authorAnthony G. Basile <blueness@gentoo.org>2011-10-08 09:56:07 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-10-08 09:56:07 -0400
commitdcbd363977ec7e81dc743433e3e48cd24572528e (patch)
treeb7274b8e20150143ada5e2e89d3f8c9bba723f01
parentGrsec/PaX: 2.2.2-2.6.32.46-201109261052 + 2.2.2-3.0.4-201109261052.patch (diff)
downloadhardened-patchset-dcbd363977ec7e81dc743433e3e48cd24572528e.tar.gz
hardened-patchset-dcbd363977ec7e81dc743433e3e48cd24572528e.tar.bz2
hardened-patchset-dcbd363977ec7e81dc743433e3e48cd24572528e.zip
Grsec/PaX: 2.2.2-2.6.32.46-201110061013 + 2.2.2-3.0.4-20111006042120111006
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110061013.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109261052.patch)2883
-rw-r--r--2.6.32/4425_grsec-pax-without-grsec.patch2
-rw-r--r--2.6.32/4435_grsec-kconfig-gentoo.patch21
-rw-r--r--3.0.4/0000_README2
-rw-r--r--3.0.4/4420_grsecurity-2.2.2-3.0.4-201110060421.patch (renamed from 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109261052.patch)3178
-rw-r--r--3.0.4/4435_grsec-kconfig-gentoo.patch4
7 files changed, 5234 insertions, 858 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 4cb87d7..d9050ac 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109261052.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.46-201110061013.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109261052.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110061013.patch
index bab9029..2e6cafe 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109261052.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201110061013.patch
@@ -6727,6 +6727,83 @@ diff -urNp linux-2.6.32.46/arch/x86/boot/video-vesa.c linux-2.6.32.46/arch/x86/b
}
/*
+diff -urNp linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S
+--- linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -8,6 +8,8 @@
+ * including this sentence is retained in full.
+ */
+
++#include <asm/alternative-asm.h>
++
+ .extern crypto_ft_tab
+ .extern crypto_it_tab
+ .extern crypto_fl_tab
+@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
+ je B192; \
+ leaq 32(r9),r9;
+
++#define ret pax_force_retaddr; ret
++
+ #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
+ movq r1,r2; \
+ movq r3,r4; \
+diff -urNp linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S
+--- linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -1,3 +1,5 @@
++#include <asm/alternative-asm.h>
++
+ # enter ECRYPT_encrypt_bytes
+ .text
+ .p2align 5
+@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
+ add %r11,%rsp
+ mov %rdi,%rax
+ mov %rsi,%rdx
++ pax_force_retaddr
+ ret
+ # bytesatleast65:
+ ._bytesatleast65:
+@@ -891,6 +894,7 @@ ECRYPT_keysetup:
+ add %r11,%rsp
+ mov %rdi,%rax
+ mov %rsi,%rdx
++ pax_force_retaddr
+ ret
+ # enter ECRYPT_ivsetup
+ .text
+@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
+ add %r11,%rsp
+ mov %rdi,%rax
+ mov %rsi,%rdx
++ pax_force_retaddr
+ ret
+diff -urNp linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S
+--- linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -21,6 +21,7 @@
+ .text
+
+ #include <asm/asm-offsets.h>
++#include <asm/alternative-asm.h>
+
+ #define a_offset 0
+ #define b_offset 4
+@@ -269,6 +270,7 @@ twofish_enc_blk:
+
+ popq R1
+ movq $1,%rax
++ pax_force_retaddr
+ ret
+
+ twofish_dec_blk:
+@@ -321,4 +323,5 @@ twofish_dec_blk:
+
+ popq R1
+ movq $1,%rax
++ pax_force_retaddr
+ ret
diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_aout.c linux-2.6.32.46/arch/x86/ia32/ia32_aout.c
--- linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
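Review bot: The `#define ret pax_force_retaddr; ret` added to aes-x86_64-asm_64.S instruments every later `ret` token in that file through the C preprocessor, and it does so without a comment. The salsa20 and twofish changes in the same hunk instead place `pax_force_retaddr` by hand before each `ret`, so the three files now use two different conventions. I would add a line above the define such as `/* every ret below is preceded by pax_force_retaddr */`, or call the macro inside the `epilogue` body, whose `ret` (not visible in this hunk) is presumably the one being targeted. With the redefinition in place, any `ret` added to this file later is instrumented silently, which a reader should be told.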
@@ -6933,7 +7010,34 @@ diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32entry.S linux-2.6.32.46/arch/x86/ia
cmpq $(IA32_NR_syscalls-1),%rax
diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/ia32/ia32_signal.c
--- linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-10-06 09:37:08.000000000 -0400
+@@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
+ }
+ seg = get_fs();
+ set_fs(KERNEL_DS);
+- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
++ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
+ set_fs(seg);
+ if (ret >= 0 && uoss_ptr) {
+ if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
+@@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
+ */
+ static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+ size_t frame_size,
+- void **fpstate)
++ void __user **fpstate)
+ {
+ unsigned long sp;
+
+@@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
+
+ if (used_math()) {
+ sp = sp - sig_xstate_ia32_size;
+- *fpstate = (struct _fpstate_ia32 *) sp;
++ *fpstate = (struct _fpstate_ia32 __user *) sp;
+ if (save_i387_xstate_ia32(*fpstate) < 0)
+ return (void __user *) -1L;
+ }
@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
sp -= frame_size;
/* Align the stack pointer according to the i386 ABI,
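Review bot: The `__force_user` casts on `&uss` and `&uoss` in sys32_sigaltstack hand kernel stack objects to a parameter typed as a user pointer, and nothing at the call says that this is only sound between `set_fs(KERNEL_DS)` and `set_fs(seg)`. The definition of `__force_user` is not on this page; it looks like an address-space override for the static checker, so the cast removes the one warning that would flag a misuse. I would put `/* kernel objects passed as __user: valid only while KERNEL_DS is in effect */` above the call and break the long line after the first argument. The same comment fits the sys_ia32.c calls in the next hunk (sys_rt_sigprocmask, sys_sched_rr_get_interval, sys_rt_sigpending, sys_rt_sigqueueinfo, sys_sendfile). sys32_sigaltstack starts and ends outside the hunk.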
@@ -6948,7 +7052,7 @@ diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/
* gdb versions depend on them as a marker.
*/
- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
-+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
} put_user_catch(err);
if (err)
@@ -6979,10 +7083,88 @@ diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/
* versions need it.
*/
- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
-+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
} put_user_catch(err);
if (err)
+diff -urNp linux-2.6.32.46/arch/x86/ia32/sys_ia32.c linux-2.6.32.46/arch/x86/ia32/sys_ia32.c
+--- linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-10-06 09:37:14.000000000 -0400
+@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
+ */
+ static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
+ {
+- typeof(ubuf->st_uid) uid = 0;
+- typeof(ubuf->st_gid) gid = 0;
++ typeof(((struct stat64 *)0)->st_uid) uid = 0;
++ typeof(((struct stat64 *)0)->st_gid) gid = 0;
+ SET_UID(uid, stat->uid);
+ SET_GID(gid, stat->gid);
+ if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
+@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
+ }
+ set_fs(KERNEL_DS);
+ ret = sys_rt_sigprocmask(how,
+- set ? (sigset_t __user *)&s : NULL,
+- oset ? (sigset_t __user *)&s : NULL,
++ set ? (sigset_t __force_user *)&s : NULL,
++ oset ? (sigset_t __force_user *)&s : NULL,
+ sigsetsize);
+ set_fs(old_fs);
+ if (ret)
+@@ -371,7 +371,7 @@ asmlinkage long sys32_sched_rr_get_inter
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
++ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
+ set_fs(old_fs);
+ if (put_compat_timespec(&t, interval))
+ return -EFAULT;
+@@ -387,7 +387,7 @@ asmlinkage long sys32_rt_sigpending(comp
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
++ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
+ set_fs(old_fs);
+ if (!ret) {
+ switch (_NSIG_WORDS) {
+@@ -412,7 +412,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
+ if (copy_siginfo_from_user32(&info, uinfo))
+ return -EFAULT;
+ set_fs(KERNEL_DS);
+- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
++ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
+ set_fs(old_fs);
+ return ret;
+ }
+@@ -513,7 +513,7 @@ asmlinkage long sys32_sendfile(int out_f
+ return -EFAULT;
+
+ set_fs(KERNEL_DS);
+- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
++ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
+ count);
+ set_fs(old_fs);
+
+diff -urNp linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h
+--- linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/alternative-asm.h 2011-10-06 09:37:14.000000000 -0400
+@@ -19,4 +19,13 @@
+ .endm
+ #endif
+
++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
++ .macro pax_force_retaddr rip=0
++ btsq $63,\rip(%rsp)
++ .endm
++#else
++ .macro pax_force_retaddr rip=0
++ .endm
++#endif
++
+ #endif /* __ASSEMBLY__ */
diff -urNp linux-2.6.32.46/arch/x86/include/asm/alternative.h linux-2.6.32.46/arch/x86/include/asm/alternative.h
--- linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-04-17 15:56:46.000000000 -0400
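Review bot: The new `pax_force_retaddr` macro in alternative-asm.h is undocumented, and the meaning of its `rip` argument has to be inferred from `btsq $63,\rip(%rsp)`. As written it sets bit 63 of the quadword at `\rip(%rsp)`, and the default of 0 is only right when %rsp points at the return address, which is how the crypto call sites in this commit use it directly before `ret`. I would add a comment along the lines of `/* set bit 63 of the saved return address; rip = byte offset from %rsp to that slot */` and note that the macro expands to nothing unless CONFIG_PAX_KERNEXEC_PLUGIN is set. A caller that has pushed anything since entry must pass a non-zero offset, or the bit is set in the wrong stack slot.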
@@ -8279,6 +8461,63 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/cache.h linux-2.6.32.46/arch/x86
#ifdef CONFIG_X86_VSMP
/* vSMP Internode cacheline shift */
+diff -urNp linux-2.6.32.46/arch/x86/include/asm/calling.h linux-2.6.32.46/arch/x86/include/asm/calling.h
+--- linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-10-06 10:08:42.000000000 -0400
+@@ -52,32 +52,32 @@ For 32-bit we have the following convent
+ * for assembly code:
+ */
+
+-#define R15 0
+-#define R14 8
+-#define R13 16
+-#define R12 24
+-#define RBP 32
+-#define RBX 40
++#define R15 (0)
++#define R14 (8)
++#define R13 (16)
++#define R12 (24)
++#define RBP (32)
++#define RBX (40)
+
+ /* arguments: interrupts/non tracing syscalls only save up to here: */
+-#define R11 48
+-#define R10 56
+-#define R9 64
+-#define R8 72
+-#define RAX 80
+-#define RCX 88
+-#define RDX 96
+-#define RSI 104
+-#define RDI 112
+-#define ORIG_RAX 120 /* + error_code */
++#define R11 (48)
++#define R10 (56)
++#define R9 (64)
++#define R8 (72)
++#define RAX (80)
++#define RCX (88)
++#define RDX (96)
++#define RSI (104)
++#define RDI (112)
++#define ORIG_RAX (120) /* + error_code */
+ /* end of arguments */
+
+ /* cpu exception frame or undefined in case of fast syscall: */
+-#define RIP 128
+-#define CS 136
+-#define EFLAGS 144
+-#define RSP 152
+-#define SS 160
++#define RIP (128)
++#define CS (136)
++#define EFLAGS (144)
++#define RSP (152)
++#define SS (160)
+
+ #define ARGOFFSET R11
+ #define SWFRAME ORIG_RAX
diff -urNp linux-2.6.32.46/arch/x86/include/asm/checksum_32.h linux-2.6.32.46/arch/x86/include/asm/checksum_32.h
--- linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
@@ -8650,12 +8889,12 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h linux-2.6.32
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86/include/asm/futex.h
--- linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-10-06 09:37:08.000000000 -0400
@@ -12,16 +12,18 @@
#include <asm/system.h>
#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
-+ typecheck(u32 *, uaddr); \
++ typecheck(u32 __user *, uaddr); \
asm volatile("1:\t" insn "\n" \
"2:\t.section .fixup,\"ax\"\n" \
"3:\tmov\t%3, %1\n" \
@@ -8663,11 +8902,11 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86
"\t.previous\n" \
_ASM_EXTABLE(1b, 3b) \
- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
-+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
++ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
: "i" (-EFAULT), "0" (oparg), "1" (0))
#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
-+ typecheck(u32 *, uaddr); \
++ typecheck(u32 __user *, uaddr); \
asm volatile("1:\tmovl %2, %0\n" \
"\tmovl\t%0, %3\n" \
"\t" insn "\n" \
@@ -8676,7 +8915,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86
_ASM_EXTABLE(2b, 4b) \
: "=&a" (oldval), "=&r" (ret), \
- "+m" (*uaddr), "=&r" (tem) \
-+ "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
++ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
: "r" (oparg), "i" (-EFAULT), "1" (0))
-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
@@ -9273,7 +9512,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu.h linux-2.6.32.46/arch/x86/i
#ifdef CONFIG_SMP
diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x86/include/asm/module.h
--- linux-2.6.32.46/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/module.h 2011-04-23 13:18:57.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/module.h 2011-10-06 09:45:50.000000000 -0400
@@ -5,6 +5,7 @@
#ifdef CONFIG_X86_64
@@ -9282,7 +9521,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x8
#elif defined CONFIG_M386
#define MODULE_PROC_FAMILY "386 "
#elif defined CONFIG_M486
-@@ -59,13 +60,36 @@
+@@ -59,13 +60,42 @@
#error unknown processor family
#endif
@@ -9293,6 +9532,12 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x8
-# define MODULE_STACKSIZE ""
-# endif
-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
++#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
++#define MODULE_STACKSIZE "4KSTACKS "
++#else
++#define MODULE_STACKSIZE ""
+ #endif
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+#define MODULE_PAX_UDEREF "UDEREF "
+#else
@@ -9309,12 +9554,12 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x8
+#define MODULE_PAX_REFCOUNT "REFCOUNT "
+#else
+#define MODULE_PAX_REFCOUNT ""
- #endif
-
-+#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
-+#define MODULE_STACKSIZE "4KSTACKS "
++#endif
++
++#ifdef CONSTIFY_PLUGIN
++#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
+#else
-+#define MODULE_STACKSIZE ""
++#define MODULE_CONSTIFY_PLUGIN ""
+#endif
+
+#ifdef CONFIG_GRKERNSEC
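Review bot: `#ifdef CONSTIFY_PLUGIN` tests a macro without the `CONFIG_` prefix that the neighbouring vermagic switches use (`CONFIG_PAX_MEMORY_UDEREF`, `CONFIG_GRKERNSEC`), so it is not a Kconfig symbol and its origin is not visible on this page. Presumably the build defines it on the compiler command line when the constify gcc plugin is active. If it is not defined wherever module.h is preprocessed, `MODULE_CONSTIFY_PLUGIN` silently becomes `""` and the vermagic string extended in the next hunk no longer separates plugin and non-plugin modules. I would add `/* CONSTIFY_PLUGIN comes from the build flags when the gcc plugin is enabled, not from Kconfig */` above the test, once that origin is confirmed.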
@@ -9323,7 +9568,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x8
+#define MODULE_GRSEC ""
+#endif
+
-+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN
+
#endif /* _ASM_X86_MODULE_H */
diff -urNp linux-2.6.32.46/arch/x86/include/asm/page_64_types.h linux-2.6.32.46/arch/x86/include/asm/page_64_types.h
@@ -10313,8 +10558,8 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/rwsem.h linux-2.6.32.46/arch/x86
diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x86/include/asm/segment.h
--- linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-04-17 15:56:46.000000000 -0400
-@@ -62,8 +62,8 @@
++++ linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-10-06 09:37:08.000000000 -0400
+@@ -62,10 +62,15 @@
* 26 - ESPFIX small SS
* 27 - per-cpu [ offset to per-cpu data area ]
* 28 - stack_canary-20 [ for stack protector ]
@@ -10324,8 +10569,15 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
+ * 30 - PCI BIOS DS
* 31 - TSS for double fault handler
*/
++#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
++#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
++#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
++#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
++
#define GDT_ENTRY_TLS_MIN 6
-@@ -77,6 +77,8 @@
+ #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
+
+@@ -77,6 +82,8 @@
#define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
@@ -10334,7 +10586,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
#define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
#define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
-@@ -88,7 +90,7 @@
+@@ -88,7 +95,7 @@
#define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
#define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
@@ -10343,7 +10595,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
#ifdef CONFIG_SMP
#define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
#else
-@@ -102,6 +104,12 @@
+@@ -102,6 +109,12 @@
#define __KERNEL_STACK_CANARY 0
#endif
@@ -10356,7 +10608,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
#define GDT_ENTRY_DOUBLEFAULT_TSS 31
/*
-@@ -139,7 +147,7 @@
+@@ -139,7 +152,7 @@
*/
/* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
@@ -10365,7 +10617,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
#else
-@@ -163,6 +171,8 @@
+@@ -163,6 +176,8 @@
#define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
#define __USER32_DS __USER_DS
@@ -10374,7 +10626,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x
#define GDT_ENTRY_TSS 8 /* needs two entries */
#define GDT_ENTRY_LDT 10 /* needs two entries */
#define GDT_ENTRY_TLS_MIN 12
-@@ -183,6 +193,7 @@
+@@ -183,6 +198,7 @@
#endif
#define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
@@ -10858,7 +11110,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h linux-2.6.32.46/arc
long __must_check __strncpy_from_user(char *dst,
diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h
--- linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-10-06 09:37:08.000000000 -0400
@@ -9,6 +9,9 @@
#include <linux/prefetch.h>
#include <linux/lockdep.h>
@@ -10906,7 +11158,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
-+ return copy_user_generic(dst, (__force const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
+ }
switch (size) {
- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
@@ -10955,7 +11207,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
-+ return copy_user_generic(dst, (__force const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
}
}
@@ -10968,6 +11220,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
might_fault();
- if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst, src, size);
+
+ pax_track_stack();
+
@@ -10987,7 +11240,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)dst, src, size);
+ }
switch (size) {
- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
@@ -11029,18 +11282,18 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
ret, "q", "", "er", 8);
return ret;
default:
+- return copy_user_generic((__force void *)dst, src, size);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
- }
- }
-
- static __always_inline __must_check
--int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
++ return copy_user_generic((__force_kernel void *)dst, src, size);
++ }
++}
++
++static __always_inline __must_check
+unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
+{
+ if (access_ok(VERIFY_WRITE, to, len))
@@ -11060,11 +11313,12 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ if (!__builtin_constant_p(len))
+ check_object_size(to, len, false);
+ memset(to, 0, len);
-+ }
+ }
+ return len;
-+}
-+
-+static __always_inline __must_check
+ }
+
+ static __always_inline __must_check
+-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
{
- int ret = 0;
@@ -11072,6 +11326,8 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
might_fault();
- if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
+
+ pax_track_stack();
+
@@ -11094,9 +11350,8 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
-+ (__force const void *)src, size);
++ return copy_user_generic((__force_kernel void *)dst,
++ (__force_kernel const void *)src, size);
+ }
switch (size) {
case 1: {
@@ -11137,6 +11392,8 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
return ret;
}
default:
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
@@ -11145,9 +11402,8 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
-+ (__force const void *)src, size);
++ return copy_user_generic((__force_kernel void *)dst,
++ (__force_kernel const void *)src, size);
}
}
@@ -11164,8 +11420,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+
+ if ((int)size < 0)
+ return size;
-
--static __must_check __always_inline int
++
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if (!__access_ok(VERIFY_READ, src, size))
+ return size;
@@ -11173,13 +11428,15 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
+ src += PAX_USER_SHADOW_BASE;
+#endif
-+
-+ return copy_user_generic(dst, (__force const void *)src, size);
+
+-static __must_check __always_inline int
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
+}
+
+static __must_check __always_inline unsigned long
__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
{
+- return copy_user_generic((__force void *)dst, src, size);
+ if ((int)size < 0)
+ return size;
+
@@ -11191,7 +11448,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)dst, src, size);
}
-extern long __copy_user_nocache(void *dst, const void __user *src,
@@ -11232,13 +11489,14 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arc
}
-unsigned long
+-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
+extern unsigned long
- copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
++copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
#endif /* _ASM_X86_UACCESS_64_H */
diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x86/include/asm/uaccess.h
--- linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:56:37.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-10-06 09:37:08.000000000 -0400
@@ -8,12 +8,15 @@
#include <linux/thread_info.h>
#include <linux/prefetch.h>
@@ -11338,6 +11596,15 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x
"3:\n" \
_ASM_EXTABLE(1b, 2b - 1b) \
_ASM_EXTABLE(2b, 3b - 2b) \
+@@ -253,7 +295,7 @@ extern void __put_user_8(void);
+ __typeof__(*(ptr)) __pu_val; \
+ __chk_user_ptr(ptr); \
+ might_fault(); \
+- __pu_val = x; \
++ __pu_val = (x); \
+ switch (sizeof(*(ptr))) { \
+ case 1: \
+ __put_user_x(1, __pu_val, ptr, __ret_pu); \
@@ -374,7 +416,7 @@ do { \
} while (0)
@@ -11457,6 +11724,18 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x
#ifdef CONFIG_X86_32
# include "uaccess_32.h"
#else
+diff -urNp linux-2.6.32.46/arch/x86/include/asm/vdso.h linux-2.6.32.46/arch/x86/include/asm/vdso.h
+--- linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-10-06 09:37:14.000000000 -0400
+@@ -25,7 +25,7 @@ extern const char VDSO32_PRELINK[];
+ #define VDSO32_SYMBOL(base, name) \
+ ({ \
+ extern const char VDSO32_##name[]; \
+- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
++ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
+ })
+ #endif
+
diff -urNp linux-2.6.32.46/arch/x86/include/asm/vgtod.h linux-2.6.32.46/arch/x86/include/asm/vgtod.h
--- linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
@@ -11610,7 +11889,7 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/x86_init.h linux-2.6.32.46/arch/
extern struct x86_cpuinit_ops x86_cpuinit;
diff -urNp linux-2.6.32.46/arch/x86/include/asm/xsave.h linux-2.6.32.46/arch/x86/include/asm/xsave.h
--- linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-10-06 09:37:08.000000000 -0400
@@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
static inline int xsave_user(struct xsave_struct __user *buf)
{
@@ -11624,7 +11903,12 @@ diff -urNp linux-2.6.32.46/arch/x86/include/asm/xsave.h linux-2.6.32.46/arch/x86
__asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
"2:\n"
".section .fixup,\"ax\"\n"
-@@ -82,6 +88,11 @@ static inline int xrestore_user(struct x
+@@ -78,10 +84,15 @@ static inline int xsave_user(struct xsav
+ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
+ {
+ int err;
+- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
u32 lmask = mask;
u32 hmask = mask >> 32;
@@ -13067,8 +13351,8 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/early_printk.c linux-2.6.32.46/arch/x
early_console->write(early_console, buf, n);
diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/kernel/efi_32.c
--- linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-04-17 15:56:46.000000000 -0400
-@@ -38,70 +38,38 @@
++++ linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-10-06 09:37:08.000000000 -0400
+@@ -38,70 +38,56 @@
*/
static unsigned long efi_rt_eflags;
@@ -13082,7 +13366,10 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/ker
- unsigned long temp;
struct desc_ptr gdt_descr;
- local_irq_save(efi_rt_eflags);
+- local_irq_save(efi_rt_eflags);
++#ifdef CONFIG_PAX_KERNEXEC
++ struct desc_struct d;
++#endif
- /*
- * If I don't have PAE, I should just duplicate two entries in page
@@ -13090,6 +13377,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/ker
- * page directory.
- */
- cr4 = read_cr4_safe();
++ local_irq_save(efi_rt_eflags);
- if (cr4 & X86_CR4_PAE) {
- efi_bak_pg_dir_pointer[0].pgd =
@@ -13116,8 +13404,14 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/ker
*/
__flush_tlb_all();
-- gdt_descr.address = __pa(get_cpu_gdt_table(0));
-+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
++#ifdef CONFIG_PAX_KERNEXEC
++ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
++ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
++#endif
++
+ gdt_descr.address = __pa(get_cpu_gdt_table(0));
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
}
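Review bot: The two `pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC)` / `(..., 0x93, 0xC)` calls in the prolog install descriptors from bare constants with no explanation. Going by the x86 descriptor format these are flat ring-0 segments, base 0 and limit 0xFFFFF with 4 KiB granularity: 0x9B is present, readable, accessed code and 0x93 is present, writable, accessed data. I would say so in a comment, for example `/* flat 4 GiB ring-0 code/data for the physical-mode EFI call; cleared again in the epilog */`. The epilog hunk that follows zeroes both slots with `memset(&d, 0, sizeof d)`, and that pairing deserves a matching comment there so nobody drops one half. Both functions start outside the hunks shown.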
@@ -13128,8 +13422,15 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/ker
- unsigned long cr4;
struct desc_ptr gdt_descr;
-- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
-+ gdt_descr.address = get_cpu_gdt_table(0);
++#ifdef CONFIG_PAX_KERNEXEC
++ struct desc_struct d;
++
++ memset(&d, 0, sizeof d);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
++#endif
++
+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
@@ -13150,16 +13451,18 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/ker
* After the lock is released, the original page table is restored.
diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S
--- linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-04-17 15:56:46.000000000 -0400
-@@ -6,6 +6,7 @@
++++ linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-10-06 09:37:08.000000000 -0400
+@@ -6,7 +6,9 @@
*/
#include <linux/linkage.h>
+#include <linux/init.h>
#include <asm/page_types.h>
++#include <asm/segment.h>
/*
-@@ -20,7 +21,7 @@
+ * efi_call_phys(void *, ...) is a function with variable parameters.
+@@ -20,7 +22,7 @@
* service functions will comply with gcc calling convention, too.
*/
@@ -13168,18 +13471,22 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x8
ENTRY(efi_call_phys)
/*
* 0. The function can only be called in Linux kernel. So CS has been
-@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
+@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
* The mapping of lower virtual memory has been created in prelog and
* epilog.
*/
- movl $1f, %edx
- subl $__PAGE_OFFSET, %edx
- jmp *%edx
-+ jmp 1f-__PAGE_OFFSET
++ movl $(__KERNEXEC_EFI_DS), %edx
++ mov %edx, %ds
++ mov %edx, %es
++ mov %edx, %ss
++ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
1:
/*
-@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
+@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
* parameter 2, ..., param n. To make things easy, we save the return
* address of efi_call_phys in a global variable.
*/
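Review bot: The added segment reloads and `ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET` in efi_call_phys are unconditional, while efi_32.c fills GDT entries 1 and 2 only inside `#ifdef CONFIG_PAX_KERNEXEC`. Unless something outside this page populates those slots, a 32-bit EFI build without KERNEXEC would load %ds, %es and %ss from descriptors nobody wrote. I would guard the new sequence with the same config symbol and keep the `jmp 1f-__PAGE_OFFSET` that this commit removes as the fallback. The return-path `ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET` in the later hunk uses the regular kernel selectors and needs no guard.

```asm
#ifdef CONFIG_PAX_KERNEXEC
	/* … unchanged: load __KERNEXEC_EFI_DS into %ds/%es/%ss, ljmp via __KERNEXEC_EFI_CS … */
#else
	jmp 1f-__PAGE_OFFSET
#endif
1:
```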
@@ -13196,7 +13503,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x8
/*
* 3. Clear PG bit in %CR0.
-@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
+@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
/*
* 5. Call the physical function.
*/
@@ -13207,7 +13514,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x8
/*
* 6. After EFI runtime service returns, control will return to
* following instruction. We'd better readjust stack pointer first.
-@@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
+@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
movl %cr0, %edx
orl $0x80000000, %edx
movl %edx, %cr0
@@ -13220,8 +13527,12 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x8
*/
- movl $1f, %edx
- jmp *%edx
-+ jmp 1f+__PAGE_OFFSET
++ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
1:
++ movl $(__KERNEL_DS), %edx
++ mov %edx, %ds
++ mov %edx, %es
++ mov %edx, %ss
/*
* 9. Balance the stack. And because EAX contain the return value,
@@ -13249,6 +13560,72 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x8
saved_return_addr:
.long 0
efi_rt_function_ptr:
+diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S
+--- linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -7,6 +7,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ #define SAVE_XMM \
+ mov %rsp, %rax; \
+@@ -40,6 +41,7 @@ ENTRY(efi_call0)
+ call *%rdi
+ addq $32, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call0)
+
+@@ -50,6 +52,7 @@ ENTRY(efi_call1)
+ call *%rdi
+ addq $32, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call1)
+
+@@ -60,6 +63,7 @@ ENTRY(efi_call2)
+ call *%rdi
+ addq $32, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call2)
+
+@@ -71,6 +75,7 @@ ENTRY(efi_call3)
+ call *%rdi
+ addq $32, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call3)
+
+@@ -83,6 +88,7 @@ ENTRY(efi_call4)
+ call *%rdi
+ addq $32, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call4)
+
+@@ -96,6 +102,7 @@ ENTRY(efi_call5)
+ call *%rdi
+ addq $48, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call5)
+
+@@ -112,5 +119,6 @@ ENTRY(efi_call6)
+ call *%rdi
+ addq $48, %rsp
+ RESTORE_XMM
++ pax_force_retaddr
+ ret
+ ENDPROC(efi_call6)
diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_32.S linux-2.6.32.46/arch/x86/kernel/entry_32.S
--- linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-08-30 18:19:52.000000000 -0400
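Review bot: None of the seven `pax_force_retaddr` insertions in efi_call0 through efi_call6 says what the macro does or why it sits between `RESTORE_XMM` and `ret`. Its definition comes from the newly included asm/alternative-asm.h and is not part of this hunk. Presumably it operates on the return address at the top of the stack, which would make its position after `RESTORE_XMM` significant, since `SAVE_XMM` begins by copying %rsp. If that reading is right, a comment at the first use such as `/* must directly precede ret: acts on the return address at (%rsp) */` would also cover the identical insertions in clear_page_64.S, copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S further down.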
@@ -13742,16 +14119,17 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_32.S linux-2.6.32.46/arch/x86/k
CFI_ADJUST_CFA_OFFSET -24
diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/kernel/entry_64.S
--- linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-08-26 20:19:09.000000000 -0400
-@@ -53,6 +53,7 @@
++++ linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-10-06 10:06:40.000000000 -0400
+@@ -53,6 +53,8 @@
#include <asm/paravirt.h>
#include <asm/ftrace.h>
#include <asm/percpu.h>
+#include <asm/pgtable.h>
++#include <asm/alternative-asm.h>
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
#include <linux/elf-em.h>
-@@ -174,6 +175,264 @@ ENTRY(native_usergs_sysret64)
+@@ -174,6 +176,264 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -14016,7 +14394,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -317,7 +576,7 @@ ENTRY(save_args)
+@@ -317,7 +577,7 @@ ENTRY(save_args)
leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
movq_cfi rbp, 8 /* push %rbp */
leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
@@ -14025,7 +14403,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
je 1f
SWAPGS
/*
-@@ -409,7 +668,7 @@ ENTRY(ret_from_fork)
+@@ -409,7 +669,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -14034,7 +14412,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
je int_ret_from_sys_call
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -455,7 +714,7 @@ END(ret_from_fork)
+@@ -455,7 +715,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -14043,7 +14421,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -468,12 +727,13 @@ ENTRY(system_call_after_swapgs)
+@@ -468,12 +728,13 @@ ENTRY(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -14058,7 +14436,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -502,6 +762,8 @@ sysret_check:
+@@ -502,6 +763,8 @@ sysret_check:
andl %edi,%edx
jnz sysret_careful
CFI_REMEMBER_STATE
@@ -14067,7 +14445,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
/*
* sysretq will re-enable interrupts:
*/
-@@ -562,6 +824,9 @@ auditsys:
+@@ -562,6 +825,9 @@ auditsys:
movq %rax,%rsi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -14077,7 +14455,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
LOAD_ARGS 0 /* reload call-clobbered registers */
jmp system_call_fastpath
-@@ -592,6 +857,9 @@ tracesys:
+@@ -592,6 +858,9 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -14087,7 +14465,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
/*
* Reload arg registers from stack in case ptrace changed them.
* We don't reload %rax because syscall_trace_enter() returned
-@@ -613,7 +881,7 @@ tracesys:
+@@ -613,7 +882,7 @@ tracesys:
GLOBAL(int_ret_from_sys_call)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -14096,7 +14474,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
je retint_restore_args
movl $_TIF_ALLWORK_MASK,%edi
/* edi: mask to check */
-@@ -800,6 +1068,16 @@ END(interrupt)
+@@ -800,6 +1069,16 @@ END(interrupt)
CFI_ADJUST_CFA_OFFSET 10*8
call save_args
PARTIAL_FRAME 0
@@ -14113,7 +14491,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
call \func
.endm
-@@ -822,7 +1100,7 @@ ret_from_intr:
+@@ -822,7 +1101,7 @@ ret_from_intr:
CFI_ADJUST_CFA_OFFSET -8
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -14122,7 +14500,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
je retint_kernel
/* Interrupt came from user space */
-@@ -844,12 +1122,15 @@ retint_swapgs: /* return to user-space
+@@ -844,12 +1123,16 @@ retint_swapgs: /* return to user-space
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -14135,10 +14513,11 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
++ pax_force_retaddr RIP-ARGOFFSET
/*
* The iretq could re-enable interrupts:
*/
-@@ -1032,6 +1313,16 @@ ENTRY(\sym)
+@@ -1032,6 +1315,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET 15*8
call error_entry
DEFAULT_FRAME 0
@@ -14155,7 +14534,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1049,6 +1340,16 @@ ENTRY(\sym)
+@@ -1049,6 +1342,16 @@ ENTRY(\sym)
subq $15*8, %rsp
call save_paranoid
TRACE_IRQS_OFF
@@ -14172,7 +14551,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1066,9 +1367,24 @@ ENTRY(\sym)
+@@ -1066,9 +1369,24 @@ ENTRY(\sym)
subq $15*8, %rsp
call save_paranoid
TRACE_IRQS_OFF
@@ -14198,7 +14577,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
call \do_sym
addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
-@@ -1085,6 +1401,16 @@ ENTRY(\sym)
+@@ -1085,6 +1403,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET 15*8
call error_entry
DEFAULT_FRAME 0
@@ -14215,7 +14594,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1104,6 +1430,16 @@ ENTRY(\sym)
+@@ -1104,6 +1432,16 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -14232,7 +14611,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1405,14 +1741,27 @@ ENTRY(paranoid_exit)
+@@ -1405,16 +1743,31 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -14244,6 +14623,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
+ TRACE_IRQS_IRETQ 0
+ SWAPGS_UNSAFE_STACK
+ RESTORE_ALL 8
++ pax_force_retaddr
+ jmp irq_return
+#endif
paranoid_swapgs:
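Review bot: `pax_force_retaddr` is used here on an interrupt return frame rather than on a call's return address. It follows `RESTORE_ALL 8` and precedes `jmp irq_return`, so the slot it touches is presumably the saved RIP that the interrupt return will load. If the macro rewrites that slot in place, it must only run on paths that resume kernel code, and each site should say so the way `retint_restore_args` does with its `/* return to kernel space */` comment. A line like `/* kernel-mode return only */` at the top of this `#ifdef` block would do. The same pattern appears at paranoid_restore, in the two nmi exit blocks, and with an explicit `RIP-ARGOFFSET` offset at retint_restore_args. paranoid_exit starts and ends outside this hunk.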
@@ -14260,8 +14640,11 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
+ pax_exit_kernel
TRACE_IRQS_IRETQ 0
RESTORE_ALL 8
++ pax_force_retaddr
jmp irq_return
-@@ -1470,7 +1819,7 @@ ENTRY(error_entry)
+ paranoid_userspace:
+ GET_THREAD_INFO(%rcx)
+@@ -1470,7 +1823,7 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -14270,7 +14653,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
je error_kernelspace
error_swapgs:
SWAPGS
-@@ -1529,6 +1878,16 @@ ENTRY(nmi)
+@@ -1529,6 +1882,16 @@ ENTRY(nmi)
CFI_ADJUST_CFA_OFFSET 15*8
call save_paranoid
DEFAULT_FRAME 0
@@ -14287,7 +14670,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1539,11 +1898,25 @@ ENTRY(nmi)
+@@ -1539,12 +1902,28 @@ ENTRY(nmi)
DISABLE_INTERRUPTS(CLBR_NONE)
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
@@ -14298,6 +14681,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
+ pax_exit_kernel
+ SWAPGS_UNSAFE_STACK
+ RESTORE_ALL 8
++ pax_force_retaddr
+ jmp irq_return
+#endif
nmi_swapgs:
@@ -14312,8 +14696,10 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/k
nmi_restore:
+ pax_exit_kernel
RESTORE_ALL 8
++ pax_force_retaddr
jmp irq_return
nmi_userspace:
+ GET_THREAD_INFO(%rcx)
diff -urNp linux-2.6.32.46/arch/x86/kernel/ftrace.c linux-2.6.32.46/arch/x86/kernel/ftrace.c
--- linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
@@ -15786,20 +16172,20 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_core.c linux-2.6.32.46/arch
* Synchronization.
diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_intel.c linux-2.6.32.46/arch/x86/kernel/microcode_intel.c
--- linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-10-06 09:37:08.000000000 -0400
@@ -443,13 +443,13 @@ static enum ucode_state request_microcod
static int get_ucode_user(void *to, const void *from, size_t n)
{
- return copy_from_user(to, from, n);
-+ return copy_from_user(to, (__force const void __user *)from, n);
++ return copy_from_user(to, (const void __force_user *)from, n);
}
static enum ucode_state
request_microcode_user(int cpu, const void __user *buf, size_t size)
{
- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
-+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
++ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
}
static void microcode_fini_cpu(int cpu)
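Review bot: The two casts in this hunk place the address-space qualifier differently: `(const void __force_user *)from` puts it after the type, `(__force_kernel void *)buf` before it. The other casts visible on this page use the trailing form, so writing the second as `(void __force_kernel *)buf` would keep the file consistent. It would also help to add a comment in request_microcode_user that `buf` is a userland pointer, typed as a kernel pointer only to travel through generic_load_microcode and converted back in get_ucode_user. The forced casts hide exactly that from sparse, so the pairing of this caller with that callback is the only thing keeping the access checked.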
@@ -18588,7 +18974,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.46/arch
EXPORT_SYMBOL(copy_page);
diff -urNp linux-2.6.32.46/arch/x86/kernel/xsave.c linux-2.6.32.46/arch/x86/kernel/xsave.c
--- linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-10-06 09:37:08.000000000 -0400
@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
fx_sw_user->xstate_size > fx_sw_user->extended_size)
return -1;
@@ -18603,7 +18989,7 @@ diff -urNp linux-2.6.32.46/arch/x86/kernel/xsave.c linux-2.6.32.46/arch/x86/kern
*/
xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
-+ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
++ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
}
/*
@@ -19383,8 +19769,31 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/checksum_32.S linux-2.6.32.46/arch/x86/l
#undef ROUND1
diff -urNp linux-2.6.32.46/arch/x86/lib/clear_page_64.S linux-2.6.32.46/arch/x86/lib/clear_page_64.S
--- linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-04-17 15:56:46.000000000 -0400
-@@ -43,7 +43,7 @@ ENDPROC(clear_page)
++++ linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-10-06 09:37:08.000000000 -0400
+@@ -1,5 +1,6 @@
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * Zero a page.
+@@ -10,6 +11,7 @@ ENTRY(clear_page_c)
+ movl $4096/8,%ecx
+ xorl %eax,%eax
+ rep stosq
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(clear_page_c)
+@@ -33,6 +35,7 @@ ENTRY(clear_page)
+ leaq 64(%rdi),%rdi
+ jnz .Lloop
+ nop
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ .Lclear_page_end:
+@@ -43,7 +46,7 @@ ENDPROC(clear_page)
#include <asm/cpufeature.h>
@@ -19395,8 +19804,31 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/clear_page_64.S linux-2.6.32.46/arch/x86
2:
diff -urNp linux-2.6.32.46/arch/x86/lib/copy_page_64.S linux-2.6.32.46/arch/x86/lib/copy_page_64.S
--- linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-04-17 15:56:46.000000000 -0400
-@@ -104,7 +104,7 @@ ENDPROC(copy_page)
++++ linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-10-06 09:37:08.000000000 -0400
+@@ -2,12 +2,14 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ ALIGN
+ copy_page_c:
+ CFI_STARTPROC
+ movl $4096/8,%ecx
+ rep movsq
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(copy_page_c)
+@@ -94,6 +96,7 @@ ENTRY(copy_page)
+ CFI_RESTORE r13
+ addq $3*8,%rsp
+ CFI_ADJUST_CFA_OFFSET -3*8
++ pax_force_retaddr
+ ret
+ .Lcopy_page_end:
+ CFI_ENDPROC
+@@ -104,7 +107,7 @@ ENDPROC(copy_page)
#include <asm/cpufeature.h>
@@ -19407,12 +19839,13 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/copy_page_64.S linux-2.6.32.46/arch/x86/
2:
diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/lib/copy_user_64.S
--- linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:56:37.000000000 -0400
-@@ -15,13 +15,14 @@
++++ linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-10-06 10:12:52.000000000 -0400
+@@ -15,13 +15,15 @@
#include <asm/asm-offsets.h>
#include <asm/thread_info.h>
#include <asm/cpufeature.h>
+#include <asm/pgtable.h>
++#include <asm/alternative-asm.h>
.macro ALTERNATIVE_JUMP feature,orig,alt
0:
@@ -19424,7 +19857,7 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/
2: .byte 0xe9 /* near jump with 32bit immediate */
.long \alt-1b /* offset */ /* or alternatively to alt */
.previous
-@@ -64,49 +65,19 @@
+@@ -64,55 +66,26 @@
#endif
.endm
@@ -19476,10 +19909,40 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/
movl %edx,%ecx
xorl %eax,%eax
rep
+ stosb
+ bad_to_user:
+ movl %edx,%eax
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(bad_from_user)
+@@ -180,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
+ decl %ecx
+ jnz 21b
+ 23: xor %eax,%eax
++ pax_force_retaddr
+ ret
+
+ .section .fixup,"ax"
+@@ -252,6 +226,7 @@ ENTRY(copy_user_generic_string)
+ 3: rep
+ movsb
+ 4: xorl %eax,%eax
++ pax_force_retaddr
+ ret
+
+ .section .fixup,"ax"
diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S
--- linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:56:46.000000000 -0400
-@@ -14,6 +14,7 @@
++++ linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-10-06 09:37:08.000000000 -0400
+@@ -8,12 +8,14 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ #define FIX_ALIGNMENT 1
+
#include <asm/current.h>
#include <asm/asm-offsets.h>
#include <asm/thread_info.h>
@@ -19487,7 +19950,7 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/a
.macro ALIGN_DESTINATION
#ifdef FIX_ALIGNMENT
-@@ -50,6 +51,15 @@
+@@ -50,6 +52,15 @@
*/
ENTRY(__copy_user_nocache)
CFI_STARTPROC
@@ -19503,35 +19966,66 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/a
cmpl $8,%edx
jb 20f /* less then 8 bytes, go to byte copy loop */
ALIGN_DESTINATION
+@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
+ jnz 21b
+ 23: xorl %eax,%eax
+ sfence
++ pax_force_retaddr
+ ret
+
+ .section .fixup,"ax"
+diff -urNp linux-2.6.32.46/arch/x86/lib/csum-copy_64.S linux-2.6.32.46/arch/x86/lib/csum-copy_64.S
+--- linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -8,6 +8,7 @@
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
+ #include <asm/errno.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * Checksum copy with exception handling.
+@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
+ CFI_RESTORE rbp
+ addq $7*8,%rsp
+ CFI_ADJUST_CFA_OFFSET -7*8
++ pax_force_retaddr
+ ret
+ CFI_RESTORE_STATE
+
diff -urNp linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c
--- linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-05-04 17:56:20.000000000 -0400
-@@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
++++ linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-10-06 09:37:08.000000000 -0400
+@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
len -= 2;
}
}
+- isum = csum_partial_copy_generic((__force const void *)src,
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
- isum = csum_partial_copy_generic((__force const void *)src,
++ isum = csum_partial_copy_generic((const void __force_kernel *)src,
dst, len, isum, errp, NULL);
if (unlikely(*errp))
-@@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
+ goto out_err;
+@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
}
*errp = 0;
+- return csum_partial_copy_generic(src, (void __force *)dst,
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return csum_partial_copy_generic(src, (void __force *)dst,
++ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
len, isum, NULL, errp);
}
+ EXPORT_SYMBOL(csum_partial_copy_to_user);
diff -urNp linux-2.6.32.46/arch/x86/lib/getuser.S linux-2.6.32.46/arch/x86/lib/getuser.S
--- linux-2.6.32.46/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/lib/getuser.S 2011-04-17 15:56:46.000000000 -0400
@@ -19640,10 +20134,53 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/getuser.S linux-2.6.32.46/arch/x86/lib/g
4: movq -7(%_ASM_AX),%_ASM_DX
xor %eax,%eax
ret
+diff -urNp linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S
+--- linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -17,6 +17,7 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * override generic version in lib/iomap_copy.c
+@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
+ CFI_STARTPROC
+ movl %edx,%ecx
+ rep movsd
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(__iowrite32_copy)
diff -urNp linux-2.6.32.46/arch/x86/lib/memcpy_64.S linux-2.6.32.46/arch/x86/lib/memcpy_64.S
--- linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-04-17 15:56:46.000000000 -0400
-@@ -128,7 +128,7 @@ ENDPROC(__memcpy)
++++ linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-10-06 10:13:49.000000000 -0400
+@@ -4,6 +4,7 @@
+
+ #include <asm/cpufeature.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * memcpy - Copy a memory block.
+@@ -34,6 +35,7 @@ memcpy_c:
+ rep movsq
+ movl %edx, %ecx
+ rep movsb
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(memcpy_c)
+@@ -118,6 +120,7 @@ ENTRY(memcpy)
+ jnz .Lloop_1
+
+ .Lend:
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(memcpy)
+@@ -128,7 +131,7 @@ ENDPROC(__memcpy)
* It is also a lot simpler. Use this when possible:
*/
@@ -19654,8 +20191,32 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/memcpy_64.S linux-2.6.32.46/arch/x86/lib
2:
diff -urNp linux-2.6.32.46/arch/x86/lib/memset_64.S linux-2.6.32.46/arch/x86/lib/memset_64.S
--- linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-04-17 15:56:46.000000000 -0400
-@@ -118,7 +118,7 @@ ENDPROC(__memset)
++++ linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-10-06 09:37:08.000000000 -0400
+@@ -2,6 +2,7 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * ISO C memset - set a memory block to a byte value.
+@@ -28,6 +29,7 @@ memset_c:
+ movl %r8d,%ecx
+ rep stosb
+ movq %r9,%rax
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ ENDPROC(memset_c)
+@@ -96,6 +98,7 @@ ENTRY(__memset)
+
+ .Lende:
+ movq %r10,%rax
++ pax_force_retaddr
+ ret
+
+ CFI_RESTORE_STATE
+@@ -118,7 +121,7 @@ ENDPROC(__memset)
#include <asm/cpufeature.h>
@@ -20122,6 +20683,89 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/putuser.S linux-2.6.32.46/arch/x86/lib/p
#endif
xor %eax,%eax
EXIT
+diff -urNp linux-2.6.32.46/arch/x86/lib/rwlock_64.S linux-2.6.32.46/arch/x86/lib/rwlock_64.S
+--- linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
+ LOCK_PREFIX
+ subl $RW_LOCK_BIAS,(%rdi)
+ jnz __write_lock_failed
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ END(__write_lock_failed)
+@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
+ LOCK_PREFIX
+ decl (%rdi)
+ js __read_lock_failed
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ END(__read_lock_failed)
+diff -urNp linux-2.6.32.46/arch/x86/lib/rwsem_64.S linux-2.6.32.46/arch/x86/lib/rwsem_64.S
+--- linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -48,6 +48,7 @@ ENTRY(call_rwsem_down_read_failed)
+ call rwsem_down_read_failed
+ popq %rdx
+ restore_common_regs
++ pax_force_retaddr
+ ret
+ ENDPROC(call_rwsem_down_read_failed)
+
+@@ -56,6 +57,7 @@ ENTRY(call_rwsem_down_write_failed)
+ movq %rax,%rdi
+ call rwsem_down_write_failed
+ restore_common_regs
++ pax_force_retaddr
+ ret
+ ENDPROC(call_rwsem_down_write_failed)
+
+@@ -66,7 +68,8 @@ ENTRY(call_rwsem_wake)
+ movq %rax,%rdi
+ call rwsem_wake
+ restore_common_regs
+-1: ret
++1: pax_force_retaddr
++ ret
+ ENDPROC(call_rwsem_wake)
+
+ /* Fix up special calling conventions */
+@@ -77,5 +80,6 @@ ENTRY(call_rwsem_downgrade_wake)
+ call rwsem_downgrade_wake
+ popq %rdx
+ restore_common_regs
++ pax_force_retaddr
+ ret
+ ENDPROC(call_rwsem_downgrade_wake)
+diff -urNp linux-2.6.32.46/arch/x86/lib/thunk_64.S linux-2.6.32.46/arch/x86/lib/thunk_64.S
+--- linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-10-06 09:37:14.000000000 -0400
+@@ -10,7 +10,8 @@
+ #include <asm/dwarf2.h>
+ #include <asm/calling.h>
+ #include <asm/rwlock.h>
+-
++ #include <asm/alternative-asm.h>
++
+ /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
+ .macro thunk name,func
+ .globl \name
+@@ -70,6 +71,7 @@
+ SAVE_ARGS
+ restore:
+ RESTORE_ARGS
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+
+@@ -77,5 +79,6 @@ restore:
+ SAVE_ARGS
+ restore_norax:
+ RESTORE_ARGS 1
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_32.c linux-2.6.32.46/arch/x86/lib/usercopy_32.c
--- linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
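Review bot: rwlock_64.S and rwsem_64.S gain `pax_force_retaddr` without the `#include <asm/alternative-asm.h>` that the other assembly files on this page add together with the macro, as thunk_64.S does in this same hunk. Presumably both files already pull the header in (rwlock_64.S uses `LOCK_PREFIX`), but their include lists are outside the hunk, so this should be confirmed. Without the header the macro name would not resolve at assembly time. Separately, in call_rwsem_wake the macro now sits on the `1:` label line, so the early-exit branch to `1:` also runs it. That looks intended, and a comment such as `/* both paths fall through the retaddr fixup */` would make it explicit.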
@@ -20732,7 +21376,7 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_32.c linux-2.6.32.46/arch/x86/l
+#endif
diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/lib/usercopy_64.c
--- linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-05-04 17:56:20.000000000 -0400
++++ linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-10-06 09:37:08.000000000 -0400
@@ -42,6 +42,12 @@ long
__strncpy_from_user(char *dst, const char __user *src, long count)
{
@@ -20764,6 +21408,9 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/l
unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
{
- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
+- return copy_user_generic((__force void *)to, (__force void *)from, len);
+- }
+- return len;
+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
@@ -20773,14 +21420,21 @@ diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/l
+ from += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)to, (__force void *)from, len);
-- }
-- return len;
++ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
+ }
+ return len;
}
EXPORT_SYMBOL(copy_in_user);
+@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
+ * it is not necessary to optimize tail handling.
+ */
+ unsigned long
+-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
++copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
+ {
+ char c;
+ unsigned zero_len;
diff -urNp linux-2.6.32.46/arch/x86/Makefile linux-2.6.32.46/arch/x86/Makefile
--- linux-2.6.32.46/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -0400
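Review bot: The new signature `copy_user_handle_tail(char __user *to, char __user *from, ...)` marks both pointers as userland, but this tail handler presumably serves copies in either direction, so one of the two would normally be a kernel address. If so, the annotation is a convenience for sparse rather than a statement about the data. A comment above the function should say that, for example `/* to/from are annotated __user so the user accessors can be used on both; either may be a kernel address */`. The matching prototype in the header has to change identically and is not visible in this hunk. The function body continues outside the hunk, so whether both pointers really go through the user accessors cannot be confirmed from here.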
@@ -20883,7 +21537,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/extable.c linux-2.6.32.46/arch/x86/mm/ext
pnp_bios_is_utter_crap = 1;
diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault.c
--- linux-2.6.32.46/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/arch/x86/mm/fault.c 2011-08-17 20:06:44.000000000 -0400
++++ linux-2.6.32.46/arch/x86/mm/fault.c 2011-10-06 09:37:08.000000000 -0400
@@ -11,10 +11,19 @@
#include <linux/kprobes.h> /* __kprobes, ... */
#include <linux/mmiotrace.h> /* kmmio_handler, ... */
@@ -20919,7 +21573,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault
/* Prefetch instruction is 0x0F0D or 0x0F18 */
- if (probe_kernel_address(instr, opcode))
+ if (user_mode(regs)) {
-+ if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
+ return 0;
+ } else if (probe_kernel_address(instr, opcode))
return 0;
@@ -20931,7 +21585,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault
- if (probe_kernel_address(instr, opcode))
+ if (user_mode(regs)) {
-+ if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
+ break;
+ } else if (probe_kernel_address(instr, opcode))
break;
@@ -21523,7 +22177,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
-+ if (get_user(c, (__force unsigned char __user *)pc+i))
++ if (get_user(c, (unsigned char __force_user *)pc+i))
+ printk(KERN_CONT "?? ");
+ else
+ printk(KERN_CONT "%02x ", c);
@@ -21533,7 +22187,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault
+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
+ unsigned long c;
-+ if (get_user(c, (__force unsigned long __user *)sp+i))
++ if (get_user(c, (unsigned long __force_user *)sp+i))
+#ifdef CONFIG_X86_32
+ printk(KERN_CONT "???????? ");
+#else
@@ -21563,7 +22217,7 @@ diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+ pax_open_kernel();
-+ ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
++ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
+ pax_close_kernel();
+ pagefault_enable();
+ set_fs(old_fs);
@@ -24158,7 +24812,7 @@ diff -urNp linux-2.6.32.46/block/blk-sysfs.c linux-2.6.32.46/block/blk-sysfs.c
};
diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
--- linux-2.6.32.46/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/block/bsg.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/block/bsg.c 2011-10-06 09:37:08.000000000 -0400
@@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
struct sg_io_v4 *hdr, struct bsg_device *bd,
fmode_t has_write_perm)
@@ -24176,7 +24830,7 @@ diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
+ cmdptr = tmpcmd;
- if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
-+ if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
++ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
hdr->request_len))
return -EFAULT;
@@ -24186,6 +24840,49 @@ diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
if (blk_verify_command(rq->cmd, has_write_perm))
return -EPERM;
+@@ -282,7 +290,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
+ rq->next_rq = next_rq;
+ next_rq->cmd_type = rq->cmd_type;
+
+- dxferp = (void*)(unsigned long)hdr->din_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
+ ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
+ hdr->din_xfer_len, GFP_KERNEL);
+ if (ret)
+@@ -291,10 +299,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
+
+ if (hdr->dout_xfer_len) {
+ dxfer_len = hdr->dout_xfer_len;
+- dxferp = (void*)(unsigned long)hdr->dout_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
+ } else if (hdr->din_xfer_len) {
+ dxfer_len = hdr->din_xfer_len;
+- dxferp = (void*)(unsigned long)hdr->din_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
+ } else
+ dxfer_len = 0;
+
+@@ -436,7 +444,7 @@ static int blk_complete_sgv4_hdr_rq(stru
+ int len = min_t(unsigned int, hdr->max_response_len,
+ rq->sense_len);
+
+- ret = copy_to_user((void*)(unsigned long)hdr->response,
++ ret = copy_to_user((void __user *)(unsigned long)hdr->response,
+ rq->sense, len);
+ if (!ret)
+ hdr->response_len = len;
+diff -urNp linux-2.6.32.46/block/compat_ioctl.c linux-2.6.32.46/block/compat_ioctl.c
+--- linux-2.6.32.46/block/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/block/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
+@@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
+ err |= __get_user(f->spec1, &uf->spec1);
+ err |= __get_user(f->fmt_gap, &uf->fmt_gap);
+ err |= __get_user(name, &uf->name);
+- f->name = compat_ptr(name);
++ f->name = (void __force_kernel *)compat_ptr(name);
+ if (err) {
+ err = -EFAULT;
+ goto out;
diff -urNp linux-2.6.32.46/block/elevator.c linux-2.6.32.46/block/elevator.c
--- linux-2.6.32.46/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
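Review bot: In compat_fd_ioctl, `f->name = (void __force_kernel *)compat_ptr(name);` stores a userland address in a field typed as a kernel pointer, and the forced cast removes the only sparse warning that would have pointed this out. The value is still user-controlled, so the line needs a comment such as `/* user pointer carried opaquely in f->name; must not be dereferenced as a kernel address */`. It would also be worth confirming that no consumer of the converted structure reads through it. The bsg.c changes earlier in this hunk go the other way and restore the `__user` annotation on `hdr->din_xferp`, `hdr->dout_xferp` and `hdr->response`, which is the preferable direction wherever the receiving type allows it. compat_fd_ioctl starts and ends outside this hunk.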
@@ -27575,6 +28272,18 @@ diff -urNp linux-2.6.32.46/drivers/block/DAC960.c linux-2.6.32.46/drivers/block/
if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
sizeof(DAC960_SCSI_Inquiry_T) +
+diff -urNp linux-2.6.32.46/drivers/block/loop.c linux-2.6.32.46/drivers/block/loop.c
+--- linux-2.6.32.46/drivers/block/loop.c 2011-06-25 12:55:34.000000000 -0400
++++ linux-2.6.32.46/drivers/block/loop.c 2011-10-06 09:37:14.000000000 -0400
+@@ -282,7 +282,7 @@ static int __do_lo_send_write(struct fil
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(get_ds());
+- bw = file->f_op->write(file, buf, len, &pos);
++ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
+ set_fs(old_fs);
+ if (likely(bw == len))
+ return 0;
diff -urNp linux-2.6.32.46/drivers/block/nbd.c linux-2.6.32.46/drivers/block/nbd.c
--- linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
+++ linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
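Review bot: The new `(const char __force_user *)buf` cast in __do_lo_send_write has no comment stating its precondition, although passing a kernel buffer as a user pointer is only valid inside the `set_fs(get_ds())` / `set_fs(old_fs)` window visible around the call. Other call sites touched by this patch carry `/* The cast to a user pointer is valid due to the set_fs() */`; repeating that line here makes it easier to catch a later edit that moves the call out of the window. The same comment is missing at the `__force_user` casts in the fs/cachefiles/rdwr.c, fs/ecryptfs/inode.c and fs/nfsd/vfs.c hunks. It is probably also missing in autofs4_write, where the matching set_fs() call is not visible in the hunk. The function body starts and ends outside this hunk.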
@@ -28512,7 +29221,7 @@ diff -urNp linux-2.6.32.46/drivers/char/stallion.c linux-2.6.32.46/drivers/char/
portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/char/tpm/tpm_bios.c
--- linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-10-06 09:37:08.000000000 -0400
@@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
event = addr;
@@ -28541,7 +29250,7 @@ diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/c
return 0;
}
-@@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
+@@ -409,8 +410,13 @@ static int read_log(struct tpm_bios_log
log->bios_event_log_end = log->bios_event_log + len;
virt = acpi_os_map_memory(start, len);
@@ -28551,8 +29260,11 @@ diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/c
+ return -EFAULT;
+ }
- memcpy(log->bios_event_log, virt, len);
+- memcpy(log->bios_event_log, virt, len);
++ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
+ acpi_os_unmap_memory(virt, len);
+ return 0;
diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm.c linux-2.6.32.46/drivers/char/tpm/tpm.c
--- linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
+++ linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-05-16 21:46:57.000000000 -0400
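Review bot: `memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);` in read_log reads a mapping obtained from `acpi_os_map_memory()` through a forced cast rather than through an I/O accessor. If `virt` is an `__iomem` mapping, as the need for the cast suggests, `memcpy_fromio(log->bios_event_log, virt, len);` performs the same copy without discarding the address-space check. If plain memcpy is intentional because the log is known to live in ordinary RAM, a one-line comment saying so would justify the cast. The dmi_walk hunk in drivers/firmware/dmi_scan.c applies a similar `__force_kernel` cast to a buffer that is then released with `iounmap()`. read_log's body starts outside this hunk.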
@@ -29049,7 +29761,7 @@ diff -urNp linux-2.6.32.46/drivers/firewire/core-transaction.c linux-2.6.32.46/d
fw_send_request(card, &t, tcode, destination_id, generation, speed,
diff -urNp linux-2.6.32.46/drivers/firmware/dmi_scan.c linux-2.6.32.46/drivers/firmware/dmi_scan.c
--- linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-10-06 09:37:08.000000000 -0400
@@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
}
}
@@ -29062,6 +29774,15 @@ diff -urNp linux-2.6.32.46/drivers/firmware/dmi_scan.c linux-2.6.32.46/drivers/f
p = dmi_ioremap(0xF0000, 0x10000);
if (p == NULL)
goto error;
+@@ -667,7 +662,7 @@ int dmi_walk(void (*decode)(const struct
+ if (buf == NULL)
+ return -1;
+
+- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
++ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
+
+ iounmap(buf);
+ return 0;
diff -urNp linux-2.6.32.46/drivers/firmware/edd.c linux-2.6.32.46/drivers/firmware/edd.c
--- linux-2.6.32.46/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
@@ -29122,6 +29843,83 @@ diff -urNp linux-2.6.32.46/drivers/gpio/vr41xx_giu.c linux-2.6.32.46/drivers/gpi
return -EINVAL;
}
+diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c
+--- linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-10-06 09:37:14.000000000 -0400
+@@ -1323,7 +1323,7 @@ int drm_mode_getconnector(struct drm_dev
+ */
+ if ((out_resp->count_modes >= mode_count) && mode_count) {
+ copied = 0;
+- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
++ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
+ list_for_each_entry(mode, &connector->modes, head) {
+ drm_crtc_convert_to_umode(&u_mode, mode);
+ if (copy_to_user(mode_ptr + copied,
+@@ -1338,8 +1338,8 @@ int drm_mode_getconnector(struct drm_dev
+
+ if ((out_resp->count_props >= props_count) && props_count) {
+ copied = 0;
+- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
+- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
++ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
++ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
+ for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
+ if (connector->property_ids[i] != 0) {
+ if (put_user(connector->property_ids[i],
+@@ -1361,7 +1361,7 @@ int drm_mode_getconnector(struct drm_dev
+
+ if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
+ copied = 0;
+- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
++ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
+ for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
+ if (connector->encoder_ids[i] != 0) {
+ if (put_user(connector->encoder_ids[i],
+@@ -1513,7 +1513,7 @@ int drm_mode_setcrtc(struct drm_device *
+ }
+
+ for (i = 0; i < crtc_req->count_connectors; i++) {
+- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
++ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
+ if (get_user(out_id, &set_connectors_ptr[i])) {
+ ret = -EFAULT;
+ goto out;
+@@ -2118,7 +2118,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ out_resp->flags = property->flags;
+
+ if ((out_resp->count_values >= value_count) && value_count) {
+- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
++ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
+ for (i = 0; i < value_count; i++) {
+ if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
+ ret = -EFAULT;
+@@ -2131,7 +2131,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ if (property->flags & DRM_MODE_PROP_ENUM) {
+ if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
+ copied = 0;
+- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
++ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
+ list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
+
+ if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
+@@ -2154,7 +2154,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
+ copied = 0;
+ blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
+- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
++ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
+
+ list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
+ if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
+@@ -2226,7 +2226,7 @@ int drm_mode_getblob_ioctl(struct drm_de
+ blob = obj_to_blob(obj);
+
+ if (out_resp->length == blob->length) {
+- blob_ptr = (void *)(unsigned long)out_resp->data;
++ blob_ptr = (void __user *)(unsigned long)out_resp->data;
+ if (copy_to_user(blob_ptr, blob->data, blob->length)){
+ ret = -EFAULT;
+ goto done;
diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c
--- linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
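Review bot: In the blob branch of drm_mode_getproperty_ioctl, `blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;` is left without `__user` while the next line, `blob_length_ptr`, gains it. Both pointers are built from ioctl-supplied fields, and `blob_id_ptr` is written through `put_user()` a few lines later, so it is a userland pointer too. The line should read `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;`. Whether the declarations of these locals already carry `__user` cannot be checked here, since they sit outside the hunks shown.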
@@ -29327,6 +30125,27 @@ diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_info.c linux-2.6.32.46/drivers/gp
#if defined(__i386__)
pgprot = pgprot_val(vma->vm_page_prot);
+diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c
+--- linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-10-06 09:37:14.000000000 -0400
+@@ -463,7 +463,7 @@ static int compat_drm_infobufs(struct fi
+ request = compat_alloc_user_space(nbytes);
+ if (!access_ok(VERIFY_WRITE, request, nbytes))
+ return -EFAULT;
+- list = (struct drm_buf_desc *) (request + 1);
++ list = (struct drm_buf_desc __user *) (request + 1);
+
+ if (__put_user(count, &request->count)
+ || __put_user(list, &request->list))
+@@ -525,7 +525,7 @@ static int compat_drm_mapbufs(struct fil
+ request = compat_alloc_user_space(nbytes);
+ if (!access_ok(VERIFY_WRITE, request, nbytes))
+ return -EFAULT;
+- list = (struct drm_buf_pub *) (request + 1);
++ list = (struct drm_buf_pub __user *) (request + 1);
+
+ if (__put_user(count, &request->count)
+ || __put_user(list, &request->list))
diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c
--- linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
@@ -36883,6 +37702,18 @@ diff -urNp linux-2.6.32.46/drivers/scsi/scsi_sysfs.c linux-2.6.32.46/drivers/scs
return snprintf(buf, 20, "0x%llx\n", count); \
} \
static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
+diff -urNp linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c
+--- linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-10-06 09:37:14.000000000 -0400
+@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
+ int err;
+
+ dprintk("%lx %u\n", uaddr, len);
+- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
++ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
+ if (err) {
+ /*
+ * TODO: need to fixup sg_tablesize, max_segment_size,
diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c
--- linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
@@ -36975,7 +37806,16 @@ diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c linux-2.6.32.46/dri
transport_setup_device(&rport->dev);
diff -urNp linux-2.6.32.46/drivers/scsi/sg.c linux-2.6.32.46/drivers/scsi/sg.c
--- linux-2.6.32.46/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/drivers/scsi/sg.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/drivers/scsi/sg.c 2011-10-06 09:37:08.000000000 -0400
+@@ -1064,7 +1064,7 @@ sg_ioctl(struct inode *inode, struct fil
+ sdp->disk->disk_name,
+ MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
+ NULL,
+- (char *)arg);
++ (char __user *)arg);
+ case BLKTRACESTART:
+ return blk_trace_startstop(sdp->device->request_queue, 1);
+ case BLKTRACESTOP:
@@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
const struct file_operations * fops;
};
@@ -41466,6 +42306,18 @@ diff -urNp linux-2.6.32.46/fs/autofs4/symlink.c linux-2.6.32.46/fs/autofs4/symli
return NULL;
}
+diff -urNp linux-2.6.32.46/fs/autofs4/waitq.c linux-2.6.32.46/fs/autofs4/waitq.c
+--- linux-2.6.32.46/fs/autofs4/waitq.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/fs/autofs4/waitq.c 2011-10-06 09:37:14.000000000 -0400
+@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
+ {
+ unsigned long sigpipe, flags;
+ mm_segment_t fs;
+- const char *data = (const char *)addr;
++ const char __user *data = (const char __force_user *)addr;
+ ssize_t wr = 0;
+
+ /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
diff -urNp linux-2.6.32.46/fs/befs/linuxvfs.c linux-2.6.32.46/fs/befs/linuxvfs.c
--- linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:24:44.000000000 -0400
+++ linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:25:07.000000000 -0400
@@ -42281,7 +43133,7 @@ diff -urNp linux-2.6.32.46/fs/binfmt_flat.c linux-2.6.32.46/fs/binfmt_flat.c
}
diff -urNp linux-2.6.32.46/fs/bio.c linux-2.6.32.46/fs/bio.c
--- linux-2.6.32.46/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/bio.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/bio.c 2011-10-06 09:37:14.000000000 -0400
@@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
i = 0;
@@ -42296,7 +43148,7 @@ diff -urNp linux-2.6.32.46/fs/bio.c linux-2.6.32.46/fs/bio.c
struct bio_map_data *bmd = bio->bi_private;
int i;
- char *p = bmd->sgvecs[0].iov_base;
-+ char *p = (__force char *)bmd->sgvecs[0].iov_base;
++ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
__bio_for_each_segment(bvec, bio, i, 0) {
char *addr = page_address(bvec->bv_page);
@@ -42690,13 +43542,13 @@ diff -urNp linux-2.6.32.46/fs/cachefiles/proc.c linux-2.6.32.46/fs/cachefiles/pr
diff -urNp linux-2.6.32.46/fs/cachefiles/rdwr.c linux-2.6.32.46/fs/cachefiles/rdwr.c
--- linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-10-06 09:37:14.000000000 -0400
@@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
old_fs = get_fs();
set_fs(KERNEL_DS);
ret = file->f_op->write(
- file, (const void __user *) data, len, &pos);
-+ file, (__force const void __user *) data, len, &pos);
++ file, (const void __force_user *) data, len, &pos);
set_fs(old_fs);
kunmap(page);
if (ret != len)
@@ -43012,7 +43864,27 @@ diff -urNp linux-2.6.32.46/fs/compat_binfmt_elf.c linux-2.6.32.46/fs/compat_binf
/*
diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
--- linux-2.6.32.46/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
-+++ linux-2.6.32.46/fs/compat.c 2011-08-11 19:56:56.000000000 -0400
++++ linux-2.6.32.46/fs/compat.c 2011-10-06 09:37:14.000000000 -0400
+@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char _
+ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+ {
+ compat_ino_t ino = stat->ino;
+- typeof(ubuf->st_uid) uid = 0;
+- typeof(ubuf->st_gid) gid = 0;
++ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
++ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
+ int err;
+
+ SET_UID(uid, stat->uid);
+@@ -533,7 +533,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
+
+ set_fs(KERNEL_DS);
+ /* The __user pointer cast is valid because of the set_fs() */
+- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
++ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
+ set_fs(oldfs);
+ /* truncating is ok because it's a user address */
+ if (!ret)
@@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
struct compat_readdir_callback {
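Review bot: The replacement `typeof(((struct compat_stat *)0)->st_uid) uid = 0;` in cp_compat_stat is harder to read than the `typeof(ubuf->st_uid)` it replaces, and no comment explains the change. Presumably the aim is to keep the `__user` address space of `ubuf` out of the type of a kernel-side local. If so, say it once above the two declarations, e.g. `/* take the type from the struct, not the __user pointer, so the local is not address-space qualified */`. The same idiom is introduced for `d_off` in compat_sys_getdents64 and in getdents64 in fs/readdir.c, and would benefit from the same comment.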
@@ -43086,7 +43958,7 @@ diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
dirent = buf->previous;
if (dirent) {
-@@ -1054,6 +1071,7 @@ asmlinkage long compat_sys_getdents64(un
+@@ -1054,13 +1071,14 @@ asmlinkage long compat_sys_getdents64(un
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -43094,6 +43966,14 @@ diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
error = vfs_readdir(file, compat_filldir64, &buf);
if (error >= 0)
+ error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = file->f_pos;
++ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
+ if (__put_user_unaligned(d_off, &lastdirent->d_off))
+ error = -EFAULT;
+ else
@@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
* verify all the pointers
*/
@@ -43221,9 +44101,18 @@ diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
if (n < 0)
goto out_nofds;
+@@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(in
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ /* The __user pointer casts are valid because of the set_fs() */
+- err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
++ err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
+ set_fs(oldfs);
+
+ if (err)
diff -urNp linux-2.6.32.46/fs/compat_ioctl.c linux-2.6.32.46/fs/compat_ioctl.c
--- linux-2.6.32.46/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/compat_ioctl.c 2011-04-23 12:56:11.000000000 -0400
++++ linux-2.6.32.46/fs/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
@@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
up = (struct compat_video_spu_palette __user *) arg;
err = get_user(palp, &up->palette);
@@ -43233,6 +44122,24 @@ diff -urNp linux-2.6.32.46/fs/compat_ioctl.c linux-2.6.32.46/fs/compat_ioctl.c
up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
err = put_user(compat_ptr(palp), &up_native->palette);
+@@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned
+ return -EFAULT;
+ if (__get_user(udata, &ss32->iomem_base))
+ return -EFAULT;
+- ss.iomem_base = compat_ptr(udata);
++ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
+ if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+ __get_user(ss.port_high, &ss32->port_high))
+ return -EFAULT;
+@@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(stru
+ copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
+ copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
+ copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
+- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
++ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
+ return -EFAULT;
+
+ return ioctl_preallocate(file, p);
diff -urNp linux-2.6.32.46/fs/configfs/dir.c linux-2.6.32.46/fs/configfs/dir.c
--- linux-2.6.32.46/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
@@ -43295,13 +44202,13 @@ diff -urNp linux-2.6.32.46/fs/dlm/lockspace.c linux-2.6.32.46/fs/dlm/lockspace.c
};
diff -urNp linux-2.6.32.46/fs/ecryptfs/inode.c linux-2.6.32.46/fs/ecryptfs/inode.c
--- linux-2.6.32.46/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/ecryptfs/inode.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/ecryptfs/inode.c 2011-10-06 09:37:14.000000000 -0400
@@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
old_fs = get_fs();
set_fs(get_ds());
rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
- (char __user *)lower_buf,
-+ (__force char __user *)lower_buf,
++ (char __force_user *)lower_buf,
lower_bufsiz);
set_fs(old_fs);
if (rc < 0)
@@ -43316,7 +44223,7 @@ diff -urNp linux-2.6.32.46/fs/ecryptfs/inode.c linux-2.6.32.46/fs/ecryptfs/inode
goto out_free;
diff -urNp linux-2.6.32.46/fs/exec.c linux-2.6.32.46/fs/exec.c
--- linux-2.6.32.46/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
-+++ linux-2.6.32.46/fs/exec.c 2011-08-11 19:56:19.000000000 -0400
++++ linux-2.6.32.46/fs/exec.c 2011-10-06 09:37:14.000000000 -0400
@@ -56,12 +56,24 @@
#include <linux/fsnotify.h>
#include <linux/fs_struct.h>
@@ -43500,7 +44407,7 @@ diff -urNp linux-2.6.32.46/fs/exec.c linux-2.6.32.46/fs/exec.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- result = vfs_read(file, (void __user *)addr, count, &pos);
-+ result = vfs_read(file, (__force void __user *)addr, count, &pos);
++ result = vfs_read(file, (void __force_user *)addr, count, &pos);
set_fs(old_fs);
return result;
}
@@ -44118,7 +45025,7 @@ diff -urNp linux-2.6.32.46/fs/ext4/super.c linux-2.6.32.46/fs/ext4/super.c
};
diff -urNp linux-2.6.32.46/fs/fcntl.c linux-2.6.32.46/fs/fcntl.c
--- linux-2.6.32.46/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/fcntl.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/fcntl.c 2011-10-06 09:37:14.000000000 -0400
@@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
if (err)
return err;
@@ -44131,6 +45038,24 @@ diff -urNp linux-2.6.32.46/fs/fcntl.c linux-2.6.32.46/fs/fcntl.c
f_modown(filp, pid, type, force);
return 0;
}
+@@ -265,7 +270,7 @@ pid_t f_getown(struct file *filp)
+
+ static int f_setown_ex(struct file *filp, unsigned long arg)
+ {
+- struct f_owner_ex * __user owner_p = (void * __user)arg;
++ struct f_owner_ex __user *owner_p = (void __user *)arg;
+ struct f_owner_ex owner;
+ struct pid *pid;
+ int type;
+@@ -305,7 +310,7 @@ static int f_setown_ex(struct file *filp
+
+ static int f_getown_ex(struct file *filp, unsigned long arg)
+ {
+- struct f_owner_ex * __user owner_p = (void * __user)arg;
++ struct f_owner_ex __user *owner_p = (void __user *)arg;
+ struct f_owner_ex owner;
+ int ret = 0;
+
@@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
switch (cmd) {
case F_DUPFD:
@@ -46162,7 +47087,7 @@ diff -urNp linux-2.6.32.46/fs/mbcache.c linux-2.6.32.46/fs/mbcache.c
#ifdef MB_CACHE_INDEXES_COUNT
diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
--- linux-2.6.32.46/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/namei.c 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/fs/namei.c 2011-10-06 03:36:41.000000000 -0400
@@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
return ret;
@@ -46212,7 +47137,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = 0;
if (s)
error = __vfs_follow_link(nd, s);
-@@ -669,6 +670,13 @@ static inline int do_follow_link(struct
+@@ -669,6 +670,18 @@ static inline int do_follow_link(struct
err = security_inode_follow_link(path->dentry, nd);
if (err)
goto loop;
@@ -46223,10 +47148,15 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
+ goto loop;
+ }
+
++ if (!gr_acl_handle_hidden_file(path->dentry, nd->path.mnt)) {
++ err = -ENOENT;
++ goto loop;
++ }
++
current->link_count++;
current->total_link_count++;
nd->depth++;
-@@ -1016,11 +1024,18 @@ return_reval:
+@@ -1016,11 +1029,18 @@ return_reval:
break;
}
return_base:
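Review bot: The added check in do_follow_link, `gr_acl_handle_hidden_file(path->dentry, nd->path.mnt)`, pairs the dentry of the link being followed with the mount taken from `nd` rather than from `path`. If the two mounts can ever differ at this point, the hidden-file lookup is resolved against the wrong vfsmount and the `-ENOENT` decision may not match the object actually followed. In that case the call should be `if (!gr_acl_handle_hidden_file(path->dentry, path->mnt)) {`. If they are guaranteed to be the same mount here, a short comment stating that would settle the question. The function starts and ends outside this hunk, so this is inferred from the visible call only.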
@@ -46245,7 +47175,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
path_put(&nd->path);
return_err:
return err;
-@@ -1091,13 +1106,20 @@ static int do_path_lookup(int dfd, const
+@@ -1091,13 +1111,20 @@ static int do_path_lookup(int dfd, const
int retval = path_init(dfd, name, flags, nd);
if (!retval)
retval = path_walk(name, nd);
@@ -46269,7 +47199,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
return retval;
}
-@@ -1576,6 +1598,20 @@ int may_open(struct path *path, int acc_
+@@ -1576,6 +1603,20 @@ int may_open(struct path *path, int acc_
if (error)
goto err_out;
@@ -46290,7 +47220,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
if (flag & O_TRUNC) {
error = get_write_access(inode);
if (error)
-@@ -1621,12 +1657,19 @@ static int __open_namei_create(struct na
+@@ -1621,12 +1662,19 @@ static int __open_namei_create(struct na
int error;
struct dentry *dir = nd->path.dentry;
@@ -46310,7 +47240,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
out_unlock:
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
-@@ -1709,6 +1752,22 @@ struct file *do_filp_open(int dfd, const
+@@ -1709,6 +1757,22 @@ struct file *do_filp_open(int dfd, const
&nd, flag);
if (error)
return ERR_PTR(error);
@@ -46333,7 +47263,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
goto ok;
}
-@@ -1795,6 +1854,14 @@ do_last:
+@@ -1795,6 +1859,14 @@ do_last:
/*
* It already exists.
*/
@@ -46348,7 +47278,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1887,6 +1954,13 @@ do_link:
+@@ -1887,6 +1959,13 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
@@ -46362,7 +47292,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -2061,6 +2135,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2061,6 +2140,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -46380,7 +47310,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2081,6 +2166,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2081,6 +2171,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -46390,7 +47320,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2134,6 +2222,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2134,6 +2227,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
if (IS_ERR(dentry))
goto out_unlock;
@@ -46402,7 +47332,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2145,6 +2238,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2145,6 +2243,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -46413,7 +47343,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2226,6 +2323,8 @@ static long do_rmdir(int dfd, const char
+@@ -2226,6 +2328,8 @@ static long do_rmdir(int dfd, const char
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -46422,7 +47352,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2250,6 +2349,19 @@ static long do_rmdir(int dfd, const char
+@@ -2250,6 +2354,19 @@ static long do_rmdir(int dfd, const char
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -46442,7 +47372,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2257,6 +2369,8 @@ static long do_rmdir(int dfd, const char
+@@ -2257,6 +2374,8 @@ static long do_rmdir(int dfd, const char
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -46451,7 +47381,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2318,6 +2432,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2318,6 +2437,8 @@ static long do_unlinkat(int dfd, const c
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -46460,7 +47390,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2337,8 +2453,19 @@ static long do_unlinkat(int dfd, const c
+@@ -2337,8 +2458,19 @@ static long do_unlinkat(int dfd, const c
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -46481,7 +47411,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2346,6 +2473,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2346,6 +2478,8 @@ static long do_unlinkat(int dfd, const c
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -46490,7 +47420,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2424,6 +2553,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2424,6 +2558,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (IS_ERR(dentry))
goto out_unlock;
@@ -46502,7 +47432,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2431,6 +2565,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2431,6 +2570,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -46511,7 +47441,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2524,6 +2660,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2524,6 +2665,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -46532,7 +47462,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2531,6 +2681,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2531,6 +2686,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -46541,7 +47471,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2708,6 +2860,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2708,6 +2865,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
char *to;
int error;
@@ -46550,7 +47480,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = user_path_parent(olddfd, oldname, &oldnd, &from);
if (error)
goto exit;
-@@ -2764,6 +2918,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2764,6 +2923,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
if (new_dentry == trap)
goto exit5;
@@ -46563,7 +47493,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2773,6 +2933,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2773,6 +2938,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -46573,7 +47503,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -2798,6 +2961,8 @@ SYSCALL_DEFINE2(rename, const char __use
+@@ -2798,6 +2966,8 @@ SYSCALL_DEFINE2(rename, const char __use
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -46582,7 +47512,7 @@ diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
int len;
len = PTR_ERR(link);
-@@ -2807,7 +2972,14 @@ int vfs_readlink(struct dentry *dentry,
+@@ -2807,7 +2977,14 @@ int vfs_readlink(struct dentry *dentry,
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -46805,13 +47735,13 @@ diff -urNp linux-2.6.32.46/fs/nfsd/nfs4xdr.c linux-2.6.32.46/fs/nfsd/nfs4xdr.c
BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
--- linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
-+++ linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:33.000000000 -0400
++++ linux-2.6.32.46/fs/nfsd/vfs.c 2011-10-06 09:37:14.000000000 -0400
@@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
} else {
oldfs = get_fs();
set_fs(KERNEL_DS);
- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
-+ host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
++ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
set_fs(oldfs);
}
@@ -46820,7 +47750,7 @@ diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
/* Write the data. */
oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
-+ host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
++ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
set_fs(oldfs);
if (host_err < 0)
goto out_nfserr;
@@ -46829,7 +47759,7 @@ diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = inode->i_op->readlink(dentry, buf, *lenp);
-+ host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
++ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
set_fs(oldfs);
if (host_err < 0)
@@ -48392,7 +49322,7 @@ diff -urNp linux-2.6.32.46/fs/proc/task_nommu.c linux-2.6.32.46/fs/proc/task_nom
seq_putc(m, '\n');
diff -urNp linux-2.6.32.46/fs/readdir.c linux-2.6.32.46/fs/readdir.c
--- linux-2.6.32.46/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/readdir.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/readdir.c 2011-10-06 09:37:14.000000000 -0400
@@ -16,6 +16,7 @@
#include <linux/security.h>
#include <linux/syscalls.h>
@@ -48482,6 +49412,15 @@ diff -urNp linux-2.6.32.46/fs/readdir.c linux-2.6.32.46/fs/readdir.c
buf.count = count;
buf.error = 0;
+@@ -297,7 +316,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
+ error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = file->f_pos;
++ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
+ if (__put_user(d_off, &lastdirent->d_off))
+ error = -EFAULT;
+ else
diff -urNp linux-2.6.32.46/fs/reiserfs/dir.c linux-2.6.32.46/fs/reiserfs/dir.c
--- linux-2.6.32.46/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
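Review bot: The new declaration `typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;` in getdents64 has no comment, and the null-pointer member idiom is easy to misread as a dereference. `typeof` does not evaluate its operand, so nothing is read through the null pointer. The change presumably exists so the type is no longer named through `lastdirent`, which appears to be a user pointer because its member is written with `__put_user` on the next line. I would add `/* take the type from the struct itself, not through the __user pointer */` above the declaration. The body of getdents64 starts and ends outside the hunk.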
@@ -48809,7 +49748,7 @@ diff -urNp linux-2.6.32.46/fs/smbfs/symlink.c linux-2.6.32.46/fs/smbfs/symlink.c
}
diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
--- linux-2.6.32.46/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/splice.c 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/fs/splice.c 2011-10-06 09:37:14.000000000 -0400
@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
pipe_lock(pipe);
@@ -48845,7 +49784,7 @@ diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
-+ res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
++ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
set_fs(old_fs);
return res;
@@ -48854,7 +49793,7 @@ diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- res = vfs_write(file, (const char __user *)buf, count, &pos);
-+ res = vfs_write(file, (__force const char __user *)buf, count, &pos);
++ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
set_fs(old_fs);
return res;
@@ -60125,8 +61064,58 @@ diff -urNp linux-2.6.32.46/include/linux/compiler-gcc4.h linux-2.6.32.46/include
#endif
diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linux/compiler.h
--- linux-2.6.32.46/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/include/linux/compiler.h 2011-08-26 20:19:09.000000000 -0400
-@@ -247,6 +247,14 @@ void ftrace_likely_update(struct ftrace_
++++ linux-2.6.32.46/include/linux/compiler.h 2011-10-06 09:37:14.000000000 -0400
+@@ -5,11 +5,14 @@
+
+ #ifdef __CHECKER__
+ # define __user __attribute__((noderef, address_space(1)))
++# define __force_user __force __user
+ # define __kernel /* default address space */
++# define __force_kernel __force __kernel
+ # define __safe __attribute__((safe))
+ # define __force __attribute__((force))
+ # define __nocast __attribute__((nocast))
+ # define __iomem __attribute__((noderef, address_space(2)))
++# define __force_iomem __force __iomem
+ # define __acquires(x) __attribute__((context(x,0,1)))
+ # define __releases(x) __attribute__((context(x,1,0)))
+ # define __acquire(x) __context__(x,1)
+@@ -17,13 +20,34 @@
+ # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
+ extern void __chk_user_ptr(const volatile void __user *);
+ extern void __chk_io_ptr(const volatile void __iomem *);
++#elif defined(CHECKER_PLUGIN)
++//# define __user
++//# define __force_user
++//# define __kernel
++//# define __force_kernel
++# define __safe
++# define __force
++# define __nocast
++# define __iomem
++# define __force_iomem
++# define __chk_user_ptr(x) (void)0
++# define __chk_io_ptr(x) (void)0
++# define __builtin_warning(x, y...) (1)
++# define __acquires(x)
++# define __releases(x)
++# define __acquire(x) (void)0
++# define __release(x) (void)0
++# define __cond_lock(x,c) (c)
+ #else
+ # define __user
++# define __force_user
+ # define __kernel
++# define __force_kernel
+ # define __safe
+ # define __force
+ # define __nocast
+ # define __iomem
++# define __force_iomem
+ # define __chk_user_ptr(x) (void)0
+ # define __chk_io_ptr(x) (void)0
+ # define __builtin_warning(x, y...) (1)
+@@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_
# define __attribute_const__ /* unimplemented */
#endif
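Review bot: In the new `#elif defined(CHECKER_PLUGIN)` branch, `__user`, `__force_user`, `__kernel` and `__force_kernel` appear only as commented-out `//# define` lines, so a build with `-DCHECKER_PLUGIN` gets no preprocessor definition for them. The `#else` branch defines all four as empty. If this is deliberate (presumably the checker plugin provides these names itself), say so in place, for example `/* __user, __force_user, __kernel, __force_kernel: intentionally not defined here, supplied by the checker plugin */`, rather than leaving dead defines. If it is not deliberate, every `__user` annotation becomes an unknown identifier under that flag.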
@@ -60141,7 +61130,7 @@ diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linu
/*
* Tell gcc if a function is cold. The compiler will assume any path
* directly leading to the call is unlikely.
-@@ -256,6 +264,22 @@ void ftrace_likely_update(struct ftrace_
+@@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_
#define __cold
#endif
@@ -60164,7 +61153,7 @@ diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linu
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -278,6 +302,7 @@ void ftrace_likely_update(struct ftrace_
+@@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_
* use is to mediate communication between process-level code and irq/NMI
* handlers, all running on the same CPU.
*/
@@ -63507,16 +64496,17 @@ diff -urNp linux-2.6.32.46/include/linux/types.h linux-2.6.32.46/include/linux/t
struct ustat {
diff -urNp linux-2.6.32.46/include/linux/uaccess.h linux-2.6.32.46/include/linux/uaccess.h
--- linux-2.6.32.46/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/include/linux/uaccess.h 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/include/linux/uaccess.h 2011-10-06 09:37:14.000000000 -0400
@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
long ret; \
mm_segment_t old_fs = get_fs(); \
\
- set_fs(KERNEL_DS); \
pagefault_disable(); \
-+ set_fs(KERNEL_DS); \
- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
+- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
- pagefault_enable(); \
++ set_fs(KERNEL_DS); \
++ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
set_fs(old_fs); \
+ pagefault_enable(); \
ret; \
@@ -64290,15 +65280,15 @@ diff -urNp linux-2.6.32.46/init/do_mounts.c linux-2.6.32.46/init/do_mounts.c
}
diff -urNp linux-2.6.32.46/init/do_mounts.h linux-2.6.32.46/init/do_mounts.h
--- linux-2.6.32.46/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/init/do_mounts.h 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/init/do_mounts.h 2011-10-06 09:37:14.000000000 -0400
@@ -15,15 +15,15 @@ extern int root_mountflags;
static inline int create_dev(char *name, dev_t dev)
{
- sys_unlink(name);
- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
-+ sys_unlink((__force char __user *)name);
-+ return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
++ sys_unlink((char __force_user *)name);
++ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
}
#if BITS_PER_LONG == 32
@@ -64306,13 +65296,22 @@ diff -urNp linux-2.6.32.46/init/do_mounts.h linux-2.6.32.46/init/do_mounts.h
{
struct stat64 stat;
- if (sys_stat64(name, &stat) != 0)
-+ if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
++ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
+ return 0;
+ if (!S_ISBLK(stat.st_mode))
+ return 0;
+@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
+ static inline u32 bstat(char *name)
+ {
+ struct stat stat;
+- if (sys_newstat(name, &stat) != 0)
++ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
return 0;
if (!S_ISBLK(stat.st_mode))
return 0;
diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mounts_initrd.c
--- linux-2.6.32.46/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/init/do_mounts_initrd.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/init/do_mounts_initrd.c 2011-10-06 09:37:14.000000000 -0400
@@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
sys_close(old_fd);sys_close(root_fd);
sys_close(0);sys_close(1);sys_close(2);
@@ -64329,16 +65328,16 @@ diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mount
- sys_mkdir("/old", 0700);
- root_fd = sys_open("/", 0, 0);
- old_fd = sys_open("/old", 0, 0);
-+ sys_mkdir((__force const char __user *)"/old", 0700);
-+ root_fd = sys_open((__force const char __user *)"/", 0, 0);
-+ old_fd = sys_open((__force const char __user *)"/old", 0, 0);
++ sys_mkdir((const char __force_user *)"/old", 0700);
++ root_fd = sys_open((const char __force_user *)"/", 0, 0);
++ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
/* move initrd over / and chdir/chroot in initrd root */
- sys_chdir("/root");
- sys_mount(".", "/", NULL, MS_MOVE, NULL);
- sys_chroot(".");
-+ sys_chdir((__force const char __user *)"/root");
-+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
-+ sys_chroot((__force const char __user *)".");
++ sys_chdir((const char __force_user *)"/root");
++ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
++ sys_chroot((const char __force_user *)".");
/*
* In case that a resume from disk is carried out by linuxrc or one of
@@ -64347,17 +65346,17 @@ diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mount
/* move initrd to rootfs' /old */
sys_fchdir(old_fd);
- sys_mount("/", ".", NULL, MS_MOVE, NULL);
-+ sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
++ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
/* switch root and cwd back to / of rootfs */
sys_fchdir(root_fd);
- sys_chroot(".");
-+ sys_chroot((__force const char __user *)".");
++ sys_chroot((const char __force_user *)".");
sys_close(old_fd);
sys_close(root_fd);
if (new_decode_dev(real_root_dev) == Root_RAM0) {
- sys_chdir("/old");
-+ sys_chdir((__force const char __user *)"/old");
++ sys_chdir((const char __force_user *)"/old");
return;
}
@@ -64366,19 +65365,19 @@ diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mount
printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
-+ error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
++ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
if (!error)
printk("okay\n");
else {
- int fd = sys_open("/dev/root.old", O_RDWR, 0);
-+ int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
++ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
if (error == -ENOENT)
printk("/initrd does not exist. Ignored.\n");
else
printk("failed\n");
printk(KERN_NOTICE "Unmounting old root\n");
- sys_umount("/old", MNT_DETACH);
-+ sys_umount((__force char __user *)"/old", MNT_DETACH);
++ sys_umount((char __force_user *)"/old", MNT_DETACH);
printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
if (fd < 0) {
error = fd;
@@ -64387,24 +65386,24 @@ diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mount
*/
if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
- sys_unlink("/initrd.image");
-+ sys_unlink((__force const char __user *)"/initrd.image");
++ sys_unlink((const char __force_user *)"/initrd.image");
handle_initrd();
return 1;
}
}
- sys_unlink("/initrd.image");
-+ sys_unlink((__force const char __user *)"/initrd.image");
++ sys_unlink((const char __force_user *)"/initrd.image");
return 0;
}
diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md.c
--- linux-2.6.32.46/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/init/do_mounts_md.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/init/do_mounts_md.c 2011-10-06 09:37:14.000000000 -0400
@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
partitioned ? "_d" : "", minor,
md_setup_args[ent].device_names);
- fd = sys_open(name, 0, 0);
-+ fd = sys_open((__force char __user *)name, 0, 0);
++ fd = sys_open((char __force_user *)name, 0, 0);
if (fd < 0) {
printk(KERN_ERR "md: open failed - cannot start "
"array %s\n", name);
@@ -64413,7 +65412,7 @@ diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md
*/
sys_close(fd);
- fd = sys_open(name, 0, 0);
-+ fd = sys_open((__force char __user *)name, 0, 0);
++ fd = sys_open((char __force_user *)name, 0, 0);
sys_ioctl(fd, BLKRRPART, 0);
}
sys_close(fd);
@@ -64428,7 +65427,7 @@ diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md
sys_close(fd);
diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
--- linux-2.6.32.46/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/init/initramfs.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/init/initramfs.c 2011-10-06 09:37:14.000000000 -0400
@@ -74,7 +74,7 @@ static void __init free_hash(void)
}
}
@@ -64443,7 +65442,7 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
list_for_each_entry_safe(de, tmp, &dir_list, list) {
list_del(&de->list);
- do_utime(de->name, de->mtime);
-+ do_utime((__force char __user *)de->name, de->mtime);
++ do_utime((char __force_user *)de->name, de->mtime);
kfree(de->name);
kfree(de);
}
@@ -64452,7 +65451,7 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
char *old = find_link(major, minor, ino, mode, collected);
if (old)
- return (sys_link(old, collected) < 0) ? -1 : 1;
-+ return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
++ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
}
return 0;
}
@@ -64461,13 +65460,13 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
struct stat st;
- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
-+ if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
++ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
if (S_ISDIR(st.st_mode))
- sys_rmdir(path);
-+ sys_rmdir((__force char __user *)path);
++ sys_rmdir((char __force_user *)path);
else
- sys_unlink(path);
-+ sys_unlink((__force char __user *)path);
++ sys_unlink((char __force_user *)path);
}
}
@@ -64476,7 +65475,7 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
if (ml != 1)
openflags |= O_TRUNC;
- wfd = sys_open(collected, openflags, mode);
-+ wfd = sys_open((__force char __user *)collected, openflags, mode);
++ wfd = sys_open((char __force_user *)collected, openflags, mode);
if (wfd >= 0) {
sys_fchown(wfd, uid, gid);
@@ -64487,9 +65486,9 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
- sys_mkdir(collected, mode);
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
-+ sys_mkdir((__force char __user *)collected, mode);
-+ sys_chown((__force char __user *)collected, uid, gid);
-+ sys_chmod((__force char __user *)collected, mode);
++ sys_mkdir((char __force_user *)collected, mode);
++ sys_chown((char __force_user *)collected, uid, gid);
++ sys_chmod((char __force_user *)collected, mode);
dir_add(collected, mtime);
} else if (S_ISBLK(mode) || S_ISCHR(mode) ||
S_ISFIFO(mode) || S_ISSOCK(mode)) {
@@ -64498,10 +65497,10 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
- do_utime(collected, mtime);
-+ sys_mknod((__force char __user *)collected, mode, rdev);
-+ sys_chown((__force char __user *)collected, uid, gid);
-+ sys_chmod((__force char __user *)collected, mode);
-+ do_utime((__force char __user *)collected, mtime);
++ sys_mknod((char __force_user *)collected, mode, rdev);
++ sys_chown((char __force_user *)collected, uid, gid);
++ sys_chmod((char __force_user *)collected, mode);
++ do_utime((char __force_user *)collected, mtime);
}
}
return 0;
@@ -64510,17 +65509,17 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
{
if (count >= body_len) {
- sys_write(wfd, victim, body_len);
-+ sys_write(wfd, (__force char __user *)victim, body_len);
++ sys_write(wfd, (char __force_user *)victim, body_len);
sys_close(wfd);
- do_utime(vcollected, mtime);
-+ do_utime((__force char __user *)vcollected, mtime);
++ do_utime((char __force_user *)vcollected, mtime);
kfree(vcollected);
eat(body_len);
state = SkipIt;
return 0;
} else {
- sys_write(wfd, victim, count);
-+ sys_write(wfd, (__force char __user *)victim, count);
++ sys_write(wfd, (char __force_user *)victim, count);
body_len -= count;
eat(count);
return 1;
@@ -64531,9 +65530,9 @@ diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
- sys_symlink(collected + N_ALIGN(name_len), collected);
- sys_lchown(collected, uid, gid);
- do_utime(collected, mtime);
-+ sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
-+ sys_lchown((__force char __user *)collected, uid, gid);
-+ do_utime((__force char __user *)collected, mtime);
++ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
++ sys_lchown((char __force_user *)collected, uid, gid);
++ do_utime((char __force_user *)collected, mtime);
state = SkipIt;
next_state = Reset;
return 0;
@@ -64551,7 +65550,7 @@ diff -urNp linux-2.6.32.46/init/Kconfig linux-2.6.32.46/init/Kconfig
also breaks ancient binaries (including anything libc5 based).
diff -urNp linux-2.6.32.46/init/main.c linux-2.6.32.46/init/main.c
--- linux-2.6.32.46/init/main.c 2011-05-10 22:12:01.000000000 -0400
-+++ linux-2.6.32.46/init/main.c 2011-08-05 20:33:55.000000000 -0400
++++ linux-2.6.32.46/init/main.c 2011-10-06 09:37:14.000000000 -0400
@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
#ifdef CONFIG_TC
extern void tc_init(void);
@@ -64685,7 +65684,7 @@ diff -urNp linux-2.6.32.46/init/main.c linux-2.6.32.46/init/main.c
ramdisk_execute_command = "/init";
- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
-+ if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
++ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
ramdisk_execute_command = NULL;
prepare_namespace();
}
@@ -64886,13 +65885,13 @@ diff -urNp linux-2.6.32.46/ipc/shm.c linux-2.6.32.46/ipc/shm.c
diff -urNp linux-2.6.32.46/kernel/acct.c linux-2.6.32.46/kernel/acct.c
--- linux-2.6.32.46/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/kernel/acct.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/kernel/acct.c 2011-10-06 09:37:14.000000000 -0400
@@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
*/
flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
- file->f_op->write(file, (char *)&ac,
-+ file->f_op->write(file, (__force char __user *)&ac,
++ file->f_op->write(file, (char __force_user *)&ac,
sizeof(acct_t), &file->f_pos);
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
@@ -65012,6 +66011,157 @@ diff -urNp linux-2.6.32.46/kernel/cgroup.c linux-2.6.32.46/kernel/cgroup.c
/* First see if we already have a cgroup group that matches
* the desired set */
read_lock(&css_set_lock);
+diff -urNp linux-2.6.32.46/kernel/compat.c linux-2.6.32.46/kernel/compat.c
+--- linux-2.6.32.46/kernel/compat.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/kernel/compat.c 2011-10-06 09:37:14.000000000 -0400
+@@ -108,7 +108,7 @@ static long compat_nanosleep_restart(str
+ mm_segment_t oldfs;
+ long ret;
+
+- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
++ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep_restart(restart);
+@@ -140,7 +140,7 @@ asmlinkage long compat_sys_nanosleep(str
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep(&tu,
+- rmtp ? (struct timespec __user *)&rmt : NULL,
++ rmtp ? (struct timespec __force_user *)&rmt : NULL,
+ HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+ set_fs(oldfs);
+
+@@ -247,7 +247,7 @@ asmlinkage long compat_sys_sigpending(co
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_sigpending((old_sigset_t __user *) &s);
++ ret = sys_sigpending((old_sigset_t __force_user *) &s);
+ set_fs(old_fs);
+ if (ret == 0)
+ ret = put_user(s, set);
+@@ -266,8 +266,8 @@ asmlinkage long compat_sys_sigprocmask(i
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = sys_sigprocmask(how,
+- set ? (old_sigset_t __user *) &s : NULL,
+- oset ? (old_sigset_t __user *) &s : NULL);
++ set ? (old_sigset_t __force_user *) &s : NULL,
++ oset ? (old_sigset_t __force_user *) &s : NULL);
+ set_fs(old_fs);
+ if (ret == 0)
+ if (oset)
+@@ -310,7 +310,7 @@ asmlinkage long compat_sys_old_getrlimit
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_old_getrlimit(resource, &r);
++ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
+ set_fs(old_fs);
+
+ if (!ret) {
+@@ -385,7 +385,7 @@ asmlinkage long compat_sys_getrusage(int
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_getrusage(who, (struct rusage __user *) &r);
++ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
+ set_fs(old_fs);
+
+ if (ret)
+@@ -412,8 +412,8 @@ compat_sys_wait4(compat_pid_t pid, compa
+ set_fs (KERNEL_DS);
+ ret = sys_wait4(pid,
+ (stat_addr ?
+- (unsigned int __user *) &status : NULL),
+- options, (struct rusage __user *) &r);
++ (unsigned int __force_user *) &status : NULL),
++ options, (struct rusage __force_user *) &r);
+ set_fs (old_fs);
+
+ if (ret > 0) {
+@@ -438,8 +438,8 @@ asmlinkage long compat_sys_waitid(int wh
+ memset(&info, 0, sizeof(info));
+
+ set_fs(KERNEL_DS);
+- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
+- uru ? (struct rusage __user *)&ru : NULL);
++ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
++ uru ? (struct rusage __force_user *)&ru : NULL);
+ set_fs(old_fs);
+
+ if ((ret < 0) || (info.si_signo == 0))
+@@ -569,8 +569,8 @@ long compat_sys_timer_settime(timer_t ti
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_timer_settime(timer_id, flags,
+- (struct itimerspec __user *) &newts,
+- (struct itimerspec __user *) &oldts);
++ (struct itimerspec __force_user *) &newts,
++ (struct itimerspec __force_user *) &oldts);
+ set_fs(oldfs);
+ if (!err && old && put_compat_itimerspec(old, &oldts))
+ return -EFAULT;
+@@ -587,7 +587,7 @@ long compat_sys_timer_gettime(timer_t ti
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_timer_gettime(timer_id,
+- (struct itimerspec __user *) &ts);
++ (struct itimerspec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && put_compat_itimerspec(setting, &ts))
+ return -EFAULT;
+@@ -606,7 +606,7 @@ long compat_sys_clock_settime(clockid_t
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_settime(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ return err;
+ }
+@@ -621,7 +621,7 @@ long compat_sys_clock_gettime(clockid_t
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_gettime(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && put_compat_timespec(&ts, tp))
+ return -EFAULT;
+@@ -638,7 +638,7 @@ long compat_sys_clock_getres(clockid_t w
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_getres(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && tp && put_compat_timespec(&ts, tp))
+ return -EFAULT;
+@@ -650,9 +650,9 @@ static long compat_clock_nanosleep_resta
+ long err;
+ mm_segment_t oldfs;
+ struct timespec tu;
+- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
++ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
+
+- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
++ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = clock_nanosleep_restart(restart);
+@@ -684,8 +684,8 @@ long compat_sys_clock_nanosleep(clockid_
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_nanosleep(which_clock, flags,
+- (struct timespec __user *) &in,
+- (struct timespec __user *) &out);
++ (struct timespec __force_user *) &in,
++ (struct timespec __force_user *) &out);
+ set_fs(oldfs);
+
+ if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
diff -urNp linux-2.6.32.46/kernel/configs.c linux-2.6.32.46/kernel/configs.c
--- linux-2.6.32.46/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
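Review bot: None of the `__force_user` casts added in kernel/compat.c say why a kernel stack object may be passed where a user pointer is expected, although fs/splice.c and kernel/kmod.c in this same patch carry a comment for the same pattern. Each cast is only sound between `set_fs(KERNEL_DS)` and the restoring `set_fs(oldfs)`, and `__force` silences the checker at exactly those sites. A one-line comment per site would record the invariant, e.g. `/* kernel buffer: valid as __user only while KERNEL_DS is set */`. In `compat_nanosleep_restart` and `compat_clock_nanosleep_restart` the cast pointer is stored in `restart->nanosleep.rmtp` before `set_fs(KERNEL_DS)`. Whether it is read again after `set_fs(oldfs)` cannot be seen here, because these functions start and end outside the hunks.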
@@ -65761,6 +66911,19 @@ diff -urNp linux-2.6.32.46/kernel/kallsyms.c linux-2.6.32.46/kernel/kallsyms.c
if (!iter)
return -ENOMEM;
reset_iter(iter, 0);
+diff -urNp linux-2.6.32.46/kernel/kexec.c linux-2.6.32.46/kernel/kexec.c
+--- linux-2.6.32.46/kernel/kexec.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/kernel/kexec.c 2011-10-06 09:37:14.000000000 -0400
+@@ -1028,7 +1028,8 @@ asmlinkage long compat_sys_kexec_load(un
+ unsigned long flags)
+ {
+ struct compat_kexec_segment in;
+- struct kexec_segment out, __user *ksegments;
++ struct kexec_segment out;
++ struct kexec_segment __user *ksegments;
+ unsigned long i, result;
+
+ /* Don't allow clients that don't understand the native
diff -urNp linux-2.6.32.46/kernel/kgdb.c linux-2.6.32.46/kernel/kgdb.c
--- linux-2.6.32.46/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
+++ linux-2.6.32.46/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
@@ -65845,7 +67008,7 @@ diff -urNp linux-2.6.32.46/kernel/kgdb.c linux-2.6.32.46/kernel/kgdb.c
diff -urNp linux-2.6.32.46/kernel/kmod.c linux-2.6.32.46/kernel/kmod.c
--- linux-2.6.32.46/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/kernel/kmod.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/kernel/kmod.c 2011-10-06 09:37:14.000000000 -0400
@@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
* If module auto-loading support is disabled then this function
* becomes a no-operation.
@@ -65939,6 +67102,15 @@ diff -urNp linux-2.6.32.46/kernel/kmod.c linux-2.6.32.46/kernel/kmod.c
EXPORT_SYMBOL(__request_module);
#endif /* CONFIG_MODULES */
+@@ -226,7 +279,7 @@ static int wait_for_helper(void *data)
+ *
+ * Thus the __user pointer cast is valid here.
+ */
+- sys_wait4(pid, (int __user *)&ret, 0, NULL);
++ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
+
+ /*
+ * If ret is 0, either ____call_usermodehelper failed and the
diff -urNp linux-2.6.32.46/kernel/kprobes.c linux-2.6.32.46/kernel/kprobes.c
--- linux-2.6.32.46/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
@@ -66919,7 +68091,7 @@ diff -urNp linux-2.6.32.46/kernel/params.c linux-2.6.32.46/kernel/params.c
diff -urNp linux-2.6.32.46/kernel/perf_event.c linux-2.6.32.46/kernel/perf_event.c
--- linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:35:30.000000000 -0400
-+++ linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:34:01.000000000 -0400
++++ linux-2.6.32.46/kernel/perf_event.c 2011-10-06 09:37:14.000000000 -0400
@@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
*/
int sysctl_perf_event_sample_rate __read_mostly = 100000;
@@ -67044,6 +68216,21 @@ diff -urNp linux-2.6.32.46/kernel/perf_event.c linux-2.6.32.46/kernel/perf_event
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(sub);
+@@ -3525,12 +3525,12 @@ static void perf_event_mmap_event(struct
+ * need to add enough zero bytes after the string to handle
+ * the 64bit alignment we do later.
+ */
+- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
++ buf = kzalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf) {
+ name = strncpy(tmp, "//enomem", sizeof(tmp));
+ goto got_name;
+ }
+- name = d_path(&file->f_path, buf, PATH_MAX);
++ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
+ if (IS_ERR(name)) {
+ name = strncpy(tmp, "//toolong", sizeof(tmp));
+ goto got_name;
@@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
{
struct hw_perf_event *hwc = &event->hw;
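Review bot: In perf_event_mmap_event the new pair `kzalloc(PATH_MAX, GFP_KERNEL)` and `d_path(&file->f_path, buf, PATH_MAX - sizeof(u64))` leaves the existing comment inaccurate. It still says zero bytes are added after the string, but the allocation no longer grows; instead the last `sizeof(u64)` bytes of `buf` are withheld from `d_path`. A path that previously fit in `PATH_MAX` but not in `PATH_MAX - sizeof(u64)` will now take the `"//toolong"` branch. I would reword the comment to something like `/* d_path() gets PATH_MAX - sizeof(u64) so the zeroed tail of buf stays free for the u64 alignment padding */`. The padding code itself is outside the hunk, so the claim that the reserved tail covers it should be checked against that code.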
@@ -69235,6 +70422,27 @@ diff -urNp linux-2.6.32.46/kernel/user.c linux-2.6.32.46/kernel/user.c
key_put(new->uid_keyring);
key_put(new->session_keyring);
kmem_cache_free(uid_cachep, new);
+diff -urNp linux-2.6.32.46/lib/bitmap.c linux-2.6.32.46/lib/bitmap.c
+--- linux-2.6.32.46/lib/bitmap.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/lib/bitmap.c 2011-10-06 09:37:14.000000000 -0400
+@@ -341,7 +341,7 @@ int __bitmap_parse(const char *buf, unsi
+ {
+ int c, old_c, totaldigits, ndigits, nchunks, nbits;
+ u32 chunk;
+- const char __user *ubuf = buf;
++ const char __user *ubuf = (const char __force_user *)buf;
+
+ bitmap_zero(maskp, nmaskbits);
+
+@@ -426,7 +426,7 @@ int bitmap_parse_user(const char __user
+ {
+ if (!access_ok(VERIFY_READ, ubuf, ulen))
+ return -EFAULT;
+- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
++ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
+ }
+ EXPORT_SYMBOL(bitmap_parse_user);
+
diff -urNp linux-2.6.32.46/lib/bug.c linux-2.6.32.46/lib/bug.c
--- linux-2.6.32.46/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
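Review bot: In bitmap_parse_user the cast `(const char __force_kernel *)ubuf` strips the user tag from a pointer that is still user-controlled, and `__bitmap_parse` re-tags it with `(const char __force_user *)buf`. Both casts are forced, so the checker cannot confirm that the pointer is never dereferenced directly. The only visible validation is the `access_ok(VERIFY_READ, ubuf, ulen)` range check, and safety then depends on the literal `1` passed as the is_user argument selecting the user-copy path inside `__bitmap_parse`, presumably `__get_user`, which is outside the hunk. I would document this at the call with `/* still a user pointer: is_user=1 makes __bitmap_parse read it via the user accessors only */`. A matching comment on the `ubuf` initialisation should note that `ubuf` must not be used when is_user is 0.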
@@ -69259,6 +70467,27 @@ diff -urNp linux-2.6.32.46/lib/debugobjects.c linux-2.6.32.46/lib/debugobjects.c
if (is_on_stack == onstack)
return;
+diff -urNp linux-2.6.32.46/lib/devres.c linux-2.6.32.46/lib/devres.c
+--- linux-2.6.32.46/lib/devres.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/lib/devres.c 2011-10-06 09:37:14.000000000 -0400
+@@ -80,7 +80,7 @@ void devm_iounmap(struct device *dev, vo
+ {
+ iounmap(addr);
+ WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
+- (void *)addr));
++ (void __force *)addr));
+ }
+ EXPORT_SYMBOL(devm_iounmap);
+
+@@ -140,7 +140,7 @@ void devm_ioport_unmap(struct device *de
+ {
+ ioport_unmap(addr);
+ WARN_ON(devres_destroy(dev, devm_ioport_map_release,
+- devm_ioport_map_match, (void *)addr));
++ devm_ioport_map_match, (void __force *)addr));
+ }
+ EXPORT_SYMBOL(devm_ioport_unmap);
+
diff -urNp linux-2.6.32.46/lib/dma-debug.c linux-2.6.32.46/lib/dma-debug.c
--- linux-2.6.32.46/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
@@ -69507,7 +70736,7 @@ diff -urNp linux-2.6.32.46/localversion-grsec linux-2.6.32.46/localversion-grsec
+-grsec
diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
--- linux-2.6.32.46/Makefile 2011-08-29 22:24:44.000000000 -0400
-+++ linux-2.6.32.46/Makefile 2011-09-01 17:24:34.000000000 -0400
++++ linux-2.6.32.46/Makefile 2011-10-06 09:43:36.000000000 -0400
@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
HOSTCC = gcc
@@ -69533,15 +70762,18 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
KBUILD_AFLAGS := -D__ASSEMBLY__
# Read KERNELRELEASE from include/config/kernel.release (if it exists)
-@@ -377,6 +380,7 @@ export RCS_TAR_IGNORE := --exclude SCCS
+@@ -376,8 +379,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
+ # Rules shared between *config targets and build targets
# Basic helpers built in scripts/
- PHONY += scripts_basic
-+scripts_basic: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS))
- scripts_basic:
+-PHONY += scripts_basic
+-scripts_basic:
++PHONY += scripts_basic gcc-plugins
++scripts_basic: gcc-plugins
$(Q)$(MAKE) $(build)=scripts/basic
-@@ -403,7 +407,7 @@ endif
+ # To avoid any implicit rule to kick in, define an empty command.
+@@ -403,7 +406,7 @@ endif
# of make so .config is not included in this case either (for *config).
no-dot-config-targets := clean mrproper distclean \
@@ -69550,16 +70782,28 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
include/linux/version.h headers_% \
kernelrelease kernelversion
-@@ -526,6 +530,24 @@ else
+@@ -526,6 +529,36 @@ else
KBUILD_CFLAGS += -O2
endif
-+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC)), y)
++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
+ifdef CONFIG_PAX_MEMORY_STACKLEAK
+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
+endif
-+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN
++ifdef CONFIG_KALLOCSTAT_PLUGIN
++KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
++endif
++ifdef CONFIG_PAX_KERNEXEC_PLUGIN
++KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
++endif
++ifdef CONFIG_CHECKER_PLUGIN
++ifeq ($(call cc-ifversion, -ge, 0406, y), y)
++CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
++endif
++endif
++GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
++export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
+gcc-plugins:
+ $(Q)$(MAKE) $(build)=tools/gcc
+else
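Review bot: `KALLOCSTAT_PLUGIN` is added to `GCC_PLUGINS` but is missing from the `export` line directly below it, which makes it the only plugin variable that a sub-make cannot see or filter out by name. If the omission is deliberate, a one-line comment above the `export` should say why. Otherwise the line should read `export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KALLOCSTAT_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN`. The `else` branch of this `ifeq` continues outside the hunk.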
@@ -69575,7 +70819,7 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
include $(srctree)/arch/$(SRCARCH)/Makefile
ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -644,7 +666,7 @@ export mod_strip_cmd
+@@ -644,7 +677,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -69584,34 +70828,34 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -840,6 +862,8 @@ define rule_vmlinux-modpost
+@@ -840,6 +873,8 @@ define rule_vmlinux-modpost
endef
# vmlinux image - including updated kernel symbols
-+$(vmlinux-all): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++$(vmlinux-all): KBUILD_CFLAGS += $(GCC_PLUGINS)
+$(vmlinux-all): gcc-plugins
vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE
ifdef CONFIG_HEADERS_CHECK
$(Q)$(MAKE) -f $(srctree)/Makefile headers_check
-@@ -874,7 +898,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
+@@ -874,7 +909,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
-$(vmlinux-dirs): prepare scripts
-+$(vmlinux-dirs): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++$(vmlinux-dirs): KBUILD_CFLAGS += $(GCC_PLUGINS)
+$(vmlinux-dirs): gcc-plugins prepare scripts
$(Q)$(MAKE) $(build)=$@
# Build the kernel release string
-@@ -983,6 +1008,7 @@ prepare0: archprepare FORCE
+@@ -983,6 +1019,7 @@ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=. missing-syscalls
# All the preparing..
-+prepare: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS))
++prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
prepare: prepare0
# The asm symlink changes when $(ARCH) changes.
-@@ -1133,7 +1159,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
+@@ -1133,7 +1170,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
# Target to prepare building external modules
PHONY += modules_prepare
@@ -69620,7 +70864,7 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
# Target to install modules
PHONY += modules_install
-@@ -1198,7 +1224,7 @@ MRPROPER_FILES += .config .config.old in
+@@ -1198,7 +1235,7 @@ MRPROPER_FILES += .config .config.old in
include/linux/autoconf.h include/linux/version.h \
include/linux/utsrelease.h \
include/linux/bounds.h include/asm*/asm-offsets.h \
@@ -69629,7 +70873,7 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
# clean - Delete most, but leave enough to build external modules
#
-@@ -1242,7 +1268,7 @@ distclean: mrproper
+@@ -1242,7 +1279,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -69638,7 +70882,7 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1289,6 +1315,7 @@ help:
+@@ -1289,6 +1326,7 @@ help:
@echo ' modules_prepare - Set up for building external modules'
@echo ' tags/TAGS - Generate tags file for editors'
@echo ' cscope - Generate cscope index'
@@ -69646,15 +70890,15 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
@echo ' kernelrelease - Output the release version string'
@echo ' kernelversion - Output the version stored in Makefile'
@echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
-@@ -1390,6 +1417,7 @@ PHONY += $(module-dirs) modules
+@@ -1390,6 +1428,7 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
-+modules: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1445,7 +1473,7 @@ endif # KBUILD_EXTMOD
+@@ -1445,7 +1484,7 @@ endif # KBUILD_EXTMOD
quiet_cmd_tags = GEN $@
cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
@@ -69663,18 +70907,18 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
$(call cmd,tags)
# Scripts to check various things for consistency
-@@ -1510,17 +1538,19 @@ else
+@@ -1510,17 +1549,19 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
-%.s: %.c prepare scripts FORCE
-+%.s: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.s: %.c gcc-plugins prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.i: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-%.o: %.c prepare scripts FORCE
-+%.o: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.o: %.c gcc-plugins prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.lst: %.c prepare scripts FORCE
@@ -69687,18 +70931,18 @@ diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1530,11 +1560,13 @@ endif
+@@ -1530,11 +1571,13 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
-%/: prepare scripts FORCE
-+%/: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%/: gcc-plugins prepare scripts FORCE
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
-%.ko: prepare scripts FORCE
-+%.ko: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.ko: gcc-plugins prepare scripts FORCE
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
@@ -69915,7 +71159,7 @@ diff -urNp linux-2.6.32.46/mm/kmemleak.c linux-2.6.32.46/mm/kmemleak.c
diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
--- linux-2.6.32.46/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/mm/maccess.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/mm/maccess.c 2011-10-06 09:37:14.000000000 -0400
@@ -14,7 +14,7 @@
* Safely read from address @src to the buffer at @dst. If a kernel fault
* happens, handle that and return -EFAULT.
@@ -69925,7 +71169,16 @@ diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
{
long ret;
mm_segment_t old_fs = get_fs();
-@@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
+@@ -22,7 +22,7 @@ long probe_kernel_read(void *dst, void *
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+ ret = __copy_from_user_inatomic(dst,
+- (__force const void __user *)src, size);
++ (const void __force_user *)src, size);
+ pagefault_enable();
+ set_fs(old_fs);
+
+@@ -39,14 +39,14 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
* Safely write to address @dst from the buffer at @src. If a kernel fault
* happens, handle that and return -EFAULT.
*/
@@ -69934,6 +71187,14 @@ diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
{
long ret;
mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
++ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
+ pagefault_enable();
+ set_fs(old_fs);
+
diff -urNp linux-2.6.32.46/mm/madvise.c linux-2.6.32.46/mm/madvise.c
--- linux-2.6.32.46/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
@@ -70547,7 +71808,7 @@ diff -urNp linux-2.6.32.46/mm/memory.c linux-2.6.32.46/mm/memory.c
* Dumping its contents makes post-mortem fully interpretable later
diff -urNp linux-2.6.32.46/mm/memory-failure.c linux-2.6.32.46/mm/memory-failure.c
--- linux-2.6.32.46/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/mm/memory-failure.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/mm/memory-failure.c 2011-10-06 09:37:14.000000000 -0400
@@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
int sysctl_memory_failure_recovery __read_mostly = 1;
@@ -70557,6 +71818,15 @@ diff -urNp linux-2.6.32.46/mm/memory-failure.c linux-2.6.32.46/mm/memory-failure
/*
* Send all the processes who have the page mapped an ``action optional''
+@@ -64,7 +64,7 @@ static int kill_proc_ao(struct task_stru
+ si.si_signo = SIGBUS;
+ si.si_errno = 0;
+ si.si_code = BUS_MCEERR_AO;
+- si.si_addr = (void *)addr;
++ si.si_addr = (void __user *)addr;
+ #ifdef __ARCH_SI_TRAPNO
+ si.si_trapno = trapno;
+ #endif
@@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
return 0;
}
@@ -73650,6 +74920,18 @@ diff -urNp linux-2.6.32.46/net/8021q/vlan.c linux-2.6.32.46/net/8021q/vlan.c
struct vlan_net *vn;
vn = net_generic(net, vlan_net_id);
+diff -urNp linux-2.6.32.46/net/9p/trans_fd.c linux-2.6.32.46/net/9p/trans_fd.c
+--- linux-2.6.32.46/net/9p/trans_fd.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/9p/trans_fd.c 2011-10-06 09:37:14.000000000 -0400
+@@ -419,7 +419,7 @@ static int p9_fd_write(struct p9_client
+ oldfs = get_fs();
+ set_fs(get_ds());
+ /* The cast to a user pointer is valid due to the set_fs() */
+- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
++ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
+ set_fs(oldfs);
+
+ if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
diff -urNp linux-2.6.32.46/net/atm/atm_misc.c linux-2.6.32.46/net/atm/atm_misc.c
--- linux-2.6.32.46/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
@@ -73886,6 +75168,109 @@ diff -urNp linux-2.6.32.46/net/can/bcm.c linux-2.6.32.46/net/can/bcm.c
seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
seq_printf(m, " <<<\n");
+diff -urNp linux-2.6.32.46/net/compat.c linux-2.6.32.46/net/compat.c
+--- linux-2.6.32.46/net/compat.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/compat.c 2011-10-06 09:37:14.000000000 -0400
+@@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kms
+ __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
+- kmsg->msg_name = compat_ptr(tmp1);
+- kmsg->msg_iov = compat_ptr(tmp2);
+- kmsg->msg_control = compat_ptr(tmp3);
++ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
++ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
++ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
+ return 0;
+ }
+
+@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *k
+ kern_msg->msg_name = NULL;
+
+ tot_len = iov_from_user_compat_to_kern(kern_iov,
+- (struct compat_iovec __user *)kern_msg->msg_iov,
++ (struct compat_iovec __force_user *)kern_msg->msg_iov,
+ kern_msg->msg_iovlen);
+ if (tot_len >= 0)
+ kern_msg->msg_iov = kern_iov;
+@@ -114,20 +114,20 @@ int verify_compat_iovec(struct msghdr *k
+
+ #define CMSG_COMPAT_FIRSTHDR(msg) \
+ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
+- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
++ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
+ (struct compat_cmsghdr __user *)NULL)
+
+ #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
+ ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
+ (ucmlen) <= (unsigned long) \
+ ((mhdr)->msg_controllen - \
+- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
++ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
+ struct compat_cmsghdr __user *cmsg, int cmsg_len)
+ {
+ char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
+- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
++ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
+ msg->msg_controllen)
+ return NULL;
+ return (struct compat_cmsghdr __user *)ptr;
+@@ -219,7 +219,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
+ {
+ struct compat_timeval ctv;
+ struct compat_timespec cts[3];
+- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
++ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
+ struct compat_cmsghdr cmhdr;
+ int cmlen;
+
+@@ -271,7 +271,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
+
+ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
+ {
+- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
++ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
+ int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
+ int fdnum = scm->fp->count;
+ struct file **fp = scm->fp->fp;
+@@ -433,7 +433,7 @@ static int do_get_sock_timeout(struct so
+ len = sizeof(ktime);
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
++ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
+ set_fs(old_fs);
+
+ if (!err) {
+@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *so
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ {
+- struct compat_group_req __user *gr32 = (void *)optval;
++ struct compat_group_req __user *gr32 = (void __user *)optval;
+ struct group_req __user *kgr =
+ compat_alloc_user_space(sizeof(struct group_req));
+ u32 interface;
+@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *so
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ {
+- struct compat_group_source_req __user *gsr32 = (void *)optval;
++ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
+ struct group_source_req __user *kgsr = compat_alloc_user_space(
+ sizeof(struct group_source_req));
+ u32 interface;
+@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *so
+ }
+ case MCAST_MSFILTER:
+ {
+- struct compat_group_filter __user *gf32 = (void *)optval;
++ struct compat_group_filter __user *gf32 = (void __user *)optval;
+ struct group_filter __user *kgf;
+ u32 interface, fmode, numsrc;
+
diff -urNp linux-2.6.32.46/net/core/dev.c linux-2.6.32.46/net/core/dev.c
--- linux-2.6.32.46/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
+++ linux-2.6.32.46/net/core/dev.c 2011-08-05 20:33:55.000000000 -0400
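Review bot: The two bounds helpers in net/compat.c now force in opposite directions: `CMSG_COMPAT_OK` casts the user pointer `ucmsg` to `__force_kernel`, while `cmsg_compat_nxthdr` just below casts the kernel-typed `msg_control` field to `__force_user`. Both only compute a pointer difference, but keeping the user pointer annotated and forcing the field is the less surprising form, e.g. `((char __user *)(ucmsg) - (char __force_user *)(mhdr)->msg_control)`. That way `ucmsg` stays marked as user memory throughout the macro. The definitions of `__force_user` and `__force_kernel` are not in this hunk, so this assumes they are `__force` combined with the matching address-space annotation.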
@@ -74005,6 +75390,45 @@ diff -urNp linux-2.6.32.46/net/core/rtnetlink.c linux-2.6.32.46/net/core/rtnetli
static DEFINE_MUTEX(rtnl_mutex);
+diff -urNp linux-2.6.32.46/net/core/scm.c linux-2.6.32.46/net/core/scm.c
+--- linux-2.6.32.46/net/core/scm.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/core/scm.c 2011-10-06 09:37:14.000000000 -0400
+@@ -190,7 +190,7 @@ error:
+ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
+ {
+ struct cmsghdr __user *cm
+- = (__force struct cmsghdr __user *)msg->msg_control;
++ = (struct cmsghdr __force_user *)msg->msg_control;
+ struct cmsghdr cmhdr;
+ int cmlen = CMSG_LEN(len);
+ int err;
+@@ -213,7 +213,7 @@ int put_cmsg(struct msghdr * msg, int le
+ err = -EFAULT;
+ if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
+ goto out;
+- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
++ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
+ goto out;
+ cmlen = CMSG_SPACE(len);
+ if (msg->msg_controllen < cmlen)
+@@ -228,7 +228,7 @@ out:
+ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
+ {
+ struct cmsghdr __user *cm
+- = (__force struct cmsghdr __user*)msg->msg_control;
++ = (struct cmsghdr __force_user *)msg->msg_control;
+
+ int fdmax = 0;
+ int fdnum = scm->fp->count;
+@@ -248,7 +248,7 @@ void scm_detach_fds(struct msghdr *msg,
+ if (fdnum < fdmax)
+ fdmax = fdnum;
+
+- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
++ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
+ i++, cmfptr++)
+ {
+ int new_fd;
diff -urNp linux-2.6.32.46/net/core/secure_seq.c linux-2.6.32.46/net/core/secure_seq.c
--- linux-2.6.32.46/net/core/secure_seq.c 2011-08-16 20:37:25.000000000 -0400
+++ linux-2.6.32.46/net/core/secure_seq.c 2011-08-07 19:48:09.000000000 -0400
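Review bot: The double cast `(void __force_user *)CMSG_DATA((void __force_kernel *)cm)` in `put_cmsg`, repeated in the `scm_detach_fds` loop initialiser, has no comment explaining why a user pointer is briefly typed as a kernel pointer. A short comment above the `put_cmsg` line would help, e.g. `/* CMSG_DATA() only does pointer arithmetic; cm stays a user pointer and is written via copy_to_user() */`. It keeps a later reader from taking the cast as permission to dereference `cm` directly. Both function bodies continue outside the hunk.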
@@ -74235,6 +75659,36 @@ diff -urNp linux-2.6.32.46/net/ipv4/inetpeer.c linux-2.6.32.46/net/ipv4/inetpeer
n->ip_id_count = secure_ip_id(daddr);
n->tcp_ts_stamp = 0;
+diff -urNp linux-2.6.32.46/net/ipv4/ipconfig.c linux-2.6.32.46/net/ipv4/ipconfig.c
+--- linux-2.6.32.46/net/ipv4/ipconfig.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/ipv4/ipconfig.c 2011-10-06 09:37:14.000000000 -0400
+@@ -295,7 +295,7 @@ static int __init ic_devinet_ioctl(unsig
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
++ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
+@@ -306,7 +306,7 @@ static int __init ic_dev_ioctl(unsigned
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
++ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
+@@ -317,7 +317,7 @@ static int __init ic_route_ioctl(unsigne
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
++ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
diff -urNp linux-2.6.32.46/net/ipv4/ip_fragment.c linux-2.6.32.46/net/ipv4/ip_fragment.c
--- linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
@@ -74249,7 +75703,7 @@ diff -urNp linux-2.6.32.46/net/ipv4/ip_fragment.c linux-2.6.32.46/net/ipv4/ip_fr
rc = qp->q.fragments && (end - start) > max;
diff -urNp linux-2.6.32.46/net/ipv4/ip_sockglue.c linux-2.6.32.46/net/ipv4/ip_sockglue.c
--- linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-10-06 09:37:14.000000000 -0400
@@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
int val;
int len;
@@ -74259,6 +75713,15 @@ diff -urNp linux-2.6.32.46/net/ipv4/ip_sockglue.c linux-2.6.32.46/net/ipv4/ip_so
if (level != SOL_IP)
return -EOPNOTSUPP;
+@@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock
+ if (sk->sk_type != SOCK_STREAM)
+ return -ENOPROTOOPT;
+
+- msg.msg_control = optval;
++ msg.msg_control = (void __force_kernel *)optval;
+ msg.msg_controllen = len;
+ msg.msg_flags = 0;
+
diff -urNp linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c
--- linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
+++ linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
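Review bot: `msg.msg_control = (void __force_kernel *)optval;` in `do_ip_getsockopt` stores the caller's user pointer in a field that is now typed as kernel memory, and nothing at the assignment says so. The `do_ipv6_getsockopt` hunk in net/ipv6/ipv6_sockglue.c does the same. I would add `/* optval is a user pointer; msg_control is only written through put_cmsg()/copy_to_user() */` above the assignment in both places. The code that consumes `msg` is outside the hunk, so confirm it only goes through `put_cmsg()` before adopting that wording.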
@@ -74712,6 +76175,18 @@ diff -urNp linux-2.6.32.46/net/ipv4/udp.c linux-2.6.32.46/net/ipv4/udp.c
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff -urNp linux-2.6.32.46/net/ipv6/addrconf.c linux-2.6.32.46/net/ipv6/addrconf.c
+--- linux-2.6.32.46/net/ipv6/addrconf.c 2011-05-10 22:12:02.000000000 -0400
++++ linux-2.6.32.46/net/ipv6/addrconf.c 2011-10-06 09:37:14.000000000 -0400
+@@ -2053,7 +2053,7 @@ int addrconf_set_dstaddr(struct net *net
+ p.iph.ihl = 5;
+ p.iph.protocol = IPPROTO_IPV6;
+ p.iph.ttl = 64;
+- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
++ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
+
+ if (ops->ndo_do_ioctl) {
+ mm_segment_t oldfs = get_fs();
diff -urNp linux-2.6.32.46/net/ipv6/inet6_connection_sock.c linux-2.6.32.46/net/ipv6/inet6_connection_sock.c
--- linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
@@ -74768,7 +76243,7 @@ diff -urNp linux-2.6.32.46/net/ipv6/ip6_tunnel.c linux-2.6.32.46/net/ipv6/ip6_tu
}
diff -urNp linux-2.6.32.46/net/ipv6/ipv6_sockglue.c linux-2.6.32.46/net/ipv6/ipv6_sockglue.c
--- linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-10-06 09:37:16.000000000 -0400
@@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
int val, valbool;
int retv = -ENOPROTOOPT;
@@ -74787,6 +76262,15 @@ diff -urNp linux-2.6.32.46/net/ipv6/ipv6_sockglue.c linux-2.6.32.46/net/ipv6/ipv
if (ip6_mroute_opt(optname))
return ip6_mroute_getsockopt(sk, optname, optval, optlen);
+@@ -922,7 +926,7 @@ static int do_ipv6_getsockopt(struct soc
+ if (sk->sk_type != SOCK_STREAM)
+ return -ENOPROTOOPT;
+
+- msg.msg_control = optval;
++ msg.msg_control = (void __force_kernel *)optval;
+ msg.msg_controllen = len;
+ msg.msg_flags = 0;
+
diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c
--- linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-08-21 18:43:32.000000000 -0400
@@ -76038,6 +77522,30 @@ diff -urNp linux-2.6.32.46/net/rds/Kconfig linux-2.6.32.46/net/rds/Kconfig
---help---
The RDS (Reliable Datagram Sockets) protocol provides reliable,
sequenced delivery of datagrams over Infiniband, iWARP,
+diff -urNp linux-2.6.32.46/net/rds/tcp.c linux-2.6.32.46/net/rds/tcp.c
+--- linux-2.6.32.46/net/rds/tcp.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/rds/tcp.c 2011-10-06 09:37:16.000000000 -0400
+@@ -57,7 +57,7 @@ void rds_tcp_nonagle(struct socket *sock
+ int val = 1;
+
+ set_fs(KERNEL_DS);
+- sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
++ sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
+ sizeof(val));
+ set_fs(oldfs);
+ }
+diff -urNp linux-2.6.32.46/net/rds/tcp_send.c linux-2.6.32.46/net/rds/tcp_send.c
+--- linux-2.6.32.46/net/rds/tcp_send.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/rds/tcp_send.c 2011-10-06 09:37:16.000000000 -0400
+@@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
+
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+- sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
++ sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
+ sizeof(val));
+ set_fs(oldfs);
+ }
diff -urNp linux-2.6.32.46/net/rxrpc/af_rxrpc.c linux-2.6.32.46/net/rxrpc/af_rxrpc.c
--- linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
@@ -76386,7 +77894,7 @@ diff -urNp linux-2.6.32.46/net/sctp/socket.c linux-2.6.32.46/net/sctp/socket.c
if (pp->fastreuse && sk->sk_reuse &&
diff -urNp linux-2.6.32.46/net/socket.c linux-2.6.32.46/net/socket.c
--- linux-2.6.32.46/net/socket.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/net/socket.c 2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.46/net/socket.c 2011-10-06 09:37:16.000000000 -0400
@@ -87,6 +87,7 @@
#include <linux/wireless.h>
#include <linux/nsproxy.h>
@@ -76559,6 +78067,15 @@ diff -urNp linux-2.6.32.46/net/socket.c linux-2.6.32.46/net/socket.c
err = -EFAULT;
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(&msg_sys, msg_compat))
+@@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct
+ * kernel msghdr to use the kernel address space)
+ */
+
+- uaddr = (__force void __user *)msg_sys.msg_name;
++ uaddr = (void __force_user *)msg_sys.msg_name;
+ uaddr_len = COMPAT_NAMELEN(msg);
+ if (MSG_CMSG_COMPAT & flags) {
+ err = verify_compat_iovec(&msg_sys, iov,
diff -urNp linux-2.6.32.46/net/sunrpc/sched.c linux-2.6.32.46/net/sunrpc/sched.c
--- linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:35:30.000000000 -0400
+++ linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:34:01.000000000 -0400
@@ -76787,6 +78304,39 @@ diff -urNp linux-2.6.32.46/net/sysctl_net.c linux-2.6.32.46/net/sysctl_net.c
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
+diff -urNp linux-2.6.32.46/net/tipc/link.c linux-2.6.32.46/net/tipc/link.c
+--- linux-2.6.32.46/net/tipc/link.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/tipc/link.c 2011-10-06 09:37:16.000000000 -0400
+@@ -1418,7 +1418,7 @@ again:
+
+ if (!sect_rest) {
+ sect_rest = msg_sect[++curr_sect].iov_len;
+- sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
++ sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
+ }
+
+ if (sect_rest < fragm_rest)
+@@ -1437,7 +1437,7 @@ error:
+ }
+ } else
+ skb_copy_to_linear_data_offset(buf, fragm_crs,
+- sect_crs, sz);
++ (const void __force_kernel *)sect_crs, sz);
+ sect_crs += sz;
+ sect_rest -= sz;
+ fragm_crs += sz;
+diff -urNp linux-2.6.32.46/net/tipc/subscr.c linux-2.6.32.46/net/tipc/subscr.c
+--- linux-2.6.32.46/net/tipc/subscr.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/net/tipc/subscr.c 2011-10-06 09:37:16.000000000 -0400
+@@ -104,7 +104,7 @@ static void subscr_send_event(struct sub
+ {
+ struct iovec msg_sect;
+
+- msg_sect.iov_base = (void *)&sub->evt;
++ msg_sect.iov_base = (void __force_user *)&sub->evt;
+ msg_sect.iov_len = sizeof(struct tipc_event);
+
+ sub->evt.event = htohl(event, sub->swap);
diff -urNp linux-2.6.32.46/net/unix/af_unix.c linux-2.6.32.46/net/unix/af_unix.c
--- linux-2.6.32.46/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
+++ linux-2.6.32.46/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -0400
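Review bot: In net/tipc/link.c the `else` branch passes `(const void __force_kernel *)sect_crs` to `skb_copy_to_linear_data_offset()`, even though the first inner hunk has just annotated `sect_crs` as `__user`. The cast is only safe if that branch is reached solely for kernel-built iovecs, such as the one `subscr_send_event` sets up with `(void __force_user *)&sub->evt`. The condition that selects the branch is outside the hunk, so the assumption should be written at the cast: `/* kernel-originated iovec (see subscr_send_event): iov_base is a kernel address here */`. Without it, the cast hides exactly the user/kernel mix-up the annotation is meant to catch.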
@@ -77024,7 +78574,25 @@ diff -urNp linux-2.6.32.46/samples/kobject/kset-example.c linux-2.6.32.46/sample
};
diff -urNp linux-2.6.32.46/scripts/basic/fixdep.c linux-2.6.32.46/scripts/basic/fixdep.c
--- linux-2.6.32.46/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/scripts/basic/fixdep.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/scripts/basic/fixdep.c 2011-10-06 09:37:14.000000000 -0400
+@@ -162,7 +162,7 @@ static void grow_config(int len)
+ /*
+ * Lookup a value in the configuration string.
+ */
+-static int is_defined_config(const char * name, int len)
++static int is_defined_config(const char * name, unsigned int len)
+ {
+ const char * pconfig;
+ const char * plast = str_config + len_config - len;
+@@ -199,7 +199,7 @@ static void clear_config(void)
+ /*
+ * Record the use of a CONFIG_* word.
+ */
+-static void use_config(char *m, int slen)
++static void use_config(char *m, unsigned int slen)
+ {
+ char s[PATH_MAX];
+ char *p;
@@ -222,9 +222,9 @@ static void use_config(char *m, int slen
static void parse_config_file(char *map, size_t len)
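Review bot: Making `slen` unsigned in `use_config` does not bound it against the `char s[PATH_MAX]` buffer declared just below the signature. The body continues outside the hunk; if it copies `slen` bytes of `m` into `s`, a check such as `if (slen >= sizeof(s)) { fprintf(stderr, "fixdep: CONFIG name too long\n"); exit(2); }` belongs before that copy. Using `size_t` for `len` and `slen` would also match `parse_config_file(char *map, size_t len)` in the context that follows.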
@@ -77048,10 +78616,10 @@ diff -urNp linux-2.6.32.46/scripts/basic/fixdep.c linux-2.6.32.46/scripts/basic/
fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
diff -urNp linux-2.6.32.46/scripts/gcc-plugin.sh linux-2.6.32.46/scripts/gcc-plugin.sh
--- linux-2.6.32.46/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/scripts/gcc-plugin.sh 2011-08-31 18:38:41.000000000 -0400
++++ linux-2.6.32.46/scripts/gcc-plugin.sh 2011-10-06 09:37:14.000000000 -0400
@@ -0,0 +1,2 @@
+#!/bin/sh
-+echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $* -x c -shared - -o /dev/null -I`$* -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
++echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
diff -urNp linux-2.6.32.46/scripts/Makefile.build linux-2.6.32.46/scripts/Makefile.build
--- linux-2.6.32.46/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/scripts/Makefile.build 2011-08-23 20:45:11.000000000 -0400
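Review bot: The probe in scripts/gcc-plugin.sh relies on `echo` turning `\n` into a newline, which a `/bin/sh` provided by bash does not do by default. The two `#include` directives may then reach the compiler as one line, so `rtl.h` is never actually tested. `printf '#include "gcc-plugin.h"\n#include "rtl.h"\n' | $1 -x c -shared - -o /dev/null ...` behaves the same under every POSIX shell. Because all compiler output goes to /dev/null, a wrong answer here silently decides whether the hardening plugins are built, so the probe should not depend on the shell.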
@@ -77098,7 +78666,7 @@ diff -urNp linux-2.6.32.46/scripts/Makefile.host linux-2.6.32.46/scripts/Makefil
diff -urNp linux-2.6.32.46/scripts/mod/file2alias.c linux-2.6.32.46/scripts/mod/file2alias.c
--- linux-2.6.32.46/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/scripts/mod/file2alias.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/scripts/mod/file2alias.c 2011-10-06 09:37:14.000000000 -0400
@@ -72,7 +72,7 @@ static void device_id_check(const char *
unsigned long size, unsigned long id_size,
void *symval)
@@ -77117,6 +78685,15 @@ diff -urNp linux-2.6.32.46/scripts/mod/file2alias.c linux-2.6.32.46/scripts/mod/
unsigned char range_lo, unsigned char range_hi,
struct module *mod)
{
+@@ -151,7 +151,7 @@ static void do_usb_entry_multi(struct us
+ {
+ unsigned int devlo, devhi;
+ unsigned char chi, clo;
+- int ndigits;
++ unsigned int ndigits;
+
+ id->match_flags = TO_NATIVE(id->match_flags);
+ id->idVendor = TO_NATIVE(id->idVendor);
@@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
for (i = 0; i < count; i++) {
const char *id = (char *)devs[i].id;
@@ -77444,8 +79021,8 @@ diff -urNp linux-2.6.32.46/security/integrity/ima/ima_queue.c linux-2.6.32.46/se
return 0;
diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
--- linux-2.6.32.46/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/security/Kconfig 2011-07-06 19:58:11.000000000 -0400
-@@ -4,6 +4,555 @@
++++ linux-2.6.32.46/security/Kconfig 2011-10-06 09:38:20.000000000 -0400
+@@ -4,6 +4,559 @@
menu "Security options"
@@ -77456,6 +79033,9 @@ diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
+ config ARCH_TRACK_EXEC_LIMIT
+ bool
+
++ config PAX_KERNEXEC_PLUGIN
++ bool
++
+ config PAX_PER_CPU_PGD
+ bool
+
@@ -77764,8 +79344,9 @@ diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
+
+config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
-+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ select PAX_KERNEXEC_PLUGIN if X86_64
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
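Review bot: PAX_KERNEXEC now selects PAX_KERNEXEC_PLUGIN on X86_64, but neither the new hidden symbol nor the visible part of this help text says that the x86-64 protection then depends on a gcc plugin being built and loaded. Because `select` sets the symbol without looking at the toolchain, this hunk does not show what happens with a compiler that lacks plugin support; any such check lives outside it. I would add a sentence to the help text such as `On x86-64 this also builds the gcc plugin in tools/gcc/kernexec_plugin.c and needs a plugin-capable compiler.` The help text continues past the end of the hunk.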
@@ -77831,7 +79412,7 @@ diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
+
+config PAX_RANDKSTACK
+ bool "Randomize kernel stack base"
-+ depends on PAX_ASLR && X86_TSC && X86
++ depends on X86_TSC && X86
+ help
+ By saying Y here the kernel will randomize every task's kernel
+ stack on every system call. This will not only force an attacker
@@ -78001,7 +79582,7 @@ diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
config KEYS
bool "Enable access key retention support"
help
-@@ -146,7 +695,7 @@ config INTEL_TXT
+@@ -146,7 +699,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -78205,6 +79786,56 @@ diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.h linux-2.6.32.46/sound/aoa/cod
/* PCM3052 register definitions */
+diff -urNp linux-2.6.32.46/sound/core/oss/pcm_oss.c linux-2.6.32.46/sound/core/oss/pcm_oss.c
+--- linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-10-06 09:37:16.000000000 -0400
+@@ -1395,7 +1395,7 @@ static ssize_t snd_pcm_oss_write1(struct
+ }
+ } else {
+ tmp = snd_pcm_oss_write2(substream,
+- (const char __force *)buf,
++ (const char __force_kernel *)buf,
+ runtime->oss.period_bytes, 0);
+ if (tmp <= 0)
+ goto err;
+@@ -1483,7 +1483,7 @@ static ssize_t snd_pcm_oss_read1(struct
+ xfer += tmp;
+ runtime->oss.buffer_used -= tmp;
+ } else {
+- tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
++ tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
+ runtime->oss.period_bytes, 0);
+ if (tmp <= 0)
+ goto err;
+diff -urNp linux-2.6.32.46/sound/core/pcm_compat.c linux-2.6.32.46/sound/core/pcm_compat.c
+--- linux-2.6.32.46/sound/core/pcm_compat.c 2011-08-09 18:35:30.000000000 -0400
++++ linux-2.6.32.46/sound/core/pcm_compat.c 2011-10-06 09:37:16.000000000 -0400
+@@ -30,7 +30,7 @@ static int snd_pcm_ioctl_delay_compat(st
+ int err;
+
+ fs = snd_enter_user();
+- err = snd_pcm_delay(substream, &delay);
++ err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
+ snd_leave_user(fs);
+ if (err < 0)
+ return err;
+diff -urNp linux-2.6.32.46/sound/core/pcm_native.c linux-2.6.32.46/sound/core/pcm_native.c
+--- linux-2.6.32.46/sound/core/pcm_native.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.46/sound/core/pcm_native.c 2011-10-06 09:37:16.000000000 -0400
+@@ -2747,11 +2747,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
+ switch (substream->stream) {
+ case SNDRV_PCM_STREAM_PLAYBACK:
+ result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
+- (void __user *)arg);
++ (void __force_user *)arg);
+ break;
+ case SNDRV_PCM_STREAM_CAPTURE:
+ result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
+- (void __user *)arg);
++ (void __force_user *)arg);
+ break;
+ default:
+ result = -EINVAL;
diff -urNp linux-2.6.32.46/sound/core/seq/seq_device.c linux-2.6.32.46/sound/core/seq/seq_device.c
--- linux-2.6.32.46/sound/core/seq/seq_device.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.46/sound/core/seq/seq_device.c 2011-08-05 20:33:55.000000000 -0400
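Review bot: The new `(snd_pcm_sframes_t __force_user *)&delay` cast in snd_pcm_ioctl_delay_compat passes what is presumably the address of a kernel variable to a parameter typed as a user pointer, and nothing next to it says why that is acceptable. It appears to rely on the snd_enter_user()/snd_leave_user() pair around the call, whose definitions are outside this hunk. A comment on the call such as `/* &delay is a kernel address; only valid as __user between snd_enter_user() and snd_leave_user() */` would record that and discourage copying the cast elsewhere. The two `(void __force_user *)arg` casts in snd_pcm_kernel_ioctl deserve the same kind of comment; all of these functions continue outside the hunk.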
@@ -78970,6 +80601,179 @@ diff -urNp linux-2.6.32.46/sound/usb/usbaudio.c linux-2.6.32.46/sound/usb/usbaud
break;
}
}
+diff -urNp linux-2.6.32.46/tools/gcc/checker_plugin.c linux-2.6.32.46/tools/gcc/checker_plugin.c
+--- linux-2.6.32.46/tools/gcc/checker_plugin.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.32.46/tools/gcc/checker_plugin.c 2011-10-06 09:37:16.000000000 -0400
+@@ -0,0 +1,169 @@
++/*
++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to implement various sparse (source code checker) features
++ *
++ * TODO:
++ * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
++ *
++ * BUGS:
++ * - none known
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "basic-block.h"
++#include "gimple.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "function.h"
++#include "tree-flow.h"
++#include "target.h"
++
++extern void c_register_addr_space (const char *str, addr_space_t as);
++extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
++extern enum machine_mode default_addr_space_address_mode (addr_space_t);
++extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
++extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
++extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
++
++extern void print_gimple_stmt(FILE *, gimple, int, int);
++extern rtx emit_move_insn(rtx x, rtx y);
++
++int plugin_is_GPL_compatible;
++
++static struct plugin_info checker_plugin_info = {
++ .version = "201110031940",
++};
++
++#define ADDR_SPACE_KERNEL 0
++#define ADDR_SPACE_FORCE_KERNEL 1
++#define ADDR_SPACE_USER 2
++#define ADDR_SPACE_FORCE_USER 3
++#define ADDR_SPACE_IOMEM 0
++#define ADDR_SPACE_FORCE_IOMEM 0
++#define ADDR_SPACE_PERCPU 0
++#define ADDR_SPACE_FORCE_PERCPU 0
++#define ADDR_SPACE_RCU 0
++#define ADDR_SPACE_FORCE_RCU 0
++
++static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
++{
++ return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
++}
++
++static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
++{
++ return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
++}
++
++static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
++{
++ return default_addr_space_valid_pointer_mode(mode, as);
++}
++
++static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
++{
++ return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
++}
++
++static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
++{
++ return default_addr_space_legitimize_address(x, oldx, mode, as);
++}
++
++static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
++{
++ if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
++ return true;
++
++ if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
++ return true;
++
++ if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
++ return true;
++
++ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
++ return true;
++
++ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
++ return true;
++
++ if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
++ return true;
++
++ if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
++ return true;
++
++ return subset == superset;
++}
++
++static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
++{
++// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
++// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
++
++ return op;
++}
++
++static void register_checker_address_spaces(void *event_data, void *data)
++{
++ c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
++ c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
++ c_register_addr_space("__user", ADDR_SPACE_USER);
++ c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
++// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
++// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
++// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
++// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
++// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
++// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
++
++ targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
++ targetm.addr_space.address_mode = checker_addr_space_address_mode;
++ targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
++ targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
++// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
++ targetm.addr_space.subset_p = checker_addr_space_subset_p;
++ targetm.addr_space.convert = checker_addr_space_convert;
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ const int argc = plugin_info->argc;
++ const struct plugin_argument * const argv = plugin_info->argv;
++ int i;
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
++
++ for (i = 0; i < argc; ++i)
++ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++
++ if (TARGET_64BIT == 0)
++ return 0;
++
++ register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
++
++ return 0;
++}
diff -urNp linux-2.6.32.46/tools/gcc/constify_plugin.c linux-2.6.32.46/tools/gcc/constify_plugin.c
--- linux-2.6.32.46/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.32.46/tools/gcc/constify_plugin.c 2011-08-30 18:19:52.000000000 -0400
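Review bot: In checker_addr_space_subset_p (tools/gcc/checker_plugin.c) the three iomem rules do not mean what they say, because ADDR_SPACE_IOMEM and ADDR_SPACE_FORCE_IOMEM are placeholders defined as 0, the same value as ADDR_SPACE_KERNEL. The `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` test therefore also treats __kernel as a subset of __force_kernel, and the two tests involving ADDR_SPACE_FORCE_IOMEM reduce to `subset == superset`. If that widening is not intended, the iomem tests should stay disabled until the separate address spaces from the TODO exist. If it is intended, a comment above the #define block should say so, for example `/* IOMEM/PERCPU/RCU alias ADDR_SPACE_KERNEL (0) for now, so the iomem rules in subset_p also apply to __kernel */`.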
@@ -79267,10 +81071,456 @@ diff -urNp linux-2.6.32.46/tools/gcc/constify_plugin.c linux-2.6.32.46/tools/gcc
+
+ return 0;
+}
+diff -urNp linux-2.6.32.46/tools/gcc/kallocstat_plugin.c linux-2.6.32.46/tools/gcc/kallocstat_plugin.c
+--- linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 2011-10-06 09:37:16.000000000 -0400
+@@ -0,0 +1,165 @@
++/*
++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to find the distribution of k*alloc sizes
++ *
++ * TODO:
++ *
++ * BUGS:
++ * - none known
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "basic-block.h"
++#include "gimple.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "function.h"
++
++extern void print_gimple_stmt(FILE *, gimple, int, int);
++
++int plugin_is_GPL_compatible;
++
++static const char * const kalloc_functions[] = {
++ "__kmalloc",
++ "kmalloc",
++ "kmalloc_large",
++ "kmalloc_node",
++ "kmalloc_order",
++ "kmalloc_order_trace",
++ "kmalloc_slab",
++ "kzalloc",
++ "kzalloc_node",
++};
++
++static struct plugin_info kallocstat_plugin_info = {
++ .version = "201109121100",
++};
++
++static unsigned int execute_kallocstat(void);
++
++static struct gimple_opt_pass kallocstat_pass = {
++ .pass = {
++ .type = GIMPLE_PASS,
++ .name = "kallocstat",
++ .gate = NULL,
++ .execute = execute_kallocstat,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++ .tv_id = TV_NONE,
++ .properties_required = 0,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0,
++ .todo_flags_finish = 0
++ }
++};
++
++static bool is_kalloc(const char *fnname)
++{
++ size_t i;
++
++ for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
++ if (!strcmp(fnname, kalloc_functions[i]))
++ return true;
++ return false;
++}
++
++static unsigned int execute_kallocstat(void)
++{
++ basic_block bb;
++
++ // 1. loop through BBs and GIMPLE statements
++ FOR_EACH_BB(bb) {
++ gimple_stmt_iterator gsi;
++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++ // gimple match:
++ tree fndecl, size;
++ gimple call_stmt;
++ const char *fnname;
++
++ // is it a call
++ call_stmt = gsi_stmt(gsi);
++ if (!is_gimple_call(call_stmt))
++ continue;
++ fndecl = gimple_call_fndecl(call_stmt);
++ if (fndecl == NULL_TREE)
++ continue;
++ if (TREE_CODE(fndecl) != FUNCTION_DECL)
++ continue;
++
++ // is it a call to k*alloc
++ fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
++ if (!is_kalloc(fnname))
++ continue;
++
++ // is the size arg the result of a simple const assignment
++ size = gimple_call_arg(call_stmt, 0);
++ while (true) {
++ gimple def_stmt;
++ expanded_location xloc;
++ size_t size_val;
++
++ if (TREE_CODE(size) != SSA_NAME)
++ break;
++ def_stmt = SSA_NAME_DEF_STMT(size);
++ if (!def_stmt || !is_gimple_assign(def_stmt))
++ break;
++ if (gimple_num_ops(def_stmt) != 2)
++ break;
++ size = gimple_assign_rhs1(def_stmt);
++ if (!TREE_CONSTANT(size))
++ continue;
++ xloc = expand_location(gimple_location(def_stmt));
++ if (!xloc.file)
++ xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
++ size_val = TREE_INT_CST_LOW(size);
++ fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
++ break;
++ }
++//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
++//debug_tree(gimple_call_fn(call_stmt));
++//print_node(stderr, "pax", fndecl, 4);
++ }
++ }
++
++ return 0;
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ struct register_pass_info kallocstat_pass_info = {
++ .pass = &kallocstat_pass.pass,
++ .reference_pass_name = "ssa",
++ .ref_pass_instance_number = 0,
++ .pos_op = PASS_POS_INSERT_AFTER
++ };
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
++
++ return 0;
++}
+diff -urNp linux-2.6.32.46/tools/gcc/kernexec_plugin.c linux-2.6.32.46/tools/gcc/kernexec_plugin.c
+--- linux-2.6.32.46/tools/gcc/kernexec_plugin.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.32.46/tools/gcc/kernexec_plugin.c 2011-10-06 09:37:16.000000000 -0400
+@@ -0,0 +1,273 @@
++/*
++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
++ *
++ * TODO:
++ *
++ * BUGS:
++ * - none known
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "basic-block.h"
++#include "gimple.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "function.h"
++#include "tree-flow.h"
++
++extern void print_gimple_stmt(FILE *, gimple, int, int);
++extern rtx emit_move_insn(rtx x, rtx y);
++
++int plugin_is_GPL_compatible;
++
++static struct plugin_info kernexec_plugin_info = {
++ .version = "201110032145",
++};
++
++static unsigned int execute_kernexec_fptr(void);
++static unsigned int execute_kernexec_retaddr(void);
++static bool kernexec_cmodel_check(void);
++
++static struct gimple_opt_pass kernexec_fptr_pass = {
++ .pass = {
++ .type = GIMPLE_PASS,
++ .name = "kernexec_fptr",
++ .gate = kernexec_cmodel_check,
++ .execute = execute_kernexec_fptr,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++ .tv_id = TV_NONE,
++ .properties_required = 0,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0,
++ .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
++ }
++};
++
++static struct rtl_opt_pass kernexec_retaddr_pass = {
++ .pass = {
++ .type = RTL_PASS,
++ .name = "kernexec_retaddr",
++ .gate = kernexec_cmodel_check,
++ .execute = execute_kernexec_retaddr,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++ .tv_id = TV_NONE,
++ .properties_required = 0,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0,
++ .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
++ }
++};
++
++static bool kernexec_cmodel_check(void)
++{
++ tree section;
++
++ if (ix86_cmodel != CM_KERNEL)
++ return false;
++
++ section = lookup_attribute("__section__", DECL_ATTRIBUTES(current_function_decl));
++ if (!section || !TREE_VALUE(section))
++ return true;
++
++ section = TREE_VALUE(TREE_VALUE(section));
++ if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
++ return true;
++
++ return false;
++}
++
++/*
++ * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
++ * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
++ */
++static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
++{
++ gimple assign_intptr, assign_new_fptr, call_stmt;
++ tree intptr, old_fptr, new_fptr, kernexec_mask;
++
++ call_stmt = gsi_stmt(gsi);
++ old_fptr = gimple_call_fn(call_stmt);
++
++ // create temporary unsigned long variable used for bitops and cast fptr to it
++ intptr = create_tmp_var(long_unsigned_type_node, NULL);
++ add_referenced_var(intptr);
++ mark_sym_for_renaming(intptr);
++ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
++ update_stmt(assign_intptr);
++ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
++
++ // apply logical or to temporary unsigned long and bitmask
++ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
++// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
++ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
++ update_stmt(assign_intptr);
++ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
++
++ // cast temporary unsigned long back to a temporary fptr variable
++ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
++ add_referenced_var(new_fptr);
++ mark_sym_for_renaming(new_fptr);
++ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
++ update_stmt(assign_new_fptr);
++ gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
++
++ // replace call stmt fn with the new fptr
++ gimple_call_set_fn(call_stmt, new_fptr);
++ update_stmt(call_stmt);
++}
++
++/*
++ * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
++ */
++static unsigned int execute_kernexec_fptr(void)
++{
++ basic_block bb;
++ gimple_stmt_iterator gsi;
++
++ // 1. loop through BBs and GIMPLE statements
++ FOR_EACH_BB(bb) {
++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++ // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
++ tree fn;
++ gimple call_stmt;
++
++ // is it a call ...
++ call_stmt = gsi_stmt(gsi);
++ if (!is_gimple_call(call_stmt))
++ continue;
++ fn = gimple_call_fn(call_stmt);
++ if (TREE_CODE(fn) == ADDR_EXPR)
++ continue;
++ if (TREE_CODE(fn) != SSA_NAME)
++ gcc_unreachable();
++
++ // ... through a function pointer
++ fn = SSA_NAME_VAR(fn);
++ if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
++ continue;
++ fn = TREE_TYPE(fn);
++ if (TREE_CODE(fn) != POINTER_TYPE)
++ continue;
++ fn = TREE_TYPE(fn);
++ if (TREE_CODE(fn) != FUNCTION_TYPE)
++ continue;
++
++ kernexec_instrument_fptr(gsi);
++
++//debug_tree(gimple_call_fn(call_stmt));
++//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
++ }
++ }
++
++ return 0;
++}
++
++// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
++static void kernexec_instrument_retaddr(rtx insn)
++{
++ rtx btsq;
++ rtvec argvec, constraintvec, labelvec;
++ int line;
++
++ // create asm volatile("btsq $63,(%%rsp)":::)
++ argvec = rtvec_alloc(0);
++ constraintvec = rtvec_alloc(0);
++ labelvec = rtvec_alloc(0);
++ line = expand_location(RTL_LOCATION(insn)).line;
++ btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
++ MEM_VOLATILE_P(btsq) = 1;
++ RTX_FRAME_RELATED_P(btsq) = 1;
++ emit_insn_before(btsq, insn);
++}
++
++/*
++ * find all asm level function returns and forcibly set the highest bit of the return address
++ */
++static unsigned int execute_kernexec_retaddr(void)
++{
++ rtx insn;
++
++ // 1. find function returns
++ for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
++ // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
++ // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
++ rtx body;
++
++ // is it a retn
++ if (!JUMP_P(insn))
++ continue;
++ body = PATTERN(insn);
++ if (GET_CODE(body) == PARALLEL)
++ body = XVECEXP(body, 0, 0);
++ if (GET_CODE(body) != RETURN)
++ continue;
++ kernexec_instrument_retaddr(insn);
++ }
++
++// print_simple_rtl(stderr, get_insns());
++// print_rtl(stderr, get_insns());
++
++ return 0;
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ const int argc = plugin_info->argc;
++ const struct plugin_argument * const argv = plugin_info->argv;
++ int i;
++ struct register_pass_info kernexec_fptr_pass_info = {
++ .pass = &kernexec_fptr_pass.pass,
++ .reference_pass_name = "ssa",
++ .ref_pass_instance_number = 0,
++ .pos_op = PASS_POS_INSERT_AFTER
++ };
++ struct register_pass_info kernexec_retaddr_pass_info = {
++ .pass = &kernexec_retaddr_pass.pass,
++ .reference_pass_name = "pro_and_epilogue",
++ .ref_pass_instance_number = 0,
++ .pos_op = PASS_POS_INSERT_AFTER
++ };
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
++
++ for (i = 0; i < argc; ++i)
++ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++
++ if (TARGET_64BIT == 0)
++ return 0;
++
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
++
++ return 0;
++}
diff -urNp linux-2.6.32.46/tools/gcc/Makefile linux-2.6.32.46/tools/gcc/Makefile
--- linux-2.6.32.46/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/tools/gcc/Makefile 2011-08-05 20:33:55.000000000 -0400
-@@ -0,0 +1,12 @@
++++ linux-2.6.32.46/tools/gcc/Makefile 2011-10-06 09:37:14.000000000 -0400
+@@ -0,0 +1,21 @@
+#CC := gcc
+#PLUGIN_SOURCE_FILES := pax_plugin.c
+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
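Review bot: execute_kallocstat in tools/gcc/kallocstat_plugin.c never reports a size that reaches the allocator call as a literal, because the first test in the `while (true)` loop leaves as soon as `size` is not an SSA_NAME. Only sizes that arrive through an SSA assignment of a constant are printed. The report also reads `TREE_INT_CST_LOW(size)` after checking only `TREE_CONSTANT(size)`, which can also hold for constants that are not INTEGER_CST. Testing `TREE_CODE(size) == INTEGER_CST` at the top of the loop, before the SSA_NAME test, addresses both; `def_stmt` then has to be declared outside the loop and start as `call_stmt` so the location is still available.

```c
			size = gimple_call_arg(call_stmt, 0);
			def_stmt = call_stmt;	// declared next to call_stmt instead of inside the loop
			while (true) {
				expanded_location xloc;
				size_t size_val;

				// literal or simply-assigned integer constant: report it
				if (TREE_CODE(size) == INTEGER_CST) {
					xloc = expand_location(gimple_location(def_stmt));
					// … unchanged: xloc.file fallback, size_val, fprintf of the kallocsize line …
					break;
				}
				// … unchanged: SSA_NAME, is_gimple_assign and gimple_num_ops checks …
				size = gimple_assign_rhs1(def_stmt);
			}
```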
@@ -79279,14 +81529,23 @@ diff -urNp linux-2.6.32.46/tools/gcc/Makefile linux-2.6.32.46/tools/gcc/Makefile
+
+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
+
-+hostlibs-y := stackleak_plugin.so constify_plugin.so
++hostlibs-y := constify_plugin.so
++hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
++hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
++hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
++hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
++
+always := $(hostlibs-y)
++
+stackleak_plugin-objs := stackleak_plugin.o
+constify_plugin-objs := constify_plugin.o
++kallocstat_plugin-objs := kallocstat_plugin.o
++kernexec_plugin-objs := kernexec_plugin.o
++checker_plugin-objs := checker_plugin.o
diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gcc/stackleak_plugin.c
--- linux-2.6.32.46/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/tools/gcc/stackleak_plugin.c 2011-08-23 20:24:26.000000000 -0400
-@@ -0,0 +1,243 @@
++++ linux-2.6.32.46/tools/gcc/stackleak_plugin.c 2011-10-06 09:37:14.000000000 -0400
+@@ -0,0 +1,251 @@
+/*
+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -79304,7 +81563,7 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+ * - initialize all local variables
+ *
+ * BUGS:
-+ * - cloned functions are instrumented twice
++ * - none known
+ */
+#include "gcc-plugin.h"
+#include "config.h"
@@ -79331,7 +81590,7 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
-+ .version = "201106030000",
++ .version = "201109112100",
+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
+// "initialize-locals\t\tforcibly initialize all stack frames\n"
+};
@@ -79354,7 +81613,7 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+ .properties_provided = 0,
+ .properties_destroyed = 0,
+ .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
-+ .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
++ .todo_flags_finish = TODO_verify_stmts | TODO_dump_func
+ }
+};
+
@@ -79372,7 +81631,7 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+ .properties_provided = 0,
+ .properties_destroyed = 0,
+ .todo_flags_start = 0,
-+ .todo_flags_finish = 0
++ .todo_flags_finish = TODO_dump_func
+ }
+};
+
@@ -79384,13 +81643,13 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
+{
+ gimple call;
-+ tree decl, type;
++ tree fndecl, type;
+
+ // insert call to void pax_track_stack(void)
+ type = build_function_type_list(void_type_node, NULL_TREE);
-+ decl = build_fn_decl(track_function, type);
-+ DECL_ASSEMBLER_NAME(decl); // for LTO
-+ call = gimple_build_call(decl, 0);
++ fndecl = build_fn_decl(track_function, type);
++ DECL_ASSEMBLER_NAME(fndecl); // for LTO
++ call = gimple_build_call(fndecl, 0);
+ if (before)
+ gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
+ else
@@ -79399,40 +81658,46 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+
+static unsigned int execute_stackleak_tree_instrument(void)
+{
-+ basic_block bb;
++ basic_block bb, entry_bb;
+ gimple_stmt_iterator gsi;
++ bool prologue_instrumented = false;
++
++ entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
+
+ // 1. loop through BBs and GIMPLE statements
+ FOR_EACH_BB(bb) {
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
+ // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
-+ tree decl;
++ tree fndecl;
+ gimple stmt = gsi_stmt(gsi);
+
+ if (!is_gimple_call(stmt))
+ continue;
-+ decl = gimple_call_fndecl(stmt);
-+ if (!decl)
++ fndecl = gimple_call_fndecl(stmt);
++ if (!fndecl)
+ continue;
-+ if (TREE_CODE(decl) != FUNCTION_DECL)
++ if (TREE_CODE(fndecl) != FUNCTION_DECL)
+ continue;
-+ if (!DECL_BUILT_IN(decl))
++ if (!DECL_BUILT_IN(fndecl))
+ continue;
-+ if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
++ if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
+ continue;
-+ if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
++ if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA)
+ continue;
+
+ // 2. insert track call after each __builtin_alloca call
+ stackleak_add_instrumentation(&gsi, false);
-+// print_node(stderr, "pax", decl, 4);
++ if (bb == entry_bb)
++ prologue_instrumented = true;
++// print_node(stderr, "pax", fndecl, 4);
+ }
+ }
+
+ // 3. insert track call at the beginning
-+ bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
-+ gsi = gsi_start_bb(bb);
-+ stackleak_add_instrumentation(&gsi, true);
++ if (!prologue_instrumented) {
++ gsi = gsi_start_bb(entry_bb);
++ stackleak_add_instrumentation(&gsi, true);
++ }
+
+ return 0;
+}
@@ -79444,6 +81709,10 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+ if (cfun->calls_alloca)
+ return 0;
+
++ // keep calls only if function frame is big enough
++ if (get_frame_size() >= track_frame_size)
++ return 0;
++
+ // 1. find pax_track_stack calls
+ for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
+ // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
@@ -79463,9 +81732,7 @@ diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gc
+ if (strcmp(XSTR(body, 0), track_function))
+ continue;
+// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
-+ // 2. delete call if function frame is not big enough
-+ if (get_frame_size() >= track_frame_size)
-+ continue;
++ // 2. delete call
+ delete_insn_and_edges(insn);
+ }
+
diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4425_grsec-pax-without-grsec.patch
index cc3b6ca..96b85a3 100644
--- a/2.6.32/4425_grsec-pax-without-grsec.patch
+++ b/2.6.32/4425_grsec-pax-without-grsec.patch
@@ -77,7 +77,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/fs/exec.c linux-2.6.32-hardened-r44/fs
diff -Naur linux-2.6.32-hardened-r44.orig/security/Kconfig linux-2.6.32-hardened-r44/security/Kconfig
--- linux-2.6.32-hardened-r44.orig/security/Kconfig 2011-04-17 18:15:55.000000000 -0400
+++ linux-2.6.32-hardened-r44/security/Kconfig 2011-04-17 18:28:11.000000000 -0400
-@@ -26,7 +26,7 @@
+@@ -29,7 +29,7 @@
config PAX
bool "Enable various PaX features"
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index a2b16d6..0bb8941 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -15,9 +15,9 @@ and conflicts with some software and thus would be less suitable.
The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
-diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:41:22.000000000 -0400
-+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:42:14.000000000 -0400
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-04-17 18:41:22.000000000 -0400
++++ b/grsecurity/Kconfig 2011-04-17 18:42:14.000000000 -0400
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
@@ -286,21 +286,22 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
config GRKERNSEC_CUSTOM
bool "Custom"
help
-diff -Naur linux-2.6.32-hardened-r44.orig/security/Kconfig linux-2.6.32-hardened-r44/security/Kconfig
---- linux-2.6.32-hardened-r44.orig/security/Kconfig 2011-04-17 18:36:55.000000000 -0400
-+++ linux-2.6.32-hardened-r44/security/Kconfig 2011-04-17 18:42:14.000000000 -0400
-@@ -319,8 +319,9 @@
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-04-17 18:36:55.000000000 -0400
++++ b/security/Kconfig 2011-04-17 18:42:14.000000000 -0400
+@@ -322,9 +322,10 @@
config PAX_KERNEXEC
bool "Enforce non-executable kernel pages"
-- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
+ default y if GRKERNSEC_HARDENED_WORKSTATION
help
This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
-@@ -483,8 +484,9 @@
+@@ -487,8 +488,9 @@
config PAX_MEMORY_UDEREF
bool "Prevent invalid userland pointer dereference"
diff --git a/3.0.4/0000_README b/3.0.4/0000_README
index 5afed8c..ccc36e4 100644
--- a/3.0.4/0000_README
+++ b/3.0.4/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-3.0.4-201109261052.patch
+Patch: 4420_grsecurity-2.2.2-3.0.4-201110060421.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109261052.patch b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201110060421.patch
index cce98cf..51e088f 100644
--- a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109261052.patch
+++ b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201110060421.patch
@@ -5591,71 +5591,80 @@ diff -urNp linux-3.0.4/arch/x86/boot/video-vesa.c linux-3.0.4/arch/x86/boot/vide
/*
diff -urNp linux-3.0.4/arch/x86/crypto/aes-x86_64-asm_64.S linux-3.0.4/arch/x86/crypto/aes-x86_64-asm_64.S
--- linux-3.0.4/arch/x86/crypto/aes-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/crypto/aes-x86_64-asm_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -71,6 +71,12 @@ FUNC: movq r1,r2; \
++++ linux-3.0.4/arch/x86/crypto/aes-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -8,6 +8,8 @@
+ * including this sentence is retained in full.
+ */
+
++#include <asm/alternative-asm.h>
++
+ .extern crypto_ft_tab
+ .extern crypto_it_tab
+ .extern crypto_fl_tab
+@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
je B192; \
leaq 32(r9),r9;
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+#define ret orb $0x80, 0x7(%rsp); ret
-+#else
-+#define ret ret
-+#endif
++#define ret pax_force_retaddr; ret
+
#define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
movq r1,r2; \
movq r3,r4; \
diff -urNp linux-3.0.4/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-3.0.4/arch/x86/crypto/salsa20-x86_64-asm_64.S
--- linux-3.0.4/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -790,6 +790,9 @@ ECRYPT_encrypt_bytes:
++++ linux-3.0.4/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -1,3 +1,5 @@
++#include <asm/alternative-asm.h>
++
+ # enter ECRYPT_encrypt_bytes
+ .text
+ .p2align 5
+@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
add %r11,%rsp
mov %rdi,%rax
mov %rsi,%rdx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
# bytesatleast65:
._bytesatleast65:
-@@ -891,6 +894,9 @@ ECRYPT_keysetup:
+@@ -891,6 +894,7 @@ ECRYPT_keysetup:
add %r11,%rsp
mov %rdi,%rax
mov %rsi,%rdx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
# enter ECRYPT_ivsetup
.text
-@@ -917,4 +923,7 @@ ECRYPT_ivsetup:
+@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
add %r11,%rsp
mov %rdi,%rax
mov %rsi,%rdx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
diff -urNp linux-3.0.4/arch/x86/crypto/twofish-x86_64-asm_64.S linux-3.0.4/arch/x86/crypto/twofish-x86_64-asm_64.S
--- linux-3.0.4/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -269,6 +269,9 @@ twofish_enc_blk:
++++ linux-3.0.4/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -21,6 +21,7 @@
+ .text
+
+ #include <asm/asm-offsets.h>
++#include <asm/alternative-asm.h>
+
+ #define a_offset 0
+ #define b_offset 4
+@@ -269,6 +270,7 @@ twofish_enc_blk:
popq R1
movq $1,%rax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
twofish_dec_blk:
-@@ -321,4 +324,7 @@ twofish_dec_blk:
+@@ -321,4 +323,5 @@ twofish_dec_blk:
popq R1
movq $1,%rax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
diff -urNp linux-3.0.4/arch/x86/ia32/ia32_aout.c linux-3.0.4/arch/x86/ia32/ia32_aout.c
--- linux-3.0.4/arch/x86/ia32/ia32_aout.c 2011-07-21 22:17:23.000000000 -0400
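Review bot: The hand-placed `pax_force_retaddr` lines in salsa20-x86_64-asm_64.S and twofish-x86_64-asm_64.S cover only the `ret` sites that were edited by hand, whereas aes-x86_64-asm_64.S covers every return through `#define ret pax_force_retaddr; ret`. A `ret` in the two hand-edited files that lies outside the shown context, or one added later, would return without the bit-63 fix-up and nothing would flag it. Either use the same `#define ret` wrapper in all three files or put a reminder at the top of the hand-edited ones, for example `/* KERNEXEC: every ret must be preceded by pax_force_retaddr */`. The `#define` in the AES file also deserves a one-line comment, because it silently rewrites an instruction mnemonic for the rest of that file.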
@@ -5850,7 +5859,34 @@ diff -urNp linux-3.0.4/arch/x86/ia32/ia32entry.S linux-3.0.4/arch/x86/ia32/ia32e
cmpq $(IA32_NR_syscalls-1),%rax
diff -urNp linux-3.0.4/arch/x86/ia32/ia32_signal.c linux-3.0.4/arch/x86/ia32/ia32_signal.c
--- linux-3.0.4/arch/x86/ia32/ia32_signal.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/ia32/ia32_signal.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/ia32/ia32_signal.c 2011-10-06 04:17:55.000000000 -0400
+@@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
+ }
+ seg = get_fs();
+ set_fs(KERNEL_DS);
+- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
++ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
+ set_fs(seg);
+ if (ret >= 0 && uoss_ptr) {
+ if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
+@@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
+ */
+ static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+ size_t frame_size,
+- void **fpstate)
++ void __user **fpstate)
+ {
+ unsigned long sp;
+
+@@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
+
+ if (used_math()) {
+ sp = sp - sig_xstate_ia32_size;
+- *fpstate = (struct _fpstate_ia32 *) sp;
++ *fpstate = (struct _fpstate_ia32 __user *) sp;
+ if (save_i387_xstate_ia32(*fpstate) < 0)
+ return (void __user *) -1L;
+ }
@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
sp -= frame_size;
/* Align the stack pointer according to the i386 ABI,
@@ -5865,7 +5901,7 @@ diff -urNp linux-3.0.4/arch/x86/ia32/ia32_signal.c linux-3.0.4/arch/x86/ia32/ia3
* gdb versions depend on them as a marker.
*/
- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
-+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
} put_user_catch(err);
if (err)
@@ -5896,10 +5932,99 @@ diff -urNp linux-3.0.4/arch/x86/ia32/ia32_signal.c linux-3.0.4/arch/x86/ia32/ia3
* versions need it.
*/
- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
-+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
} put_user_catch(err);
if (err)
+diff -urNp linux-3.0.4/arch/x86/ia32/sys_ia32.c linux-3.0.4/arch/x86/ia32/sys_ia32.c
+--- linux-3.0.4/arch/x86/ia32/sys_ia32.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/arch/x86/ia32/sys_ia32.c 2011-10-06 04:17:55.000000000 -0400
+@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
+ */
+ static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
+ {
+- typeof(ubuf->st_uid) uid = 0;
+- typeof(ubuf->st_gid) gid = 0;
++ typeof(((struct stat64 *)0)->st_uid) uid = 0;
++ typeof(((struct stat64 *)0)->st_gid) gid = 0;
+ SET_UID(uid, stat->uid);
+ SET_GID(gid, stat->gid);
+ if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
+@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
+ }
+ set_fs(KERNEL_DS);
+ ret = sys_rt_sigprocmask(how,
+- set ? (sigset_t __user *)&s : NULL,
+- oset ? (sigset_t __user *)&s : NULL,
++ set ? (sigset_t __force_user *)&s : NULL,
++ oset ? (sigset_t __force_user *)&s : NULL,
+ sigsetsize);
+ set_fs(old_fs);
+ if (ret)
+@@ -332,7 +332,7 @@ asmlinkage long sys32_alarm(unsigned int
+ return alarm_setitimer(seconds);
+ }
+
+-asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int *stat_addr,
++asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int __user *stat_addr,
+ int options)
+ {
+ return compat_sys_wait4(pid, stat_addr, options, NULL);
+@@ -353,7 +353,7 @@ asmlinkage long sys32_sched_rr_get_inter
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
++ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
+ set_fs(old_fs);
+ if (put_compat_timespec(&t, interval))
+ return -EFAULT;
+@@ -369,7 +369,7 @@ asmlinkage long sys32_rt_sigpending(comp
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
++ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
+ set_fs(old_fs);
+ if (!ret) {
+ switch (_NSIG_WORDS) {
+@@ -394,7 +394,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
+ if (copy_siginfo_from_user32(&info, uinfo))
+ return -EFAULT;
+ set_fs(KERNEL_DS);
+- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
++ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
+ set_fs(old_fs);
+ return ret;
+ }
+@@ -439,7 +439,7 @@ asmlinkage long sys32_sendfile(int out_f
+ return -EFAULT;
+
+ set_fs(KERNEL_DS);
+- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
++ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
+ count);
+ set_fs(old_fs);
+
+diff -urNp linux-3.0.4/arch/x86/include/asm/alternative-asm.h linux-3.0.4/arch/x86/include/asm/alternative-asm.h
+--- linux-3.0.4/arch/x86/include/asm/alternative-asm.h 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/alternative-asm.h 2011-10-06 04:17:55.000000000 -0400
+@@ -15,6 +15,15 @@
+ .endm
+ #endif
+
++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
++ .macro pax_force_retaddr rip=0
++ btsq $63,\rip(%rsp)
++ .endm
++#else
++ .macro pax_force_retaddr rip=0
++ .endm
++#endif
++
+ .macro altinstruction_entry orig alt feature orig_len alt_len
+ .align 8
+ .quad \orig
diff -urNp linux-3.0.4/arch/x86/include/asm/alternative.h linux-3.0.4/arch/x86/include/asm/alternative.h
--- linux-3.0.4/arch/x86/include/asm/alternative.h 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/arch/x86/include/asm/alternative.h 2011-08-23 21:47:55.000000000 -0400
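Review bot: The new `pax_force_retaddr` macro in alternative-asm.h has no comment, although every converted call site in this commit depends on it and the `#else` variant expands to nothing. A short header such as `/* KERNEXEC plugin: set bit 63 of the return address stored at \rip(%rsp); empty when the plugin is off so callers need no #ifdef */` would state the contract, including what the optional `rip` argument means. It is worth adding there that `btsq` overwrites CF, so a caller must not carry a flag result across the macro. The `orb $0x80, 0x7(%rsp)` sequences it replaces elsewhere in this commit changed the flags too, so the converted sites should be unaffected.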
@@ -7226,12 +7351,12 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/emergency-restart.h linux-3.0.4/arch
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff -urNp linux-3.0.4/arch/x86/include/asm/futex.h linux-3.0.4/arch/x86/include/asm/futex.h
--- linux-3.0.4/arch/x86/include/asm/futex.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/futex.h 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/futex.h 2011-10-06 04:17:55.000000000 -0400
@@ -12,16 +12,18 @@
#include <asm/system.h>
#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
-+ typecheck(u32 *, uaddr); \
++ typecheck(u32 __user *, uaddr); \
asm volatile("1:\t" insn "\n" \
"2:\t.section .fixup,\"ax\"\n" \
"3:\tmov\t%3, %1\n" \
@@ -7239,11 +7364,11 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/futex.h linux-3.0.4/arch/x86/include
"\t.previous\n" \
_ASM_EXTABLE(1b, 3b) \
- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
-+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
++ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
: "i" (-EFAULT), "0" (oparg), "1" (0))
#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
-+ typecheck(u32 *, uaddr); \
++ typecheck(u32 __user *, uaddr); \
asm volatile("1:\tmovl %2, %0\n" \
"\tmovl\t%0, %3\n" \
"\t" insn "\n" \
@@ -7252,7 +7377,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/futex.h linux-3.0.4/arch/x86/include
_ASM_EXTABLE(2b, 4b) \
: "=&a" (oldval), "=&r" (ret), \
- "+m" (*uaddr), "=&r" (tem) \
-+ "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
++ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
: "r" (oparg), "i" (-EFAULT), "1" (0))
static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
@@ -7281,7 +7406,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/futex.h linux-3.0.4/arch/x86/include
"\t.previous\n"
_ASM_EXTABLE(1b, 3b)
- : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
-+ : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
++ : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
: "i" (-EFAULT), "r" (newval), "1" (oldval)
: "memory"
);
@@ -7301,14 +7426,14 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/hw_irq.h linux-3.0.4/arch/x86/includ
extern void eisa_set_level_irq(unsigned int irq);
diff -urNp linux-3.0.4/arch/x86/include/asm/i387.h linux-3.0.4/arch/x86/include/asm/i387.h
--- linux-3.0.4/arch/x86/include/asm/i387.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/i387.h 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/i387.h 2011-10-06 04:17:55.000000000 -0400
@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
{
int err;
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
++ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
+#endif
+
/* See comment in fxsave() below. */
@@ -7758,7 +7883,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/mmu.h linux-3.0.4/arch/x86/include/a
#ifdef CONFIG_SMP
diff -urNp linux-3.0.4/arch/x86/include/asm/module.h linux-3.0.4/arch/x86/include/asm/module.h
--- linux-3.0.4/arch/x86/include/asm/module.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/module.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/module.h 2011-10-06 04:21:18.000000000 -0400
@@ -5,6 +5,7 @@
#ifdef CONFIG_X86_64
@@ -7767,7 +7892,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/module.h linux-3.0.4/arch/x86/includ
#elif defined CONFIG_M386
#define MODULE_PROC_FAMILY "386 "
#elif defined CONFIG_M486
-@@ -59,8 +60,30 @@
+@@ -59,8 +60,36 @@
#error unknown processor family
#endif
@@ -7783,12 +7908,18 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/module.h linux-3.0.4/arch/x86/includ
+#define MODULE_PAX_KERNEXEC "KERNEXEC "
+#else
+#define MODULE_PAX_KERNEXEC ""
- #endif
-
++#endif
++
+#ifdef CONFIG_PAX_REFCOUNT
+#define MODULE_PAX_REFCOUNT "REFCOUNT "
+#else
+#define MODULE_PAX_REFCOUNT ""
+ #endif
+
++#ifdef CONSTIFY_PLUGIN
++#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
++#else
++#define MODULE_CONSTIFY_PLUGIN ""
+#endif
+
+#ifdef CONFIG_GRKERNSEC
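Review bot: `#ifdef CONSTIFY_PLUGIN` tests a bare macro, while the neighbouring vermagic tags are keyed on `CONFIG_` symbols (`CONFIG_PAX_REFCOUNT`, `CONFIG_GRKERNSEC`). Presumably the name is supplied on the compiler command line when the plugin is active; that definition is not on this page, and if it does not reach this header the tag is the empty string and the vermagic check adds nothing for constified structures. A comment such as `/* CONSTIFY_PLUGIN is set by the build when the gcc plugin is used, not by Kconfig */` (wording to be confirmed against the Makefile) would keep someone from adding the prefix by mistake. The `MODULE_ARCH_VERMAGIC` line that consumes the tag is in the next hunk, and the `#ifdef CONFIG_GRKERNSEC` block continues outside this one.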
@@ -7797,7 +7928,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/module.h linux-3.0.4/arch/x86/includ
+#define MODULE_GRSEC ""
+#endif
+
-+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN
+
#endif /* _ASM_X86_MODULE_H */
diff -urNp linux-3.0.4/arch/x86/include/asm/page_64_types.h linux-3.0.4/arch/x86/include/asm/page_64_types.h
@@ -8988,6 +9119,18 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/stacktrace.h linux-3.0.4/arch/x86/in
};
void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
+diff -urNp linux-3.0.4/arch/x86/include/asm/sys_ia32.h linux-3.0.4/arch/x86/include/asm/sys_ia32.h
+--- linux-3.0.4/arch/x86/include/asm/sys_ia32.h 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/sys_ia32.h 2011-10-06 04:17:55.000000000 -0400
+@@ -40,7 +40,7 @@ asmlinkage long sys32_rt_sigprocmask(int
+ compat_sigset_t __user *, unsigned int);
+ asmlinkage long sys32_alarm(unsigned int);
+
+-asmlinkage long sys32_waitpid(compat_pid_t, unsigned int *, int);
++asmlinkage long sys32_waitpid(compat_pid_t, unsigned int __user *, int);
+ asmlinkage long sys32_sysfs(int, u32, u32);
+
+ asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
diff -urNp linux-3.0.4/arch/x86/include/asm/system.h linux-3.0.4/arch/x86/include/asm/system.h
--- linux-3.0.4/arch/x86/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/arch/x86/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
@@ -9355,7 +9498,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_32.h linux-3.0.4/arch/x86/in
diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/include/asm/uaccess_64.h
--- linux-3.0.4/arch/x86/include/asm/uaccess_64.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/uaccess_64.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/uaccess_64.h 2011-10-06 04:17:55.000000000 -0400
@@ -10,6 +10,9 @@
#include <asm/alternative.h>
#include <asm/cpufeature.h>
@@ -9453,7 +9596,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
-+ return copy_user_generic(dst, (__force const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
+ }
switch (size) {
- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
@@ -9502,7 +9645,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
-+ return copy_user_generic(dst, (__force const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
}
}
@@ -9516,6 +9659,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
might_fault();
- if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst, src, size);
+
+ pax_track_stack();
+
@@ -9542,7 +9686,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)dst, src, size);
+ }
switch (size) {
- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
@@ -9584,13 +9728,14 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
ret, "q", "", "er", 8);
return ret;
default:
+- return copy_user_generic((__force void *)dst, src, size);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)dst, src, size);
}
}
@@ -9603,6 +9748,8 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
might_fault();
- if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
+
+ if ((int)size < 0)
+ return size;
@@ -9623,9 +9770,8 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
-+ (__force const void *)src, size);
++ return copy_user_generic((__force_kernel void *)dst,
++ (__force_kernel const void *)src, size);
+ }
switch (size) {
case 1: {
@@ -9666,6 +9812,8 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
return ret;
}
default:
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
@@ -9674,9 +9822,8 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
-+ (__force const void *)src, size);
++ return copy_user_generic((__force_kernel void *)dst,
++ (__force_kernel const void *)src, size);
}
}
@@ -9684,6 +9831,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
static __must_check __always_inline int
__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
{
+- return copy_user_generic(dst, (__force const void *)src, size);
+ pax_track_stack();
+
+ if ((int)size < 0)
@@ -9697,13 +9845,14 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic(dst, (__force const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)src, size);
}
-static __must_check __always_inline int
+static __must_check __always_inline unsigned long
__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
{
+- return copy_user_generic((__force void *)dst, src, size);
+ if ((int)size < 0)
+ return size;
+
@@ -9715,7 +9864,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)dst, src, size);
}
-extern long __copy_user_nocache(void *dst, const void __user *src,
@@ -9756,13 +9905,14 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess_64.h linux-3.0.4/arch/x86/in
}
-unsigned long
+-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
+extern unsigned long
- copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
++copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
#endif /* _ASM_X86_UACCESS_64_H */
diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess.h linux-3.0.4/arch/x86/include/asm/uaccess.h
--- linux-3.0.4/arch/x86/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/uaccess.h 2011-10-06 04:17:55.000000000 -0400
@@ -7,12 +7,15 @@
#include <linux/compiler.h>
#include <linux/thread_info.h>
@@ -9862,6 +10012,15 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess.h linux-3.0.4/arch/x86/inclu
"3:\n" \
_ASM_EXTABLE(1b, 2b - 1b) \
_ASM_EXTABLE(2b, 3b - 2b) \
+@@ -252,7 +294,7 @@ extern void __put_user_8(void);
+ __typeof__(*(ptr)) __pu_val; \
+ __chk_user_ptr(ptr); \
+ might_fault(); \
+- __pu_val = x; \
++ __pu_val = (x); \
+ switch (sizeof(*(ptr))) { \
+ case 1: \
+ __put_user_x(1, __pu_val, ptr, __ret_pu); \
@@ -373,7 +415,7 @@ do { \
} while (0)
@@ -9973,6 +10132,18 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/uaccess.h linux-3.0.4/arch/x86/inclu
} while (0)
#ifdef CONFIG_X86_WP_WORKS_OK
+diff -urNp linux-3.0.4/arch/x86/include/asm/vdso.h linux-3.0.4/arch/x86/include/asm/vdso.h
+--- linux-3.0.4/arch/x86/include/asm/vdso.h 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/vdso.h 2011-10-06 04:17:55.000000000 -0400
+@@ -11,7 +11,7 @@ extern const char VDSO32_PRELINK[];
+ #define VDSO32_SYMBOL(base, name) \
+ ({ \
+ extern const char VDSO32_##name[]; \
+- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
++ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
+ })
+ #endif
+
diff -urNp linux-3.0.4/arch/x86/include/asm/x86_init.h linux-3.0.4/arch/x86/include/asm/x86_init.h
--- linux-3.0.4/arch/x86/include/asm/x86_init.h 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/arch/x86/include/asm/x86_init.h 2011-08-23 21:47:55.000000000 -0400
@@ -10095,7 +10266,7 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/x86_init.h linux-3.0.4/arch/x86/incl
extern struct x86_cpuinit_ops x86_cpuinit;
diff -urNp linux-3.0.4/arch/x86/include/asm/xsave.h linux-3.0.4/arch/x86/include/asm/xsave.h
--- linux-3.0.4/arch/x86/include/asm/xsave.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/include/asm/xsave.h 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/include/asm/xsave.h 2011-10-06 04:17:55.000000000 -0400
@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
{
int err;
@@ -10108,7 +10279,12 @@ diff -urNp linux-3.0.4/arch/x86/include/asm/xsave.h linux-3.0.4/arch/x86/include
/*
* Clear the xsave header first, so that reserved fields are
* initialized to zero.
-@@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
+@@ -96,10 +101,15 @@ static inline int xsave_user(struct xsav
+ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
+ {
+ int err;
+- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
u32 lmask = mask;
u32 hmask = mask >> 32;
@@ -10941,7 +11117,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-3.0.4/arch/x86/kern
int replace_reg);
diff -urNp linux-3.0.4/arch/x86/kernel/cpu/perf_event.c linux-3.0.4/arch/x86/kernel/cpu/perf_event.c
--- linux-3.0.4/arch/x86/kernel/cpu/perf_event.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kernel/cpu/perf_event.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/arch/x86/kernel/cpu/perf_event.c 2011-10-06 04:17:55.000000000 -0400
@@ -781,6 +781,8 @@ static int x86_schedule_events(struct cp
int i, j, w, wmax, num = 0;
struct hw_perf_event *hwc;
@@ -10956,7 +11132,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/perf_event.c linux-3.0.4/arch/x86/ker
perf_callchain_store(entry, frame.return_address);
- fp = frame.next_frame;
-+ fp = (__force const void __user *)frame.next_frame;
++ fp = (const void __force_user *)frame.next_frame;
}
}
@@ -11794,16 +11970,17 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_32.S linux-3.0.4/arch/x86/kernel/en
CFI_ADJUST_CFA_OFFSET -24
diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/entry_64.S
--- linux-3.0.4/arch/x86/kernel/entry_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kernel/entry_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -53,6 +53,7 @@
++++ linux-3.0.4/arch/x86/kernel/entry_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -53,6 +53,8 @@
#include <asm/paravirt.h>
#include <asm/ftrace.h>
#include <asm/percpu.h>
+#include <asm/pgtable.h>
++#include <asm/alternative-asm.h>
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
#include <linux/elf-em.h>
-@@ -176,6 +177,264 @@ ENTRY(native_usergs_sysret64)
+@@ -176,6 +178,264 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -12068,7 +12245,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -318,7 +577,7 @@ ENTRY(save_args)
+@@ -318,7 +578,7 @@ ENTRY(save_args)
leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
movq_cfi rbp, 8 /* push %rbp */
leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
@@ -12077,7 +12254,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
je 1f
SWAPGS
/*
-@@ -409,7 +668,7 @@ ENTRY(ret_from_fork)
+@@ -409,7 +669,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -12086,7 +12263,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
je int_ret_from_sys_call
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -455,7 +714,7 @@ END(ret_from_fork)
+@@ -455,7 +715,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -12095,7 +12272,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -468,12 +727,13 @@ ENTRY(system_call_after_swapgs)
+@@ -468,12 +728,13 @@ ENTRY(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -12110,7 +12287,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -502,6 +762,8 @@ sysret_check:
+@@ -502,6 +763,8 @@ sysret_check:
andl %edi,%edx
jnz sysret_careful
CFI_REMEMBER_STATE
@@ -12119,7 +12296,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
/*
* sysretq will re-enable interrupts:
*/
-@@ -560,6 +822,9 @@ auditsys:
+@@ -560,6 +823,9 @@ auditsys:
movq %rax,%rsi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -12129,7 +12306,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
LOAD_ARGS 0 /* reload call-clobbered registers */
jmp system_call_fastpath
-@@ -590,6 +855,9 @@ tracesys:
+@@ -590,6 +856,9 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -12139,7 +12316,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
/*
* Reload arg registers from stack in case ptrace changed them.
* We don't reload %rax because syscall_trace_enter() returned
-@@ -611,7 +879,7 @@ tracesys:
+@@ -611,7 +880,7 @@ tracesys:
GLOBAL(int_ret_from_sys_call)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -12148,7 +12325,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
je retint_restore_args
movl $_TIF_ALLWORK_MASK,%edi
/* edi: mask to check */
-@@ -793,6 +1061,16 @@ END(interrupt)
+@@ -793,6 +1062,16 @@ END(interrupt)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
call save_args
PARTIAL_FRAME 0
@@ -12165,7 +12342,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
call \func
.endm
-@@ -825,7 +1103,7 @@ ret_from_intr:
+@@ -825,7 +1104,7 @@ ret_from_intr:
CFI_ADJUST_CFA_OFFSET -8
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -12174,7 +12351,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
je retint_kernel
/* Interrupt came from user space */
-@@ -847,12 +1125,18 @@ retint_swapgs: /* return to user-space
+@@ -847,12 +1126,16 @@ retint_swapgs: /* return to user-space
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -12187,13 +12364,11 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80,0x7+RIP-ARGOFFSET(%rsp)
-+#endif
++ pax_force_retaddr RIP-ARGOFFSET
/*
* The iretq could re-enable interrupts:
*/
-@@ -1027,6 +1311,16 @@ ENTRY(\sym)
+@@ -1027,6 +1310,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -12210,7 +12385,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1044,6 +1338,16 @@ ENTRY(\sym)
+@@ -1044,6 +1337,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -12227,7 +12402,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1052,7 +1356,7 @@ ENTRY(\sym)
+@@ -1052,7 +1355,7 @@ ENTRY(\sym)
END(\sym)
.endm
@@ -12236,7 +12411,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1062,8 +1366,24 @@ ENTRY(\sym)
+@@ -1062,8 +1365,24 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -12261,7 +12436,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
call \do_sym
addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
-@@ -1080,6 +1400,16 @@ ENTRY(\sym)
+@@ -1080,6 +1399,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -12278,7 +12453,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1099,6 +1429,16 @@ ENTRY(\sym)
+@@ -1099,6 +1428,16 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -12295,7 +12470,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1361,16 +1701,35 @@ ENTRY(paranoid_exit)
+@@ -1361,16 +1700,31 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -12307,9 +12482,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
+ TRACE_IRQS_IRETQ 0
+ SWAPGS_UNSAFE_STACK
+ RESTORE_ALL 8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80,0x7(%rsp)
-+#endif
++ pax_force_retaddr
+ jmp irq_return
+#endif
paranoid_swapgs:
@@ -12326,13 +12499,11 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
+ pax_exit_kernel
TRACE_IRQS_IRETQ 0
RESTORE_ALL 8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80,0x7(%rsp)
-+#endif
++ pax_force_retaddr
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1426,7 +1785,7 @@ ENTRY(error_entry)
+@@ -1426,7 +1780,7 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -12341,7 +12512,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
je error_kernelspace
error_swapgs:
SWAPGS
-@@ -1490,6 +1849,16 @@ ENTRY(nmi)
+@@ -1490,6 +1844,16 @@ ENTRY(nmi)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
DEFAULT_FRAME 0
@@ -12358,7 +12529,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1500,12 +1869,32 @@ ENTRY(nmi)
+@@ -1500,12 +1864,28 @@ ENTRY(nmi)
DISABLE_INTERRUPTS(CLBR_NONE)
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
@@ -12369,9 +12540,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
+ pax_exit_kernel
+ SWAPGS_UNSAFE_STACK
+ RESTORE_ALL 8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80,0x7(%rsp)
-+#endif
++ pax_force_retaddr
+ jmp irq_return
+#endif
nmi_swapgs:
@@ -12386,9 +12555,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/entry_64.S linux-3.0.4/arch/x86/kernel/en
nmi_restore:
+ pax_exit_kernel
RESTORE_ALL 8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80,0x7(%rsp)
-+#endif
++ pax_force_retaddr
jmp irq_return
nmi_userspace:
GET_THREAD_INFO(%rcx)
@@ -13750,20 +13917,20 @@ diff -urNp linux-3.0.4/arch/x86/kernel/machine_kexec_32.c linux-3.0.4/arch/x86/k
page_list[PA_CONTROL_PAGE] = __pa(control_page);
diff -urNp linux-3.0.4/arch/x86/kernel/microcode_intel.c linux-3.0.4/arch/x86/kernel/microcode_intel.c
--- linux-3.0.4/arch/x86/kernel/microcode_intel.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kernel/microcode_intel.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/kernel/microcode_intel.c 2011-10-06 04:17:55.000000000 -0400
@@ -440,13 +440,13 @@ static enum ucode_state request_microcod
static int get_ucode_user(void *to, const void *from, size_t n)
{
- return copy_from_user(to, from, n);
-+ return copy_from_user(to, (__force const void __user *)from, n);
++ return copy_from_user(to, (const void __force_user *)from, n);
}
static enum ucode_state
request_microcode_user(int cpu, const void __user *buf, size_t size)
{
- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
-+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
++ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
}
static void microcode_fini_cpu(int cpu)
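Review bot: `request_microcode_user` strips the user annotation from `buf` with `(__force_kernel void *)` and `get_ucode_user` puts it back with `(const void __force_user *)`, so static checking cannot see the pointer's address space while it travels through `generic_load_microcode`. Nothing in the hunk records that only the callback may dereference `from`. I would add a comment above `get_ucode_user`, for example `/* 'from' is a user pointer carried through generic_load_microcode() as void *; read it only via copy_from_user() */`. `generic_load_microcode` is outside the hunk, so whether it ever touches the buffer directly cannot be confirmed here.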
@@ -14593,7 +14760,16 @@ diff -urNp linux-3.0.4/arch/x86/kernel/reboot.c linux-3.0.4/arch/x86/kernel/rebo
struct machine_ops machine_ops = {
diff -urNp linux-3.0.4/arch/x86/kernel/setup.c linux-3.0.4/arch/x86/kernel/setup.c
--- linux-3.0.4/arch/x86/kernel/setup.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kernel/setup.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/kernel/setup.c 2011-10-06 04:17:55.000000000 -0400
+@@ -447,7 +447,7 @@ static void __init parse_setup_data(void
+
+ switch (data->type) {
+ case SETUP_E820_EXT:
+- parse_e820_ext(data);
++ parse_e820_ext((struct setup_data __force_kernel *)data);
+ break;
+ case SETUP_DTB:
+ add_dtb(pa_data);
@@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
* area (640->1Mb) as ram even though it is not.
* take them out.
@@ -15953,7 +16129,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/x8664_ksyms_64.c linux-3.0.4/arch/x86/ker
EXPORT_SYMBOL(clear_page);
diff -urNp linux-3.0.4/arch/x86/kernel/xsave.c linux-3.0.4/arch/x86/kernel/xsave.c
--- linux-3.0.4/arch/x86/kernel/xsave.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kernel/xsave.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/kernel/xsave.c 2011-10-06 04:17:55.000000000 -0400
@@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
fx_sw_user->xstate_size > fx_sw_user->extended_size)
return -EINVAL;
@@ -15968,7 +16144,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/xsave.c linux-3.0.4/arch/x86/kernel/xsave
*/
xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
-+ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
++ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
}
/*
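Review bot: The new cast `(struct i387_fxsave_struct __force_kernel *)buf` labels as a kernel pointer what the surrounding code appears to treat as a user buffer (`restore_user_xstate(buf)` is called on the same variable in the next hunk), whereas the previous revision of the patch kept `__user` here. The cast silences the checker exactly where a user-supplied address is handed to `fxrstor_checking`, so the safety argument rests on range validation and fault handling that these hunks do not show. I would state that at the call, e.g. `/* buf is a user address: range-checked by the caller, faults handled in fxrstor_checking() */`, after confirming both halves. The same applies to the `else` branch in the following hunk; both enclosing functions begin outside the hunks.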
@@ -15977,7 +16153,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/xsave.c linux-3.0.4/arch/x86/kernel/xsave
err = restore_user_xstate(buf);
else
- err = fxrstor_checking((__force struct i387_fxsave_struct *)
-+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
++ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
buf);
if (unlikely(err)) {
/*
@@ -16053,7 +16229,16 @@ diff -urNp linux-3.0.4/arch/x86/kvm/mmu.c linux-3.0.4/arch/x86/kvm/mmu.c
++vcpu->kvm->stat.mmu_pte_write;
diff -urNp linux-3.0.4/arch/x86/kvm/paging_tmpl.h linux-3.0.4/arch/x86/kvm/paging_tmpl.h
--- linux-3.0.4/arch/x86/kvm/paging_tmpl.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kvm/paging_tmpl.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/arch/x86/kvm/paging_tmpl.h 2011-10-06 04:17:55.000000000 -0400
+@@ -182,7 +182,7 @@ walk:
+ break;
+ }
+
+- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
++ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
+ if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte)))) {
+ present = false;
+ break;
@@ -583,6 +583,8 @@ static int FNAME(page_fault)(struct kvm_
unsigned long mmu_seq;
bool map_writable;
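Review bot: `__copy_from_user` in the added `walk:` lines does no `access_ok` range check, so reading the guest PTE is only as safe as `host_addr`, and the `__force_user` cast on `ptep_user` removes the last type-level hint about where that address came from. The hunk does not show how `host_addr` is obtained or validated. A comment at the cast recording the invariant, such as `/* host_addr is a validated hva for this gfn, so the unchecked copy stays in range */`, would make the assumption reviewable. If that invariant is not guaranteed on every path, `copy_from_user(&pte, ptep_user, sizeof(pte))` is the safer call. The walker function starts and ends outside the hunk.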
@@ -16181,7 +16366,18 @@ diff -urNp linux-3.0.4/arch/x86/kvm/vmx.c linux-3.0.4/arch/x86/kvm/vmx.c
vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
diff -urNp linux-3.0.4/arch/x86/kvm/x86.c linux-3.0.4/arch/x86/kvm/x86.c
--- linux-3.0.4/arch/x86/kvm/x86.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/kvm/x86.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/kvm/x86.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1313,8 +1313,8 @@ static int xen_hvm_config(struct kvm_vcp
+ {
+ struct kvm *kvm = vcpu->kvm;
+ int lm = is_long_mode(vcpu);
+- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
+- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
++ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
++ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
+ u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
+ : kvm->arch.xen_hvm_config.blob_size_32;
+ u32 page_num = data & ~PAGE_MASK;
@@ -2057,6 +2057,8 @@ long kvm_arch_dev_ioctl(struct file *fil
if (n < msr_list.nmsrs)
goto out;
@@ -16612,14 +16808,12 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_386_32.S linux-3.0.4/arch/x86/lib/a
movl %edx, 4(v)
diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S
--- linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S 2011-09-17 18:31:51.000000000 -0400
-@@ -35,10 +35,24 @@ ENTRY(atomic64_read_cx8)
++++ linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S 2011-10-06 04:17:55.000000000 -0400
+@@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
CFI_STARTPROC
read64 %ecx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(atomic64_read_cx8)
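Review bot: This is a 32-bit source file, yet the lines being replaced used `orb $0x80, 0x7(%rsp)`, which cannot assemble for a 32-bit target, so the guarded block was presumably never active here. The hunk does not show what `pax_force_retaddr` expands to on 32-bit. If it expands to nothing, every `pax_force_retaddr` before a `ret` in `atomic64_cx8_32.S` (this hunk and the later ones for the set, xchg, `_return`, `dec_if_positive`, `add_unless` and `inc_not_zero` routines) suggests a return-address protection that is not in effect. A one-line comment at the first use, e.g. `/* no-op on 32-bit; kept for symmetry with the 64-bit lib routines */`, or dropping the calls from this file, would avoid that misreading once the macro definition is checked.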
@@ -16628,9 +16822,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
+ CFI_STARTPROC
+
+ read64 %ecx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ENDPROC(atomic64_read_unchecked_cx8)
@@ -16638,13 +16830,11 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
ENTRY(atomic64_set_cx8)
CFI_STARTPROC
-@@ -48,10 +62,29 @@ ENTRY(atomic64_set_cx8)
+@@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
cmpxchg8b (%esi)
jne 1b
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(atomic64_set_cx8)
@@ -16658,9 +16848,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
+ cmpxchg8b (%esi)
+ jne 1b
+
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
+ ret
+ CFI_ENDPROC
+ENDPROC(atomic64_set_unchecked_cx8)
@@ -16668,13 +16856,11 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
ENTRY(atomic64_xchg_cx8)
CFI_STARTPROC
-@@ -62,12 +95,15 @@ ENTRY(atomic64_xchg_cx8)
+@@ -62,12 +87,13 @@ ENTRY(atomic64_xchg_cx8)
cmpxchg8b (%esi)
jne 1b
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(atomic64_xchg_cx8)
@@ -16686,7 +16872,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
CFI_STARTPROC
SAVE ebp
SAVE ebx
-@@ -84,27 +120,46 @@ ENTRY(atomic64_\func\()_return_cx8)
+@@ -84,27 +110,44 @@ ENTRY(atomic64_\func\()_return_cx8)
movl %edx, %ecx
\ins\()l %esi, %ebx
\insc\()l %edi, %ecx
@@ -16717,9 +16903,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
RESTORE esi
RESTORE ebx
RESTORE ebp
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
-ENDPROC(atomic64_\func\()_return_cx8)
@@ -16738,7 +16922,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
CFI_STARTPROC
SAVE ebx
-@@ -114,21 +169,41 @@ ENTRY(atomic64_\func\()_return_cx8)
+@@ -114,21 +157,39 @@ ENTRY(atomic64_\func\()_return_cx8)
movl %edx, %ecx
\ins\()l $1, %ebx
\insc\()l $0, %ecx
@@ -16766,9 +16950,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
+.endif
+
RESTORE ebx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
-ENDPROC(atomic64_\func\()_return_cx8)
@@ -16782,7 +16964,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
ENTRY(atomic64_dec_if_positive_cx8)
CFI_STARTPROC
-@@ -140,6 +215,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
+@@ -140,6 +201,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
movl %edx, %ecx
subl $1, %ebx
sbb $0, %ecx
@@ -16796,17 +16978,15 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
js 2f
LOCK_PREFIX
cmpxchg8b (%esi)
-@@ -149,6 +231,9 @@ ENTRY(atomic64_dec_if_positive_cx8)
+@@ -149,6 +217,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
movl %ebx, %eax
movl %ecx, %edx
RESTORE ebx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(atomic64_dec_if_positive_cx8)
-@@ -174,6 +259,13 @@ ENTRY(atomic64_add_unless_cx8)
+@@ -174,6 +243,13 @@ ENTRY(atomic64_add_unless_cx8)
movl %edx, %ecx
addl %esi, %ebx
adcl %edi, %ecx
@@ -16820,17 +17000,15 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
LOCK_PREFIX
cmpxchg8b (%ebp)
jne 1b
-@@ -184,6 +276,9 @@ ENTRY(atomic64_add_unless_cx8)
+@@ -184,6 +260,7 @@ ENTRY(atomic64_add_unless_cx8)
CFI_ADJUST_CFA_OFFSET -8
RESTORE ebx
RESTORE ebp
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
4:
cmpl %edx, 4(%esp)
-@@ -206,6 +301,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
+@@ -206,6 +283,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
movl %edx, %ecx
addl $1, %ebx
adcl $0, %ecx
@@ -16844,13 +17022,11 @@ diff -urNp linux-3.0.4/arch/x86/lib/atomic64_cx8_32.S linux-3.0.4/arch/x86/lib/a
LOCK_PREFIX
cmpxchg8b (%esi)
jne 1b
-@@ -213,6 +315,9 @@ ENTRY(atomic64_inc_not_zero_cx8)
+@@ -213,6 +297,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
movl $1, %eax
3:
RESTORE ebx
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
4:
testl %edx, %edx
@@ -17103,38 +17279,32 @@ diff -urNp linux-3.0.4/arch/x86/lib/checksum_32.S linux-3.0.4/arch/x86/lib/check
#undef ROUND1
diff -urNp linux-3.0.4/arch/x86/lib/clear_page_64.S linux-3.0.4/arch/x86/lib/clear_page_64.S
--- linux-3.0.4/arch/x86/lib/clear_page_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/clear_page_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -11,6 +11,9 @@ ENTRY(clear_page_c)
++++ linux-3.0.4/arch/x86/lib/clear_page_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -11,6 +11,7 @@ ENTRY(clear_page_c)
movl $4096/8,%ecx
xorl %eax,%eax
rep stosq
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(clear_page_c)
-@@ -20,6 +23,9 @@ ENTRY(clear_page_c_e)
+@@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
movl $4096,%ecx
xorl %eax,%eax
rep stosb
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(clear_page_c_e)
-@@ -43,6 +49,9 @@ ENTRY(clear_page)
+@@ -43,6 +45,7 @@ ENTRY(clear_page)
leaq 64(%rdi),%rdi
jnz .Lloop
nop
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
.Lclear_page_end:
-@@ -58,7 +67,7 @@ ENDPROC(clear_page)
+@@ -58,7 +61,7 @@ ENDPROC(clear_page)
#include <asm/cpufeature.h>
@@ -17145,28 +17315,31 @@ diff -urNp linux-3.0.4/arch/x86/lib/clear_page_64.S linux-3.0.4/arch/x86/lib/cle
2: .byte 0xeb /* jmp <disp8> */
diff -urNp linux-3.0.4/arch/x86/lib/copy_page_64.S linux-3.0.4/arch/x86/lib/copy_page_64.S
--- linux-3.0.4/arch/x86/lib/copy_page_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/copy_page_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -8,6 +8,9 @@ copy_page_c:
++++ linux-3.0.4/arch/x86/lib/copy_page_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -2,12 +2,14 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ ALIGN
+ copy_page_c:
CFI_STARTPROC
movl $4096/8,%ecx
rep movsq
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(copy_page_c)
-@@ -94,6 +97,9 @@ ENTRY(copy_page)
+@@ -94,6 +96,7 @@ ENTRY(copy_page)
CFI_RESTORE r13
addq $3*8,%rsp
CFI_ADJUST_CFA_OFFSET -3*8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.Lcopy_page_end:
CFI_ENDPROC
-@@ -104,7 +110,7 @@ ENDPROC(copy_page)
+@@ -104,7 +107,7 @@ ENDPROC(copy_page)
#include <asm/cpufeature.h>
@@ -17177,7 +17350,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/copy_page_64.S linux-3.0.4/arch/x86/lib/copy
2:
diff -urNp linux-3.0.4/arch/x86/lib/copy_user_64.S linux-3.0.4/arch/x86/lib/copy_user_64.S
--- linux-3.0.4/arch/x86/lib/copy_user_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/copy_user_64.S 2011-09-17 18:31:51.000000000 -0400
++++ linux-3.0.4/arch/x86/lib/copy_user_64.S 2011-10-06 04:17:55.000000000 -0400
@@ -16,6 +16,7 @@
#include <asm/thread_info.h>
#include <asm/cpufeature.h>
@@ -17195,7 +17368,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/copy_user_64.S linux-3.0.4/arch/x86/lib/copy
2: .byte 0xe9 /* near jump with 32bit immediate */
.long \alt1-1b /* offset */ /* or alternatively to alt1 */
3: .byte 0xe9 /* near jump with 32bit immediate */
-@@ -71,47 +72,22 @@
+@@ -71,47 +72,20 @@
#endif
.endm
@@ -17242,46 +17415,45 @@ diff -urNp linux-3.0.4/arch/x86/lib/copy_user_64.S linux-3.0.4/arch/x86/lib/copy
stosb
bad_to_user:
movl %edx,%eax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(bad_from_user)
-@@ -179,6 +155,9 @@ ENTRY(copy_user_generic_unrolled)
+@@ -179,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
decl %ecx
jnz 21b
23: xor %eax,%eax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.section .fixup,"ax"
-@@ -251,6 +230,9 @@ ENTRY(copy_user_generic_string)
+@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
3: rep
movsb
4: xorl %eax,%eax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.section .fixup,"ax"
-@@ -287,6 +269,9 @@ ENTRY(copy_user_enhanced_fast_string)
+@@ -287,6 +263,7 @@ ENTRY(copy_user_enhanced_fast_string)
1: rep
movsb
2: xorl %eax,%eax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.section .fixup,"ax"
diff -urNp linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S
--- linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -14,6 +14,7 @@
++++ linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -8,12 +8,14 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ #define FIX_ALIGNMENT 1
+
#include <asm/current.h>
#include <asm/asm-offsets.h>
#include <asm/thread_info.h>
@@ -17289,7 +17461,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S linux-3.0.4/arch/x86/
.macro ALIGN_DESTINATION
#ifdef FIX_ALIGNMENT
-@@ -50,6 +51,15 @@
+@@ -50,6 +52,15 @@
*/
ENTRY(__copy_user_nocache)
CFI_STARTPROC
@@ -17305,58 +17477,66 @@ diff -urNp linux-3.0.4/arch/x86/lib/copy_user_nocache_64.S linux-3.0.4/arch/x86/
cmpl $8,%edx
jb 20f /* less then 8 bytes, go to byte copy loop */
ALIGN_DESTINATION
-@@ -98,6 +108,9 @@ ENTRY(__copy_user_nocache)
+@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
jnz 21b
23: xorl %eax,%eax
sfence
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.section .fixup,"ax"
diff -urNp linux-3.0.4/arch/x86/lib/csum-copy_64.S linux-3.0.4/arch/x86/lib/csum-copy_64.S
--- linux-3.0.4/arch/x86/lib/csum-copy_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/csum-copy_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -228,6 +228,9 @@ ENTRY(csum_partial_copy_generic)
++++ linux-3.0.4/arch/x86/lib/csum-copy_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -8,6 +8,7 @@
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
+ #include <asm/errno.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * Checksum copy with exception handling.
+@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
CFI_RESTORE rbp
addq $7*8, %rsp
CFI_ADJUST_CFA_OFFSET -7*8
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_RESTORE_STATE
diff -urNp linux-3.0.4/arch/x86/lib/csum-wrappers_64.c linux-3.0.4/arch/x86/lib/csum-wrappers_64.c
--- linux-3.0.4/arch/x86/lib/csum-wrappers_64.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/csum-wrappers_64.c 2011-08-23 21:47:55.000000000 -0400
-@@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
++++ linux-3.0.4/arch/x86/lib/csum-wrappers_64.c 2011-10-06 04:17:55.000000000 -0400
+@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
len -= 2;
}
}
+- isum = csum_partial_copy_generic((__force const void *)src,
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
+ src += PAX_USER_SHADOW_BASE;
+#endif
+
- isum = csum_partial_copy_generic((__force const void *)src,
++ isum = csum_partial_copy_generic((const void __force_kernel *)src,
dst, len, isum, errp, NULL);
if (unlikely(*errp))
-@@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
+ goto out_err;
+@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
}
*errp = 0;
+- return csum_partial_copy_generic(src, (void __force *)dst,
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
+ dst += PAX_USER_SHADOW_BASE;
+#endif
+
- return csum_partial_copy_generic(src, (void __force *)dst,
++ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
len, isum, NULL, errp);
}
+ EXPORT_SYMBOL(csum_partial_copy_to_user);
diff -urNp linux-3.0.4/arch/x86/lib/getuser.S linux-3.0.4/arch/x86/lib/getuser.S
--- linux-3.0.4/arch/x86/lib/getuser.S 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/arch/x86/lib/getuser.S 2011-08-23 21:47:55.000000000 -0400
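Review bot: In `csum_partial_copy_from_user` and `csum_partial_copy_to_user` the new `__force_kernel` cast sits outside the `#ifdef CONFIG_PAX_MEMORY_UDEREF` block, so when that option is off the pointer handed to `csum_partial_copy_generic` is still a plain user address labelled as kernel. With the option on, the rebase happens only when the value is below `PAX_USER_SHADOW_BASE`, and nothing states what is expected of a value at or above it. I would document the assumption next to each cast, e.g. `/* user address (shadow-rebased under UDEREF); faults are reported through errp */`, after confirming it against the callee. The same pattern appears in `copy_in_user` in the later `usercopy_64.c` hunk, where `to` and `from` are cast to `void __force_kernel *` after the same conditional rebase.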
@@ -17493,133 +17673,125 @@ diff -urNp linux-3.0.4/arch/x86/lib/insn.c linux-3.0.4/arch/x86/lib/insn.c
if (x86_64)
diff -urNp linux-3.0.4/arch/x86/lib/iomap_copy_64.S linux-3.0.4/arch/x86/lib/iomap_copy_64.S
--- linux-3.0.4/arch/x86/lib/iomap_copy_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/iomap_copy_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -25,6 +25,9 @@ ENTRY(__iowrite32_copy)
++++ linux-3.0.4/arch/x86/lib/iomap_copy_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -17,6 +17,7 @@
+
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
++#include <asm/alternative-asm.h>
+
+ /*
+ * override generic version in lib/iomap_copy.c
+@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
CFI_STARTPROC
movl %edx,%ecx
rep movsd
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(__iowrite32_copy)
diff -urNp linux-3.0.4/arch/x86/lib/memcpy_64.S linux-3.0.4/arch/x86/lib/memcpy_64.S
--- linux-3.0.4/arch/x86/lib/memcpy_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/memcpy_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -34,6 +34,9 @@
++++ linux-3.0.4/arch/x86/lib/memcpy_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -34,6 +34,7 @@
rep movsq
movl %edx, %ecx
rep movsb
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.Lmemcpy_e:
.previous
-@@ -51,6 +54,9 @@
+@@ -51,6 +52,7 @@
movl %edx, %ecx
rep movsb
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.Lmemcpy_e_e:
.previous
-@@ -141,6 +147,9 @@ ENTRY(memcpy)
+@@ -141,6 +143,7 @@ ENTRY(memcpy)
movq %r9, 1*8(%rdi)
movq %r10, -2*8(%rdi, %rdx)
movq %r11, -1*8(%rdi, %rdx)
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
.p2align 4
.Lless_16bytes:
-@@ -153,6 +162,9 @@ ENTRY(memcpy)
+@@ -153,6 +156,7 @@ ENTRY(memcpy)
movq -1*8(%rsi, %rdx), %r9
movq %r8, 0*8(%rdi)
movq %r9, -1*8(%rdi, %rdx)
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
.p2align 4
.Lless_8bytes:
-@@ -166,6 +178,9 @@ ENTRY(memcpy)
+@@ -166,6 +170,7 @@ ENTRY(memcpy)
movl -4(%rsi, %rdx), %r8d
movl %ecx, (%rdi)
movl %r8d, -4(%rdi, %rdx)
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
.p2align 4
.Lless_3bytes:
-@@ -183,6 +198,9 @@ ENTRY(memcpy)
+@@ -183,6 +188,7 @@ ENTRY(memcpy)
jnz .Lloop_1
.Lend:
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
CFI_ENDPROC
ENDPROC(memcpy)
diff -urNp linux-3.0.4/arch/x86/lib/memmove_64.S linux-3.0.4/arch/x86/lib/memmove_64.S
--- linux-3.0.4/arch/x86/lib/memmove_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/memmove_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -201,6 +201,9 @@ ENTRY(memmove)
++++ linux-3.0.4/arch/x86/lib/memmove_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -9,6 +9,7 @@
+ #include <linux/linkage.h>
+ #include <asm/dwarf2.h>
+ #include <asm/cpufeature.h>
++#include <asm/alternative-asm.h>
+
+ #undef memmove
+
+@@ -201,6 +202,7 @@ ENTRY(memmove)
movb (%rsi), %r11b
movb %r11b, (%rdi)
13:
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
CFI_ENDPROC
-@@ -209,6 +212,9 @@ ENTRY(memmove)
+@@ -209,6 +211,7 @@ ENTRY(memmove)
/* Forward moving data. */
movq %rdx, %rcx
rep movsb
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
retq
.Lmemmove_end_forward_efs:
.previous
diff -urNp linux-3.0.4/arch/x86/lib/memset_64.S linux-3.0.4/arch/x86/lib/memset_64.S
--- linux-3.0.4/arch/x86/lib/memset_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/memset_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -31,6 +31,9 @@
++++ linux-3.0.4/arch/x86/lib/memset_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -31,6 +31,7 @@
movl %r8d,%ecx
rep stosb
movq %r9,%rax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.Lmemset_e:
.previous
-@@ -53,6 +56,9 @@
+@@ -53,6 +54,7 @@
movl %edx,%ecx
rep stosb
movq %r9,%rax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
.Lmemset_e_e:
.previous
-@@ -121,6 +127,9 @@ ENTRY(__memset)
+@@ -121,6 +123,7 @@ ENTRY(__memset)
.Lende:
movq %r10,%rax
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_RESTORE_STATE
@@ -18083,81 +18255,78 @@ diff -urNp linux-3.0.4/arch/x86/lib/putuser.S linux-3.0.4/arch/x86/lib/putuser.S
EXIT
diff -urNp linux-3.0.4/arch/x86/lib/rwlock_64.S linux-3.0.4/arch/x86/lib/rwlock_64.S
--- linux-3.0.4/arch/x86/lib/rwlock_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/rwlock_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -17,6 +17,9 @@ ENTRY(__write_lock_failed)
++++ linux-3.0.4/arch/x86/lib/rwlock_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
LOCK_PREFIX
subl $RW_LOCK_BIAS,(%rdi)
jnz __write_lock_failed
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
END(__write_lock_failed)
-@@ -33,6 +36,9 @@ ENTRY(__read_lock_failed)
+@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
LOCK_PREFIX
decl (%rdi)
js __read_lock_failed
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
END(__read_lock_failed)
diff -urNp linux-3.0.4/arch/x86/lib/rwsem_64.S linux-3.0.4/arch/x86/lib/rwsem_64.S
--- linux-3.0.4/arch/x86/lib/rwsem_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/rwsem_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -51,6 +51,9 @@ ENTRY(call_rwsem_down_read_failed)
++++ linux-3.0.4/arch/x86/lib/rwsem_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -51,6 +51,7 @@ ENTRY(call_rwsem_down_read_failed)
popq_cfi %rdx
CFI_RESTORE rdx
restore_common_regs
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(call_rwsem_down_read_failed)
-@@ -61,6 +64,9 @@ ENTRY(call_rwsem_down_write_failed)
+@@ -61,6 +62,7 @@ ENTRY(call_rwsem_down_write_failed)
movq %rax,%rdi
call rwsem_down_write_failed
restore_common_regs
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(call_rwsem_down_write_failed)
-@@ -73,6 +79,9 @@ ENTRY(call_rwsem_wake)
+@@ -73,6 +75,7 @@ ENTRY(call_rwsem_wake)
movq %rax,%rdi
call rwsem_wake
restore_common_regs
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
1: ret
CFI_ENDPROC
ENDPROC(call_rwsem_wake)
-@@ -88,6 +97,9 @@ ENTRY(call_rwsem_downgrade_wake)
+@@ -88,6 +91,7 @@ ENTRY(call_rwsem_downgrade_wake)
popq_cfi %rdx
CFI_RESTORE rdx
restore_common_regs
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
CFI_ENDPROC
ENDPROC(call_rwsem_downgrade_wake)
diff -urNp linux-3.0.4/arch/x86/lib/thunk_64.S linux-3.0.4/arch/x86/lib/thunk_64.S
--- linux-3.0.4/arch/x86/lib/thunk_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/thunk_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -50,5 +50,8 @@
++++ linux-3.0.4/arch/x86/lib/thunk_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -10,7 +10,8 @@
+ #include <asm/dwarf2.h>
+ #include <asm/calling.h>
+ #include <asm/rwlock.h>
+-
++ #include <asm/alternative-asm.h>
++
+ /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
+ .macro thunk name,func
+ .globl \name
+@@ -50,5 +51,6 @@
SAVE_ARGS
restore:
RESTORE_ARGS
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
- ret
+- ret
++ pax_force_retaddr
++ ret
CFI_ENDPROC
diff -urNp linux-3.0.4/arch/x86/lib/usercopy_32.c linux-3.0.4/arch/x86/lib/usercopy_32.c
--- linux-3.0.4/arch/x86/lib/usercopy_32.c 2011-07-21 22:17:23.000000000 -0400
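Review bot: In `call_rwsem_wake` the macro is placed on the line before the `1:` label while `ret` stays on the label line, so any branch to `1:` returns without the return-address forcing that the fall-through path gets. The branch itself is outside the hunk, but a local label on `ret` exists only to be jumped to. Moving the label up closes the gap: `1: pax_force_retaddr` followed by `ret` on its own line. Separately, in `thunk_64.S` the added `#include <asm/alternative-asm.h>` carries a leading space that the neighbouring includes do not have. The blank-line and `ret` replacements there look like whitespace-only churn that could be dropped.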
@@ -18784,7 +18953,7 @@ diff -urNp linux-3.0.4/arch/x86/lib/usercopy_32.c linux-3.0.4/arch/x86/lib/userc
+#endif
diff -urNp linux-3.0.4/arch/x86/lib/usercopy_64.c linux-3.0.4/arch/x86/lib/usercopy_64.c
--- linux-3.0.4/arch/x86/lib/usercopy_64.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/lib/usercopy_64.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/lib/usercopy_64.c 2011-10-06 04:17:55.000000000 -0400
@@ -42,6 +42,12 @@ long
__strncpy_from_user(char *dst, const char __user *src, long count)
{
@@ -18816,6 +18985,9 @@ diff -urNp linux-3.0.4/arch/x86/lib/usercopy_64.c linux-3.0.4/arch/x86/lib/userc
unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
{
- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
+- return copy_user_generic((__force void *)to, (__force void *)from, len);
+- }
+- return len;
+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
@@ -18825,14 +18997,21 @@ diff -urNp linux-3.0.4/arch/x86/lib/usercopy_64.c linux-3.0.4/arch/x86/lib/userc
+ from += PAX_USER_SHADOW_BASE;
+#endif
+
- return copy_user_generic((__force void *)to, (__force void *)from, len);
-- }
-- return len;
++ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
+ }
+ return len;
}
EXPORT_SYMBOL(copy_in_user);
+@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
+ * it is not necessary to optimize tail handling.
+ */
+ unsigned long
+-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
++copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
+ {
+ char c;
+ unsigned zero_len;
diff -urNp linux-3.0.4/arch/x86/Makefile linux-3.0.4/arch/x86/Makefile
--- linux-3.0.4/arch/x86/Makefile 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/arch/x86/Makefile 2011-08-23 21:48:14.000000000 -0400
@@ -18871,7 +19050,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/extable.c linux-3.0.4/arch/x86/mm/extable.c
pnp_bios_is_utter_crap = 1;
diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
--- linux-3.0.4/arch/x86/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/mm/fault.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/arch/x86/mm/fault.c 2011-10-06 04:17:55.000000000 -0400
@@ -13,10 +13,18 @@
#include <linux/perf_event.h> /* perf_sw_event */
#include <linux/hugetlb.h> /* hstate_index_to_shift */
@@ -18906,7 +19085,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
/* Prefetch instruction is 0x0F0D or 0x0F18 */
- if (probe_kernel_address(instr, opcode))
+ if (user_mode(regs)) {
-+ if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
+ return 0;
+ } else if (probe_kernel_address(instr, opcode))
return 0;
@@ -18918,7 +19097,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
- if (probe_kernel_address(instr, opcode))
+ if (user_mode(regs)) {
-+ if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
+ break;
+ } else if (probe_kernel_address(instr, opcode))
break;
@@ -19491,7 +19670,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
-+ if (get_user(c, (__force unsigned char __user *)pc+i))
++ if (get_user(c, (unsigned char __force_user *)pc+i))
+ printk(KERN_CONT "?? ");
+ else
+ printk(KERN_CONT "%02x ", c);
@@ -19501,7 +19680,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
+ unsigned long c;
-+ if (get_user(c, (__force unsigned long __user *)sp+i))
++ if (get_user(c, (unsigned long __force_user *)sp+i))
+#ifdef CONFIG_X86_32
+ printk(KERN_CONT "???????? ");
+#else
@@ -19531,7 +19710,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/fault.c linux-3.0.4/arch/x86/mm/fault.c
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+ pax_open_kernel();
-+ ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
++ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
+ pax_close_kernel();
+ pagefault_enable();
+ set_fs(old_fs);
@@ -20053,7 +20232,7 @@ diff -urNp linux-3.0.4/arch/x86/mm/init_32.c linux-3.0.4/arch/x86/mm/init_32.c
size >> 10);
diff -urNp linux-3.0.4/arch/x86/mm/init_64.c linux-3.0.4/arch/x86/mm/init_64.c
--- linux-3.0.4/arch/x86/mm/init_64.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/mm/init_64.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/mm/init_64.c 2011-10-06 04:17:55.000000000 -0400
@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpa
* around without checking the pgd every time.
*/
@@ -20132,6 +20311,24 @@ diff -urNp linux-3.0.4/arch/x86/mm/init_64.c linux-3.0.4/arch/x86/mm/init_64.c
}
pmd = pmd_offset(pud, phys);
BUG_ON(!pmd_none(*pmd));
+@@ -330,7 +344,7 @@ static __ref void *alloc_low_page(unsign
+ if (pfn >= pgt_buf_top)
+ panic("alloc_low_page: ran out of memory");
+
+- adr = early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
++ adr = (void __force_kernel *)early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
+ clear_page(adr);
+ *phys = pfn * PAGE_SIZE;
+ return adr;
+@@ -346,7 +360,7 @@ static __ref void *map_low_page(void *vi
+
+ phys = __pa(virt);
+ left = phys & (PAGE_SIZE - 1);
+- adr = early_memremap(phys & PAGE_MASK, PAGE_SIZE);
++ adr = (void __force_kernel *)early_memremap(phys & PAGE_MASK, PAGE_SIZE);
+ adr = (void *)(((unsigned long)adr) | left);
+
+ return adr;
@@ -693,6 +707,12 @@ void __init mem_init(void)
pci_iommu_alloc();
@@ -21008,7 +21205,30 @@ diff -urNp linux-3.0.4/arch/x86/net/bpf_jit_comp.c linux-3.0.4/arch/x86/net/bpf_
if (!image)
diff -urNp linux-3.0.4/arch/x86/oprofile/backtrace.c linux-3.0.4/arch/x86/oprofile/backtrace.c
--- linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-09-02 18:11:21.000000000 -0400
-+++ linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-10-06 04:17:55.000000000 -0400
+@@ -83,11 +83,11 @@ dump_user_backtrace_32(struct stack_fram
+ struct stack_frame_ia32 *fp;
+ unsigned long bytes;
+
+- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
++ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
+ if (bytes != sizeof(bufhead))
+ return NULL;
+
+- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
++ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
+
+ oprofile_add_trace(bufhead[0].return_address);
+
+@@ -129,7 +129,7 @@ static struct stack_frame *dump_user_bac
+ struct stack_frame bufhead[2];
+ unsigned long bytes;
+
+- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
++ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
+ if (bytes != sizeof(bufhead))
+ return NULL;
+
@@ -148,7 +148,7 @@ x86_backtrace(struct pt_regs * const reg
{
struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
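Review bot: In dump_user_backtrace_32 the user frame address now crosses address spaces twice through forced casts: `head` is relabelled with `(const char __force_user *)` for copy_from_user_nmi(), and the next frame from compat_ptr() is relabelled with `(struct stack_frame_ia32 __force_kernel *)` before being stored in `fp`. Both casts silence the checker rather than describe the data, so a later direct dereference of `fp` or `head` would no longer be flagged. If changing the pointer types to `__user` is too invasive here (the signature starts outside the hunk), a comment at the second cast would at least record the invariant: `/* fp is a userland frame address; only ever handed back to copy_from_user_nmi() */`. The virtio_console.c hunk further down has the same shape, where port_fops_read casts `ubuf` to `__force_kernel` and fill_readbuf casts `out_buf` back to `__force_user`.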
@@ -21341,7 +21561,7 @@ diff -urNp linux-3.0.4/arch/x86/pci/pcbios.c linux-3.0.4/arch/x86/pci/pcbios.c
EXPORT_SYMBOL(pcibios_set_irq_routing);
diff -urNp linux-3.0.4/arch/x86/platform/efi/efi_32.c linux-3.0.4/arch/x86/platform/efi/efi_32.c
--- linux-3.0.4/arch/x86/platform/efi/efi_32.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/platform/efi/efi_32.c 2011-09-19 09:16:58.000000000 -0400
++++ linux-3.0.4/arch/x86/platform/efi/efi_32.c 2011-10-06 04:17:55.000000000 -0400
@@ -38,70 +38,56 @@
*/
@@ -21396,9 +21616,9 @@ diff -urNp linux-3.0.4/arch/x86/platform/efi/efi_32.c linux-3.0.4/arch/x86/platf
+#ifdef CONFIG_PAX_KERNEXEC
+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
-+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_EFI_CS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
-+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_EFI_DS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
+#endif
+
gdt_descr.address = __pa(get_cpu_gdt_table(0));
@@ -21416,8 +21636,8 @@ diff -urNp linux-3.0.4/arch/x86/platform/efi/efi_32.c linux-3.0.4/arch/x86/platf
+ struct desc_struct d;
+
+ memset(&d, 0, sizeof d);
-+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_EFI_CS, &d, DESCTYPE_S);
-+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_EFI_DS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
+#endif
+
gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
@@ -21552,74 +21772,68 @@ diff -urNp linux-3.0.4/arch/x86/platform/efi/efi_stub_32.S linux-3.0.4/arch/x86/
efi_rt_function_ptr:
diff -urNp linux-3.0.4/arch/x86/platform/efi/efi_stub_64.S linux-3.0.4/arch/x86/platform/efi/efi_stub_64.S
--- linux-3.0.4/arch/x86/platform/efi/efi_stub_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/arch/x86/platform/efi/efi_stub_64.S 2011-09-17 18:31:51.000000000 -0400
-@@ -40,6 +40,9 @@ ENTRY(efi_call0)
++++ linux-3.0.4/arch/x86/platform/efi/efi_stub_64.S 2011-10-06 04:17:55.000000000 -0400
+@@ -7,6 +7,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ #define SAVE_XMM \
+ mov %rsp, %rax; \
+@@ -40,6 +41,7 @@ ENTRY(efi_call0)
call *%rdi
addq $32, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call0)
-@@ -50,6 +53,9 @@ ENTRY(efi_call1)
+@@ -50,6 +52,7 @@ ENTRY(efi_call1)
call *%rdi
addq $32, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call1)
-@@ -60,6 +66,9 @@ ENTRY(efi_call2)
+@@ -60,6 +63,7 @@ ENTRY(efi_call2)
call *%rdi
addq $32, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call2)
-@@ -71,6 +80,9 @@ ENTRY(efi_call3)
+@@ -71,6 +75,7 @@ ENTRY(efi_call3)
call *%rdi
addq $32, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call3)
-@@ -83,6 +95,9 @@ ENTRY(efi_call4)
+@@ -83,6 +88,7 @@ ENTRY(efi_call4)
call *%rdi
addq $32, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call4)
-@@ -96,6 +111,9 @@ ENTRY(efi_call5)
+@@ -96,6 +102,7 @@ ENTRY(efi_call5)
call *%rdi
addq $48, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call5)
-@@ -112,5 +130,8 @@ ENTRY(efi_call6)
+@@ -112,5 +119,6 @@ ENTRY(efi_call6)
call *%rdi
addq $48, %rsp
RESTORE_XMM
-+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+ orb $0x80, 0x7(%rsp)
-+#endif
++ pax_force_retaddr
ret
ENDPROC(efi_call6)
diff -urNp linux-3.0.4/arch/x86/platform/mrst/mrst.c linux-3.0.4/arch/x86/platform/mrst/mrst.c
@@ -22136,7 +22350,7 @@ diff -urNp linux-3.0.4/block/blk-softirq.c linux-3.0.4/block/blk-softirq.c
diff -urNp linux-3.0.4/block/bsg.c linux-3.0.4/block/bsg.c
--- linux-3.0.4/block/bsg.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/block/bsg.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/block/bsg.c 2011-10-06 04:17:55.000000000 -0400
@@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
struct sg_io_v4 *hdr, struct bsg_device *bd,
fmode_t has_write_perm)
@@ -22154,7 +22368,7 @@ diff -urNp linux-3.0.4/block/bsg.c linux-3.0.4/block/bsg.c
+ cmdptr = tmpcmd;
- if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
-+ if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
++ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
hdr->request_len))
return -EFAULT;
@@ -22164,6 +22378,58 @@ diff -urNp linux-3.0.4/block/bsg.c linux-3.0.4/block/bsg.c
if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
if (blk_verify_command(rq->cmd, has_write_perm))
return -EPERM;
+@@ -249,7 +257,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
+ struct request *rq, *next_rq = NULL;
+ int ret, rw;
+ unsigned int dxfer_len;
+- void *dxferp = NULL;
++ void __user *dxferp = NULL;
+ struct bsg_class_device *bcd = &q->bsg_dev;
+
+ /* if the LLD has been removed then the bsg_unregister_queue will
+@@ -291,7 +299,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
+ rq->next_rq = next_rq;
+ next_rq->cmd_type = rq->cmd_type;
+
+- dxferp = (void*)(unsigned long)hdr->din_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
+ ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
+ hdr->din_xfer_len, GFP_KERNEL);
+ if (ret)
+@@ -300,10 +308,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
+
+ if (hdr->dout_xfer_len) {
+ dxfer_len = hdr->dout_xfer_len;
+- dxferp = (void*)(unsigned long)hdr->dout_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
+ } else if (hdr->din_xfer_len) {
+ dxfer_len = hdr->din_xfer_len;
+- dxferp = (void*)(unsigned long)hdr->din_xferp;
++ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
+ } else
+ dxfer_len = 0;
+
+@@ -445,7 +453,7 @@ static int blk_complete_sgv4_hdr_rq(stru
+ int len = min_t(unsigned int, hdr->max_response_len,
+ rq->sense_len);
+
+- ret = copy_to_user((void*)(unsigned long)hdr->response,
++ ret = copy_to_user((void __user *)(unsigned long)hdr->response,
+ rq->sense, len);
+ if (!ret)
+ hdr->response_len = len;
+diff -urNp linux-3.0.4/block/compat_ioctl.c linux-3.0.4/block/compat_ioctl.c
+--- linux-3.0.4/block/compat_ioctl.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/block/compat_ioctl.c 2011-10-06 04:17:55.000000000 -0400
+@@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
+ err |= __get_user(f->spec1, &uf->spec1);
+ err |= __get_user(f->fmt_gap, &uf->fmt_gap);
+ err |= __get_user(name, &uf->name);
+- f->name = compat_ptr(name);
++ f->name = (void __force_kernel *)compat_ptr(name);
+ if (err) {
+ err = -EFAULT;
+ goto out;
diff -urNp linux-3.0.4/block/scsi_ioctl.c linux-3.0.4/block/scsi_ioctl.c
--- linux-3.0.4/block/scsi_ioctl.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/block/scsi_ioctl.c 2011-08-23 21:47:55.000000000 -0400
@@ -23578,6 +23844,18 @@ diff -urNp linux-3.0.4/drivers/atm/zatm.c linux-3.0.4/drivers/atm/zatm.c
wake_up(&zatm_vcc->tx_wait);
}
+diff -urNp linux-3.0.4/drivers/base/devtmpfs.c linux-3.0.4/drivers/base/devtmpfs.c
+--- linux-3.0.4/drivers/base/devtmpfs.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/base/devtmpfs.c 2011-10-06 04:17:55.000000000 -0400
+@@ -357,7 +357,7 @@ int devtmpfs_mount(const char *mntdir)
+ if (!dev_mnt)
+ return 0;
+
+- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
++ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
+ if (err)
+ printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ else
diff -urNp linux-3.0.4/drivers/base/power/wakeup.c linux-3.0.4/drivers/base/power/wakeup.c
--- linux-3.0.4/drivers/base/power/wakeup.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/base/power/wakeup.c 2011-08-23 21:47:55.000000000 -0400
@@ -23908,7 +24186,7 @@ diff -urNp linux-3.0.4/drivers/block/DAC960.c linux-3.0.4/drivers/block/DAC960.c
sizeof(DAC960_SCSI_Inquiry_T) +
diff -urNp linux-3.0.4/drivers/block/drbd/drbd_int.h linux-3.0.4/drivers/block/drbd/drbd_int.h
--- linux-3.0.4/drivers/block/drbd/drbd_int.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/block/drbd/drbd_int.h 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/block/drbd/drbd_int.h 2011-10-06 04:17:55.000000000 -0400
@@ -737,7 +737,7 @@ struct drbd_request;
struct drbd_epoch {
struct list_head list;
@@ -23927,6 +24205,45 @@ diff -urNp linux-3.0.4/drivers/block/drbd/drbd_int.h linux-3.0.4/drivers/block/d
unsigned int peer_seq;
spinlock_t peer_seq_lock;
unsigned int minor;
+@@ -1618,30 +1618,30 @@ static inline int drbd_setsockopt(struct
+
+ static inline void drbd_tcp_cork(struct socket *sock)
+ {
+- int __user val = 1;
++ int val = 1;
+ (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
+- (char __user *)&val, sizeof(val));
++ (char __force_user *)&val, sizeof(val));
+ }
+
+ static inline void drbd_tcp_uncork(struct socket *sock)
+ {
+- int __user val = 0;
++ int val = 0;
+ (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
+- (char __user *)&val, sizeof(val));
++ (char __force_user *)&val, sizeof(val));
+ }
+
+ static inline void drbd_tcp_nodelay(struct socket *sock)
+ {
+- int __user val = 1;
++ int val = 1;
+ (void) drbd_setsockopt(sock, SOL_TCP, TCP_NODELAY,
+- (char __user *)&val, sizeof(val));
++ (char __force_user *)&val, sizeof(val));
+ }
+
+ static inline void drbd_tcp_quickack(struct socket *sock)
+ {
+- int __user val = 2;
++ int val = 2;
+ (void) drbd_setsockopt(sock, SOL_TCP, TCP_QUICKACK,
+- (char __user *)&val, sizeof(val));
++ (char __force_user *)&val, sizeof(val));
+ }
+
+ void drbd_bump_write_ordering(struct drbd_conf *mdev, enum write_ordering_e wo);
diff -urNp linux-3.0.4/drivers/block/drbd/drbd_main.c linux-3.0.4/drivers/block/drbd/drbd_main.c
--- linux-3.0.4/drivers/block/drbd/drbd_main.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/block/drbd/drbd_main.c 2011-08-23 21:47:55.000000000 -0400
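Review bot: The `(char __force_user *)&val` casts in drbd_tcp_cork, drbd_tcp_uncork, drbd_tcp_nodelay and drbd_tcp_quickack pass a kernel stack address through a parameter typed for user pointers, and nothing in the helpers says why that is valid. It presumably holds because drbd_setsockopt switches the address limit around the socket call, but that body is outside the hunk and should be confirmed. A one-line comment on the first helper would record the dependency: `/* val is on the kernel stack; relies on drbd_setsockopt() making the call under KERNEL_DS */`. Dropping `__user` from the `int val` declarations is right, since the variable itself never lived in user space.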
@@ -24104,6 +24421,18 @@ diff -urNp linux-3.0.4/drivers/block/drbd/drbd_receiver.c linux-3.0.4/drivers/bl
D_ASSERT(list_empty(&mdev->current_epoch->list));
}
+diff -urNp linux-3.0.4/drivers/block/loop.c linux-3.0.4/drivers/block/loop.c
+--- linux-3.0.4/drivers/block/loop.c 2011-09-02 18:11:26.000000000 -0400
++++ linux-3.0.4/drivers/block/loop.c 2011-10-06 04:17:55.000000000 -0400
+@@ -283,7 +283,7 @@ static int __do_lo_send_write(struct fil
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(get_ds());
+- bw = file->f_op->write(file, buf, len, &pos);
++ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
+ set_fs(old_fs);
+ if (likely(bw == len))
+ return 0;
diff -urNp linux-3.0.4/drivers/block/nbd.c linux-3.0.4/drivers/block/nbd.c
--- linux-3.0.4/drivers/block/nbd.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/block/nbd.c 2011-08-23 21:48:14.000000000 -0400
@@ -24543,7 +24872,7 @@ diff -urNp linux-3.0.4/drivers/char/sonypi.c linux-3.0.4/drivers/char/sonypi.c
return 0;
diff -urNp linux-3.0.4/drivers/char/tpm/tpm_bios.c linux-3.0.4/drivers/char/tpm/tpm_bios.c
--- linux-3.0.4/drivers/char/tpm/tpm_bios.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/char/tpm/tpm_bios.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/char/tpm/tpm_bios.c 2011-10-06 04:17:55.000000000 -0400
@@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
event = addr;
@@ -24572,7 +24901,7 @@ diff -urNp linux-3.0.4/drivers/char/tpm/tpm_bios.c linux-3.0.4/drivers/char/tpm/
return 0;
}
-@@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
+@@ -410,8 +411,13 @@ static int read_log(struct tpm_bios_log
log->bios_event_log_end = log->bios_event_log + len;
virt = acpi_os_map_memory(start, len);
@@ -24582,8 +24911,11 @@ diff -urNp linux-3.0.4/drivers/char/tpm/tpm_bios.c linux-3.0.4/drivers/char/tpm/
+ return -EFAULT;
+ }
- memcpy(log->bios_event_log, virt, len);
+- memcpy(log->bios_event_log, virt, len);
++ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
+ acpi_os_unmap_memory(virt, len);
+ return 0;
diff -urNp linux-3.0.4/drivers/char/tpm/tpm.c linux-3.0.4/drivers/char/tpm/tpm.c
--- linux-3.0.4/drivers/char/tpm/tpm.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/char/tpm/tpm.c 2011-08-23 21:48:14.000000000 -0400
@@ -24605,6 +24937,27 @@ diff -urNp linux-3.0.4/drivers/char/tpm/tpm.c linux-3.0.4/drivers/char/tpm/tpm.c
tpm_cmd.header.in = tpm_readpubek_header;
err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
"attempting to read the PUBEK");
+diff -urNp linux-3.0.4/drivers/char/virtio_console.c linux-3.0.4/drivers/char/virtio_console.c
+--- linux-3.0.4/drivers/char/virtio_console.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/char/virtio_console.c 2011-10-06 04:17:55.000000000 -0400
+@@ -555,7 +555,7 @@ static ssize_t fill_readbuf(struct port
+ if (to_user) {
+ ssize_t ret;
+
+- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
++ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
+ if (ret)
+ return -EFAULT;
+ } else {
+@@ -654,7 +654,7 @@ static ssize_t port_fops_read(struct fil
+ if (!port_has_data(port) && !port->host_connected)
+ return 0;
+
+- return fill_readbuf(port, ubuf, count, true);
++ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
+ }
+
+ static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
diff -urNp linux-3.0.4/drivers/crypto/hifn_795x.c linux-3.0.4/drivers/crypto/hifn_795x.c
--- linux-3.0.4/drivers/crypto/hifn_795x.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/crypto/hifn_795x.c 2011-08-23 21:48:14.000000000 -0400
@@ -24785,7 +25138,7 @@ diff -urNp linux-3.0.4/drivers/firewire/core-transaction.c linux-3.0.4/drivers/f
d.payload = payload;
diff -urNp linux-3.0.4/drivers/firmware/dmi_scan.c linux-3.0.4/drivers/firmware/dmi_scan.c
--- linux-3.0.4/drivers/firmware/dmi_scan.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/firmware/dmi_scan.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/firmware/dmi_scan.c 2011-10-06 04:17:55.000000000 -0400
@@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
}
}
@@ -24798,6 +25151,15 @@ diff -urNp linux-3.0.4/drivers/firmware/dmi_scan.c linux-3.0.4/drivers/firmware/
p = dmi_ioremap(0xF0000, 0x10000);
if (p == NULL)
goto error;
+@@ -725,7 +720,7 @@ int dmi_walk(void (*decode)(const struct
+ if (buf == NULL)
+ return -1;
+
+- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
++ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
+
+ iounmap(buf);
+ return 0;
diff -urNp linux-3.0.4/drivers/gpio/vr41xx_giu.c linux-3.0.4/drivers/gpio/vr41xx_giu.c
--- linux-3.0.4/drivers/gpio/vr41xx_giu.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/gpio/vr41xx_giu.c 2011-08-23 21:47:55.000000000 -0400
@@ -24810,6 +25172,101 @@ diff -urNp linux-3.0.4/drivers/gpio/vr41xx_giu.c linux-3.0.4/drivers/gpio/vr41xx
return -EINVAL;
}
+diff -urNp linux-3.0.4/drivers/gpu/drm/drm_crtc.c linux-3.0.4/drivers/gpu/drm/drm_crtc.c
+--- linux-3.0.4/drivers/gpu/drm/drm_crtc.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/drm_crtc.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1372,7 +1372,7 @@ int drm_mode_getconnector(struct drm_dev
+ */
+ if ((out_resp->count_modes >= mode_count) && mode_count) {
+ copied = 0;
+- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
++ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
+ list_for_each_entry(mode, &connector->modes, head) {
+ drm_crtc_convert_to_umode(&u_mode, mode);
+ if (copy_to_user(mode_ptr + copied,
+@@ -1387,8 +1387,8 @@ int drm_mode_getconnector(struct drm_dev
+
+ if ((out_resp->count_props >= props_count) && props_count) {
+ copied = 0;
+- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
+- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
++ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
++ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
+ for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
+ if (connector->property_ids[i] != 0) {
+ if (put_user(connector->property_ids[i],
+@@ -1410,7 +1410,7 @@ int drm_mode_getconnector(struct drm_dev
+
+ if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
+ copied = 0;
+- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
++ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
+ for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
+ if (connector->encoder_ids[i] != 0) {
+ if (put_user(connector->encoder_ids[i],
+@@ -1569,7 +1569,7 @@ int drm_mode_setcrtc(struct drm_device *
+ }
+
+ for (i = 0; i < crtc_req->count_connectors; i++) {
+- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
++ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
+ if (get_user(out_id, &set_connectors_ptr[i])) {
+ ret = -EFAULT;
+ goto out;
+@@ -1850,7 +1850,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_de
+ fb = obj_to_fb(obj);
+
+ num_clips = r->num_clips;
+- clips_ptr = (struct drm_clip_rect *)(unsigned long)r->clips_ptr;
++ clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
+
+ if (!num_clips != !clips_ptr) {
+ ret = -EINVAL;
+@@ -2270,7 +2270,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ out_resp->flags = property->flags;
+
+ if ((out_resp->count_values >= value_count) && value_count) {
+- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
++ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
+ for (i = 0; i < value_count; i++) {
+ if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
+ ret = -EFAULT;
+@@ -2283,7 +2283,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ if (property->flags & DRM_MODE_PROP_ENUM) {
+ if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
+ copied = 0;
+- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
++ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
+ list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
+
+ if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
+@@ -2306,7 +2306,7 @@ int drm_mode_getproperty_ioctl(struct dr
+ if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
+ copied = 0;
+ blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
+- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
++ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
+
+ list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
+ if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
+@@ -2367,7 +2367,7 @@ int drm_mode_getblob_ioctl(struct drm_de
+ struct drm_mode_get_blob *out_resp = data;
+ struct drm_property_blob *blob;
+ int ret = 0;
+- void *blob_ptr;
++ void __user *blob_ptr;
+
+ if (!drm_core_check_feature(dev, DRIVER_MODESET))
+ return -EINVAL;
+@@ -2381,7 +2381,7 @@ int drm_mode_getblob_ioctl(struct drm_de
+ blob = obj_to_blob(obj);
+
+ if (out_resp->length == blob->length) {
+- blob_ptr = (void *)(unsigned long)out_resp->data;
++ blob_ptr = (void __user *)(unsigned long)out_resp->data;
+ if (copy_to_user(blob_ptr, blob->data, blob->length)){
+ ret = -EFAULT;
+ goto done;
diff -urNp linux-3.0.4/drivers/gpu/drm/drm_crtc_helper.c linux-3.0.4/drivers/gpu/drm/drm_crtc_helper.c
--- linux-3.0.4/drivers/gpu/drm/drm_crtc_helper.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/drm_crtc_helper.c 2011-08-23 21:48:14.000000000 -0400
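Review bot: In the blob branch of drm_mode_getproperty_ioctl, `blob_id_ptr` keeps the plain `(uint32_t *)` cast while `blob_length_ptr` on the next line gains `__user`. Both come from fields of `out_resp`, and `blob_id_ptr` is the destination of `put_user(prop_blob->base.id, blob_id_ptr + copied)`. The line should read `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;` so that both user destinations are checked the same way. The declarations of these pointers are outside the hunk and may need the matching annotation.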
@@ -24833,7 +25290,16 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/drm_crtc_helper.c linux-3.0.4/drivers/gpu
return true;
diff -urNp linux-3.0.4/drivers/gpu/drm/drm_drv.c linux-3.0.4/drivers/gpu/drm/drm_drv.c
--- linux-3.0.4/drivers/gpu/drm/drm_drv.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/gpu/drm/drm_drv.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/drm_drv.c 2011-10-06 04:17:55.000000000 -0400
+@@ -307,7 +307,7 @@ module_exit(drm_core_exit);
+ /**
+ * Copy and IOCTL return string to user space
+ */
+-static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
++static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+ int len;
+
@@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
dev = file_priv->minor->dev;
@@ -24998,6 +25464,27 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/drm_info.c linux-3.0.4/drivers/gpu/drm/dr
#if defined(__i386__)
pgprot = pgprot_val(vma->vm_page_prot);
+diff -urNp linux-3.0.4/drivers/gpu/drm/drm_ioc32.c linux-3.0.4/drivers/gpu/drm/drm_ioc32.c
+--- linux-3.0.4/drivers/gpu/drm/drm_ioc32.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/drm_ioc32.c 2011-10-06 04:17:55.000000000 -0400
+@@ -455,7 +455,7 @@ static int compat_drm_infobufs(struct fi
+ request = compat_alloc_user_space(nbytes);
+ if (!access_ok(VERIFY_WRITE, request, nbytes))
+ return -EFAULT;
+- list = (struct drm_buf_desc *) (request + 1);
++ list = (struct drm_buf_desc __user *) (request + 1);
+
+ if (__put_user(count, &request->count)
+ || __put_user(list, &request->list))
+@@ -516,7 +516,7 @@ static int compat_drm_mapbufs(struct fil
+ request = compat_alloc_user_space(nbytes);
+ if (!access_ok(VERIFY_WRITE, request, nbytes))
+ return -EFAULT;
+- list = (struct drm_buf_pub *) (request + 1);
++ list = (struct drm_buf_pub __user *) (request + 1);
+
+ if (__put_user(count, &request->count)
+ || __put_user(list, &request->list))
diff -urNp linux-3.0.4/drivers/gpu/drm/drm_ioctl.c linux-3.0.4/drivers/gpu/drm/drm_ioctl.c
--- linux-3.0.4/drivers/gpu/drm/drm_ioctl.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/drm_ioctl.c 2011-08-23 21:47:55.000000000 -0400
@@ -25072,7 +25559,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i810/i810_drv.h linux-3.0.4/drivers/gpu/d
} drm_i810_private_t;
diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c
--- linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c 2011-10-06 04:17:55.000000000 -0400
@@ -497,7 +497,7 @@ static int i915_interrupt_info(struct se
I915_READ(GTIMR));
}
@@ -25082,6 +25569,15 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.4/drivers/g
for (i = 0; i < I915_NUM_RINGS; i++) {
if (IS_GEN6(dev)) {
seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
+@@ -1147,7 +1147,7 @@ static int i915_opregion(struct seq_file
+ return ret;
+
+ if (opregion->header)
+- seq_write(m, opregion->header, OPREGION_SIZE);
++ seq_write(m, (const void __force_kernel *)opregion->header, OPREGION_SIZE);
+
+ mutex_unlock(&dev->struct_mutex);
+
diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c
--- linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:47:55.000000000 -0400
@@ -25828,6 +26324,18 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-3.0.4/drivers/g
wait_queue_head_t fence_queue;
wait_queue_head_t fifo_queue;
atomic_t fence_queue_waiters;
+diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+--- linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-10-06 04:17:55.000000000 -0400
+@@ -610,7 +610,7 @@ int vmw_execbuf_ioctl(struct drm_device
+ struct drm_vmw_fence_rep fence_rep;
+ struct drm_vmw_fence_rep __user *user_fence_rep;
+ int ret;
+- void *user_cmd;
++ void __user *user_cmd;
+ void *cmd;
+ uint32_t sequence;
+ struct vmw_sw_context *sw_context = &dev_priv->ctx;
diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
--- linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-08-23 21:47:55.000000000 -0400
@@ -25842,7 +26350,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-3.0.4/drivers
struct vmw_fence, head);
diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
--- linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-08-23 21:47:55.000000000 -0400
++++ linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-10-06 04:17:55.000000000 -0400
@@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
(unsigned int) min,
(unsigned int) fifo->capabilities);
@@ -25852,6 +26360,15 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-3.0.4/drivers/
iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
vmw_fence_queue_init(&fifo->fence_queue);
return vmw_fifo_send_fence(dev_priv, &dummy);
+@@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_privat
+ if (reserveable)
+ iowrite32(bytes, fifo_mem +
+ SVGA_FIFO_RESERVED);
+- return fifo_mem + (next_cmd >> 2);
++ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
+ } else {
+ need_bounce = true;
+ }
@@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
fm = vmw_fifo_reserve(dev_priv, bytes);
@@ -32243,6 +32760,18 @@ diff -urNp linux-3.0.4/drivers/scsi/scsi_sysfs.c linux-3.0.4/drivers/scsi/scsi_s
return snprintf(buf, 20, "0x%llx\n", count); \
} \
static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
+diff -urNp linux-3.0.4/drivers/scsi/scsi_tgt_lib.c linux-3.0.4/drivers/scsi/scsi_tgt_lib.c
+--- linux-3.0.4/drivers/scsi/scsi_tgt_lib.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/drivers/scsi/scsi_tgt_lib.c 2011-10-06 04:17:55.000000000 -0400
+@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
+ int err;
+
+ dprintk("%lx %u\n", uaddr, len);
+- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
++ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
+ if (err) {
+ /*
+ * TODO: need to fixup sg_tablesize, max_segment_size,
diff -urNp linux-3.0.4/drivers/scsi/scsi_transport_fc.c linux-3.0.4/drivers/scsi/scsi_transport_fc.c
--- linux-3.0.4/drivers/scsi/scsi_transport_fc.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/drivers/scsi/scsi_transport_fc.c 2011-08-23 21:47:56.000000000 -0400
@@ -32344,7 +32873,16 @@ diff -urNp linux-3.0.4/drivers/scsi/scsi_transport_srp.c linux-3.0.4/drivers/scs
transport_setup_device(&rport->dev);
diff -urNp linux-3.0.4/drivers/scsi/sg.c linux-3.0.4/drivers/scsi/sg.c
--- linux-3.0.4/drivers/scsi/sg.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/drivers/scsi/sg.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/drivers/scsi/sg.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1075,7 +1075,7 @@ sg_ioctl(struct file *filp, unsigned int
+ sdp->disk->disk_name,
+ MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
+ NULL,
+- (char *)arg);
++ (char __user *)arg);
+ case BLKTRACESTART:
+ return blk_trace_startstop(sdp->device->request_queue, 1);
+ case BLKTRACESTOP:
@@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
const struct file_operations * fops;
};
@@ -37190,6 +37728,18 @@ diff -urNp linux-3.0.4/fs/attr.c linux-3.0.4/fs/attr.c
if (limit != RLIM_INFINITY && offset > limit)
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
+diff -urNp linux-3.0.4/fs/autofs4/waitq.c linux-3.0.4/fs/autofs4/waitq.c
+--- linux-3.0.4/fs/autofs4/waitq.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/fs/autofs4/waitq.c 2011-10-06 04:17:55.000000000 -0400
+@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
+ {
+ unsigned long sigpipe, flags;
+ mm_segment_t fs;
+- const char *data = (const char *)addr;
++ const char __user *data = (const char __force_user *)addr;
+ ssize_t wr = 0;
+
+ /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
diff -urNp linux-3.0.4/fs/befs/linuxvfs.c linux-3.0.4/fs/befs/linuxvfs.c
--- linux-3.0.4/fs/befs/linuxvfs.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/fs/befs/linuxvfs.c 2011-08-29 23:26:27.000000000 -0400
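Review bot: The `(const char __force_user *)addr` cast in autofs4_write has no comment saying why a kernel buffer may be treated as a user pointer. The `mm_segment_t fs` local suggests the write runs under a changed address limit, but that code is outside the hunk. Other call sites in this patch carry `/* The cast to a user pointer is valid due to the set_fs() */`, and the same line would fit here if it holds. The dump_write hunk in fs/exec.c has the same gap: its `access_ok(VERIFY_READ, addr, nr)` on a `const void *addr` passes only if the caller has already widened the address limit, and the hunk shows no set_fs() to confirm it.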
@@ -38024,13 +38574,13 @@ diff -urNp linux-3.0.4/fs/binfmt_flat.c linux-3.0.4/fs/binfmt_flat.c
}
diff -urNp linux-3.0.4/fs/bio.c linux-3.0.4/fs/bio.c
--- linux-3.0.4/fs/bio.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/bio.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/fs/bio.c 2011-10-06 04:17:55.000000000 -0400
@@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
const int read = bio_data_dir(bio) == READ;
struct bio_map_data *bmd = bio->bi_private;
int i;
- char *p = bmd->sgvecs[0].iov_base;
-+ char *p = (__force char *)bmd->sgvecs[0].iov_base;
++ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
__bio_for_each_segment(bvec, bio, i, 0) {
char *addr = page_address(bvec->bv_page);
@@ -38094,7 +38644,7 @@ diff -urNp linux-3.0.4/fs/btrfs/inode.c linux-3.0.4/fs/btrfs/inode.c
* directory.
diff -urNp linux-3.0.4/fs/btrfs/ioctl.c linux-3.0.4/fs/btrfs/ioctl.c
--- linux-3.0.4/fs/btrfs/ioctl.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/btrfs/ioctl.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/btrfs/ioctl.c 2011-10-06 04:17:55.000000000 -0400
@@ -2676,9 +2676,12 @@ long btrfs_ioctl_space_info(struct btrfs
for (i = 0; i < num_types; i++) {
struct btrfs_space_info *tmp;
@@ -38108,7 +38658,7 @@ diff -urNp linux-3.0.4/fs/btrfs/ioctl.c linux-3.0.4/fs/btrfs/ioctl.c
info = NULL;
rcu_read_lock();
list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
-@@ -2700,10 +2703,7 @@ long btrfs_ioctl_space_info(struct btrfs
+@@ -2700,15 +2703,12 @@ long btrfs_ioctl_space_info(struct btrfs
memcpy(dest, &space, sizeof(space));
dest++;
space_args.total_spaces++;
@@ -38119,6 +38669,12 @@ diff -urNp linux-3.0.4/fs/btrfs/ioctl.c linux-3.0.4/fs/btrfs/ioctl.c
}
up_read(&info->groups_sem);
}
+
+- user_dest = (struct btrfs_ioctl_space_info *)
++ user_dest = (struct btrfs_ioctl_space_info __user *)
+ (arg + sizeof(struct btrfs_ioctl_space_args));
+
+ if (copy_to_user(user_dest, dest_orig, alloc_size))
diff -urNp linux-3.0.4/fs/btrfs/relocation.c linux-3.0.4/fs/btrfs/relocation.c
--- linux-3.0.4/fs/btrfs/relocation.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/fs/btrfs/relocation.c 2011-08-23 21:47:56.000000000 -0400
@@ -38269,13 +38825,13 @@ diff -urNp linux-3.0.4/fs/cachefiles/proc.c linux-3.0.4/fs/cachefiles/proc.c
diff -urNp linux-3.0.4/fs/cachefiles/rdwr.c linux-3.0.4/fs/cachefiles/rdwr.c
--- linux-3.0.4/fs/cachefiles/rdwr.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/cachefiles/rdwr.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/fs/cachefiles/rdwr.c 2011-10-06 04:17:55.000000000 -0400
@@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
old_fs = get_fs();
set_fs(KERNEL_DS);
ret = file->f_op->write(
- file, (const void __user *) data, len, &pos);
-+ file, (__force const void __user *) data, len, &pos);
++ file, (const void __force_user *) data, len, &pos);
set_fs(old_fs);
kunmap(page);
if (ret != len)
@@ -38628,7 +39184,27 @@ diff -urNp linux-3.0.4/fs/compat_binfmt_elf.c linux-3.0.4/fs/compat_binfmt_elf.c
/*
diff -urNp linux-3.0.4/fs/compat.c linux-3.0.4/fs/compat.c
--- linux-3.0.4/fs/compat.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/compat.c 2011-08-23 22:49:33.000000000 -0400
++++ linux-3.0.4/fs/compat.c 2011-10-06 04:17:55.000000000 -0400
+@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(const
+ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+ {
+ compat_ino_t ino = stat->ino;
+- typeof(ubuf->st_uid) uid = 0;
+- typeof(ubuf->st_gid) gid = 0;
++ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
++ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
+ int err;
+
+ SET_UID(uid, stat->uid);
+@@ -508,7 +508,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
+
+ set_fs(KERNEL_DS);
+ /* The __user pointer cast is valid because of the set_fs() */
+- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
++ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
+ set_fs(oldfs);
+ /* truncating is ok because it's a user address */
+ if (!ret)
@@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
goto out;
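Review bot: The `typeof(((struct compat_stat *)0)->st_uid)` form in cp_compat_stat reads like a null-pointer dereference, and nothing explains why it replaces `typeof(ubuf->st_uid)`. It is safe because typeof does not evaluate its operand. Presumably the aim is that the local does not inherit the `__user` address space from `ubuf`. A one-line comment such as `/* type taken via a plain struct pointer so the local is not __user-qualified */` would make that clear. The same idiom is used for `d_off` in compat_sys_getdents64 and in the getdents64 hunk of fs/readdir.c.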
@@ -38711,7 +39287,7 @@ diff -urNp linux-3.0.4/fs/compat.c linux-3.0.4/fs/compat.c
dirent = buf->previous;
if (dirent) {
-@@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
+@@ -1073,13 +1090,14 @@ asmlinkage long compat_sys_getdents64(un
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -38719,6 +39295,14 @@ diff -urNp linux-3.0.4/fs/compat.c linux-3.0.4/fs/compat.c
error = vfs_readdir(file, compat_filldir64, &buf);
if (error >= 0)
+ error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = file->f_pos;
++ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
+ if (__put_user_unaligned(d_off, &lastdirent->d_off))
+ error = -EFAULT;
+ else
@@ -1446,6 +1464,8 @@ int compat_core_sys_select(int n, compat
struct fdtable *fdt;
long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -38728,9 +39312,18 @@ diff -urNp linux-3.0.4/fs/compat.c linux-3.0.4/fs/compat.c
if (n < 0)
goto out_nofds;
+@@ -1904,7 +1924,7 @@ asmlinkage long compat_sys_nfsservctl(in
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ /* The __user pointer casts are valid because of the set_fs() */
+- err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
++ err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
+ set_fs(oldfs);
+
+ if (err)
diff -urNp linux-3.0.4/fs/compat_ioctl.c linux-3.0.4/fs/compat_ioctl.c
--- linux-3.0.4/fs/compat_ioctl.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/compat_ioctl.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/fs/compat_ioctl.c 2011-10-06 04:17:55.000000000 -0400
@@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
err = get_user(palp, &up->palette);
@@ -38740,6 +39333,24 @@ diff -urNp linux-3.0.4/fs/compat_ioctl.c linux-3.0.4/fs/compat_ioctl.c
up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
err = put_user(compat_ptr(palp), &up_native->palette);
+@@ -619,7 +621,7 @@ static int serial_struct_ioctl(unsigned
+ return -EFAULT;
+ if (__get_user(udata, &ss32->iomem_base))
+ return -EFAULT;
+- ss.iomem_base = compat_ptr(udata);
++ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
+ if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+ __get_user(ss.port_high, &ss32->port_high))
+ return -EFAULT;
+@@ -794,7 +796,7 @@ static int compat_ioctl_preallocate(stru
+ copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
+ copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
+ copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
+- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
++ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
+ return -EFAULT;
+
+ return ioctl_preallocate(file, p);
@@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
{
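Review bot: In serial_struct_ioctl the `__force_kernel` cast on `compat_ptr(udata)` has no comment explaining why a user-supplied value may be retyped as a kernel pointer. The value comes from user space via `__get_user(udata, &ss32->iomem_base)`, and after the cast the checker will not flag a later dereference of `ss.iomem_base`. The hunk does not show how the field is used afterwards, and the function continues outside it. Once it is confirmed that the value is only passed on, a comment such as `/* caller-supplied address, stored as an opaque value and not dereferenced here */` should sit next to the cast.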
@@ -38792,13 +39403,13 @@ diff -urNp linux-3.0.4/fs/dcache.c linux-3.0.4/fs/dcache.c
inode_init();
diff -urNp linux-3.0.4/fs/ecryptfs/inode.c linux-3.0.4/fs/ecryptfs/inode.c
--- linux-3.0.4/fs/ecryptfs/inode.c 2011-09-02 18:11:21.000000000 -0400
-+++ linux-3.0.4/fs/ecryptfs/inode.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/fs/ecryptfs/inode.c 2011-10-06 04:17:55.000000000 -0400
@@ -704,7 +704,7 @@ static int ecryptfs_readlink_lower(struc
old_fs = get_fs();
set_fs(get_ds());
rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
- (char __user *)lower_buf,
-+ (__force char __user *)lower_buf,
++ (char __force_user *)lower_buf,
lower_bufsiz);
set_fs(old_fs);
if (rc < 0)
@@ -38807,7 +39418,7 @@ diff -urNp linux-3.0.4/fs/ecryptfs/inode.c linux-3.0.4/fs/ecryptfs/inode.c
old_fs = get_fs();
set_fs(get_ds());
- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
-+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
++ rc = dentry->d_inode->i_op->readlink(dentry, (char __force_user *)buf, len);
set_fs(old_fs);
if (rc < 0) {
kfree(buf);
@@ -38832,9 +39443,30 @@ diff -urNp linux-3.0.4/fs/ecryptfs/miscdev.c linux-3.0.4/fs/ecryptfs/miscdev.c
goto out_unlock_msg_ctx;
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
+diff -urNp linux-3.0.4/fs/ecryptfs/read_write.c linux-3.0.4/fs/ecryptfs/read_write.c
+--- linux-3.0.4/fs/ecryptfs/read_write.c 2011-09-02 18:11:21.000000000 -0400
++++ linux-3.0.4/fs/ecryptfs/read_write.c 2011-10-06 04:17:55.000000000 -0400
+@@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *e
+ return -EIO;
+ fs_save = get_fs();
+ set_fs(get_ds());
+- rc = vfs_write(lower_file, data, size, &offset);
++ rc = vfs_write(lower_file, (const char __force_user *)data, size, &offset);
+ set_fs(fs_save);
+ mark_inode_dirty_sync(ecryptfs_inode);
+ return rc;
+@@ -235,7 +235,7 @@ int ecryptfs_read_lower(char *data, loff
+ return -EIO;
+ fs_save = get_fs();
+ set_fs(get_ds());
+- rc = vfs_read(lower_file, data, size, &offset);
++ rc = vfs_read(lower_file, (char __force_user *)data, size, &offset);
+ set_fs(fs_save);
+ return rc;
+ }
diff -urNp linux-3.0.4/fs/exec.c linux-3.0.4/fs/exec.c
--- linux-3.0.4/fs/exec.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/exec.c 2011-08-25 17:26:58.000000000 -0400
++++ linux-3.0.4/fs/exec.c 2011-10-06 04:17:55.000000000 -0400
@@ -55,12 +55,24 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
@@ -38946,12 +39578,47 @@ diff -urNp linux-3.0.4/fs/exec.c linux-3.0.4/fs/exec.c
{
const char __user *native;
+@@ -424,14 +427,14 @@ static const char __user *get_user_arg_p
+ compat_uptr_t compat;
+
+ if (get_user(compat, argv.ptr.compat + nr))
+- return ERR_PTR(-EFAULT);
++ return (const char __force_user *)ERR_PTR(-EFAULT);
+
+ return compat_ptr(compat);
+ }
+ #endif
+
+ if (get_user(native, argv.ptr.native + nr))
+- return ERR_PTR(-EFAULT);
++ return (const char __force_user *)ERR_PTR(-EFAULT);
+
+ return native;
+ }
+@@ -450,7 +453,7 @@ static int count(struct user_arg_ptr arg
+ if (!p)
+ break;
+
+- if (IS_ERR(p))
++ if (IS_ERR((const char __force_kernel *)p))
+ return -EFAULT;
+
+ if (i++ >= max)
+@@ -484,7 +487,7 @@ static int copy_strings(int argc, struct
+
+ ret = -EFAULT;
+ str = get_user_arg_ptr(argv, argc);
+- if (IS_ERR(str))
++ if (IS_ERR((const char __force_kernel *)str))
+ goto out;
+
+ len = strnlen_user(str, MAX_ARG_STRLEN);
@@ -566,7 +569,7 @@ int copy_strings_kernel(int argc, const
int r;
mm_segment_t oldfs = get_fs();
struct user_arg_ptr argv = {
- .ptr.native = (const char __user *const __user *)__argv,
-+ .ptr.native = (__force const char __user *const __user *)__argv,
++ .ptr.native = (const char __force_user *const __force_user *)__argv,
};
set_fs(KERNEL_DS);
@@ -39044,7 +39711,7 @@ diff -urNp linux-3.0.4/fs/exec.c linux-3.0.4/fs/exec.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- result = vfs_read(file, (void __user *)addr, count, &pos);
-+ result = vfs_read(file, (__force void __user *)addr, count, &pos);
++ result = vfs_read(file, (void __force_user *)addr, count, &pos);
set_fs(old_fs);
return result;
}
@@ -39474,6 +40141,15 @@ diff -urNp linux-3.0.4/fs/exec.c linux-3.0.4/fs/exec.c
fail_unlock:
kfree(cn.corename);
fail_corename:
+@@ -2211,7 +2519,7 @@ fail:
+ */
+ int dump_write(struct file *file, const void *addr, int nr)
+ {
+- return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
++ return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
+ }
+ EXPORT_SYMBOL(dump_write);
+
diff -urNp linux-3.0.4/fs/ext2/balloc.c linux-3.0.4/fs/ext2/balloc.c
--- linux-3.0.4/fs/ext2/balloc.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/fs/ext2/balloc.c 2011-08-23 21:48:14.000000000 -0400
@@ -39498,6 +40174,27 @@ diff -urNp linux-3.0.4/fs/ext3/balloc.c linux-3.0.4/fs/ext3/balloc.c
sbi->s_resuid != current_fsuid() &&
(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
return 0;
+diff -urNp linux-3.0.4/fs/ext3/ioctl.c linux-3.0.4/fs/ext3/ioctl.c
+--- linux-3.0.4/fs/ext3/ioctl.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/fs/ext3/ioctl.c 2011-10-06 04:17:55.000000000 -0400
+@@ -285,7 +285,7 @@ group_add_out:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- if (copy_from_user(&range, (struct fstrim_range *)arg,
++ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
+ sizeof(range)))
+ return -EFAULT;
+
+@@ -293,7 +293,7 @@ group_add_out:
+ if (ret < 0)
+ return ret;
+
+- if (copy_to_user((struct fstrim_range *)arg, &range,
++ if (copy_to_user((struct fstrim_range __user *)arg, &range,
+ sizeof(range)))
+ return -EFAULT;
+
diff -urNp linux-3.0.4/fs/ext4/balloc.c linux-3.0.4/fs/ext4/balloc.c
--- linux-3.0.4/fs/ext4/balloc.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/fs/ext4/balloc.c 2011-08-23 21:48:14.000000000 -0400
@@ -39545,6 +40242,27 @@ diff -urNp linux-3.0.4/fs/ext4/ext4.h linux-3.0.4/fs/ext4/ext4.h
atomic_t s_lock_busy;
/* locality groups */
+diff -urNp linux-3.0.4/fs/ext4/ioctl.c linux-3.0.4/fs/ext4/ioctl.c
+--- linux-3.0.4/fs/ext4/ioctl.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/fs/ext4/ioctl.c 2011-10-06 04:17:55.000000000 -0400
+@@ -344,7 +344,7 @@ mext_out:
+ if (!blk_queue_discard(q))
+ return -EOPNOTSUPP;
+
+- if (copy_from_user(&range, (struct fstrim_range *)arg,
++ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
+ sizeof(range)))
+ return -EFAULT;
+
+@@ -354,7 +354,7 @@ mext_out:
+ if (ret < 0)
+ return ret;
+
+- if (copy_to_user((struct fstrim_range *)arg, &range,
++ if (copy_to_user((struct fstrim_range __user *)arg, &range,
+ sizeof(range)))
+ return -EFAULT;
+
diff -urNp linux-3.0.4/fs/ext4/mballoc.c linux-3.0.4/fs/ext4/mballoc.c
--- linux-3.0.4/fs/ext4/mballoc.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/ext4/mballoc.c 2011-08-23 21:48:14.000000000 -0400
@@ -39672,7 +40390,7 @@ diff -urNp linux-3.0.4/fs/ext4/mballoc.c linux-3.0.4/fs/ext4/mballoc.c
return 0;
diff -urNp linux-3.0.4/fs/fcntl.c linux-3.0.4/fs/fcntl.c
--- linux-3.0.4/fs/fcntl.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/fcntl.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/fcntl.c 2011-10-06 04:17:55.000000000 -0400
@@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
if (err)
return err;
@@ -39685,6 +40403,24 @@ diff -urNp linux-3.0.4/fs/fcntl.c linux-3.0.4/fs/fcntl.c
f_modown(filp, pid, type, force);
return 0;
}
+@@ -266,7 +271,7 @@ pid_t f_getown(struct file *filp)
+
+ static int f_setown_ex(struct file *filp, unsigned long arg)
+ {
+- struct f_owner_ex * __user owner_p = (void * __user)arg;
++ struct f_owner_ex __user *owner_p = (void __user *)arg;
+ struct f_owner_ex owner;
+ struct pid *pid;
+ int type;
+@@ -306,7 +311,7 @@ static int f_setown_ex(struct file *filp
+
+ static int f_getown_ex(struct file *filp, unsigned long arg)
+ {
+- struct f_owner_ex * __user owner_p = (void * __user)arg;
++ struct f_owner_ex __user *owner_p = (void __user *)arg;
+ struct f_owner_ex owner;
+ int ret = 0;
+
@@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
switch (cmd) {
case F_DUPFD:
@@ -41609,7 +42345,7 @@ diff -urNp linux-3.0.4/fs/logfs/super.c linux-3.0.4/fs/logfs/super.c
if (err)
diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
--- linux-3.0.4/fs/namei.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/namei.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/namei.c 2011-10-06 03:40:11.000000000 -0400
@@ -237,21 +237,31 @@ int generic_permission(struct inode *ino
return ret;
@@ -41680,7 +42416,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
return ret;
ok:
-@@ -703,11 +723,19 @@ follow_link(struct path *link, struct na
+@@ -703,11 +723,26 @@ follow_link(struct path *link, struct na
return error;
}
@@ -41692,6 +42428,13 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
+ return error;
+ }
+
++ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
++ error = -ENOENT;
++ *p = ERR_PTR(error); /* no ->put_link(), please */
++ path_put(&nd->path);
++ return error;
++ }
++
nd->last_type = LAST_BIND;
*p = dentry->d_inode->i_op->follow_link(dentry, nd);
error = PTR_ERR(*p);
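Review bot: The `-ENOENT` returned when `gr_acl_handle_hidden_file(dentry, nd->path.mnt)` fails in follow_link is not explained. Presumably it is chosen so that a denied link looks the same as a missing one; a comment such as `/* hidden from this subject: report the link as nonexistent */` would record that. The new block also repeats the `*p = ERR_PTR(error); path_put(&nd->path); return error;` sequence; the `return error;` that closes the preceding check is visible just above it, so the two checks could share one exit path. The earlier check and the rest of follow_link are outside the hunk.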
@@ -41701,7 +42444,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = 0;
if (s)
error = __vfs_follow_link(nd, s);
-@@ -1625,6 +1653,9 @@ static int do_path_lookup(int dfd, const
+@@ -1625,6 +1660,9 @@ static int do_path_lookup(int dfd, const
retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
if (likely(!retval)) {
@@ -41711,7 +42454,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
if (unlikely(!audit_dummy_context())) {
if (nd->path.dentry && nd->inode)
audit_inode(name, nd->path.dentry);
-@@ -1935,6 +1966,30 @@ int vfs_create(struct inode *dir, struct
+@@ -1935,6 +1973,30 @@ int vfs_create(struct inode *dir, struct
return error;
}
@@ -41742,7 +42485,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
static int may_open(struct path *path, int acc_mode, int flag)
{
struct dentry *dentry = path->dentry;
-@@ -1987,7 +2042,27 @@ static int may_open(struct path *path, i
+@@ -1987,7 +2049,27 @@ static int may_open(struct path *path, i
/*
* Ensure there are no outstanding leases on the file.
*/
@@ -41771,7 +42514,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
}
static int handle_truncate(struct file *filp)
-@@ -2013,30 +2088,6 @@ static int handle_truncate(struct file *
+@@ -2013,30 +2095,6 @@ static int handle_truncate(struct file *
}
/*
@@ -41802,7 +42545,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
* Handle the last step of open()
*/
static struct file *do_last(struct nameidata *nd, struct path *path,
-@@ -2045,6 +2096,7 @@ static struct file *do_last(struct namei
+@@ -2045,6 +2103,7 @@ static struct file *do_last(struct namei
struct dentry *dir = nd->path.dentry;
struct dentry *dentry;
int open_flag = op->open_flag;
@@ -41810,7 +42553,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
int will_truncate = open_flag & O_TRUNC;
int want_write = 0;
int acc_mode = op->acc_mode;
-@@ -2132,6 +2184,12 @@ static struct file *do_last(struct namei
+@@ -2132,6 +2191,12 @@ static struct file *do_last(struct namei
/* Negative dentry, just create the file */
if (!dentry->d_inode) {
int mode = op->mode;
@@ -41823,7 +42566,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2155,6 +2213,8 @@ static struct file *do_last(struct namei
+@@ -2155,6 +2220,8 @@ static struct file *do_last(struct namei
error = vfs_create(dir->d_inode, dentry, mode, nd);
if (error)
goto exit_mutex_unlock;
@@ -41832,7 +42575,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
nd->path.dentry = dentry;
-@@ -2164,6 +2224,14 @@ static struct file *do_last(struct namei
+@@ -2164,6 +2231,14 @@ static struct file *do_last(struct namei
/*
* It already exists.
*/
@@ -41847,7 +42590,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path->dentry);
-@@ -2450,6 +2518,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2450,6 +2525,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -41865,7 +42608,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2470,6 +2549,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2470,6 +2556,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -41875,7 +42618,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2522,6 +2604,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2522,6 +2611,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
if (IS_ERR(dentry))
goto out_unlock;
@@ -41887,7 +42630,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2533,6 +2620,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2533,6 +2627,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -41898,7 +42641,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2613,6 +2704,8 @@ static long do_rmdir(int dfd, const char
+@@ -2613,6 +2711,8 @@ static long do_rmdir(int dfd, const char
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -41907,7 +42650,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2641,6 +2734,17 @@ static long do_rmdir(int dfd, const char
+@@ -2641,6 +2741,17 @@ static long do_rmdir(int dfd, const char
error = -ENOENT;
goto exit3;
}
@@ -41925,7 +42668,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2648,6 +2752,8 @@ static long do_rmdir(int dfd, const char
+@@ -2648,6 +2759,8 @@ static long do_rmdir(int dfd, const char
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -41934,7 +42677,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2710,6 +2816,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2710,6 +2823,8 @@ static long do_unlinkat(int dfd, const c
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -41943,7 +42686,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2732,6 +2840,16 @@ static long do_unlinkat(int dfd, const c
+@@ -2732,6 +2847,16 @@ static long do_unlinkat(int dfd, const c
if (!inode)
goto slashes;
ihold(inode);
@@ -41960,7 +42703,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2739,6 +2857,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2739,6 +2864,8 @@ static long do_unlinkat(int dfd, const c
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -41969,7 +42712,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2816,6 +2936,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2816,6 +2943,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (IS_ERR(dentry))
goto out_unlock;
@@ -41981,7 +42724,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2823,6 +2948,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2823,6 +2955,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -41990,7 +42733,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2931,6 +3058,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2931,6 +3065,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -42011,7 +42754,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2938,6 +3079,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2938,6 +3086,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -42020,7 +42763,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -3113,6 +3256,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -3113,6 +3263,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
char *to;
int error;
@@ -42029,7 +42772,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = user_path_parent(olddfd, oldname, &oldnd, &from);
if (error)
goto exit;
-@@ -3169,6 +3314,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -3169,6 +3321,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
if (new_dentry == trap)
goto exit5;
@@ -42042,7 +42785,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -3178,6 +3329,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -3178,6 +3336,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -42052,7 +42795,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -3203,6 +3357,8 @@ SYSCALL_DEFINE2(rename, const char __use
+@@ -3203,6 +3364,8 @@ SYSCALL_DEFINE2(rename, const char __use
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -42061,7 +42804,7 @@ diff -urNp linux-3.0.4/fs/namei.c linux-3.0.4/fs/namei.c
int len;
len = PTR_ERR(link);
-@@ -3212,7 +3368,14 @@ int vfs_readlink(struct dentry *dentry,
+@@ -3212,7 +3375,14 @@ int vfs_readlink(struct dentry *dentry,
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -42257,13 +43000,13 @@ diff -urNp linux-3.0.4/fs/nfsd/nfs4xdr.c linux-3.0.4/fs/nfsd/nfs4xdr.c
BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
diff -urNp linux-3.0.4/fs/nfsd/vfs.c linux-3.0.4/fs/nfsd/vfs.c
--- linux-3.0.4/fs/nfsd/vfs.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/nfsd/vfs.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/fs/nfsd/vfs.c 2011-10-06 04:17:55.000000000 -0400
@@ -896,7 +896,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
} else {
oldfs = get_fs();
set_fs(KERNEL_DS);
- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
-+ host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
++ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
set_fs(oldfs);
}
@@ -42272,7 +43015,7 @@ diff -urNp linux-3.0.4/fs/nfsd/vfs.c linux-3.0.4/fs/nfsd/vfs.c
/* Write the data. */
oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
-+ host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
++ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
set_fs(oldfs);
if (host_err < 0)
goto out_nfserr;
@@ -42281,7 +43024,7 @@ diff -urNp linux-3.0.4/fs/nfsd/vfs.c linux-3.0.4/fs/nfsd/vfs.c
oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = inode->i_op->readlink(dentry, buf, *lenp);
-+ host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
++ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
set_fs(oldfs);
if (host_err < 0)
@@ -43793,7 +44536,7 @@ diff -urNp linux-3.0.4/fs/quota/netlink.c linux-3.0.4/fs/quota/netlink.c
printk(KERN_ERR
diff -urNp linux-3.0.4/fs/readdir.c linux-3.0.4/fs/readdir.c
--- linux-3.0.4/fs/readdir.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/readdir.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/readdir.c 2011-10-06 04:17:55.000000000 -0400
@@ -17,6 +17,7 @@
#include <linux/security.h>
#include <linux/syscalls.h>
@@ -43883,6 +44626,15 @@ diff -urNp linux-3.0.4/fs/readdir.c linux-3.0.4/fs/readdir.c
buf.count = count;
buf.error = 0;
+@@ -299,7 +318,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
+ error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = file->f_pos;
++ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
+ if (__put_user(d_off, &lastdirent->d_off))
+ error = -EFAULT;
+ else
diff -urNp linux-3.0.4/fs/reiserfs/dir.c linux-3.0.4/fs/reiserfs/dir.c
--- linux-3.0.4/fs/reiserfs/dir.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/fs/reiserfs/dir.c 2011-08-23 21:48:14.000000000 -0400
@@ -44105,7 +44857,7 @@ diff -urNp linux-3.0.4/fs/seq_file.c linux-3.0.4/fs/seq_file.c
if (op) {
diff -urNp linux-3.0.4/fs/splice.c linux-3.0.4/fs/splice.c
--- linux-3.0.4/fs/splice.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/splice.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/splice.c 2011-10-06 04:17:55.000000000 -0400
@@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode
pipe_lock(pipe);
@@ -44141,7 +44893,7 @@ diff -urNp linux-3.0.4/fs/splice.c linux-3.0.4/fs/splice.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
-+ res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
++ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
set_fs(old_fs);
return res;
@@ -44150,7 +44902,7 @@ diff -urNp linux-3.0.4/fs/splice.c linux-3.0.4/fs/splice.c
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
- res = vfs_write(file, (const char __user *)buf, count, &pos);
-+ res = vfs_write(file, (__force const char __user *)buf, count, &pos);
++ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
set_fs(old_fs);
return res;
@@ -44168,7 +44920,7 @@ diff -urNp linux-3.0.4/fs/splice.c linux-3.0.4/fs/splice.c
this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
- vec[i].iov_base = (void __user *) page_address(page);
-+ vec[i].iov_base = (__force void __user *) page_address(page);
++ vec[i].iov_base = (void __force_user *) page_address(page);
vec[i].iov_len = this_len;
spd.pages[i] = page;
spd.nr_pages++;
@@ -54992,8 +55744,81 @@ diff -urNp linux-3.0.4/include/linux/compiler-gcc4.h linux-3.0.4/include/linux/c
#if __GNUC_MINOR__ > 0
diff -urNp linux-3.0.4/include/linux/compiler.h linux-3.0.4/include/linux/compiler.h
--- linux-3.0.4/include/linux/compiler.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/include/linux/compiler.h 2011-08-26 19:49:56.000000000 -0400
-@@ -264,6 +264,14 @@ void ftrace_likely_update(struct ftrace_
++++ linux-3.0.4/include/linux/compiler.h 2011-10-06 04:17:55.000000000 -0400
+@@ -5,31 +5,62 @@
+
+ #ifdef __CHECKER__
+ # define __user __attribute__((noderef, address_space(1)))
++# define __force_user __force __user
+ # define __kernel __attribute__((address_space(0)))
++# define __force_kernel __force __kernel
+ # define __safe __attribute__((safe))
+ # define __force __attribute__((force))
+ # define __nocast __attribute__((nocast))
+ # define __iomem __attribute__((noderef, address_space(2)))
++# define __force_iomem __force __iomem
+ # define __acquires(x) __attribute__((context(x,0,1)))
+ # define __releases(x) __attribute__((context(x,1,0)))
+ # define __acquire(x) __context__(x,1)
+ # define __release(x) __context__(x,-1)
+ # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
+ # define __percpu __attribute__((noderef, address_space(3)))
++# define __force_percpu __force __percpu
+ #ifdef CONFIG_SPARSE_RCU_POINTER
+ # define __rcu __attribute__((noderef, address_space(4)))
++# define __force_rcu __force __rcu
+ #else
+ # define __rcu
++# define __force_rcu
+ #endif
+ extern void __chk_user_ptr(const volatile void __user *);
+ extern void __chk_io_ptr(const volatile void __iomem *);
++#elif defined(CHECKER_PLUGIN)
++//# define __user
++//# define __force_user
++//# define __kernel
++//# define __force_kernel
++# define __safe
++# define __force
++# define __nocast
++# define __iomem
++# define __force_iomem
++# define __chk_user_ptr(x) (void)0
++# define __chk_io_ptr(x) (void)0
++# define __builtin_warning(x, y...) (1)
++# define __acquires(x)
++# define __releases(x)
++# define __acquire(x) (void)0
++# define __release(x) (void)0
++# define __cond_lock(x,c) (c)
++# define __percpu
++# define __force_percpu
++# define __rcu
++# define __force_rcu
+ #else
+ # define __user
++# define __force_user
+ # define __kernel
++# define __force_kernel
+ # define __safe
+ # define __force
+ # define __nocast
+ # define __iomem
++# define __force_iomem
+ # define __chk_user_ptr(x) (void)0
+ # define __chk_io_ptr(x) (void)0
+ # define __builtin_warning(x, y...) (1)
+@@ -39,7 +70,9 @@ extern void __chk_io_ptr(const volatile
+ # define __release(x) (void)0
+ # define __cond_lock(x,c) (c)
+ # define __percpu
++# define __force_percpu
+ # define __rcu
++# define __force_rcu
+ #endif
+
+ #ifdef __KERNEL__
+@@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_
# define __attribute_const__ /* unimplemented */
#endif
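Review bot: In the `CHECKER_PLUGIN` branch the four address-space macros `__user`, `__force_user`, `__kernel` and `__force_kernel` are left as commented-out `//# define` lines, so in that configuration this header does not define them at all. Every cast this patch converts to `__force_user` then depends on something else supplying the macro, and nothing here says what. Either define them empty as the final `#else` branch does, or replace the four dead lines with one comment naming the provider, for example `/* __user, __force_user, __kernel, __force_kernel: provided by <provider>, not defined here */`. In the plain `#else` branch the new `__force_*` macros expand to nothing, so they record intent for static analysis and add no runtime check.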
@@ -55008,7 +55833,7 @@ diff -urNp linux-3.0.4/include/linux/compiler.h linux-3.0.4/include/linux/compil
/*
* Tell gcc if a function is cold. The compiler will assume any path
* directly leading to the call is unlikely.
-@@ -273,6 +281,22 @@ void ftrace_likely_update(struct ftrace_
+@@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_
#define __cold
#endif
@@ -55031,7 +55856,7 @@ diff -urNp linux-3.0.4/include/linux/compiler.h linux-3.0.4/include/linux/compil
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -306,6 +330,7 @@ void ftrace_likely_update(struct ftrace_
+@@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_
* use is to mediate communication between process-level code and irq/NMI
* handlers, all running on the same CPU.
*/
@@ -57980,16 +58805,17 @@ diff -urNp linux-3.0.4/include/linux/types.h linux-3.0.4/include/linux/types.h
struct list_head {
diff -urNp linux-3.0.4/include/linux/uaccess.h linux-3.0.4/include/linux/uaccess.h
--- linux-3.0.4/include/linux/uaccess.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/include/linux/uaccess.h 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/include/linux/uaccess.h 2011-10-06 04:17:55.000000000 -0400
@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
long ret; \
mm_segment_t old_fs = get_fs(); \
\
- set_fs(KERNEL_DS); \
pagefault_disable(); \
-+ set_fs(KERNEL_DS); \
- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
+- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
- pagefault_enable(); \
++ set_fs(KERNEL_DS); \
++ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
set_fs(old_fs); \
+ pagefault_enable(); \
ret; \
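Review bot: Nothing in this macro records why `set_fs(KERNEL_DS)` now sits inside the `pagefault_disable()` / `pagefault_enable()` pair instead of around it, as in the removed lines. The order looks deliberate, since `pagefault_enable()` was also moved after `set_fs(old_fs)`, but a later merge against upstream could quietly undo it. A short comment on the first statement, e.g. `/* widen the address limit only while page faults are disabled */ \`, would state the intent. The reason itself should be confirmed with the patch authors, and the macro begins and ends outside the hunk.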
@@ -58735,16 +59561,21 @@ diff -urNp linux-3.0.4/include/video/uvesafb.h linux-3.0.4/include/video/uvesafb
u8 *vbe_state_orig; /*
diff -urNp linux-3.0.4/init/do_mounts.c linux-3.0.4/init/do_mounts.c
--- linux-3.0.4/init/do_mounts.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/do_mounts.c 2011-08-23 21:47:56.000000000 -0400
-@@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
++++ linux-3.0.4/init/do_mounts.c 2011-10-06 04:17:55.000000000 -0400
+@@ -287,11 +287,11 @@ static void __init get_fs_names(char *pa
static int __init do_mount_root(char *name, char *fs, int flags, void *data)
{
- int err = sys_mount(name, "/root", fs, flags, data);
-+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
++ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
if (err)
return err;
+- sys_chdir((const char __user __force *)"/root");
++ sys_chdir((const char __force_user*)"/root");
+ ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
+ printk(KERN_INFO
+ "VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
@@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
va_start(args, fmt);
vsprintf(buf, fmt, args);
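Review bot: The added `sys_chdir((const char __force_user*)"/root");` is written without a space before the `*`, unlike the `sys_mount()` casts just above it and every other `__force_user *` cast visible in this patch. Writing it as `sys_chdir((const char __force_user *)"/root");` keeps the converted call sites uniform and easy to search for. do_mount_root() continues past the hunk.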
@@ -58772,20 +59603,21 @@ diff -urNp linux-3.0.4/init/do_mounts.c linux-3.0.4/init/do_mounts.c
out:
devtmpfs_mount("dev");
- sys_mount(".", "/", NULL, MS_MOVE, NULL);
-+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
- sys_chroot((const char __user __force *)".");
+- sys_chroot((const char __user __force *)".");
++ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
++ sys_chroot((const char __force_user *)".");
}
diff -urNp linux-3.0.4/init/do_mounts.h linux-3.0.4/init/do_mounts.h
--- linux-3.0.4/init/do_mounts.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/do_mounts.h 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/init/do_mounts.h 2011-10-06 04:17:55.000000000 -0400
@@ -15,15 +15,15 @@ extern int root_mountflags;
static inline int create_dev(char *name, dev_t dev)
{
- sys_unlink(name);
- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
-+ sys_unlink((__force char __user *)name);
-+ return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
++ sys_unlink((char __force_user *)name);
++ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
}
#if BITS_PER_LONG == 32
@@ -58793,13 +59625,22 @@ diff -urNp linux-3.0.4/init/do_mounts.h linux-3.0.4/init/do_mounts.h
{
struct stat64 stat;
- if (sys_stat64(name, &stat) != 0)
-+ if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
++ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
+ return 0;
+ if (!S_ISBLK(stat.st_mode))
+ return 0;
+@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
+ static inline u32 bstat(char *name)
+ {
+ struct stat stat;
+- if (sys_newstat(name, &stat) != 0)
++ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
return 0;
if (!S_ISBLK(stat.st_mode))
return 0;
diff -urNp linux-3.0.4/init/do_mounts_initrd.c linux-3.0.4/init/do_mounts_initrd.c
--- linux-3.0.4/init/do_mounts_initrd.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/do_mounts_initrd.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/init/do_mounts_initrd.c 2011-10-06 04:17:55.000000000 -0400
@@ -44,13 +44,13 @@ static void __init handle_initrd(void)
create_dev("/dev/root.old", Root_RAM0);
/* mount initrd on rootfs' /root */
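Review bot: The two `bstat()` variants in this hunk cast the same `name` argument differently: `sys_stat64((char __force_user *)name, ...)` drops `const` while `sys_newstat((const char __force_user *)name, ...)` keeps it. Assuming both syscalls take a `const char __user *` path, the first should read `(const char __force_user *)name`, so that the cast changes only the address space and not the qualifier. The same mix shows up in the do_mounts_md.c hunks, where `sys_open((char __force_user *)name, 0, 0)` sits next to `sys_open((const char __force_user *) "/dev/md0", 0, 0)`.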
@@ -58807,16 +59648,16 @@ diff -urNp linux-3.0.4/init/do_mounts_initrd.c linux-3.0.4/init/do_mounts_initrd
- sys_mkdir("/old", 0700);
- root_fd = sys_open("/", 0, 0);
- old_fd = sys_open("/old", 0, 0);
-+ sys_mkdir((__force const char __user *)"/old", 0700);
-+ root_fd = sys_open((__force const char __user *)"/", 0, 0);
-+ old_fd = sys_open((__force const char __user *)"/old", 0, 0);
++ sys_mkdir((const char __force_user *)"/old", 0700);
++ root_fd = sys_open((const char __force_user *)"/", 0, 0);
++ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
/* move initrd over / and chdir/chroot in initrd root */
- sys_chdir("/root");
- sys_mount(".", "/", NULL, MS_MOVE, NULL);
- sys_chroot(".");
-+ sys_chdir((__force const char __user *)"/root");
-+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
-+ sys_chroot((__force const char __user *)".");
++ sys_chdir((const char __force_user *)"/root");
++ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
++ sys_chroot((const char __force_user *)".");
/*
* In case that a resume from disk is carried out by linuxrc or one of
@@ -58825,17 +59666,17 @@ diff -urNp linux-3.0.4/init/do_mounts_initrd.c linux-3.0.4/init/do_mounts_initrd
/* move initrd to rootfs' /old */
sys_fchdir(old_fd);
- sys_mount("/", ".", NULL, MS_MOVE, NULL);
-+ sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
++ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
/* switch root and cwd back to / of rootfs */
sys_fchdir(root_fd);
- sys_chroot(".");
-+ sys_chroot((__force const char __user *)".");
++ sys_chroot((const char __force_user *)".");
sys_close(old_fd);
sys_close(root_fd);
if (new_decode_dev(real_root_dev) == Root_RAM0) {
- sys_chdir("/old");
-+ sys_chdir((__force const char __user *)"/old");
++ sys_chdir((const char __force_user *)"/old");
return;
}
@@ -58844,19 +59685,19 @@ diff -urNp linux-3.0.4/init/do_mounts_initrd.c linux-3.0.4/init/do_mounts_initrd
printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
-+ error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
++ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
if (!error)
printk("okay\n");
else {
- int fd = sys_open("/dev/root.old", O_RDWR, 0);
-+ int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
++ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
if (error == -ENOENT)
printk("/initrd does not exist. Ignored.\n");
else
printk("failed\n");
printk(KERN_NOTICE "Unmounting old root\n");
- sys_umount("/old", MNT_DETACH);
-+ sys_umount((__force char __user *)"/old", MNT_DETACH);
++ sys_umount((char __force_user *)"/old", MNT_DETACH);
printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
if (fd < 0) {
error = fd;
@@ -58865,24 +59706,24 @@ diff -urNp linux-3.0.4/init/do_mounts_initrd.c linux-3.0.4/init/do_mounts_initrd
*/
if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
- sys_unlink("/initrd.image");
-+ sys_unlink((__force const char __user *)"/initrd.image");
++ sys_unlink((const char __force_user *)"/initrd.image");
handle_initrd();
return 1;
}
}
- sys_unlink("/initrd.image");
-+ sys_unlink((__force const char __user *)"/initrd.image");
++ sys_unlink((const char __force_user *)"/initrd.image");
return 0;
}
diff -urNp linux-3.0.4/init/do_mounts_md.c linux-3.0.4/init/do_mounts_md.c
--- linux-3.0.4/init/do_mounts_md.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/do_mounts_md.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/init/do_mounts_md.c 2011-10-06 04:17:55.000000000 -0400
@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
partitioned ? "_d" : "", minor,
md_setup_args[ent].device_names);
- fd = sys_open(name, 0, 0);
-+ fd = sys_open((__force char __user *)name, 0, 0);
++ fd = sys_open((char __force_user *)name, 0, 0);
if (fd < 0) {
printk(KERN_ERR "md: open failed - cannot start "
"array %s\n", name);
@@ -58891,13 +59732,22 @@ diff -urNp linux-3.0.4/init/do_mounts_md.c linux-3.0.4/init/do_mounts_md.c
*/
sys_close(fd);
- fd = sys_open(name, 0, 0);
-+ fd = sys_open((__force char __user *)name, 0, 0);
++ fd = sys_open((char __force_user *)name, 0, 0);
sys_ioctl(fd, BLKRRPART, 0);
}
sys_close(fd);
+@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
+
+ wait_for_device_probe();
+
+- fd = sys_open((const char __user __force *) "/dev/md0", 0, 0);
++ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
+ if (fd >= 0) {
+ sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
+ sys_close(fd);
diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
--- linux-3.0.4/init/initramfs.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/initramfs.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/init/initramfs.c 2011-10-06 04:17:55.000000000 -0400
@@ -74,7 +74,7 @@ static void __init free_hash(void)
}
}
@@ -58912,7 +59762,7 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
list_for_each_entry_safe(de, tmp, &dir_list, list) {
list_del(&de->list);
- do_utime(de->name, de->mtime);
-+ do_utime((__force char __user *)de->name, de->mtime);
++ do_utime((char __force_user *)de->name, de->mtime);
kfree(de->name);
kfree(de);
}
@@ -58921,7 +59771,7 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
char *old = find_link(major, minor, ino, mode, collected);
if (old)
- return (sys_link(old, collected) < 0) ? -1 : 1;
-+ return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
++ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
}
return 0;
}
@@ -58930,13 +59780,13 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
struct stat st;
- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
-+ if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
++ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
if (S_ISDIR(st.st_mode))
- sys_rmdir(path);
-+ sys_rmdir((__force char __user *)path);
++ sys_rmdir((char __force_user *)path);
else
- sys_unlink(path);
-+ sys_unlink((__force char __user *)path);
++ sys_unlink((char __force_user *)path);
}
}
@@ -58945,7 +59795,7 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
if (ml != 1)
openflags |= O_TRUNC;
- wfd = sys_open(collected, openflags, mode);
-+ wfd = sys_open((__force char __user *)collected, openflags, mode);
++ wfd = sys_open((char __force_user *)collected, openflags, mode);
if (wfd >= 0) {
sys_fchown(wfd, uid, gid);
@@ -58956,9 +59806,9 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
- sys_mkdir(collected, mode);
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
-+ sys_mkdir((__force char __user *)collected, mode);
-+ sys_chown((__force char __user *)collected, uid, gid);
-+ sys_chmod((__force char __user *)collected, mode);
++ sys_mkdir((char __force_user *)collected, mode);
++ sys_chown((char __force_user *)collected, uid, gid);
++ sys_chmod((char __force_user *)collected, mode);
dir_add(collected, mtime);
} else if (S_ISBLK(mode) || S_ISCHR(mode) ||
S_ISFIFO(mode) || S_ISSOCK(mode)) {
@@ -58967,10 +59817,10 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
- do_utime(collected, mtime);
-+ sys_mknod((__force char __user *)collected, mode, rdev);
-+ sys_chown((__force char __user *)collected, uid, gid);
-+ sys_chmod((__force char __user *)collected, mode);
-+ do_utime((__force char __user *)collected, mtime);
++ sys_mknod((char __force_user *)collected, mode, rdev);
++ sys_chown((char __force_user *)collected, uid, gid);
++ sys_chmod((char __force_user *)collected, mode);
++ do_utime((char __force_user *)collected, mtime);
}
}
return 0;
@@ -58979,17 +59829,17 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
{
if (count >= body_len) {
- sys_write(wfd, victim, body_len);
-+ sys_write(wfd, (__force char __user *)victim, body_len);
++ sys_write(wfd, (char __force_user *)victim, body_len);
sys_close(wfd);
- do_utime(vcollected, mtime);
-+ do_utime((__force char __user *)vcollected, mtime);
++ do_utime((char __force_user *)vcollected, mtime);
kfree(vcollected);
eat(body_len);
state = SkipIt;
return 0;
} else {
- sys_write(wfd, victim, count);
-+ sys_write(wfd, (__force char __user *)victim, count);
++ sys_write(wfd, (char __force_user *)victim, count);
body_len -= count;
eat(count);
return 1;
@@ -59000,9 +59850,9 @@ diff -urNp linux-3.0.4/init/initramfs.c linux-3.0.4/init/initramfs.c
- sys_symlink(collected + N_ALIGN(name_len), collected);
- sys_lchown(collected, uid, gid);
- do_utime(collected, mtime);
-+ sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
-+ sys_lchown((__force char __user *)collected, uid, gid);
-+ do_utime((__force char __user *)collected, mtime);
++ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
++ sys_lchown((char __force_user *)collected, uid, gid);
++ do_utime((char __force_user *)collected, mtime);
state = SkipIt;
next_state = Reset;
return 0;
@@ -59020,7 +59870,7 @@ diff -urNp linux-3.0.4/init/Kconfig linux-3.0.4/init/Kconfig
also breaks ancient binaries (including anything libc5 based).
diff -urNp linux-3.0.4/init/main.c linux-3.0.4/init/main.c
--- linux-3.0.4/init/main.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/init/main.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/init/main.c 2011-10-06 04:17:55.000000000 -0400
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
extern void tc_init(void);
#endif
@@ -59113,7 +59963,7 @@ diff -urNp linux-3.0.4/init/main.c linux-3.0.4/init/main.c
/* Open the /dev/console on the rootfs, this should never fail */
- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
-+ if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
++ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
@@ -59122,7 +59972,7 @@ diff -urNp linux-3.0.4/init/main.c linux-3.0.4/init/main.c
ramdisk_execute_command = "/init";
- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
-+ if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
++ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
ramdisk_execute_command = NULL;
prepare_namespace();
}
@@ -59311,13 +60161,13 @@ diff -urNp linux-3.0.4/ipc/shm.c linux-3.0.4/ipc/shm.c
diff -urNp linux-3.0.4/kernel/acct.c linux-3.0.4/kernel/acct.c
--- linux-3.0.4/kernel/acct.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/kernel/acct.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/kernel/acct.c 2011-10-06 04:17:55.000000000 -0400
@@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
*/
flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
- file->f_op->write(file, (char *)&ac,
-+ file->f_op->write(file, (__force char __user *)&ac,
++ file->f_op->write(file, (char __force_user *)&ac,
sizeof(acct_t), &file->f_pos);
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
@@ -59458,7 +60308,7 @@ diff -urNp linux-3.0.4/kernel/cgroup.c linux-3.0.4/kernel/cgroup.c
read_lock(&css_set_lock);
diff -urNp linux-3.0.4/kernel/compat.c linux-3.0.4/kernel/compat.c
--- linux-3.0.4/kernel/compat.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/kernel/compat.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/kernel/compat.c 2011-10-06 04:17:55.000000000 -0400
@@ -13,6 +13,7 @@
#include <linux/linkage.h>
@@ -59467,6 +60317,163 @@ diff -urNp linux-3.0.4/kernel/compat.c linux-3.0.4/kernel/compat.c
#include <linux/errno.h>
#include <linux/time.h>
#include <linux/signal.h>
+@@ -166,7 +167,7 @@ static long compat_nanosleep_restart(str
+ mm_segment_t oldfs;
+ long ret;
+
+- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
++ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep_restart(restart);
+@@ -198,7 +199,7 @@ asmlinkage long compat_sys_nanosleep(str
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep(&tu,
+- rmtp ? (struct timespec __user *)&rmt : NULL,
++ rmtp ? (struct timespec __force_user *)&rmt : NULL,
+ HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+ set_fs(oldfs);
+
+@@ -307,7 +308,7 @@ asmlinkage long compat_sys_sigpending(co
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_sigpending((old_sigset_t __user *) &s);
++ ret = sys_sigpending((old_sigset_t __force_user *) &s);
+ set_fs(old_fs);
+ if (ret == 0)
+ ret = put_user(s, set);
+@@ -330,8 +331,8 @@ asmlinkage long compat_sys_sigprocmask(i
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = sys_sigprocmask(how,
+- set ? (old_sigset_t __user *) &s : NULL,
+- oset ? (old_sigset_t __user *) &s : NULL);
++ set ? (old_sigset_t __force_user *) &s : NULL,
++ oset ? (old_sigset_t __force_user *) &s : NULL);
+ set_fs(old_fs);
+ if (ret == 0)
+ if (oset)
+@@ -368,7 +369,7 @@ asmlinkage long compat_sys_old_getrlimit
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_old_getrlimit(resource, &r);
++ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
+ set_fs(old_fs);
+
+ if (!ret) {
+@@ -440,7 +441,7 @@ asmlinkage long compat_sys_getrusage(int
+ mm_segment_t old_fs = get_fs();
+
+ set_fs(KERNEL_DS);
+- ret = sys_getrusage(who, (struct rusage __user *) &r);
++ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
+ set_fs(old_fs);
+
+ if (ret)
+@@ -467,8 +468,8 @@ compat_sys_wait4(compat_pid_t pid, compa
+ set_fs (KERNEL_DS);
+ ret = sys_wait4(pid,
+ (stat_addr ?
+- (unsigned int __user *) &status : NULL),
+- options, (struct rusage __user *) &r);
++ (unsigned int __force_user *) &status : NULL),
++ options, (struct rusage __force_user *) &r);
+ set_fs (old_fs);
+
+ if (ret > 0) {
+@@ -493,8 +494,8 @@ asmlinkage long compat_sys_waitid(int wh
+ memset(&info, 0, sizeof(info));
+
+ set_fs(KERNEL_DS);
+- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
+- uru ? (struct rusage __user *)&ru : NULL);
++ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
++ uru ? (struct rusage __force_user *)&ru : NULL);
+ set_fs(old_fs);
+
+ if ((ret < 0) || (info.si_signo == 0))
+@@ -624,8 +625,8 @@ long compat_sys_timer_settime(timer_t ti
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_timer_settime(timer_id, flags,
+- (struct itimerspec __user *) &newts,
+- (struct itimerspec __user *) &oldts);
++ (struct itimerspec __force_user *) &newts,
++ (struct itimerspec __force_user *) &oldts);
+ set_fs(oldfs);
+ if (!err && old && put_compat_itimerspec(old, &oldts))
+ return -EFAULT;
+@@ -642,7 +643,7 @@ long compat_sys_timer_gettime(timer_t ti
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_timer_gettime(timer_id,
+- (struct itimerspec __user *) &ts);
++ (struct itimerspec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && put_compat_itimerspec(setting, &ts))
+ return -EFAULT;
+@@ -661,7 +662,7 @@ long compat_sys_clock_settime(clockid_t
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_settime(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ return err;
+ }
+@@ -676,7 +677,7 @@ long compat_sys_clock_gettime(clockid_t
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_gettime(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && put_compat_timespec(&ts, tp))
+ return -EFAULT;
+@@ -696,7 +697,7 @@ long compat_sys_clock_adjtime(clockid_t
+
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
++ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
+ set_fs(oldfs);
+
+ err = compat_put_timex(utp, &txc);
+@@ -716,7 +717,7 @@ long compat_sys_clock_getres(clockid_t w
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_getres(which_clock,
+- (struct timespec __user *) &ts);
++ (struct timespec __force_user *) &ts);
+ set_fs(oldfs);
+ if (!err && tp && put_compat_timespec(&ts, tp))
+ return -EFAULT;
+@@ -728,9 +729,9 @@ static long compat_clock_nanosleep_resta
+ long err;
+ mm_segment_t oldfs;
+ struct timespec tu;
+- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
++ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
+
+- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
++ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = clock_nanosleep_restart(restart);
+@@ -762,8 +763,8 @@ long compat_sys_clock_nanosleep(clockid_
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ err = sys_clock_nanosleep(which_clock, flags,
+- (struct timespec __user *) &in,
+- (struct timespec __user *) &out);
++ (struct timespec __force_user *) &in,
++ (struct timespec __force_user *) &out);
+ set_fs(oldfs);
+
+ if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
diff -urNp linux-3.0.4/kernel/configs.c linux-3.0.4/kernel/configs.c
--- linux-3.0.4/kernel/configs.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/kernel/configs.c 2011-08-23 21:48:14.000000000 -0400
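Review bot: The two restart handlers store a kernel stack address in `restart->nanosleep.rmtp`, a field the cast declares to be a user pointer, and neither assignment says why that is safe. In `compat_nanosleep_restart` and `compat_clock_nanosleep_restart` the visible lines do switch to `KERNEL_DS` before the callee runs, so a one-line comment above each assignment would record the dependency, for example `/* kernel stack address; the callee may only use it under KERNEL_DS */`. Unlike the other casts in this hunk, which are passed straight into a call, this pointer stays in the restart block after the statement. Both function bodies continue past the hunk, so whether the field is overwritten before it can be used again should be checked there.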
@@ -60538,9 +61545,22 @@ diff -urNp linux-3.0.4/kernel/kallsyms.c linux-3.0.4/kernel/kallsyms.c
if (!iter)
return -ENOMEM;
reset_iter(iter, 0);
+diff -urNp linux-3.0.4/kernel/kexec.c linux-3.0.4/kernel/kexec.c
+--- linux-3.0.4/kernel/kexec.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/kernel/kexec.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1033,7 +1033,8 @@ asmlinkage long compat_sys_kexec_load(un
+ unsigned long flags)
+ {
+ struct compat_kexec_segment in;
+- struct kexec_segment out, __user *ksegments;
++ struct kexec_segment out;
++ struct kexec_segment __user *ksegments;
+ unsigned long i, result;
+
+ /* Don't allow clients that don't understand the native
diff -urNp linux-3.0.4/kernel/kmod.c linux-3.0.4/kernel/kmod.c
--- linux-3.0.4/kernel/kmod.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/kernel/kmod.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/kernel/kmod.c 2011-10-06 04:17:55.000000000 -0400
@@ -73,13 +73,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
* If module auto-loading support is disabled then this function
* becomes a no-operation.
@@ -60637,6 +61657,15 @@ diff -urNp linux-3.0.4/kernel/kmod.c linux-3.0.4/kernel/kmod.c
EXPORT_SYMBOL(__request_module);
#endif /* CONFIG_MODULES */
+@@ -220,7 +272,7 @@ static int wait_for_helper(void *data)
+ *
+ * Thus the __user pointer cast is valid here.
+ */
+- sys_wait4(pid, (int __user *)&ret, 0, NULL);
++ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
+
+ /*
+ * If ret is 0, either ____call_usermodehelper failed and the
diff -urNp linux-3.0.4/kernel/kprobes.c linux-3.0.4/kernel/kprobes.c
--- linux-3.0.4/kernel/kprobes.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/kernel/kprobes.c 2011-08-23 21:47:56.000000000 -0400
@@ -62816,7 +63845,7 @@ diff -urNp linux-3.0.4/kernel/softirq.c linux-3.0.4/kernel/softirq.c
diff -urNp linux-3.0.4/kernel/sys.c linux-3.0.4/kernel/sys.c
--- linux-3.0.4/kernel/sys.c 2011-09-02 18:11:26.000000000 -0400
-+++ linux-3.0.4/kernel/sys.c 2011-08-29 23:26:27.000000000 -0400
++++ linux-3.0.4/kernel/sys.c 2011-10-06 04:17:55.000000000 -0400
@@ -158,6 +158,12 @@ static int set_one_prio(struct task_stru
error = -EACCES;
goto out;
@@ -62952,6 +63981,31 @@ diff -urNp linux-3.0.4/kernel/sys.c linux-3.0.4/kernel/sys.c
abort_creds(new);
return old_fsgid;
+@@ -1205,19 +1248,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_
+ return -EFAULT;
+
+ down_read(&uts_sem);
+- error = __copy_to_user(&name->sysname, &utsname()->sysname,
++ error = __copy_to_user(name->sysname, &utsname()->sysname,
+ __OLD_UTS_LEN);
+ error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
++ error |= __copy_to_user(name->nodename, &utsname()->nodename,
+ __OLD_UTS_LEN);
+ error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->release, &utsname()->release,
++ error |= __copy_to_user(name->release, &utsname()->release,
+ __OLD_UTS_LEN);
+ error |= __put_user(0, name->release + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->version, &utsname()->version,
++ error |= __copy_to_user(name->version, &utsname()->version,
+ __OLD_UTS_LEN);
+ error |= __put_user(0, name->version + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->machine, &utsname()->machine,
++ error |= __copy_to_user(name->machine, &utsname()->machine,
+ __OLD_UTS_LEN);
+ error |= __put_user(0, name->machine + __OLD_UTS_LEN);
+ up_read(&uts_sem);
@@ -1680,7 +1723,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
error = get_dumpable(me->mm);
break;
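Review bot: The copies in this `olduname` hunk now pass the destination as `name->sysname` but still pass the source as `&utsname()->sysname`, so the two arguments of each `__copy_to_user()` call are written in different forms for the same kind of array member. Both forms resolve to the same address, but the leftover pointer-to-array source reads as if the difference were intentional. `__copy_to_user(name->sysname, utsname()->sysname,` would match the destination and the `__put_user(0, name->sysname + __OLD_UTS_LEN)` line that follows. The same applies to the nodename, release, version and machine copies, and the function starts and ends outside the hunk.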
@@ -62961,6 +64015,72 @@ diff -urNp linux-3.0.4/kernel/sys.c linux-3.0.4/kernel/sys.c
error = -EINVAL;
break;
}
+diff -urNp linux-3.0.4/kernel/sysctl_binary.c linux-3.0.4/kernel/sysctl_binary.c
+--- linux-3.0.4/kernel/sysctl_binary.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/kernel/sysctl_binary.c 2011-10-06 04:17:55.000000000 -0400
+@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *f
+ int i;
+
+ set_fs(KERNEL_DS);
+- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
++ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out_kfree;
+@@ -1034,7 +1034,7 @@ static ssize_t bin_intvec(struct file *f
+ }
+
+ set_fs(KERNEL_DS);
+- result = vfs_write(file, buffer, str - buffer, &pos);
++ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out_kfree;
+@@ -1067,7 +1067,7 @@ static ssize_t bin_ulongvec(struct file
+ int i;
+
+ set_fs(KERNEL_DS);
+- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
++ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out_kfree;
+@@ -1112,7 +1112,7 @@ static ssize_t bin_ulongvec(struct file
+ }
+
+ set_fs(KERNEL_DS);
+- result = vfs_write(file, buffer, str - buffer, &pos);
++ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out_kfree;
+@@ -1138,7 +1138,7 @@ static ssize_t bin_uuid(struct file *fil
+ int i;
+
+ set_fs(KERNEL_DS);
+- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
++ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out;
+@@ -1185,7 +1185,7 @@ static ssize_t bin_dn_node_address(struc
+ __le16 dnaddr;
+
+ set_fs(KERNEL_DS);
+- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
++ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out;
+@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struc
+ le16_to_cpu(dnaddr) & 0x3ff);
+
+ set_fs(KERNEL_DS);
+- result = vfs_write(file, buf, len, &pos);
++ result = vfs_write(file, (const char __force_user *)buf, len, &pos);
+ set_fs(old_fs);
+ if (result < 0)
+ goto out;
diff -urNp linux-3.0.4/kernel/sysctl.c linux-3.0.4/kernel/sysctl.c
--- linux-3.0.4/kernel/sysctl.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/kernel/sysctl.c 2011-08-23 21:48:14.000000000 -0400
@@ -63532,6 +64652,45 @@ diff -urNp linux-3.0.4/kernel/trace/trace_events.c linux-3.0.4/kernel/trace/trac
}
}
+diff -urNp linux-3.0.4/kernel/trace/trace_kprobe.c linux-3.0.4/kernel/trace/trace_kprobe.c
+--- linux-3.0.4/kernel/trace/trace_kprobe.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/kernel/trace/trace_kprobe.c 2011-10-06 04:17:55.000000000 -0400
+@@ -217,7 +217,7 @@ static __kprobes void FETCH_FUNC_NAME(me
+ long ret;
+ int maxlen = get_rloc_len(*(u32 *)dest);
+ u8 *dst = get_rloc_data(dest);
+- u8 *src = addr;
++ const u8 __user *src = (const u8 __force_user *)addr;
+ mm_segment_t old_fs = get_fs();
+ if (!maxlen)
+ return;
+@@ -229,7 +229,7 @@ static __kprobes void FETCH_FUNC_NAME(me
+ pagefault_disable();
+ do
+ ret = __copy_from_user_inatomic(dst++, src++, 1);
+- while (dst[-1] && ret == 0 && src - (u8 *)addr < maxlen);
++ while (dst[-1] && ret == 0 && src - (const u8 __force_user *)addr < maxlen);
+ dst[-1] = '\0';
+ pagefault_enable();
+ set_fs(old_fs);
+@@ -238,7 +238,7 @@ static __kprobes void FETCH_FUNC_NAME(me
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
+ *(u32 *)dest = make_data_rloc(0, get_rloc_offs(*(u32 *)dest));
+ } else
+- *(u32 *)dest = make_data_rloc(src - (u8 *)addr,
++ *(u32 *)dest = make_data_rloc(src - (const u8 __force_user *)addr,
+ get_rloc_offs(*(u32 *)dest));
+ }
+ /* Return the length of string -- including null terminal byte */
+@@ -252,7 +252,7 @@ static __kprobes void FETCH_FUNC_NAME(me
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+ do {
+- ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
++ ret = __copy_from_user_inatomic(&c, (const u8 __force_user *)addr + len, 1);
+ len++;
+ } while (c && ret == 0 && len < MAX_STRING_SIZE);
+ pagefault_enable();
diff -urNp linux-3.0.4/kernel/trace/trace_mmiotrace.c linux-3.0.4/kernel/trace/trace_mmiotrace.c
--- linux-3.0.4/kernel/trace/trace_mmiotrace.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/kernel/trace/trace_mmiotrace.c 2011-08-23 21:47:56.000000000 -0400
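Review bot: In the string fetch routine of kernel/trace/trace_kprobe.c the cast `(const u8 __force_user *)addr` is now written three times (the `src` initialiser, the loop bound and the `make_data_rloc()` argument), and every `__force` cast is a spot where address-space checking is switched off. Casting once keeps the override in a single auditable place: `const u8 __user *start = (const u8 __force_user *)addr, *src = start;`, then `src - start < maxlen` and `make_data_rloc(src - start, ...)`. A one-line comment that `addr` is presumably a kernel address, treated as `__user` only between `set_fs(KERNEL_DS)` and `set_fs(old_fs)`, would also help. The `set_fs(KERNEL_DS)` call of this routine and the start and end of both functions lie outside the quoted hunks.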
@@ -63625,6 +64784,45 @@ diff -urNp linux-3.0.4/kernel/trace/trace_workqueue.c linux-3.0.4/kernel/trace/t
tsk->comm);
put_task_struct(tsk);
}
+diff -urNp linux-3.0.4/lib/bitmap.c linux-3.0.4/lib/bitmap.c
+--- linux-3.0.4/lib/bitmap.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/lib/bitmap.c 2011-10-06 04:17:55.000000000 -0400
+@@ -421,7 +421,7 @@ int __bitmap_parse(const char *buf, unsi
+ {
+ int c, old_c, totaldigits, ndigits, nchunks, nbits;
+ u32 chunk;
+- const char __user *ubuf = buf;
++ const char __user *ubuf = (const char __force_user *)buf;
+
+ bitmap_zero(maskp, nmaskbits);
+
+@@ -506,7 +506,7 @@ int bitmap_parse_user(const char __user
+ {
+ if (!access_ok(VERIFY_READ, ubuf, ulen))
+ return -EFAULT;
+- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
++ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
+ }
+ EXPORT_SYMBOL(bitmap_parse_user);
+
+@@ -596,7 +596,7 @@ static int __bitmap_parselist(const char
+ {
+ unsigned a, b;
+ int c, old_c, totaldigits;
+- const char __user *ubuf = buf;
++ const char __user *ubuf = (const char __force_user *)buf;
+ int exp_digit, in_range;
+
+ totaldigits = c = 0;
+@@ -696,7 +696,7 @@ int bitmap_parselist_user(const char __u
+ {
+ if (!access_ok(VERIFY_READ, ubuf, ulen))
+ return -EFAULT;
+- return __bitmap_parselist((const char *)ubuf,
++ return __bitmap_parselist((const char __force_kernel *)ubuf,
+ ulen, 1, maskp, nmaskbits);
+ }
+ EXPORT_SYMBOL(bitmap_parselist_user);
diff -urNp linux-3.0.4/lib/bug.c linux-3.0.4/lib/bug.c
--- linux-3.0.4/lib/bug.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/lib/bug.c 2011-08-23 21:47:56.000000000 -0400
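Review bot: `bitmap_parse_user()` and `bitmap_parselist_user()` in lib/bitmap.c relabel a user pointer as kernel with `__force_kernel`, and `__bitmap_parse()` / `__bitmap_parselist()` relabel the same `buf` back with `__force_user` unconditionally. The annotation checker is therefore silenced on both the kernel and the user path. What separates a user dereference from a kernel one is then only the literal `1` passed as third argument, presumably the is-user flag, whose use is outside the hunks. That contract deserves a comment at the two `ubuf` declarations, for example `/* buf is a user address only when the caller passed is_user != 0; ubuf must not be dereferenced otherwise */`. The `access_ok(VERIFY_READ, ubuf, ulen)` check stays ahead of the cast in both wrappers and should remain there.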
@@ -63649,6 +64847,27 @@ diff -urNp linux-3.0.4/lib/debugobjects.c linux-3.0.4/lib/debugobjects.c
if (is_on_stack == onstack)
return;
+diff -urNp linux-3.0.4/lib/devres.c linux-3.0.4/lib/devres.c
+--- linux-3.0.4/lib/devres.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/lib/devres.c 2011-10-06 04:17:55.000000000 -0400
+@@ -81,7 +81,7 @@ void devm_iounmap(struct device *dev, vo
+ {
+ iounmap(addr);
+ WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
+- (void *)addr));
++ (void __force *)addr));
+ }
+ EXPORT_SYMBOL(devm_iounmap);
+
+@@ -141,7 +141,7 @@ void devm_ioport_unmap(struct device *de
+ {
+ ioport_unmap(addr);
+ WARN_ON(devres_destroy(dev, devm_ioport_map_release,
+- devm_ioport_map_match, (void *)addr));
++ devm_ioport_map_match, (void __force *)addr));
+ }
+ EXPORT_SYMBOL(devm_ioport_unmap);
+
diff -urNp linux-3.0.4/lib/dma-debug.c linux-3.0.4/lib/dma-debug.c
--- linux-3.0.4/lib/dma-debug.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/lib/dma-debug.c 2011-08-23 21:47:56.000000000 -0400
@@ -63833,7 +65052,7 @@ diff -urNp linux-3.0.4/localversion-grsec linux-3.0.4/localversion-grsec
+-grsec
diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
--- linux-3.0.4/Makefile 2011-09-02 18:11:26.000000000 -0400
-+++ linux-3.0.4/Makefile 2011-09-17 00:56:07.000000000 -0400
++++ linux-3.0.4/Makefile 2011-10-06 04:17:55.000000000 -0400
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
HOSTCC = gcc
@@ -63870,23 +65089,28 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
$(Q)$(MAKE) $(build)=scripts/basic
$(Q)rm -f .tmp_quiet_recordmcount
-@@ -564,6 +567,31 @@ else
+@@ -564,6 +567,36 @@ else
KBUILD_CFLAGS += -O2
endif
+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
-+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
-+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
++ifdef CONFIG_PAX_MEMORY_STACKLEAK
++STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
+endif
+ifdef CONFIG_KALLOCSTAT_PLUGIN
+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
+endif
-+ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
++ifdef CONFIG_PAX_KERNEXEC_PLUGIN
++KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
++endif
++ifdef CONFIG_CHECKER_PLUGIN
++ifeq ($(call cc-ifversion, -ge, 0406, y), y)
++CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
++endif
+endif
-+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN)
-+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN
++GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
++export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
+gcc-plugins:
+ $(Q)$(MAKE) $(build)=tools/gcc
+else
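Review bot: With `CONFIG_CHECKER_PLUGIN` set and a compiler older than gcc 4.6, the `cc-ifversion` test leaves `CHECKER_PLUGIN` empty and the build continues without any message. The `__force_user` / `__force_kernel` annotations this patch adds then go unchecked while the configuration says they are checked. An `else` arm on the version test would make that visible: `$(warning CONFIG_CHECKER_PLUGIN requires gcc 4.6 or newer; address space checking is disabled)`. The outer `else` branch of the plugin-support test continues past this hunk, so whether it already reports the general no-plugin case cannot be confirmed from here.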
@@ -63902,7 +65126,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
include $(srctree)/arch/$(SRCARCH)/Makefile
ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -708,7 +736,7 @@ export mod_strip_cmd
+@@ -708,7 +741,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -63911,7 +65135,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -907,6 +935,8 @@ define rule_vmlinux-modpost
+@@ -907,6 +940,8 @@ define rule_vmlinux-modpost
endef
# vmlinux image - including updated kernel symbols
@@ -63920,7 +65144,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE
ifdef CONFIG_HEADERS_CHECK
$(Q)$(MAKE) -f $(srctree)/Makefile headers_check
-@@ -941,7 +971,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
+@@ -941,7 +976,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -63930,7 +65154,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
$(Q)$(MAKE) $(build)=$@
# Store (new) KERNELRELASE string in include/config/kernel.release
-@@ -986,6 +1017,7 @@ prepare0: archprepare FORCE
+@@ -986,6 +1022,7 @@ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=. missing-syscalls
# All the preparing..
@@ -63938,7 +65162,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
prepare: prepare0
# Generate some files
-@@ -1102,7 +1134,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
+@@ -1102,7 +1139,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
# Target to prepare building external modules
PHONY += modules_prepare
@@ -63947,7 +65171,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
# Target to install modules
PHONY += modules_install
-@@ -1198,7 +1230,7 @@ distclean: mrproper
+@@ -1198,7 +1235,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -63956,7 +65180,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1359,6 +1391,7 @@ PHONY += $(module-dirs) modules
+@@ -1359,6 +1396,7 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -63964,7 +65188,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1485,17 +1518,19 @@ else
+@@ -1485,17 +1523,19 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -63988,7 +65212,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1505,11 +1540,13 @@ endif
+@@ -1505,11 +1545,13 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -64206,6 +65430,27 @@ diff -urNp linux-3.0.4/mm/kmemleak.c linux-3.0.4/mm/kmemleak.c
}
}
+diff -urNp linux-3.0.4/mm/maccess.c linux-3.0.4/mm/maccess.c
+--- linux-3.0.4/mm/maccess.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/mm/maccess.c 2011-10-06 04:17:55.000000000 -0400
+@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, cons
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+ ret = __copy_from_user_inatomic(dst,
+- (__force const void __user *)src, size);
++ (const void __force_user *)src, size);
+ pagefault_enable();
+ set_fs(old_fs);
+
+@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, con
+
+ set_fs(KERNEL_DS);
+ pagefault_disable();
+- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
++ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
+ pagefault_enable();
+ set_fs(old_fs);
+
diff -urNp linux-3.0.4/mm/madvise.c linux-3.0.4/mm/madvise.c
--- linux-3.0.4/mm/madvise.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/mm/madvise.c 2011-08-23 21:47:56.000000000 -0400
@@ -64853,7 +66098,7 @@ diff -urNp linux-3.0.4/mm/memory.c linux-3.0.4/mm/memory.c
* Dumping its contents makes post-mortem fully interpretable later
diff -urNp linux-3.0.4/mm/memory-failure.c linux-3.0.4/mm/memory-failure.c
--- linux-3.0.4/mm/memory-failure.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/mm/memory-failure.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/mm/memory-failure.c 2011-10-06 04:17:55.000000000 -0400
@@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
int sysctl_memory_failure_recovery __read_mostly = 1;
@@ -64863,6 +66108,15 @@ diff -urNp linux-3.0.4/mm/memory-failure.c linux-3.0.4/mm/memory-failure.c
#if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
+@@ -200,7 +200,7 @@ static int kill_proc_ao(struct task_stru
+ si.si_signo = SIGBUS;
+ si.si_errno = 0;
+ si.si_code = BUS_MCEERR_AO;
+- si.si_addr = (void *)addr;
++ si.si_addr = (void __user *)addr;
+ #ifdef __ARCH_SI_TRAPNO
+ si.si_trapno = trapno;
+ #endif
@@ -1008,7 +1008,7 @@ int __memory_failure(unsigned long pfn,
}
@@ -68153,6 +69407,39 @@ diff -urNp linux-3.0.4/net/8021q/vlan.c linux-3.0.4/net/8021q/vlan.c
struct vlan_net *vn;
vn = net_generic(net, vlan_net_id);
+diff -urNp linux-3.0.4/net/9p/trans_fd.c linux-3.0.4/net/9p/trans_fd.c
+--- linux-3.0.4/net/9p/trans_fd.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/9p/trans_fd.c 2011-10-06 04:17:55.000000000 -0400
+@@ -423,7 +423,7 @@ static int p9_fd_write(struct p9_client
+ oldfs = get_fs();
+ set_fs(get_ds());
+ /* The cast to a user pointer is valid due to the set_fs() */
+- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
++ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
+ set_fs(oldfs);
+
+ if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
+diff -urNp linux-3.0.4/net/9p/trans_virtio.c linux-3.0.4/net/9p/trans_virtio.c
+--- linux-3.0.4/net/9p/trans_virtio.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/9p/trans_virtio.c 2011-10-06 04:17:55.000000000 -0400
+@@ -328,7 +328,7 @@ req_retry_pinned:
+ } else {
+ char *pbuf;
+ if (req->tc->pubuf)
+- pbuf = (__force char *) req->tc->pubuf;
++ pbuf = (char __force_kernel *) req->tc->pubuf;
+ else
+ pbuf = req->tc->pkbuf;
+ outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
+@@ -357,7 +357,7 @@ req_retry_pinned:
+ } else {
+ char *pbuf;
+ if (req->tc->pubuf)
+- pbuf = (__force char *) req->tc->pubuf;
++ pbuf = (char __force_kernel *) req->tc->pubuf;
+ else
+ pbuf = req->tc->pkbuf;
+
diff -urNp linux-3.0.4/net/atm/atm_misc.c linux-3.0.4/net/atm/atm_misc.c
--- linux-3.0.4/net/atm/atm_misc.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/atm/atm_misc.c 2011-08-23 21:47:56.000000000 -0400
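Review bot: The two `pbuf = (char __force_kernel *) req->tc->pubuf;` casts in net/9p/trans_virtio.c carry no explanation of why a field that needs a force cast (so presumably declared `__user`) may be handed to `pack_sg_list()` as a kernel buffer. The `vfs_write()` cast in trans_fd.c in the same hunk is justified by its comment `/* The cast to a user pointer is valid due to the set_fs() */`. The condition that makes `pubuf` a kernel address on this `else` path is outside the hunks, so it should be stated next to each cast once the author has confirmed the invariant, for example `/* pubuf holds a kernel address on this path; user buffers are handled in the branch above */`. Both occurrences sit in a function whose start and end are not shown.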
@@ -68583,6 +69870,136 @@ diff -urNp linux-3.0.4/net/caif/cfctrl.c linux-3.0.4/net/caif/cfctrl.c
cfpkt_extr_head(pkt, &cmdrsp, 1);
cmd = cmdrsp & CFCTRL_CMD_MASK;
+diff -urNp linux-3.0.4/net/compat.c linux-3.0.4/net/compat.c
+--- linux-3.0.4/net/compat.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/compat.c 2011-10-06 04:17:55.000000000 -0400
+@@ -70,9 +70,9 @@ int get_compat_msghdr(struct msghdr *kms
+ __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
+- kmsg->msg_name = compat_ptr(tmp1);
+- kmsg->msg_iov = compat_ptr(tmp2);
+- kmsg->msg_control = compat_ptr(tmp3);
++ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
++ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
++ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
+ return 0;
+ }
+
+@@ -84,7 +84,7 @@ int verify_compat_iovec(struct msghdr *k
+
+ if (kern_msg->msg_namelen) {
+ if (mode == VERIFY_READ) {
+- int err = move_addr_to_kernel(kern_msg->msg_name,
++ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
+ kern_msg->msg_namelen,
+ kern_address);
+ if (err < 0)
+@@ -95,7 +95,7 @@ int verify_compat_iovec(struct msghdr *k
+ kern_msg->msg_name = NULL;
+
+ tot_len = iov_from_user_compat_to_kern(kern_iov,
+- (struct compat_iovec __user *)kern_msg->msg_iov,
++ (struct compat_iovec __force_user *)kern_msg->msg_iov,
+ kern_msg->msg_iovlen);
+ if (tot_len >= 0)
+ kern_msg->msg_iov = kern_iov;
+@@ -115,20 +115,20 @@ int verify_compat_iovec(struct msghdr *k
+
+ #define CMSG_COMPAT_FIRSTHDR(msg) \
+ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
+- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
++ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
+ (struct compat_cmsghdr __user *)NULL)
+
+ #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
+ ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
+ (ucmlen) <= (unsigned long) \
+ ((mhdr)->msg_controllen - \
+- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
++ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
+ struct compat_cmsghdr __user *cmsg, int cmsg_len)
+ {
+ char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
+- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
++ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
+ msg->msg_controllen)
+ return NULL;
+ return (struct compat_cmsghdr __user *)ptr;
+@@ -220,7 +220,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
+ {
+ struct compat_timeval ctv;
+ struct compat_timespec cts[3];
+- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
++ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
+ struct compat_cmsghdr cmhdr;
+ int cmlen;
+
+@@ -272,7 +272,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
+
+ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
+ {
+- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
++ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
+ int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
+ int fdnum = scm->fp->count;
+ struct file **fp = scm->fp->fp;
+@@ -369,7 +369,7 @@ static int do_set_sock_timeout(struct so
+ return -EFAULT;
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
++ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
+ set_fs(old_fs);
+
+ return err;
+@@ -430,7 +430,7 @@ static int do_get_sock_timeout(struct so
+ len = sizeof(ktime);
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
++ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
+ set_fs(old_fs);
+
+ if (!err) {
+@@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *so
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ {
+- struct compat_group_req __user *gr32 = (void *)optval;
++ struct compat_group_req __user *gr32 = (void __user *)optval;
+ struct group_req __user *kgr =
+ compat_alloc_user_space(sizeof(struct group_req));
+ u32 interface;
+@@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *so
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ {
+- struct compat_group_source_req __user *gsr32 = (void *)optval;
++ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
+ struct group_source_req __user *kgsr = compat_alloc_user_space(
+ sizeof(struct group_source_req));
+ u32 interface;
+@@ -607,7 +607,7 @@ int compat_mc_setsockopt(struct sock *so
+ }
+ case MCAST_MSFILTER:
+ {
+- struct compat_group_filter __user *gf32 = (void *)optval;
++ struct compat_group_filter __user *gf32 = (void __user *)optval;
+ struct group_filter __user *kgf;
+ u32 interface, fmode, numsrc;
+
+@@ -645,7 +645,7 @@ int compat_mc_getsockopt(struct sock *so
+ char __user *optval, int __user *optlen,
+ int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
+ {
+- struct compat_group_filter __user *gf32 = (void *)optval;
++ struct compat_group_filter __user *gf32 = (void __user *)optval;
+ struct group_filter __user *kgf;
+ int __user *koptlen;
+ u32 interface, fmode, numsrc;
diff -urNp linux-3.0.4/net/core/datagram.c linux-3.0.4/net/core/datagram.c
--- linux-3.0.4/net/core/datagram.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/core/datagram.c 2011-08-23 21:47:56.000000000 -0400
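Review bot: The bounds arithmetic in net/compat.c forces in opposite directions: `CMSG_COMPAT_OK` turns the control-message pointer into a kernel one (`(char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control`), while `cmsg_compat_nxthdr()` a few lines below forces `msg->msg_control` to user instead (`ptr + 1 - (char __force_user *)msg->msg_control`). Forcing only the `msg_control` field keeps the control-message pointer typed as `__user` wherever it is handled and leaves one kind of override to audit: `((char __user *)(ucmsg) - (char __force_user *)(mhdr)->msg_control)`. This assumes `ucmsg` is a `__user` pointer at the macro's call sites, which are outside the hunks.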
@@ -68679,6 +70096,27 @@ diff -urNp linux-3.0.4/net/core/flow.c linux-3.0.4/net/core/flow.c
if (!IS_ERR(flo))
fle->object = flo;
else
+diff -urNp linux-3.0.4/net/core/iovec.c linux-3.0.4/net/core/iovec.c
+--- linux-3.0.4/net/core/iovec.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/core/iovec.c 2011-10-06 04:17:55.000000000 -0400
+@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struc
+ if (m->msg_namelen) {
+ if (mode == VERIFY_READ) {
+ void __user *namep;
+- namep = (void __user __force *) m->msg_name;
++ namep = (void __force_user *) m->msg_name;
+ err = move_addr_to_kernel(namep, m->msg_namelen,
+ address);
+ if (err < 0)
+@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struc
+ }
+
+ size = m->msg_iovlen * sizeof(struct iovec);
+- if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
++ if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
+ return -EFAULT;
+
+ m->msg_iov = iov;
diff -urNp linux-3.0.4/net/core/rtnetlink.c linux-3.0.4/net/core/rtnetlink.c
--- linux-3.0.4/net/core/rtnetlink.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/core/rtnetlink.c 2011-08-23 21:47:56.000000000 -0400
@@ -68691,6 +70129,45 @@ diff -urNp linux-3.0.4/net/core/rtnetlink.c linux-3.0.4/net/core/rtnetlink.c
static DEFINE_MUTEX(rtnl_mutex);
+diff -urNp linux-3.0.4/net/core/scm.c linux-3.0.4/net/core/scm.c
+--- linux-3.0.4/net/core/scm.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/core/scm.c 2011-10-06 04:17:55.000000000 -0400
+@@ -218,7 +218,7 @@ EXPORT_SYMBOL(__scm_send);
+ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
+ {
+ struct cmsghdr __user *cm
+- = (__force struct cmsghdr __user *)msg->msg_control;
++ = (struct cmsghdr __force_user *)msg->msg_control;
+ struct cmsghdr cmhdr;
+ int cmlen = CMSG_LEN(len);
+ int err;
+@@ -241,7 +241,7 @@ int put_cmsg(struct msghdr * msg, int le
+ err = -EFAULT;
+ if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
+ goto out;
+- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
++ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
+ goto out;
+ cmlen = CMSG_SPACE(len);
+ if (msg->msg_controllen < cmlen)
+@@ -257,7 +257,7 @@ EXPORT_SYMBOL(put_cmsg);
+ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
+ {
+ struct cmsghdr __user *cm
+- = (__force struct cmsghdr __user*)msg->msg_control;
++ = (struct cmsghdr __force_user *)msg->msg_control;
+
+ int fdmax = 0;
+ int fdnum = scm->fp->count;
+@@ -277,7 +277,7 @@ void scm_detach_fds(struct msghdr *msg,
+ if (fdnum < fdmax)
+ fdmax = fdnum;
+
+- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
++ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
+ i++, cmfptr++)
+ {
+ int new_fd;
diff -urNp linux-3.0.4/net/core/skbuff.c linux-3.0.4/net/core/skbuff.c
--- linux-3.0.4/net/core/skbuff.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/core/skbuff.c 2011-08-23 21:48:14.000000000 -0400
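Review bot: The nested cast `(void __force_user *)CMSG_DATA((void __force_kernel *)cm)` in `put_cmsg()` and its `int` variant in `scm_detach_fds()` in net/core/scm.c strip and re-apply the address space around a macro that only does pointer arithmetic, and the two copies are easy to get out of step. A single helper next to these functions would name the intent and leave one force pair to audit: `#define CMSG_USER_DATA(cm) ((void __force_user *)CMSG_DATA((void __force_kernel *)(cm)))`, used as `copy_to_user(CMSG_USER_DATA(cm), data, ...)` and `cmfptr = (int __user *)CMSG_USER_DATA(cm)`. `CMSG_USER_DATA` is a proposed name, not an existing macro. Both functions continue outside the hunks.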
@@ -68974,6 +70451,36 @@ diff -urNp linux-3.0.4/net/ipv4/inetpeer.c linux-3.0.4/net/ipv4/inetpeer.c
p->tcp_ts_stamp = 0;
p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
p->rate_tokens = 0;
+diff -urNp linux-3.0.4/net/ipv4/ipconfig.c linux-3.0.4/net/ipv4/ipconfig.c
+--- linux-3.0.4/net/ipv4/ipconfig.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/ipv4/ipconfig.c 2011-10-06 04:17:55.000000000 -0400
+@@ -313,7 +313,7 @@ static int __init ic_devinet_ioctl(unsig
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
++ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
+@@ -324,7 +324,7 @@ static int __init ic_dev_ioctl(unsigned
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
++ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
+@@ -335,7 +335,7 @@ static int __init ic_route_ioctl(unsigne
+
+ mm_segment_t oldfs = get_fs();
+ set_fs(get_ds());
+- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
++ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
+ set_fs(oldfs);
+ return res;
+ }
diff -urNp linux-3.0.4/net/ipv4/ip_fragment.c linux-3.0.4/net/ipv4/ip_fragment.c
--- linux-3.0.4/net/ipv4/ip_fragment.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/ipv4/ip_fragment.c 2011-08-23 21:47:56.000000000 -0400
@@ -68988,7 +70495,7 @@ diff -urNp linux-3.0.4/net/ipv4/ip_fragment.c linux-3.0.4/net/ipv4/ip_fragment.c
rc = qp->q.fragments && (end - start) > max;
diff -urNp linux-3.0.4/net/ipv4/ip_sockglue.c linux-3.0.4/net/ipv4/ip_sockglue.c
--- linux-3.0.4/net/ipv4/ip_sockglue.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/net/ipv4/ip_sockglue.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/net/ipv4/ip_sockglue.c 2011-10-06 04:17:55.000000000 -0400
@@ -1073,6 +1073,8 @@ static int do_ip_getsockopt(struct sock
int val;
int len;
@@ -69008,6 +70515,15 @@ diff -urNp linux-3.0.4/net/ipv4/ip_sockglue.c linux-3.0.4/net/ipv4/ip_sockglue.c
return -EFAULT;
return 0;
}
+@@ -1238,7 +1241,7 @@ static int do_ip_getsockopt(struct sock
+ if (sk->sk_type != SOCK_STREAM)
+ return -ENOPROTOOPT;
+
+- msg.msg_control = optval;
++ msg.msg_control = (void __force_kernel *)optval;
+ msg.msg_controllen = len;
+ msg.msg_flags = 0;
+
diff -urNp linux-3.0.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-3.0.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
--- linux-3.0.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-08-23 21:47:56.000000000 -0400
@@ -69434,6 +70950,18 @@ diff -urNp linux-3.0.4/net/ipv4/udp.c linux-3.0.4/net/ipv4/udp.c
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff -urNp linux-3.0.4/net/ipv6/addrconf.c linux-3.0.4/net/ipv6/addrconf.c
+--- linux-3.0.4/net/ipv6/addrconf.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/ipv6/addrconf.c 2011-10-06 04:17:55.000000000 -0400
+@@ -2072,7 +2072,7 @@ int addrconf_set_dstaddr(struct net *net
+ p.iph.ihl = 5;
+ p.iph.protocol = IPPROTO_IPV6;
+ p.iph.ttl = 64;
+- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
++ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
+
+ if (ops->ndo_do_ioctl) {
+ mm_segment_t oldfs = get_fs();
diff -urNp linux-3.0.4/net/ipv6/inet6_connection_sock.c linux-3.0.4/net/ipv6/inet6_connection_sock.c
--- linux-3.0.4/net/ipv6/inet6_connection_sock.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/ipv6/inet6_connection_sock.c 2011-08-23 21:47:56.000000000 -0400
@@ -69457,7 +70985,7 @@ diff -urNp linux-3.0.4/net/ipv6/inet6_connection_sock.c linux-3.0.4/net/ipv6/ine
}
diff -urNp linux-3.0.4/net/ipv6/ipv6_sockglue.c linux-3.0.4/net/ipv6/ipv6_sockglue.c
--- linux-3.0.4/net/ipv6/ipv6_sockglue.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/net/ipv6/ipv6_sockglue.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/net/ipv6/ipv6_sockglue.c 2011-10-06 04:17:55.000000000 -0400
@@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
int val, valbool;
int retv = -ENOPROTOOPT;
@@ -69476,6 +71004,15 @@ diff -urNp linux-3.0.4/net/ipv6/ipv6_sockglue.c linux-3.0.4/net/ipv6/ipv6_sockgl
if (ip6_mroute_opt(optname))
return ip6_mroute_getsockopt(sk, optname, optval, optlen);
+@@ -960,7 +964,7 @@ static int do_ipv6_getsockopt(struct soc
+ if (sk->sk_type != SOCK_STREAM)
+ return -ENOPROTOOPT;
+
+- msg.msg_control = optval;
++ msg.msg_control = (void __force_kernel *)optval;
+ msg.msg_controllen = len;
+ msg.msg_flags = 0;
+
diff -urNp linux-3.0.4/net/ipv6/raw.c linux-3.0.4/net/ipv6/raw.c
--- linux-3.0.4/net/ipv6/raw.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/ipv6/raw.c 2011-08-23 21:48:14.000000000 -0400
@@ -70754,6 +72291,30 @@ diff -urNp linux-3.0.4/net/rds/iw_recv.c linux-3.0.4/net/rds/iw_recv.c
}
#endif
+diff -urNp linux-3.0.4/net/rds/tcp.c linux-3.0.4/net/rds/tcp.c
+--- linux-3.0.4/net/rds/tcp.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/rds/tcp.c 2011-10-06 04:17:55.000000000 -0400
+@@ -58,7 +58,7 @@ void rds_tcp_nonagle(struct socket *sock
+ int val = 1;
+
+ set_fs(KERNEL_DS);
+- sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
++ sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
+ sizeof(val));
+ set_fs(oldfs);
+ }
+diff -urNp linux-3.0.4/net/rds/tcp_send.c linux-3.0.4/net/rds/tcp_send.c
+--- linux-3.0.4/net/rds/tcp_send.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/rds/tcp_send.c 2011-10-06 04:17:55.000000000 -0400
+@@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
+
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+- sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
++ sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
+ sizeof(val));
+ set_fs(oldfs);
+ }
diff -urNp linux-3.0.4/net/rxrpc/af_rxrpc.c linux-3.0.4/net/rxrpc/af_rxrpc.c
--- linux-3.0.4/net/rxrpc/af_rxrpc.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/rxrpc/af_rxrpc.c 2011-08-23 21:47:56.000000000 -0400
@@ -71055,7 +72616,7 @@ diff -urNp linux-3.0.4/net/sctp/socket.c linux-3.0.4/net/sctp/socket.c
cnt++;
diff -urNp linux-3.0.4/net/socket.c linux-3.0.4/net/socket.c
--- linux-3.0.4/net/socket.c 2011-09-02 18:11:21.000000000 -0400
-+++ linux-3.0.4/net/socket.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/net/socket.c 2011-10-06 04:17:55.000000000 -0400
@@ -88,6 +88,7 @@
#include <linux/nsproxy.h>
#include <linux/magic.h>
@@ -71215,6 +72776,114 @@ diff -urNp linux-3.0.4/net/socket.c linux-3.0.4/net/socket.c
err = -EFAULT;
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(msg_sys, msg_compat))
+@@ -1950,7 +2012,7 @@ static int __sys_sendmsg(struct socket *
+ * checking falls down on this.
+ */
+ if (copy_from_user(ctl_buf,
+- (void __user __force *)msg_sys->msg_control,
++ (void __force_user *)msg_sys->msg_control,
+ ctl_len))
+ goto out_freectl;
+ msg_sys->msg_control = ctl_buf;
+@@ -2118,7 +2180,7 @@ static int __sys_recvmsg(struct socket *
+ * kernel msghdr to use the kernel address space)
+ */
+
+- uaddr = (__force void __user *)msg_sys->msg_name;
++ uaddr = (void __force_user *)msg_sys->msg_name;
+ uaddr_len = COMPAT_NAMELEN(msg);
+ if (MSG_CMSG_COMPAT & flags) {
+ err = verify_compat_iovec(msg_sys, iov,
+@@ -2746,7 +2808,7 @@ static int ethtool_ioctl(struct net *net
+ }
+
+ ifr = compat_alloc_user_space(buf_size);
+- rxnfc = (void *)ifr + ALIGN(sizeof(struct ifreq), 8);
++ rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8);
+
+ if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
+ return -EFAULT;
+@@ -2770,12 +2832,12 @@ static int ethtool_ioctl(struct net *net
+ offsetof(struct ethtool_rxnfc, fs.ring_cookie));
+
+ if (copy_in_user(rxnfc, compat_rxnfc,
+- (void *)(&rxnfc->fs.m_ext + 1) -
+- (void *)rxnfc) ||
++ (void __user *)(&rxnfc->fs.m_ext + 1) -
++ (void __user *)rxnfc) ||
+ copy_in_user(&rxnfc->fs.ring_cookie,
+ &compat_rxnfc->fs.ring_cookie,
+- (void *)(&rxnfc->fs.location + 1) -
+- (void *)&rxnfc->fs.ring_cookie) ||
++ (void __user *)(&rxnfc->fs.location + 1) -
++ (void __user *)&rxnfc->fs.ring_cookie) ||
+ copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
+ sizeof(rxnfc->rule_cnt)))
+ return -EFAULT;
+@@ -2787,12 +2849,12 @@ static int ethtool_ioctl(struct net *net
+
+ if (convert_out) {
+ if (copy_in_user(compat_rxnfc, rxnfc,
+- (const void *)(&rxnfc->fs.m_ext + 1) -
+- (const void *)rxnfc) ||
++ (const void __user *)(&rxnfc->fs.m_ext + 1) -
++ (const void __user *)rxnfc) ||
+ copy_in_user(&compat_rxnfc->fs.ring_cookie,
+ &rxnfc->fs.ring_cookie,
+- (const void *)(&rxnfc->fs.location + 1) -
+- (const void *)&rxnfc->fs.ring_cookie) ||
++ (const void __user *)(&rxnfc->fs.location + 1) -
++ (const void __user *)&rxnfc->fs.ring_cookie) ||
+ copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
+ sizeof(rxnfc->rule_cnt)))
+ return -EFAULT;
+@@ -2862,7 +2924,7 @@ static int bond_ioctl(struct net *net, u
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+ err = dev_ioctl(net, cmd,
+- (struct ifreq __user __force *) &kifr);
++ (struct ifreq __force_user *) &kifr);
+ set_fs(old_fs);
+
+ return err;
+@@ -2971,7 +3033,7 @@ static int compat_sioc_ifmap(struct net
+
+ old_fs = get_fs();
+ set_fs(KERNEL_DS);
+- err = dev_ioctl(net, cmd, (void __user __force *)&ifr);
++ err = dev_ioctl(net, cmd, (void __force_user *)&ifr);
+ set_fs(old_fs);
+
+ if (cmd == SIOCGIFMAP && !err) {
+@@ -3076,7 +3138,7 @@ static int routing_ioctl(struct net *net
+ ret |= __get_user(rtdev, &(ur4->rt_dev));
+ if (rtdev) {
+ ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
+- r4.rt_dev = (char __user __force *)devname;
++ r4.rt_dev = (char __force_user *)devname;
+ devname[15] = 0;
+ } else
+ r4.rt_dev = NULL;
+@@ -3316,8 +3378,8 @@ int kernel_getsockopt(struct socket *soc
+ int __user *uoptlen;
+ int err;
+
+- uoptval = (char __user __force *) optval;
+- uoptlen = (int __user __force *) optlen;
++ uoptval = (char __force_user *) optval;
++ uoptlen = (int __force_user *) optlen;
+
+ set_fs(KERNEL_DS);
+ if (level == SOL_SOCKET)
+@@ -3337,7 +3399,7 @@ int kernel_setsockopt(struct socket *soc
+ char __user *uoptval;
+ int err;
+
+- uoptval = (char __user __force *) optval;
++ uoptval = (char __force_user *) optval;
+
+ set_fs(KERNEL_DS);
+ if (level == SOL_SOCKET)
diff -urNp linux-3.0.4/net/sunrpc/sched.c linux-3.0.4/net/sunrpc/sched.c
--- linux-3.0.4/net/sunrpc/sched.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/sunrpc/sched.c 2011-08-23 21:47:56.000000000 -0400
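Review bot: In `ethtool_ioctl()` (net/socket.c) the `copy_in_user()` lengths are computed by subtracting `void __user *` pointers, e.g. `(void __user *)(&rxnfc->fs.m_ext + 1) - (void __user *)rxnfc`. That relies on GNU void-pointer arithmetic and needs two annotated casts per length just to produce a size. The function already uses `offsetof(struct ethtool_rxnfc, fs.ring_cookie)` a few lines up, and the same idiom yields the first length without any pointer cast: `offsetof(struct ethtool_rxnfc, fs.m_ext) + sizeof(rxnfc->fs.m_ext)`. The second length and the `convert_out` block can be rewritten the same way. The function starts and ends outside the hunks.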
@@ -71230,6 +72899,18 @@ diff -urNp linux-3.0.4/net/sunrpc/sched.c linux-3.0.4/net/sunrpc/sched.c
}
#else
static inline void rpc_task_set_debuginfo(struct rpc_task *task)
+diff -urNp linux-3.0.4/net/sunrpc/svcsock.c linux-3.0.4/net/sunrpc/svcsock.c
+--- linux-3.0.4/net/sunrpc/svcsock.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/sunrpc/svcsock.c 2011-10-06 04:17:55.000000000 -0400
+@@ -392,7 +392,7 @@ static int svc_partial_recvfrom(struct s
+ int buflen, unsigned int base)
+ {
+ size_t save_iovlen;
+- void __user *save_iovbase;
++ void *save_iovbase;
+ unsigned int i;
+ int ret;
+
diff -urNp linux-3.0.4/net/sunrpc/xprtrdma/svc_rdma.c linux-3.0.4/net/sunrpc/xprtrdma/svc_rdma.c
--- linux-3.0.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-08-23 21:47:56.000000000 -0400
@@ -71442,6 +73123,60 @@ diff -urNp linux-3.0.4/net/sysctl_net.c linux-3.0.4/net/sysctl_net.c
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
+diff -urNp linux-3.0.4/net/tipc/link.c linux-3.0.4/net/tipc/link.c
+--- linux-3.0.4/net/tipc/link.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/tipc/link.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1170,7 +1170,7 @@ static int link_send_sections_long(struc
+ struct tipc_msg fragm_hdr;
+ struct sk_buff *buf, *buf_chain, *prev;
+ u32 fragm_crs, fragm_rest, hsz, sect_rest;
+- const unchar *sect_crs;
++ const unchar __user *sect_crs;
+ int curr_sect;
+ u32 fragm_no;
+
+@@ -1214,7 +1214,7 @@ again:
+
+ if (!sect_rest) {
+ sect_rest = msg_sect[++curr_sect].iov_len;
+- sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
++ sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
+ }
+
+ if (sect_rest < fragm_rest)
+@@ -1233,7 +1233,7 @@ error:
+ }
+ } else
+ skb_copy_to_linear_data_offset(buf, fragm_crs,
+- sect_crs, sz);
++ (const void __force_kernel *)sect_crs, sz);
+ sect_crs += sz;
+ sect_rest -= sz;
+ fragm_crs += sz;
+diff -urNp linux-3.0.4/net/tipc/msg.c linux-3.0.4/net/tipc/msg.c
+--- linux-3.0.4/net/tipc/msg.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/tipc/msg.c 2011-10-06 04:17:55.000000000 -0400
+@@ -101,7 +101,7 @@ int tipc_msg_build(struct tipc_msg *hdr,
+ msg_sect[cnt].iov_len);
+ else
+ skb_copy_to_linear_data_offset(*buf, pos,
+- msg_sect[cnt].iov_base,
++ (const void __force_kernel *)msg_sect[cnt].iov_base,
+ msg_sect[cnt].iov_len);
+ pos += msg_sect[cnt].iov_len;
+ }
+diff -urNp linux-3.0.4/net/tipc/subscr.c linux-3.0.4/net/tipc/subscr.c
+--- linux-3.0.4/net/tipc/subscr.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/net/tipc/subscr.c 2011-10-06 04:17:55.000000000 -0400
+@@ -101,7 +101,7 @@ static void subscr_send_event(struct sub
+ {
+ struct iovec msg_sect;
+
+- msg_sect.iov_base = (void *)&sub->evt;
++ msg_sect.iov_base = (void __force_user *)&sub->evt;
+ msg_sect.iov_len = sizeof(struct tipc_event);
+
+ sub->evt.event = htohl(event, sub->swap);
diff -urNp linux-3.0.4/net/unix/af_unix.c linux-3.0.4/net/unix/af_unix.c
--- linux-3.0.4/net/unix/af_unix.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/net/unix/af_unix.c 2011-08-23 21:48:14.000000000 -0400
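Review bot: The `__force_kernel` casts on the `skb_copy_to_linear_data_offset()` arguments in `link_send_sections_long` and `tipc_msg_build` switch off the address-space check exactly where an iovec pointer typed `__user` is read as kernel memory, and nothing next to them says why that is safe. The condition that selects these `else` branches is outside the hunks, so it cannot be confirmed from here that only kernel-built iovecs reach them, such as the one `subscr_send_event` fills with `(void __force_user *)&sub->evt`. I would add a comment at each cast, for example `/* kernel-originated message: iov_base holds a kernel address despite its __user type */`, so that a later change to the branch condition is reviewed against that invariant.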
@@ -71637,7 +73372,29 @@ diff -urNp linux-3.0.4/net/xfrm/xfrm_user.c linux-3.0.4/net/xfrm/xfrm_user.c
diff -urNp linux-3.0.4/scripts/basic/fixdep.c linux-3.0.4/scripts/basic/fixdep.c
--- linux-3.0.4/scripts/basic/fixdep.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/scripts/basic/fixdep.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/scripts/basic/fixdep.c 2011-10-06 04:17:55.000000000 -0400
+@@ -161,7 +161,7 @@ static unsigned int strhash(const char *
+ /*
+ * Lookup a value in the configuration string.
+ */
+-static int is_defined_config(const char *name, int len, unsigned int hash)
++static int is_defined_config(const char *name, unsigned int len, unsigned int hash)
+ {
+ struct item *aux;
+
+@@ -211,10 +211,10 @@ static void clear_config(void)
+ /*
+ * Record the use of a CONFIG_* word.
+ */
+-static void use_config(const char *m, int slen)
++static void use_config(const char *m, unsigned int slen)
+ {
+ unsigned int hash = strhash(m, slen);
+- int c, i;
++ unsigned int c, i;
+
+ if (is_defined_config(m, slen, hash))
+ return;
@@ -235,9 +235,9 @@ static void use_config(const char *m, in
static void parse_config_file(const char *map, size_t len)
@@ -71711,7 +73468,7 @@ diff -urNp linux-3.0.4/scripts/Makefile.host linux-3.0.4/scripts/Makefile.host
diff -urNp linux-3.0.4/scripts/mod/file2alias.c linux-3.0.4/scripts/mod/file2alias.c
--- linux-3.0.4/scripts/mod/file2alias.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/scripts/mod/file2alias.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/scripts/mod/file2alias.c 2011-10-06 04:17:55.000000000 -0400
@@ -72,7 +72,7 @@ static void device_id_check(const char *
unsigned long size, unsigned long id_size,
void *symval)
@@ -71730,6 +73487,15 @@ diff -urNp linux-3.0.4/scripts/mod/file2alias.c linux-3.0.4/scripts/mod/file2ali
unsigned char range_lo, unsigned char range_hi,
unsigned char max, struct module *mod)
{
+@@ -203,7 +203,7 @@ static void do_usb_entry_multi(struct us
+ {
+ unsigned int devlo, devhi;
+ unsigned char chi, clo, max;
+- int ndigits;
++ unsigned int ndigits;
+
+ id->match_flags = TO_NATIVE(id->match_flags);
+ id->idVendor = TO_NATIVE(id->idVendor);
@@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
for (i = 0; i < count; i++) {
const char *id = (char *)devs[i].id;
@@ -72008,7 +73774,7 @@ diff -urNp linux-3.0.4/security/integrity/ima/ima_queue.c linux-3.0.4/security/i
return 0;
diff -urNp linux-3.0.4/security/Kconfig linux-3.0.4/security/Kconfig
--- linux-3.0.4/security/Kconfig 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/security/Kconfig 2011-09-17 00:58:04.000000000 -0400
++++ linux-3.0.4/security/Kconfig 2011-10-06 04:19:25.000000000 -0400
@@ -4,6 +4,558 @@
menu "Security options"
@@ -72331,7 +74097,7 @@ diff -urNp linux-3.0.4/security/Kconfig linux-3.0.4/security/Kconfig
+
+config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
-+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
+ help
@@ -72399,7 +74165,7 @@ diff -urNp linux-3.0.4/security/Kconfig linux-3.0.4/security/Kconfig
+
+config PAX_RANDKSTACK
+ bool "Randomize kernel stack base"
-+ depends on PAX_ASLR && X86_TSC && X86
++ depends on X86_TSC && X86
+ help
+ By saying Y here the kernel will randomize every task's kernel
+ stack on every system call. This will not only force an attacker
@@ -72577,6 +74343,57 @@ diff -urNp linux-3.0.4/security/Kconfig linux-3.0.4/security/Kconfig
default 65536
help
This is the portion of low virtual memory which should be protected
+diff -urNp linux-3.0.4/security/keys/compat.c linux-3.0.4/security/keys/compat.c
+--- linux-3.0.4/security/keys/compat.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/security/keys/compat.c 2011-10-06 04:17:55.000000000 -0400
+@@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov(
+ if (ret == 0)
+ goto no_payload_free;
+
+- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
++ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
+
+ if (iov != iovstack)
+ kfree(iov);
+diff -urNp linux-3.0.4/security/keys/keyctl.c linux-3.0.4/security/keys/keyctl.c
+--- linux-3.0.4/security/keys/keyctl.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/security/keys/keyctl.c 2011-10-06 04:17:55.000000000 -0400
+@@ -921,7 +921,7 @@ static int keyctl_change_reqkey_auth(str
+ /*
+ * Copy the iovec data from userspace
+ */
+-static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
++static long copy_from_user_iovec(void *buffer, const struct iovec __user *iov,
+ unsigned ioc)
+ {
+ for (; ioc > 0; ioc--) {
+@@ -943,7 +943,7 @@ static long copy_from_user_iovec(void *b
+ * If successful, 0 will be returned.
+ */
+ long keyctl_instantiate_key_common(key_serial_t id,
+- const struct iovec *payload_iov,
++ const struct iovec __user *payload_iov,
+ unsigned ioc,
+ size_t plen,
+ key_serial_t ringid)
+@@ -1038,7 +1038,7 @@ long keyctl_instantiate_key(key_serial_t
+ [0].iov_len = plen
+ };
+
+- return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
++ return keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, 1, plen, ringid);
+ }
+
+ return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
+@@ -1071,7 +1071,7 @@ long keyctl_instantiate_key_iov(key_seri
+ if (ret == 0)
+ goto no_payload_free;
+
+- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
++ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
+
+ if (iov != iovstack)
+ kfree(iov);
diff -urNp linux-3.0.4/security/keys/keyring.c linux-3.0.4/security/keys/keyring.c
--- linux-3.0.4/security/keys/keyring.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/security/keys/keyring.c 2011-08-23 21:47:56.000000000 -0400
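Review bot: Marking the iovec array parameter of `copy_from_user_iovec` and `keyctl_instantiate_key_common` as `const struct iovec __user *` appears to label the wrong object. At the visible call sites the array is kernel memory (a local initialised with `[0].iov_len = plen`, or a buffer that is `kfree`d when `iov != iovstack`), which is why every call now needs a `__force_user` cast. Presumably only the `iov_base` members refer to userland; the function bodies are outside the hunks, so this should be confirmed. If the annotation is kept to satisfy the checker, add a comment at the prototype such as `/* payload_iov is a kernel copy of the iovec array; only iov_base points to userland */`, so that nobody later treats the array itself as user memory.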
@@ -72752,6 +74569,109 @@ diff -urNp linux-3.0.4/sound/aoa/codecs/onyx.h linux-3.0.4/sound/aoa/codecs/onyx
/* PCM3052 register definitions */
+diff -urNp linux-3.0.4/sound/core/oss/pcm_oss.c linux-3.0.4/sound/core/oss/pcm_oss.c
+--- linux-3.0.4/sound/core/oss/pcm_oss.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/sound/core/oss/pcm_oss.c 2011-10-06 04:17:55.000000000 -0400
+@@ -1189,10 +1189,10 @@ snd_pcm_sframes_t snd_pcm_oss_write3(str
+ if (in_kernel) {
+ mm_segment_t fs;
+ fs = snd_enter_user();
+- ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
++ ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
+ snd_leave_user(fs);
+ } else {
+- ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
++ ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
+ }
+ if (ret != -EPIPE && ret != -ESTRPIPE)
+ break;
+@@ -1234,10 +1234,10 @@ snd_pcm_sframes_t snd_pcm_oss_read3(stru
+ if (in_kernel) {
+ mm_segment_t fs;
+ fs = snd_enter_user();
+- ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
++ ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
+ snd_leave_user(fs);
+ } else {
+- ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
++ ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
+ }
+ if (ret == -EPIPE) {
+ if (runtime->status->state == SNDRV_PCM_STATE_DRAINING) {
+@@ -1337,7 +1337,7 @@ static ssize_t snd_pcm_oss_write2(struct
+ struct snd_pcm_plugin_channel *channels;
+ size_t oss_frame_bytes = (runtime->oss.plugin_first->src_width * runtime->oss.plugin_first->src_format.channels) / 8;
+ if (!in_kernel) {
+- if (copy_from_user(runtime->oss.buffer, (const char __force __user *)buf, bytes))
++ if (copy_from_user(runtime->oss.buffer, (const char __force_user *)buf, bytes))
+ return -EFAULT;
+ buf = runtime->oss.buffer;
+ }
+@@ -1407,7 +1407,7 @@ static ssize_t snd_pcm_oss_write1(struct
+ }
+ } else {
+ tmp = snd_pcm_oss_write2(substream,
+- (const char __force *)buf,
++ (const char __force_kernel *)buf,
+ runtime->oss.period_bytes, 0);
+ if (tmp <= 0)
+ goto err;
+@@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ snd_pcm_sframes_t frames, frames1;
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+- char __user *final_dst = (char __force __user *)buf;
++ char __user *final_dst = (char __force_user *)buf;
+ if (runtime->oss.plugin_first) {
+ struct snd_pcm_plugin_channel *channels;
+ size_t oss_frame_bytes = (runtime->oss.plugin_last->dst_width * runtime->oss.plugin_last->dst_format.channels) / 8;
+@@ -1495,7 +1495,7 @@ static ssize_t snd_pcm_oss_read1(struct
+ xfer += tmp;
+ runtime->oss.buffer_used -= tmp;
+ } else {
+- tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
++ tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
+ runtime->oss.period_bytes, 0);
+ if (tmp <= 0)
+ goto err;
+@@ -1663,7 +1663,7 @@ static int snd_pcm_oss_sync(struct snd_p
+ size1);
+ size1 /= runtime->channels; /* frames */
+ fs = snd_enter_user();
+- snd_pcm_lib_write(substream, (void __force __user *)runtime->oss.buffer, size1);
++ snd_pcm_lib_write(substream, (void __force_user *)runtime->oss.buffer, size1);
+ snd_leave_user(fs);
+ }
+ } else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
+diff -urNp linux-3.0.4/sound/core/pcm_compat.c linux-3.0.4/sound/core/pcm_compat.c
+--- linux-3.0.4/sound/core/pcm_compat.c 2011-09-02 18:11:21.000000000 -0400
++++ linux-3.0.4/sound/core/pcm_compat.c 2011-10-06 04:17:55.000000000 -0400
+@@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(st
+ int err;
+
+ fs = snd_enter_user();
+- err = snd_pcm_delay(substream, &delay);
++ err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
+ snd_leave_user(fs);
+ if (err < 0)
+ return err;
+diff -urNp linux-3.0.4/sound/core/pcm_native.c linux-3.0.4/sound/core/pcm_native.c
+--- linux-3.0.4/sound/core/pcm_native.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/sound/core/pcm_native.c 2011-10-06 04:17:55.000000000 -0400
+@@ -2770,11 +2770,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
+ switch (substream->stream) {
+ case SNDRV_PCM_STREAM_PLAYBACK:
+ result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
+- (void __user *)arg);
++ (void __force_user *)arg);
+ break;
+ case SNDRV_PCM_STREAM_CAPTURE:
+ result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
+- (void __user *)arg);
++ (void __force_user *)arg);
+ break;
+ default:
+ result = -EINVAL;
diff -urNp linux-3.0.4/sound/core/seq/seq_device.c linux-3.0.4/sound/core/seq/seq_device.c
--- linux-3.0.4/sound/core/seq/seq_device.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/sound/core/seq/seq_device.c 2011-08-23 21:47:56.000000000 -0400
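Review bot: In `snd_pcm_oss_write1` the user buffer is cast to `__force_kernel` and passed to `snd_pcm_oss_write2` with `in_kernel` set to 0, and `snd_pcm_oss_write2` casts the same pointer back with `__force_user` before `copy_from_user`; `snd_pcm_oss_read1` and `snd_pcm_oss_read2` follow the same pattern. The two forced casts cancel out, so the address-space checker verifies nothing on this path and the `in_kernel` argument alone decides whether `buf` is treated as user or kernel memory. A comment on the `buf` parameter of the two helpers, e.g. `/* buf is a user pointer when !in_kernel, a kernel pointer otherwise */`, would record that contract. The helper signatures are outside the hunks.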
@@ -73161,6 +75081,179 @@ diff -urNp linux-3.0.4/sound/usb/card.h linux-3.0.4/sound/usb/card.h
};
struct snd_usb_stream {
+diff -urNp linux-3.0.4/tools/gcc/checker_plugin.c linux-3.0.4/tools/gcc/checker_plugin.c
+--- linux-3.0.4/tools/gcc/checker_plugin.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-3.0.4/tools/gcc/checker_plugin.c 2011-10-06 04:17:55.000000000 -0400
+@@ -0,0 +1,169 @@
++/*
++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to implement various sparse (source code checker) features
++ *
++ * TODO:
++ * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
++ *
++ * BUGS:
++ * - none known
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "basic-block.h"
++#include "gimple.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "function.h"
++#include "tree-flow.h"
++#include "target.h"
++
++extern void c_register_addr_space (const char *str, addr_space_t as);
++extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
++extern enum machine_mode default_addr_space_address_mode (addr_space_t);
++extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
++extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
++extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
++
++extern void print_gimple_stmt(FILE *, gimple, int, int);
++extern rtx emit_move_insn(rtx x, rtx y);
++
++int plugin_is_GPL_compatible;
++
++static struct plugin_info checker_plugin_info = {
++ .version = "201110031940",
++};
++
++#define ADDR_SPACE_KERNEL 0
++#define ADDR_SPACE_FORCE_KERNEL 1
++#define ADDR_SPACE_USER 2
++#define ADDR_SPACE_FORCE_USER 3
++#define ADDR_SPACE_IOMEM 0
++#define ADDR_SPACE_FORCE_IOMEM 0
++#define ADDR_SPACE_PERCPU 0
++#define ADDR_SPACE_FORCE_PERCPU 0
++#define ADDR_SPACE_RCU 0
++#define ADDR_SPACE_FORCE_RCU 0
++
++static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
++{
++ return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
++}
++
++static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
++{
++ return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
++}
++
++static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
++{
++ return default_addr_space_valid_pointer_mode(mode, as);
++}
++
++static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
++{
++ return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
++}
++
++static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
++{
++ return default_addr_space_legitimize_address(x, oldx, mode, as);
++}
++
++static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
++{
++ if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
++ return true;
++
++ if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
++ return true;
++
++ if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
++ return true;
++
++ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
++ return true;
++
++ if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
++ return true;
++
++ if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
++ return true;
++
++ if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
++ return true;
++
++ return subset == superset;
++}
++
++static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
++{
++// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
++// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
++
++ return op;
++}
++
++static void register_checker_address_spaces(void *event_data, void *data)
++{
++ c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
++ c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
++ c_register_addr_space("__user", ADDR_SPACE_USER);
++ c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
++// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
++// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
++// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
++// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
++// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
++// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
++
++ targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
++ targetm.addr_space.address_mode = checker_addr_space_address_mode;
++ targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
++ targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
++// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
++ targetm.addr_space.subset_p = checker_addr_space_subset_p;
++ targetm.addr_space.convert = checker_addr_space_convert;
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ const int argc = plugin_info->argc;
++ const struct plugin_argument * const argv = plugin_info->argv;
++ int i;
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
++
++ for (i = 0; i < argc; ++i)
++ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++
++ if (TARGET_64BIT == 0)
++ return 0;
++
++ register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
++
++ return 0;
++}
diff -urNp linux-3.0.4/tools/gcc/constify_plugin.c linux-3.0.4/tools/gcc/constify_plugin.c
--- linux-3.0.4/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.0.4/tools/gcc/constify_plugin.c 2011-08-30 18:23:52.000000000 -0400
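Review bot: `ADDR_SPACE_IOMEM`, `ADDR_SPACE_FORCE_IOMEM` and the PERCPU/RCU constants are all defined as 0, the same value as `ADDR_SPACE_KERNEL`, so in `checker_addr_space_subset_p` the test `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` really accepts kernel as a subset of force_kernel, and the other two IOMEM tests collapse into `subset == superset`. If that aliasing is intended until the TODO in the file header is done, a comment above the defines should say so, e.g. `/* placeholders: alias ADDR_SPACE_KERNEL until separate spaces are registered */`. Separately, `checker_addr_space_legitimize_address` is defined but its hook assignment is commented out, so it is unused, and the option error string spells `unkown`.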
@@ -73460,7 +75553,7 @@ diff -urNp linux-3.0.4/tools/gcc/constify_plugin.c linux-3.0.4/tools/gcc/constif
+}
diff -urNp linux-3.0.4/tools/gcc/kallocstat_plugin.c linux-3.0.4/tools/gcc/kallocstat_plugin.c
--- linux-3.0.4/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/tools/gcc/kallocstat_plugin.c 2011-09-17 00:53:44.000000000 -0400
++++ linux-3.0.4/tools/gcc/kallocstat_plugin.c 2011-10-06 04:17:55.000000000 -0400
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
@@ -73549,10 +75642,10 @@ diff -urNp linux-3.0.4/tools/gcc/kallocstat_plugin.c linux-3.0.4/tools/gcc/kallo
+static unsigned int execute_kallocstat(void)
+{
+ basic_block bb;
-+ gimple_stmt_iterator gsi;
+
+ // 1. loop through BBs and GIMPLE statements
+ FOR_EACH_BB(bb) {
++ gimple_stmt_iterator gsi;
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
+ // gimple match:
+ tree fndecl, size;
@@ -73629,8 +75722,8 @@ diff -urNp linux-3.0.4/tools/gcc/kallocstat_plugin.c linux-3.0.4/tools/gcc/kallo
+}
diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexec_plugin.c
--- linux-3.0.4/tools/gcc/kernexec_plugin.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/tools/gcc/kernexec_plugin.c 2011-09-19 09:16:58.000000000 -0400
-@@ -0,0 +1,265 @@
++++ linux-3.0.4/tools/gcc/kernexec_plugin.c 2011-10-06 04:17:55.000000000 -0400
+@@ -0,0 +1,273 @@
+/*
+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -73667,21 +75760,23 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+#include "tree-flow.h"
+
+extern void print_gimple_stmt(FILE *, gimple, int, int);
++extern rtx emit_move_insn(rtx x, rtx y);
+
+int plugin_is_GPL_compatible;
+
+static struct plugin_info kernexec_plugin_info = {
-+ .version = "201109191200",
++ .version = "201110032145",
+};
+
+static unsigned int execute_kernexec_fptr(void);
+static unsigned int execute_kernexec_retaddr(void);
++static bool kernexec_cmodel_check(void);
+
+static struct gimple_opt_pass kernexec_fptr_pass = {
+ .pass = {
+ .type = GIMPLE_PASS,
+ .name = "kernexec_fptr",
-+ .gate = NULL,
++ .gate = kernexec_cmodel_check,
+ .execute = execute_kernexec_fptr,
+ .sub = NULL,
+ .next = NULL,
@@ -73699,7 +75794,7 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ .pass = {
+ .type = RTL_PASS,
+ .name = "kernexec_retaddr",
-+ .gate = NULL,
++ .gate = kernexec_cmodel_check,
+ .execute = execute_kernexec_retaddr,
+ .sub = NULL,
+ .next = NULL,
@@ -73709,10 +75804,28 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ .properties_provided = 0,
+ .properties_destroyed = 0,
+ .todo_flags_start = 0,
-+ .todo_flags_finish = TODO_dump_func
++ .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
+ }
+};
+
++static bool kernexec_cmodel_check(void)
++{
++ tree section;
++
++ if (ix86_cmodel != CM_KERNEL)
++ return false;
++
++ section = lookup_attribute("__section__", DECL_ATTRIBUTES(current_function_decl));
++ if (!section || !TREE_VALUE(section))
++ return true;
++
++ section = TREE_VALUE(TREE_VALUE(section));
++ if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
++ return true;
++
++ return false;
++}
++
+/*
+ * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
+ * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
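Review bot: `kernexec_cmodel_check` has no comment saying why functions whose `__section__` attribute starts with `.vsyscall_` are excluded from both passes, and the prefix length is a bare `10` in the `strncmp` call. I would add a one-line comment above the function giving the reason (presumably that this code also executes mapped into userland, where the instrumentation must not apply; to be confirmed) and write the length as `sizeof(".vsyscall_") - 1`. The `ix86_cmodel != CM_KERNEL` test now lives in this gate and is evaluated per function; the matching removal from `plugin_init` is in a later hunk.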
@@ -73731,18 +75844,14 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ mark_sym_for_renaming(intptr);
+ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
+ update_stmt(assign_intptr);
-+ gsi_insert_before(&gsi, assign_intptr, GSI_NEW_STMT);
-+
-+ gsi_next(&gsi);
++ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
+
+ // apply logical or to temporary unsigned long and bitmask
+ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
+// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
+ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
+ update_stmt(assign_intptr);
-+ gsi_insert_before(&gsi, assign_intptr, GSI_NEW_STMT);
-+
-+ gsi_next(&gsi);
++ gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
+
+ // cast temporary unsigned long back to a temporary fptr variable
+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
@@ -73750,9 +75859,7 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ mark_sym_for_renaming(new_fptr);
+ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
+ update_stmt(assign_new_fptr);
-+ gsi_insert_before(&gsi, assign_new_fptr, GSI_NEW_STMT);
-+
-+ gsi_next(&gsi);
++ gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
+
+ // replace call stmt fn with the new fptr
+ gimple_call_set_fn(call_stmt, new_fptr);
@@ -73805,28 +75912,22 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ return 0;
+}
+
-+// add special KERNEXEC instrumentation: orb $0x80,7(%rsp) just before retn
++// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
+static void kernexec_instrument_retaddr(rtx insn)
+{
-+ rtx ret_addr, clob, or;
-+
-+ start_sequence();
-+
-+ // compute 7(%rsp)
-+ ret_addr = gen_rtx_MEM(QImode, gen_rtx_PLUS(Pmode, stack_pointer_rtx, GEN_INT(7)));
-+ MEM_VOLATILE_P(ret_addr) = 1;
++ rtx btsq;
++ rtvec argvec, constraintvec, labelvec;
++ int line;
+
-+ // create orb $0x80,7(%rsp)
-+ or = gen_rtx_SET(VOIDmode, ret_addr, gen_rtx_IOR(QImode, ret_addr, GEN_INT(0xffffffffffffff80)));
-+ clob = gen_rtx_CLOBBER(VOIDmode, gen_rtx_REG(CCmode, FLAGS_REG));
-+
-+ // put everything together
-+ or = emit_insn(gen_rtx_PARALLEL(VOIDmode, gen_rtvec(2, or, clob)));
-+ RTX_FRAME_RELATED_P(or) = 1;
-+
-+ end_sequence();
-+
-+ emit_insn_before(or, insn);
++ // create asm volatile("btsq $63,(%%rsp)":::)
++ argvec = rtvec_alloc(0);
++ constraintvec = rtvec_alloc(0);
++ labelvec = rtvec_alloc(0);
++ line = expand_location(RTL_LOCATION(insn)).line;
++ btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
++ MEM_VOLATILE_P(btsq) = 1;
++ RTX_FRAME_RELATED_P(btsq) = 1;
++ emit_insn_before(btsq, insn);
+}
+
+/*
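Review bot: `RTX_FRAME_RELATED_P(btsq) = 1` is applied to the `ASM_OPERANDS` expression before it is emitted, whereas the removed code set the flag on the insn returned by `emit_insn()`. If the flag is meant for the emitted insn, take the return value instead: `btsq = emit_insn_before(btsq, insn);` followed by `RTX_FRAME_RELATED_P(btsq) = 1;`. The asm is also built with no clobber, while the removed sequence carried an explicit `CLOBBER` of `FLAGS_REG`; since `bts` writes the carry flag, a short comment on why no clobber is needed directly before the return would help.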
@@ -73888,7 +75989,7 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+ for (i = 0; i < argc; ++i)
+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
+
-+ if (TARGET_64BIT == 0 || ix86_cmodel != CM_KERNEL)
++ if (TARGET_64BIT == 0)
+ return 0;
+
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
@@ -73898,8 +75999,8 @@ diff -urNp linux-3.0.4/tools/gcc/kernexec_plugin.c linux-3.0.4/tools/gcc/kernexe
+}
diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile
--- linux-3.0.4/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/tools/gcc/Makefile 2011-09-17 00:53:44.000000000 -0400
-@@ -0,0 +1,14 @@
++++ linux-3.0.4/tools/gcc/Makefile 2011-10-06 04:17:55.000000000 -0400
+@@ -0,0 +1,21 @@
+#CC := gcc
+#PLUGIN_SOURCE_FILES := pax_plugin.c
+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
@@ -73908,12 +76009,19 @@ diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile
+
+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
+
-+hostlibs-y := stackleak_plugin.so constify_plugin.so kallocstat_plugin.so kernexec_plugin.so
++hostlibs-y := constify_plugin.so
++hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
++hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
++hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
++hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
++
+always := $(hostlibs-y)
++
+stackleak_plugin-objs := stackleak_plugin.o
+constify_plugin-objs := constify_plugin.o
+kallocstat_plugin-objs := kallocstat_plugin.o
+kernexec_plugin-objs := kernexec_plugin.o
++checker_plugin-objs := checker_plugin.o
diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackleak_plugin.c
--- linux-3.0.4/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.0.4/tools/gcc/stackleak_plugin.c 2011-09-17 00:53:44.000000000 -0400
diff --git a/3.0.4/4435_grsec-kconfig-gentoo.patch b/3.0.4/4435_grsec-kconfig-gentoo.patch
index 82d188e..1bc9742 100644
--- a/3.0.4/4435_grsec-kconfig-gentoo.patch
+++ b/3.0.4/4435_grsec-kconfig-gentoo.patch
@@ -293,8 +293,8 @@ diff -Naur a/security/Kconfig b/security/Kconfig
config PAX_KERNEXEC
bool "Enforce non-executable kernel pages"
-- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
select PAX_KERNEXEC_PLUGIN if X86_64
+ default y if GRKERNSEC_HARDENED_WORKSTATION