
From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r96 - in hardened-sources/2.6/tags: . 2.6.23-6
Date: Wed, 30 Apr 2008 11:46:44
Message-Id: E1JrAgx-0001HL-B0@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:41:42 +0000 (Wed, 30 Apr 2008)
3 New Revision: 96
4
5 Added:
6 hardened-sources/2.6/tags/2.6.23-6/
7 hardened-sources/2.6/tags/2.6.23-6/1015_2.6.23.Q_scsi-sd-handle-bad-lba-in-sense-information.patch
8 hardened-sources/2.6/tags/2.6.23-6/1016_2.6.23.Q_nfs-fix-a-potential-file-corruption-issue-when-writing.patch
9 hardened-sources/2.6/tags/2.6.23-6/1017_2.6.23.Q_netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
10 hardened-sources/2.6/tags/2.6.23-6/1018_2.6.23.Q_hrtimer-check-relative-timeouts-for-overflow.patch
11 hardened-sources/2.6/tags/2.6.23-6/1019_2.6.23.Q_genirq-do-not-leave-interupts-enabled-on-free_irq.patch
12 hardened-sources/2.6/tags/2.6.23-6/1020_2.6.23.Q_disable-g5-nap-mode-during-smu-commands-on-u3.patch
13 hardened-sources/2.6/tags/2.6.23-6/1021_2.6.23.Q_be-more-robust-about-bad-arguments-in-get_user_pages.patch
14 hardened-sources/2.6/tags/2.6.23-6/1022_2.6.23.Q_x86_64-cpa-fix-cache-attribute-inconsistency-bug.patch
15 hardened-sources/2.6/tags/2.6.23-6/4405_alpha-sysctl-uac-for-hardened-extras.patch
16 hardened-sources/2.6/tags/2.6.23-6/4450_grsec-2.1.11-2.6.23.15-20080210.patch
17 hardened-sources/2.6/tags/2.6.23-6/4455_grsec-2.1.10-mute-warnings.patch
18 hardened-sources/2.6/tags/2.6.23-6/4460_grsec-2.1.10-pax_curr_ip-fixes.patch
19 hardened-sources/2.6/tags/2.6.23-6/4465_grsec-kconfig-gentoo.patch
20 hardened-sources/2.6/tags/2.6.23-6/4470_selinux-avc_audit-log-curr_ip.patch
21 hardened-sources/2.6/tags/2.6.23-6/4475_disable-compat_vdso.patch
22 hardened-sources/2.6/tags/2.6.23-6/4480_acct_stack_growth-null-deref.patch
23 hardened-sources/2.6/tags/2.6.23-6/4485_pax-vma-mirroring-fixes.patch
24 hardened-sources/2.6/tags/2.6.23-6/4490_vesafb-pmi-kernexec-fix.patch
25 hardened-sources/2.6/tags/2.6.23-6/4495_pax-hook-build-error.patch
26 hardened-sources/2.6/tags/2.6.23-6/4500_deselect-kernexec-on-unsupported-arches.patch
27 Log:
28 Importing patchset for 2.6.23-6 (from hardened-patches-2.6.23-6.extras.tar.bz2).
29
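--- a/hardened-sources/2.6/tags/2.6.23-6/1015_2.6.23.Q_scsi-sd-handle-bad-lba-in-sense-information.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1015_2.6.23.Q_scsi-sd-handle-bad-lba-in-sense-information.patch
@@ -0,0 +1,76 @@
+From 366c246de9cec909c5eba4f784c92d1e75b4dc38 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@×××××××××××××××××.com>
+Date: Sat, 2 Feb 2008 16:06:23 -0600
+Subject: SCSI: sd: handle bad lba in sense information
+
+From: James Bottomley <James.Bottomley@×××××××××××××××××.com>
+
+patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.
+
+Some devices report medium error locations incorrectly. Add guards to
+make sure the reported bad lba is actually in the request that caused
+it. Additionally remove the large case statment for sector sizes and
+replace it with the proper u64 divisions.
+
+Tested-by: Mike Snitzer <snitzer@×××××.com>
+Cc: Stable Tree <stable@××××××.org>
+Cc: Tony Battersby <tonyb@×××××××××××.com>
+Signed-off-by: James Bottomley <James.Bottomley@×××××××××××××××××.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+---
+ drivers/scsi/sd.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -901,6 +901,7 @@ static void sd_rw_intr(struct scsi_cmnd
+ unsigned int xfer_size = SCpnt->request_bufflen;
+ unsigned int good_bytes = result ? 0 : xfer_size;
+ u64 start_lba = SCpnt->request->sector;
++ u64 end_lba = SCpnt->request->sector + (xfer_size / 512);
+ u64 bad_lba;
+ struct scsi_sense_hdr sshdr;
+ int sense_valid = 0;
+@@ -939,26 +940,23 @@ static void sd_rw_intr(struct scsi_cmnd
+ goto out;
+ if (xfer_size <= SCpnt->device->sector_size)
+ goto out;
+- switch (SCpnt->device->sector_size) {
+- case 256:
++ if (SCpnt->device->sector_size < 512) {
++ /* only legitimate sector_size here is 256 */
+ start_lba <<= 1;
+- break;
+- case 512:
+- break;
+- case 1024:
+- start_lba >>= 1;
+- break;
+- case 2048:
+- start_lba >>= 2;
+- break;
+- case 4096:
+- start_lba >>= 3;
+- break;
+- default:
+- /* Print something here with limiting frequency. */
+- goto out;
+- break;
++ end_lba <<= 1;
++ } else {
++ /* be careful ... don't want any overflows */
++ u64 factor = SCpnt->device->sector_size / 512;
++ do_div(start_lba, factor);
++ do_div(end_lba, factor);
+ }
++
++ if (bad_lba < start_lba || bad_lba >= end_lba)
++ /* the bad lba was reported incorrectly, we have
++ * no idea where the error is
++ */
++ goto out;
++
+ /* This computation should always be done in terms of
+ * the resolution of the device's medium.
+ */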
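--- a/hardened-sources/2.6/tags/2.6.23-6/1016_2.6.23.Q_nfs-fix-a-potential-file-corruption-issue-when-writing.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1016_2.6.23.Q_nfs-fix-a-potential-file-corruption-issue-when-writing.patch
@@ -0,0 +1,80 @@
+From stable-bounces@××××××××××××.org Fri Feb 8 11:13:23 2008
+From: Trond Myklebust <Trond.Myklebust@××××××.com>
+Date: Fri, 08 Feb 2008 14:12:11 -0500
+Subject: NFS: Fix a potential file corruption issue when writing
+To: stable@××××××.org
+Message-ID: <1202497931.8383.9.camel@×××××××××××××××××.org>
+
+From: Trond Myklebust <Trond.Myklebust@××××××.com>
+
+patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.
+
+If the inode is flagged as having an invalid mapping, then we can't rely on
+the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
+write optimisation in nfs_updatepage(), since that will cause NFS to write
+out areas of the page that are no longer guaranteed to be up to date.
+
+A potential corruption could occur in the following scenario:
+
+client 1 client 2
+=============== ===============
+ fd=open("f",O_CREAT|O_WRONLY,0644);
+ write(fd,"fubar\n",6); // cache last page
+ close(fd);
+fd=open("f",O_WRONLY|O_APPEND);
+write(fd,"foo\n",4);
+close(fd);
+
+ fd=open("f",O_WRONLY|O_APPEND);
+ write(fd,"bar\n",4);
+ close(fd);
+-----
+The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
+client 2 does not update the cached page after re-opening the file for
+write. Instead it keeps it marked as PageUptodate() until someone calls
+invaldate_inode_pages2() (typically by calling read()).
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@××××××.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+---
+ fs/nfs/write.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -717,6 +717,17 @@ int nfs_flush_incompatible(struct file *
+ }
+
+ /*
++ * If the page cache is marked as unsafe or invalid, then we can't rely on
++ * the PageUptodate() flag. In this case, we will need to turn off
++ * write optimisations that depend on the page contents being correct.
++ */
++static int nfs_write_pageuptodate(struct page *page, struct inode *inode)
++{
++ return PageUptodate(page) &&
++ !(NFS_I(inode)->cache_validity & (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA));
++}
++
++/*
+ * Update and possibly write a cached page of an NFS file.
+ *
+ * XXX: Keep an eye on generic_file_read to make sure it doesn't do bad
+@@ -737,10 +748,13 @@ int nfs_updatepage(struct file *file, st
+ (long long)(page_offset(page) +offset));
+
+ /* If we're not using byte range locks, and we know the page
+- * is entirely in cache, it may be more efficient to avoid
+- * fragmenting write requests.
++ * is up to date, it may be more efficient to extend the write
++ * to cover the entire page in order to avoid fragmentation
++ * inefficiencies.
+ */
+- if (PageUptodate(page) && inode->i_flock == NULL && !(file->f_mode & O_SYNC)) {
++ if (nfs_write_pageuptodate(page, inode) &&
++ inode->i_flock == NULL &&
++ !(file->f_mode & O_SYNC)) {
+ count = max(count + offset, nfs_page_length(page));
+ offset = 0;
+ }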
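--- a/hardened-sources/2.6/tags/2.6.23-6/1017_2.6.23.Q_netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1017_2.6.23.Q_netfilter-nf_conntrack_tcp-conntrack-reopening-fix.patch
@@ -0,0 +1,111 @@
+From stable-bounces@××××××××××××.org Tue Feb 19 07:43:54 2008
+From: Jozsef Kadlecsik <kadlec@××××××××××××××.hu>
+From: Patrick McHardy <kaber@×××××.net>
+Date: Tue, 19 Feb 2008 16:24:01 +0100
+Subject: NETFILTER: nf_conntrack_tcp: conntrack reopening fix
+To: stable@××××××.org
+Cc: Netfilter Development Mailinglist <netfilter-devel@×××××××××××.org>, "David S. Miller" <davem@×××××××××.net>
+Message-ID: <47BAF491.6060601@×××××.net>
+
+From: Jozsef Kadlecsik <kadlec@××××××××××××××.hu>
+
+[NETFILTER]: nf_conntrack_tcp: conntrack reopening fix
+
+[Upstream commits b2155e7f + d0c1fd7a]
+
+TCP connection tracking in netfilter did not handle TCP reopening
+properly: active close was taken into account for one side only and
+not for any side, which is fixed now. The patch includes more comments
+to explain the logic how the different cases are handled.
+The bug was discovered by Jeff Chua.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@××××××××××××××.hu>
+Signed-off-by: Patrick McHardy <kaber@×××××.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 35 +++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -135,7 +135,7 @@ enum tcp_bit_set {
+ * CLOSE_WAIT: ACK seen (after FIN)
+ * LAST_ACK: FIN seen (after FIN)
+ * TIME_WAIT: last ACK seen
+- * CLOSE: closed connection
++ * CLOSE: closed connection (RST)
+ *
+ * LISTEN state is not used.
+ *
+@@ -834,8 +834,21 @@ static int tcp_packet(struct nf_conn *co
+ case TCP_CONNTRACK_SYN_SENT:
+ if (old_state < TCP_CONNTRACK_TIME_WAIT)
+ break;
+- if ((conntrack->proto.tcp.seen[!dir].flags &
+- IP_CT_TCP_FLAG_CLOSE_INIT)
++ /* RFC 1122: "When a connection is closed actively,
++ * it MUST linger in TIME-WAIT state for a time 2xMSL
++ * (Maximum Segment Lifetime). However, it MAY accept
++ * a new SYN from the remote TCP to reopen the connection
++ * directly from TIME-WAIT state, if..."
++ * We ignore the conditions because we are in the
++ * TIME-WAIT state anyway.
++ *
++ * Handle aborted connections: we and the server
++ * think there is an existing connection but the client
++ * aborts it and starts a new one.
++ */
++ if (((conntrack->proto.tcp.seen[dir].flags
++ | conntrack->proto.tcp.seen[!dir].flags)
++ & IP_CT_TCP_FLAG_CLOSE_INIT)
+ || (conntrack->proto.tcp.last_dir == dir
+ && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
+ /* Attempt to reopen a closed/aborted connection.
+@@ -848,18 +861,25 @@ static int tcp_packet(struct nf_conn *co
+ }
+ /* Fall through */
+ case TCP_CONNTRACK_IGNORE:
+- /* Ignored packets:
++ /* Ignored packets:
++ *
++ * Our connection entry may be out of sync, so ignore
++ * packets which may signal the real connection between
++ * the client and the server.
+ *
+ * a) SYN in ORIGINAL
+ * b) SYN/ACK in REPLY
+ * c) ACK in reply direction after initial SYN in original.
++ *
++ * If the ignored packet is invalid, the receiver will send
++ * a RST we'll catch below.
+ */
+ if (index == TCP_SYNACK_SET
+ && conntrack->proto.tcp.last_index == TCP_SYN_SET
+ && conntrack->proto.tcp.last_dir != dir
+ && ntohl(th->ack_seq) ==
+ conntrack->proto.tcp.last_end) {
+- /* This SYN/ACK acknowledges a SYN that we earlier
++ /* b) This SYN/ACK acknowledges a SYN that we earlier
+ * ignored as invalid. This means that the client and
+ * the server are both in sync, while the firewall is
+ * not. We kill this session and block the SYN/ACK so
+@@ -884,7 +904,7 @@ static int tcp_packet(struct nf_conn *co
+ write_unlock_bh(&tcp_lock);
+ if (LOG_INVALID(IPPROTO_TCP))
+ nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+- "nf_ct_tcp: invalid packed ignored ");
++ "nf_ct_tcp: invalid packet ignored ");
+ return NF_ACCEPT;
+ case TCP_CONNTRACK_MAX:
+ /* Invalid packet */
+@@ -938,8 +958,7 @@ static int tcp_packet(struct nf_conn *co
+
+ conntrack->proto.tcp.state = new_state;
+ if (old_state != new_state
+- && (new_state == TCP_CONNTRACK_FIN_WAIT
+- || new_state == TCP_CONNTRACK_CLOSE))
++ && new_state == TCP_CONNTRACK_FIN_WAIT)
+ conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+ timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
+ && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans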
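--- a/hardened-sources/2.6/tags/2.6.23-6/1018_2.6.23.Q_hrtimer-check-relative-timeouts-for-overflow.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1018_2.6.23.Q_hrtimer-check-relative-timeouts-for-overflow.patch
@@ -0,0 +1,154 @@
+From stable-bounces@××××××××××××.org Tue Feb 19 16:03:26 2008
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Wed, 20 Feb 2008 01:03:00 +0100 (CET)
+Subject: hrtimer: check relative timeouts for overflow
+To: Stable Team <stable@××××××.org>
+Message-ID: <alpine.LFD.1.00.0802200100000.7583@×××××××××××××××××××××.de>
+
+From: Thomas Gleixner <tglx@××××××××××.de>
+
+commit: 5a7780e725d1bb4c3094fcc12f1c5c5faea1e988
+
+Various user space callers ask for relative timeouts. While we fixed
+that overflow issue in hrtimer_start(), the sites which convert
+relative user space values to absolute timeouts themself were uncovered.
+
+Instead of putting overflow checks into each place add a function
+which does the sanity checking and convert all affected callers to use
+it.
+
+Thanks to Frans Pop, who reported the problem and tested the fixes.
+
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Acked-by: Ingo Molnar <mingo@××××.hu>
+Tested-by: Frans Pop <elendil@××××××.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+
+---
+ include/linux/ktime.h | 2 ++
+ kernel/futex.c | 2 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/hrtimer.c | 38 +++++++++++++++++++++-----------------
+ kernel/posix-timers.c | 8 +++++---
+ 5 files changed, 30 insertions(+), 22 deletions(-)
+
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -289,6 +289,8 @@ static inline ktime_t ktime_add_us(const
+ return ktime_add_ns(kt, usec * 1000);
+ }
+
++extern ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs);
++
+ /*
+ * The resolution of the clocks. The resolution value is returned in
+ * the clock_getres() system call to give application programmers an
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2063,7 +2063,7 @@ asmlinkage long sys_futex(u32 __user *ua
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+- t = ktime_add(ktime_get(), t);
++ t = ktime_add_safe(ktime_get(), t);
+ tp = &t;
+ }
+ /*
+--- a/kernel/futex_compat.c
++++ b/kernel/futex_compat.c
+@@ -175,7 +175,7 @@ asmlinkage long compat_sys_futex(u32 __u
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+- t = ktime_add(ktime_get(), t);
++ t = ktime_add_safe(ktime_get(), t);
+ tp = &t;
+ }
+ if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE)
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -301,6 +301,24 @@ unsigned long ktime_divns(const ktime_t
+ }
+ #endif /* BITS_PER_LONG >= 64 */
+
++/*
++ * Add two ktime values and do a safety check for overflow:
++ */
++
++ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
++{
++ ktime_t res = ktime_add(lhs, rhs);
++
++ /*
++ * We use KTIME_SEC_MAX here, the maximum timeout which we can
++ * return to user space in a timespec:
++ */
++ if (res.tv64 < 0 || res.tv64 < lhs.tv64 || res.tv64 < rhs.tv64)
++ res = ktime_set(KTIME_SEC_MAX, 0);
++
++ return res;
++}
++
+ /* High resolution timer related functions */
+ #ifdef CONFIG_HIGH_RES_TIMERS
+
+@@ -658,13 +676,7 @@ hrtimer_forward(struct hrtimer *timer, k
+ */
+ orun++;
+ }
+- timer->expires = ktime_add(timer->expires, interval);
+- /*
+- * Make sure, that the result did not wrap with a very large
+- * interval.
+- */
+- if (timer->expires.tv64 < 0)
+- timer->expires = ktime_set(KTIME_SEC_MAX, 0);
++ timer->expires = ktime_add_safe(timer->expires, interval);
+
+ return orun;
+ }
+@@ -815,7 +827,7 @@ hrtimer_start(struct hrtimer *timer, kti
+ new_base = switch_hrtimer_base(timer, base);
+
+ if (mode == HRTIMER_MODE_REL) {
+- tim = ktime_add(tim, new_base->get_time());
++ tim = ktime_add_safe(tim, new_base->get_time());
+ /*
+ * CONFIG_TIME_LOW_RES is a temporary way for architectures
+ * to signal that they simply return xtime in
+@@ -824,16 +836,8 @@ hrtimer_start(struct hrtimer *timer, kti
+ * timeouts. This will go away with the GTOD framework.
+ */
+ #ifdef CONFIG_TIME_LOW_RES
+- tim = ktime_add(tim, base->resolution);
++ tim = ktime_add_safe(tim, base->resolution);
+ #endif
+- /*
+- * Careful here: User space might have asked for a
+- * very long sleep, so the add above might result in a
+- * negative number, which enqueues the timer in front
+- * of the queue.
+- */
+- if (tim.tv64 < 0)
+- tim.tv64 = KTIME_MAX;
+ }
+ timer->expires = tim;
+
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -765,9 +765,11 @@ common_timer_set(struct k_itimer *timr,
+ /* SIGEV_NONE timers are not queued ! See common_timer_get */
+ if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
+ /* Setup correct expiry time for relative timers */
+- if (mode == HRTIMER_MODE_REL)
+- timer->expires = ktime_add(timer->expires,
+- timer->base->get_time());
++ if (mode == HRTIMER_MODE_REL) {
++ timer->expires =
++ ktime_add_safe(timer->expires,
++ timer->base->get_time());
++ }
+ return 0;
+ }
+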
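--- a/hardened-sources/2.6/tags/2.6.23-6/1019_2.6.23.Q_genirq-do-not-leave-interupts-enabled-on-free_irq.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1019_2.6.23.Q_genirq-do-not-leave-interupts-enabled-on-free_irq.patch
@@ -0,0 +1,76 @@
+From stable-bounces@××××××××××××.org Tue Feb 19 15:29:28 2008
+From: Thomas Gleixner <tglx@××××××××××.de>
+Date: Wed, 20 Feb 2008 00:29:02 +0100 (CET)
+Subject: genirq: do not leave interupts enabled on free_irq
+To: Stable Team <stable@××××××.org>
+Message-ID: <alpine.LFD.1.00.0802200026480.7583@×××××××××××××××××××××.de>
+
+From: Thomas Gleixner <tglx@××××××××××.de>
+
+commit 89d694b9dbe769ca1004e01db0ca43964806a611
+
+The default_disable() function was changed in commit:
+
+ 76d2160147f43f982dfe881404cfde9fd0a9da21
+ genirq: do not mask interrupts by default
+
+It removed the mask function in favour of the default delayed
+interrupt disabling. Unfortunately this also broke the shutdown in
+free_irq() when the last handler is removed from the interrupt for
+those architectures which rely on the default implementations. Now we
+can end up with a enabled interrupt line after the last handler was
+removed, which can result in spurious interrupts.
+
+Fix this by adding a default_shutdown function, which is only
+installed, when the irqchip implementation does provide neither a
+shutdown nor a disable function.
+
+
+Pointed-out-by: Michael Hennerich <Michael.Hennerich@××××××.com>
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
+Acked-by: Ingo Molnar <mingo@××××.hu>
+Tested-by: Michael Hennerich <Michael.Hennerich@××××××.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+
+---
+ kernel/irq/chip.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/chip.c
++++ b/kernel/irq/chip.c
+@@ -246,6 +246,17 @@ static unsigned int default_startup(unsi
+ }
+
+ /*
++ * default shutdown function
++ */
++static void default_shutdown(unsigned int irq)
++{
++ struct irq_desc *desc = irq_desc + irq;
++
++ desc->chip->mask(irq);
++ desc->status |= IRQ_MASKED;
++}
++
++/*
+ * Fixup enable/disable function pointers
+ */
+ void irq_chip_set_defaults(struct irq_chip *chip)
+@@ -256,8 +267,15 @@ void irq_chip_set_defaults(struct irq_ch
+ chip->disable = default_disable;
+ if (!chip->startup)
+ chip->startup = default_startup;
++ /*
++ * We use chip->disable, when the user provided its own. When
++ * we have default_disable set for chip->disable, then we need
++ * to use default_shutdown, otherwise the irq line is not
++ * disabled on free_irq():
++ */
+ if (!chip->shutdown)
+- chip->shutdown = chip->disable;
++ chip->shutdown = chip->disable != default_disable ?
++ chip->disable : default_shutdown;
+ if (!chip->name)
+ chip->name = chip->typename;
+ if (!chip->end)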
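--- a/hardened-sources/2.6/tags/2.6.23-6/1020_2.6.23.Q_disable-g5-nap-mode-during-smu-commands-on-u3.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1020_2.6.23.Q_disable-g5-nap-mode-during-smu-commands-on-u3.patch
@@ -0,0 +1,144 @@
+From 592a607bbc053bc6f614a0e619326009f4b3829e Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@×××××××××××××××.org>
+Date: Thu, 7 Feb 2008 14:29:43 +1100
+Subject: [PATCH] [POWERPC] Disable G5 NAP mode during SMU commands on U3
+
+From: Benjamin Herrenschmidt <benh@×××××××××××××××.org>
+
+patch 592a607bbc053bc6f614a0e619326009f4b3829e in mainline.
+
+It appears that with the U3 northbridge, if the processor is in NAP
+mode the whole time while waiting for an SMU command to complete,
+then the SMU will fail. It could be related to the weird backward
+mechanism the SMU uses to get to system memory via i2c to the
+northbridge that doesn't operate properly when the said bridge is
+in napping along with the CPU. That is on U3 at least, U4 doesn't
+seem to be affected.
+
+This didn't show before NO_HZ as the timer wakeup was enough to make
+it work it seems, but that is no longer the case.
+
+This fixes it by disabling NAP mode on those machines while
+an SMU command is in flight.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@×××××××××××××××.org>
+Signed-off-by: Paul Mackerras <paulus@×××××.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+---
+ arch/powerpc/platforms/powermac/feature.c | 11 ++++++++++-
+ drivers/macintosh/smu.c | 25 ++++++++++++++++++++++++-
+ include/asm-powerpc/pmac_feature.h | 8 ++++++++
+ 3 files changed, 42 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powermac/feature.c
++++ b/arch/powerpc/platforms/powermac/feature.c
+@@ -2565,6 +2565,8 @@ static void __init probe_uninorth(void)
+
+ /* Locate core99 Uni-N */
+ uninorth_node = of_find_node_by_name(NULL, "uni-n");
++ uninorth_maj = 1;
++
+ /* Locate G5 u3 */
+ if (uninorth_node == NULL) {
+ uninorth_node = of_find_node_by_name(NULL, "u3");
+@@ -2575,8 +2577,10 @@ static void __init probe_uninorth(void)
+ uninorth_node = of_find_node_by_name(NULL, "u4");
+ uninorth_maj = 4;
+ }
+- if (uninorth_node == NULL)
++ if (uninorth_node == NULL) {
++ uninorth_maj = 0;
+ return;
++ }
+
+ addrp = of_get_property(uninorth_node, "reg", NULL);
+ if (addrp == NULL)
+@@ -3029,3 +3033,8 @@ void pmac_resume_agp_for_card(struct pci
+ pmac_agp_resume(pmac_agp_bridge);
+ }
+ EXPORT_SYMBOL(pmac_resume_agp_for_card);
++
++int pmac_get_uninorth_variant(void)
++{
++ return uninorth_maj;
++}
+--- a/drivers/macintosh/smu.c
++++ b/drivers/macintosh/smu.c
+@@ -85,6 +85,7 @@ struct smu_device {
+ u32 cmd_buf_abs; /* command buffer absolute */
+ struct list_head cmd_list;
+ struct smu_cmd *cmd_cur; /* pending command */
++ int broken_nap;
+ struct list_head cmd_i2c_list;
+ struct smu_i2c_cmd *cmd_i2c_cur; /* pending i2c command */
+ struct timer_list i2c_timer;
+@@ -135,6 +136,19 @@ static void smu_start_cmd(void)
+ fend = faddr + smu->cmd_buf->length + 2;
+ flush_inval_dcache_range(faddr, fend);
+
++
++ /* We also disable NAP mode for the duration of the command
++ * on U3 based machines.
++ * This is slightly racy as it can be written back to 1 by a sysctl
++ * but that never happens in practice. There seem to be an issue with
++ * U3 based machines such as the iMac G5 where napping for the
++ * whole duration of the command prevents the SMU from fetching it
++ * from memory. This might be related to the strange i2c based
++ * mechanism the SMU uses to access memory.
++ */
++ if (smu->broken_nap)
++ powersave_nap = 0;
++
+ /* This isn't exactly a DMA mapping here, I suspect
+ * the SMU is actually communicating with us via i2c to the
+ * northbridge or the CPU to access RAM.
+@@ -211,6 +225,10 @@ static irqreturn_t smu_db_intr(int irq,
+ misc = cmd->misc;
+ mb();
+ cmd->status = rc;
++
++ /* Re-enable NAP mode */
++ if (smu->broken_nap)
++ powersave_nap = 1;
+ bail:
+ /* Start next command if any */
+ smu_start_cmd();
+@@ -461,7 +479,7 @@ int __init smu_init (void)
+ if (np == NULL)
+ return -ENODEV;
+
+- printk(KERN_INFO "SMU driver %s %s\n", VERSION, AUTHOR);
++ printk(KERN_INFO "SMU: Driver %s %s\n", VERSION, AUTHOR);
+
+ if (smu_cmdbuf_abs == 0) {
+ printk(KERN_ERR "SMU: Command buffer not allocated !\n");
+@@ -533,6 +551,11 @@ int __init smu_init (void)
+ goto fail;
+ }
+
++ /* U3 has an issue with NAP mode when issuing SMU commands */
++ smu->broken_nap = pmac_get_uninorth_variant() < 4;
++ if (smu->broken_nap)
++ printk(KERN_INFO "SMU: using NAP mode workaround\n");
++
+ sys_ctrler = SYS_CTRLER_SMU;
+ return 0;
+
+--- a/include/asm-powerpc/pmac_feature.h
++++ b/include/asm-powerpc/pmac_feature.h
+@@ -392,6 +392,14 @@ extern u32 __iomem *uninorth_base;
+ #define UN_BIS(r,v) (UN_OUT((r), UN_IN(r) | (v)))
+ #define UN_BIC(r,v) (UN_OUT((r), UN_IN(r) & ~(v)))
+
++/* Uninorth variant:
++ *
++ * 0 = not uninorth
++ * 1 = U1.x or U2.x
++ * 3 = U3
++ * 4 = U4
++ */
++extern int pmac_get_uninorth_variant(void);
+
+ #endif /* __ASM_POWERPC_PMAC_FEATURE_H */
+ #endif /* __KERNEL__ */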
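--- a/hardened-sources/2.6/tags/2.6.23-6/1021_2.6.23.Q_be-more-robust-about-bad-arguments-in-get_user_pages.patch
+++ b/hardened-sources/2.6/tags/2.6.23-6/1021_2.6.23.Q_be-more-robust-about-bad-arguments-in-get_user_pages.patch
@@ -0,0 +1,47 @@
+From 900cf086fd2fbad07f72f4575449e0d0958f860f Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@×××.net>
+Date: Mon, 11 Feb 2008 16:17:33 -0700
+Subject: [PATCH] Be more robust about bad arguments in get_user_pages()
+
+From: Jonathan Corbet <corbet@×××.net>
+
+patch 900cf086fd2fbad07f72f4575449e0d0958f860f in mainline.
+
+So I spent a while pounding my head against my monitor trying to figure
+out the vmsplice() vulnerability - how could a failure to check for
+*read* access turn into a root exploit? It turns out that it's a buffer
+overflow problem which is made easy by the way get_user_pages() is
+coded.
+
+In particular, "len" is a signed int, and it is only checked at the
+*end* of a do {} while() loop. So, if it is passed in as zero, the loop
+will execute once and decrement len to -1. At that point, the loop will
+proceed until the next invalid address is found; in the process, it will
+likely overflow the pages array passed in to get_user_pages().
+
+I think that, if get_user_pages() has been asked to grab zero pages,
+that's what it should do. Thus this patch; it is, among other things,
+enough to block the (already fixed) root exploit and any others which
+might be lurking in similar code. I also think that the number of pages
+should be unsigned, but changing the prototype of this function probably
+requires some more careful review.
+
+Signed-off-by: Jonathan Corbet <corbet@×××.net>
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+
+---
+ mm/memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -981,6 +981,8 @@ int get_user_pages(struct task_struct *t
+ int i;
+ unsigned int vm_flags;
+
++ if (len <= 0)
++ return 0;
+ /*
+ * Require read or write permissions.
+ * If 'force' is set, we only require the "MAY" flags.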
760 Added: hardened-sources/2.6/tags/2.6.23-6/1022_2.6.23.Q_x86_64-cpa-fix-cache-attribute-inconsistency-bug.patch
761 ===================================================================
762 --- hardened-sources/2.6/tags/2.6.23-6/1022_2.6.23.Q_x86_64-cpa-fix-cache-attribute-inconsistency-bug.patch (rev 0)
763 +++ hardened-sources/2.6/tags/2.6.23-6/1022_2.6.23.Q_x86_64-cpa-fix-cache-attribute-inconsistency-bug.patch 2008-04-30 11:41:42 UTC (rev 96)
764 @@ -0,0 +1,62 @@
765 +From linux-kernel-owner+greg=40kroah.com-S1761718AbYBOT7Z@×××××××××××.org Fri Feb 15 12:00:56 2008
766 +From: Ingo Molnar <mingo@××××.hu>
767 +Date: Fri, 15 Feb 2008 20:58:54 +0100
768 +Subject: x86_64: CPA, fix cache attribute inconsistency bug
769 +To: stable@××××××.org
770 +Cc: linux-kernel@×××××××××××.org, Thomas Gleixner <tglx@××××××××××.de>, Andi Kleen <andi@××××××××××.org>
771 +Message-ID: <20080215195854.GB15432@××××.hu>
772 +Content-Disposition: inline
773 +
774 +From: Ingo Molnar <mingo@××××.hu>
775 +
776 +no upstream git id as the code has been rewritten.
777 +
778 +fix CPA cache attribute bug in v2.6.23. When phys_base is nonzero
779 +(when CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates
780 +the secondary alias address by -14 MB (depending on the configured
781 +offset).
782 +
783 +The default 64-bit kernels of Fedora and Ubuntu are affected:
784 +
785 + $ grep RELOCA /boot/config-2.6.23.9-85.fc8
786 + CONFIG_RELOCATABLE=y
787 +
788 + $ grep RELOC /boot/config-2.6.22-14-generic
789 + CONFIG_RELOCATABLE=y
790 +
791 +and probably on many other distros as well.
792 +
793 +the bug affects all pages in the first 40 MB of physical RAM that
794 +are allocated by some subsystem that does ioremap_nocache() on them:
795 +
796 + if (__pa(address) < KERNEL_TEXT_SIZE) {
797 +
798 +Hence we might leave page table entries with inconsistent cache
799 +attributes around (pages mapped at both UnCacheable and Write-Back),
800 +and we can also set the wrong kernel text pages to UnCacheable.
801 +
802 +the effects of this bug can be random slowdowns and other misbehavior.
803 +If for example AGP allocates its aperture pages into the first 40 MB
804 +of physical RAM, then the -14 MB bug might mark random kernel texto
805 +pages as uncacheable, slowing down a random portion of the 64-bit
806 +kernel until the AGP driver is unloaded.
807 +
808 +Signed-off-by: Ingo Molnar <mingo@××××.hu>
809 +Acked-by: Thomas Gleixner <tglx@××××××××××.de>
810 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
811 +
812 +---
813 + arch/x86_64/mm/pageattr.c | 2 +-
814 + 1 file changed, 1 insertion(+), 1 deletion(-)
815 +
816 +--- a/arch/x86_64/mm/pageattr.c
817 ++++ b/arch/x86_64/mm/pageattr.c
818 +@@ -207,7 +207,7 @@ int change_page_attr_addr(unsigned long
819 + if (__pa(address) < KERNEL_TEXT_SIZE) {
820 + unsigned long addr2;
821 + pgprot_t prot2;
822 +- addr2 = __START_KERNEL_map + __pa(address);
823 ++ addr2 = __START_KERNEL_map + __pa(address) - phys_base;
824 + /* Make sure the kernel mappings stay executable */
825 + prot2 = pte_pgprot(pte_mkexec(pfn_pte(0, prot)));
826 + err = __change_page_attr(addr2, pfn, prot2,
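Review bot: The guard two lines above the changed line still compares the raw physical address against KERNEL_TEXT_SIZE, while the alias is now computed relative to phys_base; for a page whose physical address is below phys_base (possible whenever the relocated kernel sits above some low RAM) `addr2` lands below __START_KERNEL_map and __change_page_attr() is asked to modify a mapping that is not the kernel-text alias of that page. If the intent is to cover exactly the pages the kernel mapping aliases, the condition should use the same offset, e.g. `if (__pa(address) >= phys_base && __pa(address) - phys_base < KERNEL_TEXT_SIZE) {`. I cannot see __change_page_attr() from here, so whether it rejects such an address or silently updates the wrong PTE is something to confirm before treating this as harmless. change_page_attr_addr() starts and ends outside the hunk.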
827
828 Added: hardened-sources/2.6/tags/2.6.23-6/4405_alpha-sysctl-uac-for-hardened-extras.patch
829 ===================================================================
830 --- hardened-sources/2.6/tags/2.6.23-6/4405_alpha-sysctl-uac-for-hardened-extras.patch (rev 0)
831 +++ hardened-sources/2.6/tags/2.6.23-6/4405_alpha-sysctl-uac-for-hardened-extras.patch 2008-04-30 11:41:42 UTC (rev 96)
832 @@ -0,0 +1,187 @@
833 +---
834 + arch/alpha/Kconfig | 26 ++++++++++++++++++++++++
835 + arch/alpha/kernel/traps.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++
836 + include/linux/sysctl.h | 14 +++++++++++++
837 + kernel/sysctl.c | 12 ++++++++++-
838 + 4 files changed, 100 insertions(+), 1 deletion(-)
839 +
840 +--- a/arch/alpha/Kconfig
841 ++++ b/arch/alpha/Kconfig
842 +@@ -616,6 +616,32 @@ config VERBOSE_MCHECK_ON
843 +
844 + Take the default (1) unless you want more control or more info.
845 +
846 ++config ALPHA_UAC_SYSCTL
847 ++ bool "Configure UAC policy via sysctl"
848 ++ depends on SYSCTL
849 ++ default y
850 ++ ---help---
851 ++ Configuring the UAC (unaligned access control) policy on a Linux
852 ++ system usually involves setting a compile time define. If you say
853 ++ Y here, you will be able to modify the UAC policy at runtime using
854 ++ the /proc interface.
855 ++
856 ++ The UAC policy defines the action Linux should take when an
857 ++ unaligned memory access occurs. The action can include printing a
858 ++ warning message (NOPRINT), sending a signal to the offending
859 ++ program to help developers debug their applications (SIGBUS), or
860 ++ disabling the transparent fixing (NOFIX).
861 ++
862 ++ The sysctls will be initialized to the compile-time defined UAC
863 ++ policy. You can change these manually, or with the sysctl(8)
864 ++ userspace utility.
865 ++
866 ++ To disable the warning messages at runtime, you would use
867 ++
868 ++ echo 1 > /proc/sys/kernel/uac/noprint
869 ++
870 ++ This is pretty harmless. Say Y if you're not sure.
871 ++
872 + source "drivers/pci/Kconfig"
873 + source "drivers/eisa/Kconfig"
874 +
875 +--- a/arch/alpha/kernel/traps.c
876 ++++ b/arch/alpha/kernel/traps.c
877 +@@ -14,6 +14,7 @@
878 + #include <linux/delay.h>
879 + #include <linux/smp_lock.h>
880 + #include <linux/module.h>
881 ++#include <linux/sysctl.h>
882 + #include <linux/init.h>
883 + #include <linux/kallsyms.h>
884 +
885 +@@ -102,6 +103,38 @@ static char * ireg_name[] = {"v0", "t0",
886 + "t10", "t11", "ra", "pv", "at", "gp", "sp", "zero"};
887 + #endif
888 +
889 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
890 ++static struct ctl_table_header *uac_sysctl_header;
891 ++
892 ++static int enabled_noprint = 0;
893 ++static int enabled_sigbus = 0;
894 ++static int enabled_nofix = 0;
895 ++
896 ++ctl_table uac_table[] = {
897 ++ {KERN_UAC_NOPRINT, "noprint", &enabled_noprint, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
898 ++ {KERN_UAC_SIGBUS, "sigbus", &enabled_sigbus, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
899 ++ {KERN_UAC_NOFIX, "nofix", &enabled_nofix, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
900 ++ {0}
901 ++};
902 ++
903 ++static int __init init_uac_sysctl(void)
904 ++{
905 ++ /* Initialize sysctls with the #defined UAC policy */
906 ++ enabled_noprint = (test_thread_flag (TIF_UAC_NOPRINT)) ? 1 : 0;
907 ++ enabled_sigbus = (test_thread_flag (TIF_UAC_SIGBUS)) ? 1 : 0;
908 ++ enabled_nofix = (test_thread_flag (TIF_UAC_NOFIX)) ? 1 : 0;
909 ++
910 ++ /* save this for later so we can clean up */
911 ++ uac_sysctl_header = register_sysctl_table(uac_table);
912 ++ return 0;
913 ++}
914 ++
915 ++static void __exit exit_uac_sysctl(void)
916 ++{
917 ++ unregister_sysctl_table(uac_sysctl_header);
918 ++}
919 ++#endif
920 ++
921 + static void
922 + dik_show_code(unsigned int *pc)
923 + {
924 +@@ -780,7 +813,11 @@ do_entUnaUser(void __user * va, unsigned
925 + /* Check the UAC bits to decide what the user wants us to do
926 + with the unaliged access. */
927 +
928 ++#ifndef CONFIG_ALPHA_UAC_SYSCTL
929 + if (!test_thread_flag (TIF_UAC_NOPRINT)) {
930 ++#else /* CONFIG_ALPHA_UAC_SYSCTL */
931 ++ if (!(enabled_noprint)) {
932 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
933 + if (cnt >= 5 && jiffies - last_time > 5*HZ) {
934 + cnt = 0;
935 + }
936 +@@ -791,10 +828,18 @@ do_entUnaUser(void __user * va, unsigned
937 + }
938 + last_time = jiffies;
939 + }
940 ++#ifndef CONFIG_ALPHA_UAC_SYSCTL
941 + if (test_thread_flag (TIF_UAC_SIGBUS))
942 ++#else /* CONFIG_ALPHA_UAC_SYSCTL */
943 ++ if (enabled_sigbus)
944 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
945 + goto give_sigbus;
946 + /* Not sure why you'd want to use this, but... */
947 ++#ifndef CONFIG_ALPHA_UAC_SYSCTL
948 + if (test_thread_flag (TIF_UAC_NOFIX))
949 ++#else /* CONFIG_ALPHA_UAC_SYSCTL */
950 ++ if (enabled_nofix)
951 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
952 + return;
953 +
954 + /* Don't bother reading ds in the access check since we already
955 +@@ -1089,3 +1134,7 @@ trap_init(void)
956 + wrent(entSys, 5);
957 + wrent(entDbg, 6);
958 + }
959 ++
960 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
961 ++__initcall(init_uac_sysctl);
962 ++#endif
963 +--- a/include/linux/sysctl.h
964 ++++ b/include/linux/sysctl.h
965 +@@ -165,6 +165,9 @@ enum
966 + KERN_MAX_LOCK_DEPTH=74,
967 + KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
968 + KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
969 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
970 ++ KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
971 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
972 + };
973 +
974 +
975 +@@ -258,6 +261,17 @@ enum
976 + PTY_NR=2
977 + };
978 +
979 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
980 ++/* /proc/sys/kernel/uac */
981 ++enum
982 ++{
983 ++ /* UAC policy on Alpha */
984 ++ KERN_UAC_NOPRINT=1, /* int: printk() on unaligned access */
985 ++ KERN_UAC_SIGBUS=2, /* int: send SIGBUS on unaligned access */
986 ++ KERN_UAC_NOFIX=3, /* int: don't fix the unaligned access */
987 ++};
988 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
989 ++
990 + /* /proc/sys/bus/isa */
991 + enum
992 + {
993 +--- a/kernel/sysctl.c
994 ++++ b/kernel/sysctl.c
995 +@@ -155,6 +155,9 @@ extern ctl_table pty_table[];
996 + #ifdef CONFIG_INOTIFY_USER
997 + extern ctl_table inotify_table[];
998 + #endif
999 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
1000 ++extern ctl_table uac_table[];
1001 ++#endif
1002 +
1003 + #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
1004 + int sysctl_legacy_va_layout;
1005 +@@ -208,6 +211,14 @@ static ctl_table root_table[] = {
1006 + * NOTE: do not add new entries to this table unless you have read
1007 + * Documentation/sysctl/ctl_unnumbered.txt
1008 + */
1009 ++#ifdef CONFIG_ALPHA_UAC_SYSCTL
1010 ++ {
1011 ++ .ctl_name = KERN_UAC_POLICY,
1012 ++ .procname = "uac",
1013 ++ .mode = 0555,
1014 ++ .child = uac_table,
1015 ++ },
1016 ++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
1017 + { .ctl_name = 0 }
1018 + };
1019 +
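Review bot: The new sysctl is registered twice and under a path that matches neither its Kconfig help nor its header comment: init_uac_sysctl() calls `register_sysctl_table(uac_table)`, which in this kernel's API exposes noprint/sigbus/nofix directly at the root of /proc/sys, and the kernel/sysctl.c hunk additionally attaches the same uac_table to root_table, which yields /proc/sys/uac, whereas the help text says `echo 1 > /proc/sys/kernel/uac/noprint` and sysctl.h says `/* /proc/sys/kernel/uac */`. Keeping a single registration would also avoid the sysctl_check warnings that a numbered ctl_name (78) placed in root_table, right under the "do not add new entries" note, is likely to trigger. The smallest fix that matches the documentation is to drop the `uac_sysctl_header = register_sysctl_table(uac_table);` line together with exit_uac_sysctl() (it is `__exit` and nothing references it, since only `__initcall(init_uac_sysctl)` is wired up) and move the `{ .ctl_name = KERN_UAC_POLICY, .procname = "uac", .mode = 0555, .child = uac_table }` entry from root_table into kern_table. A comment in traps.c should also state that init_uac_sysctl() seeds the three globals from `test_thread_flag()` on whichever task runs the initcall, and that the `#ifdef CONFIG_ALPHA_UAC_SYSCTL` chain in do_entUnaUser() replaces the per-thread TIF_UAC_* checks with those globals, so the policy becomes system-wide and a per-process setting is no longer honoured when the option is enabled.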
1020
1021 Added: hardened-sources/2.6/tags/2.6.23-6/4450_grsec-2.1.11-2.6.23.15-20080210.patch
1022 ===================================================================
1023 --- hardened-sources/2.6/tags/2.6.23-6/4450_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
1024 +++ hardened-sources/2.6/tags/2.6.23-6/4450_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:41:42 UTC (rev 96)
1025 @@ -0,0 +1,35665 @@
1026 +From: Kerin Millar <kerframil@×××××.com>
1027 +
1028 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
1029 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
1030 +mmap.c changes.
1031 +
1032 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
1033 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
1034 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
1035 +@@ -176,14 +176,18 @@ times.h*
1036 + tkparse
1037 + trix_boot.h
1038 + utsrelease.h*
1039 ++vdso.lds
1040 + version.h*
1041 + vmlinux
1042 + vmlinux-*
1043 + vmlinux.aout
1044 ++vmlinux.bin.all
1045 + vmlinux.lds
1046 ++vmlinux.relocs
1047 + vsyscall.lds
1048 + wanxlfw.inc
1049 + uImage
1050 + unifdef
1051 ++utsrelease.h
1052 + zImage*
1053 + zconf.hash.c
1054 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
1055 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
1056 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
1057 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
1058 +
1059 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
1060 +
1061 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
1062 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
1063 + -fno-strict-aliasing -fno-common \
1064 + -Werror-implicit-function-declaration
1065 + AFLAGS := -D__ASSEMBLY__
1066 +@@ -560,7 +560,7 @@ export mod_strip_cmd
1067 +
1068 +
1069 + ifeq ($(KBUILD_EXTMOD),)
1070 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
1071 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
1072 +
1073 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
1074 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
1075 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
1076 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
1077 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
1078 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
1079 +
1080 + /* The small sections were sorted to the end of the segment.
1081 + The following should definitely cover them. */
1082 +- gp = (u64)me->module_core + me->core_size - 0x8000;
1083 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
1084 + got = sechdrs[me->arch.gotsecindex].sh_addr;
1085 +
1086 + for (i = 0; i < n; i++) {
1087 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
1088 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
1089 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
1090 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
1091 + merely specific addresses, but regions of memory -- perhaps
1092 + this feature should be incorporated into all ports? */
1093 +
1094 ++#ifdef CONFIG_PAX_RANDMMAP
1095 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
1096 ++#endif
1097 ++
1098 + if (addr) {
1099 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
1100 + if (addr != (unsigned long) -ENOMEM)
1101 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
1102 + }
1103 +
1104 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
1105 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
1106 +- len, limit);
1107 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
1108 ++
1109 + if (addr != (unsigned long) -ENOMEM)
1110 + return addr;
1111 +
1112 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
1113 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
1114 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
1115 +@@ -15,6 +15,7 @@
1116 + #include <linux/slab.h>
1117 + #include <linux/security.h>
1118 + #include <linux/signal.h>
1119 ++#include <linux/grsecurity.h>
1120 +
1121 + #include <asm/uaccess.h>
1122 + #include <asm/pgtable.h>
1123 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
1124 + goto out_notsk;
1125 + }
1126 +
1127 ++ if (gr_handle_ptrace(child, request)) {
1128 ++ ret = -EPERM;
1129 ++ goto out;
1130 ++ }
1131 ++
1132 + if (request == PTRACE_ATTACH) {
1133 + ret = ptrace_attach(child);
1134 + goto out;
1135 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
1136 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
1137 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
1138 +@@ -23,6 +23,7 @@
1139 + #include <linux/smp.h>
1140 + #include <linux/interrupt.h>
1141 + #include <linux/module.h>
1142 ++#include <linux/binfmts.h>
1143 +
1144 + #include <asm/system.h>
1145 + #include <asm/uaccess.h>
1146 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
1147 + __reload_thread(pcb);
1148 + }
1149 +
1150 ++#ifdef CONFIG_PAX_PAGEEXEC
1151 ++/*
1152 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
1153 ++ *
1154 ++ * returns 1 when task should be killed
1155 ++ * 2 when patched PLT trampoline was detected
1156 ++ * 3 when unpatched PLT trampoline was detected
1157 ++ */
1158 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
1159 ++{
1160 ++
1161 ++#ifdef CONFIG_PAX_EMUPLT
1162 ++ int err;
1163 ++
1164 ++ do { /* PaX: patched PLT emulation #1 */
1165 ++ unsigned int ldah, ldq, jmp;
1166 ++
1167 ++ err = get_user(ldah, (unsigned int *)regs->pc);
1168 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
1169 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
1170 ++
1171 ++ if (err)
1172 ++ break;
1173 ++
1174 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
1175 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
1176 ++ jmp == 0x6BFB0000U)
1177 ++ {
1178 ++ unsigned long r27, addr;
1179 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
1180 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
1181 ++
1182 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
1183 ++ err = get_user(r27, (unsigned long *)addr);
1184 ++ if (err)
1185 ++ break;
1186 ++
1187 ++ regs->r27 = r27;
1188 ++ regs->pc = r27;
1189 ++ return 2;
1190 ++ }
1191 ++ } while (0);
1192 ++
1193 ++ do { /* PaX: patched PLT emulation #2 */
1194 ++ unsigned int ldah, lda, br;
1195 ++
1196 ++ err = get_user(ldah, (unsigned int *)regs->pc);
1197 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
1198 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
1199 ++
1200 ++ if (err)
1201 ++ break;
1202 ++
1203 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
1204 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
1205 ++ (br & 0xFFE00000U) == 0xC3E00000U)
1206 ++ {
1207 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
1208 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
1209 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
1210 ++
1211 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
1212 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
1213 ++ return 2;
1214 ++ }
1215 ++ } while (0);
1216 ++
1217 ++ do { /* PaX: unpatched PLT emulation */
1218 ++ unsigned int br;
1219 ++
1220 ++ err = get_user(br, (unsigned int *)regs->pc);
1221 ++
1222 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
1223 ++ unsigned int br2, ldq, nop, jmp;
1224 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
1225 ++
1226 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
1227 ++ err = get_user(br2, (unsigned int *)addr);
1228 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
1229 ++ err |= get_user(nop, (unsigned int *)(addr+8));
1230 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
1231 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
1232 ++
1233 ++ if (err)
1234 ++ break;
1235 ++
1236 ++ if (br2 == 0xC3600000U &&
1237 ++ ldq == 0xA77B000CU &&
1238 ++ nop == 0x47FF041FU &&
1239 ++ jmp == 0x6B7B0000U)
1240 ++ {
1241 ++ regs->r28 = regs->pc+4;
1242 ++ regs->r27 = addr+16;
1243 ++ regs->pc = resolver;
1244 ++ return 3;
1245 ++ }
1246 ++ }
1247 ++ } while (0);
1248 ++#endif
1249 ++
1250 ++ return 1;
1251 ++}
1252 ++
1253 ++void pax_report_insns(void *pc, void *sp)
1254 ++{
1255 ++ unsigned long i;
1256 ++
1257 ++ printk(KERN_ERR "PAX: bytes at PC: ");
1258 ++ for (i = 0; i < 5; i++) {
1259 ++ unsigned int c;
1260 ++ if (get_user(c, (unsigned int *)pc+i))
1261 ++ printk("???????? ");
1262 ++ else
1263 ++ printk("%08x ", c);
1264 ++ }
1265 ++ printk("\n");
1266 ++}
1267 ++#endif
1268 +
1269 + /*
1270 + * This routine handles page faults. It determines the address,
1271 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
1272 + good_area:
1273 + si_code = SEGV_ACCERR;
1274 + if (cause < 0) {
1275 +- if (!(vma->vm_flags & VM_EXEC))
1276 ++ if (!(vma->vm_flags & VM_EXEC)) {
1277 ++
1278 ++#ifdef CONFIG_PAX_PAGEEXEC
1279 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
1280 ++ goto bad_area;
1281 ++
1282 ++ up_read(&mm->mmap_sem);
1283 ++ switch (pax_handle_fetch_fault(regs)) {
1284 ++
1285 ++#ifdef CONFIG_PAX_EMUPLT
1286 ++ case 2:
1287 ++ case 3:
1288 ++ return;
1289 ++#endif
1290 ++
1291 ++ }
1292 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
1293 ++ do_exit(SIGKILL);
1294 ++#else
1295 + goto bad_area;
1296 ++#endif
1297 ++
1298 ++ }
1299 + } else if (!cause) {
1300 + /* Allow reads even for write-only mappings */
1301 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
1302 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
1303 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
1304 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
1305 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
1306 + if (len > TASK_SIZE)
1307 + return -ENOMEM;
1308 +
1309 ++#ifdef CONFIG_PAX_RANDMMAP
1310 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
1311 ++#endif
1312 ++
1313 + if (addr) {
1314 + if (do_align)
1315 + addr = COLOUR_ALIGN(addr, pgoff);
1316 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
1317 + return addr;
1318 + }
1319 + if (len > mm->cached_hole_size) {
1320 +- start_addr = addr = mm->free_area_cache;
1321 ++ start_addr = addr = mm->free_area_cache;
1322 + } else {
1323 +- start_addr = addr = TASK_UNMAPPED_BASE;
1324 +- mm->cached_hole_size = 0;
1325 ++ start_addr = addr = mm->mmap_base;
1326 ++ mm->cached_hole_size = 0;
1327 + }
1328 +
1329 + full_search:
1330 +@@ -91,8 +95,8 @@ full_search:
1331 + * Start a new search - just in case we missed
1332 + * some holes.
1333 + */
1334 +- if (start_addr != TASK_UNMAPPED_BASE) {
1335 +- start_addr = addr = TASK_UNMAPPED_BASE;
1336 ++ if (start_addr != mm->mmap_base) {
1337 ++ start_addr = addr = mm->mmap_base;
1338 + mm->cached_hole_size = 0;
1339 + goto full_search;
1340 + }
1341 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
1342 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
1343 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
1344 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1345 +
1346 + int exception_trace = 1;
1347 +
1348 ++#ifdef CONFIG_PAX_PAGEEXEC
1349 ++void pax_report_insns(void *pc, void *sp)
1350 ++{
1351 ++ unsigned long i;
1352 ++
1353 ++ printk(KERN_ERR "PAX: bytes at PC: ");
1354 ++ for (i = 0; i < 20; i++) {
1355 ++ unsigned char c;
1356 ++ if (get_user(c, (unsigned char *)pc+i))
1357 ++ printk("???????? ");
1358 ++ else
1359 ++ printk("%02x ", c);
1360 ++ }
1361 ++ printk("\n");
1362 ++}
1363 ++#endif
1364 ++
1365 + /*
1366 + * This routine handles page faults. It determines the address and the
1367 + * problem, and then passes it off to one of the appropriate routines.
1368 +@@ -157,6 +174,16 @@ bad_area:
1369 + up_read(&mm->mmap_sem);
1370 +
1371 + if (user_mode(regs)) {
1372 ++
1373 ++#ifdef CONFIG_PAX_PAGEEXEC
1374 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1375 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1376 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1377 ++ do_exit(SIGKILL);
1378 ++ }
1379 ++ }
1380 ++#endif
1381 ++
1382 + if (exception_trace && printk_ratelimit())
1383 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
1384 + "sp %08lx ecr %lu\n",
1385 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
1386 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
1387 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
1388 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
1389 + hex
1390 + default 0xB0000000 if VMSPLIT_3G_OPT
1391 + default 0x80000000 if VMSPLIT_2G
1392 +- default 0x78000000 if VMSPLIT_2G_OPT
1393 ++ default 0x70000000 if VMSPLIT_2G_OPT
1394 + default 0x40000000 if VMSPLIT_1G
1395 + default 0xC0000000
1396 +
1397 +@@ -831,7 +831,7 @@ config CRASH_DUMP
1398 + config PHYSICAL_START
1399 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
1400 + default "0x1000000" if X86_NUMAQ
1401 +- default "0x100000"
1402 ++ default "0x200000"
1403 + help
1404 + This gives the physical address where the kernel is loaded.
1405 +
1406 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
1407 +
1408 + config COMPAT_VDSO
1409 + bool "Compat VDSO support"
1410 +- default y
1411 ++ default n
1412 + help
1413 + Map the VDSO to the predictable old-style address too.
1414 + ---help---
1415 +@@ -1092,7 +1092,7 @@ config PCI
1416 + choice
1417 + prompt "PCI access mode"
1418 + depends on PCI && !X86_VISWS
1419 +- default PCI_GOANY
1420 ++ default PCI_GODIRECT
1421 + ---help---
1422 + On PCI systems, the BIOS can be used to detect the PCI devices and
1423 + determine their configuration. However, some old PCI motherboards
1424 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
1425 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
1426 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
1427 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
1428 +
1429 + config X86_F00F_BUG
1430 + bool
1431 +- depends on M586MMX || M586TSC || M586 || M486 || M386
1432 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
1433 + default y
1434 +
1435 + config X86_WP_WORKS_OK
1436 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
1437 +
1438 + config X86_ALIGNMENT_16
1439 + bool
1440 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
1441 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
1442 + default y
1443 +
1444 + config X86_GOOD_APIC
1445 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
1446 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
1447 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
1448 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
1449 + This results in a large slowdown, but helps to find certain types
1450 + of memory corruptions.
1451 +
1452 +-config DEBUG_RODATA
1453 +- bool "Write protect kernel read-only data structures"
1454 +- depends on DEBUG_KERNEL
1455 +- help
1456 +- Mark the kernel read-only data as write-protected in the pagetables,
1457 +- in order to catch accidental (and incorrect) writes to such const
1458 +- data. This option may have a slight performance impact because a
1459 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
1460 +- If in doubt, say "N".
1461 +-
1462 + config 4KSTACKS
1463 + bool "Use 4Kb for kernel stacks instead of 8Kb"
1464 + depends on DEBUG_KERNEL
1465 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
1466 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
1467 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
1468 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
1469 + u8 v;
1470 + const u32 *p = (const u32 *)addr;
1471 +
1472 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
1473 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
1474 + return v;
1475 + }
1476 +
1477 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
1478 +
1479 + static inline void set_bit(int nr, void *addr)
1480 + {
1481 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
1482 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
1483 + }
1484 +
1485 + #endif /* BOOT_BITOPS_H */
1486 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
1487 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
1488 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
1489 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
1490 + static inline u16 ds(void)
1491 + {
1492 + u16 seg;
1493 +- asm("movw %%ds,%0" : "=rm" (seg));
1494 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
1495 + return seg;
1496 + }
1497 +
1498 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
1499 + static inline int memcmp(const void *s1, const void *s2, size_t len)
1500 + {
1501 + u8 diff;
1502 +- asm("repe; cmpsb; setnz %0"
1503 ++ asm volatile("repe; cmpsb; setnz %0"
1504 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
1505 + return diff;
1506 + }
1507 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
1508 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
1509 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
1510 +@@ -159,9 +159,8 @@ relocated:
1511 + */
1512 +
1513 + 1: subl $4, %edi
1514 +- movl 0(%edi), %ecx
1515 +- testl %ecx, %ecx
1516 +- jz 2f
1517 ++ movl (%edi), %ecx
1518 ++ jecxz 2f
1519 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
1520 + jmp 1b
1521 + 2:
1522 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
1523 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
1524 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
1525 +@@ -10,9 +10,13 @@
1526 + #define USE_BSD
1527 + #include <endian.h>
1528 +
1529 ++#include "../../../../include/linux/autoconf.h"
1530 ++
1531 ++#define MAX_PHDRS 100
1532 + #define MAX_SHDRS 100
1533 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
1534 + static Elf32_Ehdr ehdr;
1535 ++static Elf32_Phdr phdr[MAX_PHDRS];
1536 + static Elf32_Shdr shdr[MAX_SHDRS];
1537 + static Elf32_Sym *symtab[MAX_SHDRS];
1538 + static Elf32_Rel *reltab[MAX_SHDRS];
1539 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
1540 + }
1541 + }
1542 +
1543 ++static void read_phdrs(FILE *fp)
1544 ++{
1545 ++ int i;
1546 ++ if (ehdr.e_phnum > MAX_PHDRS) {
1547 ++ die("%d program headers supported: %d\n",
1548 ++ ehdr.e_phnum, MAX_PHDRS);
1549 ++ }
1550 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
1551 ++ die("Seek to %d failed: %s\n",
1552 ++ ehdr.e_phoff, strerror(errno));
1553 ++ }
1554 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
1555 ++ die("Cannot read ELF program headers: %s\n",
1556 ++ strerror(errno));
1557 ++ }
1558 ++ for(i = 0; i < ehdr.e_phnum; i++) {
1559 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
1560 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
1561 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
1562 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
1563 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
1564 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
1565 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
1566 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
1567 ++ }
1568 ++
1569 ++}
1570 ++
1571 + static void read_shdrs(FILE *fp)
1572 + {
1573 + int i;
1574 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
1575 + static void read_relocs(FILE *fp)
1576 + {
1577 + int i,j;
1578 ++ uint32_t base;
1579 ++
1580 + for(i = 0; i < ehdr.e_shnum; i++) {
1581 + if (shdr[i].sh_type != SHT_REL) {
1582 + continue;
1583 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
1584 + die("Cannot read symbol table: %s\n",
1585 + strerror(errno));
1586 + }
1587 ++ base = 0;
1588 ++ for (j = 0; j < ehdr.e_phnum; j++) {
1589 ++ if (phdr[j].p_type != PT_LOAD )
1590 ++ continue;
1591 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
1592 ++ continue;
1593 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
1594 ++ break;
1595 ++ }
1596 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
1597 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
1598 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
1599 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
1600 + }
1601 + }
1602 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
1603 + if (sym->st_shndx == SHN_ABS) {
1604 + continue;
1605 + }
1606 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
1607 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
1608 ++ continue;
1609 ++ }
1610 ++#ifdef CONFIG_PAX_KERNEXEC
1611 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
1612 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
1613 ++ continue;
1614 ++ }
1615 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
1616 ++ continue;
1617 ++ }
1618 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
1619 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
1620 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
1621 ++ continue;
1622 ++ }
1623 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
1624 ++ continue;
1625 ++ }
1626 ++#endif
1627 + if (r_type == R_386_PC32) {
1628 + /* PC relative relocations don't need to be adjusted */
1629 + }
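Review bot: The new filter in walk_relocs calls `sec_name(sym->st_shndx)` up to five times per symbol; hoisting it once, `const char *sname = sec_name(sym->st_shndx);`, makes the chain readable and cheaper. The `10` in `strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)` duplicates the literal's length and will silently drift if the prefix changes — `sizeof("__per_cpu_") - 1` keeps them in step. The `.text.head` test is an unbraced `if` whose body is another `if`; brace the outer one so a later `else` cannot bind to the wrong condition. The KERNEXEC comment says code is relocated via the base of KERNEL_CS, but nothing says why `__init_end` and `KERNEL_TEXT_OFFSET` are the two `.text.head` symbols that still need relocating — a one-line comment there would save the next reader a trip into the linker script. walk_relocs begins and ends outside the hunk.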
1630 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
1631 + fname, strerror(errno));
1632 + }
1633 + read_ehdr(fp);
1634 ++ read_phdrs(fp);
1635 + read_shdrs(fp);
1636 + read_strtabs(fp);
1637 + read_symtabs(fp);
1638 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
1639 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
1640 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
1641 +@@ -90,7 +90,7 @@ static int has_fpu(void)
1642 + u16 fcw = -1, fsw = -1;
1643 + u32 cr0;
1644 +
1645 +- asm("movl %%cr0,%0" : "=r" (cr0));
1646 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
1647 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
1648 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
1649 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
1650 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
1651 + {
1652 + u32 f0, f1;
1653 +
1654 +- asm("pushfl ; "
1655 ++ asm volatile("pushfl ; "
1656 + "pushfl ; "
1657 + "popl %0 ; "
1658 + "movl %0,%1 ; "
1659 +@@ -131,7 +131,7 @@ static void get_flags(void)
1660 + set_bit(X86_FEATURE_FPU, cpu.flags);
1661 +
1662 + if (has_eflag(X86_EFLAGS_ID)) {
1663 +- asm("cpuid"
1664 ++ asm volatile("cpuid"
1665 + : "=a" (max_intel_level),
1666 + "=b" (cpu_vendor[0]),
1667 + "=d" (cpu_vendor[1]),
1668 +@@ -140,7 +140,7 @@ static void get_flags(void)
1669 +
1670 + if (max_intel_level >= 0x00000001 &&
1671 + max_intel_level <= 0x0000ffff) {
1672 +- asm("cpuid"
1673 ++ asm volatile("cpuid"
1674 + : "=a" (tfms),
1675 + "=c" (cpu.flags[4]),
1676 + "=d" (cpu.flags[0])
1677 +@@ -152,7 +152,7 @@ static void get_flags(void)
1678 + cpu.model += ((tfms >> 16) & 0xf) << 4;
1679 + }
1680 +
1681 +- asm("cpuid"
1682 ++ asm volatile("cpuid"
1683 + : "=a" (max_amd_level)
1684 + : "a" (0x80000000)
1685 + : "ebx", "ecx", "edx");
1686 +@@ -160,7 +160,7 @@ static void get_flags(void)
1687 + if (max_amd_level >= 0x80000001 &&
1688 + max_amd_level <= 0x8000ffff) {
1689 + u32 eax = 0x80000001;
1690 +- asm("cpuid"
1691 ++ asm volatile("cpuid"
1692 + : "+a" (eax),
1693 + "=c" (cpu.flags[6]),
1694 + "=d" (cpu.flags[1])
1695 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
1696 + u32 ecx = MSR_K7_HWCR;
1697 + u32 eax, edx;
1698 +
1699 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1700 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1701 + eax &= ~(1 << 15);
1702 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1703 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1704 +
1705 + get_flags(); /* Make sure it really did something */
1706 + err = check_flags();
1707 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
1708 + u32 ecx = MSR_VIA_FCR;
1709 + u32 eax, edx;
1710 +
1711 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1712 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1713 + eax |= (1<<1)|(1<<7);
1714 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1715 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1716 +
1717 + set_bit(X86_FEATURE_CX8, cpu.flags);
1718 + err = check_flags();
1719 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
1720 + u32 eax, edx;
1721 + u32 level = 1;
1722 +
1723 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1724 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
1725 +- asm("cpuid"
1726 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
1727 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
1728 ++ asm volatile("cpuid"
1729 + : "+a" (level), "=d" (cpu.flags[0])
1730 + : : "ecx", "ebx");
1731 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1732 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
1733 +
1734 + err = check_flags();
1735 + }
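Review bot: The `rdmsr` / `wrmsr(~0)` / `cpuid` / `wrmsr` sequence in this hunk is exactly the case where a plain `asm` breaks: the `cpuid` statement has no data dependency on the preceding `wrmsr`, so without `volatile` the compiler may hoist it above the MSR write or merge the two identical `rdmsr` statements, and a `wrmsr` with no outputs may be dropped altogether. The change is right; a comment on the first of these, e.g. `/* volatile: these asms read/write MSRs and CR0 — must not be elided, merged or reordered */`, would record why the qualifier matters, since the same pattern recurs in has_fpu, has_eflag and get_flags above and in the BIOS-call asms in edd.c, main.c, mca.c, memory.c, video-vesa.c, video-vga.c, video.c and voyager.c below. check_cpu begins and ends outside the hunk.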
1736 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
1737 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
1738 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
1739 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
1740 + ax = 0x4100;
1741 + bx = EDDMAGIC1;
1742 + dx = devno;
1743 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
1744 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
1745 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
1746 + : : "esi", "edi");
1747 +
1748 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
1749 + ei->params.length = sizeof(ei->params);
1750 + ax = 0x4800;
1751 + dx = devno;
1752 +- asm("pushfl; int $0x13; popfl"
1753 ++ asm volatile("pushfl; int $0x13; popfl"
1754 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
1755 + : "S" (&ei->params)
1756 + : "ebx", "ecx", "edi");
1757 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
1758 + ax = 0x0800;
1759 + dx = devno;
1760 + di = 0;
1761 +- asm("pushw %%es; "
1762 ++ asm volatile("pushw %%es; "
1763 + "movw %%di,%%es; "
1764 + "pushfl; stc; int $0x13; setc %%al; popfl; "
1765 + "popw %%es"
1766 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
1767 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
1768 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
1769 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
1770 + */
1771 + static void query_ist(void)
1772 + {
1773 +- asm("int $0x15"
1774 ++ asm volatile("int $0x15"
1775 + : "=a" (boot_params.ist_info.signature),
1776 + "=b" (boot_params.ist_info.command),
1777 + "=c" (boot_params.ist_info.event),
1778 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
1779 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
1780 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
1781 +@@ -21,7 +21,7 @@ int query_mca(void)
1782 + u8 err;
1783 + u16 es, bx, len;
1784 +
1785 +- asm("pushw %%es ; "
1786 ++ asm volatile("pushw %%es ; "
1787 + "int $0x15 ; "
1788 + "setc %0 ; "
1789 + "movw %%es, %1 ; "
1790 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
1791 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
1792 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
1793 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
1794 + /* Important: %edx is clobbered by some BIOSes,
1795 + so it must be either used for the error output
1796 + or explicitly marked clobbered. */
1797 +- asm("int $0x15; setc %0"
1798 ++ asm volatile("int $0x15; setc %0"
1799 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
1800 + "=m" (*desc)
1801 + : "D" (desc), "d" (SMAP), "a" (0xe820));
1802 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
1803 +
1804 + bx = cx = dx = 0;
1805 + ax = 0xe801;
1806 +- asm("stc; int $0x15; setc %0"
1807 ++ asm volatile("stc; int $0x15; setc %0"
1808 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
1809 +
1810 + if (err)
1811 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
1812 + u8 err;
1813 +
1814 + ax = 0x8800;
1815 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
1816 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
1817 +
1818 + boot_params.screen_info.ext_mem_k = ax;
1819 +
1820 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
1821 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
1822 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
1823 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
1824 +
1825 + ax = 0x4f00;
1826 + di = (size_t)&vginfo;
1827 +- asm(INT10
1828 ++ asm volatile(INT10
1829 + : "+a" (ax), "+D" (di), "=m" (vginfo)
1830 + : : "ebx", "ecx", "edx", "esi");
1831 +
1832 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
1833 + ax = 0x4f01;
1834 + cx = mode;
1835 + di = (size_t)&vminfo;
1836 +- asm(INT10
1837 ++ asm volatile(INT10
1838 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
1839 + : : "ebx", "edx", "esi");
1840 +
1841 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
1842 + ax = 0x4f01;
1843 + cx = vesa_mode;
1844 + di = (size_t)&vminfo;
1845 +- asm(INT10
1846 ++ asm volatile(INT10
1847 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
1848 + : : "ebx", "edx", "esi");
1849 +
1850 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
1851 + /* Save the VESA protected mode info */
1852 + static void vesa_store_pm_info(void)
1853 + {
1854 +- u16 ax, bx, di, es;
1855 ++ u16 ax, bx, cx, di, es;
1856 +
1857 + ax = 0x4f0a;
1858 +- bx = di = 0;
1859 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
1860 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
1861 +- : : "ecx", "esi");
1862 ++ bx = cx = di = 0;
1863 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
1864 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
1865 ++ : : "esi");
1866 +
1867 + if (ax != 0x004f)
1868 + return;
1869 +
1870 + boot_params.screen_info.vesapm_seg = es;
1871 + boot_params.screen_info.vesapm_off = di;
1872 ++ boot_params.screen_info.vesapm_size = cx;
1873 + }
1874 +
1875 + /*
1876 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
1877 + /* Note: The VBE DDC spec is different from the main VESA spec;
1878 + we genuinely have to assume all registers are destroyed here. */
1879 +
1880 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
1881 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
1882 + : "+a" (ax), "+b" (bx)
1883 + : "c" (cx), "D" (di)
1884 + : "esi");
1885 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
1886 + cx = 0; /* Controller 0 */
1887 + dx = 0; /* EDID block number */
1888 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
1889 +- asm(INT10
1890 ++ asm volatile(INT10
1891 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
1892 + : "c" (cx), "D" (di)
1893 + : "esi");
1894 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1895 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1896 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1897 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1898 + };
1899 + u8 vga_flag;
1900 +
1901 +- asm(INT10
1902 ++ asm volatile(INT10
1903 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1904 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1905 + : "ecx", "edx", "esi", "edi");
1906 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1907 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1908 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1909 + /* EGA/VGA */
1910 +- asm(INT10
1911 ++ asm volatile(INT10
1912 + : "=a" (vga_flag)
1913 + : "a" (0x1a00)
1914 + : "ebx", "ecx", "edx", "esi", "edi");
1915 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1916 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1917 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1918 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1919 +
1920 + ax = 0x0300;
1921 + bx = 0;
1922 +- asm(INT10
1923 ++ asm volatile(INT10
1924 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1925 + : : "ecx", "esi", "edi");
1926 +
1927 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1928 + /* N.B.: the saving of the video page here is a bit silly,
1929 + since we pretty much assume page 0 everywhere. */
1930 + ax = 0x0f00;
1931 +- asm(INT10
1932 ++ asm volatile(INT10
1933 + : "+a" (ax), "=b" (page)
1934 + : : "ecx", "edx", "esi", "edi");
1935 +
1936 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1937 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1938 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1939 +@@ -27,7 +27,7 @@ int query_voyager(void)
1940 +
1941 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1942 +
1943 +- asm("pushw %%es ; "
1944 ++ asm volatile("pushw %%es ; "
1945 + "int $0x15 ; "
1946 + "setc %0 ; "
1947 + "movw %%es, %1 ; "
1948 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1949 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1950 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1951 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1952 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1953 + },
1954 + },
1955 +- {}
1956 ++ { NULL, NULL, {{0, NULL}}, NULL}
1957 + };
1958 +
1959 + #endif /* __i386__ */
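Review bot: The explicit dmi_system_id terminator is spelled `{ NULL, NULL, {{0, NULL}}, NULL}` here and in acpi/sleep.c, but `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` at the end of the apm_dmi_table hunk in apm.c; all three initialise the same struct to the same zero state, so pick one spelling, or use `{ 0 }`, which is equivalent and survives future field additions without another edit. The hunk does not say why the plain `{}` sentinel was replaced — if it is to satisfy a warning or a checker, a short comment on the first occurrence would stop a later cleanup from reverting it.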
1960 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1961 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1962 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1963 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1964 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1965 + },
1966 + },
1967 +- {}
1968 ++ { NULL, NULL, {{0, NULL}}, NULL}
1969 + };
1970 +
1971 + static int __init acpisleep_dmi_init(void)
1972 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1973 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1974 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1975 +@@ -2,6 +2,7 @@
1976 + #include <linux/linkage.h>
1977 + #include <asm/segment.h>
1978 + #include <asm/page.h>
1979 ++#include <asm/msr-index.h>
1980 +
1981 + #
1982 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1983 +@@ -84,7 +85,7 @@ wakeup_code:
1984 + # restore efer setting
1985 + movl real_save_efer_edx - wakeup_code, %edx
1986 + movl real_save_efer_eax - wakeup_code, %eax
1987 +- mov $0xc0000080, %ecx
1988 ++ mov $MSR_EFER, %ecx
1989 + wrmsr
1990 + 4:
1991 + # make sure %cr4 is set correctly (features, etc)
1992 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1993 + # and restore the stack ... but you need gdt for this to work
1994 + movl saved_context_esp, %esp
1995 +
1996 +- movl %cs:saved_magic, %eax
1997 +- cmpl $0x12345678, %eax
1998 ++ cmpl $0x12345678, saved_magic
1999 + jne bogus_magic
2000 +
2001 + # jump to place where we left off
2002 +- movl saved_eip,%eax
2003 +- jmp *%eax
2004 ++ jmp *(saved_eip)
2005 +
2006 + bogus_magic:
2007 + movw $0x0e00 + 'B', 0xb8018
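Review bot: Dropping the `%cs:` override on `saved_magic` (and jumping through `saved_eip` directly) changes which segment the read goes through, and nothing in the hunk records why; if this is because under CONFIG_PAX_KERNEXEC the kernel code segment no longer has a zero base — the walk_relocs comment in relocs.c refers to code being shifted by the base of KERNEL_CS — a comment such as `# read via %ds: %cs may have a non-zero base under KERNEXEC — TODO confirm` would keep a future merge from reinstating the override. The `$MSR_EFER` substitution is fine and matches the new `<asm/msr-index.h>` include.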
2008 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
2009 + # save efer setting
2010 + pushl %eax
2011 + movl %eax, %ebx
2012 +- mov $0xc0000080, %ecx
2013 ++ mov $MSR_EFER, %ecx
2014 + rdmsr
2015 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
2016 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
2017 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
2018 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
2019 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
2020 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
2021 + */
2022 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
2023 + {
2024 ++
2025 ++#ifdef CONFIG_PAX_KERNEXEC
2026 ++ unsigned long cr0;
2027 ++
2028 ++ pax_open_kernel(cr0);
2029 ++#endif
2030 ++
2031 ++ addr += __KERNEL_TEXT_OFFSET;
2032 + memcpy(addr, opcode, len);
2033 ++
2034 ++#ifdef CONFIG_PAX_KERNEXEC
2035 ++ pax_close_kernel(cr0);
2036 ++#endif
2037 ++
2038 + sync_core();
2039 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
2040 + that causes hangs on some VIA CPUs. */
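Review bot: `addr += __KERNEL_TEXT_OFFSET;` is applied unconditionally while the surrounding `pax_open_kernel` / `pax_close_kernel` pair is under `#ifdef CONFIG_PAX_KERNEXEC`; this only builds and behaves on non-KERNEXEC configurations if the macro is defined there as 0, which the hunk cannot show — either confirm it or move the adjustment inside the same `#ifdef`. A comment on the adjustment, e.g. `/* presumably addr is a KERNEL_CS-relative code address; shift to the linear address memcpy() writes — TODO confirm */`, would explain the shift, since text_poke's callers are not in this hunk. The empty line added right after the opening brace and the pair added before `sync_core()` are noise — drop them. text_poke ends outside the hunk.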
2041 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
2042 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
2043 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
2044 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
2045 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
2046 + static struct apm_user * user_list;
2047 + static DEFINE_SPINLOCK(user_list_lock);
2048 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
2049 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
2050 +
2051 + static const char driver_version[] = "1.16ac"; /* no spaces */
2052 +
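Review bot: The descriptor type byte changes from 0x92 to 0x93 — the only bit flipped is the accessed bit — with no comment, and since every later write to this GDT slot is now wrapped in `pax_open_kernel`/`pax_close_kernel` the likely reason is that the GDT is write-protected under KERNEXEC and a descriptor with the accessed bit pre-set never needs the CPU to write it back; record that next to the constant: `/* 0x93 not 0x92: accessed bit pre-set so the CPU never writes the descriptor into a read-only GDT — TODO confirm */`.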
2053 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
2054 + struct desc_struct save_desc_40;
2055 + struct desc_struct *gdt;
2056 +
2057 ++#ifdef CONFIG_PAX_KERNEXEC
2058 ++ unsigned long cr0;
2059 ++#endif
2060 ++
2061 + cpus = apm_save_cpus();
2062 +
2063 + cpu = get_cpu();
2064 + gdt = get_cpu_gdt_table(cpu);
2065 + save_desc_40 = gdt[0x40 / 8];
2066 ++
2067 ++#ifdef CONFIG_PAX_KERNEXEC
2068 ++ pax_open_kernel(cr0);
2069 ++#endif
2070 ++
2071 + gdt[0x40 / 8] = bad_bios_desc;
2072 +
2073 ++#ifdef CONFIG_PAX_KERNEXEC
2074 ++ pax_close_kernel(cr0);
2075 ++#endif
2076 ++
2077 + apm_irq_save(flags);
2078 + APM_DO_SAVE_SEGS;
2079 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
2080 + APM_DO_RESTORE_SEGS;
2081 + apm_irq_restore(flags);
2082 ++
2083 ++#ifdef CONFIG_PAX_KERNEXEC
2084 ++ pax_open_kernel(cr0);
2085 ++#endif
2086 ++
2087 + gdt[0x40 / 8] = save_desc_40;
2088 ++
2089 ++#ifdef CONFIG_PAX_KERNEXEC
2090 ++ pax_close_kernel(cr0);
2091 ++#endif
2092 ++
2093 + put_cpu();
2094 + apm_restore_cpus(cpus);
2095 +
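Review bot: The open/write/close pattern around `gdt[0x40 / 8]` is now written out four times (twice here, twice in apm_bios_call_simple in the next hunk), and the same shape recurs around set_base/_set_limit in the apm_init hunks; the GDT-slot case belongs in one small helper so the `#ifdef` blocks, and any future change to the open/close discipline, live in a single place. With the helper below the two sites in this function become `apm_set_gdt_40(gdt, bad_bios_desc);` and `apm_set_gdt_40(gdt, save_desc_40);`, and the `cr0` declaration at the top of the function goes away. Whether `pax_open_kernel` may be called with preemption or interrupts enabled is not visible here, so the helper keeps exactly the call order the hunk uses. apm_bios_call begins and ends outside the hunk.
```c
/* Install desc at GDT slot 0x40; the GDT is write-protected under KERNEXEC. */
static void apm_set_gdt_40(struct desc_struct *gdt, struct desc_struct desc)
{
#ifdef CONFIG_PAX_KERNEXEC
	unsigned long cr0;

	pax_open_kernel(cr0);
#endif
	gdt[0x40 / 8] = desc;
#ifdef CONFIG_PAX_KERNEXEC
	pax_close_kernel(cr0);
#endif
}
```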
2096 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
2097 + struct desc_struct save_desc_40;
2098 + struct desc_struct *gdt;
2099 +
2100 ++#ifdef CONFIG_PAX_KERNEXEC
2101 ++ unsigned long cr0;
2102 ++#endif
2103 ++
2104 + cpus = apm_save_cpus();
2105 +
2106 + cpu = get_cpu();
2107 + gdt = get_cpu_gdt_table(cpu);
2108 + save_desc_40 = gdt[0x40 / 8];
2109 ++
2110 ++#ifdef CONFIG_PAX_KERNEXEC
2111 ++ pax_open_kernel(cr0);
2112 ++#endif
2113 ++
2114 + gdt[0x40 / 8] = bad_bios_desc;
2115 +
2116 ++#ifdef CONFIG_PAX_KERNEXEC
2117 ++ pax_close_kernel(cr0);
2118 ++#endif
2119 ++
2120 + apm_irq_save(flags);
2121 + APM_DO_SAVE_SEGS;
2122 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
2123 + APM_DO_RESTORE_SEGS;
2124 + apm_irq_restore(flags);
2125 ++
2126 ++#ifdef CONFIG_PAX_KERNEXEC
2127 ++ pax_open_kernel(cr0);
2128 ++#endif
2129 ++
2130 + gdt[0x40 / 8] = save_desc_40;
2131 ++
2132 ++#ifdef CONFIG_PAX_KERNEXEC
2133 ++ pax_close_kernel(cr0);
2134 ++#endif
2135 ++
2136 + put_cpu();
2137 + apm_restore_cpus(cpus);
2138 + return error;
2139 +@@ -924,7 +970,7 @@ recalc:
2140 +
2141 + static void apm_power_off(void)
2142 + {
2143 +- unsigned char po_bios_call[] = {
2144 ++ const unsigned char po_bios_call[] = {
2145 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
2146 + 0x8e, 0xd0, /* movw ax,ss */
2147 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
2148 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
2149 + static struct miscdevice apm_device = {
2150 + APM_MINOR_DEV,
2151 + "apm_bios",
2152 +- &apm_bios_fops
2153 ++ &apm_bios_fops,
2154 ++ {NULL, NULL},
2155 ++ NULL,
2156 ++ NULL
2157 + };
2158 +
2159 +
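Review bot: Padding `apm_device` with positional `{NULL, NULL}, NULL, NULL` ties the initializer to the current field order of struct miscdevice and has to be touched again whenever a field is added; designated initializers say the same thing and are order-independent: `static struct miscdevice apm_device = { .minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops };`. If the explicit trailing members exist to satisfy a missing-field-initializer warning, the designated form satisfies it just as well.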
2160 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
2161 + print_if_true,
2162 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
2163 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
2164 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
2165 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
2166 + },
2167 + { /* Handle problems with APM on the C600 */
2168 + broken_ps2_resume, "Dell Latitude C600",
2169 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
2170 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
2171 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
2172 + },
2173 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
2174 + set_apm_ints, "Dell Latitude",
2175 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
2176 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
2177 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
2178 + },
2179 + { /* APM crashes */
2180 + apm_is_horked, "Dell Inspiron 2500",
2181 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
2182 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
2183 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
2184 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
2185 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
2186 + },
2187 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
2188 + set_apm_ints, "Dell Inspiron", {
2189 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
2190 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
2191 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
2192 + },
2193 + { /* Handle problems with APM on Inspiron 5000e */
2194 + broken_apm_power, "Dell Inspiron 5000e",
2195 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2196 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
2197 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
2198 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
2199 + },
2200 + { /* Handle problems with APM on Inspiron 2500 */
2201 + broken_apm_power, "Dell Inspiron 2500",
2202 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2203 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
2204 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
2205 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
2206 + },
2207 + { /* APM crashes */
2208 + apm_is_horked, "Dell Dimension 4100",
2209 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
2210 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
2211 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
2212 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
2213 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
2214 + },
2215 + { /* Allow interrupts during suspend on Compaq Laptops*/
2216 + set_apm_ints, "Compaq 12XL125",
2217 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
2218 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
2219 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2220 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
2221 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
2222 + },
2223 + { /* Allow interrupts during APM or the clock goes slow */
2224 + set_apm_ints, "ASUSTeK",
2225 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
2226 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
2227 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
2228 + },
2229 + { /* APM blows on shutdown */
2230 + apm_is_horked, "ABIT KX7-333[R]",
2231 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
2232 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
2233 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
2234 + },
2235 + { /* APM crashes */
2236 + apm_is_horked, "Trigem Delhi3",
2237 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
2238 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
2239 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
2240 + },
2241 + { /* APM crashes */
2242 + apm_is_horked, "Fujitsu-Siemens",
2243 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
2244 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
2245 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
2246 + },
2247 + { /* APM crashes */
2248 + apm_is_horked_d850md, "Intel D850MD",
2249 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
2250 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
2251 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
2252 + },
2253 + { /* APM crashes */
2254 + apm_is_horked, "Intel D810EMO",
2255 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
2256 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
2257 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
2258 + },
2259 + { /* APM crashes */
2260 + apm_is_horked, "Dell XPS-Z",
2261 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
2262 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
2263 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
2264 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
2265 + },
2266 + { /* APM crashes */
2267 + apm_is_horked, "Sharp PC-PJ/AX",
2268 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
2269 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
2270 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
2271 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
2272 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
2273 + },
2274 + { /* APM crashes */
2275 + apm_is_horked, "Dell Inspiron 2500",
2276 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
2277 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
2278 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
2279 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
2280 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
2281 + },
2282 + { /* APM idle hangs */
2283 + apm_likes_to_melt, "Jabil AMD",
2284 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
2285 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
2286 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
2287 + },
2288 + { /* APM idle hangs */
2289 + apm_likes_to_melt, "AMI Bios",
2290 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
2291 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
2292 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
2293 + },
2294 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
2295 + swab_apm_power_in_minutes, "Sony VAIO",
2296 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2297 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
2298 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
2299 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
2300 + },
2301 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
2302 + swab_apm_power_in_minutes, "Sony VAIO",
2303 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2304 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
2305 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
2306 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
2307 + },
2308 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
2309 + swab_apm_power_in_minutes, "Sony VAIO",
2310 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2311 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
2312 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
2313 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
2314 + },
2315 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
2316 + swab_apm_power_in_minutes, "Sony VAIO",
2317 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2318 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
2319 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
2320 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
2321 + },
2322 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
2323 + swab_apm_power_in_minutes, "Sony VAIO",
2324 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2325 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
2326 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
2327 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
2328 + },
2329 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
2330 + swab_apm_power_in_minutes, "Sony VAIO",
2331 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2332 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
2333 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
2334 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
2335 + },
2336 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
2337 + swab_apm_power_in_minutes, "Sony VAIO",
2338 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2339 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
2340 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
2341 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
2342 + },
2343 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
2344 + swab_apm_power_in_minutes, "Sony VAIO",
2345 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2346 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
2347 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
2348 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
2349 + },
2350 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
2351 + swab_apm_power_in_minutes, "Sony VAIO",
2352 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2353 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
2354 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
2355 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
2356 + },
2357 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
2358 + swab_apm_power_in_minutes, "Sony VAIO",
2359 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2360 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
2361 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
2362 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
2363 + },
2364 +
2365 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
2366 + swab_apm_power_in_minutes, "Sony VAIO",
2367 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2368 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
2369 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
2370 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
2371 + },
2372 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
2373 + swab_apm_power_in_minutes, "Sony VAIO",
2374 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2375 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
2376 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
2377 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
2378 + },
2379 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
2380 + swab_apm_power_in_minutes, "Sony VAIO",
2381 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
2382 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
2383 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
2384 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
2385 + },
2386 + { /* broken PM poweroff bios */
2387 + set_realmode_power_off, "Award Software v4.60 PGMA",
2388 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
2389 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
2390 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
2391 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
2392 + },
2393 +
2394 + /* Generic per vendor APM settings */
2395 +
2396 + { /* Allow interrupts during suspend on IBM laptops */
2397 + set_apm_ints, "IBM",
2398 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
2399 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
2400 + },
2401 +
2402 +- { }
2403 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
2404 + };
2405 +
2406 + /*
2407 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
2408 + struct desc_struct *gdt;
2409 + int err;
2410 +
2411 ++#ifdef CONFIG_PAX_KERNEXEC
2412 ++ unsigned long cr0;
2413 ++#endif
2414 ++
2415 + dmi_check_system(apm_dmi_table);
2416 +
2417 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
2418 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
2419 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
2420 + * even though they are called in protected mode.
2421 + */
2422 ++
2423 ++#ifdef CONFIG_PAX_KERNEXEC
2424 ++ pax_open_kernel(cr0);
2425 ++#endif
2426 ++
2427 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
2428 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
2429 +
2430 ++#ifdef CONFIG_PAX_KERNEXEC
2431 ++ pax_close_kernel(cr0);
2432 ++#endif
2433 ++
2434 + /*
2435 + * Set up the long jump entry point to the APM BIOS, which is called
2436 + * from inline assembly.
2437 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
2438 + * code to that CPU.
2439 + */
2440 + gdt = get_cpu_gdt_table(0);
2441 ++
2442 ++#ifdef CONFIG_PAX_KERNEXEC
2443 ++ pax_open_kernel(cr0);
2444 ++#endif
2445 ++
2446 + set_base(gdt[APM_CS >> 3],
2447 + __va((unsigned long)apm_info.bios.cseg << 4));
2448 + set_base(gdt[APM_CS_16 >> 3],
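Review bot: The pax_open_kernel() at 2443 and its matching pax_close_kernel() at 2454 in the next hunk (@@ -2297,6 +2364,10 @@) are split across hunks, so the write-protection window cannot be checked as a unit from the patch. By the hunk headers (-2290,6 covers old lines 2290-2295, the next hunk starts at 2297) exactly one old line is omitted between them, presumably the continuation of the set_base() argument, so the window appears to hold only the three GDT descriptor writes with no call or return that could leave WP cleared; please confirm that when applying. A comment at the open, e.g. `/* per-CPU GDT is write-protected under KERNEXEC; closed again after the APM_DS base is set */`, would let the next reader verify the pairing without reconstructing the line numbers. apm_init() continues outside these hunks.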
2449 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
2450 + set_base(gdt[APM_DS >> 3],
2451 + __va((unsigned long)apm_info.bios.dseg << 4));
2452 +
2453 ++#ifdef CONFIG_PAX_KERNEXEC
2454 ++ pax_close_kernel(cr0);
2455 ++#endif
2456 ++
2457 + apm_proc = create_proc_entry("apm", 0, NULL);
2458 + if (apm_proc)
2459 + apm_proc->proc_fops = &apm_file_ops;
2460 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
2461 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
2462 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
2463 +@@ -109,6 +109,7 @@ void foo(void)
2464 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
2465 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
2466 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
2467 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
2468 +
2469 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
2470 +
2471 +@@ -122,6 +123,7 @@ void foo(void)
2472 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
2473 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
2474 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
2475 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
2476 + #endif
2477 +
2478 + #ifdef CONFIG_XEN
2479 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
2480 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
2481 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
2482 +@@ -4,7 +4,6 @@
2483 + #include <linux/smp.h>
2484 + #include <linux/module.h>
2485 + #include <linux/percpu.h>
2486 +-#include <linux/bootmem.h>
2487 + #include <asm/semaphore.h>
2488 + #include <asm/processor.h>
2489 + #include <asm/i387.h>
2490 +@@ -21,39 +20,15 @@
2491 +
2492 + #include "cpu.h"
2493 +
2494 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
2495 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
2496 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
2497 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
2498 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
2499 +- /*
2500 +- * Segments used for calling PnP BIOS have byte granularity.
2501 +- * They code segments and data segments have fixed 64k limits,
2502 +- * the transfer segment sizes are set at run time.
2503 +- */
2504 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
2505 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
2506 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
2507 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
2508 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
2509 +- /*
2510 +- * The APM segments have byte granularity and their bases
2511 +- * are set at run time. All have 64k limits.
2512 +- */
2513 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
2514 +- /* 16-bit code */
2515 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
2516 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
2517 +-
2518 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
2519 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
2520 +-} };
2521 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
2522 +-
2523 + static int cachesize_override __cpuinitdata = -1;
2524 + static int disable_x86_fxsr __cpuinitdata;
2525 + static int disable_x86_serial_nr __cpuinitdata = 1;
2526 +-static int disable_x86_sep __cpuinitdata;
2527 ++
2528 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2529 ++int disable_x86_sep __cpuinitdata = 1;
2530 ++#else
2531 ++int disable_x86_sep __cpuinitdata;
<