OSDN Git Service
Peter Zijlstra [Wed, 3 Apr 2019 07:39:48 +0000 (09:39 +0200)]
BACKPORT: x86/uaccess: Introduce user_access_{save,restore}()
(Upstream commit
e74deb11931ff682b59d5b9d387f7115f689698e).
Introduce common helpers for when we need to safely suspend a
uaccess section; for instance to generate a {KA,UB}SAN report.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Change-Id: I9a1afec5d437689dc9a976b371448c7e81811724
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Qian Cai [Fri, 29 Mar 2019 03:43:15 +0000 (20:43 -0700)]
UPSTREAM: kasan: fix variable 'tag' set but not used warning
(Upstream commit
c412a769d2452161e97f163c4c4f31efc6626f06).
set_tag() compiles away when CONFIG_KASAN_SW_TAGS=n, so make
arch_kasan_set_tag() a static inline function to fix warnings below.
mm/kasan/common.c: In function '__kasan_kmalloc':
mm/kasan/common.c:475:5: warning: variable 'tag' set but not used [-Wunused-but-set-variable]
u8 tag;
^~~
Link: http://lkml.kernel.org/r/20190307185244.54648-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I46b33353a25e5e3e0ef7b61dba56ae52922a5452
Qian Cai [Wed, 6 Mar 2019 21:38:06 +0000 (16:38 -0500)]
UPSTREAM: Revert "x86_64: Increase stack size for KASAN_EXTRA"
(Upstream commit
a2863b53418d7d8f6332adf0cfb32611def0c4b9).
This reverts commit
a8e911d13540487942d53137c156bd7707f66e5d.
KASAN_EXTRA was removed via the commit
7771bdbbfd3d ("kasan: remove use
after scope bugs detection."), so this is no longer needed.
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: bp@alien8.de
Cc: akpm@linux-foundation.org
Cc: aryabinin@virtuozzo.com
Cc: glider@google.com
Cc: dvyukov@google.com
Cc: hpa@zytor.com
Link: https://lkml.kernel.org/r/20190306213806.46139-1-cai@lca.pw
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I81cae91b45c69906239518da0965a139112ccfe2
Andrey Konovalov [Tue, 5 Mar 2019 23:41:31 +0000 (15:41 -0800)]
UPSTREAM: kasan: fix coccinelle warnings in kasan_p*_table
(Upstream commit
5c0198b6fb73867dea296a69a944a4fdbceff3d8).
kasan_p4d_table(), kasan_pmd_table() and kasan_pud_table() are declared
as returning bool, but return 0 instead of false, which produces a
coccinelle warning. Fix it.
Link: http://lkml.kernel.org/r/1fa6fadf644859e8a6a8ecce258444b49be8c7ee.1551716733.git.andreyknvl@google.com
Fixes:
0207df4fa1a8 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: kbuild test robot <lkp@intel.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I6db14d97607078ac7b2231d323653815caddadf1
Arnd Bergmann [Tue, 5 Mar 2019 23:41:27 +0000 (15:41 -0800)]
UPSTREAM: kasan: fix kasan_check_read/write definitions
(Upstream commit
bcf6f55a0d05eedd8ebb6ecc60ae3f93205ad833).
Building little-endian allmodconfig kernels on arm64 started failing
with the generated atomic.h implementation, since we now try to call
kasan helpers from the EFI stub:
aarch64-linux-gnu-ld: drivers/firmware/efi/libstub/arm-stub.stub.o: in function `atomic_set':
include/generated/atomic-instrumented.h:44: undefined reference to `__efistub_kasan_check_write'
I suspect that we get similar problems in other files that explicitly
disable KASAN for some reason but call atomic_t based helper functions.
We can fix this by checking the predefined __SANITIZE_ADDRESS__ macro
that the compiler sets instead of checking CONFIG_KASAN, but this in
turn requires a small hack in mm/kasan/common.c so we do see the extern
declaration there instead of the inline function.
Link: http://lkml.kernel.org/r/20181211133453.2835077-1-arnd@arndb.de
Fixes:
b1864b828644 ("locking/atomics: build atomic headers as required")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>,
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ib6836f63fc9dfe594cd8ce4e99f2ad4489c98a53
Andrey Ryabinin [Tue, 5 Mar 2019 23:41:20 +0000 (15:41 -0800)]
BACKPORT: kasan: remove use after scope bugs detection.
