diff options
author | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-09-06 06:15:14 -0400 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-09-06 06:15:14 -0400 |
commit | 15a4589217638beed6f6ae7eccd986f160eaa920 (patch) | |
tree | 2f25aaf9d2643512bed01eaad91a5253f1b188ba | |
parent | Updated Grsec/PaX (diff) | |
download | hardened-patchset-15a4589217638beed6f6ae7eccd986f160eaa920.tar.gz hardened-patchset-15a4589217638beed6f6ae7eccd986f160eaa920.tar.bz2 hardened-patchset-15a4589217638beed6f6ae7eccd986f160eaa920.zip |
Updated Grsec/PaX20100904
2.2.0-2.6.32.21-201008292122 for 2.6.32.21
2.2.0-2.6.34.6-201008292122 for 2.6.34.6
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201009032133.patch (renamed from 2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201008292122.patch) | 535 | ||||
-rw-r--r-- | 2.6.34/0000_README | 2 | ||||
-rw-r--r-- | 2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201009041352.patch (renamed from 2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201008292122.patch) | 459 |
4 files changed, 692 insertions, 306 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index df48344..6e24f10 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.0-2.6.32.21-201008292122.patch +Patch: 4420_grsecurity-2.2.0-2.6.32.21-201009032133.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201008292122.patch b/2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201009032133.patch index b9f681c..a84a4ea 100644 --- a/2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201008292122.patch +++ b/2.6.32/4420_grsecurity-2.2.0-2.6.32.21-201009032133.patch @@ -3057,8 +3057,8 @@ diff -urNp linux-2.6.32.21/arch/sh/kernel/kgdb.c linux-2.6.32.21/arch/sh/kernel/ .gdb_bpt_instr = { 0x3c, 0xc3 }, diff -urNp linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h --- linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h 2010-08-29 21:08:20.000000000 -0400 -+++ linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h 2010-08-29 21:14:19.000000000 -0400 -@@ -14,18 +14,39 @@ ++++ linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h 2010-08-29 21:46:28.000000000 -0400 +@@ -14,18 +14,40 @@ #define ATOMIC64_INIT(i) { (i) } #define atomic_read(v) ((v)->counter) @@ -3093,20 +3093,23 @@ diff -urNp linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h linux-2.6.32.21/ar +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *); extern int atomic_add_ret(int, atomic_t *); ++extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *); extern long atomic64_add_ret(long, atomic64_t *); +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *); extern int atomic_sub_ret(int, atomic_t *); extern long atomic64_sub_ret(long, atomic64_t *); -@@ -34,6 +55,7 @@ extern long atomic64_sub_ret(long, atomi +@@ -33,7 +55,9 @@ extern long atomic64_sub_ret(long, atomi + #define atomic64_dec_return(v) atomic64_sub_ret(1, v) #define atomic_inc_return(v) atomic_add_ret(1, v) ++#define atomic_inc_return_unchecked(v) atomic_add_ret_unchecked(1, v) #define atomic64_inc_return(v) atomic64_add_ret(1, v) +#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v) #define atomic_sub_return(i, v) atomic_sub_ret(i, v) #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v) -@@ -59,10 +81,26 @@ extern long atomic64_sub_ret(long, atomi +@@ -59,10 +83,26 @@ extern long atomic64_sub_ret(long, atomi #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0) #define atomic_inc(v) atomic_add(1, v) @@ -3133,7 +3136,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h linux-2.6.32.21/ar #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0) #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0) -@@ -72,17 +110,28 @@ extern long atomic64_sub_ret(long, atomi +@@ -72,17 +112,28 @@ extern long atomic64_sub_ret(long, atomi static inline int atomic_add_unless(atomic_t *v, int a, int u) { @@ -3166,7 +3169,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/include/asm/atomic_64.h linux-2.6.32.21/ar } #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) -@@ -93,17 +142,28 @@ static inline int atomic_add_unless(atom +@@ -93,17 +144,28 @@ static inline int atomic_add_unless(atom static inline long atomic64_add_unless(atomic64_t *v, long a, long u) { @@ -3715,7 +3718,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/kernel/traps_64.c linux-2.6.32.21/arch/spa sprintf (buffer, "Bad trap %lx at tl>0", lvl); diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc/lib/atomic_64.S --- linux-2.6.32.21/arch/sparc/lib/atomic_64.S 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/arch/sparc/lib/atomic_64.S 2010-08-13 18:34:40.000000000 -0400 ++++ linux-2.6.32.21/arch/sparc/lib/atomic_64.S 2010-08-29 21:48:28.000000000 -0400 @@ -18,7 +18,12 @@ atomic_add: /* %o0 = increment, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) @@ -3798,7 +3801,28 @@ diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc cas [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %icc, 2f -@@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1 +@@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1 + 2: BACKOFF_SPIN(%o2, %o3, 1b) + .size atomic_add_ret, .-atomic_add_ret + ++ .globl atomic_add_ret_unchecked ++ .type atomic_add_ret_unchecked,#function ++atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: lduw [%o1], %g1 ++ addcc %g1, %o0, %g7 ++ cas [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %icc, 2f ++ add %g7, %o0, %g7 ++ sra %g7, 0, %o0 ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked ++ + .globl atomic_sub_ret + .type atomic_sub_ret,#function atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) 1: lduw [%o1], %g1 @@ -3812,7 +3836,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc cas [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %icc, 2f -@@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 +@@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) 1: ldx [%o1], %g1 @@ -3826,7 +3850,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 = +@@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 = 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_add, .-atomic64_add @@ -3860,7 +3884,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -105,12 +180,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = +@@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_sub, .-atomic64_sub @@ -3894,7 +3918,7 @@ diff -urNp linux-2.6.32.21/arch/sparc/lib/atomic_64.S linux-2.6.32.21/arch/sparc casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -121,12 +216,33 @@ atomic64_add_ret: /* %o0 = increment, %o +@@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_add_ret, .-atomic64_add_ret @@ -5955,7 +5979,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_32.h linux-2.6.32.21/arch extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val); diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch/x86/include/asm/atomic_64.h --- linux-2.6.32.21/arch/x86/include/asm/atomic_64.h 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/arch/x86/include/asm/atomic_64.h 2010-08-13 18:34:40.000000000 -0400 ++++ linux-2.6.32.21/arch/x86/include/asm/atomic_64.h 2010-08-29 21:40:54.000000000 -0400 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom } @@ -6203,7 +6227,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter), "=qm" (c) : "ir" (i), "m" (v->counter) : "memory"); return c; -@@ -173,7 +334,15 @@ static inline int atomic_add_negative(in +@@ -173,7 +334,31 @@ static inline int atomic_add_negative(in static inline int atomic_add_return(int i, atomic_t *v) { int __i = i; @@ -6217,10 +6241,34 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch + _ASM_EXTABLE(0b, 0b) +#endif + ++ : "+r" (i), "+m" (v->counter) ++ : : "memory"); ++ return i + __i; ++} ++ ++/** ++ * atomic_add_return_unchecked - add and return ++ * @i: integer value to add ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically adds @i to @v and returns @i + @v ++ */ ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ ++ int __i = i; ++ asm volatile(LOCK_PREFIX "xaddl %0, %1\n" : "+r" (i), "+m" (v->counter) : : "memory"); return i + __i; -@@ -204,6 +373,18 @@ static inline long atomic64_read(const a +@@ -185,6 +370,7 @@ static inline int atomic_sub_return(int + } + + #define atomic_inc_return(v) (atomic_add_return(1, v)) ++#define atomic_inc_return_unchecked(v) (atomic_add_return_unchecked(1, v)) + #define atomic_dec_return(v) (atomic_sub_return(1, v)) + + /* The 64-bit atomic type */ +@@ -204,6 +390,18 @@ static inline long atomic64_read(const a } /** @@ -6239,7 +6287,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch * atomic64_set - set atomic64 variable * @v: pointer to type atomic64_t * @i: required value -@@ -216,6 +397,18 @@ static inline void atomic64_set(atomic64 +@@ -216,6 +414,18 @@ static inline void atomic64_set(atomic64 } /** @@ -6258,7 +6306,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch * atomic64_add - add integer to atomic64 variable * @i: integer value to add * @v: pointer to type atomic64_t -@@ -224,6 +417,28 @@ static inline void atomic64_set(atomic64 +@@ -224,6 +434,28 @@ static inline void atomic64_set(atomic64 */ static inline void atomic64_add(long i, atomic64_t *v) { @@ -6287,7 +6335,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch asm volatile(LOCK_PREFIX "addq %1,%0" : "=m" (v->counter) : "er" (i), "m" (v->counter)); -@@ -238,7 +453,15 @@ static inline void atomic64_add(long i, +@@ -238,7 +470,15 @@ static inline void atomic64_add(long i, */ static inline void atomic64_sub(long i, atomic64_t *v) { @@ -6304,7 +6352,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter) : "er" (i), "m" (v->counter)); } -@@ -256,7 +479,16 @@ static inline int atomic64_sub_and_test( +@@ -256,7 +496,16 @@ static inline int atomic64_sub_and_test( { unsigned char c; @@ -6322,7 +6370,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter), "=qm" (c) : "er" (i), "m" (v->counter) : "memory"); return c; -@@ -270,6 +502,31 @@ static inline int atomic64_sub_and_test( +@@ -270,6 +519,31 @@ static inline int atomic64_sub_and_test( */ static inline void atomic64_inc(atomic64_t *v) { @@ -6354,7 +6402,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch asm volatile(LOCK_PREFIX "incq %0" : "=m" (v->counter) : "m" (v->counter)); -@@ -283,7 +540,32 @@ static inline void atomic64_inc(atomic64 +@@ -283,7 +557,32 @@ static inline void atomic64_inc(atomic64 */ static inline void atomic64_dec(atomic64_t *v) { @@ -6388,7 +6436,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter) : "m" (v->counter)); } -@@ -300,7 +582,20 @@ static inline int atomic64_dec_and_test( +@@ -300,7 +599,20 @@ static inline int atomic64_dec_and_test( { unsigned char c; @@ -6410,7 +6458,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter), "=qm" (c) : "m" (v->counter) : "memory"); return c != 0; -@@ -318,7 +613,20 @@ static inline int atomic64_inc_and_test( +@@ -318,7 +630,20 @@ static inline int atomic64_inc_and_test( { unsigned char c; @@ -6432,7 +6480,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter), "=qm" (c) : "m" (v->counter) : "memory"); return c != 0; -@@ -337,7 +645,16 @@ static inline int atomic64_add_negative( +@@ -337,7 +662,16 @@ static inline int atomic64_add_negative( { unsigned char c; @@ -6450,7 +6498,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "=m" (v->counter), "=qm" (c) : "er" (i), "m" (v->counter) : "memory"); return c; -@@ -353,7 +670,31 @@ static inline int atomic64_add_negative( +@@ -353,7 +687,31 @@ static inline int atomic64_add_negative( static inline long atomic64_add_return(long i, atomic64_t *v) { long __i = i; @@ -6483,7 +6531,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch : "+r" (i), "+m" (v->counter) : : "memory"); return i + __i; -@@ -365,6 +706,7 @@ static inline long atomic64_sub_return(l +@@ -365,6 +723,7 @@ static inline long atomic64_sub_return(l } #define atomic64_inc_return(v) (atomic64_add_return(1, (v))) @@ -6491,7 +6539,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch #define atomic64_dec_return(v) (atomic64_sub_return(1, (v))) static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new) -@@ -398,17 +740,29 @@ static inline long atomic_xchg(atomic_t +@@ -398,17 +757,29 @@ static inline long atomic_xchg(atomic_t */ static inline int atomic_add_unless(atomic_t *v, int a, int u) { @@ -6525,7 +6573,7 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/atomic_64.h linux-2.6.32.21/arch } #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) -@@ -424,17 +778,29 @@ static inline int atomic_add_unless(atom +@@ -424,17 +795,29 @@ static inline int atomic_add_unless(atom */ static inline int atomic64_add_unless(atomic64_t *v, long a, long u) { @@ -7691,19 +7739,6 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/page_32_types.h linux-2.6.32.21/ #ifdef CONFIG_4KSTACKS #define THREAD_ORDER 0 #else -diff -urNp linux-2.6.32.21/arch/x86/include/asm/page_64_types.h linux-2.6.32.21/arch/x86/include/asm/page_64_types.h ---- linux-2.6.32.21/arch/x86/include/asm/page_64_types.h 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/arch/x86/include/asm/page_64_types.h 2010-08-13 18:34:40.000000000 -0400 -@@ -39,6 +39,9 @@ - #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START) - #define __START_KERNEL_map _AC(0xffffffff80000000, UL) - -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) -+ - /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */ - #define __PHYSICAL_MASK_SHIFT 46 - #define __VIRTUAL_MASK_SHIFT 47 diff -urNp linux-2.6.32.21/arch/x86/include/asm/paravirt.h linux-2.6.32.21/arch/x86/include/asm/paravirt.h --- linux-2.6.32.21/arch/x86/include/asm/paravirt.h 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.21/arch/x86/include/asm/paravirt.h 2010-08-13 18:34:40.000000000 -0400 @@ -7968,13 +8003,16 @@ diff -urNp linux-2.6.32.21/arch/x86/include/asm/pgtable_64.h linux-2.6.32.21/arc static inline void native_pgd_clear(pgd_t *pgd) diff -urNp linux-2.6.32.21/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.21/arch/x86/include/asm/pgtable_64_types.h --- linux-2.6.32.21/arch/x86/include/asm/pgtable_64_types.h 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/arch/x86/include/asm/pgtable_64_types.h 2010-08-13 18:34:40.000000000 -0400 -@@ -59,5 +59,7 @@ typedef struct { pteval_t pte; } pte_t; ++++ linux-2.6.32.21/arch/x86/include/asm/pgtable_64_types.h 2010-08-29 21:40:54.000000000 -0400 +@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t; #define MODULES_VADDR _AC(0xffffffffa0000000, UL) #define MODULES_END _AC(0xffffffffff000000, UL) #define MODULES_LEN (MODULES_END - MODULES_VADDR) +#define MODULES_EXEC_VADDR MODULES_VADDR +#define MODULES_EXEC_END MODULES_END ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) #endif /* _ASM_X86_PGTABLE_64_DEFS_H */ diff -urNp linux-2.6.32.21/arch/x86/include/asm/pgtable.h linux-2.6.32.21/arch/x86/include/asm/pgtable.h @@ -9696,7 +9734,7 @@ diff -urNp linux-2.6.32.21/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.21/arch jmp bogus_magic diff -urNp linux-2.6.32.21/arch/x86/kernel/alternative.c linux-2.6.32.21/arch/x86/kernel/alternative.c --- linux-2.6.32.21/arch/x86/kernel/alternative.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/arch/x86/kernel/alternative.c 2010-08-13 18:34:40.000000000 -0400 ++++ linux-2.6.32.21/arch/x86/kernel/alternative.c 2010-08-29 21:40:54.000000000 -0400 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str BUG_ON(p->len > MAX_PATCH_LEN); @@ -9715,7 +9753,7 @@ diff -urNp linux-2.6.32.21/arch/x86/kernel/alternative.c linux-2.6.32.21/arch/x8 restart_nmi(); } -@@ -492,12 +492,16 @@ void __init alternative_instructions(voi +@@ -492,13 +492,17 @@ void __init alternative_instructions(voi * instructions. And on the local CPU you need to be protected again NMI or MCE * handlers seeing an inconsistent instruction while you patch. */ @@ -9729,11 +9767,12 @@ diff -urNp linux-2.6.32.21/arch/x86/kernel/alternative.c linux-2.6.32.21/arch/x8 + + pax_open_kernel(); + memcpy(ktla_ktva(addr), opcode, len); + sync_core(); + pax_close_kernel(); + - sync_core(); local_irq_restore(flags); /* Could also do a CLFLUSH here to speed up CPU recovery; but + that causes hangs on some VIA CPUs. */ @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_ */ void *__kprobes text_poke(void *addr, const void *opcode, size_t len) @@ -23649,7 +23688,7 @@ diff -urNp linux-2.6.32.21/drivers/char/keyboard.c linux-2.6.32.21/drivers/char/ MODULE_DEVICE_TABLE(input, kbd_ids); diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c --- linux-2.6.32.21/drivers/char/mem.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/drivers/char/mem.c 2010-08-13 18:34:40.000000000 -0400 ++++ linux-2.6.32.21/drivers/char/mem.c 2010-08-29 21:40:54.000000000 -0400 @@ -18,6 +18,7 @@ #include <linux/raw.h> #include <linux/tty.h> @@ -23669,7 +23708,49 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c static inline unsigned long size_inside_page(unsigned long start, unsigned long size) { -@@ -205,6 +210,11 @@ static ssize_t write_mem(struct file * f +@@ -155,6 +160,8 @@ static ssize_t read_mem(struct file * fi + #endif + + while (count > 0) { ++ char *temp; ++ + /* + * Handle first page in case it's not aligned + */ +@@ -177,11 +184,31 @@ static ssize_t read_mem(struct file * fi + if (!ptr) + return -EFAULT; + +- if (copy_to_user(buf, ptr, sz)) { ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL); ++ if (!temp) { ++ unxlate_dev_mem_ptr(p, ptr); ++ return -ENOMEM; ++ } ++ memcpy(temp, ptr, sz); ++#else ++ temp = ptr; ++#endif ++ ++ if (copy_to_user(buf, temp, sz)) { ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ + unxlate_dev_mem_ptr(p, ptr); + return -EFAULT; + } + ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ + unxlate_dev_mem_ptr(p, ptr); + + buf += sz; +@@ -205,6 +232,11 @@ static ssize_t write_mem(struct file * f if (!valid_phys_addr_range(p, count)) return -EFAULT; @@ -23681,7 +23762,7 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c written = 0; #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED -@@ -337,6 +347,11 @@ static int mmap_mem(struct file * file, +@@ -337,6 +369,11 @@ static int mmap_mem(struct file * file, &vma->vm_page_prot)) return -EINVAL; @@ -23693,7 +23774,51 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff, size, vma->vm_page_prot); -@@ -560,6 +575,11 @@ static ssize_t write_kmem(struct file * +@@ -419,9 +456,8 @@ static ssize_t read_kmem(struct file *fi + size_t count, loff_t *ppos) + { + unsigned long p = *ppos; +- ssize_t low_count, read, sz; ++ ssize_t low_count, read, sz, err = 0; + char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ +- int err = 0; + + read = 0; + if (p < (unsigned long) high_memory) { +@@ -444,6 +480,8 @@ static ssize_t read_kmem(struct file *fi + } + #endif + while (low_count > 0) { ++ char *temp; ++ + sz = size_inside_page(p, low_count); + + /* +@@ -453,7 +491,22 @@ static ssize_t read_kmem(struct file *fi + */ + kbuf = xlate_dev_kmem_ptr((char *)p); + +- if (copy_to_user(buf, kbuf, sz)) ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL); ++ if (!temp) ++ return -ENOMEM; ++ memcpy(temp, kbuf, sz); ++#else ++ temp = kbuf; ++#endif ++ ++ err = copy_to_user(buf, temp, sz); ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ ++ if (err) + return -EFAULT; + buf += sz; + p += sz; +@@ -560,6 +613,11 @@ static ssize_t write_kmem(struct file * char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; @@ -23705,7 +23830,7 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c if (p < (unsigned long) high_memory) { wrote = count; -@@ -765,6 +785,16 @@ static loff_t memory_lseek(struct file * +@@ -765,6 +823,16 @@ static loff_t memory_lseek(struct file * static int open_port(struct inode * inode, struct file * filp) { @@ -23722,7 +23847,7 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } -@@ -772,7 +802,6 @@ static int open_port(struct inode * inod +@@ -772,7 +840,6 @@ static int open_port(struct inode * inod #define full_lseek null_lseek #define write_zero write_null #define read_full read_zero @@ -23730,7 +23855,7 @@ diff -urNp linux-2.6.32.21/drivers/char/mem.c linux-2.6.32.21/drivers/char/mem.c #define open_kmem open_mem #define open_oldmem open_mem -@@ -888,6 +917,9 @@ static const struct memdev { +@@ -888,6 +955,9 @@ static const struct memdev { #ifdef CONFIG_CRASH_DUMP [12] = { "oldmem", 0, &oldmem_fops, NULL }, #endif @@ -27240,6 +27365,18 @@ diff -urNp linux-2.6.32.21/drivers/pci/slot.c linux-2.6.32.21/drivers/pci/slot.c .show = pci_slot_attr_show, .store = pci_slot_attr_store, }; +diff -urNp linux-2.6.32.21/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.21/drivers/pcmcia/pcmcia_ioctl.c +--- linux-2.6.32.21/drivers/pcmcia/pcmcia_ioctl.c 2010-08-13 16:24:37.000000000 -0400 ++++ linux-2.6.32.21/drivers/pcmcia/pcmcia_ioctl.c 2010-08-29 21:40:54.000000000 -0400 +@@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode + return -EFAULT; + } + } +- buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL); ++ buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL); + if (!buf) + return -ENOMEM; + diff -urNp linux-2.6.32.21/drivers/pcmcia/ti113x.h linux-2.6.32.21/drivers/pcmcia/ti113x.h --- linux-2.6.32.21/drivers/pcmcia/ti113x.h 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.21/drivers/pcmcia/ti113x.h 2010-08-13 18:34:40.000000000 -0400 @@ -28374,13 +28511,13 @@ diff -urNp linux-2.6.32.21/drivers/usb/class/cdc-acm.c linux-2.6.32.21/drivers/u MODULE_DEVICE_TABLE(usb, acm_ids); diff -urNp linux-2.6.32.21/drivers/usb/class/cdc-wdm.c linux-2.6.32.21/drivers/usb/class/cdc-wdm.c --- linux-2.6.32.21/drivers/usb/class/cdc-wdm.