7 +3983,7 @@ static bool vmx_gb_page_enable(void)
20007 - return false;
20008 - }
20009 -
20010 --static struct kvm_x86_ops vmx_x86_ops = {
20011 -+static const struct kvm_x86_ops vmx_x86_ops = {
20012 - .cpu_has_kvm_support = cpu_has_kvm_support,
20013 - .disabled_by_bios = vmx_disabled_by_bios,
20014 - .hardware_setup = hardware_setup,
20015 -diff -urNp linux-2.6.32.46/arch/x86/kvm/x86.c linux-2.6.32.46/arch/x86/kvm/x86.c
20016 ---- linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:01.000000000 -0400
20017 -+++ linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:26.000000000 -0400
20018 -@@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
20019 - static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
20020 - struct kvm_cpuid_entry2 __user *entries);
20021 -
20022 --struct kvm_x86_ops *kvm_x86_ops;
20023 -+const struct kvm_x86_ops *kvm_x86_ops;
20024 - EXPORT_SYMBOL_GPL(kvm_x86_ops);
20025 -
20026 - int ignore_msrs = 0;
20027 -@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
20028 - struct kvm_cpuid2 *cpuid,
20029 - struct kvm_cpuid_entry2 __user *entries)
20030 - {
20031 -- int r;
20032 -+ int r, i;
20033 -
20034 - r = -E2BIG;
20035 - if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
20036 - goto out;
20037 - r = -EFAULT;
20038 -- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
20039 -- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
20040 -+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
20041 - goto out;
20042 -+ for (i = 0; i < cpuid->nent; ++i) {
20043 -+ struct kvm_cpuid_entry2 cpuid_entry;
20044 -+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
20045 -+ goto out;
20046 -+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
20047 -+ }
20048 - vcpu->arch.cpuid_nent = cpuid->nent;
20049 - kvm_apic_set_version(vcpu);
20050 - return 0;
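Review bot: the per-entry loop can leave `vcpu->arch.cpuid_entries` half updated. If `__copy_from_user()` faults at index `i`, entries 0 to `i-1` have already been overwritten, but `vcpu->arch.cpuid_nent` keeps its old value and the function returns -EFAULT. Copy into a temporary array and commit only after the whole read succeeds, or document that partial updates are acceptable. The reason for replacing the single `copy_from_user()` with `access_ok()` plus a bounce through a stack `cpuid_entry` also deserves a comment.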
20051 -@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
20052 - struct kvm_cpuid2 *cpuid,
20053 - struct kvm_cpuid_entry2 __user *entries)
20054 - {
20055 -- int r;
20056 -+ int r, i;
20057 -
20058 - vcpu_load(vcpu);
20059 - r = -E2BIG;
20060 - if (cpuid->nent < vcpu->arch.cpuid_nent)
20061 - goto out;
20062 - r = -EFAULT;
20063 -- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
20064 -- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
20065 -+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
20066 - goto out;
20067 -+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
20068 -+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
20069 -+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
20070 -+ goto out;
20071 -+ }
20072 - return 0;
20073 -
20074 - out:
20075 -@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
20076 - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
20077 - struct kvm_interrupt *irq)
20078 - {
20079 -- if (irq->irq < 0 || irq->irq >= 256)
20080 -+ if (irq->irq >= 256)
20081 - return -EINVAL;
20082 - if (irqchip_in_kernel(vcpu->kvm))
20083 - return -ENXIO;
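Review bot: dropping `irq->irq < 0` is only safe if `irq->irq` is an unsigned type, which this hunk does not show. State the field's type in the changelog, so the reader can see that `irq->irq >= 256` alone still covers the whole invalid range.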
20084 -@@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
20085 - .notifier_call = kvmclock_cpufreq_notifier
20086 - };
20087 -
20088 --int kvm_arch_init(void *opaque)
20089 -+int kvm_arch_init(const void *opaque)
20090 - {
20091 - int r, cpu;
20092 -- struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
20093 -+ const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
20094 -
20095 - if (kvm_x86_ops) {
20096 - printk(KERN_ERR "kvm: already loaded the other module\n");
20097 -diff -urNp linux-2.6.32.46/arch/x86/lguest/boot.c linux-2.6.32.46/arch/x86/lguest/boot.c
20098 ---- linux-2.6.32.46/arch/x86/lguest/boot.c 2011-03-27 14:31:47.000000000 -0400
20099 -+++ linux-2.6.32.46/arch/x86/lguest/boot.c 2011-08-05 20:33:55.000000000 -0400
20100 -@@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
20101 - * Rebooting also tells the Host we're finished, but the RESTART flag tells the
20102 - * Launcher to reboot us.
20103 - */
20104 --static void lguest_restart(char *reason)
20105 -+static __noreturn void lguest_restart(char *reason)
20106 - {
20107 - kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
20108 -+ BUG();
20109 - }
20110 -
20111 - /*G:050
20112 -diff -urNp linux-2.6.32.46/arch/x86/lib/atomic64_32.c linux-2.6.32.46/arch/x86/lib/atomic64_32.c
20113 ---- linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-03-27 14:31:47.000000000 -0400
20114 -+++ linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-05-04 17:56:28.000000000 -0400
20115 -@@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
20116 - }
20117 - EXPORT_SYMBOL(atomic64_cmpxchg);
20118 -
20119 -+u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
20120 -+{
20121 -+ return cmpxchg8b(&ptr->counter, old_val, new_val);
20122 -+}
20123 -+EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
20124 -+
20125 - /**
20126 - * atomic64_xchg - xchg atomic64 variable
20127 - * @ptr: pointer to type atomic64_t
20128 -@@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
20129 - EXPORT_SYMBOL(atomic64_xchg);
20130 -
20131 - /**
20132 -+ * atomic64_xchg_unchecked - xchg atomic64 variable
20133 -+ * @ptr: pointer to type atomic64_unchecked_t
20134 -+ * @new_val: value to assign
20135 -+ *
20136 -+ * Atomically xchgs the value of @ptr to @new_val and returns
20137 -+ * the old value.
20138 -+ */
20139 -+u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20140 -+{
20141 -+ /*
20142 -+ * Try first with a (possibly incorrect) assumption about
20143 -+ * what we have there. We'll do two loops most likely,
20144 -+ * but we'll get an ownership MESI transaction straight away
20145 -+ * instead of a read transaction followed by a
20146 -+ * flush-for-ownership transaction:
20147 -+ */
20148 -+ u64 old_val, real_val = 0;
20149 -+
20150 -+ do {
20151 -+ old_val = real_val;
20152 -+
20153 -+ real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20154 -+
20155 -+ } while (real_val != old_val);
20156 -+
20157 -+ return old_val;
20158 -+}
20159 -+EXPORT_SYMBOL(atomic64_xchg_unchecked);
20160 -+
20161 -+/**
20162 - * atomic64_set - set atomic64 variable
20163 - * @ptr: pointer to type atomic64_t
20164 - * @new_val: value to assign
20165 -@@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
20166 - EXPORT_SYMBOL(atomic64_set);
20167 -
20168 - /**
20169 --EXPORT_SYMBOL(atomic64_read);
20170 -+ * atomic64_unchecked_set - set atomic64 variable
20171 -+ * @ptr: pointer to type atomic64_unchecked_t
20172 -+ * @new_val: value to assign
20173 -+ *
20174 -+ * Atomically sets the value of @ptr to @new_val.
20175 -+ */
20176 -+void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20177 -+{
20178 -+ atomic64_xchg_unchecked(ptr, new_val);
20179 -+}
20180 -+EXPORT_SYMBOL(atomic64_set_unchecked);
20181 -+
20182 -+/**
20183 - * atomic64_add_return - add and return
20184 - * @delta: integer value to add
20185 - * @ptr: pointer to type atomic64_t
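Review bot: the kernel-doc header says `atomic64_unchecked_set` but the function is `atomic64_set_unchecked`; the names should match. The removed `EXPORT_SYMBOL(atomic64_read);` line sat inside the `/**` comment opener, so it was never an effective export; mention in the changelog that its removal is a cleanup and not a change to the exported symbols.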
20186 -@@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
20187 - }
20188 - EXPORT_SYMBOL(atomic64_add_return);
20189 -
20190 -+/**
20191 -+ * atomic64_add_return_unchecked - add and return
20192 -+ * @delta: integer value to add
20193 -+ * @ptr: pointer to type atomic64_unchecked_t
20194 -+ *
20195 -+ * Atomically adds @delta to @ptr and returns @delta + *@ptr
20196 -+ */
20197 -+noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20198 -+{
20199 -+ /*
20200 -+ * Try first with a (possibly incorrect) assumption about
20201 -+ * what we have there. We'll do two loops most likely,
20202 -+ * but we'll get an ownership MESI transaction straight away
20203 -+ * instead of a read transaction followed by a
20204 -+ * flush-for-ownership transaction:
20205 -+ */
20206 -+ u64 old_val, new_val, real_val = 0;
20207 -+
20208 -+ do {
20209 -+ old_val = real_val;
20210 -+ new_val = old_val + delta;
20211 -+
20212 -+ real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20213 -+
20214 -+ } while (real_val != old_val);
20215 -+
20216 -+ return new_val;
20217 -+}
20218 -+EXPORT_SYMBOL(atomic64_add_return_unchecked);
20219 -+
20220 - u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
20221 - {
20222 - return atomic64_add_return(-delta, ptr);
20223 - }
20224 - EXPORT_SYMBOL(atomic64_sub_return);
20225 -
20226 -+u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20227 -+{
20228 -+ return atomic64_add_return_unchecked(-delta, ptr);
20229 -+}
20230 -+EXPORT_SYMBOL(atomic64_sub_return_unchecked);
20231 -+
20232 - u64 atomic64_inc_return(atomic64_t *ptr)
20233 - {
20234 - return atomic64_add_return(1, ptr);
20235 - }
20236 - EXPORT_SYMBOL(atomic64_inc_return);
20237 -
20238 -+u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
20239 -+{
20240 -+ return atomic64_add_return_unchecked(1, ptr);
20241 -+}
20242 -+EXPORT_SYMBOL(atomic64_inc_return_unchecked);
20243 -+
20244 - u64 atomic64_dec_return(atomic64_t *ptr)
20245 - {
20246 - return atomic64_sub_return(1, ptr);
20247 - }
20248 - EXPORT_SYMBOL(atomic64_dec_return);
20249 -
20250 -+u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
20251 -+{
20252 -+ return atomic64_sub_return_unchecked(1, ptr);
20253 -+}
20254 -+EXPORT_SYMBOL(atomic64_dec_return_unchecked);
20255 -+
20256 - /**
20257 - * atomic64_add - add integer to atomic64 variable
20258 - * @delta: integer value to add
20259 -@@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
20260 - EXPORT_SYMBOL(atomic64_add);
20261 -
20262 - /**
20263 -+ * atomic64_add_unchecked - add integer to atomic64 variable
20264 -+ * @delta: integer value to add
20265 -+ * @ptr: pointer to type atomic64_unchecked_t
20266 -+ *
20267 -+ * Atomically adds @delta to @ptr.
20268 -+ */
20269 -+void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20270 -+{
20271 -+ atomic64_add_return_unchecked(delta, ptr);
20272 -+}
20273 -+EXPORT_SYMBOL(atomic64_add_unchecked);
20274 -+
20275 -+/**
20276 - * atomic64_sub - subtract the atomic64 variable
20277 - * @delta: integer value to subtract
20278 - * @ptr: pointer to type atomic64_t
20279 -@@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
20280 - EXPORT_SYMBOL(atomic64_sub);
20281 -
20282 - /**
20283 -+ * atomic64_sub_unchecked - subtract the atomic64 variable
20284 -+ * @delta: integer value to subtract
20285 -+ * @ptr: pointer to type atomic64_unchecked_t
20286 -+ *
20287 -+ * Atomically subtracts @delta from @ptr.
20288 -+ */
20289 -+void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20290 -+{
20291 -+ atomic64_add_unchecked(-delta, ptr);
20292 -+}
20293 -+EXPORT_SYMBOL(atomic64_sub_unchecked);
20294 -+
20295 -+/**
20296 - * atomic64_sub_and_test - subtract value from variable and test result
20297 - * @delta: integer value to subtract
20298 - * @ptr: pointer to type atomic64_t
20299 -@@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
20300 - EXPORT_SYMBOL(atomic64_inc);
20301 -
20302 - /**
20303 -+ * atomic64_inc_unchecked - increment atomic64 variable
20304 -+ * @ptr: pointer to type atomic64_unchecked_t
20305 -+ *
20306 -+ * Atomically increments @ptr by 1.
20307 -+ */
20308 -+void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
20309 -+{
20310 -+ atomic64_add_unchecked(1, ptr);
20311 -+}
20312 -+EXPORT_SYMBOL(atomic64_inc_unchecked);
20313 -+
20314 -+/**
20315 - * atomic64_dec - decrement atomic64 variable
20316 - * @ptr: pointer to type atomic64_t
20317 - *
20318 -@@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
20319 - EXPORT_SYMBOL(atomic64_dec);
20320 -
20321 - /**
20322 -+ * atomic64_dec_unchecked - decrement atomic64 variable
20323 -+ * @ptr: pointer to type atomic64_unchecked_t
20324 -+ *
20325 -+ * Atomically decrements @ptr by 1.
20326 -+ */
20327 -+void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
20328 -+{
20329 -+ atomic64_sub_unchecked(1, ptr);
20330 -+}
20331 -+EXPORT_SYMBOL(atomic64_dec_unchecked);
20332 -+
20333 -+/**
20334 - * atomic64_dec_and_test - decrement and test
20335 - * @ptr: pointer to type atomic64_t
20336 - *
20337 -diff -urNp linux-2.6.32.46/arch/x86/lib/checksum_32.S linux-2.6.32.46/arch/x86/lib/checksum_32.S
20338 ---- linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-03-27 14:31:47.000000000 -0400
20339 -+++ linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-04-17 15:56:46.000000000 -0400
20340 -@@ -28,7 +28,8 @@
20341 - #include <linux/linkage.h>
20342 - #include <asm/dwarf2.h>
20343 - #include <asm/errno.h>
20344 --
20345 -+#include <asm/segment.h>
20346 -+
20347 - /*
20348 - * computes a partial checksum, e.g. for TCP/UDP fragments
20349 - */
20350 -@@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
20351 -
20352 - #define ARGBASE 16
20353 - #define FP 12
20354 --
20355 --ENTRY(csum_partial_copy_generic)
20356 -+
20357 -+ENTRY(csum_partial_copy_generic_to_user)
20358 - CFI_STARTPROC
20359 -+
20360 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20361 -+ pushl %gs
20362 -+ CFI_ADJUST_CFA_OFFSET 4
20363 -+ popl %es
20364 -+ CFI_ADJUST_CFA_OFFSET -4
20365 -+ jmp csum_partial_copy_generic
20366 -+#endif
20367 -+
20368 -+ENTRY(csum_partial_copy_generic_from_user)
20369 -+
20370 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20371 -+ pushl %gs
20372 -+ CFI_ADJUST_CFA_OFFSET 4
20373 -+ popl %ds
20374 -+ CFI_ADJUST_CFA_OFFSET -4
20375 -+#endif
20376 -+
20377 -+ENTRY(csum_partial_copy_generic)
20378 - subl $4,%esp
20379 - CFI_ADJUST_CFA_OFFSET 4
20380 - pushl %edi
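Review bot: the three stacked `ENTRY()` labels rely on fall-through that is not documented. With `CONFIG_PAX_MEMORY_UDEREF` off, `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` both fall straight into `csum_partial_copy_generic`; with it on, the `to_user` path has to `jmp` over the `from_user` prologue. A comment stating that, plus which segment register each variant redirects (`%es` for the destination, `%ds` for the source), would make the layout reviewable. `CFI_STARTPROC` is also emitted only after the first label.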
20381 -@@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
20382 - jmp 4f
20383 - SRC(1: movw (%esi), %bx )
20384 - addl $2, %esi
20385 --DST( movw %bx, (%edi) )
20386 -+DST( movw %bx, %es:(%edi) )
20387 - addl $2, %edi
20388 - addw %bx, %ax
20389 - adcl $0, %eax
20390 -@@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
20391 - SRC(1: movl (%esi), %ebx )
20392 - SRC( movl 4(%esi), %edx )
20393 - adcl %ebx, %eax
20394 --DST( movl %ebx, (%edi) )
20395 -+DST( movl %ebx, %es:(%edi) )
20396 - adcl %edx, %eax
20397 --DST( movl %edx, 4(%edi) )
20398 -+DST( movl %edx, %es:4(%edi) )
20399 -
20400 - SRC( movl 8(%esi), %ebx )
20401 - SRC( movl 12(%esi), %edx )
20402 - adcl %ebx, %eax
20403 --DST( movl %ebx, 8(%edi) )
20404 -+DST( movl %ebx, %es:8(%edi) )
20405 - adcl %edx, %eax
20406 --DST( movl %edx, 12(%edi) )
20407 -+DST( movl %edx, %es:12(%edi) )
20408 -
20409 - SRC( movl 16(%esi), %ebx )
20410 - SRC( movl 20(%esi), %edx )
20411 - adcl %ebx, %eax
20412 --DST( movl %ebx, 16(%edi) )
20413 -+DST( movl %ebx, %es:16(%edi) )
20414 - adcl %edx, %eax
20415 --DST( movl %edx, 20(%edi) )
20416 -+DST( movl %edx, %es:20(%edi) )
20417 -
20418 - SRC( movl 24(%esi), %ebx )
20419 - SRC( movl 28(%esi), %edx )
20420 - adcl %ebx, %eax
20421 --DST( movl %ebx, 24(%edi) )
20422 -+DST( movl %ebx, %es:24(%edi) )
20423 - adcl %edx, %eax
20424 --DST( movl %edx, 28(%edi) )
20425 -+DST( movl %edx, %es:28(%edi) )
20426 -
20427 - lea 32(%esi), %esi
20428 - lea 32(%edi), %edi
20429 -@@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
20430 - shrl $2, %edx # This clears CF
20431 - SRC(3: movl (%esi), %ebx )
20432 - adcl %ebx, %eax
20433 --DST( movl %ebx, (%edi) )
20434 -+DST( movl %ebx, %es:(%edi) )
20435 - lea 4(%esi), %esi
20436 - lea 4(%edi), %edi
20437 - dec %edx
20438 -@@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
20439 - jb 5f
20440 - SRC( movw (%esi), %cx )
20441 - leal 2(%esi), %esi
20442 --DST( movw %cx, (%edi) )
20443 -+DST( movw %cx, %es:(%edi) )
20444 - leal 2(%edi), %edi
20445 - je 6f
20446 - shll $16,%ecx
20447 - SRC(5: movb (%esi), %cl )
20448 --DST( movb %cl, (%edi) )
20449 -+DST( movb %cl, %es:(%edi) )
20450 - 6: addl %ecx, %eax
20451 - adcl $0, %eax
20452 - 7:
20453 -@@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
20454 -
20455 - 6001:
20456 - movl ARGBASE+20(%esp), %ebx # src_err_ptr
20457 -- movl $-EFAULT, (%ebx)
20458 -+ movl $-EFAULT, %ss:(%ebx)
20459 -
20460 - # zero the complete destination - computing the rest
20461 - # is too much work
20462 -@@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
20463 -
20464 - 6002:
20465 - movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20466 -- movl $-EFAULT,(%ebx)
20467 -+ movl $-EFAULT,%ss:(%ebx)
20468 - jmp 5000b
20469 -
20470 - .previous
20471 -
20472 -+ pushl %ss
20473 -+ CFI_ADJUST_CFA_OFFSET 4
20474 -+ popl %ds
20475 -+ CFI_ADJUST_CFA_OFFSET -4
20476 -+ pushl %ss
20477 -+ CFI_ADJUST_CFA_OFFSET 4
20478 -+ popl %es
20479 -+ CFI_ADJUST_CFA_OFFSET -4
20480 - popl %ebx
20481 - CFI_ADJUST_CFA_OFFSET -4
20482 - CFI_RESTORE ebx
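Review bot: the pushl %ss / popl %ds and pushl %ss / popl %es restore added before popl %ebx has no #ifdef CONFIG_PAX_MEMORY_UDEREF guard, while the PentiumII/PPro variant later in the same file wraps the identical sequence in that #ifdef. Guard it here as well, or say why this variant needs the reload when UDEREF is off; as written, non-UDEREF builds pay for two segment reloads on every call, and the entry-side segment loads in this variant are already guarded.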
20483 -@@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
20484 - CFI_ADJUST_CFA_OFFSET -4
20485 - ret
20486 - CFI_ENDPROC
20487 --ENDPROC(csum_partial_copy_generic)
20488 -+ENDPROC(csum_partial_copy_generic_to_user)
20489 -
20490 - #else
20491 -
20492 - /* Version for PentiumII/PPro */
20493 -
20494 - #define ROUND1(x) \
20495 -+ nop; nop; nop; \
20496 - SRC(movl x(%esi), %ebx ) ; \
20497 - addl %ebx, %eax ; \
20498 -- DST(movl %ebx, x(%edi) ) ;
20499 -+ DST(movl %ebx, %es:x(%edi)) ;
20500 -
20501 - #define ROUND(x) \
20502 -+ nop; nop; nop; \
20503 - SRC(movl x(%esi), %ebx ) ; \
20504 - adcl %ebx, %eax ; \
20505 -- DST(movl %ebx, x(%edi) ) ;
20506 -+ DST(movl %ebx, %es:x(%edi)) ;
20507 -
20508 - #define ARGBASE 12
20509 --
20510 --ENTRY(csum_partial_copy_generic)
20511 -+
20512 -+ENTRY(csum_partial_copy_generic_to_user)
20513 - CFI_STARTPROC
20514 -+
20515 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20516 -+ pushl %gs
20517 -+ CFI_ADJUST_CFA_OFFSET 4
20518 -+ popl %es
20519 -+ CFI_ADJUST_CFA_OFFSET -4
20520 -+ jmp csum_partial_copy_generic
20521 -+#endif
20522 -+
20523 -+ENTRY(csum_partial_copy_generic_from_user)
20524 -+
20525 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20526 -+ pushl %gs
20527 -+ CFI_ADJUST_CFA_OFFSET 4
20528 -+ popl %ds
20529 -+ CFI_ADJUST_CFA_OFFSET -4
20530 -+#endif
20531 -+
20532 -+ENTRY(csum_partial_copy_generic)
20533 - pushl %ebx
20534 - CFI_ADJUST_CFA_OFFSET 4
20535 - CFI_REL_OFFSET ebx, 0
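Review bot: ENDPROC is renamed to csum_partial_copy_generic_to_user, but the hunk introduces three ENTRY labels (_to_user, _from_user and csum_partial_copy_generic) and only the first gets an ENDPROC, so the other two symbols lose their type and size annotation. Add ENDPROC lines for csum_partial_copy_generic_from_user and csum_partial_copy_generic beside the existing one. A short comment at the stacked ENTRY lines would also help, since with CONFIG_PAX_MEMORY_UDEREF unset all three labels fall through to the same body.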
20536 -@@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
20537 - subl %ebx, %edi
20538 - lea -1(%esi),%edx
20539 - andl $-32,%edx
20540 -- lea 3f(%ebx,%ebx), %ebx
20541 -+ lea 3f(%ebx,%ebx,2), %ebx
20542 - testl %esi, %esi
20543 - jmp *%ebx
20544 - 1: addl $64,%esi
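Review bot: the scale change in lea 3f(%ebx,%ebx,2), %ebx is only correct together with the nop; nop; nop padding and the %es: prefix added to ROUND1/ROUND in the previous hunk, and nothing records that dependency. Put a comment on the lea and on the macros stating the per-round size that the computed jmp *%ebx assumes, so a later edit to ROUND cannot silently land the jump mid-instruction.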
20545 -@@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
20546 - jb 5f
20547 - SRC( movw (%esi), %dx )
20548 - leal 2(%esi), %esi
20549 --DST( movw %dx, (%edi) )
20550 -+DST( movw %dx, %es:(%edi) )
20551 - leal 2(%edi), %edi
20552 - je 6f
20553 - shll $16,%edx
20554 - 5:
20555 - SRC( movb (%esi), %dl )
20556 --DST( movb %dl, (%edi) )
20557 -+DST( movb %dl, %es:(%edi) )
20558 - 6: addl %edx, %eax
20559 - adcl $0, %eax
20560 - 7:
20561 - .section .fixup, "ax"
20562 - 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
20563 -- movl $-EFAULT, (%ebx)
20564 -+ movl $-EFAULT, %ss:(%ebx)
20565 - # zero the complete destination (computing the rest is too much work)
20566 - movl ARGBASE+8(%esp),%edi # dst
20567 - movl ARGBASE+12(%esp),%ecx # len
20568 -@@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
20569 - rep; stosb
20570 - jmp 7b
20571 - 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20572 -- movl $-EFAULT, (%ebx)
20573 -+ movl $-EFAULT, %ss:(%ebx)
20574 - jmp 7b
20575 - .previous
20576 -
20577 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20578 -+ pushl %ss
20579 -+ CFI_ADJUST_CFA_OFFSET 4
20580 -+ popl %ds
20581 -+ CFI_ADJUST_CFA_OFFSET -4
20582 -+ pushl %ss
20583 -+ CFI_ADJUST_CFA_OFFSET 4
20584 -+ popl %es
20585 -+ CFI_ADJUST_CFA_OFFSET -4
20586 -+#endif
20587 -+
20588 - popl %esi
20589 - CFI_ADJUST_CFA_OFFSET -4
20590 - CFI_RESTORE esi
20591 -@@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
20592 - CFI_RESTORE ebx
20593 - ret
20594 - CFI_ENDPROC
20595 --ENDPROC(csum_partial_copy_generic)
20596 -+ENDPROC(csum_partial_copy_generic_to_user)
20597 -
20598 - #undef ROUND
20599 - #undef ROUND1
20600 -diff -urNp linux-2.6.32.46/arch/x86/lib/clear_page_64.S linux-2.6.32.46/arch/x86/lib/clear_page_64.S
20601 ---- linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
20602 -+++ linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-10-06 09:37:08.000000000 -0400
20603 -@@ -1,5 +1,6 @@
20604 - #include <linux/linkage.h>
20605 - #include <asm/dwarf2.h>
20606 -+#include <asm/alternative-asm.h>
20607 -
20608 - /*
20609 - * Zero a page.
20610 -@@ -10,6 +11,7 @@ ENTRY(clear_page_c)
20611 - movl $4096/8,%ecx
20612 - xorl %eax,%eax
20613 - rep stosq
20614 -+ pax_force_retaddr
20615 - ret
20616 - CFI_ENDPROC
20617 - ENDPROC(clear_page_c)
20618 -@@ -33,6 +35,7 @@ ENTRY(clear_page)
20619 - leaq 64(%rdi),%rdi
20620 - jnz .Lloop
20621 - nop
20622 -+ pax_force_retaddr
20623 - ret
20624 - CFI_ENDPROC
20625 - .Lclear_page_end:
20626 -@@ -43,7 +46,7 @@ ENDPROC(clear_page)
20627 -
20628 - #include <asm/cpufeature.h>
20629 -
20630 -- .section .altinstr_replacement,"ax"
20631 -+ .section .altinstr_replacement,"a"
20632 - 1: .byte 0xeb /* jmp <disp8> */
20633 - .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
20634 - 2:
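Review bot: the flags on .section .altinstr_replacement change from "ax" to "a" with no comment, and the same one-character edit recurs in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S. State the reason next to the directive (for example that the bytes are only copied over the original instruction and never run in place, if that is the intent), and consider one shared macro for the directive so the flags cannot diverge between files.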
20635 -diff -urNp linux-2.6.32.46/arch/x86/lib/copy_page_64.S linux-2.6.32.46/arch/x86/lib/copy_page_64.S
20636 ---- linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
20637 -+++ linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-10-06 09:37:08.000000000 -0400
20638 -@@ -2,12 +2,14 @@
20639 -
20640 - #include <linux/linkage.h>
20641 - #include <asm/dwarf2.h>
20642 -+#include <asm/alternative-asm.h>
20643 -
20644 - ALIGN
20645 - copy_page_c:
20646 - CFI_STARTPROC
20647 - movl $4096/8,%ecx
20648 - rep movsq
20649 -+ pax_force_retaddr
20650 - ret
20651 - CFI_ENDPROC
20652 - ENDPROC(copy_page_c)
20653 -@@ -94,6 +96,7 @@ ENTRY(copy_page)
20654 - CFI_RESTORE r13
20655 - addq $3*8,%rsp
20656 - CFI_ADJUST_CFA_OFFSET -3*8
20657 -+ pax_force_retaddr
20658 - ret
20659 - .Lcopy_page_end:
20660 - CFI_ENDPROC
20661 -@@ -104,7 +107,7 @@ ENDPROC(copy_page)
20662 -
20663 - #include <asm/cpufeature.h>
20664 -
20665 -- .section .altinstr_replacement,"ax"
20666 -+ .section .altinstr_replacement,"a"
20667 - 1: .byte 0xeb /* jmp <disp8> */
20668 - .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
20669 - 2:
20670 -diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/lib/copy_user_64.S
20671 ---- linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
20672 -+++ linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-10-06 10:12:52.000000000 -0400
20673 -@@ -15,13 +15,15 @@
20674 - #include <asm/asm-offsets.h>
20675 - #include <asm/thread_info.h>
20676 - #include <asm/cpufeature.h>
20677 -+#include <asm/pgtable.h>
20678 -+#include <asm/alternative-asm.h>
20679 -
20680 - .macro ALTERNATIVE_JUMP feature,orig,alt
20681 - 0:
20682 - .byte 0xe9 /* 32bit jump */
20683 - .long \orig-1f /* by default jump to orig */
20684 - 1:
20685 -- .section .altinstr_replacement,"ax"
20686 -+ .section .altinstr_replacement,"a"
20687 - 2: .byte 0xe9 /* near jump with 32bit immediate */
20688 - .long \alt-1b /* offset */ /* or alternatively to alt */
20689 - .previous
20690 -@@ -64,55 +66,26 @@
20691 - #endif
20692 - .endm
20693 -
20694 --/* Standard copy_to_user with segment limit checking */
20695 --ENTRY(copy_to_user)
20696 -- CFI_STARTPROC
20697 -- GET_THREAD_INFO(%rax)
20698 -- movq %rdi,%rcx
20699 -- addq %rdx,%rcx
20700 -- jc bad_to_user
20701 -- cmpq TI_addr_limit(%rax),%rcx
20702 -- ja bad_to_user
20703 -- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20704 -- CFI_ENDPROC
20705 --ENDPROC(copy_to_user)
20706 --
20707 --/* Standard copy_from_user with segment limit checking */
20708 --ENTRY(copy_from_user)
20709 -- CFI_STARTPROC
20710 -- GET_THREAD_INFO(%rax)
20711 -- movq %rsi,%rcx
20712 -- addq %rdx,%rcx
20713 -- jc bad_from_user
20714 -- cmpq TI_addr_limit(%rax),%rcx
20715 -- ja bad_from_user
20716 -- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20717 -- CFI_ENDPROC
20718 --ENDPROC(copy_from_user)
20719 --
20720 - ENTRY(copy_user_generic)
20721 - CFI_STARTPROC
20722 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20723 - CFI_ENDPROC
20724 - ENDPROC(copy_user_generic)
20725 -
20726 --ENTRY(__copy_from_user_inatomic)
20727 -- CFI_STARTPROC
20728 -- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20729 -- CFI_ENDPROC
20730 --ENDPROC(__copy_from_user_inatomic)
20731 --
20732 - .section .fixup,"ax"
20733 - /* must zero dest */
20734 - ENTRY(bad_from_user)
20735 - bad_from_user:
20736 - CFI_STARTPROC
20737 -+ testl %edx,%edx
20738 -+ js bad_to_user
20739 - movl %edx,%ecx
20740 - xorl %eax,%eax
20741 - rep
20742 - stosb
20743 - bad_to_user:
20744 - movl %edx,%eax
20745 -+ pax_force_retaddr
20746 - ret
20747 - CFI_ENDPROC
20748 - ENDPROC(bad_from_user)
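Review bot: the removed copy_to_user and copy_from_user entries held the jc and cmpq TI_addr_limit range checks, and nothing in this file's hunks replaces them, so the change needs a pointer to where callers are now bounds-checked before they reach copy_user_generic. The new testl %edx,%edx / js bad_to_user at the top of bad_from_user also needs a comment saying that a negative length skips the rep stosb zeroing.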
20749 -@@ -180,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
20750 - decl %ecx
20751 - jnz 21b
20752 - 23: xor %eax,%eax
20753 -+ pax_force_retaddr
20754 - ret
20755 -
20756 - .section .fixup,"ax"
20757 -@@ -252,6 +226,7 @@ ENTRY(copy_user_generic_string)
20758 - 3: rep
20759 - movsb
20760 - 4: xorl %eax,%eax
20761 -+ pax_force_retaddr
20762 - ret
20763 -
20764 - .section .fixup,"ax"
20765 -diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S
20766 ---- linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
20767 -+++ linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-10-06 09:37:08.000000000 -0400
20768 -@@ -8,12 +8,14 @@
20769 -
20770 - #include <linux/linkage.h>
20771 - #include <asm/dwarf2.h>
20772 -+#include <asm/alternative-asm.h>
20773 -
20774 - #define FIX_ALIGNMENT 1
20775 -
20776 - #include <asm/current.h>
20777 - #include <asm/asm-offsets.h>
20778 - #include <asm/thread_info.h>
20779 -+#include <asm/pgtable.h>
20780 -
20781 - .macro ALIGN_DESTINATION
20782 - #ifdef FIX_ALIGNMENT
20783 -@@ -50,6 +52,15 @@
20784 - */
20785 - ENTRY(__copy_user_nocache)
20786 - CFI_STARTPROC
20787 -+
20788 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20789 -+ mov $PAX_USER_SHADOW_BASE,%rcx
20790 -+ cmp %rcx,%rsi
20791 -+ jae 1f
20792 -+ add %rcx,%rsi
20793 -+1:
20794 -+#endif
20795 -+
20796 - cmpl $8,%edx
20797 - jb 20f /* less then 8 bytes, go to byte copy loop */
20798 - ALIGN_DESTINATION
20799 -@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
20800 - jnz 21b
20801 - 23: xorl %eax,%eax
20802 - sfence
20803 -+ pax_force_retaddr
20804 - ret
20805 -
20806 - .section .fixup,"ax"
20807 -diff -urNp linux-2.6.32.46/arch/x86/lib/csum-copy_64.S linux-2.6.32.46/arch/x86/lib/csum-copy_64.S
20808 ---- linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-03-27 14:31:47.000000000 -0400
20809 -+++ linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-10-06 09:37:14.000000000 -0400
20810 -@@ -8,6 +8,7 @@
20811 - #include <linux/linkage.h>
20812 - #include <asm/dwarf2.h>
20813 - #include <asm/errno.h>
20814 -+#include <asm/alternative-asm.h>
20815 -
20816 - /*
20817 - * Checksum copy with exception handling.
20818 -@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
20819 - CFI_RESTORE rbp
20820 - addq $7*8,%rsp
20821 - CFI_ADJUST_CFA_OFFSET -7*8
20822 -+ pax_force_retaddr
20823 - ret
20824 - CFI_RESTORE_STATE
20825 -
20826 -diff -urNp linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c
20827 ---- linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
20828 -+++ linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-10-06 09:37:08.000000000 -0400
20829 -@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
20830 - len -= 2;
20831 - }
20832 - }
20833 -- isum = csum_partial_copy_generic((__force const void *)src,
20834 -+
20835 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20836 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20837 -+ src += PAX_USER_SHADOW_BASE;
20838 -+#endif
20839 -+
20840 -+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
20841 - dst, len, isum, errp, NULL);
20842 - if (unlikely(*errp))
20843 - goto out_err;
20844 -@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
20845 - }
20846 -
20847 - *errp = 0;
20848 -- return csum_partial_copy_generic(src, (void __force *)dst,
20849 -+
20850 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20851 -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
20852 -+ dst += PAX_USER_SHADOW_BASE;
20853 -+#endif
20854 -+
20855 -+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
20856 - len, isum, NULL, errp);
20857 - }
20858 - EXPORT_SYMBOL(csum_partial_copy_to_user);
20859 -diff -urNp linux-2.6.32.46/arch/x86/lib/getuser.S linux-2.6.32.46/arch/x86/lib/getuser.S
20860 ---- linux-2.6.32.46/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
20861 -+++ linux-2.6.32.46/arch/x86/lib/getuser.S 2011-10-08 08:14:37.000000000 -0400
20862 -@@ -33,15 +33,38 @@
20863 - #include <asm/asm-offsets.h>
20864 - #include <asm/thread_info.h>
20865 - #include <asm/asm.h>
20866 -+#include <asm/segment.h>
20867 -+#include <asm/pgtable.h>
20868 -+#include <asm/alternative-asm.h>
20869 -+
20870 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20871 -+#define __copyuser_seg gs;
20872 -+#else
20873 -+#define __copyuser_seg
20874 -+#endif
20875 -
20876 - .text
20877 - ENTRY(__get_user_1)
20878 - CFI_STARTPROC
20879 -+
20880 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20881 - GET_THREAD_INFO(%_ASM_DX)
20882 - cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20883 - jae bad_get_user
20884 --1: movzb (%_ASM_AX),%edx
20885 -+
20886 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20887 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20888 -+ cmp %_ASM_DX,%_ASM_AX
20889 -+ jae 1234f
20890 -+ add %_ASM_DX,%_ASM_AX
20891 -+1234:
20892 -+#endif
20893 -+
20894 -+#endif
20895 -+
20896 -+1: __copyuser_seg movzb (%_ASM_AX),%edx
20897 - xor %eax,%eax
20898 -+ pax_force_retaddr
20899 - ret
20900 - CFI_ENDPROC
20901 - ENDPROC(__get_user_1)
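Review bot: in __get_user_1 the GET_THREAD_INFO / cmp TI_addr_limit / jae bad_get_user check is compiled out when both CONFIG_X86_32 and CONFIG_PAX_MEMORY_UDEREF are set, leaving the gs override from __copyuser_seg as the only bound on the load. Add a comment at the #if saying what enforces the limit in that configuration, and label the two nested #endif lines with their conditions; the unlabelled pair is easy to misread.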
20902 -@@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
20903 - ENTRY(__get_user_2)
20904 - CFI_STARTPROC
20905 - add $1,%_ASM_AX
20906 -+
20907 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20908 - jc bad_get_user
20909 - GET_THREAD_INFO(%_ASM_DX)
20910 - cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20911 - jae bad_get_user
20912 --2: movzwl -1(%_ASM_AX),%edx
20913 -+
20914 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20915 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20916 -+ cmp %_ASM_DX,%_ASM_AX
20917 -+ jae 1234f
20918 -+ add %_ASM_DX,%_ASM_AX
20919 -+1234:
20920 -+#endif
20921 -+
20922 -+#endif
20923 -+
20924 -+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
20925 - xor %eax,%eax
20926 -+ pax_force_retaddr
20927 - ret
20928 - CFI_ENDPROC
20929 - ENDPROC(__get_user_2)
20930 -@@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
20931 - ENTRY(__get_user_4)
20932 - CFI_STARTPROC
20933 - add $3,%_ASM_AX
20934 -+
20935 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20936 - jc bad_get_user
20937 - GET_THREAD_INFO(%_ASM_DX)
20938 - cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20939 - jae bad_get_user
20940 --3: mov -3(%_ASM_AX),%edx
20941 -+
20942 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20943 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20944 -+ cmp %_ASM_DX,%_ASM_AX
20945 -+ jae 1234f
20946 -+ add %_ASM_DX,%_ASM_AX
20947 -+1234:
20948 -+#endif
20949 -+
20950 -+#endif
20951 -+
20952 -+3: __copyuser_seg mov -3(%_ASM_AX),%edx
20953 - xor %eax,%eax
20954 -+ pax_force_retaddr
20955 - ret
20956 - CFI_ENDPROC
20957 - ENDPROC(__get_user_4)
20958 -@@ -80,8 +131,18 @@ ENTRY(__get_user_8)
20959 - GET_THREAD_INFO(%_ASM_DX)
20960 - cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20961 - jae bad_get_user
20962 -+
20963 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
20964 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20965 -+ cmp %_ASM_DX,%_ASM_AX
20966 -+ jae 1234f
20967 -+ add %_ASM_DX,%_ASM_AX
20968 -+1234:
20969 -+#endif
20970 -+
20971 - 4: movq -7(%_ASM_AX),%_ASM_DX
20972 - xor %eax,%eax
20973 -+ pax_force_retaddr
20974 - ret
20975 - CFI_ENDPROC
20976 - ENDPROC(__get_user_8)
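Review bot: this is the fourth open-coded copy of the mov $PAX_USER_SHADOW_BASE / cmp / jae 1234f / add sequence in getuser.S, and here it sits under a plain #ifdef CONFIG_PAX_MEMORY_UDEREF where __get_user_1, __get_user_2 and __get_user_4 test CONFIG_X86_64 as well. Fold the sequence into one assembler macro with a single guard so the four accessors cannot drift apart.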
20977 -@@ -91,6 +152,7 @@ bad_get_user:
20978 - CFI_STARTPROC
20979 - xor %edx,%edx
20980 - mov $(-EFAULT),%_ASM_AX
20981 -+ pax_force_retaddr
20982 - ret
20983 - CFI_ENDPROC
20984 - END(bad_get_user)
20985 -diff -urNp linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S
20986 ---- linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-03-27 14:31:47.000000000 -0400
20987 -+++ linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-10-06 09:37:14.000000000 -0400
20988 -@@ -17,6 +17,7 @@
20989 -
20990 - #include <linux/linkage.h>
20991 - #include <asm/dwarf2.h>
20992 -+#include <asm/alternative-asm.h>
20993 -
20994 - /*
20995 - * override generic version in lib/iomap_copy.c
20996 -@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
20997 - CFI_STARTPROC
20998 - movl %edx,%ecx
20999 - rep movsd
21000 -+ pax_force_retaddr
21001 - ret
21002 - CFI_ENDPROC
21003 - ENDPROC(__iowrite32_copy)
21004 -diff -urNp linux-2.6.32.46/arch/x86/lib/memcpy_64.S linux-2.6.32.46/arch/x86/lib/memcpy_64.S
21005 ---- linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
21006 -+++ linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-10-06 10:13:49.000000000 -0400
21007 -@@ -4,6 +4,7 @@
21008 -
21009 - #include <asm/cpufeature.h>
21010 - #include <asm/dwarf2.h>
21011 -+#include <asm/alternative-asm.h>
21012 -
21013 - /*
21014 - * memcpy - Copy a memory block.
21015 -@@ -34,6 +35,7 @@ memcpy_c:
21016 - rep movsq
21017 - movl %edx, %ecx
21018 - rep movsb
21019 -+ pax_force_retaddr
21020 - ret
21021 - CFI_ENDPROC
21022 - ENDPROC(memcpy_c)
21023 -@@ -118,6 +120,7 @@ ENTRY(memcpy)
21024 - jnz .Lloop_1
21025 -
21026 - .Lend:
21027 -+ pax_force_retaddr
21028 - ret
21029 - CFI_ENDPROC
21030 - ENDPROC(memcpy)
21031 -@@ -128,7 +131,7 @@ ENDPROC(__memcpy)
21032 - * It is also a lot simpler. Use this when possible:
21033 - */
21034 -
21035 -- .section .altinstr_replacement, "ax"
21036 -+ .section .altinstr_replacement, "a"
21037 - 1: .byte 0xeb /* jmp <disp8> */
21038 - .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
21039 - 2:
21040 -diff -urNp linux-2.6.32.46/arch/x86/lib/memset_64.S linux-2.6.32.46/arch/x86/lib/memset_64.S
21041 ---- linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
21042 -+++ linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-10-06 09:37:08.000000000 -0400
21043 -@@ -2,6 +2,7 @@
21044 -
21045 - #include <linux/linkage.h>
21046 - #include <asm/dwarf2.h>
21047 -+#include <asm/alternative-asm.h>
21048 -
21049 - /*
21050 - * ISO C memset - set a memory block to a byte value.
21051 -@@ -28,6 +29,7 @@ memset_c:
21052 - movl %r8d,%ecx
21053 - rep stosb
21054 - movq %r9,%rax
21055 -+ pax_force_retaddr
21056 - ret
21057 - CFI_ENDPROC
21058 - ENDPROC(memset_c)
21059 -@@ -96,6 +98,7 @@ ENTRY(__memset)
21060 -
21061 - .Lende:
21062 - movq %r10,%rax
21063 -+ pax_force_retaddr
21064 - ret
21065 -
21066 - CFI_RESTORE_STATE
21067 -@@ -118,7 +121,7 @@ ENDPROC(__memset)
21068 -
21069 - #include <asm/cpufeature.h>
21070 -
21071 -- .section .altinstr_replacement,"ax"
21072 -+ .section .altinstr_replacement,"a"
21073 - 1: .byte 0xeb /* jmp <disp8> */
21074 - .byte (memset_c - memset) - (2f - 1b) /* offset */
21075 - 2:
21076 -diff -urNp linux-2.6.32.46/arch/x86/lib/mmx_32.c linux-2.6.32.46/arch/x86/lib/mmx_32.c
21077 ---- linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-03-27 14:31:47.000000000 -0400
21078 -+++ linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-04-17 15:56:46.000000000 -0400
21079 -@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
21080 - {
21081 - void *p;
21082 - int i;
21083 -+ unsigned long cr0;
21084 -
21085 - if (unlikely(in_interrupt()))
21086 - return __memcpy(to, from, len);
21087 -@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
21088 - kernel_fpu_begin();
21089 -
21090 - __asm__ __volatile__ (
21091 -- "1: prefetch (%0)\n" /* This set is 28 bytes */
21092 -- " prefetch 64(%0)\n"
21093 -- " prefetch 128(%0)\n"
21094 -- " prefetch 192(%0)\n"
21095 -- " prefetch 256(%0)\n"
21096 -+ "1: prefetch (%1)\n" /* This set is 28 bytes */
21097 -+ " prefetch 64(%1)\n"
21098 -+ " prefetch 128(%1)\n"
21099 -+ " prefetch 192(%1)\n"
21100 -+ " prefetch 256(%1)\n"
21101 - "2: \n"
21102 - ".section .fixup, \"ax\"\n"
21103 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21104 -+ "3: \n"
21105 -+
21106 -+#ifdef CONFIG_PAX_KERNEXEC
21107 -+ " movl %%cr0, %0\n"
21108 -+ " movl %0, %%eax\n"
21109 -+ " andl $0xFFFEFFFF, %%eax\n"
21110 -+ " movl %%eax, %%cr0\n"
21111 -+#endif
21112 -+
21113 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21114 -+
21115 -+#ifdef CONFIG_PAX_KERNEXEC
21116 -+ " movl %0, %%cr0\n"
21117 -+#endif
21118 -+
21119 - " jmp 2b\n"
21120 - ".previous\n"
21121 - _ASM_EXTABLE(1b, 3b)
21122 -- : : "r" (from));
21123 -+ : "=&r" (cr0) : "r" (from) : "ax");
21124 -
21125 - for ( ; i > 5; i--) {
21126 - __asm__ __volatile__ (
21127 -- "1: prefetch 320(%0)\n"
21128 -- "2: movq (%0), %%mm0\n"
21129 -- " movq 8(%0), %%mm1\n"
21130 -- " movq 16(%0), %%mm2\n"
21131 -- " movq 24(%0), %%mm3\n"
21132 -- " movq %%mm0, (%1)\n"
21133 -- " movq %%mm1, 8(%1)\n"
21134 -- " movq %%mm2, 16(%1)\n"
21135 -- " movq %%mm3, 24(%1)\n"
21136 -- " movq 32(%0), %%mm0\n"
21137 -- " movq 40(%0), %%mm1\n"
21138 -- " movq 48(%0), %%mm2\n"
21139 -- " movq 56(%0), %%mm3\n"
21140 -- " movq %%mm0, 32(%1)\n"
21141 -- " movq %%mm1, 40(%1)\n"
21142 -- " movq %%mm2, 48(%1)\n"
21143 -- " movq %%mm3, 56(%1)\n"
21144 -+ "1: prefetch 320(%1)\n"
21145 -+ "2: movq (%1), %%mm0\n"
21146 -+ " movq 8(%1), %%mm1\n"
21147 -+ " movq 16(%1), %%mm2\n"
21148 -+ " movq 24(%1), %%mm3\n"
21149 -+ " movq %%mm0, (%2)\n"
21150 -+ " movq %%mm1, 8(%2)\n"
21151 -+ " movq %%mm2, 16(%2)\n"
21152 -+ " movq %%mm3, 24(%2)\n"
21153 -+ " movq 32(%1), %%mm0\n"
21154 -+ " movq 40(%1), %%mm1\n"
21155 -+ " movq 48(%1), %%mm2\n"
21156 -+ " movq 56(%1), %%mm3\n"
21157 -+ " movq %%mm0, 32(%2)\n"
21158 -+ " movq %%mm1, 40(%2)\n"
21159 -+ " movq %%mm2, 48(%2)\n"
21160 -+ " movq %%mm3, 56(%2)\n"
21161 - ".section .fixup, \"ax\"\n"
21162 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21163 -+ "3:\n"
21164 -+
21165 -+#ifdef CONFIG_PAX_KERNEXEC
21166 -+ " movl %%cr0, %0\n"
21167 -+ " movl %0, %%eax\n"
21168 -+ " andl $0xFFFEFFFF, %%eax\n"
21169 -+ " movl %%eax, %%cr0\n"
21170 -+#endif
21171 -+
21172 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21173 -+
21174 -+#ifdef CONFIG_PAX_KERNEXEC
21175 -+ " movl %0, %%cr0\n"
21176 -+#endif
21177 -+
21178 - " jmp 2b\n"
21179 - ".previous\n"
21180 - _ASM_EXTABLE(1b, 3b)
21181 -- : : "r" (from), "r" (to) : "memory");
21182 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21183 -
21184 - from += 64;
21185 - to += 64;
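Review bot: the fixup path masks CR0 with the bare constant 0xFFFEFFFF and hard-codes %%eax as scratch, covered by an "ax" clobber. Derive the mask from X86_CR0_WP (bit 16) so it is clear that write protection is being lifted around the movw $0x1AEB, 1b patch, and use a second "=&r" output instead of a fixed register. The renumbering of operands from %0 to %1/%2 that the new cr0 output forces is also easy to get wrong; named asm operands would avoid it.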
21186 -@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
21187 - static void fast_copy_page(void *to, void *from)
21188 - {
21189 - int i;
21190 -+ unsigned long cr0;
21191 -
21192 - kernel_fpu_begin();
21193 -
21194 -@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
21195 - * but that is for later. -AV
21196 - */
21197 - __asm__ __volatile__(
21198 -- "1: prefetch (%0)\n"
21199 -- " prefetch 64(%0)\n"
21200 -- " prefetch 128(%0)\n"
21201 -- " prefetch 192(%0)\n"
21202 -- " prefetch 256(%0)\n"
21203 -+ "1: prefetch (%1)\n"
21204 -+ " prefetch 64(%1)\n"
21205 -+ " prefetch 128(%1)\n"
21206 -+ " prefetch 192(%1)\n"
21207 -+ " prefetch 256(%1)\n"
21208 - "2: \n"
21209 - ".section .fixup, \"ax\"\n"
21210 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21211 -+ "3: \n"
21212 -+
21213 -+#ifdef CONFIG_PAX_KERNEXEC
21214 -+ " movl %%cr0, %0\n"
21215 -+ " movl %0, %%eax\n"
21216 -+ " andl $0xFFFEFFFF, %%eax\n"
21217 -+ " movl %%eax, %%cr0\n"
21218 -+#endif
21219 -+
21220 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21221 -+
21222 -+#ifdef CONFIG_PAX_KERNEXEC
21223 -+ " movl %0, %%cr0\n"
21224 -+#endif
21225 -+
21226 - " jmp 2b\n"
21227 - ".previous\n"
21228 -- _ASM_EXTABLE(1b, 3b) : : "r" (from));
21229 -+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21230 -
21231 - for (i = 0; i < (4096-320)/64; i++) {
21232 - __asm__ __volatile__ (
21233 -- "1: prefetch 320(%0)\n"
21234 -- "2: movq (%0), %%mm0\n"
21235 -- " movntq %%mm0, (%1)\n"
21236 -- " movq 8(%0), %%mm1\n"
21237 -- " movntq %%mm1, 8(%1)\n"
21238 -- " movq 16(%0), %%mm2\n"
21239 -- " movntq %%mm2, 16(%1)\n"
21240 -- " movq 24(%0), %%mm3\n"
21241 -- " movntq %%mm3, 24(%1)\n"
21242 -- " movq 32(%0), %%mm4\n"
21243 -- " movntq %%mm4, 32(%1)\n"
21244 -- " movq 40(%0), %%mm5\n"
21245 -- " movntq %%mm5, 40(%1)\n"
21246 -- " movq 48(%0), %%mm6\n"
21247 -- " movntq %%mm6, 48(%1)\n"
21248 -- " movq 56(%0), %%mm7\n"
21249 -- " movntq %%mm7, 56(%1)\n"
21250 -+ "1: prefetch 320(%1)\n"
21251 -+ "2: movq (%1), %%mm0\n"
21252 -+ " movntq %%mm0, (%2)\n"
21253 -+ " movq 8(%1), %%mm1\n"
21254 -+ " movntq %%mm1, 8(%2)\n"
21255 -+ " movq 16(%1), %%mm2\n"
21256 -+ " movntq %%mm2, 16(%2)\n"
21257 -+ " movq 24(%1), %%mm3\n"
21258 -+ " movntq %%mm3, 24(%2)\n"
21259 -+ " movq 32(%1), %%mm4\n"
21260 -+ " movntq %%mm4, 32(%2)\n"
21261 -+ " movq 40(%1), %%mm5\n"
21262 -+ " movntq %%mm5, 40(%2)\n"
21263 -+ " movq 48(%1), %%mm6\n"
21264 -+ " movntq %%mm6, 48(%2)\n"
21265 -+ " movq 56(%1), %%mm7\n"
21266 -+ " movntq %%mm7, 56(%2)\n"
21267 - ".section .fixup, \"ax\"\n"
21268 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21269 -+ "3:\n"
21270 -+
21271 -+#ifdef CONFIG_PAX_KERNEXEC
21272 -+ " movl %%cr0, %0\n"
21273 -+ " movl %0, %%eax\n"
21274 -+ " andl $0xFFFEFFFF, %%eax\n"
21275 -+ " movl %%eax, %%cr0\n"
21276 -+#endif
21277 -+
21278 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21279 -+
21280 -+#ifdef CONFIG_PAX_KERNEXEC
21281 -+ " movl %0, %%cr0\n"
21282 -+#endif
21283 -+
21284 - " jmp 2b\n"
21285 - ".previous\n"
21286 -- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
21287 -+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21288 -
21289 - from += 64;
21290 - to += 64;
21291 -@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
21292 - static void fast_copy_page(void *to, void *from)
21293 - {
21294 - int i;
21295 -+ unsigned long cr0;
21296 -
21297 - kernel_fpu_begin();
21298 -
21299 - __asm__ __volatile__ (
21300 -- "1: prefetch (%0)\n"
21301 -- " prefetch 64(%0)\n"
21302 -- " prefetch 128(%0)\n"
21303 -- " prefetch 192(%0)\n"
21304 -- " prefetch 256(%0)\n"
21305 -+ "1: prefetch (%1)\n"
21306 -+ " prefetch 64(%1)\n"
21307 -+ " prefetch 128(%1)\n"
21308 -+ " prefetch 192(%1)\n"
21309 -+ " prefetch 256(%1)\n"
21310 - "2: \n"
21311 - ".section .fixup, \"ax\"\n"
21312 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21313 -+ "3: \n"
21314 -+
21315 -+#ifdef CONFIG_PAX_KERNEXEC
21316 -+ " movl %%cr0, %0\n"
21317 -+ " movl %0, %%eax\n"
21318 -+ " andl $0xFFFEFFFF, %%eax\n"
21319 -+ " movl %%eax, %%cr0\n"
21320 -+#endif
21321 -+
21322 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21323 -+
21324 -+#ifdef CONFIG_PAX_KERNEXEC
21325 -+ " movl %0, %%cr0\n"
21326 -+#endif
21327 -+
21328 - " jmp 2b\n"
21329 - ".previous\n"
21330 -- _ASM_EXTABLE(1b, 3b) : : "r" (from));
21331 -+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21332 -
21333 - for (i = 0; i < 4096/64; i++) {
21334 - __asm__ __volatile__ (
21335 -- "1: prefetch 320(%0)\n"
21336 -- "2: movq (%0), %%mm0\n"
21337 -- " movq 8(%0), %%mm1\n"
21338 -- " movq 16(%0), %%mm2\n"
21339 -- " movq 24(%0), %%mm3\n"
21340 -- " movq %%mm0, (%1)\n"
21341 -- " movq %%mm1, 8(%1)\n"
21342 -- " movq %%mm2, 16(%1)\n"
21343 -- " movq %%mm3, 24(%1)\n"
21344 -- " movq 32(%0), %%mm0\n"
21345 -- " movq 40(%0), %%mm1\n"
21346 -- " movq 48(%0), %%mm2\n"
21347 -- " movq 56(%0), %%mm3\n"
21348 -- " movq %%mm0, 32(%1)\n"
21349 -- " movq %%mm1, 40(%1)\n"
21350 -- " movq %%mm2, 48(%1)\n"
21351 -- " movq %%mm3, 56(%1)\n"
21352 -+ "1: prefetch 320(%1)\n"
21353 -+ "2: movq (%1), %%mm0\n"
21354 -+ " movq 8(%1), %%mm1\n"
21355 -+ " movq 16(%1), %%mm2\n"
21356 -+ " movq 24(%1), %%mm3\n"
21357 -+ " movq %%mm0, (%2)\n"
21358 -+ " movq %%mm1, 8(%2)\n"
21359 -+ " movq %%mm2, 16(%2)\n"
21360 -+ " movq %%mm3, 24(%2)\n"
21361 -+ " movq 32(%1), %%mm0\n"
21362 -+ " movq 40(%1), %%mm1\n"
21363 -+ " movq 48(%1), %%mm2\n"
21364 -+ " movq 56(%1), %%mm3\n"
21365 -+ " movq %%mm0, 32(%2)\n"
21366 -+ " movq %%mm1, 40(%2)\n"
21367 -+ " movq %%mm2, 48(%2)\n"
21368 -+ " movq %%mm3, 56(%2)\n"
21369 - ".section .fixup, \"ax\"\n"
21370 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21371 -+ "3:\n"
21372 -+
21373 -+#ifdef CONFIG_PAX_KERNEXEC
21374 -+ " movl %%cr0, %0\n"
21375 -+ " movl %0, %%eax\n"
21376 -+ " andl $0xFFFEFFFF, %%eax\n"
21377 -+ " movl %%eax, %%cr0\n"
21378 -+#endif
21379 -+
21380 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21381 -+
21382 -+#ifdef CONFIG_PAX_KERNEXEC
21383 -+ " movl %0, %%cr0\n"
21384 -+#endif
21385 -+
21386 - " jmp 2b\n"
21387 - ".previous\n"
21388 - _ASM_EXTABLE(1b, 3b)
21389 -- : : "r" (from), "r" (to) : "memory");
21390 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21391 -
21392 - from += 64;
21393 - to += 64;
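Review bot: by the end of this hunk the CR0 save, mask, movw, restore block has been pasted six times across _mmx_memcpy and the two fast_copy_page variants, differing only in the patched opcode (0x1AEB or 0x05EB). Factor it into one macro that takes the opcode as its argument, and add a comment there noting that write protection is off between the two movl writes to %%cr0.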
21394 -diff -urNp linux-2.6.32.46/arch/x86/lib/msr-reg.S linux-2.6.32.46/arch/x86/lib/msr-reg.S
21395 ---- linux-2.6.32.46/arch/x86/lib/msr-reg.S 2011-03-27 14:31:47.000000000 -0400
21396 -+++ linux-2.6.32.46/arch/x86/lib/msr-reg.S 2011-10-08 08:14:40.000000000 -0400
21397 -@@ -3,6 +3,7 @@
21398 - #include <asm/dwarf2.h>
21399 - #include <asm/asm.h>
21400 - #include <asm/msr.h>
21401 -+#include <asm/alternative-asm.h>
21402 -
21403 - #ifdef CONFIG_X86_64
21404 - /*
21405 -@@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
21406 - movl %edi, 28(%r10)
21407 - popq_cfi %rbp
21408 - popq_cfi %rbx
21409 -+ pax_force_retaddr
21410 - ret
21411 - 3:
21412 - CFI_RESTORE_STATE
21413 -diff -urNp linux-2.6.32.46/arch/x86/lib/putuser.S linux-2.6.32.46/arch/x86/lib/putuser.S
21414 ---- linux-2.6.32.46/arch/x86/lib/putuser.S 2011-03-27 14:31:47.000000000 -0400
21415 -+++ linux-2.6.32.46/arch/x86/lib/putuser.S 2011-10-08 08:14:40.000000000 -0400
21416 -@@ -15,7 +15,9 @@
21417 - #include <asm/thread_info.h>
21418 - #include <asm/errno.h>
21419 - #include <asm/asm.h>
21420 --
21421 -+#include <asm/segment.h>
21422 -+#include <asm/pgtable.h>
21423 -+#include <asm/alternative-asm.h>
21424 -
21425 - /*
21426 - * __put_user_X
21427 -@@ -29,52 +31,119 @@
21428 - * as they get called from within inline assembly.
21429 - */
21430 -
21431 --#define ENTER CFI_STARTPROC ; \
21432 -- GET_THREAD_INFO(%_ASM_BX)
21433 --#define EXIT ret ; \
21434 -+#define ENTER CFI_STARTPROC
21435 -+#define EXIT pax_force_retaddr; ret ; \
21436 - CFI_ENDPROC
21437 -
21438 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21439 -+#define _DEST %_ASM_CX,%_ASM_BX
21440 -+#else
21441 -+#define _DEST %_ASM_CX
21442 -+#endif
21443 -+
21444 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
21445 -+#define __copyuser_seg gs;
21446 -+#else
21447 -+#define __copyuser_seg
21448 -+#endif
21449 -+
21450 - .text
21451 - ENTRY(__put_user_1)
21452 - ENTER
21453 -+
21454 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21455 -+ GET_THREAD_INFO(%_ASM_BX)
21456 - cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
21457 - jae bad_put_user
21458 --1: movb %al,(%_ASM_CX)
21459 -+
21460 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21461 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21462 -+ cmp %_ASM_BX,%_ASM_CX
21463 -+ jb 1234f
21464 -+ xor %ebx,%ebx
21465 -+1234:
21466 -+#endif
21467 -+
21468 -+#endif
21469 -+
21470 -+1: __copyuser_seg movb %al,(_DEST)
21471 - xor %eax,%eax
21472 - EXIT
21473 - ENDPROC(__put_user_1)
21474 -
21475 - ENTRY(__put_user_2)
21476 - ENTER
21477 -+
21478 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21479 -+ GET_THREAD_INFO(%_ASM_BX)
21480 - mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21481 - sub $1,%_ASM_BX
21482 - cmp %_ASM_BX,%_ASM_CX
21483 - jae bad_put_user
21484 --2: movw %ax,(%_ASM_CX)
21485 -+
21486 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21487 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21488 -+ cmp %_ASM_BX,%_ASM_CX
21489 -+ jb 1234f
21490 -+ xor %ebx,%ebx
21491 -+1234:
21492 -+#endif
21493 -+
21494 -+#endif
21495 -+
21496 -+2: __copyuser_seg movw %ax,(_DEST)
21497 - xor %eax,%eax
21498 - EXIT
21499 - ENDPROC(__put_user_2)
21500 -
21501 - ENTRY(__put_user_4)
21502 - ENTER
21503 -+
21504 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21505 -+ GET_THREAD_INFO(%_ASM_BX)
21506 - mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21507 - sub $3,%_ASM_BX
21508 - cmp %_ASM_BX,%_ASM_CX
21509 - jae bad_put_user
21510 --3: movl %eax,(%_ASM_CX)
21511 -+
21512 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21513 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21514 -+ cmp %_ASM_BX,%_ASM_CX
21515 -+ jb 1234f
21516 -+ xor %ebx,%ebx
21517 -+1234:
21518 -+#endif
21519 -+
21520 -+#endif
21521 -+
21522 -+3: __copyuser_seg movl %eax,(_DEST)
21523 - xor %eax,%eax
21524 - EXIT
21525 - ENDPROC(__put_user_4)
21526 -
21527 - ENTRY(__put_user_8)
21528 - ENTER
21529 -+
21530 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21531 -+ GET_THREAD_INFO(%_ASM_BX)
21532 - mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21533 - sub $7,%_ASM_BX
21534 - cmp %_ASM_BX,%_ASM_CX
21535 - jae bad_put_user
21536 --4: mov %_ASM_AX,(%_ASM_CX)
21537 -+
21538 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21539 -+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21540 -+ cmp %_ASM_BX,%_ASM_CX
21541 -+ jb 1234f
21542 -+ xor %ebx,%ebx
21543 -+1234:
21544 -+#endif
21545 -+
21546 -+#endif
21547 -+
21548 -+4: __copyuser_seg mov %_ASM_AX,(_DEST)
21549 - #ifdef CONFIG_X86_32
21550 --5: movl %edx,4(%_ASM_CX)
21551 -+5: __copyuser_seg movl %edx,4(_DEST)
21552 - #endif
21553 - xor %eax,%eax
21554 - EXIT
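Review bot: the x86_64 UDEREF sequence (mov $PAX_USER_SHADOW_BASE,%_ASM_BX / cmp %_ASM_BX,%_ASM_CX / jb 1234f / xor %ebx,%ebx / 1234:) is pasted unchanged into __put_user_1, _2, _4 and _8. It would be easier to audit as one assembler macro, with a comment stating that %_ASM_BX is reused as the index register of _DEST (%_ASM_CX,%_ASM_BX): it holds the shadow base for addresses below it and zero otherwise. The outer #if also compiles out the TI_addr_limit compare entirely on 32-bit UDEREF, so the store is bounded only by the gs prefix from __copyuser_seg. That dependency deserves a comment next to ENTER, because nothing in the function body shows it.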
21555 -diff -urNp linux-2.6.32.46/arch/x86/lib/rwlock_64.S linux-2.6.32.46/arch/x86/lib/rwlock_64.S
21556 ---- linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-03-27 14:31:47.000000000 -0400
21557 -+++ linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-10-06 09:37:14.000000000 -0400
21558 -@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
21559 - LOCK_PREFIX
21560 - subl $RW_LOCK_BIAS,(%rdi)
21561 - jnz __write_lock_failed
21562 -+ pax_force_retaddr
21563 - ret
21564 - CFI_ENDPROC
21565 - END(__write_lock_failed)
21566 -@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
21567 - LOCK_PREFIX
21568 - decl (%rdi)
21569 - js __read_lock_failed
21570 -+ pax_force_retaddr
21571 - ret
21572 - CFI_ENDPROC
21573 - END(__read_lock_failed)
21574 -diff -urNp linux-2.6.32.46/arch/x86/lib/rwsem_64.S linux-2.6.32.46/arch/x86/lib/rwsem_64.S
21575 ---- linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
21576 -+++ linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-10-06 09:37:14.000000000 -0400
21577 -@@ -48,6 +48,7 @@ ENTRY(call_rwsem_down_read_failed)
21578 - call rwsem_down_read_failed
21579 - popq %rdx
21580 - restore_common_regs
21581 -+ pax_force_retaddr
21582 - ret
21583 - ENDPROC(call_rwsem_down_read_failed)
21584 -
21585 -@@ -56,6 +57,7 @@ ENTRY(call_rwsem_down_write_failed)
21586 - movq %rax,%rdi
21587 - call rwsem_down_write_failed
21588 - restore_common_regs
21589 -+ pax_force_retaddr
21590 - ret
21591 - ENDPROC(call_rwsem_down_write_failed)
21592 -
21593 -@@ -66,7 +68,8 @@ ENTRY(call_rwsem_wake)
21594 - movq %rax,%rdi
21595 - call rwsem_wake
21596 - restore_common_regs
21597 --1: ret
21598 -+1: pax_force_retaddr
21599 -+ ret
21600 - ENDPROC(call_rwsem_wake)
21601 -
21602 - /* Fix up special calling conventions */
21603 -@@ -77,5 +80,6 @@ ENTRY(call_rwsem_downgrade_wake)
21604 - call rwsem_downgrade_wake
21605 - popq %rdx
21606 - restore_common_regs
21607 -+ pax_force_retaddr
21608 - ret
21609 - ENDPROC(call_rwsem_downgrade_wake)
21610 -diff -urNp linux-2.6.32.46/arch/x86/lib/thunk_64.S linux-2.6.32.46/arch/x86/lib/thunk_64.S
21611 ---- linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-03-27 14:31:47.000000000 -0400
21612 -+++ linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-10-06 09:37:14.000000000 -0400
21613 -@@ -10,7 +10,8 @@
21614 - #include <asm/dwarf2.h>
21615 - #include <asm/calling.h>
21616 - #include <asm/rwlock.h>
21617 --
21618 -+ #include <asm/alternative-asm.h>
21619 -+
21620 - /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
21621 - .macro thunk name,func
21622 - .globl \name
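Review bot: style, the added #include <asm/alternative-asm.h> is indented, unlike the three includes directly above it and unlike the same include added in msr-reg.S and putuser.S. The hunk also removes one blank line and adds another, which is pure churn. Put the include in column 0 and leave the existing blank line alone.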
21623 -@@ -70,6 +71,7 @@
21624 - SAVE_ARGS
21625 - restore:
21626 - RESTORE_ARGS
21627 -+ pax_force_retaddr
21628 - ret
21629 - CFI_ENDPROC
21630 -
21631 -@@ -77,5 +79,6 @@ restore:
21632 - SAVE_ARGS
21633 - restore_norax:
21634 - RESTORE_ARGS 1
21635 -+ pax_force_retaddr
21636 - ret
21637 - CFI_ENDPROC
21638 -diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_32.c linux-2.6.32.46/arch/x86/lib/usercopy_32.c
21639 ---- linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
21640 -+++ linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
21641 -@@ -43,7 +43,7 @@ do { \
21642 - __asm__ __volatile__( \
21643 - " testl %1,%1\n" \
21644 - " jz 2f\n" \
21645 -- "0: lodsb\n" \
21646 -+ "0: "__copyuser_seg"lodsb\n" \
21647 - " stosb\n" \
21648 - " testb %%al,%%al\n" \
21649 - " jz 1f\n" \
21650 -@@ -128,10 +128,12 @@ do { \
21651 - int __d0; \
21652 - might_fault(); \
21653 - __asm__ __volatile__( \
21654 -+ __COPYUSER_SET_ES \
21655 - "0: rep; stosl\n" \
21656 - " movl %2,%0\n" \
21657 - "1: rep; stosb\n" \
21658 - "2:\n" \
21659 -+ __COPYUSER_RESTORE_ES \
21660 - ".section .fixup,\"ax\"\n" \
21661 - "3: lea 0(%2,%0,4),%0\n" \
21662 - " jmp 2b\n" \
21663 -@@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
21664 - might_fault();
21665 -
21666 - __asm__ __volatile__(
21667 -+ __COPYUSER_SET_ES
21668 - " testl %0, %0\n"
21669 - " jz 3f\n"
21670 - " andl %0,%%ecx\n"
21671 -@@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
21672 - " subl %%ecx,%0\n"
21673 - " addl %0,%%eax\n"
21674 - "1:\n"
21675 -+ __COPYUSER_RESTORE_ES
21676 - ".section .fixup,\"ax\"\n"
21677 - "2: xorl %%eax,%%eax\n"
21678 - " jmp 1b\n"
21679 -@@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
21680 -
21681 - #ifdef CONFIG_X86_INTEL_USERCOPY
21682 - static unsigned long
21683 --__copy_user_intel(void __user *to, const void *from, unsigned long size)
21684 -+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
21685 - {
21686 - int d0, d1;
21687 - __asm__ __volatile__(
21688 -@@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
21689 - " .align 2,0x90\n"
21690 - "3: movl 0(%4), %%eax\n"
21691 - "4: movl 4(%4), %%edx\n"
21692 -- "5: movl %%eax, 0(%3)\n"
21693 -- "6: movl %%edx, 4(%3)\n"
21694 -+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
21695 -+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
21696 - "7: movl 8(%4), %%eax\n"
21697 - "8: movl 12(%4),%%edx\n"
21698 -- "9: movl %%eax, 8(%3)\n"
21699 -- "10: movl %%edx, 12(%3)\n"
21700 -+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
21701 -+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
21702 - "11: movl 16(%4), %%eax\n"
21703 - "12: movl 20(%4), %%edx\n"
21704 -- "13: movl %%eax, 16(%3)\n"
21705 -- "14: movl %%edx, 20(%3)\n"
21706 -+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
21707 -+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
21708 - "15: movl 24(%4), %%eax\n"
21709 - "16: movl 28(%4), %%edx\n"
21710 -- "17: movl %%eax, 24(%3)\n"
21711 -- "18: movl %%edx, 28(%3)\n"
21712 -+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
21713 -+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
21714 - "19: movl 32(%4), %%eax\n"
21715 - "20: movl 36(%4), %%edx\n"
21716 -- "21: movl %%eax, 32(%3)\n"
21717 -- "22: movl %%edx, 36(%3)\n"
21718 -+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
21719 -+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
21720 - "23: movl 40(%4), %%eax\n"
21721 - "24: movl 44(%4), %%edx\n"
21722 -- "25: movl %%eax, 40(%3)\n"
21723 -- "26: movl %%edx, 44(%3)\n"
21724 -+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
21725 -+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
21726 - "27: movl 48(%4), %%eax\n"
21727 - "28: movl 52(%4), %%edx\n"
21728 -- "29: movl %%eax, 48(%3)\n"
21729 -- "30: movl %%edx, 52(%3)\n"
21730 -+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
21731 -+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
21732 - "31: movl 56(%4), %%eax\n"
21733 - "32: movl 60(%4), %%edx\n"
21734 -- "33: movl %%eax, 56(%3)\n"
21735 -- "34: movl %%edx, 60(%3)\n"
21736 -+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
21737 -+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
21738 - " addl $-64, %0\n"
21739 - " addl $64, %4\n"
21740 - " addl $64, %3\n"
21741 -@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
21742 - " shrl $2, %0\n"
21743 - " andl $3, %%eax\n"
21744 - " cld\n"
21745 -+ __COPYUSER_SET_ES
21746 - "99: rep; movsl\n"
21747 - "36: movl %%eax, %0\n"
21748 - "37: rep; movsb\n"
21749 - "100:\n"
21750 -+ __COPYUSER_RESTORE_ES
21751 -+ ".section .fixup,\"ax\"\n"
21752 -+ "101: lea 0(%%eax,%0,4),%0\n"
21753 -+ " jmp 100b\n"
21754 -+ ".previous\n"
21755 -+ ".section __ex_table,\"a\"\n"
21756 -+ " .align 4\n"
21757 -+ " .long 1b,100b\n"
21758 -+ " .long 2b,100b\n"
21759 -+ " .long 3b,100b\n"
21760 -+ " .long 4b,100b\n"
21761 -+ " .long 5b,100b\n"
21762 -+ " .long 6b,100b\n"
21763 -+ " .long 7b,100b\n"
21764 -+ " .long 8b,100b\n"
21765 -+ " .long 9b,100b\n"
21766 -+ " .long 10b,100b\n"
21767 -+ " .long 11b,100b\n"
21768 -+ " .long 12b,100b\n"
21769 -+ " .long 13b,100b\n"
21770 -+ " .long 14b,100b\n"
21771 -+ " .long 15b,100b\n"
21772 -+ " .long 16b,100b\n"
21773 -+ " .long 17b,100b\n"
21774 -+ " .long 18b,100b\n"
21775 -+ " .long 19b,100b\n"
21776 -+ " .long 20b,100b\n"
21777 -+ " .long 21b,100b\n"
21778 -+ " .long 22b,100b\n"
21779 -+ " .long 23b,100b\n"
21780 -+ " .long 24b,100b\n"
21781 -+ " .long 25b,100b\n"
21782 -+ " .long 26b,100b\n"
21783 -+ " .long 27b,100b\n"
21784 -+ " .long 28b,100b\n"
21785 -+ " .long 29b,100b\n"
21786 -+ " .long 30b,100b\n"
21787 -+ " .long 31b,100b\n"
21788 -+ " .long 32b,100b\n"
21789 -+ " .long 33b,100b\n"
21790 -+ " .long 34b,100b\n"
21791 -+ " .long 35b,100b\n"
21792 -+ " .long 36b,100b\n"
21793 -+ " .long 37b,100b\n"
21794 -+ " .long 99b,101b\n"
21795 -+ ".previous"
21796 -+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
21797 -+ : "1"(to), "2"(from), "0"(size)
21798 -+ : "eax", "edx", "memory");
21799 -+ return size;
21800 -+}
21801 -+
21802 -+static unsigned long
21803 -+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
21804 -+{
21805 -+ int d0, d1;
21806 -+ __asm__ __volatile__(
21807 -+ " .align 2,0x90\n"
21808 -+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
21809 -+ " cmpl $67, %0\n"
21810 -+ " jbe 3f\n"
21811 -+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
21812 -+ " .align 2,0x90\n"
21813 -+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
21814 -+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
21815 -+ "5: movl %%eax, 0(%3)\n"
21816 -+ "6: movl %%edx, 4(%3)\n"
21817 -+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
21818 -+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
21819 -+ "9: movl %%eax, 8(%3)\n"
21820 -+ "10: movl %%edx, 12(%3)\n"
21821 -+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
21822 -+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
21823 -+ "13: movl %%eax, 16(%3)\n"
21824 -+ "14: movl %%edx, 20(%3)\n"
21825 -+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
21826 -+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
21827 -+ "17: movl %%eax, 24(%3)\n"
21828 -+ "18: movl %%edx, 28(%3)\n"
21829 -+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
21830 -+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
21831 -+ "21: movl %%eax, 32(%3)\n"
21832 -+ "22: movl %%edx, 36(%3)\n"
21833 -+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
21834 -+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
21835 -+ "25: movl %%eax, 40(%3)\n"
21836 -+ "26: movl %%edx, 44(%3)\n"
21837 -+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
21838 -+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
21839 -+ "29: movl %%eax, 48(%3)\n"
21840 -+ "30: movl %%edx, 52(%3)\n"
21841 -+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
21842 -+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
21843 -+ "33: movl %%eax, 56(%3)\n"
21844 -+ "34: movl %%edx, 60(%3)\n"
21845 -+ " addl $-64, %0\n"
21846 -+ " addl $64, %4\n"
21847 -+ " addl $64, %3\n"
21848 -+ " cmpl $63, %0\n"
21849 -+ " ja 1b\n"
21850 -+ "35: movl %0, %%eax\n"
21851 -+ " shrl $2, %0\n"
21852 -+ " andl $3, %%eax\n"
21853 -+ " cld\n"
21854 -+ "99: rep; "__copyuser_seg" movsl\n"
21855 -+ "36: movl %%eax, %0\n"
21856 -+ "37: rep; "__copyuser_seg" movsb\n"
21857 -+ "100:\n"
21858 - ".section .fixup,\"ax\"\n"
21859 - "101: lea 0(%%eax,%0,4),%0\n"
21860 - " jmp 100b\n"
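Review bot: in __generic_copy_to_user_intel, __COPYUSER_SET_ES is placed after cld, just before label 99, but the new __ex_table entries for the unrolled loop (3b through 34b) all resume at 100b, and label 100 falls straight into __COPYUSER_RESTORE_ES. A fault in the unrolled stores therefore runs the restore without the set ever having run. If the restore is an unconditional reload that is harmless; if it undoes something the set saved, it is not. The macro definitions are not in this hunk, so please state in a comment at label 100 that running the restore alone is safe. Separately, __generic_copy_from_user_intel repeats the whole 64-byte unrolled body with the prefix moved from the stores to the loads; a note explaining why the two could not share one body would help the next reader.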
21861 -@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
21862 - int d0, d1;
21863 - __asm__ __volatile__(
21864 - " .align 2,0x90\n"
21865 -- "0: movl 32(%4), %%eax\n"
21866 -+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21867 - " cmpl $67, %0\n"
21868 - " jbe 2f\n"
21869 -- "1: movl 64(%4), %%eax\n"
21870 -+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21871 - " .align 2,0x90\n"
21872 -- "2: movl 0(%4), %%eax\n"
21873 -- "21: movl 4(%4), %%edx\n"
21874 -+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21875 -+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21876 - " movl %%eax, 0(%3)\n"
21877 - " movl %%edx, 4(%3)\n"
21878 -- "3: movl 8(%4), %%eax\n"
21879 -- "31: movl 12(%4),%%edx\n"
21880 -+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21881 -+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21882 - " movl %%eax, 8(%3)\n"
21883 - " movl %%edx, 12(%3)\n"
21884 -- "4: movl 16(%4), %%eax\n"
21885 -- "41: movl 20(%4), %%edx\n"
21886 -+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21887 -+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21888 - " movl %%eax, 16(%3)\n"
21889 - " movl %%edx, 20(%3)\n"
21890 -- "10: movl 24(%4), %%eax\n"
21891 -- "51: movl 28(%4), %%edx\n"
21892 -+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21893 -+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21894 - " movl %%eax, 24(%3)\n"
21895 - " movl %%edx, 28(%3)\n"
21896 -- "11: movl 32(%4), %%eax\n"
21897 -- "61: movl 36(%4), %%edx\n"
21898 -+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21899 -+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21900 - " movl %%eax, 32(%3)\n"
21901 - " movl %%edx, 36(%3)\n"
21902 -- "12: movl 40(%4), %%eax\n"
21903 -- "71: movl 44(%4), %%edx\n"
21904 -+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21905 -+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21906 - " movl %%eax, 40(%3)\n"
21907 - " movl %%edx, 44(%3)\n"
21908 -- "13: movl 48(%4), %%eax\n"
21909 -- "81: movl 52(%4), %%edx\n"
21910 -+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21911 -+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21912 - " movl %%eax, 48(%3)\n"
21913 - " movl %%edx, 52(%3)\n"
21914 -- "14: movl 56(%4), %%eax\n"
21915 -- "91: movl 60(%4), %%edx\n"
21916 -+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21917 -+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21918 - " movl %%eax, 56(%3)\n"
21919 - " movl %%edx, 60(%3)\n"
21920 - " addl $-64, %0\n"
21921 -@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
21922 - " shrl $2, %0\n"
21923 - " andl $3, %%eax\n"
21924 - " cld\n"
21925 -- "6: rep; movsl\n"
21926 -+ "6: rep; "__copyuser_seg" movsl\n"
21927 - " movl %%eax,%0\n"
21928 -- "7: rep; movsb\n"
21929 -+ "7: rep; "__copyuser_seg" movsb\n"
21930 - "8:\n"
21931 - ".section .fixup,\"ax\"\n"
21932 - "9: lea 0(%%eax,%0,4),%0\n"
21933 -@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
21934 -
21935 - __asm__ __volatile__(
21936 - " .align 2,0x90\n"
21937 -- "0: movl 32(%4), %%eax\n"
21938 -+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21939 - " cmpl $67, %0\n"
21940 - " jbe 2f\n"
21941 -- "1: movl 64(%4), %%eax\n"
21942 -+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21943 - " .align 2,0x90\n"
21944 -- "2: movl 0(%4), %%eax\n"
21945 -- "21: movl 4(%4), %%edx\n"
21946 -+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21947 -+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21948 - " movnti %%eax, 0(%3)\n"
21949 - " movnti %%edx, 4(%3)\n"
21950 -- "3: movl 8(%4), %%eax\n"
21951 -- "31: movl 12(%4),%%edx\n"
21952 -+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21953 -+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21954 - " movnti %%eax, 8(%3)\n"
21955 - " movnti %%edx, 12(%3)\n"
21956 -- "4: movl 16(%4), %%eax\n"
21957 -- "41: movl 20(%4), %%edx\n"
21958 -+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21959 -+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21960 - " movnti %%eax, 16(%3)\n"
21961 - " movnti %%edx, 20(%3)\n"
21962 -- "10: movl 24(%4), %%eax\n"
21963 -- "51: movl 28(%4), %%edx\n"
21964 -+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21965 -+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21966 - " movnti %%eax, 24(%3)\n"
21967 - " movnti %%edx, 28(%3)\n"
21968 -- "11: movl 32(%4), %%eax\n"
21969 -- "61: movl 36(%4), %%edx\n"
21970 -+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21971 -+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21972 - " movnti %%eax, 32(%3)\n"
21973 - " movnti %%edx, 36(%3)\n"
21974 -- "12: movl 40(%4), %%eax\n"
21975 -- "71: movl 44(%4), %%edx\n"
21976 -+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21977 -+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21978 - " movnti %%eax, 40(%3)\n"
21979 - " movnti %%edx, 44(%3)\n"
21980 -- "13: movl 48(%4), %%eax\n"
21981 -- "81: movl 52(%4), %%edx\n"
21982 -+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21983 -+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21984 - " movnti %%eax, 48(%3)\n"
21985 - " movnti %%edx, 52(%3)\n"
21986 -- "14: movl 56(%4), %%eax\n"
21987 -- "91: movl 60(%4), %%edx\n"
21988 -+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21989 -+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21990 - " movnti %%eax, 56(%3)\n"
21991 - " movnti %%edx, 60(%3)\n"
21992 - " addl $-64, %0\n"
21993 -@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
21994 - " shrl $2, %0\n"
21995 - " andl $3, %%eax\n"
21996 - " cld\n"
21997 -- "6: rep; movsl\n"
21998 -+ "6: rep; "__copyuser_seg" movsl\n"
21999 - " movl %%eax,%0\n"
22000 -- "7: rep; movsb\n"
22001 -+ "7: rep; "__copyuser_seg" movsb\n"
22002 - "8:\n"
22003 - ".section .fixup,\"ax\"\n"
22004 - "9: lea 0(%%eax,%0,4),%0\n"
22005 -@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
22006 -
22007 - __asm__ __volatile__(
22008 - " .align 2,0x90\n"
22009 -- "0: movl 32(%4), %%eax\n"
22010 -+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
22011 - " cmpl $67, %0\n"
22012 - " jbe 2f\n"
22013 -- "1: movl 64(%4), %%eax\n"
22014 -+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
22015 - " .align 2,0x90\n"
22016 -- "2: movl 0(%4), %%eax\n"
22017 -- "21: movl 4(%4), %%edx\n"
22018 -+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
22019 -+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
22020 - " movnti %%eax, 0(%3)\n"
22021 - " movnti %%edx, 4(%3)\n"
22022 -- "3: movl 8(%4), %%eax\n"
22023 -- "31: movl 12(%4),%%edx\n"
22024 -+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
22025 -+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
22026 - " movnti %%eax, 8(%3)\n"
22027 - " movnti %%edx, 12(%3)\n"
22028 -- "4: movl 16(%4), %%eax\n"
22029 -- "41: movl 20(%4), %%edx\n"
22030 -+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
22031 -+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
22032 - " movnti %%eax, 16(%3)\n"
22033 - " movnti %%edx, 20(%3)\n"
22034 -- "10: movl 24(%4), %%eax\n"
22035 -- "51: movl 28(%4), %%edx\n"
22036 -+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
22037 -+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
22038 - " movnti %%eax, 24(%3)\n"
22039 - " movnti %%edx, 28(%3)\n"
22040 -- "11: movl 32(%4), %%eax\n"
22041 -- "61: movl 36(%4), %%edx\n"
22042 -+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
22043 -+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
22044 - " movnti %%eax, 32(%3)\n"
22045 - " movnti %%edx, 36(%3)\n"
22046 -- "12: movl 40(%4), %%eax\n"
22047 -- "71: movl 44(%4), %%edx\n"
22048 -+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
22049 -+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
22050 - " movnti %%eax, 40(%3)\n"
22051 - " movnti %%edx, 44(%3)\n"
22052 -- "13: movl 48(%4), %%eax\n"
22053 -- "81: movl 52(%4), %%edx\n"
22054 -+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
22055 -+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
22056 - " movnti %%eax, 48(%3)\n"
22057 - " movnti %%edx, 52(%3)\n"
22058 -- "14: movl 56(%4), %%eax\n"
22059 -- "91: movl 60(%4), %%edx\n"
22060 -+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
22061 -+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
22062 - " movnti %%eax, 56(%3)\n"
22063 - " movnti %%edx, 60(%3)\n"
22064 - " addl $-64, %0\n"
22065 -@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
22066 - " shrl $2, %0\n"
22067 - " andl $3, %%eax\n"
22068 - " cld\n"
22069 -- "6: rep; movsl\n"
22070 -+ "6: rep; "__copyuser_seg" movsl\n"
22071 - " movl %%eax,%0\n"
22072 -- "7: rep; movsb\n"
22073 -+ "7: rep; "__copyuser_seg" movsb\n"
22074 - "8:\n"
22075 - ".section .fixup,\"ax\"\n"
22076 - "9: lea 0(%%eax,%0,4),%0\n"
22077 -@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
22078 - */
22079 - unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
22080 - unsigned long size);
22081 --unsigned long __copy_user_intel(void __user *to, const void *from,
22082 -+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
22083 -+ unsigned long size);
22084 -+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
22085 - unsigned long size);
22086 - unsigned long __copy_user_zeroing_intel_nocache(void *to,
22087 - const void __user *from, unsigned long size);
22088 - #endif /* CONFIG_X86_INTEL_USERCOPY */
22089 -
22090 - /* Generic arbitrary sized copy. */
22091 --#define __copy_user(to, from, size) \
22092 -+#define __copy_user(to, from, size, prefix, set, restore) \
22093 - do { \
22094 - int __d0, __d1, __d2; \
22095 - __asm__ __volatile__( \
22096 -+ set \
22097 - " cmp $7,%0\n" \
22098 - " jbe 1f\n" \
22099 - " movl %1,%0\n" \
22100 - " negl %0\n" \
22101 - " andl $7,%0\n" \
22102 - " subl %0,%3\n" \
22103 -- "4: rep; movsb\n" \
22104 -+ "4: rep; "prefix"movsb\n" \
22105 - " movl %3,%0\n" \
22106 - " shrl $2,%0\n" \
22107 - " andl $3,%3\n" \
22108 - " .align 2,0x90\n" \
22109 -- "0: rep; movsl\n" \
22110 -+ "0: rep; "prefix"movsl\n" \
22111 - " movl %3,%0\n" \
22112 -- "1: rep; movsb\n" \
22113 -+ "1: rep; "prefix"movsb\n" \
22114 - "2:\n" \
22115 -+ restore \
22116 - ".section .fixup,\"ax\"\n" \
22117 - "5: addl %3,%0\n" \
22118 - " jmp 2b\n" \
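Review bot: __copy_user grows from three to six parameters (prefix, set, restore) and the only comment is still "Generic arbitrary sized copy." Document that prefix is a segment override pasted in front of movsb/movsl, that set and restore bracket the copy, and that a caller passes either the prefix or the set/restore pair, as the call sites in this file do. Note also that prefix is concatenated directly against the mnemonic ("rep; "prefix"movsb), so its value has to carry its own separator, while the unrolled Intel routines write "__copyuser_seg" movsl with a space. Pick one convention.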
22119 -@@ -682,14 +799,14 @@ do { \
22120 - " negl %0\n" \
22121 - " andl $7,%0\n" \
22122 - " subl %0,%3\n" \
22123 -- "4: rep; movsb\n" \
22124 -+ "4: rep; "__copyuser_seg"movsb\n" \
22125 - " movl %3,%0\n" \
22126 - " shrl $2,%0\n" \
22127 - " andl $3,%3\n" \
22128 - " .align 2,0x90\n" \
22129 -- "0: rep; movsl\n" \
22130 -+ "0: rep; "__copyuser_seg"movsl\n" \
22131 - " movl %3,%0\n" \
22132 -- "1: rep; movsb\n" \
22133 -+ "1: rep; "__copyuser_seg"movsb\n" \
22134 - "2:\n" \
22135 - ".section .fixup,\"ax\"\n" \
22136 - "5: addl %3,%0\n" \
22137 -@@ -775,9 +892,9 @@ survive:
22138 - }
22139 - #endif
22140 - if (movsl_is_ok(to, from, n))
22141 -- __copy_user(to, from, n);
22142 -+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
22143 - else
22144 -- n = __copy_user_intel(to, from, n);
22145 -+ n = __generic_copy_to_user_intel(to, from, n);
22146 - return n;
22147 - }
22148 - EXPORT_SYMBOL(__copy_to_user_ll);
22149 -@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
22150 - unsigned long n)
22151 - {
22152 - if (movsl_is_ok(to, from, n))
22153 -- __copy_user(to, from, n);
22154 -+ __copy_user(to, from, n, __copyuser_seg, "", "");
22155 - else
22156 -- n = __copy_user_intel((void __user *)to,
22157 -- (const void *)from, n);
22158 -+ n = __generic_copy_from_user_intel(to, from, n);
22159 - return n;
22160 - }
22161 - EXPORT_SYMBOL(__copy_from_user_ll_nozero);
22162 -@@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
22163 - if (n > 64 && cpu_has_xmm2)
22164 - n = __copy_user_intel_nocache(to, from, n);
22165 - else
22166 -- __copy_user(to, from, n);
22167 -+ __copy_user(to, from, n, __copyuser_seg, "", "");
22168 - #else
22169 -- __copy_user(to, from, n);
22170 -+ __copy_user(to, from, n, __copyuser_seg, "", "");
22171 - #endif
22172 - return n;
22173 - }
22174 - EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
22175 -
22176 --/**
22177 -- * copy_to_user: - Copy a block of data into user space.
22178 -- * @to: Destination address, in user space.
22179 -- * @from: Source address, in kernel space.
22180 -- * @n: Number of bytes to copy.
22181 -- *
22182 -- * Context: User context only. This function may sleep.
22183 -- *
22184 -- * Copy data from kernel space to user space.
22185 -- *
22186 -- * Returns number of bytes that could not be copied.
22187 -- * On success, this will be zero.
22188 -- */
22189 --unsigned long
22190 --copy_to_user(void __user *to, const void *from, unsigned long n)
22191 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
22192 -+void __set_fs(mm_segment_t x)
22193 - {
22194 -- if (access_ok(VERIFY_WRITE, to, n))
22195 -- n = __copy_to_user(to, from, n);
22196 -- return n;
22197 -+ switch (x.seg) {
22198 -+ case 0:
22199 -+ loadsegment(gs, 0);
22200 -+ break;
22201 -+ case TASK_SIZE_MAX:
22202 -+ loadsegment(gs, __USER_DS);
22203 -+ break;
22204 -+ case -1UL:
22205 -+ loadsegment(gs, __KERNEL_DS);
22206 -+ break;
22207 -+ default:
22208 -+ BUG();
22209 -+ }
22210 -+ return;
22211 - }
22212 --EXPORT_SYMBOL(copy_to_user);
22213 -+EXPORT_SYMBOL(__set_fs);
22214 -
22215 --/**
22216 -- * copy_from_user: - Copy a block of data from user space.
22217 -- * @to: Destination address, in kernel space.
22218 -- * @from: Source address, in user space.
22219 -- * @n: Number of bytes to copy.
22220 -- *
22221 -- * Context: User context only. This function may sleep.
22222 -- *
22223 -- * Copy data from user space to kernel space.
22224 -- *
22225 -- * Returns number of bytes that could not be copied.
22226 -- * On success, this will be zero.
22227 -- *
22228 -- * If some data could not be copied, this function will pad the copied
22229 -- * data to the requested size using zero bytes.
22230 -- */
22231 --unsigned long
22232 --copy_from_user(void *to, const void __user *from, unsigned long n)
22233 -+void set_fs(mm_segment_t x)
22234 - {
22235 -- if (access_ok(VERIFY_READ, from, n))
22236 -- n = __copy_from_user(to, from, n);
22237 -- else
22238 -- memset(to, 0, n);
22239 -- return n;
22240 -+ current_thread_info()->addr_limit = x;
22241 -+ __set_fs(x);
22242 - }
22243 --EXPORT_SYMBOL(copy_from_user);
22244 -+EXPORT_SYMBOL(set_fs);
22245 -+#endif
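Review bot: set_fs() writes x into current_thread_info()->addr_limit before calling __set_fs(), and __set_fs() hits BUG() for any x.seg other than 0, TASK_SIZE_MAX or -1UL, so an unexpected value is stored first and rejected second. Validate before the store, or add a comment that those three values are the only ones callers may pass. The trailing return; in __set_fs() is redundant. The same hunk deletes copy_to_user() and copy_from_user() together with their kernel-doc and EXPORT_SYMBOL lines unconditionally, while the code that replaces them here is under #ifdef CONFIG_PAX_MEMORY_UDEREF; the replacement definitions are not in this hunk, so the patch description should say where they now live and whether the access_ok() check and the memset() on failure are preserved there.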
22246 -diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/lib/usercopy_64.c
22247 ---- linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
22248 -+++ linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-10-06 09:37:08.000000000 -0400
22249 -@@ -42,6 +42,12 @@ long
22250 - __strncpy_from_user(char *dst, const char __user *src, long count)
22251 - {
22252 - long res;
22253 -+
22254 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
22255 -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
22256 -+ src += PAX_USER_SHADOW_BASE;
22257 -+#endif
22258 -+
22259 - __do_strncpy_from_user(dst, src, count, res);
22260 - return res;
22261 - }
22262 -@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
22263 - {
22264 - long __d0;
22265 - might_fault();
22266 -+
22267 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
22268 -+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
22269 -+ addr += PAX_USER_SHADOW_BASE;
22270 -+#endif
22271 -+
22272 - /* no memory constraint because it doesn't change any memory gcc knows
22273 - about */
22274 - asm volatile(
22275 -@@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
22276 -
22277 - unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
22278 - {
22279 -- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22280 -- return copy_user_generic((__force void *)to, (__force void *)from, len);
22281 -- }
22282 -- return len;
22283 -+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22284 -+
22285 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
22286 -+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
22287 -+ to += PAX_USER_SHADOW_BASE;
22288 -+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
22289 -+ from += PAX_USER_SHADOW_BASE;
22290 -+#endif
22291 -+
22292 -+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
22293 -+ }
22294 -+ return len;
22295 - }
22296 - EXPORT_SYMBOL(copy_in_user);
22297 -
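Review bot: the test-and-rebase pair (if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;) is open-coded twice in copy_in_user() and once each in __strncpy_from_user() and __clear_user() in the same file. One helper would keep the four sites from drifting apart and would give a single place to document why an address already at or above the shadow base is left untouched. The access_ok() line and return len; are removed and re-added with no visible textual change, which makes the functional part of this hunk harder to see; drop the reindent.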
22298 -@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
22299 - * it is not necessary to optimize tail handling.
22300 - */
22301 - unsigned long
22302 --copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
22303 -+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
22304 - {
22305 - char c;
22306 - unsigned zero_len;
22307 -diff -urNp linux-2.6.32.46/arch/x86/mm/extable.c linux-2.6.32.46/arch/x86/mm/extable.c
22308 ---- linux-2.6.32.46/arch/x86/mm/extable.c 2011-03-27 14:31:47.000000000 -0400
22309 -+++ linux-2.6.32.46/arch/x86/mm/extable.c 2011-04-17 15:56:46.000000000 -0400
22310 -@@ -1,14 +1,71 @@
22311 - #include <linux/module.h>
22312 - #include <linux/spinlock.h>
22313 -+#include <linux/sort.h>
22314 - #include <asm/uaccess.h>
22315 -+#include <asm/pgtable.h>
22316 -
22317 -+/*
22318 -+ * The exception table needs to be sorted so that the binary
22319 -+ * search that we use to find entries in it works properly.
22320 -+ * This is used both for the kernel exception table and for
22321 -+ * the exception tables of modules that get loaded.
22322 -+ */
22323 -+static int cmp_ex(const void *a, const void *b)
22324 -+{
22325 -+ const struct exception_table_entry *x = a, *y = b;
22326 -+
22327 -+ /* avoid overflow */
22328 -+ if (x->insn > y->insn)
22329 -+ return 1;
22330 -+ if (x->insn < y->insn)
22331 -+ return -1;
22332 -+ return 0;
22333 -+}
22334 -+
22335 -+static void swap_ex(void *a, void *b, int size)
22336 -+{
22337 -+ struct exception_table_entry t, *x = a, *y = b;
22338 -+
22339 -+ t = *x;
22340 -+
22341 -+ pax_open_kernel();
22342 -+ *x = *y;
22343 -+ *y = t;
22344 -+ pax_close_kernel();
22345 -+}
22346 -+
22347 -+void sort_extable(struct exception_table_entry *start,
22348 -+ struct exception_table_entry *finish)
22349 -+{
22350 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
22351 -+ cmp_ex, swap_ex);
22352 -+}
22353 -+
22354 -+#ifdef CONFIG_MODULES
22355 -+/*
22356 -+ * If the exception table is sorted, any referring to the module init
22357 -+ * will be at the beginning or the end.
22358 -+ */
22359 -+void trim_init_extable(struct module *m)
22360 -+{
22361 -+ /*trim the beginning*/
22362 -+ while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
22363 -+ m->extable++;
22364 -+ m->num_exentries--;
22365 -+ }
22366 -+ /*trim the end*/
22367 -+ while (m->num_exentries &&
22368 -+ within_module_init(m->extable[m->num_exentries-1].insn, m))
22369 -+ m->num_exentries--;
22370 -+}
22371 -+#endif /* CONFIG_MODULES */
22372 -
22373 - int fixup_exception(struct pt_regs *regs)
22374 - {
22375 - const struct exception_table_entry *fixup;
22376 -
22377 - #ifdef CONFIG_PNPBIOS
22378 -- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
22379 -+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
22380 - extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
22381 - extern u32 pnp_bios_is_utter_crap;
22382 - pnp_bios_is_utter_crap = 1;
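Review bot: the `!v8086_mode(regs)` guard added in front of `SEGMENT_IS_PNP_CODE(regs->cs)` in fixup_exception() has no comment, and its purpose is not obvious from the code. In vm86 mode regs->cs holds a real-mode segment value rather than a protected-mode selector, so it can compare equal to a PnP BIOS selector without the fault having come from BIOS code. A one-line comment saying so would keep the check from being dropped later. Separately, swap_ex() ignores its size argument and wraps every swap in pax_open_kernel()/pax_close_kernel(); a note on why the exception table needs that would help.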
22383 -diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault.c
22384 ---- linux-2.6.32.46/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
22385 -+++ linux-2.6.32.46/arch/x86/mm/fault.c 2011-10-06 09:37:08.000000000 -0400
22386 -@@ -11,10 +11,19 @@
22387 - #include <linux/kprobes.h> /* __kprobes, ... */
22388 - #include <linux/mmiotrace.h> /* kmmio_handler, ... */
22389 - #include <linux/perf_event.h> /* perf_sw_event */
22390 -+#include <linux/unistd.h>
22391 -+#include <linux/compiler.h>
22392 -
22393 - #include <asm/traps.h> /* dotraplinkage, ... */
22394 - #include <asm/pgalloc.h> /* pgd_*(), ... */
22395 - #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
22396 -+#include <asm/vsyscall.h>
22397 -+#include <asm/tlbflush.h>
22398 -+
22399 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22400 -+#include <asm/stacktrace.h>
22401 -+#include "../kernel/dumpstack.h"
22402 -+#endif
22403 -
22404 - /*
22405 - * Page fault error code bits:
22406 -@@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
22407 - int ret = 0;
22408 -
22409 - /* kprobe_running() needs smp_processor_id() */
22410 -- if (kprobes_built_in() && !user_mode_vm(regs)) {
22411 -+ if (kprobes_built_in() && !user_mode(regs)) {
22412 - preempt_disable();
22413 - if (kprobe_running() && kprobe_fault_handler(regs, 14))
22414 - ret = 1;
22415 -@@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
22416 - return !instr_lo || (instr_lo>>1) == 1;
22417 - case 0x00:
22418 - /* Prefetch instruction is 0x0F0D or 0x0F18 */
22419 -- if (probe_kernel_address(instr, opcode))
22420 -+ if (user_mode(regs)) {
22421 -+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22422 -+ return 0;
22423 -+ } else if (probe_kernel_address(instr, opcode))
22424 - return 0;
22425 -
22426 - *prefetch = (instr_lo == 0xF) &&
22427 -@@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
22428 - while (instr < max_instr) {
22429 - unsigned char opcode;
22430 -
22431 -- if (probe_kernel_address(instr, opcode))
22432 -+ if (user_mode(regs)) {
22433 -+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22434 -+ break;
22435 -+ } else if (probe_kernel_address(instr, opcode))
22436 - break;
22437 -
22438 - instr++;
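Review bot: the four-line user_mode(regs) / __copy_from_user_inatomic() / probe_kernel_address() sequence added here in is_prefetch() is the same as the one added to check_prefetch_opcode() in the previous hunk, differing only in `break` versus `return 0`. Factor it into one helper that returns nonzero on failure, so the user/kernel split and the __force_user cast it needs live in a single place. The helper is also the right spot to say why instr is read as a user pointer when the fault came from user mode.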
22439 -@@ -172,6 +187,30 @@ force_sig_info_fault(int si_signo, int s
22440 - force_sig_info(si_signo, &info, tsk);
22441 - }
22442 -
22443 -+#ifdef CONFIG_PAX_EMUTRAMP
22444 -+static int pax_handle_fetch_fault(struct pt_regs *regs);
22445 -+#endif
22446 -+
22447 -+#ifdef CONFIG_PAX_PAGEEXEC
22448 -+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
22449 -+{
22450 -+ pgd_t *pgd;
22451 -+ pud_t *pud;
22452 -+ pmd_t *pmd;
22453 -+
22454 -+ pgd = pgd_offset(mm, address);
22455 -+ if (!pgd_present(*pgd))
22456 -+ return NULL;
22457 -+ pud = pud_offset(pgd, address);
22458 -+ if (!pud_present(*pud))
22459 -+ return NULL;
22460 -+ pmd = pmd_offset(pud, address);
22461 -+ if (!pmd_present(*pmd))
22462 -+ return NULL;
22463 -+ return pmd;
22464 -+}
22465 -+#endif
22466 -+
22467 - DEFINE_SPINLOCK(pgd_lock);
22468 - LIST_HEAD(pgd_list);
22469 -
22470 -@@ -224,11 +263,24 @@ void vmalloc_sync_all(void)
22471 - address += PMD_SIZE) {
22472 -
22473 - unsigned long flags;
22474 -+
22475 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22476 -+ unsigned long cpu;
22477 -+#else
22478 - struct page *page;
22479 -+#endif
22480 -
22481 - spin_lock_irqsave(&pgd_lock, flags);
22482 -+
22483 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22484 -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22485 -+ pgd_t *pgd = get_cpu_pgd(cpu);
22486 -+#else
22487 - list_for_each_entry(page, &pgd_list, lru) {
22488 -- if (!vmalloc_sync_one(page_address(page), address))
22489 -+ pgd_t *pgd = page_address(page);
22490 -+#endif
22491 -+
22492 -+ if (!vmalloc_sync_one(pgd, address))
22493 - break;
22494 - }
22495 - spin_unlock_irqrestore(&pgd_lock, flags);
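Review bot: the CONFIG_PAX_PER_CPU_PGD variant opens `for (cpu = 0; cpu < NR_CPUS; ++cpu) {` inside the #ifdef and shares its closing brace with list_for_each_entry() in the #else arm, which is easy to break on the next edit. Move the per-iteration body into a helper taking `pgd_t *pgd` and keep each loop whole in its own arm. The loop also walks all NR_CPUS slots with pgd_lock held and interrupts off, so state whether get_cpu_pgd() is valid for CPUs that are not present, or iterate over possible CPUs only.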
22496 -@@ -258,6 +310,11 @@ static noinline int vmalloc_fault(unsign
22497 - * an interrupt in the middle of a task switch..
22498 - */
22499 - pgd_paddr = read_cr3();
22500 -+
22501 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22502 -+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
22503 -+#endif
22504 -+
22505 - pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
22506 - if (!pmd_k)
22507 - return -1;
22508 -@@ -332,15 +389,27 @@ void vmalloc_sync_all(void)
22509 -
22510 - const pgd_t *pgd_ref = pgd_offset_k(address);
22511 - unsigned long flags;
22512 -+
22513 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22514 -+ unsigned long cpu;
22515 -+#else
22516 - struct page *page;
22517 -+#endif
22518 -
22519 - if (pgd_none(*pgd_ref))
22520 - continue;
22521 -
22522 - spin_lock_irqsave(&pgd_lock, flags);
22523 -+
22524 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22525 -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22526 -+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
22527 -+#else
22528 - list_for_each_entry(page, &pgd_list, lru) {
22529 - pgd_t *pgd;
22530 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22531 -+#endif
22532 -+
22533 - if (pgd_none(*pgd))
22534 - set_pgd(pgd, *pgd_ref);
22535 - else
22536 -@@ -373,7 +442,14 @@ static noinline int vmalloc_fault(unsign
22537 - * happen within a race in page table update. In the later
22538 - * case just flush:
22539 - */
22540 -+
22541 -+#ifdef CONFIG_PAX_PER_CPU_PGD
22542 -+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
22543 -+ pgd = pgd_offset_cpu(smp_processor_id(), address);
22544 -+#else
22545 - pgd = pgd_offset(current->active_mm, address);
22546 -+#endif
22547 -+
22548 - pgd_ref = pgd_offset_k(address);
22549 - if (pgd_none(*pgd_ref))
22550 - return -1;
22551 -@@ -535,7 +611,7 @@ static int is_errata93(struct pt_regs *r
22552 - static int is_errata100(struct pt_regs *regs, unsigned long address)
22553 - {
22554 - #ifdef CONFIG_X86_64
22555 -- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
22556 -+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
22557 - return 1;
22558 - #endif
22559 - return 0;
22560 -@@ -562,7 +638,7 @@ static int is_f00f_bug(struct pt_regs *r
22561 - }
22562 -
22563 - static const char nx_warning[] = KERN_CRIT
22564 --"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
22565 -+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
22566 -
22567 - static void
22568 - show_fault_oops(struct pt_regs *regs, unsigned long error_code,
22569 -@@ -571,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, un
22570 - if (!oops_may_print())
22571 - return;
22572 -
22573 -- if (error_code & PF_INSTR) {
22574 -+ if (nx_enabled && (error_code & PF_INSTR)) {
22575 - unsigned int level;
22576 -
22577 - pte_t *pte = lookup_address(address, &level);
22578 -
22579 - if (pte && pte_present(*pte) && !pte_exec(*pte))
22580 -- printk(nx_warning, current_uid());
22581 -+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
22582 - }
22583 -
22584 -+#ifdef CONFIG_PAX_KERNEXEC
22585 -+ if (init_mm.start_code <= address && address < init_mm.end_code) {
22586 -+ if (current->signal->curr_ip)
22587 -+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22588 -+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
22589 -+ else
22590 -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22591 -+ current->comm, task_pid_nr(current), current_uid(), current_euid());
22592 -+ }
22593 -+#endif
22594 -+
22595 - printk(KERN_ALERT "BUG: unable to handle kernel ");
22596 - if (address < PAGE_SIZE)
22597 - printk(KERN_CONT "NULL pointer dereference");
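Review bot: the CONFIG_PAX_KERNEXEC block logs "attempted to modify kernel code" whenever address lies between init_mm.start_code and init_mm.end_code, without looking at error_code, so a read or instruction-fetch fault in that range is reported as a write attempt. Gate the message on `error_code & PF_WRITE` or reword it. The two printk() calls differ only in the `From %pI4` prefix and could share one format string.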
22598 -@@ -704,6 +791,70 @@ __bad_area_nosemaphore(struct pt_regs *r
22599 - unsigned long address, int si_code)
22600 - {
22601 - struct task_struct *tsk = current;
22602 -+#if defined(CONFIG_X86_64) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22603 -+ struct mm_struct *mm = tsk->mm;
22604 -+#endif
22605 -+
22606 -+#ifdef CONFIG_X86_64
22607 -+ if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
22608 -+ if (regs->ip == (unsigned long)vgettimeofday) {
22609 -+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
22610 -+ return;
22611 -+ } else if (regs->ip == (unsigned long)vtime) {
22612 -+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
22613 -+ return;
22614 -+ } else if (regs->ip == (unsigned long)vgetcpu) {
22615 -+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
22616 -+ return;
22617 -+ }
22618 -+ }
22619 -+#endif
22620 -+
22621 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22622 -+ if (mm && (error_code & PF_USER)) {
22623 -+ unsigned long ip = regs->ip;
22624 -+
22625 -+ if (v8086_mode(regs))
22626 -+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
22627 -+
22628 -+ /*
22629 -+ * It's possible to have interrupts off here:
22630 -+ */
22631 -+ local_irq_enable();
22632 -+
22633 -+#ifdef CONFIG_PAX_PAGEEXEC
22634 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
22635 -+ ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
22636 -+
22637 -+#ifdef CONFIG_PAX_EMUTRAMP
22638 -+ switch (pax_handle_fetch_fault(regs)) {
22639 -+ case 2:
22640 -+ return;
22641 -+ }
22642 -+#endif
22643 -+
22644 -+ pax_report_fault(regs, (void *)ip, (void *)regs->sp);
22645 -+ do_group_exit(SIGKILL);
22646 -+ }
22647 -+#endif
22648 -+
22649 -+#ifdef CONFIG_PAX_SEGMEXEC
22650 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
22651 -+
22652 -+#ifdef CONFIG_PAX_EMUTRAMP
22653 -+ switch (pax_handle_fetch_fault(regs)) {
22654 -+ case 2:
22655 -+ return;
22656 -+ }
22657 -+#endif
22658 -+
22659 -+ pax_report_fault(regs, (void *)ip, (void *)regs->sp);
22660 -+ do_group_exit(SIGKILL);
22661 -+ }
22662 -+#endif
22663 -+
22664 -+ }
22665 -+#endif
22666 -
22667 - /* User mode accesses just cause a SIGSEGV */
22668 - if (error_code & PF_USER) {
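Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` appears twice in this hunk with a bare 2, and its meaning (gcc trampoline emulated, resume the task) is documented only at the function definition much later in the file. Use named constants for the return values and a plain `if`. The PAGEEXEC fallback test `!(error_code & (PF_PROT | PF_WRITE)) && ip == address` also needs a comment saying that it recognises an instruction fetch without relying on PF_INSTR, since the task is killed with SIGKILL on that basis.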
22669 -@@ -857,6 +1008,99 @@ static int spurious_fault_check(unsigned
22670 - return 1;
22671 - }
22672 -
22673 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22674 -+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
22675 -+{
22676 -+ pte_t *pte;
22677 -+ pmd_t *pmd;
22678 -+ spinlock_t *ptl;
22679 -+ unsigned char pte_mask;
22680 -+
22681 -+ if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
22682 -+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
22683 -+ return 0;
22684 -+
22685 -+ /* PaX: it's our fault, let's handle it if we can */
22686 -+
22687 -+ /* PaX: take a look at read faults before acquiring any locks */
22688 -+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
22689 -+ /* instruction fetch attempt from a protected page in user mode */
22690 -+ up_read(&mm->mmap_sem);
22691 -+
22692 -+#ifdef CONFIG_PAX_EMUTRAMP
22693 -+ switch (pax_handle_fetch_fault(regs)) {
22694 -+ case 2:
22695 -+ return 1;
22696 -+ }
22697 -+#endif
22698 -+
22699 -+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
22700 -+ do_group_exit(SIGKILL);
22701 -+ }
22702 -+
22703 -+ pmd = pax_get_pmd(mm, address);
22704 -+ if (unlikely(!pmd))
22705 -+ return 0;
22706 -+
22707 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
22708 -+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
22709 -+ pte_unmap_unlock(pte, ptl);
22710 -+ return 0;
22711 -+ }
22712 -+
22713 -+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
22714 -+ /* write attempt to a protected page in user mode */
22715 -+ pte_unmap_unlock(pte, ptl);
22716 -+ return 0;
22717 -+ }
22718 -+
22719 -+#ifdef CONFIG_SMP
22720 -+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
22721 -+#else
22722 -+ if (likely(address > get_limit(regs->cs)))
22723 -+#endif
22724 -+ {
22725 -+ set_pte(pte, pte_mkread(*pte));
22726 -+ __flush_tlb_one(address);
22727 -+ pte_unmap_unlock(pte, ptl);
22728 -+ up_read(&mm->mmap_sem);
22729 -+ return 1;
22730 -+ }
22731 -+
22732 -+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
22733 -+
22734 -+ /*
22735 -+ * PaX: fill DTLB with user rights and retry
22736 -+ */
22737 -+ __asm__ __volatile__ (
22738 -+ "orb %2,(%1)\n"
22739 -+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
22740 -+/*
22741 -+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
22742 -+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
22743 -+ * page fault when examined during a TLB load attempt. this is true not only
22744 -+ * for PTEs holding a non-present entry but also present entries that will
22745 -+ * raise a page fault (such as those set up by PaX, or the copy-on-write
22746 -+ * mechanism). in effect it means that we do *not* need to flush the TLBs
22747 -+ * for our target pages since their PTEs are simply not in the TLBs at all.
22748 -+
22749 -+ * the best thing in omitting it is that we gain around 15-20% speed in the
22750 -+ * fast path of the page fault handler and can get rid of tracing since we
22751 -+ * can no longer flush unintended entries.
22752 -+ */
22753 -+ "invlpg (%0)\n"
22754 -+#endif
22755 -+ __copyuser_seg"testb $0,(%0)\n"
22756 -+ "xorb %3,(%1)\n"
22757 -+ :
22758 -+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
22759 -+ : "memory", "cc");
22760 -+ pte_unmap_unlock(pte, ptl);
22761 -+ up_read(&mm->mmap_sem);
22762 -+ return 1;
22763 -+}
22764 -+#endif
22765 -+
22766 - /*
22767 - * Handle a spurious fault caused by a stale TLB entry.
22768 - *
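Review bot: pax_handle_pageexec_fault() returns 1 only after calling up_read(&mm->mmap_sem) and returns 0 with the semaphore still held, but that contract is not written down anywhere in the function, and the caller in do_page_fault() simply returns on a nonzero result. Add a header comment stating it, because a new early `return 1` that forgets the up_read() would leave mmap_sem held. The expression `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` also depends on the numeric position of PF_WRITE and needs a comment or a BUILD_BUG_ON().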
22769 -@@ -923,6 +1167,9 @@ int show_unhandled_signals = 1;
22770 - static inline int
22771 - access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
22772 - {
22773 -+ if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
22774 -+ return 1;
22775 -+
22776 - if (write) {
22777 - /* write, present and write, not present: */
22778 - if (unlikely(!(vma->vm_flags & VM_WRITE)))
22779 -@@ -956,17 +1203,31 @@ do_page_fault(struct pt_regs *regs, unsi
22780 - {
22781 - struct vm_area_struct *vma;
22782 - struct task_struct *tsk;
22783 -- unsigned long address;
22784 - struct mm_struct *mm;
22785 - int write;
22786 - int fault;
22787 -
22788 -+ /* Get the faulting address: */
22789 -+ unsigned long address = read_cr2();
22790 -+
22791 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22792 -+ if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
22793 -+ if (!search_exception_tables(regs->ip)) {
22794 -+ bad_area_nosemaphore(regs, error_code, address);
22795 -+ return;
22796 -+ }
22797 -+ if (address < PAX_USER_SHADOW_BASE) {
22798 -+ printk(KERN_ERR "PAX: please report this to pageexec@××××××××.hu\n");
22799 -+ printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
22800 -+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
22801 -+ } else
22802 -+ address -= PAX_USER_SHADOW_BASE;
22803 -+ }
22804 -+#endif
22805 -+
22806 - tsk = current;
22807 - mm = tsk->mm;
22808 -
22809 -- /* Get the faulting address: */
22810 -- address = read_cr2();
22811 --
22812 - /*
22813 - * Detect and handle instructions that would cause a page fault for
22814 - * both a tracked kernel page and a userspace page.
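Review bot: in the UDEREF block, the `address < PAX_USER_SHADOW_BASE` branch prints two messages and a stack trace and then continues into the normal fault path with address unchanged, while the else branch silently subtracts PAX_USER_SHADOW_BASE; neither has a comment saying what kind of access it represents. The printk() calls are not rate-limited, so a repeatable fault here can flood the log. Document both branches and consider printk_ratelimit().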
22815 -@@ -1026,7 +1287,7 @@ do_page_fault(struct pt_regs *regs, unsi
22816 - * User-mode registers count as a user access even for any
22817 - * potential system fault or CPU buglet:
22818 - */
22819 -- if (user_mode_vm(regs)) {
22820 -+ if (user_mode(regs)) {
22821 - local_irq_enable();
22822 - error_code |= PF_USER;
22823 - } else {
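Review bot: swapping user_mode_vm(regs) for user_mode(regs) at the point where PF_USER is OR-ed into error_code (and likewise in notify_page_fault() earlier in this file) is only safe if user_mode() also returns true for vm86 tasks. Nothing in these hunks shows that, and with the stock definition a vm86 fault could be classified as a kernel-mode fault here. Point to where user_mode() is redefined, or say so in the changelog.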
22824 -@@ -1080,6 +1341,11 @@ do_page_fault(struct pt_regs *regs, unsi
22825 - might_sleep();
22826 - }
22827 -
22828 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22829 -+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
22830 -+ return;
22831 -+#endif
22832 -+
22833 - vma = find_vma(mm, address);
22834 - if (unlikely(!vma)) {
22835 - bad_area(regs, error_code, address);
22836 -@@ -1091,18 +1357,24 @@ do_page_fault(struct pt_regs *regs, unsi
22837 - bad_area(regs, error_code, address);
22838 - return;
22839 - }
22840 -- if (error_code & PF_USER) {
22841 -- /*
22842 -- * Accessing the stack below %sp is always a bug.
22843 -- * The large cushion allows instructions like enter
22844 -- * and pusha to work. ("enter $65535, $31" pushes
22845 -- * 32 pointers and then decrements %sp by 65535.)
22846 -- */
22847 -- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
22848 -- bad_area(regs, error_code, address);
22849 -- return;
22850 -- }
22851 -+ /*
22852 -+ * Accessing the stack below %sp is always a bug.
22853 -+ * The large cushion allows instructions like enter
22854 -+ * and pusha to work. ("enter $65535, $31" pushes
22855 -+ * 32 pointers and then decrements %sp by 65535.)
22856 -+ */
22857 -+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
22858 -+ bad_area(regs, error_code, address);
22859 -+ return;
22860 - }
22861 -+
22862 -+#ifdef CONFIG_PAX_SEGMEXEC
22863 -+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
22864 -+ bad_area(regs, error_code, address);
22865 -+ return;
22866 -+ }
22867 -+#endif
22868 -+
22869 - if (unlikely(expand_stack(vma, address))) {
22870 - bad_area(regs, error_code, address);
22871 - return;
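Review bot: dropping the `if (error_code & PF_USER)` guard means the below-%sp check now also runs for kernel-mode faults, and it compares against task_pt_regs(tsk)->sp instead of regs->sp, yet the comment above it is carried over unchanged. Say in the comment that the user stack pointer is now used for faults taken in kernel mode too. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to express a range check and is unreadable without a note to that effect.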
22872 -@@ -1146,3 +1418,199 @@ good_area:
22873 -
22874 - up_read(&mm->mmap_sem);
22875 - }
22876 -+
22877 -+#ifdef CONFIG_PAX_EMUTRAMP
22878 -+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
22879 -+{
22880 -+ int err;
22881 -+
22882 -+ do { /* PaX: gcc trampoline emulation #1 */
22883 -+ unsigned char mov1, mov2;
22884 -+ unsigned short jmp;
22885 -+ unsigned int addr1, addr2;
22886 -+
22887 -+#ifdef CONFIG_X86_64
22888 -+ if ((regs->ip + 11) >> 32)
22889 -+ break;
22890 -+#endif
22891 -+
22892 -+ err = get_user(mov1, (unsigned char __user *)regs->ip);
22893 -+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22894 -+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
22895 -+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22896 -+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
22897 -+
22898 -+ if (err)
22899 -+ break;
22900 -+
22901 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
22902 -+ regs->cx = addr1;
22903 -+ regs->ax = addr2;
22904 -+ regs->ip = addr2;
22905 -+ return 2;
22906 -+ }
22907 -+ } while (0);
22908 -+
22909 -+ do { /* PaX: gcc trampoline emulation #2 */
22910 -+ unsigned char mov, jmp;
22911 -+ unsigned int addr1, addr2;
22912 -+
22913 -+#ifdef CONFIG_X86_64
22914 -+ if ((regs->ip + 9) >> 32)
22915 -+ break;
22916 -+#endif
22917 -+
22918 -+ err = get_user(mov, (unsigned char __user *)regs->ip);
22919 -+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22920 -+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
22921 -+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22922 -+
22923 -+ if (err)
22924 -+ break;
22925 -+
22926 -+ if (mov == 0xB9 && jmp == 0xE9) {
22927 -+ regs->cx = addr1;
22928 -+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
22929 -+ return 2;
22930 -+ }
22931 -+ } while (0);
22932 -+
22933 -+ return 1; /* PaX in action */
22934 -+}
22935 -+
22936 -+#ifdef CONFIG_X86_64
22937 -+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
22938 -+{
22939 -+ int err;
22940 -+
22941 -+ do { /* PaX: gcc trampoline emulation #1 */
22942 -+ unsigned short mov1, mov2, jmp1;
22943 -+ unsigned char jmp2;
22944 -+ unsigned int addr1;
22945 -+ unsigned long addr2;
22946 -+
22947 -+ err = get_user(mov1, (unsigned short __user *)regs->ip);
22948 -+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
22949 -+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
22950 -+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
22951 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
22952 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
22953 -+
22954 -+ if (err)
22955 -+ break;
22956 -+
22957 -+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22958 -+ regs->r11 = addr1;
22959 -+ regs->r10 = addr2;
22960 -+ regs->ip = addr1;
22961 -+ return 2;
22962 -+ }
22963 -+ } while (0);
22964 -+
22965 -+ do { /* PaX: gcc trampoline emulation #2 */
22966 -+ unsigned short mov1, mov2, jmp1;
22967 -+ unsigned char jmp2;
22968 -+ unsigned long addr1, addr2;
22969 -+
22970 -+ err = get_user(mov1, (unsigned short __user *)regs->ip);
22971 -+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
22972 -+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
22973 -+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
22974 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
22975 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
22976 -+
22977 -+ if (err)
22978 -+ break;
22979 -+
22980 -+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22981 -+ regs->r11 = addr1;
22982 -+ regs->r10 = addr2;
22983 -+ regs->ip = addr1;
22984 -+ return 2;
22985 -+ }
22986 -+ } while (0);
22987 -+
22988 -+ return 1; /* PaX in action */
22989 -+}
22990 -+#endif
22991 -+
22992 -+/*
22993 -+ * PaX: decide what to do with offenders (regs->ip = fault address)
22994 -+ *
22995 -+ * returns 1 when task should be killed
22996 -+ * 2 when gcc trampoline was detected
22997 -+ */
22998 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
22999 -+{
23000 -+ if (v8086_mode(regs))
23001 -+ return 1;
23002 -+
23003 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
23004 -+ return 1;
23005 -+
23006 -+#ifdef CONFIG_X86_32
23007 -+ return pax_handle_fetch_fault_32(regs);
23008 -+#else
23009 -+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
23010 -+ return pax_handle_fetch_fault_32(regs);
23011 -+ else
23012 -+ return pax_handle_fetch_fault_64(regs);
23013 -+#endif
23014 -+}
23015 -+#endif
23016 -+
23017 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23018 -+void pax_report_insns(void *pc, void *sp)
23019 -+{
23020 -+ long i;
23021 -+
23022 -+ printk(KERN_ERR "PAX: bytes at PC: ");
23023 -+ for (i = 0; i < 20; i++) {
23024 -+ unsigned char c;
23025 -+ if (get_user(c, (unsigned char __force_user *)pc+i))
23026 -+ printk(KERN_CONT "?? ");
23027 -+ else
23028 -+ printk(KERN_CONT "%02x ", c);
23029 -+ }
23030 -+ printk("\n");
23031 -+
23032 -+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
23033 -+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
23034 -+ unsigned long c;
23035 -+ if (get_user(c, (unsigned long __force_user *)sp+i))
23036 -+#ifdef CONFIG_X86_32
23037 -+ printk(KERN_CONT "???????? ");
23038 -+#else
23039 -+ printk(KERN_CONT "???????????????? ");
23040 -+#endif
23041 -+ else
23042 -+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
23043 -+ }
23044 -+ printk("\n");
23045 -+}
23046 -+#endif
23047 -+
23048 -+/**
23049 -+ * probe_kernel_write(): safely attempt to write to a location
23050 -+ * @dst: address to write to
23051 -+ * @src: pointer to the data that shall be written
23052 -+ * @size: size of the data chunk
23053 -+ *
23054 -+ * Safely write to address @dst from the buffer at @src. If a kernel fault
23055 -+ * happens, handle that and return -EFAULT.
23056 -+ */
23057 -+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
23058 -+{
23059 -+ long ret;
23060 -+ mm_segment_t old_fs = get_fs();
23061 -+
23062 -+ set_fs(KERNEL_DS);
23063 -+ pagefault_disable();
23064 -+ pax_open_kernel();
23065 -+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
23066 -+ pax_close_kernel();
23067 -+ pagefault_enable();
23068 -+ set_fs(old_fs);
23069 -+
23070 -+ return ret ? -EFAULT : 0;
23071 -+}
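Review bot: the trampoline matchers in pax_handle_fetch_fault_32() and pax_handle_fetch_fault_64() compare against bare constants (0xB9, 0xB8, 0xE0FF, 0xE9, 0xBB41, 0xBA49, 0xBB49, 0xFF49, 0xE3) with no indication of the instruction sequence each one stands for. A match makes the kernel load registers and regs->ip from bytes read out of user memory, so spell out the expected sequence next to each test, for example `mov $addr1,%ecx; mov $addr2,%eax; jmp *%eax` for the first 32-bit case, so the accepted patterns can be audited. In pax_report_insns() the closing `printk("\n")` calls lack KERN_CONT, unlike the byte output before them.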
23072 -diff -urNp linux-2.6.32.46/arch/x86/mm/gup.c linux-2.6.32.46/arch/x86/mm/gup.c
23073 ---- linux-2.6.32.46/arch/x86/mm/gup.c 2011-03-27 14:31:47.000000000 -0400
23074 -+++ linux-2.6.32.46/arch/x86/mm/gup.c 2011-04-17 15:56:46.000000000 -0400
23075 -@@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
23076 - addr = start;
23077 - len = (unsigned long) nr_pages << PAGE_SHIFT;
23078 - end = start + len;
23079 -- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23080 -+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23081 - (void __user *)start, len)))
23082 - return 0;
23083 -
23084 -diff -urNp linux-2.6.32.46/arch/x86/mm/highmem_32.c linux-2.6.32.46/arch/x86/mm/highmem_32.c
23085 ---- linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-03-27 14:31:47.000000000 -0400
23086 -+++ linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-04-17 15:56:46.000000000 -0400
23087 -@@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
23088 - idx = type + KM_TYPE_NR*smp_processor_id();
23089 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23090 - BUG_ON(!pte_none(*(kmap_pte-idx)));
23091 -+
23092 -+ pax_open_kernel();
23093 - set_pte(kmap_pte-idx, mk_pte(page, prot));
23094 -+ pax_close_kernel();
23095 -
23096 - return (void *)vaddr;
23097 - }
23098 -diff -urNp linux-2.6.32.46/arch/x86/mm/hugetlbpage.c linux-2.6.32.46/arch/x86/mm/hugetlbpage.c
23099 ---- linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
23100 -+++ linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
23101 -@@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
23102 - struct hstate *h = hstate_file(file);
23103 - struct mm_struct *mm = current->mm;
23104 - struct vm_area_struct *vma;
23105 -- unsigned long start_addr;
23106 -+ unsigned long start_addr, pax_task_size = TASK_SIZE;
23107 -+
23108 -+#ifdef CONFIG_PAX_SEGMEXEC
23109 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23110 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
23111 -+#endif
23112 -+
23113 -+ pax_task_size -= PAGE_SIZE;
23114 -
23115 - if (len > mm->cached_hole_size) {
23116 -- start_addr = mm->free_area_cache;
23117 -+ start_addr = mm->free_area_cache;
23118 - } else {
23119 -- start_addr = TASK_UNMAPPED_BASE;
23120 -- mm->cached_hole_size = 0;
23121 -+ start_addr = mm->mmap_base;
23122 -+ mm->cached_hole_size = 0;
23123 - }
23124 -
23125 - full_search:
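Review bot: `pax_task_size -= PAGE_SIZE;` sits outside the CONFIG_PAX_SEGMEXEC block, so it shrinks the usable range by one page on every configuration, and there is no comment giving the reason. The same line is repeated in hugetlb_get_unmapped_area() further down. Explain the reserved page once, ideally in a helper that returns the effective task size. The `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines are removed and re-added with the same text, which looks like whitespace-only churn.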
23126 -@@ -281,26 +288,27 @@ full_search:
23127 -
23128 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
23129 - /* At this point: (!vma || addr < vma->vm_end). */
23130 -- if (TASK_SIZE - len < addr) {
23131 -+ if (pax_task_size - len < addr) {
23132 - /*
23133 - * Start a new search - just in case we missed
23134 - * some holes.
23135 - */
23136 -- if (start_addr != TASK_UNMAPPED_BASE) {
23137 -- start_addr = TASK_UNMAPPED_BASE;
23138 -+ if (start_addr != mm->mmap_base) {
23139 -+ start_addr = mm->mmap_base;
23140 - mm->cached_hole_size = 0;
23141 - goto full_search;
23142 - }
23143 - return -ENOMEM;
23144 - }
23145 -- if (!vma || addr + len <= vma->vm_start) {
23146 -- mm->free_area_cache = addr + len;
23147 -- return addr;
23148 -- }
23149 -+ if (check_heap_stack_gap(vma, addr, len))
23150 -+ break;
23151 - if (addr + mm->cached_hole_size < vma->vm_start)
23152 - mm->cached_hole_size = vma->vm_start - addr;
23153 - addr = ALIGN(vma->vm_end, huge_page_size(h));
23154 - }
23155 -+
23156 -+ mm->free_area_cache = addr + len;
23157 -+ return addr;
23158 - }
23159 -
23160 - static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
23161 -@@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
23162 - {
23163 - struct hstate *h = hstate_file(file);
23164 - struct mm_struct *mm = current->mm;
23165 -- struct vm_area_struct *vma, *prev_vma;
23166 -- unsigned long base = mm->mmap_base, addr = addr0;
23167 -+ struct vm_area_struct *vma;
23168 -+ unsigned long base = mm->mmap_base, addr;
23169 - unsigned long largest_hole = mm->cached_hole_size;
23170 -- int first_time = 1;
23171 -
23172 - /* don't allow allocations above current base */
23173 - if (mm->free_area_cache > base)
23174 -@@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
23175 - largest_hole = 0;
23176 - mm->free_area_cache = base;
23177 - }
23178 --try_again:
23179 -+
23180 - /* make sure it can fit in the remaining address space */
23181 - if (mm->free_area_cache < len)
23182 - goto fail;
23183 -
23184 - /* either no address requested or cant fit in requested address hole */
23185 -- addr = (mm->free_area_cache - len) & huge_page_mask(h);
23186 -+ addr = (mm->free_area_cache - len);
23187 - do {
23188 -+ addr &= huge_page_mask(h);
23189 -+ vma = find_vma(mm, addr);
23190 - /*
23191 - * Lookup failure means no vma is above this address,
23192 - * i.e. return with success:
23193 -- */
23194 -- if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
23195 -- return addr;
23196 --
23197 -- /*
23198 - * new region fits between prev_vma->vm_end and
23199 - * vma->vm_start, use it:
23200 - */
23201 -- if (addr + len <= vma->vm_start &&
23202 -- (!prev_vma || (addr >= prev_vma->vm_end))) {
23203 -+ if (check_heap_stack_gap(vma, addr, len)) {
23204 - /* remember the address as a hint for next time */
23205 -- mm->cached_hole_size = largest_hole;
23206 -- return (mm->free_area_cache = addr);
23207 -- } else {
23208 -- /* pull free_area_cache down to the first hole */
23209 -- if (mm->free_area_cache == vma->vm_end) {
23210 -- mm->free_area_cache = vma->vm_start;
23211 -- mm->cached_hole_size = largest_hole;
23212 -- }
23213 -+ mm->cached_hole_size = largest_hole;
23214 -+ return (mm->free_area_cache = addr);
23215 -+ }
23216 -+ /* pull free_area_cache down to the first hole */
23217 -+ if (mm->free_area_cache == vma->vm_end) {
23218 -+ mm->free_area_cache = vma->vm_start;
23219 -+ mm->cached_hole_size = largest_hole;
23220 - }
23221 -
23222 - /* remember the largest hole we saw so far */
23223 - if (addr + largest_hole < vma->vm_start)
23224 -- largest_hole = vma->vm_start - addr;
23225 -+ largest_hole = vma->vm_start - addr;
23226 -
23227 - /* try just below the current vma->vm_start */
23228 -- addr = (vma->vm_start - len) & huge_page_mask(h);
23229 -- } while (len <= vma->vm_start);
23230 -+ addr = skip_heap_stack_gap(vma, len);
23231 -+ } while (!IS_ERR_VALUE(addr));
23232 -
23233 - fail:
23234 - /*
23235 -- * if hint left us with no space for the requested
23236 -- * mapping then try again:
23237 -- */
23238 -- if (first_time) {
23239 -- mm->free_area_cache = base;
23240 -- largest_hole = 0;
23241 -- first_time = 0;
23242 -- goto try_again;
23243 -- }
23244 -- /*
23245 - * A failed mmap() very likely causes application failure,
23246 - * so fall back to the bottom-up function here. This scenario
23247 - * can happen with large stack limits and large mmap()
23248 - * allocations.
23249 - */
23250 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
23251 -+
23252 -+#ifdef CONFIG_PAX_SEGMEXEC
23253 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23254 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
23255 -+ else
23256 -+#endif
23257 -+
23258 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
23259 -+
23260 -+#ifdef CONFIG_PAX_RANDMMAP
23261 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23262 -+ mm->mmap_base += mm->delta_mmap;
23263 -+#endif
23264 -+
23265 -+ mm->free_area_cache = mm->mmap_base;
23266 - mm->cached_hole_size = ~0UL;
23267 - addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
23268 - len, pgoff, flags);
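Review bot: after find_vma_prev() is replaced by find_vma() and check_heap_stack_gap(), the merged comment still says "new region fits between prev_vma->vm_end and vma->vm_start" although prev_vma no longer exists, and "Lookup failure means no vma is above this address" now sits above code that never tests vma directly. Rewrite the comment to describe what check_heap_stack_gap() decides, including the vma == NULL case, because the lines that follow dereference vma->vm_end. In the fail path the `else` before `#endif` binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` across a blank line; keep the two adjacent.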
23269 -@@ -387,6 +393,7 @@ fail:
23270 - /*
23271 - * Restore the topdown base:
23272 - */
23273 -+ mm->mmap_base = base;
23274 - mm->free_area_cache = base;
23275 - mm->cached_hole_size = ~0UL;
23276 -
23277 -@@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
23278 - struct hstate *h = hstate_file(file);
23279 - struct mm_struct *mm = current->mm;
23280 - struct vm_area_struct *vma;
23281 -+ unsigned long pax_task_size = TASK_SIZE;
23282 -
23283 - if (len & ~huge_page_mask(h))
23284 - return -EINVAL;
23285 -- if (len > TASK_SIZE)
23286 -+
23287 -+#ifdef CONFIG_PAX_SEGMEXEC
23288 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23289 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
23290 -+#endif
23291 -+
23292 -+ pax_task_size -= PAGE_SIZE;
23293 -+
23294 -+ if (len > pax_task_size)
23295 - return -ENOMEM;
23296 -
23297 - if (flags & MAP_FIXED) {
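Review bot: "pax_task_size -= PAGE_SIZE;" in hugetlb_get_unmapped_area() has no comment saying why the top page of the address space is excluded, and the limit now differs from the TASK_SIZE check it replaces even when SEGMEXEC is off. Add a one-line comment with the reason so the changed bound is not mistaken for an off-by-one.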
23298 -@@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
23299 - if (addr) {
23300 - addr = ALIGN(addr, huge_page_size(h));
23301 - vma = find_vma(mm, addr);
23302 -- if (TASK_SIZE - len >= addr &&
23303 -- (!vma || addr + len <= vma->vm_start))
23304 -+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
23305 - return addr;
23306 - }
23307 - if (mm->get_unmapped_area == arch_get_unmapped_area)
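Review bot: The hinted-address check drops the explicit "!vma" test and passes the result of find_vma() straight to check_heap_stack_gap(vma, addr, len). find_vma() can return NULL, and the helper is not visible in this hunk, so either confirm it accepts a NULL vma and say so in a comment here, or keep the "!vma ||" short-circuit in front of the call.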
23308 -diff -urNp linux-2.6.32.46/arch/x86/mm/init.c linux-2.6.32.46/arch/x86/mm/init.c
23309 ---- linux-2.6.32.46/arch/x86/mm/init.c 2011-04-17 17:00:52.000000000 -0400
23310 -+++ linux-2.6.32.46/arch/x86/mm/init.c 2011-06-07 19:06:09.000000000 -0400
23311 -@@ -69,11 +69,7 @@ static void __init find_early_table_spac
23312 - * cause a hotspot and fill up ZONE_DMA. The page tables
23313 - * need roughly 0.5KB per GB.
23314 - */
23315 --#ifdef CONFIG_X86_32
23316 -- start = 0x7000;
23317 --#else
23318 -- start = 0x8000;
23319 --#endif
23320 -+ start = 0x100000;
23321 - e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
23322 - tables, PAGE_SIZE);
23323 - if (e820_table_start == -1UL)
23324 -@@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
23325 - #endif
23326 -
23327 - set_nx();
23328 -- if (nx_enabled)
23329 -+ if (nx_enabled && cpu_has_nx)
23330 - printk(KERN_INFO "NX (Execute Disable) protection: active\n");
23331 -
23332 - /* Enable PSE if available */
23333 -@@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
23334 - * Access has to be given to non-kernel-ram areas as well, these contain the PCI
23335 - * mmio resources as well as potential bios/acpi data regions.
23336 - */
23337 -+
23338 - int devmem_is_allowed(unsigned long pagenr)
23339 - {
23340 -+#ifdef CONFIG_GRKERNSEC_KMEM
23341 -+ /* allow BDA */
23342 -+ if (!pagenr)
23343 -+ return 1;
23344 -+ /* allow EBDA */
23345 -+ if ((0x9f000 >> PAGE_SHIFT) == pagenr)
23346 -+ return 1;
23347 -+ /* allow ISA/video mem */
23348 -+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23349 -+ return 1;
23350 -+ /* throw out everything else below 1MB */
23351 -+ if (pagenr <= 256)
23352 -+ return 0;
23353 -+#else
23354 - if (pagenr <= 256)
23355 - return 1;
23356 -+#endif
23357 -+
23358 - if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
23359 - return 0;
23360 - if (!page_is_ram(pagenr))
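Review bot: In the CONFIG_GRKERNSEC_KMEM branch of devmem_is_allowed(), "if (pagenr <= 256) return 0;" is commented as "throw out everything else below 1MB", but with 4 KiB pages page 256 is the first page at 1MB, so the test and the comment disagree by one page. Use "pagenr < 256" or reword the comment. The EBDA is also allowed only as the single hard-coded page 0x9f000; a named constant and a note on that assumption would help, as would a constant for 256, which is the same boundary the ioremap.c change spells as 0x100.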
23361 -@@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
23362 -
23363 - void free_initmem(void)
23364 - {
23365 -+
23366 -+#ifdef CONFIG_PAX_KERNEXEC
23367 -+#ifdef CONFIG_X86_32
23368 -+ /* PaX: limit KERNEL_CS to actual size */
23369 -+ unsigned long addr, limit;
23370 -+ struct desc_struct d;
23371 -+ int cpu;
23372 -+
23373 -+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
23374 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
23375 -+
23376 -+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
23377 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
23378 -+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
23379 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
23380 -+ }
23381 -+
23382 -+ /* PaX: make KERNEL_CS read-only */
23383 -+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
23384 -+ if (!paravirt_enabled())
23385 -+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
23386 -+/*
23387 -+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
23388 -+ pgd = pgd_offset_k(addr);
23389 -+ pud = pud_offset(pgd, addr);
23390 -+ pmd = pmd_offset(pud, addr);
23391 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23392 -+ }
23393 -+*/
23394 -+#ifdef CONFIG_X86_PAE
23395 -+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
23396 -+/*
23397 -+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
23398 -+ pgd = pgd_offset_k(addr);
23399 -+ pud = pud_offset(pgd, addr);
23400 -+ pmd = pmd_offset(pud, addr);
23401 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23402 -+ }
23403 -+*/
23404 -+#endif
23405 -+
23406 -+#ifdef CONFIG_MODULES
23407 -+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
23408 -+#endif
23409 -+
23410 -+#else
23411 -+ pgd_t *pgd;
23412 -+ pud_t *pud;
23413 -+ pmd_t *pmd;
23414 -+ unsigned long addr, end;
23415 -+
23416 -+ /* PaX: make kernel code/rodata read-only, rest non-executable */
23417 -+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
23418 -+ pgd = pgd_offset_k(addr);
23419 -+ pud = pud_offset(pgd, addr);
23420 -+ pmd = pmd_offset(pud, addr);
23421 -+ if (!pmd_present(*pmd))
23422 -+ continue;
23423 -+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
23424 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23425 -+ else
23426 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23427 -+ }
23428 -+
23429 -+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
23430 -+ end = addr + KERNEL_IMAGE_SIZE;
23431 -+ for (; addr < end; addr += PMD_SIZE) {
23432 -+ pgd = pgd_offset_k(addr);
23433 -+ pud = pud_offset(pgd, addr);
23434 -+ pmd = pmd_offset(pud, addr);
23435 -+ if (!pmd_present(*pmd))
23436 -+ continue;
23437 -+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
23438 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23439 -+ }
23440 -+#endif
23441 -+
23442 -+ flush_tlb_all();
23443 -+#endif
23444 -+
23445 - free_init_pages("unused kernel memory",
23446 - (unsigned long)(&__init_begin),
23447 - (unsigned long)(&__init_end));
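Review bot: free_initmem() gains two commented-out set_pmd() loops next to the set_memory_ro() and set_memory_nx() calls that replaced them; dead code like this should be dropped rather than carried in the patch. The block is also about eighty lines of nested CONFIG_PAX_KERNEXEC / CONFIG_X86_32 / CONFIG_X86_PAE conditionals with bare "#else" and "#endif" lines, so please annotate each with its condition, or move the 32-bit and 64-bit bodies into separate helpers. The GDT loop runs "cpu < NR_CPUS" rather than over the possible CPUs, which deserves a comment if it is intentional.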
23448 -diff -urNp linux-2.6.32.46/arch/x86/mm/init_32.c linux-2.6.32.46/arch/x86/mm/init_32.c
23449 ---- linux-2.6.32.46/arch/x86/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
23450 -+++ linux-2.6.32.46/arch/x86/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
23451 -@@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
23452 - }
23453 -
23454 - /*
23455 -- * Creates a middle page table and puts a pointer to it in the
23456 -- * given global directory entry. This only returns the gd entry
23457 -- * in non-PAE compilation mode, since the middle layer is folded.
23458 -- */
23459 --static pmd_t * __init one_md_table_init(pgd_t *pgd)
23460 --{
23461 -- pud_t *pud;
23462 -- pmd_t *pmd_table;
23463 --
23464 --#ifdef CONFIG_X86_PAE
23465 -- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
23466 -- if (after_bootmem)
23467 -- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
23468 -- else
23469 -- pmd_table = (pmd_t *)alloc_low_page();
23470 -- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
23471 -- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
23472 -- pud = pud_offset(pgd, 0);
23473 -- BUG_ON(pmd_table != pmd_offset(pud, 0));
23474 --
23475 -- return pmd_table;
23476 -- }
23477 --#endif
23478 -- pud = pud_offset(pgd, 0);
23479 -- pmd_table = pmd_offset(pud, 0);
23480 --
23481 -- return pmd_table;
23482 --}
23483 --
23484 --/*
23485 - * Create a page table and place a pointer to it in a middle page
23486 - * directory entry:
23487 - */
23488 -@@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
23489 - page_table = (pte_t *)alloc_low_page();
23490 -
23491 - paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
23492 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23493 -+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
23494 -+#else
23495 - set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
23496 -+#endif
23497 - BUG_ON(page_table != pte_offset_kernel(pmd, 0));
23498 - }
23499 -
23500 - return pte_offset_kernel(pmd, 0);
23501 - }
23502 -
23503 -+static pmd_t * __init one_md_table_init(pgd_t *pgd)
23504 -+{
23505 -+ pud_t *pud;
23506 -+ pmd_t *pmd_table;
23507 -+
23508 -+ pud = pud_offset(pgd, 0);
23509 -+ pmd_table = pmd_offset(pud, 0);
23510 -+
23511 -+ return pmd_table;
23512 -+}
23513 -+
23514 - pmd_t * __init populate_extra_pmd(unsigned long vaddr)
23515 - {
23516 - int pgd_idx = pgd_index(vaddr);
23517 -@@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
23518 - int pgd_idx, pmd_idx;
23519 - unsigned long vaddr;
23520 - pgd_t *pgd;
23521 -+ pud_t *pud;
23522 - pmd_t *pmd;
23523 - pte_t *pte = NULL;
23524 -
23525 -@@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
23526 - pgd = pgd_base + pgd_idx;
23527 -
23528 - for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
23529 -- pmd = one_md_table_init(pgd);
23530 -- pmd = pmd + pmd_index(vaddr);
23531 -+ pud = pud_offset(pgd, vaddr);
23532 -+ pmd = pmd_offset(pud, vaddr);
23533 -+
23534 -+#ifdef CONFIG_X86_PAE
23535 -+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23536 -+#endif
23537 -+
23538 - for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
23539 - pmd++, pmd_idx++) {
23540 - pte = page_table_kmap_check(one_page_table_init(pmd),
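Review bot: Under CONFIG_X86_PAE, page_table_range_init() now calls paravirt_alloc_pmd() on every pgd iteration, whereas the removed one_md_table_init() only called it after allocating a new pmd table, guarded by "!(pgd_val(*pgd) & _PAGE_PRESENT)". If the pmd pages are now expected to exist already, say so in a comment and explain why notifying the hypervisor again for a table it already knows is safe. The same pattern appears in the kernel_physical_mapping_init() hunk further down.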
23541 -@@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
23542 - }
23543 - }
23544 -
23545 --static inline int is_kernel_text(unsigned long addr)
23546 -+static inline int is_kernel_text(unsigned long start, unsigned long end)
23547 - {
23548 -- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
23549 -- return 1;
23550 -- return 0;
23551 -+ if ((start > ktla_ktva((unsigned long)_etext) ||
23552 -+ end <= ktla_ktva((unsigned long)_stext)) &&
23553 -+ (start > ktla_ktva((unsigned long)_einittext) ||
23554 -+ end <= ktla_ktva((unsigned long)_sinittext)) &&
23555 -+
23556 -+#ifdef CONFIG_ACPI_SLEEP
23557 -+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
23558 -+#endif
23559 -+
23560 -+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
23561 -+ return 0;
23562 -+ return 1;
23563 - }
23564 -
23565 - /*
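Review bot: The new is_kernel_text(start, end) mixes "start > ..." with "end <= ..." in every clause, so a range that begins exactly at _etext, _einittext or the end of the wakeup area is still treated as overlapping; if that is deliberate it needs a comment, otherwise use "start >=". The function also returns 1 for the ACPI wakeup area and for 0xc0000 to 0xfffff, so the name no longer matches what it tests, and the literals 0x4000, 0xc0000 and 0xfffff should be named constants or at least commented.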
23566 -@@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
23567 - int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
23568 - unsigned long start_pfn, end_pfn;
23569 - pgd_t *pgd_base = swapper_pg_dir;
23570 -- int pgd_idx, pmd_idx, pte_ofs;
23571 -+ unsigned int pgd_idx, pmd_idx, pte_ofs;
23572 - unsigned long pfn;
23573 - pgd_t *pgd;
23574 -+ pud_t *pud;
23575 - pmd_t *pmd;
23576 - pte_t *pte;
23577 - unsigned pages_2m, pages_4k;
23578 -@@ -278,8 +279,13 @@ repeat:
23579 - pfn = start_pfn;
23580 - pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23581 - pgd = pgd_base + pgd_idx;
23582 -- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
23583 -- pmd = one_md_table_init(pgd);
23584 -+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
23585 -+ pud = pud_offset(pgd, 0);
23586 -+ pmd = pmd_offset(pud, 0);
23587 -+
23588 -+#ifdef CONFIG_X86_PAE
23589 -+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23590 -+#endif
23591 -
23592 - if (pfn >= end_pfn)
23593 - continue;
23594 -@@ -291,14 +297,13 @@ repeat:
23595 - #endif
23596 - for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
23597 - pmd++, pmd_idx++) {
23598 -- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
23599 -+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
23600 -
23601 - /*
23602 - * Map with big pages if possible, otherwise
23603 - * create normal page tables:
23604 - */
23605 - if (use_pse) {
23606 -- unsigned int addr2;
23607 - pgprot_t prot = PAGE_KERNEL_LARGE;
23608 - /*
23609 - * first pass will use the same initial
23610 -@@ -308,11 +313,7 @@ repeat:
23611 - __pgprot(PTE_IDENT_ATTR |
23612 - _PAGE_PSE);
23613 -
23614 -- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
23615 -- PAGE_OFFSET + PAGE_SIZE-1;
23616 --
23617 -- if (is_kernel_text(addr) ||
23618 -- is_kernel_text(addr2))
23619 -+ if (is_kernel_text(address, address + PMD_SIZE))
23620 - prot = PAGE_KERNEL_LARGE_EXEC;
23621 -
23622 - pages_2m++;
23623 -@@ -329,7 +330,7 @@ repeat:
23624 - pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23625 - pte += pte_ofs;
23626 - for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
23627 -- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
23628 -+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
23629 - pgprot_t prot = PAGE_KERNEL;
23630 - /*
23631 - * first pass will use the same initial
23632 -@@ -337,7 +338,7 @@ repeat:
23633 - */
23634 - pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
23635 -
23636 -- if (is_kernel_text(addr))
23637 -+ if (is_kernel_text(address, address + PAGE_SIZE))
23638 - prot = PAGE_KERNEL_EXEC;
23639 -
23640 - pages_4k++;
23641 -@@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
23642 -
23643 - pud = pud_offset(pgd, va);
23644 - pmd = pmd_offset(pud, va);
23645 -- if (!pmd_present(*pmd))
23646 -+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
23647 - break;
23648 -
23649 - pte = pte_offset_kernel(pmd, va);
23650 -@@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
23651 -
23652 - static void __init pagetable_init(void)
23653 - {
23654 -- pgd_t *pgd_base = swapper_pg_dir;
23655 --
23656 -- permanent_kmaps_init(pgd_base);
23657 -+ permanent_kmaps_init(swapper_pg_dir);
23658 - }
23659 -
23660 - #ifdef CONFIG_ACPI_SLEEP
23661 -@@ -551,12 +550,12 @@ static void __init pagetable_init(void)
23662 - * ACPI suspend needs this for resume, because things like the intel-agp
23663 - * driver might have split up a kernel 4MB mapping.
23664 - */
23665 --char swsusp_pg_dir[PAGE_SIZE]
23666 -+pgd_t swsusp_pg_dir[PTRS_PER_PGD]
23667 - __attribute__ ((aligned(PAGE_SIZE)));
23668 -
23669 - static inline void save_pg_dir(void)
23670 - {
23671 -- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
23672 -+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
23673 - }
23674 - #else /* !CONFIG_ACPI_SLEEP */
23675 - static inline void save_pg_dir(void)
23676 -@@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
23677 - flush_tlb_all();
23678 - }
23679 -
23680 --pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23681 -+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23682 - EXPORT_SYMBOL_GPL(__supported_pte_mask);
23683 -
23684 - /* user-defined highmem size */
23685 -@@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
23686 - * Initialize the boot-time allocator (with low memory only):
23687 - */
23688 - bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
23689 -- bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23690 -+ bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23691 - PAGE_SIZE);
23692 - if (bootmap == -1L)
23693 - panic("Cannot find bootmem map of size %ld\n", bootmap_size);
23694 -@@ -864,6 +863,12 @@ void __init mem_init(void)
23695 -
23696 - pci_iommu_alloc();
23697 -
23698 -+#ifdef CONFIG_PAX_PER_CPU_PGD
23699 -+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23700 -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23701 -+ KERNEL_PGD_PTRS);
23702 -+#endif
23703 -+
23704 - #ifdef CONFIG_FLATMEM
23705 - BUG_ON(!mem_map);
23706 - #endif
23707 -@@ -881,7 +886,7 @@ void __init mem_init(void)
23708 - set_highmem_pages_init();
23709 -
23710 - codesize = (unsigned long) &_etext - (unsigned long) &_text;
23711 -- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
23712 -+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
23713 - initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
23714 -
23715 - printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
23716 -@@ -923,10 +928,10 @@ void __init mem_init(void)
23717 - ((unsigned long)&__init_end -
23718 - (unsigned long)&__init_begin) >> 10,
23719 -
23720 -- (unsigned long)&_etext, (unsigned long)&_edata,
23721 -- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
23722 -+ (unsigned long)&_sdata, (unsigned long)&_edata,
23723 -+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
23724 -
23725 -- (unsigned long)&_text, (unsigned long)&_etext,
23726 -+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
23727 - ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
23728 -
23729 - /*
23730 -@@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
23731 - if (!kernel_set_to_readonly)
23732 - return;
23733 -
23734 -+ start = ktla_ktva(start);
23735 - pr_debug("Set kernel text: %lx - %lx for read write\n",
23736 - start, start+size);
23737 -
23738 -@@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
23739 - if (!kernel_set_to_readonly)
23740 - return;
23741 -
23742 -+ start = ktla_ktva(start);
23743 - pr_debug("Set kernel text: %lx - %lx for read only\n",
23744 - start, start+size);
23745 -
23746 -@@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
23747 - unsigned long start = PFN_ALIGN(_text);
23748 - unsigned long size = PFN_ALIGN(_etext) - start;
23749 -
23750 -+ start = ktla_ktva(start);
23751 - set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
23752 - printk(KERN_INFO "Write protecting the kernel text: %luk\n",
23753 - size >> 10);
23754 -diff -urNp linux-2.6.32.46/arch/x86/mm/init_64.c linux-2.6.32.46/arch/x86/mm/init_64.c
23755 ---- linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:00:52.000000000 -0400
23756 -+++ linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:03:05.000000000 -0400
23757 -@@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
23758 - pmd = fill_pmd(pud, vaddr);
23759 - pte = fill_pte(pmd, vaddr);
23760 -
23761 -+ pax_open_kernel();
23762 - set_pte(pte, new_pte);
23763 -+ pax_close_kernel();
23764 -
23765 - /*
23766 - * It's enough to flush this one mapping.
23767 -@@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
23768 - pgd = pgd_offset_k((unsigned long)__va(phys));
23769 - if (pgd_none(*pgd)) {
23770 - pud = (pud_t *) spp_getpage();
23771 -- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
23772 -- _PAGE_USER));
23773 -+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
23774 - }
23775 - pud = pud_offset(pgd, (unsigned long)__va(phys));
23776 - if (pud_none(*pud)) {
23777 - pmd = (pmd_t *) spp_getpage();
23778 -- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
23779 -- _PAGE_USER));
23780 -+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
23781 - }
23782 - pmd = pmd_offset(pud, phys);
23783 - BUG_ON(!pmd_none(*pmd));
23784 -@@ -675,6 +675,12 @@ void __init mem_init(void)
23785 -
23786 - pci_iommu_alloc();
23787 -
23788 -+#ifdef CONFIG_PAX_PER_CPU_PGD
23789 -+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23790 -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23791 -+ KERNEL_PGD_PTRS);
23792 -+#endif
23793 -+
23794 - /* clear_bss() already clear the empty_zero_page */
23795 -
23796 - reservedpages = 0;
23797 -@@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
23798 - static struct vm_area_struct gate_vma = {
23799 - .vm_start = VSYSCALL_START,
23800 - .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
23801 -- .vm_page_prot = PAGE_READONLY_EXEC,
23802 -- .vm_flags = VM_READ | VM_EXEC
23803 -+ .vm_page_prot = PAGE_READONLY,
23804 -+ .vm_flags = VM_READ
23805 - };
23806 -
23807 - struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
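Review bot: gate_vma loses VM_EXEC and PAGE_READONLY_EXEC with no comment in the code. Anything that consults this vma's flags or protection will now see the vsyscall area as non-executable, so add a comment next to the initializer that says how the page is expected to be executed or emulated after this change.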
23808 -@@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
23809 -
23810 - const char *arch_vma_name(struct vm_area_struct *vma)
23811 - {
23812 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23813 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23814 - return "[vdso]";
23815 - if (vma == &gate_vma)
23816 - return "[vsyscall]";
23817 -diff -urNp linux-2.6.32.46/arch/x86/mm/iomap_32.c linux-2.6.32.46/arch/x86/mm/iomap_32.c
23818 ---- linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-03-27 14:31:47.000000000 -0400
23819 -+++ linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-04-17 15:56:46.000000000 -0400
23820 -@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
23821 - debug_kmap_atomic(type);
23822 - idx = type + KM_TYPE_NR * smp_processor_id();
23823 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23824 -+
23825 -+ pax_open_kernel();
23826 - set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
23827 -+ pax_close_kernel();
23828 -+
23829 - arch_flush_lazy_mmu_mode();
23830 -
23831 - return (void *)vaddr;
23832 -diff -urNp linux-2.6.32.46/arch/x86/mm/ioremap.c linux-2.6.32.46/arch/x86/mm/ioremap.c
23833 ---- linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-03-27 14:31:47.000000000 -0400
23834 -+++ linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-04-17 15:56:46.000000000 -0400
23835 -@@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
23836 - * Second special case: Some BIOSen report the PC BIOS
23837 - * area (640->1Mb) as ram even though it is not.
23838 - */
23839 -- if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
23840 -- pagenr < (BIOS_END >> PAGE_SHIFT))
23841 -+ if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
23842 -+ pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23843 - return 0;
23844 -
23845 - for (i = 0; i < e820.nr_map; i++) {
23846 -@@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
23847 - /*
23848 - * Don't allow anybody to remap normal RAM that we're using..
23849 - */
23850 -- for (pfn = phys_addr >> PAGE_SHIFT;
23851 -- (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
23852 -- pfn++) {
23853 --
23854 -+ for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
23855 - int is_ram = page_is_ram(pfn);
23856 -
23857 -- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
23858 -+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
23859 - return NULL;
23860 - WARN_ON_ONCE(is_ram);
23861 - }
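Review bot: The RAM check in __ioremap_caller() now reads "(pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))", with 0x100 as an unexplained literal. That is the 1MB boundary with 4 KiB pages, the same limit the devmem_is_allowed() change writes as 256; use one named constant for both and add a comment on why reserved pages are only tolerated below it. The rewritten for statement is also a single line well past 80 columns; keep the original three-line layout and just add the resource_size_t cast.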
23862 -@@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
23863 - early_param("early_ioremap_debug", early_ioremap_debug_setup);
23864 -
23865 - static __initdata int after_paging_init;
23866 --static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
23867 -+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
23868 -
23869 - static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
23870 - {
23871 -@@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
23872 - slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
23873 -
23874 - pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
23875 -- memset(bm_pte, 0, sizeof(bm_pte));
23876 -- pmd_populate_kernel(&init_mm, pmd, bm_pte);
23877 -+ pmd_populate_user(&init_mm, pmd, bm_pte);
23878 -
23879 - /*
23880 - * The boot-ioremap range spans multiple pmds, for which
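Review bot: early_ioremap_init() switches from pmd_populate_kernel() to pmd_populate_user() for bm_pte on init_mm, which reads as a mistake without context since this is a kernel fixmap table. Add a comment explaining why the user variant is required here. The removed memset() is presumably dropped because bm_pte is now __read_only and statically zero; a short note to that effect would stop someone from adding it back.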
23881 -diff -urNp linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c
23882 ---- linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-27 14:31:47.000000000 -0400
23883 -+++ linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:56:46.000000000 -0400
23884 -@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
23885 - * memory (e.g. tracked pages)? For now, we need this to avoid
23886 - * invoking kmemcheck for PnP BIOS calls.
23887 - */
23888 -- if (regs->flags & X86_VM_MASK)
23889 -+ if (v8086_mode(regs))
23890 - return false;
23891 -- if (regs->cs != __KERNEL_CS)
23892 -+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
23893 - return false;
23894 -
23895 - pte = kmemcheck_pte_lookup(address);
23896 -diff -urNp linux-2.6.32.46/arch/x86/mm/mmap.c linux-2.6.32.46/arch/x86/mm/mmap.c
23897 ---- linux-2.6.32.46/arch/x86/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
23898 -+++ linux-2.6.32.46/arch/x86/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
23899 -@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
23900 - * Leave an at least ~128 MB hole with possible stack randomization.
23901 - */
23902 - #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
23903 --#define MAX_GAP (TASK_SIZE/6*5)
23904 -+#define MAX_GAP (pax_task_size/6*5)
23905 -
23906 - /*
23907 - * True on X86_32 or when emulating IA32 on X86_64
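Review bot: MAX_GAP is now defined as (pax_task_size/6*5), so the macro silently depends on a local variable named pax_task_size being in scope wherever it is expanded. Make the dependency explicit, for example MAX_GAP(size), or compute the bound inside mmap_base() where pax_task_size is declared.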
23908 -@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
23909 - return rnd << PAGE_SHIFT;
23910 - }
23911 -
23912 --static unsigned long mmap_base(void)
23913 -+static unsigned long mmap_base(struct mm_struct *mm)
23914 - {
23915 - unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
23916 -+ unsigned long pax_task_size = TASK_SIZE;
23917 -+
23918 -+#ifdef CONFIG_PAX_SEGMEXEC
23919 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23920 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
23921 -+#endif
23922 -
23923 - if (gap < MIN_GAP)
23924 - gap = MIN_GAP;
23925 - else if (gap > MAX_GAP)
23926 - gap = MAX_GAP;
23927 -
23928 -- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
23929 -+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
23930 - }
23931 -
23932 - /*
23933 - * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
23934 - * does, but not when emulating X86_32
23935 - */
23936 --static unsigned long mmap_legacy_base(void)
23937 -+static unsigned long mmap_legacy_base(struct mm_struct *mm)
23938 - {
23939 -- if (mmap_is_ia32())
23940 -+ if (mmap_is_ia32()) {
23941 -+
23942 -+#ifdef CONFIG_PAX_SEGMEXEC
23943 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23944 -+ return SEGMEXEC_TASK_UNMAPPED_BASE;
23945 -+ else
23946 -+#endif
23947 -+
23948 - return TASK_UNMAPPED_BASE;
23949 -- else
23950 -+ } else
23951 - return TASK_UNMAPPED_BASE + mmap_rnd();
23952 - }
23953 -
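Review bot: mmap_base() and mmap_legacy_base() now take an mm argument but mmap_base() still reads the stack limit from current->signal, and mm is only referenced inside the CONFIG_PAX_SEGMEXEC blocks, so the parameter is unused when that option is off. State in a comment that mm is expected to be current->mm, and check that the unused parameter does not produce a warning in the non-SEGMEXEC build. In mmap_legacy_base() the "else" before "#endif" binds across the blank line to "return TASK_UNMAPPED_BASE;", which is fragile; restructure it so each branch is complete inside its own preprocessor arm.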
23954 -@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
23955 - void arch_pick_mmap_layout(struct mm_struct *mm)
23956 - {
23957 - if (mmap_is_legacy()) {
23958 -- mm->mmap_base = mmap_legacy_base();
23959 -+ mm->mmap_base = mmap_legacy_base(mm);
23960 -+
23961 -+#ifdef CONFIG_PAX_RANDMMAP
23962 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23963 -+ mm->mmap_base += mm->delta_mmap;
23964 -+#endif
23965 -+
23966 - mm->get_unmapped_area = arch_get_unmapped_area;
23967 - mm->unmap_area = arch_unmap_area;
23968 - } else {
23969 -- mm->mmap_base = mmap_base();
23970 -+ mm->mmap_base = mmap_base(mm);
23971 -+
23972 -+#ifdef CONFIG_PAX_RANDMMAP
23973 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23974 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
23975 -+#endif
23976 -+
23977 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
23978 - mm->unmap_area = arch_unmap_area_topdown;
23979 - }
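Review bot: In the top-down branch of arch_pick_mmap_layout(), "mm->mmap_base -= mm->delta_mmap + mm->delta_stack;" is applied after mmap_base() has already clamped the gap to MAX_GAP and subtracted mmap_rnd(), and nothing checks that the result stays above a sane lower bound. Add a check or a comment giving the maximum values of the two deltas. The legacy branch adds only delta_mmap while this one subtracts both deltas; a comment on why delta_stack matters only here would help.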
23980 -diff -urNp linux-2.6.32.46/arch/x86/mm/mmio-mod.c linux-2.6.32.46/arch/x86/mm/mmio-mod.c
23981 ---- linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-03-27 14:31:47.000000000 -0400
23982 -+++ linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-07-06 19:53:33.000000000 -0400
23983 -@@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
23984 - break;
23985 - default:
23986 - {
23987 -- unsigned char *ip = (unsigned char *)instptr;
23988 -+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
23989 - my_trace->opcode = MMIO_UNKNOWN_OP;
23990 - my_trace->width = 0;
23991 - my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
23992 -@@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
23993 - static void ioremap_trace_core(resource_size_t offset, unsigned long size,
23994 - void __iomem *addr)
23995 - {
23996 -- static atomic_t next_id;
23997 -+ static atomic_unchecked_t next_id;
23998 - struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
23999 - /* These are page-unaligned. */
24000 - struct mmiotrace_map map = {
24001 -@@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
24002 - .private = trace
24003 - },
24004 - .phys = offset,
24005 -- .id = atomic_inc_return(&next_id)
24006 -+ .id = atomic_inc_return_unchecked(&next_id)
24007 - };
24008 - map.map_id = trace->id;
24009 -
24010 -diff -urNp linux-2.6.32.46/arch/x86/mm/numa_32.c linux-2.6.32.46/arch/x86/mm/numa_32.c
24011 ---- linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-03-27 14:31:47.000000000 -0400
24012 -+++ linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-04-17 15:56:46.000000000 -0400
24013 -@@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
24014 - }
24015 - #endif
24016 -
24017 --extern unsigned long find_max_low_pfn(void);
24018 - extern unsigned long highend_pfn, highstart_pfn;
24019 -
24020 - #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
24021 -diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr-test.c linux-2.6.32.46/arch/x86/mm/pageattr-test.c
24022 ---- linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-03-27 14:31:47.000000000 -0400
24023 -+++ linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-04-17 15:56:46.000000000 -0400
24024 -@@ -36,7 +36,7 @@ enum {
24025 -
24026 - static int pte_testbit(pte_t pte)
24027 - {
24028 -- return pte_flags(pte) & _PAGE_UNUSED1;
24029 -+ return pte_flags(pte) & _PAGE_CPA_TEST;
24030 - }
24031 -
24032 - struct split_state {
24033 -diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr.c linux-2.6.32.46/arch/x86/mm/pageattr.c
24034 ---- linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-03-27 14:31:47.000000000 -0400
24035 -+++ linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-04-17 15:56:46.000000000 -0400
24036 -@@ -261,16 +261,17 @@ static inline pgprot_t static_protection
24037 - * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
24038 - */
24039 - if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
24040 -- pgprot_val(forbidden) |= _PAGE_NX;
24041 -+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24042 -
24043 - /*
24044 - * The kernel text needs to be executable for obvious reasons
24045 - * Does not cover __inittext since that is gone later on. On
24046 - * 64bit we do not enforce !NX on the low mapping
24047 - */
24048 -- if (within(address, (unsigned long)_text, (unsigned long)_etext))
24049 -- pgprot_val(forbidden) |= _PAGE_NX;
24050 -+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
24051 -+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24052 -
24053 -+#ifdef CONFIG_DEBUG_RODATA
24054 - /*
24055 - * The .rodata section needs to be read-only. Using the pfn
24056 - * catches all aliases.
24057 -@@ -278,6 +279,14 @@ static inline pgprot_t static_protection
24058 - if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
24059 - __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
24060 - pgprot_val(forbidden) |= _PAGE_RW;
24061 -+#endif
24062 -+
24063 -+#ifdef CONFIG_PAX_KERNEXEC
24064 -+ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
24065 -+ pgprot_val(forbidden) |= _PAGE_RW;
24066 -+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24067 -+ }
24068 -+#endif
24069 -
24070 - prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
24071 -
24072 -@@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
24073 - static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
24074 - {
24075 - /* change init_mm */
24076 -+ pax_open_kernel();
24077 - set_pte_atomic(kpte, pte);
24078 -+
24079 - #ifdef CONFIG_X86_32
24080 - if (!SHARED_KERNEL_PMD) {
24081 -+
24082 -+#ifdef CONFIG_PAX_PER_CPU_PGD
24083 -+ unsigned long cpu;
24084 -+#else
24085 - struct page *page;
24086 -+#endif
24087 -
24088 -+#ifdef CONFIG_PAX_PER_CPU_PGD
24089 -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
24090 -+ pgd_t *pgd = get_cpu_pgd(cpu);
24091 -+#else
24092 - list_for_each_entry(page, &pgd_list, lru) {
24093 -- pgd_t *pgd;
24094 -+ pgd_t *pgd = (pgd_t *)page_address(page);
24095 -+#endif
24096 -+
24097 - pud_t *pud;
24098 - pmd_t *pmd;
24099 -
24100 -- pgd = (pgd_t *)page_address(page) + pgd_index(address);
24101 -+ pgd += pgd_index(address);
24102 - pud = pud_offset(pgd, address);
24103 - pmd = pmd_offset(pud, address);
24104 - set_pte_atomic((pte_t *)pmd, pte);
24105 - }
24106 - }
24107 - #endif
24108 -+ pax_close_kernel();
24109 - }
24110 -
24111 - static int
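Review bot: in __set_pmd_pte() the loop header and the first declaration of its body are chosen by `#ifdef CONFIG_PAX_PER_CPU_PGD`, while the rest of the body and the closing brace are shared, so each preprocessor branch opens a brace that is closed only once outside the conditional. This is hard to read and easy to break on the next edit. Consider hoisting the per-pgd update (`pgd += pgd_index(address);` through `set_pte_atomic((pte_t *)pmd, pte);`) into a small helper taking `pgd_t *pgd` and writing two complete loops. The `cpu < NR_CPUS` bound also deserves a comment on why every slot returned by get_cpu_pgd() is valid to write.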
24112 -diff -urNp linux-2.6.32.46/arch/x86/mm/pat.c linux-2.6.32.46/arch/x86/mm/pat.c
24113 ---- linux-2.6.32.46/arch/x86/mm/pat.c 2011-03-27 14:31:47.000000000 -0400
24114 -+++ linux-2.6.32.46/arch/x86/mm/pat.c 2011-04-17 15:56:46.000000000 -0400
24115 -@@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
24116 -
24117 - conflict:
24118 - printk(KERN_INFO "%s:%d conflicting memory types "
24119 -- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
24120 -+ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
24121 - new->end, cattr_name(new->type), cattr_name(entry->type));
24122 - return -EBUSY;
24123 - }
24124 -@@ -559,7 +559,7 @@ unlock_ret:
24125 -
24126 - if (err) {
24127 - printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
24128 -- current->comm, current->pid, start, end);
24129 -+ current->comm, task_pid_nr(current), start, end);
24130 - }
24131 -
24132 - dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
24133 -@@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
24134 - while (cursor < to) {
24135 - if (!devmem_is_allowed(pfn)) {
24136 - printk(KERN_INFO
24137 -- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
24138 -- current->comm, from, to);
24139 -+ "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
24140 -+ current->comm, from, to, cursor);
24141 - return 0;
24142 - }
24143 - cursor += PAGE_SIZE;
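Review bot: the extra value in the range_is_allowed() message is printed as a bare `(%Lx)`, so a reader of the log cannot tell that it is `cursor`, the address at which devmem_is_allowed() refused access. Label it in the format string, for example `"... between %Lx->%Lx (denied at %Lx).\n"`.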
24144 -@@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
24145 - printk(KERN_INFO
24146 - "%s:%d ioremap_change_attr failed %s "
24147 - "for %Lx-%Lx\n",
24148 -- current->comm, current->pid,
24149 -+ current->comm, task_pid_nr(current),
24150 - cattr_name(flags),
24151 - base, (unsigned long long)(base + size));
24152 - return -EINVAL;
24153 -@@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
24154 - free_memtype(paddr, paddr + size);
24155 - printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
24156 - " for %Lx-%Lx, got %s\n",
24157 -- current->comm, current->pid,
24158 -+ current->comm, task_pid_nr(current),
24159 - cattr_name(want_flags),
24160 - (unsigned long long)paddr,
24161 - (unsigned long long)(paddr + size),
24162 -diff -urNp linux-2.6.32.46/arch/x86/mm/pf_in.c linux-2.6.32.46/arch/x86/mm/pf_in.c
24163 ---- linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-03-27 14:31:47.000000000 -0400
24164 -+++ linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-07-06 19:53:33.000000000 -0400
24165 -@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
24166 - int i;
24167 - enum reason_type rv = OTHERS;
24168 -
24169 -- p = (unsigned char *)ins_addr;
24170 -+ p = (unsigned char *)ktla_ktva(ins_addr);
24171 - p += skip_prefix(p, &prf);
24172 - p += get_opcode(p, &opcode);
24173 -
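Review bot: `p = (unsigned char *)ktla_ktva(ins_addr);` in get_ins_type() changes which address the decoder reads from, but nothing in the hunk says why the instruction address has to be translated before it is dereferenced. The identical line is repeated in the four hunks that follow (get_ins_reg_width, get_ins_mem_width, get_ins_reg_val, get_ins_imm_val). A single static helper that returns the translated `unsigned char *`, with one comment explaining the translation, would remove the duplication and document the intent.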
24174 -@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
24175 - struct prefix_bits prf;
24176 - int i;
24177 -
24178 -- p = (unsigned char *)ins_addr;
24179 -+ p = (unsigned char *)ktla_ktva(ins_addr);
24180 - p += skip_prefix(p, &prf);
24181 - p += get_opcode(p, &opcode);
24182 -
24183 -@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
24184 - struct prefix_bits prf;
24185 - int i;
24186 -
24187 -- p = (unsigned char *)ins_addr;
24188 -+ p = (unsigned char *)ktla_ktva(ins_addr);
24189 - p += skip_prefix(p, &prf);
24190 - p += get_opcode(p, &opcode);
24191 -
24192 -@@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
24193 - int i;
24194 - unsigned long rv;
24195 -
24196 -- p = (unsigned char *)ins_addr;
24197 -+ p = (unsigned char *)ktla_ktva(ins_addr);
24198 - p += skip_prefix(p, &prf);
24199 - p += get_opcode(p, &opcode);
24200 - for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
24201 -@@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
24202 - int i;
24203 - unsigned long rv;
24204 -
24205 -- p = (unsigned char *)ins_addr;
24206 -+ p = (unsigned char *)ktla_ktva(ins_addr);
24207 - p += skip_prefix(p, &prf);
24208 - p += get_opcode(p, &opcode);
24209 - for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
24210 -diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable.c linux-2.6.32.46/arch/x86/mm/pgtable.c
24211 ---- linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-03-27 14:31:47.000000000 -0400
24212 -+++ linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-05-11 18:25:15.000000000 -0400
24213 -@@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
24214 - list_del(&page->lru);
24215 - }
24216 -
24217 --#define UNSHARED_PTRS_PER_PGD \
24218 -- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24219 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24220 -+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
24221 -
24222 -+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24223 -+{
24224 -+ while (count--)
24225 -+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
24226 -+}
24227 -+#endif
24228 -+
24229 -+#ifdef CONFIG_PAX_PER_CPU_PGD
24230 -+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24231 -+{
24232 -+ while (count--)
24233 -+
24234 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24235 -+ *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
24236 -+#else
24237 -+ *dst++ = *src++;
24238 -+#endif
24239 -+
24240 -+}
24241 -+#endif
24242 -+
24243 -+#ifdef CONFIG_X86_64
24244 -+#define pxd_t pud_t
24245 -+#define pyd_t pgd_t
24246 -+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
24247 -+#define pxd_free(mm, pud) pud_free((mm), (pud))
24248 -+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
24249 -+#define pyd_offset(mm ,address) pgd_offset((mm), (address))
24250 -+#define PYD_SIZE PGDIR_SIZE
24251 -+#else
24252 -+#define pxd_t pmd_t
24253 -+#define pyd_t pud_t
24254 -+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
24255 -+#define pxd_free(mm, pud) pmd_free((mm), (pud))
24256 -+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
24257 -+#define pyd_offset(mm ,address) pud_offset((mm), (address))
24258 -+#define PYD_SIZE PUD_SIZE
24259 -+#endif
24260 -+
24261 -+#ifdef CONFIG_PAX_PER_CPU_PGD
24262 -+static inline void pgd_ctor(pgd_t *pgd) {}
24263 -+static inline void pgd_dtor(pgd_t *pgd) {}
24264 -+#else
24265 - static void pgd_ctor(pgd_t *pgd)
24266 - {
24267 - /* If the pgd points to a shared pagetable level (either the
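Review bot: in __clone_user_pgds() the body of `while (count--)` is whichever statement survives the `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)` block, with no braces and a blank line after the loop header. Any statement later added to one branch only would silently fall outside the loop. Put braces around the `#if`/`#else`/`#endif` block. In the new pxd/pyd macros, the parameter names are also misleading: `pxd_free(mm, pud)` takes a pmd in the 32-bit branch, and `pyd_offset(mm ,address)` expands to `pud_offset((mm), (address))`, whose first argument is a pgd rather than an mm. Neutral names such as `pxd` and `p` would avoid that, and the macro block needs a comment stating what "pxd" and "pyd" stand for on each architecture.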
24268 -@@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
24269 - pgd_list_del(pgd);
24270 - spin_unlock_irqrestore(&pgd_lock, flags);
24271 - }
24272 -+#endif
24273 -
24274 - /*
24275 - * List of all pgd's needed for non-PAE so it can invalidate entries
24276 -@@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
24277 - * -- wli
24278 - */
24279 -
24280 --#ifdef CONFIG_X86_PAE
24281 -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24282 - /*
24283 - * In PAE mode, we need to do a cr3 reload (=tlb flush) when
24284 - * updating the top-level pagetable entries to guarantee the
24285 -@@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
24286 - * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
24287 - * and initialize the kernel pmds here.
24288 - */
24289 --#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
24290 -+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24291 -
24292 - void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
24293 - {
24294 -@@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
24295 - */
24296 - flush_tlb_mm(mm);
24297 - }
24298 -+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
24299 -+#define PREALLOCATED_PXDS USER_PGD_PTRS
24300 - #else /* !CONFIG_X86_PAE */
24301 -
24302 - /* No need to prepopulate any pagetable entries in non-PAE modes. */
24303 --#define PREALLOCATED_PMDS 0
24304 -+#define PREALLOCATED_PXDS 0
24305 -
24306 - #endif /* CONFIG_X86_PAE */
24307 -
24308 --static void free_pmds(pmd_t *pmds[])
24309 -+static void free_pxds(pxd_t *pxds[])
24310 - {
24311 - int i;
24312 -
24313 -- for(i = 0; i < PREALLOCATED_PMDS; i++)
24314 -- if (pmds[i])
24315 -- free_page((unsigned long)pmds[i]);
24316 -+ for(i = 0; i < PREALLOCATED_PXDS; i++)
24317 -+ if (pxds[i])
24318 -+ free_page((unsigned long)pxds[i]);
24319 - }
24320 -
24321 --static int preallocate_pmds(pmd_t *pmds[])
24322 -+static int preallocate_pxds(pxd_t *pxds[])
24323 - {
24324 - int i;
24325 - bool failed = false;
24326 -
24327 -- for(i = 0; i < PREALLOCATED_PMDS; i++) {
24328 -- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
24329 -- if (pmd == NULL)
24330 -+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
24331 -+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
24332 -+ if (pxd == NULL)
24333 - failed = true;
24334 -- pmds[i] = pmd;
24335 -+ pxds[i] = pxd;
24336 - }
24337 -
24338 - if (failed) {
24339 -- free_pmds(pmds);
24340 -+ free_pxds(pxds);
24341 - return -ENOMEM;
24342 - }
24343 -
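Review bot: the new `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch makes the trailing comments on `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` inaccurate, since the opening condition is now `defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` and there are three branches. Update both comments so the conditional can still be followed. The comment "No need to prepopulate any pagetable entries in non-PAE modes" should also mention the x86_64 per-CPU-PGD case that now does prepopulate.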
24344 -@@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
24345 - * preallocate which never got a corresponding vma will need to be
24346 - * freed manually.
24347 - */
24348 --static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
24349 -+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
24350 - {
24351 - int i;
24352 -
24353 -- for(i = 0; i < PREALLOCATED_PMDS; i++) {
24354 -+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
24355 - pgd_t pgd = pgdp[i];
24356 -
24357 - if (pgd_val(pgd) != 0) {
24358 -- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
24359 -+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
24360 -
24361 -- pgdp[i] = native_make_pgd(0);
24362 -+ set_pgd(pgdp + i, native_make_pgd(0));
24363 -
24364 -- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
24365 -- pmd_free(mm, pmd);
24366 -+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
24367 -+ pxd_free(mm, pxd);
24368 - }
24369 - }
24370 - }
24371 -
24372 --static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
24373 -+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
24374 - {
24375 -- pud_t *pud;
24376 -+ pyd_t *pyd;
24377 - unsigned long addr;
24378 - int i;
24379 -
24380 -- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
24381 -+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
24382 - return;
24383 -
24384 -- pud = pud_offset(pgd, 0);
24385 -+#ifdef CONFIG_X86_64
24386 -+ pyd = pyd_offset(mm, 0L);
24387 -+#else
24388 -+ pyd = pyd_offset(pgd, 0L);
24389 -+#endif
24390 -
24391 -- for (addr = i = 0; i < PREALLOCATED_PMDS;
24392 -- i++, pud++, addr += PUD_SIZE) {
24393 -- pmd_t *pmd = pmds[i];
24394 -+ for (addr = i = 0; i < PREALLOCATED_PXDS;
24395 -+ i++, pyd++, addr += PYD_SIZE) {
24396 -+ pxd_t *pxd = pxds[i];
24397 -
24398 - if (i >= KERNEL_PGD_BOUNDARY)
24399 -- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24400 -- sizeof(pmd_t) * PTRS_PER_PMD);
24401 -+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24402 -+ sizeof(pxd_t) * PTRS_PER_PMD);
24403 -
24404 -- pud_populate(mm, pud, pmd);
24405 -+ pyd_populate(mm, pyd, pxd);
24406 - }
24407 - }
24408 -
24409 - pgd_t *pgd_alloc(struct mm_struct *mm)
24410 - {
24411 - pgd_t *pgd;
24412 -- pmd_t *pmds[PREALLOCATED_PMDS];
24413 -+ pxd_t *pxds[PREALLOCATED_PXDS];
24414 -+
24415 - unsigned long flags;
24416 -
24417 - pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
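Review bot: in pgd_prepopulate_pxd() the memcpy was converted to `pxd_t` but still sizes the copy as `sizeof(pxd_t) * PTRS_PER_PMD`. With `pxd_t` defined as `pud_t` on x86_64, the element count is named after the wrong level. Add a `PTRS_PER_PXD` macro next to `PYD_SIZE` in the pxd/pyd macro block and use it here, so the type and the count stay in step. The call `pyd_offset(pgd, 0L)` in the 32-bit branch also passes a pgd to a macro whose first parameter is named `mm`, which is worth a comment or a rename.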
24418 -@@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24419 -
24420 - mm->pgd = pgd;
24421 -
24422 -- if (preallocate_pmds(pmds) != 0)
24423 -+ if (preallocate_pxds(pxds) != 0)
24424 - goto out_free_pgd;
24425 -
24426 - if (paravirt_pgd_alloc(mm) != 0)
24427 -- goto out_free_pmds;
24428 -+ goto out_free_pxds;
24429 -
24430 - /*
24431 - * Make sure that pre-populating the pmds is atomic with
24432 -@@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24433 - spin_lock_irqsave(&pgd_lock, flags);
24434 -
24435 - pgd_ctor(pgd);
24436 -- pgd_prepopulate_pmd(mm, pgd, pmds);
24437 -+ pgd_prepopulate_pxd(mm, pgd, pxds);
24438 -
24439 - spin_unlock_irqrestore(&pgd_lock, flags);
24440 -
24441 - return pgd;
24442 -
24443 --out_free_pmds:
24444 -- free_pmds(pmds);
24445 -+out_free_pxds:
24446 -+ free_pxds(pxds);
24447 - out_free_pgd:
24448 - free_page((unsigned long)pgd);
24449 - out:
24450 -@@ -287,7 +338,7 @@ out:
24451 -
24452 - void pgd_free(struct mm_struct *mm, pgd_t *pgd)
24453 - {
24454 -- pgd_mop_up_pmds(mm, pgd);
24455 -+ pgd_mop_up_pxds(mm, pgd);
24456 - pgd_dtor(pgd);
24457 - paravirt_pgd_free(mm, pgd);
24458 - free_page((unsigned long)pgd);
24459 -diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable_32.c linux-2.6.32.46/arch/x86/mm/pgtable_32.c
24460 ---- linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-03-27 14:31:47.000000000 -0400
24461 -+++ linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-04-17 15:56:46.000000000 -0400
24462 -@@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
24463 - return;
24464 - }
24465 - pte = pte_offset_kernel(pmd, vaddr);
24466 -+
24467 -+ pax_open_kernel();
24468 - if (pte_val(pteval))
24469 - set_pte_at(&init_mm, vaddr, pte, pteval);
24470 - else
24471 - pte_clear(&init_mm, vaddr, pte);
24472 -+ pax_close_kernel();
24473 -
24474 - /*
24475 - * It's enough to flush this one mapping.
24476 -diff -urNp linux-2.6.32.46/arch/x86/mm/setup_nx.c linux-2.6.32.46/arch/x86/mm/setup_nx.c
24477 ---- linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-03-27 14:31:47.000000000 -0400
24478 -+++ linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-04-17 15:56:46.000000000 -0400
24479 -@@ -4,11 +4,10 @@
24480 -
24481 - #include <asm/pgtable.h>
24482 -
24483 -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24484 - int nx_enabled;
24485 -
24486 --#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24487 --static int disable_nx __cpuinitdata;
24488 --
24489 -+#ifndef CONFIG_PAX_PAGEEXEC
24490 - /*
24491 - * noexec = on|off
24492 - *
24493 -@@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
24494 - if (!str)
24495 - return -EINVAL;
24496 - if (!strncmp(str, "on", 2)) {
24497 -- __supported_pte_mask |= _PAGE_NX;
24498 -- disable_nx = 0;
24499 -+ nx_enabled = 1;
24500 - } else if (!strncmp(str, "off", 3)) {
24501 -- disable_nx = 1;
24502 -- __supported_pte_mask &= ~_PAGE_NX;
24503 -+ nx_enabled = 0;
24504 - }
24505 - return 0;
24506 - }
24507 - early_param("noexec", noexec_setup);
24508 - #endif
24509 -+#endif
24510 -
24511 - #ifdef CONFIG_X86_PAE
24512 - void __init set_nx(void)
24513 - {
24514 -- unsigned int v[4], l, h;
24515 -+ if (!nx_enabled && cpu_has_nx) {
24516 -+ unsigned l, h;
24517 -
24518 -- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
24519 -- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
24520 --
24521 -- if ((v[3] & (1 << 20)) && !disable_nx) {
24522 -- rdmsr(MSR_EFER, l, h);
24523 -- l |= EFER_NX;
24524 -- wrmsr(MSR_EFER, l, h);
24525 -- nx_enabled = 1;
24526 -- __supported_pte_mask |= _PAGE_NX;
24527 -- }
24528 -+ __supported_pte_mask &= ~_PAGE_NX;
24529 -+ rdmsr(MSR_EFER, l, h);
24530 -+ l &= ~EFER_NX;
24531 -+ wrmsr(MSR_EFER, l, h);
24532 - }
24533 - }
24534 - #else
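Review bot: set_nx() now does the opposite of what its name says: under `if (!nx_enabled && cpu_has_nx)` it clears `_PAGE_NX` from `__supported_pte_mask` and clears `EFER_NX`, and it no longer contains any path that enables NX. In the lines shown, `nx_enabled` is a zero-initialised `int` whose only assignments are in noexec_setup(), and that function is compiled out under `#ifndef CONFIG_PAX_PAGEEXEC`. Please add a comment stating where `nx_enabled` is set to 1 before set_nx() runs; otherwise this code turns NX off on every boot. Renaming the function, or at least documenting the inverted role, would prevent misreading.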
24535 -@@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
24536 - unsigned long efer;
24537 -
24538 - rdmsrl(MSR_EFER, efer);
24539 -- if (!(efer & EFER_NX) || disable_nx)
24540 -+ if (!(efer & EFER_NX) || !nx_enabled)
24541 - __supported_pte_mask &= ~_PAGE_NX;
24542 - }
24543 - #endif
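Review bot: check_efer() tests `!nx_enabled`, but the earlier hunk moved the `int nx_enabled;` definition under `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)`, and check_efer() sits in the `#else` branch of `#ifdef CONFIG_X86_PAE`. In that configuration this file no longer defines the symbol, so it has to come from somewhere else. Note in a comment here where `nx_enabled` is defined for this build, so the dependency is visible in the file that uses it.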
24544 -diff -urNp linux-2.6.32.46/arch/x86/mm/tlb.c linux-2.6.32.46/arch/x86/mm/tlb.c
24545 ---- linux-2.6.32.46/arch/x86/mm/tlb.c 2011-03-27 14:31:47.000000000 -0400
24546 -+++ linux-2.6.32.46/arch/x86/mm/tlb.c 2011-04-23 12:56:10.000000000 -0400
24547 -@@ -61,7 +61,11 @@ void leave_mm(int cpu)
24548 - BUG();
24549 - cpumask_clear_cpu(cpu,
24550 - mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
24551 -+
24552 -+#ifndef CONFIG_PAX_PER_CPU_PGD
24553 - load_cr3(swapper_pg_dir);
24554 -+#endif
24555 -+
24556 - }
24557 - EXPORT_SYMBOL_GPL(leave_mm);
24558 -
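Review bot: leave_mm() skips `load_cr3(swapper_pg_dir);` when CONFIG_PAX_PER_CPU_PGD is set, but no comment explains which page tables the CPU is left running on or why that is safe for a CPU that has just been removed from the mm's cpumask. Add a short comment inside the `#ifndef`. The added blank line before the closing brace of the function can go.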
24559 -diff -urNp linux-2.6.32.46/arch/x86/oprofile/backtrace.c linux-2.6.32.46/arch/x86/oprofile/backtrace.c
24560 ---- linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-03-27 14:31:47.000000000 -0400
24561 -+++ linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-04-17 15:56:46.000000000 -0400
24562 -@@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
24563 - struct frame_head bufhead[2];
24564 -
24565 - /* Also check accessibility of one struct frame_head beyond */
24566 -- if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
24567 -+ if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
24568 - return NULL;
24569 - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
24570 - return NULL;
24571 -@@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
24572 - {
24573 - struct frame_head *head = (struct frame_head *)frame_pointer(regs);
24574 -
24575 -- if (!user_mode_vm(regs)) {
24576 -+ if (!user_mode(regs)) {
24577 - unsigned long stack = kernel_stack_pointer(regs);
24578 - if (depth)
24579 - dump_trace(NULL, regs, (unsigned long *)stack, 0,
24580 -diff -urNp linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c
24581 ---- linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-03-27 14:31:47.000000000 -0400
24582 -+++ linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:56:46.000000000 -0400
24583 -@@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
24584 - #endif
24585 - }
24586 -
24587 --static int inline addr_increment(void)
24588 -+static inline int addr_increment(void)
24589 - {
24590 - #ifdef CONFIG_SMP
24591 - return smp_num_siblings == 2 ? 2 : 1;
24592 -diff -urNp linux-2.6.32.46/arch/x86/pci/common.c linux-2.6.32.46/arch/x86/pci/common.c
24593 ---- linux-2.6.32.46/arch/x86/pci/common.c 2011-03-27 14:31:47.000000000 -0400
24594 -+++ linux-2.6.32.46/arch/x86/pci/common.c 2011-04-23 12:56:10.000000000 -0400
24595 -@@ -31,8 +31,8 @@ int noioapicreroute = 1;
24596 - int pcibios_last_bus = -1;
24597 - unsigned long pirq_table_addr;
24598 - struct pci_bus *pci_root_bus;
24599 --struct pci_raw_ops *raw_pci_ops;
24600 --struct pci_raw_ops *raw_pci_ext_ops;
24601 -+const struct pci_raw_ops *raw_pci_ops;
24602 -+const struct pci_raw_ops *raw_pci_ext_ops;
24603 -
24604 - int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
24605 - int reg, int len, u32 *val)
24606 -diff -urNp linux-2.6.32.46/arch/x86/pci/direct.c linux-2.6.32.46/arch/x86/pci/direct.c
24607 ---- linux-2.6.32.46/arch/x86/pci/direct.c 2011-03-27 14:31:47.000000000 -0400
24608 -+++ linux-2.6.32.46/arch/x86/pci/direct.c 2011-04-17 15:56:46.000000000 -0400
24609 -@@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
24610 -
24611 - #undef PCI_CONF1_ADDRESS
24612 -
24613 --struct pci_raw_ops pci_direct_conf1 = {
24614 -+const struct pci_raw_ops pci_direct_conf1 = {
24615 - .read = pci_conf1_read,
24616 - .write = pci_conf1_write,
24617 - };
24618 -@@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
24619 -
24620 - #undef PCI_CONF2_ADDRESS
24621 -
24622 --struct pci_raw_ops pci_direct_conf2 = {
24623 -+const struct pci_raw_ops pci_direct_conf2 = {
24624 - .read = pci_conf2_read,
24625 - .write = pci_conf2_write,
24626 - };
24627 -@@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
24628 - * This should be close to trivial, but it isn't, because there are buggy
24629 - * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
24630 - */
24631 --static int __init pci_sanity_check(struct pci_raw_ops *o)
24632 -+static int __init pci_sanity_check(const struct pci_raw_ops *o)
24633 - {
24634 - u32 x = 0;
24635 - int year, devfn;
24636 -diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_32.c linux-2.6.32.46/arch/x86/pci/mmconfig_32.c
24637 ---- linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-03-27 14:31:47.000000000 -0400
24638 -+++ linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-04-17 15:56:46.000000000 -0400
24639 -@@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
24640 - return 0;
24641 - }
24642 -
24643 --static struct pci_raw_ops pci_mmcfg = {
24644 -+static const struct pci_raw_ops pci_mmcfg = {
24645 - .read = pci_mmcfg_read,
24646 - .write = pci_mmcfg_write,
24647 - };
24648 -diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_64.c linux-2.6.32.46/arch/x86/pci/mmconfig_64.c
24649 ---- linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-03-27 14:31:47.000000000 -0400
24650 -+++ linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-04-17 15:56:46.000000000 -0400
24651 -@@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
24652 - return 0;
24653 - }
24654 -
24655 --static struct pci_raw_ops pci_mmcfg = {
24656 -+static const struct pci_raw_ops pci_mmcfg = {
24657 - .read = pci_mmcfg_read,
24658 - .write = pci_mmcfg_write,
24659 - };
24660 -diff -urNp linux-2.6.32.46/arch/x86/pci/numaq_32.c linux-2.6.32.46/arch/x86/pci/numaq_32.c
24661 ---- linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-03-27 14:31:47.000000000 -0400
24662 -+++ linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-04-17 15:56:46.000000000 -0400
24663 -@@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
24664 -
24665 - #undef PCI_CONF1_MQ_ADDRESS
24666 -
24667 --static struct pci_raw_ops pci_direct_conf1_mq = {
24668 -+static const struct pci_raw_ops pci_direct_conf1_mq = {
24669 - .read = pci_conf1_mq_read,
24670 - .write = pci_conf1_mq_write
24671 - };
24672 -diff -urNp linux-2.6.32.46/arch/x86/pci/olpc.c linux-2.6.32.46/arch/x86/pci/olpc.c
24673 ---- linux-2.6.32.46/arch/x86/pci/olpc.c 2011-03-27 14:31:47.000000000 -0400
24674 -+++ linux-2.6.32.46/arch/x86/pci/olpc.c 2011-04-17 15:56:46.000000000 -0400
24675 -@@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
24676 - return 0;
24677 - }
24678 -
24679 --static struct pci_raw_ops pci_olpc_conf = {
24680 -+static const struct pci_raw_ops pci_olpc_conf = {
24681 - .read = pci_olpc_read,
24682 - .write = pci_olpc_write,
24683 - };
24684 -diff -urNp linux-2.6.32.46/arch/x86/pci/pcbios.c linux-2.6.32.46/arch/x86/pci/pcbios.c
24685 ---- linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-03-27 14:31:47.000000000 -0400
24686 -+++ linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-04-17 15:56:46.000000000 -0400
24687 -@@ -56,50 +56,93 @@ union bios32 {
24688 - static struct {
24689 - unsigned long address;
24690 - unsigned short segment;
24691 --} bios32_indirect = { 0, __KERNEL_CS };
24692 -+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
24693 -
24694 - /*
24695 - * Returns the entry point for the given service, NULL on error
24696 - */
24697 -
24698 --static unsigned long bios32_service(unsigned long service)
24699 -+static unsigned long __devinit bios32_service(unsigned long service)
24700 - {
24701 - unsigned char return_code; /* %al */
24702 - unsigned long address; /* %ebx */
24703 - unsigned long length; /* %ecx */
24704 - unsigned long entry; /* %edx */
24705 - unsigned long flags;
24706 -+ struct desc_struct d, *gdt;
24707 -
24708 - local_irq_save(flags);
24709 -- __asm__("lcall *(%%edi); cld"
24710 -+
24711 -+ gdt = get_cpu_gdt_table(smp_processor_id());
24712 -+
24713 -+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
24714 -+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24715 -+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
24716 -+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24717 -+
24718 -+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
24719 - : "=a" (return_code),
24720 - "=b" (address),
24721 - "=c" (length),
24722 - "=d" (entry)
24723 - : "0" (service),
24724 - "1" (0),
24725 -- "D" (&bios32_indirect));
24726 -+ "D" (&bios32_indirect),
24727 -+ "r"(__PCIBIOS_DS)
24728 -+ : "memory");
24729 -+
24730 -+ pax_open_kernel();
24731 -+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
24732 -+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
24733 -+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
24734 -+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
24735 -+ pax_close_kernel();
24736 -+
24737 - local_irq_restore(flags);
24738 -
24739 - switch (return_code) {
24740 -- case 0:
24741 -- return address + entry;
24742 -- case 0x80: /* Not present */
24743 -- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24744 -- return 0;
24745 -- default: /* Shouldn't happen */
24746 -- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24747 -- service, return_code);
24748 -+ case 0: {
24749 -+ int cpu;
24750 -+ unsigned char flags;
24751 -+
24752 -+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
24753 -+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
24754 -+ printk(KERN_WARNING "bios32_service: not valid\n");
24755 - return 0;
24756 -+ }
24757 -+ address = address + PAGE_OFFSET;
24758 -+ length += 16UL; /* some BIOSs underreport this... */
24759 -+ flags = 4;
24760 -+ if (length >= 64*1024*1024) {
24761 -+ length >>= PAGE_SHIFT;
24762 -+ flags |= 8;
24763 -+ }
24764 -+
24765 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
24766 -+ gdt = get_cpu_gdt_table(cpu);
24767 -+ pack_descriptor(&d, address, length, 0x9b, flags);
24768 -+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24769 -+ pack_descriptor(&d, address, length, 0x93, flags);
24770 -+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24771 -+ }
24772 -+ return entry;
24773 -+ }
24774 -+ case 0x80: /* Not present */
24775 -+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24776 -+ return 0;
24777 -+ default: /* Shouldn't happen */
24778 -+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24779 -+ service, return_code);
24780 -+ return 0;
24781 - }
24782 - }
24783 -
24784 - static struct {
24785 - unsigned long address;
24786 - unsigned short segment;
24787 --} pci_indirect = { 0, __KERNEL_CS };
24788 -+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
24789 -
24790 --static int pci_bios_present;
24791 -+static int pci_bios_present __read_only;
24792 -
24793 - static int __devinit check_pcibios(void)
24794 - {
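Review bot: in bios32_service(), the new `case 0:` block declares `unsigned char flags;`, which shadows the function-level `unsigned long flags` used for local_irq_save()/local_irq_restore(). It works only because the IRQ state has already been restored at that point. Rename the inner variable (for example `desc_flags`) so a later reordering cannot restore interrupts from the wrong value. The descriptor constants `0x9B`, `0x93`, `0xC`, `4` and `8` passed to pack_descriptor() are undocumented and should get named constants or a comment. Also note that `length += 16UL;` runs after the `length > 0x100000 - address` validation, so the segment limit written to the GDT can exceed the bound that was just checked; either validate after the adjustment or clamp it.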
24795 -@@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
24796 - unsigned long flags, pcibios_entry;
24797 -
24798 - if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
24799 -- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
24800 -+ pci_indirect.address = pcibios_entry;
24801 -
24802 - local_irq_save(flags);
24803 -- __asm__(
24804 -- "lcall *(%%edi); cld\n\t"
24805 -+ __asm__("movw %w6, %%ds\n\t"
24806 -+ "lcall *%%ss:(%%edi); cld\n\t"
24807 -+ "push %%ss\n\t"
24808 -+ "pop %%ds\n\t"
24809 - "jc 1f\n\t"
24810 - "xor %%ah, %%ah\n"
24811 - "1:"
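Review bot: `pci_indirect.address = pcibios_entry;` in check_pcibios() is a plain store to a structure that the preceding hunk marks `__read_only`, whereas the GDT clears in bios32_service() are wrapped in pax_open_kernel()/pax_close_kernel(). Either wrap this store the same way or add a comment stating that the `__devinit` path always runs before read-only data is enforced. The removal of `+ PAGE_OFFSET` here depends on bios32_service() now returning a segment-relative `entry`; a comment at the assignment would make that coupling explicit.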
24812 -@@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
24813 - "=b" (ebx),
24814 - "=c" (ecx)
24815 - : "1" (PCIBIOS_PCI_BIOS_PRESENT),
24816 -- "D" (&pci_indirect)
24817 -+ "D" (&pci_indirect),
24818 -+ "r" (__PCIBIOS_DS)
24819 - : "memory");
24820 - local_irq_restore(flags);
24821 -
24822 -@@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
24823 -
24824 - switch (len) {
24825 - case 1:
24826 -- __asm__("lcall *(%%esi); cld\n\t"
24827 -+ __asm__("movw %w6, %%ds\n\t"
24828 -+ "lcall *%%ss:(%%esi); cld\n\t"
24829 -+ "push %%ss\n\t"
24830 -+ "pop %%ds\n\t"
24831 - "jc 1f\n\t"
24832 - "xor %%ah, %%ah\n"
24833 - "1:"
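Review bot: `movw %w6, %%ds` in pci_bios_read() refers to the `__PCIBIOS_DS` input by position, and that position differs across the call sites in this file (`%w7` in bios32_service(), `%w8` in pcibios_get_irq_routing(), `%w5` in pcibios_set_irq_routing()). Adding or removing any operand renumbers it and loads the wrong register into %ds without a compile error. Use a named operand, e.g. `[ds] "r" (__PCIBIOS_DS)` with `%w[ds]` in the template, in all of these asm statements. Since the sequence `movw ..., %%ds` / `lcall *%%ss:(...)` / `push %%ss` / `pop %%ds` is repeated verbatim in every case, a macro for the prologue and epilogue would also keep them consistent.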
24834 -@@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
24835 - : "1" (PCIBIOS_READ_CONFIG_BYTE),
24836 - "b" (bx),
24837 - "D" ((long)reg),
24838 -- "S" (&pci_indirect));
24839 -+ "S" (&pci_indirect),
24840 -+ "r" (__PCIBIOS_DS));
24841 - /*
24842 - * Zero-extend the result beyond 8 bits, do not trust the
24843 - * BIOS having done it:
24844 -@@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
24845 - *value &= 0xff;
24846 - break;
24847 - case 2:
24848 -- __asm__("lcall *(%%esi); cld\n\t"
24849 -+ __asm__("movw %w6, %%ds\n\t"
24850 -+ "lcall *%%ss:(%%esi); cld\n\t"
24851 -+ "push %%ss\n\t"
24852 -+ "pop %%ds\n\t"
24853 - "jc 1f\n\t"
24854 - "xor %%ah, %%ah\n"
24855 - "1:"
24856 -@@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
24857 - : "1" (PCIBIOS_READ_CONFIG_WORD),
24858 - "b" (bx),
24859 - "D" ((long)reg),
24860 -- "S" (&pci_indirect));
24861 -+ "S" (&pci_indirect),
24862 -+ "r" (__PCIBIOS_DS));
24863 - /*
24864 - * Zero-extend the result beyond 16 bits, do not trust the
24865 - * BIOS having done it:
24866 -@@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
24867 - *value &= 0xffff;
24868 - break;
24869 - case 4:
24870 -- __asm__("lcall *(%%esi); cld\n\t"
24871 -+ __asm__("movw %w6, %%ds\n\t"
24872 -+ "lcall *%%ss:(%%esi); cld\n\t"
24873 -+ "push %%ss\n\t"
24874 -+ "pop %%ds\n\t"
24875 - "jc 1f\n\t"
24876 - "xor %%ah, %%ah\n"
24877 - "1:"
24878 -@@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
24879 - : "1" (PCIBIOS_READ_CONFIG_DWORD),
24880 - "b" (bx),
24881 - "D" ((long)reg),
24882 -- "S" (&pci_indirect));
24883 -+ "S" (&pci_indirect),
24884 -+ "r" (__PCIBIOS_DS));
24885 - break;
24886 - }
24887 -
24888 -@@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
24889 -
24890 - switch (len) {
24891 - case 1:
24892 -- __asm__("lcall *(%%esi); cld\n\t"
24893 -+ __asm__("movw %w6, %%ds\n\t"
24894 -+ "lcall *%%ss:(%%esi); cld\n\t"
24895 -+ "push %%ss\n\t"
24896 -+ "pop %%ds\n\t"
24897 - "jc 1f\n\t"
24898 - "xor %%ah, %%ah\n"
24899 - "1:"
24900 -@@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
24901 - "c" (value),
24902 - "b" (bx),
24903 - "D" ((long)reg),
24904 -- "S" (&pci_indirect));
24905 -+ "S" (&pci_indirect),
24906 -+ "r" (__PCIBIOS_DS));
24907 - break;
24908 - case 2:
24909 -- __asm__("lcall *(%%esi); cld\n\t"
24910 -+ __asm__("movw %w6, %%ds\n\t"
24911 -+ "lcall *%%ss:(%%esi); cld\n\t"
24912 -+ "push %%ss\n\t"
24913 -+ "pop %%ds\n\t"
24914 - "jc 1f\n\t"
24915 - "xor %%ah, %%ah\n"
24916 - "1:"
24917 -@@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
24918 - "c" (value),
24919 - "b" (bx),
24920 - "D" ((long)reg),
24921 -- "S" (&pci_indirect));
24922 -+ "S" (&pci_indirect),
24923 -+ "r" (__PCIBIOS_DS));
24924 - break;
24925 - case 4:
24926 -- __asm__("lcall *(%%esi); cld\n\t"
24927 -+ __asm__("movw %w6, %%ds\n\t"
24928 -+ "lcall *%%ss:(%%esi); cld\n\t"
24929 -+ "push %%ss\n\t"
24930 -+ "pop %%ds\n\t"
24931 - "jc 1f\n\t"
24932 - "xor %%ah, %%ah\n"
24933 - "1:"
24934 -@@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
24935 - "c" (value),
24936 - "b" (bx),
24937 - "D" ((long)reg),
24938 -- "S" (&pci_indirect));
24939 -+ "S" (&pci_indirect),
24940 -+ "r" (__PCIBIOS_DS));
24941 - break;
24942 - }
24943 -
24944 -@@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
24945 - * Function table for BIOS32 access
24946 - */
24947 -
24948 --static struct pci_raw_ops pci_bios_access = {
24949 -+static const struct pci_raw_ops pci_bios_access = {
24950 - .read = pci_bios_read,
24951 - .write = pci_bios_write
24952 - };
24953 -@@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
24954 - * Try to find PCI BIOS.
24955 - */
24956 -
24957 --static struct pci_raw_ops * __devinit pci_find_bios(void)
24958 -+static const struct pci_raw_ops * __devinit pci_find_bios(void)
24959 - {
24960 - union bios32 *check;
24961 - unsigned char sum;
24962 -@@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
24963 -
24964 - DBG("PCI: Fetching IRQ routing table... ");
24965 - __asm__("push %%es\n\t"
24966 -+ "movw %w8, %%ds\n\t"
24967 - "push %%ds\n\t"
24968 - "pop %%es\n\t"
24969 -- "lcall *(%%esi); cld\n\t"
24970 -+ "lcall *%%ss:(%%esi); cld\n\t"
24971 - "pop %%es\n\t"
24972 -+ "push %%ss\n\t"
24973 -+ "pop %%ds\n"
24974 - "jc 1f\n\t"
24975 - "xor %%ah, %%ah\n"
24976 - "1:"
24977 -@@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
24978 - "1" (0),
24979 - "D" ((long) &opt),
24980 - "S" (&pci_indirect),
24981 -- "m" (opt)
24982 -+ "m" (opt),
24983 -+ "r" (__PCIBIOS_DS)
24984 - : "memory");
24985 - DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
24986 - if (ret & 0xff00)
24987 -@@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
24988 - {
24989 - int ret;
24990 -
24991 -- __asm__("lcall *(%%esi); cld\n\t"
24992 -+ __asm__("movw %w5, %%ds\n\t"
24993 -+ "lcall *%%ss:(%%esi); cld\n\t"
24994 -+ "push %%ss\n\t"
24995 -+ "pop %%ds\n"
24996 - "jc 1f\n\t"
24997 - "xor %%ah, %%ah\n"
24998 - "1:"
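Review bot: The restore sequence `push %%ss` / `pop %%ds` after the lcall in pcibios_set_irq_routing() assumes SS holds the selector that DS had on entry, and nothing in the hunk says so. Add a one-line comment on that assumption and on why the call now goes through `%%ss:(%%esi)`. The same prologue and epilogue are repeated in the `case 4:` branch above and in the IRQ routing table code, so a shared macro would keep the copies from drifting.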
24999 -@@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
25000 - : "0" (PCIBIOS_SET_PCI_HW_INT),
25001 - "b" ((dev->bus->number << 8) | dev->devfn),
25002 - "c" ((irq << 8) | (pin + 10)),
25003 -- "S" (&pci_indirect));
25004 -+ "S" (&pci_indirect),
25005 -+ "r" (__PCIBIOS_DS));
25006 - return !(ret & 0xff00);
25007 - }
25008 - EXPORT_SYMBOL(pcibios_set_irq_routing);
25009 -diff -urNp linux-2.6.32.46/arch/x86/power/cpu.c linux-2.6.32.46/arch/x86/power/cpu.c
25010 ---- linux-2.6.32.46/arch/x86/power/cpu.c 2011-03-27 14:31:47.000000000 -0400
25011 -+++ linux-2.6.32.46/arch/x86/power/cpu.c 2011-04-17 15:56:46.000000000 -0400
25012 -@@ -129,7 +129,7 @@ static void do_fpu_end(void)
25013 - static void fix_processor_context(void)
25014 - {
25015 - int cpu = smp_processor_id();
25016 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
25017 -+ struct tss_struct *t = init_tss + cpu;
25018 -
25019 - set_tss_desc(cpu, t); /*
25020 - * This just modifies memory; should not be
25021 -@@ -139,7 +139,9 @@ static void fix_processor_context(void)
25022 - */
25023 -
25024 - #ifdef CONFIG_X86_64
25025 -+ pax_open_kernel();
25026 - get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
25027 -+ pax_close_kernel();
25028 -
25029 - syscall_init(); /* This sets MSR_*STAR and related */
25030 - #endif
25031 -diff -urNp linux-2.6.32.46/arch/x86/vdso/Makefile linux-2.6.32.46/arch/x86/vdso/Makefile
25032 ---- linux-2.6.32.46/arch/x86/vdso/Makefile 2011-03-27 14:31:47.000000000 -0400
25033 -+++ linux-2.6.32.46/arch/x86/vdso/Makefile 2011-04-17 15:56:46.000000000 -0400
25034 -@@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
25035 - $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
25036 - -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
25037 -
25038 --VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25039 -+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25040 - GCOV_PROFILE := n
25041 -
25042 - #
25043 -diff -urNp linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c
25044 ---- linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-03-27 14:31:47.000000000 -0400
25045 -+++ linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:56:46.000000000 -0400
25046 -@@ -22,24 +22,48 @@
25047 - #include <asm/hpet.h>
25048 - #include <asm/unistd.h>
25049 - #include <asm/io.h>
25050 -+#include <asm/fixmap.h>
25051 - #include "vextern.h"
25052 -
25053 - #define gtod vdso_vsyscall_gtod_data
25054 -
25055 -+notrace noinline long __vdso_fallback_time(long *t)
25056 -+{
25057 -+ long secs;
25058 -+ asm volatile("syscall"
25059 -+ : "=a" (secs)
25060 -+ : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
25061 -+ return secs;
25062 -+}
25063 -+
25064 - notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
25065 - {
25066 - long ret;
25067 - asm("syscall" : "=a" (ret) :
25068 -- "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
25069 -+ "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
25070 - return ret;
25071 - }
25072 -
25073 -+notrace static inline cycle_t __vdso_vread_hpet(void)
25074 -+{
25075 -+ return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
25076 -+}
25077 -+
25078 -+notrace static inline cycle_t __vdso_vread_tsc(void)
25079 -+{
25080 -+ cycle_t ret = (cycle_t)vget_cycles();
25081 -+
25082 -+ return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
25083 -+}
25084 -+
25085 - notrace static inline long vgetns(void)
25086 - {
25087 - long v;
25088 -- cycles_t (*vread)(void);
25089 -- vread = gtod->clock.vread;
25090 -- v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
25091 -+ if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
25092 -+ v = __vdso_vread_tsc();
25093 -+ else
25094 -+ v = __vdso_vread_hpet();
25095 -+ v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
25096 - return (v * gtod->clock.mult) >> gtod->clock.shift;
25097 - }
25098 -
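Review bot: vgetns() now falls into `__vdso_vread_hpet()` for every clock whose name is not exactly "tsc", so it is only correct when the caller has already checked for "hpet" or "tsc". State that precondition in a comment or make the else branch test for "hpet" explicitly. The character-by-character name test is written out again in __vdso_clock_gettime() and __vdso_gettimeofday(), and two small inline helpers would stop the three copies getting out of step. The `0xf0` offset in __vdso_vread_hpet() would read better as a named constant.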
25099 -@@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
25100 -
25101 - notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
25102 - {
25103 -- if (likely(gtod->sysctl_enabled))
25104 -+ if (likely(gtod->sysctl_enabled &&
25105 -+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25106 -+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25107 - switch (clock) {
25108 - case CLOCK_REALTIME:
25109 - if (likely(gtod->clock.vread))
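Review bot: The unchanged `if (likely(gtod->clock.vread))` under `case CLOCK_REALTIME:` still gates on the function pointer that vgetns() no longer calls. Either drop the test or add a comment that vread is kept only as an enable flag, so a reader does not assume an indirect call still happens on this path.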
25110 -@@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
25111 - int clock_gettime(clockid_t, struct timespec *)
25112 - __attribute__((weak, alias("__vdso_clock_gettime")));
25113 -
25114 --notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25115 -+notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
25116 - {
25117 - long ret;
25118 -- if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
25119 -+ asm("syscall" : "=a" (ret) :
25120 -+ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
25121 -+ return ret;
25122 -+}
25123 -+
25124 -+notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25125 -+{
25126 -+ if (likely(gtod->sysctl_enabled &&
25127 -+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25128 -+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25129 -+ {
25130 - if (likely(tv != NULL)) {
25131 - BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
25132 - offsetof(struct timespec, tv_nsec) ||
25133 -@@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
25134 - }
25135 - return 0;
25136 - }
25137 -- asm("syscall" : "=a" (ret) :
25138 -- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
25139 -- return ret;
25140 -+ return __vdso_fallback_gettimeofday(tv, tz);
25141 - }
25142 - int gettimeofday(struct timeval *, struct timezone *)
25143 - __attribute__((weak, alias("__vdso_gettimeofday")));
25144 -diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso.lds.S linux-2.6.32.46/arch/x86/vdso/vdso.lds.S
25145 ---- linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-03-27 14:31:47.000000000 -0400
25146 -+++ linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-06-06 17:35:35.000000000 -0400
25147 -@@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
25148 - #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
25149 - #include "vextern.h"
25150 - #undef VEXTERN
25151 -+
25152 -+#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
25153 -+VEXTERN(fallback_gettimeofday)
25154 -+VEXTERN(fallback_time)
25155 -+VEXTERN(getcpu)
25156 -+#undef VEXTERN
25157 -diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c
25158 ---- linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-03-27 14:31:47.000000000 -0400
25159 -+++ linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-04-23 12:56:10.000000000 -0400
25160 -@@ -25,6 +25,7 @@
25161 - #include <asm/tlbflush.h>
25162 - #include <asm/vdso.h>
25163 - #include <asm/proto.h>
25164 -+#include <asm/mman.h>
25165 -
25166 - enum {
25167 - VDSO_DISABLED = 0,
25168 -@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
25169 - void enable_sep_cpu(void)
25170 - {
25171 - int cpu = get_cpu();
25172 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
25173 -+ struct tss_struct *tss = init_tss + cpu;
25174 -
25175 - if (!boot_cpu_has(X86_FEATURE_SEP)) {
25176 - put_cpu();
25177 -@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
25178 - gate_vma.vm_start = FIXADDR_USER_START;
25179 - gate_vma.vm_end = FIXADDR_USER_END;
25180 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
25181 -- gate_vma.vm_page_prot = __P101;
25182 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
25183 - /*
25184 - * Make sure the vDSO gets into every core dump.
25185 - * Dumping its contents makes post-mortem fully interpretable later
25186 -@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
25187 - if (compat)
25188 - addr = VDSO_HIGH_BASE;
25189 - else {
25190 -- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
25191 -+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
25192 - if (IS_ERR_VALUE(addr)) {
25193 - ret = addr;
25194 - goto up_fail;
25195 - }
25196 - }
25197 -
25198 -- current->mm->context.vdso = (void *)addr;
25199 -+ current->mm->context.vdso = addr;
25200 -
25201 - if (compat_uses_vma || !compat) {
25202 - /*
25203 -@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
25204 - }
25205 -
25206 - current_thread_info()->sysenter_return =
25207 -- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25208 -+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25209 -
25210 - up_fail:
25211 - if (ret)
25212 -- current->mm->context.vdso = NULL;
25213 -+ current->mm->context.vdso = 0;
25214 -
25215 - up_write(&mm->mmap_sem);
25216 -
25217 -@@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
25218 -
25219 - const char *arch_vma_name(struct vm_area_struct *vma)
25220 - {
25221 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
25222 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
25223 - return "[vdso]";
25224 -+
25225 -+#ifdef CONFIG_PAX_SEGMEXEC
25226 -+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
25227 -+ return "[vdso]";
25228 -+#endif
25229 -+
25230 - return NULL;
25231 - }
25232 -
25233 -@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
25234 - struct mm_struct *mm = tsk->mm;
25235 -
25236 - /* Check to see if this task was created in compat vdso mode */
25237 -- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
25238 -+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
25239 - return &gate_vma;
25240 - return NULL;
25241 - }
25242 -diff -urNp linux-2.6.32.46/arch/x86/vdso/vextern.h linux-2.6.32.46/arch/x86/vdso/vextern.h
25243 ---- linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-03-27 14:31:47.000000000 -0400
25244 -+++ linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-04-17 15:56:46.000000000 -0400
25245 -@@ -11,6 +11,5 @@
25246 - put into vextern.h and be referenced as a pointer with vdso prefix.
25247 - The main kernel later fills in the values. */
25248 -
25249 --VEXTERN(jiffies)
25250 - VEXTERN(vgetcpu_mode)
25251 - VEXTERN(vsyscall_gtod_data)
25252 -diff -urNp linux-2.6.32.46/arch/x86/vdso/vma.c linux-2.6.32.46/arch/x86/vdso/vma.c
25253 ---- linux-2.6.32.46/arch/x86/vdso/vma.c 2011-03-27 14:31:47.000000000 -0400
25254 -+++ linux-2.6.32.46/arch/x86/vdso/vma.c 2011-08-23 20:24:19.000000000 -0400
25255 -@@ -17,8 +17,6 @@
25256 - #include "vextern.h" /* Just for VMAGIC. */
25257 - #undef VEXTERN
25258 -
25259 --unsigned int __read_mostly vdso_enabled = 1;
25260 --
25261 - extern char vdso_start[], vdso_end[];
25262 - extern unsigned short vdso_sync_cpuid;
25263 -
25264 -@@ -27,10 +25,8 @@ static unsigned vdso_size;
25265 -
25266 - static inline void *var_ref(void *p, char *name)
25267 - {
25268 -- if (*(void **)p != (void *)VMAGIC) {
25269 -- printk("VDSO: variable %s broken\n", name);
25270 -- vdso_enabled = 0;
25271 -- }
25272 -+ if (*(void **)p != (void *)VMAGIC)
25273 -+ panic("VDSO: variable %s broken\n", name);
25274 - return p;
25275 - }
25276 -
25277 -@@ -57,21 +53,18 @@ static int __init init_vdso_vars(void)
25278 - if (!vbase)
25279 - goto oom;
25280 -
25281 -- if (memcmp(vbase, "\177ELF", 4)) {
25282 -- printk("VDSO: I'm broken; not ELF\n");
25283 -- vdso_enabled = 0;
25284 -- }
25285 -+ if (memcmp(vbase, ELFMAG, SELFMAG))
25286 -+ panic("VDSO: I'm broken; not ELF\n");
25287 -
25288 - #define VEXTERN(x) \
25289 - *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
25290 - #include "vextern.h"
25291 - #undef VEXTERN
25292 -+ vunmap(vbase);
25293 - return 0;
25294 -
25295 - oom:
25296 -- printk("Cannot allocate vdso\n");
25297 -- vdso_enabled = 0;
25298 -- return -ENOMEM;
25299 -+ panic("Cannot allocate vdso\n");
25300 - }
25301 - __initcall(init_vdso_vars);
25302 -
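Review bot: All three failure paths in init_vdso_vars(), like the check in var_ref() in the hunk above, now call panic() where the old code logged a message and set `vdso_enabled = 0`, which turns a degraded boot into a failed boot. That is a policy change and should be stated in a comment or the changelog. The `oom:` label also ends without a return in a function returning int, which is only correct while panic() is known to the compiler as noreturn.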
25303 -@@ -105,9 +98,6 @@ int arch_setup_additional_pages(struct l
25304 - unsigned long addr;
25305 - int ret;
25306 -
25307 -- if (!vdso_enabled)
25308 -- return 0;
25309 --
25310 - down_write(&mm->mmap_sem);
25311 - addr = vdso_addr(mm->start_stack, vdso_size);
25312 - addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
25313 -@@ -116,7 +106,7 @@ int arch_setup_additional_pages(struct l
25314 - goto up_fail;
25315 - }
25316 -
25317 -- current->mm->context.vdso = (void *)addr;
25318 -+ current->mm->context.vdso = addr;
25319 -
25320 - ret = install_special_mapping(mm, addr, vdso_size,
25321 - VM_READ|VM_EXEC|
25322 -@@ -124,7 +114,7 @@ int arch_setup_additional_pages(struct l
25323 - VM_ALWAYSDUMP,
25324 - vdso_pages);
25325 - if (ret) {
25326 -- current->mm->context.vdso = NULL;
25327 -+ current->mm->context.vdso = 0;
25328 - goto up_fail;
25329 - }
25330 -
25331 -@@ -132,10 +122,3 @@ up_fail:
25332 - up_write(&mm->mmap_sem);
25333 - return ret;
25334 - }
25335 --
25336 --static __init int vdso_setup(char *s)
25337 --{
25338 -- vdso_enabled = simple_strtoul(s, NULL, 0);
25339 -- return 0;
25340 --}
25341 --__setup("vdso=", vdso_setup);
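Review bot: Removing vdso_setup() and `__setup("vdso=", vdso_setup)` drops a boot parameter without any accompanying note. With this applied, `vdso=` on the command line no longer has a handler in this file, so the kernel parameter documentation needs a matching update, or the handler should stay and report that the option is no longer honoured.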
25342 -diff -urNp linux-2.6.32.46/arch/x86/xen/enlighten.c linux-2.6.32.46/arch/x86/xen/enlighten.c
25343 ---- linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-03-27 14:31:47.000000000 -0400
25344 -+++ linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-05-22 23:02:03.000000000 -0400
25345 -@@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
25346 -
25347 - struct shared_info xen_dummy_shared_info;
25348 -
25349 --void *xen_initial_gdt;
25350 --
25351 - /*
25352 - * Point at some empty memory to start with. We map the real shared_info
25353 - * page as soon as fixmap is up and running.
25354 -@@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
25355 -
25356 - preempt_disable();
25357 -
25358 -- start = __get_cpu_var(idt_desc).address;
25359 -+ start = (unsigned long)__get_cpu_var(idt_desc).address;
25360 - end = start + __get_cpu_var(idt_desc).size + 1;
25361 -
25362 - xen_mc_flush();
25363 -@@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
25364 - #endif
25365 - };
25366 -
25367 --static void xen_reboot(int reason)
25368 -+static __noreturn void xen_reboot(int reason)
25369 - {
25370 - struct sched_shutdown r = { .reason = reason };
25371 -
25372 -@@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
25373 - BUG();
25374 - }
25375 -
25376 --static void xen_restart(char *msg)
25377 -+static __noreturn void xen_restart(char *msg)
25378 - {
25379 - xen_reboot(SHUTDOWN_reboot);
25380 - }
25381 -
25382 --static void xen_emergency_restart(void)
25383 -+static __noreturn void xen_emergency_restart(void)
25384 - {
25385 - xen_reboot(SHUTDOWN_reboot);
25386 - }
25387 -
25388 --static void xen_machine_halt(void)
25389 -+static __noreturn void xen_machine_halt(void)
25390 - {
25391 - xen_reboot(SHUTDOWN_poweroff);
25392 - }
25393 -@@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
25394 - */
25395 - __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
25396 -
25397 --#ifdef CONFIG_X86_64
25398 - /* Work out if we support NX */
25399 -- check_efer();
25400 -+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
25401 -+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
25402 -+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
25403 -+ unsigned l, h;
25404 -+
25405 -+#ifdef CONFIG_X86_PAE
25406 -+ nx_enabled = 1;
25407 -+#endif
25408 -+ __supported_pte_mask |= _PAGE_NX;
25409 -+ rdmsr(MSR_EFER, l, h);
25410 -+ l |= EFER_NX;
25411 -+ wrmsr(MSR_EFER, l, h);
25412 -+ }
25413 - #endif
25414 -
25415 - xen_setup_features();
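Review bot: The open-coded NX probe that replaces check_efer() in xen_start_kernel() carries no comment explaining why the helper cannot be used here, and `(1U << (X86_FEATURE_NX & 31))` hides which CPUID bit is being tested. Add a short comment on both. The `/* Work out if we support NX */` comment now sits outside the `#if`, so on configurations with neither X86_64 nor X86_PAE it describes code that is not built.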
25416 -@@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
25417 -
25418 - machine_ops = xen_machine_ops;
25419 -
25420 -- /*
25421 -- * The only reliable way to retain the initial address of the
25422 -- * percpu gdt_page is to remember it here, so we can go and
25423 -- * mark it RW later, when the initial percpu area is freed.
25424 -- */
25425 -- xen_initial_gdt = &per_cpu(gdt_page, 0);
25426 --
25427 - xen_smp_init();
25428 -
25429 - pgd = (pgd_t *)xen_start_info->pt_base;
25430 -diff -urNp linux-2.6.32.46/arch/x86/xen/mmu.c linux-2.6.32.46/arch/x86/xen/mmu.c
25431 ---- linux-2.6.32.46/arch/x86/xen/mmu.c 2011-07-13 17:23:04.000000000 -0400
25432 -+++ linux-2.6.32.46/arch/x86/xen/mmu.c 2011-08-24 18:35:52.000000000 -0400
25433 -@@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
25434 - convert_pfn_mfn(init_level4_pgt);
25435 - convert_pfn_mfn(level3_ident_pgt);
25436 - convert_pfn_mfn(level3_kernel_pgt);
25437 -+ convert_pfn_mfn(level3_vmalloc_pgt);
25438 -+ convert_pfn_mfn(level3_vmemmap_pgt);
25439 -
25440 - l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
25441 - l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
25442 -@@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
25443 - set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
25444 - set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
25445 - set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
25446 -+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
25447 -+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
25448 - set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
25449 -+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
25450 - set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
25451 - set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
25452 -
25453 -@@ -1860,6 +1865,7 @@ static __init void xen_post_allocator_in
25454 - pv_mmu_ops.set_pud = xen_set_pud;
25455 - #if PAGETABLE_LEVELS == 4
25456 - pv_mmu_ops.set_pgd = xen_set_pgd;
25457 -+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
25458 - #endif
25459 -
25460 - /* This will work as long as patching hasn't happened yet
25461 -@@ -1946,6 +1952,7 @@ static const struct pv_mmu_ops xen_mmu_o
25462 - .pud_val = PV_CALLEE_SAVE(xen_pud_val),
25463 - .make_pud = PV_CALLEE_SAVE(xen_make_pud),
25464 - .set_pgd = xen_set_pgd_hyper,
25465 -+ .set_pgd_batched = xen_set_pgd_hyper,
25466 -
25467 - .alloc_pud = xen_alloc_pmd_init,
25468 - .release_pud = xen_release_pmd_init,
25469 -diff -urNp linux-2.6.32.46/arch/x86/xen/smp.c linux-2.6.32.46/arch/x86/xen/smp.c
25470 ---- linux-2.6.32.46/arch/x86/xen/smp.c 2011-03-27 14:31:47.000000000 -0400
25471 -+++ linux-2.6.32.46/arch/x86/xen/smp.c 2011-05-11 18:25:15.000000000 -0400
25472 -@@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
25473 - {
25474 - BUG_ON(smp_processor_id() != 0);
25475 - native_smp_prepare_boot_cpu();
25476 --
25477 -- /* We've switched to the "real" per-cpu gdt, so make sure the
25478 -- old memory can be recycled */
25479 -- make_lowmem_page_readwrite(xen_initial_gdt);
25480 --
25481 - xen_setup_vcpu_info_placement();
25482 - }
25483 -
25484 -@@ -231,12 +226,12 @@ cpu_initialize_context(unsigned int cpu,
25485 - gdt = get_cpu_gdt_table(cpu);
25486 -
25487 - ctxt->flags = VGCF_IN_KERNEL;
25488 -- ctxt->user_regs.ds = __USER_DS;
25489 -- ctxt->user_regs.es = __USER_DS;
25490 -+ ctxt->user_regs.ds = __KERNEL_DS;
25491 -+ ctxt->user_regs.es = __KERNEL_DS;
25492 - ctxt->user_regs.ss = __KERNEL_DS;
25493 - #ifdef CONFIG_X86_32
25494 - ctxt->user_regs.fs = __KERNEL_PERCPU;
25495 -- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
25496 -+ savesegment(gs, ctxt->user_regs.gs);
25497 - #else
25498 - ctxt->gs_base_kernel = per_cpu_offset(cpu);
25499 - #endif
25500 -@@ -287,13 +282,12 @@ static int __cpuinit xen_cpu_up(unsigned
25501 - int rc;
25502 -
25503 - per_cpu(current_task, cpu) = idle;
25504 -+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
25505 - #ifdef CONFIG_X86_32
25506 - irq_ctx_init(cpu);
25507 - #else
25508 - clear_tsk_thread_flag(idle, TIF_FORK);
25509 -- per_cpu(kernel_stack, cpu) =
25510 -- (unsigned long)task_stack_page(idle) -
25511 -- KERNEL_STACK_OFFSET + THREAD_SIZE;
25512 -+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
25513 - #endif
25514 - xen_setup_runstate_info(cpu);
25515 - xen_setup_timer(cpu);
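Review bot: `KERNEL_STACK_OFFSET` is replaced by a bare `16` in the kernel_stack computation in xen_cpu_up(). Keep a named constant so this site stays tied to whatever value the native path uses. The added `per_cpu(current_tinfo, cpu) = &idle->tinfo;` depends on a `tinfo` member that none of this file's hunks introduce, so it cannot be checked from here and the dependency should be mentioned.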
25516 -diff -urNp linux-2.6.32.46/arch/x86/xen/xen-asm_32.S linux-2.6.32.46/arch/x86/xen/xen-asm_32.S
25517 ---- linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-03-27 14:31:47.000000000 -0400
25518 -+++ linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-04-22 19:13:13.000000000 -0400
25519 -@@ -83,14 +83,14 @@ ENTRY(xen_iret)
25520 - ESP_OFFSET=4 # bytes pushed onto stack
25521 -
25522 - /*
25523 -- * Store vcpu_info pointer for easy access. Do it this way to
25524 -- * avoid having to reload %fs
25525 -+ * Store vcpu_info pointer for easy access.
25526 - */
25527 - #ifdef CONFIG_SMP
25528 -- GET_THREAD_INFO(%eax)
25529 -- movl TI_cpu(%eax), %eax
25530 -- movl __per_cpu_offset(,%eax,4), %eax
25531 -- mov per_cpu__xen_vcpu(%eax), %eax
25532 -+ push %fs
25533 -+ mov $(__KERNEL_PERCPU), %eax
25534 -+ mov %eax, %fs
25535 -+ mov PER_CPU_VAR(xen_vcpu), %eax
25536 -+ pop %fs
25537 - #else
25538 - movl per_cpu__xen_vcpu, %eax
25539 - #endif
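Review bot: The deleted comment in xen_iret explained that the old sequence existed to avoid reloading %fs, and the replacement now does exactly that with `push %fs` and `pop %fs` while the comment is cut down to "Store vcpu_info pointer for easy access." Say in the comment why the reload is now required, since the reason for the reversal is not recoverable from the code.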
25540 -diff -urNp linux-2.6.32.46/arch/x86/xen/xen-head.S linux-2.6.32.46/arch/x86/xen/xen-head.S
25541 ---- linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-03-27 14:31:47.000000000 -0400
25542 -+++ linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-04-17 15:56:46.000000000 -0400
25543 -@@ -19,6 +19,17 @@ ENTRY(startup_xen)
25544 - #ifdef CONFIG_X86_32
25545 - mov %esi,xen_start_info
25546 - mov $init_thread_union+THREAD_SIZE,%esp
25547 -+#ifdef CONFIG_SMP
25548 -+ movl $cpu_gdt_table,%edi
25549 -+ movl $__per_cpu_load,%eax
25550 -+ movw %ax,__KERNEL_PERCPU + 2(%edi)
25551 -+ rorl $16,%eax
25552 -+ movb %al,__KERNEL_PERCPU + 4(%edi)
25553 -+ movb %ah,__KERNEL_PERCPU + 7(%edi)
25554 -+ movl $__per_cpu_end - 1,%eax
25555 -+ subl $__per_cpu_start,%eax
25556 -+ movw %ax,__KERNEL_PERCPU + 0(%edi)
25557 -+#endif
25558 - #else
25559 - mov %rsi,xen_start_info
25560 - mov $init_thread_union+THREAD_SIZE,%rsp
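Review bot: The CONFIG_SMP block added to startup_xen patches the __KERNEL_PERCPU descriptor byte by byte at offsets `+ 2`, `+ 4`, `+ 7` and `+ 0` with no comment. Note which descriptor fields those are (base 15:0, base 23:16, base 31:24, limit 15:0) and that only the low 16 bits of the limit `__per_cpu_end - 1 - __per_cpu_start` are stored, so the next reader does not have to decode the GDT layout to check it.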
25561 -diff -urNp linux-2.6.32.46/arch/x86/xen/xen-ops.h linux-2.6.32.46/arch/x86/xen/xen-ops.h
25562 ---- linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-03-27 14:31:47.000000000 -0400
25563 -+++ linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-04-17 15:56:46.000000000 -0400
25564 -@@ -10,8 +10,6 @@
25565 - extern const char xen_hypervisor_callback[];
25566 - extern const char xen_failsafe_callback[];
25567 -
25568 --extern void *xen_initial_gdt;
25569 --
25570 - struct trap_info;
25571 - void xen_copy_trap_info(struct trap_info *traps);
25572 -
25573 -diff -urNp linux-2.6.32.46/block/blk-integrity.c linux-2.6.32.46/block/blk-integrity.c
25574 ---- linux-2.6.32.46/block/blk-integrity.c 2011-03-27 14:31:47.000000000 -0400
25575 -+++ linux-2.6.32.46/block/blk-integrity.c 2011-04-17 15:56:46.000000000 -0400
25576 -@@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
25577 - NULL,
25578 - };
25579 -
25580 --static struct sysfs_ops integrity_ops = {
25581 -+static const struct sysfs_ops integrity_ops = {
25582 - .show = &integrity_attr_show,
25583 - .store = &integrity_attr_store,
25584 - };
25585 -diff -urNp linux-2.6.32.46/block/blk-iopoll.c linux-2.6.32.46/block/blk-iopoll.c
25586 ---- linux-2.6.32.46/block/blk-iopoll.c 2011-03-27 14:31:47.000000000 -0400
25587 -+++ linux-2.6.32.46/block/blk-iopoll.c 2011-04-17 15:56:46.000000000 -0400
25588 -@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
25589 - }
25590 - EXPORT_SYMBOL(blk_iopoll_complete);
25591 -
25592 --static void blk_iopoll_softirq(struct softirq_action *h)
25593 -+static void blk_iopoll_softirq(void)
25594 - {
25595 - struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
25596 - int rearm = 0, budget = blk_iopoll_budget;
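Review bot: blk_iopoll_softirq() loses its `struct softirq_action *h` parameter here, which only builds if the softirq handler type is changed to take no arguments elsewhere in the patch. Nothing in this file shows that dependency, so mention it in the changelog. The same applies to blk_done_softirq() in blk-softirq.c.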
25597 -diff -urNp linux-2.6.32.46/block/blk-map.c linux-2.6.32.46/block/blk-map.c
25598 ---- linux-2.6.32.46/block/blk-map.c 2011-03-27 14:31:47.000000000 -0400
25599 -+++ linux-2.6.32.46/block/blk-map.c 2011-04-18 16:57:33.000000000 -0400
25600 -@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
25601 - * direct dma. else, set up kernel bounce buffers
25602 - */
25603 - uaddr = (unsigned long) ubuf;
25604 -- if (blk_rq_aligned(q, ubuf, len) && !map_data)
25605 -+ if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
25606 - bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
25607 - else
25608 - bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
25609 -@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
25610 - for (i = 0; i < iov_count; i++) {
25611 - unsigned long uaddr = (unsigned long)iov[i].iov_base;
25612 -
25613 -+ if (!iov[i].iov_len)
25614 -+ return -EINVAL;
25615 -+
25616 - if (uaddr & queue_dma_alignment(q)) {
25617 - unaligned = 1;
25618 - break;
25619 - }
25620 -- if (!iov[i].iov_len)
25621 -- return -EINVAL;
25622 - }
25623 -
25624 - if (unaligned || (q->dma_pad_mask & len) || map_data)
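Review bot: Moving the `!iov[i].iov_len` test ahead of the alignment test in blk_rq_map_user_iov() covers the entry that triggers `break`, but entries after the first unaligned one are still never checked for zero length because the loop exits there. If every iovec is meant to be validated, set `unaligned = 1` and keep iterating instead of breaking.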
25625 -@@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
25626 - if (!len || !kbuf)
25627 - return -EINVAL;
25628 -
25629 -- do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
25630 -+ do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
25631 - if (do_copy)
25632 - bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
25633 - else
25634 -diff -urNp linux-2.6.32.46/block/blk-softirq.c linux-2.6.32.46/block/blk-softirq.c
25635 ---- linux-2.6.32.46/block/blk-softirq.c 2011-03-27 14:31:47.000000000 -0400
25636 -+++ linux-2.6.32.46/block/blk-softirq.c 2011-04-17 15:56:46.000000000 -0400
25637 -@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
25638 - * Softirq action handler - move entries to local list and loop over them
25639 - * while passing them to the queue registered handler.
25640 - */
25641 --static void blk_done_softirq(struct softirq_action *h)
25642 -+static void blk_done_softirq(void)
25643 - {
25644 - struct list_head *cpu_list, local_list;
25645 -
25646 -diff -urNp linux-2.6.32.46/block/blk-sysfs.c linux-2.6.32.46/block/blk-sysfs.c
25647 ---- linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:01.000000000 -0400
25648 -+++ linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:26.000000000 -0400
25649 -@@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
25650 - kmem_cache_free(blk_requestq_cachep, q);
25651 - }
25652 -
25653 --static struct sysfs_ops queue_sysfs_ops = {
25654 -+static const struct sysfs_ops queue_sysfs_ops = {
25655 - .show = queue_attr_show,
25656 - .store = queue_attr_store,
25657 - };
25658 -diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
25659 ---- linux-2.6.32.46/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
25660 -+++ linux-2.6.32.46/block/bsg.c 2011-10-06 09:37:08.000000000 -0400
25661 -@@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
25662 - struct sg_io_v4 *hdr, struct bsg_device *bd,
25663 - fmode_t has_write_perm)
25664 - {
25665 -+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25666 -+ unsigned char *cmdptr;
25667 -+
25668 - if (hdr->request_len > BLK_MAX_CDB) {
25669 - rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
25670 - if (!rq->cmd)
25671 - return -ENOMEM;
25672 -- }
25673 -+ cmdptr = rq->cmd;
25674 -+ } else
25675 -+ cmdptr = tmpcmd;
25676 -
25677 -- if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
25678 -+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
25679 - hdr->request_len))
25680 - return -EFAULT;
25681 -
25682 -+ if (cmdptr != rq->cmd)
25683 -+ memcpy(rq->cmd, cmdptr, hdr->request_len);
25684 -+
25685 - if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
25686 - if (blk_verify_command(rq->cmd, has_write_perm))
25687 - return -EPERM;
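Review bot: In blk_fill_sgv4_hdr_rq() the else branch copies `hdr->request_len` bytes into `tmpcmd[sizeof(rq->__cmd)]`, which is safe only if BLK_MAX_CDB is no larger than sizeof(rq->__cmd). A BUILD_BUG_ON next to the declaration would pin that down. The bounce through a stack buffer followed by memcpy() also has no comment explaining why the direct copy into `rq->cmd` was dropped.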
25688 -@@ -282,7 +290,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
25689 - rq->next_rq = next_rq;
25690 - next_rq->cmd_type = rq->cmd_type;
25691 -
25692 -- dxferp = (void*)(unsigned long)hdr->din_xferp;
25693 -+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25694 - ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
25695 - hdr->din_xfer_len, GFP_KERNEL);
25696 - if (ret)
25697 -@@ -291,10 +299,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
25698 -
25699 - if (hdr->dout_xfer_len) {
25700 - dxfer_len = hdr->dout_xfer_len;
25701 -- dxferp = (void*)(unsigned long)hdr->dout_xferp;
25702 -+ dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
25703 - } else if (hdr->din_xfer_len) {
25704 - dxfer_len = hdr->din_xfer_len;
25705 -- dxferp = (void*)(unsigned long)hdr->din_xferp;
25706 -+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25707 - } else
25708 - dxfer_len = 0;
25709 -
25710 -@@ -436,7 +444,7 @@ static int blk_complete_sgv4_hdr_rq(stru
25711 - int len = min_t(unsigned int, hdr->max_response_len,
25712 - rq->sense_len);
25713 -
25714 -- ret = copy_to_user((void*)(unsigned long)hdr->response,
25715 -+ ret = copy_to_user((void __user *)(unsigned long)hdr->response,
25716 - rq->sense, len);
25717 - if (!ret)
25718 - hdr->response_len = len;
25719 -diff -urNp linux-2.6.32.46/block/compat_ioctl.c linux-2.6.32.46/block/compat_ioctl.c
25720 ---- linux-2.6.32.46/block/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
25721 -+++ linux-2.6.32.46/block/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
25722 -@@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
25723 - err |= __get_user(f->spec1, &uf->spec1);
25724 - err |= __get_user(f->fmt_gap, &uf->fmt_gap);
25725 - err |= __get_user(name, &uf->name);
25726 -- f->name = compat_ptr(name);
25727 -+ f->name = (void __force_kernel *)compat_ptr(name);
25728 - if (err) {
25729 - err = -EFAULT;
25730 - goto out;
25731 -diff -urNp linux-2.6.32.46/block/elevator.c linux-2.6.32.46/block/elevator.c
25732 ---- linux-2.6.32.46/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
25733 -+++ linux-2.6.32.46/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
25734 -@@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
25735 - return error;
25736 - }
25737 -
25738 --static struct sysfs_ops elv_sysfs_ops = {
25739 -+static const struct sysfs_ops elv_sysfs_ops = {
25740 - .show = elv_attr_show,
25741 - .store = elv_attr_store,
25742 - };
25743 -diff -urNp linux-2.6.32.46/block/scsi_ioctl.c linux-2.6.32.46/block/scsi_ioctl.c
25744 ---- linux-2.6.32.46/block/scsi_ioctl.c 2011-03-27 14:31:47.000000000 -0400
25745 -+++ linux-2.6.32.46/block/scsi_ioctl.c 2011-04-23 13:28:22.000000000 -0400
25746 -@@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
25747 - static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
25748 - struct sg_io_hdr *hdr, fmode_t mode)
25749 - {
25750 -- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
25751 -+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25752 -+ unsigned char *cmdptr;
25753 -+
25754 -+ if (rq->cmd != rq->__cmd)
25755 -+ cmdptr = rq->cmd;
25756 -+ else
25757 -+ cmdptr = tmpcmd;
25758 -+
25759 -+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
25760 - return -EFAULT;
25761 -+
25762 -+ if (cmdptr != rq->cmd)
25763 -+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
25764 -+
25765 - if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
25766 - return -EPERM;
25767 -
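Review bot: blk_fill_sghdr_rq() now copies `hdr->cmd_len` bytes into the stack buffer `tmpcmd`, and nothing in this hunk bounds cmd_len against sizeof(rq->__cmd). If the caller guarantees the bound, say so in a comment here; otherwise add the check before copy_from_user(). The buffer selection also differs from the bsg.c version (`rq->cmd != rq->__cmd` here, `request_len > BLK_MAX_CDB` there), so a shared helper would keep the two in step.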
25768 -@@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
25769 - int err;
25770 - unsigned int in_len, out_len, bytes, opcode, cmdlen;
25771 - char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
25772 -+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25773 -+ unsigned char *cmdptr;
25774 -
25775 - if (!sic)
25776 - return -EINVAL;
25777 -@@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
25778 - */
25779 - err = -EFAULT;
25780 - rq->cmd_len = cmdlen;
25781 -- if (copy_from_user(rq->cmd, sic->data, cmdlen))
25782 -+
25783 -+ if (rq->cmd != rq->__cmd)
25784 -+ cmdptr = rq->cmd;
25785 -+ else
25786 -+ cmdptr = tmpcmd;
25787 -+
25788 -+ if (copy_from_user(cmdptr, sic->data, cmdlen))
25789 - goto error;
25790 -
25791 -+ if (rq->cmd != cmdptr)
25792 -+ memcpy(rq->cmd, cmdptr, cmdlen);
25793 -+
25794 - if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
25795 - goto error;
25796 -
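Review bot: the bounce-buffer copy in sg_scsi_ioctl() writes `cmdlen` bytes into `tmpcmd` with no size check visible in the hunk, and it spells the copy-back test as `rq->cmd != cmdptr` where blk_fill_sghdr_rq() uses `cmdptr != rq->cmd`. The two sites are otherwise identical, so a small shared helper taking the request, the user pointer and the length would keep the bound and the copy-back in one place.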
25797 -diff -urNp linux-2.6.32.46/crypto/cryptd.c linux-2.6.32.46/crypto/cryptd.c
25798 ---- linux-2.6.32.46/crypto/cryptd.c 2011-03-27 14:31:47.000000000 -0400
25799 -+++ linux-2.6.32.46/crypto/cryptd.c 2011-08-23 21:22:32.000000000 -0400
25800 -@@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx {
25801 -
25802 - struct cryptd_blkcipher_request_ctx {
25803 - crypto_completion_t complete;
25804 --};
25805 -+} __no_const;
25806 -
25807 - struct cryptd_hash_ctx {
25808 - struct crypto_shash *child;
25809 -diff -urNp linux-2.6.32.46/crypto/gf128mul.c linux-2.6.32.46/crypto/gf128mul.c
25810 ---- linux-2.6.32.46/crypto/gf128mul.c 2011-03-27 14:31:47.000000000 -0400
25811 -+++ linux-2.6.32.46/crypto/gf128mul.c 2011-07-06 19:53:33.000000000 -0400
25812 -@@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
25813 - for (i = 0; i < 7; ++i)
25814 - gf128mul_x_lle(&p[i + 1], &p[i]);
25815 -
25816 -- memset(r, 0, sizeof(r));
25817 -+ memset(r, 0, sizeof(*r));
25818 - for (i = 0;;) {
25819 - u8 ch = ((u8 *)b)[15 - i];
25820 -
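Review bot: `memset(r, 0, sizeof(r))` in gf128mul_lle() cleared only a pointer's worth of the `be128` result because `r` is a pointer parameter, so `sizeof(*r)` is the correct length. This is a plain correctness fix unrelated to the hardening changes around it (the identical change follows in gf128mul_bbe()), so it is worth splitting out and submitting on its own with a description of the bug.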
25821 -@@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
25822 - for (i = 0; i < 7; ++i)
25823 - gf128mul_x_bbe(&p[i + 1], &p[i]);
25824 -
25825 -- memset(r, 0, sizeof(r));
25826 -+ memset(r, 0, sizeof(*r));
25827 - for (i = 0;;) {
25828 - u8 ch = ((u8 *)b)[i];
25829 -
25830 -diff -urNp linux-2.6.32.46/crypto/serpent.c linux-2.6.32.46/crypto/serpent.c
25831 ---- linux-2.6.32.46/crypto/serpent.c 2011-03-27 14:31:47.000000000 -0400
25832 -+++ linux-2.6.32.46/crypto/serpent.c 2011-08-18 23:59:56.000000000 -0400
25833 -@@ -21,6 +21,7 @@
25834 - #include <asm/byteorder.h>
25835 - #include <linux/crypto.h>
25836 - #include <linux/types.h>
25837 -+#include <linux/sched.h>
25838 -
25839 - /* Key is padded to the maximum of 256 bits before round key generation.
25840 - * Any key length <= 256 bits (32 bytes) is allowed by the algorithm.
25841 -@@ -224,6 +225,8 @@ static int serpent_setkey(struct crypto_
25842 - u32 r0,r1,r2,r3,r4;
25843 - int i;
25844 -
25845 -+ pax_track_stack();
25846 -+
25847 - /* Copy key, add padding */
25848 -
25849 - for (i = 0; i < keylen; ++i)
25850 -diff -urNp linux-2.6.32.46/drivers/acpi/acpi_pad.c linux-2.6.32.46/drivers/acpi/acpi_pad.c
25851 ---- linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-03-27 14:31:47.000000000 -0400
25852 -+++ linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-04-17 15:56:46.000000000 -0400
25853 -@@ -30,7 +30,7 @@
25854 - #include <acpi/acpi_bus.h>
25855 - #include <acpi/acpi_drivers.h>
25856 -
25857 --#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
25858 -+#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
25859 - #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
25860 - #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
25861 - static DEFINE_MUTEX(isolated_cpus_lock);
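Review bot: the change of ACPI_PROCESSOR_AGGREGATOR_CLASS from "processor_aggregator" to "acpi_pad" alters a driver class string with no explanation in the hunk. If the shorter string is needed to fit a fixed-size class-name field, say so in a comment next to the define so the longer name is not reintroduced later. The same applies to the ACPI_SMB_HC_CLASS change in sbshc.c.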
25862 -diff -urNp linux-2.6.32.46/drivers/acpi/battery.c linux-2.6.32.46/drivers/acpi/battery.c
25863 ---- linux-2.6.32.46/drivers/acpi/battery.c 2011-03-27 14:31:47.000000000 -0400
25864 -+++ linux-2.6.32.46/drivers/acpi/battery.c 2011-04-17 15:56:46.000000000 -0400
25865 -@@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
25866 - }
25867 -
25868 - static struct battery_file {
25869 -- struct file_operations ops;
25870 -+ const struct file_operations ops;
25871 - mode_t mode;
25872 - const char *name;
25873 - } acpi_battery_file[] = {
25874 -diff -urNp linux-2.6.32.46/drivers/acpi/dock.c linux-2.6.32.46/drivers/acpi/dock.c
25875 ---- linux-2.6.32.46/drivers/acpi/dock.c 2011-03-27 14:31:47.000000000 -0400
25876 -+++ linux-2.6.32.46/drivers/acpi/dock.c 2011-04-17 15:56:46.000000000 -0400
25877 -@@ -77,7 +77,7 @@ struct dock_dependent_device {
25878 - struct list_head list;
25879 - struct list_head hotplug_list;
25880 - acpi_handle handle;
25881 -- struct acpi_dock_ops *ops;
25882 -+ const struct acpi_dock_ops *ops;
25883 - void *context;
25884 - };
25885 -
25886 -@@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
25887 - * the dock driver after _DCK is executed.
25888 - */
25889 - int
25890 --register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
25891 -+register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
25892 - void *context)
25893 - {
25894 - struct dock_dependent_device *dd;
25895 -diff -urNp linux-2.6.32.46/drivers/acpi/osl.c linux-2.6.32.46/drivers/acpi/osl.c
25896 ---- linux-2.6.32.46/drivers/acpi/osl.c 2011-03-27 14:31:47.000000000 -0400
25897 -+++ linux-2.6.32.46/drivers/acpi/osl.c 2011-04-17 15:56:46.000000000 -0400
25898 -@@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
25899 - void __iomem *virt_addr;
25900 -
25901 - virt_addr = ioremap(phys_addr, width);
25902 -+ if (!virt_addr)
25903 -+ return AE_NO_MEMORY;
25904 - if (!value)
25905 - value = &dummy;
25906 -
25907 -@@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
25908 - void __iomem *virt_addr;
25909 -
25910 - virt_addr = ioremap(phys_addr, width);
25911 -+ if (!virt_addr)
25912 -+ return AE_NO_MEMORY;
25913 -
25914 - switch (width) {
25915 - case 8:
25916 -diff -urNp linux-2.6.32.46/drivers/acpi/power_meter.c linux-2.6.32.46/drivers/acpi/power_meter.c
25917 ---- linux-2.6.32.46/drivers/acpi/power_meter.c 2011-03-27 14:31:47.000000000 -0400
25918 -+++ linux-2.6.32.46/drivers/acpi/power_meter.c 2011-04-17 15:56:46.000000000 -0400
25919 -@@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
25920 - return res;
25921 -
25922 - temp /= 1000;
25923 -- if (temp < 0)
25924 -- return -EINVAL;
25925 -
25926 - mutex_lock(&resource->lock);
25927 - resource->trip[attr->index - 7] = temp;
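Review bot: dropping `if (temp < 0) return -EINVAL;` in set_trip() is only correct if `temp` is an unsigned type, which the hunk does not show. If it is signed, a negative value now reaches `resource->trip[attr->index - 7] = temp;` unchecked. Either keep the check or state the type of `temp` in the change description.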
25928 -diff -urNp linux-2.6.32.46/drivers/acpi/proc.c linux-2.6.32.46/drivers/acpi/proc.c
25929 ---- linux-2.6.32.46/drivers/acpi/proc.c 2011-03-27 14:31:47.000000000 -0400
25930 -+++ linux-2.6.32.46/drivers/acpi/proc.c 2011-04-17 15:56:46.000000000 -0400
25931 -@@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
25932 - size_t count, loff_t * ppos)
25933 - {
25934 - struct list_head *node, *next;
25935 -- char strbuf[5];
25936 -- char str[5] = "";
25937 -- unsigned int len = count;
25938 -+ char strbuf[5] = {0};
25939 - struct acpi_device *found_dev = NULL;
25940 -
25941 -- if (len > 4)
25942 -- len = 4;
25943 -- if (len < 0)
25944 -- return -EFAULT;
25945 -+ if (count > 4)
25946 -+ count = 4;
25947 -
25948 -- if (copy_from_user(strbuf, buffer, len))
25949 -+ if (copy_from_user(strbuf, buffer, count))
25950 - return -EFAULT;
25951 -- strbuf[len] = '\0';
25952 -- sscanf(strbuf, "%s", str);
25953 -+ strbuf[count] = '\0';
25954 -
25955 - mutex_lock(&acpi_device_lock);
25956 - list_for_each_safe(node, next, &acpi_wakeup_device_list) {
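Review bot: removing `sscanf(strbuf, "%s", str)` in acpi_system_write_wakeup_device() also removes the whitespace trimming it performed, so the later `strncmp(dev->pnp.bus_id, strbuf, 4)` compares the raw user bytes. A write of a name shorter than four characters followed by a newline will no longer match a device. Strip trailing whitespace from `strbuf` after the NUL termination, or document that the behaviour change is intended.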
25957 -@@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
25958 - if (!dev->wakeup.flags.valid)
25959 - continue;
25960 -
25961 -- if (!strncmp(dev->pnp.bus_id, str, 4)) {
25962 -+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
25963 - dev->wakeup.state.enabled =
25964 - dev->wakeup.state.enabled ? 0 : 1;
25965 - found_dev = dev;
25966 -diff -urNp linux-2.6.32.46/drivers/acpi/processor_core.c linux-2.6.32.46/drivers/acpi/processor_core.c
25967 ---- linux-2.6.32.46/drivers/acpi/processor_core.c 2011-03-27 14:31:47.000000000 -0400
25968 -+++ linux-2.6.32.46/drivers/acpi/processor_core.c 2011-04-17 15:56:46.000000000 -0400
25969 -@@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
25970 - return 0;
25971 - }
25972 -
25973 -- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
25974 -+ BUG_ON(pr->id >= nr_cpu_ids);
25975 -
25976 - /*
25977 - * Buggy BIOS check
25978 -diff -urNp linux-2.6.32.46/drivers/acpi/sbshc.c linux-2.6.32.46/drivers/acpi/sbshc.c
25979 ---- linux-2.6.32.46/drivers/acpi/sbshc.c 2011-03-27 14:31:47.000000000 -0400
25980 -+++ linux-2.6.32.46/drivers/acpi/sbshc.c 2011-04-17 15:56:46.000000000 -0400
25981 -@@ -17,7 +17,7 @@
25982 -
25983 - #define PREFIX "ACPI: "
25984 -
25985 --#define ACPI_SMB_HC_CLASS "smbus_host_controller"
25986 -+#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
25987 - #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
25988 -
25989 - struct acpi_smb_hc {
25990 -diff -urNp linux-2.6.32.46/drivers/acpi/sleep.c linux-2.6.32.46/drivers/acpi/sleep.c
25991 ---- linux-2.6.32.46/drivers/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
25992 -+++ linux-2.6.32.46/drivers/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
25993 -@@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
25994 - }
25995 - }
25996 -
25997 --static struct platform_suspend_ops acpi_suspend_ops = {
25998 -+static const struct platform_suspend_ops acpi_suspend_ops = {
25999 - .valid = acpi_suspend_state_valid,
26000 - .begin = acpi_suspend_begin,
26001 - .prepare_late = acpi_pm_prepare,
26002 -@@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
26003 - * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26004 - * been requested.
26005 - */
26006 --static struct platform_suspend_ops acpi_suspend_ops_old = {
26007 -+static const struct platform_suspend_ops acpi_suspend_ops_old = {
26008 - .valid = acpi_suspend_state_valid,
26009 - .begin = acpi_suspend_begin_old,
26010 - .prepare_late = acpi_pm_disable_gpes,
26011 -@@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
26012 - acpi_enable_all_runtime_gpes();
26013 - }
26014 -
26015 --static struct platform_hibernation_ops acpi_hibernation_ops = {
26016 -+static const struct platform_hibernation_ops acpi_hibernation_ops = {
26017 - .begin = acpi_hibernation_begin,
26018 - .end = acpi_pm_end,
26019 - .pre_snapshot = acpi_hibernation_pre_snapshot,
26020 -@@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
26021 - * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26022 - * been requested.
26023 - */
26024 --static struct platform_hibernation_ops acpi_hibernation_ops_old = {
26025 -+static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
26026 - .begin = acpi_hibernation_begin_old,
26027 - .end = acpi_pm_end,
26028 - .pre_snapshot = acpi_hibernation_pre_snapshot_old,
26029 -diff -urNp linux-2.6.32.46/drivers/acpi/video.c linux-2.6.32.46/drivers/acpi/video.c
26030 ---- linux-2.6.32.46/drivers/acpi/video.c 2011-03-27 14:31:47.000000000 -0400
26031 -+++ linux-2.6.32.46/drivers/acpi/video.c 2011-04-17 15:56:46.000000000 -0400
26032 -@@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
26033 - vd->brightness->levels[request_level]);
26034 - }
26035 -
26036 --static struct backlight_ops acpi_backlight_ops = {
26037 -+static const struct backlight_ops acpi_backlight_ops = {
26038 - .get_brightness = acpi_video_get_brightness,
26039 - .update_status = acpi_video_set_brightness,
26040 - };
26041 -diff -urNp linux-2.6.32.46/drivers/ata/ahci.c linux-2.6.32.46/drivers/ata/ahci.c
26042 ---- linux-2.6.32.46/drivers/ata/ahci.c 2011-03-27 14:31:47.000000000 -0400
26043 -+++ linux-2.6.32.46/drivers/ata/ahci.c 2011-04-23 12:56:10.000000000 -0400
26044 -@@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
26045 - .sdev_attrs = ahci_sdev_attrs,
26046 - };
26047 -
26048 --static struct ata_port_operations ahci_ops = {
26049 -+static const struct ata_port_operations ahci_ops = {
26050 - .inherits = &sata_pmp_port_ops,
26051 -
26052 - .qc_defer = sata_pmp_qc_defer_cmd_switch,
26053 -@@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
26054 - .port_stop = ahci_port_stop,
26055 - };
26056 -
26057 --static struct ata_port_operations ahci_vt8251_ops = {
26058 -+static const struct ata_port_operations ahci_vt8251_ops = {
26059 - .inherits = &ahci_ops,
26060 - .hardreset = ahci_vt8251_hardreset,
26061 - };
26062 -
26063 --static struct ata_port_operations ahci_p5wdh_ops = {
26064 -+static const struct ata_port_operations ahci_p5wdh_ops = {
26065 - .inherits = &ahci_ops,
26066 - .hardreset = ahci_p5wdh_hardreset,
26067 - };
26068 -
26069 --static struct ata_port_operations ahci_sb600_ops = {
26070 -+static const struct ata_port_operations ahci_sb600_ops = {
26071 - .inherits = &ahci_ops,
26072 - .softreset = ahci_sb600_softreset,
26073 - .pmp_softreset = ahci_sb600_softreset,
26074 -diff -urNp linux-2.6.32.46/drivers/ata/ata_generic.c linux-2.6.32.46/drivers/ata/ata_generic.c
26075 ---- linux-2.6.32.46/drivers/ata/ata_generic.c 2011-03-27 14:31:47.000000000 -0400
26076 -+++ linux-2.6.32.46/drivers/ata/ata_generic.c 2011-04-17 15:56:46.000000000 -0400
26077 -@@ -104,7 +104,7 @@ static struct scsi_host_template generic
26078 - ATA_BMDMA_SHT(DRV_NAME),
26079 - };
26080 -
26081 --static struct ata_port_operations generic_port_ops = {
26082 -+static const struct ata_port_operations generic_port_ops = {
26083 - .inherits = &ata_bmdma_port_ops,
26084 - .cable_detect = ata_cable_unknown,
26085 - .set_mode = generic_set_mode,
26086 -diff -urNp linux-2.6.32.46/drivers/ata/ata_piix.c linux-2.6.32.46/drivers/ata/ata_piix.c
26087 ---- linux-2.6.32.46/drivers/ata/ata_piix.c 2011-03-27 14:31:47.000000000 -0400
26088 -+++ linux-2.6.32.46/drivers/ata/ata_piix.c 2011-04-23 12:56:10.000000000 -0400
26089 -@@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
26090 - ATA_BMDMA_SHT(DRV_NAME),
26091 - };
26092 -
26093 --static struct ata_port_operations piix_pata_ops = {
26094 -+static const struct ata_port_operations piix_pata_ops = {
26095 - .inherits = &ata_bmdma32_port_ops,
26096 - .cable_detect = ata_cable_40wire,
26097 - .set_piomode = piix_set_piomode,
26098 -@@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
26099 - .prereset = piix_pata_prereset,
26100 - };
26101 -
26102 --static struct ata_port_operations piix_vmw_ops = {
26103 -+static const struct ata_port_operations piix_vmw_ops = {
26104 - .inherits = &piix_pata_ops,
26105 - .bmdma_status = piix_vmw_bmdma_status,
26106 - };
26107 -
26108 --static struct ata_port_operations ich_pata_ops = {
26109 -+static const struct ata_port_operations ich_pata_ops = {
26110 - .inherits = &piix_pata_ops,
26111 - .cable_detect = ich_pata_cable_detect,
26112 - .set_dmamode = ich_set_dmamode,
26113 - };
26114 -
26115 --static struct ata_port_operations piix_sata_ops = {
26116 -+static const struct ata_port_operations piix_sata_ops = {
26117 - .inherits = &ata_bmdma_port_ops,
26118 - };
26119 -
26120 --static struct ata_port_operations piix_sidpr_sata_ops = {
26121 -+static const struct ata_port_operations piix_sidpr_sata_ops = {
26122 - .inherits = &piix_sata_ops,
26123 - .hardreset = sata_std_hardreset,
26124 - .scr_read = piix_sidpr_scr_read,
26125 -diff -urNp linux-2.6.32.46/drivers/ata/libata-acpi.c linux-2.6.32.46/drivers/ata/libata-acpi.c
26126 ---- linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-03-27 14:31:47.000000000 -0400
26127 -+++ linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-04-17 15:56:46.000000000 -0400
26128 -@@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
26129 - ata_acpi_uevent(dev->link->ap, dev, event);
26130 - }
26131 -
26132 --static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26133 -+static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26134 - .handler = ata_acpi_dev_notify_dock,
26135 - .uevent = ata_acpi_dev_uevent,
26136 - };
26137 -
26138 --static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26139 -+static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26140 - .handler = ata_acpi_ap_notify_dock,
26141 - .uevent = ata_acpi_ap_uevent,
26142 - };
26143 -diff -urNp linux-2.6.32.46/drivers/ata/libata-core.c linux-2.6.32.46/drivers/ata/libata-core.c
26144 ---- linux-2.6.32.46/drivers/ata/libata-core.c 2011-03-27 14:31:47.000000000 -0400
26145 -+++ linux-2.6.32.46/drivers/ata/libata-core.c 2011-08-05 20:33:55.000000000 -0400
26146 -@@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
26147 - struct ata_port *ap;
26148 - unsigned int tag;
26149 -
26150 -- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26151 -+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26152 - ap = qc->ap;
26153 -
26154 - qc->flags = 0;
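Review bot: replacing `WARN_ON_ONCE(qc == NULL)` with `BUG_ON(qc == NULL)` in ata_qc_free() turns a condition the retained comment says "_might_" occur into a guaranteed halt. Since `ap = qc->ap` on the next line dereferences the pointer anyway, warning and returning early on NULL would handle the case without stopping the system. If the hard stop is deliberate, update the comment to say why; the same applies to the identical change in __ata_qc_complete().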
26155 -@@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
26156 - struct ata_port *ap;
26157 - struct ata_link *link;
26158 -
26159 -- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26160 -+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26161 - WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
26162 - ap = qc->ap;
26163 - link = qc->dev->link;
26164 -@@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
26165 - * LOCKING:
26166 - * None.
26167 - */
26168 --static void ata_finalize_port_ops(struct ata_port_operations *ops)
26169 -+static void ata_finalize_port_ops(const struct ata_port_operations *ops)
26170 - {
26171 - static DEFINE_SPINLOCK(lock);
26172 - const struct ata_port_operations *cur;
26173 -@@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
26174 - return;
26175 -
26176 - spin_lock(&lock);
26177 -+ pax_open_kernel();
26178 -
26179 - for (cur = ops->inherits; cur; cur = cur->inherits) {
26180 - void **inherit = (void **)cur;
26181 -@@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
26182 - if (IS_ERR(*pp))
26183 - *pp = NULL;
26184 -
26185 -- ops->inherits = NULL;
26186 -+ *(struct ata_port_operations **)&ops->inherits = NULL;
26187 -
26188 -+ pax_close_kernel();
26189 - spin_unlock(&lock);
26190 - }
26191 -
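Review bot: ata_finalize_port_ops() now takes `const struct ata_port_operations *ops` but still writes through it, via `*pp = NULL` and the cast in `*(struct ata_port_operations **)&ops->inherits = NULL;`. The cast hides the store from the compiler, so add a comment that this function is the intended writer of the otherwise const ops tables and that every store must stay between pax_open_kernel() and pax_close_kernel(), with no return path added inside that window.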
26192 -@@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
26193 - */
26194 - /* KILLME - the only user left is ipr */
26195 - void ata_host_init(struct ata_host *host, struct device *dev,
26196 -- unsigned long flags, struct ata_port_operations *ops)
26197 -+ unsigned long flags, const struct ata_port_operations *ops)
26198 - {
26199 - spin_lock_init(&host->lock);
26200 - host->dev = dev;
26201 -@@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
26202 - /* truly dummy */
26203 - }
26204 -
26205 --struct ata_port_operations ata_dummy_port_ops = {
26206 -+const struct ata_port_operations ata_dummy_port_ops = {
26207 - .qc_prep = ata_noop_qc_prep,
26208 - .qc_issue = ata_dummy_qc_issue,
26209 - .error_handler = ata_dummy_error_handler,
26210 -diff -urNp linux-2.6.32.46/drivers/ata/libata-eh.c linux-2.6.32.46/drivers/ata/libata-eh.c
26211 ---- linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:35:28.000000000 -0400
26212 -+++ linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:33:59.000000000 -0400
26213 -@@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
26214 - {
26215 - struct ata_link *link;
26216 -
26217 -+ pax_track_stack();
26218 -+
26219 - ata_for_each_link(link, ap, HOST_FIRST)
26220 - ata_eh_link_report(link);
26221 - }
26222 -@@ -3594,7 +3596,7 @@ void ata_do_eh(struct ata_port *ap, ata_
26223 - */
26224 - void ata_std_error_handler(struct ata_port *ap)
26225 - {
26226 -- struct ata_port_operations *ops = ap->ops;
26227 -+ const struct ata_port_operations *ops = ap->ops;
26228 - ata_reset_fn_t hardreset = ops->hardreset;
26229 -
26230 - /* ignore built-in hardreset if SCR access is not available */
26231 -diff -urNp linux-2.6.32.46/drivers/ata/libata-pmp.c linux-2.6.32.46/drivers/ata/libata-pmp.c
26232 ---- linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-03-27 14:31:47.000000000 -0400
26233 -+++ linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-04-17 15:56:46.000000000 -0400
26234 -@@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
26235 - */
26236 - static int sata_pmp_eh_recover(struct ata_port *ap)
26237 - {
26238 -- struct ata_port_operations *ops = ap->ops;
26239 -+ const struct ata_port_operations *ops = ap->ops;
26240 - int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
26241 - struct ata_link *pmp_link = &ap->link;
26242 - struct ata_device *pmp_dev = pmp_link->device;
26243 -diff -urNp linux-2.6.32.46/drivers/ata/pata_acpi.c linux-2.6.32.46/drivers/ata/pata_acpi.c
26244 ---- linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-03-27 14:31:47.000000000 -0400
26245 -+++ linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-04-17 15:56:46.000000000 -0400
26246 -@@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
26247 - ATA_BMDMA_SHT(DRV_NAME),
26248 - };
26249 -
26250 --static struct ata_port_operations pacpi_ops = {
26251 -+static const struct ata_port_operations pacpi_ops = {
26252 - .inherits = &ata_bmdma_port_ops,
26253 - .qc_issue = pacpi_qc_issue,
26254 - .cable_detect = pacpi_cable_detect,
26255 -diff -urNp linux-2.6.32.46/drivers/ata/pata_ali.c linux-2.6.32.46/drivers/ata/pata_ali.c
26256 ---- linux-2.6.32.46/drivers/ata/pata_ali.c 2011-03-27 14:31:47.000000000 -0400
26257 -+++ linux-2.6.32.46/drivers/ata/pata_ali.c 2011-04-17 15:56:46.000000000 -0400
26258 -@@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
26259 - * Port operations for PIO only ALi
26260 - */
26261 -
26262 --static struct ata_port_operations ali_early_port_ops = {
26263 -+static const struct ata_port_operations ali_early_port_ops = {
26264 - .inherits = &ata_sff_port_ops,
26265 - .cable_detect = ata_cable_40wire,
26266 - .set_piomode = ali_set_piomode,
26267 -@@ -382,7 +382,7 @@ static const struct ata_port_operations
26268 - * Port operations for DMA capable ALi without cable
26269 - * detect
26270 - */
26271 --static struct ata_port_operations ali_20_port_ops = {
26272 -+static const struct ata_port_operations ali_20_port_ops = {
26273 - .inherits = &ali_dma_base_ops,
26274 - .cable_detect = ata_cable_40wire,
26275 - .mode_filter = ali_20_filter,
26276 -@@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
26277 - /*
26278 - * Port operations for DMA capable ALi with cable detect
26279 - */
26280 --static struct ata_port_operations ali_c2_port_ops = {
26281 -+static const struct ata_port_operations ali_c2_port_ops = {
26282 - .inherits = &ali_dma_base_ops,
26283 - .check_atapi_dma = ali_check_atapi_dma,
26284 - .cable_detect = ali_c2_cable_detect,
26285 -@@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
26286 - /*
26287 - * Port operations for DMA capable ALi with cable detect
26288 - */
26289 --static struct ata_port_operations ali_c4_port_ops = {
26290 -+static const struct ata_port_operations ali_c4_port_ops = {
26291 - .inherits = &ali_dma_base_ops,
26292 - .check_atapi_dma = ali_check_atapi_dma,
26293 - .cable_detect = ali_c2_cable_detect,
26294 -@@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
26295 - /*
26296 - * Port operations for DMA capable ALi with cable detect and LBA48
26297 - */
26298 --static struct ata_port_operations ali_c5_port_ops = {
26299 -+static const struct ata_port_operations ali_c5_port_ops = {
26300 - .inherits = &ali_dma_base_ops,
26301 - .check_atapi_dma = ali_check_atapi_dma,
26302 - .dev_config = ali_warn_atapi_dma,
26303 -diff -urNp linux-2.6.32.46/drivers/ata/pata_amd.c linux-2.6.32.46/drivers/ata/pata_amd.c
26304 ---- linux-2.6.32.46/drivers/ata/pata_amd.c 2011-03-27 14:31:47.000000000 -0400
26305 -+++ linux-2.6.32.46/drivers/ata/pata_amd.c 2011-04-17 15:56:46.000000000 -0400
26306 -@@ -397,28 +397,28 @@ static const struct ata_port_operations
26307 - .prereset = amd_pre_reset,
26308 - };
26309 -
26310 --static struct ata_port_operations amd33_port_ops = {
26311 -+static const struct ata_port_operations amd33_port_ops = {
26312 - .inherits = &amd_base_port_ops,
26313 - .cable_detect = ata_cable_40wire,
26314 - .set_piomode = amd33_set_piomode,
26315 - .set_dmamode = amd33_set_dmamode,
26316 - };
26317 -
26318 --static struct ata_port_operations amd66_port_ops = {
26319 -+static const struct ata_port_operations amd66_port_ops = {
26320 - .inherits = &amd_base_port_ops,
26321 - .cable_detect = ata_cable_unknown,
26322 - .set_piomode = amd66_set_piomode,
26323 - .set_dmamode = amd66_set_dmamode,
26324 - };
26325 -
26326 --static struct ata_port_operations amd100_port_ops = {
26327 -+static const struct ata_port_operations amd100_port_ops = {
26328 - .inherits = &amd_base_port_ops,
26329 - .cable_detect = ata_cable_unknown,
26330 - .set_piomode = amd100_set_piomode,
26331 - .set_dmamode = amd100_set_dmamode,
26332 - };
26333 -
26334 --static struct ata_port_operations amd133_port_ops = {
26335 -+static const struct ata_port_operations amd133_port_ops = {
26336 - .inherits = &amd_base_port_ops,
26337 - .cable_detect = amd_cable_detect,
26338 - .set_piomode = amd133_set_piomode,
26339 -@@ -433,13 +433,13 @@ static const struct ata_port_operations
26340 - .host_stop = nv_host_stop,
26341 - };
26342 -
26343 --static struct ata_port_operations nv100_port_ops = {
26344 -+static const struct ata_port_operations nv100_port_ops = {
26345 - .inherits = &nv_base_port_ops,
26346 - .set_piomode = nv100_set_piomode,
26347 - .set_dmamode = nv100_set_dmamode,
26348 - };
26349 -
26350 --static struct ata_port_operations nv133_port_ops = {
26351 -+static const struct ata_port_operations nv133_port_ops = {
26352 - .inherits = &nv_base_port_ops,
26353 - .set_piomode = nv133_set_piomode,
26354 - .set_dmamode = nv133_set_dmamode,
26355 -diff -urNp linux-2.6.32.46/drivers/ata/pata_artop.c linux-2.6.32.46/drivers/ata/pata_artop.c
26356 ---- linux-2.6.32.46/drivers/ata/pata_artop.c 2011-03-27 14:31:47.000000000 -0400
26357 -+++ linux-2.6.32.46/drivers/ata/pata_artop.c 2011-04-17 15:56:46.000000000 -0400
26358 -@@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
26359 - ATA_BMDMA_SHT(DRV_NAME),
26360 - };
26361 -
26362 --static struct ata_port_operations artop6210_ops = {
26363 -+static const struct ata_port_operations artop6210_ops = {
26364 - .inherits = &ata_bmdma_port_ops,
26365 - .cable_detect = ata_cable_40wire,
26366 - .set_piomode = artop6210_set_piomode,
26367 -@@ -320,7 +320,7 @@ static struct ata_port_operations artop6
26368 - .qc_defer = artop6210_qc_defer,
26369 - };
26370 -
26371 --static struct ata_port_operations artop6260_ops = {
26372 -+static const struct ata_port_operations artop6260_ops = {
26373 - .inherits = &ata_bmdma_port_ops,
26374 - .cable_detect = artop6260_cable_detect,
26375 - .set_piomode = artop6260_set_piomode,
26376 -diff -urNp linux-2.6.32.46/drivers/ata/pata_at32.c linux-2.6.32.46/drivers/ata/pata_at32.c
26377 ---- linux-2.6.32.46/drivers/ata/pata_at32.c 2011-03-27 14:31:47.000000000 -0400
26378 -+++ linux-2.6.32.46/drivers/ata/pata_at32.c 2011-04-17 15:56:46.000000000 -0400
26379 -@@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
26380 - ATA_PIO_SHT(DRV_NAME),
26381 - };
26382 -
26383 --static struct ata_port_operations at32_port_ops = {
26384 -+static const struct ata_port_operations at32_port_ops = {
26385 - .inherits = &ata_sff_port_ops,
26386 - .cable_detect = ata_cable_40wire,
26387 - .set_piomode = pata_at32_set_piomode,
26388 -diff -urNp linux-2.6.32.46/drivers/ata/pata_at91.c linux-2.6.32.46/drivers/ata/pata_at91.c
26389 ---- linux-2.6.32.46/drivers/ata/pata_at91.c 2011-03-27 14:31:47.000000000 -0400
26390 -+++ linux-2.6.32.46/drivers/ata/pata_at91.c 2011-04-17 15:56:46.000000000 -0400
26391 -@@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
26392 - ATA_PIO_SHT(DRV_NAME),
26393 - };
26394 -
26395 --static struct ata_port_operations pata_at91_port_ops = {
26396 -+static const struct ata_port_operations pata_at91_port_ops = {
26397 - .inherits = &ata_sff_port_ops,
26398 -
26399 - .sff_data_xfer = pata_at91_data_xfer_noirq,
26400 -diff -urNp linux-2.6.32.46/drivers/ata/pata_atiixp.c linux-2.6.32.46/drivers/ata/pata_atiixp.c
26401 ---- linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-03-27 14:31:47.000000000 -0400
26402 -+++ linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-04-17 15:56:46.000000000 -0400
26403 -@@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
26404 - .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26405 - };
26406 -
26407 --static struct ata_port_operations atiixp_port_ops = {
26408 -+static const struct ata_port_operations atiixp_port_ops = {
26409 - .inherits = &ata_bmdma_port_ops,
26410 -
26411 - .qc_prep = ata_sff_dumb_qc_prep,
26412 -diff -urNp linux-2.6.32.46/drivers/ata/pata_atp867x.c linux-2.6.32.46/drivers/ata/pata_atp867x.c
26413 ---- linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-03-27 14:31:47.000000000 -0400
26414 -+++ linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-04-17 15:56:46.000000000 -0400
26415 -@@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
26416 - ATA_BMDMA_SHT(DRV_NAME),
26417 - };
26418 -
26419 --static struct ata_port_operations atp867x_ops = {
26420 -+static const struct ata_port_operations atp867x_ops = {
26421 - .inherits = &ata_bmdma_port_ops,
26422 - .cable_detect = atp867x_cable_detect,
26423 - .set_piomode = atp867x_set_piomode,
26424 -diff -urNp linux-2.6.32.46/drivers/ata/pata_bf54x.c linux-2.6.32.46/drivers/ata/pata_bf54x.c
26425 ---- linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-03-27 14:31:47.000000000 -0400
26426 -+++ linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-04-17 15:56:46.000000000 -0400
26427 -@@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
26428 - .dma_boundary = ATA_DMA_BOUNDARY,
26429 - };
26430 -
26431 --static struct ata_port_operations bfin_pata_ops = {
26432 -+static const struct ata_port_operations bfin_pata_ops = {
26433 - .inherits = &ata_sff_port_ops,
26434 -
26435 - .set_piomode = bfin_set_piomode,
26436 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd640.c linux-2.6.32.46/drivers/ata/pata_cmd640.c
26437 ---- linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-03-27 14:31:47.000000000 -0400
26438 -+++ linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-04-17 15:56:46.000000000 -0400
26439 -@@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
26440 - ATA_BMDMA_SHT(DRV_NAME),
26441 - };
26442 -
26443 --static struct ata_port_operations cmd640_port_ops = {
26444 -+static const struct ata_port_operations cmd640_port_ops = {
26445 - .inherits = &ata_bmdma_port_ops,
26446 - /* In theory xfer_noirq is not needed once we kill the prefetcher */
26447 - .sff_data_xfer = ata_sff_data_xfer_noirq,
26448 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd64x.c linux-2.6.32.46/drivers/ata/pata_cmd64x.c
26449 ---- linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:55:34.000000000 -0400
26450 -+++ linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:56:37.000000000 -0400
26451 -@@ -271,18 +271,18 @@ static const struct ata_port_operations
26452 - .set_dmamode = cmd64x_set_dmamode,
26453 - };
26454 -
26455 --static struct ata_port_operations cmd64x_port_ops = {
26456 -+static const struct ata_port_operations cmd64x_port_ops = {
26457 - .inherits = &cmd64x_base_ops,
26458 - .cable_detect = ata_cable_40wire,
26459 - };
26460 -
26461 --static struct ata_port_operations cmd646r1_port_ops = {
26462 -+static const struct ata_port_operations cmd646r1_port_ops = {
26463 - .inherits = &cmd64x_base_ops,
26464 - .bmdma_stop = cmd646r1_bmdma_stop,
26465 - .cable_detect = ata_cable_40wire,
26466 - };
26467 -
26468 --static struct ata_port_operations cmd648_port_ops = {
26469 -+static const struct ata_port_operations cmd648_port_ops = {
26470 - .inherits = &cmd64x_base_ops,
26471 - .bmdma_stop = cmd648_bmdma_stop,
26472 - .cable_detect = cmd648_cable_detect,
26473 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5520.c linux-2.6.32.46/drivers/ata/pata_cs5520.c
26474 ---- linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-03-27 14:31:47.000000000 -0400
26475 -+++ linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-04-17 15:56:46.000000000 -0400
26476 -@@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
26477 - .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26478 - };
26479 -
26480 --static struct ata_port_operations cs5520_port_ops = {
26481 -+static const struct ata_port_operations cs5520_port_ops = {
26482 - .inherits = &ata_bmdma_port_ops,
26483 - .qc_prep = ata_sff_dumb_qc_prep,
26484 - .cable_detect = ata_cable_40wire,
26485 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5530.c linux-2.6.32.46/drivers/ata/pata_cs5530.c
26486 ---- linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-03-27 14:31:47.000000000 -0400
26487 -+++ linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-04-17 15:56:46.000000000 -0400
26488 -@@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
26489 - .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26490 - };
26491 -
26492 --static struct ata_port_operations cs5530_port_ops = {
26493 -+static const struct ata_port_operations cs5530_port_ops = {
26494 - .inherits = &ata_bmdma_port_ops,
26495 -
26496 - .qc_prep = ata_sff_dumb_qc_prep,
26497 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5535.c linux-2.6.32.46/drivers/ata/pata_cs5535.c
26498 ---- linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-03-27 14:31:47.000000000 -0400
26499 -+++ linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-04-17 15:56:46.000000000 -0400
26500 -@@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
26501 - ATA_BMDMA_SHT(DRV_NAME),
26502 - };
26503 -
26504 --static struct ata_port_operations cs5535_port_ops = {
26505 -+static const struct ata_port_operations cs5535_port_ops = {
26506 - .inherits = &ata_bmdma_port_ops,
26507 - .cable_detect = cs5535_cable_detect,
26508 - .set_piomode = cs5535_set_piomode,
26509 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5536.c linux-2.6.32.46/drivers/ata/pata_cs5536.c
26510 ---- linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-03-27 14:31:47.000000000 -0400
26511 -+++ linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-04-17 15:56:46.000000000 -0400
26512 -@@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
26513 - ATA_BMDMA_SHT(DRV_NAME),
26514 - };
26515 -
26516 --static struct ata_port_operations cs5536_port_ops = {
26517 -+static const struct ata_port_operations cs5536_port_ops = {
26518 - .inherits = &ata_bmdma_port_ops,
26519 - .cable_detect = cs5536_cable_detect,
26520 - .set_piomode = cs5536_set_piomode,
26521 -diff -urNp linux-2.6.32.46/drivers/ata/pata_cypress.c linux-2.6.32.46/drivers/ata/pata_cypress.c
26522 ---- linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-03-27 14:31:47.000000000 -0400
26523 -+++ linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-04-17 15:56:46.000000000 -0400
26524 -@@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
26525 - ATA_BMDMA_SHT(DRV_NAME),
26526 - };
26527 -
26528 --static struct ata_port_operations cy82c693_port_ops = {
26529 -+static const struct ata_port_operations cy82c693_port_ops = {
26530 - .inherits = &ata_bmdma_port_ops,
26531 - .cable_detect = ata_cable_40wire,
26532 - .set_piomode = cy82c693_set_piomode,
26533 -diff -urNp linux-2.6.32.46/drivers/ata/pata_efar.c linux-2.6.32.46/drivers/ata/pata_efar.c
26534 ---- linux-2.6.32.46/drivers/ata/pata_efar.c 2011-03-27 14:31:47.000000000 -0400
26535 -+++ linux-2.6.32.46/drivers/ata/pata_efar.c 2011-04-17 15:56:46.000000000 -0400
26536 -@@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
26537 - ATA_BMDMA_SHT(DRV_NAME),
26538 - };
26539 -
26540 --static struct ata_port_operations efar_ops = {
26541 -+static const struct ata_port_operations efar_ops = {
26542 - .inherits = &ata_bmdma_port_ops,
26543 - .cable_detect = efar_cable_detect,
26544 - .set_piomode = efar_set_piomode,
26545 -diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt366.c linux-2.6.32.46/drivers/ata/pata_hpt366.c
26546 ---- linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:55:34.000000000 -0400
26547 -+++ linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:56:37.000000000 -0400
26548 -@@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
26549 - * Configuration for HPT366/68
26550 - */
26551 -
26552 --static struct ata_port_operations hpt366_port_ops = {
26553 -+static const struct ata_port_operations hpt366_port_ops = {
26554 - .inherits = &ata_bmdma_port_ops,
26555 - .cable_detect = hpt36x_cable_detect,
26556 - .mode_filter = hpt366_filter,
26557 -diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt37x.c linux-2.6.32.46/drivers/ata/pata_hpt37x.c
26558 ---- linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:55:34.000000000 -0400
26559 -+++ linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:56:37.000000000 -0400
26560 -@@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
26561 - * Configuration for HPT370
26562 - */
26563 -
26564 --static struct ata_port_operations hpt370_port_ops = {
26565 -+static const struct ata_port_operations hpt370_port_ops = {
26566 - .inherits = &ata_bmdma_port_ops,
26567 -
26568 - .bmdma_stop = hpt370_bmdma_stop,
26569 -@@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
26570 - * Configuration for HPT370A. Close to 370 but less filters
26571 - */
26572 -
26573 --static struct ata_port_operations hpt370a_port_ops = {
26574 -+static const struct ata_port_operations hpt370a_port_ops = {
26575 - .inherits = &hpt370_port_ops,
26576 - .mode_filter = hpt370a_filter,
26577 - };
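Review bot: in this hunk hpt370a_port_ops becomes const while its .inherits still points at hpt370_port_ops, which the previous hunk also made const. That is only clean if the inherits member is declared as a pointer to const and if nothing fills in inherited callbacks by writing into these tables at run time; neither is visible in this file's hunks. Please point to where the patch handles both, or say so in the changelog, because a const table that is written later becomes a fault rather than a warning once it lives in read-only memory.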
26578 -@@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
26579 - * and DMA mode setting functionality.
26580 - */
26581 -
26582 --static struct ata_port_operations hpt372_port_ops = {
26583 -+static const struct ata_port_operations hpt372_port_ops = {
26584 - .inherits = &ata_bmdma_port_ops,
26585 -
26586 - .bmdma_stop = hpt37x_bmdma_stop,
26587 -@@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
26588 - * but we have a different cable detection procedure for function 1.
26589 - */
26590 -
26591 --static struct ata_port_operations hpt374_fn1_port_ops = {
26592 -+static const struct ata_port_operations hpt374_fn1_port_ops = {
26593 - .inherits = &hpt372_port_ops,
26594 - .prereset = hpt374_fn1_pre_reset,
26595 - };
26596 -diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c
26597 ---- linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:55:34.000000000 -0400
26598 -+++ linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:56:37.000000000 -0400
26599 -@@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
26600 - * Configuration for HPT3x2n.
26601 - */
26602 -
26603 --static struct ata_port_operations hpt3x2n_port_ops = {
26604 -+static const struct ata_port_operations hpt3x2n_port_ops = {
26605 - .inherits = &ata_bmdma_port_ops,
26606 -
26607 - .bmdma_stop = hpt3x2n_bmdma_stop,
26608 -diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x3.c linux-2.6.32.46/drivers/ata/pata_hpt3x3.c
26609 ---- linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-03-27 14:31:47.000000000 -0400
26610 -+++ linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-04-17 15:56:46.000000000 -0400
26611 -@@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
26612 - ATA_BMDMA_SHT(DRV_NAME),
26613 - };
26614 -
26615 --static struct ata_port_operations hpt3x3_port_ops = {
26616 -+static const struct ata_port_operations hpt3x3_port_ops = {
26617 - .inherits = &ata_bmdma_port_ops,
26618 - .cable_detect = ata_cable_40wire,
26619 - .set_piomode = hpt3x3_set_piomode,
26620 -diff -urNp linux-2.6.32.46/drivers/ata/pata_icside.c linux-2.6.32.46/drivers/ata/pata_icside.c
26621 ---- linux-2.6.32.46/drivers/ata/pata_icside.c 2011-03-27 14:31:47.000000000 -0400
26622 -+++ linux-2.6.32.46/drivers/ata/pata_icside.c 2011-04-17 15:56:46.000000000 -0400
26623 -@@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
26624 - }
26625 - }
26626 -
26627 --static struct ata_port_operations pata_icside_port_ops = {
26628 -+static const struct ata_port_operations pata_icside_port_ops = {
26629 - .inherits = &ata_sff_port_ops,
26630 - /* no need to build any PRD tables for DMA */
26631 - .qc_prep = ata_noop_qc_prep,
26632 -diff -urNp linux-2.6.32.46/drivers/ata/pata_isapnp.c linux-2.6.32.46/drivers/ata/pata_isapnp.c
26633 ---- linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-03-27 14:31:47.000000000 -0400
26634 -+++ linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-04-17 15:56:46.000000000 -0400
26635 -@@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
26636 - ATA_PIO_SHT(DRV_NAME),
26637 - };
26638 -
26639 --static struct ata_port_operations isapnp_port_ops = {
26640 -+static const struct ata_port_operations isapnp_port_ops = {
26641 - .inherits = &ata_sff_port_ops,
26642 - .cable_detect = ata_cable_40wire,
26643 - };
26644 -
26645 --static struct ata_port_operations isapnp_noalt_port_ops = {
26646 -+static const struct ata_port_operations isapnp_noalt_port_ops = {
26647 - .inherits = &ata_sff_port_ops,
26648 - .cable_detect = ata_cable_40wire,
26649 - /* No altstatus so we don't want to use the lost interrupt poll */
26650 -diff -urNp linux-2.6.32.46/drivers/ata/pata_it8213.c linux-2.6.32.46/drivers/ata/pata_it8213.c
26651 ---- linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-03-27 14:31:47.000000000 -0400
26652 -+++ linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-04-17 15:56:46.000000000 -0400
26653 -@@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
26654 - };
26655 -
26656 -
26657 --static struct ata_port_operations it8213_ops = {
26658 -+static const struct ata_port_operations it8213_ops = {
26659 - .inherits = &ata_bmdma_port_ops,
26660 - .cable_detect = it8213_cable_detect,
26661 - .set_piomode = it8213_set_piomode,
26662 -diff -urNp linux-2.6.32.46/drivers/ata/pata_it821x.c linux-2.6.32.46/drivers/ata/pata_it821x.c
26663 ---- linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-03-27 14:31:47.000000000 -0400
26664 -+++ linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-04-17 15:56:46.000000000 -0400
26665 -@@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
26666 - ATA_BMDMA_SHT(DRV_NAME),
26667 - };
26668 -
26669 --static struct ata_port_operations it821x_smart_port_ops = {
26670 -+static const struct ata_port_operations it821x_smart_port_ops = {
26671 - .inherits = &ata_bmdma_port_ops,
26672 -
26673 - .check_atapi_dma= it821x_check_atapi_dma,
26674 -@@ -814,7 +814,7 @@ static struct ata_port_operations it821x
26675 - .port_start = it821x_port_start,
26676 - };
26677 -
26678 --static struct ata_port_operations it821x_passthru_port_ops = {
26679 -+static const struct ata_port_operations it821x_passthru_port_ops = {
26680 - .inherits = &ata_bmdma_port_ops,
26681 -
26682 - .check_atapi_dma= it821x_check_atapi_dma,
26683 -@@ -830,7 +830,7 @@ static struct ata_port_operations it821x
26684 - .port_start = it821x_port_start,
26685 - };
26686 -
26687 --static struct ata_port_operations it821x_rdc_port_ops = {
26688 -+static const struct ata_port_operations it821x_rdc_port_ops = {
26689 - .inherits = &ata_bmdma_port_ops,
26690 -
26691 - .check_atapi_dma= it821x_check_atapi_dma,
26692 -diff -urNp linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c
26693 ---- linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-03-27 14:31:47.000000000 -0400
26694 -+++ linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:56:46.000000000 -0400
26695 -@@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
26696 - ATA_PIO_SHT(DRV_NAME),
26697 - };
26698 -
26699 --static struct ata_port_operations ixp4xx_port_ops = {
26700 -+static const struct ata_port_operations ixp4xx_port_ops = {
26701 - .inherits = &ata_sff_port_ops,
26702 - .sff_data_xfer = ixp4xx_mmio_data_xfer,
26703 - .cable_detect = ata_cable_40wire,
26704 -diff -urNp linux-2.6.32.46/drivers/ata/pata_jmicron.c linux-2.6.32.46/drivers/ata/pata_jmicron.c
26705 ---- linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-03-27 14:31:47.000000000 -0400
26706 -+++ linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-04-17 15:56:46.000000000 -0400
26707 -@@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
26708 - ATA_BMDMA_SHT(DRV_NAME),
26709 - };
26710 -
26711 --static struct ata_port_operations jmicron_ops = {
26712 -+static const struct ata_port_operations jmicron_ops = {
26713 - .inherits = &ata_bmdma_port_ops,
26714 - .prereset = jmicron_pre_reset,
26715 - };
26716 -diff -urNp linux-2.6.32.46/drivers/ata/pata_legacy.c linux-2.6.32.46/drivers/ata/pata_legacy.c
26717 ---- linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-03-27 14:31:47.000000000 -0400
26718 -+++ linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-04-17 15:56:46.000000000 -0400
26719 -@@ -106,7 +106,7 @@ struct legacy_probe {
26720 -
26721 - struct legacy_controller {
26722 - const char *name;
26723 -- struct ata_port_operations *ops;
26724 -+ const struct ata_port_operations *ops;
26725 - unsigned int pio_mask;
26726 - unsigned int flags;
26727 - unsigned int pflags;
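Review bot: the ops member of struct legacy_controller becomes a pointer to const here, which only holds together if every reader of controller->ops is converted in the same patch. The one consumer shown is the local in legacy_init_one (last hunk of this file); please confirm no other user still declares a non-const struct ata_port_operations *, since a leftover would either warn about a discarded qualifier or invite a cast that defeats the change.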
26728 -@@ -223,12 +223,12 @@ static const struct ata_port_operations
26729 - * pio_mask as well.
26730 - */
26731 -
26732 --static struct ata_port_operations simple_port_ops = {
26733 -+static const struct ata_port_operations simple_port_ops = {
26734 - .inherits = &legacy_base_port_ops,
26735 - .sff_data_xfer = ata_sff_data_xfer_noirq,
26736 - };
26737 -
26738 --static struct ata_port_operations legacy_port_ops = {
26739 -+static const struct ata_port_operations legacy_port_ops = {
26740 - .inherits = &legacy_base_port_ops,
26741 - .sff_data_xfer = ata_sff_data_xfer_noirq,
26742 - .set_mode = legacy_set_mode,
26743 -@@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
26744 - return buflen;
26745 - }
26746 -
26747 --static struct ata_port_operations pdc20230_port_ops = {
26748 -+static const struct ata_port_operations pdc20230_port_ops = {
26749 - .inherits = &legacy_base_port_ops,
26750 - .set_piomode = pdc20230_set_piomode,
26751 - .sff_data_xfer = pdc_data_xfer_vlb,
26752 -@@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
26753 - ioread8(ap->ioaddr.status_addr);
26754 - }
26755 -
26756 --static struct ata_port_operations ht6560a_port_ops = {
26757 -+static const struct ata_port_operations ht6560a_port_ops = {
26758 - .inherits = &legacy_base_port_ops,
26759 - .set_piomode = ht6560a_set_piomode,
26760 - };
26761 -@@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
26762 - ioread8(ap->ioaddr.status_addr);
26763 - }
26764 -
26765 --static struct ata_port_operations ht6560b_port_ops = {
26766 -+static const struct ata_port_operations ht6560b_port_ops = {
26767 - .inherits = &legacy_base_port_ops,
26768 - .set_piomode = ht6560b_set_piomode,
26769 - };
26770 -@@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
26771 - }
26772 -
26773 -
26774 --static struct ata_port_operations opti82c611a_port_ops = {
26775 -+static const struct ata_port_operations opti82c611a_port_ops = {
26776 - .inherits = &legacy_base_port_ops,
26777 - .set_piomode = opti82c611a_set_piomode,
26778 - };
26779 -@@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
26780 - return ata_sff_qc_issue(qc);
26781 - }
26782 -
26783 --static struct ata_port_operations opti82c46x_port_ops = {
26784 -+static const struct ata_port_operations opti82c46x_port_ops = {
26785 - .inherits = &legacy_base_port_ops,
26786 - .set_piomode = opti82c46x_set_piomode,
26787 - .qc_issue = opti82c46x_qc_issue,
26788 -@@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
26789 - return 0;
26790 - }
26791 -
26792 --static struct ata_port_operations qdi6500_port_ops = {
26793 -+static const struct ata_port_operations qdi6500_port_ops = {
26794 - .inherits = &legacy_base_port_ops,
26795 - .set_piomode = qdi6500_set_piomode,
26796 - .qc_issue = qdi_qc_issue,
26797 - .sff_data_xfer = vlb32_data_xfer,
26798 - };
26799 -
26800 --static struct ata_port_operations qdi6580_port_ops = {
26801 -+static const struct ata_port_operations qdi6580_port_ops = {
26802 - .inherits = &legacy_base_port_ops,
26803 - .set_piomode = qdi6580_set_piomode,
26804 - .sff_data_xfer = vlb32_data_xfer,
26805 - };
26806 -
26807 --static struct ata_port_operations qdi6580dp_port_ops = {
26808 -+static const struct ata_port_operations qdi6580dp_port_ops = {
26809 - .inherits = &legacy_base_port_ops,
26810 - .set_piomode = qdi6580dp_set_piomode,
26811 - .sff_data_xfer = vlb32_data_xfer,
26812 -@@ -855,7 +855,7 @@ static int winbond_port(struct platform_
26813 - return 0;
26814 - }
26815 -
26816 --static struct ata_port_operations winbond_port_ops = {
26817 -+static const struct ata_port_operations winbond_port_ops = {
26818 - .inherits = &legacy_base_port_ops,
26819 - .set_piomode = winbond_set_piomode,
26820 - .sff_data_xfer = vlb32_data_xfer,
26821 -@@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
26822 - int pio_modes = controller->pio_mask;
26823 - unsigned long io = probe->port;
26824 - u32 mask = (1 << probe->slot);
26825 -- struct ata_port_operations *ops = controller->ops;
26826 -+ const struct ata_port_operations *ops = controller->ops;
26827 - struct legacy_data *ld = &legacy_data[probe->slot];
26828 - struct ata_host *host = NULL;
26829 - struct ata_port *ap;
26830 -diff -urNp linux-2.6.32.46/drivers/ata/pata_marvell.c linux-2.6.32.46/drivers/ata/pata_marvell.c
26831 ---- linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-03-27 14:31:47.000000000 -0400
26832 -+++ linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-04-17 15:56:46.000000000 -0400
26833 -@@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26834 - ATA_BMDMA_SHT(DRV_NAME),
26835 - };
26836 -
26837 --static struct ata_port_operations marvell_ops = {
26838 -+static const struct ata_port_operations marvell_ops = {
26839 - .inherits = &ata_bmdma_port_ops,
26840 - .cable_detect = marvell_cable_detect,
26841 - .prereset = marvell_pre_reset,
26842 -diff -urNp linux-2.6.32.46/drivers/ata/pata_mpc52xx.c linux-2.6.32.46/drivers/ata/pata_mpc52xx.c
26843 ---- linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-03-27 14:31:47.000000000 -0400
26844 -+++ linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-04-17 15:56:46.000000000 -0400
26845 -@@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26846 - ATA_PIO_SHT(DRV_NAME),
26847 - };
26848 -
26849 --static struct ata_port_operations mpc52xx_ata_port_ops = {
26850 -+static const struct ata_port_operations mpc52xx_ata_port_ops = {
26851 - .inherits = &ata_bmdma_port_ops,
26852 - .sff_dev_select = mpc52xx_ata_dev_select,
26853 - .set_piomode = mpc52xx_ata_set_piomode,
26854 -diff -urNp linux-2.6.32.46/drivers/ata/pata_mpiix.c linux-2.6.32.46/drivers/ata/pata_mpiix.c
26855 ---- linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-03-27 14:31:47.000000000 -0400
26856 -+++ linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-04-17 15:56:46.000000000 -0400
26857 -@@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
26858 - ATA_PIO_SHT(DRV_NAME),
26859 - };
26860 -
26861 --static struct ata_port_operations mpiix_port_ops = {
26862 -+static const struct ata_port_operations mpiix_port_ops = {
26863 - .inherits = &ata_sff_port_ops,
26864 - .qc_issue = mpiix_qc_issue,
26865 - .cable_detect = ata_cable_40wire,
26866 -diff -urNp linux-2.6.32.46/drivers/ata/pata_netcell.c linux-2.6.32.46/drivers/ata/pata_netcell.c
26867 ---- linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-03-27 14:31:47.000000000 -0400
26868 -+++ linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-04-17 15:56:46.000000000 -0400
26869 -@@ -34,7 +34,7 @@ static struct scsi_host_template netcell
26870 - ATA_BMDMA_SHT(DRV_NAME),
26871 - };
26872 -
26873 --static struct ata_port_operations netcell_ops = {
26874 -+static const struct ata_port_operations netcell_ops = {
26875 - .inherits = &ata_bmdma_port_ops,
26876 - .cable_detect = ata_cable_80wire,
26877 - .read_id = netcell_read_id,
26878 -diff -urNp linux-2.6.32.46/drivers/ata/pata_ninja32.c linux-2.6.32.46/drivers/ata/pata_ninja32.c
26879 ---- linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-03-27 14:31:47.000000000 -0400
26880 -+++ linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-04-17 15:56:46.000000000 -0400
26881 -@@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
26882 - ATA_BMDMA_SHT(DRV_NAME),
26883 - };
26884 -
26885 --static struct ata_port_operations ninja32_port_ops = {
26886 -+static const struct ata_port_operations ninja32_port_ops = {
26887 - .inherits = &ata_bmdma_port_ops,
26888 - .sff_dev_select = ninja32_dev_select,
26889 - .cable_detect = ata_cable_40wire,
26890 -diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87410.c linux-2.6.32.46/drivers/ata/pata_ns87410.c
26891 ---- linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-03-27 14:31:47.000000000 -0400
26892 -+++ linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-04-17 15:56:46.000000000 -0400
26893 -@@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
26894 - ATA_PIO_SHT(DRV_NAME),
26895 - };
26896 -
26897 --static struct ata_port_operations ns87410_port_ops = {
26898 -+static const struct ata_port_operations ns87410_port_ops = {
26899 - .inherits = &ata_sff_port_ops,
26900 - .qc_issue = ns87410_qc_issue,
26901 - .cable_detect = ata_cable_40wire,
26902 -diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87415.c linux-2.6.32.46/drivers/ata/pata_ns87415.c
26903 ---- linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-03-27 14:31:47.000000000 -0400
26904 -+++ linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-04-17 15:56:46.000000000 -0400
26905 -@@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
26906 - }
26907 - #endif /* 87560 SuperIO Support */
26908 -
26909 --static struct ata_port_operations ns87415_pata_ops = {
26910 -+static const struct ata_port_operations ns87415_pata_ops = {
26911 - .inherits = &ata_bmdma_port_ops,
26912 -
26913 - .check_atapi_dma = ns87415_check_atapi_dma,
26914 -@@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
26915 - };
26916 -
26917 - #if defined(CONFIG_SUPERIO)
26918 --static struct ata_port_operations ns87560_pata_ops = {
26919 -+static const struct ata_port_operations ns87560_pata_ops = {
26920 - .inherits = &ns87415_pata_ops,
26921 - .sff_tf_read = ns87560_tf_read,
26922 - .sff_check_status = ns87560_check_status,
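Review bot: ns87560_pata_ops sits under #if defined(CONFIG_SUPERIO), so a build without that option never compiles the changed line. It inherits from ns87415_pata_ops, which the previous hunk made const, so please confirm the file was built with CONFIG_SUPERIO set; otherwise a qualifier mismatch here would go unnoticed.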
26923 -diff -urNp linux-2.6.32.46/drivers/ata/pata_octeon_cf.c linux-2.6.32.46/drivers/ata/pata_octeon_cf.c
26924 ---- linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-03-27 14:31:47.000000000 -0400
26925 -+++ linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-04-17 15:56:46.000000000 -0400
26926 -@@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
26927 - return 0;
26928 - }
26929 -
26930 -+/* cannot be const */
26931 - static struct ata_port_operations octeon_cf_ops = {
26932 - .inherits = &ata_sff_port_ops,
26933 - .check_atapi_dma = octeon_cf_check_atapi_dma,
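Review bot: the comment added above octeon_cf_ops says "cannot be const" but not why, and this is the only ops table in this stretch of the patch that is left writable. Please name what writes to the structure after initialisation (function and field), so a later reader can tell whether the exception is still needed or whether the write can be moved so that this table can be made const like the others.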
26934 -diff -urNp linux-2.6.32.46/drivers/ata/pata_oldpiix.c linux-2.6.32.46/drivers/ata/pata_oldpiix.c
26935 ---- linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-03-27 14:31:47.000000000 -0400
26936 -+++ linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-04-17 15:56:46.000000000 -0400
26937 -@@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
26938 - ATA_BMDMA_SHT(DRV_NAME),
26939 - };
26940 -
26941 --static struct ata_port_operations oldpiix_pata_ops = {
26942 -+static const struct ata_port_operations oldpiix_pata_ops = {
26943 - .inherits = &ata_bmdma_port_ops,
26944 - .qc_issue = oldpiix_qc_issue,
26945 - .cable_detect = ata_cable_40wire,
26946 -diff -urNp linux-2.6.32.46/drivers/ata/pata_opti.c linux-2.6.32.46/drivers/ata/pata_opti.c
26947 ---- linux-2.6.32.46/drivers/ata/pata_opti.c 2011-03-27 14:31:47.000000000 -0400
26948 -+++ linux-2.6.32.46/drivers/ata/pata_opti.c 2011-04-17 15:56:46.000000000 -0400
26949 -@@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
26950 - ATA_PIO_SHT(DRV_NAME),
26951 - };
26952 -
26953 --static struct ata_port_operations opti_port_ops = {
26954 -+static const struct ata_port_operations opti_port_ops = {
26955 - .inherits = &ata_sff_port_ops,
26956 - .cable_detect = ata_cable_40wire,
26957 - .set_piomode = opti_set_piomode,
26958 -diff -urNp linux-2.6.32.46/drivers/ata/pata_optidma.c linux-2.6.32.46/drivers/ata/pata_optidma.c
26959 ---- linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-03-27 14:31:47.000000000 -0400
26960 -+++ linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-04-17 15:56:46.000000000 -0400
26961 -@@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26962 - ATA_BMDMA_SHT(DRV_NAME),
26963 - };
26964 -
26965 --static struct ata_port_operations optidma_port_ops = {
26966 -+static const struct ata_port_operations optidma_port_ops = {
26967 - .inherits = &ata_bmdma_port_ops,
26968 - .cable_detect = ata_cable_40wire,
26969 - .set_piomode = optidma_set_pio_mode,
26970 -@@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26971 - .prereset = optidma_pre_reset,
26972 - };
26973 -
26974 --static struct ata_port_operations optiplus_port_ops = {
26975 -+static const struct ata_port_operations optiplus_port_ops = {
26976 - .inherits = &optidma_port_ops,
26977 - .set_piomode = optiplus_set_pio_mode,
26978 - .set_dmamode = optiplus_set_dma_mode,
26979 -diff -urNp linux-2.6.32.46/drivers/ata/pata_palmld.c linux-2.6.32.46/drivers/ata/pata_palmld.c
26980 ---- linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-03-27 14:31:47.000000000 -0400
26981 -+++ linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-04-17 15:56:46.000000000 -0400
26982 -@@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
26983 - ATA_PIO_SHT(DRV_NAME),
26984 - };
26985 -
26986 --static struct ata_port_operations palmld_port_ops = {
26987 -+static const struct ata_port_operations palmld_port_ops = {
26988 - .inherits = &ata_sff_port_ops,
26989 - .sff_data_xfer = ata_sff_data_xfer_noirq,
26990 - .cable_detect = ata_cable_40wire,
26991 -diff -urNp linux-2.6.32.46/drivers/ata/pata_pcmcia.c linux-2.6.32.46/drivers/ata/pata_pcmcia.c
26992 ---- linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-03-27 14:31:47.000000000 -0400
26993 -+++ linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-04-17 15:56:46.000000000 -0400
26994 -@@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
26995 - ATA_PIO_SHT(DRV_NAME),
26996 - };
26997 -
26998 --static struct ata_port_operations pcmcia_port_ops = {
26999 -+static const struct ata_port_operations pcmcia_port_ops = {
27000 - .inherits = &ata_sff_port_ops,
27001 - .sff_data_xfer = ata_sff_data_xfer_noirq,
27002 - .cable_detect = ata_cable_40wire,
27003 - .set_mode = pcmcia_set_mode,
27004 - };
27005 -
27006 --static struct ata_port_operations pcmcia_8bit_port_ops = {
27007 -+static const struct ata_port_operations pcmcia_8bit_port_ops = {
27008 - .inherits = &ata_sff_port_ops,
27009 - .sff_data_xfer = ata_data_xfer_8bit,
27010 - .cable_detect = ata_cable_40wire,
27011 -@@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
27012 - unsigned long io_base, ctl_base;
27013 - void __iomem *io_addr, *ctl_addr;
27014 - int n_ports = 1;
27015 -- struct ata_port_operations *ops = &pcmcia_port_ops;
27016 -+ const struct ata_port_operations *ops = &pcmcia_port_ops;
27017 -
27018 - info = kzalloc(sizeof(*info), GFP_KERNEL);
27019 - if (info == NULL)
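Review bot: the local ops in pcmcia_init_one is now a pointer to const, initialised with &pcmcia_port_ops, but the rest of the function is outside the hunk. Please check that every place ops is handed on takes a const struct ata_port_operations * and that nothing writes through it; a cast added there to silence a warning would undo what making the two tables above const is meant to guarantee.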
27020 -diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc2027x.c linux-2.6.32.46/drivers/ata/pata_pdc2027x.c
27021 ---- linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-03-27 14:31:47.000000000 -0400
27022 -+++ linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-04-17 15:56:46.000000000 -0400
27023 -@@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
27024 - ATA_BMDMA_SHT(DRV_NAME),
27025 - };
27026 -
27027 --static struct ata_port_operations pdc2027x_pata100_ops = {
27028 -+static const struct ata_port_operations pdc2027x_pata100_ops = {
27029 - .inherits = &ata_bmdma_port_ops,
27030 - .check_atapi_dma = pdc2027x_check_atapi_dma,
27031 - .cable_detect = pdc2027x_cable_detect,
27032 - .prereset = pdc2027x_prereset,
27033 - };
27034 -
27035 --static struct ata_port_operations pdc2027x_pata133_ops = {
27036 -+static const struct ata_port_operations pdc2027x_pata133_ops = {
27037 - .inherits = &pdc2027x_pata100_ops,
27038 - .mode_filter = pdc2027x_mode_filter,
27039 - .set_piomode = pdc2027x_set_piomode,
27040 -diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c
27041 ---- linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-03-27 14:31:47.000000000 -0400
27042 -+++ linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:56:46.000000000 -0400
27043 -@@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
27044 - ATA_BMDMA_SHT(DRV_NAME),
27045 - };
27046 -
27047 --static struct ata_port_operations pdc2024x_port_ops = {
27048 -+static const struct ata_port_operations pdc2024x_port_ops = {
27049 - .inherits = &ata_bmdma_port_ops,
27050 -
27051 - .cable_detect = ata_cable_40wire,
27052 -@@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
27053 - .sff_exec_command = pdc202xx_exec_command,
27054 - };
27055 -
27056 --static struct ata_port_operations pdc2026x_port_ops = {
27057 -+static const struct ata_port_operations pdc2026x_port_ops = {
27058 - .inherits = &pdc2024x_port_ops,
27059 -
27060 - .check_atapi_dma = pdc2026x_check_atapi_dma,
27061 -diff -urNp linux-2.6.32.46/drivers/ata/pata_platform.c linux-2.6.32.46/drivers/ata/pata_platform.c
27062 ---- linux-2.6.32.46/drivers/ata/pata_platform.c 2011-03-27 14:31:47.000000000 -0400
27063 -+++ linux-2.6.32.46/drivers/ata/pata_platform.c 2011-04-17 15:56:46.000000000 -0400
27064 -@@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
27065 - ATA_PIO_SHT(DRV_NAME),
27066 - };
27067 -
27068 --static struct ata_port_operations pata_platform_port_ops = {
27069 -+static const struct ata_port_operations pata_platform_port_ops = {
27070 - .inherits = &ata_sff_port_ops,
27071 - .sff_data_xfer = ata_sff_data_xfer_noirq,
27072 - .cable_detect = ata_cable_unknown,
27073 -diff -urNp linux-2.6.32.46/drivers/ata/pata_qdi.c linux-2.6.32.46/drivers/ata/pata_qdi.c
27074 ---- linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-03-27 14:31:47.000000000 -0400
27075 -+++ linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-04-17 15:56:46.000000000 -0400
27076 -@@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
27077 - ATA_PIO_SHT(DRV_NAME),
27078 - };
27079 -
27080 --static struct ata_port_operations qdi6500_port_ops = {
27081 -+static const struct ata_port_operations qdi6500_port_ops = {
27082 - .inherits = &ata_sff_port_ops,
27083 - .qc_issue = qdi_qc_issue,
27084 - .sff_data_xfer = qdi_data_xfer,
27085 -@@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
27086 - .set_piomode = qdi6500_set_piomode,
27087 - };
27088 -
27089 --static struct ata_port_operations qdi6580_port_ops = {
27090 -+static const struct ata_port_operations qdi6580_port_ops = {
27091 - .inherits = &qdi6500_port_ops,
27092 - .set_piomode = qdi6580_set_piomode,
27093 - };
27094 -diff -urNp linux-2.6.32.46/drivers/ata/pata_radisys.c linux-2.6.32.46/drivers/ata/pata_radisys.c
27095 ---- linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-03-27 14:31:47.000000000 -0400
27096 -+++ linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-04-17 15:56:46.000000000 -0400
27097 -@@ -187,7 +187,7 @@ static struct scsi_host_template radisys
27098 - ATA_BMDMA_SHT(DRV_NAME),
27099 - };
27100 -
27101 --static struct ata_port_operations radisys_pata_ops = {
27102 -+static const struct ata_port_operations radisys_pata_ops = {
27103 - .inherits = &ata_bmdma_port_ops,
27104 - .qc_issue = radisys_qc_issue,
27105 - .cable_detect = ata_cable_unknown,
27106 -diff -urNp linux-2.6.32.46/drivers/ata/pata_rb532_cf.c linux-2.6.32.46/drivers/ata/pata_rb532_cf.c
27107 ---- linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-03-27 14:31:47.000000000 -0400
27108 -+++ linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-04-17 15:56:46.000000000 -0400
27109 -@@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
27110 - return IRQ_HANDLED;
27111 - }
27112 -
27113 --static struct ata_port_operations rb532_pata_port_ops = {
27114 -+static const struct ata_port_operations rb532_pata_port_ops = {
27115 - .inherits = &ata_sff_port_ops,
27116 - .sff_data_xfer = ata_sff_data_xfer32,
27117 - };
27118 -diff -urNp linux-2.6.32.46/drivers/ata/pata_rdc.c linux-2.6.32.46/drivers/ata/pata_rdc.c
27119 ---- linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-03-27 14:31:47.000000000 -0400
27120 -+++ linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-04-17 15:56:46.000000000 -0400
27121 -@@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
27122 - pci_write_config_byte(dev, 0x48, udma_enable);
27123 - }
27124 -
27125 --static struct ata_port_operations rdc_pata_ops = {
27126 -+static const struct ata_port_operations rdc_pata_ops = {
27127 - .inherits = &ata_bmdma32_port_ops,
27128 - .cable_detect = rdc_pata_cable_detect,
27129 - .set_piomode = rdc_set_piomode,
27130 -diff -urNp linux-2.6.32.46/drivers/ata/pata_rz1000.c linux-2.6.32.46/drivers/ata/pata_rz1000.c
27131 ---- linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-03-27 14:31:47.000000000 -0400
27132 -+++ linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-04-17 15:56:46.000000000 -0400
27133 -@@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
27134 - ATA_PIO_SHT(DRV_NAME),
27135 - };
27136 -
27137 --static struct ata_port_operations rz1000_port_ops = {
27138 -+static const struct ata_port_operations rz1000_port_ops = {
27139 - .inherits = &ata_sff_port_ops,
27140 - .cable_detect = ata_cable_40wire,
27141 - .set_mode = rz1000_set_mode,
27142 -diff -urNp linux-2.6.32.46/drivers/ata/pata_sc1200.c linux-2.6.32.46/drivers/ata/pata_sc1200.c
27143 ---- linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-03-27 14:31:47.000000000 -0400
27144 -+++ linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-04-17 15:56:46.000000000 -0400
27145 -@@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
27146 - .sg_tablesize = LIBATA_DUMB_MAX_PRD,
27147 - };
27148 -
27149 --static struct ata_port_operations sc1200_port_ops = {
27150 -+static const struct ata_port_operations sc1200_port_ops = {
27151 - .inherits = &ata_bmdma_port_ops,
27152 - .qc_prep = ata_sff_dumb_qc_prep,
27153 - .qc_issue = sc1200_qc_issue,
27154 -diff -urNp linux-2.6.32.46/drivers/ata/pata_scc.c linux-2.6.32.46/drivers/ata/pata_scc.c
27155 ---- linux-2.6.32.46/drivers/ata/pata_scc.c 2011-03-27 14:31:47.000000000 -0400
27156 -+++ linux-2.6.32.46/drivers/ata/pata_scc.c 2011-04-17 15:56:46.000000000 -0400
27157 -@@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
27158 - ATA_BMDMA_SHT(DRV_NAME),
27159 - };
27160 -
27161 --static struct ata_port_operations scc_pata_ops = {
27162 -+static const struct ata_port_operations scc_pata_ops = {
27163 - .inherits = &ata_bmdma_port_ops,
27164 -
27165 - .set_piomode = scc_set_piomode,
27166 -diff -urNp linux-2.6.32.46/drivers/ata/pata_sch.c linux-2.6.32.46/drivers/ata/pata_sch.c
27167 ---- linux-2.6.32.46/drivers/ata/pata_sch.c 2011-03-27 14:31:47.000000000 -0400
27168 -+++ linux-2.6.32.46/drivers/ata/pata_sch.c 2011-04-17 15:56:46.000000000 -0400
27169 -@@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
27170 - ATA_BMDMA_SHT(DRV_NAME),
27171 - };
27172 -
27173 --static struct ata_port_operations sch_pata_ops = {
27174 -+static const struct ata_port_operations sch_pata_ops = {
27175 - .inherits = &ata_bmdma_port_ops,
27176 - .cable_detect = ata_cable_unknown,
27177 - .set_piomode = sch_set_piomode,
27178 -diff -urNp linux-2.6.32.46/drivers/ata/pata_serverworks.c linux-2.6.32.46/drivers/ata/pata_serverworks.c
27179 ---- linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-03-27 14:31:47.000000000 -0400
27180 -+++ linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-04-17 15:56:46.000000000 -0400
27181 -@@ -299,7 +299,7 @@ static struct scsi_host_template serverw
27182 - ATA_BMDMA_SHT(DRV_NAME),
27183 - };
27184 -
27185 --static struct ata_port_operations serverworks_osb4_port_ops = {
27186 -+static const struct ata_port_operations serverworks_osb4_port_ops = {
27187 - .inherits = &ata_bmdma_port_ops,
27188 - .cable_detect = serverworks_cable_detect,
27189 - .mode_filter = serverworks_osb4_filter,
27190 -@@ -307,7 +307,7 @@ static struct ata_port_operations server
27191 - .set_dmamode = serverworks_set_dmamode,
27192 - };
27193 -
27194 --static struct ata_port_operations serverworks_csb_port_ops = {
27195 -+static const struct ata_port_operations serverworks_csb_port_ops = {
27196 - .inherits = &serverworks_osb4_port_ops,
27197 - .mode_filter = serverworks_csb_filter,
27198 - };
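Review bot: serverworks_csb_port_ops is now const but still depends on `.inherits = &serverworks_osb4_port_ops` to supply most of its callbacks, and nothing in this hunk shows how those inherited slots get filled in once the table is read-only. If the libata core still copies the parent's callbacks into the child table at registration time, that write would now target const data. Please point to the matching core-side change, or note in the description that inheritance is resolved without writing to the driver's table.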
27199 -diff -urNp linux-2.6.32.46/drivers/ata/pata_sil680.c linux-2.6.32.46/drivers/ata/pata_sil680.c
27200 ---- linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:55:34.000000000 -0400
27201 -+++ linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:56:37.000000000 -0400
27202 -@@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
27203 - ATA_BMDMA_SHT(DRV_NAME),
27204 - };
27205 -
27206 --static struct ata_port_operations sil680_port_ops = {
27207 -+static const struct ata_port_operations sil680_port_ops = {
27208 - .inherits = &ata_bmdma32_port_ops,
27209 - .cable_detect = sil680_cable_detect,
27210 - .set_piomode = sil680_set_piomode,
27211 -diff -urNp linux-2.6.32.46/drivers/ata/pata_sis.c linux-2.6.32.46/drivers/ata/pata_sis.c
27212 ---- linux-2.6.32.46/drivers/ata/pata_sis.c 2011-03-27 14:31:47.000000000 -0400
27213 -+++ linux-2.6.32.46/drivers/ata/pata_sis.c 2011-04-17 15:56:46.000000000 -0400
27214 -@@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
27215 - ATA_BMDMA_SHT(DRV_NAME),
27216 - };
27217 -
27218 --static struct ata_port_operations sis_133_for_sata_ops = {
27219 -+static const struct ata_port_operations sis_133_for_sata_ops = {
27220 - .inherits = &ata_bmdma_port_ops,
27221 - .set_piomode = sis_133_set_piomode,
27222 - .set_dmamode = sis_133_set_dmamode,
27223 - .cable_detect = sis_133_cable_detect,
27224 - };
27225 -
27226 --static struct ata_port_operations sis_base_ops = {
27227 -+static const struct ata_port_operations sis_base_ops = {
27228 - .inherits = &ata_bmdma_port_ops,
27229 - .prereset = sis_pre_reset,
27230 - };
27231 -
27232 --static struct ata_port_operations sis_133_ops = {
27233 -+static const struct ata_port_operations sis_133_ops = {
27234 - .inherits = &sis_base_ops,
27235 - .set_piomode = sis_133_set_piomode,
27236 - .set_dmamode = sis_133_set_dmamode,
27237 - .cable_detect = sis_133_cable_detect,
27238 - };
27239 -
27240 --static struct ata_port_operations sis_133_early_ops = {
27241 -+static const struct ata_port_operations sis_133_early_ops = {
27242 - .inherits = &sis_base_ops,
27243 - .set_piomode = sis_100_set_piomode,
27244 - .set_dmamode = sis_133_early_set_dmamode,
27245 - .cable_detect = sis_66_cable_detect,
27246 - };
27247 -
27248 --static struct ata_port_operations sis_100_ops = {
27249 -+static const struct ata_port_operations sis_100_ops = {
27250 - .inherits = &sis_base_ops,
27251 - .set_piomode = sis_100_set_piomode,
27252 - .set_dmamode = sis_100_set_dmamode,
27253 - .cable_detect = sis_66_cable_detect,
27254 - };
27255 -
27256 --static struct ata_port_operations sis_66_ops = {
27257 -+static const struct ata_port_operations sis_66_ops = {
27258 - .inherits = &sis_base_ops,
27259 - .set_piomode = sis_old_set_piomode,
27260 - .set_dmamode = sis_66_set_dmamode,
27261 - .cable_detect = sis_66_cable_detect,
27262 - };
27263 -
27264 --static struct ata_port_operations sis_old_ops = {
27265 -+static const struct ata_port_operations sis_old_ops = {
27266 - .inherits = &sis_base_ops,
27267 - .set_piomode = sis_old_set_piomode,
27268 - .set_dmamode = sis_old_set_dmamode,
27269 -diff -urNp linux-2.6.32.46/drivers/ata/pata_sl82c105.c linux-2.6.32.46/drivers/ata/pata_sl82c105.c
27270 ---- linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-03-27 14:31:47.000000000 -0400
27271 -+++ linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-04-17 15:56:46.000000000 -0400
27272 -@@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
27273 - ATA_BMDMA_SHT(DRV_NAME),
27274 - };
27275 -
27276 --static struct ata_port_operations sl82c105_port_ops = {
27277 -+static const struct ata_port_operations sl82c105_port_ops = {
27278 - .inherits = &ata_bmdma_port_ops,
27279 - .qc_defer = sl82c105_qc_defer,
27280 - .bmdma_start = sl82c105_bmdma_start,
27281 -diff -urNp linux-2.6.32.46/drivers/ata/pata_triflex.c linux-2.6.32.46/drivers/ata/pata_triflex.c
27282 ---- linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-03-27 14:31:47.000000000 -0400
27283 -+++ linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-04-17 15:56:46.000000000 -0400
27284 -@@ -178,7 +178,7 @@ static struct scsi_host_template triflex
27285 - ATA_BMDMA_SHT(DRV_NAME),
27286 - };
27287 -
27288 --static struct ata_port_operations triflex_port_ops = {
27289 -+static const struct ata_port_operations triflex_port_ops = {
27290 - .inherits = &ata_bmdma_port_ops,
27291 - .bmdma_start = triflex_bmdma_start,
27292 - .bmdma_stop = triflex_bmdma_stop,
27293 -diff -urNp linux-2.6.32.46/drivers/ata/pata_via.c linux-2.6.32.46/drivers/ata/pata_via.c
27294 ---- linux-2.6.32.46/drivers/ata/pata_via.c 2011-03-27 14:31:47.000000000 -0400
27295 -+++ linux-2.6.32.46/drivers/ata/pata_via.c 2011-04-17 15:56:46.000000000 -0400
27296 -@@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
27297 - ATA_BMDMA_SHT(DRV_NAME),
27298 - };
27299 -
27300 --static struct ata_port_operations via_port_ops = {
27301 -+static const struct ata_port_operations via_port_ops = {
27302 - .inherits = &ata_bmdma_port_ops,
27303 - .cable_detect = via_cable_detect,
27304 - .set_piomode = via_set_piomode,
27305 -@@ -429,7 +429,7 @@ static struct ata_port_operations via_po
27306 - .port_start = via_port_start,
27307 - };
27308 -
27309 --static struct ata_port_operations via_port_ops_noirq = {
27310 -+static const struct ata_port_operations via_port_ops_noirq = {
27311 - .inherits = &via_port_ops,
27312 - .sff_data_xfer = ata_sff_data_xfer_noirq,
27313 - };
27314 -diff -urNp linux-2.6.32.46/drivers/ata/pata_winbond.c linux-2.6.32.46/drivers/ata/pata_winbond.c
27315 ---- linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-03-27 14:31:47.000000000 -0400
27316 -+++ linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-04-17 15:56:46.000000000 -0400
27317 -@@ -125,7 +125,7 @@ static struct scsi_host_template winbond
27318 - ATA_PIO_SHT(DRV_NAME),
27319 - };
27320 -
27321 --static struct ata_port_operations winbond_port_ops = {
27322 -+static const struct ata_port_operations winbond_port_ops = {
27323 - .inherits = &ata_sff_port_ops,
27324 - .sff_data_xfer = winbond_data_xfer,
27325 - .cable_detect = ata_cable_40wire,
27326 -diff -urNp linux-2.6.32.46/drivers/ata/pdc_adma.c linux-2.6.32.46/drivers/ata/pdc_adma.c
27327 ---- linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-03-27 14:31:47.000000000 -0400
27328 -+++ linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-04-17 15:56:46.000000000 -0400
27329 -@@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
27330 - .dma_boundary = ADMA_DMA_BOUNDARY,
27331 - };
27332 -
27333 --static struct ata_port_operations adma_ata_ops = {
27334 -+static const struct ata_port_operations adma_ata_ops = {
27335 - .inherits = &ata_sff_port_ops,
27336 -
27337 - .lost_interrupt = ATA_OP_NULL,
27338 -diff -urNp linux-2.6.32.46/drivers/ata/sata_fsl.c linux-2.6.32.46/drivers/ata/sata_fsl.c
27339 ---- linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-03-27 14:31:47.000000000 -0400
27340 -+++ linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-04-17 15:56:46.000000000 -0400
27341 -@@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
27342 - .dma_boundary = ATA_DMA_BOUNDARY,
27343 - };
27344 -
27345 --static struct ata_port_operations sata_fsl_ops = {
27346 -+static const struct ata_port_operations sata_fsl_ops = {
27347 - .inherits = &sata_pmp_port_ops,
27348 -
27349 - .qc_defer = ata_std_qc_defer,
27350 -diff -urNp linux-2.6.32.46/drivers/ata/sata_inic162x.c linux-2.6.32.46/drivers/ata/sata_inic162x.c
27351 ---- linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-03-27 14:31:47.000000000 -0400
27352 -+++ linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-04-17 15:56:46.000000000 -0400
27353 -@@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
27354 - return 0;
27355 - }
27356 -
27357 --static struct ata_port_operations inic_port_ops = {
27358 -+static const struct ata_port_operations inic_port_ops = {
27359 - .inherits = &sata_port_ops,
27360 -
27361 - .check_atapi_dma = inic_check_atapi_dma,
27362 -diff -urNp linux-2.6.32.46/drivers/ata/sata_mv.c linux-2.6.32.46/drivers/ata/sata_mv.c
27363 ---- linux-2.6.32.46/drivers/ata/sata_mv.c 2011-03-27 14:31:47.000000000 -0400
27364 -+++ linux-2.6.32.46/drivers/ata/sata_mv.c 2011-04-17 15:56:46.000000000 -0400
27365 -@@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
27366 - .dma_boundary = MV_DMA_BOUNDARY,
27367 - };
27368 -
27369 --static struct ata_port_operations mv5_ops = {
27370 -+static const struct ata_port_operations mv5_ops = {
27371 - .inherits = &ata_sff_port_ops,
27372 -
27373 - .lost_interrupt = ATA_OP_NULL,
27374 -@@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
27375 - .port_stop = mv_port_stop,
27376 - };
27377 -
27378 --static struct ata_port_operations mv6_ops = {
27379 -+static const struct ata_port_operations mv6_ops = {
27380 - .inherits = &mv5_ops,
27381 - .dev_config = mv6_dev_config,
27382 - .scr_read = mv_scr_read,
27383 -@@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
27384 - .bmdma_status = mv_bmdma_status,
27385 - };
27386 -
27387 --static struct ata_port_operations mv_iie_ops = {
27388 -+static const struct ata_port_operations mv_iie_ops = {
27389 - .inherits = &mv6_ops,
27390 - .dev_config = ATA_OP_NULL,
27391 - .qc_prep = mv_qc_prep_iie,
27392 -diff -urNp linux-2.6.32.46/drivers/ata/sata_nv.c linux-2.6.32.46/drivers/ata/sata_nv.c
27393 ---- linux-2.6.32.46/drivers/ata/sata_nv.c 2011-03-27 14:31:47.000000000 -0400
27394 -+++ linux-2.6.32.46/drivers/ata/sata_nv.c 2011-04-17 15:56:46.000000000 -0400
27395 -@@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
27396 - * cases. Define nv_hardreset() which only kicks in for post-boot
27397 - * probing and use it for all variants.
27398 - */
27399 --static struct ata_port_operations nv_generic_ops = {
27400 -+static const struct ata_port_operations nv_generic_ops = {
27401 - .inherits = &ata_bmdma_port_ops,
27402 - .lost_interrupt = ATA_OP_NULL,
27403 - .scr_read = nv_scr_read,
27404 -@@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
27405 - .hardreset = nv_hardreset,
27406 - };
27407 -
27408 --static struct ata_port_operations nv_nf2_ops = {
27409 -+static const struct ata_port_operations nv_nf2_ops = {
27410 - .inherits = &nv_generic_ops,
27411 - .freeze = nv_nf2_freeze,
27412 - .thaw = nv_nf2_thaw,
27413 - };
27414 -
27415 --static struct ata_port_operations nv_ck804_ops = {
27416 -+static const struct ata_port_operations nv_ck804_ops = {
27417 - .inherits = &nv_generic_ops,
27418 - .freeze = nv_ck804_freeze,
27419 - .thaw = nv_ck804_thaw,
27420 - .host_stop = nv_ck804_host_stop,
27421 - };
27422 -
27423 --static struct ata_port_operations nv_adma_ops = {
27424 -+static const struct ata_port_operations nv_adma_ops = {
27425 - .inherits = &nv_ck804_ops,
27426 -
27427 - .check_atapi_dma = nv_adma_check_atapi_dma,
27428 -@@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
27429 - .host_stop = nv_adma_host_stop,
27430 - };
27431 -
27432 --static struct ata_port_operations nv_swncq_ops = {
27433 -+static const struct ata_port_operations nv_swncq_ops = {
27434 - .inherits = &nv_generic_ops,
27435 -
27436 - .qc_defer = ata_std_qc_defer,
27437 -diff -urNp linux-2.6.32.46/drivers/ata/sata_promise.c linux-2.6.32.46/drivers/ata/sata_promise.c
27438 ---- linux-2.6.32.46/drivers/ata/sata_promise.c 2011-03-27 14:31:47.000000000 -0400
27439 -+++ linux-2.6.32.46/drivers/ata/sata_promise.c 2011-04-17 15:56:46.000000000 -0400
27440 -@@ -195,7 +195,7 @@ static const struct ata_port_operations
27441 - .error_handler = pdc_error_handler,
27442 - };
27443 -
27444 --static struct ata_port_operations pdc_sata_ops = {
27445 -+static const struct ata_port_operations pdc_sata_ops = {
27446 - .inherits = &pdc_common_ops,
27447 - .cable_detect = pdc_sata_cable_detect,
27448 - .freeze = pdc_sata_freeze,
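Review bot: the @@ context line for pdc_sata_ops shows that the table just above it in the unpatched file is already declared `static const struct ata_port_operations`, so this driver mixed const and non-const ops tables before the patch. That makes the constification here a plain consistency cleanup; consider splitting the sata_promise.c part out so it can be reviewed and submitted on its own rather than carried inside the monolithic patch.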
27449 -@@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
27450 -
27451 - /* First-generation chips need a more restrictive ->check_atapi_dma op,
27452 - and ->freeze/thaw that ignore the hotplug controls. */
27453 --static struct ata_port_operations pdc_old_sata_ops = {
27454 -+static const struct ata_port_operations pdc_old_sata_ops = {
27455 - .inherits = &pdc_sata_ops,
27456 - .freeze = pdc_freeze,
27457 - .thaw = pdc_thaw,
27458 - .check_atapi_dma = pdc_old_sata_check_atapi_dma,
27459 - };
27460 -
27461 --static struct ata_port_operations pdc_pata_ops = {
27462 -+static const struct ata_port_operations pdc_pata_ops = {
27463 - .inherits = &pdc_common_ops,
27464 - .cable_detect = pdc_pata_cable_detect,
27465 - .freeze = pdc_freeze,
27466 -diff -urNp linux-2.6.32.46/drivers/ata/sata_qstor.c linux-2.6.32.46/drivers/ata/sata_qstor.c
27467 ---- linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-03-27 14:31:47.000000000 -0400
27468 -+++ linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-04-17 15:56:46.000000000 -0400
27469 -@@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
27470 - .dma_boundary = QS_DMA_BOUNDARY,
27471 - };
27472 -
27473 --static struct ata_port_operations qs_ata_ops = {
27474 -+static const struct ata_port_operations qs_ata_ops = {
27475 - .inherits = &ata_sff_port_ops,
27476 -
27477 - .check_atapi_dma = qs_check_atapi_dma,
27478 -diff -urNp linux-2.6.32.46/drivers/ata/sata_sil.c linux-2.6.32.46/drivers/ata/sata_sil.c
27479 ---- linux-2.6.32.46/drivers/ata/sata_sil.c 2011-03-27 14:31:47.000000000 -0400
27480 -+++ linux-2.6.32.46/drivers/ata/sata_sil.c 2011-04-17 15:56:46.000000000 -0400
27481 -@@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
27482 - .sg_tablesize = ATA_MAX_PRD
27483 - };
27484 -
27485 --static struct ata_port_operations sil_ops = {
27486 -+static const struct ata_port_operations sil_ops = {
27487 - .inherits = &ata_bmdma32_port_ops,
27488 - .dev_config = sil_dev_config,
27489 - .set_mode = sil_set_mode,
27490 -diff -urNp linux-2.6.32.46/drivers/ata/sata_sil24.c linux-2.6.32.46/drivers/ata/sata_sil24.c
27491 ---- linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-03-27 14:31:47.000000000 -0400
27492 -+++ linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-04-17 15:56:46.000000000 -0400
27493 -@@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
27494 - .dma_boundary = ATA_DMA_BOUNDARY,
27495 - };
27496 -
27497 --static struct ata_port_operations sil24_ops = {
27498 -+static const struct ata_port_operations sil24_ops = {
27499 - .inherits = &sata_pmp_port_ops,
27500 -
27501 - .qc_defer = sil24_qc_defer,
27502 -diff -urNp linux-2.6.32.46/drivers/ata/sata_sis.c linux-2.6.32.46/drivers/ata/sata_sis.c
27503 ---- linux-2.6.32.46/drivers/ata/sata_sis.c 2011-03-27 14:31:47.000000000 -0400
27504 -+++ linux-2.6.32.46/drivers/ata/sata_sis.c 2011-04-17 15:56:46.000000000 -0400
27505 -@@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
27506 - ATA_BMDMA_SHT(DRV_NAME),
27507 - };
27508 -
27509 --static struct ata_port_operations sis_ops = {
27510 -+static const struct ata_port_operations sis_ops = {
27511 - .inherits = &ata_bmdma_port_ops,
27512 - .scr_read = sis_scr_read,
27513 - .scr_write = sis_scr_write,
27514 -diff -urNp linux-2.6.32.46/drivers/ata/sata_svw.c linux-2.6.32.46/drivers/ata/sata_svw.c
27515 ---- linux-2.6.32.46/drivers/ata/sata_svw.c 2011-03-27 14:31:47.000000000 -0400
27516 -+++ linux-2.6.32.46/drivers/ata/sata_svw.c 2011-04-17 15:56:46.000000000 -0400
27517 -@@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
27518 - };
27519 -
27520 -
27521 --static struct ata_port_operations k2_sata_ops = {
27522 -+static const struct ata_port_operations k2_sata_ops = {
27523 - .inherits = &ata_bmdma_port_ops,
27524 - .sff_tf_load = k2_sata_tf_load,
27525 - .sff_tf_read = k2_sata_tf_read,
27526 -diff -urNp linux-2.6.32.46/drivers/ata/sata_sx4.c linux-2.6.32.46/drivers/ata/sata_sx4.c
27527 ---- linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-03-27 14:31:47.000000000 -0400
27528 -+++ linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-04-17 15:56:46.000000000 -0400
27529 -@@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
27530 - };
27531 -
27532 - /* TODO: inherit from base port_ops after converting to new EH */
27533 --static struct ata_port_operations pdc_20621_ops = {
27534 -+static const struct ata_port_operations pdc_20621_ops = {
27535 - .inherits = &ata_sff_port_ops,
27536 -
27537 - .check_atapi_dma = pdc_check_atapi_dma,
27538 -diff -urNp linux-2.6.32.46/drivers/ata/sata_uli.c linux-2.6.32.46/drivers/ata/sata_uli.c
27539 ---- linux-2.6.32.46/drivers/ata/sata_uli.c 2011-03-27 14:31:47.000000000 -0400
27540 -+++ linux-2.6.32.46/drivers/ata/sata_uli.c 2011-04-17 15:56:46.000000000 -0400
27541 -@@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
27542 - ATA_BMDMA_SHT(DRV_NAME),
27543 - };
27544 -
27545 --static struct ata_port_operations uli_ops = {
27546 -+static const struct ata_port_operations uli_ops = {
27547 - .inherits = &ata_bmdma_port_ops,
27548 - .scr_read = uli_scr_read,
27549 - .scr_write = uli_scr_write,
27550 -diff -urNp linux-2.6.32.46/drivers/ata/sata_via.c linux-2.6.32.46/drivers/ata/sata_via.c
27551 ---- linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:12:01.000000000 -0400
27552 -+++ linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:15:08.000000000 -0400
27553 -@@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
27554 - ATA_BMDMA_SHT(DRV_NAME),
27555 - };
27556 -
27557 --static struct ata_port_operations svia_base_ops = {
27558 -+static const struct ata_port_operations svia_base_ops = {
27559 - .inherits = &ata_bmdma_port_ops,
27560 - .sff_tf_load = svia_tf_load,
27561 - };
27562 -
27563 --static struct ata_port_operations vt6420_sata_ops = {
27564 -+static const struct ata_port_operations vt6420_sata_ops = {
27565 - .inherits = &svia_base_ops,
27566 - .freeze = svia_noop_freeze,
27567 - .prereset = vt6420_prereset,
27568 - .bmdma_start = vt6420_bmdma_start,
27569 - };
27570 -
27571 --static struct ata_port_operations vt6421_pata_ops = {
27572 -+static const struct ata_port_operations vt6421_pata_ops = {
27573 - .inherits = &svia_base_ops,
27574 - .cable_detect = vt6421_pata_cable_detect,
27575 - .set_piomode = vt6421_set_pio_mode,
27576 - .set_dmamode = vt6421_set_dma_mode,
27577 - };
27578 -
27579 --static struct ata_port_operations vt6421_sata_ops = {
27580 -+static const struct ata_port_operations vt6421_sata_ops = {
27581 - .inherits = &svia_base_ops,
27582 - .scr_read = svia_scr_read,
27583 - .scr_write = svia_scr_write,
27584 - };
27585 -
27586 --static struct ata_port_operations vt8251_ops = {
27587 -+static const struct ata_port_operations vt8251_ops = {
27588 - .inherits = &svia_base_ops,
27589 - .hardreset = sata_std_hardreset,
27590 - .scr_read = vt8251_scr_read,
27591 -diff -urNp linux-2.6.32.46/drivers/ata/sata_vsc.c linux-2.6.32.46/drivers/ata/sata_vsc.c
27592 ---- linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-03-27 14:31:47.000000000 -0400
27593 -+++ linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-04-17 15:56:46.000000000 -0400
27594 -@@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
27595 - };
27596 -
27597 -
27598 --static struct ata_port_operations vsc_sata_ops = {
27599 -+static const struct ata_port_operations vsc_sata_ops = {
27600 - .inherits = &ata_bmdma_port_ops,
27601 - /* The IRQ handling is not quite standard SFF behaviour so we
27602 - cannot use the default lost interrupt handler */
27603 -diff -urNp linux-2.6.32.46/drivers/atm/adummy.c linux-2.6.32.46/drivers/atm/adummy.c
27604 ---- linux-2.6.32.46/drivers/atm/adummy.c 2011-03-27 14:31:47.000000000 -0400
27605 -+++ linux-2.6.32.46/drivers/atm/adummy.c 2011-04-17 15:56:46.000000000 -0400
27606 -@@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
27607 - vcc->pop(vcc, skb);
27608 - else
27609 - dev_kfree_skb_any(skb);
27610 -- atomic_inc(&vcc->stats->tx);
27611 -+ atomic_inc_unchecked(&vcc->stats->tx);
27612 -
27613 - return 0;
27614 - }
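Review bot: switching `atomic_inc(&vcc->stats->tx)` to `atomic_inc_unchecked` in adummy_send only works if the stats fields were retyped to match and every reader of `tx` moved to the unchecked accessor as well, and neither is visible from this hunk. Please reference where the struct definition and the readers are converted. The description should also state that these are statistics counters for which wraparound is acceptable, so that the opt-out from the checked API is a recorded decision and not an unexplained rename.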
27615 -diff -urNp linux-2.6.32.46/drivers/atm/ambassador.c linux-2.6.32.46/drivers/atm/ambassador.c
27616 ---- linux-2.6.32.46/drivers/atm/ambassador.c 2011-03-27 14:31:47.000000000 -0400
27617 -+++ linux-2.6.32.46/drivers/atm/ambassador.c 2011-04-17 15:56:46.000000000 -0400
27618 -@@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
27619 - PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
27620 -
27621 - // VC layer stats
27622 -- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27623 -+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27624 -
27625 - // free the descriptor
27626 - kfree (tx_descr);
27627 -@@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
27628 - dump_skb ("<<<", vc, skb);
27629 -
27630 - // VC layer stats
27631 -- atomic_inc(&atm_vcc->stats->rx);
27632 -+ atomic_inc_unchecked(&atm_vcc->stats->rx);
27633 - __net_timestamp(skb);
27634 - // end of our responsability
27635 - atm_vcc->push (atm_vcc, skb);
27636 -@@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
27637 - } else {
27638 - PRINTK (KERN_INFO, "dropped over-size frame");
27639 - // should we count this?
27640 -- atomic_inc(&atm_vcc->stats->rx_drop);
27641 -+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27642 - }
27643 -
27644 - } else {
27645 -@@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
27646 - }
27647 -
27648 - if (check_area (skb->data, skb->len)) {
27649 -- atomic_inc(&atm_vcc->stats->tx_err);
27650 -+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
27651 - return -ENOMEM; // ?
27652 - }
27653 -
27654 -diff -urNp linux-2.6.32.46/drivers/atm/atmtcp.c linux-2.6.32.46/drivers/atm/atmtcp.c
27655 ---- linux-2.6.32.46/drivers/atm/atmtcp.c 2011-03-27 14:31:47.000000000 -0400
27656 -+++ linux-2.6.32.46/drivers/atm/atmtcp.c 2011-04-17 15:56:46.000000000 -0400
27657 -@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
27658 - if (vcc->pop) vcc->pop(vcc,skb);
27659 - else dev_kfree_skb(skb);
27660 - if (dev_data) return 0;
27661 -- atomic_inc(&vcc->stats->tx_err);
27662 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27663 - return -ENOLINK;
27664 - }
27665 - size = skb->len+sizeof(struct atmtcp_hdr);
27666 -@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
27667 - if (!new_skb) {
27668 - if (vcc->pop) vcc->pop(vcc,skb);
27669 - else dev_kfree_skb(skb);
27670 -- atomic_inc(&vcc->stats->tx_err);
27671 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27672 - return -ENOBUFS;
27673 - }
27674 - hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
27675 -@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
27676 - if (vcc->pop) vcc->pop(vcc,skb);
27677 - else dev_kfree_skb(skb);
27678 - out_vcc->push(out_vcc,new_skb);
27679 -- atomic_inc(&vcc->stats->tx);
27680 -- atomic_inc(&out_vcc->stats->rx);
27681 -+ atomic_inc_unchecked(&vcc->stats->tx);
27682 -+ atomic_inc_unchecked(&out_vcc->stats->rx);
27683 - return 0;
27684 - }
27685 -
27686 -@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
27687 - out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
27688 - read_unlock(&vcc_sklist_lock);
27689 - if (!out_vcc) {
27690 -- atomic_inc(&vcc->stats->tx_err);
27691 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27692 - goto done;
27693 - }
27694 - skb_pull(skb,sizeof(struct atmtcp_hdr));
27695 -@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
27696 - __net_timestamp(new_skb);
27697 - skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
27698 - out_vcc->push(out_vcc,new_skb);
27699 -- atomic_inc(&vcc->stats->tx);
27700 -- atomic_inc(&out_vcc->stats->rx);
27701 -+ atomic_inc_unchecked(&vcc->stats->tx);
27702 -+ atomic_inc_unchecked(&out_vcc->stats->rx);
27703 - done:
27704 - if (vcc->pop) vcc->pop(vcc,skb);
27705 - else dev_kfree_skb(skb);
27706 -diff -urNp linux-2.6.32.46/drivers/atm/eni.c linux-2.6.32.46/drivers/atm/eni.c
27707 ---- linux-2.6.32.46/drivers/atm/eni.c 2011-03-27 14:31:47.000000000 -0400
27708 -+++ linux-2.6.32.46/drivers/atm/eni.c 2011-04-17 15:56:46.000000000 -0400
27709 -@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
27710 - DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
27711 - vcc->dev->number);
27712 - length = 0;
27713 -- atomic_inc(&vcc->stats->rx_err);
27714 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27715 - }
27716 - else {
27717 - length = ATM_CELL_SIZE-1; /* no HEC */
27718 -@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27719 - size);
27720 - }
27721 - eff = length = 0;
27722 -- atomic_inc(&vcc->stats->rx_err);
27723 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27724 - }
27725 - else {
27726 - size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
27727 -@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27728 - "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
27729 - vcc->dev->number,vcc->vci,length,size << 2,descr);
27730 - length = eff = 0;
27731 -- atomic_inc(&vcc->stats->rx_err);
27732 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27733 - }
27734 - }
27735 - skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
27736 -@@ -770,7 +770,7 @@ rx_dequeued++;
27737 - vcc->push(vcc,skb);
27738 - pushed++;
27739 - }
27740 -- atomic_inc(&vcc->stats->rx);
27741 -+ atomic_inc_unchecked(&vcc->stats->rx);
27742 - }
27743 - wake_up(&eni_dev->rx_wait);
27744 - }
27745 -@@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
27746 - PCI_DMA_TODEVICE);
27747 - if (vcc->pop) vcc->pop(vcc,skb);
27748 - else dev_kfree_skb_irq(skb);
27749 -- atomic_inc(&vcc->stats->tx);
27750 -+ atomic_inc_unchecked(&vcc->stats->tx);
27751 - wake_up(&eni_dev->tx_wait);
27752 - dma_complete++;
27753 - }
27754 -diff -urNp linux-2.6.32.46/drivers/atm/firestream.c linux-2.6.32.46/drivers/atm/firestream.c
27755 ---- linux-2.6.32.46/drivers/atm/firestream.c 2011-03-27 14:31:47.000000000 -0400
27756 -+++ linux-2.6.32.46/drivers/atm/firestream.c 2011-04-17 15:56:46.000000000 -0400
27757 -@@ -748,7 +748,7 @@ static void process_txdone_queue (struct
27758 - }
27759 - }
27760 -
27761 -- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27762 -+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27763 -
27764 - fs_dprintk (FS_DEBUG_TXMEM, "i");
27765 - fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27766 -@@ -815,7 +815,7 @@ static void process_incoming (struct fs_
27767 - #endif
27768 - skb_put (skb, qe->p1 & 0xffff);
27769 - ATM_SKB(skb)->vcc = atm_vcc;
27770 -- atomic_inc(&atm_vcc->stats->rx);
27771 -+ atomic_inc_unchecked(&atm_vcc->stats->rx);
27772 - __net_timestamp(skb);
27773 - fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27774 - atm_vcc->push (atm_vcc, skb);
27775 -@@ -836,12 +836,12 @@ static void process_incoming (struct fs_
27776 - kfree (pe);
27777 - }
27778 - if (atm_vcc)
27779 -- atomic_inc(&atm_vcc->stats->rx_drop);
27780 -+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27781 - break;
27782 - case 0x1f: /* Reassembly abort: no buffers. */
27783 - /* Silently increment error counter. */
27784 - if (atm_vcc)
27785 -- atomic_inc(&atm_vcc->stats->rx_drop);
27786 -+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27787 - break;
27788 - default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27789 - printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27790 -diff -urNp linux-2.6.32.46/drivers/atm/fore200e.c linux-2.6.32.46/drivers/atm/fore200e.c
27791 ---- linux-2.6.32.46/drivers/atm/fore200e.c 2011-03-27 14:31:47.000000000 -0400
27792 -+++ linux-2.6.32.46/drivers/atm/fore200e.c 2011-04-17 15:56:46.000000000 -0400
27793 -@@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
27794 - #endif
27795 - /* check error condition */
27796 - if (*entry->status & STATUS_ERROR)
27797 -- atomic_inc(&vcc->stats->tx_err);
27798 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27799 - else
27800 -- atomic_inc(&vcc->stats->tx);
27801 -+ atomic_inc_unchecked(&vcc->stats->tx);
27802 - }
27803 - }
27804 -
27805 -@@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
27806 - if (skb == NULL) {
27807 - DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27808 -
27809 -- atomic_inc(&vcc->stats->rx_drop);
27810 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
27811 - return -ENOMEM;
27812 - }
27813 -
27814 -@@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
27815 -
27816 - dev_kfree_skb_any(skb);
27817 -
27818 -- atomic_inc(&vcc->stats->rx_drop);
27819 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
27820 - return -ENOMEM;
27821 - }
27822 -
27823 - ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27824 -
27825 - vcc->push(vcc, skb);
27826 -- atomic_inc(&vcc->stats->rx);
27827 -+ atomic_inc_unchecked(&vcc->stats->rx);
27828 -
27829 - ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27830 -
27831 -@@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
27832 - DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27833 - fore200e->atm_dev->number,
27834 - entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27835 -- atomic_inc(&vcc->stats->rx_err);
27836 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27837 - }
27838 - }
27839 -
27840 -@@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
27841 - goto retry_here;
27842 - }
27843 -
27844 -- atomic_inc(&vcc->stats->tx_err);
27845 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27846 -
27847 - fore200e->tx_sat++;
27848 - DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
27849 -diff -urNp linux-2.6.32.46/drivers/atm/he.c linux-2.6.32.46/drivers/atm/he.c
27850 ---- linux-2.6.32.46/drivers/atm/he.c 2011-03-27 14:31:47.000000000 -0400
27851 -+++ linux-2.6.32.46/drivers/atm/he.c 2011-04-17 15:56:46.000000000 -0400
27852 -@@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27853 -
27854 - if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
27855 - hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
27856 -- atomic_inc(&vcc->stats->rx_drop);
27857 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
27858 - goto return_host_buffers;
27859 - }
27860 -
27861 -@@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27862 - RBRQ_LEN_ERR(he_dev->rbrq_head)
27863 - ? "LEN_ERR" : "",
27864 - vcc->vpi, vcc->vci);
27865 -- atomic_inc(&vcc->stats->rx_err);
27866 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27867 - goto return_host_buffers;
27868 - }
27869 -
27870 -@@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27871 - vcc->push(vcc, skb);
27872 - spin_lock(&he_dev->global_lock);
27873 -
27874 -- atomic_inc(&vcc->stats->rx);
27875 -+ atomic_inc_unchecked(&vcc->stats->rx);
27876 -
27877 - return_host_buffers:
27878 - ++pdus_assembled;
27879 -@@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
27880 - tpd->vcc->pop(tpd->vcc, tpd->skb);
27881 - else
27882 - dev_kfree_skb_any(tpd->skb);
27883 -- atomic_inc(&tpd->vcc->stats->tx_err);
27884 -+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
27885 - }
27886 - pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
27887 - return;
27888 -@@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27889 - vcc->pop(vcc, skb);
27890 - else
27891 - dev_kfree_skb_any(skb);
27892 -- atomic_inc(&vcc->stats->tx_err);
27893 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27894 - return -EINVAL;
27895 - }
27896 -
27897 -@@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27898 - vcc->pop(vcc, skb);
27899 - else
27900 - dev_kfree_skb_any(skb);
27901 -- atomic_inc(&vcc->stats->tx_err);
27902 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27903 - return -EINVAL;
27904 - }
27905 - #endif
27906 -@@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27907 - vcc->pop(vcc, skb);
27908 - else
27909 - dev_kfree_skb_any(skb);
27910 -- atomic_inc(&vcc->stats->tx_err);
27911 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27912 - spin_unlock_irqrestore(&he_dev->global_lock, flags);
27913 - return -ENOMEM;
27914 - }
27915 -@@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27916 - vcc->pop(vcc, skb);
27917 - else
27918 - dev_kfree_skb_any(skb);
27919 -- atomic_inc(&vcc->stats->tx_err);
27920 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
27921 - spin_unlock_irqrestore(&he_dev->global_lock, flags);
27922 - return -ENOMEM;
27923 - }
27924 -@@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27925 - __enqueue_tpd(he_dev, tpd, cid);
27926 - spin_unlock_irqrestore(&he_dev->global_lock, flags);
27927 -
27928 -- atomic_inc(&vcc->stats->tx);
27929 -+ atomic_inc_unchecked(&vcc->stats->tx);
27930 -
27931 - return 0;
27932 - }
27933 -diff -urNp linux-2.6.32.46/drivers/atm/horizon.c linux-2.6.32.46/drivers/atm/horizon.c
27934 ---- linux-2.6.32.46/drivers/atm/horizon.c 2011-03-27 14:31:47.000000000 -0400
27935 -+++ linux-2.6.32.46/drivers/atm/horizon.c 2011-04-17 15:56:46.000000000 -0400
27936 -@@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
27937 - {
27938 - struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27939 - // VC layer stats
27940 -- atomic_inc(&vcc->stats->rx);
27941 -+ atomic_inc_unchecked(&vcc->stats->rx);
27942 - __net_timestamp(skb);
27943 - // end of our responsability
27944 - vcc->push (vcc, skb);
27945 -@@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
27946 - dev->tx_iovec = NULL;
27947 -
27948 - // VC layer stats
27949 -- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27950 -+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27951 -
27952 - // free the skb
27953 - hrz_kfree_skb (skb);
27954 -diff -urNp linux-2.6.32.46/drivers/atm/idt77252.c linux-2.6.32.46/drivers/atm/idt77252.c
27955 ---- linux-2.6.32.46/drivers/atm/idt77252.c 2011-03-27 14:31:47.000000000 -0400
27956 -+++ linux-2.6.32.46/drivers/atm/idt77252.c 2011-04-17 15:56:46.000000000 -0400
27957 -@@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
27958 - else
27959 - dev_kfree_skb(skb);
27960 -
27961 -- atomic_inc(&vcc->stats->tx);
27962 -+ atomic_inc_unchecked(&vcc->stats->tx);
27963 - }
27964 -
27965 - atomic_dec(&scq->used);
27966 -@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
27967 - if ((sb = dev_alloc_skb(64)) == NULL) {
27968 - printk("%s: Can't allocate buffers for aal0.\n",
27969 - card->name);
27970 -- atomic_add(i, &vcc->stats->rx_drop);
27971 -+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
27972 - break;
27973 - }
27974 - if (!atm_charge(vcc, sb->truesize)) {
27975 - RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27976 - card->name);
27977 -- atomic_add(i - 1, &vcc->stats->rx_drop);
27978 -+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27979 - dev_kfree_skb(sb);
27980 - break;
27981 - }
27982 -@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
27983 - ATM_SKB(sb)->vcc = vcc;
27984 - __net_timestamp(sb);
27985 - vcc->push(vcc, sb);
27986 -- atomic_inc(&vcc->stats->rx);
27987 -+ atomic_inc_unchecked(&vcc->stats->rx);
27988 -
27989 - cell += ATM_CELL_PAYLOAD;
27990 - }
27991 -@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
27992 - "(CDC: %08x)\n",
27993 - card->name, len, rpp->len, readl(SAR_REG_CDC));
27994 - recycle_rx_pool_skb(card, rpp);
27995 -- atomic_inc(&vcc->stats->rx_err);
27996 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
27997 - return;
27998 - }
27999 - if (stat & SAR_RSQE_CRC) {
28000 - RXPRINTK("%s: AAL5 CRC error.\n", card->name);
28001 - recycle_rx_pool_skb(card, rpp);
28002 -- atomic_inc(&vcc->stats->rx_err);
28003 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28004 - return;
28005 - }
28006 - if (skb_queue_len(&rpp->queue) > 1) {
28007 -@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
28008 - RXPRINTK("%s: Can't alloc RX skb.\n",
28009 - card->name);
28010 - recycle_rx_pool_skb(card, rpp);
28011 -- atomic_inc(&vcc->stats->rx_err);
28012 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28013 - return;
28014 - }
28015 - if (!atm_charge(vcc, skb->truesize)) {
28016 -@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
28017 - __net_timestamp(skb);
28018 -
28019 - vcc->push(vcc, skb);
28020 -- atomic_inc(&vcc->stats->rx);
28021 -+ atomic_inc_unchecked(&vcc->stats->rx);
28022 -
28023 - return;
28024 - }
28025 -@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
28026 - __net_timestamp(skb);
28027 -
28028 - vcc->push(vcc, skb);
28029 -- atomic_inc(&vcc->stats->rx);
28030 -+ atomic_inc_unchecked(&vcc->stats->rx);
28031 -
28032 - if (skb->truesize > SAR_FB_SIZE_3)
28033 - add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
28034 -@@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
28035 - if (vcc->qos.aal != ATM_AAL0) {
28036 - RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
28037 - card->name, vpi, vci);
28038 -- atomic_inc(&vcc->stats->rx_drop);
28039 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28040 - goto drop;
28041 - }
28042 -
28043 - if ((sb = dev_alloc_skb(64)) == NULL) {
28044 - printk("%s: Can't allocate buffers for AAL0.\n",
28045 - card->name);
28046 -- atomic_inc(&vcc->stats->rx_err);
28047 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28048 - goto drop;
28049 - }
28050 -
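Review bot: in `idt77252_rx_raw()` a failed `dev_alloc_skb(64)` is counted in `rx_err`, while the same allocation failure in the `dequeue_rx()` hunk earlier in this file ("Can't allocate buffers for aal0") is counted in `rx_drop`. The conversion to `atomic_inc_unchecked()` carries that inconsistency over unchanged. Either use `rx_drop` for the out-of-buffers case in both places or note that the accounting is left as it was upstream.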
28051 -@@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
28052 - ATM_SKB(sb)->vcc = vcc;
28053 - __net_timestamp(sb);
28054 - vcc->push(vcc, sb);
28055 -- atomic_inc(&vcc->stats->rx);
28056 -+ atomic_inc_unchecked(&vcc->stats->rx);
28057 -
28058 - drop:
28059 - skb_pull(queue, 64);
28060 -@@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28061 -
28062 - if (vc == NULL) {
28063 - printk("%s: NULL connection in send().\n", card->name);
28064 -- atomic_inc(&vcc->stats->tx_err);
28065 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28066 - dev_kfree_skb(skb);
28067 - return -EINVAL;
28068 - }
28069 - if (!test_bit(VCF_TX, &vc->flags)) {
28070 - printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
28071 -- atomic_inc(&vcc->stats->tx_err);
28072 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28073 - dev_kfree_skb(skb);
28074 - return -EINVAL;
28075 - }
28076 -@@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28077 - break;
28078 - default:
28079 - printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
28080 -- atomic_inc(&vcc->stats->tx_err);
28081 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28082 - dev_kfree_skb(skb);
28083 - return -EINVAL;
28084 - }
28085 -
28086 - if (skb_shinfo(skb)->nr_frags != 0) {
28087 - printk("%s: No scatter-gather yet.\n", card->name);
28088 -- atomic_inc(&vcc->stats->tx_err);
28089 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28090 - dev_kfree_skb(skb);
28091 - return -EINVAL;
28092 - }
28093 -@@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28094 -
28095 - err = queue_skb(card, vc, skb, oam);
28096 - if (err) {
28097 -- atomic_inc(&vcc->stats->tx_err);
28098 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28099 - dev_kfree_skb(skb);
28100 - return err;
28101 - }
28102 -@@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
28103 - skb = dev_alloc_skb(64);
28104 - if (!skb) {
28105 - printk("%s: Out of memory in send_oam().\n", card->name);
28106 -- atomic_inc(&vcc->stats->tx_err);
28107 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28108 - return -ENOMEM;
28109 - }
28110 - atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
28111 -diff -urNp linux-2.6.32.46/drivers/atm/iphase.c linux-2.6.32.46/drivers/atm/iphase.c
28112 ---- linux-2.6.32.46/drivers/atm/iphase.c 2011-03-27 14:31:47.000000000 -0400
28113 -+++ linux-2.6.32.46/drivers/atm/iphase.c 2011-04-17 15:56:46.000000000 -0400
28114 -@@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
28115 - status = (u_short) (buf_desc_ptr->desc_mode);
28116 - if (status & (RX_CER | RX_PTE | RX_OFL))
28117 - {
28118 -- atomic_inc(&vcc->stats->rx_err);
28119 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28120 - IF_ERR(printk("IA: bad packet, dropping it");)
28121 - if (status & RX_CER) {
28122 - IF_ERR(printk(" cause: packet CRC error\n");)
28123 -@@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
28124 - len = dma_addr - buf_addr;
28125 - if (len > iadev->rx_buf_sz) {
28126 - printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
28127 -- atomic_inc(&vcc->stats->rx_err);
28128 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28129 - goto out_free_desc;
28130 - }
28131 -
28132 -@@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
28133 - ia_vcc = INPH_IA_VCC(vcc);
28134 - if (ia_vcc == NULL)
28135 - {
28136 -- atomic_inc(&vcc->stats->rx_err);
28137 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28138 - dev_kfree_skb_any(skb);
28139 - atm_return(vcc, atm_guess_pdu2truesize(len));
28140 - goto INCR_DLE;
28141 -@@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
28142 - if ((length > iadev->rx_buf_sz) || (length >
28143 - (skb->len - sizeof(struct cpcs_trailer))))
28144 - {
28145 -- atomic_inc(&vcc->stats->rx_err);
28146 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28147 - IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
28148 - length, skb->len);)
28149 - dev_kfree_skb_any(skb);
28150 -@@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
28151 -
28152 - IF_RX(printk("rx_dle_intr: skb push");)
28153 - vcc->push(vcc,skb);
28154 -- atomic_inc(&vcc->stats->rx);
28155 -+ atomic_inc_unchecked(&vcc->stats->rx);
28156 - iadev->rx_pkt_cnt++;
28157 - }
28158 - INCR_DLE:
28159 -@@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
28160 - {
28161 - struct k_sonet_stats *stats;
28162 - stats = &PRIV(_ia_dev[board])->sonet_stats;
28163 -- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
28164 -- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
28165 -- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
28166 -- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
28167 -- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
28168 -- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
28169 -- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
28170 -- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
28171 -- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
28172 -+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
28173 -+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
28174 -+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
28175 -+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
28176 -+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
28177 -+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
28178 -+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
28179 -+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
28180 -+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
28181 - }
28182 - ia_cmds.status = 0;
28183 - break;
28184 -@@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
28185 - if ((desc == 0) || (desc > iadev->num_tx_desc))
28186 - {
28187 - IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
28188 -- atomic_inc(&vcc->stats->tx);
28189 -+ atomic_inc_unchecked(&vcc->stats->tx);
28190 - if (vcc->pop)
28191 - vcc->pop(vcc, skb);
28192 - else
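Review bot: the "invalid desc for send" branch of `ia_pkt_tx()` increments `stats->tx`, so a rejected descriptor is counted as a successful transmit. The other drivers in this patch (for example the `he_send()` error returns) bump `tx_err` on their failure paths. Since this line is being rewritten anyway, consider `atomic_inc_unchecked(&vcc->stats->tx_err);` here, or a comment saying the counter choice is deliberately left as in the original driver.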
28193 -@@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
28194 - ATM_DESC(skb) = vcc->vci;
28195 - skb_queue_tail(&iadev->tx_dma_q, skb);
28196 -
28197 -- atomic_inc(&vcc->stats->tx);
28198 -+ atomic_inc_unchecked(&vcc->stats->tx);
28199 - iadev->tx_pkt_cnt++;
28200 - /* Increment transaction counter */
28201 - writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
28202 -
28203 - #if 0
28204 - /* add flow control logic */
28205 -- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
28206 -+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
28207 - if (iavcc->vc_desc_cnt > 10) {
28208 - vcc->tx_quota = vcc->tx_quota * 3 / 4;
28209 - printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
28210 -diff -urNp linux-2.6.32.46/drivers/atm/lanai.c linux-2.6.32.46/drivers/atm/lanai.c
28211 ---- linux-2.6.32.46/drivers/atm/lanai.c 2011-03-27 14:31:47.000000000 -0400
28212 -+++ linux-2.6.32.46/drivers/atm/lanai.c 2011-04-17 15:56:46.000000000 -0400
28213 -@@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
28214 - vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
28215 - lanai_endtx(lanai, lvcc);
28216 - lanai_free_skb(lvcc->tx.atmvcc, skb);
28217 -- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
28218 -+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
28219 - }
28220 -
28221 - /* Try to fill the buffer - don't call unless there is backlog */
28222 -@@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
28223 - ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
28224 - __net_timestamp(skb);
28225 - lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
28226 -- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
28227 -+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
28228 - out:
28229 - lvcc->rx.buf.ptr = end;
28230 - cardvcc_write(lvcc, endptr, vcc_rxreadptr);
28231 -@@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
28232 - DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
28233 - "vcc %d\n", lanai->number, (unsigned int) s, vci);
28234 - lanai->stats.service_rxnotaal5++;
28235 -- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28236 -+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28237 - return 0;
28238 - }
28239 - if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
28240 -@@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
28241 - int bytes;
28242 - read_unlock(&vcc_sklist_lock);
28243 - DPRINTK("got trashed rx pdu on vci %d\n", vci);
28244 -- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28245 -+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28246 - lvcc->stats.x.aal5.service_trash++;
28247 - bytes = (SERVICE_GET_END(s) * 16) -
28248 - (((unsigned long) lvcc->rx.buf.ptr) -
28249 -@@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
28250 - }
28251 - if (s & SERVICE_STREAM) {
28252 - read_unlock(&vcc_sklist_lock);
28253 -- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28254 -+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28255 - lvcc->stats.x.aal5.service_stream++;
28256 - printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
28257 - "PDU on VCI %d!\n", lanai->number, vci);
28258 -@@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
28259 - return 0;
28260 - }
28261 - DPRINTK("got rx crc error on vci %d\n", vci);
28262 -- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28263 -+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28264 - lvcc->stats.x.aal5.service_rxcrc++;
28265 - lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
28266 - cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
28267 -diff -urNp linux-2.6.32.46/drivers/atm/nicstar.c linux-2.6.32.46/drivers/atm/nicstar.c
28268 ---- linux-2.6.32.46/drivers/atm/nicstar.c 2011-03-27 14:31:47.000000000 -0400
28269 -+++ linux-2.6.32.46/drivers/atm/nicstar.c 2011-04-17 15:56:46.000000000 -0400
28270 -@@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
28271 - if ((vc = (vc_map *) vcc->dev_data) == NULL)
28272 - {
28273 - printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
28274 -- atomic_inc(&vcc->stats->tx_err);
28275 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28276 - dev_kfree_skb_any(skb);
28277 - return -EINVAL;
28278 - }
28279 -@@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
28280 - if (!vc->tx)
28281 - {
28282 - printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
28283 -- atomic_inc(&vcc->stats->tx_err);
28284 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28285 - dev_kfree_skb_any(skb);
28286 - return -EINVAL;
28287 - }
28288 -@@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
28289 - if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
28290 - {
28291 - printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
28292 -- atomic_inc(&vcc->stats->tx_err);
28293 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28294 - dev_kfree_skb_any(skb);
28295 - return -EINVAL;
28296 - }
28297 -@@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
28298 - if (skb_shinfo(skb)->nr_frags != 0)
28299 - {
28300 - printk("nicstar%d: No scatter-gather yet.\n", card->index);
28301 -- atomic_inc(&vcc->stats->tx_err);
28302 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28303 - dev_kfree_skb_any(skb);
28304 - return -EINVAL;
28305 - }
28306 -@@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
28307 -
28308 - if (push_scqe(card, vc, scq, &scqe, skb) != 0)
28309 - {
28310 -- atomic_inc(&vcc->stats->tx_err);
28311 -+ atomic_inc_unchecked(&vcc->stats->tx_err);
28312 - dev_kfree_skb_any(skb);
28313 - return -EIO;
28314 - }
28315 -- atomic_inc(&vcc->stats->tx);
28316 -+ atomic_inc_unchecked(&vcc->stats->tx);
28317 -
28318 - return 0;
28319 - }
28320 -@@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
28321 - {
28322 - printk("nicstar%d: Can't allocate buffers for aal0.\n",
28323 - card->index);
28324 -- atomic_add(i,&vcc->stats->rx_drop);
28325 -+ atomic_add_unchecked(i,&vcc->stats->rx_drop);
28326 - break;
28327 - }
28328 - if (!atm_charge(vcc, sb->truesize))
28329 - {
28330 - RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
28331 - card->index);
28332 -- atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28333 -+ atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28334 - dev_kfree_skb_any(sb);
28335 - break;
28336 - }
28337 -@@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
28338 - ATM_SKB(sb)->vcc = vcc;
28339 - __net_timestamp(sb);
28340 - vcc->push(vcc, sb);
28341 -- atomic_inc(&vcc->stats->rx);
28342 -+ atomic_inc_unchecked(&vcc->stats->rx);
28343 - cell += ATM_CELL_PAYLOAD;
28344 - }
28345 -
28346 -@@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
28347 - if (iovb == NULL)
28348 - {
28349 - printk("nicstar%d: Out of iovec buffers.\n", card->index);
28350 -- atomic_inc(&vcc->stats->rx_drop);
28351 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28352 - recycle_rx_buf(card, skb);
28353 - return;
28354 - }
28355 -@@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
28356 - else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
28357 - {
28358 - printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
28359 -- atomic_inc(&vcc->stats->rx_err);
28360 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28361 - recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
28362 - NS_SKB(iovb)->iovcnt = 0;
28363 - iovb->len = 0;
28364 -@@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
28365 - printk("nicstar%d: Expected a small buffer, and this is not one.\n",
28366 - card->index);
28367 - which_list(card, skb);
28368 -- atomic_inc(&vcc->stats->rx_err);
28369 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28370 - recycle_rx_buf(card, skb);
28371 - vc->rx_iov = NULL;
28372 - recycle_iov_buf(card, iovb);
28373 -@@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
28374 - printk("nicstar%d: Expected a large buffer, and this is not one.\n",
28375 - card->index);
28376 - which_list(card, skb);
28377 -- atomic_inc(&vcc->stats->rx_err);
28378 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28379 - recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28380 - NS_SKB(iovb)->iovcnt);
28381 - vc->rx_iov = NULL;
28382 -@@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
28383 - printk(" - PDU size mismatch.\n");
28384 - else
28385 - printk(".\n");
28386 -- atomic_inc(&vcc->stats->rx_err);
28387 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
28388 - recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28389 - NS_SKB(iovb)->iovcnt);
28390 - vc->rx_iov = NULL;
28391 -@@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
28392 - if (!atm_charge(vcc, skb->truesize))
28393 - {
28394 - push_rxbufs(card, skb);
28395 -- atomic_inc(&vcc->stats->rx_drop);
28396 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28397 - }
28398 - else
28399 - {
28400 -@@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
28401 - ATM_SKB(skb)->vcc = vcc;
28402 - __net_timestamp(skb);
28403 - vcc->push(vcc, skb);
28404 -- atomic_inc(&vcc->stats->rx);
28405 -+ atomic_inc_unchecked(&vcc->stats->rx);
28406 - }
28407 - }
28408 - else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
28409 -@@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
28410 - if (!atm_charge(vcc, sb->truesize))
28411 - {
28412 - push_rxbufs(card, sb);
28413 -- atomic_inc(&vcc->stats->rx_drop);
28414 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28415 - }
28416 - else
28417 - {
28418 -@@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
28419 - ATM_SKB(sb)->vcc = vcc;
28420 - __net_timestamp(sb);
28421 - vcc->push(vcc, sb);
28422 -- atomic_inc(&vcc->stats->rx);
28423 -+ atomic_inc_unchecked(&vcc->stats->rx);
28424 - }
28425 -
28426 - push_rxbufs(card, skb);
28427 -@@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
28428 - if (!atm_charge(vcc, skb->truesize))
28429 - {
28430 - push_rxbufs(card, skb);
28431 -- atomic_inc(&vcc->stats->rx_drop);
28432 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28433 - }
28434 - else
28435 - {
28436 -@@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
28437 - ATM_SKB(skb)->vcc = vcc;
28438 - __net_timestamp(skb);
28439 - vcc->push(vcc, skb);
28440 -- atomic_inc(&vcc->stats->rx);
28441 -+ atomic_inc_unchecked(&vcc->stats->rx);
28442 - }
28443 -
28444 - push_rxbufs(card, sb);
28445 -@@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
28446 - if (hb == NULL)
28447 - {
28448 - printk("nicstar%d: Out of huge buffers.\n", card->index);
28449 -- atomic_inc(&vcc->stats->rx_drop);
28450 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28451 - recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28452 - NS_SKB(iovb)->iovcnt);
28453 - vc->rx_iov = NULL;
28454 -@@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
28455 - }
28456 - else
28457 - dev_kfree_skb_any(hb);
28458 -- atomic_inc(&vcc->stats->rx_drop);
28459 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28460 - }
28461 - else
28462 - {
28463 -@@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
28464 - #endif /* NS_USE_DESTRUCTORS */
28465 - __net_timestamp(hb);
28466 - vcc->push(vcc, hb);
28467 -- atomic_inc(&vcc->stats->rx);
28468 -+ atomic_inc_unchecked(&vcc->stats->rx);
28469 - }
28470 - }
28471 -
28472 -diff -urNp linux-2.6.32.46/drivers/atm/solos-pci.c linux-2.6.32.46/drivers/atm/solos-pci.c
28473 ---- linux-2.6.32.46/drivers/atm/solos-pci.c 2011-04-17 17:00:52.000000000 -0400
28474 -+++ linux-2.6.32.46/drivers/atm/solos-pci.c 2011-05-16 21:46:57.000000000 -0400
28475 -@@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
28476 - }
28477 - atm_charge(vcc, skb->truesize);
28478 - vcc->push(vcc, skb);
28479 -- atomic_inc(&vcc->stats->rx);
28480 -+ atomic_inc_unchecked(&vcc->stats->rx);
28481 - break;
28482 -
28483 - case PKT_STATUS:
28484 -@@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
28485 - char msg[500];
28486 - char item[10];
28487 -
28488 -+ pax_track_stack();
28489 -+
28490 - len = buf->len;
28491 - for (i = 0; i < len; i++){
28492 - if(i % 8 == 0)
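Review bot: `pax_track_stack()` is added to `print_buffer()` with no comment saying why; the reason visible in this hunk is the 500-byte `msg` array on the stack. A one-line comment tying the call to that buffer would keep it from being dropped in a later cleanup. Separately, the loop runs up to `buf->len` and the lines shown carry no bound against `msg[500]`, so confirm that the rest of the function limits what is written into it.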
28493 -@@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
28494 - vcc = SKB_CB(oldskb)->vcc;
28495 -
28496 - if (vcc) {
28497 -- atomic_inc(&vcc->stats->tx);
28498 -+ atomic_inc_unchecked(&vcc->stats->tx);
28499 - solos_pop(vcc, oldskb);
28500 - } else
28501 - dev_kfree_skb_irq(oldskb);
28502 -diff -urNp linux-2.6.32.46/drivers/atm/suni.c linux-2.6.32.46/drivers/atm/suni.c
28503 ---- linux-2.6.32.46/drivers/atm/suni.c 2011-03-27 14:31:47.000000000 -0400
28504 -+++ linux-2.6.32.46/drivers/atm/suni.c 2011-04-17 15:56:46.000000000 -0400
28505 -@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
28506 -
28507 -
28508 - #define ADD_LIMITED(s,v) \
28509 -- atomic_add((v),&stats->s); \
28510 -- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
28511 -+ atomic_add_unchecked((v),&stats->s); \
28512 -+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
28513 -
28514 -
28515 - static void suni_hz(unsigned long from_timer)
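Review bot: `ADD_LIMITED(s,v)` expands to two bare statements (the add, then an `if`), so under an unbraced `if` only the add is guarded, and a following `else` would bind to the macro's own `if`. Wrapping the body in `do { ... } while (0)` avoids both. The add, read and set are also three separate atomic operations, so a concurrent reader can see the negative value before it is clamped to `INT_MAX`. The `< 0` test relies on the add wrapping, which is why these sites need the `_unchecked` variants; a short comment stating that would help.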
28516 -diff -urNp linux-2.6.32.46/drivers/atm/uPD98402.c linux-2.6.32.46/drivers/atm/uPD98402.c
28517 ---- linux-2.6.32.46/drivers/atm/uPD98402.c 2011-03-27 14:31:47.000000000 -0400
28518 -+++ linux-2.6.32.46/drivers/atm/uPD98402.c 2011-04-17 15:56:46.000000000 -0400
28519 -@@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
28520 - struct sonet_stats tmp;
28521 - int error = 0;
28522 -
28523 -- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28524 -+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28525 - sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
28526 - if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
28527 - if (zero && !error) {
28528 -@@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
28529 -
28530 -
28531 - #define ADD_LIMITED(s,v) \
28532 -- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
28533 -- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
28534 -- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28535 -+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
28536 -+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
28537 -+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28538 -
28539 -
28540 - static void stat_event(struct atm_dev *dev)
28541 -@@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
28542 - if (reason & uPD98402_INT_PFM) stat_event(dev);
28543 - if (reason & uPD98402_INT_PCO) {
28544 - (void) GET(PCOCR); /* clear interrupt cause */
28545 -- atomic_add(GET(HECCT),
28546 -+ atomic_add_unchecked(GET(HECCT),
28547 - &PRIV(dev)->sonet_stats.uncorr_hcs);
28548 - }
28549 - if ((reason & uPD98402_INT_RFO) &&
28550 -@@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
28551 - PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
28552 - uPD98402_INT_LOS),PIMR); /* enable them */
28553 - (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
28554 -- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28555 -- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
28556 -- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
28557 -+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28558 -+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
28559 -+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
28560 - return 0;
28561 - }
28562 -
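Review bot: `uPD98402_start()` sets `corr_hcs`, `tx_cells` and `rx_cells` to -1 with no comment on what the sentinel means. The `ADD_LIMITED` macro earlier in this file treats any negative value as an overflow and clamps it to `INT_MAX`, so it is worth documenting that these three counters are never passed through it and that -1 is a marker, not a count.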
28563 -diff -urNp linux-2.6.32.46/drivers/atm/zatm.c linux-2.6.32.46/drivers/atm/zatm.c
28564 ---- linux-2.6.32.46/drivers/atm/zatm.c 2011-03-27 14:31:47.000000000 -0400
28565 -+++ linux-2.6.32.46/drivers/atm/zatm.c 2011-04-17 15:56:46.000000000 -0400
28566 -@@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28567 - }
28568 - if (!size) {
28569 - dev_kfree_skb_irq(skb);
28570 -- if (vcc) atomic_inc(&vcc->stats->rx_err);
28571 -+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
28572 - continue;
28573 - }
28574 - if (!atm_charge(vcc,skb->truesize)) {
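Review bot: the `!size` branch guards the counter with `if (vcc)`, which implies `vcc` can be NULL at this point, yet the next line shown passes `vcc` to `atm_charge()` unguarded and the following hunk calls `vcc->push()` and touches `vcc->stats->rx`. If `vcc` really can be NULL here, the non-error path needs the same check; if it cannot, the `if (vcc)` on the `rx_err` line is dead and could be dropped for clarity.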
28575 -@@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28576 - skb->len = size;
28577 - ATM_SKB(skb)->vcc = vcc;
28578 - vcc->push(vcc,skb);
28579 -- atomic_inc(&vcc->stats->rx);
28580 -+ atomic_inc_unchecked(&vcc->stats->rx);
28581 - }
28582 - zout(pos & 0xffff,MTA(mbx));
28583 - #if 0 /* probably a stupid idea */
28584 -@@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
28585 - skb_queue_head(&zatm_vcc->backlog,skb);
28586 - break;
28587 - }
28588 -- atomic_inc(&vcc->stats->tx);
28589 -+ atomic_inc_unchecked(&vcc->stats->tx);
28590 - wake_up(&zatm_vcc->tx_wait);
28591 - }
28592 -
28593 -diff -urNp linux-2.6.32.46/drivers/base/bus.c linux-2.6.32.46/drivers/base/bus.c
28594 ---- linux-2.6.32.46/drivers/base/bus.c 2011-03-27 14:31:47.000000000 -0400
28595 -+++ linux-2.6.32.46/drivers/base/bus.c 2011-04-17 15:56:46.000000000 -0400
28596 -@@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
28597 - return ret;
28598 - }
28599 -
28600 --static struct sysfs_ops driver_sysfs_ops = {
28601 -+static const struct sysfs_ops driver_sysfs_ops = {
28602 - .show = drv_attr_show,
28603 - .store = drv_attr_store,
28604 - };
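Review bot: making `driver_sysfs_ops` (and the other ops tables in the following hunks) `const` only compiles without a discarded-qualifier warning if the pointer members that receive them are `const`-qualified as well, and that declaration is not part of this file's hunks. Confirm that the header change is in the same patch, and that no code path writes to these tables after initialisation.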
28605 -@@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
28606 - return ret;
28607 - }
28608 -
28609 --static struct sysfs_ops bus_sysfs_ops = {
28610 -+static const struct sysfs_ops bus_sysfs_ops = {
28611 - .show = bus_attr_show,
28612 - .store = bus_attr_store,
28613 - };
28614 -@@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
28615 - return 0;
28616 - }
28617 -
28618 --static struct kset_uevent_ops bus_uevent_ops = {
28619 -+static const struct kset_uevent_ops bus_uevent_ops = {
28620 - .filter = bus_uevent_filter,
28621 - };
28622 -
28623 -diff -urNp linux-2.6.32.46/drivers/base/class.c linux-2.6.32.46/drivers/base/class.c
28624 ---- linux-2.6.32.46/drivers/base/class.c 2011-03-27 14:31:47.000000000 -0400
28625 -+++ linux-2.6.32.46/drivers/base/class.c 2011-04-17 15:56:46.000000000 -0400
28626 -@@ -63,7 +63,7 @@ static void class_release(struct kobject
28627 - kfree(cp);
28628 - }
28629 -
28630 --static struct sysfs_ops class_sysfs_ops = {
28631 -+static const struct sysfs_ops class_sysfs_ops = {
28632 - .show = class_attr_show,
28633 - .store = class_attr_store,
28634 - };
28635 -diff -urNp linux-2.6.32.46/drivers/base/core.c linux-2.6.32.46/drivers/base/core.c
28636 ---- linux-2.6.32.46/drivers/base/core.c 2011-03-27 14:31:47.000000000 -0400
28637 -+++ linux-2.6.32.46/drivers/base/core.c 2011-04-17 15:56:46.000000000 -0400
28638 -@@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
28639 - return ret;
28640 - }
28641 -
28642 --static struct sysfs_ops dev_sysfs_ops = {
28643 -+static const struct sysfs_ops dev_sysfs_ops = {
28644 - .show = dev_attr_show,
28645 - .store = dev_attr_store,
28646 - };
28647 -@@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
28648 - return retval;
28649 - }
28650 -
28651 --static struct kset_uevent_ops device_uevent_ops = {
28652 -+static const struct kset_uevent_ops device_uevent_ops = {
28653 - .filter = dev_uevent_filter,
28654 - .name = dev_uevent_name,
28655 - .uevent = dev_uevent,
28656 -diff -urNp linux-2.6.32.46/drivers/base/memory.c linux-2.6.32.46/drivers/base/memory.c
28657 ---- linux-2.6.32.46/drivers/base/memory.c 2011-03-27 14:31:47.000000000 -0400
28658 -+++ linux-2.6.32.46/drivers/base/memory.c 2011-04-17 15:56:46.000000000 -0400
28659 -@@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
28660 - return retval;
28661 - }
28662 -
28663 --static struct kset_uevent_ops memory_uevent_ops = {
28664 -+static const struct kset_uevent_ops memory_uevent_ops = {
28665 - .name = memory_uevent_name,
28666 - .uevent = memory_uevent,
28667 - };
28668 -diff -urNp linux-2.6.32.46/drivers/base/sys.c linux-2.6.32.46/drivers/base/sys.c
28669 ---- linux-2.6.32.46/drivers/base/sys.c 2011-03-27 14:31:47.000000000 -0400
28670 -+++ linux-2.6.32.46/drivers/base/sys.c 2011-04-17 15:56:46.000000000 -0400
28671 -@@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
28672 - return -EIO;
28673 - }
28674 -
28675 --static struct sysfs_ops sysfs_ops = {
28676 -+static const struct sysfs_ops sysfs_ops = {
28677 - .show = sysdev_show,
28678 - .store = sysdev_store,
28679 - };
28680 -@@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
28681 - return -EIO;
28682 - }
28683 -
28684 --static struct sysfs_ops sysfs_class_ops = {
28685 -+static const struct sysfs_ops sysfs_class_ops = {
28686 - .show = sysdev_class_show,
28687 - .store = sysdev_class_store,
28688 - };
28689 -diff -urNp linux-2.6.32.46/drivers/block/DAC960.c linux-2.6.32.46/drivers/block/DAC960.c
28690 ---- linux-2.6.32.46/drivers/block/DAC960.c 2011-03-27 14:31:47.000000000 -0400
28691 -+++ linux-2.6.32.46/drivers/block/DAC960.c 2011-05-16 21:46:57.000000000 -0400
28692 -@@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
28693 - unsigned long flags;
28694 - int Channel, TargetID;
28695 -
28696 -+ pax_track_stack();
28697 -+
28698 - if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
28699 - DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
28700 - sizeof(DAC960_SCSI_Inquiry_T) +
28701 -diff -urNp linux-2.6.32.46/drivers/block/cciss.c linux-2.6.32.46/drivers/block/cciss.c
28702 ---- linux-2.6.32.46/drivers/block/cciss.c 2011-03-27 14:31:47.000000000 -0400
28703 -+++ linux-2.6.32.46/drivers/block/cciss.c 2011-08-05 20:33:55.000000000 -0400
28704 -@@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
28705 - int err;
28706 - u32 cp;
28707 -
28708 -+ memset(&arg64, 0, sizeof(arg64));
28709 -+
28710 - err = 0;
28711 - err |=
28712 - copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
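Review bot: the memset of arg64 at the top of cciss_ioctl32_passthru carries no comment, and nothing in the hunk says which bytes the field-by-field copy_from_user calls below leave unset. Add a one-line comment naming the reason (padding, or fields not filled from arg32) so the zeroing is not later removed as redundant.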
28713 -@@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
28714 - /* Wait (up to 20 seconds) for a command to complete */
28715 -
28716 - for (i = 20 * HZ; i > 0; i--) {
28717 -- done = hba[ctlr]->access.command_completed(hba[ctlr]);
28718 -+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
28719 - if (done == FIFO_EMPTY)
28720 - schedule_timeout_uninterruptible(1);
28721 - else
28722 -@@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
28723 - resend_cmd1:
28724 -
28725 - /* Disable interrupt on the board. */
28726 -- h->access.set_intr_mask(h, CCISS_INTR_OFF);
28727 -+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
28728 -
28729 - /* Make sure there is room in the command FIFO */
28730 - /* Actually it should be completely empty at this time */
28731 -@@ -2884,13 +2886,13 @@ resend_cmd1:
28732 - /* tape side of the driver. */
28733 - for (i = 200000; i > 0; i--) {
28734 - /* if fifo isn't full go */
28735 -- if (!(h->access.fifo_full(h)))
28736 -+ if (!(h->access->fifo_full(h)))
28737 - break;
28738 - udelay(10);
28739 - printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
28740 - " waiting!\n", h->ctlr);
28741 - }
28742 -- h->access.submit_command(h, c); /* Send the cmd */
28743 -+ h->access->submit_command(h, c); /* Send the cmd */
28744 - do {
28745 - complete = pollcomplete(h->ctlr);
28746 -
28747 -@@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
28748 - while (!hlist_empty(&h->reqQ)) {
28749 - c = hlist_entry(h->reqQ.first, CommandList_struct, list);
28750 - /* can't do anything if fifo is full */
28751 -- if ((h->access.fifo_full(h))) {
28752 -+ if ((h->access->fifo_full(h))) {
28753 - printk(KERN_WARNING "cciss: fifo full\n");
28754 - break;
28755 - }
28756 -@@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
28757 - h->Qdepth--;
28758 -
28759 - /* Tell the controller execute command */
28760 -- h->access.submit_command(h, c);
28761 -+ h->access->submit_command(h, c);
28762 -
28763 - /* Put job onto the completed Q */
28764 - addQ(&h->cmpQ, c);
28765 -@@ -3393,17 +3395,17 @@ startio:
28766 -
28767 - static inline unsigned long get_next_completion(ctlr_info_t *h)
28768 - {
28769 -- return h->access.command_completed(h);
28770 -+ return h->access->command_completed(h);
28771 - }
28772 -
28773 - static inline int interrupt_pending(ctlr_info_t *h)
28774 - {
28775 -- return h->access.intr_pending(h);
28776 -+ return h->access->intr_pending(h);
28777 - }
28778 -
28779 - static inline long interrupt_not_for_us(ctlr_info_t *h)
28780 - {
28781 -- return (((h->access.intr_pending(h) == 0) ||
28782 -+ return (((h->access->intr_pending(h) == 0) ||
28783 - (h->interrupts_enabled == 0)));
28784 - }
28785 -
28786 -@@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
28787 - */
28788 - c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
28789 - c->product_name = products[prod_index].product_name;
28790 -- c->access = *(products[prod_index].access);
28791 -+ c->access = products[prod_index].access;
28792 - c->nr_cmds = c->max_commands - 4;
28793 - if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
28794 - (readb(&c->cfgtable->Signature[1]) != 'I') ||
28795 -@@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
28796 - }
28797 -
28798 - /* make sure the board interrupts are off */
28799 -- hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
28800 -+ hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
28801 - if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
28802 - IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
28803 - printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
28804 -@@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
28805 - cciss_scsi_setup(i);
28806 -
28807 - /* Turn the interrupts on so we can service requests */
28808 -- hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
28809 -+ hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
28810 -
28811 - /* Get the firmware version */
28812 - inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
28813 -diff -urNp linux-2.6.32.46/drivers/block/cciss.h linux-2.6.32.46/drivers/block/cciss.h
28814 ---- linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:35:28.000000000 -0400
28815 -+++ linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:33:59.000000000 -0400
28816 -@@ -90,7 +90,7 @@ struct ctlr_info
28817 - // information about each logical volume
28818 - drive_info_struct *drv[CISS_MAX_LUN];
28819 -
28820 -- struct access_method access;
28821 -+ struct access_method *access;
28822 -
28823 - /* queue and queue Info */
28824 - struct hlist_head reqQ;
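Review bot: the new access field in struct ctlr_info is a plain `struct access_method *`, so every controller now shares the products[] entry assigned in cciss_pci_init and nothing stops a write through h->access from changing the methods for all of them. Declare it `const struct access_method *access;` so the shared table can only be read through this pointer, and make the same change to the matching field in cpqarray.h.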
28825 -diff -urNp linux-2.6.32.46/drivers/block/cpqarray.c linux-2.6.32.46/drivers/block/cpqarray.c
28826 ---- linux-2.6.32.46/drivers/block/cpqarray.c 2011-03-27 14:31:47.000000000 -0400
28827 -+++ linux-2.6.32.46/drivers/block/cpqarray.c 2011-08-05 20:33:55.000000000 -0400
28828 -@@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
28829 - if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
28830 - goto Enomem4;
28831 - }
28832 -- hba[i]->access.set_intr_mask(hba[i], 0);
28833 -+ hba[i]->access->set_intr_mask(hba[i], 0);
28834 - if (request_irq(hba[i]->intr, do_ida_intr,
28835 - IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
28836 - {
28837 -@@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
28838 - add_timer(&hba[i]->timer);
28839 -
28840 - /* Enable IRQ now that spinlock and rate limit timer are set up */
28841 -- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28842 -+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28843 -
28844 - for(j=0; j<NWD; j++) {
28845 - struct gendisk *disk = ida_gendisk[i][j];
28846 -@@ -695,7 +695,7 @@ DBGINFO(
28847 - for(i=0; i<NR_PRODUCTS; i++) {
28848 - if (board_id == products[i].board_id) {
28849 - c->product_name = products[i].product_name;
28850 -- c->access = *(products[i].access);
28851 -+ c->access = products[i].access;
28852 - break;
28853 - }
28854 - }
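Review bot: in this lookup loop c->access is assigned only when board_id matches a products[] entry, and with the field now a pointer a miss leaves it unset. The code after the loop is not visible here; confirm the no-match path returns an error before any `h->access->...` call can run, or add an explicit NULL check.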
28855 -@@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
28856 - hba[ctlr]->intr = intr;
28857 - sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
28858 - hba[ctlr]->product_name = products[j].product_name;
28859 -- hba[ctlr]->access = *(products[j].access);
28860 -+ hba[ctlr]->access = products[j].access;
28861 - hba[ctlr]->ctlr = ctlr;
28862 - hba[ctlr]->board_id = board_id;
28863 - hba[ctlr]->pci_dev = NULL; /* not PCI */
28864 -@@ -896,6 +896,8 @@ static void do_ida_request(struct reques
28865 - struct scatterlist tmp_sg[SG_MAX];
28866 - int i, dir, seg;
28867 -
28868 -+ pax_track_stack();
28869 -+
28870 - if (blk_queue_plugged(q))
28871 - goto startio;
28872 -
28873 -@@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
28874 -
28875 - while((c = h->reqQ) != NULL) {
28876 - /* Can't do anything if we're busy */
28877 -- if (h->access.fifo_full(h) == 0)
28878 -+ if (h->access->fifo_full(h) == 0)
28879 - return;
28880 -
28881 - /* Get the first entry from the request Q */
28882 -@@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
28883 - h->Qdepth--;
28884 -
28885 - /* Tell the controller to do our bidding */
28886 -- h->access.submit_command(h, c);
28887 -+ h->access->submit_command(h, c);
28888 -
28889 - /* Get onto the completion Q */
28890 - addQ(&h->cmpQ, c);
28891 -@@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
28892 - unsigned long flags;
28893 - __u32 a,a1;
28894 -
28895 -- istat = h->access.intr_pending(h);
28896 -+ istat = h->access->intr_pending(h);
28897 - /* Is this interrupt for us? */
28898 - if (istat == 0)
28899 - return IRQ_NONE;
28900 -@@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
28901 - */
28902 - spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
28903 - if (istat & FIFO_NOT_EMPTY) {
28904 -- while((a = h->access.command_completed(h))) {
28905 -+ while((a = h->access->command_completed(h))) {
28906 - a1 = a; a &= ~3;
28907 - if ((c = h->cmpQ) == NULL)
28908 - {
28909 -@@ -1434,11 +1436,11 @@ static int sendcmd(
28910 - /*
28911 - * Disable interrupt
28912 - */
28913 -- info_p->access.set_intr_mask(info_p, 0);
28914 -+ info_p->access->set_intr_mask(info_p, 0);
28915 - /* Make sure there is room in the command FIFO */
28916 - /* Actually it should be completely empty at this time. */
28917 - for (i = 200000; i > 0; i--) {
28918 -- temp = info_p->access.fifo_full(info_p);
28919 -+ temp = info_p->access->fifo_full(info_p);
28920 - if (temp != 0) {
28921 - break;
28922 - }
28923 -@@ -1451,7 +1453,7 @@ DBG(
28924 - /*
28925 - * Send the cmd
28926 - */
28927 -- info_p->access.submit_command(info_p, c);
28928 -+ info_p->access->submit_command(info_p, c);
28929 - complete = pollcomplete(ctlr);
28930 -
28931 - pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
28932 -@@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
28933 - * we check the new geometry. Then turn interrupts back on when
28934 - * we're done.
28935 - */
28936 -- host->access.set_intr_mask(host, 0);
28937 -+ host->access->set_intr_mask(host, 0);
28938 - getgeometry(ctlr);
28939 -- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
28940 -+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
28941 -
28942 - for(i=0; i<NWD; i++) {
28943 - struct gendisk *disk = ida_gendisk[ctlr][i];
28944 -@@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
28945 - /* Wait (up to 2 seconds) for a command to complete */
28946 -
28947 - for (i = 200000; i > 0; i--) {
28948 -- done = hba[ctlr]->access.command_completed(hba[ctlr]);
28949 -+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
28950 - if (done == 0) {
28951 - udelay(10); /* a short fixed delay */
28952 - } else
28953 -diff -urNp linux-2.6.32.46/drivers/block/cpqarray.h linux-2.6.32.46/drivers/block/cpqarray.h
28954 ---- linux-2.6.32.46/drivers/block/cpqarray.h 2011-03-27 14:31:47.000000000 -0400
28955 -+++ linux-2.6.32.46/drivers/block/cpqarray.h 2011-08-05 20:33:55.000000000 -0400
28956 -@@ -99,7 +99,7 @@ struct ctlr_info {
28957 - drv_info_t drv[NWD];
28958 - struct proc_dir_entry *proc;
28959 -
28960 -- struct access_method access;
28961 -+ struct access_method *access;
28962 -
28963 - cmdlist_t *reqQ;
28964 - cmdlist_t *cmpQ;
28965 -diff -urNp linux-2.6.32.46/drivers/block/loop.c linux-2.6.32.46/drivers/block/loop.c
28966 ---- linux-2.6.32.46/drivers/block/loop.c 2011-06-25 12:55:34.000000000 -0400
28967 -+++ linux-2.6.32.46/drivers/block/loop.c 2011-10-06 09:37:14.000000000 -0400
28968 -@@ -282,7 +282,7 @@ static int __do_lo_send_write(struct fil
28969 - mm_segment_t old_fs = get_fs();
28970 -
28971 - set_fs(get_ds());
28972 -- bw = file->f_op->write(file, buf, len, &pos);
28973 -+ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
28974 - set_fs(old_fs);
28975 - if (likely(bw == len))
28976 - return 0;
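Review bot: the `(const char __force_user *)` cast on buf in __do_lo_send_write is correct only because of the set_fs(get_ds()) on the line above it, and the hunk does not say so. Add a comment at the cast, so that a later change to the set_fs()/set_fs(old_fs) pair does not leave a kernel pointer annotated as a user pointer.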
28977 -diff -urNp linux-2.6.32.46/drivers/block/nbd.c linux-2.6.32.46/drivers/block/nbd.c
28978 ---- linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
28979 -+++ linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
28980 -@@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
28981 - struct kvec iov;
28982 - sigset_t blocked, oldset;
28983 -
28984 -+ pax_track_stack();
28985 -+
28986 - if (unlikely(!sock)) {
28987 - printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28988 - lo->disk->disk_name, (send ? "send" : "recv"));
28989 -@@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
28990 - static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28991 - unsigned int cmd, unsigned long arg)
28992 - {
28993 -+ pax_track_stack();
28994 -+
28995 - switch (cmd) {
28996 - case NBD_DISCONNECT: {
28997 - struct request sreq;
28998 -diff -urNp linux-2.6.32.46/drivers/block/pktcdvd.c linux-2.6.32.46/drivers/block/pktcdvd.c
28999 ---- linux-2.6.32.46/drivers/block/pktcdvd.c 2011-03-27 14:31:47.000000000 -0400
29000 -+++ linux-2.6.32.46/drivers/block/pktcdvd.c 2011-04-17 15:56:46.000000000 -0400
29001 -@@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
29002 - return len;
29003 - }
29004 -
29005 --static struct sysfs_ops kobj_pkt_ops = {
29006 -+static const struct sysfs_ops kobj_pkt_ops = {
29007 - .show = kobj_pkt_show,
29008 - .store = kobj_pkt_store
29009 - };
29010 -diff -urNp linux-2.6.32.46/drivers/char/Kconfig linux-2.6.32.46/drivers/char/Kconfig
29011 ---- linux-2.6.32.46/drivers/char/Kconfig 2011-03-27 14:31:47.000000000 -0400
29012 -+++ linux-2.6.32.46/drivers/char/Kconfig 2011-04-18 19:20:15.000000000 -0400
29013 -@@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
29014 -
29015 - config DEVKMEM
29016 - bool "/dev/kmem virtual device support"
29017 -- default y
29018 -+ default n
29019 -+ depends on !GRKERNSEC_KMEM
29020 - help
29021 - Say Y here if you want to support the /dev/kmem device. The
29022 - /dev/kmem device is rarely used, but can be used for certain
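Review bot: DEVKMEM gets both `default n` and `depends on !GRKERNSEC_KMEM`, while the DEVPORT hunk that follows adds only the depends line and keeps `default y`. The `default n` also changes the outcome for configurations that do not enable GRKERNSEC_KMEM; if that is intended, state it in the help text, which still reads as before, otherwise keep the default and rely on the dependency as DEVPORT does.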
29023 -@@ -1114,6 +1115,7 @@ config DEVPORT
29024 - bool
29025 - depends on !M68K
29026 - depends on ISA || PCI
29027 -+ depends on !GRKERNSEC_KMEM
29028 - default y
29029 -
29030 - source "drivers/s390/char/Kconfig"
29031 -diff -urNp linux-2.6.32.46/drivers/char/agp/frontend.c linux-2.6.32.46/drivers/char/agp/frontend.c
29032 ---- linux-2.6.32.46/drivers/char/agp/frontend.c 2011-03-27 14:31:47.000000000 -0400
29033 -+++ linux-2.6.32.46/drivers/char/agp/frontend.c 2011-04-17 15:56:46.000000000 -0400
29034 -@@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
29035 - if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
29036 - return -EFAULT;
29037 -
29038 -- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
29039 -+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
29040 - return -EFAULT;
29041 -
29042 - client = agp_find_client_by_pid(reserve.pid);
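Review bot: the seg_count bound in agpioc_reserve_wrap now divides by sizeof(struct agp_segment_priv) only, and the allocations this check guards are not visible in the hunk. If seg_count is also multiplied by sizeof(struct agp_segment) for the copy from user space, bound it against the larger of the two sizes, or replace the open-coded division with an overflow-checked array allocation such as kcalloc.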
29043 -diff -urNp linux-2.6.32.46/drivers/char/briq_panel.c linux-2.6.32.46/drivers/char/briq_panel.c
29044 ---- linux-2.6.32.46/drivers/char/briq_panel.c 2011-03-27 14:31:47.000000000 -0400
29045 -+++ linux-2.6.32.46/drivers/char/briq_panel.c 2011-04-18 19:48:57.000000000 -0400
29046 -@@ -10,6 +10,7 @@
29047 - #include <linux/types.h>
29048 - #include <linux/errno.h>
29049 - #include <linux/tty.h>
29050 -+#include <linux/mutex.h>
29051 - #include <linux/timer.h>
29052 - #include <linux/kernel.h>
29053 - #include <linux/wait.h>
29054 -@@ -36,6 +37,7 @@ static int vfd_is_open;
29055 - static unsigned char vfd[40];
29056 - static int vfd_cursor;
29057 - static unsigned char ledpb, led;
29058 -+static DEFINE_MUTEX(vfd_mutex);
29059 -
29060 - static void update_vfd(void)
29061 - {
29062 -@@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
29063 - if (!vfd_is_open)
29064 - return -EBUSY;
29065 -
29066 -+ mutex_lock(&vfd_mutex);
29067 - for (;;) {
29068 - char c;
29069 - if (!indx)
29070 - break;
29071 -- if (get_user(c, buf))
29072 -+ if (get_user(c, buf)) {
29073 -+ mutex_unlock(&vfd_mutex);
29074 - return -EFAULT;
29075 -+ }
29076 - if (esc) {
29077 - set_led(c);
29078 - esc = 0;
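Review bot: vfd_is_open is still tested before mutex_lock(&vfd_mutex) in briq_panel_write, so the open check is not covered by the new lock, and the get_user failure path now needs its own mutex_unlock inside the loop. Consider a ret variable and a single unlock at an out: label, so a later early return cannot leave vfd_mutex held.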
29079 -@@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
29080 - buf++;
29081 - }
29082 - update_vfd();
29083 -+ mutex_unlock(&vfd_mutex);
29084 -
29085 - return len;
29086 - }
29087 -diff -urNp linux-2.6.32.46/drivers/char/genrtc.c linux-2.6.32.46/drivers/char/genrtc.c
29088 ---- linux-2.6.32.46/drivers/char/genrtc.c 2011-03-27 14:31:47.000000000 -0400
29089 -+++ linux-2.6.32.46/drivers/char/genrtc.c 2011-04-18 19:45:42.000000000 -0400
29090 -@@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
29091 - switch (cmd) {
29092 -
29093 - case RTC_PLL_GET:
29094 -+ memset(&pll, 0, sizeof(pll));
29095 - if (get_rtc_pll(&pll))
29096 - return -EINVAL;
29097 - else
29098 -diff -urNp linux-2.6.32.46/drivers/char/hpet.c linux-2.6.32.46/drivers/char/hpet.c
29099 ---- linux-2.6.32.46/drivers/char/hpet.c 2011-03-27 14:31:47.000000000 -0400
29100 -+++ linux-2.6.32.46/drivers/char/hpet.c 2011-04-23 12:56:11.000000000 -0400
29101 -@@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
29102 - return 0;
29103 - }
29104 -
29105 --static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
29106 -+static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
29107 -
29108 - static int
29109 - hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
29110 -@@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
29111 - }
29112 -
29113 - static int
29114 --hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
29115 -+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
29116 - {
29117 - struct hpet_timer __iomem *timer;
29118 - struct hpet __iomem *hpet;
29119 -@@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
29120 - {
29121 - struct hpet_info info;
29122 -
29123 -+ memset(&info, 0, sizeof(info));
29124 -+
29125 - if (devp->hd_ireqfreq)
29126 - info.hi_ireqfreq =
29127 - hpet_time_div(hpetp, devp->hd_ireqfreq);
29128 -- else
29129 -- info.hi_ireqfreq = 0;
29130 - info.hi_flags =
29131 - readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
29132 - info.hi_hpet = hpetp->hp_which;
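Review bot: dropping the else branch makes info.hi_ireqfreq depend on the memset added at the top of the block, and nothing in the hunk ties the two together. A short comment at the memset saying it zeroes the whole struct hpet_info, including anything not assigned below, would keep a later cleanup from removing one without the other.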
29133 -diff -urNp linux-2.6.32.46/drivers/char/hvc_beat.c linux-2.6.32.46/drivers/char/hvc_beat.c
29134 ---- linux-2.6.32.46/drivers/char/hvc_beat.c 2011-03-27 14:31:47.000000000 -0400
29135 -+++ linux-2.6.32.46/drivers/char/hvc_beat.c 2011-04-17 15:56:46.000000000 -0400
29136 -@@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
29137 - return cnt;
29138 - }
29139 -
29140 --static struct hv_ops hvc_beat_get_put_ops = {
29141 -+static const struct hv_ops hvc_beat_get_put_ops = {
29142 - .get_chars = hvc_beat_get_chars,
29143 - .put_chars = hvc_beat_put_chars,
29144 - };
29145 -diff -urNp linux-2.6.32.46/drivers/char/hvc_console.c linux-2.6.32.46/drivers/char/hvc_console.c
29146 ---- linux-2.6.32.46/drivers/char/hvc_console.c 2011-03-27 14:31:47.000000000 -0400
29147 -+++ linux-2.6.32.46/drivers/char/hvc_console.c 2011-04-17 15:56:46.000000000 -0400
29148 -@@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
29149 - * console interfaces but can still be used as a tty device. This has to be
29150 - * static because kmalloc will not work during early console init.
29151 - */
29152 --static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29153 -+static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29154 - static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
29155 - {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
29156 -
29157 -@@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
29158 - * vty adapters do NOT get an hvc_instantiate() callback since they
29159 - * appear after early console init.
29160 - */
29161 --int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
29162 -+int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
29163 - {
29164 - struct hvc_struct *hp;
29165 -
29166 -@@ -756,7 +756,7 @@ static const struct tty_operations hvc_o
29167 - };
29168 -
29169 - struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
29170 -- struct hv_ops *ops, int outbuf_size)
29171 -+ const struct hv_ops *ops, int outbuf_size)
29172 - {
29173 - struct hvc_struct *hp;
29174 - int i;
29175 -diff -urNp linux-2.6.32.46/drivers/char/hvc_console.h linux-2.6.32.46/drivers/char/hvc_console.h
29176 ---- linux-2.6.32.46/drivers/char/hvc_console.h 2011-03-27 14:31:47.000000000 -0400
29177 -+++ linux-2.6.32.46/drivers/char/hvc_console.h 2011-04-17 15:56:46.000000000 -0400
29178 -@@ -55,7 +55,7 @@ struct hvc_struct {
29179 - int outbuf_size;
29180 - int n_outbuf;
29181 - uint32_t vtermno;
29182 -- struct hv_ops *ops;
29183 -+ const struct hv_ops *ops;
29184 - int irq_requested;
29185 - int data;
29186 - struct winsize ws;
29187 -@@ -76,11 +76,11 @@ struct hv_ops {
29188 - };
29189 -
29190 - /* Register a vterm and a slot index for use as a console (console_init) */
29191 --extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
29192 -+extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
29193 -
29194 - /* register a vterm for hvc tty operation (module_init or hotplug add) */
29195 - extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
29196 -- struct hv_ops *ops, int outbuf_size);
29197 -+ const struct hv_ops *ops, int outbuf_size);
29198 - /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
29199 - extern int hvc_remove(struct hvc_struct *hp);
29200 -
29201 -diff -urNp linux-2.6.32.46/drivers/char/hvc_iseries.c linux-2.6.32.46/drivers/char/hvc_iseries.c
29202 ---- linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-03-27 14:31:47.000000000 -0400
29203 -+++ linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-04-17 15:56:46.000000000 -0400
29204 -@@ -197,7 +197,7 @@ done:
29205 - return sent;
29206 - }
29207 -
29208 --static struct hv_ops hvc_get_put_ops = {
29209 -+static const struct hv_ops hvc_get_put_ops = {
29210 - .get_chars = get_chars,
29211 - .put_chars = put_chars,
29212 - .notifier_add = notifier_add_irq,
29213 -diff -urNp linux-2.6.32.46/drivers/char/hvc_iucv.c linux-2.6.32.46/drivers/char/hvc_iucv.c
29214 ---- linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-03-27 14:31:47.000000000 -0400
29215 -+++ linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-04-17 15:56:46.000000000 -0400
29216 -@@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
29217 -
29218 -
29219 - /* HVC operations */
29220 --static struct hv_ops hvc_iucv_ops = {
29221 -+static const struct hv_ops hvc_iucv_ops = {
29222 - .get_chars = hvc_iucv_get_chars,
29223 - .put_chars = hvc_iucv_put_chars,
29224 - .notifier_add = hvc_iucv_notifier_add,
29225 -diff -urNp linux-2.6.32.46/drivers/char/hvc_rtas.c linux-2.6.32.46/drivers/char/hvc_rtas.c
29226 ---- linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-03-27 14:31:47.000000000 -0400
29227 -+++ linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-04-17 15:56:46.000000000 -0400
29228 -@@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
29229 - return i;
29230 - }
29231 -
29232 --static struct hv_ops hvc_rtas_get_put_ops = {
29233 -+static const struct hv_ops hvc_rtas_get_put_ops = {
29234 - .get_chars = hvc_rtas_read_console,
29235 - .put_chars = hvc_rtas_write_console,
29236 - };
29237 -diff -urNp linux-2.6.32.46/drivers/char/hvc_udbg.c linux-2.6.32.46/drivers/char/hvc_udbg.c
29238 ---- linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-03-27 14:31:47.000000000 -0400
29239 -+++ linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-04-17 15:56:46.000000000 -0400
29240 -@@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
29241 - return i;
29242 - }
29243 -
29244 --static struct hv_ops hvc_udbg_ops = {
29245 -+static const struct hv_ops hvc_udbg_ops = {
29246 - .get_chars = hvc_udbg_get,
29247 - .put_chars = hvc_udbg_put,
29248 - };
29249 -diff -urNp linux-2.6.32.46/drivers/char/hvc_vio.c linux-2.6.32.46/drivers/char/hvc_vio.c
29250 ---- linux-2.6.32.46/drivers/char/hvc_vio.c 2011-03-27 14:31:47.000000000 -0400
29251 -+++ linux-2.6.32.46/drivers/char/hvc_vio.c 2011-04-17 15:56:46.000000000 -0400
29252 -@@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
29253 - return got;
29254 - }
29255 -
29256 --static struct hv_ops hvc_get_put_ops = {
29257 -+static const struct hv_ops hvc_get_put_ops = {
29258 - .get_chars = filtered_get_chars,
29259 - .put_chars = hvc_put_chars,
29260 - .notifier_add = notifier_add_irq,
29261 -diff -urNp linux-2.6.32.46/drivers/char/hvc_xen.c linux-2.6.32.46/drivers/char/hvc_xen.c
29262 ---- linux-2.6.32.46/drivers/char/hvc_xen.c 2011-03-27 14:31:47.000000000 -0400
29263 -+++ linux-2.6.32.46/drivers/char/hvc_xen.c 2011-04-17 15:56:46.000000000 -0400
29264 -@@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
29265 - return recv;
29266 - }
29267 -
29268 --static struct hv_ops hvc_ops = {
29269 -+static const struct hv_ops hvc_ops = {
29270 - .get_chars = read_console,
29271 - .put_chars = write_console,
29272 - .notifier_add = notifier_add_irq,
29273 -diff -urNp linux-2.6.32.46/drivers/char/hvcs.c linux-2.6.32.46/drivers/char/hvcs.c
29274 ---- linux-2.6.32.46/drivers/char/hvcs.c 2011-03-27 14:31:47.000000000 -0400
29275 -+++ linux-2.6.32.46/drivers/char/hvcs.c 2011-04-17 15:56:46.000000000 -0400
29276 -@@ -82,6 +82,7 @@
29277 - #include <asm/hvcserver.h>
29278 - #include <asm/uaccess.h>
29279 - #include <asm/vio.h>
29280 -+#include <asm/local.h>
29281 -
29282 - /*
29283 - * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
29284 -@@ -269,7 +270,7 @@ struct hvcs_struct {
29285 - unsigned int index;
29286 -
29287 - struct tty_struct *tty;
29288 -- int open_count;
29289 -+ local_t open_count;
29290 -
29291 - /*
29292 - * Used to tell the driver kernel_thread what operations need to take
29293 -@@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
29294 -
29295 - spin_lock_irqsave(&hvcsd->lock, flags);
29296 -
29297 -- if (hvcsd->open_count > 0) {
29298 -+ if (local_read(&hvcsd->open_count) > 0) {
29299 - spin_unlock_irqrestore(&hvcsd->lock, flags);
29300 - printk(KERN_INFO "HVCS: vterm state unchanged. "
29301 - "The hvcs device node is still in use.\n");
29302 -@@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
29303 - if ((retval = hvcs_partner_connect(hvcsd)))
29304 - goto error_release;
29305 -
29306 -- hvcsd->open_count = 1;
29307 -+ local_set(&hvcsd->open_count, 1);
29308 - hvcsd->tty = tty;
29309 - tty->driver_data = hvcsd;
29310 -
29311 -@@ -1169,7 +1170,7 @@ fast_open:
29312 -
29313 - spin_lock_irqsave(&hvcsd->lock, flags);
29314 - kref_get(&hvcsd->kref);
29315 -- hvcsd->open_count++;
29316 -+ local_inc(&hvcsd->open_count);
29317 - hvcsd->todo_mask |= HVCS_SCHED_READ;
29318 - spin_unlock_irqrestore(&hvcsd->lock, flags);
29319 -
29320 -@@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
29321 - hvcsd = tty->driver_data;
29322 -
29323 - spin_lock_irqsave(&hvcsd->lock, flags);
29324 -- if (--hvcsd->open_count == 0) {
29325 -+ if (local_dec_and_test(&hvcsd->open_count)) {
29326 -
29327 - vio_disable_interrupts(hvcsd->vdev);
29328 -
29329 -@@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
29330 - free_irq(irq, hvcsd);
29331 - kref_put(&hvcsd->kref, destroy_hvcs_struct);
29332 - return;
29333 -- } else if (hvcsd->open_count < 0) {
29334 -+ } else if (local_read(&hvcsd->open_count) < 0) {
29335 - printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
29336 - " is missmanaged.\n",
29337 -- hvcsd->vdev->unit_address, hvcsd->open_count);
29338 -+ hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
29339 - }
29340 -
29341 - spin_unlock_irqrestore(&hvcsd->lock, flags);
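Review bot: the printk in hvcs_close still uses %d for open_count, but the argument is now local_read(&hvcsd->open_count), which returns long. Change the conversion to %ld, or cast the value, to avoid a format mismatch on 64-bit builds.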
29342 -@@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
29343 -
29344 - spin_lock_irqsave(&hvcsd->lock, flags);
29345 - /* Preserve this so that we know how many kref refs to put */
29346 -- temp_open_count = hvcsd->open_count;
29347 -+ temp_open_count = local_read(&hvcsd->open_count);
29348 -
29349 - /*
29350 - * Don't kref put inside the spinlock because the destruction
29351 -@@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
29352 - hvcsd->tty->driver_data = NULL;
29353 - hvcsd->tty = NULL;
29354 -
29355 -- hvcsd->open_count = 0;
29356 -+ local_set(&hvcsd->open_count, 0);
29357 -
29358 - /* This will drop any buffered data on the floor which is OK in a hangup
29359 - * scenario. */
29360 -@@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
29361 - * the middle of a write operation? This is a crummy place to do this
29362 - * but we want to keep it all in the spinlock.
29363 - */
29364 -- if (hvcsd->open_count <= 0) {
29365 -+ if (local_read(&hvcsd->open_count) <= 0) {
29366 - spin_unlock_irqrestore(&hvcsd->lock, flags);
29367 - return -ENODEV;
29368 - }
29369 -@@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
29370 - {
29371 - struct hvcs_struct *hvcsd = tty->driver_data;
29372 -
29373 -- if (!hvcsd || hvcsd->open_count <= 0)
29374 -+ if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
29375 - return 0;
29376 -
29377 - return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
29378 -diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c
29379 ---- linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-03-27 14:31:47.000000000 -0400
29380 -+++ linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:46:57.000000000 -0400
29381 -@@ -414,7 +414,7 @@ struct ipmi_smi {
29382 - struct proc_dir_entry *proc_dir;
29383 - char proc_dir_name[10];
29384 -
29385 -- atomic_t stats[IPMI_NUM_STATS];
29386 -+ atomic_unchecked_t stats[IPMI_NUM_STATS];
29387 -
29388 - /*
29389 - * run_to_completion duplicate of smb_info, smi_info
29390 -@@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
29391 -
29392 -
29393 - #define ipmi_inc_stat(intf, stat) \
29394 -- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
29395 -+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
29396 - #define ipmi_get_stat(intf, stat) \
29397 -- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
29398 -+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
29399 -
29400 - static int is_lan_addr(struct ipmi_addr *addr)
29401 - {
29402 -@@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
29403 - INIT_LIST_HEAD(&intf->cmd_rcvrs);
29404 - init_waitqueue_head(&intf->waitq);
29405 - for (i = 0; i < IPMI_NUM_STATS; i++)
29406 -- atomic_set(&intf->stats[i], 0);
29407 -+ atomic_set_unchecked(&intf->stats[i], 0);
29408 -
29409 - intf->proc_dir = NULL;
29410 -
29411 -@@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
29412 - struct ipmi_smi_msg smi_msg;
29413 - struct ipmi_recv_msg recv_msg;
29414 -
29415 -+ pax_track_stack();
29416 -+
29417 - si = (struct ipmi_system_interface_addr *) &addr;
29418 - si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
29419 - si->channel = IPMI_BMC_CHANNEL;
29420 -diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c
29421 ---- linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-03-27 14:31:47.000000000 -0400
29422 -+++ linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:56:46.000000000 -0400
29423 -@@ -277,7 +277,7 @@ struct smi_info {
29424 - unsigned char slave_addr;
29425 -
29426 - /* Counters and things for the proc filesystem. */
29427 -- atomic_t stats[SI_NUM_STATS];
29428 -+ atomic_unchecked_t stats[SI_NUM_STATS];
29429 -
29430 - struct task_struct *thread;
29431 -
29432 -@@ -285,9 +285,9 @@ struct smi_info {
29433 - };
29434 -
29435 - #define smi_inc_stat(smi, stat) \
29436 -- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
29437 -+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
29438 - #define smi_get_stat(smi, stat) \
29439 -- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
29440 -+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
29441 -
29442 - #define SI_MAX_PARMS 4
29443 -
29444 -@@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
29445 - atomic_set(&new_smi->req_events, 0);
29446 - new_smi->run_to_completion = 0;
29447 - for (i = 0; i < SI_NUM_STATS; i++)
29448 -- atomic_set(&new_smi->stats[i], 0);
29449 -+ atomic_set_unchecked(&new_smi->stats[i], 0);
29450 -
29451 - new_smi->interrupt_disabled = 0;
29452 - atomic_set(&new_smi->stop_operation, 0);
29453 -diff -urNp linux-2.6.32.46/drivers/char/istallion.c linux-2.6.32.46/drivers/char/istallion.c
29454 ---- linux-2.6.32.46/drivers/char/istallion.c 2011-03-27 14:31:47.000000000 -0400
29455 -+++ linux-2.6.32.46/drivers/char/istallion.c 2011-05-16 21:46:57.000000000 -0400
29456 -@@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
29457 - * re-used for each stats call.
29458 - */
29459 - static comstats_t stli_comstats;
29460 --static combrd_t stli_brdstats;
29461 - static struct asystats stli_cdkstats;
29462 -
29463 - /*****************************************************************************/
29464 -@@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
29465 - {
29466 - struct stlibrd *brdp;
29467 - unsigned int i;
29468 -+ combrd_t stli_brdstats;
29469 -
29470 - if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
29471 - return -EFAULT;
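Review bot: the new on-stack combrd_t stli_brdstats in stli_getbrdstats() gets no pax_track_stack(), while the next two hunks in this file add pax_track_stack() to stli_getportstruct() and stli_getbrdstruct() for their on-stack structs. Either add the call here as well or note why combrd_t is small enough not to need it. Moving the buffer off the file-scope static is otherwise the right direction, since concurrent callers no longer share one copy_from_user() target.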
29472 -@@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
29473 - struct stliport stli_dummyport;
29474 - struct stliport *portp;
29475 -
29476 -+ pax_track_stack();
29477 -+
29478 - if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
29479 - return -EFAULT;
29480 - portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
29481 -@@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
29482 - struct stlibrd stli_dummybrd;
29483 - struct stlibrd *brdp;
29484 -
29485 -+ pax_track_stack();
29486 -+
29487 - if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
29488 - return -EFAULT;
29489 - if (stli_dummybrd.brdnr >= STL_MAXBRDS)
29490 -diff -urNp linux-2.6.32.46/drivers/char/keyboard.c linux-2.6.32.46/drivers/char/keyboard.c
29491 ---- linux-2.6.32.46/drivers/char/keyboard.c 2011-03-27 14:31:47.000000000 -0400
29492 -+++ linux-2.6.32.46/drivers/char/keyboard.c 2011-04-17 15:56:46.000000000 -0400
29493 -@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
29494 - kbd->kbdmode == VC_MEDIUMRAW) &&
29495 - value != KVAL(K_SAK))
29496 - return; /* SAK is allowed even in raw mode */
29497 -+
29498 -+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
29499 -+ {
29500 -+ void *func = fn_handler[value];
29501 -+ if (func == fn_show_state || func == fn_show_ptregs ||
29502 -+ func == fn_show_mem)
29503 -+ return;
29504 -+ }
29505 -+#endif
29506 -+
29507 - fn_handler[value](vc);
29508 - }
29509 -
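Review bot: the block added to k_spec() returns silently when the handler is fn_show_state, fn_show_ptregs or fn_show_mem, with no comment saying why these three are filtered under CONFIG_GRKERNSEC_PROC or CONFIG_GRKERNSEC_PROC_MEMMAP. Add a one-line comment stating the intent, and compare fn_handler[value] against the three handlers directly instead of storing a function pointer in void *func, which discards the type and relies on a function-to-object pointer conversion.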
29510 -@@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
29511 - .evbit = { BIT_MASK(EV_SND) },
29512 - },
29513 -
29514 -- { }, /* Terminating entry */
29515 -+ { 0 }, /* Terminating entry */
29516 - };
29517 -
29518 - MODULE_DEVICE_TABLE(input, kbd_ids);
29519 -diff -urNp linux-2.6.32.46/drivers/char/mem.c linux-2.6.32.46/drivers/char/mem.c
29520 ---- linux-2.6.32.46/drivers/char/mem.c 2011-03-27 14:31:47.000000000 -0400
29521 -+++ linux-2.6.32.46/drivers/char/mem.c 2011-04-17 15:56:46.000000000 -0400
29522 -@@ -18,6 +18,7 @@
29523 - #include <linux/raw.h>
29524 - #include <linux/tty.h>
29525 - #include <linux/capability.h>
29526 -+#include <linux/security.h>
29527 - #include <linux/ptrace.h>
29528 - #include <linux/device.h>
29529 - #include <linux/highmem.h>
29530 -@@ -35,6 +36,10 @@
29531 - # include <linux/efi.h>
29532 - #endif
29533 -
29534 -+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29535 -+extern struct file_operations grsec_fops;
29536 -+#endif
29537 -+
29538 - static inline unsigned long size_inside_page(unsigned long start,
29539 - unsigned long size)
29540 - {
29541 -@@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
29542 -
29543 - while (cursor < to) {
29544 - if (!devmem_is_allowed(pfn)) {
29545 -+#ifdef CONFIG_GRKERNSEC_KMEM
29546 -+ gr_handle_mem_readwrite(from, to);
29547 -+#else
29548 - printk(KERN_INFO
29549 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
29550 - current->comm, from, to);
29551 -+#endif
29552 - return 0;
29553 - }
29554 - cursor += PAGE_SIZE;
29555 -@@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
29556 - }
29557 - return 1;
29558 - }
29559 -+#elif defined(CONFIG_GRKERNSEC_KMEM)
29560 -+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29561 -+{
29562 -+ return 0;
29563 -+}
29564 - #else
29565 - static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29566 - {
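Review bot: the CONFIG_GRKERNSEC_KMEM variant of range_is_allowed() returns 0 for every range without logging, whereas the CONFIG_GRKERNSEC_KMEM path in the preceding hunk reports the attempt through gr_handle_mem_readwrite(from, to). If denied accesses are meant to be auditable in both configurations, report them here too; if the silent deny is intentional, a comment saying so would help.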
29567 -@@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
29568 - #endif
29569 -
29570 - while (count > 0) {
29571 -+ char *temp;
29572 -+
29573 - /*
29574 - * Handle first page in case it's not aligned
29575 - */
29576 -@@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
29577 - if (!ptr)
29578 - return -EFAULT;
29579 -
29580 -- if (copy_to_user(buf, ptr, sz)) {
29581 -+#ifdef CONFIG_PAX_USERCOPY
29582 -+ temp = kmalloc(sz, GFP_KERNEL);
29583 -+ if (!temp) {
29584 -+ unxlate_dev_mem_ptr(p, ptr);
29585 -+ return -ENOMEM;
29586 -+ }
29587 -+ memcpy(temp, ptr, sz);
29588 -+#else
29589 -+ temp = ptr;
29590 -+#endif
29591 -+
29592 -+ if (copy_to_user(buf, temp, sz)) {
29593 -+
29594 -+#ifdef CONFIG_PAX_USERCOPY
29595 -+ kfree(temp);
29596 -+#endif
29597 -+
29598 - unxlate_dev_mem_ptr(p, ptr);
29599 - return -EFAULT;
29600 - }
29601 -
29602 -+#ifdef CONFIG_PAX_USERCOPY
29603 -+ kfree(temp);
29604 -+#endif
29605 -+
29606 - unxlate_dev_mem_ptr(p, ptr);
29607 -
29608 - buf += sz;
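Review bot: kfree(temp) is repeated under #ifdef CONFIG_PAX_USERCOPY in both the copy_to_user() failure path and the success path of read_mem(). The read_kmem() hunk further down handles the same bounce buffer with a single free by saving the result first (err = copy_to_user(buf, temp, sz); then kfree(temp); then if (err)); using that shape here removes one #ifdef block and the risk of the two paths drifting apart. A short comment on why the data is bounced through kmalloc() before copy_to_user() would also help readers who do not know PAX_USERCOPY.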
29609 -@@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
29610 - size_t count, loff_t *ppos)
29611 - {
29612 - unsigned long p = *ppos;
29613 -- ssize_t low_count, read, sz;
29614 -+ ssize_t low_count, read, sz, err = 0;
29615 - char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
29616 -- int err = 0;
29617 -
29618 - read = 0;
29619 - if (p < (unsigned long) high_memory) {
29620 -@@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
29621 - }
29622 - #endif
29623 - while (low_count > 0) {
29624 -+ char *temp;
29625 -+
29626 - sz = size_inside_page(p, low_count);
29627 -
29628 - /*
29629 -@@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
29630 - */
29631 - kbuf = xlate_dev_kmem_ptr((char *)p);
29632 -
29633 -- if (copy_to_user(buf, kbuf, sz))
29634 -+#ifdef CONFIG_PAX_USERCOPY
29635 -+ temp = kmalloc(sz, GFP_KERNEL);
29636 -+ if (!temp)
29637 -+ return -ENOMEM;
29638 -+ memcpy(temp, kbuf, sz);
29639 -+#else
29640 -+ temp = kbuf;
29641 -+#endif
29642 -+
29643 -+ err = copy_to_user(buf, temp, sz);
29644 -+
29645 -+#ifdef CONFIG_PAX_USERCOPY
29646 -+ kfree(temp);
29647 -+#endif
29648 -+
29649 -+ if (err)
29650 - return -EFAULT;
29651 - buf += sz;
29652 - p += sz;
29653 -@@ -889,6 +941,9 @@ static const struct memdev {
29654 - #ifdef CONFIG_CRASH_DUMP
29655 - [12] = { "oldmem", 0, &oldmem_fops, NULL },
29656 - #endif
29657 -+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29658 -+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
29659 -+#endif
29660 - };
29661 -
29662 - static int memory_open(struct inode *inode, struct file *filp)
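Review bot: the new [13] entry registers "grsec" with mode S_IRUSR | S_IWUGO, which makes the node writable by every user. That is unusual enough for an entry in this table to deserve a comment saying it is deliberate and where access to it is actually checked. Style: add the missing space after the comma in "grsec",S_IRUSR.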
29663 -diff -urNp linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c
29664 ---- linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-03-27 14:31:47.000000000 -0400
29665 -+++ linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:56:46.000000000 -0400
29666 -@@ -29,6 +29,7 @@
29667 - #include <linux/tty_driver.h>
29668 - #include <linux/tty_flip.h>
29669 - #include <linux/uaccess.h>
29670 -+#include <asm/local.h>
29671 -
29672 - #include "tty.h"
29673 - #include "network.h"
29674 -@@ -51,7 +52,7 @@ struct ipw_tty {
29675 - int tty_type;
29676 - struct ipw_network *network;
29677 - struct tty_struct *linux_tty;
29678 -- int open_count;
29679 -+ local_t open_count;
29680 - unsigned int control_lines;
29681 - struct mutex ipw_tty_mutex;
29682 - int tx_bytes_queued;
29683 -@@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
29684 - mutex_unlock(&tty->ipw_tty_mutex);
29685 - return -ENODEV;
29686 - }
29687 -- if (tty->open_count == 0)
29688 -+ if (local_read(&tty->open_count) == 0)
29689 - tty->tx_bytes_queued = 0;
29690 -
29691 -- tty->open_count++;
29692 -+ local_inc(&tty->open_count);
29693 -
29694 - tty->linux_tty = linux_tty;
29695 - linux_tty->driver_data = tty;
29696 -@@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
29697 -
29698 - static void do_ipw_close(struct ipw_tty *tty)
29699 - {
29700 -- tty->open_count--;
29701 --
29702 -- if (tty->open_count == 0) {
29703 -+ if (local_dec_return(&tty->open_count) == 0) {
29704 - struct tty_struct *linux_tty = tty->linux_tty;
29705 -
29706 - if (linux_tty != NULL) {
29707 -@@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
29708 - return;
29709 -
29710 - mutex_lock(&tty->ipw_tty_mutex);
29711 -- if (tty->open_count == 0) {
29712 -+ if (local_read(&tty->open_count) == 0) {
29713 - mutex_unlock(&tty->ipw_tty_mutex);
29714 - return;
29715 - }
29716 -@@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
29717 - return;
29718 - }
29719 -
29720 -- if (!tty->open_count) {
29721 -+ if (!local_read(&tty->open_count)) {
29722 - mutex_unlock(&tty->ipw_tty_mutex);
29723 - return;
29724 - }
29725 -@@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
29726 - return -ENODEV;
29727 -
29728 - mutex_lock(&tty->ipw_tty_mutex);
29729 -- if (!tty->open_count) {
29730 -+ if (!local_read(&tty->open_count)) {
29731 - mutex_unlock(&tty->ipw_tty_mutex);
29732 - return -EINVAL;
29733 - }
29734 -@@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
29735 - if (!tty)
29736 - return -ENODEV;
29737 -
29738 -- if (!tty->open_count)
29739 -+ if (!local_read(&tty->open_count))
29740 - return -EINVAL;
29741 -
29742 - room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
29743 -@@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
29744 - if (!tty)
29745 - return 0;
29746 -
29747 -- if (!tty->open_count)
29748 -+ if (!local_read(&tty->open_count))
29749 - return 0;
29750 -
29751 - return tty->tx_bytes_queued;
29752 -@@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
29753 - if (!tty)
29754 - return -ENODEV;
29755 -
29756 -- if (!tty->open_count)
29757 -+ if (!local_read(&tty->open_count))
29758 - return -EINVAL;
29759 -
29760 - return get_control_lines(tty);
29761 -@@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
29762 - if (!tty)
29763 - return -ENODEV;
29764 -
29765 -- if (!tty->open_count)
29766 -+ if (!local_read(&tty->open_count))
29767 - return -EINVAL;
29768 -
29769 - return set_control_lines(tty, set, clear);
29770 -@@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
29771 - if (!tty)
29772 - return -ENODEV;
29773 -
29774 -- if (!tty->open_count)
29775 -+ if (!local_read(&tty->open_count))
29776 - return -EINVAL;
29777 -
29778 - /* FIXME: Exactly how is the tty object locked here .. */
29779 -@@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
29780 - against a parallel ioctl etc */
29781 - mutex_lock(&ttyj->ipw_tty_mutex);
29782 - }
29783 -- while (ttyj->open_count)
29784 -+ while (local_read(&ttyj->open_count))
29785 - do_ipw_close(ttyj);
29786 - ipwireless_disassociate_network_ttys(network,
29787 - ttyj->channel_idx);
29788 -diff -urNp linux-2.6.32.46/drivers/char/pty.c linux-2.6.32.46/drivers/char/pty.c
29789 ---- linux-2.6.32.46/drivers/char/pty.c 2011-03-27 14:31:47.000000000 -0400
29790 -+++ linux-2.6.32.46/drivers/char/pty.c 2011-08-05 20:33:55.000000000 -0400
29791 -@@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
29792 - register_sysctl_table(pty_root_table);
29793 -
29794 - /* Now create the /dev/ptmx special device */
29795 -+ pax_open_kernel();
29796 - tty_default_fops(&ptmx_fops);
29797 -- ptmx_fops.open = ptmx_open;
29798 -+ *(void **)&ptmx_fops.open = ptmx_open;
29799 -+ pax_close_kernel();
29800 -
29801 - cdev_init(&ptmx_cdev, &ptmx_fops);
29802 - if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
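Review bot: in unix98_pty_init() the store *(void **)&ptmx_fops.open = ptmx_open casts away the member's function-pointer type, so the compiler no longer checks that ptmx_open matches the .open prototype. Add a comment saying why ptmx_fops has to be written inside the pax_open_kernel()/pax_close_kernel() window, and consider a typed helper or macro for this pattern, since the same cast appears in the virtio_console.c hunks of this patch.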
29803 -diff -urNp linux-2.6.32.46/drivers/char/random.c linux-2.6.32.46/drivers/char/random.c
29804 ---- linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:37:25.000000000 -0400
29805 -+++ linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:43:23.000000000 -0400
29806 -@@ -254,8 +254,13 @@
29807 - /*
29808 - * Configuration information
29809 - */
29810 -+#ifdef CONFIG_GRKERNSEC_RANDNET
29811 -+#define INPUT_POOL_WORDS 512
29812 -+#define OUTPUT_POOL_WORDS 128
29813 -+#else
29814 - #define INPUT_POOL_WORDS 128
29815 - #define OUTPUT_POOL_WORDS 32
29816 -+#endif
29817 - #define SEC_XFER_SIZE 512
29818 -
29819 - /*
29820 -@@ -292,10 +297,17 @@ static struct poolinfo {
29821 - int poolwords;
29822 - int tap1, tap2, tap3, tap4, tap5;
29823 - } poolinfo_table[] = {
29824 -+#ifdef CONFIG_GRKERNSEC_RANDNET
29825 -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
29826 -+ { 512, 411, 308, 208, 104, 1 },
29827 -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
29828 -+ { 128, 103, 76, 51, 25, 1 },
29829 -+#else
29830 - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
29831 - { 128, 103, 76, 51, 25, 1 },
29832 - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
29833 - { 32, 26, 20, 14, 7, 1 },
29834 -+#endif
29835 - #if 0
29836 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
29837 - { 2048, 1638, 1231, 819, 411, 1 },
29838 -@@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
29839 - #include <linux/sysctl.h>
29840 -
29841 - static int min_read_thresh = 8, min_write_thresh;
29842 --static int max_read_thresh = INPUT_POOL_WORDS * 32;
29843 -+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
29844 - static int max_write_thresh = INPUT_POOL_WORDS * 32;
29845 - static char sysctl_bootid[16];
29846 -
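Review bot: the change of max_read_thresh from INPUT_POOL_WORDS * 32 to OUTPUT_POOL_WORDS * 32 sits outside the CONFIG_GRKERNSEC_RANDNET conditionals used by the two earlier hunks in this file, so it also lowers the limit on builds without that option (from 128 * 32 to 32 * 32 with the default pool sizes). If that is intended, say so in a comment or the changelog; if it is only meant for the enlarged pools, wrap it in the same #ifdef.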
29847 -diff -urNp linux-2.6.32.46/drivers/char/rocket.c linux-2.6.32.46/drivers/char/rocket.c
29848 ---- linux-2.6.32.46/drivers/char/rocket.c 2011-03-27 14:31:47.000000000 -0400
29849 -+++ linux-2.6.32.46/drivers/char/rocket.c 2011-05-16 21:46:57.000000000 -0400
29850 -@@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
29851 - struct rocket_ports tmp;
29852 - int board;
29853 -
29854 -+ pax_track_stack();
29855 -+
29856 - if (!retports)
29857 - return -EFAULT;
29858 - memset(&tmp, 0, sizeof (tmp));
29859 -diff -urNp linux-2.6.32.46/drivers/char/sonypi.c linux-2.6.32.46/drivers/char/sonypi.c
29860 ---- linux-2.6.32.46/drivers/char/sonypi.c 2011-03-27 14:31:47.000000000 -0400
29861 -+++ linux-2.6.32.46/drivers/char/sonypi.c 2011-04-17 15:56:46.000000000 -0400
29862 -@@ -55,6 +55,7 @@
29863 - #include <asm/uaccess.h>
29864 - #include <asm/io.h>
29865 - #include <asm/system.h>
29866 -+#include <asm/local.h>
29867 -
29868 - #include <linux/sonypi.h>
29869 -
29870 -@@ -491,7 +492,7 @@ static struct sonypi_device {
29871 - spinlock_t fifo_lock;
29872 - wait_queue_head_t fifo_proc_list;
29873 - struct fasync_struct *fifo_async;
29874 -- int open_count;
29875 -+ local_t open_count;
29876 - int model;
29877 - struct input_dev *input_jog_dev;
29878 - struct input_dev *input_key_dev;
29879 -@@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
29880 - static int sonypi_misc_release(struct inode *inode, struct file *file)
29881 - {
29882 - mutex_lock(&sonypi_device.lock);
29883 -- sonypi_device.open_count--;
29884 -+ local_dec(&sonypi_device.open_count);
29885 - mutex_unlock(&sonypi_device.lock);
29886 - return 0;
29887 - }
29888 -@@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
29889 - lock_kernel();
29890 - mutex_lock(&sonypi_device.lock);
29891 - /* Flush input queue on first open */
29892 -- if (!sonypi_device.open_count)
29893 -+ if (!local_read(&sonypi_device.open_count))
29894 - kfifo_reset(sonypi_device.fifo);
29895 -- sonypi_device.open_count++;
29896 -+ local_inc(&sonypi_device.open_count);
29897 - mutex_unlock(&sonypi_device.lock);
29898 - unlock_kernel();
29899 - return 0;
29900 -diff -urNp linux-2.6.32.46/drivers/char/stallion.c linux-2.6.32.46/drivers/char/stallion.c
29901 ---- linux-2.6.32.46/drivers/char/stallion.c 2011-03-27 14:31:47.000000000 -0400
29902 -+++ linux-2.6.32.46/drivers/char/stallion.c 2011-05-16 21:46:57.000000000 -0400
29903 -@@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
29904 - struct stlport stl_dummyport;
29905 - struct stlport *portp;
29906 -
29907 -+ pax_track_stack();
29908 -+
29909 - if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
29910 - return -EFAULT;
29911 - portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
29912 -diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm.c linux-2.6.32.46/drivers/char/tpm/tpm.c
29913 ---- linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
29914 -+++ linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-10-17 02:49:00.000000000 -0400
29915 -@@ -374,6 +374,9 @@ static ssize_t tpm_transmit(struct tpm_c
29916 - u32 count, ordinal;
29917 - unsigned long stop;
29918 -
29919 -+ if (bufsiz > TPM_BUFSIZE)
29920 -+ bufsiz = TPM_BUFSIZE;
29921 -+
29922 - count = be32_to_cpu(*((__be32 *) (buf + 2)));
29923 - ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
29924 - if (count == 0)
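Review bot: the new check at the top of tpm_transmit() silently clamps bufsiz to TPM_BUFSIZE, so a caller that passes an oversized length gets a shortened transfer instead of an error. Consider returning an error, or at least warning once, so the caller bug is visible. The header reads at buf + 2 and buf + 6 that follow also assume bufsiz covers at least ten bytes, and nothing in this hunk checks that lower bound.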
29925 -@@ -402,7 +405,7 @@ static ssize_t tpm_transmit(struct tpm_c
29926 - chip->vendor.req_complete_val)
29927 - goto out_recv;
29928 -
29929 -- if ((status == chip->vendor.req_canceled)) {
29930 -+ if (status == chip->vendor.req_canceled) {
29931 - dev_err(chip->dev, "Operation Canceled\n");
29932 - rc = -ECANCELED;
29933 - goto out;
29934 -@@ -821,6 +824,8 @@ ssize_t tpm_show_pubek(struct device *de
29935 -
29936 - struct tpm_chip *chip = dev_get_drvdata(dev);
29937 -
29938 -+ pax_track_stack();
29939 -+
29940 - tpm_cmd.header.in = tpm_readpubek_header;
29941 - err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
29942 - "attempting to read the PUBEK");
29943 -@@ -1041,6 +1046,7 @@ ssize_t tpm_read(struct file *file, char
29944 - {
29945 - struct tpm_chip *chip = file->private_data;
29946 - ssize_t ret_size;
29947 -+ int rc;
29948 -
29949 - del_singleshot_timer_sync(&chip->user_read_timer);
29950 - flush_scheduled_work();
29951 -@@ -1051,8 +1057,11 @@ ssize_t tpm_read(struct file *file, char
29952 - ret_size = size;
29953 -
29954 - mutex_lock(&chip->buffer_mutex);
29955 -- if (copy_to_user(buf, chip->data_buffer, ret_size))
29956 -+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
29957 -+ memset(chip->data_buffer, 0, ret_size);
29958 -+ if (rc)
29959 - ret_size = -EFAULT;
29960 -+
29961 - mutex_unlock(&chip->buffer_mutex);
29962 - }
29963 -
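Review bot: memset(chip->data_buffer, 0, ret_size) in tpm_read() clears only the bytes just handed to user space. ret_size is set to size a few lines earlier, so when the caller reads less than is pending the tail of the response stays in data_buffer. If the goal is to avoid leaving TPM response data behind after a read, clear the whole buffer rather than ret_size bytes.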
29964 -diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/char/tpm/tpm_bios.c
29965 ---- linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
29966 -+++ linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-10-06 09:37:08.000000000 -0400
29967 -@@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
29968 - event = addr;
29969 -
29970 - if ((event->event_type == 0 && event->event_size == 0) ||
29971 -- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
29972 -+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
29973 - return NULL;
29974 -
29975 - return addr;
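Review bot: the rewritten bound event->event_size >= limit - addr - sizeof(struct tcpa_event) avoids overflowing the pointer sum, but the right-hand side can itself wrap when fewer than sizeof(struct tcpa_event) bytes remain between addr and limit, and the test then passes. event->event_type and event->event_size are also read before any check that a full header fits. Add an explicit check that limit - addr is at least sizeof(struct tcpa_event) before dereferencing event; the same applies to the identical expression with v in tpm_bios_measurements_next().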
29976 -@@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
29977 - return NULL;
29978 -
29979 - if ((event->event_type == 0 && event->event_size == 0) ||
29980 -- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
29981 -+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
29982 - return NULL;
29983 -
29984 - (*pos)++;
29985 -@@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
29986 - int i;
29987 -
29988 - for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
29989 -- seq_putc(m, data[i]);
29990 -+ if (!seq_putc(m, data[i]))
29991 -+ return -EFAULT;
29992 -
29993 - return 0;
29994 - }
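Review bot: check the sense of if (!seq_putc(m, data[i])) return -EFAULT. If seq_putc() follows the usual kernel convention of returning 0 on success and nonzero when the buffer is full, this returns -EFAULT after the first byte is written successfully and never reports a real failure; the test would then need to be if (seq_putc(m, data[i])). The for loop now has a two-line body and should also get braces.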
29995 -@@ -409,8 +410,13 @@ static int read_log(struct tpm_bios_log
29996 - log->bios_event_log_end = log->bios_event_log + len;
29997 -
29998 - virt = acpi_os_map_memory(start, len);
29999 -+ if (!virt) {
30000 -+ kfree(log->bios_event_log);
30001 -+ log->bios_event_log = NULL;
30002 -+ return -EFAULT;
30003 -+ }
30004 -
30005 -- memcpy(log->bios_event_log, virt, len);
30006 -+ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
30007 -
30008 - acpi_os_unmap_memory(virt, len);
30009 - return 0;
30010 -diff -urNp linux-2.6.32.46/drivers/char/tty_io.c linux-2.6.32.46/drivers/char/tty_io.c
30011 ---- linux-2.6.32.46/drivers/char/tty_io.c 2011-03-27 14:31:47.000000000 -0400
30012 -+++ linux-2.6.32.46/drivers/char/tty_io.c 2011-08-05 20:33:55.000000000 -0400
30013 -@@ -2582,8 +2582,10 @@ long tty_ioctl(struct file *file, unsign
30014 - return retval;
30015 - }
30016 -
30017 -+EXPORT_SYMBOL(tty_ioctl);
30018 -+
30019 - #ifdef CONFIG_COMPAT
30020 --static long tty_compat_ioctl(struct file *file, unsigned int cmd,
30021 -+long tty_compat_ioctl(struct file *file, unsigned int cmd,
30022 - unsigned long arg)
30023 - {
30024 - struct inode *inode = file->f_dentry->d_inode;
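Review bot: tty_ioctl is exported and tty_compat_ioctl loses its static here with no comment or changelog text naming the consumer. Exporting the tty ioctl entry points to all modules widens the module-facing surface, so state which code needs them, add a prototype in a header for the now-global tty_compat_ioctl, and consider EXPORT_SYMBOL_GPL, which this file already uses for get_current_tty.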
30025 -@@ -2607,6 +2609,8 @@ static long tty_compat_ioctl(struct file
30026 -
30027 - return retval;
30028 - }
30029 -+
30030 -+EXPORT_SYMBOL(tty_compat_ioctl);
30031 - #endif
30032 -
30033 - /*
30034 -@@ -3052,7 +3056,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
30035 -
30036 - void tty_default_fops(struct file_operations *fops)
30037 - {
30038 -- *fops = tty_fops;
30039 -+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
30040 - }
30041 -
30042 - /*
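Review bot: replacing *fops = tty_fops with memcpy((void *)fops, &tty_fops, sizeof(tty_fops)) drops the compiler's type check on the assignment, and the (void *) cast is not needed for the struct file_operations *fops parameter as declared here. If the cast exists to get past a const-qualified file_operations, say so in a comment, and use sizeof(*fops) so the size is tied to the destination.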
30043 -diff -urNp linux-2.6.32.46/drivers/char/tty_ldisc.c linux-2.6.32.46/drivers/char/tty_ldisc.c
30044 ---- linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:04.000000000 -0400
30045 -+++ linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:18.000000000 -0400
30046 -@@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
30047 - if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
30048 - struct tty_ldisc_ops *ldo = ld->ops;
30049 -
30050 -- ldo->refcount--;
30051 -+ atomic_dec(&ldo->refcount);
30052 - module_put(ldo->owner);
30053 - spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30054 -
30055 -@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
30056 - spin_lock_irqsave(&tty_ldisc_lock, flags);
30057 - tty_ldiscs[disc] = new_ldisc;
30058 - new_ldisc->num = disc;
30059 -- new_ldisc->refcount = 0;
30060 -+ atomic_set(&new_ldisc->refcount, 0);
30061 - spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30062 -
30063 - return ret;
30064 -@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
30065 - return -EINVAL;
30066 -
30067 - spin_lock_irqsave(&tty_ldisc_lock, flags);
30068 -- if (tty_ldiscs[disc]->refcount)
30069 -+ if (atomic_read(&tty_ldiscs[disc]->refcount))
30070 - ret = -EBUSY;
30071 - else
30072 - tty_ldiscs[disc] = NULL;
30073 -@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
30074 - if (ldops) {
30075 - ret = ERR_PTR(-EAGAIN);
30076 - if (try_module_get(ldops->owner)) {
30077 -- ldops->refcount++;
30078 -+ atomic_inc(&ldops->refcount);
30079 - ret = ldops;
30080 - }
30081 - }
30082 -@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
30083 - unsigned long flags;
30084 -
30085 - spin_lock_irqsave(&tty_ldisc_lock, flags);
30086 -- ldops->refcount--;
30087 -+ atomic_dec(&ldops->refcount);
30088 - module_put(ldops->owner);
30089 - spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30090 - }
30091 -diff -urNp linux-2.6.32.46/drivers/char/virtio_console.c linux-2.6.32.46/drivers/char/virtio_console.c
30092 ---- linux-2.6.32.46/drivers/char/virtio_console.c 2011-03-27 14:31:47.000000000 -0400
30093 -+++ linux-2.6.32.46/drivers/char/virtio_console.c 2011-08-05 20:33:55.000000000 -0400
30094 -@@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
30095 - * virtqueue, so we let the drivers do some boutique early-output thing. */
30096 - int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
30097 - {
30098 -- virtio_cons.put_chars = put_chars;
30099 -+ pax_open_kernel();
30100 -+ *(void **)&virtio_cons.put_chars = put_chars;
30101 -+ pax_close_kernel();
30102 - return hvc_instantiate(0, 0, &virtio_cons);
30103 - }
30104 -
30105 -@@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
30106 - out_vq = vqs[1];
30107 -
30108 - /* Start using the new console output. */
30109 -- virtio_cons.get_chars = get_chars;
30110 -- virtio_cons.put_chars = put_chars;
30111 -- virtio_cons.notifier_add = notifier_add_vio;
30112 -- virtio_cons.notifier_del = notifier_del_vio;
30113 -- virtio_cons.notifier_hangup = notifier_del_vio;
30114 -+ pax_open_kernel();
30115 -+ *(void **)&virtio_cons.get_chars = get_chars;
30116 -+ *(void **)&virtio_cons.put_chars = put_chars;
30117 -+ *(void **)&virtio_cons.notifier_add = notifier_add_vio;
30118 -+ *(void **)&virtio_cons.notifier_del = notifier_del_vio;
30119 -+ *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
30120 -+ pax_close_kernel();
30121 -
30122 - /* The first argument of hvc_alloc() is the virtual console number, so
30123 - * we use zero. The second argument is the parameter for the
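Review bot: the five consecutive *(void **)&virtio_cons.<member> = ... stores in virtcons_probe() each discard the function-pointer type of the member being set, so a handler with the wrong signature would compile cleanly. A small typed helper or macro for writes made inside pax_open_kernel()/pax_close_kernel() would keep the type checking and remove the repeated cast; at minimum add a comment saying why virtio_cons has to be written through that window.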
30124 -diff -urNp linux-2.6.32.46/drivers/char/vt.c linux-2.6.32.46/drivers/char/vt.c
30125 ---- linux-2.6.32.46/drivers/char/vt.c 2011-03-27 14:31:47.000000000 -0400
30126 -+++ linux-2.6.32.46/drivers/char/vt.c 2011-04-17 15:56:46.000000000 -0400
30127 -@@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
30128 -
30129 - static void notify_write(struct vc_data *vc, unsigned int unicode)
30130 - {
30131 -- struct vt_notifier_param param = { .vc = vc, unicode = unicode };
30132 -+ struct vt_notifier_param param = { .vc = vc, .c = unicode };
30133 - atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
30134 - }
30135 -
30136 -diff -urNp linux-2.6.32.46/drivers/char/vt_ioctl.c linux-2.6.32.46/drivers/char/vt_ioctl.c
30137 ---- linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-03-27 14:31:47.000000000 -0400
30138 -+++ linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-04-17 15:56:46.000000000 -0400
30139 -@@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30140 - if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
30141 - return -EFAULT;
30142 -
30143 -- if (!capable(CAP_SYS_TTY_CONFIG))
30144 -- perm = 0;
30145 --
30146 - switch (cmd) {
30147 - case KDGKBENT:
30148 - key_map = key_maps[s];
30149 -@@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30150 - val = (i ? K_HOLE : K_NOSUCHMAP);
30151 - return put_user(val, &user_kbe->kb_value);
30152 - case KDSKBENT:
30153 -+ if (!capable(CAP_SYS_TTY_CONFIG))
30154 -+ perm = 0;
30155 -+
30156 - if (!perm)
30157 - return -EPERM;
30158 -+
30159 - if (!i && v == K_NOSUCHMAP) {
30160 - /* deallocate map */
30161 - key_map = key_maps[s];
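Review bot: the capable(CAP_SYS_TTY_CONFIG) test moves from the top of do_kdsk_ioctl() into the KDSKBENT case without a comment, so KDGKBENT no longer evaluates it. That looks intentional, since the get path shown here does not use perm, but the reason for deferring the capability check should be recorded. The same lines are duplicated in the KDSKBSENT case of do_kdgkb_ioctl(); in both places if (!capable(CAP_SYS_TTY_CONFIG)) perm = 0; followed by if (!perm) can be folded into a single condition.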
30162 -@@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30163 - int i, j, k;
30164 - int ret;
30165 -
30166 -- if (!capable(CAP_SYS_TTY_CONFIG))
30167 -- perm = 0;
30168 --
30169 - kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
30170 - if (!kbs) {
30171 - ret = -ENOMEM;
30172 -@@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30173 - kfree(kbs);
30174 - return ((p && *p) ? -EOVERFLOW : 0);
30175 - case KDSKBSENT:
30176 -+ if (!capable(CAP_SYS_TTY_CONFIG))
30177 -+ perm = 0;
30178 -+
30179 - if (!perm) {
30180 - ret = -EPERM;
30181 - goto reterr;
30182 -diff -urNp linux-2.6.32.46/drivers/cpufreq/cpufreq.c linux-2.6.32.46/drivers/cpufreq/cpufreq.c
30183 ---- linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
30184 -+++ linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
30185 -@@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
30186 - complete(&policy->kobj_unregister);
30187 - }
30188 -
30189 --static struct sysfs_ops sysfs_ops = {
30190 -+static const struct sysfs_ops sysfs_ops = {
30191 - .show = show,
30192 - .store = store,
30193 - };
30194 -diff -urNp linux-2.6.32.46/drivers/cpuidle/sysfs.c linux-2.6.32.46/drivers/cpuidle/sysfs.c
30195 ---- linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-03-27 14:31:47.000000000 -0400
30196 -+++ linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-04-17 15:56:46.000000000 -0400
30197 -@@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
30198 - return ret;
30199 - }
30200 -
30201 --static struct sysfs_ops cpuidle_sysfs_ops = {
30202 -+static const struct sysfs_ops cpuidle_sysfs_ops = {
30203 - .show = cpuidle_show,
30204 - .store = cpuidle_store,
30205 - };
30206 -@@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
30207 - return ret;
30208 - }
30209 -
30210 --static struct sysfs_ops cpuidle_state_sysfs_ops = {
30211 -+static const struct sysfs_ops cpuidle_state_sysfs_ops = {
30212 - .show = cpuidle_state_show,
30213 - };
30214 -
30215 -@@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
30216 - .release = cpuidle_state_sysfs_release,
30217 - };
30218 -
30219 --static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30220 -+static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30221 - {
30222 - kobject_put(&device->kobjs[i]->kobj);
30223 - wait_for_completion(&device->kobjs[i]->kobj_unregister);
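Review bot: the `static void inline` to `static inline void` reorder on cpuidle_free_state_kobj is a style cleanup unrelated to the sysfs_ops constification in the rest of this file. It would be easier to review, and to send upstream, as its own change.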
30224 -diff -urNp linux-2.6.32.46/drivers/crypto/hifn_795x.c linux-2.6.32.46/drivers/crypto/hifn_795x.c
30225 ---- linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-03-27 14:31:47.000000000 -0400
30226 -+++ linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-05-16 21:46:57.000000000 -0400
30227 -@@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
30228 - 0xCA, 0x34, 0x2B, 0x2E};
30229 - struct scatterlist sg;
30230 -
30231 -+ pax_track_stack();
30232 -+
30233 - memset(src, 0, sizeof(src));
30234 - memset(ctx.key, 0, sizeof(ctx.key));
30235 -
30236 -diff -urNp linux-2.6.32.46/drivers/crypto/padlock-aes.c linux-2.6.32.46/drivers/crypto/padlock-aes.c
30237 ---- linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-03-27 14:31:47.000000000 -0400
30238 -+++ linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-05-16 21:46:57.000000000 -0400
30239 -@@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
30240 - struct crypto_aes_ctx gen_aes;
30241 - int cpu;
30242 -
30243 -+ pax_track_stack();
30244 -+
30245 - if (key_len % 8) {
30246 - *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
30247 - return -EINVAL;
30248 -diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.c linux-2.6.32.46/drivers/dma/ioat/dma.c
30249 ---- linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-03-27 14:31:47.000000000 -0400
30250 -+++ linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-04-17 15:56:46.000000000 -0400
30251 -@@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
30252 - return entry->show(&chan->common, page);
30253 - }
30254 -
30255 --struct sysfs_ops ioat_sysfs_ops = {
30256 -+const struct sysfs_ops ioat_sysfs_ops = {
30257 - .show = ioat_attr_show,
30258 - };
30259 -
30260 -diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.h linux-2.6.32.46/drivers/dma/ioat/dma.h
30261 ---- linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-03-27 14:31:47.000000000 -0400
30262 -+++ linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-04-17 15:56:46.000000000 -0400
30263 -@@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
30264 - unsigned long *phys_complete);
30265 - void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
30266 - void ioat_kobject_del(struct ioatdma_device *device);
30267 --extern struct sysfs_ops ioat_sysfs_ops;
30268 -+extern const struct sysfs_ops ioat_sysfs_ops;
30269 - extern struct ioat_sysfs_entry ioat_version_attr;
30270 - extern struct ioat_sysfs_entry ioat_cap_attr;
30271 - #endif /* IOATDMA_H */
30272 -diff -urNp linux-2.6.32.46/drivers/edac/edac_device_sysfs.c linux-2.6.32.46/drivers/edac/edac_device_sysfs.c
30273 ---- linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-03-27 14:31:47.000000000 -0400
30274 -+++ linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-04-17 15:56:46.000000000 -0400
30275 -@@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
30276 - }
30277 -
30278 - /* edac_dev file operations for an 'ctl_info' */
30279 --static struct sysfs_ops device_ctl_info_ops = {
30280 -+static const struct sysfs_ops device_ctl_info_ops = {
30281 - .show = edac_dev_ctl_info_show,
30282 - .store = edac_dev_ctl_info_store
30283 - };
30284 -@@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
30285 - }
30286 -
30287 - /* edac_dev file operations for an 'instance' */
30288 --static struct sysfs_ops device_instance_ops = {
30289 -+static const struct sysfs_ops device_instance_ops = {
30290 - .show = edac_dev_instance_show,
30291 - .store = edac_dev_instance_store
30292 - };
30293 -@@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
30294 - }
30295 -
30296 - /* edac_dev file operations for a 'block' */
30297 --static struct sysfs_ops device_block_ops = {
30298 -+static const struct sysfs_ops device_block_ops = {
30299 - .show = edac_dev_block_show,
30300 - .store = edac_dev_block_store
30301 - };
30302 -diff -urNp linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c
30303 ---- linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-03-27 14:31:47.000000000 -0400
30304 -+++ linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:56:46.000000000 -0400
30305 -@@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
30306 - return -EIO;
30307 - }
30308 -
30309 --static struct sysfs_ops csrowfs_ops = {
30310 -+static const struct sysfs_ops csrowfs_ops = {
30311 - .show = csrowdev_show,
30312 - .store = csrowdev_store
30313 - };
30314 -@@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
30315 - }
30316 -
30317 - /* Intermediate show/store table */
30318 --static struct sysfs_ops mci_ops = {
30319 -+static const struct sysfs_ops mci_ops = {
30320 - .show = mcidev_show,
30321 - .store = mcidev_store
30322 - };
30323 -diff -urNp linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c
30324 ---- linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-03-27 14:31:47.000000000 -0400
30325 -+++ linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-05-04 17:56:20.000000000 -0400
30326 -@@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
30327 - static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
30328 - static int edac_pci_poll_msec = 1000; /* one second workq period */
30329 -
30330 --static atomic_t pci_parity_count = ATOMIC_INIT(0);
30331 --static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
30332 -+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
30333 -+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
30334 -
30335 - static struct kobject *edac_pci_top_main_kobj;
30336 - static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
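Review bot: pci_parity_count and pci_nonparity_count become atomic_unchecked_t while edac_pci_sysfs_refcount, one line below, stays atomic_t, and nothing in the hunk says why. The later hunks show the two counters are only incremented and compared for inequality, so exempting them from overflow checking looks intentional; a one-line comment at the declarations (event counters, wrap is harmless, not reference counts) would keep someone from converting the refcount the same way later.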
30337 -@@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
30338 - }
30339 -
30340 - /* fs_ops table */
30341 --static struct sysfs_ops pci_instance_ops = {
30342 -+static const struct sysfs_ops pci_instance_ops = {
30343 - .show = edac_pci_instance_show,
30344 - .store = edac_pci_instance_store
30345 - };
30346 -@@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
30347 - return -EIO;
30348 - }
30349 -
30350 --static struct sysfs_ops edac_pci_sysfs_ops = {
30351 -+static const struct sysfs_ops edac_pci_sysfs_ops = {
30352 - .show = edac_pci_dev_show,
30353 - .store = edac_pci_dev_store
30354 - };
30355 -@@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
30356 - edac_printk(KERN_CRIT, EDAC_PCI,
30357 - "Signaled System Error on %s\n",
30358 - pci_name(dev));
30359 -- atomic_inc(&pci_nonparity_count);
30360 -+ atomic_inc_unchecked(&pci_nonparity_count);
30361 - }
30362 -
30363 - if (status & (PCI_STATUS_PARITY)) {
30364 -@@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
30365 - "Master Data Parity Error on %s\n",
30366 - pci_name(dev));
30367 -
30368 -- atomic_inc(&pci_parity_count);
30369 -+ atomic_inc_unchecked(&pci_parity_count);
30370 - }
30371 -
30372 - if (status & (PCI_STATUS_DETECTED_PARITY)) {
30373 -@@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
30374 - "Detected Parity Error on %s\n",
30375 - pci_name(dev));
30376 -
30377 -- atomic_inc(&pci_parity_count);
30378 -+ atomic_inc_unchecked(&pci_parity_count);
30379 - }
30380 - }
30381 -
30382 -@@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
30383 - edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
30384 - "Signaled System Error on %s\n",
30385 - pci_name(dev));
30386 -- atomic_inc(&pci_nonparity_count);
30387 -+ atomic_inc_unchecked(&pci_nonparity_count);
30388 - }
30389 -
30390 - if (status & (PCI_STATUS_PARITY)) {
30391 -@@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
30392 - "Master Data Parity Error on "
30393 - "%s\n", pci_name(dev));
30394 -
30395 -- atomic_inc(&pci_parity_count);
30396 -+ atomic_inc_unchecked(&pci_parity_count);
30397 - }
30398 -
30399 - if (status & (PCI_STATUS_DETECTED_PARITY)) {
30400 -@@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
30401 - "Detected Parity Error on %s\n",
30402 - pci_name(dev));
30403 -
30404 -- atomic_inc(&pci_parity_count);
30405 -+ atomic_inc_unchecked(&pci_parity_count);
30406 - }
30407 - }
30408 - }
30409 -@@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
30410 - if (!check_pci_errors)
30411 - return;
30412 -
30413 -- before_count = atomic_read(&pci_parity_count);
30414 -+ before_count = atomic_read_unchecked(&pci_parity_count);
30415 -
30416 - /* scan all PCI devices looking for a Parity Error on devices and
30417 - * bridges.
30418 -@@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
30419 - /* Only if operator has selected panic on PCI Error */
30420 - if (edac_pci_get_panic_on_pe()) {
30421 - /* If the count is different 'after' from 'before' */
30422 -- if (before_count != atomic_read(&pci_parity_count))
30423 -+ if (before_count != atomic_read_unchecked(&pci_parity_count))
30424 - panic("EDAC: PCI Parity Error");
30425 - }
30426 - }
30427 -diff -urNp linux-2.6.32.46/drivers/firewire/core-card.c linux-2.6.32.46/drivers/firewire/core-card.c
30428 ---- linux-2.6.32.46/drivers/firewire/core-card.c 2011-03-27 14:31:47.000000000 -0400
30429 -+++ linux-2.6.32.46/drivers/firewire/core-card.c 2011-08-23 21:22:32.000000000 -0400
30430 -@@ -558,7 +558,7 @@ void fw_card_release(struct kref *kref)
30431 -
30432 - void fw_core_remove_card(struct fw_card *card)
30433 - {
30434 -- struct fw_card_driver dummy_driver = dummy_driver_template;
30435 -+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
30436 -
30437 - card->driver->update_phy_reg(card, 4,
30438 - PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
30439 -diff -urNp linux-2.6.32.46/drivers/firewire/core-cdev.c linux-2.6.32.46/drivers/firewire/core-cdev.c
30440 ---- linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-03-27 14:31:47.000000000 -0400
30441 -+++ linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-04-17 15:56:46.000000000 -0400
30442 -@@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
30443 - int ret;
30444 -
30445 - if ((request->channels == 0 && request->bandwidth == 0) ||
30446 -- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
30447 -- request->bandwidth < 0)
30448 -+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
30449 - return -EINVAL;
30450 -
30451 - r = kmalloc(sizeof(*r), GFP_KERNEL);
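Review bot: dropping `request->bandwidth < 0` from the validation in init_iso_resource is only safe if the bandwidth field is an unsigned type, in which case the test was dead code. The field's declaration is not visible in this hunk. If it is signed, a negative value now passes the remaining `> BANDWIDTH_AVAILABLE_INITIAL` bound, so the changelog should state the type that justifies the removal.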
30452 -diff -urNp linux-2.6.32.46/drivers/firewire/core-transaction.c linux-2.6.32.46/drivers/firewire/core-transaction.c
30453 ---- linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-03-27 14:31:47.000000000 -0400
30454 -+++ linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-05-16 21:46:57.000000000 -0400
30455 -@@ -36,6 +36,7 @@
30456 - #include <linux/string.h>
30457 - #include <linux/timer.h>
30458 - #include <linux/types.h>
30459 -+#include <linux/sched.h>
30460 -
30461 - #include <asm/byteorder.h>
30462 -
30463 -@@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
30464 - struct transaction_callback_data d;
30465 - struct fw_transaction t;
30466 -
30467 -+ pax_track_stack();
30468 -+
30469 - init_completion(&d.done);
30470 - d.payload = payload;
30471 - fw_send_request(card, &t, tcode, destination_id, generation, speed,
30472 -diff -urNp linux-2.6.32.46/drivers/firewire/core.h linux-2.6.32.46/drivers/firewire/core.h
30473 ---- linux-2.6.32.46/drivers/firewire/core.h 2011-03-27 14:31:47.000000000 -0400
30474 -+++ linux-2.6.32.46/drivers/firewire/core.h 2011-08-23 20:24:26.000000000 -0400
30475 -@@ -86,6 +86,7 @@ struct fw_card_driver {
30476 -
30477 - int (*stop_iso)(struct fw_iso_context *ctx);
30478 - };
30479 -+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
30480 -
30481 - void fw_card_initialize(struct fw_card *card,
30482 - const struct fw_card_driver *driver, struct device *device);
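Review bot: the fw_card_driver_no_const typedef is added without a comment. Its only user visible in this patch is the on-stack dummy_driver copy in fw_core_remove_card, so a short note at the typedef saying it exists for writable local copies of a template would discourage using it elsewhere as a way around constification.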
30483 -diff -urNp linux-2.6.32.46/drivers/firmware/dmi_scan.c linux-2.6.32.46/drivers/firmware/dmi_scan.c
30484 ---- linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
30485 -+++ linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-10-06 09:37:08.000000000 -0400
30486 -@@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
30487 - }
30488 - }
30489 - else {
30490 -- /*
30491 -- * no iounmap() for that ioremap(); it would be a no-op, but
30492 -- * it's so early in setup that sucker gets confused into doing
30493 -- * what it shouldn't if we actually call it.
30494 -- */
30495 - p = dmi_ioremap(0xF0000, 0x10000);
30496 - if (p == NULL)
30497 - goto error;
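Review bot: this hunk deletes the comment explaining why the dmi_ioremap(0xF0000, 0x10000) mapping is never unmapped, but no unmap call is added in the visible lines. If an unmap is introduced further down in dmi_scan_machine, the removal is fine and the changelog should say so; otherwise the comment still describes the code and should stay.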
30498 -@@ -667,7 +662,7 @@ int dmi_walk(void (*decode)(const struct
30499 - if (buf == NULL)
30500 - return -1;
30501 -
30502 -- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
30503 -+ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
30504 -
30505 - iounmap(buf);
30506 - return 0;
30507 -diff -urNp linux-2.6.32.46/drivers/firmware/edd.c linux-2.6.32.46/drivers/firmware/edd.c
30508 ---- linux-2.6.32.46/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
30509 -+++ linux-2.6.32.46/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
30510 -@@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
30511 - return ret;
30512 - }
30513 -
30514 --static struct sysfs_ops edd_attr_ops = {
30515 -+static const struct sysfs_ops edd_attr_ops = {
30516 - .show = edd_attr_show,
30517 - };
30518 -
30519 -diff -urNp linux-2.6.32.46/drivers/firmware/efivars.c linux-2.6.32.46/drivers/firmware/efivars.c
30520 ---- linux-2.6.32.46/drivers/firmware/efivars.c 2011-03-27 14:31:47.000000000 -0400
30521 -+++ linux-2.6.32.46/drivers/firmware/efivars.c 2011-04-17 15:56:46.000000000 -0400
30522 -@@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
30523 - return ret;
30524 - }
30525 -
30526 --static struct sysfs_ops efivar_attr_ops = {
30527 -+static const struct sysfs_ops efivar_attr_ops = {
30528 - .show = efivar_attr_show,
30529 - .store = efivar_attr_store,
30530 - };
30531 -diff -urNp linux-2.6.32.46/drivers/firmware/iscsi_ibft.c linux-2.6.32.46/drivers/firmware/iscsi_ibft.c
30532 ---- linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-03-27 14:31:47.000000000 -0400
30533 -+++ linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-04-17 15:56:46.000000000 -0400
30534 -@@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
30535 - return ret;
30536 - }
30537 -
30538 --static struct sysfs_ops ibft_attr_ops = {
30539 -+static const struct sysfs_ops ibft_attr_ops = {
30540 - .show = ibft_show_attribute,
30541 - };
30542 -
30543 -diff -urNp linux-2.6.32.46/drivers/firmware/memmap.c linux-2.6.32.46/drivers/firmware/memmap.c
30544 ---- linux-2.6.32.46/drivers/firmware/memmap.c 2011-03-27 14:31:47.000000000 -0400
30545 -+++ linux-2.6.32.46/drivers/firmware/memmap.c 2011-04-17 15:56:46.000000000 -0400
30546 -@@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
30547 - NULL
30548 - };
30549 -
30550 --static struct sysfs_ops memmap_attr_ops = {
30551 -+static const struct sysfs_ops memmap_attr_ops = {
30552 - .show = memmap_attr_show,
30553 - };
30554 -
30555 -diff -urNp linux-2.6.32.46/drivers/gpio/vr41xx_giu.c linux-2.6.32.46/drivers/gpio/vr41xx_giu.c
30556 ---- linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-03-27 14:31:47.000000000 -0400
30557 -+++ linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-05-04 17:56:28.000000000 -0400
30558 -@@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
30559 - printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
30560 - maskl, pendl, maskh, pendh);
30561 -
30562 -- atomic_inc(&irq_err_count);
30563 -+ atomic_inc_unchecked(&irq_err_count);
30564 -
30565 - return -EINVAL;
30566 - }
30567 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c
30568 ---- linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-03-27 14:31:47.000000000 -0400
30569 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-10-06 09:37:14.000000000 -0400
30570 -@@ -1323,7 +1323,7 @@ int drm_mode_getconnector(struct drm_dev
30571 - */
30572 - if ((out_resp->count_modes >= mode_count) && mode_count) {
30573 - copied = 0;
30574 -- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
30575 -+ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
30576 - list_for_each_entry(mode, &connector->modes, head) {
30577 - drm_crtc_convert_to_umode(&u_mode, mode);
30578 - if (copy_to_user(mode_ptr + copied,
30579 -@@ -1338,8 +1338,8 @@ int drm_mode_getconnector(struct drm_dev
30580 -
30581 - if ((out_resp->count_props >= props_count) && props_count) {
30582 - copied = 0;
30583 -- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
30584 -- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
30585 -+ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
30586 -+ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
30587 - for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
30588 - if (connector->property_ids[i] != 0) {
30589 - if (put_user(connector->property_ids[i],
30590 -@@ -1361,7 +1361,7 @@ int drm_mode_getconnector(struct drm_dev
30591 -
30592 - if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
30593 - copied = 0;
30594 -- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
30595 -+ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
30596 - for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
30597 - if (connector->encoder_ids[i] != 0) {
30598 - if (put_user(connector->encoder_ids[i],
30599 -@@ -1513,7 +1513,7 @@ int drm_mode_setcrtc(struct drm_device *
30600 - }
30601 -
30602 - for (i = 0; i < crtc_req->count_connectors; i++) {
30603 -- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
30604 -+ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
30605 - if (get_user(out_id, &set_connectors_ptr[i])) {
30606 - ret = -EFAULT;
30607 - goto out;
30608 -@@ -2118,7 +2118,7 @@ int drm_mode_getproperty_ioctl(struct dr
30609 - out_resp->flags = property->flags;
30610 -
30611 - if ((out_resp->count_values >= value_count) && value_count) {
30612 -- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
30613 -+ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
30614 - for (i = 0; i < value_count; i++) {
30615 - if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
30616 - ret = -EFAULT;
30617 -@@ -2131,7 +2131,7 @@ int drm_mode_getproperty_ioctl(struct dr
30618 - if (property->flags & DRM_MODE_PROP_ENUM) {
30619 - if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
30620 - copied = 0;
30621 -- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
30622 -+ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
30623 - list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
30624 -
30625 - if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
30626 -@@ -2154,7 +2154,7 @@ int drm_mode_getproperty_ioctl(struct dr
30627 - if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
30628 - copied = 0;
30629 - blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
30630 -- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
30631 -+ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
30632 -
30633 - list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
30634 - if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
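Review bot: blob_length_ptr gains the __user annotation but blob_id_ptr, assigned on the line directly above with the same cast pattern, is left as a plain `(uint32_t *)`. It is passed to put_user() in the loop below, so it is a user pointer as well and should get the same `(uint32_t __user *)` cast for the annotation pass to be consistent.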
30635 -@@ -2226,7 +2226,7 @@ int drm_mode_getblob_ioctl(struct drm_de
30636 - blob = obj_to_blob(obj);
30637 -
30638 - if (out_resp->length == blob->length) {
30639 -- blob_ptr = (void *)(unsigned long)out_resp->data;
30640 -+ blob_ptr = (void __user *)(unsigned long)out_resp->data;
30641 - if (copy_to_user(blob_ptr, blob->data, blob->length)){
30642 - ret = -EFAULT;
30643 - goto done;
30644 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c
30645 ---- linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
30646 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
30647 -@@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
30648 - struct drm_crtc *tmp;
30649 - int crtc_mask = 1;
30650 -
30651 -- WARN(!crtc, "checking null crtc?");
30652 -+ BUG_ON(!crtc);
30653 -
30654 - dev = crtc->dev;
30655 -
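Review bot: replacing `WARN(!crtc, "checking null crtc?")` with `BUG_ON(!crtc)` in drm_encoder_crtc_ok changes a logged warning into a hard stop. Since crtc->dev is dereferenced on the next statement this is defensible, but it is a behaviour change rather than an annotation and deserves a line in the changelog.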
30656 -@@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
30657 -
30658 - adjusted_mode = drm_mode_duplicate(dev, mode);
30659 -
30660 -+ pax_track_stack();
30661 -+
30662 - crtc->enabled = drm_helper_crtc_in_use(crtc);
30663 -
30664 - if (!crtc->enabled)
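Review bot: pax_track_stack() is inserted in drm_crtc_helper_set_mode after `adjusted_mode = drm_mode_duplicate(dev, mode);`, that is, after the function has already started doing work. In the other insertions in this patch (hifn_test, aes_set_key, fw_run_transaction) the call sits directly after the local declarations and before the first statement. Unless the later position is deliberate, move it up to match, and add a comment if it is.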
30665 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_drv.c linux-2.6.32.46/drivers/gpu/drm/drm_drv.c
30666 ---- linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-03-27 14:31:47.000000000 -0400
30667 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-04-17 15:56:46.000000000 -0400
30668 -@@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
30669 - char *kdata = NULL;
30670 -
30671 - atomic_inc(&dev->ioctl_count);
30672 -- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
30673 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
30674 - ++file_priv->ioctl_count;
30675 -
30676 - DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
30677 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_fops.c linux-2.6.32.46/drivers/gpu/drm/drm_fops.c
30678 ---- linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-03-27 14:31:47.000000000 -0400
30679 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-04-17 15:56:46.000000000 -0400
30680 -@@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
30681 - }
30682 -
30683 - for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
30684 -- atomic_set(&dev->counts[i], 0);
30685 -+ atomic_set_unchecked(&dev->counts[i], 0);
30686 -
30687 - dev->sigdata.lock = NULL;
30688 -
30689 -@@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
30690 -
30691 - retcode = drm_open_helper(inode, filp, dev);
30692 - if (!retcode) {
30693 -- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
30694 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
30695 - spin_lock(&dev->count_lock);
30696 -- if (!dev->open_count++) {
30697 -+ if (local_inc_return(&dev->open_count) == 1) {
30698 - spin_unlock(&dev->count_lock);
30699 - retcode = drm_setup(dev);
30700 - goto out;
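Review bot: `local_inc_return(&dev->open_count) == 1` matches the old `!dev->open_count++` test, but the increment still runs under dev->count_lock, so the lock already serialises it and the reason for changing the counter's type is not documented here. The matching field declaration is also not in this hunk; please make sure it and any other open_count users are converted in the same patch.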
30701 -@@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
30702 -
30703 - lock_kernel();
30704 -
30705 -- DRM_DEBUG("open_count = %d\n", dev->open_count);
30706 -+ DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
30707 -
30708 - if (dev->driver->preclose)
30709 - dev->driver->preclose(dev, file_priv);
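Review bot: the DRM_DEBUG format string still uses `%d` while the argument is now `local_read(&dev->open_count)`, which yields a long. Change the conversion to `%ld` (or cast the argument) here and in the second DRM_DEBUG in the following hunk, otherwise the varargs types do not match on 64-bit builds.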
30710 -@@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
30711 - DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
30712 - task_pid_nr(current),
30713 - (long)old_encode_dev(file_priv->minor->device),
30714 -- dev->open_count);
30715 -+ local_read(&dev->open_count));
30716 -
30717 - /* if the master has gone away we can't do anything with the lock */
30718 - if (file_priv->minor->master)
30719 -@@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
30720 - * End inline drm_release
30721 - */
30722 -
30723 -- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
30724 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
30725 - spin_lock(&dev->count_lock);
30726 -- if (!--dev->open_count) {
30727 -+ if (local_dec_and_test(&dev->open_count)) {
30728 - if (atomic_read(&dev->ioctl_count)) {
30729 - DRM_ERROR("Device busy: %d\n",
30730 - atomic_read(&dev->ioctl_count));
30731 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_gem.c linux-2.6.32.46/drivers/gpu/drm/drm_gem.c
30732 ---- linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-03-27 14:31:47.000000000 -0400
30733 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-04-17 15:56:46.000000000 -0400
30734 -@@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
30735 - spin_lock_init(&dev->object_name_lock);
30736 - idr_init(&dev->object_name_idr);
30737 - atomic_set(&dev->object_count, 0);
30738 -- atomic_set(&dev->object_memory, 0);
30739 -+ atomic_set_unchecked(&dev->object_memory, 0);
30740 - atomic_set(&dev->pin_count, 0);
30741 -- atomic_set(&dev->pin_memory, 0);
30742 -+ atomic_set_unchecked(&dev->pin_memory, 0);
30743 - atomic_set(&dev->gtt_count, 0);
30744 -- atomic_set(&dev->gtt_memory, 0);
30745 -+ atomic_set_unchecked(&dev->gtt_memory, 0);
30746 -
30747 - mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
30748 - if (!mm) {
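Review bot: in drm_gem_init the three byte totals (object_memory, pin_memory, gtt_memory) switch to the _unchecked accessors while object_count, pin_count and gtt_count stay checked, with no explanation. The split looks intentional, since byte totals in an int can wrap in normal use, but that reasoning belongs in a comment or the changelog so the counters are not "fixed" back later.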
30749 -@@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
30750 - goto fput;
30751 - }
30752 - atomic_inc(&dev->object_count);
30753 -- atomic_add(obj->size, &dev->object_memory);
30754 -+ atomic_add_unchecked(obj->size, &dev->object_memory);
30755 - return obj;
30756 - fput:
30757 - fput(obj->filp);
30758 -@@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
30759 -
30760 - fput(obj->filp);
30761 - atomic_dec(&dev->object_count);
30762 -- atomic_sub(obj->size, &dev->object_memory);
30763 -+ atomic_sub_unchecked(obj->size, &dev->object_memory);
30764 - kfree(obj);
30765 - }
30766 - EXPORT_SYMBOL(drm_gem_object_free);
30767 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_info.c linux-2.6.32.46/drivers/gpu/drm/drm_info.c
30768 ---- linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-03-27 14:31:47.000000000 -0400
30769 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-04-17 15:56:46.000000000 -0400
30770 -@@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
30771 - struct drm_local_map *map;
30772 - struct drm_map_list *r_list;
30773 -
30774 -- /* Hardcoded from _DRM_FRAME_BUFFER,
30775 -- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
30776 -- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
30777 -- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
30778 -+ static const char * const types[] = {
30779 -+ [_DRM_FRAME_BUFFER] = "FB",
30780 -+ [_DRM_REGISTERS] = "REG",
30781 -+ [_DRM_SHM] = "SHM",
30782 -+ [_DRM_AGP] = "AGP",
30783 -+ [_DRM_SCATTER_GATHER] = "SG",
30784 -+ [_DRM_CONSISTENT] = "PCI",
30785 -+ [_DRM_GEM] = "GEM" };
30786 - const char *type;
30787 - int i;
30788 -
30789 -@@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
30790 - map = r_list->map;
30791 - if (!map)
30792 - continue;
30793 -- if (map->type < 0 || map->type > 5)
30794 -+ if (map->type >= ARRAY_SIZE(types))
30795 - type = "??";
30796 - else
30797 - type = types[map->type];
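Review bot: the bounds test is reduced to `map->type >= ARRAY_SIZE(types)`, which covers the old `< 0` case only through conversion to an unsigned type; that is fine but worth a comment. More importantly, with designated initializers any enum value below _DRM_GEM that has no entry leaves a NULL slot, and `type = types[map->type]` would then hand NULL to seq_printf. A `!types[map->type]` fallback to "??" would make the lookup robust against future enum additions.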
30798 -@@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
30799 - struct drm_device *dev = node->minor->dev;
30800 -
30801 - seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
30802 -- seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
30803 -+ seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
30804 - seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
30805 -- seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
30806 -- seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
30807 -+ seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
30808 -+ seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
30809 - seq_printf(m, "%d gtt total\n", dev->gtt_total);
30810 - return 0;
30811 - }
30812 -@@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
30813 - mutex_lock(&dev->struct_mutex);
30814 - seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
30815 - atomic_read(&dev->vma_count),
30816 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
30817 -+ NULL, 0);
30818 -+#else
30819 - high_memory, (u64)virt_to_phys(high_memory));
30820 -+#endif
30821 -
30822 - list_for_each_entry(pt, &dev->vmalist, head) {
30823 - vma = pt->vma;
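Review bot: in the CONFIG_GRKERNSEC_HIDESYM branch the arguments are `NULL, 0` but the format string ends in `0x%08llx`, so an int literal is passed where an unsigned long long is expected. Use `0ULL` (or `(u64)0`) to match the non-HIDESYM branch, which casts to u64. Splitting one seq_printf call across #ifdef arms also makes this kind of mismatch easy to miss; computing the values into locals first would be cleaner.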
30824 -@@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
30825 - continue;
30826 - seq_printf(m,
30827 - "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
30828 -- pt->pid, vma->vm_start, vma->vm_end,
30829 -+ pt->pid,
30830 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
30831 -+ 0, 0,
30832 -+#else
30833 -+ vma->vm_start, vma->vm_end,
30834 -+#endif
30835 - vma->vm_flags & VM_READ ? 'r' : '-',
30836 - vma->vm_flags & VM_WRITE ? 'w' : '-',
30837 - vma->vm_flags & VM_EXEC ? 'x' : '-',
30838 - vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
30839 - vma->vm_flags & VM_LOCKED ? 'l' : '-',
30840 - vma->vm_flags & VM_IO ? 'i' : '-',
30841 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
30842 -+ 0);
30843 -+#else
30844 - vma->vm_pgoff);
30845 -+#endif
30846 -
30847 - #if defined(__i386__)
30848 - pgprot = pgprot_val(vma->vm_page_prot);
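Review bot: the HIDESYM arms pass plain `0, 0,` for the two `0x%08lx` range conversions and `0);` for the trailing `0x%08lx000`, so int literals are supplied where unsigned long is expected. Use `0UL` in all three places so the argument types match the format string on 64-bit builds.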
30849 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c
30850 ---- linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-03-27 14:31:47.000000000 -0400
30851 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-10-06 09:37:14.000000000 -0400
30852 -@@ -463,7 +463,7 @@ static int compat_drm_infobufs(struct fi
30853 - request = compat_alloc_user_space(nbytes);
30854 - if (!access_ok(VERIFY_WRITE, request, nbytes))
30855 - return -EFAULT;
30856 -- list = (struct drm_buf_desc *) (request + 1);
30857 -+ list = (struct drm_buf_desc __user *) (request + 1);
30858 -
30859 - if (__put_user(count, &request->count)
30860 - || __put_user(list, &request->list))
30861 -@@ -525,7 +525,7 @@ static int compat_drm_mapbufs(struct fil
30862 - request = compat_alloc_user_space(nbytes);
30863 - if (!access_ok(VERIFY_WRITE, request, nbytes))
30864 - return -EFAULT;
30865 -- list = (struct drm_buf_pub *) (request + 1);
30866 -+ list = (struct drm_buf_pub __user *) (request + 1);
30867 -
30868 - if (__put_user(count, &request->count)
30869 - || __put_user(list, &request->list))
30870 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c
30871 ---- linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
30872 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
30873 -@@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
30874 - stats->data[i].value =
30875 - (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
30876 - else
30877 -- stats->data[i].value = atomic_read(&dev->counts[i]);
30878 -+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
30879 - stats->data[i].type = dev->types[i];
30880 - }
30881 -
30882 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_lock.c linux-2.6.32.46/drivers/gpu/drm/drm_lock.c
30883 ---- linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-03-27 14:31:47.000000000 -0400
30884 -+++ linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-04-17 15:56:46.000000000 -0400
30885 -@@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
30886 - if (drm_lock_take(&master->lock, lock->context)) {
30887 - master->lock.file_priv = file_priv;
30888 - master->lock.lock_time = jiffies;
30889 -- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
30890 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
30891 - break; /* Got lock */
30892 - }
30893 -
30894 -@@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
30895 - return -EINVAL;
30896 - }
30897 -
30898 -- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
30899 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
30900 -
30901 - /* kernel_context_switch isn't used by any of the x86 drm
30902 - * modules but is required by the Sparc driver.
30903 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c
30904 ---- linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-03-27 14:31:47.000000000 -0400
30905 -+++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:56:46.000000000 -0400
30906 -@@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
30907 - dma->buflist[vertex->idx],
30908 - vertex->discard, vertex->used);
30909 -
30910 -- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
30911 -- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
30912 -+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
30913 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
30914 - sarea_priv->last_enqueue = dev_priv->counter - 1;
30915 - sarea_priv->last_dispatch = (int)hw_status[5];
30916 -
30917 -@@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
30918 - i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
30919 - mc->last_render);
30920 -
30921 -- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
30922 -- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
30923 -+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
30924 -+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
30925 - sarea_priv->last_enqueue = dev_priv->counter - 1;
30926 - sarea_priv->last_dispatch = (int)hw_status[5];
30927 -
30928 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h
30929 ---- linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-03-27 14:31:47.000000000 -0400
30930 -+++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-05-04 17:56:28.000000000 -0400
30931 -@@ -108,8 +108,8 @@ typedef struct drm_i810_private {
30932 - int page_flipping;
30933 -
30934 - wait_queue_head_t irq_queue;
30935 -- atomic_t irq_received;
30936 -- atomic_t irq_emitted;
30937 -+ atomic_unchecked_t irq_received;
30938 -+ atomic_unchecked_t irq_emitted;
30939 -
30940 - int front_offset;
30941 - } drm_i810_private_t;
30942 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h
30943 ---- linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-03-27 14:31:47.000000000 -0400
30944 -+++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-05-04 17:56:28.000000000 -0400
30945 -@@ -115,8 +115,8 @@ typedef struct drm_i830_private {
30946 - int page_flipping;
30947 -
30948 - wait_queue_head_t irq_queue;
30949 -- atomic_t irq_received;
30950 -- atomic_t irq_emitted;
30951 -+ atomic_unchecked_t irq_received;
30952 -+ atomic_unchecked_t irq_emitted;
30953 -
30954 - int use_mi_batchbuffer_start;
30955 -
30956 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c
30957 ---- linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-03-27 14:31:47.000000000 -0400
30958 -+++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-05-04 17:56:28.000000000 -0400
30959 -@@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
30960 -
30961 - I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
30962 -
30963 -- atomic_inc(&dev_priv->irq_received);
30964 -+ atomic_inc_unchecked(&dev_priv->irq_received);
30965 - wake_up_interruptible(&dev_priv->irq_queue);
30966 -
30967 - return IRQ_HANDLED;
30968 -@@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
30969 -
30970 - DRM_DEBUG("%s\n", __func__);
30971 -
30972 -- atomic_inc(&dev_priv->irq_emitted);
30973 -+ atomic_inc_unchecked(&dev_priv->irq_emitted);
30974 -
30975 - BEGIN_LP_RING(2);
30976 - OUT_RING(0);
30977 - OUT_RING(GFX_OP_USER_INTERRUPT);
30978 - ADVANCE_LP_RING();
30979 -
30980 -- return atomic_read(&dev_priv->irq_emitted);
30981 -+ return atomic_read_unchecked(&dev_priv->irq_emitted);
30982 - }
30983 -
30984 - static int i830_wait_irq(struct drm_device * dev, int irq_nr)
30985 -@@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
30986 -
30987 - DRM_DEBUG("%s\n", __func__);
30988 -
30989 -- if (atomic_read(&dev_priv->irq_received) >= irq_nr)
30990 -+ if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
30991 - return 0;
30992 -
30993 - dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
30994 -@@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
30995 -
30996 - for (;;) {
30997 - __set_current_state(TASK_INTERRUPTIBLE);
30998 -- if (atomic_read(&dev_priv->irq_received) >= irq_nr)
30999 -+ if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
31000 - break;
31001 - if ((signed)(end - jiffies) <= 0) {
31002 - DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
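Review bot: in the wait loop of i830_wait_irq, `atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr` is a plain signed comparison on a counter that this change explicitly allows to wrap. Once irq_received wraps, the test can stay false until the timeout fires. A difference-based test, in the style of the `(signed)(end - jiffies) <= 0` check just below it, would stay correct across the wrap; the same applies to the early-return check in the previous hunk.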
31003 -@@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
31004 - I830_WRITE16(I830REG_HWSTAM, 0xffff);
31005 - I830_WRITE16(I830REG_INT_MASK_R, 0x0);
31006 - I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
31007 -- atomic_set(&dev_priv->irq_received, 0);
31008 -- atomic_set(&dev_priv->irq_emitted, 0);
31009 -+ atomic_set_unchecked(&dev_priv->irq_received, 0);
31010 -+ atomic_set_unchecked(&dev_priv->irq_emitted, 0);
31011 - init_waitqueue_head(&dev_priv->irq_queue);
31012 - }
31013 -
31014 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h
31015 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-03-27 14:31:47.000000000 -0400
31016 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:56:46.000000000 -0400
31017 -@@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
31018 - *
31019 - * \return singly-linked list of modes or NULL if no modes found.
31020 - */
31021 -- struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
31022 -+ struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
31023 -
31024 - /**
31025 - * Clean up driver-specific bits of the output
31026 - */
31027 -- void (*destroy) (struct intel_dvo_device *dvo);
31028 -+ void (* const destroy) (struct intel_dvo_device *dvo);
31029 -
31030 - /**
31031 - * Debugging hook to dump device registers to log file
31032 - */
31033 -- void (*dump_regs)(struct intel_dvo_device *dvo);
31034 -+ void (* const dump_regs)(struct intel_dvo_device *dvo);
31035 - };
31036 -
31037 --extern struct intel_dvo_dev_ops sil164_ops;
31038 --extern struct intel_dvo_dev_ops ch7xxx_ops;
31039 --extern struct intel_dvo_dev_ops ivch_ops;
31040 --extern struct intel_dvo_dev_ops tfp410_ops;
31041 --extern struct intel_dvo_dev_ops ch7017_ops;
31042 -+extern const struct intel_dvo_dev_ops sil164_ops;
31043 -+extern const struct intel_dvo_dev_ops ch7xxx_ops;
31044 -+extern const struct intel_dvo_dev_ops ivch_ops;
31045 -+extern const struct intel_dvo_dev_ops tfp410_ops;
31046 -+extern const struct intel_dvo_dev_ops ch7017_ops;
31047 -
31048 - #endif /* _INTEL_DVO_H */
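Review bot: only get_modes, destroy and dump_regs gain `* const` here, and this is the only hunk for dvo.h, so the members initialised in the driver files (.init, .detect, .mode_valid, .dpms, .save) stay non-const pointers. Since every instance is now declared `const struct intel_dvo_dev_ops`, the per-member const is redundant for those objects and inconsistent across the struct; either qualify all function pointers or rely on the const instances alone, and say which in a comment.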
31049 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c
31050 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-27 14:31:47.000000000 -0400
31051 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:56:46.000000000 -0400
31052 -@@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
31053 - }
31054 - }
31055 -
31056 --struct intel_dvo_dev_ops ch7017_ops = {
31057 -+const struct intel_dvo_dev_ops ch7017_ops = {
31058 - .init = ch7017_init,
31059 - .detect = ch7017_detect,
31060 - .mode_valid = ch7017_mode_valid,
31061 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c
31062 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-27 14:31:47.000000000 -0400
31063 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:56:46.000000000 -0400
31064 -@@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
31065 - }
31066 - }
31067 -
31068 --struct intel_dvo_dev_ops ch7xxx_ops = {
31069 -+const struct intel_dvo_dev_ops ch7xxx_ops = {
31070 - .init = ch7xxx_init,
31071 - .detect = ch7xxx_detect,
31072 - .mode_valid = ch7xxx_mode_valid,
31073 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c
31074 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-27 14:31:47.000000000 -0400
31075 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:56:46.000000000 -0400
31076 -@@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
31077 - }
31078 - }
31079 -
31080 --struct intel_dvo_dev_ops ivch_ops= {
31081 -+const struct intel_dvo_dev_ops ivch_ops= {
31082 - .init = ivch_init,
31083 - .dpms = ivch_dpms,
31084 - .save = ivch_save,
31085 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c
31086 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-27 14:31:47.000000000 -0400
31087 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:56:46.000000000 -0400
31088 -@@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
31089 - }
31090 - }
31091 -
31092 --struct intel_dvo_dev_ops sil164_ops = {
31093 -+const struct intel_dvo_dev_ops sil164_ops = {
31094 - .init = sil164_init,
31095 - .detect = sil164_detect,
31096 - .mode_valid = sil164_mode_valid,
31097 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c
31098 ---- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-27 14:31:47.000000000 -0400
31099 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:56:46.000000000 -0400
31100 -@@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
31101 - }
31102 - }
31103 -
31104 --struct intel_dvo_dev_ops tfp410_ops = {
31105 -+const struct intel_dvo_dev_ops tfp410_ops = {
31106 - .init = tfp410_init,
31107 - .detect = tfp410_detect,
31108 - .mode_valid = tfp410_mode_valid,
31109 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c
31110 ---- linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-27 14:31:47.000000000 -0400
31111 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-04 17:56:28.000000000 -0400
31112 -@@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
31113 - I915_READ(GTIMR));
31114 - }
31115 - seq_printf(m, "Interrupts received: %d\n",
31116 -- atomic_read(&dev_priv->irq_received));
31117 -+ atomic_read_unchecked(&dev_priv->irq_received));
31118 - if (dev_priv->hw_status_page != NULL) {
31119 - seq_printf(m, "Current sequence: %d\n",
31120 - i915_get_gem_seqno(dev));
31121 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c
31122 ---- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-03-27 14:31:47.000000000 -0400
31123 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:56:46.000000000 -0400
31124 -@@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
31125 - return i915_resume(dev);
31126 - }
31127 -
31128 --static struct vm_operations_struct i915_gem_vm_ops = {
31129 -+static const struct vm_operations_struct i915_gem_vm_ops = {
31130 - .fault = i915_gem_fault,
31131 - .open = drm_gem_vm_open,
31132 - .close = drm_gem_vm_close,
31133 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h
31134 ---- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-03-27 14:31:47.000000000 -0400
31135 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-08-05 20:33:55.000000000 -0400
31136 -@@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
31137 - /* display clock increase/decrease */
31138 - /* pll clock increase/decrease */
31139 - /* clock gating init */
31140 --};
31141 -+} __no_const;
31142 -
31143 - typedef struct drm_i915_private {
31144 - struct drm_device *dev;
31145 -@@ -197,7 +197,7 @@ typedef struct drm_i915_private {
31146 - int page_flipping;
31147 -
31148 - wait_queue_head_t irq_queue;
31149 -- atomic_t irq_received;
31150 -+ atomic_unchecked_t irq_received;
31151 - /** Protects user_irq_refcount and irq_mask_reg */
31152 - spinlock_t user_irq_lock;
31153 - /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
31154 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c
31155 ---- linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-03-27 14:31:47.000000000 -0400
31156 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-04-17 15:56:46.000000000 -0400
31157 -@@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
31158 -
31159 - args->aper_size = dev->gtt_total;
31160 - args->aper_available_size = (args->aper_size -
31161 -- atomic_read(&dev->pin_memory));
31162 -+ atomic_read_unchecked(&dev->pin_memory));
31163 -
31164 - return 0;
31165 - }
31166 -@@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
31167 - return -EINVAL;
31168 - }
31169 -
31170 -+ if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
31171 -+ drm_gem_object_unreference(obj);
31172 -+ return -EFAULT;
31173 -+ }
31174 -+
31175 - if (i915_gem_object_needs_bit17_swizzle(obj)) {
31176 - ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
31177 - } else {
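Review bot: the new access_ok() check in i915_gem_pread_ioctl runs while the object reference is already held, so its failure path has to repeat `drm_gem_object_unreference(obj)` by hand. Validating args->data_ptr and args->size before the object is looked up would let it return -EFAULT with nothing to undo. A one-line comment on why the range is checked up front, ahead of the i915_gem_shmem_pread_slow branch, would also help.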
31178 -@@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
31179 - return -EINVAL;
31180 - }
31181 -
31182 -+ if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
31183 -+ drm_gem_object_unreference(obj);
31184 -+ return -EFAULT;
31185 -+ }
31186 -+
31187 - /* We can only do the GTT pwrite on untiled buffers, as otherwise
31188 - * it would end up going through the fenced access, and we'll get
31189 - * different detiling behavior between reading and writing.
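Review bot: in i915_gem_pwrite_ioctl, `(char __user *) (uintptr_t)args->data_ptr` and `args->size` are passed straight to access_ok(). The cast through uintptr_t indicates data_ptr is an integer field, and if it or size is wider than a pointer on a 32-bit build, the check covers a truncated range rather than the one userspace supplied; reject values that do not fit before the cast. The block is also a copy of the one added to the pread path with only the VERIFY_ direction changed, so a small shared helper would keep the two in step.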
31190 -@@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
31191 -
31192 - if (obj_priv->gtt_space) {
31193 - atomic_dec(&dev->gtt_count);
31194 -- atomic_sub(obj->size, &dev->gtt_memory);
31195 -+ atomic_sub_unchecked(obj->size, &dev->gtt_memory);
31196 -
31197 - drm_mm_put_block(obj_priv->gtt_space);
31198 - obj_priv->gtt_space = NULL;
31199 -@@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
31200 - goto search_free;
31201 - }
31202 - atomic_inc(&dev->gtt_count);
31203 -- atomic_add(obj->size, &dev->gtt_memory);
31204 -+ atomic_add_unchecked(obj->size, &dev->gtt_memory);
31205 -
31206 - /* Assert that the object is not currently in any GPU domain. As it
31207 - * wasn't in the GTT, there shouldn't be any way it could have been in
31208 -@@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
31209 - "%d/%d gtt bytes\n",
31210 - atomic_read(&dev->object_count),
31211 - atomic_read(&dev->pin_count),
31212 -- atomic_read(&dev->object_memory),
31213 -- atomic_read(&dev->pin_memory),
31214 -- atomic_read(&dev->gtt_memory),
31215 -+ atomic_read_unchecked(&dev->object_memory),
31216 -+ atomic_read_unchecked(&dev->pin_memory),
31217 -+ atomic_read_unchecked(&dev->gtt_memory),
31218 - dev->gtt_total);
31219 - }
31220 - goto err;
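Review bot: the debug print in i915_gem_execbuffer now reads object_count and pin_count with atomic_read() but object_memory, pin_memory and gtt_memory with atomic_read_unchecked(), and the neighbouring hunks likewise leave `atomic_dec(&dev->gtt_count)` and `atomic_inc(&dev->pin_count)` checked. The split between overflow-checked counts and unchecked byte totals is not explained in these hunks; a comment at the field declarations stating which counters may wrap would make it reviewable.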
31221 -@@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
31222 - */
31223 - if (obj_priv->pin_count == 1) {
31224 - atomic_inc(&dev->pin_count);
31225 -- atomic_add(obj->size, &dev->pin_memory);
31226 -+ atomic_add_unchecked(obj->size, &dev->pin_memory);
31227 - if (!obj_priv->active &&
31228 - (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
31229 - !list_empty(&obj_priv->list))
31230 -@@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
31231 - list_move_tail(&obj_priv->list,
31232 - &dev_priv->mm.inactive_list);
31233 - atomic_dec(&dev->pin_count);
31234 -- atomic_sub(obj->size, &dev->pin_memory);
31235 -+ atomic_sub_unchecked(obj->size, &dev->pin_memory);
31236 - }
31237 - i915_verify_inactive(dev, __FILE__, __LINE__);
31238 - }
31239 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c
31240 ---- linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-03-27 14:31:47.000000000 -0400
31241 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-05-04 17:56:28.000000000 -0400
31242 -@@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
31243 - int irq_received;
31244 - int ret = IRQ_NONE;
31245 -
31246 -- atomic_inc(&dev_priv->irq_received);
31247 -+ atomic_inc_unchecked(&dev_priv->irq_received);
31248 -
31249 - if (IS_IGDNG(dev))
31250 - return igdng_irq_handler(dev);
31251 -@@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
31252 - {
31253 - drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
31254 -
31255 -- atomic_set(&dev_priv->irq_received, 0);
31256 -+ atomic_set_unchecked(&dev_priv->irq_received, 0);
31257 -
31258 - INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
31259 - INIT_WORK(&dev_priv->error_work, i915_error_work_func);
31260 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c
31261 ---- linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-03-27 14:31:47.000000000 -0400
31262 -+++ linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-08-05 20:33:55.000000000 -0400
31263 -@@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
31264 - sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
31265 -
31266 - /* Save the bit-banging i2c functionality for use by the DDC wrapper */
31267 -- intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31268 -+ pax_open_kernel();
31269 -+ *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31270 -+ pax_close_kernel();
31271 -
31272 - /* Read the regs to test if we can talk to the device */
31273 - for (i = 0; i < 0x40; i++) {
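Review bot: the store in intel_sdvo_init goes through `*(void **)&intel_sdvo_i2c_bit_algo.functionality`, which discards the function pointer type, so a mismatched right-hand side would no longer be diagnosed. Keep the assignment typed (cast to a pointer to the member's own function pointer type) and add a comment saying why this object needs pax_open_kernel()/pax_close_kernel() around a one-time initialisation.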
31274 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h
31275 ---- linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-03-27 14:31:47.000000000 -0400
31276 -+++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-05-04 17:56:28.000000000 -0400
31277 -@@ -120,9 +120,9 @@ typedef struct drm_mga_private {
31278 - u32 clear_cmd;
31279 - u32 maccess;
31280 -
31281 -- atomic_t vbl_received; /**< Number of vblanks received. */
31282 -+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
31283 - wait_queue_head_t fence_queue;
31284 -- atomic_t last_fence_retired;
31285 -+ atomic_unchecked_t last_fence_retired;
31286 - u32 next_fence_to_post;
31287 -
31288 - unsigned int fb_cpp;
31289 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c
31290 ---- linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-03-27 14:31:47.000000000 -0400
31291 -+++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-05-04 17:56:28.000000000 -0400
31292 -@@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
31293 - if (crtc != 0)
31294 - return 0;
31295 -
31296 -- return atomic_read(&dev_priv->vbl_received);
31297 -+ return atomic_read_unchecked(&dev_priv->vbl_received);
31298 - }
31299 -
31300 -
31301 -@@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31302 - /* VBLANK interrupt */
31303 - if (status & MGA_VLINEPEN) {
31304 - MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
31305 -- atomic_inc(&dev_priv->vbl_received);
31306 -+ atomic_inc_unchecked(&dev_priv->vbl_received);
31307 - drm_handle_vblank(dev, 0);
31308 - handled = 1;
31309 - }
31310 -@@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31311 - MGA_WRITE(MGA_PRIMEND, prim_end);
31312 - }
31313 -
31314 -- atomic_inc(&dev_priv->last_fence_retired);
31315 -+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
31316 - DRM_WAKEUP(&dev_priv->fence_queue);
31317 - handled = 1;
31318 - }
31319 -@@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
31320 - * using fences.
31321 - */
31322 - DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
31323 -- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
31324 -+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
31325 - - *sequence) <= (1 << 23)));
31326 -
31327 - *sequence = cur_fence;
31328 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c
31329 ---- linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-03-27 14:31:47.000000000 -0400
31330 -+++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-05-04 17:56:28.000000000 -0400
31331 -@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
31332 -
31333 - /* GH: Simple idle check.
31334 - */
31335 -- atomic_set(&dev_priv->idle_count, 0);
31336 -+ atomic_set_unchecked(&dev_priv->idle_count, 0);
31337 -
31338 - /* We don't support anything other than bus-mastering ring mode,
31339 - * but the ring can be in either AGP or PCI space for the ring
31340 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h
31341 ---- linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-03-27 14:31:47.000000000 -0400
31342 -+++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-05-04 17:56:28.000000000 -0400
31343 -@@ -90,14 +90,14 @@ typedef struct drm_r128_private {
31344 - int is_pci;
31345 - unsigned long cce_buffers_offset;
31346 -
31347 -- atomic_t idle_count;
31348 -+ atomic_unchecked_t idle_count;
31349 -
31350 - int page_flipping;
31351 - int current_page;
31352 - u32 crtc_offset;
31353 - u32 crtc_offset_cntl;
31354 -
31355 -- atomic_t vbl_received;
31356 -+ atomic_unchecked_t vbl_received;
31357 -
31358 - u32 color_fmt;
31359 - unsigned int front_offset;
31360 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c
31361 ---- linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-03-27 14:31:47.000000000 -0400
31362 -+++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-05-04 17:56:28.000000000 -0400
31363 -@@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
31364 - if (crtc != 0)
31365 - return 0;
31366 -
31367 -- return atomic_read(&dev_priv->vbl_received);
31368 -+ return atomic_read_unchecked(&dev_priv->vbl_received);
31369 - }
31370 -
31371 - irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
31372 -@@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
31373 - /* VBLANK interrupt */
31374 - if (status & R128_CRTC_VBLANK_INT) {
31375 - R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
31376 -- atomic_inc(&dev_priv->vbl_received);
31377 -+ atomic_inc_unchecked(&dev_priv->vbl_received);
31378 - drm_handle_vblank(dev, 0);
31379 - return IRQ_HANDLED;
31380 - }
31381 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c
31382 ---- linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-03-27 14:31:47.000000000 -0400
31383 -+++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-05-04 17:56:28.000000000 -0400
31384 -@@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
31385 -
31386 - static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
31387 - {
31388 -- if (atomic_read(&dev_priv->idle_count) == 0) {
31389 -+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
31390 - r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
31391 - } else {
31392 -- atomic_set(&dev_priv->idle_count, 0);
31393 -+ atomic_set_unchecked(&dev_priv->idle_count, 0);
31394 - }
31395 - }
31396 -
31397 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c
31398 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:12:01.000000000 -0400
31399 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:46:57.000000000 -0400
31400 -@@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
31401 - char name[512];
31402 - int i;
31403 -
31404 -+ pax_track_stack();
31405 -+
31406 - ctx->card = card;
31407 - ctx->bios = bios;
31408 -
31409 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c
31410 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-03-27 14:31:47.000000000 -0400
31411 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:56:46.000000000 -0400
31412 -@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
31413 - regex_t mask_rex;
31414 - regmatch_t match[4];
31415 - char buf[1024];
31416 -- size_t end;
31417 -+ long end;
31418 - int len;
31419 - int done = 0;
31420 - int r;
31421 - unsigned o;
31422 - struct offset *offset;
31423 - char last_reg_s[10];
31424 -- int last_reg;
31425 -+ unsigned long last_reg;
31426 -
31427 - if (regcomp
31428 - (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
31429 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h
31430 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-03-27 14:31:47.000000000 -0400
31431 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-08-05 20:33:55.000000000 -0400
31432 -@@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
31433 - */
31434 - struct radeon_fence_driver {
31435 - uint32_t scratch_reg;
31436 -- atomic_t seq;
31437 -+ atomic_unchecked_t seq;
31438 - uint32_t last_seq;
31439 - unsigned long count_timeout;
31440 - wait_queue_head_t queue;
31441 -@@ -640,7 +640,7 @@ struct radeon_asic {
31442 - uint32_t offset, uint32_t obj_size);
31443 - int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
31444 - void (*bandwidth_update)(struct radeon_device *rdev);
31445 --};
31446 -+} __no_const;
31447 -
31448 - /*
31449 - * Asic structures
31450 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c
31451 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-03-27 14:31:47.000000000 -0400
31452 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:46:57.000000000 -0400
31453 -@@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
31454 - bool linkb;
31455 - struct radeon_i2c_bus_rec ddc_bus;
31456 -
31457 -+ pax_track_stack();
31458 -+
31459 - atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31460 -
31461 - if (data_offset == 0)
31462 -@@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
31463 - }
31464 - }
31465 -
31466 --struct bios_connector {
31467 -+static struct bios_connector {
31468 - bool valid;
31469 - uint16_t line_mux;
31470 - uint16_t devices;
31471 - int connector_type;
31472 - struct radeon_i2c_bus_rec ddc_bus;
31473 --};
31474 -+} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31475 -
31476 - bool radeon_get_atom_connector_info_from_supported_devices_table(struct
31477 - drm_device
31478 -@@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
31479 - uint8_t dac;
31480 - union atom_supported_devices *supported_devices;
31481 - int i, j;
31482 -- struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31483 -
31484 - atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31485 -
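Review bot: with the local `struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` removed here in favour of the file-scope static array declared in the previous hunk, radeon_get_atom_connector_info_from_supported_devices_table is no longer reentrant and the array keeps its contents between calls. Nothing visible clears the `valid` flags at entry or serialises callers; add an explicit memset at the top of the function and note the locking assumption.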
31486 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c
31487 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-03-27 14:31:47.000000000 -0400
31488 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-04-17 15:56:46.000000000 -0400
31489 -@@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
31490 -
31491 - if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
31492 - error = freq - current_freq;
31493 -- error = error < 0 ? 0xffffffff : error;
31494 -+ error = (int32_t)error < 0 ? 0xffffffff : error;
31495 - } else
31496 - error = abs(current_freq - freq);
31497 - vco_diff = abs(vco - best_vco);
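Review bot: `(int32_t)error < 0` in radeon_compute_pll only works if error is exactly 32 bits wide, and it depends on the wrapped result of `freq - current_freq`. Comparing the operands before subtracting (`freq < current_freq ? 0xffffffff : freq - current_freq`) states the intent directly and does not depend on the width of error.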
31498 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h
31499 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-27 14:31:47.000000000 -0400
31500 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-04 17:56:28.000000000 -0400
31501 -@@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
31502 -
31503 - /* SW interrupt */
31504 - wait_queue_head_t swi_queue;
31505 -- atomic_t swi_emitted;
31506 -+ atomic_unchecked_t swi_emitted;
31507 - int vblank_crtc;
31508 - uint32_t irq_enable_reg;
31509 - uint32_t r500_disp_irq_reg;
31510 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c
31511 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-03-27 14:31:47.000000000 -0400
31512 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-04 17:56:28.000000000 -0400
31513 -@@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
31514 - write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
31515 - return 0;
31516 - }
31517 -- fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
31518 -+ fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
31519 - if (!rdev->cp.ready) {
31520 - /* FIXME: cp is not running assume everythings is done right
31521 - * away
31522 -@@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
31523 - return r;
31524 - }
31525 - WREG32(rdev->fence_drv.scratch_reg, 0);
31526 -- atomic_set(&rdev->fence_drv.seq, 0);
31527 -+ atomic_set_unchecked(&rdev->fence_drv.seq, 0);
31528 - INIT_LIST_HEAD(&rdev->fence_drv.created);
31529 - INIT_LIST_HEAD(&rdev->fence_drv.emited);
31530 - INIT_LIST_HEAD(&rdev->fence_drv.signaled);
31531 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c
31532 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-27 14:31:47.000000000 -0400
31533 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-23 13:57:24.000000000 -0400
31534 -@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
31535 - request = compat_alloc_user_space(sizeof(*request));
31536 - if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
31537 - || __put_user(req32.param, &request->param)
31538 -- || __put_user((void __user *)(unsigned long)req32.value,
31539 -+ || __put_user((unsigned long)req32.value,
31540 - &request->value))
31541 - return -EFAULT;
31542 -
31543 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c
31544 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-27 14:31:47.000000000 -0400
31545 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-04 17:56:28.000000000 -0400
31546 -@@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
31547 - unsigned int ret;
31548 - RING_LOCALS;
31549 -
31550 -- atomic_inc(&dev_priv->swi_emitted);
31551 -- ret = atomic_read(&dev_priv->swi_emitted);
31552 -+ atomic_inc_unchecked(&dev_priv->swi_emitted);
31553 -+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
31554 -
31555 - BEGIN_RING(4);
31556 - OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
31557 -@@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
31558 - drm_radeon_private_t *dev_priv =
31559 - (drm_radeon_private_t *) dev->dev_private;
31560 -
31561 -- atomic_set(&dev_priv->swi_emitted, 0);
31562 -+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
31563 - DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
31564 -
31565 - dev->max_vblank_count = 0x001fffff;
31566 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c
31567 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-03-27 14:31:47.000000000 -0400
31568 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:56:46.000000000 -0400
31569 -@@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
31570 - {
31571 - drm_radeon_private_t *dev_priv = dev->dev_private;
31572 - drm_radeon_getparam_t *param = data;
31573 -- int value;
31574 -+ int value = 0;
31575 -
31576 - DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
31577 -
31578 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c
31579 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-27 14:31:47.000000000 -0400
31580 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:56:46.000000000 -0400
31581 -@@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
31582 - DRM_INFO("radeon: ttm finalized\n");
31583 - }
31584 -
31585 --static struct vm_operations_struct radeon_ttm_vm_ops;
31586 --static const struct vm_operations_struct *ttm_vm_ops = NULL;
31587 --
31588 --static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
31589 --{
31590 -- struct ttm_buffer_object *bo;
31591 -- int r;
31592 --
31593 -- bo = (struct ttm_buffer_object *)vma->vm_private_data;
31594 -- if (bo == NULL) {
31595 -- return VM_FAULT_NOPAGE;
31596 -- }
31597 -- r = ttm_vm_ops->fault(vma, vmf);
31598 -- return r;
31599 --}
31600 --
31601 - int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
31602 - {
31603 - struct drm_file *file_priv;
31604 - struct radeon_device *rdev;
31605 -- int r;
31606 -
31607 - if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
31608 - return drm_mmap(filp, vma);
31609 -@@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
31610 -
31611 - file_priv = (struct drm_file *)filp->private_data;
31612 - rdev = file_priv->minor->dev->dev_private;
31613 -- if (rdev == NULL) {
31614 -+ if (!rdev)
31615 - return -EINVAL;
31616 -- }
31617 -- r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31618 -- if (unlikely(r != 0)) {
31619 -- return r;
31620 -- }
31621 -- if (unlikely(ttm_vm_ops == NULL)) {
31622 -- ttm_vm_ops = vma->vm_ops;
31623 -- radeon_ttm_vm_ops = *ttm_vm_ops;
31624 -- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
31625 -- }
31626 -- vma->vm_ops = &radeon_ttm_vm_ops;
31627 -- return 0;
31628 -+ return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31629 - }
31630 -
31631 -
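Review bot: with `radeon_ttm_fault` and the `radeon_ttm_vm_ops` override removed, radeon_mmap no longer has its own `bo == NULL` guard and relies entirely on the `if (!bo) return VM_FAULT_NOPAGE;` that the ttm_bo_vm.c part of this patch adds to ttm_bo_vm_fault. The two changes are only safe together, so they should be kept in one patch and the dependency stated in a comment or in the changelog.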
31632 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c
31633 ---- linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-03-27 14:31:47.000000000 -0400
31634 -+++ linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:56:46.000000000 -0400
31635 -@@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
31636 - if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
31637 - rdev->pm.sideport_bandwidth.full)
31638 - rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
31639 -- read_delay_latency.full = rfixed_const(370 * 800 * 1000);
31640 -+ read_delay_latency.full = rfixed_const(800 * 1000);
31641 - read_delay_latency.full = rfixed_div(read_delay_latency,
31642 - rdev->pm.igp_sideport_mclk);
31643 -+ a.full = rfixed_const(370);
31644 -+ read_delay_latency.full = rfixed_mul(read_delay_latency, a);
31645 - } else {
31646 - if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
31647 - rdev->pm.k8_bandwidth.full)
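Review bot: the added `a.full = rfixed_const(370);` assigns to `a`, but this hunk adds no declaration for it, so confirm a fixed-point local named `a` is already in scope in rs690_crtc_bandwidth_compute. Pulling the factor 370 out of `rfixed_const(370 * 800 * 1000)` and applying it with `rfixed_mul` after the `rfixed_div` also changes the rounding order (divide first, then multiply). A one-line comment saying why the constant was split would help the next reader.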
31648 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c
31649 ---- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:24:44.000000000 -0400
31650 -+++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:25:07.000000000 -0400
31651 -@@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
31652 - NULL
31653 - };
31654 -
31655 --static struct sysfs_ops ttm_bo_global_ops = {
31656 -+static const struct sysfs_ops ttm_bo_global_ops = {
31657 - .show = &ttm_bo_global_show
31658 - };
31659 -
31660 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c
31661 ---- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-27 14:31:47.000000000 -0400
31662 -+++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:56:46.000000000 -0400
31663 -@@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
31664 - {
31665 - struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
31666 - vma->vm_private_data;
31667 -- struct ttm_bo_device *bdev = bo->bdev;
31668 -+ struct ttm_bo_device *bdev;
31669 - unsigned long bus_base;
31670 - unsigned long bus_offset;
31671 - unsigned long bus_size;
31672 -@@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
31673 - unsigned long address = (unsigned long)vmf->virtual_address;
31674 - int retval = VM_FAULT_NOPAGE;
31675 -
31676 -+ if (!bo)
31677 -+ return VM_FAULT_NOPAGE;
31678 -+ bdev = bo->bdev;
31679 -+
31680 - /*
31681 - * Work around locking order reversal in fault / nopfn
31682 - * between mmap_sem and bo_reserve: Perform a trylock operation
31683 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c
31684 ---- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-03-27 14:31:47.000000000 -0400
31685 -+++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-04-17 15:56:46.000000000 -0400
31686 -@@ -36,7 +36,7 @@
31687 - struct ttm_global_item {
31688 - struct mutex mutex;
31689 - void *object;
31690 -- int refcount;
31691 -+ atomic_t refcount;
31692 - };
31693 -
31694 - static struct ttm_global_item glob[TTM_GLOBAL_NUM];
31695 -@@ -49,7 +49,7 @@ void ttm_global_init(void)
31696 - struct ttm_global_item *item = &glob[i];
31697 - mutex_init(&item->mutex);
31698 - item->object = NULL;
31699 -- item->refcount = 0;
31700 -+ atomic_set(&item->refcount, 0);
31701 - }
31702 - }
31703 -
31704 -@@ -59,7 +59,7 @@ void ttm_global_release(void)
31705 - for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
31706 - struct ttm_global_item *item = &glob[i];
31707 - BUG_ON(item->object != NULL);
31708 -- BUG_ON(item->refcount != 0);
31709 -+ BUG_ON(atomic_read(&item->refcount) != 0);
31710 - }
31711 - }
31712 -
31713 -@@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
31714 - void *object;
31715 -
31716 - mutex_lock(&item->mutex);
31717 -- if (item->refcount == 0) {
31718 -+ if (atomic_read(&item->refcount) == 0) {
31719 - item->object = kzalloc(ref->size, GFP_KERNEL);
31720 - if (unlikely(item->object == NULL)) {
31721 - ret = -ENOMEM;
31722 -@@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
31723 - goto out_err;
31724 -
31725 - }
31726 -- ++item->refcount;
31727 -+ atomic_inc(&item->refcount);
31728 - ref->object = item->object;
31729 - object = item->object;
31730 - mutex_unlock(&item->mutex);
31731 -@@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
31732 - struct ttm_global_item *item = &glob[ref->global_type];
31733 -
31734 - mutex_lock(&item->mutex);
31735 -- BUG_ON(item->refcount == 0);
31736 -+ BUG_ON(atomic_read(&item->refcount) == 0);
31737 - BUG_ON(ref->object != item->object);
31738 -- if (--item->refcount == 0) {
31739 -+ if (atomic_dec_and_test(&item->refcount)) {
31740 - ref->release(ref);
31741 - item->object = NULL;
31742 - }
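Review bot: in ttm_global_item_ref and ttm_global_item_unref every access to `item->refcount` already sits between `mutex_lock(&item->mutex)` and the unlock, so the switch from `int` to `atomic_t` is not needed for concurrency and its purpose is undocumented. Elsewhere in this patch plain event counters are moved to `atomic_unchecked_t` while this field goes to `atomic_t`; a comment on the struct member saying it is a true reference count would make that distinction explicit.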
31743 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c
31744 ---- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-03-27 14:31:47.000000000 -0400
31745 -+++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-04-17 15:56:46.000000000 -0400
31746 -@@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
31747 - NULL
31748 - };
31749 -
31750 --static struct sysfs_ops ttm_mem_zone_ops = {
31751 -+static const struct sysfs_ops ttm_mem_zone_ops = {
31752 - .show = &ttm_mem_zone_show,
31753 - .store = &ttm_mem_zone_store
31754 - };
31755 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h
31756 ---- linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-03-27 14:31:47.000000000 -0400
31757 -+++ linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-05-04 17:56:28.000000000 -0400
31758 -@@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
31759 - typedef uint32_t maskarray_t[5];
31760 -
31761 - typedef struct drm_via_irq {
31762 -- atomic_t irq_received;
31763 -+ atomic_unchecked_t irq_received;
31764 - uint32_t pending_mask;
31765 - uint32_t enable_mask;
31766 - wait_queue_head_t irq_queue;
31767 -@@ -75,7 +75,7 @@ typedef struct drm_via_private {
31768 - struct timeval last_vblank;
31769 - int last_vblank_valid;
31770 - unsigned usec_per_vblank;
31771 -- atomic_t vbl_received;
31772 -+ atomic_unchecked_t vbl_received;
31773 - drm_via_state_t hc_state;
31774 - char pci_buf[VIA_PCI_BUF_SIZE];
31775 - const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
31776 -diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c
31777 ---- linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-03-27 14:31:47.000000000 -0400
31778 -+++ linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-05-04 17:56:28.000000000 -0400
31779 -@@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
31780 - if (crtc != 0)
31781 - return 0;
31782 -
31783 -- return atomic_read(&dev_priv->vbl_received);
31784 -+ return atomic_read_unchecked(&dev_priv->vbl_received);
31785 - }
31786 -
31787 - irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
31788 -@@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
31789 -
31790 - status = VIA_READ(VIA_REG_INTERRUPT);
31791 - if (status & VIA_IRQ_VBLANK_PENDING) {
31792 -- atomic_inc(&dev_priv->vbl_received);
31793 -- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
31794 -+ atomic_inc_unchecked(&dev_priv->vbl_received);
31795 -+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
31796 - do_gettimeofday(&cur_vblank);
31797 - if (dev_priv->last_vblank_valid) {
31798 - dev_priv->usec_per_vblank =
31799 -@@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
31800 - dev_priv->last_vblank = cur_vblank;
31801 - dev_priv->last_vblank_valid = 1;
31802 - }
31803 -- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
31804 -+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
31805 - DRM_DEBUG("US per vblank is: %u\n",
31806 - dev_priv->usec_per_vblank);
31807 - }
31808 -@@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
31809 -
31810 - for (i = 0; i < dev_priv->num_irqs; ++i) {
31811 - if (status & cur_irq->pending_mask) {
31812 -- atomic_inc(&cur_irq->irq_received);
31813 -+ atomic_inc_unchecked(&cur_irq->irq_received);
31814 - DRM_WAKEUP(&cur_irq->irq_queue);
31815 - handled = 1;
31816 - if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
31817 -@@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
31818 - DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
31819 - ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
31820 - masks[irq][4]));
31821 -- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
31822 -+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
31823 - } else {
31824 - DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
31825 - (((cur_irq_sequence =
31826 -- atomic_read(&cur_irq->irq_received)) -
31827 -+ atomic_read_unchecked(&cur_irq->irq_received)) -
31828 - *sequence) <= (1 << 23)));
31829 - }
31830 - *sequence = cur_irq_sequence;
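Review bot: the wait condition in via_driver_irq_wait, `(cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received)) - *sequence) <= (1 << 23)`, depends on the counter wrapping, which is the reason `irq_received` has to be the unchecked type. That dependency is not stated anywhere in the hunk; a comment next to the comparison would stop a later cleanup from converting it back to `atomic_t`.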
31831 -@@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
31832 - }
31833 -
31834 - for (i = 0; i < dev_priv->num_irqs; ++i) {
31835 -- atomic_set(&cur_irq->irq_received, 0);
31836 -+ atomic_set_unchecked(&cur_irq->irq_received, 0);
31837 - cur_irq->enable_mask = dev_priv->irq_masks[i][0];
31838 - cur_irq->pending_mask = dev_priv->irq_masks[i][1];
31839 - DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
31840 -@@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
31841 - switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
31842 - case VIA_IRQ_RELATIVE:
31843 - irqwait->request.sequence +=
31844 -- atomic_read(&cur_irq->irq_received);
31845 -+ atomic_read_unchecked(&cur_irq->irq_received);
31846 - irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
31847 - case VIA_IRQ_ABSOLUTE:
31848 - break;
31849 -diff -urNp linux-2.6.32.46/drivers/hid/hid-core.c linux-2.6.32.46/drivers/hid/hid-core.c
31850 ---- linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:01.000000000 -0400
31851 -+++ linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:32.000000000 -0400
31852 -@@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
31853 -
31854 - int hid_add_device(struct hid_device *hdev)
31855 - {
31856 -- static atomic_t id = ATOMIC_INIT(0);
31857 -+ static atomic_unchecked_t id = ATOMIC_INIT(0);
31858 - int ret;
31859 -
31860 - if (WARN_ON(hdev->status & HID_STAT_ADDED))
31861 -@@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
31862 - /* XXX hack, any other cleaner solution after the driver core
31863 - * is converted to allow more than 20 bytes as the device name? */
31864 - dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
31865 -- hdev->vendor, hdev->product, atomic_inc_return(&id));
31866 -+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
31867 -
31868 - ret = device_add(&hdev->dev);
31869 - if (!ret)
31870 -diff -urNp linux-2.6.32.46/drivers/hid/usbhid/hiddev.c linux-2.6.32.46/drivers/hid/usbhid/hiddev.c
31871 ---- linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-03-27 14:31:47.000000000 -0400
31872 -+++ linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-04-17 15:56:46.000000000 -0400
31873 -@@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
31874 - return put_user(HID_VERSION, (int __user *)arg);
31875 -
31876 - case HIDIOCAPPLICATION:
31877 -- if (arg < 0 || arg >= hid->maxapplication)
31878 -+ if (arg >= hid->maxapplication)
31879 - return -EINVAL;
31880 -
31881 - for (i = 0; i < hid->maxcollection; i++)
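Review bot: dropping `arg < 0` from the HIDIOCAPPLICATION check is only equivalent if `arg` is an unsigned type, and its declaration is not visible in this hunk. If it is unsigned, the old test was dead code and the change is fine, but it is worth confirming that the comparison against `hid->maxapplication` is not done in a signed type, because `arg >= hid->maxapplication` is now the only bound on the value.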
31882 -diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.c linux-2.6.32.46/drivers/hwmon/lis3lv02d.c
31883 ---- linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-03-27 14:31:47.000000000 -0400
31884 -+++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-05-04 17:56:28.000000000 -0400
31885 -@@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
31886 - * the lid is closed. This leads to interrupts as soon as a little move
31887 - * is done.
31888 - */
31889 -- atomic_inc(&lis3_dev.count);
31890 -+ atomic_inc_unchecked(&lis3_dev.count);
31891 -
31892 - wake_up_interruptible(&lis3_dev.misc_wait);
31893 - kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
31894 -@@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
31895 - if (test_and_set_bit(0, &lis3_dev.misc_opened))
31896 - return -EBUSY; /* already open */
31897 -
31898 -- atomic_set(&lis3_dev.count, 0);
31899 -+ atomic_set_unchecked(&lis3_dev.count, 0);
31900 -
31901 - /*
31902 - * The sensor can generate interrupts for free-fall and direction
31903 -@@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
31904 - add_wait_queue(&lis3_dev.misc_wait, &wait);
31905 - while (true) {
31906 - set_current_state(TASK_INTERRUPTIBLE);
31907 -- data = atomic_xchg(&lis3_dev.count, 0);
31908 -+ data = atomic_xchg_unchecked(&lis3_dev.count, 0);
31909 - if (data)
31910 - break;
31911 -
31912 -@@ -244,7 +244,7 @@ out:
31913 - static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
31914 - {
31915 - poll_wait(file, &lis3_dev.misc_wait, wait);
31916 -- if (atomic_read(&lis3_dev.count))
31917 -+ if (atomic_read_unchecked(&lis3_dev.count))
31918 - return POLLIN | POLLRDNORM;
31919 - return 0;
31920 - }
31921 -diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.h linux-2.6.32.46/drivers/hwmon/lis3lv02d.h
31922 ---- linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-03-27 14:31:47.000000000 -0400
31923 -+++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-05-04 17:56:28.000000000 -0400
31924 -@@ -201,7 +201,7 @@ struct lis3lv02d {
31925 -
31926 - struct input_polled_dev *idev; /* input device */
31927 - struct platform_device *pdev; /* platform device */
31928 -- atomic_t count; /* interrupt count after last read */
31929 -+ atomic_unchecked_t count; /* interrupt count after last read */
31930 - int xcalib; /* calibrated null value for x */
31931 - int ycalib; /* calibrated null value for y */
31932 - int zcalib; /* calibrated null value for z */
31933 -diff -urNp linux-2.6.32.46/drivers/hwmon/sht15.c linux-2.6.32.46/drivers/hwmon/sht15.c
31934 ---- linux-2.6.32.46/drivers/hwmon/sht15.c 2011-03-27 14:31:47.000000000 -0400
31935 -+++ linux-2.6.32.46/drivers/hwmon/sht15.c 2011-05-04 17:56:28.000000000 -0400
31936 -@@ -112,7 +112,7 @@ struct sht15_data {
31937 - int supply_uV;
31938 - int supply_uV_valid;
31939 - struct work_struct update_supply_work;
31940 -- atomic_t interrupt_handled;
31941 -+ atomic_unchecked_t interrupt_handled;
31942 - };
31943 -
31944 - /**
31945 -@@ -245,13 +245,13 @@ static inline int sht15_update_single_va
31946 - return ret;
31947 -
31948 - gpio_direction_input(data->pdata->gpio_data);
31949 -- atomic_set(&data->interrupt_handled, 0);
31950 -+ atomic_set_unchecked(&data->interrupt_handled, 0);
31951 -
31952 - enable_irq(gpio_to_irq(data->pdata->gpio_data));
31953 - if (gpio_get_value(data->pdata->gpio_data) == 0) {
31954 - disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
31955 - /* Only relevant if the interrupt hasn't occured. */
31956 -- if (!atomic_read(&data->interrupt_handled))
31957 -+ if (!atomic_read_unchecked(&data->interrupt_handled))
31958 - schedule_work(&data->read_work);
31959 - }
31960 - ret = wait_event_timeout(data->wait_queue,
31961 -@@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
31962 - struct sht15_data *data = d;
31963 - /* First disable the interrupt */
31964 - disable_irq_nosync(irq);
31965 -- atomic_inc(&data->interrupt_handled);
31966 -+ atomic_inc_unchecked(&data->interrupt_handled);
31967 - /* Then schedule a reading work struct */
31968 - if (data->flag != SHT15_READING_NOTHING)
31969 - schedule_work(&data->read_work);
31970 -@@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
31971 - here as could have gone low in meantime so verify
31972 - it hasn't!
31973 - */
31974 -- atomic_set(&data->interrupt_handled, 0);
31975 -+ atomic_set_unchecked(&data->interrupt_handled, 0);
31976 - enable_irq(gpio_to_irq(data->pdata->gpio_data));
31977 - /* If still not occured or another handler has been scheduled */
31978 - if (gpio_get_value(data->pdata->gpio_data)
31979 -- || atomic_read(&data->interrupt_handled))
31980 -+ || atomic_read_unchecked(&data->interrupt_handled))
31981 - return;
31982 - }
31983 - /* Read the data back from the device */
31984 -diff -urNp linux-2.6.32.46/drivers/hwmon/w83791d.c linux-2.6.32.46/drivers/hwmon/w83791d.c
31985 ---- linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-03-27 14:31:47.000000000 -0400
31986 -+++ linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-04-17 15:56:46.000000000 -0400
31987 -@@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
31988 - struct i2c_board_info *info);
31989 - static int w83791d_remove(struct i2c_client *client);
31990 -
31991 --static int w83791d_read(struct i2c_client *client, u8 register);
31992 --static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
31993 -+static int w83791d_read(struct i2c_client *client, u8 reg);
31994 -+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
31995 - static struct w83791d_data *w83791d_update_device(struct device *dev);
31996 -
31997 - #ifdef DEBUG
31998 -diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c
31999 ---- linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-03-27 14:31:47.000000000 -0400
32000 -+++ linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-08-23 21:22:32.000000000 -0400
32001 -@@ -43,7 +43,7 @@
32002 - extern struct i2c_adapter amd756_smbus;
32003 -
32004 - static struct i2c_adapter *s4882_adapter;
32005 --static struct i2c_algorithm *s4882_algo;
32006 -+static i2c_algorithm_no_const *s4882_algo;
32007 -
32008 - /* Wrapper access functions for multiplexed SMBus */
32009 - static DEFINE_MUTEX(amd756_lock);
32010 -diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c
32011 ---- linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-03-27 14:31:47.000000000 -0400
32012 -+++ linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-08-23 21:22:32.000000000 -0400
32013 -@@ -41,7 +41,7 @@
32014 - extern struct i2c_adapter *nforce2_smbus;
32015 -
32016 - static struct i2c_adapter *s4985_adapter;
32017 --static struct i2c_algorithm *s4985_algo;
32018 -+static i2c_algorithm_no_const *s4985_algo;
32019 -
32020 - /* Wrapper access functions for multiplexed SMBus */
32021 - static DEFINE_MUTEX(nforce2_lock);
32022 -diff -urNp linux-2.6.32.46/drivers/ide/ide-cd.c linux-2.6.32.46/drivers/ide/ide-cd.c
32023 ---- linux-2.6.32.46/drivers/ide/ide-cd.c 2011-03-27 14:31:47.000000000 -0400
32024 -+++ linux-2.6.32.46/drivers/ide/ide-cd.c 2011-04-17 15:56:46.000000000 -0400
32025 -@@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
32026 - alignment = queue_dma_alignment(q) | q->dma_pad_mask;
32027 - if ((unsigned long)buf & alignment
32028 - || blk_rq_bytes(rq) & q->dma_pad_mask
32029 -- || object_is_on_stack(buf))
32030 -+ || object_starts_on_stack(buf))
32031 - drive->dma = 0;
32032 - }
32033 - }
32034 -diff -urNp linux-2.6.32.46/drivers/ide/ide-floppy.c linux-2.6.32.46/drivers/ide/ide-floppy.c
32035 ---- linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-03-27 14:31:47.000000000 -0400
32036 -+++ linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-05-16 21:46:57.000000000 -0400
32037 -@@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
32038 - u8 pc_buf[256], header_len, desc_cnt;
32039 - int i, rc = 1, blocks, length;
32040 -
32041 -+ pax_track_stack();
32042 -+
32043 - ide_debug_log(IDE_DBG_FUNC, "enter");
32044 -
32045 - drive->bios_cyl = 0;
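Review bot: the `pax_track_stack();` call added at the top of ide_floppy_get_capacity carries no comment. The only visible reason is the `u8 pc_buf[256]` local declared just above it; saying so (or stating the frame-size threshold that triggers these calls) would make it clear when the call can be dropped or needs adding elsewhere.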
32046 -diff -urNp linux-2.6.32.46/drivers/ide/setup-pci.c linux-2.6.32.46/drivers/ide/setup-pci.c
32047 ---- linux-2.6.32.46/drivers/ide/setup-pci.c 2011-03-27 14:31:47.000000000 -0400
32048 -+++ linux-2.6.32.46/drivers/ide/setup-pci.c 2011-05-16 21:46:57.000000000 -0400
32049 -@@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
32050 - int ret, i, n_ports = dev2 ? 4 : 2;
32051 - struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
32052 -
32053 -+ pax_track_stack();
32054 -+
32055 - for (i = 0; i < n_ports / 2; i++) {
32056 - ret = ide_setup_pci_controller(pdev[i], d, !i);
32057 - if (ret < 0)
32058 -diff -urNp linux-2.6.32.46/drivers/ieee1394/dv1394.c linux-2.6.32.46/drivers/ieee1394/dv1394.c
32059 ---- linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-03-27 14:31:47.000000000 -0400
32060 -+++ linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-04-23 12:56:11.000000000 -0400
32061 -@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
32062 - based upon DIF section and sequence
32063 - */
32064 -
32065 --static void inline
32066 -+static inline void
32067 - frame_put_packet (struct frame *f, struct packet *p)
32068 - {
32069 - int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
32070 -diff -urNp linux-2.6.32.46/drivers/ieee1394/hosts.c linux-2.6.32.46/drivers/ieee1394/hosts.c
32071 ---- linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-03-27 14:31:47.000000000 -0400
32072 -+++ linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-04-17 15:56:46.000000000 -0400
32073 -@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
32074 - }
32075 -
32076 - static struct hpsb_host_driver dummy_driver = {
32077 -+ .name = "dummy",
32078 - .transmit_packet = dummy_transmit_packet,
32079 - .devctl = dummy_devctl,
32080 - .isoctl = dummy_isoctl
32081 -diff -urNp linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c
32082 ---- linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-03-27 14:31:47.000000000 -0400
32083 -+++ linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-04-17 15:56:46.000000000 -0400
32084 -@@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
32085 - for (func = 0; func < 8; func++) {
32086 - u32 class = read_pci_config(num,slot,func,
32087 - PCI_CLASS_REVISION);
32088 -- if ((class == 0xffffffff))
32089 -+ if (class == 0xffffffff)
32090 - continue; /* No device at this func */
32091 -
32092 - if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
32093 -diff -urNp linux-2.6.32.46/drivers/ieee1394/ohci1394.c linux-2.6.32.46/drivers/ieee1394/ohci1394.c
32094 ---- linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-03-27 14:31:47.000000000 -0400
32095 -+++ linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-04-23 12:56:11.000000000 -0400
32096 -@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
32097 - printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
32098 -
32099 - /* Module Parameters */
32100 --static int phys_dma = 1;
32101 -+static int phys_dma;
32102 - module_param(phys_dma, int, 0444);
32103 --MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
32104 -+MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
32105 -
32106 - static void dma_trm_tasklet(unsigned long data);
32107 - static void dma_trm_reset(struct dma_trm_ctx *d);
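Review bot: changing `static int phys_dma = 1;` to an implicit 0 flips the default for every user of the module, and because the parameter is registered with mode `0444` it can only be set at load time. The `MODULE_PARM_DESC` text is updated, which is good, but the behaviour change also belongs in the patch description so that anyone relying on physical DMA knows to pass `phys_dma=1`.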
32108 -diff -urNp linux-2.6.32.46/drivers/ieee1394/sbp2.c linux-2.6.32.46/drivers/ieee1394/sbp2.c
32109 ---- linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-03-27 14:31:47.000000000 -0400
32110 -+++ linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-04-23 12:56:11.000000000 -0400
32111 -@@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
32112 - MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
32113 - MODULE_LICENSE("GPL");
32114 -
32115 --static int sbp2_module_init(void)
32116 -+static int __init sbp2_module_init(void)
32117 - {
32118 - int ret;
32119 -
32120 -diff -urNp linux-2.6.32.46/drivers/infiniband/core/cm.c linux-2.6.32.46/drivers/infiniband/core/cm.c
32121 ---- linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-03-27 14:31:47.000000000 -0400
32122 -+++ linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-04-17 15:56:46.000000000 -0400
32123 -@@ -112,7 +112,7 @@ static char const counter_group_names[CM
32124 -
32125 - struct cm_counter_group {
32126 - struct kobject obj;
32127 -- atomic_long_t counter[CM_ATTR_COUNT];
32128 -+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
32129 - };
32130 -
32131 - struct cm_counter_attribute {
32132 -@@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
32133 - struct ib_mad_send_buf *msg = NULL;
32134 - int ret;
32135 -
32136 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32137 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32138 - counter[CM_REQ_COUNTER]);
32139 -
32140 - /* Quick state check to discard duplicate REQs. */
32141 -@@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
32142 - if (!cm_id_priv)
32143 - return;
32144 -
32145 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32146 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32147 - counter[CM_REP_COUNTER]);
32148 - ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
32149 - if (ret)
32150 -@@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
32151 - if (cm_id_priv->id.state != IB_CM_REP_SENT &&
32152 - cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
32153 - spin_unlock_irq(&cm_id_priv->lock);
32154 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32155 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32156 - counter[CM_RTU_COUNTER]);
32157 - goto out;
32158 - }
32159 -@@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
32160 - cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
32161 - dreq_msg->local_comm_id);
32162 - if (!cm_id_priv) {
32163 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32164 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32165 - counter[CM_DREQ_COUNTER]);
32166 - cm_issue_drep(work->port, work->mad_recv_wc);
32167 - return -EINVAL;
32168 -@@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
32169 - case IB_CM_MRA_REP_RCVD:
32170 - break;
32171 - case IB_CM_TIMEWAIT:
32172 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32173 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32174 - counter[CM_DREQ_COUNTER]);
32175 - if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
32176 - goto unlock;
32177 -@@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
32178 - cm_free_msg(msg);
32179 - goto deref;
32180 - case IB_CM_DREQ_RCVD:
32181 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32182 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32183 - counter[CM_DREQ_COUNTER]);
32184 - goto unlock;
32185 - default:
32186 -@@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
32187 - ib_modify_mad(cm_id_priv->av.port->mad_agent,
32188 - cm_id_priv->msg, timeout)) {
32189 - if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
32190 -- atomic_long_inc(&work->port->
32191 -+ atomic_long_inc_unchecked(&work->port->
32192 - counter_group[CM_RECV_DUPLICATES].
32193 - counter[CM_MRA_COUNTER]);
32194 - goto out;
32195 -@@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
32196 - break;
32197 - case IB_CM_MRA_REQ_RCVD:
32198 - case IB_CM_MRA_REP_RCVD:
32199 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32200 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32201 - counter[CM_MRA_COUNTER]);
32202 - /* fall through */
32203 - default:
32204 -@@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
32205 - case IB_CM_LAP_IDLE:
32206 - break;
32207 - case IB_CM_MRA_LAP_SENT:
32208 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32209 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32210 - counter[CM_LAP_COUNTER]);
32211 - if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
32212 - goto unlock;
32213 -@@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
32214 - cm_free_msg(msg);
32215 - goto deref;
32216 - case IB_CM_LAP_RCVD:
32217 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32218 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32219 - counter[CM_LAP_COUNTER]);
32220 - goto unlock;
32221 - default:
32222 -@@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
32223 - cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
32224 - if (cur_cm_id_priv) {
32225 - spin_unlock_irq(&cm.lock);
32226 -- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32227 -+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32228 - counter[CM_SIDR_REQ_COUNTER]);
32229 - goto out; /* Duplicate message. */
32230 - }
32231 -@@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
32232 - if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
32233 - msg->retries = 1;
32234 -
32235 -- atomic_long_add(1 + msg->retries,
32236 -+ atomic_long_add_unchecked(1 + msg->retries,
32237 - &port->counter_group[CM_XMIT].counter[attr_index]);
32238 - if (msg->retries)
32239 -- atomic_long_add(msg->retries,
32240 -+ atomic_long_add_unchecked(msg->retries,
32241 - &port->counter_group[CM_XMIT_RETRIES].
32242 - counter[attr_index]);
32243 -
32244 -@@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
32245 - }
32246 -
32247 - attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
32248 -- atomic_long_inc(&port->counter_group[CM_RECV].
32249 -+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
32250 - counter[attr_id - CM_ATTR_ID_OFFSET]);
32251 -
32252 - work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
32253 -@@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
32254 - cm_attr = container_of(attr, struct cm_counter_attribute, attr);
32255 -
32256 - return sprintf(buf, "%ld\n",
32257 -- atomic_long_read(&group->counter[cm_attr->index]));
32258 -+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
32259 - }
32260 -
32261 --static struct sysfs_ops cm_counter_ops = {
32262 -+static const struct sysfs_ops cm_counter_ops = {
32263 - .show = cm_show_counter
32264 - };
32265 -
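Review bot: this hunk mixes two unrelated changes, the `atomic_long_read_unchecked` conversion in cm_show_counter and the `const` added to `cm_counter_ops`. Splitting them would make each easier to review and revert. For the first, check that `atomic_long_read_unchecked` returns `long`, since the value is still formatted with `"%ld\n"`.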
32266 -diff -urNp linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c
32267 ---- linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-03-27 14:31:47.000000000 -0400
32268 -+++ linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-05-04 17:56:28.000000000 -0400
32269 -@@ -97,8 +97,8 @@ struct ib_fmr_pool {
32270 -
32271 - struct task_struct *thread;
32272 -
32273 -- atomic_t req_ser;
32274 -- atomic_t flush_ser;
32275 -+ atomic_unchecked_t req_ser;
32276 -+ atomic_unchecked_t flush_ser;
32277 -
32278 - wait_queue_head_t force_wait;
32279 - };
32280 -@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
32281 - struct ib_fmr_pool *pool = pool_ptr;
32282 -
32283 - do {
32284 -- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
32285 -+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
32286 - ib_fmr_batch_release(pool);
32287 -
32288 -- atomic_inc(&pool->flush_ser);
32289 -+ atomic_inc_unchecked(&pool->flush_ser);
32290 - wake_up_interruptible(&pool->force_wait);
32291 -
32292 - if (pool->flush_function)
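Review bot: The test `atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0` in ib_fmr_cleanup_thread is a signed-difference comparison of two sequence numbers, and it is only correct because both are allowed to wrap. That is the real reason req_ser and flush_ser have to be atomic_unchecked_t, but nothing in the struct ib_fmr_pool hunk says so. Add a one-line comment on the two fields stating that they are serials compared by difference, so a later cleanup does not move them back to a checked type.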
32293 -@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
32294 - }
32295 -
32296 - set_current_state(TASK_INTERRUPTIBLE);
32297 -- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
32298 -+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
32299 - !kthread_should_stop())
32300 - schedule();
32301 - __set_current_state(TASK_RUNNING);
32302 -@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
32303 - pool->dirty_watermark = params->dirty_watermark;
32304 - pool->dirty_len = 0;
32305 - spin_lock_init(&pool->pool_lock);
32306 -- atomic_set(&pool->req_ser, 0);
32307 -- atomic_set(&pool->flush_ser, 0);
32308 -+ atomic_set_unchecked(&pool->req_ser, 0);
32309 -+ atomic_set_unchecked(&pool->flush_ser, 0);
32310 - init_waitqueue_head(&pool->force_wait);
32311 -
32312 - pool->thread = kthread_run(ib_fmr_cleanup_thread,
32313 -@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
32314 - }
32315 - spin_unlock_irq(&pool->pool_lock);
32316 -
32317 -- serial = atomic_inc_return(&pool->req_ser);
32318 -+ serial = atomic_inc_return_unchecked(&pool->req_ser);
32319 - wake_up_process(pool->thread);
32320 -
32321 - if (wait_event_interruptible(pool->force_wait,
32322 -- atomic_read(&pool->flush_ser) - serial >= 0))
32323 -+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
32324 - return -EINTR;
32325 -
32326 - return 0;
32327 -@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
32328 - } else {
32329 - list_add_tail(&fmr->list, &pool->dirty_list);
32330 - if (++pool->dirty_len >= pool->dirty_watermark) {
32331 -- atomic_inc(&pool->req_ser);
32332 -+ atomic_inc_unchecked(&pool->req_ser);
32333 - wake_up_process(pool->thread);
32334 - }
32335 - }
32336 -diff -urNp linux-2.6.32.46/drivers/infiniband/core/sysfs.c linux-2.6.32.46/drivers/infiniband/core/sysfs.c
32337 ---- linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-03-27 14:31:47.000000000 -0400
32338 -+++ linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-04-17 15:56:46.000000000 -0400
32339 -@@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
32340 - return port_attr->show(p, port_attr, buf);
32341 - }
32342 -
32343 --static struct sysfs_ops port_sysfs_ops = {
32344 -+static const struct sysfs_ops port_sysfs_ops = {
32345 - .show = port_attr_show
32346 - };
32347 -
32348 -diff -urNp linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c
32349 ---- linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-03-27 14:31:47.000000000 -0400
32350 -+++ linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-04-17 15:56:46.000000000 -0400
32351 -@@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
32352 - dst->grh.sgid_index = src->grh.sgid_index;
32353 - dst->grh.hop_limit = src->grh.hop_limit;
32354 - dst->grh.traffic_class = src->grh.traffic_class;
32355 -+ memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
32356 - dst->dlid = src->dlid;
32357 - dst->sl = src->sl;
32358 - dst->src_path_bits = src->src_path_bits;
32359 - dst->static_rate = src->static_rate;
32360 - dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
32361 - dst->port_num = src->port_num;
32362 -+ dst->reserved = 0;
32363 - }
32364 - EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
32365 -
32366 - void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
32367 - struct ib_qp_attr *src)
32368 - {
32369 -+ dst->qp_state = src->qp_state;
32370 - dst->cur_qp_state = src->cur_qp_state;
32371 - dst->path_mtu = src->path_mtu;
32372 - dst->path_mig_state = src->path_mig_state;
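Review bot: The additions in ib_copy_ah_attr_to_user (`memset(&dst->grh.reserved, ...)`, `dst->reserved = 0`) clear reserved members one at a time in a struct that is handed to user space, so the fix holds only while every such member is listed by hand. Clearing the whole destination once at the top of the helper with `memset(dst, 0, sizeof(*dst))` would also cover anything added to the struct later. The new `dst->qp_state = src->qp_state` in ib_copy_qp_attr_to_user is a different case (a member that was never assigned) and is still needed either way; the changelog should call it out separately.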
32373 -@@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
32374 - dst->rnr_retry = src->rnr_retry;
32375 - dst->alt_port_num = src->alt_port_num;
32376 - dst->alt_timeout = src->alt_timeout;
32377 -+ memset(dst->reserved, 0, sizeof(dst->reserved));
32378 - }
32379 - EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
32380 -
32381 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c
32382 ---- linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-27 14:31:47.000000000 -0400
32383 -+++ linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:46:57.000000000 -0400
32384 -@@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
32385 - struct infinipath_counters counters;
32386 - struct ipath_devdata *dd;
32387 -
32388 -+ pax_track_stack();
32389 -+
32390 - dd = file->f_path.dentry->d_inode->i_private;
32391 - dd->ipath_f_read_counters(dd, &counters);
32392 -
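Review bot: `pax_track_stack()` is added at the top of atomic_counters_read with no explanation; the only candidate in view is the on-stack `struct infinipath_counters counters`. A short comment naming the large local would tell whoever later shrinks or heap-allocates it that the call can be removed as well.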
32393 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c
32394 ---- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-03-27 14:31:47.000000000 -0400
32395 -+++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-05-04 17:56:28.000000000 -0400
32396 -@@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
32397 - LIST_HEAD(nes_adapter_list);
32398 - static LIST_HEAD(nes_dev_list);
32399 -
32400 --atomic_t qps_destroyed;
32401 -+atomic_unchecked_t qps_destroyed;
32402 -
32403 - static unsigned int ee_flsh_adapter;
32404 - static unsigned int sysfs_nonidx_addr;
32405 -@@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
32406 - struct nes_adapter *nesadapter = nesdev->nesadapter;
32407 - u32 qp_id;
32408 -
32409 -- atomic_inc(&qps_destroyed);
32410 -+ atomic_inc_unchecked(&qps_destroyed);
32411 -
32412 - /* Free the control structures */
32413 -
32414 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h
32415 ---- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-03-27 14:31:47.000000000 -0400
32416 -+++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-05-04 17:56:28.000000000 -0400
32417 -@@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
32418 - extern unsigned int wqm_quanta;
32419 - extern struct list_head nes_adapter_list;
32420 -
32421 --extern atomic_t cm_connects;
32422 --extern atomic_t cm_accepts;
32423 --extern atomic_t cm_disconnects;
32424 --extern atomic_t cm_closes;
32425 --extern atomic_t cm_connecteds;
32426 --extern atomic_t cm_connect_reqs;
32427 --extern atomic_t cm_rejects;
32428 --extern atomic_t mod_qp_timouts;
32429 --extern atomic_t qps_created;
32430 --extern atomic_t qps_destroyed;
32431 --extern atomic_t sw_qps_destroyed;
32432 -+extern atomic_unchecked_t cm_connects;
32433 -+extern atomic_unchecked_t cm_accepts;
32434 -+extern atomic_unchecked_t cm_disconnects;
32435 -+extern atomic_unchecked_t cm_closes;
32436 -+extern atomic_unchecked_t cm_connecteds;
32437 -+extern atomic_unchecked_t cm_connect_reqs;
32438 -+extern atomic_unchecked_t cm_rejects;
32439 -+extern atomic_unchecked_t mod_qp_timouts;
32440 -+extern atomic_unchecked_t qps_created;
32441 -+extern atomic_unchecked_t qps_destroyed;
32442 -+extern atomic_unchecked_t sw_qps_destroyed;
32443 - extern u32 mh_detected;
32444 - extern u32 mh_pauses_sent;
32445 - extern u32 cm_packets_sent;
32446 -@@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
32447 - extern u32 cm_listens_created;
32448 - extern u32 cm_listens_destroyed;
32449 - extern u32 cm_backlog_drops;
32450 --extern atomic_t cm_loopbacks;
32451 --extern atomic_t cm_nodes_created;
32452 --extern atomic_t cm_nodes_destroyed;
32453 --extern atomic_t cm_accel_dropped_pkts;
32454 --extern atomic_t cm_resets_recvd;
32455 -+extern atomic_unchecked_t cm_loopbacks;
32456 -+extern atomic_unchecked_t cm_nodes_created;
32457 -+extern atomic_unchecked_t cm_nodes_destroyed;
32458 -+extern atomic_unchecked_t cm_accel_dropped_pkts;
32459 -+extern atomic_unchecked_t cm_resets_recvd;
32460 -
32461 - extern u32 int_mod_timer_init;
32462 - extern u32 int_mod_cq_depth_256;
32463 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c
32464 ---- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-03-27 14:31:47.000000000 -0400
32465 -+++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-05-04 17:56:28.000000000 -0400
32466 -@@ -69,11 +69,11 @@ u32 cm_packets_received;
32467 - u32 cm_listens_created;
32468 - u32 cm_listens_destroyed;
32469 - u32 cm_backlog_drops;
32470 --atomic_t cm_loopbacks;
32471 --atomic_t cm_nodes_created;
32472 --atomic_t cm_nodes_destroyed;
32473 --atomic_t cm_accel_dropped_pkts;
32474 --atomic_t cm_resets_recvd;
32475 -+atomic_unchecked_t cm_loopbacks;
32476 -+atomic_unchecked_t cm_nodes_created;
32477 -+atomic_unchecked_t cm_nodes_destroyed;
32478 -+atomic_unchecked_t cm_accel_dropped_pkts;
32479 -+atomic_unchecked_t cm_resets_recvd;
32480 -
32481 - static inline int mini_cm_accelerated(struct nes_cm_core *,
32482 - struct nes_cm_node *);
32483 -@@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
32484 -
32485 - static struct nes_cm_core *g_cm_core;
32486 -
32487 --atomic_t cm_connects;
32488 --atomic_t cm_accepts;
32489 --atomic_t cm_disconnects;
32490 --atomic_t cm_closes;
32491 --atomic_t cm_connecteds;
32492 --atomic_t cm_connect_reqs;
32493 --atomic_t cm_rejects;
32494 -+atomic_unchecked_t cm_connects;
32495 -+atomic_unchecked_t cm_accepts;
32496 -+atomic_unchecked_t cm_disconnects;
32497 -+atomic_unchecked_t cm_closes;
32498 -+atomic_unchecked_t cm_connecteds;
32499 -+atomic_unchecked_t cm_connect_reqs;
32500 -+atomic_unchecked_t cm_rejects;
32501 -
32502 -
32503 - /**
32504 -@@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
32505 - cm_node->rem_mac);
32506 -
32507 - add_hte_node(cm_core, cm_node);
32508 -- atomic_inc(&cm_nodes_created);
32509 -+ atomic_inc_unchecked(&cm_nodes_created);
32510 -
32511 - return cm_node;
32512 - }
32513 -@@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
32514 - }
32515 -
32516 - atomic_dec(&cm_core->node_cnt);
32517 -- atomic_inc(&cm_nodes_destroyed);
32518 -+ atomic_inc_unchecked(&cm_nodes_destroyed);
32519 - nesqp = cm_node->nesqp;
32520 - if (nesqp) {
32521 - nesqp->cm_node = NULL;
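Review bot: In rem_ref_cm_node the adjacent `atomic_dec(&cm_core->node_cnt)` stays on the checked API while `cm_nodes_destroyed` moves to the unchecked one, and the same split shows up in handle_rst_pkt, where `atomic_read(&cm_node->ref_count)` is left alone. The rule being applied (statistics become unchecked, live counts and reference counts stay checked) is not written down anywhere in these hunks. State it in the patch description so each conversion can be reviewed against it instead of inferred line by line.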
32522 -@@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
32523 -
32524 - static void drop_packet(struct sk_buff *skb)
32525 - {
32526 -- atomic_inc(&cm_accel_dropped_pkts);
32527 -+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
32528 - dev_kfree_skb_any(skb);
32529 - }
32530 -
32531 -@@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
32532 -
32533 - int reset = 0; /* whether to send reset in case of err.. */
32534 - int passive_state;
32535 -- atomic_inc(&cm_resets_recvd);
32536 -+ atomic_inc_unchecked(&cm_resets_recvd);
32537 - nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
32538 - " refcnt=%d\n", cm_node, cm_node->state,
32539 - atomic_read(&cm_node->ref_count));
32540 -@@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
32541 - rem_ref_cm_node(cm_node->cm_core, cm_node);
32542 - return NULL;
32543 - }
32544 -- atomic_inc(&cm_loopbacks);
32545 -+ atomic_inc_unchecked(&cm_loopbacks);
32546 - loopbackremotenode->loopbackpartner = cm_node;
32547 - loopbackremotenode->tcp_cntxt.rcv_wscale =
32548 - NES_CM_DEFAULT_RCV_WND_SCALE;
32549 -@@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
32550 - add_ref_cm_node(cm_node);
32551 - } else if (cm_node->state == NES_CM_STATE_TSA) {
32552 - rem_ref_cm_node(cm_core, cm_node);
32553 -- atomic_inc(&cm_accel_dropped_pkts);
32554 -+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
32555 - dev_kfree_skb_any(skb);
32556 - break;
32557 - }
32558 -@@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
32559 -
32560 - if ((cm_id) && (cm_id->event_handler)) {
32561 - if (issue_disconn) {
32562 -- atomic_inc(&cm_disconnects);
32563 -+ atomic_inc_unchecked(&cm_disconnects);
32564 - cm_event.event = IW_CM_EVENT_DISCONNECT;
32565 - cm_event.status = disconn_status;
32566 - cm_event.local_addr = cm_id->local_addr;
32567 -@@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
32568 - }
32569 -
32570 - if (issue_close) {
32571 -- atomic_inc(&cm_closes);
32572 -+ atomic_inc_unchecked(&cm_closes);
32573 - nes_disconnect(nesqp, 1);
32574 -
32575 - cm_id->provider_data = nesqp;
32576 -@@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
32577 -
32578 - nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
32579 - nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
32580 -- atomic_inc(&cm_accepts);
32581 -+ atomic_inc_unchecked(&cm_accepts);
32582 -
32583 - nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
32584 - atomic_read(&nesvnic->netdev->refcnt));
32585 -@@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
32586 -
32587 - struct nes_cm_core *cm_core;
32588 -
32589 -- atomic_inc(&cm_rejects);
32590 -+ atomic_inc_unchecked(&cm_rejects);
32591 - cm_node = (struct nes_cm_node *) cm_id->provider_data;
32592 - loopback = cm_node->loopbackpartner;
32593 - cm_core = cm_node->cm_core;
32594 -@@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
32595 - ntohl(cm_id->local_addr.sin_addr.s_addr),
32596 - ntohs(cm_id->local_addr.sin_port));
32597 -
32598 -- atomic_inc(&cm_connects);
32599 -+ atomic_inc_unchecked(&cm_connects);
32600 - nesqp->active_conn = 1;
32601 -
32602 - /* cache the cm_id in the qp */
32603 -@@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
32604 - if (nesqp->destroyed) {
32605 - return;
32606 - }
32607 -- atomic_inc(&cm_connecteds);
32608 -+ atomic_inc_unchecked(&cm_connecteds);
32609 - nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
32610 - " local port 0x%04X. jiffies = %lu.\n",
32611 - nesqp->hwqp.qp_id,
32612 -@@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
32613 -
32614 - ret = cm_id->event_handler(cm_id, &cm_event);
32615 - cm_id->add_ref(cm_id);
32616 -- atomic_inc(&cm_closes);
32617 -+ atomic_inc_unchecked(&cm_closes);
32618 - cm_event.event = IW_CM_EVENT_CLOSE;
32619 - cm_event.status = IW_CM_EVENT_STATUS_OK;
32620 - cm_event.provider_data = cm_id->provider_data;
32621 -@@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
32622 - return;
32623 - cm_id = cm_node->cm_id;
32624 -
32625 -- atomic_inc(&cm_connect_reqs);
32626 -+ atomic_inc_unchecked(&cm_connect_reqs);
32627 - nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
32628 - cm_node, cm_id, jiffies);
32629 -
32630 -@@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
32631 - return;
32632 - cm_id = cm_node->cm_id;
32633 -
32634 -- atomic_inc(&cm_connect_reqs);
32635 -+ atomic_inc_unchecked(&cm_connect_reqs);
32636 - nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
32637 - cm_node, cm_id, jiffies);
32638 -
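Review bot: Per the hunk header this increment is in cm_event_mpa_reject, yet the counter being converted is `cm_connect_reqs`, the same one cm_event_mpa_req bumps in the previous hunk, and the nes_debug context line is identical as well. The mechanical rename preserves that behaviour, but `cm_rejects` is declared alongside it, so if reject events were meant to be counted separately this is worth raising with the driver maintainers rather than carrying forward unremarked.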
32639 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c
32640 ---- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-03-27 14:31:47.000000000 -0400
32641 -+++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-05-04 17:56:28.000000000 -0400
32642 -@@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
32643 - target_stat_values[++index] = mh_detected;
32644 - target_stat_values[++index] = mh_pauses_sent;
32645 - target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
32646 -- target_stat_values[++index] = atomic_read(&cm_connects);
32647 -- target_stat_values[++index] = atomic_read(&cm_accepts);
32648 -- target_stat_values[++index] = atomic_read(&cm_disconnects);
32649 -- target_stat_values[++index] = atomic_read(&cm_connecteds);
32650 -- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
32651 -- target_stat_values[++index] = atomic_read(&cm_rejects);
32652 -- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
32653 -- target_stat_values[++index] = atomic_read(&qps_created);
32654 -- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
32655 -- target_stat_values[++index] = atomic_read(&qps_destroyed);
32656 -- target_stat_values[++index] = atomic_read(&cm_closes);
32657 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
32658 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
32659 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
32660 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
32661 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
32662 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
32663 -+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
32664 -+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
32665 -+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
32666 -+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
32667 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
32668 - target_stat_values[++index] = cm_packets_sent;
32669 - target_stat_values[++index] = cm_packets_bounced;
32670 - target_stat_values[++index] = cm_packets_created;
32671 -@@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
32672 - target_stat_values[++index] = cm_listens_created;
32673 - target_stat_values[++index] = cm_listens_destroyed;
32674 - target_stat_values[++index] = cm_backlog_drops;
32675 -- target_stat_values[++index] = atomic_read(&cm_loopbacks);
32676 -- target_stat_values[++index] = atomic_read(&cm_nodes_created);
32677 -- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
32678 -- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
32679 -- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
32680 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
32681 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
32682 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
32683 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
32684 -+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
32685 - target_stat_values[++index] = int_mod_timer_init;
32686 - target_stat_values[++index] = int_mod_cq_depth_1;
32687 - target_stat_values[++index] = int_mod_cq_depth_4;
32688 -diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c
32689 ---- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-27 14:31:47.000000000 -0400
32690 -+++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-04 17:56:28.000000000 -0400
32691 -@@ -45,9 +45,9 @@
32692 -
32693 - #include <rdma/ib_umem.h>
32694 -
32695 --atomic_t mod_qp_timouts;
32696 --atomic_t qps_created;
32697 --atomic_t sw_qps_destroyed;
32698 -+atomic_unchecked_t mod_qp_timouts;
32699 -+atomic_unchecked_t qps_created;
32700 -+atomic_unchecked_t sw_qps_destroyed;
32701 -
32702 - static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
32703 -
32704 -@@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
32705 - if (init_attr->create_flags)
32706 - return ERR_PTR(-EINVAL);
32707 -
32708 -- atomic_inc(&qps_created);
32709 -+ atomic_inc_unchecked(&qps_created);
32710 - switch (init_attr->qp_type) {
32711 - case IB_QPT_RC:
32712 - if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
32713 -@@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
32714 - struct iw_cm_event cm_event;
32715 - int ret;
32716 -
32717 -- atomic_inc(&sw_qps_destroyed);
32718 -+ atomic_inc_unchecked(&sw_qps_destroyed);
32719 - nesqp->destroyed = 1;
32720 -
32721 - /* Blow away the connection if it exists. */
32722 -diff -urNp linux-2.6.32.46/drivers/input/gameport/gameport.c linux-2.6.32.46/drivers/input/gameport/gameport.c
32723 ---- linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-03-27 14:31:47.000000000 -0400
32724 -+++ linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-05-04 17:56:28.000000000 -0400
32725 -@@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
32726 - */
32727 - static void gameport_init_port(struct gameport *gameport)
32728 - {
32729 -- static atomic_t gameport_no = ATOMIC_INIT(0);
32730 -+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
32731 -
32732 - __module_get(THIS_MODULE);
32733 -
32734 - mutex_init(&gameport->drv_mutex);
32735 - device_initialize(&gameport->dev);
32736 -- dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
32737 -+ dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
32738 - gameport->dev.bus = &gameport_bus;
32739 - gameport->dev.release = gameport_release_port;
32740 - if (gameport->parent)
32741 -diff -urNp linux-2.6.32.46/drivers/input/input.c linux-2.6.32.46/drivers/input/input.c
32742 ---- linux-2.6.32.46/drivers/input/input.c 2011-03-27 14:31:47.000000000 -0400
32743 -+++ linux-2.6.32.46/drivers/input/input.c 2011-05-04 17:56:28.000000000 -0400
32744 -@@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
32745 - */
32746 - int input_register_device(struct input_dev *dev)
32747 - {
32748 -- static atomic_t input_no = ATOMIC_INIT(0);
32749 -+ static atomic_unchecked_t input_no = ATOMIC_INIT(0);
32750 - struct input_handler *handler;
32751 - const char *path;
32752 - int error;
32753 -@@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
32754 - dev->setkeycode = input_default_setkeycode;
32755 -
32756 - dev_set_name(&dev->dev, "input%ld",
32757 -- (unsigned long) atomic_inc_return(&input_no) - 1);
32758 -+ (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
32759 -
32760 - error = device_add(&dev->dev);
32761 - if (error)
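Review bot: In input_register_device the format string is `"input%ld"` while the argument is cast to `(unsigned long)`; gameport.c pairs the same cast with `%lu` and serio.c pairs `%ld` with `(long)`. Since the line is being rewritten anyway, make the specifier and the cast agree here too (`%lu`).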
32762 -diff -urNp linux-2.6.32.46/drivers/input/joystick/sidewinder.c linux-2.6.32.46/drivers/input/joystick/sidewinder.c
32763 ---- linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-03-27 14:31:47.000000000 -0400
32764 -+++ linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-05-18 20:09:36.000000000 -0400
32765 -@@ -30,6 +30,7 @@
32766 - #include <linux/kernel.h>
32767 - #include <linux/module.h>
32768 - #include <linux/slab.h>
32769 -+#include <linux/sched.h>
32770 - #include <linux/init.h>
32771 - #include <linux/input.h>
32772 - #include <linux/gameport.h>
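Review bot: The added `#include <linux/sched.h>` has no user in this hunk; it appears to exist only to declare pax_track_stack() for the sw_read change that follows. Other files in this patch (ipath_fs.c, capifunc.c) add the call without a new include, so either note why sidewinder.c needs it or drop it if the declaration is already reachable through the existing headers.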
32773 -@@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
32774 - unsigned char buf[SW_LENGTH];
32775 - int i;
32776 -
32777 -+ pax_track_stack();
32778 -+
32779 - i = sw_read_packet(sw->gameport, buf, sw->length, 0);
32780 -
32781 - if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
32782 -diff -urNp linux-2.6.32.46/drivers/input/joystick/xpad.c linux-2.6.32.46/drivers/input/joystick/xpad.c
32783 ---- linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-03-27 14:31:47.000000000 -0400
32784 -+++ linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-05-04 17:56:28.000000000 -0400
32785 -@@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
32786 -
32787 - static int xpad_led_probe(struct usb_xpad *xpad)
32788 - {
32789 -- static atomic_t led_seq = ATOMIC_INIT(0);
32790 -+ static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
32791 - long led_no;
32792 - struct xpad_led *led;
32793 - struct led_classdev *led_cdev;
32794 -@@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
32795 - if (!led)
32796 - return -ENOMEM;
32797 -
32798 -- led_no = (long)atomic_inc_return(&led_seq) - 1;
32799 -+ led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
32800 -
32801 - snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
32802 - led->xpad = xpad;
32803 -diff -urNp linux-2.6.32.46/drivers/input/serio/serio.c linux-2.6.32.46/drivers/input/serio/serio.c
32804 ---- linux-2.6.32.46/drivers/input/serio/serio.c 2011-03-27 14:31:47.000000000 -0400
32805 -+++ linux-2.6.32.46/drivers/input/serio/serio.c 2011-05-04 17:56:28.000000000 -0400
32806 -@@ -527,7 +527,7 @@ static void serio_release_port(struct de
32807 - */
32808 - static void serio_init_port(struct serio *serio)
32809 - {
32810 -- static atomic_t serio_no = ATOMIC_INIT(0);
32811 -+ static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
32812 -
32813 - __module_get(THIS_MODULE);
32814 -
32815 -@@ -536,7 +536,7 @@ static void serio_init_port(struct serio
32816 - mutex_init(&serio->drv_mutex);
32817 - device_initialize(&serio->dev);
32818 - dev_set_name(&serio->dev, "serio%ld",
32819 -- (long)atomic_inc_return(&serio_no) - 1);
32820 -+ (long)atomic_inc_return_unchecked(&serio_no) - 1);
32821 - serio->dev.bus = &serio_bus;
32822 - serio->dev.release = serio_release_port;
32823 - if (serio->parent) {
32824 -diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/common.c linux-2.6.32.46/drivers/isdn/gigaset/common.c
32825 ---- linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-03-27 14:31:47.000000000 -0400
32826 -+++ linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-04-17 15:56:46.000000000 -0400
32827 -@@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
32828 - cs->commands_pending = 0;
32829 - cs->cur_at_seq = 0;
32830 - cs->gotfwver = -1;
32831 -- cs->open_count = 0;
32832 -+ local_set(&cs->open_count, 0);
32833 - cs->dev = NULL;
32834 - cs->tty = NULL;
32835 - cs->tty_dev = NULL;
32836 -diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h
32837 ---- linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-03-27 14:31:47.000000000 -0400
32838 -+++ linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:56:46.000000000 -0400
32839 -@@ -34,6 +34,7 @@
32840 - #include <linux/tty_driver.h>
32841 - #include <linux/list.h>
32842 - #include <asm/atomic.h>
32843 -+#include <asm/local.h>
32844 -
32845 - #define GIG_VERSION {0,5,0,0}
32846 - #define GIG_COMPAT {0,4,0,0}
32847 -@@ -446,7 +447,7 @@ struct cardstate {
32848 - spinlock_t cmdlock;
32849 - unsigned curlen, cmdbytes;
32850 -
32851 -- unsigned open_count;
32852 -+ local_t open_count;
32853 - struct tty_struct *tty;
32854 - struct tasklet_struct if_wake_tasklet;
32855 - unsigned control_state;
32856 -diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/interface.c linux-2.6.32.46/drivers/isdn/gigaset/interface.c
32857 ---- linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-03-27 14:31:47.000000000 -0400
32858 -+++ linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-04-17 15:56:46.000000000 -0400
32859 -@@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
32860 - return -ERESTARTSYS; // FIXME -EINTR?
32861 - tty->driver_data = cs;
32862 -
32863 -- ++cs->open_count;
32864 --
32865 -- if (cs->open_count == 1) {
32866 -+ if (local_inc_return(&cs->open_count) == 1) {
32867 - spin_lock_irqsave(&cs->lock, flags);
32868 - cs->tty = tty;
32869 - spin_unlock_irqrestore(&cs->lock, flags);
32870 -@@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
32871 -
32872 - if (!cs->connected)
32873 - gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32874 -- else if (!cs->open_count)
32875 -+ else if (!local_read(&cs->open_count))
32876 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32877 - else {
32878 -- if (!--cs->open_count) {
32879 -+ if (!local_dec_return(&cs->open_count)) {
32880 - spin_lock_irqsave(&cs->lock, flags);
32881 - cs->tty = NULL;
32882 - spin_unlock_irqrestore(&cs->lock, flags);
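Review bot: In if_close the open check (`!local_read(&cs->open_count)`) and the decrement (`local_dec_return(&cs->open_count)`) are still two separate steps, and local_t operations are atomic only with respect to the CPU they run on. Converting the field from a plain `unsigned` therefore does not by itself make the count safe against a concurrent open or close on another CPU. Say in the changelog which existing lock the callers rely on to serialize open_count, or use atomic_t if there is none.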
32883 -@@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
32884 - if (!cs->connected) {
32885 - gig_dbg(DEBUG_IF, "not connected");
32886 - retval = -ENODEV;
32887 -- } else if (!cs->open_count)
32888 -+ } else if (!local_read(&cs->open_count))
32889 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32890 - else {
32891 - retval = 0;
32892 -@@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
32893 - if (!cs->connected) {
32894 - gig_dbg(DEBUG_IF, "not connected");
32895 - retval = -ENODEV;
32896 -- } else if (!cs->open_count)
32897 -+ } else if (!local_read(&cs->open_count))
32898 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32899 - else if (cs->mstate != MS_LOCKED) {
32900 - dev_warn(cs->dev, "can't write to unlocked device\n");
32901 -@@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
32902 - if (!cs->connected) {
32903 - gig_dbg(DEBUG_IF, "not connected");
32904 - retval = -ENODEV;
32905 -- } else if (!cs->open_count)
32906 -+ } else if (!local_read(&cs->open_count))
32907 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32908 - else if (cs->mstate != MS_LOCKED) {
32909 - dev_warn(cs->dev, "can't write to unlocked device\n");
32910 -@@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
32911 -
32912 - if (!cs->connected)
32913 - gig_dbg(DEBUG_IF, "not connected");
32914 -- else if (!cs->open_count)
32915 -+ else if (!local_read(&cs->open_count))
32916 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32917 - else if (cs->mstate != MS_LOCKED)
32918 - dev_warn(cs->dev, "can't write to unlocked device\n");
32919 -@@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
32920 -
32921 - if (!cs->connected)
32922 - gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32923 -- else if (!cs->open_count)
32924 -+ else if (!local_read(&cs->open_count))
32925 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32926 - else {
32927 - //FIXME
32928 -@@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
32929 -
32930 - if (!cs->connected)
32931 - gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32932 -- else if (!cs->open_count)
32933 -+ else if (!local_read(&cs->open_count))
32934 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32935 - else {
32936 - //FIXME
32937 -@@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
32938 - goto out;
32939 - }
32940 -
32941 -- if (!cs->open_count) {
32942 -+ if (!local_read(&cs->open_count)) {
32943 - dev_warn(cs->dev, "%s: device not opened\n", __func__);
32944 - goto out;
32945 - }
32946 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c
32947 ---- linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-03-27 14:31:47.000000000 -0400
32948 -+++ linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:56:46.000000000 -0400
32949 -@@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
32950 - }
32951 - if (left) {
32952 - if (t4file->user) {
32953 -- if (copy_from_user(buf, dp, left))
32954 -+ if (left > sizeof buf || copy_from_user(buf, dp, left))
32955 - return -EFAULT;
32956 - } else {
32957 - memcpy(buf, dp, left);
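Review bot: In b1_load_t4file the new `left > sizeof buf` bound guards only the copy_from_user() branch; the `memcpy(buf, dp, left)` in the else branch copies the same `left` into the same `buf` without it. Hoist the check above the `if (t4file->user)` test so both paths are covered, and return -EINVAL for an oversized length, since -EFAULT tells the caller the user pointer was bad. The same applies to the identical change in b1_load_config.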
32958 -@@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
32959 - }
32960 - if (left) {
32961 - if (config->user) {
32962 -- if (copy_from_user(buf, dp, left))
32963 -+ if (left > sizeof buf || copy_from_user(buf, dp, left))
32964 - return -EFAULT;
32965 - } else {
32966 - memcpy(buf, dp, left);
32967 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c
32968 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-27 14:31:47.000000000 -0400
32969 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:46:57.000000000 -0400
32970 -@@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
32971 - byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
32972 - short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
32973 -
32974 -+ pax_track_stack();
32975 -
32976 - if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
32977 - {
32978 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c
32979 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-03-27 14:31:47.000000000 -0400
32980 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:46:57.000000000 -0400
32981 -@@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
32982 - IDI_SYNC_REQ req;
32983 - DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32984 -
32985 -+ pax_track_stack();
32986 -+
32987 - DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32988 -
32989 - for (x = 0; x < MAX_DESCRIPTORS; x++) {
32990 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c
32991 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-27 14:31:47.000000000 -0400
32992 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:46:57.000000000 -0400
32993 -@@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
32994 - IDI_SYNC_REQ req;
32995 - DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32996 -
32997 -+ pax_track_stack();
32998 -+
32999 - DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33000 -
33001 - for (x = 0; x < MAX_DESCRIPTORS; x++) {
33002 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c
33003 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-27 14:31:47.000000000 -0400
33004 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:46:57.000000000 -0400
33005 -@@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
33006 - IDI_SYNC_REQ req;
33007 - DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33008 -
33009 -+ pax_track_stack();
33010 -+
33011 - DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33012 -
33013 - for (x = 0; x < MAX_DESCRIPTORS; x++) {
33014 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h
33015 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-03-27 14:31:47.000000000 -0400
33016 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-08-05 20:33:55.000000000 -0400
33017 -@@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
33018 - } diva_didd_add_adapter_t;
33019 - typedef struct _diva_didd_remove_adapter {
33020 - IDI_CALL p_request;
33021 --} diva_didd_remove_adapter_t;
33022 -+} __no_const diva_didd_remove_adapter_t;
33023 - typedef struct _diva_didd_read_adapter_array {
33024 - void * buffer;
33025 - dword length;
33026 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c
33027 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-03-27 14:31:47.000000000 -0400
33028 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:46:57.000000000 -0400
33029 -@@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
33030 - IDI_SYNC_REQ req;
33031 - DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33032 -
33033 -+ pax_track_stack();
33034 -+
33035 - DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33036 -
33037 - for (x = 0; x < MAX_DESCRIPTORS; x++) {
33038 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c
33039 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-03-27 14:31:47.000000000 -0400
33040 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:46:57.000000000 -0400
33041 -@@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
33042 - dword d;
33043 - word w;
33044 -
33045 -+ pax_track_stack();
33046 -+
33047 - a = plci->adapter;
33048 - Id = ((word)plci->Id<<8)|a->Id;
33049 - PUT_WORD(&SS_Ind[4],0x0000);
33050 -@@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
33051 - word j, n, w;
33052 - dword d;
33053 -
33054 -+ pax_track_stack();
33055 -+
33056 -
33057 - for(i=0;i<8;i++) bp_parms[i].length = 0;
33058 - for(i=0;i<2;i++) global_config[i].length = 0;
33059 -@@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
33060 - const byte llc3[] = {4,3,2,2,6,6,0};
33061 - const byte header[] = {0,2,3,3,0,0,0};
33062 -
33063 -+ pax_track_stack();
33064 -+
33065 - for(i=0;i<8;i++) bp_parms[i].length = 0;
33066 - for(i=0;i<6;i++) b2_config_parms[i].length = 0;
33067 - for(i=0;i<5;i++) b3_config_parms[i].length = 0;
33068 -@@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
33069 - word appl_number_group_type[MAX_APPL];
33070 - PLCI *auxplci;
33071 -
33072 -+ pax_track_stack();
33073 -+
33074 - set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
33075 -
33076 - if(!a->group_optimization_enabled)
33077 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c
33078 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-27 14:31:47.000000000 -0400
33079 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:46:57.000000000 -0400
33080 -@@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
33081 - IDI_SYNC_REQ req;
33082 - DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33083 -
33084 -+ pax_track_stack();
33085 -+
33086 - DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33087 -
33088 - for (x = 0; x < MAX_DESCRIPTORS; x++) {
33089 -diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h
33090 ---- linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-03-27 14:31:47.000000000 -0400
33091 -+++ linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-08-05 20:33:55.000000000 -0400
33092 -@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
33093 - typedef struct _diva_os_idi_adapter_interface {
33094 - diva_init_card_proc_t cleanup_adapter_proc;
33095 - diva_cmd_card_proc_t cmd_proc;
33096 --} diva_os_idi_adapter_interface_t;
33097 -+} __no_const diva_os_idi_adapter_interface_t;
33098 -
33099 - typedef struct _diva_os_xdi_adapter {
33100 - struct list_head link;
33101 -diff -urNp linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c
33102 ---- linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-03-27 14:31:47.000000000 -0400
33103 -+++ linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:46:57.000000000 -0400
33104 -@@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
33105 - } iocpar;
33106 - void __user *argp = (void __user *)arg;
33107 -
33108 -+ pax_track_stack();
33109 -+
33110 - #define name iocpar.name
33111 - #define bname iocpar.bname
33112 - #define iocts iocpar.iocts
33113 -diff -urNp linux-2.6.32.46/drivers/isdn/icn/icn.c linux-2.6.32.46/drivers/isdn/icn/icn.c
33114 ---- linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-03-27 14:31:47.000000000 -0400
33115 -+++ linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-04-17 15:56:46.000000000 -0400
33116 -@@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
33117 - if (count > len)
33118 - count = len;
33119 - if (user) {
33120 -- if (copy_from_user(msg, buf, count))
33121 -+ if (count > sizeof msg || copy_from_user(msg, buf, count))
33122 - return -EFAULT;
33123 - } else
33124 - memcpy(msg, buf, count);
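Review bot: `count > sizeof msg` in icn_writecmd() is written without parentheses, while the other hunks in this patch use the `sizeof(x)` form (`sizeof(di)`, `sizeof(setup.phone)`); please use one style. The check would also sit more naturally next to the existing `if (count > len) count = len;` clamp just above, where it would cover the `memcpy(msg, buf, count)` branch as well.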
33125 -diff -urNp linux-2.6.32.46/drivers/isdn/mISDN/socket.c linux-2.6.32.46/drivers/isdn/mISDN/socket.c
33126 ---- linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-03-27 14:31:47.000000000 -0400
33127 -+++ linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-04-17 15:56:46.000000000 -0400
33128 -@@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
33129 - if (dev) {
33130 - struct mISDN_devinfo di;
33131 -
33132 -+ memset(&di, 0, sizeof(di));
33133 - di.id = dev->id;
33134 - di.Dprotocols = dev->Dprotocols;
33135 - di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
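Review bot: The `memset(&di, 0, sizeof(di))` in data_sock_ioctl() has no comment saying why it is needed, and the assignments that follow it look like a full initialisation. If the intent is to keep uninitialised stack bytes (padding, fields not set below) out of whatever `di` is handed to afterwards, a one-line comment would stop someone removing it as redundant.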
33136 -@@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
33137 - if (dev) {
33138 - struct mISDN_devinfo di;
33139 -
33140 -+ memset(&di, 0, sizeof(di));
33141 - di.id = dev->id;
33142 - di.Dprotocols = dev->Dprotocols;
33143 - di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
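Review bot: base_sock_ioctl() now carries the same memset-then-fill sequence for `struct mISDN_devinfo` as data_sock_ioctl() in the previous hunk. A small shared helper that zeroes and fills `di` from `dev` would keep the two paths from drifting apart the next time a field is added.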
33144 -diff -urNp linux-2.6.32.46/drivers/isdn/sc/interrupt.c linux-2.6.32.46/drivers/isdn/sc/interrupt.c
33145 ---- linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-03-27 14:31:47.000000000 -0400
33146 -+++ linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-04-17 15:56:46.000000000 -0400
33147 -@@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
33148 - }
33149 - else if(callid>=0x0000 && callid<=0x7FFF)
33150 - {
33151 -+ int len;
33152 -+
33153 - pr_debug("%s: Got Incoming Call\n",
33154 - sc_adapter[card]->devicename);
33155 -- strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
33156 -- strcpy(setup.eazmsn,
33157 -- sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
33158 -+ len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
33159 -+ sizeof(setup.phone));
33160 -+ if (len >= sizeof(setup.phone))
33161 -+ continue;
33162 -+ len = strlcpy(setup.eazmsn,
33163 -+ sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
33164 -+ sizeof(setup.eazmsn));
33165 -+ if (len >= sizeof(setup.eazmsn))
33166 -+ continue;
33167 - setup.si1 = 7;
33168 - setup.si2 = 0;
33169 - setup.plan = 0;
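Review bot: `len` is declared `int` in interrupt_handler() but is compared against `sizeof(setup.phone)` and `sizeof(setup.eazmsn)`, which are size_t, and strlcpy() itself returns size_t; declare `len` as size_t to avoid the mixed-sign comparison. The two `continue` statements also drop an incoming call silently when the string is truncated, so a pr_debug() or similar before each would make that visible.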
33170 -@@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
33171 - * Handle a GetMyNumber Rsp
33172 - */
33173 - if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
33174 -- strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
33175 -+ strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
33176 -+ rcvmsg.msg_data.byte_array,
33177 -+ sizeof(rcvmsg.msg_data.byte_array));
33178 - continue;
33179 - }
33180 -
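Review bot: The strlcpy() in the GetMyNumber path passes `sizeof(rcvmsg.msg_data.byte_array)` as the size, which is the size of the source, not of the destination `channel[...].dn`. The bound has to be the destination size, i.e. `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)`, otherwise the copy is only safe if `dn` happens to be at least as large as `byte_array`.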
33181 -diff -urNp linux-2.6.32.46/drivers/lguest/core.c linux-2.6.32.46/drivers/lguest/core.c
33182 ---- linux-2.6.32.46/drivers/lguest/core.c 2011-03-27 14:31:47.000000000 -0400
33183 -+++ linux-2.6.32.46/drivers/lguest/core.c 2011-04-17 15:56:46.000000000 -0400
33184 -@@ -91,9 +91,17 @@ static __init int map_switcher(void)
33185 - * it's worked so far. The end address needs +1 because __get_vm_area
33186 - * allocates an extra guard page, so we need space for that.
33187 - */
33188 -+
33189 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
33190 -+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
33191 -+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
33192 -+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
33193 -+#else
33194 - switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
33195 - VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
33196 - + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
33197 -+#endif
33198 -+
33199 - if (!switcher_vma) {
33200 - err = -ENOMEM;
33201 - printk("lguest: could not map switcher pages high\n");
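Review bot: The two `__get_vm_area()` calls in map_switcher() differ only in the `VM_KERNEXEC` flag, so the whole call is duplicated under the #if/#else. Computing the flags once (for example a local `unsigned long flags = VM_ALLOC;` with `flags |= VM_KERNEXEC;` inside the #if) and keeping a single call would be easier to keep in sync.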
33202 -@@ -118,7 +126,7 @@ static __init int map_switcher(void)
33203 - * Now the Switcher is mapped at the right address, we can't fail!
33204 - * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
33205 - */
33206 -- memcpy(switcher_vma->addr, start_switcher_text,
33207 -+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
33208 - end_switcher_text - start_switcher_text);
33209 -
33210 - printk(KERN_INFO "lguest: mapped switcher at %p\n",
33211 -diff -urNp linux-2.6.32.46/drivers/lguest/x86/core.c linux-2.6.32.46/drivers/lguest/x86/core.c
33212 ---- linux-2.6.32.46/drivers/lguest/x86/core.c 2011-03-27 14:31:47.000000000 -0400
33213 -+++ linux-2.6.32.46/drivers/lguest/x86/core.c 2011-04-17 15:56:46.000000000 -0400
33214 -@@ -59,7 +59,7 @@ static struct {
33215 - /* Offset from where switcher.S was compiled to where we've copied it */
33216 - static unsigned long switcher_offset(void)
33217 - {
33218 -- return SWITCHER_ADDR - (unsigned long)start_switcher_text;
33219 -+ return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
33220 - }
33221 -
33222 - /* This cpu's struct lguest_pages. */
33223 -@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
33224 - * These copies are pretty cheap, so we do them unconditionally: */
33225 - /* Save the current Host top-level page directory.
33226 - */
33227 -+
33228 -+#ifdef CONFIG_PAX_PER_CPU_PGD
33229 -+ pages->state.host_cr3 = read_cr3();
33230 -+#else
33231 - pages->state.host_cr3 = __pa(current->mm->pgd);
33232 -+#endif
33233 -+
33234 - /*
33235 - * Set up the Guest's page tables to see this CPU's pages (and no
33236 - * other CPU's pages).
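Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch in copy_in_guest_info() takes `host_cr3` from `read_cr3()` instead of `__pa(current->mm->pgd)` with no explanation, in a file where nearly every step is commented. Please add a short comment stating why the mm's pgd is not the page directory actually loaded in that configuration.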
33237 -@@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
33238 - * compiled-in switcher code and the high-mapped copy we just made.
33239 - */
33240 - for (i = 0; i < IDT_ENTRIES; i++)
33241 -- default_idt_entries[i] += switcher_offset();
33242 -+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
33243 -
33244 - /*
33245 - * Set up the Switcher's per-cpu areas.
33246 -@@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
33247 - * it will be undisturbed when we switch. To change %cs and jump we
33248 - * need this structure to feed to Intel's "lcall" instruction.
33249 - */
33250 -- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
33251 -+ lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
33252 - lguest_entry.segment = LGUEST_CS;
33253 -
33254 - /*
33255 -diff -urNp linux-2.6.32.46/drivers/lguest/x86/switcher_32.S linux-2.6.32.46/drivers/lguest/x86/switcher_32.S
33256 ---- linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-03-27 14:31:47.000000000 -0400
33257 -+++ linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-04-17 15:56:46.000000000 -0400
33258 -@@ -87,6 +87,7 @@
33259 - #include <asm/page.h>
33260 - #include <asm/segment.h>
33261 - #include <asm/lguest.h>
33262 -+#include <asm/processor-flags.h>
33263 -
33264 - // We mark the start of the code to copy
33265 - // It's placed in .text tho it's never run here
33266 -@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
33267 - // Changes type when we load it: damn Intel!
33268 - // For after we switch over our page tables
33269 - // That entry will be read-only: we'd crash.
33270 -+
33271 -+#ifdef CONFIG_PAX_KERNEXEC
33272 -+ mov %cr0, %edx
33273 -+ xor $X86_CR0_WP, %edx
33274 -+ mov %edx, %cr0
33275 -+#endif
33276 -+
33277 - movl $(GDT_ENTRY_TSS*8), %edx
33278 - ltr %dx
33279 -
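Review bot: The added `xor $X86_CR0_WP, %edx` in switch_to_guest toggles the WP bit rather than clearing it, so the sequence only does what is intended if WP is known to be set on entry. An explicit `and` with the inverted mask here, and an explicit `or` where the bit is restored, would not depend on the incoming state.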
33280 -@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
33281 - // Let's clear it again for our return.
33282 - // The GDT descriptor of the Host
33283 - // Points to the table after two "size" bytes
33284 -- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
33285 -+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
33286 - // Clear "used" from type field (byte 5, bit 2)
33287 -- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
33288 -+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
33289 -+
33290 -+#ifdef CONFIG_PAX_KERNEXEC
33291 -+ mov %cr0, %eax
33292 -+ xor $X86_CR0_WP, %eax
33293 -+ mov %eax, %cr0
33294 -+#endif
33295 -
33296 - // Once our page table's switched, the Guest is live!
33297 - // The Host fades as we run this final step.
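Review bot: The GDT descriptor load now targets `%eax`, overwriting the register that was just used as its base, and `%eax` is then reused for the CR0 write. Nothing in the hunk says `%eax` is dead at this point; please add a comment to that effect, or confirm that no later instruction on this path still expects the original value.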
33298 -@@ -295,13 +309,12 @@ deliver_to_host:
33299 - // I consulted gcc, and it gave
33300 - // These instructions, which I gladly credit:
33301 - leal (%edx,%ebx,8), %eax
33302 -- movzwl (%eax),%edx
33303 -- movl 4(%eax), %eax
33304 -- xorw %ax, %ax
33305 -- orl %eax, %edx
33306 -+ movl 4(%eax), %edx
33307 -+ movw (%eax), %dx
33308 - // Now the address of the handler's in %edx
33309 - // We call it now: its "iret" drops us home.
33310 -- jmp *%edx
33311 -+ ljmp $__KERNEL_CS, $1f
33312 -+1: jmp *%edx
33313 -
33314 - // Every interrupt can come to us here
33315 - // But we must truly tell each apart.
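Review bot: In deliver_to_host the comment "I consulted gcc, and it gave / These instructions, which I gladly credit" is left in place above a sequence that is now hand-written (`movl 4(%eax), %edx` / `movw (%eax), %dx`), so it no longer describes the code. The new `ljmp $__KERNEL_CS, $1f` also has no comment explaining why a far jump is needed before `jmp *%edx`.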
33316 -diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c
33317 ---- linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-03-27 14:31:47.000000000 -0400
33318 -+++ linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-04-17 15:56:46.000000000 -0400
33319 -@@ -15,7 +15,7 @@
33320 -
33321 - #define MAX_PMU_LEVEL 0xFF
33322 -
33323 --static struct backlight_ops pmu_backlight_data;
33324 -+static const struct backlight_ops pmu_backlight_data;
33325 - static DEFINE_SPINLOCK(pmu_backlight_lock);
33326 - static int sleeping, uses_pmu_bl;
33327 - static u8 bl_curve[FB_BACKLIGHT_LEVELS];
33328 -@@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
33329 - return bd->props.brightness;
33330 - }
33331 -
33332 --static struct backlight_ops pmu_backlight_data = {
33333 -+static const struct backlight_ops pmu_backlight_data = {
33334 - .get_brightness = pmu_backlight_get_brightness,
33335 - .update_status = pmu_backlight_update_status,
33336 -
33337 -diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu.c linux-2.6.32.46/drivers/macintosh/via-pmu.c
33338 ---- linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-03-27 14:31:47.000000000 -0400
33339 -+++ linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-04-17 15:56:46.000000000 -0400
33340 -@@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
33341 - && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
33342 - }
33343 -
33344 --static struct platform_suspend_ops pmu_pm_ops = {
33345 -+static const struct platform_suspend_ops pmu_pm_ops = {
33346 - .enter = powerbook_sleep,
33347 - .valid = pmu_sleep_valid,
33348 - };
33349 -diff -urNp linux-2.6.32.46/drivers/md/dm-ioctl.c linux-2.6.32.46/drivers/md/dm-ioctl.c
33350 ---- linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-03-27 14:31:47.000000000 -0400
33351 -+++ linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-04-17 15:56:46.000000000 -0400
33352 -@@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
33353 - cmd == DM_LIST_VERSIONS_CMD)
33354 - return 0;
33355 -
33356 -- if ((cmd == DM_DEV_CREATE_CMD)) {
33357 -+ if (cmd == DM_DEV_CREATE_CMD) {
33358 - if (!*param->name) {
33359 - DMWARN("name not supplied when creating device");
33360 - return -EINVAL;
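Review bot: Dropping the doubled parentheses around `cmd == DM_DEV_CREATE_CMD` in validate_params() is a cosmetic cleanup with no behavioural effect. It would be better carried as a separate cleanup change so the hardening patch only contains hardening.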
33361 -diff -urNp linux-2.6.32.46/drivers/md/dm-raid1.c linux-2.6.32.46/drivers/md/dm-raid1.c
33362 ---- linux-2.6.32.46/drivers/md/dm-raid1.c 2011-03-27 14:31:47.000000000 -0400
33363 -+++ linux-2.6.32.46/drivers/md/dm-raid1.c 2011-05-04 17:56:28.000000000 -0400
33364 -@@ -41,7 +41,7 @@ enum dm_raid1_error {
33365 -
33366 - struct mirror {
33367 - struct mirror_set *ms;
33368 -- atomic_t error_count;
33369 -+ atomic_unchecked_t error_count;
33370 - unsigned long error_type;
33371 - struct dm_dev *dev;
33372 - sector_t offset;
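Review bot: `error_count` in `struct mirror` is switched to `atomic_unchecked_t` without a comment on why this counter is exempt. A note beside the field saying it is a statistic rather than a reference count would document that the opt-out is deliberate.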
33373 -@@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
33374 - * simple way to tell if a device has encountered
33375 - * errors.
33376 - */
33377 -- atomic_inc(&m->error_count);
33378 -+ atomic_inc_unchecked(&m->error_count);
33379 -
33380 - if (test_and_set_bit(error_type, &m->error_type))
33381 - return;
33382 -@@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
33383 - }
33384 -
33385 - for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
33386 -- if (!atomic_read(&new->error_count)) {
33387 -+ if (!atomic_read_unchecked(&new->error_count)) {
33388 - set_default_mirror(new);
33389 - break;
33390 - }
33391 -@@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
33392 - struct mirror *m = get_default_mirror(ms);
33393 -
33394 - do {
33395 -- if (likely(!atomic_read(&m->error_count)))
33396 -+ if (likely(!atomic_read_unchecked(&m->error_count)))
33397 - return m;
33398 -
33399 - if (m-- == ms->mirror)
33400 -@@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
33401 - {
33402 - struct mirror *default_mirror = get_default_mirror(m->ms);
33403 -
33404 -- return !atomic_read(&default_mirror->error_count);
33405 -+ return !atomic_read_unchecked(&default_mirror->error_count);
33406 - }
33407 -
33408 - static int mirror_available(struct mirror_set *ms, struct bio *bio)
33409 -@@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
33410 - */
33411 - if (likely(region_in_sync(ms, region, 1)))
33412 - m = choose_mirror(ms, bio->bi_sector);
33413 -- else if (m && atomic_read(&m->error_count))
33414 -+ else if (m && atomic_read_unchecked(&m->error_count))
33415 - m = NULL;
33416 -
33417 - if (likely(m))
33418 -@@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
33419 - }
33420 -
33421 - ms->mirror[mirror].ms = ms;
33422 -- atomic_set(&(ms->mirror[mirror].error_count), 0);
33423 -+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
33424 - ms->mirror[mirror].error_type = 0;
33425 - ms->mirror[mirror].offset = offset;
33426 -
33427 -@@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
33428 - */
33429 - static char device_status_char(struct mirror *m)
33430 - {
33431 -- if (!atomic_read(&(m->error_count)))
33432 -+ if (!atomic_read_unchecked(&(m->error_count)))
33433 - return 'A';
33434 -
33435 - return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
33436 -diff -urNp linux-2.6.32.46/drivers/md/dm-stripe.c linux-2.6.32.46/drivers/md/dm-stripe.c
33437 ---- linux-2.6.32.46/drivers/md/dm-stripe.c 2011-03-27 14:31:47.000000000 -0400
33438 -+++ linux-2.6.32.46/drivers/md/dm-stripe.c 2011-05-04 17:56:28.000000000 -0400
33439 -@@ -20,7 +20,7 @@ struct stripe {
33440 - struct dm_dev *dev;
33441 - sector_t physical_start;
33442 -
33443 -- atomic_t error_count;
33444 -+ atomic_unchecked_t error_count;
33445 - };
33446 -
33447 - struct stripe_c {
33448 -@@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
33449 - kfree(sc);
33450 - return r;
33451 - }
33452 -- atomic_set(&(sc->stripe[i].error_count), 0);
33453 -+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
33454 - }
33455 -
33456 - ti->private = sc;
33457 -@@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
33458 - DMEMIT("%d ", sc->stripes);
33459 - for (i = 0; i < sc->stripes; i++) {
33460 - DMEMIT("%s ", sc->stripe[i].dev->name);
33461 -- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
33462 -+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
33463 - 'D' : 'A';
33464 - }
33465 - buffer[i] = '\0';
33466 -@@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
33467 - */
33468 - for (i = 0; i < sc->stripes; i++)
33469 - if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
33470 -- atomic_inc(&(sc->stripe[i].error_count));
33471 -- if (atomic_read(&(sc->stripe[i].error_count)) <
33472 -+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
33473 -+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
33474 - DM_IO_ERROR_THRESHOLD)
33475 - queue_work(kstriped, &sc->kstriped_ws);
33476 - }
33477 -diff -urNp linux-2.6.32.46/drivers/md/dm-sysfs.c linux-2.6.32.46/drivers/md/dm-sysfs.c
33478 ---- linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-03-27 14:31:47.000000000 -0400
33479 -+++ linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-04-17 15:56:46.000000000 -0400
33480 -@@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
33481 - NULL,
33482 - };
33483 -
33484 --static struct sysfs_ops dm_sysfs_ops = {
33485 -+static const struct sysfs_ops dm_sysfs_ops = {
33486 - .show = dm_attr_show,
33487 - };
33488 -
33489 -diff -urNp linux-2.6.32.46/drivers/md/dm-table.c linux-2.6.32.46/drivers/md/dm-table.c
33490 ---- linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:55:34.000000000 -0400
33491 -+++ linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:56:37.000000000 -0400
33492 -@@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
33493 - if (!dev_size)
33494 - return 0;
33495 -
33496 -- if ((start >= dev_size) || (start + len > dev_size)) {
33497 -+ if ((start >= dev_size) || (len > dev_size - start)) {
33498 - DMWARN("%s: %s too small for target: "
33499 - "start=%llu, len=%llu, dev_size=%llu",
33500 - dm_device_name(ti->table->md), bdevname(bdev, b),
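Review bot: The rewritten test `len > dev_size - start` in device_area_is_invalid() is only safe because `start >= dev_size` is evaluated first and short-circuits, so the subtraction cannot underflow. That ordering dependency deserves a one-line comment, otherwise a later reordering of the two conditions silently reintroduces a wrap.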
33501 -diff -urNp linux-2.6.32.46/drivers/md/dm.c linux-2.6.32.46/drivers/md/dm.c
33502 ---- linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:35:29.000000000 -0400
33503 -+++ linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:33:59.000000000 -0400
33504 -@@ -165,9 +165,9 @@ struct mapped_device {
33505 - /*
33506 - * Event handling.
33507 - */
33508 -- atomic_t event_nr;
33509 -+ atomic_unchecked_t event_nr;
33510 - wait_queue_head_t eventq;
33511 -- atomic_t uevent_seq;
33512 -+ atomic_unchecked_t uevent_seq;
33513 - struct list_head uevent_list;
33514 - spinlock_t uevent_lock; /* Protect access to uevent_list */
33515 -
33516 -@@ -1776,8 +1776,8 @@ static struct mapped_device *alloc_dev(i
33517 - rwlock_init(&md->map_lock);
33518 - atomic_set(&md->holders, 1);
33519 - atomic_set(&md->open_count, 0);
33520 -- atomic_set(&md->event_nr, 0);
33521 -- atomic_set(&md->uevent_seq, 0);
33522 -+ atomic_set_unchecked(&md->event_nr, 0);
33523 -+ atomic_set_unchecked(&md->uevent_seq, 0);
33524 - INIT_LIST_HEAD(&md->uevent_list);
33525 - spin_lock_init(&md->uevent_lock);
33526 -
33527 -@@ -1927,7 +1927,7 @@ static void event_callback(void *context
33528 -
33529 - dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
33530 -
33531 -- atomic_inc(&md->event_nr);
33532 -+ atomic_inc_unchecked(&md->event_nr);
33533 - wake_up(&md->eventq);
33534 - }
33535 -
33536 -@@ -2562,18 +2562,18 @@ void dm_kobject_uevent(struct mapped_dev
33537 -
33538 - uint32_t dm_next_uevent_seq(struct mapped_device *md)
33539 - {
33540 -- return atomic_add_return(1, &md->uevent_seq);
33541 -+ return atomic_add_return_unchecked(1, &md->uevent_seq);
33542 - }
33543 -
33544 - uint32_t dm_get_event_nr(struct mapped_device *md)
33545 - {
33546 -- return atomic_read(&md->event_nr);
33547 -+ return atomic_read_unchecked(&md->event_nr);
33548 - }
33549 -
33550 - int dm_wait_event(struct mapped_device *md, int event_nr)
33551 - {
33552 - return wait_event_interruptible(md->eventq,
33553 -- (event_nr != atomic_read(&md->event_nr)));
33554 -+ (event_nr != atomic_read_unchecked(&md->event_nr)));
33555 - }
33556 -
33557 - void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
33558 -diff -urNp linux-2.6.32.46/drivers/md/md.c linux-2.6.32.46/drivers/md/md.c
33559 ---- linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:04.000000000 -0400
33560 -+++ linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:18.000000000 -0400
33561 -@@ -153,10 +153,10 @@ static int start_readonly;
33562 - * start build, activate spare
33563 - */
33564 - static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
33565 --static atomic_t md_event_count;
33566 -+static atomic_unchecked_t md_event_count;
33567 - void md_new_event(mddev_t *mddev)
33568 - {
33569 -- atomic_inc(&md_event_count);
33570 -+ atomic_inc_unchecked(&md_event_count);
33571 - wake_up(&md_event_waiters);
33572 - }
33573 - EXPORT_SYMBOL_GPL(md_new_event);
33574 -@@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
33575 - */
33576 - static void md_new_event_inintr(mddev_t *mddev)
33577 - {
33578 -- atomic_inc(&md_event_count);
33579 -+ atomic_inc_unchecked(&md_event_count);
33580 - wake_up(&md_event_waiters);
33581 - }
33582 -
33583 -@@ -1218,7 +1218,7 @@ static int super_1_load(mdk_rdev_t *rdev
33584 -
33585 - rdev->preferred_minor = 0xffff;
33586 - rdev->data_offset = le64_to_cpu(sb->data_offset);
33587 -- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
33588 -+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
33589 -
33590 - rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
33591 - bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
33592 -@@ -1392,7 +1392,7 @@ static void super_1_sync(mddev_t *mddev,
33593 - else
33594 - sb->resync_offset = cpu_to_le64(0);
33595 -
33596 -- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
33597 -+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
33598 -
33599 - sb->raid_disks = cpu_to_le32(mddev->raid_disks);
33600 - sb->size = cpu_to_le64(mddev->dev_sectors);
33601 -@@ -2214,7 +2214,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
33602 - static ssize_t
33603 - errors_show(mdk_rdev_t *rdev, char *page)
33604 - {
33605 -- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
33606 -+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
33607 - }
33608 -
33609 - static ssize_t
33610 -@@ -2223,7 +2223,7 @@ errors_store(mdk_rdev_t *rdev, const cha
33611 - char *e;
33612 - unsigned long n = simple_strtoul(buf, &e, 10);
33613 - if (*buf && (*e == 0 || *e == '\n')) {
33614 -- atomic_set(&rdev->corrected_errors, n);
33615 -+ atomic_set_unchecked(&rdev->corrected_errors, n);
33616 - return len;
33617 - }
33618 - return -EINVAL;
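Review bot: errors_store() parses `n` as `unsigned long` with simple_strtoul() and passes it straight to `atomic_set_unchecked()`, which stores an int, while errors_show() prints the value with `%d`. Values above INT_MAX are truncated and read back as negative; consider rejecting them with -EINVAL before the set.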
33619 -@@ -2517,7 +2517,7 @@ static void rdev_free(struct kobject *ko
33620 - mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
33621 - kfree(rdev);
33622 - }
33623 --static struct sysfs_ops rdev_sysfs_ops = {
33624 -+static const struct sysfs_ops rdev_sysfs_ops = {
33625 - .show = rdev_attr_show,
33626 - .store = rdev_attr_store,
33627 - };
33628 -@@ -2566,8 +2566,8 @@ static mdk_rdev_t *md_import_device(dev_
33629 - rdev->data_offset = 0;
33630 - rdev->sb_events = 0;
33631 - atomic_set(&rdev->nr_pending, 0);
33632 -- atomic_set(&rdev->read_errors, 0);
33633 -- atomic_set(&rdev->corrected_errors, 0);
33634 -+ atomic_set_unchecked(&rdev->read_errors, 0);
33635 -+ atomic_set_unchecked(&rdev->corrected_errors, 0);
33636 -
33637 - size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
33638 - if (!size) {
33639 -@@ -3887,7 +3887,7 @@ static void md_free(struct kobject *ko)
33640 - kfree(mddev);
33641 - }
33642 -
33643 --static struct sysfs_ops md_sysfs_ops = {
33644 -+static const struct sysfs_ops md_sysfs_ops = {
33645 - .show = md_attr_show,
33646 - .store = md_attr_store,
33647 - };
33648 -@@ -4474,7 +4474,8 @@ out:
33649 - err = 0;
33650 - blk_integrity_unregister(disk);
33651 - md_new_event(mddev);
33652 -- sysfs_notify_dirent(mddev->sysfs_state);
33653 -+ if (mddev->sysfs_state)
33654 -+ sysfs_notify_dirent(mddev->sysfs_state);
33655 - return err;
33656 - }
33657 -
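Review bot: The new `if (mddev->sysfs_state)` guard before `sysfs_notify_dirent()` has no comment saying under what condition the dirent can be NULL on this path. Please document that, since a reader cannot tell from these lines whether this is a real case or a defensive check.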
33658 -@@ -5954,7 +5955,7 @@ static int md_seq_show(struct seq_file *
33659 -
33660 - spin_unlock(&pers_lock);
33661 - seq_printf(seq, "\n");
33662 -- mi->event = atomic_read(&md_event_count);
33663 -+ mi->event = atomic_read_unchecked(&md_event_count);
33664 - return 0;
33665 - }
33666 - if (v == (void*)2) {
33667 -@@ -6043,7 +6044,7 @@ static int md_seq_show(struct seq_file *
33668 - chunk_kb ? "KB" : "B");
33669 - if (bitmap->file) {
33670 - seq_printf(seq, ", file: ");
33671 -- seq_path(seq, &bitmap->file->f_path, " \t\n");
33672 -+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
33673 - }
33674 -
33675 - seq_printf(seq, "\n");
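Review bot: Adding `\\` to the escape set passed to `seq_path()` in md_seq_show() changes how a bitmap file path containing a backslash is printed. A short comment on why the backslash itself must be escaped (so that the escaped output stays unambiguous to parsers) would help, since the string literal alone does not explain it.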
33676 -@@ -6077,7 +6078,7 @@ static int md_seq_open(struct inode *ino
33677 - else {
33678 - struct seq_file *p = file->private_data;
33679 - p->private = mi;
33680 -- mi->event = atomic_read(&md_event_count);
33681 -+ mi->event = atomic_read_unchecked(&md_event_count);
33682 - }
33683 - return error;
33684 - }
33685 -@@ -6093,7 +6094,7 @@ static unsigned int mdstat_poll(struct f
33686 - /* always allow read */
33687 - mask = POLLIN | POLLRDNORM;
33688 -
33689 -- if (mi->event != atomic_read(&md_event_count))
33690 -+ if (mi->event != atomic_read_unchecked(&md_event_count))
33691 - mask |= POLLERR | POLLPRI;
33692 - return mask;
33693 - }
33694 -@@ -6137,7 +6138,7 @@ static int is_mddev_idle(mddev_t *mddev,
33695 - struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
33696 - curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
33697 - (int)part_stat_read(&disk->part0, sectors[1]) -
33698 -- atomic_read(&disk->sync_io);
33699 -+ atomic_read_unchecked(&disk->sync_io);
33700 - /* sync IO will cause sync_io to increase before the disk_stats
33701 - * as sync_io is counted when a request starts, and
33702 - * disk_stats is counted when it completes.
33703 -diff -urNp linux-2.6.32.46/drivers/md/md.h linux-2.6.32.46/drivers/md/md.h
33704 ---- linux-2.6.32.46/drivers/md/md.h 2011-03-27 14:31:47.000000000 -0400
33705 -+++ linux-2.6.32.46/drivers/md/md.h 2011-05-04 17:56:20.000000000 -0400
33706 -@@ -94,10 +94,10 @@ struct mdk_rdev_s
33707 - * only maintained for arrays that
33708 - * support hot removal
33709 - */
33710 -- atomic_t read_errors; /* number of consecutive read errors that
33711 -+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
33712 - * we have tried to ignore.
33713 - */
33714 -- atomic_t corrected_errors; /* number of corrected read errors,
33715 -+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
33716 - * for reporting to userspace and storing
33717 - * in superblock.
33718 - */
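Review bot: The switch of read_errors and corrected_errors to atomic_unchecked_t in struct mdk_rdev_s comes with no note on why these two fields are exempt from overflow checking. The existing comments describe them as error counts kept for reporting, not reference counts, so the opt-out looks deliberate, but a short comment saying so would let later readers tell it from an oversight. That matters for read_errors in particular, because raid5.c compares it against conf->max_nr_stripes to decide when to fail a device.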
33719 -@@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
33720 -
33721 - static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
33722 - {
33723 -- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
33724 -+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
33725 - }
33726 -
33727 - struct mdk_personality
33728 -diff -urNp linux-2.6.32.46/drivers/md/raid1.c linux-2.6.32.46/drivers/md/raid1.c
33729 ---- linux-2.6.32.46/drivers/md/raid1.c 2011-03-27 14:31:47.000000000 -0400
33730 -+++ linux-2.6.32.46/drivers/md/raid1.c 2011-05-04 17:56:28.000000000 -0400
33731 -@@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
33732 - if (r1_bio->bios[d]->bi_end_io != end_sync_read)
33733 - continue;
33734 - rdev = conf->mirrors[d].rdev;
33735 -- atomic_add(s, &rdev->corrected_errors);
33736 -+ atomic_add_unchecked(s, &rdev->corrected_errors);
33737 - if (sync_page_io(rdev->bdev,
33738 - sect + rdev->data_offset,
33739 - s<<9,
33740 -@@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
33741 - /* Well, this device is dead */
33742 - md_error(mddev, rdev);
33743 - else {
33744 -- atomic_add(s, &rdev->corrected_errors);
33745 -+ atomic_add_unchecked(s, &rdev->corrected_errors);
33746 - printk(KERN_INFO
33747 - "raid1:%s: read error corrected "
33748 - "(%d sectors at %llu on %s)\n",
33749 -diff -urNp linux-2.6.32.46/drivers/md/raid10.c linux-2.6.32.46/drivers/md/raid10.c
33750 ---- linux-2.6.32.46/drivers/md/raid10.c 2011-03-27 14:31:47.000000000 -0400
33751 -+++ linux-2.6.32.46/drivers/md/raid10.c 2011-05-04 17:56:28.000000000 -0400
33752 -@@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
33753 - if (test_bit(BIO_UPTODATE, &bio->bi_flags))
33754 - set_bit(R10BIO_Uptodate, &r10_bio->state);
33755 - else {
33756 -- atomic_add(r10_bio->sectors,
33757 -+ atomic_add_unchecked(r10_bio->sectors,
33758 - &conf->mirrors[d].rdev->corrected_errors);
33759 - if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
33760 - md_error(r10_bio->mddev,
33761 -@@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
33762 - test_bit(In_sync, &rdev->flags)) {
33763 - atomic_inc(&rdev->nr_pending);
33764 - rcu_read_unlock();
33765 -- atomic_add(s, &rdev->corrected_errors);
33766 -+ atomic_add_unchecked(s, &rdev->corrected_errors);
33767 - if (sync_page_io(rdev->bdev,
33768 - r10_bio->devs[sl].addr +
33769 - sect + rdev->data_offset,
33770 -diff -urNp linux-2.6.32.46/drivers/md/raid5.c linux-2.6.32.46/drivers/md/raid5.c
33771 ---- linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:55:34.000000000 -0400
33772 -+++ linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:58:39.000000000 -0400
33773 -@@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
33774 - bi->bi_next = NULL;
33775 - if ((rw & WRITE) &&
33776 - test_bit(R5_ReWrite, &sh->dev[i].flags))
33777 -- atomic_add(STRIPE_SECTORS,
33778 -+ atomic_add_unchecked(STRIPE_SECTORS,
33779 - &rdev->corrected_errors);
33780 - generic_make_request(bi);
33781 - } else {
33782 -@@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
33783 - clear_bit(R5_ReadError, &sh->dev[i].flags);
33784 - clear_bit(R5_ReWrite, &sh->dev[i].flags);
33785 - }
33786 -- if (atomic_read(&conf->disks[i].rdev->read_errors))
33787 -- atomic_set(&conf->disks[i].rdev->read_errors, 0);
33788 -+ if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
33789 -+ atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
33790 - } else {
33791 - const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
33792 - int retry = 0;
33793 - rdev = conf->disks[i].rdev;
33794 -
33795 - clear_bit(R5_UPTODATE, &sh->dev[i].flags);
33796 -- atomic_inc(&rdev->read_errors);
33797 -+ atomic_inc_unchecked(&rdev->read_errors);
33798 - if (conf->mddev->degraded >= conf->max_degraded)
33799 - printk_rl(KERN_WARNING
33800 - "raid5:%s: read error not correctable "
33801 -@@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
33802 - (unsigned long long)(sh->sector
33803 - + rdev->data_offset),
33804 - bdn);
33805 -- else if (atomic_read(&rdev->read_errors)
33806 -+ else if (atomic_read_unchecked(&rdev->read_errors)
33807 - > conf->max_nr_stripes)
33808 - printk(KERN_WARNING
33809 - "raid5:%s: Too many read errors, failing device %s.\n",
33810 -@@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
33811 - sector_t r_sector;
33812 - struct stripe_head sh2;
33813 -
33814 -+ pax_track_stack();
33815 -
33816 - chunk_offset = sector_div(new_sector, sectors_per_chunk);
33817 - stripe = new_sector;
33818 -diff -urNp linux-2.6.32.46/drivers/media/common/saa7146_hlp.c linux-2.6.32.46/drivers/media/common/saa7146_hlp.c
33819 ---- linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-03-27 14:31:47.000000000 -0400
33820 -+++ linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-05-16 21:46:57.000000000 -0400
33821 -@@ -353,6 +353,8 @@ static void calculate_clipping_registers
33822 -
33823 - int x[32], y[32], w[32], h[32];
33824 -
33825 -+ pax_track_stack();
33826 -+
33827 - /* clear out memory */
33828 - memset(&line_list[0], 0x00, sizeof(u32)*32);
33829 - memset(&pixel_list[0], 0x00, sizeof(u32)*32);
33830 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
33831 ---- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-27 14:31:47.000000000 -0400
33832 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:46:57.000000000 -0400
33833 -@@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
33834 - u8 buf[HOST_LINK_BUF_SIZE];
33835 - int i;
33836 -
33837 -+ pax_track_stack();
33838 -+
33839 - dprintk("%s\n", __func__);
33840 -
33841 - /* check if we have space for a link buf in the rx_buffer */
33842 -@@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
33843 - unsigned long timeout;
33844 - int written;
33845 -
33846 -+ pax_track_stack();
33847 -+
33848 - dprintk("%s\n", __func__);
33849 -
33850 - /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
33851 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h
33852 ---- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-03-27 14:31:47.000000000 -0400
33853 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-08-05 20:33:55.000000000 -0400
33854 -@@ -71,7 +71,7 @@ struct dvb_demux_feed {
33855 - union {
33856 - dmx_ts_cb ts;
33857 - dmx_section_cb sec;
33858 -- } cb;
33859 -+ } __no_const cb;
33860 -
33861 - struct dvb_demux *demux;
33862 - void *priv;
33863 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c
33864 ---- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-27 14:31:47.000000000 -0400
33865 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-08-23 21:22:32.000000000 -0400
33866 -@@ -191,7 +191,7 @@ int dvb_register_device(struct dvb_adapt
33867 - const struct dvb_device *template, void *priv, int type)
33868 - {
33869 - struct dvb_device *dvbdev;
33870 -- struct file_operations *dvbdevfops;
33871 -+ file_operations_no_const *dvbdevfops;
33872 - struct device *clsdev;
33873 - int minor;
33874 - int id;
33875 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c
33876 ---- linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-03-27 14:31:47.000000000 -0400
33877 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-08-05 20:33:55.000000000 -0400
33878 -@@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
33879 - struct dib0700_adapter_state {
33880 - int (*set_param_save) (struct dvb_frontend *,
33881 - struct dvb_frontend_parameters *);
33882 --};
33883 -+} __no_const;
33884 -
33885 - static int dib7070_set_param_override(struct dvb_frontend *fe,
33886 - struct dvb_frontend_parameters *fep)
33887 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c
33888 ---- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-27 14:31:47.000000000 -0400
33889 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:46:57.000000000 -0400
33890 -@@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
33891 -
33892 - u8 buf[260];
33893 -
33894 -+ pax_track_stack();
33895 -+
33896 - while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
33897 - deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
33898 -
33899 -diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c
33900 ---- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-05-10 22:12:01.000000000 -0400
33901 -+++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-08-05 20:33:55.000000000 -0400
33902 -@@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
33903 -
33904 - struct dib0700_adapter_state {
33905 - int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
33906 --};
33907 -+} __no_const;
33908 -
33909 - /* Hauppauge Nova-T 500 (aka Bristol)
33910 - * has a LNA on GPIO0 which is enabled by setting 1 */
33911 -diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h
33912 ---- linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-03-27 14:31:47.000000000 -0400
33913 -+++ linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-08-05 20:33:55.000000000 -0400
33914 -@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
33915 - int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
33916 - int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
33917 - int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
33918 --};
33919 -+} __no_const;
33920 -
33921 - #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
33922 - extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
33923 -diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c
33924 ---- linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-03-27 14:31:47.000000000 -0400
33925 -+++ linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:46:57.000000000 -0400
33926 -@@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
33927 - u8 tudata[585];
33928 - int i;
33929 -
33930 -+ pax_track_stack();
33931 -+
33932 - dprintk("Firmware is %zd bytes\n",fw->size);
33933 -
33934 - /* Get eprom data */
33935 -diff -urNp linux-2.6.32.46/drivers/media/radio/radio-cadet.c linux-2.6.32.46/drivers/media/radio/radio-cadet.c
33936 ---- linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-03-27 14:31:47.000000000 -0400
33937 -+++ linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-04-17 15:56:46.000000000 -0400
33938 -@@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
33939 - while (i < count && dev->rdsin != dev->rdsout)
33940 - readbuf[i++] = dev->rdsbuf[dev->rdsout++];
33941 -
33942 -- if (copy_to_user(data, readbuf, i))
33943 -+ if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
33944 - return -EFAULT;
33945 - return i;
33946 - }
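Review bot: The new bound `i > sizeof readbuf` in cadet_read() is tested only after the loop `readbuf[i++] = dev->rdsbuf[dev->rdsout++];` has run, so if i can exceed the buffer the out-of-bounds write has already happened by the time the check fires. Limit the loop itself, either by clamping count to sizeof(readbuf) beforehand or by adding `i < sizeof(readbuf)` to the loop condition, and leave the copy_to_user() test as it was. Returning -EFAULT for an oversized request is also misleading, since the user pointer is not at fault.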
33947 -diff -urNp linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c
33948 ---- linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-03-27 14:31:47.000000000 -0400
33949 -+++ linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:46:57.000000000 -0400
33950 -@@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
33951 -
33952 - MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
33953 -
33954 --static atomic_t cx18_instance = ATOMIC_INIT(0);
33955 -+static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
33956 -
33957 - /* Parameter declarations */
33958 - static int cardtype[CX18_MAX_CARDS];
33959 -@@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
33960 - struct i2c_client c;
33961 - u8 eedata[256];
33962 -
33963 -+ pax_track_stack();
33964 -+
33965 - memset(&c, 0, sizeof(c));
33966 - strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
33967 - c.adapter = &cx->i2c_adap[0];
33968 -@@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
33969 - struct cx18 *cx;
33970 -
33971 - /* FIXME - module parameter arrays constrain max instances */
33972 -- i = atomic_inc_return(&cx18_instance) - 1;
33973 -+ i = atomic_inc_return_unchecked(&cx18_instance) - 1;
33974 - if (i >= CX18_MAX_CARDS) {
33975 - printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
33976 - "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
33977 -diff -urNp linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c
33978 ---- linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-03-27 14:31:47.000000000 -0400
33979 -+++ linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-05-04 17:56:28.000000000 -0400
33980 -@@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
33981 - MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
33982 -
33983 - /* ivtv instance counter */
33984 --static atomic_t ivtv_instance = ATOMIC_INIT(0);
33985 -+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
33986 -
33987 - /* Parameter declarations */
33988 - static int cardtype[IVTV_MAX_CARDS];
33989 -diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.c linux-2.6.32.46/drivers/media/video/omap24xxcam.c
33990 ---- linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-03-27 14:31:47.000000000 -0400
33991 -+++ linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-05-04 17:56:28.000000000 -0400
33992 -@@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
33993 - spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33994 -
33995 - do_gettimeofday(&vb->ts);
33996 -- vb->field_count = atomic_add_return(2, &fh->field_count);
33997 -+ vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33998 - if (csr & csr_error) {
33999 - vb->state = VIDEOBUF_ERROR;
34000 - if (!atomic_read(&fh->cam->in_reset)) {
34001 -diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.h linux-2.6.32.46/drivers/media/video/omap24xxcam.h
34002 ---- linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-03-27 14:31:47.000000000 -0400
34003 -+++ linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-05-04 17:56:28.000000000 -0400
34004 -@@ -533,7 +533,7 @@ struct omap24xxcam_fh {
34005 - spinlock_t vbq_lock; /* spinlock for the videobuf queue */
34006 - struct videobuf_queue vbq;
34007 - struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
34008 -- atomic_t field_count; /* field counter for videobuf_buffer */
34009 -+ atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
34010 - /* accessing cam here doesn't need serialisation: it's constant */
34011 - struct omap24xxcam_device *cam;
34012 - };
34013 -diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
34014 ---- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-27 14:31:47.000000000 -0400
34015 -+++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:46:57.000000000 -0400
34016 -@@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
34017 - u8 *eeprom;
34018 - struct tveeprom tvdata;
34019 -
34020 -+ pax_track_stack();
34021 -+
34022 - memset(&tvdata,0,sizeof(tvdata));
34023 -
34024 - eeprom = pvr2_eeprom_fetch(hdw);
34025 -diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
34026 ---- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-03-27 14:31:47.000000000 -0400
34027 -+++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-08-23 21:22:38.000000000 -0400
34028 -@@ -195,7 +195,7 @@ struct pvr2_hdw {
34029 -
34030 - /* I2C stuff */
34031 - struct i2c_adapter i2c_adap;
34032 -- struct i2c_algorithm i2c_algo;
34033 -+ i2c_algorithm_no_const i2c_algo;
34034 - pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
34035 - int i2c_cx25840_hack_state;
34036 - int i2c_linked;
34037 -diff -urNp linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c
34038 ---- linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-03-27 14:31:47.000000000 -0400
34039 -+++ linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:46:57.000000000 -0400
34040 -@@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
34041 - unsigned char localPAT[256];
34042 - unsigned char localPMT[256];
34043 -
34044 -+ pax_track_stack();
34045 -+
34046 - /* Set video format - must be done first as it resets other settings */
34047 - set_reg8(client, 0x41, h->video_format);
34048 -
34049 -diff -urNp linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c
34050 ---- linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-27 14:31:47.000000000 -0400
34051 -+++ linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:46:57.000000000 -0400
34052 -@@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
34053 - wait_queue_head_t *q = 0;
34054 - dprintk(DBGLVL_CMD, "%s()\n", __func__);
34055 -
34056 -+ pax_track_stack();
34057 -+
34058 - /* While any outstand message on the bus exists... */
34059 - do {
34060 -
34061 -@@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
34062 - u8 tmp[512];
34063 - dprintk(DBGLVL_CMD, "%s()\n", __func__);
34064 -
34065 -+ pax_track_stack();
34066 -+
34067 - while (loop) {
34068 -
34069 - tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
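Review bot: pax_track_stack() is inserted after the dprintk() call in saa7164_cmd_dequeue(), and likewise in saa7164_irq_dequeue() in the previous hunk, whereas the dvb_ca_en50221.c hunks place it directly after the declarations and before dprintk(). Pick one placement, preferably first statement after the declarations, so the instrumentation is easy to audit by pattern across drivers.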
34070 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c
34071 ---- linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-03-27 14:31:47.000000000 -0400
34072 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-08-05 20:33:55.000000000 -0400
34073 -@@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
34074 - static int __init ibmcam_init(void)
34075 - {
34076 - struct usbvideo_cb cbTbl;
34077 -- memset(&cbTbl, 0, sizeof(cbTbl));
34078 -- cbTbl.probe = ibmcam_probe;
34079 -- cbTbl.setupOnOpen = ibmcam_setup_on_open;
34080 -- cbTbl.videoStart = ibmcam_video_start;
34081 -- cbTbl.videoStop = ibmcam_video_stop;
34082 -- cbTbl.processData = ibmcam_ProcessIsocData;
34083 -- cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34084 -- cbTbl.adjustPicture = ibmcam_adjust_picture;
34085 -- cbTbl.getFPS = ibmcam_calculate_fps;
34086 -+ memset((void *)&cbTbl, 0, sizeof(cbTbl));
34087 -+ *(void **)&cbTbl.probe = ibmcam_probe;
34088 -+ *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
34089 -+ *(void **)&cbTbl.videoStart = ibmcam_video_start;
34090 -+ *(void **)&cbTbl.videoStop = ibmcam_video_stop;
34091 -+ *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
34092 -+ *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34093 -+ *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
34094 -+ *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
34095 - return usbvideo_register(
34096 - &cams,
34097 - MAX_IBMCAM,
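Review bot: Writing each callback in ibmcam_init() as `*(void **)&cbTbl.probe = ibmcam_probe;` discards the compiler's check that the handler matches the member's function-pointer type, so a handler with the wrong signature now builds without a warning. If the cast exists only to get past a const qualifier on struct usbvideo_cb, say so in a comment and prefer a mechanism that keeps the assignment typed; the same applies to the identical conversions in konicawc.c, ultracam.c and usbvideo.c.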
34098 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c
34099 ---- linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-03-27 14:31:47.000000000 -0400
34100 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-08-05 20:33:55.000000000 -0400
34101 -@@ -225,7 +225,7 @@ static void konicawc_register_input(stru
34102 - int error;
34103 -
34104 - usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34105 -- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34106 -+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34107 -
34108 - cam->input = input_dev = input_allocate_device();
34109 - if (!input_dev) {
34110 -@@ -935,16 +935,16 @@ static int __init konicawc_init(void)
34111 - struct usbvideo_cb cbTbl;
34112 - printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
34113 - DRIVER_DESC "\n");
34114 -- memset(&cbTbl, 0, sizeof(cbTbl));
34115 -- cbTbl.probe = konicawc_probe;
34116 -- cbTbl.setupOnOpen = konicawc_setup_on_open;
34117 -- cbTbl.processData = konicawc_process_isoc;
34118 -- cbTbl.getFPS = konicawc_calculate_fps;
34119 -- cbTbl.setVideoMode = konicawc_set_video_mode;
34120 -- cbTbl.startDataPump = konicawc_start_data;
34121 -- cbTbl.stopDataPump = konicawc_stop_data;
34122 -- cbTbl.adjustPicture = konicawc_adjust_picture;
34123 -- cbTbl.userFree = konicawc_free_uvd;
34124 -+ memset((void * )&cbTbl, 0, sizeof(cbTbl));
34125 -+ *(void **)&cbTbl.probe = konicawc_probe;
34126 -+ *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
34127 -+ *(void **)&cbTbl.processData = konicawc_process_isoc;
34128 -+ *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
34129 -+ *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
34130 -+ *(void **)&cbTbl.startDataPump = konicawc_start_data;
34131 -+ *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
34132 -+ *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
34133 -+ *(void **)&cbTbl.userFree = konicawc_free_uvd;
34134 - return usbvideo_register(
34135 - &cams,
34136 - MAX_CAMERAS,
34137 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c
34138 ---- linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-03-27 14:31:47.000000000 -0400
34139 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-04-17 15:56:46.000000000 -0400
34140 -@@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
34141 - int error;
34142 -
34143 - usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34144 -- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34145 -+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34146 -
34147 - cam->input = input_dev = input_allocate_device();
34148 - if (!input_dev) {
34149 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c
34150 ---- linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-03-27 14:31:47.000000000 -0400
34151 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-08-05 20:33:55.000000000 -0400
34152 -@@ -655,14 +655,14 @@ static int __init ultracam_init(void)
34153 - {
34154 - struct usbvideo_cb cbTbl;
34155 - memset(&cbTbl, 0, sizeof(cbTbl));
34156 -- cbTbl.probe = ultracam_probe;
34157 -- cbTbl.setupOnOpen = ultracam_setup_on_open;
34158 -- cbTbl.videoStart = ultracam_video_start;
34159 -- cbTbl.videoStop = ultracam_video_stop;
34160 -- cbTbl.processData = ultracam_ProcessIsocData;
34161 -- cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34162 -- cbTbl.adjustPicture = ultracam_adjust_picture;
34163 -- cbTbl.getFPS = ultracam_calculate_fps;
34164 -+ *(void **)&cbTbl.probe = ultracam_probe;
34165 -+ *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
34166 -+ *(void **)&cbTbl.videoStart = ultracam_video_start;
34167 -+ *(void **)&cbTbl.videoStop = ultracam_video_stop;
34168 -+ *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
34169 -+ *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34170 -+ *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
34171 -+ *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
34172 - return usbvideo_register(
34173 - &cams,
34174 - MAX_CAMERAS,
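Review bot: `memset(&cbTbl, 0, sizeof(cbTbl));` is left unchanged in ultracam_init(), while the ibmcam.c and konicawc.c hunks rewrite the same call as `memset((void *)&cbTbl, ...)` (konicawc.c with a stray space, `(void * )`). Either the cast is needed in all three drivers or in none of them; make the three init functions consistent.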
34175 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c
34176 ---- linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-03-27 14:31:47.000000000 -0400
34177 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-08-05 20:33:55.000000000 -0400
34178 -@@ -697,15 +697,15 @@ int usbvideo_register(
34179 - __func__, cams, base_size, num_cams);
34180 -
34181 - /* Copy callbacks, apply defaults for those that are not set */
34182 -- memmove(&cams->cb, cbTbl, sizeof(cams->cb));
34183 -+ memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
34184 - if (cams->cb.getFrame == NULL)
34185 -- cams->cb.getFrame = usbvideo_GetFrame;
34186 -+ *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
34187 - if (cams->cb.disconnect == NULL)
34188 -- cams->cb.disconnect = usbvideo_Disconnect;
34189 -+ *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
34190 - if (cams->cb.startDataPump == NULL)
34191 -- cams->cb.startDataPump = usbvideo_StartDataPump;
34192 -+ *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
34193 - if (cams->cb.stopDataPump == NULL)
34194 -- cams->cb.stopDataPump = usbvideo_StopDataPump;
34195 -+ *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
34196 -
34197 - cams->num_cameras = num_cams;
34198 - cams->cam = (struct uvd *) &cams[1];
34199 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h
34200 ---- linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h 2011-03-27 14:31:47.000000000 -0400
34201 -+++ linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h 2011-08-30 18:20:06.000000000 -0400
34202 -@@ -268,7 +268,7 @@ struct usbvideo_cb {
34203 - int (*startDataPump)(struct uvd *uvd);
34204 - void (*stopDataPump)(struct uvd *uvd);
34205 - int (*setVideoMode)(struct uvd *uvd, struct video_window *vw);
34206 --};
34207 -+} __no_const;
34208 -
34209 - struct usbvideo {
34210 - int num_cameras; /* As allocated */
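Review bot: The __no_const annotation on struct usbvideo_cb is added without explanation, and it appears to overlap with the `*(void **)&` casts introduced on the callback assignments in ibmcam.c, konicawc.c, ultracam.c and usbvideo.c. If __no_const keeps the members writable, the casts can be dropped and the plain typed assignments restored; if both are required, a comment here stating why would save the next reader from guessing.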
34211 -diff -urNp linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c
34212 ---- linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-03-27 14:31:47.000000000 -0400
34213 -+++ linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:46:57.000000000 -0400
34214 -@@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
34215 - unsigned char rv, gv, bv;
34216 - static unsigned char *Y, *U, *V;
34217 -
34218 -+ pax_track_stack();
34219 -+
34220 - frame = usbvision->curFrame;
34221 - imageSize = frame->frmwidth * frame->frmheight;
34222 - if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
34223 -diff -urNp linux-2.6.32.46/drivers/media/video/v4l2-device.c linux-2.6.32.46/drivers/media/video/v4l2-device.c
34224 ---- linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-03-27 14:31:47.000000000 -0400
34225 -+++ linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-05-04 17:56:28.000000000 -0400
34226 -@@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
34227 - EXPORT_SYMBOL_GPL(v4l2_device_register);
34228 -
34229 - int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
34230 -- atomic_t *instance)
34231 -+ atomic_unchecked_t *instance)
34232 - {
34233 -- int num = atomic_inc_return(instance) - 1;
34234 -+ int num = atomic_inc_return_unchecked(instance) - 1;
34235 - int len = strlen(basename);
34236 -
34237 - if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
34238 -diff -urNp linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c
34239 ---- linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-03-27 14:31:47.000000000 -0400
34240 -+++ linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:46:57.000000000 -0400
34241 -@@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
34242 - {
34243 - struct videobuf_queue q;
34244 -
34245 -+ pax_track_stack();
34246 -+
34247 - /* Required to make generic handler to call __videobuf_alloc */
34248 - q.int_ops = &sg_ops;
34249 -
34250 -diff -urNp linux-2.6.32.46/drivers/message/fusion/mptbase.c linux-2.6.32.46/drivers/message/fusion/mptbase.c
34251 ---- linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-03-27 14:31:47.000000000 -0400
34252 -+++ linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-04-17 15:56:46.000000000 -0400
34253 -@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
34254 - len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
34255 - len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
34256 -
34257 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
34258 -+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
34259 -+ NULL, NULL);
34260 -+#else
34261 - len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
34262 - (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
34263 -+#endif
34264 -+
34265 - /*
34266 - * Rounding UP to nearest 4-kB boundary here...
34267 - */
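Review bot: The CONFIG_GRKERNSEC_HIDESYM branch in procmpt_iocinfo_read() duplicates the entire sprintf() call just to pass NULL, NULL in place of the two addresses. Select the two arguments under the #ifdef and keep a single sprintf(), so the format string cannot drift between the branches, and add a one-line comment that req_frames and req_frames_dma are withheld because they are kernel addresses.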
34268 -diff -urNp linux-2.6.32.46/drivers/message/fusion/mptsas.c linux-2.6.32.46/drivers/message/fusion/mptsas.c
34269 ---- linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-03-27 14:31:47.000000000 -0400
34270 -+++ linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-04-17 15:56:46.000000000 -0400
34271 -@@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
34272 - return 0;
34273 - }
34274 -
34275 -+static inline void
34276 -+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
34277 -+{
34278 -+ if (phy_info->port_details) {
34279 -+ phy_info->port_details->rphy = rphy;
34280 -+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
34281 -+ ioc->name, rphy));
34282 -+ }
34283 -+
34284 -+ if (rphy) {
34285 -+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
34286 -+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
34287 -+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
34288 -+ ioc->name, rphy, rphy->dev.release));
34289 -+ }
34290 -+}
34291 -+
34292 - /* no mutex */
34293 - static void
34294 - mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
34295 -@@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
34296 - return NULL;
34297 - }
34298 -
34299 --static inline void
34300 --mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
34301 --{
34302 -- if (phy_info->port_details) {
34303 -- phy_info->port_details->rphy = rphy;
34304 -- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
34305 -- ioc->name, rphy));
34306 -- }
34307 --
34308 -- if (rphy) {
34309 -- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
34310 -- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
34311 -- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
34312 -- ioc->name, rphy, rphy->dev.release));
34313 -- }
34314 --}
34315 --
34316 - static inline struct sas_port *
34317 - mptsas_get_port(struct mptsas_phyinfo *phy_info)
34318 - {
34319 -diff -urNp linux-2.6.32.46/drivers/message/fusion/mptscsih.c linux-2.6.32.46/drivers/message/fusion/mptscsih.c
34320 ---- linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-03-27 14:31:47.000000000 -0400
34321 -+++ linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-04-17 15:56:46.000000000 -0400
34322 -@@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
34323 -
34324 - h = shost_priv(SChost);
34325 -
34326 -- if (h) {
34327 -- if (h->info_kbuf == NULL)
34328 -- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
34329 -- return h->info_kbuf;
34330 -- h->info_kbuf[0] = '\0';
34331 -+ if (!h)
34332 -+ return NULL;
34333 -
34334 -- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
34335 -- h->info_kbuf[size-1] = '\0';
34336 -- }
34337 -+ if (h->info_kbuf == NULL)
34338 -+ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
34339 -+ return h->info_kbuf;
34340 -+ h->info_kbuf[0] = '\0';
34341 -+
34342 -+ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
34343 -+ h->info_kbuf[size-1] = '\0';
34344 -
34345 - return h->info_kbuf;
34346 - }
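Review bot: in the re-indented allocation path, `return h->info_kbuf;` is reached only when `kmalloc()` has just returned NULL, so it should read `return NULL;`, and the nested `if` pair deserves braces now that it sits at function scope. The added `h->info_kbuf[size-1] = '\0';` also trusts the `size` written by `mpt_print_ioc_summary()`; nothing in the hunk bounds it to 1..0x1000, so a guard before that store (or a clamp to the 4 KB allocation) would make the terminator write safe regardless of what the helper reports.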
34347 -diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_config.c linux-2.6.32.46/drivers/message/i2o/i2o_config.c
34348 ---- linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-03-27 14:31:47.000000000 -0400
34349 -+++ linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-05-16 21:46:57.000000000 -0400
34350 -@@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
34351 - struct i2o_message *msg;
34352 - unsigned int iop;
34353 -
34354 -+ pax_track_stack();
34355 -+
34356 - if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
34357 - return -EFAULT;
34358 -
34359 -diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_proc.c linux-2.6.32.46/drivers/message/i2o/i2o_proc.c
34360 ---- linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-03-27 14:31:47.000000000 -0400
34361 -+++ linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-04-17 15:56:46.000000000 -0400
34362 -@@ -259,13 +259,6 @@ static char *scsi_devices[] = {
34363 - "Array Controller Device"
34364 - };
34365 -
34366 --static char *chtostr(u8 * chars, int n)
34367 --{
34368 -- char tmp[256];
34369 -- tmp[0] = 0;
34370 -- return strncat(tmp, (char *)chars, n);
34371 --}
34372 --
34373 - static int i2o_report_query_status(struct seq_file *seq, int block_status,
34374 - char *group)
34375 - {
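Review bot: the deleted `chtostr()` returns the result of `strncat(tmp, ...)`, a pointer to its own 256-byte stack local, so this is a bug fix and the description should say that rather than letting it pass as cleanup. Since the helper is `static`, confirm that every caller in the file is converted in the same patch; the later hunks cover `i2o_seq_show_ddm_table`, `i2o_seq_show_drivers_stored`, `i2o_seq_show_dev_identity`, `i2o_seq_show_ddm_identity` and `i2o_seq_show_uinfo`.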
34376 -@@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
34377 -
34378 - seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
34379 - seq_printf(seq, "%-#8x", ddm_table.module_id);
34380 -- seq_printf(seq, "%-29s",
34381 -- chtostr(ddm_table.module_name_version, 28));
34382 -+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
34383 - seq_printf(seq, "%9d ", ddm_table.data_size);
34384 - seq_printf(seq, "%8d", ddm_table.code_size);
34385 -
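Review bot: the replacement format on the `module_name_version` line drops the field width: `%-29s` padded the column to 29 characters, while `%-.28s` only caps the read at 28 bytes and pads nothing, so the `-` flag has no effect and the following `%9d` column no longer lines up for short names. `%-29.28s` keeps both the bound and the table layout; the same applies to the `%-29s` and `%-9s` conversions in the next hunk.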
34386 -@@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
34387 -
34388 - seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
34389 - seq_printf(seq, "%-#8x", dst->module_id);
34390 -- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
34391 -- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
34392 -+ seq_printf(seq, "%-.28s", dst->module_name_version);
34393 -+ seq_printf(seq, "%-.8s", dst->date);
34394 - seq_printf(seq, "%8d ", dst->module_size);
34395 - seq_printf(seq, "%8d ", dst->mpb_size);
34396 - seq_printf(seq, "0x%04x", dst->module_flags);
34397 -@@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
34398 - seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
34399 - seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
34400 - seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
34401 -- seq_printf(seq, "Vendor info : %s\n",
34402 -- chtostr((u8 *) (work32 + 2), 16));
34403 -- seq_printf(seq, "Product info : %s\n",
34404 -- chtostr((u8 *) (work32 + 6), 16));
34405 -- seq_printf(seq, "Description : %s\n",
34406 -- chtostr((u8 *) (work32 + 10), 16));
34407 -- seq_printf(seq, "Product rev. : %s\n",
34408 -- chtostr((u8 *) (work32 + 14), 8));
34409 -+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
34410 -+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
34411 -+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
34412 -+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
34413 -
34414 - seq_printf(seq, "Serial number : ");
34415 - print_serial_number(seq, (u8 *) (work32 + 16),
34416 -@@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
34417 - }
34418 -
34419 - seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
34420 -- seq_printf(seq, "Module name : %s\n",
34421 -- chtostr(result.module_name, 24));
34422 -- seq_printf(seq, "Module revision : %s\n",
34423 -- chtostr(result.module_rev, 8));
34424 -+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
34425 -+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
34426 -
34427 - seq_printf(seq, "Serial number : ");
34428 - print_serial_number(seq, result.serial_number, sizeof(result) - 36);
34429 -@@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
34430 - return 0;
34431 - }
34432 -
34433 -- seq_printf(seq, "Device name : %s\n",
34434 -- chtostr(result.device_name, 64));
34435 -- seq_printf(seq, "Service name : %s\n",
34436 -- chtostr(result.service_name, 64));
34437 -- seq_printf(seq, "Physical name : %s\n",
34438 -- chtostr(result.physical_location, 64));
34439 -- seq_printf(seq, "Instance number : %s\n",
34440 -- chtostr(result.instance_number, 4));
34441 -+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
34442 -+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
34443 -+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
34444 -+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
34445 -
34446 - return 0;
34447 - }
34448 -diff -urNp linux-2.6.32.46/drivers/message/i2o/iop.c linux-2.6.32.46/drivers/message/i2o/iop.c
34449 ---- linux-2.6.32.46/drivers/message/i2o/iop.c 2011-03-27 14:31:47.000000000 -0400
34450 -+++ linux-2.6.32.46/drivers/message/i2o/iop.c 2011-05-04 17:56:28.000000000 -0400
34451 -@@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
34452 -
34453 - spin_lock_irqsave(&c->context_list_lock, flags);
34454 -
34455 -- if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
34456 -- atomic_inc(&c->context_list_counter);
34457 -+ if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
34458 -+ atomic_inc_unchecked(&c->context_list_counter);
34459 -
34460 -- entry->context = atomic_read(&c->context_list_counter);
34461 -+ entry->context = atomic_read_unchecked(&c->context_list_counter);
34462 -
34463 - list_add(&entry->list, &c->context_list);
34464 -
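Review bot: the switch to `atomic_inc_and_test_unchecked()` / `atomic_inc_unchecked()` on `context_list_counter` needs a comment saying that wrap-around is intended here, since the `_unchecked` suffix alone does not tell a later reader why this counter is exempt. The surrounding logic skips 0 on wrap but then assigns `entry->context` straight from the counter and calls `list_add()`; nothing in the hunk checks that the value is not already held by a live entry on `c->context_list`, which is worth stating or handling if contexts can outlive a full wrap.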
34465 -@@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
34466 -
34467 - #if BITS_PER_LONG == 64
34468 - spin_lock_init(&c->context_list_lock);
34469 -- atomic_set(&c->context_list_counter, 0);
34470 -+ atomic_set_unchecked(&c->context_list_counter, 0);
34471 - INIT_LIST_HEAD(&c->context_list);
34472 - #endif
34473 -
34474 -diff -urNp linux-2.6.32.46/drivers/mfd/wm8350-i2c.c linux-2.6.32.46/drivers/mfd/wm8350-i2c.c
34475 ---- linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-03-27 14:31:47.000000000 -0400
34476 -+++ linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-05-16 21:46:57.000000000 -0400
34477 -@@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
34478 - u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
34479 - int ret;
34480 -
34481 -+ pax_track_stack();
34482 -+
34483 - if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
34484 - return -EINVAL;
34485 -
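Review bot: `pax_track_stack()` is added without a comment, and the reason is only inferable from the `u8 msg[(WM8350_MAX_REGISTER << 1) + 1]` local above it; a one-line comment naming the large stack object would help whoever rebases this. Separately, the context check `bytes > ((WM8350_MAX_REGISTER << 1) + 1)` accepts `bytes` equal to the full size of `msg`; if the code after this hunk prefixes the payload with a register byte (not visible here), that is one byte too many and the bound should be `(WM8350_MAX_REGISTER << 1)`.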
34486 -diff -urNp linux-2.6.32.46/drivers/misc/kgdbts.c linux-2.6.32.46/drivers/misc/kgdbts.c
34487 ---- linux-2.6.32.46/drivers/misc/kgdbts.c 2011-03-27 14:31:47.000000000 -0400
34488 -+++ linux-2.6.32.46/drivers/misc/kgdbts.c 2011-04-17 15:56:46.000000000 -0400
34489 -@@ -118,7 +118,7 @@
34490 - } while (0)
34491 - #define MAX_CONFIG_LEN 40
34492 -
34493 --static struct kgdb_io kgdbts_io_ops;
34494 -+static const struct kgdb_io kgdbts_io_ops;
34495 - static char get_buf[BUFMAX];
34496 - static int get_buf_cnt;
34497 - static char put_buf[BUFMAX];
34498 -@@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
34499 - module_put(THIS_MODULE);
34500 - }
34501 -
34502 --static struct kgdb_io kgdbts_io_ops = {
34503 -+static const struct kgdb_io kgdbts_io_ops = {
34504 - .name = "kgdbts",
34505 - .read_char = kgdbts_get_char,
34506 - .write_char = kgdbts_put_char,
34507 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c
34508 ---- linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-03-27 14:31:47.000000000 -0400
34509 -+++ linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:56:46.000000000 -0400
34510 -@@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
34511 -
34512 - static void update_mcs_stats(enum mcs_op op, unsigned long clks)
34513 - {
34514 -- atomic_long_inc(&mcs_op_statistics[op].count);
34515 -- atomic_long_add(clks, &mcs_op_statistics[op].total);
34516 -+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
34517 -+ atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
34518 - if (mcs_op_statistics[op].max < clks)
34519 - mcs_op_statistics[op].max = clks;
34520 - }
34521 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c
34522 ---- linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-03-27 14:31:47.000000000 -0400
34523 -+++ linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:56:46.000000000 -0400
34524 -@@ -32,9 +32,9 @@
34525 -
34526 - #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
34527 -
34528 --static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
34529 -+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
34530 - {
34531 -- unsigned long val = atomic_long_read(v);
34532 -+ unsigned long val = atomic_long_read_unchecked(v);
34533 -
34534 - if (val)
34535 - seq_printf(s, "%16lu %s\n", val, id);
34536 -@@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
34537 - "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
34538 -
34539 - for (op = 0; op < mcsop_last; op++) {
34540 -- count = atomic_long_read(&mcs_op_statistics[op].count);
34541 -- total = atomic_long_read(&mcs_op_statistics[op].total);
34542 -+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
34543 -+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
34544 - max = mcs_op_statistics[op].max;
34545 - seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
34546 - count ? total / count : 0, max);
34547 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h
34548 ---- linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-03-27 14:31:47.000000000 -0400
34549 -+++ linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:56:46.000000000 -0400
34550 -@@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
34551 - * GRU statistics.
34552 - */
34553 - struct gru_stats_s {
34554 -- atomic_long_t vdata_alloc;
34555 -- atomic_long_t vdata_free;
34556 -- atomic_long_t gts_alloc;
34557 -- atomic_long_t gts_free;
34558 -- atomic_long_t vdata_double_alloc;
34559 -- atomic_long_t gts_double_allocate;
34560 -- atomic_long_t assign_context;
34561 -- atomic_long_t assign_context_failed;
34562 -- atomic_long_t free_context;
34563 -- atomic_long_t load_user_context;
34564 -- atomic_long_t load_kernel_context;
34565 -- atomic_long_t lock_kernel_context;
34566 -- atomic_long_t unlock_kernel_context;
34567 -- atomic_long_t steal_user_context;
34568 -- atomic_long_t steal_kernel_context;
34569 -- atomic_long_t steal_context_failed;
34570 -- atomic_long_t nopfn;
34571 -- atomic_long_t break_cow;
34572 -- atomic_long_t asid_new;
34573 -- atomic_long_t asid_next;
34574 -- atomic_long_t asid_wrap;
34575 -- atomic_long_t asid_reuse;
34576 -- atomic_long_t intr;
34577 -- atomic_long_t intr_mm_lock_failed;
34578 -- atomic_long_t call_os;
34579 -- atomic_long_t call_os_offnode_reference;
34580 -- atomic_long_t call_os_check_for_bug;
34581 -- atomic_long_t call_os_wait_queue;
34582 -- atomic_long_t user_flush_tlb;
34583 -- atomic_long_t user_unload_context;
34584 -- atomic_long_t user_exception;
34585 -- atomic_long_t set_context_option;
34586 -- atomic_long_t migrate_check;
34587 -- atomic_long_t migrated_retarget;
34588 -- atomic_long_t migrated_unload;
34589 -- atomic_long_t migrated_unload_delay;
34590 -- atomic_long_t migrated_nopfn_retarget;
34591 -- atomic_long_t migrated_nopfn_unload;
34592 -- atomic_long_t tlb_dropin;
34593 -- atomic_long_t tlb_dropin_fail_no_asid;
34594 -- atomic_long_t tlb_dropin_fail_upm;
34595 -- atomic_long_t tlb_dropin_fail_invalid;
34596 -- atomic_long_t tlb_dropin_fail_range_active;
34597 -- atomic_long_t tlb_dropin_fail_idle;
34598 -- atomic_long_t tlb_dropin_fail_fmm;
34599 -- atomic_long_t tlb_dropin_fail_no_exception;
34600 -- atomic_long_t tlb_dropin_fail_no_exception_war;
34601 -- atomic_long_t tfh_stale_on_fault;
34602 -- atomic_long_t mmu_invalidate_range;
34603 -- atomic_long_t mmu_invalidate_page;
34604 -- atomic_long_t mmu_clear_flush_young;
34605 -- atomic_long_t flush_tlb;
34606 -- atomic_long_t flush_tlb_gru;
34607 -- atomic_long_t flush_tlb_gru_tgh;
34608 -- atomic_long_t flush_tlb_gru_zero_asid;
34609 --
34610 -- atomic_long_t copy_gpa;
34611 --
34612 -- atomic_long_t mesq_receive;
34613 -- atomic_long_t mesq_receive_none;
34614 -- atomic_long_t mesq_send;
34615 -- atomic_long_t mesq_send_failed;
34616 -- atomic_long_t mesq_noop;
34617 -- atomic_long_t mesq_send_unexpected_error;
34618 -- atomic_long_t mesq_send_lb_overflow;
34619 -- atomic_long_t mesq_send_qlimit_reached;
34620 -- atomic_long_t mesq_send_amo_nacked;
34621 -- atomic_long_t mesq_send_put_nacked;
34622 -- atomic_long_t mesq_qf_not_full;
34623 -- atomic_long_t mesq_qf_locked;
34624 -- atomic_long_t mesq_qf_noop_not_full;
34625 -- atomic_long_t mesq_qf_switch_head_failed;
34626 -- atomic_long_t mesq_qf_unexpected_error;
34627 -- atomic_long_t mesq_noop_unexpected_error;
34628 -- atomic_long_t mesq_noop_lb_overflow;
34629 -- atomic_long_t mesq_noop_qlimit_reached;
34630 -- atomic_long_t mesq_noop_amo_nacked;
34631 -- atomic_long_t mesq_noop_put_nacked;
34632 -+ atomic_long_unchecked_t vdata_alloc;
34633 -+ atomic_long_unchecked_t vdata_free;
34634 -+ atomic_long_unchecked_t gts_alloc;
34635 -+ atomic_long_unchecked_t gts_free;
34636 -+ atomic_long_unchecked_t vdata_double_alloc;
34637 -+ atomic_long_unchecked_t gts_double_allocate;
34638 -+ atomic_long_unchecked_t assign_context;
34639 -+ atomic_long_unchecked_t assign_context_failed;
34640 -+ atomic_long_unchecked_t free_context;
34641 -+ atomic_long_unchecked_t load_user_context;
34642 -+ atomic_long_unchecked_t load_kernel_context;
34643 -+ atomic_long_unchecked_t lock_kernel_context;
34644 -+ atomic_long_unchecked_t unlock_kernel_context;
34645 -+ atomic_long_unchecked_t steal_user_context;
34646 -+ atomic_long_unchecked_t steal_kernel_context;
34647 -+ atomic_long_unchecked_t steal_context_failed;
34648 -+ atomic_long_unchecked_t nopfn;
34649 -+ atomic_long_unchecked_t break_cow;
34650 -+ atomic_long_unchecked_t asid_new;
34651 -+ atomic_long_unchecked_t asid_next;
34652 -+ atomic_long_unchecked_t asid_wrap;
34653 -+ atomic_long_unchecked_t asid_reuse;
34654 -+ atomic_long_unchecked_t intr;
34655 -+ atomic_long_unchecked_t intr_mm_lock_failed;
34656 -+ atomic_long_unchecked_t call_os;
34657 -+ atomic_long_unchecked_t call_os_offnode_reference;
34658 -+ atomic_long_unchecked_t call_os_check_for_bug;
34659 -+ atomic_long_unchecked_t call_os_wait_queue;
34660 -+ atomic_long_unchecked_t user_flush_tlb;
34661 -+ atomic_long_unchecked_t user_unload_context;
34662 -+ atomic_long_unchecked_t user_exception;
34663 -+ atomic_long_unchecked_t set_context_option;
34664 -+ atomic_long_unchecked_t migrate_check;
34665 -+ atomic_long_unchecked_t migrated_retarget;
34666 -+ atomic_long_unchecked_t migrated_unload;
34667 -+ atomic_long_unchecked_t migrated_unload_delay;
34668 -+ atomic_long_unchecked_t migrated_nopfn_retarget;
34669 -+ atomic_long_unchecked_t migrated_nopfn_unload;
34670 -+ atomic_long_unchecked_t tlb_dropin;
34671 -+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
34672 -+ atomic_long_unchecked_t tlb_dropin_fail_upm;
34673 -+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
34674 -+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
34675 -+ atomic_long_unchecked_t tlb_dropin_fail_idle;
34676 -+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
34677 -+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
34678 -+ atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
34679 -+ atomic_long_unchecked_t tfh_stale_on_fault;
34680 -+ atomic_long_unchecked_t mmu_invalidate_range;
34681 -+ atomic_long_unchecked_t mmu_invalidate_page;
34682 -+ atomic_long_unchecked_t mmu_clear_flush_young;
34683 -+ atomic_long_unchecked_t flush_tlb;
34684 -+ atomic_long_unchecked_t flush_tlb_gru;
34685 -+ atomic_long_unchecked_t flush_tlb_gru_tgh;
34686 -+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
34687 -+
34688 -+ atomic_long_unchecked_t copy_gpa;
34689 -+
34690 -+ atomic_long_unchecked_t mesq_receive;
34691 -+ atomic_long_unchecked_t mesq_receive_none;
34692 -+ atomic_long_unchecked_t mesq_send;
34693 -+ atomic_long_unchecked_t mesq_send_failed;
34694 -+ atomic_long_unchecked_t mesq_noop;
34695 -+ atomic_long_unchecked_t mesq_send_unexpected_error;
34696 -+ atomic_long_unchecked_t mesq_send_lb_overflow;
34697 -+ atomic_long_unchecked_t mesq_send_qlimit_reached;
34698 -+ atomic_long_unchecked_t mesq_send_amo_nacked;
34699 -+ atomic_long_unchecked_t mesq_send_put_nacked;
34700 -+ atomic_long_unchecked_t mesq_qf_not_full;
34701 -+ atomic_long_unchecked_t mesq_qf_locked;
34702 -+ atomic_long_unchecked_t mesq_qf_noop_not_full;
34703 -+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
34704 -+ atomic_long_unchecked_t mesq_qf_unexpected_error;
34705 -+ atomic_long_unchecked_t mesq_noop_unexpected_error;
34706 -+ atomic_long_unchecked_t mesq_noop_lb_overflow;
34707 -+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
34708 -+ atomic_long_unchecked_t mesq_noop_amo_nacked;
34709 -+ atomic_long_unchecked_t mesq_noop_put_nacked;
34710 -
34711 - };
34712 -
34713 -@@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
34714 - cchop_deallocate, tghop_invalidate, mcsop_last};
34715 -
34716 - struct mcs_op_statistic {
34717 -- atomic_long_t count;
34718 -- atomic_long_t total;
34719 -+ atomic_long_unchecked_t count;
34720 -+ atomic_long_unchecked_t total;
34721 - unsigned long max;
34722 - };
34723 -
34724 -@@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
34725 -
34726 - #define STAT(id) do { \
34727 - if (gru_options & OPT_STATS) \
34728 -- atomic_long_inc(&gru_stats.id); \
34729 -+ atomic_long_inc_unchecked(&gru_stats.id); \
34730 - } while (0)
34731 -
34732 - #ifdef CONFIG_SGI_GRU_DEBUG
34733 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xp.h linux-2.6.32.46/drivers/misc/sgi-xp/xp.h
34734 ---- linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-03-27 14:31:47.000000000 -0400
34735 -+++ linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-08-05 20:33:55.000000000 -0400
34736 -@@ -289,7 +289,7 @@ struct xpc_interface {
34737 - xpc_notify_func, void *);
34738 - void (*received) (short, int, void *);
34739 - enum xp_retval (*partid_to_nasids) (short, void *);
34740 --};
34741 -+} __no_const;
34742 -
34743 - extern struct xpc_interface xpc_interface;
34744 -
34745 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h
34746 ---- linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-03-27 14:31:47.000000000 -0400
34747 -+++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-08-05 20:33:55.000000000 -0400
34748 -@@ -876,7 +876,7 @@ extern struct xpc_registration xpc_regis
34749 - /* found in xpc_main.c */
34750 - extern struct device *xpc_part;
34751 - extern struct device *xpc_chan;
34752 --extern struct xpc_arch_operations xpc_arch_ops;
34753 -+extern const struct xpc_arch_operations xpc_arch_ops;
34754 - extern int xpc_disengage_timelimit;
34755 - extern int xpc_disengage_timedout;
34756 - extern int xpc_activate_IRQ_rcvd;
34757 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c
34758 ---- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-03-27 14:31:47.000000000 -0400
34759 -+++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-08-05 20:33:55.000000000 -0400
34760 -@@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
34761 - .notifier_call = xpc_system_die,
34762 - };
34763 -
34764 --struct xpc_arch_operations xpc_arch_ops;
34765 -+const struct xpc_arch_operations xpc_arch_ops;
34766 -
34767 - /*
34768 - * Timer function to enforce the timelimit on the partition disengage.
34769 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c
34770 ---- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-03-27 14:31:47.000000000 -0400
34771 -+++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-08-05 20:33:55.000000000 -0400
34772 -@@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
34773 - xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34774 - }
34775 -
34776 --static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34777 -+static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34778 - .setup_partitions = xpc_setup_partitions_sn2,
34779 - .teardown_partitions = xpc_teardown_partitions_sn2,
34780 - .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34781 -@@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
34782 - int ret;
34783 - size_t buf_size;
34784 -
34785 -- xpc_arch_ops = xpc_arch_ops_sn2;
34786 -+ pax_open_kernel();
34787 -+ memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
34788 -+ pax_close_kernel();
34789 -
34790 - if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
34791 - dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
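Review bot: the `memcpy((void *)&xpc_arch_ops, ...)` casts away the `const` that this patch adds to the definition in xpc_main.c (`const struct xpc_arch_operations xpc_arch_ops;`, no initializer). Storing to an object defined `const` is undefined behaviour in C, and the compiler is entitled to assume its members stay zero in any unit that sees the definition, so the qualifier should come off the definition and the write protection be expressed some other way. If the copy stays, size it from the destination, `sizeof(xpc_arch_ops)`; the same pattern is repeated in `xpc_init_uv()`.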
34792 -diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c
34793 ---- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-03-27 14:31:47.000000000 -0400
34794 -+++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-08-05 20:33:55.000000000 -0400
34795 -@@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
34796 - XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34797 - }
34798 -
34799 --static struct xpc_arch_operations xpc_arch_ops_uv = {
34800 -+static const struct xpc_arch_operations xpc_arch_ops_uv = {
34801 - .setup_partitions = xpc_setup_partitions_uv,
34802 - .teardown_partitions = xpc_teardown_partitions_uv,
34803 - .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34804 -@@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
34805 - int
34806 - xpc_init_uv(void)
34807 - {
34808 -- xpc_arch_ops = xpc_arch_ops_uv;
34809 -+ pax_open_kernel();
34810 -+ memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
34811 -+ pax_close_kernel();
34812 -
34813 - if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
34814 - dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
34815 -diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c
34816 ---- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-27 14:31:47.000000000 -0400
34817 -+++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:46:57.000000000 -0400
34818 -@@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
34819 - struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34820 - unsigned long timeo = jiffies + HZ;
34821 -
34822 -+ pax_track_stack();
34823 -+
34824 - /* Prevent setting state FL_SYNCING for chip in suspended state. */
34825 - if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34826 - goto sleep;
34827 -@@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
34828 - unsigned long initial_adr;
34829 - int initial_len = len;
34830 -
34831 -+ pax_track_stack();
34832 -+
34833 - wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34834 - adr += chip->start;
34835 - initial_adr = adr;
34836 -@@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
34837 - int retries = 3;
34838 - int ret;
34839 -
34840 -+ pax_track_stack();
34841 -+
34842 - adr += chip->start;
34843 -
34844 - retry:
34845 -diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c
34846 ---- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-27 14:31:47.000000000 -0400
34847 -+++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:46:57.000000000 -0400
34848 -@@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34849 - unsigned long cmd_addr;
34850 - struct cfi_private *cfi = map->fldrv_priv;
34851 -
34852 -+ pax_track_stack();
34853 -+
34854 - adr += chip->start;
34855 -
34856 - /* Ensure cmd read/writes are aligned. */
34857 -@@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34858 - DECLARE_WAITQUEUE(wait, current);
34859 - int wbufsize, z;
34860 -
34861 -+ pax_track_stack();
34862 -+
34863 - /* M58LW064A requires bus alignment for buffer wriets -- saw */
34864 - if (adr & (map_bankwidth(map)-1))
34865 - return -EINVAL;
34866 -@@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34867 - DECLARE_WAITQUEUE(wait, current);
34868 - int ret = 0;
34869 -
34870 -+ pax_track_stack();
34871 -+
34872 - adr += chip->start;
34873 -
34874 - /* Let's determine this according to the interleave only once */
34875 -@@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34876 - unsigned long timeo = jiffies + HZ;
34877 - DECLARE_WAITQUEUE(wait, current);
34878 -
34879 -+ pax_track_stack();
34880 -+
34881 - adr += chip->start;
34882 -
34883 - /* Let's determine this according to the interleave only once */
34884 -@@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34885 - unsigned long timeo = jiffies + HZ;
34886 - DECLARE_WAITQUEUE(wait, current);
34887 -
34888 -+ pax_track_stack();
34889 -+
34890 - adr += chip->start;
34891 -
34892 - /* Let's determine this according to the interleave only once */
34893 -diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2000.c linux-2.6.32.46/drivers/mtd/devices/doc2000.c
34894 ---- linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-03-27 14:31:47.000000000 -0400
34895 -+++ linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-04-17 15:56:46.000000000 -0400
34896 -@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34897 -
34898 - /* The ECC will not be calculated correctly if less than 512 is written */
34899 - /* DBB-
34900 -- if (len != 0x200 && eccbuf)
34901 -+ if (len != 0x200)
34902 - printk(KERN_WARNING
34903 - "ECC needs a full sector write (adr: %lx size %lx)\n",
34904 - (long) to, (long) len);
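Review bot: the edited condition follows the line `/* DBB-`, which opens a comment that is not closed anywhere in the hunk, so `if (len != 0x200)` appears to be commented-out text and the change would have no effect on the built driver. If the warning is meant to be live, the comment needs to be closed before it; if not, the hunk can be dropped from the patch.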
34905 -diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2001.c linux-2.6.32.46/drivers/mtd/devices/doc2001.c
34906 ---- linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-03-27 14:31:47.000000000 -0400
34907 -+++ linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-04-17 15:56:46.000000000 -0400
34908 -@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34909 - struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34910 -
34911 - /* Don't allow read past end of device */
34912 -- if (from >= this->totlen)
34913 -+ if (from >= this->totlen || !len)
34914 - return -EINVAL;
34915 -
34916 - /* Don't allow a single read to cross a 512-byte block boundary */
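Review bot: adding `|| !len` makes a zero-length read fail with `-EINVAL`, the same error as an out-of-range `from`. If the intent is only to keep the code below from running with `len == 0`, handling that case in a separate test would avoid changing what callers see for an empty read; either way the comment above (`Don't allow read past end of device`) no longer describes the whole condition. Note also that `mychip` is computed from `from` in the declaration before this check runs.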
34917 -diff -urNp linux-2.6.32.46/drivers/mtd/ftl.c linux-2.6.32.46/drivers/mtd/ftl.c
34918 ---- linux-2.6.32.46/drivers/mtd/ftl.c 2011-03-27 14:31:47.000000000 -0400
34919 -+++ linux-2.6.32.46/drivers/mtd/ftl.c 2011-05-16 21:46:57.000000000 -0400
34920 -@@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34921 - loff_t offset;
34922 - uint16_t srcunitswap = cpu_to_le16(srcunit);
34923 -
34924 -+ pax_track_stack();
34925 -+
34926 - eun = &part->EUNInfo[srcunit];
34927 - xfer = &part->XferInfo[xferunit];
34928 - DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34929 -diff -urNp linux-2.6.32.46/drivers/mtd/inftlcore.c linux-2.6.32.46/drivers/mtd/inftlcore.c
34930 ---- linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-03-27 14:31:47.000000000 -0400
34931 -+++ linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-05-16 21:46:57.000000000 -0400
34932 -@@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
34933 - struct inftl_oob oob;
34934 - size_t retlen;
34935 -
34936 -+ pax_track_stack();
34937 -+
34938 - DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34939 - "pending=%d)\n", inftl, thisVUC, pendingblock);
34940 -
34941 -diff -urNp linux-2.6.32.46/drivers/mtd/inftlmount.c linux-2.6.32.46/drivers/mtd/inftlmount.c
34942 ---- linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-03-27 14:31:47.000000000 -0400
34943 -+++ linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-05-16 21:46:57.000000000 -0400
34944 -@@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
34945 - struct INFTLPartition *ip;
34946 - size_t retlen;
34947 -
34948 -+ pax_track_stack();
34949 -+
34950 - DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34951 -
34952 - /*
34953 -diff -urNp linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c
34954 ---- linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-03-27 14:31:47.000000000 -0400
34955 -+++ linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:46:57.000000000 -0400
34956 -@@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34957 - {
34958 - map_word pfow_val[4];
34959 -
34960 -+ pax_track_stack();
34961 -+
34962 - /* Check identification string */
34963 - pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34964 - pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34965 -diff -urNp linux-2.6.32.46/drivers/mtd/mtdchar.c linux-2.6.32.46/drivers/mtd/mtdchar.c
34966 ---- linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-03-27 14:31:47.000000000 -0400
34967 -+++ linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-05-16 21:46:57.000000000 -0400
34968 -@@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
34969 - u_long size;
34970 - struct mtd_info_user info;
34971 -
34972 -+ pax_track_stack();
34973 -+
34974 - DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34975 -
34976 - size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34977 -diff -urNp linux-2.6.32.46/drivers/mtd/nftlcore.c linux-2.6.32.46/drivers/mtd/nftlcore.c
34978 ---- linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-03-27 14:31:47.000000000 -0400
34979 -+++ linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-05-16 21:46:57.000000000 -0400
34980 -@@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
34981 - int inplace = 1;
34982 - size_t retlen;
34983 -
34984 -+ pax_track_stack();
34985 -+
34986 - memset(BlockMap, 0xff, sizeof(BlockMap));
34987 - memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34988 -
34989 -diff -urNp linux-2.6.32.46/drivers/mtd/nftlmount.c linux-2.6.32.46/drivers/mtd/nftlmount.c
34990 ---- linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-03-27 14:31:47.000000000 -0400
34991 -+++ linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-05-18 20:09:37.000000000 -0400
34992 -@@ -23,6 +23,7 @@
34993 - #include <asm/errno.h>
34994 - #include <linux/delay.h>
34995 - #include <linux/slab.h>
34996 -+#include <linux/sched.h>
34997 - #include <linux/mtd/mtd.h>
34998 - #include <linux/mtd/nand.h>
34999 - #include <linux/mtd/nftl.h>
35000 -@@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
35001 - struct mtd_info *mtd = nftl->mbd.mtd;
35002 - unsigned int i;
35003 -
35004 -+ pax_track_stack();
35005 -+
35006 - /* Assume logical EraseSize == physical erasesize for starting the scan.
35007 - We'll sort it out later if we find a MediaHeader which says otherwise */
35008 - /* Actually, we won't. The new DiskOnChip driver has already scanned
35009 -diff -urNp linux-2.6.32.46/drivers/mtd/ubi/build.c linux-2.6.32.46/drivers/mtd/ubi/build.c
35010 ---- linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-03-27 14:31:47.000000000 -0400
35011 -+++ linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-04-17 15:56:46.000000000 -0400
35012 -@@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
35013 - static int __init bytes_str_to_int(const char *str)
35014 - {
35015 - char *endp;
35016 -- unsigned long result;
35017 -+ unsigned long result, scale = 1;
35018 -
35019 - result = simple_strtoul(str, &endp, 0);
35020 - if (str == endp || result >= INT_MAX) {
35021 -@@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
35022 -
35023 - switch (*endp) {
35024 - case 'G':
35025 -- result *= 1024;
35026 -+ scale *= 1024;
35027 - case 'M':
35028 -- result *= 1024;
35029 -+ scale *= 1024;
35030 - case 'K':
35031 -- result *= 1024;
35032 -+ scale *= 1024;
35033 - if (endp[1] == 'i' && endp[2] == 'B')
35034 - endp += 2;
35035 - case '\0':
35036 -@@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
35037 - return -EINVAL;
35038 - }
35039 -
35040 -- return result;
35041 -+ if ((intoverflow_t)result*scale >= INT_MAX) {
35042 -+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
35043 -+ str);
35044 -+ return -EINVAL;
35045 -+ }
35046 -+
35047 -+ return result*scale;
35048 - }
35049 -
35050 - /**
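Review bot: the new bound check `(intoverflow_t)result*scale >= INT_MAX` before the final return is only correct if intoverflow_t is wider than unsigned long, and nothing in this file's hunks defines the type or says so. result is already held below INT_MAX by the earlier check and scale reaches 1024*1024*1024 on the 'G' path, so the product can need about 61 bits; with a 32-bit unsigned long a plain multiply would wrap before the comparison. A one-line comment at the check stating the width requirement would make that dependency explicit. The following `return result*scale;` is computed in unsigned long and narrowed to int, which is safe only because of that check, so the two lines should stay adjacent.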
35051 -diff -urNp linux-2.6.32.46/drivers/net/bnx2.c linux-2.6.32.46/drivers/net/bnx2.c
35052 ---- linux-2.6.32.46/drivers/net/bnx2.c 2011-03-27 14:31:47.000000000 -0400
35053 -+++ linux-2.6.32.46/drivers/net/bnx2.c 2011-05-16 21:46:57.000000000 -0400
35054 -@@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
35055 - int rc = 0;
35056 - u32 magic, csum;
35057 -
35058 -+ pax_track_stack();
35059 -+
35060 - if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
35061 - goto test_nvram_done;
35062 -
35063 -diff -urNp linux-2.6.32.46/drivers/net/cxgb3/l2t.h linux-2.6.32.46/drivers/net/cxgb3/l2t.h
35064 ---- linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-03-27 14:31:47.000000000 -0400
35065 -+++ linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-08-05 20:33:55.000000000 -0400
35066 -@@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
35067 - */
35068 - struct l2t_skb_cb {
35069 - arp_failure_handler_func arp_failure_handler;
35070 --};
35071 -+} __no_const;
35072 -
35073 - #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
35074 -
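Review bot: the `} __no_const;` annotation on struct l2t_skb_cb has no comment explaining why this function-pointer struct must stay writable. The L2T_SKB_CB macro in the trailing context casts (skb)->cb to it, so instances live in per-packet control-buffer storage rather than in a static table; a short note to that effect next to the annotation would keep a later cleanup from removing it.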
35075 -diff -urNp linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c
35076 ---- linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-03-27 14:31:47.000000000 -0400
35077 -+++ linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-05-16 21:46:57.000000000 -0400
35078 -@@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
35079 - int i, addr, ret;
35080 - struct t3_vpd vpd;
35081 -
35082 -+ pax_track_stack();
35083 -+
35084 - /*
35085 - * Card information is normally at VPD_BASE but some early cards had
35086 - * it at 0.
35087 -diff -urNp linux-2.6.32.46/drivers/net/e1000e/82571.c linux-2.6.32.46/drivers/net/e1000e/82571.c
35088 ---- linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-03-27 14:31:47.000000000 -0400
35089 -+++ linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-08-23 21:22:32.000000000 -0400
35090 -@@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(s
35091 - {
35092 - struct e1000_hw *hw = &adapter->hw;
35093 - struct e1000_mac_info *mac = &hw->mac;
35094 -- struct e1000_mac_operations *func = &mac->ops;
35095 -+ e1000_mac_operations_no_const *func = &mac->ops;
35096 - u32 swsm = 0;
35097 - u32 swsm2 = 0;
35098 - bool force_clear_smbi = false;
35099 -@@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
35100 - temp = er32(ICRXDMTC);
35101 - }
35102 -
35103 --static struct e1000_mac_operations e82571_mac_ops = {
35104 -+static const struct e1000_mac_operations e82571_mac_ops = {
35105 - /* .check_mng_mode: mac type dependent */
35106 - /* .check_for_link: media type dependent */
35107 - .id_led_init = e1000e_id_led_init,
35108 -@@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
35109 - .setup_led = e1000e_setup_led_generic,
35110 - };
35111 -
35112 --static struct e1000_phy_operations e82_phy_ops_igp = {
35113 -+static const struct e1000_phy_operations e82_phy_ops_igp = {
35114 - .acquire_phy = e1000_get_hw_semaphore_82571,
35115 - .check_reset_block = e1000e_check_reset_block_generic,
35116 - .commit_phy = NULL,
35117 -@@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
35118 - .cfg_on_link_up = NULL,
35119 - };
35120 -
35121 --static struct e1000_phy_operations e82_phy_ops_m88 = {
35122 -+static const struct e1000_phy_operations e82_phy_ops_m88 = {
35123 - .acquire_phy = e1000_get_hw_semaphore_82571,
35124 - .check_reset_block = e1000e_check_reset_block_generic,
35125 - .commit_phy = e1000e_phy_sw_reset,
35126 -@@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
35127 - .cfg_on_link_up = NULL,
35128 - };
35129 -
35130 --static struct e1000_phy_operations e82_phy_ops_bm = {
35131 -+static const struct e1000_phy_operations e82_phy_ops_bm = {
35132 - .acquire_phy = e1000_get_hw_semaphore_82571,
35133 - .check_reset_block = e1000e_check_reset_block_generic,
35134 - .commit_phy = e1000e_phy_sw_reset,
35135 -@@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
35136 - .cfg_on_link_up = NULL,
35137 - };
35138 -
35139 --static struct e1000_nvm_operations e82571_nvm_ops = {
35140 -+static const struct e1000_nvm_operations e82571_nvm_ops = {
35141 - .acquire_nvm = e1000_acquire_nvm_82571,
35142 - .read_nvm = e1000e_read_nvm_eerd,
35143 - .release_nvm = e1000_release_nvm_82571,
35144 -diff -urNp linux-2.6.32.46/drivers/net/e1000e/e1000.h linux-2.6.32.46/drivers/net/e1000e/e1000.h
35145 ---- linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-03-27 14:31:47.000000000 -0400
35146 -+++ linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-04-17 15:56:46.000000000 -0400
35147 -@@ -375,9 +375,9 @@ struct e1000_info {
35148 - u32 pba;
35149 - u32 max_hw_frame_size;
35150 - s32 (*get_variants)(struct e1000_adapter *);
35151 -- struct e1000_mac_operations *mac_ops;
35152 -- struct e1000_phy_operations *phy_ops;
35153 -- struct e1000_nvm_operations *nvm_ops;
35154 -+ const struct e1000_mac_operations *mac_ops;
35155 -+ const struct e1000_phy_operations *phy_ops;
35156 -+ const struct e1000_nvm_operations *nvm_ops;
35157 - };
35158 -
35159 - /* hardware capability, feature, and workaround flags */
35160 -diff -urNp linux-2.6.32.46/drivers/net/e1000e/es2lan.c linux-2.6.32.46/drivers/net/e1000e/es2lan.c
35161 ---- linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-03-27 14:31:47.000000000 -0400
35162 -+++ linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-08-23 21:22:32.000000000 -0400
35163 -@@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es
35164 - {
35165 - struct e1000_hw *hw = &adapter->hw;
35166 - struct e1000_mac_info *mac = &hw->mac;
35167 -- struct e1000_mac_operations *func = &mac->ops;
35168 -+ e1000_mac_operations_no_const *func = &mac->ops;
35169 -
35170 - /* Set media type */
35171 - switch (adapter->pdev->device) {
35172 -@@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
35173 - temp = er32(ICRXDMTC);
35174 - }
35175 -
35176 --static struct e1000_mac_operations es2_mac_ops = {
35177 -+static const struct e1000_mac_operations es2_mac_ops = {
35178 - .id_led_init = e1000e_id_led_init,
35179 - .check_mng_mode = e1000e_check_mng_mode_generic,
35180 - /* check_for_link dependent on media type */
35181 -@@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
35182 - .setup_led = e1000e_setup_led_generic,
35183 - };
35184 -
35185 --static struct e1000_phy_operations es2_phy_ops = {
35186 -+static const struct e1000_phy_operations es2_phy_ops = {
35187 - .acquire_phy = e1000_acquire_phy_80003es2lan,
35188 - .check_reset_block = e1000e_check_reset_block_generic,
35189 - .commit_phy = e1000e_phy_sw_reset,
35190 -@@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
35191 - .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
35192 - };
35193 -
35194 --static struct e1000_nvm_operations es2_nvm_ops = {
35195 -+static const struct e1000_nvm_operations es2_nvm_ops = {
35196 - .acquire_nvm = e1000_acquire_nvm_80003es2lan,
35197 - .read_nvm = e1000e_read_nvm_eerd,
35198 - .release_nvm = e1000_release_nvm_80003es2lan,
35199 -diff -urNp linux-2.6.32.46/drivers/net/e1000e/hw.h linux-2.6.32.46/drivers/net/e1000e/hw.h
35200 ---- linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-03-27 14:31:47.000000000 -0400
35201 -+++ linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-08-23 21:27:38.000000000 -0400
35202 -@@ -753,6 +753,7 @@ struct e1000_mac_operations {
35203 - s32 (*setup_physical_interface)(struct e1000_hw *);
35204 - s32 (*setup_led)(struct e1000_hw *);
35205 - };
35206 -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
35207 -
35208 - /* Function pointers for the PHY. */
35209 - struct e1000_phy_operations {
35210 -@@ -774,6 +775,7 @@ struct e1000_phy_operations {
35211 - s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
35212 - s32 (*cfg_on_link_up)(struct e1000_hw *);
35213 - };
35214 -+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
35215 -
35216 - /* Function pointers for the NVM. */
35217 - struct e1000_nvm_operations {
35218 -@@ -785,9 +787,10 @@ struct e1000_nvm_operations {
35219 - s32 (*validate_nvm)(struct e1000_hw *);
35220 - s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
35221 - };
35222 -+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
35223 -
35224 - struct e1000_mac_info {
35225 -- struct e1000_mac_operations ops;
35226 -+ e1000_mac_operations_no_const ops;
35227 -
35228 - u8 addr[6];
35229 - u8 perm_addr[6];
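Review bot: the `ops` member of struct e1000_mac_info switches to e1000_mac_operations_no_const with no comment on why this embedded copy stays writable while the static tables in 82571.c, es2lan.c and ich8lan.c become const. The 82571.c and es2lan.c hunks take `func = &mac->ops` in the init_mac_params functions, and the tables carry "media type dependent" placeholders, which suggests per-device fill-in at probe time; stating that at the typedef would document the split between constant templates and the writable per-adapter copy. The phy and nvm typedefs added in the same file need the same justification, since no visible hunk takes a writable pointer to them.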
35230 -@@ -823,7 +826,7 @@ struct e1000_mac_info {
35231 - };
35232 -
35233 - struct e1000_phy_info {
35234 -- struct e1000_phy_operations ops;
35235 -+ e1000_phy_operations_no_const ops;
35236 -
35237 - enum e1000_phy_type type;
35238 -
35239 -@@ -857,7 +860,7 @@ struct e1000_phy_info {
35240 - };
35241 -
35242 - struct e1000_nvm_info {
35243 -- struct e1000_nvm_operations ops;
35244 -+ e1000_nvm_operations_no_const ops;
35245 -
35246 - enum e1000_nvm_type type;
35247 - enum e1000_nvm_override override;
35248 -diff -urNp linux-2.6.32.46/drivers/net/e1000e/ich8lan.c linux-2.6.32.46/drivers/net/e1000e/ich8lan.c
35249 ---- linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:01.000000000 -0400
35250 -+++ linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-08-23 21:22:32.000000000 -0400
35251 -@@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
35252 - }
35253 - }
35254 -
35255 --static struct e1000_mac_operations ich8_mac_ops = {
35256 -+static const struct e1000_mac_operations ich8_mac_ops = {
35257 - .id_led_init = e1000e_id_led_init,
35258 - .check_mng_mode = e1000_check_mng_mode_ich8lan,
35259 - .check_for_link = e1000_check_for_copper_link_ich8lan,
35260 -@@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
35261 - /* id_led_init dependent on mac type */
35262 - };
35263 -
35264 --static struct e1000_phy_operations ich8_phy_ops = {
35265 -+static const struct e1000_phy_operations ich8_phy_ops = {
35266 - .acquire_phy = e1000_acquire_swflag_ich8lan,
35267 - .check_reset_block = e1000_check_reset_block_ich8lan,
35268 - .commit_phy = NULL,
35269 -@@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
35270 - .write_phy_reg = e1000e_write_phy_reg_igp,
35271 - };
35272 -
35273 --static struct e1000_nvm_operations ich8_nvm_ops = {
35274 -+static const struct e1000_nvm_operations ich8_nvm_ops = {
35275 - .acquire_nvm = e1000_acquire_nvm_ich8lan,
35276 - .read_nvm = e1000_read_nvm_ich8lan,
35277 - .release_nvm = e1000_release_nvm_ich8lan,
35278 -diff -urNp linux-2.6.32.46/drivers/net/hamradio/6pack.c linux-2.6.32.46/drivers/net/hamradio/6pack.c
35279 ---- linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:04.000000000 -0400
35280 -+++ linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:18.000000000 -0400
35281 -@@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
35282 - unsigned char buf[512];
35283 - int count1;
35284 -
35285 -+ pax_track_stack();
35286 -+
35287 - if (!count)
35288 - return;
35289 -
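Review bot: pax_track_stack() is placed ahead of the `if (!count) return;` early exit in sixpack_receive_buf, with no comment on why this function is instrumented. The only large local in the context is `unsigned char buf[512]`; if frame size is the criterion, a brief comment naming it would let reviewers judge the other pax_track_stack() sites in this patch by the same rule.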
35290 -diff -urNp linux-2.6.32.46/drivers/net/ibmveth.c linux-2.6.32.46/drivers/net/ibmveth.c
35291 ---- linux-2.6.32.46/drivers/net/ibmveth.c 2011-03-27 14:31:47.000000000 -0400
35292 -+++ linux-2.6.32.46/drivers/net/ibmveth.c 2011-04-17 15:56:46.000000000 -0400
35293 -@@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
35294 - NULL,
35295 - };
35296 -
35297 --static struct sysfs_ops veth_pool_ops = {
35298 -+static const struct sysfs_ops veth_pool_ops = {
35299 - .show = veth_pool_show,
35300 - .store = veth_pool_store,
35301 - };
35302 -diff -urNp linux-2.6.32.46/drivers/net/igb/e1000_82575.c linux-2.6.32.46/drivers/net/igb/e1000_82575.c
35303 ---- linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:24:44.000000000 -0400
35304 -+++ linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:25:07.000000000 -0400
35305 -@@ -1411,7 +1411,7 @@ void igb_vmdq_set_replication_pf(struct
35306 - wr32(E1000_VT_CTL, vt_ctl);
35307 - }
35308 -
35309 --static struct e1000_mac_operations e1000_mac_ops_82575 = {
35310 -+static const struct e1000_mac_operations e1000_mac_ops_82575 = {
35311 - .reset_hw = igb_reset_hw_82575,
35312 - .init_hw = igb_init_hw_82575,
35313 - .check_for_link = igb_check_for_link_82575,
35314 -@@ -1420,13 +1420,13 @@ static struct e1000_mac_operations e1000
35315 - .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
35316 - };
35317 -
35318 --static struct e1000_phy_operations e1000_phy_ops_82575 = {
35319 -+static const struct e1000_phy_operations e1000_phy_ops_82575 = {
35320 - .acquire = igb_acquire_phy_82575,
35321 - .get_cfg_done = igb_get_cfg_done_82575,
35322 - .release = igb_release_phy_82575,
35323 - };
35324 -
35325 --static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35326 -+static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35327 - .acquire = igb_acquire_nvm_82575,
35328 - .read = igb_read_nvm_eerd,
35329 - .release = igb_release_nvm_82575,
35330 -diff -urNp linux-2.6.32.46/drivers/net/igb/e1000_hw.h linux-2.6.32.46/drivers/net/igb/e1000_hw.h
35331 ---- linux-2.6.32.46/drivers/net/igb/e1000_hw.h 2011-03-27 14:31:47.000000000 -0400
35332 -+++ linux-2.6.32.46/drivers/net/igb/e1000_hw.h 2011-08-23 21:28:01.000000000 -0400
35333 -@@ -288,6 +288,7 @@ struct e1000_mac_operations {
35334 - s32 (*read_mac_addr)(struct e1000_hw *);
35335 - s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
35336 - };
35337 -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
35338 -
35339 - struct e1000_phy_operations {
35340 - s32 (*acquire)(struct e1000_hw *);
35341 -@@ -303,6 +304,7 @@ struct e1000_phy_operations {
35342 - s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
35343 - s32 (*write_reg)(struct e1000_hw *, u32, u16);
35344 - };
35345 -+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
35346 -
35347 - struct e1000_nvm_operations {
35348 - s32 (*acquire)(struct e1000_hw *);
35349 -@@ -310,6 +312,7 @@ struct e1000_nvm_operations {
35350 - void (*release)(struct e1000_hw *);
35351 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
35352 - };
35353 -+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
35354 -
35355 - struct e1000_info {
35356 - s32 (*get_invariants)(struct e1000_hw *);
35357 -@@ -321,7 +324,7 @@ struct e1000_info {
35358 - extern const struct e1000_info e1000_82575_info;
35359 -
35360 - struct e1000_mac_info {
35361 -- struct e1000_mac_operations ops;
35362 -+ e1000_mac_operations_no_const ops;
35363 -
35364 - u8 addr[6];
35365 - u8 perm_addr[6];
35366 -@@ -365,7 +368,7 @@ struct e1000_mac_info {
35367 - };
35368 -
35369 - struct e1000_phy_info {
35370 -- struct e1000_phy_operations ops;
35371 -+ e1000_phy_operations_no_const ops;
35372 -
35373 - enum e1000_phy_type type;
35374 -
35375 -@@ -400,7 +403,7 @@ struct e1000_phy_info {
35376 - };
35377 -
35378 - struct e1000_nvm_info {
35379 -- struct e1000_nvm_operations ops;
35380 -+ e1000_nvm_operations_no_const ops;
35381 -
35382 - enum e1000_nvm_type type;
35383 - enum e1000_nvm_override override;
35384 -@@ -446,6 +449,7 @@ struct e1000_mbx_operations {
35385 - s32 (*check_for_ack)(struct e1000_hw *, u16);
35386 - s32 (*check_for_rst)(struct e1000_hw *, u16);
35387 - };
35388 -+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
35389 -
35390 - struct e1000_mbx_stats {
35391 - u32 msgs_tx;
35392 -@@ -457,7 +461,7 @@ struct e1000_mbx_stats {
35393 - };
35394 -
35395 - struct e1000_mbx_info {
35396 -- struct e1000_mbx_operations ops;
35397 -+ e1000_mbx_operations_no_const ops;
35398 - struct e1000_mbx_stats stats;
35399 - u32 timeout;
35400 - u32 usec_delay;
35401 -diff -urNp linux-2.6.32.46/drivers/net/igbvf/vf.h linux-2.6.32.46/drivers/net/igbvf/vf.h
35402 ---- linux-2.6.32.46/drivers/net/igbvf/vf.h 2011-03-27 14:31:47.000000000 -0400
35403 -+++ linux-2.6.32.46/drivers/net/igbvf/vf.h 2011-08-23 21:22:38.000000000 -0400
35404 -@@ -187,9 +187,10 @@ struct e1000_mac_operations {
35405 - s32 (*read_mac_addr)(struct e1000_hw *);
35406 - s32 (*set_vfta)(struct e1000_hw *, u16, bool);
35407 - };
35408 -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
35409 -
35410 - struct e1000_mac_info {
35411 -- struct e1000_mac_operations ops;
35412 -+ e1000_mac_operations_no_const ops;
35413 - u8 addr[6];
35414 - u8 perm_addr[6];
35415 -
35416 -@@ -211,6 +212,7 @@ struct e1000_mbx_operations {
35417 - s32 (*check_for_ack)(struct e1000_hw *);
35418 - s32 (*check_for_rst)(struct e1000_hw *);
35419 - };
35420 -+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
35421 -
35422 - struct e1000_mbx_stats {
35423 - u32 msgs_tx;
35424 -@@ -222,7 +224,7 @@ struct e1000_mbx_stats {
35425 - };
35426 -
35427 - struct e1000_mbx_info {
35428 -- struct e1000_mbx_operations ops;
35429 -+ e1000_mbx_operations_no_const ops;
35430 - struct e1000_mbx_stats stats;
35431 - u32 timeout;
35432 - u32 usec_delay;
35433 -diff -urNp linux-2.6.32.46/drivers/net/iseries_veth.c linux-2.6.32.46/drivers/net/iseries_veth.c
35434 ---- linux-2.6.32.46/drivers/net/iseries_veth.c 2011-03-27 14:31:47.000000000 -0400
35435 -+++ linux-2.6.32.46/drivers/net/iseries_veth.c 2011-04-17 15:56:46.000000000 -0400
35436 -@@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
35437 - NULL
35438 - };
35439 -
35440 --static struct sysfs_ops veth_cnx_sysfs_ops = {
35441 -+static const struct sysfs_ops veth_cnx_sysfs_ops = {
35442 - .show = veth_cnx_attribute_show
35443 - };
35444 -
35445 -@@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
35446 - NULL
35447 - };
35448 -
35449 --static struct sysfs_ops veth_port_sysfs_ops = {
35450 -+static const struct sysfs_ops veth_port_sysfs_ops = {
35451 - .show = veth_port_attribute_show
35452 - };
35453 -
35454 -diff -urNp linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c
35455 ---- linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c 2011-03-27 14:31:47.000000000 -0400
35456 -+++ linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c 2011-05-16 21:46:57.000000000 -0400
35457 -@@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
35458 - u32 rctl;
35459 - int i;
35460 -
35461 -+ pax_track_stack();
35462 -+
35463 - /* Check for Promiscuous and All Multicast modes */
35464 -
35465 - rctl = IXGB_READ_REG(hw, RCTL);
35466 -diff -urNp linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c
35467 ---- linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c 2011-03-27 14:31:47.000000000 -0400
35468 -+++ linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c 2011-05-16 21:46:57.000000000 -0400
35469 -@@ -260,6 +260,9 @@ void __devinit
35470 - ixgb_check_options(struct ixgb_adapter *adapter)
35471 - {
35472 - int bd = adapter->bd_number;
35473 -+
35474 -+ pax_track_stack();
35475 -+
35476 - if (bd >= IXGB_MAX_NIC) {
35477 - printk(KERN_NOTICE
35478 - "Warning: no configuration for board #%i\n", bd);
35479 -diff -urNp linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h
35480 ---- linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h 2011-03-27 14:31:47.000000000 -0400
35481 -+++ linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h 2011-08-23 21:22:38.000000000 -0400
35482 -@@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations {
35483 - s32 (*validate_checksum)(struct ixgbe_hw *, u16 *);
35484 - s32 (*update_checksum)(struct ixgbe_hw *);
35485 - };
35486 -+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
35487 -
35488 - struct ixgbe_mac_operations {
35489 - s32 (*init_hw)(struct ixgbe_hw *);
35490 -@@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations {
35491 - /* Flow Control */
35492 - s32 (*fc_enable)(struct ixgbe_hw *, s32);
35493 - };
35494 -+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
35495 -
35496 - struct ixgbe_phy_operations {
35497 - s32 (*identify)(struct ixgbe_hw *);
35498 -@@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations {
35499 - s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
35500 - s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
35501 - };
35502 -+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
35503 -
35504 - struct ixgbe_eeprom_info {
35505 -- struct ixgbe_eeprom_operations ops;
35506 -+ ixgbe_eeprom_operations_no_const ops;
35507 - enum ixgbe_eeprom_type type;
35508 - u32 semaphore_delay;
35509 - u16 word_size;
35510 -@@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info {
35511 - };
35512 -
35513 - struct ixgbe_mac_info {
35514 -- struct ixgbe_mac_operations ops;
35515 -+ ixgbe_mac_operations_no_const ops;
35516 - enum ixgbe_mac_type type;
35517 - u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
35518 - u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
35519 -@@ -2423,7 +2426,7 @@ struct ixgbe_mac_info {
35520 - };
35521 -
35522 - struct ixgbe_phy_info {
35523 -- struct ixgbe_phy_operations ops;
35524 -+ ixgbe_phy_operations_no_const ops;
35525 - struct mdio_if_info mdio;
35526 - enum ixgbe_phy_type type;
35527 - u32 id;
35528 -diff -urNp linux-2.6.32.46/drivers/net/mlx4/main.c linux-2.6.32.46/drivers/net/mlx4/main.c
35529 ---- linux-2.6.32.46/drivers/net/mlx4/main.c 2011-03-27 14:31:47.000000000 -0400
35530 -+++ linux-2.6.32.46/drivers/net/mlx4/main.c 2011-05-18 20:09:37.000000000 -0400
35531 -@@ -38,6 +38,7 @@
35532 - #include <linux/errno.h>
35533 - #include <linux/pci.h>
35534 - #include <linux/dma-mapping.h>
35535 -+#include <linux/sched.h>
35536 -
35537 - #include <linux/mlx4/device.h>
35538 - #include <linux/mlx4/doorbell.h>
35539 -@@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
35540 - u64 icm_size;
35541 - int err;
35542 -
35543 -+ pax_track_stack();
35544 -+
35545 - err = mlx4_QUERY_FW(dev);
35546 - if (err) {
35547 - if (err == -EACCES)
35548 -diff -urNp linux-2.6.32.46/drivers/net/niu.c linux-2.6.32.46/drivers/net/niu.c
35549 ---- linux-2.6.32.46/drivers/net/niu.c 2011-05-10 22:12:01.000000000 -0400
35550 -+++ linux-2.6.32.46/drivers/net/niu.c 2011-05-16 21:46:57.000000000 -0400
35551 -@@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
35552 - int i, num_irqs, err;
35553 - u8 first_ldg;
35554 -
35555 -+ pax_track_stack();
35556 -+
35557 - first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35558 - for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35559 - ldg_num_map[i] = first_ldg + i;
35560 -diff -urNp linux-2.6.32.46/drivers/net/pcnet32.c linux-2.6.32.46/drivers/net/pcnet32.c
35561 ---- linux-2.6.32.46/drivers/net/pcnet32.c 2011-03-27 14:31:47.000000000 -0400
35562 -+++ linux-2.6.32.46/drivers/net/pcnet32.c 2011-08-05 20:33:55.000000000 -0400
35563 -@@ -79,7 +79,7 @@ static int cards_found;
35564 - /*
35565 - * VLB I/O addresses
35566 - */
35567 --static unsigned int pcnet32_portlist[] __initdata =
35568 -+static unsigned int pcnet32_portlist[] __devinitdata =
35569 - { 0x300, 0x320, 0x340, 0x360, 0 };
35570 -
35571 - static int pcnet32_debug = 0;
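Review bot: the move of pcnet32_portlist from __initdata to __devinitdata is not explained, and none of the visible hunks shows which function reads the array, so the section change cannot be checked against its user here. Name the referencing function in a comment or in the changelog, since this is a separate concern from the `a` pointer conversion that makes up the rest of the file's changes.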
35572 -@@ -267,7 +267,7 @@ struct pcnet32_private {
35573 - struct sk_buff **rx_skbuff;
35574 - dma_addr_t *tx_dma_addr;
35575 - dma_addr_t *rx_dma_addr;
35576 -- struct pcnet32_access a;
35577 -+ struct pcnet32_access *a;
35578 - spinlock_t lock; /* Guard lock */
35579 - unsigned int cur_rx, cur_tx; /* The next free ring entry */
35580 - unsigned int rx_ring_size; /* current rx ring size */
35581 -@@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
35582 - u16 val;
35583 -
35584 - netif_wake_queue(dev);
35585 -- val = lp->a.read_csr(ioaddr, CSR3);
35586 -+ val = lp->a->read_csr(ioaddr, CSR3);
35587 - val &= 0x00ff;
35588 -- lp->a.write_csr(ioaddr, CSR3, val);
35589 -+ lp->a->write_csr(ioaddr, CSR3, val);
35590 - napi_enable(&lp->napi);
35591 - }
35592 -
35593 -@@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
35594 - r = mii_link_ok(&lp->mii_if);
35595 - } else if (lp->chip_version >= PCNET32_79C970A) {
35596 - ulong ioaddr = dev->base_addr; /* card base I/O address */
35597 -- r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
35598 -+ r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
35599 - } else { /* can not detect link on really old chips */
35600 - r = 1;
35601 - }
35602 -@@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
35603 - pcnet32_netif_stop(dev);
35604 -
35605 - spin_lock_irqsave(&lp->lock, flags);
35606 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
35607 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
35608 -
35609 - size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
35610 -
35611 -@@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
35612 - static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
35613 - {
35614 - struct pcnet32_private *lp = netdev_priv(dev);
35615 -- struct pcnet32_access *a = &lp->a; /* access to registers */
35616 -+ struct pcnet32_access *a = lp->a; /* access to registers */
35617 - ulong ioaddr = dev->base_addr; /* card base I/O address */
35618 - struct sk_buff *skb; /* sk buff */
35619 - int x, i; /* counters */
35620 -@@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
35621 - pcnet32_netif_stop(dev);
35622 -
35623 - spin_lock_irqsave(&lp->lock, flags);
35624 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
35625 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
35626 -
35627 - numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
35628 -
35629 - /* Reset the PCNET32 */
35630 -- lp->a.reset(ioaddr);
35631 -- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35632 -+ lp->a->reset(ioaddr);
35633 -+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35634 -
35635 - /* switch pcnet32 to 32bit mode */
35636 -- lp->a.write_bcr(ioaddr, 20, 2);
35637 -+ lp->a->write_bcr(ioaddr, 20, 2);
35638 -
35639 - /* purge & init rings but don't actually restart */
35640 - pcnet32_restart(dev, 0x0000);
35641 -
35642 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
35643 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
35644 -
35645 - /* Initialize Transmit buffers. */
35646 - size = data_len + 15;
35647 -@@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
35648 -
35649 - /* set int loopback in CSR15 */
35650 - x = a->read_csr(ioaddr, CSR15) & 0xfffc;
35651 -- lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
35652 -+ lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
35653 -
35654 - teststatus = cpu_to_le16(0x8000);
35655 -- lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
35656 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
35657 -
35658 - /* Check status of descriptors */
35659 - for (x = 0; x < numbuffs; x++) {
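Review bot: in pcnet32_loopback_test the register accesses now mix two spellings of the same pointer: `x = a->read_csr(ioaddr, CSR15) & 0xfffc;` is followed by `lp->a->write_csr(ioaddr, CSR15, x | 0x0044);`. Since the earlier hunk sets the local to `lp->a`, both refer to one object; use the local `a` throughout the function so each call does not re-read `lp->a` and the code reads consistently.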
35660 -@@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
35661 - }
35662 - }
35663 -
35664 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
35665 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
35666 - wmb();
35667 - if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
35668 - printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
35669 -@@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
35670 - pcnet32_restart(dev, CSR0_NORMAL);
35671 - } else {
35672 - pcnet32_purge_rx_ring(dev);
35673 -- lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
35674 -+ lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
35675 - }
35676 - spin_unlock_irqrestore(&lp->lock, flags);
35677 -
35678 -@@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
35679 - static void pcnet32_led_blink_callback(struct net_device *dev)
35680 - {
35681 - struct pcnet32_private *lp = netdev_priv(dev);
35682 -- struct pcnet32_access *a = &lp->a;
35683 -+ struct pcnet32_access *a = lp->a;
35684 - ulong ioaddr = dev->base_addr;
35685 - unsigned long flags;
35686 - int i;
35687 -@@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
35688 - static int pcnet32_phys_id(struct net_device *dev, u32 data)
35689 - {
35690 - struct pcnet32_private *lp = netdev_priv(dev);
35691 -- struct pcnet32_access *a = &lp->a;
35692 -+ struct pcnet32_access *a = lp->a;
35693 - ulong ioaddr = dev->base_addr;
35694 - unsigned long flags;
35695 - int i, regs[4];
35696 -@@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
35697 - {
35698 - int csr5;
35699 - struct pcnet32_private *lp = netdev_priv(dev);
35700 -- struct pcnet32_access *a = &lp->a;
35701 -+ struct pcnet32_access *a = lp->a;
35702 - ulong ioaddr = dev->base_addr;
35703 - int ticks;
35704 -
35705 -@@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
35706 - spin_lock_irqsave(&lp->lock, flags);
35707 - if (pcnet32_tx(dev)) {
35708 - /* reset the chip to clear the error condition, then restart */
35709 -- lp->a.reset(ioaddr);
35710 -- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35711 -+ lp->a->reset(ioaddr);
35712 -+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35713 - pcnet32_restart(dev, CSR0_START);
35714 - netif_wake_queue(dev);
35715 - }
35716 -@@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
35717 - __napi_complete(napi);
35718 -
35719 - /* clear interrupt masks */
35720 -- val = lp->a.read_csr(ioaddr, CSR3);
35721 -+ val = lp->a->read_csr(ioaddr, CSR3);
35722 - val &= 0x00ff;
35723 -- lp->a.write_csr(ioaddr, CSR3, val);
35724 -+ lp->a->write_csr(ioaddr, CSR3, val);
35725 -
35726 - /* Set interrupt enable. */
35727 -- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
35728 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
35729 -
35730 - spin_unlock_irqrestore(&lp->lock, flags);
35731 - }
35732 -@@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
35733 - int i, csr0;
35734 - u16 *buff = ptr;
35735 - struct pcnet32_private *lp = netdev_priv(dev);
35736 -- struct pcnet32_access *a = &lp->a;
35737 -+ struct pcnet32_access *a = lp->a;
35738 - ulong ioaddr = dev->base_addr;
35739 - unsigned long flags;
35740 -
35741 -@@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
35742 - for (j = 0; j < PCNET32_MAX_PHYS; j++) {
35743 - if (lp->phymask & (1 << j)) {
35744 - for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
35745 -- lp->a.write_bcr(ioaddr, 33,
35746 -+ lp->a->write_bcr(ioaddr, 33,
35747 - (j << 5) | i);
35748 -- *buff++ = lp->a.read_bcr(ioaddr, 34);
35749 -+ *buff++ = lp->a->read_bcr(ioaddr, 34);
35750 - }
35751 - }
35752 - }
35753 -@@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35754 - ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
35755 - lp->options |= PCNET32_PORT_FD;
35756 -
35757 -- lp->a = *a;
35758 -+ lp->a = a;
35759 -
35760 - /* prior to register_netdev, dev->name is not yet correct */
35761 - if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
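Review bot: `lp->a = a;` in pcnet32_probe1 now stores the caller's pointer where the old code copied the struct with `lp->a = *a;`, so the object `a` points to has to outlive the probe call for every later `lp->a->read_csr(...)` to be valid. The visible hunks do not show where `a` comes from; confirm it always points at static storage that is not discarded after init, and add a comment on the struct member stating that requirement.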
35762 -@@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35763 - if (lp->mii) {
35764 - /* lp->phycount and lp->phymask are set to 0 by memset above */
35765 -
35766 -- lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
35767 -+ lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
35768 - /* scan for PHYs */
35769 - for (i = 0; i < PCNET32_MAX_PHYS; i++) {
35770 - unsigned short id1, id2;
35771 -@@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35772 - "Found PHY %04x:%04x at address %d.\n",
35773 - id1, id2, i);
35774 - }
35775 -- lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
35776 -+ lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
35777 - if (lp->phycount > 1) {
35778 - lp->options |= PCNET32_PORT_MII;
35779 - }
35780 -@@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
35781 - }
35782 -
35783 - /* Reset the PCNET32 */
35784 -- lp->a.reset(ioaddr);
35785 -+ lp->a->reset(ioaddr);
35786 -
35787 - /* switch pcnet32 to 32bit mode */
35788 -- lp->a.write_bcr(ioaddr, 20, 2);
35789 -+ lp->a->write_bcr(ioaddr, 20, 2);
35790 -
35791 - if (netif_msg_ifup(lp))
35792 - printk(KERN_DEBUG
35793 -@@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
35794 - (u32) (lp->init_dma_addr));
35795 -
35796 - /* set/reset autoselect bit */
35797 -- val = lp->a.read_bcr(ioaddr, 2) & ~2;
35798 -+ val = lp->a->read_bcr(ioaddr, 2) & ~2;
35799 - if (lp->options & PCNET32_PORT_ASEL)
35800 - val |= 2;
35801 -- lp->a.write_bcr(ioaddr, 2, val);
35802 -+ lp->a->write_bcr(ioaddr, 2, val);
35803 -
35804 - /* handle full duplex setting */
35805 - if (lp->mii_if.full_duplex) {
35806 -- val = lp->a.read_bcr(ioaddr, 9) & ~3;
35807 -+ val = lp->a->read_bcr(ioaddr, 9) & ~3;
35808 - if (lp->options & PCNET32_PORT_FD) {
35809 - val |= 1;
35810 - if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
35811 -@@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
35812 - if (lp->chip_version == 0x2627)
35813 - val |= 3;
35814 - }
35815 -- lp->a.write_bcr(ioaddr, 9, val);
35816 -+ lp->a->write_bcr(ioaddr, 9, val);
35817 - }
35818 -
35819 - /* set/reset GPSI bit in test register */
35820 -- val = lp->a.read_csr(ioaddr, 124) & ~0x10;
35821 -+ val = lp->a->read_csr(ioaddr, 124) & ~0x10;
35822 - if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
35823 - val |= 0x10;
35824 -- lp->a.write_csr(ioaddr, 124, val);
35825 -+ lp->a->write_csr(ioaddr, 124, val);
35826 -
35827 - /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
35828 - if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
35829 -@@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
35830 - * duplex, and/or enable auto negotiation, and clear DANAS
35831 - */
35832 - if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
35833 -- lp->a.write_bcr(ioaddr, 32,
35834 -- lp->a.read_bcr(ioaddr, 32) | 0x0080);
35835 -+ lp->a->write_bcr(ioaddr, 32,
35836 -+ lp->a->read_bcr(ioaddr, 32) | 0x0080);
35837 - /* disable Auto Negotiation, set 10Mpbs, HD */
35838 -- val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
35839 -+ val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
35840 - if (lp->options & PCNET32_PORT_FD)
35841 - val |= 0x10;
35842 - if (lp->options & PCNET32_PORT_100)
35843 - val |= 0x08;
35844 -- lp->a.write_bcr(ioaddr, 32, val);
35845 -+ lp->a->write_bcr(ioaddr, 32, val);
35846 - } else {
35847 - if (lp->options & PCNET32_PORT_ASEL) {
35848 -- lp->a.write_bcr(ioaddr, 32,
35849 -- lp->a.read_bcr(ioaddr,
35850 -+ lp->a->write_bcr(ioaddr, 32,
35851 -+ lp->a->read_bcr(ioaddr,
35852 - 32) | 0x0080);
35853 - /* enable auto negotiate, setup, disable fd */
35854 -- val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
35855 -+ val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
35856 - val |= 0x20;
35857 -- lp->a.write_bcr(ioaddr, 32, val);
35858 -+ lp->a->write_bcr(ioaddr, 32, val);
35859 - }
35860 - }
35861 - } else {
35862 -@@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
35863 - * There is really no good other way to handle multiple PHYs
35864 - * other than turning off all automatics
35865 - */
35866 -- val = lp->a.read_bcr(ioaddr, 2);
35867 -- lp->a.write_bcr(ioaddr, 2, val & ~2);
35868 -- val = lp->a.read_bcr(ioaddr, 32);
35869 -- lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
35870 -+ val = lp->a->read_bcr(ioaddr, 2);
35871 -+ lp->a->write_bcr(ioaddr, 2, val & ~2);
35872 -+ val = lp->a->read_bcr(ioaddr, 32);
35873 -+ lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
35874 -
35875 - if (!(lp->options & PCNET32_PORT_ASEL)) {
35876 - /* setup ecmd */
35877 -@@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
35878 - ecmd.speed =
35879 - lp->
35880 - options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
35881 -- bcr9 = lp->a.read_bcr(ioaddr, 9);
35882 -+ bcr9 = lp->a->read_bcr(ioaddr, 9);
35883 -
35884 - if (lp->options & PCNET32_PORT_FD) {
35885 - ecmd.duplex = DUPLEX_FULL;
35886 -@@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
35887 - ecmd.duplex = DUPLEX_HALF;
35888 - bcr9 |= ~(1 << 0);
35889 - }
35890 -- lp->a.write_bcr(ioaddr, 9, bcr9);
35891 -+ lp->a->write_bcr(ioaddr, 9, bcr9);
35892 - }
35893 -
35894 - for (i = 0; i < PCNET32_MAX_PHYS; i++) {
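Review bot: The context line `bcr9 |= ~(1 << 0);` in the DUPLEX_HALF branch, just above the converted write, sets every bit except bit 0 instead of clearing bit 0; pcnet32_check_media later in this same file uses `bcr9 &= ~(1 << 0);` for the half-duplex case. It is not part of the pointer conversion, but the value goes straight into `lp->a->write_bcr(ioaddr, 9, bcr9)`, so it is worth a separate fix or at least a note that it was left as found.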
35895 -@@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
35896 -
35897 - #ifdef DO_DXSUFLO
35898 - if (lp->dxsuflo) { /* Disable transmit stop on underflow */
35899 -- val = lp->a.read_csr(ioaddr, CSR3);
35900 -+ val = lp->a->read_csr(ioaddr, CSR3);
35901 - val |= 0x40;
35902 -- lp->a.write_csr(ioaddr, CSR3, val);
35903 -+ lp->a->write_csr(ioaddr, CSR3, val);
35904 - }
35905 - #endif
35906 -
35907 -@@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
35908 - napi_enable(&lp->napi);
35909 -
35910 - /* Re-initialize the PCNET32, and start it when done. */
35911 -- lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
35912 -- lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
35913 -+ lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
35914 -+ lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
35915 -
35916 -- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35917 -- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
35918 -+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35919 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
35920 -
35921 - netif_start_queue(dev);
35922 -
35923 -@@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
35924 -
35925 - i = 0;
35926 - while (i++ < 100)
35927 -- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
35928 -+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
35929 - break;
35930 - /*
35931 - * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
35932 - * reports that doing so triggers a bug in the '974.
35933 - */
35934 -- lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
35935 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
35936 -
35937 - if (netif_msg_ifup(lp))
35938 - printk(KERN_DEBUG
35939 - "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
35940 - dev->name, i,
35941 - (u32) (lp->init_dma_addr),
35942 -- lp->a.read_csr(ioaddr, CSR0));
35943 -+ lp->a->read_csr(ioaddr, CSR0));
35944 -
35945 - spin_unlock_irqrestore(&lp->lock, flags);
35946 -
35947 -@@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
35948 - * Switch back to 16bit mode to avoid problems with dumb
35949 - * DOS packet driver after a warm reboot
35950 - */
35951 -- lp->a.write_bcr(ioaddr, 20, 4);
35952 -+ lp->a->write_bcr(ioaddr, 20, 4);
35953 -
35954 - err_free_irq:
35955 - spin_unlock_irqrestore(&lp->lock, flags);
35956 -@@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
35957 -
35958 - /* wait for stop */
35959 - for (i = 0; i < 100; i++)
35960 -- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
35961 -+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
35962 - break;
35963 -
35964 - if (i >= 100 && netif_msg_drv(lp))
35965 -@@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
35966 - return;
35967 -
35968 - /* ReInit Ring */
35969 -- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
35970 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
35971 - i = 0;
35972 - while (i++ < 1000)
35973 -- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
35974 -+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
35975 - break;
35976 -
35977 -- lp->a.write_csr(ioaddr, CSR0, csr0_bits);
35978 -+ lp->a->write_csr(ioaddr, CSR0, csr0_bits);
35979 - }
35980 -
35981 - static void pcnet32_tx_timeout(struct net_device *dev)
35982 -@@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
35983 - if (pcnet32_debug & NETIF_MSG_DRV)
35984 - printk(KERN_ERR
35985 - "%s: transmit timed out, status %4.4x, resetting.\n",
35986 -- dev->name, lp->a.read_csr(ioaddr, CSR0));
35987 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
35988 -+ dev->name, lp->a->read_csr(ioaddr, CSR0));
35989 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
35990 - dev->stats.tx_errors++;
35991 - if (netif_msg_tx_err(lp)) {
35992 - int i;
35993 -@@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
35994 - if (netif_msg_tx_queued(lp)) {
35995 - printk(KERN_DEBUG
35996 - "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
35997 -- dev->name, lp->a.read_csr(ioaddr, CSR0));
35998 -+ dev->name, lp->a->read_csr(ioaddr, CSR0));
35999 - }
36000 -
36001 - /* Default status -- will not enable Successful-TxDone
36002 -@@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
36003 - dev->stats.tx_bytes += skb->len;
36004 -
36005 - /* Trigger an immediate send poll. */
36006 -- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36007 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36008 -
36009 - dev->trans_start = jiffies;
36010 -
36011 -@@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
36012 -
36013 - spin_lock(&lp->lock);
36014 -
36015 -- csr0 = lp->a.read_csr(ioaddr, CSR0);
36016 -+ csr0 = lp->a->read_csr(ioaddr, CSR0);
36017 - while ((csr0 & 0x8f00) && --boguscnt >= 0) {
36018 - if (csr0 == 0xffff) {
36019 - break; /* PCMCIA remove happened */
36020 - }
36021 - /* Acknowledge all of the current interrupt sources ASAP. */
36022 -- lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36023 -+ lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36024 -
36025 - if (netif_msg_intr(lp))
36026 - printk(KERN_DEBUG
36027 - "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
36028 -- dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
36029 -+ dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
36030 -
36031 - /* Log misc errors. */
36032 - if (csr0 & 0x4000)
36033 -@@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
36034 - if (napi_schedule_prep(&lp->napi)) {
36035 - u16 val;
36036 - /* set interrupt masks */
36037 -- val = lp->a.read_csr(ioaddr, CSR3);
36038 -+ val = lp->a->read_csr(ioaddr, CSR3);
36039 - val |= 0x5f00;
36040 -- lp->a.write_csr(ioaddr, CSR3, val);
36041 -+ lp->a->write_csr(ioaddr, CSR3, val);
36042 -
36043 - __napi_schedule(&lp->napi);
36044 - break;
36045 - }
36046 -- csr0 = lp->a.read_csr(ioaddr, CSR0);
36047 -+ csr0 = lp->a->read_csr(ioaddr, CSR0);
36048 - }
36049 -
36050 - if (netif_msg_intr(lp))
36051 - printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
36052 -- dev->name, lp->a.read_csr(ioaddr, CSR0));
36053 -+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36054 -
36055 - spin_unlock(&lp->lock);
36056 -
36057 -@@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
36058 -
36059 - spin_lock_irqsave(&lp->lock, flags);
36060 -
36061 -- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36062 -+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36063 -
36064 - if (netif_msg_ifdown(lp))
36065 - printk(KERN_DEBUG
36066 - "%s: Shutting down ethercard, status was %2.2x.\n",
36067 -- dev->name, lp->a.read_csr(ioaddr, CSR0));
36068 -+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36069 -
36070 - /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
36071 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36072 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36073 -
36074 - /*
36075 - * Switch back to 16bit mode to avoid problems with dumb
36076 - * DOS packet driver after a warm reboot
36077 - */
36078 -- lp->a.write_bcr(ioaddr, 20, 4);
36079 -+ lp->a->write_bcr(ioaddr, 20, 4);
36080 -
36081 - spin_unlock_irqrestore(&lp->lock, flags);
36082 -
36083 -@@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
36084 - unsigned long flags;
36085 -
36086 - spin_lock_irqsave(&lp->lock, flags);
36087 -- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36088 -+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36089 - spin_unlock_irqrestore(&lp->lock, flags);
36090 -
36091 - return &dev->stats;
36092 -@@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
36093 - if (dev->flags & IFF_ALLMULTI) {
36094 - ib->filter[0] = cpu_to_le32(~0U);
36095 - ib->filter[1] = cpu_to_le32(~0U);
36096 -- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
36097 -- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
36098 -- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
36099 -- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
36100 -+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
36101 -+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
36102 -+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
36103 -+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
36104 - return;
36105 - }
36106 - /* clear the multicast filter */
36107 -@@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
36108 - mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
36109 - }
36110 - for (i = 0; i < 4; i++)
36111 -- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
36112 -+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
36113 - le16_to_cpu(mcast_table[i]));
36114 - return;
36115 - }
36116 -@@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
36117 -
36118 - spin_lock_irqsave(&lp->lock, flags);
36119 - suspended = pcnet32_suspend(dev, &flags, 0);
36120 -- csr15 = lp->a.read_csr(ioaddr, CSR15);
36121 -+ csr15 = lp->a->read_csr(ioaddr, CSR15);
36122 - if (dev->flags & IFF_PROMISC) {
36123 - /* Log any net taps. */
36124 - if (netif_msg_hw(lp))
36125 -@@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
36126 - lp->init_block->mode =
36127 - cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
36128 - 7);
36129 -- lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
36130 -+ lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
36131 - } else {
36132 - lp->init_block->mode =
36133 - cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
36134 -- lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
36135 -+ lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
36136 - pcnet32_load_multicast(dev);
36137 - }
36138 -
36139 - if (suspended) {
36140 - int csr5;
36141 - /* clear SUSPEND (SPND) - CSR5 bit 0 */
36142 -- csr5 = lp->a.read_csr(ioaddr, CSR5);
36143 -- lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
36144 -+ csr5 = lp->a->read_csr(ioaddr, CSR5);
36145 -+ lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
36146 - } else {
36147 -- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36148 -+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36149 - pcnet32_restart(dev, CSR0_NORMAL);
36150 - netif_wake_queue(dev);
36151 - }
36152 -@@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
36153 - if (!lp->mii)
36154 - return 0;
36155 -
36156 -- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
36157 -- val_out = lp->a.read_bcr(ioaddr, 34);
36158 -+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
36159 -+ val_out = lp->a->read_bcr(ioaddr, 34);
36160 -
36161 - return val_out;
36162 - }
36163 -@@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
36164 - if (!lp->mii)
36165 - return;
36166 -
36167 -- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
36168 -- lp->a.write_bcr(ioaddr, 34, val);
36169 -+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
36170 -+ lp->a->write_bcr(ioaddr, 34, val);
36171 - }
36172 -
36173 - static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
36174 -@@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
36175 - curr_link = mii_link_ok(&lp->mii_if);
36176 - } else {
36177 - ulong ioaddr = dev->base_addr; /* card base I/O address */
36178 -- curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
36179 -+ curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
36180 - }
36181 - if (!curr_link) {
36182 - if (prev_link || verbose) {
36183 -@@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
36184 - (ecmd.duplex ==
36185 - DUPLEX_FULL) ? "full" : "half");
36186 - }
36187 -- bcr9 = lp->a.read_bcr(dev->base_addr, 9);
36188 -+ bcr9 = lp->a->read_bcr(dev->base_addr, 9);
36189 - if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
36190 - if (lp->mii_if.full_duplex)
36191 - bcr9 |= (1 << 0);
36192 - else
36193 - bcr9 &= ~(1 << 0);
36194 -- lp->a.write_bcr(dev->base_addr, 9, bcr9);
36195 -+ lp->a->write_bcr(dev->base_addr, 9, bcr9);
36196 - }
36197 - } else {
36198 - if (netif_msg_link(lp))
36199 -diff -urNp linux-2.6.32.46/drivers/net/tg3.h linux-2.6.32.46/drivers/net/tg3.h
36200 ---- linux-2.6.32.46/drivers/net/tg3.h 2011-03-27 14:31:47.000000000 -0400
36201 -+++ linux-2.6.32.46/drivers/net/tg3.h 2011-04-17 15:56:46.000000000 -0400
36202 -@@ -95,6 +95,7 @@
36203 - #define CHIPREV_ID_5750_A0 0x4000
36204 - #define CHIPREV_ID_5750_A1 0x4001
36205 - #define CHIPREV_ID_5750_A3 0x4003
36206 -+#define CHIPREV_ID_5750_C1 0x4201
36207 - #define CHIPREV_ID_5750_C2 0x4202
36208 - #define CHIPREV_ID_5752_A0_HW 0x5000
36209 - #define CHIPREV_ID_5752_A0 0x6000
36210 -diff -urNp linux-2.6.32.46/drivers/net/tokenring/abyss.c linux-2.6.32.46/drivers/net/tokenring/abyss.c
36211 ---- linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-03-27 14:31:47.000000000 -0400
36212 -+++ linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-08-05 20:33:55.000000000 -0400
36213 -@@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
36214 -
36215 - static int __init abyss_init (void)
36216 - {
36217 -- abyss_netdev_ops = tms380tr_netdev_ops;
36218 -+ pax_open_kernel();
36219 -+ memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
36220 -
36221 -- abyss_netdev_ops.ndo_open = abyss_open;
36222 -- abyss_netdev_ops.ndo_stop = abyss_close;
36223 -+ *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
36224 -+ *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
36225 -+ pax_close_kernel();
36226 -
36227 - return pci_register_driver(&abyss_driver);
36228 - }
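Review bot: In abyss_init, the `(void *)` cast on `&abyss_netdev_ops` and the `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` stores discard the prototype check that the removed plain member assignments gave for abyss_open and abyss_close. Size the memcpy by the destination, `sizeof(abyss_netdev_ops)`, rather than the source, and add a one-line comment saying why the writes must sit between pax_open_kernel() and pax_close_kernel(). The same points apply to the madgemc, proteon and skisa init functions that follow.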
36229 -diff -urNp linux-2.6.32.46/drivers/net/tokenring/madgemc.c linux-2.6.32.46/drivers/net/tokenring/madgemc.c
36230 ---- linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-03-27 14:31:47.000000000 -0400
36231 -+++ linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-08-05 20:33:55.000000000 -0400
36232 -@@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
36233 -
36234 - static int __init madgemc_init (void)
36235 - {
36236 -- madgemc_netdev_ops = tms380tr_netdev_ops;
36237 -- madgemc_netdev_ops.ndo_open = madgemc_open;
36238 -- madgemc_netdev_ops.ndo_stop = madgemc_close;
36239 -+ pax_open_kernel();
36240 -+ memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
36241 -+ *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
36242 -+ *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
36243 -+ pax_close_kernel();
36244 -
36245 - return mca_register_driver (&madgemc_driver);
36246 - }
36247 -diff -urNp linux-2.6.32.46/drivers/net/tokenring/proteon.c linux-2.6.32.46/drivers/net/tokenring/proteon.c
36248 ---- linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-03-27 14:31:47.000000000 -0400
36249 -+++ linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-08-05 20:33:55.000000000 -0400
36250 -@@ -353,9 +353,11 @@ static int __init proteon_init(void)
36251 - struct platform_device *pdev;
36252 - int i, num = 0, err = 0;
36253 -
36254 -- proteon_netdev_ops = tms380tr_netdev_ops;
36255 -- proteon_netdev_ops.ndo_open = proteon_open;
36256 -- proteon_netdev_ops.ndo_stop = tms380tr_close;
36257 -+ pax_open_kernel();
36258 -+ memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
36259 -+ *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
36260 -+ *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
36261 -+ pax_close_kernel();
36262 -
36263 - err = platform_driver_register(&proteon_driver);
36264 - if (err)
36265 -diff -urNp linux-2.6.32.46/drivers/net/tokenring/skisa.c linux-2.6.32.46/drivers/net/tokenring/skisa.c
36266 ---- linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-03-27 14:31:47.000000000 -0400
36267 -+++ linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-08-05 20:33:55.000000000 -0400
36268 -@@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
36269 - struct platform_device *pdev;
36270 - int i, num = 0, err = 0;
36271 -
36272 -- sk_isa_netdev_ops = tms380tr_netdev_ops;
36273 -- sk_isa_netdev_ops.ndo_open = sk_isa_open;
36274 -- sk_isa_netdev_ops.ndo_stop = tms380tr_close;
36275 -+ pax_open_kernel();
36276 -+ memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
36277 -+ *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
36278 -+ *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
36279 -+ pax_close_kernel();
36280 -
36281 - err = platform_driver_register(&sk_isa_driver);
36282 - if (err)
36283 -diff -urNp linux-2.6.32.46/drivers/net/tulip/de2104x.c linux-2.6.32.46/drivers/net/tulip/de2104x.c
36284 ---- linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-03-27 14:31:47.000000000 -0400
36285 -+++ linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-05-16 21:46:57.000000000 -0400
36286 -@@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
36287 - struct de_srom_info_leaf *il;
36288 - void *bufp;
36289 -
36290 -+ pax_track_stack();
36291 -+
36292 - /* download entire eeprom */
36293 - for (i = 0; i < DE_EEPROM_WORDS; i++)
36294 - ((__le16 *)ee_data)[i] =
36295 -diff -urNp linux-2.6.32.46/drivers/net/tulip/de4x5.c linux-2.6.32.46/drivers/net/tulip/de4x5.c
36296 ---- linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-03-27 14:31:47.000000000 -0400
36297 -+++ linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-04-17 15:56:46.000000000 -0400
36298 -@@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
36299 - for (i=0; i<ETH_ALEN; i++) {
36300 - tmp.addr[i] = dev->dev_addr[i];
36301 - }
36302 -- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
36303 -+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
36304 - break;
36305 -
36306 - case DE4X5_SET_HWADDR: /* Set the hardware address */
36307 -@@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
36308 - spin_lock_irqsave(&lp->lock, flags);
36309 - memcpy(&statbuf, &lp->pktStats, ioc->len);
36310 - spin_unlock_irqrestore(&lp->lock, flags);
36311 -- if (copy_to_user(ioc->data, &statbuf, ioc->len))
36312 -+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
36313 - return -EFAULT;
36314 - break;
36315 - }
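Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len);`, so an oversized length has already been copied into statbuf under the spinlock by the time it is rejected. Move the bound check ahead of the spin_lock_irqsave()/memcpy pair so that it covers both the memcpy and the copy_to_user.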
36316 -diff -urNp linux-2.6.32.46/drivers/net/usb/hso.c linux-2.6.32.46/drivers/net/usb/hso.c
36317 ---- linux-2.6.32.46/drivers/net/usb/hso.c 2011-03-27 14:31:47.000000000 -0400
36318 -+++ linux-2.6.32.46/drivers/net/usb/hso.c 2011-04-17 15:56:46.000000000 -0400
36319 -@@ -71,7 +71,7 @@
36320 - #include <asm/byteorder.h>
36321 - #include <linux/serial_core.h>
36322 - #include <linux/serial.h>
36323 --
36324 -+#include <asm/local.h>
36325 -
36326 - #define DRIVER_VERSION "1.2"
36327 - #define MOD_AUTHOR "Option Wireless"
36328 -@@ -258,7 +258,7 @@ struct hso_serial {
36329 -
36330 - /* from usb_serial_port */
36331 - struct tty_struct *tty;
36332 -- int open_count;
36333 -+ local_t open_count;
36334 - spinlock_t serial_lock;
36335 -
36336 - int (*write_data) (struct hso_serial *serial);
36337 -@@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
36338 - struct urb *urb;
36339 -
36340 - urb = serial->rx_urb[0];
36341 -- if (serial->open_count > 0) {
36342 -+ if (local_read(&serial->open_count) > 0) {
36343 - count = put_rxbuf_data(urb, serial);
36344 - if (count == -1)
36345 - return;
36346 -@@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
36347 - DUMP1(urb->transfer_buffer, urb->actual_length);
36348 -
36349 - /* Anyone listening? */
36350 -- if (serial->open_count == 0)
36351 -+ if (local_read(&serial->open_count) == 0)
36352 - return;
36353 -
36354 - if (status == 0) {
36355 -@@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
36356 - spin_unlock_irq(&serial->serial_lock);
36357 -
36358 - /* check for port already opened, if not set the termios */
36359 -- serial->open_count++;
36360 -- if (serial->open_count == 1) {
36361 -+ if (local_inc_return(&serial->open_count) == 1) {
36362 - tty->low_latency = 1;
36363 - serial->rx_state = RX_IDLE;
36364 - /* Force default termio settings */
36365 -@@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
36366 - result = hso_start_serial_device(serial->parent, GFP_KERNEL);
36367 - if (result) {
36368 - hso_stop_serial_device(serial->parent);
36369 -- serial->open_count--;
36370 -+ local_dec(&serial->open_count);
36371 - kref_put(&serial->parent->ref, hso_serial_ref_free);
36372 - }
36373 - } else {
36374 -@@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
36375 -
36376 - /* reset the rts and dtr */
36377 - /* do the actual close */
36378 -- serial->open_count--;
36379 -+ local_dec(&serial->open_count);
36380 -
36381 -- if (serial->open_count <= 0) {
36382 -- serial->open_count = 0;
36383 -+ if (local_read(&serial->open_count) <= 0) {
36384 -+ local_set(&serial->open_count, 0);
36385 - spin_lock_irq(&serial->serial_lock);
36386 - if (serial->tty == tty) {
36387 - serial->tty->driver_data = NULL;
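Review bot: In hso_serial_close, `local_dec()`, `local_read()` and `local_set(..., 0)` are three separate operations done before serial_lock is taken, and local_t is only atomic with respect to the CPU it runs on. If open and close can run on different CPUs the count can still go wrong between those steps; either use atomic_t with a single decrement-and-return, or move the update under serial_lock.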
36388 -@@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
36389 -
36390 - /* the actual setup */
36391 - spin_lock_irqsave(&serial->serial_lock, flags);
36392 -- if (serial->open_count)
36393 -+ if (local_read(&serial->open_count))
36394 - _hso_serial_set_termios(tty, old);
36395 - else
36396 - tty->termios = old;
36397 -@@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
36398 - /* Start all serial ports */
36399 - for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
36400 - if (serial_table[i] && (serial_table[i]->interface == iface)) {
36401 -- if (dev2ser(serial_table[i])->open_count) {
36402 -+ if (local_read(&dev2ser(serial_table[i])->open_count)) {
36403 - result =
36404 - hso_start_serial_device(serial_table[i], GFP_NOIO);
36405 - hso_kick_transmit(dev2ser(serial_table[i]));
36406 -diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-config.h linux-2.6.32.46/drivers/net/vxge/vxge-config.h
36407 ---- linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-03-27 14:31:47.000000000 -0400
36408 -+++ linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-08-05 20:33:55.000000000 -0400
36409 -@@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
36410 - void (*link_down)(struct __vxge_hw_device *devh);
36411 - void (*crit_err)(struct __vxge_hw_device *devh,
36412 - enum vxge_hw_event type, u64 ext_data);
36413 --};
36414 -+} __no_const;
36415 -
36416 - /*
36417 - * struct __vxge_hw_blockpool_entry - Block private data structure
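Review bot: `__no_const` on struct vxge_hw_uld_cbs carries no comment saying which code writes these callbacks at run time. Because the annotation exempts a table of function pointers from being made read-only, name the writer next to it, or drop the annotation and make the instances const if nothing does.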
36418 -diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-main.c linux-2.6.32.46/drivers/net/vxge/vxge-main.c
36419 ---- linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-03-27 14:31:47.000000000 -0400
36420 -+++ linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-05-16 21:46:57.000000000 -0400
36421 -@@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
36422 - struct sk_buff *completed[NR_SKB_COMPLETED];
36423 - int more;
36424 -
36425 -+ pax_track_stack();
36426 -+
36427 - do {
36428 - more = 0;
36429 - skb_ptr = completed;
36430 -@@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
36431 - u8 mtable[256] = {0}; /* CPU to vpath mapping */
36432 - int index;
36433 -
36434 -+ pax_track_stack();
36435 -+
36436 - /*
36437 - * Filling
36438 - * - itable with bucket numbers
36439 -diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h
36440 ---- linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-03-27 14:31:47.000000000 -0400
36441 -+++ linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-08-05 20:33:55.000000000 -0400
36442 -@@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
36443 - struct vxge_hw_mempool_dma *dma_object,
36444 - u32 index,
36445 - u32 is_last);
36446 --};
36447 -+} __no_const;
36448 -
36449 - void
36450 - __vxge_hw_mempool_destroy(
36451 -diff -urNp linux-2.6.32.46/drivers/net/wan/cycx_x25.c linux-2.6.32.46/drivers/net/wan/cycx_x25.c
36452 ---- linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-03-27 14:31:47.000000000 -0400
36453 -+++ linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-05-16 21:46:57.000000000 -0400
36454 -@@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
36455 - unsigned char hex[1024],
36456 - * phex = hex;
36457 -
36458 -+ pax_track_stack();
36459 -+
36460 - if (len >= (sizeof(hex) / 2))
36461 - len = (sizeof(hex) / 2) - 1;
36462 -
36463 -diff -urNp linux-2.6.32.46/drivers/net/wan/hdlc_x25.c linux-2.6.32.46/drivers/net/wan/hdlc_x25.c
36464 ---- linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-03-27 14:31:47.000000000 -0400
36465 -+++ linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-08-05 20:33:55.000000000 -0400
36466 -@@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
36467 -
36468 - static int x25_open(struct net_device *dev)
36469 - {
36470 -- struct lapb_register_struct cb;
36471 -+ static struct lapb_register_struct cb = {
36472 -+ .connect_confirmation = x25_connected,
36473 -+ .connect_indication = x25_connected,
36474 -+ .disconnect_confirmation = x25_disconnected,
36475 -+ .disconnect_indication = x25_disconnected,
36476 -+ .data_indication = x25_data_indication,
36477 -+ .data_transmit = x25_data_transmit
36478 -+ };
36479 - int result;
36480 -
36481 -- cb.connect_confirmation = x25_connected;
36482 -- cb.connect_indication = x25_connected;
36483 -- cb.disconnect_confirmation = x25_disconnected;
36484 -- cb.disconnect_indication = x25_disconnected;
36485 -- cb.data_indication = x25_data_indication;
36486 -- cb.data_transmit = x25_data_transmit;
36487 --
36488 - result = lapb_register(dev, &cb);
36489 - if (result != LAPB_OK)
36490 - return result;
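Review bot: `cb` in x25_open is now one static table shared by every device, and in the visible lines it is only passed to lapb_register() and never written. Declare it `static const` if lapb_register()'s prototype accepts a const pointer, so the six callbacks cannot be changed after initialisation; if it cannot, say in a comment why the table has to stay writable.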
36491 -diff -urNp linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c
36492 ---- linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-03-27 14:31:47.000000000 -0400
36493 -+++ linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:46:57.000000000 -0400
36494 -@@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
36495 - int do_autopm = 1;
36496 - DECLARE_COMPLETION_ONSTACK(notif_completion);
36497 -
36498 -+ pax_track_stack();
36499 -+
36500 - d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
36501 - i2400m, ack, ack_size);
36502 - BUG_ON(_ack == i2400m->bm_ack_buf);
36503 -diff -urNp linux-2.6.32.46/drivers/net/wireless/airo.c linux-2.6.32.46/drivers/net/wireless/airo.c
36504 ---- linux-2.6.32.46/drivers/net/wireless/airo.c 2011-03-27 14:31:47.000000000 -0400
36505 -+++ linux-2.6.32.46/drivers/net/wireless/airo.c 2011-05-16 21:46:57.000000000 -0400
36506 -@@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
36507 - BSSListElement * loop_net;
36508 - BSSListElement * tmp_net;
36509 -
36510 -+ pax_track_stack();
36511 -+
36512 - /* Blow away current list of scan results */
36513 - list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
36514 - list_move_tail (&loop_net->list, &ai->network_free_list);
36515 -@@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
36516 - WepKeyRid wkr;
36517 - int rc;
36518 -
36519 -+ pax_track_stack();
36520 -+
36521 - memset( &mySsid, 0, sizeof( mySsid ) );
36522 - kfree (ai->flash);
36523 - ai->flash = NULL;
36524 -@@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
36525 - __le32 *vals = stats.vals;
36526 - int len;
36527 -
36528 -+ pax_track_stack();
36529 -+
36530 - if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36531 - return -ENOMEM;
36532 - data = (struct proc_data *)file->private_data;
36533 -@@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
36534 - /* If doLoseSync is not 1, we won't do a Lose Sync */
36535 - int doLoseSync = -1;
36536 -
36537 -+ pax_track_stack();
36538 -+
36539 - if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36540 - return -ENOMEM;
36541 - data = (struct proc_data *)file->private_data;
36542 -@@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
36543 - int i;
36544 - int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
36545 -
36546 -+ pax_track_stack();
36547 -+
36548 - qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
36549 - if (!qual)
36550 - return -ENOMEM;
36551 -@@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
36552 - CapabilityRid cap_rid;
36553 - __le32 *vals = stats_rid.vals;
36554 -
36555 -+ pax_track_stack();
36556 -+
36557 - /* Get stats out of the card */
36558 - clear_bit(JOB_WSTATS, &local->jobs);
36559 - if (local->power.event) {
36560 -diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c
36561 ---- linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-03-27 14:31:47.000000000 -0400
36562 -+++ linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:46:57.000000000 -0400
36563 -@@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
36564 - unsigned int v;
36565 - u64 tsf;
36566 -
36567 -+ pax_track_stack();
36568 -+
36569 - v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
36570 - len += snprintf(buf+len, sizeof(buf)-len,
36571 - "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
36572 -@@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
36573 - unsigned int len = 0;
36574 - unsigned int i;
36575 -
36576 -+ pax_track_stack();
36577 -+
36578 - len += snprintf(buf+len, sizeof(buf)-len,
36579 - "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
36580 -
36581 -diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c
36582 ---- linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-03-27 14:31:47.000000000 -0400
36583 -+++ linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:46:57.000000000 -0400
36584 -@@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
36585 - char buf[512];
36586 - unsigned int len = 0;
36587 -
36588 -+ pax_track_stack();
36589 -+
36590 - len += snprintf(buf + len, sizeof(buf) - len,
36591 - "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
36592 - len += snprintf(buf + len, sizeof(buf) - len,
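Review bot: the pax_track_stack() call added to read_file_interrupt carries no comment saying why this function is instrumented; the only reason visible in the hunk is the `char buf[512];` local. Add a one-line comment tying the call to the large on-stack buffer, or move the buffer to a heap allocation so the call is not needed.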
36593 -@@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
36594 - int i;
36595 - u8 addr[ETH_ALEN];
36596 -
36597 -+ pax_track_stack();
36598 -+
36599 - len += snprintf(buf + len, sizeof(buf) - len,
36600 - "primary: %s (%s chan=%d ht=%d)\n",
36601 - wiphy_name(sc->pri_wiphy->hw->wiphy),
36602 -diff -urNp linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c
36603 ---- linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36604 -+++ linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:56:46.000000000 -0400
36605 -@@ -43,7 +43,7 @@ static struct dentry *rootdir;
36606 - struct b43_debugfs_fops {
36607 - ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
36608 - int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
36609 -- struct file_operations fops;
36610 -+ const struct file_operations fops;
36611 - /* Offset of struct b43_dfs_file in struct b43_dfsentry */
36612 - size_t file_struct_offset;
36613 - };
36614 -diff -urNp linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c
36615 ---- linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36616 -+++ linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:56:46.000000000 -0400
36617 -@@ -44,7 +44,7 @@ static struct dentry *rootdir;
36618 - struct b43legacy_debugfs_fops {
36619 - ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
36620 - int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
36621 -- struct file_operations fops;
36622 -+ const struct file_operations fops;
36623 - /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
36624 - size_t file_struct_offset;
36625 - /* Take wl->irq_lock before calling read/write? */
36626 -diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c
36627 ---- linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-27 14:31:47.000000000 -0400
36628 -+++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:46:57.000000000 -0400
36629 -@@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
36630 - int err;
36631 - DECLARE_SSID_BUF(ssid);
36632 -
36633 -+ pax_track_stack();
36634 -+
36635 - IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
36636 -
36637 - if (ssid_len)
36638 -@@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
36639 - struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
36640 - int err;
36641 -
36642 -+ pax_track_stack();
36643 -+
36644 - IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
36645 - idx, keylen, len);
36646 -
36647 -diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c
36648 ---- linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-27 14:31:47.000000000 -0400
36649 -+++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:46:57.000000000 -0400
36650 -@@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
36651 - unsigned long flags;
36652 - DECLARE_SSID_BUF(ssid);
36653 -
36654 -+ pax_track_stack();
36655 -+
36656 - LIBIPW_DEBUG_SCAN("'%s' (%pM"
36657 - "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
36658 - print_ssid(ssid, info_element->data, info_element->len),
36659 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c
36660 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-03-27 14:31:47.000000000 -0400
36661 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-04-17 15:56:46.000000000 -0400
36662 -@@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
36663 - },
36664 - };
36665 -
36666 --static struct iwl_ops iwl1000_ops = {
36667 -+static const struct iwl_ops iwl1000_ops = {
36668 - .ucode = &iwl5000_ucode,
36669 - .lib = &iwl1000_lib,
36670 - .hcmd = &iwl5000_hcmd,
36671 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c
36672 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-03-27 14:31:47.000000000 -0400
36673 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-04-17 15:56:46.000000000 -0400
36674 -@@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
36675 - .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
36676 - };
36677 -
36678 --static struct iwl_ops iwl3945_ops = {
36679 -+static const struct iwl_ops iwl3945_ops = {
36680 - .ucode = &iwl3945_ucode,
36681 - .lib = &iwl3945_lib,
36682 - .hcmd = &iwl3945_hcmd,
36683 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c
36684 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-03-27 14:31:47.000000000 -0400
36685 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-04-17 15:56:46.000000000 -0400
36686 -@@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
36687 - },
36688 - };
36689 -
36690 --static struct iwl_ops iwl4965_ops = {
36691 -+static const struct iwl_ops iwl4965_ops = {
36692 - .ucode = &iwl4965_ucode,
36693 - .lib = &iwl4965_lib,
36694 - .hcmd = &iwl4965_hcmd,
36695 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c
36696 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:55:34.000000000 -0400
36697 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:56:37.000000000 -0400
36698 -@@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
36699 - },
36700 - };
36701 -
36702 --struct iwl_ops iwl5000_ops = {
36703 -+const struct iwl_ops iwl5000_ops = {
36704 - .ucode = &iwl5000_ucode,
36705 - .lib = &iwl5000_lib,
36706 - .hcmd = &iwl5000_hcmd,
36707 - .utils = &iwl5000_hcmd_utils,
36708 - };
36709 -
36710 --static struct iwl_ops iwl5150_ops = {
36711 -+static const struct iwl_ops iwl5150_ops = {
36712 - .ucode = &iwl5000_ucode,
36713 - .lib = &iwl5150_lib,
36714 - .hcmd = &iwl5000_hcmd,
36715 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c
36716 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-03-27 14:31:47.000000000 -0400
36717 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-04-17 15:56:46.000000000 -0400
36718 -@@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
36719 - .calc_rssi = iwl5000_calc_rssi,
36720 - };
36721 -
36722 --static struct iwl_ops iwl6000_ops = {
36723 -+static const struct iwl_ops iwl6000_ops = {
36724 - .ucode = &iwl5000_ucode,
36725 - .lib = &iwl6000_lib,
36726 - .hcmd = &iwl5000_hcmd,
36727 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36728 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-27 14:31:47.000000000 -0400
36729 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:46:57.000000000 -0400
36730 -@@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
36731 - u8 active_index = 0;
36732 - s32 tpt = 0;
36733 -
36734 -+ pax_track_stack();
36735 -+
36736 - IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36737 -
36738 - if (!ieee80211_is_data(hdr->frame_control) ||
36739 -@@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
36740 - u8 valid_tx_ant = 0;
36741 - struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36742 -
36743 -+ pax_track_stack();
36744 -+
36745 - /* Override starting rate (index 0) if needed for debug purposes */
36746 - rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36747 -
36748 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c
36749 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-03-27 14:31:47.000000000 -0400
36750 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-08-05 20:33:55.000000000 -0400
36751 -@@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
36752 - if (iwl_debug_level & IWL_DL_INFO)
36753 - dev_printk(KERN_DEBUG, &(pdev->dev),
36754 - "Disabling hw_scan\n");
36755 -- iwl_hw_ops.hw_scan = NULL;
36756 -+ pax_open_kernel();
36757 -+ *(void **)&iwl_hw_ops.hw_scan = NULL;
36758 -+ pax_close_kernel();
36759 - }
36760 -
36761 - hw = iwl_alloc_all(cfg, &iwl_hw_ops);
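Review bot: the store `*(void **)&iwl_hw_ops.hw_scan = NULL;` in iwl_pci_probe goes through a `void **` cast that discards the member's function-pointer type, and nothing explains why the plain assignment it replaces no longer works. Add a comment stating that iwl_hw_ops is expected to be read-only at this point and that the pax_open_kernel()/pax_close_kernel() pair exists only for this one store. Because this sits in a probe routine, it would be cleaner to settle hw_scan once at module init so the ops table is not written per device.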
36762 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h
36763 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-27 14:31:47.000000000 -0400
36764 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:56:46.000000000 -0400
36765 -@@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
36766 - #endif
36767 -
36768 - #else
36769 --#define IWL_DEBUG(__priv, level, fmt, args...)
36770 --#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36771 -+#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36772 -+#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36773 - static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36774 - void *p, u32 len)
36775 - {}
36776 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36777 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-27 14:31:47.000000000 -0400
36778 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:46:57.000000000 -0400
36779 -@@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
36780 - int pos = 0;
36781 - const size_t bufsz = sizeof(buf);
36782 -
36783 -+ pax_track_stack();
36784 -+
36785 - pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36786 - test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36787 - pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
36788 -@@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36789 - const size_t bufsz = sizeof(buf);
36790 - ssize_t ret;
36791 -
36792 -+ pax_track_stack();
36793 -+
36794 - for (i = 0; i < AC_NUM; i++) {
36795 - pos += scnprintf(buf + pos, bufsz - pos,
36796 - "\tcw_min\tcw_max\taifsn\ttxop\n");
36797 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h
36798 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-03-27 14:31:47.000000000 -0400
36799 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-04-17 15:56:46.000000000 -0400
36800 -@@ -68,7 +68,7 @@ struct iwl_tx_queue;
36801 -
36802 - /* shared structures from iwl-5000.c */
36803 - extern struct iwl_mod_params iwl50_mod_params;
36804 --extern struct iwl_ops iwl5000_ops;
36805 -+extern const struct iwl_ops iwl5000_ops;
36806 - extern struct iwl_ucode_ops iwl5000_ucode;
36807 - extern struct iwl_lib_ops iwl5000_lib;
36808 - extern struct iwl_hcmd_ops iwl5000_hcmd;
36809 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c
36810 ---- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-03-27 14:31:47.000000000 -0400
36811 -+++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-08-05 20:33:55.000000000 -0400
36812 -@@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
36813 - */
36814 - if (iwl3945_mod_params.disable_hw_scan) {
36815 - IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
36816 -- iwl3945_hw_ops.hw_scan = NULL;
36817 -+ pax_open_kernel();
36818 -+ *(void **)&iwl3945_hw_ops.hw_scan = NULL;
36819 -+ pax_close_kernel();
36820 - }
36821 -
36822 -
36823 -diff -urNp linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c
36824 ---- linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36825 -+++ linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:46:57.000000000 -0400
36826 -@@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36827 - int buf_len = 512;
36828 - size_t len = 0;
36829 -
36830 -+ pax_track_stack();
36831 -+
36832 - if (*ppos != 0)
36833 - return 0;
36834 - if (count < sizeof(buf))
36835 -diff -urNp linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c
36836 ---- linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36837 -+++ linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:56:46.000000000 -0400
36838 -@@ -708,7 +708,7 @@ out_unlock:
36839 - struct lbs_debugfs_files {
36840 - const char *name;
36841 - int perm;
36842 -- struct file_operations fops;
36843 -+ const struct file_operations fops;
36844 - };
36845 -
36846 - static const struct lbs_debugfs_files debugfs_files[] = {
36847 -diff -urNp linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c
36848 ---- linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-03-27 14:31:47.000000000 -0400
36849 -+++ linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:56:46.000000000 -0400
36850 -@@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
36851 -
36852 - devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
36853 -
36854 -- if (rts_threshold < 0 || rts_threshold > 2347)
36855 -+ if (rts_threshold > 2347)
36856 - rts_threshold = 2347;
36857 -
36858 - tmp = cpu_to_le32(rts_threshold);
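Review bot: dropping `rts_threshold < 0` from the range check in set_rts_threshold is only correct if rts_threshold is an unsigned type, and the hunk does not show its declaration. If it is signed, a negative value now reaches cpu_to_le32() unclamped. Confirm the parameter type in the changelog, or keep the lower-bound test.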
36859 -diff -urNp linux-2.6.32.46/drivers/oprofile/buffer_sync.c linux-2.6.32.46/drivers/oprofile/buffer_sync.c
36860 ---- linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-03-27 14:31:47.000000000 -0400
36861 -+++ linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-04-17 15:56:46.000000000 -0400
36862 -@@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
36863 - if (cookie == NO_COOKIE)
36864 - offset = pc;
36865 - if (cookie == INVALID_COOKIE) {
36866 -- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36867 -+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36868 - offset = pc;
36869 - }
36870 - if (cookie != last_cookie) {
36871 -@@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
36872 - /* add userspace sample */
36873 -
36874 - if (!mm) {
36875 -- atomic_inc(&oprofile_stats.sample_lost_no_mm);
36876 -+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36877 - return 0;
36878 - }
36879 -
36880 - cookie = lookup_dcookie(mm, s->eip, &offset);
36881 -
36882 - if (cookie == INVALID_COOKIE) {
36883 -- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36884 -+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36885 - return 0;
36886 - }
36887 -
36888 -@@ -561,7 +561,7 @@ void sync_buffer(int cpu)
36889 - /* ignore backtraces if failed to add a sample */
36890 - if (state == sb_bt_start) {
36891 - state = sb_bt_ignore;
36892 -- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36893 -+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36894 - }
36895 - }
36896 - release_mm(mm);
36897 -diff -urNp linux-2.6.32.46/drivers/oprofile/event_buffer.c linux-2.6.32.46/drivers/oprofile/event_buffer.c
36898 ---- linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-03-27 14:31:47.000000000 -0400
36899 -+++ linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-04-17 15:56:46.000000000 -0400
36900 -@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36901 - }
36902 -
36903 - if (buffer_pos == buffer_size) {
36904 -- atomic_inc(&oprofile_stats.event_lost_overflow);
36905 -+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36906 - return;
36907 - }
36908 -
36909 -diff -urNp linux-2.6.32.46/drivers/oprofile/oprof.c linux-2.6.32.46/drivers/oprofile/oprof.c
36910 ---- linux-2.6.32.46/drivers/oprofile/oprof.c 2011-03-27 14:31:47.000000000 -0400
36911 -+++ linux-2.6.32.46/drivers/oprofile/oprof.c 2011-04-17 15:56:46.000000000 -0400
36912 -@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36913 - if (oprofile_ops.switch_events())
36914 - return;
36915 -
36916 -- atomic_inc(&oprofile_stats.multiplex_counter);
36917 -+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36918 - start_switch_worker();
36919 - }
36920 -
36921 -diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.c linux-2.6.32.46/drivers/oprofile/oprofile_stats.c
36922 ---- linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-03-27 14:31:47.000000000 -0400
36923 -+++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-04-17 15:56:46.000000000 -0400
36924 -@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36925 - cpu_buf->sample_invalid_eip = 0;
36926 - }
36927 -
36928 -- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36929 -- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36930 -- atomic_set(&oprofile_stats.event_lost_overflow, 0);
36931 -- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36932 -- atomic_set(&oprofile_stats.multiplex_counter, 0);
36933 -+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36934 -+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36935 -+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36936 -+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36937 -+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36938 - }
36939 -
36940 -
36941 -diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.h linux-2.6.32.46/drivers/oprofile/oprofile_stats.h
36942 ---- linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-03-27 14:31:47.000000000 -0400
36943 -+++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-04-17 15:56:46.000000000 -0400
36944 -@@ -13,11 +13,11 @@
36945 - #include <asm/atomic.h>
36946 -
36947 - struct oprofile_stat_struct {
36948 -- atomic_t sample_lost_no_mm;
36949 -- atomic_t sample_lost_no_mapping;
36950 -- atomic_t bt_lost_no_mapping;
36951 -- atomic_t event_lost_overflow;
36952 -- atomic_t multiplex_counter;
36953 -+ atomic_unchecked_t sample_lost_no_mm;
36954 -+ atomic_unchecked_t sample_lost_no_mapping;
36955 -+ atomic_unchecked_t bt_lost_no_mapping;
36956 -+ atomic_unchecked_t event_lost_overflow;
36957 -+ atomic_unchecked_t multiplex_counter;
36958 - };
36959 -
36960 - extern struct oprofile_stat_struct oprofile_stats;
36961 -diff -urNp linux-2.6.32.46/drivers/oprofile/oprofilefs.c linux-2.6.32.46/drivers/oprofile/oprofilefs.c
36962 ---- linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-03-27 14:31:47.000000000 -0400
36963 -+++ linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-04-17 15:56:46.000000000 -0400
36964 -@@ -187,7 +187,7 @@ static const struct file_operations atom
36965 -
36966 -
36967 - int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36968 -- char const *name, atomic_t *val)
36969 -+ char const *name, atomic_unchecked_t *val)
36970 - {
36971 - struct dentry *d = __oprofilefs_create_file(sb, root, name,
36972 - &atomic_ro_fops, 0444);
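Review bot: oprofilefs_create_ro_atomic now takes `atomic_unchecked_t *val`, so its prototype in the header and every caller still passing an atomic_t must change in the same patch; neither is visible in this hunk. A changelog line stating that these oprofile_stats fields are statistics counters, and why that makes the unchecked type acceptable for them, would document the conversion.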
36973 -diff -urNp linux-2.6.32.46/drivers/parisc/pdc_stable.c linux-2.6.32.46/drivers/parisc/pdc_stable.c
36974 ---- linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-03-27 14:31:47.000000000 -0400
36975 -+++ linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-04-17 15:56:46.000000000 -0400
36976 -@@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
36977 - return ret;
36978 - }
36979 -
36980 --static struct sysfs_ops pdcspath_attr_ops = {
36981 -+static const struct sysfs_ops pdcspath_attr_ops = {
36982 - .show = pdcspath_attr_show,
36983 - .store = pdcspath_attr_store,
36984 - };
36985 -diff -urNp linux-2.6.32.46/drivers/parport/procfs.c linux-2.6.32.46/drivers/parport/procfs.c
36986 ---- linux-2.6.32.46/drivers/parport/procfs.c 2011-03-27 14:31:47.000000000 -0400
36987 -+++ linux-2.6.32.46/drivers/parport/procfs.c 2011-04-17 15:56:46.000000000 -0400
36988 -@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
36989 -
36990 - *ppos += len;
36991 -
36992 -- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
36993 -+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
36994 - }
36995 -
36996 - #ifdef CONFIG_PARPORT_1284
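Review bot: in do_active_device the new `len > sizeof buffer` test runs after `*ppos += len;`, so an out-of-range len has already advanced the file position by the time -EFAULT is returned. Move the bound check ahead of the `*ppos` update, and consider whether -EFAULT is the right errno for a length error rather than a bad user pointer. The same ordering applies to the do_autoprobe hunk that follows.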
36997 -@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
36998 -
36999 - *ppos += len;
37000 -
37001 -- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37002 -+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37003 - }
37004 - #endif /* IEEE1284.3 support. */
37005 -
37006 -diff -urNp linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c
37007 ---- linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-03-27 14:31:47.000000000 -0400
37008 -+++ linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:56:46.000000000 -0400
37009 -@@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
37010 - }
37011 -
37012 -
37013 --static struct acpi_dock_ops acpiphp_dock_ops = {
37014 -+static const struct acpi_dock_ops acpiphp_dock_ops = {
37015 - .handler = handle_hotplug_event_func,
37016 - };
37017 -
37018 -diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h
37019 ---- linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-03-27 14:31:47.000000000 -0400
37020 -+++ linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-08-05 20:33:55.000000000 -0400
37021 -@@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
37022 - int (*hardware_test) (struct slot* slot, u32 value);
37023 - u8 (*get_power) (struct slot* slot);
37024 - int (*set_power) (struct slot* slot, int value);
37025 --};
37026 -+} __no_const;
37027 -
37028 - struct cpci_hp_controller {
37029 - unsigned int irq;
37030 -diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c
37031 ---- linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-27 14:31:47.000000000 -0400
37032 -+++ linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:56:46.000000000 -0400
37033 -@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37034 -
37035 - void compaq_nvram_init (void __iomem *rom_start)
37036 - {
37037 -+
37038 -+#ifndef CONFIG_PAX_KERNEXEC
37039 - if (rom_start) {
37040 - compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37041 - }
37042 -+#endif
37043 -+
37044 - dbg("int15 entry = %p\n", compaq_int15_entry_point);
37045 -
37046 - /* initialize our int15 lock */
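Review bot: with CONFIG_PAX_KERNEXEC set, compaq_nvram_init never assigns compaq_int15_entry_point, yet the dbg() line still prints it and initialization carries on as if the entry point were valid. Nothing in the hunk stops later code from using the unset pointer. Either return early from the init under KERNEXEC or add a comment stating where the unset entry point is handled. The blank line added after the opening brace can go.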
37047 -diff -urNp linux-2.6.32.46/drivers/pci/hotplug/fakephp.c linux-2.6.32.46/drivers/pci/hotplug/fakephp.c
37048 ---- linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-03-27 14:31:47.000000000 -0400
37049 -+++ linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-04-17 15:56:46.000000000 -0400
37050 -@@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
37051 - }
37052 -
37053 - static struct kobj_type legacy_ktype = {
37054 -- .sysfs_ops = &(struct sysfs_ops){
37055 -+ .sysfs_ops = &(const struct sysfs_ops){
37056 - .store = legacy_store, .show = legacy_show
37057 - },
37058 - .release = &legacy_release,
37059 -diff -urNp linux-2.6.32.46/drivers/pci/intel-iommu.c linux-2.6.32.46/drivers/pci/intel-iommu.c
37060 ---- linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:01.000000000 -0400
37061 -+++ linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:33.000000000 -0400
37062 -@@ -2643,7 +2643,7 @@ error:
37063 - return 0;
37064 - }
37065 -
37066 --static dma_addr_t intel_map_page(struct device *dev, struct page *page,
37067 -+dma_addr_t intel_map_page(struct device *dev, struct page *page,
37068 - unsigned long offset, size_t size,
37069 - enum dma_data_direction dir,
37070 - struct dma_attrs *attrs)
37071 -@@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
37072 - spin_unlock_irqrestore(&async_umap_flush_lock, flags);
37073 - }
37074 -
37075 --static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
37076 -+void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
37077 - size_t size, enum dma_data_direction dir,
37078 - struct dma_attrs *attrs)
37079 - {
37080 -@@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
37081 - }
37082 - }
37083 -
37084 --static void *intel_alloc_coherent(struct device *hwdev, size_t size,
37085 -+void *intel_alloc_coherent(struct device *hwdev, size_t size,
37086 - dma_addr_t *dma_handle, gfp_t flags)
37087 - {
37088 - void *vaddr;
37089 -@@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
37090 - return NULL;
37091 - }
37092 -
37093 --static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
37094 -+void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
37095 - dma_addr_t dma_handle)
37096 - {
37097 - int order;
37098 -@@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
37099 - free_pages((unsigned long)vaddr, order);
37100 - }
37101 -
37102 --static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
37103 -+void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
37104 - int nelems, enum dma_data_direction dir,
37105 - struct dma_attrs *attrs)
37106 - {
37107 -@@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
37108 - return nelems;
37109 - }
37110 -
37111 --static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
37112 -+int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
37113 - enum dma_data_direction dir, struct dma_attrs *attrs)
37114 - {
37115 - int i;
37116 -@@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
37117 - return nelems;
37118 - }
37119 -
37120 --static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
37121 -+int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
37122 - {
37123 - return !dma_addr;
37124 - }
37125 -
37126 --struct dma_map_ops intel_dma_ops = {
37127 -+const struct dma_map_ops intel_dma_ops = {
37128 - .alloc_coherent = intel_alloc_coherent,
37129 - .free_coherent = intel_free_coherent,
37130 - .map_sg = intel_map_sg,
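Review bot: intel_mapping_error, like intel_map_page, intel_map_sg and the other callbacks in the earlier hunks of this file, loses `static` and becomes a global symbol, but no header declaration or outside caller is visible in this patch. Name the user that needs external linkage and add prototypes in a header, or keep the functions static. Making intel_dma_ops const is fine provided its extern declaration is updated to match.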
37131 -diff -urNp linux-2.6.32.46/drivers/pci/pcie/aspm.c linux-2.6.32.46/drivers/pci/pcie/aspm.c
37132 ---- linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-03-27 14:31:47.000000000 -0400
37133 -+++ linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-04-17 15:56:46.000000000 -0400
37134 -@@ -27,9 +27,9 @@
37135 - #define MODULE_PARAM_PREFIX "pcie_aspm."
37136 -
37137 - /* Note: those are not register definitions */
37138 --#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
37139 --#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
37140 --#define ASPM_STATE_L1 (4) /* L1 state */
37141 -+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
37142 -+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
37143 -+#define ASPM_STATE_L1 (4U) /* L1 state */
37144 - #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
37145 - #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
37146 -
37147 -diff -urNp linux-2.6.32.46/drivers/pci/probe.c linux-2.6.32.46/drivers/pci/probe.c
37148 ---- linux-2.6.32.46/drivers/pci/probe.c 2011-03-27 14:31:47.000000000 -0400
37149 -+++ linux-2.6.32.46/drivers/pci/probe.c 2011-04-17 15:56:46.000000000 -0400
37150 -@@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
37151 - return ret;
37152 - }
37153 -
37154 --static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
37155 -+static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
37156 - struct device_attribute *attr,
37157 - char *buf)
37158 - {
37159 - return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
37160 - }
37161 -
37162 --static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
37163 -+static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
37164 - struct device_attribute *attr,
37165 - char *buf)
37166 - {
37167 -diff -urNp linux-2.6.32.46/drivers/pci/proc.c linux-2.6.32.46/drivers/pci/proc.c
37168 ---- linux-2.6.32.46/drivers/pci/proc.c 2011-03-27 14:31:47.000000000 -0400
37169 -+++ linux-2.6.32.46/drivers/pci/proc.c 2011-04-17 15:56:46.000000000 -0400
37170 -@@ -480,7 +480,16 @@ static const struct file_operations proc
37171 - static int __init pci_proc_init(void)
37172 - {
37173 - struct pci_dev *dev = NULL;
37174 -+
37175 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
37176 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
37177 -+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
37178 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37179 -+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
37180 -+#endif
37181 -+#else
37182 - proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
37183 -+#endif
37184 - proc_create("devices", 0, proc_bus_pci_dir,
37185 - &proc_bus_pci_dev_operations);
37186 - proc_initialized = 1;
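Review bot: if CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, none of the three directory-creation branches in pci_proc_init is compiled, and proc_bus_pci_dir is never assigned before `proc_create("devices", 0, proc_bus_pci_dir, ...)` uses it. Add a final `#else` to the inner block that falls back to `proc_mkdir("bus/pci", NULL)`, or document the Kconfig dependency that rules this combination out.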
37187 -diff -urNp linux-2.6.32.46/drivers/pci/slot.c linux-2.6.32.46/drivers/pci/slot.c
37188 ---- linux-2.6.32.46/drivers/pci/slot.c 2011-03-27 14:31:47.000000000 -0400
37189 -+++ linux-2.6.32.46/drivers/pci/slot.c 2011-04-17 15:56:46.000000000 -0400
37190 -@@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
37191 - return attribute->store ? attribute->store(slot, buf, len) : -EIO;
37192 - }
37193 -
37194 --static struct sysfs_ops pci_slot_sysfs_ops = {
37195 -+static const struct sysfs_ops pci_slot_sysfs_ops = {
37196 - .show = pci_slot_attr_show,
37197 - .store = pci_slot_attr_store,
37198 - };
37199 -diff -urNp linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c
37200 ---- linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-03-27 14:31:47.000000000 -0400
37201 -+++ linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-04-17 15:56:46.000000000 -0400
37202 -@@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
37203 - return -EFAULT;
37204 - }
37205 - }
37206 -- buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
37207 -+ buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
37208 - if (!buf)
37209 - return -ENOMEM;
37210 -
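Review bot: the kmalloc() to kzalloc() switch for buf in ds_ioctl() carries no comment saying which part of ds_ioctl_arg_t could otherwise stay uninitialised. If the point is that the buffer is later copied back to user space without every field being written, say so next to the allocation so the zeroing is not "optimised" away by a later cleanup.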
37211 -diff -urNp linux-2.6.32.46/drivers/platform/x86/acer-wmi.c linux-2.6.32.46/drivers/platform/x86/acer-wmi.c
37212 ---- linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-03-27 14:31:47.000000000 -0400
37213 -+++ linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-04-17 15:56:46.000000000 -0400
37214 -@@ -918,7 +918,7 @@ static int update_bl_status(struct backl
37215 - return 0;
37216 - }
37217 -
37218 --static struct backlight_ops acer_bl_ops = {
37219 -+static const struct backlight_ops acer_bl_ops = {
37220 - .get_brightness = read_brightness,
37221 - .update_status = update_bl_status,
37222 - };
37223 -diff -urNp linux-2.6.32.46/drivers/platform/x86/asus-laptop.c linux-2.6.32.46/drivers/platform/x86/asus-laptop.c
37224 ---- linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-03-27 14:31:47.000000000 -0400
37225 -+++ linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-04-17 15:56:46.000000000 -0400
37226 -@@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
37227 - */
37228 - static int read_brightness(struct backlight_device *bd);
37229 - static int update_bl_status(struct backlight_device *bd);
37230 --static struct backlight_ops asusbl_ops = {
37231 -+static const struct backlight_ops asusbl_ops = {
37232 - .get_brightness = read_brightness,
37233 - .update_status = update_bl_status,
37234 - };
37235 -diff -urNp linux-2.6.32.46/drivers/platform/x86/asus_acpi.c linux-2.6.32.46/drivers/platform/x86/asus_acpi.c
37236 ---- linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-03-27 14:31:47.000000000 -0400
37237 -+++ linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-04-17 15:56:46.000000000 -0400
37238 -@@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
37239 - return 0;
37240 - }
37241 -
37242 --static struct backlight_ops asus_backlight_data = {
37243 -+static const struct backlight_ops asus_backlight_data = {
37244 - .get_brightness = read_brightness,
37245 - .update_status = set_brightness_status,
37246 - };
37247 -diff -urNp linux-2.6.32.46/drivers/platform/x86/compal-laptop.c linux-2.6.32.46/drivers/platform/x86/compal-laptop.c
37248 ---- linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-03-27 14:31:47.000000000 -0400
37249 -+++ linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-04-17 15:56:46.000000000 -0400
37250 -@@ -163,7 +163,7 @@ static int bl_update_status(struct backl
37251 - return set_lcd_level(b->props.brightness);
37252 - }
37253 -
37254 --static struct backlight_ops compalbl_ops = {
37255 -+static const struct backlight_ops compalbl_ops = {
37256 - .get_brightness = bl_get_brightness,
37257 - .update_status = bl_update_status,
37258 - };
37259 -diff -urNp linux-2.6.32.46/drivers/platform/x86/dell-laptop.c linux-2.6.32.46/drivers/platform/x86/dell-laptop.c
37260 ---- linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:01.000000000 -0400
37261 -+++ linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:33.000000000 -0400
37262 -@@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
37263 - return buffer.output[1];
37264 - }
37265 -
37266 --static struct backlight_ops dell_ops = {
37267 -+static const struct backlight_ops dell_ops = {
37268 - .get_brightness = dell_get_intensity,
37269 - .update_status = dell_send_intensity,
37270 - };
37271 -diff -urNp linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c
37272 ---- linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-03-27 14:31:47.000000000 -0400
37273 -+++ linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-04-17 15:56:46.000000000 -0400
37274 -@@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
37275 - */
37276 - static int read_brightness(struct backlight_device *bd);
37277 - static int update_bl_status(struct backlight_device *bd);
37278 --static struct backlight_ops eeepcbl_ops = {
37279 -+static const struct backlight_ops eeepcbl_ops = {
37280 - .get_brightness = read_brightness,
37281 - .update_status = update_bl_status,
37282 - };
37283 -diff -urNp linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c
37284 ---- linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-03-27 14:31:47.000000000 -0400
37285 -+++ linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-04-17 15:56:46.000000000 -0400
37286 -@@ -436,7 +436,7 @@ static int bl_update_status(struct backl
37287 - return ret;
37288 - }
37289 -
37290 --static struct backlight_ops fujitsubl_ops = {
37291 -+static const struct backlight_ops fujitsubl_ops = {
37292 - .get_brightness = bl_get_brightness,
37293 - .update_status = bl_update_status,
37294 - };
37295 -diff -urNp linux-2.6.32.46/drivers/platform/x86/msi-laptop.c linux-2.6.32.46/drivers/platform/x86/msi-laptop.c
37296 ---- linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-03-27 14:31:47.000000000 -0400
37297 -+++ linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-04-17 15:56:46.000000000 -0400
37298 -@@ -161,7 +161,7 @@ static int bl_update_status(struct backl
37299 - return set_lcd_level(b->props.brightness);
37300 - }
37301 -
37302 --static struct backlight_ops msibl_ops = {
37303 -+static const struct backlight_ops msibl_ops = {
37304 - .get_brightness = bl_get_brightness,
37305 - .update_status = bl_update_status,
37306 - };
37307 -diff -urNp linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c
37308 ---- linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-03-27 14:31:47.000000000 -0400
37309 -+++ linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-04-17 15:56:46.000000000 -0400
37310 -@@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
37311 - return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
37312 - }
37313 -
37314 --static struct backlight_ops pcc_backlight_ops = {
37315 -+static const struct backlight_ops pcc_backlight_ops = {
37316 - .get_brightness = bl_get,
37317 - .update_status = bl_set_status,
37318 - };
37319 -diff -urNp linux-2.6.32.46/drivers/platform/x86/sony-laptop.c linux-2.6.32.46/drivers/platform/x86/sony-laptop.c
37320 ---- linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-03-27 14:31:47.000000000 -0400
37321 -+++ linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-04-17 15:56:46.000000000 -0400
37322 -@@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
37323 - }
37324 -
37325 - static struct backlight_device *sony_backlight_device;
37326 --static struct backlight_ops sony_backlight_ops = {
37327 -+static const struct backlight_ops sony_backlight_ops = {
37328 - .update_status = sony_backlight_update_status,
37329 - .get_brightness = sony_backlight_get_brightness,
37330 - };
37331 -diff -urNp linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c
37332 ---- linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-03-27 14:31:47.000000000 -0400
37333 -+++ linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-08-05 20:33:55.000000000 -0400
37334 -@@ -2137,7 +2137,7 @@ static int hotkey_mask_get(void)
37335 - return 0;
37336 - }
37337 -
37338 --void static hotkey_mask_warn_incomplete_mask(void)
37339 -+static void hotkey_mask_warn_incomplete_mask(void)
37340 - {
37341 - /* log only what the user can fix... */
37342 - const u32 wantedmask = hotkey_driver_mask &
37343 -@@ -6122,7 +6122,7 @@ static void tpacpi_brightness_notify_cha
37344 - BACKLIGHT_UPDATE_HOTKEY);
37345 - }
37346 -
37347 --static struct backlight_ops ibm_backlight_data = {
37348 -+static const struct backlight_ops ibm_backlight_data = {
37349 - .get_brightness = brightness_get,
37350 - .update_status = brightness_update_status,
37351 - };
37352 -diff -urNp linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c
37353 ---- linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-03-27 14:31:47.000000000 -0400
37354 -+++ linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-04-17 15:56:46.000000000 -0400
37355 -@@ -671,7 +671,7 @@ static acpi_status remove_device(void)
37356 - return AE_OK;
37357 - }
37358 -
37359 --static struct backlight_ops toshiba_backlight_data = {
37360 -+static const struct backlight_ops toshiba_backlight_data = {
37361 - .get_brightness = get_lcd,
37362 - .update_status = set_lcd_status,
37363 - };
37364 -diff -urNp linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c
37365 ---- linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-03-27 14:31:47.000000000 -0400
37366 -+++ linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:56:46.000000000 -0400
37367 -@@ -60,7 +60,7 @@ do { \
37368 - set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37369 - } while(0)
37370 -
37371 --static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37372 -+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37373 - (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37374 -
37375 - /*
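Review bot: the GDT_ENTRY_INIT() flags for bad_bios_desc change from 0x4092 to 0x4093 with no explanation, and the change is easy to miss next to the added const. The extra bit is the descriptor's accessed bit; pre-setting it means the CPU has no reason to write the descriptor back when the segment is loaded, which matters once the GDT is only writable inside a pax_open_kernel() window. A one-line comment above the initialiser would keep someone from "restoring" the upstream value.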
37376 -@@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
37377 -
37378 - cpu = get_cpu();
37379 - save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37380 -+
37381 -+ pax_open_kernel();
37382 - get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37383 -+ pax_close_kernel();
37384 -
37385 - /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37386 - spin_lock_irqsave(&pnp_bios_lock, flags);
37387 -@@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
37388 - :"memory");
37389 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
37390 -
37391 -+ pax_open_kernel();
37392 - get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37393 -+ pax_close_kernel();
37394 -+
37395 - put_cpu();
37396 -
37397 - /* If we get here and this is set then the PnP BIOS faulted on us. */
37398 -@@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
37399 - return status;
37400 - }
37401 -
37402 --void pnpbios_calls_init(union pnp_bios_install_struct *header)
37403 -+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37404 - {
37405 - int i;
37406 -
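Review bot: marking pnpbios_calls_init() as __init is only safe if every caller is itself init-only code, and no caller is shown in this hunk. Confirm the call site (and the prototype in the header) carry the same annotation, otherwise a late call would jump into freed init text.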
37407 -@@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
37408 - pnp_bios_callpoint.offset = header->fields.pm16offset;
37409 - pnp_bios_callpoint.segment = PNP_CS16;
37410 -
37411 -+ pax_open_kernel();
37412 -+
37413 - for_each_possible_cpu(i) {
37414 - struct desc_struct *gdt = get_cpu_gdt_table(i);
37415 - if (!gdt)
37416 -@@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
37417 - set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37418 - (unsigned long)__va(header->fields.pm16dseg));
37419 - }
37420 -+
37421 -+ pax_close_kernel();
37422 - }
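Review bot: in pnpbios_calls_init() the pax_open_kernel() from the previous hunk is taken before for_each_possible_cpu() and only released here at the end of the function, so kernel memory stays writable for the whole loop, unlike call_pnp_bios() where the window wraps a single GDT assignment. That is acceptable for init code, but any early return added inside the loop later would leave the window open; a comment at the open/close pair noting that they must stay balanced would help.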
37423 -diff -urNp linux-2.6.32.46/drivers/pnp/resource.c linux-2.6.32.46/drivers/pnp/resource.c
37424 ---- linux-2.6.32.46/drivers/pnp/resource.c 2011-03-27 14:31:47.000000000 -0400
37425 -+++ linux-2.6.32.46/drivers/pnp/resource.c 2011-04-17 15:56:46.000000000 -0400
37426 -@@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37427 - return 1;
37428 -
37429 - /* check if the resource is valid */
37430 -- if (*irq < 0 || *irq > 15)
37431 -+ if (*irq > 15)
37432 - return 0;
37433 -
37434 - /* check if the resource is reserved */
37435 -@@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37436 - return 1;
37437 -
37438 - /* check if the resource is valid */
37439 -- if (*dma < 0 || *dma == 4 || *dma > 7)
37440 -+ if (*dma == 4 || *dma > 7)
37441 - return 0;
37442 -
37443 - /* check if the resource is reserved */
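Review bot: dropping `*dma < 0` here (and `*irq < 0` in the previous hunk) is only correct if the pointee type is unsigned, and neither hunk shows the declaration of dma or irq. If the intent is to silence an always-false comparison warning, note the type in the "check if the resource is valid" comment so the lower bound is not silently lost should the parameter ever become signed.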
37444 -diff -urNp linux-2.6.32.46/drivers/power/bq27x00_battery.c linux-2.6.32.46/drivers/power/bq27x00_battery.c
37445 ---- linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-03-27 14:31:47.000000000 -0400
37446 -+++ linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-08-05 20:33:55.000000000 -0400
37447 -@@ -44,7 +44,7 @@ struct bq27x00_device_info;
37448 - struct bq27x00_access_methods {
37449 - int (*read)(u8 reg, int *rt_value, int b_single,
37450 - struct bq27x00_device_info *di);
37451 --};
37452 -+} __no_const;
37453 -
37454 - struct bq27x00_device_info {
37455 - struct device *dev;
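Review bot: `__no_const` on struct bq27x00_access_methods opts this function-pointer table out of constification, leaving the read pointer writable at run time, and the hunk gives no reason. Add a short comment stating where the structure is assigned at run time, so the exemption can be revisited if that code changes.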
37456 -diff -urNp linux-2.6.32.46/drivers/rtc/rtc-dev.c linux-2.6.32.46/drivers/rtc/rtc-dev.c
37457 ---- linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-03-27 14:31:47.000000000 -0400
37458 -+++ linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-04-17 15:56:46.000000000 -0400
37459 -@@ -14,6 +14,7 @@
37460 - #include <linux/module.h>
37461 - #include <linux/rtc.h>
37462 - #include <linux/sched.h>
37463 -+#include <linux/grsecurity.h>
37464 - #include "rtc-core.h"
37465 -
37466 - static dev_t rtc_devt;
37467 -@@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
37468 - if (copy_from_user(&tm, uarg, sizeof(tm)))
37469 - return -EFAULT;
37470 -
37471 -+ gr_log_timechange();
37472 -+
37473 - return rtc_set_time(rtc, &tm);
37474 -
37475 - case RTC_PIE_ON:
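Review bot: gr_log_timechange() in rtc_dev_ioctl() runs before rtc_set_time(rtc, &tm), so the log entry is written even when the set fails and the clock was not changed. If the log is meant to record actual changes, capture the return value first and log only on success; if it is meant to record attempts, say so in a comment.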
37476 -diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.c linux-2.6.32.46/drivers/s390/cio/qdio_perf.c
37477 ---- linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-03-27 14:31:47.000000000 -0400
37478 -+++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-04-17 15:56:46.000000000 -0400
37479 -@@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
37480 - static int qdio_perf_proc_show(struct seq_file *m, void *v)
37481 - {
37482 - seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
37483 -- (long)atomic_long_read(&perf_stats.qdio_int));
37484 -+ (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
37485 - seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
37486 -- (long)atomic_long_read(&perf_stats.pci_int));
37487 -+ (long)atomic_long_read_unchecked(&perf_stats.pci_int));
37488 - seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
37489 -- (long)atomic_long_read(&perf_stats.thin_int));
37490 -+ (long)atomic_long_read_unchecked(&perf_stats.thin_int));
37491 - seq_printf(m, "\n");
37492 - seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
37493 -- (long)atomic_long_read(&perf_stats.tasklet_inbound));
37494 -+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
37495 - seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
37496 -- (long)atomic_long_read(&perf_stats.tasklet_outbound));
37497 -+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
37498 - seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
37499 -- (long)atomic_long_read(&perf_stats.tasklet_thinint),
37500 -- (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
37501 -+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
37502 -+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
37503 - seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
37504 -- (long)atomic_long_read(&perf_stats.thinint_inbound),
37505 -- (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
37506 -+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
37507 -+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
37508 - seq_printf(m, "\n");
37509 - seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
37510 -- (long)atomic_long_read(&perf_stats.siga_in));
37511 -+ (long)atomic_long_read_unchecked(&perf_stats.siga_in));
37512 - seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
37513 -- (long)atomic_long_read(&perf_stats.siga_out));
37514 -+ (long)atomic_long_read_unchecked(&perf_stats.siga_out));
37515 - seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
37516 -- (long)atomic_long_read(&perf_stats.siga_sync));
37517 -+ (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
37518 - seq_printf(m, "\n");
37519 - seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
37520 -- (long)atomic_long_read(&perf_stats.inbound_handler));
37521 -+ (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
37522 - seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
37523 -- (long)atomic_long_read(&perf_stats.outbound_handler));
37524 -+ (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
37525 - seq_printf(m, "\n");
37526 - seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
37527 -- (long)atomic_long_read(&perf_stats.fast_requeue));
37528 -+ (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
37529 - seq_printf(m, "Number of outbound target full condition\t: %li\n",
37530 -- (long)atomic_long_read(&perf_stats.outbound_target_full));
37531 -+ (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
37532 - seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
37533 -- (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
37534 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
37535 - seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
37536 -- (long)atomic_long_read(&perf_stats.debug_stop_polling));
37537 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
37538 - seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
37539 -- (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
37540 -+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
37541 - seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
37542 -- (long)atomic_long_read(&perf_stats.debug_eqbs_all),
37543 -- (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
37544 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
37545 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
37546 - seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
37547 -- (long)atomic_long_read(&perf_stats.debug_sqbs_all),
37548 -- (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
37549 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
37550 -+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
37551 - seq_printf(m, "\n");
37552 - return 0;
37553 - }
37554 -diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.h linux-2.6.32.46/drivers/s390/cio/qdio_perf.h
37555 ---- linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-03-27 14:31:47.000000000 -0400
37556 -+++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-04-17 15:56:46.000000000 -0400
37557 -@@ -13,46 +13,46 @@
37558 -
37559 - struct qdio_perf_stats {
37560 - /* interrupt handler calls */
37561 -- atomic_long_t qdio_int;
37562 -- atomic_long_t pci_int;
37563 -- atomic_long_t thin_int;
37564 -+ atomic_long_unchecked_t qdio_int;
37565 -+ atomic_long_unchecked_t pci_int;
37566 -+ atomic_long_unchecked_t thin_int;
37567 -
37568 - /* tasklet runs */
37569 -- atomic_long_t tasklet_inbound;
37570 -- atomic_long_t tasklet_outbound;
37571 -- atomic_long_t tasklet_thinint;
37572 -- atomic_long_t tasklet_thinint_loop;
37573 -- atomic_long_t thinint_inbound;
37574 -- atomic_long_t thinint_inbound_loop;
37575 -- atomic_long_t thinint_inbound_loop2;
37576 -+ atomic_long_unchecked_t tasklet_inbound;
37577 -+ atomic_long_unchecked_t tasklet_outbound;
37578 -+ atomic_long_unchecked_t tasklet_thinint;
37579 -+ atomic_long_unchecked_t tasklet_thinint_loop;
37580 -+ atomic_long_unchecked_t thinint_inbound;
37581 -+ atomic_long_unchecked_t thinint_inbound_loop;
37582 -+ atomic_long_unchecked_t thinint_inbound_loop2;
37583 -
37584 - /* signal adapter calls */
37585 -- atomic_long_t siga_out;
37586 -- atomic_long_t siga_in;
37587 -- atomic_long_t siga_sync;
37588 -+ atomic_long_unchecked_t siga_out;
37589 -+ atomic_long_unchecked_t siga_in;
37590 -+ atomic_long_unchecked_t siga_sync;
37591 -
37592 - /* misc */
37593 -- atomic_long_t inbound_handler;
37594 -- atomic_long_t outbound_handler;
37595 -- atomic_long_t fast_requeue;
37596 -- atomic_long_t outbound_target_full;
37597 -+ atomic_long_unchecked_t inbound_handler;
37598 -+ atomic_long_unchecked_t outbound_handler;
37599 -+ atomic_long_unchecked_t fast_requeue;
37600 -+ atomic_long_unchecked_t outbound_target_full;
37601 -
37602 - /* for debugging */
37603 -- atomic_long_t debug_tl_out_timer;
37604 -- atomic_long_t debug_stop_polling;
37605 -- atomic_long_t debug_eqbs_all;
37606 -- atomic_long_t debug_eqbs_incomplete;
37607 -- atomic_long_t debug_sqbs_all;
37608 -- atomic_long_t debug_sqbs_incomplete;
37609 -+ atomic_long_unchecked_t debug_tl_out_timer;
37610 -+ atomic_long_unchecked_t debug_stop_polling;
37611 -+ atomic_long_unchecked_t debug_eqbs_all;
37612 -+ atomic_long_unchecked_t debug_eqbs_incomplete;
37613 -+ atomic_long_unchecked_t debug_sqbs_all;
37614 -+ atomic_long_unchecked_t debug_sqbs_incomplete;
37615 - };
37616 -
37617 - extern struct qdio_perf_stats perf_stats;
37618 - extern int qdio_performance_stats;
37619 -
37620 --static inline void qdio_perf_stat_inc(atomic_long_t *count)
37621 -+static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
37622 - {
37623 - if (qdio_performance_stats)
37624 -- atomic_long_inc(count);
37625 -+ atomic_long_inc_unchecked(count);
37626 - }
37627 -
37628 - int qdio_setup_perf_stats(void);
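Review bot: every counter in struct qdio_perf_stats is converted to atomic_long_unchecked_t, and qdio_perf_stat_inc() to atomic_long_inc_unchecked(), without a note on why overflow checking is not wanted here. The existing comments ("interrupt handler calls", "for debugging") suggest these are pure statistics; stating that once at the top of the struct would document that none of them is used as a reference count.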
37629 -diff -urNp linux-2.6.32.46/drivers/scsi/BusLogic.c linux-2.6.32.46/drivers/scsi/BusLogic.c
37630 ---- linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-03-27 14:31:47.000000000 -0400
37631 -+++ linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-05-16 21:46:57.000000000 -0400
37632 -@@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
37633 - static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
37634 - *PrototypeHostAdapter)
37635 - {
37636 -+ pax_track_stack();
37637 -+
37638 - /*
37639 - If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
37640 - Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
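Review bot: pax_track_stack() is inserted at the top of BusLogic_InitializeProbeInfoList() with no comment, and the same bare call is added to many other SCSI functions in this patch. Nothing in the hunk tells a reader which property of this function requires it; a brief comment, or a pointer to where the criterion is documented, would make it possible to tell when a call is missing or no longer needed.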
37641 -diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h
37642 ---- linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-03-27 14:31:47.000000000 -0400
37643 -+++ linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-08-05 20:33:55.000000000 -0400
37644 -@@ -471,7 +471,7 @@ struct adapter_ops
37645 - int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
37646 - /* Administrative operations */
37647 - int (*adapter_comm)(struct aac_dev * dev, int comm);
37648 --};
37649 -+} __no_const;
37650 -
37651 - /*
37652 - * Define which interrupt handler needs to be installed
37653 -diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c
37654 ---- linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-03-27 14:31:47.000000000 -0400
37655 -+++ linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:46:57.000000000 -0400
37656 -@@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
37657 - u32 actual_fibsize64, actual_fibsize = 0;
37658 - int i;
37659 -
37660 -+ pax_track_stack();
37661 -
37662 - if (dev->in_reset) {
37663 - dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
37664 -diff -urNp linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c
37665 ---- linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-27 14:31:47.000000000 -0400
37666 -+++ linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:56:46.000000000 -0400
37667 -@@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
37668 - flash_error_table[i].reason);
37669 - }
37670 -
37671 --static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
37672 -+static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
37673 - asd_show_update_bios, asd_store_update_bios);
37674 -
37675 - static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
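Review bot: narrowing update_bios from S_IWUGO to S_IWUSR removes the world-writable store path, but the attribute is still S_IRUGO, so asd_show_update_bios() output remains readable by every user. If the flash status and flash_error_table reason strings are not meant for unprivileged users, tighten the read bits in the same DEVICE_ATTR() line as well.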
37676 -diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h
37677 ---- linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-03-27 14:31:47.000000000 -0400
37678 -+++ linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-08-05 20:33:55.000000000 -0400
37679 -@@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
37680 - bfa_ioc_disable_cbfn_t disable_cbfn;
37681 - bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
37682 - bfa_ioc_reset_cbfn_t reset_cbfn;
37683 --};
37684 -+} __no_const;
37685 -
37686 - /**
37687 - * Heartbeat failure notification queue element.
37688 -diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h
37689 ---- linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-03-27 14:31:47.000000000 -0400
37690 -+++ linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-08-05 20:33:55.000000000 -0400
37691 -@@ -61,7 +61,7 @@ struct bfa_hwif_s {
37692 - void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
37693 - void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
37694 - u32 *nvecs, u32 *maxvec);
37695 --};
37696 -+} __no_const;
37697 - typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
37698 -
37699 - struct bfa_iocfc_s {
37700 -diff -urNp linux-2.6.32.46/drivers/scsi/dpt_i2o.c linux-2.6.32.46/drivers/scsi/dpt_i2o.c
37701 ---- linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-03-27 14:31:47.000000000 -0400
37702 -+++ linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-05-16 21:46:57.000000000 -0400
37703 -@@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
37704 - dma_addr_t addr;
37705 - ulong flags = 0;
37706 -
37707 -+ pax_track_stack();
37708 -+
37709 - memset(&msg, 0, MAX_MESSAGE_SIZE*4);
37710 - // get user msg size in u32s
37711 - if(get_user(size, &user_msg[0])){
37712 -@@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
37713 - s32 rcode;
37714 - dma_addr_t addr;
37715 -
37716 -+ pax_track_stack();
37717 -+
37718 - memset(msg, 0 , sizeof(msg));
37719 - len = scsi_bufflen(cmd);
37720 - direction = 0x00000000;
37721 -diff -urNp linux-2.6.32.46/drivers/scsi/eata.c linux-2.6.32.46/drivers/scsi/eata.c
37722 ---- linux-2.6.32.46/drivers/scsi/eata.c 2011-03-27 14:31:47.000000000 -0400
37723 -+++ linux-2.6.32.46/drivers/scsi/eata.c 2011-05-16 21:46:57.000000000 -0400
37724 -@@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
37725 - struct hostdata *ha;
37726 - char name[16];
37727 -
37728 -+ pax_track_stack();
37729 -+
37730 - sprintf(name, "%s%d", driver_name, j);
37731 -
37732 - if (!request_region(port_base, REGION_SIZE, driver_name)) {
37733 -diff -urNp linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c
37734 ---- linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-03-27 14:31:47.000000000 -0400
37735 -+++ linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:46:57.000000000 -0400
37736 -@@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
37737 - size_t rlen;
37738 - size_t dlen;
37739 -
37740 -+ pax_track_stack();
37741 -+
37742 - fiph = (struct fip_header *)skb->data;
37743 - sub = fiph->fip_subcode;
37744 - if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
37745 -diff -urNp linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c
37746 ---- linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-03-27 14:31:47.000000000 -0400
37747 -+++ linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-08-05 20:33:55.000000000 -0400
37748 -@@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
37749 - /* Start local port initiatialization */
37750 -
37751 - lp->link_up = 0;
37752 -- lp->tt = fnic_transport_template;
37753 -+ memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
37754 -
37755 - lp->max_retry_count = fnic->config.flogi_retries;
37756 - lp->max_rport_retry_count = fnic->config.plogi_retries;
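Review bot: the replacement for `lp->tt = fnic_transport_template;` casts &lp->tt to (void *) to write through what is presumably now a const-qualified member, and sizes the copy by the source, sizeof(fnic_transport_template), not the destination. Use sizeof(lp->tt) or add a compile-time check that both sizes match, and add a comment explaining why a const field is being written here, since the cast hides the qualifier from the compiler.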
37757 -diff -urNp linux-2.6.32.46/drivers/scsi/gdth.c linux-2.6.32.46/drivers/scsi/gdth.c
37758 ---- linux-2.6.32.46/drivers/scsi/gdth.c 2011-03-27 14:31:47.000000000 -0400
37759 -+++ linux-2.6.32.46/drivers/scsi/gdth.c 2011-05-16 21:46:57.000000000 -0400
37760 -@@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
37761 - ulong flags;
37762 - gdth_ha_str *ha;
37763 -
37764 -+ pax_track_stack();
37765 -+
37766 - if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
37767 - return -EFAULT;
37768 - ha = gdth_find_ha(ldrv.ionode);
37769 -@@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
37770 - gdth_ha_str *ha;
37771 - int rval;
37772 -
37773 -+ pax_track_stack();
37774 -+
37775 - if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
37776 - res.number >= MAX_HDRIVES)
37777 - return -EFAULT;
37778 -@@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
37779 - gdth_ha_str *ha;
37780 - int rval;
37781 -
37782 -+ pax_track_stack();
37783 -+
37784 - if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
37785 - return -EFAULT;
37786 - ha = gdth_find_ha(gen.ionode);
37787 -@@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
37788 - int i;
37789 - gdth_cmd_str gdtcmd;
37790 - char cmnd[MAX_COMMAND_SIZE];
37791 -+
37792 -+ pax_track_stack();
37793 -+
37794 - memset(cmnd, 0xff, MAX_COMMAND_SIZE);
37795 -
37796 - TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
37797 -diff -urNp linux-2.6.32.46/drivers/scsi/gdth_proc.c linux-2.6.32.46/drivers/scsi/gdth_proc.c
37798 ---- linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-03-27 14:31:47.000000000 -0400
37799 -+++ linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-05-16 21:46:57.000000000 -0400
37800 -@@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
37801 - ulong64 paddr;
37802 -
37803 - char cmnd[MAX_COMMAND_SIZE];
37804 -+
37805 -+ pax_track_stack();
37806 -+
37807 - memset(cmnd, 0xff, 12);
37808 - memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
37809 -
37810 -@@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
37811 - gdth_hget_str *phg;
37812 - char cmnd[MAX_COMMAND_SIZE];
37813 -
37814 -+ pax_track_stack();
37815 -+
37816 - gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
37817 - estr = kmalloc(sizeof(*estr), GFP_KERNEL);
37818 - if (!gdtcmd || !estr)
37819 -diff -urNp linux-2.6.32.46/drivers/scsi/hosts.c linux-2.6.32.46/drivers/scsi/hosts.c
37820 ---- linux-2.6.32.46/drivers/scsi/hosts.c 2011-03-27 14:31:47.000000000 -0400
37821 -+++ linux-2.6.32.46/drivers/scsi/hosts.c 2011-05-04 17:56:28.000000000 -0400
37822 -@@ -40,7 +40,7 @@
37823 - #include "scsi_logging.h"
37824 -
37825 -
37826 --static atomic_t scsi_host_next_hn; /* host_no for next new host */
37827 -+static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
37828 -
37829 -
37830 - static void scsi_host_cls_release(struct device *dev)
37831 -@@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
37832 - * subtract one because we increment first then return, but we need to
37833 - * know what the next host number was before increment
37834 - */
37835 -- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
37836 -+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
37837 - shost->dma_channel = 0xff;
37838 -
37839 - /* These three are default values which can be overridden */
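Review bot: with scsi_host_next_hn now atomic_unchecked_t, atomic_inc_return_unchecked() in scsi_host_alloc() is allowed to wrap, and the result is used directly as shost->host_no. The hunk does not say why wrapping is acceptable for a value used as a host identifier; add a comment giving the reasoning, or keep the checked variant if a wrapped host_no could collide with a live host.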
37840 -diff -urNp linux-2.6.32.46/drivers/scsi/ipr.c linux-2.6.32.46/drivers/scsi/ipr.c
37841 ---- linux-2.6.32.46/drivers/scsi/ipr.c 2011-03-27 14:31:47.000000000 -0400
37842 -+++ linux-2.6.32.46/drivers/scsi/ipr.c 2011-04-17 15:56:46.000000000 -0400
37843 -@@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
37844 - return true;
37845 - }
37846 -
37847 --static struct ata_port_operations ipr_sata_ops = {
37848 -+static const struct ata_port_operations ipr_sata_ops = {
37849 - .phy_reset = ipr_ata_phy_reset,
37850 - .hardreset = ipr_sata_reset,
37851 - .post_internal_cmd = ipr_ata_post_internal,
37852 -diff -urNp linux-2.6.32.46/drivers/scsi/ips.h linux-2.6.32.46/drivers/scsi/ips.h
37853 ---- linux-2.6.32.46/drivers/scsi/ips.h 2011-03-27 14:31:47.000000000 -0400
37854 -+++ linux-2.6.32.46/drivers/scsi/ips.h 2011-08-05 20:33:55.000000000 -0400
37855 -@@ -1027,7 +1027,7 @@ typedef struct {
37856 - int (*intr)(struct ips_ha *);
37857 - void (*enableint)(struct ips_ha *);
37858 - uint32_t (*statupd)(struct ips_ha *);
37859 --} ips_hw_func_t;
37860 -+} __no_const ips_hw_func_t;
37861 -
37862 - typedef struct ips_ha {
37863 - uint8_t ha_id[IPS_MAX_CHANNELS+1];
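Review bot: `} __no_const ips_hw_func_t;` leaves this table of function pointers (intr, enableint, statupd and the members above them) writable for the lifetime of the kernel, and the hunk gives no reason for the exemption. If the members are assigned only during adapter setup, say so in a comment beside the annotation so a later reader can tell it from an oversight. The lpfc_init.c hunk in this same patch handles a runtime assignment differently, wrapping it in pax_open_kernel()/pax_close_kernel(), which keeps the structure read-only outside that window.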
37864 -diff -urNp linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c
37865 ---- linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-03-27 14:31:47.000000000 -0400
37866 -+++ linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-08-23 21:22:32.000000000 -0400
37867 -@@ -86,12 +86,12 @@ struct fc_exch_mgr {
37868 - * all together if not used XXX
37869 - */
37870 - struct {
37871 -- atomic_t no_free_exch;
37872 -- atomic_t no_free_exch_xid;
37873 -- atomic_t xid_not_found;
37874 -- atomic_t xid_busy;
37875 -- atomic_t seq_not_found;
37876 -- atomic_t non_bls_resp;
37877 -+ atomic_unchecked_t no_free_exch;
37878 -+ atomic_unchecked_t no_free_exch_xid;
37879 -+ atomic_unchecked_t xid_not_found;
37880 -+ atomic_unchecked_t xid_busy;
37881 -+ atomic_unchecked_t seq_not_found;
37882 -+ atomic_unchecked_t non_bls_resp;
37883 - } stats;
37884 - };
37885 - #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
37886 -@@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
37887 - /* allocate memory for exchange */
37888 - ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
37889 - if (!ep) {
37890 -- atomic_inc(&mp->stats.no_free_exch);
37891 -+ atomic_inc_unchecked(&mp->stats.no_free_exch);
37892 - goto out;
37893 - }
37894 - memset(ep, 0, sizeof(*ep));
37895 -@@ -557,7 +557,7 @@ out:
37896 - return ep;
37897 - err:
37898 - spin_unlock_bh(&pool->lock);
37899 -- atomic_inc(&mp->stats.no_free_exch_xid);
37900 -+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
37901 - mempool_free(ep, mp->ep_pool);
37902 - return NULL;
37903 - }
37904 -@@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37905 - xid = ntohs(fh->fh_ox_id); /* we originated exch */
37906 - ep = fc_exch_find(mp, xid);
37907 - if (!ep) {
37908 -- atomic_inc(&mp->stats.xid_not_found);
37909 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37910 - reject = FC_RJT_OX_ID;
37911 - goto out;
37912 - }
37913 -@@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37914 - ep = fc_exch_find(mp, xid);
37915 - if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
37916 - if (ep) {
37917 -- atomic_inc(&mp->stats.xid_busy);
37918 -+ atomic_inc_unchecked(&mp->stats.xid_busy);
37919 - reject = FC_RJT_RX_ID;
37920 - goto rel;
37921 - }
37922 -@@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37923 - }
37924 - xid = ep->xid; /* get our XID */
37925 - } else if (!ep) {
37926 -- atomic_inc(&mp->stats.xid_not_found);
37927 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37928 - reject = FC_RJT_RX_ID; /* XID not found */
37929 - goto out;
37930 - }
37931 -@@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37932 - } else {
37933 - sp = &ep->seq;
37934 - if (sp->id != fh->fh_seq_id) {
37935 -- atomic_inc(&mp->stats.seq_not_found);
37936 -+ atomic_inc_unchecked(&mp->stats.seq_not_found);
37937 - reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
37938 - goto rel;
37939 - }
37940 -@@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
37941 -
37942 - ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
37943 - if (!ep) {
37944 -- atomic_inc(&mp->stats.xid_not_found);
37945 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37946 - goto out;
37947 - }
37948 - if (ep->esb_stat & ESB_ST_COMPLETE) {
37949 -- atomic_inc(&mp->stats.xid_not_found);
37950 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37951 - goto out;
37952 - }
37953 - if (ep->rxid == FC_XID_UNKNOWN)
37954 - ep->rxid = ntohs(fh->fh_rx_id);
37955 - if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
37956 -- atomic_inc(&mp->stats.xid_not_found);
37957 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37958 - goto rel;
37959 - }
37960 - if (ep->did != ntoh24(fh->fh_s_id) &&
37961 - ep->did != FC_FID_FLOGI) {
37962 -- atomic_inc(&mp->stats.xid_not_found);
37963 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37964 - goto rel;
37965 - }
37966 - sof = fr_sof(fp);
37967 -@@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
37968 - } else {
37969 - sp = &ep->seq;
37970 - if (sp->id != fh->fh_seq_id) {
37971 -- atomic_inc(&mp->stats.seq_not_found);
37972 -+ atomic_inc_unchecked(&mp->stats.seq_not_found);
37973 - goto rel;
37974 - }
37975 - }
37976 -@@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
37977 - sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
37978 -
37979 - if (!sp)
37980 -- atomic_inc(&mp->stats.xid_not_found);
37981 -+ atomic_inc_unchecked(&mp->stats.xid_not_found);
37982 - else
37983 -- atomic_inc(&mp->stats.non_bls_resp);
37984 -+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
37985 -
37986 - fc_frame_free(fp);
37987 - }
37988 -diff -urNp linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c
37989 ---- linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-03-27 14:31:47.000000000 -0400
37990 -+++ linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-04-23 12:56:11.000000000 -0400
37991 -@@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
37992 - }
37993 - }
37994 -
37995 --static struct ata_port_operations sas_sata_ops = {
37996 -+static const struct ata_port_operations sas_sata_ops = {
37997 - .phy_reset = sas_ata_phy_reset,
37998 - .post_internal_cmd = sas_ata_post_internal,
37999 - .qc_defer = ata_std_qc_defer,
38000 -diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h
38001 ---- linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-03-27 14:31:47.000000000 -0400
38002 -+++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-05-04 17:56:28.000000000 -0400
38003 -@@ -400,7 +400,7 @@ struct lpfc_vport {
38004 - struct dentry *debug_nodelist;
38005 - struct dentry *vport_debugfs_root;
38006 - struct lpfc_debugfs_trc *disc_trc;
38007 -- atomic_t disc_trc_cnt;
38008 -+ atomic_unchecked_t disc_trc_cnt;
38009 - #endif
38010 - uint8_t stat_data_enabled;
38011 - uint8_t stat_data_blocked;
38012 -@@ -725,8 +725,8 @@ struct lpfc_hba {
38013 - struct timer_list fabric_block_timer;
38014 - unsigned long bit_flags;
38015 - #define FABRIC_COMANDS_BLOCKED 0
38016 -- atomic_t num_rsrc_err;
38017 -- atomic_t num_cmd_success;
38018 -+ atomic_unchecked_t num_rsrc_err;
38019 -+ atomic_unchecked_t num_cmd_success;
38020 - unsigned long last_rsrc_error_time;
38021 - unsigned long last_ramp_down_time;
38022 - unsigned long last_ramp_up_time;
38023 -@@ -740,7 +740,7 @@ struct lpfc_hba {
38024 - struct dentry *debug_dumpDif; /* BlockGuard BPL*/
38025 - struct dentry *debug_slow_ring_trc;
38026 - struct lpfc_debugfs_trc *slow_ring_trc;
38027 -- atomic_t slow_ring_trc_cnt;
38028 -+ atomic_unchecked_t slow_ring_trc_cnt;
38029 - #endif
38030 -
38031 - /* Used for deferred freeing of ELS data buffers */
38032 -diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c
38033 ---- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-27 14:31:47.000000000 -0400
38034 -+++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:46:57.000000000 -0400
38035 -@@ -124,7 +124,7 @@ struct lpfc_debug {
38036 - int len;
38037 - };
38038 -
38039 --static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38040 -+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38041 - static unsigned long lpfc_debugfs_start_time = 0L;
38042 -
38043 - /**
38044 -@@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38045 - lpfc_debugfs_enable = 0;
38046 -
38047 - len = 0;
38048 -- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38049 -+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38050 - (lpfc_debugfs_max_disc_trc - 1);
38051 - for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38052 - dtp = vport->disc_trc + i;
38053 -@@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38054 - lpfc_debugfs_enable = 0;
38055 -
38056 - len = 0;
38057 -- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38058 -+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38059 - (lpfc_debugfs_max_slow_ring_trc - 1);
38060 - for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38061 - dtp = phba->slow_ring_trc + i;
38062 -@@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38063 - uint32_t *ptr;
38064 - char buffer[1024];
38065 -
38066 -+ pax_track_stack();
38067 -+
38068 - off = 0;
38069 - spin_lock_irq(&phba->hbalock);
38070 -
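Review bot: the `pax_track_stack();` call added after `char buffer[1024];` in lpfc_debugfs_dumpHBASlim_data() carries no comment, so its connection to the 1 KiB on-stack buffer is left for the reader to infer. A short comment naming the buffer would tell a later editor when the call can be dropped, or the buffer could be moved off the stack, which removes the need for the call.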
38071 -@@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38072 - !vport || !vport->disc_trc)
38073 - return;
38074 -
38075 -- index = atomic_inc_return(&vport->disc_trc_cnt) &
38076 -+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38077 - (lpfc_debugfs_max_disc_trc - 1);
38078 - dtp = vport->disc_trc + index;
38079 - dtp->fmt = fmt;
38080 - dtp->data1 = data1;
38081 - dtp->data2 = data2;
38082 - dtp->data3 = data3;
38083 -- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38084 -+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38085 - dtp->jif = jiffies;
38086 - #endif
38087 - return;
38088 -@@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38089 - !phba || !phba->slow_ring_trc)
38090 - return;
38091 -
38092 -- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38093 -+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38094 - (lpfc_debugfs_max_slow_ring_trc - 1);
38095 - dtp = phba->slow_ring_trc + index;
38096 - dtp->fmt = fmt;
38097 - dtp->data1 = data1;
38098 - dtp->data2 = data2;
38099 - dtp->data3 = data3;
38100 -- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38101 -+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38102 - dtp->jif = jiffies;
38103 - #endif
38104 - return;
38105 -@@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38106 - "slow_ring buffer\n");
38107 - goto debug_failed;
38108 - }
38109 -- atomic_set(&phba->slow_ring_trc_cnt, 0);
38110 -+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38111 - memset(phba->slow_ring_trc, 0,
38112 - (sizeof(struct lpfc_debugfs_trc) *
38113 - lpfc_debugfs_max_slow_ring_trc));
38114 -@@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38115 - "buffer\n");
38116 - goto debug_failed;
38117 - }
38118 -- atomic_set(&vport->disc_trc_cnt, 0);
38119 -+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38120 -
38121 - snprintf(name, sizeof(name), "discovery_trace");
38122 - vport->debug_disc_trc =
38123 -diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c
38124 ---- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-03-27 14:31:47.000000000 -0400
38125 -+++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-08-05 20:33:55.000000000 -0400
38126 -@@ -8021,8 +8021,10 @@ lpfc_init(void)
38127 - printk(LPFC_COPYRIGHT "\n");
38128 -
38129 - if (lpfc_enable_npiv) {
38130 -- lpfc_transport_functions.vport_create = lpfc_vport_create;
38131 -- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
38132 -+ pax_open_kernel();
38133 -+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
38134 -+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
38135 -+ pax_close_kernel();
38136 - }
38137 - lpfc_transport_template =
38138 - fc_attach_transport(&lpfc_transport_functions);
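Review bot: the stores `*(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;` and the matching vport_delete line cast away the member's function-pointer type, so the compiler no longer checks that lpfc_vport_create and lpfc_vport_delete match the prototypes the transport expects. The pax_open_kernel()/pax_close_kernel() window is as small as it can be here and should stay that way, but a cast to a non-const pointer of the member's own function-pointer type, rather than to void *, would keep a signature mismatch a build error.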
38139 -diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c
38140 ---- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-27 14:31:47.000000000 -0400
38141 -+++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-04 17:56:28.000000000 -0400
38142 -@@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
38143 - uint32_t evt_posted;
38144 -
38145 - spin_lock_irqsave(&phba->hbalock, flags);
38146 -- atomic_inc(&phba->num_rsrc_err);
38147 -+ atomic_inc_unchecked(&phba->num_rsrc_err);
38148 - phba->last_rsrc_error_time = jiffies;
38149 -
38150 - if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
38151 -@@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
38152 - unsigned long flags;
38153 - struct lpfc_hba *phba = vport->phba;
38154 - uint32_t evt_posted;
38155 -- atomic_inc(&phba->num_cmd_success);
38156 -+ atomic_inc_unchecked(&phba->num_cmd_success);
38157 -
38158 - if (vport->cfg_lun_queue_depth <= queue_depth)
38159 - return;
38160 -@@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38161 - int i;
38162 - struct lpfc_rport_data *rdata;
38163 -
38164 -- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
38165 -- num_cmd_success = atomic_read(&phba->num_cmd_success);
38166 -+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
38167 -+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
38168 -
38169 - vports = lpfc_create_vport_work_array(phba);
38170 - if (vports != NULL)
38171 -@@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
38172 - }
38173 - }
38174 - lpfc_destroy_vport_work_array(phba, vports);
38175 -- atomic_set(&phba->num_rsrc_err, 0);
38176 -- atomic_set(&phba->num_cmd_success, 0);
38177 -+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
38178 -+ atomic_set_unchecked(&phba->num_cmd_success, 0);
38179 - }
38180 -
38181 - /**
38182 -@@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
38183 - }
38184 - }
38185 - lpfc_destroy_vport_work_array(phba, vports);
38186 -- atomic_set(&phba->num_rsrc_err, 0);
38187 -- atomic_set(&phba->num_cmd_success, 0);
38188 -+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
38189 -+ atomic_set_unchecked(&phba->num_cmd_success, 0);
38190 - }
38191 -
38192 - /**
38193 -diff -urNp linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c
38194 ---- linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-27 14:31:47.000000000 -0400
38195 -+++ linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:46:57.000000000 -0400
38196 -@@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
38197 - int rval;
38198 - int i;
38199 -
38200 -+ pax_track_stack();
38201 -+
38202 - // Allocate memory for the base list of scb for management module.
38203 - adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
38204 -
38205 -diff -urNp linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c
38206 ---- linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-03-27 14:31:47.000000000 -0400
38207 -+++ linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:46:57.000000000 -0400
38208 -@@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
38209 - int nelem = ARRAY_SIZE(get_attrs), a = 0;
38210 - int ret;
38211 -
38212 -+ pax_track_stack();
38213 -+
38214 - or = osd_start_request(od, GFP_KERNEL);
38215 - if (!or)
38216 - return -ENOMEM;
38217 -diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.c linux-2.6.32.46/drivers/scsi/pmcraid.c
38218 ---- linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:35:29.000000000 -0400
38219 -+++ linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:33:59.000000000 -0400
38220 -@@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
38221 - res->scsi_dev = scsi_dev;
38222 - scsi_dev->hostdata = res;
38223 - res->change_detected = 0;
38224 -- atomic_set(&res->read_failures, 0);
38225 -- atomic_set(&res->write_failures, 0);
38226 -+ atomic_set_unchecked(&res->read_failures, 0);
38227 -+ atomic_set_unchecked(&res->write_failures, 0);
38228 - rc = 0;
38229 - }
38230 - spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
38231 -@@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
38232 -
38233 - /* If this was a SCSI read/write command keep count of errors */
38234 - if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
38235 -- atomic_inc(&res->read_failures);
38236 -+ atomic_inc_unchecked(&res->read_failures);
38237 - else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
38238 -- atomic_inc(&res->write_failures);
38239 -+ atomic_inc_unchecked(&res->write_failures);
38240 -
38241 - if (!RES_IS_GSCSI(res->cfg_entry) &&
38242 - masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
38243 -@@ -4116,7 +4116,7 @@ static void pmcraid_worker_function(stru
38244 -
38245 - pinstance = container_of(workp, struct pmcraid_instance, worker_q);
38246 - /* add resources only after host is added into system */
38247 -- if (!atomic_read(&pinstance->expose_resources))
38248 -+ if (!atomic_read_unchecked(&pinstance->expose_resources))
38249 - return;
38250 -
38251 - spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
38252 -@@ -4850,7 +4850,7 @@ static int __devinit pmcraid_init_instan
38253 - init_waitqueue_head(&pinstance->reset_wait_q);
38254 -
38255 - atomic_set(&pinstance->outstanding_cmds, 0);
38256 -- atomic_set(&pinstance->expose_resources, 0);
38257 -+ atomic_set_unchecked(&pinstance->expose_resources, 0);
38258 -
38259 - INIT_LIST_HEAD(&pinstance->free_res_q);
38260 - INIT_LIST_HEAD(&pinstance->used_res_q);
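Review bot: `atomic_set_unchecked(&pinstance->expose_resources, 0);` sits directly below `atomic_set(&pinstance->outstanding_cmds, 0);`, and the hunk does not say why one field is exempt from overflow checking and the other is not. In the hunks shown, expose_resources is only set to 0 or 1 and tested with `!atomic_read_unchecked(...)`, so it is a flag that cannot overflow; a comment on the field in pmcraid.h saying so would explain the split.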
38261 -@@ -5502,7 +5502,7 @@ static int __devinit pmcraid_probe(
38262 - /* Schedule worker thread to handle CCN and take care of adding and
38263 - * removing devices to OS
38264 - */
38265 -- atomic_set(&pinstance->expose_resources, 1);
38266 -+ atomic_set_unchecked(&pinstance->expose_resources, 1);
38267 - schedule_work(&pinstance->worker_q);
38268 - return rc;
38269 -
38270 -diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.h linux-2.6.32.46/drivers/scsi/pmcraid.h
38271 ---- linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-03-27 14:31:47.000000000 -0400
38272 -+++ linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-05-04 17:56:28.000000000 -0400
38273 -@@ -690,7 +690,7 @@ struct pmcraid_instance {
38274 - atomic_t outstanding_cmds;
38275 -
38276 - /* should add/delete resources to mid-layer now ?*/
38277 -- atomic_t expose_resources;
38278 -+ atomic_unchecked_t expose_resources;
38279 -
38280 - /* Tasklet to handle deferred processing */
38281 - struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
38282 -@@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
38283 - struct list_head queue; /* link to "to be exposed" resources */
38284 - struct pmcraid_config_table_entry cfg_entry;
38285 - struct scsi_device *scsi_dev; /* Link scsi_device structure */
38286 -- atomic_t read_failures; /* count of failed READ commands */
38287 -- atomic_t write_failures; /* count of failed WRITE commands */
38288 -+ atomic_unchecked_t read_failures; /* count of failed READ commands */
38289 -+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
38290 -
38291 - /* To indicate add/delete/modify during CCN */
38292 - u8 change_detected;
38293 -diff -urNp linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h
38294 ---- linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-03-27 14:31:47.000000000 -0400
38295 -+++ linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-08-05 20:33:55.000000000 -0400
38296 -@@ -2089,7 +2089,7 @@ struct isp_operations {
38297 -
38298 - int (*get_flash_version) (struct scsi_qla_host *, void *);
38299 - int (*start_scsi) (srb_t *);
38300 --};
38301 -+} __no_const;
38302 -
38303 - /* MSI-X Support *************************************************************/
38304 -
38305 -diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h
38306 ---- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-03-27 14:31:47.000000000 -0400
38307 -+++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-05-04 17:56:28.000000000 -0400
38308 -@@ -240,7 +240,7 @@ struct ddb_entry {
38309 - atomic_t retry_relogin_timer; /* Min Time between relogins
38310 - * (4000 only) */
38311 - atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
38312 -- atomic_t relogin_retry_count; /* Num of times relogin has been
38313 -+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
38314 - * retried */
38315 -
38316 - uint16_t port;
38317 -diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c
38318 ---- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-03-27 14:31:47.000000000 -0400
38319 -+++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-05-04 17:56:28.000000000 -0400
38320 -@@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
38321 - atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
38322 - atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
38323 - atomic_set(&ddb_entry->relogin_timer, 0);
38324 -- atomic_set(&ddb_entry->relogin_retry_count, 0);
38325 -+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
38326 - atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
38327 - list_add_tail(&ddb_entry->list, &ha->ddb_list);
38328 - ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
38329 -@@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
38330 - atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
38331 - atomic_set(&ddb_entry->port_down_timer,
38332 - ha->port_down_retry_count);
38333 -- atomic_set(&ddb_entry->relogin_retry_count, 0);
38334 -+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
38335 - atomic_set(&ddb_entry->relogin_timer, 0);
38336 - clear_bit(DF_RELOGIN, &ddb_entry->flags);
38337 - clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
38338 -diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c
38339 ---- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-03-27 14:31:47.000000000 -0400
38340 -+++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-05-04 17:56:28.000000000 -0400
38341 -@@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
38342 - ddb_entry->fw_ddb_device_state ==
38343 - DDB_DS_SESSION_FAILED) {
38344 - /* Reset retry relogin timer */
38345 -- atomic_inc(&ddb_entry->relogin_retry_count);
38346 -+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
38347 - DEBUG2(printk("scsi%ld: index[%d] relogin"
38348 - " timed out-retrying"
38349 - " relogin (%d)\n",
38350 - ha->host_no,
38351 - ddb_entry->fw_ddb_index,
38352 -- atomic_read(&ddb_entry->
38353 -+ atomic_read_unchecked(&ddb_entry->
38354 - relogin_retry_count))
38355 - );
38356 - start_dpc++;
38357 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi.c linux-2.6.32.46/drivers/scsi/scsi.c
38358 ---- linux-2.6.32.46/drivers/scsi/scsi.c 2011-03-27 14:31:47.000000000 -0400
38359 -+++ linux-2.6.32.46/drivers/scsi/scsi.c 2011-05-04 17:56:28.000000000 -0400
38360 -@@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
38361 - unsigned long timeout;
38362 - int rtn = 0;
38363 -
38364 -- atomic_inc(&cmd->device->iorequest_cnt);
38365 -+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
38366 -
38367 - /* check if the device is still usable */
38368 - if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
38369 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_debug.c linux-2.6.32.46/drivers/scsi/scsi_debug.c
38370 ---- linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-03-27 14:31:47.000000000 -0400
38371 -+++ linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-05-16 21:46:57.000000000 -0400
38372 -@@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
38373 - unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
38374 - unsigned char *cmd = (unsigned char *)scp->cmnd;
38375 -
38376 -+ pax_track_stack();
38377 -+
38378 - if ((errsts = check_readiness(scp, 1, devip)))
38379 - return errsts;
38380 - memset(arr, 0, sizeof(arr));
38381 -@@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
38382 - unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
38383 - unsigned char *cmd = (unsigned char *)scp->cmnd;
38384 -
38385 -+ pax_track_stack();
38386 -+
38387 - if ((errsts = check_readiness(scp, 1, devip)))
38388 - return errsts;
38389 - memset(arr, 0, sizeof(arr));
38390 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_lib.c linux-2.6.32.46/drivers/scsi/scsi_lib.c
38391 ---- linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:01.000000000 -0400
38392 -+++ linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:33.000000000 -0400
38393 -@@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
38394 -
38395 - scsi_init_cmd_errh(cmd);
38396 - cmd->result = DID_NO_CONNECT << 16;
38397 -- atomic_inc(&cmd->device->iorequest_cnt);
38398 -+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
38399 -
38400 - /*
38401 - * SCSI request completion path will do scsi_device_unbusy(),
38402 -@@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
38403 - */
38404 - cmd->serial_number = 0;
38405 -
38406 -- atomic_inc(&cmd->device->iodone_cnt);
38407 -+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
38408 - if (cmd->result)
38409 -- atomic_inc(&cmd->device->ioerr_cnt);
38410 -+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
38411 -
38412 - disposition = scsi_decide_disposition(cmd);
38413 - if (disposition != SUCCESS &&
38414 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_sysfs.c linux-2.6.32.46/drivers/scsi/scsi_sysfs.c
38415 ---- linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:34.000000000 -0400
38416 -+++ linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:56:37.000000000 -0400
38417 -@@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
38418 - char *buf) \
38419 - { \
38420 - struct scsi_device *sdev = to_scsi_device(dev); \
38421 -- unsigned long long count = atomic_read(&sdev->field); \
38422 -+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
38423 - return snprintf(buf, 20, "0x%llx\n", count); \
38424 - } \
38425 - static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
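Review bot: in show_iostat_##field, `unsigned long long count = atomic_read_unchecked(&sdev->field);` widens the counter to 64 bits, and with the I/O counters now allowed to wrap (assuming atomic_read_unchecked() returns a signed int as atomic_read() does), a value past INT_MAX is sign-extended and printed by `"0x%llx\n"` as 0xffffffff followed by the low 32 bits. Reading into an unsigned int first, or casting the result, would keep the sysfs output a plain 32-bit value across the wrap.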
38426 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c
38427 ---- linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-03-27 14:31:47.000000000 -0400
38428 -+++ linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-10-06 09:37:14.000000000 -0400
38429 -@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
38430 - int err;
38431 -
38432 - dprintk("%lx %u\n", uaddr, len);
38433 -- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
38434 -+ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
38435 - if (err) {
38436 - /*
38437 - * TODO: need to fixup sg_tablesize, max_segment_size,
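Review bot: `(void __user *)uaddr` in scsi_map_user_pages() only changes the annotation at the call site; the `dprintk("%lx %u\n", uaddr, len)` line above shows uaddr is still carried as an integer. Typing the parameter as a __user pointer in the function signature would let sparse check every use of it, instead of relying on a cast at this one call.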
38438 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c
38439 ---- linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
38440 -+++ linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
38441 -@@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
38442 - * Netlink Infrastructure
38443 - */
38444 -
38445 --static atomic_t fc_event_seq;
38446 -+static atomic_unchecked_t fc_event_seq;
38447 -
38448 - /**
38449 - * fc_get_event_number - Obtain the next sequential FC event number
38450 -@@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
38451 - u32
38452 - fc_get_event_number(void)
38453 - {
38454 -- return atomic_add_return(1, &fc_event_seq);
38455 -+ return atomic_add_return_unchecked(1, &fc_event_seq);
38456 - }
38457 - EXPORT_SYMBOL(fc_get_event_number);
38458 -
38459 -@@ -641,7 +641,7 @@ static __init int fc_transport_init(void
38460 - {
38461 - int error;
38462 -
38463 -- atomic_set(&fc_event_seq, 0);
38464 -+ atomic_set_unchecked(&fc_event_seq, 0);
38465 -
38466 - error = transport_class_register(&fc_host_class);
38467 - if (error)
38468 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c
38469 ---- linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-03-27 14:31:47.000000000 -0400
38470 -+++ linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-05-04 17:56:28.000000000 -0400
38471 -@@ -81,7 +81,7 @@ struct iscsi_internal {
38472 - struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
38473 - };
38474 -
38475 --static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
38476 -+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
38477 - static struct workqueue_struct *iscsi_eh_timer_workq;
38478 -
38479 - /*
38480 -@@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
38481 - int err;
38482 -
38483 - ihost = shost->shost_data;
38484 -- session->sid = atomic_add_return(1, &iscsi_session_nr);
38485 -+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
38486 -
38487 - if (id == ISCSI_MAX_TARGET) {
38488 - for (id = 0; id < ISCSI_MAX_TARGET; id++) {
38489 -@@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
38490 - printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
38491 - ISCSI_TRANSPORT_VERSION);
38492 -
38493 -- atomic_set(&iscsi_session_nr, 0);
38494 -+ atomic_set_unchecked(&iscsi_session_nr, 0);
38495 -
38496 - err = class_register(&iscsi_transport_class);
38497 - if (err)
38498 -diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c
38499 ---- linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-03-27 14:31:47.000000000 -0400
38500 -+++ linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-05-04 17:56:28.000000000 -0400
38501 -@@ -33,7 +33,7 @@
38502 - #include "scsi_transport_srp_internal.h"
38503 -
38504 - struct srp_host_attrs {
38505 -- atomic_t next_port_id;
38506 -+ atomic_unchecked_t next_port_id;
38507 - };
38508 - #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
38509 -
38510 -@@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
38511 - struct Scsi_Host *shost = dev_to_shost(dev);
38512 - struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
38513 -
38514 -- atomic_set(&srp_host->next_port_id, 0);
38515 -+ atomic_set_unchecked(&srp_host->next_port_id, 0);
38516 - return 0;
38517 - }
38518 -
38519 -@@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
38520 - memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
38521 - rport->roles = ids->roles;
38522 -
38523 -- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
38524 -+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
38525 - dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
38526 -
38527 - transport_setup_device(&rport->dev);
38528 -diff -urNp linux-2.6.32.46/drivers/scsi/sg.c linux-2.6.32.46/drivers/scsi/sg.c
38529 ---- linux-2.6.32.46/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
38530 -+++ linux-2.6.32.46/drivers/scsi/sg.c 2011-10-06 09:37:08.000000000 -0400
38531 -@@ -1064,7 +1064,7 @@ sg_ioctl(struct inode *inode, struct fil
38532 - sdp->disk->disk_name,
38533 - MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
38534 - NULL,
38535 -- (char *)arg);
38536 -+ (char __user *)arg);
38537 - case BLKTRACESTART:
38538 - return blk_trace_startstop(sdp->device->request_queue, 1);
38539 - case BLKTRACESTOP:
38540 -@@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
38541 - const struct file_operations * fops;
38542 - };
38543 -
38544 --static struct sg_proc_leaf sg_proc_leaf_arr[] = {
38545 -+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
38546 - {"allow_dio", &adio_fops},
38547 - {"debug", &debug_fops},
38548 - {"def_reserved_size", &dressz_fops},
38549 -@@ -2307,7 +2307,7 @@ sg_proc_init(void)
38550 - {
38551 - int k, mask;
38552 - int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
38553 -- struct sg_proc_leaf * leaf;
38554 -+ const struct sg_proc_leaf * leaf;
38555 -
38556 - sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
38557 - if (!sg_proc_sgp)
38558 -diff -urNp linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c
38559 ---- linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-27 14:31:47.000000000 -0400
38560 -+++ linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:46:57.000000000 -0400
38561 -@@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
38562 - int do_iounmap = 0;
38563 - int do_disable_device = 1;
38564 -
38565 -+ pax_track_stack();
38566 -+
38567 - memset(&sym_dev, 0, sizeof(sym_dev));
38568 - memset(&nvram, 0, sizeof(nvram));
38569 - sym_dev.pdev = pdev;
38570 -diff -urNp linux-2.6.32.46/drivers/serial/kgdboc.c linux-2.6.32.46/drivers/serial/kgdboc.c
38571 ---- linux-2.6.32.46/drivers/serial/kgdboc.c 2011-03-27 14:31:47.000000000 -0400
38572 -+++ linux-2.6.32.46/drivers/serial/kgdboc.c 2011-04-17 15:56:46.000000000 -0400
38573 -@@ -18,7 +18,7 @@
38574 -
38575 - #define MAX_CONFIG_LEN 40
38576 -
38577 --static struct kgdb_io kgdboc_io_ops;
38578 -+static const struct kgdb_io kgdboc_io_ops;
38579 -
38580 - /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
38581 - static int configured = -1;
38582 -@@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
38583 - module_put(THIS_MODULE);
38584 - }
38585 -
38586 --static struct kgdb_io kgdboc_io_ops = {
38587 -+static const struct kgdb_io kgdboc_io_ops = {
38588 - .name = "kgdboc",
38589 - .read_char = kgdboc_get_char,
38590 - .write_char = kgdboc_put_char,
38591 -diff -urNp linux-2.6.32.46/drivers/spi/spi.c linux-2.6.32.46/drivers/spi/spi.c
38592 ---- linux-2.6.32.46/drivers/spi/spi.c 2011-03-27 14:31:47.000000000 -0400
38593 -+++ linux-2.6.32.46/drivers/spi/spi.c 2011-05-04 17:56:28.000000000 -0400
38594 -@@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
38595 - EXPORT_SYMBOL_GPL(spi_sync);
38596 -
38597 - /* portable code must never pass more than 32 bytes */
38598 --#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
38599 -+#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
38600 -
38601 - static u8 *buf;
38602 -
38603 -diff -urNp linux-2.6.32.46/drivers/staging/android/binder.c linux-2.6.32.46/drivers/staging/android/binder.c
38604 ---- linux-2.6.32.46/drivers/staging/android/binder.c 2011-03-27 14:31:47.000000000 -0400
38605 -+++ linux-2.6.32.46/drivers/staging/android/binder.c 2011-04-17 15:56:46.000000000 -0400
38606 -@@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
38607 - binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
38608 - }
38609 -
38610 --static struct vm_operations_struct binder_vm_ops = {
38611 -+static const struct vm_operations_struct binder_vm_ops = {
38612 - .open = binder_vma_open,
38613 - .close = binder_vma_close,
38614 - };
38615 -diff -urNp linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c
38616 ---- linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-03-27 14:31:47.000000000 -0400
38617 -+++ linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-04-17 15:56:46.000000000 -0400
38618 -@@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
38619 - return VM_FAULT_NOPAGE;
38620 - }
38621 -
38622 --static struct vm_operations_struct b3dfg_vm_ops = {
38623 -+static const struct vm_operations_struct b3dfg_vm_ops = {
38624 - .fault = b3dfg_vma_fault,
38625 - };
38626 -
38627 -@@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
38628 - return r;
38629 - }
38630 -
38631 --static struct file_operations b3dfg_fops = {
38632 -+static const struct file_operations b3dfg_fops = {
38633 - .owner = THIS_MODULE,
38634 - .open = b3dfg_open,
38635 - .release = b3dfg_release,
38636 -diff -urNp linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c
38637 ---- linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:35:29.000000000 -0400
38638 -+++ linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:34:00.000000000 -0400
38639 -@@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
38640 - mutex_unlock(&dev->mutex);
38641 - }
38642 -
38643 --static struct vm_operations_struct comedi_vm_ops = {
38644 -+static const struct vm_operations_struct comedi_vm_ops = {
38645 - .close = comedi_unmap,
38646 - };
38647 -
38648 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c
38649 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-03-27 14:31:47.000000000 -0400
38650 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-04-17 15:56:46.000000000 -0400
38651 -@@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
38652 - static dev_t adsp_devno;
38653 - static struct class *adsp_class;
38654 -
38655 --static struct file_operations adsp_fops = {
38656 -+static const struct file_operations adsp_fops = {
38657 - .owner = THIS_MODULE,
38658 - .open = adsp_open,
38659 - .unlocked_ioctl = adsp_ioctl,
38660 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c
38661 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-03-27 14:31:47.000000000 -0400
38662 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-04-17 15:56:46.000000000 -0400
38663 -@@ -1022,7 +1022,7 @@ done:
38664 - return rc;
38665 - }
38666 -
38667 --static struct file_operations audio_aac_fops = {
38668 -+static const struct file_operations audio_aac_fops = {
38669 - .owner = THIS_MODULE,
38670 - .open = audio_open,
38671 - .release = audio_release,
38672 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c
38673 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-03-27 14:31:47.000000000 -0400
38674 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-04-17 15:56:46.000000000 -0400
38675 -@@ -833,7 +833,7 @@ done:
38676 - return rc;
38677 - }
38678 -
38679 --static struct file_operations audio_amrnb_fops = {
38680 -+static const struct file_operations audio_amrnb_fops = {
38681 - .owner = THIS_MODULE,
38682 - .open = audamrnb_open,
38683 - .release = audamrnb_release,
38684 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c
38685 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-03-27 14:31:47.000000000 -0400
38686 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-04-17 15:56:46.000000000 -0400
38687 -@@ -805,7 +805,7 @@ dma_fail:
38688 - return rc;
38689 - }
38690 -
38691 --static struct file_operations audio_evrc_fops = {
38692 -+static const struct file_operations audio_evrc_fops = {
38693 - .owner = THIS_MODULE,
38694 - .open = audevrc_open,
38695 - .release = audevrc_release,
38696 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c
38697 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-03-27 14:31:47.000000000 -0400
38698 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-04-17 15:56:46.000000000 -0400
38699 -@@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
38700 - return 0;
38701 - }
38702 -
38703 --static struct file_operations audio_fops = {
38704 -+static const struct file_operations audio_fops = {
38705 - .owner = THIS_MODULE,
38706 - .open = audio_in_open,
38707 - .release = audio_in_release,
38708 -@@ -922,7 +922,7 @@ static struct file_operations audio_fops
38709 - .unlocked_ioctl = audio_in_ioctl,
38710 - };
38711 -
38712 --static struct file_operations audpre_fops = {
38713 -+static const struct file_operations audpre_fops = {
38714 - .owner = THIS_MODULE,
38715 - .open = audpre_open,
38716 - .unlocked_ioctl = audpre_ioctl,
38717 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c
38718 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-03-27 14:31:47.000000000 -0400
38719 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-04-17 15:56:46.000000000 -0400
38720 -@@ -941,7 +941,7 @@ done:
38721 - return rc;
38722 - }
38723 -
38724 --static struct file_operations audio_mp3_fops = {
38725 -+static const struct file_operations audio_mp3_fops = {
38726 - .owner = THIS_MODULE,
38727 - .open = audio_open,
38728 - .release = audio_release,
38729 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c
38730 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-03-27 14:31:47.000000000 -0400
38731 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-04-17 15:56:46.000000000 -0400
38732 -@@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
38733 - return 0;
38734 - }
38735 -
38736 --static struct file_operations audio_fops = {
38737 -+static const struct file_operations audio_fops = {
38738 - .owner = THIS_MODULE,
38739 - .open = audio_open,
38740 - .release = audio_release,
38741 -@@ -819,7 +819,7 @@ static struct file_operations audio_fops
38742 - .unlocked_ioctl = audio_ioctl,
38743 - };
38744 -
38745 --static struct file_operations audpp_fops = {
38746 -+static const struct file_operations audpp_fops = {
38747 - .owner = THIS_MODULE,
38748 - .open = audpp_open,
38749 - .unlocked_ioctl = audpp_ioctl,
38750 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c
38751 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-03-27 14:31:47.000000000 -0400
38752 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-04-17 15:56:46.000000000 -0400
38753 -@@ -816,7 +816,7 @@ err:
38754 - return rc;
38755 - }
38756 -
38757 --static struct file_operations audio_qcelp_fops = {
38758 -+static const struct file_operations audio_qcelp_fops = {
38759 - .owner = THIS_MODULE,
38760 - .open = audqcelp_open,
38761 - .release = audqcelp_release,
38762 -diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c
38763 ---- linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-03-27 14:31:47.000000000 -0400
38764 -+++ linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-04-17 15:56:46.000000000 -0400
38765 -@@ -242,7 +242,7 @@ err:
38766 - return rc;
38767 - }
38768 -
38769 --static struct file_operations snd_fops = {
38770 -+static const struct file_operations snd_fops = {
38771 - .owner = THIS_MODULE,
38772 - .open = snd_open,
38773 - .release = snd_release,
38774 -diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c
38775 ---- linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-03-27 14:31:47.000000000 -0400
38776 -+++ linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-04-17 15:56:46.000000000 -0400
38777 -@@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
38778 - return 0;
38779 - }
38780 -
38781 --static struct file_operations qmi_fops = {
38782 -+static const struct file_operations qmi_fops = {
38783 - .owner = THIS_MODULE,
38784 - .read = qmi_read,
38785 - .write = qmi_write,
38786 -diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c
38787 ---- linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-03-27 14:31:47.000000000 -0400
38788 -+++ linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-04-17 15:56:46.000000000 -0400
38789 -@@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
38790 - return rc;
38791 - }
38792 -
38793 --static struct file_operations rpcrouter_server_fops = {
38794 -+static const struct file_operations rpcrouter_server_fops = {
38795 - .owner = THIS_MODULE,
38796 - .open = rpcrouter_open,
38797 - .release = rpcrouter_release,
38798 -@@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
38799 - .unlocked_ioctl = rpcrouter_ioctl,
38800 - };
38801 -
38802 --static struct file_operations rpcrouter_router_fops = {
38803 -+static const struct file_operations rpcrouter_router_fops = {
38804 - .owner = THIS_MODULE,
38805 - .open = rpcrouter_open,
38806 - .release = rpcrouter_release,
38807 -diff -urNp linux-2.6.32.46/drivers/staging/dst/dcore.c linux-2.6.32.46/drivers/staging/dst/dcore.c
38808 ---- linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-03-27 14:31:47.000000000 -0400
38809 -+++ linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-04-17 15:56:46.000000000 -0400
38810 -@@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
38811 - return 0;
38812 - }
38813 -
38814 --static struct block_device_operations dst_blk_ops = {
38815 -+static const struct block_device_operations dst_blk_ops = {
38816 - .open = dst_bdev_open,
38817 - .release = dst_bdev_release,
38818 - .owner = THIS_MODULE,
38819 -@@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
38820 - n->size = ctl->size;
38821 -
38822 - atomic_set(&n->refcnt, 1);
38823 -- atomic_long_set(&n->gen, 0);
38824 -+ atomic_long_set_unchecked(&n->gen, 0);
38825 - snprintf(n->name, sizeof(n->name), "%s", ctl->name);
38826 -
38827 - err = dst_node_sysfs_init(n);
38828 -diff -urNp linux-2.6.32.46/drivers/staging/dst/trans.c linux-2.6.32.46/drivers/staging/dst/trans.c
38829 ---- linux-2.6.32.46/drivers/staging/dst/trans.c 2011-03-27 14:31:47.000000000 -0400
38830 -+++ linux-2.6.32.46/drivers/staging/dst/trans.c 2011-04-17 15:56:46.000000000 -0400
38831 -@@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
38832 - t->error = 0;
38833 - t->retries = 0;
38834 - atomic_set(&t->refcnt, 1);
38835 -- t->gen = atomic_long_inc_return(&n->gen);
38836 -+ t->gen = atomic_long_inc_return_unchecked(&n->gen);
38837 -
38838 - t->enc = bio_data_dir(bio);
38839 - dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
38840 -diff -urNp linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c
38841 ---- linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-03-27 14:31:47.000000000 -0400
38842 -+++ linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-05-04 17:56:28.000000000 -0400
38843 -@@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
38844 - struct net_device_stats *stats = &etdev->net_stats;
38845 -
38846 - if (pMpTcb->Flags & fMP_DEST_BROAD)
38847 -- atomic_inc(&etdev->Stats.brdcstxmt);
38848 -+ atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
38849 - else if (pMpTcb->Flags & fMP_DEST_MULTI)
38850 -- atomic_inc(&etdev->Stats.multixmt);
38851 -+ atomic_inc_unchecked(&etdev->Stats.multixmt);
38852 - else
38853 -- atomic_inc(&etdev->Stats.unixmt);
38854 -+ atomic_inc_unchecked(&etdev->Stats.unixmt);
38855 -
38856 - if (pMpTcb->Packet) {
38857 - stats->tx_bytes += pMpTcb->Packet->len;
38858 -diff -urNp linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h
38859 ---- linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-03-27 14:31:47.000000000 -0400
38860 -+++ linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-05-04 17:56:28.000000000 -0400
38861 -@@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
38862 - * operations
38863 - */
38864 - u32 unircv; /* # multicast packets received */
38865 -- atomic_t unixmt; /* # multicast packets for Tx */
38866 -+ atomic_unchecked_t unixmt; /* # multicast packets for Tx */
38867 - u32 multircv; /* # multicast packets received */
38868 -- atomic_t multixmt; /* # multicast packets for Tx */
38869 -+ atomic_unchecked_t multixmt; /* # multicast packets for Tx */
38870 - u32 brdcstrcv; /* # broadcast packets received */
38871 -- atomic_t brdcstxmt; /* # broadcast packets for Tx */
38872 -+ atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
38873 - u32 norcvbuf; /* # Rx packets discarded */
38874 - u32 noxmtbuf; /* # Tx packets discarded */
38875 -
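Review bot: the comment on the retyped unixmt field still reads "# multicast packets for Tx" (and unircv above it says "# multicast packets received"), although the et1310_tx.c hunk increments unixmt only in the branch that is neither fMP_DEST_BROAD nor fMP_DEST_MULTI. Since these lines are being rewritten anyway, correct the comment to say unicast so the counter's meaning matches its use.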
38876 -diff -urNp linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c
38877 ---- linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-03-27 14:31:47.000000000 -0400
38878 -+++ linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:56:46.000000000 -0400
38879 -@@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
38880 - return 0;
38881 - }
38882 -
38883 --static struct vm_operations_struct go7007_vm_ops = {
38884 -+static const struct vm_operations_struct go7007_vm_ops = {
38885 - .open = go7007_vm_open,
38886 - .close = go7007_vm_close,
38887 - .fault = go7007_vm_fault,
38888 -diff -urNp linux-2.6.32.46/drivers/staging/hv/Channel.c linux-2.6.32.46/drivers/staging/hv/Channel.c
38889 ---- linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-04-17 17:00:52.000000000 -0400
38890 -+++ linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-05-04 17:56:28.000000000 -0400
38891 -@@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
38892 -
38893 - DPRINT_ENTER(VMBUS);
38894 -
38895 -- nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
38896 -- atomic_inc(&gVmbusConnection.NextGpadlHandle);
38897 -+ nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
38898 -+ atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
38899 -
38900 - VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
38901 - ASSERT(msgInfo != NULL);
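Review bot: the read and the increment of gVmbusConnection.NextGpadlHandle remain two separate atomic operations after the conversion, so unless callers of VmbusChannelEstablishGpadl() are serialised elsewhere, two of them can read the same value before either increments it and end up with the same handle. Both lines are touched here already; a single atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle), minus 1 if the pre-increment value is needed, would close that window.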
38902 -diff -urNp linux-2.6.32.46/drivers/staging/hv/Hv.c linux-2.6.32.46/drivers/staging/hv/Hv.c
38903 ---- linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-03-27 14:31:47.000000000 -0400
38904 -+++ linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-04-17 15:56:46.000000000 -0400
38905 -@@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
38906 - u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
38907 - u32 outputAddressHi = outputAddress >> 32;
38908 - u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
38909 -- volatile void *hypercallPage = gHvContext.HypercallPage;
38910 -+ volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
38911 -
38912 - DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
38913 - Control, Input, Output);
38914 -diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusApi.h linux-2.6.32.46/drivers/staging/hv/VmbusApi.h
38915 ---- linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-03-27 14:31:47.000000000 -0400
38916 -+++ linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-08-29 22:32:57.000000000 -0400
38917 -@@ -109,7 +109,7 @@ struct vmbus_channel_interface {
38918 - u32 *GpadlHandle);
38919 - int (*TeardownGpadl)(struct hv_device *device, u32 GpadlHandle);
38920 - void (*GetInfo)(struct hv_device *dev, struct hv_device_info *devinfo);
38921 --};
38922 -+} __no_const;
38923 -
38924 - /* Base driver object */
38925 - struct hv_driver {
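Review bot: __no_const is attached to struct vmbus_channel_interface with no comment saying why this table of function pointers has to stay writable. Add a one-line comment naming the code that assigns its members at run time, so the exemption can be revisited if that code changes.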
38926 -diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h
38927 ---- linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-04-17 17:00:52.000000000 -0400
38928 -+++ linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-05-04 17:56:28.000000000 -0400
38929 -@@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
38930 - struct VMBUS_CONNECTION {
38931 - enum VMBUS_CONNECT_STATE ConnectState;
38932 -
38933 -- atomic_t NextGpadlHandle;
38934 -+ atomic_unchecked_t NextGpadlHandle;
38935 -
38936 - /*
38937 - * Represents channel interrupts. Each bit position represents a
38938 -diff -urNp linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c
38939 ---- linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-03-27 14:31:47.000000000 -0400
38940 -+++ linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-04-17 15:56:46.000000000 -0400
38941 -@@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
38942 - /* The one and only one */
38943 - static struct blkvsc_driver_context g_blkvsc_drv;
38944 -
38945 --static struct block_device_operations block_ops = {
38946 -+static const struct block_device_operations block_ops = {
38947 - .owner = THIS_MODULE,
38948 - .open = blkvsc_open,
38949 - .release = blkvsc_release,
38950 -diff -urNp linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c
38951 ---- linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-03-27 14:31:47.000000000 -0400
38952 -+++ linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-05-04 17:56:28.000000000 -0400
38953 -@@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
38954 - to_device_context(root_device_obj);
38955 - struct device_context *child_device_ctx =
38956 - to_device_context(child_device_obj);
38957 -- static atomic_t device_num = ATOMIC_INIT(0);
38958 -+ static atomic_unchecked_t device_num = ATOMIC_INIT(0);
38959 -
38960 - DPRINT_ENTER(VMBUS_DRV);
38961 -
38962 -@@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
38963 -
38964 - /* Set the device name. Otherwise, device_register() will fail. */
38965 - dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
38966 -- atomic_inc_return(&device_num));
38967 -+ atomic_inc_return_unchecked(&device_num));
38968 -
38969 - /* The new device belongs to this bus */
38970 - child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
38971 -diff -urNp linux-2.6.32.46/drivers/staging/iio/ring_generic.h linux-2.6.32.46/drivers/staging/iio/ring_generic.h
38972 ---- linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-03-27 14:31:47.000000000 -0400
38973 -+++ linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-08-23 20:24:26.000000000 -0400
38974 -@@ -87,7 +87,7 @@ struct iio_ring_access_funcs {
38975 -
38976 - int (*is_enabled)(struct iio_ring_buffer *ring);
38977 - int (*enable)(struct iio_ring_buffer *ring);
38978 --};
38979 -+} __no_const;
38980 -
38981 - /**
38982 - * struct iio_ring_buffer - general ring buffer structure
38983 -diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c
38984 ---- linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-03-27 14:31:47.000000000 -0400
38985 -+++ linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-05-04 17:56:28.000000000 -0400
38986 -@@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
38987 - /* Increment RX stats for virtual ports */
38988 - if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
38989 - #ifdef CONFIG_64BIT
38990 -- atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
38991 -- atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
38992 -+ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
38993 -+ atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
38994 - #else
38995 -- atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
38996 -- atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
38997 -+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
38998 -+ atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
38999 - #endif
39000 - }
39001 - netif_receive_skb(skb);
39002 -@@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
39003 - dev->name);
39004 - */
39005 - #ifdef CONFIG_64BIT
39006 -- atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
39007 -+ atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
39008 - #else
39009 -- atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
39010 -+ atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
39011 - #endif
39012 - dev_kfree_skb_irq(skb);
39013 - }
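Review bot: the two added rx_dropped lines call atomic64_add_unchecked() and atomic_add_unchecked() but still cast to (atomic64_t *) and (atomic_t *), unlike the previous hunk in this file and the ethernet.c hunk, which cast to (atomic64_unchecked_t *) and (atomic_unchecked_t *). Change both casts to the _unchecked types so the pointer type matches what the functions take; as written this only works where the checked and unchecked types happen to be interchangeable.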
39014 -diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet.c linux-2.6.32.46/drivers/staging/octeon/ethernet.c
39015 ---- linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-03-27 14:31:47.000000000 -0400
39016 -+++ linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-05-04 17:56:28.000000000 -0400
39017 -@@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
39018 - * since the RX tasklet also increments it.
39019 - */
39020 - #ifdef CONFIG_64BIT
39021 -- atomic64_add(rx_status.dropped_packets,
39022 -- (atomic64_t *)&priv->stats.rx_dropped);
39023 -+ atomic64_add_unchecked(rx_status.dropped_packets,
39024 -+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
39025 - #else
39026 -- atomic_add(rx_status.dropped_packets,
39027 -- (atomic_t *)&priv->stats.rx_dropped);
39028 -+ atomic_add_unchecked(rx_status.dropped_packets,
39029 -+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
39030 - #endif
39031 - }
39032 -
39033 -diff -urNp linux-2.6.32.46/drivers/staging/panel/panel.c linux-2.6.32.46/drivers/staging/panel/panel.c
39034 ---- linux-2.6.32.46/drivers/staging/panel/panel.c 2011-03-27 14:31:47.000000000 -0400
39035 -+++ linux-2.6.32.46/drivers/staging/panel/panel.c 2011-04-17 15:56:46.000000000 -0400
39036 -@@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
39037 - return 0;
39038 - }
39039 -
39040 --static struct file_operations lcd_fops = {
39041 -+static const struct file_operations lcd_fops = {
39042 - .write = lcd_write,
39043 - .open = lcd_open,
39044 - .release = lcd_release,
39045 -@@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
39046 - return 0;
39047 - }
39048 -
39049 --static struct file_operations keypad_fops = {
39050 -+static const struct file_operations keypad_fops = {
39051 - .read = keypad_read, /* read */
39052 - .open = keypad_open, /* open */
39053 - .release = keypad_release, /* close */
39054 -diff -urNp linux-2.6.32.46/drivers/staging/phison/phison.c linux-2.6.32.46/drivers/staging/phison/phison.c
39055 ---- linux-2.6.32.46/drivers/staging/phison/phison.c 2011-03-27 14:31:47.000000000 -0400
39056 -+++ linux-2.6.32.46/drivers/staging/phison/phison.c 2011-04-17 15:56:46.000000000 -0400
39057 -@@ -43,7 +43,7 @@ static struct scsi_host_template phison_
39058 - ATA_BMDMA_SHT(DRV_NAME),
39059 - };
39060 -
39061 --static struct ata_port_operations phison_ops = {
39062 -+static const struct ata_port_operations phison_ops = {
39063 - .inherits = &ata_bmdma_port_ops,
39064 - .prereset = phison_pre_reset,
39065 - };
39066 -diff -urNp linux-2.6.32.46/drivers/staging/poch/poch.c linux-2.6.32.46/drivers/staging/poch/poch.c
39067 ---- linux-2.6.32.46/drivers/staging/poch/poch.c 2011-03-27 14:31:47.000000000 -0400
39068 -+++ linux-2.6.32.46/drivers/staging/poch/poch.c 2011-04-17 15:56:46.000000000 -0400
39069 -@@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
39070 - return 0;
39071 - }
39072 -
39073 --static struct file_operations poch_fops = {
39074 -+static const struct file_operations poch_fops = {
39075 - .owner = THIS_MODULE,
39076 - .open = poch_open,
39077 - .release = poch_release,
39078 -diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/inode.c linux-2.6.32.46/drivers/staging/pohmelfs/inode.c
39079 ---- linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-03-27 14:31:47.000000000 -0400
39080 -+++ linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-05-04 17:56:20.000000000 -0400
39081 -@@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
39082 - mutex_init(&psb->mcache_lock);
39083 - psb->mcache_root = RB_ROOT;
39084 - psb->mcache_timeout = msecs_to_jiffies(5000);
39085 -- atomic_long_set(&psb->mcache_gen, 0);
39086 -+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
39087 -
39088 - psb->trans_max_pages = 100;
39089 -
39090 -@@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
39091 - INIT_LIST_HEAD(&psb->crypto_ready_list);
39092 - INIT_LIST_HEAD(&psb->crypto_active_list);
39093 -
39094 -- atomic_set(&psb->trans_gen, 1);
39095 -+ atomic_set_unchecked(&psb->trans_gen, 1);
39096 - atomic_long_set(&psb->total_inodes, 0);
39097 -
39098 - mutex_init(&psb->state_lock);
39099 -diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c
39100 ---- linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-03-27 14:31:47.000000000 -0400
39101 -+++ linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:56:46.000000000 -0400
39102 -@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
39103 - m->data = data;
39104 - m->start = start;
39105 - m->size = size;
39106 -- m->gen = atomic_long_inc_return(&psb->mcache_gen);
39107 -+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
39108 -
39109 - mutex_lock(&psb->mcache_lock);
39110 - err = pohmelfs_mcache_insert(psb, m);
39111 -diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h
39112 ---- linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-03-27 14:31:47.000000000 -0400
39113 -+++ linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-05-04 17:56:20.000000000 -0400
39114 -@@ -570,14 +570,14 @@ struct pohmelfs_config;
39115 - struct pohmelfs_sb {
39116 - struct rb_root mcache_root;
39117 - struct mutex mcache_lock;
39118 -- atomic_long_t mcache_gen;
39119 -+ atomic_long_unchecked_t mcache_gen;
39120 - unsigned long mcache_timeout;
39121 -
39122 - unsigned int idx;
39123 -
39124 - unsigned int trans_retries;
39125 -
39126 -- atomic_t trans_gen;
39127 -+ atomic_unchecked_t trans_gen;
39128 -
39129 - unsigned int crypto_attached_size;
39130 - unsigned int crypto_align_size;
39131 -diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/trans.c linux-2.6.32.46/drivers/staging/pohmelfs/trans.c
39132 ---- linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-03-27 14:31:47.000000000 -0400
39133 -+++ linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-05-04 17:56:28.000000000 -0400
39134 -@@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
39135 - int err;
39136 - struct netfs_cmd *cmd = t->iovec.iov_base;
39137 -
39138 -- t->gen = atomic_inc_return(&psb->trans_gen);
39139 -+ t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
39140 -
39141 - cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
39142 - t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
39143 -diff -urNp linux-2.6.32.46/drivers/staging/sep/sep_driver.c linux-2.6.32.46/drivers/staging/sep/sep_driver.c
39144 ---- linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-03-27 14:31:47.000000000 -0400
39145 -+++ linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-04-17 15:56:46.000000000 -0400
39146 -@@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
39147 - static dev_t sep_devno;
39148 -
39149 - /* the files operations structure of the driver */
39150 --static struct file_operations sep_file_operations = {
39151 -+static const struct file_operations sep_file_operations = {
39152 - .owner = THIS_MODULE,
39153 - .ioctl = sep_ioctl,
39154 - .poll = sep_poll,
39155 -diff -urNp linux-2.6.32.46/drivers/staging/usbip/usbip_common.h linux-2.6.32.46/drivers/staging/usbip/usbip_common.h
39156 ---- linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-04-17 17:00:52.000000000 -0400
39157 -+++ linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-08-23 20:24:26.000000000 -0400
39158 -@@ -374,7 +374,7 @@ struct usbip_device {
39159 - void (*shutdown)(struct usbip_device *);
39160 - void (*reset)(struct usbip_device *);
39161 - void (*unusable)(struct usbip_device *);
39162 -- } eh_ops;
39163 -+ } __no_const eh_ops;
39164 - };
39165 -
39166 -
39167 -diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci.h linux-2.6.32.46/drivers/staging/usbip/vhci.h
39168 ---- linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-03-27 14:31:47.000000000 -0400
39169 -+++ linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-05-04 17:56:28.000000000 -0400
39170 -@@ -92,7 +92,7 @@ struct vhci_hcd {
39171 - unsigned resuming:1;
39172 - unsigned long re_timeout;
39173 -
39174 -- atomic_t seqnum;
39175 -+ atomic_unchecked_t seqnum;
39176 -
39177 - /*
39178 - * NOTE:
39179 -diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c
39180 ---- linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:01.000000000 -0400
39181 -+++ linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:33.000000000 -0400
39182 -@@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
39183 - return;
39184 - }
39185 -
39186 -- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
39187 -+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
39188 - if (priv->seqnum == 0xffff)
39189 - usbip_uinfo("seqnum max\n");
39190 -
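Review bot: switching `seqnum` to `atomic_inc_return_unchecked()` declares wraparound acceptable, but the only handling visible here is the `usbip_uinfo("seqnum max\n")` message when the value equals 0xffff. A one-line comment stating that this is a protocol sequence number rather than a reference count, and what happens when a value is reused, would justify the unchecked variant.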
39191 -@@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
39192 - return -ENOMEM;
39193 - }
39194 -
39195 -- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
39196 -+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
39197 - if (unlink->seqnum == 0xffff)
39198 - usbip_uinfo("seqnum max\n");
39199 -
39200 -@@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
39201 - vdev->rhport = rhport;
39202 - }
39203 -
39204 -- atomic_set(&vhci->seqnum, 0);
39205 -+ atomic_set_unchecked(&vhci->seqnum, 0);
39206 - spin_lock_init(&vhci->lock);
39207 -
39208 -
39209 -diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c
39210 ---- linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-04-17 17:00:52.000000000 -0400
39211 -+++ linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-05-04 17:56:28.000000000 -0400
39212 -@@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
39213 - usbip_uerr("cannot find a urb of seqnum %u\n",
39214 - pdu->base.seqnum);
39215 - usbip_uinfo("max seqnum %d\n",
39216 -- atomic_read(&the_controller->seqnum));
39217 -+ atomic_read_unchecked(&the_controller->seqnum));
39218 - usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
39219 - return;
39220 - }
39221 -diff -urNp linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c
39222 ---- linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-03-27 14:31:47.000000000 -0400
39223 -+++ linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:56:46.000000000 -0400
39224 -@@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
39225 - static int __init vme_user_probe(struct device *, int, int);
39226 - static int __exit vme_user_remove(struct device *, int, int);
39227 -
39228 --static struct file_operations vme_user_fops = {
39229 -+static const struct file_operations vme_user_fops = {
39230 - .open = vme_user_open,
39231 - .release = vme_user_release,
39232 - .read = vme_user_read,
39233 -diff -urNp linux-2.6.32.46/drivers/staging/vt6655/hostap.c linux-2.6.32.46/drivers/staging/vt6655/hostap.c
39234 ---- linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-03-27 14:31:47.000000000 -0400
39235 -+++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-14 09:51:07.000000000 -0400
39236 -@@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic
39237 - PSDevice apdev_priv;
39238 - struct net_device *dev = pDevice->dev;
39239 - int ret;
39240 -- const struct net_device_ops apdev_netdev_ops = {
39241 -+ net_device_ops_no_const apdev_netdev_ops = {
39242 - .ndo_start_xmit = pDevice->tx_80211,
39243 - };
39244 -
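Review bot: `apdev_netdev_ops` is a local variable in `hostap_enable_hostapd()` initialised from `pDevice->tx_80211`, and the change swaps `const struct net_device_ops` for `net_device_ops_no_const` without explanation. Add a comment saying why this table cannot be const, and confirm that nothing keeps a pointer to it once the function returns, since it lives on the stack. The vt6656 copy of this hunk needs the same.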
39245 -diff -urNp linux-2.6.32.46/drivers/staging/vt6656/hostap.c linux-2.6.32.46/drivers/staging/vt6656/hostap.c
39246 ---- linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-03-27 14:31:47.000000000 -0400
39247 -+++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-14 09:49:53.000000000 -0400
39248 -@@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic
39249 - PSDevice apdev_priv;
39250 - struct net_device *dev = pDevice->dev;
39251 - int ret;
39252 -- const struct net_device_ops apdev_netdev_ops = {
39253 -+ net_device_ops_no_const apdev_netdev_ops = {
39254 - .ndo_start_xmit = pDevice->tx_80211,
39255 - };
39256 -
39257 -diff -urNp linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c
39258 ---- linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-03-27 14:31:47.000000000 -0400
39259 -+++ linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-08-23 20:24:26.000000000 -0400
39260 -@@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hf
39261 -
39262 - struct usbctlx_completor {
39263 - int (*complete) (struct usbctlx_completor *);
39264 --};
39265 -+} __no_const;
39266 - typedef struct usbctlx_completor usbctlx_completor_t;
39267 -
39268 - static int
39269 -diff -urNp linux-2.6.32.46/drivers/telephony/ixj.c linux-2.6.32.46/drivers/telephony/ixj.c
39270 ---- linux-2.6.32.46/drivers/telephony/ixj.c 2011-03-27 14:31:47.000000000 -0400
39271 -+++ linux-2.6.32.46/drivers/telephony/ixj.c 2011-05-16 21:46:57.000000000 -0400
39272 -@@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
39273 - bool mContinue;
39274 - char *pIn, *pOut;
39275 -
39276 -+ pax_track_stack();
39277 -+
39278 - if (!SCI_Prepare(j))
39279 - return 0;
39280 -
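Review bot: `pax_track_stack()` is added at the top of `ixj_daa_cid_read()` with no indication of why this function was picked. A comment stating what in this function's stack frame motivates the call would help whoever rebases the patch decide whether it is still needed.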
39281 -diff -urNp linux-2.6.32.46/drivers/uio/uio.c linux-2.6.32.46/drivers/uio/uio.c
39282 ---- linux-2.6.32.46/drivers/uio/uio.c 2011-03-27 14:31:47.000000000 -0400
39283 -+++ linux-2.6.32.46/drivers/uio/uio.c 2011-05-04 17:56:20.000000000 -0400
39284 -@@ -23,6 +23,7 @@
39285 - #include <linux/string.h>
39286 - #include <linux/kobject.h>
39287 - #include <linux/uio_driver.h>
39288 -+#include <asm/local.h>
39289 -
39290 - #define UIO_MAX_DEVICES 255
39291 -
39292 -@@ -30,10 +31,10 @@ struct uio_device {
39293 - struct module *owner;
39294 - struct device *dev;
39295 - int minor;
39296 -- atomic_t event;
39297 -+ atomic_unchecked_t event;
39298 - struct fasync_struct *async_queue;
39299 - wait_queue_head_t wait;
39300 -- int vma_count;
39301 -+ local_t vma_count;
39302 - struct uio_info *info;
39303 - struct kobject *map_dir;
39304 - struct kobject *portio_dir;
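Review bot: `vma_count` changes from `int` to `local_t` without a comment on the intent. `local_t` operations are atomic only with respect to the CPU they run on, so if the goal is to make the count safe against `uio_vma_open()` and `uio_vma_close()` running concurrently on different CPUs, `atomic_t` is the type to use; if the goal is something else, such as overflow detection on the counter, say so next to the field.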
39305 -@@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
39306 - return entry->show(mem, buf);
39307 - }
39308 -
39309 --static struct sysfs_ops map_sysfs_ops = {
39310 -+static const struct sysfs_ops map_sysfs_ops = {
39311 - .show = map_type_show,
39312 - };
39313 -
39314 -@@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
39315 - return entry->show(port, buf);
39316 - }
39317 -
39318 --static struct sysfs_ops portio_sysfs_ops = {
39319 -+static const struct sysfs_ops portio_sysfs_ops = {
39320 - .show = portio_type_show,
39321 - };
39322 -
39323 -@@ -255,7 +256,7 @@ static ssize_t show_event(struct device
39324 - struct uio_device *idev = dev_get_drvdata(dev);
39325 - if (idev)
39326 - return sprintf(buf, "%u\n",
39327 -- (unsigned int)atomic_read(&idev->event));
39328 -+ (unsigned int)atomic_read_unchecked(&idev->event));
39329 - else
39330 - return -ENODEV;
39331 - }
39332 -@@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
39333 - {
39334 - struct uio_device *idev = info->uio_dev;
39335 -
39336 -- atomic_inc(&idev->event);
39337 -+ atomic_inc_unchecked(&idev->event);
39338 - wake_up_interruptible(&idev->wait);
39339 - kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
39340 - }
39341 -@@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
39342 - }
39343 -
39344 - listener->dev = idev;
39345 -- listener->event_count = atomic_read(&idev->event);
39346 -+ listener->event_count = atomic_read_unchecked(&idev->event);
39347 - filep->private_data = listener;
39348 -
39349 - if (idev->info->open) {
39350 -@@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
39351 - return -EIO;
39352 -
39353 - poll_wait(filep, &idev->wait, wait);
39354 -- if (listener->event_count != atomic_read(&idev->event))
39355 -+ if (listener->event_count != atomic_read_unchecked(&idev->event))
39356 - return POLLIN | POLLRDNORM;
39357 - return 0;
39358 - }
39359 -@@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
39360 - do {
39361 - set_current_state(TASK_INTERRUPTIBLE);
39362 -
39363 -- event_count = atomic_read(&idev->event);
39364 -+ event_count = atomic_read_unchecked(&idev->event);
39365 - if (event_count != listener->event_count) {
39366 - if (copy_to_user(buf, &event_count, count))
39367 - retval = -EFAULT;
39368 -@@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
39369 - static void uio_vma_open(struct vm_area_struct *vma)
39370 - {
39371 - struct uio_device *idev = vma->vm_private_data;
39372 -- idev->vma_count++;
39373 -+ local_inc(&idev->vma_count);
39374 - }
39375 -
39376 - static void uio_vma_close(struct vm_area_struct *vma)
39377 - {
39378 - struct uio_device *idev = vma->vm_private_data;
39379 -- idev->vma_count--;
39380 -+ local_dec(&idev->vma_count);
39381 - }
39382 -
39383 - static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
39384 -@@ -840,7 +841,7 @@ int __uio_register_device(struct module
39385 - idev->owner = owner;
39386 - idev->info = info;
39387 - init_waitqueue_head(&idev->wait);
39388 -- atomic_set(&idev->event, 0);
39389 -+ atomic_set_unchecked(&idev->event, 0);
39390 -
39391 - ret = uio_get_minor(idev);
39392 - if (ret)
39393 -diff -urNp linux-2.6.32.46/drivers/usb/atm/usbatm.c linux-2.6.32.46/drivers/usb/atm/usbatm.c
39394 ---- linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-03-27 14:31:47.000000000 -0400
39395 -+++ linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-04-17 15:56:46.000000000 -0400
39396 -@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
39397 - if (printk_ratelimit())
39398 - atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
39399 - __func__, vpi, vci);
39400 -- atomic_inc(&vcc->stats->rx_err);
39401 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
39402 - return;
39403 - }
39404 -
39405 -@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
39406 - if (length > ATM_MAX_AAL5_PDU) {
39407 - atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
39408 - __func__, length, vcc);
39409 -- atomic_inc(&vcc->stats->rx_err);
39410 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
39411 - goto out;
39412 - }
39413 -
39414 -@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
39415 - if (sarb->len < pdu_length) {
39416 - atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
39417 - __func__, pdu_length, sarb->len, vcc);
39418 -- atomic_inc(&vcc->stats->rx_err);
39419 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
39420 - goto out;
39421 - }
39422 -
39423 - if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
39424 - atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
39425 - __func__, vcc);
39426 -- atomic_inc(&vcc->stats->rx_err);
39427 -+ atomic_inc_unchecked(&vcc->stats->rx_err);
39428 - goto out;
39429 - }
39430 -
39431 -@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
39432 - if (printk_ratelimit())
39433 - atm_err(instance, "%s: no memory for skb (length: %u)!\n",
39434 - __func__, length);
39435 -- atomic_inc(&vcc->stats->rx_drop);
39436 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
39437 - goto out;
39438 - }
39439 -
39440 -@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
39441 -
39442 - vcc->push(vcc, skb);
39443 -
39444 -- atomic_inc(&vcc->stats->rx);
39445 -+ atomic_inc_unchecked(&vcc->stats->rx);
39446 - out:
39447 - skb_trim(sarb, 0);
39448 - }
39449 -@@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
39450 - struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
39451 -
39452 - usbatm_pop(vcc, skb);
39453 -- atomic_inc(&vcc->stats->tx);
39454 -+ atomic_inc_unchecked(&vcc->stats->tx);
39455 -
39456 - skb = skb_dequeue(&instance->sndqueue);
39457 - }
39458 -@@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
39459 - if (!left--)
39460 - return sprintf(page,
39461 - "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
39462 -- atomic_read(&atm_dev->stats.aal5.tx),
39463 -- atomic_read(&atm_dev->stats.aal5.tx_err),
39464 -- atomic_read(&atm_dev->stats.aal5.rx),
39465 -- atomic_read(&atm_dev->stats.aal5.rx_err),
39466 -- atomic_read(&atm_dev->stats.aal5.rx_drop));
39467 -+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
39468 -+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
39469 -+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
39470 -+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
39471 -+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
39472 -
39473 - if (!left--) {
39474 - if (instance->disconnected)
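Review bot: these AAL5 counters are now explicitly allowed to wrap, yet the format string still prints them with `%d`, so a wrapped `tx` or `rx` appears as a negative number in the proc output. Consider `%u` with an `(unsigned int)` cast on each `atomic_read_unchecked()` result, or note in the changelog that the signed output is intentional.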
39475 -diff -urNp linux-2.6.32.46/drivers/usb/class/cdc-wdm.c linux-2.6.32.46/drivers/usb/class/cdc-wdm.c
39476 ---- linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-03-27 14:31:47.000000000 -0400
39477 -+++ linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-04-17 15:56:46.000000000 -0400
39478 -@@ -314,7 +314,7 @@ static ssize_t wdm_write
39479 - if (r < 0)
39480 - goto outnp;
39481 -
39482 -- if (!file->f_flags && O_NONBLOCK)
39483 -+ if (!(file->f_flags & O_NONBLOCK))
39484 - r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
39485 - &desc->flags));
39486 - else
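Review bot: this is a functional bug fix rather than hardening. The old test `!file->f_flags && O_NONBLOCK` parses as `(!file->f_flags) && O_NONBLOCK`, so the blocking branch was taken only when `f_flags` was zero. The new `!(file->f_flags & O_NONBLOCK)` is correct; it belongs in its own patch with a changelog so it can be submitted upstream independently.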
39487 -diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.c linux-2.6.32.46/drivers/usb/core/hcd.c
39488 ---- linux-2.6.32.46/drivers/usb/core/hcd.c 2011-03-27 14:31:47.000000000 -0400
39489 -+++ linux-2.6.32.46/drivers/usb/core/hcd.c 2011-04-17 15:56:46.000000000 -0400
39490 -@@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
39491 -
39492 - #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
39493 -
39494 --struct usb_mon_operations *mon_ops;
39495 -+const struct usb_mon_operations *mon_ops;
39496 -
39497 - /*
39498 - * The registration is unlocked.
39499 -@@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
39500 - * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
39501 - */
39502 -
39503 --int usb_mon_register (struct usb_mon_operations *ops)
39504 -+int usb_mon_register (const struct usb_mon_operations *ops)
39505 - {
39506 -
39507 - if (mon_ops)
39508 -diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.h linux-2.6.32.46/drivers/usb/core/hcd.h
39509 ---- linux-2.6.32.46/drivers/usb/core/hcd.h 2011-03-27 14:31:47.000000000 -0400
39510 -+++ linux-2.6.32.46/drivers/usb/core/hcd.h 2011-04-17 15:56:46.000000000 -0400
39511 -@@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
39512 - #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
39513 -
39514 - struct usb_mon_operations {
39515 -- void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
39516 -- void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
39517 -- void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
39518 -+ void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
39519 -+ void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
39520 -+ void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
39521 - /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
39522 - };
39523 -
39524 --extern struct usb_mon_operations *mon_ops;
39525 -+extern const struct usb_mon_operations *mon_ops;
39526 -
39527 - static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
39528 - {
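Review bot: the per-member `* const` qualifiers and `extern const struct usb_mon_operations *mon_ops` protect the contents of the table, but `mon_ops` itself remains a writable global pointer that the inline helpers call through. A comment next to the declaration stating that only the table is read-only, and that the pointer has to stay writable for `usb_mon_register()`, would keep readers from assuming more protection than the change provides.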
39529 -@@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
39530 - (*mon_ops->urb_complete)(bus, urb, status);
39531 - }
39532 -
39533 --int usb_mon_register(struct usb_mon_operations *ops);
39534 -+int usb_mon_register(const struct usb_mon_operations *ops);
39535 - void usb_mon_deregister(void);
39536 -
39537 - #else
39538 -diff -urNp linux-2.6.32.46/drivers/usb/core/message.c linux-2.6.32.46/drivers/usb/core/message.c
39539 ---- linux-2.6.32.46/drivers/usb/core/message.c 2011-03-27 14:31:47.000000000 -0400
39540 -+++ linux-2.6.32.46/drivers/usb/core/message.c 2011-04-17 15:56:46.000000000 -0400
39541 -@@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
39542 - buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
39543 - if (buf) {
39544 - len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
39545 -- if (len > 0) {
39546 -- smallbuf = kmalloc(++len, GFP_NOIO);
39547 -+ if (len++ > 0) {
39548 -+ smallbuf = kmalloc(len, GFP_NOIO);
39549 - if (!smallbuf)
39550 - return buf;
39551 - memcpy(smallbuf, buf, len);
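Review bot: moving the increment into the condition (`if (len++ > 0)`) changes behaviour on the failing path: `len` is now incremented even when `usb_string()` returned zero or an error, whereas the old `kmalloc(++len, GFP_NOIO)` only modified it inside the block. If the intent is just to keep the side effect out of the `kmalloc()` argument, a plain `len++;` as the first statement inside the block does that without touching the other path.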
39552 -diff -urNp linux-2.6.32.46/drivers/usb/misc/appledisplay.c linux-2.6.32.46/drivers/usb/misc/appledisplay.c
39553 ---- linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-03-27 14:31:47.000000000 -0400
39554 -+++ linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-04-17 15:56:46.000000000 -0400
39555 -@@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
39556 - return pdata->msgdata[1];
39557 - }
39558 -
39559 --static struct backlight_ops appledisplay_bl_data = {
39560 -+static const struct backlight_ops appledisplay_bl_data = {
39561 - .get_brightness = appledisplay_bl_get_brightness,
39562 - .update_status = appledisplay_bl_update_status,
39563 - };
39564 -diff -urNp linux-2.6.32.46/drivers/usb/mon/mon_main.c linux-2.6.32.46/drivers/usb/mon/mon_main.c
39565 ---- linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-03-27 14:31:47.000000000 -0400
39566 -+++ linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-04-17 15:56:46.000000000 -0400
39567 -@@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
39568 - /*
39569 - * Ops
39570 - */
39571 --static struct usb_mon_operations mon_ops_0 = {
39572 -+static const struct usb_mon_operations mon_ops_0 = {
39573 - .urb_submit = mon_submit,
39574 - .urb_submit_error = mon_submit_error,
39575 - .urb_complete = mon_complete,
39576 -diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h
39577 ---- linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-03-27 14:31:47.000000000 -0400
39578 -+++ linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-05-04 17:56:28.000000000 -0400
39579 -@@ -192,7 +192,7 @@ struct wahc {
39580 - struct list_head xfer_delayed_list;
39581 - spinlock_t xfer_list_lock;
39582 - struct work_struct xfer_work;
39583 -- atomic_t xfer_id_count;
39584 -+ atomic_unchecked_t xfer_id_count;
39585 - };
39586 -
39587 -
39588 -@@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
39589 - INIT_LIST_HEAD(&wa->xfer_delayed_list);
39590 - spin_lock_init(&wa->xfer_list_lock);
39591 - INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
39592 -- atomic_set(&wa->xfer_id_count, 1);
39593 -+ atomic_set_unchecked(&wa->xfer_id_count, 1);
39594 - }
39595 -
39596 - /**
39597 -diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c
39598 ---- linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-03-27 14:31:47.000000000 -0400
39599 -+++ linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-05-04 17:56:28.000000000 -0400
39600 -@@ -293,7 +293,7 @@ out:
39601 - */
39602 - static void wa_xfer_id_init(struct wa_xfer *xfer)
39603 - {
39604 -- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
39605 -+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
39606 - }
39607 -
39608 - /*
39609 -diff -urNp linux-2.6.32.46/drivers/uwb/wlp/messages.c linux-2.6.32.46/drivers/uwb/wlp/messages.c
39610 ---- linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-03-27 14:31:47.000000000 -0400
39611 -+++ linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-04-17 15:56:46.000000000 -0400
39612 -@@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
39613 - size_t len = skb->len;
39614 - size_t used;
39615 - ssize_t result;
39616 -- struct wlp_nonce enonce, rnonce;
39617 -+ struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
39618 - enum wlp_assc_error assc_err;
39619 - char enonce_buf[WLP_WSS_NONCE_STRSIZE];
39620 - char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
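Review bot: the `{{0}}` initialisers on `enonce` and `rnonce` give no hint of which path in `wlp_parse_f0()` could read the nonces before they are filled in. Name that path in a comment or the changelog, so the initialisers are not later removed as redundant and so it is clear whether a zero nonce reaching the `enonce_buf`/`rnonce_buf` formatting is acceptable.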
39621 -diff -urNp linux-2.6.32.46/drivers/uwb/wlp/sysfs.c linux-2.6.32.46/drivers/uwb/wlp/sysfs.c
39622 ---- linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-03-27 14:31:47.000000000 -0400
39623 -+++ linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-04-17 15:56:46.000000000 -0400
39624 -@@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
39625 - return ret;
39626 - }
39627 -
39628 --static
39629 --struct sysfs_ops wss_sysfs_ops = {
39630 -+static const struct sysfs_ops wss_sysfs_ops = {
39631 - .show = wlp_wss_attr_show,
39632 - .store = wlp_wss_attr_store,
39633 - };
39634 -diff -urNp linux-2.6.32.46/drivers/video/atmel_lcdfb.c linux-2.6.32.46/drivers/video/atmel_lcdfb.c
39635 ---- linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-03-27 14:31:47.000000000 -0400
39636 -+++ linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-04-17 15:56:46.000000000 -0400
39637 -@@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
39638 - return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
39639 - }
39640 -
39641 --static struct backlight_ops atmel_lcdc_bl_ops = {
39642 -+static const struct backlight_ops atmel_lcdc_bl_ops = {
39643 - .update_status = atmel_bl_update_status,
39644 - .get_brightness = atmel_bl_get_brightness,
39645 - };
39646 -diff -urNp linux-2.6.32.46/drivers/video/aty/aty128fb.c linux-2.6.32.46/drivers/video/aty/aty128fb.c
39647 ---- linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-03-27 14:31:47.000000000 -0400
39648 -+++ linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-04-17 15:56:46.000000000 -0400
39649 -@@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
39650 - return bd->props.brightness;
39651 - }
39652 -
39653 --static struct backlight_ops aty128_bl_data = {
39654 -+static const struct backlight_ops aty128_bl_data = {
39655 - .get_brightness = aty128_bl_get_brightness,
39656 - .update_status = aty128_bl_update_status,
39657 - };
39658 -diff -urNp linux-2.6.32.46/drivers/video/aty/atyfb_base.c linux-2.6.32.46/drivers/video/aty/atyfb_base.c
39659 ---- linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-03-27 14:31:47.000000000 -0400
39660 -+++ linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-04-17 15:56:46.000000000 -0400
39661 -@@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
39662 - return bd->props.brightness;
39663 - }
39664 -
39665 --static struct backlight_ops aty_bl_data = {
39666 -+static const struct backlight_ops aty_bl_data = {
39667 - .get_brightness = aty_bl_get_brightness,
39668 - .update_status = aty_bl_update_status,
39669 - };
39670 -diff -urNp linux-2.6.32.46/drivers/video/aty/radeon_backlight.c linux-2.6.32.46/drivers/video/aty/radeon_backlight.c
39671 ---- linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-03-27 14:31:47.000000000 -0400
39672 -+++ linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-04-17 15:56:46.000000000 -0400
39673 -@@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
39674 - return bd->props.brightness;
39675 - }
39676 -
39677 --static struct backlight_ops radeon_bl_data = {
39678 -+static const struct backlight_ops radeon_bl_data = {
39679 - .get_brightness = radeon_bl_get_brightness,
39680 - .update_status = radeon_bl_update_status,
39681 - };
39682 -diff -urNp linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c
39683 ---- linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-03-27 14:31:47.000000000 -0400
39684 -+++ linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-04-17 15:56:46.000000000 -0400
39685 -@@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
39686 - return error ? data->current_brightness : reg_val;
39687 - }
39688 -
39689 --static struct backlight_ops adp5520_bl_ops = {
39690 -+static const struct backlight_ops adp5520_bl_ops = {
39691 - .update_status = adp5520_bl_update_status,
39692 - .get_brightness = adp5520_bl_get_brightness,
39693 - };
39694 -diff -urNp linux-2.6.32.46/drivers/video/backlight/adx_bl.c linux-2.6.32.46/drivers/video/backlight/adx_bl.c
39695 ---- linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-03-27 14:31:47.000000000 -0400
39696 -+++ linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-04-17 15:56:46.000000000 -0400
39697 -@@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
39698 - return 1;
39699 - }
39700 -
39701 --static struct backlight_ops adx_backlight_ops = {
39702 -+static const struct backlight_ops adx_backlight_ops = {
39703 - .options = 0,
39704 - .update_status = adx_backlight_update_status,
39705 - .get_brightness = adx_backlight_get_brightness,
39706 -diff -urNp linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c
39707 ---- linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-03-27 14:31:47.000000000 -0400
39708 -+++ linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-04-17 15:56:46.000000000 -0400
39709 -@@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
39710 - return pwm_channel_enable(&pwmbl->pwmc);
39711 - }
39712 -
39713 --static struct backlight_ops atmel_pwm_bl_ops = {
39714 -+static const struct backlight_ops atmel_pwm_bl_ops = {
39715 - .get_brightness = atmel_pwm_bl_get_intensity,
39716 - .update_status = atmel_pwm_bl_set_intensity,
39717 - };
39718 -diff -urNp linux-2.6.32.46/drivers/video/backlight/backlight.c linux-2.6.32.46/drivers/video/backlight/backlight.c
39719 ---- linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-03-27 14:31:47.000000000 -0400
39720 -+++ linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-04-17 15:56:46.000000000 -0400
39721 -@@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
39722 - * ERR_PTR() or a pointer to the newly allocated device.
39723 - */
39724 - struct backlight_device *backlight_device_register(const char *name,
39725 -- struct device *parent, void *devdata, struct backlight_ops *ops)
39726 -+ struct device *parent, void *devdata, const struct backlight_ops *ops)
39727 - {
39728 - struct backlight_device *new_bd;
39729 - int rc;
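Review bot: `backlight_device_register()` now takes `const struct backlight_ops *ops`, which only compiles cleanly if the prototype in the header and the field that stores `ops` are made const in the same patch; otherwise the assignment discards the qualifier. State in the changelog that the header changes with this definition, so the driver-side `static const struct backlight_ops` conversions can be checked against it.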
39730 -diff -urNp linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c
39731 ---- linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-03-27 14:31:47.000000000 -0400
39732 -+++ linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-04-17 15:56:46.000000000 -0400
39733 -@@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
39734 - }
39735 - EXPORT_SYMBOL(corgi_lcd_limit_intensity);
39736 -
39737 --static struct backlight_ops corgi_bl_ops = {
39738 -+static const struct backlight_ops corgi_bl_ops = {
39739 - .get_brightness = corgi_bl_get_intensity,
39740 - .update_status = corgi_bl_update_status,
39741 - };
39742 -diff -urNp linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c
39743 ---- linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-03-27 14:31:47.000000000 -0400
39744 -+++ linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-04-17 15:56:46.000000000 -0400
39745 -@@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
39746 - return intensity;
39747 - }
39748 -
39749 --static struct backlight_ops cr_backlight_ops = {
39750 -+static const struct backlight_ops cr_backlight_ops = {
39751 - .get_brightness = cr_backlight_get_intensity,
39752 - .update_status = cr_backlight_set_intensity,
39753 - };
39754 -diff -urNp linux-2.6.32.46/drivers/video/backlight/da903x_bl.c linux-2.6.32.46/drivers/video/backlight/da903x_bl.c
39755 ---- linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-03-27 14:31:47.000000000 -0400
39756 -+++ linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-04-17 15:56:46.000000000 -0400
39757 -@@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
39758 - return data->current_brightness;
39759 - }
39760 -
39761 --static struct backlight_ops da903x_backlight_ops = {
39762 -+static const struct backlight_ops da903x_backlight_ops = {
39763 - .update_status = da903x_backlight_update_status,
39764 - .get_brightness = da903x_backlight_get_brightness,
39765 - };
39766 -diff -urNp linux-2.6.32.46/drivers/video/backlight/generic_bl.c linux-2.6.32.46/drivers/video/backlight/generic_bl.c
39767 ---- linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-03-27 14:31:47.000000000 -0400
39768 -+++ linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-04-17 15:56:46.000000000 -0400
39769 -@@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
39770 - }
39771 - EXPORT_SYMBOL(corgibl_limit_intensity);
39772 -
39773 --static struct backlight_ops genericbl_ops = {
39774 -+static const struct backlight_ops genericbl_ops = {
39775 - .options = BL_CORE_SUSPENDRESUME,
39776 - .get_brightness = genericbl_get_intensity,
39777 - .update_status = genericbl_send_intensity,
39778 -diff -urNp linux-2.6.32.46/drivers/video/backlight/hp680_bl.c linux-2.6.32.46/drivers/video/backlight/hp680_bl.c
39779 ---- linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-03-27 14:31:47.000000000 -0400
39780 -+++ linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-04-17 15:56:46.000000000 -0400
39781 -@@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
39782 - return current_intensity;
39783 - }
39784 -
39785 --static struct backlight_ops hp680bl_ops = {
39786 -+static const struct backlight_ops hp680bl_ops = {
39787 - .get_brightness = hp680bl_get_intensity,
39788 - .update_status = hp680bl_set_intensity,
39789 - };
39790 -diff -urNp linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c
39791 ---- linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-03-27 14:31:47.000000000 -0400
39792 -+++ linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-04-17 15:56:46.000000000 -0400
39793 -@@ -93,7 +93,7 @@ out:
39794 - return ret;
39795 - }
39796 -
39797 --static struct backlight_ops jornada_bl_ops = {
39798 -+static const struct backlight_ops jornada_bl_ops = {
39799 - .get_brightness = jornada_bl_get_brightness,
39800 - .update_status = jornada_bl_update_status,
39801 - .options = BL_CORE_SUSPENDRESUME,
39802 -diff -urNp linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c
39803 ---- linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-03-27 14:31:47.000000000 -0400
39804 -+++ linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-04-17 15:56:46.000000000 -0400
39805 -@@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
39806 - return kb3886bl_intensity;
39807 - }
39808 -
39809 --static struct backlight_ops kb3886bl_ops = {
39810 -+static const struct backlight_ops kb3886bl_ops = {
39811 - .get_brightness = kb3886bl_get_intensity,
39812 - .update_status = kb3886bl_send_intensity,
39813 - };
39814 -diff -urNp linux-2.6.32.46/drivers/video/backlight/locomolcd.c linux-2.6.32.46/drivers/video/backlight/locomolcd.c
39815 ---- linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-03-27 14:31:47.000000000 -0400
39816 -+++ linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-04-17 15:56:46.000000000 -0400
39817 -@@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
39818 - return current_intensity;
39819 - }
39820 -
39821 --static struct backlight_ops locomobl_data = {
39822 -+static const struct backlight_ops locomobl_data = {
39823 - .get_brightness = locomolcd_get_intensity,
39824 - .update_status = locomolcd_set_intensity,
39825 - };
39826 -diff -urNp linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c
39827 ---- linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:01.000000000 -0400
39828 -+++ linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:33.000000000 -0400
39829 -@@ -33,7 +33,7 @@ struct dmi_match_data {
39830 - unsigned long iostart;
39831 - unsigned long iolen;
39832 - /* Backlight operations structure. */
39833 -- struct backlight_ops backlight_ops;
39834 -+ const struct backlight_ops backlight_ops;
39835 - };
39836 -
39837 - /* Module parameters. */
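Review bot: making only the embedded `backlight_ops` member of `struct dmi_match_data` const means every instance must be fully set up by its initialiser, while `iostart` and `iolen` beside it stay writable. If no instance is modified after initialisation, declaring the instances themselves `static const` would cover all three fields and make the intent clearer than a const member.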
39838 -diff -urNp linux-2.6.32.46/drivers/video/backlight/omap1_bl.c linux-2.6.32.46/drivers/video/backlight/omap1_bl.c
39839 ---- linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-03-27 14:31:47.000000000 -0400
39840 -+++ linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-04-17 15:56:46.000000000 -0400
39841 -@@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
39842 - return bl->current_intensity;
39843 - }
39844 -
39845 --static struct backlight_ops omapbl_ops = {
39846 -+static const struct backlight_ops omapbl_ops = {
39847 - .get_brightness = omapbl_get_intensity,
39848 - .update_status = omapbl_update_status,
39849 - };
39850 -diff -urNp linux-2.6.32.46/drivers/video/backlight/progear_bl.c linux-2.6.32.46/drivers/video/backlight/progear_bl.c
39851 ---- linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-03-27 14:31:47.000000000 -0400
39852 -+++ linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-04-17 15:56:46.000000000 -0400
39853 -@@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
39854 - return intensity - HW_LEVEL_MIN;
39855 - }
39856 -
39857 --static struct backlight_ops progearbl_ops = {
39858 -+static const struct backlight_ops progearbl_ops = {
39859 - .get_brightness = progearbl_get_intensity,
39860 - .update_status = progearbl_set_intensity,
39861 - };
39862 -diff -urNp linux-2.6.32.46/drivers/video/backlight/pwm_bl.c linux-2.6.32.46/drivers/video/backlight/pwm_bl.c
39863 ---- linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-03-27 14:31:47.000000000 -0400
39864 -+++ linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-04-17 15:56:46.000000000 -0400
39865 -@@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
39866 - return bl->props.brightness;
39867 - }
39868 -
39869 --static struct backlight_ops pwm_backlight_ops = {
39870 -+static const struct backlight_ops pwm_backlight_ops = {
39871 - .update_status = pwm_backlight_update_status,
39872 - .get_brightness = pwm_backlight_get_brightness,
39873 - };
39874 -diff -urNp linux-2.6.32.46/drivers/video/backlight/tosa_bl.c linux-2.6.32.46/drivers/video/backlight/tosa_bl.c
39875 ---- linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-03-27 14:31:47.000000000 -0400
39876 -+++ linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-04-17 15:56:46.000000000 -0400
39877 -@@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
39878 - return props->brightness;
39879 - }
39880 -
39881 --static struct backlight_ops bl_ops = {
39882 -+static const struct backlight_ops bl_ops = {
39883 - .get_brightness = tosa_bl_get_brightness,
39884 - .update_status = tosa_bl_update_status,
39885 - };
39886 -diff -urNp linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c
39887 ---- linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-03-27 14:31:47.000000000 -0400
39888 -+++ linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-04-17 15:56:46.000000000 -0400
39889 -@@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
39890 - return data->current_brightness;
39891 - }
39892 -
39893 --static struct backlight_ops wm831x_backlight_ops = {
39894 -+static const struct backlight_ops wm831x_backlight_ops = {
39895 - .options = BL_CORE_SUSPENDRESUME,
39896 - .update_status = wm831x_backlight_update_status,
39897 - .get_brightness = wm831x_backlight_get_brightness,
39898 -diff -urNp linux-2.6.32.46/drivers/video/bf54x-lq043fb.c linux-2.6.32.46/drivers/video/bf54x-lq043fb.c
39899 ---- linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-03-27 14:31:47.000000000 -0400
39900 -+++ linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-04-17 15:56:46.000000000 -0400
39901 -@@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
39902 - return 0;
39903 - }
39904 -
39905 --static struct backlight_ops bfin_lq043fb_bl_ops = {
39906 -+static const struct backlight_ops bfin_lq043fb_bl_ops = {
39907 - .get_brightness = bl_get_brightness,
39908 - };
39909 -
39910 -diff -urNp linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c
39911 ---- linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-03-27 14:31:47.000000000 -0400
39912 -+++ linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-04-17 15:56:46.000000000 -0400
39913 -@@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
39914 - return 0;
39915 - }
39916 -
39917 --static struct backlight_ops bfin_lq043fb_bl_ops = {
39918 -+static const struct backlight_ops bfin_lq043fb_bl_ops = {
39919 - .get_brightness = bl_get_brightness,
39920 - };
39921 -
39922 -diff -urNp linux-2.6.32.46/drivers/video/fbcmap.c linux-2.6.32.46/drivers/video/fbcmap.c
39923 ---- linux-2.6.32.46/drivers/video/fbcmap.c 2011-03-27 14:31:47.000000000 -0400
39924 -+++ linux-2.6.32.46/drivers/video/fbcmap.c 2011-04-17 15:56:46.000000000 -0400
39925 -@@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
39926 - rc = -ENODEV;
39927 - goto out;
39928 - }
39929 -- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
39930 -- !info->fbops->fb_setcmap)) {
39931 -+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
39932 - rc = -EINVAL;
39933 - goto out1;
39934 - }
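Review bot: dropping `cmap->start < 0` in fb_set_user_cmap() preserves behaviour only if `start` is an unsigned field, and the hunk neither shows its declaration nor says so. State that in the patch description, and confirm that an upper bound on `start` is enforced later in the function, since no range check on `start` remains in the visible lines after this change.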
39935 -diff -urNp linux-2.6.32.46/drivers/video/fbmem.c linux-2.6.32.46/drivers/video/fbmem.c
39936 ---- linux-2.6.32.46/drivers/video/fbmem.c 2011-03-27 14:31:47.000000000 -0400
39937 -+++ linux-2.6.32.46/drivers/video/fbmem.c 2011-05-16 21:46:57.000000000 -0400
39938 -@@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
39939 - image->dx += image->width + 8;
39940 - }
39941 - } else if (rotate == FB_ROTATE_UD) {
39942 -- for (x = 0; x < num && image->dx >= 0; x++) {
39943 -+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
39944 - info->fbops->fb_imageblit(info, image);
39945 - image->dx -= image->width + 8;
39946 - }
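Review bot: the `(__s32)image->dx >= 0` cast in the FB_ROTATE_UD loop implies `dx` is unsigned, so the original test was always true and the loop was bounded only by `x < num`. With the cast, termination relies on `image->dx -= image->width + 8` wrapping to a value with the top bit set; comparing `image->dx` against `image->width + 8` before subtracting would express the intent without depending on wraparound. The same applies to `image->dy` in the FB_ROTATE_CCW hunk that follows.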
39947 -@@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
39948 - image->dy += image->height + 8;
39949 - }
39950 - } else if (rotate == FB_ROTATE_CCW) {
39951 -- for (x = 0; x < num && image->dy >= 0; x++) {
39952 -+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
39953 - info->fbops->fb_imageblit(info, image);
39954 - image->dy -= image->height + 8;
39955 - }
39956 -@@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
39957 - int flags = info->flags;
39958 - int ret = 0;
39959 -
39960 -+ pax_track_stack();
39961 -+
39962 - if (var->activate & FB_ACTIVATE_INV_MODE) {
39963 - struct fb_videomode mode1, mode2;
39964 -
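Review bot: the `pax_track_stack()` call added at the top of fb_set_var() carries no comment saying why this function needs it. The `struct fb_videomode mode1, mode2` locals just below suggest the reason is stack usage, but a reader cannot tell from the hunk which functions qualify; a one-line comment or a sentence in the patch description would make the choice reviewable. The same applies to the call added to do_fb_ioctl() in the next hunk.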
39965 -@@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
39966 - void __user *argp = (void __user *)arg;
39967 - long ret = 0;
39968 -
39969 -+ pax_track_stack();
39970 -+
39971 - switch (cmd) {
39972 - case FBIOGET_VSCREENINFO:
39973 - if (!lock_fb_info(info))
39974 -@@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
39975 - return -EFAULT;
39976 - if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
39977 - return -EINVAL;
39978 -- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
39979 -+ if (con2fb.framebuffer >= FB_MAX)
39980 - return -EINVAL;
39981 - if (!registered_fb[con2fb.framebuffer])
39982 - request_module("fb%d", con2fb.framebuffer);
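Review bot: removing `con2fb.framebuffer < 0` leaves `con2fb.framebuffer >= FB_MAX` as the only guard before the value indexes `registered_fb[]` two lines later. That is sufficient only if `framebuffer` is declared unsigned, which this hunk does not show; if the check was dropped to silence an always-false comparison warning, say so in the description so the lower bound is not lost should the field's type ever change.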
39983 -diff -urNp linux-2.6.32.46/drivers/video/i810/i810_accel.c linux-2.6.32.46/drivers/video/i810/i810_accel.c
39984 ---- linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-03-27 14:31:47.000000000 -0400
39985 -+++ linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-04-17 15:56:46.000000000 -0400
39986 -@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
39987 - }
39988 - }
39989 - printk("ringbuffer lockup!!!\n");
39990 -+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
39991 - i810_report_error(mmio);
39992 - par->dev_flags |= LOCKUP;
39993 - info->pixmap.scan_align = 1;
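Review bot: the `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` added in wait_for_space() has no KERN_ log level, like the "ringbuffer lockup!!!" line above it, so it is emitted at the default level. It also reads as debugging output: if it is meant to stay, give it an explicit level such as KERN_ERR and check that `head`, `tail`, `par->iring.size` and `space` are all unsigned int to match `%u`.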
39994 -diff -urNp linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm
39995 ---- linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-03-27 14:31:47.000000000 -0400
39996 -+++ linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-08-29 23:49:24.000000000 -0400
39997 -@@ -1,1604 +1,1123 @@
39998 - P3
39999 --# Standard 224-color Linux logo
40000 - 80 80
40001 - 255
40725 -- 0 0 0 0 0 0 0 0 0 0 0 0
40726 -- 0 0 0 0 0 0 0 0 0 0 0 0
40727 -- 6 6 6 14 14 14 38 38 38 82 82 82
40728 -- 34 34 34 2 2 6 2 2 6 2 2 6
40729 -- 42 42 42 195 195 195 246 246 246 253 253 253
40730 --253 253 253 253 253 253 253 253 253 250 250 250
40731 --242 242 242 242 242 242 250 250 250 253 253 253
40732 --253 253 253 253 253 253 253 253 253 253 253 253
40733 --253 253 253 250 250 250 246 246 246 238 238 238
40734 --226 226 226 231 231 231 101 101 101 6 6 6
40735 -- 2 2 6 2 2 6 2 2 6 2 2 6
40736 -- 2 2 6 2 2 6 2 2 6 2 2 6
40737 -- 38 38 38 82 82 82 42 42 42 14 14 14
40738 -- 6 6 6 0 0 0 0 0 0 0 0 0
40739 -- 0 0 0 0 0 0 0 0 0 0 0 0
40740 -- 0 0 0 0 0 0 0 0 0 0 0 0
40741 -- 0 0 0 0 0 0 0 0 0 0 0 0
40742 -- 0 0 0 0 0 0 0 0 0 0 0 0
40743 -- 0 0 0 0 0 0 0 0 0 0 0 0
40744 -- 0 0 0 0 0 0 0 0 0 0 0 0
40745 -- 0 0 0 0 0 0 0 0 0 0 0 0
40746 -- 0 0 0 0 0 0 0 0 0 0 0 0
40747 -- 10 10 10 26 26 26 62 62 62 66 66 66
40748 -- 2 2 6 2 2 6 2 2 6 6 6 6
40749 -- 70 70 70 170 170 170 206 206 206 234 234 234
40750 --246 246 246 250 250 250 250 250 250 238 238 238
40751 --226 226 226 231 231 231 238 238 238 250 250 250
40752 --250 250 250 250 250 250 246 246 246 231 231 231
40753 --214 214 214 206 206 206 202 202 202 202 202 202
40754 --198 198 198 202 202 202 182 182 182 18 18 18
40755 -- 2 2 6 2 2 6 2 2 6 2 2 6
40756 -- 2 2 6 2 2 6 2 2 6 2 2 6
40757 -- 2 2 6 62 62 62 66 66 66 30 30 30
40758 -- 10 10 10 0 0 0 0 0 0 0 0 0
40759 -- 0 0 0 0 0 0 0 0 0 0 0 0
40760 -- 0 0 0 0 0 0 0 0 0 0 0 0
40761 -- 0 0 0 0 0 0 0 0 0 0 0 0
40762 -- 0 0 0 0 0 0 0 0 0 0 0 0
40763 -- 0 0 0 0 0 0 0 0 0 0 0 0
40764 -- 0 0 0 0 0 0 0 0 0 0 0 0
40765 -- 0 0 0 0 0 0 0 0 0 0 0 0
40766 -- 0 0 0 0 0 0 0 0 0 0 0 0
40767 -- 14 14 14 42 42 42 82 82 82 18 18 18
40768 -- 2 2 6 2 2 6 2 2 6 10 10 10
40769 -- 94 94 94 182 182 182 218 218 218 242 242 242
40770 --250 250 250 253 253 253 253 253 253 250 250 250
40771 --234 234 234 253 253 253 253 253 253 253 253 253
40772 --253 253 253 253 253 253 253 253 253 246 246 246
40773 --238 238 238 226 226 226 210 210 210 202 202 202
40774 --195 195 195 195 195 195 210 210 210 158 158 158
40775 -- 6 6 6 14 14 14 50 50 50 14 14 14
40776 -- 2 2 6 2 2 6 2 2 6 2 2 6
40777 -- 2 2 6 6 6 6 86 86 86 46 46 46
40778 -- 18 18 18 6 6 6 0 0 0 0 0 0
40779 -- 0 0 0 0 0 0 0 0 0 0 0 0
40780 -- 0 0 0 0 0 0 0 0 0 0 0 0
40781 -- 0 0 0 0 0 0 0 0 0 0 0 0
40782 -- 0 0 0 0 0 0 0 0 0 0 0 0
40783 -- 0 0 0 0 0 0 0 0 0 0 0 0
40784 -- 0 0 0 0 0 0 0 0 0 0 0 0
40785 -- 0 0 0 0 0 0 0 0 0 0 0 0
40786 -- 0 0 0 0 0 0 0 0 0 6 6 6
40787 -- 22 22 22 54 54 54 70 70 70 2 2 6
40788 -- 2 2 6 10 10 10 2 2 6 22 22 22
40789 --166 166 166 231 231 231 250 250 250 253 253 253
40790 --253 253 253 253 253 253 253 253 253 250 250 250
40791 --242 242 242 253 253 253 253 253 253 253 253 253
40792 --253 253 253 253 253 253 253 253 253 253 253 253
40793 --253 253 253 253 253 253 253 253 253 246 246 246
40794 --231 231 231 206 206 206 198 198 198 226 226 226
40795 -- 94 94 94 2 2 6 6 6 6 38 38 38
40796 -- 30 30 30 2 2 6 2 2 6 2 2 6
40797 -- 2 2 6 2 2 6 62 62 62 66 66 66
40798 -- 26 26 26 10 10 10 0 0 0 0 0 0
40799 -- 0 0 0 0 0 0 0 0 0 0 0 0
40800 -- 0 0 0 0 0 0 0 0 0 0 0 0
40801 -- 0 0 0 0 0 0 0 0 0 0 0 0
40802 -- 0 0 0 0 0 0 0 0 0 0 0 0
40803 -- 0 0 0 0 0 0 0 0 0 0 0 0
40804 -- 0 0 0 0 0 0 0 0 0 0 0 0
40805 -- 0 0 0 0 0 0 0 0 0 0 0 0
40806 -- 0 0 0 0 0 0 0 0 0 10 10 10
40807 -- 30 30 30 74 74 74 50 50 50 2 2 6
40808 -- 26 26 26 26 26 26 2 2 6 106 106 106
40809 --238 238 238 253 253 253 253 253 253 253 253 253
40810 --253 253 253 253 253 253 253 253 253 253 253 253
40811 --253 253 253 253 253 253 253 253 253 253 253 253
40812 --253 253 253 253 253 253 253 253 253 253 253 253
40813 --253 253 253 253 253 253 253 253 253 253 253 253
40814 --253 253 253 246 246 246 218 218 218 202 202 202
40815 --210 210 210 14 14 14 2 2 6 2 2 6
40816 -- 30 30 30 22 22 22 2 2 6 2 2 6
40817 -- 2 2 6 2 2 6 18 18 18 86 86 86
40818 -- 42 42 42 14 14 14 0 0 0 0 0 0
40819 -- 0 0 0 0 0 0 0 0 0 0 0 0
40820 -- 0 0 0 0 0 0 0 0 0 0 0 0
40821 -- 0 0 0 0 0 0 0 0 0 0 0 0
40822 -- 0 0 0 0 0 0 0 0 0 0 0 0
40823 -- 0 0 0 0 0 0 0 0 0 0 0 0
40824 -- 0 0 0 0 0 0 0 0 0 0 0 0
40825 -- 0 0 0 0 0 0 0 0 0 0 0 0
40826 -- 0 0 0 0 0 0 0 0 0 14 14 14
40827 -- 42 42 42 90 90 90 22 22 22 2 2 6
40828 -- 42 42 42 2 2 6 18 18 18 218 218 218
40829 --253 253 253 253 253 253 253 253 253 253 253 253
40830 --253 253 253 253 253 253 253 253 253 253 253 253
40831 --253 253 253 253 253 253 253 253 253 253 253 253
40832 --253 253 253 253 253 253 253 253 253 253 253 253
40833 --253 253 253 253 253 253 253 253 253 253 253 253
40834 --253 253 253 253 253 253 250 250 250 221 221 221
40835 --218 218 218 101 101 101 2 2 6 14 14 14
40836 -- 18 18 18 38 38 38 10 10 10 2 2 6
40837 -- 2 2 6 2 2 6 2 2 6 78 78 78
40838 -- 58 58 58 22 22 22 6 6 6 0 0 0
40839 -- 0 0 0 0 0 0 0 0 0 0 0 0
40840 -- 0 0 0 0 0 0 0 0 0 0 0 0
40841 -- 0 0 0 0 0 0 0 0 0 0 0 0
40842 -- 0 0 0 0 0 0 0 0 0 0 0 0
40843 -- 0 0 0 0 0 0 0 0 0 0 0 0
40844 -- 0 0 0 0 0 0 0 0 0 0 0 0
40845 -- 0 0 0 0 0 0 0 0 0 0 0 0
40846 -- 0 0 0 0 0 0 6 6 6 18 18 18
40847 -- 54 54 54 82 82 82 2 2 6 26 26 26
40848 -- 22 22 22 2 2 6 123 123 123 253 253 253
40849 --253 253 253 253 253 253 253 253 253 253 253 253
40850 --253 253 253 253 253 253 253 253 253 253 253 253
40851 --253 253 253 253 253 253 253 253 253 253 253 253
40852 --253 253 253 253 253 253 253 253 253 253 253 253
40853 --253 253 253 253 253 253 253 253 253 253 253 253
40854 --253 253 253 253 253 253 253 253 253 250 250 250
40855 --238 238 238 198 198 198 6 6 6 38 38 38
40856 -- 58 58 58 26 26 26 38 38 38 2 2 6
40857 -- 2 2 6 2 2 6 2 2 6 46 46 46
40858 -- 78 78 78 30 30 30 10 10 10 0 0 0
40859 -- 0 0 0 0 0 0 0 0 0 0 0 0
40860 -- 0 0 0 0 0 0 0 0 0 0 0 0
40861 -- 0 0 0 0 0 0 0 0 0 0 0 0
40862 -- 0 0 0 0 0 0 0 0 0 0 0 0
40863 -- 0 0 0 0 0 0 0 0 0 0 0 0
40864 -- 0 0 0 0 0 0 0 0 0 0 0 0
40865 -- 0 0 0 0 0 0 0 0 0 0 0 0
40866 -- 0 0 0 0 0 0 10 10 10 30 30 30
40867 -- 74 74 74 58 58 58 2 2 6 42 42 42
40868 -- 2 2 6 22 22 22 231 231 231 253 253 253
40869 --253 253 253 253 253 253 253 253 253 253 253 253
40870 --253 253 253 253 253 253 253 253 253 250 250 250
40871 --253 253 253 253 253 253 253 253 253 253 253 253
40872 --253 253 253 253 253 253 253 253 253 253 253 253
40873 --253 253 253 253 253 253 253 253 253 253 253 253
40874 --253 253 253 253 253 253 253 253 253 253 253 253
40875 --253 253 253 246 246 246 46 46 46 38 38 38
40876 -- 42 42 42 14 14 14 38 38 38 14 14 14
40877 -- 2 2 6 2 2 6 2 2 6 6 6 6
40878 -- 86 86 86 46 46 46 14 14 14 0 0 0
40879 -- 0 0 0 0 0 0 0 0 0 0 0 0
40880 -- 0 0 0 0 0 0 0 0 0 0 0 0
40881 -- 0 0 0 0 0 0 0 0 0 0 0 0
40882 -- 0 0 0 0 0 0 0 0 0 0 0 0
40883 -- 0 0 0 0 0 0 0 0 0 0 0 0
40884 -- 0 0 0 0 0 0 0 0 0 0 0 0
40885 -- 0 0 0 0 0 0 0 0 0 0 0 0
40886 -- 0 0 0 6 6 6 14 14 14 42 42 42
40887 -- 90 90 90 18 18 18 18 18 18 26 26 26
40888 -- 2 2 6 116 116 116 253 253 253 253 253 253
40889 --253 253 253 253 253 253 253 253 253 253 253 253
40890 --253 253 253 253 253 253 250 250 250 238 238 238
40891 --253 253 253 253 253 253 253 253 253 253 253 253
40892 --253 253 253 253 253 253 253 253 253 253 253 253
40893 --253 253 253 253 253 253 253 253 253 253 253 253
40894 --253 253 253 253 253 253 253 253 253 253 253 253
40895 --253 253 253 253 253 253 94 94 94 6 6 6
40896 -- 2 2 6 2 2 6 10 10 10 34 34 34
40897 -- 2 2 6 2 2 6 2 2 6 2 2 6
40898 -- 74 74 74 58 58 58 22 22 22 6 6 6
40899 -- 0 0 0 0 0 0 0 0 0 0 0 0
40900 -- 0 0 0 0 0 0 0 0 0 0 0 0
40901 -- 0 0 0 0 0 0 0 0 0 0 0 0
40902 -- 0 0 0 0 0 0 0 0 0 0 0 0
40903 -- 0 0 0 0 0 0 0 0 0 0 0 0
40904 -- 0 0 0 0 0 0 0 0 0 0 0 0
40905 -- 0 0 0 0 0 0 0 0 0 0 0 0
40906 -- 0 0 0 10 10 10 26 26 26 66 66 66
40907 -- 82 82 82 2 2 6 38 38 38 6 6 6
40908 -- 14 14 14 210 210 210 253 253 253 253 253 253
40909 --253 253 253 253 253 253 253 253 253 253 253 253
40910 --253 253 253 253 253 253 246 246 246 242 242 242
40911 --253 253 253 253 253 253 253 253 253 253 253 253
40912 --253 253 253 253 253 253 253 253 253 253 253 253
40913 --253 253 253 253 253 253 253 253 253 253 253 253
40914 --253 253 253 253 253 253 253 253 253 253 253 253
40915 --253 253 253 253 253 253 144 144 144 2 2 6
40916 -- 2 2 6 2 2 6 2 2 6 46 46 46
40917 -- 2 2 6 2 2 6 2 2 6 2 2 6
40918 -- 42 42 42 74 74 74 30 30 30 10 10 10
40919 -- 0 0 0 0 0 0 0 0 0 0 0 0
40920 -- 0 0 0 0 0 0 0 0 0 0 0 0
40921 -- 0 0 0 0 0 0 0 0 0 0 0 0
40922 -- 0 0 0 0 0 0 0 0 0 0 0 0
40923 -- 0 0 0 0 0 0 0 0 0 0 0 0
40924 -- 0 0 0 0 0 0 0 0 0 0 0 0
40925 -- 0 0 0 0 0 0 0 0 0 0 0 0
40926 -- 6 6 6 14 14 14 42 42 42 90 90 90
40927 -- 26 26 26 6 6 6 42 42 42 2 2 6
40928 -- 74 74 74 250 250 250 253 253 253 253 253 253
40929 --253 253 253 253 253 253 253 253 253 253 253 253
40930 --253 253 253 253 253 253 242 242 242 242 242 242
40931 --253 253 253 253 253 253 253 253 253 253 253 253
40932 --253 253 253 253 253 253 253 253 253 253 253 253
40933 --253 253 253 253 253 253 253 253 253 253 253 253
40934 --253 253 253 253 253 253 253 253 253 253 253 253
40935 --253 253 253 253 253 253 182 182 182 2 2 6
40936 -- 2 2 6 2 2 6 2 2 6 46 46 46
40937 -- 2 2 6 2 2 6 2 2 6 2 2 6
40938 -- 10 10 10 86 86 86 38 38 38 10 10 10
40939 -- 0 0 0 0 0 0 0 0 0 0 0 0
40940 -- 0 0 0 0 0 0 0 0 0 0 0 0
40941 -- 0 0 0 0 0 0 0 0 0 0 0 0
40942 -- 0 0 0 0 0 0 0 0 0 0 0 0
40943 -- 0 0 0 0 0 0 0 0 0 0 0 0
40944 -- 0 0 0 0 0 0 0 0 0 0 0 0
40945 -- 0 0 0 0 0 0 0 0 0 0 0 0
40946 -- 10 10 10 26 26 26 66 66 66 82 82 82
40947 -- 2 2 6 22 22 22 18 18 18 2 2 6
40948 --149 149 149 253 253 253 253 253 253 253 253 253
40949 --253 253 253 253 253 253 253 253 253 253 253 253
40950 --253 253 253 253 253 253 234 234 234 242 242 242
40951 --253 253 253 253 253 253 253 253 253 253 253 253
40952 --253 253 253 253 253 253 253 253 253 253 253 253
40953 --253 253 253 253 253 253 253 253 253 253 253 253
40954 --253 253 253 253 253 253 253 253 253 253 253 253
40955 --253 253 253 253 253 253 206 206 206 2 2 6
40956 -- 2 2 6 2 2 6 2 2 6 38 38 38
40957 -- 2 2 6 2 2 6 2 2 6 2 2 6
40958 -- 6 6 6 86 86 86 46 46 46 14 14 14
40959 -- 0 0 0 0 0 0 0 0 0 0 0 0
40960 -- 0 0 0 0 0 0 0 0 0 0 0 0
40961 -- 0 0 0 0 0 0 0 0 0 0 0 0
40962 -- 0 0 0 0 0 0 0 0 0 0 0 0
40963 -- 0 0 0 0 0 0 0 0 0 0 0 0
40964 -- 0 0 0 0 0 0 0 0 0 0 0 0
40965 -- 0 0 0 0 0 0 0 0 0 6 6 6
40966 -- 18 18 18 46 46 46 86 86 86 18 18 18
40967 -- 2 2 6 34 34 34 10 10 10 6 6 6
40968 --210 210 210 253 253 253 253 253 253 253 253 253
40969 --253 253 253 253 253 253 253 253 253 253 253 253
40970 --253 253 253 253 253 253 234 234 234 242 242 242
40971 --253 253 253 253 253 253 253 253 253 253 253 253
40972 --253 253 253 253 253 253 253 253 253 253 253 253
40973 --253 253 253 253 253 253 253 253 253 253 253 253
40974 --253 253 253 253 253 253 253 253 253 253 253 253
40975 --253 253 253 253 253 253 221 221 221 6 6 6
40976 -- 2 2 6 2 2 6 6 6 6 30 30 30
40977 -- 2 2 6 2 2 6 2 2 6 2 2 6
40978 -- 2 2 6 82 82 82 54 54 54 18 18 18
40979 -- 6 6 6 0 0 0 0 0 0 0 0 0
40980 -- 0 0 0 0 0 0 0 0 0 0 0 0
40981 -- 0 0 0 0 0 0 0 0 0 0 0 0
40982 -- 0 0 0 0 0 0 0 0 0 0 0 0
40983 -- 0 0 0 0 0 0 0 0 0 0 0 0
40984 -- 0 0 0 0 0 0 0 0 0 0 0 0
40985 -- 0 0 0 0 0 0 0 0 0 10 10 10
40986 -- 26 26 26 66 66 66 62 62 62 2 2 6
40987 -- 2 2 6 38 38 38 10 10 10 26 26 26
40988 --238 238 238 253 253 253 253 253 253 253 253 253
40989 --253 253 253 253 253 253 253 253 253 253 253 253
40990 --253 253 253 253 253 253 231 231 231 238 238 238
40991 --253 253 253 253 253 253 253 253 253 253 253 253
40992 --253 253 253 253 253 253 253 253 253 253 253 253
40993 --253 253 253 253 253 253 253 253 253 253 253 253
40994 --253 253 253 253 253 253 253 253 253 253 253 253
40995 --253 253 253 253 253 253 231 231 231 6 6 6
40996 -- 2 2 6 2 2 6 10 10 10 30 30 30
40997 -- 2 2 6 2 2 6 2 2 6 2 2 6
40998 -- 2 2 6 66 66 66 58 58 58 22 22 22
40999 -- 6 6 6 0 0 0 0 0 0 0 0 0
41000 -- 0 0 0 0 0 0 0 0 0 0 0 0
41001 -- 0 0 0 0 0 0 0 0 0 0 0 0
41002 -- 0 0 0 0 0 0 0 0 0 0 0 0
41003 -- 0 0 0 0 0 0 0 0 0 0 0 0
41004 -- 0 0 0 0 0 0 0 0 0 0 0 0
41005 -- 0 0 0 0 0 0 0 0 0 10 10 10
41006 -- 38 38 38 78 78 78 6 6 6 2 2 6
41007 -- 2 2 6 46 46 46 14 14 14 42 42 42
41008 --246 246 246 253 253 253 253 253 253 253 253 253
41009 --253 253 253 253 253 253 253 253 253 253 253 253
41010 --253 253 253 253 253 253 231 231 231 242 242 242
41011 --253 253 253 253 253 253 253 253 253 253 253 253
41012 --253 253 253 253 253 253 253 253 253 253 253 253
41013 --253 253 253 253 253 253 253 253 253 253 253 253
41014 --253 253 253 253 253 253 253 253 253 253 253 253
41015 --253 253 253 253 253 253 234 234 234 10 10 10
41016 -- 2 2 6 2 2 6 22 22 22 14 14 14
41017 -- 2 2 6 2 2 6 2 2 6 2 2 6
41018 -- 2 2 6 66 66 66 62 62 62 22 22 22
41019 -- 6 6 6 0 0 0 0 0 0 0 0 0
41020 -- 0 0 0 0 0 0 0 0 0 0 0 0
41021 -- 0 0 0 0 0 0 0 0 0 0 0 0
41022 -- 0 0 0 0 0 0 0 0 0 0 0 0
41023 -- 0 0 0 0 0 0 0 0 0 0 0 0
41024 -- 0 0 0 0 0 0 0 0 0 0 0 0
41025 -- 0 0 0 0 0 0 6 6 6 18 18 18
41026 -- 50 50 50 74 74 74 2 2 6 2 2 6
41027 -- 14 14 14 70 70 70 34 34 34 62 62 62
41028 --250 250 250 253 253 253 253 253 253 253 253 253
41029 --253 253 253 253 253 253 253 253 253 253 253 253
41030 --253 253 253 253 253 253 231 231 231 246 246 246
41031 --253 253 253 253 253 253 253 253 253 253 253 253
41032 --253 253 253 253 253 253 253 253 253 253 253 253
41033 --253 253 253 253 253 253 253 253 253 253 253 253
41034 --253 253 253 253 253 253 253 253 253 253 253 253
41035 --253 253 253 253 253 253 234 234 234 14 14 14
41036 -- 2 2 6 2 2 6 30 30 30 2 2 6
41037 -- 2 2 6 2 2 6 2 2 6 2 2 6
41038 -- 2 2 6 66 66 66 62 62 62 22 22 22
41039 -- 6 6 6 0 0 0 0 0 0 0 0 0
41040 -- 0 0 0 0 0 0 0 0 0 0 0 0
41041 -- 0 0 0 0 0 0 0 0 0 0 0 0
41042 -- 0 0 0 0 0 0 0 0 0 0 0 0
41043 -- 0 0 0 0 0 0 0 0 0 0 0 0
41044 -- 0 0 0 0 0 0 0 0 0 0 0 0
41045 -- 0 0 0 0 0 0 6 6 6 18 18 18
41046 -- 54 54 54 62 62 62 2 2 6 2 2 6
41047 -- 2 2 6 30 30 30 46 46 46 70 70 70
41048 --250 250 250 253 253 253 253 253 253 253 253 253
41049 --253 253 253 253 253 253 253 253 253 253 253 253
41050 --253 253 253 253 253 253 231 231 231 246 246 246
41051 --253 253 253 253 253 253 253 253 253 253 253 253
41052 --253 253 253 253 253 253 253 253 253 253 253 253
41053 --253 253 253 253 253 253 253 253 253 253 253 253
41054 --253 253 253 253 253 253 253 253 253 253 253 253
41055 --253 253 253 253 253 253 226 226 226 10 10 10
41056 -- 2 2 6 6 6 6 30 30 30 2 2 6
41057 -- 2 2 6 2 2 6 2 2 6 2 2 6
41058 -- 2 2 6 66 66 66 58 58 58 22 22 22
41059 -- 6 6 6 0 0 0 0 0 0 0 0 0
41060 -- 0 0 0 0 0 0 0 0 0 0 0 0
41061 -- 0 0 0 0 0 0 0 0 0 0 0 0
41062 -- 0 0 0 0 0 0 0 0 0 0 0 0
41063 -- 0 0 0 0 0 0 0 0 0 0 0 0
41064 -- 0 0 0 0 0 0 0 0 0 0 0 0
41065 -- 0 0 0 0 0 0 6 6 6 22 22 22
41066 -- 58 58 58 62 62 62 2 2 6 2 2 6
41067 -- 2 2 6 2 2 6 30 30 30 78 78 78
41068 --250 250 250 253 253 253 253 253 253 253 253 253
41069 --253 253 253 253 253 253 253 253 253 253 253 253
41070 --253 253 253 253 253 253 231 231 231 246 246 246
41071 --253 253 253 253 253 253 253 253 253 253 253 253
41072 --253 253 253 253 253 253 253 253 253 253 253 253
41073 --253 253 253 253 253 253 253 253 253 253 253 253
41074 --253 253 253 253 253 253 253 253 253 253 253 253
41075 --253 253 253 253 253 253 206 206 206 2 2 6
41076 -- 22 22 22 34 34 34 18 14 6 22 22 22
41077 -- 26 26 26 18 18 18 6 6 6 2 2 6
41078 -- 2 2 6 82 82 82 54 54 54 18 18 18
41079 -- 6 6 6 0 0 0 0 0 0 0 0 0
41080 -- 0 0 0 0 0 0 0 0 0 0 0 0
41081 -- 0 0 0 0 0 0 0 0 0 0 0 0
41082 -- 0 0 0 0 0 0 0 0 0 0 0 0
41083 -- 0 0 0 0 0 0 0 0 0 0 0 0
41084 -- 0 0 0 0 0 0 0 0 0 0 0 0
41085 -- 0 0 0 0 0 0 6 6 6 26 26 26
41086 -- 62 62 62 106 106 106 74 54 14 185 133 11
41087 --210 162 10 121 92 8 6 6 6 62 62 62
41088 --238 238 238 253 253 253 253 253 253 253 253 253
41089 --253 253 253 253 253 253 253 253 253 253 253 253
41090 --253 253 253 253 253 253 231 231 231 246 246 246
41091 --253 253 253 253 253 253 253 253 253 253 253 253
41092 --253 253 253 253 253 253 253 253 253 253 253 253
41093 --253 253 253 253 253 253 253 253 253 253 253 253
41094 --253 253 253 253 253 253 253 253 253 253 253 253
41095 --253 253 253 253 253 253 158 158 158 18 18 18
41096 -- 14 14 14 2 2 6 2 2 6 2 2 6
41097 -- 6 6 6 18 18 18 66 66 66 38 38 38
41098 -- 6 6 6 94 94 94 50 50 50 18 18 18
41099 -- 6 6 6 0 0 0 0 0 0 0 0 0
41100 -- 0 0 0 0 0 0 0 0 0 0 0 0
41101 -- 0 0 0 0 0 0 0 0 0 0 0 0
41102 -- 0 0 0 0 0 0 0 0 0 0 0 0
41103 -- 0 0 0 0 0 0 0 0 0 0 0 0
41104 -- 0 0 0 0 0 0 0 0 0 6 6 6
41105 -- 10 10 10 10 10 10 18 18 18 38 38 38
41106 -- 78 78 78 142 134 106 216 158 10 242 186 14
41107 --246 190 14 246 190 14 156 118 10 10 10 10
41108 -- 90 90 90 238 238 238 253 253 253 253 253 253
41109 --253 253 253 253 253 253 253 253 253 253 253 253
41110 --253 253 253 253 253 253 231 231 231 250 250 250
41111 --253 253 253 253 253 253 253 253 253 253 253 253
41112 --253 253 253 253 253 253 253 253 253 253 253 253
41113 --253 253 253 253 253 253 253 253 253 253 253 253
41114 --253 253 253 253 253 253 253 253 253 246 230 190
41115 --238 204 91 238 204 91 181 142 44 37 26 9
41116 -- 2 2 6 2 2 6 2 2 6 2 2 6
41117 -- 2 2 6 2 2 6 38 38 38 46 46 46
41118 -- 26 26 26 106 106 106 54 54 54 18 18 18
41119 -- 6 6 6 0 0 0 0 0 0 0 0 0
41120 -- 0 0 0 0 0 0 0 0 0 0 0 0
41121 -- 0 0 0 0 0 0 0 0 0 0 0 0
41122 -- 0 0 0 0 0 0 0 0 0 0 0 0
41123 -- 0 0 0 0 0 0 0 0 0 0 0 0
41124 -- 0 0 0 6 6 6 14 14 14 22 22 22
41125 -- 30 30 30 38 38 38 50 50 50 70 70 70
41126 --106 106 106 190 142 34 226 170 11 242 186 14
41127 --246 190 14 246 190 14 246 190 14 154 114 10
41128 -- 6 6 6 74 74 74 226 226 226 253 253 253
41129 --253 253 253 253 253 253 253 253 253 253 253 253
41130 --253 253 253 253 253 253 231 231 231 250 250 250
41131 --253 253 253 253 253 253 253 253 253 253 253 253
41132 --253 253 253 253 253 253 253 253 253 253 253 253
41133 --253 253 253 253 253 253 253 253 253 253 253 253
41134 --253 253 253 253 253 253 253 253 253 228 184 62
41135 --241 196 14 241 208 19 232 195 16 38 30 10
41136 -- 2 2 6 2 2 6 2 2 6 2 2 6
41137 -- 2 2 6 6 6 6 30 30 30 26 26 26
41138 --203 166 17 154 142 90 66 66 66 26 26 26
41139 -- 6 6 6 0 0 0 0 0 0 0 0 0
41140 -- 0 0 0 0 0 0 0 0 0 0 0 0
41141 -- 0 0 0 0 0 0 0 0 0 0 0 0
41142 -- 0 0 0 0 0 0 0 0 0 0 0 0
41143 -- 0 0 0 0 0 0 0 0 0 0 0 0
41144 -- 6 6 6 18 18 18 38 38 38 58 58 58
41145 -- 78 78 78 86 86 86 101 101 101 123 123 123
41146 --175 146 61 210 150 10 234 174 13 246 186 14
41147 --246 190 14 246 190 14 246 190 14 238 190 10
41148 --102 78 10 2 2 6 46 46 46 198 198 198
41149 --253 253 253 253 253 253 253 253 253 253 253 253
41150 --253 253 253 253 253 253 234 234 234 242 242 242
41151 --253 253 253 253 253 253 253 253 253 253 253 253
41152 --253 253 253 253 253 253 253 253 253 253 253 253
41153 --253 253 253 253 253 253 253 253 253 253 253 253
41154 --253 253 253 253 253 253 253 253 253 224 178 62
41155 --242 186 14 241 196 14 210 166 10 22 18 6
41156 -- 2 2 6 2 2 6 2 2 6 2 2 6
41157 -- 2 2 6 2 2 6 6 6 6 121 92 8
41158 --238 202 15 232 195 16 82 82 82 34 34 34
41159 -- 10 10 10 0 0 0 0 0 0 0 0 0
41160 -- 0 0 0 0 0 0 0 0 0 0 0 0
41161 -- 0 0 0 0 0 0 0 0 0 0 0 0
41162 -- 0 0 0 0 0 0 0 0 0 0 0 0
41163 -- 0 0 0 0 0 0 0 0 0 0 0 0
41164 -- 14 14 14 38 38 38 70 70 70 154 122 46
41165 --190 142 34 200 144 11 197 138 11 197 138 11
41166 --213 154 11 226 170 11 242 186 14 246 190 14
41167 --246 190 14 246 190 14 246 190 14 246 190 14
41168 --225 175 15 46 32 6 2 2 6 22 22 22
41169 --158 158 158 250 250 250 253 253 253 253 253 253
41170 --253 253 253 253 253 253 253 253 253 253 253 253
41171 --253 253 253 253 253 253 253 253 253 253 253 253
41172 --253 253 253 253 253 253 253 253 253 253 253 253
41173 --253 253 253 253 253 253 253 253 253 253 253 253
41174 --253 253 253 250 250 250 242 242 242 224 178 62
41175 --239 182 13 236 186 11 213 154 11 46 32 6
41176 -- 2 2 6 2 2 6 2 2 6 2 2 6
41177 -- 2 2 6 2 2 6 61 42 6 225 175 15
41178 --238 190 10 236 186 11 112 100 78 42 42 42
41179 -- 14 14 14 0 0 0 0 0 0 0 0 0
41180 -- 0 0 0 0 0 0 0 0 0 0 0 0
41181 -- 0 0 0 0 0 0 0 0 0 0 0 0
41182 -- 0 0 0 0 0 0 0 0 0 0 0 0
41183 -- 0 0 0 0 0 0 0 0 0 6 6 6
41184 -- 22 22 22 54 54 54 154 122 46 213 154 11
41185 --226 170 11 230 174 11 226 170 11 226 170 11
41186 --236 178 12 242 186 14 246 190 14 246 190 14
41187 --246 190 14 246 190 14 246 190 14 246 190 14
41188 --241 196 14 184 144 12 10 10 10 2 2 6
41189 -- 6 6 6 116 116 116 242 242 242 253 253 253
41190 --253 253 253 253 253 253 253 253 253 253 253 253
41191 --253 253 253 253 253 253 253 253 253 253 253 253
41192 --253 253 253 253 253 253 253 253 253 253 253 253
41193 --253 253 253 253 253 253 253 253 253 253 253 253
41194 --253 253 253 231 231 231 198 198 198 214 170 54
41195 --236 178 12 236 178 12 210 150 10 137 92 6
41196 -- 18 14 6 2 2 6 2 2 6 2 2 6
41197 -- 6 6 6 70 47 6 200 144 11 236 178 12
41198 --239 182 13 239 182 13 124 112 88 58 58 58
41199 -- 22 22 22 6 6 6 0 0 0 0 0 0
41200 -- 0 0 0 0 0 0 0 0 0 0 0 0
41201 -- 0 0 0 0 0 0 0 0 0 0 0 0
41202 -- 0 0 0 0 0 0 0 0 0 0 0 0
41203 -- 0 0 0 0 0 0 0 0 0 10 10 10
41204 -- 30 30 30 70 70 70 180 133 36 226 170 11
41205 --239 182 13 242 186 14 242 186 14 246 186 14
41206 --246 190 14 246 190 14 246 190 14 246 190 14
41207 --246 190 14 246 190 14 246 190 14 246 190 14
41208 --246 190 14 232 195 16 98 70 6 2 2 6
41209 -- 2 2 6 2 2 6 66 66 66 221 221 221
41210 --253 253 253 253 253 253 253 253 253 253 253 253
41211 --253 253 253 253 253 253 253 253 253 253 253 253
41212 --253 253 253 253 253 253 253 253 253 253 253 253
41213 --253 253 253 253 253 253 253 253 253 253 253 253
41214 --253 253 253 206 206 206 198 198 198 214 166 58
41215 --230 174 11 230 174 11 216 158 10 192 133 9
41216 --163 110 8 116 81 8 102 78 10 116 81 8
41217 --167 114 7 197 138 11 226 170 11 239 182 13
41218 --242 186 14 242 186 14 162 146 94 78 78 78
41219 -- 34 34 34 14 14 14 6 6 6 0 0 0
41220 -- 0 0 0 0 0 0 0 0 0 0 0 0
41221 -- 0 0 0 0 0 0 0 0 0 0 0 0
41222 -- 0 0 0 0 0 0 0 0 0 0 0 0
41223 -- 0 0 0 0 0 0 0 0 0 6 6 6
41224 -- 30 30 30 78 78 78 190 142 34 226 170 11
41225 --239 182 13 246 190 14 246 190 14 246 190 14
41226 --246 190 14 246 190 14 246 190 14 246 190 14
41227 --246 190 14 246 190 14 246 190 14 246 190 14
41228 --246 190 14 241 196 14 203 166 17 22 18 6
41229 -- 2 2 6 2 2 6 2 2 6 38 38 38
41230 --218 218 218 253 253 253 253 253 253 253 253 253
41231 --253 253 253 253 253 253 253 253 253 253 253 253
41232 --253 253 253 253 253 253 253 253 253 253 253 253
41233 --253 253 253 253 253 253 253 253 253 253 253 253
41234 --250 250 250 206 206 206 198 198 198 202 162 69
41235 --226 170 11 236 178 12 224 166 10 210 150 10
41236 --200 144 11 197 138 11 192 133 9 197 138 11
41237 --210 150 10 226 170 11 242 186 14 246 190 14
41238 --246 190 14 246 186 14 225 175 15 124 112 88
41239 -- 62 62 62 30 30 30 14 14 14 6 6 6
41240 -- 0 0 0 0 0 0 0 0 0 0 0 0
41241 -- 0 0 0 0 0 0 0 0 0 0 0 0
41242 -- 0 0 0 0 0 0 0 0 0 0 0 0
41243 -- 0 0 0 0 0 0 0 0 0 10 10 10
41244 -- 30 30 30 78 78 78 174 135 50 224 166 10
41245 --239 182 13 246 190 14 246 190 14 246 190 14
41246 --246 190 14 246 190 14 246 190 14 246 190 14
41247 --246 190 14 246 190 14 246 190 14 246 190 14
41248 --246 190 14 246 190 14 241 196 14 139 102 15
41249 -- 2 2 6 2 2 6 2 2 6 2 2 6
41250 -- 78 78 78 250 250 250 253 253 253 253 253 253
41251 --253 253 253 253 253 253 253 253 253 253 253 253
41252 --253 253 253 253 253 253 253 253 253 253 253 253
41253 --253 253 253 253 253 253 253 253 253 253 253 253
41254 --250 250 250 214 214 214 198 198 198 190 150 46
41255 --219 162 10 236 178 12 234 174 13 224 166 10
41256 --216 158 10 213 154 11 213 154 11 216 158 10
41257 --226 170 11 239 182 13 246 190 14 246 190 14
41258 --246 190 14 246 190 14 242 186 14 206 162 42
41259 --101 101 101 58 58 58 30 30 30 14 14 14
41260 -- 6 6 6 0 0 0 0 0 0 0 0 0
41261 -- 0 0 0 0 0 0 0 0 0 0 0 0
41262 -- 0 0 0 0 0 0 0 0 0 0 0 0
41263 -- 0 0 0 0 0 0 0 0 0 10 10 10
41264 -- 30 30 30 74 74 74 174 135 50 216 158 10
41265 --236 178 12 246 190 14 246 190 14 246 190 14
41266 --246 190 14 246 190 14 246 190 14 246 190 14
41267 --246 190 14 246 190 14 246 190 14 246 190 14
41268 --246 190 14 246 190 14 241 196 14 226 184 13
41269 -- 61 42 6 2 2 6 2 2 6 2 2 6
41270 -- 22 22 22 238 238 238 253 253 253 253 253 253
41271 --253 253 253 253 253 253 253 253 253 253 253 253
41272 --253 253 253 253 253 253 253 253 253 253 253 253
41273 --253 253 253 253 253 253 253 253 253 253 253 253
41274 --253 253 253 226 226 226 187 187 187 180 133 36
41275 --216 158 10 236 178 12 239 182 13 236 178 12
41276 --230 174 11 226 170 11 226 170 11 230 174 11
41277 --236 178 12 242 186 14 246 190 14 246 190 14
41278 --246 190 14 246 190 14 246 186 14 239 182 13
41279 --206 162 42 106 106 106 66 66 66 34 34 34
41280 -- 14 14 14 6 6 6 0 0 0 0 0 0
41281 -- 0 0 0 0 0 0 0 0 0 0 0 0
41282 -- 0 0 0 0 0 0 0 0 0 0 0 0
41283 -- 0 0 0 0 0 0 0 0 0 6 6 6
41284 -- 26 26 26 70 70 70 163 133 67 213 154 11
41285 --236 178 12 246 190 14 246 190 14 246 190 14
41286 --246 190 14 246 190 14 246 190 14 246 190 14
41287 --246 190 14 246 190 14 246 190 14 246 190 14
41288 --246 190 14 246 190 14 246 190 14 241 196 14
41289 --190 146 13 18 14 6 2 2 6 2 2 6
41290 -- 46 46 46 246 246 246 253 253 253 253 253 253
41291 --253 253 253 253 253 253 253 253 253 253 253 253
41292 --253 253 253 253 253 253 253 253 253 253 253 253
41293 --253 253 253 253 253 253 253 253 253 253 253 253
41294 --253 253 253 221 221 221 86 86 86 156 107 11
41295 --216 158 10 236 178 12 242 186 14 246 186 14
41296 --242 186 14 239 182 13 239 182 13 242 186 14
41297 --242 186 14 246 186 14 246 190 14 246 190 14
41298 --246 190 14 246 190 14 246 190 14 246 190 14
41299 --242 186 14 225 175 15 142 122 72 66 66 66
41300 -- 30 30 30 10 10 10 0 0 0 0 0 0
41301 -- 0 0 0 0 0 0 0 0 0 0 0 0
41302 -- 0 0 0 0 0 0 0 0 0 0 0 0
41303 -- 0 0 0 0 0 0 0 0 0 6 6 6
41304 -- 26 26 26 70 70 70 163 133 67 210 150 10
41305 --236 178 12 246 190 14 246 190 14 246 190 14
41306 --246 190 14 246 190 14 246 190 14 246 190 14
41307 --246 190 14 246 190 14 246 190 14 246 190 14
41308 --246 190 14 246 190 14 246 190 14 246 190 14
41309 --232 195 16 121 92 8 34 34 34 106 106 106
41310 --221 221 221 253 253 253 253 253 253 253 253 253
41311 --253 253 253 253 253 253 253 253 253 253 253 253
41312 --253 253 253 253 253 253 253 253 253 253 253 253
41313 --253 253 253 253 253 253 253 253 253 253 253 253
41314 --242 242 242 82 82 82 18 14 6 163 110 8
41315 --216 158 10 236 178 12 242 186 14 246 190 14
41316 --246 190 14 246 190 14 246 190 14 246 190 14
41317 --246 190 14 246 190 14 246 190 14 246 190 14
41318 --246 190 14 246 190 14 246 190 14 246 190 14
41319 --246 190 14 246 190 14 242 186 14 163 133 67
41320 -- 46 46 46 18 18 18 6 6 6 0 0 0
41321 -- 0 0 0 0 0 0 0 0 0 0 0 0
41322 -- 0 0 0 0 0 0 0 0 0 0 0 0
41323 -- 0 0 0 0 0 0 0 0 0 10 10 10
41324 -- 30 30 30 78 78 78 163 133 67 210 150 10
41325 --236 178 12 246 186 14 246 190 14 246 190 14
41326 --246 190 14 246 190 14 246 190 14 246 190 14
41327 --246 190 14 246 190 14 246 190 14 246 190 14
41328 --246 190 14 246 190 14 246 190 14 246 190 14
41329 --241 196 14 215 174 15 190 178 144 253 253 253
41330 --253 253 253 253 253 253 253 253 253 253 253 253
41331 --253 253 253 253 253 253 253 253 253 253 253 253
41332 --253 253 253 253 253 253 253 253 253 253 253 253
41333 --253 253 253 253 253 253 253 253 253 218 218 218
41334 -- 58 58 58 2 2 6 22 18 6 167 114 7
41335 --216 158 10 236 178 12 246 186 14 246 190 14
41336 --246 190 14 246 190 14 246 190 14 246 190 14
41337 --246 190 14 246 190 14 246 190 14 246 190 14
41338 --246 190 14 246 190 14 246 190 14 246 190 14
41339 --246 190 14 246 186 14 242 186 14 190 150 46
41340 -- 54 54 54 22 22 22 6 6 6 0 0 0
41341 -- 0 0 0 0 0 0 0 0 0 0 0 0
41342 -- 0 0 0 0 0 0 0 0 0 0 0 0
41343 -- 0 0 0 0 0 0 0 0 0 14 14 14
41344 -- 38 38 38 86 86 86 180 133 36 213 154 11
41345 --236 178 12 246 186 14 246 190 14 246 190 14
41346 --246 190 14 246 190 14 246 190 14 246 190 14
41347 --246 190 14 246 190 14 246 190 14 246 190 14
41348 --246 190 14 246 190 14 246 190 14 246 190 14
41349 --246 190 14 232 195 16 190 146 13 214 214 214
41350 --253 253 253 253 253 253 253 253 253 253 253 253
41351 --253 253 253 253 253 253 253 253 253 253 253 253
41352 --253 253 253 253 253 253 253 253 253 253 253 253
41353 --253 253 253 250 250 250 170 170 170 26 26 26
41354 -- 2 2 6 2 2 6 37 26 9 163 110 8
41355 --219 162 10 239 182 13 246 186 14 246 190 14
41356 --246 190 14 246 190 14 246 190 14 246 190 14
41357 --246 190 14 246 190 14 246 190 14 246 190 14
41358 --246 190 14 246 190 14 246 190 14 246 190 14
41359 --246 186 14 236 178 12 224 166 10 142 122 72
41360 -- 46 46 46 18 18 18 6 6 6 0 0 0
41361 -- 0 0 0 0 0 0 0 0 0 0 0 0
41362 -- 0 0 0 0 0 0 0 0 0 0 0 0
41363 -- 0 0 0 0 0 0 6 6 6 18 18 18
41364 -- 50 50 50 109 106 95 192 133 9 224 166 10
41365 --242 186 14 246 190 14 246 190 14 246 190 14
41366 --246 190 14 246 190 14 246 190 14 246 190 14
41367 --246 190 14 246 190 14 246 190 14 246 190 14
41368 --246 190 14 246 190 14 246 190 14 246 190 14
41369 --242 186 14 226 184 13 210 162 10 142 110 46
41370 --226 226 226 253 253 253 253 253 253 253 253 253
41371 --253 253 253 253 253 253 253 253 253 253 253 253
41372 --253 253 253 253 253 253 253 253 253 253 253 253
41373 --198 198 198 66 66 66 2 2 6 2 2 6
41374 -- 2 2 6 2 2 6 50 34 6 156 107 11
41375 --219 162 10 239 182 13 246 186 14 246 190 14
41376 --246 190 14 246 190 14 246 190 14 246 190 14
41377 --246 190 14 246 190 14 246 190 14 246 190 14
41378 --246 190 14 246 190 14 246 190 14 242 186 14
41379 --234 174 13 213 154 11 154 122 46 66 66 66
41380 -- 30 30 30 10 10 10 0 0 0 0 0 0
41381 -- 0 0 0 0 0 0 0 0 0 0 0 0
41382 -- 0 0 0 0 0 0 0 0 0 0 0 0
41383 -- 0 0 0 0 0 0 6 6 6 22 22 22
41384 -- 58 58 58 154 121 60 206 145 10 234 174 13
41385 --242 186 14 246 186 14 246 190 14 246 190 14
41386 --246 190 14 246 190 14 246 190 14 246 190 14
41387 --246 190 14 246 190 14 246 190 14 246 190 14
41388 --246 190 14 246 190 14 246 190 14 246 190 14
41389 --246 186 14 236 178 12 210 162 10 163 110 8
41390 -- 61 42 6 138 138 138 218 218 218 250 250 250
41391 --253 253 253 253 253 253 253 253 253 250 250 250
41392 --242 242 242 210 210 210 144 144 144 66 66 66
41393 -- 6 6 6 2 2 6 2 2 6 2 2 6
41394 -- 2 2 6 2 2 6 61 42 6 163 110 8
41395 --216 158 10 236 178 12 246 190 14 246 190 14
41396 --246 190 14 246 190 14 246 190 14 246 190 14
41397 --246 190 14 246 190 14 246 190 14 246 190 14
41398 --246 190 14 239 182 13 230 174 11 216 158 10
41399 --190 142 34 124 112 88 70 70 70 38 38 38
41400 -- 18 18 18 6 6 6 0 0 0 0 0 0
41401 -- 0 0 0 0 0 0 0 0 0 0 0 0
41402 -- 0 0 0 0 0 0 0 0 0 0 0 0
41403 -- 0 0 0 0 0 0 6 6 6 22 22 22
41404 -- 62 62 62 168 124 44 206 145 10 224 166 10
41405 --236 178 12 239 182 13 242 186 14 242 186 14
41406 --246 186 14 246 190 14 246 190 14 246 190 14
41407 --246 190 14 246 190 14 246 190 14 246 190 14
41408 --246 190 14 246 190 14 246 190 14 246 190 14
41409 --246 190 14 236 178 12 216 158 10 175 118 6
41410 -- 80 54 7 2 2 6 6 6 6 30 30 30
41411 -- 54 54 54 62 62 62 50 50 50 38 38 38
41412 -- 14 14 14 2 2 6 2 2 6 2 2 6
41413 -- 2 2 6 2 2 6 2 2 6 2 2 6
41414 -- 2 2 6 6 6 6 80 54 7 167 114 7
41415 --213 154 11 236 178 12 246 190 14 246 190 14
41416 --246 190 14 246 190 14 246 190 14 246 190 14
41417 --246 190 14 242 186 14 239 182 13 239 182 13
41418 --230 174 11 210 150 10 174 135 50 124 112 88
41419 -- 82 82 82 54 54 54 34 34 34 18 18 18
41420 -- 6 6 6 0 0 0 0 0 0 0 0 0
41421 -- 0 0 0 0 0 0 0 0 0 0 0 0
41422 -- 0 0 0 0 0 0 0 0 0 0 0 0
41423 -- 0 0 0 0 0 0 6 6 6 18 18 18
41424 -- 50 50 50 158 118 36 192 133 9 200 144 11
41425 --216 158 10 219 162 10 224 166 10 226 170 11
41426 --230 174 11 236 178 12 239 182 13 239 182 13
41427 --242 186 14 246 186 14 246 190 14 246 190 14
41428 --246 190 14 246 190 14 246 190 14 246 190 14
41429 --246 186 14 230 174 11 210 150 10 163 110 8
41430 --104 69 6 10 10 10 2 2 6 2 2 6
41431 -- 2 2 6 2 2 6 2 2 6 2 2 6
41432 -- 2 2 6 2 2 6 2 2 6 2 2 6
41433 -- 2 2 6 2 2 6 2 2 6 2 2 6
41434 -- 2 2 6 6 6 6 91 60 6 167 114 7
41435 --206 145 10 230 174 11 242 186 14 246 190 14
41436 --246 190 14 246 190 14 246 186 14 242 186 14
41437 --239 182 13 230 174 11 224 166 10 213 154 11
41438 --180 133 36 124 112 88 86 86 86 58 58 58
41439 -- 38 38 38 22 22 22 10 10 10 6 6 6
41440 -- 0 0 0 0 0 0 0 0 0 0 0 0
41441 -- 0 0 0 0 0 0 0 0 0 0 0 0
41442 -- 0 0 0 0 0 0 0 0 0 0 0 0
41443 -- 0 0 0 0 0 0 0 0 0 14 14 14
41444 -- 34 34 34 70 70 70 138 110 50 158 118 36
41445 --167 114 7 180 123 7 192 133 9 197 138 11
41446 --200 144 11 206 145 10 213 154 11 219 162 10
41447 --224 166 10 230 174 11 239 182 13 242 186 14
41448 --246 186 14 246 186 14 246 186 14 246 186 14
41449 --239 182 13 216 158 10 185 133 11 152 99 6
41450 --104 69 6 18 14 6 2 2 6 2 2 6
41451 -- 2 2 6 2 2 6 2 2 6 2 2 6
41452 -- 2 2 6 2 2 6 2 2 6 2 2 6
41453 -- 2 2 6 2 2 6 2 2 6 2 2 6
41454 -- 2 2 6 6 6 6 80 54 7 152 99 6
41455 --192 133 9 219 162 10 236 178 12 239 182 13
41456 --246 186 14 242 186 14 239 182 13 236 178 12
41457 --224 166 10 206 145 10 192 133 9 154 121 60
41458 -- 94 94 94 62 62 62 42 42 42 22 22 22
41459 -- 14 14 14 6 6 6 0 0 0 0 0 0
41460 -- 0 0 0 0 0 0 0 0 0 0 0 0
41461 -- 0 0 0 0 0 0 0 0 0 0 0 0
41462 -- 0 0 0 0 0 0 0 0 0 0 0 0
41463 -- 0 0 0 0 0 0 0 0 0 6 6 6
41464 -- 18 18 18 34 34 34 58 58 58 78 78 78
41465 --101 98 89 124 112 88 142 110 46 156 107 11
41466 --163 110 8 167 114 7 175 118 6 180 123 7
41467 --185 133 11 197 138 11 210 150 10 219 162 10
41468 --226 170 11 236 178 12 236 178 12 234 174 13
41469 --219 162 10 197 138 11 163 110 8 130 83 6
41470 -- 91 60 6 10 10 10 2 2 6 2 2 6
41471 -- 18 18 18 38 38 38 38 38 38 38 38 38
41472 -- 38 38 38 38 38 38 38 38 38 38 38 38
41473 -- 38 38 38 38 38 38 26 26 26 2 2 6
41474 -- 2 2 6 6 6 6 70 47 6 137 92 6
41475 --175 118 6 200 144 11 219 162 10 230 174 11
41476 --234 174 13 230 174 11 219 162 10 210 150 10
41477 --192 133 9 163 110 8 124 112 88 82 82 82
41478 -- 50 50 50 30 30 30 14 14 14 6 6 6
41479 -- 0 0 0 0 0 0 0 0 0 0 0 0
41480 -- 0 0 0 0 0 0 0 0 0 0 0 0
41481 -- 0 0 0 0 0 0 0 0 0 0 0 0
41482 -- 0 0 0 0 0 0 0 0 0 0 0 0
41483 -- 0 0 0 0 0 0 0 0 0 0 0 0
41484 -- 6 6 6 14 14 14 22 22 22 34 34 34
41485 -- 42 42 42 58 58 58 74 74 74 86 86 86
41486 --101 98 89 122 102 70 130 98 46 121 87 25
41487 --137 92 6 152 99 6 163 110 8 180 123 7
41488 --185 133 11 197 138 11 206 145 10 200 144 11
41489 --180 123 7 156 107 11 130 83 6 104 69 6
41490 -- 50 34 6 54 54 54 110 110 110 101 98 89
41491 -- 86 86 86 82 82 82 78 78 78 78 78 78
41492 -- 78 78 78 78 78 78 78 78 78 78 78 78
41493 -- 78 78 78 82 82 82 86 86 86 94 94 94
41494 --106 106 106 101 101 101 86 66 34 124 80 6
41495 --156 107 11 180 123 7 192 133 9 200 144 11
41496 --206 145 10 200 144 11 192 133 9 175 118 6
41497 --139 102 15 109 106 95 70 70 70 42 42 42
41498 -- 22 22 22 10 10 10 0 0 0 0 0 0
41499 -- 0 0 0 0 0 0 0 0 0 0 0 0
41500 -- 0 0 0 0 0 0 0 0 0 0 0 0
41501 -- 0 0 0 0 0 0 0 0 0 0 0 0
41502 -- 0 0 0 0 0 0 0 0 0 0 0 0
41503 -- 0 0 0 0 0 0 0 0 0 0 0 0
41504 -- 0 0 0 0 0 0 6 6 6 10 10 10
41505 -- 14 14 14 22 22 22 30 30 30 38 38 38
41506 -- 50 50 50 62 62 62 74 74 74 90 90 90
41507 --101 98 89 112 100 78 121 87 25 124 80 6
41508 --137 92 6 152 99 6 152 99 6 152 99 6
41509 --138 86 6 124 80 6 98 70 6 86 66 30
41510 --101 98 89 82 82 82 58 58 58 46 46 46
41511 -- 38 38 38 34 34 34 34 34 34 34 34 34
41512 -- 34 34 34 34 34 34 34 34 34 34 34 34
41513 -- 34 34 34 34 34 34 38 38 38 42 42 42
41514 -- 54 54 54 82 82 82 94 86 76 91 60 6
41515 --134 86 6 156 107 11 167 114 7 175 118 6
41516 --175 118 6 167 114 7 152 99 6 121 87 25
41517 --101 98 89 62 62 62 34 34 34 18 18 18
41518 -- 6 6 6 0 0 0 0 0 0 0 0 0
41519 -- 0 0 0 0 0 0 0 0 0 0 0 0
41520 -- 0 0 0 0 0 0 0 0 0 0 0 0
41521 -- 0 0 0 0 0 0 0 0 0 0 0 0
41522 -- 0 0 0 0 0 0 0 0 0 0 0 0
41523 -- 0 0 0 0 0 0 0 0 0 0 0 0
41524 -- 0 0 0 0 0 0 0 0 0 0 0 0
41525 -- 0 0 0 6 6 6 6 6 6 10 10 10
41526 -- 18 18 18 22 22 22 30 30 30 42 42 42
41527 -- 50 50 50 66 66 66 86 86 86 101 98 89
41528 --106 86 58 98 70 6 104 69 6 104 69 6
41529 --104 69 6 91 60 6 82 62 34 90 90 90
41530 -- 62 62 62 38 38 38 22 22 22 14 14 14
41531 -- 10 10 10 10 10 10 10 10 10 10 10 10
41532 -- 10 10 10 10 10 10 6 6 6 10 10 10
41533 -- 10 10 10 10 10 10 10 10 10 14 14 14
41534 -- 22 22 22 42 42 42 70 70 70 89 81 66
41535 -- 80 54 7 104 69 6 124 80 6 137 92 6
41536 --134 86 6 116 81 8 100 82 52 86 86 86
41537 -- 58 58 58 30 30 30 14 14 14 6 6 6
41538 -- 0 0 0 0 0 0 0 0 0 0 0 0
41539 -- 0 0 0 0 0 0 0 0 0 0 0 0
41540 -- 0 0 0 0 0 0 0 0 0 0 0 0
41541 -- 0 0 0 0 0 0 0 0 0 0 0 0
41542 -- 0 0 0 0 0 0 0 0 0 0 0 0
41543 -- 0 0 0 0 0 0 0 0 0 0 0 0
41544 -- 0 0 0 0 0 0 0 0 0 0 0 0
41545 -- 0 0 0 0 0 0 0 0 0 0 0 0
41546 -- 0 0 0 6 6 6 10 10 10 14 14 14
41547 -- 18 18 18 26 26 26 38 38 38 54 54 54
41548 -- 70 70 70 86 86 86 94 86 76 89 81 66
41549 -- 89 81 66 86 86 86 74 74 74 50 50 50
41550 -- 30 30 30 14 14 14 6 6 6 0 0 0
41551 -- 0 0 0 0 0 0 0 0 0 0 0 0
41552 -- 0 0 0 0 0 0 0 0 0 0 0 0
41553 -- 0 0 0 0 0 0 0 0 0 0 0 0
41554 -- 6 6 6 18 18 18 34 34 34 58 58 58
41555 -- 82 82 82 89 81 66 89 81 66 89 81 66
41556 -- 94 86 66 94 86 76 74 74 74 50 50 50
41557 -- 26 26 26 14 14 14 6 6 6 0 0 0
41558 -- 0 0 0 0 0 0 0 0 0 0 0 0
41559 -- 0 0 0 0 0 0 0 0 0 0 0 0
41560 -- 0 0 0 0 0 0 0 0 0 0 0 0
41561 -- 0 0 0 0 0 0 0 0 0 0 0 0
41562 -- 0 0 0 0 0 0 0 0 0 0 0 0
41563 -- 0 0 0 0 0 0 0 0 0 0 0 0
41564 -- 0 0 0 0 0 0 0 0 0 0 0 0
41565 -- 0 0 0 0 0 0 0 0 0 0 0 0
41566 -- 0 0 0 0 0 0 0 0 0 0 0 0
41567 -- 6 6 6 6 6 6 14 14 14 18 18 18
41568 -- 30 30 30 38 38 38 46 46 46 54 54 54
41569 -- 50 50 50 42 42 42 30 30 30 18 18 18
41570 -- 10 10 10 0 0 0 0 0 0 0 0 0
41571 -- 0 0 0 0 0 0 0 0 0 0 0 0
41572 -- 0 0 0 0 0 0 0 0 0 0 0 0
41573 -- 0 0 0 0 0 0 0 0 0 0 0 0
41574 -- 0 0 0 6 6 6 14 14 14 26 26 26
41575 -- 38 38 38 50 50 50 58 58 58 58 58 58
41576 -- 54 54 54 42 42 42 30 30 30 18 18 18
41577 -- 10 10 10 0 0 0 0 0 0 0 0 0
41578 -- 0 0 0 0 0 0 0 0 0 0 0 0
41579 -- 0 0 0 0 0 0 0 0 0 0 0 0
41580 -- 0 0 0 0 0 0 0 0 0 0 0 0
41581 -- 0 0 0 0 0 0 0 0 0 0 0 0
41582 -- 0 0 0 0 0 0 0 0 0 0 0 0
41583 -- 0 0 0 0 0 0 0 0 0 0 0 0
41584 -- 0 0 0 0 0 0 0 0 0 0 0 0
41585 -- 0 0 0 0 0 0 0 0 0 0 0 0
41586 -- 0 0 0 0 0 0 0 0 0 0 0 0
41587 -- 0 0 0 0 0 0 0 0 0 6 6 6
41588 -- 6 6 6 10 10 10 14 14 14 18 18 18
41589 -- 18 18 18 14 14 14 10 10 10 6 6 6
41590 -- 0 0 0 0 0 0 0 0 0 0 0 0
41591 -- 0 0 0 0 0 0 0 0 0 0 0 0
41592 -- 0 0 0 0 0 0 0 0 0 0 0 0
41593 -- 0 0 0 0 0 0 0 0 0 0 0 0
41594 -- 0 0 0 0 0 0 0 0 0 6 6 6
41595 -- 14 14 14 18 18 18 22 22 22 22 22 22
41596 -- 18 18 18 14 14 14 10 10 10 6 6 6
41597 -- 0 0 0 0 0 0 0 0 0 0 0 0
41598 -- 0 0 0 0 0 0 0 0 0 0 0 0
41599 -- 0 0 0 0 0 0 0 0 0 0 0 0
41600 -- 0 0 0 0 0 0 0 0 0 0 0 0
41601 -- 0 0 0 0 0 0 0 0 0 0 0 0
41602 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41603 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41604 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41605 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41606 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41607 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41608 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41609 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41610 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41611 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41612 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41613 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41614 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41615 -+4 4 4 4 4 4
41616 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41617 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41618 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41619 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41620 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41621 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41622 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41623 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41624 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41625 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41626 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41627 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41628 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41629 -+4 4 4 4 4 4
41630 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41631 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41632 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41633 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41634 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41635 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41636 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41637 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41638 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41639 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41640 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41641 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41642 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41643 -+4 4 4 4 4 4
41644 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41645 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41646 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41647 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41648 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41649 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41650 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41651 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41652 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41653 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41654 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41655 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41656 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41657 -+4 4 4 4 4 4
41658 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41659 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41660 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41661 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41662 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41663 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41664 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41665 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41666 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41667 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41668 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41669 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41670 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41671 -+4 4 4 4 4 4
41672 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41673 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41674 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41675 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41676 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41677 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41678 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41679 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41680 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41681 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41682 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41683 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41684 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41685 -+4 4 4 4 4 4
41686 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41687 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41688 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41689 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41690 -+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
41691 -+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
41692 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41693 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41694 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41695 -+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
41696 -+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
41697 -+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
41698 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41699 -+4 4 4 4 4 4
41700 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41701 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41702 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41703 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41704 -+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
41705 -+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
41706 -+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41707 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41708 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41709 -+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
41710 -+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
41711 -+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
41712 -+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41713 -+4 4 4 4 4 4
41714 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41715 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41716 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41717 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41718 -+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
41719 -+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
41720 -+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
41721 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41722 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41723 -+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
41724 -+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
41725 -+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
41726 -+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
41727 -+4 4 4 4 4 4
41728 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41729 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41730 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41731 -+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
41732 -+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
41733 -+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
41734 -+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
41735 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41736 -+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
41737 -+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
41738 -+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
41739 -+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
41740 -+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
41741 -+4 4 4 4 4 4
41742 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41743 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41744 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41745 -+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
41746 -+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
41747 -+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
41748 -+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
41749 -+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41750 -+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
41751 -+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
41752 -+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
41753 -+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
41754 -+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
41755 -+4 4 4 4 4 4
41756 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41757 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41758 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41759 -+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
41760 -+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
41761 -+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
41762 -+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
41763 -+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
41764 -+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
41765 -+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
41766 -+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
41767 -+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
41768 -+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
41769 -+4 4 4 4 4 4
41770 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41771 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41772 -+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
41773 -+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
41774 -+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
41775 -+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
41776 -+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
41777 -+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
41778 -+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
41779 -+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
41780 -+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
41781 -+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
41782 -+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
41783 -+4 4 4 4 4 4
41784 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41785 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41786 -+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
41787 -+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
41788 -+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
41789 -+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
41790 -+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
41791 -+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
41792 -+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
41793 -+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
41794 -+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
41795 -+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
41796 -+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
41797 -+4 4 4 4 4 4
41798 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41799 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41800 -+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
41801 -+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
41802 -+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
41803 -+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
41804 -+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
41805 -+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
41806 -+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
41807 -+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
41808 -+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
41809 -+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
41810 -+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
41811 -+4 4 4 4 4 4
41812 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41813 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41814 -+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
41815 -+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
41816 -+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
41817 -+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
41818 -+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
41819 -+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
41820 -+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
41821 -+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
41822 -+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
41823 -+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
41824 -+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
41825 -+4 4 4 4 4 4
41826 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41827 -+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
41828 -+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
41829 -+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
41830 -+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
41831 -+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
41832 -+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
41833 -+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
41834 -+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
41835 -+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
41836 -+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
41837 -+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
41838 -+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
41839 -+4 4 4 4 4 4
41840 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41841 -+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
41842 -+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
41843 -+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
41844 -+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
41845 -+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
41846 -+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
41847 -+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
41848 -+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
41849 -+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
41850 -+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
41851 -+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
41852 -+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
41853 -+0 0 0 4 4 4
41854 -+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
41855 -+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
41856 -+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
41857 -+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
41858 -+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
41859 -+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
41860 -+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
41861 -+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
41862 -+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
41863 -+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
41864 -+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
41865 -+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
41866 -+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
41867 -+2 0 0 0 0 0
41868 -+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
41869 -+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
41870 -+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
41871 -+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
41872 -+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
41873 -+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
41874 -+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
41875 -+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
41876 -+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
41877 -+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
41878 -+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
41879 -+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
41880 -+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
41881 -+37 38 37 0 0 0
41882 -+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
41883 -+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
41884 -+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
41885 -+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
41886 -+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
41887 -+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
41888 -+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
41889 -+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
41890 -+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
41891 -+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
41892 -+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
41893 -+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
41894 -+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
41895 -+85 115 134 4 0 0
41896 -+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
41897 -+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
41898 -+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
41899 -+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
41900 -+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
41901 -+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
41902 -+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
41903 -+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
41904 -+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
41905 -+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
41906 -+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
41907 -+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
41908 -+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
41909 -+60 73 81 4 0 0
41910 -+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
41911 -+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
41912 -+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
41913 -+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
41914 -+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
41915 -+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
41916 -+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
41917 -+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
41918 -+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
41919 -+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
41920 -+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
41921 -+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
41922 -+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
41923 -+16 19 21 4 0 0
41924 -+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
41925 -+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
41926 -+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
41927 -+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
41928 -+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
41929 -+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
41930 -+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
41931 -+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
41932 -+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
41933 -+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
41934 -+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
41935 -+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
41936 -+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
41937 -+4 0 0 4 3 3
41938 -+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
41939 -+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
41940 -+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
41941 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
41942 -+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
41943 -+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
41944 -+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
41945 -+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
41946 -+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
41947 -+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
41948 -+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
41949 -+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
41950 -+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
41951 -+3 2 2 4 4 4
41952 -+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
41953 -+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
41954 -+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
41955 -+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
41956 -+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
41957 -+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
41958 -+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
41959 -+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
41960 -+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
41961 -+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
41962 -+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
41963 -+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
41964 -+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
41965 -+4 4 4 4 4 4
41966 -+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
41967 -+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
41968 -+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
41969 -+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
41970 -+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
41971 -+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
41972 -+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
41973 -+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
41974 -+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
41975 -+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
41976 -+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
41977 -+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
41978 -+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
41979 -+4 4 4 4 4 4
41980 -+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
41981 -+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
41982 -+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
41983 -+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
41984 -+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
41985 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
41986 -+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
41987 -+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
41988 -+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
41989 -+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
41990 -+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
41991 -+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
41992 -+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
41993 -+5 5 5 5 5 5
41994 -+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
41995 -+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
41996 -+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
41997 -+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
41998 -+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
41999 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
42000 -+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
42001 -+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
42002 -+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
42003 -+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
42004 -+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
42005 -+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
42006 -+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
42007 -+5 5 5 4 4 4
42008 -+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
42009 -+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
42010 -+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
42011 -+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
42012 -+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
42013 -+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
42014 -+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
42015 -+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
42016 -+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
42017 -+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
42018 -+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
42019 -+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
42020 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42021 -+4 4 4 4 4 4
42022 -+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
42023 -+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
42024 -+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
42025 -+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
42026 -+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
42027 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
42028 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
42029 -+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
42030 -+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
42031 -+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
42032 -+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
42033 -+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
42034 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42035 -+4 4 4 4 4 4
42036 -+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
42037 -+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
42038 -+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
42039 -+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
42040 -+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
42041 -+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
42042 -+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
42043 -+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
42044 -+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
42045 -+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
42046 -+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
42047 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42048 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42049 -+4 4 4 4 4 4
42050 -+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
42051 -+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
42052 -+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
42053 -+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
42054 -+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
42055 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
42056 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
42057 -+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
42058 -+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
42059 -+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
42060 -+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
42061 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42062 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42063 -+4 4 4 4 4 4
42064 -+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
42065 -+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
42066 -+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
42067 -+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
42068 -+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
42069 -+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
42070 -+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
42071 -+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
42072 -+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
42073 -+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
42074 -+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42075 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42076 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42077 -+4 4 4 4 4 4
42078 -+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
42079 -+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
42080 -+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
42081 -+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
42082 -+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
42083 -+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
42084 -+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
42085 -+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
42086 -+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
42087 -+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
42088 -+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
42089 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42090 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42091 -+4 4 4 4 4 4
42092 -+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
42093 -+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
42094 -+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
42095 -+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
42096 -+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
42097 -+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
42098 -+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
42099 -+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
42100 -+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
42101 -+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
42102 -+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
42103 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42104 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42105 -+4 4 4 4 4 4
42106 -+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
42107 -+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
42108 -+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
42109 -+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
42110 -+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
42111 -+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
42112 -+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
42113 -+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
42114 -+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
42115 -+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
42116 -+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42117 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42118 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42119 -+4 4 4 4 4 4
42120 -+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
42121 -+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
42122 -+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
42123 -+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
42124 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42125 -+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
42126 -+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
42127 -+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
42128 -+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
42129 -+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
42130 -+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42131 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42132 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42133 -+4 4 4 4 4 4
42134 -+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
42135 -+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
42136 -+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
42137 -+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
42138 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42139 -+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
42140 -+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
42141 -+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
42142 -+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
42143 -+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
42144 -+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42145 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42146 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42147 -+4 4 4 4 4 4
42148 -+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
42149 -+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
42150 -+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
42151 -+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
42152 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42153 -+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
42154 -+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
42155 -+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
42156 -+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
42157 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42158 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42159 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42160 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42161 -+4 4 4 4 4 4
42162 -+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
42163 -+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
42164 -+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
42165 -+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
42166 -+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
42167 -+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
42168 -+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
42169 -+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
42170 -+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
42171 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42172 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42173 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42174 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42175 -+4 4 4 4 4 4
42176 -+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
42177 -+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
42178 -+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
42179 -+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
42180 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42181 -+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
42182 -+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
42183 -+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
42184 -+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
42185 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42186 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42187 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42188 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42189 -+4 4 4 4 4 4
42190 -+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
42191 -+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
42192 -+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
42193 -+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
42194 -+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
42195 -+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
42196 -+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
42197 -+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
42198 -+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
42199 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42200 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42201 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42202 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42203 -+4 4 4 4 4 4
42204 -+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
42205 -+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
42206 -+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
42207 -+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
42208 -+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
42209 -+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
42210 -+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
42211 -+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
42212 -+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
42213 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42214 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42215 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42216 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42217 -+4 4 4 4 4 4
42218 -+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
42219 -+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
42220 -+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
42221 -+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
42222 -+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
42223 -+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
42224 -+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
42225 -+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
42226 -+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
42227 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42228 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42229 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42230 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42231 -+4 4 4 4 4 4
42232 -+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
42233 -+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
42234 -+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
42235 -+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
42236 -+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
42237 -+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
42238 -+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
42239 -+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
42240 -+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
42241 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42242 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42243 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42244 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42245 -+4 4 4 4 4 4
42246 -+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
42247 -+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
42248 -+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
42249 -+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
42250 -+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
42251 -+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
42252 -+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
42253 -+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
42254 -+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
42255 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42256 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42257 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42258 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42259 -+4 4 4 4 4 4
42260 -+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
42261 -+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
42262 -+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
42263 -+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
42264 -+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
42265 -+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
42266 -+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
42267 -+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
42268 -+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
42269 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42270 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42271 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42272 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42273 -+4 4 4 4 4 4
42274 -+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
42275 -+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
42276 -+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
42277 -+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
42278 -+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
42279 -+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
42280 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42281 -+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
42282 -+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
42283 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42284 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42285 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42286 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42287 -+4 4 4 4 4 4
42288 -+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
42289 -+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
42290 -+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
42291 -+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
42292 -+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
42293 -+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
42294 -+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
42295 -+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
42296 -+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
42297 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42298 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42299 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42300 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42301 -+4 4 4 4 4 4
42302 -+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
42303 -+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
42304 -+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
42305 -+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
42306 -+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
42307 -+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
42308 -+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
42309 -+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
42310 -+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
42311 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42312 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42313 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42314 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42315 -+4 4 4 4 4 4
42316 -+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
42317 -+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
42318 -+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
42319 -+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
42320 -+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
42321 -+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
42322 -+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
42323 -+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
42324 -+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
42325 -+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42326 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42327 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42328 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42329 -+4 4 4 4 4 4
42330 -+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
42331 -+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
42332 -+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
42333 -+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
42334 -+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
42335 -+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
42336 -+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
42337 -+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
42338 -+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
42339 -+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42340 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42341 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42342 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42343 -+4 4 4 4 4 4
42344 -+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
42345 -+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
42346 -+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
42347 -+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
42348 -+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
42349 -+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
42350 -+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
42351 -+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
42352 -+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
42353 -+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
42354 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42355 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42356 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42357 -+4 4 4 4 4 4
42358 -+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
42359 -+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
42360 -+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
42361 -+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
42362 -+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
42363 -+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
42364 -+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
42365 -+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
42366 -+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
42367 -+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
42368 -+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
42369 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42370 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42371 -+4 4 4 4 4 4
42372 -+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
42373 -+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
42374 -+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
42375 -+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
42376 -+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
42377 -+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
42378 -+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
42379 -+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
42380 -+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
42381 -+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
42382 -+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42383 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42384 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42385 -+4 4 4 4 4 4
42386 -+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
42387 -+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
42388 -+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
42389 -+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
42390 -+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
42391 -+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
42392 -+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42393 -+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
42394 -+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
42395 -+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
42396 -+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
42397 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42398 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42399 -+4 4 4 4 4 4
42400 -+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
42401 -+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
42402 -+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
42403 -+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
42404 -+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
42405 -+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
42406 -+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
42407 -+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
42408 -+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
42409 -+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
42410 -+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42411 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42412 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42413 -+4 4 4 4 4 4
42414 -+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
42415 -+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
42416 -+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
42417 -+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
42418 -+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
42419 -+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
42420 -+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
42421 -+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
42422 -+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
42423 -+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
42424 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42425 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42426 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42427 -+4 4 4 4 4 4
42428 -+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
42429 -+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
42430 -+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
42431 -+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
42432 -+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
42433 -+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
42434 -+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
42435 -+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
42436 -+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
42437 -+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
42438 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42439 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42440 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42441 -+4 4 4 4 4 4
42442 -+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
42443 -+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
42444 -+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
42445 -+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
42446 -+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
42447 -+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
42448 -+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
42449 -+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
42450 -+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
42451 -+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
42452 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42453 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42454 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42455 -+4 4 4 4 4 4
42456 -+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
42457 -+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
42458 -+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
42459 -+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
42460 -+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
42461 -+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
42462 -+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
42463 -+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
42464 -+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
42465 -+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
42466 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42467 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42468 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42469 -+4 4 4 4 4 4
42470 -+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
42471 -+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
42472 -+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
42473 -+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
42474 -+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
42475 -+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
42476 -+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
42477 -+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
42478 -+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
42479 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42480 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42481 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42482 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42483 -+4 4 4 4 4 4
42484 -+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
42485 -+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
42486 -+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
42487 -+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
42488 -+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
42489 -+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
42490 -+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
42491 -+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
42492 -+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
42493 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42494 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42495 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42496 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42497 -+4 4 4 4 4 4
42498 -+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
42499 -+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
42500 -+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
42501 -+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
42502 -+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
42503 -+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
42504 -+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
42505 -+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
42506 -+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42507 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42508 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42509 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42510 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42511 -+4 4 4 4 4 4
42512 -+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
42513 -+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
42514 -+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
42515 -+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
42516 -+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
42517 -+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
42518 -+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
42519 -+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
42520 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42521 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42522 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42523 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42524 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42525 -+4 4 4 4 4 4
42526 -+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
42527 -+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
42528 -+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
42529 -+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
42530 -+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
42531 -+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
42532 -+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
42533 -+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
42534 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42535 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42536 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42537 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42538 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42539 -+4 4 4 4 4 4
42540 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
42541 -+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
42542 -+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
42543 -+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
42544 -+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
42545 -+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
42546 -+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
42547 -+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
42548 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42549 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42550 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42551 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42552 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42553 -+4 4 4 4 4 4
42554 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42555 -+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
42556 -+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
42557 -+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
42558 -+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
42559 -+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
42560 -+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
42561 -+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
42562 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42563 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42564 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42565 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42566 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42567 -+4 4 4 4 4 4
42568 -+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42569 -+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
42570 -+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
42571 -+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
42572 -+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
42573 -+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
42722 -diff -urNp linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c
42723 ---- linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-03-27 14:31:47.000000000 -0400
42724 -+++ linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-04-17 15:56:46.000000000 -0400
42725 -@@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
42726 - return bd->props.brightness;
42727 - }
42728 -
42729 --static struct backlight_ops nvidia_bl_ops = {
42730 -+static const struct backlight_ops nvidia_bl_ops = {
42731 - .get_brightness = nvidia_bl_get_brightness,
42732 - .update_status = nvidia_bl_update_status,
42733 - };
42734 -diff -urNp linux-2.6.32.46/drivers/video/riva/fbdev.c linux-2.6.32.46/drivers/video/riva/fbdev.c
42735 ---- linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-03-27 14:31:47.000000000 -0400
42736 -+++ linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-04-17 15:56:46.000000000 -0400
42737 -@@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
42738 - return bd->props.brightness;
42739 - }
42740 -
42741 --static struct backlight_ops riva_bl_ops = {
42742 -+static const struct backlight_ops riva_bl_ops = {
42743 - .get_brightness = riva_bl_get_brightness,
42744 - .update_status = riva_bl_update_status,
42745 - };
42746 -diff -urNp linux-2.6.32.46/drivers/video/uvesafb.c linux-2.6.32.46/drivers/video/uvesafb.c
42747 ---- linux-2.6.32.46/drivers/video/uvesafb.c 2011-03-27 14:31:47.000000000 -0400
42748 -+++ linux-2.6.32.46/drivers/video/uvesafb.c 2011-04-17 15:56:46.000000000 -0400
42749 -@@ -18,6 +18,7 @@
42750 - #include <linux/fb.h>
42751 - #include <linux/io.h>
42752 - #include <linux/mutex.h>
42753 -+#include <linux/moduleloader.h>
42754 - #include <video/edid.h>
42755 - #include <video/uvesafb.h>
42756 - #ifdef CONFIG_X86
42757 -@@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
42758 - NULL,
42759 - };
42760 -
42761 -- return call_usermodehelper(v86d_path, argv, envp, 1);
42762 -+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
42763 - }
42764 -
42765 - /*
42766 -@@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
42767 - if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
42768 - par->pmi_setpal = par->ypan = 0;
42769 - } else {
42770 -+
42771 -+#ifdef CONFIG_PAX_KERNEXEC
42772 -+#ifdef CONFIG_MODULES
42773 -+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
42774 -+#endif
42775 -+ if (!par->pmi_code) {
42776 -+ par->pmi_setpal = par->ypan = 0;
42777 -+ return 0;
42778 -+ }
42779 -+#endif
42780 -+
42781 - par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
42782 - + task->t.regs.edi);
42783 -+
42784 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42785 -+ pax_open_kernel();
42786 -+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
42787 -+ pax_close_kernel();
42788 -+
42789 -+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
42790 -+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
42791 -+#else
42792 - par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
42793 - par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
42794 -+#endif
42795 -+
42796 - printk(KERN_INFO "uvesafb: protected mode interface info at "
42797 - "%04x:%04x\n",
42798 - (u16)task->t.regs.es, (u16)task->t.regs.edi);
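Review bot: In the KERNEXEC branch of uvesafb_vbe_getpmi(), `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` length that was just allocated and copied, so an entry offset outside the copied block is accepted as is. Suggest treating the PMI as unusable (`par->pmi_setpal = par->ypan = 0`) when either offset is not below the copied size. Separately, with CONFIG_PAX_KERNEXEC set and CONFIG_MODULES unset nothing in this hunk assigns `par->pmi_code`, so the `if (!par->pmi_code)` test relies on `par` having been zeroed elsewhere; a comment stating that PMI is intentionally disabled in that configuration would make this clear.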
42799 -@@ -1799,6 +1822,11 @@ out:
42800 - if (par->vbe_modes)
42801 - kfree(par->vbe_modes);
42802 -
42803 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42804 -+ if (par->pmi_code)
42805 -+ module_free_exec(NULL, par->pmi_code);
42806 -+#endif
42807 -+
42808 - framebuffer_release(info);
42809 - return err;
42810 - }
42811 -@@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
42812 - kfree(par->vbe_state_orig);
42813 - if (par->vbe_state_saved)
42814 - kfree(par->vbe_state_saved);
42815 -+
42816 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42817 -+ if (par->pmi_code)
42818 -+ module_free_exec(NULL, par->pmi_code);
42819 -+#endif
42820 -+
42821 - }
42822 -
42823 - framebuffer_release(info);
42824 -diff -urNp linux-2.6.32.46/drivers/video/vesafb.c linux-2.6.32.46/drivers/video/vesafb.c
42825 ---- linux-2.6.32.46/drivers/video/vesafb.c 2011-03-27 14:31:47.000000000 -0400
42826 -+++ linux-2.6.32.46/drivers/video/vesafb.c 2011-08-05 20:33:55.000000000 -0400
42827 -@@ -9,6 +9,7 @@
42828 - */
42829 -
42830 - #include <linux/module.h>
42831 -+#include <linux/moduleloader.h>
42832 - #include <linux/kernel.h>
42833 - #include <linux/errno.h>
42834 - #include <linux/string.h>
42835 -@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
42836 - static int vram_total __initdata; /* Set total amount of memory */
42837 - static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
42838 - static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
42839 --static void (*pmi_start)(void) __read_mostly;
42840 --static void (*pmi_pal) (void) __read_mostly;
42841 -+static void (*pmi_start)(void) __read_only;
42842 -+static void (*pmi_pal) (void) __read_only;
42843 - static int depth __read_mostly;
42844 - static int vga_compat __read_mostly;
42845 - /* --------------------------------------------------------------------- */
42846 -@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
42847 - unsigned int size_vmode;
42848 - unsigned int size_remap;
42849 - unsigned int size_total;
42850 -+ void *pmi_code = NULL;
42851 -
42852 - if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
42853 - return -ENODEV;
42854 -@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
42855 - size_remap = size_total;
42856 - vesafb_fix.smem_len = size_remap;
42857 -
42858 --#ifndef __i386__
42859 -- screen_info.vesapm_seg = 0;
42860 --#endif
42861 --
42862 - if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
42863 - printk(KERN_WARNING
42864 - "vesafb: cannot reserve video memory at 0x%lx\n",
42865 -@@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
42866 - printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
42867 - vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
42868 -
42869 -+#ifdef __i386__
42870 -+
42871 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42872 -+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
42873 -+ if (!pmi_code)
42874 -+#elif !defined(CONFIG_PAX_KERNEXEC)
42875 -+ if (0)
42876 -+#endif
42877 -+
42878 -+#endif
42879 -+ screen_info.vesapm_seg = 0;
42880 -+
42881 - if (screen_info.vesapm_seg) {
42882 -- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
42883 -- screen_info.vesapm_seg,screen_info.vesapm_off);
42884 -+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
42885 -+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
42886 - }
42887 -
42888 - if (screen_info.vesapm_seg < 0xc000)
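Review bot: The `if (!pmi_code)` and `if (0)` lines guard a statement, `screen_info.vesapm_seg = 0;`, that sits after both `#endif` lines, so the condition attached to the assignment depends on three preprocessor symbols and is easy to misread. On non-i386 builds, and on i386 with CONFIG_PAX_KERNEXEC but without CONFIG_MODULES, no `if` is emitted and the assignment is unconditional. Suggest setting a local flag inside the `#if` blocks and writing one visible `if` around the assignment, with a comment listing the configurations in which PMI is switched off.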
42889 -@@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
42890 -
42891 - if (ypan || pmi_setpal) {
42892 - unsigned short *pmi_base;
42893 -+
42894 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
42895 -- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
42896 -- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
42897 -+
42898 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42899 -+ pax_open_kernel();
42900 -+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
42901 -+#else
42902 -+ pmi_code = pmi_base;
42903 -+#endif
42904 -+
42905 -+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
42906 -+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
42907 -+
42908 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42909 -+ pmi_start = ktva_ktla(pmi_start);
42910 -+ pmi_pal = ktva_ktla(pmi_pal);
42911 -+ pax_close_kernel();
42912 -+#endif
42913 -+
42914 - printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
42915 - if (pmi_base[3]) {
42916 - printk(KERN_INFO "vesafb: pmi: ports = ");
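Review bot: `memcpy(pmi_code, pmi_base, screen_info.vesapm_size)` copies a length taken from `screen_info`, and `pmi_base[1]` and `pmi_base[2]` are then used as offsets into that copy with no check that they fall below `vesapm_size`. Suggest validating both offsets against the copied size before assigning `pmi_start` and `pmi_pal`, and clearing `ypan` and `pmi_setpal` if they do not fit. The `pax_open_kernel()` and `pax_close_kernel()` calls also sit in two separate `#if` blocks with the pointer assignments between them; a short comment that the window stays open because `pmi_start` and `pmi_pal` are now `__read_only` would help the next reader.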
42917 -@@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
42918 - info->node, info->fix.id);
42919 - return 0;
42920 - err:
42921 -+
42922 -+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42923 -+ module_free_exec(NULL, pmi_code);
42924 -+#endif
42925 -+
42926 - if (info->screen_base)
42927 - iounmap(info->screen_base);
42928 - framebuffer_release(info);
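Review bot: `module_free_exec(NULL, pmi_code)` at the `err:` label runs without a NULL test, while the uvesafb.c hunks guard the same call with `if (par->pmi_code)`. `pmi_code` is initialised to NULL in vesafb_probe() and is still NULL on any failure that jumps here before the allocation, so either add the same guard or state in a comment that `module_free_exec()` accepts NULL.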
42929 -diff -urNp linux-2.6.32.46/drivers/xen/sys-hypervisor.c linux-2.6.32.46/drivers/xen/sys-hypervisor.c
42930 ---- linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-03-27 14:31:47.000000000 -0400
42931 -+++ linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-04-17 15:56:46.000000000 -0400
42932 -@@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
42933 - return 0;
42934 - }
42935 -
42936 --static struct sysfs_ops hyp_sysfs_ops = {
42937 -+static const struct sysfs_ops hyp_sysfs_ops = {
42938 - .show = hyp_sysfs_show,
42939 - .store = hyp_sysfs_store,
42940 - };
42941 -diff -urNp linux-2.6.32.46/fs/9p/vfs_inode.c linux-2.6.32.46/fs/9p/vfs_inode.c
42942 ---- linux-2.6.32.46/fs/9p/vfs_inode.c 2011-03-27 14:31:47.000000000 -0400
42943 -+++ linux-2.6.32.46/fs/9p/vfs_inode.c 2011-04-17 15:56:46.000000000 -0400
42944 -@@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
42945 - static void
42946 - v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
42947 - {
42948 -- char *s = nd_get_link(nd);
42949 -+ const char *s = nd_get_link(nd);
42950 -
42951 - P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
42952 - IS_ERR(s) ? "<error>" : s);
42953 -diff -urNp linux-2.6.32.46/fs/Kconfig.binfmt linux-2.6.32.46/fs/Kconfig.binfmt
42954 ---- linux-2.6.32.46/fs/Kconfig.binfmt 2011-03-27 14:31:47.000000000 -0400
42955 -+++ linux-2.6.32.46/fs/Kconfig.binfmt 2011-04-17 15:56:46.000000000 -0400
42956 -@@ -86,7 +86,7 @@ config HAVE_AOUT
42957 -
42958 - config BINFMT_AOUT
42959 - tristate "Kernel support for a.out and ECOFF binaries"
42960 -- depends on HAVE_AOUT
42961 -+ depends on HAVE_AOUT && BROKEN
42962 - ---help---
42963 - A.out (Assembler.OUTput) is a set of formats for libraries and
42964 - executables used in the earliest versions of UNIX. Linux used
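Review bot: `depends on HAVE_AOUT && BROKEN` makes BINFMT_AOUT unselectable in ordinary configurations, but neither the prompt nor the help text below it says so or gives the reason. Suggest adding a sentence to the help text explaining why a.out support is disabled under this patch set.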
42965 -diff -urNp linux-2.6.32.46/fs/aio.c linux-2.6.32.46/fs/aio.c
42966 ---- linux-2.6.32.46/fs/aio.c 2011-03-27 14:31:47.000000000 -0400
42967 -+++ linux-2.6.32.46/fs/aio.c 2011-06-04 20:40:21.000000000 -0400
42968 -@@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
42969 - size += sizeof(struct io_event) * nr_events;
42970 - nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
42971 -
42972 -- if (nr_pages < 0)
42973 -+ if (nr_pages <= 0)
42974 - return -EINVAL;
42975 -
42976 - nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
42977 -@@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
42978 - struct aio_timeout to;
42979 - int retry = 0;
42980 -
42981 -+ pax_track_stack();
42982 -+
42983 - /* needed to zero any padding within an entry (there shouldn't be
42984 - * any, but C is fun!
42985 - */
42986 -@@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
42987 - static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
42988 - {
42989 - ssize_t ret;
42990 -+ struct iovec iovstack;
42991 -
42992 - ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
42993 - kiocb->ki_nbytes, 1,
42994 -- &kiocb->ki_inline_vec, &kiocb->ki_iovec);
42995 -+ &iovstack, &kiocb->ki_iovec);
42996 - if (ret < 0)
42997 - goto out;
42998 -
42999 -+ if (kiocb->ki_iovec == &iovstack) {
43000 -+ kiocb->ki_inline_vec = iovstack;
43001 -+ kiocb->ki_iovec = &kiocb->ki_inline_vec;
43002 -+ }
43003 - kiocb->ki_nr_segs = kiocb->ki_nbytes;
43004 - kiocb->ki_cur_seg = 0;
43005 - /* ki_nbytes/left now reflect bytes instead of segs */
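Review bot: The new `iovstack` temporary in aio_setup_vectored_rw() and the copy back into `kiocb->ki_inline_vec` carry no comment, and the reason for no longer passing `&kiocb->ki_inline_vec` directly to `rw_copy_check_uvector()` cannot be read from the code. Suggest a one-line comment above `struct iovec iovstack;` stating what the indirection is for, so that it is not simplified away later.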
43006 -diff -urNp linux-2.6.32.46/fs/attr.c linux-2.6.32.46/fs/attr.c
43007 ---- linux-2.6.32.46/fs/attr.c 2011-03-27 14:31:47.000000000 -0400
43008 -+++ linux-2.6.32.46/fs/attr.c 2011-04-17 15:56:46.000000000 -0400
43009 -@@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
43010 - unsigned long limit;
43011 -
43012 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
43013 -+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43014 - if (limit != RLIM_INFINITY && offset > limit)
43015 - goto out_sig;
43016 - if (offset > inode->i_sb->s_maxbytes)
43017 -diff -urNp linux-2.6.32.46/fs/autofs/root.c linux-2.6.32.46/fs/autofs/root.c
43018 ---- linux-2.6.32.46/fs/autofs/root.c 2011-03-27 14:31:47.000000000 -0400
43019 -+++ linux-2.6.32.46/fs/autofs/root.c 2011-04-17 15:56:46.000000000 -0400
43020 -@@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
43021 - set_bit(n,sbi->symlink_bitmap);
43022 - sl = &sbi->symlink[n];
43023 - sl->len = strlen(symname);
43024 -- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
43025 -+ slsize = sl->len+1;
43026 -+ sl->data = kmalloc(slsize, GFP_KERNEL);
43027 - if (!sl->data) {
43028 - clear_bit(n,sbi->symlink_bitmap);
43029 - unlock_kernel();
43030 -diff -urNp linux-2.6.32.46/fs/autofs4/symlink.c linux-2.6.32.46/fs/autofs4/symlink.c
43031 ---- linux-2.6.32.46/fs/autofs4/symlink.c 2011-03-27 14:31:47.000000000 -0400
43032 -+++ linux-2.6.32.46/fs/autofs4/symlink.c 2011-04-17 15:56:46.000000000 -0400
43033 -@@ -15,7 +15,7 @@
43034 - static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
43035 - {
43036 - struct autofs_info *ino = autofs4_dentry_ino(dentry);
43037 -- nd_set_link(nd, (char *)ino->u.symlink);
43038 -+ nd_set_link(nd, ino->u.symlink);
43039 - return NULL;
43040 - }
43041 -
43042 -diff -urNp linux-2.6.32.46/fs/autofs4/waitq.c linux-2.6.32.46/fs/autofs4/waitq.c
43043 ---- linux-2.6.32.46/fs/autofs4/waitq.c 2011-03-27 14:31:47.000000000 -0400
43044 -+++ linux-2.6.32.46/fs/autofs4/waitq.c 2011-10-06 09:37:14.000000000 -0400
43045 -@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
43046 - {
43047 - unsigned long sigpipe, flags;
43048 - mm_segment_t fs;
43049 -- const char *data = (const char *)addr;
43050 -+ const char __user *data = (const char __force_user *)addr;
43051 - ssize_t wr = 0;
43052 -
43053 - /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
43054 -diff -urNp linux-2.6.32.46/fs/befs/linuxvfs.c linux-2.6.32.46/fs/befs/linuxvfs.c
43055 ---- linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:24:44.000000000 -0400
43056 -+++ linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:25:07.000000000 -0400
43057 -@@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43058 - {
43059 - befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43060 - if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43061 -- char *link = nd_get_link(nd);
43062 -+ const char *link = nd_get_link(nd);
43063 - if (!IS_ERR(link))
43064 - kfree(link);
43065 - }
43066 -diff -urNp linux-2.6.32.46/fs/binfmt_aout.c linux-2.6.32.46/fs/binfmt_aout.c
43067 ---- linux-2.6.32.46/fs/binfmt_aout.c 2011-03-27 14:31:47.000000000 -0400
43068 -+++ linux-2.6.32.46/fs/binfmt_aout.c 2011-04-17 15:56:46.000000000 -0400
43069 -@@ -16,6 +16,7 @@
43070 - #include <linux/string.h>
43071 - #include <linux/fs.h>
43072 - #include <linux/file.h>
43073 -+#include <linux/security.h>
43074 - #include <linux/stat.h>
43075 - #include <linux/fcntl.h>
43076 - #include <linux/ptrace.h>
43077 -@@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
43078 - #endif
43079 - # define START_STACK(u) (u.start_stack)
43080 -
43081 -+ memset(&dump, 0, sizeof(dump));
43082 -+
43083 - fs = get_fs();
43084 - set_fs(KERNEL_DS);
43085 - has_dumped = 1;
43086 -@@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
43087 -
43088 - /* If the size of the dump file exceeds the rlimit, then see what would happen
43089 - if we wrote the stack, but not the data area. */
43090 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43091 - if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
43092 - dump.u_dsize = 0;
43093 -
43094 - /* Make sure we have enough room to write the stack and data areas. */
43095 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43096 - if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
43097 - dump.u_ssize = 0;
43098 -
43099 -@@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
43100 - dump_size = dump.u_ssize << PAGE_SHIFT;
43101 - DUMP_WRITE(dump_start,dump_size);
43102 - }
43103 --/* Finally dump the task struct. Not be used by gdb, but could be useful */
43104 -- set_fs(KERNEL_DS);
43105 -- DUMP_WRITE(current,sizeof(*current));
43106 -+/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
43107 - end_coredump:
43108 - set_fs(fs);
43109 - return has_dumped;
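Review bot: The replacement comment in aout_core_dump() keeps the old wording ("Not be used by gdb, but could be useful") and is hard to parse now that the `DUMP_WRITE(current,sizeof(*current))` it described is gone. Suggest a plain statement such as "The task struct is deliberately not written to the core file" and a changelog note that a.out core files no longer end with the task struct, since that changes what the file contains.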
43110 -@@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
43111 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
43112 - if (rlim >= RLIM_INFINITY)
43113 - rlim = ~0;
43114 -+
43115 -+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43116 - if (ex.a_data + ex.a_bss > rlim)
43117 - return -ENOMEM;
43118 -
43119 -@@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
43120 - install_exec_creds(bprm);
43121 - current->flags &= ~PF_FORKNOEXEC;
43122 -
43123 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43124 -+ current->mm->pax_flags = 0UL;
43125 -+#endif
43126 -+
43127 -+#ifdef CONFIG_PAX_PAGEEXEC
43128 -+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43129 -+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43130 -+
43131 -+#ifdef CONFIG_PAX_EMUTRAMP
43132 -+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43133 -+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43134 -+#endif
43135 -+
43136 -+#ifdef CONFIG_PAX_MPROTECT
43137 -+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43138 -+ current->mm->pax_flags |= MF_PAX_MPROTECT;
43139 -+#endif
43140 -+
43141 -+ }
43142 -+#endif
43143 -+
43144 - if (N_MAGIC(ex) == OMAGIC) {
43145 - unsigned long text_addr, map_size;
43146 - loff_t pos;
43147 -@@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
43148 -
43149 - down_write(&current->mm->mmap_sem);
43150 - error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43151 -- PROT_READ | PROT_WRITE | PROT_EXEC,
43152 -+ PROT_READ | PROT_WRITE,
43153 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43154 - fd_offset + ex.a_text);
43155 - up_write(&current->mm->mmap_sem);
43156 -diff -urNp linux-2.6.32.46/fs/binfmt_elf.c linux-2.6.32.46/fs/binfmt_elf.c
43157 ---- linux-2.6.32.46/fs/binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
43158 -+++ linux-2.6.32.46/fs/binfmt_elf.c 2011-05-16 21:46:57.000000000 -0400
43159 -@@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
43160 - #define elf_core_dump NULL
43161 - #endif
43162 -
43163 -+#ifdef CONFIG_PAX_MPROTECT
43164 -+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43165 -+#endif
43166 -+
43167 - #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43168 - #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43169 - #else
43170 -@@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
43171 - .load_binary = load_elf_binary,
43172 - .load_shlib = load_elf_library,
43173 - .core_dump = elf_core_dump,
43174 -+
43175 -+#ifdef CONFIG_PAX_MPROTECT
43176 -+ .handle_mprotect= elf_handle_mprotect,
43177 -+#endif
43178 -+
43179 - .min_coredump = ELF_EXEC_PAGESIZE,
43180 - .hasvdso = 1
43181 - };
43182 -@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43183 -
43184 - static int set_brk(unsigned long start, unsigned long end)
43185 - {
43186 -+ unsigned long e = end;
43187 -+
43188 - start = ELF_PAGEALIGN(start);
43189 - end = ELF_PAGEALIGN(end);
43190 - if (end > start) {
43191 -@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43192 - if (BAD_ADDR(addr))
43193 - return addr;
43194 - }
43195 -- current->mm->start_brk = current->mm->brk = end;
43196 -+ current->mm->start_brk = current->mm->brk = e;
43197 - return 0;
43198 - }
43199 -
43200 -@@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43201 - elf_addr_t __user *u_rand_bytes;
43202 - const char *k_platform = ELF_PLATFORM;
43203 - const char *k_base_platform = ELF_BASE_PLATFORM;
43204 -- unsigned char k_rand_bytes[16];
43205 -+ u32 k_rand_bytes[4];
43206 - int items;
43207 - elf_addr_t *elf_info;
43208 - int ei_index = 0;
43209 - const struct cred *cred = current_cred();
43210 - struct vm_area_struct *vma;
43211 -+ unsigned long saved_auxv[AT_VECTOR_SIZE];
43212 -+
43213 -+ pax_track_stack();
43214 -
43215 - /*
43216 - * In some cases (e.g. Hyper-Threading), we want to avoid L1
43217 -@@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43218 - * Generate 16 random bytes for userspace PRNG seeding.
43219 - */
43220 - get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43221 -- u_rand_bytes = (elf_addr_t __user *)
43222 -- STACK_ALLOC(p, sizeof(k_rand_bytes));
43223 -+ srandom32(k_rand_bytes[0] ^ random32());
43224 -+ srandom32(k_rand_bytes[1] ^ random32());
43225 -+ srandom32(k_rand_bytes[2] ^ random32());
43226 -+ srandom32(k_rand_bytes[3] ^ random32());
43227 -+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
43228 -+ u_rand_bytes = (elf_addr_t __user *) p;
43229 - if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43230 - return -EFAULT;
43231 -
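Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls mix into the random32 state the same words that `__copy_to_user(u_rand_bytes, k_rand_bytes, ...)` hands to the new process a few lines later, and the existing comment only mentions userspace PRNG seeding. Suggest drawing separate bytes for the reseed, or documenting why reusing the values given to userspace is acceptable. The switch from `STACK_ALLOC(p, sizeof(k_rand_bytes))` to `p = STACK_ROUND(p, sizeof(k_rand_bytes))` also deserves a comment, since the two macros are not obviously interchangeable.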
43232 -@@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43233 - return -EFAULT;
43234 - current->mm->env_end = p;
43235 -
43236 -+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43237 -+
43238 - /* Put the elf_info on the stack in the right place. */
43239 - sp = (elf_addr_t __user *)envp + 1;
43240 -- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43241 -+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43242 - return -EFAULT;
43243 - return 0;
43244 - }
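Review bot: `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t))` writes into the on-stack `unsigned long saved_auxv[AT_VECTOR_SIZE]` declared in the earlier hunk with no check that `ei_index` is within `AT_VECTOR_SIZE`, and the array element type differs from the `elf_addr_t` used for the length. Suggest declaring the buffer as `elf_addr_t` and adding an explicit bound check (or a build-time assertion) before the copy, plus a comment on why the vector is staged on the stack before `copy_to_user()`.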
43245 -@@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
43246 - {
43247 - struct elf_phdr *elf_phdata;
43248 - struct elf_phdr *eppnt;
43249 -- unsigned long load_addr = 0;
43250 -+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43251 - int load_addr_set = 0;
43252 - unsigned long last_bss = 0, elf_bss = 0;
43253 -- unsigned long error = ~0UL;
43254 -+ unsigned long error = -EINVAL;
43255 - unsigned long total_size;
43256 - int retval, i, size;
43257 -
43258 -@@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
43259 - goto out_close;
43260 - }
43261 -
43262 -+#ifdef CONFIG_PAX_SEGMEXEC
43263 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43264 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
43265 -+#endif
43266 -+
43267 - eppnt = elf_phdata;
43268 - for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43269 - if (eppnt->p_type == PT_LOAD) {
43270 -@@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
43271 - k = load_addr + eppnt->p_vaddr;
43272 - if (BAD_ADDR(k) ||
43273 - eppnt->p_filesz > eppnt->p_memsz ||
43274 -- eppnt->p_memsz > TASK_SIZE ||
43275 -- TASK_SIZE - eppnt->p_memsz < k) {
43276 -+ eppnt->p_memsz > pax_task_size ||
43277 -+ pax_task_size - eppnt->p_memsz < k) {
43278 - error = -ENOMEM;
43279 - goto out_close;
43280 - }
43281 -@@ -532,6 +557,194 @@ out:
43282 - return error;
43283 - }
43284 -
43285 -+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43286 -+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43287 -+{
43288 -+ unsigned long pax_flags = 0UL;
43289 -+
43290 -+#ifdef CONFIG_PAX_PAGEEXEC
43291 -+ if (elf_phdata->p_flags & PF_PAGEEXEC)
43292 -+ pax_flags |= MF_PAX_PAGEEXEC;
43293 -+#endif
43294 -+
43295 -+#ifdef CONFIG_PAX_SEGMEXEC
43296 -+ if (elf_phdata->p_flags & PF_SEGMEXEC)
43297 -+ pax_flags |= MF_PAX_SEGMEXEC;
43298 -+#endif
43299 -+
43300 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43301 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43302 -+ if (nx_enabled)
43303 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
43304 -+ else
43305 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
43306 -+ }
43307 -+#endif
43308 -+
43309 -+#ifdef CONFIG_PAX_EMUTRAMP
43310 -+ if (elf_phdata->p_flags & PF_EMUTRAMP)
43311 -+ pax_flags |= MF_PAX_EMUTRAMP;
43312 -+#endif
43313 -+
43314 -+#ifdef CONFIG_PAX_MPROTECT
43315 -+ if (elf_phdata->p_flags & PF_MPROTECT)
43316 -+ pax_flags |= MF_PAX_MPROTECT;
43317 -+#endif
43318 -+
43319 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43320 -+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43321 -+ pax_flags |= MF_PAX_RANDMMAP;
43322 -+#endif
43323 -+
43324 -+ return pax_flags;
43325 -+}
43326 -+#endif
43327 -+
43328 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
43329 -+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
43330 -+{
43331 -+ unsigned long pax_flags = 0UL;
43332 -+
43333 -+#ifdef CONFIG_PAX_PAGEEXEC
43334 -+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
43335 -+ pax_flags |= MF_PAX_PAGEEXEC;
43336 -+#endif
43337 -+
43338 -+#ifdef CONFIG_PAX_SEGMEXEC
43339 -+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
43340 -+ pax_flags |= MF_PAX_SEGMEXEC;
43341 -+#endif
43342 -+
43343 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43344 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43345 -+ if (nx_enabled)
43346 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
43347 -+ else
43348 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
43349 -+ }
43350 -+#endif
43351 -+
43352 -+#ifdef CONFIG_PAX_EMUTRAMP
43353 -+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
43354 -+ pax_flags |= MF_PAX_EMUTRAMP;
43355 -+#endif
43356 -+
43357 -+#ifdef CONFIG_PAX_MPROTECT
43358 -+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
43359 -+ pax_flags |= MF_PAX_MPROTECT;
43360 -+#endif
43361 -+
43362 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43363 -+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
43364 -+ pax_flags |= MF_PAX_RANDMMAP;
43365 -+#endif
43366 -+
43367 -+ return pax_flags;
43368 -+}
43369 -+#endif
43370 -+
43371 -+#ifdef CONFIG_PAX_EI_PAX
43372 -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
43373 -+{
43374 -+ unsigned long pax_flags = 0UL;
43375 -+
43376 -+#ifdef CONFIG_PAX_PAGEEXEC
43377 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
43378 -+ pax_flags |= MF_PAX_PAGEEXEC;
43379 -+#endif
43380 -+
43381 -+#ifdef CONFIG_PAX_SEGMEXEC
43382 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
43383 -+ pax_flags |= MF_PAX_SEGMEXEC;
43384 -+#endif
43385 -+
43386 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43387 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43388 -+ if (nx_enabled)
43389 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
43390 -+ else
43391 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
43392 -+ }
43393 -+#endif
43394 -+
43395 -+#ifdef CONFIG_PAX_EMUTRAMP
43396 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
43397 -+ pax_flags |= MF_PAX_EMUTRAMP;
43398 -+#endif
43399 -+
43400 -+#ifdef CONFIG_PAX_MPROTECT
43401 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
43402 -+ pax_flags |= MF_PAX_MPROTECT;
43403 -+#endif
43404 -+
43405 -+#ifdef CONFIG_PAX_ASLR
43406 -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
43407 -+ pax_flags |= MF_PAX_RANDMMAP;
43408 -+#endif
43409 -+
43410 -+ return pax_flags;
43411 -+}
43412 -+#endif
43413 -+
43414 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
43415 -+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
43416 -+{
43417 -+ unsigned long pax_flags = 0UL;
43418 -+
43419 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
43420 -+ unsigned long i;
43421 -+ int found_flags = 0;
43422 -+#endif
43423 -+
43424 -+#ifdef CONFIG_PAX_EI_PAX
43425 -+ pax_flags = pax_parse_ei_pax(elf_ex);
43426 -+#endif
43427 -+
43428 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
43429 -+ for (i = 0UL; i < elf_ex->e_phnum; i++)
43430 -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
43431 -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
43432 -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
43433 -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
43434 -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
43435 -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
43436 -+ return -EINVAL;
43437 -+
43438 -+#ifdef CONFIG_PAX_SOFTMODE
43439 -+ if (pax_softmode)
43440 -+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
43441 -+ else
43442 -+#endif
43443 -+
43444 -+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
43445 -+ found_flags = 1;
43446 -+ break;
43447 -+ }
43448 -+#endif
43449 -+
43450 -+#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
43451 -+ if (found_flags == 0) {
43452 -+ struct elf_phdr phdr;
43453 -+ memset(&phdr, 0, sizeof(phdr));
43454 -+ phdr.p_flags = PF_NOEMUTRAMP;
43455 -+#ifdef CONFIG_PAX_SOFTMODE
43456 -+ if (pax_softmode)
43457 -+ pax_flags = pax_parse_softmode(&phdr);
43458 -+ else
43459 -+#endif
43460 -+ pax_flags = pax_parse_hardmode(&phdr);
43461 -+ }
43462 -+#endif
43463 -+
43464 -+
43465 -+ if (0 > pax_check_flags(&pax_flags))
43466 -+ return -EINVAL;
43467 -+
43468 -+ current->mm->pax_flags = pax_flags;
43469 -+ return 0;
43470 -+}
43471 -+#endif
43472 -+
43473 - /*
43474 - * These are the functions used to load ELF style executables and shared
43475 - * libraries. There is no binary dependent code anywhere else.
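Review bot: In pax_parse_elf_flags(), when both CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS are enabled, the value returned by pax_parse_ei_pax() is overwritten as soon as a PT_PAX_FLAGS header is found, and no comment states that precedence; please document it above the loop. The `else` under CONFIG_PAX_SOFTMODE is also separated from its statement `pax_flags = pax_parse_hardmode(&elf_phdata[i]);` by `#endif` and a blank line, which is easy to break in a later edit. Separately, pax_parse_ei_pax() gates RANDMMAP on CONFIG_PAX_ASLR while the parser ending just above it uses CONFIG_PAX_RANDMMAP || CONFIG_PAX_RANDUSTACK; the two should agree or the difference should be explained.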
43476 -@@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
43477 - {
43478 - unsigned int random_variable = 0;
43479 -
43480 -+#ifdef CONFIG_PAX_RANDUSTACK
43481 -+ if (randomize_va_space)
43482 -+ return stack_top - current->mm->delta_stack;
43483 -+#endif
43484 -+
43485 - if ((current->flags & PF_RANDOMIZE) &&
43486 - !(current->personality & ADDR_NO_RANDOMIZE)) {
43487 - random_variable = get_random_int() & STACK_RND_MASK;
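Review bot: The early return in randomize_stack_top() under CONFIG_PAX_RANDUSTACK depends only on randomize_va_space, so it also bypasses the PF_RANDOMIZE / ADDR_NO_RANDOMIZE path for tasks that do not have MF_PAX_RANDMMAP set. load_elf_binary() in this same patch leaves delta_stack at 0UL for those tasks, so they get `stack_top - 0`; if that is the intended opt-out behaviour, say so in a comment, otherwise test the flag here.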
43488 -@@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
43489 - unsigned long load_addr = 0, load_bias = 0;
43490 - int load_addr_set = 0;
43491 - char * elf_interpreter = NULL;
43492 -- unsigned long error;
43493 -+ unsigned long error = 0;
43494 - struct elf_phdr *elf_ppnt, *elf_phdata;
43495 - unsigned long elf_bss, elf_brk;
43496 - int retval, i;
43497 -@@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
43498 - unsigned long start_code, end_code, start_data, end_data;
43499 - unsigned long reloc_func_desc = 0;
43500 - int executable_stack = EXSTACK_DEFAULT;
43501 -- unsigned long def_flags = 0;
43502 - struct {
43503 - struct elfhdr elf_ex;
43504 - struct elfhdr interp_elf_ex;
43505 - } *loc;
43506 -+ unsigned long pax_task_size = TASK_SIZE;
43507 -
43508 - loc = kmalloc(sizeof(*loc), GFP_KERNEL);
43509 - if (!loc) {
43510 -@@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
43511 -
43512 - /* OK, This is the point of no return */
43513 - current->flags &= ~PF_FORKNOEXEC;
43514 -- current->mm->def_flags = def_flags;
43515 -+
43516 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43517 -+ current->mm->pax_flags = 0UL;
43518 -+#endif
43519 -+
43520 -+#ifdef CONFIG_PAX_DLRESOLVE
43521 -+ current->mm->call_dl_resolve = 0UL;
43522 -+#endif
43523 -+
43524 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43525 -+ current->mm->call_syscall = 0UL;
43526 -+#endif
43527 -+
43528 -+#ifdef CONFIG_PAX_ASLR
43529 -+ current->mm->delta_mmap = 0UL;
43530 -+ current->mm->delta_stack = 0UL;
43531 -+#endif
43532 -+
43533 -+ current->mm->def_flags = 0;
43534 -+
43535 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
43536 -+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
43537 -+ send_sig(SIGKILL, current, 0);
43538 -+ goto out_free_dentry;
43539 -+ }
43540 -+#endif
43541 -+
43542 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
43543 -+ pax_set_initial_flags(bprm);
43544 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
43545 -+ if (pax_set_initial_flags_func)
43546 -+ (pax_set_initial_flags_func)(bprm);
43547 -+#endif
43548 -+
43549 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43550 -+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
43551 -+ current->mm->context.user_cs_limit = PAGE_SIZE;
43552 -+ current->mm->def_flags |= VM_PAGEEXEC;
43553 -+ }
43554 -+#endif
43555 -+
43556 -+#ifdef CONFIG_PAX_SEGMEXEC
43557 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
43558 -+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
43559 -+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
43560 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
43561 -+ }
43562 -+#endif
43563 -+
43564 -+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
43565 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43566 -+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
43567 -+ put_cpu();
43568 -+ }
43569 -+#endif
43570 -
43571 - /* Do this immediately, since STACK_TOP as used in setup_arg_pages
43572 - may depend on the personality. */
43573 - SET_PERSONALITY(loc->elf_ex);
43574 -+
43575 -+#ifdef CONFIG_PAX_ASLR
43576 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
43577 -+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
43578 -+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
43579 -+ }
43580 -+#endif
43581 -+
43582 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43583 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43584 -+ executable_stack = EXSTACK_DISABLE_X;
43585 -+ current->personality &= ~READ_IMPLIES_EXEC;
43586 -+ } else
43587 -+#endif
43588 -+
43589 - if (elf_read_implies_exec(loc->elf_ex, executable_stack))
43590 - current->personality |= READ_IMPLIES_EXEC;
43591 -
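Review bot: The failure branch after pax_parse_elf_flags() sends SIGKILL and jumps to out_free_dentry without assigning retval, whereas the p_memsz check later in this function sets `retval = -EINVAL;` before the same kind of exit; set it here as well. The `} else` placed before `#endif`, which binds to `if (elf_read_implies_exec(...))` across a blank line, deserves a comment or explicit braces.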
43592 -@@ -804,6 +1091,20 @@ static int load_elf_binary(struct linux_
43593 - #else
43594 - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
43595 - #endif
43596 -+
43597 -+#ifdef CONFIG_PAX_RANDMMAP
43598 -+ /* PaX: randomize base address at the default exe base if requested */
43599 -+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
43600 -+#ifdef CONFIG_SPARC64
43601 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
43602 -+#else
43603 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
43604 -+#endif
43605 -+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
43606 -+ elf_flags |= MAP_FIXED;
43607 -+ }
43608 -+#endif
43609 -+
43610 - }
43611 -
43612 - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
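Review bot: The CONFIG_SPARC64 branch shifts the random value by `PAGE_SHIFT+1` while the other branch uses `PAGE_SHIFT`, with no explanation; add a comment stating why SPARC64 needs the extra bit. The existing "PaX: randomize base address" comment could also mention that this path is taken only when elf_interpreter is set and that it forces MAP_FIXED.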
43613 -@@ -836,9 +1137,9 @@ static int load_elf_binary(struct linux_
43614 - * allowed task size. Note that p_filesz must always be
43615 - * <= p_memsz so it is only necessary to check p_memsz.
43616 - */
43617 -- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
43618 -- elf_ppnt->p_memsz > TASK_SIZE ||
43619 -- TASK_SIZE - elf_ppnt->p_memsz < k) {
43620 -+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
43621 -+ elf_ppnt->p_memsz > pax_task_size ||
43622 -+ pax_task_size - elf_ppnt->p_memsz < k) {
43623 - /* set_brk can never work. Avoid overflows. */
43624 - send_sig(SIGKILL, current, 0);
43625 - retval = -EINVAL;
43626 -@@ -866,6 +1167,11 @@ static int load_elf_binary(struct linux_
43627 - start_data += load_bias;
43628 - end_data += load_bias;
43629 -
43630 -+#ifdef CONFIG_PAX_RANDMMAP
43631 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
43632 -+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
43633 -+#endif
43634 -+
43635 - /* Calling set_brk effectively mmaps the pages that we need
43636 - * for the bss and break sections. We must do this before
43637 - * mapping in the interpreter, to make sure it doesn't wind
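Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` carries two undocumented constants: the mask keeps only the sub-page bits of the random value and the `<< 4` scales them to 16-byte steps, so the random part of the gap spans just under 16 pages. A one-line comment giving the intended range and granularity would make this reviewable.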
43638 -@@ -877,9 +1183,11 @@ static int load_elf_binary(struct linux_
43639 - goto out_free_dentry;
43640 - }
43641 - if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
43642 -- send_sig(SIGSEGV, current, 0);
43643 -- retval = -EFAULT; /* Nobody gets to see this, but.. */
43644 -- goto out_free_dentry;
43645 -+ /*
43646 -+ * This bss-zeroing can fail if the ELF
43647 -+ * file specifies odd protections. So
43648 -+ * we don't check the return value
43649 -+ */
43650 - }
43651 -
43652 - if (elf_interpreter) {
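Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that contains only a comment, so padzero() is called purely for its side effect from inside a condition. Call it as a plain statement guarded by `elf_bss != elf_brk` and drop the likely/unlikely wrappers; the comment should also say what state the bss tail is left in when zeroing fails, since the SIGSEGV / -EFAULT exit is removed.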
43653 -@@ -1112,8 +1420,10 @@ static int dump_seek(struct file *file,
43654 - unsigned long n = off;
43655 - if (n > PAGE_SIZE)
43656 - n = PAGE_SIZE;
43657 -- if (!dump_write(file, buf, n))
43658 -+ if (!dump_write(file, buf, n)) {
43659 -+ free_page((unsigned long)buf);
43660 - return 0;
43661 -+ }
43662 - off -= n;
43663 - }
43664 - free_page((unsigned long)buf);
43665 -@@ -1125,7 +1435,7 @@ static int dump_seek(struct file *file,
43666 - * Decide what to dump of a segment, part, all or none.
43667 - */
43668 - static unsigned long vma_dump_size(struct vm_area_struct *vma,
43669 -- unsigned long mm_flags)
43670 -+ unsigned long mm_flags, long signr)
43671 - {
43672 - #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
43673 -
43674 -@@ -1159,7 +1469,7 @@ static unsigned long vma_dump_size(struc
43675 - if (vma->vm_file == NULL)
43676 - return 0;
43677 -
43678 -- if (FILTER(MAPPED_PRIVATE))
43679 -+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
43680 - goto whole;
43681 -
43682 - /*
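Review bot: `signr == SIGKILL ||` in front of FILTER(MAPPED_PRIVATE) makes vma_dump_size() dump every file-backed mapping that reaches this test in full whenever the dump was triggered by SIGKILL, regardless of the MMF_DUMP_* bits in mm_flags, and nothing in the hunk explains why. Add a comment with the reason, and note that this overrides the configured filter, so the core file may contain more file content than the filter would allow.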
43683 -@@ -1255,8 +1565,11 @@ static int writenote(struct memelfnote *
43684 - #undef DUMP_WRITE
43685 -
43686 - #define DUMP_WRITE(addr, nr) \
43687 -+ do { \
43688 -+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
43689 - if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
43690 -- goto end_coredump;
43691 -+ goto end_coredump; \
43692 -+ } while (0);
43693 -
43694 - static void fill_elf_header(struct elfhdr *elf, int segs,
43695 - u16 machine, u32 flags, u8 osabi)
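Review bot: The new DUMP_WRITE ends in `} while (0);`, and the trailing semicolon defeats the do/while(0) idiom: a use such as `if (x) DUMP_WRITE(a, n); else ...` would no longer compile. Drop the semicolon from the macro body and let the call sites supply it.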
43696 -@@ -1385,9 +1698,9 @@ static void fill_auxv_note(struct memelf
43697 - {
43698 - elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
43699 - int i = 0;
43700 -- do
43701 -+ do {
43702 - i += 2;
43703 -- while (auxv[i - 2] != AT_NULL);
43704 -+ } while (auxv[i - 2] != AT_NULL);
43705 - fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
43706 - }
43707 -
43708 -@@ -1973,7 +2286,7 @@ static int elf_core_dump(long signr, str
43709 - phdr.p_offset = offset;
43710 - phdr.p_vaddr = vma->vm_start;
43711 - phdr.p_paddr = 0;
43712 -- phdr.p_filesz = vma_dump_size(vma, mm_flags);
43713 -+ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
43714 - phdr.p_memsz = vma->vm_end - vma->vm_start;
43715 - offset += phdr.p_filesz;
43716 - phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
43717 -@@ -2006,7 +2319,7 @@ static int elf_core_dump(long signr, str
43718 - unsigned long addr;
43719 - unsigned long end;
43720 -
43721 -- end = vma->vm_start + vma_dump_size(vma, mm_flags);
43722 -+ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
43723 -
43724 - for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
43725 - struct page *page;
43726 -@@ -2015,6 +2328,7 @@ static int elf_core_dump(long signr, str
43727 - page = get_dump_page(addr);
43728 - if (page) {
43729 - void *kaddr = kmap(page);
43730 -+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
43731 - stop = ((size += PAGE_SIZE) > limit) ||
43732 - !dump_write(file, kaddr, PAGE_SIZE);
43733 - kunmap(page);
43734 -@@ -2042,6 +2356,97 @@ out:
43735 -
43736 - #endif /* USE_ELF_CORE_DUMP */
43737 -
43738 -+#ifdef CONFIG_PAX_MPROTECT
43739 -+/* PaX: non-PIC ELF libraries need relocations on their executable segments
43740 -+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
43741 -+ * we'll remove VM_MAYWRITE for good on RELRO segments.
43742 -+ *
43743 -+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
43744 -+ * basis because we want to allow the common case and not the special ones.
43745 -+ */
43746 -+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
43747 -+{
43748 -+ struct elfhdr elf_h;
43749 -+ struct elf_phdr elf_p;
43750 -+ unsigned long i;
43751 -+ unsigned long oldflags;
43752 -+ bool is_textrel_rw, is_textrel_rx, is_relro;
43753 -+
43754 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
43755 -+ return;
43756 -+
43757 -+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
43758 -+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
43759 -+
43760 -+#ifdef CONFIG_PAX_ELFRELOCS
43761 -+ /* possible TEXTREL */
43762 -+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
43763 -+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
43764 -+#else
43765 -+ is_textrel_rw = false;
43766 -+ is_textrel_rx = false;
43767 -+#endif
43768 -+
43769 -+ /* possible RELRO */
43770 -+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
43771 -+
43772 -+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
43773 -+ return;
43774 -+
43775 -+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
43776 -+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
43777 -+
43778 -+#ifdef CONFIG_PAX_ETEXECRELOCS
43779 -+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
43780 -+#else
43781 -+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
43782 -+#endif
43783 -+
43784 -+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
43785 -+ !elf_check_arch(&elf_h) ||
43786 -+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
43787 -+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
43788 -+ return;
43789 -+
43790 -+ for (i = 0UL; i < elf_h.e_phnum; i++) {
43791 -+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
43792 -+ return;
43793 -+ switch (elf_p.p_type) {
43794 -+ case PT_DYNAMIC:
43795 -+ if (!is_textrel_rw && !is_textrel_rx)
43796 -+ continue;
43797 -+ i = 0UL;
43798 -+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
43799 -+ elf_dyn dyn;
43800 -+
43801 -+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
43802 -+ return;
43803 -+ if (dyn.d_tag == DT_NULL)
43804 -+ return;
43805 -+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
43806 -+ gr_log_textrel(vma);
43807 -+ if (is_textrel_rw)
43808 -+ vma->vm_flags |= VM_MAYWRITE;
43809 -+ else
43810 -+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
43811 -+ vma->vm_flags &= ~VM_MAYWRITE;
43812 -+ return;
43813 -+ }
43814 -+ i++;
43815 -+ }
43816 -+ return;
43817 -+
43818 -+ case PT_GNU_RELRO:
43819 -+ if (!is_relro)
43820 -+ continue;
43821 -+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
43822 -+ vma->vm_flags &= ~VM_MAYWRITE;
43823 -+ return;
43824 -+ }
43825 -+ }
43826 -+}
43827 -+#endif
43828 -+
43829 - static int __init init_elf_binfmt(void)
43830 - {
43831 - return register_binfmt(&elf_format);
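Review bot: In elf_handle_mprotect() the PT_DYNAMIC case resets `i = 0UL;` and reuses it to walk the dynamic entries, although `i` is also the index of the enclosing program-header loop. This is correct only because every path out of the inner `while` returns; use a separate index so a later change that falls through cannot restart or skip program headers. Minor: "noone" in the comment should be "no one".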
43832 -diff -urNp linux-2.6.32.46/fs/binfmt_flat.c linux-2.6.32.46/fs/binfmt_flat.c
43833 ---- linux-2.6.32.46/fs/binfmt_flat.c 2011-03-27 14:31:47.000000000 -0400
43834 -+++ linux-2.6.32.46/fs/binfmt_flat.c 2011-04-17 15:56:46.000000000 -0400
43835 -@@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
43836 - realdatastart = (unsigned long) -ENOMEM;
43837 - printk("Unable to allocate RAM for process data, errno %d\n",
43838 - (int)-realdatastart);
43839 -+ down_write(&current->mm->mmap_sem);
43840 - do_munmap(current->mm, textpos, text_len);
43841 -+ up_write(&current->mm->mmap_sem);
43842 - ret = realdatastart;
43843 - goto err;
43844 - }
43845 -@@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
43846 - }
43847 - if (IS_ERR_VALUE(result)) {
43848 - printk("Unable to read data+bss, errno %d\n", (int)-result);
43849 -+ down_write(&current->mm->mmap_sem);
43850 - do_munmap(current->mm, textpos, text_len);
43851 - do_munmap(current->mm, realdatastart, data_len + extra);
43852 -+ up_write(&current->mm->mmap_sem);
43853 - ret = result;
43854 - goto err;
43855 - }
43856 -@@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
43857 - }
43858 - if (IS_ERR_VALUE(result)) {
43859 - printk("Unable to read code+data+bss, errno %d\n",(int)-result);
43860 -+ down_write(&current->mm->mmap_sem);
43861 - do_munmap(current->mm, textpos, text_len + data_len + extra +
43862 - MAX_SHARED_LIBS * sizeof(unsigned long));
43863 -+ up_write(&current->mm->mmap_sem);
43864 - ret = result;
43865 - goto err;
43866 - }
43867 -diff -urNp linux-2.6.32.46/fs/bio.c linux-2.6.32.46/fs/bio.c
43868 ---- linux-2.6.32.46/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
43869 -+++ linux-2.6.32.46/fs/bio.c 2011-10-06 09:37:14.000000000 -0400
43870 -@@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
43871 -
43872 - i = 0;
43873 - while (i < bio_slab_nr) {
43874 -- struct bio_slab *bslab = &bio_slabs[i];
43875 -+ bslab = &bio_slabs[i];
43876 -
43877 - if (!bslab->slab && entry == -1)
43878 - entry = i;
43879 -@@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
43880 - const int read = bio_data_dir(bio) == READ;
43881 - struct bio_map_data *bmd = bio->bi_private;
43882 - int i;
43883 -- char *p = bmd->sgvecs[0].iov_base;
43884 -+ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
43885 -
43886 - __bio_for_each_segment(bvec, bio, i, 0) {
43887 - char *addr = page_address(bvec->bv_page);
43888 -diff -urNp linux-2.6.32.46/fs/block_dev.c linux-2.6.32.46/fs/block_dev.c
43889 ---- linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:35:29.000000000 -0400
43890 -+++ linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:34:00.000000000 -0400
43891 -@@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
43892 - else if (bdev->bd_contains == bdev)
43893 - res = 0; /* is a whole device which isn't held */
43894 -
43895 -- else if (bdev->bd_contains->bd_holder == bd_claim)
43896 -+ else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
43897 - res = 0; /* is a partition of a device that is being partitioned */
43898 - else if (bdev->bd_contains->bd_holder != NULL)
43899 - res = -EBUSY; /* is a partition of a held device */
43900 -diff -urNp linux-2.6.32.46/fs/btrfs/ctree.c linux-2.6.32.46/fs/btrfs/ctree.c
43901 ---- linux-2.6.32.46/fs/btrfs/ctree.c 2011-03-27 14:31:47.000000000 -0400
43902 -+++ linux-2.6.32.46/fs/btrfs/ctree.c 2011-04-17 15:56:46.000000000 -0400
43903 -@@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
43904 - free_extent_buffer(buf);
43905 - add_root_to_dirty_list(root);
43906 - } else {
43907 -- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
43908 -- parent_start = parent->start;
43909 -- else
43910 -+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
43911 -+ if (parent)
43912 -+ parent_start = parent->start;
43913 -+ else
43914 -+ parent_start = 0;
43915 -+ } else
43916 - parent_start = 0;
43917 -
43918 - WARN_ON(trans->transid != btrfs_header_generation(parent));
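Review bot: The added `if (parent)` guard implies parent can be NULL in this branch, yet the unchanged `WARN_ON(trans->transid != btrfs_header_generation(parent));` right after it still passes parent unguarded. Either guard that use too or drop the new check; and since both fallbacks assign 0, the condition can be written as a single test on `BTRFS_TREE_RELOC_OBJECTID && parent`.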
43919 -@@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
43920 -
43921 - ret = 0;
43922 - if (slot == 0) {
43923 -- struct btrfs_disk_key disk_key;
43924 - btrfs_cpu_key_to_disk(&disk_key, cpu_key);
43925 - ret = fixup_low_keys(trans, root, path, &disk_key, 1);
43926 - }
43927 -diff -urNp linux-2.6.32.46/fs/btrfs/disk-io.c linux-2.6.32.46/fs/btrfs/disk-io.c
43928 ---- linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:00:52.000000000 -0400
43929 -+++ linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:03:11.000000000 -0400
43930 -@@ -39,7 +39,7 @@
43931 - #include "tree-log.h"
43932 - #include "free-space-cache.h"
43933 -
43934 --static struct extent_io_ops btree_extent_io_ops;
43935 -+static const struct extent_io_ops btree_extent_io_ops;
43936 - static void end_workqueue_fn(struct btrfs_work *work);
43937 - static void free_fs_root(struct btrfs_root *root);
43938 -
43939 -@@ -2607,7 +2607,7 @@ out:
43940 - return 0;
43941 - }
43942 -
43943 --static struct extent_io_ops btree_extent_io_ops = {
43944 -+static const struct extent_io_ops btree_extent_io_ops = {
43945 - .write_cache_pages_lock_hook = btree_lock_page_hook,
43946 - .readpage_end_io_hook = btree_readpage_end_io_hook,
43947 - .submit_bio_hook = btree_submit_bio_hook,
43948 -diff -urNp linux-2.6.32.46/fs/btrfs/extent-tree.c linux-2.6.32.46/fs/btrfs/extent-tree.c
43949 ---- linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
43950 -+++ linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
43951 -@@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
43952 - u64 group_start = group->key.objectid;
43953 - new_extents = kmalloc(sizeof(*new_extents),
43954 - GFP_NOFS);
43955 -+ if (!new_extents) {
43956 -+ ret = -ENOMEM;
43957 -+ goto out;
43958 -+ }
43959 - nr_extents = 1;
43960 - ret = get_new_locations(reloc_inode,
43961 - extent_key,
43962 -diff -urNp linux-2.6.32.46/fs/btrfs/extent_io.h linux-2.6.32.46/fs/btrfs/extent_io.h
43963 ---- linux-2.6.32.46/fs/btrfs/extent_io.h 2011-03-27 14:31:47.000000000 -0400
43964 -+++ linux-2.6.32.46/fs/btrfs/extent_io.h 2011-04-17 15:56:46.000000000 -0400
43965 -@@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
43966 - struct bio *bio, int mirror_num,
43967 - unsigned long bio_flags);
43968 - struct extent_io_ops {
43969 -- int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
43970 -+ int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
43971 - u64 start, u64 end, int *page_started,
43972 - unsigned long *nr_written);
43973 -- int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
43974 -- int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
43975 -+ int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
43976 -+ int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
43977 - extent_submit_bio_hook_t *submit_bio_hook;
43978 -- int (*merge_bio_hook)(struct page *page, unsigned long offset,
43979 -+ int (* const merge_bio_hook)(struct page *page, unsigned long offset,
43980 - size_t size, struct bio *bio,
43981 - unsigned long bio_flags);
43982 -- int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
43983 -- int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
43984 -+ int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
43985 -+ int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
43986 - u64 start, u64 end,
43987 - struct extent_state *state);
43988 -- int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
43989 -+ int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
43990 - u64 start, u64 end,
43991 - struct extent_state *state);
43992 -- int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
43993 -+ int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
43994 - struct extent_state *state);
43995 -- int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
43996 -+ int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
43997 - struct extent_state *state, int uptodate);
43998 -- int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
43999 -+ int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
44000 - unsigned long old, unsigned long bits);
44001 -- int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44002 -+ int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44003 - unsigned long bits);
44004 -- int (*merge_extent_hook)(struct inode *inode,
44005 -+ int (* const merge_extent_hook)(struct inode *inode,
44006 - struct extent_state *new,
44007 - struct extent_state *other);
44008 -- int (*split_extent_hook)(struct inode *inode,
44009 -+ int (* const split_extent_hook)(struct inode *inode,
44010 - struct extent_state *orig, u64 split);
44011 -- int (*write_cache_pages_lock_hook)(struct page *page);
44012 -+ int (* const write_cache_pages_lock_hook)(struct page *page);
44013 - };
44014 -
44015 - struct extent_io_tree {
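Review bot: Every function-pointer member of struct extent_io_ops gains `* const` except `extent_submit_bio_hook_t *submit_bio_hook;`, which is left as it was. If per-member const is wanted, apply it there as well; since the instances and the `ops` pointer in extent_io_tree become `const struct extent_io_ops` in this same patch, the member-level const adds little and could be dropped for a smaller diff.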
44016 -@@ -88,7 +88,7 @@ struct extent_io_tree {
44017 - u64 dirty_bytes;
44018 - spinlock_t lock;
44019 - spinlock_t buffer_lock;
44020 -- struct extent_io_ops *ops;
44021 -+ const struct extent_io_ops *ops;
44022 - };
44023 -
44024 - struct extent_state {
44025 -diff -urNp linux-2.6.32.46/fs/btrfs/free-space-cache.c linux-2.6.32.46/fs/btrfs/free-space-cache.c
44026 ---- linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
44027 -+++ linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
44028 -@@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44029 -
44030 - while(1) {
44031 - if (entry->bytes < bytes || entry->offset < min_start) {
44032 -- struct rb_node *node;
44033 --
44034 - node = rb_next(&entry->offset_index);
44035 - if (!node)
44036 - break;
44037 -@@ -1226,7 +1224,7 @@ again:
44038 - */
44039 - while (entry->bitmap || found_bitmap ||
44040 - (!entry->bitmap && entry->bytes < min_bytes)) {
44041 -- struct rb_node *node = rb_next(&entry->offset_index);
44042 -+ node = rb_next(&entry->offset_index);
44043 -
44044 - if (entry->bitmap && entry->bytes > bytes + empty_size) {
44045 - ret = btrfs_bitmap_cluster(block_group, entry, cluster,
44046 -diff -urNp linux-2.6.32.46/fs/btrfs/inode.c linux-2.6.32.46/fs/btrfs/inode.c
44047 ---- linux-2.6.32.46/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
44048 -+++ linux-2.6.32.46/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
44049 -@@ -63,7 +63,7 @@ static const struct inode_operations btr
44050 - static const struct address_space_operations btrfs_aops;
44051 - static const struct address_space_operations btrfs_symlink_aops;
44052 - static const struct file_operations btrfs_dir_file_operations;
44053 --static struct extent_io_ops btrfs_extent_io_ops;
44054 -+static const struct extent_io_ops btrfs_extent_io_ops;
44055 -
44056 - static struct kmem_cache *btrfs_inode_cachep;
44057 - struct kmem_cache *btrfs_trans_handle_cachep;
44058 -@@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
44059 - 1, 0, NULL, GFP_NOFS);
44060 - while (start < end) {
44061 - async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
44062 -+ BUG_ON(!async_cow);
44063 - async_cow->inode = inode;
44064 - async_cow->root = root;
44065 - async_cow->locked_page = locked_page;
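Review bot: `BUG_ON(!async_cow);` turns a failed GFP_NOFS allocation in cow_file_range_async() into a kernel BUG rather than an error return. The uncompress_inline() hunk below handles the same condition with `return -ENOMEM;`; prefer an error path here too, or explain in a comment why unwinding is not possible at this point.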
44066 -@@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
44067 - inline_size = btrfs_file_extent_inline_item_len(leaf,
44068 - btrfs_item_nr(leaf, path->slots[0]));
44069 - tmp = kmalloc(inline_size, GFP_NOFS);
44070 -+ if (!tmp)
44071 -+ return -ENOMEM;
44072 - ptr = btrfs_file_extent_inline_start(item);
44073 -
44074 - read_extent_buffer(leaf, tmp, ptr, inline_size);
44075 -@@ -5410,7 +5413,7 @@ fail:
44076 - return -ENOMEM;
44077 - }
44078 -
44079 --static int btrfs_getattr(struct vfsmount *mnt,
44080 -+int btrfs_getattr(struct vfsmount *mnt,
44081 - struct dentry *dentry, struct kstat *stat)
44082 - {
44083 - struct inode *inode = dentry->d_inode;
44084 -@@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
44085 - return 0;
44086 - }
44087 -
44088 -+EXPORT_SYMBOL(btrfs_getattr);
44089 -+
44090 -+dev_t get_btrfs_dev_from_inode(struct inode *inode)
44091 -+{
44092 -+ return BTRFS_I(inode)->root->anon_super.s_dev;
44093 -+}
44094 -+EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44095 -+
44096 - static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
44097 - struct inode *new_dir, struct dentry *new_dentry)
44098 - {
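Review bot: btrfs_getattr() loses `static` and is exported together with the new get_btrfs_dev_from_inode(), but this hunk adds no declaration in a header and no comment naming the caller outside btrfs. Add the prototypes to a header that the consumer includes and a short comment on who uses them, so the exports are not dropped as unused later.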
44099 -@@ -5972,7 +5983,7 @@ static const struct file_operations btrf
44100 - .fsync = btrfs_sync_file,
44101 - };
44102 -
44103 --static struct extent_io_ops btrfs_extent_io_ops = {
44104 -+static const struct extent_io_ops btrfs_extent_io_ops = {
44105 - .fill_delalloc = run_delalloc_range,
44106 - .submit_bio_hook = btrfs_submit_bio_hook,
44107 - .merge_bio_hook = btrfs_merge_bio_hook,
44108 -diff -urNp linux-2.6.32.46/fs/btrfs/relocation.c linux-2.6.32.46/fs/btrfs/relocation.c
44109 ---- linux-2.6.32.46/fs/btrfs/relocation.c 2011-03-27 14:31:47.000000000 -0400
44110 -+++ linux-2.6.32.46/fs/btrfs/relocation.c 2011-04-17 15:56:46.000000000 -0400
44111 -@@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
44112 - }
44113 - spin_unlock(&rc->reloc_root_tree.lock);
44114 -
44115 -- BUG_ON((struct btrfs_root *)node->data != root);
44116 -+ BUG_ON(!node || (struct btrfs_root *)node->data != root);
44117 -
44118 - if (!del) {
44119 - spin_lock(&rc->reloc_root_tree.lock);
44120 -diff -urNp linux-2.6.32.46/fs/btrfs/sysfs.c linux-2.6.32.46/fs/btrfs/sysfs.c
44121 ---- linux-2.6.32.46/fs/btrfs/sysfs.c 2011-03-27 14:31:47.000000000 -0400
44122 -+++ linux-2.6.32.46/fs/btrfs/sysfs.c 2011-04-17 15:56:46.000000000 -0400
44123 -@@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
44124 - complete(&root->kobj_unregister);
44125 - }
44126 -
44127 --static struct sysfs_ops btrfs_super_attr_ops = {
44128 -+static const struct sysfs_ops btrfs_super_attr_ops = {
44129 - .show = btrfs_super_attr_show,
44130 - .store = btrfs_super_attr_store,
44131 - };
44132 -
44133 --static struct sysfs_ops btrfs_root_attr_ops = {
44134 -+static const struct sysfs_ops btrfs_root_attr_ops = {
44135 - .show = btrfs_root_attr_show,
44136 - .store = btrfs_root_attr_store,
44137 - };
44138 -diff -urNp linux-2.6.32.46/fs/buffer.c linux-2.6.32.46/fs/buffer.c
44139 ---- linux-2.6.32.46/fs/buffer.c 2011-03-27 14:31:47.000000000 -0400
44140 -+++ linux-2.6.32.46/fs/buffer.c 2011-04-17 15:56:46.000000000 -0400
44141 -@@ -25,6 +25,7 @@
44142 - #include <linux/percpu.h>
44143 - #include <linux/slab.h>
44144 - #include <linux/capability.h>
44145 -+#include <linux/security.h>
44146 - #include <linux/blkdev.h>
44147 - #include <linux/file.h>
44148 - #include <linux/quotaops.h>
44149 -diff -urNp linux-2.6.32.46/fs/cachefiles/bind.c linux-2.6.32.46/fs/cachefiles/bind.c
44150 ---- linux-2.6.32.46/fs/cachefiles/bind.c 2011-03-27 14:31:47.000000000 -0400
44151 -+++ linux-2.6.32.46/fs/cachefiles/bind.c 2011-04-17 15:56:46.000000000 -0400
44152 -@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44153 - args);
44154 -
44155 - /* start by checking things over */
44156 -- ASSERT(cache->fstop_percent >= 0 &&
44157 -- cache->fstop_percent < cache->fcull_percent &&
44158 -+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
44159 - cache->fcull_percent < cache->frun_percent &&
44160 - cache->frun_percent < 100);
44161 -
44162 -- ASSERT(cache->bstop_percent >= 0 &&
44163 -- cache->bstop_percent < cache->bcull_percent &&
44164 -+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
44165 - cache->bcull_percent < cache->brun_percent &&
44166 - cache->brun_percent < 100);
44167 -
44168 -diff -urNp linux-2.6.32.46/fs/cachefiles/daemon.c linux-2.6.32.46/fs/cachefiles/daemon.c
44169 ---- linux-2.6.32.46/fs/cachefiles/daemon.c 2011-03-27 14:31:47.000000000 -0400
44170 -+++ linux-2.6.32.46/fs/cachefiles/daemon.c 2011-04-17 15:56:46.000000000 -0400
44171 -@@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
44172 - if (test_bit(CACHEFILES_DEAD, &cache->flags))
44173 - return -EIO;
44174 -
44175 -- if (datalen < 0 || datalen > PAGE_SIZE - 1)
44176 -+ if (datalen > PAGE_SIZE - 1)
44177 - return -EOPNOTSUPP;
44178 -
44179 - /* drag the command string into the kernel so we can parse it */
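Review bot: the `datalen < 0` test is dropped from the length check that guards the copy of the command string into the kernel, but the declaration of `datalen` is outside the hunk. The removal is only safe if `datalen` is an unsigned size. State that assumption in the changelog or a comment so the remaining `datalen > PAGE_SIZE - 1` test is clearly the complete bound.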
44180 -@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
44181 - if (args[0] != '%' || args[1] != '\0')
44182 - return -EINVAL;
44183 -
44184 -- if (fstop < 0 || fstop >= cache->fcull_percent)
44185 -+ if (fstop >= cache->fcull_percent)
44186 - return cachefiles_daemon_range_error(cache, args);
44187 -
44188 - cache->fstop_percent = fstop;
44189 -@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
44190 - if (args[0] != '%' || args[1] != '\0')
44191 - return -EINVAL;
44192 -
44193 -- if (bstop < 0 || bstop >= cache->bcull_percent)
44194 -+ if (bstop >= cache->bcull_percent)
44195 - return cachefiles_daemon_range_error(cache, args);
44196 -
44197 - cache->bstop_percent = bstop;
44198 -diff -urNp linux-2.6.32.46/fs/cachefiles/internal.h linux-2.6.32.46/fs/cachefiles/internal.h
44199 ---- linux-2.6.32.46/fs/cachefiles/internal.h 2011-03-27 14:31:47.000000000 -0400
44200 -+++ linux-2.6.32.46/fs/cachefiles/internal.h 2011-05-04 17:56:28.000000000 -0400
44201 -@@ -56,7 +56,7 @@ struct cachefiles_cache {
44202 - wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44203 - struct rb_root active_nodes; /* active nodes (can't be culled) */
44204 - rwlock_t active_lock; /* lock for active_nodes */
44205 -- atomic_t gravecounter; /* graveyard uniquifier */
44206 -+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44207 - unsigned frun_percent; /* when to stop culling (% files) */
44208 - unsigned fcull_percent; /* when to start culling (% files) */
44209 - unsigned fstop_percent; /* when to stop allocating (% files) */
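Review bot: `gravecounter` becomes `atomic_unchecked_t` with nothing recording why overflow is acceptable. The existing comment calls it a graveyard uniquifier, so it is not a reference count and a wrap looks harmless, but that reasoning should sit next to the field so the unchecked type is not later mistaken for an oversight.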
44210 -@@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
44211 - * proc.c
44212 - */
44213 - #ifdef CONFIG_CACHEFILES_HISTOGRAM
44214 --extern atomic_t cachefiles_lookup_histogram[HZ];
44215 --extern atomic_t cachefiles_mkdir_histogram[HZ];
44216 --extern atomic_t cachefiles_create_histogram[HZ];
44217 -+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44218 -+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44219 -+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44220 -
44221 - extern int __init cachefiles_proc_init(void);
44222 - extern void cachefiles_proc_cleanup(void);
44223 - static inline
44224 --void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44225 -+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44226 - {
44227 - unsigned long jif = jiffies - start_jif;
44228 - if (jif >= HZ)
44229 - jif = HZ - 1;
44230 -- atomic_inc(&histogram[jif]);
44231 -+ atomic_inc_unchecked(&histogram[jif]);
44232 - }
44233 -
44234 - #else
44235 -diff -urNp linux-2.6.32.46/fs/cachefiles/namei.c linux-2.6.32.46/fs/cachefiles/namei.c
44236 ---- linux-2.6.32.46/fs/cachefiles/namei.c 2011-03-27 14:31:47.000000000 -0400
44237 -+++ linux-2.6.32.46/fs/cachefiles/namei.c 2011-05-04 17:56:28.000000000 -0400
44238 -@@ -250,7 +250,7 @@ try_again:
44239 - /* first step is to make up a grave dentry in the graveyard */
44240 - sprintf(nbuffer, "%08x%08x",
44241 - (uint32_t) get_seconds(),
44242 -- (uint32_t) atomic_inc_return(&cache->gravecounter));
44243 -+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44244 -
44245 - /* do the multiway lock magic */
44246 - trap = lock_rename(cache->graveyard, dir);
44247 -diff -urNp linux-2.6.32.46/fs/cachefiles/proc.c linux-2.6.32.46/fs/cachefiles/proc.c
44248 ---- linux-2.6.32.46/fs/cachefiles/proc.c 2011-03-27 14:31:47.000000000 -0400
44249 -+++ linux-2.6.32.46/fs/cachefiles/proc.c 2011-05-04 17:56:28.000000000 -0400
44250 -@@ -14,9 +14,9 @@
44251 - #include <linux/seq_file.h>
44252 - #include "internal.h"
44253 -
44254 --atomic_t cachefiles_lookup_histogram[HZ];
44255 --atomic_t cachefiles_mkdir_histogram[HZ];
44256 --atomic_t cachefiles_create_histogram[HZ];
44257 -+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44258 -+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44259 -+atomic_unchecked_t cachefiles_create_histogram[HZ];
44260 -
44261 - /*
44262 - * display the latency histogram
44263 -@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44264 - return 0;
44265 - default:
44266 - index = (unsigned long) v - 3;
44267 -- x = atomic_read(&cachefiles_lookup_histogram[index]);
44268 -- y = atomic_read(&cachefiles_mkdir_histogram[index]);
44269 -- z = atomic_read(&cachefiles_create_histogram[index]);
44270 -+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44271 -+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44272 -+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44273 - if (x == 0 && y == 0 && z == 0)
44274 - return 0;
44275 -
44276 -diff -urNp linux-2.6.32.46/fs/cachefiles/rdwr.c linux-2.6.32.46/fs/cachefiles/rdwr.c
44277 ---- linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
44278 -+++ linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-10-06 09:37:14.000000000 -0400
44279 -@@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
44280 - old_fs = get_fs();
44281 - set_fs(KERNEL_DS);
44282 - ret = file->f_op->write(
44283 -- file, (const void __user *) data, len, &pos);
44284 -+ file, (const void __force_user *) data, len, &pos);
44285 - set_fs(old_fs);
44286 - kunmap(page);
44287 - if (ret != len)
44288 -diff -urNp linux-2.6.32.46/fs/cifs/cifs_debug.c linux-2.6.32.46/fs/cifs/cifs_debug.c
44289 ---- linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-03-27 14:31:47.000000000 -0400
44290 -+++ linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-05-04 17:56:28.000000000 -0400
44291 -@@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
44292 - tcon = list_entry(tmp3,
44293 - struct cifsTconInfo,
44294 - tcon_list);
44295 -- atomic_set(&tcon->num_smbs_sent, 0);
44296 -- atomic_set(&tcon->num_writes, 0);
44297 -- atomic_set(&tcon->num_reads, 0);
44298 -- atomic_set(&tcon->num_oplock_brks, 0);
44299 -- atomic_set(&tcon->num_opens, 0);
44300 -- atomic_set(&tcon->num_posixopens, 0);
44301 -- atomic_set(&tcon->num_posixmkdirs, 0);
44302 -- atomic_set(&tcon->num_closes, 0);
44303 -- atomic_set(&tcon->num_deletes, 0);
44304 -- atomic_set(&tcon->num_mkdirs, 0);
44305 -- atomic_set(&tcon->num_rmdirs, 0);
44306 -- atomic_set(&tcon->num_renames, 0);
44307 -- atomic_set(&tcon->num_t2renames, 0);
44308 -- atomic_set(&tcon->num_ffirst, 0);
44309 -- atomic_set(&tcon->num_fnext, 0);
44310 -- atomic_set(&tcon->num_fclose, 0);
44311 -- atomic_set(&tcon->num_hardlinks, 0);
44312 -- atomic_set(&tcon->num_symlinks, 0);
44313 -- atomic_set(&tcon->num_locks, 0);
44314 -+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
44315 -+ atomic_set_unchecked(&tcon->num_writes, 0);
44316 -+ atomic_set_unchecked(&tcon->num_reads, 0);
44317 -+ atomic_set_unchecked(&tcon->num_oplock_brks, 0);
44318 -+ atomic_set_unchecked(&tcon->num_opens, 0);
44319 -+ atomic_set_unchecked(&tcon->num_posixopens, 0);
44320 -+ atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
44321 -+ atomic_set_unchecked(&tcon->num_closes, 0);
44322 -+ atomic_set_unchecked(&tcon->num_deletes, 0);
44323 -+ atomic_set_unchecked(&tcon->num_mkdirs, 0);
44324 -+ atomic_set_unchecked(&tcon->num_rmdirs, 0);
44325 -+ atomic_set_unchecked(&tcon->num_renames, 0);
44326 -+ atomic_set_unchecked(&tcon->num_t2renames, 0);
44327 -+ atomic_set_unchecked(&tcon->num_ffirst, 0);
44328 -+ atomic_set_unchecked(&tcon->num_fnext, 0);
44329 -+ atomic_set_unchecked(&tcon->num_fclose, 0);
44330 -+ atomic_set_unchecked(&tcon->num_hardlinks, 0);
44331 -+ atomic_set_unchecked(&tcon->num_symlinks, 0);
44332 -+ atomic_set_unchecked(&tcon->num_locks, 0);
44333 - }
44334 - }
44335 - }
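Review bot: the reset list in cifs_stats_proc_write skips `num_flushes`, `num_acl_get` and `num_acl_set`, although all three are fields of `struct cifsTconInfo` in the cifsglob.h hunk and `num_flushes` is printed by cifs_stats_proc_show. The omission is already present in the removed lines, so this conversion does not introduce it, but since every line of the block is being touched anyway, either add the missing resets or note that they are left out on purpose.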
44336 -@@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
44337 - if (tcon->need_reconnect)
44338 - seq_puts(m, "\tDISCONNECTED ");
44339 - seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
44340 -- atomic_read(&tcon->num_smbs_sent),
44341 -- atomic_read(&tcon->num_oplock_brks));
44342 -+ atomic_read_unchecked(&tcon->num_smbs_sent),
44343 -+ atomic_read_unchecked(&tcon->num_oplock_brks));
44344 - seq_printf(m, "\nReads: %d Bytes: %lld",
44345 -- atomic_read(&tcon->num_reads),
44346 -+ atomic_read_unchecked(&tcon->num_reads),
44347 - (long long)(tcon->bytes_read));
44348 - seq_printf(m, "\nWrites: %d Bytes: %lld",
44349 -- atomic_read(&tcon->num_writes),
44350 -+ atomic_read_unchecked(&tcon->num_writes),
44351 - (long long)(tcon->bytes_written));
44352 - seq_printf(m, "\nFlushes: %d",
44353 -- atomic_read(&tcon->num_flushes));
44354 -+ atomic_read_unchecked(&tcon->num_flushes));
44355 - seq_printf(m, "\nLocks: %d HardLinks: %d "
44356 - "Symlinks: %d",
44357 -- atomic_read(&tcon->num_locks),
44358 -- atomic_read(&tcon->num_hardlinks),
44359 -- atomic_read(&tcon->num_symlinks));
44360 -+ atomic_read_unchecked(&tcon->num_locks),
44361 -+ atomic_read_unchecked(&tcon->num_hardlinks),
44362 -+ atomic_read_unchecked(&tcon->num_symlinks));
44363 - seq_printf(m, "\nOpens: %d Closes: %d "
44364 - "Deletes: %d",
44365 -- atomic_read(&tcon->num_opens),
44366 -- atomic_read(&tcon->num_closes),
44367 -- atomic_read(&tcon->num_deletes));
44368 -+ atomic_read_unchecked(&tcon->num_opens),
44369 -+ atomic_read_unchecked(&tcon->num_closes),
44370 -+ atomic_read_unchecked(&tcon->num_deletes));
44371 - seq_printf(m, "\nPosix Opens: %d "
44372 - "Posix Mkdirs: %d",
44373 -- atomic_read(&tcon->num_posixopens),
44374 -- atomic_read(&tcon->num_posixmkdirs));
44375 -+ atomic_read_unchecked(&tcon->num_posixopens),
44376 -+ atomic_read_unchecked(&tcon->num_posixmkdirs));
44377 - seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
44378 -- atomic_read(&tcon->num_mkdirs),
44379 -- atomic_read(&tcon->num_rmdirs));
44380 -+ atomic_read_unchecked(&tcon->num_mkdirs),
44381 -+ atomic_read_unchecked(&tcon->num_rmdirs));
44382 - seq_printf(m, "\nRenames: %d T2 Renames %d",
44383 -- atomic_read(&tcon->num_renames),
44384 -- atomic_read(&tcon->num_t2renames));
44385 -+ atomic_read_unchecked(&tcon->num_renames),
44386 -+ atomic_read_unchecked(&tcon->num_t2renames));
44387 - seq_printf(m, "\nFindFirst: %d FNext %d "
44388 - "FClose %d",
44389 -- atomic_read(&tcon->num_ffirst),
44390 -- atomic_read(&tcon->num_fnext),
44391 -- atomic_read(&tcon->num_fclose));
44392 -+ atomic_read_unchecked(&tcon->num_ffirst),
44393 -+ atomic_read_unchecked(&tcon->num_fnext),
44394 -+ atomic_read_unchecked(&tcon->num_fclose));
44395 - }
44396 - }
44397 - }
44398 -diff -urNp linux-2.6.32.46/fs/cifs/cifsfs.c linux-2.6.32.46/fs/cifs/cifsfs.c
44399 ---- linux-2.6.32.46/fs/cifs/cifsfs.c 2011-03-27 14:31:47.000000000 -0400
44400 -+++ linux-2.6.32.46/fs/cifs/cifsfs.c 2011-08-25 17:17:57.000000000 -0400
44401 -@@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
44402 - cifs_req_cachep = kmem_cache_create("cifs_request",
44403 - CIFSMaxBufSize +
44404 - MAX_CIFS_HDR_SIZE, 0,
44405 -- SLAB_HWCACHE_ALIGN, NULL);
44406 -+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
44407 - if (cifs_req_cachep == NULL)
44408 - return -ENOMEM;
44409 -
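Review bot: adding `SLAB_USERCOPY` to the `cifs_request` cache whitelists every object in it for copies to and from userspace, and nothing here names the code path that needs that. The same applies to `cifs_small_rq` in the next hunk. A short comment pointing at the user-copy call site would let a reader check that the whitelist is required and not just convenient.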
44410 -@@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
44411 - efficient to alloc 1 per page off the slab compared to 17K (5page)
44412 - alloc of large cifs buffers even when page debugging is on */
44413 - cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
44414 -- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
44415 -+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
44416 - NULL);
44417 - if (cifs_sm_req_cachep == NULL) {
44418 - mempool_destroy(cifs_req_poolp);
44419 -@@ -991,8 +991,8 @@ init_cifs(void)
44420 - atomic_set(&bufAllocCount, 0);
44421 - atomic_set(&smBufAllocCount, 0);
44422 - #ifdef CONFIG_CIFS_STATS2
44423 -- atomic_set(&totBufAllocCount, 0);
44424 -- atomic_set(&totSmBufAllocCount, 0);
44425 -+ atomic_set_unchecked(&totBufAllocCount, 0);
44426 -+ atomic_set_unchecked(&totSmBufAllocCount, 0);
44427 - #endif /* CONFIG_CIFS_STATS2 */
44428 -
44429 - atomic_set(&midCount, 0);
44430 -diff -urNp linux-2.6.32.46/fs/cifs/cifsglob.h linux-2.6.32.46/fs/cifs/cifsglob.h
44431 ---- linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-09 18:35:29.000000000 -0400
44432 -+++ linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-25 17:17:57.000000000 -0400
44433 -@@ -252,28 +252,28 @@ struct cifsTconInfo {
44434 - __u16 Flags; /* optional support bits */
44435 - enum statusEnum tidStatus;
44436 - #ifdef CONFIG_CIFS_STATS
44437 -- atomic_t num_smbs_sent;
44438 -- atomic_t num_writes;
44439 -- atomic_t num_reads;
44440 -- atomic_t num_flushes;
44441 -- atomic_t num_oplock_brks;
44442 -- atomic_t num_opens;
44443 -- atomic_t num_closes;
44444 -- atomic_t num_deletes;
44445 -- atomic_t num_mkdirs;
44446 -- atomic_t num_posixopens;
44447 -- atomic_t num_posixmkdirs;
44448 -- atomic_t num_rmdirs;
44449 -- atomic_t num_renames;
44450 -- atomic_t num_t2renames;
44451 -- atomic_t num_ffirst;
44452 -- atomic_t num_fnext;
44453 -- atomic_t num_fclose;
44454 -- atomic_t num_hardlinks;
44455 -- atomic_t num_symlinks;
44456 -- atomic_t num_locks;
44457 -- atomic_t num_acl_get;
44458 -- atomic_t num_acl_set;
44459 -+ atomic_unchecked_t num_smbs_sent;
44460 -+ atomic_unchecked_t num_writes;
44461 -+ atomic_unchecked_t num_reads;
44462 -+ atomic_unchecked_t num_flushes;
44463 -+ atomic_unchecked_t num_oplock_brks;
44464 -+ atomic_unchecked_t num_opens;
44465 -+ atomic_unchecked_t num_closes;
44466 -+ atomic_unchecked_t num_deletes;
44467 -+ atomic_unchecked_t num_mkdirs;
44468 -+ atomic_unchecked_t num_posixopens;
44469 -+ atomic_unchecked_t num_posixmkdirs;
44470 -+ atomic_unchecked_t num_rmdirs;
44471 -+ atomic_unchecked_t num_renames;
44472 -+ atomic_unchecked_t num_t2renames;
44473 -+ atomic_unchecked_t num_ffirst;
44474 -+ atomic_unchecked_t num_fnext;
44475 -+ atomic_unchecked_t num_fclose;
44476 -+ atomic_unchecked_t num_hardlinks;
44477 -+ atomic_unchecked_t num_symlinks;
44478 -+ atomic_unchecked_t num_locks;
44479 -+ atomic_unchecked_t num_acl_get;
44480 -+ atomic_unchecked_t num_acl_set;
44481 - #ifdef CONFIG_CIFS_STATS2
44482 - unsigned long long time_writes;
44483 - unsigned long long time_reads;
44484 -@@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
44485 - }
44486 -
44487 - #ifdef CONFIG_CIFS_STATS
44488 --#define cifs_stats_inc atomic_inc
44489 -+#define cifs_stats_inc atomic_inc_unchecked
44490 -
44491 - static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
44492 - unsigned int bytes)
44493 -@@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
44494 - /* Various Debug counters */
44495 - GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
44496 - #ifdef CONFIG_CIFS_STATS2
44497 --GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
44498 --GLOBAL_EXTERN atomic_t totSmBufAllocCount;
44499 -+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
44500 -+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
44501 - #endif
44502 - GLOBAL_EXTERN atomic_t smBufAllocCount;
44503 - GLOBAL_EXTERN atomic_t midCount;
44504 -diff -urNp linux-2.6.32.46/fs/cifs/cifssmb.c linux-2.6.32.46/fs/cifs/cifssmb.c
44505 ---- linux-2.6.32.46/fs/cifs/cifssmb.c 2011-03-27 14:31:47.000000000 -0400
44506 -+++ linux-2.6.32.46/fs/cifs/cifssmb.c 2011-10-17 02:36:33.000000000 -0400
44507 -@@ -3596,7 +3596,8 @@ int CIFSFindNext(const int xid, struct c
44508 - T2_FNEXT_RSP_PARMS *parms;
44509 - char *response_data;
44510 - int rc = 0;
44511 -- int bytes_returned, name_len;
44512 -+ int bytes_returned;
44513 -+ unsigned int name_len;
44514 - __u16 params, byte_count;
44515 -
44516 - cFYI(1, ("In FindNext"));
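Review bot: `name_len` changes from `int` to `unsigned int`, which alters every comparison and error test on it in the body of CIFSFindNext, none of which is visible in this hunk. Confirm that no remaining code relies on a negative `name_len` as an error indicator (for example a `name_len < 0` test), and mention in the changelog which length comparison the signedness change is meant to harden.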
44517 -diff -urNp linux-2.6.32.46/fs/cifs/link.c linux-2.6.32.46/fs/cifs/link.c
44518 ---- linux-2.6.32.46/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
44519 -+++ linux-2.6.32.46/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
44520 -@@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
44521 -
44522 - void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
44523 - {
44524 -- char *p = nd_get_link(nd);
44525 -+ const char *p = nd_get_link(nd);
44526 - if (!IS_ERR(p))
44527 - kfree(p);
44528 - }
44529 -diff -urNp linux-2.6.32.46/fs/cifs/misc.c linux-2.6.32.46/fs/cifs/misc.c
44530 ---- linux-2.6.32.46/fs/cifs/misc.c 2011-03-27 14:31:47.000000000 -0400
44531 -+++ linux-2.6.32.46/fs/cifs/misc.c 2011-08-25 17:17:57.000000000 -0400
44532 -@@ -155,7 +155,7 @@ cifs_buf_get(void)
44533 - memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
44534 - atomic_inc(&bufAllocCount);
44535 - #ifdef CONFIG_CIFS_STATS2
44536 -- atomic_inc(&totBufAllocCount);
44537 -+ atomic_inc_unchecked(&totBufAllocCount);
44538 - #endif /* CONFIG_CIFS_STATS2 */
44539 - }
44540 -
44541 -@@ -190,7 +190,7 @@ cifs_small_buf_get(void)
44542 - /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
44543 - atomic_inc(&smBufAllocCount);
44544 - #ifdef CONFIG_CIFS_STATS2
44545 -- atomic_inc(&totSmBufAllocCount);
44546 -+ atomic_inc_unchecked(&totSmBufAllocCount);
44547 - #endif /* CONFIG_CIFS_STATS2 */
44548 -
44549 - }
44550 -diff -urNp linux-2.6.32.46/fs/coda/cache.c linux-2.6.32.46/fs/coda/cache.c
44551 ---- linux-2.6.32.46/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
44552 -+++ linux-2.6.32.46/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
44553 -@@ -24,14 +24,14 @@
44554 - #include <linux/coda_fs_i.h>
44555 - #include <linux/coda_cache.h>
44556 -
44557 --static atomic_t permission_epoch = ATOMIC_INIT(0);
44558 -+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
44559 -
44560 - /* replace or extend an acl cache hit */
44561 - void coda_cache_enter(struct inode *inode, int mask)
44562 - {
44563 - struct coda_inode_info *cii = ITOC(inode);
44564 -
44565 -- cii->c_cached_epoch = atomic_read(&permission_epoch);
44566 -+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
44567 - if (cii->c_uid != current_fsuid()) {
44568 - cii->c_uid = current_fsuid();
44569 - cii->c_cached_perm = mask;
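Review bot: `permission_epoch` is made unchecked, yet it is the value coda_cache_check compares against `c_cached_epoch` to decide whether a cached permission still holds. It is not a reference count, so opting out of overflow detection is reasonable, but a wrap would make an old epoch value valid again. Add a comment stating that wraparound is tolerated here and why.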
44570 -@@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
44571 - void coda_cache_clear_inode(struct inode *inode)
44572 - {
44573 - struct coda_inode_info *cii = ITOC(inode);
44574 -- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
44575 -+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
44576 - }
44577 -
44578 - /* remove all acl caches */
44579 - void coda_cache_clear_all(struct super_block *sb)
44580 - {
44581 -- atomic_inc(&permission_epoch);
44582 -+ atomic_inc_unchecked(&permission_epoch);
44583 - }
44584 -
44585 -
44586 -@@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
44587 -
44588 - hit = (mask & cii->c_cached_perm) == mask &&
44589 - cii->c_uid == current_fsuid() &&
44590 -- cii->c_cached_epoch == atomic_read(&permission_epoch);
44591 -+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
44592 -
44593 - return hit;
44594 - }
44595 -diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
44596 ---- linux-2.6.32.46/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
44597 -+++ linux-2.6.32.46/fs/compat.c 2011-10-06 09:37:14.000000000 -0400
44598 -@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char _
44599 - static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
44600 - {
44601 - compat_ino_t ino = stat->ino;
44602 -- typeof(ubuf->st_uid) uid = 0;
44603 -- typeof(ubuf->st_gid) gid = 0;
44604 -+ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
44605 -+ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
44606 - int err;
44607 -
44608 - SET_UID(uid, stat->uid);
44609 -@@ -533,7 +533,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
44610 -
44611 - set_fs(KERNEL_DS);
44612 - /* The __user pointer cast is valid because of the set_fs() */
44613 -- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
44614 -+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
44615 - set_fs(oldfs);
44616 - /* truncating is ok because it's a user address */
44617 - if (!ret)
44618 -@@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
44619 -
44620 - struct compat_readdir_callback {
44621 - struct compat_old_linux_dirent __user *dirent;
44622 -+ struct file * file;
44623 - int result;
44624 - };
44625 -
44626 -@@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
44627 - buf->result = -EOVERFLOW;
44628 - return -EOVERFLOW;
44629 - }
44630 -+
44631 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44632 -+ return 0;
44633 -+
44634 - buf->result++;
44635 - dirent = buf->dirent;
44636 - if (!access_ok(VERIFY_WRITE, dirent,
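Review bot: the `gr_acl_handle_filldir()` check is placed after the `-EOVERFLOW` exit visible at the top of the hunk, so an entry the ACL would hide can still end the listing with an error before the policy is consulted. Consider moving the ACL check ahead of that test so hidden entries are skipped with `return 0` before any other property of the entry can affect the result. The same ordering question applies to the compat_filldir and compat_filldir64 hunks.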
44637 -@@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
44638 -
44639 - buf.result = 0;
44640 - buf.dirent = dirent;
44641 -+ buf.file = file;
44642 -
44643 - error = vfs_readdir(file, compat_fillonedir, &buf);
44644 - if (buf.result)
44645 -@@ -899,6 +905,7 @@ struct compat_linux_dirent {
44646 - struct compat_getdents_callback {
44647 - struct compat_linux_dirent __user *current_dir;
44648 - struct compat_linux_dirent __user *previous;
44649 -+ struct file * file;
44650 - int count;
44651 - int error;
44652 - };
44653 -@@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
44654 - buf->error = -EOVERFLOW;
44655 - return -EOVERFLOW;
44656 - }
44657 -+
44658 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44659 -+ return 0;
44660 -+
44661 - dirent = buf->previous;
44662 - if (dirent) {
44663 - if (__put_user(offset, &dirent->d_off))
44664 -@@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
44665 - buf.previous = NULL;
44666 - buf.count = count;
44667 - buf.error = 0;
44668 -+ buf.file = file;
44669 -
44670 - error = vfs_readdir(file, compat_filldir, &buf);
44671 - if (error >= 0)
44672 -@@ -987,6 +999,7 @@ out:
44673 - struct compat_getdents_callback64 {
44674 - struct linux_dirent64 __user *current_dir;
44675 - struct linux_dirent64 __user *previous;
44676 -+ struct file * file;
44677 - int count;
44678 - int error;
44679 - };
44680 -@@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
44681 - buf->error = -EINVAL; /* only used if we fail.. */
44682 - if (reclen > buf->count)
44683 - return -EINVAL;
44684 -+
44685 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
44686 -+ return 0;
44687 -+
44688 - dirent = buf->previous;
44689 -
44690 - if (dirent) {
44691 -@@ -1054,13 +1071,14 @@ asmlinkage long compat_sys_getdents64(un
44692 - buf.previous = NULL;
44693 - buf.count = count;
44694 - buf.error = 0;
44695 -+ buf.file = file;
44696 -
44697 - error = vfs_readdir(file, compat_filldir64, &buf);
44698 - if (error >= 0)
44699 - error = buf.error;
44700 - lastdirent = buf.previous;
44701 - if (lastdirent) {
44702 -- typeof(lastdirent->d_off) d_off = file->f_pos;
44703 -+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
44704 - if (__put_user_unaligned(d_off, &lastdirent->d_off))
44705 - error = -EFAULT;
44706 - else
44707 -@@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
44708 - * verify all the pointers
44709 - */
44710 - ret = -EINVAL;
44711 -- if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
44712 -+ if (nr_segs > UIO_MAXIOV)
44713 - goto out;
44714 - if (!file->f_op)
44715 - goto out;
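Review bot: dropping `nr_segs <= 0` is not equivalent to the `< 0` removals elsewhere in this patch, because for an unsigned `nr_segs` the old test still rejected zero with `-EINVAL`. Confirm that the zero-segment case is handled before this point (the code above the hunk is not visible), otherwise `nr_segs == 0` now falls through to the `f_op` checks and beyond.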
44716 -@@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename,
44717 - compat_uptr_t __user *envp,
44718 - struct pt_regs * regs)
44719 - {
44720 -+#ifdef CONFIG_GRKERNSEC
44721 -+ struct file *old_exec_file;
44722 -+ struct acl_subject_label *old_acl;
44723 -+ struct rlimit old_rlim[RLIM_NLIMITS];
44724 -+#endif
44725 - struct linux_binprm *bprm;
44726 - struct file *file;
44727 - struct files_struct *displaced;
44728 - bool clear_in_exec;
44729 - int retval;
44730 -+ const struct cred *cred = current_cred();
44731 -+
44732 -+ /*
44733 -+ * We move the actual failure in case of RLIMIT_NPROC excess from
44734 -+ * set*uid() to execve() because too many poorly written programs
44735 -+ * don't check setuid() return code. Here we additionally recheck
44736 -+ * whether NPROC limit is still exceeded.
44737 -+ */
44738 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
44739 -+
44740 -+ if ((current->flags & PF_NPROC_EXCEEDED) &&
44741 -+ atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
44742 -+ retval = -EAGAIN;
44743 -+ goto out_ret;
44744 -+ }
44745 -+
44746 -+ /* We're below the limit (still or again), so we don't want to make
44747 -+ * further execve() calls fail. */
44748 -+ current->flags &= ~PF_NPROC_EXCEEDED;
44749 -
44750 - retval = unshare_files(&displaced);
44751 - if (retval)
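Review bot: the new RLIMIT_NPROC block reads the process count through two different expressions, `current->cred->user->processes` in the `gr_learn_resource()` call and `cred->user->processes` in the limit test, even though `cred` was just set from `current_cred()`. Use `cred` in both places so the learned value and the enforced value are visibly the same. The `gr_learn_resource()` line is also well past 80 columns and should be wrapped.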
44752 -@@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
44753 - bprm->filename = filename;
44754 - bprm->interp = filename;
44755 -
44756 -+ if (gr_process_user_ban()) {
44757 -+ retval = -EPERM;
44758 -+ goto out_file;
44759 -+ }
44760 -+
44761 -+ retval = -EACCES;
44762 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
44763 -+ goto out_file;
44764 -+
44765 - retval = bprm_mm_init(bprm);
44766 - if (retval)
44767 - goto out_file;
44768 -@@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
44769 - if (retval < 0)
44770 - goto out;
44771 -
44772 -+ if (!gr_tpe_allow(file)) {
44773 -+ retval = -EACCES;
44774 -+ goto out;
44775 -+ }
44776 -+
44777 -+ if (gr_check_crash_exec(file)) {
44778 -+ retval = -EACCES;
44779 -+ goto out;
44780 -+ }
44781 -+
44782 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
44783 -+
44784 -+ gr_handle_exec_args_compat(bprm, argv);
44785 -+
44786 -+#ifdef CONFIG_GRKERNSEC
44787 -+ old_acl = current->acl;
44788 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
44789 -+ old_exec_file = current->exec_file;
44790 -+ get_file(file);
44791 -+ current->exec_file = file;
44792 -+#endif
44793 -+
44794 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
44795 -+ bprm->unsafe & LSM_UNSAFE_SHARE);
44796 -+ if (retval < 0)
44797 -+ goto out_fail;
44798 -+
44799 - retval = search_binary_handler(bprm, regs);
44800 - if (retval < 0)
44801 -- goto out;
44802 -+ goto out_fail;
44803 -+#ifdef CONFIG_GRKERNSEC
44804 -+ if (old_exec_file)
44805 -+ fput(old_exec_file);
44806 -+#endif
44807 -
44808 - /* execve succeeded */
44809 - current->fs->in_exec = 0;
44810 -@@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
44811 - put_files_struct(displaced);
44812 - return retval;
44813 -
44814 -+out_fail:
44815 -+#ifdef CONFIG_GRKERNSEC
44816 -+ current->acl = old_acl;
44817 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
44818 -+ fput(current->exec_file);
44819 -+ current->exec_file = old_exec_file;
44820 -+#endif
44821 -+
44822 - out:
44823 - if (bprm->mm) {
44824 - acct_arg_size(bprm, 0);
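Review bot: the `out_fail` path restores all of `current->signal->rlim` with a single `memcpy()` and no lock is taken in the visible lines. `signal` is shared by every thread in the group, so a limit changed by another thread between the snapshot and this restore would be overwritten. Either take the lock that protects rlim updates around the restore or document why the race cannot occur at this point in execve.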
44825 -@@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat
44826 - struct fdtable *fdt;
44827 - long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
44828 -
44829 -+ pax_track_stack();
44830 -+
44831 - if (n < 0)
44832 - goto out_nofds;
44833 -
44834 -@@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(in
44835 - oldfs = get_fs();
44836 - set_fs(KERNEL_DS);
44837 - /* The __user pointer casts are valid because of the set_fs() */
44838 -- err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
44839 -+ err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
44840 - set_fs(oldfs);
44841 -
44842 - if (err)
44843 -diff -urNp linux-2.6.32.46/fs/compat_binfmt_elf.c linux-2.6.32.46/fs/compat_binfmt_elf.c
44844 ---- linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
44845 -+++ linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-04-17 15:56:46.000000000 -0400
44846 -@@ -29,10 +29,12 @@
44847 - #undef elfhdr
44848 - #undef elf_phdr
44849 - #undef elf_note
44850 -+#undef elf_dyn
44851 - #undef elf_addr_t
44852 - #define elfhdr elf32_hdr
44853 - #define elf_phdr elf32_phdr
44854 - #define elf_note elf32_note
44855 -+#define elf_dyn Elf32_Dyn
44856 - #define elf_addr_t Elf32_Addr
44857 -
44858 - /*
44859 -diff -urNp linux-2.6.32.46/fs/compat_ioctl.c linux-2.6.32.46/fs/compat_ioctl.c
44860 ---- linux-2.6.32.46/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
44861 -+++ linux-2.6.32.46/fs/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
44862 -@@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
44863 - up = (struct compat_video_spu_palette __user *) arg;
44864 - err = get_user(palp, &up->palette);
44865 - err |= get_user(length, &up->length);
44866 -+ if (err)
44867 -+ return -EFAULT;
44868 -
44869 - up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
44870 - err = put_user(compat_ptr(palp), &up_native->palette);
44871 -@@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned
44872 - return -EFAULT;
44873 - if (__get_user(udata, &ss32->iomem_base))
44874 - return -EFAULT;
44875 -- ss.iomem_base = compat_ptr(udata);
44876 -+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
44877 - if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
44878 - __get_user(ss.port_high, &ss32->port_high))
44879 - return -EFAULT;
44880 -@@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(stru
44881 - copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
44882 - copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
44883 - copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
44884 -- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
44885 -+ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
44886 - return -EFAULT;
44887 -
44888 - return ioctl_preallocate(file, p);
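Review bot: only the destination argument changes from `&p->l_pad` to `p->l_pad`, while the source on the same line stays `&p32->l_pad`. Both forms give the same address, so this is a type cleanup, but leaving the two arguments in different styles invites the question of whether the difference is intentional. Change the source to `p32->l_pad` as well or explain the asymmetry.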
44889 -diff -urNp linux-2.6.32.46/fs/configfs/dir.c linux-2.6.32.46/fs/configfs/dir.c
44890 ---- linux-2.6.32.46/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
44891 -+++ linux-2.6.32.46/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
44892 -@@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
44893 - }
44894 - for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
44895 - struct configfs_dirent *next;
44896 -- const char * name;
44897 -+ const unsigned char * name;
44898 -+ char d_name[sizeof(next->s_dentry->d_iname)];
44899 - int len;
44900 -
44901 - next = list_entry(p, struct configfs_dirent,
44902 -@@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
44903 - continue;
44904 -
44905 - name = configfs_get_name(next);
44906 -- len = strlen(name);
44907 -+ if (next->s_dentry && name == next->s_dentry->d_iname) {
44908 -+ len = next->s_dentry->d_name.len;
44909 -+ memcpy(d_name, name, len);
44910 -+ name = d_name;
44911 -+ } else
44912 -+ len = strlen(name);
44913 - if (next->s_dentry)
44914 - ino = next->s_dentry->d_inode->i_ino;
44915 - else
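Review bot: the new `memcpy(d_name, name, len)` takes `len` from `d_name.len` without checking it against `sizeof(d_name)`, and the copy is not NUL-terminated. The `name == next->s_dentry->d_iname` test implies the name is inline and therefore fits, but that invariant is not stated. Add a defensive bound on `len` (or a comment naming the invariant), and note that consumers must use `len` and not treat `d_name` as a C string.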
44916 -diff -urNp linux-2.6.32.46/fs/dcache.c linux-2.6.32.46/fs/dcache.c
44917 ---- linux-2.6.32.46/fs/dcache.c 2011-03-27 14:31:47.000000000 -0400
44918 -+++ linux-2.6.32.46/fs/dcache.c 2011-04-23 13:32:21.000000000 -0400
44919 -@@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
44920 -
44921 - static struct kmem_cache *dentry_cache __read_mostly;
44922 -
44923 --#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
44924 --
44925 - /*
44926 - * This is the single most critical data structure when it comes
44927 - * to the dcache: the hashtable for lookups. Somebody should try
44928 -@@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
44929 - mempages -= reserve;
44930 -
44931 - names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
44932 -- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
44933 -+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
44934 -
44935 - dcache_init();
44936 - inode_init();
44937 -diff -urNp linux-2.6.32.46/fs/dlm/lockspace.c linux-2.6.32.46/fs/dlm/lockspace.c
44938 ---- linux-2.6.32.46/fs/dlm/lockspace.c 2011-03-27 14:31:47.000000000 -0400
44939 -+++ linux-2.6.32.46/fs/dlm/lockspace.c 2011-04-17 15:56:46.000000000 -0400
44940 -@@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
44941 - kfree(ls);
44942 - }
44943 -
44944 --static struct sysfs_ops dlm_attr_ops = {
44945 -+static const struct sysfs_ops dlm_attr_ops = {
44946 - .show = dlm_attr_show,
44947 - .store = dlm_attr_store,
44948 - };
44949 -diff -urNp linux-2.6.32.46/fs/ecryptfs/inode.c linux-2.6.32.46/fs/ecryptfs/inode.c
44950 ---- linux-2.6.32.46/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
44951 -+++ linux-2.6.32.46/fs/ecryptfs/inode.c 2011-10-06 09:37:14.000000000 -0400
44952 -@@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
44953 - old_fs = get_fs();
44954 - set_fs(get_ds());
44955 - rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
44956 -- (char __user *)lower_buf,
44957 -+ (char __force_user *)lower_buf,
44958 - lower_bufsiz);
44959 - set_fs(old_fs);
44960 - if (rc < 0)
44961 -@@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
44962 - }
44963 - old_fs = get_fs();
44964 - set_fs(get_ds());
44965 -- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
44966 -+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
44967 - set_fs(old_fs);
44968 - if (rc < 0)
44969 - goto out_free;
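Review bot: The cast in ecryptfs_follow_link() is spelled (__force char __user *)buf, while the hunk just above in ecryptfs_readlink_lower() uses (char __force_user *)lower_buf for the same set_fs()/readlink pattern. Pick one spelling for the file so a later grep for forced user casts finds both call sites.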
44970 -diff -urNp linux-2.6.32.46/fs/exec.c linux-2.6.32.46/fs/exec.c
44971 ---- linux-2.6.32.46/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
44972 -+++ linux-2.6.32.46/fs/exec.c 2011-10-06 09:37:14.000000000 -0400
44973 -@@ -56,12 +56,24 @@
44974 - #include <linux/fsnotify.h>
44975 - #include <linux/fs_struct.h>
44976 - #include <linux/pipe_fs_i.h>
44977 -+#include <linux/random.h>
44978 -+#include <linux/seq_file.h>
44979 -+
44980 -+#ifdef CONFIG_PAX_REFCOUNT
44981 -+#include <linux/kallsyms.h>
44982 -+#include <linux/kdebug.h>
44983 -+#endif
44984 -
44985 - #include <asm/uaccess.h>
44986 - #include <asm/mmu_context.h>
44987 - #include <asm/tlb.h>
44988 - #include "internal.h"
44989 -
44990 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
44991 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44992 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
44993 -+#endif
44994 -+
44995 - int core_uses_pid;
44996 - char core_pattern[CORENAME_MAX_SIZE] = "core";
44997 - unsigned int core_pipe_limit;
44998 -@@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
44999 - goto out;
45000 -
45001 - file = do_filp_open(AT_FDCWD, tmp,
45002 -- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
45003 -+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
45004 - MAY_READ | MAY_EXEC | MAY_OPEN);
45005 - putname(tmp);
45006 - error = PTR_ERR(file);
45007 -@@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
45008 - int write)
45009 - {
45010 - struct page *page;
45011 -- int ret;
45012 -
45013 --#ifdef CONFIG_STACK_GROWSUP
45014 -- if (write) {
45015 -- ret = expand_stack_downwards(bprm->vma, pos);
45016 -- if (ret < 0)
45017 -- return NULL;
45018 -- }
45019 --#endif
45020 -- ret = get_user_pages(current, bprm->mm, pos,
45021 -- 1, write, 1, &page, NULL);
45022 -- if (ret <= 0)
45023 -+ if (0 > expand_stack_downwards(bprm->vma, pos))
45024 -+ return NULL;
45025 -+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45026 - return NULL;
45027 -
45028 - if (write) {
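Review bot: In get_arg_page() the call to expand_stack_downwards() has lost both guards the old code had, the CONFIG_STACK_GROWSUP ifdef and the if (write) test, so the expansion is now attempted on read lookups and on every configuration. If that is intended it needs a comment saying why. The reversed comparisons (0 > ..., 0 >= ...) also depart from the ret < 0 / ret <= 0 form the removed lines used.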
45029 -@@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
45030 - vma->vm_end = STACK_TOP_MAX;
45031 - vma->vm_start = vma->vm_end - PAGE_SIZE;
45032 - vma->vm_flags = VM_STACK_FLAGS;
45033 -+
45034 -+#ifdef CONFIG_PAX_SEGMEXEC
45035 -+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45036 -+#endif
45037 -+
45038 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45039 -
45040 - err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
45041 -@@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
45042 - mm->stack_vm = mm->total_vm = 1;
45043 - up_write(&mm->mmap_sem);
45044 - bprm->p = vma->vm_end - sizeof(void *);
45045 -+
45046 -+#ifdef CONFIG_PAX_RANDUSTACK
45047 -+ if (randomize_va_space)
45048 -+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45049 -+#endif
45050 -+
45051 - return 0;
45052 - err:
45053 - up_write(&mm->mmap_sem);
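Review bot: The CONFIG_PAX_RANDUSTACK line in __bprm_mm_init() has an undocumented mask, (pax_get_random_long() & ~15) & ~PAGE_MASK. A one-line comment should state what it guarantees: only bits 4 and up of the in-page offset are changed, so bprm->p stays inside the single stack page set up above and keeps its low four bits.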
45054 -@@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
45055 - int r;
45056 - mm_segment_t oldfs = get_fs();
45057 - set_fs(KERNEL_DS);
45058 -- r = copy_strings(argc, (char __user * __user *)argv, bprm);
45059 -+ r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
45060 - set_fs(oldfs);
45061 - return r;
45062 - }
45063 -@@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
45064 - unsigned long new_end = old_end - shift;
45065 - struct mmu_gather *tlb;
45066 -
45067 -- BUG_ON(new_start > new_end);
45068 -+ if (new_start >= new_end || new_start < mmap_min_addr)
45069 -+ return -ENOMEM;
45070 -
45071 - /*
45072 - * ensure there are no vmas between where we want to go
45073 -@@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
45074 - if (vma != find_vma(mm, new_start))
45075 - return -EFAULT;
45076 -
45077 -+#ifdef CONFIG_PAX_SEGMEXEC
45078 -+ BUG_ON(pax_find_mirror_vma(vma));
45079 -+#endif
45080 -+
45081 - /*
45082 - * cover the whole range: [new_start, old_end)
45083 - */
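Review bot: The new BUG_ON(pax_find_mirror_vma(vma)) in shift_arg_pages() is at odds with the previous hunk, which replaces a BUG_ON in the same function with return -ENOMEM. If a mirrored vma can never exist at this point, say so in a comment; if it can, return an error as the neighbouring checks do instead of stopping the kernel on the exec path.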
45084 -@@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
45085 - stack_top = arch_align_stack(stack_top);
45086 - stack_top = PAGE_ALIGN(stack_top);
45087 -
45088 -- if (unlikely(stack_top < mmap_min_addr) ||
45089 -- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45090 -- return -ENOMEM;
45091 --
45092 - stack_shift = vma->vm_end - stack_top;
45093 -
45094 - bprm->p -= stack_shift;
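Review bot: Removing the stack_top < mmap_min_addr test from setup_arg_pages() leaves the only lower-bound check in shift_arg_pages() (new_start < mmap_min_addr), and the next hunk calls that function only under if (stack_shift). With stack_shift equal to 0 no mmap_min_addr check runs at all. Either keep a check here or add a comment explaining why a zero shift cannot leave the stack below mmap_min_addr.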
45095 -@@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
45096 - bprm->exec -= stack_shift;
45097 -
45098 - down_write(&mm->mmap_sem);
45099 -+
45100 -+ /* Move stack pages down in memory. */
45101 -+ if (stack_shift) {
45102 -+ ret = shift_arg_pages(vma, stack_shift);
45103 -+ if (ret)
45104 -+ goto out_unlock;
45105 -+ }
45106 -+
45107 - vm_flags = VM_STACK_FLAGS;
45108 -
45109 - /*
45110 -@@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
45111 - vm_flags &= ~VM_EXEC;
45112 - vm_flags |= mm->def_flags;
45113 -
45114 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45115 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45116 -+ vm_flags &= ~VM_EXEC;
45117 -+
45118 -+#ifdef CONFIG_PAX_MPROTECT
45119 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
45120 -+ vm_flags &= ~VM_MAYEXEC;
45121 -+#endif
45122 -+
45123 -+ }
45124 -+#endif
45125 -+
45126 - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
45127 - vm_flags);
45128 - if (ret)
45129 - goto out_unlock;
45130 - BUG_ON(prev != vma);
45131 -
45132 -- /* Move stack pages down in memory. */
45133 -- if (stack_shift) {
45134 -- ret = shift_arg_pages(vma, stack_shift);
45135 -- if (ret)
45136 -- goto out_unlock;
45137 -- }
45138 --
45139 - stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
45140 - stack_size = vma->vm_end - vma->vm_start;
45141 - /*
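Review bot: The block that moves the stack pages is taken out from after mprotect_fixup() here and re-added before it in the previous hunk, with no comment on why the order matters. Since a failing mprotect_fixup() now happens after the vma has already been shifted, the ordering dependency should be stated next to the moved block. The nested CONFIG_PAX_MPROTECT ifdef and the blank line before the closing brace also make the new flag logic harder to read than it needs to be.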
45142 -@@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
45143 - int err;
45144 -
45145 - file = do_filp_open(AT_FDCWD, name,
45146 -- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
45147 -+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
45148 - MAY_EXEC | MAY_OPEN);
45149 - if (IS_ERR(file))
45150 - goto out;
45151 -@@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
45152 - old_fs = get_fs();
45153 - set_fs(get_ds());
45154 - /* The cast to a user pointer is valid due to the set_fs() */
45155 -- result = vfs_read(file, (void __user *)addr, count, &pos);
45156 -+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
45157 - set_fs(old_fs);
45158 - return result;
45159 - }
45160 -@@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
45161 - }
45162 - rcu_read_unlock();
45163 -
45164 -- if (p->fs->users > n_fs) {
45165 -+ if (atomic_read(&p->fs->users) > n_fs) {
45166 - bprm->unsafe |= LSM_UNSAFE_SHARE;
45167 - } else {
45168 - res = -EAGAIN;
45169 -@@ -1347,11 +1376,35 @@ int do_execve(char * filename,
45170 - char __user *__user *envp,
45171 - struct pt_regs * regs)
45172 - {
45173 -+#ifdef CONFIG_GRKERNSEC
45174 -+ struct file *old_exec_file;
45175 -+ struct acl_subject_label *old_acl;
45176 -+ struct rlimit old_rlim[RLIM_NLIMITS];
45177 -+#endif
45178 - struct linux_binprm *bprm;
45179 - struct file *file;
45180 - struct files_struct *displaced;
45181 - bool clear_in_exec;
45182 - int retval;
45183 -+ const struct cred *cred = current_cred();
45184 -+
45185 -+ /*
45186 -+ * We move the actual failure in case of RLIMIT_NPROC excess from
45187 -+ * set*uid() to execve() because too many poorly written programs
45188 -+ * don't check setuid() return code. Here we additionally recheck
45189 -+ * whether NPROC limit is still exceeded.
45190 -+ */
45191 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45192 -+
45193 -+ if ((current->flags & PF_NPROC_EXCEEDED) &&
45194 -+ atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45195 -+ retval = -EAGAIN;
45196 -+ goto out_ret;
45197 -+ }
45198 -+
45199 -+ /* We're below the limit (still or again), so we don't want to make
45200 -+ * further execve() calls fail. */
45201 -+ current->flags &= ~PF_NPROC_EXCEEDED;
45202 -
45203 - retval = unshare_files(&displaced);
45204 - if (retval)
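Review bot: In do_execve() the gr_learn_resource() call reads atomic_read(&current->cred->user->processes) although the local cred = current_cred() is declared just above and is what the limit test two lines later uses. Use cred->user->processes in both places so the learned value and the enforced value come from the same credentials. The call is also wedged between the RLIMIT_NPROC comment and the check that comment describes; move it above the comment.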
45205 -@@ -1383,6 +1436,16 @@ int do_execve(char * filename,
45206 - bprm->filename = filename;
45207 - bprm->interp = filename;
45208 -
45209 -+ if (gr_process_user_ban()) {
45210 -+ retval = -EPERM;
45211 -+ goto out_file;
45212 -+ }
45213 -+
45214 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45215 -+ retval = -EACCES;
45216 -+ goto out_file;
45217 -+ }
45218 -+
45219 - retval = bprm_mm_init(bprm);
45220 - if (retval)
45221 - goto out_file;
45222 -@@ -1412,10 +1475,41 @@ int do_execve(char * filename,
45223 - if (retval < 0)
45224 - goto out;
45225 -
45226 -+ if (!gr_tpe_allow(file)) {
45227 -+ retval = -EACCES;
45228 -+ goto out;
45229 -+ }
45230 -+
45231 -+ if (gr_check_crash_exec(file)) {
45232 -+ retval = -EACCES;
45233 -+ goto out;
45234 -+ }
45235 -+
45236 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45237 -+
45238 -+ gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
45239 -+
45240 -+#ifdef CONFIG_GRKERNSEC
45241 -+ old_acl = current->acl;
45242 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45243 -+ old_exec_file = current->exec_file;
45244 -+ get_file(file);
45245 -+ current->exec_file = file;
45246 -+#endif
45247 -+
45248 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45249 -+ bprm->unsafe & LSM_UNSAFE_SHARE);
45250 -+ if (retval < 0)
45251 -+ goto out_fail;
45252 -+
45253 - current->flags &= ~PF_KTHREAD;
45254 - retval = search_binary_handler(bprm,regs);
45255 - if (retval < 0)
45256 -- goto out;
45257 -+ goto out_fail;
45258 -+#ifdef CONFIG_GRKERNSEC
45259 -+ if (old_exec_file)
45260 -+ fput(old_exec_file);
45261 -+#endif
45262 -
45263 - /* execve succeeded */
45264 - current->fs->in_exec = 0;
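Review bot: The rollback contract around the saved state is implicit. gr_tpe_allow() and gr_check_crash_exec() fail with goto out because they run before old_acl, old_rlim and old_exec_file are captured, while gr_set_proc_label() and search_binary_handler() use goto out_fail. A short comment at the save point, stating that every failure after it must go to out_fail, would keep a later edit from jumping to out and skipping the fput() and the restore of current->acl and the rlimits.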
45265 -@@ -1426,6 +1520,14 @@ int do_execve(char * filename,
45266 - put_files_struct(displaced);
45267 - return retval;
45268 -
45269 -+out_fail:
45270 -+#ifdef CONFIG_GRKERNSEC
45271 -+ current->acl = old_acl;
45272 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45273 -+ fput(current->exec_file);
45274 -+ current->exec_file = old_exec_file;
45275 -+#endif
45276 -+
45277 - out:
45278 - if (bprm->mm) {
45279 - acct_arg_size(bprm, 0);
45280 -@@ -1591,6 +1693,220 @@ out:
45281 - return ispipe;
45282 - }
45283 -
45284 -+int pax_check_flags(unsigned long *flags)
45285 -+{
45286 -+ int retval = 0;
45287 -+
45288 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45289 -+ if (*flags & MF_PAX_SEGMEXEC)
45290 -+ {
45291 -+ *flags &= ~MF_PAX_SEGMEXEC;
45292 -+ retval = -EINVAL;
45293 -+ }
45294 -+#endif
45295 -+
45296 -+ if ((*flags & MF_PAX_PAGEEXEC)
45297 -+
45298 -+#ifdef CONFIG_PAX_PAGEEXEC
45299 -+ && (*flags & MF_PAX_SEGMEXEC)
45300 -+#endif
45301 -+
45302 -+ )
45303 -+ {
45304 -+ *flags &= ~MF_PAX_PAGEEXEC;
45305 -+ retval = -EINVAL;
45306 -+ }
45307 -+
45308 -+ if ((*flags & MF_PAX_MPROTECT)
45309 -+
45310 -+#ifdef CONFIG_PAX_MPROTECT
45311 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45312 -+#endif
45313 -+
45314 -+ )
45315 -+ {
45316 -+ *flags &= ~MF_PAX_MPROTECT;
45317 -+ retval = -EINVAL;
45318 -+ }
45319 -+
45320 -+ if ((*flags & MF_PAX_EMUTRAMP)
45321 -+
45322 -+#ifdef CONFIG_PAX_EMUTRAMP
45323 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45324 -+#endif
45325 -+
45326 -+ )
45327 -+ {
45328 -+ *flags &= ~MF_PAX_EMUTRAMP;
45329 -+ retval = -EINVAL;
45330 -+ }
45331 -+
45332 -+ return retval;
45333 -+}
45334 -+
45335 -+EXPORT_SYMBOL(pax_check_flags);
45336 -+
45337 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45338 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45339 -+{
45340 -+ struct task_struct *tsk = current;
45341 -+ struct mm_struct *mm = current->mm;
45342 -+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
45343 -+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
45344 -+ char *path_exec = NULL;
45345 -+ char *path_fault = NULL;
45346 -+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
45347 -+
45348 -+ if (buffer_exec && buffer_fault) {
45349 -+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
45350 -+
45351 -+ down_read(&mm->mmap_sem);
45352 -+ vma = mm->mmap;
45353 -+ while (vma && (!vma_exec || !vma_fault)) {
45354 -+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
45355 -+ vma_exec = vma;
45356 -+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
45357 -+ vma_fault = vma;
45358 -+ vma = vma->vm_next;
45359 -+ }
45360 -+ if (vma_exec) {
45361 -+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
45362 -+ if (IS_ERR(path_exec))
45363 -+ path_exec = "<path too long>";
45364 -+ else {
45365 -+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
45366 -+ if (path_exec) {
45367 -+ *path_exec = 0;
45368 -+ path_exec = buffer_exec;
45369 -+ } else
45370 -+ path_exec = "<path too long>";
45371 -+ }
45372 -+ }
45373 -+ if (vma_fault) {
45374 -+ start = vma_fault->vm_start;
45375 -+ end = vma_fault->vm_end;
45376 -+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
45377 -+ if (vma_fault->vm_file) {
45378 -+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
45379 -+ if (IS_ERR(path_fault))
45380 -+ path_fault = "<path too long>";
45381 -+ else {
45382 -+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
45383 -+ if (path_fault) {
45384 -+ *path_fault = 0;
45385 -+ path_fault = buffer_fault;
45386 -+ } else
45387 -+ path_fault = "<path too long>";
45388 -+ }
45389 -+ } else
45390 -+ path_fault = "<anonymous mapping>";
45391 -+ }
45392 -+ up_read(&mm->mmap_sem);
45393 -+ }
45394 -+ if (tsk->signal->curr_ip)
45395 -+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
45396 -+ else
45397 -+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
45398 -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
45399 -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
45400 -+ task_uid(tsk), task_euid(tsk), pc, sp);
45401 -+ free_page((unsigned long)buffer_exec);
45402 -+ free_page((unsigned long)buffer_fault);
45403 -+ pax_report_insns(pc, sp);
45404 -+ do_coredump(SIGKILL, SIGKILL, regs);
45405 -+}
45406 -+#endif
45407 -+
45408 -+#ifdef CONFIG_PAX_REFCOUNT
45409 -+void pax_report_refcount_overflow(struct pt_regs *regs)
45410 -+{
45411 -+ if (current->signal->curr_ip)
45412 -+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45413 -+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
45414 -+ else
45415 -+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
45416 -+ current->comm, task_pid_nr(current), current_uid(), current_euid());
45417 -+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
45418 -+ show_regs(regs);
45419 -+ force_sig_specific(SIGKILL, current);
45420 -+}
45421 -+#endif
45422 -+
45423 -+#ifdef CONFIG_PAX_USERCOPY
45424 -+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
45425 -+int object_is_on_stack(const void *obj, unsigned long len)
45426 -+{
45427 -+ const void * const stack = task_stack_page(current);
45428 -+ const void * const stackend = stack + THREAD_SIZE;
45429 -+
45430 -+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45431 -+ const void *frame = NULL;
45432 -+ const void *oldframe;
45433 -+#endif
45434 -+
45435 -+ if (obj + len < obj)
45436 -+ return -1;
45437 -+
45438 -+ if (obj + len <= stack || stackend <= obj)
45439 -+ return 0;
45440 -+
45441 -+ if (obj < stack || stackend < obj + len)
45442 -+ return -1;
45443 -+
45444 -+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
45445 -+ oldframe = __builtin_frame_address(1);
45446 -+ if (oldframe)
45447 -+ frame = __builtin_frame_address(2);
45448 -+ /*
45449 -+ low ----------------------------------------------> high
45450 -+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
45451 -+ ^----------------^
45452 -+ allow copies only within here
45453 -+ */
45454 -+ while (stack <= frame && frame < stackend) {
45455 -+ /* if obj + len extends past the last frame, this
45456 -+ check won't pass and the next frame will be 0,
45457 -+ causing us to bail out and correctly report
45458 -+ the copy as invalid
45459 -+ */
45460 -+ if (obj + len <= frame)
45461 -+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
45462 -+ oldframe = frame;
45463 -+ frame = *(const void * const *)frame;
45464 -+ }
45465 -+ return -1;
45466 -+#else
45467 -+ return 1;
45468 -+#endif
45469 -+}
45470 -+
45471 -+
45472 -+NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
45473 -+{
45474 -+ if (current->signal->curr_ip)
45475 -+ printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45476 -+ &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45477 -+ else
45478 -+ printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
45479 -+ to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
45480 -+
45481 -+ dump_stack();
45482 -+ gr_handle_kernel_exploit();
45483 -+ do_group_exit(SIGKILL);
45484 -+}
45485 -+#endif
45486 -+
45487 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
45488 -+void pax_track_stack(void)
45489 -+{
45490 -+ unsigned long sp = (unsigned long)&sp;
45491 -+ if (sp < current_thread_info()->lowest_stack &&
45492 -+ sp > (unsigned long)task_stack_page(current))
45493 -+ current_thread_info()->lowest_stack = sp;
45494 -+}
45495 -+EXPORT_SYMBOL(pax_track_stack);
45496 -+#endif
45497 -+
45498 - static int zap_process(struct task_struct *start)
45499 - {
45500 - struct task_struct *t;
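Review bot: In pax_report_fault() path_exec and path_fault are initialised to NULL and are only set inside if (buffer_exec && buffer_fault) and the vma_exec / vma_fault branches, yet both are passed to the "%s" conversions of the printk calls unconditionally. When a page allocation fails or no matching vma is found, the report loses the path without saying why; initialise them to a fixed marker string in the style of the existing "<path too long>" and "<anonymous mapping>" values. Separately, the message in pax_report_refcount_overflow() misspells "occurred" as "occured", which matters to anyone matching these log lines by text.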
45501 -@@ -1793,17 +2109,17 @@ static void wait_for_dump_helpers(struct
45502 - pipe = file->f_path.dentry->d_inode->i_pipe;
45503 -
45504 - pipe_lock(pipe);
45505 -- pipe->readers++;
45506 -- pipe->writers--;
45507 -+ atomic_inc(&pipe->readers);
45508 -+ atomic_dec(&pipe->writers);
45509 -
45510 -- while ((pipe->readers > 1) && (!signal_pending(current))) {
45511 -+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
45512 - wake_up_interruptible_sync(&pipe->wait);
45513 - kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45514 - pipe_wait(pipe);
45515 - }
45516 -
45517 -- pipe->readers--;
45518 -- pipe->writers++;
45519 -+ atomic_dec(&pipe->readers);
45520 -+ atomic_inc(&pipe->writers);
45521 - pipe_unlock(pipe);
45522 -
45523 - }
45524 -@@ -1826,10 +2142,13 @@ void do_coredump(long signr, int exit_co
45525 - char **helper_argv = NULL;
45526 - int helper_argc = 0;
45527 - int dump_count = 0;
45528 -- static atomic_t core_dump_count = ATOMIC_INIT(0);
45529 -+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
45530 -
45531 - audit_core_dumps(signr);
45532 -
45533 -+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
45534 -+ gr_handle_brute_attach(current, mm->flags);
45535 -+
45536 - binfmt = mm->binfmt;
45537 - if (!binfmt || !binfmt->core_dump)
45538 - goto fail;
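Review bot: The signal list guarding gr_handle_brute_attach() in do_coredump() needs a comment, in particular for SIGKILL, which is not a signal one expects on the core dump path. It is presumably there because pax_report_fault() earlier in this file calls do_coredump(SIGKILL, SIGKILL, regs); saying so at the test would stop someone from trimming the list and silently disabling the brute-force accounting for PaX kills.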
45539 -@@ -1874,6 +2193,8 @@ void do_coredump(long signr, int exit_co
45540 - */
45541 - clear_thread_flag(TIF_SIGPENDING);
45542 -
45543 -+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
45544 -+
45545 - /*
45546 - * lock_kernel() because format_corename() is controlled by sysctl, which
45547 - * uses lock_kernel()
45548 -@@ -1908,7 +2229,7 @@ void do_coredump(long signr, int exit_co
45549 - goto fail_unlock;
45550 - }
45551 -
45552 -- dump_count = atomic_inc_return(&core_dump_count);
45553 -+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
45554 - if (core_pipe_limit && (core_pipe_limit < dump_count)) {
45555 - printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
45556 - task_tgid_vnr(current), current->comm);
45557 -@@ -1972,7 +2293,7 @@ close_fail:
45558 - filp_close(file, NULL);
45559 - fail_dropcount:
45560 - if (dump_count)
45561 -- atomic_dec(&core_dump_count);
45562 -+ atomic_dec_unchecked(&core_dump_count);
45563 - fail_unlock:
45564 - if (helper_argv)
45565 - argv_free(helper_argv);
45566 -diff -urNp linux-2.6.32.46/fs/ext2/balloc.c linux-2.6.32.46/fs/ext2/balloc.c
45567 ---- linux-2.6.32.46/fs/ext2/balloc.c 2011-03-27 14:31:47.000000000 -0400
45568 -+++ linux-2.6.32.46/fs/ext2/balloc.c 2011-04-17 15:56:46.000000000 -0400
45569 -@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
45570 -
45571 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
45572 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
45573 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
45574 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
45575 - sbi->s_resuid != current_fsuid() &&
45576 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
45577 - return 0;
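Review bot: The switch from capable() to capable_nolog() in ext2_has_free_blocks() is unexplained, and the same substitution is repeated in the ext3 and ext4 hunks that follow. A comment at one of the three sites should say why this CAP_SYS_RESOURCE probe is exempt from logging, so that the choice is not mistaken for an oversight in a later audit of capability checks.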
45578 -diff -urNp linux-2.6.32.46/fs/ext3/balloc.c linux-2.6.32.46/fs/ext3/balloc.c
45579 ---- linux-2.6.32.46/fs/ext3/balloc.c 2011-03-27 14:31:47.000000000 -0400
45580 -+++ linux-2.6.32.46/fs/ext3/balloc.c 2011-04-17 15:56:46.000000000 -0400
45581 -@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
45582 -
45583 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
45584 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
45585 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
45586 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
45587 - sbi->s_resuid != current_fsuid() &&
45588 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
45589 - return 0;
45590 -diff -urNp linux-2.6.32.46/fs/ext4/balloc.c linux-2.6.32.46/fs/ext4/balloc.c
45591 ---- linux-2.6.32.46/fs/ext4/balloc.c 2011-03-27 14:31:47.000000000 -0400
45592 -+++ linux-2.6.32.46/fs/ext4/balloc.c 2011-04-17 15:56:46.000000000 -0400
45593 -@@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
45594 - /* Hm, nope. Are (enough) root reserved blocks available? */
45595 - if (sbi->s_resuid == current_fsuid() ||
45596 - ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
45597 -- capable(CAP_SYS_RESOURCE)) {
45598 -+ capable_nolog(CAP_SYS_RESOURCE)) {
45599 - if (free_blocks >= (nblocks + dirty_blocks))
45600 - return 1;
45601 - }
45602 -diff -urNp linux-2.6.32.46/fs/ext4/ext4.h linux-2.6.32.46/fs/ext4/ext4.h
45603 ---- linux-2.6.32.46/fs/ext4/ext4.h 2011-03-27 14:31:47.000000000 -0400
45604 -+++ linux-2.6.32.46/fs/ext4/ext4.h 2011-04-17 15:56:46.000000000 -0400
45605 -@@ -1078,19 +1078,19 @@ struct ext4_sb_info {
45606 -
45607 - /* stats for buddy allocator */
45608 - spinlock_t s_mb_pa_lock;
45609 -- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
45610 -- atomic_t s_bal_success; /* we found long enough chunks */
45611 -- atomic_t s_bal_allocated; /* in blocks */
45612 -- atomic_t s_bal_ex_scanned; /* total extents scanned */
45613 -- atomic_t s_bal_goals; /* goal hits */
45614 -- atomic_t s_bal_breaks; /* too long searches */
45615 -- atomic_t s_bal_2orders; /* 2^order hits */
45616 -+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
45617 -+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
45618 -+ atomic_unchecked_t s_bal_allocated; /* in blocks */
45619 -+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
45620 -+ atomic_unchecked_t s_bal_goals; /* goal hits */
45621 -+ atomic_unchecked_t s_bal_breaks; /* too long searches */
45622 -+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
45623 - spinlock_t s_bal_lock;
45624 - unsigned long s_mb_buddies_generated;
45625 - unsigned long long s_mb_generation_time;
45626 -- atomic_t s_mb_lost_chunks;
45627 -- atomic_t s_mb_preallocated;
45628 -- atomic_t s_mb_discarded;
45629 -+ atomic_unchecked_t s_mb_lost_chunks;
45630 -+ atomic_unchecked_t s_mb_preallocated;
45631 -+ atomic_unchecked_t s_mb_discarded;
45632 - atomic_t s_lock_busy;
45633 -
45634 - /* locality groups */
45635 -diff -urNp linux-2.6.32.46/fs/ext4/file.c linux-2.6.32.46/fs/ext4/file.c
45636 ---- linux-2.6.32.46/fs/ext4/file.c 2011-03-27 14:31:47.000000000 -0400
45637 -+++ linux-2.6.32.46/fs/ext4/file.c 2011-10-17 02:30:06.000000000 -0400
45638 -@@ -122,8 +122,8 @@ static int ext4_file_open(struct inode *
45639 - cp = d_path(&path, buf, sizeof(buf));
45640 - path_put(&path);
45641 - if (!IS_ERR(cp)) {
45642 -- memcpy(sbi->s_es->s_last_mounted, cp,
45643 -- sizeof(sbi->s_es->s_last_mounted));
45644 -+ strlcpy(sbi->s_es->s_last_mounted, cp,
45645 -+ sizeof(sbi->s_es->s_last_mounted));
45646 - sb->s_dirt = 1;
45647 - }
45648 - }
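Review bot: Replacing memcpy() with strlcpy() in ext4_file_open() stops the read past the end of cp, but it changes what lands in s_es->s_last_mounted: strlcpy() always writes a terminating NUL, so a path exactly as long as the field is now cut by one byte, and bytes after the terminator keep whatever an earlier, longer mount path left there. If the field is meant to be fully defined on disk, clear it before the copy, and note the truncation behaviour in a comment.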
45649 -diff -urNp linux-2.6.32.46/fs/ext4/mballoc.c linux-2.6.32.46/fs/ext4/mballoc.c
45650 ---- linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:55:34.000000000 -0400
45651 -+++ linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:56:37.000000000 -0400
45652 -@@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
45653 - BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
45654 -
45655 - if (EXT4_SB(sb)->s_mb_stats)
45656 -- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
45657 -+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
45658 -
45659 - break;
45660 - }
45661 -@@ -2131,7 +2131,7 @@ repeat:
45662 - ac->ac_status = AC_STATUS_CONTINUE;
45663 - ac->ac_flags |= EXT4_MB_HINT_FIRST;
45664 - cr = 3;
45665 -- atomic_inc(&sbi->s_mb_lost_chunks);
45666 -+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
45667 - goto repeat;
45668 - }
45669 - }
45670 -@@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
45671 - ext4_grpblk_t counters[16];
45672 - } sg;
45673 -
45674 -+ pax_track_stack();
45675 -+
45676 - group--;
45677 - if (group == 0)
45678 - seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
45679 -@@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
45680 - if (sbi->s_mb_stats) {
45681 - printk(KERN_INFO
45682 - "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
45683 -- atomic_read(&sbi->s_bal_allocated),
45684 -- atomic_read(&sbi->s_bal_reqs),
45685 -- atomic_read(&sbi->s_bal_success));
45686 -+ atomic_read_unchecked(&sbi->s_bal_allocated),
45687 -+ atomic_read_unchecked(&sbi->s_bal_reqs),
45688 -+ atomic_read_unchecked(&sbi->s_bal_success));
45689 - printk(KERN_INFO
45690 - "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
45691 - "%u 2^N hits, %u breaks, %u lost\n",
45692 -- atomic_read(&sbi->s_bal_ex_scanned),
45693 -- atomic_read(&sbi->s_bal_goals),
45694 -- atomic_read(&sbi->s_bal_2orders),
45695 -- atomic_read(&sbi->s_bal_breaks),
45696 -- atomic_read(&sbi->s_mb_lost_chunks));
45697 -+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
45698 -+ atomic_read_unchecked(&sbi->s_bal_goals),
45699 -+ atomic_read_unchecked(&sbi->s_bal_2orders),
45700 -+ atomic_read_unchecked(&sbi->s_bal_breaks),
45701 -+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
45702 - printk(KERN_INFO
45703 - "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
45704 - sbi->s_mb_buddies_generated++,
45705 - sbi->s_mb_generation_time);
45706 - printk(KERN_INFO
45707 - "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
45708 -- atomic_read(&sbi->s_mb_preallocated),
45709 -- atomic_read(&sbi->s_mb_discarded));
45710 -+ atomic_read_unchecked(&sbi->s_mb_preallocated),
45711 -+ atomic_read_unchecked(&sbi->s_mb_discarded));
45712 - }
45713 -
45714 - free_percpu(sbi->s_locality_groups);
45715 -@@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
45716 - struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
45717 -
45718 - if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
45719 -- atomic_inc(&sbi->s_bal_reqs);
45720 -- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
45721 -+ atomic_inc_unchecked(&sbi->s_bal_reqs);
45722 -+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
45723 - if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
45724 -- atomic_inc(&sbi->s_bal_success);
45725 -- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
45726 -+ atomic_inc_unchecked(&sbi->s_bal_success);
45727 -+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
45728 - if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
45729 - ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
45730 -- atomic_inc(&sbi->s_bal_goals);
45731 -+ atomic_inc_unchecked(&sbi->s_bal_goals);
45732 - if (ac->ac_found > sbi->s_mb_max_to_scan)
45733 -- atomic_inc(&sbi->s_bal_breaks);
45734 -+ atomic_inc_unchecked(&sbi->s_bal_breaks);
45735 - }
45736 -
45737 - if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
45738 -@@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
45739 - trace_ext4_mb_new_inode_pa(ac, pa);
45740 -
45741 - ext4_mb_use_inode_pa(ac, pa);
45742 -- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45743 -+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45744 -
45745 - ei = EXT4_I(ac->ac_inode);
45746 - grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
45747 -@@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
45748 - trace_ext4_mb_new_group_pa(ac, pa);
45749 -
45750 - ext4_mb_use_group_pa(ac, pa);
45751 -- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45752 -+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
45753 -
45754 - grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
45755 - lg = ac->ac_lg;
45756 -@@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
45757 - * from the bitmap and continue.
45758 - */
45759 - }
45760 -- atomic_add(free, &sbi->s_mb_discarded);
45761 -+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
45762 -
45763 - return err;
45764 - }
45765 -@@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
45766 - ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
45767 - BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
45768 - mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
45769 -- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45770 -+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45771 -
45772 - if (ac) {
45773 - ac->ac_sb = sb;
45774 -diff -urNp linux-2.6.32.46/fs/ext4/super.c linux-2.6.32.46/fs/ext4/super.c
45775 ---- linux-2.6.32.46/fs/ext4/super.c 2011-03-27 14:31:47.000000000 -0400
45776 -+++ linux-2.6.32.46/fs/ext4/super.c 2011-04-17 15:56:46.000000000 -0400
45777 -@@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
45778 - }
45779 -
45780 -
45781 --static struct sysfs_ops ext4_attr_ops = {
45782 -+static const struct sysfs_ops ext4_attr_ops = {
45783 - .show = ext4_attr_show,
45784 - .store = ext4_attr_store,
45785 - };
45786 -diff -urNp linux-2.6.32.46/fs/fcntl.c linux-2.6.32.46/fs/fcntl.c
45787 ---- linux-2.6.32.46/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
45788 -+++ linux-2.6.32.46/fs/fcntl.c 2011-10-06 09:37:14.000000000 -0400
45789 -@@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
45790 - if (err)
45791 - return err;
45792 -
45793 -+ if (gr_handle_chroot_fowner(pid, type))
45794 -+ return -ENOENT;
45795 -+ if (gr_check_protected_task_fowner(pid, type))
45796 -+ return -EACCES;
45797 -+
45798 - f_modown(filp, pid, type, force);
45799 - return 0;
45800 - }
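Review bot: the two checks added to __f_setown return different errnos (-ENOENT from gr_handle_chroot_fowner, -EACCES from gr_check_protected_task_fowner) and nothing in the hunk says why. Callers of __f_setown see both as new failure modes, so a one-line comment above each check stating what it rejects and why that errno was chosen would make this reviewable.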
45801 -@@ -265,7 +270,7 @@ pid_t f_getown(struct file *filp)
45802 -
45803 - static int f_setown_ex(struct file *filp, unsigned long arg)
45804 - {
45805 -- struct f_owner_ex * __user owner_p = (void * __user)arg;
45806 -+ struct f_owner_ex __user *owner_p = (void __user *)arg;
45807 - struct f_owner_ex owner;
45808 - struct pid *pid;
45809 - int type;
45810 -@@ -305,7 +310,7 @@ static int f_setown_ex(struct file *filp
45811 -
45812 - static int f_getown_ex(struct file *filp, unsigned long arg)
45813 - {
45814 -- struct f_owner_ex * __user owner_p = (void * __user)arg;
45815 -+ struct f_owner_ex __user *owner_p = (void __user *)arg;
45816 - struct f_owner_ex owner;
45817 - int ret = 0;
45818 -
45819 -@@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
45820 - switch (cmd) {
45821 - case F_DUPFD:
45822 - case F_DUPFD_CLOEXEC:
45823 -+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
45824 - if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
45825 - break;
45826 - err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
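Review bot: in do_fcntl, gr_learn_resource(current, RLIMIT_NOFILE, arg, 0) runs before the `arg >= ...rlim_cur` test, so it is also handed values that the very next line rejects, and arg is the caller-supplied unsigned long. If recording the requested value rather than the granted one is the intent, say so in a comment; otherwise move the call below the limit check.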
45827 -diff -urNp linux-2.6.32.46/fs/fifo.c linux-2.6.32.46/fs/fifo.c
45828 ---- linux-2.6.32.46/fs/fifo.c 2011-03-27 14:31:47.000000000 -0400
45829 -+++ linux-2.6.32.46/fs/fifo.c 2011-04-17 15:56:46.000000000 -0400
45830 -@@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
45831 - */
45832 - filp->f_op = &read_pipefifo_fops;
45833 - pipe->r_counter++;
45834 -- if (pipe->readers++ == 0)
45835 -+ if (atomic_inc_return(&pipe->readers) == 1)
45836 - wake_up_partner(inode);
45837 -
45838 -- if (!pipe->writers) {
45839 -+ if (!atomic_read(&pipe->writers)) {
45840 - if ((filp->f_flags & O_NONBLOCK)) {
45841 - /* suppress POLLHUP until we have
45842 - * seen a writer */
45843 -@@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
45844 - * errno=ENXIO when there is no process reading the FIFO.
45845 - */
45846 - ret = -ENXIO;
45847 -- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
45848 -+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
45849 - goto err;
45850 -
45851 - filp->f_op = &write_pipefifo_fops;
45852 - pipe->w_counter++;
45853 -- if (!pipe->writers++)
45854 -+ if (atomic_inc_return(&pipe->writers) == 1)
45855 - wake_up_partner(inode);
45856 -
45857 -- if (!pipe->readers) {
45858 -+ if (!atomic_read(&pipe->readers)) {
45859 - wait_for_partner(inode, &pipe->r_counter);
45860 - if (signal_pending(current))
45861 - goto err_wr;
45862 -@@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
45863 - */
45864 - filp->f_op = &rdwr_pipefifo_fops;
45865 -
45866 -- pipe->readers++;
45867 -- pipe->writers++;
45868 -+ atomic_inc(&pipe->readers);
45869 -+ atomic_inc(&pipe->writers);
45870 - pipe->r_counter++;
45871 - pipe->w_counter++;
45872 -- if (pipe->readers == 1 || pipe->writers == 1)
45873 -+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
45874 - wake_up_partner(inode);
45875 - break;
45876 -
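Review bot: in the rdwr_pipefifo_fops branch of fifo_open, the two atomic_inc() calls and the later `atomic_read(...) == 1` tests are separate operations, unlike the read and write branches in the previous hunk, which use atomic_inc_return(). If the wake-up decision depends on a lock held around this code, a comment should say so; otherwise take the return values of atomic_inc_return() for both counters and test those.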
45877 -@@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
45878 - return 0;
45879 -
45880 - err_rd:
45881 -- if (!--pipe->readers)
45882 -+ if (atomic_dec_and_test(&pipe->readers))
45883 - wake_up_interruptible(&pipe->wait);
45884 - ret = -ERESTARTSYS;
45885 - goto err;
45886 -
45887 - err_wr:
45888 -- if (!--pipe->writers)
45889 -+ if (atomic_dec_and_test(&pipe->writers))
45890 - wake_up_interruptible(&pipe->wait);
45891 - ret = -ERESTARTSYS;
45892 - goto err;
45893 -
45894 - err:
45895 -- if (!pipe->readers && !pipe->writers)
45896 -+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
45897 - free_pipe_info(inode);
45898 -
45899 - err_nocleanup:
45900 -diff -urNp linux-2.6.32.46/fs/file.c linux-2.6.32.46/fs/file.c
45901 ---- linux-2.6.32.46/fs/file.c 2011-03-27 14:31:47.000000000 -0400
45902 -+++ linux-2.6.32.46/fs/file.c 2011-04-17 15:56:46.000000000 -0400
45903 -@@ -14,6 +14,7 @@
45904 - #include <linux/slab.h>
45905 - #include <linux/vmalloc.h>
45906 - #include <linux/file.h>
45907 -+#include <linux/security.h>
45908 - #include <linux/fdtable.h>
45909 - #include <linux/bitops.h>
45910 - #include <linux/interrupt.h>
45911 -@@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
45912 - * N.B. For clone tasks sharing a files structure, this test
45913 - * will limit the total number of files that can be opened.
45914 - */
45915 -+
45916 -+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
45917 - if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
45918 - return -EMFILE;
45919 -
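Review bot: in expand_files the added blank line and gr_learn_resource() call now sit between the "N.B. For clone tasks sharing a files structure, this test will limit..." comment and the rlim_cur test that comment describes. Put the new call above the comment block so the comment stays directly attached to the test.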
45920 -diff -urNp linux-2.6.32.46/fs/filesystems.c linux-2.6.32.46/fs/filesystems.c
45921 ---- linux-2.6.32.46/fs/filesystems.c 2011-03-27 14:31:47.000000000 -0400
45922 -+++ linux-2.6.32.46/fs/filesystems.c 2011-04-17 15:56:46.000000000 -0400
45923 -@@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
45924 - int len = dot ? dot - name : strlen(name);
45925 -
45926 - fs = __get_fs_type(name, len);
45927 -+
45928 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
45929 -+ if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
45930 -+#else
45931 - if (!fs && (request_module("%.*s", len, name) == 0))
45932 -+#endif
45933 - fs = __get_fs_type(name, len);
45934 -
45935 - if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
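Review bot: the #ifdef CONFIG_GRKERNSEC_MODHARDEN in get_fs_type splits a single if condition across preprocessor branches, with both arms sharing the one `fs = __get_fs_type(name, len);` body line, which is easy to break in a later edit. A small static inline helper that wraps the two request calls, followed by one plain if, would read better, and the meaning of the `true` and "grsec_modharden_fs" arguments to ___request_module() deserves a comment.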
45936 -diff -urNp linux-2.6.32.46/fs/fs_struct.c linux-2.6.32.46/fs/fs_struct.c
45937 ---- linux-2.6.32.46/fs/fs_struct.c 2011-03-27 14:31:47.000000000 -0400
45938 -+++ linux-2.6.32.46/fs/fs_struct.c 2011-04-17 15:56:46.000000000 -0400
45939 -@@ -4,6 +4,7 @@
45940 - #include <linux/path.h>
45941 - #include <linux/slab.h>
45942 - #include <linux/fs_struct.h>
45943 -+#include <linux/grsecurity.h>
45944 -
45945 - /*
45946 - * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
45947 -@@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
45948 - old_root = fs->root;
45949 - fs->root = *path;
45950 - path_get(path);
45951 -+ gr_set_chroot_entries(current, path);
45952 - write_unlock(&fs->lock);
45953 - if (old_root.dentry)
45954 - path_put(&old_root);
45955 -@@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
45956 - && fs->root.mnt == old_root->mnt) {
45957 - path_get(new_root);
45958 - fs->root = *new_root;
45959 -+ gr_set_chroot_entries(p, new_root);
45960 - count++;
45961 - }
45962 - if (fs->pwd.dentry == old_root->dentry
45963 -@@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
45964 - task_lock(tsk);
45965 - write_lock(&fs->lock);
45966 - tsk->fs = NULL;
45967 -- kill = !--fs->users;
45968 -+ gr_clear_chroot_entries(tsk);
45969 -+ kill = !atomic_dec_return(&fs->users);
45970 - write_unlock(&fs->lock);
45971 - task_unlock(tsk);
45972 - if (kill)
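Review bot: `kill = !atomic_dec_return(&fs->users);` in exit_fs is the decrement-and-test-for-zero pattern, which the fs/fifo.c part of this same patch writes as atomic_dec_and_test(). Using atomic_dec_and_test(&fs->users) here, and in the matching lines of unshare_fs_struct and daemonize_fs_struct, would keep the patch consistent.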
45973 -@@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
45974 - struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
45975 - /* We don't need to lock fs - think why ;-) */
45976 - if (fs) {
45977 -- fs->users = 1;
45978 -+ atomic_set(&fs->users, 1);
45979 - fs->in_exec = 0;
45980 - rwlock_init(&fs->lock);
45981 - fs->umask = old->umask;
45982 -@@ -127,8 +131,9 @@ int unshare_fs_struct(void)
45983 -
45984 - task_lock(current);
45985 - write_lock(&fs->lock);
45986 -- kill = !--fs->users;
45987 -+ kill = !atomic_dec_return(&fs->users);
45988 - current->fs = new_fs;
45989 -+ gr_set_chroot_entries(current, &new_fs->root);
45990 - write_unlock(&fs->lock);
45991 - task_unlock(current);
45992 -
45993 -@@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
45994 -
45995 - /* to be mentioned only in INIT_TASK */
45996 - struct fs_struct init_fs = {
45997 -- .users = 1,
45998 -+ .users = ATOMIC_INIT(1),
45999 - .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
46000 - .umask = 0022,
46001 - };
46002 -@@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
46003 - task_lock(current);
46004 -
46005 - write_lock(&init_fs.lock);
46006 -- init_fs.users++;
46007 -+ atomic_inc(&init_fs.users);
46008 - write_unlock(&init_fs.lock);
46009 -
46010 - write_lock(&fs->lock);
46011 - current->fs = &init_fs;
46012 -- kill = !--fs->users;
46013 -+ gr_set_chroot_entries(current, &current->fs->root);
46014 -+ kill = !atomic_dec_return(&fs->users);
46015 - write_unlock(&fs->lock);
46016 -
46017 - task_unlock(current);
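Review bot: in daemonize_fs_struct, gr_set_chroot_entries(current, &current->fs->root) is called right after `current->fs = &init_fs;`, so it reads init_fs.root while only the old fs->lock is held; init_fs.lock was released a few lines earlier. Either make the call inside the init_fs.lock section or add a comment stating why init_fs.root cannot change at this point.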
46018 -diff -urNp linux-2.6.32.46/fs/fscache/cookie.c linux-2.6.32.46/fs/fscache/cookie.c
46019 ---- linux-2.6.32.46/fs/fscache/cookie.c 2011-03-27 14:31:47.000000000 -0400
46020 -+++ linux-2.6.32.46/fs/fscache/cookie.c 2011-05-04 17:56:28.000000000 -0400
46021 -@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46022 - parent ? (char *) parent->def->name : "<no-parent>",
46023 - def->name, netfs_data);
46024 -
46025 -- fscache_stat(&fscache_n_acquires);
46026 -+ fscache_stat_unchecked(&fscache_n_acquires);
46027 -
46028 - /* if there's no parent cookie, then we don't create one here either */
46029 - if (!parent) {
46030 -- fscache_stat(&fscache_n_acquires_null);
46031 -+ fscache_stat_unchecked(&fscache_n_acquires_null);
46032 - _leave(" [no parent]");
46033 - return NULL;
46034 - }
46035 -@@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46036 - /* allocate and initialise a cookie */
46037 - cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46038 - if (!cookie) {
46039 -- fscache_stat(&fscache_n_acquires_oom);
46040 -+ fscache_stat_unchecked(&fscache_n_acquires_oom);
46041 - _leave(" [ENOMEM]");
46042 - return NULL;
46043 - }
46044 -@@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46045 -
46046 - switch (cookie->def->type) {
46047 - case FSCACHE_COOKIE_TYPE_INDEX:
46048 -- fscache_stat(&fscache_n_cookie_index);
46049 -+ fscache_stat_unchecked(&fscache_n_cookie_index);
46050 - break;
46051 - case FSCACHE_COOKIE_TYPE_DATAFILE:
46052 -- fscache_stat(&fscache_n_cookie_data);
46053 -+ fscache_stat_unchecked(&fscache_n_cookie_data);
46054 - break;
46055 - default:
46056 -- fscache_stat(&fscache_n_cookie_special);
46057 -+ fscache_stat_unchecked(&fscache_n_cookie_special);
46058 - break;
46059 - }
46060 -
46061 -@@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46062 - if (fscache_acquire_non_index_cookie(cookie) < 0) {
46063 - atomic_dec(&parent->n_children);
46064 - __fscache_cookie_put(cookie);
46065 -- fscache_stat(&fscache_n_acquires_nobufs);
46066 -+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46067 - _leave(" = NULL");
46068 - return NULL;
46069 - }
46070 - }
46071 -
46072 -- fscache_stat(&fscache_n_acquires_ok);
46073 -+ fscache_stat_unchecked(&fscache_n_acquires_ok);
46074 - _leave(" = %p", cookie);
46075 - return cookie;
46076 - }
46077 -@@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46078 - cache = fscache_select_cache_for_object(cookie->parent);
46079 - if (!cache) {
46080 - up_read(&fscache_addremove_sem);
46081 -- fscache_stat(&fscache_n_acquires_no_cache);
46082 -+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46083 - _leave(" = -ENOMEDIUM [no cache]");
46084 - return -ENOMEDIUM;
46085 - }
46086 -@@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46087 - object = cache->ops->alloc_object(cache, cookie);
46088 - fscache_stat_d(&fscache_n_cop_alloc_object);
46089 - if (IS_ERR(object)) {
46090 -- fscache_stat(&fscache_n_object_no_alloc);
46091 -+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
46092 - ret = PTR_ERR(object);
46093 - goto error;
46094 - }
46095 -
46096 -- fscache_stat(&fscache_n_object_alloc);
46097 -+ fscache_stat_unchecked(&fscache_n_object_alloc);
46098 -
46099 - object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46100 -
46101 -@@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46102 - struct fscache_object *object;
46103 - struct hlist_node *_p;
46104 -
46105 -- fscache_stat(&fscache_n_updates);
46106 -+ fscache_stat_unchecked(&fscache_n_updates);
46107 -
46108 - if (!cookie) {
46109 -- fscache_stat(&fscache_n_updates_null);
46110 -+ fscache_stat_unchecked(&fscache_n_updates_null);
46111 - _leave(" [no cookie]");
46112 - return;
46113 - }
46114 -@@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46115 - struct fscache_object *object;
46116 - unsigned long event;
46117 -
46118 -- fscache_stat(&fscache_n_relinquishes);
46119 -+ fscache_stat_unchecked(&fscache_n_relinquishes);
46120 - if (retire)
46121 -- fscache_stat(&fscache_n_relinquishes_retire);
46122 -+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46123 -
46124 - if (!cookie) {
46125 -- fscache_stat(&fscache_n_relinquishes_null);
46126 -+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
46127 - _leave(" [no cookie]");
46128 - return;
46129 - }
46130 -@@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46131 -
46132 - /* wait for the cookie to finish being instantiated (or to fail) */
46133 - if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46134 -- fscache_stat(&fscache_n_relinquishes_waitcrt);
46135 -+ fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46136 - wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46137 - fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46138 - }
46139 -diff -urNp linux-2.6.32.46/fs/fscache/internal.h linux-2.6.32.46/fs/fscache/internal.h
46140 ---- linux-2.6.32.46/fs/fscache/internal.h 2011-03-27 14:31:47.000000000 -0400
46141 -+++ linux-2.6.32.46/fs/fscache/internal.h 2011-05-04 17:56:28.000000000 -0400
46142 -@@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
46143 - extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46144 - extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46145 -
46146 --extern atomic_t fscache_n_op_pend;
46147 --extern atomic_t fscache_n_op_run;
46148 --extern atomic_t fscache_n_op_enqueue;
46149 --extern atomic_t fscache_n_op_deferred_release;
46150 --extern atomic_t fscache_n_op_release;
46151 --extern atomic_t fscache_n_op_gc;
46152 --extern atomic_t fscache_n_op_cancelled;
46153 --extern atomic_t fscache_n_op_rejected;
46154 --
46155 --extern atomic_t fscache_n_attr_changed;
46156 --extern atomic_t fscache_n_attr_changed_ok;
46157 --extern atomic_t fscache_n_attr_changed_nobufs;
46158 --extern atomic_t fscache_n_attr_changed_nomem;
46159 --extern atomic_t fscache_n_attr_changed_calls;
46160 --
46161 --extern atomic_t fscache_n_allocs;
46162 --extern atomic_t fscache_n_allocs_ok;
46163 --extern atomic_t fscache_n_allocs_wait;
46164 --extern atomic_t fscache_n_allocs_nobufs;
46165 --extern atomic_t fscache_n_allocs_intr;
46166 --extern atomic_t fscache_n_allocs_object_dead;
46167 --extern atomic_t fscache_n_alloc_ops;
46168 --extern atomic_t fscache_n_alloc_op_waits;
46169 --
46170 --extern atomic_t fscache_n_retrievals;
46171 --extern atomic_t fscache_n_retrievals_ok;
46172 --extern atomic_t fscache_n_retrievals_wait;
46173 --extern atomic_t fscache_n_retrievals_nodata;
46174 --extern atomic_t fscache_n_retrievals_nobufs;
46175 --extern atomic_t fscache_n_retrievals_intr;
46176 --extern atomic_t fscache_n_retrievals_nomem;
46177 --extern atomic_t fscache_n_retrievals_object_dead;
46178 --extern atomic_t fscache_n_retrieval_ops;
46179 --extern atomic_t fscache_n_retrieval_op_waits;
46180 --
46181 --extern atomic_t fscache_n_stores;
46182 --extern atomic_t fscache_n_stores_ok;
46183 --extern atomic_t fscache_n_stores_again;
46184 --extern atomic_t fscache_n_stores_nobufs;
46185 --extern atomic_t fscache_n_stores_oom;
46186 --extern atomic_t fscache_n_store_ops;
46187 --extern atomic_t fscache_n_store_calls;
46188 --extern atomic_t fscache_n_store_pages;
46189 --extern atomic_t fscache_n_store_radix_deletes;
46190 --extern atomic_t fscache_n_store_pages_over_limit;
46191 --
46192 --extern atomic_t fscache_n_store_vmscan_not_storing;
46193 --extern atomic_t fscache_n_store_vmscan_gone;
46194 --extern atomic_t fscache_n_store_vmscan_busy;
46195 --extern atomic_t fscache_n_store_vmscan_cancelled;
46196 --
46197 --extern atomic_t fscache_n_marks;
46198 --extern atomic_t fscache_n_uncaches;
46199 --
46200 --extern atomic_t fscache_n_acquires;
46201 --extern atomic_t fscache_n_acquires_null;
46202 --extern atomic_t fscache_n_acquires_no_cache;
46203 --extern atomic_t fscache_n_acquires_ok;
46204 --extern atomic_t fscache_n_acquires_nobufs;
46205 --extern atomic_t fscache_n_acquires_oom;
46206 --
46207 --extern atomic_t fscache_n_updates;
46208 --extern atomic_t fscache_n_updates_null;
46209 --extern atomic_t fscache_n_updates_run;
46210 --
46211 --extern atomic_t fscache_n_relinquishes;
46212 --extern atomic_t fscache_n_relinquishes_null;
46213 --extern atomic_t fscache_n_relinquishes_waitcrt;
46214 --extern atomic_t fscache_n_relinquishes_retire;
46215 --
46216 --extern atomic_t fscache_n_cookie_index;
46217 --extern atomic_t fscache_n_cookie_data;
46218 --extern atomic_t fscache_n_cookie_special;
46219 --
46220 --extern atomic_t fscache_n_object_alloc;
46221 --extern atomic_t fscache_n_object_no_alloc;
46222 --extern atomic_t fscache_n_object_lookups;
46223 --extern atomic_t fscache_n_object_lookups_negative;
46224 --extern atomic_t fscache_n_object_lookups_positive;
46225 --extern atomic_t fscache_n_object_lookups_timed_out;
46226 --extern atomic_t fscache_n_object_created;
46227 --extern atomic_t fscache_n_object_avail;
46228 --extern atomic_t fscache_n_object_dead;
46229 --
46230 --extern atomic_t fscache_n_checkaux_none;
46231 --extern atomic_t fscache_n_checkaux_okay;
46232 --extern atomic_t fscache_n_checkaux_update;
46233 --extern atomic_t fscache_n_checkaux_obsolete;
46234 -+extern atomic_unchecked_t fscache_n_op_pend;
46235 -+extern atomic_unchecked_t fscache_n_op_run;
46236 -+extern atomic_unchecked_t fscache_n_op_enqueue;
46237 -+extern atomic_unchecked_t fscache_n_op_deferred_release;
46238 -+extern atomic_unchecked_t fscache_n_op_release;
46239 -+extern atomic_unchecked_t fscache_n_op_gc;
46240 -+extern atomic_unchecked_t fscache_n_op_cancelled;
46241 -+extern atomic_unchecked_t fscache_n_op_rejected;
46242 -+
46243 -+extern atomic_unchecked_t fscache_n_attr_changed;
46244 -+extern atomic_unchecked_t fscache_n_attr_changed_ok;
46245 -+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46246 -+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46247 -+extern atomic_unchecked_t fscache_n_attr_changed_calls;
46248 -+
46249 -+extern atomic_unchecked_t fscache_n_allocs;
46250 -+extern atomic_unchecked_t fscache_n_allocs_ok;
46251 -+extern atomic_unchecked_t fscache_n_allocs_wait;
46252 -+extern atomic_unchecked_t fscache_n_allocs_nobufs;
46253 -+extern atomic_unchecked_t fscache_n_allocs_intr;
46254 -+extern atomic_unchecked_t fscache_n_allocs_object_dead;
46255 -+extern atomic_unchecked_t fscache_n_alloc_ops;
46256 -+extern atomic_unchecked_t fscache_n_alloc_op_waits;
46257 -+
46258 -+extern atomic_unchecked_t fscache_n_retrievals;
46259 -+extern atomic_unchecked_t fscache_n_retrievals_ok;
46260 -+extern atomic_unchecked_t fscache_n_retrievals_wait;
46261 -+extern atomic_unchecked_t fscache_n_retrievals_nodata;
46262 -+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46263 -+extern atomic_unchecked_t fscache_n_retrievals_intr;
46264 -+extern atomic_unchecked_t fscache_n_retrievals_nomem;
46265 -+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46266 -+extern atomic_unchecked_t fscache_n_retrieval_ops;
46267 -+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46268 -+
46269 -+extern atomic_unchecked_t fscache_n_stores;
46270 -+extern atomic_unchecked_t fscache_n_stores_ok;
46271 -+extern atomic_unchecked_t fscache_n_stores_again;
46272 -+extern atomic_unchecked_t fscache_n_stores_nobufs;
46273 -+extern atomic_unchecked_t fscache_n_stores_oom;
46274 -+extern atomic_unchecked_t fscache_n_store_ops;
46275 -+extern atomic_unchecked_t fscache_n_store_calls;
46276 -+extern atomic_unchecked_t fscache_n_store_pages;
46277 -+extern atomic_unchecked_t fscache_n_store_radix_deletes;
46278 -+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46279 -+
46280 -+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46281 -+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46282 -+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46283 -+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46284 -+
46285 -+extern atomic_unchecked_t fscache_n_marks;
46286 -+extern atomic_unchecked_t fscache_n_uncaches;
46287 -+
46288 -+extern atomic_unchecked_t fscache_n_acquires;
46289 -+extern atomic_unchecked_t fscache_n_acquires_null;
46290 -+extern atomic_unchecked_t fscache_n_acquires_no_cache;
46291 -+extern atomic_unchecked_t fscache_n_acquires_ok;
46292 -+extern atomic_unchecked_t fscache_n_acquires_nobufs;
46293 -+extern atomic_unchecked_t fscache_n_acquires_oom;
46294 -+
46295 -+extern atomic_unchecked_t fscache_n_updates;
46296 -+extern atomic_unchecked_t fscache_n_updates_null;
46297 -+extern atomic_unchecked_t fscache_n_updates_run;
46298 -+
46299 -+extern atomic_unchecked_t fscache_n_relinquishes;
46300 -+extern atomic_unchecked_t fscache_n_relinquishes_null;
46301 -+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46302 -+extern atomic_unchecked_t fscache_n_relinquishes_retire;
46303 -+
46304 -+extern atomic_unchecked_t fscache_n_cookie_index;
46305 -+extern atomic_unchecked_t fscache_n_cookie_data;
46306 -+extern atomic_unchecked_t fscache_n_cookie_special;
46307 -+
46308 -+extern atomic_unchecked_t fscache_n_object_alloc;
46309 -+extern atomic_unchecked_t fscache_n_object_no_alloc;
46310 -+extern atomic_unchecked_t fscache_n_object_lookups;
46311 -+extern atomic_unchecked_t fscache_n_object_lookups_negative;
46312 -+extern atomic_unchecked_t fscache_n_object_lookups_positive;
46313 -+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46314 -+extern atomic_unchecked_t fscache_n_object_created;
46315 -+extern atomic_unchecked_t fscache_n_object_avail;
46316 -+extern atomic_unchecked_t fscache_n_object_dead;
46317 -+
46318 -+extern atomic_unchecked_t fscache_n_checkaux_none;
46319 -+extern atomic_unchecked_t fscache_n_checkaux_okay;
46320 -+extern atomic_unchecked_t fscache_n_checkaux_update;
46321 -+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46322 -
46323 - extern atomic_t fscache_n_cop_alloc_object;
46324 - extern atomic_t fscache_n_cop_lookup_object;
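Review bot: this extern block converts every statistics counter to atomic_unchecked_t but leaves the fscache_n_cop_* counters immediately below as atomic_t, and the header gives no reason for the split. The visible difference is that the cop counters are also decremented through fscache_stat_d(); a short comment above the block stating which counters may wrap and why would stop a later counter from being added with the wrong type.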
46325 -@@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
46326 - atomic_inc(stat);
46327 - }
46328 -
46329 -+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46330 -+{
46331 -+ atomic_inc_unchecked(stat);
46332 -+}
46333 -+
46334 - static inline void fscache_stat_d(atomic_t *stat)
46335 - {
46336 - atomic_dec(stat);
46337 -@@ -259,6 +264,7 @@ extern const struct file_operations fsca
46338 -
46339 - #define __fscache_stat(stat) (NULL)
46340 - #define fscache_stat(stat) do {} while (0)
46341 -+#define fscache_stat_unchecked(stat) do {} while (0)
46342 - #define fscache_stat_d(stat) do {} while (0)
46343 - #endif
46344 -
46345 -diff -urNp linux-2.6.32.46/fs/fscache/object.c linux-2.6.32.46/fs/fscache/object.c
46346 ---- linux-2.6.32.46/fs/fscache/object.c 2011-03-27 14:31:47.000000000 -0400
46347 -+++ linux-2.6.32.46/fs/fscache/object.c 2011-05-04 17:56:28.000000000 -0400
46348 -@@ -144,7 +144,7 @@ static void fscache_object_state_machine
46349 - /* update the object metadata on disk */
46350 - case FSCACHE_OBJECT_UPDATING:
46351 - clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46352 -- fscache_stat(&fscache_n_updates_run);
46353 -+ fscache_stat_unchecked(&fscache_n_updates_run);
46354 - fscache_stat(&fscache_n_cop_update_object);
46355 - object->cache->ops->update_object(object);
46356 - fscache_stat_d(&fscache_n_cop_update_object);
46357 -@@ -233,7 +233,7 @@ static void fscache_object_state_machine
46358 - spin_lock(&object->lock);
46359 - object->state = FSCACHE_OBJECT_DEAD;
46360 - spin_unlock(&object->lock);
46361 -- fscache_stat(&fscache_n_object_dead);
46362 -+ fscache_stat_unchecked(&fscache_n_object_dead);
46363 - goto terminal_transit;
46364 -
46365 - /* handle the parent cache of this object being withdrawn from
46366 -@@ -248,7 +248,7 @@ static void fscache_object_state_machine
46367 - spin_lock(&object->lock);
46368 - object->state = FSCACHE_OBJECT_DEAD;
46369 - spin_unlock(&object->lock);
46370 -- fscache_stat(&fscache_n_object_dead);
46371 -+ fscache_stat_unchecked(&fscache_n_object_dead);
46372 - goto terminal_transit;
46373 -
46374 - /* complain about the object being woken up once it is
46375 -@@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
46376 - parent->cookie->def->name, cookie->def->name,
46377 - object->cache->tag->name);
46378 -
46379 -- fscache_stat(&fscache_n_object_lookups);
46380 -+ fscache_stat_unchecked(&fscache_n_object_lookups);
46381 - fscache_stat(&fscache_n_cop_lookup_object);
46382 - ret = object->cache->ops->lookup_object(object);
46383 - fscache_stat_d(&fscache_n_cop_lookup_object);
46384 -@@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
46385 - if (ret == -ETIMEDOUT) {
46386 - /* probably stuck behind another object, so move this one to
46387 - * the back of the queue */
46388 -- fscache_stat(&fscache_n_object_lookups_timed_out);
46389 -+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46390 - set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46391 - }
46392 -
46393 -@@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
46394 -
46395 - spin_lock(&object->lock);
46396 - if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46397 -- fscache_stat(&fscache_n_object_lookups_negative);
46398 -+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46399 -
46400 - /* transit here to allow write requests to begin stacking up
46401 - * and read requests to begin returning ENODATA */
46402 -@@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
46403 - * result, in which case there may be data available */
46404 - spin_lock(&object->lock);
46405 - if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46406 -- fscache_stat(&fscache_n_object_lookups_positive);
46407 -+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46408 -
46409 - clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46410 -
46411 -@@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
46412 - set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46413 - } else {
46414 - ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46415 -- fscache_stat(&fscache_n_object_created);
46416 -+ fscache_stat_unchecked(&fscache_n_object_created);
46417 -
46418 - object->state = FSCACHE_OBJECT_AVAILABLE;
46419 - spin_unlock(&object->lock);
46420 -@@ -633,7 +633,7 @@ static void fscache_object_available(str
46421 - fscache_enqueue_dependents(object);
46422 -
46423 - fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46424 -- fscache_stat(&fscache_n_object_avail);
46425 -+ fscache_stat_unchecked(&fscache_n_object_avail);
46426 -
46427 - _leave("");
46428 - }
46429 -@@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46430 - enum fscache_checkaux result;
46431 -
46432 - if (!object->cookie->def->check_aux) {
46433 -- fscache_stat(&fscache_n_checkaux_none);
46434 -+ fscache_stat_unchecked(&fscache_n_checkaux_none);
46435 - return FSCACHE_CHECKAUX_OKAY;
46436 - }
46437 -
46438 -@@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46439 - switch (result) {
46440 - /* entry okay as is */
46441 - case FSCACHE_CHECKAUX_OKAY:
46442 -- fscache_stat(&fscache_n_checkaux_okay);
46443 -+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
46444 - break;
46445 -
46446 - /* entry requires update */
46447 - case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46448 -- fscache_stat(&fscache_n_checkaux_update);
46449 -+ fscache_stat_unchecked(&fscache_n_checkaux_update);
46450 - break;
46451 -
46452 - /* entry requires deletion */
46453 - case FSCACHE_CHECKAUX_OBSOLETE:
46454 -- fscache_stat(&fscache_n_checkaux_obsolete);
46455 -+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
46456 - break;
46457 -
46458 - default:
46459 -diff -urNp linux-2.6.32.46/fs/fscache/operation.c linux-2.6.32.46/fs/fscache/operation.c
46460 ---- linux-2.6.32.46/fs/fscache/operation.c 2011-03-27 14:31:47.000000000 -0400
46461 -+++ linux-2.6.32.46/fs/fscache/operation.c 2011-05-04 17:56:28.000000000 -0400
46462 -@@ -16,7 +16,7 @@
46463 - #include <linux/seq_file.h>
46464 - #include "internal.h"
46465 -
46466 --atomic_t fscache_op_debug_id;
46467 -+atomic_unchecked_t fscache_op_debug_id;
46468 - EXPORT_SYMBOL(fscache_op_debug_id);
46469 -
46470 - /**
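Review bot: fscache_op_debug_id is exported (EXPORT_SYMBOL on the following line), so changing its type to atomic_unchecked_t changes what every user of the symbol has to call, and this hunk shows none of those users. Confirm that each place that reads or increments it was switched to the _unchecked accessors, and note the type change in the patch description for out-of-file users.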
46471 -@@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
46472 - ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
46473 - ASSERTCMP(atomic_read(&op->usage), >, 0);
46474 -
46475 -- fscache_stat(&fscache_n_op_enqueue);
46476 -+ fscache_stat_unchecked(&fscache_n_op_enqueue);
46477 - switch (op->flags & FSCACHE_OP_TYPE) {
46478 - case FSCACHE_OP_FAST:
46479 - _debug("queue fast");
46480 -@@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
46481 - wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
46482 - if (op->processor)
46483 - fscache_enqueue_operation(op);
46484 -- fscache_stat(&fscache_n_op_run);
46485 -+ fscache_stat_unchecked(&fscache_n_op_run);
46486 - }
46487 -
46488 - /*
46489 -@@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
46490 - if (object->n_ops > 0) {
46491 - atomic_inc(&op->usage);
46492 - list_add_tail(&op->pend_link, &object->pending_ops);
46493 -- fscache_stat(&fscache_n_op_pend);
46494 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46495 - } else if (!list_empty(&object->pending_ops)) {
46496 - atomic_inc(&op->usage);
46497 - list_add_tail(&op->pend_link, &object->pending_ops);
46498 -- fscache_stat(&fscache_n_op_pend);
46499 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46500 - fscache_start_operations(object);
46501 - } else {
46502 - ASSERTCMP(object->n_in_progress, ==, 0);
46503 -@@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
46504 - object->n_exclusive++; /* reads and writes must wait */
46505 - atomic_inc(&op->usage);
46506 - list_add_tail(&op->pend_link, &object->pending_ops);
46507 -- fscache_stat(&fscache_n_op_pend);
46508 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46509 - ret = 0;
46510 - } else {
46511 - /* not allowed to submit ops in any other state */
46512 -@@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
46513 - if (object->n_exclusive > 0) {
46514 - atomic_inc(&op->usage);
46515 - list_add_tail(&op->pend_link, &object->pending_ops);
46516 -- fscache_stat(&fscache_n_op_pend);
46517 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46518 - } else if (!list_empty(&object->pending_ops)) {
46519 - atomic_inc(&op->usage);
46520 - list_add_tail(&op->pend_link, &object->pending_ops);
46521 -- fscache_stat(&fscache_n_op_pend);
46522 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46523 - fscache_start_operations(object);
46524 - } else {
46525 - ASSERTCMP(object->n_exclusive, ==, 0);
46526 -@@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
46527 - object->n_ops++;
46528 - atomic_inc(&op->usage);
46529 - list_add_tail(&op->pend_link, &object->pending_ops);
46530 -- fscache_stat(&fscache_n_op_pend);
46531 -+ fscache_stat_unchecked(&fscache_n_op_pend);
46532 - ret = 0;
46533 - } else if (object->state == FSCACHE_OBJECT_DYING ||
46534 - object->state == FSCACHE_OBJECT_LC_DYING ||
46535 - object->state == FSCACHE_OBJECT_WITHDRAWING) {
46536 -- fscache_stat(&fscache_n_op_rejected);
46537 -+ fscache_stat_unchecked(&fscache_n_op_rejected);
46538 - ret = -ENOBUFS;
46539 - } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
46540 - fscache_report_unexpected_submission(object, op, ostate);
46541 -@@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
46542 -
46543 - ret = -EBUSY;
46544 - if (!list_empty(&op->pend_link)) {
46545 -- fscache_stat(&fscache_n_op_cancelled);
46546 -+ fscache_stat_unchecked(&fscache_n_op_cancelled);
46547 - list_del_init(&op->pend_link);
46548 - object->n_ops--;
46549 - if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
46550 -@@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
46551 - if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
46552 - BUG();
46553 -
46554 -- fscache_stat(&fscache_n_op_release);
46555 -+ fscache_stat_unchecked(&fscache_n_op_release);
46556 -
46557 - if (op->release) {
46558 - op->release(op);
46559 -@@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
46560 - * lock, and defer it otherwise */
46561 - if (!spin_trylock(&object->lock)) {
46562 - _debug("defer put");
46563 -- fscache_stat(&fscache_n_op_deferred_release);
46564 -+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
46565 -
46566 - cache = object->cache;
46567 - spin_lock(&cache->op_gc_list_lock);
46568 -@@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
46569 -
46570 - _debug("GC DEFERRED REL OBJ%x OP%x",
46571 - object->debug_id, op->debug_id);
46572 -- fscache_stat(&fscache_n_op_gc);
46573 -+ fscache_stat_unchecked(&fscache_n_op_gc);
46574 -
46575 - ASSERTCMP(atomic_read(&op->usage), ==, 0);
46576 -
46577 -diff -urNp linux-2.6.32.46/fs/fscache/page.c linux-2.6.32.46/fs/fscache/page.c
46578 ---- linux-2.6.32.46/fs/fscache/page.c 2011-03-27 14:31:47.000000000 -0400
46579 -+++ linux-2.6.32.46/fs/fscache/page.c 2011-05-04 17:56:28.000000000 -0400
46580 -@@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
46581 - val = radix_tree_lookup(&cookie->stores, page->index);
46582 - if (!val) {
46583 - rcu_read_unlock();
46584 -- fscache_stat(&fscache_n_store_vmscan_not_storing);
46585 -+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
46586 - __fscache_uncache_page(cookie, page);
46587 - return true;
46588 - }
46589 -@@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
46590 - spin_unlock(&cookie->stores_lock);
46591 -
46592 - if (xpage) {
46593 -- fscache_stat(&fscache_n_store_vmscan_cancelled);
46594 -- fscache_stat(&fscache_n_store_radix_deletes);
46595 -+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
46596 -+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46597 - ASSERTCMP(xpage, ==, page);
46598 - } else {
46599 -- fscache_stat(&fscache_n_store_vmscan_gone);
46600 -+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
46601 - }
46602 -
46603 - wake_up_bit(&cookie->flags, 0);
46604 -@@ -106,7 +106,7 @@ page_busy:
46605 - /* we might want to wait here, but that could deadlock the allocator as
46606 - * the slow-work threads writing to the cache may all end up sleeping
46607 - * on memory allocation */
46608 -- fscache_stat(&fscache_n_store_vmscan_busy);
46609 -+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
46610 - return false;
46611 - }
46612 - EXPORT_SYMBOL(__fscache_maybe_release_page);
46613 -@@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
46614 - FSCACHE_COOKIE_STORING_TAG);
46615 - if (!radix_tree_tag_get(&cookie->stores, page->index,
46616 - FSCACHE_COOKIE_PENDING_TAG)) {
46617 -- fscache_stat(&fscache_n_store_radix_deletes);
46618 -+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
46619 - xpage = radix_tree_delete(&cookie->stores, page->index);
46620 - }
46621 - spin_unlock(&cookie->stores_lock);
46622 -@@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
46623 -
46624 - _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
46625 -
46626 -- fscache_stat(&fscache_n_attr_changed_calls);
46627 -+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
46628 -
46629 - if (fscache_object_is_active(object)) {
46630 - fscache_set_op_state(op, "CallFS");
46631 -@@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
46632 -
46633 - ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46634 -
46635 -- fscache_stat(&fscache_n_attr_changed);
46636 -+ fscache_stat_unchecked(&fscache_n_attr_changed);
46637 -
46638 - op = kzalloc(sizeof(*op), GFP_KERNEL);
46639 - if (!op) {
46640 -- fscache_stat(&fscache_n_attr_changed_nomem);
46641 -+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
46642 - _leave(" = -ENOMEM");
46643 - return -ENOMEM;
46644 - }
46645 -@@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
46646 - if (fscache_submit_exclusive_op(object, op) < 0)
46647 - goto nobufs;
46648 - spin_unlock(&cookie->lock);
46649 -- fscache_stat(&fscache_n_attr_changed_ok);
46650 -+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
46651 - fscache_put_operation(op);
46652 - _leave(" = 0");
46653 - return 0;
46654 -@@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
46655 - nobufs:
46656 - spin_unlock(&cookie->lock);
46657 - kfree(op);
46658 -- fscache_stat(&fscache_n_attr_changed_nobufs);
46659 -+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
46660 - _leave(" = %d", -ENOBUFS);
46661 - return -ENOBUFS;
46662 - }
46663 -@@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
46664 - /* allocate a retrieval operation and attempt to submit it */
46665 - op = kzalloc(sizeof(*op), GFP_NOIO);
46666 - if (!op) {
46667 -- fscache_stat(&fscache_n_retrievals_nomem);
46668 -+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46669 - return NULL;
46670 - }
46671 -
46672 -@@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
46673 - return 0;
46674 - }
46675 -
46676 -- fscache_stat(&fscache_n_retrievals_wait);
46677 -+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
46678 -
46679 - jif = jiffies;
46680 - if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
46681 - fscache_wait_bit_interruptible,
46682 - TASK_INTERRUPTIBLE) != 0) {
46683 -- fscache_stat(&fscache_n_retrievals_intr);
46684 -+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
46685 - _leave(" = -ERESTARTSYS");
46686 - return -ERESTARTSYS;
46687 - }
46688 -@@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
46689 - */
46690 - static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
46691 - struct fscache_retrieval *op,
46692 -- atomic_t *stat_op_waits,
46693 -- atomic_t *stat_object_dead)
46694 -+ atomic_unchecked_t *stat_op_waits,
46695 -+ atomic_unchecked_t *stat_object_dead)
46696 - {
46697 - int ret;
46698 -
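Review bot: changing `stat_op_waits` and `stat_object_dead` to `atomic_unchecked_t *` means this helper now accepts only converted counters, and the call in `__fscache_alloc_page()` is cut off after `object, op,` in the later hunk, so the arguments it passes cannot be checked from the diff. Confirm that every caller passes one of the counters that stats.c redefines as `atomic_unchecked_t` (the `*_op_waits` and `*_object_dead` pairs); an unconverted `atomic_t` pointer here would be a type mismatch.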
46699 -@@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
46700 - goto check_if_dead;
46701 -
46702 - _debug(">>> WT");
46703 -- fscache_stat(stat_op_waits);
46704 -+ fscache_stat_unchecked(stat_op_waits);
46705 - if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
46706 - fscache_wait_bit_interruptible,
46707 - TASK_INTERRUPTIBLE) < 0) {
46708 -@@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
46709 -
46710 - check_if_dead:
46711 - if (unlikely(fscache_object_is_dead(object))) {
46712 -- fscache_stat(stat_object_dead);
46713 -+ fscache_stat_unchecked(stat_object_dead);
46714 - return -ENOBUFS;
46715 - }
46716 - return 0;
46717 -@@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
46718 -
46719 - _enter("%p,%p,,,", cookie, page);
46720 -
46721 -- fscache_stat(&fscache_n_retrievals);
46722 -+ fscache_stat_unchecked(&fscache_n_retrievals);
46723 -
46724 - if (hlist_empty(&cookie->backing_objects))
46725 - goto nobufs;
46726 -@@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
46727 - goto nobufs_unlock;
46728 - spin_unlock(&cookie->lock);
46729 -
46730 -- fscache_stat(&fscache_n_retrieval_ops);
46731 -+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
46732 -
46733 - /* pin the netfs read context in case we need to do the actual netfs
46734 - * read because we've encountered a cache read failure */
46735 -@@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
46736 -
46737 - error:
46738 - if (ret == -ENOMEM)
46739 -- fscache_stat(&fscache_n_retrievals_nomem);
46740 -+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46741 - else if (ret == -ERESTARTSYS)
46742 -- fscache_stat(&fscache_n_retrievals_intr);
46743 -+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
46744 - else if (ret == -ENODATA)
46745 -- fscache_stat(&fscache_n_retrievals_nodata);
46746 -+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
46747 - else if (ret < 0)
46748 -- fscache_stat(&fscache_n_retrievals_nobufs);
46749 -+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46750 - else
46751 -- fscache_stat(&fscache_n_retrievals_ok);
46752 -+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
46753 -
46754 - fscache_put_retrieval(op);
46755 - _leave(" = %d", ret);
46756 -@@ -453,7 +453,7 @@ nobufs_unlock:
46757 - spin_unlock(&cookie->lock);
46758 - kfree(op);
46759 - nobufs:
46760 -- fscache_stat(&fscache_n_retrievals_nobufs);
46761 -+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46762 - _leave(" = -ENOBUFS");
46763 - return -ENOBUFS;
46764 - }
46765 -@@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
46766 -
46767 - _enter("%p,,%d,,,", cookie, *nr_pages);
46768 -
46769 -- fscache_stat(&fscache_n_retrievals);
46770 -+ fscache_stat_unchecked(&fscache_n_retrievals);
46771 -
46772 - if (hlist_empty(&cookie->backing_objects))
46773 - goto nobufs;
46774 -@@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
46775 - goto nobufs_unlock;
46776 - spin_unlock(&cookie->lock);
46777 -
46778 -- fscache_stat(&fscache_n_retrieval_ops);
46779 -+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
46780 -
46781 - /* pin the netfs read context in case we need to do the actual netfs
46782 - * read because we've encountered a cache read failure */
46783 -@@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
46784 -
46785 - error:
46786 - if (ret == -ENOMEM)
46787 -- fscache_stat(&fscache_n_retrievals_nomem);
46788 -+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
46789 - else if (ret == -ERESTARTSYS)
46790 -- fscache_stat(&fscache_n_retrievals_intr);
46791 -+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
46792 - else if (ret == -ENODATA)
46793 -- fscache_stat(&fscache_n_retrievals_nodata);
46794 -+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
46795 - else if (ret < 0)
46796 -- fscache_stat(&fscache_n_retrievals_nobufs);
46797 -+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46798 - else
46799 -- fscache_stat(&fscache_n_retrievals_ok);
46800 -+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
46801 -
46802 - fscache_put_retrieval(op);
46803 - _leave(" = %d", ret);
46804 -@@ -570,7 +570,7 @@ nobufs_unlock:
46805 - spin_unlock(&cookie->lock);
46806 - kfree(op);
46807 - nobufs:
46808 -- fscache_stat(&fscache_n_retrievals_nobufs);
46809 -+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
46810 - _leave(" = -ENOBUFS");
46811 - return -ENOBUFS;
46812 - }
46813 -@@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
46814 -
46815 - _enter("%p,%p,,,", cookie, page);
46816 -
46817 -- fscache_stat(&fscache_n_allocs);
46818 -+ fscache_stat_unchecked(&fscache_n_allocs);
46819 -
46820 - if (hlist_empty(&cookie->backing_objects))
46821 - goto nobufs;
46822 -@@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
46823 - goto nobufs_unlock;
46824 - spin_unlock(&cookie->lock);
46825 -
46826 -- fscache_stat(&fscache_n_alloc_ops);
46827 -+ fscache_stat_unchecked(&fscache_n_alloc_ops);
46828 -
46829 - ret = fscache_wait_for_retrieval_activation(
46830 - object, op,
46831 -@@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
46832 -
46833 - error:
46834 - if (ret == -ERESTARTSYS)
46835 -- fscache_stat(&fscache_n_allocs_intr);
46836 -+ fscache_stat_unchecked(&fscache_n_allocs_intr);
46837 - else if (ret < 0)
46838 -- fscache_stat(&fscache_n_allocs_nobufs);
46839 -+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
46840 - else
46841 -- fscache_stat(&fscache_n_allocs_ok);
46842 -+ fscache_stat_unchecked(&fscache_n_allocs_ok);
46843 -
46844 - fscache_put_retrieval(op);
46845 - _leave(" = %d", ret);
46846 -@@ -651,7 +651,7 @@ nobufs_unlock:
46847 - spin_unlock(&cookie->lock);
46848 - kfree(op);
46849 - nobufs:
46850 -- fscache_stat(&fscache_n_allocs_nobufs);
46851 -+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
46852 - _leave(" = -ENOBUFS");
46853 - return -ENOBUFS;
46854 - }
46855 -@@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
46856 -
46857 - spin_lock(&cookie->stores_lock);
46858 -
46859 -- fscache_stat(&fscache_n_store_calls);
46860 -+ fscache_stat_unchecked(&fscache_n_store_calls);
46861 -
46862 - /* find a page to store */
46863 - page = NULL;
46864 -@@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
46865 - page = results[0];
46866 - _debug("gang %d [%lx]", n, page->index);
46867 - if (page->index > op->store_limit) {
46868 -- fscache_stat(&fscache_n_store_pages_over_limit);
46869 -+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
46870 - goto superseded;
46871 - }
46872 -
46873 -@@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
46874 -
46875 - if (page) {
46876 - fscache_set_op_state(&op->op, "Store");
46877 -- fscache_stat(&fscache_n_store_pages);
46878 -+ fscache_stat_unchecked(&fscache_n_store_pages);
46879 - fscache_stat(&fscache_n_cop_write_page);
46880 - ret = object->cache->ops->write_page(op, page);
46881 - fscache_stat_d(&fscache_n_cop_write_page);
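Review bot: the `if (page)` branch now mixes both helpers on adjacent lines. `fscache_n_store_pages` goes through `fscache_stat_unchecked()`, while `fscache_n_cop_write_page` stays on `fscache_stat()` and is decremented by `fscache_stat_d()` after `write_page()`. Leaving the inc/dec-paired counter checked looks intentional, but nothing in the hunk says so; a one-line comment here would keep a later mechanical conversion from switching it to the unchecked variant as well.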
46882 -@@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
46883 - ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46884 - ASSERT(PageFsCache(page));
46885 -
46886 -- fscache_stat(&fscache_n_stores);
46887 -+ fscache_stat_unchecked(&fscache_n_stores);
46888 -
46889 - op = kzalloc(sizeof(*op), GFP_NOIO);
46890 - if (!op)
46891 -@@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
46892 - spin_unlock(&cookie->stores_lock);
46893 - spin_unlock(&object->lock);
46894 -
46895 -- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
46896 -+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
46897 - op->store_limit = object->store_limit;
46898 -
46899 - if (fscache_submit_op(object, &op->op) < 0)
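Review bot: `fscache_op_debug_id` is not a statistic like the other counters converted in this file; it generates the value stored in `op->op.debug_id`. With `atomic_inc_return_unchecked()` it is allowed to wrap, so ids can repeat after enough operations. That is fine for a value that only appears in debug output such as the `OP%x` messages, but it deserves a comment stating the assumption, plus a check that no code compares or looks up operations by `debug_id`.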
46900 -@@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
46901 -
46902 - spin_unlock(&cookie->lock);
46903 - radix_tree_preload_end();
46904 -- fscache_stat(&fscache_n_store_ops);
46905 -- fscache_stat(&fscache_n_stores_ok);
46906 -+ fscache_stat_unchecked(&fscache_n_store_ops);
46907 -+ fscache_stat_unchecked(&fscache_n_stores_ok);
46908 -
46909 - /* the slow work queue now carries its own ref on the object */
46910 - fscache_put_operation(&op->op);
46911 -@@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
46912 - return 0;
46913 -
46914 - already_queued:
46915 -- fscache_stat(&fscache_n_stores_again);
46916 -+ fscache_stat_unchecked(&fscache_n_stores_again);
46917 - already_pending:
46918 - spin_unlock(&cookie->stores_lock);
46919 - spin_unlock(&object->lock);
46920 - spin_unlock(&cookie->lock);
46921 - radix_tree_preload_end();
46922 - kfree(op);
46923 -- fscache_stat(&fscache_n_stores_ok);
46924 -+ fscache_stat_unchecked(&fscache_n_stores_ok);
46925 - _leave(" = 0");
46926 - return 0;
46927 -
46928 -@@ -886,14 +886,14 @@ nobufs:
46929 - spin_unlock(&cookie->lock);
46930 - radix_tree_preload_end();
46931 - kfree(op);
46932 -- fscache_stat(&fscache_n_stores_nobufs);
46933 -+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
46934 - _leave(" = -ENOBUFS");
46935 - return -ENOBUFS;
46936 -
46937 - nomem_free:
46938 - kfree(op);
46939 - nomem:
46940 -- fscache_stat(&fscache_n_stores_oom);
46941 -+ fscache_stat_unchecked(&fscache_n_stores_oom);
46942 - _leave(" = -ENOMEM");
46943 - return -ENOMEM;
46944 - }
46945 -@@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
46946 - ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46947 - ASSERTCMP(page, !=, NULL);
46948 -
46949 -- fscache_stat(&fscache_n_uncaches);
46950 -+ fscache_stat_unchecked(&fscache_n_uncaches);
46951 -
46952 - /* cache withdrawal may beat us to it */
46953 - if (!PageFsCache(page))
46954 -@@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
46955 - unsigned long loop;
46956 -
46957 - #ifdef CONFIG_FSCACHE_STATS
46958 -- atomic_add(pagevec->nr, &fscache_n_marks);
46959 -+ atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
46960 - #endif
46961 -
46962 - for (loop = 0; loop < pagevec->nr; loop++) {
46963 -diff -urNp linux-2.6.32.46/fs/fscache/stats.c linux-2.6.32.46/fs/fscache/stats.c
46964 ---- linux-2.6.32.46/fs/fscache/stats.c 2011-03-27 14:31:47.000000000 -0400
46965 -+++ linux-2.6.32.46/fs/fscache/stats.c 2011-05-04 17:56:28.000000000 -0400
46966 -@@ -18,95 +18,95 @@
46967 - /*
46968 - * operation counters
46969 - */
46970 --atomic_t fscache_n_op_pend;
46971 --atomic_t fscache_n_op_run;
46972 --atomic_t fscache_n_op_enqueue;
46973 --atomic_t fscache_n_op_requeue;
46974 --atomic_t fscache_n_op_deferred_release;
46975 --atomic_t fscache_n_op_release;
46976 --atomic_t fscache_n_op_gc;
46977 --atomic_t fscache_n_op_cancelled;
46978 --atomic_t fscache_n_op_rejected;
46979 --
46980 --atomic_t fscache_n_attr_changed;
46981 --atomic_t fscache_n_attr_changed_ok;
46982 --atomic_t fscache_n_attr_changed_nobufs;
46983 --atomic_t fscache_n_attr_changed_nomem;
46984 --atomic_t fscache_n_attr_changed_calls;
46985 --
46986 --atomic_t fscache_n_allocs;
46987 --atomic_t fscache_n_allocs_ok;
46988 --atomic_t fscache_n_allocs_wait;
46989 --atomic_t fscache_n_allocs_nobufs;
46990 --atomic_t fscache_n_allocs_intr;
46991 --atomic_t fscache_n_allocs_object_dead;
46992 --atomic_t fscache_n_alloc_ops;
46993 --atomic_t fscache_n_alloc_op_waits;
46994 --
46995 --atomic_t fscache_n_retrievals;
46996 --atomic_t fscache_n_retrievals_ok;
46997 --atomic_t fscache_n_retrievals_wait;
46998 --atomic_t fscache_n_retrievals_nodata;
46999 --atomic_t fscache_n_retrievals_nobufs;
47000 --atomic_t fscache_n_retrievals_intr;
47001 --atomic_t fscache_n_retrievals_nomem;
47002 --atomic_t fscache_n_retrievals_object_dead;
47003 --atomic_t fscache_n_retrieval_ops;
47004 --atomic_t fscache_n_retrieval_op_waits;
47005 --
47006 --atomic_t fscache_n_stores;
47007 --atomic_t fscache_n_stores_ok;
47008 --atomic_t fscache_n_stores_again;
47009 --atomic_t fscache_n_stores_nobufs;
47010 --atomic_t fscache_n_stores_oom;
47011 --atomic_t fscache_n_store_ops;
47012 --atomic_t fscache_n_store_calls;
47013 --atomic_t fscache_n_store_pages;
47014 --atomic_t fscache_n_store_radix_deletes;
47015 --atomic_t fscache_n_store_pages_over_limit;
47016 --
47017 --atomic_t fscache_n_store_vmscan_not_storing;
47018 --atomic_t fscache_n_store_vmscan_gone;
47019 --atomic_t fscache_n_store_vmscan_busy;
47020 --atomic_t fscache_n_store_vmscan_cancelled;
47021 --
47022 --atomic_t fscache_n_marks;
47023 --atomic_t fscache_n_uncaches;
47024 --
47025 --atomic_t fscache_n_acquires;
47026 --atomic_t fscache_n_acquires_null;
47027 --atomic_t fscache_n_acquires_no_cache;
47028 --atomic_t fscache_n_acquires_ok;
47029 --atomic_t fscache_n_acquires_nobufs;
47030 --atomic_t fscache_n_acquires_oom;
47031 --
47032 --atomic_t fscache_n_updates;
47033 --atomic_t fscache_n_updates_null;
47034 --atomic_t fscache_n_updates_run;
47035 --
47036 --atomic_t fscache_n_relinquishes;
47037 --atomic_t fscache_n_relinquishes_null;
47038 --atomic_t fscache_n_relinquishes_waitcrt;
47039 --atomic_t fscache_n_relinquishes_retire;
47040 --
47041 --atomic_t fscache_n_cookie_index;
47042 --atomic_t fscache_n_cookie_data;
47043 --atomic_t fscache_n_cookie_special;
47044 --
47045 --atomic_t fscache_n_object_alloc;
47046 --atomic_t fscache_n_object_no_alloc;
47047 --atomic_t fscache_n_object_lookups;
47048 --atomic_t fscache_n_object_lookups_negative;
47049 --atomic_t fscache_n_object_lookups_positive;
47050 --atomic_t fscache_n_object_lookups_timed_out;
47051 --atomic_t fscache_n_object_created;
47052 --atomic_t fscache_n_object_avail;
47053 --atomic_t fscache_n_object_dead;
47054 --
47055 --atomic_t fscache_n_checkaux_none;
47056 --atomic_t fscache_n_checkaux_okay;
47057 --atomic_t fscache_n_checkaux_update;
47058 --atomic_t fscache_n_checkaux_obsolete;
47059 -+atomic_unchecked_t fscache_n_op_pend;
47060 -+atomic_unchecked_t fscache_n_op_run;
47061 -+atomic_unchecked_t fscache_n_op_enqueue;
47062 -+atomic_unchecked_t fscache_n_op_requeue;
47063 -+atomic_unchecked_t fscache_n_op_deferred_release;
47064 -+atomic_unchecked_t fscache_n_op_release;
47065 -+atomic_unchecked_t fscache_n_op_gc;
47066 -+atomic_unchecked_t fscache_n_op_cancelled;
47067 -+atomic_unchecked_t fscache_n_op_rejected;
47068 -+
47069 -+atomic_unchecked_t fscache_n_attr_changed;
47070 -+atomic_unchecked_t fscache_n_attr_changed_ok;
47071 -+atomic_unchecked_t fscache_n_attr_changed_nobufs;
47072 -+atomic_unchecked_t fscache_n_attr_changed_nomem;
47073 -+atomic_unchecked_t fscache_n_attr_changed_calls;
47074 -+
47075 -+atomic_unchecked_t fscache_n_allocs;
47076 -+atomic_unchecked_t fscache_n_allocs_ok;
47077 -+atomic_unchecked_t fscache_n_allocs_wait;
47078 -+atomic_unchecked_t fscache_n_allocs_nobufs;
47079 -+atomic_unchecked_t fscache_n_allocs_intr;
47080 -+atomic_unchecked_t fscache_n_allocs_object_dead;
47081 -+atomic_unchecked_t fscache_n_alloc_ops;
47082 -+atomic_unchecked_t fscache_n_alloc_op_waits;
47083 -+
47084 -+atomic_unchecked_t fscache_n_retrievals;
47085 -+atomic_unchecked_t fscache_n_retrievals_ok;
47086 -+atomic_unchecked_t fscache_n_retrievals_wait;
47087 -+atomic_unchecked_t fscache_n_retrievals_nodata;
47088 -+atomic_unchecked_t fscache_n_retrievals_nobufs;
47089 -+atomic_unchecked_t fscache_n_retrievals_intr;
47090 -+atomic_unchecked_t fscache_n_retrievals_nomem;
47091 -+atomic_unchecked_t fscache_n_retrievals_object_dead;
47092 -+atomic_unchecked_t fscache_n_retrieval_ops;
47093 -+atomic_unchecked_t fscache_n_retrieval_op_waits;
47094 -+
47095 -+atomic_unchecked_t fscache_n_stores;
47096 -+atomic_unchecked_t fscache_n_stores_ok;
47097 -+atomic_unchecked_t fscache_n_stores_again;
47098 -+atomic_unchecked_t fscache_n_stores_nobufs;
47099 -+atomic_unchecked_t fscache_n_stores_oom;
47100 -+atomic_unchecked_t fscache_n_store_ops;
47101 -+atomic_unchecked_t fscache_n_store_calls;
47102 -+atomic_unchecked_t fscache_n_store_pages;
47103 -+atomic_unchecked_t fscache_n_store_radix_deletes;
47104 -+atomic_unchecked_t fscache_n_store_pages_over_limit;
47105 -+
47106 -+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47107 -+atomic_unchecked_t fscache_n_store_vmscan_gone;
47108 -+atomic_unchecked_t fscache_n_store_vmscan_busy;
47109 -+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47110 -+
47111 -+atomic_unchecked_t fscache_n_marks;
47112 -+atomic_unchecked_t fscache_n_uncaches;
47113 -+
47114 -+atomic_unchecked_t fscache_n_acquires;
47115 -+atomic_unchecked_t fscache_n_acquires_null;
47116 -+atomic_unchecked_t fscache_n_acquires_no_cache;
47117 -+atomic_unchecked_t fscache_n_acquires_ok;
47118 -+atomic_unchecked_t fscache_n_acquires_nobufs;
47119 -+atomic_unchecked_t fscache_n_acquires_oom;
47120 -+
47121 -+atomic_unchecked_t fscache_n_updates;
47122 -+atomic_unchecked_t fscache_n_updates_null;
47123 -+atomic_unchecked_t fscache_n_updates_run;
47124 -+
47125 -+atomic_unchecked_t fscache_n_relinquishes;
47126 -+atomic_unchecked_t fscache_n_relinquishes_null;
47127 -+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47128 -+atomic_unchecked_t fscache_n_relinquishes_retire;
47129 -+
47130 -+atomic_unchecked_t fscache_n_cookie_index;
47131 -+atomic_unchecked_t fscache_n_cookie_data;
47132 -+atomic_unchecked_t fscache_n_cookie_special;
47133 -+
47134 -+atomic_unchecked_t fscache_n_object_alloc;
47135 -+atomic_unchecked_t fscache_n_object_no_alloc;
47136 -+atomic_unchecked_t fscache_n_object_lookups;
47137 -+atomic_unchecked_t fscache_n_object_lookups_negative;
47138 -+atomic_unchecked_t fscache_n_object_lookups_positive;
47139 -+atomic_unchecked_t fscache_n_object_lookups_timed_out;
47140 -+atomic_unchecked_t fscache_n_object_created;
47141 -+atomic_unchecked_t fscache_n_object_avail;
47142 -+atomic_unchecked_t fscache_n_object_dead;
47143 -+
47144 -+atomic_unchecked_t fscache_n_checkaux_none;
47145 -+atomic_unchecked_t fscache_n_checkaux_okay;
47146 -+atomic_unchecked_t fscache_n_checkaux_update;
47147 -+atomic_unchecked_t fscache_n_checkaux_obsolete;
47148 -
47149 - atomic_t fscache_n_cop_alloc_object;
47150 - atomic_t fscache_n_cop_lookup_object;
47151 -@@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47152 - seq_puts(m, "FS-Cache statistics\n");
47153 -
47154 - seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47155 -- atomic_read(&fscache_n_cookie_index),
47156 -- atomic_read(&fscache_n_cookie_data),
47157 -- atomic_read(&fscache_n_cookie_special));
47158 -+ atomic_read_unchecked(&fscache_n_cookie_index),
47159 -+ atomic_read_unchecked(&fscache_n_cookie_data),
47160 -+ atomic_read_unchecked(&fscache_n_cookie_special));
47161 -
47162 - seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47163 -- atomic_read(&fscache_n_object_alloc),
47164 -- atomic_read(&fscache_n_object_no_alloc),
47165 -- atomic_read(&fscache_n_object_avail),
47166 -- atomic_read(&fscache_n_object_dead));
47167 -+ atomic_read_unchecked(&fscache_n_object_alloc),
47168 -+ atomic_read_unchecked(&fscache_n_object_no_alloc),
47169 -+ atomic_read_unchecked(&fscache_n_object_avail),
47170 -+ atomic_read_unchecked(&fscache_n_object_dead));
47171 - seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47172 -- atomic_read(&fscache_n_checkaux_none),
47173 -- atomic_read(&fscache_n_checkaux_okay),
47174 -- atomic_read(&fscache_n_checkaux_update),
47175 -- atomic_read(&fscache_n_checkaux_obsolete));
47176 -+ atomic_read_unchecked(&fscache_n_checkaux_none),
47177 -+ atomic_read_unchecked(&fscache_n_checkaux_okay),
47178 -+ atomic_read_unchecked(&fscache_n_checkaux_update),
47179 -+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47180 -
47181 - seq_printf(m, "Pages : mrk=%u unc=%u\n",
47182 -- atomic_read(&fscache_n_marks),
47183 -- atomic_read(&fscache_n_uncaches));
47184 -+ atomic_read_unchecked(&fscache_n_marks),
47185 -+ atomic_read_unchecked(&fscache_n_uncaches));
47186 -
47187 - seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47188 - " oom=%u\n",
47189 -- atomic_read(&fscache_n_acquires),
47190 -- atomic_read(&fscache_n_acquires_null),
47191 -- atomic_read(&fscache_n_acquires_no_cache),
47192 -- atomic_read(&fscache_n_acquires_ok),
47193 -- atomic_read(&fscache_n_acquires_nobufs),
47194 -- atomic_read(&fscache_n_acquires_oom));
47195 -+ atomic_read_unchecked(&fscache_n_acquires),
47196 -+ atomic_read_unchecked(&fscache_n_acquires_null),
47197 -+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
47198 -+ atomic_read_unchecked(&fscache_n_acquires_ok),
47199 -+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
47200 -+ atomic_read_unchecked(&fscache_n_acquires_oom));
47201 -
47202 - seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47203 -- atomic_read(&fscache_n_object_lookups),
47204 -- atomic_read(&fscache_n_object_lookups_negative),
47205 -- atomic_read(&fscache_n_object_lookups_positive),
47206 -- atomic_read(&fscache_n_object_lookups_timed_out),
47207 -- atomic_read(&fscache_n_object_created));
47208 -+ atomic_read_unchecked(&fscache_n_object_lookups),
47209 -+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
47210 -+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
47211 -+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
47212 -+ atomic_read_unchecked(&fscache_n_object_created));
47213 -
47214 - seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47215 -- atomic_read(&fscache_n_updates),
47216 -- atomic_read(&fscache_n_updates_null),
47217 -- atomic_read(&fscache_n_updates_run));
47218 -+ atomic_read_unchecked(&fscache_n_updates),
47219 -+ atomic_read_unchecked(&fscache_n_updates_null),
47220 -+ atomic_read_unchecked(&fscache_n_updates_run));
47221 -
47222 - seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47223 -- atomic_read(&fscache_n_relinquishes),
47224 -- atomic_read(&fscache_n_relinquishes_null),
47225 -- atomic_read(&fscache_n_relinquishes_waitcrt),
47226 -- atomic_read(&fscache_n_relinquishes_retire));
47227 -+ atomic_read_unchecked(&fscache_n_relinquishes),
47228 -+ atomic_read_unchecked(&fscache_n_relinquishes_null),
47229 -+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47230 -+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
47231 -
47232 - seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47233 -- atomic_read(&fscache_n_attr_changed),
47234 -- atomic_read(&fscache_n_attr_changed_ok),
47235 -- atomic_read(&fscache_n_attr_changed_nobufs),
47236 -- atomic_read(&fscache_n_attr_changed_nomem),
47237 -- atomic_read(&fscache_n_attr_changed_calls));
47238 -+ atomic_read_unchecked(&fscache_n_attr_changed),
47239 -+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
47240 -+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47241 -+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47242 -+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
47243 -
47244 - seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47245 -- atomic_read(&fscache_n_allocs),
47246 -- atomic_read(&fscache_n_allocs_ok),
47247 -- atomic_read(&fscache_n_allocs_wait),
47248 -- atomic_read(&fscache_n_allocs_nobufs),
47249 -- atomic_read(&fscache_n_allocs_intr));
47250 -+ atomic_read_unchecked(&fscache_n_allocs),
47251 -+ atomic_read_unchecked(&fscache_n_allocs_ok),
47252 -+ atomic_read_unchecked(&fscache_n_allocs_wait),
47253 -+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
47254 -+ atomic_read_unchecked(&fscache_n_allocs_intr));
47255 - seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47256 -- atomic_read(&fscache_n_alloc_ops),
47257 -- atomic_read(&fscache_n_alloc_op_waits),
47258 -- atomic_read(&fscache_n_allocs_object_dead));
47259 -+ atomic_read_unchecked(&fscache_n_alloc_ops),
47260 -+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
47261 -+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
47262 -
47263 - seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47264 - " int=%u oom=%u\n",
47265 -- atomic_read(&fscache_n_retrievals),
47266 -- atomic_read(&fscache_n_retrievals_ok),
47267 -- atomic_read(&fscache_n_retrievals_wait),
47268 -- atomic_read(&fscache_n_retrievals_nodata),
47269 -- atomic_read(&fscache_n_retrievals_nobufs),
47270 -- atomic_read(&fscache_n_retrievals_intr),
47271 -- atomic_read(&fscache_n_retrievals_nomem));
47272 -+ atomic_read_unchecked(&fscache_n_retrievals),
47273 -+ atomic_read_unchecked(&fscache_n_retrievals_ok),
47274 -+ atomic_read_unchecked(&fscache_n_retrievals_wait),
47275 -+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
47276 -+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47277 -+ atomic_read_unchecked(&fscache_n_retrievals_intr),
47278 -+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
47279 - seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47280 -- atomic_read(&fscache_n_retrieval_ops),
47281 -- atomic_read(&fscache_n_retrieval_op_waits),
47282 -- atomic_read(&fscache_n_retrievals_object_dead));
47283 -+ atomic_read_unchecked(&fscache_n_retrieval_ops),
47284 -+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47285 -+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47286 -
47287 - seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47288 -- atomic_read(&fscache_n_stores),
47289 -- atomic_read(&fscache_n_stores_ok),
47290 -- atomic_read(&fscache_n_stores_again),
47291 -- atomic_read(&fscache_n_stores_nobufs),
47292 -- atomic_read(&fscache_n_stores_oom));
47293 -+ atomic_read_unchecked(&fscache_n_stores),
47294 -+ atomic_read_unchecked(&fscache_n_stores_ok),
47295 -+ atomic_read_unchecked(&fscache_n_stores_again),
47296 -+ atomic_read_unchecked(&fscache_n_stores_nobufs),
47297 -+ atomic_read_unchecked(&fscache_n_stores_oom));
47298 - seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47299 -- atomic_read(&fscache_n_store_ops),
47300 -- atomic_read(&fscache_n_store_calls),
47301 -- atomic_read(&fscache_n_store_pages),
47302 -- atomic_read(&fscache_n_store_radix_deletes),
47303 -- atomic_read(&fscache_n_store_pages_over_limit));
47304 -+ atomic_read_unchecked(&fscache_n_store_ops),
47305 -+ atomic_read_unchecked(&fscache_n_store_calls),
47306 -+ atomic_read_unchecked(&fscache_n_store_pages),
47307 -+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
47308 -+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47309 -
47310 - seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47311 -- atomic_read(&fscache_n_store_vmscan_not_storing),
47312 -- atomic_read(&fscache_n_store_vmscan_gone),
47313 -- atomic_read(&fscache_n_store_vmscan_busy),
47314 -- atomic_read(&fscache_n_store_vmscan_cancelled));
47315 -+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47316 -+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47317 -+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47318 -+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47319 -
47320 - seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47321 -- atomic_read(&fscache_n_op_pend),
47322 -- atomic_read(&fscache_n_op_run),
47323 -- atomic_read(&fscache_n_op_enqueue),
47324 -- atomic_read(&fscache_n_op_cancelled),
47325 -- atomic_read(&fscache_n_op_rejected));
47326 -+ atomic_read_unchecked(&fscache_n_op_pend),
47327 -+ atomic_read_unchecked(&fscache_n_op_run),
47328 -+ atomic_read_unchecked(&fscache_n_op_enqueue),
47329 -+ atomic_read_unchecked(&fscache_n_op_cancelled),
47330 -+ atomic_read_unchecked(&fscache_n_op_rejected));
47331 - seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47332 -- atomic_read(&fscache_n_op_deferred_release),
47333 -- atomic_read(&fscache_n_op_release),
47334 -- atomic_read(&fscache_n_op_gc));
47335 -+ atomic_read_unchecked(&fscache_n_op_deferred_release),
47336 -+ atomic_read_unchecked(&fscache_n_op_release),
47337 -+ atomic_read_unchecked(&fscache_n_op_gc));
47338 -
47339 - seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47340 - atomic_read(&fscache_n_cop_alloc_object),
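Review bot: the CacheOp context line that closes this hunk still reads `atomic_read(&fscache_n_cop_alloc_object)` while every counter above it has moved to `atomic_read_unchecked`. If the split is intentional (pure statistics that may wrap versus counters that must stay overflow-checked), say so in a comment next to the counter declarations; otherwise the next person converting call sites will not know where to stop.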
47341 -diff -urNp linux-2.6.32.46/fs/fuse/cuse.c linux-2.6.32.46/fs/fuse/cuse.c
47342 ---- linux-2.6.32.46/fs/fuse/cuse.c 2011-03-27 14:31:47.000000000 -0400
47343 -+++ linux-2.6.32.46/fs/fuse/cuse.c 2011-08-05 20:33:55.000000000 -0400
47344 -@@ -576,10 +576,12 @@ static int __init cuse_init(void)
47345 - INIT_LIST_HEAD(&cuse_conntbl[i]);
47346 -
47347 - /* inherit and extend fuse_dev_operations */
47348 -- cuse_channel_fops = fuse_dev_operations;
47349 -- cuse_channel_fops.owner = THIS_MODULE;
47350 -- cuse_channel_fops.open = cuse_channel_open;
47351 -- cuse_channel_fops.release = cuse_channel_release;
47352 -+ pax_open_kernel();
47353 -+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
47354 -+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
47355 -+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
47356 -+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
47357 -+ pax_close_kernel();
47358 -
47359 - cuse_class = class_create(THIS_MODULE, "cuse");
47360 - if (IS_ERR(cuse_class))
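Review bot: the `memcpy` into `cuse_channel_fops` is sized with `sizeof(fuse_dev_operations)`, the source, rather than `sizeof(cuse_channel_fops)`, the destination. The removed struct assignment shows both have the same type today, but sizing by the destination keeps the copy in bounds if that ever changes. The `*(void **)&cuse_channel_fops.open = cuse_channel_open` style stores also discard the compiler's check that each function pointer matches its member's signature, so a short comment above `pax_open_kernel()` explaining why plain assignment is no longer possible would help.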
47361 -diff -urNp linux-2.6.32.46/fs/fuse/dev.c linux-2.6.32.46/fs/fuse/dev.c
47362 ---- linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:24:44.000000000 -0400
47363 -+++ linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:25:07.000000000 -0400
47364 -@@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
47365 - {
47366 - struct fuse_notify_inval_entry_out outarg;
47367 - int err = -EINVAL;
47368 -- char buf[FUSE_NAME_MAX+1];
47369 -+ char *buf = NULL;
47370 - struct qstr name;
47371 -
47372 - if (size < sizeof(outarg))
47373 -@@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
47374 - if (outarg.namelen > FUSE_NAME_MAX)
47375 - goto err;
47376 -
47377 -+ err = -ENOMEM;
47378 -+ buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
47379 -+ if (!buf)
47380 -+ goto err;
47381 -+
47382 - err = -EINVAL;
47383 - if (size != sizeof(outarg) + outarg.namelen + 1)
47384 - goto err;
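Review bot: `kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL)` always allocates the worst case even though `outarg.namelen` has been bounded by `FUSE_NAME_MAX` just above. If `buf` only ever holds the name plus its terminator, as the `size != sizeof(outarg) + outarg.namelen + 1` check that follows suggests, `outarg.namelen + 1` is enough. The change description should also record why the buffer moved off the stack.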
47385 -@@ -914,17 +919,15 @@ static int fuse_notify_inval_entry(struc
47386 -
47387 - down_read(&fc->killsb);
47388 - err = -ENOENT;
47389 -- if (!fc->sb)
47390 -- goto err_unlock;
47391 --
47392 -- err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
47393 --
47394 --err_unlock:
47395 -+ if (fc->sb)
47396 -+ err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
47397 - up_read(&fc->killsb);
47398 -+ kfree(buf);
47399 - return err;
47400 -
47401 - err:
47402 - fuse_copy_finish(cs);
47403 -+ kfree(buf);
47404 - return err;
47405 - }
47406 -
47407 -diff -urNp linux-2.6.32.46/fs/fuse/dir.c linux-2.6.32.46/fs/fuse/dir.c
47408 ---- linux-2.6.32.46/fs/fuse/dir.c 2011-03-27 14:31:47.000000000 -0400
47409 -+++ linux-2.6.32.46/fs/fuse/dir.c 2011-04-17 15:56:46.000000000 -0400
47410 -@@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
47411 - return link;
47412 - }
47413 -
47414 --static void free_link(char *link)
47415 -+static void free_link(const char *link)
47416 - {
47417 - if (!IS_ERR(link))
47418 - free_page((unsigned long) link);
47419 -diff -urNp linux-2.6.32.46/fs/gfs2/ops_inode.c linux-2.6.32.46/fs/gfs2/ops_inode.c
47420 ---- linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-03-27 14:31:47.000000000 -0400
47421 -+++ linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-05-16 21:46:57.000000000 -0400
47422 -@@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
47423 - unsigned int x;
47424 - int error;
47425 -
47426 -+ pax_track_stack();
47427 -+
47428 - if (ndentry->d_inode) {
47429 - nip = GFS2_I(ndentry->d_inode);
47430 - if (ip == nip)
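Review bot: `pax_track_stack()` is inserted after the declarations in `gfs2_rename()` with no comment, and the same bare call recurs in the hfsplus, jbd, jffs2 and lockd hunks of this patch. A line stating the criterion for instrumenting a function would let reviewers check that the list of call sites is complete and tell maintainers when a new function needs the call.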
47431 -diff -urNp linux-2.6.32.46/fs/gfs2/sys.c linux-2.6.32.46/fs/gfs2/sys.c
47432 ---- linux-2.6.32.46/fs/gfs2/sys.c 2011-03-27 14:31:47.000000000 -0400
47433 -+++ linux-2.6.32.46/fs/gfs2/sys.c 2011-04-17 15:56:46.000000000 -0400
47434 -@@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
47435 - return a->store ? a->store(sdp, buf, len) : len;
47436 - }
47437 -
47438 --static struct sysfs_ops gfs2_attr_ops = {
47439 -+static const struct sysfs_ops gfs2_attr_ops = {
47440 - .show = gfs2_attr_show,
47441 - .store = gfs2_attr_store,
47442 - };
47443 -@@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
47444 - return 0;
47445 - }
47446 -
47447 --static struct kset_uevent_ops gfs2_uevent_ops = {
47448 -+static const struct kset_uevent_ops gfs2_uevent_ops = {
47449 - .uevent = gfs2_uevent,
47450 - };
47451 -
47452 -diff -urNp linux-2.6.32.46/fs/hfsplus/catalog.c linux-2.6.32.46/fs/hfsplus/catalog.c
47453 ---- linux-2.6.32.46/fs/hfsplus/catalog.c 2011-03-27 14:31:47.000000000 -0400
47454 -+++ linux-2.6.32.46/fs/hfsplus/catalog.c 2011-05-16 21:46:57.000000000 -0400
47455 -@@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
47456 - int err;
47457 - u16 type;
47458 -
47459 -+ pax_track_stack();
47460 -+
47461 - hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
47462 - err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
47463 - if (err)
47464 -@@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
47465 - int entry_size;
47466 - int err;
47467 -
47468 -+ pax_track_stack();
47469 -+
47470 - dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
47471 - sb = dir->i_sb;
47472 - hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
47473 -@@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
47474 - int entry_size, type;
47475 - int err = 0;
47476 -
47477 -+ pax_track_stack();
47478 -+
47479 - dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
47480 - dst_dir->i_ino, dst_name->name);
47481 - sb = src_dir->i_sb;
47482 -diff -urNp linux-2.6.32.46/fs/hfsplus/dir.c linux-2.6.32.46/fs/hfsplus/dir.c
47483 ---- linux-2.6.32.46/fs/hfsplus/dir.c 2011-03-27 14:31:47.000000000 -0400
47484 -+++ linux-2.6.32.46/fs/hfsplus/dir.c 2011-05-16 21:46:57.000000000 -0400
47485 -@@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
47486 - struct hfsplus_readdir_data *rd;
47487 - u16 type;
47488 -
47489 -+ pax_track_stack();
47490 -+
47491 - if (filp->f_pos >= inode->i_size)
47492 - return 0;
47493 -
47494 -diff -urNp linux-2.6.32.46/fs/hfsplus/inode.c linux-2.6.32.46/fs/hfsplus/inode.c
47495 ---- linux-2.6.32.46/fs/hfsplus/inode.c 2011-03-27 14:31:47.000000000 -0400
47496 -+++ linux-2.6.32.46/fs/hfsplus/inode.c 2011-05-16 21:46:57.000000000 -0400
47497 -@@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
47498 - int res = 0;
47499 - u16 type;
47500 -
47501 -+ pax_track_stack();
47502 -+
47503 - type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
47504 -
47505 - HFSPLUS_I(inode).dev = 0;
47506 -@@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
47507 - struct hfs_find_data fd;
47508 - hfsplus_cat_entry entry;
47509 -
47510 -+ pax_track_stack();
47511 -+
47512 - if (HFSPLUS_IS_RSRC(inode))
47513 - main_inode = HFSPLUS_I(inode).rsrc_inode;
47514 -
47515 -diff -urNp linux-2.6.32.46/fs/hfsplus/ioctl.c linux-2.6.32.46/fs/hfsplus/ioctl.c
47516 ---- linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-03-27 14:31:47.000000000 -0400
47517 -+++ linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-05-16 21:46:57.000000000 -0400
47518 -@@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
47519 - struct hfsplus_cat_file *file;
47520 - int res;
47521 -
47522 -+ pax_track_stack();
47523 -+
47524 - if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
47525 - return -EOPNOTSUPP;
47526 -
47527 -@@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
47528 - struct hfsplus_cat_file *file;
47529 - ssize_t res = 0;
47530 -
47531 -+ pax_track_stack();
47532 -+
47533 - if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
47534 - return -EOPNOTSUPP;
47535 -
47536 -diff -urNp linux-2.6.32.46/fs/hfsplus/super.c linux-2.6.32.46/fs/hfsplus/super.c
47537 ---- linux-2.6.32.46/fs/hfsplus/super.c 2011-03-27 14:31:47.000000000 -0400
47538 -+++ linux-2.6.32.46/fs/hfsplus/super.c 2011-05-16 21:46:57.000000000 -0400
47539 -@@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
47540 - struct nls_table *nls = NULL;
47541 - int err = -EINVAL;
47542 -
47543 -+ pax_track_stack();
47544 -+
47545 - sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
47546 - if (!sbi)
47547 - return -ENOMEM;
47548 -diff -urNp linux-2.6.32.46/fs/hugetlbfs/inode.c linux-2.6.32.46/fs/hugetlbfs/inode.c
47549 ---- linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-03-27 14:31:47.000000000 -0400
47550 -+++ linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-04-17 15:56:46.000000000 -0400
47551 -@@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
47552 - .kill_sb = kill_litter_super,
47553 - };
47554 -
47555 --static struct vfsmount *hugetlbfs_vfsmount;
47556 -+struct vfsmount *hugetlbfs_vfsmount;
47557 -
47558 - static int can_do_hugetlb_shm(void)
47559 - {
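Review bot: dropping `static` from `hugetlbfs_vfsmount` turns a file-local pointer into a writable global symbol, yet nothing in this hunk declares it in a header or names its new user. Please point to the `extern` declaration and the consumer, and consider an accessor function instead so that other code cannot reassign the mount pointer.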
47560 -diff -urNp linux-2.6.32.46/fs/ioctl.c linux-2.6.32.46/fs/ioctl.c
47561 ---- linux-2.6.32.46/fs/ioctl.c 2011-03-27 14:31:47.000000000 -0400
47562 -+++ linux-2.6.32.46/fs/ioctl.c 2011-04-17 15:56:46.000000000 -0400
47563 -@@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
47564 - u64 phys, u64 len, u32 flags)
47565 - {
47566 - struct fiemap_extent extent;
47567 -- struct fiemap_extent *dest = fieinfo->fi_extents_start;
47568 -+ struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
47569 -
47570 - /* only count the extents */
47571 - if (fieinfo->fi_extents_max == 0) {
47572 -@@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
47573 -
47574 - fieinfo.fi_flags = fiemap.fm_flags;
47575 - fieinfo.fi_extents_max = fiemap.fm_extent_count;
47576 -- fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
47577 -+ fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
47578 -
47579 - if (fiemap.fm_extent_count != 0 &&
47580 - !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
47581 -@@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
47582 - error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
47583 - fiemap.fm_flags = fieinfo.fi_flags;
47584 - fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
47585 -- if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
47586 -+ if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
47587 - error = -EFAULT;
47588 -
47589 - return error;
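Review bot: the `copy_to_user` call casts with `(__force char __user *)arg`, while the `fi_extents_start` assignment in the previous hunk casts the same `arg` with a plain `(struct fiemap_extent __user *)`. `__force` silences the address-space checker, so use it only where the plain `__user` cast is rejected, and make the two casts consistent.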
47590 -diff -urNp linux-2.6.32.46/fs/jbd/checkpoint.c linux-2.6.32.46/fs/jbd/checkpoint.c
47591 ---- linux-2.6.32.46/fs/jbd/checkpoint.c 2011-03-27 14:31:47.000000000 -0400
47592 -+++ linux-2.6.32.46/fs/jbd/checkpoint.c 2011-05-16 21:46:57.000000000 -0400
47593 -@@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
47594 - tid_t this_tid;
47595 - int result;
47596 -
47597 -+ pax_track_stack();
47598 -+
47599 - jbd_debug(1, "Start checkpoint\n");
47600 -
47601 - /*
47602 -diff -urNp linux-2.6.32.46/fs/jffs2/compr_rtime.c linux-2.6.32.46/fs/jffs2/compr_rtime.c
47603 ---- linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-03-27 14:31:47.000000000 -0400
47604 -+++ linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-05-16 21:46:57.000000000 -0400
47605 -@@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
47606 - int outpos = 0;
47607 - int pos=0;
47608 -
47609 -+ pax_track_stack();
47610 -+
47611 - memset(positions,0,sizeof(positions));
47612 -
47613 - while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
47614 -@@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
47615 - int outpos = 0;
47616 - int pos=0;
47617 -
47618 -+ pax_track_stack();
47619 -+
47620 - memset(positions,0,sizeof(positions));
47621 -
47622 - while (outpos<destlen) {
47623 -diff -urNp linux-2.6.32.46/fs/jffs2/compr_rubin.c linux-2.6.32.46/fs/jffs2/compr_rubin.c
47624 ---- linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-03-27 14:31:47.000000000 -0400
47625 -+++ linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-05-16 21:46:57.000000000 -0400
47626 -@@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
47627 - int ret;
47628 - uint32_t mysrclen, mydstlen;
47629 -
47630 -+ pax_track_stack();
47631 -+
47632 - mysrclen = *sourcelen;
47633 - mydstlen = *dstlen - 8;
47634 -
47635 -diff -urNp linux-2.6.32.46/fs/jffs2/erase.c linux-2.6.32.46/fs/jffs2/erase.c
47636 ---- linux-2.6.32.46/fs/jffs2/erase.c 2011-03-27 14:31:47.000000000 -0400
47637 -+++ linux-2.6.32.46/fs/jffs2/erase.c 2011-04-17 15:56:46.000000000 -0400
47638 -@@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
47639 - struct jffs2_unknown_node marker = {
47640 - .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
47641 - .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
47642 -- .totlen = cpu_to_je32(c->cleanmarker_size)
47643 -+ .totlen = cpu_to_je32(c->cleanmarker_size),
47644 -+ .hdr_crc = cpu_to_je32(0)
47645 - };
47646 -
47647 - jffs2_prealloc_raw_node_refs(c, jeb, 1);
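Review bot: with designated initializers, members left out are already zero-initialized, so adding `.hdr_crc = cpu_to_je32(0)` does not change the resulting `marker`. If the line exists to satisfy a compiler warning or a checker, note that in a comment; the same applies to the matching change in fs/jffs2/wbuf.c.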
47648 -diff -urNp linux-2.6.32.46/fs/jffs2/wbuf.c linux-2.6.32.46/fs/jffs2/wbuf.c
47649 ---- linux-2.6.32.46/fs/jffs2/wbuf.c 2011-03-27 14:31:47.000000000 -0400
47650 -+++ linux-2.6.32.46/fs/jffs2/wbuf.c 2011-04-17 15:56:46.000000000 -0400
47651 -@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
47652 - {
47653 - .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
47654 - .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
47655 -- .totlen = constant_cpu_to_je32(8)
47656 -+ .totlen = constant_cpu_to_je32(8),
47657 -+ .hdr_crc = constant_cpu_to_je32(0)
47658 - };
47659 -
47660 - /*
47661 -diff -urNp linux-2.6.32.46/fs/jffs2/xattr.c linux-2.6.32.46/fs/jffs2/xattr.c
47662 ---- linux-2.6.32.46/fs/jffs2/xattr.c 2011-03-27 14:31:47.000000000 -0400
47663 -+++ linux-2.6.32.46/fs/jffs2/xattr.c 2011-05-16 21:46:57.000000000 -0400
47664 -@@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
47665 -
47666 - BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
47667 -
47668 -+ pax_track_stack();
47669 -+
47670 - /* Phase.1 : Merge same xref */
47671 - for (i=0; i < XREF_TMPHASH_SIZE; i++)
47672 - xref_tmphash[i] = NULL;
47673 -diff -urNp linux-2.6.32.46/fs/jfs/super.c linux-2.6.32.46/fs/jfs/super.c
47674 ---- linux-2.6.32.46/fs/jfs/super.c 2011-03-27 14:31:47.000000000 -0400
47675 -+++ linux-2.6.32.46/fs/jfs/super.c 2011-06-07 18:06:04.000000000 -0400
47676 -@@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
47677 -
47678 - jfs_inode_cachep =
47679 - kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
47680 -- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
47681 -+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
47682 - init_once);
47683 - if (jfs_inode_cachep == NULL)
47684 - return -ENOMEM;
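Review bot: `SLAB_USERCOPY` is added to the whole `jfs_ip` cache without saying which member of `struct jfs_inode_info` is copied to or from user space. Name that member in a comment next to the flag so the marking can be audited, and so it can be dropped if that copy path goes away.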
47685 -diff -urNp linux-2.6.32.46/fs/libfs.c linux-2.6.32.46/fs/libfs.c
47686 ---- linux-2.6.32.46/fs/libfs.c 2011-03-27 14:31:47.000000000 -0400
47687 -+++ linux-2.6.32.46/fs/libfs.c 2011-05-11 18:25:15.000000000 -0400
47688 -@@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
47689 -
47690 - for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
47691 - struct dentry *next;
47692 -+ char d_name[sizeof(next->d_iname)];
47693 -+ const unsigned char *name;
47694 -+
47695 - next = list_entry(p, struct dentry, d_u.d_child);
47696 - if (d_unhashed(next) || !next->d_inode)
47697 - continue;
47698 -
47699 - spin_unlock(&dcache_lock);
47700 -- if (filldir(dirent, next->d_name.name,
47701 -+ name = next->d_name.name;
47702 -+ if (name == next->d_iname) {
47703 -+ memcpy(d_name, name, next->d_name.len);
47704 -+ name = d_name;
47705 -+ }
47706 -+ if (filldir(dirent, name,
47707 - next->d_name.len, filp->f_pos,
47708 - next->d_inode->i_ino,
47709 - dt_type(next->d_inode)) < 0)
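Review bot: the `memcpy(d_name, name, next->d_name.len)` runs after `spin_unlock(&dcache_lock)`, so the inline name it is meant to snapshot can still change while it is being copied, and `next->d_name.len` is read a second time for the `filldir` call. Take the copy and the length into locals before dropping the lock, and pass the saved length to `filldir`.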
47710 -diff -urNp linux-2.6.32.46/fs/lockd/clntproc.c linux-2.6.32.46/fs/lockd/clntproc.c
47711 ---- linux-2.6.32.46/fs/lockd/clntproc.c 2011-03-27 14:31:47.000000000 -0400
47712 -+++ linux-2.6.32.46/fs/lockd/clntproc.c 2011-05-16 21:46:57.000000000 -0400
47713 -@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
47714 - /*
47715 - * Cookie counter for NLM requests
47716 - */
47717 --static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
47718 -+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
47719 -
47720 - void nlmclnt_next_cookie(struct nlm_cookie *c)
47721 - {
47722 -- u32 cookie = atomic_inc_return(&nlm_cookie);
47723 -+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
47724 -
47725 - memcpy(c->data, &cookie, 4);
47726 - c->len=4;
47727 -@@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
47728 - struct nlm_rqst reqst, *req;
47729 - int status;
47730 -
47731 -+ pax_track_stack();
47732 -+
47733 - req = &reqst;
47734 - memset(req, 0, sizeof(*req));
47735 - locks_init_lock(&req->a_args.lock.fl);
47736 -diff -urNp linux-2.6.32.46/fs/lockd/svc.c linux-2.6.32.46/fs/lockd/svc.c
47737 ---- linux-2.6.32.46/fs/lockd/svc.c 2011-03-27 14:31:47.000000000 -0400
47738 -+++ linux-2.6.32.46/fs/lockd/svc.c 2011-04-17 15:56:46.000000000 -0400
47739 -@@ -43,7 +43,7 @@
47740 -
47741 - static struct svc_program nlmsvc_program;
47742 -
47743 --struct nlmsvc_binding * nlmsvc_ops;
47744 -+const struct nlmsvc_binding * nlmsvc_ops;
47745 - EXPORT_SYMBOL_GPL(nlmsvc_ops);
47746 -
47747 - static DEFINE_MUTEX(nlmsvc_mutex);
47748 -diff -urNp linux-2.6.32.46/fs/locks.c linux-2.6.32.46/fs/locks.c
47749 ---- linux-2.6.32.46/fs/locks.c 2011-03-27 14:31:47.000000000 -0400
47750 -+++ linux-2.6.32.46/fs/locks.c 2011-07-06 19:47:11.000000000 -0400
47751 -@@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
47752 -
47753 - static struct kmem_cache *filelock_cache __read_mostly;
47754 -
47755 -+static void locks_init_lock_always(struct file_lock *fl)
47756 -+{
47757 -+ fl->fl_next = NULL;
47758 -+ fl->fl_fasync = NULL;
47759 -+ fl->fl_owner = NULL;
47760 -+ fl->fl_pid = 0;
47761 -+ fl->fl_nspid = NULL;
47762 -+ fl->fl_file = NULL;
47763 -+ fl->fl_flags = 0;
47764 -+ fl->fl_type = 0;
47765 -+ fl->fl_start = fl->fl_end = 0;
47766 -+}
47767 -+
47768 - /* Allocate an empty lock structure. */
47769 - static struct file_lock *locks_alloc_lock(void)
47770 - {
47771 -- return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
47772 -+ struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
47773 -+
47774 -+ if (fl)
47775 -+ locks_init_lock_always(fl);
47776 -+
47777 -+ return fl;
47778 - }
47779 -
47780 - void locks_release_private(struct file_lock *fl)
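Review bot: the name `locks_init_lock_always()` suggests a complete initializer, but the helper leaves `fl_ops`, `fl_lmops`, the list heads and the wait queue to `locks_init_lock()`. Add a comment on `locks_alloc_lock()` stating what guarantees those remaining fields are valid for a freshly allocated lock, since `locks_remove_flock()` later in this file tests `fl_ops` before calling through it.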
47781 -@@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
47782 - INIT_LIST_HEAD(&fl->fl_link);
47783 - INIT_LIST_HEAD(&fl->fl_block);
47784 - init_waitqueue_head(&fl->fl_wait);
47785 -- fl->fl_next = NULL;
47786 -- fl->fl_fasync = NULL;
47787 -- fl->fl_owner = NULL;
47788 -- fl->fl_pid = 0;
47789 -- fl->fl_nspid = NULL;
47790 -- fl->fl_file = NULL;
47791 -- fl->fl_flags = 0;
47792 -- fl->fl_type = 0;
47793 -- fl->fl_start = fl->fl_end = 0;
47794 - fl->fl_ops = NULL;
47795 - fl->fl_lmops = NULL;
47796 -+ locks_init_lock_always(fl);
47797 - }
47798 -
47799 - EXPORT_SYMBOL(locks_init_lock);
47800 -@@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
47801 - return;
47802 -
47803 - if (filp->f_op && filp->f_op->flock) {
47804 -- struct file_lock fl = {
47805 -+ struct file_lock flock = {
47806 - .fl_pid = current->tgid,
47807 - .fl_file = filp,
47808 - .fl_flags = FL_FLOCK,
47809 - .fl_type = F_UNLCK,
47810 - .fl_end = OFFSET_MAX,
47811 - };
47812 -- filp->f_op->flock(filp, F_SETLKW, &fl);
47813 -- if (fl.fl_ops && fl.fl_ops->fl_release_private)
47814 -- fl.fl_ops->fl_release_private(&fl);
47815 -+ filp->f_op->flock(filp, F_SETLKW, &flock);
47816 -+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
47817 -+ flock.fl_ops->fl_release_private(&flock);
47818 - }
47819 -
47820 - lock_kernel();
47821 -diff -urNp linux-2.6.32.46/fs/mbcache.c linux-2.6.32.46/fs/mbcache.c
47822 ---- linux-2.6.32.46/fs/mbcache.c 2011-03-27 14:31:47.000000000 -0400
47823 -+++ linux-2.6.32.46/fs/mbcache.c 2011-08-05 20:33:55.000000000 -0400
47824 -@@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
47825 - if (!cache)
47826 - goto fail;
47827 - cache->c_name = name;
47828 -- cache->c_op.free = NULL;
47829 -+ *(void **)&cache->c_op.free = NULL;
47830 - if (cache_op)
47831 -- cache->c_op.free = cache_op->free;
47832 -+ *(void **)&cache->c_op.free = cache_op->free;
47833 - atomic_set(&cache->c_entry_count, 0);
47834 - cache->c_bucket_bits = bucket_bits;
47835 - #ifdef MB_CACHE_INDEXES_COUNT
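Review bot: both stores to `cache->c_op.free` now go through `*(void **)&`, which drops the check that `cache_op->free` has the signature the member expects. Unlike the fs/fuse/cuse.c change in this patch, these writes are not bracketed by `pax_open_kernel()` and `pax_close_kernel()`; a comment should say why the cast is needed here and why the bracket is not.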
47836 -diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
47837 ---- linux-2.6.32.46/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
47838 -+++ linux-2.6.32.46/fs/namei.c 2011-10-19 12:12:56.000000000 -0400
47839 -@@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
47840 - return ret;
47841 -
47842 - /*
47843 -- * Read/write DACs are always overridable.
47844 -- * Executable DACs are overridable if at least one exec bit is set.
47845 -- */
47846 -- if (!(mask & MAY_EXEC) || execute_ok(inode))
47847 -- if (capable(CAP_DAC_OVERRIDE))
47848 -- return 0;
47849 --
47850 -- /*
47851 - * Searching includes executable on directories, else just read.
47852 - */
47853 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
47854 -@@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
47855 - if (capable(CAP_DAC_READ_SEARCH))
47856 - return 0;
47857 -
47858 -+ /*
47859 -+ * Read/write DACs are always overridable.
47860 -+ * Executable DACs are overridable if at least one exec bit is set.
47861 -+ */
47862 -+ if (!(mask & MAY_EXEC) || execute_ok(inode))
47863 -+ if (capable(CAP_DAC_OVERRIDE))
47864 -+ return 0;
47865 -+
47866 - return -EACCES;
47867 - }
47868 -
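Review bot: the `CAP_DAC_OVERRIDE` block is moved below the `CAP_DAC_READ_SEARCH` check, so its `mask & MAY_EXEC` test now runs after `mask &= MAY_READ | MAY_WRITE | MAY_EXEC`. The comment was moved verbatim and does not say why the order matters; if the intent is that the narrower capability is consulted first, state that in the comment.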
47869 -@@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
47870 - if (!ret)
47871 - goto ok;
47872 -
47873 -- if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
47874 -+ if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
47875 -+ capable(CAP_DAC_OVERRIDE))
47876 - goto ok;
47877 -
47878 - return ret;
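Review bot: in the new condition, `capable(CAP_DAC_OVERRIDE)` is evaluated only after `capable_nolog(CAP_DAC_OVERRIDE)` and `capable(CAP_DAC_READ_SEARCH)` have both returned false, so as an access decision it looks redundant. If the third call is there only for its logging side effect on the denial path, a comment saying so would stop someone from simplifying it away.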
47879 -@@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
47880 - cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
47881 - error = PTR_ERR(cookie);
47882 - if (!IS_ERR(cookie)) {
47883 -- char *s = nd_get_link(nd);
47884 -+ const char *s = nd_get_link(nd);
47885 - error = 0;
47886 - if (s)
47887 - error = __vfs_follow_link(nd, s);
47888 -@@ -669,6 +670,13 @@ static inline int do_follow_link(struct
47889 - err = security_inode_follow_link(path->dentry, nd);
47890 - if (err)
47891 - goto loop;
47892 -+
47893 -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
47894 -+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
47895 -+ err = -EACCES;
47896 -+ goto loop;
47897 -+ }
47898 -+
47899 - current->link_count++;
47900 - current->total_link_count++;
47901 - nd->depth++;
47902 -@@ -1016,11 +1024,19 @@ return_reval:
47903 - break;
47904 - }
47905 - return_base:
47906 -+ if (!(nd->flags & (LOOKUP_CONTINUE | LOOKUP_PARENT)) &&
47907 -+ !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
47908 -+ path_put(&nd->path);
47909 -+ return -ENOENT;
47910 -+ }
47911 - return 0;
47912 - out_dput:
47913 - path_put_conditional(&next, nd);
47914 - break;
47915 - }
47916 -+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
47917 -+ err = -ENOENT;
47918 -+
47919 - path_put(&nd->path);
47920 - return_err:
47921 - return err;
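Review bot: the check added after the loop assigns `err = -ENOENT` whenever `gr_acl_handle_hidden_file()` fails, replacing whatever error the walk had already stored in `err`. Callers that distinguish error codes will then see -ENOENT for every failure on a hidden path; if that masking is deliberate, document it at the assignment.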
47922 -@@ -1091,13 +1107,20 @@ static int do_path_lookup(int dfd, const
47923 - int retval = path_init(dfd, name, flags, nd);
47924 - if (!retval)
47925 - retval = path_walk(name, nd);
47926 -- if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
47927 -- nd->path.dentry->d_inode))
47928 -- audit_inode(name, nd->path.dentry);
47929 -+
47930 -+ if (likely(!retval)) {
47931 -+ if (nd->path.dentry && nd->path.dentry->d_inode) {
47932 -+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
47933 -+ retval = -ENOENT;
47934 -+ if (!audit_dummy_context())
47935 -+ audit_inode(name, nd->path.dentry);
47936 -+ }
47937 -+ }
47938 - if (nd->root.mnt) {
47939 - path_put(&nd->root);
47940 - nd->root.mnt = NULL;
47941 - }
47942 -+
47943 - return retval;
47944 - }
47945 -
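Review bot: when `gr_chroot_fchdir()` rejects the lookup, `retval` becomes -ENOENT but `nd->path` is left as `path_walk()` returned it, whereas the `return_base` check in the previous hunk calls `path_put(&nd->path)` before returning -ENOENT. Confirm that no caller treats an error return as "no reference held", or release the path here as well. `audit_inode()` is also still called for the rejected lookup, which should be either intended and commented or skipped.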
47946 -@@ -1576,6 +1599,20 @@ int may_open(struct path *path, int acc_
47947 - if (error)
47948 - goto err_out;
47949 -
47950 -+
47951 -+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
47952 -+ error = -EPERM;
47953 -+ goto err_out;
47954 -+ }
47955 -+ if (gr_handle_rawio(inode)) {
47956 -+ error = -EPERM;
47957 -+ goto err_out;
47958 -+ }
47959 -+ if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
47960 -+ error = -EACCES;
47961 -+ goto err_out;
47962 -+ }
47963 -+
47964 - if (flag & O_TRUNC) {
47965 - error = get_write_access(inode);
47966 - if (error)
47967 -@@ -1621,12 +1658,19 @@ static int __open_namei_create(struct na
47968 - int error;
47969 - struct dentry *dir = nd->path.dentry;
47970 -
47971 -+ if (!gr_acl_handle_creat(path->dentry, dir, nd->path.mnt, flag, mode)) {
47972 -+ error = -EACCES;
47973 -+ goto out_unlock;
47974 -+ }
47975 -+
47976 - if (!IS_POSIXACL(dir->d_inode))
47977 - mode &= ~current_umask();
47978 - error = security_path_mknod(&nd->path, path->dentry, mode, 0);
47979 - if (error)
47980 - goto out_unlock;
47981 - error = vfs_create(dir->d_inode, path->dentry, mode, nd);
47982 -+ if (!error)
47983 -+ gr_handle_create(path->dentry, nd->path.mnt);
47984 - out_unlock:
47985 - mutex_unlock(&dir->d_inode->i_mutex);
47986 - dput(nd->path.dentry);
47987 -@@ -1709,6 +1753,22 @@ struct file *do_filp_open(int dfd, const
47988 - &nd, flag);
47989 - if (error)
47990 - return ERR_PTR(error);
47991 -+
47992 -+ if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
47993 -+ error = -EPERM;
47994 -+ goto exit;
47995 -+ }
47996 -+
47997 -+ if (gr_handle_rawio(nd.path.dentry->d_inode)) {
47998 -+ error = -EPERM;
47999 -+ goto exit;
48000 -+ }
48001 -+
48002 -+ if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
48003 -+ error = -EACCES;
48004 -+ goto exit;
48005 -+ }
48006 -+
48007 - goto ok;
48008 - }
48009 -
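Review bot: the three checks added here (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) repeat the sequence added to `may_open()` earlier in this file, with the same error codes. Factor them into one helper so the two open paths cannot drift apart.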
48010 -@@ -1795,6 +1855,19 @@ do_last:
48011 - /*
48012 - * It already exists.
48013 - */
48014 -+
48015 -+ if (!gr_acl_handle_hidden_file(path.dentry, path.mnt)) {
48016 -+ error = -ENOENT;
48017 -+ goto exit_mutex_unlock;
48018 -+ }
48019 -+
48020 -+ /* only check if O_CREAT is specified, all other checks need
48021 -+ to go into may_open */
48022 -+ if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
48023 -+ error = -EACCES;
48024 -+ goto exit_mutex_unlock;
48025 -+ }
48026 -+
48027 - mutex_unlock(&dir->d_inode->i_mutex);
48028 - audit_inode(pathname, path.dentry);
48029 -
48030 -@@ -1887,6 +1960,13 @@ do_link:
48031 - error = security_inode_follow_link(path.dentry, &nd);
48032 - if (error)
48033 - goto exit_dput;
48034 -+
48035 -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
48036 -+ path.dentry, nd.path.mnt)) {
48037 -+ error = -EACCES;
48038 -+ goto exit_dput;
48039 -+ }
48040 -+
48041 - error = __do_follow_link(&path, &nd);
48042 - if (error) {
48043 - /* Does someone understand code flow here? Or it is only
48044 -@@ -1984,6 +2064,10 @@ struct dentry *lookup_create(struct name
48045 - }
48046 - return dentry;
48047 - eexist:
48048 -+ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
48049 -+ dput(dentry);
48050 -+ return ERR_PTR(-ENOENT);
48051 -+ }
48052 - dput(dentry);
48053 - dentry = ERR_PTR(-EEXIST);
48054 - fail:
48055 -@@ -2061,6 +2145,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48056 - error = may_mknod(mode);
48057 - if (error)
48058 - goto out_dput;
48059 -+
48060 -+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48061 -+ error = -EPERM;
48062 -+ goto out_dput;
48063 -+ }
48064 -+
48065 -+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48066 -+ error = -EACCES;
48067 -+ goto out_dput;
48068 -+ }
48069 -+
48070 - error = mnt_want_write(nd.path.mnt);
48071 - if (error)
48072 - goto out_dput;
48073 -@@ -2081,6 +2176,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48074 - }
48075 - out_drop_write:
48076 - mnt_drop_write(nd.path.mnt);
48077 -+
48078 -+ if (!error)
48079 -+ gr_handle_create(dentry, nd.path.mnt);
48080 - out_dput:
48081 - dput(dentry);
48082 - out_unlock:
48083 -@@ -2134,6 +2232,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48084 - if (IS_ERR(dentry))
48085 - goto out_unlock;
48086 -
48087 -+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48088 -+ error = -EACCES;
48089 -+ goto out_dput;
48090 -+ }
48091 -+
48092 - if (!IS_POSIXACL(nd.path.dentry->d_inode))
48093 - mode &= ~current_umask();
48094 - error = mnt_want_write(nd.path.mnt);
48095 -@@ -2145,6 +2248,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48096 - error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48097 - out_drop_write:
48098 - mnt_drop_write(nd.path.mnt);
48099 -+
48100 -+ if (!error)
48101 -+ gr_handle_create(dentry, nd.path.mnt);
48102 -+
48103 - out_dput:
48104 - dput(dentry);
48105 - out_unlock:
48106 -@@ -2226,6 +2333,8 @@ static long do_rmdir(int dfd, const char
48107 - char * name;
48108 - struct dentry *dentry;
48109 - struct nameidata nd;
48110 -+ ino_t saved_ino = 0;
48111 -+ dev_t saved_dev = 0;
48112 -
48113 - error = user_path_parent(dfd, pathname, &nd, &name);
48114 - if (error)
48115 -@@ -2250,6 +2359,19 @@ static long do_rmdir(int dfd, const char
48116 - error = PTR_ERR(dentry);
48117 - if (IS_ERR(dentry))
48118 - goto exit2;
48119 -+
48120 -+ if (dentry->d_inode != NULL) {
48121 -+ if (dentry->d_inode->i_nlink <= 1) {
48122 -+ saved_ino = dentry->d_inode->i_ino;
48123 -+ saved_dev = gr_get_dev_from_dentry(dentry);
48124 -+ }
48125 -+
48126 -+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48127 -+ error = -EACCES;
48128 -+ goto exit3;
48129 -+ }
48130 -+ }
48131 -+
48132 - error = mnt_want_write(nd.path.mnt);
48133 - if (error)
48134 - goto exit3;
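Review bot: `saved_ino` and `saved_dev` are captured only when `i_nlink <= 1`, but many filesystems report a link count of at least 2 for a directory, in which case the `gr_handle_delete()` call added in the next hunk is never reached from `do_rmdir()`. Please confirm the threshold was chosen for directories and not carried over from the `do_unlinkat()` change.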
48135 -@@ -2257,6 +2379,8 @@ static long do_rmdir(int dfd, const char
48136 - if (error)
48137 - goto exit4;
48138 - error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48139 -+ if (!error && (saved_dev || saved_ino))
48140 -+ gr_handle_delete(saved_ino, saved_dev);
48141 - exit4:
48142 - mnt_drop_write(nd.path.mnt);
48143 - exit3:
48144 -@@ -2318,6 +2442,8 @@ static long do_unlinkat(int dfd, const c
48145 - struct dentry *dentry;
48146 - struct nameidata nd;
48147 - struct inode *inode = NULL;
48148 -+ ino_t saved_ino = 0;
48149 -+ dev_t saved_dev = 0;
48150 -
48151 - error = user_path_parent(dfd, pathname, &nd, &name);
48152 - if (error)
48153 -@@ -2337,8 +2463,19 @@ static long do_unlinkat(int dfd, const c
48154 - if (nd.last.name[nd.last.len])
48155 - goto slashes;
48156 - inode = dentry->d_inode;
48157 -- if (inode)
48158 -+ if (inode) {
48159 -+ if (inode->i_nlink <= 1) {
48160 -+ saved_ino = inode->i_ino;
48161 -+ saved_dev = gr_get_dev_from_dentry(dentry);
48162 -+ }
48163 -+
48164 - atomic_inc(&inode->i_count);
48165 -+
48166 -+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48167 -+ error = -EACCES;
48168 -+ goto exit2;
48169 -+ }
48170 -+ }
48171 - error = mnt_want_write(nd.path.mnt);
48172 - if (error)
48173 - goto exit2;
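Review bot: `atomic_inc(&inode->i_count)` now runs before the new `gr_acl_handle_unlink()` check, and the denial path leaves through `goto exit2` with that reference still held. The matching release is not visible in this hunk, so please confirm that the code after `exit2:` drops it on this path too. Moving the ACL check above the `atomic_inc()` would avoid taking the reference at all when the unlink is denied.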
48174 -@@ -2346,6 +2483,8 @@ static long do_unlinkat(int dfd, const c
48175 - if (error)
48176 - goto exit3;
48177 - error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48178 -+ if (!error && (saved_ino || saved_dev))
48179 -+ gr_handle_delete(saved_ino, saved_dev);
48180 - exit3:
48181 - mnt_drop_write(nd.path.mnt);
48182 - exit2:
48183 -@@ -2424,6 +2563,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48184 - if (IS_ERR(dentry))
48185 - goto out_unlock;
48186 -
48187 -+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48188 -+ error = -EACCES;
48189 -+ goto out_dput;
48190 -+ }
48191 -+
48192 - error = mnt_want_write(nd.path.mnt);
48193 - if (error)
48194 - goto out_dput;
48195 -@@ -2431,6 +2575,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48196 - if (error)
48197 - goto out_drop_write;
48198 - error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48199 -+ if (!error)
48200 -+ gr_handle_create(dentry, nd.path.mnt);
48201 - out_drop_write:
48202 - mnt_drop_write(nd.path.mnt);
48203 - out_dput:
48204 -@@ -2524,6 +2670,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48205 - error = PTR_ERR(new_dentry);
48206 - if (IS_ERR(new_dentry))
48207 - goto out_unlock;
48208 -+
48209 -+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48210 -+ old_path.dentry->d_inode,
48211 -+ old_path.dentry->d_inode->i_mode, to)) {
48212 -+ error = -EACCES;
48213 -+ goto out_dput;
48214 -+ }
48215 -+
48216 -+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48217 -+ old_path.dentry, old_path.mnt, to)) {
48218 -+ error = -EACCES;
48219 -+ goto out_dput;
48220 -+ }
48221 -+
48222 - error = mnt_want_write(nd.path.mnt);
48223 - if (error)
48224 - goto out_dput;
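Review bot: the two checks added before `mnt_want_write()` use opposite return conventions: `gr_handle_hardlink()` denies on a non-zero return while `gr_acl_handle_link()` denies on zero, and both map to `-EACCES`. That is easy to misread when the calls sit next to each other. A short comment on each `if`, or hooks that return an errno directly as `gr_acl_handle_rename()` does in the renameat hunk, would make the intent explicit.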
48225 -@@ -2531,6 +2691,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48226 - if (error)
48227 - goto out_drop_write;
48228 - error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48229 -+ if (!error)
48230 -+ gr_handle_create(new_dentry, nd.path.mnt);
48231 - out_drop_write:
48232 - mnt_drop_write(nd.path.mnt);
48233 - out_dput:
48234 -@@ -2708,6 +2870,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48235 - char *to;
48236 - int error;
48237 -
48238 -+ pax_track_stack();
48239 -+
48240 - error = user_path_parent(olddfd, oldname, &oldnd, &from);
48241 - if (error)
48242 - goto exit;
48243 -@@ -2764,6 +2928,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48244 - if (new_dentry == trap)
48245 - goto exit5;
48246 -
48247 -+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48248 -+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
48249 -+ to);
48250 -+ if (error)
48251 -+ goto exit5;
48252 -+
48253 - error = mnt_want_write(oldnd.path.mnt);
48254 - if (error)
48255 - goto exit5;
48256 -@@ -2773,6 +2943,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48257 - goto exit6;
48258 - error = vfs_rename(old_dir->d_inode, old_dentry,
48259 - new_dir->d_inode, new_dentry);
48260 -+ if (!error)
48261 -+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48262 -+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48263 - exit6:
48264 - mnt_drop_write(oldnd.path.mnt);
48265 - exit5:
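Review bot: the last argument to `gr_handle_rename()`, `new_dentry->d_inode ? 1 : 0`, is evaluated after `vfs_rename()` has already returned, so it depends on what `new_dentry` looks like once the rename is complete. The rmdir and unlink hunks snapshot `saved_ino`/`saved_dev` before the VFS call; setting a local flag before `vfs_rename()` here would make explicit what the value is meant to record.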
48266 -@@ -2798,6 +2971,8 @@ SYSCALL_DEFINE2(rename, const char __use
48267 -
48268 - int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48269 - {
48270 -+ char tmpbuf[64];
48271 -+ const char *newlink;
48272 - int len;
48273 -
48274 - len = PTR_ERR(link);
48275 -@@ -2807,7 +2982,14 @@ int vfs_readlink(struct dentry *dentry,
48276 - len = strlen(link);
48277 - if (len > (unsigned) buflen)
48278 - len = buflen;
48279 -- if (copy_to_user(buffer, link, len))
48280 -+
48281 -+ if (len < sizeof(tmpbuf)) {
48282 -+ memcpy(tmpbuf, link, len);
48283 -+ newlink = tmpbuf;
48284 -+ } else
48285 -+ newlink = link;
48286 -+
48287 -+ if (copy_to_user(buffer, newlink, len))
48288 - len = -EFAULT;
48289 - out:
48290 - return len;
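Review bot: nothing in this hunk says why link targets shorter than `sizeof(tmpbuf)` are copied into the on-stack `tmpbuf` before `copy_to_user()` while longer ones are passed through unchanged. Please add a comment stating the reason for the bounce copy, and give the 64 in `char tmpbuf[64]` a named constant. `len < sizeof(tmpbuf)` also compares an `int` with a `size_t`, which is only correct as long as `len` is non-negative at this point; that deserves a note too.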
48291 -diff -urNp linux-2.6.32.46/fs/namespace.c linux-2.6.32.46/fs/namespace.c
48292 ---- linux-2.6.32.46/fs/namespace.c 2011-03-27 14:31:47.000000000 -0400
48293 -+++ linux-2.6.32.46/fs/namespace.c 2011-04-17 15:56:46.000000000 -0400
48294 -@@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
48295 - if (!(sb->s_flags & MS_RDONLY))
48296 - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48297 - up_write(&sb->s_umount);
48298 -+
48299 -+ gr_log_remount(mnt->mnt_devname, retval);
48300 -+
48301 - return retval;
48302 - }
48303 -
48304 -@@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
48305 - security_sb_umount_busy(mnt);
48306 - up_write(&namespace_sem);
48307 - release_mounts(&umount_list);
48308 -+
48309 -+ gr_log_unmount(mnt->mnt_devname, retval);
48310 -+
48311 - return retval;
48312 - }
48313 -
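Review bot: `gr_log_unmount(mnt->mnt_devname, retval)` dereferences `mnt` after `release_mounts(&umount_list)` has run. Please confirm that the caller's reference keeps `mnt` and its `mnt_devname` string alive at this point, or move the log call above `release_mounts()`. The call also fires when `retval` is an error, so the hook has to distinguish failed unmounts from successful ones.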
48314 -@@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
48315 - if (retval)
48316 - goto dput_out;
48317 -
48318 -+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48319 -+ retval = -EPERM;
48320 -+ goto dput_out;
48321 -+ }
48322 -+
48323 -+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48324 -+ retval = -EPERM;
48325 -+ goto dput_out;
48326 -+ }
48327 -+
48328 - if (flags & MS_REMOUNT)
48329 - retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48330 - data_page);
48331 -@@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
48332 - dev_name, data_page);
48333 - dput_out:
48334 - path_put(&path);
48335 -+
48336 -+ gr_log_mount(dev_name, dir_name, retval);
48337 -+
48338 - return retval;
48339 - }
48340 -
48341 -@@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
48342 - goto out1;
48343 - }
48344 -
48345 -+ if (gr_handle_chroot_pivot()) {
48346 -+ error = -EPERM;
48347 -+ path_put(&old);
48348 -+ goto out1;
48349 -+ }
48350 -+
48351 - read_lock(&current->fs->lock);
48352 - root = current->fs->root;
48353 - path_get(&current->fs->root);
48354 -diff -urNp linux-2.6.32.46/fs/ncpfs/dir.c linux-2.6.32.46/fs/ncpfs/dir.c
48355 ---- linux-2.6.32.46/fs/ncpfs/dir.c 2011-03-27 14:31:47.000000000 -0400
48356 -+++ linux-2.6.32.46/fs/ncpfs/dir.c 2011-05-16 21:46:57.000000000 -0400
48357 -@@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
48358 - int res, val = 0, len;
48359 - __u8 __name[NCP_MAXPATHLEN + 1];
48360 -
48361 -+ pax_track_stack();
48362 -+
48363 - parent = dget_parent(dentry);
48364 - dir = parent->d_inode;
48365 -
48366 -@@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
48367 - int error, res, len;
48368 - __u8 __name[NCP_MAXPATHLEN + 1];
48369 -
48370 -+ pax_track_stack();
48371 -+
48372 - lock_kernel();
48373 - error = -EIO;
48374 - if (!ncp_conn_valid(server))
48375 -@@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
48376 - int error, result, len;
48377 - int opmode;
48378 - __u8 __name[NCP_MAXPATHLEN + 1];
48379 --
48380 -+
48381 - PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
48382 - dentry->d_parent->d_name.name, dentry->d_name.name, mode);
48383 -
48384 -+ pax_track_stack();
48385 -+
48386 - error = -EIO;
48387 - lock_kernel();
48388 - if (!ncp_conn_valid(server))
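Review bot: the first `-`/`+` pair in this hunk, right after the `__name` declaration, changes only whitespace on a blank line and should be dropped from the patch. `pax_track_stack()` is also placed after the `PPRINTK()` call here, while the other ncpfs hunks put it directly after the declarations; keeping one placement makes the instrumentation easier to audit.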
48389 -@@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
48390 - int error, len;
48391 - __u8 __name[NCP_MAXPATHLEN + 1];
48392 -
48393 -+ pax_track_stack();
48394 -+
48395 - DPRINTK("ncp_mkdir: making %s/%s\n",
48396 - dentry->d_parent->d_name.name, dentry->d_name.name);
48397 -
48398 -@@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
48399 - if (!ncp_conn_valid(server))
48400 - goto out;
48401 -
48402 -+ pax_track_stack();
48403 -+
48404 - ncp_age_dentry(server, dentry);
48405 - len = sizeof(__name);
48406 - error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
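Review bot: this is the second `pax_track_stack()` added to ncp_mkdir(); the previous hunk already inserts one right after the declarations, before the `DPRINTK()`. The call after the `ncp_conn_valid()` check looks like a duplicate and can be removed unless there is a reason to call it twice, in which case please say so in a comment.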
48407 -@@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
48408 - int old_len, new_len;
48409 - __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
48410 -
48411 -+ pax_track_stack();
48412 -+
48413 - DPRINTK("ncp_rename: %s/%s to %s/%s\n",
48414 - old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
48415 - new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
48416 -diff -urNp linux-2.6.32.46/fs/ncpfs/inode.c linux-2.6.32.46/fs/ncpfs/inode.c
48417 ---- linux-2.6.32.46/fs/ncpfs/inode.c 2011-03-27 14:31:47.000000000 -0400
48418 -+++ linux-2.6.32.46/fs/ncpfs/inode.c 2011-05-16 21:46:57.000000000 -0400
48419 -@@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
48420 - #endif
48421 - struct ncp_entry_info finfo;
48422 -
48423 -+ pax_track_stack();
48424 -+
48425 - data.wdog_pid = NULL;
48426 - server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
48427 - if (!server)
48428 -diff -urNp linux-2.6.32.46/fs/nfs/inode.c linux-2.6.32.46/fs/nfs/inode.c
48429 ---- linux-2.6.32.46/fs/nfs/inode.c 2011-05-10 22:12:01.000000000 -0400
48430 -+++ linux-2.6.32.46/fs/nfs/inode.c 2011-07-06 19:53:33.000000000 -0400
48431 -@@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
48432 - nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
48433 - nfsi->attrtimeo_timestamp = jiffies;
48434 -
48435 -- memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
48436 -+ memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
48437 - if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
48438 - nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
48439 - else
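Review bot: the `memset()` length change from `sizeof(NFS_COOKIEVERF(inode))` to `sizeof(NFS_I(inode)->cookieverf)` is a behavioural fix, not a hardening annotation, and it carries no explanation. If `NFS_COOKIEVERF()` evaluates to a pointer, the old expression cleared only a pointer's worth of bytes rather than the whole `cookieverf` field. Please state that in a comment or the changelog so the fix can be reviewed and forwarded on its own.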
48440 -@@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
48441 - return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
48442 - }
48443 -
48444 --static atomic_long_t nfs_attr_generation_counter;
48445 -+static atomic_long_unchecked_t nfs_attr_generation_counter;
48446 -
48447 - static unsigned long nfs_read_attr_generation_counter(void)
48448 - {
48449 -- return atomic_long_read(&nfs_attr_generation_counter);
48450 -+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
48451 - }
48452 -
48453 - unsigned long nfs_inc_attr_generation_counter(void)
48454 - {
48455 -- return atomic_long_inc_return(&nfs_attr_generation_counter);
48456 -+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
48457 - }
48458 -
48459 - void nfs_fattr_init(struct nfs_fattr *fattr)
48460 -diff -urNp linux-2.6.32.46/fs/nfsd/lockd.c linux-2.6.32.46/fs/nfsd/lockd.c
48461 ---- linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:00:52.000000000 -0400
48462 -+++ linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:03:15.000000000 -0400
48463 -@@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
48464 - fput(filp);
48465 - }
48466 -
48467 --static struct nlmsvc_binding nfsd_nlm_ops = {
48468 -+static const struct nlmsvc_binding nfsd_nlm_ops = {
48469 - .fopen = nlm_fopen, /* open file for locking */
48470 - .fclose = nlm_fclose, /* close file */
48471 - };
48472 -diff -urNp linux-2.6.32.46/fs/nfsd/nfs4state.c linux-2.6.32.46/fs/nfsd/nfs4state.c
48473 ---- linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-03-27 14:31:47.000000000 -0400
48474 -+++ linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-05-16 21:46:57.000000000 -0400
48475 -@@ -3457,6 +3457,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
48476 - unsigned int cmd;
48477 - int err;
48478 -
48479 -+ pax_track_stack();
48480 -+
48481 - dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
48482 - (long long) lock->lk_offset,
48483 - (long long) lock->lk_length);
48484 -diff -urNp linux-2.6.32.46/fs/nfsd/nfs4xdr.c linux-2.6.32.46/fs/nfsd/nfs4xdr.c
48485 ---- linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-03-27 14:31:47.000000000 -0400
48486 -+++ linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-05-16 21:46:57.000000000 -0400
48487 -@@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
48488 - struct nfsd4_compoundres *resp = rqstp->rq_resp;
48489 - u32 minorversion = resp->cstate.minorversion;
48490 -
48491 -+ pax_track_stack();
48492 -+
48493 - BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
48494 - BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
48495 - BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
48496 -diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
48497 ---- linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
48498 -+++ linux-2.6.32.46/fs/nfsd/vfs.c 2011-10-06 09:37:14.000000000 -0400
48499 -@@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
48500 - } else {
48501 - oldfs = get_fs();
48502 - set_fs(KERNEL_DS);
48503 -- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
48504 -+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
48505 - set_fs(oldfs);
48506 - }
48507 -
48508 -@@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
48509 -
48510 - /* Write the data. */
48511 - oldfs = get_fs(); set_fs(KERNEL_DS);
48512 -- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
48513 -+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
48514 - set_fs(oldfs);
48515 - if (host_err < 0)
48516 - goto out_nfserr;
48517 -@@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
48518 - */
48519 -
48520 - oldfs = get_fs(); set_fs(KERNEL_DS);
48521 -- host_err = inode->i_op->readlink(dentry, buf, *lenp);
48522 -+ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
48523 - set_fs(oldfs);
48524 -
48525 - if (host_err < 0)
48526 -diff -urNp linux-2.6.32.46/fs/nilfs2/ioctl.c linux-2.6.32.46/fs/nilfs2/ioctl.c
48527 ---- linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-03-27 14:31:47.000000000 -0400
48528 -+++ linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-05-04 17:56:28.000000000 -0400
48529 -@@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
48530 - unsigned int cmd, void __user *argp)
48531 - {
48532 - struct nilfs_argv argv[5];
48533 -- const static size_t argsz[5] = {
48534 -+ static const size_t argsz[5] = {
48535 - sizeof(struct nilfs_vdesc),
48536 - sizeof(struct nilfs_period),
48537 - sizeof(__u64),
48538 -diff -urNp linux-2.6.32.46/fs/notify/dnotify/dnotify.c linux-2.6.32.46/fs/notify/dnotify/dnotify.c
48539 ---- linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-03-27 14:31:47.000000000 -0400
48540 -+++ linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-04-17 15:56:46.000000000 -0400
48541 -@@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
48542 - kmem_cache_free(dnotify_mark_entry_cache, dnentry);
48543 - }
48544 -
48545 --static struct fsnotify_ops dnotify_fsnotify_ops = {
48546 -+static const struct fsnotify_ops dnotify_fsnotify_ops = {
48547 - .handle_event = dnotify_handle_event,
48548 - .should_send_event = dnotify_should_send_event,
48549 - .free_group_priv = NULL,
48550 -diff -urNp linux-2.6.32.46/fs/notify/notification.c linux-2.6.32.46/fs/notify/notification.c
48551 ---- linux-2.6.32.46/fs/notify/notification.c 2011-03-27 14:31:47.000000000 -0400
48552 -+++ linux-2.6.32.46/fs/notify/notification.c 2011-05-04 17:56:28.000000000 -0400
48553 -@@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
48554 - * get set to 0 so it will never get 'freed'
48555 - */
48556 - static struct fsnotify_event q_overflow_event;
48557 --static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
48558 -+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
48559 -
48560 - /**
48561 - * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
48562 -@@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
48563 - */
48564 - u32 fsnotify_get_cookie(void)
48565 - {
48566 -- return atomic_inc_return(&fsnotify_sync_cookie);
48567 -+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
48568 - }
48569 - EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
48570 -
48571 -diff -urNp linux-2.6.32.46/fs/ntfs/dir.c linux-2.6.32.46/fs/ntfs/dir.c
48572 ---- linux-2.6.32.46/fs/ntfs/dir.c 2011-03-27 14:31:47.000000000 -0400
48573 -+++ linux-2.6.32.46/fs/ntfs/dir.c 2011-04-17 15:56:46.000000000 -0400
48574 -@@ -1328,7 +1328,7 @@ find_next_index_buffer:
48575 - ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
48576 - ~(s64)(ndir->itype.index.block_size - 1)));
48577 - /* Bounds checks. */
48578 -- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
48579 -+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
48580 - ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
48581 - "inode 0x%lx or driver bug.", vdir->i_ino);
48582 - goto err_out;
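Review bot: the new `!kaddr` test in the bounds check comes after `kaddr` has already been used to compute `ia` in the assignment at the top of the hunk, and a NULL `kaddr` is then reported with the "Out of bounds check failed. Corrupt directory inode" message. If `kaddr` can be NULL here, check it where it is obtained and fail with its own message; if it cannot, the extra condition should be dropped or justified in a comment.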
48583 -diff -urNp linux-2.6.32.46/fs/ntfs/file.c linux-2.6.32.46/fs/ntfs/file.c
48584 ---- linux-2.6.32.46/fs/ntfs/file.c 2011-03-27 14:31:47.000000000 -0400
48585 -+++ linux-2.6.32.46/fs/ntfs/file.c 2011-04-17 15:56:46.000000000 -0400
48586 -@@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
48587 - #endif /* NTFS_RW */
48588 - };
48589 -
48590 --const struct file_operations ntfs_empty_file_ops = {};
48591 -+const struct file_operations ntfs_empty_file_ops __read_only;
48592 -
48593 --const struct inode_operations ntfs_empty_inode_ops = {};
48594 -+const struct inode_operations ntfs_empty_inode_ops __read_only;
48595 -diff -urNp linux-2.6.32.46/fs/ocfs2/cluster/masklog.c linux-2.6.32.46/fs/ocfs2/cluster/masklog.c
48596 ---- linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-03-27 14:31:47.000000000 -0400
48597 -+++ linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-04-17 15:56:46.000000000 -0400
48598 -@@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
48599 - return mlog_mask_store(mlog_attr->mask, buf, count);
48600 - }
48601 -
48602 --static struct sysfs_ops mlog_attr_ops = {
48603 -+static const struct sysfs_ops mlog_attr_ops = {
48604 - .show = mlog_show,
48605 - .store = mlog_store,
48606 - };
48607 -diff -urNp linux-2.6.32.46/fs/ocfs2/localalloc.c linux-2.6.32.46/fs/ocfs2/localalloc.c
48608 ---- linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-03-27 14:31:47.000000000 -0400
48609 -+++ linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-04-17 15:56:46.000000000 -0400
48610 -@@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
48611 - goto bail;
48612 - }
48613 -
48614 -- atomic_inc(&osb->alloc_stats.moves);
48615 -+ atomic_inc_unchecked(&osb->alloc_stats.moves);
48616 -
48617 - status = 0;
48618 - bail:
48619 -diff -urNp linux-2.6.32.46/fs/ocfs2/namei.c linux-2.6.32.46/fs/ocfs2/namei.c
48620 ---- linux-2.6.32.46/fs/ocfs2/namei.c 2011-03-27 14:31:47.000000000 -0400
48621 -+++ linux-2.6.32.46/fs/ocfs2/namei.c 2011-05-16 21:46:57.000000000 -0400
48622 -@@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
48623 - struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
48624 - struct ocfs2_dir_lookup_result target_insert = { NULL, };
48625 -
48626 -+ pax_track_stack();
48627 -+
48628 - /* At some point it might be nice to break this function up a
48629 - * bit. */
48630 -
48631 -diff -urNp linux-2.6.32.46/fs/ocfs2/ocfs2.h linux-2.6.32.46/fs/ocfs2/ocfs2.h
48632 ---- linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-03-27 14:31:47.000000000 -0400
48633 -+++ linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-04-17 15:56:46.000000000 -0400
48634 -@@ -217,11 +217,11 @@ enum ocfs2_vol_state
48635 -
48636 - struct ocfs2_alloc_stats
48637 - {
48638 -- atomic_t moves;
48639 -- atomic_t local_data;
48640 -- atomic_t bitmap_data;
48641 -- atomic_t bg_allocs;
48642 -- atomic_t bg_extends;
48643 -+ atomic_unchecked_t moves;
48644 -+ atomic_unchecked_t local_data;
48645 -+ atomic_unchecked_t bitmap_data;
48646 -+ atomic_unchecked_t bg_allocs;
48647 -+ atomic_unchecked_t bg_extends;
48648 - };
48649 -
48650 - enum ocfs2_local_alloc_state
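Review bot: the five `alloc_stats` fields are switched to `atomic_unchecked_t` without a comment saying why they are exempt from overflow checking. The ocfs2_osb_dump() hunk later in the patch prints them under "Stats", which suggests they are statistics only. A one-line comment on the struct stating that wrap-around is harmless would let reviewers verify each `_unchecked` conversion against it.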
48651 -diff -urNp linux-2.6.32.46/fs/ocfs2/suballoc.c linux-2.6.32.46/fs/ocfs2/suballoc.c
48652 ---- linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-03-27 14:31:47.000000000 -0400
48653 -+++ linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-04-17 15:56:46.000000000 -0400
48654 -@@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
48655 - mlog_errno(status);
48656 - goto bail;
48657 - }
48658 -- atomic_inc(&osb->alloc_stats.bg_extends);
48659 -+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
48660 -
48661 - /* You should never ask for this much metadata */
48662 - BUG_ON(bits_wanted >
48663 -@@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
48664 - mlog_errno(status);
48665 - goto bail;
48666 - }
48667 -- atomic_inc(&osb->alloc_stats.bg_allocs);
48668 -+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
48669 -
48670 - *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
48671 - ac->ac_bits_given += (*num_bits);
48672 -@@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
48673 - mlog_errno(status);
48674 - goto bail;
48675 - }
48676 -- atomic_inc(&osb->alloc_stats.bg_allocs);
48677 -+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
48678 -
48679 - BUG_ON(num_bits != 1);
48680 -
48681 -@@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
48682 - cluster_start,
48683 - num_clusters);
48684 - if (!status)
48685 -- atomic_inc(&osb->alloc_stats.local_data);
48686 -+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
48687 - } else {
48688 - if (min_clusters > (osb->bitmap_cpg - 1)) {
48689 - /* The only paths asking for contiguousness
48690 -@@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
48691 - ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
48692 - bg_blkno,
48693 - bg_bit_off);
48694 -- atomic_inc(&osb->alloc_stats.bitmap_data);
48695 -+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
48696 - }
48697 - }
48698 - if (status < 0) {
48699 -diff -urNp linux-2.6.32.46/fs/ocfs2/super.c linux-2.6.32.46/fs/ocfs2/super.c
48700 ---- linux-2.6.32.46/fs/ocfs2/super.c 2011-03-27 14:31:47.000000000 -0400
48701 -+++ linux-2.6.32.46/fs/ocfs2/super.c 2011-04-17 15:56:46.000000000 -0400
48702 -@@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
48703 - "%10s => GlobalAllocs: %d LocalAllocs: %d "
48704 - "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
48705 - "Stats",
48706 -- atomic_read(&osb->alloc_stats.bitmap_data),
48707 -- atomic_read(&osb->alloc_stats.local_data),
48708 -- atomic_read(&osb->alloc_stats.bg_allocs),
48709 -- atomic_read(&osb->alloc_stats.moves),
48710 -- atomic_read(&osb->alloc_stats.bg_extends));
48711 -+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
48712 -+ atomic_read_unchecked(&osb->alloc_stats.local_data),
48713 -+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
48714 -+ atomic_read_unchecked(&osb->alloc_stats.moves),
48715 -+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
48716 -
48717 - out += snprintf(buf + out, len - out,
48718 - "%10s => State: %u Descriptor: %llu Size: %u bits "
48719 -@@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
48720 - spin_lock_init(&osb->osb_xattr_lock);
48721 - ocfs2_init_inode_steal_slot(osb);
48722 -
48723 -- atomic_set(&osb->alloc_stats.moves, 0);
48724 -- atomic_set(&osb->alloc_stats.local_data, 0);
48725 -- atomic_set(&osb->alloc_stats.bitmap_data, 0);
48726 -- atomic_set(&osb->alloc_stats.bg_allocs, 0);
48727 -- atomic_set(&osb->alloc_stats.bg_extends, 0);
48728 -+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
48729 -+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
48730 -+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
48731 -+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
48732 -+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
48733 -
48734 - /* Copy the blockcheck stats from the superblock probe */
48735 - osb->osb_ecc_stats = *stats;
48736 -diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
48737 ---- linux-2.6.32.46/fs/open.c 2011-03-27 14:31:47.000000000 -0400
48738 -+++ linux-2.6.32.46/fs/open.c 2011-09-13 16:03:56.000000000 -0400
48739 -@@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
48740 - error = locks_verify_truncate(inode, NULL, length);
48741 - if (!error)
48742 - error = security_path_truncate(&path, length, 0);
48743 -+
48744 -+ if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
48745 -+ error = -EACCES;
48746 -+
48747 - if (!error) {
48748 - vfs_dq_init(inode);
48749 - error = do_truncate(path.dentry, length, 0, NULL);
48750 -@@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
48751 - if (__mnt_is_readonly(path.mnt))
48752 - res = -EROFS;
48753 -
48754 -+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
48755 -+ res = -EACCES;
48756 -+
48757 - out_path_release:
48758 - path_put(&path);
48759 - out:
48760 -@@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
48761 - if (error)
48762 - goto dput_and_out;
48763 -
48764 -+ gr_log_chdir(path.dentry, path.mnt);
48765 -+
48766 - set_fs_pwd(current->fs, &path);
48767 -
48768 - dput_and_out:
48769 -@@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
48770 - goto out_putf;
48771 -
48772 - error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
48773 -+
48774 -+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
48775 -+ error = -EPERM;
48776 -+
48777 -+ if (!error)
48778 -+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
48779 -+
48780 - if (!error)
48781 - set_fs_pwd(current->fs, &file->f_path);
48782 - out_putf:
48783 -@@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use
48784 - if (!capable(CAP_SYS_CHROOT))
48785 - goto dput_and_out;
48786 -
48787 -+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
48788 -+ goto dput_and_out;
48789 -+
48790 - set_fs_root(current->fs, &path);
48791 -+
48792 -+ gr_handle_chroot_chdir(&path);
48793 -+
48794 - error = 0;
48795 - dput_and_out:
48796 - path_put(&path);
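Review bot: the `gr_handle_chroot_chroot()` denial jumps to `dput_and_out` without assigning `error`, so the value returned is whatever was set before the `capable(CAP_SYS_CHROOT)` check. The other hooks added to this file set the errno at the point of denial; doing the same here keeps the check correct if the surrounding code is reordered.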
48797 -@@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
48798 - err = mnt_want_write_file(file);
48799 - if (err)
48800 - goto out_putf;
48801 -+
48802 - mutex_lock(&inode->i_mutex);
48803 -+
48804 -+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
48805 -+ err = -EACCES;
48806 -+ goto out_unlock;
48807 -+ }
48808 -+
48809 - if (mode == (mode_t) -1)
48810 - mode = inode->i_mode;
48811 -+
48812 -+ if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
48813 -+ err = -EPERM;
48814 -+ goto out_unlock;
48815 -+ }
48816 -+
48817 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
48818 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
48819 - err = notify_change(dentry, &newattrs);
48820 -+
48821 -+out_unlock:
48822 - mutex_unlock(&inode->i_mutex);
48823 - mnt_drop_write(file->f_path.mnt);
48824 - out_putf:
48825 -@@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
48826 - error = mnt_want_write(path.mnt);
48827 - if (error)
48828 - goto dput_and_out;
48829 -+
48830 - mutex_lock(&inode->i_mutex);
48831 -+
48832 -+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
48833 -+ error = -EACCES;
48834 -+ goto out_unlock;
48835 -+ }
48836 -+
48837 - if (mode == (mode_t) -1)
48838 - mode = inode->i_mode;
48839 -+
48840 -+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
48841 -+ error = -EACCES;
48842 -+ goto out_unlock;
48843 -+ }
48844 -+
48845 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
48846 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
48847 - error = notify_change(path.dentry, &newattrs);
48848 -+
48849 -+out_unlock:
48850 - mutex_unlock(&inode->i_mutex);
48851 - mnt_drop_write(path.mnt);
48852 - dput_and_out:
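Review bot: the `gr_handle_chroot_chmod()` denial in fchmodat() sets `error = -EACCES`, while the same hook in the fchmod() hunk just above sets `err = -EPERM`. The two syscalls should fail with the same errno for the same policy decision; please pick one. In both functions the ACL hook is also called with `mode` before the `mode == (mode_t) -1` normalisation and the chroot hook after it, so the two hooks can see different `mode` values; a comment should say whether that is intended.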
48853 -@@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user
48854 - return sys_fchmodat(AT_FDCWD, filename, mode);
48855 - }
48856 -
48857 --static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
48858 -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
48859 - {
48860 - struct inode *inode = dentry->d_inode;
48861 - int error;
48862 - struct iattr newattrs;
48863 -
48864 -+ if (!gr_acl_handle_chown(dentry, mnt))
48865 -+ return -EACCES;
48866 -+
48867 - newattrs.ia_valid = ATTR_CTIME;
48868 - if (user != (uid_t) -1) {
48869 - newattrs.ia_valid |= ATTR_UID;
48870 -@@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user
48871 - error = mnt_want_write(path.mnt);
48872 - if (error)
48873 - goto out_release;
48874 -- error = chown_common(path.dentry, user, group);
48875 -+ error = chown_common(path.dentry, user, group, path.mnt);
48876 - mnt_drop_write(path.mnt);
48877 - out_release:
48878 - path_put(&path);
48879 -@@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
48880 - error = mnt_want_write(path.mnt);
48881 - if (error)
48882 - goto out_release;
48883 -- error = chown_common(path.dentry, user, group);
48884 -+ error = chown_common(path.dentry, user, group, path.mnt);
48885 - mnt_drop_write(path.mnt);
48886 - out_release:
48887 - path_put(&path);
48888 -@@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use
48889 - error = mnt_want_write(path.mnt);
48890 - if (error)
48891 - goto out_release;
48892 -- error = chown_common(path.dentry, user, group);
48893 -+ error = chown_common(path.dentry, user, group, path.mnt);
48894 - mnt_drop_write(path.mnt);
48895 - out_release:
48896 - path_put(&path);
48897 -@@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
48898 - goto out_fput;
48899 - dentry = file->f_path.dentry;
48900 - audit_inode(NULL, dentry);
48901 -- error = chown_common(dentry, user, group);
48902 -+ error = chown_common(dentry, user, group, file->f_path.mnt);
48903 - mnt_drop_write(file->f_path.mnt);
48904 - out_fput:
48905 - fput(file);
48906 -@@ -1036,7 +1091,10 @@ long do_sys_open(int dfd, const char __u
48907 - if (!IS_ERR(tmp)) {
48908 - fd = get_unused_fd_flags(flags);
48909 - if (fd >= 0) {
48910 -- struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
48911 -+ struct file *f;
48912 -+ /* don't allow to be set by userland */
48913 -+ flags &= ~FMODE_GREXEC;
48914 -+ f = do_filp_open(dfd, tmp, flags, mode, 0);
48915 - if (IS_ERR(f)) {
48916 - put_unused_fd(fd);
48917 - fd = PTR_ERR(f);
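Review bot: `flags &= ~FMODE_GREXEC` masks an `FMODE_*` constant out of the `flags` word passed to open, and the comment "don't allow to be set by userland" does not say what is being protected. Please name the bit in the comment and explain why an internal file-mode flag can arrive through the userland `flags` argument, so a later change to the open flag or `FMODE_*` values does not silently collide with it.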
48918 -diff -urNp linux-2.6.32.46/fs/partitions/ldm.c linux-2.6.32.46/fs/partitions/ldm.c
48919 ---- linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:55:34.000000000 -0400
48920 -+++ linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:56:37.000000000 -0400
48921 -@@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
48922 - ldm_error ("A VBLK claims to have %d parts.", num);
48923 - return false;
48924 - }
48925 -+
48926 - if (rec >= num) {
48927 - ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
48928 - return false;
48929 -@@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
48930 - goto found;
48931 - }
48932 -
48933 -- f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
48934 -+ f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
48935 - if (!f) {
48936 - ldm_crit ("Out of memory.");
48937 - return false;
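Review bot: swapping the operands in the `kmalloc()` size from `sizeof (*f) + size*num` to `size*num + sizeof (*f)` does not change the computed value, so the purpose of the edit is not visible from the patch. If the concern is overflow of `size*num`, an explicit bound check before the allocation would address it directly; otherwise please document why the operand order matters.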
48938 -diff -urNp linux-2.6.32.46/fs/partitions/mac.c linux-2.6.32.46/fs/partitions/mac.c
48939 ---- linux-2.6.32.46/fs/partitions/mac.c 2011-03-27 14:31:47.000000000 -0400
48940 -+++ linux-2.6.32.46/fs/partitions/mac.c 2011-04-17 15:56:46.000000000 -0400
48941 -@@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
48942 - return 0; /* not a MacOS disk */
48943 - }
48944 - blocks_in_map = be32_to_cpu(part->map_count);
48945 -+ printk(" [mac]");
48946 - if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
48947 - put_dev_sector(sect);
48948 - return 0;
48949 - }
48950 -- printk(" [mac]");
48951 - for (slot = 1; slot <= blocks_in_map; ++slot) {
48952 - int pos = slot * secsize;
48953 - put_dev_sector(sect);
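Review bot: moving `printk(" [mac]")` above the `blocks_in_map` range check means the tag is now printed even when the function rejects the map and returns 0. If that is intended so that rejected maps leave a trace in the log, say so in a comment; otherwise keep the `printk()` after the check so the tag only appears for maps that are actually parsed.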
48954 -diff -urNp linux-2.6.32.46/fs/pipe.c linux-2.6.32.46/fs/pipe.c
48955 ---- linux-2.6.32.46/fs/pipe.c 2011-03-27 14:31:47.000000000 -0400
48956 -+++ linux-2.6.32.46/fs/pipe.c 2011-04-23 13:37:17.000000000 -0400
48957 -@@ -401,9 +401,9 @@ redo:
48958 - }
48959 - if (bufs) /* More to do? */
48960 - continue;
48961 -- if (!pipe->writers)
48962 -+ if (!atomic_read(&pipe->writers))
48963 - break;
48964 -- if (!pipe->waiting_writers) {
48965 -+ if (!atomic_read(&pipe->waiting_writers)) {
48966 - /* syscall merging: Usually we must not sleep
48967 - * if O_NONBLOCK is set, or if we got some data.
48968 - * But if a writer sleeps in kernel space, then
48969 -@@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
48970 - mutex_lock(&inode->i_mutex);
48971 - pipe = inode->i_pipe;
48972 -
48973 -- if (!pipe->readers) {
48974 -+ if (!atomic_read(&pipe->readers)) {
48975 - send_sig(SIGPIPE, current, 0);
48976 - ret = -EPIPE;
48977 - goto out;
48978 -@@ -511,7 +511,7 @@ redo1:
48979 - for (;;) {
48980 - int bufs;
48981 -
48982 -- if (!pipe->readers) {
48983 -+ if (!atomic_read(&pipe->readers)) {
48984 - send_sig(SIGPIPE, current, 0);
48985 - if (!ret)
48986 - ret = -EPIPE;
48987 -@@ -597,9 +597,9 @@ redo2:
48988 - kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
48989 - do_wakeup = 0;
48990 - }
48991 -- pipe->waiting_writers++;
48992 -+ atomic_inc(&pipe->waiting_writers);
48993 - pipe_wait(pipe);
48994 -- pipe->waiting_writers--;
48995 -+ atomic_dec(&pipe->waiting_writers);
48996 - }
48997 - out:
48998 - mutex_unlock(&inode->i_mutex);
48999 -@@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
49000 - mask = 0;
49001 - if (filp->f_mode & FMODE_READ) {
49002 - mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49003 -- if (!pipe->writers && filp->f_version != pipe->w_counter)
49004 -+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49005 - mask |= POLLHUP;
49006 - }
49007 -
49008 -@@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
49009 - * Most Unices do not set POLLERR for FIFOs but on Linux they
49010 - * behave exactly like pipes for poll().
49011 - */
49012 -- if (!pipe->readers)
49013 -+ if (!atomic_read(&pipe->readers))
49014 - mask |= POLLERR;
49015 - }
49016 -
49017 -@@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
49018 -
49019 - mutex_lock(&inode->i_mutex);
49020 - pipe = inode->i_pipe;
49021 -- pipe->readers -= decr;
49022 -- pipe->writers -= decw;
49023 -+ atomic_sub(decr, &pipe->readers);
49024 -+ atomic_sub(decw, &pipe->writers);
49025 -
49026 -- if (!pipe->readers && !pipe->writers) {
49027 -+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49028 - free_pipe_info(inode);
49029 - } else {
49030 - wake_up_interruptible_sync(&pipe->wait);
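Review bot: in pipe_release the free decision reads readers and writers with two separate atomic_read calls after two separate atomic_sub calls, so making the counters atomic does not make the "both zero" test atomic; it is still the inode->i_mutex taken at the top of the hunk that makes this safe. Add a one-line comment that the mutex remains required, so a later change does not drop it on the strength of the atomic types. atomic_sub_return would also fold each subtract and read into one call.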
49031 -@@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
49032 -
49033 - if (inode->i_pipe) {
49034 - ret = 0;
49035 -- inode->i_pipe->readers++;
49036 -+ atomic_inc(&inode->i_pipe->readers);
49037 - }
49038 -
49039 - mutex_unlock(&inode->i_mutex);
49040 -@@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
49041 -
49042 - if (inode->i_pipe) {
49043 - ret = 0;
49044 -- inode->i_pipe->writers++;
49045 -+ atomic_inc(&inode->i_pipe->writers);
49046 - }
49047 -
49048 - mutex_unlock(&inode->i_mutex);
49049 -@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
49050 - if (inode->i_pipe) {
49051 - ret = 0;
49052 - if (filp->f_mode & FMODE_READ)
49053 -- inode->i_pipe->readers++;
49054 -+ atomic_inc(&inode->i_pipe->readers);
49055 - if (filp->f_mode & FMODE_WRITE)
49056 -- inode->i_pipe->writers++;
49057 -+ atomic_inc(&inode->i_pipe->writers);
49058 - }
49059 -
49060 - mutex_unlock(&inode->i_mutex);
49061 -@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
49062 - inode->i_pipe = NULL;
49063 - }
49064 -
49065 --static struct vfsmount *pipe_mnt __read_mostly;
49066 -+struct vfsmount *pipe_mnt __read_mostly;
49067 - static int pipefs_delete_dentry(struct dentry *dentry)
49068 - {
49069 - /*
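Review bot: pipe_mnt loses its static qualifier here with no extern declaration and no comment in this file saying who else needs it. Declare it in a header next to its new user and note the reason, so the wider linkage is not mistaken for an accident.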
49070 -@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
49071 - goto fail_iput;
49072 - inode->i_pipe = pipe;
49073 -
49074 -- pipe->readers = pipe->writers = 1;
49075 -+ atomic_set(&pipe->readers, 1);
49076 -+ atomic_set(&pipe->writers, 1);
49077 - inode->i_fop = &rdwr_pipefifo_fops;
49078 -
49079 - /*
49080 -diff -urNp linux-2.6.32.46/fs/proc/Kconfig linux-2.6.32.46/fs/proc/Kconfig
49081 ---- linux-2.6.32.46/fs/proc/Kconfig 2011-03-27 14:31:47.000000000 -0400
49082 -+++ linux-2.6.32.46/fs/proc/Kconfig 2011-04-17 15:56:46.000000000 -0400
49083 -@@ -30,12 +30,12 @@ config PROC_FS
49084 -
49085 - config PROC_KCORE
49086 - bool "/proc/kcore support" if !ARM
49087 -- depends on PROC_FS && MMU
49088 -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
49089 -
49090 - config PROC_VMCORE
49091 - bool "/proc/vmcore support (EXPERIMENTAL)"
49092 -- depends on PROC_FS && CRASH_DUMP
49093 -- default y
49094 -+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
49095 -+ default n
49096 - help
49097 - Exports the dump image of crashed kernel in ELF format.
49098 -
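Review bot: PROC_VMCORE gains "&& !GRKERNSEC" and flips to "default n", but its help text is unchanged, so someone who cannot find the option in menuconfig gets no hint why. Add a sentence to the help text (likewise for PROC_KCORE and GRKERNSEC_PROC_ADD). "default n" is also what Kconfig assumes when no default is given, so that line can simply be dropped instead of rewritten.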
49099 -@@ -59,8 +59,8 @@ config PROC_SYSCTL
49100 - limited in memory.
49101 -
49102 - config PROC_PAGE_MONITOR
49103 -- default y
49104 -- depends on PROC_FS && MMU
49105 -+ default n
49106 -+ depends on PROC_FS && MMU && !GRKERNSEC
49107 - bool "Enable /proc page monitoring" if EMBEDDED
49108 - help
49109 - Various /proc files exist to monitor process memory utilization:
49110 -diff -urNp linux-2.6.32.46/fs/proc/array.c linux-2.6.32.46/fs/proc/array.c
49111 ---- linux-2.6.32.46/fs/proc/array.c 2011-03-27 14:31:47.000000000 -0400
49112 -+++ linux-2.6.32.46/fs/proc/array.c 2011-05-16 21:46:57.000000000 -0400
49113 -@@ -60,6 +60,7 @@
49114 - #include <linux/tty.h>
49115 - #include <linux/string.h>
49116 - #include <linux/mman.h>
49117 -+#include <linux/grsecurity.h>
49118 - #include <linux/proc_fs.h>
49119 - #include <linux/ioport.h>
49120 - #include <linux/uaccess.h>
49121 -@@ -321,6 +322,21 @@ static inline void task_context_switch_c
49122 - p->nivcsw);
49123 - }
49124 -
49125 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49126 -+static inline void task_pax(struct seq_file *m, struct task_struct *p)
49127 -+{
49128 -+ if (p->mm)
49129 -+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49130 -+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49131 -+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49132 -+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49133 -+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49134 -+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49135 -+ else
49136 -+ seq_printf(m, "PaX:\t-----\n");
49137 -+}
49138 -+#endif
49139 -+
49140 - int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49141 - struct pid *pid, struct task_struct *task)
49142 - {
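Review bot: task_pax tests p->mm and then dereferences it five more times in the seq_printf arguments without taking a reference or a lock inside the function, so the mm can change between the test and the reads. Read it once into a local under whatever protects it (get_task_mm/mmput or task_lock) and print from that copy. A short comment mapping the five letters to the MF_PAX_* flags would also help anyone parsing /proc/<pid>/status.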
49143 -@@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
49144 - task_cap(m, task);
49145 - cpuset_task_status_allowed(m, task);
49146 - task_context_switch_counts(m, task);
49147 -+
49148 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49149 -+ task_pax(m, task);
49150 -+#endif
49151 -+
49152 -+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49153 -+ task_grsec_rbac(m, task);
49154 -+#endif
49155 -+
49156 - return 0;
49157 - }
49158 -
49159 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49160 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49161 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
49162 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
49163 -+#endif
49164 -+
49165 - static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49166 - struct pid *pid, struct task_struct *task, int whole)
49167 - {
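Review bot: PAX_RAND_FLAGS uses its _mm argument four times without parentheses, and the identical macro is defined a second time in fs/proc/base.c in this same patch. Move one copy into a shared header as a static inline taking a struct mm_struct *, which removes both the duplicate and the multiple-evaluation hazard.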
49168 -@@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
49169 - cputime_t cutime, cstime, utime, stime;
49170 - cputime_t cgtime, gtime;
49171 - unsigned long rsslim = 0;
49172 -- char tcomm[sizeof(task->comm)];
49173 -+ char tcomm[sizeof(task->comm)] = { 0 };
49174 - unsigned long flags;
49175 -
49176 -+ pax_track_stack();
49177 -+
49178 - state = *get_task_state(task);
49179 - vsize = eip = esp = 0;
49180 - permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49181 -@@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
49182 - gtime = task_gtime(task);
49183 - }
49184 -
49185 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49186 -+ if (PAX_RAND_FLAGS(mm)) {
49187 -+ eip = 0;
49188 -+ esp = 0;
49189 -+ wchan = 0;
49190 -+ }
49191 -+#endif
49192 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
49193 -+ wchan = 0;
49194 -+ eip =0;
49195 -+ esp =0;
49196 -+#endif
49197 -+
49198 - /* scale priority and nice values from timeslices to -20..20 */
49199 - /* to make it look like a "normal" Unix priority/nice value */
49200 - priority = task_prio(task);
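Review bot: with CONFIG_GRKERNSEC_HIDESYM set, wchan, eip and esp are zeroed unconditionally, which makes the PAX_RAND_FLAGS block just above it redundant in that configuration and hides the values even when permitted is true. If that is intended, fold the two blocks into one #if/#elif and state it in a comment. "eip =0;" and "esp =0;" also need a space after the "=".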
49201 -@@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
49202 - vsize,
49203 - mm ? get_mm_rss(mm) : 0,
49204 - rsslim,
49205 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49206 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49207 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49208 -+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49209 -+#else
49210 - mm ? (permitted ? mm->start_code : 1) : 0,
49211 - mm ? (permitted ? mm->end_code : 1) : 0,
49212 - (permitted && mm) ? mm->start_stack : 0,
49213 -+#endif
49214 - esp,
49215 - eip,
49216 - /* The signal information here is obsolete.
49217 -@@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
49218 -
49219 - return 0;
49220 - }
49221 -+
49222 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49223 -+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49224 -+{
49225 -+ u32 curr_ip = 0;
49226 -+ unsigned long flags;
49227 -+
49228 -+ if (lock_task_sighand(task, &flags)) {
49229 -+ curr_ip = task->signal->curr_ip;
49230 -+ unlock_task_sighand(task, &flags);
49231 -+ }
49232 -+
49233 -+ return sprintf(buffer, "%pI4\n", &curr_ip);
49234 -+}
49235 -+#endif
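Review bot: proc_pid_ipaddr prints the initial value of curr_ip (0) when lock_task_sighand fails, so a reader cannot tell "lock failed" from "no address recorded". Return an error on that path or document that 0.0.0.0 means unknown. The function also has no comment saying what signal->curr_ip holds or when it is set.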
49236 -diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c
49237 ---- linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:35:30.000000000 -0400
49238 -+++ linux-2.6.32.46/fs/proc/base.c 2011-10-19 04:05:03.000000000 -0400
49239 -@@ -102,6 +102,22 @@ struct pid_entry {
49240 - union proc_op op;
49241 - };
49242 -
49243 -+struct getdents_callback {
49244 -+ struct linux_dirent __user * current_dir;
49245 -+ struct linux_dirent __user * previous;
49246 -+ struct file * file;
49247 -+ int count;
49248 -+ int error;
49249 -+};
49250 -+
49251 -+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49252 -+ loff_t offset, u64 ino, unsigned int d_type)
49253 -+{
49254 -+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
49255 -+ buf->error = -EINVAL;
49256 -+ return 0;
49257 -+}
49258 -+
49259 - #define NOD(NAME, MODE, IOP, FOP, OP) { \
49260 - .name = (NAME), \
49261 - .len = sizeof(NAME) - 1, \
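Review bot: gr_fake_filldir casts __buf to a struct getdents_callback that is defined locally in this file, so it writes buf->error at whatever offset this private copy gives; nothing here ties the layout to the structure the caller actually passes. Share the definition through a header instead of copying it, or at minimum add a comment naming the original it must stay in sync with.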
49262 -@@ -213,6 +229,9 @@ static int check_mem_permission(struct t
49263 - if (task == current)
49264 - return 0;
49265 -
49266 -+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49267 -+ return -EPERM;
49268 -+
49269 - /*
49270 - * If current is actively ptrace'ing, and would also be
49271 - * permitted to freshly attach with ptrace now, permit it.
49272 -@@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
49273 - if (!mm->arg_end)
49274 - goto out_mm; /* Shh! No looking before we're done */
49275 -
49276 -+ if (gr_acl_handle_procpidmem(task))
49277 -+ goto out_mm;
49278 -+
49279 - len = mm->arg_end - mm->arg_start;
49280 -
49281 - if (len > PAGE_SIZE)
49282 -@@ -287,12 +309,28 @@ out:
49283 - return res;
49284 - }
49285 -
49286 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49287 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49288 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
49289 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
49290 -+#endif
49291 -+
49292 - static int proc_pid_auxv(struct task_struct *task, char *buffer)
49293 - {
49294 - int res = 0;
49295 - struct mm_struct *mm = get_task_mm(task);
49296 - if (mm) {
49297 - unsigned int nwords = 0;
49298 -+
49299 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49300 -+ /* allow if we're currently ptracing this task */
49301 -+ if (PAX_RAND_FLAGS(mm) &&
49302 -+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
49303 -+ mmput(mm);
49304 -+ return 0;
49305 -+ }
49306 -+#endif
49307 -+
49308 - do {
49309 - nwords += 2;
49310 - } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
49311 -@@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
49312 - }
49313 -
49314 -
49315 --#ifdef CONFIG_KALLSYMS
49316 -+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49317 - /*
49318 - * Provides a wchan file via kallsyms in a proper one-value-per-file format.
49319 - * Returns the resolved symbol. If that fails, simply return the address.
49320 -@@ -328,7 +366,7 @@ static int proc_pid_wchan(struct task_st
49321 - }
49322 - #endif /* CONFIG_KALLSYMS */
49323 -
49324 --#ifdef CONFIG_STACKTRACE
49325 -+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49326 -
49327 - #define MAX_STACK_TRACE_DEPTH 64
49328 -
49329 -@@ -522,7 +560,7 @@ static int proc_pid_limits(struct task_s
49330 - return count;
49331 - }
49332 -
49333 --#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49334 -+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49335 - static int proc_pid_syscall(struct task_struct *task, char *buffer)
49336 - {
49337 - long nr;
49338 -@@ -547,7 +585,7 @@ static int proc_pid_syscall(struct task_
49339 - /************************************************************************/
49340 -
49341 - /* permission checks */
49342 --static int proc_fd_access_allowed(struct inode *inode)
49343 -+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
49344 - {
49345 - struct task_struct *task;
49346 - int allowed = 0;
49347 -@@ -557,7 +595,10 @@ static int proc_fd_access_allowed(struct
49348 - */
49349 - task = get_proc_task(inode);
49350 - if (task) {
49351 -- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49352 -+ if (log)
49353 -+ allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
49354 -+ else
49355 -+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
49356 - put_task_struct(task);
49357 - }
49358 - return allowed;
49359 -@@ -936,6 +977,9 @@ static ssize_t environ_read(struct file
49360 - if (!task)
49361 - goto out_no_task;
49362 -
49363 -+ if (gr_acl_handle_procpidmem(task))
49364 -+ goto out;
49365 -+
49366 - if (!ptrace_may_access(task, PTRACE_MODE_READ))
49367 - goto out;
49368 -
49369 -@@ -1350,7 +1394,7 @@ static void *proc_pid_follow_link(struct
49370 - path_put(&nd->path);
49371 -
49372 - /* Are we allowed to snoop on the tasks file descriptors? */
49373 -- if (!proc_fd_access_allowed(inode))
49374 -+ if (!proc_fd_access_allowed(inode,0))
49375 - goto out;
49376 -
49377 - error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
49378 -@@ -1390,8 +1434,18 @@ static int proc_pid_readlink(struct dent
49379 - struct path path;
49380 -
49381 - /* Are we allowed to snoop on the tasks file descriptors? */
49382 -- if (!proc_fd_access_allowed(inode))
49383 -- goto out;
49384 -+ /* logging this is needed for learning on chromium to work properly,
49385 -+ but we don't want to flood the logs from 'ps' which does a readlink
49386 -+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
49387 -+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
49388 -+ */
49389 -+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
49390 -+ if (!proc_fd_access_allowed(inode,0))
49391 -+ goto out;
49392 -+ } else {
49393 -+ if (!proc_fd_access_allowed(inode,1))
49394 -+ goto out;
49395 -+ }
49396 -
49397 - error = PROC_I(inode)->op.proc_get_link(inode, &path);
49398 - if (error)
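Review bot: the unlogged path is selected purely on the dentry name being "2", without checking that the dentry is an fd entry, so any link served by proc_pid_readlink whose name is "2" skips the logging variant. Make the test say what it is matching, or pass the log decision in from the fd-specific caller. The if/else can also collapse to one proc_fd_access_allowed call whose second argument is the negated name test.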
49399 -@@ -1456,7 +1510,11 @@ static struct inode *proc_pid_make_inode
49400 - rcu_read_lock();
49401 - cred = __task_cred(task);
49402 - inode->i_uid = cred->euid;
49403 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49404 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49405 -+#else
49406 - inode->i_gid = cred->egid;
49407 -+#endif
49408 - rcu_read_unlock();
49409 - }
49410 - security_task_to_inode(task, inode);
49411 -@@ -1474,6 +1532,9 @@ static int pid_getattr(struct vfsmount *
49412 - struct inode *inode = dentry->d_inode;
49413 - struct task_struct *task;
49414 - const struct cred *cred;
49415 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49416 -+ const struct cred *tmpcred = current_cred();
49417 -+#endif
49418 -
49419 - generic_fillattr(inode, stat);
49420 -
49421 -@@ -1481,13 +1542,41 @@ static int pid_getattr(struct vfsmount *
49422 - stat->uid = 0;
49423 - stat->gid = 0;
49424 - task = pid_task(proc_pid(inode), PIDTYPE_PID);
49425 -+
49426 -+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
49427 -+ rcu_read_unlock();
49428 -+ return -ENOENT;
49429 -+ }
49430 -+
49431 - if (task) {
49432 -+ cred = __task_cred(task);
49433 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49434 -+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
49435 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49436 -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
49437 -+#endif
49438 -+ ) {
49439 -+#endif
49440 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49441 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
49442 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49443 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49444 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49445 -+#endif
49446 - task_dumpable(task)) {
49447 -- cred = __task_cred(task);
49448 - stat->uid = cred->euid;
49449 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49450 -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
49451 -+#else
49452 - stat->gid = cred->egid;
49453 -+#endif
49454 - }
49455 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49456 -+ } else {
49457 -+ rcu_read_unlock();
49458 -+ return -ENOENT;
49459 -+ }
49460 -+#endif
49461 - }
49462 - rcu_read_unlock();
49463 - return 0;
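Review bot: the "if (!tmpcred->uid || ...) {" opened inside one #if block and closed by "} else {" inside another makes the brace structure of pid_getattr very hard to check by eye, and each early "return -ENOENT" repeats rcu_read_unlock(). Move the visibility test into a small helper that compiles to true when neither option is set, and leave through a single unlock-and-return label. The owner test compares uid while the value reported in stat->uid is euid; if that difference is deliberate, say so in a comment.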
49464 -@@ -1518,11 +1607,20 @@ static int pid_revalidate(struct dentry
49465 -
49466 - if (task) {
49467 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
49468 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
49469 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
49470 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49471 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
49472 -+#endif
49473 - task_dumpable(task)) {
49474 - rcu_read_lock();
49475 - cred = __task_cred(task);
49476 - inode->i_uid = cred->euid;
49477 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49478 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49479 -+#else
49480 - inode->i_gid = cred->egid;
49481 -+#endif
49482 - rcu_read_unlock();
49483 - } else {
49484 - inode->i_uid = 0;
49485 -@@ -1643,7 +1741,8 @@ static int proc_fd_info(struct inode *in
49486 - int fd = proc_fd(inode);
49487 -
49488 - if (task) {
49489 -- files = get_files_struct(task);
49490 -+ if (!gr_acl_handle_procpidmem(task))
49491 -+ files = get_files_struct(task);
49492 - put_task_struct(task);
49493 - }
49494 - if (files) {
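Review bot: when gr_acl_handle_procpidmem(task) denies access, files is never assigned, so the "if (files)" test that follows depends on files having been initialised to NULL at its declaration, which is outside this hunk. Confirm that initialiser is there, and add a comment that a denial is reported the same way as a task without a files struct.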
49495 -@@ -1895,12 +1994,22 @@ static const struct file_operations proc
49496 - static int proc_fd_permission(struct inode *inode, int mask)
49497 - {
49498 - int rv;
49499 -+ struct task_struct *task;
49500 -
49501 - rv = generic_permission(inode, mask, NULL);
49502 -- if (rv == 0)
49503 -- return 0;
49504 -+
49505 - if (task_pid(current) == proc_pid(inode))
49506 - rv = 0;
49507 -+
49508 -+ task = get_proc_task(inode);
49509 -+ if (task == NULL)
49510 -+ return rv;
49511 -+
49512 -+ if (gr_acl_handle_procpidmem(task))
49513 -+ rv = -EACCES;
49514 -+
49515 -+ put_task_struct(task);
49516 -+
49517 - return rv;
49518 - }
49519 -
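Review bot: dropping the early "return 0" means every permission check now takes and drops a task reference, and the gr_acl_handle_procpidmem test runs after the "task_pid(current) == proc_pid(inode)" override, so it can turn rv into -EACCES even when a task looks at its own fd directory. If self-access should stay allowed, do the grsecurity check before the self test; if not, add a comment stating that the ACL result takes precedence.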
49520 -@@ -2009,6 +2118,9 @@ static struct dentry *proc_pident_lookup
49521 - if (!task)
49522 - goto out_no_task;
49523 -
49524 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49525 -+ goto out;
49526 -+
49527 - /*
49528 - * Yes, it does not scale. And it should not. Don't add
49529 - * new entries into /proc/<tgid>/ without very good reasons.
49530 -@@ -2053,6 +2165,9 @@ static int proc_pident_readdir(struct fi
49531 - if (!task)
49532 - goto out_no_task;
49533 -
49534 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49535 -+ goto out;
49536 -+
49537 - ret = 0;
49538 - i = filp->f_pos;
49539 - switch (i) {
49540 -@@ -2320,7 +2435,7 @@ static void *proc_self_follow_link(struc
49541 - static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
49542 - void *cookie)
49543 - {
49544 -- char *s = nd_get_link(nd);
49545 -+ const char *s = nd_get_link(nd);
49546 - if (!IS_ERR(s))
49547 - __putname(s);
49548 - }
49549 -@@ -2522,7 +2637,7 @@ static const struct pid_entry tgid_base_
49550 - #ifdef CONFIG_SCHED_DEBUG
49551 - REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
49552 - #endif
49553 --#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49554 -+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49555 - INF("syscall", S_IRUSR, proc_pid_syscall),
49556 - #endif
49557 - INF("cmdline", S_IRUGO, proc_pid_cmdline),
49558 -@@ -2547,10 +2662,10 @@ static const struct pid_entry tgid_base_
49559 - #ifdef CONFIG_SECURITY
49560 - DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
49561 - #endif
49562 --#ifdef CONFIG_KALLSYMS
49563 -+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49564 - INF("wchan", S_IRUGO, proc_pid_wchan),
49565 - #endif
49566 --#ifdef CONFIG_STACKTRACE
49567 -+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49568 - ONE("stack", S_IRUSR, proc_pid_stack),
49569 - #endif
49570 - #ifdef CONFIG_SCHEDSTATS
49571 -@@ -2580,6 +2695,9 @@ static const struct pid_entry tgid_base_
49572 - #ifdef CONFIG_TASK_IO_ACCOUNTING
49573 - INF("io", S_IRUSR, proc_tgid_io_accounting),
49574 - #endif
49575 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49576 -+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
49577 -+#endif
49578 - };
49579 -
49580 - static int proc_tgid_base_readdir(struct file * filp,
49581 -@@ -2704,7 +2822,14 @@ static struct dentry *proc_pid_instantia
49582 - if (!inode)
49583 - goto out;
49584 -
49585 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
49586 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
49587 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49588 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49589 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
49590 -+#else
49591 - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
49592 -+#endif
49593 - inode->i_op = &proc_tgid_base_inode_operations;
49594 - inode->i_fop = &proc_tgid_base_operations;
49595 - inode->i_flags|=S_IMMUTABLE;
49596 -@@ -2746,7 +2871,14 @@ struct dentry *proc_pid_lookup(struct in
49597 - if (!task)
49598 - goto out;
49599 -
49600 -+ if (!has_group_leader_pid(task))
49601 -+ goto out_put_task;
49602 -+
49603 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
49604 -+ goto out_put_task;
49605 -+
49606 - result = proc_pid_instantiate(dir, dentry, task, NULL);
49607 -+out_put_task:
49608 - put_task_struct(task);
49609 - out:
49610 - return result;
49611 -@@ -2811,6 +2943,11 @@ int proc_pid_readdir(struct file * filp,
49612 - {
49613 - unsigned int nr;
49614 - struct task_struct *reaper;
49615 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49616 -+ const struct cred *tmpcred = current_cred();
49617 -+ const struct cred *itercred;
49618 -+#endif
49619 -+ filldir_t __filldir = filldir;
49620 - struct tgid_iter iter;
49621 - struct pid_namespace *ns;
49622 -
49623 -@@ -2834,8 +2971,27 @@ int proc_pid_readdir(struct file * filp,
49624 - for (iter = next_tgid(ns, iter);
49625 - iter.task;
49626 - iter.tgid += 1, iter = next_tgid(ns, iter)) {
49627 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49628 -+ rcu_read_lock();
49629 -+ itercred = __task_cred(iter.task);
49630 -+#endif
49631 -+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
49632 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49633 -+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
49634 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49635 -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
49636 -+#endif
49637 -+ )
49638 -+#endif
49639 -+ )
49640 -+ __filldir = &gr_fake_filldir;
49641 -+ else
49642 -+ __filldir = filldir;
49643 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49644 -+ rcu_read_unlock();
49645 -+#endif
49646 - filp->f_pos = iter.tgid + TGID_OFFSET;
49647 -- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
49648 -+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
49649 - put_task_struct(iter.task);
49650 - goto out;
49651 - }
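Review bot: the hide condition is spread over three nested #if levels inside a single if expression, which makes the parenthesisation hard to verify, and it repeats the owner/group test from pid_getattr with the opposite sense. Factor it into one helper used by both places. Hidden tasks are skipped by swapping in gr_fake_filldir, which sets buf->error to -EINVAL; that needs a comment explaining why an error value is the mechanism for omitting an entry.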
49652 -@@ -2861,7 +3017,7 @@ static const struct pid_entry tid_base_s
49653 - #ifdef CONFIG_SCHED_DEBUG
49654 - REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
49655 - #endif
49656 --#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
49657 -+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
49658 - INF("syscall", S_IRUSR, proc_pid_syscall),
49659 - #endif
49660 - INF("cmdline", S_IRUGO, proc_pid_cmdline),
49661 -@@ -2885,10 +3041,10 @@ static const struct pid_entry tid_base_s
49662 - #ifdef CONFIG_SECURITY
49663 - DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
49664 - #endif
49665 --#ifdef CONFIG_KALLSYMS
49666 -+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49667 - INF("wchan", S_IRUGO, proc_pid_wchan),
49668 - #endif
49669 --#ifdef CONFIG_STACKTRACE
49670 -+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
49671 - ONE("stack", S_IRUSR, proc_pid_stack),
49672 - #endif
49673 - #ifdef CONFIG_SCHEDSTATS
49674 -diff -urNp linux-2.6.32.46/fs/proc/cmdline.c linux-2.6.32.46/fs/proc/cmdline.c
49675 ---- linux-2.6.32.46/fs/proc/cmdline.c 2011-03-27 14:31:47.000000000 -0400
49676 -+++ linux-2.6.32.46/fs/proc/cmdline.c 2011-04-17 15:56:46.000000000 -0400
49677 -@@ -23,7 +23,11 @@ static const struct file_operations cmdl
49678 -
49679 - static int __init proc_cmdline_init(void)
49680 - {
49681 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
49682 -+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
49683 -+#else
49684 - proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
49685 -+#endif
49686 - return 0;
49687 - }
49688 - module_init(proc_cmdline_init);
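Review bot: the "#ifdef CONFIG_GRKERNSEC_PROC_ADD / proc_create_grsec / #else / proc_create" pattern added to proc_cmdline_init is repeated verbatim in fs/proc/devices.c right below. Define proc_create_grsec once in the header so that it falls back to proc_create when the option is off; the call sites then need no preprocessor conditionals.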
49689 -diff -urNp linux-2.6.32.46/fs/proc/devices.c linux-2.6.32.46/fs/proc/devices.c
49690 ---- linux-2.6.32.46/fs/proc/devices.c 2011-03-27 14:31:47.000000000 -0400
49691 -+++ linux-2.6.32.46/fs/proc/devices.c 2011-04-17 15:56:46.000000000 -0400
49692 -@@ -64,7 +64,11 @@ static const struct file_operations proc
49693 -
49694 - static int __init proc_devices_init(void)
49695 - {
49696 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
49697 -+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
49698 -+#else
49699 - proc_create("devices", 0, NULL, &proc_devinfo_operations);
49700 -+#endif
49701 - return 0;
49702 - }
49703 - module_init(proc_devices_init);
49704 -diff -urNp linux-2.6.32.46/fs/proc/inode.c linux-2.6.32.46/fs/proc/inode.c
49705 ---- linux-2.6.32.46/fs/proc/inode.c 2011-03-27 14:31:47.000000000 -0400
49706 -+++ linux-2.6.32.46/fs/proc/inode.c 2011-10-19 04:08:02.000000000 -0400
49707 -@@ -18,12 +18,19 @@
49708 - #include <linux/module.h>
49709 - #include <linux/smp_lock.h>
49710 - #include <linux/sysctl.h>
49711 -+#include <linux/grsecurity.h>
49712 -
49713 - #include <asm/system.h>
49714 - #include <asm/uaccess.h>
49715 -
49716 - #include "internal.h"
49717 -
49718 -+#ifdef CONFIG_PROC_SYSCTL
49719 -+extern const struct inode_operations proc_sys_inode_operations;
49720 -+extern const struct inode_operations proc_sys_dir_operations;
49721 -+#endif
49722 -+
49723 -+
49724 - struct proc_dir_entry *de_get(struct proc_dir_entry *de)
49725 - {
49726 - atomic_inc(&de->count);
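Review bot: the extern declarations for proc_sys_inode_operations and proc_sys_dir_operations are added directly in the .c file, just after #include "internal.h". Put them in internal.h so the compiler checks the declaration against the definition. The second blank line added after the #endif can go.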
49727 -@@ -62,6 +69,13 @@ static void proc_delete_inode(struct ino
49728 - de_put(de);
49729 - if (PROC_I(inode)->sysctl)
49730 - sysctl_head_put(PROC_I(inode)->sysctl);
49731 -+
49732 -+#ifdef CONFIG_PROC_SYSCTL
49733 -+ if (inode->i_op == &proc_sys_inode_operations ||
49734 -+ inode->i_op == &proc_sys_dir_operations)
49735 -+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
49736 -+#endif
49737 -+
49738 - clear_inode(inode);
49739 - }
49740 -
49741 -@@ -457,7 +471,11 @@ struct inode *proc_get_inode(struct supe
49742 - if (de->mode) {
49743 - inode->i_mode = de->mode;
49744 - inode->i_uid = de->uid;
49745 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
49746 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
49747 -+#else
49748 - inode->i_gid = de->gid;
49749 -+#endif
49750 - }
49751 - if (de->size)
49752 - inode->i_size = de->size;
49753 -diff -urNp linux-2.6.32.46/fs/proc/internal.h linux-2.6.32.46/fs/proc/internal.h
49754 ---- linux-2.6.32.46/fs/proc/internal.h 2011-03-27 14:31:47.000000000 -0400
49755 -+++ linux-2.6.32.46/fs/proc/internal.h 2011-04-17 15:56:46.000000000 -0400
49756 -@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
49757 - struct pid *pid, struct task_struct *task);
49758 - extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
49759 - struct pid *pid, struct task_struct *task);
49760 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49761 -+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
49762 -+#endif
49763 - extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
49764 -
49765 - extern const struct file_operations proc_maps_operations;
49766 -diff -urNp linux-2.6.32.46/fs/proc/kcore.c linux-2.6.32.46/fs/proc/kcore.c
49767 ---- linux-2.6.32.46/fs/proc/kcore.c 2011-03-27 14:31:47.000000000 -0400
49768 -+++ linux-2.6.32.46/fs/proc/kcore.c 2011-05-16 21:46:57.000000000 -0400
49769 -@@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
49770 - off_t offset = 0;
49771 - struct kcore_list *m;
49772 -
49773 -+ pax_track_stack();
49774 -+
49775 - /* setup ELF header */
49776 - elf = (struct elfhdr *) bufp;
49777 - bufp += sizeof(struct elfhdr);
49778 -@@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
49779 - * the addresses in the elf_phdr on our list.
49780 - */
49781 - start = kc_offset_to_vaddr(*fpos - elf_buflen);
49782 -- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
49783 -+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
49784 -+ if (tsz > buflen)
49785 - tsz = buflen;
49786 --
49787 -+
49788 - while (buflen) {
49789 - struct kcore_list *m;
49790 -
49791 -@@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
49792 - kfree(elf_buf);
49793 - } else {
49794 - if (kern_addr_valid(start)) {
49795 -- unsigned long n;
49796 -+ char *elf_buf;
49797 -+ mm_segment_t oldfs;
49798 -
49799 -- n = copy_to_user(buffer, (char *)start, tsz);
49800 -- /*
49801 -- * We cannot distingush between fault on source
49802 -- * and fault on destination. When this happens
49803 -- * we clear too and hope it will trigger the
49804 -- * EFAULT again.
49805 -- */
49806 -- if (n) {
49807 -- if (clear_user(buffer + tsz - n,
49808 -- n))
49809 -+ elf_buf = kmalloc(tsz, GFP_KERNEL);
49810 -+ if (!elf_buf)
49811 -+ return -ENOMEM;
49812 -+ oldfs = get_fs();
49813 -+ set_fs(KERNEL_DS);
49814 -+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
49815 -+ set_fs(oldfs);
49816 -+ if (copy_to_user(buffer, elf_buf, tsz)) {
49817 -+ kfree(elf_buf);
49818 - return -EFAULT;
49819 -+ }
49820 - }
49821 -+ set_fs(oldfs);
49822 -+ kfree(elf_buf);
49823 - } else {
49824 - if (clear_user(buffer, tsz))
49825 - return -EFAULT;
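Review bot: in the new kern_addr_valid() branch, when __copy_from_user() returns non-zero nothing is written to the user buffer and no error is returned; the code restores the segment, frees elf_buf and continues. The removed code at least cleared the unwritten tail with clear_user, so the replacement should either clear_user(buffer, tsz) or return -EFAULT on that path. On the success path set_fs(oldfs) also runs twice; restore it once, immediately after __copy_from_user, and the flow becomes easier to follow.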
49826 -@@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
49827 -
49828 - static int open_kcore(struct inode *inode, struct file *filp)
49829 - {
49830 -+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49831 -+ return -EPERM;
49832 -+#endif
49833 - if (!capable(CAP_SYS_RAWIO))
49834 - return -EPERM;
49835 - if (kcore_need_update)
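Review bot: the unconditional "return -EPERM;" inside the #if leaves the rest of open_kcore as unreachable code whenever either option is set. Wrap the remaining body in #else/#endif so the compiler never sees dead statements. The fs/proc/Kconfig change in this patch already makes PROC_KCORE depend on !GRKERNSEC_PROC_ADD, so if kcore.c is only built with PROC_KCORE, that half of the condition is already covered and only the GRKERNSEC_HIDESYM half matters here.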
49836 -diff -urNp linux-2.6.32.46/fs/proc/meminfo.c linux-2.6.32.46/fs/proc/meminfo.c
49837 ---- linux-2.6.32.46/fs/proc/meminfo.c 2011-03-27 14:31:47.000000000 -0400
49838 -+++ linux-2.6.32.46/fs/proc/meminfo.c 2011-05-16 21:46:57.000000000 -0400
49839 -@@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
49840 - unsigned long pages[NR_LRU_LISTS];
49841 - int lru;
49842 -
49843 -+ pax_track_stack();
49844 -+
49845 - /*
49846 - * display in kilobytes.
49847 - */
49848 -@@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
49849 - vmi.used >> 10,
49850 - vmi.largest_chunk >> 10
49851 - #ifdef CONFIG_MEMORY_FAILURE
49852 -- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
49853 -+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
49854 - #endif
49855 - );
49856 -
49857 -diff -urNp linux-2.6.32.46/fs/proc/nommu.c linux-2.6.32.46/fs/proc/nommu.c
49858 ---- linux-2.6.32.46/fs/proc/nommu.c 2011-03-27 14:31:47.000000000 -0400
49859 -+++ linux-2.6.32.46/fs/proc/nommu.c 2011-04-17 15:56:46.000000000 -0400
49860 -@@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
49861 - if (len < 1)
49862 - len = 1;
49863 - seq_printf(m, "%*c", len, ' ');
49864 -- seq_path(m, &file->f_path, "");
49865 -+ seq_path(m, &file->f_path, "\n\\");
49866 - }
49867 -
49868 - seq_putc(m, '\n');
49869 -diff -urNp linux-2.6.32.46/fs/proc/proc_net.c linux-2.6.32.46/fs/proc/proc_net.c
49870 ---- linux-2.6.32.46/fs/proc/proc_net.c 2011-03-27 14:31:47.000000000 -0400
49871 -+++ linux-2.6.32.46/fs/proc/proc_net.c 2011-04-17 15:56:46.000000000 -0400
49872 -@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
49873 - struct task_struct *task;
49874 - struct nsproxy *ns;
49875 - struct net *net = NULL;
49876 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49877 -+ const struct cred *cred = current_cred();
49878 -+#endif
49879 -+
49880 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
49881 -+ if (cred->fsuid)
49882 -+ return net;
49883 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49884 -+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
49885 -+ return net;
49886 -+#endif
49887 -
49888 - rcu_read_lock();
49889 - task = pid_task(proc_pid(dir), PIDTYPE_PID);
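Review bot: the two early exits in get_proc_task_net() use return net, which is only correct because net was initialised to NULL three lines above; return NULL would state the intent and survive a later change to that initialiser. A short comment on what callers see when a non-root fsuid (or one outside CONFIG_GRKERNSEC_PROC_GID) is refused would also help, since the function otherwise gives no hint that it now enforces an access policy.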
49890 -diff -urNp linux-2.6.32.46/fs/proc/proc_sysctl.c linux-2.6.32.46/fs/proc/proc_sysctl.c
49891 ---- linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-03-27 14:31:47.000000000 -0400
49892 -+++ linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-10-19 04:08:51.000000000 -0400
49893 -@@ -7,11 +7,13 @@
49894 - #include <linux/security.h>
49895 - #include "internal.h"
49896 -
49897 -+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
49898 -+
49899 - static const struct dentry_operations proc_sys_dentry_operations;
49900 - static const struct file_operations proc_sys_file_operations;
49901 --static const struct inode_operations proc_sys_inode_operations;
49902 -+const struct inode_operations proc_sys_inode_operations;
49903 - static const struct file_operations proc_sys_dir_file_operations;
49904 --static const struct inode_operations proc_sys_dir_operations;
49905 -+const struct inode_operations proc_sys_dir_operations;
49906 -
49907 - static struct inode *proc_sys_make_inode(struct super_block *sb,
49908 - struct ctl_table_header *head, struct ctl_table *table)
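Review bot: gr_handle_sysctl() is declared with a local extern in this .c file, so the compiler cannot check the prototype against its definition; it belongs in a shared header. The same hunk drops static from proc_sys_inode_operations and proc_sys_dir_operations, which puts both in the global namespace, and no matching header declaration or comment on who needs them is visible here.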
49909 -@@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
49910 - if (!p)
49911 - goto out;
49912 -
49913 -+ if (gr_handle_sysctl(p, MAY_EXEC))
49914 -+ goto out;
49915 -+
49916 - err = ERR_PTR(-ENOMEM);
49917 - inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
49918 - if (h)
49919 -@@ -119,6 +124,9 @@ static struct dentry *proc_sys_lookup(st
49920 -
49921 - err = NULL;
49922 - dentry->d_op = &proc_sys_dentry_operations;
49923 -+
49924 -+ gr_handle_proc_create(dentry, inode);
49925 -+
49926 - d_add(dentry, inode);
49927 -
49928 - out:
49929 -@@ -200,6 +208,9 @@ static int proc_sys_fill_cache(struct fi
49930 - return -ENOMEM;
49931 - } else {
49932 - child->d_op = &proc_sys_dentry_operations;
49933 -+
49934 -+ gr_handle_proc_create(child, inode);
49935 -+
49936 - d_add(child, inode);
49937 - }
49938 - } else {
49939 -@@ -228,6 +239,9 @@ static int scan(struct ctl_table_header
49940 - if (*pos < file->f_pos)
49941 - continue;
49942 -
49943 -+ if (gr_handle_sysctl(table, 0))
49944 -+ continue;
49945 -+
49946 - res = proc_sys_fill_cache(file, dirent, filldir, head, table);
49947 - if (res)
49948 - return res;
49949 -@@ -344,6 +358,9 @@ static int proc_sys_getattr(struct vfsmo
49950 - if (IS_ERR(head))
49951 - return PTR_ERR(head);
49952 -
49953 -+ if (table && gr_handle_sysctl(table, MAY_EXEC))
49954 -+ return -ENOENT;
49955 -+
49956 - generic_fillattr(inode, stat);
49957 - if (table)
49958 - stat->mode = (stat->mode & S_IFMT) | table->mode;
49959 -@@ -362,13 +379,13 @@ static const struct file_operations proc
49960 - .llseek = generic_file_llseek,
49961 - };
49962 -
49963 --static const struct inode_operations proc_sys_inode_operations = {
49964 -+const struct inode_operations proc_sys_inode_operations = {
49965 - .permission = proc_sys_permission,
49966 - .setattr = proc_sys_setattr,
49967 - .getattr = proc_sys_getattr,
49968 - };
49969 -
49970 --static const struct inode_operations proc_sys_dir_operations = {
49971 -+const struct inode_operations proc_sys_dir_operations = {
49972 - .lookup = proc_sys_lookup,
49973 - .permission = proc_sys_permission,
49974 - .setattr = proc_sys_setattr,
49975 -diff -urNp linux-2.6.32.46/fs/proc/root.c linux-2.6.32.46/fs/proc/root.c
49976 ---- linux-2.6.32.46/fs/proc/root.c 2011-03-27 14:31:47.000000000 -0400
49977 -+++ linux-2.6.32.46/fs/proc/root.c 2011-04-17 15:56:46.000000000 -0400
49978 -@@ -134,7 +134,15 @@ void __init proc_root_init(void)
49979 - #ifdef CONFIG_PROC_DEVICETREE
49980 - proc_device_tree_init();
49981 - #endif
49982 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
49983 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
49984 -+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
49985 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49986 -+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
49987 -+#endif
49988 -+#else
49989 - proc_mkdir("bus", NULL);
49990 -+#endif
49991 - proc_sys_init();
49992 - }
49993 -
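Review bot: in proc_root_init(), when CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner #ifdef/#elif has no fallback and no "bus" directory is created at all. Unless Kconfig guarantees one of the two is always selected with PROC_ADD (not visible in this hunk), add an inner #else that calls proc_mkdir("bus", NULL), or an #error.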
49994 -diff -urNp linux-2.6.32.46/fs/proc/task_mmu.c linux-2.6.32.46/fs/proc/task_mmu.c
49995 ---- linux-2.6.32.46/fs/proc/task_mmu.c 2011-03-27 14:31:47.000000000 -0400
49996 -+++ linux-2.6.32.46/fs/proc/task_mmu.c 2011-04-23 13:38:09.000000000 -0400
49997 -@@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
49998 - "VmStk:\t%8lu kB\n"
49999 - "VmExe:\t%8lu kB\n"
50000 - "VmLib:\t%8lu kB\n"
50001 -- "VmPTE:\t%8lu kB\n",
50002 -- hiwater_vm << (PAGE_SHIFT-10),
50003 -+ "VmPTE:\t%8lu kB\n"
50004 -+
50005 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50006 -+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50007 -+#endif
50008 -+
50009 -+ ,hiwater_vm << (PAGE_SHIFT-10),
50010 - (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50011 - mm->locked_vm << (PAGE_SHIFT-10),
50012 - hiwater_rss << (PAGE_SHIFT-10),
50013 - total_rss << (PAGE_SHIFT-10),
50014 - data << (PAGE_SHIFT-10),
50015 - mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50016 -- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
50017 -+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
50018 -+
50019 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50020 -+ , mm->context.user_cs_base, mm->context.user_cs_limit
50021 -+#endif
50022 -+
50023 -+ );
50024 - }
50025 -
50026 - unsigned long task_vsize(struct mm_struct *mm)
50027 -@@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
50028 - struct proc_maps_private *priv = m->private;
50029 - struct vm_area_struct *vma = v;
50030 -
50031 -- vma_stop(priv, vma);
50032 -+ if (!IS_ERR(vma))
50033 -+ vma_stop(priv, vma);
50034 - if (priv->task)
50035 - put_task_struct(priv->task);
50036 - }
50037 -@@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
50038 - return ret;
50039 - }
50040 -
50041 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50042 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50043 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
50044 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
50045 -+#endif
50046 -+
50047 - static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50048 - {
50049 - struct mm_struct *mm = vma->vm_mm;
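Review bot: PAX_RAND_FLAGS() uses its parameter _mm unparenthesised and evaluates it up to four times. It works for the plain lvalues passed in this file, but a static inline function taking a const struct mm_struct * would avoid both problems and give the check a type. A one-line comment stating that it hides layout details of other tasks running with RANDMMAP or SEGMEXEC would document why the current->mm comparison is there.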
50050 -@@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
50051 - int flags = vma->vm_flags;
50052 - unsigned long ino = 0;
50053 - unsigned long long pgoff = 0;
50054 -- unsigned long start;
50055 - dev_t dev = 0;
50056 - int len;
50057 -
50058 -@@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
50059 - pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50060 - }
50061 -
50062 -- /* We don't show the stack guard page in /proc/maps */
50063 -- start = vma->vm_start;
50064 -- if (vma->vm_flags & VM_GROWSDOWN)
50065 -- if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
50066 -- start += PAGE_SIZE;
50067 --
50068 - seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50069 -- start,
50070 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50071 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
50072 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
50073 -+#else
50074 -+ vma->vm_start,
50075 - vma->vm_end,
50076 -+#endif
50077 - flags & VM_READ ? 'r' : '-',
50078 - flags & VM_WRITE ? 'w' : '-',
50079 - flags & VM_EXEC ? 'x' : '-',
50080 - flags & VM_MAYSHARE ? 's' : 'p',
50081 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50082 -+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50083 -+#else
50084 - pgoff,
50085 -+#endif
50086 - MAJOR(dev), MINOR(dev), ino, &len);
50087 -
50088 - /*
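Review bot: besides adding the PAX_RAND_FLAGS() masking, this hunk in show_map_vma() deletes the block that skipped the stack guard page (the start += PAGE_SIZE adjustment for VM_GROWSDOWN), so the printed range now begins at vma->vm_start unconditionally. Nothing here says why that adjustment is no longer needed; please add a comment or note it in the changelog so the output change for stack mappings is clearly intentional.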
50089 -@@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
50090 - */
50091 - if (file) {
50092 - pad_len_spaces(m, len);
50093 -- seq_path(m, &file->f_path, "\n");
50094 -+ seq_path(m, &file->f_path, "\n\\");
50095 - } else {
50096 - const char *name = arch_vma_name(vma);
50097 - if (!name) {
50098 -@@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
50099 - if (vma->vm_start <= mm->brk &&
50100 - vma->vm_end >= mm->start_brk) {
50101 - name = "[heap]";
50102 -- } else if (vma->vm_start <= mm->start_stack &&
50103 -- vma->vm_end >= mm->start_stack) {
50104 -+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50105 -+ (vma->vm_start <= mm->start_stack &&
50106 -+ vma->vm_end >= mm->start_stack)) {
50107 - name = "[stack]";
50108 - }
50109 - } else {
50110 -@@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
50111 - };
50112 -
50113 - memset(&mss, 0, sizeof mss);
50114 -- mss.vma = vma;
50115 -- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50116 -- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50117 -+
50118 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50119 -+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50120 -+#endif
50121 -+ mss.vma = vma;
50122 -+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50123 -+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50124 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50125 -+ }
50126 -+#endif
50127 -
50128 - show_map_vma(m, vma);
50129 -
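Review bot: in show_smap() the opening and closing braces of the new if are each wrapped in their own #ifdef CONFIG_GRKERNSEC_PROC_MEMMAP, which makes the block easy to unbalance in a later edit. Defining PAX_RAND_FLAGS(_mm) as 0 when the option is off would let this be a plain if (!PAX_RAND_FLAGS(vma->vm_mm)) { ... } with no preprocessor lines, and would remove the #ifdef/#else pairs in the seq_printf() argument lists as well.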
50130 -@@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
50131 - "Swap: %8lu kB\n"
50132 - "KernelPageSize: %8lu kB\n"
50133 - "MMUPageSize: %8lu kB\n",
50134 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50135 -+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50136 -+#else
50137 - (vma->vm_end - vma->vm_start) >> 10,
50138 -+#endif
50139 - mss.resident >> 10,
50140 - (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50141 - mss.shared_clean >> 10,
50142 -diff -urNp linux-2.6.32.46/fs/proc/task_nommu.c linux-2.6.32.46/fs/proc/task_nommu.c
50143 ---- linux-2.6.32.46/fs/proc/task_nommu.c 2011-03-27 14:31:47.000000000 -0400
50144 -+++ linux-2.6.32.46/fs/proc/task_nommu.c 2011-04-17 15:56:46.000000000 -0400
50145 -@@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
50146 - else
50147 - bytes += kobjsize(mm);
50148 -
50149 -- if (current->fs && current->fs->users > 1)
50150 -+ if (current->fs && atomic_read(&current->fs->users) > 1)
50151 - sbytes += kobjsize(current->fs);
50152 - else
50153 - bytes += kobjsize(current->fs);
50154 -@@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
50155 - if (len < 1)
50156 - len = 1;
50157 - seq_printf(m, "%*c", len, ' ');
50158 -- seq_path(m, &file->f_path, "");
50159 -+ seq_path(m, &file->f_path, "\n\\");
50160 - }
50161 -
50162 - seq_putc(m, '\n');
50163 -diff -urNp linux-2.6.32.46/fs/readdir.c linux-2.6.32.46/fs/readdir.c
50164 ---- linux-2.6.32.46/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
50165 -+++ linux-2.6.32.46/fs/readdir.c 2011-10-06 09:37:14.000000000 -0400
50166 -@@ -16,6 +16,7 @@
50167 - #include <linux/security.h>
50168 - #include <linux/syscalls.h>
50169 - #include <linux/unistd.h>
50170 -+#include <linux/namei.h>
50171 -
50172 - #include <asm/uaccess.h>
50173 -
50174 -@@ -67,6 +68,7 @@ struct old_linux_dirent {
50175 -
50176 - struct readdir_callback {
50177 - struct old_linux_dirent __user * dirent;
50178 -+ struct file * file;
50179 - int result;
50180 - };
50181 -
50182 -@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50183 - buf->result = -EOVERFLOW;
50184 - return -EOVERFLOW;
50185 - }
50186 -+
50187 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50188 -+ return 0;
50189 -+
50190 - buf->result++;
50191 - dirent = buf->dirent;
50192 - if (!access_ok(VERIFY_WRITE, dirent,
50193 -@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50194 -
50195 - buf.result = 0;
50196 - buf.dirent = dirent;
50197 -+ buf.file = file;
50198 -
50199 - error = vfs_readdir(file, fillonedir, &buf);
50200 - if (buf.result)
50201 -@@ -142,6 +149,7 @@ struct linux_dirent {
50202 - struct getdents_callback {
50203 - struct linux_dirent __user * current_dir;
50204 - struct linux_dirent __user * previous;
50205 -+ struct file * file;
50206 - int count;
50207 - int error;
50208 - };
50209 -@@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
50210 - buf->error = -EOVERFLOW;
50211 - return -EOVERFLOW;
50212 - }
50213 -+
50214 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50215 -+ return 0;
50216 -+
50217 - dirent = buf->previous;
50218 - if (dirent) {
50219 - if (__put_user(offset, &dirent->d_off))
50220 -@@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50221 - buf.previous = NULL;
50222 - buf.count = count;
50223 - buf.error = 0;
50224 -+ buf.file = file;
50225 -
50226 - error = vfs_readdir(file, filldir, &buf);
50227 - if (error >= 0)
50228 -@@ -228,6 +241,7 @@ out:
50229 - struct getdents_callback64 {
50230 - struct linux_dirent64 __user * current_dir;
50231 - struct linux_dirent64 __user * previous;
50232 -+ struct file *file;
50233 - int count;
50234 - int error;
50235 - };
50236 -@@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
50237 - buf->error = -EINVAL; /* only used if we fail.. */
50238 - if (reclen > buf->count)
50239 - return -EINVAL;
50240 -+
50241 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50242 -+ return 0;
50243 -+
50244 - dirent = buf->previous;
50245 - if (dirent) {
50246 - if (__put_user(offset, &dirent->d_off))
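Review bot: in filldir64() the new early return 0 for a filtered entry comes after buf->error has been set to -EINVAL, so a skipped entry leaves that value in place. The getdents64 hunk below reads error = buf.error, so if every entry offered during one call is filtered, the caller may see -EINVAL instead of an empty result. Either move the gr_acl_handle_filldir() check above the buf->error assignment or reset buf->error before returning.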
50247 -@@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50248 -
50249 - buf.current_dir = dirent;
50250 - buf.previous = NULL;
50251 -+ buf.file = file;
50252 - buf.count = count;
50253 - buf.error = 0;
50254 -
50255 -@@ -297,7 +316,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50256 - error = buf.error;
50257 - lastdirent = buf.previous;
50258 - if (lastdirent) {
50259 -- typeof(lastdirent->d_off) d_off = file->f_pos;
50260 -+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
50261 - if (__put_user(d_off, &lastdirent->d_off))
50262 - error = -EFAULT;
50263 - else
50264 -diff -urNp linux-2.6.32.46/fs/reiserfs/dir.c linux-2.6.32.46/fs/reiserfs/dir.c
50265 ---- linux-2.6.32.46/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
50266 -+++ linux-2.6.32.46/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
50267 -@@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50268 - struct reiserfs_dir_entry de;
50269 - int ret = 0;
50270 -
50271 -+ pax_track_stack();
50272 -+
50273 - reiserfs_write_lock(inode->i_sb);
50274 -
50275 - reiserfs_check_lock_depth(inode->i_sb, "readdir");
50276 -diff -urNp linux-2.6.32.46/fs/reiserfs/do_balan.c linux-2.6.32.46/fs/reiserfs/do_balan.c
50277 ---- linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-03-27 14:31:47.000000000 -0400
50278 -+++ linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-04-17 15:56:46.000000000 -0400
50279 -@@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
50280 - return;
50281 - }
50282 -
50283 -- atomic_inc(&(fs_generation(tb->tb_sb)));
50284 -+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50285 - do_balance_starts(tb);
50286 -
50287 - /* balance leaf returns 0 except if combining L R and S into
50288 -diff -urNp linux-2.6.32.46/fs/reiserfs/item_ops.c linux-2.6.32.46/fs/reiserfs/item_ops.c
50289 ---- linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-03-27 14:31:47.000000000 -0400
50290 -+++ linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-04-17 15:56:46.000000000 -0400
50291 -@@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50292 - vi->vi_index, vi->vi_type, vi->vi_ih);
50293 - }
50294 -
50295 --static struct item_operations stat_data_ops = {
50296 -+static const struct item_operations stat_data_ops = {
50297 - .bytes_number = sd_bytes_number,
50298 - .decrement_key = sd_decrement_key,
50299 - .is_left_mergeable = sd_is_left_mergeable,
50300 -@@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50301 - vi->vi_index, vi->vi_type, vi->vi_ih);
50302 - }
50303 -
50304 --static struct item_operations direct_ops = {
50305 -+static const struct item_operations direct_ops = {
50306 - .bytes_number = direct_bytes_number,
50307 - .decrement_key = direct_decrement_key,
50308 - .is_left_mergeable = direct_is_left_mergeable,
50309 -@@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50310 - vi->vi_index, vi->vi_type, vi->vi_ih);
50311 - }
50312 -
50313 --static struct item_operations indirect_ops = {
50314 -+static const struct item_operations indirect_ops = {
50315 - .bytes_number = indirect_bytes_number,
50316 - .decrement_key = indirect_decrement_key,
50317 - .is_left_mergeable = indirect_is_left_mergeable,
50318 -@@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50319 - printk("\n");
50320 - }
50321 -
50322 --static struct item_operations direntry_ops = {
50323 -+static const struct item_operations direntry_ops = {
50324 - .bytes_number = direntry_bytes_number,
50325 - .decrement_key = direntry_decrement_key,
50326 - .is_left_mergeable = direntry_is_left_mergeable,
50327 -@@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
50328 - "Invalid item type observed, run fsck ASAP");
50329 - }
50330 -
50331 --static struct item_operations errcatch_ops = {
50332 -+static const struct item_operations errcatch_ops = {
50333 - errcatch_bytes_number,
50334 - errcatch_decrement_key,
50335 - errcatch_is_left_mergeable,
50336 -@@ -746,7 +746,7 @@ static struct item_operations errcatch_o
50337 - #error Item types must use disk-format assigned values.
50338 - #endif
50339 -
50340 --struct item_operations *item_ops[TYPE_ANY + 1] = {
50341 -+const struct item_operations * const item_ops[TYPE_ANY + 1] = {
50342 - &stat_data_ops,
50343 - &indirect_ops,
50344 - &direct_ops,
50345 -diff -urNp linux-2.6.32.46/fs/reiserfs/journal.c linux-2.6.32.46/fs/reiserfs/journal.c
50346 ---- linux-2.6.32.46/fs/reiserfs/journal.c 2011-03-27 14:31:47.000000000 -0400
50347 -+++ linux-2.6.32.46/fs/reiserfs/journal.c 2011-05-16 21:46:57.000000000 -0400
50348 -@@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
50349 - struct buffer_head *bh;
50350 - int i, j;
50351 -
50352 -+ pax_track_stack();
50353 -+
50354 - bh = __getblk(dev, block, bufsize);
50355 - if (buffer_uptodate(bh))
50356 - return (bh);
50357 -diff -urNp linux-2.6.32.46/fs/reiserfs/namei.c linux-2.6.32.46/fs/reiserfs/namei.c
50358 ---- linux-2.6.32.46/fs/reiserfs/namei.c 2011-03-27 14:31:47.000000000 -0400
50359 -+++ linux-2.6.32.46/fs/reiserfs/namei.c 2011-05-16 21:46:57.000000000 -0400
50360 -@@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
50361 - unsigned long savelink = 1;
50362 - struct timespec ctime;
50363 -
50364 -+ pax_track_stack();
50365 -+
50366 - /* three balancings: (1) old name removal, (2) new name insertion
50367 - and (3) maybe "save" link insertion
50368 - stat data updates: (1) old directory,
50369 -diff -urNp linux-2.6.32.46/fs/reiserfs/procfs.c linux-2.6.32.46/fs/reiserfs/procfs.c
50370 ---- linux-2.6.32.46/fs/reiserfs/procfs.c 2011-03-27 14:31:47.000000000 -0400
50371 -+++ linux-2.6.32.46/fs/reiserfs/procfs.c 2011-05-16 21:46:57.000000000 -0400
50372 -@@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
50373 - "SMALL_TAILS " : "NO_TAILS ",
50374 - replay_only(sb) ? "REPLAY_ONLY " : "",
50375 - convert_reiserfs(sb) ? "CONV " : "",
50376 -- atomic_read(&r->s_generation_counter),
50377 -+ atomic_read_unchecked(&r->s_generation_counter),
50378 - SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
50379 - SF(s_do_balance), SF(s_unneeded_left_neighbor),
50380 - SF(s_good_search_by_key_reada), SF(s_bmaps),
50381 -@@ -309,6 +309,8 @@ static int show_journal(struct seq_file
50382 - struct journal_params *jp = &rs->s_v1.s_journal;
50383 - char b[BDEVNAME_SIZE];
50384 -
50385 -+ pax_track_stack();
50386 -+
50387 - seq_printf(m, /* on-disk fields */
50388 - "jp_journal_1st_block: \t%i\n"
50389 - "jp_journal_dev: \t%s[%x]\n"
50390 -diff -urNp linux-2.6.32.46/fs/reiserfs/stree.c linux-2.6.32.46/fs/reiserfs/stree.c
50391 ---- linux-2.6.32.46/fs/reiserfs/stree.c 2011-03-27 14:31:47.000000000 -0400
50392 -+++ linux-2.6.32.46/fs/reiserfs/stree.c 2011-05-16 21:46:57.000000000 -0400
50393 -@@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
50394 - int iter = 0;
50395 - #endif
50396 -
50397 -+ pax_track_stack();
50398 -+
50399 - BUG_ON(!th->t_trans_id);
50400 -
50401 - init_tb_struct(th, &s_del_balance, sb, path,
50402 -@@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
50403 - int retval;
50404 - int quota_cut_bytes = 0;
50405 -
50406 -+ pax_track_stack();
50407 -+
50408 - BUG_ON(!th->t_trans_id);
50409 -
50410 - le_key2cpu_key(&cpu_key, key);
50411 -@@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
50412 - int quota_cut_bytes;
50413 - loff_t tail_pos = 0;
50414 -
50415 -+ pax_track_stack();
50416 -+
50417 - BUG_ON(!th->t_trans_id);
50418 -
50419 - init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
50420 -@@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
50421 - int retval;
50422 - int fs_gen;
50423 -
50424 -+ pax_track_stack();
50425 -+
50426 - BUG_ON(!th->t_trans_id);
50427 -
50428 - fs_gen = get_generation(inode->i_sb);
50429 -@@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
50430 - int fs_gen = 0;
50431 - int quota_bytes = 0;
50432 -
50433 -+ pax_track_stack();
50434 -+
50435 - BUG_ON(!th->t_trans_id);
50436 -
50437 - if (inode) { /* Do we count quotas for item? */
50438 -diff -urNp linux-2.6.32.46/fs/reiserfs/super.c linux-2.6.32.46/fs/reiserfs/super.c
50439 ---- linux-2.6.32.46/fs/reiserfs/super.c 2011-03-27 14:31:47.000000000 -0400
50440 -+++ linux-2.6.32.46/fs/reiserfs/super.c 2011-05-16 21:46:57.000000000 -0400
50441 -@@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
50442 - {.option_name = NULL}
50443 - };
50444 -
50445 -+ pax_track_stack();
50446 -+
50447 - *blocks = 0;
50448 - if (!options || !*options)
50449 - /* use default configuration: create tails, journaling on, no
50450 -diff -urNp linux-2.6.32.46/fs/select.c linux-2.6.32.46/fs/select.c
50451 ---- linux-2.6.32.46/fs/select.c 2011-03-27 14:31:47.000000000 -0400
50452 -+++ linux-2.6.32.46/fs/select.c 2011-05-16 21:46:57.000000000 -0400
50453 -@@ -20,6 +20,7 @@
50454 - #include <linux/module.h>
50455 - #include <linux/slab.h>
50456 - #include <linux/poll.h>
50457 -+#include <linux/security.h>
50458 - #include <linux/personality.h> /* for STICKY_TIMEOUTS */
50459 - #include <linux/file.h>
50460 - #include <linux/fdtable.h>
50461 -@@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
50462 - int retval, i, timed_out = 0;
50463 - unsigned long slack = 0;
50464 -
50465 -+ pax_track_stack();
50466 -+
50467 - rcu_read_lock();
50468 - retval = max_select_fd(n, fds);
50469 - rcu_read_unlock();
50470 -@@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
50471 - /* Allocate small arguments on the stack to save memory and be faster */
50472 - long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
50473 -
50474 -+ pax_track_stack();
50475 -+
50476 - ret = -EINVAL;
50477 - if (n < 0)
50478 - goto out_nofds;
50479 -@@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
50480 - struct poll_list *walk = head;
50481 - unsigned long todo = nfds;
50482 -
50483 -+ pax_track_stack();
50484 -+
50485 -+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
50486 - if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
50487 - return -EINVAL;
50488 -
50489 -diff -urNp linux-2.6.32.46/fs/seq_file.c linux-2.6.32.46/fs/seq_file.c
50490 ---- linux-2.6.32.46/fs/seq_file.c 2011-03-27 14:31:47.000000000 -0400
50491 -+++ linux-2.6.32.46/fs/seq_file.c 2011-08-23 21:22:32.000000000 -0400
50492 -@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
50493 - return 0;
50494 - }
50495 - if (!m->buf) {
50496 -- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50497 -+ m->size = PAGE_SIZE;
50498 -+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50499 - if (!m->buf)
50500 - return -ENOMEM;
50501 - }
50502 -@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
50503 - Eoverflow:
50504 - m->op->stop(m, p);
50505 - kfree(m->buf);
50506 -- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
50507 -+ m->size <<= 1;
50508 -+ m->buf = kmalloc(m->size, GFP_KERNEL);
50509 - return !m->buf ? -ENOMEM : -EAGAIN;
50510 - }
50511 -
50512 -@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
50513 - m->version = file->f_version;
50514 - /* grab buffer if we didn't have one */
50515 - if (!m->buf) {
50516 -- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
50517 -+ m->size = PAGE_SIZE;
50518 -+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
50519 - if (!m->buf)
50520 - goto Enomem;
50521 - }
50522 -@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
50523 - goto Fill;
50524 - m->op->stop(m, p);
50525 - kfree(m->buf);
50526 -- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
50527 -+ m->size <<= 1;
50528 -+ m->buf = kmalloc(m->size, GFP_KERNEL);
50529 - if (!m->buf)
50530 - goto Enomem;
50531 - m->count = 0;
50532 -@@ -551,7 +555,7 @@ static void single_stop(struct seq_file
50533 - int single_open(struct file *file, int (*show)(struct seq_file *, void *),
50534 - void *data)
50535 - {
50536 -- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
50537 -+ seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
50538 - int res = -ENOMEM;
50539 -
50540 - if (op) {
50541 -diff -urNp linux-2.6.32.46/fs/smbfs/proc.c linux-2.6.32.46/fs/smbfs/proc.c
50542 ---- linux-2.6.32.46/fs/smbfs/proc.c 2011-03-27 14:31:47.000000000 -0400
50543 -+++ linux-2.6.32.46/fs/smbfs/proc.c 2011-08-05 20:33:55.000000000 -0400
50544 -@@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
50545 -
50546 - out:
50547 - if (server->local_nls != NULL && server->remote_nls != NULL)
50548 -- server->ops->convert = convert_cp;
50549 -+ *(void **)&server->ops->convert = convert_cp;
50550 - else
50551 -- server->ops->convert = convert_memcpy;
50552 -+ *(void **)&server->ops->convert = convert_memcpy;
50553 -
50554 - smb_unlock_server(server);
50555 - return n;
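Review bot: the *(void **)&server->ops->convert assignments in smb_setcodepage() write through a void ** cast, which discards the compiler's check that convert_cp and convert_memcpy match the member's function signature. If the cast is only there to get around a const-qualified ops structure, a typed non-const alias (as fs/seq_file.c does with seq_operations_no_const in this same patch) keeps the signature check; the same applies to the getattr assignments and the memcpy() cast in the following hunks.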
50556 -@@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
50557 -
50558 - /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
50559 - if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
50560 -- server->ops->getattr = smb_proc_getattr_core;
50561 -+ *(void **)&server->ops->getattr = smb_proc_getattr_core;
50562 - } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
50563 -- server->ops->getattr = smb_proc_getattr_ff;
50564 -+ *(void **)&server->ops->getattr = smb_proc_getattr_ff;
50565 - }
50566 -
50567 - /* Decode server capabilities */
50568 -@@ -3439,7 +3439,7 @@ out:
50569 - static void
50570 - install_ops(struct smb_ops *dst, struct smb_ops *src)
50571 - {
50572 -- memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
50573 -+ memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
50574 - }
50575 -
50576 - /* < LANMAN2 */
50577 -diff -urNp linux-2.6.32.46/fs/smbfs/symlink.c linux-2.6.32.46/fs/smbfs/symlink.c
50578 ---- linux-2.6.32.46/fs/smbfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
50579 -+++ linux-2.6.32.46/fs/smbfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
50580 -@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
50581 -
50582 - static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
50583 - {
50584 -- char *s = nd_get_link(nd);
50585 -+ const char *s = nd_get_link(nd);
50586 - if (!IS_ERR(s))
50587 - __putname(s);
50588 - }
50589 -diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
50590 ---- linux-2.6.32.46/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
50591 -+++ linux-2.6.32.46/fs/splice.c 2011-10-06 09:37:14.000000000 -0400
50592 -@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
50593 - pipe_lock(pipe);
50594 -
50595 - for (;;) {
50596 -- if (!pipe->readers) {
50597 -+ if (!atomic_read(&pipe->readers)) {
50598 - send_sig(SIGPIPE, current, 0);
50599 - if (!ret)
50600 - ret = -EPIPE;
50601 -@@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
50602 - do_wakeup = 0;
50603 - }
50604 -
50605 -- pipe->waiting_writers++;
50606 -+ atomic_inc(&pipe->waiting_writers);
50607 - pipe_wait(pipe);
50608 -- pipe->waiting_writers--;
50609 -+ atomic_dec(&pipe->waiting_writers);
50610 - }
50611 -
50612 - pipe_unlock(pipe);
50613 -@@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
50614 - .spd_release = spd_release_page,
50615 - };
50616 -
50617 -+ pax_track_stack();
50618 -+
50619 - index = *ppos >> PAGE_CACHE_SHIFT;
50620 - loff = *ppos & ~PAGE_CACHE_MASK;
50621 - req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
50622 -@@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
50623 - old_fs = get_fs();
50624 - set_fs(get_ds());
50625 - /* The cast to a user pointer is valid due to the set_fs() */
50626 -- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
50627 -+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
50628 - set_fs(old_fs);
50629 -
50630 - return res;
50631 -@@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
50632 - old_fs = get_fs();
50633 - set_fs(get_ds());
50634 - /* The cast to a user pointer is valid due to the set_fs() */
50635 -- res = vfs_write(file, (const char __user *)buf, count, &pos);
50636 -+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
50637 - set_fs(old_fs);
50638 -
50639 - return res;
50640 -@@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
50641 - .spd_release = spd_release_page,
50642 - };
50643 -
50644 -+ pax_track_stack();
50645 -+
50646 - index = *ppos >> PAGE_CACHE_SHIFT;
50647 - offset = *ppos & ~PAGE_CACHE_MASK;
50648 - nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
50649 -@@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
50650 - goto err;
50651 -
50652 - this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
50653 -- vec[i].iov_base = (void __user *) page_address(page);
50654 -+ vec[i].iov_base = (__force void __user *) page_address(page);
50655 - vec[i].iov_len = this_len;
50656 - pages[i] = page;
50657 - spd.nr_pages++;
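Review bot: the cast on vec[i].iov_base is spelled (__force void __user *) here, while the kernel_readv() and kernel_write() hunks above in the same file use the combined __force_user annotation. Pick one spelling for fs/splice.c so the forced kernel-to-user casts can be found with a single search.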
50658 -@@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
50659 - int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
50660 - {
50661 - while (!pipe->nrbufs) {
50662 -- if (!pipe->writers)
50663 -+ if (!atomic_read(&pipe->writers))
50664 - return 0;
50665 -
50666 -- if (!pipe->waiting_writers && sd->num_spliced)
50667 -+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
50668 - return 0;
50669 -
50670 - if (sd->flags & SPLICE_F_NONBLOCK)
50671 -@@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
50672 - * out of the pipe right after the splice_to_pipe(). So set
50673 - * PIPE_READERS appropriately.
50674 - */
50675 -- pipe->readers = 1;
50676 -+ atomic_set(&pipe->readers, 1);
50677 -
50678 - current->splice_pipe = pipe;
50679 - }
50680 -@@ -1592,6 +1596,8 @@ static long vmsplice_to_pipe(struct file
50681 - .spd_release = spd_release_page,
50682 - };
50683 -
50684 -+ pax_track_stack();
50685 -+
50686 - pipe = pipe_info(file->f_path.dentry->d_inode);
50687 - if (!pipe)
50688 - return -EBADF;
50689 -@@ -1700,9 +1706,9 @@ static int ipipe_prep(struct pipe_inode_
50690 - ret = -ERESTARTSYS;
50691 - break;
50692 - }
50693 -- if (!pipe->writers)
50694 -+ if (!atomic_read(&pipe->writers))
50695 - break;
50696 -- if (!pipe->waiting_writers) {
50697 -+ if (!atomic_read(&pipe->waiting_writers)) {
50698 - if (flags & SPLICE_F_NONBLOCK) {
50699 - ret = -EAGAIN;
50700 - break;
50701 -@@ -1734,7 +1740,7 @@ static int opipe_prep(struct pipe_inode_
50702 - pipe_lock(pipe);
50703 -
50704 - while (pipe->nrbufs >= PIPE_BUFFERS) {
50705 -- if (!pipe->readers) {
50706 -+ if (!atomic_read(&pipe->readers)) {
50707 - send_sig(SIGPIPE, current, 0);
50708 - ret = -EPIPE;
50709 - break;
50710 -@@ -1747,9 +1753,9 @@ static int opipe_prep(struct pipe_inode_
50711 - ret = -ERESTARTSYS;
50712 - break;
50713 - }
50714 -- pipe->waiting_writers++;
50715 -+ atomic_inc(&pipe->waiting_writers);
50716 - pipe_wait(pipe);
50717 -- pipe->waiting_writers--;
50718 -+ atomic_dec(&pipe->waiting_writers);
50719 - }
50720 -
50721 - pipe_unlock(pipe);
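Review bot: the `atomic_inc(&pipe->waiting_writers)` / `atomic_dec(&pipe->waiting_writers)` pair around `pipe_wait(pipe)` sits in a section that is bracketed by `pipe_lock(pipe)` (previous hunk of opipe_prep) and the `pipe_unlock(pipe)` visible here, and nothing in the hunk says why the counter had to become atomic. Add a comment stating the purpose of the conversion. Without one, the change reads as redundant with the existing locking and is likely to be dropped in a later cleanup.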
50722 -@@ -1785,14 +1791,14 @@ retry:
50723 - pipe_double_lock(ipipe, opipe);
50724 -
50725 - do {
50726 -- if (!opipe->readers) {
50727 -+ if (!atomic_read(&opipe->readers)) {
50728 - send_sig(SIGPIPE, current, 0);
50729 - if (!ret)
50730 - ret = -EPIPE;
50731 - break;
50732 - }
50733 -
50734 -- if (!ipipe->nrbufs && !ipipe->writers)
50735 -+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
50736 - break;
50737 -
50738 - /*
50739 -@@ -1892,7 +1898,7 @@ static int link_pipe(struct pipe_inode_i
50740 - pipe_double_lock(ipipe, opipe);
50741 -
50742 - do {
50743 -- if (!opipe->readers) {
50744 -+ if (!atomic_read(&opipe->readers)) {
50745 - send_sig(SIGPIPE, current, 0);
50746 - if (!ret)
50747 - ret = -EPIPE;
50748 -@@ -1937,7 +1943,7 @@ static int link_pipe(struct pipe_inode_i
50749 - * return EAGAIN if we have the potential of some data in the
50750 - * future, otherwise just return 0
50751 - */
50752 -- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
50753 -+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
50754 - ret = -EAGAIN;
50755 -
50756 - pipe_unlock(ipipe);
50757 -diff -urNp linux-2.6.32.46/fs/sysfs/file.c linux-2.6.32.46/fs/sysfs/file.c
50758 ---- linux-2.6.32.46/fs/sysfs/file.c 2011-03-27 14:31:47.000000000 -0400
50759 -+++ linux-2.6.32.46/fs/sysfs/file.c 2011-05-04 17:56:20.000000000 -0400
50760 -@@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
50761 -
50762 - struct sysfs_open_dirent {
50763 - atomic_t refcnt;
50764 -- atomic_t event;
50765 -+ atomic_unchecked_t event;
50766 - wait_queue_head_t poll;
50767 - struct list_head buffers; /* goes through sysfs_buffer.list */
50768 - };
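Review bot: in `struct sysfs_open_dirent`, `event` becomes `atomic_unchecked_t` while `refcnt` on the line above stays `atomic_t`, and there is no comment explaining why the two fields are treated differently. The later hunks in this file only copy `event` into `buffer->event` and compare the two for inequality, which suggests it is a change counter where wraparound is harmless. Say that in a one-line comment next to the field so the unchecked type is not copied onto a real reference count.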
50769 -@@ -53,7 +53,7 @@ struct sysfs_buffer {
50770 - size_t count;
50771 - loff_t pos;
50772 - char * page;
50773 -- struct sysfs_ops * ops;
50774 -+ const struct sysfs_ops * ops;
50775 - struct mutex mutex;
50776 - int needs_read_fill;
50777 - int event;
50778 -@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
50779 - {
50780 - struct sysfs_dirent *attr_sd = dentry->d_fsdata;
50781 - struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
50782 -- struct sysfs_ops * ops = buffer->ops;
50783 -+ const struct sysfs_ops * ops = buffer->ops;
50784 - int ret = 0;
50785 - ssize_t count;
50786 -
50787 -@@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
50788 - if (!sysfs_get_active_two(attr_sd))
50789 - return -ENODEV;
50790 -
50791 -- buffer->event = atomic_read(&attr_sd->s_attr.open->event);
50792 -+ buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
50793 - count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
50794 -
50795 - sysfs_put_active_two(attr_sd);
50796 -@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
50797 - {
50798 - struct sysfs_dirent *attr_sd = dentry->d_fsdata;
50799 - struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
50800 -- struct sysfs_ops * ops = buffer->ops;
50801 -+ const struct sysfs_ops * ops = buffer->ops;
50802 - int rc;
50803 -
50804 - /* need attr_sd for attr and ops, its parent for kobj */
50805 -@@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
50806 - return -ENOMEM;
50807 -
50808 - atomic_set(&new_od->refcnt, 0);
50809 -- atomic_set(&new_od->event, 1);
50810 -+ atomic_set_unchecked(&new_od->event, 1);
50811 - init_waitqueue_head(&new_od->poll);
50812 - INIT_LIST_HEAD(&new_od->buffers);
50813 - goto retry;
50814 -@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
50815 - struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
50816 - struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
50817 - struct sysfs_buffer *buffer;
50818 -- struct sysfs_ops *ops;
50819 -+ const struct sysfs_ops *ops;
50820 - int error = -EACCES;
50821 - char *p;
50822 -
50823 -@@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
50824 -
50825 - sysfs_put_active_two(attr_sd);
50826 -
50827 -- if (buffer->event != atomic_read(&od->event))
50828 -+ if (buffer->event != atomic_read_unchecked(&od->event))
50829 - goto trigger;
50830 -
50831 - return DEFAULT_POLLMASK;
50832 -@@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
50833 -
50834 - od = sd->s_attr.open;
50835 - if (od) {
50836 -- atomic_inc(&od->event);
50837 -+ atomic_inc_unchecked(&od->event);
50838 - wake_up_interruptible(&od->poll);
50839 - }
50840 -
50841 -diff -urNp linux-2.6.32.46/fs/sysfs/mount.c linux-2.6.32.46/fs/sysfs/mount.c
50842 ---- linux-2.6.32.46/fs/sysfs/mount.c 2011-03-27 14:31:47.000000000 -0400
50843 -+++ linux-2.6.32.46/fs/sysfs/mount.c 2011-04-17 15:56:46.000000000 -0400
50844 -@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
50845 - .s_name = "",
50846 - .s_count = ATOMIC_INIT(1),
50847 - .s_flags = SYSFS_DIR,
50848 -+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
50849 -+ .s_mode = S_IFDIR | S_IRWXU,
50850 -+#else
50851 - .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
50852 -+#endif
50853 - .s_ino = 1,
50854 - };
50855 -
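Review bot: the `#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch sets the root `.s_mode` to `S_IFDIR | S_IRWXU`, dropping `S_IRUGO | S_IXUGO`, which removes read and search permission on the sysfs root for everyone but the owner. That is a large behavioural change for a one-line initializer. Add a comment at the `#ifdef` naming the effect, so that someone debugging a non-root tool that can no longer read sysfs can find the cause from the source.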
50856 -diff -urNp linux-2.6.32.46/fs/sysfs/symlink.c linux-2.6.32.46/fs/sysfs/symlink.c
50857 ---- linux-2.6.32.46/fs/sysfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
50858 -+++ linux-2.6.32.46/fs/sysfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
50859 -@@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
50860 -
50861 - static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
50862 - {
50863 -- char *page = nd_get_link(nd);
50864 -+ const char *page = nd_get_link(nd);
50865 - if (!IS_ERR(page))
50866 - free_page((unsigned long)page);
50867 - }
50868 -diff -urNp linux-2.6.32.46/fs/udf/balloc.c linux-2.6.32.46/fs/udf/balloc.c
50869 ---- linux-2.6.32.46/fs/udf/balloc.c 2011-03-27 14:31:47.000000000 -0400
50870 -+++ linux-2.6.32.46/fs/udf/balloc.c 2011-04-17 15:56:46.000000000 -0400
50871 -@@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
50872 -
50873 - mutex_lock(&sbi->s_alloc_mutex);
50874 - partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
50875 -- if (bloc->logicalBlockNum < 0 ||
50876 -- (bloc->logicalBlockNum + count) >
50877 -- partmap->s_partition_len) {
50878 -+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
50879 - udf_debug("%d < %d || %d + %d > %d\n",
50880 - bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
50881 - count, partmap->s_partition_len);
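Review bot: the `udf_debug()` call directly below the rewritten condition still uses the format `"%d < %d || %d + %d > %d\n"` with `bloc->logicalBlockNum, 0` as its first two arguments, so it reports a `< 0` comparison that the condition no longer performs. Trim the format string and argument list to the remaining `logicalBlockNum + count > s_partition_len` test so the debug output matches the check that actually fired.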
50882 -@@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
50883 -
50884 - mutex_lock(&sbi->s_alloc_mutex);
50885 - partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
50886 -- if (bloc->logicalBlockNum < 0 ||
50887 -- (bloc->logicalBlockNum + count) >
50888 -- partmap->s_partition_len) {
50889 -+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
50890 - udf_debug("%d < %d || %d + %d > %d\n",
50891 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
50892 - partmap->s_partition_len);
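Review bot: the rewritten condition dereferences `bloc->logicalBlockNum`, but the `udf_debug()` arguments in the context lines use `bloc.logicalBlockNum`, so the two cannot both be right for the same `bloc`. Since this hunk already touches the statement, fix the debug arguments to match the condition and drop the stale `%d < %d ||` part of the format string, which describes the comparison removed here.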
50893 -diff -urNp linux-2.6.32.46/fs/udf/inode.c linux-2.6.32.46/fs/udf/inode.c
50894 ---- linux-2.6.32.46/fs/udf/inode.c 2011-03-27 14:31:47.000000000 -0400
50895 -+++ linux-2.6.32.46/fs/udf/inode.c 2011-05-16 21:46:57.000000000 -0400
50896 -@@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
50897 - int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
50898 - int lastblock = 0;
50899 -
50900 -+ pax_track_stack();
50901 -+
50902 - prev_epos.offset = udf_file_entry_alloc_offset(inode);
50903 - prev_epos.block = iinfo->i_location;
50904 - prev_epos.bh = NULL;
50905 -diff -urNp linux-2.6.32.46/fs/udf/misc.c linux-2.6.32.46/fs/udf/misc.c
50906 ---- linux-2.6.32.46/fs/udf/misc.c 2011-03-27 14:31:47.000000000 -0400
50907 -+++ linux-2.6.32.46/fs/udf/misc.c 2011-04-23 12:56:11.000000000 -0400
50908 -@@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
50909 -
50910 - u8 udf_tag_checksum(const struct tag *t)
50911 - {
50912 -- u8 *data = (u8 *)t;
50913 -+ const u8 *data = (const u8 *)t;
50914 - u8 checksum = 0;
50915 - int i;
50916 - for (i = 0; i < sizeof(struct tag); ++i)
50917 -diff -urNp linux-2.6.32.46/fs/utimes.c linux-2.6.32.46/fs/utimes.c
50918 ---- linux-2.6.32.46/fs/utimes.c 2011-03-27 14:31:47.000000000 -0400
50919 -+++ linux-2.6.32.46/fs/utimes.c 2011-04-17 15:56:46.000000000 -0400
50920 -@@ -1,6 +1,7 @@
50921 - #include <linux/compiler.h>
50922 - #include <linux/file.h>
50923 - #include <linux/fs.h>
50924 -+#include <linux/security.h>
50925 - #include <linux/linkage.h>
50926 - #include <linux/mount.h>
50927 - #include <linux/namei.h>
50928 -@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
50929 - goto mnt_drop_write_and_out;
50930 - }
50931 - }
50932 -+
50933 -+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
50934 -+ error = -EACCES;
50935 -+ goto mnt_drop_write_and_out;
50936 -+ }
50937 -+
50938 - mutex_lock(&inode->i_mutex);
50939 - error = notify_change(path->dentry, &newattrs);
50940 - mutex_unlock(&inode->i_mutex);
50941 -diff -urNp linux-2.6.32.46/fs/xattr.c linux-2.6.32.46/fs/xattr.c
50942 ---- linux-2.6.32.46/fs/xattr.c 2011-03-27 14:31:47.000000000 -0400
50943 -+++ linux-2.6.32.46/fs/xattr.c 2011-04-17 15:56:46.000000000 -0400
50944 -@@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
50945 - * Extended attribute SET operations
50946 - */
50947 - static long
50948 --setxattr(struct dentry *d, const char __user *name, const void __user *value,
50949 -+setxattr(struct path *path, const char __user *name, const void __user *value,
50950 - size_t size, int flags)
50951 - {
50952 - int error;
50953 -@@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
50954 - return PTR_ERR(kvalue);
50955 - }
50956 -
50957 -- error = vfs_setxattr(d, kname, kvalue, size, flags);
50958 -+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
50959 -+ error = -EACCES;
50960 -+ goto out;
50961 -+ }
50962 -+
50963 -+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
50964 -+out:
50965 - kfree(kvalue);
50966 - return error;
50967 - }
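Review bot: `gr_acl_handle_setxattr(path->dentry, path->mnt)` is called only after the value has been copied in (the `return PTR_ERR(kvalue);` path is above it), which is why the new `out:` label is needed to reach `kfree(kvalue)`. The check takes only the dentry and the mount, so it can run at the top of `setxattr()` and return `-EACCES` directly. That avoids allocating and copying a caller-sized buffer for a request that is going to be denied, and removes the extra label.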
50968 -@@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
50969 - return error;
50970 - error = mnt_want_write(path.mnt);
50971 - if (!error) {
50972 -- error = setxattr(path.dentry, name, value, size, flags);
50973 -+ error = setxattr(&path, name, value, size, flags);
50974 - mnt_drop_write(path.mnt);
50975 - }
50976 - path_put(&path);
50977 -@@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
50978 - return error;
50979 - error = mnt_want_write(path.mnt);
50980 - if (!error) {
50981 -- error = setxattr(path.dentry, name, value, size, flags);
50982 -+ error = setxattr(&path, name, value, size, flags);
50983 - mnt_drop_write(path.mnt);
50984 - }
50985 - path_put(&path);
50986 -@@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
50987 - const void __user *,value, size_t, size, int, flags)
50988 - {
50989 - struct file *f;
50990 -- struct dentry *dentry;
50991 - int error = -EBADF;
50992 -
50993 - f = fget(fd);
50994 - if (!f)
50995 - return error;
50996 -- dentry = f->f_path.dentry;
50997 -- audit_inode(NULL, dentry);
50998 -+ audit_inode(NULL, f->f_path.dentry);
50999 - error = mnt_want_write_file(f);
51000 - if (!error) {
51001 -- error = setxattr(dentry, name, value, size, flags);
51002 -+ error = setxattr(&f->f_path, name, value, size, flags);
51003 - mnt_drop_write(f->f_path.mnt);
51004 - }
51005 - fput(f);
51006 -diff -urNp linux-2.6.32.46/fs/xattr_acl.c linux-2.6.32.46/fs/xattr_acl.c
51007 ---- linux-2.6.32.46/fs/xattr_acl.c 2011-03-27 14:31:47.000000000 -0400
51008 -+++ linux-2.6.32.46/fs/xattr_acl.c 2011-04-17 15:56:46.000000000 -0400
51009 -@@ -17,8 +17,8 @@
51010 - struct posix_acl *
51011 - posix_acl_from_xattr(const void *value, size_t size)
51012 - {
51013 -- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51014 -- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51015 -+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51016 -+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51017 - int count;
51018 - struct posix_acl *acl;
51019 - struct posix_acl_entry *acl_e;
51020 -diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c
51021 ---- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 17:00:52.000000000 -0400
51022 -+++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:07:09.000000000 -0400
51023 -@@ -134,7 +134,7 @@ xfs_find_handle(
51024 - }
51025 -
51026 - error = -EFAULT;
51027 -- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51028 -+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51029 - copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51030 - goto out_put;
51031 -
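Review bot: the new `hsize > sizeof handle` test is folded into the same condition as the two `copy_to_user()` calls, so an oversized length leaves through `out_put` with `error = -EFAULT` and cannot be told apart from a bad user pointer. Make it a separate check ahead of the copy with its own error value, and write it as `sizeof(handle)` to match the `sizeof(__s32)` on the following line.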
51032 -@@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
51033 - if (IS_ERR(dentry))
51034 - return PTR_ERR(dentry);
51035 -
51036 -- kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
51037 -+ kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
51038 - if (!kbuf)
51039 - goto out_dput;
51040 -
51041 -@@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
51042 - xfs_mount_t *mp,
51043 - void __user *arg)
51044 - {
51045 -- xfs_fsop_geom_t fsgeo;
51046 -+ xfs_fsop_geom_t fsgeo;
51047 - int error;
51048 -
51049 - error = xfs_fs_geometry(mp, &fsgeo, 3);
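Review bot: the removed and added `xfs_fsop_geom_t fsgeo;` lines differ at most in whitespace, so `fsgeo` in `xfs_ioc_fsgeometry_v1()` is still handed to `xfs_fs_geometry(mp, &fsgeo, 3)` without being cleared, whereas the compat version in xfs_ioctl32.c gains `memset(&fsgeo, 0, sizeof(fsgeo));` before the same call. If the zeroing is needed there to keep stale stack bytes out of the structure, it is needed here too. Otherwise drop this whitespace-only hunk.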
51050 -diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c
51051 ---- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-27 14:31:47.000000000 -0400
51052 -+++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:56:46.000000000 -0400
51053 -@@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
51054 - xfs_fsop_geom_t fsgeo;
51055 - int error;
51056 -
51057 -+ memset(&fsgeo, 0, sizeof(fsgeo));
51058 - error = xfs_fs_geometry(mp, &fsgeo, 3);
51059 - if (error)
51060 - return -error;
51061 -diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c
51062 ---- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-03-27 14:31:47.000000000 -0400
51063 -+++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:56:46.000000000 -0400
51064 -@@ -468,7 +468,7 @@ xfs_vn_put_link(
51065 - struct nameidata *nd,
51066 - void *p)
51067 - {
51068 -- char *s = nd_get_link(nd);
51069 -+ const char *s = nd_get_link(nd);
51070 -
51071 - if (!IS_ERR(s))
51072 - kfree(s);
51073 -diff -urNp linux-2.6.32.46/fs/xfs/xfs_bmap.c linux-2.6.32.46/fs/xfs/xfs_bmap.c
51074 ---- linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-03-27 14:31:47.000000000 -0400
51075 -+++ linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-04-17 15:56:46.000000000 -0400
51076 -@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
51077 - int nmap,
51078 - int ret_nmap);
51079 - #else
51080 --#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51081 -+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51082 - #endif /* DEBUG */
51083 -
51084 - #if defined(XFS_RW_TRACE)
51085 -diff -urNp linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c
51086 ---- linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-03-27 14:31:47.000000000 -0400
51087 -+++ linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:07:30.000000000 -0400
51088 -@@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
51089 - }
51090 -
51091 - ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51092 -- if (filldir(dirent, sfep->name, sfep->namelen,
51093 -+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51094 -+ char name[sfep->namelen];
51095 -+ memcpy(name, sfep->name, sfep->namelen);
51096 -+ if (filldir(dirent, name, sfep->namelen,
51097 -+ off & 0x7fffffff, ino, DT_UNKNOWN)) {
51098 -+ *offset = off & 0x7fffffff;
51099 -+ return 0;
51100 -+ }
51101 -+ } else if (filldir(dirent, sfep->name, sfep->namelen,
51102 - off & 0x7fffffff, ino, DT_UNKNOWN)) {
51103 - *offset = off & 0x7fffffff;
51104 - return 0;
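Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack whose size comes from a field of the directory entry being read. Use a fixed-size buffer of the maximum name length instead, and add a comment explaining why the name must be copied when `if_u1.if_data == if_u2.if_inline_data`. The copy can then be hoisted so that a single `filldir()` call receives either `name` or `sfep->name`, rather than duplicating the call and the `*offset = off & 0x7fffffff; return 0;` tail in both branches.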
51105 -diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
51106 ---- linux-2.6.32.46/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
51107 -+++ linux-2.6.32.46/grsecurity/Kconfig 2011-09-15 00:00:38.000000000 -0400
51108 -@@ -0,0 +1,1037 @@
51109 -+#
51110 -+# grecurity configuration
51111 -+#
51112 -+
51113 -+menu "Grsecurity"
51114 -+
51115 -+config GRKERNSEC
51116 -+ bool "Grsecurity"
51117 -+ select CRYPTO
51118 -+ select CRYPTO_SHA256
51119 -+ help
51120 -+ If you say Y here, you will be able to configure many features
51121 -+ that will enhance the security of your system. It is highly
51122 -+ recommended that you say Y here and read through the help
51123 -+ for each option so that you fully understand the features and
51124 -+ can evaluate their usefulness for your machine.
51125 -+
51126 -+choice
51127 -+ prompt "Security Level"
51128 -+ depends on GRKERNSEC
51129 -+ default GRKERNSEC_CUSTOM
51130 -+
51131 -+config GRKERNSEC_LOW
51132 -+ bool "Low"
51133 -+ select GRKERNSEC_LINK
51134 -+ select GRKERNSEC_FIFO
51135 -+ select GRKERNSEC_RANDNET
51136 -+ select GRKERNSEC_DMESG
51137 -+ select GRKERNSEC_CHROOT
51138 -+ select GRKERNSEC_CHROOT_CHDIR
51139 -+
51140 -+ help
51141 -+ If you choose this option, several of the grsecurity options will
51142 -+ be enabled that will give you greater protection against a number
51143 -+ of attacks, while assuring that none of your software will have any
51144 -+ conflicts with the additional security measures. If you run a lot
51145 -+ of unusual software, or you are having problems with the higher
51146 -+ security levels, you should say Y here. With this option, the
51147 -+ following features are enabled:
51148 -+
51149 -+ - Linking restrictions
51150 -+ - FIFO restrictions
51151 -+ - Restricted dmesg
51152 -+ - Enforced chdir("/") on chroot
51153 -+ - Runtime module disabling
51154 -+
51155 -+config GRKERNSEC_MEDIUM
51156 -+ bool "Medium"
51157 -+ select PAX
51158 -+ select PAX_EI_PAX
51159 -+ select PAX_PT_PAX_FLAGS
51160 -+ select PAX_HAVE_ACL_FLAGS
51161 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
51162 -+ select GRKERNSEC_CHROOT
51163 -+ select GRKERNSEC_CHROOT_SYSCTL
51164 -+ select GRKERNSEC_LINK
51165 -+ select GRKERNSEC_FIFO
51166 -+ select GRKERNSEC_DMESG
51167 -+ select GRKERNSEC_RANDNET
51168 -+ select GRKERNSEC_FORKFAIL
51169 -+ select GRKERNSEC_TIME
51170 -+ select GRKERNSEC_SIGNAL
51171 -+ select GRKERNSEC_CHROOT
51172 -+ select GRKERNSEC_CHROOT_UNIX
51173 -+ select GRKERNSEC_CHROOT_MOUNT
51174 -+ select GRKERNSEC_CHROOT_PIVOT
51175 -+ select GRKERNSEC_CHROOT_DOUBLE
51176 -+ select GRKERNSEC_CHROOT_CHDIR
51177 -+ select GRKERNSEC_CHROOT_MKNOD
51178 -+ select GRKERNSEC_PROC
51179 -+ select GRKERNSEC_PROC_USERGROUP
51180 -+ select PAX_RANDUSTACK
51181 -+ select PAX_ASLR
51182 -+ select PAX_RANDMMAP
51183 -+ select PAX_REFCOUNT if (X86 || SPARC64)
51184 -+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
51185 -+
51186 -+ help
51187 -+ If you say Y here, several features in addition to those included
51188 -+ in the low additional security level will be enabled. These
51189 -+ features provide even more security to your system, though in rare
51190 -+ cases they may be incompatible with very old or poorly written
51191 -+ software. If you enable this option, make sure that your auth
51192 -+ service (identd) is running as gid 1001. With this option,
51193 -+ the following features (in addition to those provided in the
51194 -+ low additional security level) will be enabled:
51195 -+
51196 -+ - Failed fork logging
51197 -+ - Time change logging
51198 -+ - Signal logging
51199 -+ - Deny mounts in chroot
51200 -+ - Deny double chrooting
51201 -+ - Deny sysctl writes in chroot
51202 -+ - Deny mknod in chroot
51203 -+ - Deny access to abstract AF_UNIX sockets out of chroot
51204 -+ - Deny pivot_root in chroot
51205 -+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
51206 -+ - /proc restrictions with special GID set to 10 (usually wheel)
51207 -+ - Address Space Layout Randomization (ASLR)
51208 -+ - Prevent exploitation of most refcount overflows
51209 -+ - Bounds checking of copying between the kernel and userland
51210 -+
51211 -+config GRKERNSEC_HIGH
51212 -+ bool "High"
51213 -+ select GRKERNSEC_LINK
51214 -+ select GRKERNSEC_FIFO
51215 -+ select GRKERNSEC_DMESG
51216 -+ select GRKERNSEC_FORKFAIL
51217 -+ select GRKERNSEC_TIME
51218 -+ select GRKERNSEC_SIGNAL
51219 -+ select GRKERNSEC_CHROOT
51220 -+ select GRKERNSEC_CHROOT_SHMAT
51221 -+ select GRKERNSEC_CHROOT_UNIX
51222 -+ select GRKERNSEC_CHROOT_MOUNT
51223 -+ select GRKERNSEC_CHROOT_FCHDIR
51224 -+ select GRKERNSEC_CHROOT_PIVOT
51225 -+ select GRKERNSEC_CHROOT_DOUBLE
51226 -+ select GRKERNSEC_CHROOT_CHDIR
51227 -+ select GRKERNSEC_CHROOT_MKNOD
51228 -+ select GRKERNSEC_CHROOT_CAPS
51229 -+ select GRKERNSEC_CHROOT_SYSCTL
51230 -+ select GRKERNSEC_CHROOT_FINDTASK
51231 -+ select GRKERNSEC_SYSFS_RESTRICT
51232 -+ select GRKERNSEC_PROC
51233 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
51234 -+ select GRKERNSEC_HIDESYM
51235 -+ select GRKERNSEC_BRUTE
51236 -+ select GRKERNSEC_PROC_USERGROUP
51237 -+ select GRKERNSEC_KMEM
51238 -+ select GRKERNSEC_RESLOG
51239 -+ select GRKERNSEC_RANDNET
51240 -+ select GRKERNSEC_PROC_ADD
51241 -+ select GRKERNSEC_CHROOT_CHMOD
51242 -+ select GRKERNSEC_CHROOT_NICE
51243 -+ select GRKERNSEC_AUDIT_MOUNT
51244 -+ select GRKERNSEC_MODHARDEN if (MODULES)
51245 -+ select GRKERNSEC_HARDEN_PTRACE
51246 -+ select GRKERNSEC_VM86 if (X86_32)
51247 -+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
51248 -+ select PAX
51249 -+ select PAX_RANDUSTACK
51250 -+ select PAX_ASLR
51251 -+ select PAX_RANDMMAP
51252 -+ select PAX_NOEXEC
51253 -+ select PAX_MPROTECT
51254 -+ select PAX_EI_PAX
51255 -+ select PAX_PT_PAX_FLAGS
51256 -+ select PAX_HAVE_ACL_FLAGS
51257 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
51258 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
51259 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
51260 -+ select PAX_SEGMEXEC if (X86_32)
51261 -+ select PAX_PAGEEXEC
51262 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
51263 -+ select PAX_EMUTRAMP if (PARISC)
51264 -+ select PAX_EMUSIGRT if (PARISC)
51265 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
51266 -+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
51267 -+ select PAX_REFCOUNT if (X86 || SPARC64)
51268 -+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
51269 -+ help
51270 -+ If you say Y here, many of the features of grsecurity will be
51271 -+ enabled, which will protect you against many kinds of attacks
51272 -+ against your system. The heightened security comes at a cost
51273 -+ of an increased chance of incompatibilities with rare software
51274 -+ on your machine. Since this security level enables PaX, you should
51275 -+ view <http://pax.grsecurity.net> and read about the PaX
51276 -+ project. While you are there, download chpax and run it on
51277 -+ binaries that cause problems with PaX. Also remember that
51278 -+ since the /proc restrictions are enabled, you must run your
51279 -+ identd as gid 1001. This security level enables the following
51280 -+ features in addition to those listed in the low and medium
51281 -+ security levels:
51282 -+
51283 -+ - Additional /proc restrictions
51284 -+ - Chmod restrictions in chroot
51285 -+ - No signals, ptrace, or viewing of processes outside of chroot
51286 -+ - Capability restrictions in chroot
51287 -+ - Deny fchdir out of chroot
51288 -+ - Priority restrictions in chroot
51289 -+ - Segmentation-based implementation of PaX
51290 -+ - Mprotect restrictions
51291 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
51292 -+ - Kernel stack randomization
51293 -+ - Mount/unmount/remount logging
51294 -+ - Kernel symbol hiding
51295 -+ - Prevention of memory exhaustion-based exploits
51296 -+ - Hardening of module auto-loading
51297 -+ - Ptrace restrictions
51298 -+ - Restricted vm86 mode
51299 -+ - Restricted sysfs/debugfs
51300 -+ - Active kernel exploit response
51301 -+
51302 -+config GRKERNSEC_CUSTOM
51303 -+ bool "Custom"
51304 -+ help
51305 -+ If you say Y here, you will be able to configure every grsecurity
51306 -+ option, which allows you to enable many more features that aren't
51307 -+ covered in the basic security levels. These additional features
51308 -+ include TPE, socket restrictions, and the sysctl system for
51309 -+ grsecurity. It is advised that you read through the help for
51310 -+ each option to determine its usefulness in your situation.
51311 -+
51312 -+endchoice
51313 -+
51314 -+menu "Address Space Protection"
51315 -+depends on GRKERNSEC
51316 -+
51317 -+config GRKERNSEC_KMEM
51318 -+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
51319 -+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
51320 -+ help
51321 -+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
51322 -+ be written to via mmap or otherwise to modify the running kernel.
51323 -+ /dev/port will also not be allowed to be opened. If you have module
51324 -+ support disabled, enabling this will close up four ways that are
51325 -+ currently used to insert malicious code into the running kernel.
51326 -+ Even with all these features enabled, we still highly recommend that
51327 -+ you use the RBAC system, as it is still possible for an attacker to
51328 -+ modify the running kernel through privileged I/O granted by ioperm/iopl.
51329 -+ If you are not using XFree86, you may be able to stop this additional
51330 -+ case by enabling the 'Disable privileged I/O' option. Though nothing
51331 -+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
51332 -+ but only to video memory, which is the only writing we allow in this
51333 -+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
51334 -+ not be allowed to mprotect it with PROT_WRITE later.
51335 -+ It is highly recommended that you say Y here if you meet all the
51336 -+ conditions above.
51337 -+
51338 -+config GRKERNSEC_VM86
51339 -+ bool "Restrict VM86 mode"
51340 -+ depends on X86_32
51341 -+
51342 -+ help
51343 -+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
51344 -+ make use of a special execution mode on 32bit x86 processors called
51345 -+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
51346 -+ video cards and will still work with this option enabled. The purpose
51347 -+ of the option is to prevent exploitation of emulation errors in
51348 -+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
51349 -+ Nearly all users should be able to enable this option.
51350 -+
51351 -+config GRKERNSEC_IO
51352 -+ bool "Disable privileged I/O"
51353 -+ depends on X86
51354 -+ select RTC_CLASS
51355 -+ select RTC_INTF_DEV
51356 -+ select RTC_DRV_CMOS
51357 -+
51358 -+ help
51359 -+ If you say Y here, all ioperm and iopl calls will return an error.
51360 -+ Ioperm and iopl can be used to modify the running kernel.
51361 -+ Unfortunately, some programs need this access to operate properly,
51362 -+ the most notable of which are XFree86 and hwclock. hwclock can be
51363 -+ remedied by having RTC support in the kernel, so real-time
51364 -+ clock support is enabled if this option is enabled, to ensure
51365 -+ that hwclock operates correctly. XFree86 still will not
51366 -+ operate correctly with this option enabled, so DO NOT CHOOSE Y
51367 -+ IF YOU USE XFree86. If you use XFree86 and you still want to
51368 -+ protect your kernel against modification, use the RBAC system.
51369 -+
51370 -+config GRKERNSEC_PROC_MEMMAP
51371 -+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
51372 -+ default y if (PAX_NOEXEC || PAX_ASLR)
51373 -+ depends on PAX_NOEXEC || PAX_ASLR
51374 -+ help
51375 -+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
51376 -+ give no information about the addresses of its mappings if
51377 -+ PaX features that rely on random addresses are enabled on the task.
51378 -+ If you use PaX it is greatly recommended that you say Y here as it
51379 -+ closes up a hole that makes the full ASLR useless for suid
51380 -+ binaries.
51381 -+
51382 -+config GRKERNSEC_BRUTE
51383 -+ bool "Deter exploit bruteforcing"
51384 -+ help
51385 -+ If you say Y here, attempts to bruteforce exploits against forking
51386 -+ daemons such as apache or sshd, as well as against suid/sgid binaries
51387 -+ will be deterred. When a child of a forking daemon is killed by PaX
51388 -+ or crashes due to an illegal instruction or other suspicious signal,
51389 -+ the parent process will be delayed 30 seconds upon every subsequent
51390 -+ fork until the administrator is able to assess the situation and
51391 -+ restart the daemon.
51392 -+ In the suid/sgid case, the attempt is logged, the user has all their
51393 -+ processes terminated, and they are prevented from executing any further
51394 -+ processes for 15 minutes.
51395 -+ It is recommended that you also enable signal logging in the auditing
51396 -+ section so that logs are generated when a process triggers a suspicious
51397 -+ signal.
51398 -+ If the sysctl option is enabled, a sysctl option with name
51399 -+ "deter_bruteforce" is created.
51400 -+
51401 -+config GRKERNSEC_MODHARDEN
51402 -+ bool "Harden module auto-loading"
51403 -+ depends on MODULES
51404 -+ help
51405 -+ If you say Y here, module auto-loading in response to use of some
51406 -+ feature implemented by an unloaded module will be restricted to
51407 -+ root users. Enabling this option helps defend against attacks
51408 -+ by unprivileged users who abuse the auto-loading behavior to
51409 -+ cause a vulnerable module to load that is then exploited.
51410 -+
51411 -+ If this option prevents a legitimate use of auto-loading for a
51412 -+ non-root user, the administrator can execute modprobe manually
51413 -+ with the exact name of the module mentioned in the alert log.
51414 -+ Alternatively, the administrator can add the module to the list
51415 -+ of modules loaded at boot by modifying init scripts.
51416 -+
51417 -+ Modification of init scripts will most likely be needed on
51418 -+ Ubuntu servers with encrypted home directory support enabled,
51419 -+ as the first non-root user logging in will cause the ecb(aes),
51420 -+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
51421 -+
51422 -+config GRKERNSEC_HIDESYM
51423 -+ bool "Hide kernel symbols"
51424 -+ help
51425 -+ If you say Y here, getting information on loaded modules, and
51426 -+ displaying all kernel symbols through a syscall will be restricted
51427 -+ to users with CAP_SYS_MODULE. For software compatibility reasons,
51428 -+ /proc/kallsyms will be restricted to the root user. The RBAC
51429 -+ system can hide that entry even from root.
51430 -+
51431 -+ This option also prevents leaking of kernel addresses through
51432 -+ several /proc entries.
51433 -+
51434 -+ Note that this option is only effective provided the following
51435 -+ conditions are met:
51436 -+ 1) The kernel using grsecurity is not precompiled by some distribution
51437 -+ 2) You have also enabled GRKERNSEC_DMESG
51438 -+ 3) You are using the RBAC system and hiding other files such as your
51439 -+ kernel image and System.map. Alternatively, enabling this option
51440 -+ causes the permissions on /boot, /lib/modules, and the kernel
51441 -+ source directory to change at compile time to prevent
51442 -+ reading by non-root users.
51443 -+ If the above conditions are met, this option will aid in providing a
51444 -+ useful protection against local kernel exploitation of overflows
51445 -+ and arbitrary read/write vulnerabilities.
51446 -+
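Review bot: GRKERNSEC_HIDESYM says in its help that it is only effective when GRKERNSEC_DMESG is also enabled (condition 2), but the entry carries only `bool` and `help`, so nothing in Kconfig ties the two options together. A `select GRKERNSEC_DMESG` on this entry would keep a configuration from hiding symbols while kernel addresses stay readable from the log buffer. Condition 3 also packs two alternatives into one list item; splitting it would make clear that the compile-time permission change on /boot, /lib/modules and the kernel source directory is the fallback when RBAC is not used.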
51447 -+config GRKERNSEC_KERN_LOCKOUT
51448 -+ bool "Active kernel exploit response"
51449 -+ depends on X86 || ARM || PPC || SPARC
51450 -+ help
51451 -+ If you say Y here, when a PaX alert is triggered due to suspicious
51452 -+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
51453 -+ or an OOPs occurs due to bad memory accesses, instead of just
51454 -+ terminating the offending process (and potentially allowing
51455 -+ a subsequent exploit from the same user), we will take one of two
51456 -+ actions:
51457 -+ If the user was root, we will panic the system
51458 -+ If the user was non-root, we will log the attempt, terminate
51459 -+ all processes owned by the user, then prevent them from creating
51460 -+ any new processes until the system is restarted
51461 -+ This deters repeated kernel exploitation/bruteforcing attempts
51462 -+ and is useful for later forensics.
51463 -+
51464 -+endmenu
51465 -+menu "Role Based Access Control Options"
51466 -+depends on GRKERNSEC
51467 -+
51468 -+config GRKERNSEC_RBAC_DEBUG
51469 -+ bool
51470 -+
51471 -+config GRKERNSEC_NO_RBAC
51472 -+ bool "Disable RBAC system"
51473 -+ help
51474 -+ If you say Y here, the /dev/grsec device will be removed from the kernel,
51475 -+ preventing the RBAC system from being enabled. You should only say Y
51476 -+ here if you have no intention of using the RBAC system, so as to prevent
51477 -+ an attacker with root access from misusing the RBAC system to hide files
51478 -+ and processes when loadable module support and /dev/[k]mem have been
51479 -+ locked down.
51480 -+
51481 -+config GRKERNSEC_ACL_HIDEKERN
51482 -+ bool "Hide kernel processes"
51483 -+ help
51484 -+ If you say Y here, all kernel threads will be hidden to all
51485 -+ processes but those whose subject has the "view hidden processes"
51486 -+ flag.
51487 -+
51488 -+config GRKERNSEC_ACL_MAXTRIES
51489 -+ int "Maximum tries before password lockout"
51490 -+ default 3
51491 -+ help
51492 -+ This option enforces the maximum number of times a user can attempt
51493 -+ to authorize themselves with the grsecurity RBAC system before being
51494 -+ denied the ability to attempt authorization again for a specified time.
51495 -+ The lower the number, the harder it will be to brute-force a password.
51496 -+
51497 -+config GRKERNSEC_ACL_TIMEOUT
51498 -+ int "Time to wait after max password tries, in seconds"
51499 -+ default 30
51500 -+ help
51501 -+ This option specifies the time the user must wait after attempting to
51502 -+ authorize to the RBAC system with the maximum number of invalid
51503 -+ passwords. The higher the number, the harder it will be to brute-force
51504 -+ a password.
51505 -+
51506 -+endmenu
51507 -+menu "Filesystem Protections"
51508 -+depends on GRKERNSEC
51509 -+
51510 -+config GRKERNSEC_PROC
51511 -+ bool "Proc restrictions"
51512 -+ help
51513 -+ If you say Y here, the permissions of the /proc filesystem
51514 -+ will be altered to enhance system security and privacy. You MUST
51515 -+ choose either a user only restriction or a user and group restriction.
51516 -+ Depending upon the option you choose, you can either restrict users to
51517 -+ see only the processes they themselves run, or choose a group that can
51518 -+ view all processes and files normally restricted to root if you choose
51519 -+ the "restrict to user only" option. NOTE: If you're running identd as
51520 -+ a non-root user, you will have to run it as the group you specify here.
51521 -+
51522 -+config GRKERNSEC_PROC_USER
51523 -+ bool "Restrict /proc to user only"
51524 -+ depends on GRKERNSEC_PROC
51525 -+ help
51526 -+ If you say Y here, non-root users will only be able to view their own
51527 -+ processes, and restricts them from viewing network-related information,
51528 -+ and viewing kernel symbol and module information.
51529 -+
51530 -+config GRKERNSEC_PROC_USERGROUP
51531 -+ bool "Allow special group"
51532 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
51533 -+ help
51534 -+ If you say Y here, you will be able to select a group that will be
51535 -+ able to view all processes and network-related information. If you've
51536 -+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
51537 -+ remain hidden. This option is useful if you want to run identd as
51538 -+ a non-root user.
51539 -+
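Review bot: the GRKERNSEC_PROC help contradicts the dependencies of the entries below it. It says a group that can view all processes can be chosen "if you choose the "restrict to user only" option", while GRKERNSEC_PROC_USERGROUP is declared with `depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER`, so the group is offered only when the user-only option is off. The help should say the group applies when the user-only restriction is not selected. It also states that one of the two restrictions MUST be chosen, yet both are plain bools and either can be left at N; a `choice` block would enforce what the text requires.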
51540 -+config GRKERNSEC_PROC_GID
51541 -+ int "GID for special group"
51542 -+ depends on GRKERNSEC_PROC_USERGROUP
51543 -+ default 1001
51544 -+
51545 -+config GRKERNSEC_PROC_ADD
51546 -+ bool "Additional restrictions"
51547 -+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
51548 -+ help
51549 -+ If you say Y here, additional restrictions will be placed on
51550 -+ /proc that keep normal users from viewing device information and
51551 -+ slabinfo information that could be useful for exploits.
51552 -+
51553 -+config GRKERNSEC_LINK
51554 -+ bool "Linking restrictions"
51555 -+ help
51556 -+ If you say Y here, /tmp race exploits will be prevented, since users
51557 -+ will no longer be able to follow symlinks owned by other users in
51558 -+ world-writable +t directories (e.g. /tmp), unless the owner of the
51559 -+ symlink is the owner of the directory. users will also not be
51560 -+ able to hardlink to files they do not own. If the sysctl option is
51561 -+ enabled, a sysctl option with name "linking_restrictions" is created.
51562 -+
51563 -+config GRKERNSEC_FIFO
51564 -+ bool "FIFO restrictions"
51565 -+ help
51566 -+ If you say Y here, users will not be able to write to FIFOs they don't
51567 -+ own in world-writable +t directories (e.g. /tmp), unless the owner of
51568 -+ the FIFO is the same owner of the directory it's held in. If the sysctl
51569 -+ option is enabled, a sysctl option with name "fifo_restrictions" is
51570 -+ created.
51571 -+
51572 -+config GRKERNSEC_SYSFS_RESTRICT
51573 -+ bool "Sysfs/debugfs restriction"
51574 -+ depends on SYSFS
51575 -+ help
51576 -+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
51577 -+ any filesystem normally mounted under it (e.g. debugfs) will only
51578 -+ be accessible by root. These filesystems generally provide access
51579 -+ to hardware and debug information that isn't appropriate for unprivileged
51580 -+ users of the system. Sysfs and debugfs have also become a large source
51581 -+ of new vulnerabilities, ranging from infoleaks to local compromise.
51582 -+ There has been very little oversight with an eye toward security involved
51583 -+ in adding new exporters of information to these filesystems, so their
51584 -+ use is discouraged.
51585 -+ This option is equivalent to a chmod 0700 of the mount paths.
51586 -+
51587 -+config GRKERNSEC_ROFS
51588 -+ bool "Runtime read-only mount protection"
51589 -+ help
51590 -+ If you say Y here, a sysctl option with name "romount_protect" will
51591 -+ be created. By setting this option to 1 at runtime, filesystems
51592 -+ will be protected in the following ways:
51593 -+ * No new writable mounts will be allowed
51594 -+ * Existing read-only mounts won't be able to be remounted read/write
51595 -+ * Write operations will be denied on all block devices
51596 -+ This option acts independently of grsec_lock: once it is set to 1,
51597 -+ it cannot be turned off. Therefore, please be mindful of the resulting
51598 -+ behavior if this option is enabled in an init script on a read-only
51599 -+ filesystem. This feature is mainly intended for secure embedded systems.
51600 -+
51601 -+config GRKERNSEC_CHROOT
51602 -+ bool "Chroot jail restrictions"
51603 -+ help
51604 -+ If you say Y here, you will be able to choose several options that will
51605 -+ make breaking out of a chrooted jail much more difficult. If you
51606 -+ encounter no software incompatibilities with the following options, it
51607 -+ is recommended that you enable each one.
51608 -+
51609 -+config GRKERNSEC_CHROOT_MOUNT
51610 -+ bool "Deny mounts"
51611 -+ depends on GRKERNSEC_CHROOT
51612 -+ help
51613 -+ If you say Y here, processes inside a chroot will not be able to
51614 -+ mount or remount filesystems. If the sysctl option is enabled, a
51615 -+ sysctl option with name "chroot_deny_mount" is created.
51616 -+
51617 -+config GRKERNSEC_CHROOT_DOUBLE
51618 -+ bool "Deny double-chroots"
51619 -+ depends on GRKERNSEC_CHROOT
51620 -+ help
51621 -+ If you say Y here, processes inside a chroot will not be able to chroot
51622 -+ again outside the chroot. This is a widely used method of breaking
51623 -+ out of a chroot jail and should not be allowed. If the sysctl
51624 -+ option is enabled, a sysctl option with name
51625 -+ "chroot_deny_chroot" is created.
51626 -+
51627 -+config GRKERNSEC_CHROOT_PIVOT
51628 -+ bool "Deny pivot_root in chroot"
51629 -+ depends on GRKERNSEC_CHROOT
51630 -+ help
51631 -+ If you say Y here, processes inside a chroot will not be able to use
51632 -+ a function called pivot_root() that was introduced in Linux 2.3.41. It
51633 -+ works similar to chroot in that it changes the root filesystem. This
51634 -+ function could be misused in a chrooted process to attempt to break out
51635 -+ of the chroot, and therefore should not be allowed. If the sysctl
51636 -+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
51637 -+ created.
51638 -+
51639 -+config GRKERNSEC_CHROOT_CHDIR
51640 -+ bool "Enforce chdir(\"/\") on all chroots"
51641 -+ depends on GRKERNSEC_CHROOT
51642 -+ help
51643 -+ If you say Y here, the current working directory of all newly-chrooted
51644 -+ applications will be set to the the root directory of the chroot.
51645 -+ The man page on chroot(2) states:
51646 -+ Note that this call does not change the current working
51647 -+ directory, so that `.' can be outside the tree rooted at
51648 -+ `/'. In particular, the super-user can escape from a
51649 -+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
51650 -+
51651 -+ It is recommended that you say Y here, since it's not known to break
51652 -+ any software. If the sysctl option is enabled, a sysctl option with
51653 -+ name "chroot_enforce_chdir" is created.
51654 -+
51655 -+config GRKERNSEC_CHROOT_CHMOD
51656 -+ bool "Deny (f)chmod +s"
51657 -+ depends on GRKERNSEC_CHROOT
51658 -+ help
51659 -+ If you say Y here, processes inside a chroot will not be able to chmod
51660 -+ or fchmod files to make them have suid or sgid bits. This protects
51661 -+ against another published method of breaking a chroot. If the sysctl
51662 -+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
51663 -+ created.
51664 -+
51665 -+config GRKERNSEC_CHROOT_FCHDIR
51666 -+ bool "Deny fchdir out of chroot"
51667 -+ depends on GRKERNSEC_CHROOT
51668 -+ help
51669 -+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
51670 -+ to a file descriptor of the chrooting process that points to a directory
51671 -+ outside the filesystem will be stopped. If the sysctl option
51672 -+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
51673 -+
51674 -+config GRKERNSEC_CHROOT_MKNOD
51675 -+ bool "Deny mknod"
51676 -+ depends on GRKERNSEC_CHROOT
51677 -+ help
51678 -+ If you say Y here, processes inside a chroot will not be allowed to
51679 -+ mknod. The problem with using mknod inside a chroot is that it
51680 -+ would allow an attacker to create a device entry that is the same
51681 -+ as one on the physical root of your system, which could range from
51682 -+ anything from the console device to a device for your harddrive (which
51683 -+ they could then use to wipe the drive or steal data). It is recommended
51684 -+ that you say Y here, unless you run into software incompatibilities.
51685 -+ If the sysctl option is enabled, a sysctl option with name
51686 -+ "chroot_deny_mknod" is created.
51687 -+
51688 -+config GRKERNSEC_CHROOT_SHMAT
51689 -+ bool "Deny shmat() out of chroot"
51690 -+ depends on GRKERNSEC_CHROOT
51691 -+ help
51692 -+ If you say Y here, processes inside a chroot will not be able to attach
51693 -+ to shared memory segments that were created outside of the chroot jail.
51694 -+ It is recommended that you say Y here. If the sysctl option is enabled,
51695 -+ a sysctl option with name "chroot_deny_shmat" is created.
51696 -+
51697 -+config GRKERNSEC_CHROOT_UNIX
51698 -+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
51699 -+ depends on GRKERNSEC_CHROOT
51700 -+ help
51701 -+ If you say Y here, processes inside a chroot will not be able to
51702 -+ connect to abstract (meaning not belonging to a filesystem) Unix
51703 -+ domain sockets that were bound outside of a chroot. It is recommended
51704 -+ that you say Y here. If the sysctl option is enabled, a sysctl option
51705 -+ with name "chroot_deny_unix" is created.
51706 -+
51707 -+config GRKERNSEC_CHROOT_FINDTASK
51708 -+ bool "Protect outside processes"
51709 -+ depends on GRKERNSEC_CHROOT
51710 -+ help
51711 -+ If you say Y here, processes inside a chroot will not be able to
51712 -+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
51713 -+ getsid, or view any process outside of the chroot. If the sysctl
51714 -+ option is enabled, a sysctl option with name "chroot_findtask" is
51715 -+ created.
51716 -+
51717 -+config GRKERNSEC_CHROOT_NICE
51718 -+ bool "Restrict priority changes"
51719 -+ depends on GRKERNSEC_CHROOT
51720 -+ help
51721 -+ If you say Y here, processes inside a chroot will not be able to raise
51722 -+ the priority of processes in the chroot, or alter the priority of
51723 -+ processes outside the chroot. This provides more security than simply
51724 -+ removing CAP_SYS_NICE from the process' capability set. If the
51725 -+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
51726 -+ is created.
51727 -+
51728 -+config GRKERNSEC_CHROOT_SYSCTL
51729 -+ bool "Deny sysctl writes"
51730 -+ depends on GRKERNSEC_CHROOT
51731 -+ help
51732 -+ If you say Y here, an attacker in a chroot will not be able to
51733 -+ write to sysctl entries, either by sysctl(2) or through a /proc
51734 -+ interface. It is strongly recommended that you say Y here. If the
51735 -+ sysctl option is enabled, a sysctl option with name
51736 -+ "chroot_deny_sysctl" is created.
51737 -+
51738 -+config GRKERNSEC_CHROOT_CAPS
51739 -+ bool "Capability restrictions"
51740 -+ depends on GRKERNSEC_CHROOT
51741 -+ help
51742 -+ If you say Y here, the capabilities on all processes within a
51743 -+ chroot jail will be lowered to stop module insertion, raw i/o,
51744 -+ system and net admin tasks, rebooting the system, modifying immutable
51745 -+ files, modifying IPC owned by another, and changing the system time.
51746 -+ This is left an option because it can break some apps. Disable this
51747 -+ if your chrooted apps are having problems performing those kinds of
51748 -+ tasks. If the sysctl option is enabled, a sysctl option with
51749 -+ name "chroot_caps" is created.
51750 -+
51751 -+endmenu
51752 -+menu "Kernel Auditing"
51753 -+depends on GRKERNSEC
51754 -+
51755 -+config GRKERNSEC_AUDIT_GROUP
51756 -+ bool "Single group for auditing"
51757 -+ help
51758 -+ If you say Y here, the exec, chdir, and (un)mount logging features
51759 -+ will only operate on a group you specify. This option is recommended
51760 -+ if you only want to watch certain users instead of having a large
51761 -+ amount of logs from the entire system. If the sysctl option is enabled,
51762 -+ a sysctl option with name "audit_group" is created.
51763 -+
51764 -+config GRKERNSEC_AUDIT_GID
51765 -+ int "GID for auditing"
51766 -+ depends on GRKERNSEC_AUDIT_GROUP
51767 -+ default 1007
51768 -+
51769 -+config GRKERNSEC_EXECLOG
51770 -+ bool "Exec logging"
51771 -+ help
51772 -+ If you say Y here, all execve() calls will be logged (since the
51773 -+ other exec*() calls are frontends to execve(), all execution
51774 -+ will be logged). Useful for shell-servers that like to keep track
51775 -+ of their users. If the sysctl option is enabled, a sysctl option with
51776 -+ name "exec_logging" is created.
51777 -+ WARNING: This option when enabled will produce a LOT of logs, especially
51778 -+ on an active system.
51779 -+
51780 -+config GRKERNSEC_RESLOG
51781 -+ bool "Resource logging"
51782 -+ help
51783 -+ If you say Y here, all attempts to overstep resource limits will
51784 -+ be logged with the resource name, the requested size, and the current
51785 -+ limit. It is highly recommended that you say Y here. If the sysctl
51786 -+ option is enabled, a sysctl option with name "resource_logging" is
51787 -+ created. If the RBAC system is enabled, the sysctl value is ignored.
51788 -+
51789 -+config GRKERNSEC_CHROOT_EXECLOG
51790 -+ bool "Log execs within chroot"
51791 -+ help
51792 -+ If you say Y here, all executions inside a chroot jail will be logged
51793 -+ to syslog. This can cause a large amount of logs if certain
51794 -+ applications (eg. djb's daemontools) are installed on the system, and
51795 -+ is therefore left as an option. If the sysctl option is enabled, a
51796 -+ sysctl option with name "chroot_execlog" is created.
51797 -+
51798 -+config GRKERNSEC_AUDIT_PTRACE
51799 -+ bool "Ptrace logging"
51800 -+ help
51801 -+ If you say Y here, all attempts to attach to a process via ptrace
51802 -+ will be logged. If the sysctl option is enabled, a sysctl option
51803 -+ with name "audit_ptrace" is created.
51804 -+
51805 -+config GRKERNSEC_AUDIT_CHDIR
51806 -+ bool "Chdir logging"
51807 -+ help
51808 -+ If you say Y here, all chdir() calls will be logged. If the sysctl
51809 -+ option is enabled, a sysctl option with name "audit_chdir" is created.
51810 -+
51811 -+config GRKERNSEC_AUDIT_MOUNT
51812 -+ bool "(Un)Mount logging"
51813 -+ help
51814 -+ If you say Y here, all mounts and unmounts will be logged. If the
51815 -+ sysctl option is enabled, a sysctl option with name "audit_mount" is
51816 -+ created.
51817 -+
51818 -+config GRKERNSEC_SIGNAL
51819 -+ bool "Signal logging"
51820 -+ help
51821 -+ If you say Y here, certain important signals will be logged, such as
51822 -+ SIGSEGV, which will as a result inform you of when a error in a program
51823 -+ occurred, which in some cases could mean a possible exploit attempt.
51824 -+ If the sysctl option is enabled, a sysctl option with name
51825 -+ "signal_logging" is created.
51826 -+
51827 -+config GRKERNSEC_FORKFAIL
51828 -+ bool "Fork failure logging"
51829 -+ help
51830 -+ If you say Y here, all failed fork() attempts will be logged.
51831 -+ This could suggest a fork bomb, or someone attempting to overstep
51832 -+ their process limit. If the sysctl option is enabled, a sysctl option
51833 -+ with name "forkfail_logging" is created.
51834 -+
51835 -+config GRKERNSEC_TIME
51836 -+ bool "Time change logging"
51837 -+ help
51838 -+ If you say Y here, any changes of the system clock will be logged.
51839 -+ If the sysctl option is enabled, a sysctl option with name
51840 -+ "timechange_logging" is created.
51841 -+
51842 -+config GRKERNSEC_PROC_IPADDR
51843 -+ bool "/proc/<pid>/ipaddr support"
51844 -+ help
51845 -+ If you say Y here, a new entry will be added to each /proc/<pid>
51846 -+ directory that contains the IP address of the person using the task.
51847 -+ The IP is carried across local TCP and AF_UNIX stream sockets.
51848 -+ This information can be useful for IDS/IPSes to perform remote response
51849 -+ to a local attack. The entry is readable by only the owner of the
51850 -+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
51851 -+ the RBAC system), and thus does not create privacy concerns.
51852 -+
51853 -+config GRKERNSEC_RWXMAP_LOG
51854 -+ bool 'Denied RWX mmap/mprotect logging'
51855 -+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
51856 -+ help
51857 -+ If you say Y here, calls to mmap() and mprotect() with explicit
51858 -+ usage of PROT_WRITE and PROT_EXEC together will be logged when
51859 -+ denied by the PAX_MPROTECT feature. If the sysctl option is
51860 -+ enabled, a sysctl option with name "rwxmap_logging" is created.
51861 -+
51862 -+config GRKERNSEC_AUDIT_TEXTREL
51863 -+ bool 'ELF text relocations logging (READ HELP)'
51864 -+ depends on PAX_MPROTECT
51865 -+ help
51866 -+ If you say Y here, text relocations will be logged with the filename
51867 -+ of the offending library or binary. The purpose of the feature is
51868 -+ to help Linux distribution developers get rid of libraries and
51869 -+ binaries that need text relocations which hinder the future progress
51870 -+ of PaX. Only Linux distribution developers should say Y here, and
51871 -+ never on a production machine, as this option creates an information
51872 -+ leak that could aid an attacker in defeating the randomization of
51873 -+ a single memory region. If the sysctl option is enabled, a sysctl
51874 -+ option with name "audit_textrel" is created.
51875 -+
51876 -+endmenu
51877 -+
51878 -+menu "Executable Protections"
51879 -+depends on GRKERNSEC
51880 -+
51881 -+config GRKERNSEC_DMESG
51882 -+ bool "Dmesg(8) restriction"
51883 -+ help
51884 -+ If you say Y here, non-root users will not be able to use dmesg(8)
51885 -+ to view up to the last 4kb of messages in the kernel's log buffer.
51886 -+ The kernel's log buffer often contains kernel addresses and other
51887 -+ identifying information useful to an attacker in fingerprinting a
51888 -+ system for a targeted exploit.
51889 -+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
51890 -+ created.
51891 -+
51892 -+config GRKERNSEC_HARDEN_PTRACE
51893 -+ bool "Deter ptrace-based process snooping"
51894 -+ help
51895 -+ If you say Y here, TTY sniffers and other malicious monitoring
51896 -+ programs implemented through ptrace will be defeated. If you
51897 -+ have been using the RBAC system, this option has already been
51898 -+ enabled for several years for all users, with the ability to make
51899 -+ fine-grained exceptions.
51900 -+
51901 -+ This option only affects the ability of non-root users to ptrace
51902 -+ processes that are not a descendent of the ptracing process.
51903 -+ This means that strace ./binary and gdb ./binary will still work,
51904 -+ but attaching to arbitrary processes will not. If the sysctl
51905 -+ option is enabled, a sysctl option with name "harden_ptrace" is
51906 -+ created.
51907 -+
51908 -+config GRKERNSEC_TPE
51909 -+ bool "Trusted Path Execution (TPE)"
51910 -+ help
51911 -+ If you say Y here, you will be able to choose a gid to add to the
51912 -+ supplementary groups of users you want to mark as "untrusted."
51913 -+ These users will not be able to execute any files that are not in
51914 -+ root-owned directories writable only by root. If the sysctl option
51915 -+ is enabled, a sysctl option with name "tpe" is created.
51916 -+
51917 -+config GRKERNSEC_TPE_ALL
51918 -+ bool "Partially restrict all non-root users"
51919 -+ depends on GRKERNSEC_TPE
51920 -+ help
51921 -+ If you say Y here, all non-root users will be covered under
51922 -+ a weaker TPE restriction. This is separate from, and in addition to,
51923 -+ the main TPE options that you have selected elsewhere. Thus, if a
51924 -+ "trusted" GID is chosen, this restriction applies to even that GID.
51925 -+ Under this restriction, all non-root users will only be allowed to
51926 -+ execute files in directories they own that are not group or
51927 -+ world-writable, or in directories owned by root and writable only by
51928 -+ root. If the sysctl option is enabled, a sysctl option with name
51929 -+ "tpe_restrict_all" is created.
51930 -+
51931 -+config GRKERNSEC_TPE_INVERT
51932 -+ bool "Invert GID option"
51933 -+ depends on GRKERNSEC_TPE
51934 -+ help
51935 -+ If you say Y here, the group you specify in the TPE configuration will
51936 -+ decide what group TPE restrictions will be *disabled* for. This
51937 -+ option is useful if you want TPE restrictions to be applied to most
51938 -+ users on the system. If the sysctl option is enabled, a sysctl option
51939 -+ with name "tpe_invert" is created. Unlike other sysctl options, this
51940 -+ entry will default to on for backward-compatibility.
51941 -+
51942 -+config GRKERNSEC_TPE_GID
51943 -+ int "GID for untrusted users"
51944 -+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
51945 -+ default 1005
51946 -+ help
51947 -+ Setting this GID determines what group TPE restrictions will be
51948 -+ *enabled* for. If the sysctl option is enabled, a sysctl option
51949 -+ with name "tpe_gid" is created.
51950 -+
51951 -+config GRKERNSEC_TPE_GID
51952 -+ int "GID for trusted users"
51953 -+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
51954 -+ default 1005
51955 -+ help
51956 -+ Setting this GID determines what group TPE restrictions will be
51957 -+ *disabled* for. If the sysctl option is enabled, a sysctl option
51958 -+ with name "tpe_gid" is created.
51959 -+
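Review bot: GRKERNSEC_TPE_GID is declared twice with the same default of 1005, once as "GID for untrusted users" and once as "GID for trusted users", with GRKERNSEC_TPE_INVERT deciding which one applies. If the value is left alone, toggling the invert option turns the group that was restricted into the only group that is exempt. The GRKERNSEC_TPE_INVERT help further notes that the "tpe_invert" sysctl defaults to on, which neither GID entry mentions. Distinct defaults for the two prompts, or one sentence in each help naming the opposite meaning under the other setting, would make the flip visible at configuration time.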
51960 -+endmenu
51961 -+menu "Network Protections"
51962 -+depends on GRKERNSEC
51963 -+
51964 -+config GRKERNSEC_RANDNET
51965 -+ bool "Larger entropy pools"
51966 -+ help
51967 -+ If you say Y here, the entropy pools used for many features of Linux
51968 -+ and grsecurity will be doubled in size. Since several grsecurity
51969 -+ features use additional randomness, it is recommended that you say Y
51970 -+ here. Saying Y here has a similar effect as modifying
51971 -+ /proc/sys/kernel/random/poolsize.
51972 -+
51973 -+config GRKERNSEC_BLACKHOLE
51974 -+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
51975 -+ depends on NET
51976 -+ help
51977 -+ If you say Y here, neither TCP resets nor ICMP
51978 -+ destination-unreachable packets will be sent in response to packets
51979 -+ sent to ports for which no associated listening process exists.
51980 -+ This feature supports both IPV4 and IPV6 and exempts the
51981 -+ loopback interface from blackholing. Enabling this feature
51982 -+ makes a host more resilient to DoS attacks and reduces network
51983 -+ visibility against scanners.
51984 -+
51985 -+ The blackhole feature as-implemented is equivalent to the FreeBSD
51986 -+ blackhole feature, as it prevents RST responses to all packets, not
51987 -+ just SYNs. Under most application behavior this causes no
51988 -+ problems, but applications (like haproxy) may not close certain
51989 -+ connections in a way that cleanly terminates them on the remote
51990 -+ end, leaving the remote host in LAST_ACK state. Because of this
51991 -+ side-effect and to prevent intentional LAST_ACK DoSes, this
51992 -+ feature also adds automatic mitigation against such attacks.
51993 -+ The mitigation drastically reduces the amount of time a socket
51994 -+ can spend in LAST_ACK state. If you're using haproxy and not
51995 -+ all servers it connects to have this option enabled, consider
51996 -+ disabling this feature on the haproxy host.
51997 -+
51998 -+ If the sysctl option is enabled, two sysctl options with names
51999 -+ "ip_blackhole" and "lastack_retries" will be created.
52000 -+ While "ip_blackhole" takes the standard zero/non-zero on/off
52001 -+ toggle, "lastack_retries" uses the same kinds of values as
52002 -+ "tcp_retries1" and "tcp_retries2". The default value of 4
52003 -+ prevents a socket from lasting more than 45 seconds in LAST_ACK
52004 -+ state.
52005 -+
52006 -+config GRKERNSEC_SOCKET
52007 -+ bool "Socket restrictions"
52008 -+ depends on NET
52009 -+ help
52010 -+ If you say Y here, you will be able to choose from several options.
52011 -+ If you assign a GID on your system and add it to the supplementary
52012 -+ groups of users you want to restrict socket access to, this patch
52013 -+ will perform up to three things, based on the option(s) you choose.
52014 -+
52015 -+config GRKERNSEC_SOCKET_ALL
52016 -+ bool "Deny any sockets to group"
52017 -+ depends on GRKERNSEC_SOCKET
52018 -+ help
52019 -+ If you say Y here, you will be able to choose a GID of whose users will
52020 -+ be unable to connect to other hosts from your machine or run server
52021 -+ applications from your machine. If the sysctl option is enabled, a
52022 -+ sysctl option with name "socket_all" is created.
52023 -+
52024 -+config GRKERNSEC_SOCKET_ALL_GID
52025 -+ int "GID to deny all sockets for"
52026 -+ depends on GRKERNSEC_SOCKET_ALL
52027 -+ default 1004
52028 -+ help
52029 -+ Here you can choose the GID to disable socket access for. Remember to
52030 -+ add the users you want socket access disabled for to the GID
52031 -+ specified here. If the sysctl option is enabled, a sysctl option
52032 -+ with name "socket_all_gid" is created.
52033 -+
52034 -+config GRKERNSEC_SOCKET_CLIENT
52035 -+ bool "Deny client sockets to group"
52036 -+ depends on GRKERNSEC_SOCKET
52037 -+ help
52038 -+ If you say Y here, you will be able to choose a GID of whose users will
52039 -+ be unable to connect to other hosts from your machine, but will be
52040 -+ able to run servers. If this option is enabled, all users in the group
52041 -+ you specify will have to use passive mode when initiating ftp transfers
52042 -+ from the shell on your machine. If the sysctl option is enabled, a
52043 -+ sysctl option with name "socket_client" is created.
52044 -+
52045 -+config GRKERNSEC_SOCKET_CLIENT_GID
52046 -+ int "GID to deny client sockets for"
52047 -+ depends on GRKERNSEC_SOCKET_CLIENT
52048 -+ default 1003
52049 -+ help
52050 -+ Here you can choose the GID to disable client socket access for.
52051 -+ Remember to add the users you want client socket access disabled for to
52052 -+ the GID specified here. If the sysctl option is enabled, a sysctl
52053 -+ option with name "socket_client_gid" is created.
52054 -+
52055 -+config GRKERNSEC_SOCKET_SERVER
52056 -+ bool "Deny server sockets to group"
52057 -+ depends on GRKERNSEC_SOCKET
52058 -+ help
52059 -+ If you say Y here, you will be able to choose a GID of whose users will
52060 -+ be unable to run server applications from your machine. If the sysctl
52061 -+ option is enabled, a sysctl option with name "socket_server" is created.
52062 -+
52063 -+config GRKERNSEC_SOCKET_SERVER_GID
52064 -+ int "GID to deny server sockets for"
52065 -+ depends on GRKERNSEC_SOCKET_SERVER
52066 -+ default 1002
52067 -+ help
52068 -+ Here you can choose the GID to disable server socket access for.
52069 -+ Remember to add the users you want server socket access disabled for to
52070 -+ the GID specified here. If the sysctl option is enabled, a sysctl
52071 -+ option with name "socket_server_gid" is created.
52072 -+
52073 -+endmenu
52074 -+menu "Sysctl support"
52075 -+depends on GRKERNSEC && SYSCTL
52076 -+
52077 -+config GRKERNSEC_SYSCTL
52078 -+ bool "Sysctl support"
52079 -+ help
52080 -+ If you say Y here, you will be able to change the options that
52081 -+ grsecurity runs with at bootup, without having to recompile your
52082 -+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
52083 -+ to enable (1) or disable (0) various features. All the sysctl entries
52084 -+ are mutable until the "grsec_lock" entry is set to a non-zero value.
52085 -+ All features enabled in the kernel configuration are disabled at boot
52086 -+ if you do not say Y to the "Turn on features by default" option.
52087 -+ All options should be set at startup, and the grsec_lock entry should
52088 -+ be set to a non-zero value after all the options are set.
52089 -+ *THIS IS EXTREMELY IMPORTANT*
52090 -+
52091 -+config GRKERNSEC_SYSCTL_DISTRO
52092 -+ bool "Extra sysctl support for distro makers (READ HELP)"
52093 -+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
52094 -+ help
52095 -+ If you say Y here, additional sysctl options will be created
52096 -+ for features that affect processes running as root. Therefore,
52097 -+ it is critical when using this option that the grsec_lock entry be
52098 -+ enabled after boot. Only distros with prebuilt kernel packages
52099 -+ with this option enabled that can ensure grsec_lock is enabled
52100 -+ after boot should use this option.
52101 -+ *Failure to set grsec_lock after boot makes all grsec features
52102 -+ this option covers useless*
52103 -+
52104 -+ Currently this option creates the following sysctl entries:
52105 -+ "Disable Privileged I/O": "disable_priv_io"
52106 -+
52107 -+config GRKERNSEC_SYSCTL_ON
52108 -+ bool "Turn on features by default"
52109 -+ depends on GRKERNSEC_SYSCTL
52110 -+ help
52111 -+ If you say Y here, instead of having all features enabled in the
52112 -+ kernel configuration disabled at boot time, the features will be
52113 -+ enabled at boot time. It is recommended you say Y here unless
52114 -+ there is some reason you would want all sysctl-tunable features to
52115 -+ be disabled by default. As mentioned elsewhere, it is important
52116 -+ to enable the grsec_lock entry once you have finished modifying
52117 -+ the sysctl entries.
52118 -+
52119 -+endmenu
52120 -+menu "Logging Options"
52121 -+depends on GRKERNSEC
52122 -+
52123 -+config GRKERNSEC_FLOODTIME
52124 -+ int "Seconds in between log messages (minimum)"
52125 -+ default 10
52126 -+ help
52127 -+ This option allows you to enforce the number of seconds between
52128 -+ grsecurity log messages. The default should be suitable for most
52129 -+ people, however, if you choose to change it, choose a value small enough
52130 -+ to allow informative logs to be produced, but large enough to
52131 -+ prevent flooding.
52132 -+
52133 -+config GRKERNSEC_FLOODBURST
52134 -+ int "Number of messages in a burst (maximum)"
52135 -+ default 6
52136 -+ help
52137 -+ This option allows you to choose the maximum number of messages allowed
52138 -+ within the flood time interval you chose in a separate option. The
52139 -+ default should be suitable for most people, however if you find that
52140 -+ many of your logs are being interpreted as flooding, you may want to
52141 -+ raise this value.
52142 -+
52143 -+endmenu
52144 -+
52145 -+endmenu
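Review bot: GRKERNSEC_SYSCTL_ON in the "Sysctl support" menu has no default line, so a config that selects GRKERNSEC_SYSCTL and leaves the rest untouched boots with every sysctl-tunable feature disabled, even though the option's own help text recommends Y. Adding "default y" under its bool line would make the recommended state the one you get without reading the help. The grsec_lock requirement is likewise only documented ("*THIS IS EXTREMELY IMPORTANT*") and nothing in these entries enforces it, so the README or the init script shipped with the patchset should say where the non-zero value is written to /proc/sys/kernel/grsecurity/grsec_lock once the options are set. A smaller point: the fixed GID defaults 1003 and 1002 in GRKERNSEC_SOCKET_CLIENT_GID and GRKERNSEC_SOCKET_SERVER_GID can coincide with ordinary groups on an installed system, so the help text should ask the admin to confirm the group is reserved before enabling the option.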
52146 -diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefile
52147 ---- linux-2.6.32.46/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
52148 -+++ linux-2.6.32.46/grsecurity/Makefile 2011-10-17 06:48:36.000000000 -0400
52149 -@@ -0,0 +1,36 @@
52150 -+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
52151 -+# during 2001-2009 it has been completely redesigned by Brad Spengler
52152 -+# into an RBAC system
52153 -+#
52154 -+# All code in this directory and various hooks inserted throughout the kernel
52155 -+# are copyright Brad Spengler - Open Source Security, Inc., and released
52156 -+# under the GPL v2 or higher
52157 -+
52158 -+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
52159 -+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
52160 -+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
52161 -+
52162 -+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
52163 -+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
52164 -+ gracl_learn.o grsec_log.o
52165 -+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
52166 -+
52167 -+ifdef CONFIG_NET
52168 -+obj-y += grsec_sock.o
52169 -+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
52170 -+endif
52171 -+
52172 -+ifndef CONFIG_GRKERNSEC
52173 -+obj-y += grsec_disabled.o
52174 -+endif
52175 -+
52176 -+ifdef CONFIG_GRKERNSEC_HIDESYM
52177 -+extra-y := grsec_hidesym.o
52178 -+$(obj)/grsec_hidesym.o:
52179 -+ @-chmod -f 500 /boot
52180 -+ @-chmod -f 500 /lib/modules
52181 -+ @-chmod -f 500 /lib64/modules
52182 -+ @-chmod -f 500 /lib32/modules
52183 -+ @-chmod -f 700 .
52184 -+ @echo ' grsec: protected kernel image paths'
52185 -+endif
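Review bot: the $(obj)/grsec_hidesym.o rule under CONFIG_GRKERNSEC_HIDESYM reports success whether or not anything was protected. Each chmod is written as "@-chmod -f ...", which hides the command, suppresses its error output and ignores its exit status, and the final "@echo ' grsec: protected kernel image paths'" then runs unconditionally, so a build as a non-root user prints the message while /boot and the module directories keep their old modes. The rule also changes permissions on the build host (/boot, /lib/modules, /lib64/modules, /lib32/modules and the current directory) as a side effect of compiling, which is the wrong machine when the kernel is built for another system or inside a packaging sandbox. I would move the permission changes to an install-time step, or at least print the message only when the chmod calls succeed. The recipe also never creates grsec_hidesym.o, so it reruns on every build; a comment saying that is intended would help.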
52186 -diff -urNp linux-2.6.32.46/grsecurity/gracl.c linux-2.6.32.46/grsecurity/gracl.c
52187 ---- linux-2.6.32.46/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
52188 -+++ linux-2.6.32.46/grsecurity/gracl.c 2011-10-17 07:04:31.000000000 -0400
52189 -@@ -0,0 +1,4140 @@
52190 -+#include <linux/kernel.h>
52191 -+#include <linux/module.h>
52192 -+#include <linux/sched.h>
52193 -+#include <linux/mm.h>
52194 -+#include <linux/file.h>
52195 -+#include <linux/fs.h>
52196 -+#include <linux/namei.h>
52197 -+#include <linux/mount.h>
52198 -+#include <linux/tty.h>
52199 -+#include <linux/proc_fs.h>
52200 -+#include <linux/smp_lock.h>
52201 -+#include <linux/slab.h>
52202 -+#include <linux/vmalloc.h>
52203 -+#include <linux/types.h>
52204 -+#include <linux/sysctl.h>
52205 -+#include <linux/netdevice.h>
52206 -+#include <linux/ptrace.h>
52207 -+#include <linux/gracl.h>
52208 -+#include <linux/gralloc.h>
52209 -+#include <linux/grsecurity.h>
52210 -+#include <linux/grinternal.h>
52211 -+#include <linux/pid_namespace.h>
52212 -+#include <linux/fdtable.h>
52213 -+#include <linux/percpu.h>
52214 -+
52215 -+#include <asm/uaccess.h>
52216 -+#include <asm/errno.h>
52217 -+#include <asm/mman.h>
52218 -+
52219 -+static struct acl_role_db acl_role_set;
52220 -+static struct name_db name_set;
52221 -+static struct inodev_db inodev_set;
52222 -+
52223 -+/* for keeping track of userspace pointers used for subjects, so we
52224 -+ can share references in the kernel as well
52225 -+*/
52226 -+
52227 -+static struct dentry *real_root;
52228 -+static struct vfsmount *real_root_mnt;
52229 -+
52230 -+static struct acl_subj_map_db subj_map_set;
52231 -+
52232 -+static struct acl_role_label *default_role;
52233 -+
52234 -+static struct acl_role_label *role_list;
52235 -+
52236 -+static u16 acl_sp_role_value;
52237 -+
52238 -+extern char *gr_shared_page[4];
52239 -+static DEFINE_MUTEX(gr_dev_mutex);
52240 -+DEFINE_RWLOCK(gr_inode_lock);
52241 -+
52242 -+struct gr_arg *gr_usermode;
52243 -+
52244 -+static unsigned int gr_status __read_only = GR_STATUS_INIT;
52245 -+
52246 -+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
52247 -+extern void gr_clear_learn_entries(void);
52248 -+
52249 -+#ifdef CONFIG_GRKERNSEC_RESLOG
52250 -+extern void gr_log_resource(const struct task_struct *task,
52251 -+ const int res, const unsigned long wanted, const int gt);
52252 -+#endif
52253 -+
52254 -+unsigned char *gr_system_salt;
52255 -+unsigned char *gr_system_sum;
52256 -+
52257 -+static struct sprole_pw **acl_special_roles = NULL;
52258 -+static __u16 num_sprole_pws = 0;
52259 -+
52260 -+static struct acl_role_label *kernel_role = NULL;
52261 -+
52262 -+static unsigned int gr_auth_attempts = 0;
52263 -+static unsigned long gr_auth_expires = 0UL;
52264 -+
52265 -+#ifdef CONFIG_NET
52266 -+extern struct vfsmount *sock_mnt;
52267 -+#endif
52268 -+extern struct vfsmount *pipe_mnt;
52269 -+extern struct vfsmount *shm_mnt;
52270 -+#ifdef CONFIG_HUGETLBFS
52271 -+extern struct vfsmount *hugetlbfs_vfsmount;
52272 -+#endif
52273 -+
52274 -+static struct acl_object_label *fakefs_obj_rw;
52275 -+static struct acl_object_label *fakefs_obj_rwx;
52276 -+
52277 -+extern int gr_init_uidset(void);
52278 -+extern void gr_free_uidset(void);
52279 -+extern void gr_remove_uid(uid_t uid);
52280 -+extern int gr_find_uid(uid_t uid);
52281 -+
52282 -+__inline__ int
52283 -+gr_acl_is_enabled(void)
52284 -+{
52285 -+ return (gr_status & GR_READY);
52286 -+}
52287 -+
52288 -+#ifdef CONFIG_BTRFS_FS
52289 -+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52290 -+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52291 -+#endif
52292 -+
52293 -+static inline dev_t __get_dev(const struct dentry *dentry)
52294 -+{
52295 -+#ifdef CONFIG_BTRFS_FS
52296 -+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52297 -+ return get_btrfs_dev_from_inode(dentry->d_inode);
52298 -+ else
52299 -+#endif
52300 -+ return dentry->d_inode->i_sb->s_dev;
52301 -+}
52302 -+
52303 -+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
52304 -+{
52305 -+ return __get_dev(dentry);
52306 -+}
52307 -+
52308 -+static char gr_task_roletype_to_char(struct task_struct *task)
52309 -+{
52310 -+ switch (task->role->roletype &
52311 -+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
52312 -+ GR_ROLE_SPECIAL)) {
52313 -+ case GR_ROLE_DEFAULT:
52314 -+ return 'D';
52315 -+ case GR_ROLE_USER:
52316 -+ return 'U';
52317 -+ case GR_ROLE_GROUP:
52318 -+ return 'G';
52319 -+ case GR_ROLE_SPECIAL:
52320 -+ return 'S';
52321 -+ }
52322 -+
52323 -+ return 'X';
52324 -+}
52325 -+
52326 -+char gr_roletype_to_char(void)
52327 -+{
52328 -+ return gr_task_roletype_to_char(current);
52329 -+}
52330 -+
52331 -+__inline__ int
52332 -+gr_acl_tpe_check(void)
52333 -+{
52334 -+ if (unlikely(!(gr_status & GR_READY)))
52335 -+ return 0;
52336 -+ if (current->role->roletype & GR_ROLE_TPE)
52337 -+ return 1;
52338 -+ else
52339 -+ return 0;
52340 -+}
52341 -+
52342 -+int
52343 -+gr_handle_rawio(const struct inode *inode)
52344 -+{
52345 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52346 -+ if (inode && S_ISBLK(inode->i_mode) &&
52347 -+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
52348 -+ !capable(CAP_SYS_RAWIO))
52349 -+ return 1;
52350 -+#endif
52351 -+ return 0;
52352 -+}
52353 -+
52354 -+static int
52355 -+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
52356 -+{
52357 -+ if (likely(lena != lenb))
52358 -+ return 0;
52359 -+
52360 -+ return !memcmp(a, b, lena);
52361 -+}
52362 -+
52363 -+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
52364 -+{
52365 -+ *buflen -= namelen;
52366 -+ if (*buflen < 0)
52367 -+ return -ENAMETOOLONG;
52368 -+ *buffer -= namelen;
52369 -+ memcpy(*buffer, str, namelen);
52370 -+ return 0;
52371 -+}
52372 -+
52373 -+/* this must be called with vfsmount_lock and dcache_lock held */
52374 -+
52375 -+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52376 -+ struct dentry *root, struct vfsmount *rootmnt,
52377 -+ char *buffer, int buflen)
52378 -+{
52379 -+ char * end = buffer+buflen;
52380 -+ char * retval;
52381 -+ int namelen;
52382 -+
52383 -+ *--end = '\0';
52384 -+ buflen--;
52385 -+
52386 -+ if (buflen < 1)
52387 -+ goto Elong;
52388 -+ /* Get '/' right */
52389 -+ retval = end-1;
52390 -+ *retval = '/';
52391 -+
52392 -+ for (;;) {
52393 -+ struct dentry * parent;
52394 -+
52395 -+ if (dentry == root && vfsmnt == rootmnt)
52396 -+ break;
52397 -+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
52398 -+ /* Global root? */
52399 -+ if (vfsmnt->mnt_parent == vfsmnt)
52400 -+ goto global_root;
52401 -+ dentry = vfsmnt->mnt_mountpoint;
52402 -+ vfsmnt = vfsmnt->mnt_parent;
52403 -+ continue;
52404 -+ }
52405 -+ parent = dentry->d_parent;
52406 -+ prefetch(parent);
52407 -+ namelen = dentry->d_name.len;
52408 -+ buflen -= namelen + 1;
52409 -+ if (buflen < 0)
52410 -+ goto Elong;
52411 -+ end -= namelen;
52412 -+ memcpy(end, dentry->d_name.name, namelen);
52413 -+ *--end = '/';
52414 -+ retval = end;
52415 -+ dentry = parent;
52416 -+ }
52417 -+
52418 -+out:
52419 -+ return retval;
52420 -+
52421 -+global_root:
52422 -+ namelen = dentry->d_name.len;
52423 -+ buflen -= namelen;
52424 -+ if (buflen < 0)
52425 -+ goto Elong;
52426 -+ retval -= namelen-1; /* hit the slash */
52427 -+ memcpy(retval, dentry->d_name.name, namelen);
52428 -+ goto out;
52429 -+Elong:
52430 -+ retval = ERR_PTR(-ENAMETOOLONG);
52431 -+ goto out;
52432 -+}
52433 -+
52434 -+static char *
52435 -+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52436 -+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
52437 -+{
52438 -+ char *retval;
52439 -+
52440 -+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
52441 -+ if (unlikely(IS_ERR(retval)))
52442 -+ retval = strcpy(buf, "<path too long>");
52443 -+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
52444 -+ retval[1] = '\0';
52445 -+
52446 -+ return retval;
52447 -+}
52448 -+
52449 -+static char *
52450 -+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52451 -+ char *buf, int buflen)
52452 -+{
52453 -+ char *res;
52454 -+
52455 -+ /* we can use real_root, real_root_mnt, because this is only called
52456 -+ by the RBAC system */
52457 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
52458 -+
52459 -+ return res;
52460 -+}
52461 -+
52462 -+static char *
52463 -+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52464 -+ char *buf, int buflen)
52465 -+{
52466 -+ char *res;
52467 -+ struct dentry *root;
52468 -+ struct vfsmount *rootmnt;
52469 -+ struct task_struct *reaper = &init_task;
52470 -+
52471 -+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
52472 -+ read_lock(&reaper->fs->lock);
52473 -+ root = dget(reaper->fs->root.dentry);
52474 -+ rootmnt = mntget(reaper->fs->root.mnt);
52475 -+ read_unlock(&reaper->fs->lock);
52476 -+
52477 -+ spin_lock(&dcache_lock);
52478 -+ spin_lock(&vfsmount_lock);
52479 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
52480 -+ spin_unlock(&vfsmount_lock);
52481 -+ spin_unlock(&dcache_lock);
52482 -+
52483 -+ dput(root);
52484 -+ mntput(rootmnt);
52485 -+ return res;
52486 -+}
52487 -+
52488 -+static char *
52489 -+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52490 -+{
52491 -+ char *ret;
52492 -+ spin_lock(&dcache_lock);
52493 -+ spin_lock(&vfsmount_lock);
52494 -+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52495 -+ PAGE_SIZE);
52496 -+ spin_unlock(&vfsmount_lock);
52497 -+ spin_unlock(&dcache_lock);
52498 -+ return ret;
52499 -+}
52500 -+
52501 -+static char *
52502 -+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52503 -+{
52504 -+ char *ret;
52505 -+ char *buf;
52506 -+ int buflen;
52507 -+
52508 -+ spin_lock(&dcache_lock);
52509 -+ spin_lock(&vfsmount_lock);
52510 -+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
52511 -+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
52512 -+ buflen = (int)(ret - buf);
52513 -+ if (buflen >= 5)
52514 -+ prepend(&ret, &buflen, "/proc", 5);
52515 -+ else
52516 -+ ret = strcpy(buf, "<path too long>");
52517 -+ spin_unlock(&vfsmount_lock);
52518 -+ spin_unlock(&dcache_lock);
52519 -+ return ret;
52520 -+}
52521 -+
52522 -+char *
52523 -+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52524 -+{
52525 -+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52526 -+ PAGE_SIZE);
52527 -+}
52528 -+
52529 -+char *
52530 -+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52531 -+{
52532 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52533 -+ PAGE_SIZE);
52534 -+}
52535 -+
52536 -+char *
52537 -+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52538 -+{
52539 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52540 -+ PAGE_SIZE);
52541 -+}
52542 -+
52543 -+char *
52544 -+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52545 -+{
52546 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52547 -+ PAGE_SIZE);
52548 -+}
52549 -+
52550 -+char *
52551 -+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52552 -+{
52553 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52554 -+ PAGE_SIZE);
52555 -+}
52556 -+
52557 -+__inline__ __u32
52558 -+to_gr_audit(const __u32 reqmode)
52559 -+{
52560 -+ /* masks off auditable permission flags, then shifts them to create
52561 -+ auditing flags, and adds the special case of append auditing if
52562 -+ we're requesting write */
52563 -+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52564 -+}
52565 -+
52566 -+struct acl_subject_label *
52567 -+lookup_subject_map(const struct acl_subject_label *userp)
52568 -+{
52569 -+ unsigned int index = shash(userp, subj_map_set.s_size);
52570 -+ struct subject_map *match;
52571 -+
52572 -+ match = subj_map_set.s_hash[index];
52573 -+
52574 -+ while (match && match->user != userp)
52575 -+ match = match->next;
52576 -+
52577 -+ if (match != NULL)
52578 -+ return match->kernel;
52579 -+ else
52580 -+ return NULL;
52581 -+}
52582 -+
52583 -+static void
52584 -+insert_subj_map_entry(struct subject_map *subjmap)
52585 -+{
52586 -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52587 -+ struct subject_map **curr;
52588 -+
52589 -+ subjmap->prev = NULL;
52590 -+
52591 -+ curr = &subj_map_set.s_hash[index];
52592 -+ if (*curr != NULL)
52593 -+ (*curr)->prev = subjmap;
52594 -+
52595 -+ subjmap->next = *curr;
52596 -+ *curr = subjmap;
52597 -+
52598 -+ return;
52599 -+}
52600 -+
52601 -+static struct acl_role_label *
52602 -+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52603 -+ const gid_t gid)
52604 -+{
52605 -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52606 -+ struct acl_role_label *match;
52607 -+ struct role_allowed_ip *ipp;
52608 -+ unsigned int x;
52609 -+ u32 curr_ip = task->signal->curr_ip;
52610 -+
52611 -+ task->signal->saved_ip = curr_ip;
52612 -+
52613 -+ match = acl_role_set.r_hash[index];
52614 -+
52615 -+ while (match) {
52616 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52617 -+ for (x = 0; x < match->domain_child_num; x++) {
52618 -+ if (match->domain_children[x] == uid)
52619 -+ goto found;
52620 -+ }
52621 -+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52622 -+ break;
52623 -+ match = match->next;
52624 -+ }
52625 -+found:
52626 -+ if (match == NULL) {
52627 -+ try_group:
52628 -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52629 -+ match = acl_role_set.r_hash[index];
52630 -+
52631 -+ while (match) {
52632 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52633 -+ for (x = 0; x < match->domain_child_num; x++) {
52634 -+ if (match->domain_children[x] == gid)
52635 -+ goto found2;
52636 -+ }
52637 -+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52638 -+ break;
52639 -+ match = match->next;
52640 -+ }
52641 -+found2:
52642 -+ if (match == NULL)
52643 -+ match = default_role;
52644 -+ if (match->allowed_ips == NULL)
52645 -+ return match;
52646 -+ else {
52647 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52648 -+ if (likely
52649 -+ ((ntohl(curr_ip) & ipp->netmask) ==
52650 -+ (ntohl(ipp->addr) & ipp->netmask)))
52651 -+ return match;
52652 -+ }
52653 -+ match = default_role;
52654 -+ }
52655 -+ } else if (match->allowed_ips == NULL) {
52656 -+ return match;
52657 -+ } else {
52658 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52659 -+ if (likely
52660 -+ ((ntohl(curr_ip) & ipp->netmask) ==
52661 -+ (ntohl(ipp->addr) & ipp->netmask)))
52662 -+ return match;
52663 -+ }
52664 -+ goto try_group;
52665 -+ }
52666 -+
52667 -+ return match;
52668 -+}
52669 -+
52670 -+struct acl_subject_label *
52671 -+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52672 -+ const struct acl_role_label *role)
52673 -+{
52674 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
52675 -+ struct acl_subject_label *match;
52676 -+
52677 -+ match = role->subj_hash[index];
52678 -+
52679 -+ while (match && (match->inode != ino || match->device != dev ||
52680 -+ (match->mode & GR_DELETED))) {
52681 -+ match = match->next;
52682 -+ }
52683 -+
52684 -+ if (match && !(match->mode & GR_DELETED))
52685 -+ return match;
52686 -+ else
52687 -+ return NULL;
52688 -+}
52689 -+
52690 -+struct acl_subject_label *
52691 -+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52692 -+ const struct acl_role_label *role)
52693 -+{
52694 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
52695 -+ struct acl_subject_label *match;
52696 -+
52697 -+ match = role->subj_hash[index];
52698 -+
52699 -+ while (match && (match->inode != ino || match->device != dev ||
52700 -+ !(match->mode & GR_DELETED))) {
52701 -+ match = match->next;
52702 -+ }
52703 -+
52704 -+ if (match && (match->mode & GR_DELETED))
52705 -+ return match;
52706 -+ else
52707 -+ return NULL;
52708 -+}
52709 -+
52710 -+static struct acl_object_label *
52711 -+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52712 -+ const struct acl_subject_label *subj)
52713 -+{
52714 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52715 -+ struct acl_object_label *match;
52716 -+
52717 -+ match = subj->obj_hash[index];
52718 -+
52719 -+ while (match && (match->inode != ino || match->device != dev ||
52720 -+ (match->mode & GR_DELETED))) {
52721 -+ match = match->next;
52722 -+ }
52723 -+
52724 -+ if (match && !(match->mode & GR_DELETED))
52725 -+ return match;
52726 -+ else
52727 -+ return NULL;
52728 -+}
52729 -+
52730 -+static struct acl_object_label *
52731 -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52732 -+ const struct acl_subject_label *subj)
52733 -+{
52734 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52735 -+ struct acl_object_label *match;
52736 -+
52737 -+ match = subj->obj_hash[index];
52738 -+
52739 -+ while (match && (match->inode != ino || match->device != dev ||
52740 -+ !(match->mode & GR_DELETED))) {
52741 -+ match = match->next;
52742 -+ }
52743 -+
52744 -+ if (match && (match->mode & GR_DELETED))
52745 -+ return match;
52746 -+
52747 -+ match = subj->obj_hash[index];
52748 -+
52749 -+ while (match && (match->inode != ino || match->device != dev ||
52750 -+ (match->mode & GR_DELETED))) {
52751 -+ match = match->next;
52752 -+ }
52753 -+
52754 -+ if (match && !(match->mode & GR_DELETED))
52755 -+ return match;
52756 -+ else
52757 -+ return NULL;
52758 -+}
52759 -+
52760 -+static struct name_entry *
52761 -+lookup_name_entry(const char *name)
52762 -+{
52763 -+ unsigned int len = strlen(name);
52764 -+ unsigned int key = full_name_hash(name, len);
52765 -+ unsigned int index = key % name_set.n_size;
52766 -+ struct name_entry *match;
52767 -+
52768 -+ match = name_set.n_hash[index];
52769 -+
52770 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52771 -+ match = match->next;
52772 -+
52773 -+ return match;
52774 -+}
52775 -+
52776 -+static struct name_entry *
52777 -+lookup_name_entry_create(const char *name)
52778 -+{
52779 -+ unsigned int len = strlen(name);
52780 -+ unsigned int key = full_name_hash(name, len);
52781 -+ unsigned int index = key % name_set.n_size;
52782 -+ struct name_entry *match;
52783 -+
52784 -+ match = name_set.n_hash[index];
52785 -+
52786 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52787 -+ !match->deleted))
52788 -+ match = match->next;
52789 -+
52790 -+ if (match && match->deleted)
52791 -+ return match;
52792 -+
52793 -+ match = name_set.n_hash[index];
52794 -+
52795 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52796 -+ match->deleted))
52797 -+ match = match->next;
52798 -+
52799 -+ if (match && !match->deleted)
52800 -+ return match;
52801 -+ else
52802 -+ return NULL;
52803 -+}
52804 -+
52805 -+static struct inodev_entry *
52806 -+lookup_inodev_entry(const ino_t ino, const dev_t dev)
52807 -+{
52808 -+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
52809 -+ struct inodev_entry *match;
52810 -+
52811 -+ match = inodev_set.i_hash[index];
52812 -+
52813 -+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52814 -+ match = match->next;
52815 -+
52816 -+ return match;
52817 -+}
52818 -+
52819 -+static void
52820 -+insert_inodev_entry(struct inodev_entry *entry)
52821 -+{
52822 -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52823 -+ inodev_set.i_size);
52824 -+ struct inodev_entry **curr;
52825 -+
52826 -+ entry->prev = NULL;
52827 -+
52828 -+ curr = &inodev_set.i_hash[index];
52829 -+ if (*curr != NULL)
52830 -+ (*curr)->prev = entry;
52831 -+
52832 -+ entry->next = *curr;
52833 -+ *curr = entry;
52834 -+
52835 -+ return;
52836 -+}
52837 -+
52838 -+static void
52839 -+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52840 -+{
52841 -+ unsigned int index =
52842 -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52843 -+ struct acl_role_label **curr;
52844 -+ struct acl_role_label *tmp;
52845 -+
52846 -+ curr = &acl_role_set.r_hash[index];
52847 -+
52848 -+ /* if role was already inserted due to domains and already has
52849 -+ a role in the same bucket as it attached, then we need to
52850 -+ combine these two buckets
52851 -+ */
52852 -+ if (role->next) {
52853 -+ tmp = role->next;
52854 -+ while (tmp->next)
52855 -+ tmp = tmp->next;
52856 -+ tmp->next = *curr;
52857 -+ } else
52858 -+ role->next = *curr;
52859 -+ *curr = role;
52860 -+
52861 -+ return;
52862 -+}
52863 -+
52864 -+static void
52865 -+insert_acl_role_label(struct acl_role_label *role)
52866 -+{
52867 -+ int i;
52868 -+
52869 -+ if (role_list == NULL) {
52870 -+ role_list = role;
52871 -+ role->prev = NULL;
52872 -+ } else {
52873 -+ role->prev = role_list;
52874 -+ role_list = role;
52875 -+ }
52876 -+
52877 -+ /* used for hash chains */
52878 -+ role->next = NULL;
52879 -+
52880 -+ if (role->roletype & GR_ROLE_DOMAIN) {
52881 -+ for (i = 0; i < role->domain_child_num; i++)
52882 -+ __insert_acl_role_label(role, role->domain_children[i]);
52883 -+ } else
52884 -+ __insert_acl_role_label(role, role->uidgid);
52885 -+}
52886 -+
52887 -+static int
52888 -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52889 -+{
52890 -+ struct name_entry **curr, *nentry;
52891 -+ struct inodev_entry *ientry;
52892 -+ unsigned int len = strlen(name);
52893 -+ unsigned int key = full_name_hash(name, len);
52894 -+ unsigned int index = key % name_set.n_size;
52895 -+
52896 -+ curr = &name_set.n_hash[index];
52897 -+
52898 -+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52899 -+ curr = &((*curr)->next);
52900 -+
52901 -+ if (*curr != NULL)
52902 -+ return 1;
52903 -+
52904 -+ nentry = acl_alloc(sizeof (struct name_entry));
52905 -+ if (nentry == NULL)
52906 -+ return 0;
52907 -+ ientry = acl_alloc(sizeof (struct inodev_entry));
52908 -+ if (ientry == NULL)
52909 -+ return 0;
52910 -+ ientry->nentry = nentry;
52911 -+
52912 -+ nentry->key = key;
52913 -+ nentry->name = name;
52914 -+ nentry->inode = inode;
52915 -+ nentry->device = device;
52916 -+ nentry->len = len;
52917 -+ nentry->deleted = deleted;
52918 -+
52919 -+ nentry->prev = NULL;
52920 -+ curr = &name_set.n_hash[index];
52921 -+ if (*curr != NULL)
52922 -+ (*curr)->prev = nentry;
52923 -+ nentry->next = *curr;
52924 -+ *curr = nentry;
52925 -+
52926 -+ /* insert us into the table searchable by inode/dev */
52927 -+ insert_inodev_entry(ientry);
52928 -+
52929 -+ return 1;
52930 -+}
52931 -+
52932 -+static void
52933 -+insert_acl_obj_label(struct acl_object_label *obj,
52934 -+ struct acl_subject_label *subj)
52935 -+{
52936 -+ unsigned int index =
52937 -+ fhash(obj->inode, obj->device, subj->obj_hash_size);
52938 -+ struct acl_object_label **curr;
52939 -+
52940 -+
52941 -+ obj->prev = NULL;
52942 -+
52943 -+ curr = &subj->obj_hash[index];
52944 -+ if (*curr != NULL)
52945 -+ (*curr)->prev = obj;
52946 -+
52947 -+ obj->next = *curr;
52948 -+ *curr = obj;
52949 -+
52950 -+ return;
52951 -+}
52952 -+
52953 -+static void
52954 -+insert_acl_subj_label(struct acl_subject_label *obj,
52955 -+ struct acl_role_label *role)
52956 -+{
52957 -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52958 -+ struct acl_subject_label **curr;
52959 -+
52960 -+ obj->prev = NULL;
52961 -+
52962 -+ curr = &role->subj_hash[index];
52963 -+ if (*curr != NULL)
52964 -+ (*curr)->prev = obj;
52965 -+
52966 -+ obj->next = *curr;
52967 -+ *curr = obj;
52968 -+
52969 -+ return;
52970 -+}
52971 -+
52972 -+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52973 -+
52974 -+static void *
52975 -+create_table(__u32 * len, int elementsize)
52976 -+{
52977 -+ unsigned int table_sizes[] = {
52978 -+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52979 -+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52980 -+ 4194301, 8388593, 16777213, 33554393, 67108859
52981 -+ };
52982 -+ void *newtable = NULL;
52983 -+ unsigned int pwr = 0;
52984 -+
52985 -+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52986 -+ table_sizes[pwr] <= *len)
52987 -+ pwr++;
52988 -+
52989 -+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52990 -+ return newtable;
52991 -+
52992 -+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52993 -+ newtable =
52994 -+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52995 -+ else
52996 -+ newtable = vmalloc(table_sizes[pwr] * elementsize);
52997 -+
52998 -+ *len = table_sizes[pwr];
52999 -+
53000 -+ return newtable;
53001 -+}
53002 -+
53003 -+static int
53004 -+init_variables(const struct gr_arg *arg)
53005 -+{
53006 -+ struct task_struct *reaper = &init_task;
53007 -+ unsigned int stacksize;
53008 -+
53009 -+ subj_map_set.s_size = arg->role_db.num_subjects;
53010 -+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
53011 -+ name_set.n_size = arg->role_db.num_objects;
53012 -+ inodev_set.i_size = arg->role_db.num_objects;
53013 -+
53014 -+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
53015 -+ !name_set.n_size || !inodev_set.i_size)
53016 -+ return 1;
53017 -+
53018 -+ if (!gr_init_uidset())
53019 -+ return 1;
53020 -+
53021 -+ /* set up the stack that holds allocation info */
53022 -+
53023 -+ stacksize = arg->role_db.num_pointers + 5;
53024 -+
53025 -+ if (!acl_alloc_stack_init(stacksize))
53026 -+ return 1;
53027 -+
53028 -+ /* grab reference for the real root dentry and vfsmount */
53029 -+ read_lock(&reaper->fs->lock);
53030 -+ real_root = dget(reaper->fs->root.dentry);
53031 -+ real_root_mnt = mntget(reaper->fs->root.mnt);
53032 -+ read_unlock(&reaper->fs->lock);
53033 -+
53034 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53035 -+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
53036 -+#endif
53037 -+
53038 -+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
53039 -+ if (fakefs_obj_rw == NULL)
53040 -+ return 1;
53041 -+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
53042 -+
53043 -+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
53044 -+ if (fakefs_obj_rwx == NULL)
53045 -+ return 1;
53046 -+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
53047 -+
53048 -+ subj_map_set.s_hash =
53049 -+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
53050 -+ acl_role_set.r_hash =
53051 -+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
53052 -+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
53053 -+ inodev_set.i_hash =
53054 -+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
53055 -+
53056 -+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
53057 -+ !name_set.n_hash || !inodev_set.i_hash)
53058 -+ return 1;
53059 -+
53060 -+ memset(subj_map_set.s_hash, 0,
53061 -+ sizeof(struct subject_map *) * subj_map_set.s_size);
53062 -+ memset(acl_role_set.r_hash, 0,
53063 -+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
53064 -+ memset(name_set.n_hash, 0,
53065 -+ sizeof (struct name_entry *) * name_set.n_size);
53066 -+ memset(inodev_set.i_hash, 0,
53067 -+ sizeof (struct inodev_entry *) * inodev_set.i_size);
53068 -+
53069 -+ return 0;
53070 -+}
53071 -+
53072 -+/* free information not needed after startup
53073 -+ currently contains user->kernel pointer mappings for subjects
53074 -+*/
53075 -+
53076 -+static void
53077 -+free_init_variables(void)
53078 -+{
53079 -+ __u32 i;
53080 -+
53081 -+ if (subj_map_set.s_hash) {
53082 -+ for (i = 0; i < subj_map_set.s_size; i++) {
53083 -+ if (subj_map_set.s_hash[i]) {
53084 -+ kfree(subj_map_set.s_hash[i]);
53085 -+ subj_map_set.s_hash[i] = NULL;
53086 -+ }
53087 -+ }
53088 -+
53089 -+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
53090 -+ PAGE_SIZE)
53091 -+ kfree(subj_map_set.s_hash);
53092 -+ else
53093 -+ vfree(subj_map_set.s_hash);
53094 -+ }
53095 -+
53096 -+ return;
53097 -+}
53098 -+
53099 -+static void
53100 -+free_variables(void)
53101 -+{
53102 -+ struct acl_subject_label *s;
53103 -+ struct acl_role_label *r;
53104 -+ struct task_struct *task, *task2;
53105 -+ unsigned int x;
53106 -+
53107 -+ gr_clear_learn_entries();
53108 -+
53109 -+ read_lock(&tasklist_lock);
53110 -+ do_each_thread(task2, task) {
53111 -+ task->acl_sp_role = 0;
53112 -+ task->acl_role_id = 0;
53113 -+ task->acl = NULL;
53114 -+ task->role = NULL;
53115 -+ } while_each_thread(task2, task);
53116 -+ read_unlock(&tasklist_lock);
53117 -+
53118 -+ /* release the reference to the real root dentry and vfsmount */
53119 -+ if (real_root)
53120 -+ dput(real_root);
53121 -+ real_root = NULL;
53122 -+ if (real_root_mnt)
53123 -+ mntput(real_root_mnt);
53124 -+ real_root_mnt = NULL;
53125 -+
53126 -+ /* free all object hash tables */
53127 -+
53128 -+ FOR_EACH_ROLE_START(r)
53129 -+ if (r->subj_hash == NULL)
53130 -+ goto next_role;
53131 -+ FOR_EACH_SUBJECT_START(r, s, x)
53132 -+ if (s->obj_hash == NULL)
53133 -+ break;
53134 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53135 -+ kfree(s->obj_hash);
53136 -+ else
53137 -+ vfree(s->obj_hash);
53138 -+ FOR_EACH_SUBJECT_END(s, x)
53139 -+ FOR_EACH_NESTED_SUBJECT_START(r, s)
53140 -+ if (s->obj_hash == NULL)
53141 -+ break;
53142 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53143 -+ kfree(s->obj_hash);
53144 -+ else
53145 -+ vfree(s->obj_hash);
53146 -+ FOR_EACH_NESTED_SUBJECT_END(s)
53147 -+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
53148 -+ kfree(r->subj_hash);
53149 -+ else
53150 -+ vfree(r->subj_hash);
53151 -+ r->subj_hash = NULL;
53152 -+next_role:
53153 -+ FOR_EACH_ROLE_END(r)
53154 -+
53155 -+ acl_free_all();
53156 -+
53157 -+ if (acl_role_set.r_hash) {
53158 -+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
53159 -+ PAGE_SIZE)
53160 -+ kfree(acl_role_set.r_hash);
53161 -+ else
53162 -+ vfree(acl_role_set.r_hash);
53163 -+ }
53164 -+ if (name_set.n_hash) {
53165 -+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
53166 -+ PAGE_SIZE)
53167 -+ kfree(name_set.n_hash);
53168 -+ else
53169 -+ vfree(name_set.n_hash);
53170 -+ }
53171 -+
53172 -+ if (inodev_set.i_hash) {
53173 -+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
53174 -+ PAGE_SIZE)
53175 -+ kfree(inodev_set.i_hash);
53176 -+ else
53177 -+ vfree(inodev_set.i_hash);
53178 -+ }
53179 -+
53180 -+ gr_free_uidset();
53181 -+
53182 -+ memset(&name_set, 0, sizeof (struct name_db));
53183 -+ memset(&inodev_set, 0, sizeof (struct inodev_db));
53184 -+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
53185 -+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
53186 -+
53187 -+ default_role = NULL;
53188 -+ role_list = NULL;
53189 -+
53190 -+ return;
53191 -+}
53192 -+
53193 -+static __u32
53194 -+count_user_objs(struct acl_object_label *userp)
53195 -+{
53196 -+ struct acl_object_label o_tmp;
53197 -+ __u32 num = 0;
53198 -+
53199 -+ while (userp) {
53200 -+ if (copy_from_user(&o_tmp, userp,
53201 -+ sizeof (struct acl_object_label)))
53202 -+ break;
53203 -+
53204 -+ userp = o_tmp.prev;
53205 -+ num++;
53206 -+ }
53207 -+
53208 -+ return num;
53209 -+}
53210 -+
53211 -+static struct acl_subject_label *
53212 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
53213 -+
53214 -+static int
53215 -+copy_user_glob(struct acl_object_label *obj)
53216 -+{
53217 -+ struct acl_object_label *g_tmp, **guser;
53218 -+ unsigned int len;
53219 -+ char *tmp;
53220 -+
53221 -+ if (obj->globbed == NULL)
53222 -+ return 0;
53223 -+
53224 -+ guser = &obj->globbed;
53225 -+ while (*guser) {
53226 -+ g_tmp = (struct acl_object_label *)
53227 -+ acl_alloc(sizeof (struct acl_object_label));
53228 -+ if (g_tmp == NULL)
53229 -+ return -ENOMEM;
53230 -+
53231 -+ if (copy_from_user(g_tmp, *guser,
53232 -+ sizeof (struct acl_object_label)))
53233 -+ return -EFAULT;
53234 -+
53235 -+ len = strnlen_user(g_tmp->filename, PATH_MAX);
53236 -+
53237 -+ if (!len || len >= PATH_MAX)
53238 -+ return -EINVAL;
53239 -+
53240 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53241 -+ return -ENOMEM;
53242 -+
53243 -+ if (copy_from_user(tmp, g_tmp->filename, len))
53244 -+ return -EFAULT;
53245 -+ tmp[len-1] = '\0';
53246 -+ g_tmp->filename = tmp;
53247 -+
53248 -+ *guser = g_tmp;
53249 -+ guser = &(g_tmp->next);
53250 -+ }
53251 -+
53252 -+ return 0;
53253 -+}
53254 -+
53255 -+static int
53256 -+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
53257 -+ struct acl_role_label *role)
53258 -+{
53259 -+ struct acl_object_label *o_tmp;
53260 -+ unsigned int len;
53261 -+ int ret;
53262 -+ char *tmp;
53263 -+
53264 -+ while (userp) {
53265 -+ if ((o_tmp = (struct acl_object_label *)
53266 -+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
53267 -+ return -ENOMEM;
53268 -+
53269 -+ if (copy_from_user(o_tmp, userp,
53270 -+ sizeof (struct acl_object_label)))
53271 -+ return -EFAULT;
53272 -+
53273 -+ userp = o_tmp->prev;
53274 -+
53275 -+ len = strnlen_user(o_tmp->filename, PATH_MAX);
53276 -+
53277 -+ if (!len || len >= PATH_MAX)
53278 -+ return -EINVAL;
53279 -+
53280 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53281 -+ return -ENOMEM;
53282 -+
53283 -+ if (copy_from_user(tmp, o_tmp->filename, len))
53284 -+ return -EFAULT;
53285 -+ tmp[len-1] = '\0';
53286 -+ o_tmp->filename = tmp;
53287 -+
53288 -+ insert_acl_obj_label(o_tmp, subj);
53289 -+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
53290 -+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
53291 -+ return -ENOMEM;
53292 -+
53293 -+ ret = copy_user_glob(o_tmp);
53294 -+ if (ret)
53295 -+ return ret;
53296 -+
53297 -+ if (o_tmp->nested) {
53298 -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
53299 -+ if (IS_ERR(o_tmp->nested))
53300 -+ return PTR_ERR(o_tmp->nested);
53301 -+
53302 -+ /* insert into nested subject list */
53303 -+ o_tmp->nested->next = role->hash->first;
53304 -+ role->hash->first = o_tmp->nested;
53305 -+ }
53306 -+ }
53307 -+
53308 -+ return 0;
53309 -+}
53310 -+
53311 -+static __u32
53312 -+count_user_subjs(struct acl_subject_label *userp)
53313 -+{
53314 -+ struct acl_subject_label s_tmp;
53315 -+ __u32 num = 0;
53316 -+
53317 -+ while (userp) {
53318 -+ if (copy_from_user(&s_tmp, userp,
53319 -+ sizeof (struct acl_subject_label)))
53320 -+ break;
53321 -+
53322 -+ userp = s_tmp.prev;
53323 -+ /* do not count nested subjects against this count, since
53324 -+ they are not included in the hash table, but are
53325 -+ attached to objects. We have already counted
53326 -+ the subjects in userspace for the allocation
53327 -+ stack
53328 -+ */
53329 -+ if (!(s_tmp.mode & GR_NESTED))
53330 -+ num++;
53331 -+ }
53332 -+
53333 -+ return num;
53334 -+}
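Review bot: count_user_objs() and count_user_subjs() follow the user-supplied prev pointer with no iteration limit, so a list that links back on itself never terminates and num wraps as a __u32. Both loops only call copy_from_user(), so they have no allocation step that could fail and end the walk. Suggest capping the walk, for example against the num_objects and num_subjects counts that init_variables() already reads from arg->role_db, and failing the load with -EINVAL when the cap is hit. The current code breaks out silently on a copy fault and returns a partial count.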
53335 -+
53336 -+static int
53337 -+copy_user_allowedips(struct acl_role_label *rolep)
53338 -+{
53339 -+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
53340 -+
53341 -+ ruserip = rolep->allowed_ips;
53342 -+
53343 -+ while (ruserip) {
53344 -+ rlast = rtmp;
53345 -+
53346 -+ if ((rtmp = (struct role_allowed_ip *)
53347 -+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
53348 -+ return -ENOMEM;
53349 -+
53350 -+ if (copy_from_user(rtmp, ruserip,
53351 -+ sizeof (struct role_allowed_ip)))
53352 -+ return -EFAULT;
53353 -+
53354 -+ ruserip = rtmp->prev;
53355 -+
53356 -+ if (!rlast) {
53357 -+ rtmp->prev = NULL;
53358 -+ rolep->allowed_ips = rtmp;
53359 -+ } else {
53360 -+ rlast->next = rtmp;
53361 -+ rtmp->prev = rlast;
53362 -+ }
53363 -+
53364 -+ if (!ruserip)
53365 -+ rtmp->next = NULL;
53366 -+ }
53367 -+
53368 -+ return 0;
53369 -+}
53370 -+
53371 -+static int
53372 -+copy_user_transitions(struct acl_role_label *rolep)
53373 -+{
53374 -+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
53375 -+
53376 -+ unsigned int len;
53377 -+ char *tmp;
53378 -+
53379 -+ rusertp = rolep->transitions;
53380 -+
53381 -+ while (rusertp) {
53382 -+ rlast = rtmp;
53383 -+
53384 -+ if ((rtmp = (struct role_transition *)
53385 -+ acl_alloc(sizeof (struct role_transition))) == NULL)
53386 -+ return -ENOMEM;
53387 -+
53388 -+ if (copy_from_user(rtmp, rusertp,
53389 -+ sizeof (struct role_transition)))
53390 -+ return -EFAULT;
53391 -+
53392 -+ rusertp = rtmp->prev;
53393 -+
53394 -+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
53395 -+
53396 -+ if (!len || len >= GR_SPROLE_LEN)
53397 -+ return -EINVAL;
53398 -+
53399 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53400 -+ return -ENOMEM;
53401 -+
53402 -+ if (copy_from_user(tmp, rtmp->rolename, len))
53403 -+ return -EFAULT;
53404 -+ tmp[len-1] = '\0';
53405 -+ rtmp->rolename = tmp;
53406 -+
53407 -+ if (!rlast) {
53408 -+ rtmp->prev = NULL;
53409 -+ rolep->transitions = rtmp;
53410 -+ } else {
53411 -+ rlast->next = rtmp;
53412 -+ rtmp->prev = rlast;
53413 -+ }
53414 -+
53415 -+ if (!rusertp)
53416 -+ rtmp->next = NULL;
53417 -+ }
53418 -+
53419 -+ return 0;
53420 -+}
53421 -+
53422 -+static struct acl_subject_label *
53423 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
53424 -+{
53425 -+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
53426 -+ unsigned int len;
53427 -+ char *tmp;
53428 -+ __u32 num_objs;
53429 -+ struct acl_ip_label **i_tmp, *i_utmp2;
53430 -+ struct gr_hash_struct ghash;
53431 -+ struct subject_map *subjmap;
53432 -+ unsigned int i_num;
53433 -+ int err;
53434 -+
53435 -+ s_tmp = lookup_subject_map(userp);
53436 -+
53437 -+ /* we've already copied this subject into the kernel, just return
53438 -+ the reference to it, and don't copy it over again
53439 -+ */
53440 -+ if (s_tmp)
53441 -+ return(s_tmp);
53442 -+
53443 -+ if ((s_tmp = (struct acl_subject_label *)
53444 -+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
53445 -+ return ERR_PTR(-ENOMEM);
53446 -+
53447 -+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
53448 -+ if (subjmap == NULL)
53449 -+ return ERR_PTR(-ENOMEM);
53450 -+
53451 -+ subjmap->user = userp;
53452 -+ subjmap->kernel = s_tmp;
53453 -+ insert_subj_map_entry(subjmap);
53454 -+
53455 -+ if (copy_from_user(s_tmp, userp,
53456 -+ sizeof (struct acl_subject_label)))
53457 -+ return ERR_PTR(-EFAULT);
53458 -+
53459 -+ len = strnlen_user(s_tmp->filename, PATH_MAX);
53460 -+
53461 -+ if (!len || len >= PATH_MAX)
53462 -+ return ERR_PTR(-EINVAL);
53463 -+
53464 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53465 -+ return ERR_PTR(-ENOMEM);
53466 -+
53467 -+ if (copy_from_user(tmp, s_tmp->filename, len))
53468 -+ return ERR_PTR(-EFAULT);
53469 -+ tmp[len-1] = '\0';
53470 -+ s_tmp->filename = tmp;
53471 -+
53472 -+ if (!strcmp(s_tmp->filename, "/"))
53473 -+ role->root_label = s_tmp;
53474 -+
53475 -+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
53476 -+ return ERR_PTR(-EFAULT);
53477 -+
53478 -+ /* copy user and group transition tables */
53479 -+
53480 -+ if (s_tmp->user_trans_num) {
53481 -+ uid_t *uidlist;
53482 -+
53483 -+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53484 -+ if (uidlist == NULL)
53485 -+ return ERR_PTR(-ENOMEM);
53486 -+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53487 -+ return ERR_PTR(-EFAULT);
53488 -+
53489 -+ s_tmp->user_transitions = uidlist;
53490 -+ }
53491 -+
53492 -+ if (s_tmp->group_trans_num) {
53493 -+ gid_t *gidlist;
53494 -+
53495 -+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53496 -+ if (gidlist == NULL)
53497 -+ return ERR_PTR(-ENOMEM);
53498 -+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53499 -+ return ERR_PTR(-EFAULT);
53500 -+
53501 -+ s_tmp->group_transitions = gidlist;
53502 -+ }
53503 -+
53504 -+ /* set up object hash table */
53505 -+ num_objs = count_user_objs(ghash.first);
53506 -+
53507 -+ s_tmp->obj_hash_size = num_objs;
53508 -+ s_tmp->obj_hash =
53509 -+ (struct acl_object_label **)
53510 -+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53511 -+
53512 -+ if (!s_tmp->obj_hash)
53513 -+ return ERR_PTR(-ENOMEM);
53514 -+
53515 -+ memset(s_tmp->obj_hash, 0,
53516 -+ s_tmp->obj_hash_size *
53517 -+ sizeof (struct acl_object_label *));
53518 -+
53519 -+ /* add in objects */
53520 -+ err = copy_user_objs(ghash.first, s_tmp, role);
53521 -+
53522 -+ if (err)
53523 -+ return ERR_PTR(err);
53524 -+
53525 -+ /* set pointer for parent subject */
53526 -+ if (s_tmp->parent_subject) {
53527 -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53528 -+
53529 -+ if (IS_ERR(s_tmp2))
53530 -+ return s_tmp2;
53531 -+
53532 -+ s_tmp->parent_subject = s_tmp2;
53533 -+ }
53534 -+
53535 -+ /* add in ip acls */
53536 -+
53537 -+ if (!s_tmp->ip_num) {
53538 -+ s_tmp->ips = NULL;
53539 -+ goto insert;
53540 -+ }
53541 -+
53542 -+ i_tmp =
53543 -+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53544 -+ sizeof (struct acl_ip_label *));
53545 -+
53546 -+ if (!i_tmp)
53547 -+ return ERR_PTR(-ENOMEM);
53548 -+
53549 -+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53550 -+ *(i_tmp + i_num) =
53551 -+ (struct acl_ip_label *)
53552 -+ acl_alloc(sizeof (struct acl_ip_label));
53553 -+ if (!*(i_tmp + i_num))
53554 -+ return ERR_PTR(-ENOMEM);
53555 -+
53556 -+ if (copy_from_user
53557 -+ (&i_utmp2, s_tmp->ips + i_num,
53558 -+ sizeof (struct acl_ip_label *)))
53559 -+ return ERR_PTR(-EFAULT);
53560 -+
53561 -+ if (copy_from_user
53562 -+ (*(i_tmp + i_num), i_utmp2,
53563 -+ sizeof (struct acl_ip_label)))
53564 -+ return ERR_PTR(-EFAULT);
53565 -+
53566 -+ if ((*(i_tmp + i_num))->iface == NULL)
53567 -+ continue;
53568 -+
53569 -+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53570 -+ if (!len || len >= IFNAMSIZ)
53571 -+ return ERR_PTR(-EINVAL);
53572 -+ tmp = acl_alloc(len);
53573 -+ if (tmp == NULL)
53574 -+ return ERR_PTR(-ENOMEM);
53575 -+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53576 -+ return ERR_PTR(-EFAULT);
53577 -+ (*(i_tmp + i_num))->iface = tmp;
53578 -+ }
53579 -+
53580 -+ s_tmp->ips = i_tmp;
53581 -+
53582 -+insert:
53583 -+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53584 -+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53585 -+ return ERR_PTR(-ENOMEM);
53586 -+
53587 -+ return s_tmp;
53588 -+}
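Review bot: the iface copy in the ip-acl loop of do_copy_user_subj() is the one user string in this function that is not forcibly terminated. The filename copy sets tmp[len-1] = '\0' after copy_from_user(), but after copy_from_user(tmp, (*(i_tmp + i_num))->iface, len) the buffer is assigned as it is. A string that changes in userspace between strnlen_user() and the copy can therefore leave iface without a NUL inside the len bytes allocated. Add the same tmp[len-1] = '\0' before the assignment.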
53589 -+
53590 -+static int
53591 -+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53592 -+{
53593 -+ struct acl_subject_label s_pre;
53594 -+ struct acl_subject_label * ret;
53595 -+ int err;
53596 -+
53597 -+ while (userp) {
53598 -+ if (copy_from_user(&s_pre, userp,
53599 -+ sizeof (struct acl_subject_label)))
53600 -+ return -EFAULT;
53601 -+
53602 -+ /* do not add nested subjects here, add
53603 -+ while parsing objects
53604 -+ */
53605 -+
53606 -+ if (s_pre.mode & GR_NESTED) {
53607 -+ userp = s_pre.prev;
53608 -+ continue;
53609 -+ }
53610 -+
53611 -+ ret = do_copy_user_subj(userp, role);
53612 -+
53613 -+ err = PTR_ERR(ret);
53614 -+ if (IS_ERR(ret))
53615 -+ return err;
53616 -+
53617 -+ insert_acl_subj_label(ret, role);
53618 -+
53619 -+ userp = s_pre.prev;
53620 -+ }
53621 -+
53622 -+ return 0;
53623 -+}
53624 -+
53625 -+static int
53626 -+copy_user_acl(struct gr_arg *arg)
53627 -+{
53628 -+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53629 -+ struct sprole_pw *sptmp;
53630 -+ struct gr_hash_struct *ghash;
53631 -+ uid_t *domainlist;
53632 -+ unsigned int r_num;
53633 -+ unsigned int len;
53634 -+ char *tmp;
53635 -+ int err = 0;
53636 -+ __u16 i;
53637 -+ __u32 num_subjs;
53638 -+
53639 -+ /* we need a default and kernel role */
53640 -+ if (arg->role_db.num_roles < 2)
53641 -+ return -EINVAL;
53642 -+
53643 -+ /* copy special role authentication info from userspace */
53644 -+
53645 -+ num_sprole_pws = arg->num_sprole_pws;
53646 -+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53647 -+
53648 -+ if (!acl_special_roles) {
53649 -+ err = -ENOMEM;
53650 -+ goto cleanup;
53651 -+ }
53652 -+
53653 -+ for (i = 0; i < num_sprole_pws; i++) {
53654 -+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53655 -+ if (!sptmp) {
53656 -+ err = -ENOMEM;
53657 -+ goto cleanup;
53658 -+ }
53659 -+ if (copy_from_user(sptmp, arg->sprole_pws + i,
53660 -+ sizeof (struct sprole_pw))) {
53661 -+ err = -EFAULT;
53662 -+ goto cleanup;
53663 -+ }
53664 -+
53665 -+ len =
53666 -+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53667 -+
53668 -+ if (!len || len >= GR_SPROLE_LEN) {
53669 -+ err = -EINVAL;
53670 -+ goto cleanup;
53671 -+ }
53672 -+
53673 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
53674 -+ err = -ENOMEM;
53675 -+ goto cleanup;
53676 -+ }
53677 -+
53678 -+ if (copy_from_user(tmp, sptmp->rolename, len)) {
53679 -+ err = -EFAULT;
53680 -+ goto cleanup;
53681 -+ }
53682 -+ tmp[len-1] = '\0';
53683 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53684 -+ printk(KERN_ALERT "Copying special role %s\n", tmp);
53685 -+#endif
53686 -+ sptmp->rolename = tmp;
53687 -+ acl_special_roles[i] = sptmp;
53688 -+ }
53689 -+
53690 -+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53691 -+
53692 -+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53693 -+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
53694 -+
53695 -+ if (!r_tmp) {
53696 -+ err = -ENOMEM;
53697 -+ goto cleanup;
53698 -+ }
53699 -+
53700 -+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
53701 -+ sizeof (struct acl_role_label *))) {
53702 -+ err = -EFAULT;
53703 -+ goto cleanup;
53704 -+ }
53705 -+
53706 -+ if (copy_from_user(r_tmp, r_utmp2,
53707 -+ sizeof (struct acl_role_label))) {
53708 -+ err = -EFAULT;
53709 -+ goto cleanup;
53710 -+ }
53711 -+
53712 -+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53713 -+
53714 -+ if (!len || len >= PATH_MAX) {
53715 -+ err = -EINVAL;
53716 -+ goto cleanup;
53717 -+ }
53718 -+
53719 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
53720 -+ err = -ENOMEM;
53721 -+ goto cleanup;
53722 -+ }
53723 -+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
53724 -+ err = -EFAULT;
53725 -+ goto cleanup;
53726 -+ }
53727 -+ tmp[len-1] = '\0';
53728 -+ r_tmp->rolename = tmp;
53729 -+
53730 -+ if (!strcmp(r_tmp->rolename, "default")
53731 -+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53732 -+ default_role = r_tmp;
53733 -+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53734 -+ kernel_role = r_tmp;
53735 -+ }
53736 -+
53737 -+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53738 -+ err = -ENOMEM;
53739 -+ goto cleanup;
53740 -+ }
53741 -+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53742 -+ err = -EFAULT;
53743 -+ goto cleanup;
53744 -+ }
53745 -+
53746 -+ r_tmp->hash = ghash;
53747 -+
53748 -+ num_subjs = count_user_subjs(r_tmp->hash->first);
53749 -+
53750 -+ r_tmp->subj_hash_size = num_subjs;
53751 -+ r_tmp->subj_hash =
53752 -+ (struct acl_subject_label **)
53753 -+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53754 -+
53755 -+ if (!r_tmp->subj_hash) {
53756 -+ err = -ENOMEM;
53757 -+ goto cleanup;
53758 -+ }
53759 -+
53760 -+ err = copy_user_allowedips(r_tmp);
53761 -+ if (err)
53762 -+ goto cleanup;
53763 -+
53764 -+ /* copy domain info */
53765 -+ if (r_tmp->domain_children != NULL) {
53766 -+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53767 -+ if (domainlist == NULL) {
53768 -+ err = -ENOMEM;
53769 -+ goto cleanup;
53770 -+ }
53771 -+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53772 -+ err = -EFAULT;
53773 -+ goto cleanup;
53774 -+ }
53775 -+ r_tmp->domain_children = domainlist;
53776 -+ }
53777 -+
53778 -+ err = copy_user_transitions(r_tmp);
53779 -+ if (err)
53780 -+ goto cleanup;
53781 -+
53782 -+ memset(r_tmp->subj_hash, 0,
53783 -+ r_tmp->subj_hash_size *
53784 -+ sizeof (struct acl_subject_label *));
53785 -+
53786 -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53787 -+
53788 -+ if (err)
53789 -+ goto cleanup;
53790 -+
53791 -+ /* set nested subject list to null */
53792 -+ r_tmp->hash->first = NULL;
53793 -+
53794 -+ insert_acl_role_label(r_tmp);
53795 -+ }
53796 -+
53797 -+ goto return_err;
53798 -+ cleanup:
53799 -+ free_variables();
53800 -+ return_err:
53801 -+ return err;
53802 -+
53803 -+}
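Review bot: in the role loop of copy_user_acl(), rolename is measured with strnlen_user(r_tmp->rolename, GR_SPROLE_LEN) but rejected only when len >= PATH_MAX. The special-role loop just above and copy_user_transitions() both test len >= GR_SPROLE_LEN for the same kind of name. Use the same bound here so an over-long role name is refused with -EINVAL. Separately, every goto cleanup in this function calls free_variables(), and gracl_init() calls it again when copy_user_acl() returns an error; one of the two calls can go.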
53804 -+
53805 -+static int
53806 -+gracl_init(struct gr_arg *args)
53807 -+{
53808 -+ int error = 0;
53809 -+
53810 -+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53811 -+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53812 -+
53813 -+ if (init_variables(args)) {
53814 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53815 -+ error = -ENOMEM;
53816 -+ free_variables();
53817 -+ goto out;
53818 -+ }
53819 -+
53820 -+ error = copy_user_acl(args);
53821 -+ free_init_variables();
53822 -+ if (error) {
53823 -+ free_variables();
53824 -+ goto out;
53825 -+ }
53826 -+
53827 -+ if ((error = gr_set_acls(0))) {
53828 -+ free_variables();
53829 -+ goto out;
53830 -+ }
53831 -+
53832 -+ pax_open_kernel();
53833 -+ gr_status |= GR_READY;
53834 -+ pax_close_kernel();
53835 -+
53836 -+ out:
53837 -+ return error;
53838 -+}
53839 -+
53840 -+/* derived from glibc fnmatch() 0: match, 1: no match*/
53841 -+
53842 -+static int
53843 -+glob_match(const char *p, const char *n)
53844 -+{
53845 -+ char c;
53846 -+
53847 -+ while ((c = *p++) != '\0') {
53848 -+ switch (c) {
53849 -+ case '?':
53850 -+ if (*n == '\0')
53851 -+ return 1;
53852 -+ else if (*n == '/')
53853 -+ return 1;
53854 -+ break;
53855 -+ case '\\':
53856 -+ if (*n != c)
53857 -+ return 1;
53858 -+ break;
53859 -+ case '*':
53860 -+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
53861 -+ if (*n == '/')
53862 -+ return 1;
53863 -+ else if (c == '?') {
53864 -+ if (*n == '\0')
53865 -+ return 1;
53866 -+ else
53867 -+ ++n;
53868 -+ }
53869 -+ }
53870 -+ if (c == '\0') {
53871 -+ return 0;
53872 -+ } else {
53873 -+ const char *endp;
53874 -+
53875 -+ if ((endp = strchr(n, '/')) == NULL)
53876 -+ endp = n + strlen(n);
53877 -+
53878 -+ if (c == '[') {
53879 -+ for (--p; n < endp; ++n)
53880 -+ if (!glob_match(p, n))
53881 -+ return 0;
53882 -+ } else if (c == '/') {
53883 -+ while (*n != '\0' && *n != '/')
53884 -+ ++n;
53885 -+ if (*n == '/' && !glob_match(p, n + 1))
53886 -+ return 0;
53887 -+ } else {
53888 -+ for (--p; n < endp; ++n)
53889 -+ if (*n == c && !glob_match(p, n))
53890 -+ return 0;
53891 -+ }
53892 -+
53893 -+ return 1;
53894 -+ }
53895 -+ case '[':
53896 -+ {
53897 -+ int not;
53898 -+ char cold;
53899 -+
53900 -+ if (*n == '\0' || *n == '/')
53901 -+ return 1;
53902 -+
53903 -+ not = (*p == '!' || *p == '^');
53904 -+ if (not)
53905 -+ ++p;
53906 -+
53907 -+ c = *p++;
53908 -+ for (;;) {
53909 -+ unsigned char fn = (unsigned char)*n;
53910 -+
53911 -+ if (c == '\0')
53912 -+ return 1;
53913 -+ else {
53914 -+ if (c == fn)
53915 -+ goto matched;
53916 -+ cold = c;
53917 -+ c = *p++;
53918 -+
53919 -+ if (c == '-' && *p != ']') {
53920 -+ unsigned char cend = *p++;
53921 -+
53922 -+ if (cend == '\0')
53923 -+ return 1;
53924 -+
53925 -+ if (cold <= fn && fn <= cend)
53926 -+ goto matched;
53927 -+
53928 -+ c = *p++;
53929 -+ }
53930 -+ }
53931 -+
53932 -+ if (c == ']')
53933 -+ break;
53934 -+ }
53935 -+ if (!not)
53936 -+ return 1;
53937 -+ break;
53938 -+ matched:
53939 -+ while (c != ']') {
53940 -+ if (c == '\0')
53941 -+ return 1;
53942 -+
53943 -+ c = *p++;
53944 -+ }
53945 -+ if (not)
53946 -+ return 1;
53947 -+ }
53948 -+ break;
53949 -+ default:
53950 -+ if (c != *n)
53951 -+ return 1;
53952 -+ }
53953 -+
53954 -+ ++n;
53955 -+ }
53956 -+
53957 -+ if (*n == '\0')
53958 -+ return 0;
53959 -+
53960 -+ if (*n == '/')
53961 -+ return 0;
53962 -+
53963 -+ return 1;
53964 -+}
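Review bot: the header comment on glob_match() says only "derived from glibc fnmatch()" and gives the 0/1 return convention, but the matching rules visible in the body differ from what a reader would assume. The '\\' case compares the name character against a literal backslash instead of escaping the next pattern character. A '?' never matches '/', a non-trailing '*' stops at the next '/', and a trailing '*' matches the rest of the path. The tail also returns a match when the pattern is exhausted and the name continues with '/'. Document these rules in the comment, since chk_glob_label() picks the object label from the first pattern that returns 0.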
53965 -+
53966 -+static struct acl_object_label *
53967 -+chk_glob_label(struct acl_object_label *globbed,
53968 -+ struct dentry *dentry, struct vfsmount *mnt, char **path)
53969 -+{
53970 -+ struct acl_object_label *tmp;
53971 -+
53972 -+ if (*path == NULL)
53973 -+ *path = gr_to_filename_nolock(dentry, mnt);
53974 -+
53975 -+ tmp = globbed;
53976 -+
53977 -+ while (tmp) {
53978 -+ if (!glob_match(tmp->filename, *path))
53979 -+ return tmp;
53980 -+ tmp = tmp->next;
53981 -+ }
53982 -+
53983 -+ return NULL;
53984 -+}
53985 -+
53986 -+static struct acl_object_label *
53987 -+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53988 -+ const ino_t curr_ino, const dev_t curr_dev,
53989 -+ const struct acl_subject_label *subj, char **path, const int checkglob)
53990 -+{
53991 -+ struct acl_subject_label *tmpsubj;
53992 -+ struct acl_object_label *retval;
53993 -+ struct acl_object_label *retval2;
53994 -+
53995 -+ tmpsubj = (struct acl_subject_label *) subj;
53996 -+ read_lock(&gr_inode_lock);
53997 -+ do {
53998 -+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53999 -+ if (retval) {
54000 -+ if (checkglob && retval->globbed) {
54001 -+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
54002 -+ (struct vfsmount *)orig_mnt, path);
54003 -+ if (retval2)
54004 -+ retval = retval2;
54005 -+ }
54006 -+ break;
54007 -+ }
54008 -+ } while ((tmpsubj = tmpsubj->parent_subject));
54009 -+ read_unlock(&gr_inode_lock);
54010 -+
54011 -+ return retval;
54012 -+}
54013 -+
54014 -+static __inline__ struct acl_object_label *
54015 -+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
54016 -+ const struct dentry *curr_dentry,
54017 -+ const struct acl_subject_label *subj, char **path, const int checkglob)
54018 -+{
54019 -+ int newglob = checkglob;
54020 -+
54021 -+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
54022 -+ as we don't want a / * rule to match instead of the / object
54023 -+ don't do this for create lookups that call this function though, since they're looking up
54024 -+ on the parent and thus need globbing checks on all paths
54025 -+ */
54026 -+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
54027 -+ newglob = GR_NO_GLOB;
54028 -+
54029 -+ return __full_lookup(orig_dentry, orig_mnt,
54030 -+ curr_dentry->d_inode->i_ino,
54031 -+ __get_dev(curr_dentry), subj, path, newglob);
54032 -+}
54033 -+
54034 -+static struct acl_object_label *
54035 -+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54036 -+ const struct acl_subject_label *subj, char *path, const int checkglob)
54037 -+{
54038 -+ struct dentry *dentry = (struct dentry *) l_dentry;
54039 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54040 -+ struct acl_object_label *retval;
54041 -+
54042 -+ spin_lock(&dcache_lock);
54043 -+ spin_lock(&vfsmount_lock);
54044 -+
54045 -+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
54046 -+#ifdef CONFIG_NET
54047 -+ mnt == sock_mnt ||
54048 -+#endif
54049 -+#ifdef CONFIG_HUGETLBFS
54050 -+ (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
54051 -+#endif
54052 -+ /* ignore Eric Biederman */
54053 -+ IS_PRIVATE(l_dentry->d_inode))) {
54054 -+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
54055 -+ goto out;
54056 -+ }
54057 -+
54058 -+ for (;;) {
54059 -+ if (dentry == real_root && mnt == real_root_mnt)
54060 -+ break;
54061 -+
54062 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54063 -+ if (mnt->mnt_parent == mnt)
54064 -+ break;
54065 -+
54066 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54067 -+ if (retval != NULL)
54068 -+ goto out;
54069 -+
54070 -+ dentry = mnt->mnt_mountpoint;
54071 -+ mnt = mnt->mnt_parent;
54072 -+ continue;
54073 -+ }
54074 -+
54075 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54076 -+ if (retval != NULL)
54077 -+ goto out;
54078 -+
54079 -+ dentry = dentry->d_parent;
54080 -+ }
54081 -+
54082 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54083 -+
54084 -+ if (retval == NULL)
54085 -+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
54086 -+out:
54087 -+ spin_unlock(&vfsmount_lock);
54088 -+ spin_unlock(&dcache_lock);
54089 -+
54090 -+ BUG_ON(retval == NULL);
54091 -+
54092 -+ return retval;
54093 -+}
54094 -+
54095 -+static __inline__ struct acl_object_label *
54096 -+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54097 -+ const struct acl_subject_label *subj)
54098 -+{
54099 -+ char *path = NULL;
54100 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
54101 -+}
54102 -+
54103 -+static __inline__ struct acl_object_label *
54104 -+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54105 -+ const struct acl_subject_label *subj)
54106 -+{
54107 -+ char *path = NULL;
54108 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
54109 -+}
54110 -+
54111 -+static __inline__ struct acl_object_label *
54112 -+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54113 -+ const struct acl_subject_label *subj, char *path)
54114 -+{
54115 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
54116 -+}
54117 -+
54118 -+static struct acl_subject_label *
54119 -+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54120 -+ const struct acl_role_label *role)
54121 -+{
54122 -+ struct dentry *dentry = (struct dentry *) l_dentry;
54123 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54124 -+ struct acl_subject_label *retval;
54125 -+
54126 -+ spin_lock(&dcache_lock);
54127 -+ spin_lock(&vfsmount_lock);
54128 -+
54129 -+ for (;;) {
54130 -+ if (dentry == real_root && mnt == real_root_mnt)
54131 -+ break;
54132 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54133 -+ if (mnt->mnt_parent == mnt)
54134 -+ break;
54135 -+
54136 -+ read_lock(&gr_inode_lock);
54137 -+ retval =
54138 -+ lookup_acl_subj_label(dentry->d_inode->i_ino,
54139 -+ __get_dev(dentry), role);
54140 -+ read_unlock(&gr_inode_lock);
54141 -+ if (retval != NULL)
54142 -+ goto out;
54143 -+
54144 -+ dentry = mnt->mnt_mountpoint;
54145 -+ mnt = mnt->mnt_parent;
54146 -+ continue;
54147 -+ }
54148 -+
54149 -+ read_lock(&gr_inode_lock);
54150 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54151 -+ __get_dev(dentry), role);
54152 -+ read_unlock(&gr_inode_lock);
54153 -+ if (retval != NULL)
54154 -+ goto out;
54155 -+
54156 -+ dentry = dentry->d_parent;
54157 -+ }
54158 -+
54159 -+ read_lock(&gr_inode_lock);
54160 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54161 -+ __get_dev(dentry), role);
54162 -+ read_unlock(&gr_inode_lock);
54163 -+
54164 -+ if (unlikely(retval == NULL)) {
54165 -+ read_lock(&gr_inode_lock);
54166 -+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
54167 -+ __get_dev(real_root), role);
54168 -+ read_unlock(&gr_inode_lock);
54169 -+ }
54170 -+out:
54171 -+ spin_unlock(&vfsmount_lock);
54172 -+ spin_unlock(&dcache_lock);
54173 -+
54174 -+ BUG_ON(retval == NULL);
54175 -+
54176 -+ return retval;
54177 -+}
54178 -+
54179 -+static void
54180 -+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
54181 -+{
54182 -+ struct task_struct *task = current;
54183 -+ const struct cred *cred = current_cred();
54184 -+
54185 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54186 -+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54187 -+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54188 -+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
54189 -+
54190 -+ return;
54191 -+}
54192 -+
54193 -+static void
54194 -+gr_log_learn_sysctl(const char *path, const __u32 mode)
54195 -+{
54196 -+ struct task_struct *task = current;
54197 -+ const struct cred *cred = current_cred();
54198 -+
54199 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54200 -+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54201 -+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54202 -+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
54203 -+
54204 -+ return;
54205 -+}
54206 -+
54207 -+static void
54208 -+gr_log_learn_id_change(const char type, const unsigned int real,
54209 -+ const unsigned int effective, const unsigned int fs)
54210 -+{
54211 -+ struct task_struct *task = current;
54212 -+ const struct cred *cred = current_cred();
54213 -+
54214 -+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
54215 -+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54216 -+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54217 -+ type, real, effective, fs, &task->signal->saved_ip);
54218 -+
54219 -+ return;
54220 -+}
54221 -+
54222 -+__u32
54223 -+gr_search_file(const struct dentry * dentry, const __u32 mode,
54224 -+ const struct vfsmount * mnt)
54225 -+{
54226 -+ __u32 retval = mode;
54227 -+ struct acl_subject_label *curracl;
54228 -+ struct acl_object_label *currobj;
54229 -+
54230 -+ if (unlikely(!(gr_status & GR_READY)))
54231 -+ return (mode & ~GR_AUDITS);
54232 -+
54233 -+ curracl = current->acl;
54234 -+
54235 -+ currobj = chk_obj_label(dentry, mnt, curracl);
54236 -+ retval = currobj->mode & mode;
54237 -+
54238 -+ /* if we're opening a specified transfer file for writing
54239 -+ (e.g. /dev/initctl), then transfer our role to init
54240 -+ */
54241 -+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
54242 -+ current->role->roletype & GR_ROLE_PERSIST)) {
54243 -+ struct task_struct *task = init_pid_ns.child_reaper;
54244 -+
54245 -+ if (task->role != current->role) {
54246 -+ task->acl_sp_role = 0;
54247 -+ task->acl_role_id = current->acl_role_id;
54248 -+ task->role = current->role;
54249 -+ rcu_read_lock();
54250 -+ read_lock(&grsec_exec_file_lock);
54251 -+ gr_apply_subject_to_task(task);
54252 -+ read_unlock(&grsec_exec_file_lock);
54253 -+ rcu_read_unlock();
54254 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
54255 -+ }
54256 -+ }
54257 -+
54258 -+ if (unlikely
54259 -+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
54260 -+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
54261 -+ __u32 new_mode = mode;
54262 -+
54263 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54264 -+
54265 -+ retval = new_mode;
54266 -+
54267 -+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
54268 -+ new_mode |= GR_INHERIT;
54269 -+
54270 -+ if (!(mode & GR_NOLEARN))
54271 -+ gr_log_learn(dentry, mnt, new_mode);
54272 -+ }
54273 -+
54274 -+ return retval;
54275 -+}
54276 -+
54277 -+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
54278 -+ const struct dentry *parent,
54279 -+ const struct vfsmount *mnt)
54280 -+{
54281 -+ struct name_entry *match;
54282 -+ struct acl_object_label *matchpo;
54283 -+ struct acl_subject_label *curracl;
54284 -+ char *path;
54285 -+
54286 -+ if (unlikely(!(gr_status & GR_READY)))
54287 -+ return NULL;
54288 -+
54289 -+ preempt_disable();
54290 -+ path = gr_to_filename_rbac(new_dentry, mnt);
54291 -+ match = lookup_name_entry_create(path);
54292 -+
54293 -+ curracl = current->acl;
54294 -+
54295 -+ if (match) {
54296 -+ read_lock(&gr_inode_lock);
54297 -+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
54298 -+ read_unlock(&gr_inode_lock);
54299 -+
54300 -+ if (matchpo) {
54301 -+ preempt_enable();
54302 -+ return matchpo;
54303 -+ }
54304 -+ }
54305 -+
54306 -+ // lookup parent
54307 -+
54308 -+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
54309 -+
54310 -+ preempt_enable();
54311 -+ return matchpo;
54312 -+}
54313 -+
54314 -+__u32
54315 -+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
54316 -+ const struct vfsmount * mnt, const __u32 mode)
54317 -+{
54318 -+ struct acl_object_label *matchpo;
54319 -+ __u32 retval;
54320 -+
54321 -+ if (unlikely(!(gr_status & GR_READY)))
54322 -+ return (mode & ~GR_AUDITS);
54323 -+
54324 -+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
54325 -+
54326 -+ retval = matchpo->mode & mode;
54327 -+
54328 -+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
54329 -+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
54330 -+ __u32 new_mode = mode;
54331 -+
54332 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54333 -+
54334 -+ gr_log_learn(new_dentry, mnt, new_mode);
54335 -+ return new_mode;
54336 -+ }
54337 -+
54338 -+ return retval;
54339 -+}
54340 -+
54341 -+__u32
54342 -+gr_check_link(const struct dentry * new_dentry,
54343 -+ const struct dentry * parent_dentry,
54344 -+ const struct vfsmount * parent_mnt,
54345 -+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
54346 -+{
54347 -+ struct acl_object_label *obj;
54348 -+ __u32 oldmode, newmode;
54349 -+ __u32 needmode;
54350 -+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
54351 -+ GR_DELETE | GR_INHERIT;
54352 -+
54353 -+ if (unlikely(!(gr_status & GR_READY)))
54354 -+ return (GR_CREATE | GR_LINK);
54355 -+
54356 -+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
54357 -+ oldmode = obj->mode;
54358 -+
54359 -+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
54360 -+ newmode = obj->mode;
54361 -+
54362 -+ needmode = newmode & checkmodes;
54363 -+
54364 -+ // old name for hardlink must have at least the permissions of the new name
54365 -+ if ((oldmode & needmode) != needmode)
54366 -+ goto bad;
54367 -+
54368 -+ // if old name had restrictions/auditing, make sure the new name does as well
54369 -+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
54370 -+
54371 -+ // don't allow hardlinking of suid/sgid files without permission
54372 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54373 -+ needmode |= GR_SETID;
54374 -+
54375 -+ if ((newmode & needmode) != needmode)
54376 -+ goto bad;
54377 -+
54378 -+ // enforce minimum permissions
54379 -+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
54380 -+ return newmode;
54381 -+bad:
54382 -+ needmode = oldmode;
54383 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54384 -+ needmode |= GR_SETID;
54385 -+
54386 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
54387 -+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
54388 -+ return (GR_CREATE | GR_LINK);
54389 -+ } else if (newmode & GR_SUPPRESS)
54390 -+ return GR_SUPPRESS;
54391 -+ else
54392 -+ return 0;
54393 -+}
54394 -+
54395 -+int
54396 -+gr_check_hidden_task(const struct task_struct *task)
54397 -+{
54398 -+ if (unlikely(!(gr_status & GR_READY)))
54399 -+ return 0;
54400 -+
54401 -+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
54402 -+ return 1;
54403 -+
54404 -+ return 0;
54405 -+}
54406 -+
54407 -+int
54408 -+gr_check_protected_task(const struct task_struct *task)
54409 -+{
54410 -+ if (unlikely(!(gr_status & GR_READY) || !task))
54411 -+ return 0;
54412 -+
54413 -+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54414 -+ task->acl != current->acl)
54415 -+ return 1;
54416 -+
54417 -+ return 0;
54418 -+}
54419 -+
54420 -+int
54421 -+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
54422 -+{
54423 -+ struct task_struct *p;
54424 -+ int ret = 0;
54425 -+
54426 -+ if (unlikely(!(gr_status & GR_READY) || !pid))
54427 -+ return ret;
54428 -+
54429 -+ read_lock(&tasklist_lock);
54430 -+ do_each_pid_task(pid, type, p) {
54431 -+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54432 -+ p->acl != current->acl) {
54433 -+ ret = 1;
54434 -+ goto out;
54435 -+ }
54436 -+ } while_each_pid_task(pid, type, p);
54437 -+out:
54438 -+ read_unlock(&tasklist_lock);
54439 -+
54440 -+ return ret;
54441 -+}
54442 -+
54443 -+void
54444 -+gr_copy_label(struct task_struct *tsk)
54445 -+{
54446 -+ tsk->signal->used_accept = 0;
54447 -+ tsk->acl_sp_role = 0;
54448 -+ tsk->acl_role_id = current->acl_role_id;
54449 -+ tsk->acl = current->acl;
54450 -+ tsk->role = current->role;
54451 -+ tsk->signal->curr_ip = current->signal->curr_ip;
54452 -+ tsk->signal->saved_ip = current->signal->saved_ip;
54453 -+ if (current->exec_file)
54454 -+ get_file(current->exec_file);
54455 -+ tsk->exec_file = current->exec_file;
54456 -+ tsk->is_writable = current->is_writable;
54457 -+ if (unlikely(current->signal->used_accept)) {
54458 -+ current->signal->curr_ip = 0;
54459 -+ current->signal->saved_ip = 0;
54460 -+ }
54461 -+
54462 -+ return;
54463 -+}
54464 -+
54465 -+static void
54466 -+gr_set_proc_res(struct task_struct *task)
54467 -+{
54468 -+ struct acl_subject_label *proc;
54469 -+ unsigned short i;
54470 -+
54471 -+ proc = task->acl;
54472 -+
54473 -+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54474 -+ return;
54475 -+
54476 -+ for (i = 0; i < RLIM_NLIMITS; i++) {
54477 -+ if (!(proc->resmask & (1 << i)))
54478 -+ continue;
54479 -+
54480 -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54481 -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54482 -+ }
54483 -+
54484 -+ return;
54485 -+}
54486 -+
54487 -+extern int __gr_process_user_ban(struct user_struct *user);
54488 -+
54489 -+int
54490 -+gr_check_user_change(int real, int effective, int fs)
54491 -+{
54492 -+ unsigned int i;
54493 -+ __u16 num;
54494 -+ uid_t *uidlist;
54495 -+ int curuid;
54496 -+ int realok = 0;
54497 -+ int effectiveok = 0;
54498 -+ int fsok = 0;
54499 -+
54500 -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54501 -+ struct user_struct *user;
54502 -+
54503 -+ if (real == -1)
54504 -+ goto skipit;
54505 -+
54506 -+ user = find_user(real);
54507 -+ if (user == NULL)
54508 -+ goto skipit;
54509 -+
54510 -+ if (__gr_process_user_ban(user)) {
54511 -+ /* for find_user */
54512 -+ free_uid(user);
54513 -+ return 1;
54514 -+ }
54515 -+
54516 -+ /* for find_user */
54517 -+ free_uid(user);
54518 -+
54519 -+skipit:
54520 -+#endif
54521 -+
54522 -+ if (unlikely(!(gr_status & GR_READY)))
54523 -+ return 0;
54524 -+
54525 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54526 -+ gr_log_learn_id_change('u', real, effective, fs);
54527 -+
54528 -+ num = current->acl->user_trans_num;
54529 -+ uidlist = current->acl->user_transitions;
54530 -+
54531 -+ if (uidlist == NULL)
54532 -+ return 0;
54533 -+
54534 -+ if (real == -1)
54535 -+ realok = 1;
54536 -+ if (effective == -1)
54537 -+ effectiveok = 1;
54538 -+ if (fs == -1)
54539 -+ fsok = 1;
54540 -+
54541 -+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
54542 -+ for (i = 0; i < num; i++) {
54543 -+ curuid = (int)uidlist[i];
54544 -+ if (real == curuid)
54545 -+ realok = 1;
54546 -+ if (effective == curuid)
54547 -+ effectiveok = 1;
54548 -+ if (fs == curuid)
54549 -+ fsok = 1;
54550 -+ }
54551 -+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
54552 -+ for (i = 0; i < num; i++) {
54553 -+ curuid = (int)uidlist[i];
54554 -+ if (real == curuid)
54555 -+ break;
54556 -+ if (effective == curuid)
54557 -+ break;
54558 -+ if (fs == curuid)
54559 -+ break;
54560 -+ }
54561 -+ /* not in deny list */
54562 -+ if (i == num) {
54563 -+ realok = 1;
54564 -+ effectiveok = 1;
54565 -+ fsok = 1;
54566 -+ }
54567 -+ }
54568 -+
54569 -+ if (realok && effectiveok && fsok)
54570 -+ return 0;
54571 -+ else {
54572 -+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54573 -+ return 1;
54574 -+ }
54575 -+}
54576 -+
54577 -+int
54578 -+gr_check_group_change(int real, int effective, int fs)
54579 -+{
54580 -+ unsigned int i;
54581 -+ __u16 num;
54582 -+ gid_t *gidlist;
54583 -+ int curgid;
54584 -+ int realok = 0;
54585 -+ int effectiveok = 0;
54586 -+ int fsok = 0;
54587 -+
54588 -+ if (unlikely(!(gr_status & GR_READY)))
54589 -+ return 0;
54590 -+
54591 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54592 -+ gr_log_learn_id_change('g', real, effective, fs);
54593 -+
54594 -+ num = current->acl->group_trans_num;
54595 -+ gidlist = current->acl->group_transitions;
54596 -+
54597 -+ if (gidlist == NULL)
54598 -+ return 0;
54599 -+
54600 -+ if (real == -1)
54601 -+ realok = 1;
54602 -+ if (effective == -1)
54603 -+ effectiveok = 1;
54604 -+ if (fs == -1)
54605 -+ fsok = 1;
54606 -+
54607 -+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
54608 -+ for (i = 0; i < num; i++) {
54609 -+ curgid = (int)gidlist[i];
54610 -+ if (real == curgid)
54611 -+ realok = 1;
54612 -+ if (effective == curgid)
54613 -+ effectiveok = 1;
54614 -+ if (fs == curgid)
54615 -+ fsok = 1;
54616 -+ }
54617 -+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
54618 -+ for (i = 0; i < num; i++) {
54619 -+ curgid = (int)gidlist[i];
54620 -+ if (real == curgid)
54621 -+ break;
54622 -+ if (effective == curgid)
54623 -+ break;
54624 -+ if (fs == curgid)
54625 -+ break;
54626 -+ }
54627 -+ /* not in deny list */
54628 -+ if (i == num) {
54629 -+ realok = 1;
54630 -+ effectiveok = 1;
54631 -+ fsok = 1;
54632 -+ }
54633 -+ }
54634 -+
54635 -+ if (realok && effectiveok && fsok)
54636 -+ return 0;
54637 -+ else {
54638 -+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54639 -+ return 1;
54640 -+ }
54641 -+}
54642 -+
54643 -+void
54644 -+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54645 -+{
54646 -+ struct acl_role_label *role = task->role;
54647 -+ struct acl_subject_label *subj = NULL;
54648 -+ struct acl_object_label *obj;
54649 -+ struct file *filp;
54650 -+
54651 -+ if (unlikely(!(gr_status & GR_READY)))
54652 -+ return;
54653 -+
54654 -+ filp = task->exec_file;
54655 -+
54656 -+ /* kernel process, we'll give them the kernel role */
54657 -+ if (unlikely(!filp)) {
54658 -+ task->role = kernel_role;
54659 -+ task->acl = kernel_role->root_label;
54660 -+ return;
54661 -+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54662 -+ role = lookup_acl_role_label(task, uid, gid);
54663 -+
54664 -+ /* perform subject lookup in possibly new role
54665 -+ we can use this result below in the case where role == task->role
54666 -+ */
54667 -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54668 -+
54669 -+ /* if we changed uid/gid, but result in the same role
54670 -+ and are using inheritance, don't lose the inherited subject
54671 -+ if current subject is other than what normal lookup
54672 -+ would result in, we arrived via inheritance, don't
54673 -+ lose subject
54674 -+ */
54675 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54676 -+ (subj == task->acl)))
54677 -+ task->acl = subj;
54678 -+
54679 -+ task->role = role;
54680 -+
54681 -+ task->is_writable = 0;
54682 -+
54683 -+ /* ignore additional mmap checks for processes that are writable
54684 -+ by the default ACL */
54685 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54686 -+ if (unlikely(obj->mode & GR_WRITE))
54687 -+ task->is_writable = 1;
54688 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54689 -+ if (unlikely(obj->mode & GR_WRITE))
54690 -+ task->is_writable = 1;
54691 -+
54692 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54693 -+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54694 -+#endif
54695 -+
54696 -+ gr_set_proc_res(task);
54697 -+
54698 -+ return;
54699 -+}
54700 -+
54701 -+int
54702 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54703 -+ const int unsafe_share)
54704 -+{
54705 -+ struct task_struct *task = current;
54706 -+ struct acl_subject_label *newacl;
54707 -+ struct acl_object_label *obj;
54708 -+ __u32 retmode;
54709 -+
54710 -+ if (unlikely(!(gr_status & GR_READY)))
54711 -+ return 0;
54712 -+
54713 -+ newacl = chk_subj_label(dentry, mnt, task->role);
54714 -+
54715 -+ task_lock(task);
54716 -+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54717 -+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54718 -+ !(task->role->roletype & GR_ROLE_GOD) &&
54719 -+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54720 -+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54721 -+ task_unlock(task);
54722 -+ if (unsafe_share)
54723 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54724 -+ else
54725 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54726 -+ return -EACCES;
54727 -+ }
54728 -+ task_unlock(task);
54729 -+
54730 -+ obj = chk_obj_label(dentry, mnt, task->acl);
54731 -+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54732 -+
54733 -+ if (!(task->acl->mode & GR_INHERITLEARN) &&
54734 -+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54735 -+ if (obj->nested)
54736 -+ task->acl = obj->nested;
54737 -+ else
54738 -+ task->acl = newacl;
54739 -+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54740 -+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54741 -+
54742 -+ task->is_writable = 0;
54743 -+
54744 -+ /* ignore additional mmap checks for processes that are writable
54745 -+ by the default ACL */
54746 -+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
54747 -+ if (unlikely(obj->mode & GR_WRITE))
54748 -+ task->is_writable = 1;
54749 -+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
54750 -+ if (unlikely(obj->mode & GR_WRITE))
54751 -+ task->is_writable = 1;
54752 -+
54753 -+ gr_set_proc_res(task);
54754 -+
54755 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54756 -+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54757 -+#endif
54758 -+ return 0;
54759 -+}
54760 -+
54761 -+/* always called with valid inodev ptr */
54762 -+static void
54763 -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54764 -+{
54765 -+ struct acl_object_label *matchpo;
54766 -+ struct acl_subject_label *matchps;
54767 -+ struct acl_subject_label *subj;
54768 -+ struct acl_role_label *role;
54769 -+ unsigned int x;
54770 -+
54771 -+ FOR_EACH_ROLE_START(role)
54772 -+ FOR_EACH_SUBJECT_START(role, subj, x)
54773 -+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54774 -+ matchpo->mode |= GR_DELETED;
54775 -+ FOR_EACH_SUBJECT_END(subj,x)
54776 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
54777 -+ if (subj->inode == ino && subj->device == dev)
54778 -+ subj->mode |= GR_DELETED;
54779 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
54780 -+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54781 -+ matchps->mode |= GR_DELETED;
54782 -+ FOR_EACH_ROLE_END(role)
54783 -+
54784 -+ inodev->nentry->deleted = 1;
54785 -+
54786 -+ return;
54787 -+}
54788 -+
54789 -+void
54790 -+gr_handle_delete(const ino_t ino, const dev_t dev)
54791 -+{
54792 -+ struct inodev_entry *inodev;
54793 -+
54794 -+ if (unlikely(!(gr_status & GR_READY)))
54795 -+ return;
54796 -+
54797 -+ write_lock(&gr_inode_lock);
54798 -+ inodev = lookup_inodev_entry(ino, dev);
54799 -+ if (inodev != NULL)
54800 -+ do_handle_delete(inodev, ino, dev);
54801 -+ write_unlock(&gr_inode_lock);
54802 -+
54803 -+ return;
54804 -+}
54805 -+
54806 -+static void
54807 -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54808 -+ const ino_t newinode, const dev_t newdevice,
54809 -+ struct acl_subject_label *subj)
54810 -+{
54811 -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54812 -+ struct acl_object_label *match;
54813 -+
54814 -+ match = subj->obj_hash[index];
54815 -+
54816 -+ while (match && (match->inode != oldinode ||
54817 -+ match->device != olddevice ||
54818 -+ !(match->mode & GR_DELETED)))
54819 -+ match = match->next;
54820 -+
54821 -+ if (match && (match->inode == oldinode)
54822 -+ && (match->device == olddevice)
54823 -+ && (match->mode & GR_DELETED)) {
54824 -+ if (match->prev == NULL) {
54825 -+ subj->obj_hash[index] = match->next;
54826 -+ if (match->next != NULL)
54827 -+ match->next->prev = NULL;
54828 -+ } else {
54829 -+ match->prev->next = match->next;
54830 -+ if (match->next != NULL)
54831 -+ match->next->prev = match->prev;
54832 -+ }
54833 -+ match->prev = NULL;
54834 -+ match->next = NULL;
54835 -+ match->inode = newinode;
54836 -+ match->device = newdevice;
54837 -+ match->mode &= ~GR_DELETED;
54838 -+
54839 -+ insert_acl_obj_label(match, subj);
54840 -+ }
54841 -+
54842 -+ return;
54843 -+}
54844 -+
54845 -+static void
54846 -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54847 -+ const ino_t newinode, const dev_t newdevice,
54848 -+ struct acl_role_label *role)
54849 -+{
54850 -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54851 -+ struct acl_subject_label *match;
54852 -+
54853 -+ match = role->subj_hash[index];
54854 -+
54855 -+ while (match && (match->inode != oldinode ||
54856 -+ match->device != olddevice ||
54857 -+ !(match->mode & GR_DELETED)))
54858 -+ match = match->next;
54859 -+
54860 -+ if (match && (match->inode == oldinode)
54861 -+ && (match->device == olddevice)
54862 -+ && (match->mode & GR_DELETED)) {
54863 -+ if (match->prev == NULL) {
54864 -+ role->subj_hash[index] = match->next;
54865 -+ if (match->next != NULL)
54866 -+ match->next->prev = NULL;
54867 -+ } else {
54868 -+ match->prev->next = match->next;
54869 -+ if (match->next != NULL)
54870 -+ match->next->prev = match->prev;
54871 -+ }
54872 -+ match->prev = NULL;
54873 -+ match->next = NULL;
54874 -+ match->inode = newinode;
54875 -+ match->device = newdevice;
54876 -+ match->mode &= ~GR_DELETED;
54877 -+
54878 -+ insert_acl_subj_label(match, role);
54879 -+ }
54880 -+
54881 -+ return;
54882 -+}
54883 -+
54884 -+static void
54885 -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54886 -+ const ino_t newinode, const dev_t newdevice)
54887 -+{
54888 -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54889 -+ struct inodev_entry *match;
54890 -+
54891 -+ match = inodev_set.i_hash[index];
54892 -+
54893 -+ while (match && (match->nentry->inode != oldinode ||
54894 -+ match->nentry->device != olddevice || !match->nentry->deleted))
54895 -+ match = match->next;
54896 -+
54897 -+ if (match && (match->nentry->inode == oldinode)
54898 -+ && (match->nentry->device == olddevice) &&
54899 -+ match->nentry->deleted) {
54900 -+ if (match->prev == NULL) {
54901 -+ inodev_set.i_hash[index] = match->next;
54902 -+ if (match->next != NULL)
54903 -+ match->next->prev = NULL;
54904 -+ } else {
54905 -+ match->prev->next = match->next;
54906 -+ if (match->next != NULL)
54907 -+ match->next->prev = match->prev;
54908 -+ }
54909 -+ match->prev = NULL;
54910 -+ match->next = NULL;
54911 -+ match->nentry->inode = newinode;
54912 -+ match->nentry->device = newdevice;
54913 -+ match->nentry->deleted = 0;
54914 -+
54915 -+ insert_inodev_entry(match);
54916 -+ }
54917 -+
54918 -+ return;
54919 -+}
54920 -+
54921 -+static void
54922 -+__do_handle_create(const struct name_entry *matchn, ino_t inode, dev_t dev)
54923 -+{
54924 -+ struct acl_subject_label *subj;
54925 -+ struct acl_role_label *role;
54926 -+ unsigned int x;
54927 -+
54928 -+ FOR_EACH_ROLE_START(role)
54929 -+ update_acl_subj_label(matchn->inode, matchn->device,
54930 -+ inode, dev, role);
54931 -+
54932 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
54933 -+ if ((subj->inode == inode) && (subj->device == dev)) {
54934 -+ subj->inode = inode;
54935 -+ subj->device = dev;
54936 -+ }
54937 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
54938 -+ FOR_EACH_SUBJECT_START(role, subj, x)
54939 -+ update_acl_obj_label(matchn->inode, matchn->device,
54940 -+ inode, dev, subj);
54941 -+ FOR_EACH_SUBJECT_END(subj,x)
54942 -+ FOR_EACH_ROLE_END(role)
54943 -+
54944 -+ update_inodev_entry(matchn->inode, matchn->device, inode, dev);
54945 -+
54946 -+ return;
54947 -+}
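Review bot: the nested-subject loop in __do_handle_create is a no-op as written: it tests `(subj->inode == inode) && (subj->device == dev)` and then assigns those same two values back to `subj->inode` and `subj->device`, so a nested subject that still carries the old inode/device pair is never retargeted to the recreated file. The other updates in this function (update_acl_subj_label, update_acl_obj_label, update_inodev_entry) all match on `matchn->inode` and `matchn->device` as the old identity. The comparison here should do the same, or the loop should be dropped with a comment stating that nested subjects are deliberately left alone.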
54948 -+
54949 -+static void
54950 -+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54951 -+ const struct vfsmount *mnt)
54952 -+{
54953 -+ ino_t ino = dentry->d_inode->i_ino;
54954 -+ dev_t dev = __get_dev(dentry);
54955 -+
54956 -+ __do_handle_create(matchn, ino, dev);
54957 -+
54958 -+ return;
54959 -+}
54960 -+
54961 -+void
54962 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54963 -+{
54964 -+ struct name_entry *matchn;
54965 -+
54966 -+ if (unlikely(!(gr_status & GR_READY)))
54967 -+ return;
54968 -+
54969 -+ preempt_disable();
54970 -+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54971 -+
54972 -+ if (unlikely((unsigned long)matchn)) {
54973 -+ write_lock(&gr_inode_lock);
54974 -+ do_handle_create(matchn, dentry, mnt);
54975 -+ write_unlock(&gr_inode_lock);
54976 -+ }
54977 -+ preempt_enable();
54978 -+
54979 -+ return;
54980 -+}
54981 -+
54982 -+void
54983 -+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
54984 -+{
54985 -+ struct name_entry *matchn;
54986 -+
54987 -+ if (unlikely(!(gr_status & GR_READY)))
54988 -+ return;
54989 -+
54990 -+ preempt_disable();
54991 -+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
54992 -+
54993 -+ if (unlikely((unsigned long)matchn)) {
54994 -+ write_lock(&gr_inode_lock);
54995 -+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
54996 -+ write_unlock(&gr_inode_lock);
54997 -+ }
54998 -+ preempt_enable();
54999 -+
55000 -+ return;
55001 -+}
55002 -+
55003 -+void
55004 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
55005 -+ struct dentry *old_dentry,
55006 -+ struct dentry *new_dentry,
55007 -+ struct vfsmount *mnt, const __u8 replace)
55008 -+{
55009 -+ struct name_entry *matchn;
55010 -+ struct inodev_entry *inodev;
55011 -+ ino_t oldinode = old_dentry->d_inode->i_ino;
55012 -+ dev_t olddev = __get_dev(old_dentry);
55013 -+
55014 -+ /* vfs_rename swaps the name and parent link for old_dentry and
55015 -+ new_dentry
55016 -+ at this point, old_dentry has the new name, parent link, and inode
55017 -+ for the renamed file
55018 -+ if a file is being replaced by a rename, new_dentry has the inode
55019 -+ and name for the replaced file
55020 -+ */
55021 -+
55022 -+ if (unlikely(!(gr_status & GR_READY)))
55023 -+ return;
55024 -+
55025 -+ preempt_disable();
55026 -+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
55027 -+
55028 -+ /* we wouldn't have to check d_inode if it weren't for
55029 -+ NFS silly-renaming
55030 -+ */
55031 -+
55032 -+ write_lock(&gr_inode_lock);
55033 -+ if (unlikely(replace && new_dentry->d_inode)) {
55034 -+ ino_t newinode = new_dentry->d_inode->i_ino;
55035 -+ dev_t newdev = __get_dev(new_dentry);
55036 -+ inodev = lookup_inodev_entry(newinode, newdev);
55037 -+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
55038 -+ do_handle_delete(inodev, newinode, newdev);
55039 -+ }
55040 -+
55041 -+ inodev = lookup_inodev_entry(oldinode, olddev);
55042 -+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
55043 -+ do_handle_delete(inodev, oldinode, olddev);
55044 -+
55045 -+ if (unlikely((unsigned long)matchn))
55046 -+ do_handle_create(matchn, old_dentry, mnt);
55047 -+
55048 -+ write_unlock(&gr_inode_lock);
55049 -+ preempt_enable();
55050 -+
55051 -+ return;
55052 -+}
55053 -+
55054 -+static int
55055 -+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
55056 -+ unsigned char **sum)
55057 -+{
55058 -+ struct acl_role_label *r;
55059 -+ struct role_allowed_ip *ipp;
55060 -+ struct role_transition *trans;
55061 -+ unsigned int i;
55062 -+ int found = 0;
55063 -+ u32 curr_ip = current->signal->curr_ip;
55064 -+
55065 -+ current->signal->saved_ip = curr_ip;
55066 -+
55067 -+ /* check transition table */
55068 -+
55069 -+ for (trans = current->role->transitions; trans; trans = trans->next) {
55070 -+ if (!strcmp(rolename, trans->rolename)) {
55071 -+ found = 1;
55072 -+ break;
55073 -+ }
55074 -+ }
55075 -+
55076 -+ if (!found)
55077 -+ return 0;
55078 -+
55079 -+ /* handle special roles that do not require authentication
55080 -+ and check ip */
55081 -+
55082 -+ FOR_EACH_ROLE_START(r)
55083 -+ if (!strcmp(rolename, r->rolename) &&
55084 -+ (r->roletype & GR_ROLE_SPECIAL)) {
55085 -+ found = 0;
55086 -+ if (r->allowed_ips != NULL) {
55087 -+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
55088 -+ if ((ntohl(curr_ip) & ipp->netmask) ==
55089 -+ (ntohl(ipp->addr) & ipp->netmask))
55090 -+ found = 1;
55091 -+ }
55092 -+ } else
55093 -+ found = 2;
55094 -+ if (!found)
55095 -+ return 0;
55096 -+
55097 -+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
55098 -+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
55099 -+ *salt = NULL;
55100 -+ *sum = NULL;
55101 -+ return 1;
55102 -+ }
55103 -+ }
55104 -+ FOR_EACH_ROLE_END(r)
55105 -+
55106 -+ for (i = 0; i < num_sprole_pws; i++) {
55107 -+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
55108 -+ *salt = acl_special_roles[i]->salt;
55109 -+ *sum = acl_special_roles[i]->sum;
55110 -+ return 1;
55111 -+ }
55112 -+ }
55113 -+
55114 -+ return 0;
55115 -+}
55116 -+
55117 -+static void
55118 -+assign_special_role(char *rolename)
55119 -+{
55120 -+ struct acl_object_label *obj;
55121 -+ struct acl_role_label *r;
55122 -+ struct acl_role_label *assigned = NULL;
55123 -+ struct task_struct *tsk;
55124 -+ struct file *filp;
55125 -+
55126 -+ FOR_EACH_ROLE_START(r)
55127 -+ if (!strcmp(rolename, r->rolename) &&
55128 -+ (r->roletype & GR_ROLE_SPECIAL)) {
55129 -+ assigned = r;
55130 -+ break;
55131 -+ }
55132 -+ FOR_EACH_ROLE_END(r)
55133 -+
55134 -+ if (!assigned)
55135 -+ return;
55136 -+
55137 -+ read_lock(&tasklist_lock);
55138 -+ read_lock(&grsec_exec_file_lock);
55139 -+
55140 -+ tsk = current->real_parent;
55141 -+ if (tsk == NULL)
55142 -+ goto out_unlock;
55143 -+
55144 -+ filp = tsk->exec_file;
55145 -+ if (filp == NULL)
55146 -+ goto out_unlock;
55147 -+
55148 -+ tsk->is_writable = 0;
55149 -+
55150 -+ tsk->acl_sp_role = 1;
55151 -+ tsk->acl_role_id = ++acl_sp_role_value;
55152 -+ tsk->role = assigned;
55153 -+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
55154 -+
55155 -+ /* ignore additional mmap checks for processes that are writable
55156 -+ by the default ACL */
55157 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55158 -+ if (unlikely(obj->mode & GR_WRITE))
55159 -+ tsk->is_writable = 1;
55160 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
55161 -+ if (unlikely(obj->mode & GR_WRITE))
55162 -+ tsk->is_writable = 1;
55163 -+
55164 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55165 -+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
55166 -+#endif
55167 -+
55168 -+out_unlock:
55169 -+ read_unlock(&grsec_exec_file_lock);
55170 -+ read_unlock(&tasklist_lock);
55171 -+ return;
55172 -+}
55173 -+
55174 -+int gr_check_secure_terminal(struct task_struct *task)
55175 -+{
55176 -+ struct task_struct *p, *p2, *p3;
55177 -+ struct files_struct *files;
55178 -+ struct fdtable *fdt;
55179 -+ struct file *our_file = NULL, *file;
55180 -+ int i;
55181 -+
55182 -+ if (task->signal->tty == NULL)
55183 -+ return 1;
55184 -+
55185 -+ files = get_files_struct(task);
55186 -+ if (files != NULL) {
55187 -+ rcu_read_lock();
55188 -+ fdt = files_fdtable(files);
55189 -+ for (i=0; i < fdt->max_fds; i++) {
55190 -+ file = fcheck_files(files, i);
55191 -+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
55192 -+ get_file(file);
55193 -+ our_file = file;
55194 -+ }
55195 -+ }
55196 -+ rcu_read_unlock();
55197 -+ put_files_struct(files);
55198 -+ }
55199 -+
55200 -+ if (our_file == NULL)
55201 -+ return 1;
55202 -+
55203 -+ read_lock(&tasklist_lock);
55204 -+ do_each_thread(p2, p) {
55205 -+ files = get_files_struct(p);
55206 -+ if (files == NULL ||
55207 -+ (p->signal && p->signal->tty == task->signal->tty)) {
55208 -+ if (files != NULL)
55209 -+ put_files_struct(files);
55210 -+ continue;
55211 -+ }
55212 -+ rcu_read_lock();
55213 -+ fdt = files_fdtable(files);
55214 -+ for (i=0; i < fdt->max_fds; i++) {
55215 -+ file = fcheck_files(files, i);
55216 -+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
55217 -+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
55218 -+ p3 = task;
55219 -+ while (p3->pid > 0) {
55220 -+ if (p3 == p)
55221 -+ break;
55222 -+ p3 = p3->real_parent;
55223 -+ }
55224 -+ if (p3 == p)
55225 -+ break;
55226 -+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
55227 -+ gr_handle_alertkill(p);
55228 -+ rcu_read_unlock();
55229 -+ put_files_struct(files);
55230 -+ read_unlock(&tasklist_lock);
55231 -+ fput(our_file);
55232 -+ return 0;
55233 -+ }
55234 -+ }
55235 -+ rcu_read_unlock();
55236 -+ put_files_struct(files);
55237 -+ } while_each_thread(p2, p);
55238 -+ read_unlock(&tasklist_lock);
55239 -+
55240 -+ fput(our_file);
55241 -+ return 1;
55242 -+}
55243 -+
55244 -+ssize_t
55245 -+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
55246 -+{
55247 -+ struct gr_arg_wrapper uwrap;
55248 -+ unsigned char *sprole_salt = NULL;
55249 -+ unsigned char *sprole_sum = NULL;
55250 -+ int error = sizeof (struct gr_arg_wrapper);
55251 -+ int error2 = 0;
55252 -+
55253 -+ mutex_lock(&gr_dev_mutex);
55254 -+
55255 -+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
55256 -+ error = -EPERM;
55257 -+ goto out;
55258 -+ }
55259 -+
55260 -+ if (count != sizeof (struct gr_arg_wrapper)) {
55261 -+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
55262 -+ error = -EINVAL;
55263 -+ goto out;
55264 -+ }
55265 -+
55266 -+
55267 -+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
55268 -+ gr_auth_expires = 0;
55269 -+ gr_auth_attempts = 0;
55270 -+ }
55271 -+
55272 -+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
55273 -+ error = -EFAULT;
55274 -+ goto out;
55275 -+ }
55276 -+
55277 -+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
55278 -+ error = -EINVAL;
55279 -+ goto out;
55280 -+ }
55281 -+
55282 -+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
55283 -+ error = -EFAULT;
55284 -+ goto out;
55285 -+ }
55286 -+
55287 -+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55288 -+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55289 -+ time_after(gr_auth_expires, get_seconds())) {
55290 -+ error = -EBUSY;
55291 -+ goto out;
55292 -+ }
55293 -+
55294 -+ /* if non-root trying to do anything other than use a special role,
55295 -+ do not attempt authentication, do not count towards authentication
55296 -+ locking
55297 -+ */
55298 -+
55299 -+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
55300 -+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55301 -+ current_uid()) {
55302 -+ error = -EPERM;
55303 -+ goto out;
55304 -+ }
55305 -+
55306 -+ /* ensure pw and special role name are null terminated */
55307 -+
55308 -+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
55309 -+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
55310 -+
55311 -+ /* Okay.
55312 -+ * We have our enough of the argument structure..(we have yet
55313 -+ * to copy_from_user the tables themselves) . Copy the tables
55314 -+ * only if we need them, i.e. for loading operations. */
55315 -+
55316 -+ switch (gr_usermode->mode) {
55317 -+ case GR_STATUS:
55318 -+ if (gr_status & GR_READY) {
55319 -+ error = 1;
55320 -+ if (!gr_check_secure_terminal(current))
55321 -+ error = 3;
55322 -+ } else
55323 -+ error = 2;
55324 -+ goto out;
55325 -+ case GR_SHUTDOWN:
55326 -+ if ((gr_status & GR_READY)
55327 -+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55328 -+ pax_open_kernel();
55329 -+ gr_status &= ~GR_READY;
55330 -+ pax_close_kernel();
55331 -+
55332 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
55333 -+ free_variables();
55334 -+ memset(gr_usermode, 0, sizeof (struct gr_arg));
55335 -+ memset(gr_system_salt, 0, GR_SALT_LEN);
55336 -+ memset(gr_system_sum, 0, GR_SHA_LEN);
55337 -+ } else if (gr_status & GR_READY) {
55338 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
55339 -+ error = -EPERM;
55340 -+ } else {
55341 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
55342 -+ error = -EAGAIN;
55343 -+ }
55344 -+ break;
55345 -+ case GR_ENABLE:
55346 -+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
55347 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
55348 -+ else {
55349 -+ if (gr_status & GR_READY)
55350 -+ error = -EAGAIN;
55351 -+ else
55352 -+ error = error2;
55353 -+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
55354 -+ }
55355 -+ break;
55356 -+ case GR_RELOAD:
55357 -+ if (!(gr_status & GR_READY)) {
55358 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
55359 -+ error = -EAGAIN;
55360 -+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55361 -+ lock_kernel();
55362 -+
55363 -+ pax_open_kernel();
55364 -+ gr_status &= ~GR_READY;
55365 -+ pax_close_kernel();
55366 -+
55367 -+ free_variables();
55368 -+ if (!(error2 = gracl_init(gr_usermode))) {
55369 -+ unlock_kernel();
55370 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
55371 -+ } else {
55372 -+ unlock_kernel();
55373 -+ error = error2;
55374 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55375 -+ }
55376 -+ } else {
55377 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55378 -+ error = -EPERM;
55379 -+ }
55380 -+ break;
55381 -+ case GR_SEGVMOD:
55382 -+ if (unlikely(!(gr_status & GR_READY))) {
55383 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
55384 -+ error = -EAGAIN;
55385 -+ break;
55386 -+ }
55387 -+
55388 -+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55389 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
55390 -+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
55391 -+ struct acl_subject_label *segvacl;
55392 -+ segvacl =
55393 -+ lookup_acl_subj_label(gr_usermode->segv_inode,
55394 -+ gr_usermode->segv_device,
55395 -+ current->role);
55396 -+ if (segvacl) {
55397 -+ segvacl->crashes = 0;
55398 -+ segvacl->expires = 0;
55399 -+ }
55400 -+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
55401 -+ gr_remove_uid(gr_usermode->segv_uid);
55402 -+ }
55403 -+ } else {
55404 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
55405 -+ error = -EPERM;
55406 -+ }
55407 -+ break;
55408 -+ case GR_SPROLE:
55409 -+ case GR_SPROLEPAM:
55410 -+ if (unlikely(!(gr_status & GR_READY))) {
55411 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
55412 -+ error = -EAGAIN;
55413 -+ break;
55414 -+ }
55415 -+
55416 -+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
55417 -+ current->role->expires = 0;
55418 -+ current->role->auth_attempts = 0;
55419 -+ }
55420 -+
55421 -+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55422 -+ time_after(current->role->expires, get_seconds())) {
55423 -+ error = -EBUSY;
55424 -+ goto out;
55425 -+ }
55426 -+
55427 -+ if (lookup_special_role_auth
55428 -+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
55429 -+ && ((!sprole_salt && !sprole_sum)
55430 -+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
55431 -+ char *p = "";
55432 -+ assign_special_role(gr_usermode->sp_role);
55433 -+ read_lock(&tasklist_lock);
55434 -+ if (current->real_parent)
55435 -+ p = current->real_parent->role->rolename;
55436 -+ read_unlock(&tasklist_lock);
55437 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
55438 -+ p, acl_sp_role_value);
55439 -+ } else {
55440 -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
55441 -+ error = -EPERM;
55442 -+ if(!(current->role->auth_attempts++))
55443 -+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55444 -+
55445 -+ goto out;
55446 -+ }
55447 -+ break;
55448 -+ case GR_UNSPROLE:
55449 -+ if (unlikely(!(gr_status & GR_READY))) {
55450 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
55451 -+ error = -EAGAIN;
55452 -+ break;
55453 -+ }
55454 -+
55455 -+ if (current->role->roletype & GR_ROLE_SPECIAL) {
55456 -+ char *p = "";
55457 -+ int i = 0;
55458 -+
55459 -+ read_lock(&tasklist_lock);
55460 -+ if (current->real_parent) {
55461 -+ p = current->real_parent->role->rolename;
55462 -+ i = current->real_parent->acl_role_id;
55463 -+ }
55464 -+ read_unlock(&tasklist_lock);
55465 -+
55466 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
55467 -+ gr_set_acls(1);
55468 -+ } else {
55469 -+ error = -EPERM;
55470 -+ goto out;
55471 -+ }
55472 -+ break;
55473 -+ default:
55474 -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
55475 -+ error = -EINVAL;
55476 -+ break;
55477 -+ }
55478 -+
55479 -+ if (error != -EPERM)
55480 -+ goto out;
55481 -+
55482 -+ if(!(gr_auth_attempts++))
55483 -+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55484 -+
55485 -+ out:
55486 -+ mutex_unlock(&gr_dev_mutex);
55487 -+ return error;
55488 -+}
55489 -+
55490 -+/* must be called with
55491 -+ rcu_read_lock();
55492 -+ read_lock(&tasklist_lock);
55493 -+ read_lock(&grsec_exec_file_lock);
55494 -+*/
55495 -+int gr_apply_subject_to_task(struct task_struct *task)
55496 -+{
55497 -+ struct acl_object_label *obj;
55498 -+ char *tmpname;
55499 -+ struct acl_subject_label *tmpsubj;
55500 -+ struct file *filp;
55501 -+ struct name_entry *nmatch;
55502 -+
55503 -+ filp = task->exec_file;
55504 -+ if (filp == NULL)
55505 -+ return 0;
55506 -+
55507 -+ /* the following is to apply the correct subject
55508 -+ on binaries running when the RBAC system
55509 -+ is enabled, when the binaries have been
55510 -+ replaced or deleted since their execution
55511 -+ -----
55512 -+ when the RBAC system starts, the inode/dev
55513 -+ from exec_file will be one the RBAC system
55514 -+ is unaware of. It only knows the inode/dev
55515 -+ of the present file on disk, or the absence
55516 -+ of it.
55517 -+ */
55518 -+ preempt_disable();
55519 -+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55520 -+
55521 -+ nmatch = lookup_name_entry(tmpname);
55522 -+ preempt_enable();
55523 -+ tmpsubj = NULL;
55524 -+ if (nmatch) {
55525 -+ if (nmatch->deleted)
55526 -+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55527 -+ else
55528 -+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55529 -+ if (tmpsubj != NULL)
55530 -+ task->acl = tmpsubj;
55531 -+ }
55532 -+ if (tmpsubj == NULL)
55533 -+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55534 -+ task->role);
55535 -+ if (task->acl) {
55536 -+ task->is_writable = 0;
55537 -+ /* ignore additional mmap checks for processes that are writable
55538 -+ by the default ACL */
55539 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55540 -+ if (unlikely(obj->mode & GR_WRITE))
55541 -+ task->is_writable = 1;
55542 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55543 -+ if (unlikely(obj->mode & GR_WRITE))
55544 -+ task->is_writable = 1;
55545 -+
55546 -+ gr_set_proc_res(task);
55547 -+
55548 -+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55549 -+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55550 -+#endif
55551 -+ } else {
55552 -+ return 1;
55553 -+ }
55554 -+
55555 -+ return 0;
55556 -+}
55557 -+
55558 -+int
55559 -+gr_set_acls(const int type)
55560 -+{
55561 -+ struct task_struct *task, *task2;
55562 -+ struct acl_role_label *role = current->role;
55563 -+ __u16 acl_role_id = current->acl_role_id;
55564 -+ const struct cred *cred;
55565 -+ int ret;
55566 -+
55567 -+ rcu_read_lock();
55568 -+ read_lock(&tasklist_lock);
55569 -+ read_lock(&grsec_exec_file_lock);
55570 -+ do_each_thread(task2, task) {
55571 -+ /* check to see if we're called from the exit handler,
55572 -+ if so, only replace ACLs that have inherited the admin
55573 -+ ACL */
55574 -+
55575 -+ if (type && (task->role != role ||
55576 -+ task->acl_role_id != acl_role_id))
55577 -+ continue;
55578 -+
55579 -+ task->acl_role_id = 0;
55580 -+ task->acl_sp_role = 0;
55581 -+
55582 -+ if (task->exec_file) {
55583 -+ cred = __task_cred(task);
55584 -+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55585 -+
55586 -+ ret = gr_apply_subject_to_task(task);
55587 -+ if (ret) {
55588 -+ read_unlock(&grsec_exec_file_lock);
55589 -+ read_unlock(&tasklist_lock);
55590 -+ rcu_read_unlock();
55591 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55592 -+ return ret;
55593 -+ }
55594 -+ } else {
55595 -+ // it's a kernel process
55596 -+ task->role = kernel_role;
55597 -+ task->acl = kernel_role->root_label;
55598 -+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55599 -+ task->acl->mode &= ~GR_PROCFIND;
55600 -+#endif
55601 -+ }
55602 -+ } while_each_thread(task2, task);
55603 -+ read_unlock(&grsec_exec_file_lock);
55604 -+ read_unlock(&tasklist_lock);
55605 -+ rcu_read_unlock();
55606 -+
55607 -+ return 0;
55608 -+}
55609 -+
55610 -+void
55611 -+gr_learn_resource(const struct task_struct *task,
55612 -+ const int res, const unsigned long wanted, const int gt)
55613 -+{
55614 -+ struct acl_subject_label *acl;
55615 -+ const struct cred *cred;
55616 -+
55617 -+ if (unlikely((gr_status & GR_READY) &&
55618 -+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55619 -+ goto skip_reslog;
55620 -+
55621 -+#ifdef CONFIG_GRKERNSEC_RESLOG
55622 -+ gr_log_resource(task, res, wanted, gt);
55623 -+#endif
55624 -+ skip_reslog:
55625 -+
55626 -+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55627 -+ return;
55628 -+
55629 -+ acl = task->acl;
55630 -+
55631 -+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55632 -+ !(acl->resmask & (1 << (unsigned short) res))))
55633 -+ return;
55634 -+
55635 -+ if (wanted >= acl->res[res].rlim_cur) {
55636 -+ unsigned long res_add;
55637 -+
55638 -+ res_add = wanted;
55639 -+ switch (res) {
55640 -+ case RLIMIT_CPU:
55641 -+ res_add += GR_RLIM_CPU_BUMP;
55642 -+ break;
55643 -+ case RLIMIT_FSIZE:
55644 -+ res_add += GR_RLIM_FSIZE_BUMP;
55645 -+ break;
55646 -+ case RLIMIT_DATA:
55647 -+ res_add += GR_RLIM_DATA_BUMP;
55648 -+ break;
55649 -+ case RLIMIT_STACK:
55650 -+ res_add += GR_RLIM_STACK_BUMP;
55651 -+ break;
55652 -+ case RLIMIT_CORE:
55653 -+ res_add += GR_RLIM_CORE_BUMP;
55654 -+ break;
55655 -+ case RLIMIT_RSS:
55656 -+ res_add += GR_RLIM_RSS_BUMP;
55657 -+ break;
55658 -+ case RLIMIT_NPROC:
55659 -+ res_add += GR_RLIM_NPROC_BUMP;
55660 -+ break;
55661 -+ case RLIMIT_NOFILE:
55662 -+ res_add += GR_RLIM_NOFILE_BUMP;
55663 -+ break;
55664 -+ case RLIMIT_MEMLOCK:
55665 -+ res_add += GR_RLIM_MEMLOCK_BUMP;
55666 -+ break;
55667 -+ case RLIMIT_AS:
55668 -+ res_add += GR_RLIM_AS_BUMP;
55669 -+ break;
55670 -+ case RLIMIT_LOCKS:
55671 -+ res_add += GR_RLIM_LOCKS_BUMP;
55672 -+ break;
55673 -+ case RLIMIT_SIGPENDING:
55674 -+ res_add += GR_RLIM_SIGPENDING_BUMP;
55675 -+ break;
55676 -+ case RLIMIT_MSGQUEUE:
55677 -+ res_add += GR_RLIM_MSGQUEUE_BUMP;
55678 -+ break;
55679 -+ case RLIMIT_NICE:
55680 -+ res_add += GR_RLIM_NICE_BUMP;
55681 -+ break;
55682 -+ case RLIMIT_RTPRIO:
55683 -+ res_add += GR_RLIM_RTPRIO_BUMP;
55684 -+ break;
55685 -+ case RLIMIT_RTTIME:
55686 -+ res_add += GR_RLIM_RTTIME_BUMP;
55687 -+ break;
55688 -+ }
55689 -+
55690 -+ acl->res[res].rlim_cur = res_add;
55691 -+
55692 -+ if (wanted > acl->res[res].rlim_max)
55693 -+ acl->res[res].rlim_max = res_add;
55694 -+
55695 -+ /* only log the subject filename, since resource logging is supported for
55696 -+ single-subject learning only */
55697 -+ rcu_read_lock();
55698 -+ cred = __task_cred(task);
55699 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55700 -+ task->role->roletype, cred->uid, cred->gid, acl->filename,
55701 -+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55702 -+ "", (unsigned long) res, &task->signal->saved_ip);
55703 -+ rcu_read_unlock();
55704 -+ }
55705 -+
55706 -+ return;
55707 -+}
55708 -+
55709 -+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55710 -+void
55711 -+pax_set_initial_flags(struct linux_binprm *bprm)
55712 -+{
55713 -+ struct task_struct *task = current;
55714 -+ struct acl_subject_label *proc;
55715 -+ unsigned long flags;
55716 -+
55717 -+ if (unlikely(!(gr_status & GR_READY)))
55718 -+ return;
55719 -+
55720 -+ flags = pax_get_flags(task);
55721 -+
55722 -+ proc = task->acl;
55723 -+
55724 -+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55725 -+ flags &= ~MF_PAX_PAGEEXEC;
55726 -+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55727 -+ flags &= ~MF_PAX_SEGMEXEC;
55728 -+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55729 -+ flags &= ~MF_PAX_RANDMMAP;
55730 -+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55731 -+ flags &= ~MF_PAX_EMUTRAMP;
55732 -+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55733 -+ flags &= ~MF_PAX_MPROTECT;
55734 -+
55735 -+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55736 -+ flags |= MF_PAX_PAGEEXEC;
55737 -+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55738 -+ flags |= MF_PAX_SEGMEXEC;
55739 -+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55740 -+ flags |= MF_PAX_RANDMMAP;
55741 -+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55742 -+ flags |= MF_PAX_EMUTRAMP;
55743 -+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55744 -+ flags |= MF_PAX_MPROTECT;
55745 -+
55746 -+ pax_set_flags(task, flags);
55747 -+
55748 -+ return;
55749 -+}
55750 -+#endif
55751 -+
55752 -+#ifdef CONFIG_SYSCTL
55753 -+/* Eric Biederman likes breaking userland ABI and every inode-based security
55754 -+ system to save 35kb of memory */
55755 -+
55756 -+/* we modify the passed in filename, but adjust it back before returning */
55757 -+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55758 -+{
55759 -+ struct name_entry *nmatch;
55760 -+ char *p, *lastp = NULL;
55761 -+ struct acl_object_label *obj = NULL, *tmp;
55762 -+ struct acl_subject_label *tmpsubj;
55763 -+ char c = '\0';
55764 -+
55765 -+ read_lock(&gr_inode_lock);
55766 -+
55767 -+ p = name + len - 1;
55768 -+ do {
55769 -+ nmatch = lookup_name_entry(name);
55770 -+ if (lastp != NULL)
55771 -+ *lastp = c;
55772 -+
55773 -+ if (nmatch == NULL)
55774 -+ goto next_component;
55775 -+ tmpsubj = current->acl;
55776 -+ do {
55777 -+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55778 -+ if (obj != NULL) {
55779 -+ tmp = obj->globbed;
55780 -+ while (tmp) {
55781 -+ if (!glob_match(tmp->filename, name)) {
55782 -+ obj = tmp;
55783 -+ goto found_obj;
55784 -+ }
55785 -+ tmp = tmp->next;
55786 -+ }
55787 -+ goto found_obj;
55788 -+ }
55789 -+ } while ((tmpsubj = tmpsubj->parent_subject));
55790 -+next_component:
55791 -+ /* end case */
55792 -+ if (p == name)
55793 -+ break;
55794 -+
55795 -+ while (*p != '/')
55796 -+ p--;
55797 -+ if (p == name)
55798 -+ lastp = p + 1;
55799 -+ else {
55800 -+ lastp = p;
55801 -+ p--;
55802 -+ }
55803 -+ c = *lastp;
55804 -+ *lastp = '\0';
55805 -+ } while (1);
55806 -+found_obj:
55807 -+ read_unlock(&gr_inode_lock);
55808 -+ /* obj returned will always be non-null */
55809 -+ return obj;
55810 -+}
55811 -+
55812 -+/* returns 0 when allowing, non-zero on error
55813 -+ op of 0 is used for readdir, so we don't log the names of hidden files
55814 -+*/
55815 -+__u32
55816 -+gr_handle_sysctl(const struct ctl_table *table, const int op)
55817 -+{
55818 -+ ctl_table *tmp;
55819 -+ const char *proc_sys = "/proc/sys";
55820 -+ char *path;
55821 -+ struct acl_object_label *obj;
55822 -+ unsigned short len = 0, pos = 0, depth = 0, i;
55823 -+ __u32 err = 0;
55824 -+ __u32 mode = 0;
55825 -+
55826 -+ if (unlikely(!(gr_status & GR_READY)))
55827 -+ return 0;
55828 -+
55829 -+ /* for now, ignore operations on non-sysctl entries if it's not a
55830 -+ readdir*/
55831 -+ if (table->child != NULL && op != 0)
55832 -+ return 0;
55833 -+
55834 -+ mode |= GR_FIND;
55835 -+ /* it's only a read if it's an entry, read on dirs is for readdir */
55836 -+ if (op & MAY_READ)
55837 -+ mode |= GR_READ;
55838 -+ if (op & MAY_WRITE)
55839 -+ mode |= GR_WRITE;
55840 -+
55841 -+ preempt_disable();
55842 -+
55843 -+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55844 -+
55845 -+ /* it's only a read/write if it's an actual entry, not a dir
55846 -+ (which are opened for readdir)
55847 -+ */
55848 -+
55849 -+ /* convert the requested sysctl entry into a pathname */
55850 -+
55851 -+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55852 -+ len += strlen(tmp->procname);
55853 -+ len++;
55854 -+ depth++;
55855 -+ }
55856 -+
55857 -+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55858 -+ /* deny */
55859 -+ goto out;
55860 -+ }
55861 -+
55862 -+ memset(path, 0, PAGE_SIZE);
55863 -+
55864 -+ memcpy(path, proc_sys, strlen(proc_sys));
55865 -+
55866 -+ pos += strlen(proc_sys);
55867 -+
55868 -+ for (; depth > 0; depth--) {
55869 -+ path[pos] = '/';
55870 -+ pos++;
55871 -+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55872 -+ if (depth == i) {
55873 -+ memcpy(path + pos, tmp->procname,
55874 -+ strlen(tmp->procname));
55875 -+ pos += strlen(tmp->procname);
55876 -+ }
55877 -+ i++;
55878 -+ }
55879 -+ }
55880 -+
55881 -+ obj = gr_lookup_by_name(path, pos);
55882 -+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55883 -+
55884 -+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55885 -+ ((err & mode) != mode))) {
55886 -+ __u32 new_mode = mode;
55887 -+
55888 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55889 -+
55890 -+ err = 0;
55891 -+ gr_log_learn_sysctl(path, new_mode);
55892 -+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55893 -+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55894 -+ err = -ENOENT;
55895 -+ } else if (!(err & GR_FIND)) {
55896 -+ err = -ENOENT;
55897 -+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55898 -+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55899 -+ path, (mode & GR_READ) ? " reading" : "",
55900 -+ (mode & GR_WRITE) ? " writing" : "");
55901 -+ err = -EACCES;
55902 -+ } else if ((err & mode) != mode) {
55903 -+ err = -EACCES;
55904 -+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55905 -+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55906 -+ path, (mode & GR_READ) ? " reading" : "",
55907 -+ (mode & GR_WRITE) ? " writing" : "");
55908 -+ err = 0;
55909 -+ } else
55910 -+ err = 0;
55911 -+
55912 -+ out:
55913 -+ preempt_enable();
55914 -+
55915 -+ return err;
55916 -+}
55917 -+#endif
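Review bot: in gr_handle_sysctl, the branch commented /* deny */ (taken when the assembled /proc/sys path would exceed PAGE_SIZE) does goto out while err still holds its initial value 0, and the function's own header comment defines 0 as allowing, so the over-long case is permitted rather than denied. These lines are being removed, so nothing changes in this commit, but any copy of the function that is kept should set err before the goto, for example err = -EACCES as the other denial branches do, or have the comment state that the case is allowed. The same function dereferences obj->mode straight after gr_lookup_by_name, relying on that helper's "obj returned will always be non-null" comment; worth keeping in mind when the helper is read on its own, since its walk back to the root is the only thing that guarantees it.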
55918 -+
55919 -+int
55920 -+gr_handle_proc_ptrace(struct task_struct *task)
55921 -+{
55922 -+ struct file *filp;
55923 -+ struct task_struct *tmp = task;
55924 -+ struct task_struct *curtemp = current;
55925 -+ __u32 retmode;
55926 -+
55927 -+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55928 -+ if (unlikely(!(gr_status & GR_READY)))
55929 -+ return 0;
55930 -+#endif
55931 -+
55932 -+ read_lock(&tasklist_lock);
55933 -+ read_lock(&grsec_exec_file_lock);
55934 -+ filp = task->exec_file;
55935 -+
55936 -+ while (tmp->pid > 0) {
55937 -+ if (tmp == curtemp)
55938 -+ break;
55939 -+ tmp = tmp->real_parent;
55940 -+ }
55941 -+
55942 -+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55943 -+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55944 -+ read_unlock(&grsec_exec_file_lock);
55945 -+ read_unlock(&tasklist_lock);
55946 -+ return 1;
55947 -+ }
55948 -+
55949 -+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55950 -+ if (!(gr_status & GR_READY)) {
55951 -+ read_unlock(&grsec_exec_file_lock);
55952 -+ read_unlock(&tasklist_lock);
55953 -+ return 0;
55954 -+ }
55955 -+#endif
55956 -+
55957 -+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55958 -+ read_unlock(&grsec_exec_file_lock);
55959 -+ read_unlock(&tasklist_lock);
55960 -+
55961 -+ if (retmode & GR_NOPTRACE)
55962 -+ return 1;
55963 -+
55964 -+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55965 -+ && (current->acl != task->acl || (current->acl != current->role->root_label
55966 -+ && current->pid != task->pid)))
55967 -+ return 1;
55968 -+
55969 -+ return 0;
55970 -+}
55971 -+
55972 -+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55973 -+{
55974 -+ if (unlikely(!(gr_status & GR_READY)))
55975 -+ return;
55976 -+
55977 -+ if (!(current->role->roletype & GR_ROLE_GOD))
55978 -+ return;
55979 -+
55980 -+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55981 -+ p->role->rolename, gr_task_roletype_to_char(p),
55982 -+ p->acl->filename);
55983 -+}
55984 -+
55985 -+int
55986 -+gr_handle_ptrace(struct task_struct *task, const long request)
55987 -+{
55988 -+ struct task_struct *tmp = task;
55989 -+ struct task_struct *curtemp = current;
55990 -+ __u32 retmode;
55991 -+
55992 -+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55993 -+ if (unlikely(!(gr_status & GR_READY)))
55994 -+ return 0;
55995 -+#endif
55996 -+
55997 -+ read_lock(&tasklist_lock);
55998 -+ while (tmp->pid > 0) {
55999 -+ if (tmp == curtemp)
56000 -+ break;
56001 -+ tmp = tmp->real_parent;
56002 -+ }
56003 -+
56004 -+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
56005 -+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
56006 -+ read_unlock(&tasklist_lock);
56007 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56008 -+ return 1;
56009 -+ }
56010 -+ read_unlock(&tasklist_lock);
56011 -+
56012 -+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56013 -+ if (!(gr_status & GR_READY))
56014 -+ return 0;
56015 -+#endif
56016 -+
56017 -+ read_lock(&grsec_exec_file_lock);
56018 -+ if (unlikely(!task->exec_file)) {
56019 -+ read_unlock(&grsec_exec_file_lock);
56020 -+ return 0;
56021 -+ }
56022 -+
56023 -+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
56024 -+ read_unlock(&grsec_exec_file_lock);
56025 -+
56026 -+ if (retmode & GR_NOPTRACE) {
56027 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56028 -+ return 1;
56029 -+ }
56030 -+
56031 -+ if (retmode & GR_PTRACERD) {
56032 -+ switch (request) {
56033 -+ case PTRACE_POKETEXT:
56034 -+ case PTRACE_POKEDATA:
56035 -+ case PTRACE_POKEUSR:
56036 -+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
56037 -+ case PTRACE_SETREGS:
56038 -+ case PTRACE_SETFPREGS:
56039 -+#endif
56040 -+#ifdef CONFIG_X86
56041 -+ case PTRACE_SETFPXREGS:
56042 -+#endif
56043 -+#ifdef CONFIG_ALTIVEC
56044 -+ case PTRACE_SETVRREGS:
56045 -+#endif
56046 -+ return 1;
56047 -+ default:
56048 -+ return 0;
56049 -+ }
56050 -+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
56051 -+ !(current->role->roletype & GR_ROLE_GOD) &&
56052 -+ (current->acl != task->acl)) {
56053 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56054 -+ return 1;
56055 -+ }
56056 -+
56057 -+ return 0;
56058 -+}
56059 -+
56060 -+static int is_writable_mmap(const struct file *filp)
56061 -+{
56062 -+ struct task_struct *task = current;
56063 -+ struct acl_object_label *obj, *obj2;
56064 -+
56065 -+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
56066 -+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
56067 -+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
56068 -+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
56069 -+ task->role->root_label);
56070 -+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
56071 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
56072 -+ return 1;
56073 -+ }
56074 -+ }
56075 -+ return 0;
56076 -+}
56077 -+
56078 -+int
56079 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
56080 -+{
56081 -+ __u32 mode;
56082 -+
56083 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
56084 -+ return 1;
56085 -+
56086 -+ if (is_writable_mmap(file))
56087 -+ return 0;
56088 -+
56089 -+ mode =
56090 -+ gr_search_file(file->f_path.dentry,
56091 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56092 -+ file->f_path.mnt);
56093 -+
56094 -+ if (!gr_tpe_allow(file))
56095 -+ return 0;
56096 -+
56097 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56098 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56099 -+ return 0;
56100 -+ } else if (unlikely(!(mode & GR_EXEC))) {
56101 -+ return 0;
56102 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56103 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56104 -+ return 1;
56105 -+ }
56106 -+
56107 -+ return 1;
56108 -+}
56109 -+
56110 -+int
56111 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
56112 -+{
56113 -+ __u32 mode;
56114 -+
56115 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
56116 -+ return 1;
56117 -+
56118 -+ if (is_writable_mmap(file))
56119 -+ return 0;
56120 -+
56121 -+ mode =
56122 -+ gr_search_file(file->f_path.dentry,
56123 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56124 -+ file->f_path.mnt);
56125 -+
56126 -+ if (!gr_tpe_allow(file))
56127 -+ return 0;
56128 -+
56129 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56130 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56131 -+ return 0;
56132 -+ } else if (unlikely(!(mode & GR_EXEC))) {
56133 -+ return 0;
56134 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56135 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56136 -+ return 1;
56137 -+ }
56138 -+
56139 -+ return 1;
56140 -+}
56141 -+
56142 -+void
56143 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
56144 -+{
56145 -+ unsigned long runtime;
56146 -+ unsigned long cputime;
56147 -+ unsigned int wday, cday;
56148 -+ __u8 whr, chr;
56149 -+ __u8 wmin, cmin;
56150 -+ __u8 wsec, csec;
56151 -+ struct timespec timeval;
56152 -+
56153 -+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
56154 -+ !(task->acl->mode & GR_PROCACCT)))
56155 -+ return;
56156 -+
56157 -+ do_posix_clock_monotonic_gettime(&timeval);
56158 -+ runtime = timeval.tv_sec - task->start_time.tv_sec;
56159 -+ wday = runtime / (3600 * 24);
56160 -+ runtime -= wday * (3600 * 24);
56161 -+ whr = runtime / 3600;
56162 -+ runtime -= whr * 3600;
56163 -+ wmin = runtime / 60;
56164 -+ runtime -= wmin * 60;
56165 -+ wsec = runtime;
56166 -+
56167 -+ cputime = (task->utime + task->stime) / HZ;
56168 -+ cday = cputime / (3600 * 24);
56169 -+ cputime -= cday * (3600 * 24);
56170 -+ chr = cputime / 3600;
56171 -+ cputime -= chr * 3600;
56172 -+ cmin = cputime / 60;
56173 -+ cputime -= cmin * 60;
56174 -+ csec = cputime;
56175 -+
56176 -+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
56177 -+
56178 -+ return;
56179 -+}
56180 -+
56181 -+void gr_set_kernel_label(struct task_struct *task)
56182 -+{
56183 -+ if (gr_status & GR_READY) {
56184 -+ task->role = kernel_role;
56185 -+ task->acl = kernel_role->root_label;
56186 -+ }
56187 -+ return;
56188 -+}
56189 -+
56190 -+#ifdef CONFIG_TASKSTATS
56191 -+int gr_is_taskstats_denied(int pid)
56192 -+{
56193 -+ struct task_struct *task;
56194 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56195 -+ const struct cred *cred;
56196 -+#endif
56197 -+ int ret = 0;
56198 -+
56199 -+ /* restrict taskstats viewing to un-chrooted root users
56200 -+ who have the 'view' subject flag if the RBAC system is enabled
56201 -+ */
56202 -+
56203 -+ rcu_read_lock();
56204 -+ read_lock(&tasklist_lock);
56205 -+ task = find_task_by_vpid(pid);
56206 -+ if (task) {
56207 -+#ifdef CONFIG_GRKERNSEC_CHROOT
56208 -+ if (proc_is_chrooted(task))
56209 -+ ret = -EACCES;
56210 -+#endif
56211 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56212 -+ cred = __task_cred(task);
56213 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
56214 -+ if (cred->uid != 0)
56215 -+ ret = -EACCES;
56216 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56217 -+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
56218 -+ ret = -EACCES;
56219 -+#endif
56220 -+#endif
56221 -+ if (gr_status & GR_READY) {
56222 -+ if (!(task->acl->mode & GR_VIEW))
56223 -+ ret = -EACCES;
56224 -+ }
56225 -+ } else
56226 -+ ret = -ENOENT;
56227 -+
56228 -+ read_unlock(&tasklist_lock);
56229 -+ rcu_read_unlock();
56230 -+
56231 -+ return ret;
56232 -+}
56233 -+#endif
56234 -+
56235 -+/* AUXV entries are filled via a descendant of search_binary_handler
56236 -+ after we've already applied the subject for the target
56237 -+*/
56238 -+int gr_acl_enable_at_secure(void)
56239 -+{
56240 -+ if (unlikely(!(gr_status & GR_READY)))
56241 -+ return 0;
56242 -+
56243 -+ if (current->acl->mode & GR_ATSECURE)
56244 -+ return 1;
56245 -+
56246 -+ return 0;
56247 -+}
56248 -+
56249 -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
56250 -+{
56251 -+ struct task_struct *task = current;
56252 -+ struct dentry *dentry = file->f_path.dentry;
56253 -+ struct vfsmount *mnt = file->f_path.mnt;
56254 -+ struct acl_object_label *obj, *tmp;
56255 -+ struct acl_subject_label *subj;
56256 -+ unsigned int bufsize;
56257 -+ int is_not_root;
56258 -+ char *path;
56259 -+ dev_t dev = __get_dev(dentry);
56260 -+
56261 -+ if (unlikely(!(gr_status & GR_READY)))
56262 -+ return 1;
56263 -+
56264 -+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
56265 -+ return 1;
56266 -+
56267 -+ /* ignore Eric Biederman */
56268 -+ if (IS_PRIVATE(dentry->d_inode))
56269 -+ return 1;
56270 -+
56271 -+ subj = task->acl;
56272 -+ do {
56273 -+ obj = lookup_acl_obj_label(ino, dev, subj);
56274 -+ if (obj != NULL)
56275 -+ return (obj->mode & GR_FIND) ? 1 : 0;
56276 -+ } while ((subj = subj->parent_subject));
56277 -+
56278 -+ /* this is purely an optimization since we're looking for an object
56279 -+ for the directory we're doing a readdir on
56280 -+ if it's possible for any globbed object to match the entry we're
56281 -+ filling into the directory, then the object we find here will be
56282 -+ an anchor point with attached globbed objects
56283 -+ */
56284 -+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
56285 -+ if (obj->globbed == NULL)
56286 -+ return (obj->mode & GR_FIND) ? 1 : 0;
56287 -+
56288 -+ is_not_root = ((obj->filename[0] == '/') &&
56289 -+ (obj->filename[1] == '\0')) ? 0 : 1;
56290 -+ bufsize = PAGE_SIZE - namelen - is_not_root;
56291 -+
56292 -+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
56293 -+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
56294 -+ return 1;
56295 -+
56296 -+ preempt_disable();
56297 -+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
56298 -+ bufsize);
56299 -+
56300 -+ bufsize = strlen(path);
56301 -+
56302 -+ /* if base is "/", don't append an additional slash */
56303 -+ if (is_not_root)
56304 -+ *(path + bufsize) = '/';
56305 -+ memcpy(path + bufsize + is_not_root, name, namelen);
56306 -+ *(path + bufsize + namelen + is_not_root) = '\0';
56307 -+
56308 -+ tmp = obj->globbed;
56309 -+ while (tmp) {
56310 -+ if (!glob_match(tmp->filename, path)) {
56311 -+ preempt_enable();
56312 -+ return (tmp->mode & GR_FIND) ? 1 : 0;
56313 -+ }
56314 -+ tmp = tmp->next;
56315 -+ }
56316 -+ preempt_enable();
56317 -+ return (obj->mode & GR_FIND) ? 1 : 0;
56318 -+}
56319 -+
56320 -+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
56321 -+EXPORT_SYMBOL(gr_acl_is_enabled);
56322 -+#endif
56323 -+EXPORT_SYMBOL(gr_learn_resource);
56324 -+EXPORT_SYMBOL(gr_set_kernel_label);
56325 -+#ifdef CONFIG_SECURITY
56326 -+EXPORT_SYMBOL(gr_check_user_change);
56327 -+EXPORT_SYMBOL(gr_check_group_change);
56328 -+#endif
56329 -+
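Review bot: In gr_is_taskstats_denied, the GR_READY branch dereferences task->acl->mode with no NULL check, while gr_acl_handle_psacct earlier in this same file tests !task->acl before reading task->acl->mode under the same GR_READY condition. Either add the same guard here, or document why a task returned by find_task_by_vpid always carries a label once GR_READY is set. Separately, gr_acl_handle_mmap and gr_acl_handle_mprotect differ only in the message constant (GR_MMAP_ACL_MSG vs GR_MPROTECT_ACL_MSG) and could share one helper that takes the message as a parameter. The comment /* ignore Eric Biederman */ above the IS_PRIVATE check in gr_acl_handle_filldir should also state what is being skipped and why.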
56330 -diff -urNp linux-2.6.32.46/grsecurity/gracl_alloc.c linux-2.6.32.46/grsecurity/gracl_alloc.c
56331 ---- linux-2.6.32.46/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
56332 -+++ linux-2.6.32.46/grsecurity/gracl_alloc.c 2011-04-17 15:56:46.000000000 -0400
56333 -@@ -0,0 +1,105 @@
56334 -+#include <linux/kernel.h>
56335 -+#include <linux/mm.h>
56336 -+#include <linux/slab.h>
56337 -+#include <linux/vmalloc.h>
56338 -+#include <linux/gracl.h>
56339 -+#include <linux/grsecurity.h>
56340 -+
56341 -+static unsigned long alloc_stack_next = 1;
56342 -+static unsigned long alloc_stack_size = 1;
56343 -+static void **alloc_stack;
56344 -+
56345 -+static __inline__ int
56346 -+alloc_pop(void)
56347 -+{
56348 -+ if (alloc_stack_next == 1)
56349 -+ return 0;
56350 -+
56351 -+ kfree(alloc_stack[alloc_stack_next - 2]);
56352 -+
56353 -+ alloc_stack_next--;
56354 -+
56355 -+ return 1;
56356 -+}
56357 -+
56358 -+static __inline__ int
56359 -+alloc_push(void *buf)
56360 -+{
56361 -+ if (alloc_stack_next >= alloc_stack_size)
56362 -+ return 1;
56363 -+
56364 -+ alloc_stack[alloc_stack_next - 1] = buf;
56365 -+
56366 -+ alloc_stack_next++;
56367 -+
56368 -+ return 0;
56369 -+}
56370 -+
56371 -+void *
56372 -+acl_alloc(unsigned long len)
56373 -+{
56374 -+ void *ret = NULL;
56375 -+
56376 -+ if (!len || len > PAGE_SIZE)
56377 -+ goto out;
56378 -+
56379 -+ ret = kmalloc(len, GFP_KERNEL);
56380 -+
56381 -+ if (ret) {
56382 -+ if (alloc_push(ret)) {
56383 -+ kfree(ret);
56384 -+ ret = NULL;
56385 -+ }
56386 -+ }
56387 -+
56388 -+out:
56389 -+ return ret;
56390 -+}
56391 -+
56392 -+void *
56393 -+acl_alloc_num(unsigned long num, unsigned long len)
56394 -+{
56395 -+ if (!len || (num > (PAGE_SIZE / len)))
56396 -+ return NULL;
56397 -+
56398 -+ return acl_alloc(num * len);
56399 -+}
56400 -+
56401 -+void
56402 -+acl_free_all(void)
56403 -+{
56404 -+ if (gr_acl_is_enabled() || !alloc_stack)
56405 -+ return;
56406 -+
56407 -+ while (alloc_pop()) ;
56408 -+
56409 -+ if (alloc_stack) {
56410 -+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
56411 -+ kfree(alloc_stack);
56412 -+ else
56413 -+ vfree(alloc_stack);
56414 -+ }
56415 -+
56416 -+ alloc_stack = NULL;
56417 -+ alloc_stack_size = 1;
56418 -+ alloc_stack_next = 1;
56419 -+
56420 -+ return;
56421 -+}
56422 -+
56423 -+int
56424 -+acl_alloc_stack_init(unsigned long size)
56425 -+{
56426 -+ if ((size * sizeof (void *)) <= PAGE_SIZE)
56427 -+ alloc_stack =
56428 -+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
56429 -+ else
56430 -+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
56431 -+
56432 -+ alloc_stack_size = size;
56433 -+
56434 -+ if (!alloc_stack)
56435 -+ return 0;
56436 -+ else
56437 -+ return 1;
56438 -+}
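Review bot: acl_alloc_stack_init assigns alloc_stack_size = size before checking whether kmalloc or vmalloc succeeded, so on failure the file is left with alloc_stack == NULL and a non-default size. alloc_push only compares alloc_stack_next against alloc_stack_size, so it would write through the NULL alloc_stack if a caller ignored the 0 return. Set alloc_stack_size only after the allocation succeeds, or have alloc_push reject a NULL alloc_stack as well. The size * sizeof (void *) products in acl_alloc_stack_init and acl_free_all are also computed without an overflow check, unlike acl_alloc_num, which bounds num by PAGE_SIZE / len before multiplying; a comparable bound on size would keep the two consistent.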
56439 -diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gracl_cap.c
56440 ---- linux-2.6.32.46/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
56441 -+++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-09-14 08:53:50.000000000 -0400
56442 -@@ -0,0 +1,101 @@
56443 -+#include <linux/kernel.h>
56444 -+#include <linux/module.h>
56445 -+#include <linux/sched.h>
56446 -+#include <linux/gracl.h>
56447 -+#include <linux/grsecurity.h>
56448 -+#include <linux/grinternal.h>
56449 -+
56450 -+extern const char *captab_log[];
56451 -+extern int captab_log_entries;
56452 -+
56453 -+int
56454 -+gr_acl_is_capable(const int cap)
56455 -+{
56456 -+ struct task_struct *task = current;
56457 -+ const struct cred *cred = current_cred();
56458 -+ struct acl_subject_label *curracl;
56459 -+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56460 -+ kernel_cap_t cap_audit = __cap_empty_set;
56461 -+
56462 -+ if (!gr_acl_is_enabled())
56463 -+ return 1;
56464 -+
56465 -+ curracl = task->acl;
56466 -+
56467 -+ cap_drop = curracl->cap_lower;
56468 -+ cap_mask = curracl->cap_mask;
56469 -+ cap_audit = curracl->cap_invert_audit;
56470 -+
56471 -+ while ((curracl = curracl->parent_subject)) {
56472 -+ /* if the cap isn't specified in the current computed mask but is specified in the
56473 -+ current level subject, and is lowered in the current level subject, then add
56474 -+ it to the set of dropped capabilities
56475 -+ otherwise, add the current level subject's mask to the current computed mask
56476 -+ */
56477 -+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56478 -+ cap_raise(cap_mask, cap);
56479 -+ if (cap_raised(curracl->cap_lower, cap))
56480 -+ cap_raise(cap_drop, cap);
56481 -+ if (cap_raised(curracl->cap_invert_audit, cap))
56482 -+ cap_raise(cap_audit, cap);
56483 -+ }
56484 -+ }
56485 -+
56486 -+ if (!cap_raised(cap_drop, cap)) {
56487 -+ if (cap_raised(cap_audit, cap))
56488 -+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
56489 -+ return 1;
56490 -+ }
56491 -+
56492 -+ curracl = task->acl;
56493 -+
56494 -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
56495 -+ && cap_raised(cred->cap_effective, cap)) {
56496 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
56497 -+ task->role->roletype, cred->uid,
56498 -+ cred->gid, task->exec_file ?
56499 -+ gr_to_filename(task->exec_file->f_path.dentry,
56500 -+ task->exec_file->f_path.mnt) : curracl->filename,
56501 -+ curracl->filename, 0UL,
56502 -+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
56503 -+ return 1;
56504 -+ }
56505 -+
56506 -+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
56507 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
56508 -+ return 0;
56509 -+}
56510 -+
56511 -+int
56512 -+gr_acl_is_capable_nolog(const int cap)
56513 -+{
56514 -+ struct acl_subject_label *curracl;
56515 -+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56516 -+
56517 -+ if (!gr_acl_is_enabled())
56518 -+ return 1;
56519 -+
56520 -+ curracl = current->acl;
56521 -+
56522 -+ cap_drop = curracl->cap_lower;
56523 -+ cap_mask = curracl->cap_mask;
56524 -+
56525 -+ while ((curracl = curracl->parent_subject)) {
56526 -+ /* if the cap isn't specified in the current computed mask but is specified in the
56527 -+ current level subject, and is lowered in the current level subject, then add
56528 -+ it to the set of dropped capabilities
56529 -+ otherwise, add the current level subject's mask to the current computed mask
56530 -+ */
56531 -+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56532 -+ cap_raise(cap_mask, cap);
56533 -+ if (cap_raised(curracl->cap_lower, cap))
56534 -+ cap_raise(cap_drop, cap);
56535 -+ }
56536 -+ }
56537 -+
56538 -+ if (!cap_raised(cap_drop, cap))
56539 -+ return 1;
56540 -+
56541 -+ return 0;
56542 -+}
56543 -+
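Review bot: In gr_acl_is_capable, the allow path calls gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]) without the (cap >= 0) && (cap < captab_log_entries) test that guards the same table lookup on the deny path at the end of the function. Apply the bounds test to both lookups. The comment inside the parent_subject loop ends with "otherwise, add the current level subject's mask to the current computed mask", but the code has no else branch and raises cap in cap_mask inside the if; reword the comment to match what the loop does. Since gr_acl_is_capable_nolog repeats the same loop, a shared helper that computes cap_drop would remove the duplication.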
56544 -diff -urNp linux-2.6.32.46/grsecurity/gracl_fs.c linux-2.6.32.46/grsecurity/gracl_fs.c
56545 ---- linux-2.6.32.46/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
56546 -+++ linux-2.6.32.46/grsecurity/gracl_fs.c 2011-10-17 02:16:34.000000000 -0400
56547 -@@ -0,0 +1,431 @@
56548 -+#include <linux/kernel.h>
56549 -+#include <linux/sched.h>
56550 -+#include <linux/types.h>
56551 -+#include <linux/fs.h>
56552 -+#include <linux/file.h>
56553 -+#include <linux/stat.h>
56554 -+#include <linux/grsecurity.h>
56555 -+#include <linux/grinternal.h>
56556 -+#include <linux/gracl.h>
56557 -+
56558 -+__u32
56559 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
56560 -+ const struct vfsmount * mnt)
56561 -+{
56562 -+ __u32 mode;
56563 -+
56564 -+ if (unlikely(!dentry->d_inode))
56565 -+ return GR_FIND;
56566 -+
56567 -+ mode =
56568 -+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56569 -+
56570 -+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56571 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56572 -+ return mode;
56573 -+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56574 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56575 -+ return 0;
56576 -+ } else if (unlikely(!(mode & GR_FIND)))
56577 -+ return 0;
56578 -+
56579 -+ return GR_FIND;
56580 -+}
56581 -+
56582 -+__u32
56583 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56584 -+ const int fmode)
56585 -+{
56586 -+ __u32 reqmode = GR_FIND;
56587 -+ __u32 mode;
56588 -+
56589 -+ if (unlikely(!dentry->d_inode))
56590 -+ return reqmode;
56591 -+
56592 -+ if (unlikely(fmode & O_APPEND))
56593 -+ reqmode |= GR_APPEND;
56594 -+ else if (unlikely(fmode & FMODE_WRITE))
56595 -+ reqmode |= GR_WRITE;
56596 -+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56597 -+ reqmode |= GR_READ;
56598 -+ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
56599 -+ reqmode &= ~GR_READ;
56600 -+ mode =
56601 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56602 -+ mnt);
56603 -+
56604 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56605 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56606 -+ reqmode & GR_READ ? " reading" : "",
56607 -+ reqmode & GR_WRITE ? " writing" : reqmode &
56608 -+ GR_APPEND ? " appending" : "");
56609 -+ return reqmode;
56610 -+ } else
56611 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56612 -+ {
56613 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56614 -+ reqmode & GR_READ ? " reading" : "",
56615 -+ reqmode & GR_WRITE ? " writing" : reqmode &
56616 -+ GR_APPEND ? " appending" : "");
56617 -+ return 0;
56618 -+ } else if (unlikely((mode & reqmode) != reqmode))
56619 -+ return 0;
56620 -+
56621 -+ return reqmode;
56622 -+}
56623 -+
56624 -+__u32
56625 -+gr_acl_handle_creat(const struct dentry * dentry,
56626 -+ const struct dentry * p_dentry,
56627 -+ const struct vfsmount * p_mnt, const int fmode,
56628 -+ const int imode)
56629 -+{
56630 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
56631 -+ __u32 mode;
56632 -+
56633 -+ if (unlikely(fmode & O_APPEND))
56634 -+ reqmode |= GR_APPEND;
56635 -+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56636 -+ reqmode |= GR_READ;
56637 -+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
56638 -+ reqmode |= GR_SETID;
56639 -+
56640 -+ mode =
56641 -+ gr_check_create(dentry, p_dentry, p_mnt,
56642 -+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56643 -+
56644 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56645 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56646 -+ reqmode & GR_READ ? " reading" : "",
56647 -+ reqmode & GR_WRITE ? " writing" : reqmode &
56648 -+ GR_APPEND ? " appending" : "");
56649 -+ return reqmode;
56650 -+ } else
56651 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56652 -+ {
56653 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56654 -+ reqmode & GR_READ ? " reading" : "",
56655 -+ reqmode & GR_WRITE ? " writing" : reqmode &
56656 -+ GR_APPEND ? " appending" : "");
56657 -+ return 0;
56658 -+ } else if (unlikely((mode & reqmode) != reqmode))
56659 -+ return 0;
56660 -+
56661 -+ return reqmode;
56662 -+}
56663 -+
56664 -+__u32
56665 -+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56666 -+ const int fmode)
56667 -+{
56668 -+ __u32 mode, reqmode = GR_FIND;
56669 -+
56670 -+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56671 -+ reqmode |= GR_EXEC;
56672 -+ if (fmode & S_IWOTH)
56673 -+ reqmode |= GR_WRITE;
56674 -+ if (fmode & S_IROTH)
56675 -+ reqmode |= GR_READ;
56676 -+
56677 -+ mode =
56678 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56679 -+ mnt);
56680 -+
56681 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56682 -+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56683 -+ reqmode & GR_READ ? " reading" : "",
56684 -+ reqmode & GR_WRITE ? " writing" : "",
56685 -+ reqmode & GR_EXEC ? " executing" : "");
56686 -+ return reqmode;
56687 -+ } else
56688 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56689 -+ {
56690 -+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56691 -+ reqmode & GR_READ ? " reading" : "",
56692 -+ reqmode & GR_WRITE ? " writing" : "",
56693 -+ reqmode & GR_EXEC ? " executing" : "");
56694 -+ return 0;
56695 -+ } else if (unlikely((mode & reqmode) != reqmode))
56696 -+ return 0;
56697 -+
56698 -+ return reqmode;
56699 -+}
56700 -+
56701 -+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56702 -+{
56703 -+ __u32 mode;
56704 -+
56705 -+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56706 -+
56707 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56708 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56709 -+ return mode;
56710 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56711 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56712 -+ return 0;
56713 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
56714 -+ return 0;
56715 -+
56716 -+ return (reqmode);
56717 -+}
56718 -+
56719 -+__u32
56720 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56721 -+{
56722 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56723 -+}
56724 -+
56725 -+__u32
56726 -+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56727 -+{
56728 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56729 -+}
56730 -+
56731 -+__u32
56732 -+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56733 -+{
56734 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56735 -+}
56736 -+
56737 -+__u32
56738 -+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56739 -+{
56740 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56741 -+}
56742 -+
56743 -+__u32
56744 -+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56745 -+ mode_t mode)
56746 -+{
56747 -+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56748 -+ return 1;
56749 -+
56750 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56751 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56752 -+ GR_FCHMOD_ACL_MSG);
56753 -+ } else {
56754 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56755 -+ }
56756 -+}
56757 -+
56758 -+__u32
56759 -+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56760 -+ mode_t mode)
56761 -+{
56762 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56763 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56764 -+ GR_CHMOD_ACL_MSG);
56765 -+ } else {
56766 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56767 -+ }
56768 -+}
56769 -+
56770 -+__u32
56771 -+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56772 -+{
56773 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56774 -+}
56775 -+
56776 -+__u32
56777 -+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56778 -+{
56779 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56780 -+}
56781 -+
56782 -+__u32
56783 -+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56784 -+{
56785 -+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56786 -+}
56787 -+
56788 -+__u32
56789 -+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56790 -+{
56791 -+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56792 -+ GR_UNIXCONNECT_ACL_MSG);
56793 -+}
56794 -+
56795 -+/* hardlinks require at minimum create and link permission,
56796 -+ any additional privilege required is based on the
56797 -+ privilege of the file being linked to
56798 -+*/
56799 -+__u32
56800 -+gr_acl_handle_link(const struct dentry * new_dentry,
56801 -+ const struct dentry * parent_dentry,
56802 -+ const struct vfsmount * parent_mnt,
56803 -+ const struct dentry * old_dentry,
56804 -+ const struct vfsmount * old_mnt, const char *to)
56805 -+{
56806 -+ __u32 mode;
56807 -+ __u32 needmode = GR_CREATE | GR_LINK;
56808 -+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56809 -+
56810 -+ mode =
56811 -+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56812 -+ old_mnt);
56813 -+
56814 -+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56815 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56816 -+ return mode;
56817 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56818 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56819 -+ return 0;
56820 -+ } else if (unlikely((mode & needmode) != needmode))
56821 -+ return 0;
56822 -+
56823 -+ return 1;
56824 -+}
56825 -+
56826 -+__u32
56827 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
56828 -+ const struct dentry * parent_dentry,
56829 -+ const struct vfsmount * parent_mnt, const char *from)
56830 -+{
56831 -+ __u32 needmode = GR_WRITE | GR_CREATE;
56832 -+ __u32 mode;
56833 -+
56834 -+ mode =
56835 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
56836 -+ GR_CREATE | GR_AUDIT_CREATE |
56837 -+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56838 -+
56839 -+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56840 -+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56841 -+ return mode;
56842 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56843 -+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56844 -+ return 0;
56845 -+ } else if (unlikely((mode & needmode) != needmode))
56846 -+ return 0;
56847 -+
56848 -+ return (GR_WRITE | GR_CREATE);
56849 -+}
56850 -+
56851 -+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56852 -+{
56853 -+ __u32 mode;
56854 -+
56855 -+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56856 -+
56857 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56858 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56859 -+ return mode;
56860 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56861 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56862 -+ return 0;
56863 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
56864 -+ return 0;
56865 -+
56866 -+ return (reqmode);
56867 -+}
56868 -+
56869 -+__u32
56870 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
56871 -+ const struct dentry * parent_dentry,
56872 -+ const struct vfsmount * parent_mnt,
56873 -+ const int mode)
56874 -+{
56875 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
56876 -+ if (unlikely(mode & (S_ISUID | S_ISGID)))
56877 -+ reqmode |= GR_SETID;
56878 -+
56879 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56880 -+ reqmode, GR_MKNOD_ACL_MSG);
56881 -+}
56882 -+
56883 -+__u32
56884 -+gr_acl_handle_mkdir(const struct dentry *new_dentry,
56885 -+ const struct dentry *parent_dentry,
56886 -+ const struct vfsmount *parent_mnt)
56887 -+{
56888 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56889 -+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56890 -+}
56891 -+
56892 -+#define RENAME_CHECK_SUCCESS(old, new) \
56893 -+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56894 -+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56895 -+
56896 -+int
56897 -+gr_acl_handle_rename(struct dentry *new_dentry,
56898 -+ struct dentry *parent_dentry,
56899 -+ const struct vfsmount *parent_mnt,
56900 -+ struct dentry *old_dentry,
56901 -+ struct inode *old_parent_inode,
56902 -+ struct vfsmount *old_mnt, const char *newname)
56903 -+{
56904 -+ __u32 comp1, comp2;
56905 -+ int error = 0;
56906 -+
56907 -+ if (unlikely(!gr_acl_is_enabled()))
56908 -+ return 0;
56909 -+
56910 -+ if (!new_dentry->d_inode) {
56911 -+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56912 -+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56913 -+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56914 -+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56915 -+ GR_DELETE | GR_AUDIT_DELETE |
56916 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
56917 -+ GR_SUPPRESS, old_mnt);
56918 -+ } else {
56919 -+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56920 -+ GR_CREATE | GR_DELETE |
56921 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56922 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
56923 -+ GR_SUPPRESS, parent_mnt);
56924 -+ comp2 =
56925 -+ gr_search_file(old_dentry,
56926 -+ GR_READ | GR_WRITE | GR_AUDIT_READ |
56927 -+ GR_DELETE | GR_AUDIT_DELETE |
56928 -+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56929 -+ }
56930 -+
56931 -+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56932 -+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56933 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56934 -+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56935 -+ && !(comp2 & GR_SUPPRESS)) {
56936 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56937 -+ error = -EACCES;
56938 -+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56939 -+ error = -EACCES;
56940 -+
56941 -+ return error;
56942 -+}
56943 -+
56944 -+void
56945 -+gr_acl_handle_exit(void)
56946 -+{
56947 -+ u16 id;
56948 -+ char *rolename;
56949 -+ struct file *exec_file;
56950 -+
56951 -+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56952 -+ !(current->role->roletype & GR_ROLE_PERSIST))) {
56953 -+ id = current->acl_role_id;
56954 -+ rolename = current->role->rolename;
56955 -+ gr_set_acls(1);
56956 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56957 -+ }
56958 -+
56959 -+ write_lock(&grsec_exec_file_lock);
56960 -+ exec_file = current->exec_file;
56961 -+ current->exec_file = NULL;
56962 -+ write_unlock(&grsec_exec_file_lock);
56963 -+
56964 -+ if (exec_file)
56965 -+ fput(exec_file);
56966 -+}
56967 -+
56968 -+int
56969 -+gr_acl_handle_procpidmem(const struct task_struct *task)
56970 -+{
56971 -+ if (unlikely(!gr_acl_is_enabled()))
56972 -+ return 0;
56973 -+
56974 -+ if (task != current && task->acl->mode & GR_PROTPROCFD)
56975 -+ return -EACCES;
56976 -+
56977 -+ return 0;
56978 -+}
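Review bot: The first branch of gr_acl_handle_symlink tests only mode & GR_WRITE && mode & GR_AUDITS, although needmode is GR_WRITE | GR_CREATE and the other handlers in this file (gr_acl_handle_open, gr_acl_handle_creat, generic_fs_create_handler) require (mode & reqmode) == reqmode before taking the audited-success path. If gr_check_create can return GR_WRITE plus an audit bit without GR_CREATE, this branch logs with GR_DO_AUDIT and returns a nonzero mode; compare against needmode here as well. Two smaller points: gr_acl_handle_access reads dentry->d_inode->i_mode without the !dentry->d_inode check that gr_acl_handle_hidden_file and gr_acl_handle_open perform, and the RENAME_CHECK_SUCCESS macro should parenthesize its old and new arguments.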
56979 -diff -urNp linux-2.6.32.46/grsecurity/gracl_ip.c linux-2.6.32.46/grsecurity/gracl_ip.c
56980 ---- linux-2.6.32.46/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56981 -+++ linux-2.6.32.46/grsecurity/gracl_ip.c 2011-04-17 15:56:46.000000000 -0400
56982 -@@ -0,0 +1,382 @@
56983 -+#include <linux/kernel.h>
56984 -+#include <asm/uaccess.h>
56985 -+#include <asm/errno.h>
56986 -+#include <net/sock.h>
56987 -+#include <linux/file.h>
56988 -+#include <linux/fs.h>
56989 -+#include <linux/net.h>
56990 -+#include <linux/in.h>
56991 -+#include <linux/skbuff.h>
56992 -+#include <linux/ip.h>
56993 -+#include <linux/udp.h>
56994 -+#include <linux/smp_lock.h>
56995 -+#include <linux/types.h>
56996 -+#include <linux/sched.h>
56997 -+#include <linux/netdevice.h>
56998 -+#include <linux/inetdevice.h>
56999 -+#include <linux/gracl.h>
57000 -+#include <linux/grsecurity.h>
57001 -+#include <linux/grinternal.h>
57002 -+
57003 -+#define GR_BIND 0x01
57004 -+#define GR_CONNECT 0x02
57005 -+#define GR_INVERT 0x04
57006 -+#define GR_BINDOVERRIDE 0x08
57007 -+#define GR_CONNECTOVERRIDE 0x10
57008 -+#define GR_SOCK_FAMILY 0x20
57009 -+
57010 -+static const char * gr_protocols[IPPROTO_MAX] = {
57011 -+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
57012 -+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
57013 -+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
57014 -+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
57015 -+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
57016 -+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
57017 -+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
57018 -+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
57019 -+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
57020 -+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
57021 -+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
57022 -+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
57023 -+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
57024 -+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
57025 -+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
57026 -+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
57027 -+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
57028 -+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
57029 -+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
57030 -+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
57031 -+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
57032 -+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
57033 -+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
57034 -+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
57035 -+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
57036 -+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
57037 -+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
57038 -+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
57039 -+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
57040 -+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
57041 -+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
57042 -+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
57043 -+ };
57044 -+
57045 -+static const char * gr_socktypes[SOCK_MAX] = {
57046 -+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
57047 -+ "unknown:7", "unknown:8", "unknown:9", "packet"
57048 -+ };
57049 -+
57050 -+static const char * gr_sockfamilies[AF_MAX+1] = {
57051 -+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
57052 -+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
57053 -+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
57054 -+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
57055 -+ };
57056 -+
57057 -+const char *
57058 -+gr_proto_to_name(unsigned char proto)
57059 -+{
57060 -+ return gr_protocols[proto];
57061 -+}
57062 -+
57063 -+const char *
57064 -+gr_socktype_to_name(unsigned char type)
57065 -+{
57066 -+ return gr_socktypes[type];
57067 -+}
57068 -+
57069 -+const char *
57070 -+gr_sockfamily_to_name(unsigned char family)
57071 -+{
57072 -+ return gr_sockfamilies[family];
57073 -+}
57074 -+
57075 -+int
57076 -+gr_search_socket(const int domain, const int type, const int protocol)
57077 -+{
57078 -+ struct acl_subject_label *curr;
57079 -+ const struct cred *cred = current_cred();
57080 -+
57081 -+ if (unlikely(!gr_acl_is_enabled()))
57082 -+ goto exit;
57083 -+
57084 -+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
57085 -+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
57086 -+ goto exit; // let the kernel handle it
57087 -+
57088 -+ curr = current->acl;
57089 -+
57090 -+ if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
57091 -+ /* the family is allowed, if this is PF_INET allow it only if
57092 -+ the extra sock type/protocol checks pass */
57093 -+ if (domain == PF_INET)
57094 -+ goto inet_check;
57095 -+ goto exit;
57096 -+ } else {
57097 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57098 -+ __u32 fakeip = 0;
57099 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57100 -+ current->role->roletype, cred->uid,
57101 -+ cred->gid, current->exec_file ?
57102 -+ gr_to_filename(current->exec_file->f_path.dentry,
57103 -+ current->exec_file->f_path.mnt) :
57104 -+ curr->filename, curr->filename,
57105 -+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
57106 -+ &current->signal->saved_ip);
57107 -+ goto exit;
57108 -+ }
57109 -+ goto exit_fail;
57110 -+ }
57111 -+
57112 -+inet_check:
57113 -+ /* the rest of this checking is for IPv4 only */
57114 -+ if (!curr->ips)
57115 -+ goto exit;
57116 -+
57117 -+ if ((curr->ip_type & (1 << type)) &&
57118 -+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
57119 -+ goto exit;
57120 -+
57121 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57122 -+ /* we don't place acls on raw sockets , and sometimes
57123 -+ dgram/ip sockets are opened for ioctl and not
57124 -+ bind/connect, so we'll fake a bind learn log */
57125 -+ if (type == SOCK_RAW || type == SOCK_PACKET) {
57126 -+ __u32 fakeip = 0;
57127 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57128 -+ current->role->roletype, cred->uid,
57129 -+ cred->gid, current->exec_file ?
57130 -+ gr_to_filename(current->exec_file->f_path.dentry,
57131 -+ current->exec_file->f_path.mnt) :
57132 -+ curr->filename, curr->filename,
57133 -+ &fakeip, 0, type,
57134 -+ protocol, GR_CONNECT, &current->signal->saved_ip);
57135 -+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
57136 -+ __u32 fakeip = 0;
57137 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57138 -+ current->role->roletype, cred->uid,
57139 -+ cred->gid, current->exec_file ?
57140 -+ gr_to_filename(current->exec_file->f_path.dentry,
57141 -+ current->exec_file->f_path.mnt) :
57142 -+ curr->filename, curr->filename,
57143 -+ &fakeip, 0, type,
57144 -+ protocol, GR_BIND, &current->signal->saved_ip);
57145 -+ }
57146 -+ /* we'll log when they use connect or bind */
57147 -+ goto exit;
57148 -+ }
57149 -+
57150 -+exit_fail:
57151 -+ if (domain == PF_INET)
57152 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
57153 -+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
57154 -+ else
57155 -+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
57156 -+ gr_socktype_to_name(type), protocol);
57157 -+
57158 -+ return 0;
57159 -+exit:
57160 -+ return 1;
57161 -+}
57162 -+
57163 -+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
57164 -+{
57165 -+ if ((ip->mode & mode) &&
57166 -+ (ip_port >= ip->low) &&
57167 -+ (ip_port <= ip->high) &&
57168 -+ ((ntohl(ip_addr) & our_netmask) ==
57169 -+ (ntohl(our_addr) & our_netmask))
57170 -+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
57171 -+ && (ip->type & (1 << type))) {
57172 -+ if (ip->mode & GR_INVERT)
57173 -+ return 2; // specifically denied
57174 -+ else
57175 -+ return 1; // allowed
57176 -+ }
57177 -+
57178 -+ return 0; // not specifically allowed, may continue parsing
57179 -+}
57180 -+
57181 -+static int
57182 -+gr_search_connectbind(const int full_mode, struct sock *sk,
57183 -+ struct sockaddr_in *addr, const int type)
57184 -+{
57185 -+ char iface[IFNAMSIZ] = {0};
57186 -+ struct acl_subject_label *curr;
57187 -+ struct acl_ip_label *ip;
57188 -+ struct inet_sock *isk;
57189 -+ struct net_device *dev;
57190 -+ struct in_device *idev;
57191 -+ unsigned long i;
57192 -+ int ret;
57193 -+ int mode = full_mode & (GR_BIND | GR_CONNECT);
57194 -+ __u32 ip_addr = 0;
57195 -+ __u32 our_addr;
57196 -+ __u32 our_netmask;
57197 -+ char *p;
57198 -+ __u16 ip_port = 0;
57199 -+ const struct cred *cred = current_cred();
57200 -+
57201 -+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
57202 -+ return 0;
57203 -+
57204 -+ curr = current->acl;
57205 -+ isk = inet_sk(sk);
57206 -+
57207 -+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
57208 -+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
57209 -+ addr->sin_addr.s_addr = curr->inaddr_any_override;
57210 -+ if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
57211 -+ struct sockaddr_in saddr;
57212 -+ int err;
57213 -+
57214 -+ saddr.sin_family = AF_INET;
57215 -+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
57216 -+ saddr.sin_port = isk->sport;
57217 -+
57218 -+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57219 -+ if (err)
57220 -+ return err;
57221 -+
57222 -+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57223 -+ if (err)
57224 -+ return err;
57225 -+ }
57226 -+
57227 -+ if (!curr->ips)
57228 -+ return 0;
57229 -+
57230 -+ ip_addr = addr->sin_addr.s_addr;
57231 -+ ip_port = ntohs(addr->sin_port);
57232 -+
57233 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57234 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57235 -+ current->role->roletype, cred->uid,
57236 -+ cred->gid, current->exec_file ?
57237 -+ gr_to_filename(current->exec_file->f_path.dentry,
57238 -+ current->exec_file->f_path.mnt) :
57239 -+ curr->filename, curr->filename,
57240 -+ &ip_addr, ip_port, type,
57241 -+ sk->sk_protocol, mode, &current->signal->saved_ip);
57242 -+ return 0;
57243 -+ }
57244 -+
57245 -+ for (i = 0; i < curr->ip_num; i++) {
57246 -+ ip = *(curr->ips + i);
57247 -+ if (ip->iface != NULL) {
57248 -+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
57249 -+ p = strchr(iface, ':');
57250 -+ if (p != NULL)
57251 -+ *p = '\0';
57252 -+ dev = dev_get_by_name(sock_net(sk), iface);
57253 -+ if (dev == NULL)
57254 -+ continue;
57255 -+ idev = in_dev_get(dev);
57256 -+ if (idev == NULL) {
57257 -+ dev_put(dev);
57258 -+ continue;
57259 -+ }
57260 -+ rcu_read_lock();
57261 -+ for_ifa(idev) {
57262 -+ if (!strcmp(ip->iface, ifa->ifa_label)) {
57263 -+ our_addr = ifa->ifa_address;
57264 -+ our_netmask = 0xffffffff;
57265 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57266 -+ if (ret == 1) {
57267 -+ rcu_read_unlock();
57268 -+ in_dev_put(idev);
57269 -+ dev_put(dev);
57270 -+ return 0;
57271 -+ } else if (ret == 2) {
57272 -+ rcu_read_unlock();
57273 -+ in_dev_put(idev);
57274 -+ dev_put(dev);
57275 -+ goto denied;
57276 -+ }
57277 -+ }
57278 -+ } endfor_ifa(idev);
57279 -+ rcu_read_unlock();
57280 -+ in_dev_put(idev);
57281 -+ dev_put(dev);
57282 -+ } else {
57283 -+ our_addr = ip->addr;
57284 -+ our_netmask = ip->netmask;
57285 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57286 -+ if (ret == 1)
57287 -+ return 0;
57288 -+ else if (ret == 2)
57289 -+ goto denied;
57290 -+ }
57291 -+ }
57292 -+
57293 -+denied:
57294 -+ if (mode == GR_BIND)
57295 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57296 -+ else if (mode == GR_CONNECT)
57297 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57298 -+
57299 -+ return -EACCES;
57300 -+}
57301 -+
57302 -+int
57303 -+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
57304 -+{
57305 -+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
57306 -+}
57307 -+
57308 -+int
57309 -+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
57310 -+{
57311 -+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
57312 -+}
57313 -+
57314 -+int gr_search_listen(struct socket *sock)
57315 -+{
57316 -+ struct sock *sk = sock->sk;
57317 -+ struct sockaddr_in addr;
57318 -+
57319 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57320 -+ addr.sin_port = inet_sk(sk)->sport;
57321 -+
57322 -+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57323 -+}
57324 -+
57325 -+int gr_search_accept(struct socket *sock)
57326 -+{
57327 -+ struct sock *sk = sock->sk;
57328 -+ struct sockaddr_in addr;
57329 -+
57330 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57331 -+ addr.sin_port = inet_sk(sk)->sport;
57332 -+
57333 -+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57334 -+}
57335 -+
57336 -+int
57337 -+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
57338 -+{
57339 -+ if (addr)
57340 -+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
57341 -+ else {
57342 -+ struct sockaddr_in sin;
57343 -+ const struct inet_sock *inet = inet_sk(sk);
57344 -+
57345 -+ sin.sin_addr.s_addr = inet->daddr;
57346 -+ sin.sin_port = inet->dport;
57347 -+
57348 -+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57349 -+ }
57350 -+}
57351 -+
57352 -+int
57353 -+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
57354 -+{
57355 -+ struct sockaddr_in sin;
57356 -+
57357 -+ if (unlikely(skb->len < sizeof (struct udphdr)))
57358 -+ return 0; // skip this packet
57359 -+
57360 -+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
57361 -+ sin.sin_port = udp_hdr(skb)->source;
57362 -+
57363 -+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57364 -+}
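Review bot: In gr_search_connectbind() the connect-side INADDR_ANY override is gated on `full_mode & GR_CONNECT`, not on `GR_CONNECTOVERRIDE`, so the flag that the callers pass is never tested in the visible code. As written, gr_search_udp_sendmsg() with a caller-supplied addr passes plain `GR_CONNECT` and still takes the rebind path, while gr_search_listen() and gr_search_accept() pass `GR_BIND | GR_CONNECTOVERRIDE` and never do. If the override is meant to be opt-in, test `full_mode & GR_CONNECTOVERRIDE` there, mirroring the `GR_BINDOVERRIDE` test just above it. Separately, the denied: path calls gr_socktype_to_name(type) with sock->type never compared against SOCK_MAX in this function, whereas gr_search_socket() range-checks before its lookups; a bounds check inside the three *_to_name() helpers would cover both callers. The shifts `1 << (domain % 32)` and `1 << (protocol % 32)` should use `1U` so that bit 31 is not a signed overflow, and the table entry "unkown:134" is misspelled.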
57365 -diff -urNp linux-2.6.32.46/grsecurity/gracl_learn.c linux-2.6.32.46/grsecurity/gracl_learn.c
57366 ---- linux-2.6.32.46/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
57367 -+++ linux-2.6.32.46/grsecurity/gracl_learn.c 2011-07-14 21:02:03.000000000 -0400
57368 -@@ -0,0 +1,208 @@
57369 -+#include <linux/kernel.h>
57370 -+#include <linux/mm.h>
57371 -+#include <linux/sched.h>
57372 -+#include <linux/poll.h>
57373 -+#include <linux/smp_lock.h>
57374 -+#include <linux/string.h>
57375 -+#include <linux/file.h>
57376 -+#include <linux/types.h>
57377 -+#include <linux/vmalloc.h>
57378 -+#include <linux/grinternal.h>
57379 -+
57380 -+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
57381 -+ size_t count, loff_t *ppos);
57382 -+extern int gr_acl_is_enabled(void);
57383 -+
57384 -+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
57385 -+static int gr_learn_attached;
57386 -+
57387 -+/* use a 512k buffer */
57388 -+#define LEARN_BUFFER_SIZE (512 * 1024)
57389 -+
57390 -+static DEFINE_SPINLOCK(gr_learn_lock);
57391 -+static DEFINE_MUTEX(gr_learn_user_mutex);
57392 -+
57393 -+/* we need to maintain two buffers, so that the kernel context of grlearn
57394 -+ uses a semaphore around the userspace copying, and the other kernel contexts
57395 -+ use a spinlock when copying into the buffer, since they cannot sleep
57396 -+*/
57397 -+static char *learn_buffer;
57398 -+static char *learn_buffer_user;
57399 -+static int learn_buffer_len;
57400 -+static int learn_buffer_user_len;
57401 -+
57402 -+static ssize_t
57403 -+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
57404 -+{
57405 -+ DECLARE_WAITQUEUE(wait, current);
57406 -+ ssize_t retval = 0;
57407 -+
57408 -+ add_wait_queue(&learn_wait, &wait);
57409 -+ set_current_state(TASK_INTERRUPTIBLE);
57410 -+ do {
57411 -+ mutex_lock(&gr_learn_user_mutex);
57412 -+ spin_lock(&gr_learn_lock);
57413 -+ if (learn_buffer_len)
57414 -+ break;
57415 -+ spin_unlock(&gr_learn_lock);
57416 -+ mutex_unlock(&gr_learn_user_mutex);
57417 -+ if (file->f_flags & O_NONBLOCK) {
57418 -+ retval = -EAGAIN;
57419 -+ goto out;
57420 -+ }
57421 -+ if (signal_pending(current)) {
57422 -+ retval = -ERESTARTSYS;
57423 -+ goto out;
57424 -+ }
57425 -+
57426 -+ schedule();
57427 -+ } while (1);
57428 -+
57429 -+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
57430 -+ learn_buffer_user_len = learn_buffer_len;
57431 -+ retval = learn_buffer_len;
57432 -+ learn_buffer_len = 0;
57433 -+
57434 -+ spin_unlock(&gr_learn_lock);
57435 -+
57436 -+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
57437 -+ retval = -EFAULT;
57438 -+
57439 -+ mutex_unlock(&gr_learn_user_mutex);
57440 -+out:
57441 -+ set_current_state(TASK_RUNNING);
57442 -+ remove_wait_queue(&learn_wait, &wait);
57443 -+ return retval;
57444 -+}
57445 -+
57446 -+static unsigned int
57447 -+poll_learn(struct file * file, poll_table * wait)
57448 -+{
57449 -+ poll_wait(file, &learn_wait, wait);
57450 -+
57451 -+ if (learn_buffer_len)
57452 -+ return (POLLIN | POLLRDNORM);
57453 -+
57454 -+ return 0;
57455 -+}
57456 -+
57457 -+void
57458 -+gr_clear_learn_entries(void)
57459 -+{
57460 -+ char *tmp;
57461 -+
57462 -+ mutex_lock(&gr_learn_user_mutex);
57463 -+ spin_lock(&gr_learn_lock);
57464 -+ tmp = learn_buffer;
57465 -+ learn_buffer = NULL;
57466 -+ spin_unlock(&gr_learn_lock);
57467 -+ if (tmp)
57468 -+ vfree(tmp);
57469 -+ if (learn_buffer_user != NULL) {
57470 -+ vfree(learn_buffer_user);
57471 -+ learn_buffer_user = NULL;
57472 -+ }
57473 -+ learn_buffer_len = 0;
57474 -+ mutex_unlock(&gr_learn_user_mutex);
57475 -+
57476 -+ return;
57477 -+}
57478 -+
57479 -+void
57480 -+gr_add_learn_entry(const char *fmt, ...)
57481 -+{
57482 -+ va_list args;
57483 -+ unsigned int len;
57484 -+
57485 -+ if (!gr_learn_attached)
57486 -+ return;
57487 -+
57488 -+ spin_lock(&gr_learn_lock);
57489 -+
57490 -+ /* leave a gap at the end so we know when it's "full" but don't have to
57491 -+ compute the exact length of the string we're trying to append
57492 -+ */
57493 -+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
57494 -+ spin_unlock(&gr_learn_lock);
57495 -+ wake_up_interruptible(&learn_wait);
57496 -+ return;
57497 -+ }
57498 -+ if (learn_buffer == NULL) {
57499 -+ spin_unlock(&gr_learn_lock);
57500 -+ return;
57501 -+ }
57502 -+
57503 -+ va_start(args, fmt);
57504 -+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
57505 -+ va_end(args);
57506 -+
57507 -+ learn_buffer_len += len + 1;
57508 -+
57509 -+ spin_unlock(&gr_learn_lock);
57510 -+ wake_up_interruptible(&learn_wait);
57511 -+
57512 -+ return;
57513 -+}
57514 -+
57515 -+static int
57516 -+open_learn(struct inode *inode, struct file *file)
57517 -+{
57518 -+ if (file->f_mode & FMODE_READ && gr_learn_attached)
57519 -+ return -EBUSY;
57520 -+ if (file->f_mode & FMODE_READ) {
57521 -+ int retval = 0;
57522 -+ mutex_lock(&gr_learn_user_mutex);
57523 -+ if (learn_buffer == NULL)
57524 -+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
57525 -+ if (learn_buffer_user == NULL)
57526 -+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
57527 -+ if (learn_buffer == NULL) {
57528 -+ retval = -ENOMEM;
57529 -+ goto out_error;
57530 -+ }
57531 -+ if (learn_buffer_user == NULL) {
57532 -+ retval = -ENOMEM;
57533 -+ goto out_error;
57534 -+ }
57535 -+ learn_buffer_len = 0;
57536 -+ learn_buffer_user_len = 0;
57537 -+ gr_learn_attached = 1;
57538 -+out_error:
57539 -+ mutex_unlock(&gr_learn_user_mutex);
57540 -+ return retval;
57541 -+ }
57542 -+ return 0;
57543 -+}
57544 -+
57545 -+static int
57546 -+close_learn(struct inode *inode, struct file *file)
57547 -+{
57548 -+ if (file->f_mode & FMODE_READ) {
57549 -+ char *tmp = NULL;
57550 -+ mutex_lock(&gr_learn_user_mutex);
57551 -+ spin_lock(&gr_learn_lock);
57552 -+ tmp = learn_buffer;
57553 -+ learn_buffer = NULL;
57554 -+ spin_unlock(&gr_learn_lock);
57555 -+ if (tmp)
57556 -+ vfree(tmp);
57557 -+ if (learn_buffer_user != NULL) {
57558 -+ vfree(learn_buffer_user);
57559 -+ learn_buffer_user = NULL;
57560 -+ }
57561 -+ learn_buffer_len = 0;
57562 -+ learn_buffer_user_len = 0;
57563 -+ gr_learn_attached = 0;
57564 -+ mutex_unlock(&gr_learn_user_mutex);
57565 -+ }
57566 -+
57567 -+ return 0;
57568 -+}
57569 -+
57570 -+const struct file_operations grsec_fops = {
57571 -+ .read = read_learn,
57572 -+ .write = write_grsec_handler,
57573 -+ .open = open_learn,
57574 -+ .release = close_learn,
57575 -+ .poll = poll_learn,
57576 -+};
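Review bot: read_learn() never looks at `count`: it copies `learn_buffer_user_len` bytes (up to LEARN_BUFFER_SIZE) into `buf` and returns that length, so a read() with a smaller buffer is written past what the caller offered. Clamp the copy to `count` and keep the remainder for the next read, or fail when `count < learn_buffer_len`. In gr_add_learn_entry(), `len` is vsnprintf()'s would-be length, so `learn_buffer_len += len + 1` can step past what was actually written if a single entry exceeds the 16384-byte gap; cap it to the space that remained. open_learn() also tests `gr_learn_attached` before taking gr_learn_user_mutex, which lets two readers pass the -EBUSY check at the same time.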
57577 -diff -urNp linux-2.6.32.46/grsecurity/gracl_res.c linux-2.6.32.46/grsecurity/gracl_res.c
57578 ---- linux-2.6.32.46/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57579 -+++ linux-2.6.32.46/grsecurity/gracl_res.c 2011-04-17 15:56:46.000000000 -0400
57580 -@@ -0,0 +1,67 @@
57581 -+#include <linux/kernel.h>
57582 -+#include <linux/sched.h>
57583 -+#include <linux/gracl.h>
57584 -+#include <linux/grinternal.h>
57585 -+
57586 -+static const char *restab_log[] = {
57587 -+ [RLIMIT_CPU] = "RLIMIT_CPU",
57588 -+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57589 -+ [RLIMIT_DATA] = "RLIMIT_DATA",
57590 -+ [RLIMIT_STACK] = "RLIMIT_STACK",
57591 -+ [RLIMIT_CORE] = "RLIMIT_CORE",
57592 -+ [RLIMIT_RSS] = "RLIMIT_RSS",
57593 -+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
57594 -+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57595 -+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57596 -+ [RLIMIT_AS] = "RLIMIT_AS",
57597 -+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57598 -+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57599 -+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57600 -+ [RLIMIT_NICE] = "RLIMIT_NICE",
57601 -+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57602 -+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57603 -+ [GR_CRASH_RES] = "RLIMIT_CRASH"
57604 -+};
57605 -+
57606 -+void
57607 -+gr_log_resource(const struct task_struct *task,
57608 -+ const int res, const unsigned long wanted, const int gt)
57609 -+{
57610 -+ const struct cred *cred;
57611 -+ unsigned long rlim;
57612 -+
57613 -+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
57614 -+ return;
57615 -+
57616 -+ // not yet supported resource
57617 -+ if (unlikely(!restab_log[res]))
57618 -+ return;
57619 -+
57620 -+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57621 -+ rlim = task->signal->rlim[res].rlim_max;
57622 -+ else
57623 -+ rlim = task->signal->rlim[res].rlim_cur;
57624 -+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57625 -+ return;
57626 -+
57627 -+ rcu_read_lock();
57628 -+ cred = __task_cred(task);
57629 -+
57630 -+ if (res == RLIMIT_NPROC &&
57631 -+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57632 -+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57633 -+ goto out_rcu_unlock;
57634 -+ else if (res == RLIMIT_MEMLOCK &&
57635 -+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57636 -+ goto out_rcu_unlock;
57637 -+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57638 -+ goto out_rcu_unlock;
57639 -+ rcu_read_unlock();
57640 -+
57641 -+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57642 -+
57643 -+ return;
57644 -+out_rcu_unlock:
57645 -+ rcu_read_unlock();
57646 -+ return;
57647 -+}
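Review bot: gr_log_resource() indexes `restab_log[res]` and `task->signal->rlim[res]` with no range check on `res`; the `!restab_log[res]` test only catches gaps inside the table, not a negative or too-large index. Add `res < 0 || res >= ARRAY_SIZE(restab_log)` to the early return. restab_log also has an entry for GR_CRASH_RES, so if that value is not below the size of the rlim array, the `rlim[res]` read needs its own guard.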
57648 -diff -urNp linux-2.6.32.46/grsecurity/gracl_segv.c linux-2.6.32.46/grsecurity/gracl_segv.c
57649 ---- linux-2.6.32.46/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57650 -+++ linux-2.6.32.46/grsecurity/gracl_segv.c 2011-04-17 15:56:46.000000000 -0400
57651 -@@ -0,0 +1,284 @@
57652 -+#include <linux/kernel.h>
57653 -+#include <linux/mm.h>
57654 -+#include <asm/uaccess.h>
57655 -+#include <asm/errno.h>
57656 -+#include <asm/mman.h>
57657 -+#include <net/sock.h>
57658 -+#include <linux/file.h>
57659 -+#include <linux/fs.h>
57660 -+#include <linux/net.h>
57661 -+#include <linux/in.h>
57662 -+#include <linux/smp_lock.h>
57663 -+#include <linux/slab.h>
57664 -+#include <linux/types.h>
57665 -+#include <linux/sched.h>
57666 -+#include <linux/timer.h>
57667 -+#include <linux/gracl.h>
57668 -+#include <linux/grsecurity.h>
57669 -+#include <linux/grinternal.h>
57670 -+
57671 -+static struct crash_uid *uid_set;
57672 -+static unsigned short uid_used;
57673 -+static DEFINE_SPINLOCK(gr_uid_lock);
57674 -+extern rwlock_t gr_inode_lock;
57675 -+extern struct acl_subject_label *
57676 -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57677 -+ struct acl_role_label *role);
57678 -+extern int gr_fake_force_sig(int sig, struct task_struct *t);
57679 -+
57680 -+int
57681 -+gr_init_uidset(void)
57682 -+{
57683 -+ uid_set =
57684 -+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57685 -+ uid_used = 0;
57686 -+
57687 -+ return uid_set ? 1 : 0;
57688 -+}
57689 -+
57690 -+void
57691 -+gr_free_uidset(void)
57692 -+{
57693 -+ if (uid_set)
57694 -+ kfree(uid_set);
57695 -+
57696 -+ return;
57697 -+}
57698 -+
57699 -+int
57700 -+gr_find_uid(const uid_t uid)
57701 -+{
57702 -+ struct crash_uid *tmp = uid_set;
57703 -+ uid_t buid;
57704 -+ int low = 0, high = uid_used - 1, mid;
57705 -+
57706 -+ while (high >= low) {
57707 -+ mid = (low + high) >> 1;
57708 -+ buid = tmp[mid].uid;
57709 -+ if (buid == uid)
57710 -+ return mid;
57711 -+ if (buid > uid)
57712 -+ high = mid - 1;
57713 -+ if (buid < uid)
57714 -+ low = mid + 1;
57715 -+ }
57716 -+
57717 -+ return -1;
57718 -+}
57719 -+
57720 -+static __inline__ void
57721 -+gr_insertsort(void)
57722 -+{
57723 -+ unsigned short i, j;
57724 -+ struct crash_uid index;
57725 -+
57726 -+ for (i = 1; i < uid_used; i++) {
57727 -+ index = uid_set[i];
57728 -+ j = i;
57729 -+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57730 -+ uid_set[j] = uid_set[j - 1];
57731 -+ j--;
57732 -+ }
57733 -+ uid_set[j] = index;
57734 -+ }
57735 -+
57736 -+ return;
57737 -+}
57738 -+
57739 -+static __inline__ void
57740 -+gr_insert_uid(const uid_t uid, const unsigned long expires)
57741 -+{
57742 -+ int loc;
57743 -+
57744 -+ if (uid_used == GR_UIDTABLE_MAX)
57745 -+ return;
57746 -+
57747 -+ loc = gr_find_uid(uid);
57748 -+
57749 -+ if (loc >= 0) {
57750 -+ uid_set[loc].expires = expires;
57751 -+ return;
57752 -+ }
57753 -+
57754 -+ uid_set[uid_used].uid = uid;
57755 -+ uid_set[uid_used].expires = expires;
57756 -+ uid_used++;
57757 -+
57758 -+ gr_insertsort();
57759 -+
57760 -+ return;
57761 -+}
57762 -+
57763 -+void
57764 -+gr_remove_uid(const unsigned short loc)
57765 -+{
57766 -+ unsigned short i;
57767 -+
57768 -+ for (i = loc + 1; i < uid_used; i++)
57769 -+ uid_set[i - 1] = uid_set[i];
57770 -+
57771 -+ uid_used--;
57772 -+
57773 -+ return;
57774 -+}
57775 -+
57776 -+int
57777 -+gr_check_crash_uid(const uid_t uid)
57778 -+{
57779 -+ int loc;
57780 -+ int ret = 0;
57781 -+
57782 -+ if (unlikely(!gr_acl_is_enabled()))
57783 -+ return 0;
57784 -+
57785 -+ spin_lock(&gr_uid_lock);
57786 -+ loc = gr_find_uid(uid);
57787 -+
57788 -+ if (loc < 0)
57789 -+ goto out_unlock;
57790 -+
57791 -+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
57792 -+ gr_remove_uid(loc);
57793 -+ else
57794 -+ ret = 1;
57795 -+
57796 -+out_unlock:
57797 -+ spin_unlock(&gr_uid_lock);
57798 -+ return ret;
57799 -+}
57800 -+
57801 -+static __inline__ int
57802 -+proc_is_setxid(const struct cred *cred)
57803 -+{
57804 -+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
57805 -+ cred->uid != cred->fsuid)
57806 -+ return 1;
57807 -+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57808 -+ cred->gid != cred->fsgid)
57809 -+ return 1;
57810 -+
57811 -+ return 0;
57812 -+}
57813 -+
57814 -+void
57815 -+gr_handle_crash(struct task_struct *task, const int sig)
57816 -+{
57817 -+ struct acl_subject_label *curr;
57818 -+ struct acl_subject_label *curr2;
57819 -+ struct task_struct *tsk, *tsk2;
57820 -+ const struct cred *cred;
57821 -+ const struct cred *cred2;
57822 -+
57823 -+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57824 -+ return;
57825 -+
57826 -+ if (unlikely(!gr_acl_is_enabled()))
57827 -+ return;
57828 -+
57829 -+ curr = task->acl;
57830 -+
57831 -+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
57832 -+ return;
57833 -+
57834 -+ if (time_before_eq(curr->expires, get_seconds())) {
57835 -+ curr->expires = 0;
57836 -+ curr->crashes = 0;
57837 -+ }
57838 -+
57839 -+ curr->crashes++;
57840 -+
57841 -+ if (!curr->expires)
57842 -+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57843 -+
57844 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57845 -+ time_after(curr->expires, get_seconds())) {
57846 -+ rcu_read_lock();
57847 -+ cred = __task_cred(task);
57848 -+ if (cred->uid && proc_is_setxid(cred)) {
57849 -+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57850 -+ spin_lock(&gr_uid_lock);
57851 -+ gr_insert_uid(cred->uid, curr->expires);
57852 -+ spin_unlock(&gr_uid_lock);
57853 -+ curr->expires = 0;
57854 -+ curr->crashes = 0;
57855 -+ read_lock(&tasklist_lock);
57856 -+ do_each_thread(tsk2, tsk) {
57857 -+ cred2 = __task_cred(tsk);
57858 -+ if (tsk != task && cred2->uid == cred->uid)
57859 -+ gr_fake_force_sig(SIGKILL, tsk);
57860 -+ } while_each_thread(tsk2, tsk);
57861 -+ read_unlock(&tasklist_lock);
57862 -+ } else {
57863 -+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57864 -+ read_lock(&tasklist_lock);
57865 -+ do_each_thread(tsk2, tsk) {
57866 -+ if (likely(tsk != task)) {
57867 -+ curr2 = tsk->acl;
57868 -+
57869 -+ if (curr2->device == curr->device &&
57870 -+ curr2->inode == curr->inode)
57871 -+ gr_fake_force_sig(SIGKILL, tsk);
57872 -+ }
57873 -+ } while_each_thread(tsk2, tsk);
57874 -+ read_unlock(&tasklist_lock);
57875 -+ }
57876 -+ rcu_read_unlock();
57877 -+ }
57878 -+
57879 -+ return;
57880 -+}
57881 -+
57882 -+int
57883 -+gr_check_crash_exec(const struct file *filp)
57884 -+{
57885 -+ struct acl_subject_label *curr;
57886 -+
57887 -+ if (unlikely(!gr_acl_is_enabled()))
57888 -+ return 0;
57889 -+
57890 -+ read_lock(&gr_inode_lock);
57891 -+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57892 -+ filp->f_path.dentry->d_inode->i_sb->s_dev,
57893 -+ current->role);
57894 -+ read_unlock(&gr_inode_lock);
57895 -+
57896 -+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57897 -+ (!curr->crashes && !curr->expires))
57898 -+ return 0;
57899 -+
57900 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57901 -+ time_after(curr->expires, get_seconds()))
57902 -+ return 1;
57903 -+ else if (time_before_eq(curr->expires, get_seconds())) {
57904 -+ curr->crashes = 0;
57905 -+ curr->expires = 0;
57906 -+ }
57907 -+
57908 -+ return 0;
57909 -+}
57910 -+
57911 -+void
57912 -+gr_handle_alertkill(struct task_struct *task)
57913 -+{
57914 -+ struct acl_subject_label *curracl;
57915 -+ __u32 curr_ip;
57916 -+ struct task_struct *p, *p2;
57917 -+
57918 -+ if (unlikely(!gr_acl_is_enabled()))
57919 -+ return;
57920 -+
57921 -+ curracl = task->acl;
57922 -+ curr_ip = task->signal->curr_ip;
57923 -+
57924 -+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57925 -+ read_lock(&tasklist_lock);
57926 -+ do_each_thread(p2, p) {
57927 -+ if (p->signal->curr_ip == curr_ip)
57928 -+ gr_fake_force_sig(SIGKILL, p);
57929 -+ } while_each_thread(p2, p);
57930 -+ read_unlock(&tasklist_lock);
57931 -+ } else if (curracl->mode & GR_KILLPROC)
57932 -+ gr_fake_force_sig(SIGKILL, task);
57933 -+
57934 -+ return;
57935 -+}
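Review bot: gr_insert_uid() returns silently when `uid_used == GR_UIDTABLE_MAX`, so once the table is full gr_handle_crash() still logs GR_SEGVSTART_ACL_MSG and kills the uid's tasks, but the ban that gr_check_crash_uid() looks up is never recorded. Expired entries are only dropped lazily in gr_check_crash_uid(), so purge them before giving up, and log when an insert is dropped. gr_free_uidset() should also set `uid_set = NULL` and `uid_used = 0` after kfree(), since gr_find_uid() walks the array using uid_used alone. The `crashes` and `expires` fields are updated in gr_handle_crash() and in gr_check_crash_exec() (there after read_unlock(&gr_inode_lock)) without a lock held; say which lock is meant to protect them.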
57936 -diff -urNp linux-2.6.32.46/grsecurity/gracl_shm.c linux-2.6.32.46/grsecurity/gracl_shm.c
57937 ---- linux-2.6.32.46/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57938 -+++ linux-2.6.32.46/grsecurity/gracl_shm.c 2011-04-17 15:56:46.000000000 -0400
57939 -@@ -0,0 +1,40 @@
57940 -+#include <linux/kernel.h>
57941 -+#include <linux/mm.h>
57942 -+#include <linux/sched.h>
57943 -+#include <linux/file.h>
57944 -+#include <linux/ipc.h>
57945 -+#include <linux/gracl.h>
57946 -+#include <linux/grsecurity.h>
57947 -+#include <linux/grinternal.h>
57948 -+
57949 -+int
57950 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57951 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
57952 -+{
57953 -+ struct task_struct *task;
57954 -+
57955 -+ if (!gr_acl_is_enabled())
57956 -+ return 1;
57957 -+
57958 -+ rcu_read_lock();
57959 -+ read_lock(&tasklist_lock);
57960 -+
57961 -+ task = find_task_by_vpid(shm_cprid);
57962 -+
57963 -+ if (unlikely(!task))
57964 -+ task = find_task_by_vpid(shm_lapid);
57965 -+
57966 -+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57967 -+ (task->pid == shm_lapid)) &&
57968 -+ (task->acl->mode & GR_PROTSHM) &&
57969 -+ (task->acl != current->acl))) {
57970 -+ read_unlock(&tasklist_lock);
57971 -+ rcu_read_unlock();
57972 -+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57973 -+ return 0;
57974 -+ }
57975 -+ read_unlock(&tasklist_lock);
57976 -+ rcu_read_unlock();
57977 -+
57978 -+ return 1;
57979 -+}
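Review bot: gr_handle_shmat() has no comment stating its return convention (1 permits the attach, 0 denies it), which is the opposite sense of the 0 / -EACCES convention used by gr_search_connectbind() in the same patch. Also, when the creator pid is gone and the lookup falls back to `shm_lapid`, the `task->pid == shm_lapid` arm will normally hold, so the start_time versus shm_createtime comparison that guards against a recycled pid is skipped on that path; a comment saying whether that is intended would help.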
57980 -diff -urNp linux-2.6.32.46/grsecurity/grsec_chdir.c linux-2.6.32.46/grsecurity/grsec_chdir.c
57981 ---- linux-2.6.32.46/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57982 -+++ linux-2.6.32.46/grsecurity/grsec_chdir.c 2011-04-17 15:56:46.000000000 -0400
57983 -@@ -0,0 +1,19 @@
57984 -+#include <linux/kernel.h>
57985 -+#include <linux/sched.h>
57986 -+#include <linux/fs.h>
57987 -+#include <linux/file.h>
57988 -+#include <linux/grsecurity.h>
57989 -+#include <linux/grinternal.h>
57990 -+
57991 -+void
57992 -+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57993 -+{
57994 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57995 -+ if ((grsec_enable_chdir && grsec_enable_group &&
57996 -+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57997 -+ !grsec_enable_group)) {
57998 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57999 -+ }
58000 -+#endif
58001 -+ return;
58002 -+}
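Review bot: the condition in gr_log_chdir tests grsec_enable_chdir in both arms of the "||"; it reads more clearly as "grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))". The same audit-group predicate is open-coded twice more in grsec_exec.c, so a small inline helper would keep the copies from diverging. The trailing "return;" in a void function can be dropped.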
58003 -diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/grsec_chroot.c
58004 ---- linux-2.6.32.46/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
58005 -+++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-09-15 06:48:16.000000000 -0400
58006 -@@ -0,0 +1,386 @@
58007 -+#include <linux/kernel.h>
58008 -+#include <linux/module.h>
58009 -+#include <linux/sched.h>
58010 -+#include <linux/file.h>
58011 -+#include <linux/fs.h>
58012 -+#include <linux/mount.h>
58013 -+#include <linux/types.h>
58014 -+#include <linux/pid_namespace.h>
58015 -+#include <linux/grsecurity.h>
58016 -+#include <linux/grinternal.h>
58017 -+
58018 -+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
58019 -+{
58020 -+#ifdef CONFIG_GRKERNSEC
58021 -+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
58022 -+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
58023 -+ task->gr_is_chrooted = 1;
58024 -+ else
58025 -+ task->gr_is_chrooted = 0;
58026 -+
58027 -+ task->gr_chroot_dentry = path->dentry;
58028 -+#endif
58029 -+ return;
58030 -+}
58031 -+
58032 -+void gr_clear_chroot_entries(struct task_struct *task)
58033 -+{
58034 -+#ifdef CONFIG_GRKERNSEC
58035 -+ task->gr_is_chrooted = 0;
58036 -+ task->gr_chroot_dentry = NULL;
58037 -+#endif
58038 -+ return;
58039 -+}
58040 -+
58041 -+int
58042 -+gr_handle_chroot_unix(const pid_t pid)
58043 -+{
58044 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58045 -+ struct task_struct *p;
58046 -+
58047 -+ if (unlikely(!grsec_enable_chroot_unix))
58048 -+ return 1;
58049 -+
58050 -+ if (likely(!proc_is_chrooted(current)))
58051 -+ return 1;
58052 -+
58053 -+ rcu_read_lock();
58054 -+ read_lock(&tasklist_lock);
58055 -+
58056 -+ p = find_task_by_vpid_unrestricted(pid);
58057 -+ if (unlikely(p && !have_same_root(current, p))) {
58058 -+ read_unlock(&tasklist_lock);
58059 -+ rcu_read_unlock();
58060 -+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
58061 -+ return 0;
58062 -+ }
58063 -+ read_unlock(&tasklist_lock);
58064 -+ rcu_read_unlock();
58065 -+#endif
58066 -+ return 1;
58067 -+}
58068 -+
58069 -+int
58070 -+gr_handle_chroot_nice(void)
58071 -+{
58072 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58073 -+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
58074 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
58075 -+ return -EPERM;
58076 -+ }
58077 -+#endif
58078 -+ return 0;
58079 -+}
58080 -+
58081 -+int
58082 -+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
58083 -+{
58084 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58085 -+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
58086 -+ && proc_is_chrooted(current)) {
58087 -+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
58088 -+ return -EACCES;
58089 -+ }
58090 -+#endif
58091 -+ return 0;
58092 -+}
58093 -+
58094 -+int
58095 -+gr_handle_chroot_rawio(const struct inode *inode)
58096 -+{
58097 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58098 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
58099 -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
58100 -+ return 1;
58101 -+#endif
58102 -+ return 0;
58103 -+}
58104 -+
58105 -+int
58106 -+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
58107 -+{
58108 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58109 -+ struct task_struct *p;
58110 -+ int ret = 0;
58111 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
58112 -+ return ret;
58113 -+
58114 -+ read_lock(&tasklist_lock);
58115 -+ do_each_pid_task(pid, type, p) {
58116 -+ if (!have_same_root(current, p)) {
58117 -+ ret = 1;
58118 -+ goto out;
58119 -+ }
58120 -+ } while_each_pid_task(pid, type, p);
58121 -+out:
58122 -+ read_unlock(&tasklist_lock);
58123 -+ return ret;
58124 -+#endif
58125 -+ return 0;
58126 -+}
58127 -+
58128 -+int
58129 -+gr_pid_is_chrooted(struct task_struct *p)
58130 -+{
58131 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58132 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
58133 -+ return 0;
58134 -+
58135 -+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
58136 -+ !have_same_root(current, p)) {
58137 -+ return 1;
58138 -+ }
58139 -+#endif
58140 -+ return 0;
58141 -+}
58142 -+
58143 -+EXPORT_SYMBOL(gr_pid_is_chrooted);
58144 -+
58145 -+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
58146 -+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
58147 -+{
58148 -+ struct dentry *dentry = (struct dentry *)u_dentry;
58149 -+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
58150 -+ struct dentry *realroot;
58151 -+ struct vfsmount *realrootmnt;
58152 -+ struct dentry *currentroot;
58153 -+ struct vfsmount *currentmnt;
58154 -+ struct task_struct *reaper = &init_task;
58155 -+ int ret = 1;
58156 -+
58157 -+ read_lock(&reaper->fs->lock);
58158 -+ realrootmnt = mntget(reaper->fs->root.mnt);
58159 -+ realroot = dget(reaper->fs->root.dentry);
58160 -+ read_unlock(&reaper->fs->lock);
58161 -+
58162 -+ read_lock(&current->fs->lock);
58163 -+ currentmnt = mntget(current->fs->root.mnt);
58164 -+ currentroot = dget(current->fs->root.dentry);
58165 -+ read_unlock(&current->fs->lock);
58166 -+
58167 -+ spin_lock(&dcache_lock);
58168 -+ for (;;) {
58169 -+ if (unlikely((dentry == realroot && mnt == realrootmnt)
58170 -+ || (dentry == currentroot && mnt == currentmnt)))
58171 -+ break;
58172 -+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
58173 -+ if (mnt->mnt_parent == mnt)
58174 -+ break;
58175 -+ dentry = mnt->mnt_mountpoint;
58176 -+ mnt = mnt->mnt_parent;
58177 -+ continue;
58178 -+ }
58179 -+ dentry = dentry->d_parent;
58180 -+ }
58181 -+ spin_unlock(&dcache_lock);
58182 -+
58183 -+ dput(currentroot);
58184 -+ mntput(currentmnt);
58185 -+
58186 -+ /* access is outside of chroot */
58187 -+ if (dentry == realroot && mnt == realrootmnt)
58188 -+ ret = 0;
58189 -+
58190 -+ dput(realroot);
58191 -+ mntput(realrootmnt);
58192 -+ return ret;
58193 -+}
58194 -+#endif
58195 -+
58196 -+int
58197 -+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
58198 -+{
58199 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58200 -+ if (!grsec_enable_chroot_fchdir)
58201 -+ return 1;
58202 -+
58203 -+ if (!proc_is_chrooted(current))
58204 -+ return 1;
58205 -+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
58206 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
58207 -+ return 0;
58208 -+ }
58209 -+#endif
58210 -+ return 1;
58211 -+}
58212 -+
58213 -+int
58214 -+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58215 -+ const time_t shm_createtime)
58216 -+{
58217 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58218 -+ struct task_struct *p;
58219 -+ time_t starttime;
58220 -+
58221 -+ if (unlikely(!grsec_enable_chroot_shmat))
58222 -+ return 1;
58223 -+
58224 -+ if (likely(!proc_is_chrooted(current)))
58225 -+ return 1;
58226 -+
58227 -+ rcu_read_lock();
58228 -+ read_lock(&tasklist_lock);
58229 -+
58230 -+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
58231 -+ starttime = p->start_time.tv_sec;
58232 -+ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
58233 -+ if (have_same_root(current, p)) {
58234 -+ goto allow;
58235 -+ } else {
58236 -+ read_unlock(&tasklist_lock);
58237 -+ rcu_read_unlock();
58238 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58239 -+ return 0;
58240 -+ }
58241 -+ }
58242 -+ /* creator exited, pid reuse, fall through to next check */
58243 -+ }
58244 -+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
58245 -+ if (unlikely(!have_same_root(current, p))) {
58246 -+ read_unlock(&tasklist_lock);
58247 -+ rcu_read_unlock();
58248 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58249 -+ return 0;
58250 -+ }
58251 -+ }
58252 -+
58253 -+allow:
58254 -+ read_unlock(&tasklist_lock);
58255 -+ rcu_read_unlock();
58256 -+#endif
58257 -+ return 1;
58258 -+}
58259 -+
58260 -+void
58261 -+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
58262 -+{
58263 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58264 -+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
58265 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
58266 -+#endif
58267 -+ return;
58268 -+}
58269 -+
58270 -+int
58271 -+gr_handle_chroot_mknod(const struct dentry *dentry,
58272 -+ const struct vfsmount *mnt, const int mode)
58273 -+{
58274 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58275 -+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
58276 -+ proc_is_chrooted(current)) {
58277 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
58278 -+ return -EPERM;
58279 -+ }
58280 -+#endif
58281 -+ return 0;
58282 -+}
58283 -+
58284 -+int
58285 -+gr_handle_chroot_mount(const struct dentry *dentry,
58286 -+ const struct vfsmount *mnt, const char *dev_name)
58287 -+{
58288 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58289 -+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
58290 -+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
58291 -+ return -EPERM;
58292 -+ }
58293 -+#endif
58294 -+ return 0;
58295 -+}
58296 -+
58297 -+int
58298 -+gr_handle_chroot_pivot(void)
58299 -+{
58300 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58301 -+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
58302 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
58303 -+ return -EPERM;
58304 -+ }
58305 -+#endif
58306 -+ return 0;
58307 -+}
58308 -+
58309 -+int
58310 -+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
58311 -+{
58312 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58313 -+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
58314 -+ !gr_is_outside_chroot(dentry, mnt)) {
58315 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
58316 -+ return -EPERM;
58317 -+ }
58318 -+#endif
58319 -+ return 0;
58320 -+}
58321 -+
58322 -+extern const char *captab_log[];
58323 -+extern int captab_log_entries;
58324 -+
58325 -+int
58326 -+gr_chroot_is_capable(const int cap)
58327 -+{
58328 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58329 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58330 -+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58331 -+ if (cap_raised(chroot_caps, cap)) {
58332 -+ const struct cred *creds = current_cred();
58333 -+ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
58334 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
58335 -+ }
58336 -+ return 0;
58337 -+ }
58338 -+ }
58339 -+#endif
58340 -+ return 1;
58341 -+}
58342 -+
58343 -+int
58344 -+gr_chroot_is_capable_nolog(const int cap)
58345 -+{
58346 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58347 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58348 -+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58349 -+ if (cap_raised(chroot_caps, cap)) {
58350 -+ return 0;
58351 -+ }
58352 -+ }
58353 -+#endif
58354 -+ return 1;
58355 -+}
58356 -+
58357 -+int
58358 -+gr_handle_chroot_sysctl(const int op)
58359 -+{
58360 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58361 -+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
58362 -+ && (op & MAY_WRITE))
58363 -+ return -EACCES;
58364 -+#endif
58365 -+ return 0;
58366 -+}
58367 -+
58368 -+void
58369 -+gr_handle_chroot_chdir(struct path *path)
58370 -+{
58371 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58372 -+ if (grsec_enable_chroot_chdir)
58373 -+ set_fs_pwd(current->fs, path);
58374 -+#endif
58375 -+ return;
58376 -+}
58377 -+
58378 -+int
58379 -+gr_handle_chroot_chmod(const struct dentry *dentry,
58380 -+ const struct vfsmount *mnt, const int mode)
58381 -+{
58382 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58383 -+ /* allow chmod +s on directories, but not on files */
58384 -+ if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
58385 -+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
58386 -+ proc_is_chrooted(current)) {
58387 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
58388 -+ return -EPERM;
58389 -+ }
58390 -+#endif
58391 -+ return 0;
58392 -+}
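Review bot: gr_is_outside_chroot() returns 0 in the branch commented "access is outside of chroot" and 1 otherwise, so its return value is the opposite of what its name says, and both callers (gr_chroot_fchdir, gr_handle_chroot_chroot) have to test "!gr_is_outside_chroot(...)" to deny. Rename it or invert the return value. The file also needs a header comment stating the return convention, because the handlers mix three of them: 1 means allow and 0 means deny (gr_handle_chroot_unix, gr_chroot_fchdir, gr_chroot_shmat), 0 means allow with -EPERM or -EACCES on deny (gr_handle_chroot_nice, gr_handle_chroot_mknod, gr_handle_chroot_sysctl), and 1 means the restriction applies (gr_handle_chroot_rawio, gr_handle_chroot_fowner). In gr_handle_chroot_fowner the "return 0;" after "#endif" is unreachable when the option is enabled.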
58393 -diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c
58394 ---- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
58395 -+++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-09-24 08:13:29.000000000 -0400
58396 -@@ -0,0 +1,433 @@
58397 -+#include <linux/kernel.h>
58398 -+#include <linux/module.h>
58399 -+#include <linux/sched.h>
58400 -+#include <linux/file.h>
58401 -+#include <linux/fs.h>
58402 -+#include <linux/kdev_t.h>
58403 -+#include <linux/net.h>
58404 -+#include <linux/in.h>
58405 -+#include <linux/ip.h>
58406 -+#include <linux/skbuff.h>
58407 -+#include <linux/sysctl.h>
58408 -+
58409 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
58410 -+void
58411 -+pax_set_initial_flags(struct linux_binprm *bprm)
58412 -+{
58413 -+ return;
58414 -+}
58415 -+#endif
58416 -+
58417 -+#ifdef CONFIG_SYSCTL
58418 -+__u32
58419 -+gr_handle_sysctl(const struct ctl_table * table, const int op)
58420 -+{
58421 -+ return 0;
58422 -+}
58423 -+#endif
58424 -+
58425 -+#ifdef CONFIG_TASKSTATS
58426 -+int gr_is_taskstats_denied(int pid)
58427 -+{
58428 -+ return 0;
58429 -+}
58430 -+#endif
58431 -+
58432 -+int
58433 -+gr_acl_is_enabled(void)
58434 -+{
58435 -+ return 0;
58436 -+}
58437 -+
58438 -+int
58439 -+gr_handle_rawio(const struct inode *inode)
58440 -+{
58441 -+ return 0;
58442 -+}
58443 -+
58444 -+void
58445 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
58446 -+{
58447 -+ return;
58448 -+}
58449 -+
58450 -+int
58451 -+gr_handle_ptrace(struct task_struct *task, const long request)
58452 -+{
58453 -+ return 0;
58454 -+}
58455 -+
58456 -+int
58457 -+gr_handle_proc_ptrace(struct task_struct *task)
58458 -+{
58459 -+ return 0;
58460 -+}
58461 -+
58462 -+void
58463 -+gr_learn_resource(const struct task_struct *task,
58464 -+ const int res, const unsigned long wanted, const int gt)
58465 -+{
58466 -+ return;
58467 -+}
58468 -+
58469 -+int
58470 -+gr_set_acls(const int type)
58471 -+{
58472 -+ return 0;
58473 -+}
58474 -+
58475 -+int
58476 -+gr_check_hidden_task(const struct task_struct *tsk)
58477 -+{
58478 -+ return 0;
58479 -+}
58480 -+
58481 -+int
58482 -+gr_check_protected_task(const struct task_struct *task)
58483 -+{
58484 -+ return 0;
58485 -+}
58486 -+
58487 -+int
58488 -+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
58489 -+{
58490 -+ return 0;
58491 -+}
58492 -+
58493 -+void
58494 -+gr_copy_label(struct task_struct *tsk)
58495 -+{
58496 -+ return;
58497 -+}
58498 -+
58499 -+void
58500 -+gr_set_pax_flags(struct task_struct *task)
58501 -+{
58502 -+ return;
58503 -+}
58504 -+
58505 -+int
58506 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
58507 -+ const int unsafe_share)
58508 -+{
58509 -+ return 0;
58510 -+}
58511 -+
58512 -+void
58513 -+gr_handle_delete(const ino_t ino, const dev_t dev)
58514 -+{
58515 -+ return;
58516 -+}
58517 -+
58518 -+void
58519 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
58520 -+{
58521 -+ return;
58522 -+}
58523 -+
58524 -+void
58525 -+gr_handle_crash(struct task_struct *task, const int sig)
58526 -+{
58527 -+ return;
58528 -+}
58529 -+
58530 -+int
58531 -+gr_check_crash_exec(const struct file *filp)
58532 -+{
58533 -+ return 0;
58534 -+}
58535 -+
58536 -+int
58537 -+gr_check_crash_uid(const uid_t uid)
58538 -+{
58539 -+ return 0;
58540 -+}
58541 -+
58542 -+void
58543 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58544 -+ struct dentry *old_dentry,
58545 -+ struct dentry *new_dentry,
58546 -+ struct vfsmount *mnt, const __u8 replace)
58547 -+{
58548 -+ return;
58549 -+}
58550 -+
58551 -+int
58552 -+gr_search_socket(const int family, const int type, const int protocol)
58553 -+{
58554 -+ return 1;
58555 -+}
58556 -+
58557 -+int
58558 -+gr_search_connectbind(const int mode, const struct socket *sock,
58559 -+ const struct sockaddr_in *addr)
58560 -+{
58561 -+ return 0;
58562 -+}
58563 -+
58564 -+void
58565 -+gr_handle_alertkill(struct task_struct *task)
58566 -+{
58567 -+ return;
58568 -+}
58569 -+
58570 -+__u32
58571 -+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
58572 -+{
58573 -+ return 1;
58574 -+}
58575 -+
58576 -+__u32
58577 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
58578 -+ const struct vfsmount * mnt)
58579 -+{
58580 -+ return 1;
58581 -+}
58582 -+
58583 -+__u32
58584 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58585 -+ const int fmode)
58586 -+{
58587 -+ return 1;
58588 -+}
58589 -+
58590 -+__u32
58591 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58592 -+{
58593 -+ return 1;
58594 -+}
58595 -+
58596 -+__u32
58597 -+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58598 -+{
58599 -+ return 1;
58600 -+}
58601 -+
58602 -+int
58603 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58604 -+ unsigned int *vm_flags)
58605 -+{
58606 -+ return 1;
58607 -+}
58608 -+
58609 -+__u32
58610 -+gr_acl_handle_truncate(const struct dentry * dentry,
58611 -+ const struct vfsmount * mnt)
58612 -+{
58613 -+ return 1;
58614 -+}
58615 -+
58616 -+__u32
58617 -+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58618 -+{
58619 -+ return 1;
58620 -+}
58621 -+
58622 -+__u32
58623 -+gr_acl_handle_access(const struct dentry * dentry,
58624 -+ const struct vfsmount * mnt, const int fmode)
58625 -+{
58626 -+ return 1;
58627 -+}
58628 -+
58629 -+__u32
58630 -+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58631 -+ mode_t mode)
58632 -+{
58633 -+ return 1;
58634 -+}
58635 -+
58636 -+__u32
58637 -+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58638 -+ mode_t mode)
58639 -+{
58640 -+ return 1;
58641 -+}
58642 -+
58643 -+__u32
58644 -+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58645 -+{
58646 -+ return 1;
58647 -+}
58648 -+
58649 -+__u32
58650 -+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58651 -+{
58652 -+ return 1;
58653 -+}
58654 -+
58655 -+void
58656 -+grsecurity_init(void)
58657 -+{
58658 -+ return;
58659 -+}
58660 -+
58661 -+__u32
58662 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
58663 -+ const struct dentry * parent_dentry,
58664 -+ const struct vfsmount * parent_mnt,
58665 -+ const int mode)
58666 -+{
58667 -+ return 1;
58668 -+}
58669 -+
58670 -+__u32
58671 -+gr_acl_handle_mkdir(const struct dentry * new_dentry,
58672 -+ const struct dentry * parent_dentry,
58673 -+ const struct vfsmount * parent_mnt)
58674 -+{
58675 -+ return 1;
58676 -+}
58677 -+
58678 -+__u32
58679 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
58680 -+ const struct dentry * parent_dentry,
58681 -+ const struct vfsmount * parent_mnt, const char *from)
58682 -+{
58683 -+ return 1;
58684 -+}
58685 -+
58686 -+__u32
58687 -+gr_acl_handle_link(const struct dentry * new_dentry,
58688 -+ const struct dentry * parent_dentry,
58689 -+ const struct vfsmount * parent_mnt,
58690 -+ const struct dentry * old_dentry,
58691 -+ const struct vfsmount * old_mnt, const char *to)
58692 -+{
58693 -+ return 1;
58694 -+}
58695 -+
58696 -+int
58697 -+gr_acl_handle_rename(const struct dentry *new_dentry,
58698 -+ const struct dentry *parent_dentry,
58699 -+ const struct vfsmount *parent_mnt,
58700 -+ const struct dentry *old_dentry,
58701 -+ const struct inode *old_parent_inode,
58702 -+ const struct vfsmount *old_mnt, const char *newname)
58703 -+{
58704 -+ return 0;
58705 -+}
58706 -+
58707 -+int
58708 -+gr_acl_handle_filldir(const struct file *file, const char *name,
58709 -+ const int namelen, const ino_t ino)
58710 -+{
58711 -+ return 1;
58712 -+}
58713 -+
58714 -+int
58715 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58716 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
58717 -+{
58718 -+ return 1;
58719 -+}
58720 -+
58721 -+int
58722 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58723 -+{
58724 -+ return 0;
58725 -+}
58726 -+
58727 -+int
58728 -+gr_search_accept(const struct socket *sock)
58729 -+{
58730 -+ return 0;
58731 -+}
58732 -+
58733 -+int
58734 -+gr_search_listen(const struct socket *sock)
58735 -+{
58736 -+ return 0;
58737 -+}
58738 -+
58739 -+int
58740 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58741 -+{
58742 -+ return 0;
58743 -+}
58744 -+
58745 -+__u32
58746 -+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58747 -+{
58748 -+ return 1;
58749 -+}
58750 -+
58751 -+__u32
58752 -+gr_acl_handle_creat(const struct dentry * dentry,
58753 -+ const struct dentry * p_dentry,
58754 -+ const struct vfsmount * p_mnt, const int fmode,
58755 -+ const int imode)
58756 -+{
58757 -+ return 1;
58758 -+}
58759 -+
58760 -+void
58761 -+gr_acl_handle_exit(void)
58762 -+{
58763 -+ return;
58764 -+}
58765 -+
58766 -+int
58767 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58768 -+{
58769 -+ return 1;
58770 -+}
58771 -+
58772 -+void
58773 -+gr_set_role_label(const uid_t uid, const gid_t gid)
58774 -+{
58775 -+ return;
58776 -+}
58777 -+
58778 -+int
58779 -+gr_acl_handle_procpidmem(const struct task_struct *task)
58780 -+{
58781 -+ return 0;
58782 -+}
58783 -+
58784 -+int
58785 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58786 -+{
58787 -+ return 0;
58788 -+}
58789 -+
58790 -+int
58791 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58792 -+{
58793 -+ return 0;
58794 -+}
58795 -+
58796 -+void
58797 -+gr_set_kernel_label(struct task_struct *task)
58798 -+{
58799 -+ return;
58800 -+}
58801 -+
58802 -+int
58803 -+gr_check_user_change(int real, int effective, int fs)
58804 -+{
58805 -+ return 0;
58806 -+}
58807 -+
58808 -+int
58809 -+gr_check_group_change(int real, int effective, int fs)
58810 -+{
58811 -+ return 0;
58812 -+}
58813 -+
58814 -+int gr_acl_enable_at_secure(void)
58815 -+{
58816 -+ return 0;
58817 -+}
58818 -+
58819 -+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58820 -+{
58821 -+ return dentry->d_inode->i_sb->s_dev;
58822 -+}
58823 -+
58824 -+EXPORT_SYMBOL(gr_learn_resource);
58825 -+EXPORT_SYMBOL(gr_set_kernel_label);
58826 -+#ifdef CONFIG_SECURITY
58827 -+EXPORT_SYMBOL(gr_check_user_change);
58828 -+EXPORT_SYMBOL(gr_check_group_change);
58829 -+#endif
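Review bot: the stubs in grsec_disabled.c return a mix of 0 and 1 with no comment saying which value means "allowed". For example gr_search_socket() returns 1 while gr_search_connectbind(), gr_search_bind(), gr_search_accept() and gr_search_listen() return 0, and gr_acl_handle_rename() and gr_acl_handle_procpidmem() return 0 while gr_acl_handle_open(), gr_acl_handle_unlink() and most other gr_acl_handle_* stubs return 1. A short comment per group documenting the convention would let a reader confirm that each stub is a no-op for its caller. Also, gr_check_user_change and gr_check_group_change are defined unconditionally but exported only under CONFIG_SECURITY; a comment should say why. gr_get_dev_from_dentry is not a stub and dereferences dentry->d_inode without a NULL check, so the expectation on callers should be stated.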
58830 -diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/grsec_exec.c
58831 ---- linux-2.6.32.46/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58832 -+++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-09-13 22:54:27.000000000 -0400
58833 -@@ -0,0 +1,204 @@
58834 -+#include <linux/kernel.h>
58835 -+#include <linux/sched.h>
58836 -+#include <linux/file.h>
58837 -+#include <linux/binfmts.h>
58838 -+#include <linux/smp_lock.h>
58839 -+#include <linux/fs.h>
58840 -+#include <linux/types.h>
58841 -+#include <linux/grdefs.h>
58842 -+#include <linux/grinternal.h>
58843 -+#include <linux/capability.h>
58844 -+#include <linux/compat.h>
58845 -+#include <linux/module.h>
58846 -+
58847 -+#include <asm/uaccess.h>
58848 -+
58849 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
58850 -+static char gr_exec_arg_buf[132];
58851 -+static DEFINE_MUTEX(gr_exec_arg_mutex);
58852 -+#endif
58853 -+
58854 -+void
58855 -+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58856 -+{
58857 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
58858 -+ char *grarg = gr_exec_arg_buf;
58859 -+ unsigned int i, x, execlen = 0;
58860 -+ char c;
58861 -+
58862 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
58863 -+ in_group_p(grsec_audit_gid))
58864 -+ || (grsec_enable_execlog && !grsec_enable_group)))
58865 -+ return;
58866 -+
58867 -+ mutex_lock(&gr_exec_arg_mutex);
58868 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
58869 -+
58870 -+ if (unlikely(argv == NULL))
58871 -+ goto log;
58872 -+
58873 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
58874 -+ const char __user *p;
58875 -+ unsigned int len;
58876 -+
58877 -+ if (copy_from_user(&p, argv + i, sizeof(p)))
58878 -+ goto log;
58879 -+ if (!p)
58880 -+ goto log;
58881 -+ len = strnlen_user(p, 128 - execlen);
58882 -+ if (len > 128 - execlen)
58883 -+ len = 128 - execlen;
58884 -+ else if (len > 0)
58885 -+ len--;
58886 -+ if (copy_from_user(grarg + execlen, p, len))
58887 -+ goto log;
58888 -+
58889 -+ /* rewrite unprintable characters */
58890 -+ for (x = 0; x < len; x++) {
58891 -+ c = *(grarg + execlen + x);
58892 -+ if (c < 32 || c > 126)
58893 -+ *(grarg + execlen + x) = ' ';
58894 -+ }
58895 -+
58896 -+ execlen += len;
58897 -+ *(grarg + execlen) = ' ';
58898 -+ *(grarg + execlen + 1) = '\0';
58899 -+ execlen++;
58900 -+ }
58901 -+
58902 -+ log:
58903 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58904 -+ bprm->file->f_path.mnt, grarg);
58905 -+ mutex_unlock(&gr_exec_arg_mutex);
58906 -+#endif
58907 -+ return;
58908 -+}
58909 -+
58910 -+#ifdef CONFIG_COMPAT
58911 -+void
58912 -+gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58913 -+{
58914 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
58915 -+ char *grarg = gr_exec_arg_buf;
58916 -+ unsigned int i, x, execlen = 0;
58917 -+ char c;
58918 -+
58919 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
58920 -+ in_group_p(grsec_audit_gid))
58921 -+ || (grsec_enable_execlog && !grsec_enable_group)))
58922 -+ return;
58923 -+
58924 -+ mutex_lock(&gr_exec_arg_mutex);
58925 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
58926 -+
58927 -+ if (unlikely(argv == NULL))
58928 -+ goto log;
58929 -+
58930 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
58931 -+ compat_uptr_t p;
58932 -+ unsigned int len;
58933 -+
58934 -+ if (get_user(p, argv + i))
58935 -+ goto log;
58936 -+ len = strnlen_user(compat_ptr(p), 128 - execlen);
58937 -+ if (len > 128 - execlen)
58938 -+ len = 128 - execlen;
58939 -+ else if (len > 0)
58940 -+ len--;
58941 -+ else
58942 -+ goto log;
58943 -+ if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58944 -+ goto log;
58945 -+
58946 -+ /* rewrite unprintable characters */
58947 -+ for (x = 0; x < len; x++) {
58948 -+ c = *(grarg + execlen + x);
58949 -+ if (c < 32 || c > 126)
58950 -+ *(grarg + execlen + x) = ' ';
58951 -+ }
58952 -+
58953 -+ execlen += len;
58954 -+ *(grarg + execlen) = ' ';
58955 -+ *(grarg + execlen + 1) = '\0';
58956 -+ execlen++;
58957 -+ }
58958 -+
58959 -+ log:
58960 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58961 -+ bprm->file->f_path.mnt, grarg);
58962 -+ mutex_unlock(&gr_exec_arg_mutex);
58963 -+#endif
58964 -+ return;
58965 -+}
58966 -+#endif
58967 -+
58968 -+#ifdef CONFIG_GRKERNSEC
58969 -+extern int gr_acl_is_capable(const int cap);
58970 -+extern int gr_acl_is_capable_nolog(const int cap);
58971 -+extern int gr_chroot_is_capable(const int cap);
58972 -+extern int gr_chroot_is_capable_nolog(const int cap);
58973 -+#endif
58974 -+
58975 -+const char *captab_log[] = {
58976 -+ "CAP_CHOWN",
58977 -+ "CAP_DAC_OVERRIDE",
58978 -+ "CAP_DAC_READ_SEARCH",
58979 -+ "CAP_FOWNER",
58980 -+ "CAP_FSETID",
58981 -+ "CAP_KILL",
58982 -+ "CAP_SETGID",
58983 -+ "CAP_SETUID",
58984 -+ "CAP_SETPCAP",
58985 -+ "CAP_LINUX_IMMUTABLE",
58986 -+ "CAP_NET_BIND_SERVICE",
58987 -+ "CAP_NET_BROADCAST",
58988 -+ "CAP_NET_ADMIN",
58989 -+ "CAP_NET_RAW",
58990 -+ "CAP_IPC_LOCK",
58991 -+ "CAP_IPC_OWNER",
58992 -+ "CAP_SYS_MODULE",
58993 -+ "CAP_SYS_RAWIO",
58994 -+ "CAP_SYS_CHROOT",
58995 -+ "CAP_SYS_PTRACE",
58996 -+ "CAP_SYS_PACCT",
58997 -+ "CAP_SYS_ADMIN",
58998 -+ "CAP_SYS_BOOT",
58999 -+ "CAP_SYS_NICE",
59000 -+ "CAP_SYS_RESOURCE",
59001 -+ "CAP_SYS_TIME",
59002 -+ "CAP_SYS_TTY_CONFIG",
59003 -+ "CAP_MKNOD",
59004 -+ "CAP_LEASE",
59005 -+ "CAP_AUDIT_WRITE",
59006 -+ "CAP_AUDIT_CONTROL",
59007 -+ "CAP_SETFCAP",
59008 -+ "CAP_MAC_OVERRIDE",
59009 -+ "CAP_MAC_ADMIN"
59010 -+};
59011 -+
59012 -+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
59013 -+
59014 -+int gr_is_capable(const int cap)
59015 -+{
59016 -+#ifdef CONFIG_GRKERNSEC
59017 -+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
59018 -+ return 1;
59019 -+ return 0;
59020 -+#else
59021 -+ return 1;
59022 -+#endif
59023 -+}
59024 -+
59025 -+int gr_is_capable_nolog(const int cap)
59026 -+{
59027 -+#ifdef CONFIG_GRKERNSEC
59028 -+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
59029 -+ return 1;
59030 -+ return 0;
59031 -+#else
59032 -+ return 1;
59033 -+#endif
59034 -+}
59035 -+
59036 -+EXPORT_SYMBOL(gr_is_capable);
59037 -+EXPORT_SYMBOL(gr_is_capable_nolog);
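Review bot: gr_handle_exec_args() and gr_handle_exec_args_compat() are near-copies that have drifted apart. The native version stops on a NULL argv entry ("if (!p) goto log;") but carries on when strnlen_user() returns 0, while the compat version has no NULL check and instead bails out with "else goto log;" when the length is 0. Pick one behaviour and move the copy and sanitise loop into a shared helper that takes the already-fetched user pointer, so the bounds logic against gr_exec_arg_buf exists only once. A comment explaining the 128 limit against the 132-byte buffer (separator and terminator are written at execlen and execlen + 1) would make the bounds easier to audit.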
59038 -diff -urNp linux-2.6.32.46/grsecurity/grsec_fifo.c linux-2.6.32.46/grsecurity/grsec_fifo.c
59039 ---- linux-2.6.32.46/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
59040 -+++ linux-2.6.32.46/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
59041 -@@ -0,0 +1,24 @@
59042 -+#include <linux/kernel.h>
59043 -+#include <linux/sched.h>
59044 -+#include <linux/fs.h>
59045 -+#include <linux/file.h>
59046 -+#include <linux/grinternal.h>
59047 -+
59048 -+int
59049 -+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
59050 -+ const struct dentry *dir, const int flag, const int acc_mode)
59051 -+{
59052 -+#ifdef CONFIG_GRKERNSEC_FIFO
59053 -+ const struct cred *cred = current_cred();
59054 -+
59055 -+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
59056 -+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
59057 -+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
59058 -+ (cred->fsuid != dentry->d_inode->i_uid)) {
59059 -+ if (!inode_permission(dentry->d_inode, acc_mode))
59060 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
59061 -+ return -EACCES;
59062 -+ }
59063 -+#endif
59064 -+ return 0;
59065 -+}
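Review bot: in gr_handle_fifo the unbraced "if (!inode_permission(...))" guards only the gr_log_fs_int2() call, while "return -EACCES;" runs for every open that matches the outer condition; this is easy to misread as a conditional deny. Put braces around the log call and add a comment saying that the denial is unconditional and that the log is emitted only when the open would otherwise have passed the permission check. The function also dereferences dentry->d_inode and dir->d_inode without a NULL check, so a comment should state that callers pass positive dentries.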
59066 -diff -urNp linux-2.6.32.46/grsecurity/grsec_fork.c linux-2.6.32.46/grsecurity/grsec_fork.c
59067 ---- linux-2.6.32.46/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
59068 -+++ linux-2.6.32.46/grsecurity/grsec_fork.c 2011-04-17 15:56:46.000000000 -0400
59069 -@@ -0,0 +1,23 @@
59070 -+#include <linux/kernel.h>
59071 -+#include <linux/sched.h>
59072 -+#include <linux/grsecurity.h>
59073 -+#include <linux/grinternal.h>
59074 -+#include <linux/errno.h>
59075 -+
59076 -+void
59077 -+gr_log_forkfail(const int retval)
59078 -+{
59079 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
59080 -+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
59081 -+ switch (retval) {
59082 -+ case -EAGAIN:
59083 -+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
59084 -+ break;
59085 -+ case -ENOMEM:
59086 -+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
59087 -+ break;
59088 -+ }
59089 -+ }
59090 -+#endif
59091 -+ return;
59092 -+}
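Review bot: in gr_log_forkfail the outer test "retval == -EAGAIN || retval == -ENOMEM" repeats what the switch already selects. Keep only grsec_enable_forkfail in the "if" and let the switch, which has no default case, do the filtering, or drop the switch and pass the string through a conditional expression. The trailing "return;" in a void function can be dropped.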
59093 -diff -urNp linux-2.6.32.46/grsecurity/grsec_init.c linux-2.6.32.46/grsecurity/grsec_init.c
59094 ---- linux-2.6.32.46/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
59095 -+++ linux-2.6.32.46/grsecurity/grsec_init.c 2011-08-11 19:57:42.000000000 -0400
59096 -@@ -0,0 +1,270 @@
59097 -+#include <linux/kernel.h>
59098 -+#include <linux/sched.h>
59099 -+#include <linux/mm.h>
59100 -+#include <linux/smp_lock.h>
59101 -+#include <linux/gracl.h>
59102 -+#include <linux/slab.h>
59103 -+#include <linux/vmalloc.h>
59104 -+#include <linux/percpu.h>
59105 -+#include <linux/module.h>
59106 -+
59107 -+int grsec_enable_brute;
59108 -+int grsec_enable_link;
59109 -+int grsec_enable_dmesg;
59110 -+int grsec_enable_harden_ptrace;
59111 -+int grsec_enable_fifo;
59112 -+int grsec_enable_execlog;
59113 -+int grsec_enable_signal;
59114 -+int grsec_enable_forkfail;
59115 -+int grsec_enable_audit_ptrace;
59116 -+int grsec_enable_time;
59117 -+int grsec_enable_audit_textrel;
59118 -+int grsec_enable_group;
59119 -+int grsec_audit_gid;
59120 -+int grsec_enable_chdir;
59121 -+int grsec_enable_mount;
59122 -+int grsec_enable_rofs;
59123 -+int grsec_enable_chroot_findtask;
59124 -+int grsec_enable_chroot_mount;
59125 -+int grsec_enable_chroot_shmat;
59126 -+int grsec_enable_chroot_fchdir;
59127 -+int grsec_enable_chroot_double;
59128 -+int grsec_enable_chroot_pivot;
59129 -+int grsec_enable_chroot_chdir;
59130 -+int grsec_enable_chroot_chmod;
59131 -+int grsec_enable_chroot_mknod;
59132 -+int grsec_enable_chroot_nice;
59133 -+int grsec_enable_chroot_execlog;
59134 -+int grsec_enable_chroot_caps;
59135 -+int grsec_enable_chroot_sysctl;
59136 -+int grsec_enable_chroot_unix;
59137 -+int grsec_enable_tpe;
59138 -+int grsec_tpe_gid;
59139 -+int grsec_enable_blackhole;
59140 -+#ifdef CONFIG_IPV6_MODULE
59141 -+EXPORT_SYMBOL(grsec_enable_blackhole);
59142 -+#endif
59143 -+int grsec_lastack_retries;
59144 -+int grsec_enable_tpe_all;
59145 -+int grsec_enable_tpe_invert;
59146 -+int grsec_enable_socket_all;
59147 -+int grsec_socket_all_gid;
59148 -+int grsec_enable_socket_client;
59149 -+int grsec_socket_client_gid;
59150 -+int grsec_enable_socket_server;
59151 -+int grsec_socket_server_gid;
59152 -+int grsec_resource_logging;
59153 -+int grsec_disable_privio;
59154 -+int grsec_enable_log_rwxmaps;
59155 -+int grsec_lock;
59156 -+
59157 -+DEFINE_SPINLOCK(grsec_alert_lock);
59158 -+unsigned long grsec_alert_wtime = 0;
59159 -+unsigned long grsec_alert_fyet = 0;
59160 -+
59161 -+DEFINE_SPINLOCK(grsec_audit_lock);
59162 -+
59163 -+DEFINE_RWLOCK(grsec_exec_file_lock);
59164 -+
59165 -+char *gr_shared_page[4];
59166 -+
59167 -+char *gr_alert_log_fmt;
59168 -+char *gr_audit_log_fmt;
59169 -+char *gr_alert_log_buf;
59170 -+char *gr_audit_log_buf;
59171 -+
59172 -+extern struct gr_arg *gr_usermode;
59173 -+extern unsigned char *gr_system_salt;
59174 -+extern unsigned char *gr_system_sum;
59175 -+
59176 -+void __init
59177 -+grsecurity_init(void)
59178 -+{
59179 -+ int j;
59180 -+ /* create the per-cpu shared pages */
59181 -+
59182 -+#ifdef CONFIG_X86
59183 -+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
59184 -+#endif
59185 -+
59186 -+ for (j = 0; j < 4; j++) {
59187 -+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
59188 -+ if (gr_shared_page[j] == NULL) {
59189 -+ panic("Unable to allocate grsecurity shared page");
59190 -+ return;
59191 -+ }
59192 -+ }
59193 -+
59194 -+ /* allocate log buffers */
59195 -+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
59196 -+ if (!gr_alert_log_fmt) {
59197 -+ panic("Unable to allocate grsecurity alert log format buffer");
59198 -+ return;
59199 -+ }
59200 -+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
59201 -+ if (!gr_audit_log_fmt) {
59202 -+ panic("Unable to allocate grsecurity audit log format buffer");
59203 -+ return;
59204 -+ }
59205 -+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59206 -+ if (!gr_alert_log_buf) {
59207 -+ panic("Unable to allocate grsecurity alert log buffer");
59208 -+ return;
59209 -+ }
59210 -+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59211 -+ if (!gr_audit_log_buf) {
59212 -+ panic("Unable to allocate grsecurity audit log buffer");
59213 -+ return;
59214 -+ }
59215 -+
59216 -+ /* allocate memory for authentication structure */
59217 -+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
59218 -+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
59219 -+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
59220 -+
59221 -+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
59222 -+ panic("Unable to allocate grsecurity authentication structure");
59223 -+ return;
59224 -+ }
59225 -+
59226 -+
59227 -+#ifdef CONFIG_GRKERNSEC_IO
59228 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
59229 -+ grsec_disable_privio = 1;
59230 -+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59231 -+ grsec_disable_privio = 1;
59232 -+#else
59233 -+ grsec_disable_privio = 0;
59234 -+#endif
59235 -+#endif
59236 -+
59237 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59238 -+ /* for backward compatibility, tpe_invert always defaults to on if
59239 -+ enabled in the kernel
59240 -+ */
59241 -+ grsec_enable_tpe_invert = 1;
59242 -+#endif
59243 -+
59244 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59245 -+#ifndef CONFIG_GRKERNSEC_SYSCTL
59246 -+ grsec_lock = 1;
59247 -+#endif
59248 -+
59249 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59250 -+ grsec_enable_audit_textrel = 1;
59251 -+#endif
59252 -+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59253 -+ grsec_enable_log_rwxmaps = 1;
59254 -+#endif
59255 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
59256 -+ grsec_enable_group = 1;
59257 -+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
59258 -+#endif
59259 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59260 -+ grsec_enable_chdir = 1;
59261 -+#endif
59262 -+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
59263 -+ grsec_enable_harden_ptrace = 1;
59264 -+#endif
59265 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59266 -+ grsec_enable_mount = 1;
59267 -+#endif
59268 -+#ifdef CONFIG_GRKERNSEC_LINK
59269 -+ grsec_enable_link = 1;
59270 -+#endif
59271 -+#ifdef CONFIG_GRKERNSEC_BRUTE
59272 -+ grsec_enable_brute = 1;
59273 -+#endif
59274 -+#ifdef CONFIG_GRKERNSEC_DMESG
59275 -+ grsec_enable_dmesg = 1;
59276 -+#endif
59277 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59278 -+ grsec_enable_blackhole = 1;
59279 -+ grsec_lastack_retries = 4;
59280 -+#endif
59281 -+#ifdef CONFIG_GRKERNSEC_FIFO
59282 -+ grsec_enable_fifo = 1;
59283 -+#endif
59284 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
59285 -+ grsec_enable_execlog = 1;
59286 -+#endif
59287 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
59288 -+ grsec_enable_signal = 1;
59289 -+#endif
59290 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
59291 -+ grsec_enable_forkfail = 1;
59292 -+#endif
59293 -+#ifdef CONFIG_GRKERNSEC_TIME
59294 -+ grsec_enable_time = 1;
59295 -+#endif
59296 -+#ifdef CONFIG_GRKERNSEC_RESLOG
59297 -+ grsec_resource_logging = 1;
59298 -+#endif
59299 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59300 -+ grsec_enable_chroot_findtask = 1;
59301 -+#endif
59302 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59303 -+ grsec_enable_chroot_unix = 1;
59304 -+#endif
59305 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59306 -+ grsec_enable_chroot_mount = 1;
59307 -+#endif
59308 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59309 -+ grsec_enable_chroot_fchdir = 1;
59310 -+#endif
59311 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59312 -+ grsec_enable_chroot_shmat = 1;
59313 -+#endif
59314 -+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59315 -+ grsec_enable_audit_ptrace = 1;
59316 -+#endif
59317 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59318 -+ grsec_enable_chroot_double = 1;
59319 -+#endif
59320 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59321 -+ grsec_enable_chroot_pivot = 1;
59322 -+#endif
59323 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59324 -+ grsec_enable_chroot_chdir = 1;
59325 -+#endif
59326 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59327 -+ grsec_enable_chroot_chmod = 1;
59328 -+#endif
59329 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59330 -+ grsec_enable_chroot_mknod = 1;
59331 -+#endif
59332 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59333 -+ grsec_enable_chroot_nice = 1;
59334 -+#endif
59335 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59336 -+ grsec_enable_chroot_execlog = 1;
59337 -+#endif
59338 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59339 -+ grsec_enable_chroot_caps = 1;
59340 -+#endif
59341 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59342 -+ grsec_enable_chroot_sysctl = 1;
59343 -+#endif
59344 -+#ifdef CONFIG_GRKERNSEC_TPE
59345 -+ grsec_enable_tpe = 1;
59346 -+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
59347 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
59348 -+ grsec_enable_tpe_all = 1;
59349 -+#endif
59350 -+#endif
59351 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59352 -+ grsec_enable_socket_all = 1;
59353 -+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
59354 -+#endif
59355 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59356 -+ grsec_enable_socket_client = 1;
59357 -+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
59358 -+#endif
59359 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59360 -+ grsec_enable_socket_server = 1;
59361 -+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
59362 -+#endif
59363 -+#endif
59364 -+
59365 -+ return;
59366 -+}
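Review bot: the `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at the top of grsecurity_init is undocumented. It sits under the comment "create the per-cpu shared pages", which describes the loop after it, and nothing says what the 36 bytes at that address are or why they are zeroed. Please give the address and length named constants and a comment of their own. Separately, every `panic(...)` in this function is followed by `return;`. panic() does not return, so those returns are dead code and can be dropped. grsec_enable_rofs is declared with the other flags but is never assigned in this function; if it is meant to be runtime-only, a comment at the declaration would make that clear.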
59367 -diff -urNp linux-2.6.32.46/grsecurity/grsec_link.c linux-2.6.32.46/grsecurity/grsec_link.c
59368 ---- linux-2.6.32.46/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
59369 -+++ linux-2.6.32.46/grsecurity/grsec_link.c 2011-04-17 15:56:46.000000000 -0400
59370 -@@ -0,0 +1,43 @@
59371 -+#include <linux/kernel.h>
59372 -+#include <linux/sched.h>
59373 -+#include <linux/fs.h>
59374 -+#include <linux/file.h>
59375 -+#include <linux/grinternal.h>
59376 -+
59377 -+int
59378 -+gr_handle_follow_link(const struct inode *parent,
59379 -+ const struct inode *inode,
59380 -+ const struct dentry *dentry, const struct vfsmount *mnt)
59381 -+{
59382 -+#ifdef CONFIG_GRKERNSEC_LINK
59383 -+ const struct cred *cred = current_cred();
59384 -+
59385 -+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
59386 -+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
59387 -+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
59388 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
59389 -+ return -EACCES;
59390 -+ }
59391 -+#endif
59392 -+ return 0;
59393 -+}
59394 -+
59395 -+int
59396 -+gr_handle_hardlink(const struct dentry *dentry,
59397 -+ const struct vfsmount *mnt,
59398 -+ struct inode *inode, const int mode, const char *to)
59399 -+{
59400 -+#ifdef CONFIG_GRKERNSEC_LINK
59401 -+ const struct cred *cred = current_cred();
59402 -+
59403 -+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
59404 -+ (!S_ISREG(mode) || (mode & S_ISUID) ||
59405 -+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
59406 -+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
59407 -+ !capable(CAP_FOWNER) && cred->uid) {
59408 -+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
59409 -+ return -EPERM;
59410 -+ }
59411 -+#endif
59412 -+ return 0;
59413 -+}
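Review bot: the condition in gr_handle_hardlink mixes two notions of identity without explanation. Ownership is compared against `cred->fsuid`, but the exemption at the end is `!capable(CAP_FOWNER) && cred->uid`, so a task with real uid 0 is let through on the bare uid test regardless of the capability result. If the capability check is meant to be the authority, the `cred->uid` term is redundant; if both are intended, say why in a comment. A short comment listing the refused cases (non-regular file, setuid, setgid plus group-exec, no read and write access) would also make the five-line expression reviewable.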
59414 -diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grsec_log.c
59415 ---- linux-2.6.32.46/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
59416 -+++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-09-26 10:44:49.000000000 -0400
59417 -@@ -0,0 +1,315 @@
59418 -+#include <linux/kernel.h>
59419 -+#include <linux/sched.h>
59420 -+#include <linux/file.h>
59421 -+#include <linux/tty.h>
59422 -+#include <linux/fs.h>
59423 -+#include <linux/grinternal.h>
59424 -+
59425 -+#ifdef CONFIG_TREE_PREEMPT_RCU
59426 -+#define DISABLE_PREEMPT() preempt_disable()
59427 -+#define ENABLE_PREEMPT() preempt_enable()
59428 -+#else
59429 -+#define DISABLE_PREEMPT()
59430 -+#define ENABLE_PREEMPT()
59431 -+#endif
59432 -+
59433 -+#define BEGIN_LOCKS(x) \
59434 -+ DISABLE_PREEMPT(); \
59435 -+ rcu_read_lock(); \
59436 -+ read_lock(&tasklist_lock); \
59437 -+ read_lock(&grsec_exec_file_lock); \
59438 -+ if (x != GR_DO_AUDIT) \
59439 -+ spin_lock(&grsec_alert_lock); \
59440 -+ else \
59441 -+ spin_lock(&grsec_audit_lock)
59442 -+
59443 -+#define END_LOCKS(x) \
59444 -+ if (x != GR_DO_AUDIT) \
59445 -+ spin_unlock(&grsec_alert_lock); \
59446 -+ else \
59447 -+ spin_unlock(&grsec_audit_lock); \
59448 -+ read_unlock(&grsec_exec_file_lock); \
59449 -+ read_unlock(&tasklist_lock); \
59450 -+ rcu_read_unlock(); \
59451 -+ ENABLE_PREEMPT(); \
59452 -+ if (x == GR_DONT_AUDIT) \
59453 -+ gr_handle_alertkill(current)
59454 -+
59455 -+enum {
59456 -+ FLOODING,
59457 -+ NO_FLOODING
59458 -+};
59459 -+
59460 -+extern char *gr_alert_log_fmt;
59461 -+extern char *gr_audit_log_fmt;
59462 -+extern char *gr_alert_log_buf;
59463 -+extern char *gr_audit_log_buf;
59464 -+
59465 -+static int gr_log_start(int audit)
59466 -+{
59467 -+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
59468 -+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
59469 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59470 -+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
59471 -+ unsigned long curr_secs = get_seconds();
59472 -+
59473 -+ if (audit == GR_DO_AUDIT)
59474 -+ goto set_fmt;
59475 -+
59476 -+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
59477 -+ grsec_alert_wtime = curr_secs;
59478 -+ grsec_alert_fyet = 0;
59479 -+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
59480 -+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
59481 -+ grsec_alert_fyet++;
59482 -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
59483 -+ grsec_alert_wtime = curr_secs;
59484 -+ grsec_alert_fyet++;
59485 -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
59486 -+ return FLOODING;
59487 -+ }
59488 -+ else return FLOODING;
59489 -+
59490 -+set_fmt:
59491 -+#endif
59492 -+ memset(buf, 0, PAGE_SIZE);
59493 -+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
59494 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
59495 -+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59496 -+ } else if (current->signal->curr_ip) {
59497 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
59498 -+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
59499 -+ } else if (gr_acl_is_enabled()) {
59500 -+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
59501 -+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59502 -+ } else {
59503 -+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
59504 -+ strcpy(buf, fmt);
59505 -+ }
59506 -+
59507 -+ return NO_FLOODING;
59508 -+}
59509 -+
59510 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
59511 -+ __attribute__ ((format (printf, 2, 0)));
59512 -+
59513 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
59514 -+{
59515 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59516 -+ unsigned int len = strlen(buf);
59517 -+
59518 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59519 -+
59520 -+ return;
59521 -+}
59522 -+
59523 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
59524 -+ __attribute__ ((format (printf, 2, 3)));
59525 -+
59526 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
59527 -+{
59528 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59529 -+ unsigned int len = strlen(buf);
59530 -+ va_list ap;
59531 -+
59532 -+ va_start(ap, msg);
59533 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59534 -+ va_end(ap);
59535 -+
59536 -+ return;
59537 -+}
59538 -+
59539 -+static void gr_log_end(int audit)
59540 -+{
59541 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59542 -+ unsigned int len = strlen(buf);
59543 -+
59544 -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
59545 -+ printk("%s\n", buf);
59546 -+
59547 -+ return;
59548 -+}
59549 -+
59550 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
59551 -+{
59552 -+ int logtype;
59553 -+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
59554 -+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
59555 -+ void *voidptr = NULL;
59556 -+ int num1 = 0, num2 = 0;
59557 -+ unsigned long ulong1 = 0, ulong2 = 0;
59558 -+ struct dentry *dentry = NULL;
59559 -+ struct vfsmount *mnt = NULL;
59560 -+ struct file *file = NULL;
59561 -+ struct task_struct *task = NULL;
59562 -+ const struct cred *cred, *pcred;
59563 -+ va_list ap;
59564 -+
59565 -+ BEGIN_LOCKS(audit);
59566 -+ logtype = gr_log_start(audit);
59567 -+ if (logtype == FLOODING) {
59568 -+ END_LOCKS(audit);
59569 -+ return;
59570 -+ }
59571 -+ va_start(ap, argtypes);
59572 -+ switch (argtypes) {
59573 -+ case GR_TTYSNIFF:
59574 -+ task = va_arg(ap, struct task_struct *);
59575 -+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
59576 -+ break;
59577 -+ case GR_SYSCTL_HIDDEN:
59578 -+ str1 = va_arg(ap, char *);
59579 -+ gr_log_middle_varargs(audit, msg, result, str1);
59580 -+ break;
59581 -+ case GR_RBAC:
59582 -+ dentry = va_arg(ap, struct dentry *);
59583 -+ mnt = va_arg(ap, struct vfsmount *);
59584 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
59585 -+ break;
59586 -+ case GR_RBAC_STR:
59587 -+ dentry = va_arg(ap, struct dentry *);
59588 -+ mnt = va_arg(ap, struct vfsmount *);
59589 -+ str1 = va_arg(ap, char *);
59590 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
59591 -+ break;
59592 -+ case GR_STR_RBAC:
59593 -+ str1 = va_arg(ap, char *);
59594 -+ dentry = va_arg(ap, struct dentry *);
59595 -+ mnt = va_arg(ap, struct vfsmount *);
59596 -+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
59597 -+ break;
59598 -+ case GR_RBAC_MODE2:
59599 -+ dentry = va_arg(ap, struct dentry *);
59600 -+ mnt = va_arg(ap, struct vfsmount *);
59601 -+ str1 = va_arg(ap, char *);
59602 -+ str2 = va_arg(ap, char *);
59603 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
59604 -+ break;
59605 -+ case GR_RBAC_MODE3:
59606 -+ dentry = va_arg(ap, struct dentry *);
59607 -+ mnt = va_arg(ap, struct vfsmount *);
59608 -+ str1 = va_arg(ap, char *);
59609 -+ str2 = va_arg(ap, char *);
59610 -+ str3 = va_arg(ap, char *);
59611 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
59612 -+ break;
59613 -+ case GR_FILENAME:
59614 -+ dentry = va_arg(ap, struct dentry *);
59615 -+ mnt = va_arg(ap, struct vfsmount *);
59616 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
59617 -+ break;
59618 -+ case GR_STR_FILENAME:
59619 -+ str1 = va_arg(ap, char *);
59620 -+ dentry = va_arg(ap, struct dentry *);
59621 -+ mnt = va_arg(ap, struct vfsmount *);
59622 -+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
59623 -+ break;
59624 -+ case GR_FILENAME_STR:
59625 -+ dentry = va_arg(ap, struct dentry *);
59626 -+ mnt = va_arg(ap, struct vfsmount *);
59627 -+ str1 = va_arg(ap, char *);
59628 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
59629 -+ break;
59630 -+ case GR_FILENAME_TWO_INT:
59631 -+ dentry = va_arg(ap, struct dentry *);
59632 -+ mnt = va_arg(ap, struct vfsmount *);
59633 -+ num1 = va_arg(ap, int);
59634 -+ num2 = va_arg(ap, int);
59635 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59636 -+ break;
59637 -+ case GR_FILENAME_TWO_INT_STR:
59638 -+ dentry = va_arg(ap, struct dentry *);
59639 -+ mnt = va_arg(ap, struct vfsmount *);
59640 -+ num1 = va_arg(ap, int);
59641 -+ num2 = va_arg(ap, int);
59642 -+ str1 = va_arg(ap, char *);
59643 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59644 -+ break;
59645 -+ case GR_TEXTREL:
59646 -+ file = va_arg(ap, struct file *);
59647 -+ ulong1 = va_arg(ap, unsigned long);
59648 -+ ulong2 = va_arg(ap, unsigned long);
59649 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59650 -+ break;
59651 -+ case GR_PTRACE:
59652 -+ task = va_arg(ap, struct task_struct *);
59653 -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59654 -+ break;
59655 -+ case GR_RESOURCE:
59656 -+ task = va_arg(ap, struct task_struct *);
59657 -+ cred = __task_cred(task);
59658 -+ pcred = __task_cred(task->real_parent);
59659 -+ ulong1 = va_arg(ap, unsigned long);
59660 -+ str1 = va_arg(ap, char *);
59661 -+ ulong2 = va_arg(ap, unsigned long);
59662 -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59663 -+ break;
59664 -+ case GR_CAP:
59665 -+ task = va_arg(ap, struct task_struct *);
59666 -+ cred = __task_cred(task);
59667 -+ pcred = __task_cred(task->real_parent);
59668 -+ str1 = va_arg(ap, char *);
59669 -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59670 -+ break;
59671 -+ case GR_SIG:
59672 -+ str1 = va_arg(ap, char *);
59673 -+ voidptr = va_arg(ap, void *);
59674 -+ gr_log_middle_varargs(audit, msg, str1, voidptr);
59675 -+ break;
59676 -+ case GR_SIG2:
59677 -+ task = va_arg(ap, struct task_struct *);
59678 -+ cred = __task_cred(task);
59679 -+ pcred = __task_cred(task->real_parent);
59680 -+ num1 = va_arg(ap, int);
59681 -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59682 -+ break;
59683 -+ case GR_CRASH1:
59684 -+ task = va_arg(ap, struct task_struct *);
59685 -+ cred = __task_cred(task);
59686 -+ pcred = __task_cred(task->real_parent);
59687 -+ ulong1 = va_arg(ap, unsigned long);
59688 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59689 -+ break;
59690 -+ case GR_CRASH2:
59691 -+ task = va_arg(ap, struct task_struct *);
59692 -+ cred = __task_cred(task);
59693 -+ pcred = __task_cred(task->real_parent);
59694 -+ ulong1 = va_arg(ap, unsigned long);
59695 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59696 -+ break;
59697 -+ case GR_RWXMAP:
59698 -+ file = va_arg(ap, struct file *);
59699 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59700 -+ break;
59701 -+ case GR_PSACCT:
59702 -+ {
59703 -+ unsigned int wday, cday;
59704 -+ __u8 whr, chr;
59705 -+ __u8 wmin, cmin;
59706 -+ __u8 wsec, csec;
59707 -+ char cur_tty[64] = { 0 };
59708 -+ char parent_tty[64] = { 0 };
59709 -+
59710 -+ task = va_arg(ap, struct task_struct *);
59711 -+ wday = va_arg(ap, unsigned int);
59712 -+ cday = va_arg(ap, unsigned int);
59713 -+ whr = va_arg(ap, int);
59714 -+ chr = va_arg(ap, int);
59715 -+ wmin = va_arg(ap, int);
59716 -+ cmin = va_arg(ap, int);
59717 -+ wsec = va_arg(ap, int);
59718 -+ csec = va_arg(ap, int);
59719 -+ ulong1 = va_arg(ap, unsigned long);
59720 -+ cred = __task_cred(task);
59721 -+ pcred = __task_cred(task->real_parent);
59722 -+
59723 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59724 -+ }
59725 -+ break;
59726 -+ default:
59727 -+ gr_log_middle(audit, msg, ap);
59728 -+ }
59729 -+ va_end(ap);
59730 -+ gr_log_end(audit);
59731 -+ END_LOCKS(audit);
59732 -+}
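Review bot: BEGIN_LOCKS and END_LOCKS in grsec_log.c are multi-statement macros that contain an unbraced `if (x != GR_DO_AUDIT) ... else ...`, and END_LOCKS ends in a bare `if (x == GR_DONT_AUDIT) gr_handle_alertkill(current)`. They behave here only because gr_log_varargs uses them inside braces. Under an unbraced `if` only the first statement would be conditional, and a following `else` would bind to the macro's trailing `if`. Wrap both bodies in `do { ... } while (0)` and parenthesise `x`. Note also that the FLOODING early return still goes through END_LOCKS, so gr_handle_alertkill(current) runs for GR_DONT_AUDIT even when the message itself was suppressed. If that is intended it deserves a comment next to the early return.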
59733 -diff -urNp linux-2.6.32.46/grsecurity/grsec_mem.c linux-2.6.32.46/grsecurity/grsec_mem.c
59734 ---- linux-2.6.32.46/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59735 -+++ linux-2.6.32.46/grsecurity/grsec_mem.c 2011-04-17 15:56:46.000000000 -0400
59736 -@@ -0,0 +1,33 @@
59737 -+#include <linux/kernel.h>
59738 -+#include <linux/sched.h>
59739 -+#include <linux/mm.h>
59740 -+#include <linux/mman.h>
59741 -+#include <linux/grinternal.h>
59742 -+
59743 -+void
59744 -+gr_handle_ioperm(void)
59745 -+{
59746 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59747 -+ return;
59748 -+}
59749 -+
59750 -+void
59751 -+gr_handle_iopl(void)
59752 -+{
59753 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59754 -+ return;
59755 -+}
59756 -+
59757 -+void
59758 -+gr_handle_mem_readwrite(u64 from, u64 to)
59759 -+{
59760 -+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59761 -+ return;
59762 -+}
59763 -+
59764 -+void
59765 -+gr_handle_vm86(void)
59766 -+{
59767 -+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59768 -+ return;
59769 -+}
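Review bot: the four functions in grsec_mem.c log unconditionally. Unlike the handlers in the neighbouring files there is no `#ifdef CONFIG_GRKERNSEC_*` and no `grsec_enable_*` test, so any gating has to happen at the call sites, which this hunk does not show. Please add a comment stating which option the callers are expected to check. The `gr_handle_` prefix is also misleading for functions that return void and make no decision; elsewhere in this patch `gr_handle_*` returns an error code and `gr_log_*` is used for log-only helpers.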
59770 -diff -urNp linux-2.6.32.46/grsecurity/grsec_mount.c linux-2.6.32.46/grsecurity/grsec_mount.c
59771 ---- linux-2.6.32.46/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59772 -+++ linux-2.6.32.46/grsecurity/grsec_mount.c 2011-06-20 19:47:03.000000000 -0400
59773 -@@ -0,0 +1,62 @@
59774 -+#include <linux/kernel.h>
59775 -+#include <linux/sched.h>
59776 -+#include <linux/mount.h>
59777 -+#include <linux/grsecurity.h>
59778 -+#include <linux/grinternal.h>
59779 -+
59780 -+void
59781 -+gr_log_remount(const char *devname, const int retval)
59782 -+{
59783 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59784 -+ if (grsec_enable_mount && (retval >= 0))
59785 -+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59786 -+#endif
59787 -+ return;
59788 -+}
59789 -+
59790 -+void
59791 -+gr_log_unmount(const char *devname, const int retval)
59792 -+{
59793 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59794 -+ if (grsec_enable_mount && (retval >= 0))
59795 -+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59796 -+#endif
59797 -+ return;
59798 -+}
59799 -+
59800 -+void
59801 -+gr_log_mount(const char *from, const char *to, const int retval)
59802 -+{
59803 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59804 -+ if (grsec_enable_mount && (retval >= 0))
59805 -+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59806 -+#endif
59807 -+ return;
59808 -+}
59809 -+
59810 -+int
59811 -+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59812 -+{
59813 -+#ifdef CONFIG_GRKERNSEC_ROFS
59814 -+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59815 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59816 -+ return -EPERM;
59817 -+ } else
59818 -+ return 0;
59819 -+#endif
59820 -+ return 0;
59821 -+}
59822 -+
59823 -+int
59824 -+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59825 -+{
59826 -+#ifdef CONFIG_GRKERNSEC_ROFS
59827 -+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59828 -+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59829 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59830 -+ return -EPERM;
59831 -+ } else
59832 -+ return 0;
59833 -+#endif
59834 -+ return 0;
59835 -+}
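Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite return -EPERM but log the event with GR_DO_AUDIT. In gr_log_start that value selects KERN_INFO and the audit buffer, and gr_log_varargs maps it to the "successful" result string, whereas the other denials in this patch (gr_handle_fifo, gr_handle_follow_link, gr_handle_hardlink) log with GR_DONT_AUDIT. If the lower severity for a refused operation is deliberate, please document it; otherwise use the alert path. In both functions the `else return 0;` also makes the final `return 0;` after `#endif` unreachable when CONFIG_GRKERNSEC_ROFS is set, so drop the `else` branch and keep the single fall-through return. In gr_log_mount, `from` gets a "none" fallback while `to` is passed through unchecked; a note that `to` can never be NULL would help.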
59836 -diff -urNp linux-2.6.32.46/grsecurity/grsec_pax.c linux-2.6.32.46/grsecurity/grsec_pax.c
59837 ---- linux-2.6.32.46/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59838 -+++ linux-2.6.32.46/grsecurity/grsec_pax.c 2011-04-17 15:56:46.000000000 -0400
59839 -@@ -0,0 +1,36 @@
59840 -+#include <linux/kernel.h>
59841 -+#include <linux/sched.h>
59842 -+#include <linux/mm.h>
59843 -+#include <linux/file.h>
59844 -+#include <linux/grinternal.h>
59845 -+#include <linux/grsecurity.h>
59846 -+
59847 -+void
59848 -+gr_log_textrel(struct vm_area_struct * vma)
59849 -+{
59850 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59851 -+ if (grsec_enable_audit_textrel)
59852 -+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59853 -+#endif
59854 -+ return;
59855 -+}
59856 -+
59857 -+void
59858 -+gr_log_rwxmmap(struct file *file)
59859 -+{
59860 -+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59861 -+ if (grsec_enable_log_rwxmaps)
59862 -+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59863 -+#endif
59864 -+ return;
59865 -+}
59866 -+
59867 -+void
59868 -+gr_log_rwxmprotect(struct file *file)
59869 -+{
59870 -+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59871 -+ if (grsec_enable_log_rwxmaps)
59872 -+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59873 -+#endif
59874 -+ return;
59875 -+}
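Review bot: gr_log_rwxmmap and gr_log_rwxmprotect are named as log helpers but pass GR_DONT_AUDIT, and END_LOCKS in grsec_log.c calls gr_handle_alertkill(current) for exactly that value. If gr_log_rwxmap is routed through gr_log_varargs (the GR_RWXMAP case there suggests it is), these two helpers can do more than write a log line. Please either document that side effect here or, if only a record is wanted, use GR_DONT_AUDIT_GOOD as gr_log_signal does in grsec_sig.c. The two functions differ only in the message constant and could share one static helper.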
59876 -diff -urNp linux-2.6.32.46/grsecurity/grsec_ptrace.c linux-2.6.32.46/grsecurity/grsec_ptrace.c
59877 ---- linux-2.6.32.46/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59878 -+++ linux-2.6.32.46/grsecurity/grsec_ptrace.c 2011-04-17 15:56:46.000000000 -0400
59879 -@@ -0,0 +1,14 @@
59880 -+#include <linux/kernel.h>
59881 -+#include <linux/sched.h>
59882 -+#include <linux/grinternal.h>
59883 -+#include <linux/grsecurity.h>
59884 -+
59885 -+void
59886 -+gr_audit_ptrace(struct task_struct *task)
59887 -+{
59888 -+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59889 -+ if (grsec_enable_audit_ptrace)
59890 -+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59891 -+#endif
59892 -+ return;
59893 -+}
59894 -diff -urNp linux-2.6.32.46/grsecurity/grsec_sig.c linux-2.6.32.46/grsecurity/grsec_sig.c
59895 ---- linux-2.6.32.46/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59896 -+++ linux-2.6.32.46/grsecurity/grsec_sig.c 2011-06-29 19:40:31.000000000 -0400
59897 -@@ -0,0 +1,205 @@
59898 -+#include <linux/kernel.h>
59899 -+#include <linux/sched.h>
59900 -+#include <linux/delay.h>
59901 -+#include <linux/grsecurity.h>
59902 -+#include <linux/grinternal.h>
59903 -+#include <linux/hardirq.h>
59904 -+
59905 -+char *signames[] = {
59906 -+ [SIGSEGV] = "Segmentation fault",
59907 -+ [SIGILL] = "Illegal instruction",
59908 -+ [SIGABRT] = "Abort",
59909 -+ [SIGBUS] = "Invalid alignment/Bus error"
59910 -+};
59911 -+
59912 -+void
59913 -+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59914 -+{
59915 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
59916 -+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59917 -+ (sig == SIGABRT) || (sig == SIGBUS))) {
59918 -+ if (t->pid == current->pid) {
59919 -+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59920 -+ } else {
59921 -+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59922 -+ }
59923 -+ }
59924 -+#endif
59925 -+ return;
59926 -+}
59927 -+
59928 -+int
59929 -+gr_handle_signal(const struct task_struct *p, const int sig)
59930 -+{
59931 -+#ifdef CONFIG_GRKERNSEC
59932 -+ if (current->pid > 1 && gr_check_protected_task(p)) {
59933 -+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59934 -+ return -EPERM;
59935 -+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59936 -+ return -EPERM;
59937 -+ }
59938 -+#endif
59939 -+ return 0;
59940 -+}
59941 -+
59942 -+#ifdef CONFIG_GRKERNSEC
59943 -+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59944 -+
59945 -+int gr_fake_force_sig(int sig, struct task_struct *t)
59946 -+{
59947 -+ unsigned long int flags;
59948 -+ int ret, blocked, ignored;
59949 -+ struct k_sigaction *action;
59950 -+
59951 -+ spin_lock_irqsave(&t->sighand->siglock, flags);
59952 -+ action = &t->sighand->action[sig-1];
59953 -+ ignored = action->sa.sa_handler == SIG_IGN;
59954 -+ blocked = sigismember(&t->blocked, sig);
59955 -+ if (blocked || ignored) {
59956 -+ action->sa.sa_handler = SIG_DFL;
59957 -+ if (blocked) {
59958 -+ sigdelset(&t->blocked, sig);
59959 -+ recalc_sigpending_and_wake(t);
59960 -+ }
59961 -+ }
59962 -+ if (action->sa.sa_handler == SIG_DFL)
59963 -+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
59964 -+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59965 -+
59966 -+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
59967 -+
59968 -+ return ret;
59969 -+}
59970 -+#endif
59971 -+
59972 -+#ifdef CONFIG_GRKERNSEC_BRUTE
59973 -+#define GR_USER_BAN_TIME (15 * 60)
59974 -+
59975 -+static int __get_dumpable(unsigned long mm_flags)
59976 -+{
59977 -+ int ret;
59978 -+
59979 -+ ret = mm_flags & MMF_DUMPABLE_MASK;
59980 -+ return (ret >= 2) ? 2 : ret;
59981 -+}
59982 -+#endif
59983 -+
59984 -+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59985 -+{
59986 -+#ifdef CONFIG_GRKERNSEC_BRUTE
59987 -+ uid_t uid = 0;
59988 -+
59989 -+ if (!grsec_enable_brute)
59990 -+ return;
59991 -+
59992 -+ rcu_read_lock();
59993 -+ read_lock(&tasklist_lock);
59994 -+ read_lock(&grsec_exec_file_lock);
59995 -+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
59996 -+ p->real_parent->brute = 1;
59997 -+ else {
59998 -+ const struct cred *cred = __task_cred(p), *cred2;
59999 -+ struct task_struct *tsk, *tsk2;
60000 -+
60001 -+ if (!__get_dumpable(mm_flags) && cred->uid) {
60002 -+ struct user_struct *user;
60003 -+
60004 -+ uid = cred->uid;
60005 -+
60006 -+ /* this is put upon execution past expiration */
60007 -+ user = find_user(uid);
60008 -+ if (user == NULL)
60009 -+ goto unlock;
60010 -+ user->banned = 1;
60011 -+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
60012 -+ if (user->ban_expires == ~0UL)
60013 -+ user->ban_expires--;
60014 -+
60015 -+ do_each_thread(tsk2, tsk) {
60016 -+ cred2 = __task_cred(tsk);
60017 -+ if (tsk != p && cred2->uid == uid)
60018 -+ gr_fake_force_sig(SIGKILL, tsk);
60019 -+ } while_each_thread(tsk2, tsk);
60020 -+ }
60021 -+ }
60022 -+unlock:
60023 -+ read_unlock(&grsec_exec_file_lock);
60024 -+ read_unlock(&tasklist_lock);
60025 -+ rcu_read_unlock();
60026 -+
60027 -+ if (uid)
60028 -+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
60029 -+#endif
60030 -+ return;
60031 -+}
60032 -+
60033 -+void gr_handle_brute_check(void)
60034 -+{
60035 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60036 -+ if (current->brute)
60037 -+ msleep(30 * 1000);
60038 -+#endif
60039 -+ return;
60040 -+}
60041 -+
60042 -+void gr_handle_kernel_exploit(void)
60043 -+{
60044 -+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
60045 -+ const struct cred *cred;
60046 -+ struct task_struct *tsk, *tsk2;
60047 -+ struct user_struct *user;
60048 -+ uid_t uid;
60049 -+
60050 -+ if (in_irq() || in_serving_softirq() || in_nmi())
60051 -+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
60052 -+
60053 -+ uid = current_uid();
60054 -+
60055 -+ if (uid == 0)
60056 -+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
60057 -+ else {
60058 -+ /* kill all the processes of this user, hold a reference
60059 -+ to their creds struct, and prevent them from creating
60060 -+ another process until system reset
60061 -+ */
60062 -+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
60063 -+ /* we intentionally leak this ref */
60064 -+ user = get_uid(current->cred->user);
60065 -+ if (user) {
60066 -+ user->banned = 1;
60067 -+ user->ban_expires = ~0UL;
60068 -+ }
60069 -+
60070 -+ read_lock(&tasklist_lock);
60071 -+ do_each_thread(tsk2, tsk) {
60072 -+ cred = __task_cred(tsk);
60073 -+ if (cred->uid == uid)
60074 -+ gr_fake_force_sig(SIGKILL, tsk);
60075 -+ } while_each_thread(tsk2, tsk);
60076 -+ read_unlock(&tasklist_lock);
60077 -+ }
60078 -+#endif
60079 -+}
60080 -+
60081 -+int __gr_process_user_ban(struct user_struct *user)
60082 -+{
60083 -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60084 -+ if (unlikely(user->banned)) {
60085 -+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
60086 -+ user->banned = 0;
60087 -+ user->ban_expires = 0;
60088 -+ free_uid(user);
60089 -+ } else
60090 -+ return -EPERM;
60091 -+ }
60092 -+#endif
60093 -+ return 0;
60094 -+}
60095 -+
60096 -+int gr_process_user_ban(void)
60097 -+{
60098 -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60099 -+ return __gr_process_user_ban(current->cred->user);
60100 -+#endif
60101 -+ return 0;
60102 -+}
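Review bot: in gr_handle_brute_attach() of grsec_sig.c, find_user(uid) takes a reference on every call, but user->banned is set without checking whether it was already set, while __gr_process_user_ban() drops only one reference when the ban expires. If a second crash for the same uid is handled while a ban is still active, the extra reference is never released. Suggest testing user->banned first and calling free_uid(user) when it is already set. Separately, __gr_process_user_ban() tests and clears banned and ban_expires with no lock visible here, so two tasks of the same user reaching it at expiry could both call free_uid(user).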
60103 -diff -urNp linux-2.6.32.46/grsecurity/grsec_sock.c linux-2.6.32.46/grsecurity/grsec_sock.c
60104 ---- linux-2.6.32.46/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
60105 -+++ linux-2.6.32.46/grsecurity/grsec_sock.c 2011-04-17 15:56:46.000000000 -0400
60106 -@@ -0,0 +1,275 @@
60107 -+#include <linux/kernel.h>
60108 -+#include <linux/module.h>
60109 -+#include <linux/sched.h>
60110 -+#include <linux/file.h>
60111 -+#include <linux/net.h>
60112 -+#include <linux/in.h>
60113 -+#include <linux/ip.h>
60114 -+#include <net/sock.h>
60115 -+#include <net/inet_sock.h>
60116 -+#include <linux/grsecurity.h>
60117 -+#include <linux/grinternal.h>
60118 -+#include <linux/gracl.h>
60119 -+
60120 -+kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
60121 -+EXPORT_SYMBOL(gr_cap_rtnetlink);
60122 -+
60123 -+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
60124 -+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
60125 -+
60126 -+EXPORT_SYMBOL(gr_search_udp_recvmsg);
60127 -+EXPORT_SYMBOL(gr_search_udp_sendmsg);
60128 -+
60129 -+#ifdef CONFIG_UNIX_MODULE
60130 -+EXPORT_SYMBOL(gr_acl_handle_unix);
60131 -+EXPORT_SYMBOL(gr_acl_handle_mknod);
60132 -+EXPORT_SYMBOL(gr_handle_chroot_unix);
60133 -+EXPORT_SYMBOL(gr_handle_create);
60134 -+#endif
60135 -+
60136 -+#ifdef CONFIG_GRKERNSEC
60137 -+#define gr_conn_table_size 32749
60138 -+struct conn_table_entry {
60139 -+ struct conn_table_entry *next;
60140 -+ struct signal_struct *sig;
60141 -+};
60142 -+
60143 -+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
60144 -+DEFINE_SPINLOCK(gr_conn_table_lock);
60145 -+
60146 -+extern const char * gr_socktype_to_name(unsigned char type);
60147 -+extern const char * gr_proto_to_name(unsigned char proto);
60148 -+extern const char * gr_sockfamily_to_name(unsigned char family);
60149 -+
60150 -+static __inline__ int
60151 -+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
60152 -+{
60153 -+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
60154 -+}
60155 -+
60156 -+static __inline__ int
60157 -+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
60158 -+ __u16 sport, __u16 dport)
60159 -+{
60160 -+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
60161 -+ sig->gr_sport == sport && sig->gr_dport == dport))
60162 -+ return 1;
60163 -+ else
60164 -+ return 0;
60165 -+}
60166 -+
60167 -+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
60168 -+{
60169 -+ struct conn_table_entry **match;
60170 -+ unsigned int index;
60171 -+
60172 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60173 -+ sig->gr_sport, sig->gr_dport,
60174 -+ gr_conn_table_size);
60175 -+
60176 -+ newent->sig = sig;
60177 -+
60178 -+ match = &gr_conn_table[index];
60179 -+ newent->next = *match;
60180 -+ *match = newent;
60181 -+
60182 -+ return;
60183 -+}
60184 -+
60185 -+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
60186 -+{
60187 -+ struct conn_table_entry *match, *last = NULL;
60188 -+ unsigned int index;
60189 -+
60190 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60191 -+ sig->gr_sport, sig->gr_dport,
60192 -+ gr_conn_table_size);
60193 -+
60194 -+ match = gr_conn_table[index];
60195 -+ while (match && !conn_match(match->sig,
60196 -+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
60197 -+ sig->gr_dport)) {
60198 -+ last = match;
60199 -+ match = match->next;
60200 -+ }
60201 -+
60202 -+ if (match) {
60203 -+ if (last)
60204 -+ last->next = match->next;
60205 -+ else
60206 -+ gr_conn_table[index] = NULL;
60207 -+ kfree(match);
60208 -+ }
60209 -+
60210 -+ return;
60211 -+}
60212 -+
60213 -+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
60214 -+ __u16 sport, __u16 dport)
60215 -+{
60216 -+ struct conn_table_entry *match;
60217 -+ unsigned int index;
60218 -+
60219 -+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
60220 -+
60221 -+ match = gr_conn_table[index];
60222 -+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
60223 -+ match = match->next;
60224 -+
60225 -+ if (match)
60226 -+ return match->sig;
60227 -+ else
60228 -+ return NULL;
60229 -+}
60230 -+
60231 -+#endif
60232 -+
60233 -+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
60234 -+{
60235 -+#ifdef CONFIG_GRKERNSEC
60236 -+ struct signal_struct *sig = task->signal;
60237 -+ struct conn_table_entry *newent;
60238 -+
60239 -+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
60240 -+ if (newent == NULL)
60241 -+ return;
60242 -+ /* no bh lock needed since we are called with bh disabled */
60243 -+ spin_lock(&gr_conn_table_lock);
60244 -+ gr_del_task_from_ip_table_nolock(sig);
60245 -+ sig->gr_saddr = inet->rcv_saddr;
60246 -+ sig->gr_daddr = inet->daddr;
60247 -+ sig->gr_sport = inet->sport;
60248 -+ sig->gr_dport = inet->dport;
60249 -+ gr_add_to_task_ip_table_nolock(sig, newent);
60250 -+ spin_unlock(&gr_conn_table_lock);
60251 -+#endif
60252 -+ return;
60253 -+}
60254 -+
60255 -+void gr_del_task_from_ip_table(struct task_struct *task)
60256 -+{
60257 -+#ifdef CONFIG_GRKERNSEC
60258 -+ spin_lock_bh(&gr_conn_table_lock);
60259 -+ gr_del_task_from_ip_table_nolock(task->signal);
60260 -+ spin_unlock_bh(&gr_conn_table_lock);
60261 -+#endif
60262 -+ return;
60263 -+}
60264 -+
60265 -+void
60266 -+gr_attach_curr_ip(const struct sock *sk)
60267 -+{
60268 -+#ifdef CONFIG_GRKERNSEC
60269 -+ struct signal_struct *p, *set;
60270 -+ const struct inet_sock *inet = inet_sk(sk);
60271 -+
60272 -+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
60273 -+ return;
60274 -+
60275 -+ set = current->signal;
60276 -+
60277 -+ spin_lock_bh(&gr_conn_table_lock);
60278 -+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
60279 -+ inet->dport, inet->sport);
60280 -+ if (unlikely(p != NULL)) {
60281 -+ set->curr_ip = p->curr_ip;
60282 -+ set->used_accept = 1;
60283 -+ gr_del_task_from_ip_table_nolock(p);
60284 -+ spin_unlock_bh(&gr_conn_table_lock);
60285 -+ return;
60286 -+ }
60287 -+ spin_unlock_bh(&gr_conn_table_lock);
60288 -+
60289 -+ set->curr_ip = inet->daddr;
60290 -+ set->used_accept = 1;
60291 -+#endif
60292 -+ return;
60293 -+}
60294 -+
60295 -+int
60296 -+gr_handle_sock_all(const int family, const int type, const int protocol)
60297 -+{
60298 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60299 -+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
60300 -+ (family != AF_UNIX)) {
60301 -+ if (family == AF_INET)
60302 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
60303 -+ else
60304 -+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
60305 -+ return -EACCES;
60306 -+ }
60307 -+#endif
60308 -+ return 0;
60309 -+}
60310 -+
60311 -+int
60312 -+gr_handle_sock_server(const struct sockaddr *sck)
60313 -+{
60314 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60315 -+ if (grsec_enable_socket_server &&
60316 -+ in_group_p(grsec_socket_server_gid) &&
60317 -+ sck && (sck->sa_family != AF_UNIX) &&
60318 -+ (sck->sa_family != AF_LOCAL)) {
60319 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60320 -+ return -EACCES;
60321 -+ }
60322 -+#endif
60323 -+ return 0;
60324 -+}
60325 -+
60326 -+int
60327 -+gr_handle_sock_server_other(const struct sock *sck)
60328 -+{
60329 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60330 -+ if (grsec_enable_socket_server &&
60331 -+ in_group_p(grsec_socket_server_gid) &&
60332 -+ sck && (sck->sk_family != AF_UNIX) &&
60333 -+ (sck->sk_family != AF_LOCAL)) {
60334 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60335 -+ return -EACCES;
60336 -+ }
60337 -+#endif
60338 -+ return 0;
60339 -+}
60340 -+
60341 -+int
60342 -+gr_handle_sock_client(const struct sockaddr *sck)
60343 -+{
60344 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60345 -+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
60346 -+ sck && (sck->sa_family != AF_UNIX) &&
60347 -+ (sck->sa_family != AF_LOCAL)) {
60348 -+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
60349 -+ return -EACCES;
60350 -+ }
60351 -+#endif
60352 -+ return 0;
60353 -+}
60354 -+
60355 -+kernel_cap_t
60356 -+gr_cap_rtnetlink(struct sock *sock)
60357 -+{
60358 -+#ifdef CONFIG_GRKERNSEC
60359 -+ if (!gr_acl_is_enabled())
60360 -+ return current_cap();
60361 -+ else if (sock->sk_protocol == NETLINK_ISCSI &&
60362 -+ cap_raised(current_cap(), CAP_SYS_ADMIN) &&
60363 -+ gr_is_capable(CAP_SYS_ADMIN))
60364 -+ return current_cap();
60365 -+ else if (sock->sk_protocol == NETLINK_AUDIT &&
60366 -+ cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
60367 -+ gr_is_capable(CAP_AUDIT_WRITE) &&
60368 -+ cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
60369 -+ gr_is_capable(CAP_AUDIT_CONTROL))
60370 -+ return current_cap();
60371 -+ else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
60372 -+ ((sock->sk_protocol == NETLINK_ROUTE) ?
60373 -+ gr_is_capable_nolog(CAP_NET_ADMIN) :
60374 -+ gr_is_capable(CAP_NET_ADMIN)))
60375 -+ return current_cap();
60376 -+ else
60377 -+ return __cap_empty_set;
60378 -+#else
60379 -+ return current_cap();
60380 -+#endif
60381 -+}
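Review bot: gr_del_task_from_ip_table_nolock() in grsec_sock.c drops the rest of the hash chain when the matching entry is the bucket head, because the else branch sets gr_conn_table[index] = NULL instead of match->next. gr_add_to_task_ip_table_nolock() inserts at the head, so any older entries in that bucket become unreachable for gr_lookup_task_ip_table() and are never passed to kfree(). Suggest `gr_conn_table[index] = match->next;` in that branch.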
60382 -diff -urNp linux-2.6.32.46/grsecurity/grsec_sysctl.c linux-2.6.32.46/grsecurity/grsec_sysctl.c
60383 ---- linux-2.6.32.46/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
60384 -+++ linux-2.6.32.46/grsecurity/grsec_sysctl.c 2011-08-11 19:57:54.000000000 -0400
60385 -@@ -0,0 +1,479 @@
60386 -+#include <linux/kernel.h>
60387 -+#include <linux/sched.h>
60388 -+#include <linux/sysctl.h>
60389 -+#include <linux/grsecurity.h>
60390 -+#include <linux/grinternal.h>
60391 -+
60392 -+int
60393 -+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
60394 -+{
60395 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
60396 -+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
60397 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
60398 -+ return -EACCES;
60399 -+ }
60400 -+#endif
60401 -+ return 0;
60402 -+}
60403 -+
60404 -+#ifdef CONFIG_GRKERNSEC_ROFS
60405 -+static int __maybe_unused one = 1;
60406 -+#endif
60407 -+
60408 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
60409 -+ctl_table grsecurity_table[] = {
60410 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
60411 -+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
60412 -+#ifdef CONFIG_GRKERNSEC_IO
60413 -+ {
60414 -+ .ctl_name = CTL_UNNUMBERED,
60415 -+ .procname = "disable_priv_io",
60416 -+ .data = &grsec_disable_privio,
60417 -+ .maxlen = sizeof(int),
60418 -+ .mode = 0600,
60419 -+ .proc_handler = &proc_dointvec,
60420 -+ },
60421 -+#endif
60422 -+#endif
60423 -+#ifdef CONFIG_GRKERNSEC_LINK
60424 -+ {
60425 -+ .ctl_name = CTL_UNNUMBERED,
60426 -+ .procname = "linking_restrictions",
60427 -+ .data = &grsec_enable_link,
60428 -+ .maxlen = sizeof(int),
60429 -+ .mode = 0600,
60430 -+ .proc_handler = &proc_dointvec,
60431 -+ },
60432 -+#endif
60433 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60434 -+ {
60435 -+ .ctl_name = CTL_UNNUMBERED,
60436 -+ .procname = "deter_bruteforce",
60437 -+ .data = &grsec_enable_brute,
60438 -+ .maxlen = sizeof(int),
60439 -+ .mode = 0600,
60440 -+ .proc_handler = &proc_dointvec,
60441 -+ },
60442 -+#endif
60443 -+#ifdef CONFIG_GRKERNSEC_FIFO
60444 -+ {
60445 -+ .ctl_name = CTL_UNNUMBERED,
60446 -+ .procname = "fifo_restrictions",
60447 -+ .data = &grsec_enable_fifo,
60448 -+ .maxlen = sizeof(int),
60449 -+ .mode = 0600,
60450 -+ .proc_handler = &proc_dointvec,
60451 -+ },
60452 -+#endif
60453 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
60454 -+ {
60455 -+ .ctl_name = CTL_UNNUMBERED,
60456 -+ .procname = "ip_blackhole",
60457 -+ .data = &grsec_enable_blackhole,
60458 -+ .maxlen = sizeof(int),
60459 -+ .mode = 0600,
60460 -+ .proc_handler = &proc_dointvec,
60461 -+ },
60462 -+ {
60463 -+ .ctl_name = CTL_UNNUMBERED,
60464 -+ .procname = "lastack_retries",
60465 -+ .data = &grsec_lastack_retries,
60466 -+ .maxlen = sizeof(int),
60467 -+ .mode = 0600,
60468 -+ .proc_handler = &proc_dointvec,
60469 -+ },
60470 -+#endif
60471 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
60472 -+ {
60473 -+ .ctl_name = CTL_UNNUMBERED,
60474 -+ .procname = "exec_logging",
60475 -+ .data = &grsec_enable_execlog,
60476 -+ .maxlen = sizeof(int),
60477 -+ .mode = 0600,
60478 -+ .proc_handler = &proc_dointvec,
60479 -+ },
60480 -+#endif
60481 -+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
60482 -+ {
60483 -+ .ctl_name = CTL_UNNUMBERED,
60484 -+ .procname = "rwxmap_logging",
60485 -+ .data = &grsec_enable_log_rwxmaps,
60486 -+ .maxlen = sizeof(int),
60487 -+ .mode = 0600,
60488 -+ .proc_handler = &proc_dointvec,
60489 -+ },
60490 -+#endif
60491 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
60492 -+ {
60493 -+ .ctl_name = CTL_UNNUMBERED,
60494 -+ .procname = "signal_logging",
60495 -+ .data = &grsec_enable_signal,
60496 -+ .maxlen = sizeof(int),
60497 -+ .mode = 0600,
60498 -+ .proc_handler = &proc_dointvec,
60499 -+ },
60500 -+#endif
60501 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60502 -+ {
60503 -+ .ctl_name = CTL_UNNUMBERED,
60504 -+ .procname = "forkfail_logging",
60505 -+ .data = &grsec_enable_forkfail,
60506 -+ .maxlen = sizeof(int),
60507 -+ .mode = 0600,
60508 -+ .proc_handler = &proc_dointvec,
60509 -+ },
60510 -+#endif
60511 -+#ifdef CONFIG_GRKERNSEC_TIME
60512 -+ {
60513 -+ .ctl_name = CTL_UNNUMBERED,
60514 -+ .procname = "timechange_logging",
60515 -+ .data = &grsec_enable_time,
60516 -+ .maxlen = sizeof(int),
60517 -+ .mode = 0600,
60518 -+ .proc_handler = &proc_dointvec,
60519 -+ },
60520 -+#endif
60521 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
60522 -+ {
60523 -+ .ctl_name = CTL_UNNUMBERED,
60524 -+ .procname = "chroot_deny_shmat",
60525 -+ .data = &grsec_enable_chroot_shmat,
60526 -+ .maxlen = sizeof(int),
60527 -+ .mode = 0600,
60528 -+ .proc_handler = &proc_dointvec,
60529 -+ },
60530 -+#endif
60531 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
60532 -+ {
60533 -+ .ctl_name = CTL_UNNUMBERED,
60534 -+ .procname = "chroot_deny_unix",
60535 -+ .data = &grsec_enable_chroot_unix,
60536 -+ .maxlen = sizeof(int),
60537 -+ .mode = 0600,
60538 -+ .proc_handler = &proc_dointvec,
60539 -+ },
60540 -+#endif
60541 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
60542 -+ {
60543 -+ .ctl_name = CTL_UNNUMBERED,
60544 -+ .procname = "chroot_deny_mount",
60545 -+ .data = &grsec_enable_chroot_mount,
60546 -+ .maxlen = sizeof(int),
60547 -+ .mode = 0600,
60548 -+ .proc_handler = &proc_dointvec,
60549 -+ },
60550 -+#endif
60551 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
60552 -+ {
60553 -+ .ctl_name = CTL_UNNUMBERED,
60554 -+ .procname = "chroot_deny_fchdir",
60555 -+ .data = &grsec_enable_chroot_fchdir,
60556 -+ .maxlen = sizeof(int),
60557 -+ .mode = 0600,
60558 -+ .proc_handler = &proc_dointvec,
60559 -+ },
60560 -+#endif
60561 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
60562 -+ {
60563 -+ .ctl_name = CTL_UNNUMBERED,
60564 -+ .procname = "chroot_deny_chroot",
60565 -+ .data = &grsec_enable_chroot_double,
60566 -+ .maxlen = sizeof(int),
60567 -+ .mode = 0600,
60568 -+ .proc_handler = &proc_dointvec,
60569 -+ },
60570 -+#endif
60571 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
60572 -+ {
60573 -+ .ctl_name = CTL_UNNUMBERED,
60574 -+ .procname = "chroot_deny_pivot",
60575 -+ .data = &grsec_enable_chroot_pivot,
60576 -+ .maxlen = sizeof(int),
60577 -+ .mode = 0600,
60578 -+ .proc_handler = &proc_dointvec,
60579 -+ },
60580 -+#endif
60581 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
60582 -+ {
60583 -+ .ctl_name = CTL_UNNUMBERED,
60584 -+ .procname = "chroot_enforce_chdir",
60585 -+ .data = &grsec_enable_chroot_chdir,
60586 -+ .maxlen = sizeof(int),
60587 -+ .mode = 0600,
60588 -+ .proc_handler = &proc_dointvec,
60589 -+ },
60590 -+#endif
60591 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
60592 -+ {
60593 -+ .ctl_name = CTL_UNNUMBERED,
60594 -+ .procname = "chroot_deny_chmod",
60595 -+ .data = &grsec_enable_chroot_chmod,
60596 -+ .maxlen = sizeof(int),
60597 -+ .mode = 0600,
60598 -+ .proc_handler = &proc_dointvec,
60599 -+ },
60600 -+#endif
60601 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
60602 -+ {
60603 -+ .ctl_name = CTL_UNNUMBERED,
60604 -+ .procname = "chroot_deny_mknod",
60605 -+ .data = &grsec_enable_chroot_mknod,
60606 -+ .maxlen = sizeof(int),
60607 -+ .mode = 0600,
60608 -+ .proc_handler = &proc_dointvec,
60609 -+ },
60610 -+#endif
60611 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
60612 -+ {
60613 -+ .ctl_name = CTL_UNNUMBERED,
60614 -+ .procname = "chroot_restrict_nice",
60615 -+ .data = &grsec_enable_chroot_nice,
60616 -+ .maxlen = sizeof(int),
60617 -+ .mode = 0600,
60618 -+ .proc_handler = &proc_dointvec,
60619 -+ },
60620 -+#endif
60621 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
60622 -+ {
60623 -+ .ctl_name = CTL_UNNUMBERED,
60624 -+ .procname = "chroot_execlog",
60625 -+ .data = &grsec_enable_chroot_execlog,
60626 -+ .maxlen = sizeof(int),
60627 -+ .mode = 0600,
60628 -+ .proc_handler = &proc_dointvec,
60629 -+ },
60630 -+#endif
60631 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60632 -+ {
60633 -+ .ctl_name = CTL_UNNUMBERED,
60634 -+ .procname = "chroot_caps",
60635 -+ .data = &grsec_enable_chroot_caps,
60636 -+ .maxlen = sizeof(int),
60637 -+ .mode = 0600,
60638 -+ .proc_handler = &proc_dointvec,
60639 -+ },
60640 -+#endif
60641 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60642 -+ {
60643 -+ .ctl_name = CTL_UNNUMBERED,
60644 -+ .procname = "chroot_deny_sysctl",
60645 -+ .data = &grsec_enable_chroot_sysctl,
60646 -+ .maxlen = sizeof(int),
60647 -+ .mode = 0600,
60648 -+ .proc_handler = &proc_dointvec,
60649 -+ },
60650 -+#endif
60651 -+#ifdef CONFIG_GRKERNSEC_TPE
60652 -+ {
60653 -+ .ctl_name = CTL_UNNUMBERED,
60654 -+ .procname = "tpe",
60655 -+ .data = &grsec_enable_tpe,
60656 -+ .maxlen = sizeof(int),
60657 -+ .mode = 0600,
60658 -+ .proc_handler = &proc_dointvec,
60659 -+ },
60660 -+ {
60661 -+ .ctl_name = CTL_UNNUMBERED,
60662 -+ .procname = "tpe_gid",
60663 -+ .data = &grsec_tpe_gid,
60664 -+ .maxlen = sizeof(int),
60665 -+ .mode = 0600,
60666 -+ .proc_handler = &proc_dointvec,
60667 -+ },
60668 -+#endif
60669 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60670 -+ {
60671 -+ .ctl_name = CTL_UNNUMBERED,
60672 -+ .procname = "tpe_invert",
60673 -+ .data = &grsec_enable_tpe_invert,
60674 -+ .maxlen = sizeof(int),
60675 -+ .mode = 0600,
60676 -+ .proc_handler = &proc_dointvec,
60677 -+ },
60678 -+#endif
60679 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60680 -+ {
60681 -+ .ctl_name = CTL_UNNUMBERED,
60682 -+ .procname = "tpe_restrict_all",
60683 -+ .data = &grsec_enable_tpe_all,
60684 -+ .maxlen = sizeof(int),
60685 -+ .mode = 0600,
60686 -+ .proc_handler = &proc_dointvec,
60687 -+ },
60688 -+#endif
60689 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60690 -+ {
60691 -+ .ctl_name = CTL_UNNUMBERED,
60692 -+ .procname = "socket_all",
60693 -+ .data = &grsec_enable_socket_all,
60694 -+ .maxlen = sizeof(int),
60695 -+ .mode = 0600,
60696 -+ .proc_handler = &proc_dointvec,
60697 -+ },
60698 -+ {
60699 -+ .ctl_name = CTL_UNNUMBERED,
60700 -+ .procname = "socket_all_gid",
60701 -+ .data = &grsec_socket_all_gid,
60702 -+ .maxlen = sizeof(int),
60703 -+ .mode = 0600,
60704 -+ .proc_handler = &proc_dointvec,
60705 -+ },
60706 -+#endif
60707 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60708 -+ {
60709 -+ .ctl_name = CTL_UNNUMBERED,
60710 -+ .procname = "socket_client",
60711 -+ .data = &grsec_enable_socket_client,
60712 -+ .maxlen = sizeof(int),
60713 -+ .mode = 0600,
60714 -+ .proc_handler = &proc_dointvec,
60715 -+ },
60716 -+ {
60717 -+ .ctl_name = CTL_UNNUMBERED,
60718 -+ .procname = "socket_client_gid",
60719 -+ .data = &grsec_socket_client_gid,
60720 -+ .maxlen = sizeof(int),
60721 -+ .mode = 0600,
60722 -+ .proc_handler = &proc_dointvec,
60723 -+ },
60724 -+#endif
60725 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60726 -+ {
60727 -+ .ctl_name = CTL_UNNUMBERED,
60728 -+ .procname = "socket_server",
60729 -+ .data = &grsec_enable_socket_server,
60730 -+ .maxlen = sizeof(int),
60731 -+ .mode = 0600,
60732 -+ .proc_handler = &proc_dointvec,
60733 -+ },
60734 -+ {
60735 -+ .ctl_name = CTL_UNNUMBERED,
60736 -+ .procname = "socket_server_gid",
60737 -+ .data = &grsec_socket_server_gid,
60738 -+ .maxlen = sizeof(int),
60739 -+ .mode = 0600,
60740 -+ .proc_handler = &proc_dointvec,
60741 -+ },
60742 -+#endif
60743 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60744 -+ {
60745 -+ .ctl_name = CTL_UNNUMBERED,
60746 -+ .procname = "audit_group",
60747 -+ .data = &grsec_enable_group,
60748 -+ .maxlen = sizeof(int),
60749 -+ .mode = 0600,
60750 -+ .proc_handler = &proc_dointvec,
60751 -+ },
60752 -+ {
60753 -+ .ctl_name = CTL_UNNUMBERED,
60754 -+ .procname = "audit_gid",
60755 -+ .data = &grsec_audit_gid,
60756 -+ .maxlen = sizeof(int),
60757 -+ .mode = 0600,
60758 -+ .proc_handler = &proc_dointvec,
60759 -+ },
60760 -+#endif
60761 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60762 -+ {
60763 -+ .ctl_name = CTL_UNNUMBERED,
60764 -+ .procname = "audit_chdir",
60765 -+ .data = &grsec_enable_chdir,
60766 -+ .maxlen = sizeof(int),
60767 -+ .mode = 0600,
60768 -+ .proc_handler = &proc_dointvec,
60769 -+ },
60770 -+#endif
60771 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60772 -+ {
60773 -+ .ctl_name = CTL_UNNUMBERED,
60774 -+ .procname = "audit_mount",
60775 -+ .data = &grsec_enable_mount,
60776 -+ .maxlen = sizeof(int),
60777 -+ .mode = 0600,
60778 -+ .proc_handler = &proc_dointvec,
60779 -+ },
60780 -+#endif
60781 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60782 -+ {
60783 -+ .ctl_name = CTL_UNNUMBERED,
60784 -+ .procname = "audit_textrel",
60785 -+ .data = &grsec_enable_audit_textrel,
60786 -+ .maxlen = sizeof(int),
60787 -+ .mode = 0600,
60788 -+ .proc_handler = &proc_dointvec,
60789 -+ },
60790 -+#endif
60791 -+#ifdef CONFIG_GRKERNSEC_DMESG
60792 -+ {
60793 -+ .ctl_name = CTL_UNNUMBERED,
60794 -+ .procname = "dmesg",
60795 -+ .data = &grsec_enable_dmesg,
60796 -+ .maxlen = sizeof(int),
60797 -+ .mode = 0600,
60798 -+ .proc_handler = &proc_dointvec,
60799 -+ },
60800 -+#endif
60801 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60802 -+ {
60803 -+ .ctl_name = CTL_UNNUMBERED,
60804 -+ .procname = "chroot_findtask",
60805 -+ .data = &grsec_enable_chroot_findtask,
60806 -+ .maxlen = sizeof(int),
60807 -+ .mode = 0600,
60808 -+ .proc_handler = &proc_dointvec,
60809 -+ },
60810 -+#endif
60811 -+#ifdef CONFIG_GRKERNSEC_RESLOG
60812 -+ {
60813 -+ .ctl_name = CTL_UNNUMBERED,
60814 -+ .procname = "resource_logging",
60815 -+ .data = &grsec_resource_logging,
60816 -+ .maxlen = sizeof(int),
60817 -+ .mode = 0600,
60818 -+ .proc_handler = &proc_dointvec,
60819 -+ },
60820 -+#endif
60821 -+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60822 -+ {
60823 -+ .ctl_name = CTL_UNNUMBERED,
60824 -+ .procname = "audit_ptrace",
60825 -+ .data = &grsec_enable_audit_ptrace,
60826 -+ .maxlen = sizeof(int),
60827 -+ .mode = 0600,
60828 -+ .proc_handler = &proc_dointvec,
60829 -+ },
60830 -+#endif
60831 -+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60832 -+ {
60833 -+ .ctl_name = CTL_UNNUMBERED,
60834 -+ .procname = "harden_ptrace",
60835 -+ .data = &grsec_enable_harden_ptrace,
60836 -+ .maxlen = sizeof(int),
60837 -+ .mode = 0600,
60838 -+ .proc_handler = &proc_dointvec,
60839 -+ },
60840 -+#endif
60841 -+ {
60842 -+ .ctl_name = CTL_UNNUMBERED,
60843 -+ .procname = "grsec_lock",
60844 -+ .data = &grsec_lock,
60845 -+ .maxlen = sizeof(int),
60846 -+ .mode = 0600,
60847 -+ .proc_handler = &proc_dointvec,
60848 -+ },
60849 -+#endif
60850 -+#ifdef CONFIG_GRKERNSEC_ROFS
60851 -+ {
60852 -+ .ctl_name = CTL_UNNUMBERED,
60853 -+ .procname = "romount_protect",
60854 -+ .data = &grsec_enable_rofs,
60855 -+ .maxlen = sizeof(int),
60856 -+ .mode = 0600,
60857 -+ .proc_handler = &proc_dointvec_minmax,
60858 -+ .extra1 = &one,
60859 -+ .extra2 = &one,
60860 -+ },
60861 -+#endif
60862 -+ { .ctl_name = 0 }
60863 -+};
60864 -+#endif
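Review bot: the gid entries in grsecurity_table (tpe_gid, socket_all_gid, socket_client_gid, socket_server_gid, audit_gid) use proc_dointvec with no bounds, so a negative value is accepted and stored. Suggest proc_dointvec_minmax with a lower bound of zero, the handler romount_protect already uses with extra1 and extra2. The romount_protect entry also needs a comment stating that extra1 == extra2 == &one makes it a one-way switch that can only be written as 1, since that is not obvious from the table alone.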
60865 -diff -urNp linux-2.6.32.46/grsecurity/grsec_time.c linux-2.6.32.46/grsecurity/grsec_time.c
60866 ---- linux-2.6.32.46/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60867 -+++ linux-2.6.32.46/grsecurity/grsec_time.c 2011-04-17 15:56:46.000000000 -0400
60868 -@@ -0,0 +1,16 @@
60869 -+#include <linux/kernel.h>
60870 -+#include <linux/sched.h>
60871 -+#include <linux/grinternal.h>
60872 -+#include <linux/module.h>
60873 -+
60874 -+void
60875 -+gr_log_timechange(void)
60876 -+{
60877 -+#ifdef CONFIG_GRKERNSEC_TIME
60878 -+ if (grsec_enable_time)
60879 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60880 -+#endif
60881 -+ return;
60882 -+}
60883 -+
60884 -+EXPORT_SYMBOL(gr_log_timechange);
60885 -diff -urNp linux-2.6.32.46/grsecurity/grsec_tpe.c linux-2.6.32.46/grsecurity/grsec_tpe.c
60886 ---- linux-2.6.32.46/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60887 -+++ linux-2.6.32.46/grsecurity/grsec_tpe.c 2011-04-17 15:56:46.000000000 -0400
60888 -@@ -0,0 +1,39 @@
60889 -+#include <linux/kernel.h>
60890 -+#include <linux/sched.h>
60891 -+#include <linux/file.h>
60892 -+#include <linux/fs.h>
60893 -+#include <linux/grinternal.h>
60894 -+
60895 -+extern int gr_acl_tpe_check(void);
60896 -+
60897 -+int
60898 -+gr_tpe_allow(const struct file *file)
60899 -+{
60900 -+#ifdef CONFIG_GRKERNSEC
60901 -+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60902 -+ const struct cred *cred = current_cred();
60903 -+
60904 -+ if (cred->uid && ((grsec_enable_tpe &&
60905 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60906 -+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60907 -+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60908 -+#else
60909 -+ in_group_p(grsec_tpe_gid)
60910 -+#endif
60911 -+ ) || gr_acl_tpe_check()) &&
60912 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60913 -+ (inode->i_mode & S_IWOTH))))) {
60914 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60915 -+ return 0;
60916 -+ }
60917 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60918 -+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60919 -+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60920 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60921 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60922 -+ return 0;
60923 -+ }
60924 -+#endif
60925 -+#endif
60926 -+ return 1;
60927 -+}
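Review bot: gr_tpe_allow() reads file->f_path.dentry->d_parent->d_inode with no lock or reference held on the parent, so a concurrent rename can change d_parent between the dereference and the i_uid/i_mode checks that follow. Suggest taking the parent with dget_parent() and releasing it with dput() once the checks are done. Style point in the first condition: in `(inode->i_uid || (!inode->i_uid && ...))` the `!inode->i_uid &&` term is redundant and can be dropped.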
60928 -diff -urNp linux-2.6.32.46/grsecurity/grsum.c linux-2.6.32.46/grsecurity/grsum.c
60929 ---- linux-2.6.32.46/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60930 -+++ linux-2.6.32.46/grsecurity/grsum.c 2011-04-17 15:56:46.000000000 -0400
60931 -@@ -0,0 +1,61 @@
60932 -+#include <linux/err.h>
60933 -+#include <linux/kernel.h>
60934 -+#include <linux/sched.h>
60935 -+#include <linux/mm.h>
60936 -+#include <linux/scatterlist.h>
60937 -+#include <linux/crypto.h>
60938 -+#include <linux/gracl.h>
60939 -+
60940 -+
60941 -+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60942 -+#error "crypto and sha256 must be built into the kernel"
60943 -+#endif
60944 -+
60945 -+int
60946 -+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60947 -+{
60948 -+ char *p;
60949 -+ struct crypto_hash *tfm;
60950 -+ struct hash_desc desc;
60951 -+ struct scatterlist sg;
60952 -+ unsigned char temp_sum[GR_SHA_LEN];
60953 -+ volatile int retval = 0;
60954 -+ volatile int dummy = 0;
60955 -+ unsigned int i;
60956 -+
60957 -+ sg_init_table(&sg, 1);
60958 -+
60959 -+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60960 -+ if (IS_ERR(tfm)) {
60961 -+ /* should never happen, since sha256 should be built in */
60962 -+ return 1;
60963 -+ }
60964 -+
60965 -+ desc.tfm = tfm;
60966 -+ desc.flags = 0;
60967 -+
60968 -+ crypto_hash_init(&desc);
60969 -+
60970 -+ p = salt;
60971 -+ sg_set_buf(&sg, p, GR_SALT_LEN);
60972 -+ crypto_hash_update(&desc, &sg, sg.length);
60973 -+
60974 -+ p = entry->pw;
60975 -+ sg_set_buf(&sg, p, strlen(p));
60976 -+
60977 -+ crypto_hash_update(&desc, &sg, sg.length);
60978 -+
60979 -+ crypto_hash_final(&desc, temp_sum);
60980 -+
60981 -+ memset(entry->pw, 0, GR_PW_LEN);
60982 -+
60983 -+ for (i = 0; i < GR_SHA_LEN; i++)
60984 -+ if (sum[i] != temp_sum[i])
60985 -+ retval = 1;
60986 -+ else
60987 -+ dummy = 1; // waste a cycle
60988 -+
60989 -+ crypto_free_hash(tfm);
60990 -+
60991 -+ return retval;
60992 -+}
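Review bot: the comparison loop at the end of chkpw() still branches on every byte of the secret and relies on a `volatile int dummy` store to balance the two arms; accumulate the difference without a branch instead, e.g. `diff |= sum[i] ^ temp_sum[i];`, and return `diff != 0`. The early `return 1` after crypto_alloc_hash() fails skips `memset(entry->pw, 0, GR_PW_LEN)`, so the password stays in memory on that path. The return values of crypto_hash_init(), crypto_hash_update() and crypto_hash_final() are ignored, and temp_sum is not cleared before returning.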
60993 -diff -urNp linux-2.6.32.46/include/acpi/acpi_bus.h linux-2.6.32.46/include/acpi/acpi_bus.h
60994 ---- linux-2.6.32.46/include/acpi/acpi_bus.h 2011-03-27 14:31:47.000000000 -0400
60995 -+++ linux-2.6.32.46/include/acpi/acpi_bus.h 2011-08-05 20:33:55.000000000 -0400
60996 -@@ -107,7 +107,7 @@ struct acpi_device_ops {
60997 - acpi_op_bind bind;
60998 - acpi_op_unbind unbind;
60999 - acpi_op_notify notify;
61000 --};
61001 -+} __no_const;
61002 -
61003 - #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
61004 -
61005 -diff -urNp linux-2.6.32.46/include/acpi/acpi_drivers.h linux-2.6.32.46/include/acpi/acpi_drivers.h
61006 ---- linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-03-27 14:31:47.000000000 -0400
61007 -+++ linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-04-17 15:56:46.000000000 -0400
61008 -@@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
61009 - Dock Station
61010 - -------------------------------------------------------------------------- */
61011 - struct acpi_dock_ops {
61012 -- acpi_notify_handler handler;
61013 -- acpi_notify_handler uevent;
61014 -+ const acpi_notify_handler handler;
61015 -+ const acpi_notify_handler uevent;
61016 - };
61017 -
61018 - #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
61019 -@@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
61020 - extern int register_dock_notifier(struct notifier_block *nb);
61021 - extern void unregister_dock_notifier(struct notifier_block *nb);
61022 - extern int register_hotplug_dock_device(acpi_handle handle,
61023 -- struct acpi_dock_ops *ops,
61024 -+ const struct acpi_dock_ops *ops,
61025 - void *context);
61026 - extern void unregister_hotplug_dock_device(acpi_handle handle);
61027 - #else
61028 -@@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61029 - {
61030 - }
61031 - static inline int register_hotplug_dock_device(acpi_handle handle,
61032 -- struct acpi_dock_ops *ops,
61033 -+ const struct acpi_dock_ops *ops,
61034 - void *context)
61035 - {
61036 - return -ENODEV;
61037 -diff -urNp linux-2.6.32.46/include/asm-generic/atomic-long.h linux-2.6.32.46/include/asm-generic/atomic-long.h
61038 ---- linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-03-27 14:31:47.000000000 -0400
61039 -+++ linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-07-13 22:21:25.000000000 -0400
61040 -@@ -22,6 +22,12 @@
61041 -
61042 - typedef atomic64_t atomic_long_t;
61043 -
61044 -+#ifdef CONFIG_PAX_REFCOUNT
61045 -+typedef atomic64_unchecked_t atomic_long_unchecked_t;
61046 -+#else
61047 -+typedef atomic64_t atomic_long_unchecked_t;
61048 -+#endif
61049 -+
61050 - #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61051 -
61052 - static inline long atomic_long_read(atomic_long_t *l)
61053 -@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61054 - return (long)atomic64_read(v);
61055 - }
61056 -
61057 -+#ifdef CONFIG_PAX_REFCOUNT
61058 -+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61059 -+{
61060 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61061 -+
61062 -+ return (long)atomic64_read_unchecked(v);
61063 -+}
61064 -+#endif
61065 -+
61066 - static inline void atomic_long_set(atomic_long_t *l, long i)
61067 - {
61068 - atomic64_t *v = (atomic64_t *)l;
61069 -@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61070 - atomic64_set(v, i);
61071 - }
61072 -
61073 -+#ifdef CONFIG_PAX_REFCOUNT
61074 -+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61075 -+{
61076 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61077 -+
61078 -+ atomic64_set_unchecked(v, i);
61079 -+}
61080 -+#endif
61081 -+
61082 - static inline void atomic_long_inc(atomic_long_t *l)
61083 - {
61084 - atomic64_t *v = (atomic64_t *)l;
61085 -@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61086 - atomic64_inc(v);
61087 - }
61088 -
61089 -+#ifdef CONFIG_PAX_REFCOUNT
61090 -+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61091 -+{
61092 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61093 -+
61094 -+ atomic64_inc_unchecked(v);
61095 -+}
61096 -+#endif
61097 -+
61098 - static inline void atomic_long_dec(atomic_long_t *l)
61099 - {
61100 - atomic64_t *v = (atomic64_t *)l;
61101 -@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61102 - atomic64_dec(v);
61103 - }
61104 -
61105 -+#ifdef CONFIG_PAX_REFCOUNT
61106 -+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61107 -+{
61108 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61109 -+
61110 -+ atomic64_dec_unchecked(v);
61111 -+}
61112 -+#endif
61113 -+
61114 - static inline void atomic_long_add(long i, atomic_long_t *l)
61115 - {
61116 - atomic64_t *v = (atomic64_t *)l;
61117 -@@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61118 - atomic64_add(i, v);
61119 - }
61120 -
61121 -+#ifdef CONFIG_PAX_REFCOUNT
61122 -+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61123 -+{
61124 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61125 -+
61126 -+ atomic64_add_unchecked(i, v);
61127 -+}
61128 -+#endif
61129 -+
61130 - static inline void atomic_long_sub(long i, atomic_long_t *l)
61131 - {
61132 - atomic64_t *v = (atomic64_t *)l;
61133 -@@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
61134 - return (long)atomic64_inc_return(v);
61135 - }
61136 -
61137 -+#ifdef CONFIG_PAX_REFCOUNT
61138 -+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61139 -+{
61140 -+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61141 -+
61142 -+ return (long)atomic64_inc_return_unchecked(v);
61143 -+}
61144 -+#endif
61145 -+
61146 - static inline long atomic_long_dec_return(atomic_long_t *l)
61147 - {
61148 - atomic64_t *v = (atomic64_t *)l;
61149 -@@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
61150 -
61151 - typedef atomic_t atomic_long_t;
61152 -
61153 -+#ifdef CONFIG_PAX_REFCOUNT
61154 -+typedef atomic_unchecked_t atomic_long_unchecked_t;
61155 -+#else
61156 -+typedef atomic_t atomic_long_unchecked_t;
61157 -+#endif
61158 -+
61159 - #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61160 - static inline long atomic_long_read(atomic_long_t *l)
61161 - {
61162 -@@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
61163 - return (long)atomic_read(v);
61164 - }
61165 -
61166 -+#ifdef CONFIG_PAX_REFCOUNT
61167 -+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61168 -+{
61169 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61170 -+
61171 -+ return (long)atomic_read_unchecked(v);
61172 -+}
61173 -+#endif
61174 -+
61175 - static inline void atomic_long_set(atomic_long_t *l, long i)
61176 - {
61177 - atomic_t *v = (atomic_t *)l;
61178 -@@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
61179 - atomic_set(v, i);
61180 - }
61181 -
61182 -+#ifdef CONFIG_PAX_REFCOUNT
61183 -+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61184 -+{
61185 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61186 -+
61187 -+ atomic_set_unchecked(v, i);
61188 -+}
61189 -+#endif
61190 -+
61191 - static inline void atomic_long_inc(atomic_long_t *l)
61192 - {
61193 - atomic_t *v = (atomic_t *)l;
61194 -@@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
61195 - atomic_inc(v);
61196 - }
61197 -
61198 -+#ifdef CONFIG_PAX_REFCOUNT
61199 -+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61200 -+{
61201 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61202 -+
61203 -+ atomic_inc_unchecked(v);
61204 -+}
61205 -+#endif
61206 -+
61207 - static inline void atomic_long_dec(atomic_long_t *l)
61208 - {
61209 - atomic_t *v = (atomic_t *)l;
61210 -@@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
61211 - atomic_dec(v);
61212 - }
61213 -
61214 -+#ifdef CONFIG_PAX_REFCOUNT
61215 -+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61216 -+{
61217 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61218 -+
61219 -+ atomic_dec_unchecked(v);
61220 -+}
61221 -+#endif
61222 -+
61223 - static inline void atomic_long_add(long i, atomic_long_t *l)
61224 - {
61225 - atomic_t *v = (atomic_t *)l;
61226 -@@ -176,6 +278,15 @@ static inline void atomic_long_add(long
61227 - atomic_add(i, v);
61228 - }
61229 -
61230 -+#ifdef CONFIG_PAX_REFCOUNT
61231 -+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61232 -+{
61233 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61234 -+
61235 -+ atomic_add_unchecked(i, v);
61236 -+}
61237 -+#endif
61238 -+
61239 - static inline void atomic_long_sub(long i, atomic_long_t *l)
61240 - {
61241 - atomic_t *v = (atomic_t *)l;
61242 -@@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
61243 - return (long)atomic_inc_return(v);
61244 - }
61245 -
61246 -+#ifdef CONFIG_PAX_REFCOUNT
61247 -+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61248 -+{
61249 -+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61250 -+
61251 -+ return (long)atomic_inc_return_unchecked(v);
61252 -+}
61253 -+#endif
61254 -+
61255 - static inline long atomic_long_dec_return(atomic_long_t *l)
61256 - {
61257 - atomic_t *v = (atomic_t *)l;
61258 -@@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
61259 -
61260 - #endif /* BITS_PER_LONG == 64 */
61261 -
61262 -+#ifdef CONFIG_PAX_REFCOUNT
61263 -+static inline void pax_refcount_needs_these_functions(void)
61264 -+{
61265 -+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
61266 -+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61267 -+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61268 -+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61269 -+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61270 -+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61271 -+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61272 -+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61273 -+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61274 -+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61275 -+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61276 -+
61277 -+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61278 -+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61279 -+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61280 -+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61281 -+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61282 -+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61283 -+}
61284 -+#else
61285 -+#define atomic_read_unchecked(v) atomic_read(v)
61286 -+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61287 -+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61288 -+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61289 -+#define atomic_inc_unchecked(v) atomic_inc(v)
61290 -+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61291 -+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61292 -+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61293 -+#define atomic_dec_unchecked(v) atomic_dec(v)
61294 -+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61295 -+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61296 -+
61297 -+#define atomic_long_read_unchecked(v) atomic_long_read(v)
61298 -+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61299 -+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61300 -+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61301 -+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61302 -+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61303 -+#endif
61304 -+
61305 - #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
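Review bot: pax_refcount_needs_these_functions() passes NULL to every *_unchecked helper and carries no comment saying why it exists; document that it is there only to make the build fail when an architecture lacks one of these helpers and that it must never be called. The list of calls and the fallback macros in the #else branch have to be kept in sync by hand, which is worth stating in the same comment.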
61306 -diff -urNp linux-2.6.32.46/include/asm-generic/bug.h linux-2.6.32.46/include/asm-generic/bug.h
61307 ---- linux-2.6.32.46/include/asm-generic/bug.h 2011-07-13 17:23:04.000000000 -0400
61308 -+++ linux-2.6.32.46/include/asm-generic/bug.h 2011-08-21 17:56:07.000000000 -0400
61309 -@@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
61310 -
61311 - #else /* !CONFIG_BUG */
61312 - #ifndef HAVE_ARCH_BUG
61313 --#define BUG() do {} while(0)
61314 -+#define BUG() do { for (;;) ; } while(0)
61315 - #endif
61316 -
61317 - #ifndef HAVE_ARCH_BUG_ON
61318 --#define BUG_ON(condition) do { if (condition) ; } while(0)
61319 -+#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
61320 - #endif
61321 -
61322 - #ifndef HAVE_ARCH_WARN_ON
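Review bot: with CONFIG_BUG disabled, BUG() and BUG_ON() now spin in `for (;;) ;` and nothing in the hunk says why; add a comment that the loop exists so execution never continues past a failed assertion, since callers are written on the assumption that BUG() does not return. A reader who finds a silently hung CPU on a !CONFIG_BUG kernel will otherwise have no pointer back to this macro.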
61323 -diff -urNp linux-2.6.32.46/include/asm-generic/cache.h linux-2.6.32.46/include/asm-generic/cache.h
61324 ---- linux-2.6.32.46/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400
61325 -+++ linux-2.6.32.46/include/asm-generic/cache.h 2011-07-06 19:53:33.000000000 -0400
61326 -@@ -6,7 +6,7 @@
61327 - * cache lines need to provide their own cache.h.
61328 - */
61329 -
61330 --#define L1_CACHE_SHIFT 5
61331 --#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61332 -+#define L1_CACHE_SHIFT 5UL
61333 -+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
61334 -
61335 - #endif /* __ASM_GENERIC_CACHE_H */
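Review bot: the literals `5UL` and `1UL` in L1_CACHE_SHIFT and L1_CACHE_BYTES are not accepted by the assembler, so this breaks any .S file that reaches the header; the pgtable-nopmd.h and pgtable-nopud.h hunks of this same patch use `_AC(1,UL)` for exactly that case. Use `_AC(5,UL)` and `_AC(1,UL)` here as well, or state that the header is C-only.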
61336 -diff -urNp linux-2.6.32.46/include/asm-generic/dma-mapping-common.h linux-2.6.32.46/include/asm-generic/dma-mapping-common.h
61337 ---- linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-03-27 14:31:47.000000000 -0400
61338 -+++ linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-04-17 15:56:46.000000000 -0400
61339 -@@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61340 - enum dma_data_direction dir,
61341 - struct dma_attrs *attrs)
61342 - {
61343 -- struct dma_map_ops *ops = get_dma_ops(dev);
61344 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61345 - dma_addr_t addr;
61346 -
61347 - kmemcheck_mark_initialized(ptr, size);
61348 -@@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61349 - enum dma_data_direction dir,
61350 - struct dma_attrs *attrs)
61351 - {
61352 -- struct dma_map_ops *ops = get_dma_ops(dev);
61353 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61354 -
61355 - BUG_ON(!valid_dma_direction(dir));
61356 - if (ops->unmap_page)
61357 -@@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61358 - int nents, enum dma_data_direction dir,
61359 - struct dma_attrs *attrs)
61360 - {
61361 -- struct dma_map_ops *ops = get_dma_ops(dev);
61362 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61363 - int i, ents;
61364 - struct scatterlist *s;
61365 -
61366 -@@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61367 - int nents, enum dma_data_direction dir,
61368 - struct dma_attrs *attrs)
61369 - {
61370 -- struct dma_map_ops *ops = get_dma_ops(dev);
61371 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61372 -
61373 - BUG_ON(!valid_dma_direction(dir));
61374 - debug_dma_unmap_sg(dev, sg, nents, dir);
61375 -@@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61376 - size_t offset, size_t size,
61377 - enum dma_data_direction dir)
61378 - {
61379 -- struct dma_map_ops *ops = get_dma_ops(dev);
61380 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61381 - dma_addr_t addr;
61382 -
61383 - kmemcheck_mark_initialized(page_address(page) + offset, size);
61384 -@@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61385 - static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61386 - size_t size, enum dma_data_direction dir)
61387 - {
61388 -- struct dma_map_ops *ops = get_dma_ops(dev);
61389 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61390 -
61391 - BUG_ON(!valid_dma_direction(dir));
61392 - if (ops->unmap_page)
61393 -@@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61394 - size_t size,
61395 - enum dma_data_direction dir)
61396 - {
61397 -- struct dma_map_ops *ops = get_dma_ops(dev);
61398 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61399 -
61400 - BUG_ON(!valid_dma_direction(dir));
61401 - if (ops->sync_single_for_cpu)
61402 -@@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61403 - dma_addr_t addr, size_t size,
61404 - enum dma_data_direction dir)
61405 - {
61406 -- struct dma_map_ops *ops = get_dma_ops(dev);
61407 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61408 -
61409 - BUG_ON(!valid_dma_direction(dir));
61410 - if (ops->sync_single_for_device)
61411 -@@ -123,7 +123,7 @@ static inline void dma_sync_single_range
61412 - size_t size,
61413 - enum dma_data_direction dir)
61414 - {
61415 -- struct dma_map_ops *ops = get_dma_ops(dev);
61416 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61417 -
61418 - BUG_ON(!valid_dma_direction(dir));
61419 - if (ops->sync_single_range_for_cpu) {
61420 -@@ -140,7 +140,7 @@ static inline void dma_sync_single_range
61421 - size_t size,
61422 - enum dma_data_direction dir)
61423 - {
61424 -- struct dma_map_ops *ops = get_dma_ops(dev);
61425 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61426 -
61427 - BUG_ON(!valid_dma_direction(dir));
61428 - if (ops->sync_single_range_for_device) {
61429 -@@ -155,7 +155,7 @@ static inline void
61430 - dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61431 - int nelems, enum dma_data_direction dir)
61432 - {
61433 -- struct dma_map_ops *ops = get_dma_ops(dev);
61434 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61435 -
61436 - BUG_ON(!valid_dma_direction(dir));
61437 - if (ops->sync_sg_for_cpu)
61438 -@@ -167,7 +167,7 @@ static inline void
61439 - dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61440 - int nelems, enum dma_data_direction dir)
61441 - {
61442 -- struct dma_map_ops *ops = get_dma_ops(dev);
61443 -+ const struct dma_map_ops *ops = get_dma_ops(dev);
61444 -
61445 - BUG_ON(!valid_dma_direction(dir));
61446 - if (ops->sync_sg_for_device)
61447 -diff -urNp linux-2.6.32.46/include/asm-generic/emergency-restart.h linux-2.6.32.46/include/asm-generic/emergency-restart.h
61448 ---- linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
61449 -+++ linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-08-21 19:17:17.000000000 -0400
61450 -@@ -1,7 +1,7 @@
61451 - #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
61452 - #define _ASM_GENERIC_EMERGENCY_RESTART_H
61453 -
61454 --static inline void machine_emergency_restart(void)
61455 -+static inline __noreturn void machine_emergency_restart(void)
61456 - {
61457 - machine_restart(NULL);
61458 - }
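Review bot: machine_emergency_restart() is now marked __noreturn, but its body only calls machine_restart(NULL), whose declaration this hunk does not touch; unless machine_restart() is itself declared __noreturn the compiler will warn that a noreturn function can return, and the behaviour is undefined if it ever does. Annotate machine_restart() in the same change or end the function with an explicit infinite loop.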
61459 -diff -urNp linux-2.6.32.46/include/asm-generic/futex.h linux-2.6.32.46/include/asm-generic/futex.h
61460 ---- linux-2.6.32.46/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400
61461 -+++ linux-2.6.32.46/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400
61462 -@@ -6,7 +6,7 @@
61463 - #include <asm/errno.h>
61464 -
61465 - static inline int
61466 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
61467 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
61468 - {
61469 - int op = (encoded_op >> 28) & 7;
61470 - int cmp = (encoded_op >> 24) & 15;
61471 -@@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
61472 - }
61473 -
61474 - static inline int
61475 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
61476 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
61477 - {
61478 - return -ENOSYS;
61479 - }
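Review bot: uaddr becomes `u32 __user *` in futex_atomic_cmpxchg_inatomic(), but oldval and newval stay `int`, so the values compared with and stored to *uaddr are signed while the target is unsigned; change them to u32 in the same patch. The same prototype change has to be applied to every architecture override of these two functions, which is worth saying in the patch description.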
61480 -diff -urNp linux-2.6.32.46/include/asm-generic/int-l64.h linux-2.6.32.46/include/asm-generic/int-l64.h
61481 ---- linux-2.6.32.46/include/asm-generic/int-l64.h 2011-03-27 14:31:47.000000000 -0400
61482 -+++ linux-2.6.32.46/include/asm-generic/int-l64.h 2011-04-17 15:56:46.000000000 -0400
61483 -@@ -46,6 +46,8 @@ typedef unsigned int u32;
61484 - typedef signed long s64;
61485 - typedef unsigned long u64;
61486 -
61487 -+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61488 -+
61489 - #define S8_C(x) x
61490 - #define U8_C(x) x ## U
61491 - #define S16_C(x) x
61492 -diff -urNp linux-2.6.32.46/include/asm-generic/int-ll64.h linux-2.6.32.46/include/asm-generic/int-ll64.h
61493 ---- linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-03-27 14:31:47.000000000 -0400
61494 -+++ linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-04-17 15:56:46.000000000 -0400
61495 -@@ -51,6 +51,8 @@ typedef unsigned int u32;
61496 - typedef signed long long s64;
61497 - typedef unsigned long long u64;
61498 -
61499 -+typedef unsigned long long intoverflow_t;
61500 -+
61501 - #define S8_C(x) x
61502 - #define U8_C(x) x ## U
61503 - #define S16_C(x) x
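Review bot: intoverflow_t is added with no comment on what it is for or how wide it has to be. Here it is `unsigned long long`, the same width as u64, so a size computation carried out in intoverflow_t can only expose overflow when the operands are narrower than 64 bits; the int-l64.h counterpart uses a 128-bit TI-mode type. State the width requirement next to the typedef.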
61504 -diff -urNp linux-2.6.32.46/include/asm-generic/kmap_types.h linux-2.6.32.46/include/asm-generic/kmap_types.h
61505 ---- linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
61506 -+++ linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
61507 -@@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
61508 - KMAP_D(16) KM_IRQ_PTE,
61509 - KMAP_D(17) KM_NMI,
61510 - KMAP_D(18) KM_NMI_PTE,
61511 --KMAP_D(19) KM_TYPE_NR
61512 -+KMAP_D(19) KM_CLEARPAGE,
61513 -+KMAP_D(20) KM_TYPE_NR
61514 - };
61515 -
61516 - #undef KMAP_D
61517 -diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h
61518 ---- linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-03-27 14:31:47.000000000 -0400
61519 -+++ linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:56:46.000000000 -0400
61520 -@@ -1,14 +1,19 @@
61521 - #ifndef _PGTABLE_NOPMD_H
61522 - #define _PGTABLE_NOPMD_H
61523 -
61524 --#ifndef __ASSEMBLY__
61525 --
61526 - #include <asm-generic/pgtable-nopud.h>
61527 -
61528 --struct mm_struct;
61529 --
61530 - #define __PAGETABLE_PMD_FOLDED
61531 -
61532 -+#define PMD_SHIFT PUD_SHIFT
61533 -+#define PTRS_PER_PMD 1
61534 -+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61535 -+#define PMD_MASK (~(PMD_SIZE-1))
61536 -+
61537 -+#ifndef __ASSEMBLY__
61538 -+
61539 -+struct mm_struct;
61540 -+
61541 - /*
61542 - * Having the pmd type consist of a pud gets the size right, and allows
61543 - * us to conceptually access the pud entry that this pmd is folded into
61544 -@@ -16,11 +21,6 @@ struct mm_struct;
61545 - */
61546 - typedef struct { pud_t pud; } pmd_t;
61547 -
61548 --#define PMD_SHIFT PUD_SHIFT
61549 --#define PTRS_PER_PMD 1
61550 --#define PMD_SIZE (1UL << PMD_SHIFT)
61551 --#define PMD_MASK (~(PMD_SIZE-1))
61552 --
61553 - /*
61554 - * The "pud_xxx()" functions here are trivial for a folded two-level
61555 - * setup: the pmd is never bad, and a pmd always exists (as it's folded
61556 -diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopud.h linux-2.6.32.46/include/asm-generic/pgtable-nopud.h
61557 ---- linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-03-27 14:31:47.000000000 -0400
61558 -+++ linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-04-17 15:56:46.000000000 -0400
61559 -@@ -1,10 +1,15 @@
61560 - #ifndef _PGTABLE_NOPUD_H
61561 - #define _PGTABLE_NOPUD_H
61562 -
61563 --#ifndef __ASSEMBLY__
61564 --
61565 - #define __PAGETABLE_PUD_FOLDED
61566 -
61567 -+#define PUD_SHIFT PGDIR_SHIFT
61568 -+#define PTRS_PER_PUD 1
61569 -+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61570 -+#define PUD_MASK (~(PUD_SIZE-1))
61571 -+
61572 -+#ifndef __ASSEMBLY__
61573 -+
61574 - /*
61575 - * Having the pud type consist of a pgd gets the size right, and allows
61576 - * us to conceptually access the pgd entry that this pud is folded into
61577 -@@ -12,11 +17,6 @@
61578 - */
61579 - typedef struct { pgd_t pgd; } pud_t;
61580 -
61581 --#define PUD_SHIFT PGDIR_SHIFT
61582 --#define PTRS_PER_PUD 1
61583 --#define PUD_SIZE (1UL << PUD_SHIFT)
61584 --#define PUD_MASK (~(PUD_SIZE-1))
61585 --
61586 - /*
61587 - * The "pgd_xxx()" functions here are trivial for a folded two-level
61588 - * setup: the pud is never bad, and a pud always exists (as it's folded
61589 -diff -urNp linux-2.6.32.46/include/asm-generic/pgtable.h linux-2.6.32.46/include/asm-generic/pgtable.h
61590 ---- linux-2.6.32.46/include/asm-generic/pgtable.h 2011-03-27 14:31:47.000000000 -0400
61591 -+++ linux-2.6.32.46/include/asm-generic/pgtable.h 2011-04-17 15:56:46.000000000 -0400
61592 -@@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
61593 - unsigned long size);
61594 - #endif
61595 -
61596 -+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61597 -+static inline unsigned long pax_open_kernel(void) { return 0; }
61598 -+#endif
61599 -+
61600 -+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61601 -+static inline unsigned long pax_close_kernel(void) { return 0; }
61602 -+#endif
61603 -+
61604 - #endif /* !__ASSEMBLY__ */
61605 -
61606 - #endif /* _ASM_GENERIC_PGTABLE_H */
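Review bot: the generic pax_open_kernel() and pax_close_kernel() stubs return 0 with no comment on the contract: what the return value means, that the calls must be paired, and that on an architecture without __HAVE_ARCH_PAX_OPEN_KERNEL they do nothing at all. Add a short comment above the stubs so callers do not assume protection that is absent on such architectures.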
61607 -diff -urNp linux-2.6.32.46/include/asm-generic/vmlinux.lds.h linux-2.6.32.46/include/asm-generic/vmlinux.lds.h
61608 ---- linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-03-27 14:31:47.000000000 -0400
61609 -+++ linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-04-17 15:56:46.000000000 -0400
61610 -@@ -199,6 +199,7 @@
61611 - .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61612 - VMLINUX_SYMBOL(__start_rodata) = .; \
61613 - *(.rodata) *(.rodata.*) \
61614 -+ *(.data.read_only) \
61615 - *(__vermagic) /* Kernel version magic */ \
61616 - *(__markers_strings) /* Markers: strings */ \
61617 - *(__tracepoints_strings)/* Tracepoints: strings */ \
61618 -@@ -656,22 +657,24 @@
61619 - * section in the linker script will go there too. @phdr should have
61620 - * a leading colon.
61621 - *
61622 -- * Note that this macros defines __per_cpu_load as an absolute symbol.
61623 -+ * Note that this macros defines per_cpu_load as an absolute symbol.
61624 - * If there is no need to put the percpu section at a predetermined
61625 - * address, use PERCPU().
61626 - */
61627 - #define PERCPU_VADDR(vaddr, phdr) \
61628 -- VMLINUX_SYMBOL(__per_cpu_load) = .; \
61629 -- .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
61630 -+ per_cpu_load = .; \
61631 -+ .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
61632 - - LOAD_OFFSET) { \
61633 -+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
61634 - VMLINUX_SYMBOL(__per_cpu_start) = .; \
61635 - *(.data.percpu.first) \
61636 -- *(.data.percpu.page_aligned) \
61637 - *(.data.percpu) \
61638 -+ . = ALIGN(PAGE_SIZE); \
61639 -+ *(.data.percpu.page_aligned) \
61640 - *(.data.percpu.shared_aligned) \
61641 - VMLINUX_SYMBOL(__per_cpu_end) = .; \
61642 - } phdr \
61643 -- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
61644 -+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
61645 -
61646 - /**
61647 - * PERCPU - define output section for percpu area, simple version
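Review bot: in PERCPU_VADDR the new symbol is assigned as bare `per_cpu_load = .;` but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the AT() expression and in the final location assignment; on a target where VMLINUX_SYMBOL() adds a prefix these are two different names, so wrap the assignment as well. The header comment now says the macro defines per_cpu_load, yet __per_cpu_load is still defined inside the section as `. + per_cpu_load`; the comment should describe both symbols and why .data.percpu.page_aligned moved behind an explicit ALIGN(PAGE_SIZE).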
61648 -diff -urNp linux-2.6.32.46/include/drm/drmP.h linux-2.6.32.46/include/drm/drmP.h
61649 ---- linux-2.6.32.46/include/drm/drmP.h 2011-03-27 14:31:47.000000000 -0400
61650 -+++ linux-2.6.32.46/include/drm/drmP.h 2011-04-17 15:56:46.000000000 -0400
61651 -@@ -71,6 +71,7 @@
61652 - #include <linux/workqueue.h>
61653 - #include <linux/poll.h>
61654 - #include <asm/pgalloc.h>
61655 -+#include <asm/local.h>
61656 - #include "drm.h"
61657 -
61658 - #include <linux/idr.h>
61659 -@@ -814,7 +815,7 @@ struct drm_driver {
61660 - void (*vgaarb_irq)(struct drm_device *dev, bool state);
61661 -
61662 - /* Driver private ops for this object */
61663 -- struct vm_operations_struct *gem_vm_ops;
61664 -+ const struct vm_operations_struct *gem_vm_ops;
61665 -
61666 - int major;
61667 - int minor;
61668 -@@ -917,7 +918,7 @@ struct drm_device {
61669 -
61670 - /** \name Usage Counters */
61671 - /*@{ */
61672 -- int open_count; /**< Outstanding files open */
61673 -+ local_t open_count; /**< Outstanding files open */
61674 - atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
61675 - atomic_t vma_count; /**< Outstanding vma areas open */
61676 - int buf_use; /**< Buffers in use -- cannot alloc */
61677 -@@ -928,7 +929,7 @@ struct drm_device {
61678 - /*@{ */
61679 - unsigned long counters;
61680 - enum drm_stat_type types[15];
61681 -- atomic_t counts[15];
61682 -+ atomic_unchecked_t counts[15];
61683 - /*@} */
61684 -
61685 - struct list_head filelist;
61686 -@@ -1016,7 +1017,7 @@ struct drm_device {
61687 - struct pci_controller *hose;
61688 - #endif
61689 - struct drm_sg_mem *sg; /**< Scatter gather memory */
61690 -- unsigned int num_crtcs; /**< Number of CRTCs on this device */
61691 -+ unsigned int num_crtcs; /**< Number of CRTCs on this device */
61692 - void *dev_private; /**< device private data */
61693 - void *mm_private;
61694 - struct address_space *dev_mapping;
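Review bot: the num_crtcs line is removed and re-added with the same declaration and the same comment, so the only possible difference is whitespace. Drop this hunk so the patch carries functional changes only and rebases cleanly against later edits to struct drm_device.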
61695 -@@ -1042,11 +1043,11 @@ struct drm_device {
61696 - spinlock_t object_name_lock;
61697 - struct idr object_name_idr;
61698 - atomic_t object_count;
61699 -- atomic_t object_memory;
61700 -+ atomic_unchecked_t object_memory;
61701 - atomic_t pin_count;
61702 -- atomic_t pin_memory;
61703 -+ atomic_unchecked_t pin_memory;
61704 - atomic_t gtt_count;
61705 -- atomic_t gtt_memory;
61706 -+ atomic_unchecked_t gtt_memory;
61707 - uint32_t gtt_total;
61708 - uint32_t invalidate_domains; /* domains pending invalidation */
61709 - uint32_t flush_domains; /* domains pending flush */
61710 -diff -urNp linux-2.6.32.46/include/drm/drm_crtc_helper.h linux-2.6.32.46/include/drm/drm_crtc_helper.h
61711 ---- linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-03-27 14:31:47.000000000 -0400
61712 -+++ linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-08-05 20:33:55.000000000 -0400
61713 -@@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
61714 -
61715 - /* reload the current crtc LUT */
61716 - void (*load_lut)(struct drm_crtc *crtc);
61717 --};
61718 -+} __no_const;
61719 -
61720 - struct drm_encoder_helper_funcs {
61721 - void (*dpms)(struct drm_encoder *encoder, int mode);
61722 -@@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
61723 - struct drm_connector *connector);
61724 - /* disable encoder when not in use - more explicit than dpms off */
61725 - void (*disable)(struct drm_encoder *encoder);
61726 --};
61727 -+} __no_const;
61728 -
61729 - struct drm_connector_helper_funcs {
61730 - int (*get_modes)(struct drm_connector *connector);
61731 -diff -urNp linux-2.6.32.46/include/drm/ttm/ttm_memory.h linux-2.6.32.46/include/drm/ttm/ttm_memory.h
61732 ---- linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-03-27 14:31:47.000000000 -0400
61733 -+++ linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-08-05 20:33:55.000000000 -0400
61734 -@@ -47,7 +47,7 @@
61735 -
61736 - struct ttm_mem_shrink {
61737 - int (*do_shrink) (struct ttm_mem_shrink *);
61738 --};
61739 -+} __no_const;
61740 -
61741 - /**
61742 - * struct ttm_mem_global - Global memory accounting structure.
61743 -diff -urNp linux-2.6.32.46/include/linux/a.out.h linux-2.6.32.46/include/linux/a.out.h
61744 ---- linux-2.6.32.46/include/linux/a.out.h 2011-03-27 14:31:47.000000000 -0400
61745 -+++ linux-2.6.32.46/include/linux/a.out.h 2011-04-17 15:56:46.000000000 -0400
61746 -@@ -39,6 +39,14 @@ enum machine_type {
61747 - M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
61748 - };
61749 -
61750 -+/* Constants for the N_FLAGS field */
61751 -+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
61752 -+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
61753 -+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
61754 -+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
61755 -+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
61756 -+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
61757 -+
61758 - #if !defined (N_MAGIC)
61759 - #define N_MAGIC(exec) ((exec).a_info & 0xffff)
61760 - #endif
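Review bot: The commented-out `F_PAX_RANDEXEC 16` in the new N_FLAGS block leaves it unclear whether bit 16 is retired or just temporarily disabled. Replace the commented define with a comment that says bit 16 is reserved and must not be reused, so a later flag is not assigned the same value. The same list is repeated as EF_PAX_* in elf.h with identical values; a note tying the two together would stop them drifting apart.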
61761 -diff -urNp linux-2.6.32.46/include/linux/atmdev.h linux-2.6.32.46/include/linux/atmdev.h
61762 ---- linux-2.6.32.46/include/linux/atmdev.h 2011-03-27 14:31:47.000000000 -0400
61763 -+++ linux-2.6.32.46/include/linux/atmdev.h 2011-04-17 15:56:46.000000000 -0400
61764 -@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
61765 - #endif
61766 -
61767 - struct k_atm_aal_stats {
61768 --#define __HANDLE_ITEM(i) atomic_t i
61769 -+#define __HANDLE_ITEM(i) atomic_unchecked_t i
61770 - __AAL_STAT_ITEMS
61771 - #undef __HANDLE_ITEM
61772 - };
61773 -diff -urNp linux-2.6.32.46/include/linux/backlight.h linux-2.6.32.46/include/linux/backlight.h
61774 ---- linux-2.6.32.46/include/linux/backlight.h 2011-03-27 14:31:47.000000000 -0400
61775 -+++ linux-2.6.32.46/include/linux/backlight.h 2011-04-17 15:56:46.000000000 -0400
61776 -@@ -36,18 +36,18 @@ struct backlight_device;
61777 - struct fb_info;
61778 -
61779 - struct backlight_ops {
61780 -- unsigned int options;
61781 -+ const unsigned int options;
61782 -
61783 - #define BL_CORE_SUSPENDRESUME (1 << 0)
61784 -
61785 - /* Notify the backlight driver some property has changed */
61786 -- int (*update_status)(struct backlight_device *);
61787 -+ int (* const update_status)(struct backlight_device *);
61788 - /* Return the current backlight brightness (accounting for power,
61789 - fb_blank etc.) */
61790 -- int (*get_brightness)(struct backlight_device *);
61791 -+ int (* const get_brightness)(struct backlight_device *);
61792 - /* Check if given framebuffer device is the one bound to this backlight;
61793 - return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
61794 -- int (*check_fb)(struct fb_info *);
61795 -+ int (* const check_fb)(struct fb_info *);
61796 - };
61797 -
61798 - /* This structure defines all the properties of a backlight */
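Review bot: Making every member of struct backlight_ops const (`const unsigned int options`, `int (* const update_status)(...)`) means an instance can only be filled in by a static initializer, which is a behavioural contract for drivers that this hunk does not document. Add a comment on the struct saying that ops tables must be statically initialised, and consider the struct-level `__do_const` annotation this patch uses on block_device_operations instead of qualifying each member by hand, so the two mechanisms are not mixed.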
61799 -@@ -86,7 +86,7 @@ struct backlight_device {
61800 - registered this device has been unloaded, and if class_get_devdata()
61801 - points to something in the body of that driver, it is also invalid. */
61802 - struct mutex ops_lock;
61803 -- struct backlight_ops *ops;
61804 -+ const struct backlight_ops *ops;
61805 -
61806 - /* The framebuffer notifier block */
61807 - struct notifier_block fb_notif;
61808 -@@ -103,7 +103,7 @@ static inline void backlight_update_stat
61809 - }
61810 -
61811 - extern struct backlight_device *backlight_device_register(const char *name,
61812 -- struct device *dev, void *devdata, struct backlight_ops *ops);
61813 -+ struct device *dev, void *devdata, const struct backlight_ops *ops);
61814 - extern void backlight_device_unregister(struct backlight_device *bd);
61815 - extern void backlight_force_update(struct backlight_device *bd,
61816 - enum backlight_update_reason reason);
61817 -diff -urNp linux-2.6.32.46/include/linux/binfmts.h linux-2.6.32.46/include/linux/binfmts.h
61818 ---- linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 17:00:52.000000000 -0400
61819 -+++ linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 15:56:46.000000000 -0400
61820 -@@ -83,6 +83,7 @@ struct linux_binfmt {
61821 - int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
61822 - int (*load_shlib)(struct file *);
61823 - int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
61824 -+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
61825 - unsigned long min_coredump; /* minimal dump size */
61826 - int hasvdso;
61827 - };
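Review bot: The new `handle_mprotect` member of struct linux_binfmt has no comment describing when it is called or whether it may be left NULL. Binary format handlers that are not touched by this patch will leave it unset, so the header should state that it is optional and that callers must check it before use, or the patch should initialise it in every handler.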
61828 -diff -urNp linux-2.6.32.46/include/linux/blkdev.h linux-2.6.32.46/include/linux/blkdev.h
61829 ---- linux-2.6.32.46/include/linux/blkdev.h 2011-03-27 14:31:47.000000000 -0400
61830 -+++ linux-2.6.32.46/include/linux/blkdev.h 2011-08-26 20:27:21.000000000 -0400
61831 -@@ -1278,7 +1278,7 @@ struct block_device_operations {
61832 - int (*revalidate_disk) (struct gendisk *);
61833 - int (*getgeo)(struct block_device *, struct hd_geometry *);
61834 - struct module *owner;
61835 --};
61836 -+} __do_const;
61837 -
61838 - extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
61839 - unsigned long);
61840 -diff -urNp linux-2.6.32.46/include/linux/blktrace_api.h linux-2.6.32.46/include/linux/blktrace_api.h
61841 ---- linux-2.6.32.46/include/linux/blktrace_api.h 2011-03-27 14:31:47.000000000 -0400
61842 -+++ linux-2.6.32.46/include/linux/blktrace_api.h 2011-05-04 17:56:28.000000000 -0400
61843 -@@ -160,7 +160,7 @@ struct blk_trace {
61844 - struct dentry *dir;
61845 - struct dentry *dropped_file;
61846 - struct dentry *msg_file;
61847 -- atomic_t dropped;
61848 -+ atomic_unchecked_t dropped;
61849 - };
61850 -
61851 - extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
61852 -diff -urNp linux-2.6.32.46/include/linux/byteorder/little_endian.h linux-2.6.32.46/include/linux/byteorder/little_endian.h
61853 ---- linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-03-27 14:31:47.000000000 -0400
61854 -+++ linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-04-17 15:56:46.000000000 -0400
61855 -@@ -42,51 +42,51 @@
61856 -
61857 - static inline __le64 __cpu_to_le64p(const __u64 *p)
61858 - {
61859 -- return (__force __le64)*p;
61860 -+ return (__force const __le64)*p;
61861 - }
61862 - static inline __u64 __le64_to_cpup(const __le64 *p)
61863 - {
61864 -- return (__force __u64)*p;
61865 -+ return (__force const __u64)*p;
61866 - }
61867 - static inline __le32 __cpu_to_le32p(const __u32 *p)
61868 - {
61869 -- return (__force __le32)*p;
61870 -+ return (__force const __le32)*p;
61871 - }
61872 - static inline __u32 __le32_to_cpup(const __le32 *p)
61873 - {
61874 -- return (__force __u32)*p;
61875 -+ return (__force const __u32)*p;
61876 - }
61877 - static inline __le16 __cpu_to_le16p(const __u16 *p)
61878 - {
61879 -- return (__force __le16)*p;
61880 -+ return (__force const __le16)*p;
61881 - }
61882 - static inline __u16 __le16_to_cpup(const __le16 *p)
61883 - {
61884 -- return (__force __u16)*p;
61885 -+ return (__force const __u16)*p;
61886 - }
61887 - static inline __be64 __cpu_to_be64p(const __u64 *p)
61888 - {
61889 -- return (__force __be64)__swab64p(p);
61890 -+ return (__force const __be64)__swab64p(p);
61891 - }
61892 - static inline __u64 __be64_to_cpup(const __be64 *p)
61893 - {
61894 -- return __swab64p((__u64 *)p);
61895 -+ return __swab64p((const __u64 *)p);
61896 - }
61897 - static inline __be32 __cpu_to_be32p(const __u32 *p)
61898 - {
61899 -- return (__force __be32)__swab32p(p);
61900 -+ return (__force const __be32)__swab32p(p);
61901 - }
61902 - static inline __u32 __be32_to_cpup(const __be32 *p)
61903 - {
61904 -- return __swab32p((__u32 *)p);
61905 -+ return __swab32p((const __u32 *)p);
61906 - }
61907 - static inline __be16 __cpu_to_be16p(const __u16 *p)
61908 - {
61909 -- return (__force __be16)__swab16p(p);
61910 -+ return (__force const __be16)__swab16p(p);
61911 - }
61912 - static inline __u16 __be16_to_cpup(const __be16 *p)
61913 - {
61914 -- return __swab16p((__u16 *)p);
61915 -+ return __swab16p((const __u16 *)p);
61916 - }
61917 - #define __cpu_to_le64s(x) do { (void)(x); } while (0)
61918 - #define __le64_to_cpus(x) do { (void)(x); } while (0)
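Review bot: Two different kinds of change are mixed in this hunk. In the value casts such as `return (__force const __le64)*p;` the added const qualifies an rvalue and has no effect on the C type of the result, whereas in `return __swab64p((const __u64 *)p);` it stops the cast from dropping the const of the pointer argument, which is a real fix. If the value casts are only there to silence a checker warning, say so in a comment; otherwise drop them and keep the pointer-cast changes.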
61919 -diff -urNp linux-2.6.32.46/include/linux/cache.h linux-2.6.32.46/include/linux/cache.h
61920 ---- linux-2.6.32.46/include/linux/cache.h 2011-03-27 14:31:47.000000000 -0400
61921 -+++ linux-2.6.32.46/include/linux/cache.h 2011-04-17 15:56:46.000000000 -0400
61922 -@@ -16,6 +16,10 @@
61923 - #define __read_mostly
61924 - #endif
61925 -
61926 -+#ifndef __read_only
61927 -+#define __read_only __read_mostly
61928 -+#endif
61929 -+
61930 - #ifndef ____cacheline_aligned
61931 - #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
61932 - #endif
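Review bot: The fallback `#define __read_only __read_mostly` gives the annotation a name that promises write protection while, on this path, it provides none: `__read_mostly` is itself defined empty just above when the architecture does not supply it. Add a comment stating that the fallback is placement-only and that data tagged `__read_only` stays writable unless the architecture overrides the macro.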
61933 -diff -urNp linux-2.6.32.46/include/linux/capability.h linux-2.6.32.46/include/linux/capability.h
61934 ---- linux-2.6.32.46/include/linux/capability.h 2011-03-27 14:31:47.000000000 -0400
61935 -+++ linux-2.6.32.46/include/linux/capability.h 2011-04-17 15:56:46.000000000 -0400
61936 -@@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
61937 - (security_real_capable_noaudit((t), (cap)) == 0)
61938 -
61939 - extern int capable(int cap);
61940 -+int capable_nolog(int cap);
61941 -
61942 - /* audit system wants to get cap info from files as well */
61943 - struct dentry;
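Review bot: `int capable_nolog(int cap);` is declared without `extern`, unlike `extern int capable(int cap);` on the line above, and has no comment saying how it differs from capable(). Match the surrounding declaration style and document what is not logged and when a caller is allowed to choose the silent variant, since a capability check that leaves no audit trail is easy to misuse.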
61944 -diff -urNp linux-2.6.32.46/include/linux/compiler-gcc4.h linux-2.6.32.46/include/linux/compiler-gcc4.h
61945 ---- linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-03-27 14:31:47.000000000 -0400
61946 -+++ linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-08-26 20:19:09.000000000 -0400
61947 -@@ -36,4 +36,16 @@
61948 - the kernel context */
61949 - #define __cold __attribute__((__cold__))
61950 -
61951 -+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
61952 -+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
61953 -+#define __bos0(ptr) __bos((ptr), 0)
61954 -+#define __bos1(ptr) __bos((ptr), 1)
61955 -+
61956 -+#if __GNUC_MINOR__ >= 5
61957 -+#ifdef CONSTIFY_PLUGIN
61958 -+#define __no_const __attribute__((no_const))
61959 -+#define __do_const __attribute__((do_const))
61960 -+#endif
61961 -+#endif
61962 -+
61963 - #endif
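Review bot: `__alloc_size` is written with `__attribute((...))` while the rest of this header, including the `__cold` define directly above, uses `__attribute__((...))`; use the same spelling. The nested `#if __GNUC_MINOR__ >= 5` / `#ifdef CONSTIFY_PLUGIN` can be a single `#if` with `&& defined(CONSTIFY_PLUGIN)`, and a short comment should say that `__no_const` and `__do_const` are only meaningful when the plugin is loaded.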
61964 -diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linux/compiler.h
61965 ---- linux-2.6.32.46/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
61966 -+++ linux-2.6.32.46/include/linux/compiler.h 2011-10-06 09:37:14.000000000 -0400
61967 -@@ -5,11 +5,14 @@
61968 -
61969 - #ifdef __CHECKER__
61970 - # define __user __attribute__((noderef, address_space(1)))
61971 -+# define __force_user __force __user
61972 - # define __kernel /* default address space */
61973 -+# define __force_kernel __force __kernel
61974 - # define __safe __attribute__((safe))
61975 - # define __force __attribute__((force))
61976 - # define __nocast __attribute__((nocast))
61977 - # define __iomem __attribute__((noderef, address_space(2)))
61978 -+# define __force_iomem __force __iomem
61979 - # define __acquires(x) __attribute__((context(x,0,1)))
61980 - # define __releases(x) __attribute__((context(x,1,0)))
61981 - # define __acquire(x) __context__(x,1)
61982 -@@ -17,13 +20,34 @@
61983 - # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
61984 - extern void __chk_user_ptr(const volatile void __user *);
61985 - extern void __chk_io_ptr(const volatile void __iomem *);
61986 -+#elif defined(CHECKER_PLUGIN)
61987 -+//# define __user
61988 -+//# define __force_user
61989 -+//# define __kernel
61990 -+//# define __force_kernel
61991 -+# define __safe
61992 -+# define __force
61993 -+# define __nocast
61994 -+# define __iomem
61995 -+# define __force_iomem
61996 -+# define __chk_user_ptr(x) (void)0
61997 -+# define __chk_io_ptr(x) (void)0
61998 -+# define __builtin_warning(x, y...) (1)
61999 -+# define __acquires(x)
62000 -+# define __releases(x)
62001 -+# define __acquire(x) (void)0
62002 -+# define __release(x) (void)0
62003 -+# define __cond_lock(x,c) (c)
62004 - #else
62005 - # define __user
62006 -+# define __force_user
62007 - # define __kernel
62008 -+# define __force_kernel
62009 - # define __safe
62010 - # define __force
62011 - # define __nocast
62012 - # define __iomem
62013 -+# define __force_iomem
62014 - # define __chk_user_ptr(x) (void)0
62015 - # define __chk_io_ptr(x) (void)0
62016 - # define __builtin_warning(x, y...) (1)
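Review bot: In the new `#elif defined(CHECKER_PLUGIN)` branch the four lines for `__user`, `__force_user`, `__kernel` and `__force_kernel` are commented out with `//`, so this branch defines none of them and the header silently depends on something else providing them. Either define them here or replace the dead lines with a comment naming where the definitions come from; as written, a build with CHECKER_PLUGIN set and no other provider fails on the first use of `__user`. The `//` comment style is also out of place in this header.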
62017 -@@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_
62018 - # define __attribute_const__ /* unimplemented */
62019 - #endif
62020 -
62021 -+#ifndef __no_const
62022 -+# define __no_const
62023 -+#endif
62024 -+
62025 -+#ifndef __do_const
62026 -+# define __do_const
62027 -+#endif
62028 -+
62029 - /*
62030 - * Tell gcc if a function is cold. The compiler will assume any path
62031 - * directly leading to the call is unlikely.
62032 -@@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_
62033 - #define __cold
62034 - #endif
62035 -
62036 -+#ifndef __alloc_size
62037 -+#define __alloc_size(...)
62038 -+#endif
62039 -+
62040 -+#ifndef __bos
62041 -+#define __bos(ptr, arg)
62042 -+#endif
62043 -+
62044 -+#ifndef __bos0
62045 -+#define __bos0(ptr)
62046 -+#endif
62047 -+
62048 -+#ifndef __bos1
62049 -+#define __bos1(ptr)
62050 -+#endif
62051 -+
62052 - /* Simple shorthand for a section definition */
62053 - #ifndef __section
62054 - # define __section(S) __attribute__ ((__section__(#S)))
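Review bot: The fallbacks `#define __bos(ptr, arg)`, `__bos0(ptr)` and `__bos1(ptr)` expand to nothing, so any use of them inside an expression becomes a syntax error on a compiler that does not pick up the definitions from compiler-gcc4.h. A fallback that evaluates to the "size unknown" value of __builtin_object_size, (size_t)-1 for types 0 and 1, would keep callers compiling and make their size checks pass through harmlessly.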
62055 -@@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_
62056 - * use is to mediate communication between process-level code and irq/NMI
62057 - * handlers, all running on the same CPU.
62058 - */
62059 --#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
62060 -+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
62061 -+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
62062 -
62063 - #endif /* __LINUX_COMPILER_H */
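Review bot: ACCESS_ONCE now yields a const lvalue and writers have to use the new ACCESS_ONCE_RW, but the comment block that ends just above the macros is not updated to say so. Add a sentence there explaining that ACCESS_ONCE is read-only after this change and that stores go through ACCESS_ONCE_RW, otherwise the first sign of the new rule is a compile error at an existing call site.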
62064 -diff -urNp linux-2.6.32.46/include/linux/crypto.h linux-2.6.32.46/include/linux/crypto.h
62065 ---- linux-2.6.32.46/include/linux/crypto.h 2011-03-27 14:31:47.000000000 -0400
62066 -+++ linux-2.6.32.46/include/linux/crypto.h 2011-08-05 20:33:55.000000000 -0400
62067 -@@ -394,7 +394,7 @@ struct cipher_tfm {
62068 - const u8 *key, unsigned int keylen);
62069 - void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
62070 - void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
62071 --};
62072 -+} __no_const;
62073 -
62074 - struct hash_tfm {
62075 - int (*init)(struct hash_desc *desc);
62076 -@@ -415,13 +415,13 @@ struct compress_tfm {
62077 - int (*cot_decompress)(struct crypto_tfm *tfm,
62078 - const u8 *src, unsigned int slen,
62079 - u8 *dst, unsigned int *dlen);
62080 --};
62081 -+} __no_const;
62082 -
62083 - struct rng_tfm {
62084 - int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
62085 - unsigned int dlen);
62086 - int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
62087 --};
62088 -+} __no_const;
62089 -
62090 - #define crt_ablkcipher crt_u.ablkcipher
62091 - #define crt_aead crt_u.aead
62092 -diff -urNp linux-2.6.32.46/include/linux/dcache.h linux-2.6.32.46/include/linux/dcache.h
62093 ---- linux-2.6.32.46/include/linux/dcache.h 2011-03-27 14:31:47.000000000 -0400
62094 -+++ linux-2.6.32.46/include/linux/dcache.h 2011-04-23 13:34:46.000000000 -0400
62095 -@@ -119,6 +119,8 @@ struct dentry {
62096 - unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
62097 - };
62098 -
62099 -+#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
62100 -+
62101 - /*
62102 - * dentry->d_lock spinlock nesting subclasses:
62103 - *
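Review bot: `DNAME_INLINE_LEN` is computed as `sizeof(struct dentry)-offsetof(struct dentry,d_iname)`, which is only correct while d_iname is the last member and which counts any trailing padding as usable name space, while the array itself is declared with DNAME_INLINE_LEN_MIN. Add a comment stating both assumptions next to the define so that a later reordering of struct dentry does not turn this into an out-of-bounds length.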
62104 -diff -urNp linux-2.6.32.46/include/linux/decompress/mm.h linux-2.6.32.46/include/linux/decompress/mm.h
62105 ---- linux-2.6.32.46/include/linux/decompress/mm.h 2011-03-27 14:31:47.000000000 -0400
62106 -+++ linux-2.6.32.46/include/linux/decompress/mm.h 2011-04-17 15:56:46.000000000 -0400
62107 -@@ -78,7 +78,7 @@ static void free(void *where)
62108 - * warnings when not needed (indeed large_malloc / large_free are not
62109 - * needed by inflate */
62110 -
62111 --#define malloc(a) kmalloc(a, GFP_KERNEL)
62112 -+#define malloc(a) kmalloc((a), GFP_KERNEL)
62113 - #define free(a) kfree(a)
62114 -
62115 - #define large_malloc(a) vmalloc(a)
62116 -diff -urNp linux-2.6.32.46/include/linux/dma-mapping.h linux-2.6.32.46/include/linux/dma-mapping.h
62117 ---- linux-2.6.32.46/include/linux/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
62118 -+++ linux-2.6.32.46/include/linux/dma-mapping.h 2011-08-26 20:19:09.000000000 -0400
62119 -@@ -16,51 +16,51 @@ enum dma_data_direction {
62120 - };
62121 -
62122 - struct dma_map_ops {
62123 -- void* (*alloc_coherent)(struct device *dev, size_t size,
62124 -+ void* (* const alloc_coherent)(struct device *dev, size_t size,
62125 - dma_addr_t *dma_handle, gfp_t gfp);
62126 -- void (*free_coherent)(struct device *dev, size_t size,
62127 -+ void (* const free_coherent)(struct device *dev, size_t size,
62128 - void *vaddr, dma_addr_t dma_handle);
62129 -- dma_addr_t (*map_page)(struct device *dev, struct page *page,
62130 -+ dma_addr_t (* const map_page)(struct device *dev, struct page *page,
62131 - unsigned long offset, size_t size,
62132 - enum dma_data_direction dir,
62133 - struct dma_attrs *attrs);
62134 -- void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
62135 -+ void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
62136 - size_t size, enum dma_data_direction dir,
62137 - struct dma_attrs *attrs);
62138 -- int (*map_sg)(struct device *dev, struct scatterlist *sg,
62139 -+ int (* const map_sg)(struct device *dev, struct scatterlist *sg,
62140 - int nents, enum dma_data_direction dir,
62141 - struct dma_attrs *attrs);
62142 -- void (*unmap_sg)(struct device *dev,
62143 -+ void (* const unmap_sg)(struct device *dev,
62144 - struct scatterlist *sg, int nents,
62145 - enum dma_data_direction dir,
62146 - struct dma_attrs *attrs);
62147 -- void (*sync_single_for_cpu)(struct device *dev,
62148 -+ void (* const sync_single_for_cpu)(struct device *dev,
62149 - dma_addr_t dma_handle, size_t size,
62150 - enum dma_data_direction dir);
62151 -- void (*sync_single_for_device)(struct device *dev,
62152 -+ void (* const sync_single_for_device)(struct device *dev,
62153 - dma_addr_t dma_handle, size_t size,
62154 - enum dma_data_direction dir);
62155 -- void (*sync_single_range_for_cpu)(struct device *dev,
62156 -+ void (* const sync_single_range_for_cpu)(struct device *dev,
62157 - dma_addr_t dma_handle,
62158 - unsigned long offset,
62159 - size_t size,
62160 - enum dma_data_direction dir);
62161 -- void (*sync_single_range_for_device)(struct device *dev,
62162 -+ void (* const sync_single_range_for_device)(struct device *dev,
62163 - dma_addr_t dma_handle,
62164 - unsigned long offset,
62165 - size_t size,
62166 - enum dma_data_direction dir);
62167 -- void (*sync_sg_for_cpu)(struct device *dev,
62168 -+ void (* const sync_sg_for_cpu)(struct device *dev,
62169 - struct scatterlist *sg, int nents,
62170 - enum dma_data_direction dir);
62171 -- void (*sync_sg_for_device)(struct device *dev,
62172 -+ void (* const sync_sg_for_device)(struct device *dev,
62173 - struct scatterlist *sg, int nents,
62174 - enum dma_data_direction dir);
62175 -- int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
62176 -- int (*dma_supported)(struct device *dev, u64 mask);
62177 -+ int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
62178 -+ int (* const dma_supported)(struct device *dev, u64 mask);
62179 - int (*set_dma_mask)(struct device *dev, u64 mask);
62180 - int is_phys;
62181 --};
62182 -+} __do_const;
62183 -
62184 - #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
62185 -
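Review bot: In struct dma_map_ops every callback up to dma_supported gains `* const`, but `set_dma_mask` and `is_phys` are left unqualified, and the struct is additionally tagged `__do_const`. If the two members are intentionally writable that needs a comment, and it conflicts with `__do_const`; if not, the per-member qualifiers are redundant with the struct-level annotation and one of the two mechanisms should be dropped.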
62186 -diff -urNp linux-2.6.32.46/include/linux/dst.h linux-2.6.32.46/include/linux/dst.h
62187 ---- linux-2.6.32.46/include/linux/dst.h 2011-03-27 14:31:47.000000000 -0400
62188 -+++ linux-2.6.32.46/include/linux/dst.h 2011-04-17 15:56:46.000000000 -0400
62189 -@@ -380,7 +380,7 @@ struct dst_node
62190 - struct thread_pool *pool;
62191 -
62192 - /* Transaction IDs live here */
62193 -- atomic_long_t gen;
62194 -+ atomic_long_unchecked_t gen;
62195 -
62196 - /*
62197 - * How frequently and how many times transaction
62198 -diff -urNp linux-2.6.32.46/include/linux/elf.h linux-2.6.32.46/include/linux/elf.h
62199 ---- linux-2.6.32.46/include/linux/elf.h 2011-03-27 14:31:47.000000000 -0400
62200 -+++ linux-2.6.32.46/include/linux/elf.h 2011-04-17 15:56:46.000000000 -0400
62201 -@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62202 - #define PT_GNU_EH_FRAME 0x6474e550
62203 -
62204 - #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62205 -+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62206 -+
62207 -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62208 -+
62209 -+/* Constants for the e_flags field */
62210 -+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62211 -+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62212 -+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62213 -+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62214 -+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62215 -+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62216 -
62217 - /* These constants define the different elf file types */
62218 - #define ET_NONE 0
62219 -@@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
62220 - #define DT_DEBUG 21
62221 - #define DT_TEXTREL 22
62222 - #define DT_JMPREL 23
62223 -+#define DT_FLAGS 30
62224 -+ #define DF_TEXTREL 0x00000004
62225 - #define DT_ENCODING 32
62226 - #define OLD_DT_LOOS 0x60000000
62227 - #define DT_LOOS 0x6000000d
62228 -@@ -230,6 +243,19 @@ typedef struct elf64_hdr {
62229 - #define PF_W 0x2
62230 - #define PF_X 0x1
62231 -
62232 -+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62233 -+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62234 -+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62235 -+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62236 -+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62237 -+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62238 -+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62239 -+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62240 -+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62241 -+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62242 -+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62243 -+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62244 -+
62245 - typedef struct elf32_phdr{
62246 - Elf32_Word p_type;
62247 - Elf32_Off p_offset;
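Review bot: The PF_* block defines each feature as an enable/disable pair (for example `PF_MPROTECT (1U << 8)` and `PF_NOMPROTECT (1U << 9)`) without saying what happens when both bits, or neither, are set in p_flags. Document the precedence next to the defines, and mark bits 10 and 11 as reserved instead of leaving the RANDEXEC pair commented out.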
62248 -@@ -322,6 +348,8 @@ typedef struct elf64_shdr {
62249 - #define EI_OSABI 7
62250 - #define EI_PAD 8
62251 -
62252 -+#define EI_PAX 14
62253 -+
62254 - #define ELFMAG0 0x7f /* EI_MAG */
62255 - #define ELFMAG1 'E'
62256 - #define ELFMAG2 'L'
62257 -@@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
62258 - #define elf_phdr elf32_phdr
62259 - #define elf_note elf32_note
62260 - #define elf_addr_t Elf32_Off
62261 -+#define elf_dyn Elf32_Dyn
62262 -
62263 - #else
62264 -
62265 -@@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
62266 - #define elf_phdr elf64_phdr
62267 - #define elf_note elf64_note
62268 - #define elf_addr_t Elf64_Off
62269 -+#define elf_dyn Elf64_Dyn
62270 -
62271 - #endif
62272 -
62273 -diff -urNp linux-2.6.32.46/include/linux/fs.h linux-2.6.32.46/include/linux/fs.h
62274 ---- linux-2.6.32.46/include/linux/fs.h 2011-07-13 17:23:04.000000000 -0400
62275 -+++ linux-2.6.32.46/include/linux/fs.h 2011-08-26 20:19:09.000000000 -0400
62276 -@@ -90,6 +90,11 @@ struct inodes_stat_t {
62277 - /* Expect random access pattern */
62278 - #define FMODE_RANDOM ((__force fmode_t)4096)
62279 -
62280 -+/* Hack for grsec so as not to require read permission simply to execute
62281 -+ * a binary
62282 -+ */
62283 -+#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62284 -+
62285 - /*
62286 - * The below are the various read and write types that we support. Some of
62287 - * them include behavioral modifiers that send information down to the
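Review bot: `FMODE_GREXEC` is introduced with a comment that calls it a hack and with the value written in hex (0x2000000) directly below FMODE_RANDOM, which is written in decimal (4096). State in the comment why this particular bit was chosen and that it must not collide with any other fmode_t flag, and use one notation for both defines so the bit positions can be compared at a glance.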
62288 -@@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
62289 - unsigned long, unsigned long);
62290 -
62291 - struct address_space_operations {
62292 -- int (*writepage)(struct page *page, struct writeback_control *wbc);
62293 -- int (*readpage)(struct file *, struct page *);
62294 -- void (*sync_page)(struct page *);
62295 -+ int (* const writepage)(struct page *page, struct writeback_control *wbc);
62296 -+ int (* const readpage)(struct file *, struct page *);
62297 -+ void (* const sync_page)(struct page *);
62298 -
62299 - /* Write back some dirty pages from this mapping. */
62300 -- int (*writepages)(struct address_space *, struct writeback_control *);
62301 -+ int (* const writepages)(struct address_space *, struct writeback_control *);
62302 -
62303 - /* Set a page dirty. Return true if this dirtied it */
62304 -- int (*set_page_dirty)(struct page *page);
62305 -+ int (* const set_page_dirty)(struct page *page);
62306 -
62307 -- int (*readpages)(struct file *filp, struct address_space *mapping,
62308 -+ int (* const readpages)(struct file *filp, struct address_space *mapping,
62309 - struct list_head *pages, unsigned nr_pages);
62310 -
62311 -- int (*write_begin)(struct file *, struct address_space *mapping,
62312 -+ int (* const write_begin)(struct file *, struct address_space *mapping,
62313 - loff_t pos, unsigned len, unsigned flags,
62314 - struct page **pagep, void **fsdata);
62315 -- int (*write_end)(struct file *, struct address_space *mapping,
62316 -+ int (* const write_end)(struct file *, struct address_space *mapping,
62317 - loff_t pos, unsigned len, unsigned copied,
62318 - struct page *page, void *fsdata);
62319 -
62320 - /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62321 -- sector_t (*bmap)(struct address_space *, sector_t);
62322 -- void (*invalidatepage) (struct page *, unsigned long);
62323 -- int (*releasepage) (struct page *, gfp_t);
62324 -- ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62325 -+ sector_t (* const bmap)(struct address_space *, sector_t);
62326 -+ void (* const invalidatepage) (struct page *, unsigned long);
62327 -+ int (* const releasepage) (struct page *, gfp_t);
62328 -+ ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62329 - loff_t offset, unsigned long nr_segs);
62330 -- int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62331 -+ int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62332 - void **, unsigned long *);
62333 - /* migrate the contents of a page to the specified target */
62334 -- int (*migratepage) (struct address_space *,
62335 -+ int (* const migratepage) (struct address_space *,
62336 - struct page *, struct page *);
62337 -- int (*launder_page) (struct page *);
62338 -- int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62339 -+ int (* const launder_page) (struct page *);
62340 -+ int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62341 - unsigned long);
62342 -- int (*error_remove_page)(struct address_space *, struct page *);
62343 -+ int (* const error_remove_page)(struct address_space *, struct page *);
62344 - };
62345 -
62346 - /*
62347 -@@ -1031,19 +1036,19 @@ static inline int file_check_writeable(s
62348 - typedef struct files_struct *fl_owner_t;
62349 -
62350 - struct file_lock_operations {
62351 -- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62352 -- void (*fl_release_private)(struct file_lock *);
62353 -+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62354 -+ void (* const fl_release_private)(struct file_lock *);
62355 - };
62356 -
62357 - struct lock_manager_operations {
62358 -- int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62359 -- void (*fl_notify)(struct file_lock *); /* unblock callback */
62360 -- int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62361 -- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62362 -- void (*fl_release_private)(struct file_lock *);
62363 -- void (*fl_break)(struct file_lock *);
62364 -- int (*fl_mylease)(struct file_lock *, struct file_lock *);
62365 -- int (*fl_change)(struct file_lock **, int);
62366 -+ int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62367 -+ void (* const fl_notify)(struct file_lock *); /* unblock callback */
62368 -+ int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62369 -+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62370 -+ void (* const fl_release_private)(struct file_lock *);
62371 -+ void (* const fl_break)(struct file_lock *);
62372 -+ int (* const fl_mylease)(struct file_lock *, struct file_lock *);
62373 -+ int (* const fl_change)(struct file_lock **, int);
62374 - };
62375 -
62376 - struct lock_manager {
62377 -@@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
62378 - unsigned int fi_flags; /* Flags as passed from user */
62379 - unsigned int fi_extents_mapped; /* Number of mapped extents */
62380 - unsigned int fi_extents_max; /* Size of fiemap_extent array */
62381 -- struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
62382 -+ struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
62383 - * array */
62384 - };
62385 - int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
62386 -@@ -1512,7 +1517,8 @@ struct file_operations {
62387 - ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
62388 - ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
62389 - int (*setlease)(struct file *, long, struct file_lock **);
62390 --};
62391 -+} __do_const;
62392 -+typedef struct file_operations __no_const file_operations_no_const;
62393 -
62394 - struct inode_operations {
62395 - int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
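Review bot: The new `typedef struct file_operations __no_const file_operations_no_const;` is an escape hatch from the `__do_const` added on the line before it, and it has no comment saying when using it is acceptable. Every variable declared with this typedef is a writable table of function pointers again, so the header should document the intended use (for example, tables that must be patched at runtime) and ask that each use be justified at the declaration.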
62396 -@@ -1559,30 +1565,30 @@ extern ssize_t vfs_writev(struct file *,
62397 - unsigned long, loff_t *);
62398 -
62399 - struct super_operations {
62400 -- struct inode *(*alloc_inode)(struct super_block *sb);
62401 -- void (*destroy_inode)(struct inode *);
62402 -+ struct inode *(* const alloc_inode)(struct super_block *sb);
62403 -+ void (* const destroy_inode)(struct inode *);
62404 -
62405 -- void (*dirty_inode) (struct inode *);
62406 -- int (*write_inode) (struct inode *, int);
62407 -- void (*drop_inode) (struct inode *);
62408 -- void (*delete_inode) (struct inode *);
62409 -- void (*put_super) (struct super_block *);
62410 -- void (*write_super) (struct super_block *);
62411 -- int (*sync_fs)(struct super_block *sb, int wait);
62412 -- int (*freeze_fs) (struct super_block *);
62413 -- int (*unfreeze_fs) (struct super_block *);
62414 -- int (*statfs) (struct dentry *, struct kstatfs *);
62415 -- int (*remount_fs) (struct super_block *, int *, char *);
62416 -- void (*clear_inode) (struct inode *);
62417 -- void (*umount_begin) (struct super_block *);
62418 -+ void (* const dirty_inode) (struct inode *);
62419 -+ int (* const write_inode) (struct inode *, int);
62420 -+ void (* const drop_inode) (struct inode *);
62421 -+ void (* const delete_inode) (struct inode *);
62422 -+ void (* const put_super) (struct super_block *);
62423 -+ void (* const write_super) (struct super_block *);
62424 -+ int (* const sync_fs)(struct super_block *sb, int wait);
62425 -+ int (* const freeze_fs) (struct super_block *);
62426 -+ int (* const unfreeze_fs) (struct super_block *);
62427 -+ int (* const statfs) (struct dentry *, struct kstatfs *);
62428 -+ int (* const remount_fs) (struct super_block *, int *, char *);
62429 -+ void (* const clear_inode) (struct inode *);
62430 -+ void (* const umount_begin) (struct super_block *);
62431 -
62432 -- int (*show_options)(struct seq_file *, struct vfsmount *);
62433 -- int (*show_stats)(struct seq_file *, struct vfsmount *);
62434 -+ int (* const show_options)(struct seq_file *, struct vfsmount *);
62435 -+ int (* const show_stats)(struct seq_file *, struct vfsmount *);
62436 - #ifdef CONFIG_QUOTA
62437 -- ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62438 -- ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62439 -+ ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62440 -+ ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62441 - #endif
62442 -- int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62443 -+ int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62444 - };
62445 -
62446 - /*
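Review bot: struct super_operations gets const added to every pointer member one by one, while struct file_operations just above is handled with a single __do_const on the struct, and nothing explains why the two tables are treated differently. With per-member const, any code that assigns an individual member at run time stops compiling, so please confirm every instance is filled by a static initializer, or use the same struct-level annotation with a __no_const typedef for the exceptions.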
62447 -diff -urNp linux-2.6.32.46/include/linux/fs_struct.h linux-2.6.32.46/include/linux/fs_struct.h
62448 ---- linux-2.6.32.46/include/linux/fs_struct.h 2011-03-27 14:31:47.000000000 -0400
62449 -+++ linux-2.6.32.46/include/linux/fs_struct.h 2011-04-17 15:56:46.000000000 -0400
62450 -@@ -4,7 +4,7 @@
62451 - #include <linux/path.h>
62452 -
62453 - struct fs_struct {
62454 -- int users;
62455 -+ atomic_t users;
62456 - rwlock_t lock;
62457 - int umask;
62458 - int in_exec;
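Review bot: users changes from int to atomic_t while rwlock_t lock stays in the struct, and nothing in the header says whether users must still be read and written under lock. A comment on the field stating the new rule would help, since a leftover plain read or assignment at a call site would no longer mean what it did with int.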
62459 -diff -urNp linux-2.6.32.46/include/linux/fscache-cache.h linux-2.6.32.46/include/linux/fscache-cache.h
62460 ---- linux-2.6.32.46/include/linux/fscache-cache.h 2011-03-27 14:31:47.000000000 -0400
62461 -+++ linux-2.6.32.46/include/linux/fscache-cache.h 2011-05-04 17:56:28.000000000 -0400
62462 -@@ -116,7 +116,7 @@ struct fscache_operation {
62463 - #endif
62464 - };
62465 -
62466 --extern atomic_t fscache_op_debug_id;
62467 -+extern atomic_unchecked_t fscache_op_debug_id;
62468 - extern const struct slow_work_ops fscache_op_slow_work_ops;
62469 -
62470 - extern void fscache_enqueue_operation(struct fscache_operation *);
62471 -@@ -134,7 +134,7 @@ static inline void fscache_operation_ini
62472 - fscache_operation_release_t release)
62473 - {
62474 - atomic_set(&op->usage, 1);
62475 -- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62476 -+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62477 - op->release = release;
62478 - INIT_LIST_HEAD(&op->pend_link);
62479 - fscache_set_op_state(op, "Init");
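Review bot: fscache_operation_init() now mixes the two counter types without explanation: op->usage is still set with atomic_set() while the debug_id line moves to atomic_inc_return_unchecked(). A one-line comment that fscache_op_debug_id only hands out identifiers and may wrap harmlessly would make clear why it, and not usage, is the unchecked one.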
62480 -diff -urNp linux-2.6.32.46/include/linux/ftrace_event.h linux-2.6.32.46/include/linux/ftrace_event.h
62481 ---- linux-2.6.32.46/include/linux/ftrace_event.h 2011-03-27 14:31:47.000000000 -0400
62482 -+++ linux-2.6.32.46/include/linux/ftrace_event.h 2011-05-04 17:56:28.000000000 -0400
62483 -@@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
62484 - int filter_type);
62485 - extern int trace_define_common_fields(struct ftrace_event_call *call);
62486 -
62487 --#define is_signed_type(type) (((type)(-1)) < 0)
62488 -+#define is_signed_type(type) (((type)(-1)) < (type)1)
62489 -
62490 - int trace_set_clr_event(const char *system, const char *event, int set);
62491 -
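Review bot: the new is_signed_type() body compares against (type)1 instead of 0 with no comment, and to a later reader that looks like a typo. Both forms give the same answer for integer types, so please add a line saying what the rewrite is for (for example, avoiding an unsigned-compared-with-zero diagnostic) so it is not reverted by mistake.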
62492 -diff -urNp linux-2.6.32.46/include/linux/genhd.h linux-2.6.32.46/include/linux/genhd.h
62493 ---- linux-2.6.32.46/include/linux/genhd.h 2011-03-27 14:31:47.000000000 -0400
62494 -+++ linux-2.6.32.46/include/linux/genhd.h 2011-04-17 15:56:46.000000000 -0400
62495 -@@ -161,7 +161,7 @@ struct gendisk {
62496 -
62497 - struct timer_rand_state *random;
62498 -
62499 -- atomic_t sync_io; /* RAID */
62500 -+ atomic_unchecked_t sync_io; /* RAID */
62501 - struct work_struct async_notify;
62502 - #ifdef CONFIG_BLK_DEV_INTEGRITY
62503 - struct blk_integrity *integrity;
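Review bot: the sync_io field keeps its old comment, /* RAID */, after becoming atomic_unchecked_t. Since the type now says the counter is exempt from checking, the comment should say why that is safe for this field, so the exemption is not copied to neighbouring counters without thought.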
62504 -diff -urNp linux-2.6.32.46/include/linux/gracl.h linux-2.6.32.46/include/linux/gracl.h
62505 ---- linux-2.6.32.46/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62506 -+++ linux-2.6.32.46/include/linux/gracl.h 2011-04-17 15:56:46.000000000 -0400
62507 -@@ -0,0 +1,317 @@
62508 -+#ifndef GR_ACL_H
62509 -+#define GR_ACL_H
62510 -+
62511 -+#include <linux/grdefs.h>
62512 -+#include <linux/resource.h>
62513 -+#include <linux/capability.h>
62514 -+#include <linux/dcache.h>
62515 -+#include <asm/resource.h>
62516 -+
62517 -+/* Major status information */
62518 -+
62519 -+#define GR_VERSION "grsecurity 2.2.2"
62520 -+#define GRSECURITY_VERSION 0x2202
62521 -+
62522 -+enum {
62523 -+ GR_SHUTDOWN = 0,
62524 -+ GR_ENABLE = 1,
62525 -+ GR_SPROLE = 2,
62526 -+ GR_RELOAD = 3,
62527 -+ GR_SEGVMOD = 4,
62528 -+ GR_STATUS = 5,
62529 -+ GR_UNSPROLE = 6,
62530 -+ GR_PASSSET = 7,
62531 -+ GR_SPROLEPAM = 8,
62532 -+};
62533 -+
62534 -+/* Password setup definitions
62535 -+ * kernel/grhash.c */
62536 -+enum {
62537 -+ GR_PW_LEN = 128,
62538 -+ GR_SALT_LEN = 16,
62539 -+ GR_SHA_LEN = 32,
62540 -+};
62541 -+
62542 -+enum {
62543 -+ GR_SPROLE_LEN = 64,
62544 -+};
62545 -+
62546 -+enum {
62547 -+ GR_NO_GLOB = 0,
62548 -+ GR_REG_GLOB,
62549 -+ GR_CREATE_GLOB
62550 -+};
62551 -+
62552 -+#define GR_NLIMITS 32
62553 -+
62554 -+/* Begin Data Structures */
62555 -+
62556 -+struct sprole_pw {
62557 -+ unsigned char *rolename;
62558 -+ unsigned char salt[GR_SALT_LEN];
62559 -+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62560 -+};
62561 -+
62562 -+struct name_entry {
62563 -+ __u32 key;
62564 -+ ino_t inode;
62565 -+ dev_t device;
62566 -+ char *name;
62567 -+ __u16 len;
62568 -+ __u8 deleted;
62569 -+ struct name_entry *prev;
62570 -+ struct name_entry *next;
62571 -+};
62572 -+
62573 -+struct inodev_entry {
62574 -+ struct name_entry *nentry;
62575 -+ struct inodev_entry *prev;
62576 -+ struct inodev_entry *next;
62577 -+};
62578 -+
62579 -+struct acl_role_db {
62580 -+ struct acl_role_label **r_hash;
62581 -+ __u32 r_size;
62582 -+};
62583 -+
62584 -+struct inodev_db {
62585 -+ struct inodev_entry **i_hash;
62586 -+ __u32 i_size;
62587 -+};
62588 -+
62589 -+struct name_db {
62590 -+ struct name_entry **n_hash;
62591 -+ __u32 n_size;
62592 -+};
62593 -+
62594 -+struct crash_uid {
62595 -+ uid_t uid;
62596 -+ unsigned long expires;
62597 -+};
62598 -+
62599 -+struct gr_hash_struct {
62600 -+ void **table;
62601 -+ void **nametable;
62602 -+ void *first;
62603 -+ __u32 table_size;
62604 -+ __u32 used_size;
62605 -+ int type;
62606 -+};
62607 -+
62608 -+/* Userspace Grsecurity ACL data structures */
62609 -+
62610 -+struct acl_subject_label {
62611 -+ char *filename;
62612 -+ ino_t inode;
62613 -+ dev_t device;
62614 -+ __u32 mode;
62615 -+ kernel_cap_t cap_mask;
62616 -+ kernel_cap_t cap_lower;
62617 -+ kernel_cap_t cap_invert_audit;
62618 -+
62619 -+ struct rlimit res[GR_NLIMITS];
62620 -+ __u32 resmask;
62621 -+
62622 -+ __u8 user_trans_type;
62623 -+ __u8 group_trans_type;
62624 -+ uid_t *user_transitions;
62625 -+ gid_t *group_transitions;
62626 -+ __u16 user_trans_num;
62627 -+ __u16 group_trans_num;
62628 -+
62629 -+ __u32 sock_families[2];
62630 -+ __u32 ip_proto[8];
62631 -+ __u32 ip_type;
62632 -+ struct acl_ip_label **ips;
62633 -+ __u32 ip_num;
62634 -+ __u32 inaddr_any_override;
62635 -+
62636 -+ __u32 crashes;
62637 -+ unsigned long expires;
62638 -+
62639 -+ struct acl_subject_label *parent_subject;
62640 -+ struct gr_hash_struct *hash;
62641 -+ struct acl_subject_label *prev;
62642 -+ struct acl_subject_label *next;
62643 -+
62644 -+ struct acl_object_label **obj_hash;
62645 -+ __u32 obj_hash_size;
62646 -+ __u16 pax_flags;
62647 -+};
62648 -+
62649 -+struct role_allowed_ip {
62650 -+ __u32 addr;
62651 -+ __u32 netmask;
62652 -+
62653 -+ struct role_allowed_ip *prev;
62654 -+ struct role_allowed_ip *next;
62655 -+};
62656 -+
62657 -+struct role_transition {
62658 -+ char *rolename;
62659 -+
62660 -+ struct role_transition *prev;
62661 -+ struct role_transition *next;
62662 -+};
62663 -+
62664 -+struct acl_role_label {
62665 -+ char *rolename;
62666 -+ uid_t uidgid;
62667 -+ __u16 roletype;
62668 -+
62669 -+ __u16 auth_attempts;
62670 -+ unsigned long expires;
62671 -+
62672 -+ struct acl_subject_label *root_label;
62673 -+ struct gr_hash_struct *hash;
62674 -+
62675 -+ struct acl_role_label *prev;
62676 -+ struct acl_role_label *next;
62677 -+
62678 -+ struct role_transition *transitions;
62679 -+ struct role_allowed_ip *allowed_ips;
62680 -+ uid_t *domain_children;
62681 -+ __u16 domain_child_num;
62682 -+
62683 -+ struct acl_subject_label **subj_hash;
62684 -+ __u32 subj_hash_size;
62685 -+};
62686 -+
62687 -+struct user_acl_role_db {
62688 -+ struct acl_role_label **r_table;
62689 -+ __u32 num_pointers; /* Number of allocations to track */
62690 -+ __u32 num_roles; /* Number of roles */
62691 -+ __u32 num_domain_children; /* Number of domain children */
62692 -+ __u32 num_subjects; /* Number of subjects */
62693 -+ __u32 num_objects; /* Number of objects */
62694 -+};
62695 -+
62696 -+struct acl_object_label {
62697 -+ char *filename;
62698 -+ ino_t inode;
62699 -+ dev_t device;
62700 -+ __u32 mode;
62701 -+
62702 -+ struct acl_subject_label *nested;
62703 -+ struct acl_object_label *globbed;
62704 -+
62705 -+ /* next two structures not used */
62706 -+
62707 -+ struct acl_object_label *prev;
62708 -+ struct acl_object_label *next;
62709 -+};
62710 -+
62711 -+struct acl_ip_label {
62712 -+ char *iface;
62713 -+ __u32 addr;
62714 -+ __u32 netmask;
62715 -+ __u16 low, high;
62716 -+ __u8 mode;
62717 -+ __u32 type;
62718 -+ __u32 proto[8];
62719 -+
62720 -+ /* next two structures not used */
62721 -+
62722 -+ struct acl_ip_label *prev;
62723 -+ struct acl_ip_label *next;
62724 -+};
62725 -+
62726 -+struct gr_arg {
62727 -+ struct user_acl_role_db role_db;
62728 -+ unsigned char pw[GR_PW_LEN];
62729 -+ unsigned char salt[GR_SALT_LEN];
62730 -+ unsigned char sum[GR_SHA_LEN];
62731 -+ unsigned char sp_role[GR_SPROLE_LEN];
62732 -+ struct sprole_pw *sprole_pws;
62733 -+ dev_t segv_device;
62734 -+ ino_t segv_inode;
62735 -+ uid_t segv_uid;
62736 -+ __u16 num_sprole_pws;
62737 -+ __u16 mode;
62738 -+};
62739 -+
62740 -+struct gr_arg_wrapper {
62741 -+ struct gr_arg *arg;
62742 -+ __u32 version;
62743 -+ __u32 size;
62744 -+};
62745 -+
62746 -+struct subject_map {
62747 -+ struct acl_subject_label *user;
62748 -+ struct acl_subject_label *kernel;
62749 -+ struct subject_map *prev;
62750 -+ struct subject_map *next;
62751 -+};
62752 -+
62753 -+struct acl_subj_map_db {
62754 -+ struct subject_map **s_hash;
62755 -+ __u32 s_size;
62756 -+};
62757 -+
62758 -+/* End Data Structures Section */
62759 -+
62760 -+/* Hash functions generated by empirical testing by Brad Spengler
62761 -+ Makes good use of the low bits of the inode. Generally 0-1 times
62762 -+ in loop for successful match. 0-3 for unsuccessful match.
62763 -+ Shift/add algorithm with modulus of table size and an XOR*/
62764 -+
62765 -+static __inline__ unsigned int
62766 -+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
62767 -+{
62768 -+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
62769 -+}
62770 -+
62771 -+ static __inline__ unsigned int
62772 -+shash(const struct acl_subject_label *userp, const unsigned int sz)
62773 -+{
62774 -+ return ((const unsigned long)userp % sz);
62775 -+}
62776 -+
62777 -+static __inline__ unsigned int
62778 -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
62779 -+{
62780 -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
62781 -+}
62782 -+
62783 -+static __inline__ unsigned int
62784 -+nhash(const char *name, const __u16 len, const unsigned int sz)
62785 -+{
62786 -+ return full_name_hash((const unsigned char *)name, len) % sz;
62787 -+}
62788 -+
62789 -+#define FOR_EACH_ROLE_START(role) \
62790 -+ role = role_list; \
62791 -+ while (role) {
62792 -+
62793 -+#define FOR_EACH_ROLE_END(role) \
62794 -+ role = role->prev; \
62795 -+ }
62796 -+
62797 -+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
62798 -+ subj = NULL; \
62799 -+ iter = 0; \
62800 -+ while (iter < role->subj_hash_size) { \
62801 -+ if (subj == NULL) \
62802 -+ subj = role->subj_hash[iter]; \
62803 -+ if (subj == NULL) { \
62804 -+ iter++; \
62805 -+ continue; \
62806 -+ }
62807 -+
62808 -+#define FOR_EACH_SUBJECT_END(subj,iter) \
62809 -+ subj = subj->next; \
62810 -+ if (subj == NULL) \
62811 -+ iter++; \
62812 -+ }
62813 -+
62814 -+
62815 -+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
62816 -+ subj = role->hash->first; \
62817 -+ while (subj != NULL) {
62818 -+
62819 -+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
62820 -+ subj = subj->next; \
62821 -+ }
62822 -+
62823 -+#endif
62824 -+
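Review bot: rhash() shifts by (16 + type) with type declared as __u16, so any type of 16 or more shifts a 32-bit operand by at least its full width, which is undefined in C. The role flags in grdefs.h go up to 0x800, and the callers are not visible here, so either mask type inside rhash() or document that only small values such as GR_ROLE_USER and GR_ROLE_GROUP may be passed. Smaller points in the same file: shash() has a stray leading space before static, the FOR_EACH_*_START and FOR_EACH_*_END macros each hold half of a while block and deserve a comment that they must be used in pairs, and the comments "next two structures not used" sit above pointer members, not structures.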
62825 -diff -urNp linux-2.6.32.46/include/linux/gralloc.h linux-2.6.32.46/include/linux/gralloc.h
62826 ---- linux-2.6.32.46/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
62827 -+++ linux-2.6.32.46/include/linux/gralloc.h 2011-04-17 15:56:46.000000000 -0400
62828 -@@ -0,0 +1,9 @@
62829 -+#ifndef __GRALLOC_H
62830 -+#define __GRALLOC_H
62831 -+
62832 -+void acl_free_all(void);
62833 -+int acl_alloc_stack_init(unsigned long size);
62834 -+void *acl_alloc(unsigned long len);
62835 -+void *acl_alloc_num(unsigned long num, unsigned long len);
62836 -+
62837 -+#endif
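Review bot: acl_alloc_num(unsigned long num, unsigned long len) takes a count and an element size, but the header says nothing about what happens when num * len overflows, or what acl_alloc() and acl_alloc_num() return on failure. Please document that the product is checked before allocation and that callers must test for NULL, since these prototypes are all that other files will see.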
62838 -diff -urNp linux-2.6.32.46/include/linux/grdefs.h linux-2.6.32.46/include/linux/grdefs.h
62839 ---- linux-2.6.32.46/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
62840 -+++ linux-2.6.32.46/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
62841 -@@ -0,0 +1,140 @@
62842 -+#ifndef GRDEFS_H
62843 -+#define GRDEFS_H
62844 -+
62845 -+/* Begin grsecurity status declarations */
62846 -+
62847 -+enum {
62848 -+ GR_READY = 0x01,
62849 -+ GR_STATUS_INIT = 0x00 // disabled state
62850 -+};
62851 -+
62852 -+/* Begin ACL declarations */
62853 -+
62854 -+/* Role flags */
62855 -+
62856 -+enum {
62857 -+ GR_ROLE_USER = 0x0001,
62858 -+ GR_ROLE_GROUP = 0x0002,
62859 -+ GR_ROLE_DEFAULT = 0x0004,
62860 -+ GR_ROLE_SPECIAL = 0x0008,
62861 -+ GR_ROLE_AUTH = 0x0010,
62862 -+ GR_ROLE_NOPW = 0x0020,
62863 -+ GR_ROLE_GOD = 0x0040,
62864 -+ GR_ROLE_LEARN = 0x0080,
62865 -+ GR_ROLE_TPE = 0x0100,
62866 -+ GR_ROLE_DOMAIN = 0x0200,
62867 -+ GR_ROLE_PAM = 0x0400,
62868 -+ GR_ROLE_PERSIST = 0x800
62869 -+};
62870 -+
62871 -+/* ACL Subject and Object mode flags */
62872 -+enum {
62873 -+ GR_DELETED = 0x80000000
62874 -+};
62875 -+
62876 -+/* ACL Object-only mode flags */
62877 -+enum {
62878 -+ GR_READ = 0x00000001,
62879 -+ GR_APPEND = 0x00000002,
62880 -+ GR_WRITE = 0x00000004,
62881 -+ GR_EXEC = 0x00000008,
62882 -+ GR_FIND = 0x00000010,
62883 -+ GR_INHERIT = 0x00000020,
62884 -+ GR_SETID = 0x00000040,
62885 -+ GR_CREATE = 0x00000080,
62886 -+ GR_DELETE = 0x00000100,
62887 -+ GR_LINK = 0x00000200,
62888 -+ GR_AUDIT_READ = 0x00000400,
62889 -+ GR_AUDIT_APPEND = 0x00000800,
62890 -+ GR_AUDIT_WRITE = 0x00001000,
62891 -+ GR_AUDIT_EXEC = 0x00002000,
62892 -+ GR_AUDIT_FIND = 0x00004000,
62893 -+ GR_AUDIT_INHERIT= 0x00008000,
62894 -+ GR_AUDIT_SETID = 0x00010000,
62895 -+ GR_AUDIT_CREATE = 0x00020000,
62896 -+ GR_AUDIT_DELETE = 0x00040000,
62897 -+ GR_AUDIT_LINK = 0x00080000,
62898 -+ GR_PTRACERD = 0x00100000,
62899 -+ GR_NOPTRACE = 0x00200000,
62900 -+ GR_SUPPRESS = 0x00400000,
62901 -+ GR_NOLEARN = 0x00800000,
62902 -+ GR_INIT_TRANSFER= 0x01000000
62903 -+};
62904 -+
62905 -+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
62906 -+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
62907 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
62908 -+
62909 -+/* ACL subject-only mode flags */
62910 -+enum {
62911 -+ GR_KILL = 0x00000001,
62912 -+ GR_VIEW = 0x00000002,
62913 -+ GR_PROTECTED = 0x00000004,
62914 -+ GR_LEARN = 0x00000008,
62915 -+ GR_OVERRIDE = 0x00000010,
62916 -+ /* just a placeholder, this mode is only used in userspace */
62917 -+ GR_DUMMY = 0x00000020,
62918 -+ GR_PROTSHM = 0x00000040,
62919 -+ GR_KILLPROC = 0x00000080,
62920 -+ GR_KILLIPPROC = 0x00000100,
62921 -+ /* just a placeholder, this mode is only used in userspace */
62922 -+ GR_NOTROJAN = 0x00000200,
62923 -+ GR_PROTPROCFD = 0x00000400,
62924 -+ GR_PROCACCT = 0x00000800,
62925 -+ GR_RELAXPTRACE = 0x00001000,
62926 -+ GR_NESTED = 0x00002000,
62927 -+ GR_INHERITLEARN = 0x00004000,
62928 -+ GR_PROCFIND = 0x00008000,
62929 -+ GR_POVERRIDE = 0x00010000,
62930 -+ GR_KERNELAUTH = 0x00020000,
62931 -+ GR_ATSECURE = 0x00040000,
62932 -+ GR_SHMEXEC = 0x00080000
62933 -+};
62934 -+
62935 -+enum {
62936 -+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
62937 -+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
62938 -+ GR_PAX_ENABLE_MPROTECT = 0x0004,
62939 -+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
62940 -+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
62941 -+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
62942 -+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
62943 -+ GR_PAX_DISABLE_MPROTECT = 0x0400,
62944 -+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
62945 -+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
62946 -+};
62947 -+
62948 -+enum {
62949 -+ GR_ID_USER = 0x01,
62950 -+ GR_ID_GROUP = 0x02,
62951 -+};
62952 -+
62953 -+enum {
62954 -+ GR_ID_ALLOW = 0x01,
62955 -+ GR_ID_DENY = 0x02,
62956 -+};
62957 -+
62958 -+#define GR_CRASH_RES 31
62959 -+#define GR_UIDTABLE_MAX 500
62960 -+
62961 -+/* begin resource learning section */
62962 -+enum {
62963 -+ GR_RLIM_CPU_BUMP = 60,
62964 -+ GR_RLIM_FSIZE_BUMP = 50000,
62965 -+ GR_RLIM_DATA_BUMP = 10000,
62966 -+ GR_RLIM_STACK_BUMP = 1000,
62967 -+ GR_RLIM_CORE_BUMP = 10000,
62968 -+ GR_RLIM_RSS_BUMP = 500000,
62969 -+ GR_RLIM_NPROC_BUMP = 1,
62970 -+ GR_RLIM_NOFILE_BUMP = 5,
62971 -+ GR_RLIM_MEMLOCK_BUMP = 50000,
62972 -+ GR_RLIM_AS_BUMP = 500000,
62973 -+ GR_RLIM_LOCKS_BUMP = 2,
62974 -+ GR_RLIM_SIGPENDING_BUMP = 5,
62975 -+ GR_RLIM_MSGQUEUE_BUMP = 10000,
62976 -+ GR_RLIM_NICE_BUMP = 1,
62977 -+ GR_RLIM_RTPRIO_BUMP = 1,
62978 -+ GR_RLIM_RTTIME_BUMP = 1000000
62979 -+};
62980 -+
62981 -+#endif
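Review bot: GR_DELETED = 0x80000000 is declared as an enumerator, but ISO C requires enumerator values to be representable as int, and 0x80000000 is not when int is 32 bits, so this relies on a compiler extension. The flag is stored in the __u32 mode members declared in gracl.h, so a #define with a U suffix would state the intended type directly. Style points: GR_ROLE_PERSIST is written 0x800 while the other role flags use four hex digits, and GR_STATUS_INIT carries a // comment in a header that otherwise uses /* */.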
62982 -diff -urNp linux-2.6.32.46/include/linux/grinternal.h linux-2.6.32.46/include/linux/grinternal.h
62983 ---- linux-2.6.32.46/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
62984 -+++ linux-2.6.32.46/include/linux/grinternal.h 2011-10-20 00:48:45.000000000 -0400
62985 -@@ -0,0 +1,218 @@
62986 -+#ifndef __GRINTERNAL_H
62987 -+#define __GRINTERNAL_H
62988 -+
62989 -+#ifdef CONFIG_GRKERNSEC
62990 -+
62991 -+#include <linux/fs.h>
62992 -+#include <linux/mnt_namespace.h>
62993 -+#include <linux/nsproxy.h>
62994 -+#include <linux/gracl.h>
62995 -+#include <linux/grdefs.h>
62996 -+#include <linux/grmsg.h>
62997 -+
62998 -+void gr_add_learn_entry(const char *fmt, ...)
62999 -+ __attribute__ ((format (printf, 1, 2)));
63000 -+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
63001 -+ const struct vfsmount *mnt);
63002 -+__u32 gr_check_create(const struct dentry *new_dentry,
63003 -+ const struct dentry *parent,
63004 -+ const struct vfsmount *mnt, const __u32 mode);
63005 -+int gr_check_protected_task(const struct task_struct *task);
63006 -+__u32 to_gr_audit(const __u32 reqmode);
63007 -+int gr_set_acls(const int type);
63008 -+int gr_apply_subject_to_task(struct task_struct *task);
63009 -+int gr_acl_is_enabled(void);
63010 -+char gr_roletype_to_char(void);
63011 -+
63012 -+void gr_handle_alertkill(struct task_struct *task);
63013 -+char *gr_to_filename(const struct dentry *dentry,
63014 -+ const struct vfsmount *mnt);
63015 -+char *gr_to_filename1(const struct dentry *dentry,
63016 -+ const struct vfsmount *mnt);
63017 -+char *gr_to_filename2(const struct dentry *dentry,
63018 -+ const struct vfsmount *mnt);
63019 -+char *gr_to_filename3(const struct dentry *dentry,
63020 -+ const struct vfsmount *mnt);
63021 -+
63022 -+extern int grsec_enable_harden_ptrace;
63023 -+extern int grsec_enable_link;
63024 -+extern int grsec_enable_fifo;
63025 -+extern int grsec_enable_shm;
63026 -+extern int grsec_enable_execlog;
63027 -+extern int grsec_enable_signal;
63028 -+extern int grsec_enable_audit_ptrace;
63029 -+extern int grsec_enable_forkfail;
63030 -+extern int grsec_enable_time;
63031 -+extern int grsec_enable_rofs;
63032 -+extern int grsec_enable_chroot_shmat;
63033 -+extern int grsec_enable_chroot_mount;
63034 -+extern int grsec_enable_chroot_double;
63035 -+extern int grsec_enable_chroot_pivot;
63036 -+extern int grsec_enable_chroot_chdir;
63037 -+extern int grsec_enable_chroot_chmod;
63038 -+extern int grsec_enable_chroot_mknod;
63039 -+extern int grsec_enable_chroot_fchdir;
63040 -+extern int grsec_enable_chroot_nice;
63041 -+extern int grsec_enable_chroot_execlog;
63042 -+extern int grsec_enable_chroot_caps;
63043 -+extern int grsec_enable_chroot_sysctl;
63044 -+extern int grsec_enable_chroot_unix;
63045 -+extern int grsec_enable_tpe;
63046 -+extern int grsec_tpe_gid;
63047 -+extern int grsec_enable_tpe_all;
63048 -+extern int grsec_enable_tpe_invert;
63049 -+extern int grsec_enable_socket_all;
63050 -+extern int grsec_socket_all_gid;
63051 -+extern int grsec_enable_socket_client;
63052 -+extern int grsec_socket_client_gid;
63053 -+extern int grsec_enable_socket_server;
63054 -+extern int grsec_socket_server_gid;
63055 -+extern int grsec_audit_gid;
63056 -+extern int grsec_enable_group;
63057 -+extern int grsec_enable_audit_textrel;
63058 -+extern int grsec_enable_log_rwxmaps;
63059 -+extern int grsec_enable_mount;
63060 -+extern int grsec_enable_chdir;
63061 -+extern int grsec_resource_logging;
63062 -+extern int grsec_enable_blackhole;
63063 -+extern int grsec_lastack_retries;
63064 -+extern int grsec_enable_brute;
63065 -+extern int grsec_lock;
63066 -+
63067 -+extern spinlock_t grsec_alert_lock;
63068 -+extern unsigned long grsec_alert_wtime;
63069 -+extern unsigned long grsec_alert_fyet;
63070 -+
63071 -+extern spinlock_t grsec_audit_lock;
63072 -+
63073 -+extern rwlock_t grsec_exec_file_lock;
63074 -+
63075 -+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
63076 -+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
63077 -+ (tsk)->exec_file->f_vfsmnt) : "/")
63078 -+
63079 -+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
63080 -+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
63081 -+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63082 -+
63083 -+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
63084 -+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
63085 -+ (tsk)->exec_file->f_vfsmnt) : "/")
63086 -+
63087 -+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
63088 -+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
63089 -+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63090 -+
63091 -+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
63092 -+
63093 -+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
63094 -+
63095 -+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
63096 -+ (task)->pid, (cred)->uid, \
63097 -+ (cred)->euid, (cred)->gid, (cred)->egid, \
63098 -+ gr_parent_task_fullpath(task), \
63099 -+ (task)->real_parent->comm, (task)->real_parent->pid, \
63100 -+ (pcred)->uid, (pcred)->euid, \
63101 -+ (pcred)->gid, (pcred)->egid
63102 -+
63103 -+#define GR_CHROOT_CAPS {{ \
63104 -+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
63105 -+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
63106 -+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
63107 -+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
63108 -+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
63109 -+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
63110 -+ CAP_TO_MASK(CAP_MAC_ADMIN) }}
63111 -+
63112 -+#define security_learn(normal_msg,args...) \
63113 -+({ \
63114 -+ read_lock(&grsec_exec_file_lock); \
63115 -+ gr_add_learn_entry(normal_msg "\n", ## args); \
63116 -+ read_unlock(&grsec_exec_file_lock); \
63117 -+})
63118 -+
63119 -+enum {
63120 -+ GR_DO_AUDIT,
63121 -+ GR_DONT_AUDIT,
63122 -+ GR_DONT_AUDIT_GOOD
63123 -+};
63124 -+
63125 -+enum {
63126 -+ GR_TTYSNIFF,
63127 -+ GR_RBAC,
63128 -+ GR_RBAC_STR,
63129 -+ GR_STR_RBAC,
63130 -+ GR_RBAC_MODE2,
63131 -+ GR_RBAC_MODE3,
63132 -+ GR_FILENAME,
63133 -+ GR_SYSCTL_HIDDEN,
63134 -+ GR_NOARGS,
63135 -+ GR_ONE_INT,
63136 -+ GR_ONE_INT_TWO_STR,
63137 -+ GR_ONE_STR,
63138 -+ GR_STR_INT,
63139 -+ GR_TWO_STR_INT,
63140 -+ GR_TWO_INT,
63141 -+ GR_TWO_U64,
63142 -+ GR_THREE_INT,
63143 -+ GR_FIVE_INT_TWO_STR,
63144 -+ GR_TWO_STR,
63145 -+ GR_THREE_STR,
63146 -+ GR_FOUR_STR,
63147 -+ GR_STR_FILENAME,
63148 -+ GR_FILENAME_STR,
63149 -+ GR_FILENAME_TWO_INT,
63150 -+ GR_FILENAME_TWO_INT_STR,
63151 -+ GR_TEXTREL,
63152 -+ GR_PTRACE,
63153 -+ GR_RESOURCE,
63154 -+ GR_CAP,
63155 -+ GR_SIG,
63156 -+ GR_SIG2,
63157 -+ GR_CRASH1,
63158 -+ GR_CRASH2,
63159 -+ GR_PSACCT,
63160 -+ GR_RWXMAP
63161 -+};
63162 -+
63163 -+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
63164 -+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
63165 -+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
63166 -+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
63167 -+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
63168 -+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
63169 -+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
63170 -+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
63171 -+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
63172 -+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
63173 -+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
63174 -+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
63175 -+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
63176 -+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
63177 -+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
63178 -+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
63179 -+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
63180 -+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
63181 -+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
63182 -+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
63183 -+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
63184 -+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
63185 -+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
63186 -+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
63187 -+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63188 -+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63189 -+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63190 -+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63191 -+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63192 -+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63193 -+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63194 -+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63195 -+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63196 -+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63197 -+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63198 -+
63199 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63200 -+
63201 -+#endif
63202 -+
63203 -+#endif
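Review bot: gr_log_int5_str2() is named for five integers and passes the tag GR_FIVE_INT_TWO_STR, but the macro forwards only num1 and num2 before the two strings. gr_log_varargs() is variadic and keyed on that tag, so the compiler cannot catch a mismatch between what the tag promises and what is actually pushed. Please confirm the handler for this tag reads exactly two integers from the va_list (taking the rest elsewhere), and rename the macro or the tag so the count matches. Separately, gr_task_fullpath() and the related macros dereference (tsk)->exec_file with no locking of their own, while security_learn() takes grsec_exec_file_lock around its call, so a comment stating that callers of the path macros must hold that lock would be useful.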
63204 -diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/grmsg.h
63205 ---- linux-2.6.32.46/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63206 -+++ linux-2.6.32.46/include/linux/grmsg.h 2011-09-13 15:44:53.000000000 -0400
63207 -@@ -0,0 +1,108 @@
63208 -+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63209 -+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63210 -+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63211 -+#define GR_STOPMOD_MSG "denied modification of module state by "
63212 -+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63213 -+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63214 -+#define GR_IOPERM_MSG "denied use of ioperm() by "
63215 -+#define GR_IOPL_MSG "denied use of iopl() by "
63216 -+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63217 -+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63218 -+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63219 -+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63220 -+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63221 -+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63222 -+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63223 -+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63224 -+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63225 -+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63226 -+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63227 -+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63228 -+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63229 -+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63230 -+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63231 -+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63232 -+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63233 -+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63234 -+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63235 -+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63236 -+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63237 -+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63238 -+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63239 -+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63240 -+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63241 -+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63242 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63243 -+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63244 -+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63245 -+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63246 -+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63247 -+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63248 -+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63249 -+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63250 -+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63251 -+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63252 -+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63253 -+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63254 -+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63255 -+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63256 -+#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63257 -+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63258 -+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63259 -+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63260 -+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63261 -+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63262 -+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63263 -+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63264 -+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63265 -+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63266 -+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63267 -+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63268 -+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63269 -+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63270 -+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63271 -+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63272 -+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63273 -+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63274 -+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63275 -+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63276 -+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63277 -+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63278 -+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63279 -+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63280 -+#define GR_FAILFORK_MSG "failed fork with errno %s by "
63281 -+#define GR_NICE_CHROOT_MSG "denied priority change by "
63282 -+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63283 -+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63284 -+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63285 -+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63286 -+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63287 -+#define GR_TIME_MSG "time set by "
63288 -+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63289 -+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63290 -+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63291 -+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63292 -+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63293 -+#define GR_BIND_MSG "denied bind() by "
63294 -+#define GR_CONNECT_MSG "denied connect() by "
63295 -+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63296 -+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63297 -+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63298 -+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63299 -+#define GR_CAP_ACL_MSG "use of %s denied for "
63300 -+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
63301 -+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63302 -+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63303 -+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63304 -+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63305 -+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63306 -+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63307 -+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63308 -+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63309 -+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63310 -+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63311 -+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63312 -+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63313 -+#define GR_VM86_MSG "denied use of vm86 by "
63314 -+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63315 -+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
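Review bot: GR_DEV_ACL_MSG reads "being fed garbaged by", which should be "being fed garbage by", and GR_SYSCTL_MSG has a stray space before the colon in "value : %.32s". These strings end up in kernel logs that administrators and log parsers match on, so the wording is worth fixing before tooling depends on it. Most of the macros end in "by " or "for " and are evidently meant to have a subject description appended, but nothing in these lines documents that; a one-line comment at the top of the block would help.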
63316 -diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/linux/grsecurity.h
63317 ---- linux-2.6.32.46/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63318 -+++ linux-2.6.32.46/include/linux/grsecurity.h 2011-10-17 06:48:36.000000000 -0400
63319 -@@ -0,0 +1,218 @@
63320 -+#ifndef GR_SECURITY_H
63321 -+#define GR_SECURITY_H
63322 -+#include <linux/fs.h>
63323 -+#include <linux/fs_struct.h>
63324 -+#include <linux/binfmts.h>
63325 -+#include <linux/gracl.h>
63326 -+#include <linux/compat.h>
63327 -+
63328 -+/* notify of brain-dead configs */
63329 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
63330 -+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
63331 -+#endif
63332 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63333 -+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63334 -+#endif
63335 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63336 -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63337 -+#endif
63338 -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63339 -+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63340 -+#endif
63341 -+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63342 -+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63343 -+#endif
63344 -+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63345 -+#error "CONFIG_PAX enabled, but no PaX options are enabled."
63346 -+#endif
63347 -+
63348 -+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63349 -+void gr_handle_brute_check(void);
63350 -+void gr_handle_kernel_exploit(void);
63351 -+int gr_process_user_ban(void);
63352 -+
63353 -+char gr_roletype_to_char(void);
63354 -+
63355 -+int gr_acl_enable_at_secure(void);
63356 -+
63357 -+int gr_check_user_change(int real, int effective, int fs);
63358 -+int gr_check_group_change(int real, int effective, int fs);
63359 -+
63360 -+void gr_del_task_from_ip_table(struct task_struct *p);
63361 -+
63362 -+int gr_pid_is_chrooted(struct task_struct *p);
63363 -+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63364 -+int gr_handle_chroot_nice(void);
63365 -+int gr_handle_chroot_sysctl(const int op);
63366 -+int gr_handle_chroot_setpriority(struct task_struct *p,
63367 -+ const int niceval);
63368 -+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63369 -+int gr_handle_chroot_chroot(const struct dentry *dentry,
63370 -+ const struct vfsmount *mnt);
63371 -+void gr_handle_chroot_chdir(struct path *path);
63372 -+int gr_handle_chroot_chmod(const struct dentry *dentry,
63373 -+ const struct vfsmount *mnt, const int mode);
63374 -+int gr_handle_chroot_mknod(const struct dentry *dentry,
63375 -+ const struct vfsmount *mnt, const int mode);
63376 -+int gr_handle_chroot_mount(const struct dentry *dentry,
63377 -+ const struct vfsmount *mnt,
63378 -+ const char *dev_name);
63379 -+int gr_handle_chroot_pivot(void);
63380 -+int gr_handle_chroot_unix(const pid_t pid);
63381 -+
63382 -+int gr_handle_rawio(const struct inode *inode);
63383 -+
63384 -+void gr_handle_ioperm(void);
63385 -+void gr_handle_iopl(void);
63386 -+
63387 -+int gr_tpe_allow(const struct file *file);
63388 -+
63389 -+void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63390 -+void gr_clear_chroot_entries(struct task_struct *task);
63391 -+
63392 -+void gr_log_forkfail(const int retval);
63393 -+void gr_log_timechange(void);
63394 -+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63395 -+void gr_log_chdir(const struct dentry *dentry,
63396 -+ const struct vfsmount *mnt);
63397 -+void gr_log_chroot_exec(const struct dentry *dentry,
63398 -+ const struct vfsmount *mnt);
63399 -+void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63400 -+#ifdef CONFIG_COMPAT
63401 -+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63402 -+#endif
63403 -+void gr_log_remount(const char *devname, const int retval);
63404 -+void gr_log_unmount(const char *devname, const int retval);
63405 -+void gr_log_mount(const char *from, const char *to, const int retval);
63406 -+void gr_log_textrel(struct vm_area_struct *vma);
63407 -+void gr_log_rwxmmap(struct file *file);
63408 -+void gr_log_rwxmprotect(struct file *file);
63409 -+
63410 -+int gr_handle_follow_link(const struct inode *parent,
63411 -+ const struct inode *inode,
63412 -+ const struct dentry *dentry,
63413 -+ const struct vfsmount *mnt);
63414 -+int gr_handle_fifo(const struct dentry *dentry,
63415 -+ const struct vfsmount *mnt,
63416 -+ const struct dentry *dir, const int flag,
63417 -+ const int acc_mode);
63418 -+int gr_handle_hardlink(const struct dentry *dentry,
63419 -+ const struct vfsmount *mnt,
63420 -+ struct inode *inode,
63421 -+ const int mode, const char *to);
63422 -+
63423 -+int gr_is_capable(const int cap);
63424 -+int gr_is_capable_nolog(const int cap);
63425 -+void gr_learn_resource(const struct task_struct *task, const int limit,
63426 -+ const unsigned long wanted, const int gt);
63427 -+void gr_copy_label(struct task_struct *tsk);
63428 -+void gr_handle_crash(struct task_struct *task, const int sig);
63429 -+int gr_handle_signal(const struct task_struct *p, const int sig);
63430 -+int gr_check_crash_uid(const uid_t uid);
63431 -+int gr_check_protected_task(const struct task_struct *task);
63432 -+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63433 -+int gr_acl_handle_mmap(const struct file *file,
63434 -+ const unsigned long prot);
63435 -+int gr_acl_handle_mprotect(const struct file *file,
63436 -+ const unsigned long prot);
63437 -+int gr_check_hidden_task(const struct task_struct *tsk);
63438 -+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63439 -+ const struct vfsmount *mnt);
63440 -+__u32 gr_acl_handle_utime(const struct dentry *dentry,
63441 -+ const struct vfsmount *mnt);
63442 -+__u32 gr_acl_handle_access(const struct dentry *dentry,
63443 -+ const struct vfsmount *mnt, const int fmode);
63444 -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63445 -+ const struct vfsmount *mnt, mode_t mode);
63446 -+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63447 -+ const struct vfsmount *mnt, mode_t mode);
63448 -+__u32 gr_acl_handle_chown(const struct dentry *dentry,
63449 -+ const struct vfsmount *mnt);
63450 -+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63451 -+ const struct vfsmount *mnt);
63452 -+int gr_handle_ptrace(struct task_struct *task, const long request);
63453 -+int gr_handle_proc_ptrace(struct task_struct *task);
63454 -+__u32 gr_acl_handle_execve(const struct dentry *dentry,
63455 -+ const struct vfsmount *mnt);
63456 -+int gr_check_crash_exec(const struct file *filp);
63457 -+int gr_acl_is_enabled(void);
63458 -+void gr_set_kernel_label(struct task_struct *task);
63459 -+void gr_set_role_label(struct task_struct *task, const uid_t uid,
63460 -+ const gid_t gid);
63461 -+int gr_set_proc_label(const struct dentry *dentry,
63462 -+ const struct vfsmount *mnt,
63463 -+ const int unsafe_share);
63464 -+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63465 -+ const struct vfsmount *mnt);
63466 -+__u32 gr_acl_handle_open(const struct dentry *dentry,
63467 -+ const struct vfsmount *mnt, const int fmode);
63468 -+__u32 gr_acl_handle_creat(const struct dentry *dentry,
63469 -+ const struct dentry *p_dentry,
63470 -+ const struct vfsmount *p_mnt, const int fmode,
63471 -+ const int imode);
63472 -+void gr_handle_create(const struct dentry *dentry,
63473 -+ const struct vfsmount *mnt);
63474 -+void gr_handle_proc_create(const struct dentry *dentry,
63475 -+ const struct inode *inode);
63476 -+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63477 -+ const struct dentry *parent_dentry,
63478 -+ const struct vfsmount *parent_mnt,
63479 -+ const int mode);
63480 -+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63481 -+ const struct dentry *parent_dentry,
63482 -+ const struct vfsmount *parent_mnt);
63483 -+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63484 -+ const struct vfsmount *mnt);
63485 -+void gr_handle_delete(const ino_t ino, const dev_t dev);
63486 -+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63487 -+ const struct vfsmount *mnt);
63488 -+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63489 -+ const struct dentry *parent_dentry,
63490 -+ const struct vfsmount *parent_mnt,
63491 -+ const char *from);
63492 -+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63493 -+ const struct dentry *parent_dentry,
63494 -+ const struct vfsmount *parent_mnt,
63495 -+ const struct dentry *old_dentry,
63496 -+ const struct vfsmount *old_mnt, const char *to);
63497 -+int gr_acl_handle_rename(struct dentry *new_dentry,
63498 -+ struct dentry *parent_dentry,
63499 -+ const struct vfsmount *parent_mnt,
63500 -+ struct dentry *old_dentry,
63501 -+ struct inode *old_parent_inode,
63502 -+ struct vfsmount *old_mnt, const char *newname);
63503 -+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63504 -+ struct dentry *old_dentry,
63505 -+ struct dentry *new_dentry,
63506 -+ struct vfsmount *mnt, const __u8 replace);
63507 -+__u32 gr_check_link(const struct dentry *new_dentry,
63508 -+ const struct dentry *parent_dentry,
63509 -+ const struct vfsmount *parent_mnt,
63510 -+ const struct dentry *old_dentry,
63511 -+ const struct vfsmount *old_mnt);
63512 -+int gr_acl_handle_filldir(const struct file *file, const char *name,
63513 -+ const unsigned int namelen, const ino_t ino);
63514 -+
63515 -+__u32 gr_acl_handle_unix(const struct dentry *dentry,
63516 -+ const struct vfsmount *mnt);
63517 -+void gr_acl_handle_exit(void);
63518 -+void gr_acl_handle_psacct(struct task_struct *task, const long code);
63519 -+int gr_acl_handle_procpidmem(const struct task_struct *task);
63520 -+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63521 -+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63522 -+void gr_audit_ptrace(struct task_struct *task);
63523 -+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63524 -+
63525 -+#ifdef CONFIG_GRKERNSEC
63526 -+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63527 -+void gr_handle_vm86(void);
63528 -+void gr_handle_mem_readwrite(u64 from, u64 to);
63529 -+
63530 -+extern int grsec_enable_dmesg;
63531 -+extern int grsec_disable_privio;
63532 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
63533 -+extern int grsec_enable_chroot_findtask;
63534 -+#endif
63535 -+#endif
63536 -+
63537 -+#endif
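Review bot: the prototypes in this new header carry no comment on what a return value means, and the types are inconsistent: gr_acl_handle_link() returns __u32 while gr_acl_handle_rename() returns int, and gr_check_user_change() takes plain int for real/effective/fs while gr_check_crash_uid() takes uid_t. For hooks that gate access decisions, document per group whether non-zero means allow or deny, and use uid_t/gid_t consistently for id arguments. Also note that almost all prototypes are declared unconditionally while the grsec_enable_* externs sit under CONFIG_GRKERNSEC; a comment should say where the definitions come from when that option is off.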
63538 -diff -urNp linux-2.6.32.46/include/linux/hdpu_features.h linux-2.6.32.46/include/linux/hdpu_features.h
63539 ---- linux-2.6.32.46/include/linux/hdpu_features.h 2011-03-27 14:31:47.000000000 -0400
63540 -+++ linux-2.6.32.46/include/linux/hdpu_features.h 2011-04-17 15:56:46.000000000 -0400
63541 -@@ -3,7 +3,7 @@
63542 - struct cpustate_t {
63543 - spinlock_t lock;
63544 - int excl;
63545 -- int open_count;
63546 -+ atomic_t open_count;
63547 - unsigned char cached_val;
63548 - int inited;
63549 - unsigned long *set_addr;
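Review bot: changing open_count to atomic_t in struct cpustate_t is only correct if every reader and writer in the driver moves to the atomic_* accessors in the same patch, which this header hunk alone cannot show. The struct still carries `spinlock_t lock` and `excl`, so add a comment saying whether open_count is now intentionally accessed outside the lock.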
63550 -diff -urNp linux-2.6.32.46/include/linux/highmem.h linux-2.6.32.46/include/linux/highmem.h
63551 ---- linux-2.6.32.46/include/linux/highmem.h 2011-03-27 14:31:47.000000000 -0400
63552 -+++ linux-2.6.32.46/include/linux/highmem.h 2011-04-17 15:56:46.000000000 -0400
63553 -@@ -137,6 +137,18 @@ static inline void clear_highpage(struct
63554 - kunmap_atomic(kaddr, KM_USER0);
63555 - }
63556 -
63557 -+static inline void sanitize_highpage(struct page *page)
63558 -+{
63559 -+ void *kaddr;
63560 -+ unsigned long flags;
63561 -+
63562 -+ local_irq_save(flags);
63563 -+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
63564 -+ clear_page(kaddr);
63565 -+ kunmap_atomic(kaddr, KM_CLEARPAGE);
63566 -+ local_irq_restore(flags);
63567 -+}
63568 -+
63569 - static inline void zero_user_segments(struct page *page,
63570 - unsigned start1, unsigned end1,
63571 - unsigned start2, unsigned end2)
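Review bot: sanitize_highpage() has no comment explaining how it differs from clear_highpage() directly above it: it maps with the KM_CLEARPAGE slot rather than KM_USER0 and wraps the mapping in local_irq_save()/local_irq_restore(). State which caller needs interrupts disabled and a separate kmap slot, so the function is not later "simplified" back into clear_highpage().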
63572 -diff -urNp linux-2.6.32.46/include/linux/i2c.h linux-2.6.32.46/include/linux/i2c.h
63573 ---- linux-2.6.32.46/include/linux/i2c.h 2011-03-27 14:31:47.000000000 -0400
63574 -+++ linux-2.6.32.46/include/linux/i2c.h 2011-08-23 21:22:38.000000000 -0400
63575 -@@ -325,6 +325,7 @@ struct i2c_algorithm {
63576 - /* To determine what the adapter supports */
63577 - u32 (*functionality) (struct i2c_adapter *);
63578 - };
63579 -+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
63580 -
63581 - /*
63582 - * i2c_adapter is the structure used to identify a physical i2c bus along
63583 -diff -urNp linux-2.6.32.46/include/linux/i2o.h linux-2.6.32.46/include/linux/i2o.h
63584 ---- linux-2.6.32.46/include/linux/i2o.h 2011-03-27 14:31:47.000000000 -0400
63585 -+++ linux-2.6.32.46/include/linux/i2o.h 2011-05-04 17:56:28.000000000 -0400
63586 -@@ -564,7 +564,7 @@ struct i2o_controller {
63587 - struct i2o_device *exec; /* Executive */
63588 - #if BITS_PER_LONG == 64
63589 - spinlock_t context_list_lock; /* lock for context_list */
63590 -- atomic_t context_list_counter; /* needed for unique contexts */
63591 -+ atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63592 - struct list_head context_list; /* list of context id's
63593 - and pointers */
63594 - #endif
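Review bot: context_list_counter keeps its comment "needed for unique contexts", yet switching it to atomic_unchecked_t opts it out of overflow checking, so a wrap is silently allowed. If uniqueness depends on this counter, extend the comment to say why wraparound is acceptable here (it is an id generator, not a reference count) or how a reused value is handled.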
63595 -diff -urNp linux-2.6.32.46/include/linux/init_task.h linux-2.6.32.46/include/linux/init_task.h
63596 ---- linux-2.6.32.46/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
63597 -+++ linux-2.6.32.46/include/linux/init_task.h 2011-05-18 20:44:59.000000000 -0400
63598 -@@ -83,6 +83,12 @@ extern struct group_info init_groups;
63599 - #define INIT_IDS
63600 - #endif
63601 -
63602 -+#ifdef CONFIG_X86
63603 -+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63604 -+#else
63605 -+#define INIT_TASK_THREAD_INFO
63606 -+#endif
63607 -+
63608 - #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
63609 - /*
63610 - * Because of the reduced scope of CAP_SETPCAP when filesystem
63611 -@@ -156,6 +162,7 @@ extern struct cred init_cred;
63612 - __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
63613 - .comm = "swapper", \
63614 - .thread = INIT_THREAD, \
63615 -+ INIT_TASK_THREAD_INFO \
63616 - .fs = &init_fs, \
63617 - .files = &init_files, \
63618 - .signal = &init_signals, \
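Review bot: INIT_TASK_THREAD_INFO is used in the INIT_TASK initializer without a trailing comma, relying on the comma hidden inside the CONFIG_X86 definition `.tinfo = INIT_THREAD_INFO,` and on the empty definition elsewhere. That works, but it is easy to break when someone edits the initializer; add a short comment at the #define stating that the comma is part of the macro on purpose.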
63619 -diff -urNp linux-2.6.32.46/include/linux/intel-iommu.h linux-2.6.32.46/include/linux/intel-iommu.h
63620 ---- linux-2.6.32.46/include/linux/intel-iommu.h 2011-03-27 14:31:47.000000000 -0400
63621 -+++ linux-2.6.32.46/include/linux/intel-iommu.h 2011-08-05 20:33:55.000000000 -0400
63622 -@@ -296,7 +296,7 @@ struct iommu_flush {
63623 - u8 fm, u64 type);
63624 - void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
63625 - unsigned int size_order, u64 type);
63626 --};
63627 -+} __no_const;
63628 -
63629 - enum {
63630 - SR_DMAR_FECTL_REG,
63631 -diff -urNp linux-2.6.32.46/include/linux/interrupt.h linux-2.6.32.46/include/linux/interrupt.h
63632 ---- linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:55:35.000000000 -0400
63633 -+++ linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:56:37.000000000 -0400
63634 -@@ -363,7 +363,7 @@ enum
63635 - /* map softirq index to softirq name. update 'softirq_to_name' in
63636 - * kernel/softirq.c when adding a new softirq.
63637 - */
63638 --extern char *softirq_to_name[NR_SOFTIRQS];
63639 -+extern const char * const softirq_to_name[NR_SOFTIRQS];
63640 -
63641 - /* softirq mask and active fields moved to irq_cpustat_t in
63642 - * asm/hardirq.h to get better cache usage. KAO
63643 -@@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63644 -
63645 - struct softirq_action
63646 - {
63647 -- void (*action)(struct softirq_action *);
63648 -+ void (*action)(void);
63649 - };
63650 -
63651 - asmlinkage void do_softirq(void);
63652 - asmlinkage void __do_softirq(void);
63653 --extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63654 -+extern void open_softirq(int nr, void (*action)(void));
63655 - extern void softirq_init(void);
63656 - #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
63657 - extern void raise_softirq_irqoff(unsigned int nr);
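Review bot: changing the handler type in struct softirq_action and open_softirq() from `void (*)(struct softirq_action *)` to `void (*)(void)` is an API break for every handler registered through open_softirq(), including out-of-tree code. The declaration should carry a comment that handlers no longer receive their softirq_action, and all in-tree handlers need converting in the same patch so the function pointer types match at every registration site.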
63658 -diff -urNp linux-2.6.32.46/include/linux/irq.h linux-2.6.32.46/include/linux/irq.h
63659 ---- linux-2.6.32.46/include/linux/irq.h 2011-03-27 14:31:47.000000000 -0400
63660 -+++ linux-2.6.32.46/include/linux/irq.h 2011-04-17 15:56:46.000000000 -0400
63661 -@@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
63662 - static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
63663 - bool boot)
63664 - {
63665 -+#ifdef CONFIG_CPUMASK_OFFSTACK
63666 - gfp_t gfp = GFP_ATOMIC;
63667 -
63668 - if (boot)
63669 - gfp = GFP_NOWAIT;
63670 -
63671 --#ifdef CONFIG_CPUMASK_OFFSTACK
63672 - if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
63673 - return false;
63674 -
63675 -diff -urNp linux-2.6.32.46/include/linux/kallsyms.h linux-2.6.32.46/include/linux/kallsyms.h
63676 ---- linux-2.6.32.46/include/linux/kallsyms.h 2011-03-27 14:31:47.000000000 -0400
63677 -+++ linux-2.6.32.46/include/linux/kallsyms.h 2011-04-17 15:56:46.000000000 -0400
63678 -@@ -15,7 +15,8 @@
63679 -
63680 - struct module;
63681 -
63682 --#ifdef CONFIG_KALLSYMS
63683 -+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63684 -+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63685 - /* Lookup the address for a symbol. Returns 0 if not found. */
63686 - unsigned long kallsyms_lookup_name(const char *name);
63687 -
63688 -@@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
63689 - /* Stupid that this does nothing, but I didn't create this mess. */
63690 - #define __print_symbol(fmt, addr)
63691 - #endif /*CONFIG_KALLSYMS*/
63692 -+#else /* when included by kallsyms.c, vsnprintf.c, or
63693 -+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63694 -+extern void __print_symbol(const char *fmt, unsigned long address);
63695 -+extern int sprint_symbol(char *buffer, unsigned long address);
63696 -+const char *kallsyms_lookup(unsigned long addr,
63697 -+ unsigned long *symbolsize,
63698 -+ unsigned long *offset,
63699 -+ char **modname, char *namebuf);
63700 -+#endif
63701 -
63702 - /* This macro allows us to keep printk typechecking */
63703 - static void __check_printsym_format(const char *fmt, ...)
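Review bot: after this change the context line `#endif /*CONFIG_KALLSYMS*/` closes the new inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, so its trailing comment is stale, and the added outer `#else` / `#endif` pair has no closing comment at all. With two nested conditions that both mention CONFIG_KALLSYMS, label each #endif with the condition it closes. The `#else` comment lists kallsyms.c, vsnprintf.c and arch/x86/kernel/dumpstack.c as the only files defining __INCLUDED_BY_HIDESYM; that list will drift, so point to the macro name instead of enumerating files.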
63704 -diff -urNp linux-2.6.32.46/include/linux/kgdb.h linux-2.6.32.46/include/linux/kgdb.h
63705 ---- linux-2.6.32.46/include/linux/kgdb.h 2011-03-27 14:31:47.000000000 -0400
63706 -+++ linux-2.6.32.46/include/linux/kgdb.h 2011-08-26 20:25:20.000000000 -0400
63707 -@@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
63708 -
63709 - extern int kgdb_connected;
63710 -
63711 --extern atomic_t kgdb_setting_breakpoint;
63712 --extern atomic_t kgdb_cpu_doing_single_step;
63713 -+extern atomic_unchecked_t kgdb_setting_breakpoint;
63714 -+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63715 -
63716 - extern struct task_struct *kgdb_usethread;
63717 - extern struct task_struct *kgdb_contthread;
63718 -@@ -235,7 +235,7 @@ struct kgdb_arch {
63719 - int (*remove_hw_breakpoint)(unsigned long, int, enum kgdb_bptype);
63720 - void (*remove_all_hw_break)(void);
63721 - void (*correct_hw_break)(void);
63722 --};
63723 -+} __do_const;
63724 -
63725 - /**
63726 - * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
63727 -@@ -257,14 +257,14 @@ struct kgdb_io {
63728 - int (*init) (void);
63729 - void (*pre_exception) (void);
63730 - void (*post_exception) (void);
63731 --};
63732 -+} __do_const;
63733 -
63734 --extern struct kgdb_arch arch_kgdb_ops;
63735 -+extern const struct kgdb_arch arch_kgdb_ops;
63736 -
63737 - extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
63738 -
63739 --extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
63740 --extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
63741 -+extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
63742 -+extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
63743 -
63744 - extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
63745 - extern int kgdb_mem2hex(char *mem, char *buf, int count);
63746 -diff -urNp linux-2.6.32.46/include/linux/kmod.h linux-2.6.32.46/include/linux/kmod.h
63747 ---- linux-2.6.32.46/include/linux/kmod.h 2011-03-27 14:31:47.000000000 -0400
63748 -+++ linux-2.6.32.46/include/linux/kmod.h 2011-04-17 15:56:46.000000000 -0400
63749 -@@ -31,6 +31,8 @@
63750 - * usually useless though. */
63751 - extern int __request_module(bool wait, const char *name, ...) \
63752 - __attribute__((format(printf, 2, 3)));
63753 -+extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
63754 -+ __attribute__((format(printf, 3, 4)));
63755 - #define request_module(mod...) __request_module(true, mod)
63756 - #define request_module_nowait(mod...) __request_module(false, mod)
63757 - #define try_then_request_module(x, mod...) \
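Review bot: ___request_module() differs from __request_module() by a single underscore and has no comment describing param_name, which is a non-const `char *` sitting next to `const char *name`. Give it a distinguishable name, or at least document what param_name carries and whether the callee modifies it; if it does not, make it `const char *`. The format attribute is correctly shifted to (3, 4) for the extra argument.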
63758 -diff -urNp linux-2.6.32.46/include/linux/kobject.h linux-2.6.32.46/include/linux/kobject.h
63759 ---- linux-2.6.32.46/include/linux/kobject.h 2011-03-27 14:31:47.000000000 -0400
63760 -+++ linux-2.6.32.46/include/linux/kobject.h 2011-04-17 15:56:46.000000000 -0400
63761 -@@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
63762 -
63763 - struct kobj_type {
63764 - void (*release)(struct kobject *kobj);
63765 -- struct sysfs_ops *sysfs_ops;
63766 -+ const struct sysfs_ops *sysfs_ops;
63767 - struct attribute **default_attrs;
63768 - };
63769 -
63770 -@@ -118,9 +118,9 @@ struct kobj_uevent_env {
63771 - };
63772 -
63773 - struct kset_uevent_ops {
63774 -- int (*filter)(struct kset *kset, struct kobject *kobj);
63775 -- const char *(*name)(struct kset *kset, struct kobject *kobj);
63776 -- int (*uevent)(struct kset *kset, struct kobject *kobj,
63777 -+ int (* const filter)(struct kset *kset, struct kobject *kobj);
63778 -+ const char *(* const name)(struct kset *kset, struct kobject *kobj);
63779 -+ int (* const uevent)(struct kset *kset, struct kobject *kobj,
63780 - struct kobj_uevent_env *env);
63781 - };
63782 -
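Review bot: kset_uevent_ops is constified here by declaring each member `* const`, while other structures in this same patch (kgdb_arch, kgdb_io, ata_port_operations) get a `__do_const` attribute on the struct instead. Two mechanisms for the same goal make the policy harder to audit; use one, or add a comment saying why this struct needs per-member const.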
63783 -@@ -132,7 +132,7 @@ struct kobj_attribute {
63784 - const char *buf, size_t count);
63785 - };
63786 -
63787 --extern struct sysfs_ops kobj_sysfs_ops;
63788 -+extern const struct sysfs_ops kobj_sysfs_ops;
63789 -
63790 - /**
63791 - * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
63792 -@@ -155,14 +155,14 @@ struct kset {
63793 - struct list_head list;
63794 - spinlock_t list_lock;
63795 - struct kobject kobj;
63796 -- struct kset_uevent_ops *uevent_ops;
63797 -+ const struct kset_uevent_ops *uevent_ops;
63798 - };
63799 -
63800 - extern void kset_init(struct kset *kset);
63801 - extern int __must_check kset_register(struct kset *kset);
63802 - extern void kset_unregister(struct kset *kset);
63803 - extern struct kset * __must_check kset_create_and_add(const char *name,
63804 -- struct kset_uevent_ops *u,
63805 -+ const struct kset_uevent_ops *u,
63806 - struct kobject *parent_kobj);
63807 -
63808 - static inline struct kset *to_kset(struct kobject *kobj)
63809 -diff -urNp linux-2.6.32.46/include/linux/kvm_host.h linux-2.6.32.46/include/linux/kvm_host.h
63810 ---- linux-2.6.32.46/include/linux/kvm_host.h 2011-03-27 14:31:47.000000000 -0400
63811 -+++ linux-2.6.32.46/include/linux/kvm_host.h 2011-04-17 15:56:46.000000000 -0400
63812 -@@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
63813 - void vcpu_load(struct kvm_vcpu *vcpu);
63814 - void vcpu_put(struct kvm_vcpu *vcpu);
63815 -
63816 --int kvm_init(void *opaque, unsigned int vcpu_size,
63817 -+int kvm_init(const void *opaque, unsigned int vcpu_size,
63818 - struct module *module);
63819 - void kvm_exit(void);
63820 -
63821 -@@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
63822 - struct kvm_guest_debug *dbg);
63823 - int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
63824 -
63825 --int kvm_arch_init(void *opaque);
63826 -+int kvm_arch_init(const void *opaque);
63827 - void kvm_arch_exit(void);
63828 -
63829 - int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
63830 -diff -urNp linux-2.6.32.46/include/linux/libata.h linux-2.6.32.46/include/linux/libata.h
63831 ---- linux-2.6.32.46/include/linux/libata.h 2011-03-27 14:31:47.000000000 -0400
63832 -+++ linux-2.6.32.46/include/linux/libata.h 2011-08-26 20:19:09.000000000 -0400
63833 -@@ -525,11 +525,11 @@ struct ata_ioports {
63834 -
63835 - struct ata_host {
63836 - spinlock_t lock;
63837 -- struct device *dev;
63838 -+ struct device *dev;
63839 - void __iomem * const *iomap;
63840 - unsigned int n_ports;
63841 - void *private_data;
63842 -- struct ata_port_operations *ops;
63843 -+ const struct ata_port_operations *ops;
63844 - unsigned long flags;
63845 - #ifdef CONFIG_ATA_ACPI
63846 - acpi_handle acpi_handle;
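Review bot: the `struct device *dev;` line in struct ata_host is removed and re-added with no visible textual change, so it is whitespace-only churn unrelated to the constification. Drop it from the hunk so the change that matters, `const struct ata_port_operations *ops`, is the only modification a reviewer has to check.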
63847 -@@ -710,7 +710,7 @@ struct ata_link {
63848 -
63849 - struct ata_port {
63850 - struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
63851 -- struct ata_port_operations *ops;
63852 -+ const struct ata_port_operations *ops;
63853 - spinlock_t *lock;
63854 - /* Flags owned by the EH context. Only EH should touch these once the
63855 - port is active */
63856 -@@ -884,7 +884,7 @@ struct ata_port_operations {
63857 - * fields must be pointers.
63858 - */
63859 - const struct ata_port_operations *inherits;
63860 --};
63861 -+} __do_const;
63862 -
63863 - struct ata_port_info {
63864 - unsigned long flags;
63865 -@@ -892,7 +892,7 @@ struct ata_port_info {
63866 - unsigned long pio_mask;
63867 - unsigned long mwdma_mask;
63868 - unsigned long udma_mask;
63869 -- struct ata_port_operations *port_ops;
63870 -+ const struct ata_port_operations *port_ops;
63871 - void *private_data;
63872 - };
63873 -
63874 -@@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
63875 - extern const unsigned long sata_deb_timing_hotplug[];
63876 - extern const unsigned long sata_deb_timing_long[];
63877 -
63878 --extern struct ata_port_operations ata_dummy_port_ops;
63879 -+extern const struct ata_port_operations ata_dummy_port_ops;
63880 - extern const struct ata_port_info ata_dummy_port_info;
63881 -
63882 - static inline const unsigned long *
63883 -@@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
63884 - struct scsi_host_template *sht);
63885 - extern void ata_host_detach(struct ata_host *host);
63886 - extern void ata_host_init(struct ata_host *, struct device *,
63887 -- unsigned long, struct ata_port_operations *);
63888 -+ unsigned long, const struct ata_port_operations *);
63889 - extern int ata_scsi_detect(struct scsi_host_template *sht);
63890 - extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
63891 - extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
63892 -diff -urNp linux-2.6.32.46/include/linux/lockd/bind.h linux-2.6.32.46/include/linux/lockd/bind.h
63893 ---- linux-2.6.32.46/include/linux/lockd/bind.h 2011-03-27 14:31:47.000000000 -0400
63894 -+++ linux-2.6.32.46/include/linux/lockd/bind.h 2011-04-17 15:56:46.000000000 -0400
63895 -@@ -23,13 +23,13 @@ struct svc_rqst;
63896 - * This is the set of functions for lockd->nfsd communication
63897 - */
63898 - struct nlmsvc_binding {
63899 -- __be32 (*fopen)(struct svc_rqst *,
63900 -+ __be32 (* const fopen)(struct svc_rqst *,
63901 - struct nfs_fh *,
63902 - struct file **);
63903 -- void (*fclose)(struct file *);
63904 -+ void (* const fclose)(struct file *);
63905 - };
63906 -
63907 --extern struct nlmsvc_binding * nlmsvc_ops;
63908 -+extern const struct nlmsvc_binding * nlmsvc_ops;
63909 -
63910 - /*
63911 - * Similar to nfs_client_initdata, but without the NFS-specific
63912 -diff -urNp linux-2.6.32.46/include/linux/mca.h linux-2.6.32.46/include/linux/mca.h
63913 ---- linux-2.6.32.46/include/linux/mca.h 2011-03-27 14:31:47.000000000 -0400
63914 -+++ linux-2.6.32.46/include/linux/mca.h 2011-08-05 20:33:55.000000000 -0400
63915 -@@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
63916 - int region);
63917 - void * (*mca_transform_memory)(struct mca_device *,
63918 - void *memory);
63919 --};
63920 -+} __no_const;
63921 -
63922 - struct mca_bus {
63923 - u64 default_dma_mask;
63924 -diff -urNp linux-2.6.32.46/include/linux/memory.h linux-2.6.32.46/include/linux/memory.h
63925 ---- linux-2.6.32.46/include/linux/memory.h 2011-03-27 14:31:47.000000000 -0400
63926 -+++ linux-2.6.32.46/include/linux/memory.h 2011-08-05 20:33:55.000000000 -0400
63927 -@@ -108,7 +108,7 @@ struct memory_accessor {
63928 - size_t count);
63929 - ssize_t (*write)(struct memory_accessor *, const char *buf,
63930 - off_t offset, size_t count);
63931 --};
63932 -+} __no_const;
63933 -
63934 - /*
63935 - * Kernel text modification mutex, used for code patching. Users of this lock
63936 -diff -urNp linux-2.6.32.46/include/linux/mm.h linux-2.6.32.46/include/linux/mm.h
63937 ---- linux-2.6.32.46/include/linux/mm.h 2011-03-27 14:31:47.000000000 -0400
63938 -+++ linux-2.6.32.46/include/linux/mm.h 2011-04-17 15:56:46.000000000 -0400
63939 -@@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
63940 -
63941 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
63942 - #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
63943 -+
63944 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63945 -+#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
63946 -+#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
63947 -+#else
63948 - #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
63949 -+#endif
63950 -+
63951 - #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
63952 - #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
63953 -
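Review bot: under CONFIG_PAX_PAGEEXEC on X86_32 this hunk defines VM_SAO as 0x00000000 and hands its bit, 0x20000000, to VM_PAGEEXEC, so every `vm_flags & VM_SAO` test silently becomes constant false in that configuration. The existing comment marks VM_SAO as powerpc-only, which is presumably why the reuse is safe, but the #if block should say so explicitly, and a build-time check that no x86 code sets VM_SAO would keep the two flags from ever aliasing.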
63954 -@@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
63955 - int set_page_dirty_lock(struct page *page);
63956 - int clear_page_dirty_for_io(struct page *page);
63957 -
63958 --/* Is the vma a continuation of the stack vma above it? */
63959 --static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
63960 --{
63961 -- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
63962 --}
63963 --
63964 - extern unsigned long move_page_tables(struct vm_area_struct *vma,
63965 - unsigned long old_addr, struct vm_area_struct *new_vma,
63966 - unsigned long new_addr, unsigned long len);
63967 -@@ -890,6 +891,8 @@ struct shrinker {
63968 - extern void register_shrinker(struct shrinker *);
63969 - extern void unregister_shrinker(struct shrinker *);
63970 -
63971 -+pgprot_t vm_get_page_prot(unsigned long vm_flags);
63972 -+
63973 - int vma_wants_writenotify(struct vm_area_struct *vma);
63974 -
63975 - extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
63976 -@@ -1162,6 +1165,7 @@ out:
63977 - }
63978 -
63979 - extern int do_munmap(struct mm_struct *, unsigned long, size_t);
63980 -+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
63981 -
63982 - extern unsigned long do_brk(unsigned long, unsigned long);
63983 -
63984 -@@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
63985 - extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
63986 - struct vm_area_struct **pprev);
63987 -
63988 -+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
63989 -+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
63990 -+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
63991 -+
63992 - /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
63993 - NULL if none. Assume start_addr < end_addr. */
63994 - static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
63995 -@@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
63996 - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
63997 - }
63998 -
63999 --pgprot_t vm_get_page_prot(unsigned long vm_flags);
64000 - struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
64001 - int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
64002 - unsigned long pfn, unsigned long size, pgprot_t);
64003 -@@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
64004 - extern int __memory_failure(unsigned long pfn, int trapno, int ref);
64005 - extern int sysctl_memory_failure_early_kill;
64006 - extern int sysctl_memory_failure_recovery;
64007 --extern atomic_long_t mce_bad_pages;
64008 -+extern atomic_long_unchecked_t mce_bad_pages;
64009 -+
64010 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64011 -+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
64012 -+#else
64013 -+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
64014 -+#endif
64015 -
64016 - #endif /* __KERNEL__ */
64017 - #endif /* _LINUX_MM_H */
64018 -diff -urNp linux-2.6.32.46/include/linux/mm_types.h linux-2.6.32.46/include/linux/mm_types.h
64019 ---- linux-2.6.32.46/include/linux/mm_types.h 2011-03-27 14:31:47.000000000 -0400
64020 -+++ linux-2.6.32.46/include/linux/mm_types.h 2011-04-17 15:56:46.000000000 -0400
64021 -@@ -186,6 +186,8 @@ struct vm_area_struct {
64022 - #ifdef CONFIG_NUMA
64023 - struct mempolicy *vm_policy; /* NUMA policy for the VMA */
64024 - #endif
64025 -+
64026 -+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
64027 - };
64028 -
64029 - struct core_thread {
64030 -@@ -287,6 +289,24 @@ struct mm_struct {
64031 - #ifdef CONFIG_MMU_NOTIFIER
64032 - struct mmu_notifier_mm *mmu_notifier_mm;
64033 - #endif
64034 -+
64035 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64036 -+ unsigned long pax_flags;
64037 -+#endif
64038 -+
64039 -+#ifdef CONFIG_PAX_DLRESOLVE
64040 -+ unsigned long call_dl_resolve;
64041 -+#endif
64042 -+
64043 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
64044 -+ unsigned long call_syscall;
64045 -+#endif
64046 -+
64047 -+#ifdef CONFIG_PAX_ASLR
64048 -+ unsigned long delta_mmap; /* randomized offset */
64049 -+ unsigned long delta_stack; /* randomized offset */
64050 -+#endif
64051 -+
64052 - };
64053 -
64054 - /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
64055 -diff -urNp linux-2.6.32.46/include/linux/mmu_notifier.h linux-2.6.32.46/include/linux/mmu_notifier.h
64056 ---- linux-2.6.32.46/include/linux/mmu_notifier.h 2011-03-27 14:31:47.000000000 -0400
64057 -+++ linux-2.6.32.46/include/linux/mmu_notifier.h 2011-04-17 15:56:46.000000000 -0400
64058 -@@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
64059 - */
64060 - #define ptep_clear_flush_notify(__vma, __address, __ptep) \
64061 - ({ \
64062 -- pte_t __pte; \
64063 -+ pte_t ___pte; \
64064 - struct vm_area_struct *___vma = __vma; \
64065 - unsigned long ___address = __address; \
64066 -- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
64067 -+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
64068 - mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
64069 -- __pte; \
64070 -+ ___pte; \
64071 - })
64072 -
64073 - #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
64074 -diff -urNp linux-2.6.32.46/include/linux/mmzone.h linux-2.6.32.46/include/linux/mmzone.h
64075 ---- linux-2.6.32.46/include/linux/mmzone.h 2011-03-27 14:31:47.000000000 -0400
64076 -+++ linux-2.6.32.46/include/linux/mmzone.h 2011-04-17 15:56:46.000000000 -0400
64077 -@@ -350,7 +350,7 @@ struct zone {
64078 - unsigned long flags; /* zone flags, see below */
64079 -
64080 - /* Zone statistics */
64081 -- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64082 -+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64083 -
64084 - /*
64085 - * prev_priority holds the scanning priority for this zone. It is
64086 -diff -urNp linux-2.6.32.46/include/linux/mod_devicetable.h linux-2.6.32.46/include/linux/mod_devicetable.h
64087 ---- linux-2.6.32.46/include/linux/mod_devicetable.h 2011-03-27 14:31:47.000000000 -0400
64088 -+++ linux-2.6.32.46/include/linux/mod_devicetable.h 2011-04-17 15:56:46.000000000 -0400
64089 -@@ -12,7 +12,7 @@
64090 - typedef unsigned long kernel_ulong_t;
64091 - #endif
64092 -
64093 --#define PCI_ANY_ID (~0)
64094 -+#define PCI_ANY_ID ((__u16)~0)
64095 -
64096 - struct pci_device_id {
64097 - __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
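Review bot: `#define PCI_ANY_ID ((__u16)~0)` changes the wildcard from all-ones to 0xFFFF, yet the context line directly below still declares `__u32 vendor, device;` and documents those fields as holding PCI_ANY_ID. After integer promotion a table entry initialised with the new macro stores 0x0000FFFF rather than 0xFFFFFFFF, so anything that compares these fields against a literal ~0 or a 32-bit all-ones value stops matching. Either the field widths or the macro need a comment explaining the intended width, and the matching code should be confirmed to use the macro on both sides.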
64098 -@@ -131,7 +131,7 @@ struct usb_device_id {
64099 - #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
64100 - #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
64101 -
64102 --#define HID_ANY_ID (~0)
64103 -+#define HID_ANY_ID (~0U)
64104 -
64105 - struct hid_device_id {
64106 - __u16 bus;
64107 -diff -urNp linux-2.6.32.46/include/linux/module.h linux-2.6.32.46/include/linux/module.h
64108 ---- linux-2.6.32.46/include/linux/module.h 2011-03-27 14:31:47.000000000 -0400
64109 -+++ linux-2.6.32.46/include/linux/module.h 2011-08-05 20:33:55.000000000 -0400
64110 -@@ -16,6 +16,7 @@
64111 - #include <linux/kobject.h>
64112 - #include <linux/moduleparam.h>
64113 - #include <linux/tracepoint.h>
64114 -+#include <linux/fs.h>
64115 -
64116 - #include <asm/local.h>
64117 - #include <asm/module.h>
64118 -@@ -287,16 +288,16 @@ struct module
64119 - int (*init)(void);
64120 -
64121 - /* If this is non-NULL, vfree after init() returns */
64122 -- void *module_init;
64123 -+ void *module_init_rx, *module_init_rw;
64124 -
64125 - /* Here is the actual code + data, vfree'd on unload. */
64126 -- void *module_core;
64127 -+ void *module_core_rx, *module_core_rw;
64128 -
64129 - /* Here are the sizes of the init and core sections */
64130 -- unsigned int init_size, core_size;
64131 -+ unsigned int init_size_rw, core_size_rw;
64132 -
64133 - /* The size of the executable code in each section. */
64134 -- unsigned int init_text_size, core_text_size;
64135 -+ unsigned int init_size_rx, core_size_rx;
64136 -
64137 - /* Arch-specific module values */
64138 - struct mod_arch_specific arch;
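Review bot: the fields in struct module are split into _rx and _rw variants but the comments above them are left as they were. "Here are the sizes of the init and core sections" now sits over `init_size_rw, core_size_rw`, and "The size of the executable code in each section" over `init_size_rx, core_size_rx`, which no longer describes the layout (the rx size is a separate region, not a sub-range of the total). The comments should state that rx and rw are distinct allocations and that the vfree note on module_init applies to both pointers.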
64139 -@@ -345,6 +346,10 @@ struct module
64140 - #ifdef CONFIG_EVENT_TRACING
64141 - struct ftrace_event_call *trace_events;
64142 - unsigned int num_trace_events;
64143 -+ struct file_operations trace_id;
64144 -+ struct file_operations trace_enable;
64145 -+ struct file_operations trace_format;
64146 -+ struct file_operations trace_filter;
64147 - #endif
64148 - #ifdef CONFIG_FTRACE_MCOUNT_RECORD
64149 - unsigned long *ftrace_callsites;
64150 -@@ -393,16 +398,46 @@ struct module *__module_address(unsigned
64151 - bool is_module_address(unsigned long addr);
64152 - bool is_module_text_address(unsigned long addr);
64153 -
64154 -+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
64155 -+{
64156 -+
64157 -+#ifdef CONFIG_PAX_KERNEXEC
64158 -+ if (ktla_ktva(addr) >= (unsigned long)start &&
64159 -+ ktla_ktva(addr) < (unsigned long)start + size)
64160 -+ return 1;
64161 -+#endif
64162 -+
64163 -+ return ((void *)addr >= start && (void *)addr < start + size);
64164 -+}
64165 -+
64166 -+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
64167 -+{
64168 -+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
64169 -+}
64170 -+
64171 -+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
64172 -+{
64173 -+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
64174 -+}
64175 -+
64176 -+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64177 -+{
64178 -+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64179 -+}
64180 -+
64181 -+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64182 -+{
64183 -+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64184 -+}
64185 -+
64186 - static inline int within_module_core(unsigned long addr, struct module *mod)
64187 - {
64188 -- return (unsigned long)mod->module_core <= addr &&
64189 -- addr < (unsigned long)mod->module_core + mod->core_size;
64190 -+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64191 - }
64192 -
64193 - static inline int within_module_init(unsigned long addr, struct module *mod)
64194 - {
64195 -- return (unsigned long)mod->module_init <= addr &&
64196 -- addr < (unsigned long)mod->module_init + mod->init_size;
64197 -+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64198 - }
64199 -
64200 - /* Search for module by name: must hold module_mutex. */
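Review bot: within_module_range() mixes two comparison styles. The CONFIG_PAX_KERNEXEC branch compares unsigned long values, while the fallback `(void *)addr < start + size` relies on arithmetic on a `void *`, which is a GNU extension. Casting start to unsigned long once at the top and using it in both branches would be consistent with the code being replaced in within_module_core()/within_module_init(). It is also worth a comment on why the ktla_ktva() translation is applied for the _rw callers as well as the _rx ones, since the helper is shared by all four wrappers. The empty line after the opening brace can go.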
64201 -diff -urNp linux-2.6.32.46/include/linux/moduleloader.h linux-2.6.32.46/include/linux/moduleloader.h
64202 ---- linux-2.6.32.46/include/linux/moduleloader.h 2011-03-27 14:31:47.000000000 -0400
64203 -+++ linux-2.6.32.46/include/linux/moduleloader.h 2011-04-17 15:56:46.000000000 -0400
64204 -@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64205 - sections. Returns NULL on failure. */
64206 - void *module_alloc(unsigned long size);
64207 -
64208 -+#ifdef CONFIG_PAX_KERNEXEC
64209 -+void *module_alloc_exec(unsigned long size);
64210 -+#else
64211 -+#define module_alloc_exec(x) module_alloc(x)
64212 -+#endif
64213 -+
64214 - /* Free memory returned from module_alloc. */
64215 - void module_free(struct module *mod, void *module_region);
64216 -
64217 -+#ifdef CONFIG_PAX_KERNEXEC
64218 -+void module_free_exec(struct module *mod, void *module_region);
64219 -+#else
64220 -+#define module_free_exec(x, y) module_free((x), (y))
64221 -+#endif
64222 -+
64223 - /* Apply the given relocation to the (simplified) ELF. Return -error
64224 - or 0. */
64225 - int apply_relocate(Elf_Shdr *sechdrs,
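Review bot: module_alloc_exec() and module_free_exec() are added without the one-line comments that module_alloc() and module_free() carry in the same header. Since the non-KERNEXEC build maps them straight onto module_alloc()/module_free(), a mismatched pair (memory from module_alloc_exec() released with module_free()) will compile and work there and only misbehave with CONFIG_PAX_KERNEXEC enabled. A comment stating that the _exec allocator and free must be paired would help callers.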
64226 -diff -urNp linux-2.6.32.46/include/linux/moduleparam.h linux-2.6.32.46/include/linux/moduleparam.h
64227 ---- linux-2.6.32.46/include/linux/moduleparam.h 2011-03-27 14:31:47.000000000 -0400
64228 -+++ linux-2.6.32.46/include/linux/moduleparam.h 2011-04-17 15:56:46.000000000 -0400
64229 -@@ -132,7 +132,7 @@ struct kparam_array
64230 -
64231 - /* Actually copy string: maxlen param is usually sizeof(string). */
64232 - #define module_param_string(name, string, len, perm) \
64233 -- static const struct kparam_string __param_string_##name \
64234 -+ static const struct kparam_string __param_string_##name __used \
64235 - = { len, string }; \
64236 - __module_param_call(MODULE_PARAM_PREFIX, name, \
64237 - param_set_copystring, param_get_string, \
64238 -@@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
64239 -
64240 - /* Comma-separated array: *nump is set to number they actually specified. */
64241 - #define module_param_array_named(name, array, type, nump, perm) \
64242 -- static const struct kparam_array __param_arr_##name \
64243 -+ static const struct kparam_array __param_arr_##name __used \
64244 - = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
64245 - sizeof(array[0]), array }; \
64246 - __module_param_call(MODULE_PARAM_PREFIX, name, \
64247 -diff -urNp linux-2.6.32.46/include/linux/mutex.h linux-2.6.32.46/include/linux/mutex.h
64248 ---- linux-2.6.32.46/include/linux/mutex.h 2011-03-27 14:31:47.000000000 -0400
64249 -+++ linux-2.6.32.46/include/linux/mutex.h 2011-04-17 15:56:46.000000000 -0400
64250 -@@ -51,7 +51,7 @@ struct mutex {
64251 - spinlock_t wait_lock;
64252 - struct list_head wait_list;
64253 - #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64254 -- struct thread_info *owner;
64255 -+ struct task_struct *owner;
64256 - #endif
64257 - #ifdef CONFIG_DEBUG_MUTEXES
64258 - const char *name;
64259 -diff -urNp linux-2.6.32.46/include/linux/namei.h linux-2.6.32.46/include/linux/namei.h
64260 ---- linux-2.6.32.46/include/linux/namei.h 2011-03-27 14:31:47.000000000 -0400
64261 -+++ linux-2.6.32.46/include/linux/namei.h 2011-04-17 15:56:46.000000000 -0400
64262 -@@ -22,7 +22,7 @@ struct nameidata {
64263 - unsigned int flags;
64264 - int last_type;
64265 - unsigned depth;
64266 -- char *saved_names[MAX_NESTED_LINKS + 1];
64267 -+ const char *saved_names[MAX_NESTED_LINKS + 1];
64268 -
64269 - /* Intent data */
64270 - union {
64271 -@@ -84,12 +84,12 @@ extern int follow_up(struct path *);
64272 - extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64273 - extern void unlock_rename(struct dentry *, struct dentry *);
64274 -
64275 --static inline void nd_set_link(struct nameidata *nd, char *path)
64276 -+static inline void nd_set_link(struct nameidata *nd, const char *path)
64277 - {
64278 - nd->saved_names[nd->depth] = path;
64279 - }
64280 -
64281 --static inline char *nd_get_link(struct nameidata *nd)
64282 -+static inline const char *nd_get_link(const struct nameidata *nd)
64283 - {
64284 - return nd->saved_names[nd->depth];
64285 - }
64286 -diff -urNp linux-2.6.32.46/include/linux/netdevice.h linux-2.6.32.46/include/linux/netdevice.h
64287 ---- linux-2.6.32.46/include/linux/netdevice.h 2011-08-09 18:35:30.000000000 -0400
64288 -+++ linux-2.6.32.46/include/linux/netdevice.h 2011-08-23 21:22:38.000000000 -0400
64289 -@@ -637,6 +637,7 @@ struct net_device_ops {
64290 - u16 xid);
64291 - #endif
64292 - };
64293 -+typedef struct net_device_ops __no_const net_device_ops_no_const;
64294 -
64295 - /*
64296 - * The DEVICE structure.
64297 -diff -urNp linux-2.6.32.46/include/linux/netfilter/xt_gradm.h linux-2.6.32.46/include/linux/netfilter/xt_gradm.h
64298 ---- linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64299 -+++ linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 2011-04-17 15:56:46.000000000 -0400
64300 -@@ -0,0 +1,9 @@
64301 -+#ifndef _LINUX_NETFILTER_XT_GRADM_H
64302 -+#define _LINUX_NETFILTER_XT_GRADM_H 1
64303 -+
64304 -+struct xt_gradm_mtinfo {
64305 -+ __u16 flags;
64306 -+ __u16 invflags;
64307 -+};
64308 -+
64309 -+#endif
64310 -diff -urNp linux-2.6.32.46/include/linux/nodemask.h linux-2.6.32.46/include/linux/nodemask.h
64311 ---- linux-2.6.32.46/include/linux/nodemask.h 2011-03-27 14:31:47.000000000 -0400
64312 -+++ linux-2.6.32.46/include/linux/nodemask.h 2011-04-17 15:56:46.000000000 -0400
64313 -@@ -464,11 +464,11 @@ static inline int num_node_state(enum no
64314 -
64315 - #define any_online_node(mask) \
64316 - ({ \
64317 -- int node; \
64318 -- for_each_node_mask(node, (mask)) \
64319 -- if (node_online(node)) \
64320 -+ int __node; \
64321 -+ for_each_node_mask(__node, (mask)) \
64322 -+ if (node_online(__node)) \
64323 - break; \
64324 -- node; \
64325 -+ __node; \
64326 - })
64327 -
64328 - #define num_online_nodes() num_node_state(N_ONLINE)
64329 -diff -urNp linux-2.6.32.46/include/linux/oprofile.h linux-2.6.32.46/include/linux/oprofile.h
64330 ---- linux-2.6.32.46/include/linux/oprofile.h 2011-03-27 14:31:47.000000000 -0400
64331 -+++ linux-2.6.32.46/include/linux/oprofile.h 2011-04-17 15:56:46.000000000 -0400
64332 -@@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
64333 - int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64334 - char const * name, ulong * val);
64335 -
64336 --/** Create a file for read-only access to an atomic_t. */
64337 -+/** Create a file for read-only access to an atomic_unchecked_t. */
64338 - int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64339 -- char const * name, atomic_t * val);
64340 -+ char const * name, atomic_unchecked_t * val);
64341 -
64342 - /** create a directory */
64343 - struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64344 -diff -urNp linux-2.6.32.46/include/linux/pagemap.h linux-2.6.32.46/include/linux/pagemap.h
64345 ---- linux-2.6.32.46/include/linux/pagemap.h 2011-03-27 14:31:47.000000000 -0400
64346 -+++ linux-2.6.32.46/include/linux/pagemap.h 2011-08-17 19:36:28.000000000 -0400
64347 -@@ -425,6 +425,7 @@ static inline int fault_in_pages_readabl
64348 - if (((unsigned long)uaddr & PAGE_MASK) !=
64349 - ((unsigned long)end & PAGE_MASK))
64350 - ret = __get_user(c, end);
64351 -+ (void)c;
64352 - }
64353 - return ret;
64354 - }
64355 -diff -urNp linux-2.6.32.46/include/linux/perf_event.h linux-2.6.32.46/include/linux/perf_event.h
64356 ---- linux-2.6.32.46/include/linux/perf_event.h 2011-03-27 14:31:47.000000000 -0400
64357 -+++ linux-2.6.32.46/include/linux/perf_event.h 2011-05-04 17:56:28.000000000 -0400
64358 -@@ -476,7 +476,7 @@ struct hw_perf_event {
64359 - struct hrtimer hrtimer;
64360 - };
64361 - };
64362 -- atomic64_t prev_count;
64363 -+ atomic64_unchecked_t prev_count;
64364 - u64 sample_period;
64365 - u64 last_period;
64366 - atomic64_t period_left;
64367 -@@ -557,7 +557,7 @@ struct perf_event {
64368 - const struct pmu *pmu;
64369 -
64370 - enum perf_event_active_state state;
64371 -- atomic64_t count;
64372 -+ atomic64_unchecked_t count;
64373 -
64374 - /*
64375 - * These are the total time in nanoseconds that the event
64376 -@@ -595,8 +595,8 @@ struct perf_event {
64377 - * These accumulate total time (in nanoseconds) that children
64378 - * events have been enabled and running, respectively.
64379 - */
64380 -- atomic64_t child_total_time_enabled;
64381 -- atomic64_t child_total_time_running;
64382 -+ atomic64_unchecked_t child_total_time_enabled;
64383 -+ atomic64_unchecked_t child_total_time_running;
64384 -
64385 - /*
64386 - * Protect attach/detach and child_list:
64387 -diff -urNp linux-2.6.32.46/include/linux/pipe_fs_i.h linux-2.6.32.46/include/linux/pipe_fs_i.h
64388 ---- linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-03-27 14:31:47.000000000 -0400
64389 -+++ linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-04-17 15:56:46.000000000 -0400
64390 -@@ -46,9 +46,9 @@ struct pipe_inode_info {
64391 - wait_queue_head_t wait;
64392 - unsigned int nrbufs, curbuf;
64393 - struct page *tmp_page;
64394 -- unsigned int readers;
64395 -- unsigned int writers;
64396 -- unsigned int waiting_writers;
64397 -+ atomic_t readers;
64398 -+ atomic_t writers;
64399 -+ atomic_t waiting_writers;
64400 - unsigned int r_counter;
64401 - unsigned int w_counter;
64402 - struct fasync_struct *fasync_readers;
64403 -diff -urNp linux-2.6.32.46/include/linux/poison.h linux-2.6.32.46/include/linux/poison.h
64404 ---- linux-2.6.32.46/include/linux/poison.h 2011-03-27 14:31:47.000000000 -0400
64405 -+++ linux-2.6.32.46/include/linux/poison.h 2011-04-17 15:56:46.000000000 -0400
64406 -@@ -19,8 +19,8 @@
64407 - * under normal circumstances, used to verify that nobody uses
64408 - * non-initialized list entries.
64409 - */
64410 --#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64411 --#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64412 -+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64413 -+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64414 -
64415 - /********** include/linux/timer.h **********/
64416 - /*
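Review bot: the new LIST_POISON1/LIST_POISON2 definitions drop POISON_POINTER_DELTA, so an architecture-configured offset no longer has any effect on the list poison values, and the comment above the defines is unchanged. Also, 0xFFFFFF01 is an unsigned int constant, so `(long)0xFFFFFF01` is not sign-extended on 64-bit and evaluates to 0x00000000FFFFFF01 there. A comment should state which address range these values are meant to land in on 32-bit and on 64-bit, and why a dereference in that range is guaranteed to fault.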
64417 -diff -urNp linux-2.6.32.46/include/linux/posix-timers.h linux-2.6.32.46/include/linux/posix-timers.h
64418 ---- linux-2.6.32.46/include/linux/posix-timers.h 2011-03-27 14:31:47.000000000 -0400
64419 -+++ linux-2.6.32.46/include/linux/posix-timers.h 2011-08-05 20:33:55.000000000 -0400
64420 -@@ -67,7 +67,7 @@ struct k_itimer {
64421 - };
64422 -
64423 - struct k_clock {
64424 -- int res; /* in nanoseconds */
64425 -+ const int res; /* in nanoseconds */
64426 - int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
64427 - int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
64428 - int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
64429 -diff -urNp linux-2.6.32.46/include/linux/preempt.h linux-2.6.32.46/include/linux/preempt.h
64430 ---- linux-2.6.32.46/include/linux/preempt.h 2011-03-27 14:31:47.000000000 -0400
64431 -+++ linux-2.6.32.46/include/linux/preempt.h 2011-08-05 20:33:55.000000000 -0400
64432 -@@ -110,7 +110,7 @@ struct preempt_ops {
64433 - void (*sched_in)(struct preempt_notifier *notifier, int cpu);
64434 - void (*sched_out)(struct preempt_notifier *notifier,
64435 - struct task_struct *next);
64436 --};
64437 -+} __no_const;
64438 -
64439 - /**
64440 - * preempt_notifier - key for installing preemption notifiers
64441 -diff -urNp linux-2.6.32.46/include/linux/proc_fs.h linux-2.6.32.46/include/linux/proc_fs.h
64442 ---- linux-2.6.32.46/include/linux/proc_fs.h 2011-03-27 14:31:47.000000000 -0400
64443 -+++ linux-2.6.32.46/include/linux/proc_fs.h 2011-08-05 20:33:55.000000000 -0400
64444 -@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64445 - return proc_create_data(name, mode, parent, proc_fops, NULL);
64446 - }
64447 -
64448 -+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64449 -+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64450 -+{
64451 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
64452 -+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64453 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64454 -+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64455 -+#else
64456 -+ return proc_create_data(name, mode, parent, proc_fops, NULL);
64457 -+#endif
64458 -+}
64459 -+
64460 -+
64461 - static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64462 - mode_t mode, struct proc_dir_entry *base,
64463 - read_proc_t *read_proc, void * data)
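Review bot: proc_create_grsec() silently discards its mode argument when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, replacing it with S_IRUSR or S_IRUSR | S_IRGRP. A caller that passes write bits gets a read-only entry with no indication. The function needs a comment saying that mode is only honoured in the unrestricted configuration, or it should mask the caller's mode (for example `mode & (S_IRUSR | S_IWUSR)`) instead of overwriting it. There is also a doubled blank line after the closing brace.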
64464 -@@ -256,7 +269,7 @@ union proc_op {
64465 - int (*proc_show)(struct seq_file *m,
64466 - struct pid_namespace *ns, struct pid *pid,
64467 - struct task_struct *task);
64468 --};
64469 -+} __no_const;
64470 -
64471 - struct ctl_table_header;
64472 - struct ctl_table;
64473 -diff -urNp linux-2.6.32.46/include/linux/ptrace.h linux-2.6.32.46/include/linux/ptrace.h
64474 ---- linux-2.6.32.46/include/linux/ptrace.h 2011-03-27 14:31:47.000000000 -0400
64475 -+++ linux-2.6.32.46/include/linux/ptrace.h 2011-04-17 15:56:46.000000000 -0400
64476 -@@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
64477 - extern void exit_ptrace(struct task_struct *tracer);
64478 - #define PTRACE_MODE_READ 1
64479 - #define PTRACE_MODE_ATTACH 2
64480 --/* Returns 0 on success, -errno on denial. */
64481 --extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64482 - /* Returns true on success, false on denial. */
64483 - extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64484 -+/* Returns true on success, false on denial. */
64485 -+extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64486 -
64487 - static inline int ptrace_reparented(struct task_struct *child)
64488 - {
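Review bot: ptrace_may_access_log() is declared with the same comment as ptrace_may_access(), "Returns true on success, false on denial", so the header gives no hint of how the two differ or when the logging variant should be used. The hunk also removes the `__ptrace_may_access()` declaration, whose contract was 0 on success and -errno on denial; any remaining caller that relied on the errno value needs to be checked, since the bool-returning replacements cannot convey it.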
64489 -diff -urNp linux-2.6.32.46/include/linux/random.h linux-2.6.32.46/include/linux/random.h
64490 ---- linux-2.6.32.46/include/linux/random.h 2011-08-16 20:37:25.000000000 -0400
64491 -+++ linux-2.6.32.46/include/linux/random.h 2011-08-07 19:48:09.000000000 -0400
64492 -@@ -63,6 +63,11 @@ unsigned long randomize_range(unsigned l
64493 - u32 random32(void);
64494 - void srandom32(u32 seed);
64495 -
64496 -+static inline unsigned long pax_get_random_long(void)
64497 -+{
64498 -+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64499 -+}
64500 -+
64501 - #endif /* __KERNEL___ */
64502 -
64503 - #endif /* _LINUX_RANDOM_H */
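Review bot: in pax_get_random_long() the expression `(unsigned long)random32() << 32` is still parsed on 32-bit builds, where the shift count equals the width of unsigned long. The `sizeof(long) > 4` ternary makes it dead code there, but compilers can still warn about the shift, and an `#if BITS_PER_LONG == 64` guard would avoid that. The helper also has no comment stating what quality of randomness callers may assume from random32(), which matters if it feeds the delta_mmap and delta_stack offsets added to mm_struct elsewhere in this patch.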
64504 -diff -urNp linux-2.6.32.46/include/linux/reboot.h linux-2.6.32.46/include/linux/reboot.h
64505 ---- linux-2.6.32.46/include/linux/reboot.h 2011-03-27 14:31:47.000000000 -0400
64506 -+++ linux-2.6.32.46/include/linux/reboot.h 2011-05-22 23:02:06.000000000 -0400
64507 -@@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64508 - * Architecture-specific implementations of sys_reboot commands.
64509 - */
64510 -
64511 --extern void machine_restart(char *cmd);
64512 --extern void machine_halt(void);
64513 --extern void machine_power_off(void);
64514 -+extern void machine_restart(char *cmd) __noreturn;
64515 -+extern void machine_halt(void) __noreturn;
64516 -+extern void machine_power_off(void) __noreturn;
64517 -
64518 - extern void machine_shutdown(void);
64519 - struct pt_regs;
64520 -@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64521 - */
64522 -
64523 - extern void kernel_restart_prepare(char *cmd);
64524 --extern void kernel_restart(char *cmd);
64525 --extern void kernel_halt(void);
64526 --extern void kernel_power_off(void);
64527 -+extern void kernel_restart(char *cmd) __noreturn;
64528 -+extern void kernel_halt(void) __noreturn;
64529 -+extern void kernel_power_off(void) __noreturn;
64530 -
64531 - void ctrl_alt_del(void);
64532 -
64533 -@@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
64534 - * Emergency restart, callable from an interrupt handler.
64535 - */
64536 -
64537 --extern void emergency_restart(void);
64538 -+extern void emergency_restart(void) __noreturn;
64539 - #include <asm/emergency-restart.h>
64540 -
64541 - #endif
64542 -diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs.h linux-2.6.32.46/include/linux/reiserfs_fs.h
64543 ---- linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-03-27 14:31:47.000000000 -0400
64544 -+++ linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-04-17 15:56:46.000000000 -0400
64545 -@@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
64546 - #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64547 -
64548 - #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64549 --#define get_generation(s) atomic_read (&fs_generation(s))
64550 -+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64551 - #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64552 - #define __fs_changed(gen,s) (gen != get_generation (s))
64553 - #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
64554 -@@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
64555 - */
64556 -
64557 - struct item_operations {
64558 -- int (*bytes_number) (struct item_head * ih, int block_size);
64559 -- void (*decrement_key) (struct cpu_key *);
64560 -- int (*is_left_mergeable) (struct reiserfs_key * ih,
64561 -+ int (* const bytes_number) (struct item_head * ih, int block_size);
64562 -+ void (* const decrement_key) (struct cpu_key *);
64563 -+ int (* const is_left_mergeable) (struct reiserfs_key * ih,
64564 - unsigned long bsize);
64565 -- void (*print_item) (struct item_head *, char *item);
64566 -- void (*check_item) (struct item_head *, char *item);
64567 -+ void (* const print_item) (struct item_head *, char *item);
64568 -+ void (* const check_item) (struct item_head *, char *item);
64569 -
64570 -- int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64571 -+ int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64572 - int is_affected, int insert_size);
64573 -- int (*check_left) (struct virtual_item * vi, int free,
64574 -+ int (* const check_left) (struct virtual_item * vi, int free,
64575 - int start_skip, int end_skip);
64576 -- int (*check_right) (struct virtual_item * vi, int free);
64577 -- int (*part_size) (struct virtual_item * vi, int from, int to);
64578 -- int (*unit_num) (struct virtual_item * vi);
64579 -- void (*print_vi) (struct virtual_item * vi);
64580 -+ int (* const check_right) (struct virtual_item * vi, int free);
64581 -+ int (* const part_size) (struct virtual_item * vi, int from, int to);
64582 -+ int (* const unit_num) (struct virtual_item * vi);
64583 -+ void (* const print_vi) (struct virtual_item * vi);
64584 - };
64585 -
64586 --extern struct item_operations *item_ops[TYPE_ANY + 1];
64587 -+extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64588 -
64589 - #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64590 - #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
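Review bot: `struct item_operations` is constified twice here. Every member becomes `(* const name)` and the table is also redeclared as `extern const struct item_operations * const item_ops[TYPE_ANY + 1];`. The const-qualified table type already prevents writes through `item_ops[i]->...`, so the per-member `const` only matters for instances reached some other way. If that is the intent, say so in a comment above the struct. Otherwise keep one of the two forms, since per-member `const` forces every instance to be fully initialised at its definition.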
64591 -diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs_sb.h linux-2.6.32.46/include/linux/reiserfs_fs_sb.h
64592 ---- linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-03-27 14:31:47.000000000 -0400
64593 -+++ linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-04-17 15:56:46.000000000 -0400
64594 -@@ -377,7 +377,7 @@ struct reiserfs_sb_info {
64595 - /* Comment? -Hans */
64596 - wait_queue_head_t s_wait;
64597 - /* To be obsoleted soon by per buffer seals.. -Hans */
64598 -- atomic_t s_generation_counter; // increased by one every time the
64599 -+ atomic_unchecked_t s_generation_counter; // increased by one every time the
64600 - // tree gets re-balanced
64601 - unsigned long s_properties; /* File system properties. Currently holds
64602 - on-disk FS format */
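Review bot: the switch of `s_generation_counter` to `atomic_unchecked_t` leaves the field comment unchanged, so nothing records why this counter is exempt from overflow checking. The reason can be read off `__fs_changed(gen,s) (gen != get_generation (s))` in reiserfs_fs.h, where the value is only compared for inequality and a wrap is harmless. That belongs in the comment next to the field, so the next reader does not convert it back or copy the pattern to a real reference count.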
64603 -diff -urNp linux-2.6.32.46/include/linux/relay.h linux-2.6.32.46/include/linux/relay.h
64604 ---- linux-2.6.32.46/include/linux/relay.h 2011-03-27 14:31:47.000000000 -0400
64605 -+++ linux-2.6.32.46/include/linux/relay.h 2011-08-05 20:33:55.000000000 -0400
64606 -@@ -159,7 +159,7 @@ struct rchan_callbacks
64607 - * The callback should return 0 if successful, negative if not.
64608 - */
64609 - int (*remove_buf_file)(struct dentry *dentry);
64610 --};
64611 -+} __no_const;
64612 -
64613 - /*
64614 - * CONFIG_RELAY kernel API, kernel/relay.c
64615 -diff -urNp linux-2.6.32.46/include/linux/rfkill.h linux-2.6.32.46/include/linux/rfkill.h
64616 ---- linux-2.6.32.46/include/linux/rfkill.h 2011-03-27 14:31:47.000000000 -0400
64617 -+++ linux-2.6.32.46/include/linux/rfkill.h 2011-08-23 21:22:38.000000000 -0400
64618 -@@ -144,6 +144,7 @@ struct rfkill_ops {
64619 - void (*query)(struct rfkill *rfkill, void *data);
64620 - int (*set_block)(void *data, bool blocked);
64621 - };
64622 -+typedef struct rfkill_ops __no_const rfkill_ops_no_const;
64623 -
64624 - #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
64625 - /**
64626 -diff -urNp linux-2.6.32.46/include/linux/sched.h linux-2.6.32.46/include/linux/sched.h
64627 ---- linux-2.6.32.46/include/linux/sched.h 2011-03-27 14:31:47.000000000 -0400
64628 -+++ linux-2.6.32.46/include/linux/sched.h 2011-08-11 19:48:55.000000000 -0400
64629 -@@ -101,6 +101,7 @@ struct bio;
64630 - struct fs_struct;
64631 - struct bts_context;
64632 - struct perf_event_context;
64633 -+struct linux_binprm;
64634 -
64635 - /*
64636 - * List of flags we want to share for kernel threads,
64637 -@@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
64638 - extern signed long schedule_timeout_uninterruptible(signed long timeout);
64639 - asmlinkage void __schedule(void);
64640 - asmlinkage void schedule(void);
64641 --extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
64642 -+extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
64643 -
64644 - struct nsproxy;
64645 - struct user_namespace;
64646 -@@ -371,9 +372,12 @@ struct user_namespace;
64647 - #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
64648 -
64649 - extern int sysctl_max_map_count;
64650 -+extern unsigned long sysctl_heap_stack_gap;
64651 -
64652 - #include <linux/aio.h>
64653 -
64654 -+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
64655 -+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
64656 - extern unsigned long
64657 - arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
64658 - unsigned long, unsigned long);
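Review bot: `check_heap_stack_gap()` and `skip_heap_stack_gap()` are declared without any description of their contract, and `sysctl_heap_stack_gap` has no stated unit. A `bool` return does not tell the caller of `check_heap_stack_gap(vma, addr, len)` whether `true` means the mapping at `addr` is acceptable or that it violates the gap, and getting that backwards in an `arch_get_unmapped_area()` implementation defeats the check silently. Add a short comment giving the meaning of the return value, what `skip_heap_stack_gap()` returns, and whether the sysctl is in bytes or pages.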
64659 -@@ -666,6 +670,16 @@ struct signal_struct {
64660 - struct tty_audit_buf *tty_audit_buf;
64661 - #endif
64662 -
64663 -+#ifdef CONFIG_GRKERNSEC
64664 -+ u32 curr_ip;
64665 -+ u32 saved_ip;
64666 -+ u32 gr_saddr;
64667 -+ u32 gr_daddr;
64668 -+ u16 gr_sport;
64669 -+ u16 gr_dport;
64670 -+ u8 used_accept:1;
64671 -+#endif
64672 -+
64673 - int oom_adj; /* OOM kill score adjustment (bit shift) */
64674 - };
64675 -
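Review bot: the connection-tracking fields added to `struct signal_struct` are typed `u32` (`curr_ip`, `saved_ip`, `gr_saddr`, `gr_daddr`) and `u16` (`gr_sport`, `gr_dport`), so they can only hold IPv4 addresses and carry no byte-order information. If they are stored in network order, declare them `__be32`/`__be16` so sparse can catch a missing conversion where they are logged or compared. Also document what is recorded for a task whose connection arrived over IPv6, because a zero address in an audit line is indistinguishable from "no connection".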
64676 -@@ -723,6 +737,11 @@ struct user_struct {
64677 - struct key *session_keyring; /* UID's default session keyring */
64678 - #endif
64679 -
64680 -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
64681 -+ unsigned int banned;
64682 -+ unsigned long ban_expires;
64683 -+#endif
64684 -+
64685 - /* Hash table maintenance information */
64686 - struct hlist_node uidhash_node;
64687 - uid_t uid;
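Review bot: `ban_expires` in `struct user_struct` has no comment giving its time base, and `banned` is an `unsigned int` with no stated range. Whether `ban_expires` is jiffies or seconds decides how it must be compared (wrap-safe `time_after()` style versus a plain comparison), so the unit should be in a comment beside the field, along with whether `banned` is a flag or a counter.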
64688 -@@ -1328,8 +1347,8 @@ struct task_struct {
64689 - struct list_head thread_group;
64690 -
64691 - struct completion *vfork_done; /* for vfork() */
64692 -- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
64693 -- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64694 -+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
64695 -+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
64696 -
64697 - cputime_t utime, stime, utimescaled, stimescaled;
64698 - cputime_t gtime;
64699 -@@ -1343,16 +1362,6 @@ struct task_struct {
64700 - struct task_cputime cputime_expires;
64701 - struct list_head cpu_timers[3];
64702 -
64703 --/* process credentials */
64704 -- const struct cred *real_cred; /* objective and real subjective task
64705 -- * credentials (COW) */
64706 -- const struct cred *cred; /* effective (overridable) subjective task
64707 -- * credentials (COW) */
64708 -- struct mutex cred_guard_mutex; /* guard against foreign influences on
64709 -- * credential calculations
64710 -- * (notably. ptrace) */
64711 -- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64712 --
64713 - char comm[TASK_COMM_LEN]; /* executable name excluding path
64714 - - access with [gs]et_task_comm (which lock
64715 - it with task_lock())
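Review bot: the credential block removed here is re-added in two separate places later in `struct task_struct`, with `real_cred`, `cred_guard_mutex` and `replacement_session_keyring` in one hunk and `cred` alone in another, and none of the three hunks says why. A layout change that deliberately separates `cred` from `real_cred` looks like accidental churn to anyone tidying the struct later. Add a comment at both new locations stating that the position is intentional and what it is meant to achieve.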
64716 -@@ -1369,6 +1378,10 @@ struct task_struct {
64717 - #endif
64718 - /* CPU-specific state of this task */
64719 - struct thread_struct thread;
64720 -+/* thread_info moved to task_struct */
64721 -+#ifdef CONFIG_X86
64722 -+ struct thread_info tinfo;
64723 -+#endif
64724 - /* filesystem information */
64725 - struct fs_struct *fs;
64726 - /* open file information */
64727 -@@ -1436,6 +1449,15 @@ struct task_struct {
64728 - int hardirq_context;
64729 - int softirq_context;
64730 - #endif
64731 -+
64732 -+/* process credentials */
64733 -+ const struct cred *real_cred; /* objective and real subjective task
64734 -+ * credentials (COW) */
64735 -+ struct mutex cred_guard_mutex; /* guard against foreign influences on
64736 -+ * credential calculations
64737 -+ * (notably. ptrace) */
64738 -+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
64739 -+
64740 - #ifdef CONFIG_LOCKDEP
64741 - # define MAX_LOCK_DEPTH 48UL
64742 - u64 curr_chain_key;
64743 -@@ -1456,6 +1478,9 @@ struct task_struct {
64744 -
64745 - struct backing_dev_info *backing_dev_info;
64746 -
64747 -+ const struct cred *cred; /* effective (overridable) subjective task
64748 -+ * credentials (COW) */
64749 -+
64750 - struct io_context *io_context;
64751 -
64752 - unsigned long ptrace_message;
64753 -@@ -1519,6 +1544,21 @@ struct task_struct {
64754 - unsigned long default_timer_slack_ns;
64755 -
64756 - struct list_head *scm_work_list;
64757 -+
64758 -+#ifdef CONFIG_GRKERNSEC
64759 -+ /* grsecurity */
64760 -+ struct dentry *gr_chroot_dentry;
64761 -+ struct acl_subject_label *acl;
64762 -+ struct acl_role_label *role;
64763 -+ struct file *exec_file;
64764 -+ u16 acl_role_id;
64765 -+ /* is this the task that authenticated to the special role */
64766 -+ u8 acl_sp_role;
64767 -+ u8 is_writable;
64768 -+ u8 brute;
64769 -+ u8 gr_is_chrooted;
64770 -+#endif
64771 -+
64772 - #ifdef CONFIG_FUNCTION_GRAPH_TRACER
64773 - /* Index of current stored adress in ret_stack */
64774 - int curr_ret_stack;
64775 -@@ -1542,6 +1582,57 @@ struct task_struct {
64776 - #endif /* CONFIG_TRACING */
64777 - };
64778 -
64779 -+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
64780 -+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
64781 -+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
64782 -+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
64783 -+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
64784 -+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
64785 -+
64786 -+#ifdef CONFIG_PAX_SOFTMODE
64787 -+extern int pax_softmode;
64788 -+#endif
64789 -+
64790 -+extern int pax_check_flags(unsigned long *);
64791 -+
64792 -+/* if tsk != current then task_lock must be held on it */
64793 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64794 -+static inline unsigned long pax_get_flags(struct task_struct *tsk)
64795 -+{
64796 -+ if (likely(tsk->mm))
64797 -+ return tsk->mm->pax_flags;
64798 -+ else
64799 -+ return 0UL;
64800 -+}
64801 -+
64802 -+/* if tsk != current then task_lock must be held on it */
64803 -+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
64804 -+{
64805 -+ if (likely(tsk->mm)) {
64806 -+ tsk->mm->pax_flags = flags;
64807 -+ return 0;
64808 -+ }
64809 -+ return -EINVAL;
64810 -+}
64811 -+#endif
64812 -+
64813 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
64814 -+extern void pax_set_initial_flags(struct linux_binprm *bprm);
64815 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
64816 -+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
64817 -+#endif
64818 -+
64819 -+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
64820 -+extern void pax_report_insns(void *pc, void *sp);
64821 -+extern void pax_report_refcount_overflow(struct pt_regs *regs);
64822 -+extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
64823 -+
64824 -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
64825 -+extern void pax_track_stack(void);
64826 -+#else
64827 -+static inline void pax_track_stack(void) {}
64828 -+#endif
64829 -+
64830 - /* Future-safe accessor for struct task_struct's cpus_allowed. */
64831 - #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
64832 -
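Review bot: `pax_get_flags()` and `pax_set_flags()` are only defined under `#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)` with no `#else` stubs, while `pax_check_flags()` and the `pax_report_*()` functions are declared unconditionally. Callers therefore need their own `#ifdef` around every use of the accessors. Either provide stubs (returning `0UL` and `-EINVAL`) or guard the other declarations the same way. The locking rule "if tsk != current then task_lock must be held on it" is also enforced only by the comment, and `pax_set_flags()` returns `long` for a value that is always `0` or `-EINVAL`, so `int` would match the rest of the header.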
64833 -@@ -1740,7 +1831,7 @@ extern void thread_group_times(struct ta
64834 - #define PF_DUMPCORE 0x00000200 /* dumped core */
64835 - #define PF_SIGNALED 0x00000400 /* killed by a signal */
64836 - #define PF_MEMALLOC 0x00000800 /* Allocating memory */
64837 --#define PF_FLUSHER 0x00001000 /* responsible for disk writeback */
64838 -+#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
64839 - #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
64840 - #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
64841 - #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
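Review bot: `PF_NPROC_EXCEEDED` takes over bit `0x00001000` by deleting the `PF_FLUSHER` definition rather than using a free bit. Removing the old name means any remaining user of `PF_FLUSHER` fails to build, which is the safe failure, but the patch should state that no setter or tester of that flag remains in this tree. A task that still had the bit set with the old meaning would otherwise be treated as having exceeded `RLIMIT_NPROC`.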
64842 -@@ -1978,7 +2069,9 @@ void yield(void);
64843 - extern struct exec_domain default_exec_domain;
64844 -
64845 - union thread_union {
64846 -+#ifndef CONFIG_X86
64847 - struct thread_info thread_info;
64848 -+#endif
64849 - unsigned long stack[THREAD_SIZE/sizeof(long)];
64850 - };
64851 -
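Review bot: with `struct thread_info thread_info;` placed under `#ifndef CONFIG_X86`, `union thread_union` is left with the single member `stack[]` on x86, and any code that names the `thread_info` member of the union stops compiling there. The earlier hunk that embeds `struct thread_info tinfo;` in `struct task_struct` only says "thread_info moved to task_struct". A comment on the union explaining that the stack no longer starts with `thread_info` on x86, and why, would make the dependency between the two hunks visible.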
64852 -@@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
64853 - */
64854 -
64855 - extern struct task_struct *find_task_by_vpid(pid_t nr);
64856 -+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
64857 - extern struct task_struct *find_task_by_pid_ns(pid_t nr,
64858 - struct pid_namespace *ns);
64859 -
64860 -@@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
64861 - extern void exit_itimers(struct signal_struct *);
64862 - extern void flush_itimer_signals(void);
64863 -
64864 --extern NORET_TYPE void do_group_exit(int);
64865 -+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
64866 -
64867 - extern void daemonize(const char *, ...);
64868 - extern int allow_signal(int);
64869 -@@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
64870 -
64871 - #endif
64872 -
64873 --static inline int object_is_on_stack(void *obj)
64874 -+static inline int object_starts_on_stack(void *obj)
64875 - {
64876 -- void *stack = task_stack_page(current);
64877 -+ const void *stack = task_stack_page(current);
64878 -
64879 - return (obj >= stack) && (obj < (stack + THREAD_SIZE));
64880 - }
64881 -
64882 -+#ifdef CONFIG_PAX_USERCOPY
64883 -+extern int object_is_on_stack(const void *obj, unsigned long len);
64884 -+#endif
64885 -+
64886 - extern void thread_info_cache_init(void);
64887 -
64888 - #ifdef CONFIG_DEBUG_STACK_USAGE
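Review bot: the name `object_is_on_stack` is reused for a function with a different signature, `(const void *obj, unsigned long len)`, that exists only under `CONFIG_PAX_USERCOPY`, while the original one-argument helper becomes `object_starts_on_stack()`. Callers of the old name now break in both configurations: with the option off the symbol is gone, with it on the argument count is wrong. Keeping the old name for the old semantics and giving the length-aware check a new name would avoid that. The new declaration also needs a comment on its `int` return value, since a length-aware check has more than two outcomes (fully on the stack, not on it, partially overlapping). `object_starts_on_stack()` should take `const void *obj` to match.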
64889 -diff -urNp linux-2.6.32.46/include/linux/screen_info.h linux-2.6.32.46/include/linux/screen_info.h
64890 ---- linux-2.6.32.46/include/linux/screen_info.h 2011-03-27 14:31:47.000000000 -0400
64891 -+++ linux-2.6.32.46/include/linux/screen_info.h 2011-04-17 15:56:46.000000000 -0400
64892 -@@ -42,7 +42,8 @@ struct screen_info {
64893 - __u16 pages; /* 0x32 */
64894 - __u16 vesa_attributes; /* 0x34 */
64895 - __u32 capabilities; /* 0x36 */
64896 -- __u8 _reserved[6]; /* 0x3a */
64897 -+ __u16 vesapm_size; /* 0x3a */
64898 -+ __u8 _reserved[4]; /* 0x3c */
64899 - } __attribute__((packed));
64900 -
64901 - #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
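Review bot: `vesapm_size` is carved out of `_reserved` without a unit or any indication of who fills it in. The layout itself is preserved (2 + 4 bytes replace the former 6, and the struct is `packed`), so the offsets in the comments are right. Add to the field comment whether the size is in bytes or another unit and what a zero value means, because the field sits in space that was previously reserved and may arrive uninitialised.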
64902 -diff -urNp linux-2.6.32.46/include/linux/security.h linux-2.6.32.46/include/linux/security.h
64903 ---- linux-2.6.32.46/include/linux/security.h 2011-03-27 14:31:47.000000000 -0400
64904 -+++ linux-2.6.32.46/include/linux/security.h 2011-04-17 15:56:46.000000000 -0400
64905 -@@ -34,6 +34,7 @@
64906 - #include <linux/key.h>
64907 - #include <linux/xfrm.h>
64908 - #include <linux/gfp.h>
64909 -+#include <linux/grsecurity.h>
64910 - #include <net/flow.h>
64911 -
64912 - /* Maximum number of letters for an LSM name string */
64913 -diff -urNp linux-2.6.32.46/include/linux/seq_file.h linux-2.6.32.46/include/linux/seq_file.h
64914 ---- linux-2.6.32.46/include/linux/seq_file.h 2011-03-27 14:31:47.000000000 -0400
64915 -+++ linux-2.6.32.46/include/linux/seq_file.h 2011-08-23 21:22:38.000000000 -0400
64916 -@@ -32,6 +32,7 @@ struct seq_operations {
64917 - void * (*next) (struct seq_file *m, void *v, loff_t *pos);
64918 - int (*show) (struct seq_file *m, void *v);
64919 - };
64920 -+typedef struct seq_operations __no_const seq_operations_no_const;
64921 -
64922 - #define SEQ_SKIP 1
64923 -
64924 -diff -urNp linux-2.6.32.46/include/linux/shm.h linux-2.6.32.46/include/linux/shm.h
64925 ---- linux-2.6.32.46/include/linux/shm.h 2011-03-27 14:31:47.000000000 -0400
64926 -+++ linux-2.6.32.46/include/linux/shm.h 2011-04-17 15:56:46.000000000 -0400
64927 -@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
64928 - pid_t shm_cprid;
64929 - pid_t shm_lprid;
64930 - struct user_struct *mlock_user;
64931 -+#ifdef CONFIG_GRKERNSEC
64932 -+ time_t shm_createtime;
64933 -+ pid_t shm_lapid;
64934 -+#endif
64935 - };
64936 -
64937 - /* shm_mode upper byte flags */
64938 -diff -urNp linux-2.6.32.46/include/linux/skbuff.h linux-2.6.32.46/include/linux/skbuff.h
64939 ---- linux-2.6.32.46/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400
64940 -+++ linux-2.6.32.46/include/linux/skbuff.h 2011-08-21 15:27:56.000000000 -0400
64941 -@@ -14,6 +14,7 @@
64942 - #ifndef _LINUX_SKBUFF_H
64943 - #define _LINUX_SKBUFF_H
64944 -
64945 -+#include <linux/const.h>
64946 - #include <linux/kernel.h>
64947 - #include <linux/kmemcheck.h>
64948 - #include <linux/compiler.h>
64949 -@@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
64950 - */
64951 - static inline int skb_queue_empty(const struct sk_buff_head *list)
64952 - {
64953 -- return list->next == (struct sk_buff *)list;
64954 -+ return list->next == (const struct sk_buff *)list;
64955 - }
64956 -
64957 - /**
64958 -@@ -557,7 +558,7 @@ static inline int skb_queue_empty(const
64959 - static inline bool skb_queue_is_last(const struct sk_buff_head *list,
64960 - const struct sk_buff *skb)
64961 - {
64962 -- return (skb->next == (struct sk_buff *) list);
64963 -+ return (skb->next == (const struct sk_buff *) list);
64964 - }
64965 -
64966 - /**
64967 -@@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
64968 - static inline bool skb_queue_is_first(const struct sk_buff_head *list,
64969 - const struct sk_buff *skb)
64970 - {
64971 -- return (skb->prev == (struct sk_buff *) list);
64972 -+ return (skb->prev == (const struct sk_buff *) list);
64973 - }
64974 -
64975 - /**
64976 -@@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
64977 - * headroom, you should not reduce this.
64978 - */
64979 - #ifndef NET_SKB_PAD
64980 --#define NET_SKB_PAD 32
64981 -+#define NET_SKB_PAD (_AC(32,UL))
64982 - #endif
64983 -
64984 - extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
64985 -diff -urNp linux-2.6.32.46/include/linux/slab.h linux-2.6.32.46/include/linux/slab.h
64986 ---- linux-2.6.32.46/include/linux/slab.h 2011-03-27 14:31:47.000000000 -0400
64987 -+++ linux-2.6.32.46/include/linux/slab.h 2011-04-17 15:56:46.000000000 -0400
64988 -@@ -11,12 +11,20 @@
64989 -
64990 - #include <linux/gfp.h>
64991 - #include <linux/types.h>
64992 -+#include <linux/err.h>
64993 -
64994 - /*
64995 - * Flags to pass to kmem_cache_create().
64996 - * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
64997 - */
64998 - #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
64999 -+
65000 -+#ifdef CONFIG_PAX_USERCOPY
65001 -+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
65002 -+#else
65003 -+#define SLAB_USERCOPY 0x00000000UL
65004 -+#endif
65005 -+
65006 - #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
65007 - #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
65008 - #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
65009 -@@ -82,10 +90,13 @@
65010 - * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
65011 - * Both make kfree a no-op.
65012 - */
65013 --#define ZERO_SIZE_PTR ((void *)16)
65014 -+#define ZERO_SIZE_PTR \
65015 -+({ \
65016 -+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
65017 -+ (void *)(-MAX_ERRNO-1L); \
65018 -+})
65019 -
65020 --#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
65021 -- (unsigned long)ZERO_SIZE_PTR)
65022 -+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
65023 -
65024 - /*
65025 - * struct kmem_cache related prototypes
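Review bot: the new `ZERO_OR_NULL_PTR(x)` relies on unsigned wrap-around and no longer tests what its name says, and neither is documented. `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1` is true for NULL (the subtraction wraps to the maximum value), for `ZERO_SIZE_PTR` itself, and for every address above it, which with `ZERO_SIZE_PTR` defined as `(void *)(-MAX_ERRNO-1L)` covers the whole error-pointer range. That may well be the intent, but it needs a comment, as does the unexplained `BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK))`. Note too that `ZERO_SIZE_PTR` is now a statement expression, so it can no longer appear in a static initialiser or any other place that requires a constant expression.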
65026 -@@ -138,6 +149,7 @@ void * __must_check krealloc(const void
65027 - void kfree(const void *);
65028 - void kzfree(const void *);
65029 - size_t ksize(const void *);
65030 -+void check_object_size(const void *ptr, unsigned long n, bool to);
65031 -
65032 - /*
65033 - * Allocator specific definitions. These are mainly used to establish optimized
65034 -@@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
65035 -
65036 - void __init kmem_cache_init_late(void);
65037 -
65038 -+#define kmalloc(x, y) \
65039 -+({ \
65040 -+ void *___retval; \
65041 -+ intoverflow_t ___x = (intoverflow_t)x; \
65042 -+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
65043 -+ ___retval = NULL; \
65044 -+ else \
65045 -+ ___retval = kmalloc((size_t)___x, (y)); \
65046 -+ ___retval; \
65047 -+})
65048 -+
65049 -+#define kmalloc_node(x, y, z) \
65050 -+({ \
65051 -+ void *___retval; \
65052 -+ intoverflow_t ___x = (intoverflow_t)x; \
65053 -+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
65054 -+ ___retval = NULL; \
65055 -+ else \
65056 -+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
65057 -+ ___retval; \
65058 -+})
65059 -+
65060 -+#define kzalloc(x, y) \
65061 -+({ \
65062 -+ void *___retval; \
65063 -+ intoverflow_t ___x = (intoverflow_t)x; \
65064 -+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
65065 -+ ___retval = NULL; \
65066 -+ else \
65067 -+ ___retval = kzalloc((size_t)___x, (y)); \
65068 -+ ___retval; \
65069 -+})
65070 -+
65071 - #endif /* _LINUX_SLAB_H */
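Review bot: in all three wrappers the size argument is cast as `(intoverflow_t)x` without parentheses around `x`, while `(y)` and `(z)` are parenthesised. If this is deliberate, so that for an argument like `n * size` the cast binds to `n` and the product is computed in `intoverflow_t`, it must be stated in a comment, because it reads as a macro-hygiene bug and the obvious "fix" of writing `(x)` would disable the overflow check. The check is also partial: for an argument such as `a + n * size` only `a` is widened and `n * size` is still evaluated in its original type. Finally, `WARN()` fires on every oversized request, so a size that userspace can influence gives an unprivileged caller a way to flood the log. A rate-limited or once-only warning would be safer.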
65072 -diff -urNp linux-2.6.32.46/include/linux/slab_def.h linux-2.6.32.46/include/linux/slab_def.h
65073 ---- linux-2.6.32.46/include/linux/slab_def.h 2011-03-27 14:31:47.000000000 -0400
65074 -+++ linux-2.6.32.46/include/linux/slab_def.h 2011-05-04 17:56:28.000000000 -0400
65075 -@@ -69,10 +69,10 @@ struct kmem_cache {
65076 - unsigned long node_allocs;
65077 - unsigned long node_frees;
65078 - unsigned long node_overflow;
65079 -- atomic_t allochit;
65080 -- atomic_t allocmiss;
65081 -- atomic_t freehit;
65082 -- atomic_t freemiss;
65083 -+ atomic_unchecked_t allochit;
65084 -+ atomic_unchecked_t allocmiss;
65085 -+ atomic_unchecked_t freehit;
65086 -+ atomic_unchecked_t freemiss;
65087 -
65088 - /*
65089 - * If debugging is enabled, then the allocator can add additional
65090 -diff -urNp linux-2.6.32.46/include/linux/slub_def.h linux-2.6.32.46/include/linux/slub_def.h
65091 ---- linux-2.6.32.46/include/linux/slub_def.h 2011-03-27 14:31:47.000000000 -0400
65092 -+++ linux-2.6.32.46/include/linux/slub_def.h 2011-08-05 20:33:55.000000000 -0400
65093 -@@ -86,7 +86,7 @@ struct kmem_cache {
65094 - struct kmem_cache_order_objects max;
65095 - struct kmem_cache_order_objects min;
65096 - gfp_t allocflags; /* gfp flags to use on each alloc */
65097 -- int refcount; /* Refcount for slab cache destroy */
65098 -+ atomic_t refcount; /* Refcount for slab cache destroy */
65099 - void (*ctor)(void *);
65100 - int inuse; /* Offset to metadata */
65101 - int align; /* Alignment */
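Review bot: `refcount` changes from `int` to `atomic_t` with the comment left as "Refcount for slab cache destroy", so the reason for the change is not recorded. The neighbouring slab_def.h hunk moves its hit/miss statistics to `atomic_unchecked_t`, whereas this field uses the checked type. A short note that this is a real reference count that must not wrap would explain the difference and stop someone from "harmonising" it with the statistics counters.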
65102 -@@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
65103 - #endif
65104 -
65105 - void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
65106 --void *__kmalloc(size_t size, gfp_t flags);
65107 -+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
65108 -
65109 - #ifdef CONFIG_KMEMTRACE
65110 - extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
65111 -diff -urNp linux-2.6.32.46/include/linux/sonet.h linux-2.6.32.46/include/linux/sonet.h
65112 ---- linux-2.6.32.46/include/linux/sonet.h 2011-03-27 14:31:47.000000000 -0400
65113 -+++ linux-2.6.32.46/include/linux/sonet.h 2011-04-17 15:56:46.000000000 -0400
65114 -@@ -61,7 +61,7 @@ struct sonet_stats {
65115 - #include <asm/atomic.h>
65116 -
65117 - struct k_sonet_stats {
65118 --#define __HANDLE_ITEM(i) atomic_t i
65119 -+#define __HANDLE_ITEM(i) atomic_unchecked_t i
65120 - __SONET_ITEMS
65121 - #undef __HANDLE_ITEM
65122 - };
65123 -diff -urNp linux-2.6.32.46/include/linux/sunrpc/cache.h linux-2.6.32.46/include/linux/sunrpc/cache.h
65124 ---- linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-03-27 14:31:47.000000000 -0400
65125 -+++ linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-08-05 20:33:55.000000000 -0400
65126 -@@ -125,7 +125,7 @@ struct cache_detail {
65127 - */
65128 - struct cache_req {
65129 - struct cache_deferred_req *(*defer)(struct cache_req *req);
65130 --};
65131 -+} __no_const;
65132 - /* this must be embedded in a deferred_request that is being
65133 - * delayed awaiting cache-fill
65134 - */
65135 -diff -urNp linux-2.6.32.46/include/linux/sunrpc/clnt.h linux-2.6.32.46/include/linux/sunrpc/clnt.h
65136 ---- linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-03-27 14:31:47.000000000 -0400
65137 -+++ linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-04-17 15:56:46.000000000 -0400
65138 -@@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
65139 - {
65140 - switch (sap->sa_family) {
65141 - case AF_INET:
65142 -- return ntohs(((struct sockaddr_in *)sap)->sin_port);
65143 -+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65144 - case AF_INET6:
65145 -- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65146 -+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65147 - }
65148 - return 0;
65149 - }
65150 -@@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
65151 - static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65152 - const struct sockaddr *src)
65153 - {
65154 -- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65155 -+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65156 - struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65157 -
65158 - dsin->sin_family = ssin->sin_family;
65159 -@@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
65160 - if (sa->sa_family != AF_INET6)
65161 - return 0;
65162 -
65163 -- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65164 -+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65165 - }
65166 -
65167 - #endif /* __KERNEL__ */
65168 -diff -urNp linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h
65169 ---- linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-03-27 14:31:47.000000000 -0400
65170 -+++ linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-05-04 17:56:28.000000000 -0400
65171 -@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65172 - extern unsigned int svcrdma_max_requests;
65173 - extern unsigned int svcrdma_max_req_size;
65174 -
65175 --extern atomic_t rdma_stat_recv;
65176 --extern atomic_t rdma_stat_read;
65177 --extern atomic_t rdma_stat_write;
65178 --extern atomic_t rdma_stat_sq_starve;
65179 --extern atomic_t rdma_stat_rq_starve;
65180 --extern atomic_t rdma_stat_rq_poll;
65181 --extern atomic_t rdma_stat_rq_prod;
65182 --extern atomic_t rdma_stat_sq_poll;
65183 --extern atomic_t rdma_stat_sq_prod;
65184 -+extern atomic_unchecked_t rdma_stat_recv;
65185 -+extern atomic_unchecked_t rdma_stat_read;
65186 -+extern atomic_unchecked_t rdma_stat_write;
65187 -+extern atomic_unchecked_t rdma_stat_sq_starve;
65188 -+extern atomic_unchecked_t rdma_stat_rq_starve;
65189 -+extern atomic_unchecked_t rdma_stat_rq_poll;
65190 -+extern atomic_unchecked_t rdma_stat_rq_prod;
65191 -+extern atomic_unchecked_t rdma_stat_sq_poll;
65192 -+extern atomic_unchecked_t rdma_stat_sq_prod;
65193 -
65194 - #define RPCRDMA_VERSION 1
65195 -
65196 -diff -urNp linux-2.6.32.46/include/linux/suspend.h linux-2.6.32.46/include/linux/suspend.h
65197 ---- linux-2.6.32.46/include/linux/suspend.h 2011-03-27 14:31:47.000000000 -0400
65198 -+++ linux-2.6.32.46/include/linux/suspend.h 2011-04-17 15:56:46.000000000 -0400
65199 -@@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
65200 - * which require special recovery actions in that situation.
65201 - */
65202 - struct platform_suspend_ops {
65203 -- int (*valid)(suspend_state_t state);
65204 -- int (*begin)(suspend_state_t state);
65205 -- int (*prepare)(void);
65206 -- int (*prepare_late)(void);
65207 -- int (*enter)(suspend_state_t state);
65208 -- void (*wake)(void);
65209 -- void (*finish)(void);
65210 -- void (*end)(void);
65211 -- void (*recover)(void);
65212 -+ int (* const valid)(suspend_state_t state);
65213 -+ int (* const begin)(suspend_state_t state);
65214 -+ int (* const prepare)(void);
65215 -+ int (* const prepare_late)(void);
65216 -+ int (* const enter)(suspend_state_t state);
65217 -+ void (* const wake)(void);
65218 -+ void (* const finish)(void);
65219 -+ void (* const end)(void);
65220 -+ void (* const recover)(void);
65221 - };
65222 -
65223 - #ifdef CONFIG_SUSPEND
65224 -@@ -120,7 +120,7 @@ struct platform_suspend_ops {
65225 - * suspend_set_ops - set platform dependent suspend operations
65226 - * @ops: The new suspend operations to set.
65227 - */
65228 --extern void suspend_set_ops(struct platform_suspend_ops *ops);
65229 -+extern void suspend_set_ops(const struct platform_suspend_ops *ops);
65230 - extern int suspend_valid_only_mem(suspend_state_t state);
65231 -
65232 - /**
65233 -@@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
65234 - #else /* !CONFIG_SUSPEND */
65235 - #define suspend_valid_only_mem NULL
65236 -
65237 --static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
65238 -+static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
65239 - static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
65240 - #endif /* !CONFIG_SUSPEND */
65241 -
65242 -@@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
65243 - * platforms which require special recovery actions in that situation.
65244 - */
65245 - struct platform_hibernation_ops {
65246 -- int (*begin)(void);
65247 -- void (*end)(void);
65248 -- int (*pre_snapshot)(void);
65249 -- void (*finish)(void);
65250 -- int (*prepare)(void);
65251 -- int (*enter)(void);
65252 -- void (*leave)(void);
65253 -- int (*pre_restore)(void);
65254 -- void (*restore_cleanup)(void);
65255 -- void (*recover)(void);
65256 -+ int (* const begin)(void);
65257 -+ void (* const end)(void);
65258 -+ int (* const pre_snapshot)(void);
65259 -+ void (* const finish)(void);
65260 -+ int (* const prepare)(void);
65261 -+ int (* const enter)(void);
65262 -+ void (* const leave)(void);
65263 -+ int (* const pre_restore)(void);
65264 -+ void (* const restore_cleanup)(void);
65265 -+ void (* const recover)(void);
65266 - };
65267 -
65268 - #ifdef CONFIG_HIBERNATION
65269 -@@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
65270 - extern void swsusp_unset_page_free(struct page *);
65271 - extern unsigned long get_safe_page(gfp_t gfp_mask);
65272 -
65273 --extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
65274 -+extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
65275 - extern int hibernate(void);
65276 - extern bool system_entering_hibernation(void);
65277 - #else /* CONFIG_HIBERNATION */
65278 -@@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
65279 - static inline void swsusp_set_page_free(struct page *p) {}
65280 - static inline void swsusp_unset_page_free(struct page *p) {}
65281 -
65282 --static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
65283 -+static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
65284 - static inline int hibernate(void) { return -ENOSYS; }
65285 - static inline bool system_entering_hibernation(void) { return false; }
65286 - #endif /* CONFIG_HIBERNATION */
65287 -diff -urNp linux-2.6.32.46/include/linux/sysctl.h linux-2.6.32.46/include/linux/sysctl.h
65288 ---- linux-2.6.32.46/include/linux/sysctl.h 2011-03-27 14:31:47.000000000 -0400
65289 -+++ linux-2.6.32.46/include/linux/sysctl.h 2011-04-17 15:56:46.000000000 -0400
65290 -@@ -164,7 +164,11 @@ enum
65291 - KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65292 - };
65293 -
65294 --
65295 -+#ifdef CONFIG_PAX_SOFTMODE
65296 -+enum {
65297 -+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65298 -+};
65299 -+#endif
65300 -
65301 - /* CTL_VM names: */
65302 - enum
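Review bot: the new anonymous enum carrying PAX_SOFTMODE=1 has no comment naming the sysctl table it indexes, whereas the neighbouring enum is introduced by one (/* CTL_VM names: */). Please add the equivalent comment so a reader can tell which binary sysctl namespace the value 1 belongs to and check it against the other IDs there.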
65303 -@@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
65304 -
65305 - extern int proc_dostring(struct ctl_table *, int,
65306 - void __user *, size_t *, loff_t *);
65307 -+extern int proc_dostring_modpriv(struct ctl_table *, int,
65308 -+ void __user *, size_t *, loff_t *);
65309 - extern int proc_dointvec(struct ctl_table *, int,
65310 - void __user *, size_t *, loff_t *);
65311 - extern int proc_dointvec_minmax(struct ctl_table *, int,
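Review bot: proc_dostring_modpriv is declared with exactly the same signature as proc_dostring and nothing at the declaration says how the two differ. A one-line comment describing the restriction the name suggests, and which tables are expected to use it, would keep callers from picking the plain handler by habit.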
65312 -@@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
65313 -
65314 - extern ctl_handler sysctl_data;
65315 - extern ctl_handler sysctl_string;
65316 -+extern ctl_handler sysctl_string_modpriv;
65317 - extern ctl_handler sysctl_intvec;
65318 - extern ctl_handler sysctl_jiffies;
65319 - extern ctl_handler sysctl_ms_jiffies;
65320 -diff -urNp linux-2.6.32.46/include/linux/sysfs.h linux-2.6.32.46/include/linux/sysfs.h
65321 ---- linux-2.6.32.46/include/linux/sysfs.h 2011-03-27 14:31:47.000000000 -0400
65322 -+++ linux-2.6.32.46/include/linux/sysfs.h 2011-04-17 15:56:46.000000000 -0400
65323 -@@ -75,8 +75,8 @@ struct bin_attribute {
65324 - };
65325 -
65326 - struct sysfs_ops {
65327 -- ssize_t (*show)(struct kobject *, struct attribute *,char *);
65328 -- ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65329 -+ ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65330 -+ ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65331 - };
65332 -
65333 - struct sysfs_dirent;
65334 -diff -urNp linux-2.6.32.46/include/linux/thread_info.h linux-2.6.32.46/include/linux/thread_info.h
65335 ---- linux-2.6.32.46/include/linux/thread_info.h 2011-03-27 14:31:47.000000000 -0400
65336 -+++ linux-2.6.32.46/include/linux/thread_info.h 2011-04-17 15:56:46.000000000 -0400
65337 -@@ -23,7 +23,7 @@ struct restart_block {
65338 - };
65339 - /* For futex_wait and futex_wait_requeue_pi */
65340 - struct {
65341 -- u32 *uaddr;
65342 -+ u32 __user *uaddr;
65343 - u32 val;
65344 - u32 flags;
65345 - u32 bitset;
65346 -diff -urNp linux-2.6.32.46/include/linux/tty.h linux-2.6.32.46/include/linux/tty.h
65347 ---- linux-2.6.32.46/include/linux/tty.h 2011-03-27 14:31:47.000000000 -0400
65348 -+++ linux-2.6.32.46/include/linux/tty.h 2011-08-05 20:33:55.000000000 -0400
65349 -@@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
65350 - /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65351 - extern void tty_ldisc_enable(struct tty_struct *tty);
65352 -
65353 --
65354 - /* n_tty.c */
65355 - extern struct tty_ldisc_ops tty_ldisc_N_TTY;
65356 -
65357 -diff -urNp linux-2.6.32.46/include/linux/tty_ldisc.h linux-2.6.32.46/include/linux/tty_ldisc.h
65358 ---- linux-2.6.32.46/include/linux/tty_ldisc.h 2011-03-27 14:31:47.000000000 -0400
65359 -+++ linux-2.6.32.46/include/linux/tty_ldisc.h 2011-04-17 15:56:46.000000000 -0400
65360 -@@ -139,7 +139,7 @@ struct tty_ldisc_ops {
65361 -
65362 - struct module *owner;
65363 -
65364 -- int refcount;
65365 -+ atomic_t refcount;
65366 - };
65367 -
65368 - struct tty_ldisc {
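Review bot: refcount in struct tty_ldisc_ops changes from int to atomic_t, so every existing increment, decrement and plain read of the field has to move to the atomic_* accessors in the same patch, and none of those call sites are in this header hunk. Please confirm they are all converted. Note also that the field is atomic_t rather than atomic_unchecked_t, so it stays on the checked side of the split that the types.h hunk introduces; a short comment saying that this is intended would help.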
65369 -diff -urNp linux-2.6.32.46/include/linux/types.h linux-2.6.32.46/include/linux/types.h
65370 ---- linux-2.6.32.46/include/linux/types.h 2011-03-27 14:31:47.000000000 -0400
65371 -+++ linux-2.6.32.46/include/linux/types.h 2011-04-17 15:56:46.000000000 -0400
65372 -@@ -191,10 +191,26 @@ typedef struct {
65373 - volatile int counter;
65374 - } atomic_t;
65375 -
65376 -+#ifdef CONFIG_PAX_REFCOUNT
65377 -+typedef struct {
65378 -+ volatile int counter;
65379 -+} atomic_unchecked_t;
65380 -+#else
65381 -+typedef atomic_t atomic_unchecked_t;
65382 -+#endif
65383 -+
65384 - #ifdef CONFIG_64BIT
65385 - typedef struct {
65386 - volatile long counter;
65387 - } atomic64_t;
65388 -+
65389 -+#ifdef CONFIG_PAX_REFCOUNT
65390 -+typedef struct {
65391 -+ volatile long counter;
65392 -+} atomic64_unchecked_t;
65393 -+#else
65394 -+typedef atomic64_t atomic64_unchecked_t;
65395 -+#endif
65396 - #endif
65397 -
65398 - struct ustat {
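Review bot: in the #else branches atomic_unchecked_t and atomic64_unchecked_t are plain typedefs of atomic_t and atomic64_t, so with CONFIG_PAX_REFCOUNT unset, passing one where the other is expected compiles cleanly and a mismatch only shows up in REFCOUNT builds. The types are also added with no comment on when a counter qualifies as unchecked. A short rule above the first typedef, with the vm_stat and rt_genid conversions later in this patch as examples, would give reviewers something to check new conversions against.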
65399 -diff -urNp linux-2.6.32.46/include/linux/uaccess.h linux-2.6.32.46/include/linux/uaccess.h
65400 ---- linux-2.6.32.46/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
65401 -+++ linux-2.6.32.46/include/linux/uaccess.h 2011-10-06 09:37:14.000000000 -0400
65402 -@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65403 - long ret; \
65404 - mm_segment_t old_fs = get_fs(); \
65405 - \
65406 -- set_fs(KERNEL_DS); \
65407 - pagefault_disable(); \
65408 -- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65409 -- pagefault_enable(); \
65410 -+ set_fs(KERNEL_DS); \
65411 -+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
65412 - set_fs(old_fs); \
65413 -+ pagefault_enable(); \
65414 - ret; \
65415 - })
65416 -
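Review bot: the reordering in this macro makes the two pairs nest (pagefault_disable, set_fs(KERNEL_DS), the copy, set_fs(old_fs), pagefault_enable), but nothing records why the order matters, and a later cleanup could swap them back without anyone noticing. Please add a comment inside the macro stating the intended nesting. The cast also changes from "__force typeof(retval) __user *" to "typeof(retval) __force_user *", and __force_user is not defined in this header; the hunk should make clear where that annotation comes from.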
65417 -@@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
65418 - * Safely read from address @src to the buffer at @dst. If a kernel fault
65419 - * happens, handle that and return -EFAULT.
65420 - */
65421 --extern long probe_kernel_read(void *dst, void *src, size_t size);
65422 -+extern long probe_kernel_read(void *dst, const void *src, size_t size);
65423 -
65424 - /*
65425 - * probe_kernel_write(): safely attempt to write to a location
65426 -@@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
65427 - * Safely write to address @dst from the buffer at @src. If a kernel fault
65428 - * happens, handle that and return -EFAULT.
65429 - */
65430 --extern long probe_kernel_write(void *dst, void *src, size_t size);
65431 -+extern long probe_kernel_write(void *dst, const void *src, size_t size);
65432 -
65433 - #endif /* __LINUX_UACCESS_H__ */
65434 -diff -urNp linux-2.6.32.46/include/linux/unaligned/access_ok.h linux-2.6.32.46/include/linux/unaligned/access_ok.h
65435 ---- linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-03-27 14:31:47.000000000 -0400
65436 -+++ linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-04-17 15:56:46.000000000 -0400
65437 -@@ -6,32 +6,32 @@
65438 -
65439 - static inline u16 get_unaligned_le16(const void *p)
65440 - {
65441 -- return le16_to_cpup((__le16 *)p);
65442 -+ return le16_to_cpup((const __le16 *)p);
65443 - }
65444 -
65445 - static inline u32 get_unaligned_le32(const void *p)
65446 - {
65447 -- return le32_to_cpup((__le32 *)p);
65448 -+ return le32_to_cpup((const __le32 *)p);
65449 - }
65450 -
65451 - static inline u64 get_unaligned_le64(const void *p)
65452 - {
65453 -- return le64_to_cpup((__le64 *)p);
65454 -+ return le64_to_cpup((const __le64 *)p);
65455 - }
65456 -
65457 - static inline u16 get_unaligned_be16(const void *p)
65458 - {
65459 -- return be16_to_cpup((__be16 *)p);
65460 -+ return be16_to_cpup((const __be16 *)p);
65461 - }
65462 -
65463 - static inline u32 get_unaligned_be32(const void *p)
65464 - {
65465 -- return be32_to_cpup((__be32 *)p);
65466 -+ return be32_to_cpup((const __be32 *)p);
65467 - }
65468 -
65469 - static inline u64 get_unaligned_be64(const void *p)
65470 - {
65471 -- return be64_to_cpup((__be64 *)p);
65472 -+ return be64_to_cpup((const __be64 *)p);
65473 - }
65474 -
65475 - static inline void put_unaligned_le16(u16 val, void *p)
65476 -diff -urNp linux-2.6.32.46/include/linux/vermagic.h linux-2.6.32.46/include/linux/vermagic.h
65477 ---- linux-2.6.32.46/include/linux/vermagic.h 2011-03-27 14:31:47.000000000 -0400
65478 -+++ linux-2.6.32.46/include/linux/vermagic.h 2011-10-08 08:17:48.000000000 -0400
65479 -@@ -26,9 +26,28 @@
65480 - #define MODULE_ARCH_VERMAGIC ""
65481 - #endif
65482 -
65483 -+#ifdef CONFIG_PAX_REFCOUNT
65484 -+#define MODULE_PAX_REFCOUNT "REFCOUNT "
65485 -+#else
65486 -+#define MODULE_PAX_REFCOUNT ""
65487 -+#endif
65488 -+
65489 -+#ifdef CONSTIFY_PLUGIN
65490 -+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
65491 -+#else
65492 -+#define MODULE_CONSTIFY_PLUGIN ""
65493 -+#endif
65494 -+
65495 -+#ifdef CONFIG_GRKERNSEC
65496 -+#define MODULE_GRSEC "GRSEC "
65497 -+#else
65498 -+#define MODULE_GRSEC ""
65499 -+#endif
65500 -+
65501 - #define VERMAGIC_STRING \
65502 - UTS_RELEASE " " \
65503 - MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
65504 - MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
65505 -- MODULE_ARCH_VERMAGIC
65506 -+ MODULE_ARCH_VERMAGIC \
65507 -+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_GRSEC
65508 -
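Review bot: "#ifdef CONSTIFY_PLUGIN" tests a symbol without the CONFIG_ prefix, unlike the CONFIG_PAX_REFCOUNT and CONFIG_GRKERNSEC tests next to it, so it has to be supplied by the build itself (for example on the compiler command line) rather than by Kconfig. If the define is absent when a module is compiled, VERMAGIC_STRING is assembled without the "CONSTIFY_PLUGIN " tag and the module no longer matches a kernel built with it. Please add a comment saying where the define is set.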
65509 -diff -urNp linux-2.6.32.46/include/linux/vmalloc.h linux-2.6.32.46/include/linux/vmalloc.h
65510 ---- linux-2.6.32.46/include/linux/vmalloc.h 2011-03-27 14:31:47.000000000 -0400
65511 -+++ linux-2.6.32.46/include/linux/vmalloc.h 2011-04-17 15:56:46.000000000 -0400
65512 -@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65513 - #define VM_MAP 0x00000004 /* vmap()ed pages */
65514 - #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65515 - #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65516 -+
65517 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65518 -+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65519 -+#endif
65520 -+
65521 - /* bits [20..32] reserved for arch specific ioremap internals */
65522 -
65523 - /*
65524 -@@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
65525 -
65526 - void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
65527 -
65528 -+#define vmalloc(x) \
65529 -+({ \
65530 -+ void *___retval; \
65531 -+ intoverflow_t ___x = (intoverflow_t)x; \
65532 -+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65533 -+ ___retval = NULL; \
65534 -+ else \
65535 -+ ___retval = vmalloc((unsigned long)___x); \
65536 -+ ___retval; \
65537 -+})
65538 -+
65539 -+#define __vmalloc(x, y, z) \
65540 -+({ \
65541 -+ void *___retval; \
65542 -+ intoverflow_t ___x = (intoverflow_t)x; \
65543 -+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65544 -+ ___retval = NULL; \
65545 -+ else \
65546 -+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65547 -+ ___retval; \
65548 -+})
65549 -+
65550 -+#define vmalloc_user(x) \
65551 -+({ \
65552 -+ void *___retval; \
65553 -+ intoverflow_t ___x = (intoverflow_t)x; \
65554 -+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65555 -+ ___retval = NULL; \
65556 -+ else \
65557 -+ ___retval = vmalloc_user((unsigned long)___x); \
65558 -+ ___retval; \
65559 -+})
65560 -+
65561 -+#define vmalloc_exec(x) \
65562 -+({ \
65563 -+ void *___retval; \
65564 -+ intoverflow_t ___x = (intoverflow_t)x; \
65565 -+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65566 -+ ___retval = NULL; \
65567 -+ else \
65568 -+ ___retval = vmalloc_exec((unsigned long)___x); \
65569 -+ ___retval; \
65570 -+})
65571 -+
65572 -+#define vmalloc_node(x, y) \
65573 -+({ \
65574 -+ void *___retval; \
65575 -+ intoverflow_t ___x = (intoverflow_t)x; \
65576 -+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65577 -+ ___retval = NULL; \
65578 -+ else \
65579 -+ ___retval = vmalloc_node((unsigned long)___x, (y));\
65580 -+ ___retval; \
65581 -+})
65582 -+
65583 -+#define vmalloc_32(x) \
65584 -+({ \
65585 -+ void *___retval; \
65586 -+ intoverflow_t ___x = (intoverflow_t)x; \
65587 -+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65588 -+ ___retval = NULL; \
65589 -+ else \
65590 -+ ___retval = vmalloc_32((unsigned long)___x); \
65591 -+ ___retval; \
65592 -+})
65593 -+
65594 -+#define vmalloc_32_user(x) \
65595 -+({ \
65596 -+ void *___retval; \
65597 -+ intoverflow_t ___x = (intoverflow_t)x; \
65598 -+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
65599 -+ ___retval = NULL; \
65600 -+ else \
65601 -+ ___retval = vmalloc_32_user((unsigned long)___x);\
65602 -+ ___retval; \
65603 -+})
65604 -+
65605 - #endif /* _LINUX_VMALLOC_H */
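Review bot: each wrapper expands its size argument as (intoverflow_t)x with no parentheses around x, so for a call such as vmalloc(n * size) the cast applies to n alone and the product is evaluated in the wider type, while for vmalloc(a + n * size) the multiplication is still done in the narrow type and can wrap before the "___x > ULONG_MAX" test sees it. If the unparenthesised expansion is deliberate, say so in a comment above the first macro and state which expression shapes the check covers. The seven bodies differ only in the function name and the extra arguments, so a single helper macro would remove the repetition.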
65606 -diff -urNp linux-2.6.32.46/include/linux/vmstat.h linux-2.6.32.46/include/linux/vmstat.h
65607 ---- linux-2.6.32.46/include/linux/vmstat.h 2011-03-27 14:31:47.000000000 -0400
65608 -+++ linux-2.6.32.46/include/linux/vmstat.h 2011-04-17 15:56:46.000000000 -0400
65609 -@@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
65610 - /*
65611 - * Zone based page accounting with per cpu differentials.
65612 - */
65613 --extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65614 -+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65615 -
65616 - static inline void zone_page_state_add(long x, struct zone *zone,
65617 - enum zone_stat_item item)
65618 - {
65619 -- atomic_long_add(x, &zone->vm_stat[item]);
65620 -- atomic_long_add(x, &vm_stat[item]);
65621 -+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
65622 -+ atomic_long_add_unchecked(x, &vm_stat[item]);
65623 - }
65624 -
65625 - static inline unsigned long global_page_state(enum zone_stat_item item)
65626 - {
65627 -- long x = atomic_long_read(&vm_stat[item]);
65628 -+ long x = atomic_long_read_unchecked(&vm_stat[item]);
65629 - #ifdef CONFIG_SMP
65630 - if (x < 0)
65631 - x = 0;
65632 -@@ -158,7 +158,7 @@ static inline unsigned long global_page_
65633 - static inline unsigned long zone_page_state(struct zone *zone,
65634 - enum zone_stat_item item)
65635 - {
65636 -- long x = atomic_long_read(&zone->vm_stat[item]);
65637 -+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65638 - #ifdef CONFIG_SMP
65639 - if (x < 0)
65640 - x = 0;
65641 -@@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
65642 - static inline unsigned long zone_page_state_snapshot(struct zone *zone,
65643 - enum zone_stat_item item)
65644 - {
65645 -- long x = atomic_long_read(&zone->vm_stat[item]);
65646 -+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65647 -
65648 - #ifdef CONFIG_SMP
65649 - int cpu;
65650 -@@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
65651 -
65652 - static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
65653 - {
65654 -- atomic_long_inc(&zone->vm_stat[item]);
65655 -- atomic_long_inc(&vm_stat[item]);
65656 -+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
65657 -+ atomic_long_inc_unchecked(&vm_stat[item]);
65658 - }
65659 -
65660 - static inline void __inc_zone_page_state(struct page *page,
65661 -@@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
65662 -
65663 - static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
65664 - {
65665 -- atomic_long_dec(&zone->vm_stat[item]);
65666 -- atomic_long_dec(&vm_stat[item]);
65667 -+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
65668 -+ atomic_long_dec_unchecked(&vm_stat[item]);
65669 - }
65670 -
65671 - static inline void __dec_zone_page_state(struct page *page,
65672 -diff -urNp linux-2.6.32.46/include/media/saa7146_vv.h linux-2.6.32.46/include/media/saa7146_vv.h
65673 ---- linux-2.6.32.46/include/media/saa7146_vv.h 2011-03-27 14:31:47.000000000 -0400
65674 -+++ linux-2.6.32.46/include/media/saa7146_vv.h 2011-08-23 21:22:38.000000000 -0400
65675 -@@ -167,7 +167,7 @@ struct saa7146_ext_vv
65676 - int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
65677 -
65678 - /* the extension can override this */
65679 -- struct v4l2_ioctl_ops ops;
65680 -+ v4l2_ioctl_ops_no_const ops;
65681 - /* pointer to the saa7146 core ops */
65682 - const struct v4l2_ioctl_ops *core_ops;
65683 -
65684 -diff -urNp linux-2.6.32.46/include/media/v4l2-dev.h linux-2.6.32.46/include/media/v4l2-dev.h
65685 ---- linux-2.6.32.46/include/media/v4l2-dev.h 2011-03-27 14:31:47.000000000 -0400
65686 -+++ linux-2.6.32.46/include/media/v4l2-dev.h 2011-10-08 08:14:40.000000000 -0400
65687 -@@ -34,7 +34,7 @@ struct v4l2_device;
65688 - #define V4L2_FL_UNREGISTERED (0)
65689 -
65690 - struct v4l2_file_operations {
65691 -- struct module *owner;
65692 -+ struct module * const owner;
65693 - ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
65694 - ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
65695 - unsigned int (*poll) (struct file *, struct poll_table_struct *);
65696 -@@ -46,6 +46,7 @@ struct v4l2_file_operations {
65697 - int (*open) (struct file *);
65698 - int (*release) (struct file *);
65699 - };
65700 -+typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
65701 -
65702 - /*
65703 - * Newer version of video_device, handled by videodev2.c
65704 -diff -urNp linux-2.6.32.46/include/media/v4l2-device.h linux-2.6.32.46/include/media/v4l2-device.h
65705 ---- linux-2.6.32.46/include/media/v4l2-device.h 2011-03-27 14:31:47.000000000 -0400
65706 -+++ linux-2.6.32.46/include/media/v4l2-device.h 2011-05-04 17:56:28.000000000 -0400
65707 -@@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
65708 - this function returns 0. If the name ends with a digit (e.g. cx18),
65709 - then the name will be set to cx18-0 since cx180 looks really odd. */
65710 - int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
65711 -- atomic_t *instance);
65712 -+ atomic_unchecked_t *instance);
65713 -
65714 - /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
65715 - Since the parent disappears this ensures that v4l2_dev doesn't have an
65716 -diff -urNp linux-2.6.32.46/include/media/v4l2-ioctl.h linux-2.6.32.46/include/media/v4l2-ioctl.h
65717 ---- linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-03-27 14:31:47.000000000 -0400
65718 -+++ linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-08-23 21:22:38.000000000 -0400
65719 -@@ -243,6 +243,7 @@ struct v4l2_ioctl_ops {
65720 - long (*vidioc_default) (struct file *file, void *fh,
65721 - int cmd, void *arg);
65722 - };
65723 -+typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
65724 -
65725 -
65726 - /* v4l debugging and diagnostics */
65727 -diff -urNp linux-2.6.32.46/include/net/flow.h linux-2.6.32.46/include/net/flow.h
65728 ---- linux-2.6.32.46/include/net/flow.h 2011-03-27 14:31:47.000000000 -0400
65729 -+++ linux-2.6.32.46/include/net/flow.h 2011-05-04 17:56:28.000000000 -0400
65730 -@@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
65731 - extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
65732 - u8 dir, flow_resolve_t resolver);
65733 - extern void flow_cache_flush(void);
65734 --extern atomic_t flow_cache_genid;
65735 -+extern atomic_unchecked_t flow_cache_genid;
65736 -
65737 - static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
65738 - {
65739 -diff -urNp linux-2.6.32.46/include/net/inetpeer.h linux-2.6.32.46/include/net/inetpeer.h
65740 ---- linux-2.6.32.46/include/net/inetpeer.h 2011-03-27 14:31:47.000000000 -0400
65741 -+++ linux-2.6.32.46/include/net/inetpeer.h 2011-04-17 15:56:46.000000000 -0400
65742 -@@ -24,7 +24,7 @@ struct inet_peer
65743 - __u32 dtime; /* the time of last use of not
65744 - * referenced entries */
65745 - atomic_t refcnt;
65746 -- atomic_t rid; /* Frag reception counter */
65747 -+ atomic_unchecked_t rid; /* Frag reception counter */
65748 - __u32 tcp_ts;
65749 - unsigned long tcp_ts_stamp;
65750 - };
65751 -diff -urNp linux-2.6.32.46/include/net/ip_vs.h linux-2.6.32.46/include/net/ip_vs.h
65752 ---- linux-2.6.32.46/include/net/ip_vs.h 2011-03-27 14:31:47.000000000 -0400
65753 -+++ linux-2.6.32.46/include/net/ip_vs.h 2011-05-04 17:56:28.000000000 -0400
65754 -@@ -365,7 +365,7 @@ struct ip_vs_conn {
65755 - struct ip_vs_conn *control; /* Master control connection */
65756 - atomic_t n_control; /* Number of controlled ones */
65757 - struct ip_vs_dest *dest; /* real server */
65758 -- atomic_t in_pkts; /* incoming packet counter */
65759 -+ atomic_unchecked_t in_pkts; /* incoming packet counter */
65760 -
65761 - /* packet transmitter for different forwarding methods. If it
65762 - mangles the packet, it must return NF_DROP or better NF_STOLEN,
65763 -@@ -466,7 +466,7 @@ struct ip_vs_dest {
65764 - union nf_inet_addr addr; /* IP address of the server */
65765 - __be16 port; /* port number of the server */
65766 - volatile unsigned flags; /* dest status flags */
65767 -- atomic_t conn_flags; /* flags to copy to conn */
65768 -+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
65769 - atomic_t weight; /* server weight */
65770 -
65771 - atomic_t refcnt; /* reference counter */
65772 -diff -urNp linux-2.6.32.46/include/net/irda/ircomm_core.h linux-2.6.32.46/include/net/irda/ircomm_core.h
65773 ---- linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-03-27 14:31:47.000000000 -0400
65774 -+++ linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-08-05 20:33:55.000000000 -0400
65775 -@@ -51,7 +51,7 @@ typedef struct {
65776 - int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
65777 - int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
65778 - struct ircomm_info *);
65779 --} call_t;
65780 -+} __no_const call_t;
65781 -
65782 - struct ircomm_cb {
65783 - irda_queue_t queue;
65784 -diff -urNp linux-2.6.32.46/include/net/irda/ircomm_tty.h linux-2.6.32.46/include/net/irda/ircomm_tty.h
65785 ---- linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-03-27 14:31:47.000000000 -0400
65786 -+++ linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-04-17 15:56:46.000000000 -0400
65787 -@@ -35,6 +35,7 @@
65788 - #include <linux/termios.h>
65789 - #include <linux/timer.h>
65790 - #include <linux/tty.h> /* struct tty_struct */
65791 -+#include <asm/local.h>
65792 -
65793 - #include <net/irda/irias_object.h>
65794 - #include <net/irda/ircomm_core.h>
65795 -@@ -105,8 +106,8 @@ struct ircomm_tty_cb {
65796 - unsigned short close_delay;
65797 - unsigned short closing_wait; /* time to wait before closing */
65798 -
65799 -- int open_count;
65800 -- int blocked_open; /* # of blocked opens */
65801 -+ local_t open_count;
65802 -+ local_t blocked_open; /* # of blocked opens */
65803 -
65804 - /* Protect concurent access to :
65805 - * o self->open_count
65806 -diff -urNp linux-2.6.32.46/include/net/iucv/af_iucv.h linux-2.6.32.46/include/net/iucv/af_iucv.h
65807 ---- linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-03-27 14:31:47.000000000 -0400
65808 -+++ linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-05-04 17:56:28.000000000 -0400
65809 -@@ -87,7 +87,7 @@ struct iucv_sock {
65810 - struct iucv_sock_list {
65811 - struct hlist_head head;
65812 - rwlock_t lock;
65813 -- atomic_t autobind_name;
65814 -+ atomic_unchecked_t autobind_name;
65815 - };
65816 -
65817 - unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
65818 -diff -urNp linux-2.6.32.46/include/net/lapb.h linux-2.6.32.46/include/net/lapb.h
65819 ---- linux-2.6.32.46/include/net/lapb.h 2011-03-27 14:31:47.000000000 -0400
65820 -+++ linux-2.6.32.46/include/net/lapb.h 2011-08-05 20:33:55.000000000 -0400
65821 -@@ -95,7 +95,7 @@ struct lapb_cb {
65822 - struct sk_buff_head write_queue;
65823 - struct sk_buff_head ack_queue;
65824 - unsigned char window;
65825 -- struct lapb_register_struct callbacks;
65826 -+ struct lapb_register_struct *callbacks;
65827 -
65828 - /* FRMR control information */
65829 - struct lapb_frame frmr_data;
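Review bot: callbacks in struct lapb_cb changes from an embedded struct lapb_register_struct to a pointer, which turns a private copy into a reference to storage owned by whoever registered it, and the hunk does not document the lifetime requirement. Please add a comment on the member stating that the pointed-to struct must outlive the lapb_cb, and consider declaring it as const struct lapb_register_struct * if the callback table is not meant to be modified through this pointer.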
65830 -diff -urNp linux-2.6.32.46/include/net/neighbour.h linux-2.6.32.46/include/net/neighbour.h
65831 ---- linux-2.6.32.46/include/net/neighbour.h 2011-03-27 14:31:47.000000000 -0400
65832 -+++ linux-2.6.32.46/include/net/neighbour.h 2011-08-26 20:29:08.000000000 -0400
65833 -@@ -131,7 +131,7 @@ struct neigh_ops
65834 - int (*connected_output)(struct sk_buff*);
65835 - int (*hh_output)(struct sk_buff*);
65836 - int (*queue_xmit)(struct sk_buff*);
65837 --};
65838 -+} __do_const;
65839 -
65840 - struct pneigh_entry
65841 - {
65842 -diff -urNp linux-2.6.32.46/include/net/netlink.h linux-2.6.32.46/include/net/netlink.h
65843 ---- linux-2.6.32.46/include/net/netlink.h 2011-07-13 17:23:04.000000000 -0400
65844 -+++ linux-2.6.32.46/include/net/netlink.h 2011-08-21 18:08:11.000000000 -0400
65845 -@@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct
65846 - {
65847 - return (remaining >= (int) sizeof(struct nlmsghdr) &&
65848 - nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
65849 -- nlh->nlmsg_len <= remaining);
65850 -+ nlh->nlmsg_len <= (unsigned int)remaining);
65851 - }
65852 -
65853 - /**
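Review bot: in nlmsg_ok the new (unsigned int)remaining cast is only safe because the first conjunct, "remaining >= (int) sizeof(struct nlmsghdr)", has already rejected negative values; if the conditions are ever reordered, a negative remaining becomes a very large unsigned bound and the length check passes. A short comment recording that dependency would protect it.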
65854 -@@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
65855 - static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
65856 - {
65857 - if (mark)
65858 -- skb_trim(skb, (unsigned char *) mark - skb->data);
65859 -+ skb_trim(skb, (const unsigned char *) mark - skb->data);
65860 - }
65861 -
65862 - /**
65863 -diff -urNp linux-2.6.32.46/include/net/netns/ipv4.h linux-2.6.32.46/include/net/netns/ipv4.h
65864 ---- linux-2.6.32.46/include/net/netns/ipv4.h 2011-03-27 14:31:47.000000000 -0400
65865 -+++ linux-2.6.32.46/include/net/netns/ipv4.h 2011-05-04 17:56:28.000000000 -0400
65866 -@@ -54,7 +54,7 @@ struct netns_ipv4 {
65867 - int current_rt_cache_rebuild_count;
65868 -
65869 - struct timer_list rt_secret_timer;
65870 -- atomic_t rt_genid;
65871 -+ atomic_unchecked_t rt_genid;
65872 -
65873 - #ifdef CONFIG_IP_MROUTE
65874 - struct sock *mroute_sk;
65875 -diff -urNp linux-2.6.32.46/include/net/sctp/sctp.h linux-2.6.32.46/include/net/sctp/sctp.h
65876 ---- linux-2.6.32.46/include/net/sctp/sctp.h 2011-03-27 14:31:47.000000000 -0400
65877 -+++ linux-2.6.32.46/include/net/sctp/sctp.h 2011-04-17 15:56:46.000000000 -0400
65878 -@@ -305,8 +305,8 @@ extern int sctp_debug_flag;
65879 -
65880 - #else /* SCTP_DEBUG */
65881 -
65882 --#define SCTP_DEBUG_PRINTK(whatever...)
65883 --#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
65884 -+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
65885 -+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
65886 - #define SCTP_ENABLE_DEBUG
65887 - #define SCTP_DISABLE_DEBUG
65888 - #define SCTP_ASSERT(expr, str, func)
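Review bot: only SCTP_DEBUG_PRINTK and SCTP_DEBUG_PRINTK_IPADDR get the "do {} while (0)" body; SCTP_ENABLE_DEBUG, SCTP_DISABLE_DEBUG and SCTP_ASSERT(expr, str, func) in the same #else branch still expand to nothing, so "if (c) SCTP_ASSERT(...);" keeps the empty-statement body that this change removes for the two print macros. Give all five the same treatment.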
65889 -diff -urNp linux-2.6.32.46/include/net/secure_seq.h linux-2.6.32.46/include/net/secure_seq.h
65890 ---- linux-2.6.32.46/include/net/secure_seq.h 2011-08-16 20:37:25.000000000 -0400
65891 -+++ linux-2.6.32.46/include/net/secure_seq.h 2011-08-07 19:48:09.000000000 -0400
65892 -@@ -7,14 +7,14 @@ extern __u32 secure_ip_id(__be32 daddr);
65893 - extern __u32 secure_ipv6_id(const __be32 daddr[4]);
65894 - extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
65895 - extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
65896 -- __be16 dport);
65897 -+ __be16 dport);
65898 - extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
65899 - __be16 sport, __be16 dport);
65900 - extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
65901 -- __be16 sport, __be16 dport);
65902 -+ __be16 sport, __be16 dport);
65903 - extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
65904 -- __be16 sport, __be16 dport);
65905 -+ __be16 sport, __be16 dport);
65906 - extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
65907 -- __be16 sport, __be16 dport);
65908 -+ __be16 sport, __be16 dport);
65909 -
65910 - #endif /* _NET_SECURE_SEQ */
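Review bot: the four changed lines in this hunk are the "__be16 dport);" and "__be16 sport, __be16 dport);" continuation lines, and they differ from the originals only in leading whitespace; no prototype changes. Whitespace-only churn in a security patch adds audit noise and rebase conflicts for no functional gain, so consider dropping the hunk.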
65911 -diff -urNp linux-2.6.32.46/include/net/sock.h linux-2.6.32.46/include/net/sock.h
65912 ---- linux-2.6.32.46/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400
65913 -+++ linux-2.6.32.46/include/net/sock.h 2011-08-21 17:24:37.000000000 -0400
65914 -@@ -272,7 +272,7 @@ struct sock {
65915 - rwlock_t sk_callback_lock;
65916 - int sk_err,
65917 - sk_err_soft;
65918 -- atomic_t sk_drops;
65919 -+ atomic_unchecked_t sk_drops;
65920 - unsigned short sk_ack_backlog;
65921 - unsigned short sk_max_ack_backlog;
65922 - __u32 sk_priority;
65923 -@@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
65924 - extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
65925 - extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
65926 - #else
65927 --static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
65928 -+static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
65929 - int inc)
65930 - {
65931 - }
65932 -diff -urNp linux-2.6.32.46/include/net/tcp.h linux-2.6.32.46/include/net/tcp.h
65933 ---- linux-2.6.32.46/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400
65934 -+++ linux-2.6.32.46/include/net/tcp.h 2011-08-23 21:29:10.000000000 -0400
65935 -@@ -1444,8 +1444,8 @@ enum tcp_seq_states {
65936 - struct tcp_seq_afinfo {
65937 - char *name;
65938 - sa_family_t family;
65939 -- struct file_operations seq_fops;
65940 -- struct seq_operations seq_ops;
65941 -+ file_operations_no_const seq_fops;
65942 -+ seq_operations_no_const seq_ops;
65943 - };
65944 -
65945 - struct tcp_iter_state {
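Review bot: seq_fops and seq_ops in struct tcp_seq_afinfo switch to the file_operations_no_const and seq_operations_no_const typedefs, which exempts both embedded ops tables from the constification applied elsewhere in this patch, and there is no comment saying why this struct needs writable copies. Please add one on the members, so the exemption can be revisited if the runtime assignment is ever replaced by static initializers. The same applies to struct udp_seq_afinfo in the udp.h hunk.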
65946 -diff -urNp linux-2.6.32.46/include/net/udp.h linux-2.6.32.46/include/net/udp.h
65947 ---- linux-2.6.32.46/include/net/udp.h 2011-03-27 14:31:47.000000000 -0400
65948 -+++ linux-2.6.32.46/include/net/udp.h 2011-08-23 21:29:34.000000000 -0400
65949 -@@ -187,8 +187,8 @@ struct udp_seq_afinfo {
65950 - char *name;
65951 - sa_family_t family;
65952 - struct udp_table *udp_table;
65953 -- struct file_operations seq_fops;
65954 -- struct seq_operations seq_ops;
65955 -+ file_operations_no_const seq_fops;
65956 -+ seq_operations_no_const seq_ops;
65957 - };
65958 -
65959 - struct udp_iter_state {
65960 -diff -urNp linux-2.6.32.46/include/rdma/iw_cm.h linux-2.6.32.46/include/rdma/iw_cm.h
65961 ---- linux-2.6.32.46/include/rdma/iw_cm.h 2011-03-27 14:31:47.000000000 -0400
65962 -+++ linux-2.6.32.46/include/rdma/iw_cm.h 2011-08-05 20:33:55.000000000 -0400
65963 -@@ -129,7 +129,7 @@ struct iw_cm_verbs {
65964 - int backlog);
65965 -
65966 - int (*destroy_listen)(struct iw_cm_id *cm_id);
65967 --};
65968 -+} __no_const;
65969 -
65970 - /**
65971 - * iw_create_cm_id - Create an IW CM identifier.
65972 -diff -urNp linux-2.6.32.46/include/scsi/libfc.h linux-2.6.32.46/include/scsi/libfc.h
65973 ---- linux-2.6.32.46/include/scsi/libfc.h 2011-03-27 14:31:47.000000000 -0400
65974 -+++ linux-2.6.32.46/include/scsi/libfc.h 2011-08-23 21:22:38.000000000 -0400
65975 -@@ -675,6 +675,7 @@ struct libfc_function_template {
65976 - */
65977 - void (*disc_stop_final) (struct fc_lport *);
65978 - };
65979 -+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
65980 -
65981 - /* information used by the discovery layer */
65982 - struct fc_disc {
65983 -@@ -707,7 +708,7 @@ struct fc_lport {
65984 - struct fc_disc disc;
65985 -
65986 - /* Operational Information */
65987 -- struct libfc_function_template tt;
65988 -+ libfc_function_template_no_const tt;
65989 - u8 link_up;
65990 - u8 qfull;
65991 - enum fc_lport_state state;
65992 -diff -urNp linux-2.6.32.46/include/scsi/scsi_device.h linux-2.6.32.46/include/scsi/scsi_device.h
65993 ---- linux-2.6.32.46/include/scsi/scsi_device.h 2011-04-17 17:00:52.000000000 -0400
65994 -+++ linux-2.6.32.46/include/scsi/scsi_device.h 2011-05-04 17:56:28.000000000 -0400
65995 -@@ -156,9 +156,9 @@ struct scsi_device {
65996 - unsigned int max_device_blocked; /* what device_blocked counts down from */
65997 - #define SCSI_DEFAULT_DEVICE_BLOCKED 3
65998 -
65999 -- atomic_t iorequest_cnt;
66000 -- atomic_t iodone_cnt;
66001 -- atomic_t ioerr_cnt;
66002 -+ atomic_unchecked_t iorequest_cnt;
66003 -+ atomic_unchecked_t iodone_cnt;
66004 -+ atomic_unchecked_t ioerr_cnt;
66005 -
66006 - struct device sdev_gendev,
66007 - sdev_dev;
66008 -diff -urNp linux-2.6.32.46/include/scsi/scsi_transport_fc.h linux-2.6.32.46/include/scsi/scsi_transport_fc.h
66009 ---- linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-03-27 14:31:47.000000000 -0400
66010 -+++ linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-08-26 20:19:09.000000000 -0400
66011 -@@ -708,7 +708,7 @@ struct fc_function_template {
66012 - unsigned long show_host_system_hostname:1;
66013 -
66014 - unsigned long disable_target_scan:1;
66015 --};
66016 -+} __do_const;
66017 -
66018 -
66019 - /**
66020 -diff -urNp linux-2.6.32.46/include/sound/ac97_codec.h linux-2.6.32.46/include/sound/ac97_codec.h
66021 ---- linux-2.6.32.46/include/sound/ac97_codec.h 2011-03-27 14:31:47.000000000 -0400
66022 -+++ linux-2.6.32.46/include/sound/ac97_codec.h 2011-04-17 15:56:46.000000000 -0400
66023 -@@ -419,15 +419,15 @@
66024 - struct snd_ac97;
66025 -
66026 - struct snd_ac97_build_ops {
66027 -- int (*build_3d) (struct snd_ac97 *ac97);
66028 -- int (*build_specific) (struct snd_ac97 *ac97);
66029 -- int (*build_spdif) (struct snd_ac97 *ac97);
66030 -- int (*build_post_spdif) (struct snd_ac97 *ac97);
66031 -+ int (* const build_3d) (struct snd_ac97 *ac97);
66032 -+ int (* const build_specific) (struct snd_ac97 *ac97);
66033 -+ int (* const build_spdif) (struct snd_ac97 *ac97);
66034 -+ int (* const build_post_spdif) (struct snd_ac97 *ac97);
66035 - #ifdef CONFIG_PM
66036 -- void (*suspend) (struct snd_ac97 *ac97);
66037 -- void (*resume) (struct snd_ac97 *ac97);
66038 -+ void (* const suspend) (struct snd_ac97 *ac97);
66039 -+ void (* const resume) (struct snd_ac97 *ac97);
66040 - #endif
66041 -- void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66042 -+ void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66043 - };
66044 -
66045 - struct snd_ac97_bus_ops {
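Review bot: the members of struct snd_ac97_build_ops are made const one by one ("int (* const build_3d)" and the rest), while other ops structures in this patch are handled at the type level ("} __do_const;" or "} __no_const;"), and the only user shown, build_ops in struct snd_ac97, becomes a const pointer in the next hunk. Use one convention for ops tables, or add a comment saying why this structure needs per-member const in addition to the const pointer.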
66046 -@@ -477,7 +477,7 @@ struct snd_ac97_template {
66047 -
66048 - struct snd_ac97 {
66049 - /* -- lowlevel (hardware) driver specific -- */
66050 -- struct snd_ac97_build_ops * build_ops;
66051 -+ const struct snd_ac97_build_ops * build_ops;
66052 - void *private_data;
66053 - void (*private_free) (struct snd_ac97 *ac97);
66054 - /* --- */
66055 -diff -urNp linux-2.6.32.46/include/sound/ak4xxx-adda.h linux-2.6.32.46/include/sound/ak4xxx-adda.h
66056 ---- linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-03-27 14:31:47.000000000 -0400
66057 -+++ linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-08-05 20:33:55.000000000 -0400
66058 -@@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
66059 - void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
66060 - unsigned char val);
66061 - void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
66062 --};
66063 -+} __no_const;
66064 -
66065 - #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
66066 -
66067 -diff -urNp linux-2.6.32.46/include/sound/hwdep.h linux-2.6.32.46/include/sound/hwdep.h
66068 ---- linux-2.6.32.46/include/sound/hwdep.h 2011-03-27 14:31:47.000000000 -0400
66069 -+++ linux-2.6.32.46/include/sound/hwdep.h 2011-08-05 20:33:55.000000000 -0400
66070 -@@ -49,7 +49,7 @@ struct snd_hwdep_ops {
66071 - struct snd_hwdep_dsp_status *status);
66072 - int (*dsp_load)(struct snd_hwdep *hw,
66073 - struct snd_hwdep_dsp_image *image);
66074 --};
66075 -+} __no_const;
66076 -
66077 - struct snd_hwdep {
66078 - struct snd_card *card;
66079 -diff -urNp linux-2.6.32.46/include/sound/info.h linux-2.6.32.46/include/sound/info.h
66080 ---- linux-2.6.32.46/include/sound/info.h 2011-03-27 14:31:47.000000000 -0400
66081 -+++ linux-2.6.32.46/include/sound/info.h 2011-08-05 20:33:55.000000000 -0400
66082 -@@ -44,7 +44,7 @@ struct snd_info_entry_text {
66083 - struct snd_info_buffer *buffer);
66084 - void (*write)(struct snd_info_entry *entry,
66085 - struct snd_info_buffer *buffer);
66086 --};
66087 -+} __no_const;
66088 -
66089 - struct snd_info_entry_ops {
66090 - int (*open)(struct snd_info_entry *entry,
66091 -diff -urNp linux-2.6.32.46/include/sound/pcm.h linux-2.6.32.46/include/sound/pcm.h
66092 ---- linux-2.6.32.46/include/sound/pcm.h 2011-03-27 14:31:47.000000000 -0400
66093 -+++ linux-2.6.32.46/include/sound/pcm.h 2011-08-23 21:22:38.000000000 -0400
66094 -@@ -80,6 +80,7 @@ struct snd_pcm_ops {
66095 - int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
66096 - int (*ack)(struct snd_pcm_substream *substream);
66097 - };
66098 -+typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
66099 -
66100 - /*
66101 - *
66102 -diff -urNp linux-2.6.32.46/include/sound/sb16_csp.h linux-2.6.32.46/include/sound/sb16_csp.h
66103 ---- linux-2.6.32.46/include/sound/sb16_csp.h 2011-03-27 14:31:47.000000000 -0400
66104 -+++ linux-2.6.32.46/include/sound/sb16_csp.h 2011-08-05 20:33:55.000000000 -0400
66105 -@@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
66106 - int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
66107 - int (*csp_stop) (struct snd_sb_csp * p);
66108 - int (*csp_qsound_transfer) (struct snd_sb_csp * p);
66109 --};
66110 -+} __no_const;
66111 -
66112 - /*
66113 - * CSP private data
66114 -diff -urNp linux-2.6.32.46/include/sound/ymfpci.h linux-2.6.32.46/include/sound/ymfpci.h
66115 ---- linux-2.6.32.46/include/sound/ymfpci.h 2011-03-27 14:31:47.000000000 -0400
66116 -+++ linux-2.6.32.46/include/sound/ymfpci.h 2011-05-04 17:56:28.000000000 -0400
66117 -@@ -358,7 +358,7 @@ struct snd_ymfpci {
66118 - spinlock_t reg_lock;
66119 - spinlock_t voice_lock;
66120 - wait_queue_head_t interrupt_sleep;
66121 -- atomic_t interrupt_sleep_count;
66122 -+ atomic_unchecked_t interrupt_sleep_count;
66123 - struct snd_info_entry *proc_entry;
66124 - const struct firmware *dsp_microcode;
66125 - const struct firmware *controller_microcode;
66126 -diff -urNp linux-2.6.32.46/include/trace/events/irq.h linux-2.6.32.46/include/trace/events/irq.h
66127 ---- linux-2.6.32.46/include/trace/events/irq.h 2011-03-27 14:31:47.000000000 -0400
66128 -+++ linux-2.6.32.46/include/trace/events/irq.h 2011-04-17 15:56:46.000000000 -0400
66129 -@@ -34,7 +34,7 @@
66130 - */
66131 - TRACE_EVENT(irq_handler_entry,
66132 -
66133 -- TP_PROTO(int irq, struct irqaction *action),
66134 -+ TP_PROTO(int irq, const struct irqaction *action),
66135 -
66136 - TP_ARGS(irq, action),
66137 -
66138 -@@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
66139 - */
66140 - TRACE_EVENT(irq_handler_exit,
66141 -
66142 -- TP_PROTO(int irq, struct irqaction *action, int ret),
66143 -+ TP_PROTO(int irq, const struct irqaction *action, int ret),
66144 -
66145 - TP_ARGS(irq, action, ret),
66146 -
66147 -@@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
66148 - */
66149 - TRACE_EVENT(softirq_entry,
66150 -
66151 -- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
66152 -+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
66153 -
66154 - TP_ARGS(h, vec),
66155 -
66156 -@@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
66157 - */
66158 - TRACE_EVENT(softirq_exit,
66159 -
66160 -- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
66161 -+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
66162 -
66163 - TP_ARGS(h, vec),
66164 -
66165 -diff -urNp linux-2.6.32.46/include/video/uvesafb.h linux-2.6.32.46/include/video/uvesafb.h
66166 ---- linux-2.6.32.46/include/video/uvesafb.h 2011-03-27 14:31:47.000000000 -0400
66167 -+++ linux-2.6.32.46/include/video/uvesafb.h 2011-04-17 15:56:46.000000000 -0400
66168 -@@ -177,6 +177,7 @@ struct uvesafb_par {
66169 - u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66170 - u8 pmi_setpal; /* PMI for palette changes */
66171 - u16 *pmi_base; /* protected mode interface location */
66172 -+ u8 *pmi_code; /* protected mode code location */
66173 - void *pmi_start;
66174 - void *pmi_pal;
66175 - u8 *vbe_state_orig; /*
66176 -diff -urNp linux-2.6.32.46/init/Kconfig linux-2.6.32.46/init/Kconfig
66177 ---- linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:01.000000000 -0400
66178 -+++ linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:34.000000000 -0400
66179 -@@ -1004,7 +1004,7 @@ config SLUB_DEBUG
66180 -
66181 - config COMPAT_BRK
66182 - bool "Disable heap randomization"
66183 -- default y
66184 -+ default n
66185 - help
66186 - Randomizing heap placement makes heap exploits harder, but it
66187 - also breaks ancient binaries (including anything libc5 based).
66188 -diff -urNp linux-2.6.32.46/init/do_mounts.c linux-2.6.32.46/init/do_mounts.c
66189 ---- linux-2.6.32.46/init/do_mounts.c 2011-03-27 14:31:47.000000000 -0400
66190 -+++ linux-2.6.32.46/init/do_mounts.c 2011-04-17 15:56:46.000000000 -0400
66191 -@@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
66192 -
66193 - static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66194 - {
66195 -- int err = sys_mount(name, "/root", fs, flags, data);
66196 -+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66197 - if (err)
66198 - return err;
66199 -
66200 -- sys_chdir("/root");
66201 -+ sys_chdir((__force const char __user *)"/root");
66202 - ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
66203 - printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
66204 - current->fs->pwd.mnt->mnt_sb->s_type->name,
66205 -@@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
66206 - va_start(args, fmt);
66207 - vsprintf(buf, fmt, args);
66208 - va_end(args);
66209 -- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66210 -+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66211 - if (fd >= 0) {
66212 - sys_ioctl(fd, FDEJECT, 0);
66213 - sys_close(fd);
66214 - }
66215 - printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66216 -- fd = sys_open("/dev/console", O_RDWR, 0);
66217 -+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
66218 - if (fd >= 0) {
66219 - sys_ioctl(fd, TCGETS, (long)&termios);
66220 - termios.c_lflag &= ~ICANON;
66221 - sys_ioctl(fd, TCSETSF, (long)&termios);
66222 -- sys_read(fd, &c, 1);
66223 -+ sys_read(fd, (char __user *)&c, 1);
66224 - termios.c_lflag |= ICANON;
66225 - sys_ioctl(fd, TCSETSF, (long)&termios);
66226 - sys_close(fd);
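Review bot: the casts added in change_floppy() are plain "(char __user *)", while do_mount_root() and prepare_namespace() in this same file use "(__force char __user *)" for the same kind of kernel-string-to-syscall argument. Write the sys_open() and sys_read() casts here with __force as well, so every deliberate address-space cast in the file is marked the same way and an unmarked one stands out in review.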
66227 -@@ -416,6 +416,6 @@ void __init prepare_namespace(void)
66228 - mount_root();
66229 - out:
66230 - devtmpfs_mount("dev");
66231 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
66232 -- sys_chroot(".");
66233 -+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66234 -+ sys_chroot((__force char __user *)".");
66235 - }
66236 -diff -urNp linux-2.6.32.46/init/do_mounts.h linux-2.6.32.46/init/do_mounts.h
66237 ---- linux-2.6.32.46/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
66238 -+++ linux-2.6.32.46/init/do_mounts.h 2011-10-06 09:37:14.000000000 -0400
66239 -@@ -15,15 +15,15 @@ extern int root_mountflags;
66240 -
66241 - static inline int create_dev(char *name, dev_t dev)
66242 - {
66243 -- sys_unlink(name);
66244 -- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66245 -+ sys_unlink((char __force_user *)name);
66246 -+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
66247 - }
66248 -
66249 - #if BITS_PER_LONG == 32
66250 - static inline u32 bstat(char *name)
66251 - {
66252 - struct stat64 stat;
66253 -- if (sys_stat64(name, &stat) != 0)
66254 -+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
66255 - return 0;
66256 - if (!S_ISBLK(stat.st_mode))
66257 - return 0;
66258 -@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
66259 - static inline u32 bstat(char *name)
66260 - {
66261 - struct stat stat;
66262 -- if (sys_newstat(name, &stat) != 0)
66263 -+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
66264 - return 0;
66265 - if (!S_ISBLK(stat.st_mode))
66266 - return 0;
66267 -diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mounts_initrd.c
66268 ---- linux-2.6.32.46/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
66269 -+++ linux-2.6.32.46/init/do_mounts_initrd.c 2011-10-06 09:37:14.000000000 -0400
66270 -@@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
66271 - sys_close(old_fd);sys_close(root_fd);
66272 - sys_close(0);sys_close(1);sys_close(2);
66273 - sys_setsid();
66274 -- (void) sys_open("/dev/console",O_RDWR,0);
66275 -+ (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
66276 - (void) sys_dup(0);
66277 - (void) sys_dup(0);
66278 - return kernel_execve(shell, argv, envp_init);
66279 -@@ -47,13 +47,13 @@ static void __init handle_initrd(void)
66280 - create_dev("/dev/root.old", Root_RAM0);
66281 - /* mount initrd on rootfs' /root */
66282 - mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66283 -- sys_mkdir("/old", 0700);
66284 -- root_fd = sys_open("/", 0, 0);
66285 -- old_fd = sys_open("/old", 0, 0);
66286 -+ sys_mkdir((const char __force_user *)"/old", 0700);
66287 -+ root_fd = sys_open((const char __force_user *)"/", 0, 0);
66288 -+ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
66289 - /* move initrd over / and chdir/chroot in initrd root */
66290 -- sys_chdir("/root");
66291 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
66292 -- sys_chroot(".");
66293 -+ sys_chdir((const char __force_user *)"/root");
66294 -+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
66295 -+ sys_chroot((const char __force_user *)".");
66296 -
66297 - /*
66298 - * In case that a resume from disk is carried out by linuxrc or one of
66299 -@@ -70,15 +70,15 @@ static void __init handle_initrd(void)
66300 -
66301 - /* move initrd to rootfs' /old */
66302 - sys_fchdir(old_fd);
66303 -- sys_mount("/", ".", NULL, MS_MOVE, NULL);
66304 -+ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
66305 - /* switch root and cwd back to / of rootfs */
66306 - sys_fchdir(root_fd);
66307 -- sys_chroot(".");
66308 -+ sys_chroot((const char __force_user *)".");
66309 - sys_close(old_fd);
66310 - sys_close(root_fd);
66311 -
66312 - if (new_decode_dev(real_root_dev) == Root_RAM0) {
66313 -- sys_chdir("/old");
66314 -+ sys_chdir((const char __force_user *)"/old");
66315 - return;
66316 - }
66317 -
66318 -@@ -86,17 +86,17 @@ static void __init handle_initrd(void)
66319 - mount_root();
66320 -
66321 - printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66322 -- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66323 -+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
66324 - if (!error)
66325 - printk("okay\n");
66326 - else {
66327 -- int fd = sys_open("/dev/root.old", O_RDWR, 0);
66328 -+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
66329 - if (error == -ENOENT)
66330 - printk("/initrd does not exist. Ignored.\n");
66331 - else
66332 - printk("failed\n");
66333 - printk(KERN_NOTICE "Unmounting old root\n");
66334 -- sys_umount("/old", MNT_DETACH);
66335 -+ sys_umount((char __force_user *)"/old", MNT_DETACH);
66336 - printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66337 - if (fd < 0) {
66338 - error = fd;
66339 -@@ -119,11 +119,11 @@ int __init initrd_load(void)
66340 - * mounted in the normal path.
66341 - */
66342 - if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66343 -- sys_unlink("/initrd.image");
66344 -+ sys_unlink((const char __force_user *)"/initrd.image");
66345 - handle_initrd();
66346 - return 1;
66347 - }
66348 - }
66349 -- sys_unlink("/initrd.image");
66350 -+ sys_unlink((const char __force_user *)"/initrd.image");
66351 - return 0;
66352 - }
66353 -diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md.c
66354 ---- linux-2.6.32.46/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
66355 -+++ linux-2.6.32.46/init/do_mounts_md.c 2011-10-06 09:37:14.000000000 -0400
66356 -@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66357 - partitioned ? "_d" : "", minor,
66358 - md_setup_args[ent].device_names);
66359 -
66360 -- fd = sys_open(name, 0, 0);
66361 -+ fd = sys_open((char __force_user *)name, 0, 0);
66362 - if (fd < 0) {
66363 - printk(KERN_ERR "md: open failed - cannot start "
66364 - "array %s\n", name);
66365 -@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66366 - * array without it
66367 - */
66368 - sys_close(fd);
66369 -- fd = sys_open(name, 0, 0);
66370 -+ fd = sys_open((char __force_user *)name, 0, 0);
66371 - sys_ioctl(fd, BLKRRPART, 0);
66372 - }
66373 - sys_close(fd);
66374 -@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
66375 -
66376 - wait_for_device_probe();
66377 -
66378 -- fd = sys_open("/dev/md0", 0, 0);
66379 -+ fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
66380 - if (fd >= 0) {
66381 - sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
66382 - sys_close(fd);
66383 -diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
66384 ---- linux-2.6.32.46/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
66385 -+++ linux-2.6.32.46/init/initramfs.c 2011-10-06 09:37:14.000000000 -0400
66386 -@@ -74,7 +74,7 @@ static void __init free_hash(void)
66387 - }
66388 - }
66389 -
66390 --static long __init do_utime(char __user *filename, time_t mtime)
66391 -+static long __init do_utime(__force char __user *filename, time_t mtime)
66392 - {
66393 - struct timespec t[2];
66394 -
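Review bot: __force is placed in the parameter declaration of do_utime() ("__force char __user *filename") rather than at a cast. The callers in the following hunks already cast explicitly with "(char __force_user *)", so the prototype can stay "char __user *filename" and the annotation belongs only at the call sites, where the kernel pointer is actually reinterpreted.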
66395 -@@ -109,7 +109,7 @@ static void __init dir_utime(void)
66396 - struct dir_entry *de, *tmp;
66397 - list_for_each_entry_safe(de, tmp, &dir_list, list) {
66398 - list_del(&de->list);
66399 -- do_utime(de->name, de->mtime);
66400 -+ do_utime((char __force_user *)de->name, de->mtime);
66401 - kfree(de->name);
66402 - kfree(de);
66403 - }
66404 -@@ -271,7 +271,7 @@ static int __init maybe_link(void)
66405 - if (nlink >= 2) {
66406 - char *old = find_link(major, minor, ino, mode, collected);
66407 - if (old)
66408 -- return (sys_link(old, collected) < 0) ? -1 : 1;
66409 -+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
66410 - }
66411 - return 0;
66412 - }
66413 -@@ -280,11 +280,11 @@ static void __init clean_path(char *path
66414 - {
66415 - struct stat st;
66416 -
66417 -- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66418 -+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
66419 - if (S_ISDIR(st.st_mode))
66420 -- sys_rmdir(path);
66421 -+ sys_rmdir((char __force_user *)path);
66422 - else
66423 -- sys_unlink(path);
66424 -+ sys_unlink((char __force_user *)path);
66425 - }
66426 - }
66427 -
66428 -@@ -305,7 +305,7 @@ static int __init do_name(void)
66429 - int openflags = O_WRONLY|O_CREAT;
66430 - if (ml != 1)
66431 - openflags |= O_TRUNC;
66432 -- wfd = sys_open(collected, openflags, mode);
66433 -+ wfd = sys_open((char __force_user *)collected, openflags, mode);
66434 -
66435 - if (wfd >= 0) {
66436 - sys_fchown(wfd, uid, gid);
66437 -@@ -317,17 +317,17 @@ static int __init do_name(void)
66438 - }
66439 - }
66440 - } else if (S_ISDIR(mode)) {
66441 -- sys_mkdir(collected, mode);
66442 -- sys_chown(collected, uid, gid);
66443 -- sys_chmod(collected, mode);
66444 -+ sys_mkdir((char __force_user *)collected, mode);
66445 -+ sys_chown((char __force_user *)collected, uid, gid);
66446 -+ sys_chmod((char __force_user *)collected, mode);
66447 - dir_add(collected, mtime);
66448 - } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66449 - S_ISFIFO(mode) || S_ISSOCK(mode)) {
66450 - if (maybe_link() == 0) {
66451 -- sys_mknod(collected, mode, rdev);
66452 -- sys_chown(collected, uid, gid);
66453 -- sys_chmod(collected, mode);
66454 -- do_utime(collected, mtime);
66455 -+ sys_mknod((char __force_user *)collected, mode, rdev);
66456 -+ sys_chown((char __force_user *)collected, uid, gid);
66457 -+ sys_chmod((char __force_user *)collected, mode);
66458 -+ do_utime((char __force_user *)collected, mtime);
66459 - }
66460 - }
66461 - return 0;
66462 -@@ -336,15 +336,15 @@ static int __init do_name(void)
66463 - static int __init do_copy(void)
66464 - {
66465 - if (count >= body_len) {
66466 -- sys_write(wfd, victim, body_len);
66467 -+ sys_write(wfd, (char __force_user *)victim, body_len);
66468 - sys_close(wfd);
66469 -- do_utime(vcollected, mtime);
66470 -+ do_utime((char __force_user *)vcollected, mtime);
66471 - kfree(vcollected);
66472 - eat(body_len);
66473 - state = SkipIt;
66474 - return 0;
66475 - } else {
66476 -- sys_write(wfd, victim, count);
66477 -+ sys_write(wfd, (char __force_user *)victim, count);
66478 - body_len -= count;
66479 - eat(count);
66480 - return 1;
66481 -@@ -355,9 +355,9 @@ static int __init do_symlink(void)
66482 - {
66483 - collected[N_ALIGN(name_len) + body_len] = '\0';
66484 - clean_path(collected, 0);
66485 -- sys_symlink(collected + N_ALIGN(name_len), collected);
66486 -- sys_lchown(collected, uid, gid);
66487 -- do_utime(collected, mtime);
66488 -+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
66489 -+ sys_lchown((char __force_user *)collected, uid, gid);
66490 -+ do_utime((char __force_user *)collected, mtime);
66491 - state = SkipIt;
66492 - next_state = Reset;
66493 - return 0;
66494 -diff -urNp linux-2.6.32.46/init/main.c linux-2.6.32.46/init/main.c
66495 ---- linux-2.6.32.46/init/main.c 2011-05-10 22:12:01.000000000 -0400
66496 -+++ linux-2.6.32.46/init/main.c 2011-10-06 09:37:14.000000000 -0400
66497 -@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
66498 - #ifdef CONFIG_TC
66499 - extern void tc_init(void);
66500 - #endif
66501 -+extern void grsecurity_init(void);
66502 -
66503 - enum system_states system_state __read_mostly;
66504 - EXPORT_SYMBOL(system_state);
66505 -@@ -183,6 +184,49 @@ static int __init set_reset_devices(char
66506 -
66507 - __setup("reset_devices", set_reset_devices);
66508 -
66509 -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66510 -+extern char pax_enter_kernel_user[];
66511 -+extern char pax_exit_kernel_user[];
66512 -+extern pgdval_t clone_pgd_mask;
66513 -+#endif
66514 -+
66515 -+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66516 -+static int __init setup_pax_nouderef(char *str)
66517 -+{
66518 -+#ifdef CONFIG_X86_32
66519 -+ unsigned int cpu;
66520 -+ struct desc_struct *gdt;
66521 -+
66522 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
66523 -+ gdt = get_cpu_gdt_table(cpu);
66524 -+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66525 -+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66526 -+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66527 -+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66528 -+ }
66529 -+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66530 -+#else
66531 -+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66532 -+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66533 -+ clone_pgd_mask = ~(pgdval_t)0UL;
66534 -+#endif
66535 -+
66536 -+ return 0;
66537 -+}
66538 -+early_param("pax_nouderef", setup_pax_nouderef);
66539 -+#endif
66540 -+
66541 -+#ifdef CONFIG_PAX_SOFTMODE
66542 -+int pax_softmode;
66543 -+
66544 -+static int __init setup_pax_softmode(char *str)
66545 -+{
66546 -+ get_option(&str, &pax_softmode);
66547 -+ return 1;
66548 -+}
66549 -+__setup("pax_softmode=", setup_pax_softmode);
66550 -+#endif
66551 -+
66552 - static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66553 - char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66554 - static const char *panic_later, *panic_param;
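Review bot: setup_pax_nouderef() switches a protection off from the kernel command line without logging anything, and the values it writes ("type = 3", "limit = 0xf", the single 0xc3 byte copied over pax_enter_kernel_user and pax_exit_kernel_user) carry no comment. Add a printk stating that UDEREF was disabled by boot parameter, so the state is visible in the boot log, and a short comment in each branch saying what the write does. The str argument is also unused, and setup_pax_softmode() ignores the return value of get_option(), so a malformed "pax_softmode=" value is accepted silently; check it and warn.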
66555 -@@ -705,52 +749,53 @@ int initcall_debug;
66556 - core_param(initcall_debug, initcall_debug, bool, 0644);
66557 -
66558 - static char msgbuf[64];
66559 --static struct boot_trace_call call;
66560 --static struct boot_trace_ret ret;
66561 -+static struct boot_trace_call trace_call;
66562 -+static struct boot_trace_ret trace_ret;
66563 -
66564 - int do_one_initcall(initcall_t fn)
66565 - {
66566 - int count = preempt_count();
66567 - ktime_t calltime, delta, rettime;
66568 -+ const char *msg1 = "", *msg2 = "";
66569 -
66570 - if (initcall_debug) {
66571 -- call.caller = task_pid_nr(current);
66572 -- printk("calling %pF @ %i\n", fn, call.caller);
66573 -+ trace_call.caller = task_pid_nr(current);
66574 -+ printk("calling %pF @ %i\n", fn, trace_call.caller);
66575 - calltime = ktime_get();
66576 -- trace_boot_call(&call, fn);
66577 -+ trace_boot_call(&trace_call, fn);
66578 - enable_boot_trace();
66579 - }
66580 -
66581 -- ret.result = fn();
66582 -+ trace_ret.result = fn();
66583 -
66584 - if (initcall_debug) {
66585 - disable_boot_trace();
66586 - rettime = ktime_get();
66587 - delta = ktime_sub(rettime, calltime);
66588 -- ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
66589 -- trace_boot_ret(&ret, fn);
66590 -+ trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
66591 -+ trace_boot_ret(&trace_ret, fn);
66592 - printk("initcall %pF returned %d after %Ld usecs\n", fn,
66593 -- ret.result, ret.duration);
66594 -+ trace_ret.result, trace_ret.duration);
66595 - }
66596 -
66597 - msgbuf[0] = 0;
66598 -
66599 -- if (ret.result && ret.result != -ENODEV && initcall_debug)
66600 -- sprintf(msgbuf, "error code %d ", ret.result);
66601 -+ if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
66602 -+ sprintf(msgbuf, "error code %d ", trace_ret.result);
66603 -
66604 - if (preempt_count() != count) {
66605 -- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
66606 -+ msg1 = " preemption imbalance";
66607 - preempt_count() = count;
66608 - }
66609 - if (irqs_disabled()) {
66610 -- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
66611 -+ msg2 = " disabled interrupts";
66612 - local_irq_enable();
66613 - }
66614 -- if (msgbuf[0]) {
66615 -- printk("initcall %pF returned with %s\n", fn, msgbuf);
66616 -+ if (msgbuf[0] || *msg1 || *msg2) {
66617 -+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
66618 - }
66619 -
66620 -- return ret.result;
66621 -+ return trace_ret.result;
66622 - }
66623 -
66624 -
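Review bot: the new message strings start with a space (" preemption imbalance", " disabled interrupts") but the format still reads "returned with %s%s%s" and msgbuf is still built from "error code %d " with a trailing space, so the output gets a double space in both cases: after "with" when msgbuf is empty, and after the error code when it is not. Build msgbuf as " error code %d" and print "returned with%s%s%s\n" so each fragment brings exactly one leading space. The rename of call/ret to trace_call/trace_ret is unrelated to the message change and would be easier to review as its own hunk with a reason stated.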
66625 -@@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
66626 - if (!ramdisk_execute_command)
66627 - ramdisk_execute_command = "/init";
66628 -
66629 -- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
66630 -+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
66631 - ramdisk_execute_command = NULL;
66632 - prepare_namespace();
66633 - }
66634 -
66635 -+ grsecurity_init();
66636 -+
66637 - /*
66638 - * Ok, we have completed the initial bootup, and
66639 - * we're essentially up and running. Get rid of the
66640 -diff -urNp linux-2.6.32.46/init/noinitramfs.c linux-2.6.32.46/init/noinitramfs.c
66641 ---- linux-2.6.32.46/init/noinitramfs.c 2011-03-27 14:31:47.000000000 -0400
66642 -+++ linux-2.6.32.46/init/noinitramfs.c 2011-04-17 15:56:46.000000000 -0400
66643 -@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
66644 - {
66645 - int err;
66646 -
66647 -- err = sys_mkdir("/dev", 0755);
66648 -+ err = sys_mkdir((const char __user *)"/dev", 0755);
66649 - if (err < 0)
66650 - goto out;
66651 -
66652 -@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
66653 - if (err < 0)
66654 - goto out;
66655 -
66656 -- err = sys_mkdir("/root", 0700);
66657 -+ err = sys_mkdir((const char __user *)"/root", 0700);
66658 - if (err < 0)
66659 - goto out;
66660 -
66661 -diff -urNp linux-2.6.32.46/ipc/mqueue.c linux-2.6.32.46/ipc/mqueue.c
66662 ---- linux-2.6.32.46/ipc/mqueue.c 2011-03-27 14:31:47.000000000 -0400
66663 -+++ linux-2.6.32.46/ipc/mqueue.c 2011-04-17 15:56:46.000000000 -0400
66664 -@@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
66665 - mq_bytes = (mq_msg_tblsz +
66666 - (info->attr.mq_maxmsg * info->attr.mq_msgsize));
66667 -
66668 -+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
66669 - spin_lock(&mq_lock);
66670 - if (u->mq_bytes + mq_bytes < u->mq_bytes ||
66671 - u->mq_bytes + mq_bytes >
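Review bot: gr_learn_resource() is called before spin_lock(&mq_lock) and before the wraparound test "u->mq_bytes + mq_bytes < u->mq_bytes", so it reads u->mq_bytes without the lock and can be handed a sum that has already wrapped. Move the call below the overflow check, and under mq_lock if the function is safe to call with a spinlock held; otherwise take a snapshot of u->mq_bytes under the lock and report after unlocking.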
66672 -diff -urNp linux-2.6.32.46/ipc/msg.c linux-2.6.32.46/ipc/msg.c
66673 ---- linux-2.6.32.46/ipc/msg.c 2011-03-27 14:31:47.000000000 -0400
66674 -+++ linux-2.6.32.46/ipc/msg.c 2011-08-05 20:33:55.000000000 -0400
66675 -@@ -310,18 +310,19 @@ static inline int msg_security(struct ke
66676 - return security_msg_queue_associate(msq, msgflg);
66677 - }
66678 -
66679 -+static struct ipc_ops msg_ops = {
66680 -+ .getnew = newque,
66681 -+ .associate = msg_security,
66682 -+ .more_checks = NULL
66683 -+};
66684 -+
66685 - SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
66686 - {
66687 - struct ipc_namespace *ns;
66688 -- struct ipc_ops msg_ops;
66689 - struct ipc_params msg_params;
66690 -
66691 - ns = current->nsproxy->ipc_ns;
66692 -
66693 -- msg_ops.getnew = newque;
66694 -- msg_ops.associate = msg_security;
66695 -- msg_ops.more_checks = NULL;
66696 --
66697 - msg_params.key = key;
66698 - msg_params.flg = msgflg;
66699 -
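Review bot: msg_ops becomes a file-scope table that nothing in this hunk writes after initialization, yet it is declared "static struct ipc_ops msg_ops" rather than const, so the three function pointers remain in writable data. If the function that consumes the table can take a const pointer, declare it "static const struct ipc_ops"; the same applies to sem_ops and shm_ops in the following files.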
66700 -diff -urNp linux-2.6.32.46/ipc/sem.c linux-2.6.32.46/ipc/sem.c
66701 ---- linux-2.6.32.46/ipc/sem.c 2011-03-27 14:31:47.000000000 -0400
66702 -+++ linux-2.6.32.46/ipc/sem.c 2011-08-05 20:33:55.000000000 -0400
66703 -@@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
66704 - return 0;
66705 - }
66706 -
66707 -+static struct ipc_ops sem_ops = {
66708 -+ .getnew = newary,
66709 -+ .associate = sem_security,
66710 -+ .more_checks = sem_more_checks
66711 -+};
66712 -+
66713 - SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
66714 - {
66715 - struct ipc_namespace *ns;
66716 -- struct ipc_ops sem_ops;
66717 - struct ipc_params sem_params;
66718 -
66719 - ns = current->nsproxy->ipc_ns;
66720 -@@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
66721 - if (nsems < 0 || nsems > ns->sc_semmsl)
66722 - return -EINVAL;
66723 -
66724 -- sem_ops.getnew = newary;
66725 -- sem_ops.associate = sem_security;
66726 -- sem_ops.more_checks = sem_more_checks;
66727 --
66728 - sem_params.key = key;
66729 - sem_params.flg = semflg;
66730 - sem_params.u.nsems = nsems;
66731 -@@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
66732 - ushort* sem_io = fast_sem_io;
66733 - int nsems;
66734 -
66735 -+ pax_track_stack();
66736 -+
66737 - sma = sem_lock_check(ns, semid);
66738 - if (IS_ERR(sma))
66739 - return PTR_ERR(sma);
66740 -@@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
66741 - unsigned long jiffies_left = 0;
66742 - struct ipc_namespace *ns;
66743 -
66744 -+ pax_track_stack();
66745 -+
66746 - ns = current->nsproxy->ipc_ns;
66747 -
66748 - if (nsops < 1 || semid < 0)
66749 -diff -urNp linux-2.6.32.46/ipc/shm.c linux-2.6.32.46/ipc/shm.c
66750 ---- linux-2.6.32.46/ipc/shm.c 2011-03-27 14:31:47.000000000 -0400
66751 -+++ linux-2.6.32.46/ipc/shm.c 2011-08-05 20:33:55.000000000 -0400
66752 -@@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
66753 - static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
66754 - #endif
66755 -
66756 -+#ifdef CONFIG_GRKERNSEC
66757 -+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66758 -+ const time_t shm_createtime, const uid_t cuid,
66759 -+ const int shmid);
66760 -+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66761 -+ const time_t shm_createtime);
66762 -+#endif
66763 -+
66764 - void shm_init_ns(struct ipc_namespace *ns)
66765 - {
66766 - ns->shm_ctlmax = SHMMAX;
66767 -@@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
66768 - shp->shm_lprid = 0;
66769 - shp->shm_atim = shp->shm_dtim = 0;
66770 - shp->shm_ctim = get_seconds();
66771 -+#ifdef CONFIG_GRKERNSEC
66772 -+ {
66773 -+ struct timespec timeval;
66774 -+ do_posix_clock_monotonic_gettime(&timeval);
66775 -+
66776 -+ shp->shm_createtime = timeval.tv_sec;
66777 -+ }
66778 -+#endif
66779 - shp->shm_segsz = size;
66780 - shp->shm_nattch = 0;
66781 - shp->shm_file = file;
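Review bot: shm_createtime is filled from do_posix_clock_monotonic_gettime() while shm_ctim two lines above comes from get_seconds(), so two similarly named timestamp fields on the same object run on different clocks and nothing here says so. Add a comment at the assignment (and at the field's declaration) that shm_createtime is monotonic seconds and must not be compared with shm_ctim. The bare brace block inside the #ifdef exists only to declare timeval; a small helper would read better than an anonymous scope in the middle of newseg().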
66782 -@@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
66783 - return 0;
66784 - }
66785 -
66786 -+static struct ipc_ops shm_ops = {
66787 -+ .getnew = newseg,
66788 -+ .associate = shm_security,
66789 -+ .more_checks = shm_more_checks
66790 -+};
66791 -+
66792 - SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
66793 - {
66794 - struct ipc_namespace *ns;
66795 -- struct ipc_ops shm_ops;
66796 - struct ipc_params shm_params;
66797 -
66798 - ns = current->nsproxy->ipc_ns;
66799 -
66800 -- shm_ops.getnew = newseg;
66801 -- shm_ops.associate = shm_security;
66802 -- shm_ops.more_checks = shm_more_checks;
66803 --
66804 - shm_params.key = key;
66805 - shm_params.flg = shmflg;
66806 - shm_params.u.size = size;
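Review bot: the new file-scope `shm_ops` is a table of function pointers that these lines never write after initialisation, yet it is declared `static struct ipc_ops` rather than `static const struct ipc_ops`. If the consumer of `shm_ops` accepts a const pointer, declare it const so the table does not sit in writable data.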
66807 -@@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
66808 - if (err)
66809 - goto out_unlock;
66810 -
66811 -+#ifdef CONFIG_GRKERNSEC
66812 -+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
66813 -+ shp->shm_perm.cuid, shmid) ||
66814 -+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
66815 -+ err = -EACCES;
66816 -+ goto out_unlock;
66817 -+ }
66818 -+#endif
66819 -+
66820 - path.dentry = dget(shp->shm_file->f_path.dentry);
66821 - path.mnt = shp->shm_file->f_path.mnt;
66822 - shp->shm_nattch++;
66823 -+#ifdef CONFIG_GRKERNSEC
66824 -+ shp->shm_lapid = current->pid;
66825 -+#endif
66826 - size = i_size_read(path.dentry->d_inode);
66827 - shm_unlock(shp);
66828 -
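Review bot: in the new `CONFIG_GRKERNSEC` block the helpers signal "deny" by returning zero (`!gr_handle_shmat(...) || !gr_chroot_shmat(...)`), the opposite of the `err` convention used in the lines just above, and no comment says what policy is enforced. Add a short comment at the call site describing the check and the return convention. Also note that `shm_lapid` is read by the check and written a few lines later in a separate `#ifdef` block; a comment that both happen before `shm_unlock(shp)` would make that ordering dependency explicit.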
66829 -diff -urNp linux-2.6.32.46/kernel/acct.c linux-2.6.32.46/kernel/acct.c
66830 ---- linux-2.6.32.46/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
66831 -+++ linux-2.6.32.46/kernel/acct.c 2011-10-06 09:37:14.000000000 -0400
66832 -@@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
66833 - */
66834 - flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
66835 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
66836 -- file->f_op->write(file, (char *)&ac,
66837 -+ file->f_op->write(file, (char __force_user *)&ac,
66838 - sizeof(acct_t), &file->f_pos);
66839 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
66840 - set_fs(fs);
66841 -diff -urNp linux-2.6.32.46/kernel/audit.c linux-2.6.32.46/kernel/audit.c
66842 ---- linux-2.6.32.46/kernel/audit.c 2011-03-27 14:31:47.000000000 -0400
66843 -+++ linux-2.6.32.46/kernel/audit.c 2011-05-04 17:56:28.000000000 -0400
66844 -@@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
66845 - 3) suppressed due to audit_rate_limit
66846 - 4) suppressed due to audit_backlog_limit
66847 - */
66848 --static atomic_t audit_lost = ATOMIC_INIT(0);
66849 -+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
66850 -
66851 - /* The netlink socket. */
66852 - static struct sock *audit_sock;
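Review bot: the change of `audit_lost` to `atomic_unchecked_t` carries no explanation of why this counter is exempt from checking. The comment block above describes it as a count of lost records, so a one-line note such as "statistics counter, wraparound is harmless" at the declaration would let a later reader tell a deliberate opt-out from a mechanical conversion.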
66853 -@@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
66854 - unsigned long now;
66855 - int print;
66856 -
66857 -- atomic_inc(&audit_lost);
66858 -+ atomic_inc_unchecked(&audit_lost);
66859 -
66860 - print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
66861 -
66862 -@@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
66863 - printk(KERN_WARNING
66864 - "audit: audit_lost=%d audit_rate_limit=%d "
66865 - "audit_backlog_limit=%d\n",
66866 -- atomic_read(&audit_lost),
66867 -+ atomic_read_unchecked(&audit_lost),
66868 - audit_rate_limit,
66869 - audit_backlog_limit);
66870 - audit_panic(message);
66871 -@@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
66872 - status_set.pid = audit_pid;
66873 - status_set.rate_limit = audit_rate_limit;
66874 - status_set.backlog_limit = audit_backlog_limit;
66875 -- status_set.lost = atomic_read(&audit_lost);
66876 -+ status_set.lost = atomic_read_unchecked(&audit_lost);
66877 - status_set.backlog = skb_queue_len(&audit_skb_queue);
66878 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
66879 - &status_set, sizeof(status_set));
66880 -@@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
66881 - spin_unlock_irq(&tsk->sighand->siglock);
66882 - }
66883 - read_unlock(&tasklist_lock);
66884 -- audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
66885 -- &s, sizeof(s));
66886 -+
66887 -+ if (!err)
66888 -+ audit_send_reply(NETLINK_CB(skb).pid, seq,
66889 -+ AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
66890 - break;
66891 - }
66892 - case AUDIT_TTY_SET: {
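Review bot: the new `if (!err)` guard keeps the `AUDIT_TTY_GET` reply from going out on the error path, but this hunk does not show where `s` is initialised. Zero `s` at its declaration as well, so that a later change to the guard cannot put stack contents into the `&s, sizeof(s)` payload of `audit_send_reply()`.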
66893 -diff -urNp linux-2.6.32.46/kernel/auditsc.c linux-2.6.32.46/kernel/auditsc.c
66894 ---- linux-2.6.32.46/kernel/auditsc.c 2011-03-27 14:31:47.000000000 -0400
66895 -+++ linux-2.6.32.46/kernel/auditsc.c 2011-05-04 17:56:28.000000000 -0400
66896 -@@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
66897 - }
66898 -
66899 - /* global counter which is incremented every time something logs in */
66900 --static atomic_t session_id = ATOMIC_INIT(0);
66901 -+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
66902 -
66903 - /**
66904 - * audit_set_loginuid - set a task's audit_context loginuid
66905 -@@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
66906 - */
66907 - int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
66908 - {
66909 -- unsigned int sessionid = atomic_inc_return(&session_id);
66910 -+ unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
66911 - struct audit_context *context = task->audit_context;
66912 -
66913 - if (context && context->in_syscall) {
66914 -diff -urNp linux-2.6.32.46/kernel/capability.c linux-2.6.32.46/kernel/capability.c
66915 ---- linux-2.6.32.46/kernel/capability.c 2011-03-27 14:31:47.000000000 -0400
66916 -+++ linux-2.6.32.46/kernel/capability.c 2011-04-17 15:56:46.000000000 -0400
66917 -@@ -305,10 +305,26 @@ int capable(int cap)
66918 - BUG();
66919 - }
66920 -
66921 -- if (security_capable(cap) == 0) {
66922 -+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
66923 - current->flags |= PF_SUPERPRIV;
66924 - return 1;
66925 - }
66926 - return 0;
66927 - }
66928 -+
66929 -+int capable_nolog(int cap)
66930 -+{
66931 -+ if (unlikely(!cap_valid(cap))) {
66932 -+ printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
66933 -+ BUG();
66934 -+ }
66935 -+
66936 -+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
66937 -+ current->flags |= PF_SUPERPRIV;
66938 -+ return 1;
66939 -+ }
66940 -+ return 0;
66941 -+}
66942 -+
66943 - EXPORT_SYMBOL(capable);
66944 -+EXPORT_SYMBOL(capable_nolog);
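Review bot: `capable_nolog()` copies the body of `capable()` verbatim, including the `printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap)` line, so an invalid-cap report from the new function names the wrong caller (and prints an `int` with `%u`). Factor the shared body into one static helper that takes the grsecurity predicate as a parameter, and have the message use `__func__` or the real function name.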
66945 -diff -urNp linux-2.6.32.46/kernel/cgroup.c linux-2.6.32.46/kernel/cgroup.c
66946 ---- linux-2.6.32.46/kernel/cgroup.c 2011-03-27 14:31:47.000000000 -0400
66947 -+++ linux-2.6.32.46/kernel/cgroup.c 2011-05-16 21:46:57.000000000 -0400
66948 -@@ -536,6 +536,8 @@ static struct css_set *find_css_set(
66949 - struct hlist_head *hhead;
66950 - struct cg_cgroup_link *link;
66951 -
66952 -+ pax_track_stack();
66953 -+
66954 - /* First see if we already have a cgroup group that matches
66955 - * the desired set */
66956 - read_lock(&css_set_lock);
66957 -diff -urNp linux-2.6.32.46/kernel/compat.c linux-2.6.32.46/kernel/compat.c
66958 ---- linux-2.6.32.46/kernel/compat.c 2011-03-27 14:31:47.000000000 -0400
66959 -+++ linux-2.6.32.46/kernel/compat.c 2011-10-06 09:37:14.000000000 -0400
66960 -@@ -108,7 +108,7 @@ static long compat_nanosleep_restart(str
66961 - mm_segment_t oldfs;
66962 - long ret;
66963 -
66964 -- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
66965 -+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
66966 - oldfs = get_fs();
66967 - set_fs(KERNEL_DS);
66968 - ret = hrtimer_nanosleep_restart(restart);
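Review bot: `restart->nanosleep.rmtp` is assigned the address of the stack local `rmt` through a `__force_user` cast, and the restart block outlives the `set_fs(KERNEL_DS)` window that follows. The cast silences the address-space checker, so add a comment at this assignment stating that the pointer is only valid while `KERNEL_DS` is in effect in this function and is not to be dereferenced after `set_fs(oldfs)`.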
66969 -@@ -140,7 +140,7 @@ asmlinkage long compat_sys_nanosleep(str
66970 - oldfs = get_fs();
66971 - set_fs(KERNEL_DS);
66972 - ret = hrtimer_nanosleep(&tu,
66973 -- rmtp ? (struct timespec __user *)&rmt : NULL,
66974 -+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
66975 - HRTIMER_MODE_REL, CLOCK_MONOTONIC);
66976 - set_fs(oldfs);
66977 -
66978 -@@ -247,7 +247,7 @@ asmlinkage long compat_sys_sigpending(co
66979 - mm_segment_t old_fs = get_fs();
66980 -
66981 - set_fs(KERNEL_DS);
66982 -- ret = sys_sigpending((old_sigset_t __user *) &s);
66983 -+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
66984 - set_fs(old_fs);
66985 - if (ret == 0)
66986 - ret = put_user(s, set);
66987 -@@ -266,8 +266,8 @@ asmlinkage long compat_sys_sigprocmask(i
66988 - old_fs = get_fs();
66989 - set_fs(KERNEL_DS);
66990 - ret = sys_sigprocmask(how,
66991 -- set ? (old_sigset_t __user *) &s : NULL,
66992 -- oset ? (old_sigset_t __user *) &s : NULL);
66993 -+ set ? (old_sigset_t __force_user *) &s : NULL,
66994 -+ oset ? (old_sigset_t __force_user *) &s : NULL);
66995 - set_fs(old_fs);
66996 - if (ret == 0)
66997 - if (oset)
66998 -@@ -310,7 +310,7 @@ asmlinkage long compat_sys_old_getrlimit
66999 - mm_segment_t old_fs = get_fs();
67000 -
67001 - set_fs(KERNEL_DS);
67002 -- ret = sys_old_getrlimit(resource, &r);
67003 -+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
67004 - set_fs(old_fs);
67005 -
67006 - if (!ret) {
67007 -@@ -385,7 +385,7 @@ asmlinkage long compat_sys_getrusage(int
67008 - mm_segment_t old_fs = get_fs();
67009 -
67010 - set_fs(KERNEL_DS);
67011 -- ret = sys_getrusage(who, (struct rusage __user *) &r);
67012 -+ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
67013 - set_fs(old_fs);
67014 -
67015 - if (ret)
67016 -@@ -412,8 +412,8 @@ compat_sys_wait4(compat_pid_t pid, compa
67017 - set_fs (KERNEL_DS);
67018 - ret = sys_wait4(pid,
67019 - (stat_addr ?
67020 -- (unsigned int __user *) &status : NULL),
67021 -- options, (struct rusage __user *) &r);
67022 -+ (unsigned int __force_user *) &status : NULL),
67023 -+ options, (struct rusage __force_user *) &r);
67024 - set_fs (old_fs);
67025 -
67026 - if (ret > 0) {
67027 -@@ -438,8 +438,8 @@ asmlinkage long compat_sys_waitid(int wh
67028 - memset(&info, 0, sizeof(info));
67029 -
67030 - set_fs(KERNEL_DS);
67031 -- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
67032 -- uru ? (struct rusage __user *)&ru : NULL);
67033 -+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
67034 -+ uru ? (struct rusage __force_user *)&ru : NULL);
67035 - set_fs(old_fs);
67036 -
67037 - if ((ret < 0) || (info.si_signo == 0))
67038 -@@ -569,8 +569,8 @@ long compat_sys_timer_settime(timer_t ti
67039 - oldfs = get_fs();
67040 - set_fs(KERNEL_DS);
67041 - err = sys_timer_settime(timer_id, flags,
67042 -- (struct itimerspec __user *) &newts,
67043 -- (struct itimerspec __user *) &oldts);
67044 -+ (struct itimerspec __force_user *) &newts,
67045 -+ (struct itimerspec __force_user *) &oldts);
67046 - set_fs(oldfs);
67047 - if (!err && old && put_compat_itimerspec(old, &oldts))
67048 - return -EFAULT;
67049 -@@ -587,7 +587,7 @@ long compat_sys_timer_gettime(timer_t ti
67050 - oldfs = get_fs();
67051 - set_fs(KERNEL_DS);
67052 - err = sys_timer_gettime(timer_id,
67053 -- (struct itimerspec __user *) &ts);
67054 -+ (struct itimerspec __force_user *) &ts);
67055 - set_fs(oldfs);
67056 - if (!err && put_compat_itimerspec(setting, &ts))
67057 - return -EFAULT;
67058 -@@ -606,7 +606,7 @@ long compat_sys_clock_settime(clockid_t
67059 - oldfs = get_fs();
67060 - set_fs(KERNEL_DS);
67061 - err = sys_clock_settime(which_clock,
67062 -- (struct timespec __user *) &ts);
67063 -+ (struct timespec __force_user *) &ts);
67064 - set_fs(oldfs);
67065 - return err;
67066 - }
67067 -@@ -621,7 +621,7 @@ long compat_sys_clock_gettime(clockid_t
67068 - oldfs = get_fs();
67069 - set_fs(KERNEL_DS);
67070 - err = sys_clock_gettime(which_clock,
67071 -- (struct timespec __user *) &ts);
67072 -+ (struct timespec __force_user *) &ts);
67073 - set_fs(oldfs);
67074 - if (!err && put_compat_timespec(&ts, tp))
67075 - return -EFAULT;
67076 -@@ -638,7 +638,7 @@ long compat_sys_clock_getres(clockid_t w
67077 - oldfs = get_fs();
67078 - set_fs(KERNEL_DS);
67079 - err = sys_clock_getres(which_clock,
67080 -- (struct timespec __user *) &ts);
67081 -+ (struct timespec __force_user *) &ts);
67082 - set_fs(oldfs);
67083 - if (!err && tp && put_compat_timespec(&ts, tp))
67084 - return -EFAULT;
67085 -@@ -650,9 +650,9 @@ static long compat_clock_nanosleep_resta
67086 - long err;
67087 - mm_segment_t oldfs;
67088 - struct timespec tu;
67089 -- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
67090 -+ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
67091 -
67092 -- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
67093 -+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
67094 - oldfs = get_fs();
67095 - set_fs(KERNEL_DS);
67096 - err = clock_nanosleep_restart(restart);
67097 -@@ -684,8 +684,8 @@ long compat_sys_clock_nanosleep(clockid_
67098 - oldfs = get_fs();
67099 - set_fs(KERNEL_DS);
67100 - err = sys_clock_nanosleep(which_clock, flags,
67101 -- (struct timespec __user *) &in,
67102 -- (struct timespec __user *) &out);
67103 -+ (struct timespec __force_user *) &in,
67104 -+ (struct timespec __force_user *) &out);
67105 - set_fs(oldfs);
67106 -
67107 - if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
67108 -diff -urNp linux-2.6.32.46/kernel/configs.c linux-2.6.32.46/kernel/configs.c
67109 ---- linux-2.6.32.46/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
67110 -+++ linux-2.6.32.46/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
67111 -@@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
67112 - struct proc_dir_entry *entry;
67113 -
67114 - /* create the current config file */
67115 -+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
67116 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
67117 -+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
67118 -+ &ikconfig_file_ops);
67119 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67120 -+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
67121 -+ &ikconfig_file_ops);
67122 -+#endif
67123 -+#else
67124 - entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
67125 - &ikconfig_file_ops);
67126 -+#endif
67127 -+
67128 - if (!entry)
67129 - return -ENOMEM;
67130 -
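Review bot: the inner `#if ... #elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ... #endif` chain has no `#else`. With `CONFIG_GRKERNSEC_PROC_ADD` set but none of `PROC_USER`, `HIDESYM` or `PROC_USERGROUP`, no `proc_create()` call is compiled and `if (!entry)` tests an uninitialised pointer. If Kconfig dependencies make that combination impossible, say so in a comment and add `#else` with `#error`; otherwise fall through to the default `S_IRUGO` call.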
67131 -diff -urNp linux-2.6.32.46/kernel/cpu.c linux-2.6.32.46/kernel/cpu.c
67132 ---- linux-2.6.32.46/kernel/cpu.c 2011-03-27 14:31:47.000000000 -0400
67133 -+++ linux-2.6.32.46/kernel/cpu.c 2011-04-17 15:56:46.000000000 -0400
67134 -@@ -19,7 +19,7 @@
67135 - /* Serializes the updates to cpu_online_mask, cpu_present_mask */
67136 - static DEFINE_MUTEX(cpu_add_remove_lock);
67137 -
67138 --static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
67139 -+static RAW_NOTIFIER_HEAD(cpu_chain);
67140 -
67141 - /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
67142 - * Should always be manipulated under cpu_add_remove_lock
67143 -diff -urNp linux-2.6.32.46/kernel/cred.c linux-2.6.32.46/kernel/cred.c
67144 ---- linux-2.6.32.46/kernel/cred.c 2011-03-27 14:31:47.000000000 -0400
67145 -+++ linux-2.6.32.46/kernel/cred.c 2011-08-11 19:49:38.000000000 -0400
67146 -@@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
67147 - */
67148 - void __put_cred(struct cred *cred)
67149 - {
67150 -+ pax_track_stack();
67151 -+
67152 - kdebug("__put_cred(%p{%d,%d})", cred,
67153 - atomic_read(&cred->usage),
67154 - read_cred_subscribers(cred));
67155 -@@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
67156 - {
67157 - struct cred *cred;
67158 -
67159 -+ pax_track_stack();
67160 -+
67161 - kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
67162 - atomic_read(&tsk->cred->usage),
67163 - read_cred_subscribers(tsk->cred));
67164 -@@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
67165 - {
67166 - const struct cred *cred;
67167 -
67168 -+ pax_track_stack();
67169 -+
67170 - rcu_read_lock();
67171 -
67172 - do {
67173 -@@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
67174 - {
67175 - struct cred *new;
67176 -
67177 -+ pax_track_stack();
67178 -+
67179 - new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
67180 - if (!new)
67181 - return NULL;
67182 -@@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
67183 - const struct cred *old;
67184 - struct cred *new;
67185 -
67186 -+ pax_track_stack();
67187 -+
67188 - validate_process_creds();
67189 -
67190 - new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67191 -@@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
67192 - struct thread_group_cred *tgcred = NULL;
67193 - struct cred *new;
67194 -
67195 -+ pax_track_stack();
67196 -+
67197 - #ifdef CONFIG_KEYS
67198 - tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
67199 - if (!tgcred)
67200 -@@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
67201 - struct cred *new;
67202 - int ret;
67203 -
67204 -+ pax_track_stack();
67205 -+
67206 - mutex_init(&p->cred_guard_mutex);
67207 -
67208 - if (
67209 -@@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
67210 - struct task_struct *task = current;
67211 - const struct cred *old = task->real_cred;
67212 -
67213 -+ pax_track_stack();
67214 -+
67215 - kdebug("commit_creds(%p{%d,%d})", new,
67216 - atomic_read(&new->usage),
67217 - read_cred_subscribers(new));
67218 -@@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
67219 -
67220 - get_cred(new); /* we will require a ref for the subj creds too */
67221 -
67222 -+ gr_set_role_label(task, new->uid, new->gid);
67223 -+
67224 - /* dumpability changes */
67225 - if (old->euid != new->euid ||
67226 - old->egid != new->egid ||
67227 -@@ -563,10 +581,8 @@ int commit_creds(struct cred *new)
67228 - key_fsgid_changed(task);
67229 -
67230 - /* do it
67231 -- * - What if a process setreuid()'s and this brings the
67232 -- * new uid over his NPROC rlimit? We can check this now
67233 -- * cheaply with the new uid cache, so if it matters
67234 -- * we should be checking for it. -DaveM
67235 -+ * RLIMIT_NPROC limits on user->processes have already been checked
67236 -+ * in set_user().
67237 - */
67238 - alter_cred_subscribers(new, 2);
67239 - if (new->user != old->user)
67240 -@@ -606,6 +622,8 @@ EXPORT_SYMBOL(commit_creds);
67241 - */
67242 - void abort_creds(struct cred *new)
67243 - {
67244 -+ pax_track_stack();
67245 -+
67246 - kdebug("abort_creds(%p{%d,%d})", new,
67247 - atomic_read(&new->usage),
67248 - read_cred_subscribers(new));
67249 -@@ -629,6 +647,8 @@ const struct cred *override_creds(const
67250 - {
67251 - const struct cred *old = current->cred;
67252 -
67253 -+ pax_track_stack();
67254 -+
67255 - kdebug("override_creds(%p{%d,%d})", new,
67256 - atomic_read(&new->usage),
67257 - read_cred_subscribers(new));
67258 -@@ -658,6 +678,8 @@ void revert_creds(const struct cred *old
67259 - {
67260 - const struct cred *override = current->cred;
67261 -
67262 -+ pax_track_stack();
67263 -+
67264 - kdebug("revert_creds(%p{%d,%d})", old,
67265 - atomic_read(&old->usage),
67266 - read_cred_subscribers(old));
67267 -@@ -704,6 +726,8 @@ struct cred *prepare_kernel_cred(struct
67268 - const struct cred *old;
67269 - struct cred *new;
67270 -
67271 -+ pax_track_stack();
67272 -+
67273 - new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67274 - if (!new)
67275 - return NULL;
67276 -@@ -758,6 +782,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
67277 - */
67278 - int set_security_override(struct cred *new, u32 secid)
67279 - {
67280 -+ pax_track_stack();
67281 -+
67282 - return security_kernel_act_as(new, secid);
67283 - }
67284 - EXPORT_SYMBOL(set_security_override);
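Review bot: `pax_track_stack()` is added to `set_security_override()`, whose whole body is `return security_kernel_act_as(new, secid);` with no locals. It is not clear what stack usage is being tracked here, as opposed to the functions in this file that carry `kdebug()` calls or allocations. Either drop the call from this wrapper or add a comment giving the criterion used to pick functions for instrumentation.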
67285 -@@ -777,6 +803,8 @@ int set_security_override_from_ctx(struc
67286 - u32 secid;
67287 - int ret;
67288 -
67289 -+ pax_track_stack();
67290 -+
67291 - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67292 - if (ret < 0)
67293 - return ret;
67294 -diff -urNp linux-2.6.32.46/kernel/exit.c linux-2.6.32.46/kernel/exit.c
67295 ---- linux-2.6.32.46/kernel/exit.c 2011-03-27 14:31:47.000000000 -0400
67296 -+++ linux-2.6.32.46/kernel/exit.c 2011-08-17 19:19:50.000000000 -0400
67297 -@@ -55,6 +55,10 @@
67298 - #include <asm/pgtable.h>
67299 - #include <asm/mmu_context.h>
67300 -
67301 -+#ifdef CONFIG_GRKERNSEC
67302 -+extern rwlock_t grsec_exec_file_lock;
67303 -+#endif
67304 -+
67305 - static void exit_mm(struct task_struct * tsk);
67306 -
67307 - static void __unhash_process(struct task_struct *p)
67308 -@@ -174,6 +178,10 @@ void release_task(struct task_struct * p
67309 - struct task_struct *leader;
67310 - int zap_leader;
67311 - repeat:
67312 -+#ifdef CONFIG_NET
67313 -+ gr_del_task_from_ip_table(p);
67314 -+#endif
67315 -+
67316 - tracehook_prepare_release_task(p);
67317 - /* don't need to get the RCU readlock here - the process is dead and
67318 - * can't be modifying its own credentials */
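Review bot: `gr_del_task_from_ip_table(p)` is guarded by `CONFIG_NET` alone, whereas the other grsecurity additions in this file are either under `CONFIG_GRKERNSEC` or unguarded. With networking enabled and grsecurity disabled, this call needs a stub to exist. Confirm the header provides a no-op for that configuration, or make the guard `defined(CONFIG_GRKERNSEC) && defined(CONFIG_NET)`.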
67319 -@@ -341,11 +349,22 @@ static void reparent_to_kthreadd(void)
67320 - {
67321 - write_lock_irq(&tasklist_lock);
67322 -
67323 -+#ifdef CONFIG_GRKERNSEC
67324 -+ write_lock(&grsec_exec_file_lock);
67325 -+ if (current->exec_file) {
67326 -+ fput(current->exec_file);
67327 -+ current->exec_file = NULL;
67328 -+ }
67329 -+ write_unlock(&grsec_exec_file_lock);
67330 -+#endif
67331 -+
67332 - ptrace_unlink(current);
67333 - /* Reparent to init */
67334 - current->real_parent = current->parent = kthreadd_task;
67335 - list_move_tail(&current->sibling, &current->real_parent->children);
67336 -
67337 -+ gr_set_kernel_label(current);
67338 -+
67339 - /* Set the exit signal to SIGCHLD so we signal init on exit */
67340 - current->exit_signal = SIGCHLD;
67341 -
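Review bot: `fput(current->exec_file)` in the new block runs with `tasklist_lock` write-held and interrupts disabled (`write_lock_irq()` two lines above) and with `grsec_exec_file_lock` write-held. If this drops the last reference, the file's release path runs in that context. Move the block above `write_lock_irq(&tasklist_lock)`, and inside it copy the pointer to a local, set `current->exec_file = NULL` under `grsec_exec_file_lock`, then call `fput()` after `write_unlock()`.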
67342 -@@ -397,7 +416,7 @@ int allow_signal(int sig)
67343 - * know it'll be handled, so that they don't get converted to
67344 - * SIGKILL or just silently dropped.
67345 - */
67346 -- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67347 -+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67348 - recalc_sigpending();
67349 - spin_unlock_irq(&current->sighand->siglock);
67350 - return 0;
67351 -@@ -433,6 +452,17 @@ void daemonize(const char *name, ...)
67352 - vsnprintf(current->comm, sizeof(current->comm), name, args);
67353 - va_end(args);
67354 -
67355 -+#ifdef CONFIG_GRKERNSEC
67356 -+ write_lock(&grsec_exec_file_lock);
67357 -+ if (current->exec_file) {
67358 -+ fput(current->exec_file);
67359 -+ current->exec_file = NULL;
67360 -+ }
67361 -+ write_unlock(&grsec_exec_file_lock);
67362 -+#endif
67363 -+
67364 -+ gr_set_kernel_label(current);
67365 -+
67366 - /*
67367 - * If we were started as result of loading a module, close all of the
67368 - * user space pages. We don't need them, and if we didn't close them
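Review bot: this `CONFIG_GRKERNSEC` block plus `gr_set_kernel_label(current)` is a line-for-line copy of what was added to `reparent_to_kthreadd()` earlier in the same file. Put it in one helper (for example a static function that drops `exec_file` and sets the kernel label) so a locking fix to one copy cannot miss the other. `fput()` is also called while `grsec_exec_file_lock` is write-held here; the helper should release the reference after unlocking.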
67369 -@@ -897,17 +927,17 @@ NORET_TYPE void do_exit(long code)
67370 - struct task_struct *tsk = current;
67371 - int group_dead;
67372 -
67373 -- profile_task_exit(tsk);
67374 --
67375 -- WARN_ON(atomic_read(&tsk->fs_excl));
67376 --
67377 -+ /*
67378 -+ * Check this first since set_fs() below depends on
67379 -+ * current_thread_info(), which we better not access when we're in
67380 -+ * interrupt context. Other than that, we want to do the set_fs()
67381 -+ * as early as possible.
67382 -+ */
67383 - if (unlikely(in_interrupt()))
67384 - panic("Aiee, killing interrupt handler!");
67385 -- if (unlikely(!tsk->pid))
67386 -- panic("Attempted to kill the idle task!");
67387 -
67388 - /*
67389 -- * If do_exit is called because this processes oopsed, it's possible
67390 -+ * If do_exit is called because this processes Oops'ed, it's possible
67391 - * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
67392 - * continuing. Amongst other possible reasons, this is to prevent
67393 - * mm_release()->clear_child_tid() from writing to a user-controlled
67394 -@@ -915,6 +945,13 @@ NORET_TYPE void do_exit(long code)
67395 - */
67396 - set_fs(USER_DS);
67397 -
67398 -+ profile_task_exit(tsk);
67399 -+
67400 -+ WARN_ON(atomic_read(&tsk->fs_excl));
67401 -+
67402 -+ if (unlikely(!tsk->pid))
67403 -+ panic("Attempted to kill the idle task!");
67404 -+
67405 - tracehook_report_exit(&code);
67406 -
67407 - validate_creds_for_do_exit(tsk);
67408 -@@ -973,6 +1010,9 @@ NORET_TYPE void do_exit(long code)
67409 - tsk->exit_code = code;
67410 - taskstats_exit(tsk, group_dead);
67411 -
67412 -+ gr_acl_handle_psacct(tsk, code);
67413 -+ gr_acl_handle_exit();
67414 -+
67415 - exit_mm(tsk);
67416 -
67417 - if (group_dead)
67418 -@@ -1188,7 +1228,7 @@ static int wait_task_zombie(struct wait_
67419 -
67420 - if (unlikely(wo->wo_flags & WNOWAIT)) {
67421 - int exit_code = p->exit_code;
67422 -- int why, status;
67423 -+ int why;
67424 -
67425 - get_task_struct(p);
67426 - read_unlock(&tasklist_lock);
67427 -diff -urNp linux-2.6.32.46/kernel/fork.c linux-2.6.32.46/kernel/fork.c
67428 ---- linux-2.6.32.46/kernel/fork.c 2011-03-27 14:31:47.000000000 -0400
67429 -+++ linux-2.6.32.46/kernel/fork.c 2011-08-11 19:50:07.000000000 -0400
67430 -@@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
67431 - *stackend = STACK_END_MAGIC; /* for overflow detection */
67432 -
67433 - #ifdef CONFIG_CC_STACKPROTECTOR
67434 -- tsk->stack_canary = get_random_int();
67435 -+ tsk->stack_canary = pax_get_random_long();
67436 - #endif
67437 -
67438 - /* One for us, one for whoever does the "release_task()" (usually parent) */
67439 -@@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
67440 - mm->locked_vm = 0;
67441 - mm->mmap = NULL;
67442 - mm->mmap_cache = NULL;
67443 -- mm->free_area_cache = oldmm->mmap_base;
67444 -- mm->cached_hole_size = ~0UL;
67445 -+ mm->free_area_cache = oldmm->free_area_cache;
67446 -+ mm->cached_hole_size = oldmm->cached_hole_size;
67447 - mm->map_count = 0;
67448 - cpumask_clear(mm_cpumask(mm));
67449 - mm->mm_rb = RB_ROOT;
67450 -@@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
67451 - tmp->vm_flags &= ~VM_LOCKED;
67452 - tmp->vm_mm = mm;
67453 - tmp->vm_next = tmp->vm_prev = NULL;
67454 -+ tmp->vm_mirror = NULL;
67455 - anon_vma_link(tmp);
67456 - file = tmp->vm_file;
67457 - if (file) {
67458 -@@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
67459 - if (retval)
67460 - goto out;
67461 - }
67462 -+
67463 -+#ifdef CONFIG_PAX_SEGMEXEC
67464 -+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67465 -+ struct vm_area_struct *mpnt_m;
67466 -+
67467 -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67468 -+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67469 -+
67470 -+ if (!mpnt->vm_mirror)
67471 -+ continue;
67472 -+
67473 -+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67474 -+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67475 -+ mpnt->vm_mirror = mpnt_m;
67476 -+ } else {
67477 -+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67478 -+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67479 -+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67480 -+ mpnt->vm_mirror->vm_mirror = mpnt;
67481 -+ }
67482 -+ }
67483 -+ BUG_ON(mpnt_m);
67484 -+ }
67485 -+#endif
67486 -+
67487 - /* a new mm has just been created */
67488 - arch_dup_mmap(oldmm, mm);
67489 - retval = 0;
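Review bot: the `CONFIG_PAX_SEGMEXEC` fix-up loop has no comment describing the invariant it maintains, and it is not obvious from the code. In the `vm_end <= SEGMEXEC_TASK_SIZE` branch the parent's `mpnt->vm_mirror` is pointed at the child vma `mpnt_m`; only the `else` branch, reached later for the matching upper-half vma, restores it with `mpnt->vm_mirror->vm_mirror = mpnt`. Add a block comment explaining this two-pass handoff and the assumption that both lists are in the same order. Every inconsistency is handled with `BUG_ON()`; consider whether any of these can return an error through the existing `retval`/`goto out` path instead.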
67490 -@@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
67491 - write_unlock(&fs->lock);
67492 - return -EAGAIN;
67493 - }
67494 -- fs->users++;
67495 -+ atomic_inc(&fs->users);
67496 - write_unlock(&fs->lock);
67497 - return 0;
67498 - }
67499 - tsk->fs = copy_fs_struct(fs);
67500 - if (!tsk->fs)
67501 - return -ENOMEM;
67502 -+ gr_set_chroot_entries(tsk, &tsk->fs->root);
67503 - return 0;
67504 - }
67505 -
67506 -@@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(
67507 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67508 - #endif
67509 - retval = -EAGAIN;
67510 -+
67511 -+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67512 -+
67513 - if (atomic_read(&p->real_cred->user->processes) >=
67514 - p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
67515 -- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67516 -- p->real_cred->user != INIT_USER)
67517 -+ if (p->real_cred->user != INIT_USER &&
67518 -+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
67519 - goto bad_fork_free;
67520 - }
67521 -+ current->flags &= ~PF_NPROC_EXCEEDED;
67522 -
67523 - retval = copy_creds(p, clone_flags);
67524 - if (retval < 0)
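Review bot: the reordered condition now tests `p->real_cred->user != INIT_USER` before the two `capable()` calls and swaps `CAP_SYS_RESOURCE` ahead of `CAP_SYS_ADMIN`. `capable()` has side effects (it sets `PF_SUPERPRIV`, and in this patch also goes through `gr_is_capable()`), so the order is behaviour-relevant and deserves a comment. Two smaller points: `gr_learn_resource()` does its own `atomic_read()` of `user->processes`, so the value it records can differ from the one the limit check sees; read it once into a local. And `current->flags &= ~PF_NPROC_EXCEEDED;` is added with no comment saying where the flag is set or why it is cleared here.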
67525 -@@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(
67526 - goto bad_fork_free_pid;
67527 - }
67528 -
67529 -+ gr_copy_label(p);
67530 -+
67531 - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67532 - /*
67533 - * Clear TID on mm_release()?
67534 -@@ -1333,6 +1366,8 @@ bad_fork_cleanup_count:
67535 - bad_fork_free:
67536 - free_task(p);
67537 - fork_out:
67538 -+ gr_log_forkfail(retval);
67539 -+
67540 - return ERR_PTR(retval);
67541 - }
67542 -
67543 -@@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags,
67544 - if (clone_flags & CLONE_PARENT_SETTID)
67545 - put_user(nr, parent_tidptr);
67546 -
67547 -+ gr_handle_brute_check();
67548 -+
67549 - if (clone_flags & CLONE_VFORK) {
67550 - p->vfork_done = &vfork;
67551 - init_completion(&vfork);
67552 -@@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unsh
67553 - return 0;
67554 -
67555 - /* don't need lock here; in the worst case we'll do useless copy */
67556 -- if (fs->users == 1)
67557 -+ if (atomic_read(&fs->users) == 1)
67558 - return 0;
67559 -
67560 - *new_fsp = copy_fs_struct(fs);
67561 -@@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67562 - fs = current->fs;
67563 - write_lock(&fs->lock);
67564 - current->fs = new_fs;
67565 -- if (--fs->users)
67566 -+ gr_set_chroot_entries(current, &current->fs->root);
67567 -+ if (atomic_dec_return(&fs->users))
67568 - new_fs = NULL;
67569 - else
67570 - new_fs = fs;
67571 -diff -urNp linux-2.6.32.46/kernel/futex.c linux-2.6.32.46/kernel/futex.c
67572 ---- linux-2.6.32.46/kernel/futex.c 2011-08-29 22:24:44.000000000 -0400
67573 -+++ linux-2.6.32.46/kernel/futex.c 2011-08-29 22:25:07.000000000 -0400
67574 -@@ -54,6 +54,7 @@
67575 - #include <linux/mount.h>
67576 - #include <linux/pagemap.h>
67577 - #include <linux/syscalls.h>
67578 -+#include <linux/ptrace.h>
67579 - #include <linux/signal.h>
67580 - #include <linux/module.h>
67581 - #include <linux/magic.h>
67582 -@@ -223,6 +224,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67583 - struct page *page;
67584 - int err, ro = 0;
67585 -
67586 -+#ifdef CONFIG_PAX_SEGMEXEC
67587 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
67588 -+ return -EFAULT;
67589 -+#endif
67590 -+
67591 - /*
67592 - * The futex address must be "naturally" aligned.
67593 - */
67594 -@@ -1819,6 +1825,8 @@ static int futex_wait(u32 __user *uaddr,
67595 - struct futex_q q;
67596 - int ret;
67597 -
67598 -+ pax_track_stack();
67599 -+
67600 - if (!bitset)
67601 - return -EINVAL;
67602 -
67603 -@@ -1871,7 +1879,7 @@ retry:
67604 -
67605 - restart = &current_thread_info()->restart_block;
67606 - restart->fn = futex_wait_restart;
67607 -- restart->futex.uaddr = (u32 *)uaddr;
67608 -+ restart->futex.uaddr = uaddr;
67609 - restart->futex.val = val;
67610 - restart->futex.time = abs_time->tv64;
67611 - restart->futex.bitset = bitset;
67612 -@@ -2233,6 +2241,8 @@ static int futex_wait_requeue_pi(u32 __u
67613 - struct futex_q q;
67614 - int res, ret;
67615 -
67616 -+ pax_track_stack();
67617 -+
67618 - if (!bitset)
67619 - return -EINVAL;
67620 -
67621 -@@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67622 - {
67623 - struct robust_list_head __user *head;
67624 - unsigned long ret;
67625 -+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67626 - const struct cred *cred = current_cred(), *pcred;
67627 -+#endif
67628 -
67629 - if (!futex_cmpxchg_enabled)
67630 - return -ENOSYS;
67631 -@@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67632 - if (!p)
67633 - goto err_unlock;
67634 - ret = -EPERM;
67635 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67636 -+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
67637 -+ goto err_unlock;
67638 -+#else
67639 - pcred = __task_cred(p);
67640 - if (cred->euid != pcred->euid &&
67641 - cred->euid != pcred->uid &&
67642 - !capable(CAP_SYS_PTRACE))
67643 - goto err_unlock;
67644 -+#endif
67645 - head = p->robust_list;
67646 - rcu_read_unlock();
67647 - }
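Review bot: the stricter `ptrace_may_access(p, PTRACE_MODE_READ)` check for `get_robust_list` is gated on `CONFIG_GRKERNSEC_PROC_MEMMAP`, an option whose name gives no hint that it changes futex permissions, and the same `#ifdef`/`#else` pair is repeated in kernel/futex_compat.c. Put the permission check in one static inline helper shared by both files, and document in the option's help text that it covers this syscall.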
67648 -@@ -2489,7 +2506,7 @@ retry:
67649 - */
67650 - static inline int fetch_robust_entry(struct robust_list __user **entry,
67651 - struct robust_list __user * __user *head,
67652 -- int *pi)
67653 -+ unsigned int *pi)
67654 - {
67655 - unsigned long uentry;
67656 -
67657 -@@ -2670,6 +2687,7 @@ static int __init futex_init(void)
67658 - {
67659 - u32 curval;
67660 - int i;
67661 -+ mm_segment_t oldfs;
67662 -
67663 - /*
67664 - * This will fail and we want it. Some arch implementations do
67665 -@@ -2681,7 +2699,10 @@ static int __init futex_init(void)
67666 - * implementation, the non functional ones will return
67667 - * -ENOSYS.
67668 - */
67669 -+ oldfs = get_fs();
67670 -+ set_fs(USER_DS);
67671 - curval = cmpxchg_futex_value_locked(NULL, 0, 0);
67672 -+ set_fs(oldfs);
67673 - if (curval == -EFAULT)
67674 - futex_cmpxchg_enabled = 1;
67675 -
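Review bot: the set_fs(USER_DS) / set_fs(oldfs) pair around cmpxchg_futex_value_locked(NULL, 0, 0) in futex_init() is unexplained. The existing comment only says the call "will fail and we want it"; add a sentence on why the probe has to run with the user segment limit in place, since the `curval == -EFAULT` test immediately after depends on it.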
67676 -diff -urNp linux-2.6.32.46/kernel/futex_compat.c linux-2.6.32.46/kernel/futex_compat.c
67677 ---- linux-2.6.32.46/kernel/futex_compat.c 2011-03-27 14:31:47.000000000 -0400
67678 -+++ linux-2.6.32.46/kernel/futex_compat.c 2011-04-17 15:56:46.000000000 -0400
67679 -@@ -10,6 +10,7 @@
67680 - #include <linux/compat.h>
67681 - #include <linux/nsproxy.h>
67682 - #include <linux/futex.h>
67683 -+#include <linux/ptrace.h>
67684 -
67685 - #include <asm/uaccess.h>
67686 -
67687 -@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
67688 - {
67689 - struct compat_robust_list_head __user *head;
67690 - unsigned long ret;
67691 -- const struct cred *cred = current_cred(), *pcred;
67692 -+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67693 -+ const struct cred *cred = current_cred();
67694 -+ const struct cred *pcred;
67695 -+#endif
67696 -
67697 - if (!futex_cmpxchg_enabled)
67698 - return -ENOSYS;
67699 -@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
67700 - if (!p)
67701 - goto err_unlock;
67702 - ret = -EPERM;
67703 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67704 -+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
67705 -+ goto err_unlock;
67706 -+#else
67707 - pcred = __task_cred(p);
67708 - if (cred->euid != pcred->euid &&
67709 - cred->euid != pcred->uid &&
67710 - !capable(CAP_SYS_PTRACE))
67711 - goto err_unlock;
67712 -+#endif
67713 - head = p->compat_robust_list;
67714 - read_unlock(&tasklist_lock);
67715 - }
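Review bot: the `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` / `#else` block in compat_sys_get_robust_list() is a copy of the one added to get_robust_list() in kernel/futex.c, down to the euid/uid/CAP_SYS_PTRACE fallback. Two copies of an access check tend to drift, so a small shared helper taking the task would keep the native and compat paths in step. The helper should also state its locking expectations, because here the check runs under read_lock(&tasklist_lock) while the native path ends with rcu_read_unlock().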
67716 -diff -urNp linux-2.6.32.46/kernel/gcov/base.c linux-2.6.32.46/kernel/gcov/base.c
67717 ---- linux-2.6.32.46/kernel/gcov/base.c 2011-03-27 14:31:47.000000000 -0400
67718 -+++ linux-2.6.32.46/kernel/gcov/base.c 2011-04-17 15:56:46.000000000 -0400
67719 -@@ -102,11 +102,6 @@ void gcov_enable_events(void)
67720 - }
67721 -
67722 - #ifdef CONFIG_MODULES
67723 --static inline int within(void *addr, void *start, unsigned long size)
67724 --{
67725 -- return ((addr >= start) && (addr < start + size));
67726 --}
67727 --
67728 - /* Update list and generate events when modules are unloaded. */
67729 - static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
67730 - void *data)
67731 -@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
67732 - prev = NULL;
67733 - /* Remove entries located in module from linked list. */
67734 - for (info = gcov_info_head; info; info = info->next) {
67735 -- if (within(info, mod->module_core, mod->core_size)) {
67736 -+ if (within_module_core_rw((unsigned long)info, mod)) {
67737 - if (prev)
67738 - prev->next = info->next;
67739 - else
67740 -diff -urNp linux-2.6.32.46/kernel/hrtimer.c linux-2.6.32.46/kernel/hrtimer.c
67741 ---- linux-2.6.32.46/kernel/hrtimer.c 2011-03-27 14:31:47.000000000 -0400
67742 -+++ linux-2.6.32.46/kernel/hrtimer.c 2011-04-17 15:56:46.000000000 -0400
67743 -@@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
67744 - local_irq_restore(flags);
67745 - }
67746 -
67747 --static void run_hrtimer_softirq(struct softirq_action *h)
67748 -+static void run_hrtimer_softirq(void)
67749 - {
67750 - hrtimer_peek_ahead_timers();
67751 - }
67752 -diff -urNp linux-2.6.32.46/kernel/kallsyms.c linux-2.6.32.46/kernel/kallsyms.c
67753 ---- linux-2.6.32.46/kernel/kallsyms.c 2011-03-27 14:31:47.000000000 -0400
67754 -+++ linux-2.6.32.46/kernel/kallsyms.c 2011-04-17 15:56:46.000000000 -0400
67755 -@@ -11,6 +11,9 @@
67756 - * Changed the compression method from stem compression to "table lookup"
67757 - * compression (see scripts/kallsyms.c for a more complete description)
67758 - */
67759 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
67760 -+#define __INCLUDED_BY_HIDESYM 1
67761 -+#endif
67762 - #include <linux/kallsyms.h>
67763 - #include <linux/module.h>
67764 - #include <linux/init.h>
67765 -@@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
67766 -
67767 - static inline int is_kernel_inittext(unsigned long addr)
67768 - {
67769 -+ if (system_state != SYSTEM_BOOTING)
67770 -+ return 0;
67771 -+
67772 - if (addr >= (unsigned long)_sinittext
67773 - && addr <= (unsigned long)_einittext)
67774 - return 1;
67775 - return 0;
67776 - }
67777 -
67778 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67779 -+#ifdef CONFIG_MODULES
67780 -+static inline int is_module_text(unsigned long addr)
67781 -+{
67782 -+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
67783 -+ return 1;
67784 -+
67785 -+ addr = ktla_ktva(addr);
67786 -+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
67787 -+}
67788 -+#else
67789 -+static inline int is_module_text(unsigned long addr)
67790 -+{
67791 -+ return 0;
67792 -+}
67793 -+#endif
67794 -+#endif
67795 -+
67796 - static inline int is_kernel_text(unsigned long addr)
67797 - {
67798 - if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
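Review bot: is_kernel_inittext() now returns 0 whenever `system_state != SYSTEM_BOOTING`, with no comment on why init text stops counting as kernel text after boot; say so next to the new test. In the new is_module_text(), both comparisons treat MODULES_EXEC_END as inclusive (`addr <= (unsigned long)MODULES_EXEC_END`); confirm whether that macro names the last valid byte or one past it, and note which in a comment.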
67799 -@@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
67800 -
67801 - static inline int is_kernel(unsigned long addr)
67802 - {
67803 -+
67804 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67805 -+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
67806 -+ return 1;
67807 -+
67808 -+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
67809 -+#else
67810 - if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
67811 -+#endif
67812 -+
67813 - return 1;
67814 - return in_gate_area_no_task(addr);
67815 - }
67816 -
67817 - static int is_ksym_addr(unsigned long addr)
67818 - {
67819 -+
67820 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
67821 -+ if (is_module_text(addr))
67822 -+ return 0;
67823 -+#endif
67824 -+
67825 - if (all_var)
67826 - return is_kernel(addr);
67827 -
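Review bot: in is_kernel() the `#if`/`#else` splits an `if` condition from its `return 1;` body, so the statement being returned from is only visible after reading both preprocessor branches. Compute the range test into a local or give each branch its own complete `if (...) return 1;`. The two branches also disagree on the upper bound: the KERNEXEC one uses `addr < (unsigned long)_end` and the original uses `addr <= (unsigned long)_end`; make them consistent or comment on the difference. The blank lines added directly after the opening brace in is_kernel() and is_ksym_addr() can go.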
67828 -@@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
67829 -
67830 - static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
67831 - {
67832 -- iter->name[0] = '\0';
67833 - iter->nameoff = get_symbol_offset(new_pos);
67834 - iter->pos = new_pos;
67835 - }
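Review bot: removing `iter->name[0] = '\0';` from reset_iter() leaves the name field initialised only by the allocation in kallsyms_open(), which a later hunk switches to kzalloc(). Any reset after the first one then keeps the previous symbol name in the buffer. If that is intended, say so in a comment on reset_iter(); otherwise keep the explicit clear.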
67836 -@@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
67837 - {
67838 - struct kallsym_iter *iter = m->private;
67839 -
67840 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
67841 -+ if (current_uid())
67842 -+ return 0;
67843 -+#endif
67844 -+
67845 - /* Some debugging symbols have no name. Ignore them. */
67846 - if (!iter->name[0])
67847 - return 0;
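Review bot: under CONFIG_GRKERNSEC_HIDESYM, s_show() filters on a bare `current_uid()` at read time. That ignores capabilities, it evaluates whoever calls read rather than whoever opened the file, and `return 0` produces an empty listing instead of an error. Consider doing the check in kallsyms_open() and returning an errno, or document why a silently empty file is the preferred result.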
67848 -@@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
67849 - struct kallsym_iter *iter;
67850 - int ret;
67851 -
67852 -- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
67853 -+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
67854 - if (!iter)
67855 - return -ENOMEM;
67856 - reset_iter(iter, 0);
67857 -diff -urNp linux-2.6.32.46/kernel/kexec.c linux-2.6.32.46/kernel/kexec.c
67858 ---- linux-2.6.32.46/kernel/kexec.c 2011-03-27 14:31:47.000000000 -0400
67859 -+++ linux-2.6.32.46/kernel/kexec.c 2011-10-06 09:37:14.000000000 -0400
67860 -@@ -1028,7 +1028,8 @@ asmlinkage long compat_sys_kexec_load(un
67861 - unsigned long flags)
67862 - {
67863 - struct compat_kexec_segment in;
67864 -- struct kexec_segment out, __user *ksegments;
67865 -+ struct kexec_segment out;
67866 -+ struct kexec_segment __user *ksegments;
67867 - unsigned long i, result;
67868 -
67869 - /* Don't allow clients that don't understand the native
67870 -diff -urNp linux-2.6.32.46/kernel/kgdb.c linux-2.6.32.46/kernel/kgdb.c
67871 ---- linux-2.6.32.46/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
67872 -+++ linux-2.6.32.46/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
67873 -@@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
67874 - /* Guard for recursive entry */
67875 - static int exception_level;
67876 -
67877 --static struct kgdb_io *kgdb_io_ops;
67878 -+static const struct kgdb_io *kgdb_io_ops;
67879 - static DEFINE_SPINLOCK(kgdb_registration_lock);
67880 -
67881 - /* kgdb console driver is loaded */
67882 -@@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
67883 - */
67884 - static atomic_t passive_cpu_wait[NR_CPUS];
67885 - static atomic_t cpu_in_kgdb[NR_CPUS];
67886 --atomic_t kgdb_setting_breakpoint;
67887 -+atomic_unchecked_t kgdb_setting_breakpoint;
67888 -
67889 - struct task_struct *kgdb_usethread;
67890 - struct task_struct *kgdb_contthread;
67891 -@@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
67892 - sizeof(unsigned long)];
67893 -
67894 - /* to keep track of the CPU which is doing the single stepping*/
67895 --atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67896 -+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67897 -
67898 - /*
67899 - * If you are debugging a problem where roundup (the collection of
67900 -@@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
67901 - return 0;
67902 - if (kgdb_connected)
67903 - return 1;
67904 -- if (atomic_read(&kgdb_setting_breakpoint))
67905 -+ if (atomic_read_unchecked(&kgdb_setting_breakpoint))
67906 - return 1;
67907 - if (print_wait)
67908 - printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
67909 -@@ -1426,8 +1426,8 @@ acquirelock:
67910 - * instance of the exception handler wanted to come into the
67911 - * debugger on a different CPU via a single step
67912 - */
67913 -- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67914 -- atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
67915 -+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67916 -+ atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
67917 -
67918 - atomic_set(&kgdb_active, -1);
67919 - touch_softlockup_watchdog();
67920 -@@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
67921 - *
67922 - * Register it with the KGDB core.
67923 - */
67924 --int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
67925 -+int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
67926 - {
67927 - int err;
67928 -
67929 -@@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67930 - *
67931 - * Unregister it with the KGDB core.
67932 - */
67933 --void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
67934 -+void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
67935 - {
67936 - BUG_ON(kgdb_connected);
67937 -
67938 -@@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
67939 - */
67940 - void kgdb_breakpoint(void)
67941 - {
67942 -- atomic_set(&kgdb_setting_breakpoint, 1);
67943 -+ atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
67944 - wmb(); /* Sync point before breakpoint */
67945 - arch_kgdb_breakpoint();
67946 - wmb(); /* Sync point after breakpoint */
67947 -- atomic_set(&kgdb_setting_breakpoint, 0);
67948 -+ atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
67949 - }
67950 - EXPORT_SYMBOL_GPL(kgdb_breakpoint);
67951 -
67952 -diff -urNp linux-2.6.32.46/kernel/kmod.c linux-2.6.32.46/kernel/kmod.c
67953 ---- linux-2.6.32.46/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
67954 -+++ linux-2.6.32.46/kernel/kmod.c 2011-10-06 09:37:14.000000000 -0400
67955 -@@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
67956 - * If module auto-loading support is disabled then this function
67957 - * becomes a no-operation.
67958 - */
67959 --int __request_module(bool wait, const char *fmt, ...)
67960 -+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
67961 - {
67962 -- va_list args;
67963 - char module_name[MODULE_NAME_LEN];
67964 - unsigned int max_modprobes;
67965 - int ret;
67966 -- char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
67967 -+ char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
67968 - static char *envp[] = { "HOME=/",
67969 - "TERM=linux",
67970 - "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
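Review bot: argv[] now carries `module_param` ahead of the terminating NULL, and __request_module() passes NULL for it on the uid 0 path, so in that case the array simply ends one slot early. That works, but it is implicit; add a comment on the initialiser saying module_param may be NULL and that the trailing NULL is then unused.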
67971 -@@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
67972 - if (ret)
67973 - return ret;
67974 -
67975 -- va_start(args, fmt);
67976 -- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
67977 -- va_end(args);
67978 -+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
67979 - if (ret >= MODULE_NAME_LEN)
67980 - return -ENAMETOOLONG;
67981 -
67982 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
67983 -+ if (!current_uid()) {
67984 -+ /* hack to workaround consolekit/udisks stupidity */
67985 -+ read_lock(&tasklist_lock);
67986 -+ if (!strcmp(current->comm, "mount") &&
67987 -+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
67988 -+ read_unlock(&tasklist_lock);
67989 -+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
67990 -+ return -EPERM;
67991 -+ }
67992 -+ read_unlock(&tasklist_lock);
67993 -+ }
67994 -+#endif
67995 -+
67996 - /* If modprobe needs a service that is in a module, we get a recursive
67997 - * loop. Limit the number of running kmod threads to max_threads/2 or
67998 - * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
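Review bot: the MODHARDEN denial keys on task names, `current->comm` equal to "mount" and a parent comm starting with "udisk". comm is a short label rather than an identity, so the rule can miss the case it targets or trip on an unrelated binary with the same name. The comment calls it a hack but should name the exact behaviour being blocked and what condition would let the string match be removed.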
67999 -@@ -121,6 +132,48 @@ int __request_module(bool wait, const ch
68000 - atomic_dec(&kmod_concurrent);
68001 - return ret;
68002 - }
68003 -+
68004 -+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
68005 -+{
68006 -+ va_list args;
68007 -+ int ret;
68008 -+
68009 -+ va_start(args, fmt);
68010 -+ ret = ____request_module(wait, module_param, fmt, args);
68011 -+ va_end(args);
68012 -+
68013 -+ return ret;
68014 -+}
68015 -+
68016 -+int __request_module(bool wait, const char *fmt, ...)
68017 -+{
68018 -+ va_list args;
68019 -+ int ret;
68020 -+
68021 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
68022 -+ if (current_uid()) {
68023 -+ char module_param[MODULE_NAME_LEN];
68024 -+
68025 -+ memset(module_param, 0, sizeof(module_param));
68026 -+
68027 -+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
68028 -+
68029 -+ va_start(args, fmt);
68030 -+ ret = ____request_module(wait, module_param, fmt, args);
68031 -+ va_end(args);
68032 -+
68033 -+ return ret;
68034 -+ }
68035 -+#endif
68036 -+
68037 -+ va_start(args, fmt);
68038 -+ ret = ____request_module(wait, NULL, fmt, args);
68039 -+ va_end(args);
68040 -+
68041 -+ return ret;
68042 -+}
68043 -+
68044 -+
68045 - EXPORT_SYMBOL(__request_module);
68046 - #endif /* CONFIG_MODULES */
68047 -
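Review bot: three entry points now differ only by underscore count (`__request_module`, `___request_module`, `____request_module`), which is easy to misread at call sites; give the two new ones descriptive names. `___request_module` is non-static but only `__request_module` gets EXPORT_SYMBOL, so state whether it is meant for built-in callers only. In the MODHARDEN branch the memset() together with `sizeof(module_param) - 1` is redundant, since snprintf() already NUL-terminates within the size it is given. There is also a stray double blank line before EXPORT_SYMBOL.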
68048 -@@ -226,7 +279,7 @@ static int wait_for_helper(void *data)
68049 - *
68050 - * Thus the __user pointer cast is valid here.
68051 - */
68052 -- sys_wait4(pid, (int __user *)&ret, 0, NULL);
68053 -+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
68054 -
68055 - /*
68056 - * If ret is 0, either ____call_usermodehelper failed and the
68057 -diff -urNp linux-2.6.32.46/kernel/kprobes.c linux-2.6.32.46/kernel/kprobes.c
68058 ---- linux-2.6.32.46/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
68059 -+++ linux-2.6.32.46/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
68060 -@@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
68061 - * kernel image and loaded module images reside. This is required
68062 - * so x86_64 can correctly handle the %rip-relative fixups.
68063 - */
68064 -- kip->insns = module_alloc(PAGE_SIZE);
68065 -+ kip->insns = module_alloc_exec(PAGE_SIZE);
68066 - if (!kip->insns) {
68067 - kfree(kip);
68068 - return NULL;
68069 -@@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
68070 - */
68071 - if (!list_is_singular(&kprobe_insn_pages)) {
68072 - list_del(&kip->list);
68073 -- module_free(NULL, kip->insns);
68074 -+ module_free_exec(NULL, kip->insns);
68075 - kfree(kip);
68076 - }
68077 - return 1;
68078 -@@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
68079 - {
68080 - int i, err = 0;
68081 - unsigned long offset = 0, size = 0;
68082 -- char *modname, namebuf[128];
68083 -+ char *modname, namebuf[KSYM_NAME_LEN];
68084 - const char *symbol_name;
68085 - void *addr;
68086 - struct kprobe_blackpoint *kb;
68087 -@@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
68088 - const char *sym = NULL;
68089 - unsigned int i = *(loff_t *) v;
68090 - unsigned long offset = 0;
68091 -- char *modname, namebuf[128];
68092 -+ char *modname, namebuf[KSYM_NAME_LEN];
68093 -
68094 - head = &kprobe_table[i];
68095 - preempt_disable();
68096 -diff -urNp linux-2.6.32.46/kernel/lockdep.c linux-2.6.32.46/kernel/lockdep.c
68097 ---- linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:55:35.000000000 -0400
68098 -+++ linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:56:37.000000000 -0400
68099 -@@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
68100 - /*
68101 - * Various lockdep statistics:
68102 - */
68103 --atomic_t chain_lookup_hits;
68104 --atomic_t chain_lookup_misses;
68105 --atomic_t hardirqs_on_events;
68106 --atomic_t hardirqs_off_events;
68107 --atomic_t redundant_hardirqs_on;
68108 --atomic_t redundant_hardirqs_off;
68109 --atomic_t softirqs_on_events;
68110 --atomic_t softirqs_off_events;
68111 --atomic_t redundant_softirqs_on;
68112 --atomic_t redundant_softirqs_off;
68113 --atomic_t nr_unused_locks;
68114 --atomic_t nr_cyclic_checks;
68115 --atomic_t nr_find_usage_forwards_checks;
68116 --atomic_t nr_find_usage_backwards_checks;
68117 -+atomic_unchecked_t chain_lookup_hits;
68118 -+atomic_unchecked_t chain_lookup_misses;
68119 -+atomic_unchecked_t hardirqs_on_events;
68120 -+atomic_unchecked_t hardirqs_off_events;
68121 -+atomic_unchecked_t redundant_hardirqs_on;
68122 -+atomic_unchecked_t redundant_hardirqs_off;
68123 -+atomic_unchecked_t softirqs_on_events;
68124 -+atomic_unchecked_t softirqs_off_events;
68125 -+atomic_unchecked_t redundant_softirqs_on;
68126 -+atomic_unchecked_t redundant_softirqs_off;
68127 -+atomic_unchecked_t nr_unused_locks;
68128 -+atomic_unchecked_t nr_cyclic_checks;
68129 -+atomic_unchecked_t nr_find_usage_forwards_checks;
68130 -+atomic_unchecked_t nr_find_usage_backwards_checks;
68131 - #endif
68132 -
68133 - /*
68134 -@@ -577,6 +577,10 @@ static int static_obj(void *obj)
68135 - int i;
68136 - #endif
68137 -
68138 -+#ifdef CONFIG_PAX_KERNEXEC
68139 -+ start = ktla_ktva(start);
68140 -+#endif
68141 -+
68142 - /*
68143 - * static variable?
68144 - */
68145 -@@ -592,8 +596,7 @@ static int static_obj(void *obj)
68146 - */
68147 - for_each_possible_cpu(i) {
68148 - start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
68149 -- end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
68150 -- + per_cpu_offset(i);
68151 -+ end = start + PERCPU_ENOUGH_ROOM;
68152 -
68153 - if ((addr >= start) && (addr < end))
68154 - return 1;
68155 -@@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
68156 - if (!static_obj(lock->key)) {
68157 - debug_locks_off();
68158 - printk("INFO: trying to register non-static key.\n");
68159 -+ printk("lock:%pS key:%pS.\n", lock, lock->key);
68160 - printk("the code is fine but needs lockdep annotation.\n");
68161 - printk("turning off the locking correctness validator.\n");
68162 - dump_stack();
68163 -@@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
68164 - if (!class)
68165 - return 0;
68166 - }
68167 -- debug_atomic_inc((atomic_t *)&class->ops);
68168 -+ debug_atomic_inc((atomic_unchecked_t *)&class->ops);
68169 - if (very_verbose(class)) {
68170 - printk("\nacquire class [%p] %s", class->key, class->name);
68171 - if (class->name_version > 1)
68172 -diff -urNp linux-2.6.32.46/kernel/lockdep_internals.h linux-2.6.32.46/kernel/lockdep_internals.h
68173 ---- linux-2.6.32.46/kernel/lockdep_internals.h 2011-03-27 14:31:47.000000000 -0400
68174 -+++ linux-2.6.32.46/kernel/lockdep_internals.h 2011-04-17 15:56:46.000000000 -0400
68175 -@@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
68176 - /*
68177 - * Various lockdep statistics:
68178 - */
68179 --extern atomic_t chain_lookup_hits;
68180 --extern atomic_t chain_lookup_misses;
68181 --extern atomic_t hardirqs_on_events;
68182 --extern atomic_t hardirqs_off_events;
68183 --extern atomic_t redundant_hardirqs_on;
68184 --extern atomic_t redundant_hardirqs_off;
68185 --extern atomic_t softirqs_on_events;
68186 --extern atomic_t softirqs_off_events;
68187 --extern atomic_t redundant_softirqs_on;
68188 --extern atomic_t redundant_softirqs_off;
68189 --extern atomic_t nr_unused_locks;
68190 --extern atomic_t nr_cyclic_checks;
68191 --extern atomic_t nr_cyclic_check_recursions;
68192 --extern atomic_t nr_find_usage_forwards_checks;
68193 --extern atomic_t nr_find_usage_forwards_recursions;
68194 --extern atomic_t nr_find_usage_backwards_checks;
68195 --extern atomic_t nr_find_usage_backwards_recursions;
68196 --# define debug_atomic_inc(ptr) atomic_inc(ptr)
68197 --# define debug_atomic_dec(ptr) atomic_dec(ptr)
68198 --# define debug_atomic_read(ptr) atomic_read(ptr)
68199 -+extern atomic_unchecked_t chain_lookup_hits;
68200 -+extern atomic_unchecked_t chain_lookup_misses;
68201 -+extern atomic_unchecked_t hardirqs_on_events;
68202 -+extern atomic_unchecked_t hardirqs_off_events;
68203 -+extern atomic_unchecked_t redundant_hardirqs_on;
68204 -+extern atomic_unchecked_t redundant_hardirqs_off;
68205 -+extern atomic_unchecked_t softirqs_on_events;
68206 -+extern atomic_unchecked_t softirqs_off_events;
68207 -+extern atomic_unchecked_t redundant_softirqs_on;
68208 -+extern atomic_unchecked_t redundant_softirqs_off;
68209 -+extern atomic_unchecked_t nr_unused_locks;
68210 -+extern atomic_unchecked_t nr_cyclic_checks;
68211 -+extern atomic_unchecked_t nr_cyclic_check_recursions;
68212 -+extern atomic_unchecked_t nr_find_usage_forwards_checks;
68213 -+extern atomic_unchecked_t nr_find_usage_forwards_recursions;
68214 -+extern atomic_unchecked_t nr_find_usage_backwards_checks;
68215 -+extern atomic_unchecked_t nr_find_usage_backwards_recursions;
68216 -+# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
68217 -+# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
68218 -+# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
68219 - #else
68220 - # define debug_atomic_inc(ptr) do { } while (0)
68221 - # define debug_atomic_dec(ptr) do { } while (0)
68222 -diff -urNp linux-2.6.32.46/kernel/lockdep_proc.c linux-2.6.32.46/kernel/lockdep_proc.c
68223 ---- linux-2.6.32.46/kernel/lockdep_proc.c 2011-03-27 14:31:47.000000000 -0400
68224 -+++ linux-2.6.32.46/kernel/lockdep_proc.c 2011-04-17 15:56:46.000000000 -0400
68225 -@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68226 -
68227 - static void print_name(struct seq_file *m, struct lock_class *class)
68228 - {
68229 -- char str[128];
68230 -+ char str[KSYM_NAME_LEN];
68231 - const char *name = class->name;
68232 -
68233 - if (!name) {
68234 -diff -urNp linux-2.6.32.46/kernel/module.c linux-2.6.32.46/kernel/module.c
68235 ---- linux-2.6.32.46/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
68236 -+++ linux-2.6.32.46/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
68237 -@@ -55,6 +55,7 @@
68238 - #include <linux/async.h>
68239 - #include <linux/percpu.h>
68240 - #include <linux/kmemleak.h>
68241 -+#include <linux/grsecurity.h>
68242 -
68243 - #define CREATE_TRACE_POINTS
68244 - #include <trace/events/module.h>
68245 -@@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
68246 - static BLOCKING_NOTIFIER_HEAD(module_notify_list);
68247 -
68248 - /* Bounds of module allocation, for speeding __module_address */
68249 --static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68250 -+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68251 -+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68252 -
68253 - int register_module_notifier(struct notifier_block * nb)
68254 - {
68255 -@@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
68256 - return true;
68257 -
68258 - list_for_each_entry_rcu(mod, &modules, list) {
68259 -- struct symsearch arr[] = {
68260 -+ struct symsearch modarr[] = {
68261 - { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68262 - NOT_GPL_ONLY, false },
68263 - { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68264 -@@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
68265 - #endif
68266 - };
68267 -
68268 -- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68269 -+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68270 - return true;
68271 - }
68272 - return false;
68273 -@@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
68274 - void *ptr;
68275 - int cpu;
68276 -
68277 -- if (align > PAGE_SIZE) {
68278 -+ if (align-1 >= PAGE_SIZE) {
68279 - printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68280 - name, align, PAGE_SIZE);
68281 - align = PAGE_SIZE;
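Review bot: `align-1 >= PAGE_SIZE` does more than the `align > PAGE_SIZE` it replaces: if align is unsigned, a value of 0 wraps and is caught as well. That is not obvious from the expression, and the warning still prints "per-cpu alignment %li > %li", which is misleading for the zero case. Add a comment, or test `align == 0` explicitly and adjust the message.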
68282 -@@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
68283 - * /sys/module/foo/sections stuff
68284 - * J. Corbet <corbet@×××.net>
68285 - */
68286 --#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
68287 -+#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68288 -
68289 - static inline bool sect_empty(const Elf_Shdr *sect)
68290 - {
68291 -@@ -1545,7 +1547,8 @@ static void free_module(struct module *m
68292 - destroy_params(mod->kp, mod->num_kp);
68293 -
68294 - /* This may be NULL, but that's OK */
68295 -- module_free(mod, mod->module_init);
68296 -+ module_free(mod, mod->module_init_rw);
68297 -+ module_free_exec(mod, mod->module_init_rx);
68298 - kfree(mod->args);
68299 - if (mod->percpu)
68300 - percpu_modfree(mod->percpu);
68301 -@@ -1554,10 +1557,12 @@ static void free_module(struct module *m
68302 - percpu_modfree(mod->refptr);
68303 - #endif
68304 - /* Free lock-classes: */
68305 -- lockdep_free_key_range(mod->module_core, mod->core_size);
68306 -+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68307 -+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68308 -
68309 - /* Finally, free the core (containing the module structure) */
68310 -- module_free(mod, mod->module_core);
68311 -+ module_free_exec(mod, mod->module_core_rx);
68312 -+ module_free(mod, mod->module_core_rw);
68313 -
68314 - #ifdef CONFIG_MPU
68315 - update_protections(current->mm);
68316 -@@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
68317 - unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
68318 - int ret = 0;
68319 - const struct kernel_symbol *ksym;
68320 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
68321 -+ int is_fs_load = 0;
68322 -+ int register_filesystem_found = 0;
68323 -+ char *p;
68324 -+
68325 -+ p = strstr(mod->args, "grsec_modharden_fs");
68326 -+
68327 -+ if (p) {
68328 -+ char *endptr = p + strlen("grsec_modharden_fs");
68329 -+ /* copy \0 as well */
68330 -+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68331 -+ is_fs_load = 1;
68332 -+ }
68333 -+#endif
68334 -+
68335 -
68336 - for (i = 1; i < n; i++) {
68337 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
68338 -+ const char *name = strtab + sym[i].st_name;
68339 -+
68340 -+ /* it's a real shame this will never get ripped and copied
68341 -+ upstream! ;(
68342 -+ */
68343 -+ if (is_fs_load && !strcmp(name, "register_filesystem"))
68344 -+ register_filesystem_found = 1;
68345 -+#endif
68346 - switch (sym[i].st_shndx) {
68347 - case SHN_COMMON:
68348 - /* We compiled with -fno-common. These are not
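Review bot: the "grsec_modharden_fs" marker is located with strstr() over the whole of mod->args and cut out with memmove(), so it matches anywhere in the string, including inside a longer token, and the module arguments are rewritten in place as a side effect of symbol resolution. Parsing it as a distinct argument before simplify_symbols() runs would be cleaner and easier to audit. The in-loop comment ("it's a real shame this will never get ripped and copied upstream") explains nothing; replace it with why a load triggered through mount must reference register_filesystem.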
68349 -@@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
68350 - strtab + sym[i].st_name, mod);
68351 - /* Ok if resolved. */
68352 - if (ksym) {
68353 -+ pax_open_kernel();
68354 - sym[i].st_value = ksym->value;
68355 -+ pax_close_kernel();
68356 - break;
68357 - }
68358 -
68359 -@@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
68360 - secbase = (unsigned long)mod->percpu;
68361 - else
68362 - secbase = sechdrs[sym[i].st_shndx].sh_addr;
68363 -+ pax_open_kernel();
68364 - sym[i].st_value += secbase;
68365 -+ pax_close_kernel();
68366 - break;
68367 - }
68368 - }
68369 -
68370 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
68371 -+ if (is_fs_load && !register_filesystem_found) {
68372 -+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68373 -+ ret = -EPERM;
68374 -+ }
68375 -+#endif
68376 -+
68377 - return ret;
68378 - }
68379 -
68380 -@@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
68381 - || s->sh_entsize != ~0UL
68382 - || strstarts(secstrings + s->sh_name, ".init"))
68383 - continue;
68384 -- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68385 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68386 -+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68387 -+ else
68388 -+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68389 - DEBUGP("\t%s\n", secstrings + s->sh_name);
68390 - }
68391 -- if (m == 0)
68392 -- mod->core_text_size = mod->core_size;
68393 - }
68394 -
68395 - DEBUGP("Init section allocation order:\n");
68396 -@@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
68397 - || s->sh_entsize != ~0UL
68398 - || !strstarts(secstrings + s->sh_name, ".init"))
68399 - continue;
68400 -- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68401 -- | INIT_OFFSET_MASK);
68402 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68403 -+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68404 -+ else
68405 -+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68406 -+ s->sh_entsize |= INIT_OFFSET_MASK;
68407 - DEBUGP("\t%s\n", secstrings + s->sh_name);
68408 - }
68409 -- if (m == 0)
68410 -- mod->init_text_size = mod->init_size;
68411 - }
68412 - }
68413 -
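Review bot: the rw/rx placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` appears verbatim in both the core and the init loop of layout_sections(). Move it into a small helper with a comment on why non-ALLOC sections are placed on the rw side, so the two layouts cannot diverge. With the `if (m == 0)` assignments removed, also confirm that nothing still reads core_text_size or init_text_size.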
68414 -@@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
68415 -
68416 - /* As per nm */
68417 - static char elf_type(const Elf_Sym *sym,
68418 -- Elf_Shdr *sechdrs,
68419 -- const char *secstrings,
68420 -- struct module *mod)
68421 -+ const Elf_Shdr *sechdrs,
68422 -+ const char *secstrings)
68423 - {
68424 - if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
68425 - if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
68426 -@@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
68427 -
68428 - /* Put symbol section at end of init part of module. */
68429 - symsect->sh_flags |= SHF_ALLOC;
68430 -- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68431 -+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68432 - symindex) | INIT_OFFSET_MASK;
68433 - DEBUGP("\t%s\n", secstrings + symsect->sh_name);
68434 -
68435 -@@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
68436 - }
68437 -
68438 - /* Append room for core symbols at end of core part. */
68439 -- symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68440 -- mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
68441 -+ symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68442 -+ mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
68443 -
68444 - /* Put string table section at end of init part of module. */
68445 - strsect->sh_flags |= SHF_ALLOC;
68446 -- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68447 -+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68448 - strindex) | INIT_OFFSET_MASK;
68449 - DEBUGP("\t%s\n", secstrings + strsect->sh_name);
68450 -
68451 - /* Append room for core symbols' strings at end of core part. */
68452 -- *pstroffs = mod->core_size;
68453 -+ *pstroffs = mod->core_size_rx;
68454 - __set_bit(0, strmap);
68455 -- mod->core_size += bitmap_weight(strmap, strsect->sh_size);
68456 -+ mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
68457 -
68458 - return symoffs;
68459 - }
68460 -@@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
68461 - mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
68462 - mod->strtab = (void *)sechdrs[strindex].sh_addr;
68463 -
68464 -+ pax_open_kernel();
68465 -+
68466 - /* Set types up while we still have access to sections. */
68467 - for (i = 0; i < mod->num_symtab; i++)
68468 - mod->symtab[i].st_info
68469 -- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
68470 -+ = elf_type(&mod->symtab[i], sechdrs, secstrings);
68471 -
68472 -- mod->core_symtab = dst = mod->module_core + symoffs;
68473 -+ mod->core_symtab = dst = mod->module_core_rx + symoffs;
68474 - src = mod->symtab;
68475 - *dst = *src;
68476 - for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68477 -@@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
68478 - }
68479 - mod->core_num_syms = ndst;
68480 -
68481 -- mod->core_strtab = s = mod->module_core + stroffs;
68482 -+ mod->core_strtab = s = mod->module_core_rx + stroffs;
68483 - for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
68484 - if (test_bit(i, strmap))
68485 - *++s = mod->strtab[i];
68486 -+
68487 -+ pax_close_kernel();
68488 - }
68489 - #else
68490 - static inline unsigned long layout_symtab(struct module *mod,
68491 -@@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
68492 - #endif
68493 - }
68494 -
68495 --static void *module_alloc_update_bounds(unsigned long size)
68496 -+static void *module_alloc_update_bounds_rw(unsigned long size)
68497 - {
68498 - void *ret = module_alloc(size);
68499 -
68500 - if (ret) {
68501 - /* Update module bounds. */
68502 -- if ((unsigned long)ret < module_addr_min)
68503 -- module_addr_min = (unsigned long)ret;
68504 -- if ((unsigned long)ret + size > module_addr_max)
68505 -- module_addr_max = (unsigned long)ret + size;
68506 -+ if ((unsigned long)ret < module_addr_min_rw)
68507 -+ module_addr_min_rw = (unsigned long)ret;
68508 -+ if ((unsigned long)ret + size > module_addr_max_rw)
68509 -+ module_addr_max_rw = (unsigned long)ret + size;
68510 -+ }
68511 -+ return ret;
68512 -+}
68513 -+
68514 -+static void *module_alloc_update_bounds_rx(unsigned long size)
68515 -+{
68516 -+ void *ret = module_alloc_exec(size);
68517 -+
68518 -+ if (ret) {
68519 -+ /* Update module bounds. */
68520 -+ if ((unsigned long)ret < module_addr_min_rx)
68521 -+ module_addr_min_rx = (unsigned long)ret;
68522 -+ if ((unsigned long)ret + size > module_addr_max_rx)
68523 -+ module_addr_max_rx = (unsigned long)ret + size;
68524 - }
68525 - return ret;
68526 - }
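Review bot: module_alloc_update_bounds_rw() and module_alloc_update_bounds_rx() have the same body apart from the allocator called and the min/max pair updated. One helper taking the allocated pointer, the size and pointers to the bounds pair would keep the two range updates from drifting apart, and each wrapper should carry a one-line comment saying which region (writable data or executable text) it tracks.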
68527 -@@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
68528 - unsigned int i;
68529 -
68530 - /* only scan the sections containing data */
68531 -- kmemleak_scan_area(mod->module_core, (unsigned long)mod -
68532 -- (unsigned long)mod->module_core,
68533 -+ kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
68534 -+ (unsigned long)mod->module_core_rw,
68535 - sizeof(struct module), GFP_KERNEL);
68536 -
68537 - for (i = 1; i < hdr->e_shnum; i++) {
68538 -@@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
68539 - && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
68540 - continue;
68541 -
68542 -- kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
68543 -- (unsigned long)mod->module_core,
68544 -+ kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
68545 -+ (unsigned long)mod->module_core_rw,
68546 - sechdrs[i].sh_size, GFP_KERNEL);
68547 - }
68548 - }
68549 -@@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
68550 - secstrings, &stroffs, strmap);
68551 -
68552 - /* Do the allocs. */
68553 -- ptr = module_alloc_update_bounds(mod->core_size);
68554 -+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68555 - /*
68556 - * The pointer to this block is stored in the module structure
68557 - * which is inside the block. Just mark it as not being a
68558 -@@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
68559 - err = -ENOMEM;
68560 - goto free_percpu;
68561 - }
68562 -- memset(ptr, 0, mod->core_size);
68563 -- mod->module_core = ptr;
68564 -+ memset(ptr, 0, mod->core_size_rw);
68565 -+ mod->module_core_rw = ptr;
68566 -
68567 -- ptr = module_alloc_update_bounds(mod->init_size);
68568 -+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68569 - /*
68570 - * The pointer to this block is stored in the module structure
68571 - * which is inside the block. This block doesn't need to be
68572 - * scanned as it contains data and code that will be freed
68573 - * after the module is initialized.
68574 - */
68575 -- kmemleak_ignore(ptr);
68576 -- if (!ptr && mod->init_size) {
68577 -+ kmemleak_not_leak(ptr);
68578 -+ if (!ptr && mod->init_size_rw) {
68579 -+ err = -ENOMEM;
68580 -+ goto free_core_rw;
68581 -+ }
68582 -+ memset(ptr, 0, mod->init_size_rw);
68583 -+ mod->module_init_rw = ptr;
68584 -+
68585 -+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68586 -+ kmemleak_not_leak(ptr);
68587 -+ if (!ptr) {
68588 - err = -ENOMEM;
68589 -- goto free_core;
68590 -+ goto free_init_rw;
68591 - }
68592 -- memset(ptr, 0, mod->init_size);
68593 -- mod->module_init = ptr;
68594 -+
68595 -+ pax_open_kernel();
68596 -+ memset(ptr, 0, mod->core_size_rx);
68597 -+ pax_close_kernel();
68598 -+ mod->module_core_rx = ptr;
68599 -+
68600 -+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68601 -+ kmemleak_not_leak(ptr);
68602 -+ if (!ptr && mod->init_size_rx) {
68603 -+ err = -ENOMEM;
68604 -+ goto free_core_rx;
68605 -+ }
68606 -+
68607 -+ pax_open_kernel();
68608 -+ memset(ptr, 0, mod->init_size_rx);
68609 -+ pax_close_kernel();
68610 -+ mod->module_init_rx = ptr;
68611 -
68612 - /* Transfer each section which specifies SHF_ALLOC */
68613 - DEBUGP("final section addresses:\n");
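Review bot: in the init_rw allocation the retained comment still says the block "doesn't need to be scanned", but the call changes from kmemleak_ignore(ptr) to kmemleak_not_leak(ptr), which leaves the block eligible for scanning. Either keep kmemleak_ignore() or update the comment, which also still speaks of "data and code" although this block now holds only the writable part. Separately, the core_rx check is `if (!ptr)` while the init_rx check is `if (!ptr && mod->init_size_rx)`; if core_size_rx can ever be zero the first fails the load with -ENOMEM, so either make the two checks consistent or state why it cannot be zero.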
68614 -@@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
68615 - if (!(sechdrs[i].sh_flags & SHF_ALLOC))
68616 - continue;
68617 -
68618 -- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
68619 -- dest = mod->module_init
68620 -- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
68621 -- else
68622 -- dest = mod->module_core + sechdrs[i].sh_entsize;
68623 -+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
68624 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
68625 -+ dest = mod->module_init_rw
68626 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
68627 -+ else
68628 -+ dest = mod->module_init_rx
68629 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
68630 -+ } else {
68631 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
68632 -+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
68633 -+ else
68634 -+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
68635 -+ }
68636 -+
68637 -+ if (sechdrs[i].sh_type != SHT_NOBITS) {
68638 -
68639 -- if (sechdrs[i].sh_type != SHT_NOBITS)
68640 -- memcpy(dest, (void *)sechdrs[i].sh_addr,
68641 -- sechdrs[i].sh_size);
68642 -+#ifdef CONFIG_PAX_KERNEXEC
68643 -+#ifdef CONFIG_X86_64
68644 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
68645 -+ set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68646 -+#endif
68647 -+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
68648 -+ pax_open_kernel();
68649 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
68650 -+ pax_close_kernel();
68651 -+ } else
68652 -+#endif
68653 -+
68654 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
68655 -+ }
68656 - /* Update sh_addr to point to copy in image. */
68657 -- sechdrs[i].sh_addr = (unsigned long)dest;
68658 -+
68659 -+#ifdef CONFIG_PAX_KERNEXEC
68660 -+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
68661 -+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
68662 -+ else
68663 -+#endif
68664 -+
68665 -+ sechdrs[i].sh_addr = (unsigned long)dest;
68666 - DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
68667 - }
68668 - /* Module has been moved. */
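Review bot: the `!(sechdrs[i].sh_flags & SHF_ALLOC)` half of the new destination test can never be true, because the loop has already done `continue` for sections without SHF_ALLOC at the top of this hunk; the `&& (sechdrs[i].sh_flags & SHF_ALLOC)` term in the KERNEXEC memcpy branch is redundant for the same reason. Dropping both leaves the rule readable as "SHF_WRITE goes to the rw region, everything else to rx". The `} else` / `#endif` / memcpy construction, and the later `else` / `#endif` / sh_addr assignment, hang a statement off a preprocessor-conditional else and are easy to break on a later edit; a small helper for the copy would be safer. The page count passed to set_memory_x(), `(sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT`, needs a comment on why it rounds that way.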
68669 -@@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
68670 - mod->name);
68671 - if (!mod->refptr) {
68672 - err = -ENOMEM;
68673 -- goto free_init;
68674 -+ goto free_init_rx;
68675 - }
68676 - #endif
68677 - /* Now we've moved module, initialize linked lists, etc. */
68678 -@@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
68679 - /* Set up MODINFO_ATTR fields */
68680 - setup_modinfo(mod, sechdrs, infoindex);
68681 -
68682 -+ mod->args = args;
68683 -+
68684 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
68685 -+ {
68686 -+ char *p, *p2;
68687 -+
68688 -+ if (strstr(mod->args, "grsec_modharden_netdev")) {
68689 -+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
68690 -+ err = -EPERM;
68691 -+ goto cleanup;
68692 -+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
68693 -+ p += strlen("grsec_modharden_normal");
68694 -+ p2 = strstr(p, "_");
68695 -+ if (p2) {
68696 -+ *p2 = '\0';
68697 -+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
68698 -+ *p2 = '_';
68699 -+ }
68700 -+ err = -EPERM;
68701 -+ goto cleanup;
68702 -+ }
68703 -+ }
68704 -+#endif
68705 -+
68706 -+
68707 - /* Fix up syms, so that st_value is a pointer to location. */
68708 - err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
68709 - mod);
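Review bot: the printk in the grsec_modharden_netdev branch has no trailing \n, unlike the one in the grsec_modharden_normal branch, so the alert can run into the next log line. In the normal branch the load is refused with -EPERM even when no `_` follows the marker, but nothing is logged in that case; log the denial unconditionally and print the uid only when it could be parsed. A comment naming the code that appends these marker strings to the module arguments is also missing, and it matters because any argument string containing them is rejected.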
68710 -@@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
68711 -
68712 - /* Now do relocations. */
68713 - for (i = 1; i < hdr->e_shnum; i++) {
68714 -- const char *strtab = (char *)sechdrs[strindex].sh_addr;
68715 - unsigned int info = sechdrs[i].sh_info;
68716 -+ strtab = (char *)sechdrs[strindex].sh_addr;
68717 -
68718 - /* Not a valid relocation section? */
68719 - if (info >= hdr->e_shnum)
68720 -@@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
68721 - * Do it before processing of module parameters, so the module
68722 - * can provide parameter accessor functions of its own.
68723 - */
68724 -- if (mod->module_init)
68725 -- flush_icache_range((unsigned long)mod->module_init,
68726 -- (unsigned long)mod->module_init
68727 -- + mod->init_size);
68728 -- flush_icache_range((unsigned long)mod->module_core,
68729 -- (unsigned long)mod->module_core + mod->core_size);
68730 -+ if (mod->module_init_rx)
68731 -+ flush_icache_range((unsigned long)mod->module_init_rx,
68732 -+ (unsigned long)mod->module_init_rx
68733 -+ + mod->init_size_rx);
68734 -+ flush_icache_range((unsigned long)mod->module_core_rx,
68735 -+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
68736 -
68737 - set_fs(old_fs);
68738 -
68739 -- mod->args = args;
68740 - if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
68741 - printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
68742 - mod->name);
68743 -@@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
68744 - free_unload:
68745 - module_unload_free(mod);
68746 - #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
68747 -+ free_init_rx:
68748 - percpu_modfree(mod->refptr);
68749 -- free_init:
68750 - #endif
68751 -- module_free(mod, mod->module_init);
68752 -- free_core:
68753 -- module_free(mod, mod->module_core);
68754 -+ module_free_exec(mod, mod->module_init_rx);
68755 -+ free_core_rx:
68756 -+ module_free_exec(mod, mod->module_core_rx);
68757 -+ free_init_rw:
68758 -+ module_free(mod, mod->module_init_rw);
68759 -+ free_core_rw:
68760 -+ module_free(mod, mod->module_core_rw);
68761 - /* mod will be freed with core. Don't access it beyond this line! */
68762 - free_percpu:
68763 - if (percpu)
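Review bot: the new `free_init_rx:` label sits above percpu_modfree(mod->refptr), where the old `free_init:` label sat below it, so the `goto free_init_rx` taken earlier when `!mod->refptr` now calls percpu_modfree() with a NULL pointer. Confirm percpu_modfree() accepts NULL or move the label back below the call. The rest of the unwinding (init_rx, core_rx, init_rw, core_rw) is the reverse of the allocation order and keeps core_rw, which holds mod itself, last, matching the comment that follows.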
68764 -@@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
68765 - mod->symtab = mod->core_symtab;
68766 - mod->strtab = mod->core_strtab;
68767 - #endif
68768 -- module_free(mod, mod->module_init);
68769 -- mod->module_init = NULL;
68770 -- mod->init_size = 0;
68771 -- mod->init_text_size = 0;
68772 -+ module_free(mod, mod->module_init_rw);
68773 -+ module_free_exec(mod, mod->module_init_rx);
68774 -+ mod->module_init_rw = NULL;
68775 -+ mod->module_init_rx = NULL;
68776 -+ mod->init_size_rw = 0;
68777 -+ mod->init_size_rx = 0;
68778 - mutex_unlock(&module_mutex);
68779 -
68780 - return 0;
68781 -@@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
68782 - unsigned long nextval;
68783 -
68784 - /* At worse, next value is at end of module */
68785 -- if (within_module_init(addr, mod))
68786 -- nextval = (unsigned long)mod->module_init+mod->init_text_size;
68787 -+ if (within_module_init_rx(addr, mod))
68788 -+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
68789 -+ else if (within_module_init_rw(addr, mod))
68790 -+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
68791 -+ else if (within_module_core_rx(addr, mod))
68792 -+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
68793 -+ else if (within_module_core_rw(addr, mod))
68794 -+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
68795 - else
68796 -- nextval = (unsigned long)mod->module_core+mod->core_text_size;
68797 -+ return NULL;
68798 -
68799 - /* Scan for closest preceeding symbol, and next symbol. (ELF
68800 - starts real symbols at 1). */
68801 -@@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
68802 - char buf[8];
68803 -
68804 - seq_printf(m, "%s %u",
68805 -- mod->name, mod->init_size + mod->core_size);
68806 -+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
68807 - print_unload_info(m, mod);
68808 -
68809 - /* Informative for users. */
68810 -@@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
68811 - mod->state == MODULE_STATE_COMING ? "Loading":
68812 - "Live");
68813 - /* Used by oprofile and other similar tools. */
68814 -- seq_printf(m, " 0x%p", mod->module_core);
68815 -+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
68816 -
68817 - /* Taints info */
68818 - if (mod->taints)
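Review bot: `seq_printf(m, " 0x%p 0x%p", ...)` inserts a second address column into /proc/modules ahead of the taints field, and the comment directly above says this field is read by oprofile and similar tools. A parser expecting a single address will misread the line, so the format change needs to be documented.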
68819 -@@ -2981,7 +3128,17 @@ static const struct file_operations proc
68820 -
68821 - static int __init proc_modules_init(void)
68822 - {
68823 -+#ifndef CONFIG_GRKERNSEC_HIDESYM
68824 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
68825 -+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68826 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
68827 -+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
68828 -+#else
68829 - proc_create("modules", 0, NULL, &proc_modules_operations);
68830 -+#endif
68831 -+#else
68832 -+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
68833 -+#endif
68834 - return 0;
68835 - }
68836 - module_init(proc_modules_init);
68837 -@@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
68838 - {
68839 - struct module *mod;
68840 -
68841 -- if (addr < module_addr_min || addr > module_addr_max)
68842 -+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
68843 -+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
68844 - return NULL;
68845 -
68846 - list_for_each_entry_rcu(mod, &modules, list)
68847 -- if (within_module_core(addr, mod)
68848 -- || within_module_init(addr, mod))
68849 -+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
68850 - return mod;
68851 - return NULL;
68852 - }
68853 -@@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
68854 - */
68855 - struct module *__module_text_address(unsigned long addr)
68856 - {
68857 -- struct module *mod = __module_address(addr);
68858 -+ struct module *mod;
68859 -+
68860 -+#ifdef CONFIG_X86_32
68861 -+ addr = ktla_ktva(addr);
68862 -+#endif
68863 -+
68864 -+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
68865 -+ return NULL;
68866 -+
68867 -+ mod = __module_address(addr);
68868 -+
68869 - if (mod) {
68870 - /* Make sure it's within the text section. */
68871 -- if (!within(addr, mod->module_init, mod->init_text_size)
68872 -- && !within(addr, mod->module_core, mod->core_text_size))
68873 -+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
68874 - mod = NULL;
68875 - }
68876 - return mod;
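Review bot: `addr = ktla_ktva(addr)` at the top of __module_text_address() is keyed on CONFIG_X86_32 alone, while the matching ktva_ktla() call in load_module is under CONFIG_PAX_KERNEXEC. Add a one-line comment saying why the translation depends on the architecture here rather than on KERNEXEC. The rx range test added before the __module_address() call is then repeated inside that function as part of its combined rx/rw test; a comment that the early return is deliberate (text lookups must never match the rw range) would make that clear.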
68877 -diff -urNp linux-2.6.32.46/kernel/mutex-debug.c linux-2.6.32.46/kernel/mutex-debug.c
68878 ---- linux-2.6.32.46/kernel/mutex-debug.c 2011-03-27 14:31:47.000000000 -0400
68879 -+++ linux-2.6.32.46/kernel/mutex-debug.c 2011-04-17 15:56:46.000000000 -0400
68880 -@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
68881 - }
68882 -
68883 - void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68884 -- struct thread_info *ti)
68885 -+ struct task_struct *task)
68886 - {
68887 - SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
68888 -
68889 - /* Mark the current thread as blocked on the lock: */
68890 -- ti->task->blocked_on = waiter;
68891 -+ task->blocked_on = waiter;
68892 - }
68893 -
68894 - void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68895 -- struct thread_info *ti)
68896 -+ struct task_struct *task)
68897 - {
68898 - DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
68899 -- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
68900 -- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
68901 -- ti->task->blocked_on = NULL;
68902 -+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
68903 -+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
68904 -+ task->blocked_on = NULL;
68905 -
68906 - list_del_init(&waiter->list);
68907 - waiter->task = NULL;
68908 -@@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
68909 - return;
68910 -
68911 - DEBUG_LOCKS_WARN_ON(lock->magic != lock);
68912 -- DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
68913 -+ DEBUG_LOCKS_WARN_ON(lock->owner != current);
68914 - DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
68915 - mutex_clear_owner(lock);
68916 - }
68917 -diff -urNp linux-2.6.32.46/kernel/mutex-debug.h linux-2.6.32.46/kernel/mutex-debug.h
68918 ---- linux-2.6.32.46/kernel/mutex-debug.h 2011-03-27 14:31:47.000000000 -0400
68919 -+++ linux-2.6.32.46/kernel/mutex-debug.h 2011-04-17 15:56:46.000000000 -0400
68920 -@@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
68921 - extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
68922 - extern void debug_mutex_add_waiter(struct mutex *lock,
68923 - struct mutex_waiter *waiter,
68924 -- struct thread_info *ti);
68925 -+ struct task_struct *task);
68926 - extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68927 -- struct thread_info *ti);
68928 -+ struct task_struct *task);
68929 - extern void debug_mutex_unlock(struct mutex *lock);
68930 - extern void debug_mutex_init(struct mutex *lock, const char *name,
68931 - struct lock_class_key *key);
68932 -
68933 - static inline void mutex_set_owner(struct mutex *lock)
68934 - {
68935 -- lock->owner = current_thread_info();
68936 -+ lock->owner = current;
68937 - }
68938 -
68939 - static inline void mutex_clear_owner(struct mutex *lock)
68940 -diff -urNp linux-2.6.32.46/kernel/mutex.c linux-2.6.32.46/kernel/mutex.c
68941 ---- linux-2.6.32.46/kernel/mutex.c 2011-03-27 14:31:47.000000000 -0400
68942 -+++ linux-2.6.32.46/kernel/mutex.c 2011-04-17 15:56:46.000000000 -0400
68943 -@@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
68944 - */
68945 -
68946 - for (;;) {
68947 -- struct thread_info *owner;
68948 -+ struct task_struct *owner;
68949 -
68950 - /*
68951 - * If we own the BKL, then don't spin. The owner of
68952 -@@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
68953 - spin_lock_mutex(&lock->wait_lock, flags);
68954 -
68955 - debug_mutex_lock_common(lock, &waiter);
68956 -- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
68957 -+ debug_mutex_add_waiter(lock, &waiter, task);
68958 -
68959 - /* add waiting tasks to the end of the waitqueue (FIFO): */
68960 - list_add_tail(&waiter.list, &lock->wait_list);
68961 -@@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
68962 - * TASK_UNINTERRUPTIBLE case.)
68963 - */
68964 - if (unlikely(signal_pending_state(state, task))) {
68965 -- mutex_remove_waiter(lock, &waiter,
68966 -- task_thread_info(task));
68967 -+ mutex_remove_waiter(lock, &waiter, task);
68968 - mutex_release(&lock->dep_map, 1, ip);
68969 - spin_unlock_mutex(&lock->wait_lock, flags);
68970 -
68971 -@@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
68972 - done:
68973 - lock_acquired(&lock->dep_map, ip);
68974 - /* got the lock - rejoice! */
68975 -- mutex_remove_waiter(lock, &waiter, current_thread_info());
68976 -+ mutex_remove_waiter(lock, &waiter, task);
68977 - mutex_set_owner(lock);
68978 -
68979 - /* set it to 0 if there are no waiters left: */
68980 -diff -urNp linux-2.6.32.46/kernel/mutex.h linux-2.6.32.46/kernel/mutex.h
68981 ---- linux-2.6.32.46/kernel/mutex.h 2011-03-27 14:31:47.000000000 -0400
68982 -+++ linux-2.6.32.46/kernel/mutex.h 2011-04-17 15:56:46.000000000 -0400
68983 -@@ -19,7 +19,7 @@
68984 - #ifdef CONFIG_SMP
68985 - static inline void mutex_set_owner(struct mutex *lock)
68986 - {
68987 -- lock->owner = current_thread_info();
68988 -+ lock->owner = current;
68989 - }
68990 -
68991 - static inline void mutex_clear_owner(struct mutex *lock)
68992 -diff -urNp linux-2.6.32.46/kernel/panic.c linux-2.6.32.46/kernel/panic.c
68993 ---- linux-2.6.32.46/kernel/panic.c 2011-03-27 14:31:47.000000000 -0400
68994 -+++ linux-2.6.32.46/kernel/panic.c 2011-04-17 15:56:46.000000000 -0400
68995 -@@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
68996 - const char *board;
68997 -
68998 - printk(KERN_WARNING "------------[ cut here ]------------\n");
68999 -- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
69000 -+ printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
69001 - board = dmi_get_system_info(DMI_PRODUCT_NAME);
69002 - if (board)
69003 - printk(KERN_WARNING "Hardware name: %s\n", board);
69004 -@@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
69005 - */
69006 - void __stack_chk_fail(void)
69007 - {
69008 -- panic("stack-protector: Kernel stack is corrupted in: %p\n",
69009 -+ dump_stack();
69010 -+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
69011 - __builtin_return_address(0));
69012 - }
69013 - EXPORT_SYMBOL(__stack_chk_fail);
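Review bot: in __stack_chk_fail(), dump_stack() now runs before panic() on a stack that the canary check has just reported as corrupted, so the unwinder walks frames that may contain overwritten data. Say in a comment that the trace is best-effort and its contents untrusted, or drop the call. The %pA specifier used here and in warn_slowpath_common() is not defined in the lines shown; the changelog should point to where it is added.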
69014 -diff -urNp linux-2.6.32.46/kernel/params.c linux-2.6.32.46/kernel/params.c
69015 ---- linux-2.6.32.46/kernel/params.c 2011-03-27 14:31:47.000000000 -0400
69016 -+++ linux-2.6.32.46/kernel/params.c 2011-04-17 15:56:46.000000000 -0400
69017 -@@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
69018 - return ret;
69019 - }
69020 -
69021 --static struct sysfs_ops module_sysfs_ops = {
69022 -+static const struct sysfs_ops module_sysfs_ops = {
69023 - .show = module_attr_show,
69024 - .store = module_attr_store,
69025 - };
69026 -@@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
69027 - return 0;
69028 - }
69029 -
69030 --static struct kset_uevent_ops module_uevent_ops = {
69031 -+static const struct kset_uevent_ops module_uevent_ops = {
69032 - .filter = uevent_filter,
69033 - };
69034 -
69035 -diff -urNp linux-2.6.32.46/kernel/perf_event.c linux-2.6.32.46/kernel/perf_event.c
69036 ---- linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:35:30.000000000 -0400
69037 -+++ linux-2.6.32.46/kernel/perf_event.c 2011-10-06 09:37:14.000000000 -0400
69038 -@@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
69039 - */
69040 - int sysctl_perf_event_sample_rate __read_mostly = 100000;
69041 -
69042 --static atomic64_t perf_event_id;
69043 -+static atomic64_unchecked_t perf_event_id;
69044 -
69045 - /*
69046 - * Lock for (sysadmin-configurable) event reservations:
69047 -@@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
69048 - * In order to keep per-task stats reliable we need to flip the event
69049 - * values when we flip the contexts.
69050 - */
69051 -- value = atomic64_read(&next_event->count);
69052 -- value = atomic64_xchg(&event->count, value);
69053 -- atomic64_set(&next_event->count, value);
69054 -+ value = atomic64_read_unchecked(&next_event->count);
69055 -+ value = atomic64_xchg_unchecked(&event->count, value);
69056 -+ atomic64_set_unchecked(&next_event->count, value);
69057 -
69058 - swap(event->total_time_enabled, next_event->total_time_enabled);
69059 - swap(event->total_time_running, next_event->total_time_running);
69060 -@@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
69061 - update_event_times(event);
69062 - }
69063 -
69064 -- return atomic64_read(&event->count);
69065 -+ return atomic64_read_unchecked(&event->count);
69066 - }
69067 -
69068 - /*
69069 -@@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
69070 - values[n++] = 1 + leader->nr_siblings;
69071 - if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69072 - values[n++] = leader->total_time_enabled +
69073 -- atomic64_read(&leader->child_total_time_enabled);
69074 -+ atomic64_read_unchecked(&leader->child_total_time_enabled);
69075 - }
69076 - if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69077 - values[n++] = leader->total_time_running +
69078 -- atomic64_read(&leader->child_total_time_running);
69079 -+ atomic64_read_unchecked(&leader->child_total_time_running);
69080 - }
69081 -
69082 - size = n * sizeof(u64);
69083 -@@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
69084 - values[n++] = perf_event_read_value(event);
69085 - if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69086 - values[n++] = event->total_time_enabled +
69087 -- atomic64_read(&event->child_total_time_enabled);
69088 -+ atomic64_read_unchecked(&event->child_total_time_enabled);
69089 - }
69090 - if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69091 - values[n++] = event->total_time_running +
69092 -- atomic64_read(&event->child_total_time_running);
69093 -+ atomic64_read_unchecked(&event->child_total_time_running);
69094 - }
69095 - if (read_format & PERF_FORMAT_ID)
69096 - values[n++] = primary_event_id(event);
69097 -@@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
69098 - static void perf_event_reset(struct perf_event *event)
69099 - {
69100 - (void)perf_event_read(event);
69101 -- atomic64_set(&event->count, 0);
69102 -+ atomic64_set_unchecked(&event->count, 0);
69103 - perf_event_update_userpage(event);
69104 - }
69105 -
69106 -@@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
69107 - ++userpg->lock;
69108 - barrier();
69109 - userpg->index = perf_event_index(event);
69110 -- userpg->offset = atomic64_read(&event->count);
69111 -+ userpg->offset = atomic64_read_unchecked(&event->count);
69112 - if (event->state == PERF_EVENT_STATE_ACTIVE)
69113 -- userpg->offset -= atomic64_read(&event->hw.prev_count);
69114 -+ userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
69115 -
69116 - userpg->time_enabled = event->total_time_enabled +
69117 -- atomic64_read(&event->child_total_time_enabled);
69118 -+ atomic64_read_unchecked(&event->child_total_time_enabled);
69119 -
69120 - userpg->time_running = event->total_time_running +
69121 -- atomic64_read(&event->child_total_time_running);
69122 -+ atomic64_read_unchecked(&event->child_total_time_running);
69123 -
69124 - barrier();
69125 - ++userpg->lock;
69126 -@@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
69127 - u64 values[4];
69128 - int n = 0;
69129 -
69130 -- values[n++] = atomic64_read(&event->count);
69131 -+ values[n++] = atomic64_read_unchecked(&event->count);
69132 - if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69133 - values[n++] = event->total_time_enabled +
69134 -- atomic64_read(&event->child_total_time_enabled);
69135 -+ atomic64_read_unchecked(&event->child_total_time_enabled);
69136 - }
69137 - if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69138 - values[n++] = event->total_time_running +
69139 -- atomic64_read(&event->child_total_time_running);
69140 -+ atomic64_read_unchecked(&event->child_total_time_running);
69141 - }
69142 - if (read_format & PERF_FORMAT_ID)
69143 - values[n++] = primary_event_id(event);
69144 -@@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
69145 - if (leader != event)
69146 - leader->pmu->read(leader);
69147 -
69148 -- values[n++] = atomic64_read(&leader->count);
69149 -+ values[n++] = atomic64_read_unchecked(&leader->count);
69150 - if (read_format & PERF_FORMAT_ID)
69151 - values[n++] = primary_event_id(leader);
69152 -
69153 -@@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
69154 - if (sub != event)
69155 - sub->pmu->read(sub);
69156 -
69157 -- values[n++] = atomic64_read(&sub->count);
69158 -+ values[n++] = atomic64_read_unchecked(&sub->count);
69159 - if (read_format & PERF_FORMAT_ID)
69160 - values[n++] = primary_event_id(sub);
69161 -
69162 -@@ -3525,12 +3525,12 @@ static void perf_event_mmap_event(struct
69163 - * need to add enough zero bytes after the string to handle
69164 - * the 64bit alignment we do later.
69165 - */
69166 -- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
69167 -+ buf = kzalloc(PATH_MAX, GFP_KERNEL);
69168 - if (!buf) {
69169 - name = strncpy(tmp, "//enomem", sizeof(tmp));
69170 - goto got_name;
69171 - }
69172 -- name = d_path(&file->f_path, buf, PATH_MAX);
69173 -+ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
69174 - if (IS_ERR(name)) {
69175 - name = strncpy(tmp, "//toolong", sizeof(tmp));
69176 - goto got_name;
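Review bot: the comment above the allocation still describes adding zero bytes after the string, but the buffer shrinks to PATH_MAX and the padding now comes from passing `PATH_MAX - sizeof(u64)` to d_path(). Update the comment to describe the new arrangement, and note the side effect that a path within sizeof(u64) bytes of PATH_MAX is now reported as //toolong.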
69177 -@@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
69178 - {
69179 - struct hw_perf_event *hwc = &event->hw;
69180 -
69181 -- atomic64_add(nr, &event->count);
69182 -+ atomic64_add_unchecked(nr, &event->count);
69183 -
69184 - if (!hwc->sample_period)
69185 - return;
69186 -@@ -4040,9 +4040,9 @@ static void cpu_clock_perf_event_update(
69187 - u64 now;
69188 -
69189 - now = cpu_clock(cpu);
69190 -- prev = atomic64_read(&event->hw.prev_count);
69191 -- atomic64_set(&event->hw.prev_count, now);
69192 -- atomic64_add(now - prev, &event->count);
69193 -+ prev = atomic64_read_unchecked(&event->hw.prev_count);
69194 -+ atomic64_set_unchecked(&event->hw.prev_count, now);
69195 -+ atomic64_add_unchecked(now - prev, &event->count);
69196 - }
69197 -
69198 - static int cpu_clock_perf_event_enable(struct perf_event *event)
69199 -@@ -4050,7 +4050,7 @@ static int cpu_clock_perf_event_enable(s
69200 - struct hw_perf_event *hwc = &event->hw;
69201 - int cpu = raw_smp_processor_id();
69202 -
69203 -- atomic64_set(&hwc->prev_count, cpu_clock(cpu));
69204 -+ atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
69205 - perf_swevent_start_hrtimer(event);
69206 -
69207 - return 0;
69208 -@@ -4082,9 +4082,9 @@ static void task_clock_perf_event_update
69209 - u64 prev;
69210 - s64 delta;
69211 -
69212 -- prev = atomic64_xchg(&event->hw.prev_count, now);
69213 -+ prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
69214 - delta = now - prev;
69215 -- atomic64_add(delta, &event->count);
69216 -+ atomic64_add_unchecked(delta, &event->count);
69217 - }
69218 -
69219 - static int task_clock_perf_event_enable(struct perf_event *event)
69220 -@@ -4094,7 +4094,7 @@ static int task_clock_perf_event_enable(
69221 -
69222 - now = event->ctx->time;
69223 -
69224 -- atomic64_set(&hwc->prev_count, now);
69225 -+ atomic64_set_unchecked(&hwc->prev_count, now);
69226 -
69227 - perf_swevent_start_hrtimer(event);
69228 -
69229 -@@ -4289,7 +4289,7 @@ perf_event_alloc(struct perf_event_attr
69230 - event->parent = parent_event;
69231 -
69232 - event->ns = get_pid_ns(current->nsproxy->pid_ns);
69233 -- event->id = atomic64_inc_return(&perf_event_id);
69234 -+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
69235 -
69236 - event->state = PERF_EVENT_STATE_INACTIVE;
69237 -
69238 -@@ -4720,15 +4720,15 @@ static void sync_child_event(struct perf
69239 - if (child_event->attr.inherit_stat)
69240 - perf_event_read_event(child_event, child);
69241 -
69242 -- child_val = atomic64_read(&child_event->count);
69243 -+ child_val = atomic64_read_unchecked(&child_event->count);
69244 -
69245 - /*
69246 - * Add back the child's count to the parent's count:
69247 - */
69248 -- atomic64_add(child_val, &parent_event->count);
69249 -- atomic64_add(child_event->total_time_enabled,
69250 -+ atomic64_add_unchecked(child_val, &parent_event->count);
69251 -+ atomic64_add_unchecked(child_event->total_time_enabled,
69252 - &parent_event->child_total_time_enabled);
69253 -- atomic64_add(child_event->total_time_running,
69254 -+ atomic64_add_unchecked(child_event->total_time_running,
69255 - &parent_event->child_total_time_running);
69256 -
69257 - /*
69258 -diff -urNp linux-2.6.32.46/kernel/pid.c linux-2.6.32.46/kernel/pid.c
69259 ---- linux-2.6.32.46/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400
69260 -+++ linux-2.6.32.46/kernel/pid.c 2011-08-21 19:11:29.000000000 -0400
69261 -@@ -33,6 +33,7 @@
69262 - #include <linux/rculist.h>
69263 - #include <linux/bootmem.h>
69264 - #include <linux/hash.h>
69265 -+#include <linux/security.h>
69266 - #include <linux/pid_namespace.h>
69267 - #include <linux/init_task.h>
69268 - #include <linux/syscalls.h>
69269 -@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69270 -
69271 - int pid_max = PID_MAX_DEFAULT;
69272 -
69273 --#define RESERVED_PIDS 300
69274 -+#define RESERVED_PIDS 500
69275 -
69276 - int pid_max_min = RESERVED_PIDS + 1;
69277 - int pid_max_max = PID_MAX_LIMIT;
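Review bot: the bump of RESERVED_PIDS from 300 to 500 carries no comment or rationale, and it silently changes a second value, because the context line `int pid_max_min = RESERVED_PIDS + 1;` now evaluates to 501 instead of 301. Please add a one-line comment above the define stating why 500 was chosen and that the minimum accepted pid_max moves with it.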
69278 -@@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
69279 - */
69280 - struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69281 - {
69282 -- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69283 -+ struct task_struct *task;
69284 -+
69285 -+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69286 -+
69287 -+ if (gr_pid_is_chrooted(task))
69288 -+ return NULL;
69289 -+
69290 -+ return task;
69291 - }
69292 -
69293 - struct task_struct *find_task_by_vpid(pid_t vnr)
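Review bot: in find_task_by_pid_ns() the result of pid_task() is passed straight to gr_pid_is_chrooted(), but pid_task() returns NULL when the pid does not exist, which the original one-line return simply propagated. Unless gr_pid_is_chrooted() is guaranteed to accept a NULL task, guard the call, for example `if (task && gr_pid_is_chrooted(task))`, or document the NULL contract at the helper.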
69294 -@@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
69295 - return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
69296 - }
69297 -
69298 -+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
69299 -+{
69300 -+ return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
69301 -+}
69302 -+
69303 - struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
69304 - {
69305 - struct pid *pid;
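Review bot: find_task_by_vpid_unrestricted() is added without any comment, yet its only purpose is to skip the gr_pid_is_chrooted() filter introduced in find_task_by_pid_ns() above. A short comment naming the callers that are allowed to bypass the chroot check, and why, would keep this from being picked up as a general-purpose lookup later.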
69306 -diff -urNp linux-2.6.32.46/kernel/posix-cpu-timers.c linux-2.6.32.46/kernel/posix-cpu-timers.c
69307 ---- linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-03-27 14:31:47.000000000 -0400
69308 -+++ linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-08-06 09:33:44.000000000 -0400
69309 -@@ -6,6 +6,7 @@
69310 - #include <linux/posix-timers.h>
69311 - #include <linux/errno.h>
69312 - #include <linux/math64.h>
69313 -+#include <linux/security.h>
69314 - #include <asm/uaccess.h>
69315 - #include <linux/kernel_stat.h>
69316 - #include <trace/events/timer.h>
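Review bot: the added `#include <linux/security.h>` has no visible user in this file, since the remaining hunks for posix-cpu-timers.c only add `static` to the two k_clock locals. If nothing else in the file needs it, drop the include; otherwise mention in the changelog what it is for.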
69317 -@@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(st
69318 -
69319 - static __init int init_posix_cpu_timers(void)
69320 - {
69321 -- struct k_clock process = {
69322 -+ static struct k_clock process = {
69323 - .clock_getres = process_cpu_clock_getres,
69324 - .clock_get = process_cpu_clock_get,
69325 - .clock_set = do_posix_clock_nosettime,
69326 -@@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(
69327 - .nsleep = process_cpu_nsleep,
69328 - .nsleep_restart = process_cpu_nsleep_restart,
69329 - };
69330 -- struct k_clock thread = {
69331 -+ static struct k_clock thread = {
69332 - .clock_getres = thread_cpu_clock_getres,
69333 - .clock_get = thread_cpu_clock_get,
69334 - .clock_set = do_posix_clock_nosettime,
69335 -diff -urNp linux-2.6.32.46/kernel/posix-timers.c linux-2.6.32.46/kernel/posix-timers.c
69336 ---- linux-2.6.32.46/kernel/posix-timers.c 2011-03-27 14:31:47.000000000 -0400
69337 -+++ linux-2.6.32.46/kernel/posix-timers.c 2011-08-23 20:22:38.000000000 -0400
69338 -@@ -42,6 +42,7 @@
69339 - #include <linux/compiler.h>
69340 - #include <linux/idr.h>
69341 - #include <linux/posix-timers.h>
69342 -+#include <linux/grsecurity.h>
69343 - #include <linux/syscalls.h>
69344 - #include <linux/wait.h>
69345 - #include <linux/workqueue.h>
69346 -@@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
69347 - * which we beg off on and pass to do_sys_settimeofday().
69348 - */
69349 -
69350 --static struct k_clock posix_clocks[MAX_CLOCKS];
69351 -+static struct k_clock *posix_clocks[MAX_CLOCKS];
69352 -
69353 - /*
69354 - * These ones are defined below.
69355 -@@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
69356 - */
69357 - #define CLOCK_DISPATCH(clock, call, arglist) \
69358 - ((clock) < 0 ? posix_cpu_##call arglist : \
69359 -- (posix_clocks[clock].call != NULL \
69360 -- ? (*posix_clocks[clock].call) arglist : common_##call arglist))
69361 -+ (posix_clocks[clock]->call != NULL \
69362 -+ ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
69363 -
69364 - /*
69365 - * Default clock hook functions when the struct k_clock passed
69366 -@@ -172,7 +173,7 @@ static inline int common_clock_getres(co
69367 - struct timespec *tp)
69368 - {
69369 - tp->tv_sec = 0;
69370 -- tp->tv_nsec = posix_clocks[which_clock].res;
69371 -+ tp->tv_nsec = posix_clocks[which_clock]->res;
69372 - return 0;
69373 - }
69374 -
69375 -@@ -217,9 +218,11 @@ static inline int invalid_clockid(const
69376 - return 0;
69377 - if ((unsigned) which_clock >= MAX_CLOCKS)
69378 - return 1;
69379 -- if (posix_clocks[which_clock].clock_getres != NULL)
69380 -+ if (posix_clocks[which_clock] == NULL)
69381 - return 0;
69382 -- if (posix_clocks[which_clock].res != 0)
69383 -+ if (posix_clocks[which_clock]->clock_getres != NULL)
69384 -+ return 0;
69385 -+ if (posix_clocks[which_clock]->res != 0)
69386 - return 0;
69387 - return 1;
69388 - }
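Review bot: the new NULL test in invalid_clockid() falls through to the existing `return 0;`, so an in-range clock id whose slot was never registered is reported as valid. With posix_clocks now an array of pointers, CLOCK_DISPATCH and common_clock_getres() dereference `posix_clocks[clock]->...` unconditionally, so that case ends in a NULL dereference. The NULL branch looks like it should `return 1;`.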
69389 -@@ -266,29 +269,29 @@ int posix_get_coarse_res(const clockid_t
69390 - */
69391 - static __init int init_posix_timers(void)
69392 - {
69393 -- struct k_clock clock_realtime = {
69394 -+ static struct k_clock clock_realtime = {
69395 - .clock_getres = hrtimer_get_res,
69396 - };
69397 -- struct k_clock clock_monotonic = {
69398 -+ static struct k_clock clock_monotonic = {
69399 - .clock_getres = hrtimer_get_res,
69400 - .clock_get = posix_ktime_get_ts,
69401 - .clock_set = do_posix_clock_nosettime,
69402 - };
69403 -- struct k_clock clock_monotonic_raw = {
69404 -+ static struct k_clock clock_monotonic_raw = {
69405 - .clock_getres = hrtimer_get_res,
69406 - .clock_get = posix_get_monotonic_raw,
69407 - .clock_set = do_posix_clock_nosettime,
69408 - .timer_create = no_timer_create,
69409 - .nsleep = no_nsleep,
69410 - };
69411 -- struct k_clock clock_realtime_coarse = {
69412 -+ static struct k_clock clock_realtime_coarse = {
69413 - .clock_getres = posix_get_coarse_res,
69414 - .clock_get = posix_get_realtime_coarse,
69415 - .clock_set = do_posix_clock_nosettime,
69416 - .timer_create = no_timer_create,
69417 - .nsleep = no_nsleep,
69418 - };
69419 -- struct k_clock clock_monotonic_coarse = {
69420 -+ static struct k_clock clock_monotonic_coarse = {
69421 - .clock_getres = posix_get_coarse_res,
69422 - .clock_get = posix_get_monotonic_coarse,
69423 - .clock_set = do_posix_clock_nosettime,
69424 -@@ -296,6 +299,8 @@ static __init int init_posix_timers(void
69425 - .nsleep = no_nsleep,
69426 - };
69427 -
69428 -+ pax_track_stack();
69429 -+
69430 - register_posix_clock(CLOCK_REALTIME, &clock_realtime);
69431 - register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
69432 - register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
69433 -@@ -484,7 +489,7 @@ void register_posix_clock(const clockid_
69434 - return;
69435 - }
69436 -
69437 -- posix_clocks[clock_id] = *new_clock;
69438 -+ posix_clocks[clock_id] = new_clock;
69439 - }
69440 - EXPORT_SYMBOL_GPL(register_posix_clock);
69441 -
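Review bot: switching `posix_clocks[clock_id] = *new_clock;` to storing the pointer changes the lifetime contract of register_posix_clock(), and nothing in the hunk documents it. The function is EXPORT_SYMBOL_GPL, so any caller that still passes an on-stack or init-only struct k_clock now leaves a dangling pointer in the table. The in-tree callers shown here were converted to `static`, but the requirement should be stated in a comment at the function.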
69442 -@@ -948,6 +953,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
69443 - if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69444 - return -EFAULT;
69445 -
69446 -+ /* only the CLOCK_REALTIME clock can be set, all other clocks
69447 -+ have their clock_set fptr set to a nosettime dummy function
69448 -+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69449 -+ call common_clock_set, which calls do_sys_settimeofday, which
69450 -+ we hook
69451 -+ */
69452 -+
69453 - return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
69454 - }
69455 -
69456 -diff -urNp linux-2.6.32.46/kernel/power/hibernate.c linux-2.6.32.46/kernel/power/hibernate.c
69457 ---- linux-2.6.32.46/kernel/power/hibernate.c 2011-03-27 14:31:47.000000000 -0400
69458 -+++ linux-2.6.32.46/kernel/power/hibernate.c 2011-04-17 15:56:46.000000000 -0400
69459 -@@ -48,14 +48,14 @@ enum {
69460 -
69461 - static int hibernation_mode = HIBERNATION_SHUTDOWN;
69462 -
69463 --static struct platform_hibernation_ops *hibernation_ops;
69464 -+static const struct platform_hibernation_ops *hibernation_ops;
69465 -
69466 - /**
69467 - * hibernation_set_ops - set the global hibernate operations
69468 - * @ops: the hibernation operations to use in subsequent hibernation transitions
69469 - */
69470 -
69471 --void hibernation_set_ops(struct platform_hibernation_ops *ops)
69472 -+void hibernation_set_ops(const struct platform_hibernation_ops *ops)
69473 - {
69474 - if (ops && !(ops->begin && ops->end && ops->pre_snapshot
69475 - && ops->prepare && ops->finish && ops->enter && ops->pre_restore
69476 -diff -urNp linux-2.6.32.46/kernel/power/poweroff.c linux-2.6.32.46/kernel/power/poweroff.c
69477 ---- linux-2.6.32.46/kernel/power/poweroff.c 2011-03-27 14:31:47.000000000 -0400
69478 -+++ linux-2.6.32.46/kernel/power/poweroff.c 2011-04-17 15:56:46.000000000 -0400
69479 -@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69480 - .enable_mask = SYSRQ_ENABLE_BOOT,
69481 - };
69482 -
69483 --static int pm_sysrq_init(void)
69484 -+static int __init pm_sysrq_init(void)
69485 - {
69486 - register_sysrq_key('o', &sysrq_poweroff_op);
69487 - return 0;
69488 -diff -urNp linux-2.6.32.46/kernel/power/process.c linux-2.6.32.46/kernel/power/process.c
69489 ---- linux-2.6.32.46/kernel/power/process.c 2011-03-27 14:31:47.000000000 -0400
69490 -+++ linux-2.6.32.46/kernel/power/process.c 2011-04-17 15:56:46.000000000 -0400
69491 -@@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
69492 - struct timeval start, end;
69493 - u64 elapsed_csecs64;
69494 - unsigned int elapsed_csecs;
69495 -+ bool timedout = false;
69496 -
69497 - do_gettimeofday(&start);
69498 -
69499 - end_time = jiffies + TIMEOUT;
69500 - do {
69501 - todo = 0;
69502 -+ if (time_after(jiffies, end_time))
69503 -+ timedout = true;
69504 - read_lock(&tasklist_lock);
69505 - do_each_thread(g, p) {
69506 - if (frozen(p) || !freezeable(p))
69507 -@@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
69508 - * It is "frozen enough". If the task does wake
69509 - * up, it will immediately call try_to_freeze.
69510 - */
69511 -- if (!task_is_stopped_or_traced(p) &&
69512 -- !freezer_should_skip(p))
69513 -+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69514 - todo++;
69515 -+ if (timedout) {
69516 -+ printk(KERN_ERR "Task refusing to freeze:\n");
69517 -+ sched_show_task(p);
69518 -+ }
69519 -+ }
69520 - } while_each_thread(g, p);
69521 - read_unlock(&tasklist_lock);
69522 - yield(); /* Yield is okay here */
69523 -- if (time_after(jiffies, end_time))
69524 -- break;
69525 -- } while (todo);
69526 -+ } while (todo && !timedout);
69527 -
69528 - do_gettimeofday(&end);
69529 - elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
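Review bot: once `timedout` is set, the loop calls printk() and sched_show_task() for every task that has not frozen while tasklist_lock is still read-held, with no cap on how many tasks are dumped. Consider bounding the number of reports, or collecting the offenders and printing after read_unlock(). Moving the time_after() test to the top of the loop also means one extra full pass over all threads after the deadline, which deserves a word in the changelog.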
69530 -diff -urNp linux-2.6.32.46/kernel/power/suspend.c linux-2.6.32.46/kernel/power/suspend.c
69531 ---- linux-2.6.32.46/kernel/power/suspend.c 2011-03-27 14:31:47.000000000 -0400
69532 -+++ linux-2.6.32.46/kernel/power/suspend.c 2011-04-17 15:56:46.000000000 -0400
69533 -@@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
69534 - [PM_SUSPEND_MEM] = "mem",
69535 - };
69536 -
69537 --static struct platform_suspend_ops *suspend_ops;
69538 -+static const struct platform_suspend_ops *suspend_ops;
69539 -
69540 - /**
69541 - * suspend_set_ops - Set the global suspend method table.
69542 - * @ops: Pointer to ops structure.
69543 - */
69544 --void suspend_set_ops(struct platform_suspend_ops *ops)
69545 -+void suspend_set_ops(const struct platform_suspend_ops *ops)
69546 - {
69547 - mutex_lock(&pm_mutex);
69548 - suspend_ops = ops;
69549 -diff -urNp linux-2.6.32.46/kernel/printk.c linux-2.6.32.46/kernel/printk.c
69550 ---- linux-2.6.32.46/kernel/printk.c 2011-03-27 14:31:47.000000000 -0400
69551 -+++ linux-2.6.32.46/kernel/printk.c 2011-04-17 15:56:46.000000000 -0400
69552 -@@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
69553 - char c;
69554 - int error = 0;
69555 -
69556 -+#ifdef CONFIG_GRKERNSEC_DMESG
69557 -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
69558 -+ return -EPERM;
69559 -+#endif
69560 -+
69561 - error = security_syslog(type);
69562 - if (error)
69563 - return error;
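Review bot: the CONFIG_GRKERNSEC_DMESG check in do_syslog() returns -EPERM before `type` is looked at and before security_syslog(type) runs, so with the option enabled every syslog action is denied to callers without CAP_SYS_ADMIN and the LSM hook is never consulted for them. If that blanket behaviour is intended, say so in a comment; if only reads of the buffer are meant to be restricted, the test needs to be keyed on `type`.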
69564 -diff -urNp linux-2.6.32.46/kernel/profile.c linux-2.6.32.46/kernel/profile.c
69565 ---- linux-2.6.32.46/kernel/profile.c 2011-03-27 14:31:47.000000000 -0400
69566 -+++ linux-2.6.32.46/kernel/profile.c 2011-05-04 17:56:28.000000000 -0400
69567 -@@ -39,7 +39,7 @@ struct profile_hit {
69568 - /* Oprofile timer tick hook */
69569 - static int (*timer_hook)(struct pt_regs *) __read_mostly;
69570 -
69571 --static atomic_t *prof_buffer;
69572 -+static atomic_unchecked_t *prof_buffer;
69573 - static unsigned long prof_len, prof_shift;
69574 -
69575 - int prof_on __read_mostly;
69576 -@@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69577 - hits[i].pc = 0;
69578 - continue;
69579 - }
69580 -- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69581 -+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69582 - hits[i].hits = hits[i].pc = 0;
69583 - }
69584 - }
69585 -@@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69586 - * Add the current hit(s) and flush the write-queue out
69587 - * to the global buffer:
69588 - */
69589 -- atomic_add(nr_hits, &prof_buffer[pc]);
69590 -+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69591 - for (i = 0; i < NR_PROFILE_HIT; ++i) {
69592 -- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69593 -+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69594 - hits[i].pc = hits[i].hits = 0;
69595 - }
69596 - out:
69597 -@@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69598 - if (prof_on != type || !prof_buffer)
69599 - return;
69600 - pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69601 -- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69602 -+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69603 - }
69604 - #endif /* !CONFIG_SMP */
69605 - EXPORT_SYMBOL_GPL(profile_hits);
69606 -@@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69607 - return -EFAULT;
69608 - buf++; p++; count--; read++;
69609 - }
69610 -- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69611 -+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69612 - if (copy_to_user(buf, (void *)pnt, count))
69613 - return -EFAULT;
69614 - read += count;
69615 -@@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69616 - }
69617 - #endif
69618 - profile_discard_flip_buffers();
69619 -- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69620 -+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69621 - return count;
69622 - }
69623 -
69624 -diff -urNp linux-2.6.32.46/kernel/ptrace.c linux-2.6.32.46/kernel/ptrace.c
69625 ---- linux-2.6.32.46/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
69626 -+++ linux-2.6.32.46/kernel/ptrace.c 2011-05-22 23:02:06.000000000 -0400
69627 -@@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69628 - return ret;
69629 - }
69630 -
69631 --int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69632 -+static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69633 -+ unsigned int log)
69634 - {
69635 - const struct cred *cred = current_cred(), *tcred;
69636 -
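Review bot: the new `unsigned int log` parameter of __ptrace_may_access() is only ever used as a flag (callers pass 0 or 1), so `bool` would state the intent. The function also becomes `static` here, which means any caller outside kernel/ptrace.c has to be moved to ptrace_may_access() or ptrace_may_access_log(); please confirm none remain.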
69637 -@@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
69638 - cred->gid != tcred->egid ||
69639 - cred->gid != tcred->sgid ||
69640 - cred->gid != tcred->gid) &&
69641 -- !capable(CAP_SYS_PTRACE)) {
69642 -+ ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
69643 -+ (log && !capable(CAP_SYS_PTRACE)))
69644 -+ ) {
69645 - rcu_read_unlock();
69646 - return -EPERM;
69647 - }
69648 -@@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
69649 - smp_rmb();
69650 - if (task->mm)
69651 - dumpable = get_dumpable(task->mm);
69652 -- if (!dumpable && !capable(CAP_SYS_PTRACE))
69653 -+ if (!dumpable &&
69654 -+ ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
69655 -+ (log && !capable(CAP_SYS_PTRACE))))
69656 - return -EPERM;
69657 -
69658 - return security_ptrace_access_check(task, mode);
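Review bot: the expression `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is now written out twice, here in the dumpable test and in the credential test of the previous hunk. A small static helper that takes `log` and returns the capability result would remove the duplication and make the two call sites impossible to diverge.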
69659 -@@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
69660 - {
69661 - int err;
69662 - task_lock(task);
69663 -- err = __ptrace_may_access(task, mode);
69664 -+ err = __ptrace_may_access(task, mode, 0);
69665 -+ task_unlock(task);
69666 -+ return !err;
69667 -+}
69668 -+
69669 -+bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
69670 -+{
69671 -+ int err;
69672 -+ task_lock(task);
69673 -+ err = __ptrace_may_access(task, mode, 1);
69674 - task_unlock(task);
69675 - return !err;
69676 - }
69677 -@@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
69678 - goto out;
69679 -
69680 - task_lock(task);
69681 -- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
69682 -+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
69683 - task_unlock(task);
69684 - if (retval)
69685 - goto unlock_creds;
69686 -@@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
69687 - goto unlock_tasklist;
69688 -
69689 - task->ptrace = PT_PTRACED;
69690 -- if (capable(CAP_SYS_PTRACE))
69691 -+ if (capable_nolog(CAP_SYS_PTRACE))
69692 - task->ptrace |= PT_PTRACE_CAP;
69693 -
69694 - __ptrace_link(task, current);
69695 -@@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
69696 - {
69697 - int copied = 0;
69698 -
69699 -+ pax_track_stack();
69700 -+
69701 - while (len > 0) {
69702 - char buf[128];
69703 - int this_len, retval;
69704 -@@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
69705 - {
69706 - int copied = 0;
69707 -
69708 -+ pax_track_stack();
69709 -+
69710 - while (len > 0) {
69711 - char buf[128];
69712 - int this_len, retval;
69713 -@@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
69714 - int ret = -EIO;
69715 - siginfo_t siginfo;
69716 -
69717 -+ pax_track_stack();
69718 -+
69719 - switch (request) {
69720 - case PTRACE_PEEKTEXT:
69721 - case PTRACE_PEEKDATA:
69722 -@@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
69723 - ret = ptrace_setoptions(child, data);
69724 - break;
69725 - case PTRACE_GETEVENTMSG:
69726 -- ret = put_user(child->ptrace_message, (unsigned long __user *) data);
69727 -+ ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
69728 - break;
69729 -
69730 - case PTRACE_GETSIGINFO:
69731 - ret = ptrace_getsiginfo(child, &siginfo);
69732 - if (!ret)
69733 -- ret = copy_siginfo_to_user((siginfo_t __user *) data,
69734 -+ ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
69735 - &siginfo);
69736 - break;
69737 -
69738 - case PTRACE_SETSIGINFO:
69739 -- if (copy_from_user(&siginfo, (siginfo_t __user *) data,
69740 -+ if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
69741 - sizeof siginfo))
69742 - ret = -EFAULT;
69743 - else
69744 -@@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
69745 - goto out;
69746 - }
69747 -
69748 -+ if (gr_handle_ptrace(child, request)) {
69749 -+ ret = -EPERM;
69750 -+ goto out_put_task_struct;
69751 -+ }
69752 -+
69753 - if (request == PTRACE_ATTACH) {
69754 - ret = ptrace_attach(child);
69755 - /*
69756 - * Some architectures need to do book-keeping after
69757 - * a ptrace attach.
69758 - */
69759 -- if (!ret)
69760 -+ if (!ret) {
69761 - arch_ptrace_attach(child);
69762 -+ gr_audit_ptrace(child);
69763 -+ }
69764 - goto out_put_task_struct;
69765 - }
69766 -
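Review bot: gr_audit_ptrace(child) is only reached inside `if (!ret)`, so a PTRACE_ATTACH that ptrace_attach() rejects produces no audit record at this site. If failed attach attempts are supposed to be visible to the audit trail, the call needs a failure path as well. The same block is repeated verbatim in compat_sys_ptrace() further down, so whatever is decided should be applied in both places.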
69767 -@@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
69768 - copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
69769 - if (copied != sizeof(tmp))
69770 - return -EIO;
69771 -- return put_user(tmp, (unsigned long __user *)data);
69772 -+ return put_user(tmp, (__force unsigned long __user *)data);
69773 - }
69774 -
69775 - int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
69776 -@@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
69777 - siginfo_t siginfo;
69778 - int ret;
69779 -
69780 -+ pax_track_stack();
69781 -+
69782 - switch (request) {
69783 - case PTRACE_PEEKTEXT:
69784 - case PTRACE_PEEKDATA:
69785 -@@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
69786 - goto out;
69787 - }
69788 -
69789 -+ if (gr_handle_ptrace(child, request)) {
69790 -+ ret = -EPERM;
69791 -+ goto out_put_task_struct;
69792 -+ }
69793 -+
69794 - if (request == PTRACE_ATTACH) {
69795 - ret = ptrace_attach(child);
69796 - /*
69797 - * Some architectures need to do book-keeping after
69798 - * a ptrace attach.
69799 - */
69800 -- if (!ret)
69801 -+ if (!ret) {
69802 - arch_ptrace_attach(child);
69803 -+ gr_audit_ptrace(child);
69804 -+ }
69805 - goto out_put_task_struct;
69806 - }
69807 -
69808 -diff -urNp linux-2.6.32.46/kernel/rcutorture.c linux-2.6.32.46/kernel/rcutorture.c
69809 ---- linux-2.6.32.46/kernel/rcutorture.c 2011-03-27 14:31:47.000000000 -0400
69810 -+++ linux-2.6.32.46/kernel/rcutorture.c 2011-05-04 17:56:28.000000000 -0400
69811 -@@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
69812 - { 0 };
69813 - static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
69814 - { 0 };
69815 --static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69816 --static atomic_t n_rcu_torture_alloc;
69817 --static atomic_t n_rcu_torture_alloc_fail;
69818 --static atomic_t n_rcu_torture_free;
69819 --static atomic_t n_rcu_torture_mberror;
69820 --static atomic_t n_rcu_torture_error;
69821 -+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
69822 -+static atomic_unchecked_t n_rcu_torture_alloc;
69823 -+static atomic_unchecked_t n_rcu_torture_alloc_fail;
69824 -+static atomic_unchecked_t n_rcu_torture_free;
69825 -+static atomic_unchecked_t n_rcu_torture_mberror;
69826 -+static atomic_unchecked_t n_rcu_torture_error;
69827 - static long n_rcu_torture_timers;
69828 - static struct list_head rcu_torture_removed;
69829 - static cpumask_var_t shuffle_tmp_mask;
69830 -@@ -187,11 +187,11 @@ rcu_torture_alloc(void)
69831 -
69832 - spin_lock_bh(&rcu_torture_lock);
69833 - if (list_empty(&rcu_torture_freelist)) {
69834 -- atomic_inc(&n_rcu_torture_alloc_fail);
69835 -+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
69836 - spin_unlock_bh(&rcu_torture_lock);
69837 - return NULL;
69838 - }
69839 -- atomic_inc(&n_rcu_torture_alloc);
69840 -+ atomic_inc_unchecked(&n_rcu_torture_alloc);
69841 - p = rcu_torture_freelist.next;
69842 - list_del_init(p);
69843 - spin_unlock_bh(&rcu_torture_lock);
69844 -@@ -204,7 +204,7 @@ rcu_torture_alloc(void)
69845 - static void
69846 - rcu_torture_free(struct rcu_torture *p)
69847 - {
69848 -- atomic_inc(&n_rcu_torture_free);
69849 -+ atomic_inc_unchecked(&n_rcu_torture_free);
69850 - spin_lock_bh(&rcu_torture_lock);
69851 - list_add_tail(&p->rtort_free, &rcu_torture_freelist);
69852 - spin_unlock_bh(&rcu_torture_lock);
69853 -@@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
69854 - i = rp->rtort_pipe_count;
69855 - if (i > RCU_TORTURE_PIPE_LEN)
69856 - i = RCU_TORTURE_PIPE_LEN;
69857 -- atomic_inc(&rcu_torture_wcount[i]);
69858 -+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
69859 - if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69860 - rp->rtort_mbtest = 0;
69861 - rcu_torture_free(rp);
69862 -@@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
69863 - i = rp->rtort_pipe_count;
69864 - if (i > RCU_TORTURE_PIPE_LEN)
69865 - i = RCU_TORTURE_PIPE_LEN;
69866 -- atomic_inc(&rcu_torture_wcount[i]);
69867 -+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
69868 - if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
69869 - rp->rtort_mbtest = 0;
69870 - list_del(&rp->rtort_free);
69871 -@@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
69872 - i = old_rp->rtort_pipe_count;
69873 - if (i > RCU_TORTURE_PIPE_LEN)
69874 - i = RCU_TORTURE_PIPE_LEN;
69875 -- atomic_inc(&rcu_torture_wcount[i]);
69876 -+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
69877 - old_rp->rtort_pipe_count++;
69878 - cur_ops->deferred_free(old_rp);
69879 - }
69880 -@@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
69881 - return;
69882 - }
69883 - if (p->rtort_mbtest == 0)
69884 -- atomic_inc(&n_rcu_torture_mberror);
69885 -+ atomic_inc_unchecked(&n_rcu_torture_mberror);
69886 - spin_lock(&rand_lock);
69887 - cur_ops->read_delay(&rand);
69888 - n_rcu_torture_timers++;
69889 -@@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
69890 - continue;
69891 - }
69892 - if (p->rtort_mbtest == 0)
69893 -- atomic_inc(&n_rcu_torture_mberror);
69894 -+ atomic_inc_unchecked(&n_rcu_torture_mberror);
69895 - cur_ops->read_delay(&rand);
69896 - preempt_disable();
69897 - pipe_count = p->rtort_pipe_count;
69898 -@@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
69899 - rcu_torture_current,
69900 - rcu_torture_current_version,
69901 - list_empty(&rcu_torture_freelist),
69902 -- atomic_read(&n_rcu_torture_alloc),
69903 -- atomic_read(&n_rcu_torture_alloc_fail),
69904 -- atomic_read(&n_rcu_torture_free),
69905 -- atomic_read(&n_rcu_torture_mberror),
69906 -+ atomic_read_unchecked(&n_rcu_torture_alloc),
69907 -+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
69908 -+ atomic_read_unchecked(&n_rcu_torture_free),
69909 -+ atomic_read_unchecked(&n_rcu_torture_mberror),
69910 - n_rcu_torture_timers);
69911 -- if (atomic_read(&n_rcu_torture_mberror) != 0)
69912 -+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
69913 - cnt += sprintf(&page[cnt], " !!!");
69914 - cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
69915 - if (i > 1) {
69916 - cnt += sprintf(&page[cnt], "!!! ");
69917 -- atomic_inc(&n_rcu_torture_error);
69918 -+ atomic_inc_unchecked(&n_rcu_torture_error);
69919 - WARN_ON_ONCE(1);
69920 - }
69921 - cnt += sprintf(&page[cnt], "Reader Pipe: ");
69922 -@@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
69923 - cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
69924 - for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
69925 - cnt += sprintf(&page[cnt], " %d",
69926 -- atomic_read(&rcu_torture_wcount[i]));
69927 -+ atomic_read_unchecked(&rcu_torture_wcount[i]));
69928 - }
69929 - cnt += sprintf(&page[cnt], "\n");
69930 - if (cur_ops->stats)
69931 -@@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
69932 -
69933 - if (cur_ops->cleanup)
69934 - cur_ops->cleanup();
69935 -- if (atomic_read(&n_rcu_torture_error))
69936 -+ if (atomic_read_unchecked(&n_rcu_torture_error))
69937 - rcu_torture_print_module_parms("End of test: FAILURE");
69938 - else
69939 - rcu_torture_print_module_parms("End of test: SUCCESS");
69940 -@@ -1138,13 +1138,13 @@ rcu_torture_init(void)
69941 -
69942 - rcu_torture_current = NULL;
69943 - rcu_torture_current_version = 0;
69944 -- atomic_set(&n_rcu_torture_alloc, 0);
69945 -- atomic_set(&n_rcu_torture_alloc_fail, 0);
69946 -- atomic_set(&n_rcu_torture_free, 0);
69947 -- atomic_set(&n_rcu_torture_mberror, 0);
69948 -- atomic_set(&n_rcu_torture_error, 0);
69949 -+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
69950 -+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
69951 -+ atomic_set_unchecked(&n_rcu_torture_free, 0);
69952 -+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
69953 -+ atomic_set_unchecked(&n_rcu_torture_error, 0);
69954 - for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
69955 -- atomic_set(&rcu_torture_wcount[i], 0);
69956 -+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
69957 - for_each_possible_cpu(cpu) {
69958 - for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
69959 - per_cpu(rcu_torture_count, cpu)[i] = 0;
69960 -diff -urNp linux-2.6.32.46/kernel/rcutree.c linux-2.6.32.46/kernel/rcutree.c
69961 ---- linux-2.6.32.46/kernel/rcutree.c 2011-03-27 14:31:47.000000000 -0400
69962 -+++ linux-2.6.32.46/kernel/rcutree.c 2011-04-17 15:56:46.000000000 -0400
69963 -@@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
69964 - /*
69965 - * Do softirq processing for the current CPU.
69966 - */
69967 --static void rcu_process_callbacks(struct softirq_action *unused)
69968 -+static void rcu_process_callbacks(void)
69969 - {
69970 - /*
69971 - * Memory references from any prior RCU read-side critical sections
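Review bot: rcu_process_callbacks() changes from taking `struct softirq_action *unused` to `(void)`, but the registration of this handler is not part of the hunk. The prototype has to match what open_softirq() expects, so this is only correct if the softirq handler type is changed to a no-argument function elsewhere in the patch; please reference that change in the description.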
69972 -diff -urNp linux-2.6.32.46/kernel/rcutree_plugin.h linux-2.6.32.46/kernel/rcutree_plugin.h
69973 ---- linux-2.6.32.46/kernel/rcutree_plugin.h 2011-03-27 14:31:47.000000000 -0400
69974 -+++ linux-2.6.32.46/kernel/rcutree_plugin.h 2011-04-17 15:56:46.000000000 -0400
69975 -@@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
69976 - */
69977 - void __rcu_read_lock(void)
69978 - {
69979 -- ACCESS_ONCE(current->rcu_read_lock_nesting)++;
69980 -+ ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
69981 - barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
69982 - }
69983 - EXPORT_SYMBOL_GPL(__rcu_read_lock);
69984 -@@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
69985 - struct task_struct *t = current;
69986 -
69987 - barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
69988 -- if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
69989 -+ if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
69990 - unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
69991 - rcu_read_unlock_special(t);
69992 - }
69993 -diff -urNp linux-2.6.32.46/kernel/relay.c linux-2.6.32.46/kernel/relay.c
69994 ---- linux-2.6.32.46/kernel/relay.c 2011-03-27 14:31:47.000000000 -0400
69995 -+++ linux-2.6.32.46/kernel/relay.c 2011-05-16 21:46:57.000000000 -0400
69996 -@@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
69997 - unsigned int flags,
69998 - int *nonpad_ret)
69999 - {
70000 -- unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
70001 -+ unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
70002 - struct rchan_buf *rbuf = in->private_data;
70003 - unsigned int subbuf_size = rbuf->chan->subbuf_size;
70004 - uint64_t pos = (uint64_t) *ppos;
70005 -@@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
70006 - .ops = &relay_pipe_buf_ops,
70007 - .spd_release = relay_page_release,
70008 - };
70009 -+ ssize_t ret;
70010 -+
70011 -+ pax_track_stack();
70012 -
70013 - if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
70014 - return 0;
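Review bot: `ret` is widened from `unsigned int` to `ssize_t`, but the hunk header still shows the function as `static int subbuf_splice_actor(...)`, so a value that does not fit in int is truncated on return on 64-bit. Either keep `ret` as `int` or change the return type together with the variable.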
70015 -diff -urNp linux-2.6.32.46/kernel/resource.c linux-2.6.32.46/kernel/resource.c
70016 ---- linux-2.6.32.46/kernel/resource.c 2011-03-27 14:31:47.000000000 -0400
70017 -+++ linux-2.6.32.46/kernel/resource.c 2011-04-17 15:56:46.000000000 -0400
70018 -@@ -132,8 +132,18 @@ static const struct file_operations proc
70019 -
70020 - static int __init ioresources_init(void)
70021 - {
70022 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
70023 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
70024 -+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
70025 -+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
70026 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70027 -+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
70028 -+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
70029 -+#endif
70030 -+#else
70031 - proc_create("ioports", 0, NULL, &proc_ioports_operations);
70032 - proc_create("iomem", 0, NULL, &proc_iomem_operations);
70033 -+#endif
70034 - return 0;
70035 - }
70036 - __initcall(ioresources_init);
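Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner #ifdef/#elif in ioresources_init() has no #else, so neither "ioports" nor "iomem" is created and the function still returns 0. If hiding both files is the intent, say so in a comment; otherwise add an inner #else that creates them with S_IRUSR.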
70037 -diff -urNp linux-2.6.32.46/kernel/rtmutex-tester.c linux-2.6.32.46/kernel/rtmutex-tester.c
70038 ---- linux-2.6.32.46/kernel/rtmutex-tester.c 2011-03-27 14:31:47.000000000 -0400
70039 -+++ linux-2.6.32.46/kernel/rtmutex-tester.c 2011-05-04 17:56:28.000000000 -0400
70040 -@@ -21,7 +21,7 @@
70041 - #define MAX_RT_TEST_MUTEXES 8
70042 -
70043 - static spinlock_t rttest_lock;
70044 --static atomic_t rttest_event;
70045 -+static atomic_unchecked_t rttest_event;
70046 -
70047 - struct test_thread_data {
70048 - int opcode;
70049 -@@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
70050 -
70051 - case RTTEST_LOCKCONT:
70052 - td->mutexes[td->opdata] = 1;
70053 -- td->event = atomic_add_return(1, &rttest_event);
70054 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70055 - return 0;
70056 -
70057 - case RTTEST_RESET:
70058 -@@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
70059 - return 0;
70060 -
70061 - case RTTEST_RESETEVENT:
70062 -- atomic_set(&rttest_event, 0);
70063 -+ atomic_set_unchecked(&rttest_event, 0);
70064 - return 0;
70065 -
70066 - default:
70067 -@@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
70068 - return ret;
70069 -
70070 - td->mutexes[id] = 1;
70071 -- td->event = atomic_add_return(1, &rttest_event);
70072 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70073 - rt_mutex_lock(&mutexes[id]);
70074 -- td->event = atomic_add_return(1, &rttest_event);
70075 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70076 - td->mutexes[id] = 4;
70077 - return 0;
70078 -
70079 -@@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
70080 - return ret;
70081 -
70082 - td->mutexes[id] = 1;
70083 -- td->event = atomic_add_return(1, &rttest_event);
70084 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70085 - ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
70086 -- td->event = atomic_add_return(1, &rttest_event);
70087 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70088 - td->mutexes[id] = ret ? 0 : 4;
70089 - return ret ? -EINTR : 0;
70090 -
70091 -@@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
70092 - if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70093 - return ret;
70094 -
70095 -- td->event = atomic_add_return(1, &rttest_event);
70096 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70097 - rt_mutex_unlock(&mutexes[id]);
70098 -- td->event = atomic_add_return(1, &rttest_event);
70099 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70100 - td->mutexes[id] = 0;
70101 - return 0;
70102 -
70103 -@@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
70104 - break;
70105 -
70106 - td->mutexes[dat] = 2;
70107 -- td->event = atomic_add_return(1, &rttest_event);
70108 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70109 - break;
70110 -
70111 - case RTTEST_LOCKBKL:
70112 -@@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
70113 - return;
70114 -
70115 - td->mutexes[dat] = 3;
70116 -- td->event = atomic_add_return(1, &rttest_event);
70117 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70118 - break;
70119 -
70120 - case RTTEST_LOCKNOWAIT:
70121 -@@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
70122 - return;
70123 -
70124 - td->mutexes[dat] = 1;
70125 -- td->event = atomic_add_return(1, &rttest_event);
70126 -+ td->event = atomic_add_return_unchecked(1, &rttest_event);
70127 - return;
70128 -
70129 - case RTTEST_LOCKBKL:
70130 -diff -urNp linux-2.6.32.46/kernel/rtmutex.c linux-2.6.32.46/kernel/rtmutex.c
70131 ---- linux-2.6.32.46/kernel/rtmutex.c 2011-03-27 14:31:47.000000000 -0400
70132 -+++ linux-2.6.32.46/kernel/rtmutex.c 2011-04-17 15:56:46.000000000 -0400
70133 -@@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
70134 - */
70135 - spin_lock_irqsave(&pendowner->pi_lock, flags);
70136 -
70137 -- WARN_ON(!pendowner->pi_blocked_on);
70138 -+ BUG_ON(!pendowner->pi_blocked_on);
70139 - WARN_ON(pendowner->pi_blocked_on != waiter);
70140 - WARN_ON(pendowner->pi_blocked_on->lock != lock);
70141 -
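Review bot: The new BUG_ON(!pendowner->pi_blocked_on) fires with pendowner->pi_lock held and interrupts disabled by spin_lock_irqsave(), so a hit stops the CPU in that state instead of warning. The two checks after it stay WARN_ON, and the second one dereferences pi_blocked_on; if the upgrade is meant to stop before that dereference, a one-line comment saying so would explain the mixed BUG_ON/WARN_ON sequence.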
70142 -diff -urNp linux-2.6.32.46/kernel/sched.c linux-2.6.32.46/kernel/sched.c
70143 ---- linux-2.6.32.46/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400
70144 -+++ linux-2.6.32.46/kernel/sched.c 2011-08-21 19:29:25.000000000 -0400
70145 -@@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
70146 - {
70147 - unsigned long flags;
70148 - struct rq *rq;
70149 -- int cpu = get_cpu();
70150 -
70151 - #ifdef CONFIG_SMP
70152 -+ int cpu = get_cpu();
70153 -+
70154 - rq = task_rq_lock(p, &flags);
70155 - p->state = TASK_WAKING;
70156 -
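Review bot: Moving `int cpu = get_cpu();` below `#ifdef CONFIG_SMP` means the non-SMP build of wake_up_new_task() no longer calls get_cpu(). The matching put_cpu() is outside this hunk; check that it is SMP-only as well, otherwise the uniprocessor build releases a preempt count it never took.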
70157 -@@ -5043,7 +5044,7 @@ out:
70158 - * In CONFIG_NO_HZ case, the idle load balance owner will do the
70159 - * rebalancing for all the cpus for whom scheduler ticks are stopped.
70160 - */
70161 --static void run_rebalance_domains(struct softirq_action *h)
70162 -+static void run_rebalance_domains(void)
70163 - {
70164 - int this_cpu = smp_processor_id();
70165 - struct rq *this_rq = cpu_rq(this_cpu);
70166 -@@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
70167 - struct rq *rq;
70168 - int cpu;
70169 -
70170 -+ pax_track_stack();
70171 -+
70172 - need_resched:
70173 - preempt_disable();
70174 - cpu = smp_processor_id();
70175 -@@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
70176 - * Look out! "owner" is an entirely speculative pointer
70177 - * access and not reliable.
70178 - */
70179 --int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70180 -+int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70181 - {
70182 - unsigned int cpu;
70183 - struct rq *rq;
70184 -@@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
70185 - * DEBUG_PAGEALLOC could have unmapped it if
70186 - * the mutex owner just released it and exited.
70187 - */
70188 -- if (probe_kernel_address(&owner->cpu, cpu))
70189 -+ if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70190 - return 0;
70191 - #else
70192 -- cpu = owner->cpu;
70193 -+ cpu = task_thread_info(owner)->cpu;
70194 - #endif
70195 -
70196 - /*
70197 -@@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
70198 - /*
70199 - * Is that owner really running on that cpu?
70200 - */
70201 -- if (task_thread_info(rq->curr) != owner || need_resched())
70202 -+ if (rq->curr != owner || need_resched())
70203 - return 0;
70204 -
70205 - cpu_relax();
70206 -@@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
70207 - /* convert nice value [19,-20] to rlimit style value [1,40] */
70208 - int nice_rlim = 20 - nice;
70209 -
70210 -+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70211 -+
70212 - return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
70213 - capable(CAP_SYS_NICE));
70214 - }
70215 -@@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70216 - if (nice > 19)
70217 - nice = 19;
70218 -
70219 -- if (increment < 0 && !can_nice(current, nice))
70220 -+ if (increment < 0 && (!can_nice(current, nice) ||
70221 -+ gr_handle_chroot_nice()))
70222 - return -EPERM;
70223 -
70224 - retval = security_task_setnice(current, nice);
70225 -@@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int
70226 - long power;
70227 - int weight;
70228 -
70229 -- WARN_ON(!sd || !sd->groups);
70230 -+ BUG_ON(!sd || !sd->groups);
70231 -
70232 - if (cpu != group_first_cpu(sd->groups))
70233 - return;
70234 -diff -urNp linux-2.6.32.46/kernel/signal.c linux-2.6.32.46/kernel/signal.c
70235 ---- linux-2.6.32.46/kernel/signal.c 2011-04-17 17:00:52.000000000 -0400
70236 -+++ linux-2.6.32.46/kernel/signal.c 2011-08-16 21:15:58.000000000 -0400
70237 -@@ -41,12 +41,12 @@
70238 -
70239 - static struct kmem_cache *sigqueue_cachep;
70240 -
70241 --static void __user *sig_handler(struct task_struct *t, int sig)
70242 -+static __sighandler_t sig_handler(struct task_struct *t, int sig)
70243 - {
70244 - return t->sighand->action[sig - 1].sa.sa_handler;
70245 - }
70246 -
70247 --static int sig_handler_ignored(void __user *handler, int sig)
70248 -+static int sig_handler_ignored(__sighandler_t handler, int sig)
70249 - {
70250 - /* Is it explicitly or implicitly ignored? */
70251 - return handler == SIG_IGN ||
70252 -@@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
70253 - static int sig_task_ignored(struct task_struct *t, int sig,
70254 - int from_ancestor_ns)
70255 - {
70256 -- void __user *handler;
70257 -+ __sighandler_t handler;
70258 -
70259 - handler = sig_handler(t, sig);
70260 -
70261 -@@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
70262 - */
70263 - user = get_uid(__task_cred(t)->user);
70264 - atomic_inc(&user->sigpending);
70265 -+
70266 -+ if (!override_rlimit)
70267 -+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70268 - if (override_rlimit ||
70269 - atomic_read(&user->sigpending) <=
70270 - t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
70271 -@@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
70272 -
70273 - int unhandled_signal(struct task_struct *tsk, int sig)
70274 - {
70275 -- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70276 -+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70277 - if (is_global_init(tsk))
70278 - return 1;
70279 - if (handler != SIG_IGN && handler != SIG_DFL)
70280 -@@ -627,6 +630,13 @@ static int check_kill_permission(int sig
70281 - }
70282 - }
70283 -
70284 -+ /* allow glibc communication via tgkill to other threads in our
70285 -+ thread group */
70286 -+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
70287 -+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
70288 -+ && gr_handle_signal(t, sig))
70289 -+ return -EPERM;
70290 -+
70291 - return security_task_kill(t, info, sig, 0);
70292 - }
70293 -
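Review bot: In the added condition only SEND_SIG_NOINFO is excluded before info->si_code and info->si_pid are read. If any other special siginfo value can reach this point, those reads go through a sentinel pointer; testing is_si_special(info), as the force_sig_info and group_send_sig_info hunks in this file do, would cover all of them. The tgkill exemption (SI_TKILL, SIGRTMIN+1, matching tgid) is also written out again in do_send_specific and would be easier to keep consistent as one helper.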
70294 -@@ -968,7 +978,7 @@ __group_send_sig_info(int sig, struct si
70295 - return send_signal(sig, info, p, 1);
70296 - }
70297 -
70298 --static int
70299 -+int
70300 - specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70301 - {
70302 - return send_signal(sig, info, t, 0);
70303 -@@ -1005,6 +1015,7 @@ force_sig_info(int sig, struct siginfo *
70304 - unsigned long int flags;
70305 - int ret, blocked, ignored;
70306 - struct k_sigaction *action;
70307 -+ int is_unhandled = 0;
70308 -
70309 - spin_lock_irqsave(&t->sighand->siglock, flags);
70310 - action = &t->sighand->action[sig-1];
70311 -@@ -1019,9 +1030,18 @@ force_sig_info(int sig, struct siginfo *
70312 - }
70313 - if (action->sa.sa_handler == SIG_DFL)
70314 - t->signal->flags &= ~SIGNAL_UNKILLABLE;
70315 -+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70316 -+ is_unhandled = 1;
70317 - ret = specific_send_sig_info(sig, info, t);
70318 - spin_unlock_irqrestore(&t->sighand->siglock, flags);
70319 -
70320 -+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
70321 -+ normal operation */
70322 -+ if (is_unhandled) {
70323 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70324 -+ gr_handle_crash(t, sig);
70325 -+ }
70326 -+
70327 - return ret;
70328 - }
70329 -
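Review bot: gr_log_signal() and gr_handle_crash() run whenever is_unhandled is set, without looking at ret, while the group_send_sig_info hunk below logs only when the send succeeded (`if (!ret)`). Gate this block on !ret as well, or add a comment on why a failed specific_send_sig_info() should still be logged and treated as a crash.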
70330 -@@ -1081,8 +1101,11 @@ int group_send_sig_info(int sig, struct
70331 - {
70332 - int ret = check_kill_permission(sig, info, p);
70333 -
70334 -- if (!ret && sig)
70335 -+ if (!ret && sig) {
70336 - ret = do_send_sig_info(sig, info, p, true);
70337 -+ if (!ret)
70338 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70339 -+ }
70340 -
70341 - return ret;
70342 - }
70343 -@@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
70344 - {
70345 - siginfo_t info;
70346 -
70347 -+ pax_track_stack();
70348 -+
70349 - BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70350 -
70351 - memset(&info, 0, sizeof info);
70352 -@@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid,
70353 - int error = -ESRCH;
70354 -
70355 - rcu_read_lock();
70356 -- p = find_task_by_vpid(pid);
70357 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
70358 -+ /* allow glibc communication via tgkill to other threads in our
70359 -+ thread group */
70360 -+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
70361 -+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
70362 -+ p = find_task_by_vpid_unrestricted(pid);
70363 -+ else
70364 -+#endif
70365 -+ p = find_task_by_vpid(pid);
70366 - if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
70367 - error = check_kill_permission(sig, info, p);
70368 - /*
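Review bot: The `else` that closes the #ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK block binds to the `p = find_task_by_vpid(pid);` after the #endif, so the lookup is only correct as long as nothing is ever inserted between the two. Moving the choice between find_task_by_vpid_unrestricted() and find_task_by_vpid() into a small helper, with the #ifdef inside it, would remove the dangling else and give the duplicated tgkill test a single home.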
70369 -diff -urNp linux-2.6.32.46/kernel/smp.c linux-2.6.32.46/kernel/smp.c
70370 ---- linux-2.6.32.46/kernel/smp.c 2011-03-27 14:31:47.000000000 -0400
70371 -+++ linux-2.6.32.46/kernel/smp.c 2011-04-17 15:56:46.000000000 -0400
70372 -@@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
70373 - }
70374 - EXPORT_SYMBOL(smp_call_function);
70375 -
70376 --void ipi_call_lock(void)
70377 -+void ipi_call_lock(void) __acquires(call_function.lock)
70378 - {
70379 - spin_lock(&call_function.lock);
70380 - }
70381 -
70382 --void ipi_call_unlock(void)
70383 -+void ipi_call_unlock(void) __releases(call_function.lock)
70384 - {
70385 - spin_unlock(&call_function.lock);
70386 - }
70387 -
70388 --void ipi_call_lock_irq(void)
70389 -+void ipi_call_lock_irq(void) __acquires(call_function.lock)
70390 - {
70391 - spin_lock_irq(&call_function.lock);
70392 - }
70393 -
70394 --void ipi_call_unlock_irq(void)
70395 -+void ipi_call_unlock_irq(void) __releases(call_function.lock)
70396 - {
70397 - spin_unlock_irq(&call_function.lock);
70398 - }
70399 -diff -urNp linux-2.6.32.46/kernel/softirq.c linux-2.6.32.46/kernel/softirq.c
70400 ---- linux-2.6.32.46/kernel/softirq.c 2011-03-27 14:31:47.000000000 -0400
70401 -+++ linux-2.6.32.46/kernel/softirq.c 2011-08-05 20:33:55.000000000 -0400
70402 -@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70403 -
70404 - static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70405 -
70406 --char *softirq_to_name[NR_SOFTIRQS] = {
70407 -+const char * const softirq_to_name[NR_SOFTIRQS] = {
70408 - "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70409 - "TASKLET", "SCHED", "HRTIMER", "RCU"
70410 - };
70411 -@@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70412 -
70413 - asmlinkage void __do_softirq(void)
70414 - {
70415 -- struct softirq_action *h;
70416 -+ const struct softirq_action *h;
70417 - __u32 pending;
70418 - int max_restart = MAX_SOFTIRQ_RESTART;
70419 - int cpu;
70420 -@@ -233,7 +233,7 @@ restart:
70421 - kstat_incr_softirqs_this_cpu(h - softirq_vec);
70422 -
70423 - trace_softirq_entry(h, softirq_vec);
70424 -- h->action(h);
70425 -+ h->action();
70426 - trace_softirq_exit(h, softirq_vec);
70427 - if (unlikely(prev_count != preempt_count())) {
70428 - printk(KERN_ERR "huh, entered softirq %td %s %p"
70429 -@@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
70430 - local_irq_restore(flags);
70431 - }
70432 -
70433 --void open_softirq(int nr, void (*action)(struct softirq_action *))
70434 -+void open_softirq(int nr, void (*action)(void))
70435 - {
70436 -- softirq_vec[nr].action = action;
70437 -+ pax_open_kernel();
70438 -+ *(void **)&softirq_vec[nr].action = action;
70439 -+ pax_close_kernel();
70440 - }
70441 -
70442 - /*
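Review bot: open_softirq() now stores through `*(void **)&softirq_vec[nr].action` inside the pax_open_kernel()/pax_close_kernel() window, and nr (an int) is still used as the index without any range check. A BUG_ON(nr < 0 || nr >= NR_SOFTIRQS) before pax_open_kernel() would keep a bad caller from writing outside the array while the window is open. The void ** cast also discards the function-pointer type check, so a short comment on why it is needed would help.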
70443 -@@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
70444 -
70445 - EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70446 -
70447 --static void tasklet_action(struct softirq_action *a)
70448 -+static void tasklet_action(void)
70449 - {
70450 - struct tasklet_struct *list;
70451 -
70452 -@@ -454,7 +456,7 @@ static void tasklet_action(struct softir
70453 - }
70454 - }
70455 -
70456 --static void tasklet_hi_action(struct softirq_action *a)
70457 -+static void tasklet_hi_action(void)
70458 - {
70459 - struct tasklet_struct *list;
70460 -
70461 -diff -urNp linux-2.6.32.46/kernel/sys.c linux-2.6.32.46/kernel/sys.c
70462 ---- linux-2.6.32.46/kernel/sys.c 2011-03-27 14:31:47.000000000 -0400
70463 -+++ linux-2.6.32.46/kernel/sys.c 2011-08-11 19:51:54.000000000 -0400
70464 -@@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
70465 - error = -EACCES;
70466 - goto out;
70467 - }
70468 -+
70469 -+ if (gr_handle_chroot_setpriority(p, niceval)) {
70470 -+ error = -EACCES;
70471 -+ goto out;
70472 -+ }
70473 -+
70474 - no_nice = security_task_setnice(p, niceval);
70475 - if (no_nice) {
70476 - error = no_nice;
70477 -@@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
70478 - !(user = find_user(who)))
70479 - goto out_unlock; /* No processes for this user */
70480 -
70481 -- do_each_thread(g, p)
70482 -+ do_each_thread(g, p) {
70483 - if (__task_cred(p)->uid == who)
70484 - error = set_one_prio(p, niceval, error);
70485 -- while_each_thread(g, p);
70486 -+ } while_each_thread(g, p);
70487 - if (who != cred->uid)
70488 - free_uid(user); /* For find_user() */
70489 - break;
70490 -@@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
70491 - !(user = find_user(who)))
70492 - goto out_unlock; /* No processes for this user */
70493 -
70494 -- do_each_thread(g, p)
70495 -+ do_each_thread(g, p) {
70496 - if (__task_cred(p)->uid == who) {
70497 - niceval = 20 - task_nice(p);
70498 - if (niceval > retval)
70499 - retval = niceval;
70500 - }
70501 -- while_each_thread(g, p);
70502 -+ } while_each_thread(g, p);
70503 - if (who != cred->uid)
70504 - free_uid(user); /* for find_user() */
70505 - break;
70506 -@@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70507 - goto error;
70508 - }
70509 -
70510 -+ if (gr_check_group_change(new->gid, new->egid, -1))
70511 -+ goto error;
70512 -+
70513 - if (rgid != (gid_t) -1 ||
70514 - (egid != (gid_t) -1 && egid != old->gid))
70515 - new->sgid = new->egid;
70516 -@@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70517 - goto error;
70518 -
70519 - retval = -EPERM;
70520 -+
70521 -+ if (gr_check_group_change(gid, gid, gid))
70522 -+ goto error;
70523 -+
70524 - if (capable(CAP_SETGID))
70525 - new->gid = new->egid = new->sgid = new->fsgid = gid;
70526 - else if (gid == old->gid || gid == old->sgid)
70527 -@@ -567,12 +580,19 @@ static int set_user(struct cred *new)
70528 - if (!new_user)
70529 - return -EAGAIN;
70530 -
70531 -+ /*
70532 -+ * We don't fail in case of NPROC limit excess here because too many
70533 -+ * poorly written programs don't check set*uid() return code, assuming
70534 -+ * it never fails if called by root. We may still enforce NPROC limit
70535 -+ * for programs doing set*uid()+execve() by harmlessly deferring the
70536 -+ * failure to the execve() stage.
70537 -+ */
70538 - if (atomic_read(&new_user->processes) >=
70539 - current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
70540 -- new_user != INIT_USER) {
70541 -- free_uid(new_user);
70542 -- return -EAGAIN;
70543 -- }
70544 -+ new_user != INIT_USER)
70545 -+ current->flags |= PF_NPROC_EXCEEDED;
70546 -+ else
70547 -+ current->flags &= ~PF_NPROC_EXCEEDED;
70548 -
70549 - free_uid(new->user);
70550 - new->user = new_user;
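Review bot: With the `return -EAGAIN` path removed, set_user() only records the RLIMIT_NPROC excess in PF_NPROC_EXCEEDED, and the added comment defers the failure to execve(). That check is not part of this hunk; confirm the execve() side tests the flag, because without it the limit is no longer enforced for set*uid() callers at all.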
70551 -@@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70552 - goto error;
70553 - }
70554 -
70555 -+ if (gr_check_user_change(new->uid, new->euid, -1))
70556 -+ goto error;
70557 -+
70558 - if (new->uid != old->uid) {
70559 - retval = set_user(new);
70560 - if (retval < 0)
70561 -@@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70562 - goto error;
70563 -
70564 - retval = -EPERM;
70565 -+
70566 -+ if (gr_check_crash_uid(uid))
70567 -+ goto error;
70568 -+ if (gr_check_user_change(uid, uid, uid))
70569 -+ goto error;
70570 -+
70571 - if (capable(CAP_SETUID)) {
70572 - new->suid = new->uid = uid;
70573 - if (uid != old->uid) {
70574 -@@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70575 - goto error;
70576 - }
70577 -
70578 -+ if (gr_check_user_change(ruid, euid, -1))
70579 -+ goto error;
70580 -+
70581 - if (ruid != (uid_t) -1) {
70582 - new->uid = ruid;
70583 - if (ruid != old->uid) {
70584 -@@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70585 - goto error;
70586 - }
70587 -
70588 -+ if (gr_check_group_change(rgid, egid, -1))
70589 -+ goto error;
70590 -+
70591 - if (rgid != (gid_t) -1)
70592 - new->gid = rgid;
70593 - if (egid != (gid_t) -1)
70594 -@@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70595 - if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
70596 - goto error;
70597 -
70598 -+ if (gr_check_user_change(-1, -1, uid))
70599 -+ goto error;
70600 -+
70601 - if (uid == old->uid || uid == old->euid ||
70602 - uid == old->suid || uid == old->fsuid ||
70603 - capable(CAP_SETUID)) {
70604 -@@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70605 - if (gid == old->gid || gid == old->egid ||
70606 - gid == old->sgid || gid == old->fsgid ||
70607 - capable(CAP_SETGID)) {
70608 -+ if (gr_check_group_change(-1, -1, gid))
70609 -+ goto error;
70610 -+
70611 - if (gid != old_fsgid) {
70612 - new->fsgid = gid;
70613 - goto change_okay;
70614 -@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70615 - error = get_dumpable(me->mm);
70616 - break;
70617 - case PR_SET_DUMPABLE:
70618 -- if (arg2 < 0 || arg2 > 1) {
70619 -+ if (arg2 > 1) {
70620 - error = -EINVAL;
70621 - break;
70622 - }
70623 -diff -urNp linux-2.6.32.46/kernel/sysctl.c linux-2.6.32.46/kernel/sysctl.c
70624 ---- linux-2.6.32.46/kernel/sysctl.c 2011-03-27 14:31:47.000000000 -0400
70625 -+++ linux-2.6.32.46/kernel/sysctl.c 2011-04-17 15:56:46.000000000 -0400
70626 -@@ -63,6 +63,13 @@
70627 - static int deprecated_sysctl_warning(struct __sysctl_args *args);
70628 -
70629 - #if defined(CONFIG_SYSCTL)
70630 -+#include <linux/grsecurity.h>
70631 -+#include <linux/grinternal.h>
70632 -+
70633 -+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70634 -+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70635 -+ const int op);
70636 -+extern int gr_handle_chroot_sysctl(const int op);
70637 -
70638 - /* External variables not in a header file. */
70639 - extern int C_A_D;
70640 -@@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
70641 - static int proc_taint(struct ctl_table *table, int write,
70642 - void __user *buffer, size_t *lenp, loff_t *ppos);
70643 - #endif
70644 -+extern ctl_table grsecurity_table[];
70645 -
70646 - static struct ctl_table root_table[];
70647 - static struct ctl_table_root sysctl_table_root;
70648 -@@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
70649 - int sysctl_legacy_va_layout;
70650 - #endif
70651 -
70652 -+#ifdef CONFIG_PAX_SOFTMODE
70653 -+static ctl_table pax_table[] = {
70654 -+ {
70655 -+ .ctl_name = CTL_UNNUMBERED,
70656 -+ .procname = "softmode",
70657 -+ .data = &pax_softmode,
70658 -+ .maxlen = sizeof(unsigned int),
70659 -+ .mode = 0600,
70660 -+ .proc_handler = &proc_dointvec,
70661 -+ },
70662 -+
70663 -+ { .ctl_name = 0 }
70664 -+};
70665 -+#endif
70666 -+
70667 - extern int prove_locking;
70668 - extern int lock_stat;
70669 -
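Review bot: The "softmode" entry uses proc_dointvec with maxlen sizeof(unsigned int) and no bounds, so any integer, including a negative one, can be written into pax_softmode. If the variable is an on/off switch, proc_dointvec_minmax with extra1/extra2 set to 0 and 1 would reject everything else.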
70670 -@@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
70671 - #endif
70672 -
70673 - static struct ctl_table kern_table[] = {
70674 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
70675 -+ {
70676 -+ .ctl_name = CTL_UNNUMBERED,
70677 -+ .procname = "grsecurity",
70678 -+ .mode = 0500,
70679 -+ .child = grsecurity_table,
70680 -+ },
70681 -+#endif
70682 -+
70683 -+#ifdef CONFIG_PAX_SOFTMODE
70684 -+ {
70685 -+ .ctl_name = CTL_UNNUMBERED,
70686 -+ .procname = "pax",
70687 -+ .mode = 0500,
70688 -+ .child = pax_table,
70689 -+ },
70690 -+#endif
70691 -+
70692 - {
70693 - .ctl_name = CTL_UNNUMBERED,
70694 - .procname = "sched_child_runs_first",
70695 -@@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
70696 - .data = &modprobe_path,
70697 - .maxlen = KMOD_PATH_LEN,
70698 - .mode = 0644,
70699 -- .proc_handler = &proc_dostring,
70700 -- .strategy = &sysctl_string,
70701 -+ .proc_handler = &proc_dostring_modpriv,
70702 -+ .strategy = &sysctl_string_modpriv,
70703 - },
70704 - {
70705 - .ctl_name = CTL_UNNUMBERED,
70706 -@@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
70707 - .mode = 0644,
70708 - .proc_handler = &proc_dointvec
70709 - },
70710 -+ {
70711 -+ .procname = "heap_stack_gap",
70712 -+ .data = &sysctl_heap_stack_gap,
70713 -+ .maxlen = sizeof(sysctl_heap_stack_gap),
70714 -+ .mode = 0644,
70715 -+ .proc_handler = proc_doulongvec_minmax,
70716 -+ },
70717 - #else
70718 - {
70719 - .ctl_name = CTL_UNNUMBERED,
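Review bot: The "heap_stack_gap" entry selects proc_doulongvec_minmax but sets neither extra1 nor extra2, so no minimum or maximum is applied to the value written at mode 0644. It also leaves out `.ctl_name = CTL_UNNUMBERED`, which the neighbouring entry and the other entries added by this patch set explicitly. Add the bounds that make sense for the gap, or a comment that any value is acceptable, and set ctl_name for consistency.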
70720 -@@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
70721 - return 0;
70722 - }
70723 -
70724 -+static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
70725 -+
70726 - static int parse_table(int __user *name, int nlen,
70727 - void __user *oldval, size_t __user *oldlenp,
70728 - void __user *newval, size_t newlen,
70729 -@@ -1821,7 +1871,7 @@ repeat:
70730 - if (n == table->ctl_name) {
70731 - int error;
70732 - if (table->child) {
70733 -- if (sysctl_perm(root, table, MAY_EXEC))
70734 -+ if (sysctl_perm_nochk(root, table, MAY_EXEC))
70735 - return -EPERM;
70736 - name++;
70737 - nlen--;
70738 -@@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
70739 - int error;
70740 - int mode;
70741 -
70742 -+ if (table->parent != NULL && table->parent->procname != NULL &&
70743 -+ table->procname != NULL &&
70744 -+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
70745 -+ return -EACCES;
70746 -+ if (gr_handle_chroot_sysctl(op))
70747 -+ return -EACCES;
70748 -+ error = gr_handle_sysctl(table, op);
70749 -+ if (error)
70750 -+ return error;
70751 -+
70752 -+ error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
70753 -+ if (error)
70754 -+ return error;
70755 -+
70756 -+ if (root->permissions)
70757 -+ mode = root->permissions(root, current->nsproxy, table);
70758 -+ else
70759 -+ mode = table->mode;
70760 -+
70761 -+ return test_perm(mode, op);
70762 -+}
70763 -+
70764 -+int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
70765 -+{
70766 -+ int error;
70767 -+ int mode;
70768 -+
70769 - error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
70770 - if (error)
70771 - return error;
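Review bot: sysctl_perm_nochk() is forward-declared `static` earlier in this file but defined here without `static`; repeat the keyword on the definition so the linkage is obvious. Its body is also a second copy of the security_sysctl()/root->permissions/test_perm() sequence that now ends sysctl_perm(); letting sysctl_perm() run the gr_handle_sysctl_mod(), gr_handle_chroot_sysctl() and gr_handle_sysctl() checks and then call sysctl_perm_nochk() would keep the two from drifting apart. A comment on why parse_table() uses the unchecked variant for directories is missing too.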
70772 -@@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
70773 - buffer, lenp, ppos);
70774 - }
70775 -
70776 -+int proc_dostring_modpriv(struct ctl_table *table, int write,
70777 -+ void __user *buffer, size_t *lenp, loff_t *ppos)
70778 -+{
70779 -+ if (write && !capable(CAP_SYS_MODULE))
70780 -+ return -EPERM;
70781 -+
70782 -+ return _proc_do_string(table->data, table->maxlen, write,
70783 -+ buffer, lenp, ppos);
70784 -+}
70785 -+
70786 -
70787 - static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
70788 - int *valp,
70789 -@@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
70790 - vleft = table->maxlen / sizeof(unsigned long);
70791 - left = *lenp;
70792 -
70793 -- for (; left && vleft--; i++, min++, max++, first=0) {
70794 -+ for (; left && vleft--; i++, first=0) {
70795 - if (write) {
70796 - while (left) {
70797 - char c;
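Review bot: Dropping `min++, max++` from the for loop header means every element of the vector is now compared against the same min and max instead of advancing both with each element. That changes behaviour for any table that supplies one bound per element; state the reason in a comment next to the loop, or keep the stepping when the table holds more than one value.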
70798 -@@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
70799 - return -ENOSYS;
70800 - }
70801 -
70802 -+int proc_dostring_modpriv(struct ctl_table *table, int write,
70803 -+ void __user *buffer, size_t *lenp, loff_t *ppos)
70804 -+{
70805 -+ return -ENOSYS;
70806 -+}
70807 -+
70808 - int proc_dointvec(struct ctl_table *table, int write,
70809 - void __user *buffer, size_t *lenp, loff_t *ppos)
70810 - {
70811 -@@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
70812 - return 1;
70813 - }
70814 -
70815 -+int sysctl_string_modpriv(struct ctl_table *table,
70816 -+ void __user *oldval, size_t __user *oldlenp,
70817 -+ void __user *newval, size_t newlen)
70818 -+{
70819 -+ if (newval && newlen && !capable(CAP_SYS_MODULE))
70820 -+ return -EPERM;
70821 -+
70822 -+ return sysctl_string(table, oldval, oldlenp, newval, newlen);
70823 -+}
70824 -+
70825 - /*
70826 - * This function makes sure that all of the integers in the vector
70827 - * are between the minimum and maximum values given in the arrays
70828 -@@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
70829 - return -ENOSYS;
70830 - }
70831 -
70832 -+int sysctl_string_modpriv(struct ctl_table *table,
70833 -+ void __user *oldval, size_t __user *oldlenp,
70834 -+ void __user *newval, size_t newlen)
70835 -+{
70836 -+ return -ENOSYS;
70837 -+}
70838 -+
70839 - int sysctl_intvec(struct ctl_table *table,
70840 - void __user *oldval, size_t __user *oldlenp,
70841 - void __user *newval, size_t newlen)
70842 -@@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
70843 - EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
70844 - EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
70845 - EXPORT_SYMBOL(proc_dostring);
70846 -+EXPORT_SYMBOL(proc_dostring_modpriv);
70847 - EXPORT_SYMBOL(proc_doulongvec_minmax);
70848 - EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
70849 - EXPORT_SYMBOL(register_sysctl_table);
70850 -@@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
70851 - EXPORT_SYMBOL(sysctl_jiffies);
70852 - EXPORT_SYMBOL(sysctl_ms_jiffies);
70853 - EXPORT_SYMBOL(sysctl_string);
70854 -+EXPORT_SYMBOL(sysctl_string_modpriv);
70855 - EXPORT_SYMBOL(sysctl_data);
70856 - EXPORT_SYMBOL(unregister_sysctl_table);
70857 -diff -urNp linux-2.6.32.46/kernel/sysctl_check.c linux-2.6.32.46/kernel/sysctl_check.c
70858 ---- linux-2.6.32.46/kernel/sysctl_check.c 2011-03-27 14:31:47.000000000 -0400
70859 -+++ linux-2.6.32.46/kernel/sysctl_check.c 2011-04-17 15:56:46.000000000 -0400
70860 -@@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
70861 - } else {
70862 - if ((table->strategy == sysctl_data) ||
70863 - (table->strategy == sysctl_string) ||
70864 -+ (table->strategy == sysctl_string_modpriv) ||
70865 - (table->strategy == sysctl_intvec) ||
70866 - (table->strategy == sysctl_jiffies) ||
70867 - (table->strategy == sysctl_ms_jiffies) ||
70868 - (table->proc_handler == proc_dostring) ||
70869 -+ (table->proc_handler == proc_dostring_modpriv) ||
70870 - (table->proc_handler == proc_dointvec) ||
70871 - (table->proc_handler == proc_dointvec_minmax) ||
70872 - (table->proc_handler == proc_dointvec_jiffies) ||
70873 -diff -urNp linux-2.6.32.46/kernel/taskstats.c linux-2.6.32.46/kernel/taskstats.c
70874 ---- linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:04.000000000 -0400
70875 -+++ linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:19.000000000 -0400
70876 -@@ -26,9 +26,12 @@
70877 - #include <linux/cgroup.h>
70878 - #include <linux/fs.h>
70879 - #include <linux/file.h>
70880 -+#include <linux/grsecurity.h>
70881 - #include <net/genetlink.h>
70882 - #include <asm/atomic.h>
70883 -
70884 -+extern int gr_is_taskstats_denied(int pid);
70885 -+
70886 - /*
70887 - * Maximum length of a cpumask that can be specified in
70888 - * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
70889 -@@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
70890 - size_t size;
70891 - cpumask_var_t mask;
70892 -
70893 -+ if (gr_is_taskstats_denied(current->pid))
70894 -+ return -EACCES;
70895 -+
70896 - if (!alloc_cpumask_var(&mask, GFP_KERNEL))
70897 - return -ENOMEM;
70898 -
70899 -diff -urNp linux-2.6.32.46/kernel/time/tick-broadcast.c linux-2.6.32.46/kernel/time/tick-broadcast.c
70900 ---- linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:56:59.000000000 -0400
70901 -+++ linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:57:13.000000000 -0400
70902 -@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
70903 - * then clear the broadcast bit.
70904 - */
70905 - if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
70906 -- int cpu = smp_processor_id();
70907 -+ cpu = smp_processor_id();
70908 -
70909 - cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
70910 - tick_broadcast_clear_oneshot(cpu);
70911 -diff -urNp linux-2.6.32.46/kernel/time/timekeeping.c linux-2.6.32.46/kernel/time/timekeeping.c
70912 ---- linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:55:35.000000000 -0400
70913 -+++ linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:56:37.000000000 -0400
70914 -@@ -14,6 +14,7 @@
70915 - #include <linux/init.h>
70916 - #include <linux/mm.h>
70917 - #include <linux/sched.h>
70918 -+#include <linux/grsecurity.h>
70919 - #include <linux/sysdev.h>
70920 - #include <linux/clocksource.h>
70921 - #include <linux/jiffies.h>
70922 -@@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
70923 - */
70924 - struct timespec ts = xtime;
70925 - timespec_add_ns(&ts, nsec);
70926 -- ACCESS_ONCE(xtime_cache) = ts;
70927 -+ ACCESS_ONCE_RW(xtime_cache) = ts;
70928 - }
70929 -
70930 - /* must hold xtime_lock */
70931 -@@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
70932 - if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
70933 - return -EINVAL;
70934 -
70935 -+ gr_log_timechange();
70936 -+
70937 - write_seqlock_irqsave(&xtime_lock, flags);
70938 -
70939 - timekeeping_forward_now();
70940 -diff -urNp linux-2.6.32.46/kernel/time/timer_list.c linux-2.6.32.46/kernel/time/timer_list.c
70941 ---- linux-2.6.32.46/kernel/time/timer_list.c 2011-03-27 14:31:47.000000000 -0400
70942 -+++ linux-2.6.32.46/kernel/time/timer_list.c 2011-04-17 15:56:46.000000000 -0400
70943 -@@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
70944 -
70945 - static void print_name_offset(struct seq_file *m, void *sym)
70946 - {
70947 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
70948 -+ SEQ_printf(m, "<%p>", NULL);
70949 -+#else
70950 - char symname[KSYM_NAME_LEN];
70951 -
70952 - if (lookup_symbol_name((unsigned long)sym, symname) < 0)
70953 - SEQ_printf(m, "<%p>", sym);
70954 - else
70955 - SEQ_printf(m, "%s", symname);
70956 -+#endif
70957 - }
70958 -
70959 - static void
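Review bot: under CONFIG_GRKERNSEC_HIDESYM print_name_offset() prints `"<%p>"` with a constant NULL, so the text that ends up in the file depends on how vsprintf renders a null pointer, and this same patch changes that rendering in lib/vsprintf.c from "(null)" to "(nil)". A literal placeholder string would be stable and would not need a format conversion. The branch also discards the symbol name along with the address; if only the address is sensitive, say in a comment why the name has to go too.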
70960 -@@ -112,7 +116,11 @@ next_one:
70961 - static void
70962 - print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
70963 - {
70964 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
70965 -+ SEQ_printf(m, " .base: %p\n", NULL);
70966 -+#else
70967 - SEQ_printf(m, " .base: %p\n", base);
70968 -+#endif
70969 - SEQ_printf(m, " .index: %d\n",
70970 - base->index);
70971 - SEQ_printf(m, " .resolution: %Lu nsecs\n",
70972 -@@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
70973 - {
70974 - struct proc_dir_entry *pe;
70975 -
70976 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
70977 -+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
70978 -+#else
70979 - pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
70980 -+#endif
70981 - if (!pe)
70982 - return -ENOMEM;
70983 - return 0;
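Review bot: the 0400 mode in init_timer_list_procfs() is gated on CONFIG_GRKERNSEC_PROC_ADD, while the pointer hiding in the two earlier hunks of this file is gated on CONFIG_GRKERNSEC_HIDESYM. With only HIDESYM set the file stays 0444, and with only PROC_ADD set a root reader still gets raw addresses. If the two options are meant to be independent here, a one-line comment at the proc_create() call would save the next reader from wondering.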
70984 -diff -urNp linux-2.6.32.46/kernel/time/timer_stats.c linux-2.6.32.46/kernel/time/timer_stats.c
70985 ---- linux-2.6.32.46/kernel/time/timer_stats.c 2011-03-27 14:31:47.000000000 -0400
70986 -+++ linux-2.6.32.46/kernel/time/timer_stats.c 2011-05-04 17:56:28.000000000 -0400
70987 -@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
70988 - static unsigned long nr_entries;
70989 - static struct entry entries[MAX_ENTRIES];
70990 -
70991 --static atomic_t overflow_count;
70992 -+static atomic_unchecked_t overflow_count;
70993 -
70994 - /*
70995 - * The entries are in a hash-table, for fast lookup:
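Review bot: `overflow_count` is switched to atomic_unchecked_t with no comment saying why this counter is exempt from the checked atomic type. The later hunks in this file convert every visible access (set, inc, both reads) consistently, which is good; add a short note at the declaration that this is a statistics counter and not a reference count, so the exemption is reviewable later.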
70996 -@@ -140,7 +140,7 @@ static void reset_entries(void)
70997 - nr_entries = 0;
70998 - memset(entries, 0, sizeof(entries));
70999 - memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
71000 -- atomic_set(&overflow_count, 0);
71001 -+ atomic_set_unchecked(&overflow_count, 0);
71002 - }
71003 -
71004 - static struct entry *alloc_entry(void)
71005 -@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
71006 - if (likely(entry))
71007 - entry->count++;
71008 - else
71009 -- atomic_inc(&overflow_count);
71010 -+ atomic_inc_unchecked(&overflow_count);
71011 -
71012 - out_unlock:
71013 - spin_unlock_irqrestore(lock, flags);
71014 -@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
71015 -
71016 - static void print_name_offset(struct seq_file *m, unsigned long addr)
71017 - {
71018 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
71019 -+ seq_printf(m, "<%p>", NULL);
71020 -+#else
71021 - char symname[KSYM_NAME_LEN];
71022 -
71023 - if (lookup_symbol_name(addr, symname) < 0)
71024 - seq_printf(m, "<%p>", (void *)addr);
71025 - else
71026 - seq_printf(m, "%s", symname);
71027 -+#endif
71028 - }
71029 -
71030 - static int tstats_show(struct seq_file *m, void *v)
71031 -@@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
71032 -
71033 - seq_puts(m, "Timer Stats Version: v0.2\n");
71034 - seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
71035 -- if (atomic_read(&overflow_count))
71036 -+ if (atomic_read_unchecked(&overflow_count))
71037 - seq_printf(m, "Overflow: %d entries\n",
71038 -- atomic_read(&overflow_count));
71039 -+ atomic_read_unchecked(&overflow_count));
71040 -
71041 - for (i = 0; i < nr_entries; i++) {
71042 - entry = entries + i;
71043 -@@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
71044 - {
71045 - struct proc_dir_entry *pe;
71046 -
71047 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
71048 -+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
71049 -+#else
71050 - pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
71051 -+#endif
71052 - if (!pe)
71053 - return -ENOMEM;
71054 - return 0;
71055 -diff -urNp linux-2.6.32.46/kernel/time.c linux-2.6.32.46/kernel/time.c
71056 ---- linux-2.6.32.46/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
71057 -+++ linux-2.6.32.46/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
71058 -@@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
71059 - return error;
71060 -
71061 - if (tz) {
71062 -+ /* we log in do_settimeofday called below, so don't log twice
71063 -+ */
71064 -+ if (!tv)
71065 -+ gr_log_timechange();
71066 -+
71067 - /* SMP safe, global irq locking makes it work. */
71068 - sys_tz = *tz;
71069 - update_vsyscall_tz();
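Review bot: the `if (!tv)` guard in do_sys_settimeofday() emits the same gr_log_timechange() record for a timezone-only update that do_settimeofday() emits for a clock change, so the log cannot tell the two events apart. Consider a separate message or an argument that distinguishes them. The no-double-logging invariant is also only stated in the comment; it holds as long as do_settimeofday() remains the single other call site.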
71070 -@@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
71071 - * Avoid unnecessary multiplications/divisions in the
71072 - * two most common HZ cases:
71073 - */
71074 --unsigned int inline jiffies_to_msecs(const unsigned long j)
71075 -+inline unsigned int jiffies_to_msecs(const unsigned long j)
71076 - {
71077 - #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
71078 - return (MSEC_PER_SEC / HZ) * j;
71079 -@@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
71080 - }
71081 - EXPORT_SYMBOL(jiffies_to_msecs);
71082 -
71083 --unsigned int inline jiffies_to_usecs(const unsigned long j)
71084 -+inline unsigned int jiffies_to_usecs(const unsigned long j)
71085 - {
71086 - #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
71087 - return (USEC_PER_SEC / HZ) * j;
71088 -diff -urNp linux-2.6.32.46/kernel/timer.c linux-2.6.32.46/kernel/timer.c
71089 ---- linux-2.6.32.46/kernel/timer.c 2011-03-27 14:31:47.000000000 -0400
71090 -+++ linux-2.6.32.46/kernel/timer.c 2011-04-17 15:56:46.000000000 -0400
71091 -@@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
71092 - /*
71093 - * This function runs timers and the timer-tq in bottom half context.
71094 - */
71095 --static void run_timer_softirq(struct softirq_action *h)
71096 -+static void run_timer_softirq(void)
71097 - {
71098 - struct tvec_base *base = __get_cpu_var(tvec_bases);
71099 -
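Review bot: changing run_timer_softirq() from `(struct softirq_action *h)` to `(void)` has to match the handler type at the place where the function is registered, and neither the registration nor the type change is visible in this hunk. Keep the signature change and the handler typedef change in the same logical patch so a partial apply fails at compile time instead of producing a mismatched function pointer.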
71100 -diff -urNp linux-2.6.32.46/kernel/trace/blktrace.c linux-2.6.32.46/kernel/trace/blktrace.c
71101 ---- linux-2.6.32.46/kernel/trace/blktrace.c 2011-03-27 14:31:47.000000000 -0400
71102 -+++ linux-2.6.32.46/kernel/trace/blktrace.c 2011-05-04 17:56:28.000000000 -0400
71103 -@@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
71104 - struct blk_trace *bt = filp->private_data;
71105 - char buf[16];
71106 -
71107 -- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
71108 -+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
71109 -
71110 - return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
71111 - }
71112 -@@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
71113 - return 1;
71114 -
71115 - bt = buf->chan->private_data;
71116 -- atomic_inc(&bt->dropped);
71117 -+ atomic_inc_unchecked(&bt->dropped);
71118 - return 0;
71119 - }
71120 -
71121 -@@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
71122 -
71123 - bt->dir = dir;
71124 - bt->dev = dev;
71125 -- atomic_set(&bt->dropped, 0);
71126 -+ atomic_set_unchecked(&bt->dropped, 0);
71127 -
71128 - ret = -EIO;
71129 - bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
71130 -diff -urNp linux-2.6.32.46/kernel/trace/ftrace.c linux-2.6.32.46/kernel/trace/ftrace.c
71131 ---- linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:55:35.000000000 -0400
71132 -+++ linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:56:37.000000000 -0400
71133 -@@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
71134 -
71135 - ip = rec->ip;
71136 -
71137 -+ ret = ftrace_arch_code_modify_prepare();
71138 -+ FTRACE_WARN_ON(ret);
71139 -+ if (ret)
71140 -+ return 0;
71141 -+
71142 - ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
71143 -+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
71144 - if (ret) {
71145 - ftrace_bug(ret, ip);
71146 - rec->flags |= FTRACE_FL_FAILED;
71147 -- return 0;
71148 - }
71149 -- return 1;
71150 -+ return ret ? 0 : 1;
71151 - }
71152 -
71153 - /*
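Review bot: the two new failure paths in ftrace_code_disable() are handled differently from the existing one. When ftrace_arch_code_modify_prepare() fails, the function returns 0 without calling ftrace_bug() or setting FTRACE_FL_FAILED on `rec`, unlike a failure of ftrace_make_nop(). When ftrace_arch_code_modify_post_process() fails, the result is only passed to FTRACE_WARN_ON() and the function can still return 1. Either mark the record failed in both cases or document why a warning is enough.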
71154 -diff -urNp linux-2.6.32.46/kernel/trace/ring_buffer.c linux-2.6.32.46/kernel/trace/ring_buffer.c
71155 ---- linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-03-27 14:31:47.000000000 -0400
71156 -+++ linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-04-17 15:56:46.000000000 -0400
71157 -@@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
71158 - * the reader page). But if the next page is a header page,
71159 - * its flags will be non zero.
71160 - */
71161 --static int inline
71162 -+static inline int
71163 - rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
71164 - struct buffer_page *page, struct list_head *list)
71165 - {
71166 -diff -urNp linux-2.6.32.46/kernel/trace/trace.c linux-2.6.32.46/kernel/trace/trace.c
71167 ---- linux-2.6.32.46/kernel/trace/trace.c 2011-03-27 14:31:47.000000000 -0400
71168 -+++ linux-2.6.32.46/kernel/trace/trace.c 2011-05-16 21:46:57.000000000 -0400
71169 -@@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
71170 - size_t rem;
71171 - unsigned int i;
71172 -
71173 -+ pax_track_stack();
71174 -+
71175 - /* copy the tracer to avoid using a global lock all around */
71176 - mutex_lock(&trace_types_lock);
71177 - if (unlikely(old_tracer != current_trace && current_trace)) {
71178 -@@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
71179 - int entries, size, i;
71180 - size_t ret;
71181 -
71182 -+ pax_track_stack();
71183 -+
71184 - if (*ppos & (PAGE_SIZE - 1)) {
71185 - WARN_ONCE(1, "Ftrace: previous read must page-align\n");
71186 - return -EINVAL;
71187 -@@ -3816,10 +3820,9 @@ static const struct file_operations trac
71188 - };
71189 - #endif
71190 -
71191 --static struct dentry *d_tracer;
71192 --
71193 - struct dentry *tracing_init_dentry(void)
71194 - {
71195 -+ static struct dentry *d_tracer;
71196 - static int once;
71197 -
71198 - if (d_tracer)
71199 -@@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
71200 - return d_tracer;
71201 - }
71202 -
71203 --static struct dentry *d_percpu;
71204 --
71205 - struct dentry *tracing_dentry_percpu(void)
71206 - {
71207 -+ static struct dentry *d_percpu;
71208 - static int once;
71209 - struct dentry *d_tracer;
71210 -
71211 -diff -urNp linux-2.6.32.46/kernel/trace/trace_events.c linux-2.6.32.46/kernel/trace/trace_events.c
71212 ---- linux-2.6.32.46/kernel/trace/trace_events.c 2011-03-27 14:31:47.000000000 -0400
71213 -+++ linux-2.6.32.46/kernel/trace/trace_events.c 2011-08-05 20:33:55.000000000 -0400
71214 -@@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
71215 - * Modules must own their file_operations to keep up with
71216 - * reference counting.
71217 - */
71218 -+
71219 - struct ftrace_module_file_ops {
71220 - struct list_head list;
71221 - struct module *mod;
71222 -- struct file_operations id;
71223 -- struct file_operations enable;
71224 -- struct file_operations format;
71225 -- struct file_operations filter;
71226 - };
71227 -
71228 - static void remove_subsystem_dir(const char *name)
71229 -@@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
71230 -
71231 - file_ops->mod = mod;
71232 -
71233 -- file_ops->id = ftrace_event_id_fops;
71234 -- file_ops->id.owner = mod;
71235 --
71236 -- file_ops->enable = ftrace_enable_fops;
71237 -- file_ops->enable.owner = mod;
71238 --
71239 -- file_ops->filter = ftrace_event_filter_fops;
71240 -- file_ops->filter.owner = mod;
71241 --
71242 -- file_ops->format = ftrace_event_format_fops;
71243 -- file_ops->format.owner = mod;
71244 -+ pax_open_kernel();
71245 -+ *(void **)&mod->trace_id.owner = mod;
71246 -+ *(void **)&mod->trace_enable.owner = mod;
71247 -+ *(void **)&mod->trace_filter.owner = mod;
71248 -+ *(void **)&mod->trace_format.owner = mod;
71249 -+ pax_close_kernel();
71250 -
71251 - list_add(&file_ops->list, &ftrace_module_file_list);
71252 -
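Review bot: trace_create_file_ops() used to copy the template operations first (`file_ops->id = ftrace_event_id_fops;` and the three siblings) and then set `.owner`; the new code only writes `.owner` into `mod->trace_id`, `mod->trace_enable`, `mod->trace_filter` and `mod->trace_format`. Where those four structures get their remaining members is not visible in this hunk, so the patch should make that initialization easy to find, for example with a comment pointing at it. The `*(void **)&...owner` casts inside pax_open_kernel()/pax_close_kernel() also deserve a line explaining that they write through a field that is otherwise treated as read-only.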
71253 -@@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
71254 - call->mod = mod;
71255 - list_add(&call->list, &ftrace_events);
71256 - event_create_dir(call, d_events,
71257 -- &file_ops->id, &file_ops->enable,
71258 -- &file_ops->filter, &file_ops->format);
71259 -+ &mod->trace_id, &mod->trace_enable,
71260 -+ &mod->trace_filter, &mod->trace_format);
71261 - }
71262 - }
71263 -
71264 -diff -urNp linux-2.6.32.46/kernel/trace/trace_mmiotrace.c linux-2.6.32.46/kernel/trace/trace_mmiotrace.c
71265 ---- linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-03-27 14:31:47.000000000 -0400
71266 -+++ linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-05-04 17:56:28.000000000 -0400
71267 -@@ -23,7 +23,7 @@ struct header_iter {
71268 - static struct trace_array *mmio_trace_array;
71269 - static bool overrun_detected;
71270 - static unsigned long prev_overruns;
71271 --static atomic_t dropped_count;
71272 -+static atomic_unchecked_t dropped_count;
71273 -
71274 - static void mmio_reset_data(struct trace_array *tr)
71275 - {
71276 -@@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
71277 -
71278 - static unsigned long count_overruns(struct trace_iterator *iter)
71279 - {
71280 -- unsigned long cnt = atomic_xchg(&dropped_count, 0);
71281 -+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71282 - unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71283 -
71284 - if (over > prev_overruns)
71285 -@@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
71286 - event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71287 - sizeof(*entry), 0, pc);
71288 - if (!event) {
71289 -- atomic_inc(&dropped_count);
71290 -+ atomic_inc_unchecked(&dropped_count);
71291 - return;
71292 - }
71293 - entry = ring_buffer_event_data(event);
71294 -@@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
71295 - event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71296 - sizeof(*entry), 0, pc);
71297 - if (!event) {
71298 -- atomic_inc(&dropped_count);
71299 -+ atomic_inc_unchecked(&dropped_count);
71300 - return;
71301 - }
71302 - entry = ring_buffer_event_data(event);
71303 -diff -urNp linux-2.6.32.46/kernel/trace/trace_output.c linux-2.6.32.46/kernel/trace/trace_output.c
71304 ---- linux-2.6.32.46/kernel/trace/trace_output.c 2011-03-27 14:31:47.000000000 -0400
71305 -+++ linux-2.6.32.46/kernel/trace/trace_output.c 2011-04-17 15:56:46.000000000 -0400
71306 -@@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
71307 - return 0;
71308 - p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71309 - if (!IS_ERR(p)) {
71310 -- p = mangle_path(s->buffer + s->len, p, "\n");
71311 -+ p = mangle_path(s->buffer + s->len, p, "\n\\");
71312 - if (p) {
71313 - s->len = p - s->buffer;
71314 - return 1;
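Review bot: the escape set passed to mangle_path() in trace_seq_path() grows from `"\n"` to `"\n\\"` with no comment explaining the reason. Presumably the intent is that a literal backslash in a path can no longer be mistaken for the start of an escape sequence in the trace output; state that next to the call, and check whether other mangle_path() callers need the same set.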
71315 -diff -urNp linux-2.6.32.46/kernel/trace/trace_stack.c linux-2.6.32.46/kernel/trace/trace_stack.c
71316 ---- linux-2.6.32.46/kernel/trace/trace_stack.c 2011-03-27 14:31:47.000000000 -0400
71317 -+++ linux-2.6.32.46/kernel/trace/trace_stack.c 2011-04-17 15:56:46.000000000 -0400
71318 -@@ -50,7 +50,7 @@ static inline void check_stack(void)
71319 - return;
71320 -
71321 - /* we do not handle interrupt stacks yet */
71322 -- if (!object_is_on_stack(&this_size))
71323 -+ if (!object_starts_on_stack(&this_size))
71324 - return;
71325 -
71326 - local_irq_save(flags);
71327 -diff -urNp linux-2.6.32.46/kernel/trace/trace_workqueue.c linux-2.6.32.46/kernel/trace/trace_workqueue.c
71328 ---- linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-03-27 14:31:47.000000000 -0400
71329 -+++ linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-04-17 15:56:46.000000000 -0400
71330 -@@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
71331 - int cpu;
71332 - pid_t pid;
71333 - /* Can be inserted from interrupt or user context, need to be atomic */
71334 -- atomic_t inserted;
71335 -+ atomic_unchecked_t inserted;
71336 - /*
71337 - * Don't need to be atomic, works are serialized in a single workqueue thread
71338 - * on a single CPU.
71339 -@@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
71340 - spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71341 - list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71342 - if (node->pid == wq_thread->pid) {
71343 -- atomic_inc(&node->inserted);
71344 -+ atomic_inc_unchecked(&node->inserted);
71345 - goto found;
71346 - }
71347 - }
71348 -@@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
71349 - tsk = get_pid_task(pid, PIDTYPE_PID);
71350 - if (tsk) {
71351 - seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71352 -- atomic_read(&cws->inserted), cws->executed,
71353 -+ atomic_read_unchecked(&cws->inserted), cws->executed,
71354 - tsk->comm);
71355 - put_task_struct(tsk);
71356 - }
71357 -diff -urNp linux-2.6.32.46/kernel/user.c linux-2.6.32.46/kernel/user.c
71358 ---- linux-2.6.32.46/kernel/user.c 2011-03-27 14:31:47.000000000 -0400
71359 -+++ linux-2.6.32.46/kernel/user.c 2011-04-17 15:56:46.000000000 -0400
71360 -@@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
71361 - spin_lock_irq(&uidhash_lock);
71362 - up = uid_hash_find(uid, hashent);
71363 - if (up) {
71364 -+ put_user_ns(ns);
71365 - key_put(new->uid_keyring);
71366 - key_put(new->session_keyring);
71367 - kmem_cache_free(uid_cachep, new);
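Review bot: the added `put_user_ns(ns);` in the `if (up)` branch of alloc_uid() releases a namespace reference whose acquisition is not visible in this hunk. A comment pairing it with the matching get would make the balance checkable, and any other exit path that frees `new` should be checked for the same put.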
71368 -diff -urNp linux-2.6.32.46/lib/Kconfig.debug linux-2.6.32.46/lib/Kconfig.debug
71369 ---- linux-2.6.32.46/lib/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
71370 -+++ linux-2.6.32.46/lib/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
71371 -@@ -905,7 +905,7 @@ config LATENCYTOP
71372 - select STACKTRACE
71373 - select SCHEDSTATS
71374 - select SCHED_DEBUG
71375 -- depends on HAVE_LATENCYTOP_SUPPORT
71376 -+ depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
71377 - help
71378 - Enable this option if you want to use the LatencyTOP tool
71379 - to find out which userspace is blocking on what kernel operations.
71380 -diff -urNp linux-2.6.32.46/lib/bitmap.c linux-2.6.32.46/lib/bitmap.c
71381 ---- linux-2.6.32.46/lib/bitmap.c 2011-03-27 14:31:47.000000000 -0400
71382 -+++ linux-2.6.32.46/lib/bitmap.c 2011-10-06 09:37:14.000000000 -0400
71383 -@@ -341,7 +341,7 @@ int __bitmap_parse(const char *buf, unsi
71384 - {
71385 - int c, old_c, totaldigits, ndigits, nchunks, nbits;
71386 - u32 chunk;
71387 -- const char __user *ubuf = buf;
71388 -+ const char __user *ubuf = (const char __force_user *)buf;
71389 -
71390 - bitmap_zero(maskp, nmaskbits);
71391 -
71392 -@@ -426,7 +426,7 @@ int bitmap_parse_user(const char __user
71393 - {
71394 - if (!access_ok(VERIFY_READ, ubuf, ulen))
71395 - return -EFAULT;
71396 -- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
71397 -+ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
71398 - }
71399 - EXPORT_SYMBOL(bitmap_parse_user);
71400 -
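Review bot: bitmap_parse_user() now force-casts the user pointer to a kernel pointer with `__force_kernel`, and __bitmap_parse() force-casts the same value back with `__force_user` in the earlier hunk. The round trip silences the address-space annotation on both ends, so a static checker can no longer catch a caller that passes the wrong kind of pointer together with the wrong `is_user` value. A short comment at both casts naming the other side would at least document the contract.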
71401 -diff -urNp linux-2.6.32.46/lib/bug.c linux-2.6.32.46/lib/bug.c
71402 ---- linux-2.6.32.46/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
71403 -+++ linux-2.6.32.46/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
71404 -@@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
71405 - return BUG_TRAP_TYPE_NONE;
71406 -
71407 - bug = find_bug(bugaddr);
71408 -+ if (!bug)
71409 -+ return BUG_TRAP_TYPE_NONE;
71410 -
71411 - printk(KERN_EMERG "------------[ cut here ]------------\n");
71412 -
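Review bot: the new `if (!bug)` check after find_bug() in report_bug() returns BUG_TRAP_TYPE_NONE without logging, which is the same result as the early return just above it, so a trap at an address with no bug table entry leaves no trace from this function. The guard itself is right, since `bug` is used after this point; add a comment saying the silent return is intended, or log once before returning.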
71413 -diff -urNp linux-2.6.32.46/lib/debugobjects.c linux-2.6.32.46/lib/debugobjects.c
71414 ---- linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:04.000000000 -0400
71415 -+++ linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:19.000000000 -0400
71416 -@@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
71417 - if (limit > 4)
71418 - return;
71419 -
71420 -- is_on_stack = object_is_on_stack(addr);
71421 -+ is_on_stack = object_starts_on_stack(addr);
71422 - if (is_on_stack == onstack)
71423 - return;
71424 -
71425 -diff -urNp linux-2.6.32.46/lib/devres.c linux-2.6.32.46/lib/devres.c
71426 ---- linux-2.6.32.46/lib/devres.c 2011-03-27 14:31:47.000000000 -0400
71427 -+++ linux-2.6.32.46/lib/devres.c 2011-10-06 09:37:14.000000000 -0400
71428 -@@ -80,7 +80,7 @@ void devm_iounmap(struct device *dev, vo
71429 - {
71430 - iounmap(addr);
71431 - WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
71432 -- (void *)addr));
71433 -+ (void __force *)addr));
71434 - }
71435 - EXPORT_SYMBOL(devm_iounmap);
71436 -
71437 -@@ -140,7 +140,7 @@ void devm_ioport_unmap(struct device *de
71438 - {
71439 - ioport_unmap(addr);
71440 - WARN_ON(devres_destroy(dev, devm_ioport_map_release,
71441 -- devm_ioport_map_match, (void *)addr));
71442 -+ devm_ioport_map_match, (void __force *)addr));
71443 - }
71444 - EXPORT_SYMBOL(devm_ioport_unmap);
71445 -
71446 -diff -urNp linux-2.6.32.46/lib/dma-debug.c linux-2.6.32.46/lib/dma-debug.c
71447 ---- linux-2.6.32.46/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
71448 -+++ linux-2.6.32.46/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
71449 -@@ -861,7 +861,7 @@ out:
71450 -
71451 - static void check_for_stack(struct device *dev, void *addr)
71452 - {
71453 -- if (object_is_on_stack(addr))
71454 -+ if (object_starts_on_stack(addr))
71455 - err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71456 - "stack [addr=%p]\n", addr);
71457 - }
71458 -diff -urNp linux-2.6.32.46/lib/idr.c linux-2.6.32.46/lib/idr.c
71459 ---- linux-2.6.32.46/lib/idr.c 2011-03-27 14:31:47.000000000 -0400
71460 -+++ linux-2.6.32.46/lib/idr.c 2011-04-17 15:56:46.000000000 -0400
71461 -@@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
71462 - id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
71463 -
71464 - /* if already at the top layer, we need to grow */
71465 -- if (id >= 1 << (idp->layers * IDR_BITS)) {
71466 -+ if (id >= (1 << (idp->layers * IDR_BITS))) {
71467 - *starting_id = id;
71468 - return IDR_NEED_TO_GROW;
71469 - }
71470 -diff -urNp linux-2.6.32.46/lib/inflate.c linux-2.6.32.46/lib/inflate.c
71471 ---- linux-2.6.32.46/lib/inflate.c 2011-03-27 14:31:47.000000000 -0400
71472 -+++ linux-2.6.32.46/lib/inflate.c 2011-04-17 15:56:46.000000000 -0400
71473 -@@ -266,7 +266,7 @@ static void free(void *where)
71474 - malloc_ptr = free_mem_ptr;
71475 - }
71476 - #else
71477 --#define malloc(a) kmalloc(a, GFP_KERNEL)
71478 -+#define malloc(a) kmalloc((a), GFP_KERNEL)
71479 - #define free(a) kfree(a)
71480 - #endif
71481 -
71482 -diff -urNp linux-2.6.32.46/lib/kobject.c linux-2.6.32.46/lib/kobject.c
71483 ---- linux-2.6.32.46/lib/kobject.c 2011-03-27 14:31:47.000000000 -0400
71484 -+++ linux-2.6.32.46/lib/kobject.c 2011-04-17 15:56:46.000000000 -0400
71485 -@@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
71486 - return ret;
71487 - }
71488 -
71489 --struct sysfs_ops kobj_sysfs_ops = {
71490 -+const struct sysfs_ops kobj_sysfs_ops = {
71491 - .show = kobj_attr_show,
71492 - .store = kobj_attr_store,
71493 - };
71494 -@@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
71495 - * If the kset was not able to be created, NULL will be returned.
71496 - */
71497 - static struct kset *kset_create(const char *name,
71498 -- struct kset_uevent_ops *uevent_ops,
71499 -+ const struct kset_uevent_ops *uevent_ops,
71500 - struct kobject *parent_kobj)
71501 - {
71502 - struct kset *kset;
71503 -@@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
71504 - * If the kset was not able to be created, NULL will be returned.
71505 - */
71506 - struct kset *kset_create_and_add(const char *name,
71507 -- struct kset_uevent_ops *uevent_ops,
71508 -+ const struct kset_uevent_ops *uevent_ops,
71509 - struct kobject *parent_kobj)
71510 - {
71511 - struct kset *kset;
71512 -diff -urNp linux-2.6.32.46/lib/kobject_uevent.c linux-2.6.32.46/lib/kobject_uevent.c
71513 ---- linux-2.6.32.46/lib/kobject_uevent.c 2011-03-27 14:31:47.000000000 -0400
71514 -+++ linux-2.6.32.46/lib/kobject_uevent.c 2011-04-17 15:56:46.000000000 -0400
71515 -@@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
71516 - const char *subsystem;
71517 - struct kobject *top_kobj;
71518 - struct kset *kset;
71519 -- struct kset_uevent_ops *uevent_ops;
71520 -+ const struct kset_uevent_ops *uevent_ops;
71521 - u64 seq;
71522 - int i = 0;
71523 - int retval = 0;
71524 -diff -urNp linux-2.6.32.46/lib/kref.c linux-2.6.32.46/lib/kref.c
71525 ---- linux-2.6.32.46/lib/kref.c 2011-03-27 14:31:47.000000000 -0400
71526 -+++ linux-2.6.32.46/lib/kref.c 2011-04-17 15:56:46.000000000 -0400
71527 -@@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
71528 - */
71529 - int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71530 - {
71531 -- WARN_ON(release == NULL);
71532 -+ BUG_ON(release == NULL);
71533 - WARN_ON(release == (void (*)(struct kref *))kfree);
71534 -
71535 - if (atomic_dec_and_test(&kref->refcount)) {
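Review bot: `BUG_ON(release == NULL)` in kref_put() is evaluated on every call, including calls where the count does not reach zero, while the neighbouring check for `kfree` as the release function stays a WARN_ON. Add a comment explaining why a NULL release is fatal and a kfree release is only a warning, so the asymmetry does not look accidental.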
71536 -diff -urNp linux-2.6.32.46/lib/parser.c linux-2.6.32.46/lib/parser.c
71537 ---- linux-2.6.32.46/lib/parser.c 2011-03-27 14:31:47.000000000 -0400
71538 -+++ linux-2.6.32.46/lib/parser.c 2011-04-17 15:56:46.000000000 -0400
71539 -@@ -126,7 +126,7 @@ static int match_number(substring_t *s,
71540 - char *buf;
71541 - int ret;
71542 -
71543 -- buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
71544 -+ buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
71545 - if (!buf)
71546 - return -ENOMEM;
71547 - memcpy(buf, s->from, s->to - s->from);
71548 -diff -urNp linux-2.6.32.46/lib/radix-tree.c linux-2.6.32.46/lib/radix-tree.c
71549 ---- linux-2.6.32.46/lib/radix-tree.c 2011-03-27 14:31:47.000000000 -0400
71550 -+++ linux-2.6.32.46/lib/radix-tree.c 2011-04-17 15:56:46.000000000 -0400
71551 -@@ -81,7 +81,7 @@ struct radix_tree_preload {
71552 - int nr;
71553 - struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71554 - };
71555 --static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71556 -+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71557 -
71558 - static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
71559 - {
71560 -diff -urNp linux-2.6.32.46/lib/random32.c linux-2.6.32.46/lib/random32.c
71561 ---- linux-2.6.32.46/lib/random32.c 2011-03-27 14:31:47.000000000 -0400
71562 -+++ linux-2.6.32.46/lib/random32.c 2011-04-17 15:56:46.000000000 -0400
71563 -@@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
71564 - */
71565 - static inline u32 __seed(u32 x, u32 m)
71566 - {
71567 -- return (x < m) ? x + m : x;
71568 -+ return (x <= m) ? x + m + 1 : x;
71569 - }
71570 -
71571 - /**
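Review bot: the change in __seed() from `(x < m) ? x + m : x` to `(x <= m) ? x + m + 1 : x` tightens the result from "at least m" to "strictly greater than m", but nothing in the hunk says why the boundary matters. Update the function's comment to state the new guarantee. Also note that `x + m + 1` is u32 arithmetic: with `x <= m` it can reach `2*m + 1`, so the values of `m` used by callers, which are not visible here, need to stay below 2^31 for the guarantee to hold.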
71572 -diff -urNp linux-2.6.32.46/lib/vsprintf.c linux-2.6.32.46/lib/vsprintf.c
71573 ---- linux-2.6.32.46/lib/vsprintf.c 2011-03-27 14:31:47.000000000 -0400
71574 -+++ linux-2.6.32.46/lib/vsprintf.c 2011-04-17 15:56:46.000000000 -0400
71575 -@@ -16,6 +16,9 @@
71576 - * - scnprintf and vscnprintf
71577 - */
71578 -
71579 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
71580 -+#define __INCLUDED_BY_HIDESYM 1
71581 -+#endif
71582 - #include <stdarg.h>
71583 - #include <linux/module.h>
71584 - #include <linux/types.h>
71585 -@@ -546,12 +549,12 @@ static char *number(char *buf, char *end
71586 - return buf;
71587 - }
71588 -
71589 --static char *string(char *buf, char *end, char *s, struct printf_spec spec)
71590 -+static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
71591 - {
71592 - int len, i;
71593 -
71594 - if ((unsigned long)s < PAGE_SIZE)
71595 -- s = "<NULL>";
71596 -+ s = "(null)";
71597 -
71598 - len = strnlen(s, spec.precision);
71599 -
71600 -@@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
71601 - unsigned long value = (unsigned long) ptr;
71602 - #ifdef CONFIG_KALLSYMS
71603 - char sym[KSYM_SYMBOL_LEN];
71604 -- if (ext != 'f' && ext != 's')
71605 -+ if (ext != 'f' && ext != 's' && ext != 'a')
71606 - sprint_symbol(sym, value);
71607 - else
71608 - kallsyms_lookup(value, NULL, NULL, NULL, sym);
71609 -@@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
71610 - * - 'f' For simple symbolic function names without offset
71611 - * - 'S' For symbolic direct pointers with offset
71612 - * - 's' For symbolic direct pointers without offset
71613 -+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71614 -+ * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71615 - * - 'R' For a struct resource pointer, it prints the range of
71616 - * addresses (not the name nor the flags)
71617 - * - 'M' For a 6-byte MAC address, it prints the address in the
71618 -@@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
71619 - struct printf_spec spec)
71620 - {
71621 - if (!ptr)
71622 -- return string(buf, end, "(null)", spec);
71623 -+ return string(buf, end, "(nil)", spec);
71624 -
71625 - switch (*fmt) {
71626 - case 'F':
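Review bot: pointer() now prints "(nil)" for a NULL pointer while string() and the bstr path in this same file are changed to print "(null)" for a bad string pointer. That is a change to text that ends up in kernel logs, and anything that matches on the old "(null)" for `%p` or "<NULL>" for `%s` will stop matching. Mention the new strings in the patch description so log parsers can be updated.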
71627 -@@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
71628 - case 's':
71629 - /* Fallthrough */
71630 - case 'S':
71631 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
71632 -+ break;
71633 -+#else
71634 -+ return symbol_string(buf, end, ptr, spec, *fmt);
71635 -+#endif
71636 -+ case 'a':
71637 -+ /* Fallthrough */
71638 -+ case 'A':
71639 - return symbol_string(buf, end, ptr, spec, *fmt);
71640 - case 'R':
71641 - return resource_string(buf, end, ptr, spec);
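Review bot: with CONFIG_GRKERNSEC_HIDESYM set, the 'F', 'f', 's' and 'S' cases in pointer() now `break` out of the switch instead of returning symbol_string(), and the code that runs after the switch is not visible in this hunk. If that code formats the pointer numerically, the address is still disclosed and only the symbol name is hidden. Add a comment at the `break` stating what the fall-out path prints under HIDESYM, and make sure the new 'a'/'A' specifiers, which bypass the restriction, are only used at call sites that have been reviewed for it.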
71642 -@@ -1445,7 +1458,7 @@ do { \
71643 - size_t len;
71644 - if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
71645 - || (unsigned long)save_str < PAGE_SIZE)
71646 -- save_str = "<NULL>";
71647 -+ save_str = "(null)";
71648 - len = strlen(save_str);
71649 - if (str + len + 1 < end)
71650 - memcpy(str, save_str, len + 1);
71651 -@@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
71652 - typeof(type) value; \
71653 - if (sizeof(type) == 8) { \
71654 - args = PTR_ALIGN(args, sizeof(u32)); \
71655 -- *(u32 *)&value = *(u32 *)args; \
71656 -- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71657 -+ *(u32 *)&value = *(const u32 *)args; \
71658 -+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71659 - } else { \
71660 - args = PTR_ALIGN(args, sizeof(type)); \
71661 -- value = *(typeof(type) *)args; \
71662 -+ value = *(const typeof(type) *)args; \
71663 - } \
71664 - args += sizeof(type); \
71665 - value; \
71666 -@@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
71667 - const char *str_arg = args;
71668 - size_t len = strlen(str_arg);
71669 - args += len + 1;
71670 -- str = string(str, end, (char *)str_arg, spec);
71671 -+ str = string(str, end, str_arg, spec);
71672 - break;
71673 - }
71674 -
71675 -diff -urNp linux-2.6.32.46/localversion-grsec linux-2.6.32.46/localversion-grsec
71676 ---- linux-2.6.32.46/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71677 -+++ linux-2.6.32.46/localversion-grsec 2011-04-17 15:56:46.000000000 -0400
71678 -@@ -0,0 +1 @@
71679 -+-grsec
71680 -diff -urNp linux-2.6.32.46/mm/Kconfig linux-2.6.32.46/mm/Kconfig
71681 ---- linux-2.6.32.46/mm/Kconfig 2011-03-27 14:31:47.000000000 -0400
71682 -+++ linux-2.6.32.46/mm/Kconfig 2011-04-17 15:56:46.000000000 -0400
71683 -@@ -228,7 +228,7 @@ config KSM
71684 - config DEFAULT_MMAP_MIN_ADDR
71685 - int "Low address space to protect from user allocation"
71686 - depends on MMU
71687 -- default 4096
71688 -+ default 65536
71689 - help
71690 - This is the portion of low virtual memory which should be protected
71691 - from userspace allocation. Keeping a user from writing to low pages
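Review bot: the new `default 65536` for DEFAULT_MMAP_MIN_ADDR is changed without touching the help text shown in the context lines, so a user reading the option still gets no reason why 64 KiB rather than one page is chosen. Add a sentence to the help text stating the rationale and that the value can be lowered for software that needs low mappings.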
71692 -diff -urNp linux-2.6.32.46/mm/backing-dev.c linux-2.6.32.46/mm/backing-dev.c
71693 ---- linux-2.6.32.46/mm/backing-dev.c 2011-03-27 14:31:47.000000000 -0400
71694 -+++ linux-2.6.32.46/mm/backing-dev.c 2011-08-11 19:48:17.000000000 -0400
71695 -@@ -272,7 +272,7 @@ static void bdi_task_init(struct backing
71696 - list_add_tail_rcu(&wb->list, &bdi->wb_list);
71697 - spin_unlock(&bdi->wb_lock);
71698 -
71699 -- tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;
71700 -+ tsk->flags |= PF_SWAPWRITE;
71701 - set_freezable();
71702 -
71703 - /*
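Review bot: dropping PF_FLUSHER from `tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;` in bdi_task_init() carries no comment or explanation. If the flag is being retired, its definition and every reader of it need to go in the same change; if it is still tested elsewhere, those tests now silently never match for the flusher thread. State which case applies.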
71704 -@@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
71705 - * Add the default flusher task that gets created for any bdi
71706 - * that has dirty data pending writeout
71707 - */
71708 --void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
71709 -+static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
71710 - {
71711 - if (!bdi_cap_writeback_dirty(bdi))
71712 - return;
71713 -diff -urNp linux-2.6.32.46/mm/filemap.c linux-2.6.32.46/mm/filemap.c
71714 ---- linux-2.6.32.46/mm/filemap.c 2011-03-27 14:31:47.000000000 -0400
71715 -+++ linux-2.6.32.46/mm/filemap.c 2011-04-17 15:56:46.000000000 -0400
71716 -@@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
71717 - struct address_space *mapping = file->f_mapping;
71718 -
71719 - if (!mapping->a_ops->readpage)
71720 -- return -ENOEXEC;
71721 -+ return -ENODEV;
71722 - file_accessed(file);
71723 - vma->vm_ops = &generic_file_vm_ops;
71724 - vma->vm_flags |= VM_CAN_NONLINEAR;
71725 -@@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
71726 - *pos = i_size_read(inode);
71727 -
71728 - if (limit != RLIM_INFINITY) {
71729 -+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71730 - if (*pos >= limit) {
71731 - send_sig(SIGXFSZ, current, 0);
71732 - return -EFBIG;
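Review bot: the added call `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` in generic_write_checks() is missing the space after the comma, and the trailing literal `0` gives no hint of what the fourth argument means. Fix the spacing and either use a named constant or add a short comment for the last argument.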
71733 -diff -urNp linux-2.6.32.46/mm/fremap.c linux-2.6.32.46/mm/fremap.c
71734 ---- linux-2.6.32.46/mm/fremap.c 2011-03-27 14:31:47.000000000 -0400
71735 -+++ linux-2.6.32.46/mm/fremap.c 2011-04-17 15:56:46.000000000 -0400
71736 -@@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71737 - retry:
71738 - vma = find_vma(mm, start);
71739 -
71740 -+#ifdef CONFIG_PAX_SEGMEXEC
71741 -+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71742 -+ goto out;
71743 -+#endif
71744 -+
71745 - /*
71746 - * Make sure the vma is shared, that it supports prefaulting,
71747 - * and that the remapped range is valid and fully within
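Review bot: the new SEGMEXEC check in remap_file_pages() exits through `goto out` without setting an error value in this hunk, so the caller gets whatever `err` held before the `retry:` label. Confirm that this is the intended errno, and add a one-line comment saying why a vma with VM_MAYEXEC must be refused under MF_PAX_SEGMEXEC, since the check is otherwise unexplained.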
71748 -@@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71749 - /*
71750 - * drop PG_Mlocked flag for over-mapped range
71751 - */
71752 -- unsigned int saved_flags = vma->vm_flags;
71753 -+ unsigned long saved_flags = vma->vm_flags;
71754 - munlock_vma_pages_range(vma, start, start + size);
71755 - vma->vm_flags = saved_flags;
71756 - }
71757 -diff -urNp linux-2.6.32.46/mm/highmem.c linux-2.6.32.46/mm/highmem.c
71758 ---- linux-2.6.32.46/mm/highmem.c 2011-03-27 14:31:47.000000000 -0400
71759 -+++ linux-2.6.32.46/mm/highmem.c 2011-04-17 15:56:46.000000000 -0400
71760 -@@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
71761 - * So no dangers, even with speculative execution.
71762 - */
71763 - page = pte_page(pkmap_page_table[i]);
71764 -+ pax_open_kernel();
71765 - pte_clear(&init_mm, (unsigned long)page_address(page),
71766 - &pkmap_page_table[i]);
71767 --
71768 -+ pax_close_kernel();
71769 - set_page_address(page, NULL);
71770 - need_flush = 1;
71771 - }
71772 -@@ -177,9 +178,11 @@ start:
71773 - }
71774 - }
71775 - vaddr = PKMAP_ADDR(last_pkmap_nr);
71776 -+
71777 -+ pax_open_kernel();
71778 - set_pte_at(&init_mm, vaddr,
71779 - &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71780 --
71781 -+ pax_close_kernel();
71782 - pkmap_count[last_pkmap_nr] = 1;
71783 - set_page_address(page, (void *)vaddr);
71784 -
71785 -diff -urNp linux-2.6.32.46/mm/hugetlb.c linux-2.6.32.46/mm/hugetlb.c
71786 ---- linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:04.000000000 -0400
71787 -+++ linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:19.000000000 -0400
71788 -@@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
71789 - return 1;
71790 - }
71791 -
71792 -+#ifdef CONFIG_PAX_SEGMEXEC
71793 -+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71794 -+{
71795 -+ struct mm_struct *mm = vma->vm_mm;
71796 -+ struct vm_area_struct *vma_m;
71797 -+ unsigned long address_m;
71798 -+ pte_t *ptep_m;
71799 -+
71800 -+ vma_m = pax_find_mirror_vma(vma);
71801 -+ if (!vma_m)
71802 -+ return;
71803 -+
71804 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71805 -+ address_m = address + SEGMEXEC_TASK_SIZE;
71806 -+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71807 -+ get_page(page_m);
71808 -+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71809 -+}
71810 -+#endif
71811 -+
71812 - static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
71813 - unsigned long address, pte_t *ptep, pte_t pte,
71814 - struct page *pagecache_page)
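Review bot: in pax_mirror_huge_pte() the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` is passed straight to set_huge_pte_at() with no NULL check. The helper appears to rely on the caller having allocated the mirror entry beforehand; make that explicit with `BUG_ON(!ptep_m)` or a comment naming the precondition. The lookup also masks the address with HPAGE_MASK while set_huge_pte_at() receives the unmasked `address_m`; use the same value for both.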
71815 -@@ -2004,6 +2024,11 @@ retry_avoidcopy:
71816 - huge_ptep_clear_flush(vma, address, ptep);
71817 - set_huge_pte_at(mm, address, ptep,
71818 - make_huge_pte(vma, new_page, 1));
71819 -+
71820 -+#ifdef CONFIG_PAX_SEGMEXEC
71821 -+ pax_mirror_huge_pte(vma, address, new_page);
71822 -+#endif
71823 -+
71824 - /* Make the old page be freed below */
71825 - new_page = old_page;
71826 - }
71827 -@@ -2135,6 +2160,10 @@ retry:
71828 - && (vma->vm_flags & VM_SHARED)));
71829 - set_huge_pte_at(mm, address, ptep, new_pte);
71830 -
71831 -+#ifdef CONFIG_PAX_SEGMEXEC
71832 -+ pax_mirror_huge_pte(vma, address, page);
71833 -+#endif
71834 -+
71835 - if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71836 - /* Optimization, do the COW without a second fault */
71837 - ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71838 -@@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
71839 - static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71840 - struct hstate *h = hstate_vma(vma);
71841 -
71842 -+#ifdef CONFIG_PAX_SEGMEXEC
71843 -+ struct vm_area_struct *vma_m;
71844 -+
71845 -+ vma_m = pax_find_mirror_vma(vma);
71846 -+ if (vma_m) {
71847 -+ unsigned long address_m;
71848 -+
71849 -+ if (vma->vm_start > vma_m->vm_start) {
71850 -+ address_m = address;
71851 -+ address -= SEGMEXEC_TASK_SIZE;
71852 -+ vma = vma_m;
71853 -+ h = hstate_vma(vma);
71854 -+ } else
71855 -+ address_m = address + SEGMEXEC_TASK_SIZE;
71856 -+
71857 -+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
71858 -+ return VM_FAULT_OOM;
71859 -+ address_m &= HPAGE_MASK;
71860 -+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
71861 -+ }
71862 -+#endif
71863 -+
71864 - ptep = huge_pte_alloc(mm, address, huge_page_size(h));
71865 - if (!ptep)
71866 - return VM_FAULT_OOM;
71867 -diff -urNp linux-2.6.32.46/mm/internal.h linux-2.6.32.46/mm/internal.h
71868 ---- linux-2.6.32.46/mm/internal.h 2011-03-27 14:31:47.000000000 -0400
71869 -+++ linux-2.6.32.46/mm/internal.h 2011-07-09 09:13:08.000000000 -0400
71870 -@@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
71871 - * in mm/page_alloc.c
71872 - */
71873 - extern void __free_pages_bootmem(struct page *page, unsigned int order);
71874 -+extern void free_compound_page(struct page *page);
71875 - extern void prep_compound_page(struct page *page, unsigned long order);
71876 -
71877 -
71878 -diff -urNp linux-2.6.32.46/mm/kmemleak.c linux-2.6.32.46/mm/kmemleak.c
71879 ---- linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:55:35.000000000 -0400
71880 -+++ linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:56:37.000000000 -0400
71881 -@@ -358,7 +358,7 @@ static void print_unreferenced(struct se
71882 -
71883 - for (i = 0; i < object->trace_len; i++) {
71884 - void *ptr = (void *)object->trace[i];
71885 -- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
71886 -+ seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
71887 - }
71888 - }
71889 -
71890 -diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
71891 ---- linux-2.6.32.46/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
71892 -+++ linux-2.6.32.46/mm/maccess.c 2011-10-06 09:37:14.000000000 -0400
71893 -@@ -14,7 +14,7 @@
71894 - * Safely read from address @src to the buffer at @dst. If a kernel fault
71895 - * happens, handle that and return -EFAULT.
71896 - */
71897 --long probe_kernel_read(void *dst, void *src, size_t size)
71898 -+long probe_kernel_read(void *dst, const void *src, size_t size)
71899 - {
71900 - long ret;
71901 - mm_segment_t old_fs = get_fs();
71902 -@@ -22,7 +22,7 @@ long probe_kernel_read(void *dst, void *
71903 - set_fs(KERNEL_DS);
71904 - pagefault_disable();
71905 - ret = __copy_from_user_inatomic(dst,
71906 -- (__force const void __user *)src, size);
71907 -+ (const void __force_user *)src, size);
71908 - pagefault_enable();
71909 - set_fs(old_fs);
71910 -
71911 -@@ -39,14 +39,14 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
71912 - * Safely write to address @dst from the buffer at @src. If a kernel fault
71913 - * happens, handle that and return -EFAULT.
71914 - */
71915 --long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
71916 -+long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
71917 - {
71918 - long ret;
71919 - mm_segment_t old_fs = get_fs();
71920 -
71921 - set_fs(KERNEL_DS);
71922 - pagefault_disable();
71923 -- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
71924 -+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
71925 - pagefault_enable();
71926 - set_fs(old_fs);
71927 -
71928 -diff -urNp linux-2.6.32.46/mm/madvise.c linux-2.6.32.46/mm/madvise.c
71929 ---- linux-2.6.32.46/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
71930 -+++ linux-2.6.32.46/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
71931 -@@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
71932 - pgoff_t pgoff;
71933 - unsigned long new_flags = vma->vm_flags;
71934 -
71935 -+#ifdef CONFIG_PAX_SEGMEXEC
71936 -+ struct vm_area_struct *vma_m;
71937 -+#endif
71938 -+
71939 - switch (behavior) {
71940 - case MADV_NORMAL:
71941 - new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71942 -@@ -103,6 +107,13 @@ success:
71943 - /*
71944 - * vm_flags is protected by the mmap_sem held in write mode.
71945 - */
71946 -+
71947 -+#ifdef CONFIG_PAX_SEGMEXEC
71948 -+ vma_m = pax_find_mirror_vma(vma);
71949 -+ if (vma_m)
71950 -+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71951 -+#endif
71952 -+
71953 - vma->vm_flags = new_flags;
71954 -
71955 - out:
71956 -@@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
71957 - struct vm_area_struct ** prev,
71958 - unsigned long start, unsigned long end)
71959 - {
71960 -+
71961 -+#ifdef CONFIG_PAX_SEGMEXEC
71962 -+ struct vm_area_struct *vma_m;
71963 -+#endif
71964 -+
71965 - *prev = vma;
71966 - if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
71967 - return -EINVAL;
71968 -@@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
71969 - zap_page_range(vma, start, end - start, &details);
71970 - } else
71971 - zap_page_range(vma, start, end - start, NULL);
71972 -+
71973 -+#ifdef CONFIG_PAX_SEGMEXEC
71974 -+ vma_m = pax_find_mirror_vma(vma);
71975 -+ if (vma_m) {
71976 -+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
71977 -+ struct zap_details details = {
71978 -+ .nonlinear_vma = vma_m,
71979 -+ .last_index = ULONG_MAX,
71980 -+ };
71981 -+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
71982 -+ } else
71983 -+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
71984 -+ }
71985 -+#endif
71986 -+
71987 - return 0;
71988 - }
71989 -
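Review bot: in the block added to madvise_dontneed(), both zap_page_range() calls pass `vma` together with the mirror range `start + SEGMEXEC_TASK_SIZE`, while `details.nonlinear_vma` is set to `vma_m`. If the first argument is meant to be the vma that actually covers the zapped range, it should be `vma_m`; if passing the lower vma is deliberate, say so in a comment, because the two arguments currently disagree about which mapping is being operated on.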
71990 -@@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
71991 - if (end < start)
71992 - goto out;
71993 -
71994 -+#ifdef CONFIG_PAX_SEGMEXEC
71995 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71996 -+ if (end > SEGMEXEC_TASK_SIZE)
71997 -+ goto out;
71998 -+ } else
71999 -+#endif
72000 -+
72001 -+ if (end > TASK_SIZE)
72002 -+ goto out;
72003 -+
72004 - error = 0;
72005 - if (end == start)
72006 - goto out;
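Review bot: the bounds check added to the madvise syscall ends the #ifdef block with a bare `} else` whose body is the `if (end > TASK_SIZE)` statement placed after `#endif` and a blank line. This works, but any statement later inserted between the two silently becomes the else body when CONFIG_PAX_SEGMEXEC is set. Compute the limit into a local variable inside the #ifdef and do a single `if (end > limit) goto out;` outside it.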
72007 -diff -urNp linux-2.6.32.46/mm/memory-failure.c linux-2.6.32.46/mm/memory-failure.c
72008 ---- linux-2.6.32.46/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
72009 -+++ linux-2.6.32.46/mm/memory-failure.c 2011-10-06 09:37:14.000000000 -0400
72010 -@@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
72011 -
72012 - int sysctl_memory_failure_recovery __read_mostly = 1;
72013 -
72014 --atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72015 -+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72016 -
72017 - /*
72018 - * Send all the processes who have the page mapped an ``action optional''
72019 -@@ -64,7 +64,7 @@ static int kill_proc_ao(struct task_stru
72020 - si.si_signo = SIGBUS;
72021 - si.si_errno = 0;
72022 - si.si_code = BUS_MCEERR_AO;
72023 -- si.si_addr = (void *)addr;
72024 -+ si.si_addr = (void __user *)addr;
72025 - #ifdef __ARCH_SI_TRAPNO
72026 - si.si_trapno = trapno;
72027 - #endif
72028 -@@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
72029 - return 0;
72030 - }
72031 -
72032 -- atomic_long_add(1, &mce_bad_pages);
72033 -+ atomic_long_add_unchecked(1, &mce_bad_pages);
72034 -
72035 - /*
72036 - * We need/can do nothing about count=0 pages.
72037 -diff -urNp linux-2.6.32.46/mm/memory.c linux-2.6.32.46/mm/memory.c
72038 ---- linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:04.000000000 -0400
72039 -+++ linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:23.000000000 -0400
72040 -@@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
72041 - return;
72042 -
72043 - pmd = pmd_offset(pud, start);
72044 -+
72045 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
72046 - pud_clear(pud);
72047 - pmd_free_tlb(tlb, pmd, start);
72048 -+#endif
72049 -+
72050 - }
72051 -
72052 - static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
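Review bot: in free_pmd_range() the new `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` guard covers only pud_clear() and pmd_free_tlb(), leaving `pmd = pmd_offset(pud, start);` outside it, so with both options set the assignment is dead. The free_pud_range() hunk that follows puts the matching `pud = pud_offset(pgd, start);` inside its guard; do the same here, and add a comment on why the top-level table must not be freed in the per-CPU PGD configuration.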
72053 -@@ -219,9 +223,12 @@ static inline void free_pud_range(struct
72054 - if (end - 1 > ceiling - 1)
72055 - return;
72056 -
72057 -+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
72058 - pud = pud_offset(pgd, start);
72059 - pgd_clear(pgd);
72060 - pud_free_tlb(tlb, pud, start);
72061 -+#endif
72062 -+
72063 - }
72064 -
72065 - /*
72066 -@@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
72067 - (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
72068 - i = 0;
72069 -
72070 -- do {
72071 -+ while (nr_pages) {
72072 - struct vm_area_struct *vma;
72073 -
72074 -- vma = find_extend_vma(mm, start);
72075 -+ vma = find_vma(mm, start);
72076 - if (!vma && in_gate_area(tsk, start)) {
72077 - unsigned long pg = start & PAGE_MASK;
72078 - struct vm_area_struct *gate_vma = get_gate_vma(tsk);
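Review bot: replacing `find_extend_vma(mm, start)` with `find_vma(mm, start)` in __get_user_pages() means an address just below a growable stack is no longer expanded on demand, and the `start < vma->vm_start` test added in the next hunk turns that case into -EFAULT. That is a behaviour change for every caller, and nothing in the hunk documents it. Add a comment at the lookup stating that get_user_pages no longer grows the stack, so callers that depended on it can be found and audited.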
72079 -@@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
72080 - continue;
72081 - }
72082 -
72083 -- if (!vma ||
72084 -+ if (!vma || start < vma->vm_start ||
72085 - (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
72086 - !(vm_flags & vma->vm_flags))
72087 - return i ? : -EFAULT;
72088 -@@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
72089 - start += PAGE_SIZE;
72090 - nr_pages--;
72091 - } while (nr_pages && start < vma->vm_end);
72092 -- } while (nr_pages);
72093 -+ }
72094 - return i;
72095 - }
72096 -
72097 -@@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
72098 - page_add_file_rmap(page);
72099 - set_pte_at(mm, addr, pte, mk_pte(page, prot));
72100 -
72101 -+#ifdef CONFIG_PAX_SEGMEXEC
72102 -+ pax_mirror_file_pte(vma, addr, page, ptl);
72103 -+#endif
72104 -+
72105 - retval = 0;
72106 - pte_unmap_unlock(pte, ptl);
72107 - return retval;
72108 -@@ -1560,10 +1571,22 @@ out:
72109 - int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
72110 - struct page *page)
72111 - {
72112 -+
72113 -+#ifdef CONFIG_PAX_SEGMEXEC
72114 -+ struct vm_area_struct *vma_m;
72115 -+#endif
72116 -+
72117 - if (addr < vma->vm_start || addr >= vma->vm_end)
72118 - return -EFAULT;
72119 - if (!page_count(page))
72120 - return -EINVAL;
72121 -+
72122 -+#ifdef CONFIG_PAX_SEGMEXEC
72123 -+ vma_m = pax_find_mirror_vma(vma);
72124 -+ if (vma_m)
72125 -+ vma_m->vm_flags |= VM_INSERTPAGE;
72126 -+#endif
72127 -+
72128 - vma->vm_flags |= VM_INSERTPAGE;
72129 - return insert_page(vma, addr, page, vma->vm_page_prot);
72130 - }
72131 -@@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
72132 - unsigned long pfn)
72133 - {
72134 - BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
72135 -+ BUG_ON(vma->vm_mirror);
72136 -
72137 - if (addr < vma->vm_start || addr >= vma->vm_end)
72138 - return -EFAULT;
72139 -@@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
72140 - copy_user_highpage(dst, src, va, vma);
72141 - }
72142 -
72143 -+#ifdef CONFIG_PAX_SEGMEXEC
72144 -+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
72145 -+{
72146 -+ struct mm_struct *mm = vma->vm_mm;
72147 -+ spinlock_t *ptl;
72148 -+ pte_t *pte, entry;
72149 -+
72150 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
72151 -+ entry = *pte;
72152 -+ if (!pte_present(entry)) {
72153 -+ if (!pte_none(entry)) {
72154 -+ BUG_ON(pte_file(entry));
72155 -+ free_swap_and_cache(pte_to_swp_entry(entry));
72156 -+ pte_clear_not_present_full(mm, address, pte, 0);
72157 -+ }
72158 -+ } else {
72159 -+ struct page *page;
72160 -+
72161 -+ flush_cache_page(vma, address, pte_pfn(entry));
72162 -+ entry = ptep_clear_flush(vma, address, pte);
72163 -+ BUG_ON(pte_dirty(entry));
72164 -+ page = vm_normal_page(vma, address, entry);
72165 -+ if (page) {
72166 -+ update_hiwater_rss(mm);
72167 -+ if (PageAnon(page))
72168 -+ dec_mm_counter(mm, anon_rss);
72169 -+ else
72170 -+ dec_mm_counter(mm, file_rss);
72171 -+ page_remove_rmap(page);
72172 -+ page_cache_release(page);
72173 -+ }
72174 -+ }
72175 -+ pte_unmap_unlock(pte, ptl);
72176 -+}
72177 -+
72178 -+/* PaX: if vma is mirrored, synchronize the mirror's PTE
72179 -+ *
72180 -+ * the ptl of the lower mapped page is held on entry and is not released on exit
72181 -+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
72182 -+ */
72183 -+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72184 -+{
72185 -+ struct mm_struct *mm = vma->vm_mm;
72186 -+ unsigned long address_m;
72187 -+ spinlock_t *ptl_m;
72188 -+ struct vm_area_struct *vma_m;
72189 -+ pmd_t *pmd_m;
72190 -+ pte_t *pte_m, entry_m;
72191 -+
72192 -+ BUG_ON(!page_m || !PageAnon(page_m));
72193 -+
72194 -+ vma_m = pax_find_mirror_vma(vma);
72195 -+ if (!vma_m)
72196 -+ return;
72197 -+
72198 -+ BUG_ON(!PageLocked(page_m));
72199 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72200 -+ address_m = address + SEGMEXEC_TASK_SIZE;
72201 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72202 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
72203 -+ ptl_m = pte_lockptr(mm, pmd_m);
72204 -+ if (ptl != ptl_m) {
72205 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72206 -+ if (!pte_none(*pte_m))
72207 -+ goto out;
72208 -+ }
72209 -+
72210 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72211 -+ page_cache_get(page_m);
72212 -+ page_add_anon_rmap(page_m, vma_m, address_m);
72213 -+ inc_mm_counter(mm, anon_rss);
72214 -+ set_pte_at(mm, address_m, pte_m, entry_m);
72215 -+ update_mmu_cache(vma_m, address_m, entry_m);
72216 -+out:
72217 -+ if (ptl != ptl_m)
72218 -+ spin_unlock(ptl_m);
72219 -+ pte_unmap_nested(pte_m);
72220 -+ unlock_page(page_m);
72221 -+}
72222 -+
72223 -+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72224 -+{
72225 -+ struct mm_struct *mm = vma->vm_mm;
72226 -+ unsigned long address_m;
72227 -+ spinlock_t *ptl_m;
72228 -+ struct vm_area_struct *vma_m;
72229 -+ pmd_t *pmd_m;
72230 -+ pte_t *pte_m, entry_m;
72231 -+
72232 -+ BUG_ON(!page_m || PageAnon(page_m));
72233 -+
72234 -+ vma_m = pax_find_mirror_vma(vma);
72235 -+ if (!vma_m)
72236 -+ return;
72237 -+
72238 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72239 -+ address_m = address + SEGMEXEC_TASK_SIZE;
72240 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72241 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
72242 -+ ptl_m = pte_lockptr(mm, pmd_m);
72243 -+ if (ptl != ptl_m) {
72244 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72245 -+ if (!pte_none(*pte_m))
72246 -+ goto out;
72247 -+ }
72248 -+
72249 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72250 -+ page_cache_get(page_m);
72251 -+ page_add_file_rmap(page_m);
72252 -+ inc_mm_counter(mm, file_rss);
72253 -+ set_pte_at(mm, address_m, pte_m, entry_m);
72254 -+ update_mmu_cache(vma_m, address_m, entry_m);
72255 -+out:
72256 -+ if (ptl != ptl_m)
72257 -+ spin_unlock(ptl_m);
72258 -+ pte_unmap_nested(pte_m);
72259 -+}
72260 -+
72261 -+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
72262 -+{
72263 -+ struct mm_struct *mm = vma->vm_mm;
72264 -+ unsigned long address_m;
72265 -+ spinlock_t *ptl_m;
72266 -+ struct vm_area_struct *vma_m;
72267 -+ pmd_t *pmd_m;
72268 -+ pte_t *pte_m, entry_m;
72269 -+
72270 -+ vma_m = pax_find_mirror_vma(vma);
72271 -+ if (!vma_m)
72272 -+ return;
72273 -+
72274 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72275 -+ address_m = address + SEGMEXEC_TASK_SIZE;
72276 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72277 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
72278 -+ ptl_m = pte_lockptr(mm, pmd_m);
72279 -+ if (ptl != ptl_m) {
72280 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72281 -+ if (!pte_none(*pte_m))
72282 -+ goto out;
72283 -+ }
72284 -+
72285 -+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
72286 -+ set_pte_at(mm, address_m, pte_m, entry_m);
72287 -+out:
72288 -+ if (ptl != ptl_m)
72289 -+ spin_unlock(ptl_m);
72290 -+ pte_unmap_nested(pte_m);
72291 -+}
72292 -+
72293 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72294 -+{
72295 -+ struct page *page_m;
72296 -+ pte_t entry;
72297 -+
72298 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72299 -+ goto out;
72300 -+
72301 -+ entry = *pte;
72302 -+ page_m = vm_normal_page(vma, address, entry);
72303 -+ if (!page_m)
72304 -+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72305 -+ else if (PageAnon(page_m)) {
72306 -+ if (pax_find_mirror_vma(vma)) {
72307 -+ pte_unmap_unlock(pte, ptl);
72308 -+ lock_page(page_m);
72309 -+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72310 -+ if (pte_same(entry, *pte))
72311 -+ pax_mirror_anon_pte(vma, address, page_m, ptl);
72312 -+ else
72313 -+ unlock_page(page_m);
72314 -+ }
72315 -+ } else
72316 -+ pax_mirror_file_pte(vma, address, page_m, ptl);
72317 -+
72318 -+out:
72319 -+ pte_unmap_unlock(pte, ptl);
72320 -+}
72321 -+#endif
72322 -+
72323 - /*
72324 - * This routine handles present pages, when users try to write
72325 - * to a shared page. It is done by copying the page to a new address
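Review bot: in pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `if (!pte_none(*pte_m)) goto out;` test sits inside `if (ptl != ptl_m)`, so when both PTEs share one lock the mirror entry is overwritten by set_pte_at() without being checked for emptiness. If that case is safe because the fault path has already cleared the mirror PTE, state the invariant in a comment; otherwise move the check out of the conditional. The three functions also repeat the same address_m, pmd_m, pte_m and lock sequence line for line; a shared helper for the walk and lock would keep them from drifting apart.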
72326 -@@ -2156,6 +2360,12 @@ gotten:
72327 - */
72328 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72329 - if (likely(pte_same(*page_table, orig_pte))) {
72330 -+
72331 -+#ifdef CONFIG_PAX_SEGMEXEC
72332 -+ if (pax_find_mirror_vma(vma))
72333 -+ BUG_ON(!trylock_page(new_page));
72334 -+#endif
72335 -+
72336 - if (old_page) {
72337 - if (!PageAnon(old_page)) {
72338 - dec_mm_counter(mm, file_rss);
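Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition, a required side effect, inside an assertion macro. Readers tend to treat BUG_ON() arguments as pure checks, and the same pattern is repeated in the do_anonymous_page() and __do_fault() hunks. Take the lock in its own statement, for example `if (!trylock_page(new_page)) BUG();`, and add a comment that the lock is released by pax_mirror_anon_pte().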
72339 -@@ -2207,6 +2417,10 @@ gotten:
72340 - page_remove_rmap(old_page);
72341 - }
72342 -
72343 -+#ifdef CONFIG_PAX_SEGMEXEC
72344 -+ pax_mirror_anon_pte(vma, address, new_page, ptl);
72345 -+#endif
72346 -+
72347 - /* Free the old page.. */
72348 - new_page = old_page;
72349 - ret |= VM_FAULT_WRITE;
72350 -@@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
72351 - swap_free(entry);
72352 - if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72353 - try_to_free_swap(page);
72354 -+
72355 -+#ifdef CONFIG_PAX_SEGMEXEC
72356 -+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72357 -+#endif
72358 -+
72359 - unlock_page(page);
72360 -
72361 - if (flags & FAULT_FLAG_WRITE) {
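Review bot: the `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` added in do_swap_page() governs the `unlock_page(page);` that sits outside the #ifdef, after a blank line. When the condition is false the page stays locked and the release is left to pax_mirror_anon_pte() in the next hunk, so any path that reaches `unlock:` or `out:` without passing through that call would leave the page locked. Document the lock handoff at this site and keep the conditional and the statement it controls inside the same preprocessor block.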
72362 -@@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
72363 -
72364 - /* No need to invalidate - it was non-present before */
72365 - update_mmu_cache(vma, address, pte);
72366 -+
72367 -+#ifdef CONFIG_PAX_SEGMEXEC
72368 -+ pax_mirror_anon_pte(vma, address, page, ptl);
72369 -+#endif
72370 -+
72371 - unlock:
72372 - pte_unmap_unlock(page_table, ptl);
72373 - out:
72374 -@@ -2632,40 +2856,6 @@ out_release:
72375 - }
72376 -
72377 - /*
72378 -- * This is like a special single-page "expand_{down|up}wards()",
72379 -- * except we must first make sure that 'address{-|+}PAGE_SIZE'
72380 -- * doesn't hit another vma.
72381 -- */
72382 --static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72383 --{
72384 -- address &= PAGE_MASK;
72385 -- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72386 -- struct vm_area_struct *prev = vma->vm_prev;
72387 --
72388 -- /*
72389 -- * Is there a mapping abutting this one below?
72390 -- *
72391 -- * That's only ok if it's the same stack mapping
72392 -- * that has gotten split..
72393 -- */
72394 -- if (prev && prev->vm_end == address)
72395 -- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72396 --
72397 -- expand_stack(vma, address - PAGE_SIZE);
72398 -- }
72399 -- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72400 -- struct vm_area_struct *next = vma->vm_next;
72401 --
72402 -- /* As VM_GROWSDOWN but s/below/above/ */
72403 -- if (next && next->vm_start == address + PAGE_SIZE)
72404 -- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72405 --
72406 -- expand_upwards(vma, address + PAGE_SIZE);
72407 -- }
72408 -- return 0;
72409 --}
72410 --
72411 --/*
72412 - * We enter with non-exclusive mmap_sem (to exclude vma changes,
72413 - * but allow concurrent faults), and pte mapped but not yet locked.
72414 - * We return with mmap_sem still held, but pte unmapped and unlocked.
72415 -@@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
72416 - unsigned long address, pte_t *page_table, pmd_t *pmd,
72417 - unsigned int flags)
72418 - {
72419 -- struct page *page;
72420 -+ struct page *page = NULL;
72421 - spinlock_t *ptl;
72422 - pte_t entry;
72423 -
72424 -- pte_unmap(page_table);
72425 --
72426 -- /* Check if we need to add a guard page to the stack */
72427 -- if (check_stack_guard_page(vma, address) < 0)
72428 -- return VM_FAULT_SIGBUS;
72429 --
72430 -- /* Use the zero-page for reads */
72431 - if (!(flags & FAULT_FLAG_WRITE)) {
72432 - entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72433 - vma->vm_page_prot));
72434 -- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72435 -+ ptl = pte_lockptr(mm, pmd);
72436 -+ spin_lock(ptl);
72437 - if (!pte_none(*page_table))
72438 - goto unlock;
72439 - goto setpte;
72440 - }
72441 -
72442 - /* Allocate our own private page. */
72443 -+ pte_unmap(page_table);
72444 -+
72445 - if (unlikely(anon_vma_prepare(vma)))
72446 - goto oom;
72447 - page = alloc_zeroed_user_highpage_movable(vma, address);
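Review bot: this hunk deletes the `check_stack_guard_page(vma, address)` call and its VM_FAULT_SIGBUS return from do_anonymous_page(), and the previous hunk removes the function itself, but nothing visible here says what now keeps a growing stack from running into an adjacent mapping. Add a comment, or a note in the patch description, naming the mechanism that replaces the guard-page check. The switch from pte_offset_map_lock() to `pte_lockptr()` plus `spin_lock()` in the zero-page path also depends on `page_table` still being mapped on entry, which deserves a one-line comment now that the early pte_unmap() has moved.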
72448 -@@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
72449 - if (!pte_none(*page_table))
72450 - goto release;
72451 -
72452 -+#ifdef CONFIG_PAX_SEGMEXEC
72453 -+ if (pax_find_mirror_vma(vma))
72454 -+ BUG_ON(!trylock_page(page));
72455 -+#endif
72456 -+
72457 - inc_mm_counter(mm, anon_rss);
72458 - page_add_new_anon_rmap(page, vma, address);
72459 - setpte:
72460 -@@ -2720,6 +2911,12 @@ setpte:
72461 -
72462 - /* No need to invalidate - it was non-present before */
72463 - update_mmu_cache(vma, address, entry);
72464 -+
72465 -+#ifdef CONFIG_PAX_SEGMEXEC
72466 -+ if (page)
72467 -+ pax_mirror_anon_pte(vma, address, page, ptl);
72468 -+#endif
72469 -+
72470 - unlock:
72471 - pte_unmap_unlock(page_table, ptl);
72472 - return 0;
72473 -@@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
72474 - */
72475 - /* Only go through if we didn't race with anybody else... */
72476 - if (likely(pte_same(*page_table, orig_pte))) {
72477 -+
72478 -+#ifdef CONFIG_PAX_SEGMEXEC
72479 -+ if (anon && pax_find_mirror_vma(vma))
72480 -+ BUG_ON(!trylock_page(page));
72481 -+#endif
72482 -+
72483 - flush_icache_page(vma, page);
72484 - entry = mk_pte(page, vma->vm_page_prot);
72485 - if (flags & FAULT_FLAG_WRITE)
72486 -@@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
72487 -
72488 - /* no need to invalidate: a not-present page won't be cached */
72489 - update_mmu_cache(vma, address, entry);
72490 -+
72491 -+#ifdef CONFIG_PAX_SEGMEXEC
72492 -+ if (anon)
72493 -+ pax_mirror_anon_pte(vma, address, page, ptl);
72494 -+ else
72495 -+ pax_mirror_file_pte(vma, address, page, ptl);
72496 -+#endif
72497 -+
72498 - } else {
72499 - if (charged)
72500 - mem_cgroup_uncharge_page(page);
72501 -@@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
72502 - if (flags & FAULT_FLAG_WRITE)
72503 - flush_tlb_page(vma, address);
72504 - }
72505 -+
72506 -+#ifdef CONFIG_PAX_SEGMEXEC
72507 -+ pax_mirror_pte(vma, address, pte, pmd, ptl);
72508 -+ return 0;
72509 -+#endif
72510 -+
72511 - unlock:
72512 - pte_unmap_unlock(pte, ptl);
72513 - return 0;
72514 -@@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
72515 - pmd_t *pmd;
72516 - pte_t *pte;
72517 -
72518 -+#ifdef CONFIG_PAX_SEGMEXEC
72519 -+ struct vm_area_struct *vma_m;
72520 -+#endif
72521 -+
72522 - __set_current_state(TASK_RUNNING);
72523 -
72524 - count_vm_event(PGFAULT);
72525 -@@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
72526 - if (unlikely(is_vm_hugetlb_page(vma)))
72527 - return hugetlb_fault(mm, vma, address, flags);
72528 -
72529 -+#ifdef CONFIG_PAX_SEGMEXEC
72530 -+ vma_m = pax_find_mirror_vma(vma);
72531 -+ if (vma_m) {
72532 -+ unsigned long address_m;
72533 -+ pgd_t *pgd_m;
72534 -+ pud_t *pud_m;
72535 -+ pmd_t *pmd_m;
72536 -+
72537 -+ if (vma->vm_start > vma_m->vm_start) {
72538 -+ address_m = address;
72539 -+ address -= SEGMEXEC_TASK_SIZE;
72540 -+ vma = vma_m;
72541 -+ } else
72542 -+ address_m = address + SEGMEXEC_TASK_SIZE;
72543 -+
72544 -+ pgd_m = pgd_offset(mm, address_m);
72545 -+ pud_m = pud_alloc(mm, pgd_m, address_m);
72546 -+ if (!pud_m)
72547 -+ return VM_FAULT_OOM;
72548 -+ pmd_m = pmd_alloc(mm, pud_m, address_m);
72549 -+ if (!pmd_m)
72550 -+ return VM_FAULT_OOM;
72551 -+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
72552 -+ return VM_FAULT_OOM;
72553 -+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72554 -+ }
72555 -+#endif
72556 -+
72557 - pgd = pgd_offset(mm, address);
72558 - pud = pud_alloc(mm, pgd, address);
72559 - if (!pud)
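Review bot: in the block added to handle_mm_fault(), the branch taken when `vma->vm_start > vma_m->vm_start` assigns `vma = vma_m` but leaves `vma_m` unchanged, so afterwards both names refer to the lower vma and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` is called with the lower vma and an address in the upper half. In the else branch the same call receives the upper vma. Confirm which is intended and, if the asymmetry is deliberate, explain it in a comment; otherwise swap the two pointers in the first branch so that `vma_m` always names the mirror.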
72560 -@@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
72561 - gate_vma.vm_start = FIXADDR_USER_START;
72562 - gate_vma.vm_end = FIXADDR_USER_END;
72563 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72564 -- gate_vma.vm_page_prot = __P101;
72565 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72566 - /*
72567 - * Make sure the vDSO gets into every core dump.
72568 - * Dumping its contents makes post-mortem fully interpretable later
72569 -diff -urNp linux-2.6.32.46/mm/mempolicy.c linux-2.6.32.46/mm/mempolicy.c
72570 ---- linux-2.6.32.46/mm/mempolicy.c 2011-03-27 14:31:47.000000000 -0400
72571 -+++ linux-2.6.32.46/mm/mempolicy.c 2011-04-17 15:56:46.000000000 -0400
72572 -@@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
72573 - struct vm_area_struct *next;
72574 - int err;
72575 -
72576 -+#ifdef CONFIG_PAX_SEGMEXEC
72577 -+ struct vm_area_struct *vma_m;
72578 -+#endif
72579 -+
72580 - err = 0;
72581 - for (; vma && vma->vm_start < end; vma = next) {
72582 - next = vma->vm_next;
72583 -@@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
72584 - err = policy_vma(vma, new);
72585 - if (err)
72586 - break;
72587 -+
72588 -+#ifdef CONFIG_PAX_SEGMEXEC
72589 -+ vma_m = pax_find_mirror_vma(vma);
72590 -+ if (vma_m) {
72591 -+ err = policy_vma(vma_m, new);
72592 -+ if (err)
72593 -+ break;
72594 -+ }
72595 -+#endif
72596 -+
72597 - }
72598 - return err;
72599 - }
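Review bot: in the added SEGMEXEC block, a failure of `policy_vma(vma_m, new)` breaks out after `policy_vma(vma, new)` has already succeeded, leaving the primary vma with the new policy and its mirror with the old one. Either undo the first call on this path or add a comment explaining why a mismatched pair is acceptable when mbind_range() returns an error.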
72600 -@@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
72601 -
72602 - if (end < start)
72603 - return -EINVAL;
72604 -+
72605 -+#ifdef CONFIG_PAX_SEGMEXEC
72606 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72607 -+ if (end > SEGMEXEC_TASK_SIZE)
72608 -+ return -EINVAL;
72609 -+ } else
72610 -+#endif
72611 -+
72612 -+ if (end > TASK_SIZE)
72613 -+ return -EINVAL;
72614 -+
72615 - if (end == start)
72616 - return 0;
72617 -
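Review bot: the `} else` / `#endif` / blank line / `if (end > TASK_SIZE)` sequence makes the TASK_SIZE test the else-branch of a conditionally compiled `if`, which is easy to break when someone inserts a statement after the `#endif`. Selecting the limit first (a local set to TASK_SIZE, overridden with SEGMEXEC_TASK_SIZE under the ifdef) and then doing a single `if (end > limit) return -EINVAL;` expresses the same check without the dangling else.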
72618 -@@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72619 - if (!mm)
72620 - return -EINVAL;
72621 -
72622 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72623 -+ if (mm != current->mm &&
72624 -+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72625 -+ err = -EPERM;
72626 -+ goto out;
72627 -+ }
72628 -+#endif
72629 -+
72630 - /*
72631 - * Check if this process has the right to modify the specified
72632 - * process. The right exists if the process has administrative
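Review bot: the new CONFIG_GRKERNSEC_PROC_MEMMAP test sits above the credential check, so it returns -EPERM for a foreign mm with RANDMMAP or SEGMEXEC set even when the caller would pass the `capable(CAP_SYS_NICE)` test in the next hunk. If that is intended, say so in a comment. The condition would also read better as a single mask test, `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`, instead of relying on `&` binding tighter than `||`.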
72633 -@@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72634 - rcu_read_lock();
72635 - tcred = __task_cred(task);
72636 - if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72637 -- cred->uid != tcred->suid && cred->uid != tcred->uid &&
72638 -- !capable(CAP_SYS_NICE)) {
72639 -+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72640 - rcu_read_unlock();
72641 - err = -EPERM;
72642 - goto out;
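Review bot: dropping `cred->uid != tcred->uid` from the condition means a caller whose real uid matches the target's real uid no longer passes on that basis alone, yet the hunk carries no explanation and the comment above the check ("The right exists if ...") is left as it was. Update that comment to list the three remaining uid relationships and state why the fourth was removed.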
72643 -@@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
72644 -
72645 - if (file) {
72646 - seq_printf(m, " file=");
72647 -- seq_path(m, &file->f_path, "\n\t= ");
72648 -+ seq_path(m, &file->f_path, "\n\t\\= ");
72649 - } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72650 - seq_printf(m, " heap");
72651 - } else if (vma->vm_start <= mm->start_stack &&
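Review bot: adding the backslash to the escape set passed to seq_path() is not explained. The reason is worth a one-line comment: without it, a file name that contains a literal backslash sequence cannot be told apart from an escaped newline, tab or `=` in the numa_maps output.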
72652 -diff -urNp linux-2.6.32.46/mm/migrate.c linux-2.6.32.46/mm/migrate.c
72653 ---- linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:04.000000000 -0400
72654 -+++ linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:23.000000000 -0400
72655 -@@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
72656 - unsigned long chunk_start;
72657 - int err;
72658 -
72659 -+ pax_track_stack();
72660 -+
72661 - task_nodes = cpuset_mems_allowed(task);
72662 -
72663 - err = -ENOMEM;
72664 -@@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72665 - if (!mm)
72666 - return -EINVAL;
72667 -
72668 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72669 -+ if (mm != current->mm &&
72670 -+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72671 -+ err = -EPERM;
72672 -+ goto out;
72673 -+ }
72674 -+#endif
72675 -+
72676 - /*
72677 - * Check if this process has the right to modify the specified
72678 - * process. The right exists if the process has administrative
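Review bot: this CONFIG_GRKERNSEC_PROC_MEMMAP block is a verbatim copy of the one added to migrate_pages in mm/mempolicy.c. A small shared inline helper taking `mm` would keep the two syscalls from drifting apart if the set of flags changes.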
72679 -@@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72680 - rcu_read_lock();
72681 - tcred = __task_cred(task);
72682 - if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72683 -- cred->uid != tcred->suid && cred->uid != tcred->uid &&
72684 -- !capable(CAP_SYS_NICE)) {
72685 -+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72686 - rcu_read_unlock();
72687 - err = -EPERM;
72688 - goto out;
72689 -diff -urNp linux-2.6.32.46/mm/mlock.c linux-2.6.32.46/mm/mlock.c
72690 ---- linux-2.6.32.46/mm/mlock.c 2011-03-27 14:31:47.000000000 -0400
72691 -+++ linux-2.6.32.46/mm/mlock.c 2011-04-17 15:56:46.000000000 -0400
72692 -@@ -13,6 +13,7 @@
72693 - #include <linux/pagemap.h>
72694 - #include <linux/mempolicy.h>
72695 - #include <linux/syscalls.h>
72696 -+#include <linux/security.h>
72697 - #include <linux/sched.h>
72698 - #include <linux/module.h>
72699 - #include <linux/rmap.h>
72700 -@@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
72701 - }
72702 - }
72703 -
72704 --static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
72705 --{
72706 -- return (vma->vm_flags & VM_GROWSDOWN) &&
72707 -- (vma->vm_start == addr) &&
72708 -- !vma_stack_continue(vma->vm_prev, addr);
72709 --}
72710 --
72711 - /**
72712 - * __mlock_vma_pages_range() - mlock a range of pages in the vma.
72713 - * @vma: target vma
72714 -@@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
72715 - if (vma->vm_flags & VM_WRITE)
72716 - gup_flags |= FOLL_WRITE;
72717 -
72718 -- /* We don't try to access the guard page of a stack vma */
72719 -- if (stack_guard_page(vma, start)) {
72720 -- addr += PAGE_SIZE;
72721 -- nr_pages--;
72722 -- }
72723 --
72724 - while (nr_pages > 0) {
72725 - int i;
72726 -
72727 -@@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
72728 - {
72729 - unsigned long nstart, end, tmp;
72730 - struct vm_area_struct * vma, * prev;
72731 -- int error;
72732 -+ int error = -EINVAL;
72733 -
72734 - len = PAGE_ALIGN(len);
72735 - end = start + len;
72736 -@@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
72737 - return -EINVAL;
72738 - if (end == start)
72739 - return 0;
72740 -+ if (end > TASK_SIZE)
72741 -+ return -EINVAL;
72742 -+
72743 - vma = find_vma_prev(current->mm, start, &prev);
72744 - if (!vma || vma->vm_start > start)
72745 - return -ENOMEM;
72746 -@@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
72747 - for (nstart = start ; ; ) {
72748 - unsigned int newflags;
72749 -
72750 -+#ifdef CONFIG_PAX_SEGMEXEC
72751 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72752 -+ break;
72753 -+#endif
72754 -+
72755 - /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72756 -
72757 - newflags = vma->vm_flags | VM_LOCKED;
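Review bot: the `break` on `vma->vm_start >= SEGMEXEC_TASK_SIZE` leaves the loop with whatever `error` holds at that point: -EINVAL from the new initialiser on the first pass, but the previous iteration's result on later passes, so a range that runs into the mirror half can stop early without reporting it. do_mbind() in this patch rejects `end > SEGMEXEC_TASK_SIZE` up front; doing the same here, next to the `end > TASK_SIZE` test added in the previous hunk, would make the outcome explicit.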
72758 -@@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72759 - lock_limit >>= PAGE_SHIFT;
72760 -
72761 - /* check against resource limits */
72762 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72763 - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72764 - error = do_mlock(start, len, 1);
72765 - up_write(&current->mm->mmap_sem);
72766 -@@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72767 - static int do_mlockall(int flags)
72768 - {
72769 - struct vm_area_struct * vma, * prev = NULL;
72770 -- unsigned int def_flags = 0;
72771 -
72772 - if (flags & MCL_FUTURE)
72773 -- def_flags = VM_LOCKED;
72774 -- current->mm->def_flags = def_flags;
72775 -+ current->mm->def_flags |= VM_LOCKED;
72776 -+ else
72777 -+ current->mm->def_flags &= ~VM_LOCKED;
72778 - if (flags == MCL_FUTURE)
72779 - goto out;
72780 -
72781 - for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72782 -- unsigned int newflags;
72783 -+ unsigned long newflags;
72784 -+
72785 -+#ifdef CONFIG_PAX_SEGMEXEC
72786 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72787 -+ break;
72788 -+#endif
72789 -
72790 -+ BUG_ON(vma->vm_end > TASK_SIZE);
72791 - newflags = vma->vm_flags | VM_LOCKED;
72792 - if (!(flags & MCL_CURRENT))
72793 - newflags &= ~VM_LOCKED;
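Review bot: `BUG_ON(vma->vm_end > TASK_SIZE)` inside the do_mlockall() loop turns a bookkeeping inconsistency into a kernel panic on a syscall path. If the condition is believed unreachable, a comment naming the invariant would help; otherwise skipping the vma with a warning is less drastic. Separately, the switch from assigning `def_flags` to setting or clearing only VM_LOCKED changes behaviour for any other bits held in `mm->def_flags` and should be mentioned in the patch description.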
72794 -@@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
72795 - lock_limit >>= PAGE_SHIFT;
72796 -
72797 - ret = -ENOMEM;
72798 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
72799 - if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72800 - capable(CAP_IPC_LOCK))
72801 - ret = do_mlockall(flags);
72802 -diff -urNp linux-2.6.32.46/mm/mmap.c linux-2.6.32.46/mm/mmap.c
72803 ---- linux-2.6.32.46/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
72804 -+++ linux-2.6.32.46/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
72805 -@@ -45,6 +45,16 @@
72806 - #define arch_rebalance_pgtables(addr, len) (addr)
72807 - #endif
72808 -
72809 -+static inline void verify_mm_writelocked(struct mm_struct *mm)
72810 -+{
72811 -+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72812 -+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72813 -+ up_read(&mm->mmap_sem);
72814 -+ BUG();
72815 -+ }
72816 -+#endif
72817 -+}
72818 -+
72819 - static void unmap_region(struct mm_struct *mm,
72820 - struct vm_area_struct *vma, struct vm_area_struct *prev,
72821 - unsigned long start, unsigned long end);
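Review bot: verify_mm_writelocked() only proves that a read lock could not be taken; it cannot tell whether the current task or some other task holds `mmap_sem` for writing. The name promises more than the check delivers, so add a comment stating that limitation, and note that the function compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set.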
72822 -@@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
72823 - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72824 - *
72825 - */
72826 --pgprot_t protection_map[16] = {
72827 -+pgprot_t protection_map[16] __read_only = {
72828 - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72829 - __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72830 - };
72831 -
72832 - pgprot_t vm_get_page_prot(unsigned long vm_flags)
72833 - {
72834 -- return __pgprot(pgprot_val(protection_map[vm_flags &
72835 -+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
72836 - (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
72837 - pgprot_val(arch_vm_get_page_prot(vm_flags)));
72838 -+
72839 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72840 -+ if (!nx_enabled &&
72841 -+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72842 -+ (vm_flags & (VM_READ | VM_WRITE)))
72843 -+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72844 -+#endif
72845 -+
72846 -+ return prot;
72847 - }
72848 - EXPORT_SYMBOL(vm_get_page_prot);
72849 -
72850 - int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
72851 - int sysctl_overcommit_ratio = 50; /* default is 50% */
72852 - int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
72853 -+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
72854 - struct percpu_counter vm_committed_as;
72855 -
72856 - /*
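Review bot: `sysctl_heap_stack_gap` is introduced with a bare `64*1024` and no comment on its unit or purpose. It is compared against address differences later in the patch, so it is a byte count; say so at the definition and explain what the gap protects. The PAGEEXEC condition in vm_get_page_prot(), `(vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC`, would also benefit from a comment that it selects PAGEEXEC-managed mappings that are not executable.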
72857 -@@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
72858 - struct vm_area_struct *next = vma->vm_next;
72859 -
72860 - might_sleep();
72861 -+ BUG_ON(vma->vm_mirror);
72862 - if (vma->vm_ops && vma->vm_ops->close)
72863 - vma->vm_ops->close(vma);
72864 - if (vma->vm_file) {
72865 -@@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
72866 - * not page aligned -Ram Gupta
72867 - */
72868 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
72869 -+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
72870 - if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
72871 - (mm->end_data - mm->start_data) > rlim)
72872 - goto out;
72873 -@@ -704,6 +726,12 @@ static int
72874 - can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72875 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72876 - {
72877 -+
72878 -+#ifdef CONFIG_PAX_SEGMEXEC
72879 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72880 -+ return 0;
72881 -+#endif
72882 -+
72883 - if (is_mergeable_vma(vma, file, vm_flags) &&
72884 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72885 - if (vma->vm_pgoff == vm_pgoff)
72886 -@@ -723,6 +751,12 @@ static int
72887 - can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72888 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72889 - {
72890 -+
72891 -+#ifdef CONFIG_PAX_SEGMEXEC
72892 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72893 -+ return 0;
72894 -+#endif
72895 -+
72896 - if (is_mergeable_vma(vma, file, vm_flags) &&
72897 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72898 - pgoff_t vm_pglen;
72899 -@@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
72900 - struct vm_area_struct *vma_merge(struct mm_struct *mm,
72901 - struct vm_area_struct *prev, unsigned long addr,
72902 - unsigned long end, unsigned long vm_flags,
72903 -- struct anon_vma *anon_vma, struct file *file,
72904 -+ struct anon_vma *anon_vma, struct file *file,
72905 - pgoff_t pgoff, struct mempolicy *policy)
72906 - {
72907 - pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72908 - struct vm_area_struct *area, *next;
72909 -
72910 -+#ifdef CONFIG_PAX_SEGMEXEC
72911 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72912 -+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72913 -+
72914 -+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72915 -+#endif
72916 -+
72917 - /*
72918 - * We later require that vma->vm_flags == vm_flags,
72919 - * so this tests vma->vm_flags & VM_SPECIAL, too.
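Review bot: the removed and re-added `struct anon_vma *anon_vma, struct file *file,` line differs only in whitespace and is unrelated to the SEGMEXEC change; drop it from this hunk to keep the diff minimal. `addr_m` and `end_m` are also computed for every mm, including ones without MF_PAX_SEGMEXEC, where the sums are meaningless; a comment that they are only used when a mirror vma exists would prevent misuse.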
72920 -@@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
72921 - if (next && next->vm_end == end) /* cases 6, 7, 8 */
72922 - next = next->vm_next;
72923 -
72924 -+#ifdef CONFIG_PAX_SEGMEXEC
72925 -+ if (prev)
72926 -+ prev_m = pax_find_mirror_vma(prev);
72927 -+ if (area)
72928 -+ area_m = pax_find_mirror_vma(area);
72929 -+ if (next)
72930 -+ next_m = pax_find_mirror_vma(next);
72931 -+#endif
72932 -+
72933 - /*
72934 - * Can it merge with the predecessor?
72935 - */
72936 -@@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
72937 - /* cases 1, 6 */
72938 - vma_adjust(prev, prev->vm_start,
72939 - next->vm_end, prev->vm_pgoff, NULL);
72940 -- } else /* cases 2, 5, 7 */
72941 -+
72942 -+#ifdef CONFIG_PAX_SEGMEXEC
72943 -+ if (prev_m)
72944 -+ vma_adjust(prev_m, prev_m->vm_start,
72945 -+ next_m->vm_end, prev_m->vm_pgoff, NULL);
72946 -+#endif
72947 -+
72948 -+ } else { /* cases 2, 5, 7 */
72949 - vma_adjust(prev, prev->vm_start,
72950 - end, prev->vm_pgoff, NULL);
72951 -+
72952 -+#ifdef CONFIG_PAX_SEGMEXEC
72953 -+ if (prev_m)
72954 -+ vma_adjust(prev_m, prev_m->vm_start,
72955 -+ end_m, prev_m->vm_pgoff, NULL);
72956 -+#endif
72957 -+
72958 -+ }
72959 - return prev;
72960 - }
72961 -
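Review bot: in the cases 1, 6 branch the mirror adjustment dereferences `next_m->vm_end` under a guard that only tests `prev_m`. `next_m` comes from `pax_find_mirror_vma(next)`, which can return NULL, so the code depends on the unstated invariant that mergeable neighbours are either both mirrored or both not. Make that explicit with a check on `next_m` in the same style the patch uses elsewhere, or with a comment. The return value of the added vma_adjust() calls is ignored as well.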
72962 -@@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
72963 - mpol_equal(policy, vma_policy(next)) &&
72964 - can_vma_merge_before(next, vm_flags,
72965 - anon_vma, file, pgoff+pglen)) {
72966 -- if (prev && addr < prev->vm_end) /* case 4 */
72967 -+ if (prev && addr < prev->vm_end) { /* case 4 */
72968 - vma_adjust(prev, prev->vm_start,
72969 - addr, prev->vm_pgoff, NULL);
72970 -- else /* cases 3, 8 */
72971 -+
72972 -+#ifdef CONFIG_PAX_SEGMEXEC
72973 -+ if (prev_m)
72974 -+ vma_adjust(prev_m, prev_m->vm_start,
72975 -+ addr_m, prev_m->vm_pgoff, NULL);
72976 -+#endif
72977 -+
72978 -+ } else { /* cases 3, 8 */
72979 - vma_adjust(area, addr, next->vm_end,
72980 - next->vm_pgoff - pglen, NULL);
72981 -+
72982 -+#ifdef CONFIG_PAX_SEGMEXEC
72983 -+ if (area_m)
72984 -+ vma_adjust(area_m, addr_m, next_m->vm_end,
72985 -+ next_m->vm_pgoff - pglen, NULL);
72986 -+#endif
72987 -+
72988 -+ }
72989 - return area;
72990 - }
72991 -
72992 -@@ -898,14 +978,11 @@ none:
72993 - void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72994 - struct file *file, long pages)
72995 - {
72996 -- const unsigned long stack_flags
72997 -- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72998 --
72999 - if (file) {
73000 - mm->shared_vm += pages;
73001 - if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
73002 - mm->exec_vm += pages;
73003 -- } else if (flags & stack_flags)
73004 -+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
73005 - mm->stack_vm += pages;
73006 - if (flags & (VM_RESERVED|VM_IO))
73007 - mm->reserved_vm += pages;
73008 -@@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
73009 - * (the exception is when the underlying filesystem is noexec
73010 - * mounted, in which case we dont add PROT_EXEC.)
73011 - */
73012 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73013 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73014 - if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
73015 - prot |= PROT_EXEC;
73016 -
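Review bot: widening the test to `prot & (PROT_READ | PROT_WRITE)` makes a write-only request executable when the READ_IMPLIES_EXEC personality is set, which is a surprising direction for a hardening patch and is not explained. The surrounding comment still describes the old PROT_READ-only rule; update it and state why PROT_WRITE is included.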
73017 -@@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
73018 - /* Obtain the address to map to. we verify (or select) it and ensure
73019 - * that it represents a valid section of the address space.
73020 - */
73021 -- addr = get_unmapped_area(file, addr, len, pgoff, flags);
73022 -+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
73023 - if (addr & ~PAGE_MASK)
73024 - return addr;
73025 -
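Review bot: the new get_unmapped_area() argument reuses MAP_EXECUTABLE as an internal signal for "PROT_EXEC was requested", so downstream code can no longer distinguish it from a caller that passed MAP_EXECUTABLE itself. Document the convention at this call site, and split the line, which is well over the usual width.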
73026 -@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
73027 - vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
73028 - mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
73029 -
73030 -+#ifdef CONFIG_PAX_MPROTECT
73031 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
73032 -+#ifndef CONFIG_PAX_MPROTECT_COMPAT
73033 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
73034 -+ gr_log_rwxmmap(file);
73035 -+
73036 -+#ifdef CONFIG_PAX_EMUPLT
73037 -+ vm_flags &= ~VM_EXEC;
73038 -+#else
73039 -+ return -EPERM;
73040 -+#endif
73041 -+
73042 -+ }
73043 -+
73044 -+ if (!(vm_flags & VM_EXEC))
73045 -+ vm_flags &= ~VM_MAYEXEC;
73046 -+#else
73047 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73048 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73049 -+#endif
73050 -+ else
73051 -+ vm_flags &= ~VM_MAYWRITE;
73052 -+ }
73053 -+#endif
73054 -+
73055 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73056 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
73057 -+ vm_flags &= ~VM_PAGEEXEC;
73058 -+#endif
73059 -+
73060 - if (flags & MAP_LOCKED)
73061 - if (!can_do_mlock())
73062 - return -EPERM;
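Review bot: the trailing `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` attaches to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT: to `if (!(vm_flags & VM_EXEC))` in one build and to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` in the other. That is very hard to verify by reading. Give each preprocessor branch its own complete if/else, even at the cost of repeating the one-line else body.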
73063 -@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
73064 - locked += mm->locked_vm;
73065 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
73066 - lock_limit >>= PAGE_SHIFT;
73067 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73068 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73069 - return -EAGAIN;
73070 - }
73071 -@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
73072 - if (error)
73073 - return error;
73074 -
73075 -+ if (!gr_acl_handle_mmap(file, prot))
73076 -+ return -EACCES;
73077 -+
73078 - return mmap_region(file, addr, len, flags, vm_flags, pgoff);
73079 - }
73080 - EXPORT_SYMBOL(do_mmap_pgoff);
73081 -@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
73082 - */
73083 - int vma_wants_writenotify(struct vm_area_struct *vma)
73084 - {
73085 -- unsigned int vm_flags = vma->vm_flags;
73086 -+ unsigned long vm_flags = vma->vm_flags;
73087 -
73088 - /* If it was private or non-writable, the write bit is already clear */
73089 -- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
73090 -+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
73091 - return 0;
73092 -
73093 - /* The backer wishes to know when pages are first written to? */
73094 -@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
73095 - unsigned long charged = 0;
73096 - struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
73097 -
73098 -+#ifdef CONFIG_PAX_SEGMEXEC
73099 -+ struct vm_area_struct *vma_m = NULL;
73100 -+#endif
73101 -+
73102 -+ /*
73103 -+ * mm->mmap_sem is required to protect against another thread
73104 -+ * changing the mappings in case we sleep.
73105 -+ */
73106 -+ verify_mm_writelocked(mm);
73107 -+
73108 - /* Clear old maps */
73109 - error = -ENOMEM;
73110 --munmap_back:
73111 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73112 - if (vma && vma->vm_start < addr + len) {
73113 - if (do_munmap(mm, addr, len))
73114 - return -ENOMEM;
73115 -- goto munmap_back;
73116 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73117 -+ BUG_ON(vma && vma->vm_start < addr + len);
73118 - }
73119 -
73120 - /* Check against address space limit. */
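Review bot: replacing the `goto munmap_back` retry with a single second lookup plus `BUG_ON(vma && vma->vm_start < addr + len)` is only sound while `mmap_sem` is held for writing, but the BUG_ON is unconditional whereas verify_mm_writelocked() checks the lock only under CONFIG_DEBUG_VM or CONFIG_PAX. State the locking requirement in the comment above the call so the dependency between the two is visible.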
73121 -@@ -1173,6 +1294,16 @@ munmap_back:
73122 - goto unacct_error;
73123 - }
73124 -
73125 -+#ifdef CONFIG_PAX_SEGMEXEC
73126 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
73127 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73128 -+ if (!vma_m) {
73129 -+ error = -ENOMEM;
73130 -+ goto free_vma;
73131 -+ }
73132 -+ }
73133 -+#endif
73134 -+
73135 - vma->vm_mm = mm;
73136 - vma->vm_start = addr;
73137 - vma->vm_end = addr + len;
73138 -@@ -1195,6 +1326,19 @@ munmap_back:
73139 - error = file->f_op->mmap(file, vma);
73140 - if (error)
73141 - goto unmap_and_free_vma;
73142 -+
73143 -+#ifdef CONFIG_PAX_SEGMEXEC
73144 -+ if (vma_m && (vm_flags & VM_EXECUTABLE))
73145 -+ added_exe_file_vma(mm);
73146 -+#endif
73147 -+
73148 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73149 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
73150 -+ vma->vm_flags |= VM_PAGEEXEC;
73151 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73152 -+ }
73153 -+#endif
73154 -+
73155 - if (vm_flags & VM_EXECUTABLE)
73156 - added_exe_file_vma(mm);
73157 -
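Review bot: with a mirror present and VM_EXECUTABLE set, `added_exe_file_vma(mm)` now runs twice, once in the new SEGMEXEC block and once in the unchanged lines right after it. If the second count is meant to account for the mirror vma, a comment should say so and point at where the matching decrement happens; otherwise this looks like an accidental double increment.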
73158 -@@ -1218,6 +1362,11 @@ munmap_back:
73159 - vma_link(mm, vma, prev, rb_link, rb_parent);
73160 - file = vma->vm_file;
73161 -
73162 -+#ifdef CONFIG_PAX_SEGMEXEC
73163 -+ if (vma_m)
73164 -+ pax_mirror_vma(vma_m, vma);
73165 -+#endif
73166 -+
73167 - /* Once vma denies write, undo our temporary denial count */
73168 - if (correct_wcount)
73169 - atomic_inc(&inode->i_writecount);
73170 -@@ -1226,6 +1375,7 @@ out:
73171 -
73172 - mm->total_vm += len >> PAGE_SHIFT;
73173 - vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
73174 -+ track_exec_limit(mm, addr, addr + len, vm_flags);
73175 - if (vm_flags & VM_LOCKED) {
73176 - /*
73177 - * makes pages present; downgrades, drops, reacquires mmap_sem
73178 -@@ -1248,6 +1398,12 @@ unmap_and_free_vma:
73179 - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
73180 - charged = 0;
73181 - free_vma:
73182 -+
73183 -+#ifdef CONFIG_PAX_SEGMEXEC
73184 -+ if (vma_m)
73185 -+ kmem_cache_free(vm_area_cachep, vma_m);
73186 -+#endif
73187 -+
73188 - kmem_cache_free(vm_area_cachep, vma);
73189 - unacct_error:
73190 - if (charged)
73191 -@@ -1255,6 +1411,44 @@ unacct_error:
73192 - return error;
73193 - }
73194 -
73195 -+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
73196 -+{
73197 -+ if (!vma) {
73198 -+#ifdef CONFIG_STACK_GROWSUP
73199 -+ if (addr > sysctl_heap_stack_gap)
73200 -+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
73201 -+ else
73202 -+ vma = find_vma(current->mm, 0);
73203 -+ if (vma && (vma->vm_flags & VM_GROWSUP))
73204 -+ return false;
73205 -+#endif
73206 -+ return true;
73207 -+ }
73208 -+
73209 -+ if (addr + len > vma->vm_start)
73210 -+ return false;
73211 -+
73212 -+ if (vma->vm_flags & VM_GROWSDOWN)
73213 -+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
73214 -+#ifdef CONFIG_STACK_GROWSUP
73215 -+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
73216 -+ return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
73217 -+#endif
73218 -+
73219 -+ return true;
73220 -+}
73221 -+
73222 -+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
73223 -+{
73224 -+ if (vma->vm_start < len)
73225 -+ return -ENOMEM;
73226 -+ if (!(vma->vm_flags & VM_GROWSDOWN))
73227 -+ return vma->vm_start - len;
73228 -+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
73229 -+ return vma->vm_start - len - sysctl_heap_stack_gap;
73230 -+ return -ENOMEM;
73231 -+}
73232 -+
73233 - /* Get an address range which is currently unmapped.
73234 - * For shmat() with addr=0.
73235 - *
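Review bot: in check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, which is true when the distance is at most the gap, while the VM_GROWSDOWN branch just above returns true when the gap fits (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). The two comparisons point in opposite directions; please confirm the GROWSUP one is intended. Both new functions also lack a comment describing their contract, in particular that skip_heap_stack_gap() returns -ENOMEM in an `unsigned long` and callers must test it with IS_ERR_VALUE().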
73236 -@@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
73237 - if (flags & MAP_FIXED)
73238 - return addr;
73239 -
73240 -+#ifdef CONFIG_PAX_RANDMMAP
73241 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73242 -+#endif
73243 -+
73244 - if (addr) {
73245 - addr = PAGE_ALIGN(addr);
73246 -- vma = find_vma(mm, addr);
73247 -- if (TASK_SIZE - len >= addr &&
73248 -- (!vma || addr + len <= vma->vm_start))
73249 -- return addr;
73250 -+ if (TASK_SIZE - len >= addr) {
73251 -+ vma = find_vma(mm, addr);
73252 -+ if (check_heap_stack_gap(vma, addr, len))
73253 -+ return addr;
73254 -+ }
73255 - }
73256 - if (len > mm->cached_hole_size) {
73257 -- start_addr = addr = mm->free_area_cache;
73258 -+ start_addr = addr = mm->free_area_cache;
73259 - } else {
73260 -- start_addr = addr = TASK_UNMAPPED_BASE;
73261 -- mm->cached_hole_size = 0;
73262 -+ start_addr = addr = mm->mmap_base;
73263 -+ mm->cached_hole_size = 0;
73264 - }
73265 -
73266 - full_search:
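Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines make the whole `if (addr) { ... }` block the body of a conditionally compiled `if`, separated from it by a blank line. The effect, that an address hint is ignored for RANDMMAP tasks, is a behaviour change that deserves a comment, and the construct would be safer as one combined condition. The hunk also mixes whitespace-only changes to the `start_addr`/`cached_hole_size` lines with the TASK_UNMAPPED_BASE to `mm->mmap_base` switch.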
73267 -@@ -1303,34 +1502,40 @@ full_search:
73268 - * Start a new search - just in case we missed
73269 - * some holes.
73270 - */
73271 -- if (start_addr != TASK_UNMAPPED_BASE) {
73272 -- addr = TASK_UNMAPPED_BASE;
73273 -- start_addr = addr;
73274 -+ if (start_addr != mm->mmap_base) {
73275 -+ start_addr = addr = mm->mmap_base;
73276 - mm->cached_hole_size = 0;
73277 - goto full_search;
73278 - }
73279 - return -ENOMEM;
73280 - }
73281 -- if (!vma || addr + len <= vma->vm_start) {
73282 -- /*
73283 -- * Remember the place where we stopped the search:
73284 -- */
73285 -- mm->free_area_cache = addr + len;
73286 -- return addr;
73287 -- }
73288 -+ if (check_heap_stack_gap(vma, addr, len))
73289 -+ break;
73290 - if (addr + mm->cached_hole_size < vma->vm_start)
73291 - mm->cached_hole_size = vma->vm_start - addr;
73292 - addr = vma->vm_end;
73293 - }
73294 -+
73295 -+ /*
73296 -+ * Remember the place where we stopped the search:
73297 -+ */
73298 -+ mm->free_area_cache = addr + len;
73299 -+ return addr;
73300 - }
73301 - #endif
73302 -
73303 - void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73304 - {
73305 -+
73306 -+#ifdef CONFIG_PAX_SEGMEXEC
73307 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73308 -+ return;
73309 -+#endif
73310 -+
73311 - /*
73312 - * Is this a new hole at the lowest possible address?
73313 - */
73314 -- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73315 -+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73316 - mm->free_area_cache = addr;
73317 - mm->cached_hole_size = ~0UL;
73318 - }
73319 -@@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
73320 - {
73321 - struct vm_area_struct *vma;
73322 - struct mm_struct *mm = current->mm;
73323 -- unsigned long addr = addr0;
73324 -+ unsigned long base = mm->mmap_base, addr = addr0;
73325 -
73326 - /* requested length too big for entire address space */
73327 - if (len > TASK_SIZE)
73328 -@@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
73329 - if (flags & MAP_FIXED)
73330 - return addr;
73331 -
73332 -+#ifdef CONFIG_PAX_RANDMMAP
73333 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73334 -+#endif
73335 -+
73336 - /* requesting a specific address */
73337 - if (addr) {
73338 - addr = PAGE_ALIGN(addr);
73339 -- vma = find_vma(mm, addr);
73340 -- if (TASK_SIZE - len >= addr &&
73341 -- (!vma || addr + len <= vma->vm_start))
73342 -- return addr;
73343 -+ if (TASK_SIZE - len >= addr) {
73344 -+ vma = find_vma(mm, addr);
73345 -+ if (check_heap_stack_gap(vma, addr, len))
73346 -+ return addr;
73347 -+ }
73348 - }
73349 -
73350 - /* check if free_area_cache is useful for us */
73351 -@@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
73352 - /* make sure it can fit in the remaining address space */
73353 - if (addr > len) {
73354 - vma = find_vma(mm, addr-len);
73355 -- if (!vma || addr <= vma->vm_start)
73356 -+ if (check_heap_stack_gap(vma, addr - len, len))
73357 - /* remember the address as a hint for next time */
73358 - return (mm->free_area_cache = addr-len);
73359 - }
73360 -@@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
73361 - * return with success:
73362 - */
73363 - vma = find_vma(mm, addr);
73364 -- if (!vma || addr+len <= vma->vm_start)
73365 -+ if (check_heap_stack_gap(vma, addr, len))
73366 - /* remember the address as a hint for next time */
73367 - return (mm->free_area_cache = addr);
73368 -
73369 -@@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
73370 - mm->cached_hole_size = vma->vm_start - addr;
73371 -
73372 - /* try just below the current vma->vm_start */
73373 -- addr = vma->vm_start-len;
73374 -- } while (len < vma->vm_start);
73375 -+ addr = skip_heap_stack_gap(vma, len);
73376 -+ } while (!IS_ERR_VALUE(addr));
73377 -
73378 - bottomup:
73379 - /*
73380 -@@ -1414,13 +1624,21 @@ bottomup:
73381 - * can happen with large stack limits and large mmap()
73382 - * allocations.
73383 - */
73384 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
73385 -+
73386 -+#ifdef CONFIG_PAX_RANDMMAP
73387 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
73388 -+ mm->mmap_base += mm->delta_mmap;
73389 -+#endif
73390 -+
73391 -+ mm->free_area_cache = mm->mmap_base;
73392 - mm->cached_hole_size = ~0UL;
73393 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
73394 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73395 - /*
73396 - * Restore the topdown base:
73397 - */
73398 -- mm->free_area_cache = mm->mmap_base;
73399 -+ mm->mmap_base = base;
73400 -+ mm->free_area_cache = base;
73401 - mm->cached_hole_size = ~0UL;
73402 -
73403 - return addr;
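Review bot: the bottom-up fallback now overwrites `mm->mmap_base` for the duration of the arch_get_unmapped_area() call and restores it from `base` afterwards. Add a comment that this is a temporary override and that it relies on no other reader of `mm->mmap_base` running in between, since other functions in this patch compare addresses against that field.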
73404 -@@ -1429,6 +1647,12 @@ bottomup:
73405 -
73406 - void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73407 - {
73408 -+
73409 -+#ifdef CONFIG_PAX_SEGMEXEC
73410 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73411 -+ return;
73412 -+#endif
73413 -+
73414 - /*
73415 - * Is this a new hole at the highest possible address?
73416 - */
73417 -@@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
73418 - mm->free_area_cache = addr;
73419 -
73420 - /* dont allow allocations above current base */
73421 -- if (mm->free_area_cache > mm->mmap_base)
73422 -+ if (mm->free_area_cache > mm->mmap_base) {
73423 - mm->free_area_cache = mm->mmap_base;
73424 -+ mm->cached_hole_size = ~0UL;
73425 -+ }
73426 - }
73427 -
73428 - unsigned long
73429 -@@ -1545,6 +1771,27 @@ out:
73430 - return prev ? prev->vm_next : vma;
73431 - }
73432 -
73433 -+#ifdef CONFIG_PAX_SEGMEXEC
73434 -+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73435 -+{
73436 -+ struct vm_area_struct *vma_m;
73437 -+
73438 -+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73439 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73440 -+ BUG_ON(vma->vm_mirror);
73441 -+ return NULL;
73442 -+ }
73443 -+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73444 -+ vma_m = vma->vm_mirror;
73445 -+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73446 -+ BUG_ON(vma->vm_file != vma_m->vm_file);
73447 -+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73448 -+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
73449 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73450 -+ return vma_m;
73451 -+}
73452 -+#endif
73453 -+
73454 - /*
73455 - * Verify that the stack growth is acceptable and
73456 - * update accounting. This is shared with both the
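Review bot: pax_find_mirror_vma() is a lookup helper that can panic in seven different ways, and it has no comment describing its contract. Document that it returns NULL for non-SEGMEXEC or non-executable vmas, which locks the caller must hold, and which invariants between a vma and its mirror the BUG_ON()s enforce (same file, length, pgoff and anon_vma, flags equal apart from the listed bits).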
73457 -@@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
73458 - return -ENOMEM;
73459 -
73460 - /* Stack limit test */
73461 -+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
73462 - if (size > rlim[RLIMIT_STACK].rlim_cur)
73463 - return -ENOMEM;
73464 -
73465 -@@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
73466 - unsigned long limit;
73467 - locked = mm->locked_vm + grow;
73468 - limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
73469 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73470 - if (locked > limit && !capable(CAP_IPC_LOCK))
73471 - return -ENOMEM;
73472 - }
73473 -@@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
73474 - * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73475 - * vma is the last one with address > vma->vm_end. Have to extend vma.
73476 - */
73477 -+#ifndef CONFIG_IA64
73478 -+static
73479 -+#endif
73480 - int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73481 - {
73482 - int error;
73483 -+ bool locknext;
73484 -
73485 - if (!(vma->vm_flags & VM_GROWSUP))
73486 - return -EFAULT;
73487 -
73488 -+ /* Also guard against wrapping around to address 0. */
73489 -+ if (address < PAGE_ALIGN(address+1))
73490 -+ address = PAGE_ALIGN(address+1);
73491 -+ else
73492 -+ return -ENOMEM;
73493 -+
73494 - /*
73495 - * We must make sure the anon_vma is allocated
73496 - * so that the anon_vma locking is not a noop.
73497 - */
73498 - if (unlikely(anon_vma_prepare(vma)))
73499 - return -ENOMEM;
73500 -+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73501 -+ if (locknext && anon_vma_prepare(vma->vm_next))
73502 -+ return -ENOMEM;
73503 - anon_vma_lock(vma);
73504 -+ if (locknext)
73505 -+ anon_vma_lock(vma->vm_next);
73506 -
73507 - /*
73508 - * vma->vm_start/vm_end cannot change under us because the caller
73509 - * is required to hold the mmap_sem in read mode. We need the
73510 -- * anon_vma lock to serialize against concurrent expand_stacks.
73511 -- * Also guard against wrapping around to address 0.
73512 -+ * anon_vma locks to serialize against concurrent expand_stacks
73513 -+ * and expand_upwards.
73514 - */
73515 -- if (address < PAGE_ALIGN(address+4))
73516 -- address = PAGE_ALIGN(address+4);
73517 -- else {
73518 -- anon_vma_unlock(vma);
73519 -- return -ENOMEM;
73520 -- }
73521 - error = 0;
73522 -
73523 - /* Somebody else might have raced and expanded it already */
73524 -- if (address > vma->vm_end) {
73525 -+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73526 -+ error = -ENOMEM;
73527 -+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73528 - unsigned long size, grow;
73529 -
73530 - size = address - vma->vm_start;
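Review bot: in expand_upwards(), the new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it only works if `address` never exceeds `vma->vm_next->vm_start`. If it did, the difference would wrap to a large value, the gap test would pass, and the following `else if` checks `vma->vm_next->vm_start >= address` only when `locknext` is set. Compare `address` against `vma->vm_next->vm_start` explicitly before subtracting, or add a comment naming the caller guarantee this relies on.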
73531 -@@ -1640,6 +1900,8 @@ int expand_upwards(struct vm_area_struct
73532 - if (!error)
73533 - vma->vm_end = address;
73534 - }
73535 -+ if (locknext)
73536 -+ anon_vma_unlock(vma->vm_next);
73537 - anon_vma_unlock(vma);
73538 - return error;
73539 - }
73540 -@@ -1652,6 +1914,8 @@ static int expand_downwards(struct vm_ar
73541 - unsigned long address)
73542 - {
73543 - int error;
73544 -+ bool lockprev = false;
73545 -+ struct vm_area_struct *prev;
73546 -
73547 - /*
73548 - * We must make sure the anon_vma is allocated
73549 -@@ -1665,6 +1929,15 @@ static int expand_downwards(struct vm_ar
73550 - if (error)
73551 - return error;
73552 -
73553 -+ prev = vma->vm_prev;
73554 -+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73555 -+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73556 -+#endif
73557 -+ if (lockprev && anon_vma_prepare(prev))
73558 -+ return -ENOMEM;
73559 -+ if (lockprev)
73560 -+ anon_vma_lock(prev);
73561 -+
73562 - anon_vma_lock(vma);
73563 -
73564 - /*
73565 -@@ -1674,9 +1947,17 @@ static int expand_downwards(struct vm_ar
73566 - */
73567 -
73568 - /* Somebody else might have raced and expanded it already */
73569 -- if (address < vma->vm_start) {
73570 -+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73571 -+ error = -ENOMEM;
73572 -+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73573 - unsigned long size, grow;
73574 -
73575 -+#ifdef CONFIG_PAX_SEGMEXEC
73576 -+ struct vm_area_struct *vma_m;
73577 -+
73578 -+ vma_m = pax_find_mirror_vma(vma);
73579 -+#endif
73580 -+
73581 - size = vma->vm_end - address;
73582 - grow = (vma->vm_start - address) >> PAGE_SHIFT;
73583 -
73584 -@@ -1684,9 +1965,20 @@ static int expand_downwards(struct vm_ar
73585 - if (!error) {
73586 - vma->vm_start = address;
73587 - vma->vm_pgoff -= grow;
73588 -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73589 -+
73590 -+#ifdef CONFIG_PAX_SEGMEXEC
73591 -+ if (vma_m) {
73592 -+ vma_m->vm_start -= grow << PAGE_SHIFT;
73593 -+ vma_m->vm_pgoff -= grow;
73594 -+ }
73595 -+#endif
73596 -+
73597 - }
73598 - }
73599 - anon_vma_unlock(vma);
73600 -+ if (lockprev)
73601 -+ anon_vma_unlock(prev);
73602 - return error;
73603 - }
73604 -
73605 -@@ -1762,6 +2054,13 @@ static void remove_vma_list(struct mm_st
73606 - do {
73607 - long nrpages = vma_pages(vma);
73608 -
73609 -+#ifdef CONFIG_PAX_SEGMEXEC
73610 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73611 -+ vma = remove_vma(vma);
73612 -+ continue;
73613 -+ }
73614 -+#endif
73615 -+
73616 - mm->total_vm -= nrpages;
73617 - vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73618 - vma = remove_vma(vma);
73619 -@@ -1807,6 +2106,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73620 - insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73621 - vma->vm_prev = NULL;
73622 - do {
73623 -+
73624 -+#ifdef CONFIG_PAX_SEGMEXEC
73625 -+ if (vma->vm_mirror) {
73626 -+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73627 -+ vma->vm_mirror->vm_mirror = NULL;
73628 -+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
73629 -+ vma->vm_mirror = NULL;
73630 -+ }
73631 -+#endif
73632 -+
73633 - rb_erase(&vma->vm_rb, &mm->mm_rb);
73634 - mm->map_count--;
73635 - tail_vma = vma;
73636 -@@ -1834,10 +2143,25 @@ int split_vma(struct mm_struct * mm, str
73637 - struct mempolicy *pol;
73638 - struct vm_area_struct *new;
73639 -
73640 -+#ifdef CONFIG_PAX_SEGMEXEC
73641 -+ struct vm_area_struct *vma_m, *new_m = NULL;
73642 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73643 -+#endif
73644 -+
73645 - if (is_vm_hugetlb_page(vma) && (addr &
73646 - ~(huge_page_mask(hstate_vma(vma)))))
73647 - return -EINVAL;
73648 -
73649 -+#ifdef CONFIG_PAX_SEGMEXEC
73650 -+ vma_m = pax_find_mirror_vma(vma);
73651 -+
73652 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73653 -+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
73654 -+ if (mm->map_count >= sysctl_max_map_count-1)
73655 -+ return -ENOMEM;
73656 -+ } else
73657 -+#endif
73658 -+
73659 - if (mm->map_count >= sysctl_max_map_count)
73660 - return -ENOMEM;
73661 -
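Review bot: in split_vma(), the `} else` placed directly before `#endif` makes the unconditional `if (mm->map_count >= sysctl_max_map_count)` its else-branch only when CONFIG_PAX_SEGMEXEC is set, with a blank line in between. Any statement later inserted after the `#endif` would silently become the else body instead. Computing the limit into a local and doing one comparison would avoid this. The `-1` is also applied to every SEGMEXEC mm, whether or not `vma_m` is non-NULL, and a comment should say what the extra slot is reserved for.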
73662 -@@ -1845,6 +2169,16 @@ int split_vma(struct mm_struct * mm, str
73663 - if (!new)
73664 - return -ENOMEM;
73665 -
73666 -+#ifdef CONFIG_PAX_SEGMEXEC
73667 -+ if (vma_m) {
73668 -+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73669 -+ if (!new_m) {
73670 -+ kmem_cache_free(vm_area_cachep, new);
73671 -+ return -ENOMEM;
73672 -+ }
73673 -+ }
73674 -+#endif
73675 -+
73676 - /* most fields are the same, copy all, and then fixup */
73677 - *new = *vma;
73678 -
73679 -@@ -1855,8 +2189,29 @@ int split_vma(struct mm_struct * mm, str
73680 - new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73681 - }
73682 -
73683 -+#ifdef CONFIG_PAX_SEGMEXEC
73684 -+ if (vma_m) {
73685 -+ *new_m = *vma_m;
73686 -+ new_m->vm_mirror = new;
73687 -+ new->vm_mirror = new_m;
73688 -+
73689 -+ if (new_below)
73690 -+ new_m->vm_end = addr_m;
73691 -+ else {
73692 -+ new_m->vm_start = addr_m;
73693 -+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73694 -+ }
73695 -+ }
73696 -+#endif
73697 -+
73698 - pol = mpol_dup(vma_policy(vma));
73699 - if (IS_ERR(pol)) {
73700 -+
73701 -+#ifdef CONFIG_PAX_SEGMEXEC
73702 -+ if (new_m)
73703 -+ kmem_cache_free(vm_area_cachep, new_m);
73704 -+#endif
73705 -+
73706 - kmem_cache_free(vm_area_cachep, new);
73707 - return PTR_ERR(pol);
73708 - }
73709 -@@ -1877,6 +2232,28 @@ int split_vma(struct mm_struct * mm, str
73710 - else
73711 - vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73712 -
73713 -+#ifdef CONFIG_PAX_SEGMEXEC
73714 -+ if (vma_m) {
73715 -+ mpol_get(pol);
73716 -+ vma_set_policy(new_m, pol);
73717 -+
73718 -+ if (new_m->vm_file) {
73719 -+ get_file(new_m->vm_file);
73720 -+ if (vma_m->vm_flags & VM_EXECUTABLE)
73721 -+ added_exe_file_vma(mm);
73722 -+ }
73723 -+
73724 -+ if (new_m->vm_ops && new_m->vm_ops->open)
73725 -+ new_m->vm_ops->open(new_m);
73726 -+
73727 -+ if (new_below)
73728 -+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73729 -+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73730 -+ else
73731 -+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73732 -+ }
73733 -+#endif
73734 -+
73735 - return 0;
73736 - }
73737 -
73738 -@@ -1885,11 +2262,30 @@ int split_vma(struct mm_struct * mm, str
73739 - * work. This now handles partial unmappings.
73740 - * Jeremy Fitzhardinge <jeremy@××××.org>
73741 - */
73742 -+#ifdef CONFIG_PAX_SEGMEXEC
73743 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73744 -+{
73745 -+ int ret = __do_munmap(mm, start, len);
73746 -+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73747 -+ return ret;
73748 -+
73749 -+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73750 -+}
73751 -+
73752 -+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73753 -+#else
73754 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73755 -+#endif
73756 - {
73757 - unsigned long end;
73758 - struct vm_area_struct *vma, *prev, *last;
73759 -
73760 -+ /*
73761 -+ * mm->mmap_sem is required to protect against another thread
73762 -+ * changing the mappings in case we sleep.
73763 -+ */
73764 -+ verify_mm_writelocked(mm);
73765 -+
73766 - if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73767 - return -EINVAL;
73768 -
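Review bot: in the SEGMEXEC do_munmap() wrapper, an error from the second call, `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)`, is returned after the first call has already removed the primary range, so the caller sees a failure for an unmap that has partly happened. Add a comment stating what state the address space is in on that path and whether callers may retry, or make the failure impossible by reserving what the second call needs before the first one runs.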
73769 -@@ -1953,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
73770 - /* Fix up all other VM information */
73771 - remove_vma_list(mm, vma);
73772 -
73773 -+ track_exec_limit(mm, start, end, 0UL);
73774 -+
73775 - return 0;
73776 - }
73777 -
73778 -@@ -1965,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
73779 -
73780 - profile_munmap(addr);
73781 -
73782 -+#ifdef CONFIG_PAX_SEGMEXEC
73783 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73784 -+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73785 -+ return -EINVAL;
73786 -+#endif
73787 -+
73788 - down_write(&mm->mmap_sem);
73789 - ret = do_munmap(mm, addr, len);
73790 - up_write(&mm->mmap_sem);
73791 - return ret;
73792 - }
73793 -
73794 --static inline void verify_mm_writelocked(struct mm_struct *mm)
73795 --{
73796 --#ifdef CONFIG_DEBUG_VM
73797 -- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73798 -- WARN_ON(1);
73799 -- up_read(&mm->mmap_sem);
73800 -- }
73801 --#endif
73802 --}
73803 --
73804 - /*
73805 - * this is really a simplified "do_mmap". it only handles
73806 - * anonymous maps. eventually we may be able to do some
73807 -@@ -1994,6 +2388,7 @@ unsigned long do_brk(unsigned long addr,
73808 - struct rb_node ** rb_link, * rb_parent;
73809 - pgoff_t pgoff = addr >> PAGE_SHIFT;
73810 - int error;
73811 -+ unsigned long charged;
73812 -
73813 - len = PAGE_ALIGN(len);
73814 - if (!len)
73815 -@@ -2005,16 +2400,30 @@ unsigned long do_brk(unsigned long addr,
73816 -
73817 - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73818 -
73819 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73820 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73821 -+ flags &= ~VM_EXEC;
73822 -+
73823 -+#ifdef CONFIG_PAX_MPROTECT
73824 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
73825 -+ flags &= ~VM_MAYEXEC;
73826 -+#endif
73827 -+
73828 -+ }
73829 -+#endif
73830 -+
73831 - error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
73832 - if (error & ~PAGE_MASK)
73833 - return error;
73834 -
73835 -+ charged = len >> PAGE_SHIFT;
73836 -+
73837 - /*
73838 - * mlock MCL_FUTURE?
73839 - */
73840 - if (mm->def_flags & VM_LOCKED) {
73841 - unsigned long locked, lock_limit;
73842 -- locked = len >> PAGE_SHIFT;
73843 -+ locked = charged;
73844 - locked += mm->locked_vm;
73845 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
73846 - lock_limit >>= PAGE_SHIFT;
73847 -@@ -2031,22 +2440,22 @@ unsigned long do_brk(unsigned long addr,
73848 - /*
73849 - * Clear old maps. this also does some error checking for us
73850 - */
73851 -- munmap_back:
73852 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73853 - if (vma && vma->vm_start < addr + len) {
73854 - if (do_munmap(mm, addr, len))
73855 - return -ENOMEM;
73856 -- goto munmap_back;
73857 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73858 -+ BUG_ON(vma && vma->vm_start < addr + len);
73859 - }
73860 -
73861 - /* Check against address space limits *after* clearing old maps... */
73862 -- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73863 -+ if (!may_expand_vm(mm, charged))
73864 - return -ENOMEM;
73865 -
73866 - if (mm->map_count > sysctl_max_map_count)
73867 - return -ENOMEM;
73868 -
73869 -- if (security_vm_enough_memory(len >> PAGE_SHIFT))
73870 -+ if (security_vm_enough_memory(charged))
73871 - return -ENOMEM;
73872 -
73873 - /* Can we just expand an old private anonymous mapping? */
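Review bot: in do_brk(), `BUG_ON(vma && vma->vm_start < addr + len)` replaces the `goto munmap_back` retry, so an overlap that survives one do_munmap() now halts the kernel instead of being retried. A comment explaining why a single pass is guaranteed to clear the range belongs here. If that guarantee is not absolute, returning -ENOMEM is the safer failure.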
73874 -@@ -2060,7 +2469,7 @@ unsigned long do_brk(unsigned long addr,
73875 - */
73876 - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73877 - if (!vma) {
73878 -- vm_unacct_memory(len >> PAGE_SHIFT);
73879 -+ vm_unacct_memory(charged);
73880 - return -ENOMEM;
73881 - }
73882 -
73883 -@@ -2072,11 +2481,12 @@ unsigned long do_brk(unsigned long addr,
73884 - vma->vm_page_prot = vm_get_page_prot(flags);
73885 - vma_link(mm, vma, prev, rb_link, rb_parent);
73886 - out:
73887 -- mm->total_vm += len >> PAGE_SHIFT;
73888 -+ mm->total_vm += charged;
73889 - if (flags & VM_LOCKED) {
73890 - if (!mlock_vma_pages_range(vma, addr, addr + len))
73891 -- mm->locked_vm += (len >> PAGE_SHIFT);
73892 -+ mm->locked_vm += charged;
73893 - }
73894 -+ track_exec_limit(mm, addr, addr + len, flags);
73895 - return addr;
73896 - }
73897 -
73898 -@@ -2123,8 +2533,10 @@ void exit_mmap(struct mm_struct *mm)
73899 - * Walk the list again, actually closing and freeing it,
73900 - * with preemption enabled, without holding any MM locks.
73901 - */
73902 -- while (vma)
73903 -+ while (vma) {
73904 -+ vma->vm_mirror = NULL;
73905 - vma = remove_vma(vma);
73906 -+ }
73907 -
73908 - BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73909 - }
73910 -@@ -2138,6 +2550,10 @@ int insert_vm_struct(struct mm_struct *
73911 - struct vm_area_struct * __vma, * prev;
73912 - struct rb_node ** rb_link, * rb_parent;
73913 -
73914 -+#ifdef CONFIG_PAX_SEGMEXEC
73915 -+ struct vm_area_struct *vma_m = NULL;
73916 -+#endif
73917 -+
73918 - /*
73919 - * The vm_pgoff of a purely anonymous vma should be irrelevant
73920 - * until its first write fault, when page's anon_vma and index
73921 -@@ -2160,7 +2576,22 @@ int insert_vm_struct(struct mm_struct *
73922 - if ((vma->vm_flags & VM_ACCOUNT) &&
73923 - security_vm_enough_memory_mm(mm, vma_pages(vma)))
73924 - return -ENOMEM;
73925 -+
73926 -+#ifdef CONFIG_PAX_SEGMEXEC
73927 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73928 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73929 -+ if (!vma_m)
73930 -+ return -ENOMEM;
73931 -+ }
73932 -+#endif
73933 -+
73934 - vma_link(mm, vma, prev, rb_link, rb_parent);
73935 -+
73936 -+#ifdef CONFIG_PAX_SEGMEXEC
73937 -+ if (vma_m)
73938 -+ pax_mirror_vma(vma_m, vma);
73939 -+#endif
73940 -+
73941 - return 0;
73942 - }
73943 -
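Review bot: in insert_vm_struct(), the new `return -ENOMEM` after a failed `kmem_cache_zalloc()` for `vma_m` runs after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has already succeeded for a VM_ACCOUNT vma, and nothing on this path gives that charge back. The do_brk() hunk calls `vm_unacct_memory(charged)` in the equivalent situation. Allocate `vma_m` before the accounting check, or unaccount `vma_pages(vma)` for VM_ACCOUNT vmas before returning.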
73944 -@@ -2178,6 +2609,8 @@ struct vm_area_struct *copy_vma(struct v
73945 - struct rb_node **rb_link, *rb_parent;
73946 - struct mempolicy *pol;
73947 -
73948 -+ BUG_ON(vma->vm_mirror);
73949 -+
73950 - /*
73951 - * If anonymous vma has not yet been faulted, update new pgoff
73952 - * to match new location, to increase its chance of merging.
73953 -@@ -2221,6 +2654,35 @@ struct vm_area_struct *copy_vma(struct v
73954 - return new_vma;
73955 - }
73956 -
73957 -+#ifdef CONFIG_PAX_SEGMEXEC
73958 -+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
73959 -+{
73960 -+ struct vm_area_struct *prev_m;
73961 -+ struct rb_node **rb_link_m, *rb_parent_m;
73962 -+ struct mempolicy *pol_m;
73963 -+
73964 -+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
73965 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
73966 -+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
73967 -+ *vma_m = *vma;
73968 -+ pol_m = vma_policy(vma_m);
73969 -+ mpol_get(pol_m);
73970 -+ vma_set_policy(vma_m, pol_m);
73971 -+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
73972 -+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
73973 -+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
73974 -+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
73975 -+ if (vma_m->vm_file)
73976 -+ get_file(vma_m->vm_file);
73977 -+ if (vma_m->vm_ops && vma_m->vm_ops->open)
73978 -+ vma_m->vm_ops->open(vma_m);
73979 -+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
73980 -+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
73981 -+ vma_m->vm_mirror = vma;
73982 -+ vma->vm_mirror = vma_m;
73983 -+}
73984 -+#endif
73985 -+
73986 - /*
73987 - * Return true if the calling process may expand its vm space by the passed
73988 - * number of pages
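Review bot: pax_mirror_vma() discards the return value of `find_vma_prepare()`, so nothing checks that the range from `vma_m->vm_start` to `vma_m->vm_end` is unoccupied before `vma_link()` inserts the mirror. The do_brk() hunk asserts `BUG_ON(vma && vma->vm_start < addr + len)` after the same lookup, and an equivalent check would fit here. The function also needs a header comment saying that `vma_m` must arrive zeroed, which `BUG_ON(vma->vm_mirror || vma_m->vm_mirror)` depends on.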
73989 -@@ -2231,7 +2693,7 @@ int may_expand_vm(struct mm_struct *mm,
73990 - unsigned long lim;
73991 -
73992 - lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
73993 --
73994 -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
73995 - if (cur + npages > lim)
73996 - return 0;
73997 - return 1;
73998 -@@ -2301,6 +2763,22 @@ int install_special_mapping(struct mm_st
73999 - vma->vm_start = addr;
74000 - vma->vm_end = addr + len;
74001 -
74002 -+#ifdef CONFIG_PAX_MPROTECT
74003 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
74004 -+#ifndef CONFIG_PAX_MPROTECT_COMPAT
74005 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
74006 -+ return -EPERM;
74007 -+ if (!(vm_flags & VM_EXEC))
74008 -+ vm_flags &= ~VM_MAYEXEC;
74009 -+#else
74010 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74011 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74012 -+#endif
74013 -+ else
74014 -+ vm_flags &= ~VM_MAYWRITE;
74015 -+ }
74016 -+#endif
74017 -+
74018 - vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
74019 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74020 -
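Review bot: in install_special_mapping(), the `return -EPERM` in the `#ifndef CONFIG_PAX_MPROTECT_COMPAT` branch is reached after `vma->vm_start` and `vma->vm_end` have been assigned, so `vma` already exists at that point. Confirm this exit releases it, or move the write-plus-exec test ahead of the allocation. The `else` after the inner `#endif` also pairs with a different `if` in each preprocessor branch. Bracing both branches completely inside their own `#if` arm would make the two policies readable on their own.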
74021 -diff -urNp linux-2.6.32.46/mm/mprotect.c linux-2.6.32.46/mm/mprotect.c
74022 ---- linux-2.6.32.46/mm/mprotect.c 2011-03-27 14:31:47.000000000 -0400
74023 -+++ linux-2.6.32.46/mm/mprotect.c 2011-04-17 15:56:46.000000000 -0400
74024 -@@ -24,10 +24,16 @@
74025 - #include <linux/mmu_notifier.h>
74026 - #include <linux/migrate.h>
74027 - #include <linux/perf_event.h>
74028 -+
74029 -+#ifdef CONFIG_PAX_MPROTECT
74030 -+#include <linux/elf.h>
74031 -+#endif
74032 -+
74033 - #include <asm/uaccess.h>
74034 - #include <asm/pgtable.h>
74035 - #include <asm/cacheflush.h>
74036 - #include <asm/tlbflush.h>
74037 -+#include <asm/mmu_context.h>
74038 -
74039 - #ifndef pgprot_modify
74040 - static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
74041 -@@ -132,6 +138,48 @@ static void change_protection(struct vm_
74042 - flush_tlb_range(vma, start, end);
74043 - }
74044 -
74045 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74046 -+/* called while holding the mmap semaphor for writing except stack expansion */
74047 -+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
74048 -+{
74049 -+ unsigned long oldlimit, newlimit = 0UL;
74050 -+
74051 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
74052 -+ return;
74053 -+
74054 -+ spin_lock(&mm->page_table_lock);
74055 -+ oldlimit = mm->context.user_cs_limit;
74056 -+ if ((prot & VM_EXEC) && oldlimit < end)
74057 -+ /* USER_CS limit moved up */
74058 -+ newlimit = end;
74059 -+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
74060 -+ /* USER_CS limit moved down */
74061 -+ newlimit = start;
74062 -+
74063 -+ if (newlimit) {
74064 -+ mm->context.user_cs_limit = newlimit;
74065 -+
74066 -+#ifdef CONFIG_SMP
74067 -+ wmb();
74068 -+ cpus_clear(mm->context.cpu_user_cs_mask);
74069 -+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
74070 -+#endif
74071 -+
74072 -+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
74073 -+ }
74074 -+ spin_unlock(&mm->page_table_lock);
74075 -+ if (newlimit == end) {
74076 -+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
74077 -+
74078 -+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
74079 -+ if (is_vm_hugetlb_page(vma))
74080 -+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
74081 -+ else
74082 -+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
74083 -+ }
74084 -+}
74085 -+#endif
74086 -+
74087 - int
74088 - mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
74089 - unsigned long start, unsigned long end, unsigned long newflags)
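Review bot: in track_exec_limit(), `newlimit = 0UL` doubles as the "no change" marker, so the "USER_CS limit moved down" case with `start == 0` is dropped by `if (newlimit)` and `user_cs_limit` keeps its old value. Use a separate flag for "limit changed". The header comment should also say what a `prot` of `0UL` means to callers, and "semaphor" should read "semaphore".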
74090 -@@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
74091 - int error;
74092 - int dirty_accountable = 0;
74093 -
74094 -+#ifdef CONFIG_PAX_SEGMEXEC
74095 -+ struct vm_area_struct *vma_m = NULL;
74096 -+ unsigned long start_m, end_m;
74097 -+
74098 -+ start_m = start + SEGMEXEC_TASK_SIZE;
74099 -+ end_m = end + SEGMEXEC_TASK_SIZE;
74100 -+#endif
74101 -+
74102 - if (newflags == oldflags) {
74103 - *pprev = vma;
74104 - return 0;
74105 - }
74106 -
74107 -+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
74108 -+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
74109 -+
74110 -+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
74111 -+ return -ENOMEM;
74112 -+
74113 -+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
74114 -+ return -ENOMEM;
74115 -+ }
74116 -+
74117 - /*
74118 - * If we make a private mapping writable we increase our commit;
74119 - * but (without finer accounting) cannot reduce our commit if we
74120 -@@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
74121 - }
74122 - }
74123 -
74124 -+#ifdef CONFIG_PAX_SEGMEXEC
74125 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
74126 -+ if (start != vma->vm_start) {
74127 -+ error = split_vma(mm, vma, start, 1);
74128 -+ if (error)
74129 -+ goto fail;
74130 -+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
74131 -+ *pprev = (*pprev)->vm_next;
74132 -+ }
74133 -+
74134 -+ if (end != vma->vm_end) {
74135 -+ error = split_vma(mm, vma, end, 0);
74136 -+ if (error)
74137 -+ goto fail;
74138 -+ }
74139 -+
74140 -+ if (pax_find_mirror_vma(vma)) {
74141 -+ error = __do_munmap(mm, start_m, end_m - start_m);
74142 -+ if (error)
74143 -+ goto fail;
74144 -+ } else {
74145 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74146 -+ if (!vma_m) {
74147 -+ error = -ENOMEM;
74148 -+ goto fail;
74149 -+ }
74150 -+ vma->vm_flags = newflags;
74151 -+ pax_mirror_vma(vma_m, vma);
74152 -+ }
74153 -+ }
74154 -+#endif
74155 -+
74156 - /*
74157 - * First try to merge with previous and/or next vma.
74158 - */
74159 -@@ -195,9 +293,21 @@ success:
74160 - * vm_flags and vm_page_prot are protected by the mmap_sem
74161 - * held in write mode.
74162 - */
74163 -+
74164 -+#ifdef CONFIG_PAX_SEGMEXEC
74165 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
74166 -+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
74167 -+#endif
74168 -+
74169 - vma->vm_flags = newflags;
74170 -+
74171 -+#ifdef CONFIG_PAX_MPROTECT
74172 -+ if (mm->binfmt && mm->binfmt->handle_mprotect)
74173 -+ mm->binfmt->handle_mprotect(vma, newflags);
74174 -+#endif
74175 -+
74176 - vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
74177 -- vm_get_page_prot(newflags));
74178 -+ vm_get_page_prot(vma->vm_flags));
74179 -
74180 - if (vma_wants_writenotify(vma)) {
74181 - vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
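Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked, yet pax_find_mirror_vma() returns NULL when `vma->vm_flags` lacks VM_EXEC. The guard here tests `newflags & VM_EXEC`, and `vma->vm_flags = newflags` is only assigned on the next statement. If an earlier step guarantees the mirror exists whenever this condition holds, state that in a comment. Otherwise test the pointer before use.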
74182 -@@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74183 - end = start + len;
74184 - if (end <= start)
74185 - return -ENOMEM;
74186 -+
74187 -+#ifdef CONFIG_PAX_SEGMEXEC
74188 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74189 -+ if (end > SEGMEXEC_TASK_SIZE)
74190 -+ return -EINVAL;
74191 -+ } else
74192 -+#endif
74193 -+
74194 -+ if (end > TASK_SIZE)
74195 -+ return -EINVAL;
74196 -+
74197 - if (!arch_validate_prot(prot))
74198 - return -EINVAL;
74199 -
74200 -@@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74201 - /*
74202 - * Does the application expect PROT_READ to imply PROT_EXEC:
74203 - */
74204 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74205 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74206 - prot |= PROT_EXEC;
74207 -
74208 - vm_flags = calc_vm_prot_bits(prot);
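Review bot: the condition now adds PROT_EXEC for PROT_WRITE-only requests when READ_IMPLIES_EXEC is set, but the comment above it still reads "Does the application expect PROT_READ to imply PROT_EXEC". Update the comment to match `prot & (PROT_READ | PROT_WRITE)` and say why a write-only request is treated the same way.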
74209 -@@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74210 - if (start > vma->vm_start)
74211 - prev = vma;
74212 -
74213 -+#ifdef CONFIG_PAX_MPROTECT
74214 -+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
74215 -+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
74216 -+#endif
74217 -+
74218 - for (nstart = start ; ; ) {
74219 - unsigned long newflags;
74220 -
74221 -@@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74222 -
74223 - /* newflags >> 4 shift VM_MAY% in place of VM_% */
74224 - if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74225 -+ if (prot & (PROT_WRITE | PROT_EXEC))
74226 -+ gr_log_rwxmprotect(vma->vm_file);
74227 -+
74228 -+ error = -EACCES;
74229 -+ goto out;
74230 -+ }
74231 -+
74232 -+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74233 - error = -EACCES;
74234 - goto out;
74235 - }
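Review bot: `if (prot & (PROT_WRITE | PROT_EXEC))` is true when either bit is requested, so gr_log_rwxmprotect() fires for every denied request that asks for write alone or exec alone, not only for write plus exec. If the log is meant to record W+X attempts, compare against the full mask with `== (PROT_WRITE | PROT_EXEC)`. If the broader logging is intended, a comment should say so, since the function name suggests otherwise.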
74236 -@@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74237 - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74238 - if (error)
74239 - goto out;
74240 -+
74241 -+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
74242 -+
74243 - nstart = tmp;
74244 -
74245 - if (nstart < prev->vm_end)
74246 -diff -urNp linux-2.6.32.46/mm/mremap.c linux-2.6.32.46/mm/mremap.c
74247 ---- linux-2.6.32.46/mm/mremap.c 2011-04-17 17:00:52.000000000 -0400
74248 -+++ linux-2.6.32.46/mm/mremap.c 2011-04-17 17:03:58.000000000 -0400
74249 -@@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
74250 - continue;
74251 - pte = ptep_clear_flush(vma, old_addr, old_pte);
74252 - pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74253 -+
74254 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74255 -+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74256 -+ pte = pte_exprotect(pte);
74257 -+#endif
74258 -+
74259 - set_pte_at(mm, new_addr, new_pte, pte);
74260 - }
74261 -
74262 -@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
74263 - if (is_vm_hugetlb_page(vma))
74264 - goto Einval;
74265 -
74266 -+#ifdef CONFIG_PAX_SEGMEXEC
74267 -+ if (pax_find_mirror_vma(vma))
74268 -+ goto Einval;
74269 -+#endif
74270 -+
74271 - /* We can't remap across vm area boundaries */
74272 - if (old_len > vma->vm_end - addr)
74273 - goto Efault;
74274 -@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
74275 - unsigned long ret = -EINVAL;
74276 - unsigned long charged = 0;
74277 - unsigned long map_flags;
74278 -+ unsigned long pax_task_size = TASK_SIZE;
74279 -
74280 - if (new_addr & ~PAGE_MASK)
74281 - goto out;
74282 -
74283 -- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74284 -+#ifdef CONFIG_PAX_SEGMEXEC
74285 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
74286 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
74287 -+#endif
74288 -+
74289 -+ pax_task_size -= PAGE_SIZE;
74290 -+
74291 -+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74292 - goto out;
74293 -
74294 - /* Check if the location we're moving into overlaps the
74295 - * old location at all, and fail if it does.
74296 - */
74297 -- if ((new_addr <= addr) && (new_addr+new_len) > addr)
74298 -- goto out;
74299 --
74300 -- if ((addr <= new_addr) && (addr+old_len) > new_addr)
74301 -+ if (addr + old_len > new_addr && new_addr + new_len > addr)
74302 - goto out;
74303 -
74304 - ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
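Review bot: in mremap_to(), the length is still bounded by `new_len > TASK_SIZE` while the address is bounded by `new_addr > pax_task_size - new_len`. With SEGMEXEC, `pax_task_size` is smaller than TASK_SIZE, so a `new_len` between the two passes the first test and makes `pax_task_size - new_len` wrap. The do_mremap() hunk uses `new_len > pax_task_size` for the same purpose. Use `pax_task_size` on both sides here so the function is safe without relying on its caller.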
74305 -@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
74306 - struct vm_area_struct *vma;
74307 - unsigned long ret = -EINVAL;
74308 - unsigned long charged = 0;
74309 -+ unsigned long pax_task_size = TASK_SIZE;
74310 -
74311 - if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74312 - goto out;
74313 -@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
74314 - if (!new_len)
74315 - goto out;
74316 -
74317 -+#ifdef CONFIG_PAX_SEGMEXEC
74318 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
74319 -+ pax_task_size = SEGMEXEC_TASK_SIZE;
74320 -+#endif
74321 -+
74322 -+ pax_task_size -= PAGE_SIZE;
74323 -+
74324 -+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74325 -+ old_len > pax_task_size || addr > pax_task_size-old_len)
74326 -+ goto out;
74327 -+
74328 - if (flags & MREMAP_FIXED) {
74329 - if (flags & MREMAP_MAYMOVE)
74330 - ret = mremap_to(addr, old_len, new_addr, new_len);
74331 -@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
74332 - addr + new_len);
74333 - }
74334 - ret = addr;
74335 -+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74336 - goto out;
74337 - }
74338 - }
74339 -@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
74340 - ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74341 - if (ret)
74342 - goto out;
74343 -+
74344 -+ map_flags = vma->vm_flags;
74345 - ret = move_vma(vma, addr, old_len, new_len, new_addr);
74346 -+ if (!(ret & ~PAGE_MASK)) {
74347 -+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74348 -+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74349 -+ }
74350 - }
74351 - out:
74352 - if (ret & ~PAGE_MASK)
74353 -diff -urNp linux-2.6.32.46/mm/nommu.c linux-2.6.32.46/mm/nommu.c
74354 ---- linux-2.6.32.46/mm/nommu.c 2011-03-27 14:31:47.000000000 -0400
74355 -+++ linux-2.6.32.46/mm/nommu.c 2011-04-17 15:56:46.000000000 -0400
74356 -@@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74357 - int sysctl_overcommit_ratio = 50; /* default is 50% */
74358 - int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74359 - int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74360 --int heap_stack_gap = 0;
74361 -
74362 - atomic_long_t mmap_pages_allocated;
74363 -
74364 -@@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
74365 - EXPORT_SYMBOL(find_vma);
74366 -
74367 - /*
74368 -- * find a VMA
74369 -- * - we don't extend stack VMAs under NOMMU conditions
74370 -- */
74371 --struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74372 --{
74373 -- return find_vma(mm, addr);
74374 --}
74375 --
74376 --/*
74377 - * expand a stack to a given address
74378 - * - not supported under NOMMU conditions
74379 - */
74380 -diff -urNp linux-2.6.32.46/mm/page_alloc.c linux-2.6.32.46/mm/page_alloc.c
74381 ---- linux-2.6.32.46/mm/page_alloc.c 2011-06-25 12:55:35.000000000 -0400
74382 -+++ linux-2.6.32.46/mm/page_alloc.c 2011-07-09 09:13:08.000000000 -0400
74383 -@@ -289,7 +289,7 @@ out:
74384 - * This usage means that zero-order pages may not be compound.
74385 - */
74386 -
74387 --static void free_compound_page(struct page *page)
74388 -+void free_compound_page(struct page *page)
74389 - {
74390 - __free_pages_ok(page, compound_order(page));
74391 - }
74392 -@@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
74393 - int bad = 0;
74394 - int wasMlocked = __TestClearPageMlocked(page);
74395 -
74396 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
74397 -+ unsigned long index = 1UL << order;
74398 -+#endif
74399 -+
74400 - kmemcheck_free_shadow(page, order);
74401 -
74402 - for (i = 0 ; i < (1 << order) ; ++i)
74403 -@@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
74404 - debug_check_no_obj_freed(page_address(page),
74405 - PAGE_SIZE << order);
74406 - }
74407 -+
74408 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
74409 -+ for (; index; --index)
74410 -+ sanitize_highpage(page + index - 1);
74411 -+#endif
74412 -+
74413 - arch_free_page(page, order);
74414 - kernel_map_pages(page, 1 << order, 0);
74415 -
74416 -@@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
74417 - arch_alloc_page(page, order);
74418 - kernel_map_pages(page, 1 << order, 1);
74419 -
74420 -+#ifndef CONFIG_PAX_MEMORY_SANITIZE
74421 - if (gfp_flags & __GFP_ZERO)
74422 - prep_zero_page(page, order, gfp_flags);
74423 -+#endif
74424 -
74425 - if (order && (gfp_flags & __GFP_COMP))
74426 - prep_compound_page(page, order);
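Review bot: compiling out the __GFP_ZERO path in prep_new_page() under CONFIG_PAX_MEMORY_SANITIZE is only correct if every page that reaches the allocator was already cleared when it was freed, and the visible hunks add sanitize_highpage() to __free_pages_ok() and free_hot_cold_page() only. Add a comment at this #ifndef stating that invariant and naming the free paths that uphold it, so that a free path added later cannot silently hand stale data to a __GFP_ZERO caller.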
74427 -@@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
74428 - debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
74429 - debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
74430 - }
74431 -+
74432 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
74433 -+ sanitize_highpage(page);
74434 -+#endif
74435 -+
74436 - arch_free_page(page, 0);
74437 - kernel_map_pages(page, 1, 0);
74438 -
74439 -@@ -2179,6 +2196,8 @@ void show_free_areas(void)
74440 - int cpu;
74441 - struct zone *zone;
74442 -
74443 -+ pax_track_stack();
74444 -+
74445 - for_each_populated_zone(zone) {
74446 - show_node(zone);
74447 - printk("%s per-cpu:\n", zone->name);
74448 -@@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
74449 - zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
74450 - }
74451 - #else
74452 --static void inline setup_usemap(struct pglist_data *pgdat,
74453 -+static inline void setup_usemap(struct pglist_data *pgdat,
74454 - struct zone *zone, unsigned long zonesize) {}
74455 - #endif /* CONFIG_SPARSEMEM */
74456 -
74457 -diff -urNp linux-2.6.32.46/mm/percpu.c linux-2.6.32.46/mm/percpu.c
74458 ---- linux-2.6.32.46/mm/percpu.c 2011-03-27 14:31:47.000000000 -0400
74459 -+++ linux-2.6.32.46/mm/percpu.c 2011-04-17 15:56:46.000000000 -0400
74460 -@@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
74461 - static unsigned int pcpu_last_unit_cpu __read_mostly;
74462 -
74463 - /* the address of the first chunk which starts with the kernel static area */
74464 --void *pcpu_base_addr __read_mostly;
74465 -+void *pcpu_base_addr __read_only;
74466 - EXPORT_SYMBOL_GPL(pcpu_base_addr);
74467 -
74468 - static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74469 -diff -urNp linux-2.6.32.46/mm/rmap.c linux-2.6.32.46/mm/rmap.c
74470 ---- linux-2.6.32.46/mm/rmap.c 2011-03-27 14:31:47.000000000 -0400
74471 -+++ linux-2.6.32.46/mm/rmap.c 2011-04-17 15:56:46.000000000 -0400
74472 -@@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
74473 - /* page_table_lock to protect against threads */
74474 - spin_lock(&mm->page_table_lock);
74475 - if (likely(!vma->anon_vma)) {
74476 -+
74477 -+#ifdef CONFIG_PAX_SEGMEXEC
74478 -+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74479 -+
74480 -+ if (vma_m) {
74481 -+ BUG_ON(vma_m->anon_vma);
74482 -+ vma_m->anon_vma = anon_vma;
74483 -+ list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
74484 -+ }
74485 -+#endif
74486 -+
74487 - vma->anon_vma = anon_vma;
74488 - list_add_tail(&vma->anon_vma_node, &anon_vma->head);
74489 - allocated = NULL;
74490 -diff -urNp linux-2.6.32.46/mm/shmem.c linux-2.6.32.46/mm/shmem.c
74491 ---- linux-2.6.32.46/mm/shmem.c 2011-03-27 14:31:47.000000000 -0400
74492 -+++ linux-2.6.32.46/mm/shmem.c 2011-05-18 20:09:37.000000000 -0400
74493 -@@ -31,7 +31,7 @@
74494 - #include <linux/swap.h>
74495 - #include <linux/ima.h>
74496 -
74497 --static struct vfsmount *shm_mnt;
74498 -+struct vfsmount *shm_mnt;
74499 -
74500 - #ifdef CONFIG_SHMEM
74501 - /*
74502 -@@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
74503 - goto unlock;
74504 - }
74505 - entry = shmem_swp_entry(info, index, NULL);
74506 -+ if (!entry)
74507 -+ goto unlock;
74508 - if (entry->val) {
74509 - /*
74510 - * The more uptodate page coming down from a stacked
74511 -@@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
74512 - struct vm_area_struct pvma;
74513 - struct page *page;
74514 -
74515 -+ pax_track_stack();
74516 -+
74517 - spol = mpol_cond_copy(&mpol,
74518 - mpol_shared_policy_lookup(&info->policy, idx));
74519 -
74520 -@@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
74521 -
74522 - info = SHMEM_I(inode);
74523 - inode->i_size = len-1;
74524 -- if (len <= (char *)inode - (char *)info) {
74525 -+ if (len <= (char *)inode - (char *)info && len <= 64) {
74526 - /* do it inline */
74527 - memcpy(info, symname, len);
74528 - inode->i_op = &shmem_symlink_inline_operations;
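Review bot: the added "&& len <= 64" bound in shmem_symlink() is a bare magic number with no comment saying which field or buffer the 64 refers to. Replace it with a named constant (or a sizeof of the destination the inline memcpy() is meant to stay inside) and note why the existing "(char *)inode - (char *)info" limit is not sufficient on its own.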
74529 -@@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
74530 - int err = -ENOMEM;
74531 -
74532 - /* Round up to L1_CACHE_BYTES to resist false sharing */
74533 -- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74534 -- L1_CACHE_BYTES), GFP_KERNEL);
74535 -+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74536 - if (!sbinfo)
74537 - return -ENOMEM;
74538 -
74539 -diff -urNp linux-2.6.32.46/mm/slab.c linux-2.6.32.46/mm/slab.c
74540 ---- linux-2.6.32.46/mm/slab.c 2011-03-27 14:31:47.000000000 -0400
74541 -+++ linux-2.6.32.46/mm/slab.c 2011-05-04 17:56:20.000000000 -0400
74542 -@@ -174,7 +174,7 @@
74543 -
74544 - /* Legal flag mask for kmem_cache_create(). */
74545 - #if DEBUG
74546 --# define CREATE_MASK (SLAB_RED_ZONE | \
74547 -+# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74548 - SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74549 - SLAB_CACHE_DMA | \
74550 - SLAB_STORE_USER | \
74551 -@@ -182,7 +182,7 @@
74552 - SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74553 - SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74554 - #else
74555 --# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74556 -+# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74557 - SLAB_CACHE_DMA | \
74558 - SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74559 - SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74560 -@@ -308,7 +308,7 @@ struct kmem_list3 {
74561 - * Need this for bootstrapping a per node allocator.
74562 - */
74563 - #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74564 --struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74565 -+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74566 - #define CACHE_CACHE 0
74567 - #define SIZE_AC MAX_NUMNODES
74568 - #define SIZE_L3 (2 * MAX_NUMNODES)
74569 -@@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
74570 - if ((x)->max_freeable < i) \
74571 - (x)->max_freeable = i; \
74572 - } while (0)
74573 --#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74574 --#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74575 --#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74576 --#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74577 -+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74578 -+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74579 -+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74580 -+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74581 - #else
74582 - #define STATS_INC_ACTIVE(x) do { } while (0)
74583 - #define STATS_DEC_ACTIVE(x) do { } while (0)
74584 -@@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
74585 - * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74586 - */
74587 - static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74588 -- const struct slab *slab, void *obj)
74589 -+ const struct slab *slab, const void *obj)
74590 - {
74591 - u32 offset = (obj - slab->s_mem);
74592 - return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74593 -@@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
74594 - sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74595 - sizes[INDEX_AC].cs_size,
74596 - ARCH_KMALLOC_MINALIGN,
74597 -- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74598 -+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74599 - NULL);
74600 -
74601 - if (INDEX_AC != INDEX_L3) {
74602 -@@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
74603 - kmem_cache_create(names[INDEX_L3].name,
74604 - sizes[INDEX_L3].cs_size,
74605 - ARCH_KMALLOC_MINALIGN,
74606 -- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74607 -+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74608 - NULL);
74609 - }
74610 -
74611 -@@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
74612 - sizes->cs_cachep = kmem_cache_create(names->name,
74613 - sizes->cs_size,
74614 - ARCH_KMALLOC_MINALIGN,
74615 -- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74616 -+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74617 - NULL);
74618 - }
74619 - #ifdef CONFIG_ZONE_DMA
74620 -@@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
74621 - }
74622 - /* cpu stats */
74623 - {
74624 -- unsigned long allochit = atomic_read(&cachep->allochit);
74625 -- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
74626 -- unsigned long freehit = atomic_read(&cachep->freehit);
74627 -- unsigned long freemiss = atomic_read(&cachep->freemiss);
74628 -+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
74629 -+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
74630 -+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
74631 -+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
74632 -
74633 - seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
74634 - allochit, allocmiss, freehit, freemiss);
74635 -@@ -4471,15 +4471,66 @@ static const struct file_operations proc
74636 -
74637 - static int __init slab_proc_init(void)
74638 - {
74639 -- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
74640 -+ mode_t gr_mode = S_IRUGO;
74641 -+
74642 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
74643 -+ gr_mode = S_IRUSR;
74644 -+#endif
74645 -+
74646 -+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
74647 - #ifdef CONFIG_DEBUG_SLAB_LEAK
74648 -- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
74649 -+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
74650 - #endif
74651 - return 0;
74652 - }
74653 - module_init(slab_proc_init);
74654 - #endif
74655 -
74656 -+void check_object_size(const void *ptr, unsigned long n, bool to)
74657 -+{
74658 -+
74659 -+#ifdef CONFIG_PAX_USERCOPY
74660 -+ struct page *page;
74661 -+ struct kmem_cache *cachep = NULL;
74662 -+ struct slab *slabp;
74663 -+ unsigned int objnr;
74664 -+ unsigned long offset;
74665 -+
74666 -+ if (!n)
74667 -+ return;
74668 -+
74669 -+ if (ZERO_OR_NULL_PTR(ptr))
74670 -+ goto report;
74671 -+
74672 -+ if (!virt_addr_valid(ptr))
74673 -+ return;
74674 -+
74675 -+ page = virt_to_head_page(ptr);
74676 -+
74677 -+ if (!PageSlab(page)) {
74678 -+ if (object_is_on_stack(ptr, n) == -1)
74679 -+ goto report;
74680 -+ return;
74681 -+ }
74682 -+
74683 -+ cachep = page_get_cache(page);
74684 -+ if (!(cachep->flags & SLAB_USERCOPY))
74685 -+ goto report;
74686 -+
74687 -+ slabp = page_get_slab(page);
74688 -+ objnr = obj_to_index(cachep, slabp, ptr);
74689 -+ BUG_ON(objnr >= cachep->num);
74690 -+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
74691 -+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
74692 -+ return;
74693 -+
74694 -+report:
74695 -+ pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
74696 -+#endif
74697 -+
74698 -+}
74699 -+EXPORT_SYMBOL(check_object_size);
74700 -+
74701 - /**
74702 - * ksize - get the actual amount of memory allocated for a given object
74703 - * @objp: Pointer to the object
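Review bot: check_object_size() is exported here without a kernel-doc comment, and two of its behaviours need one: the !virt_addr_valid(ptr) case returns as though the copy were in bounds, and the meaning of the bool "to" argument can only be guessed from the pax_report_usercopy() call. Document n, to and the silent-return cases, and consider routing the BUG_ON(objnr >= cachep->num) failure through the report: label like the other rejections so that all bad copies are reported the same way.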
74704 -diff -urNp linux-2.6.32.46/mm/slob.c linux-2.6.32.46/mm/slob.c
74705 ---- linux-2.6.32.46/mm/slob.c 2011-03-27 14:31:47.000000000 -0400
74706 -+++ linux-2.6.32.46/mm/slob.c 2011-07-06 19:53:33.000000000 -0400
74707 -@@ -29,7 +29,7 @@
74708 - * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
74709 - * alloc_pages() directly, allocating compound pages so the page order
74710 - * does not have to be separately tracked, and also stores the exact
74711 -- * allocation size in page->private so that it can be used to accurately
74712 -+ * allocation size in slob_page->size so that it can be used to accurately
74713 - * provide ksize(). These objects are detected in kfree() because slob_page()
74714 - * is false for them.
74715 - *
74716 -@@ -58,6 +58,7 @@
74717 - */
74718 -
74719 - #include <linux/kernel.h>
74720 -+#include <linux/sched.h>
74721 - #include <linux/slab.h>
74722 - #include <linux/mm.h>
74723 - #include <linux/swap.h> /* struct reclaim_state */
74724 -@@ -100,7 +101,8 @@ struct slob_page {
74725 - unsigned long flags; /* mandatory */
74726 - atomic_t _count; /* mandatory */
74727 - slobidx_t units; /* free units left in page */
74728 -- unsigned long pad[2];
74729 -+ unsigned long pad[1];
74730 -+ unsigned long size; /* size when >=PAGE_SIZE */
74731 - slob_t *free; /* first free slob_t in page */
74732 - struct list_head list; /* linked list of free pages */
74733 - };
74734 -@@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
74735 - */
74736 - static inline int is_slob_page(struct slob_page *sp)
74737 - {
74738 -- return PageSlab((struct page *)sp);
74739 -+ return PageSlab((struct page *)sp) && !sp->size;
74740 - }
74741 -
74742 - static inline void set_slob_page(struct slob_page *sp)
74743 -@@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
74744 -
74745 - static inline struct slob_page *slob_page(const void *addr)
74746 - {
74747 -- return (struct slob_page *)virt_to_page(addr);
74748 -+ return (struct slob_page *)virt_to_head_page(addr);
74749 - }
74750 -
74751 - /*
74752 -@@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
74753 - /*
74754 - * Return the size of a slob block.
74755 - */
74756 --static slobidx_t slob_units(slob_t *s)
74757 -+static slobidx_t slob_units(const slob_t *s)
74758 - {
74759 - if (s->units > 0)
74760 - return s->units;
74761 -@@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
74762 - /*
74763 - * Return the next free slob block pointer after this one.
74764 - */
74765 --static slob_t *slob_next(slob_t *s)
74766 -+static slob_t *slob_next(const slob_t *s)
74767 - {
74768 - slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
74769 - slobidx_t next;
74770 -@@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
74771 - /*
74772 - * Returns true if s is the last free block in its page.
74773 - */
74774 --static int slob_last(slob_t *s)
74775 -+static int slob_last(const slob_t *s)
74776 - {
74777 - return !((unsigned long)slob_next(s) & ~PAGE_MASK);
74778 - }
74779 -@@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
74780 - if (!page)
74781 - return NULL;
74782 -
74783 -+ set_slob_page(page);
74784 - return page_address(page);
74785 - }
74786 -
74787 -@@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
74788 - if (!b)
74789 - return NULL;
74790 - sp = slob_page(b);
74791 -- set_slob_page(sp);
74792 -
74793 - spin_lock_irqsave(&slob_lock, flags);
74794 - sp->units = SLOB_UNITS(PAGE_SIZE);
74795 - sp->free = b;
74796 -+ sp->size = 0;
74797 - INIT_LIST_HEAD(&sp->list);
74798 - set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
74799 - set_slob_page_free(sp, slob_list);
74800 -@@ -475,10 +478,9 @@ out:
74801 - #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
74802 - #endif
74803 -
74804 --void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74805 -+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
74806 - {
74807 -- unsigned int *m;
74808 -- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74809 -+ slob_t *m;
74810 - void *ret;
74811 -
74812 - lockdep_trace_alloc(gfp);
74813 -@@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
74814 -
74815 - if (!m)
74816 - return NULL;
74817 -- *m = size;
74818 -+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
74819 -+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
74820 -+ m[0].units = size;
74821 -+ m[1].units = align;
74822 - ret = (void *)m + align;
74823 -
74824 - trace_kmalloc_node(_RET_IP_, ret,
74825 -@@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
74826 -
74827 - ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
74828 - if (ret) {
74829 -- struct page *page;
74830 -- page = virt_to_page(ret);
74831 -- page->private = size;
74832 -+ struct slob_page *sp;
74833 -+ sp = slob_page(ret);
74834 -+ sp->size = size;
74835 - }
74836 -
74837 - trace_kmalloc_node(_RET_IP_, ret,
74838 - size, PAGE_SIZE << order, gfp, node);
74839 - }
74840 -
74841 -- kmemleak_alloc(ret, size, 1, gfp);
74842 -+ return ret;
74843 -+}
74844 -+
74845 -+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74846 -+{
74847 -+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74848 -+ void *ret = __kmalloc_node_align(size, gfp, node, align);
74849 -+
74850 -+ if (!ZERO_OR_NULL_PTR(ret))
74851 -+ kmemleak_alloc(ret, size, 1, gfp);
74852 - return ret;
74853 - }
74854 - EXPORT_SYMBOL(__kmalloc_node);
74855 -@@ -528,13 +542,88 @@ void kfree(const void *block)
74856 - sp = slob_page(block);
74857 - if (is_slob_page(sp)) {
74858 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74859 -- unsigned int *m = (unsigned int *)(block - align);
74860 -- slob_free(m, *m + align);
74861 -- } else
74862 -+ slob_t *m = (slob_t *)(block - align);
74863 -+ slob_free(m, m[0].units + align);
74864 -+ } else {
74865 -+ clear_slob_page(sp);
74866 -+ free_slob_page(sp);
74867 -+ sp->size = 0;
74868 - put_page(&sp->page);
74869 -+ }
74870 - }
74871 - EXPORT_SYMBOL(kfree);
74872 -
74873 -+void check_object_size(const void *ptr, unsigned long n, bool to)
74874 -+{
74875 -+
74876 -+#ifdef CONFIG_PAX_USERCOPY
74877 -+ struct slob_page *sp;
74878 -+ const slob_t *free;
74879 -+ const void *base;
74880 -+ unsigned long flags;
74881 -+
74882 -+ if (!n)
74883 -+ return;
74884 -+
74885 -+ if (ZERO_OR_NULL_PTR(ptr))
74886 -+ goto report;
74887 -+
74888 -+ if (!virt_addr_valid(ptr))
74889 -+ return;
74890 -+
74891 -+ sp = slob_page(ptr);
74892 -+ if (!PageSlab((struct page*)sp)) {
74893 -+ if (object_is_on_stack(ptr, n) == -1)
74894 -+ goto report;
74895 -+ return;
74896 -+ }
74897 -+
74898 -+ if (sp->size) {
74899 -+ base = page_address(&sp->page);
74900 -+ if (base <= ptr && n <= sp->size - (ptr - base))
74901 -+ return;
74902 -+ goto report;
74903 -+ }
74904 -+
74905 -+ /* some tricky double walking to find the chunk */
74906 -+ spin_lock_irqsave(&slob_lock, flags);
74907 -+ base = (void *)((unsigned long)ptr & PAGE_MASK);
74908 -+ free = sp->free;
74909 -+
74910 -+ while (!slob_last(free) && (void *)free <= ptr) {
74911 -+ base = free + slob_units(free);
74912 -+ free = slob_next(free);
74913 -+ }
74914 -+
74915 -+ while (base < (void *)free) {
74916 -+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
74917 -+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
74918 -+ int offset;
74919 -+
74920 -+ if (ptr < base + align)
74921 -+ break;
74922 -+
74923 -+ offset = ptr - base - align;
74924 -+ if (offset >= m) {
74925 -+ base += size;
74926 -+ continue;
74927 -+ }
74928 -+
74929 -+ if (n > m - offset)
74930 -+ break;
74931 -+
74932 -+ spin_unlock_irqrestore(&slob_lock, flags);
74933 -+ return;
74934 -+ }
74935 -+
74936 -+ spin_unlock_irqrestore(&slob_lock, flags);
74937 -+report:
74938 -+ pax_report_usercopy(ptr, n, to, NULL);
74939 -+#endif
74940 -+
74941 -+}
74942 -+EXPORT_SYMBOL(check_object_size);
74943 -+
74944 - /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
74945 - size_t ksize(const void *block)
74946 - {
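Review bot: in the SLOB check_object_size(), the comment "some tricky double walking to find the chunk" does not state the invariant the second loop depends on: every allocated chunk between two free blocks must start with the two-slob_t header (m[0].units = size, m[1].units = align) that __kmalloc_node_align() writes. Spell that out, because a chunk obtained from slob_alloc() directly has no such header and would be misparsed, which is presumably why the later hunks reroute kmem_cache_create() and kmem_cache_alloc_node() under CONFIG_PAX_USERCOPY. Separately, size and offset are int while m and align are slobidx_t and n is unsigned long, so "n > m - offset" mixes signedness; unsigned types throughout would make the bounds check easier to audit.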
74947 -@@ -547,10 +636,10 @@ size_t ksize(const void *block)
74948 - sp = slob_page(block);
74949 - if (is_slob_page(sp)) {
74950 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74951 -- unsigned int *m = (unsigned int *)(block - align);
74952 -- return SLOB_UNITS(*m) * SLOB_UNIT;
74953 -+ slob_t *m = (slob_t *)(block - align);
74954 -+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
74955 - } else
74956 -- return sp->page.private;
74957 -+ return sp->size;
74958 - }
74959 - EXPORT_SYMBOL(ksize);
74960 -
74961 -@@ -566,8 +655,13 @@ struct kmem_cache *kmem_cache_create(con
74962 - {
74963 - struct kmem_cache *c;
74964 -
74965 -+#ifdef CONFIG_PAX_USERCOPY
74966 -+ c = __kmalloc_node_align(sizeof(struct kmem_cache),
74967 -+ GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
74968 -+#else
74969 - c = slob_alloc(sizeof(struct kmem_cache),
74970 - GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
74971 -+#endif
74972 -
74973 - if (c) {
74974 - c->name = name;
74975 -@@ -605,17 +699,25 @@ void *kmem_cache_alloc_node(struct kmem_
74976 - {
74977 - void *b;
74978 -
74979 -+#ifdef CONFIG_PAX_USERCOPY
74980 -+ b = __kmalloc_node_align(c->size, flags, node, c->align);
74981 -+#else
74982 - if (c->size < PAGE_SIZE) {
74983 - b = slob_alloc(c->size, flags, c->align, node);
74984 - trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74985 - SLOB_UNITS(c->size) * SLOB_UNIT,
74986 - flags, node);
74987 - } else {
74988 -+ struct slob_page *sp;
74989 -+
74990 - b = slob_new_pages(flags, get_order(c->size), node);
74991 -+ sp = slob_page(b);
74992 -+ sp->size = c->size;
74993 - trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74994 - PAGE_SIZE << get_order(c->size),
74995 - flags, node);
74996 - }
74997 -+#endif
74998 -
74999 - if (c->ctor)
75000 - c->ctor(b);
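Review bot: in the #else branch for c->size >= PAGE_SIZE, "sp = slob_page(b); sp->size = c->size;" runs without checking b, yet slob_new_pages() returns NULL on allocation failure (its "if (!page) return NULL;" is visible in an earlier hunk). The large-object path in __kmalloc_node_align() guards the same store with "if (ret)"; apply the same guard here. Note also that under CONFIG_PAX_USERCOPY this function no longer emits trace_kmem_cache_alloc_node() at all, since __kmalloc_node_align() traces as trace_kmalloc_node() instead; that change in tracepoints deserves a comment.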
75001 -@@ -627,10 +729,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
75002 -
75003 - static void __kmem_cache_free(void *b, int size)
75004 - {
75005 -- if (size < PAGE_SIZE)
75006 -+ struct slob_page *sp = slob_page(b);
75007 -+
75008 -+ if (is_slob_page(sp))
75009 - slob_free(b, size);
75010 -- else
75011 -+ else {
75012 -+ clear_slob_page(sp);
75013 -+ free_slob_page(sp);
75014 -+ sp->size = 0;
75015 - slob_free_pages(b, get_order(size));
75016 -+ }
75017 - }
75018 -
75019 - static void kmem_rcu_free(struct rcu_head *head)
75020 -@@ -643,18 +751,32 @@ static void kmem_rcu_free(struct rcu_hea
75021 -
75022 - void kmem_cache_free(struct kmem_cache *c, void *b)
75023 - {
75024 -+ int size = c->size;
75025 -+
75026 -+#ifdef CONFIG_PAX_USERCOPY
75027 -+ if (size + c->align < PAGE_SIZE) {
75028 -+ size += c->align;
75029 -+ b -= c->align;
75030 -+ }
75031 -+#endif
75032 -+
75033 - kmemleak_free_recursive(b, c->flags);
75034 - if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
75035 - struct slob_rcu *slob_rcu;
75036 -- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
75037 -+ slob_rcu = b + (size - sizeof(struct slob_rcu));
75038 - INIT_RCU_HEAD(&slob_rcu->head);
75039 -- slob_rcu->size = c->size;
75040 -+ slob_rcu->size = size;
75041 - call_rcu(&slob_rcu->head, kmem_rcu_free);
75042 - } else {
75043 -- __kmem_cache_free(b, c->size);
75044 -+ __kmem_cache_free(b, size);
75045 - }
75046 -
75047 -+#ifdef CONFIG_PAX_USERCOPY
75048 -+ trace_kfree(_RET_IP_, b);
75049 -+#else
75050 - trace_kmem_cache_free(_RET_IP_, b);
75051 -+#endif
75052 -+
75053 - }
75054 - EXPORT_SYMBOL(kmem_cache_free);
75055 -
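Review bot: in kmem_cache_free(), the CONFIG_PAX_USERCOPY block moves b back by c->align before kmemleak_free_recursive(b, c->flags) and trace_kfree(_RET_IP_, b) run, so both now see the header address rather than the pointer the caller passed in. If the allocation side registered the caller-visible pointer, these will not match; keep the original pointer for kmemleak and tracing and use the adjusted one only for the actual free. The "size + c->align < PAGE_SIZE" test also has to agree exactly with the small-versus-large decision made in __kmalloc_node_align(), so it should live in one shared helper instead of being restated here.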
75056 -diff -urNp linux-2.6.32.46/mm/slub.c linux-2.6.32.46/mm/slub.c
75057 ---- linux-2.6.32.46/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
75058 -+++ linux-2.6.32.46/mm/slub.c 2011-09-25 22:23:01.000000000 -0400
75059 -@@ -201,7 +201,7 @@ struct track {
75060 -
75061 - enum track_item { TRACK_ALLOC, TRACK_FREE };
75062 -
75063 --#ifdef CONFIG_SLUB_DEBUG
75064 -+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
75065 - static int sysfs_slab_add(struct kmem_cache *);
75066 - static int sysfs_slab_alias(struct kmem_cache *, const char *);
75067 - static void sysfs_slab_remove(struct kmem_cache *);
75068 -@@ -410,7 +410,7 @@ static void print_track(const char *s, s
75069 - if (!t->addr)
75070 - return;
75071 -
75072 -- printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
75073 -+ printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
75074 - s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
75075 - }
75076 -
75077 -@@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
75078 -
75079 - page = virt_to_head_page(x);
75080 -
75081 -+ BUG_ON(!PageSlab(page));
75082 -+
75083 - slab_free(s, page, x, _RET_IP_);
75084 -
75085 - trace_kmem_cache_free(_RET_IP_, x);
75086 -@@ -1937,7 +1939,7 @@ static int slub_min_objects;
75087 - * Merge control. If this is set then no merging of slab caches will occur.
75088 - * (Could be removed. This was introduced to pacify the merge skeptics.)
75089 - */
75090 --static int slub_nomerge;
75091 -+static int slub_nomerge = 1;
75092 -
75093 - /*
75094 - * Calculate the order of allocation given an slab object size.
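Review bot: changing the initializer to "slub_nomerge = 1" turns the slub_nomerge boot parameter, registered later in this file via __setup("slub_nomerge", setup_slub_nomerge), into a no-op, and nothing visible here lets an administrator switch merging back on. Update the comment above the variable to say that merging is now off by default and why, or add a counterpart option.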
75095 -@@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
75096 - * list to avoid pounding the page allocator excessively.
75097 - */
75098 - set_min_partial(s, ilog2(s->size));
75099 -- s->refcount = 1;
75100 -+ atomic_set(&s->refcount, 1);
75101 - #ifdef CONFIG_NUMA
75102 - s->remote_node_defrag_ratio = 1000;
75103 - #endif
75104 -@@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
75105 - void kmem_cache_destroy(struct kmem_cache *s)
75106 - {
75107 - down_write(&slub_lock);
75108 -- s->refcount--;
75109 -- if (!s->refcount) {
75110 -+ if (atomic_dec_and_test(&s->refcount)) {
75111 - list_del(&s->list);
75112 - up_write(&slub_lock);
75113 - if (kmem_cache_close(s)) {
75114 -@@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
75115 - __setup("slub_nomerge", setup_slub_nomerge);
75116 -
75117 - static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
75118 -- const char *name, int size, gfp_t gfp_flags)
75119 -+ const char *name, int size, gfp_t gfp_flags, unsigned int flags)
75120 - {
75121 -- unsigned int flags = 0;
75122 --
75123 - if (gfp_flags & SLUB_DMA)
75124 -- flags = SLAB_CACHE_DMA;
75125 -+ flags |= SLAB_CACHE_DMA;
75126 -
75127 - /*
75128 - * This function is called with IRQs disabled during early-boot on
75129 -@@ -2915,6 +2914,46 @@ void *__kmalloc_node(size_t size, gfp_t
75130 - EXPORT_SYMBOL(__kmalloc_node);
75131 - #endif
75132 -
75133 -+void check_object_size(const void *ptr, unsigned long n, bool to)
75134 -+{
75135 -+
75136 -+#ifdef CONFIG_PAX_USERCOPY
75137 -+ struct page *page;
75138 -+ struct kmem_cache *s = NULL;
75139 -+ unsigned long offset;
75140 -+
75141 -+ if (!n)
75142 -+ return;
75143 -+
75144 -+ if (ZERO_OR_NULL_PTR(ptr))
75145 -+ goto report;
75146 -+
75147 -+ if (!virt_addr_valid(ptr))
75148 -+ return;
75149 -+
75150 -+ page = get_object_page(ptr);
75151 -+
75152 -+ if (!page) {
75153 -+ if (object_is_on_stack(ptr, n) == -1)
75154 -+ goto report;
75155 -+ return;
75156 -+ }
75157 -+
75158 -+ s = page->slab;
75159 -+ if (!(s->flags & SLAB_USERCOPY))
75160 -+ goto report;
75161 -+
75162 -+ offset = (ptr - page_address(page)) % s->size;
75163 -+ if (offset <= s->objsize && n <= s->objsize - offset)
75164 -+ return;
75165 -+
75166 -+report:
75167 -+ pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
75168 -+#endif
75169 -+
75170 -+}
75171 -+EXPORT_SYMBOL(check_object_size);
75172 -+
75173 - size_t ksize(const void *object)
75174 - {
75175 - struct page *page;
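Review bot: the opening checks of this check_object_size() (!n, ZERO_OR_NULL_PTR(ptr), !virt_addr_valid(ptr), and the object_is_on_stack() fallback for non-slab memory) are repeated almost line for line in the slab.c and slob.c versions. Hoist them into one shared helper so each allocator supplies only its per-cache bounds check. The computation "offset = (ptr - page_address(page)) % s->size" also assumes objects are laid out from page_address(page) at a stride of s->size with the s->objsize usable bytes first; state that assumption in a comment next to it.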
75176 -@@ -3185,8 +3224,8 @@ void __init kmem_cache_init(void)
75177 - * kmem_cache_open for slab_state == DOWN.
75178 - */
75179 - create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
75180 -- sizeof(struct kmem_cache_node), GFP_NOWAIT);
75181 -- kmalloc_caches[0].refcount = -1;
75182 -+ sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
75183 -+ atomic_set(&kmalloc_caches[0].refcount, -1);
75184 - caches++;
75185 -
75186 - hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
75187 -@@ -3198,18 +3237,18 @@ void __init kmem_cache_init(void)
75188 - /* Caches that are not of the two-to-the-power-of size */
75189 - if (KMALLOC_MIN_SIZE <= 32) {
75190 - create_kmalloc_cache(&kmalloc_caches[1],
75191 -- "kmalloc-96", 96, GFP_NOWAIT);
75192 -+ "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
75193 - caches++;
75194 - }
75195 - if (KMALLOC_MIN_SIZE <= 64) {
75196 - create_kmalloc_cache(&kmalloc_caches[2],
75197 -- "kmalloc-192", 192, GFP_NOWAIT);
75198 -+ "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
75199 - caches++;
75200 - }
75201 -
75202 - for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75203 - create_kmalloc_cache(&kmalloc_caches[i],
75204 -- "kmalloc", 1 << i, GFP_NOWAIT);
75205 -+ "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
75206 - caches++;
75207 - }
75208 -
75209 -@@ -3293,7 +3332,7 @@ static int slab_unmergeable(struct kmem_
75210 - /*
75211 - * We may have set a slab to be unmergeable during bootstrap.
75212 - */
75213 -- if (s->refcount < 0)
75214 -+ if (atomic_read(&s->refcount) < 0)
75215 - return 1;
75216 -
75217 - return 0;
75218 -@@ -3353,7 +3392,7 @@ struct kmem_cache *kmem_cache_create(con
75219 - if (s) {
75220 - int cpu;
75221 -
75222 -- s->refcount++;
75223 -+ atomic_inc(&s->refcount);
75224 - /*
75225 - * Adjust the object sizes so that we clear
75226 - * the complete object on kzalloc.
75227 -@@ -3372,7 +3411,7 @@ struct kmem_cache *kmem_cache_create(con
75228 -
75229 - if (sysfs_slab_alias(s, name)) {
75230 - down_write(&slub_lock);
75231 -- s->refcount--;
75232 -+ atomic_dec(&s->refcount);
75233 - up_write(&slub_lock);
75234 - goto err;
75235 - }
75236 -@@ -4101,7 +4140,7 @@ SLAB_ATTR_RO(ctor);
75237 -
75238 - static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75239 - {
75240 -- return sprintf(buf, "%d\n", s->refcount - 1);
75241 -+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75242 - }
75243 - SLAB_ATTR_RO(aliases);
75244 -
75245 -@@ -4503,7 +4542,7 @@ static void kmem_cache_release(struct ko
75246 - kfree(s);
75247 - }
75248 -
75249 --static struct sysfs_ops slab_sysfs_ops = {
75250 -+static const struct sysfs_ops slab_sysfs_ops = {
75251 - .show = slab_attr_show,
75252 - .store = slab_attr_store,
75253 - };
75254 -@@ -4522,7 +4561,7 @@ static int uevent_filter(struct kset *ks
75255 - return 0;
75256 - }
75257 -
75258 --static struct kset_uevent_ops slab_uevent_ops = {
75259 -+static const struct kset_uevent_ops slab_uevent_ops = {
75260 - .filter = uevent_filter,
75261 - };
75262 -
75263 -@@ -4564,6 +4603,7 @@ static char *create_unique_id(struct kme
75264 - return name;
75265 - }
75266 -
75267 -+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
75268 - static int sysfs_slab_add(struct kmem_cache *s)
75269 - {
75270 - int err;
75271 -@@ -4619,6 +4659,7 @@ static void sysfs_slab_remove(struct kme
75272 - kobject_del(&s->kobj);
75273 - kobject_put(&s->kobj);
75274 - }
75275 -+#endif
75276 -
75277 - /*
75278 - * Need to buffer aliases during bootup until sysfs becomes
75279 -@@ -4632,6 +4673,7 @@ struct saved_alias {
75280 -
75281 - static struct saved_alias *alias_list;
75282 -
75283 -+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
75284 - static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
75285 - {
75286 - struct saved_alias *al;
75287 -@@ -4654,6 +4696,7 @@ static int sysfs_slab_alias(struct kmem_
75288 - alias_list = al;
75289 - return 0;
75290 - }
75291 -+#endif
75292 -
75293 - static int __init slab_sysfs_init(void)
75294 - {
75295 -@@ -4785,7 +4828,13 @@ static const struct file_operations proc
75296 -
75297 - static int __init slab_proc_init(void)
75298 - {
75299 -- proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75300 -+ mode_t gr_mode = S_IRUGO;
75301 -+
75302 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
75303 -+ gr_mode = S_IRUSR;
75304 -+#endif
75305 -+
75306 -+ proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75307 - return 0;
75308 - }
75309 - module_init(slab_proc_init);
75310 -diff -urNp linux-2.6.32.46/mm/swap.c linux-2.6.32.46/mm/swap.c
75311 ---- linux-2.6.32.46/mm/swap.c 2011-03-27 14:31:47.000000000 -0400
75312 -+++ linux-2.6.32.46/mm/swap.c 2011-07-09 09:15:19.000000000 -0400
75313 -@@ -30,6 +30,7 @@
75314 - #include <linux/notifier.h>
75315 - #include <linux/backing-dev.h>
75316 - #include <linux/memcontrol.h>
75317 -+#include <linux/hugetlb.h>
75318 -
75319 - #include "internal.h"
75320 -
75321 -@@ -65,6 +66,8 @@ static void put_compound_page(struct pag
75322 - compound_page_dtor *dtor;
75323 -
75324 - dtor = get_compound_page_dtor(page);
75325 -+ if (!PageHuge(page))
75326 -+ BUG_ON(dtor != free_compound_page);
75327 - (*dtor)(page);
75328 - }
75329 - }
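Review bot: the new BUG_ON in put_compound_page() has no comment saying what it guards. It asserts that, for non-huge pages, the destructor returned by get_compound_page_dtor() is exactly free_compound_page before the indirect call `(*dtor)(page)`. Say so in a comment, and say why halting with BUG_ON is preferred over a WARN_ON that skips the call.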
75330 -diff -urNp linux-2.6.32.46/mm/util.c linux-2.6.32.46/mm/util.c
75331 ---- linux-2.6.32.46/mm/util.c 2011-03-27 14:31:47.000000000 -0400
75332 -+++ linux-2.6.32.46/mm/util.c 2011-04-17 15:56:46.000000000 -0400
75333 -@@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
75334 - void arch_pick_mmap_layout(struct mm_struct *mm)
75335 - {
75336 - mm->mmap_base = TASK_UNMAPPED_BASE;
75337 -+
75338 -+#ifdef CONFIG_PAX_RANDMMAP
75339 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
75340 -+ mm->mmap_base += mm->delta_mmap;
75341 -+#endif
75342 -+
75343 - mm->get_unmapped_area = arch_get_unmapped_area;
75344 - mm->unmap_area = arch_unmap_area;
75345 - }
75346 -diff -urNp linux-2.6.32.46/mm/vmalloc.c linux-2.6.32.46/mm/vmalloc.c
75347 ---- linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:24:44.000000000 -0400
75348 -+++ linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:25:07.000000000 -0400
75349 -@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75350 -
75351 - pte = pte_offset_kernel(pmd, addr);
75352 - do {
75353 -- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75354 -- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75355 -+
75356 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75357 -+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75358 -+ BUG_ON(!pte_exec(*pte));
75359 -+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75360 -+ continue;
75361 -+ }
75362 -+#endif
75363 -+
75364 -+ {
75365 -+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75366 -+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75367 -+ }
75368 - } while (pte++, addr += PAGE_SIZE, addr != end);
75369 - }
75370 -
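Review bot: the KERNEXEC branch in vunmap_pte_range() needs a comment. For addresses in the MODULES_EXEC_VADDR..MODULES_EXEC_END range the PTE is not cleared but rewritten with set_pte_at() to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)`, which is a surprising thing for an unmap path to do, and nothing in the hunk says why. The `continue` inside the do/while is correct, since it still evaluates `pte++, addr += PAGE_SIZE`. The bare `{ ... }` block added only to scope ptent would read better as an explicit else branch.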
75371 -@@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75372 - unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75373 - {
75374 - pte_t *pte;
75375 -+ int ret = -ENOMEM;
75376 -
75377 - /*
75378 - * nr is a running index into the array which helps higher level
75379 -@@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
75380 - pte = pte_alloc_kernel(pmd, addr);
75381 - if (!pte)
75382 - return -ENOMEM;
75383 -+
75384 -+ pax_open_kernel();
75385 - do {
75386 - struct page *page = pages[*nr];
75387 -
75388 -- if (WARN_ON(!pte_none(*pte)))
75389 -- return -EBUSY;
75390 -- if (WARN_ON(!page))
75391 -- return -ENOMEM;
75392 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75393 -+ if (!(pgprot_val(prot) & _PAGE_NX))
75394 -+ BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
75395 -+ else
75396 -+#endif
75397 -+
75398 -+ if (WARN_ON(!pte_none(*pte))) {
75399 -+ ret = -EBUSY;
75400 -+ goto out;
75401 -+ }
75402 -+ if (WARN_ON(!page)) {
75403 -+ ret = -ENOMEM;
75404 -+ goto out;
75405 -+ }
75406 - set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75407 - (*nr)++;
75408 - } while (pte++, addr += PAGE_SIZE, addr != end);
75409 -- return 0;
75410 -+ ret = 0;
75411 -+out:
75412 -+ pax_close_kernel();
75413 -+ return ret;
75414 - }
75415 -
75416 - static int vmap_pmd_range(pud_t *pud, unsigned long addr,
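Review bot: in vmap_pte_range() the `else` placed just before `#endif` binds only to the following `if (WARN_ON(!pte_none(*pte)))` statement. With KERNEXEC and an executable prot, the pte_none check is therefore skipped while the `!page` check and set_pte_at() still run. If that is intended, brace it and comment it; as written the control flow depends on which statement happens to follow the `#endif`. Converting the early returns to `goto out` does correctly pair pax_open_kernel() with pax_close_kernel() on every path after the open.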
75417 -@@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
75418 - * and fall back on vmalloc() if that fails. Others
75419 - * just put it in the vmalloc space.
75420 - */
75421 --#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75422 -+#ifdef CONFIG_MODULES
75423 -+#ifdef MODULES_VADDR
75424 - unsigned long addr = (unsigned long)x;
75425 - if (addr >= MODULES_VADDR && addr < MODULES_END)
75426 - return 1;
75427 - #endif
75428 -+
75429 -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75430 -+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75431 -+ return 1;
75432 -+#endif
75433 -+
75434 -+#endif
75435 -+
75436 - return is_vmalloc_addr(x);
75437 - }
75438 -
75439 -@@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
75440 -
75441 - if (!pgd_none(*pgd)) {
75442 - pud_t *pud = pud_offset(pgd, addr);
75443 -+#ifdef CONFIG_X86
75444 -+ if (!pud_large(*pud))
75445 -+#endif
75446 - if (!pud_none(*pud)) {
75447 - pmd_t *pmd = pmd_offset(pud, addr);
75448 -+#ifdef CONFIG_X86
75449 -+ if (!pmd_large(*pmd))
75450 -+#endif
75451 - if (!pmd_none(*pmd)) {
75452 - pte_t *ptep, pte;
75453 -
75454 -@@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
75455 - struct rb_node *tmp;
75456 -
75457 - while (*p) {
75458 -- struct vmap_area *tmp;
75459 -+ struct vmap_area *varea;
75460 -
75461 - parent = *p;
75462 -- tmp = rb_entry(parent, struct vmap_area, rb_node);
75463 -- if (va->va_start < tmp->va_end)
75464 -+ varea = rb_entry(parent, struct vmap_area, rb_node);
75465 -+ if (va->va_start < varea->va_end)
75466 - p = &(*p)->rb_left;
75467 -- else if (va->va_end > tmp->va_start)
75468 -+ else if (va->va_end > varea->va_start)
75469 - p = &(*p)->rb_right;
75470 - else
75471 - BUG();
75472 -@@ -1233,6 +1275,16 @@ static struct vm_struct *__get_vm_area_n
75473 - struct vm_struct *area;
75474 -
75475 - BUG_ON(in_interrupt());
75476 -+
75477 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75478 -+ if (flags & VM_KERNEXEC) {
75479 -+ if (start != VMALLOC_START || end != VMALLOC_END)
75480 -+ return NULL;
75481 -+ start = (unsigned long)MODULES_EXEC_VADDR;
75482 -+ end = (unsigned long)MODULES_EXEC_END;
75483 -+ }
75484 -+#endif
75485 -+
75486 - if (flags & VM_IOREMAP) {
75487 - int bit = fls(size);
75488 -
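Review bot: the VM_KERNEXEC branch in __get_vm_area_node() returns NULL with no diagnostic when the caller passed a range other than VMALLOC_START..VMALLOC_END. Callers cannot tell this apart from an allocation failure. A WARN_ON_ONCE on that condition would make the failure diagnosable. Failing that, add a comment stating that executable requests are only accepted for the default range and are redirected to MODULES_EXEC_VADDR..MODULES_EXEC_END.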
75489 -@@ -1458,6 +1510,11 @@ void *vmap(struct page **pages, unsigned
75490 - if (count > totalram_pages)
75491 - return NULL;
75492 -
75493 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75494 -+ if (!(pgprot_val(prot) & _PAGE_NX))
75495 -+ flags |= VM_KERNEXEC;
75496 -+#endif
75497 -+
75498 - area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75499 - __builtin_return_address(0));
75500 - if (!area)
75501 -@@ -1568,6 +1625,13 @@ static void *__vmalloc_node(unsigned lon
75502 - if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75503 - return NULL;
75504 -
75505 -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75506 -+ if (!(pgprot_val(prot) & _PAGE_NX))
75507 -+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75508 -+ node, gfp_mask, caller);
75509 -+ else
75510 -+#endif
75511 -+
75512 - area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
75513 - VMALLOC_END, node, gfp_mask, caller);
75514 -
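Review bot: the two __get_vm_area_node() calls in __vmalloc_node() differ only in the VM_KERNEXEC flag, and the `else` that straddles `#endif` makes the guard on the second call easy to miss. Compute the flags in a local (VM_ALLOC, plus VM_KERNEXEC when `!(pgprot_val(prot) & _PAGE_NX)`) and keep a single call.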
75515 -@@ -1586,6 +1650,7 @@ static void *__vmalloc_node(unsigned lon
75516 - return addr;
75517 - }
75518 -
75519 -+#undef __vmalloc
75520 - void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75521 - {
75522 - return __vmalloc_node(size, 1, gfp_mask, prot, -1,
75523 -@@ -1602,6 +1667,7 @@ EXPORT_SYMBOL(__vmalloc);
75524 - * For tight control over page level allocator and protection flags
75525 - * use __vmalloc() instead.
75526 - */
75527 -+#undef vmalloc
75528 - void *vmalloc(unsigned long size)
75529 - {
75530 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75531 -@@ -1616,6 +1682,7 @@ EXPORT_SYMBOL(vmalloc);
75532 - * The resulting memory area is zeroed so it can be mapped to userspace
75533 - * without leaking data.
75534 - */
75535 -+#undef vmalloc_user
75536 - void *vmalloc_user(unsigned long size)
75537 - {
75538 - struct vm_struct *area;
75539 -@@ -1643,6 +1710,7 @@ EXPORT_SYMBOL(vmalloc_user);
75540 - * For tight control over page level allocator and protection flags
75541 - * use __vmalloc() instead.
75542 - */
75543 -+#undef vmalloc_node
75544 - void *vmalloc_node(unsigned long size, int node)
75545 - {
75546 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75547 -@@ -1665,10 +1733,10 @@ EXPORT_SYMBOL(vmalloc_node);
75548 - * For tight control over page level allocator and protection flags
75549 - * use __vmalloc() instead.
75550 - */
75551 --
75552 -+#undef vmalloc_exec
75553 - void *vmalloc_exec(unsigned long size)
75554 - {
75555 -- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75556 -+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75557 - -1, __builtin_return_address(0));
75558 - }
75559 -
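Review bot: vmalloc_exec() now passes __GFP_ZERO, but the comment block above it is unchanged in this hunk and does not mention that the returned executable memory is zeroed; document the new guarantee there. The added `#undef vmalloc_exec` also needs a note on which macro definition it cancels, since no such definition appears in this file's hunks. The same applies to the `#undef` lines added before __vmalloc, vmalloc, vmalloc_user, vmalloc_node, vmalloc_32 and vmalloc_32_user.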
75560 -@@ -1687,6 +1755,7 @@ void *vmalloc_exec(unsigned long size)
75561 - * Allocate enough 32bit PA addressable pages to cover @size from the
75562 - * page level allocator and map them into contiguous kernel virtual space.
75563 - */
75564 -+#undef vmalloc_32
75565 - void *vmalloc_32(unsigned long size)
75566 - {
75567 - return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75568 -@@ -1701,6 +1770,7 @@ EXPORT_SYMBOL(vmalloc_32);
75569 - * The resulting memory area is 32bit addressable and zeroed so it can be
75570 - * mapped to userspace without leaking data.
75571 - */
75572 -+#undef vmalloc_32_user
75573 - void *vmalloc_32_user(unsigned long size)
75574 - {
75575 - struct vm_struct *area;
75576 -@@ -1965,6 +2035,8 @@ int remap_vmalloc_range(struct vm_area_s
75577 - unsigned long uaddr = vma->vm_start;
75578 - unsigned long usize = vma->vm_end - vma->vm_start;
75579 -
75580 -+ BUG_ON(vma->vm_mirror);
75581 -+
75582 - if ((PAGE_SIZE-1) & (unsigned long)addr)
75583 - return -EINVAL;
75584 -
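Review bot: `BUG_ON(vma->vm_mirror)` in remap_vmalloc_range() halts the kernel on a condition that sits directly above a check returning -EINVAL for a misaligned addr. If a mirrored vma can reach this function through a caller's mistake, returning -EINVAL would be consistent with the neighbouring check; if it can never happen, a comment should state the invariant being asserted.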
75585 -diff -urNp linux-2.6.32.46/mm/vmstat.c linux-2.6.32.46/mm/vmstat.c
75586 ---- linux-2.6.32.46/mm/vmstat.c 2011-03-27 14:31:47.000000000 -0400
75587 -+++ linux-2.6.32.46/mm/vmstat.c 2011-04-17 15:56:46.000000000 -0400
75588 -@@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
75589 - *
75590 - * vm_stat contains the global counters
75591 - */
75592 --atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75593 -+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75594 - EXPORT_SYMBOL(vm_stat);
75595 -
75596 - #ifdef CONFIG_SMP
75597 -@@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
75598 - v = p->vm_stat_diff[i];
75599 - p->vm_stat_diff[i] = 0;
75600 - local_irq_restore(flags);
75601 -- atomic_long_add(v, &zone->vm_stat[i]);
75602 -+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75603 - global_diff[i] += v;
75604 - #ifdef CONFIG_NUMA
75605 - /* 3 seconds idle till flush */
75606 -@@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
75607 -
75608 - for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75609 - if (global_diff[i])
75610 -- atomic_long_add(global_diff[i], &vm_stat[i]);
75611 -+ atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75612 - }
75613 -
75614 - #endif
75615 -@@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
75616 - start_cpu_timer(cpu);
75617 - #endif
75618 - #ifdef CONFIG_PROC_FS
75619 -- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
75620 -- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
75621 -- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
75622 -- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
75623 -+ {
75624 -+ mode_t gr_mode = S_IRUGO;
75625 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
75626 -+ gr_mode = S_IRUSR;
75627 -+#endif
75628 -+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
75629 -+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
75630 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
75631 -+ proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
75632 -+#else
75633 -+ proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
75634 -+#endif
75635 -+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
75636 -+ }
75637 - #endif
75638 - return 0;
75639 - }
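Review bot: in setup_vmstat() only the vmstat entry gets `gr_mode | S_IRGRP` under CONFIG_GRKERNSEC_PROC_USERGROUP, while buddyinfo, pagetypeinfo and zoneinfo stay at gr_mode. Nothing in the hunk explains why vmstat alone is group-readable; add a comment. The `| S_IRGRP` is also a no-op unless CONFIG_GRKERNSEC_PROC_ADD is set, because gr_mode is otherwise S_IRUGO, so the dependency between the two options should be stated.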
75640 -diff -urNp linux-2.6.32.46/net/8021q/vlan.c linux-2.6.32.46/net/8021q/vlan.c
75641 ---- linux-2.6.32.46/net/8021q/vlan.c 2011-03-27 14:31:47.000000000 -0400
75642 -+++ linux-2.6.32.46/net/8021q/vlan.c 2011-04-17 15:56:46.000000000 -0400
75643 -@@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
75644 - err = -EPERM;
75645 - if (!capable(CAP_NET_ADMIN))
75646 - break;
75647 -- if ((args.u.name_type >= 0) &&
75648 -- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
75649 -+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
75650 - struct vlan_net *vn;
75651 -
75652 - vn = net_generic(net, vlan_net_id);
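Review bot: dropping `(args.u.name_type >= 0)` in vlan_ioctl_handler() is only safe if name_type is an unsigned type, and the field's declaration is not visible in this hunk. State that in the patch description, or keep the lower-bound check; if the field is signed, a negative value would now pass the `< VLAN_NAME_TYPE_HIGHEST` test.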
75653 -diff -urNp linux-2.6.32.46/net/9p/trans_fd.c linux-2.6.32.46/net/9p/trans_fd.c
75654 ---- linux-2.6.32.46/net/9p/trans_fd.c 2011-03-27 14:31:47.000000000 -0400
75655 -+++ linux-2.6.32.46/net/9p/trans_fd.c 2011-10-06 09:37:14.000000000 -0400
75656 -@@ -419,7 +419,7 @@ static int p9_fd_write(struct p9_client
75657 - oldfs = get_fs();
75658 - set_fs(get_ds());
75659 - /* The cast to a user pointer is valid due to the set_fs() */
75660 -- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
75661 -+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
75662 - set_fs(oldfs);
75663 -
75664 - if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
75665 -diff -urNp linux-2.6.32.46/net/atm/atm_misc.c linux-2.6.32.46/net/atm/atm_misc.c
75666 ---- linux-2.6.32.46/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
75667 -+++ linux-2.6.32.46/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
75668 -@@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
75669 - if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
75670 - return 1;
75671 - atm_return(vcc,truesize);
75672 -- atomic_inc(&vcc->stats->rx_drop);
75673 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
75674 - return 0;
75675 - }
75676 -
75677 -@@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
75678 - }
75679 - }
75680 - atm_return(vcc,guess);
75681 -- atomic_inc(&vcc->stats->rx_drop);
75682 -+ atomic_inc_unchecked(&vcc->stats->rx_drop);
75683 - return NULL;
75684 - }
75685 -
75686 -@@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
75687 -
75688 - void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
75689 - {
75690 --#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75691 -+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75692 - __SONET_ITEMS
75693 - #undef __HANDLE_ITEM
75694 - }
75695 -@@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
75696 -
75697 - void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
75698 - {
75699 --#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
75700 -+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
75701 - __SONET_ITEMS
75702 - #undef __HANDLE_ITEM
75703 - }
75704 -diff -urNp linux-2.6.32.46/net/atm/lec.h linux-2.6.32.46/net/atm/lec.h
75705 ---- linux-2.6.32.46/net/atm/lec.h 2011-03-27 14:31:47.000000000 -0400
75706 -+++ linux-2.6.32.46/net/atm/lec.h 2011-08-05 20:33:55.000000000 -0400
75707 -@@ -48,7 +48,7 @@ struct lane2_ops {
75708 - const u8 *tlvs, u32 sizeoftlvs);
75709 - void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
75710 - const u8 *tlvs, u32 sizeoftlvs);
75711 --};
75712 -+} __no_const;
75713 -
75714 - /*
75715 - * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
75716 -diff -urNp linux-2.6.32.46/net/atm/mpc.h linux-2.6.32.46/net/atm/mpc.h
75717 ---- linux-2.6.32.46/net/atm/mpc.h 2011-03-27 14:31:47.000000000 -0400
75718 -+++ linux-2.6.32.46/net/atm/mpc.h 2011-08-23 21:22:38.000000000 -0400
75719 -@@ -33,7 +33,7 @@ struct mpoa_client {
75720 - struct mpc_parameters parameters; /* parameters for this client */
75721 -
75722 - const struct net_device_ops *old_ops;
75723 -- struct net_device_ops new_ops;
75724 -+ net_device_ops_no_const new_ops;
75725 - };
75726 -
75727 -
75728 -diff -urNp linux-2.6.32.46/net/atm/mpoa_caches.c linux-2.6.32.46/net/atm/mpoa_caches.c
75729 ---- linux-2.6.32.46/net/atm/mpoa_caches.c 2011-03-27 14:31:47.000000000 -0400
75730 -+++ linux-2.6.32.46/net/atm/mpoa_caches.c 2011-05-16 21:46:57.000000000 -0400
75731 -@@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
75732 - struct timeval now;
75733 - struct k_message msg;
75734 -
75735 -+ pax_track_stack();
75736 -+
75737 - do_gettimeofday(&now);
75738 -
75739 - write_lock_irq(&client->egress_lock);
75740 -diff -urNp linux-2.6.32.46/net/atm/proc.c linux-2.6.32.46/net/atm/proc.c
75741 ---- linux-2.6.32.46/net/atm/proc.c 2011-03-27 14:31:47.000000000 -0400
75742 -+++ linux-2.6.32.46/net/atm/proc.c 2011-04-17 15:56:46.000000000 -0400
75743 -@@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
75744 - const struct k_atm_aal_stats *stats)
75745 - {
75746 - seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
75747 -- atomic_read(&stats->tx),atomic_read(&stats->tx_err),
75748 -- atomic_read(&stats->rx),atomic_read(&stats->rx_err),
75749 -- atomic_read(&stats->rx_drop));
75750 -+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
75751 -+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
75752 -+ atomic_read_unchecked(&stats->rx_drop));
75753 - }
75754 -
75755 - static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
75756 -@@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
75757 - {
75758 - struct sock *sk = sk_atm(vcc);
75759 -
75760 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
75761 -+ seq_printf(seq, "%p ", NULL);
75762 -+#else
75763 - seq_printf(seq, "%p ", vcc);
75764 -+#endif
75765 -+
75766 - if (!vcc->dev)
75767 - seq_printf(seq, "Unassigned ");
75768 - else
75769 -@@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
75770 - {
75771 - if (!vcc->dev)
75772 - seq_printf(seq, sizeof(void *) == 4 ?
75773 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
75774 -+ "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
75775 -+#else
75776 - "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
75777 -+#endif
75778 - else
75779 - seq_printf(seq, "%3d %3d %5d ",
75780 - vcc->dev->number, vcc->vpi, vcc->vci);
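Review bot: in svc_info() the `#ifdef CONFIG_GRKERNSEC_HIDESYM` splits a single seq_printf() call in the middle of its argument list and duplicates the format strings in both branches. Select the pointer once (a local set to NULL or vcc under the #ifdef) and keep one call, so the two copies of the format strings cannot drift apart.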
75781 -diff -urNp linux-2.6.32.46/net/atm/resources.c linux-2.6.32.46/net/atm/resources.c
75782 ---- linux-2.6.32.46/net/atm/resources.c 2011-03-27 14:31:47.000000000 -0400
75783 -+++ linux-2.6.32.46/net/atm/resources.c 2011-04-17 15:56:46.000000000 -0400
75784 -@@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
75785 - static void copy_aal_stats(struct k_atm_aal_stats *from,
75786 - struct atm_aal_stats *to)
75787 - {
75788 --#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75789 -+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75790 - __AAL_STAT_ITEMS
75791 - #undef __HANDLE_ITEM
75792 - }
75793 -@@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
75794 - static void subtract_aal_stats(struct k_atm_aal_stats *from,
75795 - struct atm_aal_stats *to)
75796 - {
75797 --#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75798 -+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
75799 - __AAL_STAT_ITEMS
75800 - #undef __HANDLE_ITEM
75801 - }
75802 -diff -urNp linux-2.6.32.46/net/bluetooth/l2cap.c linux-2.6.32.46/net/bluetooth/l2cap.c
75803 ---- linux-2.6.32.46/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
75804 -+++ linux-2.6.32.46/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
75805 -@@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
75806 - err = -ENOTCONN;
75807 - break;
75808 - }
75809 --
75810 -+ memset(&cinfo, 0, sizeof(cinfo));
75811 - cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
75812 - memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
75813 -
75814 -@@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
75815 -
75816 - /* Reject if config buffer is too small. */
75817 - len = cmd_len - sizeof(*req);
75818 -- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75819 -+ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75820 - l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
75821 - l2cap_build_conf_rsp(sk, rsp,
75822 - L2CAP_CONF_REJECT, flags), rsp);
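Review bot: the added `len < 0` test in l2cap_config_req() depends on len being a signed type, and it runs after `len = cmd_len - sizeof(*req)` has already been computed. Checking `cmd_len < sizeof(*req)` before the subtraction would reject short commands without relying on the signedness of len or on the result of an underflowed subtraction.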
75823 -diff -urNp linux-2.6.32.46/net/bluetooth/rfcomm/sock.c linux-2.6.32.46/net/bluetooth/rfcomm/sock.c
75824 ---- linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
75825 -+++ linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
75826 -@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
75827 -
75828 - l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
75829 -
75830 -+ memset(&cinfo, 0, sizeof(cinfo));
75831 - cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
75832 - memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
75833 -
75834 -diff -urNp linux-2.6.32.46/net/bridge/br_private.h linux-2.6.32.46/net/bridge/br_private.h
75835 ---- linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:35:30.000000000 -0400
75836 -+++ linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:34:01.000000000 -0400
75837 -@@ -255,7 +255,7 @@ extern void br_ifinfo_notify(int event,
75838 -
75839 - #ifdef CONFIG_SYSFS
75840 - /* br_sysfs_if.c */
75841 --extern struct sysfs_ops brport_sysfs_ops;
75842 -+extern const struct sysfs_ops brport_sysfs_ops;
75843 - extern int br_sysfs_addif(struct net_bridge_port *p);
75844 -
75845 - /* br_sysfs_br.c */
75846 -diff -urNp linux-2.6.32.46/net/bridge/br_stp_if.c linux-2.6.32.46/net/bridge/br_stp_if.c
75847 ---- linux-2.6.32.46/net/bridge/br_stp_if.c 2011-03-27 14:31:47.000000000 -0400
75848 -+++ linux-2.6.32.46/net/bridge/br_stp_if.c 2011-04-17 15:56:46.000000000 -0400
75849 -@@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
75850 - char *envp[] = { NULL };
75851 -
75852 - if (br->stp_enabled == BR_USER_STP) {
75853 -- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
75854 -+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
75855 - printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
75856 - br->dev->name, r);
75857 -
75858 -diff -urNp linux-2.6.32.46/net/bridge/br_sysfs_if.c linux-2.6.32.46/net/bridge/br_sysfs_if.c
75859 ---- linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-03-27 14:31:47.000000000 -0400
75860 -+++ linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-04-17 15:56:46.000000000 -0400
75861 -@@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
75862 - return ret;
75863 - }
75864 -
75865 --struct sysfs_ops brport_sysfs_ops = {
75866 -+const struct sysfs_ops brport_sysfs_ops = {
75867 - .show = brport_show,
75868 - .store = brport_store,
75869 - };
75870 -diff -urNp linux-2.6.32.46/net/bridge/netfilter/ebtables.c linux-2.6.32.46/net/bridge/netfilter/ebtables.c
75871 ---- linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:52.000000000 -0400
75872 -+++ linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-05-16 21:46:57.000000000 -0400
75873 -@@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
75874 - unsigned int entries_size, nentries;
75875 - char *entries;
75876 -
75877 -+ pax_track_stack();
75878 -+
75879 - if (cmd == EBT_SO_GET_ENTRIES) {
75880 - entries_size = t->private->entries_size;
75881 - nentries = t->private->nentries;
75882 -diff -urNp linux-2.6.32.46/net/can/bcm.c linux-2.6.32.46/net/can/bcm.c
75883 ---- linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:01.000000000 -0400
75884 -+++ linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:34.000000000 -0400
75885 -@@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
75886 - struct bcm_sock *bo = bcm_sk(sk);
75887 - struct bcm_op *op;
75888 -
75889 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
75890 -+ seq_printf(m, ">>> socket %p", NULL);
75891 -+ seq_printf(m, " / sk %p", NULL);
75892 -+ seq_printf(m, " / bo %p", NULL);
75893 -+#else
75894 - seq_printf(m, ">>> socket %p", sk->sk_socket);
75895 - seq_printf(m, " / sk %p", sk);
75896 - seq_printf(m, " / bo %p", bo);
75897 -+#endif
75898 - seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
75899 - seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
75900 - seq_printf(m, " <<<\n");
75901 -diff -urNp linux-2.6.32.46/net/compat.c linux-2.6.32.46/net/compat.c
75902 ---- linux-2.6.32.46/net/compat.c 2011-03-27 14:31:47.000000000 -0400
75903 -+++ linux-2.6.32.46/net/compat.c 2011-10-06 09:37:14.000000000 -0400
75904 -@@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kms
75905 - __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
75906 - __get_user(kmsg->msg_flags, &umsg->msg_flags))
75907 - return -EFAULT;
75908 -- kmsg->msg_name = compat_ptr(tmp1);
75909 -- kmsg->msg_iov = compat_ptr(tmp2);
75910 -- kmsg->msg_control = compat_ptr(tmp3);
75911 -+ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
75912 -+ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
75913 -+ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
75914 - return 0;
75915 - }
75916 -
75917 -@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *k
75918 - kern_msg->msg_name = NULL;
75919 -
75920 - tot_len = iov_from_user_compat_to_kern(kern_iov,
75921 -- (struct compat_iovec __user *)kern_msg->msg_iov,
75922 -+ (struct compat_iovec __force_user *)kern_msg->msg_iov,
75923 - kern_msg->msg_iovlen);
75924 - if (tot_len >= 0)
75925 - kern_msg->msg_iov = kern_iov;
75926 -@@ -114,20 +114,20 @@ int verify_compat_iovec(struct msghdr *k
75927 -
75928 - #define CMSG_COMPAT_FIRSTHDR(msg) \
75929 - (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
75930 -- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
75931 -+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
75932 - (struct compat_cmsghdr __user *)NULL)
75933 -
75934 - #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
75935 - ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
75936 - (ucmlen) <= (unsigned long) \
75937 - ((mhdr)->msg_controllen - \
75938 -- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
75939 -+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
75940 -
75941 - static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
75942 - struct compat_cmsghdr __user *cmsg, int cmsg_len)
75943 - {
75944 - char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
75945 -- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
75946 -+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
75947 - msg->msg_controllen)
75948 - return NULL;
75949 - return (struct compat_cmsghdr __user *)ptr;
75950 -@@ -219,7 +219,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
75951 - {
75952 - struct compat_timeval ctv;
75953 - struct compat_timespec cts[3];
75954 -- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
75955 -+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
75956 - struct compat_cmsghdr cmhdr;
75957 - int cmlen;
75958 -
75959 -@@ -271,7 +271,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
75960 -
75961 - void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
75962 - {
75963 -- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
75964 -+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
75965 - int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
75966 - int fdnum = scm->fp->count;
75967 - struct file **fp = scm->fp->fp;
75968 -@@ -433,7 +433,7 @@ static int do_get_sock_timeout(struct so
75969 - len = sizeof(ktime);
75970 - old_fs = get_fs();
75971 - set_fs(KERNEL_DS);
75972 -- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
75973 -+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
75974 - set_fs(old_fs);
75975 -
75976 - if (!err) {
75977 -@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *so
75978 - case MCAST_JOIN_GROUP:
75979 - case MCAST_LEAVE_GROUP:
75980 - {
75981 -- struct compat_group_req __user *gr32 = (void *)optval;
75982 -+ struct compat_group_req __user *gr32 = (void __user *)optval;
75983 - struct group_req __user *kgr =
75984 - compat_alloc_user_space(sizeof(struct group_req));
75985 - u32 interface;
75986 -@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *so
75987 - case MCAST_BLOCK_SOURCE:
75988 - case MCAST_UNBLOCK_SOURCE:
75989 - {
75990 -- struct compat_group_source_req __user *gsr32 = (void *)optval;
75991 -+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
75992 - struct group_source_req __user *kgsr = compat_alloc_user_space(
75993 - sizeof(struct group_source_req));
75994 - u32 interface;
75995 -@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *so
75996 - }
75997 - case MCAST_MSFILTER:
75998 - {
75999 -- struct compat_group_filter __user *gf32 = (void *)optval;
76000 -+ struct compat_group_filter __user *gf32 = (void __user *)optval;
76001 - struct group_filter __user *kgf;
76002 - u32 interface, fmode, numsrc;
76003 -
76004 -diff -urNp linux-2.6.32.46/net/core/dev.c linux-2.6.32.46/net/core/dev.c
76005 ---- linux-2.6.32.46/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
76006 -+++ linux-2.6.32.46/net/core/dev.c 2011-08-05 20:33:55.000000000 -0400
76007 -@@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
76008 - if (no_module && capable(CAP_NET_ADMIN))
76009 - no_module = request_module("netdev-%s", name);
76010 - if (no_module && capable(CAP_SYS_MODULE)) {
76011 -+#ifdef CONFIG_GRKERNSEC_MODHARDEN
76012 -+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
76013 -+#else
76014 - if (!request_module("%s", name))
76015 - pr_err("Loading kernel module for a network device "
76016 - "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
76017 - "instead\n", name);
76018 -+#endif
76019 - }
76020 - }
76021 - EXPORT_SYMBOL(dev_load);
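Review bot: with CONFIG_GRKERNSEC_MODHARDEN set, dev_load() discards the return value of ___request_module() and no longer prints the pr_err() telling administrators that loading via CAP_SYS_MODULE is deprecated in favour of CAP_NET_ADMIN and the netdev-%s alias. Keep the message on a successful load in both branches, or add a comment saying why it is dropped.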
76022 -@@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
76023 -
76024 - struct dev_gso_cb {
76025 - void (*destructor)(struct sk_buff *skb);
76026 --};
76027 -+} __no_const;
76028 -
76029 - #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
76030 -
76031 -@@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
76032 - }
76033 - EXPORT_SYMBOL(netif_rx_ni);
76034 -
76035 --static void net_tx_action(struct softirq_action *h)
76036 -+static void net_tx_action(void)
76037 - {
76038 - struct softnet_data *sd = &__get_cpu_var(softnet_data);
76039 -
76040 -@@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
76041 - EXPORT_SYMBOL(netif_napi_del);
76042 -
76043 -
76044 --static void net_rx_action(struct softirq_action *h)
76045 -+static void net_rx_action(void)
76046 - {
76047 - struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
76048 - unsigned long time_limit = jiffies + 2;
76049 -diff -urNp linux-2.6.32.46/net/core/flow.c linux-2.6.32.46/net/core/flow.c
76050 ---- linux-2.6.32.46/net/core/flow.c 2011-03-27 14:31:47.000000000 -0400
76051 -+++ linux-2.6.32.46/net/core/flow.c 2011-05-04 17:56:20.000000000 -0400
76052 -@@ -35,11 +35,11 @@ struct flow_cache_entry {
76053 - atomic_t *object_ref;
76054 - };
76055 -
76056 --atomic_t flow_cache_genid = ATOMIC_INIT(0);
76057 -+atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
76058 -
76059 - static u32 flow_hash_shift;
76060 - #define flow_hash_size (1 << flow_hash_shift)
76061 --static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
76062 -+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
76063 -
76064 - #define flow_table(cpu) (per_cpu(flow_tables, cpu))
76065 -
76066 -@@ -52,7 +52,7 @@ struct flow_percpu_info {
76067 - u32 hash_rnd;
76068 - int count;
76069 - };
76070 --static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
76071 -+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
76072 -
76073 - #define flow_hash_rnd_recalc(cpu) \
76074 - (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
76075 -@@ -69,7 +69,7 @@ struct flow_flush_info {
76076 - atomic_t cpuleft;
76077 - struct completion completion;
76078 - };
76079 --static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
76080 -+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
76081 -
76082 - #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
76083 -
76084 -@@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
76085 - if (fle->family == family &&
76086 - fle->dir == dir &&
76087 - flow_key_compare(key, &fle->key) == 0) {
76088 -- if (fle->genid == atomic_read(&flow_cache_genid)) {
76089 -+ if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
76090 - void *ret = fle->object;
76091 -
76092 - if (ret)
76093 -@@ -228,7 +228,7 @@ nocache:
76094 - err = resolver(net, key, family, dir, &obj, &obj_ref);
76095 -
76096 - if (fle && !err) {
76097 -- fle->genid = atomic_read(&flow_cache_genid);
76098 -+ fle->genid = atomic_read_unchecked(&flow_cache_genid);
76099 -
76100 - if (fle->object)
76101 - atomic_dec(fle->object_ref);
76102 -@@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
76103 -
76104 - fle = flow_table(cpu)[i];
76105 - for (; fle; fle = fle->next) {
76106 -- unsigned genid = atomic_read(&flow_cache_genid);
76107 -+ unsigned genid = atomic_read_unchecked(&flow_cache_genid);
76108 -
76109 - if (!fle->object || fle->genid == genid)
76110 - continue;
76111 -diff -urNp linux-2.6.32.46/net/core/rtnetlink.c linux-2.6.32.46/net/core/rtnetlink.c
76112 ---- linux-2.6.32.46/net/core/rtnetlink.c 2011-03-27 14:31:47.000000000 -0400
76113 -+++ linux-2.6.32.46/net/core/rtnetlink.c 2011-08-05 20:33:55.000000000 -0400
76114 -@@ -57,7 +57,7 @@ struct rtnl_link
76115 - {
76116 - rtnl_doit_func doit;
76117 - rtnl_dumpit_func dumpit;
76118 --};
76119 -+} __no_const;
76120 -
76121 - static DEFINE_MUTEX(rtnl_mutex);
76122 -
76123 -diff -urNp linux-2.6.32.46/net/core/scm.c linux-2.6.32.46/net/core/scm.c
76124 ---- linux-2.6.32.46/net/core/scm.c 2011-03-27 14:31:47.000000000 -0400
76125 -+++ linux-2.6.32.46/net/core/scm.c 2011-10-06 09:37:14.000000000 -0400
76126 -@@ -190,7 +190,7 @@ error:
76127 - int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
76128 - {
76129 - struct cmsghdr __user *cm
76130 -- = (__force struct cmsghdr __user *)msg->msg_control;
76131 -+ = (struct cmsghdr __force_user *)msg->msg_control;
76132 - struct cmsghdr cmhdr;
76133 - int cmlen = CMSG_LEN(len);
76134 - int err;
76135 -@@ -213,7 +213,7 @@ int put_cmsg(struct msghdr * msg, int le
76136 - err = -EFAULT;
76137 - if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
76138 - goto out;
76139 -- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
76140 -+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
76141 - goto out;
76142 - cmlen = CMSG_SPACE(len);
76143 - if (msg->msg_controllen < cmlen)
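Review bot: the copy_to_user() line in put_cmsg() now nests two address-space casts, `(void __force_user *)CMSG_DATA((void __force_kernel *)cm)`, which relabels the user pointer cm as a kernel pointer and then straight back again, and the line has become very long. The same pair is repeated in scm_detach_fds() in the following hunks. A small helper that takes a `struct cmsghdr __user *` and returns the user-space data pointer would keep the annotation juggling in one commented place.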
76144 -@@ -228,7 +228,7 @@ out:
76145 - void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
76146 - {
76147 - struct cmsghdr __user *cm
76148 -- = (__force struct cmsghdr __user*)msg->msg_control;
76149 -+ = (struct cmsghdr __force_user *)msg->msg_control;
76150 -
76151 - int fdmax = 0;
76152 - int fdnum = scm->fp->count;
76153 -@@ -248,7 +248,7 @@ void scm_detach_fds(struct msghdr *msg,
76154 - if (fdnum < fdmax)
76155 - fdmax = fdnum;
76156 -
76157 -- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
76158 -+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
76159 - i++, cmfptr++)
76160 - {
76161 - int new_fd;
76162 -diff -urNp linux-2.6.32.46/net/core/secure_seq.c linux-2.6.32.46/net/core/secure_seq.c
76163 ---- linux-2.6.32.46/net/core/secure_seq.c 2011-08-16 20:37:25.000000000 -0400
76164 -+++ linux-2.6.32.46/net/core/secure_seq.c 2011-08-07 19:48:09.000000000 -0400
76165 -@@ -57,7 +57,7 @@ __u32 secure_tcpv6_sequence_number(__be3
76166 - EXPORT_SYMBOL(secure_tcpv6_sequence_number);
76167 -
76168 - u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
76169 -- __be16 dport)
76170 -+ __be16 dport)
76171 - {
76172 - u32 secret[MD5_MESSAGE_BYTES / 4];
76173 - u32 hash[MD5_DIGEST_WORDS];
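Review bot: the removed and added `__be16 dport)` lines in secure_ipv6_port_ephemeral() differ only in leading whitespace, so this hunk has no functional content and only adds churn when the patch is rebased. Drop it, or move it into a separate whitespace-only cleanup.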
76174 -@@ -71,7 +71,6 @@ u32 secure_ipv6_port_ephemeral(const __b
76175 - secret[i] = net_secret[i];
76176 -
76177 - md5_transform(hash, secret);
76178 --
76179 - return hash[0];
76180 - }
76181 - #endif
76182 -diff -urNp linux-2.6.32.46/net/core/skbuff.c linux-2.6.32.46/net/core/skbuff.c
76183 ---- linux-2.6.32.46/net/core/skbuff.c 2011-03-27 14:31:47.000000000 -0400
76184 -+++ linux-2.6.32.46/net/core/skbuff.c 2011-05-16 21:46:57.000000000 -0400
76185 -@@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
76186 - struct sk_buff *frag_iter;
76187 - struct sock *sk = skb->sk;
76188 -
76189 -+ pax_track_stack();
76190 -+
76191 - /*
76192 - * __skb_splice_bits() only fails if the output has no room left,
76193 - * so no point in going over the frag_list for the error case.
76194 -diff -urNp linux-2.6.32.46/net/core/sock.c linux-2.6.32.46/net/core/sock.c
76195 ---- linux-2.6.32.46/net/core/sock.c 2011-03-27 14:31:47.000000000 -0400
76196 -+++ linux-2.6.32.46/net/core/sock.c 2011-05-04 17:56:20.000000000 -0400
76197 -@@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
76198 - break;
76199 -
76200 - case SO_PEERCRED:
76201 -+ {
76202 -+ struct ucred peercred;
76203 - if (len > sizeof(sk->sk_peercred))
76204 - len = sizeof(sk->sk_peercred);
76205 -- if (copy_to_user(optval, &sk->sk_peercred, len))
76206 -+ peercred = sk->sk_peercred;
76207 -+ if (copy_to_user(optval, &peercred, len))
76208 - return -EFAULT;
76209 - goto lenout;
76210 -+ }
76211 -
76212 - case SO_PEERNAME:
76213 - {
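Review bot: in the SO_PEERCRED case, len is still clamped against sizeof(sk->sk_peercred) while the bytes handed to copy_to_user() now come from the local peercred. Clamp against sizeof(peercred) so the bound and the source buffer cannot drift apart, and add a one-line comment saying why the value is bounced through the stack, since nothing in the hunk explains it.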
76214 -@@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
76215 - */
76216 - smp_wmb();
76217 - atomic_set(&sk->sk_refcnt, 1);
76218 -- atomic_set(&sk->sk_drops, 0);
76219 -+ atomic_set_unchecked(&sk->sk_drops, 0);
76220 - }
76221 - EXPORT_SYMBOL(sock_init_data);
76222 -
76223 -diff -urNp linux-2.6.32.46/net/decnet/sysctl_net_decnet.c linux-2.6.32.46/net/decnet/sysctl_net_decnet.c
76224 ---- linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-03-27 14:31:47.000000000 -0400
76225 -+++ linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-04-17 15:56:46.000000000 -0400
76226 -@@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
76227 -
76228 - if (len > *lenp) len = *lenp;
76229 -
76230 -- if (copy_to_user(buffer, addr, len))
76231 -+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
76232 - return -EFAULT;
76233 -
76234 - *lenp = len;
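Review bot: the new `len > sizeof addr` test in dn_node_address_handler() is only a bound if addr is an array at this point; its declaration is outside the hunk, and if it were a pointer the test would compare against the pointer size. It also reports an oversized length as -EFAULT, the same code as a faulting copy. Consider clamping len to the buffer size, as the line above already does for *lenp, or returning -EINVAL so the two failures can be told apart. The same applies to devname in dn_def_dev_handler() in the next hunk.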
76235 -@@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
76236 -
76237 - if (len > *lenp) len = *lenp;
76238 -
76239 -- if (copy_to_user(buffer, devname, len))
76240 -+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
76241 - return -EFAULT;
76242 -
76243 - *lenp = len;
76244 -diff -urNp linux-2.6.32.46/net/econet/Kconfig linux-2.6.32.46/net/econet/Kconfig
76245 ---- linux-2.6.32.46/net/econet/Kconfig 2011-03-27 14:31:47.000000000 -0400
76246 -+++ linux-2.6.32.46/net/econet/Kconfig 2011-04-17 15:56:46.000000000 -0400
76247 -@@ -4,7 +4,7 @@
76248 -
76249 - config ECONET
76250 - tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76251 -- depends on EXPERIMENTAL && INET
76252 -+ depends on EXPERIMENTAL && INET && BROKEN
76253 - ---help---
76254 - Econet is a fairly old and slow networking protocol mainly used by
76255 - Acorn computers to access file and print servers. It uses native
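Review bot: adding BROKEN to the `depends on` line takes ECONET out of normal configurations, yet the help text below still describes it as an available protocol and nothing states the reason. Add a sentence to the help text or a comment above the dependency saying why it is disabled and under what condition it could be re-enabled.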
76256 -diff -urNp linux-2.6.32.46/net/ieee802154/dgram.c linux-2.6.32.46/net/ieee802154/dgram.c
76257 ---- linux-2.6.32.46/net/ieee802154/dgram.c 2011-03-27 14:31:47.000000000 -0400
76258 -+++ linux-2.6.32.46/net/ieee802154/dgram.c 2011-05-04 17:56:28.000000000 -0400
76259 -@@ -318,7 +318,7 @@ out:
76260 - static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
76261 - {
76262 - if (sock_queue_rcv_skb(sk, skb) < 0) {
76263 -- atomic_inc(&sk->sk_drops);
76264 -+ atomic_inc_unchecked(&sk->sk_drops);
76265 - kfree_skb(skb);
76266 - return NET_RX_DROP;
76267 - }
76268 -diff -urNp linux-2.6.32.46/net/ieee802154/raw.c linux-2.6.32.46/net/ieee802154/raw.c
76269 ---- linux-2.6.32.46/net/ieee802154/raw.c 2011-03-27 14:31:47.000000000 -0400
76270 -+++ linux-2.6.32.46/net/ieee802154/raw.c 2011-05-04 17:56:28.000000000 -0400
76271 -@@ -206,7 +206,7 @@ out:
76272 - static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
76273 - {
76274 - if (sock_queue_rcv_skb(sk, skb) < 0) {
76275 -- atomic_inc(&sk->sk_drops);
76276 -+ atomic_inc_unchecked(&sk->sk_drops);
76277 - kfree_skb(skb);
76278 - return NET_RX_DROP;
76279 - }
76280 -diff -urNp linux-2.6.32.46/net/ipv4/inet_diag.c linux-2.6.32.46/net/ipv4/inet_diag.c
76281 ---- linux-2.6.32.46/net/ipv4/inet_diag.c 2011-07-13 17:23:04.000000000 -0400
76282 -+++ linux-2.6.32.46/net/ipv4/inet_diag.c 2011-06-20 19:31:13.000000000 -0400
76283 -@@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
76284 - r->idiag_retrans = 0;
76285 -
76286 - r->id.idiag_if = sk->sk_bound_dev_if;
76287 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76288 -+ r->id.idiag_cookie[0] = 0;
76289 -+ r->id.idiag_cookie[1] = 0;
76290 -+#else
76291 - r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76292 - r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76293 -+#endif
76294 -
76295 - r->id.idiag_sport = inet->sport;
76296 - r->id.idiag_dport = inet->dport;
76297 -@@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
76298 - r->idiag_family = tw->tw_family;
76299 - r->idiag_retrans = 0;
76300 - r->id.idiag_if = tw->tw_bound_dev_if;
76301 -+
76302 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76303 -+ r->id.idiag_cookie[0] = 0;
76304 -+ r->id.idiag_cookie[1] = 0;
76305 -+#else
76306 - r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76307 - r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76308 -+#endif
76309 -+
76310 - r->id.idiag_sport = tw->tw_sport;
76311 - r->id.idiag_dport = tw->tw_dport;
76312 - r->id.idiag_src[0] = tw->tw_rcv_saddr;
76313 -@@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
76314 - if (sk == NULL)
76315 - goto unlock;
76316 -
76317 -+#ifndef CONFIG_GRKERNSEC_HIDESYM
76318 - err = -ESTALE;
76319 - if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76320 - req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76321 - ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76322 - (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76323 - goto out;
76324 -+#endif
76325 -
76326 - err = -ENOMEM;
76327 - rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
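Review bot: with CONFIG_GRKERNSEC_HIDESYM set, the #ifndef in inet_diag_get_exact() removes the whole cookie comparison, including the -ESTALE result, so a request carrying a specific idiag_cookie is answered for whatever socket the lookup returned. The fill functions in this file now report the cookie as 0/0 in that configuration. Either keep a comparison against the value the fill functions now emit, or say in a comment that stale-socket detection is deliberately given up here.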
76328 -@@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
76329 - r->idiag_retrans = req->retrans;
76330 -
76331 - r->id.idiag_if = sk->sk_bound_dev_if;
76332 -+
76333 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76334 -+ r->id.idiag_cookie[0] = 0;
76335 -+ r->id.idiag_cookie[1] = 0;
76336 -+#else
76337 - r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76338 - r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76339 -+#endif
76340 -
76341 - tmo = req->expires - jiffies;
76342 - if (tmo < 0)
76343 -diff -urNp linux-2.6.32.46/net/ipv4/inet_hashtables.c linux-2.6.32.46/net/ipv4/inet_hashtables.c
76344 ---- linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:37:25.000000000 -0400
76345 -+++ linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:42:30.000000000 -0400
76346 -@@ -18,12 +18,15 @@
76347 - #include <linux/sched.h>
76348 - #include <linux/slab.h>
76349 - #include <linux/wait.h>
76350 -+#include <linux/security.h>
76351 -
76352 - #include <net/inet_connection_sock.h>
76353 - #include <net/inet_hashtables.h>
76354 - #include <net/secure_seq.h>
76355 - #include <net/ip.h>
76356 -
76357 -+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76358 -+
76359 - /*
76360 - * Allocate and initialize a new local port bind bucket.
76361 - * The bindhash mutex for snum's hash chain must be held here.
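Review bot: gr_update_task_in_ip_table() is declared with a hand-written extern in this .c file, directly below the includes, instead of coming from a header. The compiler then cannot check this prototype against the definition, so a later signature change would go unnoticed here. Move the declaration to a header that both this file and the defining file include.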
76362 -@@ -491,6 +494,8 @@ ok:
76363 - }
76364 - spin_unlock(&head->lock);
76365 -
76366 -+ gr_update_task_in_ip_table(current, inet_sk(sk));
76367 -+
76368 - if (tw) {
76369 - inet_twsk_deschedule(tw, death_row);
76370 - inet_twsk_put(tw);
76371 -diff -urNp linux-2.6.32.46/net/ipv4/inetpeer.c linux-2.6.32.46/net/ipv4/inetpeer.c
76372 ---- linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-16 20:37:25.000000000 -0400
76373 -+++ linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-07 19:48:09.000000000 -0400
76374 -@@ -367,6 +367,8 @@ struct inet_peer *inet_getpeer(__be32 da
76375 - struct inet_peer *p, *n;
76376 - struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
76377 -
76378 -+ pax_track_stack();
76379 -+
76380 - /* Look up for the address quickly. */
76381 - read_lock_bh(&peer_pool_lock);
76382 - p = lookup(daddr, NULL);
76383 -@@ -390,7 +392,7 @@ struct inet_peer *inet_getpeer(__be32 da
76384 - return NULL;
76385 - n->v4daddr = daddr;
76386 - atomic_set(&n->refcnt, 1);
76387 -- atomic_set(&n->rid, 0);
76388 -+ atomic_set_unchecked(&n->rid, 0);
76389 - n->ip_id_count = secure_ip_id(daddr);
76390 - n->tcp_ts_stamp = 0;
76391 -
76392 -diff -urNp linux-2.6.32.46/net/ipv4/ip_fragment.c linux-2.6.32.46/net/ipv4/ip_fragment.c
76393 ---- linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
76394 -+++ linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
76395 -@@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
76396 - return 0;
76397 -
76398 - start = qp->rid;
76399 -- end = atomic_inc_return(&peer->rid);
76400 -+ end = atomic_inc_return_unchecked(&peer->rid);
76401 - qp->rid = end;
76402 -
76403 - rc = qp->q.fragments && (end - start) > max;
76404 -diff -urNp linux-2.6.32.46/net/ipv4/ip_sockglue.c linux-2.6.32.46/net/ipv4/ip_sockglue.c
76405 ---- linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
76406 -+++ linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-10-06 09:37:14.000000000 -0400
76407 -@@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
76408 - int val;
76409 - int len;
76410 -
76411 -+ pax_track_stack();
76412 -+
76413 - if (level != SOL_IP)
76414 - return -EOPNOTSUPP;
76415 -
76416 -@@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock
76417 - if (sk->sk_type != SOCK_STREAM)
76418 - return -ENOPROTOOPT;
76419 -
76420 -- msg.msg_control = optval;
76421 -+ msg.msg_control = (void __force_kernel *)optval;
76422 - msg.msg_controllen = len;
76423 - msg.msg_flags = 0;
76424 -
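Review bot: do_ip_getsockopt() stores the user pointer optval in msg.msg_control through `(void __force_kernel *)`, which tells the checker it is a kernel pointer. The cast silences the address-space warning rather than resolving it, and the code that consumes msg_control has to cast back, as the put_cmsg() hunk in net/core/scm.c does. Add a comment at the assignment stating that msg_control holds a user address on this path.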
76425 -diff -urNp linux-2.6.32.46/net/ipv4/ipconfig.c linux-2.6.32.46/net/ipv4/ipconfig.c
76426 ---- linux-2.6.32.46/net/ipv4/ipconfig.c 2011-03-27 14:31:47.000000000 -0400
76427 -+++ linux-2.6.32.46/net/ipv4/ipconfig.c 2011-10-06 09:37:14.000000000 -0400
76428 -@@ -295,7 +295,7 @@ static int __init ic_devinet_ioctl(unsig
76429 -
76430 - mm_segment_t oldfs = get_fs();
76431 - set_fs(get_ds());
76432 -- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
76433 -+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
76434 - set_fs(oldfs);
76435 - return res;
76436 - }
76437 -@@ -306,7 +306,7 @@ static int __init ic_dev_ioctl(unsigned
76438 -
76439 - mm_segment_t oldfs = get_fs();
76440 - set_fs(get_ds());
76441 -- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
76442 -+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
76443 - set_fs(oldfs);
76444 - return res;
76445 - }
76446 -@@ -317,7 +317,7 @@ static int __init ic_route_ioctl(unsigne
76447 -
76448 - mm_segment_t oldfs = get_fs();
76449 - set_fs(get_ds());
76450 -- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
76451 -+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
76452 - set_fs(oldfs);
76453 - return res;
76454 - }
76455 -diff -urNp linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c
76456 ---- linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
76457 -+++ linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
76458 -@@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
76459 - private = &tmp;
76460 - }
76461 - #endif
76462 -+ memset(&info, 0, sizeof(info));
76463 - info.valid_hooks = t->valid_hooks;
76464 - memcpy(info.hook_entry, private->hook_entry,
76465 - sizeof(info.hook_entry));
76466 -diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c
76467 ---- linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-03-27 14:31:47.000000000 -0400
76468 -+++ linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-08-21 18:42:53.000000000 -0400
76469 -@@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
76470 -
76471 - if (v->data_len < sizeof(*user_iph))
76472 - return 0;
76473 -+ if (v->data_len > 65535)
76474 -+ return -EMSGSIZE;
76475 -+
76476 - diff = v->data_len - e->skb->len;
76477 - if (diff < 0) {
76478 - if (pskb_trim(e->skb, v->data_len))
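Review bot: the new upper bound in ipq_mangle_ipv4() uses a bare 65535 and returns -EMSGSIZE, while the lower-bound check just above it returns 0 for a payload that is too short. Name the constant, or add a comment saying which limit it represents, and state why the two bad-length cases report differently.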
76479 -@@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
76480 - static inline void
76481 - __ipq_rcv_skb(struct sk_buff *skb)
76482 - {
76483 -- int status, type, pid, flags, nlmsglen, skblen;
76484 -+ int status, type, pid, flags;
76485 -+ unsigned int nlmsglen, skblen;
76486 - struct nlmsghdr *nlh;
76487 -
76488 - skblen = skb->len;
76489 -diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c
76490 ---- linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400
76491 -+++ linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400
76492 -@@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
76493 - private = &tmp;
76494 - }
76495 - #endif
76496 -+ memset(&info, 0, sizeof(info));
76497 - info.valid_hooks = t->valid_hooks;
76498 - memcpy(info.hook_entry, private->hook_entry,
76499 - sizeof(info.hook_entry));
76500 -diff -urNp linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c
76501 ---- linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-27 14:31:47.000000000 -0400
76502 -+++ linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:56:46.000000000 -0400
76503 -@@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
76504 -
76505 - *len = 0;
76506 -
76507 -- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76508 -+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76509 - if (*octets == NULL) {
76510 - if (net_ratelimit())
76511 - printk("OOM in bsalg (%d)\n", __LINE__);
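Review bot: the only change to the kmalloc() call in asn1_octets_decode() is an extra pair of parentheses around `eoc - ctx->pointer`, which does not alter the expression. If the parentheses are needed for a macro expansion, say so in a comment; otherwise drop the hunk.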
76512 -diff -urNp linux-2.6.32.46/net/ipv4/raw.c linux-2.6.32.46/net/ipv4/raw.c
76513 ---- linux-2.6.32.46/net/ipv4/raw.c 2011-03-27 14:31:47.000000000 -0400
76514 -+++ linux-2.6.32.46/net/ipv4/raw.c 2011-08-14 11:46:51.000000000 -0400
76515 -@@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
76516 - /* Charge it to the socket. */
76517 -
76518 - if (sock_queue_rcv_skb(sk, skb) < 0) {
76519 -- atomic_inc(&sk->sk_drops);
76520 -+ atomic_inc_unchecked(&sk->sk_drops);
76521 - kfree_skb(skb);
76522 - return NET_RX_DROP;
76523 - }
76524 -@@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
76525 - int raw_rcv(struct sock *sk, struct sk_buff *skb)
76526 - {
76527 - if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76528 -- atomic_inc(&sk->sk_drops);
76529 -+ atomic_inc_unchecked(&sk->sk_drops);
76530 - kfree_skb(skb);
76531 - return NET_RX_DROP;
76532 - }
76533 -@@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
76534 -
76535 - static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76536 - {
76537 -+ struct icmp_filter filter;
76538 -+
76539 -+ if (optlen < 0)
76540 -+ return -EINVAL;
76541 - if (optlen > sizeof(struct icmp_filter))
76542 - optlen = sizeof(struct icmp_filter);
76543 -- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76544 -+ if (copy_from_user(&filter, optval, optlen))
76545 - return -EFAULT;
76546 -+ raw_sk(sk)->filter = filter;
76547 -+
76548 - return 0;
76549 - }
76550 -
76551 - static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76552 - {
76553 - int len, ret = -EFAULT;
76554 -+ struct icmp_filter filter;
76555 -
76556 - if (get_user(len, optlen))
76557 - goto out;
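Review bot: in raw_seticmpfilter() the local filter is not initialised, copy_from_user() fills only its first optlen bytes, and then the whole struct is assigned to raw_sk(sk)->filter. When optlen is smaller than sizeof(struct icmp_filter), the remaining bytes stored in the socket are leftover stack contents, which raw_geticmpfilter() can later copy back to user space; the old code left those bytes of the existing filter untouched. Initialise the local with `filter = raw_sk(sk)->filter;` before the copy_from_user() call.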
76558 -@@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
76559 - if (len > sizeof(struct icmp_filter))
76560 - len = sizeof(struct icmp_filter);
76561 - ret = -EFAULT;
76562 -- if (put_user(len, optlen) ||
76563 -- copy_to_user(optval, &raw_sk(sk)->filter, len))
76564 -+ filter = raw_sk(sk)->filter;
76565 -+ if (put_user(len, optlen) || len > sizeof filter ||
76566 -+ copy_to_user(optval, &filter, len))
76567 - goto out;
76568 - ret = 0;
76569 - out: return ret;
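Review bot: `len > sizeof filter` in the raw_geticmpfilter() condition is evaluated after put_user(len, optlen) has already written the length back, and two lines earlier len is clamped to sizeof(struct icmp_filter), the type of filter, so the test cannot be true on this path. Either drop it or move it ahead of put_user() so that a rejected length is never reported to the caller.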
76570 -@@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
76571 - sk_wmem_alloc_get(sp),
76572 - sk_rmem_alloc_get(sp),
76573 - 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76574 -- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76575 -+ atomic_read(&sp->sk_refcnt),
76576 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76577 -+ NULL,
76578 -+#else
76579 -+ sp,
76580 -+#endif
76581 -+ atomic_read_unchecked(&sp->sk_drops));
76582 - }
76583 -
76584 - static int raw_seq_show(struct seq_file *seq, void *v)
76585 -diff -urNp linux-2.6.32.46/net/ipv4/route.c linux-2.6.32.46/net/ipv4/route.c
76586 ---- linux-2.6.32.46/net/ipv4/route.c 2011-08-16 20:37:25.000000000 -0400
76587 -+++ linux-2.6.32.46/net/ipv4/route.c 2011-08-07 19:48:09.000000000 -0400
76588 -@@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be3
76589 -
76590 - static inline int rt_genid(struct net *net)
76591 - {
76592 -- return atomic_read(&net->ipv4.rt_genid);
76593 -+ return atomic_read_unchecked(&net->ipv4.rt_genid);
76594 - }
76595 -
76596 - #ifdef CONFIG_PROC_FS
76597 -@@ -889,7 +889,7 @@ static void rt_cache_invalidate(struct n
76598 - unsigned char shuffle;
76599 -
76600 - get_random_bytes(&shuffle, sizeof(shuffle));
76601 -- atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76602 -+ atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76603 - }
76604 -
76605 - /*
76606 -@@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_oper
76607 -
76608 - static __net_init int rt_secret_timer_init(struct net *net)
76609 - {
76610 -- atomic_set(&net->ipv4.rt_genid,
76611 -+ atomic_set_unchecked(&net->ipv4.rt_genid,
76612 - (int) ((num_physpages ^ (num_physpages>>8)) ^
76613 - (jiffies ^ (jiffies >> 7))));
76614 -
76615 -diff -urNp linux-2.6.32.46/net/ipv4/tcp.c linux-2.6.32.46/net/ipv4/tcp.c
76616 ---- linux-2.6.32.46/net/ipv4/tcp.c 2011-03-27 14:31:47.000000000 -0400
76617 -+++ linux-2.6.32.46/net/ipv4/tcp.c 2011-05-16 21:46:57.000000000 -0400
76618 -@@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
76619 - int val;
76620 - int err = 0;
76621 -
76622 -+ pax_track_stack();
76623 -+
76624 - /* This is a string value all the others are int's */
76625 - if (optname == TCP_CONGESTION) {
76626 - char name[TCP_CA_NAME_MAX];
76627 -@@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
76628 - struct tcp_sock *tp = tcp_sk(sk);
76629 - int val, len;
76630 -
76631 -+ pax_track_stack();
76632 -+
76633 - if (get_user(len, optlen))
76634 - return -EFAULT;
76635 -
76636 -diff -urNp linux-2.6.32.46/net/ipv4/tcp_ipv4.c linux-2.6.32.46/net/ipv4/tcp_ipv4.c
76637 ---- linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-16 20:37:25.000000000 -0400
76638 -+++ linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-23 21:22:32.000000000 -0400
76639 -@@ -85,6 +85,9 @@
76640 - int sysctl_tcp_tw_reuse __read_mostly;
76641 - int sysctl_tcp_low_latency __read_mostly;
76642 -
76643 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76644 -+extern int grsec_enable_blackhole;
76645 -+#endif
76646 -
76647 - #ifdef CONFIG_TCP_MD5SIG
76648 - static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
76649 -@@ -1543,6 +1546,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
76650 - return 0;
76651 -
76652 - reset:
76653 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76654 -+ if (!grsec_enable_blackhole)
76655 -+#endif
76656 - tcp_v4_send_reset(rsk, skb);
76657 - discard:
76658 - kfree_skb(skb);
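Review bot: the `if (!grsec_enable_blackhole)` added at the reset label is an unbraced if inside the #ifdef whose body, tcp_v4_send_reset(rsk, skb), sits outside it, so any statement later inserted between the #endif and the call silently becomes the conditional body. Wrap the call in a small helper or use braces in both configurations. This path also has no loopback exemption, whereas the no_tcp_socket hunk later in this file tests IFF_LOOPBACK; if the difference is intended, a comment should say so.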
76659 -@@ -1604,12 +1610,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
76660 - TCP_SKB_CB(skb)->sacked = 0;
76661 -
76662 - sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76663 -- if (!sk)
76664 -+ if (!sk) {
76665 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76666 -+ ret = 1;
76667 -+#endif
76668 - goto no_tcp_socket;
76669 -+ }
76670 -
76671 - process:
76672 -- if (sk->sk_state == TCP_TIME_WAIT)
76673 -+ if (sk->sk_state == TCP_TIME_WAIT) {
76674 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76675 -+ ret = 2;
76676 -+#endif
76677 - goto do_time_wait;
76678 -+ }
76679 -
76680 - if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
76681 - goto discard_and_relse;
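Review bot: ret is reused here as a tag, set to the bare values 1 (no socket found) and 2 (TIME_WAIT) before the gotos, and only `ret == 1` is read in the next hunk; the value 2 is not tested anywhere in the hunks shown for this file. Use a separate, named variable or an enum for the reason code, and drop the TIME_WAIT assignment if nothing consumes it, so the function's return variable is not overloaded with a lookup result.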
76682 -@@ -1651,6 +1665,10 @@ no_tcp_socket:
76683 - bad_packet:
76684 - TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
76685 - } else {
76686 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76687 -+ if (!grsec_enable_blackhole || (ret == 1 &&
76688 -+ (skb->dev->flags & IFF_LOOPBACK)))
76689 -+#endif
76690 - tcp_v4_send_reset(NULL, skb);
76691 - }
76692 -
76693 -@@ -2238,7 +2256,11 @@ static void get_openreq4(struct sock *sk
76694 - 0, /* non standard timer */
76695 - 0, /* open_requests have no inode */
76696 - atomic_read(&sk->sk_refcnt),
76697 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76698 -+ NULL,
76699 -+#else
76700 - req,
76701 -+#endif
76702 - len);
76703 - }
76704 -
76705 -@@ -2280,7 +2302,12 @@ static void get_tcp4_sock(struct sock *s
76706 - sock_i_uid(sk),
76707 - icsk->icsk_probes_out,
76708 - sock_i_ino(sk),
76709 -- atomic_read(&sk->sk_refcnt), sk,
76710 -+ atomic_read(&sk->sk_refcnt),
76711 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76712 -+ NULL,
76713 -+#else
76714 -+ sk,
76715 -+#endif
76716 - jiffies_to_clock_t(icsk->icsk_rto),
76717 - jiffies_to_clock_t(icsk->icsk_ack.ato),
76718 - (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
76719 -@@ -2308,7 +2335,13 @@ static void get_timewait4_sock(struct in
76720 - " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
76721 - i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
76722 - 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
76723 -- atomic_read(&tw->tw_refcnt), tw, len);
76724 -+ atomic_read(&tw->tw_refcnt),
76725 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76726 -+ NULL,
76727 -+#else
76728 -+ tw,
76729 -+#endif
76730 -+ len);
76731 - }
76732 -
76733 - #define TMPSZ 150
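Review bot: the #ifdef CONFIG_GRKERNSEC_HIDESYM / NULL / #else / tw / #endif block is spliced into the middle of the argument list that feeds the `%p` conversion in get_timewait4_sock(), and the same five lines appear in get_openreq4() and get_tcp4_sock() above. An argument list split by the preprocessor is easy to break when the format string changes. A single helper macro that expands to NULL or to its argument would keep each call readable and the policy in one place.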
76734 -diff -urNp linux-2.6.32.46/net/ipv4/tcp_minisocks.c linux-2.6.32.46/net/ipv4/tcp_minisocks.c
76735 ---- linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-03-27 14:31:47.000000000 -0400
76736 -+++ linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-04-17 15:56:46.000000000 -0400
76737 -@@ -26,6 +26,10 @@
76738 - #include <net/inet_common.h>
76739 - #include <net/xfrm.h>
76740 -
76741 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76742 -+extern int grsec_enable_blackhole;
76743 -+#endif
76744 -+
76745 - #ifdef CONFIG_SYSCTL
76746 - #define SYNC_INIT 0 /* let the user enable it */
76747 - #else
76748 -@@ -672,6 +676,10 @@ listen_overflow:
76749 -
76750 - embryonic_reset:
76751 - NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
76752 -+
76753 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76754 -+ if (!grsec_enable_blackhole)
76755 -+#endif
76756 - if (!(flg & TCP_FLAG_RST))
76757 - req->rsk_ops->send_reset(sk, skb);
76758 -
76759 -diff -urNp linux-2.6.32.46/net/ipv4/tcp_output.c linux-2.6.32.46/net/ipv4/tcp_output.c
76760 ---- linux-2.6.32.46/net/ipv4/tcp_output.c 2011-03-27 14:31:47.000000000 -0400
76761 -+++ linux-2.6.32.46/net/ipv4/tcp_output.c 2011-05-16 21:46:57.000000000 -0400
76762 -@@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
76763 - __u8 *md5_hash_location;
76764 - int mss;
76765 -
76766 -+ pax_track_stack();
76767 -+
76768 - skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
76769 - if (skb == NULL)
76770 - return NULL;
76771 -diff -urNp linux-2.6.32.46/net/ipv4/tcp_probe.c linux-2.6.32.46/net/ipv4/tcp_probe.c
76772 ---- linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-03-27 14:31:47.000000000 -0400
76773 -+++ linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-04-17 15:56:46.000000000 -0400
76774 -@@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
76775 - if (cnt + width >= len)
76776 - break;
76777 -
76778 -- if (copy_to_user(buf + cnt, tbuf, width))
76779 -+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
76780 - return -EFAULT;
76781 - cnt += width;
76782 - }
76783 -diff -urNp linux-2.6.32.46/net/ipv4/tcp_timer.c linux-2.6.32.46/net/ipv4/tcp_timer.c
76784 ---- linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-03-27 14:31:47.000000000 -0400
76785 -+++ linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-04-17 15:56:46.000000000 -0400
76786 -@@ -21,6 +21,10 @@
76787 - #include <linux/module.h>
76788 - #include <net/tcp.h>
76789 -
76790 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76791 -+extern int grsec_lastack_retries;
76792 -+#endif
76793 -+
76794 - int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
76795 - int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
76796 - int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
76797 -@@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
76798 - }
76799 - }
76800 -
76801 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76802 -+ if ((sk->sk_state == TCP_LAST_ACK) &&
76803 -+ (grsec_lastack_retries > 0) &&
76804 -+ (grsec_lastack_retries < retry_until))
76805 -+ retry_until = grsec_lastack_retries;
76806 -+#endif
76807 -+
76808 - if (retransmits_timed_out(sk, retry_until)) {
76809 - /* Has it gone just too far? */
76810 - tcp_write_err(sk);
76811 -diff -urNp linux-2.6.32.46/net/ipv4/udp.c linux-2.6.32.46/net/ipv4/udp.c
76812 ---- linux-2.6.32.46/net/ipv4/udp.c 2011-07-13 17:23:04.000000000 -0400
76813 -+++ linux-2.6.32.46/net/ipv4/udp.c 2011-08-23 21:22:32.000000000 -0400
76814 -@@ -86,6 +86,7 @@
76815 - #include <linux/types.h>
76816 - #include <linux/fcntl.h>
76817 - #include <linux/module.h>
76818 -+#include <linux/security.h>
76819 - #include <linux/socket.h>
76820 - #include <linux/sockios.h>
76821 - #include <linux/igmp.h>
76822 -@@ -106,6 +107,10 @@
76823 - #include <net/xfrm.h>
76824 - #include "udp_impl.h"
76825 -
76826 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76827 -+extern int grsec_enable_blackhole;
76828 -+#endif
76829 -+
76830 - struct udp_table udp_table;
76831 - EXPORT_SYMBOL(udp_table);
76832 -
76833 -@@ -371,6 +376,9 @@ found:
76834 - return s;
76835 - }
76836 -
76837 -+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
76838 -+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
76839 -+
76840 - /*
76841 - * This routine is called by the ICMP module when it gets some
76842 - * sort of error condition. If err < 0 then the socket should
76843 -@@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
76844 - dport = usin->sin_port;
76845 - if (dport == 0)
76846 - return -EINVAL;
76847 -+
76848 -+ err = gr_search_udp_sendmsg(sk, usin);
76849 -+ if (err)
76850 -+ return err;
76851 - } else {
76852 - if (sk->sk_state != TCP_ESTABLISHED)
76853 - return -EDESTADDRREQ;
76854 -+
76855 -+ err = gr_search_udp_sendmsg(sk, NULL);
76856 -+ if (err)
76857 -+ return err;
76858 -+
76859 - daddr = inet->daddr;
76860 - dport = inet->dport;
76861 - /* Open fast path for connected socket.
76862 -@@ -945,6 +962,10 @@ try_again:
76863 - if (!skb)
76864 - goto out;
76865 -
76866 -+ err = gr_search_udp_recvmsg(sk, skb);
76867 -+ if (err)
76868 -+ goto out_free;
76869 -+
76870 - ulen = skb->len - sizeof(struct udphdr);
76871 - copied = len;
76872 - if (copied > ulen)
76873 -@@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
76874 - if (rc == -ENOMEM) {
76875 - UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
76876 - is_udplite);
76877 -- atomic_inc(&sk->sk_drops);
76878 -+ atomic_inc_unchecked(&sk->sk_drops);
76879 - }
76880 - goto drop;
76881 - }
76882 -@@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
76883 - goto csum_error;
76884 -
76885 - UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
76886 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76887 -+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
76888 -+#endif
76889 - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
76890 -
76891 - /*
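Review bot: the unbraced if inside #ifdef CONFIG_GRKERNSEC_BLACKHOLE takes the following icmp_send() line as its body, which is easy to break if a statement is ever added between them. The same condition is repeated for icmpv6_send() in net/ipv6/udp.c, so a small inline helper that returns whether the reply should be suppressed, with a no-op version when the option is off, would remove the preprocessor block from both call sites.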
76892 -@@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
76893 - sk_wmem_alloc_get(sp),
76894 - sk_rmem_alloc_get(sp),
76895 - 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76896 -- atomic_read(&sp->sk_refcnt), sp,
76897 -- atomic_read(&sp->sk_drops), len);
76898 -+ atomic_read(&sp->sk_refcnt),
76899 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
76900 -+ NULL,
76901 -+#else
76902 -+ sp,
76903 -+#endif
76904 -+ atomic_read_unchecked(&sp->sk_drops), len);
76905 - }
76906 -
76907 - int udp4_seq_show(struct seq_file *seq, void *v)
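Review bot: an #ifdef CONFIG_GRKERNSEC_HIDESYM / #else / #endif block inside the argument list of udp4_format_sock is hard to read, and the same five lines recur in raw6_sock_seq_show, get_tcp6_sock and udp6_sock_seq_show later in this patch. A single macro in a shared header that evaluates to NULL or to the pointer would leave each call site with one argument and one place to change the policy.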
76908 -diff -urNp linux-2.6.32.46/net/ipv6/addrconf.c linux-2.6.32.46/net/ipv6/addrconf.c
76909 ---- linux-2.6.32.46/net/ipv6/addrconf.c 2011-05-10 22:12:02.000000000 -0400
76910 -+++ linux-2.6.32.46/net/ipv6/addrconf.c 2011-10-06 09:37:14.000000000 -0400
76911 -@@ -2053,7 +2053,7 @@ int addrconf_set_dstaddr(struct net *net
76912 - p.iph.ihl = 5;
76913 - p.iph.protocol = IPPROTO_IPV6;
76914 - p.iph.ttl = 64;
76915 -- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
76916 -+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
76917 -
76918 - if (ops->ndo_do_ioctl) {
76919 - mm_segment_t oldfs = get_fs();
76920 -diff -urNp linux-2.6.32.46/net/ipv6/inet6_connection_sock.c linux-2.6.32.46/net/ipv6/inet6_connection_sock.c
76921 ---- linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
76922 -+++ linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
76923 -@@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
76924 - #ifdef CONFIG_XFRM
76925 - {
76926 - struct rt6_info *rt = (struct rt6_info *)dst;
76927 -- rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
76928 -+ rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
76929 - }
76930 - #endif
76931 - }
76932 -@@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
76933 - #ifdef CONFIG_XFRM
76934 - if (dst) {
76935 - struct rt6_info *rt = (struct rt6_info *)dst;
76936 -- if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
76937 -+ if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
76938 - sk->sk_dst_cache = NULL;
76939 - dst_release(dst);
76940 - dst = NULL;
76941 -diff -urNp linux-2.6.32.46/net/ipv6/inet6_hashtables.c linux-2.6.32.46/net/ipv6/inet6_hashtables.c
76942 ---- linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-16 20:37:25.000000000 -0400
76943 -+++ linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-07 19:48:09.000000000 -0400
76944 -@@ -119,7 +119,7 @@ out:
76945 - }
76946 - EXPORT_SYMBOL(__inet6_lookup_established);
76947 -
76948 --static int inline compute_score(struct sock *sk, struct net *net,
76949 -+static inline int compute_score(struct sock *sk, struct net *net,
76950 - const unsigned short hnum,
76951 - const struct in6_addr *daddr,
76952 - const int dif)
76953 -diff -urNp linux-2.6.32.46/net/ipv6/ip6_tunnel.c linux-2.6.32.46/net/ipv6/ip6_tunnel.c
76954 ---- linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-09 18:35:30.000000000 -0400
76955 -+++ linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-24 18:52:25.000000000 -0400
76956 -@@ -1466,7 +1466,7 @@ static int __init ip6_tunnel_init(void)
76957 - {
76958 - int err;
76959 -
76960 -- err = register_pernet_device(&ip6_tnl_net_ops);
76961 -+ err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
76962 - if (err < 0)
76963 - goto out_pernet;
76964 -
76965 -@@ -1487,7 +1487,7 @@ static int __init ip6_tunnel_init(void)
76966 - out_ip6ip6:
76967 - xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
76968 - out_ip4ip6:
76969 -- unregister_pernet_device(&ip6_tnl_net_ops);
76970 -+ unregister_pernet_gen_device(ip6_tnl_net_id, &ip6_tnl_net_ops);
76971 - out_pernet:
76972 - return err;
76973 - }
76974 -diff -urNp linux-2.6.32.46/net/ipv6/ipv6_sockglue.c linux-2.6.32.46/net/ipv6/ipv6_sockglue.c
76975 ---- linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
76976 -+++ linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-10-06 09:37:16.000000000 -0400
76977 -@@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
76978 - int val, valbool;
76979 - int retv = -ENOPROTOOPT;
76980 -
76981 -+ pax_track_stack();
76982 -+
76983 - if (optval == NULL)
76984 - val=0;
76985 - else {
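Review bot: pax_track_stack() is added at the top of do_ipv6_setsockopt with no indication of why this function was selected. State the selection criterion in a comment or in the patch description, so that a reviewer can tell whether other functions in the file should get the same call and whether this one can be dropped if the function later changes.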
76986 -@@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
76987 - int len;
76988 - int val;
76989 -
76990 -+ pax_track_stack();
76991 -+
76992 - if (ip6_mroute_opt(optname))
76993 - return ip6_mroute_getsockopt(sk, optname, optval, optlen);
76994 -
76995 -@@ -922,7 +926,7 @@ static int do_ipv6_getsockopt(struct soc
76996 - if (sk->sk_type != SOCK_STREAM)
76997 - return -ENOPROTOOPT;
76998 -
76999 -- msg.msg_control = optval;
77000 -+ msg.msg_control = (void __force_kernel *)optval;
77001 - msg.msg_controllen = len;
77002 - msg.msg_flags = 0;
77003 -
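Review bot: the cast (void __force_kernel *)optval on the msg.msg_control assignment overrides the address-space annotation of optval without saying why that is safe. Add a comment naming the consumer of msg_control on this path and how it treats the pointer, since the cast removes the static check that would otherwise flag a mix-up.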
77004 -diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c
77005 ---- linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-03-27 14:31:47.000000000 -0400
77006 -+++ linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-08-21 18:43:32.000000000 -0400
77007 -@@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
77008 -
77009 - if (v->data_len < sizeof(*user_iph))
77010 - return 0;
77011 -+ if (v->data_len > 65535)
77012 -+ return -EMSGSIZE;
77013 -+
77014 - diff = v->data_len - e->skb->len;
77015 - if (diff < 0) {
77016 - if (pskb_trim(e->skb, v->data_len))
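Review bot: the new upper bound in ipq_mangle_ipv6 uses the bare literal 65535 and returns -EMSGSIZE, while the lower-bound check directly above it returns 0. Use a named constant for the limit and add a line on why the two bounds report failure differently, or make them consistent.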
77017 -@@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
77018 - static inline void
77019 - __ipq_rcv_skb(struct sk_buff *skb)
77020 - {
77021 -- int status, type, pid, flags, nlmsglen, skblen;
77022 -+ int status, type, pid, flags;
77023 -+ unsigned int nlmsglen, skblen;
77024 - struct nlmsghdr *nlh;
77025 -
77026 - skblen = skb->len;
77027 -diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c
77028 ---- linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400
77029 -+++ linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400
77030 -@@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
77031 - private = &tmp;
77032 - }
77033 - #endif
77034 -+ memset(&info, 0, sizeof(info));
77035 - info.valid_hooks = t->valid_hooks;
77036 - memcpy(info.hook_entry, private->hook_entry,
77037 - sizeof(info.hook_entry));
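Review bot: the memset(&info, 0, sizeof(info)) added in get_info has no comment, and since the fields are assigned one by one right after it, it looks redundant and could be removed in a later cleanup. One line stating that it clears padding and any fields not assigned below would protect it.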
77038 -diff -urNp linux-2.6.32.46/net/ipv6/raw.c linux-2.6.32.46/net/ipv6/raw.c
77039 ---- linux-2.6.32.46/net/ipv6/raw.c 2011-03-27 14:31:47.000000000 -0400
77040 -+++ linux-2.6.32.46/net/ipv6/raw.c 2011-08-14 11:48:20.000000000 -0400
77041 -@@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
77042 - {
77043 - if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
77044 - skb_checksum_complete(skb)) {
77045 -- atomic_inc(&sk->sk_drops);
77046 -+ atomic_inc_unchecked(&sk->sk_drops);
77047 - kfree_skb(skb);
77048 - return NET_RX_DROP;
77049 - }
77050 -
77051 - /* Charge it to the socket. */
77052 - if (sock_queue_rcv_skb(sk,skb)<0) {
77053 -- atomic_inc(&sk->sk_drops);
77054 -+ atomic_inc_unchecked(&sk->sk_drops);
77055 - kfree_skb(skb);
77056 - return NET_RX_DROP;
77057 - }
77058 -@@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77059 - struct raw6_sock *rp = raw6_sk(sk);
77060 -
77061 - if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
77062 -- atomic_inc(&sk->sk_drops);
77063 -+ atomic_inc_unchecked(&sk->sk_drops);
77064 - kfree_skb(skb);
77065 - return NET_RX_DROP;
77066 - }
77067 -@@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77068 -
77069 - if (inet->hdrincl) {
77070 - if (skb_checksum_complete(skb)) {
77071 -- atomic_inc(&sk->sk_drops);
77072 -+ atomic_inc_unchecked(&sk->sk_drops);
77073 - kfree_skb(skb);
77074 - return NET_RX_DROP;
77075 - }
77076 -@@ -518,7 +518,7 @@ csum_copy_err:
77077 - as some normal condition.
77078 - */
77079 - err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
77080 -- atomic_inc(&sk->sk_drops);
77081 -+ atomic_inc_unchecked(&sk->sk_drops);
77082 - goto out;
77083 - }
77084 -
77085 -@@ -600,7 +600,7 @@ out:
77086 - return err;
77087 - }
77088 -
77089 --static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
77090 -+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
77091 - struct flowi *fl, struct rt6_info *rt,
77092 - unsigned int flags)
77093 - {
77094 -@@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
77095 - u16 proto;
77096 - int err;
77097 -
77098 -+ pax_track_stack();
77099 -+
77100 - /* Rough check on arithmetic overflow,
77101 - better check is made in ip6_append_data().
77102 - */
77103 -@@ -916,12 +918,17 @@ do_confirm:
77104 - static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
77105 - char __user *optval, int optlen)
77106 - {
77107 -+ struct icmp6_filter filter;
77108 -+
77109 - switch (optname) {
77110 - case ICMPV6_FILTER:
77111 -+ if (optlen < 0)
77112 -+ return -EINVAL;
77113 - if (optlen > sizeof(struct icmp6_filter))
77114 - optlen = sizeof(struct icmp6_filter);
77115 -- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
77116 -+ if (copy_from_user(&filter, optval, optlen))
77117 - return -EFAULT;
77118 -+ raw6_sk(sk)->filter = filter;
77119 - return 0;
77120 - default:
77121 - return -ENOPROTOOPT;
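Review bot: in rawv6_seticmpfilter the on-stack filter is never initialised, so when optlen is smaller than sizeof(struct icmp6_filter), copy_from_user fills only the first optlen bytes and raw6_sk(sk)->filter = filter stores the remaining stack bytes in the socket. The old code left the tail of the socket's filter unchanged in that case. Initialise filter from raw6_sk(sk)->filter, or zero it, before the copy_from_user call.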
77122 -@@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
77123 - char __user *optval, int __user *optlen)
77124 - {
77125 - int len;
77126 -+ struct icmp6_filter filter;
77127 -
77128 - switch (optname) {
77129 - case ICMPV6_FILTER:
77130 -@@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
77131 - len = sizeof(struct icmp6_filter);
77132 - if (put_user(len, optlen))
77133 - return -EFAULT;
77134 -- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
77135 -+ filter = raw6_sk(sk)->filter;
77136 -+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
77137 - return -EFAULT;
77138 - return 0;
77139 - default:
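Review bot: the new len > sizeof filter test in rawv6_geticmpfilter runs after put_user(len, optlen) has already written the length back, and it reports an oversized length as -EFAULT. If the check is meant as a guard, do it before put_user and return -EINVAL; also write it as sizeof(filter) to match the sizeof(struct icmp6_filter) style used two lines above.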
77140 -@@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
77141 - 0, 0L, 0,
77142 - sock_i_uid(sp), 0,
77143 - sock_i_ino(sp),
77144 -- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77145 -+ atomic_read(&sp->sk_refcnt),
77146 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77147 -+ NULL,
77148 -+#else
77149 -+ sp,
77150 -+#endif
77151 -+ atomic_read_unchecked(&sp->sk_drops));
77152 - }
77153 -
77154 - static int raw6_seq_show(struct seq_file *seq, void *v)
77155 -diff -urNp linux-2.6.32.46/net/ipv6/tcp_ipv6.c linux-2.6.32.46/net/ipv6/tcp_ipv6.c
77156 ---- linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-16 20:37:25.000000000 -0400
77157 -+++ linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-07 19:48:09.000000000 -0400
77158 -@@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
77159 - }
77160 - #endif
77161 -
77162 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77163 -+extern int grsec_enable_blackhole;
77164 -+#endif
77165 -+
77166 - static void tcp_v6_hash(struct sock *sk)
77167 - {
77168 - if (sk->sk_state != TCP_CLOSE) {
77169 -@@ -1579,6 +1583,9 @@ static int tcp_v6_do_rcv(struct sock *sk
77170 - return 0;
77171 -
77172 - reset:
77173 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77174 -+ if (!grsec_enable_blackhole)
77175 -+#endif
77176 - tcp_v6_send_reset(sk, skb);
77177 - discard:
77178 - if (opt_skb)
77179 -@@ -1656,12 +1663,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
77180 - TCP_SKB_CB(skb)->sacked = 0;
77181 -
77182 - sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77183 -- if (!sk)
77184 -+ if (!sk) {
77185 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77186 -+ ret = 1;
77187 -+#endif
77188 - goto no_tcp_socket;
77189 -+ }
77190 -
77191 - process:
77192 -- if (sk->sk_state == TCP_TIME_WAIT)
77193 -+ if (sk->sk_state == TCP_TIME_WAIT) {
77194 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77195 -+ ret = 2;
77196 -+#endif
77197 - goto do_time_wait;
77198 -+ }
77199 -
77200 - if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
77201 - goto discard_and_relse;
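Review bot: tcp_v6_rcv now overloads ret with the bare values 1 and 2 to record which branch led to the jump, and the later no_tcp_socket hunk only tests ret == 1. Use a separate local variable with named values for this, and either drop the ret = 2 assignment or point to where it is consumed.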
77202 -@@ -1701,6 +1716,10 @@ no_tcp_socket:
77203 - bad_packet:
77204 - TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77205 - } else {
77206 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77207 -+ if (!grsec_enable_blackhole || (ret == 1 &&
77208 -+ (skb->dev->flags & IFF_LOOPBACK)))
77209 -+#endif
77210 - tcp_v6_send_reset(NULL, skb);
77211 - }
77212 -
77213 -@@ -1916,7 +1935,13 @@ static void get_openreq6(struct seq_file
77214 - uid,
77215 - 0, /* non standard timer */
77216 - 0, /* open_requests have no inode */
77217 -- 0, req);
77218 -+ 0,
77219 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77220 -+ NULL
77221 -+#else
77222 -+ req
77223 -+#endif
77224 -+ );
77225 - }
77226 -
77227 - static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
77228 -@@ -1966,7 +1991,12 @@ static void get_tcp6_sock(struct seq_fil
77229 - sock_i_uid(sp),
77230 - icsk->icsk_probes_out,
77231 - sock_i_ino(sp),
77232 -- atomic_read(&sp->sk_refcnt), sp,
77233 -+ atomic_read(&sp->sk_refcnt),
77234 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77235 -+ NULL,
77236 -+#else
77237 -+ sp,
77238 -+#endif
77239 - jiffies_to_clock_t(icsk->icsk_rto),
77240 - jiffies_to_clock_t(icsk->icsk_ack.ato),
77241 - (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
77242 -@@ -2001,7 +2031,13 @@ static void get_timewait6_sock(struct se
77243 - dest->s6_addr32[2], dest->s6_addr32[3], destp,
77244 - tw->tw_substate, 0, 0,
77245 - 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77246 -- atomic_read(&tw->tw_refcnt), tw);
77247 -+ atomic_read(&tw->tw_refcnt),
77248 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77249 -+ NULL
77250 -+#else
77251 -+ tw
77252 -+#endif
77253 -+ );
77254 - }
77255 -
77256 - static int tcp6_seq_show(struct seq_file *seq, void *v)
77257 -diff -urNp linux-2.6.32.46/net/ipv6/udp.c linux-2.6.32.46/net/ipv6/udp.c
77258 ---- linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:04.000000000 -0400
77259 -+++ linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:27.000000000 -0400
77260 -@@ -49,6 +49,10 @@
77261 - #include <linux/seq_file.h>
77262 - #include "udp_impl.h"
77263 -
77264 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77265 -+extern int grsec_enable_blackhole;
77266 -+#endif
77267 -+
77268 - int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
77269 - {
77270 - const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
77271 -@@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
77272 - if (rc == -ENOMEM) {
77273 - UDP6_INC_STATS_BH(sock_net(sk),
77274 - UDP_MIB_RCVBUFERRORS, is_udplite);
77275 -- atomic_inc(&sk->sk_drops);
77276 -+ atomic_inc_unchecked(&sk->sk_drops);
77277 - }
77278 - goto drop;
77279 - }
77280 -@@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77281 - UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77282 - proto == IPPROTO_UDPLITE);
77283 -
77284 -+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77285 -+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77286 -+#endif
77287 - icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
77288 -
77289 - kfree_skb(skb);
77290 -@@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
77291 - 0, 0L, 0,
77292 - sock_i_uid(sp), 0,
77293 - sock_i_ino(sp),
77294 -- atomic_read(&sp->sk_refcnt), sp,
77295 -- atomic_read(&sp->sk_drops));
77296 -+ atomic_read(&sp->sk_refcnt),
77297 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77298 -+ NULL,
77299 -+#else
77300 -+ sp,
77301 -+#endif
77302 -+ atomic_read_unchecked(&sp->sk_drops));
77303 - }
77304 -
77305 - int udp6_seq_show(struct seq_file *seq, void *v)
77306 -diff -urNp linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c
77307 ---- linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-03-27 14:31:47.000000000 -0400
77308 -+++ linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:56:46.000000000 -0400
77309 -@@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
77310 - add_wait_queue(&self->open_wait, &wait);
77311 -
77312 - IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77313 -- __FILE__,__LINE__, tty->driver->name, self->open_count );
77314 -+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77315 -
77316 - /* As far as I can see, we protect open_count - Jean II */
77317 - spin_lock_irqsave(&self->spinlock, flags);
77318 - if (!tty_hung_up_p(filp)) {
77319 - extra_count = 1;
77320 -- self->open_count--;
77321 -+ local_dec(&self->open_count);
77322 - }
77323 - spin_unlock_irqrestore(&self->spinlock, flags);
77324 -- self->blocked_open++;
77325 -+ local_inc(&self->blocked_open);
77326 -
77327 - while (1) {
77328 - if (tty->termios->c_cflag & CBAUD) {
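Review bot: local_t operations are atomic only with respect to the current CPU, so local_inc(&self->blocked_open) after spin_unlock_irqrestore in ircomm_tty_block_til_ready is no better protected against other CPUs than the blocked_open++ it replaces. State why open_count and blocked_open become local_t, and if cross-CPU safety is intended, either move the update under the spinlock or use atomic_t.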
77329 -@@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
77330 - }
77331 -
77332 - IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77333 -- __FILE__,__LINE__, tty->driver->name, self->open_count );
77334 -+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77335 -
77336 - schedule();
77337 - }
77338 -@@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
77339 - if (extra_count) {
77340 - /* ++ is not atomic, so this should be protected - Jean II */
77341 - spin_lock_irqsave(&self->spinlock, flags);
77342 -- self->open_count++;
77343 -+ local_inc(&self->open_count);
77344 - spin_unlock_irqrestore(&self->spinlock, flags);
77345 - }
77346 -- self->blocked_open--;
77347 -+ local_dec(&self->blocked_open);
77348 -
77349 - IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77350 -- __FILE__,__LINE__, tty->driver->name, self->open_count);
77351 -+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77352 -
77353 - if (!retval)
77354 - self->flags |= ASYNC_NORMAL_ACTIVE;
77355 -@@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
77356 - }
77357 - /* ++ is not atomic, so this should be protected - Jean II */
77358 - spin_lock_irqsave(&self->spinlock, flags);
77359 -- self->open_count++;
77360 -+ local_inc(&self->open_count);
77361 -
77362 - tty->driver_data = self;
77363 - self->tty = tty;
77364 - spin_unlock_irqrestore(&self->spinlock, flags);
77365 -
77366 - IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77367 -- self->line, self->open_count);
77368 -+ self->line, local_read(&self->open_count));
77369 -
77370 - /* Not really used by us, but lets do it anyway */
77371 - self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77372 -@@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
77373 - return;
77374 - }
77375 -
77376 -- if ((tty->count == 1) && (self->open_count != 1)) {
77377 -+ if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77378 - /*
77379 - * Uh, oh. tty->count is 1, which means that the tty
77380 - * structure will be freed. state->count should always
77381 -@@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
77382 - */
77383 - IRDA_DEBUG(0, "%s(), bad serial port count; "
77384 - "tty->count is 1, state->count is %d\n", __func__ ,
77385 -- self->open_count);
77386 -- self->open_count = 1;
77387 -+ local_read(&self->open_count));
77388 -+ local_set(&self->open_count, 1);
77389 - }
77390 -
77391 -- if (--self->open_count < 0) {
77392 -+ if (local_dec_return(&self->open_count) < 0) {
77393 - IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77394 -- __func__, self->line, self->open_count);
77395 -- self->open_count = 0;
77396 -+ __func__, self->line, local_read(&self->open_count));
77397 -+ local_set(&self->open_count, 0);
77398 - }
77399 -- if (self->open_count) {
77400 -+ if (local_read(&self->open_count)) {
77401 - spin_unlock_irqrestore(&self->spinlock, flags);
77402 -
77403 - IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77404 -@@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
77405 - tty->closing = 0;
77406 - self->tty = NULL;
77407 -
77408 -- if (self->blocked_open) {
77409 -+ if (local_read(&self->blocked_open)) {
77410 - if (self->close_delay)
77411 - schedule_timeout_interruptible(self->close_delay);
77412 - wake_up_interruptible(&self->open_wait);
77413 -@@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
77414 - spin_lock_irqsave(&self->spinlock, flags);
77415 - self->flags &= ~ASYNC_NORMAL_ACTIVE;
77416 - self->tty = NULL;
77417 -- self->open_count = 0;
77418 -+ local_set(&self->open_count, 0);
77419 - spin_unlock_irqrestore(&self->spinlock, flags);
77420 -
77421 - wake_up_interruptible(&self->open_wait);
77422 -@@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
77423 - seq_putc(m, '\n');
77424 -
77425 - seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77426 -- seq_printf(m, "Open count: %d\n", self->open_count);
77427 -+ seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77428 - seq_printf(m, "Max data size: %d\n", self->max_data_size);
77429 - seq_printf(m, "Max header size: %d\n", self->max_header_size);
77430 -
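Review bot: local_read() returns long, but the "Open count: %d\n" format in ircomm_tty_line_info still uses %d, which is a format/argument mismatch on 64-bit builds. Use %ld or cast the value to int; the IRDA_DEBUG and IRDA_ERROR calls converted earlier in this file have the same mismatch.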
77431 -diff -urNp linux-2.6.32.46/net/iucv/af_iucv.c linux-2.6.32.46/net/iucv/af_iucv.c
77432 ---- linux-2.6.32.46/net/iucv/af_iucv.c 2011-03-27 14:31:47.000000000 -0400
77433 -+++ linux-2.6.32.46/net/iucv/af_iucv.c 2011-05-04 17:56:28.000000000 -0400
77434 -@@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
77435 -
77436 - write_lock_bh(&iucv_sk_list.lock);
77437 -
77438 -- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77439 -+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77440 - while (__iucv_get_sock_by_name(name)) {
77441 - sprintf(name, "%08x",
77442 -- atomic_inc_return(&iucv_sk_list.autobind_name));
77443 -+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77444 - }
77445 -
77446 - write_unlock_bh(&iucv_sk_list.lock);
77447 -diff -urNp linux-2.6.32.46/net/key/af_key.c linux-2.6.32.46/net/key/af_key.c
77448 ---- linux-2.6.32.46/net/key/af_key.c 2011-03-27 14:31:47.000000000 -0400
77449 -+++ linux-2.6.32.46/net/key/af_key.c 2011-05-16 21:46:57.000000000 -0400
77450 -@@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
77451 - struct xfrm_migrate m[XFRM_MAX_DEPTH];
77452 - struct xfrm_kmaddress k;
77453 -
77454 -+ pax_track_stack();
77455 -+
77456 - if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77457 - ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77458 - !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77459 -@@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
77460 - seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77461 - else
77462 - seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77463 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
77464 -+ NULL,
77465 -+#else
77466 - s,
77467 -+#endif
77468 - atomic_read(&s->sk_refcnt),
77469 - sk_rmem_alloc_get(s),
77470 - sk_wmem_alloc_get(s),
77471 -diff -urNp linux-2.6.32.46/net/lapb/lapb_iface.c linux-2.6.32.46/net/lapb/lapb_iface.c
77472 ---- linux-2.6.32.46/net/lapb/lapb_iface.c 2011-03-27 14:31:47.000000000 -0400
77473 -+++ linux-2.6.32.46/net/lapb/lapb_iface.c 2011-08-05 20:33:55.000000000 -0400
77474 -@@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
77475 - goto out;
77476 -
77477 - lapb->dev = dev;
77478 -- lapb->callbacks = *callbacks;
77479 -+ lapb->callbacks = callbacks;
77480 -
77481 - __lapb_insert_cb(lapb);
77482 -
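Review bot: lapb->callbacks = callbacks in lapb_register now keeps the caller's pointer instead of a copy, so the structure passed in must stay valid for as long as the lapb_cb exists. Document that lifetime requirement at lapb_register and declare both the parameter and the field as pointers to const, so that a caller passing a stack or otherwise short-lived structure is caught in review.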
77483 -@@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
77484 -
77485 - void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
77486 - {
77487 -- if (lapb->callbacks.connect_confirmation)
77488 -- lapb->callbacks.connect_confirmation(lapb->dev, reason);
77489 -+ if (lapb->callbacks->connect_confirmation)
77490 -+ lapb->callbacks->connect_confirmation(lapb->dev, reason);
77491 - }
77492 -
77493 - void lapb_connect_indication(struct lapb_cb *lapb, int reason)
77494 - {
77495 -- if (lapb->callbacks.connect_indication)
77496 -- lapb->callbacks.connect_indication(lapb->dev, reason);
77497 -+ if (lapb->callbacks->connect_indication)
77498 -+ lapb->callbacks->connect_indication(lapb->dev, reason);
77499 - }
77500 -
77501 - void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
77502 - {
77503 -- if (lapb->callbacks.disconnect_confirmation)
77504 -- lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
77505 -+ if (lapb->callbacks->disconnect_confirmation)
77506 -+ lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
77507 - }
77508 -
77509 - void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
77510 - {
77511 -- if (lapb->callbacks.disconnect_indication)
77512 -- lapb->callbacks.disconnect_indication(lapb->dev, reason);
77513 -+ if (lapb->callbacks->disconnect_indication)
77514 -+ lapb->callbacks->disconnect_indication(lapb->dev, reason);
77515 - }
77516 -
77517 - int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
77518 - {
77519 -- if (lapb->callbacks.data_indication)
77520 -- return lapb->callbacks.data_indication(lapb->dev, skb);
77521 -+ if (lapb->callbacks->data_indication)
77522 -+ return lapb->callbacks->data_indication(lapb->dev, skb);
77523 -
77524 - kfree_skb(skb);
77525 - return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
77526 -@@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
77527 - {
77528 - int used = 0;
77529 -
77530 -- if (lapb->callbacks.data_transmit) {
77531 -- lapb->callbacks.data_transmit(lapb->dev, skb);
77532 -+ if (lapb->callbacks->data_transmit) {
77533 -+ lapb->callbacks->data_transmit(lapb->dev, skb);
77534 - used = 1;
77535 - }
77536 -
77537 -diff -urNp linux-2.6.32.46/net/mac80211/cfg.c linux-2.6.32.46/net/mac80211/cfg.c
77538 ---- linux-2.6.32.46/net/mac80211/cfg.c 2011-03-27 14:31:47.000000000 -0400
77539 -+++ linux-2.6.32.46/net/mac80211/cfg.c 2011-04-17 15:56:46.000000000 -0400
77540 -@@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
77541 - return err;
77542 - }
77543 -
77544 --struct cfg80211_ops mac80211_config_ops = {
77545 -+const struct cfg80211_ops mac80211_config_ops = {
77546 - .add_virtual_intf = ieee80211_add_iface,
77547 - .del_virtual_intf = ieee80211_del_iface,
77548 - .change_virtual_intf = ieee80211_change_iface,
77549 -diff -urNp linux-2.6.32.46/net/mac80211/cfg.h linux-2.6.32.46/net/mac80211/cfg.h
77550 ---- linux-2.6.32.46/net/mac80211/cfg.h 2011-03-27 14:31:47.000000000 -0400
77551 -+++ linux-2.6.32.46/net/mac80211/cfg.h 2011-04-17 15:56:46.000000000 -0400
77552 -@@ -4,6 +4,6 @@
77553 - #ifndef __CFG_H
77554 - #define __CFG_H
77555 -
77556 --extern struct cfg80211_ops mac80211_config_ops;
77557 -+extern const struct cfg80211_ops mac80211_config_ops;
77558 -
77559 - #endif /* __CFG_H */
77560 -diff -urNp linux-2.6.32.46/net/mac80211/debugfs_key.c linux-2.6.32.46/net/mac80211/debugfs_key.c
77561 ---- linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-03-27 14:31:47.000000000 -0400
77562 -+++ linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-04-17 15:56:46.000000000 -0400
77563 -@@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
77564 - size_t count, loff_t *ppos)
77565 - {
77566 - struct ieee80211_key *key = file->private_data;
77567 -- int i, res, bufsize = 2 * key->conf.keylen + 2;
77568 -+ int i, bufsize = 2 * key->conf.keylen + 2;
77569 - char *buf = kmalloc(bufsize, GFP_KERNEL);
77570 - char *p = buf;
77571 -+ ssize_t res;
77572 -+
77573 -+ if (buf == NULL)
77574 -+ return -ENOMEM;
77575 -
77576 - for (i = 0; i < key->conf.keylen; i++)
77577 - p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
77578 -diff -urNp linux-2.6.32.46/net/mac80211/debugfs_sta.c linux-2.6.32.46/net/mac80211/debugfs_sta.c
77579 ---- linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-03-27 14:31:47.000000000 -0400
77580 -+++ linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-05-16 21:46:57.000000000 -0400
77581 -@@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
77582 - int i;
77583 - struct sta_info *sta = file->private_data;
77584 -
77585 -+ pax_track_stack();
77586 -+
77587 - spin_lock_bh(&sta->lock);
77588 - p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
77589 - sta->ampdu_mlme.dialog_token_allocator + 1);
77590 -diff -urNp linux-2.6.32.46/net/mac80211/ieee80211_i.h linux-2.6.32.46/net/mac80211/ieee80211_i.h
77591 ---- linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-03-27 14:31:47.000000000 -0400
77592 -+++ linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-04-17 15:56:46.000000000 -0400
77593 -@@ -25,6 +25,7 @@
77594 - #include <linux/etherdevice.h>
77595 - #include <net/cfg80211.h>
77596 - #include <net/mac80211.h>
77597 -+#include <asm/local.h>
77598 - #include "key.h"
77599 - #include "sta_info.h"
77600 -
77601 -@@ -635,7 +636,7 @@ struct ieee80211_local {
77602 - /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77603 - spinlock_t queue_stop_reason_lock;
77604 -
77605 -- int open_count;
77606 -+ local_t open_count;
77607 - int monitors, cooked_mntrs;
77608 - /* number of interfaces with corresponding FIF_ flags */
77609 - int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
77610 -diff -urNp linux-2.6.32.46/net/mac80211/iface.c linux-2.6.32.46/net/mac80211/iface.c
77611 ---- linux-2.6.32.46/net/mac80211/iface.c 2011-03-27 14:31:47.000000000 -0400
77612 -+++ linux-2.6.32.46/net/mac80211/iface.c 2011-04-17 15:56:46.000000000 -0400
77613 -@@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
77614 - break;
77615 - }
77616 -
77617 -- if (local->open_count == 0) {
77618 -+ if (local_read(&local->open_count) == 0) {
77619 - res = drv_start(local);
77620 - if (res)
77621 - goto err_del_bss;
77622 -@@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
77623 - * Validate the MAC address for this device.
77624 - */
77625 - if (!is_valid_ether_addr(dev->dev_addr)) {
77626 -- if (!local->open_count)
77627 -+ if (!local_read(&local->open_count))
77628 - drv_stop(local);
77629 - return -EADDRNOTAVAIL;
77630 - }
77631 -@@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
77632 -
77633 - hw_reconf_flags |= __ieee80211_recalc_idle(local);
77634 -
77635 -- local->open_count++;
77636 -+ local_inc(&local->open_count);
77637 - if (hw_reconf_flags) {
77638 - ieee80211_hw_config(local, hw_reconf_flags);
77639 - /*
77640 -@@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
77641 - err_del_interface:
77642 - drv_remove_interface(local, &conf);
77643 - err_stop:
77644 -- if (!local->open_count)
77645 -+ if (!local_read(&local->open_count))
77646 - drv_stop(local);
77647 - err_del_bss:
77648 - sdata->bss = NULL;
77649 -@@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
77650 - WARN_ON(!list_empty(&sdata->u.ap.vlans));
77651 - }
77652 -
77653 -- local->open_count--;
77654 -+ local_dec(&local->open_count);
77655 -
77656 - switch (sdata->vif.type) {
77657 - case NL80211_IFTYPE_AP_VLAN:
77658 -@@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
77659 -
77660 - ieee80211_recalc_ps(local, -1);
77661 -
77662 -- if (local->open_count == 0) {
77663 -+ if (local_read(&local->open_count) == 0) {
77664 - ieee80211_clear_tx_pending(local);
77665 - ieee80211_stop_device(local);
77666 -
77667 -diff -urNp linux-2.6.32.46/net/mac80211/main.c linux-2.6.32.46/net/mac80211/main.c
77668 ---- linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:02.000000000 -0400
77669 -+++ linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:34.000000000 -0400
77670 -@@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
77671 - local->hw.conf.power_level = power;
77672 - }
77673 -
77674 -- if (changed && local->open_count) {
77675 -+ if (changed && local_read(&local->open_count)) {
77676 - ret = drv_config(local, changed);
77677 - /*
77678 - * Goal:
77679 -diff -urNp linux-2.6.32.46/net/mac80211/mlme.c linux-2.6.32.46/net/mac80211/mlme.c
77680 ---- linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:35:30.000000000 -0400
77681 -+++ linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:34:01.000000000 -0400
77682 -@@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
77683 - bool have_higher_than_11mbit = false, newsta = false;
77684 - u16 ap_ht_cap_flags;
77685 -
77686 -+ pax_track_stack();
77687 -+
77688 - /*
77689 - * AssocResp and ReassocResp have identical structure, so process both
77690 - * of them in this function.
77691 -diff -urNp linux-2.6.32.46/net/mac80211/pm.c linux-2.6.32.46/net/mac80211/pm.c
77692 ---- linux-2.6.32.46/net/mac80211/pm.c 2011-03-27 14:31:47.000000000 -0400
77693 -+++ linux-2.6.32.46/net/mac80211/pm.c 2011-04-17 15:56:46.000000000 -0400
77694 -@@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
77695 - }
77696 -
77697 - /* stop hardware - this must stop RX */
77698 -- if (local->open_count)
77699 -+ if (local_read(&local->open_count))
77700 - ieee80211_stop_device(local);
77701 -
77702 - local->suspended = true;
77703 -diff -urNp linux-2.6.32.46/net/mac80211/rate.c linux-2.6.32.46/net/mac80211/rate.c
77704 ---- linux-2.6.32.46/net/mac80211/rate.c 2011-03-27 14:31:47.000000000 -0400
77705 -+++ linux-2.6.32.46/net/mac80211/rate.c 2011-04-17 15:56:46.000000000 -0400
77706 -@@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77707 - struct rate_control_ref *ref, *old;
77708 -
77709 - ASSERT_RTNL();
77710 -- if (local->open_count)
77711 -+ if (local_read(&local->open_count))
77712 - return -EBUSY;
77713 -
77714 - ref = rate_control_alloc(name, local);
77715 -diff -urNp linux-2.6.32.46/net/mac80211/tx.c linux-2.6.32.46/net/mac80211/tx.c
77716 ---- linux-2.6.32.46/net/mac80211/tx.c 2011-03-27 14:31:47.000000000 -0400
77717 -+++ linux-2.6.32.46/net/mac80211/tx.c 2011-04-17 15:56:46.000000000 -0400
77718 -@@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
77719 - return cpu_to_le16(dur);
77720 - }
77721 -
77722 --static int inline is_ieee80211_device(struct ieee80211_local *local,
77723 -+static inline int is_ieee80211_device(struct ieee80211_local *local,
77724 - struct net_device *dev)
77725 - {
77726 - return local == wdev_priv(dev->ieee80211_ptr);
77727 -diff -urNp linux-2.6.32.46/net/mac80211/util.c linux-2.6.32.46/net/mac80211/util.c
77728 ---- linux-2.6.32.46/net/mac80211/util.c 2011-03-27 14:31:47.000000000 -0400
77729 -+++ linux-2.6.32.46/net/mac80211/util.c 2011-04-17 15:56:46.000000000 -0400
77730 -@@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
77731 - local->resuming = true;
77732 -
77733 - /* restart hardware */
77734 -- if (local->open_count) {
77735 -+ if (local_read(&local->open_count)) {
77736 - /*
77737 - * Upon resume hardware can sometimes be goofy due to
77738 - * various platform / driver / bus issues, so restarting
77739 -diff -urNp linux-2.6.32.46/net/netfilter/Kconfig linux-2.6.32.46/net/netfilter/Kconfig
77740 ---- linux-2.6.32.46/net/netfilter/Kconfig 2011-03-27 14:31:47.000000000 -0400
77741 -+++ linux-2.6.32.46/net/netfilter/Kconfig 2011-04-17 15:56:46.000000000 -0400
77742 -@@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
77743 -
77744 - To compile it as a module, choose M here. If unsure, say N.
77745 -
77746 -+config NETFILTER_XT_MATCH_GRADM
77747 -+ tristate '"gradm" match support'
77748 -+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
77749 -+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
77750 -+ ---help---
77751 -+ The gradm match allows to match on grsecurity RBAC being enabled.
77752 -+ It is useful when iptables rules are applied early on bootup to
77753 -+ prevent connections to the machine (except from a trusted host)
77754 -+ while the RBAC system is disabled.
77755 -+
77756 - config NETFILTER_XT_MATCH_HASHLIMIT
77757 - tristate '"hashlimit" match support'
77758 - depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
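Review bot: the help text for NETFILTER_XT_MATCH_GRADM describes a tristate option but omits the closing "To compile it as a module, choose M here. If unsure, say N." sentence that the ESP entry directly above it carries. It also says the match fires when RBAC is enabled while describing a use case (blocking connections while RBAC is disabled) that needs the inverted form, which the text never mentions. Add both, and reword "allows to match on" as "matches on".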
77759 -diff -urNp linux-2.6.32.46/net/netfilter/Makefile linux-2.6.32.46/net/netfilter/Makefile
77760 ---- linux-2.6.32.46/net/netfilter/Makefile 2011-03-27 14:31:47.000000000 -0400
77761 -+++ linux-2.6.32.46/net/netfilter/Makefile 2011-04-17 15:56:46.000000000 -0400
77762 -@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
77763 - obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
77764 - obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
77765 - obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
77766 -+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
77767 - obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
77768 - obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
77769 - obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
77770 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c
77771 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-03-27 14:31:47.000000000 -0400
77772 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:26:34.000000000 -0400
77773 -@@ -564,7 +564,7 @@ static const struct file_operations ip_v
77774 - .open = ip_vs_app_open,
77775 - .read = seq_read,
77776 - .llseek = seq_lseek,
77777 -- .release = seq_release,
77778 -+ .release = seq_release_net,
77779 - };
77780 - #endif
77781 -
77782 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c
77783 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-03-27 14:31:47.000000000 -0400
77784 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:26:34.000000000 -0400
77785 -@@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77786 - /* if the connection is not template and is created
77787 - * by sync, preserve the activity flag.
77788 - */
77789 -- cp->flags |= atomic_read(&dest->conn_flags) &
77790 -+ cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
77791 - (~IP_VS_CONN_F_INACTIVE);
77792 - else
77793 -- cp->flags |= atomic_read(&dest->conn_flags);
77794 -+ cp->flags |= atomic_read_unchecked(&dest->conn_flags);
77795 - cp->dest = dest;
77796 -
77797 - IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
77798 -@@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
77799 - atomic_set(&cp->refcnt, 1);
77800 -
77801 - atomic_set(&cp->n_control, 0);
77802 -- atomic_set(&cp->in_pkts, 0);
77803 -+ atomic_set_unchecked(&cp->in_pkts, 0);
77804 -
77805 - atomic_inc(&ip_vs_conn_count);
77806 - if (flags & IP_VS_CONN_F_NO_CPORT)
77807 -@@ -871,7 +871,7 @@ static const struct file_operations ip_v
77808 - .open = ip_vs_conn_open,
77809 - .read = seq_read,
77810 - .llseek = seq_lseek,
77811 -- .release = seq_release,
77812 -+ .release = seq_release_net,
77813 - };
77814 -
77815 - static const char *ip_vs_origin_name(unsigned flags)
77816 -@@ -934,7 +934,7 @@ static const struct file_operations ip_v
77817 - .open = ip_vs_conn_sync_open,
77818 - .read = seq_read,
77819 - .llseek = seq_lseek,
77820 -- .release = seq_release,
77821 -+ .release = seq_release_net,
77822 - };
77823 -
77824 - #endif
77825 -@@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
77826 -
77827 - /* Don't drop the entry if its number of incoming packets is not
77828 - located in [0, 8] */
77829 -- i = atomic_read(&cp->in_pkts);
77830 -+ i = atomic_read_unchecked(&cp->in_pkts);
77831 - if (i > 8 || i < 0) return 0;
77832 -
77833 - if (!todrop_rate[i]) return 0;
77834 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c
77835 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-03-27 14:31:47.000000000 -0400
77836 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-05-04 17:56:28.000000000 -0400
77837 -@@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
77838 - ret = cp->packet_xmit(skb, cp, pp);
77839 - /* do not touch skb anymore */
77840 -
77841 -- atomic_inc(&cp->in_pkts);
77842 -+ atomic_inc_unchecked(&cp->in_pkts);
77843 - ip_vs_conn_put(cp);
77844 - return ret;
77845 - }
77846 -@@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
77847 - * Sync connection if it is about to close to
77848 - * encorage the standby servers to update the connections timeout
77849 - */
77850 -- pkts = atomic_add_return(1, &cp->in_pkts);
77851 -+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77852 - if (af == AF_INET &&
77853 - (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
77854 - (((cp->protocol != IPPROTO_TCP ||
77855 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c
77856 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-27 14:31:47.000000000 -0400
77857 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:26:34.000000000 -0400
77858 -@@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
77859 - ip_vs_rs_hash(dest);
77860 - write_unlock_bh(&__ip_vs_rs_lock);
77861 - }
77862 -- atomic_set(&dest->conn_flags, conn_flags);
77863 -+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
77864 -
77865 - /* bind the service */
77866 - if (!dest->svc) {
77867 -@@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
77868 - " %-7s %-6d %-10d %-10d\n",
77869 - &dest->addr.in6,
77870 - ntohs(dest->port),
77871 -- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77872 -+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77873 - atomic_read(&dest->weight),
77874 - atomic_read(&dest->activeconns),
77875 - atomic_read(&dest->inactconns));
77876 -@@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
77877 - "%-7s %-6d %-10d %-10d\n",
77878 - ntohl(dest->addr.ip),
77879 - ntohs(dest->port),
77880 -- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77881 -+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77882 - atomic_read(&dest->weight),
77883 - atomic_read(&dest->activeconns),
77884 - atomic_read(&dest->inactconns));
77885 -@@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
77886 - .open = ip_vs_info_open,
77887 - .read = seq_read,
77888 - .llseek = seq_lseek,
77889 -- .release = seq_release_private,
77890 -+ .release = seq_release_net,
77891 - };
77892 -
77893 - #endif
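Review bot: `.release = seq_release_net` has to be paired with an open routine that uses the matching net-aware seq helper, and ip_vs_info_open is outside this hunk's context, so the pairing cannot be checked from the patch. The same applies to the `single_release_net` change in the next hunk and to the seq_release_net changes in ip_vs_app.c and ip_vs_conn.c. Each open side needs to be confirmed as already using the corresponding helper.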
77894 -@@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
77895 - .open = ip_vs_stats_seq_open,
77896 - .read = seq_read,
77897 - .llseek = seq_lseek,
77898 -- .release = single_release,
77899 -+ .release = single_release_net,
77900 - };
77901 -
77902 - #endif
77903 -@@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
77904 -
77905 - entry.addr = dest->addr.ip;
77906 - entry.port = dest->port;
77907 -- entry.conn_flags = atomic_read(&dest->conn_flags);
77908 -+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
77909 - entry.weight = atomic_read(&dest->weight);
77910 - entry.u_threshold = dest->u_threshold;
77911 - entry.l_threshold = dest->l_threshold;
77912 -@@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
77913 - unsigned char arg[128];
77914 - int ret = 0;
77915 -
77916 -+ pax_track_stack();
77917 -+
77918 - if (!capable(CAP_NET_ADMIN))
77919 - return -EPERM;
77920 -
77921 -@@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
77922 - NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
77923 -
77924 - NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
77925 -- atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77926 -+ atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77927 - NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
77928 - NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
77929 - NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
77930 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c
77931 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-03-27 14:31:47.000000000 -0400
77932 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-05-04 17:56:28.000000000 -0400
77933 -@@ -438,7 +438,7 @@ static void ip_vs_process_message(const
77934 -
77935 - if (opt)
77936 - memcpy(&cp->in_seq, opt, sizeof(*opt));
77937 -- atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
77938 -+ atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
77939 - cp->state = state;
77940 - cp->old_state = cp->state;
77941 - /*
77942 -diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c
77943 ---- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-27 14:31:47.000000000 -0400
77944 -+++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-04 17:56:28.000000000 -0400
77945 -@@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
77946 - else
77947 - rc = NF_ACCEPT;
77948 - /* do not touch skb anymore */
77949 -- atomic_inc(&cp->in_pkts);
77950 -+ atomic_inc_unchecked(&cp->in_pkts);
77951 - goto out;
77952 - }
77953 -
77954 -@@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
77955 - else
77956 - rc = NF_ACCEPT;
77957 - /* do not touch skb anymore */
77958 -- atomic_inc(&cp->in_pkts);
77959 -+ atomic_inc_unchecked(&cp->in_pkts);
77960 - goto out;
77961 - }
77962 -
77963 -diff -urNp linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c
77964 ---- linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-03-27 14:31:47.000000000 -0400
77965 -+++ linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:56:46.000000000 -0400
77966 -@@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
77967 - static int
77968 - ctnetlink_parse_tuple(const struct nlattr * const cda[],
77969 - struct nf_conntrack_tuple *tuple,
77970 -- enum ctattr_tuple type, u_int8_t l3num)
77971 -+ enum ctattr_type type, u_int8_t l3num)
77972 - {
77973 - struct nlattr *tb[CTA_TUPLE_MAX+1];
77974 - int err;
77975 -diff -urNp linux-2.6.32.46/net/netfilter/nfnetlink_log.c linux-2.6.32.46/net/netfilter/nfnetlink_log.c
77976 ---- linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-03-27 14:31:47.000000000 -0400
77977 -+++ linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-05-04 17:56:28.000000000 -0400
77978 -@@ -68,7 +68,7 @@ struct nfulnl_instance {
77979 - };
77980 -
77981 - static DEFINE_RWLOCK(instances_lock);
77982 --static atomic_t global_seq;
77983 -+static atomic_unchecked_t global_seq;
77984 -
77985 - #define INSTANCE_BUCKETS 16
77986 - static struct hlist_head instance_table[INSTANCE_BUCKETS];
77987 -@@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
77988 - /* global sequence number */
77989 - if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
77990 - NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
77991 -- htonl(atomic_inc_return(&global_seq)));
77992 -+ htonl(atomic_inc_return_unchecked(&global_seq)));
77993 -
77994 - if (data_len) {
77995 - struct nlattr *nla;
77996 -diff -urNp linux-2.6.32.46/net/netfilter/xt_gradm.c linux-2.6.32.46/net/netfilter/xt_gradm.c
77997 ---- linux-2.6.32.46/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
77998 -+++ linux-2.6.32.46/net/netfilter/xt_gradm.c 2011-04-17 15:56:46.000000000 -0400
77999 -@@ -0,0 +1,51 @@
78000 -+/*
78001 -+ * gradm match for netfilter
78002 -+ * Copyright © Zbigniew Krzystolik, 2010
78003 -+ *
78004 -+ * This program is free software; you can redistribute it and/or modify
78005 -+ * it under the terms of the GNU General Public License; either version
78006 -+ * 2 or 3 as published by the Free Software Foundation.
78007 -+ */
78008 -+#include <linux/module.h>
78009 -+#include <linux/moduleparam.h>
78010 -+#include <linux/skbuff.h>
78011 -+#include <linux/netfilter/x_tables.h>
78012 -+#include <linux/grsecurity.h>
78013 -+#include <linux/netfilter/xt_gradm.h>
78014 -+
78015 -+static bool
78016 -+gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
78017 -+{
78018 -+ const struct xt_gradm_mtinfo *info = par->matchinfo;
78019 -+ bool retval = false;
78020 -+ if (gr_acl_is_enabled())
78021 -+ retval = true;
78022 -+ return retval ^ info->invflags;
78023 -+}
78024 -+
78025 -+static struct xt_match gradm_mt_reg __read_mostly = {
78026 -+ .name = "gradm",
78027 -+ .revision = 0,
78028 -+ .family = NFPROTO_UNSPEC,
78029 -+ .match = gradm_mt,
78030 -+ .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
78031 -+ .me = THIS_MODULE,
78032 -+};
78033 -+
78034 -+static int __init gradm_mt_init(void)
78035 -+{
78036 -+ return xt_register_match(&gradm_mt_reg);
78037 -+}
78038 -+
78039 -+static void __exit gradm_mt_exit(void)
78040 -+{
78041 -+ xt_unregister_match(&gradm_mt_reg);
78042 -+}
78043 -+
78044 -+module_init(gradm_mt_init);
78045 -+module_exit(gradm_mt_exit);
78046 -+MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@××××××××××.pl>");
78047 -+MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
78048 -+MODULE_LICENSE("GPL");
78049 -+MODULE_ALIAS("ipt_gradm");
78050 -+MODULE_ALIAS("ip6t_gradm");
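Review bot: `return retval ^ info->invflags;` in gradm_mt treats invflags as a 0/1 value, but gradm_mt_reg has no `.checkentry` to reject anything else, so a rule loaded with any other nonzero invflags makes the XOR nonzero and the match true whether or not gr_acl_is_enabled() holds. Normalise the operand (`retval ^ !!info->invflags`) or add a checkentry that refuses unknown bits. The retval temporary and the `if` around it can then collapse into a single expression.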
78051 -diff -urNp linux-2.6.32.46/net/netlink/af_netlink.c linux-2.6.32.46/net/netlink/af_netlink.c
78052 ---- linux-2.6.32.46/net/netlink/af_netlink.c 2011-03-27 14:31:47.000000000 -0400
78053 -+++ linux-2.6.32.46/net/netlink/af_netlink.c 2011-05-04 17:56:28.000000000 -0400
78054 -@@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
78055 - sk->sk_error_report(sk);
78056 - }
78057 - }
78058 -- atomic_inc(&sk->sk_drops);
78059 -+ atomic_inc_unchecked(&sk->sk_drops);
78060 - }
78061 -
78062 - static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
78063 -@@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
78064 - struct netlink_sock *nlk = nlk_sk(s);
78065 -
78066 - seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
78067 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78068 -+ NULL,
78069 -+#else
78070 - s,
78071 -+#endif
78072 - s->sk_protocol,
78073 - nlk->pid,
78074 - nlk->groups ? (u32)nlk->groups[0] : 0,
78075 - sk_rmem_alloc_get(s),
78076 - sk_wmem_alloc_get(s),
78077 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78078 -+ NULL,
78079 -+#else
78080 - nlk->cb,
78081 -+#endif
78082 - atomic_read(&s->sk_refcnt),
78083 -- atomic_read(&s->sk_drops)
78084 -+ atomic_read_unchecked(&s->sk_drops)
78085 - );
78086 -
78087 - }
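Review bot: the `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL,` / `#else` blocks sit inside the seq_printf argument list, twice in netlink_seq_show, and the same pattern is open-coded again in packet_seq_show and pn_sock_seq_show further down. A single helper macro that yields NULL under HIDESYM and the pointer otherwise would keep the argument lists readable and make it harder to miss a `%p` argument when one of these format strings changes.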
78088 -diff -urNp linux-2.6.32.46/net/netrom/af_netrom.c linux-2.6.32.46/net/netrom/af_netrom.c
78089 ---- linux-2.6.32.46/net/netrom/af_netrom.c 2011-03-27 14:31:47.000000000 -0400
78090 -+++ linux-2.6.32.46/net/netrom/af_netrom.c 2011-04-17 15:56:46.000000000 -0400
78091 -@@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
78092 - struct sock *sk = sock->sk;
78093 - struct nr_sock *nr = nr_sk(sk);
78094 -
78095 -+ memset(sax, 0, sizeof(*sax));
78096 - lock_sock(sk);
78097 - if (peer != 0) {
78098 - if (sk->sk_state != TCP_ESTABLISHED) {
78099 -@@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
78100 - *uaddr_len = sizeof(struct full_sockaddr_ax25);
78101 - } else {
78102 - sax->fsa_ax25.sax25_family = AF_NETROM;
78103 -- sax->fsa_ax25.sax25_ndigis = 0;
78104 - sax->fsa_ax25.sax25_call = nr->source_addr;
78105 - *uaddr_len = sizeof(struct sockaddr_ax25);
78106 - }
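Review bot: dropping `sax->fsa_ax25.sax25_ndigis = 0;` makes the non-peer branch depend on the `memset(sax, 0, sizeof(*sax));` added at the top of nr_getname in the previous hunk, and nothing at either site says so. Add a short comment at the memset stating that it clears the whole address structure before it is handed back to the caller, so a later cleanup does not remove it as redundant.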
78107 -diff -urNp linux-2.6.32.46/net/packet/af_packet.c linux-2.6.32.46/net/packet/af_packet.c
78108 ---- linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:04.000000000 -0400
78109 -+++ linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:27.000000000 -0400
78110 -@@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_fi
78111 -
78112 - seq_printf(seq,
78113 - "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
78114 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78115 -+ NULL,
78116 -+#else
78117 - s,
78118 -+#endif
78119 - atomic_read(&s->sk_refcnt),
78120 - s->sk_type,
78121 - ntohs(po->num),
78122 -diff -urNp linux-2.6.32.46/net/phonet/af_phonet.c linux-2.6.32.46/net/phonet/af_phonet.c
78123 ---- linux-2.6.32.46/net/phonet/af_phonet.c 2011-03-27 14:31:47.000000000 -0400
78124 -+++ linux-2.6.32.46/net/phonet/af_phonet.c 2011-04-17 15:56:46.000000000 -0400
78125 -@@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
78126 - {
78127 - struct phonet_protocol *pp;
78128 -
78129 -- if (protocol >= PHONET_NPROTO)
78130 -+ if (protocol < 0 || protocol >= PHONET_NPROTO)
78131 - return NULL;
78132 -
78133 - spin_lock(&proto_tab_lock);
78134 -@@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
78135 - {
78136 - int err = 0;
78137 -
78138 -- if (protocol >= PHONET_NPROTO)
78139 -+ if (protocol < 0 || protocol >= PHONET_NPROTO)
78140 - return -EINVAL;
78141 -
78142 - err = proto_register(pp->prot, 1);
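Review bot: the `protocol < 0 ||` guard is added by hand in both functions touched in this file, which leaves any other use of protocol as a table index to be found and patched separately. If protocol is only ever such an index, declaring the parameter unsigned would make the existing `protocol >= PHONET_NPROTO` test sufficient on its own and remove the need to repeat the lower-bound test at each site.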
78143 -diff -urNp linux-2.6.32.46/net/phonet/datagram.c linux-2.6.32.46/net/phonet/datagram.c
78144 ---- linux-2.6.32.46/net/phonet/datagram.c 2011-03-27 14:31:47.000000000 -0400
78145 -+++ linux-2.6.32.46/net/phonet/datagram.c 2011-05-04 17:56:28.000000000 -0400
78146 -@@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
78147 - if (err < 0) {
78148 - kfree_skb(skb);
78149 - if (err == -ENOMEM)
78150 -- atomic_inc(&sk->sk_drops);
78151 -+ atomic_inc_unchecked(&sk->sk_drops);
78152 - }
78153 - return err ? NET_RX_DROP : NET_RX_SUCCESS;
78154 - }
78155 -diff -urNp linux-2.6.32.46/net/phonet/pep.c linux-2.6.32.46/net/phonet/pep.c
78156 ---- linux-2.6.32.46/net/phonet/pep.c 2011-03-27 14:31:47.000000000 -0400
78157 -+++ linux-2.6.32.46/net/phonet/pep.c 2011-05-04 17:56:28.000000000 -0400
78158 -@@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
78159 -
78160 - case PNS_PEP_CTRL_REQ:
78161 - if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
78162 -- atomic_inc(&sk->sk_drops);
78163 -+ atomic_inc_unchecked(&sk->sk_drops);
78164 - break;
78165 - }
78166 - __skb_pull(skb, 4);
78167 -@@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
78168 - if (!err)
78169 - return 0;
78170 - if (err == -ENOMEM)
78171 -- atomic_inc(&sk->sk_drops);
78172 -+ atomic_inc_unchecked(&sk->sk_drops);
78173 - break;
78174 - }
78175 -
78176 - if (pn->rx_credits == 0) {
78177 -- atomic_inc(&sk->sk_drops);
78178 -+ atomic_inc_unchecked(&sk->sk_drops);
78179 - err = -ENOBUFS;
78180 - break;
78181 - }
78182 -diff -urNp linux-2.6.32.46/net/phonet/socket.c linux-2.6.32.46/net/phonet/socket.c
78183 ---- linux-2.6.32.46/net/phonet/socket.c 2011-03-27 14:31:47.000000000 -0400
78184 -+++ linux-2.6.32.46/net/phonet/socket.c 2011-05-04 17:57:07.000000000 -0400
78185 -@@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
78186 - sk->sk_state,
78187 - sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
78188 - sock_i_uid(sk), sock_i_ino(sk),
78189 -- atomic_read(&sk->sk_refcnt), sk,
78190 -- atomic_read(&sk->sk_drops), &len);
78191 -+ atomic_read(&sk->sk_refcnt),
78192 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78193 -+ NULL,
78194 -+#else
78195 -+ sk,
78196 -+#endif
78197 -+ atomic_read_unchecked(&sk->sk_drops), &len);
78198 - }
78199 - seq_printf(seq, "%*s\n", 127 - len, "");
78200 - return 0;
78201 -diff -urNp linux-2.6.32.46/net/rds/Kconfig linux-2.6.32.46/net/rds/Kconfig
78202 ---- linux-2.6.32.46/net/rds/Kconfig 2011-03-27 14:31:47.000000000 -0400
78203 -+++ linux-2.6.32.46/net/rds/Kconfig 2011-04-17 15:56:46.000000000 -0400
78204 -@@ -1,7 +1,7 @@
78205 -
78206 - config RDS
78207 - tristate "The RDS Protocol (EXPERIMENTAL)"
78208 -- depends on INET && EXPERIMENTAL
78209 -+ depends on INET && EXPERIMENTAL && BROKEN
78210 - ---help---
78211 - The RDS (Reliable Datagram Sockets) protocol provides reliable,
78212 - sequenced delivery of datagrams over Infiniband, iWARP,
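Review bot: adding `&& BROKEN` to the RDS `depends on` line makes the option unselectable, but neither the Kconfig entry nor its help text says why. Put the reason in a comment above the `depends on` line or in the help text, so that whoever rebases this onto a newer kernel can tell when the restriction may be lifted.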
78213 -diff -urNp linux-2.6.32.46/net/rds/cong.c linux-2.6.32.46/net/rds/cong.c
78214 ---- linux-2.6.32.46/net/rds/cong.c 2011-03-27 14:31:47.000000000 -0400
78215 -+++ linux-2.6.32.46/net/rds/cong.c 2011-05-04 17:56:28.000000000 -0400
78216 -@@ -77,7 +77,7 @@
78217 - * finds that the saved generation number is smaller than the global generation
78218 - * number, it wakes up the process.
78219 - */
78220 --static atomic_t rds_cong_generation = ATOMIC_INIT(0);
78221 -+static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
78222 -
78223 - /*
78224 - * Congestion monitoring
78225 -@@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
78226 - rdsdebug("waking map %p for %pI4\n",
78227 - map, &map->m_addr);
78228 - rds_stats_inc(s_cong_update_received);
78229 -- atomic_inc(&rds_cong_generation);
78230 -+ atomic_inc_unchecked(&rds_cong_generation);
78231 - if (waitqueue_active(&map->m_waitq))
78232 - wake_up(&map->m_waitq);
78233 - if (waitqueue_active(&rds_poll_waitq))
78234 -@@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
78235 -
78236 - int rds_cong_updated_since(unsigned long *recent)
78237 - {
78238 -- unsigned long gen = atomic_read(&rds_cong_generation);
78239 -+ unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
78240 -
78241 - if (likely(*recent == gen))
78242 - return 0;
78243 -diff -urNp linux-2.6.32.46/net/rds/iw_rdma.c linux-2.6.32.46/net/rds/iw_rdma.c
78244 ---- linux-2.6.32.46/net/rds/iw_rdma.c 2011-03-27 14:31:47.000000000 -0400
78245 -+++ linux-2.6.32.46/net/rds/iw_rdma.c 2011-05-16 21:46:57.000000000 -0400
78246 -@@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78247 - struct rdma_cm_id *pcm_id;
78248 - int rc;
78249 -
78250 -+ pax_track_stack();
78251 -+
78252 - src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78253 - dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78254 -
78255 -diff -urNp linux-2.6.32.46/net/rds/tcp.c linux-2.6.32.46/net/rds/tcp.c
78256 ---- linux-2.6.32.46/net/rds/tcp.c 2011-03-27 14:31:47.000000000 -0400
78257 -+++ linux-2.6.32.46/net/rds/tcp.c 2011-10-06 09:37:16.000000000 -0400
78258 -@@ -57,7 +57,7 @@ void rds_tcp_nonagle(struct socket *sock
78259 - int val = 1;
78260 -
78261 - set_fs(KERNEL_DS);
78262 -- sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
78263 -+ sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
78264 - sizeof(val));
78265 - set_fs(oldfs);
78266 - }
78267 -diff -urNp linux-2.6.32.46/net/rds/tcp_send.c linux-2.6.32.46/net/rds/tcp_send.c
78268 ---- linux-2.6.32.46/net/rds/tcp_send.c 2011-03-27 14:31:47.000000000 -0400
78269 -+++ linux-2.6.32.46/net/rds/tcp_send.c 2011-10-06 09:37:16.000000000 -0400
78270 -@@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
78271 -
78272 - oldfs = get_fs();
78273 - set_fs(KERNEL_DS);
78274 -- sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
78275 -+ sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
78276 - sizeof(val));
78277 - set_fs(oldfs);
78278 - }
78279 -diff -urNp linux-2.6.32.46/net/rxrpc/af_rxrpc.c linux-2.6.32.46/net/rxrpc/af_rxrpc.c
78280 ---- linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
78281 -+++ linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
78282 -@@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
78283 - __be32 rxrpc_epoch;
78284 -
78285 - /* current debugging ID */
78286 --atomic_t rxrpc_debug_id;
78287 -+atomic_unchecked_t rxrpc_debug_id;
78288 -
78289 - /* count of skbs currently in use */
78290 - atomic_t rxrpc_n_skbs;
78291 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-ack.c linux-2.6.32.46/net/rxrpc/ar-ack.c
78292 ---- linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-03-27 14:31:47.000000000 -0400
78293 -+++ linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-05-16 21:46:57.000000000 -0400
78294 -@@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
78295 -
78296 - _enter("{%d,%d,%d,%d},",
78297 - call->acks_hard, call->acks_unacked,
78298 -- atomic_read(&call->sequence),
78299 -+ atomic_read_unchecked(&call->sequence),
78300 - CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78301 -
78302 - stop = 0;
78303 -@@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
78304 -
78305 - /* each Tx packet has a new serial number */
78306 - sp->hdr.serial =
78307 -- htonl(atomic_inc_return(&call->conn->serial));
78308 -+ htonl(atomic_inc_return_unchecked(&call->conn->serial));
78309 -
78310 - hdr = (struct rxrpc_header *) txb->head;
78311 - hdr->serial = sp->hdr.serial;
78312 -@@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
78313 - */
78314 - static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78315 - {
78316 -- rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78317 -+ rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78318 - }
78319 -
78320 - /*
78321 -@@ -627,7 +627,7 @@ process_further:
78322 -
78323 - latest = ntohl(sp->hdr.serial);
78324 - hard = ntohl(ack.firstPacket);
78325 -- tx = atomic_read(&call->sequence);
78326 -+ tx = atomic_read_unchecked(&call->sequence);
78327 -
78328 - _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78329 - latest,
78330 -@@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
78331 - u32 abort_code = RX_PROTOCOL_ERROR;
78332 - u8 *acks = NULL;
78333 -
78334 -+ pax_track_stack();
78335 -+
78336 - //printk("\n--------------------\n");
78337 - _enter("{%d,%s,%lx} [%lu]",
78338 - call->debug_id, rxrpc_call_states[call->state], call->events,
78339 -@@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
78340 - goto maybe_reschedule;
78341 -
78342 - send_ACK_with_skew:
78343 -- ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78344 -+ ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78345 - ntohl(ack.serial));
78346 - send_ACK:
78347 - mtu = call->conn->trans->peer->if_mtu;
78348 -@@ -1171,7 +1173,7 @@ send_ACK:
78349 - ackinfo.rxMTU = htonl(5692);
78350 - ackinfo.jumbo_max = htonl(4);
78351 -
78352 -- hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78353 -+ hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78354 - _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78355 - ntohl(hdr.serial),
78356 - ntohs(ack.maxSkew),
78357 -@@ -1189,7 +1191,7 @@ send_ACK:
78358 - send_message:
78359 - _debug("send message");
78360 -
78361 -- hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78362 -+ hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78363 - _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78364 - send_message_2:
78365 -
78366 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-call.c linux-2.6.32.46/net/rxrpc/ar-call.c
78367 ---- linux-2.6.32.46/net/rxrpc/ar-call.c 2011-03-27 14:31:47.000000000 -0400
78368 -+++ linux-2.6.32.46/net/rxrpc/ar-call.c 2011-05-04 17:56:28.000000000 -0400
78369 -@@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78370 - spin_lock_init(&call->lock);
78371 - rwlock_init(&call->state_lock);
78372 - atomic_set(&call->usage, 1);
78373 -- call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78374 -+ call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78375 - call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78376 -
78377 - memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78378 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-connection.c linux-2.6.32.46/net/rxrpc/ar-connection.c
78379 ---- linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-03-27 14:31:47.000000000 -0400
78380 -+++ linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-05-04 17:56:28.000000000 -0400
78381 -@@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
78382 - rwlock_init(&conn->lock);
78383 - spin_lock_init(&conn->state_lock);
78384 - atomic_set(&conn->usage, 1);
78385 -- conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78386 -+ conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78387 - conn->avail_calls = RXRPC_MAXCALLS;
78388 - conn->size_align = 4;
78389 - conn->header_size = sizeof(struct rxrpc_header);
78390 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-connevent.c linux-2.6.32.46/net/rxrpc/ar-connevent.c
78391 ---- linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-03-27 14:31:47.000000000 -0400
78392 -+++ linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-05-04 17:56:28.000000000 -0400
78393 -@@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78394 -
78395 - len = iov[0].iov_len + iov[1].iov_len;
78396 -
78397 -- hdr.serial = htonl(atomic_inc_return(&conn->serial));
78398 -+ hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78399 - _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78400 -
78401 - ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78402 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-input.c linux-2.6.32.46/net/rxrpc/ar-input.c
78403 ---- linux-2.6.32.46/net/rxrpc/ar-input.c 2011-03-27 14:31:47.000000000 -0400
78404 -+++ linux-2.6.32.46/net/rxrpc/ar-input.c 2011-05-04 17:56:28.000000000 -0400
78405 -@@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
78406 - /* track the latest serial number on this connection for ACK packet
78407 - * information */
78408 - serial = ntohl(sp->hdr.serial);
78409 -- hi_serial = atomic_read(&call->conn->hi_serial);
78410 -+ hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78411 - while (serial > hi_serial)
78412 -- hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78413 -+ hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78414 - serial);
78415 -
78416 - /* request ACK generation for any ACK or DATA packet that requests
78417 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-internal.h linux-2.6.32.46/net/rxrpc/ar-internal.h
78418 ---- linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-03-27 14:31:47.000000000 -0400
78419 -+++ linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-05-04 17:56:28.000000000 -0400
78420 -@@ -272,8 +272,8 @@ struct rxrpc_connection {
78421 - int error; /* error code for local abort */
78422 - int debug_id; /* debug ID for printks */
78423 - unsigned call_counter; /* call ID counter */
78424 -- atomic_t serial; /* packet serial number counter */
78425 -- atomic_t hi_serial; /* highest serial number received */
78426 -+ atomic_unchecked_t serial; /* packet serial number counter */
78427 -+ atomic_unchecked_t hi_serial; /* highest serial number received */
78428 - u8 avail_calls; /* number of calls available */
78429 - u8 size_align; /* data size alignment (for security) */
78430 - u8 header_size; /* rxrpc + security header size */
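Review bot: in struct rxrpc_connection, serial and hi_serial become atomic_unchecked_t but the field comments still only say what the counters hold. Add a word to each comment that wrap-around is expected and that these are not reference counts, so the pattern is not later copied onto a field like usage, which correctly stays atomic_t.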
78431 -@@ -346,7 +346,7 @@ struct rxrpc_call {
78432 - spinlock_t lock;
78433 - rwlock_t state_lock; /* lock for state transition */
78434 - atomic_t usage;
78435 -- atomic_t sequence; /* Tx data packet sequence counter */
78436 -+ atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78437 - u32 abort_code; /* local/remote abort code */
78438 - enum { /* current state of call */
78439 - RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78440 -@@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78441 - */
78442 - extern atomic_t rxrpc_n_skbs;
78443 - extern __be32 rxrpc_epoch;
78444 --extern atomic_t rxrpc_debug_id;
78445 -+extern atomic_unchecked_t rxrpc_debug_id;
78446 - extern struct workqueue_struct *rxrpc_workqueue;
78447 -
78448 - /*
78449 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-key.c linux-2.6.32.46/net/rxrpc/ar-key.c
78450 ---- linux-2.6.32.46/net/rxrpc/ar-key.c 2011-03-27 14:31:47.000000000 -0400
78451 -+++ linux-2.6.32.46/net/rxrpc/ar-key.c 2011-04-17 15:56:46.000000000 -0400
78452 -@@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
78453 - return ret;
78454 -
78455 - plen -= sizeof(*token);
78456 -- token = kmalloc(sizeof(*token), GFP_KERNEL);
78457 -+ token = kzalloc(sizeof(*token), GFP_KERNEL);
78458 - if (!token)
78459 - return -ENOMEM;
78460 -
78461 -- token->kad = kmalloc(plen, GFP_KERNEL);
78462 -+ token->kad = kzalloc(plen, GFP_KERNEL);
78463 - if (!token->kad) {
78464 - kfree(token);
78465 - return -ENOMEM;
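Review bot: both allocations in rxrpc_instantiate_xdr_rxkad() change from kmalloc to kzalloc, but nothing here says which fields of token or token->kad were being left uninitialised. If the aim is to avoid exposing stale heap contents, state that in a comment or in the patch description. While touching these lines, also confirm that plen cannot underflow: it is reduced by sizeof(*token) immediately before kzalloc(plen, GFP_KERNEL), and the visible context shows no lower-bound check on the result.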
78466 -@@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
78467 - goto error;
78468 -
78469 - ret = -ENOMEM;
78470 -- token = kmalloc(sizeof(*token), GFP_KERNEL);
78471 -+ token = kzalloc(sizeof(*token), GFP_KERNEL);
78472 - if (!token)
78473 - goto error;
78474 -- token->kad = kmalloc(plen, GFP_KERNEL);
78475 -+ token->kad = kzalloc(plen, GFP_KERNEL);
78476 - if (!token->kad)
78477 - goto error_free;
78478 -
78479 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-local.c linux-2.6.32.46/net/rxrpc/ar-local.c
78480 ---- linux-2.6.32.46/net/rxrpc/ar-local.c 2011-03-27 14:31:47.000000000 -0400
78481 -+++ linux-2.6.32.46/net/rxrpc/ar-local.c 2011-05-04 17:56:28.000000000 -0400
78482 -@@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78483 - spin_lock_init(&local->lock);
78484 - rwlock_init(&local->services_lock);
78485 - atomic_set(&local->usage, 1);
78486 -- local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78487 -+ local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78488 - memcpy(&local->srx, srx, sizeof(*srx));
78489 - }
78490 -
78491 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-output.c linux-2.6.32.46/net/rxrpc/ar-output.c
78492 ---- linux-2.6.32.46/net/rxrpc/ar-output.c 2011-03-27 14:31:47.000000000 -0400
78493 -+++ linux-2.6.32.46/net/rxrpc/ar-output.c 2011-05-04 17:56:28.000000000 -0400
78494 -@@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
78495 - sp->hdr.cid = call->cid;
78496 - sp->hdr.callNumber = call->call_id;
78497 - sp->hdr.seq =
78498 -- htonl(atomic_inc_return(&call->sequence));
78499 -+ htonl(atomic_inc_return_unchecked(&call->sequence));
78500 - sp->hdr.serial =
78501 -- htonl(atomic_inc_return(&conn->serial));
78502 -+ htonl(atomic_inc_return_unchecked(&conn->serial));
78503 - sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78504 - sp->hdr.userStatus = 0;
78505 - sp->hdr.securityIndex = conn->security_ix;
78506 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-peer.c linux-2.6.32.46/net/rxrpc/ar-peer.c
78507 ---- linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-03-27 14:31:47.000000000 -0400
78508 -+++ linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-05-04 17:56:28.000000000 -0400
78509 -@@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78510 - INIT_LIST_HEAD(&peer->error_targets);
78511 - spin_lock_init(&peer->lock);
78512 - atomic_set(&peer->usage, 1);
78513 -- peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78514 -+ peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78515 - memcpy(&peer->srx, srx, sizeof(*srx));
78516 -
78517 - rxrpc_assess_MTU_size(peer);
78518 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-proc.c linux-2.6.32.46/net/rxrpc/ar-proc.c
78519 ---- linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-03-27 14:31:47.000000000 -0400
78520 -+++ linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-05-04 17:56:28.000000000 -0400
78521 -@@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78522 - atomic_read(&conn->usage),
78523 - rxrpc_conn_states[conn->state],
78524 - key_serial(conn->key),
78525 -- atomic_read(&conn->serial),
78526 -- atomic_read(&conn->hi_serial));
78527 -+ atomic_read_unchecked(&conn->serial),
78528 -+ atomic_read_unchecked(&conn->hi_serial));
78529 -
78530 - return 0;
78531 - }
78532 -diff -urNp linux-2.6.32.46/net/rxrpc/ar-transport.c linux-2.6.32.46/net/rxrpc/ar-transport.c
78533 ---- linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-03-27 14:31:47.000000000 -0400
78534 -+++ linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-05-04 17:56:28.000000000 -0400
78535 -@@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
78536 - spin_lock_init(&trans->client_lock);
78537 - rwlock_init(&trans->conn_lock);
78538 - atomic_set(&trans->usage, 1);
78539 -- trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78540 -+ trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78541 -
78542 - if (peer->srx.transport.family == AF_INET) {
78543 - switch (peer->srx.transport_type) {
78544 -diff -urNp linux-2.6.32.46/net/rxrpc/rxkad.c linux-2.6.32.46/net/rxrpc/rxkad.c
78545 ---- linux-2.6.32.46/net/rxrpc/rxkad.c 2011-03-27 14:31:47.000000000 -0400
78546 -+++ linux-2.6.32.46/net/rxrpc/rxkad.c 2011-05-16 21:46:57.000000000 -0400
78547 -@@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
78548 - u16 check;
78549 - int nsg;
78550 -
78551 -+ pax_track_stack();
78552 -+
78553 - sp = rxrpc_skb(skb);
78554 -
78555 - _enter("");
78556 -@@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
78557 - u16 check;
78558 - int nsg;
78559 -
78560 -+ pax_track_stack();
78561 -+
78562 - _enter("");
78563 -
78564 - sp = rxrpc_skb(skb);
78565 -@@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
78566 -
78567 - len = iov[0].iov_len + iov[1].iov_len;
78568 -
78569 -- hdr.serial = htonl(atomic_inc_return(&conn->serial));
78570 -+ hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78571 - _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78572 -
78573 - ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78574 -@@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
78575 -
78576 - len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78577 -
78578 -- hdr->serial = htonl(atomic_inc_return(&conn->serial));
78579 -+ hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78580 - _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78581 -
78582 - ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78583 -diff -urNp linux-2.6.32.46/net/sctp/proc.c linux-2.6.32.46/net/sctp/proc.c
78584 ---- linux-2.6.32.46/net/sctp/proc.c 2011-03-27 14:31:47.000000000 -0400
78585 -+++ linux-2.6.32.46/net/sctp/proc.c 2011-04-17 15:56:46.000000000 -0400
78586 -@@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
78587 - sctp_for_each_hentry(epb, node, &head->chain) {
78588 - ep = sctp_ep(epb);
78589 - sk = epb->sk;
78590 -- seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78591 -+ seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78592 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78593 -+ NULL, NULL,
78594 -+#else
78595 -+ ep, sk,
78596 -+#endif
78597 - sctp_sk(sk)->type, sk->sk_state, hash,
78598 - epb->bind_addr.port,
78599 - sock_i_uid(sk), sock_i_ino(sk));
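Review bot: the #ifdef CONFIG_GRKERNSEC_HIDESYM block sits inside the seq_printf() argument list in sctp_eps_seq_show(), and the same construct is repeated in sctp_assocs_seq_show(). A small macro or inline helper that yields either NULL or the pointer would keep the argument lists readable and put the hiding policy in one place.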
78600 -@@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
78601 - seq_printf(seq,
78602 - "%8p %8p %-3d %-3d %-2d %-4d "
78603 - "%4d %8d %8d %7d %5lu %-5d %5d ",
78604 -- assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78605 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
78606 -+ NULL, NULL,
78607 -+#else
78608 -+ assoc, sk,
78609 -+#endif
78610 -+ sctp_sk(sk)->type, sk->sk_state,
78611 - assoc->state, hash,
78612 - assoc->assoc_id,
78613 - assoc->sndbuf_used,
78614 -diff -urNp linux-2.6.32.46/net/sctp/socket.c linux-2.6.32.46/net/sctp/socket.c
78615 ---- linux-2.6.32.46/net/sctp/socket.c 2011-03-27 14:31:47.000000000 -0400
78616 -+++ linux-2.6.32.46/net/sctp/socket.c 2011-04-23 12:56:11.000000000 -0400
78617 -@@ -5802,7 +5802,6 @@ pp_found:
78618 - */
78619 - int reuse = sk->sk_reuse;
78620 - struct sock *sk2;
78621 -- struct hlist_node *node;
78622 -
78623 - SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
78624 - if (pp->fastreuse && sk->sk_reuse &&
78625 -diff -urNp linux-2.6.32.46/net/socket.c linux-2.6.32.46/net/socket.c
78626 ---- linux-2.6.32.46/net/socket.c 2011-03-27 14:31:47.000000000 -0400
78627 -+++ linux-2.6.32.46/net/socket.c 2011-10-06 09:37:16.000000000 -0400
78628 -@@ -87,6 +87,7 @@
78629 - #include <linux/wireless.h>
78630 - #include <linux/nsproxy.h>
78631 - #include <linux/magic.h>
78632 -+#include <linux/in.h>
78633 -
78634 - #include <asm/uaccess.h>
78635 - #include <asm/unistd.h>
78636 -@@ -97,6 +98,21 @@
78637 - #include <net/sock.h>
78638 - #include <linux/netfilter.h>
78639 -
78640 -+extern void gr_attach_curr_ip(const struct sock *sk);
78641 -+extern int gr_handle_sock_all(const int family, const int type,
78642 -+ const int protocol);
78643 -+extern int gr_handle_sock_server(const struct sockaddr *sck);
78644 -+extern int gr_handle_sock_server_other(const struct sock *sck);
78645 -+extern int gr_handle_sock_client(const struct sockaddr *sck);
78646 -+extern int gr_search_connect(struct socket * sock,
78647 -+ struct sockaddr_in * addr);
78648 -+extern int gr_search_bind(struct socket * sock,
78649 -+ struct sockaddr_in * addr);
78650 -+extern int gr_search_listen(struct socket * sock);
78651 -+extern int gr_search_accept(struct socket * sock);
78652 -+extern int gr_search_socket(const int domain, const int type,
78653 -+ const int protocol);
78654 -+
78655 - static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
78656 - static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
78657 - unsigned long nr_segs, loff_t pos);
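Review bot: the ten gr_* prototypes are declared extern inside net/socket.c rather than coming from a shared header, so a signature change at their definition would not be caught by the compiler at these call sites. Move them to a header included by both the callers and the implementation, and fix the 'struct socket * sock' spacing to 'struct socket *sock' while doing so.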
78658 -@@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
78659 - mnt);
78660 - }
78661 -
78662 --static struct vfsmount *sock_mnt __read_mostly;
78663 -+struct vfsmount *sock_mnt __read_mostly;
78664 -
78665 - static struct file_system_type sock_fs_type = {
78666 - .name = "sockfs",
78667 -@@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
78668 - return -EAFNOSUPPORT;
78669 - if (type < 0 || type >= SOCK_MAX)
78670 - return -EINVAL;
78671 -+ if (protocol < 0)
78672 -+ return -EINVAL;
78673 -
78674 - /* Compatibility.
78675 -
78676 -@@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
78677 - if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
78678 - flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
78679 -
78680 -+ if(!gr_search_socket(family, type, protocol)) {
78681 -+ retval = -EACCES;
78682 -+ goto out;
78683 -+ }
78684 -+
78685 -+ if (gr_handle_sock_all(family, type, protocol)) {
78686 -+ retval = -EACCES;
78687 -+ goto out;
78688 -+ }
78689 -+
78690 - retval = sock_create(family, type, protocol, &sock);
78691 - if (retval < 0)
78692 - goto out;
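Review bot: the two checks added to the socket() path use opposite return conventions: gr_search_socket() denies on a zero return while gr_handle_sock_all() denies on a non-zero return, and both map to -EACCES. That is easy to get wrong at the next call site; document each function's return value where it is declared, or fold both calls into one helper that returns an errno. Also, 'if(!gr_search_socket' is missing the space after if.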
78693 -@@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78694 - if (sock) {
78695 - err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
78696 - if (err >= 0) {
78697 -+ if (gr_handle_sock_server((struct sockaddr *)&address)) {
78698 -+ err = -EACCES;
78699 -+ goto error;
78700 -+ }
78701 -+ err = gr_search_bind(sock, (struct sockaddr_in *)&address);
78702 -+ if (err)
78703 -+ goto error;
78704 -+
78705 - err = security_socket_bind(sock,
78706 - (struct sockaddr *)&address,
78707 - addrlen);
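Review bot: gr_search_bind() is handed '(struct sockaddr_in *)&address', although the buffer filled by move_addr_to_kernel() can hold an address of any family, and addrlen is not passed along. The hook therefore has to check sa_family before reading any sin_* field and cannot tell how many bytes userspace actually supplied. Either pass a struct sockaddr * together with addrlen, or add a comment at the call stating that the callee validates the family first.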
78708 -@@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78709 - (struct sockaddr *)
78710 - &address, addrlen);
78711 - }
78712 -+error:
78713 - fput_light(sock->file, fput_needed);
78714 - }
78715 - return err;
78716 -@@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
78717 - if ((unsigned)backlog > somaxconn)
78718 - backlog = somaxconn;
78719 -
78720 -+ if (gr_handle_sock_server_other(sock->sk)) {
78721 -+ err = -EPERM;
78722 -+ goto error;
78723 -+ }
78724 -+
78725 -+ err = gr_search_listen(sock);
78726 -+ if (err)
78727 -+ goto error;
78728 -+
78729 - err = security_socket_listen(sock, backlog);
78730 - if (!err)
78731 - err = sock->ops->listen(sock, backlog);
78732 -
78733 -+error:
78734 - fput_light(sock->file, fput_needed);
78735 - }
78736 - return err;
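Review bot: a denial from gr_handle_sock_server_other() in listen() returns -EPERM, while the analogous gr_handle_sock_server() check in bind() returns -EACCES. If the difference is intentional a comment should say why; otherwise pick one errno so userspace sees consistent failures from the same policy.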
78737 -@@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78738 - newsock->type = sock->type;
78739 - newsock->ops = sock->ops;
78740 -
78741 -+ if (gr_handle_sock_server_other(sock->sk)) {
78742 -+ err = -EPERM;
78743 -+ sock_release(newsock);
78744 -+ goto out_put;
78745 -+ }
78746 -+
78747 -+ err = gr_search_accept(sock);
78748 -+ if (err) {
78749 -+ sock_release(newsock);
78750 -+ goto out_put;
78751 -+ }
78752 -+
78753 - /*
78754 - * We don't need try_module_get here, as the listening socket (sock)
78755 - * has the protocol module (sock->ops->owner) held.
78756 -@@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78757 - fd_install(newfd, newfile);
78758 - err = newfd;
78759 -
78760 -+ gr_attach_curr_ip(newsock->sk);
78761 -+
78762 - out_put:
78763 - fput_light(sock->file, fput_needed);
78764 - out:
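Review bot: gr_attach_curr_ip(newsock->sk) is called after fd_install(newfd, newfile). Once the descriptor is installed, another thread sharing the file table can close it, so newsock may already have been released by the time the hook dereferences it. Move the call above fd_install().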
78765 -@@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78766 - int, addrlen)
78767 - {
78768 - struct socket *sock;
78769 -+ struct sockaddr *sck;
78770 - struct sockaddr_storage address;
78771 - int err, fput_needed;
78772 -
78773 -@@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78774 - if (err < 0)
78775 - goto out_put;
78776 -
78777 -+ sck = (struct sockaddr *)&address;
78778 -+
78779 -+ if (gr_handle_sock_client(sck)) {
78780 -+ err = -EACCES;
78781 -+ goto out_put;
78782 -+ }
78783 -+
78784 -+ err = gr_search_connect(sock, (struct sockaddr_in *)sck);
78785 -+ if (err)
78786 -+ goto out_put;
78787 -+
78788 - err =
78789 - security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
78790 - if (err)
78791 -@@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
78792 - int err, ctl_len, iov_size, total_len;
78793 - int fput_needed;
78794 -
78795 -+ pax_track_stack();
78796 -+
78797 - err = -EFAULT;
78798 - if (MSG_CMSG_COMPAT & flags) {
78799 - if (get_compat_msghdr(&msg_sys, msg_compat))
78800 -@@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct
78801 - * kernel msghdr to use the kernel address space)
78802 - */
78803 -
78804 -- uaddr = (__force void __user *)msg_sys.msg_name;
78805 -+ uaddr = (void __force_user *)msg_sys.msg_name;
78806 - uaddr_len = COMPAT_NAMELEN(msg);
78807 - if (MSG_CMSG_COMPAT & flags) {
78808 - err = verify_compat_iovec(&msg_sys, iov,
78809 -diff -urNp linux-2.6.32.46/net/sunrpc/sched.c linux-2.6.32.46/net/sunrpc/sched.c
78810 ---- linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:35:30.000000000 -0400
78811 -+++ linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:34:01.000000000 -0400
78812 -@@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
78813 - #ifdef RPC_DEBUG
78814 - static void rpc_task_set_debuginfo(struct rpc_task *task)
78815 - {
78816 -- static atomic_t rpc_pid;
78817 -+ static atomic_unchecked_t rpc_pid;
78818 -
78819 - task->tk_magic = RPC_TASK_MAGIC_ID;
78820 -- task->tk_pid = atomic_inc_return(&rpc_pid);
78821 -+ task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
78822 - }
78823 - #else
78824 - static inline void rpc_task_set_debuginfo(struct rpc_task *task)
78825 -diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c
78826 ---- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-27 14:31:47.000000000 -0400
78827 -+++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-04 17:56:20.000000000 -0400
78828 -@@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
78829 - static unsigned int min_max_inline = 4096;
78830 - static unsigned int max_max_inline = 65536;
78831 -
78832 --atomic_t rdma_stat_recv;
78833 --atomic_t rdma_stat_read;
78834 --atomic_t rdma_stat_write;
78835 --atomic_t rdma_stat_sq_starve;
78836 --atomic_t rdma_stat_rq_starve;
78837 --atomic_t rdma_stat_rq_poll;
78838 --atomic_t rdma_stat_rq_prod;
78839 --atomic_t rdma_stat_sq_poll;
78840 --atomic_t rdma_stat_sq_prod;
78841 -+atomic_unchecked_t rdma_stat_recv;
78842 -+atomic_unchecked_t rdma_stat_read;
78843 -+atomic_unchecked_t rdma_stat_write;
78844 -+atomic_unchecked_t rdma_stat_sq_starve;
78845 -+atomic_unchecked_t rdma_stat_rq_starve;
78846 -+atomic_unchecked_t rdma_stat_rq_poll;
78847 -+atomic_unchecked_t rdma_stat_rq_prod;
78848 -+atomic_unchecked_t rdma_stat_sq_poll;
78849 -+atomic_unchecked_t rdma_stat_sq_prod;
78850 -
78851 - /* Temporary NFS request map and context caches */
78852 - struct kmem_cache *svc_rdma_map_cachep;
78853 -@@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
78854 - len -= *ppos;
78855 - if (len > *lenp)
78856 - len = *lenp;
78857 -- if (len && copy_to_user(buffer, str_buf, len))
78858 -+ if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
78859 - return -EFAULT;
78860 - *lenp = len;
78861 - *ppos += len;
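Review bot: the new bound in 'if (len > sizeof str_buf || ...)' reports an oversized length as -EFAULT, the same errno as a failed copy_to_user(), so the two failures cannot be told apart. Consider clamping len to sizeof(str_buf) alongside the existing clamp to *lenp, or returning -EINVAL, and write sizeof(str_buf) with parentheses to match kernel style. If len is a signed type, the comparison against a size_t also relies on implicit conversion to reject a negative value left by 'len -= *ppos'; an explicit check would be clearer.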
78862 -@@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
78863 - {
78864 - .procname = "rdma_stat_read",
78865 - .data = &rdma_stat_read,
78866 -- .maxlen = sizeof(atomic_t),
78867 -+ .maxlen = sizeof(atomic_unchecked_t),
78868 - .mode = 0644,
78869 - .proc_handler = &read_reset_stat,
78870 - },
78871 - {
78872 - .procname = "rdma_stat_recv",
78873 - .data = &rdma_stat_recv,
78874 -- .maxlen = sizeof(atomic_t),
78875 -+ .maxlen = sizeof(atomic_unchecked_t),
78876 - .mode = 0644,
78877 - .proc_handler = &read_reset_stat,
78878 - },
78879 - {
78880 - .procname = "rdma_stat_write",
78881 - .data = &rdma_stat_write,
78882 -- .maxlen = sizeof(atomic_t),
78883 -+ .maxlen = sizeof(atomic_unchecked_t),
78884 - .mode = 0644,
78885 - .proc_handler = &read_reset_stat,
78886 - },
78887 - {
78888 - .procname = "rdma_stat_sq_starve",
78889 - .data = &rdma_stat_sq_starve,
78890 -- .maxlen = sizeof(atomic_t),
78891 -+ .maxlen = sizeof(atomic_unchecked_t),
78892 - .mode = 0644,
78893 - .proc_handler = &read_reset_stat,
78894 - },
78895 - {
78896 - .procname = "rdma_stat_rq_starve",
78897 - .data = &rdma_stat_rq_starve,
78898 -- .maxlen = sizeof(atomic_t),
78899 -+ .maxlen = sizeof(atomic_unchecked_t),
78900 - .mode = 0644,
78901 - .proc_handler = &read_reset_stat,
78902 - },
78903 - {
78904 - .procname = "rdma_stat_rq_poll",
78905 - .data = &rdma_stat_rq_poll,
78906 -- .maxlen = sizeof(atomic_t),
78907 -+ .maxlen = sizeof(atomic_unchecked_t),
78908 - .mode = 0644,
78909 - .proc_handler = &read_reset_stat,
78910 - },
78911 - {
78912 - .procname = "rdma_stat_rq_prod",
78913 - .data = &rdma_stat_rq_prod,
78914 -- .maxlen = sizeof(atomic_t),
78915 -+ .maxlen = sizeof(atomic_unchecked_t),
78916 - .mode = 0644,
78917 - .proc_handler = &read_reset_stat,
78918 - },
78919 - {
78920 - .procname = "rdma_stat_sq_poll",
78921 - .data = &rdma_stat_sq_poll,
78922 -- .maxlen = sizeof(atomic_t),
78923 -+ .maxlen = sizeof(atomic_unchecked_t),
78924 - .mode = 0644,
78925 - .proc_handler = &read_reset_stat,
78926 - },
78927 - {
78928 - .procname = "rdma_stat_sq_prod",
78929 - .data = &rdma_stat_sq_prod,
78930 -- .maxlen = sizeof(atomic_t),
78931 -+ .maxlen = sizeof(atomic_unchecked_t),
78932 - .mode = 0644,
78933 - .proc_handler = &read_reset_stat,
78934 - },
78935 -diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
78936 ---- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-27 14:31:47.000000000 -0400
78937 -+++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-04 17:56:28.000000000 -0400
78938 -@@ -495,7 +495,7 @@ next_sge:
78939 - svc_rdma_put_context(ctxt, 0);
78940 - goto out;
78941 - }
78942 -- atomic_inc(&rdma_stat_read);
78943 -+ atomic_inc_unchecked(&rdma_stat_read);
78944 -
78945 - if (read_wr.num_sge < chl_map->ch[ch_no].count) {
78946 - chl_map->ch[ch_no].count -= read_wr.num_sge;
78947 -@@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78948 - dto_q);
78949 - list_del_init(&ctxt->dto_q);
78950 - } else {
78951 -- atomic_inc(&rdma_stat_rq_starve);
78952 -+ atomic_inc_unchecked(&rdma_stat_rq_starve);
78953 - clear_bit(XPT_DATA, &xprt->xpt_flags);
78954 - ctxt = NULL;
78955 - }
78956 -@@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78957 - dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
78958 - ctxt, rdma_xprt, rqstp, ctxt->wc_status);
78959 - BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
78960 -- atomic_inc(&rdma_stat_recv);
78961 -+ atomic_inc_unchecked(&rdma_stat_recv);
78962 -
78963 - /* Build up the XDR from the receive buffers. */
78964 - rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
78965 -diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c
78966 ---- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-27 14:31:47.000000000 -0400
78967 -+++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-04 17:56:28.000000000 -0400
78968 -@@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
78969 - write_wr.wr.rdma.remote_addr = to;
78970 -
78971 - /* Post It */
78972 -- atomic_inc(&rdma_stat_write);
78973 -+ atomic_inc_unchecked(&rdma_stat_write);
78974 - if (svc_rdma_send(xprt, &write_wr))
78975 - goto err;
78976 - return 0;
78977 -diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c
78978 ---- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-27 14:31:47.000000000 -0400
78979 -+++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-04 17:56:28.000000000 -0400
78980 -@@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
78981 - return;
78982 -
78983 - ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
78984 -- atomic_inc(&rdma_stat_rq_poll);
78985 -+ atomic_inc_unchecked(&rdma_stat_rq_poll);
78986 -
78987 - while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
78988 - ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
78989 -@@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
78990 - }
78991 -
78992 - if (ctxt)
78993 -- atomic_inc(&rdma_stat_rq_prod);
78994 -+ atomic_inc_unchecked(&rdma_stat_rq_prod);
78995 -
78996 - set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
78997 - /*
78998 -@@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
78999 - return;
79000 -
79001 - ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
79002 -- atomic_inc(&rdma_stat_sq_poll);
79003 -+ atomic_inc_unchecked(&rdma_stat_sq_poll);
79004 - while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
79005 - if (wc.status != IB_WC_SUCCESS)
79006 - /* Close the transport */
79007 -@@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
79008 - }
79009 -
79010 - if (ctxt)
79011 -- atomic_inc(&rdma_stat_sq_prod);
79012 -+ atomic_inc_unchecked(&rdma_stat_sq_prod);
79013 - }
79014 -
79015 - static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
79016 -@@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
79017 - spin_lock_bh(&xprt->sc_lock);
79018 - if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
79019 - spin_unlock_bh(&xprt->sc_lock);
79020 -- atomic_inc(&rdma_stat_sq_starve);
79021 -+ atomic_inc_unchecked(&rdma_stat_sq_starve);
79022 -
79023 - /* See if we can opportunistically reap SQ WR to make room */
79024 - sq_cq_reap(xprt);
79025 -diff -urNp linux-2.6.32.46/net/sysctl_net.c linux-2.6.32.46/net/sysctl_net.c
79026 ---- linux-2.6.32.46/net/sysctl_net.c 2011-03-27 14:31:47.000000000 -0400
79027 -+++ linux-2.6.32.46/net/sysctl_net.c 2011-04-17 15:56:46.000000000 -0400
79028 -@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
79029 - struct ctl_table *table)
79030 - {
79031 - /* Allow network administrator to have same access as root. */
79032 -- if (capable(CAP_NET_ADMIN)) {
79033 -+ if (capable_nolog(CAP_NET_ADMIN)) {
79034 - int mode = (table->mode >> 6) & 7;
79035 - return (mode << 6) | (mode << 3) | mode;
79036 - }
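Review bot: capable() is replaced by capable_nolog() in net_ctl_permissions() with no comment. The reason for suppressing the log on this CAP_NET_ADMIN check is not evident from the code; add a one-line comment so the call is not changed back to capable() in a later cleanup.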
79037 -diff -urNp linux-2.6.32.46/net/tipc/link.c linux-2.6.32.46/net/tipc/link.c
79038 ---- linux-2.6.32.46/net/tipc/link.c 2011-03-27 14:31:47.000000000 -0400
79039 -+++ linux-2.6.32.46/net/tipc/link.c 2011-10-06 09:37:16.000000000 -0400
79040 -@@ -1418,7 +1418,7 @@ again:
79041 -
79042 - if (!sect_rest) {
79043 - sect_rest = msg_sect[++curr_sect].iov_len;
79044 -- sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
79045 -+ sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
79046 - }
79047 -
79048 - if (sect_rest < fragm_rest)
79049 -@@ -1437,7 +1437,7 @@ error:
79050 - }
79051 - } else
79052 - skb_copy_to_linear_data_offset(buf, fragm_crs,
79053 -- sect_crs, sz);
79054 -+ (const void __force_kernel *)sect_crs, sz);
79055 - sect_crs += sz;
79056 - sect_rest -= sz;
79057 - fragm_crs += sz;
79058 -diff -urNp linux-2.6.32.46/net/tipc/subscr.c linux-2.6.32.46/net/tipc/subscr.c
79059 ---- linux-2.6.32.46/net/tipc/subscr.c 2011-03-27 14:31:47.000000000 -0400
79060 -+++ linux-2.6.32.46/net/tipc/subscr.c 2011-10-06 09:37:16.000000000 -0400
79061 -@@ -104,7 +104,7 @@ static void subscr_send_event(struct sub
79062 - {
79063 - struct iovec msg_sect;
79064 -
79065 -- msg_sect.iov_base = (void *)&sub->evt;
79066 -+ msg_sect.iov_base = (void __force_user *)&sub->evt;
79067 - msg_sect.iov_len = sizeof(struct tipc_event);
79068 -
79069 - sub->evt.event = htohl(event, sub->swap);
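Review bot: '(void __force_user *)&sub->evt' labels a kernel object as a user pointer only to satisfy the iov_base type, and net/tipc/link.c then casts sect_crs back with __force_kernel before skb_copy_to_linear_data_offset(). The two forced casts cancel the checking that the __user annotation is meant to provide. Add a comment at both sites stating which callers supply kernel memory, so the pairing stays reviewable.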
79070 -diff -urNp linux-2.6.32.46/net/unix/af_unix.c linux-2.6.32.46/net/unix/af_unix.c
79071 ---- linux-2.6.32.46/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
79072 -+++ linux-2.6.32.46/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -0400
79073 -@@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
79074 - err = -ECONNREFUSED;
79075 - if (!S_ISSOCK(inode->i_mode))
79076 - goto put_fail;
79077 -+
79078 -+ if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
79079 -+ err = -EACCES;
79080 -+ goto put_fail;
79081 -+ }
79082 -+
79083 - u = unix_find_socket_byinode(net, inode);
79084 - if (!u)
79085 - goto put_fail;
79086 -@@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
79087 - if (u) {
79088 - struct dentry *dentry;
79089 - dentry = unix_sk(u)->dentry;
79090 -+
79091 -+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
79092 -+ err = -EPERM;
79093 -+ sock_put(u);
79094 -+ goto fail;
79095 -+ }
79096 -+
79097 - if (dentry)
79098 - touch_atime(unix_sk(u)->mnt, dentry);
79099 - } else
79100 -@@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
79101 - err = security_path_mknod(&nd.path, dentry, mode, 0);
79102 - if (err)
79103 - goto out_mknod_drop_write;
79104 -+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
79105 -+ err = -EACCES;
79106 -+ goto out_mknod_drop_write;
79107 -+ }
79108 - err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
79109 - out_mknod_drop_write:
79110 - mnt_drop_write(nd.path.mnt);
79111 - if (err)
79112 - goto out_mknod_dput;
79113 -+
79114 -+ gr_handle_create(dentry, nd.path.mnt);
79115 -+
79116 - mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
79117 - dput(nd.path.dentry);
79118 - nd.path.dentry = dentry;
79119 -@@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file
79120 - unix_state_lock(s);
79121 -
79122 - seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
79123 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
79124 -+ NULL,
79125 -+#else
79126 - s,
79127 -+#endif
79128 - atomic_read(&s->sk_refcnt),
79129 - 0,
79130 - s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
79131 -diff -urNp linux-2.6.32.46/net/wireless/core.h linux-2.6.32.46/net/wireless/core.h
79132 ---- linux-2.6.32.46/net/wireless/core.h 2011-03-27 14:31:47.000000000 -0400
79133 -+++ linux-2.6.32.46/net/wireless/core.h 2011-08-23 21:22:38.000000000 -0400
79134 -@@ -27,7 +27,7 @@ struct cfg80211_registered_device {
79135 - struct mutex mtx;
79136 -
79137 - /* rfkill support */
79138 -- struct rfkill_ops rfkill_ops;
79139 -+ rfkill_ops_no_const rfkill_ops;
79140 - struct rfkill *rfkill;
79141 - struct work_struct rfkill_sync;
79142 -
79143 -diff -urNp linux-2.6.32.46/net/wireless/wext.c linux-2.6.32.46/net/wireless/wext.c
79144 ---- linux-2.6.32.46/net/wireless/wext.c 2011-03-27 14:31:47.000000000 -0400
79145 -+++ linux-2.6.32.46/net/wireless/wext.c 2011-04-17 15:56:46.000000000 -0400
79146 -@@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
79147 - */
79148 -
79149 - /* Support for very large requests */
79150 -- if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
79151 -- (user_length > descr->max_tokens)) {
79152 -+ if (user_length > descr->max_tokens) {
79153 - /* Allow userspace to GET more than max so
79154 - * we can support any size GET requests.
79155 - * There is still a limit : -ENOMEM.
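Review bot: dropping the IW_DESCR_FLAG_NOMAX test makes the 'user_length > descr->max_tokens' branch apply to every descriptor, but the retained comments ('Support for very large requests', 'Allow userspace to GET more than max') still read as describing a special case. Update them to match, and state in the patch why the flag is no longer consulted, since the following hunk also removes the code that set iwp->length = descr->max_tokens for GETs without NOMAX.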
79156 -@@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
79157 - }
79158 - }
79159 -
79160 -- if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
79161 -- /*
79162 -- * If this is a GET, but not NOMAX, it means that the extra
79163 -- * data is not bounded by userspace, but by max_tokens. Thus
79164 -- * set the length to max_tokens. This matches the extra data
79165 -- * allocation.
79166 -- * The driver should fill it with the number of tokens it
79167 -- * provided, and it may check iwp->length rather than having
79168 -- * knowledge of max_tokens. If the driver doesn't change the
79169 -- * iwp->length, this ioctl just copies back max_token tokens
79170 -- * filled with zeroes. Hopefully the driver isn't claiming
79171 -- * them to be valid data.
79172 -- */
79173 -- iwp->length = descr->max_tokens;
79174 -- }
79175 --
79176 - err = handler(dev, info, (union iwreq_data *) iwp, extra);
79177 -
79178 - iwp->length += essid_compat;
79179 -diff -urNp linux-2.6.32.46/net/xfrm/xfrm_policy.c linux-2.6.32.46/net/xfrm/xfrm_policy.c
79180 ---- linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-03-27 14:31:47.000000000 -0400
79181 -+++ linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-05-04 17:56:20.000000000 -0400
79182 -@@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
79183 - hlist_add_head(&policy->bydst, chain);
79184 - xfrm_pol_hold(policy);
79185 - net->xfrm.policy_count[dir]++;
79186 -- atomic_inc(&flow_cache_genid);
79187 -+ atomic_inc_unchecked(&flow_cache_genid);
79188 - if (delpol)
79189 - __xfrm_policy_unlink(delpol, dir);
79190 - policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
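Review bot: `atomic_inc_unchecked(&flow_cache_genid)` here, and the matching `atomic_read_unchecked()` calls in the later hunks of this file, depend on `flow_cache_genid` being declared with the unchecked atomic type, and that declaration is not touched in this file. Please confirm the declaration and every other user are converted in the same change. If the reason for opting out of overflow checking is that this is a generation id only ever compared for inequality (as in the `genid != atomic_read_unchecked(...)` test further down), a one-line comment at the declaration should say so.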
79191 -@@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
79192 - write_unlock_bh(&xfrm_policy_lock);
79193 -
79194 - if (ret && delete) {
79195 -- atomic_inc(&flow_cache_genid);
79196 -+ atomic_inc_unchecked(&flow_cache_genid);
79197 - xfrm_policy_kill(ret);
79198 - }
79199 - return ret;
79200 -@@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
79201 - write_unlock_bh(&xfrm_policy_lock);
79202 -
79203 - if (ret && delete) {
79204 -- atomic_inc(&flow_cache_genid);
79205 -+ atomic_inc_unchecked(&flow_cache_genid);
79206 - xfrm_policy_kill(ret);
79207 - }
79208 - return ret;
79209 -@@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
79210 - }
79211 -
79212 - }
79213 -- atomic_inc(&flow_cache_genid);
79214 -+ atomic_inc_unchecked(&flow_cache_genid);
79215 - out:
79216 - write_unlock_bh(&xfrm_policy_lock);
79217 - return err;
79218 -@@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
79219 - write_unlock_bh(&xfrm_policy_lock);
79220 - if (pol) {
79221 - if (dir < XFRM_POLICY_MAX)
79222 -- atomic_inc(&flow_cache_genid);
79223 -+ atomic_inc_unchecked(&flow_cache_genid);
79224 - xfrm_policy_kill(pol);
79225 - return 0;
79226 - }
79227 -@@ -1477,7 +1477,7 @@ free_dst:
79228 - goto out;
79229 - }
79230 -
79231 --static int inline
79232 -+static inline int
79233 - xfrm_dst_alloc_copy(void **target, void *src, int size)
79234 - {
79235 - if (!*target) {
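Review bot: the `static int inline` to `static inline int` reordering in this hunk and the next two is a pure style cleanup mixed in between the `flow_cache_genid` conversions. It is correct, but it belongs in a separate cleanup patch so the functional change can be reviewed and carried forward on its own.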
79236 -@@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
79237 - return 0;
79238 - }
79239 -
79240 --static int inline
79241 -+static inline int
79242 - xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
79243 - {
79244 - #ifdef CONFIG_XFRM_SUB_POLICY
79245 -@@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
79246 - #endif
79247 - }
79248 -
79249 --static int inline
79250 -+static inline int
79251 - xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
79252 - {
79253 - #ifdef CONFIG_XFRM_SUB_POLICY
79254 -@@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
79255 - u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
79256 -
79257 - restart:
79258 -- genid = atomic_read(&flow_cache_genid);
79259 -+ genid = atomic_read_unchecked(&flow_cache_genid);
79260 - policy = NULL;
79261 - for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
79262 - pols[pi] = NULL;
79263 -@@ -1680,7 +1680,7 @@ restart:
79264 - goto error;
79265 - }
79266 - if (nx == -EAGAIN ||
79267 -- genid != atomic_read(&flow_cache_genid)) {
79268 -+ genid != atomic_read_unchecked(&flow_cache_genid)) {
79269 - xfrm_pols_put(pols, npols);
79270 - goto restart;
79271 - }
79272 -diff -urNp linux-2.6.32.46/net/xfrm/xfrm_user.c linux-2.6.32.46/net/xfrm/xfrm_user.c
79273 ---- linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-03-27 14:31:47.000000000 -0400
79274 -+++ linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-05-16 21:46:57.000000000 -0400
79275 -@@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
79276 - struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
79277 - int i;
79278 -
79279 -+ pax_track_stack();
79280 -+
79281 - if (xp->xfrm_nr == 0)
79282 - return 0;
79283 -
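Review bot: the `pax_track_stack()` call added at the top of `copy_to_user_tmpl()` has no comment saying why this function needs it, and it sits before the `xp->xfrm_nr == 0` early return, so it also runs on the path that never touches `vec`. If the trigger is the `struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]` array on the stack, say so in a comment, and state the rule used to decide which functions get the call so that the same reasoning can be checked for `xfrm_do_migrate()` in the next hunk.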
79284 -@@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
79285 - int err;
79286 - int n = 0;
79287 -
79288 -+ pax_track_stack();
79289 -+
79290 - if (attrs[XFRMA_MIGRATE] == NULL)
79291 - return -EINVAL;
79292 -
79293 -diff -urNp linux-2.6.32.46/samples/kobject/kset-example.c linux-2.6.32.46/samples/kobject/kset-example.c
79294 ---- linux-2.6.32.46/samples/kobject/kset-example.c 2011-03-27 14:31:47.000000000 -0400
79295 -+++ linux-2.6.32.46/samples/kobject/kset-example.c 2011-04-17 15:56:46.000000000 -0400
79296 -@@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
79297 - }
79298 -
79299 - /* Our custom sysfs_ops that we will associate with our ktype later on */
79300 --static struct sysfs_ops foo_sysfs_ops = {
79301 -+static const struct sysfs_ops foo_sysfs_ops = {
79302 - .show = foo_attr_show,
79303 - .store = foo_attr_store,
79304 - };
79305 -diff -urNp linux-2.6.32.46/scripts/Makefile.build linux-2.6.32.46/scripts/Makefile.build
79306 ---- linux-2.6.32.46/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
79307 -+++ linux-2.6.32.46/scripts/Makefile.build 2011-08-23 20:45:11.000000000 -0400
79308 -@@ -59,7 +59,7 @@ endif
79309 - endif
79310 -
79311 - # Do not include host rules unless needed
79312 --ifneq ($(hostprogs-y)$(hostprogs-m),)
79313 -+ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79314 - include scripts/Makefile.host
79315 - endif
79316 -
79317 -diff -urNp linux-2.6.32.46/scripts/Makefile.clean linux-2.6.32.46/scripts/Makefile.clean
79318 ---- linux-2.6.32.46/scripts/Makefile.clean 2011-03-27 14:31:47.000000000 -0400
79319 -+++ linux-2.6.32.46/scripts/Makefile.clean 2011-06-04 20:47:19.000000000 -0400
79320 -@@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79321 - __clean-files := $(extra-y) $(always) \
79322 - $(targets) $(clean-files) \
79323 - $(host-progs) \
79324 -- $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79325 -+ $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79326 -+ $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79327 -
79328 - # as clean-files is given relative to the current directory, this adds
79329 - # a $(obj) prefix, except for absolute paths
79330 -diff -urNp linux-2.6.32.46/scripts/Makefile.host linux-2.6.32.46/scripts/Makefile.host
79331 ---- linux-2.6.32.46/scripts/Makefile.host 2011-03-27 14:31:47.000000000 -0400
79332 -+++ linux-2.6.32.46/scripts/Makefile.host 2011-06-04 20:48:22.000000000 -0400
79333 -@@ -31,6 +31,7 @@
79334 - # Note: Shared libraries consisting of C++ files are not supported
79335 -
79336 - __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79337 -+__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79338 -
79339 - # C code
79340 - # Executables compiled from a single .c file
79341 -@@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79342 - # Shared libaries (only .c supported)
79343 - # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79344 - host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79345 -+host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79346 - # Remove .so files from "xxx-objs"
79347 - host-cobjs := $(filter-out %.so,$(host-cobjs))
79348 -
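Review bot: `host-cshlib += $(sort $(filter %.so, $(__hostlibs)))` appends to a list that was sorted on the line above, and `$(sort ...)` is also what removes duplicates, so a `.so` named both in an `xxx-objs` list and in `hostlibs-y` would end up in `host-cshlib` twice. Build the list in one expression, for example `$(sort $(filter %.so, $(host-cobjs) $(__hostlibs)))`. The header comment of this file should also document `hostlibs-y` and `hostlibs-m` next to the existing hostprogs description.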
79349 -diff -urNp linux-2.6.32.46/scripts/basic/fixdep.c linux-2.6.32.46/scripts/basic/fixdep.c
79350 ---- linux-2.6.32.46/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
79351 -+++ linux-2.6.32.46/scripts/basic/fixdep.c 2011-10-06 09:37:14.000000000 -0400
79352 -@@ -162,7 +162,7 @@ static void grow_config(int len)
79353 - /*
79354 - * Lookup a value in the configuration string.
79355 - */
79356 --static int is_defined_config(const char * name, int len)
79357 -+static int is_defined_config(const char * name, unsigned int len)
79358 - {
79359 - const char * pconfig;
79360 - const char * plast = str_config + len_config - len;
79361 -@@ -199,7 +199,7 @@ static void clear_config(void)
79362 - /*
79363 - * Record the use of a CONFIG_* word.
79364 - */
79365 --static void use_config(char *m, int slen)
79366 -+static void use_config(char *m, unsigned int slen)
79367 - {
79368 - char s[PATH_MAX];
79369 - char *p;
79370 -@@ -222,9 +222,9 @@ static void use_config(char *m, int slen
79371 -
79372 - static void parse_config_file(char *map, size_t len)
79373 - {
79374 -- int *end = (int *) (map + len);
79375 -+ unsigned int *end = (unsigned int *) (map + len);
79376 - /* start at +1, so that p can never be < map */
79377 -- int *m = (int *) map + 1;
79378 -+ unsigned int *m = (unsigned int *) map + 1;
79379 - char *p, *q;
79380 -
79381 - for (; m < end; m++) {
79382 -@@ -371,7 +371,7 @@ static void print_deps(void)
79383 - static void traps(void)
79384 - {
79385 - static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79386 -- int *p = (int *)test;
79387 -+ unsigned int *p = (unsigned int *)test;
79388 -
79389 - if (*p != INT_CONF) {
79390 - fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79391 -diff -urNp linux-2.6.32.46/scripts/gcc-plugin.sh linux-2.6.32.46/scripts/gcc-plugin.sh
79392 ---- linux-2.6.32.46/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
79393 -+++ linux-2.6.32.46/scripts/gcc-plugin.sh 2011-10-06 09:37:14.000000000 -0400
79394 -@@ -0,0 +1,2 @@
79395 -+#!/bin/sh
79396 -+echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
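Review bot: the probe relies on `echo` expanding `\n` under `#!/bin/sh`, which is not portable: where `/bin/sh` is a shell whose `echo` prints backslash sequences literally, both `#include` directives arrive on one line and the test no longer checks what it intends to, and because all output goes to `/dev/null 2>&1` nobody will see that. Use `printf '%s\n' '#include "gcc-plugin.h"' '#include "rtl.h"'` instead. `$1` and `$2` are also unquoted, so a compiler given as a path with spaces or as a command with arguments is word-split unpredictably; quote them or document that word splitting is intended, and add a comment at the top naming the two arguments.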
79397 -diff -urNp linux-2.6.32.46/scripts/mod/file2alias.c linux-2.6.32.46/scripts/mod/file2alias.c
79398 ---- linux-2.6.32.46/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
79399 -+++ linux-2.6.32.46/scripts/mod/file2alias.c 2011-10-06 09:37:14.000000000 -0400
79400 -@@ -72,7 +72,7 @@ static void device_id_check(const char *
79401 - unsigned long size, unsigned long id_size,
79402 - void *symval)
79403 - {
79404 -- int i;
79405 -+ unsigned int i;
79406 -
79407 - if (size % id_size || size < id_size) {
79408 - if (cross_build != 0)
79409 -@@ -102,7 +102,7 @@ static void device_id_check(const char *
79410 - /* USB is special because the bcdDevice can be matched against a numeric range */
79411 - /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79412 - static void do_usb_entry(struct usb_device_id *id,
79413 -- unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79414 -+ unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79415 - unsigned char range_lo, unsigned char range_hi,
79416 - struct module *mod)
79417 - {
79418 -@@ -151,7 +151,7 @@ static void do_usb_entry_multi(struct us
79419 - {
79420 - unsigned int devlo, devhi;
79421 - unsigned char chi, clo;
79422 -- int ndigits;
79423 -+ unsigned int ndigits;
79424 -
79425 - id->match_flags = TO_NATIVE(id->match_flags);
79426 - id->idVendor = TO_NATIVE(id->idVendor);
79427 -@@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
79428 - for (i = 0; i < count; i++) {
79429 - const char *id = (char *)devs[i].id;
79430 - char acpi_id[sizeof(devs[0].id)];
79431 -- int j;
79432 -+ unsigned int j;
79433 -
79434 - buf_printf(&mod->dev_table_buf,
79435 - "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79436 -@@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
79437 -
79438 - for (j = 0; j < PNP_MAX_DEVICES; j++) {
79439 - const char *id = (char *)card->devs[j].id;
79440 -- int i2, j2;
79441 -+ unsigned int i2, j2;
79442 - int dup = 0;
79443 -
79444 - if (!id[0])
79445 -@@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
79446 - /* add an individual alias for every device entry */
79447 - if (!dup) {
79448 - char acpi_id[sizeof(card->devs[0].id)];
79449 -- int k;
79450 -+ unsigned int k;
79451 -
79452 - buf_printf(&mod->dev_table_buf,
79453 - "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79454 -@@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
79455 - static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79456 - char *alias)
79457 - {
79458 -- int i, j;
79459 -+ unsigned int i, j;
79460 -
79461 - sprintf(alias, "dmi*");
79462 -
79463 -diff -urNp linux-2.6.32.46/scripts/mod/modpost.c linux-2.6.32.46/scripts/mod/modpost.c
79464 ---- linux-2.6.32.46/scripts/mod/modpost.c 2011-03-27 14:31:47.000000000 -0400
79465 -+++ linux-2.6.32.46/scripts/mod/modpost.c 2011-07-06 19:53:33.000000000 -0400
79466 -@@ -835,6 +835,7 @@ enum mismatch {
79467 - INIT_TO_EXIT,
79468 - EXIT_TO_INIT,
79469 - EXPORT_TO_INIT_EXIT,
79470 -+ DATA_TO_TEXT
79471 - };
79472 -
79473 - struct sectioncheck {
79474 -@@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
79475 - .fromsec = { "__ksymtab*", NULL },
79476 - .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79477 - .mismatch = EXPORT_TO_INIT_EXIT
79478 -+},
79479 -+/* Do not reference code from writable data */
79480 -+{
79481 -+ .fromsec = { DATA_SECTIONS, NULL },
79482 -+ .tosec = { TEXT_SECTIONS, NULL },
79483 -+ .mismatch = DATA_TO_TEXT
79484 - }
79485 - };
79486 -
79487 -@@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
79488 - continue;
79489 - if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79490 - continue;
79491 -- if (sym->st_value == addr)
79492 -- return sym;
79493 - /* Find a symbol nearby - addr are maybe negative */
79494 - d = sym->st_value - addr;
79495 -+ if (d == 0)
79496 -+ return sym;
79497 - if (d < 0)
79498 - d = addr - sym->st_value;
79499 - if (d < distance) {
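Review bot: moving the exact-match test from `sym->st_value == addr` to `d == 0` makes the result depend on the type of `d`, which is declared outside this hunk. If `d` is narrower than `st_value` and `addr`, a difference that truncates to zero now returns a wrong symbol as an exact match, which the old comparison could not do. Either keep the direct comparison or state in the changelog what `d == 0` fixes, since no reason for the reordering is visible here.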
79500 -@@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
79501 - "Fix this by removing the %sannotation of %s "
79502 - "or drop the export.\n",
79503 - tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
79504 -+ case DATA_TO_TEXT:
79505 -+/*
79506 -+ fprintf(stderr,
79507 -+ "The variable %s references\n"
79508 -+ "the %s %s%s%s\n",
79509 -+ fromsym, to, sec2annotation(tosec), tosym, to_p);
79510 -+*/
79511 -+ break;
79512 - case NO_MISMATCH:
79513 - /* To get warnings on missing members */
79514 - break;
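Review bot: the new `case DATA_TO_TEXT:` is inserted directly after the previous case's `fprintf(...)` with no `break` between them in the visible context, so that case now falls through into this one. It is harmless only while the body stays commented out; as soon as the message is enabled, the export mismatch will print it as well. Add an explicit `break` before the new label, and replace the commented-out `fprintf` with either real code behind an option or nothing at all, because as written the `DATA_TO_TEXT` check added to `sectioncheck[]` is matched and then reported with no description.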
79515 -@@ -1495,7 +1510,7 @@ static void section_rel(const char *modn
79516 - static void check_sec_ref(struct module *mod, const char *modname,
79517 - struct elf_info *elf)
79518 - {
79519 -- int i;
79520 -+ unsigned int i;
79521 - Elf_Shdr *sechdrs = elf->sechdrs;
79522 -
79523 - /* Walk through all sections */
79524 -@@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
79525 - va_end(ap);
79526 - }
79527 -
79528 --void buf_write(struct buffer *buf, const char *s, int len)
79529 -+void buf_write(struct buffer *buf, const char *s, unsigned int len)
79530 - {
79531 - if (buf->size - buf->pos < len) {
79532 - buf->size += len + SZ;
79533 -@@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
79534 - if (fstat(fileno(file), &st) < 0)
79535 - goto close_write;
79536 -
79537 -- if (st.st_size != b->pos)
79538 -+ if (st.st_size != (off_t)b->pos)
79539 - goto close_write;
79540 -
79541 - tmp = NOFAIL(malloc(b->pos));
79542 -diff -urNp linux-2.6.32.46/scripts/mod/modpost.h linux-2.6.32.46/scripts/mod/modpost.h
79543 ---- linux-2.6.32.46/scripts/mod/modpost.h 2011-03-27 14:31:47.000000000 -0400
79544 -+++ linux-2.6.32.46/scripts/mod/modpost.h 2011-04-17 15:56:46.000000000 -0400
79545 -@@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79546 -
79547 - struct buffer {
79548 - char *p;
79549 -- int pos;
79550 -- int size;
79551 -+ unsigned int pos;
79552 -+ unsigned int size;
79553 - };
79554 -
79555 - void __attribute__((format(printf, 2, 3)))
79556 - buf_printf(struct buffer *buf, const char *fmt, ...);
79557 -
79558 - void
79559 --buf_write(struct buffer *buf, const char *s, int len);
79560 -+buf_write(struct buffer *buf, const char *s, unsigned int len);
79561 -
79562 - struct module {
79563 - struct module *next;
79564 -diff -urNp linux-2.6.32.46/scripts/mod/sumversion.c linux-2.6.32.46/scripts/mod/sumversion.c
79565 ---- linux-2.6.32.46/scripts/mod/sumversion.c 2011-03-27 14:31:47.000000000 -0400
79566 -+++ linux-2.6.32.46/scripts/mod/sumversion.c 2011-04-17 15:56:46.000000000 -0400
79567 -@@ -455,7 +455,7 @@ static void write_version(const char *fi
79568 - goto out;
79569 - }
79570 -
79571 -- if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79572 -+ if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79573 - warn("writing sum in %s failed: %s\n",
79574 - filename, strerror(errno));
79575 - goto out;
79576 -diff -urNp linux-2.6.32.46/scripts/package/mkspec linux-2.6.32.46/scripts/package/mkspec
79577 ---- linux-2.6.32.46/scripts/package/mkspec 2011-03-27 14:31:47.000000000 -0400
79578 -+++ linux-2.6.32.46/scripts/package/mkspec 2011-07-19 18:19:12.000000000 -0400
79579 -@@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM
79580 - echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware'
79581 - echo "%endif"
79582 -
79583 --echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= modules_install'
79584 -+echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SRC= modules_install'
79585 - echo "%ifarch ia64"
79586 - echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE"
79587 - echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/"
79588 -diff -urNp linux-2.6.32.46/scripts/pnmtologo.c linux-2.6.32.46/scripts/pnmtologo.c
79589 ---- linux-2.6.32.46/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0400
79590 -+++ linux-2.6.32.46/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0400
79591 -@@ -237,14 +237,14 @@ static void write_header(void)
79592 - fprintf(out, " * Linux logo %s\n", logoname);
79593 - fputs(" */\n\n", out);
79594 - fputs("#include <linux/linux_logo.h>\n\n", out);
79595 -- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79596 -+ fprintf(out, "static unsigned char %s_data[] = {\n",
79597 - logoname);
79598 - }
79599 -
79600 - static void write_footer(void)
79601 - {
79602 - fputs("\n};\n\n", out);
79603 -- fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79604 -+ fprintf(out, "const struct linux_logo %s = {\n", logoname);
79605 - fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79606 - fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79607 - fprintf(out, "\t.height\t\t= %d,\n", logo_height);
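Review bot: removing `__initdata` from the generated `%s_data[]` array and `__initconst` from the `linux_logo` struct keeps every logo resident after init, and neither the hunk nor a comment says why that cost is being accepted. Please document the reason in `write_header()`. Since the struct is already emitted as `const`, consider emitting the `%s_data[]` array (and `%s_clut[]` in the next hunk) as `static const unsigned char` too if the `linux_logo` field types allow it, so the pixel data does not end up in writable memory.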
79608 -@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79609 - fputs("\n};\n\n", out);
79610 -
79611 - /* write logo clut */
79612 -- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79613 -+ fprintf(out, "static unsigned char %s_clut[] = {\n",
79614 - logoname);
79615 - write_hex_cnt = 0;
79616 - for (i = 0; i < logo_clutsize; i++) {
79617 -diff -urNp linux-2.6.32.46/scripts/tags.sh linux-2.6.32.46/scripts/tags.sh
79618 ---- linux-2.6.32.46/scripts/tags.sh 2011-03-27 14:31:47.000000000 -0400
79619 -+++ linux-2.6.32.46/scripts/tags.sh 2011-06-07 18:06:04.000000000 -0400
79620 -@@ -93,6 +93,11 @@ docscope()
79621 - cscope -b -f cscope.out
79622 - }
79623 -
79624 -+dogtags()
79625 -+{
79626 -+ all_sources | gtags -f -
79627 -+}
79628 -+
79629 - exuberant()
79630 - {
79631 - all_sources | xargs $1 -a \
79632 -@@ -164,6 +169,10 @@ case "$1" in
79633 - docscope
79634 - ;;
79635 -
79636 -+ "gtags")
79637 -+ dogtags
79638 -+ ;;
79639 -+
79640 - "tags")
79641 - rm -f tags
79642 - xtags ctags
79643 -diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
79644 ---- linux-2.6.32.46/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
79645 -+++ linux-2.6.32.46/security/Kconfig 2011-10-06 09:38:20.000000000 -0400
79646 -@@ -4,6 +4,559 @@
79647 -
79648 - menu "Security options"
79649 -
79650 -+source grsecurity/Kconfig
79651 -+
79652 -+menu "PaX"
79653 -+
79654 -+ config ARCH_TRACK_EXEC_LIMIT
79655 -+ bool
79656 -+
79657 -+ config PAX_KERNEXEC_PLUGIN
79658 -+ bool
79659 -+
79660 -+ config PAX_PER_CPU_PGD
79661 -+ bool
79662 -+
79663 -+ config TASK_SIZE_MAX_SHIFT
79664 -+ int
79665 -+ depends on X86_64
79666 -+ default 47 if !PAX_PER_CPU_PGD
79667 -+ default 42 if PAX_PER_CPU_PGD
79668 -+
79669 -+ config PAX_ENABLE_PAE
79670 -+ bool
79671 -+ default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79672 -+
79673 -+config PAX
79674 -+ bool "Enable various PaX features"
79675 -+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79676 -+ help
79677 -+ This allows you to enable various PaX features. PaX adds
79678 -+ intrusion prevention mechanisms to the kernel that reduce
79679 -+ the risks posed by exploitable memory corruption bugs.
79680 -+
79681 -+menu "PaX Control"
79682 -+ depends on PAX
79683 -+
79684 -+config PAX_SOFTMODE
79685 -+ bool 'Support soft mode'
79686 -+ select PAX_PT_PAX_FLAGS
79687 -+ help
79688 -+ Enabling this option will allow you to run PaX in soft mode, that
79689 -+ is, PaX features will not be enforced by default, only on executables
79690 -+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
79691 -+ is the only way to mark executables for soft mode use.
79692 -+
79693 -+ Soft mode can be activated by using the "pax_softmode=1" kernel command
79694 -+ line option on boot. Furthermore you can control various PaX features
79695 -+ at runtime via the entries in /proc/sys/kernel/pax.
79696 -+
79697 -+config PAX_EI_PAX
79698 -+ bool 'Use legacy ELF header marking'
79699 -+ help
79700 -+ Enabling this option will allow you to control PaX features on
79701 -+ a per executable basis via the 'chpax' utility available at
79702 -+ http://pax.grsecurity.net/. The control flags will be read from
79703 -+ an otherwise reserved part of the ELF header. This marking has
79704 -+ numerous drawbacks (no support for soft-mode, toolchain does not
79705 -+ know about the non-standard use of the ELF header) therefore it
79706 -+ has been deprecated in favour of PT_PAX_FLAGS support.
79707 -+
79708 -+ Note that if you enable PT_PAX_FLAGS marking support as well,
79709 -+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
79710 -+
79711 -+config PAX_PT_PAX_FLAGS
79712 -+ bool 'Use ELF program header marking'
79713 -+ help
79714 -+ Enabling this option will allow you to control PaX features on
79715 -+ a per executable basis via the 'paxctl' utility available at
79716 -+ http://pax.grsecurity.net/. The control flags will be read from
79717 -+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
79718 -+ has the benefits of supporting both soft mode and being fully
79719 -+ integrated into the toolchain (the binutils patch is available
79720 -+ from http://pax.grsecurity.net).
79721 -+
79722 -+ If your toolchain does not support PT_PAX_FLAGS markings,
79723 -+ you can create one in most cases with 'paxctl -C'.
79724 -+
79725 -+ Note that if you enable the legacy EI_PAX marking support as well,
79726 -+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
79727 -+
79728 -+choice
79729 -+ prompt 'MAC system integration'
79730 -+ default PAX_HAVE_ACL_FLAGS
79731 -+ help
79732 -+ Mandatory Access Control systems have the option of controlling
79733 -+ PaX flags on a per executable basis, choose the method supported
79734 -+ by your particular system.
79735 -+
79736 -+ - "none": if your MAC system does not interact with PaX,
79737 -+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
79738 -+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
79739 -+
79740 -+ NOTE: this option is for developers/integrators only.
79741 -+
79742 -+ config PAX_NO_ACL_FLAGS
79743 -+ bool 'none'
79744 -+
79745 -+ config PAX_HAVE_ACL_FLAGS
79746 -+ bool 'direct'
79747 -+
79748 -+ config PAX_HOOK_ACL_FLAGS
79749 -+ bool 'hook'
79750 -+endchoice
79751 -+
79752 -+endmenu
79753 -+
79754 -+menu "Non-executable pages"
79755 -+ depends on PAX
79756 -+
79757 -+config PAX_NOEXEC
79758 -+ bool "Enforce non-executable pages"
79759 -+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
79760 -+ help
79761 -+ By design some architectures do not allow for protecting memory
79762 -+ pages against execution or even if they do, Linux does not make
79763 -+ use of this feature. In practice this means that if a page is
79764 -+ readable (such as the stack or heap) it is also executable.
79765 -+
79766 -+ There is a well known exploit technique that makes use of this
79767 -+ fact and a common programming mistake where an attacker can
79768 -+ introduce code of his choice somewhere in the attacked program's
79769 -+ memory (typically the stack or the heap) and then execute it.
79770 -+
79771 -+ If the attacked program was running with different (typically
79772 -+ higher) privileges than that of the attacker, then he can elevate
79773 -+ his own privilege level (e.g. get a root shell, write to files for
79774 -+ which he does not have write access to, etc).
79775 -+
79776 -+ Enabling this option will let you choose from various features
79777 -+ that prevent the injection and execution of 'foreign' code in
79778 -+ a program.
79779 -+
79780 -+ This will also break programs that rely on the old behaviour and
79781 -+ expect that dynamically allocated memory via the malloc() family
79782 -+ of functions is executable (which it is not). Notable examples
79783 -+ are the XFree86 4.x server, the java runtime and wine.
79784 -+
79785 -+config PAX_PAGEEXEC
79786 -+ bool "Paging based non-executable pages"
79787 -+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
79788 -+ select S390_SWITCH_AMODE if S390
79789 -+ select S390_EXEC_PROTECT if S390
79790 -+ select ARCH_TRACK_EXEC_LIMIT if X86_32
79791 -+ help
79792 -+ This implementation is based on the paging feature of the CPU.
79793 -+ On i386 without hardware non-executable bit support there is a
79794 -+ variable but usually low performance impact, however on Intel's
79795 -+ P4 core based CPUs it is very high so you should not enable this
79796 -+ for kernels meant to be used on such CPUs.
79797 -+
79798 -+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
79799 -+ with hardware non-executable bit support there is no performance
79800 -+ impact, on ppc the impact is negligible.
79801 -+
79802 -+ Note that several architectures require various emulations due to
79803 -+ badly designed userland ABIs, this will cause a performance impact
79804 -+ but will disappear as soon as userland is fixed. For example, ppc
79805 -+ userland MUST have been built with secure-plt by a recent toolchain.
79806 -+
79807 -+config PAX_SEGMEXEC
79808 -+ bool "Segmentation based non-executable pages"
79809 -+ depends on PAX_NOEXEC && X86_32
79810 -+ help
79811 -+ This implementation is based on the segmentation feature of the
79812 -+ CPU and has a very small performance impact, however applications
79813 -+ will be limited to a 1.5 GB address space instead of the normal
79814 -+ 3 GB.
79815 -+
79816 -+config PAX_EMUTRAMP
79817 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
79818 -+ default y if PARISC
79819 -+ help
79820 -+ There are some programs and libraries that for one reason or
79821 -+ another attempt to execute special small code snippets from
79822 -+ non-executable memory pages. Most notable examples are the
79823 -+ signal handler return code generated by the kernel itself and
79824 -+ the GCC trampolines.
79825 -+
79826 -+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
79827 -+ such programs will no longer work under your kernel.
79828 -+
79829 -+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
79830 -+ utilities to enable trampoline emulation for the affected programs
79831 -+ yet still have the protection provided by the non-executable pages.
79832 -+
79833 -+ On parisc you MUST enable this option and EMUSIGRT as well, otherwise
79834 -+ your system will not even boot.
79835 -+
79836 -+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
79837 -+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
79838 -+ for the affected files.
79839 -+
79840 -+ NOTE: enabling this feature *may* open up a loophole in the
79841 -+ protection provided by non-executable pages that an attacker
79842 -+ could abuse. Therefore the best solution is to not have any
79843 -+ files on your system that would require this option. This can
79844 -+ be achieved by not using libc5 (which relies on the kernel
79845 -+ signal handler return code) and not using or rewriting programs
79846 -+ that make use of the nested function implementation of GCC.
79847 -+ Skilled users can just fix GCC itself so that it implements
79848 -+ nested function calls in a way that does not interfere with PaX.
79849 -+
79850 -+config PAX_EMUSIGRT
79851 -+ bool "Automatically emulate sigreturn trampolines"
79852 -+ depends on PAX_EMUTRAMP && PARISC
79853 -+ default y
79854 -+ help
79855 -+ Enabling this option will have the kernel automatically detect
79856 -+ and emulate signal return trampolines executing on the stack
79857 -+ that would otherwise lead to task termination.
79858 -+
79859 -+ This solution is intended as a temporary one for users with
79860 -+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
79861 -+ Modula-3 runtime, etc) or executables linked to such, basically
79862 -+ everything that does not specify its own SA_RESTORER function in
79863 -+ normal executable memory like glibc 2.1+ does.
79864 -+
79865 -+ On parisc you MUST enable this option, otherwise your system will
79866 -+ not even boot.
79867 -+
79868 -+ NOTE: this feature cannot be disabled on a per executable basis
79869 -+ and since it *does* open up a loophole in the protection provided
79870 -+ by non-executable pages, the best solution is to not have any
79871 -+ files on your system that would require this option.
79872 -+
79873 -+config PAX_MPROTECT
79874 -+ bool "Restrict mprotect()"
79875 -+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
79876 -+ help
79877 -+ Enabling this option will prevent programs from
79878 -+ - changing the executable status of memory pages that were
79879 -+ not originally created as executable,
79880 -+ - making read-only executable pages writable again,
79881 -+ - creating executable pages from anonymous memory,
79882 -+ - making read-only-after-relocations (RELRO) data pages writable again.
79883 -+
79884 -+ You should say Y here to complete the protection provided by
79885 -+ the enforcement of non-executable pages.
79886 -+
79887 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79888 -+ this feature on a per file basis.
79889 -+
79890 -+config PAX_MPROTECT_COMPAT
79891 -+ bool "Use legacy/compat protection demoting (read help)"
79892 -+ depends on PAX_MPROTECT
79893 -+ default n
79894 -+ help
79895 -+ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
79896 -+ by sending the proper error code to the application. For some broken
79897 -+ userland, this can cause problems with Python or other applications. The
79898 -+ current implementation however allows for applications like clamav to
79899 -+ detect if JIT compilation/execution is allowed and to fall back gracefully
79900 -+ to an interpreter-based mode if it does not. While we encourage everyone
79901 -+ to use the current implementation as-is and push upstream to fix broken
79902 -+ userland (note that the RWX logging option can assist with this), in some
79903 -+ environments this may not be possible. Having to disable MPROTECT
79904 -+ completely on certain binaries reduces the security benefit of PaX,
79905 -+ so this option is provided for those environments to revert to the old
79906 -+ behavior.
79907 -+
79908 -+config PAX_ELFRELOCS
79909 -+ bool "Allow ELF text relocations (read help)"
79910 -+ depends on PAX_MPROTECT
79911 -+ default n
79912 -+ help
79913 -+ Non-executable pages and mprotect() restrictions are effective
79914 -+ in preventing the introduction of new executable code into an
79915 -+ attacked task's address space. There remain only two venues
79916 -+ for this kind of attack: if the attacker can execute already
79917 -+ existing code in the attacked task then he can either have it
79918 -+ create and mmap() a file containing his code or have it mmap()
79919 -+ an already existing ELF library that does not have position
79920 -+ independent code in it and use mprotect() on it to make it
79921 -+ writable and copy his code there. While protecting against
79922 -+ the former approach is beyond PaX, the latter can be prevented
79923 -+ by having only PIC ELF libraries on one's system (which do not
79924 -+ need to relocate their code). If you are sure this is your case,
79925 -+ as is the case with all modern Linux distributions, then leave
79926 -+ this option disabled. You should say 'n' here.
79927 -+
79928 -+config PAX_ETEXECRELOCS
79929 -+ bool "Allow ELF ET_EXEC text relocations"
79930 -+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
79931 -+ select PAX_ELFRELOCS
79932 -+ default y
79933 -+ help
79934 -+ On some architectures there are incorrectly created applications
79935 -+ that require text relocations and would not work without enabling
79936 -+ this option. If you are an alpha, ia64 or parisc user, you should
79937 -+ enable this option and disable it once you have made sure that
79938 -+ none of your applications need it.
79939 -+
79940 -+config PAX_EMUPLT
79941 -+ bool "Automatically emulate ELF PLT"
79942 -+ depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
79943 -+ default y
79944 -+ help
79945 -+ Enabling this option will have the kernel automatically detect
79946 -+ and emulate the Procedure Linkage Table entries in ELF files.
79947 -+ On some architectures such entries are in writable memory, and
79948 -+ become non-executable leading to task termination. Therefore
79949 -+ it is mandatory that you enable this option on alpha, parisc,
79950 -+ sparc and sparc64, otherwise your system would not even boot.
79951 -+
79952 -+ NOTE: this feature *does* open up a loophole in the protection
79953 -+ provided by the non-executable pages, therefore the proper
79954 -+ solution is to modify the toolchain to produce a PLT that does
79955 -+ not need to be writable.
79956 -+
79957 -+config PAX_DLRESOLVE
79958 -+ bool 'Emulate old glibc resolver stub'
79959 -+ depends on PAX_EMUPLT && SPARC
79960 -+ default n
79961 -+ help
79962 -+ This option is needed if userland has an old glibc (before 2.4)
79963 -+ that puts a 'save' instruction into the runtime generated resolver
79964 -+ stub that needs special emulation.
79965 -+
79966 -+config PAX_KERNEXEC
79967 -+ bool "Enforce non-executable kernel pages"
79968 -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
79969 -+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
79970 -+ select PAX_KERNEXEC_PLUGIN if X86_64
79971 -+ help
79972 -+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
79973 -+ that is, enabling this option will make it harder to inject
79974 -+ and execute 'foreign' code in kernel memory itself.
79975 -+
79976 -+ Note that on x86_64 kernels there is a known regression when
79977 -+ this feature and KVM/VMX are both enabled in the host kernel.
79978 -+
79979 -+config PAX_KERNEXEC_MODULE_TEXT
79980 -+ int "Minimum amount of memory reserved for module code"
79981 -+ default "4"
79982 -+ depends on PAX_KERNEXEC && X86_32 && MODULES
79983 -+ help
79984 -+ Due to implementation details the kernel must reserve a fixed
79985 -+ amount of memory for module code at compile time that cannot be
79986 -+ changed at runtime. Here you can specify the minimum amount
79987 -+ in MB that will be reserved. Due to the same implementation
79988 -+ details this size will always be rounded up to the next 2/4 MB
79989 -+ boundary (depends on PAE) so the actually available memory for
79990 -+ module code will usually be more than this minimum.
79991 -+
79992 -+ The default 4 MB should be enough for most users but if you have
79993 -+ an excessive number of modules (e.g., most distribution configs
79994 -+ compile many drivers as modules) or use huge modules such as
79995 -+ nvidia's kernel driver, you will need to adjust this amount.
79996 -+ A good rule of thumb is to look at your currently loaded kernel
79997 -+ modules and add up their sizes.
79998 -+
79999 -+endmenu
80000 -+
80001 -+menu "Address Space Layout Randomization"
80002 -+ depends on PAX
80003 -+
80004 -+config PAX_ASLR
80005 -+ bool "Address Space Layout Randomization"
80006 -+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
80007 -+ help
80008 -+ Many if not most exploit techniques rely on the knowledge of
80009 -+ certain addresses in the attacked program. The following options
80010 -+ will allow the kernel to apply a certain amount of randomization
80011 -+ to specific parts of the program thereby forcing an attacker to
80012 -+ guess them in most cases. Any failed guess will most likely crash
80013 -+ the attacked program which allows the kernel to detect such attempts
80014 -+ and react on them. PaX itself provides no reaction mechanisms,
80015 -+ instead it is strongly encouraged that you make use of Nergal's
80016 -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
80017 -+ (http://www.grsecurity.net/) built-in crash detection features or
80018 -+ develop one yourself.
80019 -+
80020 -+ By saying Y here you can choose to randomize the following areas:
80021 -+ - top of the task's kernel stack
80022 -+ - top of the task's userland stack
80023 -+ - base address for mmap() requests that do not specify one
80024 -+ (this includes all libraries)
80025 -+ - base address of the main executable
80026 -+
80027 -+ It is strongly recommended to say Y here as address space layout
80028 -+ randomization has negligible impact on performance yet it provides
80029 -+ a very effective protection.
80030 -+
80031 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80032 -+ this feature on a per file basis.
80033 -+
80034 -+config PAX_RANDKSTACK
80035 -+ bool "Randomize kernel stack base"
80036 -+ depends on X86_TSC && X86
80037 -+ help
80038 -+ By saying Y here the kernel will randomize every task's kernel
80039 -+ stack on every system call. This will not only force an attacker
80040 -+ to guess it but also prevent him from making use of possible
80041 -+ leaked information about it.
80042 -+
80043 -+ Since the kernel stack is a rather scarce resource, randomization
80044 -+ may cause unexpected stack overflows, therefore you should very
80045 -+ carefully test your system. Note that once enabled in the kernel
80046 -+ configuration, this feature cannot be disabled on a per file basis.
80047 -+
80048 -+config PAX_RANDUSTACK
80049 -+ bool "Randomize user stack base"
80050 -+ depends on PAX_ASLR
80051 -+ help
80052 -+ By saying Y here the kernel will randomize every task's userland
80053 -+ stack. The randomization is done in two steps where the second
80054 -+ one may apply a big amount of shift to the top of the stack and
80055 -+ cause problems for programs that want to use lots of memory (more
80056 -+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
80057 -+ For this reason the second step can be controlled by 'chpax' or
80058 -+ 'paxctl' on a per file basis.
80059 -+
80060 -+config PAX_RANDMMAP
80061 -+ bool "Randomize mmap() base"
80062 -+ depends on PAX_ASLR
80063 -+ help
80064 -+ By saying Y here the kernel will use a randomized base address for
80065 -+ mmap() requests that do not specify one themselves. As a result
80066 -+ all dynamically loaded libraries will appear at random addresses
80067 -+ and therefore be harder to exploit by a technique where an attacker
80068 -+ attempts to execute library code for his purposes (e.g. spawn a
80069 -+ shell from an exploited program that is running at an elevated
80070 -+ privilege level).
80071 -+
80072 -+ Furthermore, if a program is relinked as a dynamic ELF file, its
80073 -+ base address will be randomized as well, completing the full
80074 -+ randomization of the address space layout. Attacking such programs
80075 -+ becomes a guess game. You can find an example of doing this at
80076 -+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
80077 -+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
80078 -+
80079 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
80080 -+ feature on a per file basis.
80081 -+
80082 -+endmenu
80083 -+
80084 -+menu "Miscellaneous hardening features"
80085 -+
80086 -+config PAX_MEMORY_SANITIZE
80087 -+ bool "Sanitize all freed memory"
80088 -+ help
80089 -+ By saying Y here the kernel will erase memory pages as soon as they
80090 -+ are freed. This in turn reduces the lifetime of data stored in the
80091 -+ pages, making it less likely that sensitive information such as
80092 -+ passwords, cryptographic secrets, etc stay in memory for too long.
80093 -+
80094 -+ This is especially useful for programs whose runtime is short, long
80095 -+ lived processes and the kernel itself benefit from this as long as
80096 -+ they operate on whole memory pages and ensure timely freeing of pages
80097 -+ that may hold sensitive information.
80098 -+
80099 -+ The tradeoff is performance impact, on a single CPU system kernel
80100 -+ compilation sees a 3% slowdown, other systems and workloads may vary
80101 -+ and you are advised to test this feature on your expected workload
80102 -+ before deploying it.
80103 -+
80104 -+ Note that this feature does not protect data stored in live pages,
80105 -+ e.g., process memory swapped to disk may stay there for a long time.
80106 -+
80107 -+config PAX_MEMORY_STACKLEAK
80108 -+ bool "Sanitize kernel stack"
80109 -+ depends on X86
80110 -+ help
80111 -+ By saying Y here the kernel will erase the kernel stack before it
80112 -+ returns from a system call. This in turn reduces the information
80113 -+ that a kernel stack leak bug can reveal.
80114 -+
80115 -+ Note that such a bug can still leak information that was put on
80116 -+ the stack by the current system call (the one eventually triggering
80117 -+ the bug) but traces of earlier system calls on the kernel stack
80118 -+ cannot leak anymore.
80119 -+
80120 -+ The tradeoff is performance impact, on a single CPU system kernel
80121 -+ compilation sees a 1% slowdown, other systems and workloads may vary
80122 -+ and you are advised to test this feature on your expected workload
80123 -+ before deploying it.
80124 -+
80125 -+ Note: full support for this feature requires gcc with plugin support
80126 -+ so make sure your compiler is at least gcc 4.5.0 (cross compilation
80127 -+ is not supported). Using older gcc versions means that functions
80128 -+ with large enough stack frames may leave uninitialized memory behind
80129 -+ that may be exposed to a later syscall leaking the stack.
80130 -+
80131 -+config PAX_MEMORY_UDEREF
80132 -+ bool "Prevent invalid userland pointer dereference"
80133 -+ depends on X86 && !UML_X86 && !XEN
80134 -+ select PAX_PER_CPU_PGD if X86_64
80135 -+ help
80136 -+ By saying Y here the kernel will be prevented from dereferencing
80137 -+ userland pointers in contexts where the kernel expects only kernel
80138 -+ pointers. This is both a useful runtime debugging feature and a
80139 -+ security measure that prevents exploiting a class of kernel bugs.
80140 -+
80141 -+ The tradeoff is that some virtualization solutions may experience
80142 -+ a huge slowdown and therefore you should not enable this feature
80143 -+ for kernels meant to run in such environments. Whether a given VM
80144 -+ solution is affected or not is best determined by simply trying it
80145 -+ out, the performance impact will be obvious right on boot as this
80146 -+ mechanism engages from very early on. A good rule of thumb is that
80147 -+ VMs running on CPUs without hardware virtualization support (i.e.,
80148 -+ the majority of IA-32 CPUs) will likely experience the slowdown.
80149 -+
80150 -+config PAX_REFCOUNT
80151 -+ bool "Prevent various kernel object reference counter overflows"
80152 -+ depends on GRKERNSEC && (X86 || SPARC64)
80153 -+ help
80154 -+ By saying Y here the kernel will detect and prevent overflowing
80155 -+ various (but not all) kinds of object reference counters. Such
80156 -+ overflows can normally occur due to bugs only and are often, if
80157 -+ not always, exploitable.
80158 -+
80159 -+ The tradeoff is that data structures protected by an overflowed
80160 -+ refcount will never be freed and therefore will leak memory. Note
80161 -+ that this leak also happens even without this protection but in
80162 -+ that case the overflow can eventually trigger the freeing of the
80163 -+ data structure while it is still being used elsewhere, resulting
80164 -+ in the exploitable situation that this feature prevents.
80165 -+
80166 -+ Since this has a negligible performance impact, you should enable
80167 -+ this feature.
80168 -+
80169 -+config PAX_USERCOPY
80170 -+ bool "Harden heap object copies between kernel and userland"
80171 -+ depends on X86 || PPC || SPARC || ARM
80172 -+ depends on GRKERNSEC && (SLAB || SLUB || SLOB)
80173 -+ help
80174 -+ By saying Y here the kernel will enforce the size of heap objects
80175 -+ when they are copied in either direction between the kernel and
80176 -+ userland, even if only a part of the heap object is copied.
80177 -+
80178 -+ Specifically, this checking prevents information leaking from the
80179 -+ kernel heap during kernel to userland copies (if the kernel heap
80180 -+ object is otherwise fully initialized) and prevents kernel heap
80181 -+ overflows during userland to kernel copies.
80182 -+
80183 -+ Note that the current implementation provides the strictest bounds
80184 -+ checks for the SLUB allocator.
80185 -+
80186 -+ Enabling this option also enables per-slab cache protection against
80187 -+ data in a given cache being copied into/out of via userland
80188 -+ accessors. Though the whitelist of regions will be reduced over
80189 -+ time, it notably protects important data structures like task structs.
80190 -+
80191 -+
80192 -+ If frame pointers are enabled on x86, this option will also
80193 -+ restrict copies into and out of the kernel stack to local variables
80194 -+ within a single frame.
80195 -+
80196 -+ Since this has a negligible performance impact, you should enable
80197 -+ this feature.
80198 -+
80199 -+endmenu
80200 -+
80201 -+endmenu
80202 -+
80203 - config KEYS
80204 - bool "Enable access key retention support"
80205 - help
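Review bot: the PAX_KERNEXEC help text warns of "a known regression when this feature and KVM/VMX are both enabled" on x86_64 but never says what the regression is, and the "depends on" line does nothing to reflect it. Someone configuring a virtualization host cannot tell from this entry whether the result is a slowdown, a guest failure or a host crash. Suggest naming the symptom in the help text, or expressing the conflict in "depends on" if the combination is not usable.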
80206 -@@ -146,7 +699,7 @@ config INTEL_TXT
80207 - config LSM_MMAP_MIN_ADDR
80208 - int "Low address space for LSM to protect from user allocation"
80209 - depends on SECURITY && SECURITY_SELINUX
80210 -- default 65536
80211 -+ default 32768
80212 - help
80213 - This is the portion of low virtual memory which should be protected
80214 - from userspace allocation. Keeping a user from writing to low pages
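Review bot: the LSM_MMAP_MIN_ADDR default drops from 65536 to 32768, which halves the low address range that the help text says "should be protected from userspace allocation", and nothing in the hunk explains why. Suggest either keeping 65536 or adding the rationale for the smaller value to the help text, so that the weaker default is a documented decision rather than a silent one.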
80215 -diff -urNp linux-2.6.32.46/security/capability.c linux-2.6.32.46/security/capability.c
80216 ---- linux-2.6.32.46/security/capability.c 2011-03-27 14:31:47.000000000 -0400
80217 -+++ linux-2.6.32.46/security/capability.c 2011-04-17 15:56:46.000000000 -0400
80218 -@@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
80219 - }
80220 - #endif /* CONFIG_AUDIT */
80221 -
80222 --struct security_operations default_security_ops = {
80223 -+struct security_operations default_security_ops __read_only = {
80224 - .name = "default",
80225 - };
80226 -
80227 -diff -urNp linux-2.6.32.46/security/commoncap.c linux-2.6.32.46/security/commoncap.c
80228 ---- linux-2.6.32.46/security/commoncap.c 2011-03-27 14:31:47.000000000 -0400
80229 -+++ linux-2.6.32.46/security/commoncap.c 2011-08-17 19:22:13.000000000 -0400
80230 -@@ -27,7 +27,7 @@
80231 - #include <linux/sched.h>
80232 - #include <linux/prctl.h>
80233 - #include <linux/securebits.h>
80234 --
80235 -+#include <net/sock.h>
80236 - /*
80237 - * If a non-root user executes a setuid-root binary in
80238 - * !secure(SECURE_NOROOT) mode, then we raise capabilities.
80239 -@@ -50,9 +50,18 @@ static void warn_setuid_and_fcaps_mixed(
80240 - }
80241 - }
80242 -
80243 -+#ifdef CONFIG_NET
80244 -+extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
80245 -+#endif
80246 -+
80247 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
80248 - {
80249 -+#ifdef CONFIG_NET
80250 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
80251 -+#else
80252 - NETLINK_CB(skb).eff_cap = current_cap();
80253 -+#endif
80254 -+
80255 - return 0;
80256 - }
80257 -
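Review bot: the prototype "extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);" is declared directly in commoncap.c, just above cap_netlink_send(), so the compiler never checks it against the definition. Suggest moving the declaration into a header that both the definition and this file include. The added "#include <net/sock.h>" in the previous hunk also replaces the blank line that separated the include block from the comment below it; keeping that blank line would preserve the file's layout.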
80258 -@@ -582,6 +591,9 @@ int cap_bprm_secureexec(struct linux_bin
80259 - {
80260 - const struct cred *cred = current_cred();
80261 -
80262 -+ if (gr_acl_enable_at_secure())
80263 -+ return 1;
80264 -+
80265 - if (cred->uid != 0) {
80266 - if (bprm->cap_effective)
80267 - return 1;
80268 -diff -urNp linux-2.6.32.46/security/integrity/ima/ima.h linux-2.6.32.46/security/integrity/ima/ima.h
80269 ---- linux-2.6.32.46/security/integrity/ima/ima.h 2011-03-27 14:31:47.000000000 -0400
80270 -+++ linux-2.6.32.46/security/integrity/ima/ima.h 2011-04-17 15:56:46.000000000 -0400
80271 -@@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
80272 - extern spinlock_t ima_queue_lock;
80273 -
80274 - struct ima_h_table {
80275 -- atomic_long_t len; /* number of stored measurements in the list */
80276 -- atomic_long_t violations;
80277 -+ atomic_long_unchecked_t len; /* number of stored measurements in the list */
80278 -+ atomic_long_unchecked_t violations;
80279 - struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
80280 - };
80281 - extern struct ima_h_table ima_htable;
80282 -diff -urNp linux-2.6.32.46/security/integrity/ima/ima_api.c linux-2.6.32.46/security/integrity/ima/ima_api.c
80283 ---- linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-03-27 14:31:47.000000000 -0400
80284 -+++ linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-04-17 15:56:46.000000000 -0400
80285 -@@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
80286 - int result;
80287 -
80288 - /* can overflow, only indicator */
80289 -- atomic_long_inc(&ima_htable.violations);
80290 -+ atomic_long_inc_unchecked(&ima_htable.violations);
80291 -
80292 - entry = kmalloc(sizeof(*entry), GFP_KERNEL);
80293 - if (!entry) {
80294 -diff -urNp linux-2.6.32.46/security/integrity/ima/ima_fs.c linux-2.6.32.46/security/integrity/ima/ima_fs.c
80295 ---- linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-03-27 14:31:47.000000000 -0400
80296 -+++ linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-04-17 15:56:46.000000000 -0400
80297 -@@ -27,12 +27,12 @@
80298 - static int valid_policy = 1;
80299 - #define TMPBUFLEN 12
80300 - static ssize_t ima_show_htable_value(char __user *buf, size_t count,
80301 -- loff_t *ppos, atomic_long_t *val)
80302 -+ loff_t *ppos, atomic_long_unchecked_t *val)
80303 - {
80304 - char tmpbuf[TMPBUFLEN];
80305 - ssize_t len;
80306 -
80307 -- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
80308 -+ len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
80309 - return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
80310 - }
80311 -
80312 -diff -urNp linux-2.6.32.46/security/integrity/ima/ima_queue.c linux-2.6.32.46/security/integrity/ima/ima_queue.c
80313 ---- linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-03-27 14:31:47.000000000 -0400
80314 -+++ linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-04-17 15:56:46.000000000 -0400
80315 -@@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
80316 - INIT_LIST_HEAD(&qe->later);
80317 - list_add_tail_rcu(&qe->later, &ima_measurements);
80318 -
80319 -- atomic_long_inc(&ima_htable.len);
80320 -+ atomic_long_inc_unchecked(&ima_htable.len);
80321 - key = ima_hash_key(entry->digest);
80322 - hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
80323 - return 0;
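Review bot: atomic_long_inc_unchecked(&ima_htable.len) in ima_add_digest_entry() carries no justification for opting this counter out of overflow checking. The matching change to ima_htable.violations in ima_api.c at least sits under the existing comment "can overflow, only indicator", but len is described in ima.h as the "number of stored measurements in the list". Suggest a one-line comment here stating why an overflow of len is harmless.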
80324 -diff -urNp linux-2.6.32.46/security/keys/keyring.c linux-2.6.32.46/security/keys/keyring.c
80325 ---- linux-2.6.32.46/security/keys/keyring.c 2011-03-27 14:31:47.000000000 -0400
80326 -+++ linux-2.6.32.46/security/keys/keyring.c 2011-04-18 22:03:00.000000000 -0400
80327 -@@ -214,15 +214,15 @@ static long keyring_read(const struct ke
80328 - ret = -EFAULT;
80329 -
80330 - for (loop = 0; loop < klist->nkeys; loop++) {
80331 -+ key_serial_t serial;
80332 - key = klist->keys[loop];
80333 -+ serial = key->serial;
80334 -
80335 - tmp = sizeof(key_serial_t);
80336 - if (tmp > buflen)
80337 - tmp = buflen;
80338 -
80339 -- if (copy_to_user(buffer,
80340 -- &key->serial,
80341 -- tmp) != 0)
80342 -+ if (copy_to_user(buffer, &serial, tmp))
80343 - goto error;
80344 -
80345 - buflen -= tmp;
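Review bot: the loop in keyring_read() now copies key->serial into a stack local and passes &serial to copy_to_user(), with no comment saying why. Read on its own it looks like a redundant copy and is likely to be "cleaned up" back to &key->serial later. Suggest a short comment next to "serial = key->serial;" explaining that the copy source is deliberately a stack variable rather than a field inside the key object.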
80346 -diff -urNp linux-2.6.32.46/security/min_addr.c linux-2.6.32.46/security/min_addr.c
80347 ---- linux-2.6.32.46/security/min_addr.c 2011-03-27 14:31:47.000000000 -0400
80348 -+++ linux-2.6.32.46/security/min_addr.c 2011-04-17 15:56:46.000000000 -0400
80349 -@@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
80350 - */
80351 - static void update_mmap_min_addr(void)
80352 - {
80353 -+#ifndef SPARC
80354 - #ifdef CONFIG_LSM_MMAP_MIN_ADDR
80355 - if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
80356 - mmap_min_addr = dac_mmap_min_addr;
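Review bot: the guard added at the top of update_mmap_min_addr() tests "SPARC", not "CONFIG_SPARC". Kconfig symbols reach C code as CONFIG_-prefixed macros, as the "#ifdef CONFIG_LSM_MMAP_MIN_ADDR" test on the next line shows, so unless something else defines SPARC the "#ifndef SPARC" condition is always true and the body is still compiled on sparc. If the intent is to leave mmap_min_addr untouched on that architecture, suggest "#ifndef CONFIG_SPARC" plus a comment explaining why the function becomes a no-op there.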
80357 -@@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
80358 - #else
80359 - mmap_min_addr = dac_mmap_min_addr;
80360 - #endif
80361 -+#endif
80362 - }
80363 -
80364 - /*
80365 -diff -urNp linux-2.6.32.46/security/root_plug.c linux-2.6.32.46/security/root_plug.c
80366 ---- linux-2.6.32.46/security/root_plug.c 2011-03-27 14:31:47.000000000 -0400
80367 -+++ linux-2.6.32.46/security/root_plug.c 2011-04-17 15:56:46.000000000 -0400
80368 -@@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
80369 - return 0;
80370 - }
80371 -
80372 --static struct security_operations rootplug_security_ops = {
80373 -+static struct security_operations rootplug_security_ops __read_only = {
80374 - .bprm_check_security = rootplug_bprm_check_security,
80375 - };
80376 -
80377 -diff -urNp linux-2.6.32.46/security/security.c linux-2.6.32.46/security/security.c
80378 ---- linux-2.6.32.46/security/security.c 2011-03-27 14:31:47.000000000 -0400
80379 -+++ linux-2.6.32.46/security/security.c 2011-04-17 15:56:46.000000000 -0400
80380 -@@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
80381 - extern struct security_operations default_security_ops;
80382 - extern void security_fixup_ops(struct security_operations *ops);
80383 -
80384 --struct security_operations *security_ops; /* Initialized to NULL */
80385 -+struct security_operations *security_ops __read_only; /* Initialized to NULL */
80386 -
80387 - static inline int verify(struct security_operations *ops)
80388 - {
80389 -@@ -106,7 +106,7 @@ int __init security_module_enable(struct
80390 - * If there is already a security module registered with the kernel,
80391 - * an error will be returned. Otherwise %0 is returned on success.
80392 - */
80393 --int register_security(struct security_operations *ops)
80394 -+int __init register_security(struct security_operations *ops)
80395 - {
80396 - if (verify(ops)) {
80397 - printk(KERN_DEBUG "%s could not verify "
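Review bot: register_security() becomes __init, but the kerneldoc comment above it is unchanged and still reads as if the function can be called at any time. Code marked __init is discarded after boot, so any caller that is not itself __init would end up calling freed text. Suggest updating the comment to say the function is boot-time only and confirming that every caller, and any export of the symbol, has been adjusted to match.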
80398 -diff -urNp linux-2.6.32.46/security/selinux/hooks.c linux-2.6.32.46/security/selinux/hooks.c
80399 ---- linux-2.6.32.46/security/selinux/hooks.c 2011-03-27 14:31:47.000000000 -0400
80400 -+++ linux-2.6.32.46/security/selinux/hooks.c 2011-04-17 15:56:46.000000000 -0400
80401 -@@ -131,7 +131,7 @@ int selinux_enabled = 1;
80402 - * Minimal support for a secondary security module,
80403 - * just to allow the use of the capability module.
80404 - */
80405 --static struct security_operations *secondary_ops;
80406 -+static struct security_operations *secondary_ops __read_only;
80407 -
80408 - /* Lists of inode and superblock security structures initialized
80409 - before the policy was loaded. */
80410 -@@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
80411 -
80412 - #endif
80413 -
80414 --static struct security_operations selinux_ops = {
80415 -+static struct security_operations selinux_ops __read_only = {
80416 - .name = "selinux",
80417 -
80418 - .ptrace_access_check = selinux_ptrace_access_check,
80419 -@@ -5841,7 +5841,9 @@ int selinux_disable(void)
80420 - avc_disable();
80421 -
80422 - /* Reset security_ops to the secondary module, dummy or capability. */
80423 -+ pax_open_kernel();
80424 - security_ops = secondary_ops;
80425 -+ pax_close_kernel();
80426 -
80427 - /* Unregister netfilter hooks. */
80428 - selinux_nf_ip_exit();
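Review bot: in selinux_disable() the write "security_ops = secondary_ops;" is wrapped in pax_open_kernel()/pax_close_kernel() without a comment tying it to the __read_only annotation that security/security.c now puts on security_ops. The first hunk of this file also marks secondary_ops itself __read_only, so any runtime assignment to secondary_ops needs the same wrapping; none is visible in these hunks. Suggest a comment at the open/close pair and a check of the remaining writers of both pointers.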
80429 -diff -urNp linux-2.6.32.46/security/selinux/include/xfrm.h linux-2.6.32.46/security/selinux/include/xfrm.h
80430 ---- linux-2.6.32.46/security/selinux/include/xfrm.h 2011-03-27 14:31:47.000000000 -0400
80431 -+++ linux-2.6.32.46/security/selinux/include/xfrm.h 2011-05-18 20:09:37.000000000 -0400
80432 -@@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80433 -
80434 - static inline void selinux_xfrm_notify_policyload(void)
80435 - {
80436 -- atomic_inc(&flow_cache_genid);
80437 -+ atomic_inc_unchecked(&flow_cache_genid);
80438 - }
80439 - #else
80440 - static inline int selinux_xfrm_enabled(void)
80441 -diff -urNp linux-2.6.32.46/security/selinux/ss/services.c linux-2.6.32.46/security/selinux/ss/services.c
80442 ---- linux-2.6.32.46/security/selinux/ss/services.c 2011-03-27 14:31:47.000000000 -0400
80443 -+++ linux-2.6.32.46/security/selinux/ss/services.c 2011-05-16 21:46:57.000000000 -0400
80444 -@@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
80445 - int rc = 0;
80446 - struct policy_file file = { data, len }, *fp = &file;
80447 -
80448 -+ pax_track_stack();
80449 -+
80450 - if (!ss_initialized) {
80451 - avtab_cache_init();
80452 - if (policydb_read(&policydb, fp)) {
80453 -diff -urNp linux-2.6.32.46/security/smack/smack_lsm.c linux-2.6.32.46/security/smack/smack_lsm.c
80454 ---- linux-2.6.32.46/security/smack/smack_lsm.c 2011-03-27 14:31:47.000000000 -0400
80455 -+++ linux-2.6.32.46/security/smack/smack_lsm.c 2011-04-17 15:56:46.000000000 -0400
80456 -@@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
80457 - return 0;
80458 - }
80459 -
80460 --struct security_operations smack_ops = {
80461 -+struct security_operations smack_ops __read_only = {
80462 - .name = "smack",
80463 -
80464 - .ptrace_access_check = smack_ptrace_access_check,
80465 -diff -urNp linux-2.6.32.46/security/tomoyo/tomoyo.c linux-2.6.32.46/security/tomoyo/tomoyo.c
80466 ---- linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-03-27 14:31:47.000000000 -0400
80467 -+++ linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-04-17 15:56:46.000000000 -0400
80468 -@@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
80469 - * tomoyo_security_ops is a "struct security_operations" which is used for
80470 - * registering TOMOYO.
80471 - */
80472 --static struct security_operations tomoyo_security_ops = {
80473 -+static struct security_operations tomoyo_security_ops __read_only = {
80474 - .name = "tomoyo",
80475 - .cred_alloc_blank = tomoyo_cred_alloc_blank,
80476 - .cred_prepare = tomoyo_cred_prepare,
80477 -diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.c linux-2.6.32.46/sound/aoa/codecs/onyx.c
80478 ---- linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-03-27 14:31:47.000000000 -0400
80479 -+++ linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-04-17 15:56:46.000000000 -0400
80480 -@@ -53,7 +53,7 @@ struct onyx {
80481 - spdif_locked:1,
80482 - analog_locked:1,
80483 - original_mute:2;
80484 -- int open_count;
80485 -+ local_t open_count;
80486 - struct codec_info *codec_info;
80487 -
80488 - /* mutex serializes concurrent access to the device
80489 -@@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
80490 - struct onyx *onyx = cii->codec_data;
80491 -
80492 - mutex_lock(&onyx->mutex);
80493 -- onyx->open_count++;
80494 -+ local_inc(&onyx->open_count);
80495 - mutex_unlock(&onyx->mutex);
80496 -
80497 - return 0;
80498 -@@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
80499 - struct onyx *onyx = cii->codec_data;
80500 -
80501 - mutex_lock(&onyx->mutex);
80502 -- onyx->open_count--;
80503 -- if (!onyx->open_count)
80504 -+ if (local_dec_and_test(&onyx->open_count))
80505 - onyx->spdif_locked = onyx->analog_locked = 0;
80506 - mutex_unlock(&onyx->mutex);
80507 -
80508 -diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.h linux-2.6.32.46/sound/aoa/codecs/onyx.h
80509 ---- linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-03-27 14:31:47.000000000 -0400
80510 -+++ linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-04-17 15:56:46.000000000 -0400
80511 -@@ -11,6 +11,7 @@
80512 - #include <linux/i2c.h>
80513 - #include <asm/pmac_low_i2c.h>
80514 - #include <asm/prom.h>
80515 -+#include <asm/local.h>
80516 -
80517 - /* PCM3052 register definitions */
80518 -
80519 -diff -urNp linux-2.6.32.46/sound/core/oss/pcm_oss.c linux-2.6.32.46/sound/core/oss/pcm_oss.c
80520 ---- linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-03-27 14:31:47.000000000 -0400
80521 -+++ linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-10-06 09:37:16.000000000 -0400
80522 -@@ -1395,7 +1395,7 @@ static ssize_t snd_pcm_oss_write1(struct
80523 - }
80524 - } else {
80525 - tmp = snd_pcm_oss_write2(substream,
80526 -- (const char __force *)buf,
80527 -+ (const char __force_kernel *)buf,
80528 - runtime->oss.period_bytes, 0);
80529 - if (tmp <= 0)
80530 - goto err;
80531 -@@ -1483,7 +1483,7 @@ static ssize_t snd_pcm_oss_read1(struct
80532 - xfer += tmp;
80533 - runtime->oss.buffer_used -= tmp;
80534 - } else {
80535 -- tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
80536 -+ tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
80537 - runtime->oss.period_bytes, 0);
80538 - if (tmp <= 0)
80539 - goto err;
80540 -diff -urNp linux-2.6.32.46/sound/core/pcm_compat.c linux-2.6.32.46/sound/core/pcm_compat.c
80541 ---- linux-2.6.32.46/sound/core/pcm_compat.c 2011-08-09 18:35:30.000000000 -0400
80542 -+++ linux-2.6.32.46/sound/core/pcm_compat.c 2011-10-06 09:37:16.000000000 -0400
80543 -@@ -30,7 +30,7 @@ static int snd_pcm_ioctl_delay_compat(st
80544 - int err;
80545 -
80546 - fs = snd_enter_user();
80547 -- err = snd_pcm_delay(substream, &delay);
80548 -+ err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
80549 - snd_leave_user(fs);
80550 - if (err < 0)
80551 - return err;
80552 -diff -urNp linux-2.6.32.46/sound/core/pcm_native.c linux-2.6.32.46/sound/core/pcm_native.c
80553 ---- linux-2.6.32.46/sound/core/pcm_native.c 2011-03-27 14:31:47.000000000 -0400
80554 -+++ linux-2.6.32.46/sound/core/pcm_native.c 2011-10-06 09:37:16.000000000 -0400
80555 -@@ -2747,11 +2747,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
80556 - switch (substream->stream) {
80557 - case SNDRV_PCM_STREAM_PLAYBACK:
80558 - result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
80559 -- (void __user *)arg);
80560 -+ (void __force_user *)arg);
80561 - break;
80562 - case SNDRV_PCM_STREAM_CAPTURE:
80563 - result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
80564 -- (void __user *)arg);
80565 -+ (void __force_user *)arg);
80566 - break;
80567 - default:
80568 - result = -EINVAL;
80569 -diff -urNp linux-2.6.32.46/sound/core/seq/seq_device.c linux-2.6.32.46/sound/core/seq/seq_device.c
80570 ---- linux-2.6.32.46/sound/core/seq/seq_device.c 2011-03-27 14:31:47.000000000 -0400
80571 -+++ linux-2.6.32.46/sound/core/seq/seq_device.c 2011-08-05 20:33:55.000000000 -0400
80572 -@@ -63,7 +63,7 @@ struct ops_list {
80573 - int argsize; /* argument size */
80574 -
80575 - /* operators */
80576 -- struct snd_seq_dev_ops ops;
80577 -+ struct snd_seq_dev_ops *ops;
80578 -
80579 - /* registred devices */
80580 - struct list_head dev_list; /* list of devices */
80581 -@@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char
80582 -
80583 - mutex_lock(&ops->reg_mutex);
80584 - /* copy driver operators */
80585 -- ops->ops = *entry;
80586 -+ ops->ops = entry;
80587 - ops->driver |= DRIVER_LOADED;
80588 - ops->argsize = argsize;
80589 -
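Review bot: snd_seq_device_register_driver() now stores the caller's pointer ("ops->ops = entry;") instead of copying the structure, but the comment above it still says "copy driver operators". Beyond the stale comment, this changes the lifetime contract: the snd_seq_dev_ops passed in must now stay valid for as long as the ops_list entry exists, and a caller that built it on the stack would leave a dangling pointer that init_device() and free_device() later call through. Suggest fixing the comment and documenting the new requirement where the function is declared.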
80590 -@@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
80591 - dev->name, ops->id, ops->argsize, dev->argsize);
80592 - return -EINVAL;
80593 - }
80594 -- if (ops->ops.init_device(dev) >= 0) {
80595 -+ if (ops->ops->init_device(dev) >= 0) {
80596 - dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
80597 - ops->num_init_devices++;
80598 - } else {
80599 -@@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
80600 - dev->name, ops->id, ops->argsize, dev->argsize);
80601 - return -EINVAL;
80602 - }
80603 -- if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
80604 -+ if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
80605 - dev->status = SNDRV_SEQ_DEVICE_FREE;
80606 - dev->driver_data = NULL;
80607 - ops->num_init_devices--;
80608 -diff -urNp linux-2.6.32.46/sound/drivers/mts64.c linux-2.6.32.46/sound/drivers/mts64.c
80609 ---- linux-2.6.32.46/sound/drivers/mts64.c 2011-03-27 14:31:47.000000000 -0400
80610 -+++ linux-2.6.32.46/sound/drivers/mts64.c 2011-04-17 15:56:46.000000000 -0400
80611 -@@ -27,6 +27,7 @@
80612 - #include <sound/initval.h>
80613 - #include <sound/rawmidi.h>
80614 - #include <sound/control.h>
80615 -+#include <asm/local.h>
80616 -
80617 - #define CARD_NAME "Miditerminal 4140"
80618 - #define DRIVER_NAME "MTS64"
80619 -@@ -65,7 +66,7 @@ struct mts64 {
80620 - struct pardevice *pardev;
80621 - int pardev_claimed;
80622 -
80623 -- int open_count;
80624 -+ local_t open_count;
80625 - int current_midi_output_port;
80626 - int current_midi_input_port;
80627 - u8 mode[MTS64_NUM_INPUT_PORTS];
80628 -@@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
80629 - {
80630 - struct mts64 *mts = substream->rmidi->private_data;
80631 -
80632 -- if (mts->open_count == 0) {
80633 -+ if (local_read(&mts->open_count) == 0) {
80634 - /* We don't need a spinlock here, because this is just called
80635 - if the device has not been opened before.
80636 - So there aren't any IRQs from the device */
80637 -@@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
80638 -
80639 - msleep(50);
80640 - }
80641 -- ++(mts->open_count);
80642 -+ local_inc(&mts->open_count);
80643 -
80644 - return 0;
80645 - }
80646 -@@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
80647 - struct mts64 *mts = substream->rmidi->private_data;
80648 - unsigned long flags;
80649 -
80650 -- --(mts->open_count);
80651 -- if (mts->open_count == 0) {
80652 -+ if (local_dec_return(&mts->open_count) == 0) {
80653 - /* We need the spinlock_irqsave here because we can still
80654 - have IRQs at this point */
80655 - spin_lock_irqsave(&mts->lock, flags);
80656 -@@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
80657 -
80658 - msleep(500);
80659 -
80660 -- } else if (mts->open_count < 0)
80661 -- mts->open_count = 0;
80662 -+ } else if (local_read(&mts->open_count) < 0)
80663 -+ local_set(&mts->open_count, 0);
80664 -
80665 - return 0;
80666 - }
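Review bot: in snd_mts64_rawmidi_close the clamp is still a separate read and write, local_read(&mts->open_count) < 0 followed by local_set(&mts->open_count, 0), so moving the field to local_t makes each step atomic but not the check-and-reset as a whole. If a negative count can really occur, do the clamp under mts->lock; otherwise drop the branch and document that open and close are always paired.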
80667 -diff -urNp linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c
80668 ---- linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-03-27 14:31:47.000000000 -0400
80669 -+++ linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-08-05 20:33:55.000000000 -0400
80670 -@@ -27,7 +27,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
80671 - MODULE_DESCRIPTION("OPL4 driver");
80672 - MODULE_LICENSE("GPL");
80673 -
80674 --static void inline snd_opl4_wait(struct snd_opl4 *opl4)
80675 -+static inline void snd_opl4_wait(struct snd_opl4 *opl4)
80676 - {
80677 - int timeout = 10;
80678 - while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
80679 -diff -urNp linux-2.6.32.46/sound/drivers/portman2x4.c linux-2.6.32.46/sound/drivers/portman2x4.c
80680 ---- linux-2.6.32.46/sound/drivers/portman2x4.c 2011-03-27 14:31:47.000000000 -0400
80681 -+++ linux-2.6.32.46/sound/drivers/portman2x4.c 2011-04-17 15:56:46.000000000 -0400
80682 -@@ -46,6 +46,7 @@
80683 - #include <sound/initval.h>
80684 - #include <sound/rawmidi.h>
80685 - #include <sound/control.h>
80686 -+#include <asm/local.h>
80687 -
80688 - #define CARD_NAME "Portman 2x4"
80689 - #define DRIVER_NAME "portman"
80690 -@@ -83,7 +84,7 @@ struct portman {
80691 - struct pardevice *pardev;
80692 - int pardev_claimed;
80693 -
80694 -- int open_count;
80695 -+ local_t open_count;
80696 - int mode[PORTMAN_NUM_INPUT_PORTS];
80697 - struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
80698 - };
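Review bot: the portman2x4.c part changes open_count to local_t in struct portman and adds the asm/local.h include, but no hunk for this file converts a reader or writer of the field, unlike mts64.c where open, close and the clamp are all switched to local_read, local_inc and local_dec_return. Either the remaining accesses need the same conversion or the field is unused in this driver, in which case the type change deserves a line of explanation.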
80699 -diff -urNp linux-2.6.32.46/sound/isa/cmi8330.c linux-2.6.32.46/sound/isa/cmi8330.c
80700 ---- linux-2.6.32.46/sound/isa/cmi8330.c 2011-03-27 14:31:47.000000000 -0400
80701 -+++ linux-2.6.32.46/sound/isa/cmi8330.c 2011-08-23 21:22:32.000000000 -0400
80702 -@@ -173,7 +173,7 @@ struct snd_cmi8330 {
80703 -
80704 - struct snd_pcm *pcm;
80705 - struct snd_cmi8330_stream {
80706 -- struct snd_pcm_ops ops;
80707 -+ snd_pcm_ops_no_const ops;
80708 - snd_pcm_open_callback_t open;
80709 - void *private_data; /* sb or wss */
80710 - } streams[2];
80711 -diff -urNp linux-2.6.32.46/sound/oss/sb_audio.c linux-2.6.32.46/sound/oss/sb_audio.c
80712 ---- linux-2.6.32.46/sound/oss/sb_audio.c 2011-03-27 14:31:47.000000000 -0400
80713 -+++ linux-2.6.32.46/sound/oss/sb_audio.c 2011-04-17 15:56:46.000000000 -0400
80714 -@@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
80715 - buf16 = (signed short *)(localbuf + localoffs);
80716 - while (c)
80717 - {
80718 -- locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
80719 -+ locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
80720 - if (copy_from_user(lbuf8,
80721 - userbuf+useroffs + p,
80722 - locallen))
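Review bot: the (unsigned)c cast in sb16_copy_from_user changes behaviour only for a negative c, where locallen is now capped at LBUFCOPYSIZE; the surrounding while (c) loop is still entered for a negative c and nothing in this hunk rejects it. Check c <= 0 before the loop, or make the count unsigned at its source, and add a comment saying the cast guards the copy_from_user length against a signed comparison.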
80723 -diff -urNp linux-2.6.32.46/sound/oss/swarm_cs4297a.c linux-2.6.32.46/sound/oss/swarm_cs4297a.c
80724 ---- linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-03-27 14:31:47.000000000 -0400
80725 -+++ linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-04-17 15:56:46.000000000 -0400
80726 -@@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
80727 - {
80728 - struct cs4297a_state *s;
80729 - u32 pwr, id;
80730 -- mm_segment_t fs;
80731 - int rval;
80732 - #ifndef CONFIG_BCM_CS4297A_CSWARM
80733 - u64 cfg;
80734 -@@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
80735 - if (!rval) {
80736 - char *sb1250_duart_present;
80737 -
80738 -+#if 0
80739 -+ mm_segment_t fs;
80740 - fs = get_fs();
80741 - set_fs(KERNEL_DS);
80742 --#if 0
80743 - val = SOUND_MASK_LINE;
80744 - mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
80745 - for (i = 0; i < ARRAY_SIZE(initvol); i++) {
80746 - val = initvol[i].vol;
80747 - mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
80748 - }
80749 -+ set_fs(fs);
80750 - // cs4297a_write_ac97(s, 0x18, 0x0808);
80751 - #else
80752 - // cs4297a_write_ac97(s, 0x5e, 0x180);
80753 - cs4297a_write_ac97(s, 0x02, 0x0808);
80754 - cs4297a_write_ac97(s, 0x18, 0x0808);
80755 - #endif
80756 -- set_fs(fs);
80757 -
80758 - list_add(&s->list, &cs4297a_devs);
80759 -
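Review bot: after this change the get_fs(), set_fs(KERNEL_DS), set_fs(fs) sequence in cs4297a_init sits entirely inside the #if 0 branch, so it is dead code together with the mixer_ioctl calls it wrapped. Deleting the disabled block would be clearer than moving the declaration of fs into it, and would leave no address-limit override to be re-enabled by accident.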
80760 -diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_codec.c linux-2.6.32.46/sound/pci/ac97/ac97_codec.c
80761 ---- linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-03-27 14:31:47.000000000 -0400
80762 -+++ linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-04-17 15:56:46.000000000 -0400
80763 -@@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
80764 - }
80765 -
80766 - /* build_ops to do nothing */
80767 --static struct snd_ac97_build_ops null_build_ops;
80768 -+static const struct snd_ac97_build_ops null_build_ops;
80769 -
80770 - #ifdef CONFIG_SND_AC97_POWER_SAVE
80771 - static void do_update_power(struct work_struct *work)
80772 -diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_patch.c linux-2.6.32.46/sound/pci/ac97/ac97_patch.c
80773 ---- linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:24:44.000000000 -0400
80774 -+++ linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:25:07.000000000 -0400
80775 -@@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
80776 - return 0;
80777 - }
80778 -
80779 --static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
80780 -+static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
80781 - .build_spdif = patch_yamaha_ymf743_build_spdif,
80782 - .build_3d = patch_yamaha_ymf7x3_3d,
80783 - };
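Review bot: patch_yamaha_ymf743_ops and the other snd_ac97_build_ops tables in this file become const, but the pointer they are assigned to is declared outside these hunks. It has to be a pointer to const as well, otherwise each assignment discards the qualifier and only produces a warning. Confirm the matching header change is part of the same patch so that no assignment site needs a cast.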
80784 -@@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
80785 - return 0;
80786 - }
80787 -
80788 --static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
80789 -+static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
80790 - .build_3d = patch_yamaha_ymf7x3_3d,
80791 - .build_post_spdif = patch_yamaha_ymf753_post_spdif
80792 - };
80793 -@@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
80794 - return 0;
80795 - }
80796 -
80797 --static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
80798 -+static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
80799 - .build_specific = patch_wolfson_wm9703_specific,
80800 - };
80801 -
80802 -@@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
80803 - return 0;
80804 - }
80805 -
80806 --static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
80807 -+static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
80808 - .build_specific = patch_wolfson_wm9704_specific,
80809 - };
80810 -
80811 -@@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
80812 - return 0;
80813 - }
80814 -
80815 --static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
80816 -+static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
80817 - .build_specific = patch_wolfson_wm9705_specific,
80818 - };
80819 -
80820 -@@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
80821 - return 0;
80822 - }
80823 -
80824 --static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
80825 -+static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
80826 - .build_specific = patch_wolfson_wm9711_specific,
80827 - };
80828 -
80829 -@@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
80830 - }
80831 - #endif
80832 -
80833 --static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
80834 -+static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
80835 - .build_specific = patch_wolfson_wm9713_specific,
80836 - .build_3d = patch_wolfson_wm9713_3d,
80837 - #ifdef CONFIG_PM
80838 -@@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
80839 - return 0;
80840 - }
80841 -
80842 --static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
80843 -+static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
80844 - .build_3d = patch_sigmatel_stac9700_3d,
80845 - .build_specific = patch_sigmatel_stac97xx_specific
80846 - };
80847 -@@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
80848 - return patch_sigmatel_stac97xx_specific(ac97);
80849 - }
80850 -
80851 --static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
80852 -+static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
80853 - .build_3d = patch_sigmatel_stac9708_3d,
80854 - .build_specific = patch_sigmatel_stac9708_specific
80855 - };
80856 -@@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
80857 - return 0;
80858 - }
80859 -
80860 --static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
80861 -+static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
80862 - .build_3d = patch_sigmatel_stac9700_3d,
80863 - .build_specific = patch_sigmatel_stac9758_specific
80864 - };
80865 -@@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
80866 - return 0;
80867 - }
80868 -
80869 --static struct snd_ac97_build_ops patch_cirrus_ops = {
80870 -+static const struct snd_ac97_build_ops patch_cirrus_ops = {
80871 - .build_spdif = patch_cirrus_build_spdif
80872 - };
80873 -
80874 -@@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
80875 - return 0;
80876 - }
80877 -
80878 --static struct snd_ac97_build_ops patch_conexant_ops = {
80879 -+static const struct snd_ac97_build_ops patch_conexant_ops = {
80880 - .build_spdif = patch_conexant_build_spdif
80881 - };
80882 -
80883 -@@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
80884 - }
80885 - }
80886 -
80887 --static struct snd_ac97_build_ops patch_ad1881_build_ops = {
80888 -+static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
80889 - #ifdef CONFIG_PM
80890 - .resume = ad18xx_resume
80891 - #endif
80892 -@@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
80893 - return 0;
80894 - }
80895 -
80896 --static struct snd_ac97_build_ops patch_ad1885_build_ops = {
80897 -+static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
80898 - .build_specific = &patch_ad1885_specific,
80899 - #ifdef CONFIG_PM
80900 - .resume = ad18xx_resume
80901 -@@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
80902 - return 0;
80903 - }
80904 -
80905 --static struct snd_ac97_build_ops patch_ad1886_build_ops = {
80906 -+static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
80907 - .build_specific = &patch_ad1886_specific,
80908 - #ifdef CONFIG_PM
80909 - .resume = ad18xx_resume
80910 -@@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
80911 - ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
80912 - }
80913 -
80914 --static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
80915 -+static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
80916 - .build_post_spdif = patch_ad198x_post_spdif,
80917 - .build_specific = patch_ad1981a_specific,
80918 - #ifdef CONFIG_PM
80919 -@@ -1952,7 +1952,7 @@ static int patch_ad1981b_specific(struct
80920 - ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
80921 - }
80922 -
80923 --static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
80924 -+static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
80925 - .build_post_spdif = patch_ad198x_post_spdif,
80926 - .build_specific = patch_ad1981b_specific,
80927 - #ifdef CONFIG_PM
80928 -@@ -2091,7 +2091,7 @@ static int patch_ad1888_specific(struct
80929 - return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
80930 - }
80931 -
80932 --static struct snd_ac97_build_ops patch_ad1888_build_ops = {
80933 -+static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
80934 - .build_post_spdif = patch_ad198x_post_spdif,
80935 - .build_specific = patch_ad1888_specific,
80936 - #ifdef CONFIG_PM
80937 -@@ -2140,7 +2140,7 @@ static int patch_ad1980_specific(struct
80938 - return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
80939 - }
80940 -
80941 --static struct snd_ac97_build_ops patch_ad1980_build_ops = {
80942 -+static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
80943 - .build_post_spdif = patch_ad198x_post_spdif,
80944 - .build_specific = patch_ad1980_specific,
80945 - #ifdef CONFIG_PM
80946 -@@ -2255,7 +2255,7 @@ static int patch_ad1985_specific(struct
80947 - ARRAY_SIZE(snd_ac97_ad1985_controls));
80948 - }
80949 -
80950 --static struct snd_ac97_build_ops patch_ad1985_build_ops = {
80951 -+static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
80952 - .build_post_spdif = patch_ad198x_post_spdif,
80953 - .build_specific = patch_ad1985_specific,
80954 - #ifdef CONFIG_PM
80955 -@@ -2547,7 +2547,7 @@ static int patch_ad1986_specific(struct
80956 - ARRAY_SIZE(snd_ac97_ad1985_controls));
80957 - }
80958 -
80959 --static struct snd_ac97_build_ops patch_ad1986_build_ops = {
80960 -+static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
80961 - .build_post_spdif = patch_ad198x_post_spdif,
80962 - .build_specific = patch_ad1986_specific,
80963 - #ifdef CONFIG_PM
80964 -@@ -2652,7 +2652,7 @@ static int patch_alc650_specific(struct
80965 - return 0;
80966 - }
80967 -
80968 --static struct snd_ac97_build_ops patch_alc650_ops = {
80969 -+static const struct snd_ac97_build_ops patch_alc650_ops = {
80970 - .build_specific = patch_alc650_specific,
80971 - .update_jacks = alc650_update_jacks
80972 - };
80973 -@@ -2804,7 +2804,7 @@ static int patch_alc655_specific(struct
80974 - return 0;
80975 - }
80976 -
80977 --static struct snd_ac97_build_ops patch_alc655_ops = {
80978 -+static const struct snd_ac97_build_ops patch_alc655_ops = {
80979 - .build_specific = patch_alc655_specific,
80980 - .update_jacks = alc655_update_jacks
80981 - };
80982 -@@ -2916,7 +2916,7 @@ static int patch_alc850_specific(struct
80983 - return 0;
80984 - }
80985 -
80986 --static struct snd_ac97_build_ops patch_alc850_ops = {
80987 -+static const struct snd_ac97_build_ops patch_alc850_ops = {
80988 - .build_specific = patch_alc850_specific,
80989 - .update_jacks = alc850_update_jacks
80990 - };
80991 -@@ -2978,7 +2978,7 @@ static int patch_cm9738_specific(struct
80992 - return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
80993 - }
80994 -
80995 --static struct snd_ac97_build_ops patch_cm9738_ops = {
80996 -+static const struct snd_ac97_build_ops patch_cm9738_ops = {
80997 - .build_specific = patch_cm9738_specific,
80998 - .update_jacks = cm9738_update_jacks
80999 - };
81000 -@@ -3069,7 +3069,7 @@ static int patch_cm9739_post_spdif(struc
81001 - return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
81002 - }
81003 -
81004 --static struct snd_ac97_build_ops patch_cm9739_ops = {
81005 -+static const struct snd_ac97_build_ops patch_cm9739_ops = {
81006 - .build_specific = patch_cm9739_specific,
81007 - .build_post_spdif = patch_cm9739_post_spdif,
81008 - .update_jacks = cm9739_update_jacks
81009 -@@ -3243,7 +3243,7 @@ static int patch_cm9761_specific(struct
81010 - return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
81011 - }
81012 -
81013 --static struct snd_ac97_build_ops patch_cm9761_ops = {
81014 -+static const struct snd_ac97_build_ops patch_cm9761_ops = {
81015 - .build_specific = patch_cm9761_specific,
81016 - .build_post_spdif = patch_cm9761_post_spdif,
81017 - .update_jacks = cm9761_update_jacks
81018 -@@ -3339,7 +3339,7 @@ static int patch_cm9780_specific(struct
81019 - return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
81020 - }
81021 -
81022 --static struct snd_ac97_build_ops patch_cm9780_ops = {
81023 -+static const struct snd_ac97_build_ops patch_cm9780_ops = {
81024 - .build_specific = patch_cm9780_specific,
81025 - .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
81026 - };
81027 -@@ -3459,7 +3459,7 @@ static int patch_vt1616_specific(struct
81028 - return 0;
81029 - }
81030 -
81031 --static struct snd_ac97_build_ops patch_vt1616_ops = {
81032 -+static const struct snd_ac97_build_ops patch_vt1616_ops = {
81033 - .build_specific = patch_vt1616_specific
81034 - };
81035 -
81036 -@@ -3813,7 +3813,7 @@ static int patch_it2646_specific(struct
81037 - return 0;
81038 - }
81039 -
81040 --static struct snd_ac97_build_ops patch_it2646_ops = {
81041 -+static const struct snd_ac97_build_ops patch_it2646_ops = {
81042 - .build_specific = patch_it2646_specific,
81043 - .update_jacks = it2646_update_jacks
81044 - };
81045 -@@ -3847,7 +3847,7 @@ static int patch_si3036_specific(struct
81046 - return 0;
81047 - }
81048 -
81049 --static struct snd_ac97_build_ops patch_si3036_ops = {
81050 -+static const struct snd_ac97_build_ops patch_si3036_ops = {
81051 - .build_specific = patch_si3036_specific,
81052 - };
81053 -
81054 -@@ -3914,7 +3914,7 @@ static int patch_ucb1400_specific(struct
81055 - return 0;
81056 - }
81057 -
81058 --static struct snd_ac97_build_ops patch_ucb1400_ops = {
81059 -+static const struct snd_ac97_build_ops patch_ucb1400_ops = {
81060 - .build_specific = patch_ucb1400_specific,
81061 - };
81062 -
81063 -diff -urNp linux-2.6.32.46/sound/pci/hda/hda_codec.h linux-2.6.32.46/sound/pci/hda/hda_codec.h
81064 ---- linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-03-27 14:31:47.000000000 -0400
81065 -+++ linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-08-23 21:22:32.000000000 -0400
81066 -@@ -580,7 +580,7 @@ struct hda_bus_ops {
81067 - /* notify power-up/down from codec to controller */
81068 - void (*pm_notify)(struct hda_bus *bus);
81069 - #endif
81070 --};
81071 -+} __no_const;
81072 -
81073 - /* template to pass to the bus constructor */
81074 - struct hda_bus_template {
81075 -@@ -675,6 +675,7 @@ struct hda_codec_ops {
81076 - int (*check_power_status)(struct hda_codec *codec, hda_nid_t nid);
81077 - #endif
81078 - };
81079 -+typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
81080 -
81081 - /* record for amp information cache */
81082 - struct hda_cache_head {
81083 -@@ -705,7 +706,7 @@ struct hda_pcm_ops {
81084 - struct snd_pcm_substream *substream);
81085 - int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
81086 - struct snd_pcm_substream *substream);
81087 --};
81088 -+} __no_const;
81089 -
81090 - /* PCM information for each substream */
81091 - struct hda_pcm_stream {
81092 -@@ -760,7 +761,7 @@ struct hda_codec {
81093 - const char *modelname; /* model name for preset */
81094 -
81095 - /* set by patch */
81096 -- struct hda_codec_ops patch_ops;
81097 -+ hda_codec_ops_no_const patch_ops;
81098 -
81099 - /* PCM to create, set by patch_ops.build_pcms callback */
81100 - unsigned int num_pcms;
81101 -diff -urNp linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c
81102 ---- linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-03-27 14:31:47.000000000 -0400
81103 -+++ linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-08-05 20:33:55.000000000 -0400
81104 -@@ -177,7 +177,7 @@ static int patch_atihdmi(struct hda_code
81105 - */
81106 - spec->multiout.dig_out_nid = CVT_NID;
81107 -
81108 -- codec->patch_ops = atihdmi_patch_ops;
81109 -+ memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));
81110 -
81111 - return 0;
81112 - }
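Review bot: memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops)) in patch_atihdmi takes its size from the source and casts the destination to void *, so the compiler no longer checks that both sides have the same type. The hda_codec.h hunk in this patch already declares patch_ops as hda_codec_ops_no_const, so the plain assignment codec->patch_ops = atihdmi_patch_ops should compile again; if memcpy stays, use sizeof(codec->patch_ops) as the usbaudio.c hunks do with sizeof(subs->ops). The same applies to the patch_intelhdmi.c, patch_nvhdmi.c and patch_sigmatel.c hunks.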
81113 -diff -urNp linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c
81114 ---- linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-03-27 14:31:47.000000000 -0400
81115 -+++ linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-08-05 20:33:55.000000000 -0400
81116 -@@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
81117 - cp_ready);
81118 -
81119 - /* TODO */
81120 -- if (cp_state)
81121 -- ;
81122 -- if (cp_ready)
81123 -- ;
81124 -+ if (cp_state) {
81125 -+ }
81126 -+ if (cp_ready) {
81127 -+ }
81128 - }
81129 -
81130 -
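Review bot: in hdmi_non_intrinsic_event the two TODO branches are rewritten from an empty statement to empty braces, which keeps dead conditionals on cp_state and cp_ready purely to quiet a warning. Remove both tests until the TODO is implemented, or mark the two values as deliberately unused.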
81131 -@@ -656,7 +656,7 @@ static int do_patch_intel_hdmi(struct hd
81132 - spec->multiout.dig_out_nid = cvt_nid;
81133 -
81134 - codec->spec = spec;
81135 -- codec->patch_ops = intel_hdmi_patch_ops;
81136 -+ memcpy((void *)&codec->patch_ops, &intel_hdmi_patch_ops, sizeof(intel_hdmi_patch_ops));
81137 -
81138 - snd_hda_eld_proc_new(codec, &spec->sink_eld);
81139 -
81140 -diff -urNp linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c
81141 ---- linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-03-27 14:31:47.000000000 -0400
81142 -+++ linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-08-05 20:33:55.000000000 -0400
81143 -@@ -367,7 +367,7 @@ static int patch_nvhdmi_8ch(struct hda_c
81144 - spec->multiout.max_channels = 8;
81145 - spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
81146 -
81147 -- codec->patch_ops = nvhdmi_patch_ops_8ch;
81148 -+ memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_8ch, sizeof(nvhdmi_patch_ops_8ch));
81149 -
81150 - return 0;
81151 - }
81152 -@@ -386,7 +386,7 @@ static int patch_nvhdmi_2ch(struct hda_c
81153 - spec->multiout.max_channels = 2;
81154 - spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
81155 -
81156 -- codec->patch_ops = nvhdmi_patch_ops_2ch;
81157 -+ memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_2ch, sizeof(nvhdmi_patch_ops_2ch));
81158 -
81159 - return 0;
81160 - }
81161 -diff -urNp linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c
81162 ---- linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-06-25 12:55:35.000000000 -0400
81163 -+++ linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-08-23 21:22:32.000000000 -0400
81164 -@@ -5220,7 +5220,7 @@ again:
81165 - snd_hda_codec_write_cache(codec, nid, 0,
81166 - AC_VERB_SET_CONNECT_SEL, num_dacs);
81167 -
81168 -- codec->patch_ops = stac92xx_patch_ops;
81169 -+ memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
81170 -
81171 - codec->proc_widget_hook = stac92hd_proc_hook;
81172 -
81173 -@@ -5294,7 +5294,7 @@ static int patch_stac92hd71bxx(struct hd
81174 - return -ENOMEM;
81175 -
81176 - codec->spec = spec;
81177 -- codec->patch_ops = stac92xx_patch_ops;
81178 -+ memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
81179 - spec->num_pins = STAC92HD71BXX_NUM_PINS;
81180 - switch (codec->vendor_id) {
81181 - case 0x111d76b6:
81182 -diff -urNp linux-2.6.32.46/sound/pci/ice1712/ice1712.h linux-2.6.32.46/sound/pci/ice1712/ice1712.h
81183 ---- linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-03-27 14:31:47.000000000 -0400
81184 -+++ linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-08-05 20:33:55.000000000 -0400
81185 -@@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
81186 - unsigned int mask_flags; /* total mask bits */
81187 - struct snd_akm4xxx_ops {
81188 - void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
81189 -- } ops;
81190 -+ } __no_const ops;
81191 - };
81192 -
81193 - struct snd_ice1712_spdif {
81194 -@@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
81195 - int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
81196 - void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
81197 - int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
81198 -- } ops;
81199 -+ } __no_const ops;
81200 - };
81201 -
81202 -
81203 -diff -urNp linux-2.6.32.46/sound/pci/intel8x0m.c linux-2.6.32.46/sound/pci/intel8x0m.c
81204 ---- linux-2.6.32.46/sound/pci/intel8x0m.c 2011-03-27 14:31:47.000000000 -0400
81205 -+++ linux-2.6.32.46/sound/pci/intel8x0m.c 2011-04-23 12:56:12.000000000 -0400
81206 -@@ -1264,7 +1264,7 @@ static struct shortname_table {
81207 - { 0x5455, "ALi M5455" },
81208 - { 0x746d, "AMD AMD8111" },
81209 - #endif
81210 -- { 0 },
81211 -+ { 0, },
81212 - };
81213 -
81214 - static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
81215 -diff -urNp linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c
81216 ---- linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-03-27 14:31:47.000000000 -0400
81217 -+++ linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-05-04 17:56:28.000000000 -0400
81218 -@@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
81219 - if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
81220 - break;
81221 - }
81222 -- if (atomic_read(&chip->interrupt_sleep_count)) {
81223 -- atomic_set(&chip->interrupt_sleep_count, 0);
81224 -+ if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
81225 -+ atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
81226 - wake_up(&chip->interrupt_sleep);
81227 - }
81228 - __end:
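Review bot: snd_ymfpci_hw_stop and the other three hunks in this file move interrupt_sleep_count to the atomic_*_unchecked accessors with no comment on why this counter is exempt from the checked variants, and the field's declaration is not touched in this file. A one-line comment at the field (it counts sleepers and is reset to 0 on wake-up, it does not track an object's lifetime) would document the exemption, and the matching type change in the header needs to be in the same patch.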
81229 -@@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
81230 - continue;
81231 - init_waitqueue_entry(&wait, current);
81232 - add_wait_queue(&chip->interrupt_sleep, &wait);
81233 -- atomic_inc(&chip->interrupt_sleep_count);
81234 -+ atomic_inc_unchecked(&chip->interrupt_sleep_count);
81235 - schedule_timeout_uninterruptible(msecs_to_jiffies(50));
81236 - remove_wait_queue(&chip->interrupt_sleep, &wait);
81237 - }
81238 -@@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
81239 - snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
81240 - spin_unlock(&chip->reg_lock);
81241 -
81242 -- if (atomic_read(&chip->interrupt_sleep_count)) {
81243 -- atomic_set(&chip->interrupt_sleep_count, 0);
81244 -+ if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
81245 -+ atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
81246 - wake_up(&chip->interrupt_sleep);
81247 - }
81248 - }
81249 -@@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
81250 - spin_lock_init(&chip->reg_lock);
81251 - spin_lock_init(&chip->voice_lock);
81252 - init_waitqueue_head(&chip->interrupt_sleep);
81253 -- atomic_set(&chip->interrupt_sleep_count, 0);
81254 -+ atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
81255 - chip->card = card;
81256 - chip->pci = pci;
81257 - chip->irq = -1;
81258 -diff -urNp linux-2.6.32.46/sound/soc/soc-core.c linux-2.6.32.46/sound/soc/soc-core.c
81259 ---- linux-2.6.32.46/sound/soc/soc-core.c 2011-03-27 14:31:47.000000000 -0400
81260 -+++ linux-2.6.32.46/sound/soc/soc-core.c 2011-08-23 21:22:32.000000000 -0400
81261 -@@ -609,7 +609,7 @@ static int soc_pcm_trigger(struct snd_pc
81262 - }
81263 -
81264 - /* ASoC PCM operations */
81265 --static struct snd_pcm_ops soc_pcm_ops = {
81266 -+static snd_pcm_ops_no_const soc_pcm_ops = {
81267 - .open = soc_pcm_open,
81268 - .close = soc_codec_close,
81269 - .hw_params = soc_pcm_hw_params,
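Review bot: soc_pcm_ops is switched to snd_pcm_ops_no_const, which keeps a file-scope table of function pointers writable, but nothing in this hunk shows or documents which members are assigned at run time. Add a comment naming the fields that are filled in later so the exemption can be revisited.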
81270 -diff -urNp linux-2.6.32.46/sound/usb/usbaudio.c linux-2.6.32.46/sound/usb/usbaudio.c
81271 ---- linux-2.6.32.46/sound/usb/usbaudio.c 2011-03-27 14:31:47.000000000 -0400
81272 -+++ linux-2.6.32.46/sound/usb/usbaudio.c 2011-08-05 20:33:55.000000000 -0400
81273 -@@ -963,12 +963,12 @@ static int snd_usb_pcm_playback_trigger(
81274 - switch (cmd) {
81275 - case SNDRV_PCM_TRIGGER_START:
81276 - case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
81277 -- subs->ops.prepare = prepare_playback_urb;
81278 -+ *(void **)&subs->ops.prepare = prepare_playback_urb;
81279 - return 0;
81280 - case SNDRV_PCM_TRIGGER_STOP:
81281 - return deactivate_urbs(subs, 0, 0);
81282 - case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
81283 -- subs->ops.prepare = prepare_nodata_playback_urb;
81284 -+ *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
81285 - return 0;
81286 - default:
81287 - return -EINVAL;
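Review bot: *(void **)&subs->ops.prepare = prepare_playback_urb in snd_usb_pcm_playback_trigger writes a function pointer through a void ** alias, which drops the check that the handler matches the member's prototype and stores a function address as an object pointer. The callbacks are swapped on every trigger, so this ops structure is runtime state; giving it a non-const type, as the hda_codec.h hunk does with __no_const, would let the plain typed assignment stay. The capture trigger, snd_usb_pcm_prepare and init_substream hunks repeat the pattern.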
81288 -@@ -985,15 +985,15 @@ static int snd_usb_pcm_capture_trigger(s
81289 -
81290 - switch (cmd) {
81291 - case SNDRV_PCM_TRIGGER_START:
81292 -- subs->ops.retire = retire_capture_urb;
81293 -+ *(void **)&subs->ops.retire = retire_capture_urb;
81294 - return start_urbs(subs, substream->runtime);
81295 - case SNDRV_PCM_TRIGGER_STOP:
81296 - return deactivate_urbs(subs, 0, 0);
81297 - case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
81298 -- subs->ops.retire = retire_paused_capture_urb;
81299 -+ *(void **)&subs->ops.retire = retire_paused_capture_urb;
81300 - return 0;
81301 - case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
81302 -- subs->ops.retire = retire_capture_urb;
81303 -+ *(void **)&subs->ops.retire = retire_capture_urb;
81304 - return 0;
81305 - default:
81306 - return -EINVAL;
81307 -@@ -1542,7 +1542,7 @@ static int snd_usb_pcm_prepare(struct sn
81308 - /* for playback, submit the URBs now; otherwise, the first hwptr_done
81309 - * updates for all URBs would happen at the same time when starting */
81310 - if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK) {
81311 -- subs->ops.prepare = prepare_nodata_playback_urb;
81312 -+ *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
81313 - return start_urbs(subs, runtime);
81314 - } else
81315 - return 0;
81316 -@@ -2228,14 +2228,14 @@ static void init_substream(struct snd_us
81317 - subs->direction = stream;
81318 - subs->dev = as->chip->dev;
81319 - if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL) {
81320 -- subs->ops = audio_urb_ops[stream];
81321 -+ memcpy((void *)&subs->ops, &audio_urb_ops[stream], sizeof(subs->ops));
81322 - } else {
81323 -- subs->ops = audio_urb_ops_high_speed[stream];
81324 -+ memcpy((void *)&subs->ops, &audio_urb_ops_high_speed[stream], sizeof(subs->ops));
81325 - switch (as->chip->usb_id) {
81326 - case USB_ID(0x041e, 0x3f02): /* E-Mu 0202 USB */
81327 - case USB_ID(0x041e, 0x3f04): /* E-Mu 0404 USB */
81328 - case USB_ID(0x041e, 0x3f0a): /* E-Mu Tracker Pre */
81329 -- subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
81330 -+ *(void **)&subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
81331 - break;
81332 - }
81333 - }
81334 -diff -urNp linux-2.6.32.46/tools/gcc/Makefile linux-2.6.32.46/tools/gcc/Makefile
81335 ---- linux-2.6.32.46/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
81336 -+++ linux-2.6.32.46/tools/gcc/Makefile 2011-10-06 09:37:14.000000000 -0400
81337 -@@ -0,0 +1,21 @@
81338 -+#CC := gcc
81339 -+#PLUGIN_SOURCE_FILES := pax_plugin.c
81340 -+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
81341 -+GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
81342 -+#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
81343 -+
81344 -+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
81345 -+
81346 -+hostlibs-y := constify_plugin.so
81347 -+hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
81348 -+hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
81349 -+hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
81350 -+hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
81351 -+
81352 -+always := $(hostlibs-y)
81353 -+
81354 -+stackleak_plugin-objs := stackleak_plugin.o
81355 -+constify_plugin-objs := constify_plugin.o
81356 -+kallocstat_plugin-objs := kallocstat_plugin.o
81357 -+kernexec_plugin-objs := kernexec_plugin.o
81358 -+checker_plugin-objs := checker_plugin.o
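Review bot: GCCPLUGINS_DIR comes from `$(HOSTCC) -print-file-name=plugin` and nothing in this file checks that the host compiler has plugin support. When the directory is not found, gcc echoes the bare name back, so HOST_EXTRACFLAGS becomes `-Iplugin/include` and the build fails later on a missing gcc-plugin.h with no hint of the cause. An explicit guard with an error message belongs here or in the caller. Separately, constify_plugin.so sits in hostlibs-y unconditionally while the other four plugins hang off a CONFIG_ symbol, which deserves a comment, and the three commented-out lines (#CC, #PLUGIN_SOURCE_FILES, #CFLAGS) should be dropped.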
81359 -diff -urNp linux-2.6.32.46/tools/gcc/checker_plugin.c linux-2.6.32.46/tools/gcc/checker_plugin.c
81360 ---- linux-2.6.32.46/tools/gcc/checker_plugin.c 1969-12-31 19:00:00.000000000 -0500
81361 -+++ linux-2.6.32.46/tools/gcc/checker_plugin.c 2011-10-06 09:37:16.000000000 -0400
81362 -@@ -0,0 +1,169 @@
81363 -+/*
81364 -+ * Copyright 2011 by the PaX Team <pageexec@××××××××.hu>
81365 -+ * Licensed under the GPL v2
81366 -+ *
81367 -+ * Note: the choice of the license means that the compilation process is
81368 -+ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
81369 -+ * but for the kernel it doesn't matter since it doesn't link against
81370 -+ * any of the gcc libraries
81371 -+ *
81372 -+ * gcc plugin to implement various sparse (source code checker) features
81373 -+ *
81374 -+ * TODO:
81375 -+ * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
81376 -+ *
81377 -+ * BUGS:
81378 -+ * - none known
81379 -+ */
81380 -+#include "gcc-plugin.h"
81381 -+#include "config.h"
81382 -+#include "system.h"
81383 -+#include "coretypes.h"
81384 -+#include "tree.h"
81385 -+#include "tree-pass.h"
81386 -+#include "intl.h"
81387 -+#include "plugin-version.h"
81388 -+#include "tm.h"
81389 -+#include "toplev.h"
81390 -+#include "basic-block.h"
81391 -+#include "gimple.h"
81392 -+//#include "expr.h" where are you...
81393 -+#include "diagnostic.h"
81394 -+#include "rtl.h"
81395 -+#include "emit-rtl.h"
81396 -+#include "function.h"
81397 -+#include "tree-flow.h"
81398 -+#include "target.h"
81399 -+
81400 -+extern void c_register_addr_space (const char *str, addr_space_t as);
81401 -+extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
81402 -+extern enum machine_mode default_addr_space_address_mode (addr_space_t);
81403 -+extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
81404 -+extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
81405 -+extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
81406 -+
81407 -+extern void print_gimple_stmt(FILE *, gimple, int, int);
81408 -+extern rtx emit_move_insn(rtx x, rtx y);
81409 -+
81410 -+int plugin_is_GPL_compatible;
81411 -+
81412 -+static struct plugin_info checker_plugin_info = {
81413 -+ .version = "201110031940",
81414 -+};
81415 -+
81416 -+#define ADDR_SPACE_KERNEL 0
81417 -+#define ADDR_SPACE_FORCE_KERNEL 1
81418 -+#define ADDR_SPACE_USER 2
81419 -+#define ADDR_SPACE_FORCE_USER 3
81420 -+#define ADDR_SPACE_IOMEM 0
81421 -+#define ADDR_SPACE_FORCE_IOMEM 0
81422 -+#define ADDR_SPACE_PERCPU 0
81423 -+#define ADDR_SPACE_FORCE_PERCPU 0
81424 -+#define ADDR_SPACE_RCU 0
81425 -+#define ADDR_SPACE_FORCE_RCU 0
81426 -+
81427 -+static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
81428 -+{
81429 -+ return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
81430 -+}
81431 -+
81432 -+static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
81433 -+{
81434 -+ return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
81435 -+}
81436 -+
81437 -+static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
81438 -+{
81439 -+ return default_addr_space_valid_pointer_mode(mode, as);
81440 -+}
81441 -+
81442 -+static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
81443 -+{
81444 -+ return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
81445 -+}
81446 -+
81447 -+static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
81448 -+{
81449 -+ return default_addr_space_legitimize_address(x, oldx, mode, as);
81450 -+}
81451 -+
81452 -+static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
81453 -+{
81454 -+ if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
81455 -+ return true;
81456 -+
81457 -+ if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
81458 -+ return true;
81459 -+
81460 -+ if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
81461 -+ return true;
81462 -+
81463 -+ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
81464 -+ return true;
81465 -+
81466 -+ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
81467 -+ return true;
81468 -+
81469 -+ if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
81470 -+ return true;
81471 -+
81472 -+ if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
81473 -+ return true;
81474 -+
81475 -+ return subset == superset;
81476 -+}
81477 -+
81478 -+static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
81479 -+{
81480 -+// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
81481 -+// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
81482 -+
81483 -+ return op;
81484 -+}
81485 -+
81486 -+static void register_checker_address_spaces(void *event_data, void *data)
81487 -+{
81488 -+ c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
81489 -+ c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
81490 -+ c_register_addr_space("__user", ADDR_SPACE_USER);
81491 -+ c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
81492 -+// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
81493 -+// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
81494 -+// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
81495 -+// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
81496 -+// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
81497 -+// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
81498 -+
81499 -+ targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
81500 -+ targetm.addr_space.address_mode = checker_addr_space_address_mode;
81501 -+ targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
81502 -+ targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
81503 -+// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
81504 -+ targetm.addr_space.subset_p = checker_addr_space_subset_p;
81505 -+ targetm.addr_space.convert = checker_addr_space_convert;
81506 -+}
81507 -+
81508 -+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81509 -+{
81510 -+ const char * const plugin_name = plugin_info->base_name;
81511 -+ const int argc = plugin_info->argc;
81512 -+ const struct plugin_argument * const argv = plugin_info->argv;
81513 -+ int i;
81514 -+
81515 -+ if (!plugin_default_version_check(version, &gcc_version)) {
81516 -+ error(G_("incompatible gcc/plugin versions"));
81517 -+ return 1;
81518 -+ }
81519 -+
81520 -+ register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
81521 -+
81522 -+ for (i = 0; i < argc; ++i)
81523 -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81524 -+
81525 -+ if (TARGET_64BIT == 0)
81526 -+ return 0;
81527 -+
81528 -+ register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
81529 -+
81530 -+ return 0;
81531 -+}
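Review bot: in checker_addr_space_subset_p the __iomem rules are live even though ADDR_SPACE_IOMEM and ADDR_SPACE_FORCE_IOMEM are placeholders defined as 0, the same value as ADDR_SPACE_KERNEL. `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` therefore evaluates as subset == 0 && superset == 1, which accepts every __kernel pointer as a subset of __force_kernel, a rule that is not written anywhere for the kernel space itself. Until the TODO about separate __iomem, __percpu and __rcu spaces is done, the iomem comparisons should be removed or compiled out, like the matching c_register_addr_space calls already are. Two smaller items: checker_addr_space_legitimize_address is defined but its hook assignment is commented out, leaving an unused static function, and the option error string in plugin_init reads "unkown".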
81532 -diff -urNp linux-2.6.32.46/tools/gcc/constify_plugin.c linux-2.6.32.46/tools/gcc/constify_plugin.c
81533 ---- linux-2.6.32.46/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
81534 -+++ linux-2.6.32.46/tools/gcc/constify_plugin.c 2011-08-30 18:19:52.000000000 -0400
81535 -@@ -0,0 +1,293 @@
81536 -+/*
81537 -+ * Copyright 2011 by Emese Revfy <re.emese@×××××.com>
81538 -+ * Copyright 2011 by PaX Team <pageexec@××××××××.hu>
81539 -+ * Licensed under the GPL v2, or (at your option) v3
81540 -+ *
81541 -+ * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
81542 -+ *
81543 -+ * Homepage:
81544 -+ * http://www.grsecurity.net/~ephox/const_plugin/
81545 -+ *
81546 -+ * Usage:
81547 -+ * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
81548 -+ * $ gcc -fplugin=constify_plugin.so test.c -O2
81549 -+ */
81550 -+
81551 -+#include "gcc-plugin.h"
81552 -+#include "config.h"
81553 -+#include "system.h"
81554 -+#include "coretypes.h"
81555 -+#include "tree.h"
81556 -+#include "tree-pass.h"
81557 -+#include "intl.h"
81558 -+#include "plugin-version.h"
81559 -+#include "tm.h"
81560 -+#include "toplev.h"
81561 -+#include "function.h"
81562 -+#include "tree-flow.h"
81563 -+#include "plugin.h"
81564 -+#include "diagnostic.h"
81565 -+//#include "c-tree.h"
81566 -+
81567 -+#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
81568 -+
81569 -+int plugin_is_GPL_compatible;
81570 -+
81571 -+static struct plugin_info const_plugin_info = {
81572 -+ .version = "20110826",
81573 -+ .help = "no-constify\tturn off constification\n",
81574 -+};
81575 -+
81576 -+static void constify_type(tree type);
81577 -+static bool walk_struct(tree node);
81578 -+
81579 -+static tree deconstify_type(tree old_type)
81580 -+{
81581 -+ tree new_type, field;
81582 -+
81583 -+ new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
81584 -+ TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
81585 -+ for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
81586 -+ DECL_FIELD_CONTEXT(field) = new_type;
81587 -+ TYPE_READONLY(new_type) = 0;
81588 -+ C_TYPE_FIELDS_READONLY(new_type) = 0;
81589 -+ return new_type;
81590 -+}
81591 -+
81592 -+static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
81593 -+{
81594 -+ tree type;
81595 -+
81596 -+ *no_add_attrs = true;
81597 -+ if (TREE_CODE(*node) == FUNCTION_DECL) {
81598 -+ error("%qE attribute does not apply to functions", name);
81599 -+ return NULL_TREE;
81600 -+ }
81601 -+
81602 -+ if (TREE_CODE(*node) == VAR_DECL) {
81603 -+ error("%qE attribute does not apply to variables", name);
81604 -+ return NULL_TREE;
81605 -+ }
81606 -+
81607 -+ if (TYPE_P(*node)) {
81608 -+ if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
81609 -+ *no_add_attrs = false;
81610 -+ else
81611 -+ error("%qE attribute applies to struct and union types only", name);
81612 -+ return NULL_TREE;
81613 -+ }
81614 -+
81615 -+ type = TREE_TYPE(*node);
81616 -+
81617 -+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
81618 -+ error("%qE attribute applies to struct and union types only", name);
81619 -+ return NULL_TREE;
81620 -+ }
81621 -+
81622 -+ if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
81623 -+ error("%qE attribute is already applied to the type", name);
81624 -+ return NULL_TREE;
81625 -+ }
81626 -+
81627 -+ if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
81628 -+ error("%qE attribute used on type that is not constified", name);
81629 -+ return NULL_TREE;
81630 -+ }
81631 -+
81632 -+ if (TREE_CODE(*node) == TYPE_DECL) {
81633 -+ TREE_TYPE(*node) = deconstify_type(type);
81634 -+ TREE_READONLY(*node) = 0;
81635 -+ return NULL_TREE;
81636 -+ }
81637 -+
81638 -+ return NULL_TREE;
81639 -+}
81640 -+
81641 -+static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
81642 -+{
81643 -+ *no_add_attrs = true;
81644 -+ if (!TYPE_P(*node)) {
81645 -+ error("%qE attribute applies to types only", name);
81646 -+ return NULL_TREE;
81647 -+ }
81648 -+
81649 -+ if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
81650 -+ error("%qE attribute applies to struct and union types only", name);
81651 -+ return NULL_TREE;
81652 -+ }
81653 -+
81654 -+ *no_add_attrs = false;
81655 -+ constify_type(*node);
81656 -+ return NULL_TREE;
81657 -+}
81658 -+
81659 -+static struct attribute_spec no_const_attr = {
81660 -+ .name = "no_const",
81661 -+ .min_length = 0,
81662 -+ .max_length = 0,
81663 -+ .decl_required = false,
81664 -+ .type_required = false,
81665 -+ .function_type_required = false,
81666 -+ .handler = handle_no_const_attribute
81667 -+};
81668 -+
81669 -+static struct attribute_spec do_const_attr = {
81670 -+ .name = "do_const",
81671 -+ .min_length = 0,
81672 -+ .max_length = 0,
81673 -+ .decl_required = false,
81674 -+ .type_required = false,
81675 -+ .function_type_required = false,
81676 -+ .handler = handle_do_const_attribute
81677 -+};
81678 -+
81679 -+static void register_attributes(void *event_data, void *data)
81680 -+{
81681 -+ register_attribute(&no_const_attr);
81682 -+ register_attribute(&do_const_attr);
81683 -+}
81684 -+
81685 -+static void constify_type(tree type)
81686 -+{
81687 -+ TYPE_READONLY(type) = 1;
81688 -+ C_TYPE_FIELDS_READONLY(type) = 1;
81689 -+}
81690 -+
81691 -+static bool is_fptr(tree field)
81692 -+{
81693 -+ tree ptr = TREE_TYPE(field);
81694 -+
81695 -+ if (TREE_CODE(ptr) != POINTER_TYPE)
81696 -+ return false;
81697 -+
81698 -+ return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
81699 -+}
81700 -+
81701 -+static bool walk_struct(tree node)
81702 -+{
81703 -+ tree field;
81704 -+
81705 -+ if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
81706 -+ return false;
81707 -+
81708 -+ if (TYPE_FIELDS(node) == NULL_TREE)
81709 -+ return false;
81710 -+
81711 -+ for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
81712 -+ tree type = TREE_TYPE(field);
81713 -+ enum tree_code code = TREE_CODE(type);
81714 -+ if (code == RECORD_TYPE || code == UNION_TYPE) {
81715 -+ if (!(walk_struct(type)))
81716 -+ return false;
81717 -+ } else if (!is_fptr(field) && !TREE_READONLY(field))
81718 -+ return false;
81719 -+ }
81720 -+ return true;
81721 -+}
81722 -+
81723 -+static void finish_type(void *event_data, void *data)
81724 -+{
81725 -+ tree type = (tree)event_data;
81726 -+
81727 -+ if (type == NULL_TREE)
81728 -+ return;
81729 -+
81730 -+ if (TYPE_READONLY(type))
81731 -+ return;
81732 -+
81733 -+ if (walk_struct(type))
81734 -+ constify_type(type);
81735 -+}
81736 -+
81737 -+static unsigned int check_local_variables(void);
81738 -+
81739 -+struct gimple_opt_pass pass_local_variable = {
81740 -+ {
81741 -+ .type = GIMPLE_PASS,
81742 -+ .name = "check_local_variables",
81743 -+ .gate = NULL,
81744 -+ .execute = check_local_variables,
81745 -+ .sub = NULL,
81746 -+ .next = NULL,
81747 -+ .static_pass_number = 0,
81748 -+ .tv_id = TV_NONE,
81749 -+ .properties_required = 0,
81750 -+ .properties_provided = 0,
81751 -+ .properties_destroyed = 0,
81752 -+ .todo_flags_start = 0,
81753 -+ .todo_flags_finish = 0
81754 -+ }
81755 -+};
81756 -+
81757 -+static unsigned int check_local_variables(void)
81758 -+{
81759 -+ tree var;
81760 -+ referenced_var_iterator rvi;
81761 -+
81762 -+#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
81763 -+ FOR_EACH_REFERENCED_VAR(var, rvi) {
81764 -+#else
81765 -+ FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
81766 -+#endif
81767 -+ tree type = TREE_TYPE(var);
81768 -+
81769 -+ if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
81770 -+ continue;
81771 -+
81772 -+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
81773 -+ continue;
81774 -+
81775 -+ if (!TYPE_READONLY(type))
81776 -+ continue;
81777 -+
81778 -+// if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
81779 -+// continue;
81780 -+
81781 -+// if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
81782 -+// continue;
81783 -+
81784 -+ if (walk_struct(type)) {
81785 -+ error("constified variable %qE cannot be local", var);
81786 -+ return 1;
81787 -+ }
81788 -+ }
81789 -+ return 0;
81790 -+}
81791 -+
81792 -+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81793 -+{
81794 -+ const char * const plugin_name = plugin_info->base_name;
81795 -+ const int argc = plugin_info->argc;
81796 -+ const struct plugin_argument * const argv = plugin_info->argv;
81797 -+ int i;
81798 -+ bool constify = true;
81799 -+
81800 -+ struct register_pass_info local_variable_pass_info = {
81801 -+ .pass = &pass_local_variable.pass,
81802 -+ .reference_pass_name = "*referenced_vars",
81803 -+ .ref_pass_instance_number = 0,
81804 -+ .pos_op = PASS_POS_INSERT_AFTER
81805 -+ };
81806 -+
81807 -+ if (!plugin_default_version_check(version, &gcc_version)) {
81808 -+ error(G_("incompatible gcc/plugin versions"));
81809 -+ return 1;
81810 -+ }
81811 -+
81812 -+ for (i = 0; i < argc; ++i) {
81813 -+ if (!(strcmp(argv[i].key, "no-constify"))) {
81814 -+ constify = false;
81815 -+ continue;
81816 -+ }
81817 -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81818 -+ }
81819 -+
81820 -+ register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
81821 -+ if (constify) {
81822 -+ register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
81823 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
81824 -+ }
81825 -+ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
81826 -+
81827 -+ return 0;
81828 -+}
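Review bot: in plugin_init the no-constify option only skips the PLUGIN_FINISH_TYPE callback and the check_local_variables pass; PLUGIN_ATTRIBUTES is still registered, and handle_do_const_attribute calls constify_type unconditionally. With `-fplugin-arg-constify_plugin-no-constify`, types marked do_const are therefore still constified, and with the local-variable pass gone a local of such a type is no longer rejected. Either the help text ("turn off constification") should say that explicit do_const is unaffected, or the handler should honour the flag. The commented-out no_const lookups in check_local_variables duplicate the check walk_struct already makes and can go, and the option error string reads "unkown".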
81829 -diff -urNp linux-2.6.32.46/tools/gcc/kallocstat_plugin.c linux-2.6.32.46/tools/gcc/kallocstat_plugin.c
81830 ---- linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
81831 -+++ linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 2011-10-06 09:37:16.000000000 -0400
81832 -@@ -0,0 +1,165 @@
81833 -+/*
81834 -+ * Copyright 2011 by the PaX Team <pageexec@××××××××.hu>
81835 -+ * Licensed under the GPL v2
81836 -+ *
81837 -+ * Note: the choice of the license means that the compilation process is
81838 -+ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
81839 -+ * but for the kernel it doesn't matter since it doesn't link against
81840 -+ * any of the gcc libraries
81841 -+ *
81842 -+ * gcc plugin to find the distribution of k*alloc sizes
81843 -+ *
81844 -+ * TODO:
81845 -+ *
81846 -+ * BUGS:
81847 -+ * - none known
81848 -+ */
81849 -+#include "gcc-plugin.h"
81850 -+#include "config.h"
81851 -+#include "system.h"
81852 -+#include "coretypes.h"
81853 -+#include "tree.h"
81854 -+#include "tree-pass.h"
81855 -+#include "intl.h"
81856 -+#include "plugin-version.h"
81857 -+#include "tm.h"
81858 -+#include "toplev.h"
81859 -+#include "basic-block.h"
81860 -+#include "gimple.h"
81861 -+//#include "expr.h" where are you...
81862 -+#include "diagnostic.h"
81863 -+#include "rtl.h"
81864 -+#include "emit-rtl.h"
81865 -+#include "function.h"
81866 -+
81867 -+extern void print_gimple_stmt(FILE *, gimple, int, int);
81868 -+
81869 -+int plugin_is_GPL_compatible;
81870 -+
81871 -+static const char * const kalloc_functions[] = {
81872 -+ "__kmalloc",
81873 -+ "kmalloc",
81874 -+ "kmalloc_large",
81875 -+ "kmalloc_node",
81876 -+ "kmalloc_order",
81877 -+ "kmalloc_order_trace",
81878 -+ "kmalloc_slab",
81879 -+ "kzalloc",
81880 -+ "kzalloc_node",
81881 -+};
81882 -+
81883 -+static struct plugin_info kallocstat_plugin_info = {
81884 -+ .version = "201109121100",
81885 -+};
81886 -+
81887 -+static unsigned int execute_kallocstat(void);
81888 -+
81889 -+static struct gimple_opt_pass kallocstat_pass = {
81890 -+ .pass = {
81891 -+ .type = GIMPLE_PASS,
81892 -+ .name = "kallocstat",
81893 -+ .gate = NULL,
81894 -+ .execute = execute_kallocstat,
81895 -+ .sub = NULL,
81896 -+ .next = NULL,
81897 -+ .static_pass_number = 0,
81898 -+ .tv_id = TV_NONE,
81899 -+ .properties_required = 0,
81900 -+ .properties_provided = 0,
81901 -+ .properties_destroyed = 0,
81902 -+ .todo_flags_start = 0,
81903 -+ .todo_flags_finish = 0
81904 -+ }
81905 -+};
81906 -+
81907 -+static bool is_kalloc(const char *fnname)
81908 -+{
81909 -+ size_t i;
81910 -+
81911 -+ for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
81912 -+ if (!strcmp(fnname, kalloc_functions[i]))
81913 -+ return true;
81914 -+ return false;
81915 -+}
81916 -+
81917 -+static unsigned int execute_kallocstat(void)
81918 -+{
81919 -+ basic_block bb;
81920 -+
81921 -+ // 1. loop through BBs and GIMPLE statements
81922 -+ FOR_EACH_BB(bb) {
81923 -+ gimple_stmt_iterator gsi;
81924 -+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
81925 -+ // gimple match:
81926 -+ tree fndecl, size;
81927 -+ gimple call_stmt;
81928 -+ const char *fnname;
81929 -+
81930 -+ // is it a call
81931 -+ call_stmt = gsi_stmt(gsi);
81932 -+ if (!is_gimple_call(call_stmt))
81933 -+ continue;
81934 -+ fndecl = gimple_call_fndecl(call_stmt);
81935 -+ if (fndecl == NULL_TREE)
81936 -+ continue;
81937 -+ if (TREE_CODE(fndecl) != FUNCTION_DECL)
81938 -+ continue;
81939 -+
81940 -+ // is it a call to k*alloc
81941 -+ fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
81942 -+ if (!is_kalloc(fnname))
81943 -+ continue;
81944 -+
81945 -+ // is the size arg the result of a simple const assignment
81946 -+ size = gimple_call_arg(call_stmt, 0);
81947 -+ while (true) {
81948 -+ gimple def_stmt;
81949 -+ expanded_location xloc;
81950 -+ size_t size_val;
81951 -+
81952 -+ if (TREE_CODE(size) != SSA_NAME)
81953 -+ break;
81954 -+ def_stmt = SSA_NAME_DEF_STMT(size);
81955 -+ if (!def_stmt || !is_gimple_assign(def_stmt))
81956 -+ break;
81957 -+ if (gimple_num_ops(def_stmt) != 2)
81958 -+ break;
81959 -+ size = gimple_assign_rhs1(def_stmt);
81960 -+ if (!TREE_CONSTANT(size))
81961 -+ continue;
81962 -+ xloc = expand_location(gimple_location(def_stmt));
81963 -+ if (!xloc.file)
81964 -+ xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
81965 -+ size_val = TREE_INT_CST_LOW(size);
81966 -+ fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
81967 -+ break;
81968 -+ }
81969 -+//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
81970 -+//debug_tree(gimple_call_fn(call_stmt));
81971 -+//print_node(stderr, "pax", fndecl, 4);
81972 -+ }
81973 -+ }
81974 -+
81975 -+ return 0;
81976 -+}
81977 -+
81978 -+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81979 -+{
81980 -+ const char * const plugin_name = plugin_info->base_name;
81981 -+ struct register_pass_info kallocstat_pass_info = {
81982 -+ .pass = &kallocstat_pass.pass,
81983 -+ .reference_pass_name = "ssa",
81984 -+ .ref_pass_instance_number = 0,
81985 -+ .pos_op = PASS_POS_INSERT_AFTER
81986 -+ };
81987 -+
81988 -+ if (!plugin_default_version_check(version, &gcc_version)) {
81989 -+ error(G_("incompatible gcc/plugin versions"));
81990 -+ return 1;
81991 -+ }
81992 -+
81993 -+ register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
81994 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
81995 -+
81996 -+ return 0;
81997 -+}
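Review bot: in execute_kallocstat a size passed as a literal is never reported. The loop starts with `if (TREE_CODE(size) != SSA_NAME) break;`, which sits before the fprintf, so when gimple_call_arg(call_stmt, 0) is already a constant the statistics line is skipped; only sizes reached through at least one SSA assignment are printed. The constant case should be handled before walking the definition chain. On the reporting path, TREE_CONSTANT(size) is also true for constants that are not integers, so TREE_INT_CST_LOW should be guarded by a TREE_CODE(size) == INTEGER_CST check. Unlike the other plugins in this patch, plugin_init here does not reject unknown -fplugin-arg options.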
81998 -diff -urNp linux-2.6.32.46/tools/gcc/kernexec_plugin.c linux-2.6.32.46/tools/gcc/kernexec_plugin.c
81999 ---- linux-2.6.32.46/tools/gcc/kernexec_plugin.c 1969-12-31 19:00:00.000000000 -0500
82000 -+++ linux-2.6.32.46/tools/gcc/kernexec_plugin.c 2011-10-06 09:37:16.000000000 -0400
82001 -@@ -0,0 +1,273 @@
82002 -+/*
82003 -+ * Copyright 2011 by the PaX Team <pageexec@××××××××.hu>
82004 -+ * Licensed under the GPL v2
82005 -+ *
82006 -+ * Note: the choice of the license means that the compilation process is
82007 -+ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
82008 -+ * but for the kernel it doesn't matter since it doesn't link against
82009 -+ * any of the gcc libraries
82010 -+ *
82011 -+ * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
82012 -+ *
82013 -+ * TODO:
82014 -+ *
82015 -+ * BUGS:
82016 -+ * - none known
82017 -+ */
82018 -+#include "gcc-plugin.h"
82019 -+#include "config.h"
82020 -+#include "system.h"
82021 -+#include "coretypes.h"
82022 -+#include "tree.h"
82023 -+#include "tree-pass.h"
82024 -+#include "intl.h"
82025 -+#include "plugin-version.h"
82026 -+#include "tm.h"
82027 -+#include "toplev.h"
82028 -+#include "basic-block.h"
82029 -+#include "gimple.h"
82030 -+//#include "expr.h" where are you...
82031 -+#include "diagnostic.h"
82032 -+#include "rtl.h"
82033 -+#include "emit-rtl.h"
82034 -+#include "function.h"
82035 -+#include "tree-flow.h"
82036 -+
82037 -+extern void print_gimple_stmt(FILE *, gimple, int, int);
82038 -+extern rtx emit_move_insn(rtx x, rtx y);
82039 -+
82040 -+int plugin_is_GPL_compatible;
82041 -+
82042 -+static struct plugin_info kernexec_plugin_info = {
82043 -+ .version = "201110032145",
82044 -+};
82045 -+
82046 -+static unsigned int execute_kernexec_fptr(void);
82047 -+static unsigned int execute_kernexec_retaddr(void);
82048 -+static bool kernexec_cmodel_check(void);
82049 -+
82050 -+static struct gimple_opt_pass kernexec_fptr_pass = {
82051 -+ .pass = {
82052 -+ .type = GIMPLE_PASS,
82053 -+ .name = "kernexec_fptr",
82054 -+ .gate = kernexec_cmodel_check,
82055 -+ .execute = execute_kernexec_fptr,
82056 -+ .sub = NULL,
82057 -+ .next = NULL,
82058 -+ .static_pass_number = 0,
82059 -+ .tv_id = TV_NONE,
82060 -+ .properties_required = 0,
82061 -+ .properties_provided = 0,
82062 -+ .properties_destroyed = 0,
82063 -+ .todo_flags_start = 0,
82064 -+ .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
82065 -+ }
82066 -+};
82067 -+
82068 -+static struct rtl_opt_pass kernexec_retaddr_pass = {
82069 -+ .pass = {
82070 -+ .type = RTL_PASS,
82071 -+ .name = "kernexec_retaddr",
82072 -+ .gate = kernexec_cmodel_check,
82073 -+ .execute = execute_kernexec_retaddr,
82074 -+ .sub = NULL,
82075 -+ .next = NULL,
82076 -+ .static_pass_number = 0,
82077 -+ .tv_id = TV_NONE,
82078 -+ .properties_required = 0,
82079 -+ .properties_provided = 0,
82080 -+ .properties_destroyed = 0,
82081 -+ .todo_flags_start = 0,
82082 -+ .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
82083 -+ }
82084 -+};
82085 -+
82086 -+static bool kernexec_cmodel_check(void)
82087 -+{
82088 -+ tree section;
82089 -+
82090 -+ if (ix86_cmodel != CM_KERNEL)
82091 -+ return false;
82092 -+
82093 -+ section = lookup_attribute("__section__", DECL_ATTRIBUTES(current_function_decl));
82094 -+ if (!section || !TREE_VALUE(section))
82095 -+ return true;
82096 -+
82097 -+ section = TREE_VALUE(TREE_VALUE(section));
82098 -+ if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
82099 -+ return true;
82100 -+
82101 -+ return false;
82102 -+}
82103 -+
82104 -+/*
82105 -+ * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
82106 -+ * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
82107 -+ */
82108 -+static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
82109 -+{
82110 -+ gimple assign_intptr, assign_new_fptr, call_stmt;
82111 -+ tree intptr, old_fptr, new_fptr, kernexec_mask;
82112 -+
82113 -+ call_stmt = gsi_stmt(gsi);
82114 -+ old_fptr = gimple_call_fn(call_stmt);
82115 -+
82116 -+ // create temporary unsigned long variable used for bitops and cast fptr to it
82117 -+ intptr = create_tmp_var(long_unsigned_type_node, NULL);
82118 -+ add_referenced_var(intptr);
82119 -+ mark_sym_for_renaming(intptr);
82120 -+ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
82121 -+ update_stmt(assign_intptr);
82122 -+ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
82123 -+
82124 -+ // apply logical or to temporary unsigned long and bitmask
82125 -+ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
82126 -+// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
82127 -+ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
82128 -+ update_stmt(assign_intptr);
82129 -+ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
82130 -+
82131 -+ // cast temporary unsigned long back to a temporary fptr variable
82132 -+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
82133 -+ add_referenced_var(new_fptr);
82134 -+ mark_sym_for_renaming(new_fptr);
82135 -+ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
82136 -+ update_stmt(assign_new_fptr);
82137 -+ gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
82138 -+
82139 -+ // replace call stmt fn with the new fptr
82140 -+ gimple_call_set_fn(call_stmt, new_fptr);
82141 -+ update_stmt(call_stmt);
82142 -+}
82143 -+
82144 -+/*
82145 -+ * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
82146 -+ */
82147 -+static unsigned int execute_kernexec_fptr(void)
82148 -+{
82149 -+ basic_block bb;
82150 -+ gimple_stmt_iterator gsi;
82151 -+
82152 -+ // 1. loop through BBs and GIMPLE statements
82153 -+ FOR_EACH_BB(bb) {
82154 -+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
82155 -+ // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
82156 -+ tree fn;
82157 -+ gimple call_stmt;
82158 -+
82159 -+ // is it a call ...
82160 -+ call_stmt = gsi_stmt(gsi);
82161 -+ if (!is_gimple_call(call_stmt))
82162 -+ continue;
82163 -+ fn = gimple_call_fn(call_stmt);
82164 -+ if (TREE_CODE(fn) == ADDR_EXPR)
82165 -+ continue;
82166 -+ if (TREE_CODE(fn) != SSA_NAME)
82167 -+ gcc_unreachable();
82168 -+
82169 -+ // ... through a function pointer
82170 -+ fn = SSA_NAME_VAR(fn);
82171 -+ if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
82172 -+ continue;
82173 -+ fn = TREE_TYPE(fn);
82174 -+ if (TREE_CODE(fn) != POINTER_TYPE)
82175 -+ continue;
82176 -+ fn = TREE_TYPE(fn);
82177 -+ if (TREE_CODE(fn) != FUNCTION_TYPE)
82178 -+ continue;
82179 -+
82180 -+ kernexec_instrument_fptr(gsi);
82181 -+
82182 -+//debug_tree(gimple_call_fn(call_stmt));
82183 -+//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
82184 -+ }
82185 -+ }
82186 -+
82187 -+ return 0;
82188 -+}
82189 -+
82190 -+// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
82191 -+static void kernexec_instrument_retaddr(rtx insn)
82192 -+{
82193 -+ rtx btsq;
82194 -+ rtvec argvec, constraintvec, labelvec;
82195 -+ int line;
82196 -+
82197 -+ // create asm volatile("btsq $63,(%%rsp)":::)
82198 -+ argvec = rtvec_alloc(0);
82199 -+ constraintvec = rtvec_alloc(0);
82200 -+ labelvec = rtvec_alloc(0);
82201 -+ line = expand_location(RTL_LOCATION(insn)).line;
82202 -+ btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
82203 -+ MEM_VOLATILE_P(btsq) = 1;
82204 -+ RTX_FRAME_RELATED_P(btsq) = 1;
82205 -+ emit_insn_before(btsq, insn);
82206 -+}
82207 -+
82208 -+/*
82209 -+ * find all asm level function returns and forcibly set the highest bit of the return address
82210 -+ */
82211 -+static unsigned int execute_kernexec_retaddr(void)
82212 -+{
82213 -+ rtx insn;
82214 -+
82215 -+ // 1. find function returns
82216 -+ for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
82217 -+ // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
82218 -+ // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
82219 -+ rtx body;
82220 -+
82221 -+ // is it a retn
82222 -+ if (!JUMP_P(insn))
82223 -+ continue;
82224 -+ body = PATTERN(insn);
82225 -+ if (GET_CODE(body) == PARALLEL)
82226 -+ body = XVECEXP(body, 0, 0);
82227 -+ if (GET_CODE(body) != RETURN)
82228 -+ continue;
82229 -+ kernexec_instrument_retaddr(insn);
82230 -+ }
82231 -+
82232 -+// print_simple_rtl(stderr, get_insns());
82233 -+// print_rtl(stderr, get_insns());
82234 -+
82235 -+ return 0;
82236 -+}
82237 -+
82238 -+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
82239 -+{
82240 -+ const char * const plugin_name = plugin_info->base_name;
82241 -+ const int argc = plugin_info->argc;
82242 -+ const struct plugin_argument * const argv = plugin_info->argv;
82243 -+ int i;
82244 -+ struct register_pass_info kernexec_fptr_pass_info = {
82245 -+ .pass = &kernexec_fptr_pass.pass,
82246 -+ .reference_pass_name = "ssa",
82247 -+ .ref_pass_instance_number = 0,
82248 -+ .pos_op = PASS_POS_INSERT_AFTER
82249 -+ };
82250 -+ struct register_pass_info kernexec_retaddr_pass_info = {
82251 -+ .pass = &kernexec_retaddr_pass.pass,
82252 -+ .reference_pass_name = "pro_and_epilogue",
82253 -+ .ref_pass_instance_number = 0,
82254 -+ .pos_op = PASS_POS_INSERT_AFTER
82255 -+ };
82256 -+
82257 -+ if (!plugin_default_version_check(version, &gcc_version)) {
82258 -+ error(G_("incompatible gcc/plugin versions"));
82259 -+ return 1;
82260 -+ }
82261 -+
82262 -+ register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
82263 -+
82264 -+ for (i = 0; i < argc; ++i)
82265 -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
82266 -+
82267 -+ if (TARGET_64BIT == 0)
82268 -+ return 0;
82269 -+
82270 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
82271 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
82272 -+
82273 -+ return 0;
82274 -+}
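Review bot: the error string in the option loop of plugin_init is misspelled ("unkown" for "unknown"), and the same string is what a user sees for any -fplugin-arg passed to this plugin. The `if (TARGET_64BIT == 0) return 0;` just below it also skips both pass registrations silently; a one-line comment that the fptr and retaddr instrumentation is 64-bit only would spare the next reader from working that out from the `btsq $63` in kernexec_instrument_retaddr.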
82275 -diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gcc/stackleak_plugin.c
82276 ---- linux-2.6.32.46/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
82277 -+++ linux-2.6.32.46/tools/gcc/stackleak_plugin.c 2011-10-06 09:37:14.000000000 -0400
82278 -@@ -0,0 +1,251 @@
82279 -+/*
82280 -+ * Copyright 2011 by the PaX Team <pageexec@××××××××.hu>
82281 -+ * Licensed under the GPL v2
82282 -+ *
82283 -+ * Note: the choice of the license means that the compilation process is
82284 -+ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
82285 -+ * but for the kernel it doesn't matter since it doesn't link against
82286 -+ * any of the gcc libraries
82287 -+ *
82288 -+ * gcc plugin to help implement various PaX features
82289 -+ *
82290 -+ * - track lowest stack pointer
82291 -+ *
82292 -+ * TODO:
82293 -+ * - initialize all local variables
82294 -+ *
82295 -+ * BUGS:
82296 -+ * - none known
82297 -+ */
82298 -+#include "gcc-plugin.h"
82299 -+#include "config.h"
82300 -+#include "system.h"
82301 -+#include "coretypes.h"
82302 -+#include "tree.h"
82303 -+#include "tree-pass.h"
82304 -+#include "intl.h"
82305 -+#include "plugin-version.h"
82306 -+#include "tm.h"
82307 -+#include "toplev.h"
82308 -+#include "basic-block.h"
82309 -+#include "gimple.h"
82310 -+//#include "expr.h" where are you...
82311 -+#include "diagnostic.h"
82312 -+#include "rtl.h"
82313 -+#include "emit-rtl.h"
82314 -+#include "function.h"
82315 -+
82316 -+int plugin_is_GPL_compatible;
82317 -+
82318 -+static int track_frame_size = -1;
82319 -+static const char track_function[] = "pax_track_stack";
82320 -+static bool init_locals;
82321 -+
82322 -+static struct plugin_info stackleak_plugin_info = {
82323 -+ .version = "201109112100",
82324 -+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
82325 -+// "initialize-locals\t\tforcibly initialize all stack frames\n"
82326 -+};
82327 -+
82328 -+static bool gate_stackleak_track_stack(void);
82329 -+static unsigned int execute_stackleak_tree_instrument(void);
82330 -+static unsigned int execute_stackleak_final(void);
82331 -+
82332 -+static struct gimple_opt_pass stackleak_tree_instrument_pass = {
82333 -+ .pass = {
82334 -+ .type = GIMPLE_PASS,
82335 -+ .name = "stackleak_tree_instrument",
82336 -+ .gate = gate_stackleak_track_stack,
82337 -+ .execute = execute_stackleak_tree_instrument,
82338 -+ .sub = NULL,
82339 -+ .next = NULL,
82340 -+ .static_pass_number = 0,
82341 -+ .tv_id = TV_NONE,
82342 -+ .properties_required = PROP_gimple_leh | PROP_cfg,
82343 -+ .properties_provided = 0,
82344 -+ .properties_destroyed = 0,
82345 -+ .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
82346 -+ .todo_flags_finish = TODO_verify_stmts | TODO_dump_func
82347 -+ }
82348 -+};
82349 -+
82350 -+static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
82351 -+ .pass = {
82352 -+ .type = RTL_PASS,
82353 -+ .name = "stackleak_final",
82354 -+ .gate = gate_stackleak_track_stack,
82355 -+ .execute = execute_stackleak_final,
82356 -+ .sub = NULL,
82357 -+ .next = NULL,
82358 -+ .static_pass_number = 0,
82359 -+ .tv_id = TV_NONE,
82360 -+ .properties_required = 0,
82361 -+ .properties_provided = 0,
82362 -+ .properties_destroyed = 0,
82363 -+ .todo_flags_start = 0,
82364 -+ .todo_flags_finish = TODO_dump_func
82365 -+ }
82366 -+};
82367 -+
82368 -+static bool gate_stackleak_track_stack(void)
82369 -+{
82370 -+ return track_frame_size >= 0;
82371 -+}
82372 -+
82373 -+static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
82374 -+{
82375 -+ gimple call;
82376 -+ tree fndecl, type;
82377 -+
82378 -+ // insert call to void pax_track_stack(void)
82379 -+ type = build_function_type_list(void_type_node, NULL_TREE);
82380 -+ fndecl = build_fn_decl(track_function, type);
82381 -+ DECL_ASSEMBLER_NAME(fndecl); // for LTO
82382 -+ call = gimple_build_call(fndecl, 0);
82383 -+ if (before)
82384 -+ gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
82385 -+ else
82386 -+ gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
82387 -+}
82388 -+
82389 -+static unsigned int execute_stackleak_tree_instrument(void)
82390 -+{
82391 -+ basic_block bb, entry_bb;
82392 -+ gimple_stmt_iterator gsi;
82393 -+ bool prologue_instrumented = false;
82394 -+
82395 -+ entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
82396 -+
82397 -+ // 1. loop through BBs and GIMPLE statements
82398 -+ FOR_EACH_BB(bb) {
82399 -+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
82400 -+ // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
82401 -+ tree fndecl;
82402 -+ gimple stmt = gsi_stmt(gsi);
82403 -+
82404 -+ if (!is_gimple_call(stmt))
82405 -+ continue;
82406 -+ fndecl = gimple_call_fndecl(stmt);
82407 -+ if (!fndecl)
82408 -+ continue;
82409 -+ if (TREE_CODE(fndecl) != FUNCTION_DECL)
82410 -+ continue;
82411 -+ if (!DECL_BUILT_IN(fndecl))
82412 -+ continue;
82413 -+ if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
82414 -+ continue;
82415 -+ if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA)
82416 -+ continue;
82417 -+
82418 -+ // 2. insert track call after each __builtin_alloca call
82419 -+ stackleak_add_instrumentation(&gsi, false);
82420 -+ if (bb == entry_bb)
82421 -+ prologue_instrumented = true;
82422 -+// print_node(stderr, "pax", fndecl, 4);
82423 -+ }
82424 -+ }
82425 -+
82426 -+ // 3. insert track call at the beginning
82427 -+ if (!prologue_instrumented) {
82428 -+ gsi = gsi_start_bb(entry_bb);
82429 -+ stackleak_add_instrumentation(&gsi, true);
82430 -+ }
82431 -+
82432 -+ return 0;
82433 -+}
82434 -+
82435 -+static unsigned int execute_stackleak_final(void)
82436 -+{
82437 -+ rtx insn;
82438 -+
82439 -+ if (cfun->calls_alloca)
82440 -+ return 0;
82441 -+
82442 -+ // keep calls only if function frame is big enough
82443 -+ if (get_frame_size() >= track_frame_size)
82444 -+ return 0;
82445 -+
82446 -+ // 1. find pax_track_stack calls
82447 -+ for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
82448 -+ // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
82449 -+ rtx body;
82450 -+
82451 -+ if (!CALL_P(insn))
82452 -+ continue;
82453 -+ body = PATTERN(insn);
82454 -+ if (GET_CODE(body) != CALL)
82455 -+ continue;
82456 -+ body = XEXP(body, 0);
82457 -+ if (GET_CODE(body) != MEM)
82458 -+ continue;
82459 -+ body = XEXP(body, 0);
82460 -+ if (GET_CODE(body) != SYMBOL_REF)
82461 -+ continue;
82462 -+ if (strcmp(XSTR(body, 0), track_function))
82463 -+ continue;
82464 -+// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
82465 -+ // 2. delete call
82466 -+ delete_insn_and_edges(insn);
82467 -+ }
82468 -+
82469 -+// print_simple_rtl(stderr, get_insns());
82470 -+// print_rtl(stderr, get_insns());
82471 -+// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
82472 -+
82473 -+ return 0;
82474 -+}
82475 -+
82476 -+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
82477 -+{
82478 -+ const char * const plugin_name = plugin_info->base_name;
82479 -+ const int argc = plugin_info->argc;
82480 -+ const struct plugin_argument * const argv = plugin_info->argv;
82481 -+ int i;
82482 -+ struct register_pass_info stackleak_tree_instrument_pass_info = {
82483 -+ .pass = &stackleak_tree_instrument_pass.pass,
82484 -+// .reference_pass_name = "tree_profile",
82485 -+ .reference_pass_name = "optimized",
82486 -+ .ref_pass_instance_number = 0,
82487 -+ .pos_op = PASS_POS_INSERT_AFTER
82488 -+ };
82489 -+ struct register_pass_info stackleak_final_pass_info = {
82490 -+ .pass = &stackleak_final_rtl_opt_pass.pass,
82491 -+ .reference_pass_name = "final",
82492 -+ .ref_pass_instance_number = 0,
82493 -+ .pos_op = PASS_POS_INSERT_BEFORE
82494 -+ };
82495 -+
82496 -+ if (!plugin_default_version_check(version, &gcc_version)) {
82497 -+ error(G_("incompatible gcc/plugin versions"));
82498 -+ return 1;
82499 -+ }
82500 -+
82501 -+ register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
82502 -+
82503 -+ for (i = 0; i < argc; ++i) {
82504 -+ if (!strcmp(argv[i].key, "track-lowest-sp")) {
82505 -+ if (!argv[i].value) {
82506 -+ error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
82507 -+ continue;
82508 -+ }
82509 -+ track_frame_size = atoi(argv[i].value);
82510 -+ if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
82511 -+ error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
82512 -+ continue;
82513 -+ }
82514 -+ if (!strcmp(argv[i].key, "initialize-locals")) {
82515 -+ if (argv[i].value) {
82516 -+ error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
82517 -+ continue;
82518 -+ }
82519 -+ init_locals = true;
82520 -+ continue;
82521 -+ }
82522 -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
82523 -+ }
82524 -+
82525 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
82526 -+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
82527 -+
82528 -+ return 0;
82529 -+}
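Review bot: the track-lowest-sp parsing in plugin_init checks only `argv[i].value[0]` for a digit before trusting `atoi`, so a value with trailing garbage after the first digit is accepted without complaint, and on the rejected path track_frame_size keeps whatever atoi returned (0 for a non-numeric string, which still satisfies the `track_frame_size >= 0` gate). Parse with strtol, require the end pointer to reach the terminating NUL, and reset track_frame_size to -1 when the argument is rejected. Separately, `initialize-locals` is accepted and sets init_locals, but nothing in this file reads init_locals and its help line is commented out; rejecting the option until the TODO is implemented would avoid a flag that silently does nothing.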
82530 -diff -urNp linux-2.6.32.46/usr/gen_init_cpio.c linux-2.6.32.46/usr/gen_init_cpio.c
82531 ---- linux-2.6.32.46/usr/gen_init_cpio.c 2011-03-27 14:31:47.000000000 -0400
82532 -+++ linux-2.6.32.46/usr/gen_init_cpio.c 2011-04-17 15:56:46.000000000 -0400
82533 -@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
82534 - int retval;
82535 - int rc = -1;
82536 - int namesize;
82537 -- int i;
82538 -+ unsigned int i;
82539 -
82540 - mode |= S_IFREG;
82541 -
82542 -@@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
82543 - *env_var = *expanded = '\0';
82544 - strncat(env_var, start + 2, end - start - 2);
82545 - strncat(expanded, new_location, start - new_location);
82546 -- strncat(expanded, getenv(env_var), PATH_MAX);
82547 -- strncat(expanded, end + 1, PATH_MAX);
82548 -+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
82549 -+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
82550 - strncpy(new_location, expanded, PATH_MAX);
82551 -+ new_location[PATH_MAX] = 0;
82552 - } else
82553 - break;
82554 - }
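Review bot: `getenv(env_var)` is still passed straight to strncat in the first changed line, and getenv returns NULL when the variable is unset, so an undefined variable named in the input leads to a null pointer dereference; check the result first and fail with a message naming the variable. The new bounds `PATH_MAX - strlen(expanded)` and the added `new_location[PATH_MAX] = 0;` are only in range if both buffers hold PATH_MAX + 1 bytes, which this hunk does not show, so the declarations should be confirmed or quoted in the description.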
82555 -diff -urNp linux-2.6.32.46/virt/kvm/kvm_main.c linux-2.6.32.46/virt/kvm/kvm_main.c
82556 ---- linux-2.6.32.46/virt/kvm/kvm_main.c 2011-03-27 14:31:47.000000000 -0400
82557 -+++ linux-2.6.32.46/virt/kvm/kvm_main.c 2011-08-05 20:33:55.000000000 -0400
82558 -@@ -2494,7 +2494,7 @@ asmlinkage void kvm_handle_fault_on_rebo
82559 - if (kvm_rebooting)
82560 - /* spin while reset goes on */
82561 - while (true)
82562 -- ;
82563 -+ cpu_relax();
82564 - /* Fault while not rebooting. We want the trace. */
82565 - BUG();
82566 - }
82567 -@@ -2714,7 +2714,7 @@ static void kvm_sched_out(struct preempt
82568 - kvm_arch_vcpu_put(vcpu);
82569 - }
82570 -
82571 --int kvm_init(void *opaque, unsigned int vcpu_size,
82572 -+int kvm_init(const void *opaque, unsigned int vcpu_size,
82573 - struct module *module)
82574 - {
82575 - int r;
82576 -@@ -2767,15 +2767,17 @@ int kvm_init(void *opaque, unsigned int
82577 - /* A kmem cache lets us meet the alignment requirements of fx_save. */
82578 - kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
82579 - __alignof__(struct kvm_vcpu),
82580 -- 0, NULL);
82581 -+ SLAB_USERCOPY, NULL);
82582 - if (!kvm_vcpu_cache) {
82583 - r = -ENOMEM;
82584 - goto out_free_5;
82585 - }
82586 -
82587 -- kvm_chardev_ops.owner = module;
82588 -- kvm_vm_fops.owner = module;
82589 -- kvm_vcpu_fops.owner = module;
82590 -+ pax_open_kernel();
82591 -+ *(void **)&kvm_chardev_ops.owner = module;
82592 -+ *(void **)&kvm_vm_fops.owner = module;
82593 -+ *(void **)&kvm_vcpu_fops.owner = module;
82594 -+ pax_close_kernel();
82595 -
82596 - r = misc_register(&kvm_dev);
82597 - if (r) {
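Review bot: the three `*(void **)&...owner = module;` stores cast away the type of the owner field with no comment on why a plain assignment no longer works; if the ops structures are read-only at this point, as the surrounding pax_open_kernel()/pax_close_kernel() pair suggests, a short comment saying so would document the pattern for anyone who adds a fourth store. The change of the kvm_vcpu cache flags from 0 to SLAB_USERCOPY likewise needs a word on which part of the object is copied to or from userspace, since the flag is set for the whole cache.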
82598
82599 diff --git a/2.6.32/4421_grsec-remove-localversion-grsec.patch b/2.6.32/4421_grsec-remove-localversion-grsec.patch
82600 deleted file mode 100644
82601 index 31cf878..0000000
82602 --- a/2.6.32/4421_grsec-remove-localversion-grsec.patch
82603 +++ /dev/null
82604 @@ -1,9 +0,0 @@
82605 -From: Kerin Millar <kerframil@×××××.com>
82606 -
82607 -Remove grsecurity's localversion-grsec file as it is inconsistent with
82608 -Gentoo's kernel practices and naming scheme.
82609 -
82610 ---- a/localversion-grsec 2008-02-24 14:26:59.000000000 +0000
82611 -+++ b/localversion-grsec 1970-01-01 01:00:00.000000000 +0100
82612 -@@ -1 +0,0 @@
82613 ---grsec
82614
82615 diff --git a/2.6.32/4422_grsec-mute-warnings.patch b/2.6.32/4422_grsec-mute-warnings.patch
82616 deleted file mode 100644
82617 index 0c9c69a..0000000
82618 --- a/2.6.32/4422_grsec-mute-warnings.patch
82619 +++ /dev/null
82620 @@ -1,42 +0,0 @@
82621 -From: Anthony G. Basile <blueness@g.o>
82622 -Updated patch for 2.6.32.39.
82623 -
82624 -The credits/description from the original version of this patch remain accurate
82625 -and are included below.
82626 -
82627 ----
82628 -From: Jory A. Pratt <anarchy@g.o>
82629 -Updated patch for kernel 2.6.32
82630 -
82631 -The credits/description from the original version of this patch remain accurate
82632 -and are included below.
82633 -
82634 ----
82635 -From: Gordon Malm <gengor@g.o>
82636 -
82637 -Updated patch for kernel series 2.6.24.
82638 -
82639 -The credits/description from the original version of this patch remain accurate
82640 -and are included below.
82641 -
82642 ----
82643 -From: Alexander Gabert <gaberta@××××××××.de>
82644 -
82645 -This patch removes the warnings introduced by grsec patch 2.1.9 and later.
82646 -It removes the -W options added by the patch and restores the original
82647 -warning flags of vanilla kernel versions.
82648 -
82649 -Acked-by: Christian Heim <phreak@g.o>
82650 ----
82651 -
82652 ---- a/Makefile 2011-06-05 20:27:54.000000000 -0400
82653 -+++ b/Makefile 2011-06-05 20:28:46.000000000 -0400
82654 -@@ -221,7 +221,7 @@
82655 -
82656 - HOSTCC = gcc
82657 - HOSTCXX = g++
82658 --HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
82659 -+HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -Wno-empty-body -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
82660 - HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
82661 - HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
82662 -
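Review bot: the new HOSTCFLAGS line adds -Wno-empty-body unconditionally, while the unchanged line right after it still adds the same flag through `$(call cc-option, -Wno-empty-body)`; the hard-coded copy bypasses that compiler probe and duplicates the flag. Dropping it from the `+` line would leave a change that only removes `-W`, which is what the description says the patch does.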
82663
82664 diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4423_grsec-remove-protected-paths.patch
82665 deleted file mode 100644
82666 index 5cec66c..0000000
82667 --- a/2.6.32/4423_grsec-remove-protected-paths.patch
82668 +++ /dev/null
82669 @@ -1,19 +0,0 @@
82670 -From: Anthony G. Basile <blueness@g.o>
82671 -
82672 -We don't want GRSEC's Makefile to change permissions on paths in
82673 -the filesystem.
82674 -
82675 -diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
82676 ---- a/grsecurity/Makefile 2011-10-19 19:48:21.000000000 -0400
82677 -+++ b/grsecurity/Makefile 2011-10-19 19:50:44.000000000 -0400
82678 -@@ -27,10 +27,4 @@
82679 - ifdef CONFIG_GRKERNSEC_HIDESYM
82680 - extra-y := grsec_hidesym.o
82681 - $(obj)/grsec_hidesym.o:
82682 -- @-chmod -f 500 /boot
82683 -- @-chmod -f 500 /lib/modules
82684 -- @-chmod -f 500 /lib64/modules
82685 -- @-chmod -f 500 /lib32/modules
82686 -- @-chmod -f 700 .
82687 -- @echo ' grsec: protected kernel image paths'
82688 - endif
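Review bot: with all six recipe lines removed, `$(obj)/grsec_hidesym.o:` is left as a rule with no recipe and no prerequisites, which reads like an accident; remove the rule as well, or add a comment saying it is intentionally empty. The description should also say that restricting /boot and the module directories is now left to the administrator, since the deleted echo shows these chmods were what "protected kernel image paths" under CONFIG_GRKERNSEC_HIDESYM.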
82689
82690 diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4425_grsec-pax-without-grsec.patch
82691 deleted file mode 100644
82692 index 96b85a3..0000000
82693 --- a/2.6.32/4425_grsec-pax-without-grsec.patch
82694 +++ /dev/null
82695 @@ -1,88 +0,0 @@
82696 -From: Anthony G. Basile <blueness@g.o>
82697 -
82698 -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
82699 -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
82700 -This patch has been updated to reflect that change.
82701 ---
82702 -From: Jory Pratt <anarchy@g.o>
82703 -Updated patch for kernel 2.6.32
82704 -
82705 -The credits/description from the original version of this patch remain accurate
82706 -and are included below.
82707 ---
82708 -From: Gordon Malm <gengor@g.o>
82709 -
82710 -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
82711 -
82712 -This patch has been updated to keep current with newer kernel versions.
82713 -The original version of this patch contained no credits/description.
82714 -
82715 -diff -Naur linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c linux-2.6.32-hardened-r44/arch/x86/mm/fault.c
82716 ---- linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c 2011-04-17 18:15:54.000000000 -0400
82717 -+++ linux-2.6.32-hardened-r44/arch/x86/mm/fault.c 2011-04-17 18:28:11.000000000 -0400
82718 -@@ -658,10 +658,12 @@
82719 -
82720 - #ifdef CONFIG_PAX_KERNEXEC
82721 - if (init_mm.start_code <= address && address < init_mm.end_code) {
82722 -+#ifdef CONFIG_GRKERNSEC
82723 - if (current->signal->curr_ip)
82724 - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
82725 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
82726 - else
82727 -+#endif
82728 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
82729 - current->comm, task_pid_nr(current), current_uid(), current_euid());
82730 - }
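Review bot: the added `#ifdef CONFIG_GRKERNSEC` opens before the unbraced `if` and the `#endif` closes right after the bare `else`, so the second printk is either the else branch or a standalone statement depending on configuration. It compiles both ways, but a later edit that adds a statement next to either printk will change behaviour in only one configuration. Bracing both branches, or moving the curr_ip test into a small helper that compiles to nothing without GRKERNSEC, would be safer; the same applies to the three fs/exec.c hunks that follow.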
82731 -diff -Naur linux-2.6.32-hardened-r44.orig/fs/exec.c linux-2.6.32-hardened-r44/fs/exec.c
82732 ---- linux-2.6.32-hardened-r44.orig/fs/exec.c 2011-04-17 18:15:55.000000000 -0400
82733 -+++ linux-2.6.32-hardened-r44/fs/exec.c 2011-04-17 18:29:40.000000000 -0400
82734 -@@ -1803,9 +1803,11 @@
82735 - }
82736 - up_read(&mm->mmap_sem);
82737 - }
82738 -+#ifdef CONFIG_GRKERNSEC
82739 - if (tsk->signal->curr_ip)
82740 - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
82741 - else
82742 -+#endif
82743 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
82744 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
82745 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
82746 -@@ -1820,10 +1822,12 @@
82747 - #ifdef CONFIG_PAX_REFCOUNT
82748 - void pax_report_refcount_overflow(struct pt_regs *regs)
82749 - {
82750 -+#ifdef CONFIG_GRKERNSEC
82751 - if (current->signal->curr_ip)
82752 - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
82753 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
82754 - else
82755 -+#endif
82756 - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
82757 - current->comm, task_pid_nr(current), current_uid(), current_euid());
82758 - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
82759 -@@ -1883,10 +1887,12 @@
82760 -
82761 - NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
82762 - {
82763 -+#ifdef CONFIG_GRKERNSEC
82764 - if (current->signal->curr_ip)
82765 - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
82766 - &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
82767 - else
82768 -+#endif
82769 - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
82770 - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
82771 -
82772 -diff -Naur linux-2.6.32-hardened-r44.orig/security/Kconfig linux-2.6.32-hardened-r44/security/Kconfig
82773 ---- linux-2.6.32-hardened-r44.orig/security/Kconfig 2011-04-17 18:15:55.000000000 -0400
82774 -+++ linux-2.6.32-hardened-r44/security/Kconfig 2011-04-17 18:28:11.000000000 -0400
82775 -@@ -29,7 +29,7 @@
82776 -
82777 - config PAX
82778 - bool "Enable various PaX features"
82779 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
82780 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
82781 - help
82782 - This allows you to enable various PaX features. PaX adds
82783 - intrusion prevention mechanisms to the kernel that reduce
82784
82785 diff --git a/2.6.32/4430_grsec-kconfig-default-gids.patch b/2.6.32/4430_grsec-kconfig-default-gids.patch
82786 deleted file mode 100644
82787 index b173bab..0000000
82788 --- a/2.6.32/4430_grsec-kconfig-default-gids.patch
82789 +++ /dev/null
82790 @@ -1,77 +0,0 @@
82791 -From: Kerin Millar <kerframil@×××××.com>
82792 -
82793 -grsecurity contains a number of options which allow certain protections
82794 -to be applied to or exempted from members of a given group. However, the
82795 -default GIDs specified in the upstream patch are entirely arbitrary and
82796 -there is no telling which (if any) groups the GIDs will correlate with
82797 -on an end-user's system. Because some users don't pay a great deal of
82798 -attention to the finer points of kernel configuration, it is probably
82799 -wise to specify some reasonable defaults so as to stop careless users
82800 -from shooting themselves in the foot.
82801 -
82802 -diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
82803 ---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
82804 -+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
82805 -@@ -432,7 +432,7 @@
82806 - config GRKERNSEC_PROC_GID
82807 - int "GID for special group"
82808 - depends on GRKERNSEC_PROC_USERGROUP
82809 -- default 1001
82810 -+ default 10
82811 -
82812 - config GRKERNSEC_PROC_ADD
82813 - bool "Additional restrictions"
82814 -@@ -656,7 +656,7 @@
82815 - config GRKERNSEC_AUDIT_GID
82816 - int "GID for auditing"
82817 - depends on GRKERNSEC_AUDIT_GROUP
82818 -- default 1007
82819 -+ default 100
82820 -
82821 - config GRKERNSEC_EXECLOG
82822 - bool "Exec logging"
82823 -@@ -834,7 +834,7 @@
82824 - config GRKERNSEC_TPE_GID
82825 - int "GID for untrusted users"
82826 - depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
82827 -- default 1005
82828 -+ default 100
82829 - help
82830 - Setting this GID determines what group TPE restrictions will be
82831 - *enabled* for. If the sysctl option is enabled, a sysctl option
82832 -@@ -843,7 +843,7 @@
82833 - config GRKERNSEC_TPE_GID
82834 - int "GID for trusted users"
82835 - depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
82836 -- default 1005
82837 -+ default 10
82838 - help
82839 - Setting this GID determines what group TPE restrictions will be
82840 - *disabled* for. If the sysctl option is enabled, a sysctl option
82841 -@@ -916,7 +916,7 @@
82842 - config GRKERNSEC_SOCKET_ALL_GID
82843 - int "GID to deny all sockets for"
82844 - depends on GRKERNSEC_SOCKET_ALL
82845 -- default 1004
82846 -+ default 65534
82847 - help
82848 - Here you can choose the GID to disable socket access for. Remember to
82849 - add the users you want socket access disabled for to the GID
82850 -@@ -937,7 +937,7 @@
82851 - config GRKERNSEC_SOCKET_CLIENT_GID
82852 - int "GID to deny client sockets for"
82853 - depends on GRKERNSEC_SOCKET_CLIENT
82854 -- default 1003
82855 -+ default 65534
82856 - help
82857 - Here you can choose the GID to disable client socket access for.
82858 - Remember to add the users you want client socket access disabled for to
82859 -@@ -955,7 +955,7 @@
82860 - config GRKERNSEC_SOCKET_SERVER_GID
82861 - int "GID to deny server sockets for"
82862 - depends on GRKERNSEC_SOCKET_SERVER
82863 -- default 1002
82864 -+ default 65534
82865 - help
82866 - Here you can choose the GID to disable server socket access for.
82867 - Remember to add the users you want server socket access disabled for to
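Review bot: the description calls the new defaults reasonable, but neither it nor the Kconfig help text in these hunks says which groups 10, 100 and 65534 are expected to be, so a reader cannot check the choice against their own /etc/group; name the intended group beside each `default` line. GRKERNSEC_AUDIT_GID and the non-inverted GRKERNSEC_TPE_GID also both default to 100 after this change, so the audited group and the untrusted group coincide unless the user changes one of them, which is worth stating if it is intended.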
82868
82869 diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
82870 deleted file mode 100644
82871 index 0bb8941..0000000
82872 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch
82873 +++ /dev/null
82874 @@ -1,314 +0,0 @@
82875 -From: Anthony G. Basile <blueness@g.o>
82876 -From: Gordon Malm <gengor@g.o>
82877 -From: Jory A. Pratt <anarchy@g.o>
82878 -From: Kerin Millar <kerframil@×××××.com>
82879 -
82880 -Add Hardened Gentoo [server/workstation] predefined grsecurity
82881 -levels. They're designed to provide a comparitively high level of
82882 -security while remaining generally suitable for as great a majority
82883 -of the userbase as possible (particularly new users).
82884 -
82885 -Make Hardened Gentoo [workstation] predefined grsecurity level the
82886 -default. The Hardened Gentoo [server] level is more restrictive
82887 -and conflicts with some software and thus would be less suitable.
82888 -
82889 -The original version of this patch was conceived and created by:
82890 -Ned Ludd <solar@g.o>
82891 -
82892 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
82893 ---- a/grsecurity/Kconfig 2011-04-17 18:41:22.000000000 -0400
82894 -+++ b/grsecurity/Kconfig 2011-04-17 18:42:14.000000000 -0400
82895 -@@ -18,7 +18,7 @@
82896 - choice
82897 - prompt "Security Level"
82898 - depends on GRKERNSEC
82899 -- default GRKERNSEC_CUSTOM
82900 -+ default GRKERNSEC_HARDENED_WORKSTATION
82901 -
82902 - config GRKERNSEC_LOW
82903 - bool "Low"
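Review bot: the `default` line now selects GRKERNSEC_HARDENED_WORKSTATION, and in the level definitions added further down that level leaves PAX_KERNEXEC and PAX_MEMORY_UDEREF commented out, yet the help text for the server level describes the two levels as identical apart from GRKERNSEC_IO and GRKERNSEC_PROC_ADD. Since this becomes what users get without making a choice, the help text should list KERNEXEC and UDEREF among the differences.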
82904 -@@ -191,6 +191,258 @@
82905 - - Restricted sysfs/debugfs
82906 - - Active kernel exploit response
82907 -
82908 -+config GRKERNSEC_HARDENED_SERVER
82909 -+ bool "Hardened Gentoo [server]"
82910 -+ select GRKERNSEC_LINK
82911 -+ select GRKERNSEC_FIFO
82912 -+ select GRKERNSEC_DMESG
82913 -+ select GRKERNSEC_FORKFAIL
82914 -+ select GRKERNSEC_TIME
82915 -+ select GRKERNSEC_SIGNAL
82916 -+ select GRKERNSEC_CHROOT
82917 -+ select GRKERNSEC_CHROOT_SHMAT
82918 -+ select GRKERNSEC_CHROOT_UNIX
82919 -+ select GRKERNSEC_CHROOT_MOUNT
82920 -+ select GRKERNSEC_CHROOT_FCHDIR
82921 -+ select GRKERNSEC_CHROOT_PIVOT
82922 -+ select GRKERNSEC_CHROOT_DOUBLE
82923 -+ select GRKERNSEC_CHROOT_CHDIR
82924 -+ select GRKERNSEC_CHROOT_MKNOD
82925 -+ select GRKERNSEC_CHROOT_CAPS
82926 -+ select GRKERNSEC_CHROOT_SYSCTL
82927 -+ select GRKERNSEC_CHROOT_FINDTASK
82928 -+ select GRKERNSEC_PROC
82929 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
82930 -+ select GRKERNSEC_HIDESYM
82931 -+ select GRKERNSEC_BRUTE
82932 -+ select GRKERNSEC_PROC_USERGROUP
82933 -+ select GRKERNSEC_KMEM
82934 -+ select GRKERNSEC_RESLOG
82935 -+ select GRKERNSEC_RANDNET
82936 -+ select GRKERNSEC_PROC_ADD
82937 -+ select GRKERNSEC_CHROOT_CHMOD
82938 -+ select GRKERNSEC_CHROOT_NICE
82939 -+ select GRKERNSEC_AUDIT_MOUNT
82940 -+ select GRKERNSEC_MODHARDEN if (MODULES)
82941 -+ select GRKERNSEC_HARDEN_PTRACE
82942 -+ select GRKERNSEC_VM86 if (X86_32)
82943 -+ select GRKERNSEC_IO if (X86)
82944 -+ select GRKERNSEC_PROC_IPADDR
82945 -+ select GRKERNSEC_RWXMAP_LOG
82946 -+ select GRKERNSEC_SYSCTL
82947 -+ select GRKERNSEC_SYSCTL_ON
82948 -+ select PAX
82949 -+ select PAX_RANDUSTACK
82950 -+ select PAX_ASLR
82951 -+ select PAX_RANDMMAP
82952 -+ select PAX_NOEXEC
82953 -+ select PAX_MPROTECT
82954 -+ select PAX_EI_PAX
82955 -+ select PAX_PT_PAX_FLAGS
82956 -+ select PAX_HAVE_ACL_FLAGS
82957 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
82958 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
82959 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
82960 -+ select PAX_SEGMEXEC if (X86_32)
82961 -+ select PAX_PAGEEXEC
82962 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
82963 -+ select PAX_EMUTRAMP if (PARISC)
82964 -+ select PAX_EMUSIGRT if (PARISC)
82965 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
82966 -+ select PAX_REFCOUNT if (X86 || SPARC64)
82967 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
82968 -+ select PAX_MEMORY_SANITIZE
82969 -+ help
82970 -+ If you say Y here, a configuration for grsecurity/PaX features
82971 -+ will be used that is endorsed by the Hardened Gentoo project.
82972 -+ These pre-defined security levels are designed to provide a high
82973 -+ level of security while minimizing incompatibilities with a majority
82974 -+ of Gentoo's available software.
82975 -+
82976 -+ This "Hardened Gentoo [server]" level is identical to the
82977 -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
82978 -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
82979 -+ security level if the system will not be utilizing software incompatible
82980 -+ with these features.
82981 -+
82982 -+ When this level is selected, some security features will be forced on,
82983 -+ while others will default to their suggested values of off or on. The
82984 -+ later can be tweaked at the user's discretion, but may cause problems
82985 -+ in some situations. You can fully customize all grsecurity/PaX features
82986 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
82987 -+ inherit the options selected by this security level as a starting point.
82988 -+ To accomplish this, select this security level, then exit the menuconfig
82989 -+ interface, saving changes when prompted. Run make menuconfig again and
82990 -+ select the "Custom" level.
82991 -+
82992 -+config GRKERNSEC_HARDENED_WORKSTATION
82993 -+ bool "Hardened Gentoo [workstation]"
82994 -+ select GRKERNSEC_LINK
82995 -+ select GRKERNSEC_FIFO
82996 -+ select GRKERNSEC_DMESG
82997 -+ select GRKERNSEC_FORKFAIL
82998 -+ select GRKERNSEC_TIME
82999 -+ select GRKERNSEC_SIGNAL
83000 -+ select GRKERNSEC_CHROOT
83001 -+ select GRKERNSEC_CHROOT_SHMAT
83002 -+ select GRKERNSEC_CHROOT_UNIX
83003 -+ select GRKERNSEC_CHROOT_MOUNT
83004 -+ select GRKERNSEC_CHROOT_FCHDIR
83005 -+ select GRKERNSEC_CHROOT_PIVOT
83006 -+ select GRKERNSEC_CHROOT_DOUBLE
83007 -+ select GRKERNSEC_CHROOT_CHDIR
83008 -+ select GRKERNSEC_CHROOT_MKNOD
83009 -+ select GRKERNSEC_CHROOT_CAPS
83010 -+ select GRKERNSEC_CHROOT_SYSCTL
83011 -+ select GRKERNSEC_CHROOT_FINDTASK
83012 -+ select GRKERNSEC_PROC
83013 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
83014 -+ select GRKERNSEC_HIDESYM
83015 -+ select GRKERNSEC_BRUTE
83016 -+ select GRKERNSEC_PROC_USERGROUP
83017 -+ select GRKERNSEC_KMEM
83018 -+ select GRKERNSEC_RESLOG
83019 -+ select GRKERNSEC_RANDNET
83020 -+ # select GRKERNSEC_PROC_ADD
83021 -+ select GRKERNSEC_CHROOT_CHMOD
83022 -+ select GRKERNSEC_CHROOT_NICE
83023 -+ select GRKERNSEC_AUDIT_MOUNT
83024 -+ select GRKERNSEC_MODHARDEN if (MODULES)
83025 -+ select GRKERNSEC_HARDEN_PTRACE
83026 -+ select GRKERNSEC_VM86 if (X86_32)
83027 -+ # select GRKERNSEC_IO if (X86)
83028 -+ select GRKERNSEC_PROC_IPADDR
83029 -+ select GRKERNSEC_RWXMAP_LOG
83030 -+ select GRKERNSEC_SYSCTL
83031 -+ select GRKERNSEC_SYSCTL_ON
83032 -+ select PAX
83033 -+ select PAX_RANDUSTACK
83034 -+ select PAX_ASLR
83035 -+ select PAX_RANDMMAP
83036 -+ select PAX_NOEXEC
83037 -+ select PAX_MPROTECT
83038 -+ select PAX_EI_PAX
83039 -+ select PAX_PT_PAX_FLAGS
83040 -+ select PAX_HAVE_ACL_FLAGS
83041 -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
83042 -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
83043 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
83044 -+ select PAX_SEGMEXEC if (X86_32)
83045 -+ select PAX_PAGEEXEC
83046 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
83047 -+ select PAX_EMUTRAMP if (PARISC)
83048 -+ select PAX_EMUSIGRT if (PARISC)
83049 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
83050 -+ select PAX_REFCOUNT if (X86 || SPARC64)
83051 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
83052 -+ select PAX_MEMORY_SANITIZE
83053 -+ help
83054 -+ If you say Y here, a configuration for grsecurity/PaX features
83055 -+ will be used that is endorsed by the Hardened Gentoo project.
83056 -+ These pre-defined security levels are designed to provide a high
83057 -+ level of security while minimizing incompatibilities with a majority
83058 -+ of Gentoo's available software.
83059 -+
83060 -+ This "Hardened Gentoo [workstation]" level is identical to the
83061 -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
83062 -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
83063 -+ security level if the system will be utilizing software incompatible
83064 -+ with these features.
83065 -+
83066 -+ When this level is selected, some security features will be forced on,
83067 -+ while others will default to their suggested values of off or on. The
83068 -+ later can be tweaked at the user's discretion, but may cause problems
83069 -+ in some situations. You can fully customize all grsecurity/PaX features
83070 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
83071 -+ inherit the options selected by this security level as a starting point.
83072 -+ To accomplish this, select this security level, then exit the menuconfig
83073 -+ interface, saving changes when prompted. Run make menuconfig again and
83074 -+ select the "Custom" level.
83075 -+
83076 -+config GRKERNSEC_HARDENED_VIRTUALIZATION
83077 -+ bool "Hardened Gentoo [virtualization]"
83078 -+ select GRKERNSEC_LINK
83079 -+ select GRKERNSEC_FIFO
83080 -+ select GRKERNSEC_DMESG
83081 -+ select GRKERNSEC_FORKFAIL
83082 -+ select GRKERNSEC_TIME
83083 -+ select GRKERNSEC_SIGNAL
83084 -+ select GRKERNSEC_CHROOT
83085 -+ select GRKERNSEC_CHROOT_SHMAT
83086 -+ select GRKERNSEC_CHROOT_UNIX
83087 -+ select GRKERNSEC_CHROOT_MOUNT
83088 -+ select GRKERNSEC_CHROOT_FCHDIR
83089 -+ select GRKERNSEC_CHROOT_PIVOT
83090 -+ select GRKERNSEC_CHROOT_DOUBLE
83091 -+ select GRKERNSEC_CHROOT_CHDIR
83092 -+ select GRKERNSEC_CHROOT_MKNOD
83093 -+ select GRKERNSEC_CHROOT_CAPS
83094 -+ select GRKERNSEC_CHROOT_SYSCTL
83095 -+ select GRKERNSEC_CHROOT_FINDTASK
83096 -+ select GRKERNSEC_PROC
83097 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
83098 -+ select GRKERNSEC_HIDESYM
83099 -+ select GRKERNSEC_BRUTE
83100 -+ select GRKERNSEC_PROC_USERGROUP
83101 -+ select GRKERNSEC_KMEM
83102 -+ select GRKERNSEC_RESLOG
83103 -+ select GRKERNSEC_RANDNET
83104 -+ # select GRKERNSEC_PROC_ADD
83105 -+ select GRKERNSEC_CHROOT_CHMOD
83106 -+ select GRKERNSEC_CHROOT_NICE
83107 -+ select GRKERNSEC_AUDIT_MOUNT
83108 -+ select GRKERNSEC_MODHARDEN if (MODULES)
83109 -+ select GRKERNSEC_HARDEN_PTRACE
83110 -+ select GRKERNSEC_VM86 if (X86_32)
83111 -+ # select GRKERNSEC_IO if (X86)
83112 -+ select GRKERNSEC_PROC_IPADDR
83113 -+ select GRKERNSEC_RWXMAP_LOG
83114 -+ select GRKERNSEC_SYSCTL
83115 -+ select GRKERNSEC_SYSCTL_ON
83116 -+ select PAX
83117 -+ select PAX_RANDUSTACK
83118 -+ select PAX_ASLR
83119 -+ select PAX_RANDMMAP
83120 -+ select PAX_NOEXEC
83121 -+ select PAX_MPROTECT
83122 -+ select PAX_EI_PAX
83123 -+ select PAX_PT_PAX_FLAGS
83124 -+ select PAX_HAVE_ACL_FLAGS
83125 -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
83126 -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
83127 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
83128 -+ select PAX_SEGMEXEC if (X86_32)
83129 -+ select PAX_PAGEEXEC
83130 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
83131 -+ select PAX_EMUTRAMP if (PARISC)
83132 -+ select PAX_EMUSIGRT if (PARISC)
83133 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
83134 -+ select PAX_REFCOUNT if (X86 || SPARC64)
83135 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
83136 -+ select PAX_MEMORY_SANITIZE
83137 -+ help
83138 -+ If you say Y here, a configuration for grsecurity/PaX features
83139 -+ will be used that is endorsed by the Hardened Gentoo project.
83140 -+ These pre-defined security levels are designed to provide a high
83141 -+ level of security while minimizing incompatibilities with a majority
83142 -+ of Gentoo's available software.
83143 -+
83144 -+ This "Hardened Gentoo [virtualization]" level is identical to the
83145 -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
83146 -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
83147 -+ security level if the system will be utilizing virtualization software
83148 -+ incompatible with these features, like VirtualBox or kvm.
83149 -+
83150 -+ When this level is selected, some security features will be forced on,
83151 -+ while others will default to their suggested values of off or on. The
83152 -+ later can be tweaked at the user's discretion, but may cause problems
83153 -+ in some situations. You can fully customize all grsecurity/PaX features
83154 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
83155 -+ inherit the options selected by this security level as a starting point.
83156 -+ To accomplish this, select this security level, then exit the menuconfig
83157 -+ interface, saving changes when prompted. Run make menuconfig again and
83158 -+ select the "Custom" level.
83159 -+
83160 - config GRKERNSEC_CUSTOM
83161 - bool "Custom"
83162 - help
83163 -diff -Naur a/security/Kconfig b/security/Kconfig
83164 ---- a/security/Kconfig 2011-04-17 18:36:55.000000000 -0400
83165 -+++ b/security/Kconfig 2011-04-17 18:42:14.000000000 -0400
83166 -@@ -322,9 +322,10 @@
83167 -
83168 - config PAX_KERNEXEC
83169 - bool "Enforce non-executable kernel pages"
83170 -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
83171 -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
83172 - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
83173 - select PAX_KERNEXEC_PLUGIN if X86_64
83174 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
83175 - help
83176 - This is the kernel land equivalent of PAGEEXEC and MPROTECT,
83177 - that is, enabling this option will make it harder to inject
83178 -@@ -487,8 +488,9 @@
83179 -
83180 - config PAX_MEMORY_UDEREF
83181 - bool "Prevent invalid userland pointer dereference"
83182 -- depends on X86 && !UML_X86 && !XEN
83183 -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
83184 - select PAX_PER_CPU_PGD if X86_64
83185 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
83186 - help
83187 - By saying Y here the kernel will be prevented from dereferencing
83188 - userland pointers in contexts where the kernel expects only kernel
83189
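Review bot: the help text for GRKERNSEC_HARDENED_VIRTUALIZATION says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but the security/Kconfig part adds `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to both `depends on` lines, which makes the two options unavailable at that level rather than giving them a default the user can flip. Either reword the help to say the options cannot be enabled at this level, or express the behaviour as a default and leave the dependency alone. The workstation help has a matching gap: it names only GRKERNSEC_IO and GRKERNSEC_PROC_ADD, while the commented-out `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF` lines together with `default y if GRKERNSEC_HARDENED_WORKSTATION` make those two changeable defaults at that level, which the help does not mention. "The later can be tweaked" should read "latter" in each help block.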
83190 diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
83191 deleted file mode 100644
83192 index 368d10c..0000000
83193 --- a/2.6.32/4437-grsec-kconfig-proc-user.patch
83194 +++ /dev/null
83195 @@ -1,26 +0,0 @@
83196 -From: Anthony G. Basile <blueness@g.o>
83197 -
83198 -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
83199 -in a different way to avoid bug #366019. This patch should eventually go upstream.
83200 -
83201 -diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig
83202 ---- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
83203 -+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
83204 -@@ -665,7 +665,7 @@
83205 -
83206 - config GRKERNSEC_PROC_USER
83207 - bool "Restrict /proc to user only"
83208 -- depends on GRKERNSEC_PROC
83209 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
83210 - help
83211 - If you say Y here, non-root users will only be able to view their own
83212 - processes, and restricts them from viewing network-related information,
83213 -@@ -673,7 +673,7 @@
83214 -
83215 - config GRKERNSEC_PROC_USERGROUP
83216 - bool "Allow special group"
83217 -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
83218 -+ depends on GRKERNSEC_PROC
83219 - help
83220 - If you say Y here, you will be able to select a group that will be
83221 - able to view all processes and network-related information. If you've
83222
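Review bot: the description says the mutual exclusion is handled "in a different way" but not why moving `!GRKERNSEC_PROC_USERGROUP` onto GRKERNSEC_PROC_USER helps. Kconfig `select` sets a symbol without honouring its `depends on`, so a security level that does `select GRKERNSEC_PROC_USERGROUP` could end up with both options set while the exclusion sat on the USERGROUP side; with the dependency on the USER side, selecting USERGROUP turns USER off. If that is the reason, one or two sentences in the header would make the intent reviewable without opening bug #366019.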
83223 diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
83224 deleted file mode 100644
83225 index 003d903..0000000
83226 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
83227 +++ /dev/null
83228 @@ -1,73 +0,0 @@
83229 -From: Anthony G. Basile <blueness@g.o>
83230 -
83231 -Removed deprecated NIPQUAD macro in favor of %pI4.
83232 -See bug #346333.
83233 -
83234 ----
83235 -From: Gordon Malm <gengor@g.o>
83236 -
83237 -This is a reworked version of the original
83238 -*_selinux-avc_audit-log-curr_ip.patch carried in earlier releases of
83239 -hardened-sources.
83240 -
83241 -Dropping the patch, or simply fixing the #ifdef of the original patch
83242 -could break automated logging setups so this route was necessary.
83243 -
83244 -Suggestions for improving the help text are welcome.
83245 -
83246 -The original patch's description is still accurate and included below.
83247 -
83248 ----
83249 -Provides support for a new field ipaddr within the SELinux
83250 -AVC audit log, relying in task_struct->curr_ip (ipv4 only)
83251 -provided by grSecurity patch to be applied before.
83252 -
83253 -Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
83254 ----
83255 -
83256 -diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
83257 ---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
83258 -+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
83259 -@@ -1264,6 +1264,27 @@
83260 - menu "Logging Options"
83261 - depends on GRKERNSEC
83262 -
83263 -+config GRKERNSEC_SELINUX_AVC_LOG_IPADDR
83264 -+ def_bool n
83265 -+ prompt "Add source IP address to SELinux AVC log messages"
83266 -+ depends on GRKERNSEC && SECURITY_SELINUX
83267 -+ help
83268 -+ If you say Y here, a new field "ipaddr=" will be added to many SELinux
83269 -+ AVC log messages. The value of this field in any given message
83270 -+ represents the source IP address of the remote machine/user that created
83271 -+ the offending process.
83272 -+
83273 -+ This information is sourced from task_struct->curr_ip provided by
83274 -+ grsecurity's GRKERNSEC top-level configuration option. One limitation
83275 -+ is that only IPv4 is supported.
83276 -+
83277 -+ In many instances SELinux AVC log messages already log a superior level
83278 -+ of information that also includes source port and destination ip/port.
83279 -+ Additionally, SELinux's AVC log code supports IPv6.
83280 -+
83281 -+ However, grsecurity's task_struct->curr_ip will sometimes (often?)
83282 -+ provide the offender's IP address where stock SELinux logging fails to.
83283 -+
83284 - config GRKERNSEC_FLOODTIME
83285 - int "Seconds in between log messages (minimum)"
83286 - default 10
83287 -diff -Naur linux-2.6.32-hardened-r44.orig/security/selinux/avc.c linux-2.6.32-hardened-r44/security/selinux/avc.c
83288 ---- linux-2.6.32-hardened-r44.orig/security/selinux/avc.c 2009-12-02 22:51:21.000000000 -0500
83289 -+++ linux-2.6.32-hardened-r44/security/selinux/avc.c 2011-04-17 18:51:15.000000000 -0400
83290 -@@ -203,6 +203,11 @@
83291 - char *scontext;
83292 - u32 scontext_len;
83293 -
83294 -+#ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR
83295 -+ if (current->signal->curr_ip)
83296 -+ audit_log_format(ab, "ipaddr=%pI4 ", &current->signal->curr_ip);
83297 -+#endif
83298 -+
83299 - rc = security_sid_to_context(ssid, &scontext, &scontext_len);
83300 - if (rc)
83301 - audit_log_format(ab, "ssid=%d", ssid);
83302
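Review bot: the Kconfig help and the original description both name `task_struct->curr_ip` as the source of the address, but the avc.c hunk reads `current->signal->curr_ip`. Update the help text and the description to name the field the code uses. `depends on GRKERNSEC && SECURITY_SELINUX` also repeats the `depends on GRKERNSEC` already on the enclosing "Logging Options" menu, so `depends on SECURITY_SELINUX` is enough. Because the field is only written when `curr_ip` is non-zero and is IPv4 only, the help should state that log consumers must treat `ipaddr=` as optional.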
83303 diff --git a/2.6.32/4445_disable-compat_vdso.patch b/2.6.32/4445_disable-compat_vdso.patch
83304 deleted file mode 100644
83305 index c8e1aeb..0000000
83306 --- a/2.6.32/4445_disable-compat_vdso.patch
83307 +++ /dev/null
83308 @@ -1,47 +0,0 @@
83309 -From: Jory A. Pratt <anarchy@g.o>
83310 -
83311 -No need to wrap vdso calls as gentoo does not use any version of
83312 -glibc <=2.3.3
83313 ----
83314 -From: Gordon Malm <gengor@g.o>
83315 -From: Kerin Millar <kerframil@×××××.com>
83316 -
83317 -COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
83318 -conflicts with various parts of PaX, crashing the system if enabled
83319 -while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
83320 -a number of important PaX options from appearing in the configuration
83321 -menu, including all PaX NOEXEC implementations. Unfortunately, the
83322 -reason for the disappearance of these PaX configuration options is
83323 -often far from obvious to inexperienced users.
83324 -
83325 -Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
83326 -COMPAT_VDSO operation can still be enabled via bootparam and sysctl
83327 -interfaces. Consequently, we must also disable the ability to select
83328 -COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
83329 -that selecting COMPAT_VDSO operation at boot/runtime has no effect if
83330 -conflicting PaX options are enabled, leaving VDSO_ENABLED operation
83331 -intact.
83332 -
83333 -Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
83334 -
83335 -diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
83336 ---- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
83337 -+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
83338 -@@ -1616,17 +1616,8 @@
83339 -
83340 - config COMPAT_VDSO
83341 - def_bool n
83342 -- prompt "Compat VDSO support"
83343 - depends on X86_32 || IA32_EMULATION
83344 - depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
83345 -- ---help---
83346 -- Map the 32-bit VDSO to the predictable old-style address too.
83347 -- ---help---
83348 -- Say N here if you are running a sufficiently recent glibc
83349 -- version (2.3.3 or later), to remove the high-mapped
83350 -- VDSO mapping and to exclusively use the randomized VDSO.
83351 --
83352 -- If unsure, say Y.
83353 -
83354 - config CMDLINE_BOOL
83355 - bool "Built-in kernel command line"
83356
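Review bot: the description promises more than the patch contains. It says the kernel is patched "so that selecting COMPAT_VDSO operation at boot/runtime has no effect if conflicting PaX options are enabled", but the only file touched is arch/x86/Kconfig, where the `prompt` line and the help text are removed. Either add the boot parameter and sysctl handling the text describes, or trim the description to the Kconfig change and say where the boot and runtime side is dealt with.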
83357 diff --git a/2.6.32/4450_check_ssp_fix.patch b/2.6.32/4450_check_ssp_fix.patch
83358 deleted file mode 100644
83359 index 40e0467..0000000
83360 --- a/2.6.32/4450_check_ssp_fix.patch
83361 +++ /dev/null
83362 @@ -1,17 +0,0 @@
83363 -2010-03-31 Magnus Granberg <zorry@g.o>
83364 -
83365 - #312335
83366 - arch/x86/Makefile: Add KBUILD_CPPFLAGS to the SSP test
83367 - commandline for else it build that file with -fPIE
83368 -
83369 ---- a/arch/x86/Makefile 2010-03-31 16:39:32.000000000 +0200
83370 -+++ b/arch/x86/Makefile 2010-03-31 16:36:53.000000000 +0200
83371 -@@ -75,7 +75,7 @@
83372 -
83373 - ifdef CONFIG_CC_STACKPROTECTOR
83374 - cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
83375 -- ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(biarch)),y)
83376 -+ ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
83377 - stackp-y := -fstack-protector
83378 - KBUILD_CFLAGS += $(stackp-y)
83379 - else
83380
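Review bot: the changelog entry does not say which flag in `$(KBUILD_CPPFLAGS)` keeps the stack-protector probe from being built with -fPIE, and "for else it build that file" is hard to parse. Please reword it and name the flag, so a later reader can tell whether the `ifeq (...,y)` test would fall back to the `else` branch again, leaving `-fstack-protector` out of KBUILD_CFLAGS, if KBUILD_CPPFLAGS changes.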
83381 diff --git a/3.0.7/4420_Z_3_remove-legacy-ei-pax.patch b/3.0.7/4420_remove-legacy-ei-pax.patch
83382 similarity index 100%
83383 rename from 3.0.7/4420_Z_3_remove-legacy-ei-pax.patch
83384 rename to 3.0.7/4420_remove-legacy-ei-pax.patch
83385
83386 diff --git a/3.0.7/4421_grsec-remove-localversion-grsec.patch b/3.0.7/4421_grsec-remove-localversion-grsec.patch
83387 deleted file mode 100644
83388 index 31cf878..0000000
83389 --- a/3.0.7/4421_grsec-remove-localversion-grsec.patch
83390 +++ /dev/null
83391 @@ -1,9 +0,0 @@
83392 -From: Kerin Millar <kerframil@×××××.com>
83393 -
83394 -Remove grsecurity's localversion-grsec file as it is inconsistent with
83395 -Gentoo's kernel practices and naming scheme.
83396 -
83397 ---- a/localversion-grsec 2008-02-24 14:26:59.000000000 +0000
83398 -+++ b/localversion-grsec 1970-01-01 01:00:00.000000000 +0100
83399 -@@ -1 +0,0 @@
83400 ---grsec
83401
83402 diff --git a/3.0.7/4422_grsec-mute-warnings.patch b/3.0.7/4422_grsec-mute-warnings.patch
83403 deleted file mode 100644
83404 index fbca0bb..0000000
83405 --- a/3.0.7/4422_grsec-mute-warnings.patch
83406 +++ /dev/null
83407 @@ -1,42 +0,0 @@
83408 -From: Anthony G. Basile <blueness@g.o>
83409 -Updated patch for 2.6.38.6
83410 -
83411 -The credits/description from the original version of this patch remain accurate
83412 -and are included below.
83413 -
83414 ----
83415 -From: Jory A. Pratt <anarchy@g.o>
83416 -Updated patch for kernel 2.6.32
83417 -
83418 -The credits/description from the original version of this patch remain accurate
83419 -and are included below.
83420 -
83421 ----
83422 -From: Gordon Malm <gengor@g.o>
83423 -
83424 -Updated patch for kernel series 2.6.24.
83425 -
83426 -The credits/description from the original version of this patch remain accurate
83427 -and are included below.
83428 -
83429 ----
83430 -From: Alexander Gabert <gaberta@××××××××.de>
83431 -
83432 -This patch removes the warnings introduced by grsec patch 2.1.9 and later.
83433 -It removes the -W options added by the patch and restores the original
83434 -warning flags of vanilla kernel versions.
83435 -
83436 -Acked-by: Christian Heim <phreak@g.o>
83437 ----
83438 -
83439 ---- a/Makefile 2011-06-06 00:47:21.000000000 -0400
83440 -+++ b/Makefile 2011-06-06 00:49:13.000000000 -0400
83441 -@@ -245,7 +245,7 @@
83442 -
83443 - HOSTCC = gcc
83444 - HOSTCXX = g++
83445 --HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
83446 -+HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -Wno-empty-body -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
83447 - HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
83448 - HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
83449 -
83450
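Review bot: the `+` HOSTCFLAGS line adds `-Wno-empty-body` unconditionally, while the unchanged line right after it already adds the same flag through `$(call cc-option, -Wno-empty-body)`. The unconditional copy bypasses that compiler probe and the flag can end up on the command line twice. Dropping it from the `+` line, so that the only change is the removal of `-W`, would match the description ("removes the -W options added by the patch and restores the original warning flags").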
83451 diff --git a/3.0.7/4423_grsec-remove-protected-paths.patch b/3.0.7/4423_grsec-remove-protected-paths.patch
83452 deleted file mode 100644
83453 index 4afb3e2..0000000
83454 --- a/3.0.7/4423_grsec-remove-protected-paths.patch
83455 +++ /dev/null
83456 @@ -1,19 +0,0 @@
83457 -From: Anthony G. Basile <blueness@g.o>
83458 -
83459 -We don't want GRSEC's Makefile to change permissions on paths in
83460 -the filesystem.
83461 -
83462 -diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
83463 ---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
83464 -+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
83465 -@@ -27,10 +27,4 @@
83466 - ifdef CONFIG_GRKERNSEC_HIDESYM
83467 - extra-y := grsec_hidesym.o
83468 - $(obj)/grsec_hidesym.o:
83469 -- @-chmod -f 500 /boot
83470 -- @-chmod -f 500 /lib/modules
83471 -- @-chmod -f 500 /lib64/modules
83472 -- @-chmod -f 500 /lib32/modules
83473 -- @-chmod -f 700 .
83474 -- @echo ' grsec: protected kernel image paths'
83475 - endif
83476
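Review bot: after the six recipe lines are removed, `extra-y := grsec_hidesym.o` and an empty `$(obj)/grsec_hidesym.o:` rule are left behind inside `ifdef CONFIG_GRKERNSEC_HIDESYM`. If the target existed only to run the chmod commands, remove the remaining lines as well, or add a comment explaining why the empty target stays. The removed lines are the ones the build announced as "protected kernel image paths", so the description should also say that restricting /boot and the modules directories is now left to the administrator when HIDESYM is enabled.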
83477 diff --git a/3.0.7/4425_grsec-pax-without-grsec.patch b/3.0.7/4425_grsec-pax-without-grsec.patch
83478 deleted file mode 100644
83479 index 41be0d0..0000000
83480 --- a/3.0.7/4425_grsec-pax-without-grsec.patch
83481 +++ /dev/null
83482 @@ -1,88 +0,0 @@
83483 -From: Anthony G. Basile <blueness@g.o>
83484 -
83485 -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
83486 -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
83487 -This patch has been updated to reflect that change.
83488 ---
83489 -From: Jory Pratt <anarchy@g.o>
83490 -Updated patch for kernel 2.6.32
83491 -
83492 -The credits/description from the original version of this patch remain accurate
83493 -and are included below.
83494 ---
83495 -From: Gordon Malm <gengor@g.o>
83496 -
83497 -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
83498 -
83499 -This patch has been updated to keep current with newer kernel versions.
83500 -The original version of this patch contained no credits/description.
83501 -
83502 -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
83503 ---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400
83504 -+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400
83505 -@@ -647,10 +647,12 @@
83506 -
83507 - #ifdef CONFIG_PAX_KERNEXEC
83508 - if (init_mm.start_code <= address && address < init_mm.end_code) {
83509 -+#ifdef CONFIG_GRKERNSEC
83510 - if (current->signal->curr_ip)
83511 - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
83512 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
83513 - else
83514 -+#endif
83515 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
83516 - current->comm, task_pid_nr(current), current_uid(), current_euid());
83517 - }
83518 -diff -Naur a/fs/exec.c b/fs/exec.c
83519 ---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400
83520 -+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400
83521 -@@ -1958,9 +1958,11 @@
83522 - }
83523 - up_read(&mm->mmap_sem);
83524 - }
83525 -+#ifdef CONFIG_GRKERNSEC
83526 - if (tsk->signal->curr_ip)
83527 - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
83528 - else
83529 -+#endif
83530 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
83531 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
83532 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
83533 -@@ -1975,10 +1977,12 @@
83534 - #ifdef CONFIG_PAX_REFCOUNT
83535 - void pax_report_refcount_overflow(struct pt_regs *regs)
83536 - {
83537 -+#ifdef CONFIG_GRKERNSEC
83538 - if (current->signal->curr_ip)
83539 - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
83540 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
83541 - else
83542 -+#endif
83543 - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
83544 - current->comm, task_pid_nr(current), current_uid(), current_euid());
83545 - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
83546 -@@ -2038,10 +2042,12 @@
83547 -
83548 - NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
83549 - {
83550 -+#ifdef CONFIG_GRKERNSEC
83551 - if (current->signal->curr_ip)
83552 - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
83553 - &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
83554 - else
83555 -+#endif
83556 - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
83557 - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
83558 - dump_stack();
83559 -diff -Naur a/security/Kconfig b/security/Kconfig
83560 ---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400
83561 -+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400
83562 -@@ -29,7 +29,7 @@
83563 -
83564 - config PAX
83565 - bool "Enable various PaX features"
83566 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
83567 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
83568 - help
83569 - This allows you to enable various PaX features. PaX adds
83570 - intrusion prevention mechanisms to the kernel that reduce
83571
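Review bot: the file header for arch/x86/mm/fault.c reads `--- a/arch/x86/mm/fault.c` followed by `+++ a/arch/x86/mm/fault.c`; the new side should be `b/`, as in the fs/exec.c and security/Kconfig headers. The top description still cites grsecurity-2.2.2-2.6.32.38-201104171745 although this copy is filed under 3.0.7/, so state which grsecurity release it was last refreshed against. In the four `#ifdef CONFIG_GRKERNSEC` blocks the `#endif` sits between an unbraced `else` and its printk; braces around both branches would make the fallback message harder to break in a later refresh.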
83572 diff --git a/3.0.7/4430_grsec-kconfig-default-gids.patch b/3.0.7/4430_grsec-kconfig-default-gids.patch
83573 deleted file mode 100644
83574 index 6a448bf..0000000
83575 --- a/3.0.7/4430_grsec-kconfig-default-gids.patch
83576 +++ /dev/null
83577 @@ -1,77 +0,0 @@
83578 -From: Kerin Millar <kerframil@×××××.com>
83579 -
83580 -grsecurity contains a number of options which allow certain protections
83581 -to be applied to or exempted from members of a given group. However, the
83582 -default GIDs specified in the upstream patch are entirely arbitrary and
83583 -there is no telling which (if any) groups the GIDs will correlate with
83584 -on an end-user's system. Because some users don't pay a great deal of
83585 -attention to the finer points of kernel configuration, it is probably
83586 -wise to specify some reasonable defaults so as to stop careless users
83587 -from shooting themselves in the foot.
83588 -
83589 -diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
83590 ---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
83591 -+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
83592 -@@ -433,7 +433,7 @@
83593 - config GRKERNSEC_PROC_GID
83594 - int "GID for special group"
83595 - depends on GRKERNSEC_PROC_USERGROUP
83596 -- default 1001
83597 -+ default 10
83598 -
83599 - config GRKERNSEC_PROC_ADD
83600 - bool "Additional restrictions"
83601 -@@ -657,7 +657,7 @@
83602 - config GRKERNSEC_AUDIT_GID
83603 - int "GID for auditing"
83604 - depends on GRKERNSEC_AUDIT_GROUP
83605 -- default 1007
83606 -+ default 100
83607 -
83608 - config GRKERNSEC_EXECLOG
83609 - bool "Exec logging"
83610 -@@ -835,7 +835,7 @@
83611 - config GRKERNSEC_TPE_GID
83612 - int "GID for untrusted users"
83613 - depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
83614 -- default 1005
83615 -+ default 100
83616 - help
83617 - Setting this GID determines what group TPE restrictions will be
83618 - *enabled* for. If the sysctl option is enabled, a sysctl option
83619 -@@ -844,7 +844,7 @@
83620 - config GRKERNSEC_TPE_GID
83621 - int "GID for trusted users"
83622 - depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
83623 -- default 1005
83624 -+ default 10
83625 - help
83626 - Setting this GID determines what group TPE restrictions will be
83627 - *disabled* for. If the sysctl option is enabled, a sysctl option
83628 -@@ -917,7 +917,7 @@
83629 - config GRKERNSEC_SOCKET_ALL_GID
83630 - int "GID to deny all sockets for"
83631 - depends on GRKERNSEC_SOCKET_ALL
83632 -- default 1004
83633 -+ default 65534
83634 - help
83635 - Here you can choose the GID to disable socket access for. Remember to
83636 - add the users you want socket access disabled for to the GID
83637 -@@ -938,7 +938,7 @@
83638 - config GRKERNSEC_SOCKET_CLIENT_GID
83639 - int "GID to deny client sockets for"
83640 - depends on GRKERNSEC_SOCKET_CLIENT
83641 -- default 1003
83642 -+ default 65534
83643 - help
83644 - Here you can choose the GID to disable client socket access for.
83645 - Remember to add the users you want client socket access disabled for to
83646 -@@ -956,7 +956,7 @@
83647 - config GRKERNSEC_SOCKET_SERVER_GID
83648 - int "GID to deny server sockets for"
83649 - depends on GRKERNSEC_SOCKET_SERVER
83650 -- default 1002
83651 -+ default 65534
83652 - help
83653 - Here you can choose the GID to disable server socket access for.
83654 - Remember to add the users you want server socket access disabled for to
83655
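Review bot: the description calls upstream's GIDs arbitrary but never says which groups the replacement values 10, 100 and 65534 are meant to be, and the changed `default` lines carry no comment either. These values decide which group is exempt from the /proc restrictions, which is audited, which is subject to or exempt from TPE, and which loses socket access, so name the intended groups in the header and tell users to confirm the mapping against their own /etc/group. The diff headers also still point at linux-2.6.32-hardened-r44 in a patch filed under 3.0.7/.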
83656 diff --git a/3.0.7/4435_grsec-kconfig-gentoo.patch b/3.0.7/4435_grsec-kconfig-gentoo.patch
83657 deleted file mode 100644
83658 index 1bc9742..0000000
83659 --- a/3.0.7/4435_grsec-kconfig-gentoo.patch
83660 +++ /dev/null
83661 @@ -1,315 +0,0 @@
83662 -From: Anthony G. Basile <blueness@g.o>
83663 -From: Gordon Malm <gengor@g.o>
83664 -From: Jory A. Pratt <anarchy@g.o>
83665 -From: Kerin Millar <kerframil@×××××.com>
83666 -
83667 -Add Hardened Gentoo [server/workstation] predefined grsecurity
83668 -levels. They're designed to provide a comparitively high level of
83669 -security while remaining generally suitable for as great a majority
83670 -of the userbase as possible (particularly new users).
83671 -
83672 -Make Hardened Gentoo [workstation] predefined grsecurity level the
83673 -default. The Hardened Gentoo [server] level is more restrictive
83674 -and conflicts with some software and thus would be less suitable.
83675 -
83676 -The original version of this patch was conceived and created by:
83677 -Ned Ludd <solar@g.o>
83678 -
83679 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
83680 ---- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
83681 -+++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400
83682 -@@ -18,7 +18,7 @@
83683 - choice
83684 - prompt "Security Level"
83685 - depends on GRKERNSEC
83686 -- default GRKERNSEC_CUSTOM
83687 -+ default GRKERNSEC_HARDENED_WORKSTATION
83688 -
83689 - config GRKERNSEC_LOW
83690 - bool "Low"
83691 -@@ -191,6 +191,258 @@
83692 - - Restricted sysfs/debugfs
83693 - - Active kernel exploit response
83694 -
83695 -+config GRKERNSEC_HARDENED_SERVER
83696 -+ bool "Hardened Gentoo [server]"
83697 -+ select GRKERNSEC_LINK
83698 -+ select GRKERNSEC_FIFO
83699 -+ select GRKERNSEC_DMESG
83700 -+ select GRKERNSEC_FORKFAIL
83701 -+ select GRKERNSEC_TIME
83702 -+ select GRKERNSEC_SIGNAL
83703 -+ select GRKERNSEC_CHROOT
83704 -+ select GRKERNSEC_CHROOT_SHMAT
83705 -+ select GRKERNSEC_CHROOT_UNIX
83706 -+ select GRKERNSEC_CHROOT_MOUNT
83707 -+ select GRKERNSEC_CHROOT_FCHDIR
83708 -+ select GRKERNSEC_CHROOT_PIVOT
83709 -+ select GRKERNSEC_CHROOT_DOUBLE
83710 -+ select GRKERNSEC_CHROOT_CHDIR
83711 -+ select GRKERNSEC_CHROOT_MKNOD
83712 -+ select GRKERNSEC_CHROOT_CAPS
83713 -+ select GRKERNSEC_CHROOT_SYSCTL
83714 -+ select GRKERNSEC_CHROOT_FINDTASK
83715 -+ select GRKERNSEC_PROC
83716 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
83717 -+ select GRKERNSEC_HIDESYM
83718 -+ select GRKERNSEC_BRUTE
83719 -+ select GRKERNSEC_PROC_USERGROUP
83720 -+ select GRKERNSEC_KMEM
83721 -+ select GRKERNSEC_RESLOG
83722 -+ select GRKERNSEC_RANDNET
83723 -+ select GRKERNSEC_PROC_ADD
83724 -+ select GRKERNSEC_CHROOT_CHMOD
83725 -+ select GRKERNSEC_CHROOT_NICE
83726 -+ select GRKERNSEC_AUDIT_MOUNT
83727 -+ select GRKERNSEC_MODHARDEN if (MODULES)
83728 -+ select GRKERNSEC_HARDEN_PTRACE
83729 -+ select GRKERNSEC_VM86 if (X86_32)
83730 -+ select GRKERNSEC_IO if (X86)
83731 -+ select GRKERNSEC_PROC_IPADDR
83732 -+ select GRKERNSEC_RWXMAP_LOG
83733 -+ select GRKERNSEC_SYSCTL
83734 -+ select GRKERNSEC_SYSCTL_ON
83735 -+ select PAX
83736 -+ select PAX_RANDUSTACK
83737 -+ select PAX_ASLR
83738 -+ select PAX_RANDMMAP
83739 -+ select PAX_NOEXEC
83740 -+ select PAX_MPROTECT
83741 -+ select PAX_EI_PAX
83742 -+ select PAX_PT_PAX_FLAGS
83743 -+ select PAX_HAVE_ACL_FLAGS
83744 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
83745 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
83746 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
83747 -+ select PAX_SEGMEXEC if (X86_32)
83748 -+ select PAX_PAGEEXEC
83749 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
83750 -+ select PAX_EMUTRAMP if (PARISC)
83751 -+ select PAX_EMUSIGRT if (PARISC)
83752 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
83753 -+ select PAX_REFCOUNT if (X86 || SPARC64)
83754 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
83755 -+ select PAX_MEMORY_SANITIZE
83756 -+ help
83757 -+ If you say Y here, a configuration for grsecurity/PaX features
83758 -+ will be used that is endorsed by the Hardened Gentoo project.
83759 -+ These pre-defined security levels are designed to provide a high
83760 -+ level of security while minimizing incompatibilities with a majority
83761 -+ of Gentoo's available software.
83762 -+
83763 -+ This "Hardened Gentoo [server]" level is identical to the
83764 -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
83765 -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
83766 -+ security level if the system will not be utilizing software incompatible
83767 -+ with these features.
83768 -+
83769 -+ When this level is selected, some security features will be forced on,
83770 -+ while others will default to their suggested values of off or on. The
83771 -+ later can be tweaked at the user's discretion, but may cause problems
83772 -+ in some situations. You can fully customize all grsecurity/PaX features
83773 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
83774 -+ inherit the options selected by this security level as a starting point.
83775 -+ To accomplish this, select this security level, then exit the menuconfig
83776 -+ interface, saving changes when prompted. Run make menuconfig again and
83777 -+ select the "Custom" level.
83778 -+
83779 -+config GRKERNSEC_HARDENED_WORKSTATION
83780 -+ bool "Hardened Gentoo [workstation]"
83781 -+ select GRKERNSEC_LINK
83782 -+ select GRKERNSEC_FIFO
83783 -+ select GRKERNSEC_DMESG
83784 -+ select GRKERNSEC_FORKFAIL
83785 -+ select GRKERNSEC_TIME
83786 -+ select GRKERNSEC_SIGNAL
83787 -+ select GRKERNSEC_CHROOT
83788 -+ select GRKERNSEC_CHROOT_SHMAT
83789 -+ select GRKERNSEC_CHROOT_UNIX
83790 -+ select GRKERNSEC_CHROOT_MOUNT
83791 -+ select GRKERNSEC_CHROOT_FCHDIR
83792 -+ select GRKERNSEC_CHROOT_PIVOT
83793 -+ select GRKERNSEC_CHROOT_DOUBLE
83794 -+ select GRKERNSEC_CHROOT_CHDIR
83795 -+ select GRKERNSEC_CHROOT_MKNOD
83796 -+ select GRKERNSEC_CHROOT_CAPS
83797 -+ select GRKERNSEC_CHROOT_SYSCTL
83798 -+ select GRKERNSEC_CHROOT_FINDTASK
83799 -+ select GRKERNSEC_PROC
83800 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
83801 -+ select GRKERNSEC_HIDESYM
83802 -+ select GRKERNSEC_BRUTE
83803 -+ select GRKERNSEC_PROC_USERGROUP
83804 -+ select GRKERNSEC_KMEM
83805 -+ select GRKERNSEC_RESLOG
83806 -+ select GRKERNSEC_RANDNET
83807 -+ # select GRKERNSEC_PROC_ADD
83808 -+ select GRKERNSEC_CHROOT_CHMOD
83809 -+ select GRKERNSEC_CHROOT_NICE
83810 -+ select GRKERNSEC_AUDIT_MOUNT
83811 -+ select GRKERNSEC_MODHARDEN if (MODULES)
83812 -+ select GRKERNSEC_HARDEN_PTRACE
83813 -+ select GRKERNSEC_VM86 if (X86_32)
83814 -+ # select GRKERNSEC_IO if (X86)
83815 -+ select GRKERNSEC_PROC_IPADDR
83816 -+ select GRKERNSEC_RWXMAP_LOG
83817 -+ select GRKERNSEC_SYSCTL
83818 -+ select GRKERNSEC_SYSCTL_ON
83819 -+ select PAX
83820 -+ select PAX_RANDUSTACK
83821 -+ select PAX_ASLR
83822 -+ select PAX_RANDMMAP
83823 -+ select PAX_NOEXEC
83824 -+ select PAX_MPROTECT
83825 -+ select PAX_EI_PAX
83826 -+ select PAX_PT_PAX_FLAGS
83827 -+ select PAX_HAVE_ACL_FLAGS
83828 -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
83829 -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
83830 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
83831 -+ select PAX_SEGMEXEC if (X86_32)
83832 -+ select PAX_PAGEEXEC
83833 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
83834 -+ select PAX_EMUTRAMP if (PARISC)
83835 -+ select PAX_EMUSIGRT if (PARISC)
83836 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
83837 -+ select PAX_REFCOUNT if (X86 || SPARC64)
83838 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
83839 -+ select PAX_MEMORY_SANITIZE
83840 -+ help
83841 -+ If you say Y here, a configuration for grsecurity/PaX features
83842 -+ will be used that is endorsed by the Hardened Gentoo project.
83843 -+ These pre-defined security levels are designed to provide a high
83844 -+ level of security while minimizing incompatibilities with a majority
83845 -+ of Gentoo's available software.
83846 -+
83847 -+ This "Hardened Gentoo [workstation]" level is identical to the
83848 -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
83849 -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
83850 -+ security level if the system will be utilizing software incompatible
83851 -+ with these features.
83852 -+
83853 -+ When this level is selected, some security features will be forced on,
83854 -+ while others will default to their suggested values of off or on. The
83855 -+ later can be tweaked at the user's discretion, but may cause problems
83856 -+ in some situations. You can fully customize all grsecurity/PaX features
83857 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
83858 -+ inherit the options selected by this security level as a starting point.
83859 -+ To accomplish this, select this security level, then exit the menuconfig
83860 -+ interface, saving changes when prompted. Run make menuconfig again and
83861 -+ select the "Custom" level.
83862 -+
83863 -+config GRKERNSEC_HARDENED_VIRTUALIZATION
83864 -+ bool "Hardened Gentoo [virtualization]"
83865 -+ select GRKERNSEC_LINK
83866 -+ select GRKERNSEC_FIFO
83867 -+ select GRKERNSEC_DMESG
83868 -+ select GRKERNSEC_FORKFAIL
83869 -+ select GRKERNSEC_TIME
83870 -+ select GRKERNSEC_SIGNAL
83871 -+ select GRKERNSEC_CHROOT
83872 -+ select GRKERNSEC_CHROOT_SHMAT
83873 -+ select GRKERNSEC_CHROOT_UNIX
83874 -+ select GRKERNSEC_CHROOT_MOUNT
83875 -+ select GRKERNSEC_CHROOT_FCHDIR
83876 -+ select GRKERNSEC_CHROOT_PIVOT
83877 -+ select GRKERNSEC_CHROOT_DOUBLE
83878 -+ select GRKERNSEC_CHROOT_CHDIR
83879 -+ select GRKERNSEC_CHROOT_MKNOD
83880 -+ select GRKERNSEC_CHROOT_CAPS
83881 -+ select GRKERNSEC_CHROOT_SYSCTL
83882 -+ select GRKERNSEC_CHROOT_FINDTASK
83883 -+ select GRKERNSEC_PROC
83884 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
83885 -+ select GRKERNSEC_HIDESYM
83886 -+ select GRKERNSEC_BRUTE
83887 -+ select GRKERNSEC_PROC_USERGROUP
83888 -+ select GRKERNSEC_KMEM
83889 -+ select GRKERNSEC_RESLOG
83890 -+ select GRKERNSEC_RANDNET
83891 -+ # select GRKERNSEC_PROC_ADD
83892 -+ select GRKERNSEC_CHROOT_CHMOD
83893 -+ select GRKERNSEC_CHROOT_NICE
83894 -+ select GRKERNSEC_AUDIT_MOUNT
83895 -+ select GRKERNSEC_MODHARDEN if (MODULES)
83896 -+ select GRKERNSEC_HARDEN_PTRACE
83897 -+ select GRKERNSEC_VM86 if (X86_32)
83898 -+ # select GRKERNSEC_IO if (X86)
83899 -+ select GRKERNSEC_PROC_IPADDR
83900 -+ select GRKERNSEC_RWXMAP_LOG
83901 -+ select GRKERNSEC_SYSCTL
83902 -+ select GRKERNSEC_SYSCTL_ON
83903 -+ select PAX
83904 -+ select PAX_RANDUSTACK
83905 -+ select PAX_ASLR
83906 -+ select PAX_RANDMMAP
83907 -+ select PAX_NOEXEC
83908 -+ select PAX_MPROTECT
83909 -+ select PAX_EI_PAX
83910 -+ select PAX_PT_PAX_FLAGS
83911 -+ select PAX_HAVE_ACL_FLAGS
83912 -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
83913 -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
83914 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
83915 -+ select PAX_SEGMEXEC if (X86_32)
83916 -+ select PAX_PAGEEXEC
83917 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
83918 -+ select PAX_EMUTRAMP if (PARISC)
83919 -+ select PAX_EMUSIGRT if (PARISC)
83920 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
83921 -+ select PAX_REFCOUNT if (X86 || SPARC64)
83922 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
83923 -+ select PAX_MEMORY_SANITIZE
83924 -+ help
83925 -+ If you say Y here, a configuration for grsecurity/PaX features
83926 -+ will be used that is endorsed by the Hardened Gentoo project.
83927 -+ These pre-defined security levels are designed to provide a high
83928 -+ level of security while minimizing incompatibilities with a majority
83929 -+ of Gentoo's available software.
83930 -+
83931 -+ This "Hardened Gentoo [virtualization]" level is identical to the
83932 -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
83933 -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
83934 -+ security level if the system will be utilizing virtualization software
83935 -+ incompatible with these features, like VirtualBox or kvm.
83936 -+
83937 -+ When this level is selected, some security features will be forced on,
83938 -+ while others will default to their suggested values of off or on. The
83939 -+ later can be tweaked at the user's discretion, but may cause problems
83940 -+ in some situations. You can fully customize all grsecurity/PaX features
83941 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
83942 -+ inherit the options selected by this security level as a starting point.
83943 -+ To accomplish this, select this security level, then exit the menuconfig
83944 -+ interface, saving changes when prompted. Run make menuconfig again and
83945 -+ select the "Custom" level.
83946 -+
83947 - config GRKERNSEC_CUSTOM
83948 - bool "Custom"
83949 - help
83950 -diff -Naur a/security/Kconfig b/security/Kconfig
83951 ---- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400
83952 -+++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400
83953 -@@ -322,9 +322,10 @@
83954 -
83955 - config PAX_KERNEXEC
83956 - bool "Enforce non-executable kernel pages"
83957 -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
83958 -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
83959 - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
83960 - select PAX_KERNEXEC_PLUGIN if X86_64
83961 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
83962 - help
83963 - This is the kernel land equivalent of PAGEEXEC and MPROTECT,
83964 - that is, enabling this option will make it harder to inject
83965 -@@ -487,8 +488,9 @@
83966 -
83967 - config PAX_MEMORY_UDEREF
83968 - bool "Prevent invalid userland pointer dereference"
83969 -- depends on X86 && !UML_X86 && !XEN
83970 -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
83971 - select PAX_PER_CPU_PGD if X86_64
83972 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
83973 - help
83974 - By saying Y here the kernel will be prevented from dereferencing
83975 - userland pointers in contexts where the kernel expects only kernel
83976 -
83977
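Review bot: The help text for GRKERNSEC_HARDENED_VIRTUALIZATION says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but the security/Kconfig hunks at the end of this patch add `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to both `depends on` lines. Under that level the two options therefore have unmet dependencies and cannot be re-enabled from the menu at all. Either reword the help to say they are disabled, or drop the extra dependency and rely on the missing default. The server help drifts in the same way: it says the level differs from workstation only in GRKERNSEC_IO and GRKERNSEC_PROC_ADD, yet the server block hard-selects PAX_KERNEXEC and PAX_MEMORY_UDEREF while workstation only gets `default y if GRKERNSEC_HARDENED_WORKSTATION`, which a user can switch off. "The later can be tweaked" should read "latter" in all three help blocks.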
83978 diff --git a/3.0.7/4437-grsec-kconfig-proc-user.patch b/3.0.7/4437-grsec-kconfig-proc-user.patch
83979 deleted file mode 100644
83980 index c588683..0000000
83981 --- a/3.0.7/4437-grsec-kconfig-proc-user.patch
83982 +++ /dev/null
83983 @@ -1,26 +0,0 @@
83984 -From: Anthony G. Basile <blueness@g.o>
83985 -
83986 -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
83987 -in a different way to avoid bug #366019. This patch should eventually go upstream.
83988 -
83989 -diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
83990 ---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
83991 -+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
83992 -@@ -666,7 +666,7 @@
83993 -
83994 - config GRKERNSEC_PROC_USER
83995 - bool "Restrict /proc to user only"
83996 -- depends on GRKERNSEC_PROC
83997 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
83998 - help
83999 - If you say Y here, non-root users will only be able to view their own
84000 - processes, and restricts them from viewing network-related information,
84001 -@@ -674,7 +674,7 @@
84002 -
84003 - config GRKERNSEC_PROC_USERGROUP
84004 - bool "Allow special group"
84005 -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
84006 -+ depends on GRKERNSEC_PROC
84007 - help
84008 - If you say Y here, you will be able to select a group that will be
84009 - able to view all processes and network-related information. If you've
84010
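Review bot: The description does not say why the mutual exclusion is moved from GRKERNSEC_PROC_USERGROUP onto GRKERNSEC_PROC_USER; it only points at bug #366019. Kconfig `select` ignores the `depends on` of the symbol it selects, and the Hardened Gentoo levels in 4435_grsec-kconfig-gentoo.patch do `select GRKERNSEC_PROC_USERGROUP`. With the original `depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER` that select could leave both options set at once. If that is the failure being fixed, state it in the description so the direction of the dependency is not flipped back later. The `diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig` line also disagrees with the `a/` and `b/` paths on the two lines below it and should be regenerated consistently.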
84011 diff --git a/3.0.7/4440_selinux-avc_audit-log-curr_ip.patch b/3.0.7/4440_selinux-avc_audit-log-curr_ip.patch
84012 deleted file mode 100644
84013 index 0fd5d2d..0000000
84014 --- a/3.0.7/4440_selinux-avc_audit-log-curr_ip.patch
84015 +++ /dev/null
84016 @@ -1,73 +0,0 @@
84017 -From: Anthony G. Basile <blueness@g.o>
84018 -
84019 -Removed deprecated NIPQUAD macro in favor of %pI4.
84020 -See bug #346333.
84021 -
84022 ----
84023 -From: Gordon Malm <gengor@g.o>
84024 -
84025 -This is a reworked version of the original
84026 -*_selinux-avc_audit-log-curr_ip.patch carried in earlier releases of
84027 -hardened-sources.
84028 -
84029 -Dropping the patch, or simply fixing the #ifdef of the original patch
84030 -could break automated logging setups so this route was necessary.
84031 -
84032 -Suggestions for improving the help text are welcome.
84033 -
84034 -The original patch's description is still accurate and included below.
84035 -
84036 ----
84037 -Provides support for a new field ipaddr within the SELinux
84038 -AVC audit log, relying in task_struct->curr_ip (ipv4 only)
84039 -provided by grSecurity patch to be applied before.
84040 -
84041 -Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
84042 ----
84043 -
84044 -diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
84045 ---- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
84046 -+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
84047 -@@ -1265,6 +1265,27 @@
84048 - menu "Logging Options"
84049 - depends on GRKERNSEC
84050 -
84051 -+config GRKERNSEC_SELINUX_AVC_LOG_IPADDR
84052 -+ def_bool n
84053 -+ prompt "Add source IP address to SELinux AVC log messages"
84054 -+ depends on GRKERNSEC && SECURITY_SELINUX
84055 -+ help
84056 -+ If you say Y here, a new field "ipaddr=" will be added to many SELinux
84057 -+ AVC log messages. The value of this field in any given message
84058 -+ represents the source IP address of the remote machine/user that created
84059 -+ the offending process.
84060 -+
84061 -+ This information is sourced from task_struct->curr_ip provided by
84062 -+ grsecurity's GRKERNSEC top-level configuration option. One limitation
84063 -+ is that only IPv4 is supported.
84064 -+
84065 -+ In many instances SELinux AVC log messages already log a superior level
84066 -+ of information that also includes source port and destination ip/port.
84067 -+ Additionally, SELinux's AVC log code supports IPv6.
84068 -+
84069 -+ However, grsecurity's task_struct->curr_ip will sometimes (often?)
84070 -+ provide the offender's IP address where stock SELinux logging fails to.
84071 -+
84072 - config GRKERNSEC_FLOODTIME
84073 - int "Seconds in between log messages (minimum)"
84074 - default 10
84075 -diff -Naur linux-2.6.38-hardened-r1.orig/security/selinux/avc.c linux-2.6.38-hardened-r1/security/selinux/avc.c
84076 ---- linux-2.6.38-hardened-r1.orig/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400
84077 -+++ linux-2.6.38-hardened-r1/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400
84078 -@@ -139,6 +139,11 @@
84079 - char *scontext;
84080 - u32 scontext_len;
84081 -
84082 -+#ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR
84083 -+ if (current->signal->curr_ip)
84084 -+ audit_log_format(ab, "ipaddr=%pI4 ", &current->signal->curr_ip);
84085 -+#endif
84086 -+
84087 - rc = security_sid_to_context(ssid, &scontext, &scontext_len);
84088 - if (rc)
84089 - audit_log_format(ab, "ssid=%d", ssid);
84090
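Review bot: The Kconfig help and the original description both say the address comes from task_struct->curr_ip, but the avc.c hunk reads `current->signal->curr_ip`; the help text should name the field the code actually uses. Because of the `if (current->signal->curr_ip)` guard, the `ipaddr=` field is left out whenever the value is zero, and when present it is written ahead of the ssid/scontext output. The help should say the field is optional and where it appears, since the description itself notes that automated logging setups depend on this format. The `depends on GRKERNSEC && SECURITY_SELINUX` line repeats the GRKERNSEC dependency already imposed by the enclosing "Logging Options" menu, so `depends on SECURITY_SELINUX` is enough.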
84091 diff --git a/3.0.7/4445_disable-compat_vdso.patch b/3.0.7/4445_disable-compat_vdso.patch
84092 deleted file mode 100644
84093 index 3b76b6c..0000000
84094 --- a/3.0.7/4445_disable-compat_vdso.patch
84095 +++ /dev/null
84096 @@ -1,46 +0,0 @@
84097 -No need to wrap vdso calls as gentoo does not use any version of
84098 -glibc <=2.3.3
84099 ----
84100 -From: Gordon Malm <gengor@g.o>
84101 -From: Kerin Millar <kerframil@×××××.com>
84102 -From: Jory A. Pratt <anarchy@g.o>
84103 -
84104 -COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
84105 -conflicts with various parts of PaX, crashing the system if enabled
84106 -while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
84107 -a number of important PaX options from appearing in the configuration
84108 -menu, including all PaX NOEXEC implementations. Unfortunately, the
84109 -reason for the disappearance of these PaX configuration options is
84110 -often far from obvious to inexperienced users.
84111 -
84112 -Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
84113 -COMPAT_VDSO operation can still be enabled via bootparam and sysctl
84114 -interfaces. Consequently, we must also disable the ability to select
84115 -COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
84116 -that selecting COMPAT_VDSO operation at boot/runtime has no effect if
84117 -conflicting PaX options are enabled, leaving VDSO_ENABLED operation
84118 -intact.
84119 -
84120 -Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
84121 -
84122 -diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
84123 ---- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
84124 -+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
84125 -@@ -1638,17 +1638,8 @@
84126 -
84127 - config COMPAT_VDSO
84128 - def_bool n
84129 -- prompt "Compat VDSO support"
84130 - depends on X86_32 || IA32_EMULATION
84131 - depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
84132 -- ---help---
84133 -- Map the 32-bit VDSO to the predictable old-style address too.
84134 --
84135 -- Say N here if you are running a sufficiently recent glibc
84136 -- version (2.3.3 or later), to remove the high-mapped
84137 -- VDSO mapping and to exclusively use the randomized VDSO.
84138 --
84139 -- If unsure, say Y.
84140 -
84141 - config CMDLINE_BOOL
84142 - bool "Built-in kernel command line"
84143
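Review bot: The description promises more than the patch delivers. It says "we patch the kernel so that selecting COMPAT_VDSO operation at boot/runtime has no effect", yet the only hunk in this 46-line file is the arch/x86/Kconfig one that removes the prompt and help text. Nothing here touches the bootparam or sysctl handling. Either add the missing hunks or cut the description down to what the Kconfig change does, so nobody assumes the runtime switch is neutralised when it is not. The opening sentence also says "glibc <=2.3.3", while the removed help text says version "2.3.3 or later" is new enough to say N, so the bound should be "<2.3.3". With `def_bool n` and no prompt the symbol is fixed at n, which makes the two remaining `depends on` lines inert; a short comment explaining why they are kept would help.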
84144 diff --git a/3.0.7/4420_Z_7_add-xt-pax.patch b/3.0.7/4450_add-xt-pax.patch
84145 similarity index 100%
84146 rename from 3.0.7/4420_Z_7_add-xt-pax.patch
84147 rename to 3.0.7/4450_add-xt-pax.patch