(Upstream commit
7771bdbbfd3d6f204631b6fd9e1bbc30cd15918e).
Use after scope bugs detector seems to be almost entirely useless for
the linux kernel. It exists over two years, but I've seen only one
valid bug so far [1]. And the bug was fixed before it has been
reported. There were some other use-after-scope reports, but they were
false-positives due to different reasons like incompatibility with
structleak plugin.
This feature significantly increases stack usage, especially with GCC <
9 version, and causes a 32K stack overflow. It probably adds
performance penalty too.
Given all that, let's remove use-after-scope detector entirely.
While preparing this patch I've noticed that we mistakenly enable
use-after-scope detection for clang compiler regardless of
CONFIG_KASAN_EXTRA setting. This is also fixed now.
[1] http://lkml.kernel.org/r/<
20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com>
Link: http://lkml.kernel.org/r/20190111185842.13978-1-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Will Deacon <will.deacon@arm.com> [arm64]
Cc: Qian Cai <cai@lca.pw>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I00d869a5e287e3e198950b78ad17bd6ff6a51595
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Arnd Bergmann [Fri, 1 Mar 2019 00:21:58 +0000 (16:21 -0800)]
BACKPORT: kasan: turn off asan-stack for clang-8 and earlier
(Upstream commit
6baec880d7a53cbc2841123e56ee31e830df9b49).
Building an arm64 allmodconfig kernel with clang results in over 140
warnings about overly large stack frames, the worst ones being:
drivers/gpu/drm/panel/panel-sitronix-st7789v.c:196:12: error: stack frame size of 20224 bytes in function 'st7789v_prepare'
drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c:196:12: error: stack frame size of 13120 bytes in function 'td028ttec1_panel_enable'
drivers/usb/host/max3421-hcd.c:1395:1: error: stack frame size of 10048 bytes in function 'max3421_spi_thread'
drivers/net/wan/slic_ds26522.c:209:12: error: stack frame size of 9664 bytes in function 'slic_ds26522_probe'
drivers/crypto/ccp/ccp-ops.c:2434:5: error: stack frame size of 8832 bytes in function 'ccp_run_cmd'
drivers/media/dvb-frontends/stv0367.c:1005:12: error: stack frame size of 7840 bytes in function 'stv0367ter_algo'
None of these happen with gcc today, and almost all of these are the
result of a single known issue in llvm. Hopefully it will eventually
get fixed with the clang-9 release.
In the meantime, the best idea I have is to turn off asan-stack for
clang-8 and earlier, so we can produce a kernel that is safe to run.
I have posted three patches that address the frame overflow warnings
that are not addressed by turning off asan-stack, so in combination with
this change, we get much closer to a clean allmodconfig build, which in
turn is necessary to do meaningful build regression testing.
It is still possible to turn on the CONFIG_ASAN_STACK option on all
versions of clang, and it's always enabled for gcc, but when
CONFIG_COMPILE_TEST is set, the option remains invisible, so
allmodconfig and randconfig builds (which are normally done with a
forced CONFIG_COMPILE_TEST) will still result in a mostly clean build.
Link: http://lkml.kernel.org/r/20190222222950.3997333-1-arnd@arndb.de
Link: https://bugs.llvm.org/show_bug.cgi?id=38809
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Qian Cai <cai@lca.pw>
Reviewed-by: Mark Brown <broonie@kernel.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Ieefb7b14a9a4c36054e0a6d39f018d39ba78313d
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Qian Cai [Thu, 21 Feb 2019 06:20:37 +0000 (22:20 -0800)]
UPSTREAM: slub: fix a crash with SLUB_DEBUG + KASAN_SW_TAGS
(Upstream commit
6373dca16c911b2828ef8d836d7f6f1800e1bbbc).
In process_slab(), "p = get_freepointer()" could return a tagged
pointer, but "addr = page_address()" always return a native pointer. As
the result, slab_index() is messed up here,
return (p - addr) / s->size;
All other callers of slab_index() have the same situation where "addr"
is from page_address(), so just need to untag "p".
# cat /sys/kernel/slab/hugetlbfs_inode_cache/alloc_calls
Unable to handle kernel paging request at virtual address
2bff808aa4856d48
Mem abort info:
ESR = 0x96000007
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000007
CM = 0, WnR = 0
swapper pgtable: 64k pages, 48-bit VAs, pgdp =
0000000002498338
[
2bff808aa4856d48] pgd=
00000097fcfd0003, pud=
00000097fcfd0003, pmd=
00000097fca30003, pte=
00e8008b24850712
Internal error: Oops:
96000007 [#1] SMP
CPU: 3 PID: 79210 Comm: read_all Tainted: G L 5.0.0-rc7+ #84
Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.0.6 07/10/2018
pstate:
00400089 (nzcv daIf +PAN -UAO)
pc : get_map+0x78/0xec
lr : get_map+0xa0/0xec
sp :
aeff808989e3f8e0
x29:
aeff808989e3f940 x28:
ffff800826200000
x27:
ffff100012d47000 x26:
9700000000002500
x25:
0000000000000001 x24:
52ff8008200131f8
x23:
52ff8008200130a0 x22:
52ff800820013098
x21:
ffff800826200000 x20:
ffff100013172ba0
x19:
2bff808a8971bc00 x18:
ffff1000148f5538
x17:
000000000000001b x16:
00000000000000ff
x15:
ffff1000148f5000 x14:
00000000000000d2
x13:
0000000000000001 x12:
0000000000000000
x11:
0000000020000002 x10:
2bff808aa4856d48
x9 :
0000020000000000 x8 :
68ff80082620ebb0
x7 :
0000000000000000 x6 :
ffff1000105da1dc
x5 :
0000000000000000 x4 :
0000000000000000
x3 :
0000000000000010 x2 :
2bff808a8971bc00
x1 :
ffff7fe002098800 x0 :
ffff80082620ceb0
Process read_all (pid: 79210, stack limit = 0x00000000f65b9361)
Call trace:
get_map+0x78/0xec
process_slab+0x7c/0x47c
list_locations+0xb0/0x3c8
alloc_calls_show+0x34/0x40
slab_attr_show+0x34/0x48
sysfs_kf_seq_show+0x2e4/0x570
kernfs_seq_show+0x12c/0x1a0
seq_read+0x48c/0xf84
kernfs_fop_read+0xd4/0x448
__vfs_read+0x94/0x5d4
vfs_read+0xcc/0x194
ksys_read+0x6c/0xe8
__arm64_sys_read+0x68/0xb0
el0_svc_handler+0x230/0x3bc
el0_svc+0x8/0xc
Code:
d3467d2a 9ac92329 8b0a0e6a f9800151 (
c85f7d4b)
---[ end trace
a383a9a44ff13176 ]---
Kernel panic - not syncing: Fatal exception
SMP: stopping secondary CPUs
SMP: failed to stop secondary CPUs 1-7,32,40,127
Kernel Offset: disabled
CPU features: 0x002,
20000c18
Memory Limit: none
---[ end Kernel panic - not syncing: Fatal exception ]---
Link: http://lkml.kernel.org/r/20190220020251.82039-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I14d53cd0c3ce9672edc3b9666c68241e42d2fced
Andrey Konovalov [Thu, 21 Feb 2019 06:20:33 +0000 (22:20 -0800)]
UPSTREAM: kasan, slab: remove redundant kasan_slab_alloc hooks
(Upstream commit
557ea25383a231fe3ffc72881ada35c24b960dbc).
kasan_slab_alloc() calls in kmem_cache_alloc() and kmem_cache_alloc_node()
are redundant as they are already called via slab_alloc/slab_alloc_node()->
slab_post_alloc_hook()->kasan_slab_alloc(). Remove them.
Link: http://lkml.kernel.org/r/4ca1655cdcfc4379c49c50f7bf80f81c4ad01485.1550602886.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I61be422e28a4e31f36f9ec5bea654077691b89b9
Andrey Konovalov [Thu, 21 Feb 2019 06:20:28 +0000 (22:20 -0800)]
UPSTREAM: kasan, slab: make freelist stored without tags
(Upstream commit
51dedad06b5f6c3eea7ec1069631b1ef7796912a).
Similarly to "kasan, slub: move kasan_poison_slab hook before
page_address", move kasan_poison_slab() before alloc_slabmgmt(), which
calls page_address(), to make page_address() return value to be
non-tagged. This, combined with calling kasan_reset_tag() for off-slab
slab management object, leads to freelist being stored non-tagged.
Link: http://lkml.kernel.org/r/dfb53b44a4d00de3879a05a9f04c1f55e584f7a1.1550602886.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I65954f8eed880ff2a0fe76a81bcf2703f707a585
Andrey Konovalov [Thu, 21 Feb 2019 06:20:25 +0000 (22:20 -0800)]
UPSTREAM: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
(Upstream commit
219667c23c68eb3dbc0d5662b9246f28477fe529).