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/drivers/usb/class/cdc-wdm.c 2010-08-13 18:34:40.000000000 -0400 ++++ linux-2.6.32.21/drivers/usb/class/cdc-wdm.c 2010-08-29 21:40:54.000000000 -0400 @@ -314,7 +314,7 @@ static ssize_t wdm_write if (r < 0) goto outnp; - if (!file->f_flags && O_NONBLOCK) -+ if (!file->f_flags & O_NONBLOCK) ++ if (!(file->f_flags & O_NONBLOCK)) r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE, &desc->flags)); else @@ -33821,8 +33958,51 @@ diff -urNp linux-2.6.32.21/fs/proc/Kconfig linux-2.6.32.21/fs/proc/Kconfig Various /proc files exist to monitor process memory utilization: diff -urNp linux-2.6.32.21/fs/proc/kcore.c linux-2.6.32.21/fs/proc/kcore.c --- linux-2.6.32.21/fs/proc/kcore.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/fs/proc/kcore.c 2010-08-13 18:34:41.000000000 -0400 -@@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use ++++ linux-2.6.32.21/fs/proc/kcore.c 2010-08-29 21:40:54.000000000 -0400 +@@ -477,9 +477,10 @@ read_kcore(struct file *file, char __use + * the addresses in the elf_phdr on our list. + */ + start = kc_offset_to_vaddr(*fpos - elf_buflen); +- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen) ++ tsz = PAGE_SIZE - (start & ~PAGE_MASK); ++ if (tsz > buflen) + tsz = buflen; +- ++ + while (buflen) { + struct kcore_list *m; + +@@ -508,20 +509,18 @@ read_kcore(struct file *file, char __use + kfree(elf_buf); + } else { + if (kern_addr_valid(start)) { +- unsigned long n; ++ char *elf_buf; + +- n = copy_to_user(buffer, (char *)start, tsz); +- /* +- * We cannot distingush between fault on source +- * and fault on destination. When this happens +- * we clear too and hope it will trigger the +- * EFAULT again. +- */ +- if (n) { +- if (clear_user(buffer + tsz - n, +- n)) ++ elf_buf = kmalloc(tsz, GFP_KERNEL); ++ if (!elf_buf) ++ return -ENOMEM; ++ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) { ++ if (copy_to_user(buffer, elf_buf, tsz)) { ++ kfree(elf_buf); + return -EFAULT; ++ } + } ++ kfree(elf_buf); + } else { + if (clear_user(buffer, tsz)) + return -EFAULT; +@@ -541,6 +540,9 @@ read_kcore(struct file *file, char __use static int open_kcore(struct inode *inode, struct file *filp) { @@ -48943,7 +49123,7 @@ diff -urNp linux-2.6.32.21/kernel/hrtimer.c linux-2.6.32.21/kernel/hrtimer.c } diff -urNp linux-2.6.32.21/kernel/kallsyms.c linux-2.6.32.21/kernel/kallsyms.c --- linux-2.6.32.21/kernel/kallsyms.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/kernel/kallsyms.c 2010-08-13 18:34:41.000000000 -0400 ++++ linux-2.6.32.21/kernel/kallsyms.c 2010-08-29 21:40:54.000000000 -0400 @@ -11,6 +11,9 @@ * Changed the compression method from stem compression to "table lookup" * compression (see scripts/kallsyms.c for a more complete description) @@ -48954,39 +49134,41 @@ diff -urNp linux-2.6.32.21/kernel/kallsyms.c linux-2.6.32.21/kernel/kallsyms.c #include <linux/kallsyms.h> #include <linux/module.h> #include <linux/init.h> -@@ -51,23 +54,48 @@ extern const unsigned long kallsyms_mark +@@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark static inline int is_kernel_inittext(unsigned long addr) { + if (system_state != SYSTEM_BOOTING) + return 0; + -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if (addr >= ktla_ktva((unsigned long)_sinittext) -+ && addr <= ktla_ktva((unsigned long)_einittext)) -+#else if (addr >= (unsigned long)_sinittext && addr <= (unsigned long)_einittext) -+#endif return 1; -+ return 0; } - static inline int is_kernel_text(unsigned long addr) - { -+ +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if (addr >= ktla_ktva((unsigned long)_stext) -+ && addr <= ktla_ktva((unsigned long)_etext)) ++#ifdef CONFIG_MODULES ++static inline int is_module_text(unsigned long addr) ++{ ++ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END) ++ return 1; ++ ++ addr = ktla_ktva(addr); ++ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END; ++} +#else - if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) || - arch_is_kernel_text(addr)) ++static inline int is_module_text(unsigned long addr) ++{ ++ return 0; ++} ++#endif +#endif - return 1; + - return in_gate_area_no_task(addr); - } + static inline int is_kernel_text(unsigned long addr) + { + if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) || +@@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne static inline int is_kernel(unsigned long addr) { @@ -49003,7 +49185,19 @@ diff -urNp linux-2.6.32.21/kernel/kallsyms.c linux-2.6.32.21/kernel/kallsyms.c return 1; return in_gate_area_no_task(addr); } -@@ -413,7 +441,6 @@ static unsigned long get_ksymbol_core(st + + static int is_ksym_addr(unsigned long addr) + { ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ if (is_module_text(addr)) ++ return 0; ++#endif ++ + if (all_var) + return is_kernel(addr); + +@@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st static void reset_iter(struct kallsym_iter *iter, loff_t new_pos) { @@ -49011,7 +49205,7 @@ diff -urNp linux-2.6.32.21/kernel/kallsyms.c linux-2.6.32.21/kernel/kallsyms.c iter->nameoff = get_symbol_offset(new_pos); iter->pos = new_pos; } -@@ -461,6 +488,11 @@ static int s_show(struct seq_file *m, vo +@@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo { struct kallsym_iter *iter = m->private; @@ -49023,7 +49217,7 @@ diff -urNp linux-2.6.32.21/kernel/kallsyms.c linux-2.6.32.21/kernel/kallsyms.c /* Some debugging symbols have no name. Ignore them. */ if (!iter->name[0]) return 0; -@@ -501,7 +533,7 @@ static int kallsyms_open(struct inode *i +@@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i struct kallsym_iter *iter; int ret; @@ -50012,16 +50206,24 @@ diff -urNp linux-2.6.32.21/kernel/rcutree.c linux-2.6.32.21/kernel/rcutree.c * Memory references from any prior RCU read-side critical sections diff -urNp linux-2.6.32.21/kernel/relay.c linux-2.6.32.21/kernel/relay.c --- linux-2.6.32.21/kernel/relay.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/kernel/relay.c 2010-08-13 18:34:41.000000000 -0400 -@@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi - return 0; - - ret = *nonpad_ret = splice_to_pipe(pipe, &spd); -- if (ret < 0 || ret < total_len) -+ if ((int)ret < 0 || ret < total_len) - return ret; ++++ linux-2.6.32.21/kernel/relay.c 2010-08-29 21:40:54.000000000 -0400 +@@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi + unsigned int flags, + int *nonpad_ret) + { +- unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret; ++ unsigned int pidx, poff, total_len, subbuf_pages, nr_pages; + struct rchan_buf *rbuf = in->private_data; + unsigned int subbuf_size = rbuf->chan->subbuf_size; + uint64_t pos = (uint64_t) *ppos; +@@ -1241,6 +1241,7 @@ static int subbuf_splice_actor(struct fi + .ops = &relay_pipe_buf_ops, + .spd_release = relay_page_release, + }; ++ ssize_t ret; - if (read_start + ret == nonpad_end) + if (rbuf->subbufs_produced == rbuf->subbufs_consumed) + return 0; diff -urNp linux-2.6.32.21/kernel/resource.c linux-2.6.32.21/kernel/resource.c --- linux-2.6.32.21/kernel/resource.c 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.21/kernel/resource.c 2010-08-13 18:34:41.000000000 -0400 @@ -51832,7 +52034,7 @@ diff -urNp linux-2.6.32.21/mm/mlock.c linux-2.6.32.21/mm/mlock.c ret = do_mlockall(flags); diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c --- linux-2.6.32.21/mm/mmap.c 2010-08-29 21:08:20.000000000 -0400 -+++ linux-2.6.32.21/mm/mmap.c 2010-08-29 21:09:26.000000000 -0400 ++++ linux-2.6.32.21/mm/mmap.c 2010-08-29 21:40:54.000000000 -0400 @@ -45,6 +45,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -52047,15 +52249,21 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (addr & ~PAGE_MASK) return addr; -@@ -969,6 +1045,22 @@ unsigned long do_mmap_pgoff(struct file +@@ -969,6 +1045,28 @@ unsigned long do_mmap_pgoff(struct file vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { -+ if ((prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC)) ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) ++ ++#ifdef CONFIG_PAX_EMUPLT ++ vm_flags &= ~VM_EXEC; ++#else + return -EPERM; -+ if (!(prot & PROT_EXEC)) ++#endif ++ ++ if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; + else + vm_flags &= ~VM_MAYWRITE; @@ -52070,7 +52278,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1072,7 @@ unsigned long do_mmap_pgoff(struct file +@@ -980,6 +1078,7 @@ unsigned long do_mmap_pgoff(struct file locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; @@ -52078,7 +52286,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1146,9 @@ unsigned long do_mmap_pgoff(struct file +@@ -1053,6 +1152,9 @@ unsigned long do_mmap_pgoff(struct file if (error) return error; @@ -52088,7 +52296,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1161,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1167,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -52101,7 +52309,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1213,24 @@ unsigned long mmap_region(struct file *f +@@ -1117,14 +1219,24 @@ unsigned long mmap_region(struct file *f unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -52128,7 +52336,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c } /* Check against address space limit. */ -@@ -1173,6 +1279,16 @@ munmap_back: +@@ -1173,6 +1285,16 @@ munmap_back: goto unacct_error; } @@ -52145,7 +52353,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1195,6 +1311,19 @@ munmap_back: +@@ -1195,6 +1317,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -52165,7 +52373,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1218,6 +1347,11 @@ munmap_back: +@@ -1218,6 +1353,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -52177,7 +52385,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1360,7 @@ out: +@@ -1226,6 +1366,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -52185,7 +52393,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1383,12 @@ unmap_and_free_vma: +@@ -1248,6 +1389,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -52198,7 +52406,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1281,6 +1422,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1281,6 +1428,10 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; @@ -52209,7 +52417,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); -@@ -1289,10 +1434,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1289,10 +1440,10 @@ arch_get_unmapped_area(struct file *filp return addr; } if (len > mm->cached_hole_size) { @@ -52223,7 +52431,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c } full_search: -@@ -1303,9 +1448,8 @@ full_search: +@@ -1303,9 +1454,8 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -52235,7 +52443,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c mm->cached_hole_size = 0; goto full_search; } -@@ -1327,10 +1471,16 @@ full_search: +@@ -1327,10 +1477,16 @@ full_search: void arch_unmap_area(struct mm_struct *mm, unsigned long addr) { @@ -52253,7 +52461,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1348,7 +1498,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1348,7 +1504,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -52262,7 +52470,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,6 +1507,10 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1357,6 +1513,10 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; @@ -52273,7 +52481,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* requesting a specific address */ if (addr) { addr = PAGE_ALIGN(addr); -@@ -1414,13 +1568,21 @@ bottomup: +@@ -1414,13 +1574,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -52297,7 +52505,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c mm->cached_hole_size = ~0UL; return addr; -@@ -1429,6 +1591,12 @@ bottomup: +@@ -1429,6 +1597,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -52310,7 +52518,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1604,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1436,8 +1610,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -52322,7 +52530,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c } unsigned long -@@ -1545,6 +1715,27 @@ out: +@@ -1545,6 +1721,27 @@ out: return prev ? prev->vm_next : vma; } @@ -52350,7 +52558,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1561,6 +1752,7 @@ static int acct_stack_growth(struct vm_a +@@ -1561,6 +1758,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; /* Stack limit test */ @@ -52358,7 +52566,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; -@@ -1570,6 +1762,7 @@ static int acct_stack_growth(struct vm_a +@@ -1570,6 +1768,7 @@ static int acct_stack_growth(struct vm_a unsigned long limit; locked = mm->locked_vm + grow; limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; @@ -52366,7 +52574,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1605,35 +1798,40 @@ static +@@ -1605,35 +1804,40 @@ static #endif int expand_upwards(struct vm_area_struct *vma, unsigned long address) { @@ -52417,7 +52625,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c unsigned long size, grow; size = address - vma->vm_start; -@@ -1643,6 +1841,8 @@ int expand_upwards(struct vm_area_struct +@@ -1643,6 +1847,8 @@ int expand_upwards(struct vm_area_struct if (!error) vma->vm_end = address; } @@ -52426,7 +52634,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c anon_vma_unlock(vma); return error; } -@@ -1654,7 +1854,8 @@ int expand_upwards(struct vm_area_struct +@@ -1654,7 +1860,8 @@ int expand_upwards(struct vm_area_struct static int expand_downwards(struct vm_area_struct *vma, unsigned long address) { @@ -52436,7 +52644,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * We must make sure the anon_vma is allocated -@@ -1668,6 +1869,15 @@ static int expand_downwards(struct vm_ar +@@ -1668,6 +1875,15 @@ static int expand_downwards(struct vm_ar if (error) return error; @@ -52452,7 +52660,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c anon_vma_lock(vma); /* -@@ -1677,9 +1887,15 @@ static int expand_downwards(struct vm_ar +@@ -1677,9 +1893,15 @@ static int expand_downwards(struct vm_ar */ /* Somebody else might have raced and expanded it already */ @@ -52469,7 +52677,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1687,9 +1903,20 @@ static int expand_downwards(struct vm_ar +@@ -1687,9 +1909,20 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -52490,7 +52698,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return error; } -@@ -1765,6 +1992,13 @@ static void remove_vma_list(struct mm_st +@@ -1765,6 +1998,13 @@ static void remove_vma_list(struct mm_st do { long nrpages = vma_pages(vma); @@ -52504,7 +52712,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1810,6 +2044,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1810,6 +2050,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -52521,7 +52729,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1837,10 +2081,25 @@ int split_vma(struct mm_struct * mm, str +@@ -1837,10 +2087,25 @@ int split_vma(struct mm_struct * mm, str struct mempolicy *pol; struct vm_area_struct *new; @@ -52547,7 +52755,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -1848,6 +2107,16 @@ int split_vma(struct mm_struct * mm, str +@@ -1848,6 +2113,16 @@ int split_vma(struct mm_struct * mm, str if (!new) return -ENOMEM; @@ -52564,7 +52772,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1858,8 +2127,29 @@ int split_vma(struct mm_struct * mm, str +@@ -1858,8 +2133,29 @@ int split_vma(struct mm_struct * mm, str new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -52594,7 +52802,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1880,6 +2170,28 @@ int split_vma(struct mm_struct * mm, str +@@ -1880,6 +2176,28 @@ int split_vma(struct mm_struct * mm, str else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -52623,7 +52831,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return 0; } -@@ -1888,11 +2200,30 @@ int split_vma(struct mm_struct * mm, str +@@ -1888,11 +2206,30 @@ int split_vma(struct mm_struct * mm, str * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -52654,7 +52862,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -1956,6 +2287,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -1956,6 +2293,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -52663,7 +52871,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return 0; } -@@ -1968,22 +2301,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -1968,22 +2307,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a profile_munmap(addr); @@ -52692,7 +52900,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -1997,6 +2326,7 @@ unsigned long do_brk(unsigned long addr, +@@ -1997,6 +2332,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -52700,7 +52908,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c len = PAGE_ALIGN(len); if (!len) -@@ -2008,16 +2338,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2008,16 +2344,30 @@ unsigned long do_brk(unsigned long addr, flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -52732,7 +52940,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; -@@ -2034,22 +2378,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2034,22 +2384,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -52759,7 +52967,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2063,7 +2407,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2063,7 +2413,7 @@ unsigned long do_brk(unsigned long addr, */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -52768,7 +52976,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return -ENOMEM; } -@@ -2075,11 +2419,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2075,11 +2425,12 @@ unsigned long do_brk(unsigned long addr, vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: @@ -52783,7 +52991,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return addr; } -@@ -2126,8 +2471,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2126,8 +2477,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -52795,7 +53003,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2141,6 +2488,10 @@ int insert_vm_struct(struct mm_struct * +@@ -2141,6 +2494,10 @@ int insert_vm_struct(struct mm_struct * struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -52806,7 +53014,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2163,7 +2514,22 @@ int insert_vm_struct(struct mm_struct * +@@ -2163,7 +2520,22 @@ int insert_vm_struct(struct mm_struct * if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -52829,7 +53037,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c return 0; } -@@ -2181,6 +2547,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2181,6 +2553,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -52838,7 +53046,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2224,6 +2592,35 @@ struct vm_area_struct *copy_vma(struct v +@@ -2224,6 +2598,35 @@ struct vm_area_struct *copy_vma(struct v return new_vma; } @@ -52874,7 +53082,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2234,7 +2631,7 @@ int may_expand_vm(struct mm_struct *mm, +@@ -2234,7 +2637,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long lim; lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; @@ -52883,7 +53091,7 @@ diff -urNp linux-2.6.32.21/mm/mmap.c linux-2.6.32.21/mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2303,6 +2700,17 @@ int install_special_mapping(struct mm_st +@@ -2303,6 +2706,17 @@ int install_special_mapping(struct mm_st vma->vm_start = addr; vma->vm_end = addr + len; @@ -53296,25 +53504,15 @@ diff -urNp linux-2.6.32.21/mm/percpu.c linux-2.6.32.21/mm/percpu.c static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */ diff -urNp linux-2.6.32.21/mm/rmap.c linux-2.6.32.21/mm/rmap.c --- linux-2.6.32.21/mm/rmap.