
From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r97 - in hardened-sources/2.6/tags: . 2.6.23-7
Date: Wed, 30 Apr 2008 11:49:26
Message-Id: E1JrAi6-0001JE-7V@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:42:53 +0000 (Wed, 30 Apr 2008)
3 New Revision: 97
4
5 Added:
6 hardened-sources/2.6/tags/2.6.23-7/
7 hardened-sources/2.6/tags/2.6.23-7/4405_alpha-sysctl-uac-for-hardened-extras.patch
8 hardened-sources/2.6/tags/2.6.23-7/4430_grsec-2.1.11-2.6.23.15-20080210.patch
9 hardened-sources/2.6/tags/2.6.23-7/4435_grsec-2.1.10-mute-warnings.patch
10 hardened-sources/2.6/tags/2.6.23-7/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
11 hardened-sources/2.6/tags/2.6.23-7/4445_grsec-kconfig-gentoo.patch
12 hardened-sources/2.6/tags/2.6.23-7/4450_selinux-avc_audit-log-curr_ip.patch
13 hardened-sources/2.6/tags/2.6.23-7/4455_disable-compat_vdso.patch
14 hardened-sources/2.6/tags/2.6.23-7/4460_pax-hook-build-error.patch
15 hardened-sources/2.6/tags/2.6.23-7/4465_acct_stack_growth-null-deref.patch
16 hardened-sources/2.6/tags/2.6.23-7/4470_pax-vma-mirroring-fixes.patch
17 hardened-sources/2.6/tags/2.6.23-7/4475_vesafb-pmi-kernexec-fix.patch
18 hardened-sources/2.6/tags/2.6.23-7/4480_deselect-kernexec-on-unsupported-arches.patch
19 hardened-sources/2.6/tags/2.6.23-7/4485_ia64-modular-kernel-compile-fix.patch
20 hardened-sources/2.6/tags/2.6.23-7/4490_grsec-ptrace-recursive-lock-fix.patch
21 hardened-sources/2.6/tags/2.6.23-7/4495_grsec-netlink-security-fixes.patch
22 Log:
23 Importing patchset for 2.6.23-7 (from hardened-patches-2.6.23-7.extras.tar.bz2).
24
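--- a/hardened-sources/2.6/tags/2.6.23-7/4405_alpha-sysctl-uac-for-hardened-extras.patch
+++ b/hardened-sources/2.6/tags/2.6.23-7/4405_alpha-sysctl-uac-for-hardened-extras.patch
@@ -0,0 +1,187 @@
+---
+ arch/alpha/Kconfig | 26 ++++++++++++++++++++++++
+ arch/alpha/kernel/traps.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/sysctl.h | 14 +++++++++++++
+ kernel/sysctl.c | 12 ++++++++++-
+ 4 files changed, 100 insertions(+), 1 deletion(-)
+
+--- a/arch/alpha/Kconfig
++++ b/arch/alpha/Kconfig
+@@ -616,6 +616,32 @@ config VERBOSE_MCHECK_ON
+
+ Take the default (1) unless you want more control or more info.
+
++config ALPHA_UAC_SYSCTL
++ bool "Configure UAC policy via sysctl"
++ depends on SYSCTL
++ default y
++ ---help---
++ Configuring the UAC (unaligned access control) policy on a Linux
++ system usually involves setting a compile time define. If you say
++ Y here, you will be able to modify the UAC policy at runtime using
++ the /proc interface.
++
++ The UAC policy defines the action Linux should take when an
++ unaligned memory access occurs. The action can include printing a
++ warning message (NOPRINT), sending a signal to the offending
++ program to help developers debug their applications (SIGBUS), or
++ disabling the transparent fixing (NOFIX).
++
++ The sysctls will be initialized to the compile-time defined UAC
++ policy. You can change these manually, or with the sysctl(8)
++ userspace utility.
++
++ To disable the warning messages at runtime, you would use
++
++ echo 1 > /proc/sys/kernel/uac/noprint
++
++ This is pretty harmless. Say Y if you're not sure.
++
+ source "drivers/pci/Kconfig"
+ source "drivers/eisa/Kconfig"
+
+--- a/arch/alpha/kernel/traps.c
++++ b/arch/alpha/kernel/traps.c
+@@ -14,6 +14,7 @@
+ #include <linux/delay.h>
+ #include <linux/smp_lock.h>
+ #include <linux/module.h>
++#include <linux/sysctl.h>
+ #include <linux/init.h>
+ #include <linux/kallsyms.h>
+
+@@ -102,6 +103,38 @@ static char * ireg_name[] = {"v0", "t0",
+ "t10", "t11", "ra", "pv", "at", "gp", "sp", "zero"};
+ #endif
+
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++static struct ctl_table_header *uac_sysctl_header;
++
++static int enabled_noprint = 0;
++static int enabled_sigbus = 0;
++static int enabled_nofix = 0;
++
++ctl_table uac_table[] = {
++ {KERN_UAC_NOPRINT, "noprint", &enabled_noprint, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
++ {KERN_UAC_SIGBUS, "sigbus", &enabled_sigbus, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
++ {KERN_UAC_NOFIX, "nofix", &enabled_nofix, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
++ {0}
++};
++
++static int __init init_uac_sysctl(void)
++{
++ /* Initialize sysctls with the #defined UAC policy */
++ enabled_noprint = (test_thread_flag (TIF_UAC_NOPRINT)) ? 1 : 0;
++ enabled_sigbus = (test_thread_flag (TIF_UAC_SIGBUS)) ? 1 : 0;
++ enabled_nofix = (test_thread_flag (TIF_UAC_NOFIX)) ? 1 : 0;
++
++ /* save this for later so we can clean up */
++ uac_sysctl_header = register_sysctl_table(uac_table);
++ return 0;
++}
++
++static void __exit exit_uac_sysctl(void)
++{
++ unregister_sysctl_table(uac_sysctl_header);
++}
++#endif
++
+ static void
+ dik_show_code(unsigned int *pc)
+ {
+@@ -780,7 +813,11 @@ do_entUnaUser(void __user * va, unsigned
+ /* Check the UAC bits to decide what the user wants us to do
+ with the unaliged access. */
+
++#ifndef CONFIG_ALPHA_UAC_SYSCTL
+ if (!test_thread_flag (TIF_UAC_NOPRINT)) {
++#else /* CONFIG_ALPHA_UAC_SYSCTL */
++ if (!(enabled_noprint)) {
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
+ if (cnt >= 5 && jiffies - last_time > 5*HZ) {
+ cnt = 0;
+ }
+@@ -791,10 +828,18 @@ do_entUnaUser(void __user * va, unsigned
+ }
+ last_time = jiffies;
+ }
++#ifndef CONFIG_ALPHA_UAC_SYSCTL
+ if (test_thread_flag (TIF_UAC_SIGBUS))
++#else /* CONFIG_ALPHA_UAC_SYSCTL */
++ if (enabled_sigbus)
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
+ goto give_sigbus;
+ /* Not sure why you'd want to use this, but... */
++#ifndef CONFIG_ALPHA_UAC_SYSCTL
+ if (test_thread_flag (TIF_UAC_NOFIX))
++#else /* CONFIG_ALPHA_UAC_SYSCTL */
++ if (enabled_nofix)
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
+ return;
+
+ /* Don't bother reading ds in the access check since we already
+@@ -1089,3 +1134,7 @@ trap_init(void)
+ wrent(entSys, 5);
+ wrent(entDbg, 6);
+ }
++
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++__initcall(init_uac_sysctl);
++#endif
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -165,6 +165,9 @@ enum
+ KERN_MAX_LOCK_DEPTH=74,
+ KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
+ KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++ KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
+ };
+
+
+@@ -258,6 +261,17 @@ enum
+ PTY_NR=2
+ };
+
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++/* /proc/sys/kernel/uac */
++enum
++{
++ /* UAC policy on Alpha */
++ KERN_UAC_NOPRINT=1, /* int: printk() on unaligned access */
++ KERN_UAC_SIGBUS=2, /* int: send SIGBUS on unaligned access */
++ KERN_UAC_NOFIX=3, /* int: don't fix the unaligned access */
++};
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
++
+ /* /proc/sys/bus/isa */
+ enum
+ {
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -155,6 +155,9 @@ extern ctl_table pty_table[];
+ #ifdef CONFIG_INOTIFY_USER
+ extern ctl_table inotify_table[];
+ #endif
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++extern ctl_table uac_table[];
++#endif
+
+ #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
+ int sysctl_legacy_va_layout;
+@@ -208,6 +211,14 @@ static ctl_table root_table[] = {
+ * NOTE: do not add new entries to this table unless you have read
+ * Documentation/sysctl/ctl_unnumbered.txt
+ */
++#ifdef CONFIG_ALPHA_UAC_SYSCTL
++ {
++ .ctl_name = KERN_UAC_POLICY,
++ .procname = "uac",
++ .mode = 0555,
++ .child = uac_table,
++ },
++#endif /* CONFIG_ALPHA_UAC_SYSCTL */
+ { .ctl_name = 0 }
+ };
+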
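Review bot: The new directory entry is added to root_table (per the kernel/sysctl.c hunk header), which makes it /proc/sys/uac, while the Kconfig help text (`echo 1 > /proc/sys/kernel/uac/noprint`) and the sysctl.h comment (`/* /proc/sys/kernel/uac */`) both document /proc/sys/kernel/uac; either the entry belongs in kern_table or the two comments need correcting. The entry also claims a binary sysctl number, `.ctl_name = KERN_UAC_POLICY,` (78, added to the KERN_* enum), directly beneath the context comment that points at Documentation/sysctl/ctl_unnumbered.txt; `.ctl_name = CTL_UNNUMBERED,` would avoid taking a number in a namespace this patch does not own and would let the KERN_UAC_POLICY addition go. In do_entUnaUser the #else branches replace the per-thread TIF_UAC_* checks outright, so with CONFIG_ALPHA_UAC_SYSCTL=y a process that set its own UAC flags is silently governed by the global knobs instead — if that is intended it belongs in the help text, otherwise the thread flag and the sysctl value should be combined in each condition. Finally, exit_uac_sysctl is static __exit and nothing references it, so in this built-in file it is dead code the compiler will likely warn about; drop it or pair it with an __exitcall. do_entUnaUser and root_table both extend beyond the quoted hunks.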
218 Added: hardened-sources/2.6/tags/2.6.23-7/4430_grsec-2.1.11-2.6.23.15-20080210.patch
219 ===================================================================
220 --- hardened-sources/2.6/tags/2.6.23-7/4430_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
221 +++ hardened-sources/2.6/tags/2.6.23-7/4430_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:42:53 UTC (rev 97)
222 @@ -0,0 +1,35665 @@
223 +From: Kerin Millar <kerframil@×××××.com>
224 +
225 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
226 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
227 +mmap.c changes.
228 +
229 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
230 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
231 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
232 +@@ -176,14 +176,18 @@ times.h*
233 + tkparse
234 + trix_boot.h
235 + utsrelease.h*
236 ++vdso.lds
237 + version.h*
238 + vmlinux
239 + vmlinux-*
240 + vmlinux.aout
241 ++vmlinux.bin.all
242 + vmlinux.lds
243 ++vmlinux.relocs
244 + vsyscall.lds
245 + wanxlfw.inc
246 + uImage
247 + unifdef
248 ++utsrelease.h
249 + zImage*
250 + zconf.hash.c
251 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
252 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
253 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
254 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
255 +
256 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
257 +
258 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
259 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
260 + -fno-strict-aliasing -fno-common \
261 + -Werror-implicit-function-declaration
262 + AFLAGS := -D__ASSEMBLY__
263 +@@ -560,7 +560,7 @@ export mod_strip_cmd
264 +
265 +
266 + ifeq ($(KBUILD_EXTMOD),)
267 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
268 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
269 +
270 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
271 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
272 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
273 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
274 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
275 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
276 +
277 + /* The small sections were sorted to the end of the segment.
278 + The following should definitely cover them. */
279 +- gp = (u64)me->module_core + me->core_size - 0x8000;
280 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
281 + got = sechdrs[me->arch.gotsecindex].sh_addr;
282 +
283 + for (i = 0; i < n; i++) {
284 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
285 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
286 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
287 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
288 + merely specific addresses, but regions of memory -- perhaps
289 + this feature should be incorporated into all ports? */
290 +
291 ++#ifdef CONFIG_PAX_RANDMMAP
292 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
293 ++#endif
294 ++
295 + if (addr) {
296 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
297 + if (addr != (unsigned long) -ENOMEM)
298 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
299 + }
300 +
301 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
302 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
303 +- len, limit);
304 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
305 ++
306 + if (addr != (unsigned long) -ENOMEM)
307 + return addr;
308 +
309 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
310 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
311 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
312 +@@ -15,6 +15,7 @@
313 + #include <linux/slab.h>
314 + #include <linux/security.h>
315 + #include <linux/signal.h>
316 ++#include <linux/grsecurity.h>
317 +
318 + #include <asm/uaccess.h>
319 + #include <asm/pgtable.h>
320 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
321 + goto out_notsk;
322 + }
323 +
324 ++ if (gr_handle_ptrace(child, request)) {
325 ++ ret = -EPERM;
326 ++ goto out;
327 ++ }
328 ++
329 + if (request == PTRACE_ATTACH) {
330 + ret = ptrace_attach(child);
331 + goto out;
332 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
333 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
334 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
335 +@@ -23,6 +23,7 @@
336 + #include <linux/smp.h>
337 + #include <linux/interrupt.h>
338 + #include <linux/module.h>
339 ++#include <linux/binfmts.h>
340 +
341 + #include <asm/system.h>
342 + #include <asm/uaccess.h>
343 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
344 + __reload_thread(pcb);
345 + }
346 +
347 ++#ifdef CONFIG_PAX_PAGEEXEC
348 ++/*
349 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
350 ++ *
351 ++ * returns 1 when task should be killed
352 ++ * 2 when patched PLT trampoline was detected
353 ++ * 3 when unpatched PLT trampoline was detected
354 ++ */
355 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
356 ++{
357 ++
358 ++#ifdef CONFIG_PAX_EMUPLT
359 ++ int err;
360 ++
361 ++ do { /* PaX: patched PLT emulation #1 */
362 ++ unsigned int ldah, ldq, jmp;
363 ++
364 ++ err = get_user(ldah, (unsigned int *)regs->pc);
365 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
366 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
367 ++
368 ++ if (err)
369 ++ break;
370 ++
371 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
372 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
373 ++ jmp == 0x6BFB0000U)
374 ++ {
375 ++ unsigned long r27, addr;
376 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
377 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
378 ++
379 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
380 ++ err = get_user(r27, (unsigned long *)addr);
381 ++ if (err)
382 ++ break;
383 ++
384 ++ regs->r27 = r27;
385 ++ regs->pc = r27;
386 ++ return 2;
387 ++ }
388 ++ } while (0);
389 ++
390 ++ do { /* PaX: patched PLT emulation #2 */
391 ++ unsigned int ldah, lda, br;
392 ++
393 ++ err = get_user(ldah, (unsigned int *)regs->pc);
394 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
395 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
396 ++
397 ++ if (err)
398 ++ break;
399 ++
400 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
401 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
402 ++ (br & 0xFFE00000U) == 0xC3E00000U)
403 ++ {
404 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
405 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
406 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
407 ++
408 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
409 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
410 ++ return 2;
411 ++ }
412 ++ } while (0);
413 ++
414 ++ do { /* PaX: unpatched PLT emulation */
415 ++ unsigned int br;
416 ++
417 ++ err = get_user(br, (unsigned int *)regs->pc);
418 ++
419 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
420 ++ unsigned int br2, ldq, nop, jmp;
421 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
422 ++
423 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
424 ++ err = get_user(br2, (unsigned int *)addr);
425 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
426 ++ err |= get_user(nop, (unsigned int *)(addr+8));
427 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
428 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
429 ++
430 ++ if (err)
431 ++ break;
432 ++
433 ++ if (br2 == 0xC3600000U &&
434 ++ ldq == 0xA77B000CU &&
435 ++ nop == 0x47FF041FU &&
436 ++ jmp == 0x6B7B0000U)
437 ++ {
438 ++ regs->r28 = regs->pc+4;
439 ++ regs->r27 = addr+16;
440 ++ regs->pc = resolver;
441 ++ return 3;
442 ++ }
443 ++ }
444 ++ } while (0);
445 ++#endif
446 ++
447 ++ return 1;
448 ++}
449 ++
450 ++void pax_report_insns(void *pc, void *sp)
451 ++{
452 ++ unsigned long i;
453 ++
454 ++ printk(KERN_ERR "PAX: bytes at PC: ");
455 ++ for (i = 0; i < 5; i++) {
456 ++ unsigned int c;
457 ++ if (get_user(c, (unsigned int *)pc+i))
458 ++ printk("???????? ");
459 ++ else
460 ++ printk("%08x ", c);
461 ++ }
462 ++ printk("\n");
463 ++}
464 ++#endif
465 +
466 + /*
467 + * This routine handles page faults. It determines the address,
468 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
469 + good_area:
470 + si_code = SEGV_ACCERR;
471 + if (cause < 0) {
472 +- if (!(vma->vm_flags & VM_EXEC))
473 ++ if (!(vma->vm_flags & VM_EXEC)) {
474 ++
475 ++#ifdef CONFIG_PAX_PAGEEXEC
476 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
477 ++ goto bad_area;
478 ++
479 ++ up_read(&mm->mmap_sem);
480 ++ switch (pax_handle_fetch_fault(regs)) {
481 ++
482 ++#ifdef CONFIG_PAX_EMUPLT
483 ++ case 2:
484 ++ case 3:
485 ++ return;
486 ++#endif
487 ++
488 ++ }
489 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
490 ++ do_exit(SIGKILL);
491 ++#else
492 + goto bad_area;
493 ++#endif
494 ++
495 ++ }
496 + } else if (!cause) {
497 + /* Allow reads even for write-only mappings */
498 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
499 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
500 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
501 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
502 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
503 + if (len > TASK_SIZE)
504 + return -ENOMEM;
505 +
506 ++#ifdef CONFIG_PAX_RANDMMAP
507 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
508 ++#endif
509 ++
510 + if (addr) {
511 + if (do_align)
512 + addr = COLOUR_ALIGN(addr, pgoff);
513 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
514 + return addr;
515 + }
516 + if (len > mm->cached_hole_size) {
517 +- start_addr = addr = mm->free_area_cache;
518 ++ start_addr = addr = mm->free_area_cache;
519 + } else {
520 +- start_addr = addr = TASK_UNMAPPED_BASE;
521 +- mm->cached_hole_size = 0;
522 ++ start_addr = addr = mm->mmap_base;
523 ++ mm->cached_hole_size = 0;
524 + }
525 +
526 + full_search:
527 +@@ -91,8 +95,8 @@ full_search:
528 + * Start a new search - just in case we missed
529 + * some holes.
530 + */
531 +- if (start_addr != TASK_UNMAPPED_BASE) {
532 +- start_addr = addr = TASK_UNMAPPED_BASE;
533 ++ if (start_addr != mm->mmap_base) {
534 ++ start_addr = addr = mm->mmap_base;
535 + mm->cached_hole_size = 0;
536 + goto full_search;
537 + }
538 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
539 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
540 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
541 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
542 +
543 + int exception_trace = 1;
544 +
545 ++#ifdef CONFIG_PAX_PAGEEXEC
546 ++void pax_report_insns(void *pc, void *sp)
547 ++{
548 ++ unsigned long i;
549 ++
550 ++ printk(KERN_ERR "PAX: bytes at PC: ");
551 ++ for (i = 0; i < 20; i++) {
552 ++ unsigned char c;
553 ++ if (get_user(c, (unsigned char *)pc+i))
554 ++ printk("???????? ");
555 ++ else
556 ++ printk("%02x ", c);
557 ++ }
558 ++ printk("\n");
559 ++}
560 ++#endif
561 ++
562 + /*
563 + * This routine handles page faults. It determines the address and the
564 + * problem, and then passes it off to one of the appropriate routines.
565 +@@ -157,6 +174,16 @@ bad_area:
566 + up_read(&mm->mmap_sem);
567 +
568 + if (user_mode(regs)) {
569 ++
570 ++#ifdef CONFIG_PAX_PAGEEXEC
571 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
572 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
573 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
574 ++ do_exit(SIGKILL);
575 ++ }
576 ++ }
577 ++#endif
578 ++
579 + if (exception_trace && printk_ratelimit())
580 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
581 + "sp %08lx ecr %lu\n",
582 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
583 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
584 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
585 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
586 + hex
587 + default 0xB0000000 if VMSPLIT_3G_OPT
588 + default 0x80000000 if VMSPLIT_2G
589 +- default 0x78000000 if VMSPLIT_2G_OPT
590 ++ default 0x70000000 if VMSPLIT_2G_OPT
591 + default 0x40000000 if VMSPLIT_1G
592 + default 0xC0000000
593 +
594 +@@ -831,7 +831,7 @@ config CRASH_DUMP
595 + config PHYSICAL_START
596 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
597 + default "0x1000000" if X86_NUMAQ
598 +- default "0x100000"
599 ++ default "0x200000"
600 + help
601 + This gives the physical address where the kernel is loaded.
602 +
603 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
604 +
605 + config COMPAT_VDSO
606 + bool "Compat VDSO support"
607 +- default y
608 ++ default n
609 + help
610 + Map the VDSO to the predictable old-style address too.
611 + ---help---
612 +@@ -1092,7 +1092,7 @@ config PCI
613 + choice
614 + prompt "PCI access mode"
615 + depends on PCI && !X86_VISWS
616 +- default PCI_GOANY
617 ++ default PCI_GODIRECT
618 + ---help---
619 + On PCI systems, the BIOS can be used to detect the PCI devices and
620 + determine their configuration. However, some old PCI motherboards
621 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
622 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
623 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
624 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
625 +
626 + config X86_F00F_BUG
627 + bool
628 +- depends on M586MMX || M586TSC || M586 || M486 || M386
629 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
630 + default y
631 +
632 + config X86_WP_WORKS_OK
633 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
634 +
635 + config X86_ALIGNMENT_16
636 + bool
637 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
638 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
639 + default y
640 +
641 + config X86_GOOD_APIC
642 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
643 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
644 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
645 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
646 + This results in a large slowdown, but helps to find certain types
647 + of memory corruptions.
648 +
649 +-config DEBUG_RODATA
650 +- bool "Write protect kernel read-only data structures"
651 +- depends on DEBUG_KERNEL
652 +- help
653 +- Mark the kernel read-only data as write-protected in the pagetables,
654 +- in order to catch accidental (and incorrect) writes to such const
655 +- data. This option may have a slight performance impact because a
656 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
657 +- If in doubt, say "N".
658 +-
659 + config 4KSTACKS
660 + bool "Use 4Kb for kernel stacks instead of 8Kb"
661 + depends on DEBUG_KERNEL
662 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
663 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
664 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
665 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
666 + u8 v;
667 + const u32 *p = (const u32 *)addr;
668 +
669 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
670 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
671 + return v;
672 + }
673 +
674 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
675 +
676 + static inline void set_bit(int nr, void *addr)
677 + {
678 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
679 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
680 + }
681 +
682 + #endif /* BOOT_BITOPS_H */
683 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
684 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
685 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
686 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
687 + static inline u16 ds(void)
688 + {
689 + u16 seg;
690 +- asm("movw %%ds,%0" : "=rm" (seg));
691 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
692 + return seg;
693 + }
694 +
695 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
696 + static inline int memcmp(const void *s1, const void *s2, size_t len)
697 + {
698 + u8 diff;
699 +- asm("repe; cmpsb; setnz %0"
700 ++ asm volatile("repe; cmpsb; setnz %0"
701 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
702 + return diff;
703 + }
704 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
705 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
706 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
707 +@@ -159,9 +159,8 @@ relocated:
708 + */
709 +
710 + 1: subl $4, %edi
711 +- movl 0(%edi), %ecx
712 +- testl %ecx, %ecx
713 +- jz 2f
714 ++ movl (%edi), %ecx
715 ++ jecxz 2f
716 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
717 + jmp 1b
718 + 2:
719 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
720 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
721 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
722 +@@ -10,9 +10,13 @@
723 + #define USE_BSD
724 + #include <endian.h>
725 +
726 ++#include "../../../../include/linux/autoconf.h"
727 ++
728 ++#define MAX_PHDRS 100
729 + #define MAX_SHDRS 100
730 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
731 + static Elf32_Ehdr ehdr;
732 ++static Elf32_Phdr phdr[MAX_PHDRS];
733 + static Elf32_Shdr shdr[MAX_SHDRS];
734 + static Elf32_Sym *symtab[MAX_SHDRS];
735 + static Elf32_Rel *reltab[MAX_SHDRS];
736 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
737 + }
738 + }
739 +
740 ++static void read_phdrs(FILE *fp)
741 ++{
742 ++ int i;
743 ++ if (ehdr.e_phnum > MAX_PHDRS) {
744 ++ die("%d program headers supported: %d\n",
745 ++ ehdr.e_phnum, MAX_PHDRS);
746 ++ }
747 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
748 ++ die("Seek to %d failed: %s\n",
749 ++ ehdr.e_phoff, strerror(errno));
750 ++ }
751 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
752 ++ die("Cannot read ELF program headers: %s\n",
753 ++ strerror(errno));
754 ++ }
755 ++ for(i = 0; i < ehdr.e_phnum; i++) {
756 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
757 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
758 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
759 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
760 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
761 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
762 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
763 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
764 ++ }
765 ++
766 ++}
767 ++
768 + static void read_shdrs(FILE *fp)
769 + {
770 + int i;
771 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
772 + static void read_relocs(FILE *fp)
773 + {
774 + int i,j;
775 ++ uint32_t base;
776 ++
777 + for(i = 0; i < ehdr.e_shnum; i++) {
778 + if (shdr[i].sh_type != SHT_REL) {
779 + continue;
780 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
781 + die("Cannot read symbol table: %s\n",
782 + strerror(errno));
783 + }
784 ++ base = 0;
785 ++ for (j = 0; j < ehdr.e_phnum; j++) {
786 ++ if (phdr[j].p_type != PT_LOAD )
787 ++ continue;
788 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
789 ++ continue;
790 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
791 ++ break;
792 ++ }
793 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
794 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
795 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
796 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
797 + }
798 + }
799 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
800 + if (sym->st_shndx == SHN_ABS) {
801 + continue;
802 + }
803 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
804 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
805 ++ continue;
806 ++ }
807 ++#ifdef CONFIG_PAX_KERNEXEC
808 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
809 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
810 ++ continue;
811 ++ }
812 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
813 ++ continue;
814 ++ }
815 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
816 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
817 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
818 ++ continue;
819 ++ }
820 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
821 ++ continue;
822 ++ }
823 ++#endif
824 + if (r_type == R_386_PC32) {
825 + /* PC relative relocations don't need to be adjusted */
826 + }
827 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
828 + fname, strerror(errno));
829 + }
830 + read_ehdr(fp);
831 ++ read_phdrs(fp);
832 + read_shdrs(fp);
833 + read_strtabs(fp);
834 + read_symtabs(fp);
835 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
836 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
837 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
838 +@@ -90,7 +90,7 @@ static int has_fpu(void)
839 + u16 fcw = -1, fsw = -1;
840 + u32 cr0;
841 +
842 +- asm("movl %%cr0,%0" : "=r" (cr0));
843 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
844 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
845 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
846 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
847 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
848 + {
849 + u32 f0, f1;
850 +
851 +- asm("pushfl ; "
852 ++ asm volatile("pushfl ; "
853 + "pushfl ; "
854 + "popl %0 ; "
855 + "movl %0,%1 ; "
856 +@@ -131,7 +131,7 @@ static void get_flags(void)
857 + set_bit(X86_FEATURE_FPU, cpu.flags);
858 +
859 + if (has_eflag(X86_EFLAGS_ID)) {
860 +- asm("cpuid"
861 ++ asm volatile("cpuid"
862 + : "=a" (max_intel_level),
863 + "=b" (cpu_vendor[0]),
864 + "=d" (cpu_vendor[1]),
865 +@@ -140,7 +140,7 @@ static void get_flags(void)
866 +
867 + if (max_intel_level >= 0x00000001 &&
868 + max_intel_level <= 0x0000ffff) {
869 +- asm("cpuid"
870 ++ asm volatile("cpuid"
871 + : "=a" (tfms),
872 + "=c" (cpu.flags[4]),
873 + "=d" (cpu.flags[0])
874 +@@ -152,7 +152,7 @@ static void get_flags(void)
875 + cpu.model += ((tfms >> 16) & 0xf) << 4;
876 + }
877 +
878 +- asm("cpuid"
879 ++ asm volatile("cpuid"
880 + : "=a" (max_amd_level)
881 + : "a" (0x80000000)
882 + : "ebx", "ecx", "edx");
883 +@@ -160,7 +160,7 @@ static void get_flags(void)
884 + if (max_amd_level >= 0x80000001 &&
885 + max_amd_level <= 0x8000ffff) {
886 + u32 eax = 0x80000001;
887 +- asm("cpuid"
888 ++ asm volatile("cpuid"
889 + : "+a" (eax),
890 + "=c" (cpu.flags[6]),
891 + "=d" (cpu.flags[1])
892 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
893 + u32 ecx = MSR_K7_HWCR;
894 + u32 eax, edx;
895 +
896 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
897 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
898 + eax &= ~(1 << 15);
899 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
900 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
901 +
902 + get_flags(); /* Make sure it really did something */
903 + err = check_flags();
904 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
905 + u32 ecx = MSR_VIA_FCR;
906 + u32 eax, edx;
907 +
908 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
909 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
910 + eax |= (1<<1)|(1<<7);
911 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
912 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
913 +
914 + set_bit(X86_FEATURE_CX8, cpu.flags);
915 + err = check_flags();
916 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
917 + u32 eax, edx;
918 + u32 level = 1;
919 +
920 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
921 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
922 +- asm("cpuid"
923 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
924 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
925 ++ asm volatile("cpuid"
926 + : "+a" (level), "=d" (cpu.flags[0])
927 + : : "ecx", "ebx");
928 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
929 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
930 +
931 + err = check_flags();
932 + }
933 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
934 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
935 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
936 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
937 + ax = 0x4100;
938 + bx = EDDMAGIC1;
939 + dx = devno;
940 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
941 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
942 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
943 + : : "esi", "edi");
944 +
945 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
946 + ei->params.length = sizeof(ei->params);
947 + ax = 0x4800;
948 + dx = devno;
949 +- asm("pushfl; int $0x13; popfl"
950 ++ asm volatile("pushfl; int $0x13; popfl"
951 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
952 + : "S" (&ei->params)
953 + : "ebx", "ecx", "edi");
954 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
955 + ax = 0x0800;
956 + dx = devno;
957 + di = 0;
958 +- asm("pushw %%es; "
959 ++ asm volatile("pushw %%es; "
960 + "movw %%di,%%es; "
961 + "pushfl; stc; int $0x13; setc %%al; popfl; "
962 + "popw %%es"
963 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
964 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
965 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
966 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
967 + */
968 + static void query_ist(void)
969 + {
970 +- asm("int $0x15"
971 ++ asm volatile("int $0x15"
972 + : "=a" (boot_params.ist_info.signature),
973 + "=b" (boot_params.ist_info.command),
974 + "=c" (boot_params.ist_info.event),
975 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
976 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
977 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
978 +@@ -21,7 +21,7 @@ int query_mca(void)
979 + u8 err;
980 + u16 es, bx, len;
981 +
982 +- asm("pushw %%es ; "
983 ++ asm volatile("pushw %%es ; "
984 + "int $0x15 ; "
985 + "setc %0 ; "
986 + "movw %%es, %1 ; "
987 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
988 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
989 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
990 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
991 + /* Important: %edx is clobbered by some BIOSes,
992 + so it must be either used for the error output
993 + or explicitly marked clobbered. */
994 +- asm("int $0x15; setc %0"
995 ++ asm volatile("int $0x15; setc %0"
996 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
997 + "=m" (*desc)
998 + : "D" (desc), "d" (SMAP), "a" (0xe820));
999 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
1000 +
1001 + bx = cx = dx = 0;
1002 + ax = 0xe801;
1003 +- asm("stc; int $0x15; setc %0"
1004 ++ asm volatile("stc; int $0x15; setc %0"
1005 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
1006 +
1007 + if (err)
1008 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
1009 + u8 err;
1010 +
1011 + ax = 0x8800;
1012 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
1013 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
1014 +
1015 + boot_params.screen_info.ext_mem_k = ax;
1016 +
1017 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
1018 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
1019 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
1020 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
1021 +
1022 + ax = 0x4f00;
1023 + di = (size_t)&vginfo;
1024 +- asm(INT10
1025 ++ asm volatile(INT10
1026 + : "+a" (ax), "+D" (di), "=m" (vginfo)
1027 + : : "ebx", "ecx", "edx", "esi");
1028 +
1029 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
1030 + ax = 0x4f01;
1031 + cx = mode;
1032 + di = (size_t)&vminfo;
1033 +- asm(INT10
1034 ++ asm volatile(INT10
1035 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
1036 + : : "ebx", "edx", "esi");
1037 +
1038 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
1039 + ax = 0x4f01;
1040 + cx = vesa_mode;
1041 + di = (size_t)&vminfo;
1042 +- asm(INT10
1043 ++ asm volatile(INT10
1044 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
1045 + : : "ebx", "edx", "esi");
1046 +
1047 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
1048 + /* Save the VESA protected mode info */
1049 + static void vesa_store_pm_info(void)
1050 + {
1051 +- u16 ax, bx, di, es;
1052 ++ u16 ax, bx, cx, di, es;
1053 +
1054 + ax = 0x4f0a;
1055 +- bx = di = 0;
1056 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
1057 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
1058 +- : : "ecx", "esi");
1059 ++ bx = cx = di = 0;
1060 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
1061 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
1062 ++ : : "esi");
1063 +
1064 + if (ax != 0x004f)
1065 + return;
1066 +
1067 + boot_params.screen_info.vesapm_seg = es;
1068 + boot_params.screen_info.vesapm_off = di;
1069 ++ boot_params.screen_info.vesapm_size = cx;
1070 + }
1071 +
1072 + /*
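Review bot: `boot_params.screen_info.vesapm_size = cx;` stores a register value whose meaning is stated nowhere in the hunk, and the new `"+c" (cx)` output that replaces the `"ecx"` clobber is what makes that value visible; a comment on the assignment, `/* CX = length of the protected-mode interface table returned by VBE fn 0x4f0a */`, would save the next reader a trip to the VBE spec. The store also depends on a `vesapm_size` member existing in screen_info, which is not in this chunk; presumably the header change ships in the same patch, but that should be confirmed.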
1073 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
1074 + /* Note: The VBE DDC spec is different from the main VESA spec;
1075 + we genuinely have to assume all registers are destroyed here. */
1076 +
1077 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
1078 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
1079 + : "+a" (ax), "+b" (bx)
1080 + : "c" (cx), "D" (di)
1081 + : "esi");
1082 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
1083 + cx = 0; /* Controller 0 */
1084 + dx = 0; /* EDID block number */
1085 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
1086 +- asm(INT10
1087 ++ asm volatile(INT10
1088 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
1089 + : "c" (cx), "D" (di)
1090 + : "esi");
1091 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1092 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1093 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1094 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1095 + };
1096 + u8 vga_flag;
1097 +
1098 +- asm(INT10
1099 ++ asm volatile(INT10
1100 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1101 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1102 + : "ecx", "edx", "esi", "edi");
1103 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1104 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1105 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1106 + /* EGA/VGA */
1107 +- asm(INT10
1108 ++ asm volatile(INT10
1109 + : "=a" (vga_flag)
1110 + : "a" (0x1a00)
1111 + : "ebx", "ecx", "edx", "esi", "edi");
1112 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1113 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1114 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1115 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1116 +
1117 + ax = 0x0300;
1118 + bx = 0;
1119 +- asm(INT10
1120 ++ asm volatile(INT10
1121 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1122 + : : "ecx", "esi", "edi");
1123 +
1124 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1125 + /* N.B.: the saving of the video page here is a bit silly,
1126 + since we pretty much assume page 0 everywhere. */
1127 + ax = 0x0f00;
1128 +- asm(INT10
1129 ++ asm volatile(INT10
1130 + : "+a" (ax), "=b" (page)
1131 + : : "ecx", "edx", "esi", "edi");
1132 +
1133 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1134 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1135 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1136 +@@ -27,7 +27,7 @@ int query_voyager(void)
1137 +
1138 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1139 +
1140 +- asm("pushw %%es ; "
1141 ++ asm volatile("pushw %%es ; "
1142 + "int $0x15 ; "
1143 + "setc %0 ; "
1144 + "movw %%es, %1 ; "
1145 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1146 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1147 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1148 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1149 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1150 + },
1151 + },
1152 +- {}
1153 ++ { NULL, NULL, {{0, NULL}}, NULL}
1154 + };
1155 +
1156 + #endif /* __i386__ */
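Review bot: The terminator `{ NULL, NULL, {{0, NULL}}, NULL}` spells out the field layout of `struct dmi_system_id` where `{}` already produced an all-zero sentinel, so the entry now has to be edited by hand whenever the struct changes; the same spelling appears in acpi/sleep.c below, and apm.c's dmi table ends with the variant `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}`. If the purpose is to quiet a missing-field-initializers warning under the hardened build flags, a designated `{ .ident = NULL }` achieves that without the layout dependence. Either way a short `/* terminator */` comment would record why the empty braces were replaced.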
1157 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1158 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1159 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1160 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1161 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1162 + },
1163 + },
1164 +- {}
1165 ++ { NULL, NULL, {{0, NULL}}, NULL}
1166 + };
1167 +
1168 + static int __init acpisleep_dmi_init(void)
1169 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1170 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1171 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1172 +@@ -2,6 +2,7 @@
1173 + #include <linux/linkage.h>
1174 + #include <asm/segment.h>
1175 + #include <asm/page.h>
1176 ++#include <asm/msr-index.h>
1177 +
1178 + #
1179 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1180 +@@ -84,7 +85,7 @@ wakeup_code:
1181 + # restore efer setting
1182 + movl real_save_efer_edx - wakeup_code, %edx
1183 + movl real_save_efer_eax - wakeup_code, %eax
1184 +- mov $0xc0000080, %ecx
1185 ++ mov $MSR_EFER, %ecx
1186 + wrmsr
1187 + 4:
1188 + # make sure %cr4 is set correctly (features, etc)
1189 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1190 + # and restore the stack ... but you need gdt for this to work
1191 + movl saved_context_esp, %esp
1192 +
1193 +- movl %cs:saved_magic, %eax
1194 +- cmpl $0x12345678, %eax
1195 ++ cmpl $0x12345678, saved_magic
1196 + jne bogus_magic
1197 +
1198 + # jump to place where we left off
1199 +- movl saved_eip,%eax
1200 +- jmp *%eax
1201 ++ jmp *(saved_eip)
1202 +
1203 + bogus_magic:
1204 + movw $0x0e00 + 'B', 0xb8018
1205 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
1206 + # save efer setting
1207 + pushl %eax
1208 + movl %eax, %ebx
1209 +- mov $0xc0000080, %ecx
1210 ++ mov $MSR_EFER, %ecx
1211 + rdmsr
1212 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
1213 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
1214 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
1215 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
1216 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
1217 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
1218 + */
1219 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
1220 + {
1221 ++
1222 ++#ifdef CONFIG_PAX_KERNEXEC
1223 ++ unsigned long cr0;
1224 ++
1225 ++ pax_open_kernel(cr0);
1226 ++#endif
1227 ++
1228 ++ addr += __KERNEL_TEXT_OFFSET;
1229 + memcpy(addr, opcode, len);
1230 ++
1231 ++#ifdef CONFIG_PAX_KERNEXEC
1232 ++ pax_close_kernel(cr0);
1233 ++#endif
1234 ++
1235 + sync_core();
1236 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
1237 + that causes hangs on some VIA CPUs. */
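Review bot: `addr += __KERNEL_TEXT_OFFSET;` sits outside the `#ifdef CONFIG_PAX_KERNEXEC` guards while the `pax_open_kernel`/`pax_close_kernel` calls around the memcpy are inside them, so every text_poke caller now relies on `__KERNEL_TEXT_OFFSET` being defined, and presumably zero, in non-KERNEXEC builds; that definition is not in this chunk, so confirm it or move the line under the same guard. A comment on why the offset is applied would also help, e.g. `/* addr is a KERNEL_CS-relative text address; add the KERNEXEC offset to reach it through the data segment */`, if that is indeed the intent. The rest of text_poke continues outside the hunk.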
1238 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
1239 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
1240 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
1241 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
1242 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
1243 + static struct apm_user * user_list;
1244 + static DEFINE_SPINLOCK(user_list_lock);
1245 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
1246 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
1247 +
1248 + static const char driver_version[] = "1.16ac"; /* no spaces */
1249 +
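Review bot: The descriptor high word changes from `0x00409200` to `0x00409300`, which flips bit 8, the Accessed bit of the segment type, without a comment saying why. Presumably this is so the CPU never has to write the Accessed bit into a GDT that KERNEXEC keeps read-only, and that reasoning belongs on the line: `/* type 0x3: data, writable, accessed - pre-set so the CPU never writes the descriptor itself */`. Confirm the rationale against the KERNEXEC GDT protection before landing the comment.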
1250 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
1251 + struct desc_struct save_desc_40;
1252 + struct desc_struct *gdt;
1253 +
1254 ++#ifdef CONFIG_PAX_KERNEXEC
1255 ++ unsigned long cr0;
1256 ++#endif
1257 ++
1258 + cpus = apm_save_cpus();
1259 +
1260 + cpu = get_cpu();
1261 + gdt = get_cpu_gdt_table(cpu);
1262 + save_desc_40 = gdt[0x40 / 8];
1263 ++
1264 ++#ifdef CONFIG_PAX_KERNEXEC
1265 ++ pax_open_kernel(cr0);
1266 ++#endif
1267 ++
1268 + gdt[0x40 / 8] = bad_bios_desc;
1269 +
1270 ++#ifdef CONFIG_PAX_KERNEXEC
1271 ++ pax_close_kernel(cr0);
1272 ++#endif
1273 ++
1274 + apm_irq_save(flags);
1275 + APM_DO_SAVE_SEGS;
1276 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
1277 + APM_DO_RESTORE_SEGS;
1278 + apm_irq_restore(flags);
1279 ++
1280 ++#ifdef CONFIG_PAX_KERNEXEC
1281 ++ pax_open_kernel(cr0);
1282 ++#endif
1283 ++
1284 + gdt[0x40 / 8] = save_desc_40;
1285 ++
1286 ++#ifdef CONFIG_PAX_KERNEXEC
1287 ++ pax_close_kernel(cr0);
1288 ++#endif
1289 ++
1290 + put_cpu();
1291 + apm_restore_cpus(cpus);
1292 +
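Review bot: The open/store/close sequence around `gdt[0x40 / 8] = bad_bios_desc;` and the matching restore of `save_desc_40` is repeated verbatim in apm_bios_call_simple below, and the same `#ifdef` pair wraps the `set_base` calls twice more in apm_init; a small static helper that performs the single descriptor store under `pax_open_kernel`/`pax_close_kernel` would keep the sites in step and shrink the writable window to one statement. A one-line comment on the helper (`/* GDT is read-only under KERNEXEC; open it only for the descriptor store */`) would then explain all the call sites at once. The body of apm_bios_call continues outside the hunk.
```c
/* Store one entry into the 0x40 GDT slot, opening the read-only GDT only for the store. */
static void apm_set_desc_40(struct desc_struct *gdt, struct desc_struct desc)
{
#ifdef CONFIG_PAX_KERNEXEC
	unsigned long cr0;

	pax_open_kernel(cr0);
#endif
	gdt[0x40 / 8] = desc;
#ifdef CONFIG_PAX_KERNEXEC
	pax_close_kernel(cr0);
#endif
}
/* … unchanged: apm_bios_call prologue, apm_save_cpus, get_cpu, save_desc_40 … */
	apm_set_desc_40(gdt, bad_bios_desc);
/* … unchanged: apm_irq_save … apm_bios_call_asm … apm_irq_restore … */
	apm_set_desc_40(gdt, save_desc_40);
```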
1293 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
1294 + struct desc_struct save_desc_40;
1295 + struct desc_struct *gdt;
1296 +
1297 ++#ifdef CONFIG_PAX_KERNEXEC
1298 ++ unsigned long cr0;
1299 ++#endif
1300 ++
1301 + cpus = apm_save_cpus();
1302 +
1303 + cpu = get_cpu();
1304 + gdt = get_cpu_gdt_table(cpu);
1305 + save_desc_40 = gdt[0x40 / 8];
1306 ++
1307 ++#ifdef CONFIG_PAX_KERNEXEC
1308 ++ pax_open_kernel(cr0);
1309 ++#endif
1310 ++
1311 + gdt[0x40 / 8] = bad_bios_desc;
1312 +
1313 ++#ifdef CONFIG_PAX_KERNEXEC
1314 ++ pax_close_kernel(cr0);
1315 ++#endif
1316 ++
1317 + apm_irq_save(flags);
1318 + APM_DO_SAVE_SEGS;
1319 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
1320 + APM_DO_RESTORE_SEGS;
1321 + apm_irq_restore(flags);
1322 ++
1323 ++#ifdef CONFIG_PAX_KERNEXEC
1324 ++ pax_open_kernel(cr0);
1325 ++#endif
1326 ++
1327 + gdt[0x40 / 8] = save_desc_40;
1328 ++
1329 ++#ifdef CONFIG_PAX_KERNEXEC
1330 ++ pax_close_kernel(cr0);
1331 ++#endif
1332 ++
1333 + put_cpu();
1334 + apm_restore_cpus(cpus);
1335 + return error;
1336 +@@ -924,7 +970,7 @@ recalc:
1337 +
1338 + static void apm_power_off(void)
1339 + {
1340 +- unsigned char po_bios_call[] = {
1341 ++ const unsigned char po_bios_call[] = {
1342 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
1343 + 0x8e, 0xd0, /* movw ax,ss */
1344 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
1345 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
1346 + static struct miscdevice apm_device = {
1347 + APM_MINOR_DEV,
1348 + "apm_bios",
1349 +- &apm_bios_fops
1350 ++ &apm_bios_fops,
1351 ++ {NULL, NULL},
1352 ++ NULL,
1353 ++ NULL
1354 + };
1355 +
1356 +
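Review bot: The `apm_device` initializer now names four positional members after `&apm_bios_fops`, so it silently depends on the field order of `struct miscdevice`, and a later insertion or reorder in that struct would be accepted by the compiler with the wrong meaning. Designated initializers make the intent explicit and keep the initializer complete without the trailing `{NULL, NULL}` / `NULL` entries: `.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`.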
1357 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
1358 + print_if_true,
1359 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
1360 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
1361 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
1362 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
1363 + },
1364 + { /* Handle problems with APM on the C600 */
1365 + broken_ps2_resume, "Dell Latitude C600",
1366 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1367 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
1368 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
1369 + },
1370 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
1371 + set_apm_ints, "Dell Latitude",
1372 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1373 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
1374 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
1375 + },
1376 + { /* APM crashes */
1377 + apm_is_horked, "Dell Inspiron 2500",
1378 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1379 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1380 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1381 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1382 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1383 + },
1384 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
1385 + set_apm_ints, "Dell Inspiron", {
1386 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1387 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
1388 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
1389 + },
1390 + { /* Handle problems with APM on Inspiron 5000e */
1391 + broken_apm_power, "Dell Inspiron 5000e",
1392 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1393 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
1394 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
1395 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
1396 + },
1397 + { /* Handle problems with APM on Inspiron 2500 */
1398 + broken_apm_power, "Dell Inspiron 2500",
1399 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1400 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
1401 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
1402 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
1403 + },
1404 + { /* APM crashes */
1405 + apm_is_horked, "Dell Dimension 4100",
1406 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1407 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
1408 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
1409 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1410 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1411 + },
1412 + { /* Allow interrupts during suspend on Compaq Laptops*/
1413 + set_apm_ints, "Compaq 12XL125",
1414 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
1415 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
1416 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1417 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
1418 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
1419 + },
1420 + { /* Allow interrupts during APM or the clock goes slow */
1421 + set_apm_ints, "ASUSTeK",
1422 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
1423 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
1424 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
1425 + },
1426 + { /* APM blows on shutdown */
1427 + apm_is_horked, "ABIT KX7-333[R]",
1428 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
1429 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
1430 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
1431 + },
1432 + { /* APM crashes */
1433 + apm_is_horked, "Trigem Delhi3",
1434 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
1435 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
1436 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
1437 + },
1438 + { /* APM crashes */
1439 + apm_is_horked, "Fujitsu-Siemens",
1440 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
1441 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
1442 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
1443 + },
1444 + { /* APM crashes */
1445 + apm_is_horked_d850md, "Intel D850MD",
1446 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1447 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
1448 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
1449 + },
1450 + { /* APM crashes */
1451 + apm_is_horked, "Intel D810EMO",
1452 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1453 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
1454 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
1455 + },
1456 + { /* APM crashes */
1457 + apm_is_horked, "Dell XPS-Z",
1458 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1459 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
1460 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
1461 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
1462 + },
1463 + { /* APM crashes */
1464 + apm_is_horked, "Sharp PC-PJ/AX",
1465 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
1466 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
1467 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
1468 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
1469 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
1470 + },
1471 + { /* APM crashes */
1472 + apm_is_horked, "Dell Inspiron 2500",
1473 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1474 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1475 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1476 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1477 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1478 + },
1479 + { /* APM idle hangs */
1480 + apm_likes_to_melt, "Jabil AMD",
1481 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1482 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
1483 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
1484 + },
1485 + { /* APM idle hangs */
1486 + apm_likes_to_melt, "AMI Bios",
1487 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1488 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
1489 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
1490 + },
1491 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
1492 + swab_apm_power_in_minutes, "Sony VAIO",
1493 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1494 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
1495 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
1496 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
1497 + },
1498 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
1499 + swab_apm_power_in_minutes, "Sony VAIO",
1500 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1501 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
1502 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
1503 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
1504 + },
1505 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
1506 + swab_apm_power_in_minutes, "Sony VAIO",
1507 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1508 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
1509 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
1510 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
1511 + },
1512 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1513 + swab_apm_power_in_minutes, "Sony VAIO",
1514 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1515 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
1516 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
1517 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
1518 + },
1519 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1520 + swab_apm_power_in_minutes, "Sony VAIO",
1521 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1522 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
1523 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
1524 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
1525 + },
1526 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
1527 + swab_apm_power_in_minutes, "Sony VAIO",
1528 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1529 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
1530 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
1531 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
1532 + },
1533 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1534 + swab_apm_power_in_minutes, "Sony VAIO",
1535 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1536 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
1537 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
1538 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
1539 + },
1540 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1541 + swab_apm_power_in_minutes, "Sony VAIO",
1542 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1543 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
1544 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
1545 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
1546 + },
1547 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
1548 + swab_apm_power_in_minutes, "Sony VAIO",
1549 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1550 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
1551 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
1552 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
1553 + },
1554 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
1555 + swab_apm_power_in_minutes, "Sony VAIO",
1556 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1557 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
1558 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
1559 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
1560 + },
1561 +
1562 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
1563 + swab_apm_power_in_minutes, "Sony VAIO",
1564 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1565 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
1566 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
1567 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
1568 + },
1569 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1570 + swab_apm_power_in_minutes, "Sony VAIO",
1571 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1572 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
1573 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
1574 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
1575 + },
1576 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1577 + swab_apm_power_in_minutes, "Sony VAIO",
1578 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1579 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
1580 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
1581 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
1582 + },
1583 + { /* broken PM poweroff bios */
1584 + set_realmode_power_off, "Award Software v4.60 PGMA",
1585 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
1586 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
1587 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
1588 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
1589 + },
1590 +
1591 + /* Generic per vendor APM settings */
1592 +
1593 + { /* Allow interrupts during suspend on IBM laptops */
1594 + set_apm_ints, "IBM",
1595 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
1596 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
1597 + },
1598 +
1599 +- { }
1600 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
1601 + };
1602 +
1603 + /*
1604 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
1605 + struct desc_struct *gdt;
1606 + int err;
1607 +
1608 ++#ifdef CONFIG_PAX_KERNEXEC
1609 ++ unsigned long cr0;
1610 ++#endif
1611 ++
1612 + dmi_check_system(apm_dmi_table);
1613 +
1614 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
1615 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
1616 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
1617 + * even though they are called in protected mode.
1618 + */
1619 ++
1620 ++#ifdef CONFIG_PAX_KERNEXEC
1621 ++ pax_open_kernel(cr0);
1622 ++#endif
1623 ++
1624 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
1625 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
1626 +
1627 ++#ifdef CONFIG_PAX_KERNEXEC
1628 ++ pax_close_kernel(cr0);
1629 ++#endif
1630 ++
1631 + /*
1632 + * Set up the long jump entry point to the APM BIOS, which is called
1633 + * from inline assembly.
1634 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
1635 + * code to that CPU.
1636 + */
1637 + gdt = get_cpu_gdt_table(0);
1638 ++
1639 ++#ifdef CONFIG_PAX_KERNEXEC
1640 ++ pax_open_kernel(cr0);
1641 ++#endif
1642 ++
1643 + set_base(gdt[APM_CS >> 3],
1644 + __va((unsigned long)apm_info.bios.cseg << 4));
1645 + set_base(gdt[APM_CS_16 >> 3],
1646 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
1647 + set_base(gdt[APM_DS >> 3],
1648 + __va((unsigned long)apm_info.bios.dseg << 4));
1649 +
1650 ++#ifdef CONFIG_PAX_KERNEXEC
1651 ++ pax_close_kernel(cr0);
1652 ++#endif
1653 ++
1654 + apm_proc = create_proc_entry("apm", 0, NULL);
1655 + if (apm_proc)
1656 + apm_proc->proc_fops = &apm_file_ops;
1657 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
1658 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
1659 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
1660 +@@ -109,6 +109,7 @@ void foo(void)
1661 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
1662 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
1663 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
1664 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
1665 +
1666 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
1667 +
1668 +@@ -122,6 +123,7 @@ void foo(void)
1669 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
1670 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
1671 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
1672 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
1673 + #endif
1674 +
1675 + #ifdef CONFIG_XEN
1676 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
1677 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
1678 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
1679 +@@ -4,7 +4,6 @@
1680 + #include <linux/smp.h>
1681 + #include <linux/module.h>
1682 + #include <linux/percpu.h>
1683 +-#include <linux/bootmem.h>
1684 + #include <asm/semaphore.h>
1685 + #include <asm/processor.h>
1686 + #include <asm/i387.h>
1687 +@@ -21,39 +20,15 @@
1688 +
1689 + #include "cpu.h"
1690 +
1691 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
1692 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
1693 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
1694 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
1695 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
1696 +- /*
1697 +- * Segments used for calling PnP BIOS have byte granularity.
1698 +- * They code segments and data segments have fixed 64k limits,
1699 +- * the transfer segment sizes are set at run time.
1700 +- */
1701 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1702 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
1703 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
1704 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
1705 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
1706 +- /*
1707 +- * The APM segments have byte granularity and their bases
1708 +- * are set at run time. All have 64k limits.
1709 +- */
1710 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1711 +- /* 16-bit code */
1712 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
1713 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
1714 +-
1715 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
1716 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
1717 +-} };
1718 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
1719 +-
1720 + static int cachesize_override __cpuinitdata = -1;
1721 + static int disable_x86_fxsr __cpuinitdata;
1722 + static int disable_x86_serial_nr __cpuinitdata = 1;
1723 +-static int disable_x86_sep __cpuinitdata;
1724 ++
1725 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1726 ++int disable_x86_sep __cpuinitdata = 1;
1727 ++#else
1728 ++int disable_x86_sep __cpuinitdata;
1729 ++#endif
1730 +
1731 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
1732 +
1733 +@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
1734 + void __init cpu_detect(struct cpuinfo_x86 *c)
1735 + {
1736 + /* Get vendor name */
1737 +- cpuid(0x00000000, &c->cpuid_level,
1738 +- (int *)&c->x86_vendor_id[0],
1739 +- (int *)&c->x86_vendor_id[8],
1740 +- (int *)&c->x86_vendor_id[4]);
1741 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1742 ++ (unsigned int *)&c->x86_vendor_id[0],
1743 ++ (unsigned int *)&c->x86_vendor_id[8],
1744 ++ (unsigned int *)&c->x86_vendor_id[4]);
1745 +
1746 + c->x86 = 4;
1747 + if (c->cpuid_level >= 0x00000001) {
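Review bot: The signedness fix is applied by casting at every call site — `(unsigned int *)&c->cpuid_level` plus the three `x86_vendor_id` casts here, and the same four again in `generic_identify` in the next hunk — rather than by aligning the `cpuid()` prototype or the `cpuid_level` field type. That keeps the `char` array being written through an `unsigned int *`, the same aliasing the original `(int *)` casts had, and adds eight casts to maintain. If `cpuid()` was changed to take `unsigned int *` elsewhere in the patch, making `cpuid_level` unsigned and dropping the first cast in both places would be the smaller change. `cpu_detect` continues beyond the hunk.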
1748 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
1749 +
1750 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
1751 + {
1752 +- u32 tfms, xlvl;
1753 +- int ebx;
1754 ++ u32 tfms, xlvl, ebx;
1755 +
1756 + if (have_cpuid_p()) {
1757 + /* Get vendor name */
1758 +- cpuid(0x00000000, &c->cpuid_level,
1759 +- (int *)&c->x86_vendor_id[0],
1760 +- (int *)&c->x86_vendor_id[8],
1761 +- (int *)&c->x86_vendor_id[4]);
1762 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1763 ++ (unsigned int *)&c->x86_vendor_id[0],
1764 ++ (unsigned int *)&c->x86_vendor_id[8],
1765 ++ (unsigned int *)&c->x86_vendor_id[4]);
1766 +
1767 + get_cpu_vendor(c, 0);
1768 + /* Initialize the standard set of capabilities */
1769 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
1770 + {
1771 + struct Xgt_desc_struct gdt_descr;
1772 +
1773 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
1774 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
1775 + gdt_descr.size = GDT_SIZE - 1;
1776 + load_gdt(&gdt_descr);
1777 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
1778 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
1779 + {
1780 + int cpu = smp_processor_id();
1781 + struct task_struct *curr = current;
1782 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
1783 ++ struct tss_struct *t = init_tss + cpu;
1784 + struct thread_struct *thread = &curr->thread;
1785 +
1786 + if (cpu_test_and_set(cpu, cpu_initialized)) {
1787 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
1788 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
1789 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
1790 +@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
1791 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
1792 + },
1793 + },
1794 +- { }
1795 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
1796 + };
1797 + #endif
1798 +
1799 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
1800 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
1801 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
1802 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
1803 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
1804 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
1805 +
1806 +- { NULL, }
1807 ++ { NULL, NULL, 0, NULL}
1808 + };
1809 + #undef _BANIAS
1810 + #undef BANIAS
1811 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
1812 +--- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
1813 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
1814 +@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
1815 + */
1816 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
1817 + /* supports eax=2 call */
1818 +- int i, j, n;
1819 +- int regs[4];
1820 ++ int j, n;
1821 ++ unsigned int regs[4];
1822 + unsigned char *dp = (unsigned char *)regs;
1823 + int only_trace = 0;
1824 +
1825 +@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
1826 +
1827 + /* If bit 31 is set, this is an unknown format */
1828 + for ( j = 0 ; j < 3 ; j++ ) {
1829 +- if ( regs[j] < 0 ) regs[j] = 0;
1830 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
1831 + }
1832 +
1833 + /* Byte 0 is level count, not a descriptor */
1834 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
1835 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
1836 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
1837 +@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
1838 + return NOTIFY_OK;
1839 + }
1840 +
1841 +-static struct notifier_block thermal_throttle_cpu_notifier =
1842 ++static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
1843 + {
1844 + .notifier_call = thermal_throttle_cpu_callback,
1845 + };
1846 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
1847 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
1848 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
1849 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
1850 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
1851 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
1852 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
1853 +- {}
1854 ++ { 0, 0 }
1855 + };
1856 +
1857 + static unsigned long smp_changes_mask;
1858 +-static struct mtrr_state mtrr_state = {};
1859 ++static struct mtrr_state mtrr_state;
1860 +
1861 + #undef MODULE_PARAM_PREFIX
1862 + #define MODULE_PARAM_PREFIX "mtrr."
1863 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
1864 +--- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
1865 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
1866 +@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
1867 + return NOTIFY_STOP;
1868 + local_irq_disable();
1869 +
1870 +- if (!user_mode_vm(regs)) {
1871 ++ if (!user_mode(regs)) {
1872 + crash_fixup_ss_esp(&fixed_regs, regs);
1873 + regs = &fixed_regs;
1874 + }
1875 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
1876 +--- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
1877 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
1878 +@@ -11,17 +11,17 @@
1879 +
1880 + #define DOUBLEFAULT_STACKSIZE (1024)
1881 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1882 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1883 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1884 +
1885 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1886 +
1887 + static void doublefault_fn(void)
1888 + {
1889 +- struct Xgt_desc_struct gdt_desc = {0, 0};
1890 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1891 + unsigned long gdt, tss;
1892 +
1893 + store_gdt(&gdt_desc);
1894 +- gdt = gdt_desc.address;
1895 ++ gdt = (unsigned long)gdt_desc.address;
1896 +
1897 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1898 +
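Review bot: `STACK_START` now points two `unsigned long`s below the end of `doublefault_stack`, but nothing says what the two reserved top words are for, and the `.esp = STACK_START` user in the next hunk gives no hint either. Please add the reason at the define, e.g. `/* leave the top two words of the double-fault stack unused: <reason> */`. The `{0, NULL, 0}` initializer and the `(unsigned long)gdt_desc.address` cast are consistent with `Xgt_desc_struct.address` having become a pointer elsewhere in this patch, which is worth stating in the commit description since several files change for it.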
1899 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1900 + /* 0x2 bit is always set */
1901 + .eflags = X86_EFLAGS_SF | 0x2,
1902 + .esp = STACK_START,
1903 +- .es = __USER_DS,
1904 ++ .es = __KERNEL_DS,
1905 + .cs = __KERNEL_CS,
1906 + .ss = __KERNEL_DS,
1907 +- .ds = __USER_DS,
1908 ++ .ds = __KERNEL_DS,
1909 + .fs = __KERNEL_PERCPU,
1910 +
1911 + .__cr3 = __pa(swapper_pg_dir)
1912 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
1913 +--- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
1914 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
1915 +@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1916 +
1917 + static unsigned long efi_rt_eflags;
1918 + static DEFINE_SPINLOCK(efi_rt_lock);
1919 +-static pgd_t efi_bak_pg_dir_pointer[2];
1920 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
1921 +
1922 + static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
1923 + {
1924 +- unsigned long cr4;
1925 +- unsigned long temp;
1926 + struct Xgt_desc_struct gdt_descr;
1927 +
1928 + spin_lock(&efi_rt_lock);
1929 + local_irq_save(efi_rt_eflags);
1930 +
1931 +- /*
1932 +- * If I don't have PSE, I should just duplicate two entries in page
1933 +- * directory. If I have PSE, I just need to duplicate one entry in
1934 +- * page directory.
1935 +- */
1936 +- cr4 = read_cr4();
1937 +-
1938 +- if (cr4 & X86_CR4_PSE) {
1939 +- efi_bak_pg_dir_pointer[0].pgd =
1940 +- swapper_pg_dir[pgd_index(0)].pgd;
1941 +- swapper_pg_dir[0].pgd =
1942 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1943 +- } else {
1944 +- efi_bak_pg_dir_pointer[0].pgd =
1945 +- swapper_pg_dir[pgd_index(0)].pgd;
1946 +- efi_bak_pg_dir_pointer[1].pgd =
1947 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
1948 +- swapper_pg_dir[pgd_index(0)].pgd =
1949 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1950 +- temp = PAGE_OFFSET + 0x400000;
1951 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1952 +- swapper_pg_dir[pgd_index(temp)].pgd;
1953 +- }
1954 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
1955 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1956 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
1957 +
1958 + /*
1959 + * After the lock is released, the original page table is restored.
1960 + */
1961 +- local_flush_tlb();
1962 ++ __flush_tlb_all();
1963 +
1964 + gdt_descr.address = __pa(get_cpu_gdt_table(0));
1965 + gdt_descr.size = GDT_SIZE - 1;
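Review bot: `efi_bak_pg_dir_pointer` becomes `__initdata`, but `efi_call_phys_prelog`, which reads and writes it through `clone_pgd_range`, is not marked `__init`; if the physical-mode call path is ever taken after init memory is freed this turns into a write to freed memory, and modpost should report the section mismatch either way. The later hunks do mark `phys_efi_set_virtual_address_map` and `phys_efi_get_time` `__init`, which suggests the path is init-only, so `static void __init efi_call_phys_prelog(void)` (and the same for the epilog) would make that explicit rather than implicit. Separately, the context line `gdt_descr.address = __pa(get_cpu_gdt_table(0));` still assigns an `unsigned long` to `address`, which the epilog and doublefault.c hunks suggest is now a pointer, so it likely needs a cast to the field's pointer type; the exact type is not visible here. The tail of the function (`load_gdt` and the flush) is outside the hunk.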
1966 +@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
1967 +
1968 + static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
1969 + {
1970 +- unsigned long cr4;
1971 + struct Xgt_desc_struct gdt_descr;
1972 +
1973 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
1974 ++ gdt_descr.address = get_cpu_gdt_table(0);
1975 + gdt_descr.size = GDT_SIZE - 1;
1976 + load_gdt(&gdt_descr);
1977 +-
1978 +- cr4 = read_cr4();
1979 +-
1980 +- if (cr4 & X86_CR4_PSE) {
1981 +- swapper_pg_dir[pgd_index(0)].pgd =
1982 +- efi_bak_pg_dir_pointer[0].pgd;
1983 +- } else {
1984 +- swapper_pg_dir[pgd_index(0)].pgd =
1985 +- efi_bak_pg_dir_pointer[0].pgd;
1986 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1987 +- efi_bak_pg_dir_pointer[1].pgd;
1988 +- }
1989 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
1990 +
1991 + /*
1992 + * After the lock is released, the original page table is restored.
1993 + */
1994 +- local_flush_tlb();
1995 ++ __flush_tlb_all();
1996 +
1997 + local_irq_restore(efi_rt_eflags);
1998 + spin_unlock(&efi_rt_lock);
1999 + }
2000 +
2001 +-static efi_status_t
2002 ++static efi_status_t __init
2003 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
2004 + unsigned long descriptor_size,
2005 + u32 descriptor_version,
2006 +@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
2007 + return status;
2008 + }
2009 +
2010 +-static efi_status_t
2011 ++static efi_status_t __init
2012 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
2013 + {
2014 + efi_status_t status;
2015 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
2016 +--- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
2017 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
2018 +@@ -6,6 +6,7 @@
2019 + */
2020 +
2021 + #include <linux/linkage.h>
2022 ++#include <linux/init.h>
2023 + #include <asm/page.h>
2024 +
2025 + /*
2026 +@@ -20,7 +21,7 @@
2027 + * service functions will comply with gcc calling convention, too.
2028 + */
2029 +
2030 +-.text
2031 ++__INIT
2032 + ENTRY(efi_call_phys)
2033 + /*
2034 + * 0. The function can only be called in Linux kernel. So CS has been
2035 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
2036 + * The mapping of lower virtual memory has been created in prelog and
2037 + * epilog.
2038 + */
2039 +- movl $1f, %edx
2040 +- subl $__PAGE_OFFSET, %edx
2041 +- jmp *%edx
2042 ++ jmp 1f-__PAGE_OFFSET
2043 + 1:
2044 +
2045 + /*
2046 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
2047 + * parameter 2, ..., param n. To make things easy, we save the return
2048 + * address of efi_call_phys in a global variable.
2049 + */
2050 +- popl %edx
2051 +- movl %edx, saved_return_addr
2052 +- /* get the function pointer into ECX*/
2053 +- popl %ecx
2054 +- movl %ecx, efi_rt_function_ptr
2055 +- movl $2f, %edx
2056 +- subl $__PAGE_OFFSET, %edx
2057 +- pushl %edx
2058 ++ popl (saved_return_addr)
2059 ++ popl (efi_rt_function_ptr)
2060 +
2061 + /*
2062 + * 3. Clear PG bit in %CR0.
2063 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
2064 + /*
2065 + * 5. Call the physical function.
2066 + */
2067 +- jmp *%ecx
2068 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
2069 +
2070 +-2:
2071 + /*
2072 + * 6. After EFI runtime service returns, control will return to
2073 + * following instruction. We'd better readjust stack pointer first.
2074 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
2075 + movl %cr0, %edx
2076 + orl $0x80000000, %edx
2077 + movl %edx, %cr0
2078 +- jmp 1f
2079 +-1:
2080 ++
2081 + /*
2082 + * 8. Now restore the virtual mode from flat mode by
2083 + * adding EIP with PAGE_OFFSET.
2084 + */
2085 +- movl $1f, %edx
2086 +- jmp *%edx
2087 ++ jmp 1f+__PAGE_OFFSET
2088 + 1:
2089 +
2090 + /*
2091 + * 9. Balance the stack. And because EAX contain the return value,
2092 + * we'd better not clobber it.
2093 + */
2094 +- leal efi_rt_function_ptr, %edx
2095 +- movl (%edx), %ecx
2096 +- pushl %ecx
2097 ++ pushl (efi_rt_function_ptr)
2098 +
2099 + /*
2100 +- * 10. Push the saved return address onto the stack and return.
2101 ++ * 10. Return to the saved return address.
2102 + */
2103 +- leal saved_return_addr, %edx
2104 +- movl (%edx), %ecx
2105 +- pushl %ecx
2106 +- ret
2107 ++ jmpl *(saved_return_addr)
2108 + .previous
2109 +
2110 +-.data
2111 ++__INITDATA
2112 + saved_return_addr:
2113 + .long 0
2114 + efi_rt_function_ptr:
2115 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
2116 +--- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
2117 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
2118 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
2119 + #define resume_userspace_sig resume_userspace
2120 + #endif
2121 +
2122 +-#define SAVE_ALL \
2123 ++#define __SAVE_ALL(_DS) \
2124 + cld; \
2125 + pushl %fs; \
2126 + CFI_ADJUST_CFA_OFFSET 4;\
2127 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
2128 + pushl %ebx; \
2129 + CFI_ADJUST_CFA_OFFSET 4;\
2130 + CFI_REL_OFFSET ebx, 0;\
2131 +- movl $(__USER_DS), %edx; \
2132 ++ movl $(_DS), %edx; \
2133 + movl %edx, %ds; \
2134 + movl %edx, %es; \
2135 + movl $(__KERNEL_PERCPU), %edx; \
2136 + movl %edx, %fs
2137 +
2138 ++#ifdef CONFIG_PAX_KERNEXEC
2139 ++#define SAVE_ALL \
2140 ++ __SAVE_ALL(__KERNEL_DS); \
2141 ++ GET_CR0_INTO_EDX; \
2142 ++ movl %edx, %esi; \
2143 ++ orl $X86_CR0_WP, %edx; \
2144 ++ xorl %edx, %esi; \
2145 ++ SET_CR0_FROM_EDX
2146 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2147 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
2148 ++#else
2149 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
2150 ++#endif
2151 ++
2152 + #define RESTORE_INT_REGS \
2153 + popl %ebx; \
2154 + CFI_ADJUST_CFA_OFFSET -4;\
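Review bot: The KERNEXEC `SAVE_ALL` parks the CR0.WP delta in `%esi` (`xorl %edx, %esi` after forcing WP on), and the matching `xorl %esi, %edx` in the check_userspace, nmi_stack_correct and nmi_espfix_stack hunks, plus the inline copy in error_code, all rely on `%esi` surviving untouched from entry to exit. The i386 ABI makes `%esi` callee-saved so C handlers preserve it, but any assembly between those points that uses `%esi` as scratch would silently restore the wrong WP state, either leaving kernel text writable or breaking an open window, and nothing in the macro documents the invariant. Suggested comment inside the `#ifdef`: `/* %esi holds the CR0.WP bits SAVE_ALL forced on; it must stay intact until the exit path xors it back into CR0 */`. The `__SAVE_ALL` body this wraps starts in the previous hunk.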
2155 +@@ -248,7 +262,17 @@ check_userspace:
2156 + movb PT_CS(%esp), %al
2157 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
2158 + cmpl $USER_RPL, %eax
2159 ++
2160 ++#ifdef CONFIG_PAX_KERNEXEC
2161 ++ jae resume_userspace
2162 ++
2163 ++ GET_CR0_INTO_EDX
2164 ++ xorl %esi, %edx
2165 ++ SET_CR0_FROM_EDX
2166 ++ jmp resume_kernel
2167 ++#else
2168 + jb resume_kernel # not returning to v8086 or userspace
2169 ++#endif
2170 +
2171 + ENTRY(resume_userspace)
2172 + DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
2173 +@@ -307,10 +331,9 @@ sysenter_past_esp:
2174 + /*CFI_REL_OFFSET cs, 0*/
2175 + /*
2176 + * Push current_thread_info()->sysenter_return to the stack.
2177 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
2178 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
2179 + */
2180 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
2181 ++ GET_THREAD_INFO(%ebp)
2182 ++ pushl TI_sysenter_return(%ebp)
2183 + CFI_ADJUST_CFA_OFFSET 4
2184 + CFI_REL_OFFSET eip, 0
2185 +
2186 +@@ -318,9 +341,17 @@ sysenter_past_esp:
2187 + * Load the potential sixth argument from user stack.
2188 + * Careful about security.
2189 + */
2190 ++ movl 12(%esp),%ebp
2191 ++
2192 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2193 ++ mov 16(%esp),%ds
2194 ++1: movl %ds:(%ebp),%ebp
2195 ++#else
2196 + cmpl $__PAGE_OFFSET-3,%ebp
2197 + jae syscall_fault
2198 + 1: movl (%ebp),%ebp
2199 ++#endif
2200 ++
2201 + .section __ex_table,"a"
2202 + .align 4
2203 + .long 1b,syscall_fault
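Review bot: Under UDEREF the explicit `cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault` range check is dropped and the sixth argument is read through `%ds:(%ebp)` after loading `%ds` from `16(%esp)`, so the protection now rests on that segment's limit excluding kernel space, which is set up outside this chunk. The hunk names neither what `12(%esp)` and `16(%esp)` are (they appear to be the user `%esp` and `__USER_DS` selector pushed earlier, outside the hunk) nor that a limit violation arrives as #GP rather than #PF, so the `1b,syscall_fault` fixup must be honoured by the #GP path as well. A comment would make the trade-off reviewable: `/* UDEREF: rely on the user %ds limit (must exclude kernel space) instead of an explicit compare; a violation faults and is caught by the __ex_table entry below */`. `sysenter_entry` extends beyond the hunk.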
2204 +@@ -343,20 +374,37 @@ sysenter_past_esp:
2205 + movl TI_flags(%ebp), %ecx
2206 + testw $_TIF_ALLWORK_MASK, %cx
2207 + jne syscall_exit_work
2208 ++
2209 ++#ifdef CONFIG_PAX_RANDKSTACK
2210 ++ pushl %eax
2211 ++ CFI_ADJUST_CFA_OFFSET 4
2212 ++ call pax_randomize_kstack
2213 ++ popl %eax
2214 ++ CFI_ADJUST_CFA_OFFSET -4
2215 ++#endif
2216 ++
2217 + /* if something modifies registers it must also disable sysexit */
2218 + movl PT_EIP(%esp), %edx
2219 + movl PT_OLDESP(%esp), %ecx
2220 + xorl %ebp,%ebp
2221 + TRACE_IRQS_ON
2222 + 1: mov PT_FS(%esp), %fs
2223 ++2: mov PT_DS(%esp), %ds
2224 ++3: mov PT_ES(%esp), %es
2225 + ENABLE_INTERRUPTS_SYSEXIT
2226 + CFI_ENDPROC
2227 + .pushsection .fixup,"ax"
2228 +-2: movl $0,PT_FS(%esp)
2229 ++4: movl $0,PT_FS(%esp)
2230 + jmp 1b
2231 ++5: movl $0,PT_DS(%esp)
2232 ++ jmp 2b
2233 ++6: movl $0,PT_ES(%esp)
2234 ++ jmp 3b
2235 + .section __ex_table,"a"
2236 + .align 4
2237 +- .long 1b,2b
2238 ++ .long 1b,4b
2239 ++ .long 2b,5b
2240 ++ .long 3b,6b
2241 + .popsection
2242 + ENDPROC(sysenter_entry)
2243 +
2244 +@@ -389,6 +437,10 @@ no_singlestep:
2245 + testw $_TIF_ALLWORK_MASK, %cx # current->work
2246 + jne syscall_exit_work
2247 +
2248 ++#ifdef CONFIG_PAX_RANDKSTACK
2249 ++ call pax_randomize_kstack
2250 ++#endif
2251 ++
2252 + restore_all:
2253 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
2254 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
2255 +@@ -552,17 +604,24 @@ syscall_badsys:
2256 + END(syscall_badsys)
2257 + CFI_ENDPROC
2258 +
2259 +-#define FIXUP_ESPFIX_STACK \
2260 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
2261 +- PER_CPU(gdt_page, %ebx); \
2262 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
2263 +- addl %esp, %eax; \
2264 +- pushl $__KERNEL_DS; \
2265 +- CFI_ADJUST_CFA_OFFSET 4; \
2266 +- pushl %eax; \
2267 +- CFI_ADJUST_CFA_OFFSET 4; \
2268 +- lss (%esp), %esp; \
2269 ++.macro FIXUP_ESPFIX_STACK
2270 ++ /* since we are on a wrong stack, we cant make it a C code :( */
2271 ++#ifdef CONFIG_SMP
2272 ++ movl PER_CPU_VAR(cpu_number), %ebx;
2273 ++ shll $PAGE_SHIFT_asm, %ebx;
2274 ++ addl $cpu_gdt_table, %ebx;
2275 ++#else
2276 ++ movl $cpu_gdt_table, %ebx;
2277 ++#endif
2278 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
2279 ++ addl %esp, %eax;
2280 ++ pushl $__KERNEL_DS;
2281 ++ CFI_ADJUST_CFA_OFFSET 4;
2282 ++ pushl %eax;
2283 ++ CFI_ADJUST_CFA_OFFSET 4;
2284 ++ lss (%esp), %esp;
2285 + CFI_ADJUST_CFA_OFFSET -8;
2286 ++.endm
2287 + #define UNWIND_ESPFIX_STACK \
2288 + movl %ss, %eax; \
2289 + /* see if on espfix stack */ \
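Review bot: The new `.macro` body keeps the trailing `;` terminators from the old `#define` on every line (`movl PER_CPU_VAR(cpu_number), %ebx;` and so on); they are harmless but no longer needed and should be dropped for consistency with the rest of the file. The SMP branch locates the GDT as `cpu_gdt_table + (cpu_number << PAGE_SHIFT_asm)`, i.e. one page per CPU, and that layout assumption about `cpu_gdt_table` (defined outside this chunk) deserves a comment: `/* cpu_gdt_table holds one page-sized GDT per CPU */`. The `UNWIND_ESPFIX_STACK` define that follows is cut off by the hunk.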
2290 +@@ -579,7 +638,7 @@ END(syscall_badsys)
2291 + * Build the entry stubs and pointer table with
2292 + * some assembler magic.
2293 + */
2294 +-.data
2295 ++.section .rodata,"a",@progbits
2296 + ENTRY(interrupt)
2297 + .text
2298 +
2299 +@@ -679,12 +738,21 @@ error_code:
2300 + popl %ecx
2301 + CFI_ADJUST_CFA_OFFSET -4
2302 + /*CFI_REGISTER es, ecx*/
2303 ++
2304 ++#ifdef CONFIG_PAX_KERNEXEC
2305 ++ GET_CR0_INTO_EDX
2306 ++ movl %edx, %esi
2307 ++ orl $X86_CR0_WP, %edx
2308 ++ xorl %edx, %esi
2309 ++ SET_CR0_FROM_EDX
2310 ++#endif
2311 ++
2312 + movl PT_FS(%esp), %edi # get the function address
2313 + movl PT_ORIG_EAX(%esp), %edx # get the error code
2314 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
2315 + mov %ecx, PT_FS(%esp)
2316 + /*CFI_REL_OFFSET fs, ES*/
2317 +- movl $(__USER_DS), %ecx
2318 ++ movl $(__KERNEL_DS), %ecx
2319 + movl %ecx, %ds
2320 + movl %ecx, %es
2321 + movl %esp,%eax # pt_regs pointer
2322 +@@ -818,6 +886,13 @@ nmi_stack_correct:
2323 + xorl %edx,%edx # zero error code
2324 + movl %esp,%eax # pt_regs pointer
2325 + call do_nmi
2326 ++
2327 ++#ifdef CONFIG_PAX_KERNEXEC
2328 ++ GET_CR0_INTO_EDX
2329 ++ xorl %esi, %edx
2330 ++ SET_CR0_FROM_EDX
2331 ++#endif
2332 ++
2333 + jmp restore_nocheck_notrace
2334 + CFI_ENDPROC
2335 +
2336 +@@ -858,6 +933,13 @@ nmi_espfix_stack:
2337 + FIXUP_ESPFIX_STACK # %eax == %esp
2338 + xorl %edx,%edx # zero error code
2339 + call do_nmi
2340 ++
2341 ++#ifdef CONFIG_PAX_KERNEXEC
2342 ++ GET_CR0_INTO_EDX
2343 ++ xorl %esi, %edx
2344 ++ SET_CR0_FROM_EDX
2345 ++#endif
2346 ++
2347 + RESTORE_REGS
2348 + lss 12+4(%esp), %esp # back to espfix stack
2349 + CFI_ADJUST_CFA_OFFSET -24
2350 +@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
2351 +
2352 + #endif /* CONFIG_XEN */
2353 +
2354 +-.section .rodata,"a"
2355 + #include "syscall_table.S"
2356 +
2357 + syscall_table_size=(.-sys_call_table)
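Review bot: Removing `.section .rodata,"a"` in front of `#include "syscall_table.S"` means `sys_call_table` is emitted into whatever section is current at the end of the preceding Xen block, which is outside the hunk; unless syscall_table.S now carries its own section directive (not visible here), the table could silently land in `.text` or `.data`. A writable syscall table is exactly what the earlier hunk moving the `interrupt` table into `.rodata` avoids, so please confirm where `sys_call_table` ends up, or keep an explicit `.section .rodata,"a",@progbits` here to match that hunk.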
2358 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
2359 +--- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
2360 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
2361 +@@ -18,6 +18,7 @@
2362 + #include <asm/thread_info.h>
2363 + #include <asm/asm-offsets.h>
2364 + #include <asm/setup.h>
2365 ++#include <asm/msr-index.h>
2366 +
2367 + /*
2368 + * References to members of the new_cpu_data structure.
2369 +@@ -51,17 +52,22 @@
2370 + */
2371 + LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
2372 +
2373 +-#if PTRS_PER_PMD > 1
2374 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
2375 +-#else
2376 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
2377 +-#endif
2378 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
2379 + BOOTBITMAP_SIZE = LOW_PAGES / 8
2380 + ALLOCATOR_SLOP = 4
2381 +
2382 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
2383 +
2384 + /*
2385 ++ * Real beginning of normal "text" segment
2386 ++ */
2387 ++ENTRY(stext)
2388 ++ENTRY(_stext)
2389 ++
2390 ++.section .text.startup,"ax",@progbits
2391 ++ ljmp $(__BOOT_CS),$phys_startup_32
2392 ++
2393 ++/*
2394 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
2395 + * %esi points to the real-mode code as a 32-bit pointer.
2396 + * CS and DS must be 4 GB flat segments, but we don't depend on
2397 +@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
2398 + * can.
2399 + */
2400 + .section .text.head,"ax",@progbits
2401 ++
2402 ++#ifdef CONFIG_PAX_KERNEXEC
2403 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
2404 ++.fill 4096,1,0xcc
2405 ++#endif
2406 ++
2407 + ENTRY(startup_32)
2408 +
2409 + /*
2410 +@@ -82,6 +94,43 @@ ENTRY(startup_32)
2411 + movl %eax,%fs
2412 + movl %eax,%gs
2413 +
2414 ++ movl $__per_cpu_start,%eax
2415 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
2416 ++ rorl $16,%eax
2417 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
2418 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
2419 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
2420 ++ subl $__per_cpu_start,%eax
2421 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
2422 ++
2423 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2424 ++ /* check for VMware */
2425 ++ movl $0x564d5868,%eax
2426 ++ xorl %ebx,%ebx
2427 ++ movl $0xa,%ecx
2428 ++ movl $0x5658,%edx
2429 ++ in (%dx),%eax
2430 ++ cmpl $0x564d5868,%ebx
2431 ++ jz 1f
2432 ++
2433 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
2434 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
2435 ++1:
2436 ++#endif
2437 ++
2438 ++#ifdef CONFIG_PAX_KERNEXEC
2439 ++ movl $KERNEL_TEXT_OFFSET,%eax
2440 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
2441 ++ rorl $16,%eax
2442 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
2443 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
2444 ++
2445 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
2446 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
2447 ++ rorl $16,%eax
2448 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
2449 ++#endif
2450 ++
2451 + /*
2452 + * Clear BSS first so that there are no surprises...
2453 + * No need to cld as DF is already clear from cld above...
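Review bot: The `__KERNEL_PERCPU` descriptor patching writes only the low 16 limit bits (`movw %ax,(... + 0)`) of `__per_cpu_end + PERCPU_MODULE_RESERVE - __per_cpu_start`; whether the upper limit nibble and granularity bit of the static `cpu_gdt_table` entry (not in this chunk) make that sufficient for a per-CPU area larger than 64 KiB should be confirmed, and a comment stating the size assumption would help. The UDEREF block is all magic: `0x564d5868`, port `0x5658` and `0xa` in `%ecx` are the VMware backdoor version probe, and `0x00c09700` rewrites the high dword of the `GDT_ENTRY_KERNEL_DS` descriptor with limit bits derived from `__PAGE_OFFSET`, yet neither why that hypervisor is excluded nor which descriptor fields are encoded is documented. Suggested comments: `/* VMware backdoor probe: in from port 0x5658 with eax=VMXh, ecx=0xa answers with ebx=VMXh; skip the %ds limit change there because <reason> */` and `/* kernel %ds descriptor: limit derived from __PAGE_OFFSET so kernel data accesses cannot reach user space (UDEREF) */`, the latter to be checked against the intended descriptor type. `startup_32` continues beyond the hunk.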
2454 +@@ -129,24 +178,42 @@ ENTRY(startup_32)
2455 + * Warning: don't use %esi or the stack in this code. However, %esp
2456 + * can be used as a GPR if you really need it...
2457 + */
2458 +-page_pde_offset = (__PAGE_OFFSET >> 20);
2459 +-
2460 ++#ifdef CONFIG_X86_PAE
2461 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2462 ++#else
2463 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2464 ++#endif
2465 + movl $(pg0 - __PAGE_OFFSET), %edi
2466 ++#ifdef CONFIG_X86_PAE
2467 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
2468 ++#else
2469 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2470 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2471 ++#endif
2472 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
2473 + 10:
2474 +- leal 0x007(%edi),%ecx /* Create PDE entry */
2475 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
2476 + movl %ecx,(%edx) /* Store identity PDE entry */
2477 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
2478 ++#ifdef CONFIG_X86_PAE
2479 ++ movl $0,4(%edx)
2480 ++ movl $0,page_pde_offset+4(%edx)
2481 ++ addl $8,%edx
2482 ++ movl $512, %ecx
2483 ++#else
2484 + addl $4,%edx
2485 + movl $1024, %ecx
2486 ++#endif
2487 + 11:
2488 + stosl
2489 ++#ifdef CONFIG_X86_PAE
2490 ++ movl $0,(%edi)
2491 ++ addl $4,%edi
2492 ++#endif
2493 + addl $0x1000,%eax
2494 + loop 11b
2495 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
2496 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
2497 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
2498 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
2499 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
2500 + cmpl %ebp,%eax
2501 + jb 10b
2502 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
2503 +@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
2504 + #endif
2505 +
2506 + /* Do an early initialization of the fixmap area */
2507 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2508 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
2509 +- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2510 +- movl %eax, 4092(%edx)
2511 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
2512 ++#ifdef CONFIG_X86_PAE
2513 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
2514 ++#else
2515 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
2516 ++#endif
2517 +
2518 + #ifdef CONFIG_SMP
2519 + ENTRY(startup_32_smp)
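Review bot: The fixmap PDE keeps the USER bit (`0x067`) while the identity and kernel PDEs rewritten in the previous hunk drop it (`0x063`), and the comment names the bits but not why this one entry stays user-accessible. If that is deliberate, say so: `/* fixmap PDE keeps USER: <reason> */`; if not, it should be `0x063` like the others. Also, the PAE branch writes the `swapper_pm_dir` slot at `4096 - 8` with a 32-bit `movl`, leaving the high dword of that 8-byte entry untouched, which is only correct if it is already zero.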
2520 +@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
2521 + movl %eax,%fs
2522 + movl %eax,%gs
2523 +
2524 ++ /* This is a secondary processor (AP) */
2525 ++ xorl %ebx,%ebx
2526 ++ incl %ebx
2527 ++#endif /* CONFIG_SMP */
2528 ++
2529 + /*
2530 + * New page tables may be in 4Mbyte page mode and may
2531 + * be using the global pages.
2532 +@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
2533 + * not yet offset PAGE_OFFSET..
2534 + */
2535 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
2536 ++3:
2537 + movl cr4_bits,%edx
2538 + andl %edx,%edx
2539 +- jz 6f
2540 ++ jz 5f
2541 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
2542 + orl %edx,%eax
2543 + movl %eax,%cr4
2544 +
2545 +- btl $5, %eax # check if PAE is enabled
2546 +- jnc 6f
2547 ++#ifdef CONFIG_X86_PAE
2548 ++ movl %ebx,%edi
2549 +
2550 + /* Check if extended functions are implemented */