Similarly to commit
96fedce27e13 ("kasan: make tag based mode work with
CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
__check_heap_object() in mm/slab.c before doing any pointer math.
Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I411184ecec0e3f77014bb330de3db5728d2065ed
Andrey Konovalov [Thu, 21 Feb 2019 06:20:20 +0000 (22:20 -0800)]
UPSTREAM: kasan: prevent tracing of tags.c
(Upstream commit
dc15a8a2543cb9ebe67998eefe2880ce1a20d42e).
Similarly to commit
0d0c8de8788b ("kasan: mark file common so ftrace
doesn't trace it") add the -pg flag to mm/kasan/tags.c to prevent
conflicts with tracing.
Link: http://lkml.kernel.org/r/9c4c3ce5ccfb894c7fe66d91de7c1da2787b4da4.1550602886.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: Qian Cai <cai@lca.pw>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I41a129790bd12e699f816e27fb086a6570d4223e
Andrey Konovalov [Thu, 21 Feb 2019 06:20:15 +0000 (22:20 -0800)]
UPSTREAM: kasan: fix random seed generation for tag-based mode
(Upstream commit
3f41b609382388f95c0a05b69b8db0d706adafb4).
There are two issues with assigning random percpu seeds right now:
1. We use for_each_possible_cpu() to iterate over cpus, but cpumask is
not set up yet at the moment of kasan_init(), and thus we only set
the seed for cpu #0.
2. A call to get_random_u32() always returns the same number and produces
a message in dmesg, since the random subsystem is not yet initialized.
Fix 1 by calling kasan_init_tags() after cpumask is set up.
Fix 2 by using get_cycles() instead of get_random_u32(). This gives us
lower quality random numbers, but it's good enough, as KASAN is meant to
be used as a debugging tool and not a mitigation.
Link: http://lkml.kernel.org/r/1f815cc914b61f3516ed4cc9bfd9eeca9bd5d9de.1550677973.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ic4b29dfd24515f02302d5cbd0d79eab5c6f0642c
Qian Cai [Thu, 21 Feb 2019 06:19:36 +0000 (22:19 -0800)]
UPSTREAM: slub: fix SLAB_CONSISTENCY_CHECKS + KASAN_SW_TAGS
(Upstream commit
338cfaad4993d3bc35a740e28981747770a65f90).
Enabling SLUB_DEBUG's SLAB_CONSISTENCY_CHECKS with KASAN_SW_TAGS
triggers endless false positives during boot below due to
check_valid_pointer() checks tagged pointers which have no addresses
that is valid within slab pages:
BUG radix_tree_node (Tainted: G B ): Freelist Pointer check fails
-----------------------------------------------------------------------------
INFO: Slab objects=69 used=69 fp=0x (null) flags=0x7ffffffc000200
INFO: Object @offset=
15060037153926966016 fp=0x
Redzone: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 18 6b 06 00 08 80 ff d0 .........k......
Object : 18 6b 06 00 08 80 ff d0 00 00 00 00 00 00 00 00 .k..............
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Redzone: bb bb bb bb bb bb bb bb ........
Padding: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.0.0-rc5+ #18
Call trace:
dump_backtrace+0x0/0x450
show_stack+0x20/0x2c
__dump_stack+0x20/0x28
dump_stack+0xa0/0xfc
print_trailer+0x1bc/0x1d0
object_err+0x40/0x50
alloc_debug_processing+0xf0/0x19c
___slab_alloc+0x554/0x704
kmem_cache_alloc+0x2f8/0x440
radix_tree_node_alloc+0x90/0x2fc
idr_get_free+0x1e8/0x6d0
idr_alloc_u32+0x11c/0x2a4
idr_alloc+0x74/0xe0
worker_pool_assign_id+0x5c/0xbc
workqueue_init_early+0x49c/0xd50
start_kernel+0x52c/0xac4
FIX radix_tree_node: Marking all objects used
Link: http://lkml.kernel.org/r/20190209044128.3290-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: Id7d2fe26fd720bd4bd9fa9ae7f5a04be881066e7
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Andrey Konovalov [Thu, 21 Feb 2019 06:19:32 +0000 (22:19 -0800)]
UPSTREAM: kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED
(Upstream commit
d36a63a943e37081e92e4abdf4a207fd2e83a006).
When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged. Normally,
this doesn't cause any issues, as both set_freepointer() and
get_freepointer() are called with a pointer with the same tag. However,
there are some issues with CONFIG_SLUB_DEBUG code. For example, when
__free_slub() iterates over objects in a cache, it passes untagged
pointers to check_object(). check_object() in turns calls
get_freepointer() with an untagged pointer, which causes the freepointer
to be restored incorrectly.
Add kasan_reset_tag to freelist_ptr(). Also add a detailed comment.
Link: http://lkml.kernel.org/r/bf858f26ef32eb7bd24c665755b3aee4bc58d0e4.1550103861.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: Qian Cai <cai@lca.pw>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ie57f08f676ea7a244a20f1dee98fc725594cafa6
Andrey Konovalov [Thu, 21 Feb 2019 06:19:28 +0000 (22:19 -0800)]
UPSTREAM: kasan, slub: fix conflicts with CONFIG_SLAB_FREELIST_HARDENED
(Upstream commit
18e506610238eda2b0c5a19a123d3d6ec0ab2de6).
CONFIG_SLAB_FREELIST_HARDENED hashes freelist pointer with the address of
the object where the pointer gets stored. With tag based KASAN we don't
account for that when building freelist, as we call set_freepointer() with
the first argument untagged. This patch changes the code to properly
propagate tags throughout the loop.
Link: http://lkml.kernel.org/r/3df171559c52201376f246bf7ce3184fe21c1dc7.1549921721.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: Qian Cai <cai@lca.pw>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I218d23e0fe3164f6f03d4f08bb93630f3e496f82
Andrey Konovalov [Thu, 21 Feb 2019 06:19:23 +0000 (22:19 -0800)]
UPSTREAM: kasan, slub: move kasan_poison_slab hook before page_address
(Upstream commit
a71012242837fe5e67d8c999cfc357174ed5dba0).
With tag based KASAN page_address() looks at the page flags to see whether
the resulting pointer needs to have a tag set. Since we don't want to set
a tag when page_address() is called on SLAB pages, we call
page_kasan_tag_reset() in kasan_poison_slab(). However in allocate_slab()
page_address() is called before kasan_poison_slab(). Fix it by changing
the order.
[andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Qian Cai <cai@lca.pw>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I53ade71e532b3e4163b84a3a23c7c54ab2d059bd
Andrey Konovalov [Thu, 21 Feb 2019 06:19:11 +0000 (22:19 -0800)]
UPSTREAM: kasan, kmemleak: pass tagged pointers to kmemleak
(Upstream commit
53128245b43daad600d9fe72940206570e064112).
Right now we call kmemleak hooks before assigning tags to pointers in
KASAN hooks. As a result, when an objects gets allocated, kmemleak sees a
differently tagged pointer, compared to the one it sees when the object
gets freed. Fix it by calling KASAN hooks before kmemleak's ones.
Link: http://lkml.kernel.org/r/cd825aa4897b0fc37d3316838993881daccbe9f5.1549921721.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: Qian Cai <cai@lca.pw>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I7766731cf2fe22effd91bfb89da915355d0e7981
Andrey Konovalov [Thu, 21 Feb 2019 06:19:01 +0000 (22:19 -0800)]
UPSTREAM: kasan: fix assigning tags twice
(Upstream commit
e1db95befb3e9e3476629afec6e0f5d0707b9825).
When an object is kmalloc()'ed, two hooks are called: kasan_slab_alloc()
and kasan_kmalloc(). Right now we assign a tag twice, once in each of the
hooks. Fix it by assigning a tag only in the former hook.
Link: http://lkml.kernel.org/r/ce8c6431da735aa7ec051fd6497153df690eb021.1549921721.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Qian Cai <cai@lca.pw>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I70f85dda8fcbcc796ebde8294a6f110d390bff3f
Anders Roxell [Fri, 1 Feb 2019 22:21:05 +0000 (14:21 -0800)]
UPSTREAM: kasan: mark file common so ftrace doesn't trace it
(Upstream commit
0d0c8de8788b6c441ea01365612de7efc20cc682).
When option CONFIG_KASAN is enabled toghether with ftrace, function
ftrace_graph_caller() gets in to a recursion, via functions
kasan_check_read() and kasan_check_write().