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/mm/rmap.c 2010-08-13 18:34:41.000000000 -0400 -@@ -108,6 +108,10 @@ int anon_vma_prepare(struct vm_area_stru - struct mm_struct *mm = vma->vm_mm; - struct anon_vma *allocated; - -+#ifdef CONFIG_PAX_SEGMEXEC -+ struct vm_area_struct *vma_m; -+#endif -+ - anon_vma = find_mergeable_anon_vma(vma); - allocated = NULL; - if (!anon_vma) { -@@ -121,6 +125,16 @@ int anon_vma_prepare(struct vm_area_stru ++++ linux-2.6.32.21/mm/rmap.c 2010-08-29 21:40:54.000000000 -0400 +@@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru /* page_table_lock to protect against threads */ spin_lock(&mm->page_table_lock); if (likely(!vma->anon_vma)) { + +#ifdef CONFIG_PAX_SEGMEXEC -+ vma_m = pax_find_mirror_vma(vma); ++ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma); ++ + if (vma_m) { + BUG_ON(vma_m->anon_vma); + vma_m->anon_vma = anon_vma; @@ -55233,6 +55431,22 @@ diff -urNp linux-2.6.32.21/net/socket.c linux-2.6.32.21/net/socket.c err = security_socket_connect(sock, (struct sockaddr *)&address, addrlen); if (err) +diff -urNp linux-2.6.32.21/net/sunrpc/sched.c linux-2.6.32.21/net/sunrpc/sched.c +--- linux-2.6.32.21/net/sunrpc/sched.c 2010-08-13 16:24:37.000000000 -0400 ++++ linux-2.6.32.21/net/sunrpc/sched.c 2010-08-29 21:40:54.000000000 -0400 +@@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w + #ifdef RPC_DEBUG + static void rpc_task_set_debuginfo(struct rpc_task *task) + { +- static atomic_t rpc_pid; ++ static atomic_unchecked_t rpc_pid; + + task->tk_magic = RPC_TASK_MAGIC_ID; +- task->tk_pid = atomic_inc_return(&rpc_pid); ++ task->tk_pid = atomic_inc_return_unchecked(&rpc_pid); + } + #else + static inline void rpc_task_set_debuginfo(struct rpc_task *task) diff -urNp linux-2.6.32.21/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.21/net/sunrpc/xprtrdma/svc_rdma.c --- linux-2.6.32.21/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.21/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-13 18:34:41.000000000 -0400 @@ -55702,8 +55916,8 @@ diff -urNp linux-2.6.32.21/security/integrity/ima/ima_queue.c linux-2.6.32.21/se return 0; diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig --- linux-2.6.32.21/security/Kconfig 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.21/security/Kconfig 2010-08-13 18:34:41.000000000 -0400 -@@ -4,6 +4,498 @@ ++++ linux-2.6.32.21/security/Kconfig 2010-08-29 21:40:54.000000000 -0400 +@@ -4,6 +4,501 @@ menu "Security options" @@ -55722,7 +55936,7 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig + + config PAX_ENABLE_PAE + bool -+ default y if (X86_32 && (M686 || MPENTIUMII || MPENTIUMIII || MPENTIUM4 || MK7 || MK8 || MVIAC7 || MPSC || MCORE2 || MATOM)) ++ default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM)) + +config PAX + bool "Enable various PaX features" @@ -55936,7 +56150,8 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig + - changing the executable status of memory pages that were + not originally created as executable, + - making read-only executable pages writable again, -+ - creating executable pages from anonymous memory. ++ - creating executable pages from anonymous memory, ++ - making read-only-after-relocations (RELRO) data pages writable again. + + You should say Y here to complete the protection provided by + the enforcement of non-executable pages. @@ -55946,7 +56161,7 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig + +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" -+ depends on PAX_MPROTECT && (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) ++ depends on PAX_MPROTECT + default n + help + Non-executable pages and mprotect() restrictions are effective @@ -55967,6 +56182,7 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig +config PAX_ETEXECRELOCS + bool "Allow ELF ET_EXEC text relocations" + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS + default y + help + On some architectures there are incorrectly created applications @@ -56195,6 +56411,7 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig + + Since this has a negligible performance impact, you should enable + this feature. ++ +endmenu + +endmenu @@ -56202,7 +56419,7 @@ diff -urNp linux-2.6.32.21/security/Kconfig linux-2.6.32.21/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -146,7 +638,7 @@ config INTEL_TXT +@@ -146,7 +641,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/2.6.34/0000_README b/2.6.34/0000_README index eaedbc3..8f83677 100644 --- a/2.6.34/0000_README +++ b/2.6.34/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.0-2.6.34.6-201008292122.patch +Patch: 4420_grsecurity-2.2.0-2.6.34.6-201009041352.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201008292122.patch b/2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201009041352.patch index eb3bf10..6dc7520 100644 --- a/2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201008292122.patch +++ b/2.6.34/4420_grsecurity-2.2.0-2.6.34.6-201009041352.patch @@ -3258,8 +3258,8 @@ diff -urNp linux-2.6.34.6/arch/sh/mm/consistent.c linux-2.6.34.6/arch/sh/mm/cons static int __init dma_init(void) diff -urNp linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h --- linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h 2010-08-29 21:16:43.000000000 -0400 -+++ linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h 2010-08-29 21:18:46.000000000 -0400 -@@ -14,18 +14,39 @@ ++++ linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h 2010-09-03 21:46:55.000000000 -0400 +@@ -14,18 +14,40 @@ #define ATOMIC64_INIT(i) { (i) } #define atomic_read(v) ((v)->counter) @@ -3294,20 +3294,23 @@ diff -urNp linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h linux-2.6.34.6/arch +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *); extern int atomic_add_ret(int, atomic_t *); ++extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *); extern long atomic64_add_ret(long, atomic64_t *); +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *); extern int atomic_sub_ret(int, atomic_t *); extern long atomic64_sub_ret(long, atomic64_t *); -@@ -34,6 +55,7 @@ extern long atomic64_sub_ret(long, atomi +@@ -33,7 +55,9 @@ extern long atomic64_sub_ret(long, atomi + #define atomic64_dec_return(v) atomic64_sub_ret(1, v) #define atomic_inc_return(v) atomic_add_ret(1, v) ++#define atomic_inc_return_unchecked(v) atomic_add_ret_unchecked(1, v) #define atomic64_inc_return(v) atomic64_add_ret(1, v) +#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v) #define atomic_sub_return(i, v) atomic_sub_ret(i, v) #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v) -@@ -59,10 +81,26 @@ extern long atomic64_sub_ret(long, atomi +@@ -59,10 +83,26 @@ extern long atomic64_sub_ret(long, atomi #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0) #define atomic_inc(v) atomic_add(1, v) @@ -3334,7 +3337,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h linux-2.6.34.6/arch #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0) #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0) -@@ -72,17 +110,28 @@ extern long atomic64_sub_ret(long, atomi +@@ -72,17 +112,28 @@ extern long atomic64_sub_ret(long, atomi static inline int atomic_add_unless(atomic_t *v, int a, int u) { @@ -3367,7 +3370,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/include/asm/atomic_64.h linux-2.6.34.6/arch } #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0) -@@ -93,17 +142,28 @@ static inline int atomic_add_unless(atom +@@ -93,17 +144,28 @@ static inline int atomic_add_unless(atom static inline long atomic64_add_unless(atomic64_t *v, long a, long u) { @@ -3919,7 +3922,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/kernel/traps_64.c linux-2.6.34.6/arch/sparc sprintf (buffer, "Bad trap %lx at tl>0", lvl); diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/lib/atomic_64.S --- linux-2.6.34.6/arch/sparc/lib/atomic_64.S 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/arch/sparc/lib/atomic_64.S 2010-08-13 18:38:11.000000000 -0400 ++++ linux-2.6.34.6/arch/sparc/lib/atomic_64.S 2010-09-03 21:46:55.000000000 -0400 @@ -18,7 +18,12 @@ atomic_add: /* %o0 = increment, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) @@ -4002,7 +4005,28 @@ diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/l cas [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %icc, 2f -@@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1 +@@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1 + 2: BACKOFF_SPIN(%o2, %o3, 1b) + .size atomic_add_ret, .-atomic_add_ret + ++ .globl atomic_add_ret_unchecked ++ .type atomic_add_ret_unchecked,#function ++atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: lduw [%o1], %g1 ++ addcc %g1, %o0, %g7 ++ cas [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %icc, 2f ++ add %g7, %o0, %g7 ++ sra %g7, 0, %o0 ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked ++ + .globl atomic_sub_ret + .type atomic_sub_ret,#function atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) 1: lduw [%o1], %g1 @@ -4016,7 +4040,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/l cas [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %icc, 2f -@@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 +@@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */ BACKOFF_SETUP(%o2) 1: ldx [%o1], %g1 @@ -4030,7 +4054,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/l casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 = +@@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 = 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_add, .-atomic64_add @@ -4064,7 +4088,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/l casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -105,12 +180,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = +@@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_sub, .-atomic64_sub @@ -4098,7 +4122,7 @@ diff -urNp linux-2.6.34.6/arch/sparc/lib/atomic_64.S linux-2.6.34.6/arch/sparc/l casx [%o1], %g1, %g7 cmp %g1, %g7 bne,pn %xcc, 2f -@@ -121,12 +216,33 @@ atomic64_add_ret: /* %o0 = increment, %o +@@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o 2: BACKOFF_SPIN(%o2, %o3, 1b) .size atomic64_add_ret, .-atomic64_add_ret @@ -7601,19 +7625,6 @@ diff -urNp linux-2.6.34.6/arch/x86/include/asm/page_32_types.h linux-2.6.34.6/ar #ifdef CONFIG_4KSTACKS #define THREAD_ORDER 0 #else -diff -urNp linux-2.6.34.6/arch/x86/include/asm/page_64_types.h linux-2.6.34.6/arch/x86/include/asm/page_64_types.h ---- linux-2.6.34.6/arch/x86/include/asm/page_64_types.h 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/arch/x86/include/asm/page_64_types.h 2010-08-13 18:38:11.000000000 -0400 -@@ -39,6 +39,9 @@ - #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START) - #define __START_KERNEL_map _AC(0xffffffff80000000, UL) - -+#define ktla_ktva(addr) (addr) -+#define ktva_ktla(addr) (addr) -+ - /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */ - #define __PHYSICAL_MASK_SHIFT 46 - #define __VIRTUAL_MASK_SHIFT 47 diff -urNp linux-2.6.34.6/arch/x86/include/asm/paravirt.h linux-2.6.34.6/arch/x86/include/asm/paravirt.h --- linux-2.6.34.6/arch/x86/include/asm/paravirt.h 2010-08-13 16:29:15.000000000 -0400 +++ linux-2.6.34.6/arch/x86/include/asm/paravirt.h 2010-08-13 18:38:11.000000000 -0400 @@ -7878,13 +7889,16 @@ diff -urNp linux-2.6.34.6/arch/x86/include/asm/pgtable_64.h linux-2.6.34.6/arch/ static inline void native_pgd_clear(pgd_t *pgd) diff -urNp linux-2.6.34.6/arch/x86/include/asm/pgtable_64_types.h linux-2.6.34.6/arch/x86/include/asm/pgtable_64_types.h --- linux-2.6.34.6/arch/x86/include/asm/pgtable_64_types.h 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/arch/x86/include/asm/pgtable_64_types.h 2010-08-13 18:38:11.000000000 -0400 -@@ -59,5 +59,7 @@ typedef struct { pteval_t pte; } pte_t; ++++ linux-2.6.34.6/arch/x86/include/asm/pgtable_64_types.h 2010-09-03 21:44:58.000000000 -0400 +@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t; #define MODULES_VADDR _AC(0xffffffffa0000000, UL) #define MODULES_END _AC(0xffffffffff000000, UL) #define MODULES_LEN (MODULES_END - MODULES_VADDR) +#define MODULES_EXEC_VADDR MODULES_VADDR +#define MODULES_EXEC_END MODULES_END ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) #endif /* _ASM_X86_PGTABLE_64_DEFS_H */ diff -urNp linux-2.6.34.6/arch/x86/include/asm/pgtable.h linux-2.6.34.6/arch/x86/include/asm/pgtable.h @@ -9646,7 +9660,7 @@ diff -urNp linux-2.6.34.6/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.34.6/arch/x jmp bogus_magic diff -urNp linux-2.6.34.6/arch/x86/kernel/alternative.c linux-2.6.34.6/arch/x86/kernel/alternative.c --- linux-2.6.34.6/arch/x86/kernel/alternative.