diff options
Diffstat (limited to '2.6.39')
| -rw-r--r-- | 2.6.39/0000_README | 48 | ||||
| -rw-r--r-- | 2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch | 85756 | ||||
| -rw-r--r-- | 2.6.39/4421_remove-legacy-pax-ei.patch | 191 | ||||
| -rw-r--r-- | 2.6.39/4422_grsec-remove-localversion-grsec.patch | 9 | ||||
| -rw-r--r-- | 2.6.39/4424_grsec-mute-warnings.patch | 42 | ||||
| -rw-r--r-- | 2.6.39/4426_grsec-remove-protected-paths.patch | 20 | ||||
| -rw-r--r-- | 2.6.39/4428_grsec-pax-without-grsec.patch | 88 | ||||
| -rw-r--r-- | 2.6.39/4430_grsec-kconfig-default-gids.patch | 77 | ||||
| -rw-r--r-- | 2.6.39/4435_grsec-kconfig-gentoo.patch | 313 | ||||
| -rw-r--r-- | 2.6.39/4437-grsec-kconfig-proc-user.patch | 26 | ||||
| -rw-r--r-- | 2.6.39/4440_selinux-avc_audit-log-curr_ip.patch | 73 | ||||
| -rw-r--r-- | 2.6.39/4445_disable-compat_vdso.patch | 46 |
12 files changed, 0 insertions, 86689 deletions
diff --git a/2.6.39/0000_README b/2.6.39/0000_README deleted file mode 100644 index 66fcae4..0000000 --- a/2.6.39/0000_README +++ /dev/null @@ -1,48 +0,0 @@ -README ------------------------------------------------------------------------------ - -Individual Patch Descriptions: ------------------------------------------------------------------------------ -Patch: 4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch -From: http://www.grsecurity.net -Desc: hardened-sources base patch from upstream grsecurity - -Patch: 4421_grsec-remove-localversion-grsec.patch -From: Kerin Millar <kerframil@gmail.com> -Desc: Removes grsecurity's localversion-grsec file - -Patch: 4422_grsec-mute-warnings.patch -From: Alexander Gabert <gaberta@fh-trier.de> - Gordon Malm <gengor@gentoo.org> -Desc: Removes verbose compile warning settings from grsecurity, restores - mainline Linux kernel behavior - -Patch: 4423_grsec-remove-protected-paths.patch -From: Anthony G. Basile <blueness@gentoo.org> -Desc: Removes chmod statements from grsecurity/Makefile - -Patch: 4425_grsec-pax-without-grsec.patch -From: Gordon Malm <gengor@gentoo.org> -Desc: Allows PaX features to be selected without enabling GRKERNSEC - -Patch: 4430_grsec-kconfig-default-gids.patch -From: Kerin Millar <kerframil@gmail.com> -Desc: Sets sane(r) default GIDs on various grsecurity group-dependent - features - -Patch: 4435_grsec-kconfig-gentoo.patch -From: Gordon Malm <gengor@gentoo.org> - Kerin Millar <kerframil@gmail.com> - Anthony G. Basile <blueness@gentoo.org> -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels, - sets Hardened Gentoo [workstation] as default - -Patch: 4440_selinux-avc_audit-log-curr_ip.patch -From: Gordon Malm <gengor@gentoo.org> - Anthony G. Basile <blueness@gentoo.org> -Desc: Configurable option to add src IP address to SELinux log messages - -Patch: 4445_disable-compat_vdso.patch -From: Gordon Malm <gengor@gentoo.org> - Kerin Millar <kerframil@gmail.com> -Desc: Disables VDSO_COMPAT operation completely diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch deleted file mode 100644 index f85e905..0000000 --- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch +++ /dev/null @@ -1,85756 +0,0 @@ -diff -urNp linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -3,9 +3,9 @@ - - #include <linux/dma-attrs.h> - --extern struct dma_map_ops *dma_ops; -+extern const struct dma_map_ops *dma_ops; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - return dma_ops; - } -diff -urNp linux-2.6.39.3/arch/alpha/include/asm/elf.h linux-2.6.39.3/arch/alpha/include/asm/elf.h ---- linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N - - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL) -+ -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28) -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19) -+#endif -+ - /* $0 is set by ld.so to a pointer to a function which might be - registered using atexit. This provides a mean for the dynamic - linker to call DT_FINI functions for shared libraries that have -diff -urNp linux-2.6.39.3/arch/alpha/include/asm/pgtable.h linux-2.6.39.3/arch/alpha/include/asm/pgtable.h ---- linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400 -@@ -101,6 +101,17 @@ struct vm_area_struct; - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS) - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW) - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW) -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE) -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE) -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE) -+#else -+# define PAGE_SHARED_NOEXEC PAGE_SHARED -+# define PAGE_COPY_NOEXEC PAGE_COPY -+# define PAGE_READONLY_NOEXEC PAGE_READONLY -+#endif -+ - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE) - - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x)) -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_apecs.c linux-2.6.39.3/arch/alpha/kernel/core_apecs.c ---- linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400 -@@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus, - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops apecs_pci_ops = -+const struct pci_ops apecs_pci_ops = - { - .read = apecs_read_config, - .write = apecs_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_cia.c linux-2.6.39.3/arch/alpha/kernel/core_cia.c ---- linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400 -@@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops cia_pci_ops = -+const struct pci_ops cia_pci_ops = - { - .read = cia_read_config, - .write = cia_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_irongate.c linux-2.6.39.3/arch/alpha/kernel/core_irongate.c ---- linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400 -@@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops irongate_pci_ops = -+const struct pci_ops irongate_pci_ops = - { - .read = irongate_read_config, - .write = irongate_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_lca.c linux-2.6.39.3/arch/alpha/kernel/core_lca.c ---- linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400 -@@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops lca_pci_ops = -+const struct pci_ops lca_pci_ops = - { - .read = lca_read_config, - .write = lca_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_marvel.c linux-2.6.39.3/arch/alpha/kernel/core_marvel.c ---- linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400 -@@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus, - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops marvel_pci_ops = -+const struct pci_ops marvel_pci_ops = - { - .read = marvel_read_config, - .write = marvel_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c ---- linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400 -@@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus, - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops mcpcia_pci_ops = -+const struct pci_ops mcpcia_pci_ops = - { - .read = mcpcia_read_config, - .write = mcpcia_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_polaris.c linux-2.6.39.3/arch/alpha/kernel/core_polaris.c ---- linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400 -@@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops polaris_pci_ops = -+const struct pci_ops polaris_pci_ops = - { - .read = polaris_read_config, - .write = polaris_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_t2.c linux-2.6.39.3/arch/alpha/kernel/core_t2.c ---- linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400 -@@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops t2_pci_ops = -+const struct pci_ops t2_pci_ops = - { - .read = t2_read_config, - .write = t2_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_titan.c linux-2.6.39.3/arch/alpha/kernel/core_titan.c ---- linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400 -@@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus, - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops titan_pci_ops = -+const struct pci_ops titan_pci_ops = - { - .read = titan_read_config, - .write = titan_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c ---- linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400 -@@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops tsunami_pci_ops = -+const struct pci_ops tsunami_pci_ops = - { - .read = tsunami_read_config, - .write = tsunami_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c ---- linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400 -@@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops wildfire_pci_ops = -+const struct pci_ops wildfire_pci_ops = - { - .read = wildfire_read_config, - .write = wildfire_write_config, -diff -urNp linux-2.6.39.3/arch/alpha/kernel/module.c linux-2.6.39.3/arch/alpha/kernel/module.c ---- linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, - - /* The small sections were sorted to the end of the segment. - The following should definitely cover them. */ -- gp = (u64)me->module_core + me->core_size - 0x8000; -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000; - got = sechdrs[me->arch.gotsecindex].sh_addr; - - for (i = 0; i < n; i++) { -diff -urNp linux-2.6.39.3/arch/alpha/kernel/osf_sys.c linux-2.6.39.3/arch/alpha/kernel/osf_sys.c ---- linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400 -@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char - return -EFAULT; - - len = namelen; -- if (namelen > 32) -+ if (len > 32) - len = 32; - - down_read(&uts_sem); -@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman - down_read(&uts_sem); - res = sysinfo_table[offset]; - len = strlen(res)+1; -- if (len > count) -+ if ((unsigned long)len > (unsigned long)count) - len = count; - if (copy_to_user(buf, res, len)) - err = -EFAULT; -@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned - return 1; - - case GSI_GET_HWRPB: -- if (nbytes < sizeof(*hwrpb)) -+ if (nbytes > sizeof(*hwrpb)) - return -EINVAL; - if (copy_to_user(buffer, hwrpb, nbytes) != 0) - return -EFAULT; -@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i - { - struct rusage r; - long ret, err; -+ unsigned int status = 0; - mm_segment_t old_fs; - - if (!ur) -@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i - old_fs = get_fs(); - - set_fs (KERNEL_DS); -- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); -+ ret = sys_wait4(pid, (unsigned int __user *) &status, options, -+ (struct rusage __user *) &r); - set_fs (old_fs); - - if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) - return -EFAULT; - - err = 0; -+ err |= put_user(status, ustatus); - err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); - err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); - err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); -@@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a - /* At this point: (!vma || addr < vma->vm_end). */ - if (limit - len < addr) - return -ENOMEM; -- if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - return addr; - addr = vma->vm_end; - vma = vma->vm_next; -@@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp - merely specific addresses, but regions of memory -- perhaps - this feature should be incorporated into all ports? */ - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - if (addr) { - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); - if (addr != (unsigned long) -ENOMEM) -@@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp - } - - /* Next, try allocating at TASK_UNMAPPED_BASE. */ -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE), -- len, limit); -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit); -+ - if (addr != (unsigned long) -ENOMEM) - return addr; - -diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c ---- linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev - return 0; - } - --struct dma_map_ops alpha_pci_ops = { -+const struct dma_map_ops alpha_pci_ops = { - .alloc_coherent = alpha_pci_alloc_coherent, - .free_coherent = alpha_pci_free_coherent, - .map_page = alpha_pci_map_page, -@@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = { - .set_dma_mask = alpha_pci_set_mask, - }; - --struct dma_map_ops *dma_ops = &alpha_pci_ops; -+const struct dma_map_ops *dma_ops = &alpha_pci_ops; - EXPORT_SYMBOL(dma_ops); -diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci-noop.c linux-2.6.39.3/arch/alpha/kernel/pci-noop.c ---- linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400 -@@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de - return 0; - } - --struct dma_map_ops alpha_noop_ops = { -+const struct dma_map_ops alpha_noop_ops = { - .alloc_coherent = alpha_noop_alloc_coherent, - .free_coherent = alpha_noop_free_coherent, - .map_page = alpha_noop_map_page, -@@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = { - .set_dma_mask = alpha_noop_set_mask, - }; - --struct dma_map_ops *dma_ops = &alpha_noop_ops; -+const struct dma_map_ops *dma_ops = &alpha_noop_ops; - EXPORT_SYMBOL(dma_ops); - - void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen) -diff -urNp linux-2.6.39.3/arch/alpha/kernel/proto.h linux-2.6.39.3/arch/alpha/kernel/proto.h ---- linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400 -@@ -17,14 +17,14 @@ struct pci_dev; - struct pci_controller; - - /* core_apecs.c */ --extern struct pci_ops apecs_pci_ops; -+extern const struct pci_ops apecs_pci_ops; - extern void apecs_init_arch(void); - extern void apecs_pci_clr_err(void); - extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr); - extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_cia.c */ --extern struct pci_ops cia_pci_ops; -+extern const struct pci_ops cia_pci_ops; - extern void cia_init_pci(void); - extern void cia_init_arch(void); - extern void pyxis_init_arch(void); -@@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l - extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_irongate.c */ --extern struct pci_ops irongate_pci_ops; -+extern const struct pci_ops irongate_pci_ops; - extern int irongate_pci_clr_err(void); - extern void irongate_init_arch(void); - #define irongate_pci_tbi ((void *)0) - - /* core_lca.c */ --extern struct pci_ops lca_pci_ops; -+extern const struct pci_ops lca_pci_ops; - extern void lca_init_arch(void); - extern void lca_machine_check(unsigned long vector, unsigned long la_ptr); - extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_marvel.c */ --extern struct pci_ops marvel_pci_ops; -+extern const struct pci_ops marvel_pci_ops; - extern void marvel_init_arch(void); - extern void marvel_kill_arch(int); - extern void marvel_machine_check(unsigned long, unsigned long); -@@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 * - void io7_clear_errors(struct io7 *io7); - - /* core_mcpcia.c */ --extern struct pci_ops mcpcia_pci_ops; -+extern const struct pci_ops mcpcia_pci_ops; - extern void mcpcia_init_arch(void); - extern void mcpcia_init_hoses(void); - extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr); - extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_polaris.c */ --extern struct pci_ops polaris_pci_ops; -+extern const struct pci_ops polaris_pci_ops; - extern int polaris_read_config_dword(struct pci_dev *, int, u32 *); - extern int polaris_write_config_dword(struct pci_dev *, int, u32); - extern void polaris_init_arch(void); -@@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign - #define polaris_pci_tbi ((void *)0) - - /* core_t2.c */ --extern struct pci_ops t2_pci_ops; -+extern const struct pci_ops t2_pci_ops; - extern void t2_init_arch(void); - extern void t2_kill_arch(int); - extern void t2_machine_check(unsigned long vector, unsigned long la_ptr); - extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_titan.c */ --extern struct pci_ops titan_pci_ops; -+extern const struct pci_ops titan_pci_ops; - extern void titan_init_arch(void); - extern void titan_kill_arch(int); - extern void titan_machine_check(unsigned long, unsigned long); -@@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con - extern struct _alpha_agp_info *titan_agp_info(void); - - /* core_tsunami.c */ --extern struct pci_ops tsunami_pci_ops; -+extern const struct pci_ops tsunami_pci_ops; - extern void tsunami_init_arch(void); - extern void tsunami_kill_arch(int); - extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr); - extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t); - - /* core_wildfire.c */ --extern struct pci_ops wildfire_pci_ops; -+extern const struct pci_ops wildfire_pci_ops; - extern void wildfire_init_arch(void); - extern void wildfire_kill_arch(int); - extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr); -diff -urNp linux-2.6.39.3/arch/alpha/mm/fault.c linux-2.6.39.3/arch/alpha/mm/fault.c ---- linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct * - __reload_thread(pcb); - } - -+#ifdef CONFIG_PAX_PAGEEXEC -+/* -+ * PaX: decide what to do with offenders (regs->pc = fault address) -+ * -+ * returns 1 when task should be killed -+ * 2 when patched PLT trampoline was detected -+ * 3 when unpatched PLT trampoline was detected -+ */ -+static int pax_handle_fetch_fault(struct pt_regs *regs) -+{ -+ -+#ifdef CONFIG_PAX_EMUPLT -+ int err; -+ -+ do { /* PaX: patched PLT emulation #1 */ -+ unsigned int ldah, ldq, jmp; -+ -+ err = get_user(ldah, (unsigned int *)regs->pc); -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4)); -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8)); -+ -+ if (err) -+ break; -+ -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U && -+ (ldq & 0xFFFF0000U) == 0xA77B0000U && -+ jmp == 0x6BFB0000U) -+ { -+ unsigned long r27, addr; -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16; -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL; -+ -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL); -+ err = get_user(r27, (unsigned long *)addr); -+ if (err) -+ break; -+ -+ regs->r27 = r27; -+ regs->pc = r27; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: patched PLT emulation #2 */ -+ unsigned int ldah, lda, br; -+ -+ err = get_user(ldah, (unsigned int *)regs->pc); -+ err |= get_user(lda, (unsigned int *)(regs->pc+4)); -+ err |= get_user(br, (unsigned int *)(regs->pc+8)); -+ -+ if (err) -+ break; -+ -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U && -+ (lda & 0xFFFF0000U) == 0xA77B0000U && -+ (br & 0xFFE00000U) == 0xC3E00000U) -+ { -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL; -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16; -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL; -+ -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL); -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2); -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: unpatched PLT emulation */ -+ unsigned int br; -+ -+ err = get_user(br, (unsigned int *)regs->pc); -+ -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) { -+ unsigned int br2, ldq, nop, jmp; -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver; -+ -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2); -+ err = get_user(br2, (unsigned int *)addr); -+ err |= get_user(ldq, (unsigned int *)(addr+4)); -+ err |= get_user(nop, (unsigned int *)(addr+8)); -+ err |= get_user(jmp, (unsigned int *)(addr+12)); -+ err |= get_user(resolver, (unsigned long *)(addr+16)); -+ -+ if (err) -+ break; -+ -+ if (br2 == 0xC3600000U && -+ ldq == 0xA77B000CU && -+ nop == 0x47FF041FU && -+ jmp == 0x6B7B0000U) -+ { -+ regs->r28 = regs->pc+4; -+ regs->r27 = addr+16; -+ regs->pc = resolver; -+ return 3; -+ } -+ } -+ } while (0); -+#endif -+ -+ return 1; -+} -+ -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 5; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif - - /* - * This routine handles page faults. It determines the address, -@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns - good_area: - si_code = SEGV_ACCERR; - if (cause < 0) { -- if (!(vma->vm_flags & VM_EXEC)) -+ if (!(vma->vm_flags & VM_EXEC)) { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc) -+ goto bad_area; -+ -+ up_read(&mm->mmap_sem); -+ switch (pax_handle_fetch_fault(regs)) { -+ -+#ifdef CONFIG_PAX_EMUPLT -+ case 2: -+ case 3: -+ return; -+#endif -+ -+ } -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp()); -+ do_group_exit(SIGKILL); -+#else - goto bad_area; -+#endif -+ -+ } - } else if (!cause) { - /* Allow reads even for write-only mappings */ - if (!(vma->vm_flags & (VM_READ | VM_WRITE))) -diff -urNp linux-2.6.39.3/arch/arm/common/it8152.c linux-2.6.39.3/arch/arm/common/it8152.c ---- linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400 -@@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops it8152_ops = { -+static const struct pci_ops it8152_ops = { - .read = it8152_pci_read_config, - .write = it8152_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/common/via82c505.c linux-2.6.39.3/arch/arm/common/via82c505.c ---- linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400 -@@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops via82c505_ops = { -+static const struct pci_ops via82c505_ops = { - .read = via82c505_read_config, - .write = via82c505_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/include/asm/cacheflush.h linux-2.6.39.3/arch/arm/include/asm/cacheflush.h ---- linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400 -@@ -115,7 +115,7 @@ struct cpu_cache_fns { - */ - #ifdef MULTI_CACHE - --extern struct cpu_cache_fns cpu_cache; -+extern const struct cpu_cache_fns cpu_cache; - - #define __cpuc_flush_icache_all cpu_cache.flush_icache_all - #define __cpuc_flush_kern_all cpu_cache.flush_kern_all -diff -urNp linux-2.6.39.3/arch/arm/include/asm/elf.h linux-2.6.39.3/arch/arm/include/asm/elf.h ---- linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t - the loader. We need to make sure that it is out of the way of the program - that it will "exec", and that there is sufficient room for the brk. */ - --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) -+ -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL -+ -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10) -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10) -+#endif - - /* When the program starts, a1 contains a pointer to a function to be - registered with atexit, as per the SVR4 ABI. A value of 0 means we -@@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t - extern void elf_set_personality(const struct elf32_hdr *); - #define SET_PERSONALITY(ex) elf_set_personality(&(ex)) - --struct mm_struct; --extern unsigned long arch_randomize_brk(struct mm_struct *mm); --#define arch_randomize_brk arch_randomize_brk -- - extern int vectors_user_mapping(void); - #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping() - #define ARCH_HAS_SETUP_ADDITIONAL_PAGES -diff -urNp linux-2.6.39.3/arch/arm/include/asm/kmap_types.h linux-2.6.39.3/arch/arm/include/asm/kmap_types.h ---- linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -21,6 +21,7 @@ enum km_type { - KM_L1_CACHE, - KM_L2_CACHE, - KM_KDB, -+ KM_CLEARPAGE, - KM_TYPE_NR - }; - -diff -urNp linux-2.6.39.3/arch/arm/include/asm/outercache.h linux-2.6.39.3/arch/arm/include/asm/outercache.h ---- linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400 -@@ -38,7 +38,7 @@ struct outer_cache_fns { - - #ifdef CONFIG_OUTER_CACHE - --extern struct outer_cache_fns outer_cache; -+extern const struct outer_cache_fns outer_cache; - - static inline void outer_inv_range(phys_addr_t start, phys_addr_t end) - { -diff -urNp linux-2.6.39.3/arch/arm/include/asm/page.h linux-2.6.39.3/arch/arm/include/asm/page.h ---- linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400 -@@ -126,7 +126,7 @@ struct cpu_user_fns { - }; - - #ifdef MULTI_USER --extern struct cpu_user_fns cpu_user; -+extern const struct cpu_user_fns cpu_user; - - #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage - #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage -diff -urNp linux-2.6.39.3/arch/arm/include/asm/uaccess.h linux-2.6.39.3/arch/arm/include/asm/uaccess.h ---- linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-06-29 21:04:12.000000000 -0400 -@@ -22,6 +22,8 @@ - #define VERIFY_READ 0 - #define VERIFY_WRITE 1 - -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+ - /* - * The exception table consists of pairs of addresses: the first is the - * address of an instruction that is allowed to fault, and the second is -@@ -387,8 +389,23 @@ do { \ - - - #ifdef CONFIG_MMU --extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n); --extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n); -+extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n); -+extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n); -+ -+static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n) -+{ -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ return ___copy_from_user(to, from, n); -+} -+ -+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n) -+{ -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); -+ return ___copy_to_user(to, from, n); -+} -+ - extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n); - extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n); - extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n); -@@ -403,6 +420,9 @@ extern unsigned long __must_check __strn - - static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - if (access_ok(VERIFY_READ, from, n)) - n = __copy_from_user(to, from, n); - else /* security hole - plug it */ -@@ -412,6 +432,9 @@ static inline unsigned long __must_check - - static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - if (access_ok(VERIFY_WRITE, to, n)) - n = __copy_to_user(to, from, n); - return n; -diff -urNp linux-2.6.39.3/arch/arm/kernel/armksyms.c linux-2.6.39.3/arch/arm/kernel/armksyms.c ---- linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-07-06 19:52:45.000000000 -0400 -@@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user); - #ifdef CONFIG_MMU - EXPORT_SYMBOL(copy_page); - --EXPORT_SYMBOL(__copy_from_user); --EXPORT_SYMBOL(__copy_to_user); -+EXPORT_SYMBOL(___copy_from_user); -+EXPORT_SYMBOL(___copy_to_user); - EXPORT_SYMBOL(__clear_user); - - EXPORT_SYMBOL(__get_user_1); -diff -urNp linux-2.6.39.3/arch/arm/kernel/kgdb.c linux-2.6.39.3/arch/arm/kernel/kgdb.c ---- linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -246,7 +246,7 @@ void kgdb_arch_exit(void) - * and we handle the normal undef case within the do_undefinstr - * handler. - */ --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - #ifndef __ARMEB__ - .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7} - #else /* ! __ARMEB__ */ -diff -urNp linux-2.6.39.3/arch/arm/kernel/process.c linux-2.6.39.3/arch/arm/kernel/process.c ---- linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -28,7 +28,6 @@ - #include <linux/tick.h> - #include <linux/utsname.h> - #include <linux/uaccess.h> --#include <linux/random.h> - #include <linux/hw_breakpoint.h> - - #include <asm/cacheflush.h> -@@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru - return 0; - } - --unsigned long arch_randomize_brk(struct mm_struct *mm) --{ -- unsigned long range_end = mm->brk + 0x02000000; -- return randomize_range(mm->brk, range_end, 0) ? : mm->brk; --} -- - #ifdef CONFIG_MMU - /* - * The vectors page is always readable from user space for the -diff -urNp linux-2.6.39.3/arch/arm/kernel/traps.c linux-2.6.39.3/arch/arm/kernel/traps.c ---- linux-2.6.39.3/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400 -@@ -258,6 +258,8 @@ static int __die(const char *str, int er - - static DEFINE_SPINLOCK(die_lock); - -+extern void gr_handle_kernel_exploit(void); -+ - /* - * This function is protected against re-entrancy. - */ -@@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs - panic("Fatal exception in interrupt"); - if (panic_on_oops) - panic("Fatal exception"); -+ -+ gr_handle_kernel_exploit(); -+ - if (ret != NOTIFY_STOP) - do_exit(SIGSEGV); - } -diff -urNp linux-2.6.39.3/arch/arm/lib/copy_from_user.S linux-2.6.39.3/arch/arm/lib/copy_from_user.S ---- linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-06-29 20:58:18.000000000 -0400 -@@ -16,7 +16,7 @@ - /* - * Prototype: - * -- * size_t __copy_from_user(void *to, const void *from, size_t n) -+ * size_t ___copy_from_user(void *to, const void *from, size_t n) - * - * Purpose: - * -@@ -84,11 +84,11 @@ - - .text - --ENTRY(__copy_from_user) -+ENTRY(___copy_from_user) - - #include "copy_template.S" - --ENDPROC(__copy_from_user) -+ENDPROC(___copy_from_user) - - .pushsection .fixup,"ax" - .align 0 -diff -urNp linux-2.6.39.3/arch/arm/lib/copy_to_user.S linux-2.6.39.3/arch/arm/lib/copy_to_user.S ---- linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-06-29 20:59:20.000000000 -0400 -@@ -16,7 +16,7 @@ - /* - * Prototype: - * -- * size_t __copy_to_user(void *to, const void *from, size_t n) -+ * size_t ___copy_to_user(void *to, const void *from, size_t n) - * - * Purpose: - * -@@ -88,11 +88,11 @@ - .text - - ENTRY(__copy_to_user_std) --WEAK(__copy_to_user) -+WEAK(___copy_to_user) - - #include "copy_template.S" - --ENDPROC(__copy_to_user) -+ENDPROC(___copy_to_user) - ENDPROC(__copy_to_user_std) - - .pushsection .fixup,"ax" -diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess.S linux-2.6.39.3/arch/arm/lib/uaccess.S ---- linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-06-29 20:59:01.000000000 -0400 -@@ -20,7 +20,7 @@ - - #define PAGE_SHIFT 12 - --/* Prototype: int __copy_to_user(void *to, const char *from, size_t n) -+/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n) - * Purpose : copy a block to user memory from kernel memory - * Params : to - user memory - * : from - kernel memory -@@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f - sub r2, r2, ip - b .Lc2u_dest_aligned - --ENTRY(__copy_to_user) -+ENTRY(___copy_to_user) - stmfd sp!, {r2, r4 - r7, lr} - cmp r2, #4 - blt .Lc2u_not_enough -@@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f - ldrgtb r3, [r1], #0 - USER( T(strgtb) r3, [r0], #1) @ May fault - b .Lc2u_finished --ENDPROC(__copy_to_user) -+ENDPROC(___copy_to_user) - - .pushsection .fixup,"ax" - .align 0 - 9001: ldmfd sp!, {r0, r4 - r7, pc} - .popsection - --/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n); -+/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n); - * Purpose : copy a block from user memory to kernel memory - * Params : to - kernel memory - * : from - user memory -@@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f - sub r2, r2, ip - b .Lcfu_dest_aligned - --ENTRY(__copy_from_user) -+ENTRY(___copy_from_user) - stmfd sp!, {r0, r2, r4 - r7, lr} - cmp r2, #4 - blt .Lcfu_not_enough -@@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f - USER( T(ldrgtb) r3, [r1], #1) @ May fault - strgtb r3, [r0], #1 - b .Lcfu_finished --ENDPROC(__copy_from_user) -+ENDPROC(___copy_from_user) - - .pushsection .fixup,"ax" - .align 0 -diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c ---- linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:59:55.000000000 -0400 -@@ -103,7 +103,7 @@ out: - } - - unsigned long --__copy_to_user(void __user *to, const void *from, unsigned long n) -+___copy_to_user(void __user *to, const void *from, unsigned long n) - { - /* - * This test is stubbed out of the main function above to keep -diff -urNp linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c ---- linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400 -@@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str - return 1; - } - --static struct pci_ops cns3xxx_pcie_ops = { -+static const struct pci_ops cns3xxx_pcie_ops = { - .read = cns3xxx_pci_read_config, - .write = cns3xxx_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-dove/pcie.c linux-2.6.39.3/arch/arm/mach-dove/pcie.c ---- linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400 -@@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus * - return ret; - } - --static struct pci_ops pcie_ops = { -+static const struct pci_ops pcie_ops = { - .read = pcie_rd_conf, - .write = pcie_wr_conf, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c ---- linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400 -@@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops dc21285_ops = { -+static const struct pci_ops dc21285_ops = { - .read = dc21285_read_config, - .write = dc21285_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c ---- linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400 -@@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops pci_v3_ops = { -+static const struct pci_ops pci_v3_ops = { - .read = v3_read_config, - .write = v3_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c ---- linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops iop13xx_atux_ops = { -+static const struct pci_ops iop13xx_atux_ops = { - .read = iop13xx_atux_read_config, - .write = iop13xx_atux_write_config, - }; -@@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops iop13xx_atue_ops = { -+static const struct pci_ops iop13xx_atue_ops = { - .read = iop13xx_atue_read_config, - .write = iop13xx_atue_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c ---- linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400 -@@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru - return PCIBIOS_DEVICE_NOT_FOUND; - } - --static struct pci_ops enp2611_pci_ops = { -+static const struct pci_ops enp2611_pci_ops = { - .read = enp2611_pci_read_config, - .write = enp2611_pci_write_config - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c ---- linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_ - } - - --static struct pci_ops ixp2000_pci_ops = { -+static const struct pci_ops ixp2000_pci_ops = { - .read = ixp2000_pci_read_config, - .write = ixp2000_pci_write_config - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c ---- linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops ixp23xx_pci_ops = { -+const struct pci_ops ixp23xx_pci_ops = { - .read = ixp23xx_pci_read_config, - .write = ixp23xx_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c ---- linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops ixp4xx_ops = { -+const struct pci_ops ixp4xx_ops = { - .read = ixp4xx_pci_read_config, - .write = ixp4xx_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c ---- linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400 -@@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus * - return ret; - } - --static struct pci_ops pcie_ops = { -+static const struct pci_ops pcie_ops = { - .read = pcie_rd_conf, - .write = pcie_wr_conf, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ks8695/pci.c linux-2.6.39.3/arch/arm/mach-ks8695/pci.c ---- linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int - __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD); - } - --static struct pci_ops ks8695_pci_ops = { -+static const struct pci_ops ks8695_pci_ops = { - .read = ks8695_pci_readconfig, - .write = ks8695_pci_writeconfig, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-mmp/clock.c linux-2.6.39.3/arch/arm/mach-mmp/clock.c ---- linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400 -@@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk - __raw_writel(0, clk->clk_rst); - } - --struct clkops apbc_clk_ops = { -+const struct clkops apbc_clk_ops = { - .enable = apbc_clk_enable, - .disable = apbc_clk_disable, - }; -@@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk - __raw_writel(0, clk->clk_rst); - } - --struct clkops apmu_clk_ops = { -+const struct clkops apmu_clk_ops = { - .enable = apmu_clk_enable, - .disable = apmu_clk_disable, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-msm/iommu.c linux-2.6.39.3/arch/arm/mach-msm/iommu.c ---- linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -669,7 +669,7 @@ fail: - return 0; - } - --static struct iommu_ops msm_iommu_ops = { -+static const struct iommu_ops msm_iommu_ops = { - .domain_init = msm_iommu_domain_init, - .domain_destroy = msm_iommu_domain_destroy, - .attach_dev = msm_iommu_attach_dev, -diff -urNp linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c ---- linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400 -@@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc - } - - static struct file_operations last_radio_log_fops = { -+ /* cannot be const, see msm_init_last_radio_log */ - .read = last_radio_log_read, - .llseek = default_llseek, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c ---- linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400 -@@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus * - return ret; - } - --static struct pci_ops pcie_ops = { -+static const struct pci_ops pcie_ops = { - .read = pcie_rd_conf, - .write = pcie_wr_conf, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-orion5x/pci.c linux-2.6.39.3/arch/arm/mach-orion5x/pci.c ---- linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus * - return ret; - } - --static struct pci_ops pcie_ops = { -+static const struct pci_ops pcie_ops = { - .read = pcie_rd_conf, - .write = pcie_wr_conf, - }; -@@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc - PCI_FUNC(devfn), where, size, val); - } - --static struct pci_ops pci_ops = { -+static const struct pci_ops pci_ops = { - .read = orion5x_pci_rd_conf, - .write = orion5x_pci_wr_conf, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c ---- linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400 -@@ -117,7 +117,7 @@ static int nanoengine_write_config(struc - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops pci_nano_ops = { -+static const struct pci_ops pci_nano_ops = { - .read = nanoengine_read_config, - .write = nanoengine_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-tegra/pcie.c linux-2.6.39.3/arch/arm/mach-tegra/pcie.c ---- linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400 -@@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops tegra_pcie_ops = { -+static const struct pci_ops tegra_pcie_ops = { - .read = tegra_pcie_read_conf, - .write = tegra_pcie_write_conf, - }; -diff -urNp linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c ---- linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400 -@@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev - return sprintf(buf, "0x%X\n", mbox_value); - } - --static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo); -+static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo); - - static int mbox_show(struct seq_file *s, void *data) - { -diff -urNp linux-2.6.39.3/arch/arm/mach-versatile/pci.c linux-2.6.39.3/arch/arm/mach-versatile/pci.c ---- linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -165,7 +165,7 @@ static int versatile_write_config(struct - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops pci_versatile_ops = { -+static const struct pci_ops pci_versatile_ops = { - .read = versatile_read_config, - .write = versatile_write_config, - }; -diff -urNp linux-2.6.39.3/arch/arm/mm/fault.c linux-2.6.39.3/arch/arm/mm/fault.c ---- linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk, - } - #endif - -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (fsr & FSR_LNX_PF) { -+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - tsk->thread.address = addr; - tsk->thread.error_code = fsr; - tsk->thread.trap_no = 14; -@@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign - } - #endif /* CONFIG_MMU */ - -+#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(void *pc, void *sp) -+{ -+ long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 20; i++) { -+ unsigned char c; -+ if (get_user(c, (__force unsigned char __user *)pc+i)) -+ printk(KERN_CONT "?? "); -+ else -+ printk(KERN_CONT "%02x ", c); -+ } -+ printk("\n"); -+ -+ printk(KERN_ERR "PAX: bytes at SP-4: "); -+ for (i = -1; i < 20; i++) { -+ unsigned long c; -+ if (get_user(c, (__force unsigned long __user *)sp+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08lx ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - /* - * First Level Translation Fault Handler - * -diff -urNp linux-2.6.39.3/arch/arm/mm/mmap.c linux-2.6.39.3/arch/arm/mm/mmap.c ---- linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400 -@@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp - if (len > TASK_SIZE) - return -ENOMEM; - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - if (addr) { - if (do_align) - addr = COLOUR_ALIGN(addr, pgoff); -@@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp - addr = PAGE_ALIGN(addr); - - vma = find_vma(mm, addr); -- if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - if (len > mm->cached_hole_size) { -- start_addr = addr = mm->free_area_cache; -+ start_addr = addr = mm->free_area_cache; - } else { -- start_addr = addr = TASK_UNMAPPED_BASE; -- mm->cached_hole_size = 0; -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; - } - /* 8 bits of randomness in 20 address space bits */ - if ((current->flags & PF_RANDOMIZE) && -@@ -100,14 +103,14 @@ full_search: - * Start a new search - just in case we missed - * some holes. - */ -- if (start_addr != TASK_UNMAPPED_BASE) { -- start_addr = addr = TASK_UNMAPPED_BASE; -+ if (start_addr != mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; - mm->cached_hole_size = 0; - goto full_search; - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { - /* - * Remember the place where we stopped the search: - */ -diff -urNp linux-2.6.39.3/arch/arm/plat-iop/pci.c linux-2.6.39.3/arch/arm/plat-iop/pci.c ---- linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus, - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops iop3xx_ops = { -+static const struct pci_ops iop3xx_ops = { - .read = iop3xx_read_config, - .write = iop3xx_write_config, - }; -diff -urNp linux-2.6.39.3/arch/avr32/include/asm/elf.h linux-2.6.39.3/arch/avr32/include/asm/elf.h ---- linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg - the loader. We need to make sure that it is out of the way of the program - that it will "exec", and that there is sufficient room for the brk. */ - --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL -+ -+#define PAX_DELTA_MMAP_LEN 15 -+#define PAX_DELTA_STACK_LEN 15 -+#endif - - /* This yields a mask that user programs can use to figure out what - instruction set this CPU supports. This could be done in user space, -diff -urNp linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h ---- linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0, - D(11) KM_IRQ1, - D(12) KM_SOFTIRQ0, - D(13) KM_SOFTIRQ1, --D(14) KM_TYPE_NR -+D(14) KM_CLEARPAGE, -+D(15) KM_TYPE_NR - }; - - #undef D -diff -urNp linux-2.6.39.3/arch/avr32/mm/fault.c linux-2.6.39.3/arch/avr32/mm/fault.c ---- linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru - - int exception_trace = 1; - -+#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 20; i++) { -+ unsigned char c; -+ if (get_user(c, (unsigned char *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%02x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - /* - * This routine handles page faults. It determines the address and the - * problem, and then passes it off to one of the appropriate routines. -@@ -156,6 +173,16 @@ bad_area: - up_read(&mm->mmap_sem); - - if (user_mode(regs)) { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) { -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) { -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp); -+ do_group_exit(SIGKILL); -+ } -+ } -+#endif -+ - if (exception_trace && printk_ratelimit()) - printk("%s%s[%d]: segfault at %08lx pc %08lx " - "sp %08lx ecr %lu\n", -diff -urNp linux-2.6.39.3/arch/blackfin/kernel/kgdb.c linux-2.6.39.3/arch/blackfin/kernel/kgdb.c ---- linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto - return -1; /* this means that we do not want to exit from the handler */ - } - --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - .gdb_bpt_instr = {0xa1}, - .flags = KGDB_HW_BREAKPOINT, - .set_hw_breakpoint = bfin_set_hw_break, -diff -urNp linux-2.6.39.3/arch/blackfin/mm/maccess.c linux-2.6.39.3/arch/blackfin/mm/maccess.c ---- linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400 -@@ -16,7 +16,7 @@ static int validate_memory_access_addres - return bfin_mem_access_type(addr, size); - } - --long probe_kernel_read(void *dst, void *src, size_t size) -+long probe_kernel_read(void *dst, const void *src, size_t size) - { - unsigned long lsrc = (unsigned long)src; - int mem_type; -@@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void * - return -EFAULT; - } - --long probe_kernel_write(void *dst, void *src, size_t size) -+long probe_kernel_write(void *dst, const void *src, size_t size) - { - unsigned long ldst = (unsigned long)dst; - int mem_type; -diff -urNp linux-2.6.39.3/arch/frv/include/asm/kmap_types.h linux-2.6.39.3/arch/frv/include/asm/kmap_types.h ---- linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -23,6 +23,7 @@ enum km_type { - KM_IRQ1, - KM_SOFTIRQ0, - KM_SOFTIRQ1, -+ KM_CLEARPAGE, - KM_TYPE_NR - }; - -diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h ---- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400 -@@ -34,7 +34,7 @@ void pcibios_resource_survey(void); - - extern int __nongpreldata pcibios_last_bus; - extern struct pci_bus *__nongpreldata pci_root_bus; --extern struct pci_ops *__nongpreldata pci_root_ops; -+extern const struct pci_ops *__nongpreldata pci_root_ops; - - /* pci-irq.c */ - extern unsigned int pcibios_irq_mask; -diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c ---- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400 -@@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe = - - int __nongpreldata pcibios_last_bus = -1; - struct pci_bus *__nongpreldata pci_root_bus; --struct pci_ops *__nongpreldata pci_root_ops; -+const struct pci_ops *__nongpreldata pci_root_ops; - - /* - * The accessible PCI window does not cover the entire CPU address space, but -@@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops pci_direct_frv = { -+static const struct pci_ops pci_direct_frv = { - pci_frv_read_config, - pci_frv_write_config, - }; -@@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci - - int __init pcibios_init(void) - { -- struct pci_ops *dir = NULL; -+ const struct pci_ops *dir = NULL; - - if (!mb93090_mb00_detected) - return -ENXIO; -diff -urNp linux-2.6.39.3/arch/frv/mm/elf-fdpic.c linux-2.6.39.3/arch/frv/mm/elf-fdpic.c ---- linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400 -@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str - if (addr) { - addr = PAGE_ALIGN(addr); - vma = find_vma(current->mm, addr); -- if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) - goto success; - } - -@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str - for (; vma; vma = vma->vm_next) { - if (addr > limit) - break; -- if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - goto success; - addr = vma->vm_end; - } -@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str - for (; vma; vma = vma->vm_next) { - if (addr > limit) - break; -- if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - goto success; - addr = vma->vm_end; - } -diff -urNp linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c ---- linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -17,7 +17,7 @@ - #include <linux/swiotlb.h> - #include <asm/machvec.h> - --extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops; -+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops; - - /* swiotlb declarations & definitions: */ - extern int swiotlb_late_init_with_default_size (size_t size); -@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev - !sba_dma_ops.dma_supported(dev, *dev->dma_mask); - } - --struct dma_map_ops *hwsw_dma_get_ops(struct device *dev) -+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev) - { - if (use_swiotlb(dev)) - return &swiotlb_dma_ops; -diff -urNp linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c ---- linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d - }, - }; - --extern struct dma_map_ops swiotlb_dma_ops; -+extern const struct dma_map_ops swiotlb_dma_ops; - - static int __init - sba_init(void) -@@ -2211,7 +2211,7 @@ sba_page_override(char *str) - - __setup("sbapagesize=",sba_page_override); - --struct dma_map_ops sba_dma_ops = { -+const struct dma_map_ops sba_dma_ops = { - .alloc_coherent = sba_alloc_coherent, - .free_coherent = sba_free_coherent, - .map_page = sba_map_page, -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -14,7 +14,7 @@ - - #define DMA_ERROR_CODE 0 - --extern struct dma_map_ops *dma_ops; -+extern const struct dma_map_ops *dma_ops; - extern struct ia64_machine_vector ia64_mv; - extern void set_iommu_machvec(void); - -@@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d - static inline void *dma_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *daddr, gfp_t gfp) - { -- struct dma_map_ops *ops = platform_dma_get_ops(dev); -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev); - void *caddr; - - caddr = ops->alloc_coherent(dev, size, daddr, gfp); -@@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *caddr, dma_addr_t daddr) - { -- struct dma_map_ops *ops = platform_dma_get_ops(dev); -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev); - debug_dma_free_coherent(dev, size, caddr, daddr); - ops->free_coherent(dev, size, caddr, daddr); - } -@@ -51,13 +51,13 @@ static inline void dma_free_coherent(str - - static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr) - { -- struct dma_map_ops *ops = platform_dma_get_ops(dev); -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev); - return ops->mapping_error(dev, daddr); - } - - static inline int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = platform_dma_get_ops(dev); -+ const struct dma_map_ops *ops = platform_dma_get_ops(dev); - return ops->dma_supported(dev, mask); - } - -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/elf.h linux-2.6.39.3/arch/ia64/include/asm/elf.h ---- linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -42,6 +42,13 @@ - */ - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL) -+ -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13) -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13) -+#endif -+ - #define PT_IA_64_UNWIND 0x70000001 - - /* IA-64 relocations: */ -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/machvec.h linux-2.6.39.3/arch/ia64/include/asm/machvec.h ---- linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400 -@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event - /* DMA-mapping interface: */ - typedef void ia64_mv_dma_init (void); - typedef u64 ia64_mv_dma_get_required_mask (struct device *); --typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *); -+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *); - - /* - * WARNING: The legacy I/O space is _architected_. Platforms are -@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co - # endif /* CONFIG_IA64_GENERIC */ - - extern void swiotlb_dma_init(void); --extern struct dma_map_ops *dma_get_ops(struct device *); -+extern const struct dma_map_ops *dma_get_ops(struct device *); - - /* - * Define default versions so we can extend machvec for new platforms without having -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/pgtable.h linux-2.6.39.3/arch/ia64/include/asm/pgtable.h ---- linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,7 +12,7 @@ - * David Mosberger-Tang <davidm@hpl.hp.com> - */ - -- -+#include <linux/const.h> - #include <asm/mman.h> - #include <asm/page.h> - #include <asm/processor.h> -@@ -143,6 +143,17 @@ - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX) -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW) -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) -+#else -+# define PAGE_SHARED_NOEXEC PAGE_SHARED -+# define PAGE_READONLY_NOEXEC PAGE_READONLY -+# define PAGE_COPY_NOEXEC PAGE_COPY -+#endif -+ - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX) - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX) - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX) -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/spinlock.h linux-2.6.39.3/arch/ia64/include/asm/spinlock.h ---- linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400 -@@ -72,7 +72,7 @@ static __always_inline void __ticket_spi - unsigned short *p = (unsigned short *)&lock->lock + 1, tmp; - - asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p)); -- ACCESS_ONCE(*p) = (tmp + 2) & ~1; -+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1; - } - - static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock) -diff -urNp linux-2.6.39.3/arch/ia64/include/asm/uaccess.h linux-2.6.39.3/arch/ia64/include/asm/uaccess.h ---- linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400 -@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _ - const void *__cu_from = (from); \ - long __cu_len = (n); \ - \ -- if (__access_ok(__cu_to, __cu_len, get_fs())) \ -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \ - __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \ - __cu_len; \ - }) -@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _ - long __cu_len = (n); \ - \ - __chk_user_ptr(__cu_from); \ -- if (__access_ok(__cu_from, __cu_len, get_fs())) \ -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \ - __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \ - __cu_len; \ - }) -diff -urNp linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c ---- linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400 -@@ -3,7 +3,7 @@ - /* Set this to 1 if there is a HW IOMMU in the system */ - int iommu_detected __read_mostly; - --struct dma_map_ops *dma_ops; -+const struct dma_map_ops *dma_ops; - EXPORT_SYMBOL(dma_ops); - - #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16) -@@ -16,7 +16,7 @@ static int __init dma_init(void) - } - fs_initcall(dma_init); - --struct dma_map_ops *dma_get_ops(struct device *dev) -+const struct dma_map_ops *dma_get_ops(struct device *dev) - { - return dma_ops; - } -diff -urNp linux-2.6.39.3/arch/ia64/kernel/module.c linux-2.6.39.3/arch/ia64/kernel/module.c ---- linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -315,8 +315,7 @@ module_alloc (unsigned long size) - void - module_free (struct module *mod, void *module_region) - { -- if (mod && mod->arch.init_unw_table && -- module_region == mod->module_init) { -+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) { - unw_remove_unwind_table(mod->arch.init_unw_table); - mod->arch.init_unw_table = NULL; - } -@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd - } - - static inline int -+in_init_rx (const struct module *mod, uint64_t addr) -+{ -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx; -+} -+ -+static inline int -+in_init_rw (const struct module *mod, uint64_t addr) -+{ -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw; -+} -+ -+static inline int - in_init (const struct module *mod, uint64_t addr) - { -- return addr - (uint64_t) mod->module_init < mod->init_size; -+ return in_init_rx(mod, addr) || in_init_rw(mod, addr); -+} -+ -+static inline int -+in_core_rx (const struct module *mod, uint64_t addr) -+{ -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx; -+} -+ -+static inline int -+in_core_rw (const struct module *mod, uint64_t addr) -+{ -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw; - } - - static inline int - in_core (const struct module *mod, uint64_t addr) - { -- return addr - (uint64_t) mod->module_core < mod->core_size; -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr); - } - - static inline int -@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_ - break; - - case RV_BDREL: -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core); -+ if (in_init_rx(mod, val)) -+ val -= (uint64_t) mod->module_init_rx; -+ else if (in_init_rw(mod, val)) -+ val -= (uint64_t) mod->module_init_rw; -+ else if (in_core_rx(mod, val)) -+ val -= (uint64_t) mod->module_core_rx; -+ else if (in_core_rw(mod, val)) -+ val -= (uint64_t) mod->module_core_rw; - break; - - case RV_LTV: -@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, - * addresses have been selected... - */ - uint64_t gp; -- if (mod->core_size > MAX_LTOFF) -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF) - /* - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated - * at the end of the module. - */ -- gp = mod->core_size - MAX_LTOFF / 2; -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2; - else -- gp = mod->core_size / 2; -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8); -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2; -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8); - mod->arch.gp = gp; - DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp); - } -diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-dma.c linux-2.6.39.3/arch/ia64/kernel/pci-dma.c ---- linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400 -@@ -43,7 +43,7 @@ struct device fallback_dev = { - .dma_mask = &fallback_dev.coherent_dma_mask, - }; - --extern struct dma_map_ops intel_dma_ops; -+extern const struct dma_map_ops intel_dma_ops; - - static int __init pci_iommu_init(void) - { -diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c ---- linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent - return swiotlb_alloc_coherent(dev, size, dma_handle, gfp); - } - --struct dma_map_ops swiotlb_dma_ops = { -+const struct dma_map_ops swiotlb_dma_ops = { - .alloc_coherent = ia64_swiotlb_alloc_coherent, - .free_coherent = swiotlb_free_coherent, - .map_page = swiotlb_map_page, -diff -urNp linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c ---- linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil - if (REGION_NUMBER(addr) == RGN_HPAGE) - addr = 0; - #endif -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ addr = mm->free_area_cache; -+ else -+#endif -+ - if (!addr) - addr = mm->free_area_cache; - -@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { - /* At this point: (!vma || addr < vma->vm_end). */ - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) { -- if (start_addr != TASK_UNMAPPED_BASE) { -+ if (start_addr != mm->mmap_base) { - /* Start a new search --- just in case we missed some holes. */ -- addr = TASK_UNMAPPED_BASE; -+ addr = mm->mmap_base; - goto full_search; - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { - /* Remember the address where we stopped this search: */ - mm->free_area_cache = addr + len; - return addr; -diff -urNp linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S ---- linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400 -@@ -199,7 +199,7 @@ SECTIONS { - /* Per-cpu data: */ - . = ALIGN(PERCPU_PAGE_SIZE); - PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu) -- __phys_per_cpu_start = __per_cpu_load; -+ __phys_per_cpu_start = per_cpu_load; - /* - * ensure percpu data fits - * into percpu page size -diff -urNp linux-2.6.39.3/arch/ia64/mm/fault.c linux-2.6.39.3/arch/ia64/mm/fault.c ---- linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned - return pte_present(pte); - } - -+#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 8; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - void __kprobes - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs) - { -@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT) - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT)); - -- if ((vma->vm_flags & mask) != mask) -+ if ((vma->vm_flags & mask) != mask) { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) { -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip) -+ goto bad_area; -+ -+ up_read(&mm->mmap_sem); -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - goto bad_area; - -+ } -+ - /* - * If for any reason at all we couldn't handle the fault, make - * sure we exit gracefully rather than endlessly redo the -diff -urNp linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c ---- linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400 -@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area( - /* At this point: (!vmm || addr < vmm->vm_end). */ - if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT) - return -ENOMEM; -- if (!vmm || (addr + len) <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) - return addr; - addr = ALIGN(vmm->vm_end, HPAGE_SIZE); - } -diff -urNp linux-2.6.39.3/arch/ia64/mm/init.c linux-2.6.39.3/arch/ia64/mm/init.c ---- linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400 -@@ -122,6 +122,19 @@ ia64_init_addr_space (void) - vma->vm_start = current->thread.rbs_bot & PAGE_MASK; - vma->vm_end = vma->vm_start + PAGE_SIZE; - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT; -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) { -+ vma->vm_flags &= ~VM_EXEC; -+ -+#ifdef CONFIG_PAX_MPROTECT -+ if (current->mm->pax_flags & MF_PAX_MPROTECT) -+ vma->vm_flags &= ~VM_MAYEXEC; -+#endif -+ -+ } -+#endif -+ - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); - down_write(¤t->mm->mmap_sem); - if (insert_vm_struct(current->mm, vma)) { -diff -urNp linux-2.6.39.3/arch/ia64/pci/pci.c linux-2.6.39.3/arch/ia64/pci/pci.c ---- linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus - devfn, where, size, value); - } - --struct pci_ops pci_root_ops = { -+const struct pci_ops pci_root_ops = { - .read = pci_read, - .write = pci_write, - }; -diff -urNp linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c ---- linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400 -@@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus * - return ret; - } - --static struct dma_map_ops sn_dma_ops = { -+static const struct dma_map_ops sn_dma_ops = { - .alloc_coherent = sn_dma_alloc_coherent, - .free_coherent = sn_dma_free_coherent, - .map_page = sn_dma_map_page, -diff -urNp linux-2.6.39.3/arch/m32r/lib/usercopy.c linux-2.6.39.3/arch/m32r/lib/usercopy.c ---- linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400 -@@ -14,6 +14,9 @@ - unsigned long - __generic_copy_to_user(void __user *to, const void *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - prefetch(from); - if (access_ok(VERIFY_WRITE, to, n)) - __copy_user(to,from,n); -@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, - unsigned long - __generic_copy_from_user(void *to, const void __user *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - prefetchw(to); - if (access_ok(VERIFY_READ, from, n)) - __copy_user_zeroing(to,from,n); -diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/device.h linux-2.6.39.3/arch/microblaze/include/asm/device.h ---- linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400 -@@ -13,7 +13,7 @@ struct device_node; - - struct dev_archdata { - /* DMA operations on that device */ -- struct dma_map_ops *dma_ops; -+ const struct dma_map_ops *dma_ops; - void *dma_data; - }; - -diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -43,14 +43,14 @@ static inline unsigned long device_to_ma - return 0xfffffffful; - } - --extern struct dma_map_ops *dma_ops; -+extern const struct dma_map_ops *dma_ops; - - /* - * Available generic sets of operations - */ --extern struct dma_map_ops dma_direct_ops; -+extern const struct dma_map_ops dma_direct_ops; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - /* We don't handle the NULL dev case for ISA for now. We could - * do it via an out of line call but it is not needed for now. The -@@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm - return dev->archdata.dma_ops; - } - --static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops) -+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops) - { - dev->archdata.dma_ops = ops; - } - - static inline int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (unlikely(!ops)) - return 0; -@@ -81,7 +81,7 @@ static inline int dma_supported(struct d - - static inline int dma_set_mask(struct device *dev, u64 dma_mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (unlikely(ops == NULL)) - return -EIO; -@@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de - - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - if (ops->mapping_error) - return ops->mapping_error(dev, dma_addr); - -@@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru - static inline void *dma_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *dma_handle, gfp_t flag) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - void *memory; - - BUG_ON(!ops); -@@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *cpu_addr, dma_addr_t dma_handle) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - BUG_ON(!ops); - debug_dma_free_coherent(dev, size, cpu_addr, dma_handle); -diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/pci.h linux-2.6.39.3/arch/microblaze/include/asm/pci.h ---- linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400 -@@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_ - } - - #ifdef CONFIG_PCI --extern void set_pci_dma_ops(struct dma_map_ops *dma_ops); --extern struct dma_map_ops *get_pci_dma_ops(void); -+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops); -+extern const struct dma_map_ops *get_pci_dma_ops(void); - #else /* CONFIG_PCI */ - #define set_pci_dma_ops(d) - #define get_pci_dma_ops() NULL -diff -urNp linux-2.6.39.3/arch/microblaze/kernel/dma.c linux-2.6.39.3/arch/microblaze/kernel/dma.c ---- linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400 -@@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page - __dma_sync_page(dma_address, 0 , size, direction); - } - --struct dma_map_ops dma_direct_ops = { -+const struct dma_map_ops dma_direct_ops = { - .alloc_coherent = dma_direct_alloc_coherent, - .free_coherent = dma_direct_free_coherent, - .map_sg = dma_direct_map_sg, -diff -urNp linux-2.6.39.3/arch/microblaze/kernel/kgdb.c linux-2.6.39.3/arch/microblaze/kernel/kgdb.c ---- linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -141,7 +141,7 @@ void kgdb_arch_exit(void) - /* - * Global data - */ --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - #ifdef __MICROBLAZEEL__ - .