Breakpoint 2, ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:179
179 mcount_get_pc x0 // function's pc
(gdb) bt
#0 ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:179
#1 0xffffff90101406c8 in ftrace_caller () at ../arch/arm64/kernel/entry-ftrace.S:151
#2 0xffffff90106fd084 in kasan_check_write (p=0xffffffc06c170878, size=4) at ../mm/kasan/common.c:105
#3 0xffffff90104a2464 in atomic_add_return (v=<optimized out>, i=<optimized out>) at ./include/generated/atomic-instrumented.h:71
#4 atomic_inc_return (v=<optimized out>) at ./include/generated/atomic-fallback.h:284
#5 trace_graph_entry (trace=0xffffffc03f5ff380) at ../kernel/trace/trace_functions_graph.c:441
#6 0xffffff9010481774 in trace_graph_entry_watchdog (trace=<optimized out>) at ../kernel/trace/trace_selftest.c:741
#7 0xffffff90104a185c in function_graph_enter (ret=<optimized out>, func=<optimized out>, frame_pointer=
18446743799894897728, retp=<optimized out>) at ../kernel/trace/trace_functions_graph.c:196
#8 0xffffff9010140628 in prepare_ftrace_return (self_addr=
18446743592948977792, parent=0xffffffc03f5ff418, frame_pointer=
18446743799894897728) at ../arch/arm64/kernel/ftrace.c:231
#9 0xffffff90101406f4 in ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:182
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
Rework so that the kasan implementation isn't traced.
Link: http://lkml.kernel.org/r/20181212183447.15890-1-anders.roxell@linaro.org
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Id4dc25b795f81b4193c5f861657e9091acd99cef
Andrey Konovalov [Fri, 11 Jan 2019 13:47:40 +0000 (14:47 +0100)]
UPSTREAM: kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
(Upstream commit
7fa1e2e6afa7f4c9f46528e61de6a15d9e8dffd9).
Defining ARCH_SLAB_MINALIGN in arch/arm64/include/asm/cache.h when KASAN
is off is not needed, as it is defined in defined in include/linux/slab.h
as ifndef.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I27d13c0ed9f8ab2488028b526561f90b3e2eec0c
Andrey Konovalov [Tue, 8 Jan 2019 23:23:18 +0000 (15:23 -0800)]
UPSTREAM: kasan: fix krealloc handling for tag-based mode
(Upstream commit
a3fe7cdf02e318870fb71218726cc2321ff41f30).
Right now tag-based KASAN can retag the memory that is reallocated via
krealloc and return a differently tagged pointer even if the same slab
object gets used and no reallocated technically happens.
There are a few issues with this approach. One is that krealloc callers
can't rely on comparing the return value with the passed argument to
check whether reallocation happened. Another is that if a caller knows
that no reallocation happened, that it can access object memory through
the old pointer, which leads to false positives. Look at
nf_ct_ext_add() to see an example.
Fix this by keeping the same tag if the memory don't actually gets
reallocated during krealloc.
Link: http://lkml.kernel.org/r/bb2a71d17ed072bcc528cbee46fcbd71a6da3be4.1546540962.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ie9bd73c43fa76ac2ba946bfbd2cb88e5c0000dfb
Andrey Konovalov [Tue, 8 Jan 2019 23:23:15 +0000 (15:23 -0800)]
UPSTREAM: kasan: make tag based mode work with CONFIG_HARDENED_USERCOPY
(Upstream commit
96fedce27e1356a2fff1c270710d9405848db562).
With CONFIG_HARDENED_USERCOPY enabled __check_heap_object() compares and
then subtracts a potentially tagged pointer with a non-tagged address of
the page that this pointer belongs to, which leads to unexpected
behavior.
Untag the pointer in __check_heap_object() before doing any of these
operations.
Link: http://lkml.kernel.org/r/7e756a298d514c4482f52aea6151db34818d395d.1546540962.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Id1a000155fe12fc39b3caee7a097f9bea0ba3fce
Andrey Konovalov [Tue, 8 Jan 2019 23:23:11 +0000 (15:23 -0800)]
UPSTREAM: kasan, arm64: use ARCH_SLAB_MINALIGN instead of manual aligning
(Upstream commit
eb214f2dda31ffa989033b1e0f848ba0d3cb6188).
Instead of changing cache->align to be aligned to KASAN_SHADOW_SCALE_SIZE
in kasan_cache_create() we can reuse the ARCH_SLAB_MINALIGN macro.