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/arch/x86/kernel/alternative.c 2010-08-13 18:38:11.000000000 -0400 ++++ linux-2.6.34.6/arch/x86/kernel/alternative.c 2010-09-03 21:44:58.000000000 -0400 @@ -429,7 +429,7 @@ void __init_or_module apply_paravirt(str BUG_ON(p->len > MAX_PATCH_LEN); @@ -9665,7 +9679,7 @@ diff -urNp linux-2.6.34.6/arch/x86/kernel/alternative.c linux-2.6.34.6/arch/x86/ restart_nmi(); } -@@ -514,12 +514,16 @@ void __init alternative_instructions(voi +@@ -514,13 +514,17 @@ void __init alternative_instructions(voi * instructions. And on the local CPU you need to be protected again NMI or MCE * handlers seeing an inconsistent instruction while you patch. */ @@ -9679,11 +9693,12 @@ diff -urNp linux-2.6.34.6/arch/x86/kernel/alternative.c linux-2.6.34.6/arch/x86/ + + pax_open_kernel(); + memcpy(ktla_ktva(addr), opcode, len); + sync_core(); + pax_close_kernel(); + - sync_core(); local_irq_restore(flags); /* Could also do a CLFLUSH here to speed up CPU recovery; but + that causes hangs on some VIA CPUs. */ @@ -542,36 +546,22 @@ static void *__init_or_module text_poke_ */ void *__kprobes text_poke(void *addr, const void *opcode, size_t len) @@ -23144,7 +23159,7 @@ diff -urNp linux-2.6.34.6/drivers/char/keyboard.c linux-2.6.34.6/drivers/char/ke MODULE_DEVICE_TABLE(input, kbd_ids); diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c --- linux-2.6.34.6/drivers/char/mem.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/drivers/char/mem.c 2010-08-13 18:38:12.000000000 -0400 ++++ linux-2.6.34.6/drivers/char/mem.c 2010-09-03 21:44:58.000000000 -0400 @@ -18,6 +18,7 @@ #include <linux/raw.h> #include <linux/tty.h> @@ -23164,7 +23179,40 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c static inline unsigned long size_inside_page(unsigned long start, unsigned long size) { -@@ -161,6 +166,11 @@ static ssize_t write_mem(struct file *fi +@@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil + + while (count > 0) { + unsigned long remaining; ++ char *temp; + + sz = size_inside_page(p, count); + +@@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil + if (!ptr) + return -EFAULT; + +- remaining = copy_to_user(buf, ptr, sz); ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL); ++ if (!temp) { ++ unxlate_dev_mem_ptr(p, ptr); ++ return -ENOMEM; ++ } ++ memcpy(temp, ptr, sz); ++#else ++ temp = ptr; ++#endif ++ ++ remaining = copy_to_user(buf, temp, sz); ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ + unxlate_dev_mem_ptr(p, ptr); + if (remaining) + return -EFAULT; +@@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi if (!valid_phys_addr_range(p, count)) return -EFAULT; @@ -23176,7 +23224,7 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c written = 0; #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED -@@ -316,6 +326,11 @@ static int mmap_mem(struct file *file, s +@@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s &vma->vm_page_prot)) return -EINVAL; @@ -23188,7 +23236,51 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff, size, vma->vm_page_prot); -@@ -530,6 +545,11 @@ static ssize_t write_kmem(struct file *f +@@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi + size_t count, loff_t *ppos) + { + unsigned long p = *ppos; +- ssize_t low_count, read, sz; ++ ssize_t low_count, read, sz, err = 0; + char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ +- int err = 0; + + read = 0; + if (p < (unsigned long) high_memory) { +@@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi + } + #endif + while (low_count > 0) { ++ char *temp; ++ + sz = size_inside_page(p, low_count); + + /* +@@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi + */ + kbuf = xlate_dev_kmem_ptr((char *)p); + +- if (copy_to_user(buf, kbuf, sz)) ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL); ++ if (!temp) ++ return -ENOMEM; ++ memcpy(temp, kbuf, sz); ++#else ++ temp = kbuf; ++#endif ++ ++ err = copy_to_user(buf, temp, sz); ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ ++ if (err) + return -EFAULT; + buf += sz; + p += sz; +@@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; @@ -23200,7 +23292,7 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -@@ -731,6 +751,16 @@ static loff_t memory_lseek(struct file * +@@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file * static int open_port(struct inode * inode, struct file * filp) { @@ -23217,7 +23309,7 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } -@@ -738,7 +768,6 @@ static int open_port(struct inode * inod +@@ -738,7 +801,6 @@ static int open_port(struct inode * inod #define full_lseek null_lseek #define write_zero write_null #define read_full read_zero @@ -23225,7 +23317,7 @@ diff -urNp linux-2.6.34.6/drivers/char/mem.c linux-2.6.34.6/drivers/char/mem.c #define open_kmem open_mem #define open_oldmem open_mem -@@ -854,6 +883,9 @@ static const struct memdev { +@@ -854,6 +916,9 @@ static const struct memdev { #ifdef CONFIG_CRASH_DUMP [12] = { "oldmem", 0, &oldmem_fops, NULL }, #endif @@ -26423,6 +26515,18 @@ diff -urNp linux-2.6.34.6/drivers/pci/proc.c linux-2.6.34.6/drivers/pci/proc.c proc_create("devices", 0, proc_bus_pci_dir, &proc_bus_pci_dev_operations); proc_initialized = 1; +diff -urNp linux-2.6.34.6/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.34.6/drivers/pcmcia/pcmcia_ioctl.c +--- linux-2.6.34.6/drivers/pcmcia/pcmcia_ioctl.c 2010-08-13 16:29:15.000000000 -0400 ++++ linux-2.6.34.6/drivers/pcmcia/pcmcia_ioctl.c 2010-09-03 21:44:58.000000000 -0400 +@@ -856,7 +856,7 @@ static int ds_ioctl(struct inode *inode, + return -EFAULT; + } + } +- buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL); ++ buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL); + if (!buf) + return -ENOMEM; + diff -urNp linux-2.6.34.6/drivers/pcmcia/ti113x.h linux-2.6.34.6/drivers/pcmcia/ti113x.h --- linux-2.6.34.6/drivers/pcmcia/ti113x.h 2010-08-13 16:29:15.000000000 -0400 +++ linux-2.6.34.6/drivers/pcmcia/ti113x.h 2010-08-13 18:38:12.000000000 -0400 @@ -27386,13 +27490,13 @@ diff -urNp linux-2.6.34.6/drivers/usb/class/cdc-acm.c linux-2.6.34.6/drivers/usb MODULE_DEVICE_TABLE(usb, acm_ids); diff -urNp linux-2.6.34.6/drivers/usb/class/cdc-wdm.c linux-2.6.34.6/drivers/usb/class/cdc-wdm.c --- linux-2.6.34.6/drivers/usb/class/cdc-wdm.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/drivers/usb/class/cdc-wdm.c 2010-08-13 18:38:12.000000000 -0400 ++++ linux-2.6.34.6/drivers/usb/class/cdc-wdm.c 2010-09-03 21:44:58.000000000 -0400 @@ -342,7 +342,7 @@ static ssize_t wdm_write goto outnp; } - if (!file->f_flags && O_NONBLOCK) -+ if (!file->f_flags & O_NONBLOCK) ++ if (!(file->f_flags & O_NONBLOCK)) r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE, &desc->flags)); else @@ -32495,8 +32599,51 @@ diff -urNp linux-2.6.34.6/fs/proc/Kconfig linux-2.6.34.6/fs/proc/Kconfig Various /proc files exist to monitor process memory utilization: diff -urNp linux-2.6.34.6/fs/proc/kcore.c linux-2.6.34.6/fs/proc/kcore.c --- linux-2.6.34.6/fs/proc/kcore.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/fs/proc/kcore.c 2010-08-13 18:38:12.000000000 -0400 -@@ -542,6 +542,9 @@ read_kcore(struct file *file, char __use ++++ linux-2.6.34.6/fs/proc/kcore.c 2010-09-03 21:44:58.000000000 -0400 +@@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use + * the addresses in the elf_phdr on our list. + */ + start = kc_offset_to_vaddr(*fpos - elf_buflen); +- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen) ++ tsz = PAGE_SIZE - (start & ~PAGE_MASK); ++ if (tsz > buflen) + tsz = buflen; +- ++ + while (buflen) { + struct kcore_list *m; + +@@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use + kfree(elf_buf); + } else { + if (kern_addr_valid(start)) { +- unsigned long n; ++ char *elf_buf; + +- n = copy_to_user(buffer, (char *)start, tsz); +- /* +- * We cannot distingush between fault on source +- * and fault on destination. When this happens +- * we clear too and hope it will trigger the +- * EFAULT again. +- */ +- if (n) { +- if (clear_user(buffer + tsz - n, +- n)) ++ elf_buf = kmalloc(tsz, GFP_KERNEL); ++ if (!elf_buf) ++ return -ENOMEM; ++ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) { ++ if (copy_to_user(buffer, elf_buf, tsz)) { ++ kfree(elf_buf); + return -EFAULT; ++ } + } ++ kfree(elf_buf); + } else { + if (clear_user(buffer, tsz)) + return -EFAULT; +@@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use static int open_kcore(struct inode *inode, struct file *filp) { @@ -47421,7 +47568,7 @@ diff -urNp linux-2.6.34.6/kernel/hrtimer.c linux-2.6.34.6/kernel/hrtimer.c } diff -urNp linux-2.6.34.6/kernel/kallsyms.c linux-2.6.34.6/kernel/kallsyms.c --- linux-2.6.34.6/kernel/kallsyms.