
From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r91 - in hardened-sources/2.6/tags: . 2.6.23-8
Date: Wed, 30 Apr 2008 11:35:48
Message-Id: E1JrAZN-00019c-Fe@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:33:52 +0000 (Wed, 30 Apr 2008)
3 New Revision: 91
4
5 Added:
6 hardened-sources/2.6/tags/2.6.23-8/
7 hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch
8 hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch
9 hardened-sources/2.6/tags/2.6.23-8/4425_grsec-2.1.10-mute-warnings.patch
10 hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.10-pax_curr_ip-fixes.patch
11 hardened-sources/2.6/tags/2.6.23-8/4435_grsec-kconfig-gentoo.patch
12 hardened-sources/2.6/tags/2.6.23-8/4440_selinux-avc_audit-log-curr_ip.patch
13 hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-default-gids.patch
14 hardened-sources/2.6/tags/2.6.23-8/4450_disable-compat_vdso.patch
15 hardened-sources/2.6/tags/2.6.23-8/4455_pax-hook-build-error.patch
16 hardened-sources/2.6/tags/2.6.23-8/4460_acct_stack_growth-null-deref.patch
17 hardened-sources/2.6/tags/2.6.23-8/4465_pax-vma-mirroring-fixes.patch
18 hardened-sources/2.6/tags/2.6.23-8/4470_vesafb-pmi-kernexec-fix.patch
19 hardened-sources/2.6/tags/2.6.23-8/4475_deselect-kernexec-on-unsupported-arches.patch
20 hardened-sources/2.6/tags/2.6.23-8/4480_ia64-modular-kernel-compile-fix.patch
21 hardened-sources/2.6/tags/2.6.23-8/4485_grsec-ptrace-recursive-lock-fix.patch
22 hardened-sources/2.6/tags/2.6.23-8/4490_grsec-netlink-security-fixes.patch
23 hardened-sources/2.6/tags/2.6.23-8/4495_pax-hang-when-coredump-disabled-fix.patch
24 hardened-sources/2.6/tags/2.6.23-8/4500_grsec-user_transition-bypass-fix.patch
25 Removed:
26 hardened-sources/2.6/tags/2.6.23-8/4430_grsec-2.1.11-2.6.23.15-20080210.patch
27 hardened-sources/2.6/tags/2.6.23-8/4435_grsec-2.1.10-mute-warnings.patch
28 hardened-sources/2.6/tags/2.6.23-8/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
29 hardened-sources/2.6/tags/2.6.23-8/4445_grsec-kconfig-gentoo.patch
30 hardened-sources/2.6/tags/2.6.23-8/4450_selinux-avc_audit-log-curr_ip.patch
31 hardened-sources/2.6/tags/2.6.23-8/4455_grsec-kconfig-default-gids.patch
32 hardened-sources/2.6/tags/2.6.23-8/4460_disable-compat_vdso.patch
33 hardened-sources/2.6/tags/2.6.23-8/4465_pax-hook-build-error.patch
34 hardened-sources/2.6/tags/2.6.23-8/4470_acct_stack_growth-null-deref.patch
35 hardened-sources/2.6/tags/2.6.23-8/4475_pax-vma-mirroring-fixes.patch
36 hardened-sources/2.6/tags/2.6.23-8/4480_vesafb-pmi-kernexec-fix.patch
37 hardened-sources/2.6/tags/2.6.23-8/4485_deselect-kernexec-on-unsupported-arches.patch
38 hardened-sources/2.6/tags/2.6.23-8/4490_ia64-modular-kernel-compile-fix.patch
39 hardened-sources/2.6/tags/2.6.23-8/4495_grsec-ptrace-recursive-lock-fix.patch
40 hardened-sources/2.6/tags/2.6.23-8/4500_grsec-netlink-security-fixes.patch
41 hardened-sources/2.6/tags/2.6.23-8/4505_grsec-pax_emutramp-only-on-ppc32.patch
42 Log:
43 Tagging hardened-patches-2.6.23-8.
44
45 Copied: hardened-sources/2.6/tags/2.6.23-8 (from rev 86, hardened-sources/2.6/trunk/2.6.23)
46
47 Copied: hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch)
48 ===================================================================
49 --- hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch (rev 0)
50 +++ hardened-sources/2.6/tags/2.6.23-8/1701_x86-signal-setup_frame-clear-df.patch 2008-04-30 11:33:52 UTC (rev 91)
51 @@ -0,0 +1,78 @@
52 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
53 +
54 +x86: Clear DF before calling signal handler
55 +
56 +Linux 2.6-series kernels < 2.6.24.4 do not clear the direction flag
57 +before calling a signal handler, which is required by the x86/x86-64
58 +ABI.
59 +
60 +This bug has come to light as GCC 4.3 assumes that the direction flag
61 +is correctly cleared at the entry of a function.
62 +
63 +This patches changes the setup_frame() functions to clear the
64 +direction before entering the signal handler.
65 +
66 +This is a backport to kernel 2.6.23 of mainline kernel git commit:
67 +e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
68 +
69 +Originally From: Aurelien Jarno <aurelien@×××××××.net>
70 +Originally Signed-off-by: Aurelien Jarno <aurelien@×××××××.net>
71 +Originally Signed-off-by: Chris Wright <chrisw@××××××××.org>
72 +Originally Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
73 +
74 +For more information, view:
75 +https://bugs.gentoo.org/show_bug.cgi?id=213811
76 +http://lkml.org/lkml/2008/3/5/207
77 +http://lwn.net/Articles/272203/
78 +
79 +--- a/arch/i386/kernel/signal.c
80 ++++ b/arch/i386/kernel/signal.c
81 +@@ -399,7 +399,7 @@ static int setup_frame(int sig, struct k
82 + * The tracer may want to single-step inside the
83 + * handler too.
84 + */
85 +- regs->eflags &= ~TF_MASK;
86 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
87 + if (test_thread_flag(TIF_SINGLESTEP))
88 + ptrace_notify(SIGTRAP);
89 +
90 +@@ -494,7 +494,7 @@ static int setup_rt_frame(int sig, struc
91 + * The tracer may want to single-step inside the
92 + * handler too.
93 + */
94 +- regs->eflags &= ~TF_MASK;
95 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
96 + if (test_thread_flag(TIF_SINGLESTEP))
97 + ptrace_notify(SIGTRAP);
98 +
99 +--- a/arch/x86_64/ia32/ia32_signal.c
100 ++++ b/arch/x86_64/ia32/ia32_signal.c
101 +@@ -494,7 +494,7 @@ int ia32_setup_frame(int sig, struct k_s
102 + regs->ss = __USER32_DS;
103 +
104 + set_fs(USER_DS);
105 +- regs->eflags &= ~TF_MASK;
106 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
107 + if (test_thread_flag(TIF_SINGLESTEP))
108 + ptrace_notify(SIGTRAP);
109 +
110 +@@ -601,7 +601,7 @@ int ia32_setup_rt_frame(int sig, struct
111 + regs->ss = __USER32_DS;
112 +
113 + set_fs(USER_DS);
114 +- regs->eflags &= ~TF_MASK;
115 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
116 + if (test_thread_flag(TIF_SINGLESTEP))
117 + ptrace_notify(SIGTRAP);
118 +
119 +--- a/arch/x86_64/kernel/signal.c
120 ++++ b/arch/x86_64/kernel/signal.c
121 +@@ -297,7 +297,7 @@ static int setup_rt_frame(int sig, struc
122 + see include/asm-x86_64/uaccess.h for details. */
123 + set_fs(USER_DS);
124 +
125 +- regs->eflags &= ~TF_MASK;
126 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
127 + if (test_thread_flag(TIF_SINGLESTEP))
128 + ptrace_notify(SIGTRAP);
129 + #ifdef DEBUG_SIG
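Review bot: All four changed lines now clear DF together with TF, but none of them says why, so a reader of `regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);` only sees the existing comment about the tracer single-stepping. A one-line comment at each site, e.g. `/* the ABI requires DF clear on handler entry; gcc 4.3 relies on it */`, would carry the rationale from the patch header into the code, which is what survives once the patch is folded into the tree. The sigcontext is written outside these hunks, so whether sigreturn still restores the caller's DF cannot be confirmed from here and is worth checking in the backport. setup_rt_frame in arch/x86_64/kernel/signal.c continues past the end of the hunk.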
130
131 Copied: hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch (from rev 90, hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch)
132 ===================================================================
133 --- hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
134 +++ hardened-sources/2.6/tags/2.6.23-8/4420_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:33:52 UTC (rev 91)
135 @@ -0,0 +1,35665 @@
136 +From: Kerin Millar <kerframil@×××××.com>
137 +
138 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
139 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
140 +mmap.c changes.
141 +
142 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
143 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
144 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
145 +@@ -176,14 +176,18 @@ times.h*
146 + tkparse
147 + trix_boot.h
148 + utsrelease.h*
149 ++vdso.lds
150 + version.h*
151 + vmlinux
152 + vmlinux-*
153 + vmlinux.aout
154 ++vmlinux.bin.all
155 + vmlinux.lds
156 ++vmlinux.relocs
157 + vsyscall.lds
158 + wanxlfw.inc
159 + uImage
160 + unifdef
161 ++utsrelease.h
162 + zImage*
163 + zconf.hash.c
164 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
165 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
166 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
167 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
168 +
169 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
170 +
171 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
172 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
173 + -fno-strict-aliasing -fno-common \
174 + -Werror-implicit-function-declaration
175 + AFLAGS := -D__ASSEMBLY__
176 +@@ -560,7 +560,7 @@ export mod_strip_cmd
177 +
178 +
179 + ifeq ($(KBUILD_EXTMOD),)
180 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
181 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
182 +
183 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
184 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
185 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
186 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
187 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
188 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
189 +
190 + /* The small sections were sorted to the end of the segment.
191 + The following should definitely cover them. */
192 +- gp = (u64)me->module_core + me->core_size - 0x8000;
193 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
194 + got = sechdrs[me->arch.gotsecindex].sh_addr;
195 +
196 + for (i = 0; i < n; i++) {
197 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
198 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
199 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
200 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
201 + merely specific addresses, but regions of memory -- perhaps
202 + this feature should be incorporated into all ports? */
203 +
204 ++#ifdef CONFIG_PAX_RANDMMAP
205 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
206 ++#endif
207 ++
208 + if (addr) {
209 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
210 + if (addr != (unsigned long) -ENOMEM)
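Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` `if` inserted above `if (addr) {` has no body of its own; it works only because the next statement happens to be that `if (addr)`, so any line added between them silently changes what the RANDMMAP test guards. Folding it into the condition removes the trap: `if (addr` followed by the `#ifdef`-guarded `&& (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` and then `) {`. At minimum a comment stating that under RANDMMAP the caller's hint is honoured only for file-backed mappings would make the intent readable. arch_get_unmapped_area starts before and continues after this hunk.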
211 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
212 + }
213 +
214 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
215 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
216 +- len, limit);
217 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
218 ++
219 + if (addr != (unsigned long) -ENOMEM)
220 + return addr;
221 +
222 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
223 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
224 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
225 +@@ -15,6 +15,7 @@
226 + #include <linux/slab.h>
227 + #include <linux/security.h>
228 + #include <linux/signal.h>
229 ++#include <linux/grsecurity.h>
230 +
231 + #include <asm/uaccess.h>
232 + #include <asm/pgtable.h>
233 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
234 + goto out_notsk;
235 + }
236 +
237 ++ if (gr_handle_ptrace(child, request)) {
238 ++ ret = -EPERM;
239 ++ goto out;
240 ++ }
241 ++
242 + if (request == PTRACE_ATTACH) {
243 + ret = ptrace_attach(child);
244 + goto out;
245 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
246 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
247 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
248 +@@ -23,6 +23,7 @@
249 + #include <linux/smp.h>
250 + #include <linux/interrupt.h>
251 + #include <linux/module.h>
252 ++#include <linux/binfmts.h>
253 +
254 + #include <asm/system.h>
255 + #include <asm/uaccess.h>
256 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
257 + __reload_thread(pcb);
258 + }
259 +
260 ++#ifdef CONFIG_PAX_PAGEEXEC
261 ++/*
262 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
263 ++ *
264 ++ * returns 1 when task should be killed
265 ++ * 2 when patched PLT trampoline was detected
266 ++ * 3 when unpatched PLT trampoline was detected
267 ++ */
268 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
269 ++{
270 ++
271 ++#ifdef CONFIG_PAX_EMUPLT
272 ++ int err;
273 ++
274 ++ do { /* PaX: patched PLT emulation #1 */
275 ++ unsigned int ldah, ldq, jmp;
276 ++
277 ++ err = get_user(ldah, (unsigned int *)regs->pc);
278 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
279 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
280 ++
281 ++ if (err)
282 ++ break;
283 ++
284 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
285 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
286 ++ jmp == 0x6BFB0000U)
287 ++ {
288 ++ unsigned long r27, addr;
289 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
290 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
291 ++
292 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
293 ++ err = get_user(r27, (unsigned long *)addr);
294 ++ if (err)
295 ++ break;
296 ++
297 ++ regs->r27 = r27;
298 ++ regs->pc = r27;
299 ++ return 2;
300 ++ }
301 ++ } while (0);
302 ++
303 ++ do { /* PaX: patched PLT emulation #2 */
304 ++ unsigned int ldah, lda, br;
305 ++
306 ++ err = get_user(ldah, (unsigned int *)regs->pc);
307 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
308 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
309 ++
310 ++ if (err)
311 ++ break;
312 ++
313 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
314 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
315 ++ (br & 0xFFE00000U) == 0xC3E00000U)
316 ++ {
317 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
318 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
319 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
320 ++
321 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
322 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
323 ++ return 2;
324 ++ }
325 ++ } while (0);
326 ++
327 ++ do { /* PaX: unpatched PLT emulation */
328 ++ unsigned int br;
329 ++
330 ++ err = get_user(br, (unsigned int *)regs->pc);
331 ++
332 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
333 ++ unsigned int br2, ldq, nop, jmp;
334 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
335 ++
336 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
337 ++ err = get_user(br2, (unsigned int *)addr);
338 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
339 ++ err |= get_user(nop, (unsigned int *)(addr+8));
340 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
341 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
342 ++
343 ++ if (err)
344 ++ break;
345 ++
346 ++ if (br2 == 0xC3600000U &&
347 ++ ldq == 0xA77B000CU &&
348 ++ nop == 0x47FF041FU &&
349 ++ jmp == 0x6B7B0000U)
350 ++ {
351 ++ regs->r28 = regs->pc+4;
352 ++ regs->r27 = addr+16;
353 ++ regs->pc = resolver;
354 ++ return 3;
355 ++ }
356 ++ }
357 ++ } while (0);
358 ++#endif
359 ++
360 ++ return 1;
361 ++}
362 ++
363 ++void pax_report_insns(void *pc, void *sp)
364 ++{
365 ++ unsigned long i;
366 ++
367 ++ printk(KERN_ERR "PAX: bytes at PC: ");
368 ++ for (i = 0; i < 5; i++) {
369 ++ unsigned int c;
370 ++ if (get_user(c, (unsigned int *)pc+i))
371 ++ printk("???????? ");
372 ++ else
373 ++ printk("%08x ", c);
374 ++ }
375 ++ printk("\n");
376 ++}
377 ++#endif
378 +
379 + /*
380 + * This routine handles page faults. It determines the address,
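Review bot: In patched PLT emulation #2 the second word is tested with `(lda & 0xFFFF0000U) == 0xA77B0000U`, which is the same `ldq $27,disp($27)` encoding that emulation #1 checks, yet the variable is named `lda` and the emulation adds the displacement to `regs->r27` the way `lda` would rather than loading through it. If I decode the Alpha opcodes correctly (`lda` is opcode 0x08, `ldq` is 0x29), `lda $27,disp($27)` encodes as `0x237B0000`, so the test should read `(lda & 0xFFFF0000U) == 0x237B0000U`; as written a ldah/lda/br entry never matches and the task is killed, while a ldah/ldq/br sequence that did match would be emulated with the wrong semantics. Worth confirming against the dynamic linker's PLT fixup code before changing the constant. The three patterns would also read far better with the decoded instructions named beside each mask, e.g. `/* ldah $27,hi($27); ldq $27,lo($27); jmp $31,($27) */`.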
381 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
382 + good_area:
383 + si_code = SEGV_ACCERR;
384 + if (cause < 0) {
385 +- if (!(vma->vm_flags & VM_EXEC))
386 ++ if (!(vma->vm_flags & VM_EXEC)) {
387 ++
388 ++#ifdef CONFIG_PAX_PAGEEXEC
389 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
390 ++ goto bad_area;
391 ++
392 ++ up_read(&mm->mmap_sem);
393 ++ switch (pax_handle_fetch_fault(regs)) {
394 ++
395 ++#ifdef CONFIG_PAX_EMUPLT
396 ++ case 2:
397 ++ case 3:
398 ++ return;
399 ++#endif
400 ++
401 ++ }
402 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
403 ++ do_exit(SIGKILL);
404 ++#else
405 + goto bad_area;
406 ++#endif
407 ++
408 ++ }
409 + } else if (!cause) {
410 + /* Allow reads even for write-only mappings */
411 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
412 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
413 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
414 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
415 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
416 + if (len > TASK_SIZE)
417 + return -ENOMEM;
418 +
419 ++#ifdef CONFIG_PAX_RANDMMAP
420 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
421 ++#endif
422 ++
423 + if (addr) {
424 + if (do_align)
425 + addr = COLOUR_ALIGN(addr, pgoff);
426 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
427 + return addr;
428 + }
429 + if (len > mm->cached_hole_size) {
430 +- start_addr = addr = mm->free_area_cache;
431 ++ start_addr = addr = mm->free_area_cache;
432 + } else {
433 +- start_addr = addr = TASK_UNMAPPED_BASE;
434 +- mm->cached_hole_size = 0;
435 ++ start_addr = addr = mm->mmap_base;
436 ++ mm->cached_hole_size = 0;
437 + }
438 +
439 + full_search:
440 +@@ -91,8 +95,8 @@ full_search:
441 + * Start a new search - just in case we missed
442 + * some holes.
443 + */
444 +- if (start_addr != TASK_UNMAPPED_BASE) {
445 +- start_addr = addr = TASK_UNMAPPED_BASE;
446 ++ if (start_addr != mm->mmap_base) {
447 ++ start_addr = addr = mm->mmap_base;
448 + mm->cached_hole_size = 0;
449 + goto full_search;
450 + }
451 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
452 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
453 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
454 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
455 +
456 + int exception_trace = 1;
457 +
458 ++#ifdef CONFIG_PAX_PAGEEXEC
459 ++void pax_report_insns(void *pc, void *sp)
460 ++{
461 ++ unsigned long i;
462 ++
463 ++ printk(KERN_ERR "PAX: bytes at PC: ");
464 ++ for (i = 0; i < 20; i++) {
465 ++ unsigned char c;
466 ++ if (get_user(c, (unsigned char *)pc+i))
467 ++ printk("???????? ");
468 ++ else
469 ++ printk("%02x ", c);
470 ++ }
471 ++ printk("\n");
472 ++}
473 ++#endif
474 ++
475 + /*
476 + * This routine handles page faults. It determines the address and the
477 + * problem, and then passes it off to one of the appropriate routines.
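Review bot: In pax_report_insns the unreadable-byte placeholder is `"???????? "` (eight characters) while a successful read prints `"%02x "` (two), so a partially unreadable dump no longer lines up; the alpha variant in this same patch uses eight characters for both because it prints `%08x`. `printk("?? ");` keeps the columns consistent. Cosmetic, but this dump is what ends up in logs pasted into bug reports.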
478 +@@ -157,6 +174,16 @@ bad_area:
479 + up_read(&mm->mmap_sem);
480 +
481 + if (user_mode(regs)) {
482 ++
483 ++#ifdef CONFIG_PAX_PAGEEXEC
484 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
485 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
486 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
487 ++ do_exit(SIGKILL);
488 ++ }
489 ++ }
490 ++#endif
491 ++
492 + if (exception_trace && printk_ratelimit())
493 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
494 + "sp %08lx ecr %lu\n",
495 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
496 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
497 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
498 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
499 + hex
500 + default 0xB0000000 if VMSPLIT_3G_OPT
501 + default 0x80000000 if VMSPLIT_2G
502 +- default 0x78000000 if VMSPLIT_2G_OPT
503 ++ default 0x70000000 if VMSPLIT_2G_OPT
504 + default 0x40000000 if VMSPLIT_1G
505 + default 0xC0000000
506 +
507 +@@ -831,7 +831,7 @@ config CRASH_DUMP
508 + config PHYSICAL_START
509 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
510 + default "0x1000000" if X86_NUMAQ
511 +- default "0x100000"
512 ++ default "0x200000"
513 + help
514 + This gives the physical address where the kernel is loaded.
515 +
516 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
517 +
518 + config COMPAT_VDSO
519 + bool "Compat VDSO support"
520 +- default y
521 ++ default n
522 + help
523 + Map the VDSO to the predictable old-style address too.
524 + ---help---
525 +@@ -1092,7 +1092,7 @@ config PCI
526 + choice
527 + prompt "PCI access mode"
528 + depends on PCI && !X86_VISWS
529 +- default PCI_GOANY
530 ++ default PCI_GODIRECT
531 + ---help---
532 + On PCI systems, the BIOS can be used to detect the PCI devices and
533 + determine their configuration. However, some old PCI motherboards
534 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
535 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
536 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
537 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
538 +
539 + config X86_F00F_BUG
540 + bool
541 +- depends on M586MMX || M586TSC || M586 || M486 || M386
542 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
543 + default y
544 +
545 + config X86_WP_WORKS_OK
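Review bot: Adding `&& !PAX_KERNEXEC` silently turns off the F00F workaround on 386–586 builds that enable KERNEXEC, and nothing in the Kconfig says whether that is because KERNEXEC already covers the bug or because the workaround cannot coexist with it. If, as I would guess, KERNEXEC maps the IDT read-only — which is all the F00F workaround does — a comment above the dependency would stop a future reader from treating this as a dropped mitigation: `# PAX_KERNEXEC already maps the IDT read-only, which is what the F00F workaround does`. Either way the reason belongs next to the line.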
546 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
547 +
548 + config X86_ALIGNMENT_16
549 + bool
550 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
551 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
552 + default y
553 +
554 + config X86_GOOD_APIC
555 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
556 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
557 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
558 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
559 + This results in a large slowdown, but helps to find certain types
560 + of memory corruptions.
561 +
562 +-config DEBUG_RODATA
563 +- bool "Write protect kernel read-only data structures"
564 +- depends on DEBUG_KERNEL
565 +- help
566 +- Mark the kernel read-only data as write-protected in the pagetables,
567 +- in order to catch accidental (and incorrect) writes to such const
568 +- data. This option may have a slight performance impact because a
569 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
570 +- If in doubt, say "N".
571 +-
572 + config 4KSTACKS
573 + bool "Use 4Kb for kernel stacks instead of 8Kb"
574 + depends on DEBUG_KERNEL
575 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
576 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
577 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
578 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
579 + u8 v;
580 + const u32 *p = (const u32 *)addr;
581 +
582 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
583 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
584 + return v;
585 + }
586 +
587 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
588 +
589 + static inline void set_bit(int nr, void *addr)
590 + {
591 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
592 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
593 + }
594 +
595 + #endif /* BOOT_BITOPS_H */
596 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
597 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
598 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
599 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
600 + static inline u16 ds(void)
601 + {
602 + u16 seg;
603 +- asm("movw %%ds,%0" : "=rm" (seg));
604 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
605 + return seg;
606 + }
607 +
608 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
609 + static inline int memcmp(const void *s1, const void *s2, size_t len)
610 + {
611 + u8 diff;
612 +- asm("repe; cmpsb; setnz %0"
613 ++ asm volatile("repe; cmpsb; setnz %0"
614 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
615 + return diff;
616 + }
617 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
618 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
619 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
620 +@@ -159,9 +159,8 @@ relocated:
621 + */
622 +
623 + 1: subl $4, %edi
624 +- movl 0(%edi), %ecx
625 +- testl %ecx, %ecx
626 +- jz 2f
627 ++ movl (%edi), %ecx
628 ++ jecxz 2f
629 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
630 + jmp 1b
631 + 2:
632 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
633 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
634 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
635 +@@ -10,9 +10,13 @@
636 + #define USE_BSD
637 + #include <endian.h>
638 +
639 ++#include "../../../../include/linux/autoconf.h"
640 ++
641 ++#define MAX_PHDRS 100
642 + #define MAX_SHDRS 100
643 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
644 + static Elf32_Ehdr ehdr;
645 ++static Elf32_Phdr phdr[MAX_PHDRS];
646 + static Elf32_Shdr shdr[MAX_SHDRS];
647 + static Elf32_Sym *symtab[MAX_SHDRS];
648 + static Elf32_Rel *reltab[MAX_SHDRS];
649 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
650 + }
651 + }
652 +
653 ++static void read_phdrs(FILE *fp)
654 ++{
655 ++ int i;
656 ++ if (ehdr.e_phnum > MAX_PHDRS) {
657 ++ die("%d program headers supported: %d\n",
658 ++ ehdr.e_phnum, MAX_PHDRS);
659 ++ }
660 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
661 ++ die("Seek to %d failed: %s\n",
662 ++ ehdr.e_phoff, strerror(errno));
663 ++ }
664 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
665 ++ die("Cannot read ELF program headers: %s\n",
666 ++ strerror(errno));
667 ++ }
668 ++ for(i = 0; i < ehdr.e_phnum; i++) {
669 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
670 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
671 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
672 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
673 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
674 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
675 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
676 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
677 ++ }
678 ++
679 ++}
680 ++
681 + static void read_shdrs(FILE *fp)
682 + {
683 + int i;
684 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
685 + static void read_relocs(FILE *fp)
686 + {
687 + int i,j;
688 ++ uint32_t base;
689 ++
690 + for(i = 0; i < ehdr.e_shnum; i++) {
691 + if (shdr[i].sh_type != SHT_REL) {
692 + continue;
693 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
694 + die("Cannot read symbol table: %s\n",
695 + strerror(errno));
696 + }
697 ++ base = 0;
698 ++ for (j = 0; j < ehdr.e_phnum; j++) {
699 ++ if (phdr[j].p_type != PT_LOAD )
700 ++ continue;
701 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
702 ++ continue;
703 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
704 ++ break;
705 ++ }
706 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
707 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
708 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
709 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
710 + }
711 + }
712 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
713 + if (sym->st_shndx == SHN_ABS) {
714 + continue;
715 + }
716 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
717 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
718 ++ continue;
719 ++ }
720 ++#ifdef CONFIG_PAX_KERNEXEC
721 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
722 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
723 ++ continue;
724 ++ }
725 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
726 ++ continue;
727 ++ }
728 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
729 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
730 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
731 ++ continue;
732 ++ }
733 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
734 ++ continue;
735 ++ }
736 ++#endif
737 + if (r_type == R_386_PC32) {
738 + /* PC relative relocations don't need to be adjusted */
739 + }
740 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
741 + fname, strerror(errno));
742 + }
743 + read_ehdr(fp);
744 ++ read_phdrs(fp);
745 + read_shdrs(fp);
746 + read_strtabs(fp);
747 + read_symtabs(fp);
748 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
749 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
750 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
751 +@@ -90,7 +90,7 @@ static int has_fpu(void)
752 + u16 fcw = -1, fsw = -1;
753 + u32 cr0;
754 +
755 +- asm("movl %%cr0,%0" : "=r" (cr0));
756 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
757 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
758 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
759 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
760 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
761 + {
762 + u32 f0, f1;
763 +
764 +- asm("pushfl ; "
765 ++ asm volatile("pushfl ; "
766 + "pushfl ; "
767 + "popl %0 ; "
768 + "movl %0,%1 ; "
769 +@@ -131,7 +131,7 @@ static void get_flags(void)
770 + set_bit(X86_FEATURE_FPU, cpu.flags);
771 +
772 + if (has_eflag(X86_EFLAGS_ID)) {
773 +- asm("cpuid"
774 ++ asm volatile("cpuid"
775 + : "=a" (max_intel_level),
776 + "=b" (cpu_vendor[0]),
777 + "=d" (cpu_vendor[1]),
778 +@@ -140,7 +140,7 @@ static void get_flags(void)
779 +
780 + if (max_intel_level >= 0x00000001 &&
781 + max_intel_level <= 0x0000ffff) {
782 +- asm("cpuid"
783 ++ asm volatile("cpuid"
784 + : "=a" (tfms),
785 + "=c" (cpu.flags[4]),
786 + "=d" (cpu.flags[0])
787 +@@ -152,7 +152,7 @@ static void get_flags(void)
788 + cpu.model += ((tfms >> 16) & 0xf) << 4;
789 + }
790 +
791 +- asm("cpuid"
792 ++ asm volatile("cpuid"
793 + : "=a" (max_amd_level)
794 + : "a" (0x80000000)
795 + : "ebx", "ecx", "edx");
796 +@@ -160,7 +160,7 @@ static void get_flags(void)
797 + if (max_amd_level >= 0x80000001 &&
798 + max_amd_level <= 0x8000ffff) {
799 + u32 eax = 0x80000001;
800 +- asm("cpuid"
801 ++ asm volatile("cpuid"
802 + : "+a" (eax),
803 + "=c" (cpu.flags[6]),
804 + "=d" (cpu.flags[1])
805 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
806 + u32 ecx = MSR_K7_HWCR;
807 + u32 eax, edx;
808 +
809 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
810 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
811 + eax &= ~(1 << 15);
812 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
813 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
814 +
815 + get_flags(); /* Make sure it really did something */
816 + err = check_flags();
817 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
818 + u32 ecx = MSR_VIA_FCR;
819 + u32 eax, edx;
820 +
821 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
822 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
823 + eax |= (1<<1)|(1<<7);
824 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
825 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
826 +
827 + set_bit(X86_FEATURE_CX8, cpu.flags);
828 + err = check_flags();
829 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
830 + u32 eax, edx;
831 + u32 level = 1;
832 +
833 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
834 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
835 +- asm("cpuid"
836 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
837 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
838 ++ asm volatile("cpuid"
839 + : "+a" (level), "=d" (cpu.flags[0])
840 + : : "ecx", "ebx");
841 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
842 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
843 +
844 + err = check_flags();
845 + }
846 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
847 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
848 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
849 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
850 + ax = 0x4100;
851 + bx = EDDMAGIC1;
852 + dx = devno;
853 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
854 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
855 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
856 + : : "esi", "edi");
857 +
858 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
859 + ei->params.length = sizeof(ei->params);
860 + ax = 0x4800;
861 + dx = devno;
862 +- asm("pushfl; int $0x13; popfl"
863 ++ asm volatile("pushfl; int $0x13; popfl"
864 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
865 + : "S" (&ei->params)
866 + : "ebx", "ecx", "edi");
867 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
868 + ax = 0x0800;
869 + dx = devno;
870 + di = 0;
871 +- asm("pushw %%es; "
872 ++ asm volatile("pushw %%es; "
873 + "movw %%di,%%es; "
874 + "pushfl; stc; int $0x13; setc %%al; popfl; "
875 + "popw %%es"
876 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
877 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
878 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
879 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
880 + */
881 + static void query_ist(void)
882 + {
883 +- asm("int $0x15"
884 ++ asm volatile("int $0x15"
885 + : "=a" (boot_params.ist_info.signature),
886 + "=b" (boot_params.ist_info.command),
887 + "=c" (boot_params.ist_info.event),
888 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
889 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
890 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
891 +@@ -21,7 +21,7 @@ int query_mca(void)
892 + u8 err;
893 + u16 es, bx, len;
894 +
895 +- asm("pushw %%es ; "
896 ++ asm volatile("pushw %%es ; "
897 + "int $0x15 ; "
898 + "setc %0 ; "
899 + "movw %%es, %1 ; "
900 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
901 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
902 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
903 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
904 + /* Important: %edx is clobbered by some BIOSes,
905 + so it must be either used for the error output
906 + or explicitly marked clobbered. */
907 +- asm("int $0x15; setc %0"
908 ++ asm volatile("int $0x15; setc %0"
909 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
910 + "=m" (*desc)
911 + : "D" (desc), "d" (SMAP), "a" (0xe820));
912 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
913 +
914 + bx = cx = dx = 0;
915 + ax = 0xe801;
916 +- asm("stc; int $0x15; setc %0"
917 ++ asm volatile("stc; int $0x15; setc %0"
918 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
919 +
920 + if (err)
921 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
922 + u8 err;
923 +
924 + ax = 0x8800;
925 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
926 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
927 +
928 + boot_params.screen_info.ext_mem_k = ax;
929 +
930 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
931 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
932 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
933 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
934 +
935 + ax = 0x4f00;
936 + di = (size_t)&vginfo;
937 +- asm(INT10
938 ++ asm volatile(INT10
939 + : "+a" (ax), "+D" (di), "=m" (vginfo)
940 + : : "ebx", "ecx", "edx", "esi");
941 +
942 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
943 + ax = 0x4f01;
944 + cx = mode;
945 + di = (size_t)&vminfo;
946 +- asm(INT10
947 ++ asm volatile(INT10
948 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
949 + : : "ebx", "edx", "esi");
950 +
951 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
952 + ax = 0x4f01;
953 + cx = vesa_mode;
954 + di = (size_t)&vminfo;
955 +- asm(INT10
956 ++ asm volatile(INT10
957 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
958 + : : "ebx", "edx", "esi");
959 +
960 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
961 + /* Save the VESA protected mode info */
962 + static void vesa_store_pm_info(void)
963 + {
964 +- u16 ax, bx, di, es;
965 ++ u16 ax, bx, cx, di, es;
966 +
967 + ax = 0x4f0a;
968 +- bx = di = 0;
969 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
970 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
971 +- : : "ecx", "esi");
972 ++ bx = cx = di = 0;
973 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
974 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
975 ++ : : "esi");
976 +
977 + if (ax != 0x004f)
978 + return;
979 +
980 + boot_params.screen_info.vesapm_seg = es;
981 + boot_params.screen_info.vesapm_off = di;
982 ++ boot_params.screen_info.vesapm_size = cx;
983 + }
984 +
985 + /*
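Review bot: The new `boot_params.screen_info.vesapm_size = cx;` stores the BIOS-returned CX verbatim and nothing in vesa_store_pm_info() sanity-checks it, so whatever later maps or copies the PMI code block by this size (outside this hunk) must treat 0 and implausibly large values as "no PMI". The rewritten asm correctly moves CX from the clobber list to a `"+c" (cx)` operand, which is required once its value is consumed. The `vesapm_size` field is not added in this hunk, so its declaration in screen_info has to come from elsewhere in the patch. A short comment on the store would help the consumer side: `/* CX = size of the PM interface block; untrusted BIOS value, users must bounds-check it */`.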
986 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
987 + /* Note: The VBE DDC spec is different from the main VESA spec;
988 + we genuinely have to assume all registers are destroyed here. */
989 +
990 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
991 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
992 + : "+a" (ax), "+b" (bx)
993 + : "c" (cx), "D" (di)
994 + : "esi");
995 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
996 + cx = 0; /* Controller 0 */
997 + dx = 0; /* EDID block number */
998 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
999 +- asm(INT10
1000 ++ asm volatile(INT10
1001 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
1002 + : "c" (cx), "D" (di)
1003 + : "esi");
1004 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1005 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1006 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1007 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1008 + };
1009 + u8 vga_flag;
1010 +
1011 +- asm(INT10
1012 ++ asm volatile(INT10
1013 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1014 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1015 + : "ecx", "edx", "esi", "edi");
1016 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1017 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1018 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1019 + /* EGA/VGA */
1020 +- asm(INT10
1021 ++ asm volatile(INT10
1022 + : "=a" (vga_flag)
1023 + : "a" (0x1a00)
1024 + : "ebx", "ecx", "edx", "esi", "edi");
1025 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1026 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1027 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1028 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1029 +
1030 + ax = 0x0300;
1031 + bx = 0;
1032 +- asm(INT10
1033 ++ asm volatile(INT10
1034 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1035 + : : "ecx", "esi", "edi");
1036 +
1037 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1038 + /* N.B.: the saving of the video page here is a bit silly,
1039 + since we pretty much assume page 0 everywhere. */
1040 + ax = 0x0f00;
1041 +- asm(INT10
1042 ++ asm volatile(INT10
1043 + : "+a" (ax), "=b" (page)
1044 + : : "ecx", "edx", "esi", "edi");
1045 +
1046 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1047 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1048 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1049 +@@ -27,7 +27,7 @@ int query_voyager(void)
1050 +
1051 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1052 +
1053 +- asm("pushw %%es ; "
1054 ++ asm volatile("pushw %%es ; "
1055 + "int $0x15 ; "
1056 + "setc %0 ; "
1057 + "movw %%es, %1 ; "
1058 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1059 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1060 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1061 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1062 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1063 + },
1064 + },
1065 +- {}
1066 ++ { NULL, NULL, {{0, NULL}}, NULL}
1067 + };
1068 +
1069 + #endif /* __i386__ */
1070 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1071 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1072 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1073 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1074 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1075 + },
1076 + },
1077 +- {}
1078 ++ { NULL, NULL, {{0, NULL}}, NULL}
1079 + };
1080 +
1081 + static int __init acpisleep_dmi_init(void)
1082 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1083 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1084 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1085 +@@ -2,6 +2,7 @@
1086 + #include <linux/linkage.h>
1087 + #include <asm/segment.h>
1088 + #include <asm/page.h>
1089 ++#include <asm/msr-index.h>
1090 +
1091 + #
1092 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1093 +@@ -84,7 +85,7 @@ wakeup_code:
1094 + # restore efer setting
1095 + movl real_save_efer_edx - wakeup_code, %edx
1096 + movl real_save_efer_eax - wakeup_code, %eax
1097 +- mov $0xc0000080, %ecx
1098 ++ mov $MSR_EFER, %ecx
1099 + wrmsr
1100 + 4:
1101 + # make sure %cr4 is set correctly (features, etc)
1102 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1103 + # and restore the stack ... but you need gdt for this to work
1104 + movl saved_context_esp, %esp
1105 +
1106 +- movl %cs:saved_magic, %eax
1107 +- cmpl $0x12345678, %eax
1108 ++ cmpl $0x12345678, saved_magic
1109 + jne bogus_magic
1110 +
1111 + # jump to place where we left off
1112 +- movl saved_eip,%eax
1113 +- jmp *%eax
1114 ++ jmp *(saved_eip)
1115 +
1116 + bogus_magic:
1117 + movw $0x0e00 + 'B', 0xb8018
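Review bot: The `%cs:` override on the saved_magic load is dropped without a comment saying why the plain `cmpl $0x12345678, saved_magic` is now correct, so a reader may take it for a register-saving cleanup only. The stack restore on the line above already addresses saved_context_esp through %ds, so %ds is evidently valid here; presumably the override also breaks once the kernel code segment has a non-zero base (this patch offsets text by __KERNEL_TEXT_OFFSET elsewhere), but that is inferred. I would add above the compare: `# %ds is valid here (GDT loaded above); do not use %cs:, the code segment base is not 0 under KERNEXEC`. The `jmp *(saved_eip)` form also leaves %eax untouched, which is worth stating since the branch target is a memory word trusted only on the strength of the magic check.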
1118 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
1119 + # save efer setting
1120 + pushl %eax
1121 + movl %eax, %ebx
1122 +- mov $0xc0000080, %ecx
1123 ++ mov $MSR_EFER, %ecx
1124 + rdmsr
1125 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
1126 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
1127 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
1128 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
1129 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
1130 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
1131 + */
1132 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
1133 + {
1134 ++
1135 ++#ifdef CONFIG_PAX_KERNEXEC
1136 ++ unsigned long cr0;
1137 ++
1138 ++ pax_open_kernel(cr0);
1139 ++#endif
1140 ++
1141 ++ addr += __KERNEL_TEXT_OFFSET;
1142 + memcpy(addr, opcode, len);
1143 ++
1144 ++#ifdef CONFIG_PAX_KERNEXEC
1145 ++ pax_close_kernel(cr0);
1146 ++#endif
1147 ++
1148 + sync_core();
1149 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
1150 + that causes hangs on some VIA CPUs. */
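Review bot: `addr += __KERNEL_TEXT_OFFSET;` is applied unconditionally, outside the `#ifdef CONFIG_PAX_KERNEXEC` guards, so non-KERNEXEC builds rely on that macro expanding to 0 — that is not visible here and deserves a comment, e.g. `/* callers pass a code (CS-relative) address; translate to the data-segment view before writing (offset is 0 without KERNEXEC) */`. Unlike apm_bios_call() in this same patch, text_poke() has no get_cpu()/preempt_disable() around the pax_open_kernel()/pax_close_kernel() pair; if those macros do not disable preemption themselves, a migration inside the window would restore the saved cr0 on a different CPU and leave WP cleared on the original one. Please confirm the macro's contract or add an explicit preempt_disable() here. The memcpy length `len` is still not validated against the target, but that is pre-existing.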
1151 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
1152 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
1153 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
1154 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
1155 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
1156 + static struct apm_user * user_list;
1157 + static DEFINE_SPINLOCK(user_list_lock);
1158 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
1159 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
1160 +
1161 + static const char driver_version[] = "1.16ac"; /* no spaces */
1162 +
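Review bot: The type-byte change 0x92 → 0x93 in bad_bios_desc sets the descriptor's accessed bit in the static initializer, and the hunk gives no hint why, so a later cleanup could easily revert it. Presumably the point is that the CPU then never has to write the descriptor when the selector is loaded, which matters once the GDT lives in read-only memory under KERNEXEC (the rest of this patch wraps every GDT write in pax_open_kernel()), but that is inferred. I would annotate the line: `/* 0x93 = data, r/w, accessed: pre-set so loading the selector never writes the (possibly read-only) GDT */`.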
1163 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
1164 + struct desc_struct save_desc_40;
1165 + struct desc_struct *gdt;
1166 +
1167 ++#ifdef CONFIG_PAX_KERNEXEC
1168 ++ unsigned long cr0;
1169 ++#endif
1170 ++
1171 + cpus = apm_save_cpus();
1172 +
1173 + cpu = get_cpu();
1174 + gdt = get_cpu_gdt_table(cpu);
1175 + save_desc_40 = gdt[0x40 / 8];
1176 ++
1177 ++#ifdef CONFIG_PAX_KERNEXEC
1178 ++ pax_open_kernel(cr0);
1179 ++#endif
1180 ++
1181 + gdt[0x40 / 8] = bad_bios_desc;
1182 +
1183 ++#ifdef CONFIG_PAX_KERNEXEC
1184 ++ pax_close_kernel(cr0);
1185 ++#endif
1186 ++
1187 + apm_irq_save(flags);
1188 + APM_DO_SAVE_SEGS;
1189 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
1190 + APM_DO_RESTORE_SEGS;
1191 + apm_irq_restore(flags);
1192 ++
1193 ++#ifdef CONFIG_PAX_KERNEXEC
1194 ++ pax_open_kernel(cr0);
1195 ++#endif
1196 ++
1197 + gdt[0x40 / 8] = save_desc_40;
1198 ++
1199 ++#ifdef CONFIG_PAX_KERNEXEC
1200 ++ pax_close_kernel(cr0);
1201 ++#endif
1202 ++
1203 + put_cpu();
1204 + apm_restore_cpus(cpus);
1205 +
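Review bot: The two pax_open_kernel(cr0)/pax_close_kernel(cr0) pairs around the gdt[0x40 / 8] stores presumably save and restore per-CPU CR0 state, so they must stay inside the get_cpu()/put_cpu() region and must never be widened to cover apm_bios_call_asm(), which runs BIOS code; both hold here but nothing records the constraint. I would add above the first open: `/* keep the open/close window to the single GDT store and inside get_cpu(): it toggles per-CPU CR0 state */`. apm_bios_call_simple() in the next hunk duplicates this sequence verbatim; a small static helper that swaps the 0x40 descriptor under open/close would keep the two paths from drifting. apm_bios_call() starts and ends outside the hunk.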
1206 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
1207 + struct desc_struct save_desc_40;
1208 + struct desc_struct *gdt;
1209 +
1210 ++#ifdef CONFIG_PAX_KERNEXEC
1211 ++ unsigned long cr0;
1212 ++#endif
1213 ++
1214 + cpus = apm_save_cpus();
1215 +
1216 + cpu = get_cpu();
1217 + gdt = get_cpu_gdt_table(cpu);
1218 + save_desc_40 = gdt[0x40 / 8];
1219 ++
1220 ++#ifdef CONFIG_PAX_KERNEXEC
1221 ++ pax_open_kernel(cr0);
1222 ++#endif
1223 ++
1224 + gdt[0x40 / 8] = bad_bios_desc;
1225 +
1226 ++#ifdef CONFIG_PAX_KERNEXEC
1227 ++ pax_close_kernel(cr0);
1228 ++#endif
1229 ++
1230 + apm_irq_save(flags);
1231 + APM_DO_SAVE_SEGS;
1232 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
1233 + APM_DO_RESTORE_SEGS;
1234 + apm_irq_restore(flags);
1235 ++
1236 ++#ifdef CONFIG_PAX_KERNEXEC
1237 ++ pax_open_kernel(cr0);
1238 ++#endif
1239 ++
1240 + gdt[0x40 / 8] = save_desc_40;
1241 ++
1242 ++#ifdef CONFIG_PAX_KERNEXEC
1243 ++ pax_close_kernel(cr0);
1244 ++#endif
1245 ++
1246 + put_cpu();
1247 + apm_restore_cpus(cpus);
1248 + return error;
1249 +@@ -924,7 +970,7 @@ recalc:
1250 +
1251 + static void apm_power_off(void)
1252 + {
1253 +- unsigned char po_bios_call[] = {
1254 ++ const unsigned char po_bios_call[] = {
1255 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
1256 + 0x8e, 0xd0, /* movw ax,ss */
1257 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
1258 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
1259 + static struct miscdevice apm_device = {
1260 + APM_MINOR_DEV,
1261 + "apm_bios",
1262 +- &apm_bios_fops
1263 ++ &apm_bios_fops,
1264 ++ {NULL, NULL},
1265 ++ NULL,
1266 ++ NULL
1267 + };
1268 +
1269 +
1270 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
1271 + print_if_true,
1272 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
1273 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
1274 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
1275 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
1276 + },
1277 + { /* Handle problems with APM on the C600 */
1278 + broken_ps2_resume, "Dell Latitude C600",
1279 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1280 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
1281 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
1282 + },
1283 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
1284 + set_apm_ints, "Dell Latitude",
1285 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1286 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
1287 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
1288 + },
1289 + { /* APM crashes */
1290 + apm_is_horked, "Dell Inspiron 2500",
1291 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1292 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1293 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1294 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1295 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1296 + },
1297 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
1298 + set_apm_ints, "Dell Inspiron", {
1299 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1300 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
1301 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
1302 + },
1303 + { /* Handle problems with APM on Inspiron 5000e */
1304 + broken_apm_power, "Dell Inspiron 5000e",
1305 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1306 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
1307 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
1308 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
1309 + },
1310 + { /* Handle problems with APM on Inspiron 2500 */
1311 + broken_apm_power, "Dell Inspiron 2500",
1312 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1313 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
1314 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
1315 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
1316 + },
1317 + { /* APM crashes */
1318 + apm_is_horked, "Dell Dimension 4100",
1319 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1320 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
1321 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
1322 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1323 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1324 + },
1325 + { /* Allow interrupts during suspend on Compaq Laptops*/
1326 + set_apm_ints, "Compaq 12XL125",
1327 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
1328 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
1329 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1330 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
1331 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
1332 + },
1333 + { /* Allow interrupts during APM or the clock goes slow */
1334 + set_apm_ints, "ASUSTeK",
1335 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
1336 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
1337 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
1338 + },
1339 + { /* APM blows on shutdown */
1340 + apm_is_horked, "ABIT KX7-333[R]",
1341 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
1342 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
1343 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
1344 + },
1345 + { /* APM crashes */
1346 + apm_is_horked, "Trigem Delhi3",
1347 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
1348 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
1349 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
1350 + },
1351 + { /* APM crashes */
1352 + apm_is_horked, "Fujitsu-Siemens",
1353 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
1354 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
1355 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
1356 + },
1357 + { /* APM crashes */
1358 + apm_is_horked_d850md, "Intel D850MD",
1359 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1360 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
1361 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
1362 + },
1363 + { /* APM crashes */
1364 + apm_is_horked, "Intel D810EMO",
1365 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1366 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
1367 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
1368 + },
1369 + { /* APM crashes */
1370 + apm_is_horked, "Dell XPS-Z",
1371 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1372 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
1373 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
1374 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
1375 + },
1376 + { /* APM crashes */
1377 + apm_is_horked, "Sharp PC-PJ/AX",
1378 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
1379 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
1380 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
1381 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
1382 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
1383 + },
1384 + { /* APM crashes */
1385 + apm_is_horked, "Dell Inspiron 2500",
1386 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1387 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1388 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1389 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1390 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1391 + },
1392 + { /* APM idle hangs */
1393 + apm_likes_to_melt, "Jabil AMD",
1394 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1395 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
1396 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
1397 + },
1398 + { /* APM idle hangs */
1399 + apm_likes_to_melt, "AMI Bios",
1400 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1401 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
1402 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
1403 + },
1404 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
1405 + swab_apm_power_in_minutes, "Sony VAIO",
1406 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1407 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
1408 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
1409 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
1410 + },
1411 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
1412 + swab_apm_power_in_minutes, "Sony VAIO",
1413 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1414 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
1415 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
1416 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
1417 + },
1418 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
1419 + swab_apm_power_in_minutes, "Sony VAIO",
1420 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1421 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
1422 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
1423 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
1424 + },
1425 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1426 + swab_apm_power_in_minutes, "Sony VAIO",
1427 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1428 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
1429 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
1430 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
1431 + },
1432 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1433 + swab_apm_power_in_minutes, "Sony VAIO",
1434 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1435 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
1436 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
1437 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
1438 + },
1439 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
1440 + swab_apm_power_in_minutes, "Sony VAIO",
1441 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1442 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
1443 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
1444 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
1445 + },
1446 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1447 + swab_apm_power_in_minutes, "Sony VAIO",
1448 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1449 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
1450 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
1451 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
1452 + },
1453 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1454 + swab_apm_power_in_minutes, "Sony VAIO",
1455 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1456 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
1457 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
1458 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
1459 + },
1460 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
1461 + swab_apm_power_in_minutes, "Sony VAIO",
1462 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1463 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
1464 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
1465 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
1466 + },
1467 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
1468 + swab_apm_power_in_minutes, "Sony VAIO",
1469 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1470 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
1471 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
1472 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
1473 + },
1474 +
1475 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
1476 + swab_apm_power_in_minutes, "Sony VAIO",
1477 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1478 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
1479 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
1480 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
1481 + },
1482 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1483 + swab_apm_power_in_minutes, "Sony VAIO",
1484 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1485 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
1486 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
1487 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
1488 + },
1489 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1490 + swab_apm_power_in_minutes, "Sony VAIO",
1491 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1492 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
1493 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
1494 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
1495 + },
1496 + { /* broken PM poweroff bios */
1497 + set_realmode_power_off, "Award Software v4.60 PGMA",
1498 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
1499 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
1500 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
1501 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
1502 + },
1503 +
1504 + /* Generic per vendor APM settings */
1505 +
1506 + { /* Allow interrupts during suspend on IBM laptops */
1507 + set_apm_ints, "IBM",
1508 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
1509 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
1510 + },
1511 +
1512 +- { }
1513 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
1514 + };
1515 +
1516 + /*
1517 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
1518 + struct desc_struct *gdt;
1519 + int err;
1520 +
1521 ++#ifdef CONFIG_PAX_KERNEXEC
1522 ++ unsigned long cr0;
1523 ++#endif
1524 ++
1525 + dmi_check_system(apm_dmi_table);
1526 +
1527 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
1528 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
1529 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
1530 + * even though they are called in protected mode.
1531 + */
1532 ++
1533 ++#ifdef CONFIG_PAX_KERNEXEC
1534 ++ pax_open_kernel(cr0);
1535 ++#endif
1536 ++
1537 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
1538 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
1539 +
1540 ++#ifdef CONFIG_PAX_KERNEXEC
1541 ++ pax_close_kernel(cr0);
1542 ++#endif
1543 ++
1544 + /*
1545 + * Set up the long jump entry point to the APM BIOS, which is called
1546 + * from inline assembly.
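Review bot: set_base()/_set_limit() write into bad_bios_desc, which this file defines as `static const` (visible in an earlier hunk), so the write goes through a cast that discards const — undefined behaviour in C, and the compiler is entitled to fold the initializer `{ 0, 0x00409300 }` into the `gdt[0x40 / 8] = bad_bios_desc` copies in apm_bios_call(), silently dropping the runtime base and limit. Wrapping the write in pax_open_kernel() only keeps it from faulting on read-only .rodata under KERNEXEC; it does not remove the UB. Dropping the qualifier, `static struct desc_struct bad_bios_desc = { 0, 0x00409300 };`, or computing base and limit in the static initializer would fix both and make this WP window unnecessary. apm_init() starts and ends outside the hunk.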
1547 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
1548 + * code to that CPU.
1549 + */
1550 + gdt = get_cpu_gdt_table(0);
1551 ++
1552 ++#ifdef CONFIG_PAX_KERNEXEC
1553 ++ pax_open_kernel(cr0);
1554 ++#endif
1555 ++
1556 + set_base(gdt[APM_CS >> 3],
1557 + __va((unsigned long)apm_info.bios.cseg << 4));
1558 + set_base(gdt[APM_CS_16 >> 3],
1559 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
1560 + set_base(gdt[APM_DS >> 3],
1561 + __va((unsigned long)apm_info.bios.dseg << 4));
1562 +
1563 ++#ifdef CONFIG_PAX_KERNEXEC
1564 ++ pax_close_kernel(cr0);
1565 ++#endif
1566 ++
1567 + apm_proc = create_proc_entry("apm", 0, NULL);
1568 + if (apm_proc)
1569 + apm_proc->proc_fops = &apm_file_ops;
1570 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
1571 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
1572 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
1573 +@@ -109,6 +109,7 @@ void foo(void)
1574 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
1575 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
1576 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
1577 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
1578 +
1579 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
1580 +
1581 +@@ -122,6 +123,7 @@ void foo(void)
1582 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
1583 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
1584 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
1585 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
1586 + #endif
1587 +
1588 + #ifdef CONFIG_XEN
1589 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
1590 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
1591 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
1592 +@@ -4,7 +4,6 @@
1593 + #include <linux/smp.h>
1594 + #include <linux/module.h>
1595 + #include <linux/percpu.h>
1596 +-#include <linux/bootmem.h>
1597 + #include <asm/semaphore.h>
1598 + #include <asm/processor.h>
1599 + #include <asm/i387.h>
1600 +@@ -21,39 +20,15 @@
1601 +
1602 + #include "cpu.h"
1603 +
1604 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
1605 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
1606 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
1607 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
1608 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
1609 +- /*
1610 +- * Segments used for calling PnP BIOS have byte granularity.
1611 +- * They code segments and data segments have fixed 64k limits,
1612 +- * the transfer segment sizes are set at run time.
1613 +- */
1614 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1615 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
1616 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
1617 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
1618 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
1619 +- /*
1620 +- * The APM segments have byte granularity and their bases
1621 +- * are set at run time. All have 64k limits.
1622 +- */
1623 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1624 +- /* 16-bit code */
1625 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
1626 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
1627 +-
1628 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
1629 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
1630 +-} };
1631 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
1632 +-
1633 + static int cachesize_override __cpuinitdata = -1;
1634 + static int disable_x86_fxsr __cpuinitdata;
1635 + static int disable_x86_serial_nr __cpuinitdata = 1;
1636 +-static int disable_x86_sep __cpuinitdata;
1637 ++
1638 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1639 ++int disable_x86_sep __cpuinitdata = 1;
1640 ++#else
1641 ++int disable_x86_sep __cpuinitdata;
1642 ++#endif
1643 +
1644 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
1645 +
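Review bot: `disable_x86_sep` (L1645–L1649) is turned from a file-local into a global with a configuration-dependent default, but nothing here says why sysenter is switched off under those PaX options or who else touches the symbol; head.S later stores to it (`movl $0,disable_x86_sep-__PAGE_OFFSET`, guarded by `!SEGMEXEC && !KERNEXEC && !UDEREF`) only after NX support is confirmed, so a PAGEEXEC-only kernel on NX hardware ends up with SEP re-enabled — presumably the intent, but only a reader who finds both sites can tell. A comment above the `#if`, e.g. `/* SEP (sysenter) stays off while PaX depends on segmentation (SEGMEXEC/KERNEXEC/UDEREF, or PAGEEXEC without NX); head.S clears this once NX is detected */`, would capture that, and an `extern` declaration in a shared header would make the cross-file contract visible to C readers as well.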
1646 +@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
1647 + void __init cpu_detect(struct cpuinfo_x86 *c)
1648 + {
1649 + /* Get vendor name */
1650 +- cpuid(0x00000000, &c->cpuid_level,
1651 +- (int *)&c->x86_vendor_id[0],
1652 +- (int *)&c->x86_vendor_id[8],
1653 +- (int *)&c->x86_vendor_id[4]);
1654 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1655 ++ (unsigned int *)&c->x86_vendor_id[0],
1656 ++ (unsigned int *)&c->x86_vendor_id[8],
1657 ++ (unsigned int *)&c->x86_vendor_id[4]);
1658 +
1659 + c->x86 = 4;
1660 + if (c->cpuid_level >= 0x00000001) {
1661 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
1662 +
1663 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
1664 + {
1665 +- u32 tfms, xlvl;
1666 +- int ebx;
1667 ++ u32 tfms, xlvl, ebx;
1668 +
1669 + if (have_cpuid_p()) {
1670 + /* Get vendor name */
1671 +- cpuid(0x00000000, &c->cpuid_level,
1672 +- (int *)&c->x86_vendor_id[0],
1673 +- (int *)&c->x86_vendor_id[8],
1674 +- (int *)&c->x86_vendor_id[4]);
1675 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1676 ++ (unsigned int *)&c->x86_vendor_id[0],
1677 ++ (unsigned int *)&c->x86_vendor_id[8],
1678 ++ (unsigned int *)&c->x86_vendor_id[4]);
1679 +
1680 + get_cpu_vendor(c, 0);
1681 + /* Initialize the standard set of capabilities */
1682 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
1683 + {
1684 + struct Xgt_desc_struct gdt_descr;
1685 +
1686 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
1687 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
1688 + gdt_descr.size = GDT_SIZE - 1;
1689 + load_gdt(&gdt_descr);
1690 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
1691 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
1692 + {
1693 + int cpu = smp_processor_id();
1694 + struct task_struct *curr = current;
1695 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
1696 ++ struct tss_struct *t = init_tss + cpu;
1697 + struct thread_struct *thread = &curr->thread;
1698 +
1699 + if (cpu_test_and_set(cpu, cpu_initialized)) {
1700 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
1701 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
1702 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
1703 +@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
1704 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
1705 + },
1706 + },
1707 +- { }
1708 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
1709 + };
1710 + #endif
1711 +
1712 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
1713 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
1714 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
1715 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
1716 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
1717 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
1718 +
1719 +- { NULL, }
1720 ++ { NULL, NULL, 0, NULL}
1721 + };
1722 + #undef _BANIAS
1723 + #undef BANIAS
1724 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
1725 +--- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
1726 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
1727 +@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
1728 + */
1729 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
1730 + /* supports eax=2 call */
1731 +- int i, j, n;
1732 +- int regs[4];
1733 ++ int j, n;
1734 ++ unsigned int regs[4];
1735 + unsigned char *dp = (unsigned char *)regs;
1736 + int only_trace = 0;
1737 +
1738 +@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
1739 +
1740 + /* If bit 31 is set, this is an unknown format */
1741 + for ( j = 0 ; j < 3 ; j++ ) {
1742 +- if ( regs[j] < 0 ) regs[j] = 0;
1743 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
1744 + }
1745 +
1746 + /* Byte 0 is level count, not a descriptor */
1747 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
1748 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
1749 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
1750 +@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
1751 + return NOTIFY_OK;
1752 + }
1753 +
1754 +-static struct notifier_block thermal_throttle_cpu_notifier =
1755 ++static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
1756 + {
1757 + .notifier_call = thermal_throttle_cpu_callback,
1758 + };
1759 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
1760 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
1761 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
1762 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
1763 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
1764 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
1765 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
1766 +- {}
1767 ++ { 0, 0 }
1768 + };
1769 +
1770 + static unsigned long smp_changes_mask;
1771 +-static struct mtrr_state mtrr_state = {};
1772 ++static struct mtrr_state mtrr_state;
1773 +
1774 + #undef MODULE_PARAM_PREFIX
1775 + #define MODULE_PARAM_PREFIX "mtrr."
1776 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
1777 +--- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
1778 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
1779 +@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
1780 + return NOTIFY_STOP;
1781 + local_irq_disable();
1782 +
1783 +- if (!user_mode_vm(regs)) {
1784 ++ if (!user_mode(regs)) {
1785 + crash_fixup_ss_esp(&fixed_regs, regs);
1786 + regs = &fixed_regs;
1787 + }
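Review bot: replacing `user_mode_vm(regs)` with `user_mode(regs)` (L1791) changes what counts as a user context: `user_mode_vm` also treats a VM86 frame as user mode, whereas `user_mode` looks only at the CS RPL, unless this patch redefines `user_mode` elsewhere (not visible here). If it does not, a crash NMI landing on a v8086 task takes the kernel branch and `crash_fixup_ss_esp` overwrites the ss/esp the hardware already pushed, corrupting the register dump for exactly the case the original guarded against. Keep `user_mode_vm` here, or add a comment stating that `user_mode` covers VM86 under this patch.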
1788 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
1789 +--- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
1790 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
1791 +@@ -11,17 +11,17 @@
1792 +
1793 + #define DOUBLEFAULT_STACKSIZE (1024)
1794 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1795 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1796 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1797 +
1798 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1799 +
1800 + static void doublefault_fn(void)
1801 + {
1802 +- struct Xgt_desc_struct gdt_desc = {0, 0};
1803 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1804 + unsigned long gdt, tss;
1805 +
1806 + store_gdt(&gdt_desc);
1807 +- gdt = gdt_desc.address;
1808 ++ gdt = (unsigned long)gdt_desc.address;
1809 +
1810 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1811 +
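Review bot: `STACK_START` now points two words below the end of `doublefault_stack` (L1803) with no comment explaining the reservation, so a reader cannot tell whether it works around an access at the array's end or is required by the new segment setup (the ds/es switch to `__KERNEL_DS` in the next hunk). A one-line comment on the define, `/* leave two words free at the top of the stack: <reason> */` with the real reason filled in, would stop the next cleanup from removing it. The `{0, NULL, 0}` initializer (L1810) also reveals, via the NULL, that the descriptor's address field is now a pointer; that is worth stating in a comment since efi.c's prelog still assigns an integer (`__pa(...)`) to it.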
1812 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1813 + /* 0x2 bit is always set */
1814 + .eflags = X86_EFLAGS_SF | 0x2,
1815 + .esp = STACK_START,
1816 +- .es = __USER_DS,
1817 ++ .es = __KERNEL_DS,
1818 + .cs = __KERNEL_CS,
1819 + .ss = __KERNEL_DS,
1820 +- .ds = __USER_DS,
1821 ++ .ds = __KERNEL_DS,
1822 + .fs = __KERNEL_PERCPU,
1823 +
1824 + .__cr3 = __pa(swapper_pg_dir)
1825 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
1826 +--- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
1827 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
1828 +@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1829 +
1830 + static unsigned long efi_rt_eflags;
1831 + static DEFINE_SPINLOCK(efi_rt_lock);
1832 +-static pgd_t efi_bak_pg_dir_pointer[2];
1833 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
1834 +
1835 + static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
1836 + {
1837 +- unsigned long cr4;
1838 +- unsigned long temp;
1839 + struct Xgt_desc_struct gdt_descr;
1840 +
1841 + spin_lock(&efi_rt_lock);
1842 + local_irq_save(efi_rt_eflags);
1843 +
1844 +- /*
1845 +- * If I don't have PSE, I should just duplicate two entries in page
1846 +- * directory. If I have PSE, I just need to duplicate one entry in
1847 +- * page directory.
1848 +- */
1849 +- cr4 = read_cr4();
1850 +-
1851 +- if (cr4 & X86_CR4_PSE) {
1852 +- efi_bak_pg_dir_pointer[0].pgd =
1853 +- swapper_pg_dir[pgd_index(0)].pgd;
1854 +- swapper_pg_dir[0].pgd =
1855 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1856 +- } else {
1857 +- efi_bak_pg_dir_pointer[0].pgd =
1858 +- swapper_pg_dir[pgd_index(0)].pgd;
1859 +- efi_bak_pg_dir_pointer[1].pgd =
1860 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
1861 +- swapper_pg_dir[pgd_index(0)].pgd =
1862 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1863 +- temp = PAGE_OFFSET + 0x400000;
1864 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1865 +- swapper_pg_dir[pgd_index(temp)].pgd;
1866 +- }
1867 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
1868 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1869 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
1870 +
1871 + /*
1872 + * After the lock is released, the original page table is restored.
1873 + */
1874 +- local_flush_tlb();
1875 ++ __flush_tlb_all();
1876 +
1877 + gdt_descr.address = __pa(get_cpu_gdt_table(0));
1878 + gdt_descr.size = GDT_SIZE - 1;
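Review bot: `efi_bak_pg_dir_pointer` becomes `__initdata` (L1840) while `efi_call_phys_prelog` (L1842) and `efi_call_phys_epilog` (next hunk), which write and read it, keep their non-init linkage; only `phys_efi_set_virtual_address_map` and `phys_efi_get_time` gain `__init`. That leaves a reference from regular text into `.init.data`, which modpost flags as a section mismatch and which becomes a dangling reference if any non-init path ever reaches the prelog after init memory is freed (the callers are not visible here). Either mark prelog/epilog `__init` as well, or drop `__initdata` from the array. Separately, `gdt_descr.address = __pa(get_cpu_gdt_table(0));` (L1884) is left unchanged although the epilog now assigns `get_cpu_gdt_table(0)` directly (L1894) and doublefault.c casts `.address` to `unsigned long`, which suggests the field is now a pointer; if so the prelog assignment needs an explicit cast to the field's type rather than an implicit integer-to-pointer conversion.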
1879 +@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
1880 +
1881 + static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
1882 + {
1883 +- unsigned long cr4;
1884 + struct Xgt_desc_struct gdt_descr;
1885 +
1886 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
1887 ++ gdt_descr.address = get_cpu_gdt_table(0);
1888 + gdt_descr.size = GDT_SIZE - 1;
1889 + load_gdt(&gdt_descr);
1890 +-
1891 +- cr4 = read_cr4();
1892 +-
1893 +- if (cr4 & X86_CR4_PSE) {
1894 +- swapper_pg_dir[pgd_index(0)].pgd =
1895 +- efi_bak_pg_dir_pointer[0].pgd;
1896 +- } else {
1897 +- swapper_pg_dir[pgd_index(0)].pgd =
1898 +- efi_bak_pg_dir_pointer[0].pgd;
1899 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1900 +- efi_bak_pg_dir_pointer[1].pgd;
1901 +- }
1902 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
1903 +
1904 + /*
1905 + * After the lock is released, the original page table is restored.
1906 + */
1907 +- local_flush_tlb();
1908 ++ __flush_tlb_all();
1909 +
1910 + local_irq_restore(efi_rt_eflags);
1911 + spin_unlock(&efi_rt_lock);
1912 + }
1913 +
1914 +-static efi_status_t
1915 ++static efi_status_t __init
1916 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
1917 + unsigned long descriptor_size,
1918 + u32 descriptor_version,
1919 +@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
1920 + return status;
1921 + }
1922 +
1923 +-static efi_status_t
1924 ++static efi_status_t __init
1925 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
1926 + {
1927 + efi_status_t status;
1928 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
1929 +--- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
1930 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
1931 +@@ -6,6 +6,7 @@
1932 + */
1933 +
1934 + #include <linux/linkage.h>
1935 ++#include <linux/init.h>
1936 + #include <asm/page.h>
1937 +
1938 + /*
1939 +@@ -20,7 +21,7 @@
1940 + * service functions will comply with gcc calling convention, too.
1941 + */
1942 +
1943 +-.text
1944 ++__INIT
1945 + ENTRY(efi_call_phys)
1946 + /*
1947 + * 0. The function can only be called in Linux kernel. So CS has been
1948 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
1949 + * The mapping of lower virtual memory has been created in prelog and
1950 + * epilog.
1951 + */
1952 +- movl $1f, %edx
1953 +- subl $__PAGE_OFFSET, %edx
1954 +- jmp *%edx
1955 ++ jmp 1f-__PAGE_OFFSET
1956 + 1:
1957 +
1958 + /*
1959 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
1960 + * parameter 2, ..., param n. To make things easy, we save the return
1961 + * address of efi_call_phys in a global variable.
1962 + */
1963 +- popl %edx
1964 +- movl %edx, saved_return_addr
1965 +- /* get the function pointer into ECX*/
1966 +- popl %ecx
1967 +- movl %ecx, efi_rt_function_ptr
1968 +- movl $2f, %edx
1969 +- subl $__PAGE_OFFSET, %edx
1970 +- pushl %edx
1971 ++ popl (saved_return_addr)
1972 ++ popl (efi_rt_function_ptr)
1973 +
1974 + /*
1975 + * 3. Clear PG bit in %CR0.
1976 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
1977 + /*
1978 + * 5. Call the physical function.
1979 + */
1980 +- jmp *%ecx
1981 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
1982 +
1983 +-2:
1984 + /*
1985 + * 6. After EFI runtime service returns, control will return to
1986 + * following instruction. We'd better readjust stack pointer first.
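Review bot: `call *(efi_rt_function_ptr-__PAGE_OFFSET)` (L1988) is the one access in this stub that uses the physical address of the variable, because it executes after step 3 clears PG, while `popl (efi_rt_function_ptr)` in the previous hunk and `pushl (efi_rt_function_ptr)` in the next run with paging on and use the kernel virtual address; the asymmetry is correct but easy to break when the steps are next reshuffled. Suggest a comment on the call, `/* paging is off here: address the saved pointer physically */`, and a matching one on the pop, `/* paging still on: store through the kernel virtual address */`. Both variables now live in `__INITDATA`, so this stub must never be reached after init memory is freed; a one-line note at the `__INIT` directive saying so would document the lifetime contract.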
1987 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
1988 + movl %cr0, %edx
1989 + orl $0x80000000, %edx
1990 + movl %edx, %cr0
1991 +- jmp 1f
1992 +-1:
1993 ++
1994 + /*
1995 + * 8. Now restore the virtual mode from flat mode by
1996 + * adding EIP with PAGE_OFFSET.
1997 + */
1998 +- movl $1f, %edx
1999 +- jmp *%edx
2000 ++ jmp 1f+__PAGE_OFFSET
2001 + 1:
2002 +
2003 + /*
2004 + * 9. Balance the stack. And because EAX contain the return value,
2005 + * we'd better not clobber it.
2006 + */
2007 +- leal efi_rt_function_ptr, %edx
2008 +- movl (%edx), %ecx
2009 +- pushl %ecx
2010 ++ pushl (efi_rt_function_ptr)
2011 +
2012 + /*
2013 +- * 10. Push the saved return address onto the stack and return.
2014 ++ * 10. Return to the saved return address.
2015 + */
2016 +- leal saved_return_addr, %edx
2017 +- movl (%edx), %ecx
2018 +- pushl %ecx
2019 +- ret
2020 ++ jmpl *(saved_return_addr)
2021 + .previous
2022 +
2023 +-.data
2024 ++__INITDATA
2025 + saved_return_addr:
2026 + .long 0
2027 + efi_rt_function_ptr:
2028 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
2029 +--- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
2030 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
2031 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
2032 + #define resume_userspace_sig resume_userspace
2033 + #endif
2034 +
2035 +-#define SAVE_ALL \
2036 ++#define __SAVE_ALL(_DS) \
2037 + cld; \
2038 + pushl %fs; \
2039 + CFI_ADJUST_CFA_OFFSET 4;\
2040 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
2041 + pushl %ebx; \
2042 + CFI_ADJUST_CFA_OFFSET 4;\
2043 + CFI_REL_OFFSET ebx, 0;\
2044 +- movl $(__USER_DS), %edx; \
2045 ++ movl $(_DS), %edx; \
2046 + movl %edx, %ds; \
2047 + movl %edx, %es; \
2048 + movl $(__KERNEL_PERCPU), %edx; \
2049 + movl %edx, %fs
2050 +
2051 ++#ifdef CONFIG_PAX_KERNEXEC
2052 ++#define SAVE_ALL \
2053 ++ __SAVE_ALL(__KERNEL_DS); \
2054 ++ GET_CR0_INTO_EDX; \
2055 ++ movl %edx, %esi; \
2056 ++ orl $X86_CR0_WP, %edx; \
2057 ++ xorl %edx, %esi; \
2058 ++ SET_CR0_FROM_EDX
2059 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2060 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
2061 ++#else
2062 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
2063 ++#endif
2064 ++
2065 + #define RESTORE_INT_REGS \
2066 + popl %ebx; \
2067 + CFI_ADJUST_CFA_OFFSET -4;\
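Review bot: the KERNEXEC `SAVE_ALL` (L2058–L2065) leaves `old_cr0 ^ new_cr0` in `%esi` and expects the exit paths (`check_userspace` at L2083–L2085 and the two `do_nmi` returns later in this file) to xor it back into CR0, so correctness rests on `%esi` being callee-saved across the C handler and on no intervening assembly using it as scratch; none of that is written down at the macro. Add a comment to the macro, e.g. `/* KERNEXEC: %esi = CR0 bits changed on entry (WP); callee-saved across the handler, xor'ed back before resume_kernel */`. Note also that the sysexit path and `restore_all` after a syscall never perform the restore, which is only correct while every entry from user space finds WP already set (so `%esi` is zero); if that invariant is relied on, state it in the same comment.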
2068 +@@ -248,7 +262,17 @@ check_userspace:
2069 + movb PT_CS(%esp), %al
2070 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
2071 + cmpl $USER_RPL, %eax
2072 ++
2073 ++#ifdef CONFIG_PAX_KERNEXEC
2074 ++ jae resume_userspace
2075 ++
2076 ++ GET_CR0_INTO_EDX
2077 ++ xorl %esi, %edx
2078 ++ SET_CR0_FROM_EDX
2079 ++ jmp resume_kernel
2080 ++#else
2081 + jb resume_kernel # not returning to v8086 or userspace
2082 ++#endif
2083 +
2084 + ENTRY(resume_userspace)
2085 + DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
2086 +@@ -307,10 +331,9 @@ sysenter_past_esp:
2087 + /*CFI_REL_OFFSET cs, 0*/
2088 + /*
2089 + * Push current_thread_info()->sysenter_return to the stack.
2090 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
2091 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
2092 + */
2093 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
2094 ++ GET_THREAD_INFO(%ebp)
2095 ++ pushl TI_sysenter_return(%ebp)
2096 + CFI_ADJUST_CFA_OFFSET 4
2097 + CFI_REL_OFFSET eip, 0
2098 +
2099 +@@ -318,9 +341,17 @@ sysenter_past_esp:
2100 + * Load the potential sixth argument from user stack.
2101 + * Careful about security.
2102 + */
2103 ++ movl 12(%esp),%ebp
2104 ++
2105 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2106 ++ mov 16(%esp),%ds
2107 ++1: movl %ds:(%ebp),%ebp
2108 ++#else
2109 + cmpl $__PAGE_OFFSET-3,%ebp
2110 + jae syscall_fault
2111 + 1: movl (%ebp),%ebp
2112 ++#endif
2113 ++
2114 + .section __ex_table,"a"
2115 + .align 4
2116 + .long 1b,syscall_fault
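Review bot: under `CONFIG_PAX_MEMORY_UDEREF` (L2112–L2115) the explicit `cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault` range check on the user-supplied sixth-argument pointer is dropped and the load goes through `%ds` reloaded from the saved user data selector at `16(%esp)`, so the only thing stopping a kernel address here is that selector's segment limit; the non-UDEREF branch keeps the software check. That is a security-critical dependency on GDT layout set up in another file, and the `Careful about security` comment above no longer says so. Suggest extending it: `/* UDEREF: the user DS limit excludes kernel addresses, so a kernel pointer faults in hardware and the __ex_table entry routes it to syscall_fault; the explicit range check is only needed without UDEREF */`. If, as in the stock file, SAVE_ALL follows this block, it reloads `%ds` with the kernel selector, so the temporary user selector does not leak into the handler; that deserves one more clause in the comment.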
2117 +@@ -343,20 +374,37 @@ sysenter_past_esp:
2118 + movl TI_flags(%ebp), %ecx
2119 + testw $_TIF_ALLWORK_MASK, %cx
2120 + jne syscall_exit_work
2121 ++
2122 ++#ifdef CONFIG_PAX_RANDKSTACK
2123 ++ pushl %eax
2124 ++ CFI_ADJUST_CFA_OFFSET 4
2125 ++ call pax_randomize_kstack
2126 ++ popl %eax
2127 ++ CFI_ADJUST_CFA_OFFSET -4
2128 ++#endif
2129 ++
2130 + /* if something modifies registers it must also disable sysexit */
2131 + movl PT_EIP(%esp), %edx
2132 + movl PT_OLDESP(%esp), %ecx
2133 + xorl %ebp,%ebp
2134 + TRACE_IRQS_ON
2135 + 1: mov PT_FS(%esp), %fs
2136 ++2: mov PT_DS(%esp), %ds
2137 ++3: mov PT_ES(%esp), %es
2138 + ENABLE_INTERRUPTS_SYSEXIT
2139 + CFI_ENDPROC
2140 + .pushsection .fixup,"ax"
2141 +-2: movl $0,PT_FS(%esp)
2142 ++4: movl $0,PT_FS(%esp)
2143 + jmp 1b
2144 ++5: movl $0,PT_DS(%esp)
2145 ++ jmp 2b
2146 ++6: movl $0,PT_ES(%esp)
2147 ++ jmp 3b
2148 + .section __ex_table,"a"
2149 + .align 4
2150 +- .long 1b,2b
2151 ++ .long 1b,4b
2152 ++ .long 2b,5b
2153 ++ .long 3b,6b
2154 + .popsection
2155 + ENDPROC(sysenter_entry)
2156 +
2157 +@@ -389,6 +437,10 @@ no_singlestep:
2158 + testw $_TIF_ALLWORK_MASK, %cx # current->work
2159 + jne syscall_exit_work
2160 +
2161 ++#ifdef CONFIG_PAX_RANDKSTACK
2162 ++ call pax_randomize_kstack
2163 ++#endif
2164 ++
2165 + restore_all:
2166 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
2167 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
2168 +@@ -552,17 +604,24 @@ syscall_badsys:
2169 + END(syscall_badsys)
2170 + CFI_ENDPROC
2171 +
2172 +-#define FIXUP_ESPFIX_STACK \
2173 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
2174 +- PER_CPU(gdt_page, %ebx); \
2175 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
2176 +- addl %esp, %eax; \
2177 +- pushl $__KERNEL_DS; \
2178 +- CFI_ADJUST_CFA_OFFSET 4; \
2179 +- pushl %eax; \
2180 +- CFI_ADJUST_CFA_OFFSET 4; \
2181 +- lss (%esp), %esp; \
2182 ++.macro FIXUP_ESPFIX_STACK
2183 ++ /* since we are on a wrong stack, we cant make it a C code :( */
2184 ++#ifdef CONFIG_SMP
2185 ++ movl PER_CPU_VAR(cpu_number), %ebx;
2186 ++ shll $PAGE_SHIFT_asm, %ebx;
2187 ++ addl $cpu_gdt_table, %ebx;
2188 ++#else
2189 ++ movl $cpu_gdt_table, %ebx;
2190 ++#endif
2191 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
2192 ++ addl %esp, %eax;
2193 ++ pushl $__KERNEL_DS;
2194 ++ CFI_ADJUST_CFA_OFFSET 4;
2195 ++ pushl %eax;
2196 ++ CFI_ADJUST_CFA_OFFSET 4;
2197 ++ lss (%esp), %esp;
2198 + CFI_ADJUST_CFA_OFFSET -8;
2199 ++.endm
2200 + #define UNWIND_ESPFIX_STACK \
2201 + movl %ss, %eax; \
2202 + /* see if on espfix stack */ \
2203 +@@ -579,7 +638,7 @@ END(syscall_badsys)
2204 + * Build the entry stubs and pointer table with
2205 + * some assembler magic.
2206 + */
2207 +-.data
2208 ++.section .rodata,"a",@progbits
2209 + ENTRY(interrupt)
2210 + .text
2211 +
2212 +@@ -679,12 +738,21 @@ error_code:
2213 + popl %ecx
2214 + CFI_ADJUST_CFA_OFFSET -4
2215 + /*CFI_REGISTER es, ecx*/
2216 ++
2217 ++#ifdef CONFIG_PAX_KERNEXEC
2218 ++ GET_CR0_INTO_EDX
2219 ++ movl %edx, %esi
2220 ++ orl $X86_CR0_WP, %edx
2221 ++ xorl %edx, %esi
2222 ++ SET_CR0_FROM_EDX
2223 ++#endif
2224 ++
2225 + movl PT_FS(%esp), %edi # get the function address
2226 + movl PT_ORIG_EAX(%esp), %edx # get the error code
2227 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
2228 + mov %ecx, PT_FS(%esp)
2229 + /*CFI_REL_OFFSET fs, ES*/
2230 +- movl $(__USER_DS), %ecx
2231 ++ movl $(__KERNEL_DS), %ecx
2232 + movl %ecx, %ds
2233 + movl %ecx, %es
2234 + movl %esp,%eax # pt_regs pointer
2235 +@@ -818,6 +886,13 @@ nmi_stack_correct:
2236 + xorl %edx,%edx # zero error code
2237 + movl %esp,%eax # pt_regs pointer
2238 + call do_nmi
2239 ++
2240 ++#ifdef CONFIG_PAX_KERNEXEC
2241 ++ GET_CR0_INTO_EDX
2242 ++ xorl %esi, %edx
2243 ++ SET_CR0_FROM_EDX
2244 ++#endif
2245 ++
2246 + jmp restore_nocheck_notrace
2247 + CFI_ENDPROC
2248 +
2249 +@@ -858,6 +933,13 @@ nmi_espfix_stack:
2250 + FIXUP_ESPFIX_STACK # %eax == %esp
2251 + xorl %edx,%edx # zero error code
2252 + call do_nmi
2253 ++
2254 ++#ifdef CONFIG_PAX_KERNEXEC
2255 ++ GET_CR0_INTO_EDX
2256 ++ xorl %esi, %edx
2257 ++ SET_CR0_FROM_EDX
2258 ++#endif
2259 ++
2260 + RESTORE_REGS
2261 + lss 12+4(%esp), %esp # back to espfix stack
2262 + CFI_ADJUST_CFA_OFFSET -24
2263 +@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
2264 +
2265 + #endif /* CONFIG_XEN */
2266 +
2267 +-.section .rodata,"a"
2268 + #include "syscall_table.S"
2269 +
2270 + syscall_table_size=(.-sys_call_table)
2271 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
2272 +--- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
2273 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
2274 +@@ -18,6 +18,7 @@
2275 + #include <asm/thread_info.h>
2276 + #include <asm/asm-offsets.h>
2277 + #include <asm/setup.h>
2278 ++#include <asm/msr-index.h>
2279 +
2280 + /*
2281 + * References to members of the new_cpu_data structure.
2282 +@@ -51,17 +52,22 @@
2283 + */
2284 + LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
2285 +
2286 +-#if PTRS_PER_PMD > 1
2287 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
2288 +-#else
2289 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
2290 +-#endif
2291 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
2292 + BOOTBITMAP_SIZE = LOW_PAGES / 8
2293 + ALLOCATOR_SLOP = 4
2294 +
2295 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
2296 +
2297 + /*
2298 ++ * Real beginning of normal "text" segment
2299 ++ */
2300 ++ENTRY(stext)
2301 ++ENTRY(_stext)
2302 ++
2303 ++.section .text.startup,"ax",@progbits
2304 ++ ljmp $(__BOOT_CS),$phys_startup_32
2305 ++
2306 ++/*
2307 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
2308 + * %esi points to the real-mode code as a 32-bit pointer.
2309 + * CS and DS must be 4 GB flat segments, but we don't depend on
2310 +@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
2311 + * can.
2312 + */
2313 + .section .text.head,"ax",@progbits
2314 ++
2315 ++#ifdef CONFIG_PAX_KERNEXEC
2316 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
2317 ++.fill 4096,1,0xcc
2318 ++#endif
2319 ++
2320 + ENTRY(startup_32)
2321 +
2322 + /*
2323 +@@ -82,6 +94,43 @@ ENTRY(startup_32)
2324 + movl %eax,%fs
2325 + movl %eax,%gs
2326 +
2327 ++ movl $__per_cpu_start,%eax
2328 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
2329 ++ rorl $16,%eax
2330 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
2331 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
2332 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
2333 ++ subl $__per_cpu_start,%eax
2334 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
2335 ++
2336 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2337 ++ /* check for VMware */
2338 ++ movl $0x564d5868,%eax
2339 ++ xorl %ebx,%ebx
2340 ++ movl $0xa,%ecx
2341 ++ movl $0x5658,%edx
2342 ++ in (%dx),%eax
2343 ++ cmpl $0x564d5868,%ebx
2344 ++ jz 1f
2345 ++
2346 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
2347 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
2348 ++1:
2349 ++#endif
2350 ++
2351 ++#ifdef CONFIG_PAX_KERNEXEC
2352 ++ movl $KERNEL_TEXT_OFFSET,%eax
2353 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
2354 ++ rorl $16,%eax
2355 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
2356 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
2357 ++
2358 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
2359 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
2360 ++ rorl $16,%eax
2361 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
2362 ++#endif
2363 ++
2364 + /*
2365 + * Clear BSS first so that there are no surprises...
2366 + * No need to cld as DF is already clear from cld above...
2367 +@@ -129,24 +178,42 @@ ENTRY(startup_32)
2368 + * Warning: don't use %esi or the stack in this code. However, %esp
2369 + * can be used as a GPR if you really need it...
2370 + */
2371 +-page_pde_offset = (__PAGE_OFFSET >> 20);
2372 +-
2373 ++#ifdef CONFIG_X86_PAE
2374 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2375 ++#else
2376 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2377 ++#endif
2378 + movl $(pg0 - __PAGE_OFFSET), %edi
2379 ++#ifdef CONFIG_X86_PAE
2380 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
2381 ++#else
2382 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2383 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2384 ++#endif
2385 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
2386 + 10:
2387 +- leal 0x007(%edi),%ecx /* Create PDE entry */
2388 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
2389 + movl %ecx,(%edx) /* Store identity PDE entry */
2390 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
2391 ++#ifdef CONFIG_X86_PAE
2392 ++ movl $0,4(%edx)
2393 ++ movl $0,page_pde_offset+4(%edx)
2394 ++ addl $8,%edx
2395 ++ movl $512, %ecx
2396 ++#else
2397 + addl $4,%edx
2398 + movl $1024, %ecx
2399 ++#endif
2400 + 11:
2401 + stosl
2402 ++#ifdef CONFIG_X86_PAE
2403 ++ movl $0,(%edi)
2404 ++ addl $4,%edi
2405 ++#endif
2406 + addl $0x1000,%eax
2407 + loop 11b
2408 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
2409 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
2410 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
2411 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
2412 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
2413 + cmpl %ebp,%eax
2414 + jb 10b
2415 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
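Review bot: the early page-table attribute bits change from `0x007` (PRESENT+RW+USER) to `0x063` (PRESENT+RW+ACCESSED+DIRTY) at L2392, L2395 and L2419, i.e. the USER bit is dropped so the boot-time identity and kernel mappings are supervisor-only, but the updated comments only list the bits present and never say that the omission is the point; the fixmap entry in the next hunk deliberately keeps USER (`0x067`). Suggest `/* 0x063 = PRESENT+RW+ACCESSED+DIRTY; no USER bit: early kernel mappings must not be reachable from ring 3 */` on the `movl $0x063` line so a later cleanup does not "restore" 0x007, and a matching note on the fixmap line explaining why that one entry keeps USER (presumably a user-visible page lives there — confirm).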
2416 +@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
2417 + #endif
2418 +
2419 + /* Do an early initialization of the fixmap area */
2420 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2421 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
2422 +- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2423 +- movl %eax, 4092(%edx)
2424 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
2425 ++#ifdef CONFIG_X86_PAE
2426 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
2427 ++#else
2428 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
2429 ++#endif
2430 +
2431 + #ifdef CONFIG_SMP
2432 + ENTRY(startup_32_smp)
2433 +@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
2434 + movl %eax,%fs
2435 + movl %eax,%gs
2436 +
2437 ++ /* This is a secondary processor (AP) */
2438 ++ xorl %ebx,%ebx
2439 ++ incl %ebx
2440 ++#endif /* CONFIG_SMP */
2441 ++
2442 + /*
2443 + * New page tables may be in 4Mbyte page mode and may
2444 + * be using the global pages.
2445 +@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
2446 + * not yet offset PAGE_OFFSET..
2447 + */
2448 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
2449 ++3:
2450 + movl cr4_bits,%edx
2451 + andl %edx,%edx
2452 +- jz 6f
2453 ++ jz 5f
2454 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
2455 + orl %edx,%eax
2456 + movl %eax,%cr4
2457 +
2458 +- btl $5, %eax # check if PAE is enabled
2459 +- jnc 6f
2460 ++#ifdef CONFIG_X86_PAE
2461 ++ movl %ebx,%edi
2462 +
2463 + /* Check if extended functions are implemented */
2464 + movl $0x80000000, %eax
2465 + cpuid
2466 + cmpl $0x80000000, %eax
2467 +- jbe 6f
2468 ++ jbe 4f
2469 + mov $0x80000001, %eax
2470 + cpuid
2471 + /* Execute Disable bit supported? */
2472 + btl $20, %edx
2473 +- jnc 6f
2474 ++ jnc 4f
2475 +
2476 + /* Setup EFER (Extended Feature Enable Register) */
2477 +- movl $0xc0000080, %ecx
2478 ++ movl $MSR_EFER, %ecx
2479 + rdmsr
2480 +
2481 + btsl $11, %eax
2482 + /* Make changes effective */
2483 + wrmsr
2484 +
2485 +-6:
2486 +- /* This is a secondary processor (AP) */
2487 +- xorl %ebx,%ebx
2488 +- incl %ebx
2489 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
2490 ++ movl $1,nx_enabled-__PAGE_OFFSET
2491 +
2492 +-#endif /* CONFIG_SMP */
2493 +-3:
2494 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
2495 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
2496 ++#endif
2497 ++
2498 ++4:
2499 ++ movl %edi,%ebx
2500 ++#endif
2501 ++5:
2502 +
2503 + /*
2504 + * Enable paging
2505 +@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
2506 +
2507 + #ifdef CONFIG_SMP
2508 + andl %ebx,%ebx
2509 +- jz 1f /* Initial CPU cleans BSS */
2510 +- jmp checkCPUtype
2511 +-1:
2512 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
2513 + #endif /* CONFIG_SMP */
2514 +
2515 + /*
2516 +@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
2517 + ljmp $(__KERNEL_CS),$1f
2518 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
2519 + movl %eax,%ss # after changing gdt.
2520 +- movl %eax,%fs # gets reset once there's real percpu
2521 +-
2522 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
2523 + movl %eax,%ds
2524 + movl %eax,%es
2525 +
2526 ++ movl $(__KERNEL_PERCPU), %eax
2527 ++ movl %eax,%fs # set this cpu's percpu
2528 ++
2529 + xorl %eax,%eax # Clear GS and LDT
2530 + movl %eax,%gs
2531 + lldt %ax
2532 +@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
2533 + movb ready, %cl
2534 + movb $1, ready
2535 + cmpb $0,%cl # the first CPU calls start_kernel
2536 +- je 1f
2537 +- movl $(__KERNEL_PERCPU), %eax
2538 +- movl %eax,%fs # set this cpu's percpu
2539 +- jmp initialize_secondary # all other CPUs call initialize_secondary
2540 +-1:
2541 ++ jne initialize_secondary # all other CPUs call initialize_secondary
2542 + #endif /* CONFIG_SMP */
2543 + jmp start_kernel
2544 +
2545 +@@ -441,8 +514,8 @@ early_page_fault:
2546 + jmp early_fault
2547 +
2548 + early_fault: