
From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r90 - hardened-sources/2.6/trunk/2.6.23
Date: Wed, 30 Apr 2008 11:23:58
Message-Id: E1JrAO7-0000zh-Ga@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:22:14 +0000 (Wed, 30 Apr 2008)
3 New Revision: 90
4
5 Added:
6 hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch
7 hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch
8 hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch
9 hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch
10 hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch
11 hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch
12 hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch
13 hardened-sources/2.6/trunk/2.6.23/4450_disable-compat_vdso.patch
14 hardened-sources/2.6/trunk/2.6.23/4455_pax-hook-build-error.patch
15 hardened-sources/2.6/trunk/2.6.23/4460_acct_stack_growth-null-deref.patch
16 hardened-sources/2.6/trunk/2.6.23/4465_pax-vma-mirroring-fixes.patch
17 hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch
18 hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch
19 hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch
20 hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch
21 hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch
22 hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch
23 hardened-sources/2.6/trunk/2.6.23/4500_grsec-user_transition-bypass-fix.patch
24 Removed:
25 hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch
26 hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch
27 hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
28 hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch
29 hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch
30 hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch
31 hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch
32 hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch
33 hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch
34 hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch
35 hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch
36 hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch
37 hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch
38 hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch
39 hardened-sources/2.6/trunk/2.6.23/4500_grsec-netlink-security-fixes.patch
40 hardened-sources/2.6/trunk/2.6.23/4505_grsec-pax_emutramp.patch
41 Log:
42 Import an updated patchset from Kerin and Gordon (this should be tagged 2.6.23-r10).
43
44 Added: hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch
45 ===================================================================
46 --- hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch (rev 0)
47 +++ hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch 2008-04-30 11:22:14 UTC (rev 90)
48 @@ -0,0 +1,78 @@
49 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
50 +
51 +x86: Clear DF before calling signal handler
52 +
53 +Linux 2.6-series kernels < 2.6.24.4 do not clear the direction flag
54 +before calling a signal handler, which is required by the x86/x86-64
55 +ABI.
56 +
57 +This bug has come to light as GCC 4.3 assumes that the direction flag
58 +is correctly cleared at the entry of a function.
59 +
60 +This patches changes the setup_frame() functions to clear the
61 +direction before entering the signal handler.
62 +
63 +This is a backport to kernel 2.6.23 of mainline kernel git commit:
64 +e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
65 +
66 +Originally From: Aurelien Jarno <aurelien@×××××××.net>
67 +Originally Signed-off-by: Aurelien Jarno <aurelien@×××××××.net>
68 +Originally Signed-off-by: Chris Wright <chrisw@××××××××.org>
69 +Originally Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
70 +
71 +For more information, view:
72 +https://bugs.gentoo.org/show_bug.cgi?id=213811
73 +http://lkml.org/lkml/2008/3/5/207
74 +http://lwn.net/Articles/272203/
75 +
76 +--- a/arch/i386/kernel/signal.c
77 ++++ b/arch/i386/kernel/signal.c
78 +@@ -399,7 +399,7 @@ static int setup_frame(int sig, struct k
79 + * The tracer may want to single-step inside the
80 + * handler too.
81 + */
82 +- regs->eflags &= ~TF_MASK;
83 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
84 + if (test_thread_flag(TIF_SINGLESTEP))
85 + ptrace_notify(SIGTRAP);
86 +
87 +@@ -494,7 +494,7 @@ static int setup_rt_frame(int sig, struc
88 + * The tracer may want to single-step inside the
89 + * handler too.
90 + */
91 +- regs->eflags &= ~TF_MASK;
92 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
93 + if (test_thread_flag(TIF_SINGLESTEP))
94 + ptrace_notify(SIGTRAP);
95 +
96 +--- a/arch/x86_64/ia32/ia32_signal.c
97 ++++ b/arch/x86_64/ia32/ia32_signal.c
98 +@@ -494,7 +494,7 @@ int ia32_setup_frame(int sig, struct k_s
99 + regs->ss = __USER32_DS;
100 +
101 + set_fs(USER_DS);
102 +- regs->eflags &= ~TF_MASK;
103 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
104 + if (test_thread_flag(TIF_SINGLESTEP))
105 + ptrace_notify(SIGTRAP);
106 +
107 +@@ -601,7 +601,7 @@ int ia32_setup_rt_frame(int sig, struct
108 + regs->ss = __USER32_DS;
109 +
110 + set_fs(USER_DS);
111 +- regs->eflags &= ~TF_MASK;
112 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
113 + if (test_thread_flag(TIF_SINGLESTEP))
114 + ptrace_notify(SIGTRAP);
115 +
116 +--- a/arch/x86_64/kernel/signal.c
117 ++++ b/arch/x86_64/kernel/signal.c
118 +@@ -297,7 +297,7 @@ static int setup_rt_frame(int sig, struc
119 + see include/asm-x86_64/uaccess.h for details. */
120 + set_fs(USER_DS);
121 +
122 +- regs->eflags &= ~TF_MASK;
123 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
124 + if (test_thread_flag(TIF_SINGLESTEP))
125 + ptrace_notify(SIGTRAP);
126 + #ifdef DEBUG_SIG
127
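Review bot: The new `regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);` lines in all five hunks sit under a comment that only explains clearing TF for single-step tracing, so the reason DF is now cleared too is lost once the patch is applied to the tree. A one-line comment such as `/* The x86 ABI requires DF clear on function entry; GCC 4.3 relies on it. */` above the modified `regs->eflags` line in each of the setup_frame, setup_rt_frame, ia32_setup_frame and ia32_setup_rt_frame hunks would carry the rationale from the patch header into the code. The header itself says "clear the direction before entering the signal handler", which should read "direction flag". None of the hunks adds an include, so the backport presumably relies on X86_EFLAGS_DF already being defined by the 2.6.23 headers on both the i386 and x86_64 sides; worth confirming before tagging. Each of the five modified functions starts and ends outside its hunk.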
128 Added: hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch
129 ===================================================================
130 --- hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
131 +++ hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:22:14 UTC (rev 90)
132 @@ -0,0 +1,35665 @@
133 +From: Kerin Millar <kerframil@×××××.com>
134 +
135 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
136 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
137 +mmap.c changes.
138 +
139 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
140 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
141 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
142 +@@ -176,14 +176,18 @@ times.h*
143 + tkparse
144 + trix_boot.h
145 + utsrelease.h*
146 ++vdso.lds
147 + version.h*
148 + vmlinux
149 + vmlinux-*
150 + vmlinux.aout
151 ++vmlinux.bin.all
152 + vmlinux.lds
153 ++vmlinux.relocs
154 + vsyscall.lds
155 + wanxlfw.inc
156 + uImage
157 + unifdef
158 ++utsrelease.h
159 + zImage*
160 + zconf.hash.c
161 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
162 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
163 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
164 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
165 +
166 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
167 +
168 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
169 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
170 + -fno-strict-aliasing -fno-common \
171 + -Werror-implicit-function-declaration
172 + AFLAGS := -D__ASSEMBLY__
173 +@@ -560,7 +560,7 @@ export mod_strip_cmd
174 +
175 +
176 + ifeq ($(KBUILD_EXTMOD),)
177 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
178 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
179 +
180 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
181 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
182 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
183 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
184 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
185 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
186 +
187 + /* The small sections were sorted to the end of the segment.
188 + The following should definitely cover them. */
189 +- gp = (u64)me->module_core + me->core_size - 0x8000;
190 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
191 + got = sechdrs[me->arch.gotsecindex].sh_addr;
192 +
193 + for (i = 0; i < n; i++) {
194 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
195 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
196 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
197 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
198 + merely specific addresses, but regions of memory -- perhaps
199 + this feature should be incorporated into all ports? */
200 +
201 ++#ifdef CONFIG_PAX_RANDMMAP
202 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
203 ++#endif
204 ++
205 + if (addr) {
206 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
207 + if (addr != (unsigned long) -ENOMEM)
208 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
209 + }
210 +
211 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
212 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
213 +- len, limit);
214 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
215 ++
216 + if (addr != (unsigned long) -ENOMEM)
217 + return addr;
218 +
219 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
220 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
221 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
222 +@@ -15,6 +15,7 @@
223 + #include <linux/slab.h>
224 + #include <linux/security.h>
225 + #include <linux/signal.h>
226 ++#include <linux/grsecurity.h>
227 +
228 + #include <asm/uaccess.h>
229 + #include <asm/pgtable.h>
230 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
231 + goto out_notsk;
232 + }
233 +
234 ++ if (gr_handle_ptrace(child, request)) {
235 ++ ret = -EPERM;
236 ++ goto out;
237 ++ }
238 ++
239 + if (request == PTRACE_ATTACH) {
240 + ret = ptrace_attach(child);
241 + goto out;
242 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
243 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
244 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
245 +@@ -23,6 +23,7 @@
246 + #include <linux/smp.h>
247 + #include <linux/interrupt.h>
248 + #include <linux/module.h>
249 ++#include <linux/binfmts.h>
250 +
251 + #include <asm/system.h>
252 + #include <asm/uaccess.h>
253 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
254 + __reload_thread(pcb);
255 + }
256 +
257 ++#ifdef CONFIG_PAX_PAGEEXEC
258 ++/*
259 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
260 ++ *
261 ++ * returns 1 when task should be killed
262 ++ * 2 when patched PLT trampoline was detected
263 ++ * 3 when unpatched PLT trampoline was detected
264 ++ */
265 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
266 ++{
267 ++
268 ++#ifdef CONFIG_PAX_EMUPLT
269 ++ int err;
270 ++
271 ++ do { /* PaX: patched PLT emulation #1 */
272 ++ unsigned int ldah, ldq, jmp;
273 ++
274 ++ err = get_user(ldah, (unsigned int *)regs->pc);
275 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
276 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
277 ++
278 ++ if (err)
279 ++ break;
280 ++
281 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
282 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
283 ++ jmp == 0x6BFB0000U)
284 ++ {
285 ++ unsigned long r27, addr;
286 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
287 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
288 ++
289 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
290 ++ err = get_user(r27, (unsigned long *)addr);
291 ++ if (err)
292 ++ break;
293 ++
294 ++ regs->r27 = r27;
295 ++ regs->pc = r27;
296 ++ return 2;
297 ++ }
298 ++ } while (0);
299 ++
300 ++ do { /* PaX: patched PLT emulation #2 */
301 ++ unsigned int ldah, lda, br;
302 ++
303 ++ err = get_user(ldah, (unsigned int *)regs->pc);
304 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
305 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
306 ++
307 ++ if (err)
308 ++ break;
309 ++
310 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
311 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
312 ++ (br & 0xFFE00000U) == 0xC3E00000U)
313 ++ {
314 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
315 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
316 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
317 ++
318 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
319 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
320 ++ return 2;
321 ++ }
322 ++ } while (0);
323 ++
324 ++ do { /* PaX: unpatched PLT emulation */
325 ++ unsigned int br;
326 ++
327 ++ err = get_user(br, (unsigned int *)regs->pc);
328 ++
329 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
330 ++ unsigned int br2, ldq, nop, jmp;
331 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
332 ++
333 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
334 ++ err = get_user(br2, (unsigned int *)addr);
335 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
336 ++ err |= get_user(nop, (unsigned int *)(addr+8));
337 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
338 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
339 ++
340 ++ if (err)
341 ++ break;
342 ++
343 ++ if (br2 == 0xC3600000U &&
344 ++ ldq == 0xA77B000CU &&
345 ++ nop == 0x47FF041FU &&
346 ++ jmp == 0x6B7B0000U)
347 ++ {
348 ++ regs->r28 = regs->pc+4;
349 ++ regs->r27 = addr+16;
350 ++ regs->pc = resolver;
351 ++ return 3;
352 ++ }
353 ++ }
354 ++ } while (0);
355 ++#endif
356 ++
357 ++ return 1;
358 ++}
359 ++
360 ++void pax_report_insns(void *pc, void *sp)
361 ++{
362 ++ unsigned long i;
363 ++
364 ++ printk(KERN_ERR "PAX: bytes at PC: ");
365 ++ for (i = 0; i < 5; i++) {
366 ++ unsigned int c;
367 ++ if (get_user(c, (unsigned int *)pc+i))
368 ++ printk("???????? ");
369 ++ else
370 ++ printk("%08x ", c);
371 ++ }
372 ++ printk("\n");
373 ++}
374 ++#endif
375 +
376 + /*
377 + * This routine handles page faults. It determines the address,
378 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
379 + good_area:
380 + si_code = SEGV_ACCERR;
381 + if (cause < 0) {
382 +- if (!(vma->vm_flags & VM_EXEC))
383 ++ if (!(vma->vm_flags & VM_EXEC)) {
384 ++
385 ++#ifdef CONFIG_PAX_PAGEEXEC
386 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
387 ++ goto bad_area;
388 ++
389 ++ up_read(&mm->mmap_sem);
390 ++ switch (pax_handle_fetch_fault(regs)) {
391 ++
392 ++#ifdef CONFIG_PAX_EMUPLT
393 ++ case 2:
394 ++ case 3:
395 ++ return;
396 ++#endif
397 ++
398 ++ }
399 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
400 ++ do_exit(SIGKILL);
401 ++#else
402 + goto bad_area;
403 ++#endif
404 ++
405 ++ }
406 + } else if (!cause) {
407 + /* Allow reads even for write-only mappings */
408 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
409 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
410 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
411 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
412 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
413 + if (len > TASK_SIZE)
414 + return -ENOMEM;
415 +
416 ++#ifdef CONFIG_PAX_RANDMMAP
417 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
418 ++#endif
419 ++
420 + if (addr) {
421 + if (do_align)
422 + addr = COLOUR_ALIGN(addr, pgoff);
423 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
424 + return addr;
425 + }
426 + if (len > mm->cached_hole_size) {
427 +- start_addr = addr = mm->free_area_cache;
428 ++ start_addr = addr = mm->free_area_cache;
429 + } else {
430 +- start_addr = addr = TASK_UNMAPPED_BASE;
431 +- mm->cached_hole_size = 0;
432 ++ start_addr = addr = mm->mmap_base;
433 ++ mm->cached_hole_size = 0;
434 + }
435 +
436 + full_search:
437 +@@ -91,8 +95,8 @@ full_search:
438 + * Start a new search - just in case we missed
439 + * some holes.
440 + */
441 +- if (start_addr != TASK_UNMAPPED_BASE) {
442 +- start_addr = addr = TASK_UNMAPPED_BASE;
443 ++ if (start_addr != mm->mmap_base) {
444 ++ start_addr = addr = mm->mmap_base;
445 + mm->cached_hole_size = 0;
446 + goto full_search;
447 + }
448 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
449 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
450 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
451 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
452 +
453 + int exception_trace = 1;
454 +
455 ++#ifdef CONFIG_PAX_PAGEEXEC
456 ++void pax_report_insns(void *pc, void *sp)
457 ++{
458 ++ unsigned long i;
459 ++
460 ++ printk(KERN_ERR "PAX: bytes at PC: ");
461 ++ for (i = 0; i < 20; i++) {
462 ++ unsigned char c;
463 ++ if (get_user(c, (unsigned char *)pc+i))
464 ++ printk("???????? ");
465 ++ else
466 ++ printk("%02x ", c);
467 ++ }
468 ++ printk("\n");
469 ++}
470 ++#endif
471 ++
472 + /*
473 + * This routine handles page faults. It determines the address and the
474 + * problem, and then passes it off to one of the appropriate routines.
475 +@@ -157,6 +174,16 @@ bad_area:
476 + up_read(&mm->mmap_sem);
477 +
478 + if (user_mode(regs)) {
479 ++
480 ++#ifdef CONFIG_PAX_PAGEEXEC
481 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
482 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
483 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
484 ++ do_exit(SIGKILL);
485 ++ }
486 ++ }
487 ++#endif
488 ++
489 + if (exception_trace && printk_ratelimit())
490 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
491 + "sp %08lx ecr %lu\n",
492 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
493 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
494 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
495 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
496 + hex
497 + default 0xB0000000 if VMSPLIT_3G_OPT
498 + default 0x80000000 if VMSPLIT_2G
499 +- default 0x78000000 if VMSPLIT_2G_OPT
500 ++ default 0x70000000 if VMSPLIT_2G_OPT
501 + default 0x40000000 if VMSPLIT_1G
502 + default 0xC0000000
503 +
504 +@@ -831,7 +831,7 @@ config CRASH_DUMP
505 + config PHYSICAL_START
506 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
507 + default "0x1000000" if X86_NUMAQ
508 +- default "0x100000"
509 ++ default "0x200000"
510 + help
511 + This gives the physical address where the kernel is loaded.
512 +
513 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
514 +
515 + config COMPAT_VDSO
516 + bool "Compat VDSO support"
517 +- default y
518 ++ default n
519 + help
520 + Map the VDSO to the predictable old-style address too.
521 + ---help---
522 +@@ -1092,7 +1092,7 @@ config PCI
523 + choice
524 + prompt "PCI access mode"
525 + depends on PCI && !X86_VISWS
526 +- default PCI_GOANY
527 ++ default PCI_GODIRECT
528 + ---help---
529 + On PCI systems, the BIOS can be used to detect the PCI devices and
530 + determine their configuration. However, some old PCI motherboards
531 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
532 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
533 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
534 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
535 +
536 + config X86_F00F_BUG
537 + bool
538 +- depends on M586MMX || M586TSC || M586 || M486 || M386
539 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
540 + default y
541 +
542 + config X86_WP_WORKS_OK
543 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
544 +
545 + config X86_ALIGNMENT_16
546 + bool
547 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
548 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
549 + default y
550 +
551 + config X86_GOOD_APIC
552 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
553 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
554 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
555 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
556 + This results in a large slowdown, but helps to find certain types
557 + of memory corruptions.
558 +
559 +-config DEBUG_RODATA
560 +- bool "Write protect kernel read-only data structures"
561 +- depends on DEBUG_KERNEL
562 +- help
563 +- Mark the kernel read-only data as write-protected in the pagetables,
564 +- in order to catch accidental (and incorrect) writes to such const
565 +- data. This option may have a slight performance impact because a
566 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
567 +- If in doubt, say "N".
568 +-
569 + config 4KSTACKS
570 + bool "Use 4Kb for kernel stacks instead of 8Kb"
571 + depends on DEBUG_KERNEL
572 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
573 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
574 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
575 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
576 + u8 v;
577 + const u32 *p = (const u32 *)addr;
578 +
579 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
580 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
581 + return v;
582 + }
583 +
584 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
585 +
586 + static inline void set_bit(int nr, void *addr)
587 + {
588 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
589 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
590 + }
591 +
592 + #endif /* BOOT_BITOPS_H */
593 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
594 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
595 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
596 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
597 + static inline u16 ds(void)
598 + {
599 + u16 seg;
600 +- asm("movw %%ds,%0" : "=rm" (seg));
601 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
602 + return seg;
603 + }
604 +
605 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
606 + static inline int memcmp(const void *s1, const void *s2, size_t len)
607 + {
608 + u8 diff;
609 +- asm("repe; cmpsb; setnz %0"
610 ++ asm volatile("repe; cmpsb; setnz %0"
611 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
612 + return diff;
613 + }
614 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
615 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
616 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
617 +@@ -159,9 +159,8 @@ relocated:
618 + */
619 +
620 + 1: subl $4, %edi
621 +- movl 0(%edi), %ecx
622 +- testl %ecx, %ecx
623 +- jz 2f
624 ++ movl (%edi), %ecx
625 ++ jecxz 2f
626 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
627 + jmp 1b
628 + 2:
629 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
630 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
631 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
632 +@@ -10,9 +10,13 @@
633 + #define USE_BSD
634 + #include <endian.h>
635 +
636 ++#include "../../../../include/linux/autoconf.h"
637 ++
638 ++#define MAX_PHDRS 100
639 + #define MAX_SHDRS 100
640 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
641 + static Elf32_Ehdr ehdr;
642 ++static Elf32_Phdr phdr[MAX_PHDRS];
643 + static Elf32_Shdr shdr[MAX_SHDRS];
644 + static Elf32_Sym *symtab[MAX_SHDRS];
645 + static Elf32_Rel *reltab[MAX_SHDRS];
646 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
647 + }
648 + }
649 +
650 ++static void read_phdrs(FILE *fp)
651 ++{
652 ++ int i;
653 ++ if (ehdr.e_phnum > MAX_PHDRS) {
654 ++ die("%d program headers supported: %d\n",
655 ++ ehdr.e_phnum, MAX_PHDRS);
656 ++ }
657 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
658 ++ die("Seek to %d failed: %s\n",
659 ++ ehdr.e_phoff, strerror(errno));
660 ++ }
661 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
662 ++ die("Cannot read ELF program headers: %s\n",
663 ++ strerror(errno));
664 ++ }
665 ++ for(i = 0; i < ehdr.e_phnum; i++) {
666 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
667 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
668 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
669 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
670 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
671 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
672 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
673 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
674 ++ }
675 ++
676 ++}
677 ++
678 + static void read_shdrs(FILE *fp)
679 + {
680 + int i;
681 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
682 + static void read_relocs(FILE *fp)
683 + {
684 + int i,j;
685 ++ uint32_t base;
686 ++
687 + for(i = 0; i < ehdr.e_shnum; i++) {
688 + if (shdr[i].sh_type != SHT_REL) {
689 + continue;
690 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
691 + die("Cannot read symbol table: %s\n",
692 + strerror(errno));
693 + }
694 ++ base = 0;
695 ++ for (j = 0; j < ehdr.e_phnum; j++) {
696 ++ if (phdr[j].p_type != PT_LOAD )
697 ++ continue;
698 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
699 ++ continue;
700 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
701 ++ break;
702 ++ }
703 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
704 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
705 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
706 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
707 + }
708 + }
709 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
710 + if (sym->st_shndx == SHN_ABS) {
711 + continue;
712 + }
713 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
714 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
715 ++ continue;
716 ++ }
717 ++#ifdef CONFIG_PAX_KERNEXEC
718 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
719 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
720 ++ continue;
721 ++ }
722 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
723 ++ continue;
724 ++ }
725 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
726 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
727 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
728 ++ continue;
729 ++ }
730 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
731 ++ continue;
732 ++ }
733 ++#endif
734 + if (r_type == R_386_PC32) {
735 + /* PC relative relocations don't need to be adjusted */
736 + }
737 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
738 + fname, strerror(errno));
739 + }
740 + read_ehdr(fp);
741 ++ read_phdrs(fp);
742 + read_shdrs(fp);
743 + read_strtabs(fp);
744 + read_symtabs(fp);
745 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
746 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
747 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
748 +@@ -90,7 +90,7 @@ static int has_fpu(void)
749 + u16 fcw = -1, fsw = -1;
750 + u32 cr0;
751 +
752 +- asm("movl %%cr0,%0" : "=r" (cr0));
753 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
754 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
755 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
756 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
757 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
758 + {
759 + u32 f0, f1;
760 +
761 +- asm("pushfl ; "
762 ++ asm volatile("pushfl ; "
763 + "pushfl ; "
764 + "popl %0 ; "
765 + "movl %0,%1 ; "
766 +@@ -131,7 +131,7 @@ static void get_flags(void)
767 + set_bit(X86_FEATURE_FPU, cpu.flags);
768 +
769 + if (has_eflag(X86_EFLAGS_ID)) {
770 +- asm("cpuid"
771 ++ asm volatile("cpuid"
772 + : "=a" (max_intel_level),
773 + "=b" (cpu_vendor[0]),
774 + "=d" (cpu_vendor[1]),
775 +@@ -140,7 +140,7 @@ static void get_flags(void)
776 +
777 + if (max_intel_level >= 0x00000001 &&
778 + max_intel_level <= 0x0000ffff) {
779 +- asm("cpuid"
780 ++ asm volatile("cpuid"
781 + : "=a" (tfms),
782 + "=c" (cpu.flags[4]),
783 + "=d" (cpu.flags[0])
784 +@@ -152,7 +152,7 @@ static void get_flags(void)
785 + cpu.model += ((tfms >> 16) & 0xf) << 4;
786 + }
787 +
788 +- asm("cpuid"
789 ++ asm volatile("cpuid"
790 + : "=a" (max_amd_level)
791 + : "a" (0x80000000)
792 + : "ebx", "ecx", "edx");
793 +@@ -160,7 +160,7 @@ static void get_flags(void)
794 + if (max_amd_level >= 0x80000001 &&
795 + max_amd_level <= 0x8000ffff) {
796 + u32 eax = 0x80000001;
797 +- asm("cpuid"
798 ++ asm volatile("cpuid"
799 + : "+a" (eax),
800 + "=c" (cpu.flags[6]),
801 + "=d" (cpu.flags[1])
802 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
803 + u32 ecx = MSR_K7_HWCR;
804 + u32 eax, edx;
805 +
806 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
807 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
808 + eax &= ~(1 << 15);
809 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
810 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
811 +
812 + get_flags(); /* Make sure it really did something */
813 + err = check_flags();
814 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
815 + u32 ecx = MSR_VIA_FCR;
816 + u32 eax, edx;
817 +
818 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
819 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
820 + eax |= (1<<1)|(1<<7);
821 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
822 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
823 +
824 + set_bit(X86_FEATURE_CX8, cpu.flags);
825 + err = check_flags();
826 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
827 + u32 eax, edx;
828 + u32 level = 1;
829 +
830 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
831 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
832 +- asm("cpuid"
833 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
834 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
835 ++ asm volatile("cpuid"
836 + : "+a" (level), "=d" (cpu.flags[0])
837 + : : "ecx", "ebx");
838 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
839 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
840 +
841 + err = check_flags();
842 + }
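Review bot: The `asm volatile` added to the `cpuid` between the two `wrmsr` statements is load-bearing, and the hunk does not say why. The `wrmsr` asms have no outputs, while the `cpuid` has outputs and no data dependency on them, so without `volatile` GCC is free to schedule the `cpuid` outside the window in which the MSR has been written with `~0`, and the feature bits read back would be the pre-override ones. A one-line comment above the sequence keeps the qualifier from being "tidied" away later: `/* volatile: the cpuid must stay between the wrmsr(~0) and the restoring wrmsr */`. `check_cpu` starts and ends outside this hunk.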
843 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
844 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
845 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
846 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
847 + ax = 0x4100;
848 + bx = EDDMAGIC1;
849 + dx = devno;
850 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
851 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
852 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
853 + : : "esi", "edi");
854 +
855 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
856 + ei->params.length = sizeof(ei->params);
857 + ax = 0x4800;
858 + dx = devno;
859 +- asm("pushfl; int $0x13; popfl"
860 ++ asm volatile("pushfl; int $0x13; popfl"
861 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
862 + : "S" (&ei->params)
863 + : "ebx", "ecx", "edi");
864 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
865 + ax = 0x0800;
866 + dx = devno;
867 + di = 0;
868 +- asm("pushw %%es; "
869 ++ asm volatile("pushw %%es; "
870 + "movw %%di,%%es; "
871 + "pushfl; stc; int $0x13; setc %%al; popfl; "
872 + "popw %%es"
873 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
874 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
875 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
876 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
877 + */
878 + static void query_ist(void)
879 + {
880 +- asm("int $0x15"
881 ++ asm volatile("int $0x15"
882 + : "=a" (boot_params.ist_info.signature),
883 + "=b" (boot_params.ist_info.command),
884 + "=c" (boot_params.ist_info.event),
885 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
886 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
887 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
888 +@@ -21,7 +21,7 @@ int query_mca(void)
889 + u8 err;
890 + u16 es, bx, len;
891 +
892 +- asm("pushw %%es ; "
893 ++ asm volatile("pushw %%es ; "
894 + "int $0x15 ; "
895 + "setc %0 ; "
896 + "movw %%es, %1 ; "
897 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
898 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
899 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
900 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
901 + /* Important: %edx is clobbered by some BIOSes,
902 + so it must be either used for the error output
903 + or explicitly marked clobbered. */
904 +- asm("int $0x15; setc %0"
905 ++ asm volatile("int $0x15; setc %0"
906 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
907 + "=m" (*desc)
908 + : "D" (desc), "d" (SMAP), "a" (0xe820));
909 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
910 +
911 + bx = cx = dx = 0;
912 + ax = 0xe801;
913 +- asm("stc; int $0x15; setc %0"
914 ++ asm volatile("stc; int $0x15; setc %0"
915 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
916 +
917 + if (err)
918 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
919 + u8 err;
920 +
921 + ax = 0x8800;
922 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
923 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
924 +
925 + boot_params.screen_info.ext_mem_k = ax;
926 +
927 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
928 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
929 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
930 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
931 +
932 + ax = 0x4f00;
933 + di = (size_t)&vginfo;
934 +- asm(INT10
935 ++ asm volatile(INT10
936 + : "+a" (ax), "+D" (di), "=m" (vginfo)
937 + : : "ebx", "ecx", "edx", "esi");
938 +
939 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
940 + ax = 0x4f01;
941 + cx = mode;
942 + di = (size_t)&vminfo;
943 +- asm(INT10
944 ++ asm volatile(INT10
945 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
946 + : : "ebx", "edx", "esi");
947 +
948 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
949 + ax = 0x4f01;
950 + cx = vesa_mode;
951 + di = (size_t)&vminfo;
952 +- asm(INT10
953 ++ asm volatile(INT10
954 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
955 + : : "ebx", "edx", "esi");
956 +
957 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
958 + /* Save the VESA protected mode info */
959 + static void vesa_store_pm_info(void)
960 + {
961 +- u16 ax, bx, di, es;
962 ++ u16 ax, bx, cx, di, es;
963 +
964 + ax = 0x4f0a;
965 +- bx = di = 0;
966 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
967 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
968 +- : : "ecx", "esi");
969 ++ bx = cx = di = 0;
970 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
971 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
972 ++ : : "esi");
973 +
974 + if (ax != 0x004f)
975 + return;
976 +
977 + boot_params.screen_info.vesapm_seg = es;
978 + boot_params.screen_info.vesapm_off = di;
979 ++ boot_params.screen_info.vesapm_size = cx;
980 + }
981 +
982 + /*
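Review bot: The new `boot_params.screen_info.vesapm_size = cx;` at the end of the hunk requires `struct screen_info` to have a `vesapm_size` member, which nothing in this hunk shows; if it is added elsewhere in the patch, remember that `screen_info` is also consumed by userspace and the member should go where it does not shift existing fields. The value is what INT 10h/AX=4F0Ah returns in CX — presumably the length of the protected-mode interface table — and recording it is what lets a later consumer bound its reads of that table instead of trusting BIOS-supplied offsets blindly. Say so at the store: `boot_params.screen_info.vesapm_size = cx;	/* PMI table length from CX; lets consumers bound-check the table */`.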
983 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
984 + /* Note: The VBE DDC spec is different from the main VESA spec;
985 + we genuinely have to assume all registers are destroyed here. */
986 +
987 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
988 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
989 + : "+a" (ax), "+b" (bx)
990 + : "c" (cx), "D" (di)
991 + : "esi");
992 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
993 + cx = 0; /* Controller 0 */
994 + dx = 0; /* EDID block number */
995 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
996 +- asm(INT10
997 ++ asm volatile(INT10
998 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
999 + : "c" (cx), "D" (di)
1000 + : "esi");
1001 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1002 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1003 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1004 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1005 + };
1006 + u8 vga_flag;
1007 +
1008 +- asm(INT10
1009 ++ asm volatile(INT10
1010 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1011 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1012 + : "ecx", "edx", "esi", "edi");
1013 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1014 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1015 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1016 + /* EGA/VGA */
1017 +- asm(INT10
1018 ++ asm volatile(INT10
1019 + : "=a" (vga_flag)
1020 + : "a" (0x1a00)
1021 + : "ebx", "ecx", "edx", "esi", "edi");
1022 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1023 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1024 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1025 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1026 +
1027 + ax = 0x0300;
1028 + bx = 0;
1029 +- asm(INT10
1030 ++ asm volatile(INT10
1031 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1032 + : : "ecx", "esi", "edi");
1033 +
1034 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1035 + /* N.B.: the saving of the video page here is a bit silly,
1036 + since we pretty much assume page 0 everywhere. */
1037 + ax = 0x0f00;
1038 +- asm(INT10
1039 ++ asm volatile(INT10
1040 + : "+a" (ax), "=b" (page)
1041 + : : "ecx", "edx", "esi", "edi");
1042 +
1043 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1044 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1045 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1046 +@@ -27,7 +27,7 @@ int query_voyager(void)
1047 +
1048 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1049 +
1050 +- asm("pushw %%es ; "
1051 ++ asm volatile("pushw %%es ; "
1052 + "int $0x15 ; "
1053 + "setc %0 ; "
1054 + "movw %%es, %1 ; "
1055 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1056 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1057 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1058 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1059 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1060 + },
1061 + },
1062 +- {}
1063 ++ { NULL, NULL, {{0, NULL}}, NULL}
1064 + };
1065 +
1066 + #endif /* __i386__ */
1067 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1068 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1069 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1070 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1071 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1072 + },
1073 + },
1074 +- {}
1075 ++ { NULL, NULL, {{0, NULL}}, NULL}
1076 + };
1077 +
1078 + static int __init acpisleep_dmi_init(void)
1079 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1080 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1081 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1082 +@@ -2,6 +2,7 @@
1083 + #include <linux/linkage.h>
1084 + #include <asm/segment.h>
1085 + #include <asm/page.h>
1086 ++#include <asm/msr-index.h>
1087 +
1088 + #
1089 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1090 +@@ -84,7 +85,7 @@ wakeup_code:
1091 + # restore efer setting
1092 + movl real_save_efer_edx - wakeup_code, %edx
1093 + movl real_save_efer_eax - wakeup_code, %eax
1094 +- mov $0xc0000080, %ecx
1095 ++ mov $MSR_EFER, %ecx
1096 + wrmsr
1097 + 4:
1098 + # make sure %cr4 is set correctly (features, etc)
1099 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1100 + # and restore the stack ... but you need gdt for this to work
1101 + movl saved_context_esp, %esp
1102 +
1103 +- movl %cs:saved_magic, %eax
1104 +- cmpl $0x12345678, %eax
1105 ++ cmpl $0x12345678, saved_magic
1106 + jne bogus_magic
1107 +
1108 + # jump to place where we left off
1109 +- movl saved_eip,%eax
1110 +- jmp *%eax
1111 ++ jmp *(saved_eip)
1112 +
1113 + bogus_magic:
1114 + movw $0x0e00 + 'B', 0xb8018
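Review bot: Dropping the `%cs:` override on the `saved_magic` read changes which segment base the fetch is relative to, and the hunk does not say why; the preceding `movl saved_context_esp, %esp` already uses the default data segment, so presumably %ds is valid at this point and, under KERNEXEC, the kernel code segment base is no longer zero, so a %cs-relative data fetch would miss — both worth confirming. A one-line comment keeps the next person from re-adding the override: `# %ds is loaded here; do not use %cs: for data (CS base is non-zero with KERNEXEC)`. `jmp *(saved_eip)` is an equivalent memory-indirect jump through the same writable data as before, just without the scratch register. `wakeup_pmode_return` starts outside the hunk.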
1115 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
1116 + # save efer setting
1117 + pushl %eax
1118 + movl %eax, %ebx
1119 +- mov $0xc0000080, %ecx
1120 ++ mov $MSR_EFER, %ecx
1121 + rdmsr
1122 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
1123 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
1124 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
1125 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
1126 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
1127 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
1128 + */
1129 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
1130 + {
1131 ++
1132 ++#ifdef CONFIG_PAX_KERNEXEC
1133 ++ unsigned long cr0;
1134 ++
1135 ++ pax_open_kernel(cr0);
1136 ++#endif
1137 ++
1138 ++ addr += __KERNEL_TEXT_OFFSET;
1139 + memcpy(addr, opcode, len);
1140 ++
1141 ++#ifdef CONFIG_PAX_KERNEXEC
1142 ++ pax_close_kernel(cr0);
1143 ++#endif
1144 ++
1145 + sync_core();
1146 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
1147 + that causes hangs on some VIA CPUs. */
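Review bot: `addr += __KERNEL_TEXT_OFFSET;` is the one KERNEXEC-motivated line in the hunk that sits outside an `#ifdef CONFIG_PAX_KERNEXEC`, so on a non-KERNEXEC build correctness rests on that macro expanding to 0 — if that is the intent, say so in a comment; if not, move the line inside the guarded region. Keeping the WP-cleared window to the single `memcpy` is the right shape; the comment should also state that this is where text is written through the offset alias, e.g. `/* KERNEXEC: text is read-only at its normal VA; write through the __KERNEL_TEXT_OFFSET alias with WP cleared only around the copy */`. `text_poke` continues past the hunk.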
1148 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
1149 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
1150 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
1151 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
1152 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
1153 + static struct apm_user * user_list;
1154 + static DEFINE_SPINLOCK(user_list_lock);
1155 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
1156 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
1157 +
1158 + static const char driver_version[] = "1.16ac"; /* no spaces */
1159 +
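Review bot: The change from `0x00409200` to `0x00409300` flips only the accessed bit of the descriptor type (data, read/write → data, read/write, accessed), and the hunk gives no reason for the new magic number. The likely motive — to be confirmed — is that with KERNEXEC the GDT is mapped read-only, and loading a segment whose accessed bit is clear makes the CPU write the bit back into the descriptor, which would fault; pre-setting it removes that write. Record it at the definition so it is not reverted by a later tidy-up: `/* accessed bit pre-set: the GDT may be read-only (KERNEXEC), so the CPU must never need to write this entry on load */`.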
1160 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
1161 + struct desc_struct save_desc_40;
1162 + struct desc_struct *gdt;
1163 +
1164 ++#ifdef CONFIG_PAX_KERNEXEC
1165 ++ unsigned long cr0;
1166 ++#endif
1167 ++
1168 + cpus = apm_save_cpus();
1169 +
1170 + cpu = get_cpu();
1171 + gdt = get_cpu_gdt_table(cpu);
1172 + save_desc_40 = gdt[0x40 / 8];
1173 ++
1174 ++#ifdef CONFIG_PAX_KERNEXEC
1175 ++ pax_open_kernel(cr0);
1176 ++#endif
1177 ++
1178 + gdt[0x40 / 8] = bad_bios_desc;
1179 +
1180 ++#ifdef CONFIG_PAX_KERNEXEC
1181 ++ pax_close_kernel(cr0);
1182 ++#endif
1183 ++
1184 + apm_irq_save(flags);
1185 + APM_DO_SAVE_SEGS;
1186 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
1187 + APM_DO_RESTORE_SEGS;
1188 + apm_irq_restore(flags);
1189 ++
1190 ++#ifdef CONFIG_PAX_KERNEXEC
1191 ++ pax_open_kernel(cr0);
1192 ++#endif
1193 ++
1194 + gdt[0x40 / 8] = save_desc_40;
1195 ++
1196 ++#ifdef CONFIG_PAX_KERNEXEC
1197 ++ pax_close_kernel(cr0);
1198 ++#endif
1199 ++
1200 + put_cpu();
1201 + apm_restore_cpus(cpus);
1202 +
1203 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
1204 + struct desc_struct save_desc_40;
1205 + struct desc_struct *gdt;
1206 +
1207 ++#ifdef CONFIG_PAX_KERNEXEC
1208 ++ unsigned long cr0;
1209 ++#endif
1210 ++
1211 + cpus = apm_save_cpus();
1212 +
1213 + cpu = get_cpu();
1214 + gdt = get_cpu_gdt_table(cpu);
1215 + save_desc_40 = gdt[0x40 / 8];
1216 ++
1217 ++#ifdef CONFIG_PAX_KERNEXEC
1218 ++ pax_open_kernel(cr0);
1219 ++#endif
1220 ++
1221 + gdt[0x40 / 8] = bad_bios_desc;
1222 +
1223 ++#ifdef CONFIG_PAX_KERNEXEC
1224 ++ pax_close_kernel(cr0);
1225 ++#endif
1226 ++
1227 + apm_irq_save(flags);
1228 + APM_DO_SAVE_SEGS;
1229 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
1230 + APM_DO_RESTORE_SEGS;
1231 + apm_irq_restore(flags);
1232 ++
1233 ++#ifdef CONFIG_PAX_KERNEXEC
1234 ++ pax_open_kernel(cr0);
1235 ++#endif
1236 ++
1237 + gdt[0x40 / 8] = save_desc_40;
1238 ++
1239 ++#ifdef CONFIG_PAX_KERNEXEC
1240 ++ pax_close_kernel(cr0);
1241 ++#endif
1242 ++
1243 + put_cpu();
1244 + apm_restore_cpus(cpus);
1245 + return error;
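Review bot: The four `#ifdef CONFIG_PAX_KERNEXEC` open/close pairs and the `cr0` local added here are a verbatim copy of those added to `apm_bios_call` in the previous hunk, so the WP-off windows now have to be kept in sync by hand in two places. A small static helper that performs one guarded store into `gdt[0x40 / 8]` removes the duplication and leaves a single place to audit; it would be defined above `apm_bios_call`, outside this hunk, and both functions would call `apm_gdt_set_40(gdt, bad_bios_desc);` before the BIOS call and `apm_gdt_set_40(gdt, save_desc_40);` after it. Both functions start outside the hunk.
```c
/* Store one descriptor into the per-CPU GDT slot 0x40; under KERNEXEC WP is cleared only for the store. */
static void apm_gdt_set_40(struct desc_struct *gdt, struct desc_struct desc)
{
#ifdef CONFIG_PAX_KERNEXEC
	unsigned long cr0;

	pax_open_kernel(cr0);
#endif
	gdt[0x40 / 8] = desc;
#ifdef CONFIG_PAX_KERNEXEC
	pax_close_kernel(cr0);
#endif
}

	/* … unchanged: apm_save_cpus / get_cpu / save_desc_40 … */
	apm_gdt_set_40(gdt, bad_bios_desc);
	/* … unchanged: irq save, segment save, BIOS call, segment/irq restore … */
	apm_gdt_set_40(gdt, save_desc_40);
```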
1246 +@@ -924,7 +970,7 @@ recalc:
1247 +
1248 + static void apm_power_off(void)
1249 + {
1250 +- unsigned char po_bios_call[] = {
1251 ++ const unsigned char po_bios_call[] = {
1252 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
1253 + 0x8e, 0xd0, /* movw ax,ss */
1254 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
1255 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
1256 + static struct miscdevice apm_device = {
1257 + APM_MINOR_DEV,
1258 + "apm_bios",
1259 +- &apm_bios_fops
1260 ++ &apm_bios_fops,
1261 ++ {NULL, NULL},
1262 ++ NULL,
1263 ++ NULL
1264 + };
1265 +
1266 +
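Review bot: The positional `{NULL, NULL}, NULL, NULL` tail added to `apm_device` silences the missing-initializer warning by hard-coding the current member order of `struct miscdevice`, so it will stop compiling, or silently zero the wrong member, the next time that struct gains or reorders a field. Designated initializers give the same zero-filled result without the coupling and need no trailing placeholders: `static struct miscdevice apm_device = { .minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops };`. The member names are inferred from the positional order shown here; confirm them against the struct definition.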
1267 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
1268 + print_if_true,
1269 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
1270 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
1271 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
1272 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
1273 + },
1274 + { /* Handle problems with APM on the C600 */
1275 + broken_ps2_resume, "Dell Latitude C600",
1276 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1277 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
1278 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
1279 + },
1280 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
1281 + set_apm_ints, "Dell Latitude",
1282 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1283 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
1284 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
1285 + },
1286 + { /* APM crashes */
1287 + apm_is_horked, "Dell Inspiron 2500",
1288 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1289 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1290 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1291 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1292 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1293 + },
1294 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
1295 + set_apm_ints, "Dell Inspiron", {
1296 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1297 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
1298 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
1299 + },
1300 + { /* Handle problems with APM on Inspiron 5000e */
1301 + broken_apm_power, "Dell Inspiron 5000e",
1302 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1303 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
1304 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
1305 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
1306 + },
1307 + { /* Handle problems with APM on Inspiron 2500 */
1308 + broken_apm_power, "Dell Inspiron 2500",
1309 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1310 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
1311 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
1312 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
1313 + },
1314 + { /* APM crashes */
1315 + apm_is_horked, "Dell Dimension 4100",
1316 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1317 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
1318 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
1319 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1320 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1321 + },
1322 + { /* Allow interrupts during suspend on Compaq Laptops*/
1323 + set_apm_ints, "Compaq 12XL125",
1324 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
1325 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
1326 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1327 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
1328 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
1329 + },
1330 + { /* Allow interrupts during APM or the clock goes slow */
1331 + set_apm_ints, "ASUSTeK",
1332 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
1333 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
1334 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
1335 + },
1336 + { /* APM blows on shutdown */
1337 + apm_is_horked, "ABIT KX7-333[R]",
1338 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
1339 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
1340 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
1341 + },
1342 + { /* APM crashes */
1343 + apm_is_horked, "Trigem Delhi3",
1344 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
1345 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
1346 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
1347 + },
1348 + { /* APM crashes */
1349 + apm_is_horked, "Fujitsu-Siemens",
1350 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
1351 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
1352 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
1353 + },
1354 + { /* APM crashes */
1355 + apm_is_horked_d850md, "Intel D850MD",
1356 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1357 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
1358 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
1359 + },
1360 + { /* APM crashes */
1361 + apm_is_horked, "Intel D810EMO",
1362 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1363 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
1364 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
1365 + },
1366 + { /* APM crashes */
1367 + apm_is_horked, "Dell XPS-Z",
1368 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1369 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
1370 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
1371 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
1372 + },
1373 + { /* APM crashes */
1374 + apm_is_horked, "Sharp PC-PJ/AX",
1375 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
1376 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
1377 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
1378 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
1379 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
1380 + },
1381 + { /* APM crashes */
1382 + apm_is_horked, "Dell Inspiron 2500",
1383 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1384 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1385 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1386 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1387 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1388 + },
1389 + { /* APM idle hangs */
1390 + apm_likes_to_melt, "Jabil AMD",
1391 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1392 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
1393 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
1394 + },
1395 + { /* APM idle hangs */
1396 + apm_likes_to_melt, "AMI Bios",
1397 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1398 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
1399 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
1400 + },
1401 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
1402 + swab_apm_power_in_minutes, "Sony VAIO",
1403 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1404 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
1405 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
1406 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
1407 + },
1408 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
1409 + swab_apm_power_in_minutes, "Sony VAIO",
1410 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1411 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
1412 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
1413 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
1414 + },
1415 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
1416 + swab_apm_power_in_minutes, "Sony VAIO",
1417 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1418 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
1419 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
1420 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
1421 + },
1422 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1423 + swab_apm_power_in_minutes, "Sony VAIO",
1424 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1425 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
1426 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
1427 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
1428 + },
1429 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1430 + swab_apm_power_in_minutes, "Sony VAIO",
1431 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1432 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
1433 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
1434 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
1435 + },
1436 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
1437 + swab_apm_power_in_minutes, "Sony VAIO",
1438 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1439 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
1440 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
1441 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
1442 + },
1443 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1444 + swab_apm_power_in_minutes, "Sony VAIO",
1445 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1446 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
1447 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
1448 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
1449 + },
1450 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1451 + swab_apm_power_in_minutes, "Sony VAIO",
1452 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1453 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
1454 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
1455 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
1456 + },
1457 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
1458 + swab_apm_power_in_minutes, "Sony VAIO",
1459 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1460 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
1461 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
1462 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
1463 + },
1464 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
1465 + swab_apm_power_in_minutes, "Sony VAIO",
1466 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1467 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
1468 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
1469 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
1470 + },
1471 +
1472 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
1473 + swab_apm_power_in_minutes, "Sony VAIO",
1474 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1475 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
1476 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
1477 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
1478 + },
1479 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1480 + swab_apm_power_in_minutes, "Sony VAIO",
1481 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1482 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
1483 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
1484 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
1485 + },
1486 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1487 + swab_apm_power_in_minutes, "Sony VAIO",
1488 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1489 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
1490 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
1491 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
1492 + },
1493 + { /* broken PM poweroff bios */
1494 + set_realmode_power_off, "Award Software v4.60 PGMA",
1495 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
1496 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
1497 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
1498 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
1499 + },
1500 +
1501 + /* Generic per vendor APM settings */
1502 +
1503 + { /* Allow interrupts during suspend on IBM laptops */
1504 + set_apm_ints, "IBM",
1505 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
1506 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
1507 + },
1508 +
1509 +- { }
1510 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
1511 + };
1512 +
1513 + /*
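Review bot: The terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` spells the all-zero sentinel differently from the `{ NULL, NULL, {{0, NULL}}, NULL}` form the patch uses for the two acpi tables, and presumably the table walk stops on a NULL first member (`ident`), so the `matches` content of the sentinel is irrelevant either way. Pick one spelling for every table the patch touches — or, more robustly, keep `{ }` and silence the warning with a designated `{ .ident = NULL }`, which says exactly what terminates the walk and does not depend on `DMI_NONE` being zero. The `, NULL` appended to each entry is likewise a positional initializer for the last member of `struct dmi_system_id` and carries the same fragility if that struct ever grows; a designated initializer for that member would be clearer.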
1514 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
1515 + struct desc_struct *gdt;
1516 + int err;
1517 +
1518 ++#ifdef CONFIG_PAX_KERNEXEC
1519 ++ unsigned long cr0;
1520 ++#endif
1521 ++
1522 + dmi_check_system(apm_dmi_table);
1523 +
1524 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
1525 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
1526 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
1527 + * even though they are called in protected mode.
1528 + */
1529 ++
1530 ++#ifdef CONFIG_PAX_KERNEXEC
1531 ++ pax_open_kernel(cr0);
1532 ++#endif
1533 ++
1534 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
1535 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
1536 +
1537 ++#ifdef CONFIG_PAX_KERNEXEC
1538 ++ pax_close_kernel(cr0);
1539 ++#endif
1540 ++
1541 + /*
1542 + * Set up the long jump entry point to the APM BIOS, which is called
1543 + * from inline assembly.
1544 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
1545 + * code to that CPU.
1546 + */
1547 + gdt = get_cpu_gdt_table(0);
1548 ++
1549 ++#ifdef CONFIG_PAX_KERNEXEC
1550 ++ pax_open_kernel(cr0);
1551 ++#endif
1552 ++
1553 + set_base(gdt[APM_CS >> 3],
1554 + __va((unsigned long)apm_info.bios.cseg << 4));
1555 + set_base(gdt[APM_CS_16 >> 3],
1556 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
1557 + set_base(gdt[APM_DS >> 3],
1558 + __va((unsigned long)apm_info.bios.dseg << 4));
1559 +
1560 ++#ifdef CONFIG_PAX_KERNEXEC
1561 ++ pax_close_kernel(cr0);
1562 ++#endif
1563 ++
1564 + apm_proc = create_proc_entry("apm", 0, NULL);
1565 + if (apm_proc)
1566 + apm_proc->proc_fops = &apm_file_ops;
1567 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
1568 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
1569 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
1570 +@@ -109,6 +109,7 @@ void foo(void)
1571 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
1572 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
1573 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
1574 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
1575 +
1576 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
1577 +
1578 +@@ -122,6 +123,7 @@ void foo(void)
1579 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
1580 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
1581 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
1582 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
1583 + #endif
1584 +
1585 + #ifdef CONFIG_XEN
1586 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
1587 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
1588 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
1589 +@@ -4,7 +4,6 @@
1590 + #include <linux/smp.h>
1591 + #include <linux/module.h>
1592 + #include <linux/percpu.h>
1593 +-#include <linux/bootmem.h>
1594 + #include <asm/semaphore.h>
1595 + #include <asm/processor.h>
1596 + #include <asm/i387.h>
1597 +@@ -21,39 +20,15 @@
1598 +
1599 + #include "cpu.h"
1600 +
1601 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
1602 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
1603 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
1604 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
1605 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
1606 +- /*
1607 +- * Segments used for calling PnP BIOS have byte granularity.
1608 +- * They code segments and data segments have fixed 64k limits,
1609 +- * the transfer segment sizes are set at run time.
1610 +- */
1611 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1612 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
1613 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
1614 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
1615 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
1616 +- /*
1617 +- * The APM segments have byte granularity and their bases
1618 +- * are set at run time. All have 64k limits.
1619 +- */
1620 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1621 +- /* 16-bit code */
1622 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
1623 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
1624 +-
1625 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
1626 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
1627 +-} };
1628 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
1629 +-
1630 + static int cachesize_override __cpuinitdata = -1;
1631 + static int disable_x86_fxsr __cpuinitdata;
1632 + static int disable_x86_serial_nr __cpuinitdata = 1;
1633 +-static int disable_x86_sep __cpuinitdata;
1634 ++
1635 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1636 ++int disable_x86_sep __cpuinitdata = 1;
1637 ++#else
1638 ++int disable_x86_sep __cpuinitdata;
1639 ++#endif
1640 +
1641 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
1642 +
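Review bot: `disable_x86_sep` loses its `static` so that head.S can store to it (`movl $0,disable_x86_sep-__PAGE_OFFSET` later in this patch), but no `extern` declaration is visible in this chunk and the two `#if` lists differ: this one disables SEP for `CONFIG_PAX_PAGEEXEC` as well, whereas the head.S re-enable omits it. If that asymmetry is deliberate (PAGEEXEC only needs the non-flat segments when the CPU has no NX, so SEP can come back once NX is confirmed), say so where the default is set, e.g. `/* non-static: head.S clears this once NX is confirmed; keep in sync with the #if in head.S */`. Otherwise a later edit to one list will silently desynchronize the other.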
1643 +@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
1644 + void __init cpu_detect(struct cpuinfo_x86 *c)
1645 + {
1646 + /* Get vendor name */
1647 +- cpuid(0x00000000, &c->cpuid_level,
1648 +- (int *)&c->x86_vendor_id[0],
1649 +- (int *)&c->x86_vendor_id[8],
1650 +- (int *)&c->x86_vendor_id[4]);
1651 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1652 ++ (unsigned int *)&c->x86_vendor_id[0],
1653 ++ (unsigned int *)&c->x86_vendor_id[8],
1654 ++ (unsigned int *)&c->x86_vendor_id[4]);
1655 +
1656 + c->x86 = 4;
1657 + if (c->cpuid_level >= 0x00000001) {
1658 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
1659 +
1660 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
1661 + {
1662 +- u32 tfms, xlvl;
1663 +- int ebx;
1664 ++ u32 tfms, xlvl, ebx;
1665 +
1666 + if (have_cpuid_p()) {
1667 + /* Get vendor name */
1668 +- cpuid(0x00000000, &c->cpuid_level,
1669 +- (int *)&c->x86_vendor_id[0],
1670 +- (int *)&c->x86_vendor_id[8],
1671 +- (int *)&c->x86_vendor_id[4]);
1672 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1673 ++ (unsigned int *)&c->x86_vendor_id[0],
1674 ++ (unsigned int *)&c->x86_vendor_id[8],
1675 ++ (unsigned int *)&c->x86_vendor_id[4]);
1676 +
1677 + get_cpu_vendor(c, 0);
1678 + /* Initialize the standard set of capabilities */
1679 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
1680 + {
1681 + struct Xgt_desc_struct gdt_descr;
1682 +
1683 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
1684 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
1685 + gdt_descr.size = GDT_SIZE - 1;
1686 + load_gdt(&gdt_descr);
1687 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
1688 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
1689 + {
1690 + int cpu = smp_processor_id();
1691 + struct task_struct *curr = current;
1692 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
1693 ++ struct tss_struct *t = init_tss + cpu;
1694 + struct thread_struct *thread = &curr->thread;
1695 +
1696 + if (cpu_test_and_set(cpu, cpu_initialized)) {
1697 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
1698 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
1699 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
1700 +@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
1701 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
1702 + },
1703 + },
1704 +- { }
1705 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
1706 + };
1707 + #endif
1708 +
1709 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
1710 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
1711 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
1712 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
1713 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
1714 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
1715 +
1716 +- { NULL, }
1717 ++ { NULL, NULL, 0, NULL}
1718 + };
1719 + #undef _BANIAS
1720 + #undef BANIAS
1721 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
1722 +--- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
1723 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
1724 +@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
1725 + */
1726 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
1727 + /* supports eax=2 call */
1728 +- int i, j, n;
1729 +- int regs[4];
1730 ++ int j, n;
1731 ++ unsigned int regs[4];
1732 + unsigned char *dp = (unsigned char *)regs;
1733 + int only_trace = 0;
1734 +
1735 +@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
1736 +
1737 + /* If bit 31 is set, this is an unknown format */
1738 + for ( j = 0 ; j < 3 ; j++ ) {
1739 +- if ( regs[j] < 0 ) regs[j] = 0;
1740 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
1741 + }
1742 +
1743 + /* Byte 0 is level count, not a descriptor */
1744 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
1745 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
1746 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
1747 +@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
1748 + return NOTIFY_OK;
1749 + }
1750 +
1751 +-static struct notifier_block thermal_throttle_cpu_notifier =
1752 ++static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
1753 + {
1754 + .notifier_call = thermal_throttle_cpu_callback,
1755 + };
1756 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
1757 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
1758 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
1759 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
1760 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
1761 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
1762 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
1763 +- {}
1764 ++ { 0, 0 }
1765 + };
1766 +
1767 + static unsigned long smp_changes_mask;
1768 +-static struct mtrr_state mtrr_state = {};
1769 ++static struct mtrr_state mtrr_state;
1770 +
1771 + #undef MODULE_PARAM_PREFIX
1772 + #define MODULE_PARAM_PREFIX "mtrr."
1773 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
1774 +--- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
1775 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
1776 +@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
1777 + return NOTIFY_STOP;
1778 + local_irq_disable();
1779 +
1780 +- if (!user_mode_vm(regs)) {
1781 ++ if (!user_mode(regs)) {
1782 + crash_fixup_ss_esp(&fixed_regs, regs);
1783 + regs = &fixed_regs;
1784 + }
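Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` drops the EFLAGS.VM test, so an NMI that lands in a vm86 task would be treated as a kernel frame and `crash_fixup_ss_esp()` would overwrite the user ss/esp with kernel values in the dump. Stock 2.6.23 `user_mode()` checks only the CS RPL; this change is safe only if the patch's ptrace.h changes (not in this chunk) fold the VM bit into `user_mode()`. If they do not, keep `if (!user_mode_vm(regs)) {`.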
1785 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
1786 +--- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
1787 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
1788 +@@ -11,17 +11,17 @@
1789 +
1790 + #define DOUBLEFAULT_STACKSIZE (1024)
1791 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1792 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1793 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1794 +
1795 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1796 +
1797 + static void doublefault_fn(void)
1798 + {
1799 +- struct Xgt_desc_struct gdt_desc = {0, 0};
1800 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1801 + unsigned long gdt, tss;
1802 +
1803 + store_gdt(&gdt_desc);
1804 +- gdt = gdt_desc.address;
1805 ++ gdt = (unsigned long)gdt_desc.address;
1806 +
1807 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1808 +
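Review bot: The new `STACK_START` backs the initial double-fault %esp off by two longs from the end of `doublefault_stack`, but nothing says why; the old value pointed exactly one past the array, which is a legal initial stack pointer. If the intent is to keep the first pushes inside the array (for example for a stack-bounds check elsewhere in the patch), document it next to the define, e.g. `/* two slots of slack so the first pushes stay inside doublefault_stack */`; if it compensates for something else, that reason belongs here instead.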
1809 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1810 + /* 0x2 bit is always set */
1811 + .eflags = X86_EFLAGS_SF | 0x2,
1812 + .esp = STACK_START,
1813 +- .es = __USER_DS,
1814 ++ .es = __KERNEL_DS,
1815 + .cs = __KERNEL_CS,
1816 + .ss = __KERNEL_DS,
1817 +- .ds = __USER_DS,
1818 ++ .ds = __KERNEL_DS,
1819 + .fs = __KERNEL_PERCPU,
1820 +
1821 + .__cr3 = __pa(swapper_pg_dir)
1822 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
1823 +--- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
1824 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
1825 +@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1826 +
1827 + static unsigned long efi_rt_eflags;
1828 + static DEFINE_SPINLOCK(efi_rt_lock);
1829 +-static pgd_t efi_bak_pg_dir_pointer[2];
1830 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
1831 +
1832 + static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
1833 + {
1834 +- unsigned long cr4;
1835 +- unsigned long temp;
1836 + struct Xgt_desc_struct gdt_descr;
1837 +
1838 + spin_lock(&efi_rt_lock);
1839 + local_irq_save(efi_rt_eflags);
1840 +
1841 +- /*
1842 +- * If I don't have PSE, I should just duplicate two entries in page
1843 +- * directory. If I have PSE, I just need to duplicate one entry in
1844 +- * page directory.
1845 +- */
1846 +- cr4 = read_cr4();
1847 +-
1848 +- if (cr4 & X86_CR4_PSE) {
1849 +- efi_bak_pg_dir_pointer[0].pgd =
1850 +- swapper_pg_dir[pgd_index(0)].pgd;
1851 +- swapper_pg_dir[0].pgd =
1852 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1853 +- } else {
1854 +- efi_bak_pg_dir_pointer[0].pgd =
1855 +- swapper_pg_dir[pgd_index(0)].pgd;
1856 +- efi_bak_pg_dir_pointer[1].pgd =
1857 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
1858 +- swapper_pg_dir[pgd_index(0)].pgd =
1859 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1860 +- temp = PAGE_OFFSET + 0x400000;
1861 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1862 +- swapper_pg_dir[pgd_index(temp)].pgd;
1863 +- }
1864 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
1865 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1866 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
1867 +
1868 + /*
1869 + * After the lock is released, the original page table is restored.
1870 + */
1871 +- local_flush_tlb();
1872 ++ __flush_tlb_all();
1873 +
1874 + gdt_descr.address = __pa(get_cpu_gdt_table(0));
1875 + gdt_descr.size = GDT_SIZE - 1;
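Review bot: `efi_bak_pg_dir_pointer` is now `__initdata`, but `efi_call_phys_prelog()` (and its epilog in the next hunk) are not marked `__init`, so they stay in `.text` while the buffer they save to is freed with init memory; modpost will flag the reference and any post-init caller would scribble over freed pages. Since the only callers in this patch are made `__init` and `efi_call_phys` moves to `__INIT` in efi_stub.S, mark these two as `static void __init efi_call_phys_prelog(void)` / `static void __init efi_call_phys_epilog(void)` so the lifetime is enforced rather than assumed. The switch to `__flush_tlb_all()` is the right call here, because kernel PGD entries cloned into the low slots may be global pages that `local_flush_tlb()` would leave cached.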
1876 +@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
1877 +
1878 + static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
1879 + {
1880 +- unsigned long cr4;
1881 + struct Xgt_desc_struct gdt_descr;
1882 +
1883 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
1884 ++ gdt_descr.address = get_cpu_gdt_table(0);
1885 + gdt_descr.size = GDT_SIZE - 1;
1886 + load_gdt(&gdt_descr);
1887 +-
1888 +- cr4 = read_cr4();
1889 +-
1890 +- if (cr4 & X86_CR4_PSE) {
1891 +- swapper_pg_dir[pgd_index(0)].pgd =
1892 +- efi_bak_pg_dir_pointer[0].pgd;
1893 +- } else {
1894 +- swapper_pg_dir[pgd_index(0)].pgd =
1895 +- efi_bak_pg_dir_pointer[0].pgd;
1896 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1897 +- efi_bak_pg_dir_pointer[1].pgd;
1898 +- }
1899 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
1900 +
1901 + /*
1902 + * After the lock is released, the original page table is restored.
1903 + */
1904 +- local_flush_tlb();
1905 ++ __flush_tlb_all();
1906 +
1907 + local_irq_restore(efi_rt_eflags);
1908 + spin_unlock(&efi_rt_lock);
1909 + }
1910 +
1911 +-static efi_status_t
1912 ++static efi_status_t __init
1913 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
1914 + unsigned long descriptor_size,
1915 + u32 descriptor_version,
1916 +@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
1917 + return status;
1918 + }
1919 +
1920 +-static efi_status_t
1921 ++static efi_status_t __init
1922 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
1923 + {
1924 + efi_status_t status;
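Review bot: Marking `phys_efi_get_time()` `__init` is safe only if every `efi.get_time` pointer that `efi_init()` (outside this chunk) sets to it is replaced by the virtual-mode variant before `free_initmem()`; otherwise a later RTC read through `efi.get_time` jumps into freed `.init.text`. On a kernel that never enters EFI virtual mode that replacement may not happen, so please verify that path or leave this function out of `.init.text`. A comment such as `/* __init: must not be reachable through efi.get_time once init memory is freed */` would record the assumption.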
1925 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
1926 +--- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
1927 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
1928 +@@ -6,6 +6,7 @@
1929 + */
1930 +
1931 + #include <linux/linkage.h>
1932 ++#include <linux/init.h>
1933 + #include <asm/page.h>
1934 +
1935 + /*
1936 +@@ -20,7 +21,7 @@
1937 + * service functions will comply with gcc calling convention, too.
1938 + */
1939 +
1940 +-.text
1941 ++__INIT
1942 + ENTRY(efi_call_phys)
1943 + /*
1944 + * 0. The function can only be called in Linux kernel. So CS has been
1945 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
1946 + * The mapping of lower virtual memory has been created in prelog and
1947 + * epilog.
1948 + */
1949 +- movl $1f, %edx
1950 +- subl $__PAGE_OFFSET, %edx
1951 +- jmp *%edx
1952 ++ jmp 1f-__PAGE_OFFSET
1953 + 1:
1954 +
1955 + /*
1956 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
1957 + * parameter 2, ..., param n. To make things easy, we save the return
1958 + * address of efi_call_phys in a global variable.
1959 + */
1960 +- popl %edx
1961 +- movl %edx, saved_return_addr
1962 +- /* get the function pointer into ECX*/
1963 +- popl %ecx
1964 +- movl %ecx, efi_rt_function_ptr
1965 +- movl $2f, %edx
1966 +- subl $__PAGE_OFFSET, %edx
1967 +- pushl %edx
1968 ++ popl (saved_return_addr)
1969 ++ popl (efi_rt_function_ptr)
1970 +
1971 + /*
1972 + * 3. Clear PG bit in %CR0.
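Review bot: `popl (saved_return_addr)` and `popl (efi_rt_function_ptr)` run at the physical EIP but address the variables through their virtual (`__PAGE_OFFSET`-based) symbols; that works only because paging is still enabled and the high kernel mapping is still live until step 3 clears CR0.PG, which is not obvious from the code. A comment ahead of the pops, e.g. `/* paging is still on here, so the virtual symbols are reachable */`, would protect the ordering. Both variables now also live in `__INITDATA`, so `efi_call_phys` must never be reached after init memory is freed; the `__INIT` placement of the routine makes that a hard requirement worth stating in the header comment.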
1973 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
1974 + /*
1975 + * 5. Call the physical function.
1976 + */
1977 +- jmp *%ecx
1978 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
1979 +
1980 +-2:
1981 + /*
1982 + * 6. After EFI runtime service returns, control will return to
1983 + * following instruction. We'd better readjust stack pointer first.
1984 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
1985 + movl %cr0, %edx
1986 + orl $0x80000000, %edx
1987 + movl %edx, %cr0
1988 +- jmp 1f
1989 +-1:
1990 ++
1991 + /*
1992 + * 8. Now restore the virtual mode from flat mode by
1993 + * adding EIP with PAGE_OFFSET.
1994 + */
1995 +- movl $1f, %edx
1996 +- jmp *%edx
1997 ++ jmp 1f+__PAGE_OFFSET
1998 + 1:
1999 +
2000 + /*
2001 + * 9. Balance the stack. And because EAX contain the return value,
2002 + * we'd better not clobber it.
2003 + */
2004 +- leal efi_rt_function_ptr, %edx
2005 +- movl (%edx), %ecx
2006 +- pushl %ecx
2007 ++ pushl (efi_rt_function_ptr)
2008 +
2009 + /*
2010 +- * 10. Push the saved return address onto the stack and return.
2011 ++ * 10. Return to the saved return address.
2012 + */
2013 +- leal saved_return_addr, %edx
2014 +- movl (%edx), %ecx
2015 +- pushl %ecx
2016 +- ret
2017 ++ jmpl *(saved_return_addr)
2018 + .previous
2019 +
2020 +-.data
2021 ++__INITDATA
2022 + saved_return_addr:
2023 + .long 0
2024 + efi_rt_function_ptr:
2025 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
2026 +--- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
2027 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
2028 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
2029 + #define resume_userspace_sig resume_userspace
2030 + #endif
2031 +
2032 +-#define SAVE_ALL \
2033 ++#define __SAVE_ALL(_DS) \
2034 + cld; \
2035 + pushl %fs; \
2036 + CFI_ADJUST_CFA_OFFSET 4;\
2037 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
2038 + pushl %ebx; \
2039 + CFI_ADJUST_CFA_OFFSET 4;\
2040 + CFI_REL_OFFSET ebx, 0;\
2041 +- movl $(__USER_DS), %edx; \
2042 ++ movl $(_DS), %edx; \
2043 + movl %edx, %ds; \
2044 + movl %edx, %es; \
2045 + movl $(__KERNEL_PERCPU), %edx; \
2046 + movl %edx, %fs
2047 +
2048 ++#ifdef CONFIG_PAX_KERNEXEC
2049 ++#define SAVE_ALL \
2050 ++ __SAVE_ALL(__KERNEL_DS); \
2051 ++ GET_CR0_INTO_EDX; \
2052 ++ movl %edx, %esi; \
2053 ++ orl $X86_CR0_WP, %edx; \
2054 ++ xorl %edx, %esi; \
2055 ++ SET_CR0_FROM_EDX
2056 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2057 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
2058 ++#else
2059 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
2060 ++#endif
2061 ++
2062 + #define RESTORE_INT_REGS \
2063 + popl %ebx; \
2064 + CFI_ADJUST_CFA_OFFSET -4;\
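Review bot: The KERNEXEC `SAVE_ALL` variant hands the CR0.WP delta to the handler in `%esi` and relies on three things that are not written down: `%esi` is callee-saved so C code preserves it, every `SAVE_ALL` user that returns to kernel mode must pass through the `check_userspace` restore (or restore by hand as the NMI paths do), and the syscall entries may skip the restore only because WP is always set when coming from user space. Please add a comment on the macro stating that protocol; an entry path added later that returns via `restore_all` without restoring CR0 would silently leave WP cleared. `__SAVE_ALL(__KERNEL_DS)` on the UDEREF/PAGEEXEC/SEGMEXEC branches also means the sysexit path must reload user DS/ES (done further down in this file), which is worth cross-referencing here.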
2065 +@@ -248,7 +262,17 @@ check_userspace:
2066 + movb PT_CS(%esp), %al
2067 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
2068 + cmpl $USER_RPL, %eax
2069 ++
2070 ++#ifdef CONFIG_PAX_KERNEXEC
2071 ++ jae resume_userspace
2072 ++
2073 ++ GET_CR0_INTO_EDX
2074 ++ xorl %esi, %edx
2075 ++ SET_CR0_FROM_EDX
2076 ++ jmp resume_kernel
2077 ++#else
2078 + jb resume_kernel # not returning to v8086 or userspace
2079 ++#endif
2080 +
2081 + ENTRY(resume_userspace)
2082 + DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
2083 +@@ -307,10 +331,9 @@ sysenter_past_esp:
2084 + /*CFI_REL_OFFSET cs, 0*/
2085 + /*
2086 + * Push current_thread_info()->sysenter_return to the stack.
2087 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
2088 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
2089 + */
2090 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
2091 ++ GET_THREAD_INFO(%ebp)
2092 ++ pushl TI_sysenter_return(%ebp)
2093 + CFI_ADJUST_CFA_OFFSET 4
2094 + CFI_REL_OFFSET eip, 0
2095 +
2096 +@@ -318,9 +341,17 @@ sysenter_past_esp:
2097 + * Load the potential sixth argument from user stack.
2098 + * Careful about security.
2099 + */
2100 ++ movl 12(%esp),%ebp
2101 ++
2102 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2103 ++ mov 16(%esp),%ds
2104 ++1: movl %ds:(%ebp),%ebp
2105 ++#else
2106 + cmpl $__PAGE_OFFSET-3,%ebp
2107 + jae syscall_fault
2108 + 1: movl (%ebp),%ebp
2109 ++#endif
2110 ++
2111 + .section __ex_table,"a"
2112 + .align 4
2113 + .long 1b,syscall_fault
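Review bot: Under `CONFIG_PAX_MEMORY_UDEREF` the explicit `cmpl $__PAGE_OFFSET-3,%ebp` range check is replaced by loading `%ds` with the `__USER_DS` selector pushed at 16(%esp) and letting the segment limit fault on kernel addresses; that is equivalent only if the UDEREF `__USER_DS` descriptor ends at `__PAGE_OFFSET`, which is set up elsewhere in the patch, so state the dependency, e.g. `/* UDEREF: __USER_DS limit ends at __PAGE_OFFSET; the segment check replaces the range compare */`. The `movl 12(%esp),%ebp` reload is needed because the previous hunk's `GET_THREAD_INFO(%ebp)` clobbered the user stack pointer the original code kept in `%ebp`; a one-line comment saying so would stop someone from "optimizing" it away.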
2114 +@@ -343,20 +374,37 @@ sysenter_past_esp:
2115 + movl TI_flags(%ebp), %ecx
2116 + testw $_TIF_ALLWORK_MASK, %cx
2117 + jne syscall_exit_work
2118 ++
2119 ++#ifdef CONFIG_PAX_RANDKSTACK
2120 ++ pushl %eax
2121 ++ CFI_ADJUST_CFA_OFFSET 4
2122 ++ call pax_randomize_kstack
2123 ++ popl %eax
2124 ++ CFI_ADJUST_CFA_OFFSET -4
2125 ++#endif
2126 ++
2127 + /* if something modifies registers it must also disable sysexit */
2128 + movl PT_EIP(%esp), %edx
2129 + movl PT_OLDESP(%esp), %ecx
2130 + xorl %ebp,%ebp
2131 + TRACE_IRQS_ON
2132 + 1: mov PT_FS(%esp), %fs
2133 ++2: mov PT_DS(%esp), %ds
2134 ++3: mov PT_ES(%esp), %es
2135 + ENABLE_INTERRUPTS_SYSEXIT
2136 + CFI_ENDPROC
2137 + .pushsection .fixup,"ax"
2138 +-2: movl $0,PT_FS(%esp)
2139 ++4: movl $0,PT_FS(%esp)
2140 + jmp 1b
2141 ++5: movl $0,PT_DS(%esp)
2142 ++ jmp 2b
2143 ++6: movl $0,PT_ES(%esp)
2144 ++ jmp 3b
2145 + .section __ex_table,"a"
2146 + .align 4
2147 +- .long 1b,2b
2148 ++ .long 1b,4b
2149 ++ .long 2b,5b
2150 ++ .long 3b,6b
2151 + .popsection
2152 + ENDPROC(sysenter_entry)
2153 +
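Review bot: The new `2:`/`3:` loads restore `%ds`/`%es` from pt_regs on the sysexit path because `SAVE_ALL` now installs `__KERNEL_DS` there and `sysexit` reloads only CS/SS; without them a process would return to ring 3 still holding the kernel data selector, which under UDEREF is the expand-down kernel-only segment. That rationale is not in the hunk, so add it above label `1:`, e.g. `/* SAVE_ALL loaded __KERNEL_DS; sysexit does not touch DS/ES, so restore the user values (faults fixed up below) */`. The `pushl %eax`/`popl %eax` around `pax_randomize_kstack` is needed here, unlike on the int 0x80 path, because sysexit returns `%eax` live rather than via RESTORE_REGS; that asymmetry deserves a comment too.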
2154 +@@ -389,6 +437,10 @@ no_singlestep:
2155 + testw $_TIF_ALLWORK_MASK, %cx # current->work
2156 + jne syscall_exit_work
2157 +
2158 ++#ifdef CONFIG_PAX_RANDKSTACK
2159 ++ call pax_randomize_kstack
2160 ++#endif
2161 ++
2162 + restore_all:
2163 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
2164 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
2165 +@@ -552,17 +604,24 @@ syscall_badsys:
2166 + END(syscall_badsys)
2167 + CFI_ENDPROC
2168 +
2169 +-#define FIXUP_ESPFIX_STACK \
2170 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
2171 +- PER_CPU(gdt_page, %ebx); \
2172 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
2173 +- addl %esp, %eax; \
2174 +- pushl $__KERNEL_DS; \
2175 +- CFI_ADJUST_CFA_OFFSET 4; \
2176 +- pushl %eax; \
2177 +- CFI_ADJUST_CFA_OFFSET 4; \
2178 +- lss (%esp), %esp; \
2179 ++.macro FIXUP_ESPFIX_STACK
2180 ++ /* since we are on a wrong stack, we cant make it a C code :( */
2181 ++#ifdef CONFIG_SMP
2182 ++ movl PER_CPU_VAR(cpu_number), %ebx;
2183 ++ shll $PAGE_SHIFT_asm, %ebx;
2184 ++ addl $cpu_gdt_table, %ebx;
2185 ++#else
2186 ++ movl $cpu_gdt_table, %ebx;
2187 ++#endif
2188 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
2189 ++ addl %esp, %eax;
2190 ++ pushl $__KERNEL_DS;
2191 ++ CFI_ADJUST_CFA_OFFSET 4;
2192 ++ pushl %eax;
2193 ++ CFI_ADJUST_CFA_OFFSET 4;
2194 ++ lss (%esp), %esp;
2195 + CFI_ADJUST_CFA_OFFSET -8;
2196 ++.endm
2197 + #define UNWIND_ESPFIX_STACK \
2198 + movl %ss, %eax; \
2199 + /* see if on espfix stack */ \
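Review bot: The rewritten macro derives the current CPU's GDT as `cpu_gdt_table + (cpu_number << PAGE_SHIFT)`, i.e. it hard-codes that `cpu_gdt_table` is a contiguous array of page-sized per-CPU GDTs (replacing the `gdt_page` per-cpu variable dropped in common.c); that layout is defined elsewhere in the patch, so note it here, e.g. `/* cpu_gdt_table is one page per CPU, indexed by cpu_number */`. `PER_CPU_VAR(cpu_number)` is `%fs`-relative, so the macro is valid only after `__KERNEL_PERCPU` has been loaded — unchanged from the original `PER_CPU(gdt_page, %ebx)` form, but worth keeping in the comment now that the address arithmetic is spelled out by hand.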
2200 +@@ -579,7 +638,7 @@ END(syscall_badsys)
2201 + * Build the entry stubs and pointer table with
2202 + * some assembler magic.
2203 + */
2204 +-.data
2205 ++.section .rodata,"a",@progbits
2206 + ENTRY(interrupt)
2207 + .text
2208 +
2209 +@@ -679,12 +738,21 @@ error_code:
2210 + popl %ecx
2211 + CFI_ADJUST_CFA_OFFSET -4
2212 + /*CFI_REGISTER es, ecx*/
2213 ++
2214 ++#ifdef CONFIG_PAX_KERNEXEC
2215 ++ GET_CR0_INTO_EDX
2216 ++ movl %edx, %esi
2217 ++ orl $X86_CR0_WP, %edx
2218 ++ xorl %edx, %esi
2219 ++ SET_CR0_FROM_EDX
2220 ++#endif
2221 ++
2222 + movl PT_FS(%esp), %edi # get the function address
2223 + movl PT_ORIG_EAX(%esp), %edx # get the error code
2224 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
2225 + mov %ecx, PT_FS(%esp)
2226 + /*CFI_REL_OFFSET fs, ES*/
2227 +- movl $(__USER_DS), %ecx
2228 ++ movl $(__KERNEL_DS), %ecx
2229 + movl %ecx, %ds
2230 + movl %ecx, %es
2231 + movl %esp,%eax # pt_regs pointer
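Review bot: The CR0.WP save sequence (`GET_CR0_INTO_EDX; movl %edx,%esi; orl $X86_CR0_WP,%edx; xorl %edx,%esi; SET_CR0_FROM_EDX`) is now spelled out here and again inside `SAVE_ALL`, with the mirror-image restore repeated in `check_userspace` and both NMI paths; give each a named macro (e.g. `PAX_CR0_WP_SAVE` / `PAX_CR0_WP_RESTORE`) so the `%esi` convention lives in one place. Switching DS/ES to `__KERNEL_DS` here is unconditional, whereas `SAVE_ALL` still picks `__USER_DS` on a kernel with no PaX option; both are flat segments in that configuration, so it is inconsistent rather than harmful, but the two should agree.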
2232 +@@ -818,6 +886,13 @@ nmi_stack_correct:
2233 + xorl %edx,%edx # zero error code
2234 + movl %esp,%eax # pt_regs pointer
2235 + call do_nmi
2236 ++
2237 ++#ifdef CONFIG_PAX_KERNEXEC
2238 ++ GET_CR0_INTO_EDX
2239 ++ xorl %esi, %edx
2240 ++ SET_CR0_FROM_EDX
2241 ++#endif
2242 ++
2243 + jmp restore_nocheck_notrace
2244 + CFI_ENDPROC
2245 +
2246 +@@ -858,6 +933,13 @@ nmi_espfix_stack:
2247 + FIXUP_ESPFIX_STACK # %eax == %esp
2248 + xorl %edx,%edx # zero error code
2249 + call do_nmi
2250 ++
2251 ++#ifdef CONFIG_PAX_KERNEXEC
2252 ++ GET_CR0_INTO_EDX
2253 ++ xorl %esi, %edx
2254 ++ SET_CR0_FROM_EDX
2255 ++#endif
2256 ++
2257 + RESTORE_REGS
2258 + lss 12+4(%esp), %esp # back to espfix stack
2259 + CFI_ADJUST_CFA_OFFSET -24
2260 +@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
2261 +
2262 + #endif /* CONFIG_XEN */
2263 +
2264 +-.section .rodata,"a"
2265 + #include "syscall_table.S"
2266 +
2267 + syscall_table_size=(.-sys_call_table)
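Review bot: Dropping `.section .rodata,"a"` ahead of `#include "syscall_table.S"` means `sys_call_table` is emitted in whatever section is current after the Xen block — `.text` by default — unless `syscall_table.S` now selects `.rodata` itself; that file is not in this chunk. Placing the table in `.text` would be the opposite of what this patch does for the `interrupt` table a few hunks earlier. If the directive did move into `syscall_table.S`, a one-line comment here (`/* section selected in syscall_table.S */`) makes the dependency visible; if it did not, keep `.section .rodata,"a",@progbits` here.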
2268 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
2269 +--- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
2270 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
2271 +@@ -18,6 +18,7 @@
2272 + #include <asm/thread_info.h>
2273 + #include <asm/asm-offsets.h>
2274 + #include <asm/setup.h>
2275 ++#include <asm/msr-index.h>
2276 +
2277 + /*
2278 + * References to members of the new_cpu_data structure.
2279 +@@ -51,17 +52,22 @@
2280 + */
2281 + LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
2282 +
2283 +-#if PTRS_PER_PMD > 1
2284 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
2285 +-#else
2286 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
2287 +-#endif
2288 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
2289 + BOOTBITMAP_SIZE = LOW_PAGES / 8
2290 + ALLOCATOR_SLOP = 4
2291 +
2292 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
2293 +
2294 + /*
2295 ++ * Real beginning of normal "text" segment
2296 ++ */
2297 ++ENTRY(stext)
2298 ++ENTRY(_stext)
2299 ++
2300 ++.section .text.startup,"ax",@progbits
2301 ++ ljmp $(__BOOT_CS),$phys_startup_32
2302 ++
2303 ++/*
2304 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
2305 + * %esi points to the real-mode code as a 32-bit pointer.
2306 + * CS and DS must be 4 GB flat segments, but we don't depend on
2307 +@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
2308 + * can.
2309 + */
2310 + .section .text.head,"ax",@progbits
2311 ++
2312 ++#ifdef CONFIG_PAX_KERNEXEC
2313 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
2314 ++.fill 4096,1,0xcc
2315 ++#endif
2316 ++
2317 + ENTRY(startup_32)
2318 +
2319 + /*
2320 +@@ -82,6 +94,43 @@ ENTRY(startup_32)
2321 + movl %eax,%fs
2322 + movl %eax,%gs
2323 +
2324 ++ movl $__per_cpu_start,%eax
2325 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
2326 ++ rorl $16,%eax
2327 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
2328 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
2329 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
2330 ++ subl $__per_cpu_start,%eax
2331 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
2332 ++
2333 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2334 ++ /* check for VMware */
2335 ++ movl $0x564d5868,%eax
2336 ++ xorl %ebx,%ebx
2337 ++ movl $0xa,%ecx
2338 ++ movl $0x5658,%edx
2339 ++ in (%dx),%eax
2340 ++ cmpl $0x564d5868,%ebx
2341 ++ jz 1f
2342 ++
2343 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
2344 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
2345 ++1:
2346 ++#endif
2347 ++
2348 ++#ifdef CONFIG_PAX_KERNEXEC
2349 ++ movl $KERNEL_TEXT_OFFSET,%eax
2350 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
2351 ++ rorl $16,%eax
2352 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
2353 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
2354 ++
2355 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
2356 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
2357 ++ rorl $16,%eax
2358 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
2359 ++#endif
2360 ++
2361 + /*
2362 + * Clear BSS first so that there are no surprises...
2363 + * No need to cld as DF is already clear from cld above...
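Review bot: The UDEREF kernel-DS descriptor written at `GDT_ENTRY_KERNEL_DS * 8 + 4` takes only the top nibble of `__PAGE_OFFSET-1` (`& 0xf0000000`) as limit bits 19:16 and leaves the low limit word at the existing `0xffff`, so the expand-down segment starts exactly at `__PAGE_OFFSET` only when `__PAGE_OFFSET` is a multiple of 256MB (0xC0000000, 0xB0000000, 0x80000000 work); for a split such as 0x78000000, if that is selectable together with UDEREF, the limit rounds to 0x7FFFFFFF and the kernel's own lowest 128MB would fault on every data access. Either restrict the combination in Kconfig or also write the low limit word: `movw $(((__PAGE_OFFSET-1) >> 12) & 0xffff),(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8)`. The `/* check for VMware */` branch should also say what it implies: on a VMware guest the kernel DS is left flat, so UDEREF's user-pointer protection is not applied there.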
2364 +@@ -129,24 +178,42 @@ ENTRY(startup_32)
2365 + * Warning: don't use %esi or the stack in this code. However, %esp
2366 + * can be used as a GPR if you really need it...
2367 + */
2368 +-page_pde_offset = (__PAGE_OFFSET >> 20);
2369 +-
2370 ++#ifdef CONFIG_X86_PAE
2371 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2372 ++#else
2373 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2374 ++#endif
2375 + movl $(pg0 - __PAGE_OFFSET), %edi
2376 ++#ifdef CONFIG_X86_PAE
2377 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
2378 ++#else
2379 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2380 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2381 ++#endif
2382 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
2383 + 10:
2384 +- leal 0x007(%edi),%ecx /* Create PDE entry */
2385 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
2386 + movl %ecx,(%edx) /* Store identity PDE entry */
2387 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
2388 ++#ifdef CONFIG_X86_PAE
2389 ++ movl $0,4(%edx)
2390 ++ movl $0,page_pde_offset+4(%edx)
2391 ++ addl $8,%edx
2392 ++ movl $512, %ecx
2393 ++#else
2394 + addl $4,%edx
2395 + movl $1024, %ecx
2396 ++#endif
2397 + 11:
2398 + stosl
2399 ++#ifdef CONFIG_X86_PAE
2400 ++ movl $0,(%edi)
2401 ++ addl $4,%edi
2402 ++#endif
2403 + addl $0x1000,%eax
2404 + loop 11b
2405 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
2406 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
2407 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
2408 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
2409 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
2410 + cmpl %ebp,%eax
2411 + jb 10b
2412 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
2413 +@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
2414 + #endif
2415 +
2416 + /* Do an early initialization of the fixmap area */
2417 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2418 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
2419 +- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2420 +- movl %eax, 4092(%edx)
2421 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
2422 ++#ifdef CONFIG_X86_PAE
2423 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
2424 ++#else
2425 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
2426 ++#endif
2427 +
2428 + #ifdef CONFIG_SMP
2429 + ENTRY(startup_32_smp)
2430 +@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
2431 + movl %eax,%fs
2432 + movl %eax,%gs
2433 +
2434 ++ /* This is a secondary processor (AP) */
2435 ++ xorl %ebx,%ebx
2436 ++ incl %ebx
2437 ++#endif /* CONFIG_SMP */
2438 ++
2439 + /*
2440 + * New page tables may be in 4Mbyte page mode and may
2441 + * be using the global pages.
2442 +@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
2443 + * not yet offset PAGE_OFFSET..
2444 + */
2445 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
2446 ++3:
2447 + movl cr4_bits,%edx
2448 + andl %edx,%edx
2449 +- jz 6f
2450 ++ jz 5f
2451 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
2452 + orl %edx,%eax
2453 + movl %eax,%cr4
2454 +
2455 +- btl $5, %eax # check if PAE is enabled
2456 +- jnc 6f
2457 ++#ifdef CONFIG_X86_PAE
2458 ++ movl %ebx,%edi
2459 +
2460 + /* Check if extended functions are implemented */
2461 + movl $0x80000000, %eax
2462 + cpuid
2463 + cmpl $0x80000000, %eax
2464 +- jbe 6f
2465 ++ jbe 4f
2466 + mov $0x80000001, %eax
2467 + cpuid
2468 + /* Execute Disable bit supported? */
2469 + btl $20, %edx
2470 +- jnc 6f
2471 ++ jnc 4f
2472 +
2473 + /* Setup EFER (Extended Feature Enable Register) */
2474 +- movl $0xc0000080, %ecx
2475 ++ movl $MSR_EFER, %ecx
2476 + rdmsr
2477 +
2478 + btsl $11, %eax
2479 + /* Make changes effective */
2480 + wrmsr
2481 +
2482 +-6:
2483 +- /* This is a secondary processor (AP) */
2484 +- xorl %ebx,%ebx
2485 +- incl %ebx
2486 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
2487 ++ movl $1,nx_enabled-__PAGE_OFFSET
2488 +
2489 +-#endif /* CONFIG_SMP */
2490 +-3:
2491 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
2492 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
2493 ++#endif
2494 ++
2495 ++4:
2496 ++ movl %edi,%ebx
2497 ++#endif
2498 ++5:
2499 +
2500 + /*
2501 + * Enable paging
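Review bot: The boot CPU (and every AP, since this code is shared) now sets the NX bit in `__supported_pte_mask` and `nx_enabled = 1` from head.S as soon as CPUID reports NX, before the command line is parsed; as far as I recall stock 2.6.23 only set EFER here and left the other two to `set_nx()` in mm/init.c, subject to `noexec=off`. Unless `set_nx()`/`noexec_setup()` are changed elsewhere in this patch to clear the mask bit again, `noexec=off` becomes a no-op for the PTE mask — please confirm, or clear `__supported_pte_mask` there when `disable_nx` is set. The `movl $0,disable_x86_sep` re-enable deliberately lists only SEGMEXEC/KERNEXEC/UDEREF while common.c disables SEP for PAGEEXEC too; a comment tying the two lists together (`/* keep in sync with the #if in cpu/common.c */`) would keep them from drifting.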
2502 +@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
2503 +
2504 + #ifdef CONFIG_SMP
2505 + andl %ebx,%ebx
2506 +- jz 1f /* Initial CPU cleans BSS */
2507 +- jmp checkCPUtype
2508 +-1:
2509 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
2510 + #endif /* CONFIG_SMP */
2511 +
2512 + /*
2513 +@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
2514 + ljmp $(__KERNEL_CS),$1f
2515 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
2516 + movl %eax,%ss # after changing gdt.
2517 +- movl %eax,%fs # gets reset once there's real percpu
2518 +-
2519 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
2520 + movl %eax,%ds
2521 + movl %eax,%es
2522 +
2523 ++ movl $(__KERNEL_PERCPU), %eax
2524 ++ movl %eax,%fs # set this cpu's percpu
2525 ++
2526 + xorl %eax,%eax # Clear GS and LDT
2527 + movl %eax,%gs
2528 + lldt %ax
2529 +@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
2530 + movb ready, %cl
2531 + movb $1, ready
2532 + cmpb $0,%cl # the first CPU calls start_kernel
2533 +- je 1f
2534 +- movl $(__KERNEL_PERCPU), %eax
2535 +- movl %eax,%fs # set this cpu's percpu
2536 +- jmp initialize_secondary # all other CPUs call initialize_secondary
2537 +-1:
2538 ++ jne initialize_secondary # all other CPUs call initialize_secondary
2539 + #endif /* CONFIG_SMP */
2540 + jmp start_kernel
2541 +
2542 +@@ -441,8 +514,8 @@ early_page_fault:
2543 + jmp early_fault
2544 +
2545 + early_fault:
2546 +- cld
2547 + #ifdef CONFIG_PRINTK
2548 ++ cld
2549 + movl $(__KERNEL_DS),%eax