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */ - #else -diff -urNp linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c ---- linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops indirect_pci_ops = { -+static const struct pci_ops indirect_pci_ops = { - .read = indirect_read_config, - .write = indirect_write_config, - }; -diff -urNp linux-2.6.39.3/arch/microblaze/pci/pci-common.c linux-2.6.39.3/arch/microblaze/pci/pci-common.c ---- linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400 -@@ -48,14 +48,14 @@ resource_size_t isa_mem_base; - /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */ - unsigned int pci_flags; - --static struct dma_map_ops *pci_dma_ops = &dma_direct_ops; -+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops; - --void set_pci_dma_ops(struct dma_map_ops *dma_ops) -+void set_pci_dma_ops(const struct dma_map_ops *dma_ops) - { - pci_dma_ops = dma_ops; - } - --struct dma_map_ops *get_pci_dma_ops(void) -+const struct dma_map_ops *get_pci_dma_ops(void) - { - return pci_dma_ops; - } -@@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u - return PCIBIOS_DEVICE_NOT_FOUND; - } - --static struct pci_ops null_pci_ops = { -+static const struct pci_ops null_pci_ops = { - .read = null_read_config, - .write = null_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/alchemy/common/pci.c linux-2.6.39.3/arch/mips/alchemy/common/pci.c ---- linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -51,7 +51,7 @@ static struct resource pci_mem_resource - .flags = IORESOURCE_MEM - }; - --extern struct pci_ops au1x_pci_ops; -+extern const struct pci_ops au1x_pci_ops; - - static struct pci_controller au1x_controller = { - .pci_ops = &au1x_pci_ops, -diff -urNp linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c ---- linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400 -@@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p - } - - struct octeon_dma_map_ops { -- struct dma_map_ops dma_map_ops; -+ const struct dma_map_ops dma_map_ops; - dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr); - phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr); - }; -@@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon - }, - }; - --struct dma_map_ops *octeon_pci_dma_map_ops; -+const struct dma_map_ops *octeon_pci_dma_map_ops; - - void __init octeon_pci_dma_init(void) - { -diff -urNp linux-2.6.39.3/arch/mips/cobalt/pci.c linux-2.6.39.3/arch/mips/cobalt/pci.c ---- linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -14,7 +14,7 @@ - - #include <asm/gt64120.h> - --extern struct pci_ops gt64xxx_pci0_ops; -+extern const struct pci_ops gt64xxx_pci0_ops; - - static struct resource cobalt_mem_resource = { - .start = GT_DEF_PCI0_MEM0_BASE, -diff -urNp linux-2.6.39.3/arch/mips/include/asm/device.h linux-2.6.39.3/arch/mips/include/asm/device.h ---- linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400 -@@ -10,7 +10,7 @@ struct dma_map_ops; - - struct dev_archdata { - /* DMA operations on that device */ -- struct dma_map_ops *dma_ops; -+ const struct dma_map_ops *dma_ops; - }; - - struct pdev_archdata { -diff -urNp linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -9,9 +9,9 @@ - #include <dma-coherence.h> - #endif - --extern struct dma_map_ops *mips_dma_map_ops; -+extern const struct dma_map_ops *mips_dma_map_ops; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - if (dev && dev->archdata.dma_ops) - return dev->archdata.dma_ops; -@@ -33,13 +33,13 @@ static inline void dma_mark_clean(void * - - static inline int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - return ops->dma_supported(dev, mask); - } - - static inline int dma_mapping_error(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - return ops->mapping_error(dev, mask); - } - -@@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s - dma_addr_t *dma_handle, gfp_t gfp) - { - void *ret; -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - ret = ops->alloc_coherent(dev, size, dma_handle, gfp); - -@@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *vaddr, dma_addr_t dma_handle) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - ops->free_coherent(dev, size, vaddr, dma_handle); - -diff -urNp linux-2.6.39.3/arch/mips/include/asm/elf.h linux-2.6.39.3/arch/mips/include/asm/elf.h ---- linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -372,13 +372,16 @@ extern const char *__elf_platform; - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) - #endif - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL) -+ -+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#endif -+ - #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 - struct linux_binprm; - extern int arch_setup_additional_pages(struct linux_binprm *bprm, - int uses_interp); - --struct mm_struct; --extern unsigned long arch_randomize_brk(struct mm_struct *mm); --#define arch_randomize_brk arch_randomize_brk -- - #endif /* _ASM_ELF_H */ -diff -urNp linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h ---- linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400 -@@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de - phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr); - - struct dma_map_ops; --extern struct dma_map_ops *octeon_pci_dma_map_ops; -+extern const struct dma_map_ops *octeon_pci_dma_map_ops; - extern char *octeon_swiotlb; - - #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */ -diff -urNp linux-2.6.39.3/arch/mips/include/asm/page.h linux-2.6.39.3/arch/mips/include/asm/page.h ---- linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400 -@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa - #ifdef CONFIG_CPU_MIPS32 - typedef struct { unsigned long pte_low, pte_high; } pte_t; - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32)) -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; }) -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; }) - #else - typedef struct { unsigned long long pte; } pte_t; - #define pte_val(x) ((x).pte) -diff -urNp linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h ---- linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400 -@@ -849,6 +849,6 @@ struct bridge_controller { - extern void register_bridge_irq(unsigned int irq); - extern int request_bridge_irq(struct bridge_controller *bc); - --extern struct pci_ops bridge_pci_ops; -+extern const struct pci_ops bridge_pci_ops; - - #endif /* _ASM_PCI_BRIDGE_H */ -diff -urNp linux-2.6.39.3/arch/mips/include/asm/system.h linux-2.6.39.3/arch/mips/include/asm/system.h ---- linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400 -@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void); - */ - #define __ARCH_WANT_UNLOCKED_CTXSW - --extern unsigned long arch_align_stack(unsigned long sp); -+#define arch_align_stack(x) ((x) & ~0xfUL) - - #endif /* _ASM_SYSTEM_H */ -diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c ---- linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N - #undef ELF_ET_DYN_BASE - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL) -+ -+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#endif -+ - #include <asm/processor.h> - #include <linux/module.h> - #include <linux/elfcore.h> -diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c ---- linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N - #undef ELF_ET_DYN_BASE - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL) -+ -+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) -+#endif -+ - #include <asm/processor.h> - - /* -diff -urNp linux-2.6.39.3/arch/mips/kernel/kgdb.c linux-2.6.39.3/arch/mips/kernel/kgdb.c ---- linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto - return -1; - } - --struct kgdb_arch arch_kgdb_ops; -+struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */ - - /* - * We use kgdb_early_setup so that functions we need to call now don't -diff -urNp linux-2.6.39.3/arch/mips/kernel/process.c linux-2.6.39.3/arch/mips/kernel/process.c ---- linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru - out: - return pc; - } -- --/* -- * Don't forget that the stack pointer must be aligned on a 8 bytes -- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI. -- */ --unsigned long arch_align_stack(unsigned long sp) --{ -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) -- sp -= get_random_int() & ~PAGE_MASK; -- -- return sp & ALMASK; --} -diff -urNp linux-2.6.39.3/arch/mips/kernel/syscall.c linux-2.6.39.3/arch/mips/kernel/syscall.c ---- linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400 -@@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str - do_color_align = 0; - if (filp || (flags & MAP_SHARED)) - do_color_align = 1; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - if (addr) { - if (do_color_align) - addr = COLOUR_ALIGN(addr, pgoff); - else - addr = PAGE_ALIGN(addr); - vmm = find_vma(current->mm, addr); -- if (task_size - len >= addr && -- (!vmm || addr + len <= vmm->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len)) - return addr; - } - addr = current->mm->mmap_base; -@@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str - /* At this point: (!vmm || addr < vmm->vm_end). */ - if (task_size - len < addr) - return -ENOMEM; -- if (!vmm || addr + len <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) - return addr; - addr = vmm->vm_end; - if (do_color_align) -@@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str - mm->unmap_area = arch_unmap_area; - } - --static inline unsigned long brk_rnd(void) --{ -- unsigned long rnd = get_random_int(); -- -- rnd = rnd << PAGE_SHIFT; -- /* 8MB for 32bit, 256MB for 64bit */ -- if (TASK_IS_32BIT_ADDR) -- rnd = rnd & 0x7ffffful; -- else -- rnd = rnd & 0xffffffful; -- -- return rnd; --} -- --unsigned long arch_randomize_brk(struct mm_struct *mm) --{ -- unsigned long base = mm->brk; -- unsigned long ret; -- -- ret = PAGE_ALIGN(base + brk_rnd()); -- -- if (ret < mm->brk) -- return mm->brk; -- -- return ret; --} -- - SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len, - unsigned long, prot, unsigned long, flags, unsigned long, - fd, off_t, offset) -diff -urNp linux-2.6.39.3/arch/mips/mm/dma-default.c linux-2.6.39.3/arch/mips/mm/dma-default.c ---- linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400 -@@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev, - - EXPORT_SYMBOL(dma_cache_sync); - --static struct dma_map_ops mips_default_dma_map_ops = { -+static const struct dma_map_ops mips_default_dma_map_ops = { - .alloc_coherent = mips_dma_alloc_coherent, - .free_coherent = mips_dma_free_coherent, - .map_page = mips_dma_map_page, -@@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d - .dma_supported = mips_dma_supported - }; - --struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops; -+const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops; - EXPORT_SYMBOL(mips_dma_map_ops); - - #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16) -diff -urNp linux-2.6.39.3/arch/mips/mm/fault.c linux-2.6.39.3/arch/mips/mm/fault.c ---- linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -28,6 +28,23 @@ - #include <asm/highmem.h> /* For VMALLOC_END */ - #include <linux/kdebug.h> - -+#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 5; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - /* - * This routine handles page faults. It determines the address, - * and the problem, and then passes it off to one of the appropriate -diff -urNp linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c ---- linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -64,9 +64,9 @@ static struct resource msc_io_resource = - .flags = IORESOURCE_IO, - }; - --extern struct pci_ops bonito64_pci_ops; --extern struct pci_ops gt64xxx_pci0_ops; --extern struct pci_ops msc_pci_ops; -+extern const struct pci_ops bonito64_pci_ops; -+extern const struct pci_ops gt64xxx_pci0_ops; -+extern const struct pci_ops msc_pci_ops; - - static struct pci_controller bonito64_controller = { - .pci_ops = &bonito64_pci_ops, -diff -urNp linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c ---- linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -40,7 +40,7 @@ static struct resource pci_mem_resource - .flags = IORESOURCE_MEM - }; - --extern struct pci_ops pnx8550_pci_ops; -+extern const struct pci_ops pnx8550_pci_ops; - - static struct pci_controller pnx8550_controller = { - .pci_ops = &pnx8550_pci_ops, -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-au1000.c linux-2.6.39.3/arch/mips/pci/ops-au1000.c ---- linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400 -@@ -302,7 +302,7 @@ static int config_write(struct pci_bus * - } - } - --struct pci_ops au1x_pci_ops = { -+const struct pci_ops au1x_pci_ops = { - config_read, - config_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c ---- linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400 -@@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_ - where, size, val); - } - --struct pci_ops bcm63xx_pci_ops = { -+const struct pci_ops bcm63xx_pci_ops = { - .read = bcm63xx_pci_read, - .write = bcm63xx_pci_write - }; -@@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b - return PCIBIOS_DEVICE_NOT_FOUND; - } - --struct pci_ops bcm63xx_cb_ops = { -+const struct pci_ops bcm63xx_cb_ops = { - .read = bcm63xx_cb_read, - .write = bcm63xx_cb_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bonito64.c linux-2.6.39.3/arch/mips/pci/ops-bonito64.c ---- linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops bonito64_pci_ops = { -+const struct pci_ops bonito64_pci_ops = { - .read = bonito64_pcibios_read, - .write = bonito64_pcibios_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bridge.c linux-2.6.39.3/arch/mips/pci/ops-bridge.c ---- linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400 -@@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b - return pci_conf0_write_config(bus, devfn, where, size, value); - } - --struct pci_ops bridge_pci_ops = { -+const struct pci_ops bridge_pci_ops = { - .read = pci_read_config, - .write = pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c ---- linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400 -@@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops emma2rh_pci_ops = { -+const struct pci_ops emma2rh_pci_ops = { - .read = pci_config_read, - .write = pci_config_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c ---- linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400 -@@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops gt64xxx_pci0_ops = { -+const struct pci_ops gt64xxx_pci0_ops = { - .read = gt64xxx_pci0_pcibios_read, - .write = gt64xxx_pci0_pcibios_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-loongson2.c linux-2.6.39.3/arch/mips/pci/ops-loongson2.c ---- linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400 -@@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops loongson_pci_ops = { -+const struct pci_ops loongson_pci_ops = { - .read = loongson_pcibios_read, - .write = loongson_pcibios_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-mace.c linux-2.6.39.3/arch/mips/pci/ops-mace.c ---- linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400 -@@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops mace_pci_ops = { -+const struct pci_ops mace_pci_ops = { - .read = mace_pci_read_config, - .write = mace_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-msc.c linux-2.6.39.3/arch/mips/pci/ops-msc.c ---- linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400 -@@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_ - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops msc_pci_ops = { -+const struct pci_ops msc_pci_ops = { - .read = msc_pcibios_read, - .write = msc_pcibios_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-nile4.c linux-2.6.39.3/arch/mips/pci/ops-nile4.c ---- linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400 -@@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops nile4_pci_ops = { -+const struct pci_ops nile4_pci_ops = { - .read = nile4_pcibios_read, - .write = nile4_pcibios_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c ---- linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400 -@@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus - * write - function for Linux to generate PCI Configuration writes. - * - ****************************************************************************/ --struct pci_ops msp_pci_ops = { -+const struct pci_ops msp_pci_ops = { - .read = msp_pcibios_read_config, - .write = msp_pcibios_write_config - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c ---- linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400 -@@ -276,7 +276,7 @@ static int config_write(struct pci_bus * - } - } - --struct pci_ops pnx8550_pci_ops = { -+const struct pci_ops pnx8550_pci_ops = { - config_read, - config_write - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-rc32434.c linux-2.6.39.3/arch/mips/pci/ops-rc32434.c ---- linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400 -@@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b - } - } - --struct pci_ops rc32434_pci_ops = { -+const struct pci_ops rc32434_pci_ops = { - .read = pci_config_read, - .write = pci_config_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-sni.c linux-2.6.39.3/arch/mips/pci/ops-sni.c ---- linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400 -@@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b - return 0; - } - --struct pci_ops sni_pcimt_ops = { -+const struct pci_ops sni_pcimt_ops = { - .read = pcimt_read, - .write = pcimt_write, - }; -@@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu - } - - --struct pci_ops sni_pcit_ops = { -+const struct pci_ops sni_pcit_ops = { - .read = pcit_read, - .write = pcit_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan.c linux-2.6.39.3/arch/mips/pci/ops-titan.c ---- linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400 -@@ -105,7 +105,7 @@ static int titan_write_config(struct pci - /* - * Titan PCI structure - */ --struct pci_ops titan_pci_ops = { -+const struct pci_ops titan_pci_ops = { - titan_read_config, - titan_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c ---- linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400 -@@ -118,7 +118,7 @@ static int titan_ht_config_write(struct - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops titan_ht_pci_ops = { -+const struct pci_ops titan_ht_pci_ops = { - .read = titan_ht_config_read, - .write = titan_ht_config_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-tx3927.c linux-2.6.39.3/arch/mips/pci/ops-tx3927.c ---- linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400 -@@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc - return check_abort(); - } - --static struct pci_ops tx3927_pci_ops = { -+static const struct pci_ops tx3927_pci_ops = { - .read = tx3927_pci_read_config, - .write = tx3927_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c ---- linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400 -@@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops vr41xx_pci_ops = { -+const struct pci_ops vr41xx_pci_ops = { - .read = pci_config_read, - .write = pci_config_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c ---- linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400 -@@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops bcm1480_pci_ops = { -+const struct pci_ops bcm1480_pci_ops = { - bcm1480_pcibios_read, - bcm1480_pcibios_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c ---- linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400 -@@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v - return 0; - } - --struct pci_ops bcm1480ht_pci_ops = { -+const struct pci_ops bcm1480ht_pci_ops = { - .read = bcm1480ht_pcibios_read, - .write = bcm1480ht_pcibios_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h ---- linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400 -@@ -16,8 +16,8 @@ - /* - * defined in ops-bcm63xx.c - */ --extern struct pci_ops bcm63xx_pci_ops; --extern struct pci_ops bcm63xx_cb_ops; -+extern const struct pci_ops bcm63xx_pci_ops; -+extern const struct pci_ops bcm63xx_cb_ops; - - /* - * defined in pci-bcm63xx.c -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c ---- linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400 -@@ -43,7 +43,7 @@ static struct resource pci_mem_resource - .flags = IORESOURCE_MEM, - }; - --extern struct pci_ops emma2rh_pci_ops; -+extern const struct pci_ops emma2rh_pci_ops; - - static struct pci_controller emma2rh_pci_controller = { - .pci_ops = &emma2rh_pci_ops, -diff -urNp linux-2.6.39.3/arch/mips/pci/pcie-octeon.c linux-2.6.39.3/arch/mips/pci/pcie-octeon.c ---- linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400 -@@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str - return octeon_pcie_write_config(1, bus, devfn, reg, size, val); - } - --static struct pci_ops octeon_pcie0_ops = { -+static const struct pci_ops octeon_pcie0_ops = { - octeon_pcie0_read_config, - octeon_pcie0_write_config, - }; -@@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie - .io_resource = &octeon_pcie0_io_resource, - }; - --static struct pci_ops octeon_pcie1_ops = { -+static const struct pci_ops octeon_pcie1_ops = { - octeon_pcie1_read_config, - octeon_pcie1_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip27.c linux-2.6.39.3/arch/mips/pci/pci-ip27.c ---- linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400 -@@ -39,7 +39,7 @@ static struct bridge_controller bridges[ - struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS]; - int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS]; - --extern struct pci_ops bridge_pci_ops; -+extern const struct pci_ops bridge_pci_ops; - - int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid) - { -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip32.c linux-2.6.39.3/arch/mips/pci/pci-ip32.c ---- linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq - } - - --extern struct pci_ops mace_pci_ops; -+extern const struct pci_ops mace_pci_ops; - #ifdef CONFIG_64BIT - static struct resource mace_pci_mem_resource = { - .name = "SGI O2 PCI MEM", -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-lasat.c linux-2.6.39.3/arch/mips/pci/pci-lasat.c ---- linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400 -@@ -14,8 +14,8 @@ - - #include <irq.h> - --extern struct pci_ops nile4_pci_ops; --extern struct pci_ops gt64xxx_pci0_ops; -+extern const struct pci_ops nile4_pci_ops; -+extern const struct pci_ops gt64xxx_pci0_ops; - static struct resource lasat_pci_mem_resource = { - .name = "LASAT PCI MEM", - .start = 0x18000000, -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-octeon.c linux-2.6.39.3/arch/mips/pci/pci-octeon.c ---- linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400 -@@ -334,7 +334,7 @@ static int octeon_write_config(struct pc - } - - --static struct pci_ops octeon_pci_ops = { -+static const struct pci_ops octeon_pci_ops = { - octeon_read_config, - octeon_write_config, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-rc32434.c linux-2.6.39.3/arch/mips/pci/pci-rc32434.c ---- linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400 -@@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i - .flags = IORESOURCE_IO, - }; - --extern struct pci_ops rc32434_pci_ops; -+extern const struct pci_ops rc32434_pci_ops; - - #define PCI_MEM1_START PCI_ADDR_START - #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1) -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-sb1250.c linux-2.6.39.3/arch/mips/pci/pci-sb1250.c ---- linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400 -@@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops sb1250_pci_ops = { -+const struct pci_ops sb1250_pci_ops = { - .read = sb1250_pcibios_read, - .write = sb1250_pcibios_write, - }; -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c ---- linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400 -@@ -36,7 +36,7 @@ - - #include "pci-vr41xx.h" - --extern struct pci_ops vr41xx_pci_ops; -+extern const struct pci_ops vr41xx_pci_ops; - - static void __iomem *pciu_base; - -diff -urNp linux-2.6.39.3/arch/mips/pci/pci-yosemite.c linux-2.6.39.3/arch/mips/pci/pci-yosemite.c ---- linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400 -@@ -11,7 +11,7 @@ - #include <linux/pci.h> - #include <asm/titan_dep.h> - --extern struct pci_ops titan_pci_ops; -+extern const struct pci_ops titan_pci_ops; - - static struct resource py_mem_resource = { - .start = 0xe0000000UL, -diff -urNp linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c ---- linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400 -@@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v - return start; - } - --struct pci_ops titan_pci_ops = { -+const struct pci_ops titan_pci_ops = { - titan_ht_config_read_byte, - titan_ht_config_read_word, - titan_ht_config_read_dword, -diff -urNp linux-2.6.39.3/arch/mips/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/pnx8550/common/pci.c ---- linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -40,7 +40,7 @@ static struct resource pci_mem_resource - .flags = IORESOURCE_MEM - }; - --extern struct pci_ops pnx8550_pci_ops; -+extern const struct pci_ops pnx8550_pci_ops; - - static struct pci_controller pnx8550_controller = { - .pci_ops = &pnx8550_pci_ops, -diff -urNp linux-2.6.39.3/arch/mips/sni/pcimt.c linux-2.6.39.3/arch/mips/sni/pcimt.c ---- linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400 -@@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in - request_resource(&sni_mem_resource, pcimt_mem_resources + i); - } - --extern struct pci_ops sni_pcimt_ops; -+extern const struct pci_ops sni_pcimt_ops; - - static struct pci_controller sni_controller = { - .pci_ops = &sni_pcimt_ops, -diff -urNp linux-2.6.39.3/arch/mips/sni/pcit.c linux-2.6.39.3/arch/mips/sni/pcit.c ---- linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400 -@@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini - } - - --extern struct pci_ops sni_pcit_ops; -+extern const struct pci_ops sni_pcit_ops; - - static struct pci_controller sni_pcit_controller = { - .pci_ops = &sni_pcit_ops, -diff -urNp linux-2.6.39.3/arch/mips/wrppmc/pci.c linux-2.6.39.3/arch/mips/wrppmc/pci.c ---- linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -14,7 +14,7 @@ - - #include <asm/gt64120.h> - --extern struct pci_ops gt64xxx_pci0_ops; -+extern const struct pci_ops gt64xxx_pci0_ops; - - static struct resource pci0_io_resource = { - .name = "pci_0 io", -diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h ---- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400 -@@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void - - extern int pcibios_last_bus; - extern struct pci_bus *pci_root_bus; --extern struct pci_ops *pci_root_ops; -+extern const struct pci_ops *pci_root_ops; - - extern struct irq_routing_table *pcibios_get_irq_routing_table(void); - extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq); -diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c ---- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -24,7 +24,7 @@ unsigned int pci_probe = 1; - - int pcibios_last_bus = -1; - struct pci_bus *pci_root_bus; --struct pci_ops *pci_root_ops; -+const struct pci_ops *pci_root_ops; - - /* - * The accessible PCI window does not cover the entire CPU address space, but -@@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct - } - } - --static struct pci_ops pci_direct_ampci = { -+static const struct pci_ops pci_direct_ampci = { - pci_ampci_read_config, - pci_ampci_write_config, - }; -@@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci = - * This should be close to trivial, but it isn't, because there are buggy - * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID. - */ --static int __init pci_sanity_check(struct pci_ops *o) -+static int __init pci_sanity_check(const struct pci_ops *o) - { - struct pci_bus bus; /* Fake bus and device */ - u32 x; -diff -urNp linux-2.6.39.3/arch/parisc/include/asm/elf.h linux-2.6.39.3/arch/parisc/include/asm/elf.h ---- linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration.. - - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE 0x10000UL -+ -+#define PAX_DELTA_MMAP_LEN 16 -+#define PAX_DELTA_STACK_LEN 16 -+#endif -+ - /* This yields a mask that user programs can use to figure out what - instruction set this CPU supports. This could be done in user space, - but it's not easy, and we've already done it here. */ -diff -urNp linux-2.6.39.3/arch/parisc/include/asm/pgtable.h linux-2.6.39.3/arch/parisc/include/asm/pgtable.h ---- linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400 -@@ -207,6 +207,17 @@ struct vm_area_struct; - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED) - #define PAGE_COPY PAGE_EXECREAD - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED) -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED) -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED) -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED) -+#else -+# define PAGE_SHARED_NOEXEC PAGE_SHARED -+# define PAGE_COPY_NOEXEC PAGE_COPY -+# define PAGE_READONLY_NOEXEC PAGE_READONLY -+#endif -+ - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL) - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE) - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE) -diff -urNp linux-2.6.39.3/arch/parisc/kernel/module.c linux-2.6.39.3/arch/parisc/kernel/module.c ---- linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -96,16 +96,38 @@ - - /* three functions to determine where in the module core - * or init pieces the location is */ -+static inline int in_init_rx(struct module *me, void *loc) -+{ -+ return (loc >= me->module_init_rx && -+ loc < (me->module_init_rx + me->init_size_rx)); -+} -+ -+static inline int in_init_rw(struct module *me, void *loc) -+{ -+ return (loc >= me->module_init_rw && -+ loc < (me->module_init_rw + me->init_size_rw)); -+} -+ - static inline int in_init(struct module *me, void *loc) - { -- return (loc >= me->module_init && -- loc <= (me->module_init + me->init_size)); -+ return in_init_rx(me, loc) || in_init_rw(me, loc); -+} -+ -+static inline int in_core_rx(struct module *me, void *loc) -+{ -+ return (loc >= me->module_core_rx && -+ loc < (me->module_core_rx + me->core_size_rx)); -+} -+ -+static inline int in_core_rw(struct module *me, void *loc) -+{ -+ return (loc >= me->module_core_rw && -+ loc < (me->module_core_rw + me->core_size_rw)); - } - - static inline int in_core(struct module *me, void *loc) - { -- return (loc >= me->module_core && -- loc <= (me->module_core + me->core_size)); -+ return in_core_rx(me, loc) || in_core_rw(me, loc); - } - - static inline int in_local(struct module *me, void *loc) -@@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_ - } - - /* align things a bit */ -- me->core_size = ALIGN(me->core_size, 16); -- me->arch.got_offset = me->core_size; -- me->core_size += gots * sizeof(struct got_entry); -- -- me->core_size = ALIGN(me->core_size, 16); -- me->arch.fdesc_offset = me->core_size; -- me->core_size += fdescs * sizeof(Elf_Fdesc); -+ me->core_size_rw = ALIGN(me->core_size_rw, 16); -+ me->arch.got_offset = me->core_size_rw; -+ me->core_size_rw += gots * sizeof(struct got_entry); -+ -+ me->core_size_rw = ALIGN(me->core_size_rw, 16); -+ me->arch.fdesc_offset = me->core_size_rw; -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc); - - me->arch.got_max = gots; - me->arch.fdesc_max = fdescs; -@@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module - - BUG_ON(value == 0); - -- got = me->module_core + me->arch.got_offset; -+ got = me->module_core_rw + me->arch.got_offset; - for (i = 0; got[i].addr; i++) - if (got[i].addr == value) - goto out; -@@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module - #ifdef CONFIG_64BIT - static Elf_Addr get_fdesc(struct module *me, unsigned long value) - { -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset; -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset; - - if (!value) { - printk(KERN_ERR "%s: zero OPD requested!\n", me->name); -@@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module - - /* Create new one */ - fdesc->addr = value; -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset; -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset; - return (Elf_Addr)fdesc; - } - #endif /* CONFIG_64BIT */ -@@ -849,7 +871,7 @@ register_unwind_table(struct module *me, - - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr; - end = table + sechdrs[me->arch.unwind_section].sh_size; -- gp = (Elf_Addr)me->module_core + me->arch.got_offset; -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset; - - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", - me->arch.unwind_section, table, end, gp); -diff -urNp linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c ---- linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400 -@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u - /* At this point: (!vma || addr < vma->vm_end). */ - if (TASK_SIZE - len < addr) - return -ENOMEM; -- if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - return addr; - addr = vma->vm_end; - } -@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str - /* At this point: (!vma || addr < vma->vm_end). */ - if (TASK_SIZE - len < addr) - return -ENOMEM; -- if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - return addr; - addr = DCACHE_ALIGN(vma->vm_end - offset) + offset; - if (addr < vma->vm_end) /* handle wraparound */ -@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str - if (flags & MAP_FIXED) - return addr; - if (!addr) -- addr = TASK_UNMAPPED_BASE; -+ addr = current->mm->mmap_base; - - if (filp) { - addr = get_shared_area(filp->f_mapping, addr, len, pgoff); -diff -urNp linux-2.6.39.3/arch/parisc/kernel/traps.c linux-2.6.39.3/arch/parisc/kernel/traps.c ---- linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400 -@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod - - down_read(¤t->mm->mmap_sem); - vma = find_vma(current->mm,regs->iaoq[0]); -- if (vma && (regs->iaoq[0] >= vma->vm_start) -- && (vma->vm_flags & VM_EXEC)) { -- -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) { - fault_address = regs->iaoq[0]; - fault_space = regs->iasq[0]; - -diff -urNp linux-2.6.39.3/arch/parisc/mm/fault.c linux-2.6.39.3/arch/parisc/mm/fault.c ---- linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -15,6 +15,7 @@ - #include <linux/sched.h> - #include <linux/interrupt.h> - #include <linux/module.h> -+#include <linux/unistd.h> - - #include <asm/uaccess.h> - #include <asm/traps.h> -@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex - static unsigned long - parisc_acctyp(unsigned long code, unsigned int inst) - { -- if (code == 6 || code == 16) -+ if (code == 6 || code == 7 || code == 16) - return VM_EXEC; - - switch (inst & 0xf0000000) { -@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign - } - #endif - -+#ifdef CONFIG_PAX_PAGEEXEC -+/* -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address) -+ * -+ * returns 1 when task should be killed -+ * 2 when rt_sigreturn trampoline was detected -+ * 3 when unpatched PLT trampoline was detected -+ */ -+static int pax_handle_fetch_fault(struct pt_regs *regs) -+{ -+ -+#ifdef CONFIG_PAX_EMUPLT -+ int err; -+ -+ do { /* PaX: unpatched PLT emulation */ -+ unsigned int bl, depwi; -+ -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs)); -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4)); -+ -+ if (err) -+ break; -+ -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) { -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12; -+ -+ err = get_user(ldw, (unsigned int *)addr); -+ err |= get_user(bv, (unsigned int *)(addr+4)); -+ err |= get_user(ldw2, (unsigned int *)(addr+8)); -+ -+ if (err) -+ break; -+ -+ if (ldw == 0x0E801096U && -+ bv == 0xEAC0C000U && -+ ldw2 == 0x0E881095U) -+ { -+ unsigned int resolver, map; -+ -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8)); -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12)); -+ if (err) -+ break; -+ -+ regs->gr[20] = instruction_pointer(regs)+8; -+ regs->gr[21] = map; -+ regs->gr[22] = resolver; -+ regs->iaoq[0] = resolver | 3UL; -+ regs->iaoq[1] = regs->iaoq[0] + 4; -+ return 3; -+ } -+ } -+ } while (0); -+#endif -+ -+#ifdef CONFIG_PAX_EMUTRAMP -+ -+#ifndef CONFIG_PAX_EMUSIGRT -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP)) -+ return 1; -+#endif -+ -+ do { /* PaX: rt_sigreturn emulation */ -+ unsigned int ldi1, ldi2, bel, nop; -+ -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs)); -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4)); -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8)); -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12)); -+ -+ if (err) -+ break; -+ -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) && -+ ldi2 == 0x3414015AU && -+ bel == 0xE4008200U && -+ nop == 0x08000240U) -+ { -+ regs->gr[25] = (ldi1 & 2) >> 1; -+ regs->gr[20] = __NR_rt_sigreturn; -+ regs->gr[31] = regs->iaoq[1] + 16; -+ regs->sr[0] = regs->iasq[1]; -+ regs->iaoq[0] = 0x100UL; -+ regs->iaoq[1] = regs->iaoq[0] + 4; -+ regs->iasq[0] = regs->sr[2]; -+ regs->iasq[1] = regs->sr[2]; -+ return 2; -+ } -+ } while (0); -+#endif -+ -+ return 1; -+} -+ -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 5; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - int fixup_exception(struct pt_regs *regs) - { - const struct exception_table_entry *fix; -@@ -192,8 +303,33 @@ good_area: - - acc_type = parisc_acctyp(code,regs->iir); - -- if ((vma->vm_flags & acc_type) != acc_type) -+ if ((vma->vm_flags & acc_type) != acc_type) { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) && -+ (address & ~3UL) == instruction_pointer(regs)) -+ { -+ up_read(&mm->mmap_sem); -+ switch (pax_handle_fetch_fault(regs)) { -+ -+#ifdef CONFIG_PAX_EMUPLT -+ case 3: -+ return; -+#endif -+ -+#ifdef CONFIG_PAX_EMUTRAMP -+ case 2: -+ return; -+#endif -+ -+ } -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - goto bad_area; -+ } - - /* - * If for any reason at all we couldn't handle the fault, make -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/device.h linux-2.6.39.3/arch/powerpc/include/asm/device.h ---- linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400 -@@ -17,7 +17,7 @@ struct device_node; - */ - struct dev_archdata { - /* DMA operations on that device */ -- struct dma_map_ops *dma_ops; -+ const struct dma_map_ops *dma_ops; - - /* - * When an iommu is in use, dma_data is used as a ptr to the base of the -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -67,12 +67,13 @@ static inline unsigned long device_to_ma - /* - * Available generic sets of operations - */ -+/* cannot be const */ - #ifdef CONFIG_PPC64 --extern struct dma_map_ops dma_iommu_ops; -+extern const struct dma_map_ops dma_iommu_ops; - #endif --extern struct dma_map_ops dma_direct_ops; -+extern const struct dma_map_ops dma_direct_ops; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - /* We don't handle the NULL dev case for ISA for now. We could - * do it via an out of line call but it is not needed for now. The -@@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm - return dev->archdata.dma_ops; - } - --static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops) -+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops) - { - dev->archdata.dma_ops = ops; - } -@@ -119,7 +120,7 @@ static inline void set_dma_offset(struct - - static inline int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *dma_ops = get_dma_ops(dev); -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev); - - if (unlikely(dma_ops == NULL)) - return 0; -@@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d - static inline void *dma_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *dma_handle, gfp_t flag) - { -- struct dma_map_ops *dma_ops = get_dma_ops(dev); -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev); - void *cpu_addr; - - BUG_ON(!dma_ops); -@@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *cpu_addr, dma_addr_t dma_handle) - { -- struct dma_map_ops *dma_ops = get_dma_ops(dev); -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev); - - BUG_ON(!dma_ops); - -@@ -159,7 +160,7 @@ static inline void dma_free_coherent(str - - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr) - { -- struct dma_map_ops *dma_ops = get_dma_ops(dev); -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev); - - if (dma_ops->mapping_error) - return dma_ops->mapping_error(dev, dma_addr); -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/elf.h linux-2.6.39.3/arch/powerpc/include/asm/elf.h ---- linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E - the loader. We need to make sure that it is out of the way of the program - that it will "exec", and that there is sufficient room for the brk. */ - --extern unsigned long randomize_et_dyn(unsigned long base); --#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000)) -+#define ELF_ET_DYN_BASE (0x20000000) -+ -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL) -+ -+#ifdef __powerpc64__ -+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28) -+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28) -+#else -+#define PAX_DELTA_MMAP_LEN 15 -+#define PAX_DELTA_STACK_LEN 15 -+#endif -+#endif - - /* - * Our registers are always unsigned longs, whether we're a 32 bit -@@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s - (0x7ff >> (PAGE_SHIFT - 12)) : \ - (0x3ffff >> (PAGE_SHIFT - 12))) - --extern unsigned long arch_randomize_brk(struct mm_struct *mm); --#define arch_randomize_brk arch_randomize_brk -- - #endif /* __KERNEL__ */ - - /* -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/iommu.h linux-2.6.39.3/arch/powerpc/include/asm/iommu.h ---- linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400 -@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi - extern void iommu_init_early_dart(void); - extern void iommu_init_early_pasemi(void); - -+/* dma-iommu.c */ -+extern int dma_iommu_dma_supported(struct device *dev, u64 mask); -+ - #ifdef CONFIG_PCI - extern void pci_iommu_init(void); - extern void pci_direct_iommu_init(void); -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h ---- linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -27,6 +27,7 @@ enum km_type { - KM_PPC_SYNC_PAGE, - KM_PPC_SYNC_ICACHE, - KM_KDB, -+ KM_CLEARPAGE, - KM_TYPE_NR - }; - -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page_64.h linux-2.6.39.3/arch/powerpc/include/asm/page_64.h ---- linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -172,15 +172,18 @@ do { \ - * stack by default, so in the absence of a PT_GNU_STACK program header - * we turn execute permission off. - */ --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \ -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) -+#define VM_STACK_DEFAULT_FLAGS32 \ -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \ -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) - - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \ - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) - -+#ifndef CONFIG_PAX_PAGEEXEC - #define VM_STACK_DEFAULT_FLAGS \ - (is_32bit_task() ? \ - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64) -+#endif - - #include <asm-generic/getorder.h> - -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page.h linux-2.6.39.3/arch/powerpc/include/asm/page.h ---- linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400 -@@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr; - * and needs to be executable. This means the whole heap ends - * up being executable. - */ --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \ -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) -+#define VM_DATA_DEFAULT_FLAGS32 \ -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \ -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) - - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \ - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) -@@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr; - #define is_kernel_addr(x) ((x) >= PAGE_OFFSET) - #endif - -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) -+ - #ifndef __ASSEMBLY__ - - #undef STRICT_MM_TYPECHECKS -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pci.h linux-2.6.39.3/arch/powerpc/include/asm/pci.h ---- linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400 -@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq - } - - #ifdef CONFIG_PCI --extern void set_pci_dma_ops(struct dma_map_ops *dma_ops); --extern struct dma_map_ops *get_pci_dma_ops(void); -+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops); -+extern const struct dma_map_ops *get_pci_dma_ops(void); - #else /* CONFIG_PCI */ - #define set_pci_dma_ops(d) - #define get_pci_dma_ops() NULL -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h ---- linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400 -@@ -2,6 +2,7 @@ - #define _ASM_POWERPC_PGTABLE_H - #ifdef __KERNEL__ - -+#include <linux/const.h> - #ifndef __ASSEMBLY__ - #include <asm/processor.h> /* For TASK_SIZE */ - #include <asm/mmu.h> -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h ---- linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -21,6 +21,7 @@ - #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */ - #define _PAGE_USER 0x004 /* usermode access allowed */ - #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */ -+#define _PAGE_EXEC _PAGE_GUARDED - #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */ - #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ - #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/reg.h linux-2.6.39.3/arch/powerpc/include/asm/reg.h ---- linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400 -@@ -201,6 +201,7 @@ - #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */ - #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */ - #define DSISR_NOHPTE 0x40000000 /* no translation found */ -+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */ - #define DSISR_PROTFAULT 0x08000000 /* protection fault */ - #define DSISR_ISSTORE 0x02000000 /* access was a store */ - #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */ -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h ---- linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400 -@@ -13,7 +13,7 @@ - - #include <linux/swiotlb.h> - --extern struct dma_map_ops swiotlb_dma_ops; -+extern const struct dma_map_ops swiotlb_dma_ops; - - static inline void dma_mark_clean(void *addr, size_t size) {} - -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/system.h linux-2.6.39.3/arch/powerpc/include/asm/system.h ---- linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400 -@@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi - #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n)) - #endif - --extern unsigned long arch_align_stack(unsigned long sp); -+#define arch_align_stack(x) ((x) & ~0xfUL) - - /* Used in very early kernel initialization. */ - extern unsigned long reloc_offset(void); -diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h ---- linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400 -@@ -13,6 +13,8 @@ - #define VERIFY_READ 0 - #define VERIFY_WRITE 1 - -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+ - /* - * The fs value determines whether argument validity checking should be - * performed or not. If get_fs() == USER_DS, checking is performed, with -@@ -327,52 +329,6 @@ do { \ - extern unsigned long __copy_tofrom_user(void __user *to, - const void __user *from, unsigned long size); - --#ifndef __powerpc64__ -- --static inline unsigned long copy_from_user(void *to, -- const void __user *from, unsigned long n) --{ -- unsigned long over; -- -- if (access_ok(VERIFY_READ, from, n)) -- return __copy_tofrom_user((__force void __user *)to, from, n); -- if ((unsigned long)from < TASK_SIZE) { -- over = (unsigned long)from + n - TASK_SIZE; -- return __copy_tofrom_user((__force void __user *)to, from, -- n - over) + over; -- } -- return n; --} -- --static inline unsigned long copy_to_user(void __user *to, -- const void *from, unsigned long n) --{ -- unsigned long over; -- -- if (access_ok(VERIFY_WRITE, to, n)) -- return __copy_tofrom_user(to, (__force void __user *)from, n); -- if ((unsigned long)to < TASK_SIZE) { -- over = (unsigned long)to + n - TASK_SIZE; -- return __copy_tofrom_user(to, (__force void __user *)from, -- n - over) + over; -- } -- return n; --} -- --#else /* __powerpc64__ */ -- --#define __copy_in_user(to, from, size) \ -- __copy_tofrom_user((to), (from), (size)) -- --extern unsigned long copy_from_user(void *to, const void __user *from, -- unsigned long n); --extern unsigned long copy_to_user(void __user *to, const void *from, -- unsigned long n); --extern unsigned long copy_in_user(void __user *to, const void __user *from, -- unsigned long n); -- --#endif /* __powerpc64__ */ -- - static inline unsigned long __copy_from_user_inatomic(void *to, - const void __user *from, unsigned long n) - { -@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_ - if (ret == 0) - return 0; - } -+ -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ - return __copy_tofrom_user((__force void __user *)to, from, n); - } - -@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us - if (ret == 0) - return 0; - } -+ -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); -+ - return __copy_tofrom_user(to, (__force const void __user *)from, n); - } - -@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us - return __copy_to_user_inatomic(to, from, size); - } - -+#ifndef __powerpc64__ -+ -+static inline unsigned long __must_check copy_from_user(void *to, -+ const void __user *from, unsigned long n) -+{ -+ unsigned long over; -+ -+ if ((long)n < 0) -+ return n; -+ -+ if (access_ok(VERIFY_READ, from, n)) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ return __copy_tofrom_user((__force void __user *)to, from, n); -+ } -+ if ((unsigned long)from < TASK_SIZE) { -+ over = (unsigned long)from + n - TASK_SIZE; -+ if (!__builtin_constant_p(n - over)) -+ check_object_size(to, n - over, false); -+ return __copy_tofrom_user((__force void __user *)to, from, -+ n - over) + over; -+ } -+ return n; -+} -+ -+static inline unsigned long __must_check copy_to_user(void __user *to, -+ const void *from, unsigned long n) -+{ -+ unsigned long over; -+ -+ if ((long)n < 0) -+ return n; -+ -+ if (access_ok(VERIFY_WRITE, to, n)) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); -+ return __copy_tofrom_user(to, (__force void __user *)from, n); -+ } -+ if ((unsigned long)to < TASK_SIZE) { -+ over = (unsigned long)to + n - TASK_SIZE; -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n - over, true); -+ return __copy_tofrom_user(to, (__force void __user *)from, -+ n - over) + over; -+ } -+ return n; -+} -+ -+#else /* __powerpc64__ */ -+ -+#define __copy_in_user(to, from, size) \ -+ __copy_tofrom_user((to), (from), (size)) -+ -+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) -+{ -+ if ((long)n < 0 || n > INT_MAX) -+ return n; -+ -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ -+ if (likely(access_ok(VERIFY_READ, from, n))) -+ n = __copy_from_user(to, from, n); -+ else -+ memset(to, 0, n); -+ return n; -+} -+ -+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) -+{ -+ if ((long)n < 0 || n > INT_MAX) -+ return n; -+ -+ if (likely(access_ok(VERIFY_WRITE, to, n))) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); -+ n = __copy_to_user(to, from, n); -+ } -+ return n; -+} -+ -+extern unsigned long copy_in_user(void __user *to, const void __user *from, -+ unsigned long n); -+ -+#endif /* __powerpc64__ */ -+ - extern unsigned long __clear_user(void __user *addr, unsigned long size); - - static inline unsigned long clear_user(void __user *addr, unsigned long size) -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma.c linux-2.6.39.3/arch/powerpc/kernel/dma.c ---- linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400 -@@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl - } - #endif - --struct dma_map_ops dma_direct_ops = { -+const struct dma_map_ops dma_direct_ops = { - .alloc_coherent = dma_direct_alloc_coherent, - .free_coherent = dma_direct_free_coherent, - .map_sg = dma_direct_map_sg, -@@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops); - - int dma_set_mask(struct device *dev, u64 dma_mask) - { -- struct dma_map_ops *dma_ops = get_dma_ops(dev); -+ const struct dma_map_ops *dma_ops = get_dma_ops(dev); - - if (ppc_md.dma_set_mask) - return ppc_md.dma_set_mask(dev, dma_mask); -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c ---- linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de - } - - /* We support DMA to/from any memory page via the iommu */ --static int dma_iommu_dma_supported(struct device *dev, u64 mask) -+int dma_iommu_dma_supported(struct device *dev, u64 mask) - { - struct iommu_table *tbl = get_iommu_table_base(dev); - -@@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc - return 1; - } - --struct dma_map_ops dma_iommu_ops = { -+struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */ - .alloc_coherent = dma_iommu_alloc_coherent, - .free_coherent = dma_iommu_free_coherent, - .map_sg = dma_iommu_map_sg, -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c ---- linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable; - * map_page, and unmap_page on highmem, use normal dma_ops - * for everything else. - */ --struct dma_map_ops swiotlb_dma_ops = { -+const struct dma_map_ops swiotlb_dma_ops = { - .alloc_coherent = dma_direct_alloc_coherent, - .free_coherent = dma_direct_free_coherent, - .map_sg = swiotlb_map_sg_attrs, -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S ---- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400 -@@ -495,6 +495,7 @@ storage_fault_common: - std r14,_DAR(r1) - std r15,_DSISR(r1) - addi r3,r1,STACK_FRAME_OVERHEAD -+ bl .save_nvgprs - mr r4,r14 - mr r5,r15 - ld r14,PACA_EXGEN+EX_R14(r13) -@@ -504,8 +505,7 @@ storage_fault_common: - cmpdi r3,0 - bne- 1f - b .ret_from_except_lite --1: bl .save_nvgprs -- mr r5,r3 -+1: mr r5,r3 - addi r3,r1,STACK_FRAME_OVERHEAD - ld r4,_DAR(r1) - bl .bad_page_fault -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S ---- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400 -@@ -848,10 +848,10 @@ handle_page_fault: - 11: ld r4,_DAR(r1) - ld r5,_DSISR(r1) - addi r3,r1,STACK_FRAME_OVERHEAD -+ bl .save_nvgprs - bl .do_page_fault - cmpdi r3,0 - beq+ 13f -- bl .save_nvgprs - mr r5,r3 - addi r3,r1,STACK_FRAME_OVERHEAD - lwz r4,_DAR(r1) -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c ---- linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400 -@@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct - return 1; - } - --static struct dma_map_ops ibmebus_dma_ops = { -+static const struct dma_map_ops ibmebus_dma_ops = { - .alloc_coherent = ibmebus_alloc_coherent, - .free_coherent = ibmebus_free_coherent, - .map_sg = ibmebus_map_sg, -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/kgdb.c linux-2.6.39.3/arch/powerpc/kernel/kgdb.c ---- linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto - /* - * Global data - */ --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08}, - }; - -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module_32.c linux-2.6.39.3/arch/powerpc/kernel/module_32.c ---- linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr - me->arch.core_plt_section = i; - } - if (!me->arch.core_plt_section || !me->arch.init_plt_section) { -- printk("Module doesn't contain .plt or .init.plt sections.