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/kernel/kallsyms.c 2010-08-13 18:38:12.000000000 -0400 ++++ linux-2.6.34.6/kernel/kallsyms.c 2010-09-03 21:44:58.000000000 -0400 @@ -11,6 +11,9 @@ * Changed the compression method from stem compression to "table lookup" * compression (see scripts/kallsyms.c for a more complete description) @@ -47432,39 +47579,41 @@ diff -urNp linux-2.6.34.6/kernel/kallsyms.c linux-2.6.34.6/kernel/kallsyms.c #include <linux/kallsyms.h> #include <linux/module.h> #include <linux/init.h> -@@ -52,23 +55,48 @@ extern const unsigned long kallsyms_mark +@@ -52,12 +55,33 @@ extern const unsigned long kallsyms_mark static inline int is_kernel_inittext(unsigned long addr) { + if (system_state != SYSTEM_BOOTING) + return 0; + -+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if (addr >= ktla_ktva((unsigned long)_sinittext) -+ && addr <= ktla_ktva((unsigned long)_einittext)) -+#else if (addr >= (unsigned long)_sinittext && addr <= (unsigned long)_einittext) -+#endif return 1; -+ return 0; } - static inline int is_kernel_text(unsigned long addr) - { -+ +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) -+ if (addr >= ktla_ktva((unsigned long)_stext) -+ && addr <= ktla_ktva((unsigned long)_etext)) ++#ifdef CONFIG_MODULES ++static inline int is_module_text(unsigned long addr) ++{ ++ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END) ++ return 1; ++ ++ addr = ktla_ktva(addr); ++ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END; ++} +#else - if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) || - arch_is_kernel_text(addr)) ++static inline int is_module_text(unsigned long addr) ++{ ++ return 0; ++} ++#endif +#endif - return 1; + - return in_gate_area_no_task(addr); - } + static inline int is_kernel_text(unsigned long addr) + { + if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) || +@@ -68,13 +92,28 @@ static inline int is_kernel_text(unsigne static inline int is_kernel(unsigned long addr) { @@ -47481,7 +47630,19 @@ diff -urNp linux-2.6.34.6/kernel/kallsyms.c linux-2.6.34.6/kernel/kallsyms.c return 1; return in_gate_area_no_task(addr); } -@@ -415,7 +443,6 @@ static unsigned long get_ksymbol_core(st + + static int is_ksym_addr(unsigned long addr) + { ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ if (is_module_text(addr)) ++ return 0; ++#endif ++ + if (all_var) + return is_kernel(addr); + +@@ -415,7 +454,6 @@ static unsigned long get_ksymbol_core(st static void reset_iter(struct kallsym_iter *iter, loff_t new_pos) { @@ -47489,7 +47650,7 @@ diff -urNp linux-2.6.34.6/kernel/kallsyms.c linux-2.6.34.6/kernel/kallsyms.c iter->nameoff = get_symbol_offset(new_pos); iter->pos = new_pos; } -@@ -463,6 +490,11 @@ static int s_show(struct seq_file *m, vo +@@ -463,6 +501,11 @@ static int s_show(struct seq_file *m, vo { struct kallsym_iter *iter = m->private; @@ -47501,7 +47662,7 @@ diff -urNp linux-2.6.34.6/kernel/kallsyms.c linux-2.6.34.6/kernel/kallsyms.c /* Some debugging symbols have no name. Ignore them. */ if (!iter->name[0]) return 0; -@@ -503,7 +535,7 @@ static int kallsyms_open(struct inode *i +@@ -503,7 +546,7 @@ static int kallsyms_open(struct inode *i struct kallsym_iter *iter; int ret; @@ -48441,18 +48602,6 @@ diff -urNp linux-2.6.34.6/kernel/rcutree.c linux-2.6.34.6/kernel/rcutree.c { /* * Memory references from any prior RCU read-side critical sections -diff -urNp linux-2.6.34.6/kernel/relay.c linux-2.6.34.6/kernel/relay.c ---- linux-2.6.34.6/kernel/relay.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/kernel/relay.c 2010-08-13 18:38:12.000000000 -0400 -@@ -1293,7 +1293,7 @@ static ssize_t subbuf_splice_actor(struc - return 0; - - ret = *nonpad_ret = splice_to_pipe(pipe, &spd); -- if (ret < 0 || ret < total_len) -+ if ((int)ret < 0 || ret < total_len) - return ret; - - if (read_start + ret == nonpad_end) diff -urNp linux-2.6.34.6/kernel/resource.c linux-2.6.34.6/kernel/resource.c --- linux-2.6.34.6/kernel/resource.c 2010-08-13 16:29:15.000000000 -0400 +++ linux-2.6.34.6/kernel/resource.c 2010-08-13 18:38:12.000000000 -0400 @@ -50200,7 +50349,7 @@ diff -urNp linux-2.6.34.6/mm/mlock.c linux-2.6.34.6/mm/mlock.c ret = do_mlockall(flags); diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c --- linux-2.6.34.6/mm/mmap.c 2010-08-29 21:16:43.000000000 -0400 -+++ linux-2.6.34.6/mm/mmap.c 2010-08-29 21:17:12.000000000 -0400 ++++ linux-2.6.34.6/mm/mmap.c 2010-09-03 21:44:58.000000000 -0400 @@ -44,6 +44,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -50416,15 +50565,21 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (addr & ~PAGE_MASK) return addr; -@@ -1003,6 +1079,22 @@ unsigned long do_mmap_pgoff(struct file +@@ -1003,6 +1079,28 @@ unsigned long do_mmap_pgoff(struct file vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { -+ if ((prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC)) ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) ++ ++#ifdef CONFIG_PAX_EMUPLT ++ vm_flags &= ~VM_EXEC; ++#else + return -EPERM; -+ if (!(prot & PROT_EXEC)) ++#endif ++ ++ if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; + else + vm_flags &= ~VM_MAYWRITE; @@ -50439,7 +50594,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1014,6 +1106,7 @@ unsigned long do_mmap_pgoff(struct file +@@ -1014,6 +1112,7 @@ unsigned long do_mmap_pgoff(struct file locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -50447,7 +50602,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1084,6 +1177,9 @@ unsigned long do_mmap_pgoff(struct file +@@ -1084,6 +1183,9 @@ unsigned long do_mmap_pgoff(struct file if (error) return error; @@ -50457,7 +50612,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1160,10 +1256,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar +@@ -1160,10 +1262,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -50470,7 +50625,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1212,14 +1308,24 @@ unsigned long mmap_region(struct file *f +@@ -1212,14 +1314,24 @@ unsigned long mmap_region(struct file *f unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -50497,7 +50652,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c } /* Check against address space limit. */ -@@ -1268,6 +1374,16 @@ munmap_back: +@@ -1268,6 +1380,16 @@ munmap_back: goto unacct_error; } @@ -50514,7 +50669,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1291,6 +1407,19 @@ munmap_back: +@@ -1291,6 +1413,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -50534,7 +50689,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1326,6 +1455,11 @@ munmap_back: +@@ -1326,6 +1461,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -50546,7 +50701,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1334,6 +1468,7 @@ out: +@@ -1334,6 +1474,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -50554,7 +50709,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1351,6 +1486,12 @@ unmap_and_free_vma: +@@ -1351,6 +1492,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -50567,7 +50722,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1384,6 +1525,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1384,6 +1531,10 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; @@ -50578,7 +50733,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); -@@ -1392,10 +1537,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1392,10 +1543,10 @@ arch_get_unmapped_area(struct file *filp return addr; } if (len > mm->cached_hole_size) { @@ -50592,7 +50747,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c } full_search: -@@ -1406,9 +1551,8 @@ full_search: +@@ -1406,9 +1557,8 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -50604,7 +50759,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c mm->cached_hole_size = 0; goto full_search; } -@@ -1430,10 +1574,16 @@ full_search: +@@ -1430,10 +1580,16 @@ full_search: void arch_unmap_area(struct mm_struct *mm, unsigned long addr) { @@ -50622,7 +50777,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1451,7 +1601,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1451,7 +1607,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -50631,7 +50786,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1460,6 +1610,10 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1460,6 +1616,10 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; @@ -50642,7 +50797,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* requesting a specific address */ if (addr) { addr = PAGE_ALIGN(addr); -@@ -1517,13 +1671,21 @@ bottomup: +@@ -1517,13 +1677,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -50666,7 +50821,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c mm->cached_hole_size = ~0UL; return addr; -@@ -1532,6 +1694,12 @@ bottomup: +@@ -1532,6 +1700,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -50679,7 +50834,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1539,8 +1707,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1539,8 +1713,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -50691,7 +50846,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c } unsigned long -@@ -1648,6 +1818,27 @@ out: +@@ -1648,6 +1824,27 @@ out: return prev ? prev->vm_next : vma; } @@ -50719,7 +50874,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1664,6 +1855,7 @@ static int acct_stack_growth(struct vm_a +@@ -1664,6 +1861,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; /* Stack limit test */ @@ -50727,7 +50882,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -1674,6 +1866,7 @@ static int acct_stack_growth(struct vm_a +@@ -1674,6 +1872,7 @@ static int acct_stack_growth(struct vm_a locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -50735,7 +50890,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1709,35 +1902,40 @@ static +@@ -1709,35 +1908,40 @@ static #endif int expand_upwards(struct vm_area_struct *vma, unsigned long address) { @@ -50786,7 +50941,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c unsigned long size, grow; size = address - vma->vm_start; -@@ -1747,6 +1945,8 @@ int expand_upwards(struct vm_area_struct +@@ -1747,6 +1951,8 @@ int expand_upwards(struct vm_area_struct if (!error) vma->vm_end = address; } @@ -50795,7 +50950,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c anon_vma_unlock(vma); return error; } -@@ -1758,7 +1958,8 @@ int expand_upwards(struct vm_area_struct +@@ -1758,7 +1964,8 @@ int expand_upwards(struct vm_area_struct static int expand_downwards(struct vm_area_struct *vma, unsigned long address) { @@ -50805,7 +50960,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * We must make sure the anon_vma is allocated -@@ -1772,6 +1973,15 @@ static int expand_downwards(struct vm_ar +@@ -1772,6 +1979,15 @@ static int expand_downwards(struct vm_ar if (error) return error; @@ -50821,7 +50976,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c anon_vma_lock(vma); /* -@@ -1781,9 +1991,15 @@ static int expand_downwards(struct vm_ar +@@ -1781,9 +1997,15 @@ static int expand_downwards(struct vm_ar */ /* Somebody else might have raced and expanded it already */ @@ -50838,7 +50993,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1791,9 +2007,20 @@ static int expand_downwards(struct vm_ar +@@ -1791,9 +2013,20 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -50859,7 +51014,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return error; } -@@ -1867,6 +2094,13 @@ static void remove_vma_list(struct mm_st +@@ -1867,6 +2100,13 @@ static void remove_vma_list(struct mm_st do { long nrpages = vma_pages(vma); @@ -50873,7 +51028,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1912,6 +2146,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1912,6 +2152,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -50890,7 +51045,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1940,14 +2184,33 @@ static int __split_vma(struct mm_struct +@@ -1940,14 +2190,33 @@ static int __split_vma(struct mm_struct struct vm_area_struct *new; int err = -ENOMEM; @@ -50924,7 +51079,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1960,6 +2223,22 @@ static int __split_vma(struct mm_struct +@@ -1960,6 +2229,22 @@ static int __split_vma(struct mm_struct new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -50947,7 +51102,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -1985,6 +2264,42 @@ static int __split_vma(struct mm_struct +@@ -1985,6 +2270,42 @@ static int __split_vma(struct mm_struct else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -50990,7 +51145,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* Success. */ if (!err) return 0; -@@ -2000,6 +2315,15 @@ static int __split_vma(struct mm_struct +@@ -2000,6 +2321,15 @@ static int __split_vma(struct mm_struct out_free_mpol: mpol_put(pol); out_free_vma: @@ -51006,7 +51161,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2012,6 +2336,15 @@ static int __split_vma(struct mm_struct +@@ -2012,6 +2342,15 @@ static int __split_vma(struct mm_struct int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -51022,7 +51177,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2023,11 +2356,30 @@ int split_vma(struct mm_struct *mm, stru +@@ -2023,11 +2362,30 @@ int split_vma(struct mm_struct *mm, stru * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -51053,7 +51208,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2101,6 +2453,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -2101,6 +2459,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -51062,7 +51217,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return 0; } -@@ -2113,22 +2467,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -2113,22 +2473,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a profile_munmap(addr); @@ -51091,7 +51246,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2142,6 +2492,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2142,6 +2498,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -51099,7 +51254,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c len = PAGE_ALIGN(len); if (!len) -@@ -2153,16 +2504,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2153,16 +2510,30 @@ unsigned long do_brk(unsigned long addr, flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -51131,7 +51286,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2179,22 +2544,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2179,22 +2550,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -51158,7 +51313,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2208,7 +2573,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2208,7 +2579,7 @@ unsigned long do_brk(unsigned long addr, */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -51167,7 +51322,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return -ENOMEM; } -@@ -2221,11 +2586,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2221,11 +2592,12 @@ unsigned long do_brk(unsigned long addr, vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: @@ -51182,7 +51337,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return addr; } -@@ -2272,8 +2638,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2272,8 +2644,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -51194,7 +51349,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2287,6 +2655,10 @@ int insert_vm_struct(struct mm_struct * +@@ -2287,6 +2661,10 @@ int insert_vm_struct(struct mm_struct * struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -51205,7 +51360,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2309,7 +2681,22 @@ int insert_vm_struct(struct mm_struct * +@@ -2309,7 +2687,22 @@ int insert_vm_struct(struct mm_struct * if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -51228,7 +51383,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c return 0; } -@@ -2327,6 +2714,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2327,6 +2720,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -51237,7 +51392,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2376,6 +2765,39 @@ struct vm_area_struct *copy_vma(struct v +@@ -2376,6 +2771,39 @@ struct vm_area_struct *copy_vma(struct v kmem_cache_free(vm_area_cachep, new_vma); return NULL; } @@ -51277,7 +51432,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c /* * Return true if the calling process may expand its vm space by the passed -@@ -2387,7 +2809,7 @@ int may_expand_vm(struct mm_struct *mm, +@@ -2387,7 +2815,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long lim; lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -51286,7 +51441,7 @@ diff -urNp linux-2.6.34.6/mm/mmap.c linux-2.6.34.6/mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2457,6 +2879,17 @@ int install_special_mapping(struct mm_st +@@ -2457,6 +2885,17 @@ int install_special_mapping(struct mm_st vma->vm_start = addr; vma->vm_end = addr + len; @@ -51711,8 +51866,8 @@ diff -urNp linux-2.6.34.6/mm/percpu.c linux-2.6.34.6/mm/percpu.c static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */ diff -urNp linux-2.6.34.6/mm/rmap.c linux-2.6.34.6/mm/rmap.c --- linux-2.6.34.6/mm/rmap.c 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/mm/rmap.c 2010-08-13 18:38:12.000000000 -0400 -@@ -116,15 +116,29 @@ int anon_vma_prepare(struct vm_area_stru ++++ linux-2.6.34.6/mm/rmap.c 2010-09-03 21:44:58.000000000 -0400 +@@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru struct anon_vma *anon_vma = vma->anon_vma; struct anon_vma_chain *avc; @@ -51723,13 +51878,7 @@ diff -urNp linux-2.6.34.6/mm/rmap.c linux-2.6.34.6/mm/rmap.c might_sleep(); if (unlikely(!anon_vma)) { struct mm_struct *mm = vma->vm_mm; - struct anon_vma *allocated; - -+#ifdef CONFIG_PAX_SEGMEXEC -+ struct vm_area_struct *vma_m; -+#endif -+ - avc = anon_vma_chain_alloc(); +@@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru if (!avc) goto out_enomem; @@ -51742,13 +51891,14 @@ diff -urNp linux-2.6.34.6/mm/rmap.c linux-2.6.34.6/mm/rmap.c anon_vma = find_mergeable_anon_vma(vma); allocated = NULL; if (!anon_vma) { -@@ -138,6 +152,20 @@ int anon_vma_prepare(struct vm_area_stru +@@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru /* page_table_lock to protect against threads */ spin_lock(&mm->page_table_lock); if (likely(!vma->anon_vma)) { + +#ifdef CONFIG_PAX_SEGMEXEC -+ vma_m = pax_find_mirror_vma(vma); ++ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma); ++ + if (vma_m) { + BUG_ON(vma_m->anon_vma); + vma_m->anon_vma = anon_vma; @@ -51763,7 +51913,7 @@ diff -urNp linux-2.6.34.6/mm/rmap.c linux-2.6.34.6/mm/rmap.c vma->anon_vma = anon_vma; avc->anon_vma = anon_vma; avc->vma = vma; -@@ -151,12 +179,24 @@ int anon_vma_prepare(struct vm_area_stru +@@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru if (unlikely(allocated)) anon_vma_free(allocated); @@ -53708,6 +53858,22 @@ diff -urNp linux-2.6.34.6/net/socket.c linux-2.6.34.6/net/socket.c err = security_socket_connect(sock, (struct sockaddr *)&address, addrlen); if (err) +diff -urNp linux-2.6.34.6/net/sunrpc/sched.c linux-2.6.34.6/net/sunrpc/sched.c +--- linux-2.6.34.6/net/sunrpc/sched.c 2010-08-13 16:29:15.000000000 -0400 ++++ linux-2.6.34.6/net/sunrpc/sched.c 2010-09-03 21:44:58.000000000 -0400 +@@ -235,10 +235,10 @@ static int rpc_wait_bit_killable(void *w + #ifdef RPC_DEBUG + static void rpc_task_set_debuginfo(struct rpc_task *task) + { +- static atomic_t rpc_pid; ++ static atomic_unchecked_t rpc_pid; + + task->tk_magic = RPC_TASK_MAGIC_ID; +- task->tk_pid = atomic_inc_return(&rpc_pid); ++ task->tk_pid = atomic_inc_return_unchecked(&rpc_pid); + } + #else + static inline void rpc_task_set_debuginfo(struct rpc_task *task) diff -urNp linux-2.6.34.6/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.34.6/net/sunrpc/xprtrdma/svc_rdma.c --- linux-2.6.34.6/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-13 16:29:15.000000000 -0400 +++ linux-2.6.34.6/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-13 18:38:12.000000000 -0400 @@ -54176,8 +54342,8 @@ diff -urNp linux-2.6.34.6/security/integrity/ima/ima_queue.c linux-2.6.34.6/secu return 0; diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig --- linux-2.6.34.6/security/Kconfig 2010-08-13 16:29:15.000000000 -0400 -+++ linux-2.6.34.6/security/Kconfig 2010-08-13 18:38:12.000000000 -0400 -@@ -4,6 +4,498 @@ ++++ linux-2.6.34.6/security/Kconfig 2010-09-03 21:44:58.000000000 -0400 +@@ -4,6 +4,501 @@ menu "Security options" @@ -54196,7 +54362,7 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig + + config PAX_ENABLE_PAE + bool -+ default y if (X86_32 && (M686 || MPENTIUMII || MPENTIUMIII || MPENTIUM4 || MK7 || MK8 || MVIAC7 || MPSC || MCORE2 || MATOM)) ++ default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM)) + +config PAX + bool "Enable various PaX features" @@ -54410,7 +54576,8 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig + - changing the executable status of memory pages that were + not originally created as executable, + - making read-only executable pages writable again, -+ - creating executable pages from anonymous memory. ++ - creating executable pages from anonymous memory, ++ - making read-only-after-relocations (RELRO) data pages writable again. + + You should say Y here to complete the protection provided by + the enforcement of non-executable pages. @@ -54420,7 +54587,7 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig + +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" -+ depends on PAX_MPROTECT && (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) ++ depends on PAX_MPROTECT + default n + help + Non-executable pages and mprotect() restrictions are effective @@ -54441,6 +54608,7 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig +config PAX_ETEXECRELOCS + bool "Allow ELF ET_EXEC text relocations" + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS + default y + help + On some architectures there are incorrectly created applications @@ -54669,6 +54837,7 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig + + Since this has a negligible performance impact, you should enable + this feature. ++ +endmenu + +endmenu @@ -54676,7 +54845,7 @@ diff -urNp linux-2.6.34.6/security/Kconfig linux-2.6.34.6/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -124,7 +616,7 @@ config INTEL_TXT +@@ -124,7 +619,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |