author | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-10-12 20:41:59 -0400 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-10-12 20:41:59 -0400 |
commit | fd6b693f458730a84d91eff47b6a63cd2e619bee (patch) | |
tree | 6ed1b6803f3ec88eea5fa5262086c3b1865263d0 | |
parent | Updated Grsec/PaX (diff) | |
Updated Grsec/PaX
2.2.0-2.6.35.7-201010112244 for 2.6.35.7
-rw-r--r-- | 2.6.35/0000_README | 2 | ||||
-rw-r--r-- | 2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010112244.patch (renamed from 2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010101609.patch) | 536 |
2 files changed, 468 insertions, 70 deletions
diff --git a/2.6.35/0000_README b/2.6.35/0000_README index 14e1d5e..280891e 100644 --- a/2.6.35/0000_README +++ b/2.6.35/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.0-2.6.35.7-201010101609.patch +Patch: 4420_grsecurity-2.2.0-2.6.35.7-201010112244.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010101609.patch b/2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010112244.patch index 0e953fd..fbe5a60 100644 --- a/2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010101609.patch +++ b/2.6.35/4420_grsecurity-2.2.0-2.6.35.7-201010112244.patch @@ -1552,13 +1552,13 @@ diff -urNp linux-2.6.35.7/arch/mips/loongson/common/pm.c linux-2.6.35.7/arch/mip }; diff -urNp linux-2.6.35.7/arch/mips/mm/fault.c linux-2.6.35.7/arch/mips/mm/fault.c --- linux-2.6.35.7/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/mips/mm/fault.c 2010-10-11 22:41:44.000000000 -0400 @@ -26,6 +26,23 @@ #include <asm/ptrace.h> #include <asm/highmem.h> /* For VMALLOC_END */ +#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(void *pc) ++void pax_report_insns(void *pc, void *sp) +{ + unsigned long i; + @@ -3413,7 +3413,7 @@ diff -urNp linux-2.6.35.7/arch/sh/mm/mmap.c linux-2.6.35.7/arch/sh/mm/mmap.c } diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h --- linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h 2010-10-11 22:41:44.000000000 -0400 @@ -14,18 +14,40 @@ #define ATOMIC64_INIT(i) { (i) } 
@@ -3455,7 +3455,7 @@ diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch extern int atomic_sub_ret(int, atomic_t *); extern long atomic64_sub_ret(long, atomic64_t *); -@@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi +@@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi #define atomic64_dec_return(v) atomic64_sub_ret(1, v) #define atomic_inc_return(v) atomic_add_ret(1, v) @@ -3471,7 +3471,16 @@ diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch #define atomic_sub_return(i, v) atomic_sub_ret(i, v) #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v) -@@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi + + #define atomic_add_return(i, v) atomic_add_ret(i, v) ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ ++ return atomic_add_ret_unchecked(i, v); ++} + #define atomic64_add_return(i, v) atomic64_add_ret(i, v) + + /* +@@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0) #define atomic_inc(v) atomic_add(1, v) @@ -3498,7 +3507,7 @@ diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0) #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0) -@@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi +@@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi static inline int atomic_add_unless(atomic_t *v, int a, int u) { @@ -3531,7 +3540,7 @@ diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch } #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) -@@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom +@@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom static inline long atomic64_add_unless(atomic64_t *v, long a, long u) { 
@@ -6057,7 +6066,7 @@ diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32entry.S linux-2.6.35.7/arch/x86/ia32 * disabled irqs and here we enable it straight after entry: diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32_signal.c linux-2.6.35.7/arch/x86/ia32/ia32_signal.c --- linux-2.6.35.7/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/x86/ia32/ia32_signal.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/ia32/ia32_signal.c 2010-10-11 22:41:44.000000000 -0400 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct sp -= frame_size; /* Align the stack pointer according to the i386 ABI, @@ -6076,6 +6085,20 @@ diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32_signal.c linux-2.6.35.7/arch/x86/ia }; frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate); +@@ -534,8 +534,11 @@ int ia32_setup_rt_frame(int sig, struct + if (ka->sa.sa_flags & SA_RESTORER) + restorer = ka->sa.sa_restorer; + else +- restorer = VDSO32_SYMBOL(current->mm->context.vdso, +- rt_sigreturn); ++ /* Return stub is in 32bit vsyscall page */ ++ if (current->mm->context.vdso) ++ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ else ++ restorer = &frame->retcode; + put_user_ex(ptr_to_compat(restorer), &frame->pretcode); + + /* diff -urNp linux-2.6.35.7/arch/x86/include/asm/alternative.h linux-2.6.35.7/arch/x86/include/asm/alternative.h --- linux-2.6.35.7/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400 
@@ -8908,6 +8931,18 @@ diff -urNp linux-2.6.35.7/arch/x86/include/asm/segment.h linux-2.6.35.7/arch/x86 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8) #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3) #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3) +diff -urNp linux-2.6.35.7/arch/x86/include/asm/smp.h linux-2.6.35.7/arch/x86/include/asm/smp.h +--- linux-2.6.35.7/arch/x86/include/asm/smp.h 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/include/asm/smp.h 2010-10-11 22:41:44.000000000 -0400 +@@ -24,7 +24,7 @@ extern unsigned int num_processors; + DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map); + DECLARE_PER_CPU(cpumask_var_t, cpu_core_map); + DECLARE_PER_CPU(u16, cpu_llc_id); +-DECLARE_PER_CPU(int, cpu_number); ++DECLARE_PER_CPU(unsigned int, cpu_number); + + static inline struct cpumask *cpu_sibling_mask(int cpu) + { diff -urNp linux-2.6.35.7/arch/x86/include/asm/spinlock.h linux-2.6.35.7/arch/x86/include/asm/spinlock.h --- linux-2.6.35.7/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400 @@ -12638,7 +12673,7 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/kprobes.c linux-2.6.35.7/arch/x86/kern switch (val) { diff -urNp linux-2.6.35.7/arch/x86/kernel/ldt.c linux-2.6.35.7/arch/x86/kernel/ldt.c --- linux-2.6.35.7/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/x86/kernel/ldt.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/kernel/ldt.c 2010-10-11 22:41:44.000000000 -0400 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i if (reload) { #ifdef CONFIG_SMP @@ -12670,7 +12705,7 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/ldt.c linux-2.6.35.7/arch/x86/kernel/l } + + if (tsk == current) { -+ mm->context.vdso = ~0UL; ++ mm->context.vdso = 0; + +#ifdef CONFIG_X86_32 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) 
@@ -13466,13 +13501,14 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/setup.c linux-2.6.35.7/arch/x86/kernel bss_resource.end = virt_to_phys(&__bss_stop)-1; diff -urNp linux-2.6.35.7/arch/x86/kernel/setup_percpu.c linux-2.6.35.7/arch/x86/kernel/setup_percpu.c --- linux-2.6.35.7/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/x86/kernel/setup_percpu.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/kernel/setup_percpu.c 2010-10-11 22:41:44.000000000 -0400 @@ -21,19 +21,17 @@ #include <asm/cpu.h> #include <asm/stackprotector.h> +-DEFINE_PER_CPU(int, cpu_number); +#ifdef CONFIG_SMP - DEFINE_PER_CPU(int, cpu_number); ++DEFINE_PER_CPU(unsigned int, cpu_number); EXPORT_PER_CPU_SYMBOL(cpu_number); +#endif @@ -13531,7 +13567,7 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/setup_percpu.c linux-2.6.35.7/arch/x86 * area. Reload any changed state for the boot CPU. diff -urNp linux-2.6.35.7/arch/x86/kernel/signal.c linux-2.6.35.7/arch/x86/kernel/signal.c --- linux-2.6.35.7/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/x86/kernel/signal.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/kernel/signal.c 2010-10-11 22:41:44.000000000 -0400 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi * Align the stack pointer according to the i386 ABI, * i.e. so that on function entry ((sp + 4) & 15) == 0. 
@@ -13576,16 +13612,19 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/signal.c linux-2.6.35.7/arch/x86/kerne if (err) return -EFAULT; -@@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str +@@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); /* Set up to return from userspace. */ - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ if (current->mm->context.vdso) ++ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ else ++ restorer = (void __user *)&frame->retcode; if (ka->sa.sa_flags & SA_RESTORER) restorer = ka->sa.sa_restorer; put_user_ex(restorer, &frame->pretcode); -@@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str +@@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str * reasons and because gdb uses it as a signature to notice * signal handler stack frames. */ @@ -13594,7 +13633,7 @@ diff -urNp linux-2.6.35.7/arch/x86/kernel/signal.c linux-2.6.35.7/arch/x86/kerne } put_user_catch(err); if (err) -@@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re +@@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re * X86_32: vm86 regs switched out by assembly code before reaching * here, so testing against kernel CS suffices. */ @@ -17399,7 +17438,7 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/extable.c linux-2.6.35.7/arch/x86/mm/extab pnp_bios_is_utter_crap = 1; diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c --- linux-2.6.35.7/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/arch/x86/mm/fault.c 2010-09-17 20:12:37.000000000 -0400 ++++ linux-2.6.35.7/arch/x86/mm/fault.c 2010-10-11 22:41:44.000000000 -0400 @@ -11,10 +11,19 @@ #include <linux/kprobes.h> /* __kprobes, ... */ #include <linux/mmiotrace.h> /* kmmio_handler, ... */ 
@@ -17595,7 +17634,7 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c + struct mm_struct *mm = tsk->mm; + +#ifdef CONFIG_X86_64 -+ if (mm && (error_code & PF_INSTR)) { ++ if (mm && (error_code & PF_INSTR) && mm->context.vdso) { + if (regs->ip == (unsigned long)vgettimeofday) { + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday); + return; @@ -17614,7 +17653,7 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c + unsigned long ip = regs->ip; + + if (v8086_mode(regs)) -+ ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff); ++ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff); + + /* + * It's possible to have interrupts off here: @@ -17623,7 +17662,7 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c + +#ifdef CONFIG_PAX_PAGEEXEC + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && -+ (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) { ++ (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) { + +#ifdef CONFIG_PAX_EMUTRAMP + switch (pax_handle_fetch_fault(regs)) { @@ -17632,13 +17671,13 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c + } +#endif + -+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp); ++ pax_report_fault(regs, (void *)ip, (void *)regs->sp); + do_group_exit(SIGKILL); + } +#endif + +#ifdef CONFIG_PAX_SEGMEXEC -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) { ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) { + +#ifdef CONFIG_PAX_EMUTRAMP + switch (pax_handle_fetch_fault(regs)) { 
@@ -17647,7 +17686,7 @@ diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c + } +#endif + -+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp); ++ pax_report_fault(regs, (void *)ip, (void *)regs->sp); + do_group_exit(SIGKILL); + } +#endif @@ -20941,7 +20980,7 @@ diff -urNp linux-2.6.35.7/drivers/ata/libata-acpi.c linux-2.6.35.7/drivers/ata/l }; diff -urNp linux-2.6.35.7/drivers/ata/libata-core.c linux-2.6.35.7/drivers/ata/libata-core.c --- linux-2.6.35.7/drivers/ata/libata-core.c 2010-09-20 17:33:09.000000000 -0400 -+++ linux-2.6.35.7/drivers/ata/libata-core.c 2010-09-20 17:33:32.000000000 -0400 ++++ linux-2.6.35.7/drivers/ata/libata-core.c 2010-10-11 22:41:44.000000000 -0400 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent { { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 }, { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 }, @@ -20969,6 +21008,24 @@ diff -urNp linux-2.6.35.7/drivers/ata/libata-core.c linux-2.6.35.7/drivers/ata/l }; static int strn_pattern_cmp(const char *patt, const char *name, int wildchar) +@@ -4884,7 +4884,7 @@ void ata_qc_free(struct ata_queued_cmd * + struct ata_port *ap; + unsigned int tag; + +- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ ++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ + ap = qc->ap; + + qc->flags = 0; +@@ -4900,7 +4900,7 @@ void __ata_qc_complete(struct ata_queued + struct ata_port *ap; + struct ata_link *link; + +- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ ++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ + WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); + ap = qc->ap; + link = qc->dev->link; @@ -5881,7 +5881,7 @@ static void ata_host_stop(struct device * LOCKING: * None. 
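Review bot: The `BUG_ON(qc == NULL)` now at the top of `ata_qc_free()` and `__ata_qc_complete()` makes fatal a condition that the retained comment says "_might_" happen, and nothing in the hunk records why. Since `ap = qc->ap` on the next line would dereference the NULL pointer anyway, the intent is presumably to stop deterministically rather than rely on the dereference faulting; a comment such as `/* fail hard: qc is dereferenced immediately below */` would document that. The same WARN-to-BUG conversion appears in `drm_encoder_crtc_ok()` (which also drops the "checking null crtc?" message), in `wakeup_next_waiter()` (reached after `raw_spin_lock_irqsave()`, so the halt occurs with the lock held and interrupts off) and in `init_sched_groups_power()`; each deserves the same one-line justification. Both libata function bodies continue outside the hunk.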
@@ -24459,6 +24516,18 @@ diff -urNp linux-2.6.35.7/drivers/firmware/dmi_scan.c linux-2.6.35.7/drivers/fir p = dmi_ioremap(0xF0000, 0x10000); if (p == NULL) goto error; +diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c +--- linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c 2010-09-20 17:33:09.000000000 -0400 ++++ linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c 2010-10-11 22:41:44.000000000 -0400 +@@ -262,7 +262,7 @@ static bool drm_encoder_crtc_ok(struct d + struct drm_crtc *tmp; + int crtc_mask = 1; + +- WARN(!crtc, "checking null crtc?"); ++ BUG_ON(!crtc); + + dev = crtc->dev; + diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_drv.c linux-2.6.35.7/drivers/gpu/drm/drm_drv.c --- linux-2.6.35.7/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400 
@@ -24525,6 +24594,37 @@ diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_fops.c linux-2.6.35.7/drivers/gpu/ if (atomic_read(&dev->ioctl_count)) { DRM_ERROR("Device busy: %d\n", atomic_read(&dev->ioctl_count)); +diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_info.c linux-2.6.35.7/drivers/gpu/drm/drm_info.c +--- linux-2.6.35.7/drivers/gpu/drm/drm_info.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/drivers/gpu/drm/drm_info.c 2010-10-11 22:41:44.000000000 -0400 +@@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void + struct drm_local_map *map; + struct drm_map_list *r_list; + +- /* Hardcoded from _DRM_FRAME_BUFFER, +- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and +- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */ +- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" }; ++ static const char * const types[] = { ++ [_DRM_FRAME_BUFFER] = "FB", ++ [_DRM_REGISTERS] = "REG", ++ [_DRM_SHM] = "SHM", ++ [_DRM_AGP] = "AGP", ++ [_DRM_SCATTER_GATHER] = "SG", ++ [_DRM_CONSISTENT] = "PCI", ++ [_DRM_GEM] = "GEM" }; + const char *type; + int i; + +@@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void + map = r_list->map; + if (!map) + continue; +- if (map->type < 0 || map->type > 5) ++ if (map->type >= ARRAY_SIZE(types)) + type = "??"; + else + type = types[map->type]; diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c --- linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400 
@@ -26005,6 +26105,34 @@ diff -urNp linux-2.6.35.7/drivers/message/fusion/mptsas.c linux-2.6.35.7/drivers static inline struct sas_port * mptsas_get_port(struct mptsas_phyinfo *phy_info) { +diff -urNp linux-2.6.35.7/drivers/message/fusion/mptscsih.c linux-2.6.35.7/drivers/message/fusion/mptscsih.c +--- linux-2.6.35.7/drivers/message/fusion/mptscsih.c 2010-09-26 17:32:11.000000000 -0400 ++++ linux-2.6.35.7/drivers/message/fusion/mptscsih.c 2010-10-11 22:41:44.000000000 -0400 +@@ -1244,15 +1244,16 @@ mptscsih_info(struct Scsi_Host *SChost) + + h = shost_priv(SChost); + +- if (h) { +- if (h->info_kbuf == NULL) +- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL) +- return h->info_kbuf; +- h->info_kbuf[0] = '\0'; ++ if (!h) ++ return NULL; + +- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0); +- h->info_kbuf[size-1] = '\0'; +- } ++ if (h->info_kbuf == NULL) ++ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL) ++ return h->info_kbuf; ++ h->info_kbuf[0] = '\0'; ++ ++ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0); ++ h->info_kbuf[size-1] = '\0'; + + return h->info_kbuf; + } diff -urNp linux-2.6.35.7/drivers/message/i2o/i2o_proc.c linux-2.6.35.7/drivers/message/i2o/i2o_proc.c --- linux-2.6.35.7/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400 
@@ -28017,6 +28145,18 @@ diff -urNp linux-2.6.35.7/drivers/staging/vme/devices/vme_user.c linux-2.6.35.7/ .open = vme_user_open, .release = vme_user_release, .read = vme_user_read, +diff -urNp linux-2.6.35.7/drivers/usb/atm/cxacru.c linux-2.6.35.7/drivers/usb/atm/cxacru.c +--- linux-2.6.35.7/drivers/usb/atm/cxacru.c 2010-09-20 17:33:09.000000000 -0400 ++++ linux-2.6.35.7/drivers/usb/atm/cxacru.c 2010-10-11 22:41:44.000000000 -0400 +@@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c + ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp); + if (ret < 2) + return -EINVAL; +- if (index < 0 || index > 0x7f) ++ if (index > 0x7f) + return -EINVAL; + pos += tmp; + diff -urNp linux-2.6.35.7/drivers/usb/atm/usbatm.c linux-2.6.35.7/drivers/usb/atm/usbatm.c --- linux-2.6.35.7/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400 @@ -29879,8 +30019,24 @@ diff -urNp linux-2.6.35.7/fs/block_dev.c linux-2.6.35.7/fs/block_dev.c return false; /* is a partition of a held device */ diff -urNp linux-2.6.35.7/fs/btrfs/ctree.c linux-2.6.35.7/fs/btrfs/ctree.c --- linux-2.6.35.7/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/fs/btrfs/ctree.c 2010-09-17 20:12:09.000000000 -0400 -@@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran ++++ linux-2.6.35.7/fs/btrfs/ctree.c 2010-10-11 22:41:44.000000000 -0400 +@@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st + free_extent_buffer(buf); + add_root_to_dirty_list(root); + } else { +- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) +- parent_start = parent->start; +- else ++ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) { ++ if (parent) ++ parent_start = parent->start; ++ else ++ parent_start = 0; ++ } else + parent_start = 0; + + WARN_ON(trans->transid != btrfs_header_generation(parent)); +@@ -3763,7 +3766,6 @@ setup_items_for_insert(struct btrfs_tran ret = 0; if (slot == 0) { 
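Review bot: The added `if (parent)` guard in `__btrfs_cow_block()` covers only the read of `parent->start`; the `WARN_ON(trans->transid != btrfs_header_generation(parent));` that follows in the same else-branch still passes `parent` unconditionally, so a NULL parent would presumably still be dereferenced there. Either the guard is unnecessary or it has to cover the later uses as well, for example `BUG_ON(!parent);` at the top of the branch if a NULL parent is never valid on this path. The rest of the branch lies outside the hunk, so any further uses of `parent` cannot be checked from here.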
@@ -30014,6 +30170,18 @@ diff -urNp linux-2.6.35.7/fs/btrfs/inode.c linux-2.6.35.7/fs/btrfs/inode.c .fill_delalloc = run_delalloc_range, .submit_bio_hook = btrfs_submit_bio_hook, .merge_bio_hook = btrfs_merge_bio_hook, +diff -urNp linux-2.6.35.7/fs/btrfs/relocation.c linux-2.6.35.7/fs/btrfs/relocation.c +--- linux-2.6.35.7/fs/btrfs/relocation.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/fs/btrfs/relocation.c 2010-10-11 22:41:44.000000000 -0400 +@@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt + } + spin_unlock(&rc->reloc_root_tree.lock); + +- BUG_ON((struct btrfs_root *)node->data != root); ++ BUG_ON(!node || (struct btrfs_root *)node->data != root); + + if (!del) { + spin_lock(&rc->reloc_root_tree.lock); diff -urNp linux-2.6.35.7/fs/cachefiles/bind.c linux-2.6.35.7/fs/cachefiles/bind.c --- linux-2.6.35.7/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400 
@@ -30084,6 +30252,27 @@ diff -urNp linux-2.6.35.7/fs/cachefiles/rdwr.c linux-2.6.35.7/fs/cachefiles/rdwr set_fs(old_fs); kunmap(page); if (ret != len) +diff -urNp linux-2.6.35.7/fs/ceph/dir.c linux-2.6.35.7/fs/ceph/dir.c +--- linux-2.6.35.7/fs/ceph/dir.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/fs/ceph/dir.c 2010-10-11 22:41:44.000000000 -0400 +@@ -228,7 +228,7 @@ static int ceph_readdir(struct file *fil + struct ceph_client *client = ceph_inode_to_client(inode); + struct ceph_mds_client *mdsc = &client->mdsc; + unsigned frag = fpos_frag(filp->f_pos); +- int off = fpos_off(filp->f_pos); ++ unsigned int off = fpos_off(filp->f_pos); + int err; + u32 ftype; + struct ceph_mds_reply_info_parsed *rinfo; +@@ -357,7 +357,7 @@ more: + rinfo = &fi->last_readdir->r_reply_info; + dout("readdir frag %x num %d off %d chunkoff %d\n", frag, + rinfo->dir_nr, off, fi->offset); +- while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) { ++ while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) { + u64 pos = ceph_make_fpos(frag, off); + struct ceph_mds_reply_inode *in = + rinfo->dir_in[off - fi->offset].in; diff -urNp linux-2.6.35.7/fs/cifs/cifs_uniupr.h linux-2.6.35.7/fs/cifs/cifs_uniupr.h --- linux-2.6.35.7/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400 @@ -30127,7 +30316,16 @@ diff -urNp linux-2.6.35.7/fs/compat_binfmt_elf.c linux-2.6.35.7/fs/compat_binfmt /* diff -urNp linux-2.6.35.7/fs/compat.c linux-2.6.35.7/fs/compat.c --- linux-2.6.35.7/fs/compat.c 2010-09-26 17:32:11.000000000 -0400 -+++ linux-2.6.35.7/fs/compat.c 2010-09-21 20:51:20.000000000 -0400 ++++ linux-2.6.35.7/fs/compat.c 2010-10-11 22:41:44.000000000 -0400 +@@ -590,7 +590,7 @@ ssize_t compat_rw_copy_check_uvector(int + goto out; + + ret = -EINVAL; +- if (nr_segs > UIO_MAXIOV || nr_segs < 0) ++ if (nr_segs > UIO_MAXIOV) + goto out; + if (nr_segs > fast_segs) { + ret = -ENOMEM; 
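Review bot: `off` in `ceph_readdir()` becomes `unsigned int`, but the `dout("readdir frag %x num %d off %d chunkoff %d\n", ...)` call kept as context still prints it with `%d`; the specifier should be `%u` to match the new type. The rewritten loop condition `off >= fi->offset && off - fi->offset < rinfo->dir_nr` now compares an unsigned value with `fi->offset` and `rinfo->dir_nr`, both declared outside the hunk. If either is signed it is converted to unsigned for the comparison, so it is worth confirming that neither can be negative.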
@@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc, if (!kmapped_page || kpos != (pos & PAGE_MASK)) { struct page *page; @@ -30227,6 +30425,18 @@ diff -urNp linux-2.6.35.7/fs/compat.c linux-2.6.35.7/fs/compat.c out: if (bprm->mm) mmput(bprm->mm); +diff -urNp linux-2.6.35.7/fs/compat_ioctl.c linux-2.6.35.7/fs/compat_ioctl.c +--- linux-2.6.35.7/fs/compat_ioctl.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/fs/compat_ioctl.c 2010-10-11 22:41:44.000000000 -0400 +@@ -227,6 +227,8 @@ static int do_video_set_spu_palette(unsi + + err = get_user(palp, &up->palette); + err |= get_user(length, &up->length); ++ if (err) ++ return -EFAULT; + + up_native = compat_alloc_user_space(sizeof(struct video_spu_palette)); + err = put_user(compat_ptr(palp), &up_native->palette); diff -urNp linux-2.6.35.7/fs/debugfs/inode.c linux-2.6.35.7/fs/debugfs/inode.c --- linux-2.6.35.7/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400 
@@ -32364,6 +32574,18 @@ diff -urNp linux-2.6.35.7/fs/nls/nls_base.c linux-2.6.35.7/fs/nls/nls_base.c }; #define UNICODE_MAX 0x0010ffff +diff -urNp linux-2.6.35.7/fs/ntfs/dir.c linux-2.6.35.7/fs/ntfs/dir.c +--- linux-2.6.35.7/fs/ntfs/dir.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/fs/ntfs/dir.c 2010-10-11 22:41:44.000000000 -0400 +@@ -1329,7 +1329,7 @@ find_next_index_buffer: + ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK & + ~(s64)(ndir->itype.index.block_size - 1))); + /* Bounds checks. */ +- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) { ++ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) { + ntfs_error(sb, "Out of bounds check failed. Corrupt directory " + "inode 0x%lx or driver bug.", vdir->i_ino); + goto err_out; diff -urNp linux-2.6.35.7/fs/ntfs/file.c linux-2.6.35.7/fs/ntfs/file.c --- linux-2.6.35.7/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400 @@ -32634,7 +32856,16 @@ diff -urNp linux-2.6.35.7/fs/open.c linux-2.6.35.7/fs/open.c newattrs.ia_valid |= ATTR_UID; diff -urNp linux-2.6.35.7/fs/pipe.c linux-2.6.35.7/fs/pipe.c --- linux-2.6.35.7/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/fs/pipe.c 2010-09-17 20:12:37.000000000 -0400 ++++ linux-2.6.35.7/fs/pipe.c 2010-10-11 22:41:44.000000000 -0400 +@@ -382,7 +382,7 @@ pipe_read(struct kiocb *iocb, const stru + error = ops->confirm(pipe, buf); + if (error) { + if (!ret) +- error = ret; ++ ret = error; + break; + } + @@ -420,9 +420,9 @@ redo: } if (bufs) /* More to do? */ 
@@ -43506,7 +43737,7 @@ diff -urNp linux-2.6.35.7/include/acpi/acpi_drivers.h linux-2.6.35.7/include/acp return -ENODEV; diff -urNp linux-2.6.35.7/include/asm-generic/atomic-long.h linux-2.6.35.7/include/asm-generic/atomic-long.h --- linux-2.6.35.7/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/include/asm-generic/atomic-long.h 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.7/include/asm-generic/atomic-long.h 2010-10-11 22:41:44.000000000 -0400 @@ -22,6 +22,12 @@ typedef atomic64_t atomic_long_t; @@ -43725,7 +43956,7 @@ diff -urNp linux-2.6.35.7/include/asm-generic/atomic-long.h linux-2.6.35.7/inclu static inline long atomic_long_dec_return(atomic_long_t *l) { atomic_t *v = (atomic_t *)l; -@@ -255,4 +375,37 @@ static inline long atomic_long_add_unles +@@ -255,4 +375,39 @@ static inline long atomic_long_add_unles #endif /* BITS_PER_LONG == 64 */ @@ -43738,6 +43969,7 @@ diff -urNp linux-2.6.35.7/include/asm-generic/atomic-long.h linux-2.6.35.7/inclu + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL); + atomic_inc_unchecked((atomic_unchecked_t *)NULL); + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL); ++ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL); + + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL); + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0); @@ -43753,6 +43985,7 @@ diff -urNp linux-2.6.35.7/include/asm-generic/atomic-long.h linux-2.6.35.7/inclu +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v)) +#define atomic_inc_unchecked(v) atomic_inc(v) +#define atomic_inc_return_unchecked(v) atomic_inc_return(v) ++#define atomic_add_return_unchecked(v) atomic_add_return(v) + +#define atomic_long_read_unchecked(v) atomic_long_read(v) +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i)) 
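Review bot: The fallback `#define atomic_add_return_unchecked(v) atomic_add_return(v)` takes one parameter, but every use visible in this patch passes two: `atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL)` in the preceding hunk of this file, `atomic_add_return_unchecked(more, &p->ip_id_count)` in include/net/inetpeer.h, and the sparc64 inline `atomic_add_return_unchecked(int i, atomic_unchecked_t *v)`. In a configuration that selects this macro branch those call sites would fail to preprocess, so the definition should be `#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))`, in line with the neighbouring `atomic_sub_unchecked(i, v)`. The preprocessor conditional that selects this branch is outside the hunk.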
@@ -46185,6 +46418,27 @@ diff -urNp linux-2.6.35.7/include/linux/moduleloader.h linux-2.6.35.7/include/li /* Apply the given relocation to the (simplified) ELF. Return -error or 0. */ int apply_relocate(Elf_Shdr *sechdrs, +diff -urNp linux-2.6.35.7/include/linux/moduleparam.h linux-2.6.35.7/include/linux/moduleparam.h +--- linux-2.6.35.7/include/linux/moduleparam.h 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/include/linux/moduleparam.h 2010-10-11 22:41:44.000000000 -0400 +@@ -132,7 +132,7 @@ struct kparam_array + + /* Actually copy string: maxlen param is usually sizeof(string). */ + #define module_param_string(name, string, len, perm) \ +- static const struct kparam_string __param_string_##name \ ++ static const struct kparam_string __param_string_##name __used \ + = { len, string }; \ + __module_param_call(MODULE_PARAM_PREFIX, name, \ + param_set_copystring, param_get_string, \ +@@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe + + /* Comma-separated array: *nump is set to number they actually specified. */ + #define module_param_array_named(name, array, type, nump, perm) \ +- static const struct kparam_array __param_arr_##name \ ++ static const struct kparam_array __param_arr_##name __used \ + = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\ + sizeof(array[0]), array }; \ + __module_param_call(MODULE_PARAM_PREFIX, name, \ diff -urNp linux-2.6.35.7/include/linux/namei.h linux-2.6.35.7/include/linux/namei.h --- linux-2.6.35.7/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400 
@@ -47178,6 +47432,29 @@ diff -urNp linux-2.6.35.7/include/linux/vmstat.h linux-2.6.35.7/include/linux/vm } static inline void __dec_zone_page_state(struct page *page, +diff -urNp linux-2.6.35.7/include/net/inetpeer.h linux-2.6.35.7/include/net/inetpeer.h +--- linux-2.6.35.7/include/net/inetpeer.h 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/include/net/inetpeer.h 2010-10-11 22:41:44.000000000 -0400 +@@ -22,8 +22,8 @@ struct inet_peer { + __u32 dtime; /* the time of last use of not + * referenced entries */ + atomic_t refcnt; +- atomic_t rid; /* Frag reception counter */ +- atomic_t ip_id_count; /* IP ID for the next packet */ ++ atomic_unchecked_t rid; /* Frag reception counter */ ++ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */ + __u32 tcp_ts; + __u32 tcp_ts_stamp; + }; +@@ -40,7 +40,7 @@ extern void inet_putpeer(struct inet_pee + static inline __u16 inet_getid(struct inet_peer *p, int more) + { + more++; +- return atomic_add_return(more, &p->ip_id_count) - more; ++ return atomic_add_return_unchecked(more, &p->ip_id_count) - more; + } + + #endif /* _NET_INETPEER_H */ diff -urNp linux-2.6.35.7/include/net/irda/ircomm_tty.h linux-2.6.35.7/include/net/irda/ircomm_tty.h --- linux-2.6.35.7/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400 @@ -47646,7 +47923,7 @@ diff -urNp linux-2.6.35.7/init/Kconfig linux-2.6.35.7/init/Kconfig also breaks ancient binaries (including anything libc5 based). diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c --- linux-2.6.35.7/init/main.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/init/main.c 2010-09-17 20:12:37.000000000 -0400 ++++ linux-2.6.35.7/init/main.c 2010-10-11 22:41:44.000000000 -0400 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void) #ifdef CONFIG_TC extern void tc_init(void); 
@@ -47655,7 +47932,7 @@ diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c enum system_states system_state __read_mostly; EXPORT_SYMBOL(system_state); -@@ -200,6 +201,50 @@ static int __init set_reset_devices(char +@@ -200,6 +201,47 @@ static int __init set_reset_devices(char __setup("reset_devices", set_reset_devices); @@ -47679,11 +47956,8 @@ diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory"); + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory"); +#else -+ char *p; -+ p = (char *)pax_enter_kernel_user; -+ *p = 0xc3; -+ p = (char *)pax_exit_kernel_user; -+ *p = 0xc3; ++ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1); ++ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1); + clone_pgd_mask = ~(pgdval_t)0UL; +#endif + @@ -47706,7 +47980,7 @@ diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; static const char *panic_later, *panic_param; -@@ -725,52 +770,53 @@ int initcall_debug; +@@ -725,52 +767,53 @@ int initcall_debug; core_param(initcall_debug, initcall_debug, bool, 0644); static char msgbuf[64]; @@ -47776,7 +48050,7 @@ diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c } -@@ -902,7 +948,7 @@ static int __init kernel_init(void * unu +@@ -902,7 +945,7 @@ static int __init kernel_init(void * unu do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ @@ -47785,7 +48059,7 @@ diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c printk(KERN_WARNING "Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -915,11 +961,13 @@ static int __init kernel_init(void * unu +@@ -915,11 +958,13 @@ static int __init kernel_init(void * unu if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; 
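Review bot: The `#else` branch in the init/main.c hunk overwrites the first byte of `pax_enter_kernel_user` and `pax_exit_kernel_user` with a bare `0xc3`, and neither the constant nor the precondition is documented. `0xc3` is the x86 near-`ret` opcode, so both routines become immediate returns; a comment like `/* 0xc3 = ret: stub out the enter/exit hooks */` above the two `memcpy` calls would say so. The write also depends on kernel text still being writable at this point in boot, which the hunk does not show and which should be stated next to it. The enclosing function starts and ends outside the hunk.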
@@ -49665,9 +49939,21 @@ diff -urNp linux-2.6.35.7/kernel/resource.c linux-2.6.35.7/kernel/resource.c return 0; } __initcall(ioresources_init); +diff -urNp linux-2.6.35.7/kernel/rtmutex.c linux-2.6.35.7/kernel/rtmutex.c +--- linux-2.6.35.7/kernel/rtmutex.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/kernel/rtmutex.c 2010-10-11 22:41:44.000000000 -0400 +@@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt + */ + raw_spin_lock_irqsave(&pendowner->pi_lock, flags); + +- WARN_ON(!pendowner->pi_blocked_on); ++ BUG_ON(!pendowner->pi_blocked_on); + WARN_ON(pendowner->pi_blocked_on != waiter); + WARN_ON(pendowner->pi_blocked_on->lock != lock); + diff -urNp linux-2.6.35.7/kernel/sched.c linux-2.6.35.7/kernel/sched.c --- linux-2.6.35.7/kernel/sched.c 2010-09-26 17:32:11.000000000 -0400 -+++ linux-2.6.35.7/kernel/sched.c 2010-09-26 17:32:50.000000000 -0400 ++++ linux-2.6.35.7/kernel/sched.c 2010-10-11 22:41:44.000000000 -0400 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -49695,6 +49981,15 @@ diff -urNp linux-2.6.35.7/kernel/sched.c linux-2.6.35.7/kernel/sched.c /* can't set/change the rt policy */ if (policy != p->policy && !rlim_rtprio) return -EPERM; +@@ -6588,7 +6592,7 @@ static void init_sched_groups_power(int + long power; + int weight; + +- WARN_ON(!sd || !sd->groups); ++ BUG_ON(!sd || !sd->groups); + + if (cpu != group_first_cpu(sd->groups)) + return; diff -urNp linux-2.6.35.7/kernel/sched_fair.c linux-2.6.35.7/kernel/sched_fair.c --- linux-2.6.35.7/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400 
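Review bot: `BUG_ON(!pendowner->pi_blocked_on)` in `wakeup_next_waiter` turns a warning into a fatal assertion inside the `raw_spin_lock_irqsave(&pendowner->pi_lock, flags)` section, so whatever context trips it stops with that lock held and interrupts disabled. The escalation looks deliberate, since the next two lines dereference `pendowner->pi_blocked_on`, but the reason is not written down; I would add `/* fatal: pi_blocked_on is dereferenced just below */` above it. The same WARN_ON-to-BUG_ON change appears in the kernel/sched.c hunk (`init_sched_groups_power`, where `sd->groups` is used on the following line) and in the lib/kref.c hunk (`kref_put`, `release == NULL`), and each deserves the same one-line justification. All three functions continue outside their hunks.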
@@ -50008,7 +50303,7 @@ diff -urNp linux-2.6.35.7/kernel/sys.c linux-2.6.35.7/kernel/sys.c } diff -urNp linux-2.6.35.7/kernel/sysctl.c linux-2.6.35.7/kernel/sysctl.c --- linux-2.6.35.7/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/kernel/sysctl.c 2010-10-10 15:59:25.000000000 -0400 ++++ linux-2.6.35.7/kernel/sysctl.c 2010-10-11 22:41:44.000000000 -0400 @@ -78,6 +78,13 @@ @@ -50124,6 +50419,19 @@ diff -urNp linux-2.6.35.7/kernel/sysctl.c linux-2.6.35.7/kernel/sysctl.c unsigned long val; if (write) { +@@ -2506,8 +2563,11 @@ static int __do_proc_doulongvec_minmax(v + *i = val; + } else { + val = convdiv * (*i) / convmul; +- if (!first) ++ if (!first) { + err = proc_put_char(&buffer, &left, '\t'); ++ if (err) ++ break; ++ } + err = proc_put_long(&buffer, &left, val, false); + if (err) + break; diff -urNp linux-2.6.35.7/kernel/taskstats.c linux-2.6.35.7/kernel/taskstats.c --- linux-2.6.35.7/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400 @@ -50437,6 +50745,18 @@ diff -urNp linux-2.6.35.7/lib/Kconfig.debug linux-2.6.35.7/lib/Kconfig.debug help Enable this option if you want to use the LatencyTOP tool to find out which userspace is blocking on what kernel operations. +diff -urNp linux-2.6.35.7/lib/kref.c linux-2.6.35.7/lib/kref.c +--- linux-2.6.35.7/lib/kref.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/lib/kref.c 2010-10-11 22:41:44.000000000 -0400 +@@ -52,7 +52,7 @@ void kref_get(struct kref *kref) + */ + int kref_put(struct kref *kref, void (*release)(struct kref *kref)) + { +- WARN_ON(release == NULL); ++ BUG_ON(release == NULL); + WARN_ON(release == (void (*)(struct kref *))kfree); + + if (atomic_dec_and_test(&kref->refcount)) { diff -urNp linux-2.6.35.7/lib/parser.c linux-2.6.35.7/lib/parser.c --- linux-2.6.35.7/lib/parser.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/lib/parser.c 2010-09-17 20:12:09.000000000 -0400 
@@ -50813,7 +51133,7 @@ diff -urNp linux-2.6.35.7/mm/madvise.c linux-2.6.35.7/mm/madvise.c goto out; diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c --- linux-2.6.35.7/mm/memory.c 2010-09-26 17:32:11.000000000 -0400 -+++ linux-2.6.35.7/mm/memory.c 2010-09-26 17:32:50.000000000 -0400 ++++ linux-2.6.35.7/mm/memory.c 2010-10-11 22:41:44.000000000 -0400 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct return; @@ -50827,12 +51147,12 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c } static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, -@@ -292,8 +296,12 @@ static inline void free_pud_range(struct +@@ -291,9 +295,12 @@ static inline void free_pud_range(struct + if (end - 1 > ceiling - 1) return; - pud = pud_offset(pgd, start); -+ +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD) + pud = pud_offset(pgd, start); pgd_clear(pgd); pud_free_tlb(tlb, pud, start); +#endif @@ -50840,7 +51160,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c } /* -@@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct +@@ -1363,10 +1370,10 @@ int __get_user_pages(struct task_struct (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE); i = 0; @@ -50853,7 +51173,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c if (!vma && in_gate_area(tsk, start)) { unsigned long pg = start & PAGE_MASK; struct vm_area_struct *gate_vma = get_gate_vma(tsk); -@@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct +@@ -1418,7 +1425,7 @@ int __get_user_pages(struct task_struct continue; } @@ -50862,7 +51182,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c (vma->vm_flags & (VM_IO | VM_PFNMAP)) || !(vm_flags & vma->vm_flags)) return i ? : -EFAULT; -@@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct +@@ -1493,7 +1500,7 @@ int __get_user_pages(struct task_struct start += PAGE_SIZE; nr_pages--; } while (nr_pages && start < vma->vm_end); 
@@ -50871,7 +51191,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c return i; } -@@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct +@@ -2089,6 +2096,186 @@ static inline void cow_user_page(struct copy_user_highpage(dst, src, va, vma); } @@ -51058,7 +51378,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2275,6 +2463,12 @@ gotten: +@@ -2275,6 +2462,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -51071,7 +51391,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2326,6 +2520,10 @@ gotten: +@@ -2326,6 +2519,10 @@ gotten: page_remove_rmap(old_page); } @@ -51082,7 +51402,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -2749,19 +2947,12 @@ static int do_swap_page(struct mm_struct +@@ -2749,19 +2946,12 @@ static int do_swap_page(struct mm_struct swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -51107,7 +51427,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c if (flags & FAULT_FLAG_WRITE) { ret |= do_wp_page(mm, vma, address, page_table, pmd, ptl, pte); -@@ -2772,6 +2963,11 @@ static int do_swap_page(struct mm_struct +@@ -2772,6 +2962,11 @@ static int do_swap_page(struct mm_struct /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); 
@@ -51119,7 +51439,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -2783,48 +2979,10 @@ out_page: +@@ -2783,48 +2978,10 @@ out_page: unlock_page(page); out_release: page_cache_release(page); @@ -51168,7 +51488,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -2833,27 +2991,23 @@ static int do_anonymous_page(struct mm_s +@@ -2833,27 +2990,23 @@ static int do_anonymous_page(struct mm_s unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -51201,7 +51521,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -2872,6 +3026,11 @@ static int do_anonymous_page(struct mm_s +@@ -2872,6 +3025,11 @@ static int do_anonymous_page(struct mm_s if (!pte_none(*page_table)) goto release; @@ -51213,7 +51533,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -2879,6 +3038,12 @@ setpte: +@@ -2879,6 +3037,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -51226,7 +51546,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3021,6 +3186,12 @@ static int __do_fault(struct mm_struct * +@@ -3021,6 +3185,12 @@ static int __do_fault(struct mm_struct * */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { 
@@ -51239,7 +51559,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -3040,6 +3211,14 @@ static int __do_fault(struct mm_struct * +@@ -3040,6 +3210,14 @@ static int __do_fault(struct mm_struct * /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, page_table); @@ -51254,7 +51574,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c } else { if (charged) mem_cgroup_uncharge_page(page); -@@ -3187,6 +3366,12 @@ static inline int handle_pte_fault(struc +@@ -3187,6 +3365,12 @@ static inline int handle_pte_fault(struc if (flags & FAULT_FLAG_WRITE) flush_tlb_page(vma, address); } @@ -51267,7 +51587,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3203,6 +3388,10 @@ int handle_mm_fault(struct mm_struct *mm +@@ -3203,6 +3387,10 @@ int handle_mm_fault(struct mm_struct *mm pmd_t *pmd; pte_t *pte; @@ -51278,7 +51598,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3213,6 +3402,34 @@ int handle_mm_fault(struct mm_struct *mm +@@ -3213,6 +3401,34 @@ int handle_mm_fault(struct mm_struct *mm if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -51313,7 +51633,7 @@ diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3310,7 +3527,7 @@ static int __init gate_vma_init(void) +@@ -3310,7 +3526,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; 
@@ -54330,6 +54650,18 @@ diff -urNp linux-2.6.35.7/net/atm/resources.c linux-2.6.35.7/net/atm/resources.c __AAL_STAT_ITEMS #undef __HANDLE_ITEM } +diff -urNp linux-2.6.35.7/net/bridge/br_multicast.c linux-2.6.35.7/net/bridge/br_multicast.c +--- linux-2.6.35.7/net/bridge/br_multicast.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/net/bridge/br_multicast.c 2010-10-11 22:41:44.000000000 -0400 +@@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct + nexthdr = ip6h->nexthdr; + offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr); + +- if (offset < 0 || nexthdr != IPPROTO_ICMPV6) ++ if (nexthdr != IPPROTO_ICMPV6) + return 0; + + /* Okay, we found ICMPv6 header */ diff -urNp linux-2.6.35.7/net/bridge/br_stp_if.c linux-2.6.35.7/net/bridge/br_stp_if.c --- linux-2.6.35.7/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400 
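Review bot: Dropping `offset < 0` in `br_multicast_ipv6_rcv` leaves the `nexthdr != IPPROTO_ICMPV6` comparison as the only guard against a failed `ipv6_skip_exthdr()` call. That is safe only if the helper never reports failure while `nexthdr` equals `IPPROTO_ICMPV6`, which cannot be confirmed from this hunk. If the comparison was removed because `offset` is declared unsigned (the declaration is outside the hunk) and the test was therefore always false, the clearer fix is to declare `int offset;` and keep `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)`. Then a negative return is rejected explicitly before `offset` is used to locate the ICMPv6 header.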
@@ -54496,6 +54828,32 @@ diff -urNp linux-2.6.35.7/net/ipv4/inet_hashtables.c linux-2.6.35.7/net/ipv4/ine if (tw) { inet_twsk_deschedule(tw, death_row); while (twrefcnt) { +diff -urNp linux-2.6.35.7/net/ipv4/inetpeer.c linux-2.6.35.7/net/ipv4/inetpeer.c +--- linux-2.6.35.7/net/ipv4/inetpeer.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/net/ipv4/inetpeer.c 2010-10-11 22:41:44.000000000 -0400 +@@ -386,8 +386,8 @@ struct inet_peer *inet_getpeer(__be32 da + return NULL; + n->v4daddr = daddr; + atomic_set(&n->refcnt, 1); +- atomic_set(&n->rid, 0); +- atomic_set(&n->ip_id_count, secure_ip_id(daddr)); ++ atomic_set_unchecked(&n->rid, 0); ++ atomic_set_unchecked(&n->ip_id_count, secure_ip_id(daddr)); + n->tcp_ts_stamp = 0; + + write_lock_bh(&peer_pool_lock); +diff -urNp linux-2.6.35.7/net/ipv4/ip_fragment.c linux-2.6.35.7/net/ipv4/ip_fragment.c +--- linux-2.6.35.7/net/ipv4/ip_fragment.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/net/ipv4/ip_fragment.c 2010-10-11 22:41:44.000000000 -0400 +@@ -282,7 +282,7 @@ static inline int ip_frag_too_far(struct + return 0; + + start = qp->rid; +- end = atomic_inc_return(&peer->rid); ++ end = atomic_inc_return_unchecked(&peer->rid); + qp->rid = end; + + rc = qp->q.fragments && (end - start) > max; diff -urNp linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c --- linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400 
@@ -54508,6 +54866,18 @@ diff -urNp linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.7/ if (*octets == NULL) { if (net_ratelimit()) pr_notice("OOM in bsalg (%d)\n", __LINE__); +diff -urNp linux-2.6.35.7/net/ipv4/route.c linux-2.6.35.7/net/ipv4/route.c +--- linux-2.6.35.7/net/ipv4/route.c 2010-09-26 17:32:11.000000000 -0400 ++++ linux-2.6.35.7/net/ipv4/route.c 2010-10-11 22:41:44.000000000 -0400 +@@ -2889,7 +2889,7 @@ static int rt_fill_info(struct net *net, + error = rt->u.dst.error; + expires = rt->u.dst.expires ? rt->u.dst.expires - jiffies : 0; + if (rt->peer) { +- id = atomic_read(&rt->peer->ip_id_count) & 0xffff; ++ id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff; + if (rt->peer->tcp_ts_stamp) { + ts = rt->peer->tcp_ts; + tsage = get_seconds() - rt->peer->tcp_ts_stamp; diff -urNp linux-2.6.35.7/net/ipv4/tcp_ipv4.c linux-2.6.35.7/net/ipv4/tcp_ipv4.c --- linux-2.6.35.7/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400 @@ -55257,8 +55627,19 @@ diff -urNp linux-2.6.35.7/net/netlink/af_netlink.c linux-2.6.35.7/net/netlink/af sock_i_ino(s) diff -urNp linux-2.6.35.7/net/packet/af_packet.c linux-2.6.35.7/net/packet/af_packet.c --- linux-2.6.35.7/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.7/net/packet/af_packet.c 2010-09-17 20:12:37.000000000 -0400 -@@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock ++++ linux-2.6.35.7/net/packet/af_packet.c 2010-10-11 22:41:44.000000000 -0400 +@@ -1595,8 +1595,9 @@ static int packet_recvmsg(struct kiocb * + + err = -EINVAL; + vnet_hdr_len = sizeof(vnet_hdr); +- if ((len -= vnet_hdr_len) < 0) ++ if (len < vnet_hdr_len) + goto out_free; ++ len -= vnet_hdr_len; + + if (skb_is_gso(skb)) { + struct skb_shared_info *sinfo = skb_shinfo(skb); +@@ -2093,7 +2094,7 @@ static int packet_getsockopt(struct sock case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); 
@@ -55267,7 +55648,7 @@ diff -urNp linux-2.6.35.7/net/packet/af_packet.c linux-2.6.35.7/net/packet/af_pa return -EFAULT; switch (val) { case TPACKET_V1: -@@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock +@@ -2125,7 +2126,7 @@ static int packet_getsockopt(struct sock if (put_user(len, optlen)) return -EFAULT; @@ -55276,7 +55657,7 @@ diff -urNp linux-2.6.35.7/net/packet/af_packet.c linux-2.6.35.7/net/packet/af_pa return -EFAULT; return 0; } -@@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi +@@ -2604,7 +2605,11 @@ static int packet_seq_show(struct seq_fi seq_printf(seq, "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n", @@ -56759,6 +57140,23 @@ diff -urNp linux-2.6.35.7/sound/oss/sb_audio.c linux-2.6.35.7/sound/oss/sb_audio if (copy_from_user(lbuf8, userbuf+useroffs + p, locallen)) +diff -urNp linux-2.6.35.7/sound/oss/soundcard.c linux-2.6.35.7/sound/oss/soundcard.c +--- linux-2.6.35.7/sound/oss/soundcard.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.7/sound/oss/soundcard.c 2010-10-11 22:44:36.000000000 -0400 +@@ -389,11 +389,11 @@ static long sound_ioctl(struct file *fil + case SND_DEV_DSP: + case SND_DEV_DSP16: + case SND_DEV_AUDIO: +- return audio_ioctl(dev, file, cmd, p); ++ ret = audio_ioctl(dev, file, cmd, p); + break; + + case SND_DEV_MIDIN: +- return MIDIbuf_ioctl(dev, file, cmd, p); ++ ret = MIDIbuf_ioctl(dev, file, cmd, p); + break; + + } diff -urNp linux-2.6.35.7/sound/pci/ac97/ac97_codec.c linux-2.6.35.7/sound/pci/ac97/ac97_codec.c --- linux-2.6.35.7/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.7/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400 |