\n"); -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name); - return -ENOEXEC; - } - -@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati - - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location); - /* Init, or core PLT? */ -- if (location >= mod->module_core -- && location < mod->module_core + mod->core_size) -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) || -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw)) - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr; -- else -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) || -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw)) - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr; -+ else { -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name); -+ return ~0UL; -+ } - - /* Find this entry, or if that fails, the next avail. entry */ - while (entry->jump[0]) { -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module.c linux-2.6.39.3/arch/powerpc/kernel/module.c ---- linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -31,11 +31,24 @@ - - LIST_HEAD(module_bug_list); - -+#ifdef CONFIG_PAX_KERNEXEC - void *module_alloc(unsigned long size) - { - if (size == 0) - return NULL; - -+ return vmalloc(size); -+} -+ -+void *module_alloc_exec(unsigned long size) -+#else -+void *module_alloc(unsigned long size) -+#endif -+ -+{ -+ if (size == 0) -+ return NULL; -+ - return vmalloc_exec(size); - } - -@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi - vfree(module_region); - } - -+#ifdef CONFIG_PAX_KERNEXEC -+void module_free_exec(struct module *mod, void *module_region) -+{ -+ module_free(mod, module_region); -+} -+#endif -+ - static const Elf_Shdr *find_section(const Elf_Ehdr *hdr, - const Elf_Shdr *sechdrs, - const char *name) -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/pci-common.c linux-2.6.39.3/arch/powerpc/kernel/pci-common.c ---- linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400 -@@ -53,14 +53,14 @@ resource_size_t isa_mem_base; - unsigned int ppc_pci_flags = 0; - - --static struct dma_map_ops *pci_dma_ops = &dma_direct_ops; -+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops; - --void set_pci_dma_ops(struct dma_map_ops *dma_ops) -+void set_pci_dma_ops(const struct dma_map_ops *dma_ops) - { - pci_dma_ops = dma_ops; - } - --struct dma_map_ops *get_pci_dma_ops(void) -+const struct dma_map_ops *get_pci_dma_ops(void) - { - return pci_dma_ops; - } -@@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u - return PCIBIOS_DEVICE_NOT_FOUND; - } - --static struct pci_ops null_pci_ops = -+static const struct pci_ops null_pci_ops = - { - .read = null_read_config, - .write = null_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/process.c linux-2.6.39.3/arch/powerpc/kernel/process.c ---- linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400 -@@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs) - * Lookup NIP late so we have the best change of getting the - * above info out without failing - */ -- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip); -- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link); -+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip); -+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link); - #endif - show_stack(current, (unsigned long *) regs->gpr[1]); - if (!user_mode(regs)) -@@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk, - newsp = stack[0]; - ip = stack[STACK_FRAME_LR_SAVE]; - if (!firstframe || ip != lr) { -- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip); -+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip); - #ifdef CONFIG_FUNCTION_GRAPH_TRACER - if ((ip == rth || ip == mrth) && curr_frame >= 0) { -- printk(" (%pS)", -+ printk(" (%pA)", - (void *)current->ret_stack[curr_frame].ret); - curr_frame--; - } -@@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk, - struct pt_regs *regs = (struct pt_regs *) - (sp + STACK_FRAME_OVERHEAD); - lr = regs->link; -- printk("--- Exception: %lx at %pS\n LR = %pS\n", -+ printk("--- Exception: %lx at %pA\n LR = %pA\n", - regs->trap, (void *)regs->nip, (void *)lr); - firstframe = 1; - } -@@ -1244,58 +1244,3 @@ void thread_info_cache_init(void) - } - - #endif /* THREAD_SHIFT < PAGE_SHIFT */ -- --unsigned long arch_align_stack(unsigned long sp) --{ -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) -- sp -= get_random_int() & ~PAGE_MASK; -- return sp & ~0xf; --} -- --static inline unsigned long brk_rnd(void) --{ -- unsigned long rnd = 0; -- -- /* 8MB for 32bit, 1GB for 64bit */ -- if (is_32bit_task()) -- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT))); -- else -- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT))); -- -- return rnd << PAGE_SHIFT; --} -- --unsigned long arch_randomize_brk(struct mm_struct *mm) --{ -- unsigned long base = mm->brk; -- unsigned long ret; -- --#ifdef CONFIG_PPC_STD_MMU_64 -- /* -- * If we are using 1TB segments and we are allowed to randomise -- * the heap, we can put it above 1TB so it is backed by a 1TB -- * segment. Otherwise the heap will be in the bottom 1TB -- * which always uses 256MB segments and this may result in a -- * performance penalty. -- */ -- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T)) -- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T); --#endif -- -- ret = PAGE_ALIGN(base + brk_rnd()); -- -- if (ret < mm->brk) -- return mm->brk; -- -- return ret; --} -- --unsigned long randomize_et_dyn(unsigned long base) --{ -- unsigned long ret = PAGE_ALIGN(base + brk_rnd()); -- -- if (ret < base) -- return base; -- -- return ret; --} -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c ---- linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct - return PCIBIOS_DEVICE_NOT_FOUND; - } - --static struct pci_ops rtas_pci_ops = { -+static const struct pci_ops rtas_pci_ops = { - .read = rtas_pci_read_config, - .write = rtas_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_32.c linux-2.6.39.3/arch/powerpc/kernel/signal_32.c ---- linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig - /* Save user registers on the stack */ - frame = &rt_sf->uc.uc_mcontext; - addr = frame; -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) { -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) { - if (save_user_regs(regs, frame, 0, 1)) - goto badframe; - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp; -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_64.c linux-2.6.39.3/arch/powerpc/kernel/signal_64.c ---- linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct - current->thread.fpscr.val = 0; - - /* Set up to return from userspace. */ -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) { -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) { - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp; - } else { - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]); -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/traps.c linux-2.6.39.3/arch/powerpc/kernel/traps.c ---- linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400 -@@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void) - static inline void pmac_backlight_unblank(void) { } - #endif - -+extern void gr_handle_kernel_exploit(void); -+ - int die(const char *str, struct pt_regs *regs, long err) - { - static struct { -@@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs - if (panic_on_oops) - panic("Fatal exception"); - -+ gr_handle_kernel_exploit(); -+ - oops_exit(); - do_exit(err); - -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vdso.c linux-2.6.39.3/arch/powerpc/kernel/vdso.c ---- linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400 -@@ -36,6 +36,7 @@ - #include <asm/firmware.h> - #include <asm/vdso.h> - #include <asm/vdso_datapage.h> -+#include <asm/mman.h> - - #include "setup.h" - -@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l - vdso_base = VDSO32_MBASE; - #endif - -- current->mm->context.vdso_base = 0; -+ current->mm->context.vdso_base = ~0UL; - - /* vDSO has a problem and was disabled, just don't "enable" it for the - * process -@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l - vdso_base = get_unmapped_area(NULL, vdso_base, - (vdso_pages << PAGE_SHIFT) + - ((VDSO_ALIGNMENT - 1) & PAGE_MASK), -- 0, 0); -+ 0, MAP_PRIVATE | MAP_EXECUTABLE); - if (IS_ERR_VALUE(vdso_base)) { - rc = vdso_base; - goto fail_mmapsem; -diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vio.c linux-2.6.39.3/arch/powerpc/kernel/vio.c ---- linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400 -@@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s - return dma_iommu_ops.dma_supported(dev, mask); - } - --struct dma_map_ops vio_dma_mapping_ops = { -+const struct dma_map_ops vio_dma_mapping_ops = { - .alloc_coherent = vio_dma_iommu_alloc_coherent, - .free_coherent = vio_dma_iommu_free_coherent, - .map_sg = vio_dma_iommu_map_sg, - .unmap_sg = vio_dma_iommu_unmap_sg, -+ .dma_supported = dma_iommu_dma_supported, - .map_page = vio_dma_iommu_map_page, - .unmap_page = vio_dma_iommu_unmap_page, - .dma_supported = vio_dma_iommu_dma_supported, -diff -urNp linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c ---- linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -9,22 +9,6 @@ - #include <linux/module.h> - #include <asm/uaccess.h> - --unsigned long copy_from_user(void *to, const void __user *from, unsigned long n) --{ -- if (likely(access_ok(VERIFY_READ, from, n))) -- n = __copy_from_user(to, from, n); -- else -- memset(to, 0, n); -- return n; --} -- --unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) --{ -- if (likely(access_ok(VERIFY_WRITE, to, n))) -- n = __copy_to_user(to, from, n); -- return n; --} -- - unsigned long copy_in_user(void __user *to, const void __user *from, - unsigned long n) - { -@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user * - return n; - } - --EXPORT_SYMBOL(copy_from_user); --EXPORT_SYMBOL(copy_to_user); - EXPORT_SYMBOL(copy_in_user); - -diff -urNp linux-2.6.39.3/arch/powerpc/mm/fault.c linux-2.6.39.3/arch/powerpc/mm/fault.c ---- linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400 -@@ -31,6 +31,10 @@ - #include <linux/kdebug.h> - #include <linux/perf_event.h> - #include <linux/magic.h> -+#include <linux/slab.h> -+#include <linux/pagemap.h> -+#include <linux/compiler.h> -+#include <linux/unistd.h> - - #include <asm/firmware.h> - #include <asm/page.h> -@@ -42,6 +46,7 @@ - #include <asm/tlbflush.h> - #include <asm/siginfo.h> - #include <mm/mmu_decl.h> -+#include <asm/ptrace.h> - - #ifdef CONFIG_KPROBES - static inline int notify_page_fault(struct pt_regs *regs) -@@ -65,6 +70,33 @@ static inline int notify_page_fault(stru - } - #endif - -+#ifdef CONFIG_PAX_PAGEEXEC -+/* -+ * PaX: decide what to do with offenders (regs->nip = fault address) -+ * -+ * returns 1 when task should be killed -+ */ -+static int pax_handle_fetch_fault(struct pt_regs *regs) -+{ -+ return 1; -+} -+ -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 5; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int __user *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - /* - * Check whether the instruction at regs->nip is a store using - * an update addressing form which will update r1. -@@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re - * indicate errors in DSISR but can validly be set in SRR1. - */ - if (trap == 0x400) -- error_code &= 0x48200000; -+ error_code &= 0x58200000; - else - is_write = error_code & DSISR_ISSTORE; - #else -@@ -258,7 +290,7 @@ good_area: - * "undefined". Of those that can be set, this is the only - * one which seems bad. - */ -- if (error_code & 0x10000000) -+ if (error_code & DSISR_GUARDED) - /* Guarded storage error. */ - goto bad_area; - #endif /* CONFIG_8xx */ -@@ -273,7 +305,7 @@ good_area: - * processors use the same I/D cache coherency mechanism - * as embedded. - */ -- if (error_code & DSISR_PROTFAULT) -+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED)) - goto bad_area; - #endif /* CONFIG_PPC_STD_MMU */ - -@@ -342,6 +374,23 @@ bad_area: - bad_area_nosemaphore: - /* User mode accesses cause a SIGSEGV */ - if (user_mode(regs)) { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) { -+#ifdef CONFIG_PPC_STD_MMU -+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) { -+#else -+ if (is_exec && regs->nip == address) { -+#endif -+ switch (pax_handle_fetch_fault(regs)) { -+ } -+ -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]); -+ do_group_exit(SIGKILL); -+ } -+ } -+#endif -+ - _exception(SIGSEGV, regs, code, address); - return 0; - } -diff -urNp linux-2.6.39.3/arch/powerpc/mm/mmap_64.c linux-2.6.39.3/arch/powerpc/mm/mmap_64.c ---- linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str - */ - if (mmap_is_legacy()) { - mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area; - mm->unmap_area = arch_unmap_area; - } else { - mm->mmap_base = mmap_base(); -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area_topdown; - mm->unmap_area = arch_unmap_area_topdown; - } -diff -urNp linux-2.6.39.3/arch/powerpc/mm/slice.c linux-2.6.39.3/arch/powerpc/mm/slice.c ---- linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400 -@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_ - if ((mm->task_size - len) < addr) - return 0; - vma = find_vma(mm, addr); -- return (!vma || (addr + len) <= vma->vm_start); -+ return check_heap_stack_gap(vma, addr, len); - } - - static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) -@@ -256,7 +256,7 @@ full_search: - addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT); - continue; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { - /* - * Remember the place where we stopped the search: - */ -@@ -313,10 +313,14 @@ static unsigned long slice_find_area_top - } - } - -- addr = mm->mmap_base; -- while (addr > len) { -+ if (mm->mmap_base < len) -+ addr = -ENOMEM; -+ else -+ addr = mm->mmap_base - len; -+ -+ while (!IS_ERR_VALUE(addr)) { - /* Go down by chunk size */ -- addr = _ALIGN_DOWN(addr - len, 1ul << pshift); -+ addr = _ALIGN_DOWN(addr, 1ul << pshift); - - /* Check for hit with different page size */ - mask = slice_range_to_mask(addr, len); -@@ -336,7 +340,7 @@ static unsigned long slice_find_area_top - * return with success: - */ - vma = find_vma(mm, addr); -- if (!vma || (addr + len) <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { - /* remember the address as a hint for next time */ - if (use_cache) - mm->free_area_cache = addr; -@@ -348,7 +352,7 @@ static unsigned long slice_find_area_top - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start; -+ addr = skip_heap_stack_gap(vma, len); - } - - /* -@@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un - if (fixed && addr > (mm->task_size - len)) - return -EINVAL; - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP)) -+ addr = 0; -+#endif -+ - /* If hint, make sure it matches our alignment restrictions */ - if (!fixed && addr) { - addr = _ALIGN_UP(addr, 1ul << pshift); -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c ---- linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400 -@@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_ - return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops rtas_pci_ops = { -+static const struct pci_ops rtas_pci_ops = { - .read = rtas_read_config, - .write = rtas_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config( - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops celleb_fake_pci_ops = { -+static const struct pci_ops celleb_fake_pci_ops = { - .read = celleb_fake_pci_read_config, - .write = celleb_fake_pci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c ---- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru - return celleb_epci_check_abort(hose, addr); - } - --struct pci_ops celleb_epci_ops = { -+const struct pci_ops celleb_epci_ops = { - .read = celleb_epci_read_config, - .write = celleb_epci_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c ---- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400 -@@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops scc_pciex_pci_ops = { -+static const struct pci_ops scc_pciex_pci_ops = { - scc_pciex_read_config, - scc_pciex_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c ---- linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc - - static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask); - --struct dma_map_ops dma_iommu_fixed_ops = { -+const struct dma_map_ops dma_iommu_fixed_ops = { - .alloc_coherent = dma_fixed_alloc_coherent, - .free_coherent = dma_fixed_free_coherent, - .map_sg = dma_fixed_map_sg, -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops gg2_pci_ops = -+static const struct pci_ops gg2_pci_ops = - { - .read = gg2_read_config, - .write = gg2_write_config, -@@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu - return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops rtas_pci_ops = -+static const struct pci_ops rtas_pci_ops = - { - .read = rtas_read_config, - .write = rtas_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru - return 0; - } - --static struct pci_ops iSeries_pci_ops = { -+static const struct pci_ops iSeries_pci_ops = { - .read = iSeries_pci_read_config, - .write = iSeries_pci_write_config - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops u3_agp_pci_ops = -+static const struct pci_ops u3_agp_pci_ops = - { - .read = u3_agp_read_config, - .write = u3_agp_write_config, -@@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops u3_ht_pci_ops = -+static const struct pci_ops u3_ht_pci_ops = - { - .read = u3_ht_read_config, - .write = u3_ht_write_config, -@@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops u4_pcie_pci_ops = -+static const struct pci_ops u4_pcie_pci_ops = - { - .read = u4_pcie_read_config, - .write = u4_pcie_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops pa_pxp_ops = { -+static const struct pci_ops pa_pxp_ops = { - .read = pa_pxp_read_config, - .write = pa_pxp_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c ---- linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -218,7 +218,7 @@ static int macrisc_write_config(struct p - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops macrisc_pci_ops = -+static const struct pci_ops macrisc_pci_ops = - { - .read = macrisc_read_config, - .write = macrisc_write_config, -@@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus, - return macrisc_write_config(bus, devfn, offset, len, val); - } - --static struct pci_ops chaos_pci_ops = -+static const struct pci_ops chaos_pci_ops = - { - .read = chaos_read_config, - .write = chaos_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c ---- linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400 -@@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi - return mask >= DMA_BIT_MASK(32); - } - --static struct dma_map_ops ps3_sb_dma_ops = { -+static const struct dma_map_ops ps3_sb_dma_ops = { - .alloc_coherent = ps3_alloc_coherent, - .free_coherent = ps3_free_coherent, - .map_sg = ps3_sb_map_sg, -@@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops - .unmap_page = ps3_unmap_page, - }; - --static struct dma_map_ops ps3_ioc0_dma_ops = { -+static const struct dma_map_ops ps3_ioc0_dma_ops = { - .alloc_coherent = ps3_alloc_coherent, - .free_coherent = ps3_free_coherent, - .map_sg = ps3_ioc0_map_sg, -diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c ---- linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops mpc83xx_pcie_ops = { -+static const struct pci_ops mpc83xx_pcie_ops = { - .read = mpc83xx_pcie_read_config, - .write = mpc83xx_pcie_write_config, - }; -diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c ---- linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops indirect_pci_ops = -+static const struct pci_ops indirect_pci_ops = - { - .read = indirect_read_config, - .write = indirect_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c ---- linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str - return PCIBIOS_SUCCESSFUL; - } - --static struct pci_ops ppc4xx_pciex_pci_ops = -+static const struct pci_ops ppc4xx_pciex_pci_ops = - { - .read = ppc4xx_pciex_read_config, - .write = ppc4xx_pciex_write_config, -diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c ---- linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void) - tsi108_clear_pci_error(tsi108_pci_cfg_phys); - } - --static struct pci_ops tsi108_direct_pci_ops = { -+static const struct pci_ops tsi108_direct_pci_ops = { - .read = tsi108_direct_read_config, - .write = tsi108_direct_write_config, - }; -diff -urNp linux-2.6.39.3/arch/s390/include/asm/elf.h linux-2.6.39.3/arch/s390/include/asm/elf.h ---- linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -162,8 +162,14 @@ extern unsigned int vdso_enabled; - the loader. We need to make sure that it is out of the way of the program - that it will "exec", and that there is sufficient room for the brk. */ - --extern unsigned long randomize_et_dyn(unsigned long base); --#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2)) -+#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2) -+ -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL) -+ -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) -+#endif - - /* This yields a mask that user programs can use to figure out what - instruction set this CPU supports. */ -@@ -222,7 +228,4 @@ struct linux_binprm; - #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 - int arch_setup_additional_pages(struct linux_binprm *, int); - --extern unsigned long arch_randomize_brk(struct mm_struct *mm); --#define arch_randomize_brk arch_randomize_brk -- - #endif -diff -urNp linux-2.6.39.3/arch/s390/include/asm/system.h linux-2.6.39.3/arch/s390/include/asm/system.h ---- linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400 -@@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co - extern void (*_machine_halt)(void); - extern void (*_machine_power_off)(void); - --extern unsigned long arch_align_stack(unsigned long sp); -+#define arch_align_stack(x) ((x) & ~0xfUL) - - static inline int tprot(unsigned long addr) - { -diff -urNp linux-2.6.39.3/arch/s390/include/asm/uaccess.h linux-2.6.39.3/arch/s390/include/asm/uaccess.h ---- linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400 -@@ -234,6 +234,10 @@ static inline unsigned long __must_check - copy_to_user(void __user *to, const void *from, unsigned long n) - { - might_fault(); -+ -+ if ((long)n < 0) -+ return n; -+ - if (access_ok(VERIFY_WRITE, to, n)) - n = __copy_to_user(to, from, n); - return n; -@@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void - static inline unsigned long __must_check - __copy_from_user(void *to, const void __user *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - if (__builtin_constant_p(n) && (n <= 256)) - return uaccess.copy_from_user_small(n, from, to); - else -@@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us - unsigned int sz = __compiletime_object_size(to); - - might_fault(); -+ -+ if ((long)n < 0) -+ return n; -+ - if (unlikely(sz != -1 && sz < n)) { - copy_from_user_overflow(); - return n; -diff -urNp linux-2.6.39.3/arch/s390/Kconfig linux-2.6.39.3/arch/s390/Kconfig ---- linux-2.6.39.3/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400 -@@ -234,11 +234,9 @@ config S390_EXEC_PROTECT - prompt "Data execute protection" - help - This option allows to enable a buffer overflow protection for user -- space programs and it also selects the addressing mode option above. -- The kernel parameter noexec=on will enable this feature and also -- switch the addressing modes, default is disabled. Enabling this (via -- kernel parameter) on machines earlier than IBM System z9 this will -- reduce system performance. -+ space programs. -+ Enabling this (via kernel parameter) on machines earlier than IBM -+ System z9 this will reduce system performance. - - comment "Code generation options" - -diff -urNp linux-2.6.39.3/arch/s390/kernel/module.c linux-2.6.39.3/arch/s390/kernel/module.c ---- linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr, - - /* Increase core size by size of got & plt and set start - offsets for got and plt. */ -- me->core_size = ALIGN(me->core_size, 4); -- me->arch.got_offset = me->core_size; -- me->core_size += me->arch.got_size; -- me->arch.plt_offset = me->core_size; -- me->core_size += me->arch.plt_size; -+ me->core_size_rw = ALIGN(me->core_size_rw, 4); -+ me->arch.got_offset = me->core_size_rw; -+ me->core_size_rw += me->arch.got_size; -+ me->arch.plt_offset = me->core_size_rx; -+ me->core_size_rx += me->arch.plt_size; - return 0; - } - -@@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - if (info->got_initialized == 0) { - Elf_Addr *gotent; - -- gotent = me->module_core + me->arch.got_offset + -+ gotent = me->module_core_rw + me->arch.got_offset + - info->got_offset; - *gotent = val; - info->got_initialized = 1; -@@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - else if (r_type == R_390_GOTENT || - r_type == R_390_GOTPLTENT) - *(unsigned int *) loc = -- (val + (Elf_Addr) me->module_core - loc) >> 1; -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1; - else if (r_type == R_390_GOT64 || - r_type == R_390_GOTPLT64) - *(unsigned long *) loc = val; -@@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */ - if (info->plt_initialized == 0) { - unsigned int *ip; -- ip = me->module_core + me->arch.plt_offset + -+ ip = me->module_core_rx + me->arch.plt_offset + - info->plt_offset; - #ifndef CONFIG_64BIT - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */ -@@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - val - loc + 0xffffUL < 0x1ffffeUL) || - (r_type == R_390_PLT32DBL && - val - loc + 0xffffffffULL < 0x1fffffffeULL))) -- val = (Elf_Addr) me->module_core + -+ val = (Elf_Addr) me->module_core_rx + - me->arch.plt_offset + - info->plt_offset; - val += rela->r_addend - loc; -@@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - case R_390_GOTOFF32: /* 32 bit offset to GOT. */ - case R_390_GOTOFF64: /* 64 bit offset to GOT. */ - val = val + rela->r_addend - -- ((Elf_Addr) me->module_core + me->arch.got_offset); -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset); - if (r_type == R_390_GOTOFF16) - *(unsigned short *) loc = val; - else if (r_type == R_390_GOTOFF32) -@@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base - break; - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */ - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */ -- val = (Elf_Addr) me->module_core + me->arch.got_offset + -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset + - rela->r_addend - loc; - if (r_type == R_390_GOTPC) - *(unsigned int *) loc = val; -diff -urNp linux-2.6.39.3/arch/s390/kernel/process.c linux-2.6.39.3/arch/s390/kernel/process.c ---- linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru - } - return 0; - } -- --unsigned long arch_align_stack(unsigned long sp) --{ -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) -- sp -= get_random_int() & ~PAGE_MASK; -- return sp & ~0xf; --} -- --static inline unsigned long brk_rnd(void) --{ -- /* 8MB for 32bit, 1GB for 64bit */ -- if (is_32bit_task()) -- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT; -- else -- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT; --} -- --unsigned long arch_randomize_brk(struct mm_struct *mm) --{ -- unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd()); -- -- if (ret < mm->brk) -- return mm->brk; -- return ret; --} -- --unsigned long randomize_et_dyn(unsigned long base) --{ -- unsigned long ret = PAGE_ALIGN(base + brk_rnd()); -- -- if (!(current->flags & PF_RANDOMIZE)) -- return base; -- if (ret < base) -- return base; -- return ret; --} -diff -urNp linux-2.6.39.3/arch/s390/kernel/setup.c linux-2.6.39.3/arch/s390/kernel/setup.c ---- linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400 -@@ -271,7 +271,7 @@ static int __init early_parse_mem(char * - } - early_param("mem", early_parse_mem); - --unsigned int user_mode = HOME_SPACE_MODE; -+unsigned int user_mode = SECONDARY_SPACE_MODE; - EXPORT_SYMBOL_GPL(user_mode); - - static int set_amode_and_uaccess(unsigned long user_amode, -@@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne - } - } - --/* -- * Switch kernel/user addressing modes? -- */ --static int __init early_parse_switch_amode(char *p) --{ -- if (user_mode != SECONDARY_SPACE_MODE) -- user_mode = PRIMARY_SPACE_MODE; -- return 0; --} --early_param("switch_amode", early_parse_switch_amode); -- - static int __init early_parse_user_mode(char *p) - { - if (p && strcmp(p, "primary") == 0) -@@ -327,20 +316,6 @@ static int __init early_parse_user_mode( - } - early_param("user_mode", early_parse_user_mode); - --#ifdef CONFIG_S390_EXEC_PROTECT --/* -- * Enable execute protection? -- */ --static int __init early_parse_noexec(char *p) --{ -- if (!strncmp(p, "off", 3)) -- return 0; -- user_mode = SECONDARY_SPACE_MODE; -- return 0; --} --early_param("noexec", early_parse_noexec); --#endif /* CONFIG_S390_EXEC_PROTECT */ -- - static void setup_addressing_mode(void) - { - if (user_mode == SECONDARY_SPACE_MODE) { -diff -urNp linux-2.6.39.3/arch/s390/mm/maccess.c linux-2.6.39.3/arch/s390/mm/maccess.c ---- linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400 -@@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void - return rc ? rc : count; - } - --long probe_kernel_write(void *dst, void *src, size_t size) -+long probe_kernel_write(void *dst, const void *src, size_t size) - { - long copied = 0; - -diff -urNp linux-2.6.39.3/arch/s390/mm/mmap.c linux-2.6.39.3/arch/s390/mm/mmap.c ---- linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400 -@@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str - */ - if (mmap_is_legacy()) { - mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area; - mm->unmap_area = arch_unmap_area; - } else { - mm->mmap_base = mmap_base(); -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area_topdown; - mm->unmap_area = arch_unmap_area_topdown; - } -@@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str - */ - if (mmap_is_legacy()) { - mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ - mm->get_unmapped_area = s390_get_unmapped_area; - mm->unmap_area = arch_unmap_area; - } else { - mm->mmap_base = mmap_base(); -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; -+#endif -+ - mm->get_unmapped_area = s390_get_unmapped_area_topdown; - mm->unmap_area = arch_unmap_area_topdown; - } -diff -urNp linux-2.6.39.3/arch/score/include/asm/system.h linux-2.6.39.3/arch/score/include/asm/system.h ---- linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400 -@@ -17,7 +17,7 @@ do { \ - #define finish_arch_switch(prev) do {} while (0) - - typedef void (*vi_handler_t)(void); --extern unsigned long arch_align_stack(unsigned long sp); -+#define arch_align_stack(x) (x) - - #define mb() barrier() - #define rmb() barrier() -diff -urNp linux-2.6.39.3/arch/score/kernel/process.c linux-2.6.39.3/arch/score/kernel/process.c ---- linux-2.6.39.3/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru - - return task_pt_regs(task)->cp0_epc; - } -- --unsigned long arch_align_stack(unsigned long sp) --{ -- return sp; --} -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c ---- linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400 -@@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops gapspci_pci_ops = { -+const struct pci_ops gapspci_pci_ops = { - .read = gapspci_read, - .write = gapspci_write, - }; -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c ---- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400 -@@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops sh4_pci_ops = { -+const struct pci_ops sh4_pci_ops = { - .read = sh4_pci_read, - .write = sh4_pci_write, - }; -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c ---- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400 -@@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus * - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops sh5_pci_ops = { -+const struct pci_ops sh5_pci_ops = { - .read = sh5pci_read, - .write = sh5pci_write, - }; -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c ---- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400 -@@ -165,7 +165,7 @@ out: - return ret; - } - --struct pci_ops sh7786_pci_ops = { -+const struct pci_ops sh7786_pci_ops = { - .read = sh7786_pcie_read, - .write = sh7786_pcie_write, - }; -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c ---- linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400 -@@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou - }, - }; - --extern struct pci_ops sh7786_pci_ops; -+extern const struct pci_ops sh7786_pci_ops; - - #define DEFINE_CONTROLLER(start, idx) \ - { \ -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h ---- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400 -@@ -161,7 +161,7 @@ - #define SH4_PCIPDR 0x220 /* Port IO Data Register */ - - /* arch/sh/kernel/drivers/pci/ops-sh4.c */ --extern struct pci_ops sh4_pci_ops; -+extern const struct pci_ops sh4_pci_ops; - int pci_fixup_pcic(struct pci_channel *chan); - - struct sh4_pci_address_space { -diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h ---- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400 -@@ -105,6 +105,6 @@ extern unsigned long pcicr_virt; - #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18) - #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18) - --extern struct pci_ops sh5_pci_ops; -+extern const struct pci_ops sh5_pci_ops; - - #endif /* __PCI_SH5_H */ -diff -urNp linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -1,10 +1,10 @@ - #ifndef __ASM_SH_DMA_MAPPING_H - #define __ASM_SH_DMA_MAPPING_H - --extern struct dma_map_ops *dma_ops; -+extern const struct dma_map_ops *dma_ops; - extern void no_iommu_init(void); - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - return dma_ops; - } -@@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm - - static inline int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (ops->dma_supported) - return ops->dma_supported(dev, mask); -@@ -24,7 +24,7 @@ static inline int dma_supported(struct d - - static inline int dma_set_mask(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (!dev->dma_mask || !dma_supported(dev, mask)) - return -EIO; -@@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev, - - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (ops->mapping_error) - return ops->mapping_error(dev, dma_addr); -@@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru - static inline void *dma_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *dma_handle, gfp_t gfp) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - void *memory; - - if (dma_alloc_from_coherent(dev, size, dma_handle, &memory)) -@@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *vaddr, dma_addr_t dma_handle) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - if (dma_release_from_coherent(dev, get_order(size), vaddr)) - return; -diff -urNp linux-2.6.39.3/arch/sh/kernel/dma-nommu.c linux-2.6.39.3/arch/sh/kernel/dma-nommu.c ---- linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device - } - #endif - --struct dma_map_ops nommu_dma_ops = { -+const struct dma_map_ops nommu_dma_ops = { - .alloc_coherent = dma_generic_alloc_coherent, - .free_coherent = dma_generic_free_coherent, - .map_page = nommu_map_page, -diff -urNp linux-2.6.39.3/arch/sh/kernel/kgdb.c linux-2.6.39.3/arch/sh/kernel/kgdb.c ---- linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -319,7 +319,7 @@ void kgdb_arch_exit(void) - unregister_die_notifier(&kgdb_notifier); - } - --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - /* Breakpoint instruction: trapa #0x3c */ - #ifdef CONFIG_CPU_LITTLE_ENDIAN - .gdb_bpt_instr = { 0x3c, 0xc3 }, -diff -urNp linux-2.6.39.3/arch/sh/mm/consistent.c linux-2.6.39.3/arch/sh/mm/consistent.c ---- linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400 -@@ -22,7 +22,7 @@ - - #define PREALLOC_DMA_DEBUG_ENTRIES 4096 - --struct dma_map_ops *dma_ops; -+const struct dma_map_ops *dma_ops; - EXPORT_SYMBOL(dma_ops); - - static int __init dma_init(void) -diff -urNp linux-2.6.39.3/arch/sh/mm/mmap.c linux-2.6.39.3/arch/sh/mm/mmap.c ---- linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400 -@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str - addr = PAGE_ALIGN(addr); - - vma = find_vma(mm, addr); -- if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - -@@ -106,7 +105,7 @@ full_search: - } - return -ENOMEM; - } -- if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* - * Remember the place where we stopped the search: - */ -@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi - addr = PAGE_ALIGN(addr); - - vma = find_vma(mm, addr); -- if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - -@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi - /* make sure it can fit in the remaining address space */ - if (likely(addr > len)) { - vma = find_vma(mm, addr-len); -- if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr-len); - } -@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi - if (unlikely(mm->mmap_base < len)) - goto bottomup; - -- addr = mm->mmap_base-len; -- if (do_colour_align) -- addr = COLOUR_ALIGN_DOWN(addr, pgoff); -+ addr = mm->mmap_base - len; - - do { -+ if (do_colour_align) -+ addr = COLOUR_ALIGN_DOWN(addr, pgoff); - /* - * Lookup failure means no vma is above this address, - * else if new region fits below vma->vm_start, - * return with success: - */ - vma = find_vma(mm, addr); -- if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr); - } -@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- if (do_colour_align) -- addr = COLOUR_ALIGN_DOWN(addr, pgoff); -- } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); -+ } while (!IS_ERR_VALUE(addr)); - - bottomup: - /* -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h ---- linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -14,18 +14,40 @@ - #define ATOMIC64_INIT(i) { (i) } - - #define atomic_read(v) (*(volatile int *)&(v)->counter) -+static inline int atomic_read_unchecked(const atomic_unchecked_t *v) -+{ -+ return v->counter; -+} - #define atomic64_read(v) (*(volatile long *)&(v)->counter) -+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v) -+{ -+ return v->counter; -+} - - #define atomic_set(v, i) (((v)->counter) = i) -+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) -+{ -+ v->counter = i; -+} - #define atomic64_set(v, i) (((v)->counter) = i) -+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i) -+{ -+ v->counter = i; -+} - - extern void atomic_add(int, atomic_t *); -+extern void atomic_add_unchecked(int, atomic_unchecked_t *); - extern void atomic64_add(long, atomic64_t *); -+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *); - extern void atomic_sub(int, atomic_t *); -+extern void atomic_sub_unchecked(int, atomic_unchecked_t *); - extern void atomic64_sub(long, atomic64_t *); -+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *); - - extern int atomic_add_ret(int, atomic_t *); -+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *); - extern long atomic64_add_ret(long, atomic64_t *); -+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *); - extern int atomic_sub_ret(int, atomic_t *); - extern long atomic64_sub_ret(long, atomic64_t *); - -@@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi - #define atomic64_dec_return(v) atomic64_sub_ret(1, v) - - #define atomic_inc_return(v) atomic_add_ret(1, v) -+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v) -+{ -+ return atomic_add_ret_unchecked(1, v); -+} - #define atomic64_inc_return(v) atomic64_add_ret(1, v) -+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) -+{ -+ return atomic64_add_ret_unchecked(1, v); -+} - - #define atomic_sub_return(i, v) atomic_sub_ret(i, v) - #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v) - - #define atomic_add_return(i, v) atomic_add_ret(i, v) -+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) -+{ -+ return atomic_add_ret_unchecked(i, v); -+} - #define atomic64_add_return(i, v) atomic64_add_ret(i, v) - - /* -@@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi - * other cases. - */ - #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0) -+#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0) - #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0) - - #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0) -@@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi - #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0) - - #define atomic_inc(v) atomic_add(1, v) -+static inline void atomic_inc_unchecked(atomic_unchecked_t *v) -+{ -+ atomic_add_unchecked(1, v); -+} - #define atomic64_inc(v) atomic64_add(1, v) -+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v) -+{ -+ atomic64_add_unchecked(1, v); -+} - - #define atomic_dec(v) atomic_sub(1, v) -+static inline void atomic_dec_unchecked(atomic_unchecked_t *v) -+{ -+ atomic_sub_unchecked(1, v); -+} - #define atomic64_dec(v) atomic64_sub(1, v) -+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v) -+{ -+ atomic64_sub_unchecked(1, v); -+} - - #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0) - #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0) - - #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) -+#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) - #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) -+#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new)) - - static inline int atomic_add_unless(atomic_t *v, int a, int u) - { -- int c, old; -+ int c, old, new; - c = atomic_read(v); - for (;;) { -- if (unlikely(c == (u))) -+ if (unlikely(c == u)) - break; -- old = atomic_cmpxchg((v), c, c + (a)); -+ -+ asm volatile("addcc %2, %0, %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "tvs %%icc, 6\n" -+#endif -+ -+ : "=r" (new) -+ : "0" (c), "ir" (a) -+ : "cc"); -+ -+ old = atomic_cmpxchg(v, c, new); - if (likely(old == c)) - break; - c = old; - } -- return c != (u); -+ return c != u; - } - - #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) -@@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom - - static inline long atomic64_add_unless(atomic64_t *v, long a, long u) - { -- long c, old; -+ long c, old, new; - c = atomic64_read(v); - for (;;) { -- if (unlikely(c == (u))) -+ if (unlikely(c == u)) - break; -- old = atomic64_cmpxchg((v), c, c + (a)); -+ -+ asm volatile("addcc %2, %0, %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "tvs %%xcc, 6\n" -+#endif -+ -+ : "=r" (new) -+ : "0" (c), "ir" (a) -+ : "cc"); -+ -+ old = atomic64_cmpxchg(v, c, new); - if (likely(old == c)) - break; - c = old; - } -- return c != (u); -+ return c != u; - } - - #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/cache.h linux-2.6.39.3/arch/sparc/include/asm/cache.h ---- linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400 -@@ -10,7 +10,7 @@ - #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long) - - #define L1_CACHE_SHIFT 5 --#define L1_CACHE_BYTES 32 -+#define L1_CACHE_BYTES 32UL - - #ifdef CONFIG_SPARC32 - #define SMP_CACHE_BYTES_SHIFT 5 -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,10 +12,10 @@ extern int dma_supported(struct device * - #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f) - #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h) - --extern struct dma_map_ops *dma_ops, pci32_dma_ops; -+extern const struct dma_map_ops *dma_ops, pci32_dma_ops; - extern struct bus_type pci_bus_type; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI) - if (dev->bus == &pci_bus_type) -@@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm - static inline void *dma_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *dma_handle, gfp_t flag) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - void *cpu_addr; - - cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag); -@@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *cpu_addr, dma_addr_t dma_handle) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - debug_dma_free_coherent(dev, size, cpu_addr, dma_handle); - ops->free_coherent(dev, size, cpu_addr, dma_handle); -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_32.h linux-2.6.39.3/arch/sparc/include/asm/elf_32.h ---- linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -114,6 +114,13 @@ typedef struct { - - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE) - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE 0x10000UL -+ -+#define PAX_DELTA_MMAP_LEN 16 -+#define PAX_DELTA_STACK_LEN 16 -+#endif -+ - /* This yields a mask that user programs can use to figure out what - instruction set this cpu supports. This can NOT be done in userspace - on Sparc. */ -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_64.h linux-2.6.39.3/arch/sparc/include/asm/elf_64.h ---- linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -162,6 +162,12 @@ typedef struct { - #define ELF_ET_DYN_BASE 0x0000010000000000UL - #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL - -+#ifdef CONFIG_PAX_ASLR -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL) -+ -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28) -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29) -+#endif - - /* This yields a mask that user programs can use to figure out what - instruction set this cpu supports. */ -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h ---- linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd) - BTFIXUPDEF_INT(page_none) - BTFIXUPDEF_INT(page_copy) - BTFIXUPDEF_INT(page_readonly) -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+BTFIXUPDEF_INT(page_shared_noexec) -+BTFIXUPDEF_INT(page_copy_noexec) -+BTFIXUPDEF_INT(page_readonly_noexec) -+#endif -+ - BTFIXUPDEF_INT(page_kernel) - - #define PMD_SHIFT SUN4C_PMD_SHIFT -@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED; - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy)) - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly)) - -+#ifdef CONFIG_PAX_PAGEEXEC -+extern pgprot_t PAGE_SHARED_NOEXEC; -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec)) -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec)) -+#else -+# define PAGE_SHARED_NOEXEC PAGE_SHARED -+# define PAGE_COPY_NOEXEC PAGE_COPY -+# define PAGE_READONLY_NOEXEC PAGE_READONLY -+#endif -+ - extern unsigned long page_kernel; - - #ifdef MODULE -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h ---- linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400 -@@ -115,6 +115,13 @@ - SRMMU_EXEC | SRMMU_REF) - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \ - SRMMU_EXEC | SRMMU_REF) -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF) -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF) -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF) -+#endif -+ - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \ - SRMMU_DIRTY | SRMMU_REF) - -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h ---- linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags( - - /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */ - --static void inline arch_read_lock(arch_rwlock_t *lock) -+static inline void arch_read_lock(arch_rwlock_t *lock) - { - unsigned long tmp1, tmp2; - - __asm__ __volatile__ ( - "1: ldsw [%2], %0\n" - " brlz,pn %0, 2f\n" --"4: add %0, 1, %1\n" -+"4: addcc %0, 1, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+" tvs %%icc, 6\n" -+#endif -+ - " cas [%2], %0, %1\n" - " cmp %0, %1\n" - " bne,pn %%icc, 1b\n" -@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r - " .previous" - : "=&r" (tmp1), "=&r" (tmp2) - : "r" (lock) -- : "memory"); -+ : "memory", "cc"); - } - --static int inline arch_read_trylock(arch_rwlock_t *lock) -+static inline int arch_read_trylock(arch_rwlock_t *lock) - { - int tmp1, tmp2; - -@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch - "1: ldsw [%2], %0\n" - " brlz,a,pn %0, 2f\n" - " mov 0, %0\n" --" add %0, 1, %1\n" -+" addcc %0, 1, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+" tvs %%icc, 6\n" -+#endif -+ - " cas [%2], %0, %1\n" - " cmp %0, %1\n" - " bne,pn %%icc, 1b\n" -@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch - return tmp1; - } - --static void inline arch_read_unlock(arch_rwlock_t *lock) -+static inline void arch_read_unlock(arch_rwlock_t *lock) - { - unsigned long tmp1, tmp2; - - __asm__ __volatile__( - "1: lduw [%2], %0\n" --" sub %0, 1, %1\n" -+" subcc %0, 1, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+" tvs %%icc, 6\n" -+#endif -+ - " cas [%2], %0, %1\n" - " cmp %0, %1\n" - " bne,pn %%xcc, 1b\n" -@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch - : "memory"); - } - --static void inline arch_write_lock(arch_rwlock_t *lock) -+static inline void arch_write_lock(arch_rwlock_t *lock) - { - unsigned long mask, tmp1, tmp2; - -@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_ - : "memory"); - } - --static void inline arch_write_unlock(arch_rwlock_t *lock) -+static inline void arch_write_unlock(arch_rwlock_t *lock) - { - __asm__ __volatile__( - " stw %%g0, [%0]" -@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc - : "memory"); - } - --static int inline arch_write_trylock(arch_rwlock_t *lock) -+static inline int arch_write_trylock(arch_rwlock_t *lock) - { - unsigned long mask, tmp1, tmp2, result; - -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h ---- linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400 -@@ -50,6 +50,8 @@ struct thread_info { - unsigned long w_saved; - - struct restart_block restart_block; -+ -+ unsigned long lowest_stack; - }; - - /* -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h ---- linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400 -@@ -63,6 +63,8 @@ struct thread_info { - struct pt_regs *kern_una_regs; - unsigned int kern_una_insn; - -+ unsigned long lowest_stack; -+ - unsigned long fpregs[0] __attribute__ ((aligned(64))); - }; - -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h ---- linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __ - - static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) - { -- if (n && __access_ok((unsigned long) to, n)) -+ if ((long)n < 0) -+ return n; -+ -+ if (n && __access_ok((unsigned long) to, n)) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); - return __copy_user(to, (__force void __user *) from, n); -- else -+ } else - return n; - } - - static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); -+ - return __copy_user(to, (__force void __user *) from, n); - } - - static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n) - { -- if (n && __access_ok((unsigned long) from, n)) -+ if ((long)n < 0) -+ return n; -+ -+ if (n && __access_ok((unsigned long) from, n)) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); - return __copy_user((__force void __user *) to, from, n); -- else -+ } else - return n; - } - - static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - return __copy_user((__force void __user *) to, from, n); - } - -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h ---- linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -10,6 +10,7 @@ - #include <linux/compiler.h> - #include <linux/string.h> - #include <linux/thread_info.h> -+#include <linux/kernel.h> - #include <asm/asi.h> - #include <asm/system.h> - #include <asm/spitfire.h> -@@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu - static inline unsigned long __must_check - copy_from_user(void *to, const void __user *from, unsigned long size) - { -- unsigned long ret = ___copy_from_user(to, from, size); -+ unsigned long ret; - -+ if ((long)size < 0 || size > INT_MAX) -+ return size; -+ -+ if (!__builtin_constant_p(size)) -+ check_object_size(to, size, false); -+ -+ ret = ___copy_from_user(to, from, size); - if (unlikely(ret)) - ret = copy_from_user_fixup(to, from, size); - -@@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup( - static inline unsigned long __must_check - copy_to_user(void __user *to, const void *from, unsigned long size) - { -- unsigned long ret = ___copy_to_user(to, from, size); -+ unsigned long ret; -+ -+ if ((long)size < 0 || size > INT_MAX) -+ return size; -+ -+ if (!__builtin_constant_p(size)) -+ check_object_size(from, size, true); - -+ ret = ___copy_to_user(to, from, size); - if (unlikely(ret)) - ret = copy_to_user_fixup(to, from, size); - return ret; -diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess.h linux-2.6.39.3/arch/sparc/include/asm/uaccess.h ---- linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400 -@@ -1,5 +1,13 @@ - #ifndef ___ASM_SPARC_UACCESS_H - #define ___ASM_SPARC_UACCESS_H -+ -+#ifdef __KERNEL__ -+#ifndef __ASSEMBLY__ -+#include <linux/types.h> -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+#endif -+#endif -+ - #if defined(__sparc__) && defined(__arch64__) - #include <asm/uaccess_64.h> - #else -diff -urNp linux-2.6.39.3/arch/sparc/kernel/iommu.c linux-2.6.39.3/arch/sparc/kernel/iommu.c ---- linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc - spin_unlock_irqrestore(&iommu->lock, flags); - } - --static struct dma_map_ops sun4u_dma_ops = { -+static const struct dma_map_ops sun4u_dma_ops = { - .alloc_coherent = dma_4u_alloc_coherent, - .free_coherent = dma_4u_free_coherent, - .map_page = dma_4u_map_page, -@@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops - .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu, - }; - --struct dma_map_ops *dma_ops = &sun4u_dma_ops; -+const struct dma_map_ops *dma_ops = &sun4u_dma_ops; - EXPORT_SYMBOL(dma_ops); - - extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask); -diff -urNp linux-2.6.39.3/arch/sparc/kernel/ioport.c linux-2.6.39.3/arch/sparc/kernel/ioport.c ---- linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400 -@@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru - BUG(); - } - --struct dma_map_ops sbus_dma_ops = { -+const struct dma_map_ops sbus_dma_ops = { - .alloc_coherent = sbus_alloc_coherent, - .free_coherent = sbus_free_coherent, - .map_page = sbus_map_page, -@@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str - } - } - --struct dma_map_ops pci32_dma_ops = { -+const struct dma_map_ops pci32_dma_ops = { - .alloc_coherent = pci32_alloc_coherent, - .free_coherent = pci32_free_coherent, - .map_page = pci32_map_page, -diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c ---- linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re - regs->npc = regs->pc + 4; - } - --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - /* Breakpoint instruction: ta 0x7d */ - .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d }, - }; -diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c ---- linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re - regs->tnpc = regs->tpc + 4; - } - --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - /* Breakpoint instruction: ta 0x72 */ - .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 }, - }; -diff -urNp linux-2.6.39.3/arch/sparc/kernel/Makefile linux-2.6.39.3/arch/sparc/kernel/Makefile ---- linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400 -@@ -3,7 +3,7 @@ - # - - asflags-y := -ansi --ccflags-y := -Werror -+#ccflags-y := -Werror - - extra-y := head_$(BITS).o - extra-y += init_task.o -diff -urNp linux-2.6.39.3/arch/sparc/kernel/pcic.c linux-2.6.39.3/arch/sparc/kernel/pcic.c ---- linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400 -@@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_ - return -EINVAL; - } - --static struct pci_ops pcic_ops = { -+static const struct pci_ops pcic_ops = { - .read = pcic_read_config, - .write = pcic_write_config, - }; -diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_common.c linux-2.6.39.3/arch/sparc/kernel/pci_common.c ---- linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400 -@@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops sun4u_pci_ops = { -+const struct pci_ops sun4u_pci_ops = { - .read = sun4u_read_pci_cfg, - .write = sun4u_write_pci_cfg, - }; -@@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops sun4v_pci_ops = { -+const struct pci_ops sun4v_pci_ops = { - .read = sun4v_read_pci_cfg, - .write = sun4v_write_pci_cfg, - }; -diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_impl.h linux-2.6.39.3/arch/sparc/kernel/pci_impl.h ---- linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400 -@@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr, - extern void pci_config_write16(u16 *addr, u16 val); - extern void pci_config_write32(u32 *addr, u32 val); - --extern struct pci_ops sun4u_pci_ops; --extern struct pci_ops sun4v_pci_ops; -+extern const struct pci_ops sun4u_pci_ops; -+extern const struct pci_ops sun4v_pci_ops; - - extern volatile int pci_poke_in_progress; - extern volatile int pci_poke_cpu; -diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c ---- linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400 -@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic - spin_unlock_irqrestore(&iommu->lock, flags); - } - --static struct dma_map_ops sun4v_dma_ops = { -+static const struct dma_map_ops sun4v_dma_ops = { - .alloc_coherent = dma_4v_alloc_coherent, - .free_coherent = dma_4v_free_coherent, - .map_page = dma_4v_map_page, -diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_32.c linux-2.6.39.3/arch/sparc/kernel/process_32.c ---- linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400 -@@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp) - rw->ins[4], rw->ins[5], - rw->ins[6], - rw->ins[7]); -- printk("%pS\n", (void *) rw->ins[7]); -+ printk("%pA\n", (void *) rw->ins[7]); - rw = (struct reg_window32 *) rw->ins[6]; - } - spin_unlock_irqrestore(&sparc_backtrace_lock, flags); -@@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r) - - printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n", - r->psr, r->pc, r->npc, r->y, print_tainted()); -- printk("PC: <%pS>\n", (void *) r->pc); -+ printk("PC: <%pA>\n", (void *) r->pc); - printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", - r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3], - r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]); - printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", - r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11], - r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]); -- printk("RPC: <%pS>\n", (void *) r->u_regs[15]); -+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]); - - printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", - rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3], -@@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk, - rw = (struct reg_window32 *) fp; - pc = rw->ins[7]; - printk("[%08lx : ", pc); -- printk("%pS ] ", (void *) pc); -+ printk("%pA ] ", (void *) pc); - fp = rw->ins[6]; - } while (++count < 16); - printk("\n"); -diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_64.c linux-2.6.39.3/arch/sparc/kernel/process_64.c ---- linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400 -@@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg - printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n", - rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]); - if (regs->tstate & TSTATE_PRIV) -- printk("I7: <%pS>\n", (void *) rwk->ins[7]); -+ printk("I7: <%pA>\n", (void *) rwk->ins[7]); - } - - void show_regs(struct pt_regs *regs) - { - printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate, - regs->tpc, regs->tnpc, regs->y, print_tainted()); -- printk("TPC: <%pS>\n", (void *) regs->tpc); -+ printk("TPC: <%pA>\n", (void *) regs->tpc); - printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n", - regs->u_regs[0], regs->u_regs[1], regs->u_regs[2], - regs->u_regs[3]); -@@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs) - printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n", - regs->u_regs[12], regs->u_regs[13], regs->u_regs[14], - regs->u_regs[15]); -- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]); -+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]); - show_regwindow(regs); - show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]); - } -@@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void - ((tp && tp->task) ? tp->task->pid : -1)); - - if (gp->tstate & TSTATE_PRIV) { -- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n", -+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n", - (void *) gp->tpc, - (void *) gp->o7, - (void *) gp->i7, -diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c ---- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str - if (ARCH_SUN4C && len > 0x20000000) - return -ENOMEM; - if (!addr) -- addr = TASK_UNMAPPED_BASE; -+ addr = current->mm->mmap_base; - - if (flags & MAP_SHARED) - addr = COLOUR_ALIGN(addr); -@@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str - } - if (TASK_SIZE - PAGE_SIZE - len < addr) - return -ENOMEM; -- if (!vmm || addr + len <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) - return addr; - addr = vmm->vm_end; - if (flags & MAP_SHARED) -diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c ---- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str - /* We do not accept a shared mapping if it would violate - * cache aliasing constraints. - */ -- if ((flags & MAP_SHARED) && -+ if ((filp || (flags & MAP_SHARED)) && - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) - return -EINVAL; - return addr; -@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str - if (filp || (flags & MAP_SHARED)) - do_color_align = 1; - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - if (addr) { - if (do_color_align) - addr = COLOUR_ALIGN(addr, pgoff); -@@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str - addr = PAGE_ALIGN(addr); - - vma = find_vma(mm, addr); -- if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - - if (len > mm->cached_hole_size) { -- start_addr = addr = mm->free_area_cache; -+ start_addr = addr = mm->free_area_cache; - } else { -- start_addr = addr = TASK_UNMAPPED_BASE; -+ start_addr = addr = mm->mmap_base; - mm->cached_hole_size = 0; - } - -@@ -174,14 +177,14 @@ full_search: - vma = find_vma(mm, VA_EXCLUDE_END); - } - if (unlikely(task_size < addr)) { -- if (start_addr != TASK_UNMAPPED_BASE) { -- start_addr = addr = TASK_UNMAPPED_BASE; -+ if (start_addr != mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; - mm->cached_hole_size = 0; - goto full_search; - } - return -ENOMEM; - } -- if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* - * Remember the place where we stopped the search: - */ -@@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi - /* We do not accept a shared mapping if it would violate - * cache aliasing constraints. - */ -- if ((flags & MAP_SHARED) && -+ if ((filp || (flags & MAP_SHARED)) && - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) - return -EINVAL; - return addr; -@@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi - addr = PAGE_ALIGN(addr); - - vma = find_vma(mm, addr); -- if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - -@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi - /* make sure it can fit in the remaining address space */ - if (likely(addr > len)) { - vma = find_vma(mm, addr-len); -- if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr-len); - } -@@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi - if (unlikely(mm->mmap_base < len)) - goto bottomup; - -- addr = mm->mmap_base-len; -- if (do_color_align) -- addr = COLOUR_ALIGN_DOWN(addr, pgoff); -+ addr = mm->mmap_base - len; - - do { -+ if (do_color_align) -+ addr = COLOUR_ALIGN_DOWN(addr, pgoff); - /* - * Lookup failure means no vma is above this address, - * else if new region fits below vma->vm_start, - * return with success: - */ - vma = find_vma(mm, addr); -- if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr); - } -@@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- if (do_color_align) -- addr = COLOUR_ALIGN_DOWN(addr, pgoff); -- } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); -+ } while (!IS_ERR_VALUE(addr)); - - bottomup: - /* -@@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str - gap == RLIM_INFINITY || - sysctl_legacy_va_layout) { - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area; - mm->unmap_area = arch_unmap_area; - } else { -@@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str - gap = (task_size / 6 * 5); - - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; -+#endif -+ - mm->get_unmapped_area = arch_get_unmapped_area_topdown; - mm->unmap_area = arch_unmap_area_topdown; - } -diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_32.c linux-2.6.39.3/arch/sparc/kernel/traps_32.c ---- linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400 -@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo - #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t") - #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t") - -+extern void gr_handle_kernel_exploit(void); -+ - void die_if_kernel(char *str, struct pt_regs *regs) - { - static int die_counter; -@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_ - count++ < 30 && - (((unsigned long) rw) >= PAGE_OFFSET) && - !(((unsigned long) rw) & 0x7)) { -- printk("Caller[%08lx]: %pS\n", rw->ins[7], -+ printk("Caller[%08lx]: %pA\n", rw->ins[7], - (void *) rw->ins[7]); - rw = (struct reg_window32 *)rw->ins[6]; - } - } - printk("Instruction DUMP:"); - instruction_dump ((unsigned long *) regs->pc); -- if(regs->psr & PSR_PS) -+ if(regs->psr & PSR_PS) { -+ gr_handle_kernel_exploit(); - do_exit(SIGKILL); -+ } - do_exit(SIGSEGV); - } - -diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_64.c linux-2.6.39.3/arch/sparc/kernel/traps_64.c ---- linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400 -@@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_ - i + 1, - p->trapstack[i].tstate, p->trapstack[i].tpc, - p->trapstack[i].tnpc, p->trapstack[i].tt); -- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc); -+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc); - } - } - -@@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long - - lvl -= 0x100; - if (regs->tstate & TSTATE_PRIV) { -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ if (lvl == 6) -+ pax_report_refcount_overflow(regs); -+#endif -+ - sprintf(buffer, "Kernel bad sw trap %lx", lvl); - die_if_kernel(buffer, regs); - } -@@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long - void bad_trap_tl1(struct pt_regs *regs, long lvl) - { - char buffer[32]; -- -+ - if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs, - 0, lvl, SIGTRAP) == NOTIFY_STOP) - return; - -+#ifdef CONFIG_PAX_REFCOUNT -+ if (lvl == 6) -+ pax_report_refcount_overflow(regs); -+#endif -+ - dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); - - sprintf (buffer, "Bad trap %lx at tl>0", lvl); -@@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt - regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate); - printk("%s" "ERROR(%d): ", - (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id()); -- printk("TPC<%pS>\n", (void *) regs->tpc); -+ printk("TPC<%pA>\n", (void *) regs->tpc); - printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n", - (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(), - (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT, -@@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type, - smp_processor_id(), - (type & 0x1) ? 'I' : 'D', - regs->tpc); -- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc); -+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc); - panic("Irrecoverable Cheetah+ parity error."); - } - -@@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type, - smp_processor_id(), - (type & 0x1) ? 'I' : 'D', - regs->tpc); -- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc); -+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc); - } - - struct sun4v_error_entry { -@@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r - - printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n", - regs->tpc, tl); -- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc); -+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc); - printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]); -- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n", -+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n", - (void *) regs->u_regs[UREG_I7]); - printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] " - "pte[%lx] error[%lx]\n", -@@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r - - printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n", - regs->tpc, tl); -- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc); -+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc); - printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]); -- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n", -+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n", - (void *) regs->u_regs[UREG_I7]); - printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] " - "pte[%lx] error[%lx]\n", -@@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk, - fp = (unsigned long)sf->fp + STACK_BIAS; - } - -- printk(" [%016lx] %pS\n", pc, (void *) pc); -+ printk(" [%016lx] %pA\n", pc, (void *) pc); - #ifdef CONFIG_FUNCTION_GRAPH_TRACER - if ((pc + 8UL) == (unsigned long) &return_to_handler) { - int index = tsk->curr_ret_stack; - if (tsk->ret_stack && index >= graph) { - pc = tsk->ret_stack[index - graph].ret; -- printk(" [%016lx] %pS\n", pc, (void *) pc); -+ printk(" [%016lx] %pA\n", pc, (void *) pc); - graph++; - } - } -@@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_ - return (struct reg_window *) (fp + STACK_BIAS); - } - -+extern void gr_handle_kernel_exploit(void); -+ - void die_if_kernel(char *str, struct pt_regs *regs) - { - static int die_counter; -@@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_ - while (rw && - count++ < 30 && - kstack_valid(tp, (unsigned long) rw)) { -- printk("Caller[%016lx]: %pS\n", rw->ins[7], -+ printk("Caller[%016lx]: %pA\n", rw->ins[7], - (void *) rw->ins[7]); - - rw = kernel_stack_up(rw); -@@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_ - } - user_instruction_dump ((unsigned int __user *) regs->tpc); - } -- if (regs->tstate & TSTATE_PRIV) -+ if (regs->tstate & TSTATE_PRIV) { -+ gr_handle_kernel_exploit(); - do_exit(SIGKILL); -+ } - do_exit(SIGSEGV); - } - EXPORT_SYMBOL(die_if_kernel); -diff -urNp linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c ---- linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400 -@@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs - static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5); - - if (__ratelimit(&ratelimit)) { -- printk("Kernel unaligned access at TPC[%lx] %pS\n", -+ printk("Kernel unaligned access at TPC[%lx] %pA\n", - regs->tpc, (void *) regs->tpc); - } - } -diff -urNp linux-2.6.39.3/arch/sparc/lib/atomic_64.S linux-2.6.39.3/arch/sparc/lib/atomic_64.S ---- linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400 -@@ -18,7 +18,12 @@ - atomic_add: /* %o0 = increment, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: lduw [%o1], %g1 -- add %g1, %o0, %g7 -+ addcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %icc, 6 -+#endif -+ - cas [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %icc, BACKOFF_LABEL(2f, 1b) -@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic_add, .-atomic_add - -+ .globl atomic_add_unchecked -+ .type atomic_add_unchecked,#function -+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: lduw [%o1], %g1 -+ add %g1, %o0, %g7 -+ cas [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %icc, 2f -+ nop -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic_add_unchecked, .-atomic_add_unchecked -+ - .globl atomic_sub - .type atomic_sub,#function - atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: lduw [%o1], %g1 -- sub %g1, %o0, %g7 -+ subcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %icc, 6 -+#endif -+ - cas [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %icc, BACKOFF_LABEL(2f, 1b) -@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic_sub, .-atomic_sub - -+ .globl atomic_sub_unchecked -+ .type atomic_sub_unchecked,#function -+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: lduw [%o1], %g1 -+ sub %g1, %o0, %g7 -+ cas [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %icc, 2f -+ nop -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic_sub_unchecked, .-atomic_sub_unchecked -+ - .globl atomic_add_ret - .type atomic_add_ret,#function - atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: lduw [%o1], %g1 -- add %g1, %o0, %g7 -+ addcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %icc, 6 -+#endif -+ - cas [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %icc, BACKOFF_LABEL(2f, 1b) -@@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1 - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic_add_ret, .-atomic_add_ret - -+ .globl atomic_add_ret_unchecked -+ .type atomic_add_ret_unchecked,#function -+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: lduw [%o1], %g1 -+ addcc %g1, %o0, %g7 -+ cas [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %icc, 2f -+ add %g7, %o0, %g7 -+ sra %g7, 0, %o0 -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked -+ - .globl atomic_sub_ret - .type atomic_sub_ret,#function - atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: lduw [%o1], %g1 -- sub %g1, %o0, %g7 -+ subcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %icc, 6 -+#endif -+ - cas [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %icc, BACKOFF_LABEL(2f, 1b) -@@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 - atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: ldx [%o1], %g1 -- add %g1, %o0, %g7 -+ addcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %xcc, 6 -+#endif -+ - casx [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %xcc, BACKOFF_LABEL(2f, 1b) -@@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 = - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic64_add, .-atomic64_add - -+ .globl atomic64_add_unchecked -+ .type atomic64_add_unchecked,#function -+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: ldx [%o1], %g1 -+ addcc %g1, %o0, %g7 -+ casx [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %xcc, 2f -+ nop -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic64_add_unchecked, .-atomic64_add_unchecked -+ - .globl atomic64_sub - .type atomic64_sub,#function - atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: ldx [%o1], %g1 -- sub %g1, %o0, %g7 -+ subcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %xcc, 6 -+#endif -+ - casx [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %xcc, BACKOFF_LABEL(2f, 1b) -@@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic64_sub, .-atomic64_sub - -+ .globl atomic64_sub_unchecked -+ .type atomic64_sub_unchecked,#function -+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: ldx [%o1], %g1 -+ subcc %g1, %o0, %g7 -+ casx [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %xcc, 2f -+ nop -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked -+ - .globl atomic64_add_ret - .type atomic64_add_ret,#function - atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: ldx [%o1], %g1 -- add %g1, %o0, %g7 -+ addcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %xcc, 6 -+#endif -+ - casx [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %xcc, BACKOFF_LABEL(2f, 1b) -@@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o - 2: BACKOFF_SPIN(%o2, %o3, 1b) - .size atomic64_add_ret, .-atomic64_add_ret - -+ .globl atomic64_add_ret_unchecked -+ .type atomic64_add_ret_unchecked,#function -+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ -+ BACKOFF_SETUP(%o2) -+1: ldx [%o1], %g1 -+ addcc %g1, %o0, %g7 -+ casx [%o1], %g1, %g7 -+ cmp %g1, %g7 -+ bne,pn %xcc, 2f -+ add %g7, %o0, %g7 -+ mov %g7, %o0 -+ retl -+ nop -+2: BACKOFF_SPIN(%o2, %o3, 1b) -+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked -+ - .globl atomic64_sub_ret - .type atomic64_sub_ret,#function - atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */ - BACKOFF_SETUP(%o2) - 1: ldx [%o1], %g1 -- sub %g1, %o0, %g7 -+ subcc %g1, %o0, %g7 -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ tvs %xcc, 6 -+#endif -+ - casx [%o1], %g1, %g7 - cmp %g1, %g7 - bne,pn %xcc, BACKOFF_LABEL(2f, 1b) -diff -urNp linux-2.6.39.3/arch/sparc/lib/ksyms.c linux-2.6.39.3/arch/sparc/lib/ksyms.c ---- linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400 -@@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write); - - /* Atomic counter implementation. */ - EXPORT_SYMBOL(atomic_add); -+EXPORT_SYMBOL(atomic_add_unchecked); - EXPORT_SYMBOL(atomic_add_ret); - EXPORT_SYMBOL(atomic_sub); -+EXPORT_SYMBOL(atomic_sub_unchecked); - EXPORT_SYMBOL(atomic_sub_ret); - EXPORT_SYMBOL(atomic64_add); -+EXPORT_SYMBOL(atomic64_add_unchecked); - EXPORT_SYMBOL(atomic64_add_ret); -+EXPORT_SYMBOL(atomic64_add_ret_unchecked); - EXPORT_SYMBOL(atomic64_sub); -+EXPORT_SYMBOL(atomic64_sub_unchecked); - EXPORT_SYMBOL(atomic64_sub_ret); - - /* Atomic bit operations. */ -diff -urNp linux-2.6.39.3/arch/sparc/lib/Makefile linux-2.6.39.3/arch/sparc/lib/Makefile ---- linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400 -@@ -2,7 +2,7 @@ - # - - asflags-y := -ansi -DST_DIV0=0x02 --ccflags-y := -Werror -+#ccflags-y := -Werror - - lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o - lib-$(CONFIG_SPARC32) += memcpy.o memset.o -diff -urNp linux-2.6.39.3/arch/sparc/Makefile linux-2.6.39.3/arch/sparc/Makefile ---- linux-2.6.39.3/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400 -@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc - # Export what is needed by arch/sparc/boot/Makefile - export VMLINUX_INIT VMLINUX_MAIN - VMLINUX_INIT := $(head-y) $(init-y) --VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ -+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ - VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y) - VMLINUX_MAIN += $(drivers-y) $(net-y) - -diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_32.c linux-2.6.39.3/arch/sparc/mm/fault_32.c ---- linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -22,6 +22,9 @@ - #include <linux/interrupt.h> - #include <linux/module.h> - #include <linux/kdebug.h> -+#include <linux/slab.h> -+#include <linux/pagemap.h> -+#include <linux/compiler.h> - - #include <asm/system.h> - #include <asm/page.h> -@@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str - return safe_compute_effective_address(regs, insn); - } - -+#ifdef CONFIG_PAX_PAGEEXEC -+#ifdef CONFIG_PAX_DLRESOLVE -+static void pax_emuplt_close(struct vm_area_struct *vma) -+{ -+ vma->vm_mm->call_dl_resolve = 0UL; -+} -+ -+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -+{ -+ unsigned int *kaddr; -+ -+ vmf->page = alloc_page(GFP_HIGHUSER); -+ if (!vmf->page) -+ return VM_FAULT_OOM; -+ -+ kaddr = kmap(vmf->page); -+ memset(kaddr, 0, PAGE_SIZE); -+ kaddr[0] = 0x9DE3BFA8U; /* save */ -+ flush_dcache_page(vmf->page); -+ kunmap(vmf->page); -+ return VM_FAULT_MAJOR; -+} -+ -+static const struct vm_operations_struct pax_vm_ops = { -+ .close = pax_emuplt_close, -+ .fault = pax_emuplt_fault -+}; -+ -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) -+{ -+ int ret; -+ -+ INIT_LIST_HEAD(&vma->anon_vma_chain); -+ vma->vm_mm = current->mm; -+ vma->vm_start = addr; -+ vma->vm_end = addr + PAGE_SIZE; -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC; -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); -+ vma->vm_ops = &pax_vm_ops; -+ -+ ret = insert_vm_struct(current->mm, vma); -+ if (ret) -+ return ret; -+ -+ ++current->mm->total_vm; -+ return 0; -+} -+#endif -+ -+/* -+ * PaX: decide what to do with offenders (regs->pc = fault address) -+ * -+ * returns 1 when task should be killed -+ * 2 when patched PLT trampoline was detected -+ * 3 when unpatched PLT trampoline was detected -+ */ -+static int pax_handle_fetch_fault(struct pt_regs *regs) -+{ -+ -+#ifdef CONFIG_PAX_EMUPLT -+ int err; -+ -+ do { /* PaX: patched PLT emulation #1 */ -+ unsigned int sethi1, sethi2, jmpl; -+ -+ err = get_user(sethi1, (unsigned int *)regs->pc); -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4)); -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U && -+ (sethi2 & 0xFFC00000U) == 0x03000000U && -+ (jmpl & 0xFFFFE000U) == 0x81C06000U) -+ { -+ unsigned int addr; -+ -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10; -+ addr = regs->u_regs[UREG_G1]; -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); -+ regs->pc = addr; -+ regs->npc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ { /* PaX: patched PLT emulation #2 */ -+ unsigned int ba; -+ -+ err = get_user(ba, (unsigned int *)regs->pc); -+ -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) { -+ unsigned int addr; -+ -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2); -+ regs->pc = addr; -+ regs->npc = addr+4; -+ return 2; -+ } -+ } -+ -+ do { /* PaX: patched PLT emulation #3 */ -+ unsigned int sethi, jmpl, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->pc); -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4)); -+ err |= get_user(nop, (unsigned int *)(regs->pc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ (jmpl & 0xFFFFE000U) == 0x81C06000U && -+ nop == 0x01000000U) -+ { -+ unsigned int addr; -+ -+ addr = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G1] = addr; -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); -+ regs->pc = addr; -+ regs->npc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: unpatched PLT emulation step 1 */ -+ unsigned int sethi, ba, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->pc); -+ err |= get_user(ba, (unsigned int *)(regs->pc+4)); -+ err |= get_user(nop, (unsigned int *)(regs->pc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) && -+ nop == 0x01000000U) -+ { -+ unsigned int addr, save, call; -+ -+ if ((ba & 0xFFC00000U) == 0x30800000U) -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2); -+ else -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2); -+ -+ err = get_user(save, (unsigned int *)addr); -+ err |= get_user(call, (unsigned int *)(addr+4)); -+ err |= get_user(nop, (unsigned int *)(addr+8)); -+ if (err) -+ break; -+ -+#ifdef CONFIG_PAX_DLRESOLVE -+ if (save == 0x9DE3BFA8U && -+ (call & 0xC0000000U) == 0x40000000U && -+ nop == 0x01000000U) -+ { -+ struct vm_area_struct *vma; -+ unsigned long call_dl_resolve; -+ -+ down_read(¤t->mm->mmap_sem); -+ call_dl_resolve = current->mm->call_dl_resolve; -+ up_read(¤t->mm->mmap_sem); -+ if (likely(call_dl_resolve)) -+ goto emulate; -+ -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); -+ -+ down_write(¤t->mm->mmap_sem); -+ if (current->mm->call_dl_resolve) { -+ call_dl_resolve = current->mm->call_dl_resolve; -+ up_write(¤t->mm->mmap_sem); -+ if (vma) -+ kmem_cache_free(vm_area_cachep, vma); -+ goto emulate; -+ } -+ -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE); -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) { -+ up_write(¤t->mm->mmap_sem); -+ if (vma) -+ kmem_cache_free(vm_area_cachep, vma); -+ return 1; -+ } -+ -+ if (pax_insert_vma(vma, call_dl_resolve)) { -+ up_write(¤t->mm->mmap_sem); -+ kmem_cache_free(vm_area_cachep, vma); -+ return 1; -+ } -+ -+ current->mm->call_dl_resolve = call_dl_resolve; -+ up_write(¤t->mm->mmap_sem); -+ -+emulate: -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; -+ regs->pc = call_dl_resolve; -+ regs->npc = addr+4; -+ return 3; -+ } -+#endif -+ -+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */ -+ if ((save & 0xFFC00000U) == 0x05000000U && -+ (call & 0xFFFFE000U) == 0x85C0A000U && -+ nop == 0x01000000U) -+ { -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G2] = addr + 4; -+ addr = (save & 0x003FFFFFU) << 10; -+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); -+ regs->pc = addr; -+ regs->npc = addr+4; -+ return 3; -+ } -+ } -+ } while (0); -+ -+ do { /* PaX: unpatched PLT emulation step 2 */ -+ unsigned int save, call, nop; -+ -+ err = get_user(save, (unsigned int *)(regs->pc-4)); -+ err |= get_user(call, (unsigned int *)regs->pc); -+ err |= get_user(nop, (unsigned int *)(regs->pc+4)); -+ if (err) -+ break; -+ -+ if (save == 0x9DE3BFA8U && -+ (call & 0xC0000000U) == 0x40000000U && -+ nop == 0x01000000U) -+ { -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2); -+ -+ regs->u_regs[UREG_RETPC] = regs->pc; -+ regs->pc = dl_resolve; -+ regs->npc = dl_resolve+4; -+ return 3; -+ } -+ } while (0); -+#endif -+ -+ return 1; -+} -+ -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 8; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs, - int text_fault) - { -@@ -281,6 +546,24 @@ good_area: - if(!(vma->vm_flags & VM_WRITE)) - goto bad_area; - } else { -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) { -+ up_read(&mm->mmap_sem); -+ switch (pax_handle_fetch_fault(regs)) { -+ -+#ifdef CONFIG_PAX_EMUPLT -+ case 2: -+ case 3: -+ return; -+#endif -+ -+ } -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - /* Allow reads even for write-only mappings */ - if(!(vma->vm_flags & (VM_READ | VM_EXEC))) - goto bad_area; -diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_64.c linux-2.6.39.3/arch/sparc/mm/fault_64.c ---- linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400 -@@ -21,6 +21,9 @@ - #include <linux/kprobes.h> - #include <linux/kdebug.h> - #include <linux/percpu.h> -+#include <linux/slab.h> -+#include <linux/pagemap.h> -+#include <linux/compiler.h> - - #include <asm/page.h> - #include <asm/pgtable.h> -@@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru - printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n", - regs->tpc); - printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]); -- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]); -+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]); - printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr); - dump_stack(); - unhandled_fault(regs->tpc, current, regs); -@@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b - show_regs(regs); - } - -+#ifdef CONFIG_PAX_PAGEEXEC -+#ifdef CONFIG_PAX_DLRESOLVE -+static void pax_emuplt_close(struct vm_area_struct *vma) -+{ -+ vma->vm_mm->call_dl_resolve = 0UL; -+} -+ -+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -+{ -+ unsigned int *kaddr; -+ -+ vmf->page = alloc_page(GFP_HIGHUSER); -+ if (!vmf->page) -+ return VM_FAULT_OOM; -+ -+ kaddr = kmap(vmf->page); -+ memset(kaddr, 0, PAGE_SIZE); -+ kaddr[0] = 0x9DE3BFA8U; /* save */ -+ flush_dcache_page(vmf->page); -+ kunmap(vmf->page); -+ return VM_FAULT_MAJOR; -+} -+ -+static const struct vm_operations_struct pax_vm_ops = { -+ .close = pax_emuplt_close, -+ .fault = pax_emuplt_fault -+}; -+ -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) -+{ -+ int ret; -+ -+ INIT_LIST_HEAD(&vma->anon_vma_chain); -+ vma->vm_mm = current->mm; -+ vma->vm_start = addr; -+ vma->vm_end = addr + PAGE_SIZE; -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC; -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); -+ vma->vm_ops = &pax_vm_ops; -+ -+ ret = insert_vm_struct(current->mm, vma); -+ if (ret) -+ return ret; -+ -+ ++current->mm->total_vm; -+ return 0; -+} -+#endif -+ -+/* -+ * PaX: decide what to do with offenders (regs->tpc = fault address) -+ * -+ * returns 1 when task should be killed -+ * 2 when patched PLT trampoline was detected -+ * 3 when unpatched PLT trampoline was detected -+ */ -+static int pax_handle_fetch_fault(struct pt_regs *regs) -+{ -+ -+#ifdef CONFIG_PAX_EMUPLT -+ int err; -+ -+ do { /* PaX: patched PLT emulation #1 */ -+ unsigned int sethi1, sethi2, jmpl; -+ -+ err = get_user(sethi1, (unsigned int *)regs->tpc); -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U && -+ (sethi2 & 0xFFC00000U) == 0x03000000U && -+ (jmpl & 0xFFFFE000U) == 0x81C06000U) -+ { -+ unsigned long addr; -+ -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10; -+ addr = regs->u_regs[UREG_G1]; -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ { /* PaX: patched PLT emulation #2 */ -+ unsigned int ba; -+ -+ err = get_user(ba, (unsigned int *)regs->tpc); -+ -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) { -+ unsigned long addr; -+ -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } -+ -+ do { /* PaX: patched PLT emulation #3 */ -+ unsigned int sethi, jmpl, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ (jmpl & 0xFFFFE000U) == 0x81C06000U && -+ nop == 0x01000000U) -+ { -+ unsigned long addr; -+ -+ addr = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G1] = addr; -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: patched PLT emulation #4 */ -+ unsigned int sethi, mov1, call, mov2; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(call, (unsigned int *)(regs->tpc+8)); -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ mov1 == 0x8210000FU && -+ (call & 0xC0000000U) == 0x40000000U && -+ mov2 == 0x9E100001U) -+ { -+ unsigned long addr; -+ -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC]; -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: patched PLT emulation #5 */ -+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8)); -+ err |= get_user(or1, (unsigned int *)(regs->tpc+12)); -+ err |= get_user(or2, (unsigned int *)(regs->tpc+16)); -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20)); -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24)); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+28)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ (sethi1 & 0xFFC00000U) == 0x03000000U && -+ (sethi2 & 0xFFC00000U) == 0x0B000000U && -+ (or1 & 0xFFFFE000U) == 0x82106000U && -+ (or2 & 0xFFFFE000U) == 0x8A116000U && -+ sllx == 0x83287020U && -+ jmpl == 0x81C04005U && -+ nop == 0x01000000U) -+ { -+ unsigned long addr; -+ -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU); -+ regs->u_regs[UREG_G1] <<= 32; -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU); -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5]; -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: patched PLT emulation #6 */ -+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8)); -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12)); -+ err |= get_user(or, (unsigned int *)(regs->tpc+16)); -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20)); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ (sethi1 & 0xFFC00000U) == 0x03000000U && -+ (sethi2 & 0xFFC00000U) == 0x0B000000U && -+ sllx == 0x83287020U && -+ (or & 0xFFFFE000U) == 0x8A116000U && -+ jmpl == 0x81C04005U && -+ nop == 0x01000000U) -+ { -+ unsigned long addr; -+ -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G1] <<= 32; -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU); -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5]; -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+ do { /* PaX: unpatched PLT emulation step 1 */ -+ unsigned int sethi, ba, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) && -+ nop == 0x01000000U) -+ { -+ unsigned long addr; -+ unsigned int save, call; -+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl; -+ -+ if ((ba & 0xFFC00000U) == 0x30800000U) -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2); -+ else -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ err = get_user(save, (unsigned int *)addr); -+ err |= get_user(call, (unsigned int *)(addr+4)); -+ err |= get_user(nop, (unsigned int *)(addr+8)); -+ if (err) -+ break; -+ -+#ifdef CONFIG_PAX_DLRESOLVE -+ if (save == 0x9DE3BFA8U && -+ (call & 0xC0000000U) == 0x40000000U && -+ nop == 0x01000000U) -+ { -+ struct vm_area_struct *vma; -+ unsigned long call_dl_resolve; -+ -+ down_read(¤t->mm->mmap_sem); -+ call_dl_resolve = current->mm->call_dl_resolve; -+ up_read(¤t->mm->mmap_sem); -+ if (likely(call_dl_resolve)) -+ goto emulate; -+ -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); -+ -+ down_write(¤t->mm->mmap_sem); -+ if (current->mm->call_dl_resolve) { -+ call_dl_resolve = current->mm->call_dl_resolve; -+ up_write(¤t->mm->mmap_sem); -+ if (vma) -+ kmem_cache_free(vm_area_cachep, vma); -+ goto emulate; -+ } -+ -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE); -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) { -+ up_write(¤t->mm->mmap_sem); -+ if (vma) -+ kmem_cache_free(vm_area_cachep, vma); -+ return 1; -+ } -+ -+ if (pax_insert_vma(vma, call_dl_resolve)) { -+ up_write(¤t->mm->mmap_sem); -+ kmem_cache_free(vm_area_cachep, vma); -+ return 1; -+ } -+ -+ current->mm->call_dl_resolve = call_dl_resolve; -+ up_write(¤t->mm->mmap_sem); -+ -+emulate: -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; -+ regs->tpc = call_dl_resolve; -+ regs->tnpc = addr+4; -+ return 3; -+ } -+#endif -+ -+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */ -+ if ((save & 0xFFC00000U) == 0x05000000U && -+ (call & 0xFFFFE000U) == 0x85C0A000U && -+ nop == 0x01000000U) -+ { -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G2] = addr + 4; -+ addr = (save & 0x003FFFFFU) << 10; -+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 3; -+ } -+ -+ /* PaX: 64-bit PLT stub */ -+ err = get_user(sethi1, (unsigned int *)addr); -+ err |= get_user(sethi2, (unsigned int *)(addr+4)); -+ err |= get_user(or1, (unsigned int *)(addr+8)); -+ err |= get_user(or2, (unsigned int *)(addr+12)); -+ err |= get_user(sllx, (unsigned int *)(addr+16)); -+ err |= get_user(add, (unsigned int *)(addr+20)); -+ err |= get_user(jmpl, (unsigned int *)(addr+24)); -+ err |= get_user(nop, (unsigned int *)(addr+28)); -+ if (err) -+ break; -+ -+ if ((sethi1 & 0xFFC00000U) == 0x09000000U && -+ (sethi2 & 0xFFC00000U) == 0x0B000000U && -+ (or1 & 0xFFFFE000U) == 0x88112000U && -+ (or2 & 0xFFFFE000U) == 0x8A116000U && -+ sllx == 0x89293020U && -+ add == 0x8A010005U && -+ jmpl == 0x89C14000U && -+ nop == 0x01000000U) -+ { -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU); -+ regs->u_regs[UREG_G4] <<= 32; -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU); -+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4]; -+ regs->u_regs[UREG_G4] = addr + 24; -+ addr = regs->u_regs[UREG_G5]; -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 3; -+ } -+ } -+ } while (0); -+ -+#ifdef CONFIG_PAX_DLRESOLVE -+ do { /* PaX: unpatched PLT emulation step 2 */ -+ unsigned int save, call, nop; -+ -+ err = get_user(save, (unsigned int *)(regs->tpc-4)); -+ err |= get_user(call, (unsigned int *)regs->tpc); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4)); -+ if (err) -+ break; -+ -+ if (save == 0x9DE3BFA8U && -+ (call & 0xC0000000U) == 0x40000000U && -+ nop == 0x01000000U) -+ { -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ dl_resolve &= 0xFFFFFFFFUL; -+ -+ regs->u_regs[UREG_RETPC] = regs->tpc; -+ regs->tpc = dl_resolve; -+ regs->tnpc = dl_resolve+4; -+ return 3; -+ } -+ } while (0); -+#endif -+ -+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */ -+ unsigned int sethi, ba, nop; -+ -+ err = get_user(sethi, (unsigned int *)regs->tpc); -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4)); -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); -+ -+ if (err) -+ break; -+ -+ if ((sethi & 0xFFC00000U) == 0x03000000U && -+ (ba & 0xFFF00000U) == 0x30600000U && -+ nop == 0x01000000U) -+ { -+ unsigned long addr; -+ -+ addr = (sethi & 0x003FFFFFU) << 10; -+ regs->u_regs[UREG_G1] = addr; -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); -+ -+ if (test_thread_flag(TIF_32BIT)) -+ addr &= 0xFFFFFFFFUL; -+ -+ regs->tpc = addr; -+ regs->tnpc = addr+4; -+ return 2; -+ } -+ } while (0); -+ -+#endif -+ -+ return 1; -+} -+ -+void pax_report_insns(void *pc, void *sp) -+{ -+ unsigned long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 8; i++) { -+ unsigned int c; -+ if (get_user(c, (unsigned int *)pc+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08x ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs) - { - struct mm_struct *mm = current->mm; -@@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau - if (!vma) - goto bad_area; - -+#ifdef CONFIG_PAX_PAGEEXEC -+ /* PaX: detect ITLB misses on non-exec pages */ -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address && -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB)) -+ { -+ if (address != regs->tpc) -+ goto good_area; -+ -+ up_read(&mm->mmap_sem); -+ switch (pax_handle_fetch_fault(regs)) { -+ -+#ifdef CONFIG_PAX_EMUPLT -+ case 2: -+ case 3: -+ return; -+#endif -+ -+ } -+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS)); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - /* Pure DTLB misses do not tell us whether the fault causing - * load/store/atomic was a write or not, it only says that there - * was no match. So in such a case we (carefully) read the -diff -urNp linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c ---- linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400 -@@ -68,7 +68,7 @@ full_search: - } - return -ENOMEM; - } -- if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* - * Remember the place where we stopped the search: - */ -@@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct - /* make sure it can fit in the remaining address space */ - if (likely(addr > len)) { - vma = find_vma(mm, addr-len); -- if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr-len); - } -@@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct - if (unlikely(mm->mmap_base < len)) - goto bottomup; - -- addr = (mm->mmap_base-len) & HPAGE_MASK; -+ addr = mm->mmap_base - len; - - do { -+ addr &= HPAGE_MASK; - /* - * Lookup failure means no vma is above this address, - * else if new region fits below vma->vm_start, - * return with success: - */ - vma = find_vma(mm, addr); -- if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { - /* remember the address as a hint for next time */ - return (mm->free_area_cache = addr); - } -@@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = (vma->vm_start-len) & HPAGE_MASK; -- } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); -+ } while (!IS_ERR_VALUE(addr)); - - bottomup: - /* -@@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f - if (addr) { - addr = ALIGN(addr, HPAGE_SIZE); - vma = find_vma(mm, addr); -- if (task_size - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - if (mm->get_unmapped_area == arch_get_unmapped_area) -diff -urNp linux-2.6.39.3/arch/sparc/mm/init_32.c linux-2.6.39.3/arch/sparc/mm/init_32.c ---- linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -318,6 +318,9 @@ extern void device_scan(void); - pgprot_t PAGE_SHARED __read_mostly; - EXPORT_SYMBOL(PAGE_SHARED); - -+pgprot_t PAGE_SHARED_NOEXEC __read_mostly; -+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC); -+ - void __init paging_init(void) - { - switch(sparc_cpu_model) { -@@ -346,17 +349,17 @@ void __init paging_init(void) - - /* Initialize the protection map with non-constant, MMU dependent values. */ - protection_map[0] = PAGE_NONE; -- protection_map[1] = PAGE_READONLY; -- protection_map[2] = PAGE_COPY; -- protection_map[3] = PAGE_COPY; -+ protection_map[1] = PAGE_READONLY_NOEXEC; -+ protection_map[2] = PAGE_COPY_NOEXEC; -+ protection_map[3] = PAGE_COPY_NOEXEC; - protection_map[4] = PAGE_READONLY; - protection_map[5] = PAGE_READONLY; - protection_map[6] = PAGE_COPY; - protection_map[7] = PAGE_COPY; - protection_map[8] = PAGE_NONE; -- protection_map[9] = PAGE_READONLY; -- protection_map[10] = PAGE_SHARED; -- protection_map[11] = PAGE_SHARED; -+ protection_map[9] = PAGE_READONLY_NOEXEC; -+ protection_map[10] = PAGE_SHARED_NOEXEC; -+ protection_map[11] = PAGE_SHARED_NOEXEC; - protection_map[12] = PAGE_READONLY; - protection_map[13] = PAGE_READONLY; - protection_map[14] = PAGE_SHARED; -diff -urNp linux-2.6.39.3/arch/sparc/mm/Makefile linux-2.6.39.3/arch/sparc/mm/Makefile ---- linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400 -@@ -2,7 +2,7 @@ - # - - asflags-y := -ansi --ccflags-y := -Werror -+#ccflags-y := -Werror - - obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o - obj-y += fault_$(BITS).o -diff -urNp linux-2.6.39.3/arch/sparc/mm/srmmu.c linux-2.6.39.3/arch/sparc/mm/srmmu.c ---- linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void) - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED); - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY)); - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY)); -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC); -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC)); -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC)); -+#endif -+ - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL)); - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL); - -diff -urNp linux-2.6.39.3/arch/tile/kernel/pci.c linux-2.6.39.3/arch/tile/kernel/pci.c ---- linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 13:00:25.000000000 -0400 -@@ -60,7 +60,7 @@ int __write_once tile_plx_gen1; - static struct pci_controller controllers[TILE_NUM_PCIE]; - static int num_controllers; - --static struct pci_ops tile_cfg_ops; -+static const struct pci_ops tile_cfg_ops; - - - /* -@@ -563,7 +563,7 @@ static int __devinit tile_cfg_write(stru - } - - --static struct pci_ops tile_cfg_ops = { -+static const struct pci_ops tile_cfg_ops = { - .read = tile_cfg_read, - .write = tile_cfg_write, - }; -diff -urNp linux-2.6.39.3/arch/um/include/asm/kmap_types.h linux-2.6.39.3/arch/um/include/asm/kmap_types.h ---- linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -23,6 +23,7 @@ enum km_type { - KM_IRQ1, - KM_SOFTIRQ0, - KM_SOFTIRQ1, -+ KM_CLEARPAGE, - KM_TYPE_NR - }; - -diff -urNp linux-2.6.39.3/arch/um/include/asm/page.h linux-2.6.39.3/arch/um/include/asm/page.h ---- linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400 -@@ -14,6 +14,9 @@ - #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT) - #define PAGE_MASK (~(PAGE_SIZE-1)) - -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) -+ - #ifndef __ASSEMBLY__ - - struct page; -diff -urNp linux-2.6.39.3/arch/um/kernel/process.c linux-2.6.39.3/arch/um/kernel/process.c ---- linux-2.6.39.3/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -404,22 +404,6 @@ int singlestepping(void * t) - return 2; - } - --/* -- * Only x86 and x86_64 have an arch_align_stack(). -- * All other arches have "#define arch_align_stack(x) (x)" -- * in their asm/system.h -- * As this is included in UML from asm-um/system-generic.h, -- * we can use it to behave as the subarch does. -- */ --#ifndef arch_align_stack --unsigned long arch_align_stack(unsigned long sp) --{ -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) -- sp -= get_random_int() % 8192; -- return sp & ~0xf; --} --#endif -- - unsigned long get_wchan(struct task_struct *p) - { - unsigned long stack_page, sp, ip; -diff -urNp linux-2.6.39.3/arch/um/sys-i386/syscalls.c linux-2.6.39.3/arch/um/sys-i386/syscalls.c ---- linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400 -@@ -11,6 +11,21 @@ - #include "asm/uaccess.h" - #include "asm/unistd.h" - -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags) -+{ -+ unsigned long pax_task_size = TASK_SIZE; -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) -+ pax_task_size = SEGMEXEC_TASK_SIZE; -+#endif -+ -+ if (len > pax_task_size || addr > pax_task_size - len) -+ return -EINVAL; -+ -+ return 0; -+} -+ - /* - * The prototype on i386 is: - * -diff -urNp linux-2.6.39.3/arch/unicore32/kernel/pci.c linux-2.6.39.3/arch/unicore32/kernel/pci.c ---- linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400 -@@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u - return PCIBIOS_SUCCESSFUL; - } - --struct pci_ops pci_puv3_ops = { -+const struct pci_ops pci_puv3_ops = { - .read = puv3_read_config, - .write = puv3_write_config, - }; -diff -urNp linux-2.6.39.3/arch/x86/boot/bitops.h linux-2.6.39.3/arch/x86/boot/bitops.h ---- linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400 -@@ -26,7 +26,7 @@ static inline int variable_test_bit(int - u8 v; - const u32 *p = (const u32 *)addr; - -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr)); -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr)); - return v; - } - -@@ -37,7 +37,7 @@ static inline int variable_test_bit(int - - static inline void set_bit(int nr, void *addr) - { -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr)); -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr)); - } - - #endif /* BOOT_BITOPS_H */ -diff -urNp linux-2.6.39.3/arch/x86/boot/boot.h linux-2.6.39.3/arch/x86/boot/boot.h ---- linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400 -@@ -85,7 +85,7 @@ static inline void io_delay(void) - static inline u16 ds(void) - { - u16 seg; -- asm("movw %%ds,%0" : "=rm" (seg)); -+ asm volatile("movw %%ds,%0" : "=rm" (seg)); - return seg; - } - -@@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t - static inline int memcmp(const void *s1, const void *s2, size_t len) - { - u8 diff; -- asm("repe; cmpsb; setnz %0" -+ asm volatile("repe; cmpsb; setnz %0" - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len)); - return diff; - } -diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_32.S linux-2.6.39.3/arch/x86/boot/compressed/head_32.S ---- linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400 -@@ -76,7 +76,7 @@ ENTRY(startup_32) - notl %eax - andl %eax, %ebx - #else -- movl $LOAD_PHYSICAL_ADDR, %ebx -+ movl $____LOAD_PHYSICAL_ADDR, %ebx - #endif - - /* Target address to relocate to for decompression */ -@@ -162,7 +162,7 @@ relocated: - * and where it was actually loaded. - */ - movl %ebp, %ebx -- subl $LOAD_PHYSICAL_ADDR, %ebx -+ subl $____LOAD_PHYSICAL_ADDR, %ebx - jz 2f /* Nothing to be done if loaded at compiled addr. */ - /* - * Process relocations. -@@ -170,8 +170,7 @@ relocated: - - 1: subl $4, %edi - movl (%edi), %ecx -- testl %ecx, %ecx -- jz 2f -+ jecxz 2f - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx) - jmp 1b - 2: -diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_64.S linux-2.6.39.3/arch/x86/boot/compressed/head_64.S ---- linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400 -@@ -91,7 +91,7 @@ ENTRY(startup_32) - notl %eax - andl %eax, %ebx - #else -- movl $LOAD_PHYSICAL_ADDR, %ebx -+ movl $____LOAD_PHYSICAL_ADDR, %ebx - #endif - - /* Target address to relocate to for decompression */ -@@ -233,7 +233,7 @@ ENTRY(startup_64) - notq %rax - andq %rax, %rbp - #else -- movq $LOAD_PHYSICAL_ADDR, %rbp -+ movq $____LOAD_PHYSICAL_ADDR, %rbp - #endif - - /* Target address to relocate to for decompression */ -diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/misc.c linux-2.6.39.3/arch/x86/boot/compressed/misc.c ---- linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400 -@@ -310,7 +310,7 @@ static void parse_elf(void *output) - case PT_LOAD: - #ifdef CONFIG_RELOCATABLE - dest = output; -- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR); -+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR); - #else - dest = (void *)(phdr->p_paddr); - #endif -@@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void * - error("Destination address too large"); - #endif - #ifndef CONFIG_RELOCATABLE -- if ((unsigned long)output != LOAD_PHYSICAL_ADDR) -+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR) - error("Wrong destination address"); - #endif - -diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/relocs.c linux-2.6.39.3/arch/x86/boot/compressed/relocs.c ---- linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400 -@@ -13,8 +13,11 @@ - - static void die(char *fmt, ...); - -+#include "../../../../include/generated/autoconf.h" -+ - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) - static Elf32_Ehdr ehdr; -+static Elf32_Phdr *phdr; - static unsigned long reloc_count, reloc_idx; - static unsigned long *relocs; - -@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp) - } - } - -+static void read_phdrs(FILE *fp) -+{ -+ unsigned int i; -+ -+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr)); -+ if (!phdr) { -+ die("Unable to allocate %d program headers\n", -+ ehdr.e_phnum); -+ } -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) { -+ die("Seek to %d failed: %s\n", -+ ehdr.e_phoff, strerror(errno)); -+ } -+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) { -+ die("Cannot read ELF program headers: %s\n", -+ strerror(errno)); -+ } -+ for(i = 0; i < ehdr.e_phnum; i++) { -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type); -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset); -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr); -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr); -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz); -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz); -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags); -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align); -+ } -+ -+} -+ - static void read_shdrs(FILE *fp) - { -- int i; -+ unsigned int i; - Elf32_Shdr shdr; - - secs = calloc(ehdr.e_shnum, sizeof(struct section)); -@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp) - - static void read_strtabs(FILE *fp) - { -- int i; -+ unsigned int i; - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; - if (sec->shdr.sh_type != SHT_STRTAB) { -@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp) - - static void read_symtabs(FILE *fp) - { -- int i,j; -+ unsigned int i,j; - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; - if (sec->shdr.sh_type != SHT_SYMTAB) { -@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp) - - static void read_relocs(FILE *fp) - { -- int i,j; -+ unsigned int i,j; -+ uint32_t base; -+ - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; - if (sec->shdr.sh_type != SHT_REL) { -@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp) - die("Cannot read symbol table: %s\n", - strerror(errno)); - } -+ base = 0; -+ for (j = 0; j < ehdr.e_phnum; j++) { -+ if (phdr[j].p_type != PT_LOAD ) -+ continue; -+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz) -+ continue; -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr; -+ break; -+ } - for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) { - Elf32_Rel *rel = &sec->reltab[j]; -- rel->r_offset = elf32_to_cpu(rel->r_offset); -+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base; - rel->r_info = elf32_to_cpu(rel->r_info); - } - } -@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp) - - static void print_absolute_symbols(void) - { -- int i; -+ unsigned int i; - printf("Absolute symbols\n"); - printf(" Num: Value Size Type Bind Visibility Name\n"); - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; - char *sym_strtab; - Elf32_Sym *sh_symtab; -- int j; -+ unsigned int j; - - if (sec->shdr.sh_type != SHT_SYMTAB) { - continue; -@@ -431,14 +475,14 @@ static void print_absolute_symbols(void) - - static void print_absolute_relocs(void) - { -- int i, printed = 0; -+ unsigned int i, printed = 0; - - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; - struct section *sec_applies, *sec_symtab; - char *sym_strtab; - Elf32_Sym *sh_symtab; -- int j; -+ unsigned int j; - if (sec->shdr.sh_type != SHT_REL) { - continue; - } -@@ -499,13 +543,13 @@ static void print_absolute_relocs(void) - - static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) - { -- int i; -+ unsigned int i; - /* Walk through the relocations */ - for (i = 0; i < ehdr.e_shnum; i++) { - char *sym_strtab; - Elf32_Sym *sh_symtab; - struct section *sec_applies, *sec_symtab; -- int j; -+ unsigned int j; - struct section *sec = &secs[i]; - - if (sec->shdr.sh_type != SHT_REL) { -@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El - !is_rel_reloc(sym_name(sym_strtab, sym))) { - continue; - } -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */ -+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load")) -+ continue; -+ -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ -+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR")) -+ continue; -+#endif -+ - switch (r_type) { - case R_386_NONE: - case R_386_PC32: -@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co - - static void emit_relocs(int as_text) - { -- int i; -+ unsigned int i; - /* Count how many relocations I have and allocate space for them. */ - reloc_count = 0; - walk_relocs(count_reloc); -@@ -665,6 +725,7 @@ int main(int argc, char **argv) - fname, strerror(errno)); - } - read_ehdr(fp); -+ read_phdrs(fp); - read_shdrs(fp); - read_strtabs(fp); - read_symtabs(fp); -diff -urNp linux-2.6.39.3/arch/x86/boot/cpucheck.c linux-2.6.39.3/arch/x86/boot/cpucheck.c ---- linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400 -@@ -74,7 +74,7 @@ static int has_fpu(void) - u16 fcw = -1, fsw = -1; - u32 cr0; - -- asm("movl %%cr0,%0" : "=r" (cr0)); -+ asm volatile("movl %%cr0,%0" : "=r" (cr0)); - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) { - cr0 &= ~(X86_CR0_EM|X86_CR0_TS); - asm volatile("movl %0,%%cr0" : : "r" (cr0)); -@@ -90,7 +90,7 @@ static int has_eflag(u32 mask) - { - u32 f0, f1; - -- asm("pushfl ; " -+ asm volatile("pushfl ; " - "pushfl ; " - "popl %0 ; " - "movl %0,%1 ; " -@@ -115,7 +115,7 @@ static void get_flags(void) - set_bit(X86_FEATURE_FPU, cpu.flags); - - if (has_eflag(X86_EFLAGS_ID)) { -- asm("cpuid" -+ asm volatile("cpuid" - : "=a" (max_intel_level), - "=b" (cpu_vendor[0]), - "=d" (cpu_vendor[1]), -@@ -124,7 +124,7 @@ static void get_flags(void) - - if (max_intel_level >= 0x00000001 && - max_intel_level <= 0x0000ffff) { -- asm("cpuid" -+ asm volatile("cpuid" - : "=a" (tfms), - "=c" (cpu.flags[4]), - "=d" (cpu.flags[0]) -@@ -136,7 +136,7 @@ static void get_flags(void) - cpu.model += ((tfms >> 16) & 0xf) << 4; - } - -- asm("cpuid" -+ asm volatile("cpuid" - : "=a" (max_amd_level) - : "a" (0x80000000) - : "ebx", "ecx", "edx"); -@@ -144,7 +144,7 @@ static void get_flags(void) - if (max_amd_level >= 0x80000001 && - max_amd_level <= 0x8000ffff) { - u32 eax = 0x80000001; -- asm("cpuid" -+ asm volatile("cpuid" - : "+a" (eax), - "=c" (cpu.flags[6]), - "=d" (cpu.flags[1]) -@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r - u32 ecx = MSR_K7_HWCR; - u32 eax, edx; - -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); - eax &= ~(1 << 15); -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); - - get_flags(); /* Make sure it really did something */ - err = check_flags(); -@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r - u32 ecx = MSR_VIA_FCR; - u32 eax, edx; - -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); - eax |= (1<<1)|(1<<7); -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); - - set_bit(X86_FEATURE_CX8, cpu.flags); - err = check_flags(); -@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r - u32 eax, edx; - u32 level = 1; - -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx)); -- asm("cpuid" -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx)); -+ asm volatile("cpuid" - : "+a" (level), "=d" (cpu.flags[0]) - : : "ecx", "ebx"); -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); - - err = check_flags(); - } -diff -urNp linux-2.6.39.3/arch/x86/boot/header.S linux-2.6.39.3/arch/x86/boot/header.S ---- linux-2.6.39.3/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400 -@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical - # single linked list of - # struct setup_data - --pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr -+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr - - #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset) - #define VO_INIT_SIZE (VO__end - VO__text) -diff -urNp linux-2.6.39.3/arch/x86/boot/memory.c linux-2.6.39.3/arch/x86/boot/memory.c ---- linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400 -@@ -19,7 +19,7 @@ - - static int detect_memory_e820(void) - { -- int count = 0; -+ unsigned int count = 0; - struct biosregs ireg, oreg; - struct e820entry *desc = boot_params.e820_map; - static struct e820entry buf; /* static so it is zeroed */ -diff -urNp linux-2.6.39.3/arch/x86/boot/video.c linux-2.6.39.3/arch/x86/boot/video.c ---- linux-2.6.39.3/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400 -@@ -96,7 +96,7 @@ static void store_mode_params(void) - static unsigned int get_entry(void) - { - char entry_buf[4]; -- int i, len = 0; -+ unsigned int i, len = 0; - int key; - unsigned int v; - -diff -urNp linux-2.6.39.3/arch/x86/boot/video-vesa.c linux-2.6.39.3/arch/x86/boot/video-vesa.c ---- linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400 -@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void) - - boot_params.screen_info.vesapm_seg = oreg.es; - boot_params.screen_info.vesapm_off = oreg.di; -+ boot_params.screen_info.vesapm_size = oreg.cx; - } - - /* -diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_aout.c linux-2.6.39.3/arch/x86/ia32/ia32_aout.c ---- linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400 -@@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st - unsigned long dump_start, dump_size; - struct user32 dump; - -+ memset(&dump, 0, sizeof(dump)); -+ - fs = get_fs(); - set_fs(KERNEL_DS); - has_dumped = 1; -diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32entry.S linux-2.6.39.3/arch/x86/ia32/ia32entry.S ---- linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400 -@@ -13,6 +13,7 @@ - #include <asm/thread_info.h> - #include <asm/segment.h> - #include <asm/irqflags.h> -+#include <asm/pgtable.h> - #include <linux/linkage.h> - - /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ -@@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit) - ENDPROC(native_irq_enable_sysexit) - #endif - -+ .macro pax_enter_kernel_user -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ call pax_enter_kernel_user -+#endif -+ .endm -+ -+ .macro pax_exit_kernel_user -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ call pax_exit_kernel_user -+#endif -+#ifdef CONFIG_PAX_RANDKSTACK -+ pushq %rax -+ call pax_randomize_kstack -+ popq %rax -+#endif -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+ call pax_erase_kstack -+#endif -+ .endm -+ -+ .macro pax_erase_kstack -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+ call pax_erase_kstack -+#endif -+ .endm -+ - /* - * 32bit SYSENTER instruction entry. - * -@@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target) - CFI_REGISTER rsp,rbp - SWAPGS_UNSAFE_STACK - movq PER_CPU_VAR(kernel_stack), %rsp -- addq $(KERNEL_STACK_OFFSET),%rsp -+ pax_enter_kernel_user - /* - * No need to follow this irqs on/off section: the syscall - * disabled irqs, here we enable it straight after entry: -@@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target) - CFI_REL_OFFSET rsp,0 - pushfq_cfi - /*CFI_REL_OFFSET rflags,0*/ -- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d -+ GET_THREAD_INFO(%r10) -+ movl TI_sysenter_return(%r10), %r10d - CFI_REGISTER rip,r10 - pushq_cfi $__USER32_CS - /*CFI_REL_OFFSET cs,0*/ -@@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target) - SAVE_ARGS 0,0,1 - /* no need to do an access_ok check here because rbp has been - 32bit zero extended */ -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ mov $PAX_USER_SHADOW_BASE,%r10 -+ add %r10,%rbp -+#endif -+ - 1: movl (%rbp),%ebp - .section __ex_table,"a" - .quad 1b,ia32_badarg -@@ -168,6 +202,7 @@ sysenter_dispatch: - testl $_TIF_ALLWORK_MASK,TI_flags(%r10) - jnz sysexit_audit - sysexit_from_sys_call: -+ pax_exit_kernel_user - andl $~TS_COMPAT,TI_status(%r10) - /* clear IF, that popfq doesn't enable interrupts early */ - andl $~0x200,EFLAGS-R11(%rsp) -@@ -194,6 +229,9 @@ sysexit_from_sys_call: - movl %eax,%esi /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ - call audit_syscall_entry -+ -+ pax_erase_kstack -+ - movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ - cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys -@@ -246,6 +284,9 @@ sysenter_tracesys: - movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter -+ -+ pax_erase_kstack -+ - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST - cmpq $(IA32_NR_syscalls-1),%rax -@@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target) - ENTRY(ia32_cstar_target) - CFI_STARTPROC32 simple - CFI_SIGNAL_FRAME -- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET -+ CFI_DEF_CFA rsp,0 - CFI_REGISTER rip,rcx - /*CFI_REGISTER rflags,r11*/ - SWAPGS_UNSAFE_STACK - movl %esp,%r8d - CFI_REGISTER rsp,r8 - movq PER_CPU_VAR(kernel_stack),%rsp -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ pax_enter_kernel_user -+#endif -+ - /* - * No need to follow this irqs on/off section: the syscall - * disabled irqs and here we enable it straight after entry: - */ - ENABLE_INTERRUPTS(CLBR_NONE) -- SAVE_ARGS 8,1,1 -+ SAVE_ARGS 8*6,1,1 - movl %eax,%eax /* zero extension */ - movq %rax,ORIG_RAX-ARGOFFSET(%rsp) - movq %rcx,RIP-ARGOFFSET(%rsp) -@@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target) - /* no need to do an access_ok check here because r8 has been - 32bit zero extended */ - /* hardware stack frame is complete now */ -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ mov $PAX_USER_SHADOW_BASE,%r10 -+ add %r10,%r8 -+#endif -+ - 1: movl (%r8),%r9d - .section __ex_table,"a" - .quad 1b,ia32_badarg -@@ -327,6 +379,7 @@ cstar_dispatch: - testl $_TIF_ALLWORK_MASK,TI_flags(%r10) - jnz sysretl_audit - sysretl_from_sys_call: -+ pax_exit_kernel_user - andl $~TS_COMPAT,TI_status(%r10) - RESTORE_ARGS 1,-ARG_SKIP,1,1,1 - movl RIP-ARGOFFSET(%rsp),%ecx -@@ -364,6 +417,9 @@ cstar_tracesys: - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter -+ -+ pax_erase_kstack -+ - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ - RESTORE_REST - xchgl %ebp,%r9d -@@ -409,6 +465,7 @@ ENTRY(ia32_syscall) - CFI_REL_OFFSET rip,RIP-RIP - PARAVIRT_ADJUST_EXCEPTION_FRAME - SWAPGS -+ pax_enter_kernel_user - /* - * No need to follow this irqs on/off section: the syscall - * disabled irqs and here we enable it straight after entry: -@@ -441,6 +498,9 @@ ia32_tracesys: - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter -+ -+ pax_erase_kstack -+ - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST - cmpq $(IA32_NR_syscalls-1),%rax -diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_signal.c linux-2.6.39.3/arch/x86/ia32/ia32_signal.c ---- linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400 -@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct - sp -= frame_size; - /* Align the stack pointer according to the i386 ABI, - * i.e. so that on function entry ((sp + 4) & 15) == 0. */ -- sp = ((sp + 4) & -16ul) - 4; -+ sp = ((sp - 12) & -16ul) - 4; - return (void __user *) sp; - } - -@@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s - * These are actually not used anymore, but left because some - * gdb versions depend on them as a marker. - */ -- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode); -+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode); - } put_user_catch(err); - - if (err) -@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct - 0xb8, - __NR_ia32_rt_sigreturn, - 0x80cd, -- 0, -+ 0 - }; - - frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate); -@@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct - - if (ka->sa.sa_flags & SA_RESTORER) - restorer = ka->sa.sa_restorer; -+ else if (current->mm->context.vdso) -+ /* Return stub is in 32bit vsyscall page */ -+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); - else -- restorer = VDSO32_SYMBOL(current->mm->context.vdso, -- rt_sigreturn); -+ restorer = &frame->retcode; - put_user_ex(ptr_to_compat(restorer), &frame->pretcode); - - /* - * Not actually used anymore, but left because some gdb - * versions need it. - */ -- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode); -+ put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode); - } put_user_catch(err); - - if (err) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/alternative.h linux-2.6.39.3/arch/x86/include/asm/alternative.h ---- linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400 -@@ -94,7 +94,7 @@ static inline int alternatives_text_rese - ".section .discard,\"aw\",@progbits\n" \ - " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \ - ".previous\n" \ -- ".section .altinstr_replacement, \"ax\"\n" \ -+ ".section .altinstr_replacement, \"a\"\n" \ - "663:\n\t" newinstr "\n664:\n" /* replacement */ \ - ".previous" - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/apm.h linux-2.6.39.3/arch/x86/include/asm/apm.h ---- linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400 -@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 - __asm__ __volatile__(APM_DO_ZERO_SEGS - "pushl %%edi\n\t" - "pushl %%ebp\n\t" -- "lcall *%%cs:apm_bios_entry\n\t" -+ "lcall *%%ss:apm_bios_entry\n\t" - "setc %%al\n\t" - "popl %%ebp\n\t" - "popl %%edi\n\t" -@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as - __asm__ __volatile__(APM_DO_ZERO_SEGS - "pushl %%edi\n\t" - "pushl %%ebp\n\t" -- "lcall *%%cs:apm_bios_entry\n\t" -+ "lcall *%%ss:apm_bios_entry\n\t" - "setc %%bl\n\t" - "popl %%ebp\n\t" - "popl %%edi\n\t" -diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h ---- linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,6 +12,14 @@ typedef struct { - u64 __aligned(8) counter; - } atomic64_t; - -+#ifdef CONFIG_PAX_REFCOUNT -+typedef struct { -+ u64 __aligned(8) counter; -+} atomic64_unchecked_t; -+#else -+typedef atomic64_t atomic64_unchecked_t; -+#endif -+ - #define ATOMIC64_INIT(val) { (val) } - - #ifdef CONFIG_X86_CMPXCHG64 -@@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg - } - - /** -+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable -+ * @p: pointer to type atomic64_unchecked_t -+ * @o: expected value -+ * @n: new value -+ * -+ * Atomically sets @v to @n if it was equal to @o and returns -+ * the old value. -+ */ -+ -+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n) -+{ -+ return cmpxchg64(&v->counter, o, n); -+} -+ -+/** - * atomic64_xchg - xchg atomic64 variable - * @v: pointer to type atomic64_t - * @n: value to assign -@@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64 - } - - /** -+ * atomic64_set_unchecked - set atomic64 variable -+ * @v: pointer to type atomic64_unchecked_t -+ * @n: value to assign -+ * -+ * Atomically sets the value of @v to @n. -+ */ -+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i) -+{ -+ unsigned high = (unsigned)(i >> 32); -+ unsigned low = (unsigned)i; -+ asm volatile(ATOMIC64_ALTERNATIVE(set) -+ : "+b" (low), "+c" (high) -+ : "S" (v) -+ : "eax", "edx", "memory" -+ ); -+} -+ -+/** - * atomic64_read - read atomic64 variable - * @v: pointer to type atomic64_t - * -@@ -93,6 +134,22 @@ static inline long long atomic64_read(at - } - - /** -+ * atomic64_read_unchecked - read atomic64 variable -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically reads the value of @v and returns it. -+ */ -+static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v) -+{ -+ long long r; -+ asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked) -+ : "=A" (r), "+c" (v) -+ : : "memory" -+ ); -+ return r; -+ } -+ -+/** - * atomic64_add_return - add and return - * @i: integer value to add - * @v: pointer to type atomic64_t -@@ -108,6 +165,22 @@ static inline long long atomic64_add_ret - return i; - } - -+/** -+ * atomic64_add_return_unchecked - add and return -+ * @i: integer value to add -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically adds @i to @v and returns @i + *@v -+ */ -+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v) -+{ -+ asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked) -+ : "+A" (i), "+c" (v) -+ : : "memory" -+ ); -+ return i; -+} -+ - /* - * Other variants with different arithmetic operators: - */ -@@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret - return a; - } - -+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) -+{ -+ long long a; -+ asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked) -+ : "=A" (a) -+ : "S" (v) -+ : "memory", "ecx" -+ ); -+ return a; -+} -+ - static inline long long atomic64_dec_return(atomic64_t *v) - { - long long a; -@@ -159,6 +243,22 @@ static inline long long atomic64_add(lon - } - - /** -+ * atomic64_add_unchecked - add integer to atomic64 variable -+ * @i: integer value to add -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically adds @i to @v. -+ */ -+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v) -+{ -+ asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked) -+ : "+A" (i), "+c" (v) -+ : : "memory" -+ ); -+ return i; -+} -+ -+/** - * atomic64_sub - subtract the atomic64 variable - * @i: integer value to subtract - * @v: pointer to type atomic64_t -diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h ---- linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -18,7 +18,19 @@ - */ - static inline long atomic64_read(const atomic64_t *v) - { -- return (*(volatile long *)&(v)->counter); -+ return (*(volatile const long *)&(v)->counter); -+} -+ -+/** -+ * atomic64_read_unchecked - read atomic64 variable -+ * @v: pointer of type atomic64_unchecked_t -+ * -+ * Atomically reads the value of @v. -+ * Doesn't imply a read memory barrier. -+ */ -+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v) -+{ -+ return (*(volatile const long *)&(v)->counter); - } - - /** -@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64 - } - - /** -+ * atomic64_set_unchecked - set atomic64 variable -+ * @v: pointer to type atomic64_unchecked_t -+ * @i: required value -+ * -+ * Atomically sets the value of @v to @i. -+ */ -+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i) -+{ -+ v->counter = i; -+} -+ -+/** - * atomic64_add - add integer to atomic64 variable - * @i: integer value to add - * @v: pointer to type atomic64_t -@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64 - */ - static inline void atomic64_add(long i, atomic64_t *v) - { -+ asm volatile(LOCK_PREFIX "addq %1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "subq %1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=m" (v->counter) -+ : "er" (i), "m" (v->counter)); -+} -+ -+/** -+ * atomic64_add_unchecked - add integer to atomic64 variable -+ * @i: integer value to add -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically adds @i to @v. -+ */ -+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v) -+{ - asm volatile(LOCK_PREFIX "addq %1,%0" - : "=m" (v->counter) - : "er" (i), "m" (v->counter)); -@@ -56,7 +102,29 @@ static inline void atomic64_add(long i, - */ - static inline void atomic64_sub(long i, atomic64_t *v) - { -- asm volatile(LOCK_PREFIX "subq %1,%0" -+ asm volatile(LOCK_PREFIX "subq %1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "addq %1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=m" (v->counter) -+ : "er" (i), "m" (v->counter)); -+} -+ -+/** -+ * atomic64_sub_unchecked - subtract the atomic64 variable -+ * @i: integer value to subtract -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically subtracts @i from @v. -+ */ -+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "subq %1,%0\n" - : "=m" (v->counter) - : "er" (i), "m" (v->counter)); - } -@@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test( - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1" -+ asm volatile(LOCK_PREFIX "subq %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "addq %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "=m" (v->counter), "=qm" (c) - : "er" (i), "m" (v->counter) : "memory"); - return c; -@@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test( - */ - static inline void atomic64_inc(atomic64_t *v) - { -+ asm volatile(LOCK_PREFIX "incq %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "decq %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=m" (v->counter) -+ : "m" (v->counter)); -+} -+ -+/** -+ * atomic64_inc_unchecked - increment atomic64 variable -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically increments @v by 1. -+ */ -+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v) -+{ - asm volatile(LOCK_PREFIX "incq %0" - : "=m" (v->counter) - : "m" (v->counter)); -@@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64 - */ - static inline void atomic64_dec(atomic64_t *v) - { -- asm volatile(LOCK_PREFIX "decq %0" -+ asm volatile(LOCK_PREFIX "decq %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "incq %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=m" (v->counter) -+ : "m" (v->counter)); -+} -+ -+/** -+ * atomic64_dec_unchecked - decrement atomic64 variable -+ * @v: pointer to type atomic64_t -+ * -+ * Atomically decrements @v by 1. -+ */ -+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "decq %0\n" - : "=m" (v->counter) - : "m" (v->counter)); - } -@@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test( - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "decq %0; sete %1" -+ asm volatile(LOCK_PREFIX "decq %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "incq %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "=m" (v->counter), "=qm" (c) - : "m" (v->counter) : "memory"); - return c != 0; -@@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test( - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "incq %0; sete %1" -+ asm volatile(LOCK_PREFIX "incq %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "decq %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "=m" (v->counter), "=qm" (c) - : "m" (v->counter) : "memory"); - return c != 0; -@@ -155,7 +292,16 @@ static inline int atomic64_add_negative( - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1" -+ asm volatile(LOCK_PREFIX "addq %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "subq %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sets %1\n" - : "=m" (v->counter), "=qm" (c) - : "er" (i), "m" (v->counter) : "memory"); - return c; -@@ -171,7 +317,31 @@ static inline int atomic64_add_negative( - static inline long atomic64_add_return(long i, atomic64_t *v) - { - long __i = i; -- asm volatile(LOCK_PREFIX "xaddq %0, %1;" -+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "movq %0, %1\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+r" (i), "+m" (v->counter) -+ : : "memory"); -+ return i + __i; -+} -+ -+/** -+ * atomic64_add_return_unchecked - add and return -+ * @i: integer value to add -+ * @v: pointer to type atomic64_unchecked_t -+ * -+ * Atomically adds @i to @v and returns @i + @v -+ */ -+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v) -+{ -+ long __i = i; -+ asm volatile(LOCK_PREFIX "xaddq %0, %1" - : "+r" (i), "+m" (v->counter) - : : "memory"); - return i + __i; -@@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l - } - - #define atomic64_inc_return(v) (atomic64_add_return(1, (v))) -+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) -+{ -+ return atomic64_add_return_unchecked(1, v); -+} - #define atomic64_dec_return(v) (atomic64_sub_return(1, (v))) - - static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new) -@@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom - return cmpxchg(&v->counter, old, new); - } - -+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new) -+{ -+ return cmpxchg(&v->counter, old, new); -+} -+ - static inline long atomic64_xchg(atomic64_t *v, long new) - { - return xchg(&v->counter, new); -@@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6 - */ - static inline int atomic64_add_unless(atomic64_t *v, long a, long u) - { -- long c, old; -+ long c, old, new; - c = atomic64_read(v); - for (;;) { -- if (unlikely(c == (u))) -+ if (unlikely(c == u)) - break; -- old = atomic64_cmpxchg((v), c, c + (a)); -+ -+ asm volatile("add %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "sub %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=r" (new) -+ : "0" (c), "ir" (a)); -+ -+ old = atomic64_cmpxchg(v, c, new); - if (likely(old == c)) - break; - c = old; - } -- return c != (u); -+ return c != u; - } - - #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic.h linux-2.6.39.3/arch/x86/include/asm/atomic.h ---- linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400 -@@ -22,7 +22,18 @@ - */ - static inline int atomic_read(const atomic_t *v) - { -- return (*(volatile int *)&(v)->counter); -+ return (*(volatile const int *)&(v)->counter); -+} -+ -+/** -+ * atomic_read_unchecked - read atomic variable -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically reads the value of @v. -+ */ -+static inline int atomic_read_unchecked(const atomic_unchecked_t *v) -+{ -+ return (*(volatile const int *)&(v)->counter); - } - - /** -@@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t * - } - - /** -+ * atomic_set_unchecked - set atomic variable -+ * @v: pointer of type atomic_unchecked_t -+ * @i: required value -+ * -+ * Atomically sets the value of @v to @i. -+ */ -+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) -+{ -+ v->counter = i; -+} -+ -+/** - * atomic_add - add integer to atomic variable - * @i: integer value to add - * @v: pointer of type atomic_t -@@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t * - */ - static inline void atomic_add(int i, atomic_t *v) - { -- asm volatile(LOCK_PREFIX "addl %1,%0" -+ asm volatile(LOCK_PREFIX "addl %1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "subl %1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+m" (v->counter) -+ : "ir" (i)); -+} -+ -+/** -+ * atomic_add_unchecked - add integer to atomic variable -+ * @i: integer value to add -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically adds @i to @v. -+ */ -+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "addl %1,%0\n" - : "+m" (v->counter) - : "ir" (i)); - } -@@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato - */ - static inline void atomic_sub(int i, atomic_t *v) - { -- asm volatile(LOCK_PREFIX "subl %1,%0" -+ asm volatile(LOCK_PREFIX "subl %1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "addl %1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+m" (v->counter) -+ : "ir" (i)); -+} -+ -+/** -+ * atomic_sub_unchecked - subtract integer from atomic variable -+ * @i: integer value to subtract -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically subtracts @i from @v. -+ */ -+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "subl %1,%0\n" - : "+m" (v->counter) - : "ir" (i)); - } -@@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1" -+ asm volatile(LOCK_PREFIX "subl %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "addl %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "+m" (v->counter), "=qm" (c) - : "ir" (i) : "memory"); - return c; -@@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in - */ - static inline void atomic_inc(atomic_t *v) - { -- asm volatile(LOCK_PREFIX "incl %0" -+ asm volatile(LOCK_PREFIX "incl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "decl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+m" (v->counter)); -+} -+ -+/** -+ * atomic_inc_unchecked - increment atomic variable -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically increments @v by 1. -+ */ -+static inline void atomic_inc_unchecked(atomic_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "incl %0\n" - : "+m" (v->counter)); - } - -@@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t * - */ - static inline void atomic_dec(atomic_t *v) - { -- asm volatile(LOCK_PREFIX "decl %0" -+ asm volatile(LOCK_PREFIX "decl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "incl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+m" (v->counter)); -+} -+ -+/** -+ * atomic_dec_unchecked - decrement atomic variable -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically decrements @v by 1. -+ */ -+static inline void atomic_dec_unchecked(atomic_unchecked_t *v) -+{ -+ asm volatile(LOCK_PREFIX "decl %0\n" - : "+m" (v->counter)); - } - -@@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "decl %0; sete %1" -+ asm volatile(LOCK_PREFIX "decl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "incl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "+m" (v->counter), "=qm" (c) - : : "memory"); - return c != 0; -@@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "incl %0; sete %1" -+ asm volatile(LOCK_PREFIX "incl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "decl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" -+ : "+m" (v->counter), "=qm" (c) -+ : : "memory"); -+ return c != 0; -+} -+ -+/** -+ * atomic_inc_and_test_unchecked - increment and test -+ * @v: pointer of type atomic_unchecked_t -+ * -+ * Atomically increments @v by 1 -+ * and returns true if the result is zero, or false for all -+ * other cases. -+ */ -+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v) -+{ -+ unsigned char c; -+ -+ asm volatile(LOCK_PREFIX "incl %0\n" -+ "sete %1\n" - : "+m" (v->counter), "=qm" (c) - : : "memory"); - return c != 0; -@@ -157,7 +310,16 @@ static inline int atomic_add_negative(in - { - unsigned char c; - -- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1" -+ asm volatile(LOCK_PREFIX "addl %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "subl %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sets %1\n" - : "+m" (v->counter), "=qm" (c) - : "ir" (i) : "memory"); - return c; -@@ -180,6 +342,46 @@ static inline int atomic_add_return(int - #endif - /* Modern 486+ processor */ - __i = i; -+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "movl %0, %1\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "+r" (i), "+m" (v->counter) -+ : : "memory"); -+ return i + __i; -+ -+#ifdef CONFIG_M386 -+no_xadd: /* Legacy 386 processor */ -+ local_irq_save(flags); -+ __i = atomic_read(v); -+ atomic_set(v, i + __i); -+ local_irq_restore(flags); -+ return i + __i; -+#endif -+} -+ -+/** -+ * atomic_add_return_unchecked - add integer and return -+ * @v: pointer of type atomic_unchecked_t -+ * @i: integer value to add -+ * -+ * Atomically adds @i to @v and returns @i + @v -+ */ -+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) -+{ -+ int __i; -+#ifdef CONFIG_M386 -+ unsigned long flags; -+ if (unlikely(boot_cpu_data.x86 <= 3)) -+ goto no_xadd; -+#endif -+ /* Modern 486+ processor */ -+ __i = i; - asm volatile(LOCK_PREFIX "xaddl %0, %1" - : "+r" (i), "+m" (v->counter) - : : "memory"); -@@ -208,6 +410,10 @@ static inline int atomic_sub_return(int - } - - #define atomic_inc_return(v) (atomic_add_return(1, v)) -+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v) -+{ -+ return atomic_add_return_unchecked(1, v); -+} - #define atomic_dec_return(v) (atomic_sub_return(1, v)) - - static inline int atomic_cmpxchg(atomic_t *v, int old, int new) -@@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_ - return cmpxchg(&v->counter, old, new); - } - -+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new) -+{ -+ return cmpxchg(&v->counter, old, new); -+} -+ - static inline int atomic_xchg(atomic_t *v, int new) - { - return xchg(&v->counter, new); - } - -+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new) -+{ -+ return xchg(&v->counter, new); -+} -+ - /** - * atomic_add_unless - add unless the number is already a given value - * @v: pointer of type atomic_t -@@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t * - */ - static inline int atomic_add_unless(atomic_t *v, int a, int u) - { -- int c, old; -+ int c, old, new; - c = atomic_read(v); - for (;;) { -- if (unlikely(c == (u))) -+ if (unlikely(c == u)) - break; -- old = atomic_cmpxchg((v), c, c + (a)); -+ -+ asm volatile("addl %2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "subl %2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=r" (new) -+ : "0" (c), "ir" (a)); -+ -+ old = atomic_cmpxchg(v, c, new); - if (likely(old == c)) - break; - c = old; - } -- return c != (u); -+ return c != u; - } - - #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) - -+/** -+ * atomic_inc_not_zero_hint - increment if not null -+ * @v: pointer of type atomic_t -+ * @hint: probable value of the atomic before the increment -+ * -+ * This version of atomic_inc_not_zero() gives a hint of probable -+ * value of the atomic. This helps processor to not read the memory -+ * before doing the atomic read/modify/write cycle, lowering -+ * number of bus transactions on some arches. -+ * -+ * Returns: 0 if increment was not done, 1 otherwise. -+ */ -+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint -+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint) -+{ -+ int val, c = hint, new; -+ -+ /* sanity test, should be removed by compiler if hint is a constant */ -+ if (!hint) -+ return atomic_inc_not_zero(v); -+ -+ do { -+ asm volatile("incl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "decl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ : "=r" (new) -+ : "0" (c)); -+ -+ val = atomic_cmpxchg(v, c, new); -+ if (val == c) -+ return 1; -+ c = val; -+ } while (c); -+ -+ return 0; -+} -+ - /* - * atomic_dec_if_positive - decrement by 1 if old value positive - * @v: pointer of type atomic_t -diff -urNp linux-2.6.39.3/arch/x86/include/asm/bitops.h linux-2.6.39.3/arch/x86/include/asm/bitops.h ---- linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400 -@@ -38,7 +38,7 @@ - * a mask operation on a byte. - */ - #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr)) --#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3)) -+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3)) - #define CONST_MASK(nr) (1 << ((nr) & 7)) - - /** -diff -urNp linux-2.6.39.3/arch/x86/include/asm/boot.h linux-2.6.39.3/arch/x86/include/asm/boot.h ---- linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400 -@@ -11,10 +11,15 @@ - #include <asm/pgtable_types.h> - - /* Physical address where kernel should be loaded. */ --#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \ -+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \ - + (CONFIG_PHYSICAL_ALIGN - 1)) \ - & ~(CONFIG_PHYSICAL_ALIGN - 1)) - -+#ifndef __ASSEMBLY__ -+extern unsigned char __LOAD_PHYSICAL_ADDR[]; -+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR) -+#endif -+ - /* Minimum kernel alignment, as a power of two */ - #ifdef CONFIG_X86_64 - #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT -diff -urNp linux-2.6.39.3/arch/x86/include/asm/cacheflush.h linux-2.6.39.3/arch/x86/include/asm/cacheflush.h ---- linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400 -@@ -26,7 +26,7 @@ static inline unsigned long get_page_mem - unsigned long pg_flags = pg->flags & _PGMT_MASK; - - if (pg_flags == _PGMT_DEFAULT) -- return -1; -+ return ~0UL; - else if (pg_flags == _PGMT_WC) - return _PAGE_CACHE_WC; - else if (pg_flags == _PGMT_UC_MINUS) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/cache.h linux-2.6.39.3/arch/x86/include/asm/cache.h ---- linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400 -@@ -5,12 +5,13 @@ - - /* L1 cache line size */ - #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT) --#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) -+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) - - #define __read_mostly __attribute__((__section__(".data..read_mostly"))) -+#define __read_only __attribute__((__section__(".data..read_only"))) - - #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT --#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT) -+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT) - - #ifdef CONFIG_X86_VSMP - #ifdef CONFIG_SMP -diff -urNp linux-2.6.39.3/arch/x86/include/asm/checksum_32.h linux-2.6.39.3/arch/x86/include/asm/checksum_32.h ---- linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene - int len, __wsum sum, - int *src_err_ptr, int *dst_err_ptr); - -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst, -+ int len, __wsum sum, -+ int *src_err_ptr, int *dst_err_ptr); -+ -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst, -+ int len, __wsum sum, -+ int *src_err_ptr, int *dst_err_ptr); -+ - /* - * Note: when you get a NULL pointer exception here this means someone - * passed in an incorrect kernel address to one of these functions. -@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f - int *err_ptr) - { - might_sleep(); -- return csum_partial_copy_generic((__force void *)src, dst, -+ return csum_partial_copy_generic_from_user((__force void *)src, dst, - len, sum, err_ptr, NULL); - } - -@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us - { - might_sleep(); - if (access_ok(VERIFY_WRITE, dst, len)) -- return csum_partial_copy_generic(src, (__force void *)dst, -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst, - len, sum, NULL, err_ptr); - - if (len) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/cpufeature.h linux-2.6.39.3/arch/x86/include/asm/cpufeature.h ---- linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400 -@@ -351,7 +351,7 @@ static __always_inline __pure bool __sta - ".section .discard,\"aw\",@progbits\n" - " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ - ".previous\n" -- ".section .altinstr_replacement,\"ax\"\n" -+ ".section .altinstr_replacement,\"a\"\n" - "3: movb $1,%0\n" - "4:\n" - ".previous\n" -diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc_defs.h linux-2.6.39.3/arch/x86/include/asm/desc_defs.h ---- linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400 -@@ -31,6 +31,12 @@ struct desc_struct { - unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1; - unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8; - }; -+ struct { -+ u16 offset_low; -+ u16 seg; -+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1; -+ unsigned offset_high: 16; -+ } gate; - }; - } __attribute__((packed)); - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc.h linux-2.6.39.3/arch/x86/include/asm/desc.h ---- linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400 -@@ -4,6 +4,7 @@ - #include <asm/desc_defs.h> - #include <asm/ldt.h> - #include <asm/mmu.h> -+#include <asm/pgtable.h> - #include <linux/smp.h> - - static inline void fill_ldt(struct desc_struct *desc, -@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_ - desc->base1 = (info->base_addr & 0x00ff0000) >> 16; - desc->type = (info->read_exec_only ^ 1) << 1; - desc->type |= info->contents << 2; -+ desc->type |= info->seg_not_present ^ 1; - desc->s = 1; - desc->dpl = 0x3; - desc->p = info->seg_not_present ^ 1; -@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_ - } - - extern struct desc_ptr idt_descr; --extern gate_desc idt_table[]; -- --struct gdt_page { -- struct desc_struct gdt[GDT_ENTRIES]; --} __attribute__((aligned(PAGE_SIZE))); --DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page); -+extern gate_desc idt_table[256]; - -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]; - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu) - { -- return per_cpu(gdt_page, cpu).gdt; -+ return cpu_gdt_table[cpu]; - } - - #ifdef CONFIG_X86_64 -@@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc * - unsigned long base, unsigned dpl, unsigned flags, - unsigned short seg) - { -- gate->a = (seg << 16) | (base & 0xffff); -- gate->b = (base & 0xffff0000) | -- (((0x80 | type | (dpl << 5)) & 0xff) << 8); -+ gate->gate.offset_low = base; -+ gate->gate.seg = seg; -+ gate->gate.reserved = 0; -+ gate->gate.type = type; -+ gate->gate.s = 0; -+ gate->gate.dpl = dpl; -+ gate->gate.p = 1; -+ gate->gate.offset_high = base >> 16; - } - - #endif -@@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str - static inline void native_write_idt_entry(gate_desc *idt, int entry, - const gate_desc *gate) - { -+ pax_open_kernel(); - memcpy(&idt[entry], gate, sizeof(*gate)); -+ pax_close_kernel(); - } - - static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, - const void *desc) - { -+ pax_open_kernel(); - memcpy(&ldt[entry], desc, 8); -+ pax_close_kernel(); - } - - static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry, -@@ -139,7 +146,10 @@ static inline void native_write_gdt_entr - size = sizeof(struct desc_struct); - break; - } -+ -+ pax_open_kernel(); - memcpy(&gdt[entry], desc, size); -+ pax_close_kernel(); - } - - static inline void pack_descriptor(struct desc_struct *desc, unsigned long base, -@@ -211,7 +221,9 @@ static inline void native_set_ldt(const - - static inline void native_load_tr_desc(void) - { -+ pax_open_kernel(); - asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8)); -+ pax_close_kernel(); - } - - static inline void native_load_gdt(const struct desc_ptr *dtr) -@@ -246,8 +258,10 @@ static inline void native_load_tls(struc - unsigned int i; - struct desc_struct *gdt = get_cpu_gdt_table(cpu); - -+ pax_open_kernel(); - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++) - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i]; -+ pax_close_kernel(); - } - - #define _LDT_empty(info) \ -@@ -309,7 +323,7 @@ static inline void set_desc_limit(struct - desc->limit = (limit >> 16) & 0xf; - } - --static inline void _set_gate(int gate, unsigned type, void *addr, -+static inline void _set_gate(int gate, unsigned type, const void *addr, - unsigned dpl, unsigned ist, unsigned seg) - { - gate_desc s; -@@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u - * Pentium F0 0F bugfix can have resulted in the mapped - * IDT being write-protected. - */ --static inline void set_intr_gate(unsigned int n, void *addr) -+static inline void set_intr_gate(unsigned int n, const void *addr) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS); -@@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig - /* - * This routine sets up an interrupt gate at directory privilege level 3. - */ --static inline void set_system_intr_gate(unsigned int n, void *addr) -+static inline void set_system_intr_gate(unsigned int n, const void *addr) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS); - } - --static inline void set_system_trap_gate(unsigned int n, void *addr) -+static inline void set_system_trap_gate(unsigned int n, const void *addr) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS); - } - --static inline void set_trap_gate(unsigned int n, void *addr) -+static inline void set_trap_gate(unsigned int n, const void *addr) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); -@@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne - static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) - { - BUG_ON((unsigned)n > 0xFF); -- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3)); -+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3)); - } - --static inline void set_intr_gate_ist(int n, void *addr, unsigned ist) -+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS); - } - --static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist) -+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist) - { - BUG_ON((unsigned)n > 0xFF); - _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); - } - -+#ifdef CONFIG_X86_32 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu) -+{ -+ struct desc_struct d; -+ -+ if (likely(limit)) -+ limit = (limit - 1UL) >> PAGE_SHIFT; -+ pack_descriptor(&d, base, limit, 0xFB, 0xC); -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S); -+} -+#endif -+ - #endif /* _ASM_X86_DESC_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/device.h linux-2.6.39.3/arch/x86/include/asm/device.h ---- linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400 -@@ -6,7 +6,7 @@ struct dev_archdata { - void *acpi_handle; - #endif - #ifdef CONFIG_X86_64 --struct dma_map_ops *dma_ops; -+ const struct dma_map_ops *dma_ops; - #endif - #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU) - void *iommu; /* hook for IOMMU specific extension */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h ---- linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400 -@@ -26,9 +26,9 @@ extern int iommu_merge; - extern struct device x86_dma_fallback_dev; - extern int panic_on_overflow; - --extern struct dma_map_ops *dma_ops; -+extern const struct dma_map_ops *dma_ops; - --static inline struct dma_map_ops *get_dma_ops(struct device *dev) -+static inline const struct dma_map_ops *get_dma_ops(struct device *dev) - { - #ifdef CONFIG_X86_32 - return dma_ops; -@@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm - /* Make sure we keep the same behaviour */ - static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - if (ops->mapping_error) - return ops->mapping_error(dev, dma_addr); - -@@ -115,7 +115,7 @@ static inline void * - dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle, - gfp_t gfp) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - void *memory; - - gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32); -@@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s - static inline void dma_free_coherent(struct device *dev, size_t size, - void *vaddr, dma_addr_t bus) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - WARN_ON(irqs_disabled()); /* for portability */ - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/e820.h linux-2.6.39.3/arch/x86/include/asm/e820.h ---- linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400 -@@ -69,7 +69,7 @@ struct e820map { - #define ISA_START_ADDRESS 0xa0000 - #define ISA_END_ADDRESS 0x100000 - --#define BIOS_BEGIN 0x000a0000 -+#define BIOS_BEGIN 0x000c0000 - #define BIOS_END 0x00100000 - - #define BIOS_ROM_BASE 0xffe00000 -diff -urNp linux-2.6.39.3/arch/x86/include/asm/elf.h linux-2.6.39.3/arch/x86/include/asm/elf.h ---- linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400 -@@ -237,7 +237,25 @@ extern int force_personality32; - the loader. We need to make sure that it is out of the way of the program - that it will "exec", and that there is sufficient room for the brk. */ - -+#ifdef CONFIG_PAX_SEGMEXEC -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2) -+#else - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) -+#endif -+ -+#ifdef CONFIG_PAX_ASLR -+#ifdef CONFIG_X86_32 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL -+ -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16) -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16) -+#else -+#define PAX_ELF_ET_DYN_BASE 0x400000UL -+ -+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3) -+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3) -+#endif -+#endif - - /* This yields a mask that user programs can use to figure out what - instruction set this CPU supports. This could be done in user space, -@@ -291,8 +309,7 @@ do { \ - #define ARCH_DLINFO \ - do { \ - if (vdso_enabled) \ -- NEW_AUX_ENT(AT_SYSINFO_EHDR, \ -- (unsigned long)current->mm->context.vdso); \ -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\ - } while (0) - - #define AT_SYSINFO 32 -@@ -303,7 +320,7 @@ do { \ - - #endif /* !CONFIG_X86_32 */ - --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso) -+#define VDSO_CURRENT_BASE (current->mm->context.vdso) - - #define VDSO_ENTRY \ - ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall)) -@@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s - extern int syscall32_setup_pages(struct linux_binprm *, int exstack); - #define compat_arch_setup_additional_pages syscall32_setup_pages - --extern unsigned long arch_randomize_brk(struct mm_struct *mm); --#define arch_randomize_brk arch_randomize_brk -- - #endif /* _ASM_X86_ELF_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h ---- linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400 -@@ -15,6 +15,6 @@ enum reboot_type { - - extern enum reboot_type reboot_type; - --extern void machine_emergency_restart(void); -+extern void machine_emergency_restart(void) __noreturn; - - #endif /* _ASM_X86_EMERGENCY_RESTART_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/futex.h linux-2.6.39.3/arch/x86/include/asm/futex.h ---- linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,16 +12,18 @@ - #include <asm/system.h> - - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \ -+ typecheck(u32 *, uaddr); \ - asm volatile("1:\t" insn "\n" \ - "2:\t.section .fixup,\"ax\"\n" \ - "3:\tmov\t%3, %1\n" \ - "\tjmp\t2b\n" \ - "\t.previous\n" \ - _ASM_EXTABLE(1b, 3b) \ -- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \ -+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\ - : "i" (-EFAULT), "0" (oparg), "1" (0)) - - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \ -+ typecheck(u32 *, uaddr); \ - asm volatile("1:\tmovl %2, %0\n" \ - "\tmovl\t%0, %3\n" \ - "\t" insn "\n" \ -@@ -34,7 +36,7 @@ - _ASM_EXTABLE(1b, 4b) \ - _ASM_EXTABLE(2b, 4b) \ - : "=&a" (oldval), "=&r" (ret), \ -- "+m" (*uaddr), "=&r" (tem) \ -+ "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \ - : "r" (oparg), "i" (-EFAULT), "1" (0)) - - static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) -@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser - - switch (op) { - case FUTEX_OP_SET: -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg); -+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg); - break; - case FUTEX_OP_ADD: -- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval, -+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval, - uaddr, oparg); - break; - case FUTEX_OP_OR: -@@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) - return -EFAULT; - -- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" -+ asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n" - "2:\t.section .fixup, \"ax\"\n" - "3:\tmov %3, %0\n" - "\tjmp 2b\n" - "\t.previous\n" - _ASM_EXTABLE(1b, 3b) -- : "+r" (ret), "=a" (oldval), "+m" (*uaddr) -+ : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr)) - : "i" (-EFAULT), "r" (newval), "1" (oldval) - : "memory" - ); -diff -urNp linux-2.6.39.3/arch/x86/include/asm/hw_irq.h linux-2.6.39.3/arch/x86/include/asm/hw_irq.h ---- linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400 -@@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void); - extern void enable_IO_APIC(void); - - /* Statistics */ --extern atomic_t irq_err_count; --extern atomic_t irq_mis_count; -+extern atomic_unchecked_t irq_err_count; -+extern atomic_unchecked_t irq_mis_count; - - /* EISA */ - extern void eisa_set_level_irq(unsigned int irq); -diff -urNp linux-2.6.39.3/arch/x86/include/asm/i387.h linux-2.6.39.3/arch/x86/include/asm/i387.h ---- linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400 -@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc - { - int err; - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE) -+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE); -+#endif -+ - /* See comment in fxsave() below. */ - #ifdef CONFIG_AS_FXSAVEQ - asm volatile("1: fxrstorq %[fx]\n\t" -@@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38 - { - int err; - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE) -+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE); -+#endif -+ - /* - * Clear the bytes not touched by the fxsave and reserved - * for the SW usage. -@@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu - #endif /* CONFIG_X86_64 */ - - /* We need a safe address that is cheap to find and that is already -- in L1 during context switch. The best choices are unfortunately -- different for UP and SMP */ --#ifdef CONFIG_SMP --#define safe_address (__per_cpu_offset[0]) --#else --#define safe_address (kstat_cpu(0).cpustat.user) --#endif -+ in L1 during context switch. */ -+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0) - - /* - * These must be called with preempt disabled -@@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void - struct thread_info *me = current_thread_info(); - preempt_disable(); - if (me->status & TS_USEDFPU) -- __save_init_fpu(me->task); -+ __save_init_fpu(current); - else - clts(); - } -diff -urNp linux-2.6.39.3/arch/x86/include/asm/io.h linux-2.6.39.3/arch/x86/include/asm/io.h ---- linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400 -@@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void); - - #include <linux/vmalloc.h> - -+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE -+static inline int valid_phys_addr_range(unsigned long addr, size_t count) -+{ -+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0; -+} -+ -+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count) -+{ -+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0; -+} -+ - /* - * Convert a virtual cached pointer to an uncached pointer - */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/iommu.h linux-2.6.39.3/arch/x86/include/asm/iommu.h ---- linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400 -@@ -1,7 +1,7 @@ - #ifndef _ASM_X86_IOMMU_H - #define _ASM_X86_IOMMU_H - --extern struct dma_map_ops nommu_dma_ops; -+extern const struct dma_map_ops nommu_dma_ops; - extern int force_iommu, no_iommu; - extern int iommu_detected; - extern int iommu_pass_through; -diff -urNp linux-2.6.39.3/arch/x86/include/asm/irqflags.h linux-2.6.39.3/arch/x86/include/asm/irqflags.h ---- linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400 -@@ -140,6 +140,11 @@ static inline unsigned long arch_local_i - sti; \ - sysexit - -+#define GET_CR0_INTO_RDI mov %cr0, %rdi -+#define SET_RDI_INTO_CR0 mov %rdi, %cr0 -+#define GET_CR3_INTO_RDI mov %cr3, %rdi -+#define SET_RDI_INTO_CR3 mov %rdi, %cr3 -+ - #else - #define INTERRUPT_RETURN iret - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit -diff -urNp linux-2.6.39.3/arch/x86/include/asm/kprobes.h linux-2.6.39.3/arch/x86/include/asm/kprobes.h ---- linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400 -@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t; - #define RELATIVEJUMP_SIZE 5 - #define RELATIVECALL_OPCODE 0xe8 - #define RELATIVE_ADDR_SIZE 4 --#define MAX_STACK_SIZE 64 --#define MIN_STACK_SIZE(ADDR) \ -- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \ -- THREAD_SIZE - (unsigned long)(ADDR))) \ -- ? (MAX_STACK_SIZE) \ -- : (((unsigned long)current_thread_info()) + \ -- THREAD_SIZE - (unsigned long)(ADDR))) -+#define MAX_STACK_SIZE 64UL -+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR)) - - #define flush_insn_slot(p) do { } while (0) - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/kvm_host.h linux-2.6.39.3/arch/x86/include/asm/kvm_host.h ---- linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400 -@@ -419,7 +419,7 @@ struct kvm_arch { - unsigned int n_used_mmu_pages; - unsigned int n_requested_mmu_pages; - unsigned int n_max_mmu_pages; -- atomic_t invlpg_counter; -+ atomic_unchecked_t invlpg_counter; - struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES]; - /* - * Hash table of struct kvm_mmu_page. -@@ -599,7 +599,7 @@ struct kvm_arch_async_pf { - bool direct_map; - }; - --extern struct kvm_x86_ops *kvm_x86_ops; -+extern const struct kvm_x86_ops *kvm_x86_ops; - - int kvm_mmu_module_init(void); - void kvm_mmu_module_exit(void); -diff -urNp linux-2.6.39.3/arch/x86/include/asm/local.h linux-2.6.39.3/arch/x86/include/asm/local.h ---- linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400 -@@ -18,26 +18,58 @@ typedef struct { - - static inline void local_inc(local_t *l) - { -- asm volatile(_ASM_INC "%0" -+ asm volatile(_ASM_INC "%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_DEC "%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (l->a.counter)); - } - - static inline void local_dec(local_t *l) - { -- asm volatile(_ASM_DEC "%0" -+ asm volatile(_ASM_DEC "%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_INC "%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (l->a.counter)); - } - - static inline void local_add(long i, local_t *l) - { -- asm volatile(_ASM_ADD "%1,%0" -+ asm volatile(_ASM_ADD "%1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_SUB "%1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (l->a.counter) - : "ir" (i)); - } - - static inline void local_sub(long i, local_t *l) - { -- asm volatile(_ASM_SUB "%1,%0" -+ asm volatile(_ASM_SUB "%1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_ADD "%1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (l->a.counter) - : "ir" (i)); - } -@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon - { - unsigned char c; - -- asm volatile(_ASM_SUB "%2,%0; sete %1" -+ asm volatile(_ASM_SUB "%2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_ADD "%2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "+m" (l->a.counter), "=qm" (c) - : "ir" (i) : "memory"); - return c; -@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc - { - unsigned char c; - -- asm volatile(_ASM_DEC "%0; sete %1" -+ asm volatile(_ASM_DEC "%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_INC "%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "+m" (l->a.counter), "=qm" (c) - : : "memory"); - return c != 0; -@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc - { - unsigned char c; - -- asm volatile(_ASM_INC "%0; sete %1" -+ asm volatile(_ASM_INC "%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_DEC "%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sete %1\n" - : "+m" (l->a.counter), "=qm" (c) - : : "memory"); - return c != 0; -@@ -110,7 +169,16 @@ static inline int local_add_negative(lon - { - unsigned char c; - -- asm volatile(_ASM_ADD "%2,%0; sets %1" -+ asm volatile(_ASM_ADD "%2,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_SUB "%2,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ "sets %1\n" - : "+m" (l->a.counter), "=qm" (c) - : "ir" (i) : "memory"); - return c; -@@ -133,7 +201,15 @@ static inline long local_add_return(long - #endif - /* Modern 486+ processor */ - __i = i; -- asm volatile(_ASM_XADD "%0, %1;" -+ asm volatile(_ASM_XADD "%0, %1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ _ASM_MOV "%0,%1\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+r" (i), "+m" (l->a.counter) - : : "memory"); - return i + __i; -diff -urNp linux-2.6.39.3/arch/x86/include/asm/mce.h linux-2.6.39.3/arch/x86/include/asm/mce.h ---- linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400 -@@ -198,7 +198,7 @@ int mce_notify_irq(void); - void mce_notify_process(void); - - DECLARE_PER_CPU(struct mce, injectm); --extern struct file_operations mce_chrdev_ops; -+extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */ - - /* - * Exception handler -diff -urNp linux-2.6.39.3/arch/x86/include/asm/microcode.h linux-2.6.39.3/arch/x86/include/asm/microcode.h ---- linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,13 +12,13 @@ struct device; - enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND }; - - struct microcode_ops { -- enum ucode_state (*request_microcode_user) (int cpu, -+ enum ucode_state (* const request_microcode_user) (int cpu, - const void __user *buf, size_t size); - -- enum ucode_state (*request_microcode_fw) (int cpu, -+ enum ucode_state (* const request_microcode_fw) (int cpu, - struct device *device); - -- void (*microcode_fini_cpu) (int cpu); -+ void (* const microcode_fini_cpu) (int cpu); - - /* - * The generic 'microcode_core' part guarantees that -@@ -38,16 +38,16 @@ struct ucode_cpu_info { - extern struct ucode_cpu_info ucode_cpu_info[]; - - #ifdef CONFIG_MICROCODE_INTEL --extern struct microcode_ops * __init init_intel_microcode(void); -+extern const struct microcode_ops * __init init_intel_microcode(void); - #else --static inline struct microcode_ops * __init init_intel_microcode(void) -+static inline const struct microcode_ops * __init init_intel_microcode(void) - { - return NULL; - } - #endif /* CONFIG_MICROCODE_INTEL */ - - #ifdef CONFIG_MICROCODE_AMD --extern struct microcode_ops * __init init_amd_microcode(void); -+extern const struct microcode_ops * __init init_amd_microcode(void); - - static inline void get_ucode_data(void *to, const u8 *from, size_t n) - { -@@ -55,7 +55,7 @@ static inline void get_ucode_data(void * - } - - #else --static inline struct microcode_ops * __init init_amd_microcode(void) -+static inline const struct microcode_ops * __init init_amd_microcode(void) - { - return NULL; - } -diff -urNp linux-2.6.39.3/arch/x86/include/asm/mman.h linux-2.6.39.3/arch/x86/include/asm/mman.h ---- linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400 -@@ -5,4 +5,14 @@ - - #include <asm-generic/mman.h> - -+#ifdef __KERNEL__ -+#ifndef __ASSEMBLY__ -+#ifdef CONFIG_X86_32 -+#define arch_mmap_check i386_mmap_check -+int i386_mmap_check(unsigned long addr, unsigned long len, -+ unsigned long flags); -+#endif -+#endif -+#endif -+ - #endif /* _ASM_X86_MMAN_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu_context.h linux-2.6.39.3/arch/x86/include/asm/mmu_context.h ---- linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400 -@@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m - - static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) - { -+ -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ unsigned int i; -+ pgd_t *pgd; -+ -+ pax_open_kernel(); -+ pgd = get_cpu_pgd(smp_processor_id()); -+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) -+ if (paravirt_enabled()) -+ set_pgd(pgd+i, native_make_pgd(0)); -+ else -+ pgd[i] = native_make_pgd(0); -+ pax_close_kernel(); -+#endif -+ - #ifdef CONFIG_SMP - if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK) - percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); -@@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s - struct task_struct *tsk) - { - unsigned cpu = smp_processor_id(); -+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) -+ int tlbstate = TLBSTATE_OK; -+#endif - - if (likely(prev != next)) { - #ifdef CONFIG_SMP -+#ifdef CONFIG_X86_32 -+ tlbstate = percpu_read(cpu_tlbstate.state); -+#endif - percpu_write(cpu_tlbstate.state, TLBSTATE_OK); - percpu_write(cpu_tlbstate.active_mm, next); - #endif - cpumask_set_cpu(cpu, mm_cpumask(next)); - - /* Re-load page tables */ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ pax_open_kernel(); -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS); -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS); -+ pax_close_kernel(); -+ load_cr3(get_cpu_pgd(cpu)); -+#else - load_cr3(next->pgd); -+#endif - - /* stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); -@@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s - */ - if (unlikely(prev->context.ldt != next->context.ldt)) - load_LDT_nolock(&next->context); -- } -+ -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) -+ if (!(__supported_pte_mask & _PAGE_NX)) { -+ smp_mb__before_clear_bit(); -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask); -+ smp_mb__after_clear_bit(); -+ cpu_set(cpu, next->context.cpu_user_cs_mask); -+ } -+#endif -+ -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base || -+ prev->context.user_cs_limit != next->context.user_cs_limit)) -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); - #ifdef CONFIG_SMP -+ else if (unlikely(tlbstate != TLBSTATE_OK)) -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); -+#endif -+#endif -+ -+ } - else { -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ pax_open_kernel(); -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS); -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS); -+ pax_close_kernel(); -+ load_cr3(get_cpu_pgd(cpu)); -+#endif -+ -+#ifdef CONFIG_SMP - percpu_write(cpu_tlbstate.state, TLBSTATE_OK); - BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next); - -@@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. - */ -+ -+#ifndef CONFIG_PAX_PER_CPU_PGD - load_cr3(next->pgd); -+#endif -+ - load_LDT_nolock(&next->context); -+ -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) -+ if (!(__supported_pte_mask & _PAGE_NX)) -+ cpu_set(cpu, next->context.cpu_user_cs_mask); -+#endif -+ -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX))) -+#endif -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); -+#endif -+ - } -- } - #endif -+ } - } - - #define activate_mm(prev, next) \ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu.h linux-2.6.39.3/arch/x86/include/asm/mmu.h ---- linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400 -@@ -9,10 +9,22 @@ - * we put the segment information here. - */ - typedef struct { -- void *ldt; -+ struct desc_struct *ldt; - int size; - struct mutex lock; -- void *vdso; -+ unsigned long vdso; -+ -+#ifdef CONFIG_X86_32 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) -+ unsigned long user_cs_base; -+ unsigned long user_cs_limit; -+ -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) -+ cpumask_t cpu_user_cs_mask; -+#endif -+ -+#endif -+#endif - - #ifdef CONFIG_X86_64 - /* True if mm supports a task running in 32 bit compatibility mode. */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/module.h linux-2.6.39.3/arch/x86/include/asm/module.h ---- linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400 -@@ -5,6 +5,7 @@ - - #ifdef CONFIG_X86_64 - /* X86_64 does not define MODULE_PROC_FAMILY */ -+#define MODULE_PROC_FAMILY "" - #elif defined CONFIG_M386 - #define MODULE_PROC_FAMILY "386 " - #elif defined CONFIG_M486 -@@ -59,8 +60,30 @@ - #error unknown processor family - #endif - --#ifdef CONFIG_X86_32 --# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+#define MODULE_PAX_UDEREF "UDEREF " -+#else -+#define MODULE_PAX_UDEREF "" -+#endif -+ -+#ifdef CONFIG_PAX_KERNEXEC -+#define MODULE_PAX_KERNEXEC "KERNEXEC " -+#else -+#define MODULE_PAX_KERNEXEC "" - #endif - -+#ifdef CONFIG_PAX_REFCOUNT -+#define MODULE_PAX_REFCOUNT "REFCOUNT " -+#else -+#define MODULE_PAX_REFCOUNT "" -+#endif -+ -+#ifdef CONFIG_GRKERNSEC -+#define MODULE_GRSEC "GRSECURITY " -+#else -+#define MODULE_GRSEC "" -+#endif -+ -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT -+ - #endif /* _ASM_X86_MODULE_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/page_64_types.h linux-2.6.39.3/arch/x86/include/asm/page_64_types.h ---- linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -56,7 +56,7 @@ void copy_page(void *to, void *from); - - /* duplicated to the one in bootmem.h */ - extern unsigned long max_pfn; --extern unsigned long phys_base; -+extern const unsigned long phys_base; - - extern unsigned long __phys_addr(unsigned long); - #define __phys_reloc_hide(x) (x) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt.h linux-2.6.39.3/arch/x86/include/asm/paravirt.h ---- linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400 -@@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned - pv_mmu_ops.set_fixmap(idx, phys, flags); - } - -+#ifdef CONFIG_PAX_KERNEXEC -+static inline unsigned long pax_open_kernel(void) -+{ -+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel); -+} -+ -+static inline unsigned long pax_close_kernel(void) -+{ -+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel); -+} -+#else -+static inline unsigned long pax_open_kernel(void) { return 0; } -+static inline unsigned long pax_close_kernel(void) { return 0; } -+#endif -+ - #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS) - - static inline int arch_spin_is_locked(struct arch_spinlock *lock) -@@ -955,7 +970,7 @@ extern void default_banner(void); - - #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4) - #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4) --#define PARA_INDIRECT(addr) *%cs:addr -+#define PARA_INDIRECT(addr) *%ss:addr - #endif - - #define INTERRUPT_RETURN \ -@@ -1032,6 +1047,21 @@ extern void default_banner(void); - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \ - CLBR_NONE, \ - jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit)) -+ -+#define GET_CR0_INTO_RDI \ -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \ -+ mov %rax,%rdi -+ -+#define SET_RDI_INTO_CR0 \ -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0) -+ -+#define GET_CR3_INTO_RDI \ -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \ -+ mov %rax,%rdi -+ -+#define SET_RDI_INTO_CR3 \ -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3) -+ - #endif /* CONFIG_X86_32 */ - - #endif /* __ASSEMBLY__ */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h ---- linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -317,6 +317,12 @@ struct pv_mmu_ops { - an mfn. We can tell which is which from the index. */ - void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx, - phys_addr_t phys, pgprot_t flags); -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ unsigned long (*pax_open_kernel)(void); -+ unsigned long (*pax_close_kernel)(void); -+#endif -+ - }; - - struct arch_spinlock; -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pci_x86.h linux-2.6.39.3/arch/x86/include/asm/pci_x86.h ---- linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400 -@@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct - extern void (*pcibios_disable_irq)(struct pci_dev *dev); - - struct pci_raw_ops { -- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn, -+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn, - int reg, int len, u32 *val); -- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn, -+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn, - int reg, int len, u32 val); - }; - --extern struct pci_raw_ops *raw_pci_ops; --extern struct pci_raw_ops *raw_pci_ext_ops; -+extern const struct pci_raw_ops *raw_pci_ops; -+extern const struct pci_raw_ops *raw_pci_ext_ops; - --extern struct pci_raw_ops pci_direct_conf1; -+extern const struct pci_raw_ops pci_direct_conf1; - extern bool port_cf9_safe; - - /* arch_initcall level */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgalloc.h linux-2.6.39.3/arch/x86/include/asm/pgalloc.h ---- linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400 -@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s - pmd_t *pmd, pte_t *pte) - { - paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT); -+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE)); -+} -+ -+static inline void pmd_populate_user(struct mm_struct *mm, -+ pmd_t *pmd, pte_t *pte) -+{ -+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT); - set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE)); - } - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400 -@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t - - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) - { -+ pax_open_kernel(); - *pmdp = pmd; -+ pax_close_kernel(); - } - - static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -25,9 +25,6 @@ - struct mm_struct; - struct vm_area_struct; - --extern pgd_t swapper_pg_dir[1024]; --extern pgd_t initial_page_table[1024]; -- - static inline void pgtable_cache_init(void) { } - static inline void check_pgt_cache(void) { } - void paging_init(void); -@@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u - # include <asm/pgtable-2level.h> - #endif - -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; -+extern pgd_t initial_page_table[PTRS_PER_PGD]; -+#ifdef CONFIG_X86_PAE -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD]; -+#endif -+ - #if defined(CONFIG_HIGHPTE) - #define pte_offset_map(dir, address) \ - ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \ -@@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u - /* Clear a kernel PTE and flush it from the TLB */ - #define kpte_clear_flush(ptep, vaddr) \ - do { \ -+ pax_open_kernel(); \ - pte_clear(&init_mm, (vaddr), (ptep)); \ -+ pax_close_kernel(); \ - __flush_tlb_one((vaddr)); \ - } while (0) - -@@ -74,6 +79,9 @@ do { \ - - #endif /* !__ASSEMBLY__ */ - -+#define HAVE_ARCH_UNMAPPED_AREA -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN -+ - /* - * kern_addr_valid() is (1) for FLATMEM and (0) for - * SPARSEMEM and DISCONTIGMEM -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -8,7 +8,7 @@ - */ - #ifdef CONFIG_X86_PAE - # include <asm/pgtable-3level_types.h> --# define PMD_SIZE (1UL << PMD_SHIFT) -+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT) - # define PMD_MASK (~(PMD_SIZE - 1)) - #else - # include <asm/pgtable-2level_types.h> -@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set - # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE) - #endif - -+#ifdef CONFIG_PAX_KERNEXEC -+#ifndef __ASSEMBLY__ -+extern unsigned char MODULES_EXEC_VADDR[]; -+extern unsigned char MODULES_EXEC_END[]; -+#endif -+#include <asm/boot.h> -+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET) -+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET) -+#else -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) -+#endif -+ - #define MODULES_VADDR VMALLOC_START - #define MODULES_END VMALLOC_END - #define MODULES_LEN (MODULES_VADDR - MODULES_END) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400 -@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic - - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) - { -+ pax_open_kernel(); - set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd)); -+ pax_close_kernel(); - } - - static inline void native_set_pud(pud_t *pudp, pud_t pud) - { -+ pax_open_kernel(); - set_64bit((unsigned long long *)(pudp), native_pud_val(pud)); -+ pax_close_kernel(); - } - - /* -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -16,10 +16,13 @@ - - extern pud_t level3_kernel_pgt[512]; - extern pud_t level3_ident_pgt[512]; -+extern pud_t level3_vmalloc_pgt[512]; -+extern pud_t level3_vmemmap_pgt[512]; -+extern pud_t level2_vmemmap_pgt[512]; - extern pmd_t level2_kernel_pgt[512]; - extern pmd_t level2_fixmap_pgt[512]; --extern pmd_t level2_ident_pgt[512]; --extern pgd_t init_level4_pgt[]; -+extern pmd_t level2_ident_pgt[512*2]; -+extern pgd_t init_level4_pgt[512]; - - #define swapper_pg_dir init_level4_pgt - -@@ -61,7 +64,9 @@ static inline void native_set_pte_atomic - - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) - { -+ pax_open_kernel(); - *pmdp = pmd; -+ pax_close_kernel(); - } - - static inline void native_pmd_clear(pmd_t *pmd) -@@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_ - - static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) - { -+ pax_open_kernel(); - *pgdp = pgd; -+ pax_close_kernel(); - } - - static inline void native_pgd_clear(pgd_t *pgd) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t; - #define MODULES_VADDR _AC(0xffffffffa0000000, UL) - #define MODULES_END _AC(0xffffffffff000000, UL) - #define MODULES_LEN (MODULES_END - MODULES_VADDR) -+#define MODULES_EXEC_VADDR MODULES_VADDR -+#define MODULES_EXEC_END MODULES_END -+ -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) - - #endif /* _ASM_X86_PGTABLE_64_DEFS_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable.h linux-2.6.39.3/arch/x86/include/asm/pgtable.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400 -@@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm - - #define arch_end_context_switch(prev) do {} while(0) - -+#define pax_open_kernel() native_pax_open_kernel() -+#define pax_close_kernel() native_pax_close_kernel() - #endif /* CONFIG_PARAVIRT */ - -+#define __HAVE_ARCH_PAX_OPEN_KERNEL -+#define __HAVE_ARCH_PAX_CLOSE_KERNEL -+ -+#ifdef CONFIG_PAX_KERNEXEC -+static inline unsigned long native_pax_open_kernel(void) -+{ -+ unsigned long cr0; -+ -+ preempt_disable(); -+ barrier(); -+ cr0 = read_cr0() ^ X86_CR0_WP; -+ BUG_ON(unlikely(cr0 & X86_CR0_WP)); -+ write_cr0(cr0); -+ return cr0 ^ X86_CR0_WP; -+} -+ -+static inline unsigned long native_pax_close_kernel(void) -+{ -+ unsigned long cr0; -+ -+ cr0 = read_cr0() ^ X86_CR0_WP; -+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP))); -+ write_cr0(cr0); -+ barrier(); -+ preempt_enable_no_resched(); -+ return cr0 ^ X86_CR0_WP; -+} -+#else -+static inline unsigned long native_pax_open_kernel(void) { return 0; } -+static inline unsigned long native_pax_close_kernel(void) { return 0; } -+#endif -+ - /* - * The following only work if pte_present() is true. - * Undefined behaviour if not.. - */ -+static inline int pte_user(pte_t pte) -+{ -+ return pte_val(pte) & _PAGE_USER; -+} -+ - static inline int pte_dirty(pte_t pte) - { - return pte_flags(pte) & _PAGE_DIRTY; -@@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t - return pte_clear_flags(pte, _PAGE_RW); - } - -+static inline pte_t pte_mkread(pte_t pte) -+{ -+ return __pte(pte_val(pte) | _PAGE_USER); -+} -+ - static inline pte_t pte_mkexec(pte_t pte) - { -- return pte_clear_flags(pte, _PAGE_NX); -+#ifdef CONFIG_X86_PAE -+ if (__supported_pte_mask & _PAGE_NX) -+ return pte_clear_flags(pte, _PAGE_NX); -+ else -+#endif -+ return pte_set_flags(pte, _PAGE_USER); -+} -+ -+static inline pte_t pte_exprotect(pte_t pte) -+{ -+#ifdef CONFIG_X86_PAE -+ if (__supported_pte_mask & _PAGE_NX) -+ return pte_set_flags(pte, _PAGE_NX); -+ else -+#endif -+ return pte_clear_flags(pte, _PAGE_USER); - } - - static inline pte_t pte_mkdirty(pte_t pte) -@@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long - #endif - - #ifndef __ASSEMBLY__ -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD]; -+static inline pgd_t *get_cpu_pgd(unsigned int cpu) -+{ -+ return cpu_pgd[cpu]; -+} -+#endif -+ - #include <linux/mm_types.h> - - static inline int pte_none(pte_t pte) -@@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p - - static inline int pgd_bad(pgd_t pgd) - { -- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE; -+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE; - } - - static inline int pgd_none(pgd_t pgd) -@@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd) - * pgd_offset() returns a (pgd_t *) - * pgd_index() is used get the offset into the pgd page's array of pgd_t's; - */ --#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address))) -+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address)) -+#endif -+ - /* - * a shortcut which implies the use of the kernel's pgd, instead - * of a process's -@@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd) - #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) - #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) - -+#ifdef CONFIG_X86_32 -+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY -+#else -+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT -+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT)) -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT) -+#else -+#define PAX_USER_SHADOW_BASE (_AC(0,UL)) -+#endif -+ -+#endif -+ - #ifndef __ASSEMBLY__ - - extern int direct_gbpages; -@@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st - * dst and src can be on the same page, but the range must not overlap, - * and must not cross a page boundary. - */ --static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count) -+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count) - { -- memcpy(dst, src, count * sizeof(pgd_t)); -+ pax_open_kernel(); -+ while (count--) -+ *dst++ = *src++; -+ pax_close_kernel(); - } - -+#ifdef CONFIG_PAX_PER_CPU_PGD -+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count); -+#endif -+ -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count); -+#else -+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {} -+#endif - - #include <asm-generic/pgtable.h> - #endif /* __ASSEMBLY__ */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h ---- linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400 -@@ -16,13 +16,12 @@ - #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */ - #define _PAGE_BIT_PAT 7 /* on 4KB pages */ - #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */ --#define _PAGE_BIT_UNUSED1 9 /* available for programmer */ -+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */ - #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */ - #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */ - #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */ --#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1 --#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1 --#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */ -+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL -+#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */ - #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */ - - /* If _PAGE_BIT_PRESENT is clear, we use these: */ -@@ -40,7 +39,6 @@ - #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY) - #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE) - #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL) --#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1) - #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP) - #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT) - #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE) -@@ -57,8 +55,10 @@ - - #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) - #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX) --#else -+#elif defined(CONFIG_KMEMCHECK) - #define _PAGE_NX (_AT(pteval_t, 0)) -+#else -+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN) - #endif - - #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE) -@@ -96,6 +96,9 @@ - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \ - _PAGE_ACCESSED) - -+#define PAGE_READONLY_NOEXEC PAGE_READONLY -+#define PAGE_SHARED_NOEXEC PAGE_SHARED -+ - #define __PAGE_KERNEL_EXEC \ - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL) - #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX) -@@ -106,8 +109,8 @@ - #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC) - #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT) - #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD) --#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER) --#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT) -+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER) -+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER) - #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE) - #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE) - #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE) -@@ -166,8 +169,8 @@ - * bits are combined, this will alow user to access the high address mapped - * VDSO in the presence of CONFIG_COMPAT_VDSO - */ --#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */ --#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */ -+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */ -+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */ - #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */ - #endif - -@@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p - { - return native_pgd_val(pgd) & PTE_FLAGS_MASK; - } -+#endif - -+#if PAGETABLE_LEVELS == 3 -+#include <asm-generic/pgtable-nopud.h> -+#endif -+ -+#if PAGETABLE_LEVELS == 2 -+#include <asm-generic/pgtable-nopmd.h> -+#endif -+ -+#ifndef __ASSEMBLY__ - #if PAGETABLE_LEVELS > 3 - typedef struct { pudval_t pud; } pud_t; - -@@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu - return pud.pud; - } - #else --#include <asm-generic/pgtable-nopud.h> -- - static inline pudval_t native_pud_val(pud_t pud) - { - return native_pgd_val(pud.pgd); -@@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm - return pmd.pmd; - } - #else --#include <asm-generic/pgtable-nopmd.h> -- - static inline pmdval_t native_pmd_val(pmd_t pmd) - { - return native_pgd_val(pmd.pud.pgd); -@@ -281,7 +290,6 @@ typedef struct page *pgtable_t; - - extern pteval_t __supported_pte_mask; - extern void set_nx(void); --extern int nx_enabled; - - #define pgprot_writecombine pgprot_writecombine - extern pgprot_t pgprot_writecombine(pgprot_t prot); -diff -urNp linux-2.6.39.3/arch/x86/include/asm/processor.h linux-2.6.39.3/arch/x86/include/asm/processor.h ---- linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400 -@@ -266,7 +266,7 @@ struct tss_struct { - - } ____cacheline_aligned; - --DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss); -+extern struct tss_struct init_tss[NR_CPUS]; - - /* - * Save the original ist values for checking stack pointers during debugging -@@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co - */ - #define TASK_SIZE PAGE_OFFSET - #define TASK_SIZE_MAX TASK_SIZE -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2) -+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE) -+#else - #define STACK_TOP TASK_SIZE --#define STACK_TOP_MAX STACK_TOP -+#endif -+ -+#define STACK_TOP_MAX TASK_SIZE - - #define INIT_THREAD { \ -- .sp0 = sizeof(init_stack) + (long)&init_stack, \ -+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \ - .vm86_info = NULL, \ - .sysenter_cs = __KERNEL_CS, \ - .io_bitmap_ptr = NULL, \ -@@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co - */ - #define INIT_TSS { \ - .x86_tss = { \ -- .sp0 = sizeof(init_stack) + (long)&init_stack, \ -+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \ - .ss0 = __KERNEL_DS, \ - .ss1 = __KERNEL_CS, \ - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \ -@@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co - extern unsigned long thread_saved_pc(struct task_struct *tsk); - - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long)) --#define KSTK_TOP(info) \ --({ \ -- unsigned long *__ptr = (unsigned long *)(info); \ -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \ --}) -+#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0) - - /* - * The below -8 is to reserve 8 bytes on top of the ring0 stack. -@@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str - #define task_pt_regs(task) \ - ({ \ - struct pt_regs *__regs__; \ -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \ -+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \ - __regs__ - 1; \ - }) - -@@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str - /* - * User space process size. 47bits minus one guard page. - */ --#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE) -+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE) - - /* This decides where the kernel will search for a free chunk of vm - * space during mmap's. - */ - #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \ -- 0xc0000000 : 0xFFFFe000) -+ 0xc0000000 : 0xFFFFf000) - - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \ - IA32_PAGE_OFFSET : TASK_SIZE_MAX) -@@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str - #define STACK_TOP_MAX TASK_SIZE_MAX - - #define INIT_THREAD { \ -- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \ -+ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \ - } - - #define INIT_TSS { \ -- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \ -+ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \ - } - - /* -@@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs - */ - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) - -+#ifdef CONFIG_PAX_SEGMEXEC -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3)) -+#endif -+ - #define KSTK_EIP(task) (task_pt_regs(task)->ip) - - /* Get/set a process' ability to use the timestamp counter instruction */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/ptrace.h linux-2.6.39.3/arch/x86/include/asm/ptrace.h ---- linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400 -@@ -152,28 +152,29 @@ static inline unsigned long regs_return_ - } - - /* -- * user_mode_vm(regs) determines whether a register set came from user mode. -+ * user_mode(regs) determines whether a register set came from user mode. - * This is true if V8086 mode was enabled OR if the register set was from - * protected mode with RPL-3 CS value. This tricky test checks that with - * one comparison. Many places in the kernel can bypass this full check -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used. -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can -+ * be used. - */ --static inline int user_mode(struct pt_regs *regs) -+static inline int user_mode_novm(struct pt_regs *regs) - { - #ifdef CONFIG_X86_32 - return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL; - #else -- return !!(regs->cs & 3); -+ return !!(regs->cs & SEGMENT_RPL_MASK); - #endif - } - --static inline int user_mode_vm(struct pt_regs *regs) -+static inline int user_mode(struct pt_regs *regs) - { - #ifdef CONFIG_X86_32 - return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >= - USER_RPL; - #else -- return user_mode(regs); -+ return user_mode_novm(regs); - #endif - } - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/reboot.h linux-2.6.39.3/arch/x86/include/asm/reboot.h ---- linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400 -@@ -6,19 +6,19 @@ - struct pt_regs; - - struct machine_ops { -- void (*restart)(char *cmd); -- void (*halt)(void); -- void (*power_off)(void); -+ void (* __noreturn restart)(char *cmd); -+ void (* __noreturn halt)(void); -+ void (* __noreturn power_off)(void); - void (*shutdown)(void); - void (*crash_shutdown)(struct pt_regs *); -- void (*emergency_restart)(void); -+ void (* __noreturn emergency_restart)(void); - }; - - extern struct machine_ops machine_ops; - - void native_machine_crash_shutdown(struct pt_regs *regs); - void native_machine_shutdown(void); --void machine_real_restart(unsigned int type); -+void machine_real_restart(unsigned int type) __noreturn; - /* These must match dispatch_table in reboot_32.S */ - #define MRR_BIOS 0 - #define MRR_APM 1 -diff -urNp linux-2.6.39.3/arch/x86/include/asm/rwsem.h linux-2.6.39.3/arch/x86/include/asm/rwsem.h ---- linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400 -@@ -64,6 +64,14 @@ static inline void __down_read(struct rw - { - asm volatile("# beginning down_read\n\t" - LOCK_PREFIX _ASM_INC "(%1)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX _ASM_DEC "(%1)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - /* adds 0x00000001 */ - " jns 1f\n" - " call call_rwsem_down_read_failed\n" -@@ -85,6 +93,14 @@ static inline int __down_read_trylock(st - "1:\n\t" - " mov %1,%2\n\t" - " add %3,%2\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "sub %3,%2\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - " jle 2f\n\t" - LOCK_PREFIX " cmpxchg %2,%0\n\t" - " jnz 1b\n\t" -@@ -104,6 +120,14 @@ static inline void __down_write_nested(s - long tmp; - asm volatile("# beginning down_write\n\t" - LOCK_PREFIX " xadd %1,(%2)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "mov %1,(%2)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - /* adds 0xffff0001, returns the old value */ - " test %1,%1\n\t" - /* was the count 0 before? */ -@@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s - long tmp; - asm volatile("# beginning __up_read\n\t" - LOCK_PREFIX " xadd %1,(%2)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "mov %1,(%2)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - /* subtracts 1, returns the old value */ - " jns 1f\n\t" - " call call_rwsem_wake\n" /* expects old value in %edx */ -@@ -159,6 +191,14 @@ static inline void __up_write(struct rw_ - long tmp; - asm volatile("# beginning __up_write\n\t" - LOCK_PREFIX " xadd %1,(%2)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "mov %1,(%2)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - /* subtracts 0xffff0001, returns the old value */ - " jns 1f\n\t" - " call call_rwsem_wake\n" /* expects old value in %edx */ -@@ -176,6 +216,14 @@ static inline void __downgrade_write(str - { - asm volatile("# beginning __downgrade_write\n\t" - LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - /* - * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386) - * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64) -@@ -194,7 +242,15 @@ static inline void __downgrade_write(str - */ - static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) - { -- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0" -+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX _ASM_SUB "%1,%0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (sem->count) - : "er" (delta)); - } -@@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l - { - long tmp = delta; - -- asm volatile(LOCK_PREFIX "xadd %0,%1" -+ asm volatile(LOCK_PREFIX "xadd %0,%1\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ "mov %0,%1\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+r" (tmp), "+m" (sem->count) - : : "memory"); - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/segment.h linux-2.6.39.3/arch/x86/include/asm/segment.h ---- linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400 -@@ -64,8 +64,8 @@ - * 26 - ESPFIX small SS - * 27 - per-cpu [ offset to per-cpu data area ] - * 28 - stack_canary-20 [ for stack protector ] -- * 29 - unused -- * 30 - unused -+ * 29 - PCI BIOS CS -+ * 30 - PCI BIOS DS - * 31 - TSS for double fault handler - */ - #define GDT_ENTRY_TLS_MIN 6 -@@ -79,6 +79,8 @@ - - #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0) - -+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4) -+ - #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1) - - #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4) -@@ -104,6 +106,12 @@ - #define __KERNEL_STACK_CANARY 0 - #endif - -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17) -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8) -+ -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18) -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8) -+ - #define GDT_ENTRY_DOUBLEFAULT_TSS 31 - - /* -@@ -141,7 +149,7 @@ - */ - - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */ --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8) -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16) - - - #else -@@ -165,6 +173,8 @@ - #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3) - #define __USER32_DS __USER_DS - -+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7 -+ - #define GDT_ENTRY_TSS 8 /* needs two entries */ - #define GDT_ENTRY_LDT 10 /* needs two entries */ - #define GDT_ENTRY_TLS_MIN 12 -@@ -185,6 +195,7 @@ - #endif - - #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8) -+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8) - #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8) - #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3) - #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/smp.h linux-2.6.39.3/arch/x86/include/asm/smp.h ---- linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400 -@@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_ - /* cpus sharing the last level cache: */ - DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map); - DECLARE_PER_CPU(u16, cpu_llc_id); --DECLARE_PER_CPU(int, cpu_number); -+DECLARE_PER_CPU(unsigned int, cpu_number); - - static inline struct cpumask *cpu_sibling_mask(int cpu) - { -@@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd - extern int safe_smp_processor_id(void); - - #elif defined(CONFIG_X86_64_SMP) --#define raw_smp_processor_id() (percpu_read(cpu_number)) -- --#define stack_smp_processor_id() \ --({ \ -- struct thread_info *ti; \ -- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \ -- ti->cpu; \ --}) -+#define raw_smp_processor_id() (percpu_read(cpu_number)) -+#define stack_smp_processor_id() raw_smp_processor_id() - #define safe_smp_processor_id() smp_processor_id() - - #endif -diff -urNp linux-2.6.39.3/arch/x86/include/asm/spinlock.h linux-2.6.39.3/arch/x86/include/asm/spinlock.h ---- linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400 -@@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar - static inline void arch_read_lock(arch_rwlock_t *rw) - { - asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX " addl $1,(%0)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - "jns 1f\n" - "call __read_lock_failed\n\t" - "1:\n" -@@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r - static inline void arch_write_lock(arch_rwlock_t *rw) - { - asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX " addl %1,(%0)\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - "jz 1f\n" - "call __write_lock_failed\n\t" - "1:\n" -@@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc - - static inline void arch_read_unlock(arch_rwlock_t *rw) - { -- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory"); -+ asm volatile(LOCK_PREFIX "incl %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "decl %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ -+ :"+m" (rw->lock) : : "memory"); - } - - static inline void arch_write_unlock(arch_rwlock_t *rw) - { -- asm volatile(LOCK_PREFIX "addl %1, %0" -+ asm volatile(LOCK_PREFIX "addl %1, %0\n" -+ -+#ifdef CONFIG_PAX_REFCOUNT -+ "jno 0f\n" -+ LOCK_PREFIX "subl %1, %0\n" -+ "int $4\n0:\n" -+ _ASM_EXTABLE(0b, 0b) -+#endif -+ - : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory"); - } - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/stackprotector.h linux-2.6.39.3/arch/x86/include/asm/stackprotector.h ---- linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-07-06 20:00:13.000000000 -0400 -@@ -48,7 +48,7 @@ - * head_32 for boot CPU and setup_per_cpu_areas() for others. - */ - #define GDT_STACK_CANARY_INIT \ -- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18), -+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17), - - /* - * Initialize the stackprotector canary value. -@@ -113,7 +113,7 @@ static inline void setup_stack_canary_se - - static inline void load_stack_canary_segment(void) - { --#ifdef CONFIG_X86_32 -+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF) - asm volatile ("mov %0, %%gs" : : "r" (0)); - #endif - } -diff -urNp linux-2.6.39.3/arch/x86/include/asm/stacktrace.h linux-2.6.39.3/arch/x86/include/asm/stacktrace.h ---- linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400 -@@ -11,28 +11,20 @@ - - extern int kstack_depth_to_print; - --struct thread_info; -+struct task_struct; - struct stacktrace_ops; - --typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo, -- unsigned long *stack, -- unsigned long bp, -- const struct stacktrace_ops *ops, -- void *data, -- unsigned long *end, -- int *graph); -- --extern unsigned long --print_context_stack(struct thread_info *tinfo, -- unsigned long *stack, unsigned long bp, -- const struct stacktrace_ops *ops, void *data, -- unsigned long *end, int *graph); -- --extern unsigned long --print_context_stack_bp(struct thread_info *tinfo, -- unsigned long *stack, unsigned long bp, -- const struct stacktrace_ops *ops, void *data, -- unsigned long *end, int *graph); -+typedef unsigned long walk_stack_t(struct task_struct *task, -+ void *stack_start, -+ unsigned long *stack, -+ unsigned long bp, -+ const struct stacktrace_ops *ops, -+ void *data, -+ unsigned long *end, -+ int *graph); -+ -+extern walk_stack_t print_context_stack; -+extern walk_stack_t print_context_stack_bp; - - /* Generic stack tracer with callbacks */ - -@@ -43,7 +35,7 @@ struct stacktrace_ops { - void (*address)(void *data, unsigned long address, int reliable); - /* On negative return stop dumping */ - int (*stack)(void *data, char *name); -- walk_stack_t walk_stack; -+ walk_stack_t *walk_stack; - }; - - void dump_trace(struct task_struct *tsk, struct pt_regs *regs, -diff -urNp linux-2.6.39.3/arch/x86/include/asm/system.h linux-2.6.39.3/arch/x86/include/asm/system.h ---- linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400 -@@ -129,7 +129,7 @@ do { \ - "call __switch_to\n\t" \ - "movq "__percpu_arg([current_task])",%%rsi\n\t" \ - __switch_canary \ -- "movq %P[thread_info](%%rsi),%%r8\n\t" \ -+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \ - "movq %%rax,%%rdi\n\t" \ - "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \ - "jnz ret_from_fork\n\t" \ -@@ -140,7 +140,7 @@ do { \ - [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \ - [ti_flags] "i" (offsetof(struct thread_info, flags)), \ - [_tif_fork] "i" (_TIF_FORK), \ -- [thread_info] "i" (offsetof(struct task_struct, stack)), \ -+ [thread_info] "m" (current_tinfo), \ - [current_task] "m" (current_task) \ - __switch_canary_iparam \ - : "memory", "cc" __EXTRA_CLOBBER) -@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un - { - unsigned long __limit; - asm("lsll %1,%0" : "=r" (__limit) : "r" (segment)); -- return __limit + 1; -+ return __limit; - } - - static inline void native_clts(void) -@@ -340,12 +340,12 @@ void enable_hlt(void); - - void cpu_idle_wait(void); - --extern unsigned long arch_align_stack(unsigned long sp); -+#define arch_align_stack(x) ((x) & ~0xfUL) - extern void free_init_pages(char *what, unsigned long begin, unsigned long end); - - void default_idle(void); - --void stop_this_cpu(void *dummy); -+void stop_this_cpu(void *dummy) __noreturn; - - /* - * Force strict CPU ordering. -diff -urNp linux-2.6.39.3/arch/x86/include/asm/thread_info.h linux-2.6.39.3/arch/x86/include/asm/thread_info.h ---- linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400 -@@ -10,6 +10,7 @@ - #include <linux/compiler.h> - #include <asm/page.h> - #include <asm/types.h> -+#include <asm/percpu.h> - - /* - * low level task data that entry.S needs immediate access to -@@ -24,7 +25,6 @@ struct exec_domain; - #include <asm/atomic.h> - - struct thread_info { -- struct task_struct *task; /* main task structure */ - struct exec_domain *exec_domain; /* execution domain */ - __u32 flags; /* low level flags */ - __u32 status; /* thread synchronous flags */ -@@ -34,18 +34,12 @@ struct thread_info { - mm_segment_t addr_limit; - struct restart_block restart_block; - void __user *sysenter_return; --#ifdef CONFIG_X86_32 -- unsigned long previous_esp; /* ESP of the previous stack in -- case of nested (IRQ) stacks -- */ -- __u8 supervisor_stack[0]; --#endif -+ unsigned long lowest_stack; - int uaccess_err; - }; - --#define INIT_THREAD_INFO(tsk) \ -+#define INIT_THREAD_INFO \ - { \ -- .task = &tsk, \ - .exec_domain = &default_exec_domain, \ - .flags = 0, \ - .cpu = 0, \ -@@ -56,7 +50,7 @@ struct thread_info { - }, \ - } - --#define init_thread_info (init_thread_union.thread_info) -+#define init_thread_info (init_thread_union.stack) - #define init_stack (init_thread_union.stack) - - #else /* !__ASSEMBLY__ */ -@@ -170,6 +164,23 @@ struct thread_info { - ret; \ - }) - -+#ifdef __ASSEMBLY__ -+/* how to get the thread information struct from ASM */ -+#define GET_THREAD_INFO(reg) \ -+ mov PER_CPU_VAR(current_tinfo), reg -+ -+/* use this one if reg already contains %esp */ -+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg) -+#else -+/* how to get the thread information struct from C */ -+DECLARE_PER_CPU(struct thread_info *, current_tinfo); -+ -+static __always_inline struct thread_info *current_thread_info(void) -+{ -+ return percpu_read_stable(current_tinfo); -+} -+#endif -+ - #ifdef CONFIG_X86_32 - - #define STACK_WARN (THREAD_SIZE/8) -@@ -180,35 +191,13 @@ struct thread_info { - */ - #ifndef __ASSEMBLY__ - -- - /* how to get the current stack pointer from C */ - register unsigned long current_stack_pointer asm("esp") __used; - --/* how to get the thread information struct from C */ --static inline struct thread_info *current_thread_info(void) --{ -- return (struct thread_info *) -- (current_stack_pointer & ~(THREAD_SIZE - 1)); --} -- --#else /* !__ASSEMBLY__ */ -- --/* how to get the thread information struct from ASM */ --#define GET_THREAD_INFO(reg) \ -- movl $-THREAD_SIZE, reg; \ -- andl %esp, reg -- --/* use this one if reg already contains %esp */ --#define GET_THREAD_INFO_WITH_ESP(reg) \ -- andl $-THREAD_SIZE, reg -- - #endif - - #else /* X86_32 */ - --#include <asm/percpu.h> --#define KERNEL_STACK_OFFSET (5*8) -- - /* - * macros/functions for gaining access to the thread information structure - * preempt_count needs to be 1 initially, until the scheduler is functional. -@@ -216,21 +205,8 @@ static inline struct thread_info *curren - #ifndef __ASSEMBLY__ - DECLARE_PER_CPU(unsigned long, kernel_stack); - --static inline struct thread_info *current_thread_info(void) --{ -- struct thread_info *ti; -- ti = (void *)(percpu_read_stable(kernel_stack) + -- KERNEL_STACK_OFFSET - THREAD_SIZE); -- return ti; --} -- --#else /* !__ASSEMBLY__ */ -- --/* how to get the thread information struct from ASM */ --#define GET_THREAD_INFO(reg) \ -- movq PER_CPU_VAR(kernel_stack),reg ; \ -- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg -- -+/* how to get the current stack pointer from C */ -+register unsigned long current_stack_pointer asm("rsp") __used; - #endif - - #endif /* !X86_32 */ -@@ -266,5 +242,16 @@ extern void arch_task_cache_init(void); - extern void free_thread_info(struct thread_info *ti); - extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); - #define arch_task_cache_init arch_task_cache_init -+ -+#define __HAVE_THREAD_FUNCTIONS -+#define task_thread_info(task) (&(task)->tinfo) -+#define task_stack_page(task) ((task)->stack) -+#define setup_thread_stack(p, org) do {} while (0) -+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1) -+ -+#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR -+extern struct task_struct *alloc_task_struct_node(int node); -+extern void free_task_struct(struct task_struct *); -+ - #endif - #endif /* _ASM_X86_THREAD_INFO_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h ---- linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400 -@@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u - static __always_inline unsigned long __must_check - __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) - { -+ pax_track_stack(); -+ -+ if ((long)n < 0) -+ return n; -+ - if (__builtin_constant_p(n)) { - unsigned long ret; - -@@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to, - return ret; - } - } -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); - return __copy_to_user_ll(to, from, n); - } - -@@ -83,12 +90,16 @@ static __always_inline unsigned long __m - __copy_to_user(void __user *to, const void *from, unsigned long n) - { - might_fault(); -+ - return __copy_to_user_inatomic(to, from, n); - } - - static __always_inline unsigned long - __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) - { -+ if ((long)n < 0) -+ return n; -+ - /* Avoid zeroing the tail if the copy fails.. - * If 'n' is constant and 1, 2, or 4, we do still zero on a failure, - * but as the zeroing behaviour is only significant when n is not -@@ -138,6 +149,12 @@ static __always_inline unsigned long - __copy_from_user(void *to, const void __user *from, unsigned long n) - { - might_fault(); -+ -+ pax_track_stack(); -+ -+ if ((long)n < 0) -+ return n; -+ - if (__builtin_constant_p(n)) { - unsigned long ret; - -@@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __ - return ret; - } - } -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); - return __copy_from_user_ll(to, from, n); - } - -@@ -160,6 +179,10 @@ static __always_inline unsigned long __c - const void __user *from, unsigned long n) - { - might_fault(); -+ -+ if ((long)n < 0) -+ return n; -+ - if (__builtin_constant_p(n)) { - unsigned long ret; - -@@ -182,15 +205,19 @@ static __always_inline unsigned long - __copy_from_user_inatomic_nocache(void *to, const void __user *from, - unsigned long n) - { -- return __copy_from_user_ll_nocache_nozero(to, from, n); --} -+ if ((long)n < 0) -+ return n; - --unsigned long __must_check copy_to_user(void __user *to, -- const void *from, unsigned long n); --unsigned long __must_check _copy_from_user(void *to, -- const void __user *from, -- unsigned long n); -+ return __copy_from_user_ll_nocache_nozero(to, from, n); -+} - -+extern void copy_to_user_overflow(void) -+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS -+ __compiletime_error("copy_to_user() buffer size is not provably correct") -+#else -+ __compiletime_warning("copy_to_user() buffer size is not provably correct") -+#endif -+; - - extern void copy_from_user_overflow(void) - #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS -@@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void - #endif - ; - --static inline unsigned long __must_check copy_from_user(void *to, -- const void __user *from, -- unsigned long n) -+/** -+ * copy_to_user: - Copy a block of data into user space. -+ * @to: Destination address, in user space. -+ * @from: Source address, in kernel space. -+ * @n: Number of bytes to copy. -+ * -+ * Context: User context only. This function may sleep. -+ * -+ * Copy data from kernel space to user space. -+ * -+ * Returns number of bytes that could not be copied. -+ * On success, this will be zero. -+ */ -+static inline unsigned long __must_check -+copy_to_user(void __user *to, const void *from, unsigned long n) -+{ -+ int sz = __compiletime_object_size(from); -+ -+ if (unlikely(sz != -1 && sz < n)) -+ copy_to_user_overflow(); -+ else if (access_ok(VERIFY_WRITE, to, n)) -+ n = __copy_to_user(to, from, n); -+ return n; -+} -+ -+/** -+ * copy_from_user: - Copy a block of data from user space. -+ * @to: Destination address, in kernel space. -+ * @from: Source address, in user space. -+ * @n: Number of bytes to copy. -+ * -+ * Context: User context only. This function may sleep. -+ * -+ * Copy data from user space to kernel space. -+ * -+ * Returns number of bytes that could not be copied. -+ * On success, this will be zero. -+ * -+ * If some data could not be copied, this function will pad the copied -+ * data to the requested size using zero bytes. -+ */ -+static inline unsigned long __must_check -+copy_from_user(void *to, const void __user *from, unsigned long n) - { - int sz = __compiletime_object_size(to); - -- if (likely(sz == -1 || sz >= n)) -- n = _copy_from_user(to, from, n); -- else -+ if (unlikely(sz != -1 && sz < n)) - copy_from_user_overflow(); -- -+ else if (access_ok(VERIFY_READ, from, n)) -+ n = __copy_from_user(to, from, n); -+ else if ((long)n > 0) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ memset(to, 0, n); -+ } - return n; - } - -diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h ---- linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400 -@@ -11,6 +11,9 @@ - #include <asm/alternative.h> - #include <asm/cpufeature.h> - #include <asm/page.h> -+#include <asm/pgtable.h> -+ -+#define set_fs(x) (current_thread_info()->addr_limit = (x)) - - /* - * Copy To/From Userspace -@@ -37,26 +40,26 @@ copy_user_generic(void *to, const void * - return ret; - } - --__must_check unsigned long --_copy_to_user(void __user *to, const void *from, unsigned len); --__must_check unsigned long --_copy_from_user(void *to, const void __user *from, unsigned len); -+static __always_inline __must_check unsigned long -+__copy_to_user(void __user *to, const void *from, unsigned len); -+static __always_inline __must_check unsigned long -+__copy_from_user(void *to, const void __user *from, unsigned len); - __must_check unsigned long - copy_in_user(void __user *to, const void __user *from, unsigned len); - - static inline unsigned long __must_check copy_from_user(void *to, - const void __user *from, -- unsigned long n) -+ unsigned n) - { -- int sz = __compiletime_object_size(to); -- - might_fault(); -- if (likely(sz == -1 || sz >= n)) -- n = _copy_from_user(to, from, n); --#ifdef CONFIG_DEBUG_VM -- else -- WARN(1, "Buffer overflow detected!\n"); --#endif -+ -+ if (access_ok(VERIFY_READ, from, n)) -+ n = __copy_from_user(to, from, n); -+ else if ((int)n > 0) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); -+ memset(to, 0, n); -+ } - return n; - } - -@@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const - { - might_fault(); - -- return _copy_to_user(dst, src, size); -+ if (access_ok(VERIFY_WRITE, dst, size)) -+ size = __copy_to_user(dst, src, size); -+ return size; - } - - static __always_inline __must_check --int __copy_from_user(void *dst, const void __user *src, unsigned size) -+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size) - { -- int ret = 0; -+ int sz = __compiletime_object_size(dst); -+ unsigned ret = 0; - - might_fault(); -- if (!__builtin_constant_p(size)) -- return copy_user_generic(dst, (__force void *)src, size); -+ -+ pax_track_stack(); -+ -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+#endif -+ -+ if (unlikely(sz != -1 && sz < size)) { -+#ifdef CONFIG_DEBUG_VM -+ WARN(1, "Buffer overflow detected!\n"); -+#endif -+ return size; -+ } -+ -+ if (!__builtin_constant_p(size)) { -+ check_object_size(dst, size, false); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic(dst, (__force const void *)src, size); -+ } - switch (size) { -- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src, -+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src, - ret, "b", "b", "=q", 1); - return ret; -- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src, -+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src, - ret, "w", "w", "=r", 2); - return ret; -- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src, -+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src, - ret, "l", "k", "=r", 4); - return ret; -- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src, -+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src, - ret, "q", "", "=r", 8); - return ret; - case 10: -- __get_user_asm(*(u64 *)dst, (u64 __user *)src, -+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src, - ret, "q", "", "=r", 10); - if (unlikely(ret)) - return ret; - __get_user_asm(*(u16 *)(8 + (char *)dst), -- (u16 __user *)(8 + (char __user *)src), -+ (const u16 __user *)(8 + (const char __user *)src), - ret, "w", "w", "=r", 2); - return ret; - case 16: -- __get_user_asm(*(u64 *)dst, (u64 __user *)src, -+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src, - ret, "q", "", "=r", 16); - if (unlikely(ret)) - return ret; - __get_user_asm(*(u64 *)(8 + (char *)dst), -- (u64 __user *)(8 + (char __user *)src), -+ (const u64 __user *)(8 + (const char __user *)src), - ret, "q", "", "=r", 8); - return ret; - default: -- return copy_user_generic(dst, (__force void *)src, size); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic(dst, (__force const void *)src, size); - } - } - - static __always_inline __must_check --int __copy_to_user(void __user *dst, const void *src, unsigned size) -+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size) - { -- int ret = 0; -+ int sz = __compiletime_object_size(src); -+ unsigned ret = 0; - - might_fault(); -- if (!__builtin_constant_p(size)) -+ -+ pax_track_stack(); -+ -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_WRITE, dst, size)) -+ return size; -+#endif -+ -+ if (unlikely(sz != -1 && sz < size)) { -+#ifdef CONFIG_DEBUG_VM -+ WARN(1, "Buffer overflow detected!\n"); -+#endif -+ return size; -+ } -+ -+ if (!__builtin_constant_p(size)) { -+ check_object_size(src, size, true); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic((__force void *)dst, src, size); -+ } - switch (size) { -- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst, -+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst, - ret, "b", "b", "iq", 1); - return ret; -- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst, -+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst, - ret, "w", "w", "ir", 2); - return ret; -- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst, -+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst, - ret, "l", "k", "ir", 4); - return ret; -- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst, -+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 8); - return ret; - case 10: -- __put_user_asm(*(u64 *)src, (u64 __user *)dst, -+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 10); - if (unlikely(ret)) - return ret; - asm("":::"memory"); -- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst, -+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst, - ret, "w", "w", "ir", 2); - return ret; - case 16: -- __put_user_asm(*(u64 *)src, (u64 __user *)dst, -+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 16); - if (unlikely(ret)) - return ret; - asm("":::"memory"); -- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst, -+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst, - ret, "q", "", "er", 8); - return ret; - default: -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic((__force void *)dst, src, size); - } - } - - static __always_inline __must_check --int __copy_in_user(void __user *dst, const void __user *src, unsigned size) -+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size) - { -- int ret = 0; -+ unsigned ret = 0; - - might_fault(); -- if (!__builtin_constant_p(size)) -+ -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+ if (!__access_ok(VERIFY_WRITE, dst, size)) -+ return size; -+#endif -+ -+ if (!__builtin_constant_p(size)) { -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic((__force void *)dst, -- (__force void *)src, size); -+ (__force const void *)src, size); -+ } - switch (size) { - case 1: { - u8 tmp; -- __get_user_asm(tmp, (u8 __user *)src, -+ __get_user_asm(tmp, (const u8 __user *)src, - ret, "b", "b", "=q", 1); - if (likely(!ret)) - __put_user_asm(tmp, (u8 __user *)dst, -@@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con - } - case 2: { - u16 tmp; -- __get_user_asm(tmp, (u16 __user *)src, -+ __get_user_asm(tmp, (const u16 __user *)src, - ret, "w", "w", "=r", 2); - if (likely(!ret)) - __put_user_asm(tmp, (u16 __user *)dst, -@@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con - - case 4: { - u32 tmp; -- __get_user_asm(tmp, (u32 __user *)src, -+ __get_user_asm(tmp, (const u32 __user *)src, - ret, "l", "k", "=r", 4); - if (likely(!ret)) - __put_user_asm(tmp, (u32 __user *)dst, -@@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con - } - case 8: { - u64 tmp; -- __get_user_asm(tmp, (u64 __user *)src, -+ __get_user_asm(tmp, (const u64 __user *)src, - ret, "q", "", "=r", 8); - if (likely(!ret)) - __put_user_asm(tmp, (u64 __user *)dst, -@@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con - return ret; - } - default: -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic((__force void *)dst, -- (__force void *)src, size); -+ (__force const void *)src, size); - } - } - -@@ -222,33 +321,72 @@ __must_check unsigned long __clear_user( - static __must_check __always_inline int - __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size) - { -+ pax_track_stack(); -+ -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+ -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic(dst, (__force const void *)src, size); - } - --static __must_check __always_inline int -+static __must_check __always_inline unsigned long - __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size) - { -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_WRITE, dst, size)) -+ return size; -+ -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ - return copy_user_generic((__force void *)dst, src, size); - } - --extern long __copy_user_nocache(void *dst, const void __user *src, -+extern unsigned long __copy_user_nocache(void *dst, const void __user *src, - unsigned size, int zerorest); - --static inline int --__copy_from_user_nocache(void *dst, const void __user *src, unsigned size) -+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size) - { - might_sleep(); -+ -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+#endif -+ - return __copy_user_nocache(dst, src, size, 1); - } - --static inline int --__copy_from_user_inatomic_nocache(void *dst, const void __user *src, -+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src, - unsigned size) - { -+ if ((int)size < 0) -+ return size; -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+#endif -+ - return __copy_user_nocache(dst, src, size, 0); - } - --unsigned long -+extern unsigned long - copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest); - - #endif /* _ASM_X86_UACCESS_64_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess.h linux-2.6.39.3/arch/x86/include/asm/uaccess.h ---- linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400 -@@ -8,12 +8,15 @@ - #include <linux/thread_info.h> - #include <linux/prefetch.h> - #include <linux/string.h> -+#include <linux/sched.h> - #include <asm/asm.h> - #include <asm/page.h> - - #define VERIFY_READ 0 - #define VERIFY_WRITE 1 - -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+ - /* - * The fs value determines whether argument validity checking should be - * performed or not. If get_fs() == USER_DS, checking is performed, with -@@ -29,7 +32,12 @@ - - #define get_ds() (KERNEL_DS) - #define get_fs() (current_thread_info()->addr_limit) -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -+void __set_fs(mm_segment_t x); -+void set_fs(mm_segment_t x); -+#else - #define set_fs(x) (current_thread_info()->addr_limit = (x)) -+#endif - - #define segment_eq(a, b) ((a).seg == (b).seg) - -@@ -77,7 +85,33 @@ - * checks that the pointer is in the user space range - after calling - * this function, memory access functions may still return -EFAULT. - */ --#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0)) -+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0)) -+#define access_ok(type, addr, size) \ -+({ \ -+ long __size = size; \ -+ unsigned long __addr = (unsigned long)addr; \ -+ unsigned long __addr_ao = __addr & PAGE_MASK; \ -+ unsigned long __end_ao = __addr + __size - 1; \ -+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \ -+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \ -+ while(__addr_ao <= __end_ao) { \ -+ char __c_ao; \ -+ __addr_ao += PAGE_SIZE; \ -+ if (__size > PAGE_SIZE) \ -+ cond_resched(); \ -+ if (__get_user(__c_ao, (char __user *)__addr)) \ -+ break; \ -+ if (type != VERIFY_WRITE) { \ -+ __addr = __addr_ao; \ -+ continue; \ -+ } \ -+ if (__put_user(__c_ao, (char __user *)__addr)) \ -+ break; \ -+ __addr = __addr_ao; \ -+ } \ -+ } \ -+ __ret_ao; \ -+}) - - /* - * The exception table consists of pairs of addresses: the first is the -@@ -183,12 +217,20 @@ extern int __get_user_bad(void); - asm volatile("call __put_user_" #size : "=a" (__ret_pu) \ - : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx") - -- -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -+#define __copyuser_seg "gs;" -+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n" -+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n" -+#else -+#define __copyuser_seg -+#define __COPYUSER_SET_ES -+#define __COPYUSER_RESTORE_ES -+#endif - - #ifdef CONFIG_X86_32 - #define __put_user_asm_u64(x, addr, err, errret) \ -- asm volatile("1: movl %%eax,0(%2)\n" \ -- "2: movl %%edx,4(%2)\n" \ -+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \ -+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \ - "3:\n" \ - ".section .fixup,\"ax\"\n" \ - "4: movl %3,%0\n" \ -@@ -200,8 +242,8 @@ extern int __get_user_bad(void); - : "A" (x), "r" (addr), "i" (errret), "0" (err)) - - #define __put_user_asm_ex_u64(x, addr) \ -- asm volatile("1: movl %%eax,0(%1)\n" \ -- "2: movl %%edx,4(%1)\n" \ -+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \ -+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \ - "3:\n" \ - _ASM_EXTABLE(1b, 2b - 1b) \ - _ASM_EXTABLE(2b, 3b - 2b) \ -@@ -374,7 +416,7 @@ do { \ - } while (0) - - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ -- asm volatile("1: mov"itype" %2,%"rtype"1\n" \ -+ asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\ - "2:\n" \ - ".section .fixup,\"ax\"\n" \ - "3: mov %3,%0\n" \ -@@ -382,7 +424,7 @@ do { \ - " jmp 2b\n" \ - ".previous\n" \ - _ASM_EXTABLE(1b, 3b) \ -- : "=r" (err), ltype(x) \ -+ : "=r" (err), ltype (x) \ - : "m" (__m(addr)), "i" (errret), "0" (err)) - - #define __get_user_size_ex(x, ptr, size) \ -@@ -407,7 +449,7 @@ do { \ - } while (0) - - #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ -- asm volatile("1: mov"itype" %1,%"rtype"0\n" \ -+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\ - "2:\n" \ - _ASM_EXTABLE(1b, 2b - 1b) \ - : ltype(x) : "m" (__m(addr))) -@@ -424,13 +466,24 @@ do { \ - int __gu_err; \ - unsigned long __gu_val; \ - __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ -- (x) = (__force __typeof__(*(ptr)))__gu_val; \ -+ (x) = (__typeof__(*(ptr)))__gu_val; \ - __gu_err; \ - }) - - /* FIXME: this hack is definitely wrong -AK */ - struct __large_struct { unsigned long buf[100]; }; --#define __m(x) (*(struct __large_struct __user *)(x)) -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+#define ____m(x) \ -+({ \ -+ unsigned long ____x = (unsigned long)(x); \ -+ if (____x < PAX_USER_SHADOW_BASE) \ -+ ____x += PAX_USER_SHADOW_BASE; \ -+ (void __user *)____x; \ -+}) -+#else -+#define ____m(x) (x) -+#endif -+#define __m(x) (*(struct __large_struct __user *)____m(x)) - - /* - * Tell gcc we read from memory instead of writing: this is because -@@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu - * aliasing issues. - */ - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \ -- asm volatile("1: mov"itype" %"rtype"1,%2\n" \ -+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\ - "2:\n" \ - ".section .fixup,\"ax\"\n" \ - "3: mov %3,%0\n" \ -@@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu - ".previous\n" \ - _ASM_EXTABLE(1b, 3b) \ - : "=r"(err) \ -- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err)) -+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err)) - - #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \ -- asm volatile("1: mov"itype" %"rtype"0,%1\n" \ -+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\ - "2:\n" \ - _ASM_EXTABLE(1b, 2b - 1b) \ - : : ltype(x), "m" (__m(addr))) -@@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu - * On error, the variable @x is set to zero. - */ - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+#define __get_user(x, ptr) get_user((x), (ptr)) -+#else - #define __get_user(x, ptr) \ - __get_user_nocheck((x), (ptr), sizeof(*(ptr))) -+#endif - - /** - * __put_user: - Write a simple value into user space, with less checking. -@@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu - * Returns zero on success, or -EFAULT on error. - */ - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+#define __put_user(x, ptr) put_user((x), (ptr)) -+#else - #define __put_user(x, ptr) \ - __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr))) -+#endif - - #define __get_user_unaligned __get_user - #define __put_user_unaligned __put_user -@@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu - #define get_user_ex(x, ptr) do { \ - unsigned long __gue_val; \ - __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \ -- (x) = (__force __typeof__(*(ptr)))__gue_val; \ -+ (x) = (__typeof__(*(ptr)))__gue_val; \ - } while (0) - - #ifdef CONFIG_X86_WP_WORKS_OK -@@ -567,6 +628,7 @@ extern struct movsl_mask { - - #define ARCH_HAS_NOCACHE_UACCESS 1 - -+#define ARCH_HAS_SORT_EXTABLE - #ifdef CONFIG_X86_32 - # include "uaccess_32.h" - #else -diff -urNp linux-2.6.39.3/arch/x86/include/asm/vgtod.h linux-2.6.39.3/arch/x86/include/asm/vgtod.h ---- linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400 -@@ -14,6 +14,7 @@ struct vsyscall_gtod_data { - int sysctl_enabled; - struct timezone sys_tz; - struct { /* extract of a clocksource struct */ -+ char name[8]; - cycle_t (*vread)(void); - cycle_t cycle_last; - cycle_t mask; -diff -urNp linux-2.6.39.3/arch/x86/include/asm/vsyscall.h linux-2.6.39.3/arch/x86/include/asm/vsyscall.h ---- linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400 -@@ -15,9 +15,10 @@ enum vsyscall_num { - - #ifdef __KERNEL__ - #include <linux/seqlock.h> -+#include <linux/getcpu.h> -+#include <linux/time.h> - - #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16))) --#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16))) - - /* Definitions for CONFIG_GENERIC_TIME definitions */ - #define __section_vsyscall_gtod_data __attribute__ \ -@@ -31,7 +32,6 @@ enum vsyscall_num { - #define VGETCPU_LSL 2 - - extern int __vgetcpu_mode; --extern volatile unsigned long __jiffies; - - /* kernel space (writeable) */ - extern int vgetcpu_mode; -@@ -39,6 +39,9 @@ extern struct timezone sys_tz; - - extern void map_vsyscall(void); - -+extern int vgettimeofday(struct timeval * tv, struct timezone * tz); -+extern time_t vtime(time_t *t); -+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache); - #endif /* __KERNEL__ */ - - #endif /* _ASM_X86_VSYSCALL_H */ -diff -urNp linux-2.6.39.3/arch/x86/include/asm/xen/pci.h linux-2.6.39.3/arch/x86/include/asm/xen/pci.h ---- linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400 -@@ -33,7 +33,7 @@ struct xen_pci_frontend_ops { - void (*disable_msix)(struct pci_dev *dev); - }; - --extern struct xen_pci_frontend_ops *xen_pci_frontend; -+extern const struct xen_pci_frontend_ops *xen_pci_frontend; - - static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev, - int vectors[]) -diff -urNp linux-2.6.39.3/arch/x86/include/asm/xsave.h linux-2.6.39.3/arch/x86/include/asm/xsave.h ---- linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400 -@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav - { - int err; - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE) -+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE); -+#endif -+ - /* - * Clear the xsave header first, so that reserved fields are - * initialized to zero. -@@ -100,6 +105,11 @@ static inline int xrestore_user(struct x - u32 lmask = mask; - u32 hmask = mask >> 32; - -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE) -+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE); -+#endif -+ - __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" - "2:\n" - ".section .fixup,\"ax\"\n" -diff -urNp linux-2.6.39.3/arch/x86/Kconfig linux-2.6.39.3/arch/x86/Kconfig ---- linux-2.6.39.3/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400 -@@ -224,7 +224,7 @@ config X86_HT - - config X86_32_LAZY_GS - def_bool y -- depends on X86_32 && !CC_STACKPROTECTOR -+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF - - config ARCH_HWEIGHT_CFLAGS - string -@@ -1022,7 +1022,7 @@ choice - - config NOHIGHMEM - bool "off" -- depends on !X86_NUMAQ -+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE) - ---help--- - Linux can use up to 64 Gigabytes of physical memory on x86 systems. - However, the address space of 32-bit x86 processors is only 4 -@@ -1059,7 +1059,7 @@ config NOHIGHMEM - - config HIGHMEM4G - bool "4GB" -- depends on !X86_NUMAQ -+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE) - ---help--- - Select this if you have a 32-bit processor and between 1 and 4 - gigabytes of physical RAM. -@@ -1113,7 +1113,7 @@ config PAGE_OFFSET - hex - default 0xB0000000 if VMSPLIT_3G_OPT - default 0x80000000 if VMSPLIT_2G -- default 0x78000000 if VMSPLIT_2G_OPT -+ default 0x70000000 if VMSPLIT_2G_OPT - default 0x40000000 if VMSPLIT_1G - default 0xC0000000 - depends on X86_32 -@@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED - - config EFI - bool "EFI runtime service support" -- depends on ACPI -+ depends on ACPI && !PAX_KERNEXEC - ---help--- - This enables the kernel to use EFI runtime services that are - available (such as the EFI variable services). -@@ -1487,6 +1487,7 @@ config SECCOMP - - config CC_STACKPROTECTOR - bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)" -+ depends on X86_64 || !PAX_MEMORY_UDEREF - ---help--- - This option turns on the -fstack-protector GCC feature. This - feature puts, at the beginning of functions, a canary value on -@@ -1544,6 +1545,7 @@ config KEXEC_JUMP - config PHYSICAL_START - hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP) - default "0x1000000" -+ range 0x400000 0x40000000 - ---help--- - This gives the physical address where the kernel is loaded. - -@@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS - config PHYSICAL_ALIGN - hex "Alignment value to which kernel should be aligned" if X86_32 - default "0x1000000" -+ range 0x400000 0x1000000 if PAX_KERNEXEC - range 0x2000 0x1000000 - ---help--- - This value puts the alignment restrictions on physical address -@@ -1638,9 +1641,10 @@ config HOTPLUG_CPU - Say N if you want to disable CPU hotplug. - - config COMPAT_VDSO -- def_bool y -+ def_bool n - prompt "Compat VDSO support" - depends on X86_32 || IA32_EMULATION -+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF - ---help--- - Map the 32-bit VDSO to the predictable old-style address too. - -diff -urNp linux-2.6.39.3/arch/x86/Kconfig.cpu linux-2.6.39.3/arch/x86/Kconfig.cpu ---- linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400 -@@ -334,7 +334,7 @@ config X86_PPRO_FENCE - - config X86_F00F_BUG - def_bool y -- depends on M586MMX || M586TSC || M586 || M486 || M386 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC - - config X86_INVD_BUG - def_bool y -@@ -358,7 +358,7 @@ config X86_POPAD_OK - - config X86_ALIGNMENT_16 - def_bool y -- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1 -+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1 - - config X86_INTEL_USERCOPY - def_bool y -@@ -404,7 +404,7 @@ config X86_CMPXCHG64 - # generates cmov. - config X86_CMOV - def_bool y -- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) -+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) - - config X86_MINIMUM_CPU_FAMILY - int -diff -urNp linux-2.6.39.3/arch/x86/Kconfig.debug linux-2.6.39.3/arch/x86/Kconfig.debug ---- linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400 -@@ -101,7 +101,7 @@ config X86_PTDUMP - config DEBUG_RODATA - bool "Write protect kernel read-only data structures" - default y -- depends on DEBUG_KERNEL -+ depends on DEBUG_KERNEL && BROKEN - ---help--- - Mark the kernel read-only data as write-protected in the pagetables, - in order to catch accidental (and incorrect) writes to such const -@@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST - - config DEBUG_SET_MODULE_RONX - bool "Set loadable kernel module data as NX and text as RO" -- depends on MODULES -+ depends on MODULES && BROKEN - ---help--- - This option helps catch unintended modifications to loadable - kernel module's text and read-only data. It also prevents execution -diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S ---- linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:18:51.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:19:18.000000000 -0400 -@@ -108,6 +108,9 @@ wakeup_code: - /* Do any other stuff... */ - - #ifndef CONFIG_64BIT -+ /* Recheck NX bit overrides (64bit path does this in trampoline */ -+ call verify_cpu -+ - /* This could also be done in C code... */ - movl pmode_cr3, %eax - movl %eax, %cr3 -@@ -131,6 +134,7 @@ wakeup_code: - movl pmode_cr0, %eax - movl %eax, %cr0 - jmp pmode_return -+# include "../../verify_cpu.S" - #else - pushw $0 - pushw trampoline_segment -diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c ---- linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:18:51.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:19:18.000000000 -0400 -@@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void) - header->trampoline_segment = trampoline_address() >> 4; - #ifdef CONFIG_SMP - stack_start = (unsigned long)temp_stack + sizeof(temp_stack); -+ -+ pax_open_kernel(); - early_gdt_descr.address = - (unsigned long)get_cpu_gdt_table(smp_processor_id()); -+ pax_close_kernel(); -+ - initial_gs = per_cpu_offset(smp_processor_id()); - #endif - initial_code = (unsigned long)wakeup_long64; -diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S ---- linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400 -@@ -30,13 +30,11 @@ wakeup_pmode_return: - # and restore the stack ... but you need gdt for this to work - movl saved_context_esp, %esp - -- movl %cs:saved_magic, %eax -- cmpl $0x12345678, %eax -+ cmpl $0x12345678, saved_magic - jne bogus_magic - - # jump to place where we left off -- movl saved_eip, %eax -- jmp *%eax -+ jmp *(saved_eip) - - bogus_magic: - jmp bogus_magic -diff -urNp linux-2.6.39.3/arch/x86/kernel/alternative.c linux-2.6.39.3/arch/x86/kernel/alternative.c ---- linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400 -@@ -248,7 +248,7 @@ static void alternatives_smp_lock(const - if (!*poff || ptr < text || ptr >= text_end) - continue; - /* turn DS segment override prefix into lock prefix */ -- if (*ptr == 0x3e) -+ if (*ktla_ktva(ptr) == 0x3e) - text_poke(ptr, ((unsigned char []){0xf0}), 1); - }; - mutex_unlock(&text_mutex); -@@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons - if (!*poff || ptr < text || ptr >= text_end) - continue; - /* turn lock prefix into DS segment override prefix */ -- if (*ptr == 0xf0) -+ if (*ktla_ktva(ptr) == 0xf0) - text_poke(ptr, ((unsigned char []){0x3E}), 1); - }; - mutex_unlock(&text_mutex); -@@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str - - BUG_ON(p->len > MAX_PATCH_LEN); - /* prep the buffer with the original instructions */ -- memcpy(insnbuf, p->instr, p->len); -+ memcpy(insnbuf, ktla_ktva(p->instr), p->len); - used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf, - (unsigned long)p->instr, p->len); - -@@ -506,7 +506,7 @@ void __init alternative_instructions(voi - if (smp_alt_once) - free_init_pages("SMP alternatives", - (unsigned long)__smp_locks, -- (unsigned long)__smp_locks_end); -+ PAGE_ALIGN((unsigned long)__smp_locks_end)); - - restart_nmi(); - } -@@ -523,13 +523,17 @@ void __init alternative_instructions(voi - * instructions. And on the local CPU you need to be protected again NMI or MCE - * handlers seeing an inconsistent instruction while you patch. - */ --void *__init_or_module text_poke_early(void *addr, const void *opcode, -+void *__kprobes text_poke_early(void *addr, const void *opcode, - size_t len) - { - unsigned long flags; - local_irq_save(flags); -- memcpy(addr, opcode, len); -+ -+ pax_open_kernel(); -+ memcpy(ktla_ktva(addr), opcode, len); - sync_core(); -+ pax_close_kernel(); -+ - local_irq_restore(flags); - /* Could also do a CLFLUSH here to speed up CPU recovery; but - that causes hangs on some VIA CPUs. */ -@@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v - */ - void *__kprobes text_poke(void *addr, const void *opcode, size_t len) - { -- unsigned long flags; -- char *vaddr; -+ unsigned char *vaddr = ktla_ktva(addr); - struct page *pages[2]; -- int i; -+ size_t i; - - if (!core_kernel_text((unsigned long)addr)) { -- pages[0] = vmalloc_to_page(addr); -- pages[1] = vmalloc_to_page(addr + PAGE_SIZE); -+ pages[0] = vmalloc_to_page(vaddr); -+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE); - } else { -- pages[0] = virt_to_page(addr); -+ pages[0] = virt_to_page(vaddr); - WARN_ON(!PageReserved(pages[0])); -- pages[1] = virt_to_page(addr + PAGE_SIZE); -+ pages[1] = virt_to_page(vaddr + PAGE_SIZE); - } - BUG_ON(!pages[0]); -- local_irq_save(flags); -- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0])); -- if (pages[1]) -- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1])); -- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0); -- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len); -- clear_fixmap(FIX_TEXT_POKE0); -- if (pages[1]) -- clear_fixmap(FIX_TEXT_POKE1); -- local_flush_tlb(); -- sync_core(); -- /* Could also do a CLFLUSH here to speed up CPU recovery; but -- that causes hangs on some VIA CPUs. */ -+ text_poke_early(addr, opcode, len); - for (i = 0; i < len; i++) -- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]); -- local_irq_restore(flags); -+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]); - return addr; - } - -@@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc - #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL) - - #ifdef CONFIG_X86_64 --unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 }; -+unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 }; - #else --unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 }; -+unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 }; - #endif - - void __init arch_init_ideal_nop5(void) -diff -urNp linux-2.6.39.3/arch/x86/kernel/amd_iommu.c linux-2.6.39.3/arch/x86/kernel/amd_iommu.c ---- linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 13:00:25.000000000 -0400 -@@ -49,7 +49,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc - */ - static struct protection_domain *pt_domain; - --static struct iommu_ops amd_iommu_ops; -+static const struct iommu_ops amd_iommu_ops; - - /* - * general struct to manage commands send to an IOMMU -@@ -2307,7 +2307,7 @@ static void prealloc_protection_domains( - } - } - --static struct dma_map_ops amd_iommu_dma_ops = { -+static const struct dma_map_ops amd_iommu_dma_ops = { - .alloc_coherent = alloc_coherent, - .free_coherent = free_coherent, - .map_page = map_page, -@@ -2624,7 +2624,7 @@ static int amd_iommu_domain_has_cap(stru - return 0; - } - --static struct iommu_ops amd_iommu_ops = { -+static const struct iommu_ops amd_iommu_ops = { - .domain_init = amd_iommu_domain_init, - .domain_destroy = amd_iommu_domain_destroy, - .attach_dev = amd_iommu_attach_device, -diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/apic.c linux-2.6.39.3/arch/x86/kernel/apic/apic.c ---- linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400 -@@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs - apic_write(APIC_ESR, 0); - v1 = apic_read(APIC_ESR); - ack_APIC_irq(); -- atomic_inc(&irq_err_count); -+ atomic_inc_unchecked(&irq_err_count); - - /* - * Here is what the APIC error bits mean: -@@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo - u16 *bios_cpu_apicid; - DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS); - -+ pax_track_stack(); -+ - bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid); - bitmap_zero(clustermap, NUM_APIC_CLUSTERS); - -diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c ---- linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400 -@@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi - ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics, - GFP_ATOMIC); - if (!ioapic_entries) -- return 0; -+ return NULL; - - for (apic = 0; apic < nr_ioapics; apic++) { - ioapic_entries[apic] = -@@ -640,7 +640,7 @@ nomem: - kfree(ioapic_entries[apic]); - kfree(ioapic_entries); - -- return 0; -+ return NULL; - } - - /* -@@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, - } - EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector); - --void lock_vector_lock(void) -+void lock_vector_lock(void) __acquires(vector_lock) - { - /* Used to the online set of cpus does not change - * during assign_irq_vector. -@@ -1048,7 +1048,7 @@ void lock_vector_lock(void) - raw_spin_lock(&vector_lock); - } - --void unlock_vector_lock(void) -+void unlock_vector_lock(void) __releases(vector_lock) - { - raw_spin_unlock(&vector_lock); - } -@@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat - ack_APIC_irq(); - } - --atomic_t irq_mis_count; -+atomic_unchecked_t irq_mis_count; - - /* - * IO-APIC versions below 0x20 don't support EOI register. -@@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da - * at the cpu. - */ - if (!(v & (1 << (i & 0x1f)))) { -- atomic_inc(&irq_mis_count); -+ atomic_inc_unchecked(&irq_mis_count); - - eoi_ioapic_irq(irq, cfg); - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/apm_32.c linux-2.6.39.3/arch/x86/kernel/apm_32.c ---- linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex); - * This is for buggy BIOS's that refer to (real mode) segment 0x40 - * even though they are called in protected mode. - */ --static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, -+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093, - (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1); - - static const char driver_version[] = "1.16ac"; /* no spaces */ -@@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call) - BUG_ON(cpu != 0); - gdt = get_cpu_gdt_table(cpu); - save_desc_40 = gdt[0x40 / 8]; -+ -+ pax_open_kernel(); - gdt[0x40 / 8] = bad_bios_desc; -+ pax_close_kernel(); - - apm_irq_save(flags); - APM_DO_SAVE_SEGS; -@@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call) - &call->esi); - APM_DO_RESTORE_SEGS; - apm_irq_restore(flags); -+ -+ pax_open_kernel(); - gdt[0x40 / 8] = save_desc_40; -+ pax_close_kernel(); -+ - put_cpu(); - - return call->eax & 0xff; -@@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void - BUG_ON(cpu != 0); - gdt = get_cpu_gdt_table(cpu); - save_desc_40 = gdt[0x40 / 8]; -+ -+ pax_open_kernel(); - gdt[0x40 / 8] = bad_bios_desc; -+ pax_close_kernel(); - - apm_irq_save(flags); - APM_DO_SAVE_SEGS; -@@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void - &call->eax); - APM_DO_RESTORE_SEGS; - apm_irq_restore(flags); -+ -+ pax_open_kernel(); - gdt[0x40 / 8] = save_desc_40; -+ pax_close_kernel(); -+ - put_cpu(); - return error; - } -@@ -2351,12 +2365,15 @@ static int __init apm_init(void) - * code to that CPU. - */ - gdt = get_cpu_gdt_table(0); -+ -+ pax_open_kernel(); - set_desc_base(&gdt[APM_CS >> 3], - (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4)); - set_desc_base(&gdt[APM_CS_16 >> 3], - (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4)); - set_desc_base(&gdt[APM_DS >> 3], - (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4)); -+ pax_close_kernel(); - - proc_create("apm", 0, NULL, &apm_file_ops); - -diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c ---- linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -69,6 +69,7 @@ int main(void) - BLANK(); - #undef ENTRY - -+ DEFINE(TSS_size, sizeof(struct tss_struct)); - OFFSET(TSS_ist, tss_struct, x86_tss.ist); - BLANK(); - -diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets.c linux-2.6.39.3/arch/x86/kernel/asm-offsets.c ---- linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400 -@@ -33,6 +33,8 @@ void common(void) { - OFFSET(TI_status, thread_info, status); - OFFSET(TI_addr_limit, thread_info, addr_limit); - OFFSET(TI_preempt_count, thread_info, preempt_count); -+ OFFSET(TI_lowest_stack, thread_info, lowest_stack); -+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo)); - - BLANK(); - OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx); -@@ -53,8 +55,26 @@ void common(void) { - OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit); - OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0); - OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2); -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0); -+#endif -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3); -+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3); -+#ifdef CONFIG_X86_64 -+ OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd); -+#endif - #endif - -+#endif -+ -+ BLANK(); -+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE); -+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT); -+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE); -+ - #ifdef CONFIG_XEN - BLANK(); - OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask); -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/amd.c linux-2.6.39.3/arch/x86/kernel/cpu/amd.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400 -@@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c - unsigned int size) - { - /* AMD errata T13 (order #21922) */ -- if ((c->x86 == 6)) { -+ if (c->x86 == 6) { - /* Duron Rev A0 */ - if (c->x86_model == 3 && c->x86_mask == 0) - size = 64; -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/common.c linux-2.6.39.3/arch/x86/kernel/cpu/common.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400 -@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon - - static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu; - --DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = { --#ifdef CONFIG_X86_64 -- /* -- * We need valid kernel segments for data and code in long mode too -- * IRET will check the segment types kkeil 2000/10/28 -- * Also sysret mandates a special GDT layout -- * -- * TLS descriptors are currently at a different place compared to i386. -- * Hopefully nobody expects them at a fixed place (Wine?) -- */ -- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff), -- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff), -- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff), -- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff), -- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff), -- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff), --#else -- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff), -- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), -- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff), -- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff), -- /* -- * Segments used for calling PnP BIOS have byte granularity. -- * They code segments and data segments have fixed 64k limits, -- * the transfer segment sizes are set at run time. -- */ -- /* 32-bit code */ -- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff), -- /* 16-bit code */ -- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff), -- /* 16-bit data */ -- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff), -- /* 16-bit data */ -- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0), -- /* 16-bit data */ -- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0), -- /* -- * The APM segments have byte granularity and their bases -- * are set at run time. All have 64k limits. -- */ -- /* 32-bit code */ -- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff), -- /* 16-bit code */ -- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff), -- /* data */ -- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff), -- -- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), -- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), -- GDT_STACK_CANARY_INIT --#endif --} }; --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page); -- - static int __init x86_xsave_setup(char *s) - { - setup_clear_cpu_cap(X86_FEATURE_XSAVE); -@@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu) - { - struct desc_ptr gdt_descr; - -- gdt_descr.address = (long)get_cpu_gdt_table(cpu); -+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu); - gdt_descr.size = GDT_SIZE - 1; - load_gdt(&gdt_descr); - /* Reload the per-cpu base */ -@@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc - /* Filter out anything that depends on CPUID levels we don't have */ - filter_cpuid_features(c, true); - -+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)) -+ setup_clear_cpu_cap(X86_FEATURE_SEP); -+#endif -+ - /* If the model name is still unset, do table lookup. */ - if (!c->x86_model_id[0]) { - const char *p; -@@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha - } - __setup("clearcpuid=", setup_disablecpuid); - -+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo; -+EXPORT_PER_CPU_SYMBOL(current_tinfo); -+ - #ifdef CONFIG_X86_64 - struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table }; - -@@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur - EXPORT_PER_CPU_SYMBOL(current_task); - - DEFINE_PER_CPU(unsigned long, kernel_stack) = -- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE; -+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE; - EXPORT_PER_CPU_SYMBOL(kernel_stack); - - DEFINE_PER_CPU(char *, irq_stack_ptr) = -@@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str - { - memset(regs, 0, sizeof(struct pt_regs)); - regs->fs = __KERNEL_PERCPU; -- regs->gs = __KERNEL_STACK_CANARY; -+ savesegment(gs, regs->gs); - - return regs; - } -@@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void) - int i; - - cpu = stack_smp_processor_id(); -- t = &per_cpu(init_tss, cpu); -+ t = init_tss + cpu; - oist = &per_cpu(orig_ist, cpu); - - #ifdef CONFIG_NUMA -@@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void) - switch_to_new_gdt(cpu); - loadsegment(fs, 0); - -- load_idt((const struct desc_ptr *)&idt_descr); -+ load_idt(&idt_descr); - - memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8); - syscall_init(); -@@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void) - wrmsrl(MSR_KERNEL_GS_BASE, 0); - barrier(); - -- x86_configure_nx(); - if (cpu != 0) - enable_x2apic(); - -@@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void) - { - int cpu = smp_processor_id(); - struct task_struct *curr = current; -- struct tss_struct *t = &per_cpu(init_tss, cpu); -+ struct tss_struct *t = init_tss + cpu; - struct thread_struct *thread = &curr->thread; - - if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) { -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/intel.c linux-2.6.39.3/arch/x86/kernel/cpu/intel.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400 -@@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug - * Update the IDT descriptor and reload the IDT so that - * it uses the read-only mapped virtual address. - */ -- idt_descr.address = fix_to_virt(FIX_F00F_IDT); -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT); - load_idt(&idt_descr); - } - #endif -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/Makefile linux-2.6.39.3/arch/x86/kernel/cpu/Makefile ---- linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400 -@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg - CFLAGS_REMOVE_perf_event.o = -pg - endif - --# Make sure load_percpu_segment has no stackprotector --nostackp := $(call cc-option, -fno-stack-protector) --CFLAGS_common.o := $(nostackp) -- - obj-y := intel_cacheinfo.o scattered.o topology.o - obj-y += proc.o capflags.o powerflags.o common.o - obj-y += vmware.o hypervisor.o sched.o mshyperv.o -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400 -@@ -46,6 +46,7 @@ - #include <asm/ipi.h> - #include <asm/mce.h> - #include <asm/msr.h> -+#include <asm/local.h> - - #include "mce-internal.h" - -@@ -220,7 +221,7 @@ static void print_mce(struct mce *m) - !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "", - m->cs, m->ip); - -- if (m->cs == __KERNEL_CS) -+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS) - print_symbol("{%s}", m->ip); - pr_cont("\n"); - } -@@ -244,10 +245,10 @@ static void print_mce(struct mce *m) - - #define PANIC_TIMEOUT 5 /* 5 seconds */ - --static atomic_t mce_paniced; -+static atomic_unchecked_t mce_paniced; - - static int fake_panic; --static atomic_t mce_fake_paniced; -+static atomic_unchecked_t mce_fake_paniced; - - /* Panic in progress. Enable interrupts and wait for final IPI */ - static void wait_for_panic(void) -@@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct - /* - * Make sure only one CPU runs in machine check panic - */ -- if (atomic_inc_return(&mce_paniced) > 1) -+ if (atomic_inc_return_unchecked(&mce_paniced) > 1) - wait_for_panic(); - barrier(); - -@@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct - console_verbose(); - } else { - /* Don't log too much for fake panic */ -- if (atomic_inc_return(&mce_fake_paniced) > 1) -+ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1) - return; - } - /* First print corrected ones that are still unlogged */ -@@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t) - * might have been modified by someone else. - */ - rmb(); -- if (atomic_read(&mce_paniced)) -+ if (atomic_read_unchecked(&mce_paniced)) - wait_for_panic(); - if (!monarch_timeout) - goto out; -@@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp - */ - - static DEFINE_SPINLOCK(mce_state_lock); --static int open_count; /* #times opened */ -+static local_t open_count; /* #times opened */ - static int open_exclu; /* already open exclusive? */ - - static int mce_open(struct inode *inode, struct file *file) - { - spin_lock(&mce_state_lock); - -- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) { -+ if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) { - spin_unlock(&mce_state_lock); - - return -EBUSY; -@@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode, - - if (file->f_flags & O_EXCL) - open_exclu = 1; -- open_count++; -+ local_inc(&open_count); - - spin_unlock(&mce_state_lock); - -@@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino - { - spin_lock(&mce_state_lock); - -- open_count--; -+ local_dec(&open_count); - open_exclu = 0; - - spin_unlock(&mce_state_lock); -@@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void) - static void mce_reset(void) - { - cpu_missing = 0; -- atomic_set(&mce_fake_paniced, 0); -+ atomic_set_unchecked(&mce_fake_paniced, 0); - atomic_set(&mce_executing, 0); - atomic_set(&mce_callin, 0); - atomic_set(&global_nwo, 0); -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400 -@@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex); - u64 size_or_mask, size_and_mask; - static bool mtrr_aps_delayed_init; - --static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM]; -+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only; - - const struct mtrr_ops *mtrr_if; - -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h ---- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400 -@@ -12,19 +12,19 @@ - extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES]; - - struct mtrr_ops { -- u32 vendor; -- u32 use_intel_if; -- void (*set)(unsigned int reg, unsigned long base, -+ const u32 vendor; -+ const u32 use_intel_if; -+ void (* const set)(unsigned int reg, unsigned long base, - unsigned long size, mtrr_type type); -- void (*set_all)(void); -+ void (* const set_all)(void); - -- void (*get)(unsigned int reg, unsigned long *base, -+ void (* const get)(unsigned int reg, unsigned long *base, - unsigned long *size, mtrr_type *type); -- int (*get_free_region)(unsigned long base, unsigned long size, -+ int (* const get_free_region)(unsigned long base, unsigned long size, - int replace_reg); -- int (*validate_add_page)(unsigned long base, unsigned long size, -+ int (* const validate_add_page)(unsigned long base, unsigned long size, - unsigned int type); -- int (*have_wrcomb)(void); -+ int (* const have_wrcomb)(void); - }; - - extern int generic_get_free_region(unsigned long base, unsigned long size, -diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c ---- linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400 -@@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp - int i, j, w, wmax, num = 0; - struct hw_perf_event *hwc; - -+ pax_track_stack(); -+ - bitmap_zero(used_mask, X86_PMC_IDX_MAX); - - for (i = 0; i < n; i++) { -@@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai - break; - - perf_callchain_store(entry, frame.return_address); -- fp = frame.next_frame; -+ fp = (__force const void __user *)frame.next_frame; - } - } - -diff -urNp linux-2.6.39.3/arch/x86/kernel/crash.c linux-2.6.39.3/arch/x86/kernel/crash.c ---- linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400 -@@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu, - regs = args->regs; - - #ifdef CONFIG_X86_32 -- if (!user_mode_vm(regs)) { -+ if (!user_mode(regs)) { - crash_fixup_ss_esp(&fixed_regs, regs); - regs = &fixed_regs; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/doublefault_32.c linux-2.6.39.3/arch/x86/kernel/doublefault_32.c ---- linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -11,7 +11,7 @@ - - #define DOUBLEFAULT_STACKSIZE (1024) - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE]; --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE) -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2) - - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM) - -@@ -21,7 +21,7 @@ static void doublefault_fn(void) - unsigned long gdt, tss; - - store_gdt(&gdt_desc); -- gdt = gdt_desc.address; -+ gdt = (unsigned long)gdt_desc.address; - - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size); - -@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach - /* 0x2 bit is always set */ - .flags = X86_EFLAGS_SF | 0x2, - .sp = STACK_START, -- .es = __USER_DS, -+ .es = __KERNEL_DS, - .cs = __KERNEL_CS, - .ss = __KERNEL_DS, -- .ds = __USER_DS, -+ .ds = __KERNEL_DS, - .fs = __KERNEL_PERCPU, - - .__cr3 = __pa_nodebug(swapper_pg_dir), -diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c ---- linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task - bp = stack_frame(task, regs); - - for (;;) { -- struct thread_info *context; -+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1)); - -- context = (struct thread_info *) -- ((unsigned long)stack & (~(THREAD_SIZE - 1))); -- bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph); -+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph); - -- stack = (unsigned long *)context->previous_esp; -- if (!stack) -+ if (stack_start == task_stack_page(task)) - break; -+ stack = *(unsigned long **)stack_start; - if (ops->stack(data, "IRQ") < 0) - break; - touch_nmi_watchdog(); -@@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs - * When in-kernel, we also print out the stack and code at the - * time of the fault.. - */ -- if (!user_mode_vm(regs)) { -+ if (!user_mode(regs)) { - unsigned int code_prologue = code_bytes * 43 / 64; - unsigned int code_len = code_bytes; - unsigned char c; - u8 *ip; -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]); - - printk(KERN_EMERG "Stack:\n"); - show_stack_log_lvl(NULL, regs, ®s->sp, 0, KERN_EMERG); - - printk(KERN_EMERG "Code: "); - -- ip = (u8 *)regs->ip - code_prologue; -+ ip = (u8 *)regs->ip - code_prologue + cs_base; - if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) { - /* try starting at IP */ -- ip = (u8 *)regs->ip; -+ ip = (u8 *)regs->ip + cs_base; - code_len = code_len - code_prologue + 1; - } - for (i = 0; i < code_len; i++, ip++) { -@@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs - printk(" Bad EIP value."); - break; - } -- if (ip == (u8 *)regs->ip) -+ if (ip == (u8 *)regs->ip + cs_base) - printk("<%02x> ", c); - else - printk("%02x ", c); -@@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip) - { - unsigned short ud2; - -+ ip = ktla_ktva(ip); - if (ip < PAGE_OFFSET) - return 0; - if (probe_kernel_address((unsigned short *)ip, ud2)) -diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c ---- linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task - unsigned long *irq_stack_end = - (unsigned long *)per_cpu(irq_stack_ptr, cpu); - unsigned used = 0; -- struct thread_info *tinfo; - int graph = 0; - unsigned long dummy; -+ void *stack_start; - - if (!task) - task = current; -@@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task - * current stack address. If the stacks consist of nested - * exceptions - */ -- tinfo = task_thread_info(task); - for (;;) { - char *id; - unsigned long *estack_end; -+ - estack_end = in_exception_stack(cpu, (unsigned long)stack, - &used, &id); - -@@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task - if (ops->stack(data, id) < 0) - break; - -- bp = ops->walk_stack(tinfo, stack, bp, ops, -+ bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops, - data, estack_end, &graph); - ops->stack(data, "<EOE>"); - /* -@@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task - if (in_irq_stack(stack, irq_stack, irq_stack_end)) { - if (ops->stack(data, "IRQ") < 0) - break; -- bp = ops->walk_stack(tinfo, stack, bp, -+ bp = ops->walk_stack(task, irq_stack, stack, bp, - ops, data, irq_stack_end, &graph); - /* - * We link to the next stack (which would be -@@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task - /* - * This handles the process stack: - */ -- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph); -+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1)); -+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph); - put_cpu(); - } - EXPORT_SYMBOL(dump_trace); -diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack.c linux-2.6.39.3/arch/x86/kernel/dumpstack.c ---- linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400 -@@ -2,6 +2,9 @@ - * Copyright (C) 1991, 1992 Linus Torvalds - * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs - */ -+#ifdef CONFIG_GRKERNSEC_HIDESYM -+#define __INCLUDED_BY_HIDESYM 1 -+#endif - #include <linux/kallsyms.h> - #include <linux/kprobes.h> - #include <linux/uaccess.h> -@@ -35,9 +38,8 @@ void printk_address(unsigned long addres - static void - print_ftrace_graph_addr(unsigned long addr, void *data, - const struct stacktrace_ops *ops, -- struct thread_info *tinfo, int *graph) -+ struct task_struct *task, int *graph) - { -- struct task_struct *task = tinfo->task; - unsigned long ret_addr; - int index = task->curr_ret_stack; - -@@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad - static inline void - print_ftrace_graph_addr(unsigned long addr, void *data, - const struct stacktrace_ops *ops, -- struct thread_info *tinfo, int *graph) -+ struct task_struct *task, int *graph) - { } - #endif - -@@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad - * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack - */ - --static inline int valid_stack_ptr(struct thread_info *tinfo, -- void *p, unsigned int size, void *end) -+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end) - { -- void *t = tinfo; - if (end) { - if (p < end && p >= (end-THREAD_SIZE)) - return 1; -@@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct - } - - unsigned long --print_context_stack(struct thread_info *tinfo, -+print_context_stack(struct task_struct *task, void *stack_start, - unsigned long *stack, unsigned long bp, - const struct stacktrace_ops *ops, void *data, - unsigned long *end, int *graph) - { - struct stack_frame *frame = (struct stack_frame *)bp; - -- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) { -+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) { - unsigned long addr; - - addr = *stack; -@@ -102,7 +102,7 @@ print_context_stack(struct thread_info * - } else { - ops->address(data, addr, 0); - } -- print_ftrace_graph_addr(addr, data, ops, tinfo, graph); -+ print_ftrace_graph_addr(addr, data, ops, task, graph); - } - stack++; - } -@@ -111,7 +111,7 @@ print_context_stack(struct thread_info * - EXPORT_SYMBOL_GPL(print_context_stack); - - unsigned long --print_context_stack_bp(struct thread_info *tinfo, -+print_context_stack_bp(struct task_struct *task, void *stack_start, - unsigned long *stack, unsigned long bp, - const struct stacktrace_ops *ops, void *data, - unsigned long *end, int *graph) -@@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf - struct stack_frame *frame = (struct stack_frame *)bp; - unsigned long *ret_addr = &frame->return_address; - -- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) { -+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) { - unsigned long addr = *ret_addr; - - if (!__kernel_text_address(addr)) -@@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf - ops->address(data, addr, 1); - frame = frame->next_frame; - ret_addr = &frame->return_address; -- print_ftrace_graph_addr(addr, data, ops, tinfo, graph); -+ print_ftrace_graph_addr(addr, data, ops, task, graph); - } - - return (unsigned long)frame; -@@ -202,7 +202,7 @@ void dump_stack(void) - - bp = stack_frame(current, NULL); - printk("Pid: %d, comm: %.20s %s %s %.*s\n", -- current->pid, current->comm, print_tainted(), -+ task_pid_nr(current), current->comm, print_tainted(), - init_utsname()->release, - (int)strcspn(init_utsname()->version, " "), - init_utsname()->version); -@@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void) - } - EXPORT_SYMBOL_GPL(oops_begin); - -+extern void gr_handle_kernel_exploit(void); -+ - void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) - { - if (regs && kexec_should_crash(current)) -@@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl - panic("Fatal exception in interrupt"); - if (panic_on_oops) - panic("Fatal exception"); -- do_exit(signr); -+ -+ gr_handle_kernel_exploit(); -+ -+ do_group_exit(signr); - } - - int __kprobes __die(const char *str, struct pt_regs *regs, long err) -@@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str - - show_registers(regs); - #ifdef CONFIG_X86_32 -- if (user_mode_vm(regs)) { -+ if (user_mode(regs)) { - sp = regs->sp; - ss = regs->ss & 0xffff; - } else { -@@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs - unsigned long flags = oops_begin(); - int sig = SIGSEGV; - -- if (!user_mode_vm(regs)) -+ if (!user_mode(regs)) - report_bug(regs->ip, regs); - - if (__die(str, regs, err)) -diff -urNp linux-2.6.39.3/arch/x86/kernel/early_printk.c linux-2.6.39.3/arch/x86/kernel/early_printk.c ---- linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400 -@@ -7,6 +7,7 @@ - #include <linux/pci_regs.h> - #include <linux/pci_ids.h> - #include <linux/errno.h> -+#include <linux/sched.h> - #include <asm/io.h> - #include <asm/processor.h> - #include <asm/fcntl.h> -@@ -179,6 +180,8 @@ asmlinkage void early_printk(const char - int n; - va_list ap; - -+ pax_track_stack(); -+ - va_start(ap, fmt); - n = vscnprintf(buf, sizeof(buf), fmt, ap); - early_console->write(early_console, buf, n); -diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_32.S linux-2.6.39.3/arch/x86/kernel/entry_32.S ---- linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400 -@@ -185,13 +185,146 @@ - /*CFI_REL_OFFSET gs, PT_GS*/ - .endm - .macro SET_KERNEL_GS reg -+ -+#ifdef CONFIG_CC_STACKPROTECTOR - movl $(__KERNEL_STACK_CANARY), \reg -+#elif defined(CONFIG_PAX_MEMORY_UDEREF) -+ movl $(__USER_DS), \reg -+#else -+ xorl \reg, \reg -+#endif -+ - movl \reg, %gs - .endm - - #endif /* CONFIG_X86_32_LAZY_GS */ - --.macro SAVE_ALL -+.macro pax_enter_kernel -+#ifdef CONFIG_PAX_KERNEXEC -+ call pax_enter_kernel -+#endif -+.endm -+ -+.macro pax_exit_kernel -+#ifdef CONFIG_PAX_KERNEXEC -+ call pax_exit_kernel -+#endif -+.endm -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ENTRY(pax_enter_kernel) -+#ifdef CONFIG_PARAVIRT -+ pushl %eax -+ pushl %ecx -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0) -+ mov %eax, %esi -+#else -+ mov %cr0, %esi -+#endif -+ bts $16, %esi -+ jnc 1f -+ mov %cs, %esi -+ cmp $__KERNEL_CS, %esi -+ jz 3f -+ ljmp $__KERNEL_CS, $3f -+1: ljmp $__KERNEXEC_KERNEL_CS, $2f -+2: -+#ifdef CONFIG_PARAVIRT -+ mov %esi, %eax -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0) -+#else -+ mov %esi, %cr0 -+#endif -+3: -+#ifdef CONFIG_PARAVIRT -+ popl %ecx -+ popl %eax -+#endif -+ ret -+ENDPROC(pax_enter_kernel) -+ -+ENTRY(pax_exit_kernel) -+#ifdef CONFIG_PARAVIRT -+ pushl %eax -+ pushl %ecx -+#endif -+ mov %cs, %esi -+ cmp $__KERNEXEC_KERNEL_CS, %esi -+ jnz 2f -+#ifdef CONFIG_PARAVIRT -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); -+ mov %eax, %esi -+#else -+ mov %cr0, %esi -+#endif -+ btr $16, %esi -+ ljmp $__KERNEL_CS, $1f -+1: -+#ifdef CONFIG_PARAVIRT -+ mov %esi, %eax -+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0); -+#else -+ mov %esi, %cr0 -+#endif -+2: -+#ifdef CONFIG_PARAVIRT -+ popl %ecx -+ popl %eax -+#endif -+ ret -+ENDPROC(pax_exit_kernel) -+#endif -+ -+.macro pax_erase_kstack -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+ call pax_erase_kstack -+#endif -+.endm -+ -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+/* -+ * ebp: thread_info -+ * ecx, edx: can be clobbered -+ */ -+ENTRY(pax_erase_kstack) -+ pushl %edi -+ pushl %eax -+ -+ mov TI_lowest_stack(%ebp), %edi -+ mov $-0xBEEF, %eax -+ std -+ -+1: mov %edi, %ecx -+ and $THREAD_SIZE_asm - 1, %ecx -+ shr $2, %ecx -+ repne scasl -+ jecxz 2f -+ -+ cmp $2*16, %ecx -+ jc 2f -+ -+ mov $2*16, %ecx -+ repe scasl -+ jecxz 2f -+ jne 1b -+ -+2: cld -+ mov %esp, %ecx -+ sub %edi, %ecx -+ shr $2, %ecx -+ rep stosl -+ -+ mov TI_task_thread_sp0(%ebp), %edi -+ sub $128, %edi -+ mov %edi, TI_lowest_stack(%ebp) -+ -+ popl %eax -+ popl %edi -+ ret -+ENDPROC(pax_erase_kstack) -+#endif -+ -+.macro __SAVE_ALL _DS - cld - PUSH_GS - pushl_cfi %fs -@@ -214,7 +347,7 @@ - CFI_REL_OFFSET ecx, 0 - pushl_cfi %ebx - CFI_REL_OFFSET ebx, 0 -- movl $(__USER_DS), %edx -+ movl $\_DS, %edx - movl %edx, %ds - movl %edx, %es - movl $(__KERNEL_PERCPU), %edx -@@ -222,6 +355,15 @@ - SET_KERNEL_GS %edx - .endm - -+.macro SAVE_ALL -+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) -+ __SAVE_ALL __KERNEL_DS -+ pax_enter_kernel -+#else -+ __SAVE_ALL __USER_DS -+#endif -+.endm -+ - .macro RESTORE_INT_REGS - popl_cfi %ebx - CFI_RESTORE ebx -@@ -332,7 +474,15 @@ check_userspace: - movb PT_CS(%esp), %al - andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax - cmpl $USER_RPL, %eax -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ jae resume_userspace -+ -+ PAX_EXIT_KERNEL -+ jmp resume_kernel -+#else - jb resume_kernel # not returning to v8086 or userspace -+#endif - - ENTRY(resume_userspace) - LOCKDEP_SYS_EXIT -@@ -344,7 +494,7 @@ ENTRY(resume_userspace) - andl $_TIF_WORK_MASK, %ecx # is there any work to be done on - # int/exception return? - jne work_pending -- jmp restore_all -+ jmp restore_all_pax - END(ret_from_exception) - - #ifdef CONFIG_PREEMPT -@@ -394,23 +544,34 @@ sysenter_past_esp: - /*CFI_REL_OFFSET cs, 0*/ - /* - * Push current_thread_info()->sysenter_return to the stack. -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words -- * pushed above; +8 corresponds to copy_thread's esp0 setting. - */ -- pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp) -+ pushl_cfi $0 - CFI_REL_OFFSET eip, 0 - - pushl_cfi %eax - SAVE_ALL -+ GET_THREAD_INFO(%ebp) -+ movl TI_sysenter_return(%ebp),%ebp -+ movl %ebp,PT_EIP(%esp) - ENABLE_INTERRUPTS(CLBR_NONE) - - /* - * Load the potential sixth argument from user stack. - * Careful about security. - */ -+ movl PT_OLDESP(%esp),%ebp -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ mov PT_OLDSS(%esp),%ds -+1: movl %ds:(%ebp),%ebp -+ push %ss -+ pop %ds -+#else - cmpl $__PAGE_OFFSET-3,%ebp - jae syscall_fault - 1: movl (%ebp),%ebp -+#endif -+ - movl %ebp,PT_EBP(%esp) - .section __ex_table,"a" - .align 4 -@@ -433,12 +594,23 @@ sysenter_do_call: - testl $_TIF_ALLWORK_MASK, %ecx - jne sysexit_audit - sysenter_exit: -+ -+#ifdef CONFIG_PAX_RANDKSTACK -+ pushl_cfi %eax -+ call pax_randomize_kstack -+ popl_cfi %eax -+#endif -+ -+ pax_erase_kstack -+ - /* if something modifies registers it must also disable sysexit */ - movl PT_EIP(%esp), %edx - movl PT_OLDESP(%esp), %ecx - xorl %ebp,%ebp - TRACE_IRQS_ON - 1: mov PT_FS(%esp), %fs -+2: mov PT_DS(%esp), %ds -+3: mov PT_ES(%esp), %es - PTGS_TO_GS - ENABLE_INTERRUPTS_SYSEXIT - -@@ -455,6 +627,9 @@ sysenter_audit: - movl %eax,%edx /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ - call audit_syscall_entry -+ -+ pax_erase_kstack -+ - pushl_cfi %ebx - movl PT_EAX(%esp),%eax /* reload syscall number */ - jmp sysenter_do_call -@@ -481,11 +656,17 @@ sysexit_audit: - - CFI_ENDPROC - .pushsection .fixup,"ax" --2: movl $0,PT_FS(%esp) -+4: movl $0,PT_FS(%esp) -+ jmp 1b -+5: movl $0,PT_DS(%esp) -+ jmp 1b -+6: movl $0,PT_ES(%esp) - jmp 1b - .section __ex_table,"a" - .align 4 -- .long 1b,2b -+ .long 1b,4b -+ .long 2b,5b -+ .long 3b,6b - .popsection - PTGS_TO_GS_EX - ENDPROC(ia32_sysenter_target) -@@ -518,6 +699,14 @@ syscall_exit: - testl $_TIF_ALLWORK_MASK, %ecx # current->work - jne syscall_exit_work - -+restore_all_pax: -+ -+#ifdef CONFIG_PAX_RANDKSTACK -+ call pax_randomize_kstack -+#endif -+ -+ pax_erase_kstack -+ - restore_all: - TRACE_IRQS_IRET - restore_all_notrace: -@@ -577,14 +766,21 @@ ldt_ss: - * compensating for the offset by changing to the ESPFIX segment with - * a base address that matches for the difference. - */ --#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8) -+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx) - mov %esp, %edx /* load kernel esp */ - mov PT_OLDESP(%esp), %eax /* load userspace esp */ - mov %dx, %ax /* eax: new kernel esp */ - sub %eax, %edx /* offset (low word is 0) */ -+#ifdef CONFIG_SMP -+ movl PER_CPU_VAR(cpu_number), %ebx -+ shll $PAGE_SHIFT_asm, %ebx -+ addl $cpu_gdt_table, %ebx -+#else -+ movl $cpu_gdt_table, %ebx -+#endif - shr $16, %edx -- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */ -- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */ -+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */ -+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */ - pushl_cfi $__ESPFIX_SS - pushl_cfi %eax /* new kernel esp */ - /* Disable interrupts, but do not irqtrace this section: we -@@ -613,29 +809,23 @@ work_resched: - movl TI_flags(%ebp), %ecx - andl $_TIF_WORK_MASK, %ecx # is there any work to be done other - # than syscall tracing? -- jz restore_all -+ jz restore_all_pax - testb $_TIF_NEED_RESCHED, %cl - jnz work_resched - - work_notifysig: # deal with pending signals and - # notify-resume requests -+ movl %esp, %eax - #ifdef CONFIG_VM86 - testl $X86_EFLAGS_VM, PT_EFLAGS(%esp) -- movl %esp, %eax -- jne work_notifysig_v86 # returning to kernel-space or -+ jz 1f # returning to kernel-space or - # vm86-space -- xorl %edx, %edx -- call do_notify_resume -- jmp resume_userspace_sig - -- ALIGN --work_notifysig_v86: - pushl_cfi %ecx # save ti_flags for do_notify_resume - call save_v86_state # %eax contains pt_regs pointer - popl_cfi %ecx - movl %eax, %esp --#else -- movl %esp, %eax -+1: - #endif - xorl %edx, %edx - call do_notify_resume -@@ -648,6 +838,9 @@ syscall_trace_entry: - movl $-ENOSYS,PT_EAX(%esp) - movl %esp, %eax - call syscall_trace_enter -+ -+ pax_erase_kstack -+ - /* What it returned is what we'll actually use. */ - cmpl $(nr_syscalls), %eax - jnae syscall_call -@@ -670,6 +863,10 @@ END(syscall_exit_work) - - RING0_INT_FRAME # can't unwind into user space anyway - syscall_fault: -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ push %ss -+ pop %ds -+#endif - GET_THREAD_INFO(%ebp) - movl $-EFAULT,PT_EAX(%esp) - jmp resume_userspace -@@ -752,6 +949,36 @@ ptregs_clone: - CFI_ENDPROC - ENDPROC(ptregs_clone) - -+ ALIGN; -+ENTRY(kernel_execve) -+ CFI_STARTPROC -+ pushl_cfi %ebp -+ sub $PT_OLDSS+4,%esp -+ pushl_cfi %edi -+ pushl_cfi %ecx -+ pushl_cfi %eax -+ lea 3*4(%esp),%edi -+ mov $PT_OLDSS/4+1,%ecx -+ xorl %eax,%eax -+ rep stosl -+ popl_cfi %eax -+ popl_cfi %ecx -+ popl_cfi %edi -+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp) -+ pushl_cfi %esp -+ call sys_execve -+ add $4,%esp -+ CFI_ADJUST_CFA_OFFSET -4 -+ GET_THREAD_INFO(%ebp) -+ test %eax,%eax -+ jz syscall_exit -+ add $PT_OLDSS+4,%esp -+ CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4 -+ popl_cfi %ebp -+ ret -+ CFI_ENDPROC -+ENDPROC(kernel_execve) -+ - .macro FIXUP_ESPFIX_STACK - /* - * Switch back for ESPFIX stack to the normal zerobased stack -@@ -761,8 +988,15 @@ ENDPROC(ptregs_clone) - * normal stack and adjusts ESP with the matching offset. - */ - /* fixup the stack */ -- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */ -- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */ -+#ifdef CONFIG_SMP -+ movl PER_CPU_VAR(cpu_number), %ebx -+ shll $PAGE_SHIFT_asm, %ebx -+ addl $cpu_gdt_table, %ebx -+#else -+ movl $cpu_gdt_table, %ebx -+#endif -+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */ -+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */ - shl $16, %eax - addl %esp, %eax /* the adjusted stack pointer */ - pushl_cfi $__KERNEL_DS -@@ -1213,7 +1447,6 @@ return_to_handler: - jmp *%ecx - #endif - --.section .rodata,"a" - #include "syscall_table_32.S" - - syscall_table_size=(.-sys_call_table) -@@ -1259,9 +1492,12 @@ error_code: - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart - REG_TO_PTGS %ecx - SET_KERNEL_GS %ecx -- movl $(__USER_DS), %ecx -+ movl $(__KERNEL_DS), %ecx - movl %ecx, %ds - movl %ecx, %es -+ -+ pax_enter_kernel -+ - TRACE_IRQS_OFF - movl %esp,%eax # pt_regs pointer - call *%edi -@@ -1346,6 +1582,9 @@ nmi_stack_correct: - xorl %edx,%edx # zero error code - movl %esp,%eax # pt_regs pointer - call do_nmi -+ -+ pax_exit_kernel -+ - jmp restore_all_notrace - CFI_ENDPROC - -@@ -1382,6 +1621,9 @@ nmi_espfix_stack: - FIXUP_ESPFIX_STACK # %eax == %esp - xorl %edx,%edx # zero error code - call do_nmi -+ -+ pax_exit_kernel -+ - RESTORE_REGS - lss 12+4(%esp), %esp # back to espfix stack - CFI_ADJUST_CFA_OFFSET -24 -diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_64.S linux-2.6.39.3/arch/x86/kernel/entry_64.S ---- linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400 -@@ -53,6 +53,7 @@ - #include <asm/paravirt.h> - #include <asm/ftrace.h> - #include <asm/percpu.h> -+#include <asm/pgtable.h> - - /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ - #include <linux/elf-em.h> -@@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64) - ENDPROC(native_usergs_sysret64) - #endif /* CONFIG_PARAVIRT */ - -+ .macro ljmpq sel, off -+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM) -+ .byte 0x48; ljmp *1234f(%rip) -+ .pushsection .rodata -+ .align 16 -+ 1234: .quad \off; .word \sel -+ .popsection -+#else -+ pushq $\sel -+ pushq $\off -+ lretq -+#endif -+ .endm -+ -+ .macro pax_enter_kernel -+#ifdef CONFIG_PAX_KERNEXEC -+ call pax_enter_kernel -+#endif -+ .endm -+ -+ .macro pax_exit_kernel -+#ifdef CONFIG_PAX_KERNEXEC -+ call pax_exit_kernel -+#endif -+ .endm -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ENTRY(pax_enter_kernel) -+ pushq %rdi -+ -+#ifdef CONFIG_PARAVIRT -+ PV_SAVE_REGS(CLBR_RDI) -+#endif -+ -+ GET_CR0_INTO_RDI -+ bts $16,%rdi -+ jnc 1f -+ mov %cs,%edi -+ cmp $__KERNEL_CS,%edi -+ jz 3f -+ ljmpq __KERNEL_CS,3f -+1: ljmpq __KERNEXEC_KERNEL_CS,2f -+2: SET_RDI_INTO_CR0 -+3: -+ -+#ifdef CONFIG_PARAVIRT -+ PV_RESTORE_REGS(CLBR_RDI) -+#endif -+ -+ popq %rdi -+ retq -+ENDPROC(pax_enter_kernel) -+ -+ENTRY(pax_exit_kernel) -+ pushq %rdi -+ -+#ifdef CONFIG_PARAVIRT -+ PV_SAVE_REGS(CLBR_RDI) -+#endif -+ -+ mov %cs,%rdi -+ cmp $__KERNEXEC_KERNEL_CS,%edi -+ jnz 2f -+ GET_CR0_INTO_RDI -+ btr $16,%rdi -+ ljmpq __KERNEL_CS,1f -+1: SET_RDI_INTO_CR0 -+2: -+ -+#ifdef CONFIG_PARAVIRT -+ PV_RESTORE_REGS(CLBR_RDI); -+#endif -+ -+ popq %rdi -+ retq -+ENDPROC(pax_exit_kernel) -+#endif -+ -+ .macro pax_enter_kernel_user -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ call pax_enter_kernel_user -+#endif -+ .endm -+ -+ .macro pax_exit_kernel_user -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ call pax_exit_kernel_user -+#endif -+#ifdef CONFIG_PAX_RANDKSTACK -+ push %rax -+ call pax_randomize_kstack -+ pop %rax -+#endif -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+ call pax_erase_kstack -+#endif -+ .endm -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ENTRY(pax_enter_kernel_user) -+ pushq %rdi -+ pushq %rbx -+ -+#ifdef CONFIG_PARAVIRT -+ PV_SAVE_REGS(CLBR_RDI) -+#endif -+ -+ GET_CR3_INTO_RDI -+ mov %rdi,%rbx -+ add $__START_KERNEL_map,%rbx -+ sub phys_base(%rip),%rbx -+ -+#ifdef CONFIG_PARAVIRT -+ pushq %rdi -+ cmpl $0, pv_info+PARAVIRT_enabled -+ jz 1f -+ i = 0 -+ .rept USER_PGD_PTRS -+ mov i*8(%rbx),%rsi -+ mov $0,%sil -+ lea i*8(%rbx),%rdi -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd) -+ i = i + 1 -+ .endr -+ jmp 2f -+1: -+#endif -+ -+ i = 0 -+ .rept USER_PGD_PTRS -+ movb $0,i*8(%rbx) -+ i = i + 1 -+ .endr -+ -+#ifdef CONFIG_PARAVIRT -+2: popq %rdi -+#endif -+ SET_RDI_INTO_CR3 -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ GET_CR0_INTO_RDI -+ bts $16,%rdi -+ SET_RDI_INTO_CR0 -+#endif -+ -+#ifdef CONFIG_PARAVIRT -+ PV_RESTORE_REGS(CLBR_RDI) -+#endif -+ -+ popq %rbx -+ popq %rdi -+ retq -+ENDPROC(pax_enter_kernel_user) -+ -+ENTRY(pax_exit_kernel_user) -+ push %rdi -+ -+#ifdef CONFIG_PARAVIRT -+ pushq %rbx -+ PV_SAVE_REGS(CLBR_RDI) -+#endif -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ GET_CR0_INTO_RDI -+ btr $16,%rdi -+ SET_RDI_INTO_CR0 -+#endif -+ -+ GET_CR3_INTO_RDI -+ add $__START_KERNEL_map,%rdi -+ sub phys_base(%rip),%rdi -+ -+#ifdef CONFIG_PARAVIRT -+ cmpl $0, pv_info+PARAVIRT_enabled -+ jz 1f -+ mov %rdi,%rbx -+ i = 0 -+ .rept USER_PGD_PTRS -+ mov i*8(%rbx),%rsi -+ mov $0x67,%sil -+ lea i*8(%rbx),%rdi -+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd) -+ i = i + 1 -+ .endr -+ jmp 2f -+1: -+#endif -+ -+ i = 0 -+ .rept USER_PGD_PTRS -+ movb $0x67,i*8(%rdi) -+ i = i + 1 -+ .endr -+ -+#ifdef CONFIG_PARAVIRT -+2: PV_RESTORE_REGS(CLBR_RDI) -+ popq %rbx -+#endif -+ -+ popq %rdi -+ retq -+ENDPROC(pax_exit_kernel_user) -+#endif -+ -+ .macro pax_erase_kstack -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+ call pax_erase_kstack -+#endif -+ .endm -+ -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+/* -+ * r10: thread_info -+ * rcx, rdx: can be clobbered -+ */ -+ENTRY(pax_erase_kstack) -+ pushq %rdi -+ pushq %rax -+ -+ GET_THREAD_INFO(%r10) -+ mov TI_lowest_stack(%r10), %rdi -+ mov $-0xBEEF, %rax -+ std -+ -+1: mov %edi, %ecx -+ and $THREAD_SIZE_asm - 1, %ecx -+ shr $3, %ecx -+ repne scasq -+ jecxz 2f -+ -+ cmp $2*8, %ecx -+ jc 2f -+ -+ mov $2*8, %ecx -+ repe scasq -+ jecxz 2f -+ jne 1b -+ -+2: cld -+ mov %esp, %ecx -+ sub %edi, %ecx -+ shr $3, %ecx -+ rep stosq -+ -+ mov TI_task_thread_sp0(%r10), %rdi -+ sub $256, %rdi -+ mov %rdi, TI_lowest_stack(%r10) -+ -+ popq %rax -+ popq %rdi -+ ret -+ENDPROC(pax_erase_kstack) -+#endif - - .macro TRACE_IRQS_IRETQ offset=ARGOFFSET - #ifdef CONFIG_TRACE_IRQFLAGS -@@ -318,7 +572,7 @@ ENTRY(save_args) - leaq -RBP+8(%rsp),%rdi /* arg1 for handler */ - movq_cfi rbp, 8 /* push %rbp */ - leaq 8(%rsp), %rbp /* mov %rsp, %ebp */ -- testl $3, CS(%rdi) -+ testb $3, CS(%rdi) - je 1f - SWAPGS - /* -@@ -409,7 +663,7 @@ ENTRY(ret_from_fork) - - RESTORE_REST - -- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread? -+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread? - je int_ret_from_sys_call - - testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -455,7 +709,7 @@ END(ret_from_fork) - ENTRY(system_call) - CFI_STARTPROC simple - CFI_SIGNAL_FRAME -- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET -+ CFI_DEF_CFA rsp,0 - CFI_REGISTER rip,rcx - /*CFI_REGISTER rflags,r11*/ - SWAPGS_UNSAFE_STACK -@@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs) - - movq %rsp,PER_CPU_VAR(old_rsp) - movq PER_CPU_VAR(kernel_stack),%rsp -+ pax_enter_kernel_user - /* - * No need to follow this irqs off/on section - it's straight - * and short: - */ - ENABLE_INTERRUPTS(CLBR_NONE) -- SAVE_ARGS 8,1 -+ SAVE_ARGS 8*6,1 - movq %rax,ORIG_RAX-ARGOFFSET(%rsp) - movq %rcx,RIP-ARGOFFSET(%rsp) - CFI_REL_OFFSET rip,RIP-ARGOFFSET -@@ -502,6 +757,7 @@ sysret_check: - andl %edi,%edx - jnz sysret_careful - CFI_REMEMBER_STATE -+ pax_exit_kernel_user - /* - * sysretq will re-enable interrupts: - */ -@@ -560,6 +816,9 @@ auditsys: - movq %rax,%rsi /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ - call audit_syscall_entry -+ -+ pax_erase_kstack -+ - LOAD_ARGS 0 /* reload call-clobbered registers */ - jmp system_call_fastpath - -@@ -590,6 +849,9 @@ tracesys: - FIXUP_TOP_OF_STACK %rdi - movq %rsp,%rdi - call syscall_trace_enter -+ -+ pax_erase_kstack -+ - /* - * Reload arg registers from stack in case ptrace changed them. - * We don't reload %rax because syscall_trace_enter() returned -@@ -611,7 +873,7 @@ tracesys: - GLOBAL(int_ret_from_sys_call) - DISABLE_INTERRUPTS(CLBR_NONE) - TRACE_IRQS_OFF -- testl $3,CS-ARGOFFSET(%rsp) -+ testb $3,CS-ARGOFFSET(%rsp) - je retint_restore_args - movl $_TIF_ALLWORK_MASK,%edi - /* edi: mask to check */ -@@ -793,6 +1055,16 @@ END(interrupt) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP - call save_args - PARTIAL_FRAME 0 -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rdi) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - call \func - .endm - -@@ -825,7 +1097,7 @@ ret_from_intr: - CFI_ADJUST_CFA_OFFSET -8 - exit_intr: - GET_THREAD_INFO(%rcx) -- testl $3,CS-ARGOFFSET(%rsp) -+ testb $3,CS-ARGOFFSET(%rsp) - je retint_kernel - - /* Interrupt came from user space */ -@@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space - * The iretq could re-enable interrupts: - */ - DISABLE_INTERRUPTS(CLBR_ANY) -+ pax_exit_kernel_user - TRACE_IRQS_IRETQ - SWAPGS - jmp restore_args - - retint_restore_args: /* return to kernel space */ - DISABLE_INTERRUPTS(CLBR_ANY) -+ pax_exit_kernel - /* - * The iretq could re-enable interrupts: - */ -@@ -1027,6 +1301,16 @@ ENTRY(\sym) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 - call error_entry - DEFAULT_FRAME 0 -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - movq %rsp,%rdi /* pt_regs pointer */ - xorl %esi,%esi /* no error code */ - call \do_sym -@@ -1044,6 +1328,16 @@ ENTRY(\sym) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 - call save_paranoid - TRACE_IRQS_OFF -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - movq %rsp,%rdi /* pt_regs pointer */ - xorl %esi,%esi /* no error code */ - call \do_sym -@@ -1052,7 +1346,7 @@ ENTRY(\sym) - END(\sym) - .endm - --#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8) -+#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12) - .macro paranoidzeroentry_ist sym do_sym ist - ENTRY(\sym) - INTR_FRAME -@@ -1062,8 +1356,24 @@ ENTRY(\sym) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 - call save_paranoid - TRACE_IRQS_OFF -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - movq %rsp,%rdi /* pt_regs pointer */ - xorl %esi,%esi /* no error code */ -+#ifdef CONFIG_SMP -+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d -+ lea init_tss(%r12), %r12 -+#else -+ lea init_tss(%rip), %r12 -+#endif - subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist) - call \do_sym - addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist) -@@ -1080,6 +1390,16 @@ ENTRY(\sym) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 - call error_entry - DEFAULT_FRAME 0 -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - movq %rsp,%rdi /* pt_regs pointer */ - movq ORIG_RAX(%rsp),%rsi /* get error code */ - movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */ -@@ -1099,6 +1419,16 @@ ENTRY(\sym) - call save_paranoid - DEFAULT_FRAME 0 - TRACE_IRQS_OFF -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - movq %rsp,%rdi /* pt_regs pointer */ - movq ORIG_RAX(%rsp),%rsi /* get error code */ - movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */ -@@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit) - TRACE_IRQS_OFF - testl %ebx,%ebx /* swapgs needed? */ - jnz paranoid_restore -- testl $3,CS(%rsp) -+ testb $3,CS(%rsp) - jnz paranoid_userspace -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ pax_exit_kernel -+ TRACE_IRQS_IRETQ 0 -+ SWAPGS_UNSAFE_STACK -+ RESTORE_ALL 8 -+ jmp irq_return -+#endif - paranoid_swapgs: -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ pax_exit_kernel_user -+#else -+ pax_exit_kernel -+#endif - TRACE_IRQS_IRETQ 0 - SWAPGS_UNSAFE_STACK - RESTORE_ALL 8 - jmp irq_return - paranoid_restore: -+ pax_exit_kernel - TRACE_IRQS_IRETQ 0 - RESTORE_ALL 8 - jmp irq_return -@@ -1426,7 +1769,7 @@ ENTRY(error_entry) - movq_cfi r14, R14+8 - movq_cfi r15, R15+8 - xorl %ebx,%ebx -- testl $3,CS+8(%rsp) -+ testb $3,CS+8(%rsp) - je error_kernelspace - error_swapgs: - SWAPGS -@@ -1490,6 +1833,16 @@ ENTRY(nmi) - CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 - call save_paranoid - DEFAULT_FRAME 0 -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel -+#endif - /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ - movq %rsp,%rdi - movq $-1,%rsi -@@ -1500,11 +1853,25 @@ ENTRY(nmi) - DISABLE_INTERRUPTS(CLBR_NONE) - testl %ebx,%ebx /* swapgs needed? */ - jnz nmi_restore -- testl $3,CS(%rsp) -+ testb $3,CS(%rsp) - jnz nmi_userspace -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ pax_exit_kernel -+ SWAPGS_UNSAFE_STACK -+ RESTORE_ALL 8 -+ jmp irq_return -+#endif - nmi_swapgs: -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ pax_exit_kernel_user -+#else -+ pax_exit_kernel -+#endif - SWAPGS_UNSAFE_STACK -+ RESTORE_ALL 8 -+ jmp irq_return - nmi_restore: -+ pax_exit_kernel - RESTORE_ALL 8 - jmp irq_return - nmi_userspace: -diff -urNp linux-2.6.39.3/arch/x86/kernel/ftrace.c linux-2.6.39.3/arch/x86/kernel/ftrace.c ---- linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400 -@@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the - static void *mod_code_newcode; /* holds the text to write to the IP */ - - static unsigned nmi_wait_count; --static atomic_t nmi_update_count = ATOMIC_INIT(0); -+static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0); - - int ftrace_arch_read_dyn_info(char *buf, int size) - { -@@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf, - - r = snprintf(buf, size, "%u %u", - nmi_wait_count, -- atomic_read(&nmi_update_count)); -+ atomic_read_unchecked(&nmi_update_count)); - return r; - } - -@@ -177,8 +177,10 @@ void ftrace_nmi_enter(void) - - if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) { - smp_rmb(); -+ pax_open_kernel(); - ftrace_mod_code(); -- atomic_inc(&nmi_update_count); -+ pax_close_kernel(); -+ atomic_inc_unchecked(&nmi_update_count); - } - /* Must have previous changes seen before executions */ - smp_mb(); -@@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns - { - unsigned char replaced[MCOUNT_INSN_SIZE]; - -+ ip = ktla_ktva(ip); -+ - /* - * Note: Due to modules and __init, code can - * disappear and change, we need to protect against faulting -@@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun - unsigned char old[MCOUNT_INSN_SIZE], *new; - int ret; - -- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE); -+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE); - new = ftrace_call_replace(ip, (unsigned long)func); - ret = ftrace_modify_code(ip, old, new); - -@@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long - { - unsigned char code[MCOUNT_INSN_SIZE]; - -+ ip = ktla_ktva(ip); -+ - if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE)) - return -EFAULT; - -diff -urNp linux-2.6.39.3/arch/x86/kernel/head32.c linux-2.6.39.3/arch/x86/kernel/head32.c ---- linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -19,6 +19,7 @@ - #include <asm/io_apic.h> - #include <asm/bios_ebda.h> - #include <asm/tlbflush.h> -+#include <asm/boot.h> - - static void __init i386_default_early_setup(void) - { -@@ -34,7 +35,7 @@ void __init i386_start_kernel(void) - { - memblock_init(); - -- memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS"); -+ memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS"); - - #ifdef CONFIG_BLK_DEV_INITRD - /* Reserve INITRD */ -diff -urNp linux-2.6.39.3/arch/x86/kernel/head_32.S linux-2.6.39.3/arch/x86/kernel/head_32.S ---- linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-07-06 20:00:13.000000000 -0400 -@@ -25,6 +25,12 @@ - /* Physical address */ - #define pa(X) ((X) - __PAGE_OFFSET) - -+#ifdef CONFIG_PAX_KERNEXEC -+#define ta(X) (X) -+#else -+#define ta(X) ((X) - __PAGE_OFFSET) -+#endif -+ - /* - * References to members of the new_cpu_data structure. - */ -@@ -54,11 +60,7 @@ - * and small than max_low_pfn, otherwise will waste some page table entries - */ - --#if PTRS_PER_PMD > 1 --#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD) --#else --#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD) --#endif -+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE) - - /* Number of possible pages in the lowmem region */ - LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT) -@@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P - RESERVE_BRK(pagetables, INIT_MAP_SIZE) - - /* -+ * Real beginning of normal "text" segment -+ */ -+ENTRY(stext) -+ENTRY(_stext) -+ -+/* - * 32-bit kernel entrypoint; only used by the boot CPU. On entry, - * %esi points to the real-mode code as a 32-bit pointer. - * CS and DS must be 4 GB flat segments, but we don't depend on -@@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE) - * can. - */ - __HEAD -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ jmp startup_32 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */ -+.fill PAGE_SIZE-5,1,0xcc -+#endif -+ - ENTRY(startup_32) - movl pa(stack_start),%ecx - -@@ -105,6 +120,57 @@ ENTRY(startup_32) - 2: - leal -__PAGE_OFFSET(%ecx),%esp - -+#ifdef CONFIG_SMP -+ movl $pa(cpu_gdt_table),%edi -+ movl $__per_cpu_load,%eax -+ movw %ax,__KERNEL_PERCPU + 2(%edi) -+ rorl $16,%eax -+ movb %al,__KERNEL_PERCPU + 4(%edi) -+ movb %ah,__KERNEL_PERCPU + 7(%edi) -+ movl $__per_cpu_end - 1,%eax -+ subl $__per_cpu_start,%eax -+ movw %ax,__KERNEL_PERCPU + 0(%edi) -+#endif -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ movl $NR_CPUS,%ecx -+ movl $pa(cpu_gdt_table),%edi -+1: -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi) -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi) -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi) -+ addl $PAGE_SIZE_asm,%edi -+ loop 1b -+#endif -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ movl $pa(boot_gdt),%edi -+ movl $__LOAD_PHYSICAL_ADDR,%eax -+ movw %ax,__BOOT_CS + 2(%edi) -+ rorl $16,%eax -+ movb %al,__BOOT_CS + 4(%edi) -+ movb %ah,__BOOT_CS + 7(%edi) -+ rorl $16,%eax -+ -+ ljmp $(__BOOT_CS),$1f -+1: -+ -+ movl $NR_CPUS,%ecx -+ movl $pa(cpu_gdt_table),%edi -+ addl $__PAGE_OFFSET,%eax -+1: -+ movw %ax,__KERNEL_CS + 2(%edi) -+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi) -+ rorl $16,%eax -+ movb %al,__KERNEL_CS + 4(%edi) -+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi) -+ movb %ah,__KERNEL_CS + 7(%edi) -+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi) -+ rorl $16,%eax -+ addl $PAGE_SIZE_asm,%edi -+ loop 1b -+#endif -+ - /* - * Clear BSS first so that there are no surprises... - */ -@@ -195,8 +261,11 @@ ENTRY(startup_32) - movl %eax, pa(max_pfn_mapped) - - /* Do early initialization of the fixmap area */ -- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax -- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8) -+#ifdef CONFIG_COMPAT_VDSO -+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8) -+#else -+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8) -+#endif - #else /* Not PAE */ - - page_pde_offset = (__PAGE_OFFSET >> 20); -@@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20); - movl %eax, pa(max_pfn_mapped) - - /* Do early initialization of the fixmap area */ -- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax -- movl %eax,pa(initial_page_table+0xffc) -+#ifdef CONFIG_COMPAT_VDSO -+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc) -+#else -+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc) -+#endif - #endif - - #ifdef CONFIG_PARAVIRT -@@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20); - cmpl $num_subarch_entries, %eax - jae bad_subarch - -- movl pa(subarch_entries)(,%eax,4), %eax -- subl $__PAGE_OFFSET, %eax -- jmp *%eax -+ jmp *pa(subarch_entries)(,%eax,4) - - bad_subarch: - WEAK(lguest_entry) -@@ -255,10 +325,10 @@ WEAK(xen_entry) - __INITDATA - - subarch_entries: -- .long default_entry /* normal x86/PC */ -- .long lguest_entry /* lguest hypervisor */ -- .long xen_entry /* Xen hypervisor */ -- .long default_entry /* Moorestown MID */ -+ .long ta(default_entry) /* normal x86/PC */ -+ .long ta(lguest_entry) /* lguest hypervisor */ -+ .long ta(xen_entry) /* Xen hypervisor */ -+ .long ta(default_entry) /* Moorestown MID */ - num_subarch_entries = (. - subarch_entries) / 4 - .previous - #else -@@ -312,6 +382,7 @@ default_entry: - orl %edx,%eax - movl %eax,%cr4 - -+#ifdef CONFIG_X86_PAE - testb $X86_CR4_PAE, %al # check if PAE is enabled - jz 6f - -@@ -340,6 +411,9 @@ default_entry: - /* Make changes effective */ - wrmsr - -+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4) -+#endif -+ - 6: - - /* -@@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers - movl %eax,%ss # after changing gdt. - -- movl $(__USER_DS),%eax # DS/ES contains default USER segment -+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment - movl %eax,%ds - movl %eax,%es - -@@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP - */ - cmpb $0,ready - jne 1f -- movl $gdt_page,%eax -+ movl $cpu_gdt_table,%eax - movl $stack_canary,%ecx -+#ifdef CONFIG_SMP -+ addl $__per_cpu_load,%ecx -+#endif - movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax) - shrl $16, %ecx - movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax) - movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax) - 1: --#endif - movl $(__KERNEL_STACK_CANARY),%eax -+#elif defined(CONFIG_PAX_MEMORY_UDEREF) -+ movl $(__USER_DS),%eax -+#else -+ xorl %eax,%eax -+#endif - movl %eax,%gs - - xorl %eax,%eax # Clear LDT -@@ -558,22 +639,22 @@ early_page_fault: - jmp early_fault - - early_fault: -- cld - #ifdef CONFIG_PRINTK -+ cmpl $1,%ss:early_recursion_flag -+ je hlt_loop -+ incl %ss:early_recursion_flag -+ cld - pusha - movl $(__KERNEL_DS),%eax - movl %eax,%ds - movl %eax,%es -- cmpl $2,early_recursion_flag -- je hlt_loop -- incl early_recursion_flag - movl %cr2,%eax - pushl %eax - pushl %edx /* trapno */ - pushl $fault_msg - call printk -+; call dump_stack - #endif -- call dump_stack - hlt_loop: - hlt - jmp hlt_loop -@@ -581,8 +662,11 @@ hlt_loop: - /* This is the default interrupt "handler" :-) */ - ALIGN - ignore_int: -- cld - #ifdef CONFIG_PRINTK -+ cmpl $2,%ss:early_recursion_flag -+ je hlt_loop -+ incl %ss:early_recursion_flag -+ cld - pushl %eax - pushl %ecx - pushl %edx -@@ -591,9 +675,6 @@ ignore_int: - movl $(__KERNEL_DS),%eax - movl %eax,%ds - movl %eax,%es -- cmpl $2,early_recursion_flag -- je hlt_loop -- incl early_recursion_flag - pushl 16(%esp) - pushl 24(%esp) - pushl 32(%esp) -@@ -622,29 +703,43 @@ ENTRY(initial_code) - /* - * BSS section - */ --__PAGE_ALIGNED_BSS -- .align PAGE_SIZE - #ifdef CONFIG_X86_PAE -+.section .initial_pg_pmd,"a",@progbits - initial_pg_pmd: - .fill 1024*KPMDS,4,0 - #else -+.section .initial_page_table,"a",@progbits - ENTRY(initial_page_table) - .fill 1024,4,0 - #endif -+.section .initial_pg_fixmap,"a",@progbits - initial_pg_fixmap: - .fill 1024,4,0 -+.section .empty_zero_page,"a",@progbits - ENTRY(empty_zero_page) - .fill 4096,1,0 -+.section .swapper_pg_dir,"a",@progbits - ENTRY(swapper_pg_dir) -+#ifdef CONFIG_X86_PAE -+ .fill 4,8,0 -+#else - .fill 1024,4,0 -+#endif -+ -+/* -+ * The IDT has to be page-aligned to simplify the Pentium -+ * F0 0F bug workaround.. We have a special link segment -+ * for this. -+ */ -+.section .idt,"a",@progbits -+ENTRY(idt_table) -+ .fill 256,8,0 - - /* - * This starts the data section. - */ - #ifdef CONFIG_X86_PAE --__PAGE_ALIGNED_DATA -- /* Page-aligned for the benefit of paravirt? */ -- .align PAGE_SIZE -+.section .initial_page_table,"a",@progbits - ENTRY(initial_page_table) - .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ - # if KPMDS == 3 -@@ -663,18 +758,27 @@ ENTRY(initial_page_table) - # error "Kernel PMDs should be 1, 2 or 3" - # endif - .align PAGE_SIZE /* needs to be page-sized too */ -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ENTRY(cpu_pgd) -+ .rept NR_CPUS -+ .fill 4,8,0 -+ .endr -+#endif -+ - #endif - - .data - .balign 4 - ENTRY(stack_start) -- .long init_thread_union+THREAD_SIZE -+ .long init_thread_union+THREAD_SIZE-8 -+ -+ready: .byte 0 - -+.section .rodata,"a",@progbits - early_recursion_flag: - .long 0 - --ready: .byte 0 -- - int_msg: - .asciz "Unknown interrupt or fault at: %p %p %p\n" - -@@ -707,7 +811,7 @@ fault_msg: - .word 0 # 32 bit align gdt_desc.address - boot_gdt_descr: - .word __BOOT_DS+7 -- .long boot_gdt - __PAGE_OFFSET -+ .long pa(boot_gdt) - - .word 0 # 32-bit align idt_desc.address - idt_descr: -@@ -718,7 +822,7 @@ idt_descr: - .word 0 # 32 bit align gdt_desc.address - ENTRY(early_gdt_descr) - .word GDT_ENTRIES*8-1 -- .long gdt_page /* Overwritten for secondary CPUs */ -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */ - - /* - * The boot_gdt must mirror the equivalent in setup.S and is -@@ -727,5 +831,65 @@ ENTRY(early_gdt_descr) - .align L1_CACHE_BYTES - ENTRY(boot_gdt) - .fill GDT_ENTRY_BOOT_CS,8,0 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */ -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */ -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */ -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */ -+ -+ .align PAGE_SIZE_asm -+ENTRY(cpu_gdt_table) -+ .rept NR_CPUS -+ .quad 0x0000000000000000 /* NULL descriptor */ -+ .quad 0x0000000000000000 /* 0x0b reserved */ -+ .quad 0x0000000000000000 /* 0x13 reserved */ -+ .quad 0x0000000000000000 /* 0x1b reserved */ -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */ -+#else -+ .quad 0x0000000000000000 /* 0x20 unused */ -+#endif -+ -+ .quad 0x0000000000000000 /* 0x28 unused */ -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */ -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */ -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */ -+ .quad 0x0000000000000000 /* 0x4b reserved */ -+ .quad 0x0000000000000000 /* 0x53 reserved */ -+ .quad 0x0000000000000000 /* 0x5b reserved */ -+ -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */ -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */ -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */ -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */ -+ -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */ -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */ -+ -+ /* -+ * Segments used for calling PnP BIOS have byte granularity. -+ * The code segments and data segments have fixed 64k limits, -+ * the transfer segment sizes are set at run time. -+ */ -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */ -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */ -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */ -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */ -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */ -+ -+ /* -+ * The APM segments have byte granularity and their bases -+ * are set at run time. All have 64k limits. -+ */ -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */ -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */ -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */ -+ -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */ -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */ -+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */ -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */ -+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */ -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */ -+ -+ /* Be sure this is zeroed to avoid false validations in Xen */ -+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0 -+ .endr -diff -urNp linux-2.6.39.3/arch/x86/kernel/head_64.S linux-2.6.39.3/arch/x86/kernel/head_64.S ---- linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400 -@@ -19,6 +19,7 @@ - #include <asm/cache.h> - #include <asm/processor-flags.h> - #include <asm/percpu.h> -+#include <asm/cpufeature.h> - - #ifdef CONFIG_PARAVIRT - #include <asm/asm-offsets.h> -@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET - L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET) - L4_START_KERNEL = pgd_index(__START_KERNEL_map) - L3_START_KERNEL = pud_index(__START_KERNEL_map) -+L4_VMALLOC_START = pgd_index(VMALLOC_START) -+L3_VMALLOC_START = pud_index(VMALLOC_START) -+L4_VMEMMAP_START = pgd_index(VMEMMAP_START) -+L3_VMEMMAP_START = pud_index(VMEMMAP_START) - - .text - __HEAD -@@ -85,35 +90,22 @@ startup_64: - */ - addq %rbp, init_level4_pgt + 0(%rip) - addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip) -+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip) -+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip) - addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip) - - addq %rbp, level3_ident_pgt + 0(%rip) -+#ifndef CONFIG_XEN -+ addq %rbp, level3_ident_pgt + 8(%rip) -+#endif - -- addq %rbp, level3_kernel_pgt + (510*8)(%rip) -- addq %rbp, level3_kernel_pgt + (511*8)(%rip) -+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip) - -- addq %rbp, level2_fixmap_pgt + (506*8)(%rip) -+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip) -+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip) - -- /* Add an Identity mapping if I am above 1G */ -- leaq _text(%rip), %rdi -- andq $PMD_PAGE_MASK, %rdi -- -- movq %rdi, %rax -- shrq $PUD_SHIFT, %rax -- andq $(PTRS_PER_PUD - 1), %rax -- jz ident_complete -- -- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx -- leaq level3_ident_pgt(%rip), %rbx -- movq %rdx, 0(%rbx, %rax, 8) -- -- movq %rdi, %rax -- shrq $PMD_SHIFT, %rax -- andq $(PTRS_PER_PMD - 1), %rax -- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx -- leaq level2_spare_pgt(%rip), %rbx -- movq %rdx, 0(%rbx, %rax, 8) --ident_complete: -+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip) -+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip) - - /* - * Fixup the kernel text+data virtual addresses. Note that -@@ -160,8 +152,8 @@ ENTRY(secondary_startup_64) - * after the boot processor executes this code. - */ - -- /* Enable PAE mode and PGE */ -- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax -+ /* Enable PAE mode and PSE/PGE */ -+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax - movq %rax, %cr4 - - /* Setup early boot stage 4 level pagetables. */ -@@ -183,9 +175,14 @@ ENTRY(secondary_startup_64) - movl $MSR_EFER, %ecx - rdmsr - btsl $_EFER_SCE, %eax /* Enable System Call */ -- btl $20,%edi /* No Execute supported? */ -+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */ - jnc 1f - btsl $_EFER_NX, %eax -+ leaq init_level4_pgt(%rip), %rdi -+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi) -+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi) -+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi) -+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip) - 1: wrmsr /* Make changes effective */ - - /* Setup cr0 */ -@@ -269,7 +266,7 @@ ENTRY(secondary_startup_64) - bad_address: - jmp bad_address - -- .section ".init.text","ax" -+ __INIT - #ifdef CONFIG_EARLY_PRINTK - .globl early_idt_handlers - early_idt_handlers: -@@ -314,18 +311,23 @@ ENTRY(early_idt_handler) - #endif /* EARLY_PRINTK */ - 1: hlt - jmp 1b -+ .previous - - #ifdef CONFIG_EARLY_PRINTK -+ __INITDATA - early_recursion_flag: - .long 0 -+ .previous - -+ .section .rodata,"a",@progbits - early_idt_msg: - .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" - early_idt_ripmsg: - .asciz "RIP %s\n" --#endif /* CONFIG_EARLY_PRINTK */ - .previous -+#endif /* CONFIG_EARLY_PRINTK */ - -+ .section .rodata,"a",@progbits - #define NEXT_PAGE(name) \ - .balign PAGE_SIZE; \ - ENTRY(name) -@@ -338,7 +340,6 @@ ENTRY(name) - i = i + 1 ; \ - .endr - -- .data - /* - * This default setting generates an ident mapping at address 0x100000 - * and a mapping for the kernel that precisely maps virtual address -@@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt) - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE - .org init_level4_pgt + L4_PAGE_OFFSET*8, 0 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE -+ .org init_level4_pgt + L4_VMALLOC_START*8, 0 -+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE -+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0 -+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE - .org init_level4_pgt + L4_START_KERNEL*8, 0 - /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */ - .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE - -+#ifdef CONFIG_PAX_PER_CPU_PGD -+NEXT_PAGE(cpu_pgd) -+ .rept NR_CPUS -+ .fill 512,8,0 -+ .endr -+#endif -+ - NEXT_PAGE(level3_ident_pgt) - .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE -+#ifdef CONFIG_XEN - .fill 511,8,0 -+#else -+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE -+ .fill 510,8,0 -+#endif -+ -+NEXT_PAGE(level3_vmalloc_pgt) -+ .fill 512,8,0 -+ -+NEXT_PAGE(level3_vmemmap_pgt) -+ .fill L3_VMEMMAP_START,8,0 -+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE - - NEXT_PAGE(level3_kernel_pgt) - .fill L3_START_KERNEL,8,0 -@@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt) - .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE - .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE - -+NEXT_PAGE(level2_vmemmap_pgt) -+ .fill 512,8,0 -+ - NEXT_PAGE(level2_fixmap_pgt) -- .fill 506,8,0 -- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE -- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */ -- .fill 5,8,0 -+ .fill 507,8,0 -+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE -+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */ -+ .fill 4,8,0 - --NEXT_PAGE(level1_fixmap_pgt) -+NEXT_PAGE(level1_vsyscall_pgt) - .fill 512,8,0 - --NEXT_PAGE(level2_ident_pgt) -- /* Since I easily can, map the first 1G. -+ /* Since I easily can, map the first 2G. - * Don't set NX because code runs from these pages. - */ -- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD) -+NEXT_PAGE(level2_ident_pgt) -+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD) - - NEXT_PAGE(level2_kernel_pgt) - /* -@@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt) - * If you want to increase this then increase MODULES_VADDR - * too.) - */ -- PMDS(0, __PAGE_KERNEL_LARGE_EXEC, -- KERNEL_IMAGE_SIZE/PMD_SIZE) -- --NEXT_PAGE(level2_spare_pgt) -- .fill 512, 8, 0 -+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE) - - #undef PMDS - #undef NEXT_PAGE - -- .data -+ .align PAGE_SIZE -+ENTRY(cpu_gdt_table) -+ .rept NR_CPUS -+ .quad 0x0000000000000000 /* NULL descriptor */ -+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */ -+ .quad 0x00af9b000000ffff /* __KERNEL_CS */ -+ .quad 0x00cf93000000ffff /* __KERNEL_DS */ -+ .quad 0x00cffb000000ffff /* __USER32_CS */ -+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */ -+ .quad 0x00affb000000ffff /* __USER_CS */ -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */ -+#else -+ .quad 0x0 /* unused */ -+#endif -+ -+ .quad 0,0 /* TSS */ -+ .quad 0,0 /* LDT */ -+ .quad 0,0,0 /* three TLS descriptors */ -+ .quad 0x0000f40000000000 /* node/CPU stored in limit */ -+ /* asm/segment.h:GDT_ENTRIES must match this */ -+ -+ /* zero the remaining page */ -+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0 -+ .endr -+ - .align 16 - .globl early_gdt_descr - early_gdt_descr: - .word GDT_ENTRIES*8-1 - early_gdt_descr_base: -- .quad INIT_PER_CPU_VAR(gdt_page) -+ .quad cpu_gdt_table - - ENTRY(phys_base) - /* This must match the first entry in level2_kernel_pgt */ - .quad 0x0000000000000000 - - #include "../../x86/xen/xen-head.S" -- -- .section .bss, "aw", @nobits -+ -+ .section .rodata,"a",@progbits - .align L1_CACHE_BYTES - ENTRY(idt_table) -- .skip IDT_ENTRIES * 16 -+ .fill 512,8,0 - - __PAGE_ALIGNED_BSS - .align PAGE_SIZE -diff -urNp linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c ---- linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void); - EXPORT_SYMBOL(cmpxchg8b_emu); - #endif - -+EXPORT_SYMBOL_GPL(cpu_gdt_table); -+ - /* Networking helper routines. */ - EXPORT_SYMBOL(csum_partial_copy_generic); -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user); -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user); - - EXPORT_SYMBOL(__get_user_1); - EXPORT_SYMBOL(__get_user_2); -@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr); - - EXPORT_SYMBOL(csum_partial); - EXPORT_SYMBOL(empty_zero_page); -+ -+#ifdef CONFIG_PAX_KERNEXEC -+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); -+#endif -diff -urNp linux-2.6.39.3/arch/x86/kernel/i8259.c linux-2.6.39.3/arch/x86/kernel/i8259.c ---- linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400 -@@ -210,7 +210,7 @@ spurious_8259A_irq: - "spurious 8259A interrupt: IRQ%d.\n", irq); - spurious_irq_mask |= irqmask; - } -- atomic_inc(&irq_err_count); -+ atomic_inc_unchecked(&irq_err_count); - /* - * Theoretically we do not have to handle this IRQ, - * but in Linux this does not cause problems and is -diff -urNp linux-2.6.39.3/arch/x86/kernel/init_task.c linux-2.6.39.3/arch/x86/kernel/init_task.c ---- linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400 -@@ -20,8 +20,7 @@ static struct sighand_struct init_sighan - * way process stacks are handled. This is done by having a special - * "init_task" linker map entry.. - */ --union thread_union init_thread_union __init_task_data = -- { INIT_THREAD_INFO(init_task) }; -+union thread_union init_thread_union __init_task_data; - - /* - * Initial task structure. -@@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task); - * section. Since TSS's are completely CPU-local, we want them - * on exact cacheline boundaries, to eliminate cacheline ping-pong. - */ --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS; -- -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS }; -+EXPORT_SYMBOL(init_tss); -diff -urNp linux-2.6.39.3/arch/x86/kernel/ioport.c linux-2.6.39.3/arch/x86/kernel/ioport.c ---- linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400 -@@ -6,6 +6,7 @@ - #include <linux/sched.h> - #include <linux/kernel.h> - #include <linux/capability.h> -+#include <linux/security.h> - #include <linux/errno.h> - #include <linux/types.h> - #include <linux/ioport.h> -@@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -+#ifdef CONFIG_GRKERNSEC_IO -+ if (turn_on && grsec_disable_privio) { -+ gr_handle_ioperm(); -+ return -EPERM; -+ } -+#endif - if (turn_on && !capable(CAP_SYS_RAWIO)) - return -EPERM; - -@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long - * because the ->io_bitmap_max value must match the bitmap - * contents: - */ -- tss = &per_cpu(init_tss, get_cpu()); -+ tss = init_tss + get_cpu(); - - if (turn_on) - bitmap_clear(t->io_bitmap_ptr, from, num); -@@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -+#ifdef CONFIG_GRKERNSEC_IO -+ if (grsec_disable_privio) { -+ gr_handle_iopl(); -+ return -EPERM; -+ } -+#endif - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/irq_32.c linux-2.6.39.3/arch/x86/kernel/irq_32.c ---- linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-07-06 20:00:13.000000000 -0400 -@@ -36,7 +36,7 @@ static int check_stack_overflow(void) - __asm__ __volatile__("andl %%esp,%0" : - "=r" (sp) : "0" (THREAD_SIZE - 1)); - -- return sp < (sizeof(struct thread_info) + STACK_WARN); -+ return sp < STACK_WARN; - } - - static void print_stack_overflow(void) -@@ -54,8 +54,8 @@ static inline void print_stack_overflow( - * per-CPU IRQ handling contexts (thread information and stack) - */ - union irq_ctx { -- struct thread_info tinfo; -- u32 stack[THREAD_SIZE/sizeof(u32)]; -+ unsigned long previous_esp; -+ u32 stack[THREAD_SIZE/sizeof(u32)]; - } __attribute__((aligned(THREAD_SIZE))); - - static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx); -@@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo - static inline int - execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) - { -- union irq_ctx *curctx, *irqctx; -+ union irq_ctx *irqctx; - u32 *isp, arg1, arg2; - -- curctx = (union irq_ctx *) current_thread_info(); - irqctx = __this_cpu_read(hardirq_ctx); - - /* -@@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc - * handler) we can't do that and just have to keep using the - * current stack (which is the irq stack already after all) - */ -- if (unlikely(curctx == irqctx)) -+ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE)) - return 0; - - /* build the stack frame on the IRQ stack */ -- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx)); -- irqctx->tinfo.task = curctx->tinfo.task; -- irqctx->tinfo.previous_esp = current_stack_pointer; -+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8); -+ irqctx->previous_esp = current_stack_pointer; - -- /* -- * Copy the softirq bits in preempt_count so that the -- * softirq checks work in the hardirq context. -- */ -- irqctx->tinfo.preempt_count = -- (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) | -- (curctx->tinfo.preempt_count & SOFTIRQ_MASK); -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ __set_fs(MAKE_MM_SEG(0)); -+#endif - - if (unlikely(overflow)) - call_on_stack(print_stack_overflow, isp); -@@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc - : "0" (irq), "1" (desc), "2" (isp), - "D" (desc->handle_irq) - : "memory", "cc", "ecx"); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ __set_fs(current_thread_info()->addr_limit); -+#endif -+ - return 1; - } - -@@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc - */ - void __cpuinit irq_ctx_init(int cpu) - { -- union irq_ctx *irqctx; -- - if (per_cpu(hardirq_ctx, cpu)) - return; - -- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu), -- THREAD_FLAGS, -- THREAD_ORDER)); -- memset(&irqctx->tinfo, 0, sizeof(struct thread_info)); -- irqctx->tinfo.cpu = cpu; -- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET; -- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0); -- -- per_cpu(hardirq_ctx, cpu) = irqctx; -- -- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu), -- THREAD_FLAGS, -- THREAD_ORDER)); -- memset(&irqctx->tinfo, 0, sizeof(struct thread_info)); -- irqctx->tinfo.cpu = cpu; -- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0); -- -- per_cpu(softirq_ctx, cpu) = irqctx; -+ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER)); -+ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER)); - - printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n", - cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu)); -@@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu) - asmlinkage void do_softirq(void) - { - unsigned long flags; -- struct thread_info *curctx; - union irq_ctx *irqctx; - u32 *isp; - -@@ -162,15 +142,22 @@ asmlinkage void do_softirq(void) - local_irq_save(flags); - - if (local_softirq_pending()) { -- curctx = current_thread_info(); - irqctx = __this_cpu_read(softirq_ctx); -- irqctx->tinfo.task = curctx->task; -- irqctx->tinfo.previous_esp = current_stack_pointer; -+ irqctx->previous_esp = current_stack_pointer; - - /* build the stack frame on the softirq stack */ -- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx)); -+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ __set_fs(MAKE_MM_SEG(0)); -+#endif - - call_on_stack(__do_softirq, isp); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ __set_fs(current_thread_info()->addr_limit); -+#endif -+ - /* - * Shouldn't happen, we returned above if in_interrupt(): - */ -diff -urNp linux-2.6.39.3/arch/x86/kernel/irq.c linux-2.6.39.3/arch/x86/kernel/irq.c ---- linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400 -@@ -17,7 +17,7 @@ - #include <asm/mce.h> - #include <asm/hw_irq.h> - --atomic_t irq_err_count; -+atomic_unchecked_t irq_err_count; - - /* Function pointer for generic interrupt vector handling */ - void (*x86_platform_ipi_callback)(void) = NULL; -@@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file - seq_printf(p, "%10u ", per_cpu(mce_poll_count, j)); - seq_printf(p, " Machine check polls\n"); - #endif -- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count)); -+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count)); - #if defined(CONFIG_X86_IO_APIC) -- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count)); -+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count)); - #endif - return 0; - } -@@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu) - - u64 arch_irq_stat(void) - { -- u64 sum = atomic_read(&irq_err_count); -+ u64 sum = atomic_read_unchecked(&irq_err_count); - - #ifdef CONFIG_X86_IO_APIC -- sum += atomic_read(&irq_mis_count); -+ sum += atomic_read_unchecked(&irq_mis_count); - #endif - return sum; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/kgdb.c linux-2.6.39.3/arch/x86/kernel/kgdb.c ---- linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem, - #ifdef CONFIG_X86_32 - switch (regno) { - case GDB_SS: -- if (!user_mode_vm(regs)) -+ if (!user_mode(regs)) - *(unsigned long *)mem = __KERNEL_DS; - break; - case GDB_SP: -- if (!user_mode_vm(regs)) -+ if (!user_mode(regs)) - *(unsigned long *)mem = kernel_stack_pointer(regs); - break; - case GDB_GS: -@@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec - case 'k': - /* clear the trace bit */ - linux_regs->flags &= ~X86_EFLAGS_TF; -- atomic_set(&kgdb_cpu_doing_single_step, -1); -+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1); - - /* set the trace bit if we're stepping */ - if (remcomInBuffer[0] == 's') { - linux_regs->flags |= X86_EFLAGS_TF; -- atomic_set(&kgdb_cpu_doing_single_step, -+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, - raw_smp_processor_id()); - } - -@@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args - return NOTIFY_DONE; - - case DIE_DEBUG: -- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) { -+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) { - if (user_mode(regs)) - return single_step_cont(regs, args); - break; -@@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re - regs->ip = ip; - } - --struct kgdb_arch arch_kgdb_ops = { -+const struct kgdb_arch arch_kgdb_ops = { - /* Breakpoint instruction: */ - .gdb_bpt_instr = { 0xcc }, - .flags = KGDB_HW_BREAKPOINT, -diff -urNp linux-2.6.39.3/arch/x86/kernel/kprobes.c linux-2.6.39.3/arch/x86/kernel/kprobes.c ---- linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400 -@@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat - } __attribute__((packed)) *insn; - - insn = (struct __arch_relative_insn *)from; -+ -+ pax_open_kernel(); - insn->raddr = (s32)((long)(to) - ((long)(from) + 5)); - insn->op = op; -+ pax_close_kernel(); - } - - /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/ -@@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op - kprobe_opcode_t opcode; - kprobe_opcode_t *orig_opcodes = opcodes; - -- if (search_exception_tables((unsigned long)opcodes)) -+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes))) - return 0; /* Page fault may occur on this address. */ - - retry: -@@ -314,7 +317,9 @@ static int __kprobes __copy_instruction( - } - } - insn_get_length(&insn); -+ pax_open_kernel(); - memcpy(dest, insn.kaddr, insn.length); -+ pax_close_kernel(); - - #ifdef CONFIG_X86_64 - if (insn_rip_relative(&insn)) { -@@ -338,7 +343,9 @@ static int __kprobes __copy_instruction( - (u8 *) dest; - BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */ - disp = (u8 *) dest + insn_offset_displacement(&insn); -+ pax_open_kernel(); - *(s32 *) disp = (s32) newdisp; -+ pax_close_kernel(); - } - #endif - return insn.length; -@@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s - */ - __copy_instruction(p->ainsn.insn, p->addr, 0); - -- if (can_boost(p->addr)) -+ if (can_boost(ktla_ktva(p->addr))) - p->ainsn.boostable = 0; - else - p->ainsn.boostable = -1; - -- p->opcode = *p->addr; -+ p->opcode = *(ktla_ktva(p->addr)); - } - - int __kprobes arch_prepare_kprobe(struct kprobe *p) -@@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s - * nor set current_kprobe, because it doesn't use single - * stepping. - */ -- regs->ip = (unsigned long)p->ainsn.insn; -+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn); - preempt_enable_no_resched(); - return; - } -@@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s - if (p->opcode == BREAKPOINT_INSTRUCTION) - regs->ip = (unsigned long)p->addr; - else -- regs->ip = (unsigned long)p->ainsn.insn; -+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn); - } - - /* -@@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru - setup_singlestep(p, regs, kcb, 0); - return 1; - } -- } else if (*addr != BREAKPOINT_INSTRUCTION) { -+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) { - /* - * The breakpoint instruction was removed right - * after we hit it. Another cpu has removed -@@ -817,7 +824,7 @@ static void __kprobes resume_execution(s - struct pt_regs *regs, struct kprobe_ctlblk *kcb) - { - unsigned long *tos = stack_addr(regs); -- unsigned long copy_ip = (unsigned long)p->ainsn.insn; -+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn); - unsigned long orig_ip = (unsigned long)p->addr; - kprobe_opcode_t *insn = p->ainsn.insn; - -@@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s - struct die_args *args = data; - int ret = NOTIFY_DONE; - -- if (args->regs && user_mode_vm(args->regs)) -+ if (args->regs && user_mode(args->regs)) - return ret; - - switch (val) { -@@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr - * Verify if the address gap is in 2GB range, because this uses - * a relative jump. - */ -- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE; -+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE; - if (abs(rel) > 0x7fffffff) - return -ERANGE; - -@@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr - synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op); - - /* Set probe function call */ -- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback); -+ synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback)); - - /* Set returning jmp instruction at the tail of out-of-line buffer */ - synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, -- (u8 *)op->kp.addr + op->optinsn.size); -+ (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size); - - flush_icache_range((unsigned long) buf, - (unsigned long) buf + TMPL_END_IDX + -@@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr - ((long)op->kp.addr + RELATIVEJUMP_SIZE)); - - /* Backup instructions which will be replaced by jump address */ -- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE, -+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE, - RELATIVE_ADDR_SIZE); - - insn_buf[0] = RELATIVEJUMP_OPCODE; -diff -urNp linux-2.6.39.3/arch/x86/kernel/ldt.c linux-2.6.39.3/arch/x86/kernel/ldt.c ---- linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400 -@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i - if (reload) { - #ifdef CONFIG_SMP - preempt_disable(); -- load_LDT(pc); -+ load_LDT_nolock(pc); - if (!cpumask_equal(mm_cpumask(current->mm), - cpumask_of(smp_processor_id()))) - smp_call_function(flush_ldt, current->mm, 1); - preempt_enable(); - #else -- load_LDT(pc); -+ load_LDT_nolock(pc); - #endif - } - if (oldsize) { -@@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t - return err; - - for (i = 0; i < old->size; i++) -- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE); -+ write_ldt_entry(new->ldt, i, old->ldt + i); - return 0; - } - -@@ -116,6 +116,24 @@ int init_new_context(struct task_struct - retval = copy_ldt(&mm->context, &old_mm->context); - mutex_unlock(&old_mm->context.lock); - } -+ -+ if (tsk == current) { -+ mm->context.vdso = 0; -+ -+#ifdef CONFIG_X86_32 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) -+ mm->context.user_cs_base = 0UL; -+ mm->context.user_cs_limit = ~0UL; -+ -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) -+ cpus_clear(mm->context.cpu_user_cs_mask); -+#endif -+ -+#endif -+#endif -+ -+ } -+ - return retval; - } - -@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u - } - } - -+#ifdef CONFIG_PAX_SEGMEXEC -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) { -+ error = -EINVAL; -+ goto out_unlock; -+ } -+#endif -+ - fill_ldt(&ldt, &ldt_info); - if (oldmode) - ldt.avl = 0; -diff -urNp linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c ---- linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -27,7 +27,7 @@ - #include <asm/cacheflush.h> - #include <asm/debugreg.h> - --static void set_idt(void *newidt, __u16 limit) -+static void set_idt(struct desc_struct *newidt, __u16 limit) - { - struct desc_ptr curidt; - -@@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16 - } - - --static void set_gdt(void *newgdt, __u16 limit) -+static void set_gdt(struct desc_struct *newgdt, __u16 limit) - { - struct desc_ptr curgdt; - -@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image) - } - - control_page = page_address(image->control_code_page); -- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE); -+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE); - - relocate_kernel_ptr = control_page; - page_list[PA_CONTROL_PAGE] = __pa(control_page); -diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_amd.c linux-2.6.39.3/arch/x86/kernel/microcode_amd.c ---- linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400 -@@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c - uci->mc = NULL; - } - --static struct microcode_ops microcode_amd_ops = { -+static const struct microcode_ops microcode_amd_ops = { - .request_microcode_user = request_microcode_user, - .request_microcode_fw = request_microcode_amd, - .collect_cpu_info = collect_cpu_info_amd, -@@ -347,7 +347,7 @@ static struct microcode_ops microcode_am - .microcode_fini_cpu = microcode_fini_cpu_amd, - }; - --struct microcode_ops * __init init_amd_microcode(void) -+const struct microcode_ops * __init init_amd_microcode(void) - { - return µcode_amd_ops; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_core.c linux-2.6.39.3/arch/x86/kernel/microcode_core.c ---- linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400 -@@ -93,7 +93,7 @@ MODULE_LICENSE("GPL"); - - #define MICROCODE_VERSION "2.00" - --static struct microcode_ops *microcode_ops; -+static const struct microcode_ops *microcode_ops; - - /* - * Synchronization. -diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_intel.c linux-2.6.39.3/arch/x86/kernel/microcode_intel.c ---- linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400 -@@ -440,13 +440,13 @@ static enum ucode_state request_microcod - - static int get_ucode_user(void *to, const void *from, size_t n) - { -- return copy_from_user(to, from, n); -+ return copy_from_user(to, (__force const void __user *)from, n); - } - - static enum ucode_state - request_microcode_user(int cpu, const void __user *buf, size_t size) - { -- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user); -+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user); - } - - static void microcode_fini_cpu(int cpu) -@@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu) - uci->mc = NULL; - } - --static struct microcode_ops microcode_intel_ops = { -+static const struct microcode_ops microcode_intel_ops = { - .request_microcode_user = request_microcode_user, - .request_microcode_fw = request_microcode_fw, - .collect_cpu_info = collect_cpu_info, -@@ -465,7 +465,7 @@ static struct microcode_ops microcode_in - .microcode_fini_cpu = microcode_fini_cpu, - }; - --struct microcode_ops * __init init_intel_microcode(void) -+const struct microcode_ops * __init init_intel_microcode(void) - { - return µcode_intel_ops; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/module.c linux-2.6.39.3/arch/x86/kernel/module.c ---- linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400 -@@ -35,21 +35,66 @@ - #define DEBUGP(fmt...) - #endif - --void *module_alloc(unsigned long size) -+static inline void *__module_alloc(unsigned long size, pgprot_t prot) - { - if (PAGE_ALIGN(size) > MODULES_LEN) - return NULL; - return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END, -- GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC, -+ GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot, - -1, __builtin_return_address(0)); - } - -+void *module_alloc(unsigned long size) -+{ -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ return __module_alloc(size, PAGE_KERNEL); -+#else -+ return __module_alloc(size, PAGE_KERNEL_EXEC); -+#endif -+ -+} -+ - /* Free memory returned from module_alloc */ - void module_free(struct module *mod, void *module_region) - { - vfree(module_region); - } - -+#ifdef CONFIG_PAX_KERNEXEC -+#ifdef CONFIG_X86_32 -+void *module_alloc_exec(unsigned long size) -+{ -+ struct vm_struct *area; -+ -+ if (size == 0) -+ return NULL; -+ -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END); -+ return area ? area->addr : NULL; -+} -+EXPORT_SYMBOL(module_alloc_exec); -+ -+void module_free_exec(struct module *mod, void *module_region) -+{ -+ vunmap(module_region); -+} -+EXPORT_SYMBOL(module_free_exec); -+#else -+void module_free_exec(struct module *mod, void *module_region) -+{ -+ module_free(mod, module_region); -+} -+EXPORT_SYMBOL(module_free_exec); -+ -+void *module_alloc_exec(unsigned long size) -+{ -+ return __module_alloc(size, PAGE_KERNEL_RX); -+} -+EXPORT_SYMBOL(module_alloc_exec); -+#endif -+#endif -+ - /* We don't need anything special. */ - int module_frob_arch_sections(Elf_Ehdr *hdr, - Elf_Shdr *sechdrs, -@@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs, - unsigned int i; - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr; - Elf32_Sym *sym; -- uint32_t *location; -+ uint32_t *plocation, location; - - DEBUGP("Applying relocate section %u to %u\n", relsec, - sechdrs[relsec].sh_info); - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) { - /* This is where to make the change */ -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr -- + rel[i].r_offset; -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset; -+ location = (uint32_t)plocation; -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR) -+ plocation = ktla_ktva((void *)plocation); - /* This is the symbol it is referring to. Note that all - undefined symbols have been resolved. */ - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr -@@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs, - switch (ELF32_R_TYPE(rel[i].r_info)) { - case R_386_32: - /* We add the value into the location given */ -- *location += sym->st_value; -+ pax_open_kernel(); -+ *plocation += sym->st_value; -+ pax_close_kernel(); - break; - case R_386_PC32: - /* Add the value, subtract its postition */ -- *location += sym->st_value - (uint32_t)location; -+ pax_open_kernel(); -+ *plocation += sym->st_value - location; -+ pax_close_kernel(); - break; - default: - printk(KERN_ERR "module %s: Unknown relocation: %u\n", -@@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd - case R_X86_64_NONE: - break; - case R_X86_64_64: -+ pax_open_kernel(); - *(u64 *)loc = val; -+ pax_close_kernel(); - break; - case R_X86_64_32: -+ pax_open_kernel(); - *(u32 *)loc = val; -+ pax_close_kernel(); - if (val != *(u32 *)loc) - goto overflow; - break; - case R_X86_64_32S: -+ pax_open_kernel(); - *(s32 *)loc = val; -+ pax_close_kernel(); - if ((s64)val != *(s32 *)loc) - goto overflow; - break; - case R_X86_64_PC32: - val -= (u64)loc; -+ pax_open_kernel(); - *(u32 *)loc = val; -+ pax_close_kernel(); -+ - #if 0 - if ((s64)val != *(s32 *)loc) - goto overflow; -diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt.c linux-2.6.39.3/arch/x86/kernel/paravirt.c ---- linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-07-19 18:26:58.000000000 -0400 -@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x) - { - return x; - } -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) -+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64); -+#endif - - void __init default_banner(void) - { -@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu - * corresponding structure. */ - static void *get_call_destination(u8 type) - { -- struct paravirt_patch_template tmpl = { -+ const struct paravirt_patch_template tmpl = { - .pv_init_ops = pv_init_ops, - .pv_time_ops = pv_time_ops, - .pv_cpu_ops = pv_cpu_ops, -@@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ - .pv_lock_ops = pv_lock_ops, - #endif - }; -+ -+ pax_track_stack(); -+ - return *((void **)&tmpl + type); - } - -@@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type, - if (opfunc == NULL) - /* If there's no function, patch it with a ud2a (BUG) */ - ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a)); -- else if (opfunc == _paravirt_nop) -+ else if (opfunc == (void *)_paravirt_nop) - /* If the operation is a nop, then nop the callsite */ - ret = paravirt_patch_nop(); - - /* identity functions just return their single argument */ -- else if (opfunc == _paravirt_ident_32) -+ else if (opfunc == (void *)_paravirt_ident_32) - ret = paravirt_patch_ident_32(insnbuf, len); -- else if (opfunc == _paravirt_ident_64) -+ else if (opfunc == (void *)_paravirt_ident_64) - ret = paravirt_patch_ident_64(insnbuf, len); -+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) -+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64) -+ ret = paravirt_patch_ident_64(insnbuf, len); -+#endif - - else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) || - type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) || -@@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn - if (insn_len > len || start == NULL) - insn_len = len; - else -- memcpy(insnbuf, start, insn_len); -+ memcpy(insnbuf, ktla_ktva(start), insn_len); - - return insn_len; - } -@@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void) - preempt_enable(); - } - --struct pv_info pv_info = { -+struct pv_info pv_info __read_only = { - .name = "bare hardware", - .paravirt_enabled = 0, - .kernel_rpl = 0, - .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */ - }; - --struct pv_init_ops pv_init_ops = { -+struct pv_init_ops pv_init_ops __read_only = { - .patch = native_patch, - }; - --struct pv_time_ops pv_time_ops = { -+struct pv_time_ops pv_time_ops __read_only = { - .sched_clock = native_sched_clock, - }; - --struct pv_irq_ops pv_irq_ops = { -+struct pv_irq_ops pv_irq_ops __read_only = { - .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl), - .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl), - .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable), -@@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops = { - #endif - }; - --struct pv_cpu_ops pv_cpu_ops = { -+struct pv_cpu_ops pv_cpu_ops __read_only = { - .cpuid = native_cpuid, - .get_debugreg = native_get_debugreg, - .set_debugreg = native_set_debugreg, -@@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops = { - .end_context_switch = paravirt_nop, - }; - --struct pv_apic_ops pv_apic_ops = { -+struct pv_apic_ops pv_apic_ops __read_only = { - #ifdef CONFIG_X86_LOCAL_APIC - .startup_ipi_hook = paravirt_nop, - #endif - }; - --#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE) -+#ifdef CONFIG_X86_32 -+#ifdef CONFIG_X86_PAE -+/* 64-bit pagetable entries */ -+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64) -+#else - /* 32-bit pagetable entries */ - #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32) -+#endif - #else - /* 64-bit pagetable entries */ - #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64) - #endif - --struct pv_mmu_ops pv_mmu_ops = { -+struct pv_mmu_ops pv_mmu_ops __read_only = { - - .read_cr2 = native_read_cr2, - .write_cr2 = native_write_cr2, -@@ -465,6 +480,12 @@ struct pv_mmu_ops pv_mmu_ops = { - }, - - .set_fixmap = native_set_fixmap, -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ .pax_open_kernel = native_pax_open_kernel, -+ .pax_close_kernel = native_pax_close_kernel, -+#endif -+ - }; - - EXPORT_SYMBOL_GPL(pv_time_ops); -diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c ---- linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400 -@@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t - arch_spin_lock(lock); - } - --struct pv_lock_ops pv_lock_ops = { -+struct pv_lock_ops pv_lock_ops __read_only = { - #ifdef CONFIG_SMP - .spin_is_locked = __ticket_spin_is_locked, - .spin_is_contended = __ticket_spin_is_contended, -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c ---- linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru - static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl); - static void get_tce_space_from_tar(void); - --static struct cal_chipset_ops calgary_chip_ops = { -+static const struct cal_chipset_ops calgary_chip_ops = { - .handle_quirks = calgary_handle_quirks, - .tce_cache_blast = calgary_tce_cache_blast, - .dump_error_regs = calgary_dump_error_regs - }; - --static struct cal_chipset_ops calioc2_chip_ops = { -+static const struct cal_chipset_ops calioc2_chip_ops = { - .handle_quirks = calioc2_handle_quirks, - .tce_cache_blast = calioc2_tce_cache_blast, - .dump_error_regs = calioc2_dump_error_regs -@@ -476,7 +476,7 @@ static void calgary_free_coherent(struct - free_pages((unsigned long)vaddr, get_order(size)); - } - --static struct dma_map_ops calgary_dma_ops = { -+static const struct dma_map_ops calgary_dma_ops = { - .alloc_coherent = calgary_alloc_coherent, - .free_coherent = calgary_free_coherent, - .map_sg = calgary_map_sg, -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-dma.c linux-2.6.39.3/arch/x86/kernel/pci-dma.c ---- linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400 -@@ -16,7 +16,7 @@ - - static int forbid_dac __read_mostly; - --struct dma_map_ops *dma_ops = &nommu_dma_ops; -+const struct dma_map_ops *dma_ops = &nommu_dma_ops; - EXPORT_SYMBOL(dma_ops); - - static int iommu_sac_force __read_mostly; -@@ -250,7 +250,7 @@ early_param("iommu", iommu_setup); - - int dma_supported(struct device *dev, u64 mask) - { -- struct dma_map_ops *ops = get_dma_ops(dev); -+ const struct dma_map_ops *ops = get_dma_ops(dev); - - #ifdef CONFIG_PCI - if (mask > 0xffffffff && forbid_dac > 0) { -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c ---- linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a - return -1; - } - --static struct dma_map_ops gart_dma_ops = { -+static const struct dma_map_ops gart_dma_ops = { - .map_sg = gart_map_sg, - .unmap_sg = gart_unmap_sg, - .map_page = gart_map_page, -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c ---- linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400 -@@ -2,7 +2,7 @@ - #include <asm/iommu_table.h> - #include <linux/string.h> - #include <linux/kallsyms.h> -- -+#include <linux/sched.h> - - #define DEBUG 1 - -@@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i - char sym_p[KSYM_SYMBOL_LEN]; - char sym_q[KSYM_SYMBOL_LEN]; - -+ pax_track_stack(); -+ - /* Simple cyclic dependency checker. */ - for (p = start; p < finish; p++) { - q = find_dependents_of(start, finish, p); -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-nommu.c linux-2.6.39.3/arch/x86/kernel/pci-nommu.c ---- linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400 -@@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str - flush_write_buffers(); - } - --struct dma_map_ops nommu_dma_ops = { -+const struct dma_map_ops nommu_dma_ops = { - .alloc_coherent = dma_generic_alloc_coherent, - .free_coherent = nommu_free_coherent, - .map_sg = nommu_map_sg, -diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c ---- linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400 -@@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent( - return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags); - } - --static struct dma_map_ops swiotlb_dma_ops = { -+static const struct dma_map_ops swiotlb_dma_ops = { - .mapping_error = swiotlb_dma_mapping_error, - .alloc_coherent = x86_swiotlb_alloc_coherent, - .free_coherent = swiotlb_free_coherent, -diff -urNp linux-2.6.39.3/arch/x86/kernel/process_32.c linux-2.6.39.3/arch/x86/kernel/process_32.c ---- linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 13:00:25.000000000 -0400 -@@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as - unsigned long thread_saved_pc(struct task_struct *tsk) - { - return ((unsigned long *)tsk->thread.sp)[3]; -+//XXX return tsk->thread.eip; - } - - #ifndef CONFIG_SMP -@@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i - unsigned long sp; - unsigned short ss, gs; - -- if (user_mode_vm(regs)) { -+ if (user_mode(regs)) { - sp = regs->sp; - ss = regs->ss & 0xffff; -- gs = get_user_gs(regs); - } else { - sp = kernel_stack_pointer(regs); - savesegment(ss, ss); -- savesegment(gs, gs); - } -+ gs = get_user_gs(regs); - - show_regs_common(); - -@@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag - struct task_struct *tsk; - int err; - -- childregs = task_pt_regs(p); -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8; - *childregs = *regs; - childregs->ax = 0; - childregs->sp = sp; - - p->thread.sp = (unsigned long) childregs; - p->thread.sp0 = (unsigned long) (childregs+1); -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); - - p->thread.ip = (unsigned long) ret_from_fork; - -@@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p, - struct thread_struct *prev = &prev_p->thread, - *next = &next_p->thread; - int cpu = smp_processor_id(); -- struct tss_struct *tss = &per_cpu(init_tss, cpu); -+ struct tss_struct *tss = init_tss + cpu; - bool preload_fpu; - - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */ -@@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p, - */ - lazy_save_gs(prev->gs); - -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ __set_fs(task_thread_info(next_p)->addr_limit); -+#endif -+ - /* - * Load the per-thread Thread-Local Storage descriptor. - */ -@@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p, - */ - arch_end_context_switch(next_p); - -+ percpu_write(current_task, next_p); -+ percpu_write(current_tinfo, &next_p->tinfo); -+ - if (preload_fpu) - __math_state_restore(); - -@@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p, - if (prev->gs | next->gs) - lazy_load_gs(next->gs); - -- percpu_write(current_task, next_p); -- - return prev_p; - } - -@@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru - } while (count++ < 16); - return 0; - } -- -diff -urNp linux-2.6.39.3/arch/x86/kernel/process_64.c linux-2.6.39.3/arch/x86/kernel/process_64.c ---- linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 13:00:25.000000000 -0400 -@@ -87,7 +87,7 @@ static void __exit_idle(void) - void exit_idle(void) - { - /* idle loop has pid 0 */ -- if (current->pid) -+ if (task_pid_nr(current)) - return; - __exit_idle(); - } -@@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag - struct pt_regs *childregs; - struct task_struct *me = current; - -- childregs = ((struct pt_regs *) -- (THREAD_SIZE + task_stack_page(p))) - 1; -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16; - *childregs = *regs; - - childregs->ax = 0; -@@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag - p->thread.sp = (unsigned long) childregs; - p->thread.sp0 = (unsigned long) (childregs+1); - p->thread.usersp = me->thread.usersp; -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); - - set_tsk_thread_flag(p, TIF_FORK); - -@@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p, - struct thread_struct *prev = &prev_p->thread; - struct thread_struct *next = &next_p->thread; - int cpu = smp_processor_id(); -- struct tss_struct *tss = &per_cpu(init_tss, cpu); -+ struct tss_struct *tss = init_tss + cpu; - unsigned fsindex, gsindex; - bool preload_fpu; - -@@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p, - prev->usersp = percpu_read(old_rsp); - percpu_write(old_rsp, next->usersp); - percpu_write(current_task, next_p); -+ percpu_write(current_tinfo, &next_p->tinfo); - -- percpu_write(kernel_stack, -- (unsigned long)task_stack_page(next_p) + -- THREAD_SIZE - KERNEL_STACK_OFFSET); -+ percpu_write(kernel_stack, next->sp0); - - /* - * Now maybe reload the debug registers and handle I/O bitmaps -@@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru - if (!p || p == current || p->state == TASK_RUNNING) - return 0; - stack = (unsigned long)task_stack_page(p); -- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE) -+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64)) - return 0; - fp = *(u64 *)(p->thread.sp); - do { -- if (fp < (unsigned long)stack || -- fp >= (unsigned long)stack+THREAD_SIZE) -+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64)) - return 0; - ip = *(u64 *)(fp+8); - if (!in_sched_functions(ip)) -diff -urNp linux-2.6.39.3/arch/x86/kernel/process.c linux-2.6.39.3/arch/x86/kernel/process.c ---- linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400 -@@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru - - void free_thread_info(struct thread_info *ti) - { -- free_thread_xstate(ti->task); - free_pages((unsigned long)ti, get_order(THREAD_SIZE)); - } - -+static struct kmem_cache *task_struct_cachep; -+ - void arch_task_cache_init(void) - { -- task_xstate_cachep = -- kmem_cache_create("task_xstate", xstate_size, -+ /* create a slab on which task_structs can be allocated */ -+ task_struct_cachep = -+ kmem_cache_create("task_struct", sizeof(struct task_struct), -+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL); -+ -+ task_xstate_cachep = -+ kmem_cache_create("task_xstate", xstate_size, - __alignof__(union thread_xstate), -- SLAB_PANIC | SLAB_NOTRACK, NULL); -+ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL); -+} -+ -+struct task_struct *alloc_task_struct_node(int node) -+{ -+ return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node); -+} -+ -+void free_task_struct(struct task_struct *task) -+{ -+ free_thread_xstate(task); -+ kmem_cache_free(task_struct_cachep, task); - } - - /* -@@ -70,7 +87,7 @@ void exit_thread(void) - unsigned long *bp = t->io_bitmap_ptr; - - if (bp) { -- struct tss_struct *tss = &per_cpu(init_tss, get_cpu()); -+ struct tss_struct *tss = init_tss + get_cpu(); - - t->io_bitmap_ptr = NULL; - clear_thread_flag(TIF_IO_BITMAP); -@@ -106,7 +123,7 @@ void show_regs_common(void) - - printk(KERN_CONT "\n"); - printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s", -- current->pid, current->comm, print_tainted(), -+ task_pid_nr(current), current->comm, print_tainted(), - init_utsname()->release, - (int)strcspn(init_utsname()->version, " "), - init_utsname()->version); -@@ -120,6 +137,9 @@ void flush_thread(void) - { - struct task_struct *tsk = current; - -+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF) -+ loadsegment(gs, 0); -+#endif - flush_ptrace_hw_breakpoint(tsk); - memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array)); - /* -@@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi - regs.di = (unsigned long) arg; - - #ifdef CONFIG_X86_32 -- regs.ds = __USER_DS; -- regs.es = __USER_DS; -+ regs.ds = __KERNEL_DS; -+ regs.es = __KERNEL_DS; - regs.fs = __KERNEL_PERCPU; -- regs.gs = __KERNEL_STACK_CANARY; -+ savesegment(gs, regs.gs); - #else - regs.ss = __KERNEL_DS; - #endif -@@ -401,7 +421,7 @@ void default_idle(void) - EXPORT_SYMBOL(default_idle); - #endif - --void stop_this_cpu(void *dummy) -+__noreturn void stop_this_cpu(void *dummy) - { - local_irq_disable(); - /* -@@ -665,16 +685,34 @@ static int __init idle_setup(char *str) - } - early_param("idle", idle_setup); - --unsigned long arch_align_stack(unsigned long sp) -+#ifdef CONFIG_PAX_RANDKSTACK -+asmlinkage void pax_randomize_kstack(void) - { -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) -- sp -= get_random_int() % 8192; -- return sp & ~0xf; --} -+ struct thread_struct *thread = ¤t->thread; -+ unsigned long time; - --unsigned long arch_randomize_brk(struct mm_struct *mm) --{ -- unsigned long range_end = mm->brk + 0x02000000; -- return randomize_range(mm->brk, range_end, 0) ? : mm->brk; --} -+ if (!randomize_va_space) -+ return; -+ -+ rdtscl(time); -+ -+ /* P4 seems to return a 0 LSB, ignore it */ -+#ifdef CONFIG_MPENTIUM4 -+ time &= 0x3EUL; -+ time <<= 2; -+#elif defined(CONFIG_X86_64) -+ time &= 0xFUL; -+ time <<= 4; -+#else -+ time &= 0x1FUL; -+ time <<= 3; -+#endif -+ -+ thread->sp0 ^= time; -+ load_sp0(init_tss + smp_processor_id(), thread); - -+#ifdef CONFIG_X86_64 -+ percpu_write(kernel_stack, thread->sp0); -+#endif -+} -+#endif -diff -urNp linux-2.6.39.3/arch/x86/kernel/ptrace.c linux-2.6.39.3/arch/x86/kernel/ptrace.c ---- linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400 -@@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi - unsigned long addr, unsigned long data) - { - int ret; -- unsigned long __user *datap = (unsigned long __user *)data; -+ unsigned long __user *datap = (__force unsigned long __user *)data; - - switch (request) { - /* read the word at location addr in the USER area. */ -@@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi - if ((int) addr < 0) - return -EIO; - ret = do_get_thread_area(child, addr, -- (struct user_desc __user *)data); -+ (__force struct user_desc __user *) data); - break; - - case PTRACE_SET_THREAD_AREA: - if ((int) addr < 0) - return -EIO; - ret = do_set_thread_area(child, addr, -- (struct user_desc __user *)data, 0); -+ (__force struct user_desc __user *) data, 0); - break; - #endif - -@@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas - memset(info, 0, sizeof(*info)); - info->si_signo = SIGTRAP; - info->si_code = si_code; -- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL; -+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL; - } - - void user_single_step_siginfo(struct task_struct *tsk, -@@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts - * We must return the syscall number to actually look up in the table. - * This can be -1L to skip running any syscall at all. - */ --asmregparm long syscall_trace_enter(struct pt_regs *regs) -+long syscall_trace_enter(struct pt_regs *regs) - { - long ret = 0; - -@@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru - return ret ?: regs->orig_ax; - } - --asmregparm void syscall_trace_leave(struct pt_regs *regs) -+void syscall_trace_leave(struct pt_regs *regs) - { - bool step; - -diff -urNp linux-2.6.39.3/arch/x86/kernel/pvclock.c linux-2.6.39.3/arch/x86/kernel/pvclock.c ---- linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400 -@@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc - return pv_tsc_khz; - } - --static atomic64_t last_value = ATOMIC64_INIT(0); -+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0); - - void pvclock_resume(void) - { -- atomic64_set(&last_value, 0); -+ atomic64_set_unchecked(&last_value, 0); - } - - cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src) -@@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct - * updating at the same time, and one of them could be slightly behind, - * making the assumption that last_value always go forward fail to hold. - */ -- last = atomic64_read(&last_value); -+ last = atomic64_read_unchecked(&last_value); - do { - if (ret < last) - return last; -- last = atomic64_cmpxchg(&last_value, last, ret); -+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret); - } while (unlikely(last != ret)); - - return ret; -diff -urNp linux-2.6.39.3/arch/x86/kernel/reboot.c linux-2.6.39.3/arch/x86/kernel/reboot.c ---- linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400 -@@ -35,7 +35,7 @@ void (*pm_power_off)(void); - EXPORT_SYMBOL(pm_power_off); - - static const struct desc_ptr no_idt = {}; --static int reboot_mode; -+static unsigned short reboot_mode; - enum reboot_type reboot_type = BOOT_KBD; - int reboot_force; - -@@ -307,13 +307,17 @@ core_initcall(reboot_init); - extern const unsigned char machine_real_restart_asm[]; - extern const u64 machine_real_restart_gdt[3]; - --void machine_real_restart(unsigned int type) -+__noreturn void machine_real_restart(unsigned int type) - { - void *restart_va; - unsigned long restart_pa; -- void (*restart_lowmem)(unsigned int); -+ void (* __noreturn restart_lowmem)(unsigned int); - u64 *lowmem_gdt; - -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) -+ struct desc_struct *gdt; -+#endif -+ - local_irq_disable(); - - /* Write zero to CMOS register number 0x0f, which the BIOS POST -@@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t - boot)". This seems like a fairly standard thing that gets set by - REBOOT.COM programs, and the previous reset routine did this - too. */ -- *((unsigned short *)0x472) = reboot_mode; -+ *(unsigned short *)(__va(0x472)) = reboot_mode; - - /* Patch the GDT in the low memory trampoline */ - lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt); - - restart_va = TRAMPOLINE_SYM(machine_real_restart_asm); - restart_pa = virt_to_phys(restart_va); -- restart_lowmem = (void (*)(unsigned int))restart_pa; -+ restart_lowmem = (void *)restart_pa; - - /* GDT[0]: GDT self-pointer */ - lowmem_gdt[0] = -@@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t - GDT_ENTRY(0x009b, restart_pa, 0xffff); - - /* Jump to the identity-mapped low memory code */ -+ -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) -+ gdt = get_cpu_gdt_table(smp_processor_id()); -+ pax_open_kernel(); -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ gdt[GDT_ENTRY_KERNEL_DS].type = 3; -+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; -+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory"); -+#endif -+#ifdef CONFIG_PAX_KERNEXEC -+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0; -+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0; -+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0; -+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff; -+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf; -+ gdt[GDT_ENTRY_KERNEL_CS].g = 1; -+#endif -+ pax_close_kernel(); -+#endif -+ -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type)); -+ unreachable(); -+#else - restart_lowmem(type); -+#endif -+ - } - #ifdef CONFIG_APM_MODULE - EXPORT_SYMBOL(machine_real_restart); -@@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f - { - } - --static void native_machine_emergency_restart(void) -+__noreturn static void native_machine_emergency_restart(void) - { - int i; - -@@ -593,13 +623,13 @@ void native_machine_shutdown(void) - #endif - } - --static void __machine_emergency_restart(int emergency) -+static __noreturn void __machine_emergency_restart(int emergency) - { - reboot_emergency = emergency; - machine_ops.emergency_restart(); - } - --static void native_machine_restart(char *__unused) -+static __noreturn void native_machine_restart(char *__unused) - { - printk("machine restart\n"); - -@@ -608,7 +638,7 @@ static void native_machine_restart(char - __machine_emergency_restart(0); - } - --static void native_machine_halt(void) -+static __noreturn void native_machine_halt(void) - { - /* stop other cpus and apics */ - machine_shutdown(); -@@ -619,7 +649,7 @@ static void native_machine_halt(void) - stop_this_cpu(NULL); - } - --static void native_machine_power_off(void) -+__noreturn static void native_machine_power_off(void) - { - if (pm_power_off) { - if (!reboot_force) -@@ -628,6 +658,7 @@ static void native_machine_power_off(voi - } - /* a fallback in case there is no PM info available */ - tboot_shutdown(TB_SHUTDOWN_HALT); -+ unreachable(); - } - - struct machine_ops machine_ops = { -diff -urNp linux-2.6.39.3/arch/x86/kernel/setup.c linux-2.6.39.3/arch/x86/kernel/setup.c ---- linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 13:00:25.000000000 -0400 -@@ -650,7 +650,7 @@ static void __init trim_bios_range(void) - * area (640->1Mb) as ram even though it is not. - * take them out. - */ -- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); -+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1); - sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); - } - -@@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p) - - if (!boot_params.hdr.root_flags) - root_mountflags &= ~MS_RDONLY; -- init_mm.start_code = (unsigned long) _text; -- init_mm.end_code = (unsigned long) _etext; -+ init_mm.start_code = ktla_ktva((unsigned long) _text); -+ init_mm.end_code = ktla_ktva((unsigned long) _etext); - init_mm.end_data = (unsigned long) _edata; - init_mm.brk = _brk_end; - -- code_resource.start = virt_to_phys(_text); -- code_resource.end = virt_to_phys(_etext)-1; -- data_resource.start = virt_to_phys(_etext); -+ code_resource.start = virt_to_phys(ktla_ktva(_text)); -+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1; -+ data_resource.start = virt_to_phys(_sdata); - data_resource.end = virt_to_phys(_edata)-1; - bss_resource.start = virt_to_phys(&__bss_start); - bss_resource.end = virt_to_phys(&__bss_stop)-1; -diff -urNp linux-2.6.39.3/arch/x86/kernel/setup_percpu.c linux-2.6.39.3/arch/x86/kernel/setup_percpu.c ---- linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400 -@@ -21,19 +21,17 @@ - #include <asm/cpu.h> - #include <asm/stackprotector.h> - --DEFINE_PER_CPU(int, cpu_number); -+#ifdef CONFIG_SMP -+DEFINE_PER_CPU(unsigned int, cpu_number); - EXPORT_PER_CPU_SYMBOL(cpu_number); -+#endif - --#ifdef CONFIG_X86_64 - #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load) --#else --#define BOOT_PERCPU_OFFSET 0 --#endif - - DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET; - EXPORT_PER_CPU_SYMBOL(this_cpu_off); - --unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = { -+unsigned long __per_cpu_offset[NR_CPUS] __read_only = { - [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET, - }; - EXPORT_SYMBOL(__per_cpu_offset); -@@ -155,10 +153,10 @@ static inline void setup_percpu_segment( - { - #ifdef CONFIG_X86_32 - struct desc_struct gdt; -+ unsigned long base = per_cpu_offset(cpu); - -- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF, -- 0x2 | DESCTYPE_S, 0x8); -- gdt.s = 1; -+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT, -+ 0x83 | DESCTYPE_S, 0xC); - write_gdt_entry(get_cpu_gdt_table(cpu), - GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S); - #endif -@@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void) - /* alrighty, percpu areas up and running */ - delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; - for_each_possible_cpu(cpu) { -+#ifdef CONFIG_CC_STACKPROTECTOR -+#ifdef CONFIG_X86_32 -+ unsigned long canary = per_cpu(stack_canary.canary, cpu); -+#endif -+#endif - per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]; - per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu); - per_cpu(cpu_number, cpu) = cpu; -@@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void) - */ - set_cpu_numa_node(cpu, early_cpu_to_node(cpu)); - #endif -+#ifdef CONFIG_CC_STACKPROTECTOR -+#ifdef CONFIG_X86_32 -+ if (!cpu) -+ per_cpu(stack_canary.canary, cpu) = canary; -+#endif -+#endif - /* - * Up to this point, the boot CPU has been using .init.data - * area. Reload any changed state for the boot CPU. -diff -urNp linux-2.6.39.3/arch/x86/kernel/signal.c linux-2.6.39.3/arch/x86/kernel/signal.c ---- linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400 -@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi - * Align the stack pointer according to the i386 ABI, - * i.e. so that on function entry ((sp + 4) & 15) == 0. - */ -- sp = ((sp + 4) & -16ul) - 4; -+ sp = ((sp - 12) & -16ul) - 4; - #else /* !CONFIG_X86_32 */ - sp = round_down(sp, 16) - 8; - #endif -@@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str - * Return an always-bogus address instead so we will die with SIGSEGV. - */ - if (onsigstack && !likely(on_sig_stack(sp))) -- return (void __user *)-1L; -+ return (__force void __user *)-1L; - - /* save i387 state */ - if (used_math() && save_i387_xstate(*fpstate) < 0) -- return (void __user *)-1L; -+ return (__force void __user *)-1L; - - return (void __user *)sp; - } -@@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio - } - - if (current->mm->context.vdso) -- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); - else -- restorer = &frame->retcode; -+ restorer = (void __user *)&frame->retcode; - if (ka->sa.sa_flags & SA_RESTORER) - restorer = ka->sa.sa_restorer; - -@@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio - * reasons and because gdb uses it as a signature to notice - * signal handler stack frames. - */ -- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode); -+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode); - - if (err) - return -EFAULT; -@@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); - - /* Set up to return from userspace. */ -- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); -+ if (current->mm->context.vdso) -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); -+ else -+ restorer = (void __user *)&frame->retcode; - if (ka->sa.sa_flags & SA_RESTORER) - restorer = ka->sa.sa_restorer; - put_user_ex(restorer, &frame->pretcode); -@@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str - * reasons and because gdb uses it as a signature to notice - * signal handler stack frames. - */ -- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode); -+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode); - } put_user_catch(err); - - if (err) -@@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re - int signr; - sigset_t *oldset; - -+ pax_track_stack(); -+ - /* - * We want the common case to go fast, which is why we may in certain - * cases get here from kernel mode. Just return without doing anything -@@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re - * X86_32: vm86 regs switched out by assembly code before reaching - * here, so testing against kernel CS suffices. - */ -- if (!user_mode(regs)) -+ if (!user_mode_novm(regs)) - return; - - if (current_thread_info()->status & TS_RESTORE_SIGMASK) -diff -urNp linux-2.6.39.3/arch/x86/kernel/smpboot.c linux-2.6.39.3/arch/x86/kernel/smpboot.c ---- linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 12:55:22.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 13:00:25.000000000 -0400 -@@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api - set_idle_for_cpu(cpu, c_idle.idle); - do_rest: - per_cpu(current_task, cpu) = c_idle.idle; -+ per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo; - #ifdef CONFIG_X86_32 - /* Stack for startup_32 can be just as for start_secondary onwards */ - irq_ctx_init(cpu); - #else - clear_tsk_thread_flag(c_idle.idle, TIF_FORK); - initial_gs = per_cpu_offset(cpu); -- per_cpu(kernel_stack, cpu) = -- (unsigned long)task_stack_page(c_idle.idle) - -- KERNEL_STACK_OFFSET + THREAD_SIZE; -+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE; - #endif -+ -+ pax_open_kernel(); - early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu); -+ pax_close_kernel(); -+ - initial_code = (unsigned long)start_secondary; - stack_start = c_idle.idle->thread.sp; - -@@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int - - per_cpu(cpu_state, cpu) = CPU_UP_PREPARE; - -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY, -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY, -+ KERNEL_PGD_PTRS); -+#endif -+ - err = do_boot_cpu(apicid, cpu); - if (err) { - pr_debug("do_boot_cpu failed %d\n", err); -diff -urNp linux-2.6.39.3/arch/x86/kernel/step.c linux-2.6.39.3/arch/x86/kernel/step.c ---- linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400 -@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc - struct desc_struct *desc; - unsigned long base; - -- seg &= ~7UL; -+ seg >>= 3; - - mutex_lock(&child->mm->context.lock); -- if (unlikely((seg >> 3) >= child->mm->context.size)) -+ if (unlikely(seg >= child->mm->context.size)) - addr = -1L; /* bogus selector, access would fault */ - else { - desc = child->mm->context.ldt + seg; -@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc - addr += base; - } - mutex_unlock(&child->mm->context.lock); -- } -+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS) -+ addr = ktla_ktva(addr); - - return addr; - } -@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t - unsigned char opcode[15]; - unsigned long addr = convert_ip_to_linear(child, regs); - -+ if (addr == -EINVAL) -+ return 0; -+ - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0); - for (i = 0; i < copied; i++) { - switch (opcode[i]) { -@@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t - - #ifdef CONFIG_X86_64 - case 0x40 ... 0x4f: -- if (regs->cs != __USER_CS) -+ if ((regs->cs & 0xffff) != __USER_CS) - /* 32-bit mode: register increment */ - return 0; - /* 64-bit mode: REX prefix */ -diff -urNp linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S ---- linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400 -@@ -1,3 +1,4 @@ -+.section .rodata,"a",@progbits - ENTRY(sys_call_table) - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */ - .long sys_exit -diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c ---- linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400 -@@ -24,17 +24,224 @@ - - #include <asm/syscalls.h> - --/* -- * Do a system call from kernel instead of calling sys_execve so we -- * end up with proper pt_regs. -- */ --int kernel_execve(const char *filename, -- const char *const argv[], -- const char *const envp[]) -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags) - { -- long __res; -- asm volatile ("int $0x80" -- : "=a" (__res) -- : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory"); -- return __res; -+ unsigned long pax_task_size = TASK_SIZE; -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) -+ pax_task_size = SEGMEXEC_TASK_SIZE; -+#endif -+ -+ if (len > pax_task_size || addr > pax_task_size - len) -+ return -EINVAL; -+ -+ return 0; -+} -+ -+unsigned long -+arch_get_unmapped_area(struct file *filp, unsigned long addr, -+ unsigned long len, unsigned long pgoff, unsigned long flags) -+{ -+ struct mm_struct *mm = current->mm; -+ struct vm_area_struct *vma; -+ unsigned long start_addr, pax_task_size = TASK_SIZE; -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) -+ pax_task_size = SEGMEXEC_TASK_SIZE; -+#endif -+ -+ pax_task_size -= PAGE_SIZE; -+ -+ if (len > pax_task_size) -+ return -ENOMEM; -+ -+ if (flags & MAP_FIXED) -+ return addr; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ -+ if (addr) { -+ addr = PAGE_ALIGN(addr); -+ if (pax_task_size - len >= addr) { -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) -+ return addr; -+ } -+ } -+ if (len > mm->cached_hole_size) { -+ start_addr = addr = mm->free_area_cache; -+ } else { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ } -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) { -+ start_addr = 0x00110000UL; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ start_addr += mm->delta_mmap & 0x03FFF000UL; -+#endif -+ -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base) -+ start_addr = addr = mm->mmap_base; -+ else -+ addr = start_addr; -+ } -+#endif -+ -+full_search: -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { -+ /* At this point: (!vma || addr < vma->vm_end). */ -+ if (pax_task_size - len < addr) { -+ /* -+ * Start a new search - just in case we missed -+ * some holes. -+ */ -+ if (start_addr != mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ return -ENOMEM; -+ } -+ if (check_heap_stack_gap(vma, addr, len)) -+ break; -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; -+ addr = vma->vm_end; -+ if (mm->start_brk <= addr && addr < mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ } -+ -+ /* -+ * Remember the place where we stopped the search: -+ */ -+ mm->free_area_cache = addr + len; -+ return addr; -+} -+ -+unsigned long -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, -+ const unsigned long len, const unsigned long pgoff, -+ const unsigned long flags) -+{ -+ struct vm_area_struct *vma; -+ struct mm_struct *mm = current->mm; -+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) -+ pax_task_size = SEGMEXEC_TASK_SIZE; -+#endif -+ -+ pax_task_size -= PAGE_SIZE; -+ -+ /* requested length too big for entire address space */ -+ if (len > pax_task_size) -+ return -ENOMEM; -+ -+ if (flags & MAP_FIXED) -+ return addr; -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) -+ goto bottomup; -+#endif -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ -+ /* requesting a specific address */ -+ if (addr) { -+ addr = PAGE_ALIGN(addr); -+ if (pax_task_size - len >= addr) { -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) -+ return addr; -+ } -+ } -+ -+ /* check if free_area_cache is useful for us */ -+ if (len <= mm->cached_hole_size) { -+ mm->cached_hole_size = 0; -+ mm->free_area_cache = mm->mmap_base; -+ } -+ -+ /* either no address requested or can't fit in requested address hole */ -+ addr = mm->free_area_cache; -+ -+ /* make sure it can fit in the remaining address space */ -+ if (addr > len) { -+ vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr-len); -+ } -+ -+ if (mm->mmap_base < len) -+ goto bottomup; -+ -+ addr = mm->mmap_base-len; -+ -+ do { -+ /* -+ * Lookup failure means no vma is above this address, -+ * else if new region fits below vma->vm_start, -+ * return with success: -+ */ -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr); -+ -+ /* remember the largest hole we saw so far */ -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; -+ -+ /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len); -+ } while (!IS_ERR_VALUE(addr)); -+ -+bottomup: -+ /* -+ * A failed mmap() very likely causes application failure, -+ * so fall back to the bottom-up function here. This scenario -+ * can happen with large stack limits and large mmap() -+ * allocations. -+ */ -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE; -+ else -+#endif -+ -+ mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ -+ mm->free_area_cache = mm->mmap_base; -+ mm->cached_hole_size = ~0UL; -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags); -+ /* -+ * Restore the topdown base: -+ */ -+ mm->mmap_base = base; -+ mm->free_area_cache = base; -+ mm->cached_hole_size = ~0UL; -+ -+ return addr; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c ---- linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400 -@@ -32,8 +32,8 @@ out: - return error; - } - --static void find_start_end(unsigned long flags, unsigned long *begin, -- unsigned long *end) -+static void find_start_end(struct mm_struct *mm, unsigned long flags, -+ unsigned long *begin, unsigned long *end) - { - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) { - unsigned long new_begin; -@@ -52,7 +52,7 @@ static void find_start_end(unsigned long - *begin = new_begin; - } - } else { -- *begin = TASK_UNMAPPED_BASE; -+ *begin = mm->mmap_base; - *end = TASK_SIZE; - } - } -@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp - if (flags & MAP_FIXED) - return addr; - -- find_start_end(flags, &begin, &end); -+ find_start_end(mm, flags, &begin, &end); - - if (len > end) - return -ENOMEM; - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - if (addr) { - addr = PAGE_ALIGN(addr); - vma = find_vma(mm, addr); -- if (end - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len)) - return addr; - } - if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32)) -@@ -106,7 +109,7 @@ full_search: - } - return -ENOMEM; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { - /* - * Remember the place where we stopped the search: - */ -@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi - { - struct vm_area_struct *vma; - struct mm_struct *mm = current->mm; -- unsigned long addr = addr0; -+ unsigned long base = mm->mmap_base, addr = addr0; - - /* requested length too big for entire address space */ - if (len > TASK_SIZE) -@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) - goto bottomup; - -+#ifdef CONFIG_PAX_RANDMMAP -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) -+#endif -+ - /* requesting a specific address */ - if (addr) { - addr = PAGE_ALIGN(addr); -- vma = find_vma(mm, addr); -- if (TASK_SIZE - len >= addr && -- (!vma || addr + len <= vma->vm_start)) -- return addr; -+ if (TASK_SIZE - len >= addr) { -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) -+ return addr; -+ } - } - - /* check if free_area_cache is useful for us */ -@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi - /* make sure it can fit in the remaining address space */ - if (addr > len) { - vma = find_vma(mm, addr-len); -- if (!vma || addr <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr - len, len)) - /* remember the address as a hint for next time */ - return mm->free_area_cache = addr-len; - } -@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi - * return with success: - */ - vma = find_vma(mm, addr); -- if (!vma || addr+len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) - /* remember the address as a hint for next time */ - return mm->free_area_cache = addr; - -@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start-len; -- } while (len < vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); -+ } while (!IS_ERR_VALUE(addr)); - - bottomup: - /* -@@ -198,13 +206,21 @@ bottomup: - * can happen with large stack limits and large mmap() - * allocations. - */ -+ mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ -+ mm->free_area_cache = mm->mmap_base; - mm->cached_hole_size = ~0UL; -- mm->free_area_cache = TASK_UNMAPPED_BASE; - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags); - /* - * Restore the topdown base: - */ -- mm->free_area_cache = mm->mmap_base; -+ mm->mmap_base = base; -+ mm->free_area_cache = base; - mm->cached_hole_size = ~0UL; - - return addr; -diff -urNp linux-2.6.39.3/arch/x86/kernel/tboot.c linux-2.6.39.3/arch/x86/kernel/tboot.c ---- linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400 -@@ -218,7 +218,7 @@ static int tboot_setup_sleep(void) - - void tboot_shutdown(u32 shutdown_type) - { -- void (*shutdown)(void); -+ void (* __noreturn shutdown)(void); - - if (!tboot_enabled()) - return; -@@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type) - - switch_to_tboot_pt(); - -- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry; -+ shutdown = (void *)tboot->shutdown_entry; - shutdown(); - - /* should not reach here */ -@@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1 - tboot_shutdown(acpi_shutdown_map[sleep_state]); - } - --static atomic_t ap_wfs_count; -+static atomic_unchecked_t ap_wfs_count; - - static int tboot_wait_for_aps(int num_aps) - { -@@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback( - { - switch (action) { - case CPU_DYING: -- atomic_inc(&ap_wfs_count); -+ atomic_inc_unchecked(&ap_wfs_count); - if (num_online_cpus() == 1) -- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count))) -+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count))) - return NOTIFY_BAD; - break; - } -@@ -342,7 +342,7 @@ static __init int tboot_late_init(void) - - tboot_create_trampoline(); - -- atomic_set(&ap_wfs_count, 0); -+ atomic_set_unchecked(&ap_wfs_count, 0); - register_hotcpu_notifier(&tboot_cpu_notifier); - return 0; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/time.c linux-2.6.39.3/arch/x86/kernel/time.c ---- linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400 -@@ -22,17 +22,13 @@ - #include <asm/hpet.h> - #include <asm/time.h> - --#ifdef CONFIG_X86_64 --volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES; --#endif -- - unsigned long profile_pc(struct pt_regs *regs) - { - unsigned long pc = instruction_pointer(regs); - -- if (!user_mode_vm(regs) && in_lock_functions(pc)) { -+ if (!user_mode(regs) && in_lock_functions(pc)) { - #ifdef CONFIG_FRAME_POINTER -- return *(unsigned long *)(regs->bp + sizeof(long)); -+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long))); - #else - unsigned long *sp = - (unsigned long *)kernel_stack_pointer(regs); -@@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs - * or above a saved flags. Eflags has bits 22-31 zero, - * kernel addresses don't. - */ -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ return ktla_ktva(sp[0]); -+#else - if (sp[0] >> 22) - return sp[0]; - if (sp[1] >> 22) - return sp[1]; - #endif -+ -+#endif - } - return pc; - } -diff -urNp linux-2.6.39.3/arch/x86/kernel/tls.c linux-2.6.39.3/arch/x86/kernel/tls.c ---- linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400 -@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) - return -EINVAL; - |