Link: http://lkml.kernel.org/r/52ddd881916bcc153a9924c154daacde78522227.1546540962.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Suggested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ia1c8de45c621b68555f77a569431e232ff4dc781
Qian Cai [Fri, 28 Dec 2018 08:36:29 +0000 (00:36 -0800)]
BACKPORT: mm/memblock.c: skip kmemleak for kasan_init()
(Upstream commit
fed84c78527009d4f799a3ed9a566502fa026d82).
Kmemleak does not play well with KASAN (tested on both HPE Apollo 70 and
Huawei TaiShan 2280 aarch64 servers).
After calling start_kernel()->setup_arch()->kasan_init(), kmemleak early
log buffer went from something like 280 to 260000 which caused kmemleak
disabled and crash dump memory reservation failed. The multitude of
kmemleak_alloc() calls is from nested loops while KASAN is setting up full
memory mappings, so let early kmemleak allocations skip those
memblock_alloc_internal() calls came from kasan_init() given that those
early KASAN memory mappings should not reference to other memory. Hence,
no kmemleak false positives.
kasan_init
kasan_map_populate [1]
kasan_pgd_populate [2]
kasan_pud_populate [3]
kasan_pmd_populate [4]
kasan_pte_populate [5]
kasan_alloc_zeroed_page
memblock_alloc_try_nid
memblock_alloc_internal
kmemleak_alloc
[1] for_each_memblock(memory, reg)
[2] while (pgdp++, addr = next, addr != end)
[3] while (pudp++, addr = next, addr != end && pud_none(READ_ONCE(*pudp)))
[4] while (pmdp++, addr = next, addr != end && pmd_none(READ_ONCE(*pmdp)))
[5] while (ptep++, addr = next, addr != end && pte_none(READ_ONCE(*ptep)))
Link: http://lkml.kernel.org/r/1543442925-17794-1-git-send-email-cai@gmx.us
Signed-off-by: Qian Cai <cai@gmx.us>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I2423d511c3938c882c738341673b13b3beff5475
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Andrey Konovalov [Fri, 28 Dec 2018 08:31:14 +0000 (00:31 -0800)]
UPSTREAM: kasan: add SPDX-License-Identifier mark to source files
(Upstream commit
e886bf9d9abedf8236464bfd21bc5707748b4a02).
This patch adds a "SPDX-License-Identifier: GPL-2.0" mark to all source
files under mm/kasan.
Link: http://lkml.kernel.org/r/bce2d1e618afa5142e81961ab8fa4b4165337380.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ia5cdf04c5183e6c2cb75d98d60e6f4f5d961cd6e
Andrey Konovalov [Fri, 28 Dec 2018 08:31:10 +0000 (00:31 -0800)]
UPSTREAM: kasan: update documentation
(Upstream commit
b3b0e6accb5b3d249760e071f2cf77f696961158).
This patch updates KASAN documentation to reflect the addition of the new
tag-based mode.
Link: http://lkml.kernel.org/r/aabef9de317c54b8a3919a4946ce534c6576726a.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ie0a468a51aa0ad02f00fdbed34605bca9630e398
Andrey Konovalov [Fri, 28 Dec 2018 08:31:07 +0000 (00:31 -0800)]
UPSTREAM: kasan, arm64: select HAVE_ARCH_KASAN_SW_TAGS
(Upstream commit
2d4acb90878b076b8c735500121f73e32756ddce).
Now, that all the necessary infrastructure code has been introduced,
select HAVE_ARCH_KASAN_SW_TAGS for arm64 to enable software tag-based
KASAN mode.
Link: http://lkml.kernel.org/r/25abce9a21d0c1df2d9d72488aced418c3465d7b.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I8e320ea0b7d6cacf358aa7cc72f2399608474bcd
Andrey Konovalov [Fri, 28 Dec 2018 08:31:01 +0000 (00:31 -0800)]
UPSTREAM: kasan: add __must_check annotations to kasan hooks
(Upstream commit
66afc7f1e07a1db74453be9167ac0d1205653854).
This patch adds __must_check annotations to kasan hooks that return a
pointer to make sure that a tagged pointer always gets propagated.
Link: http://lkml.kernel.org/r/03b269c5e453945f724bfca3159d4e1333a8fb1c.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Suggested-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I758f33506b67ed5d4b7539745db311ab31c37f46
Andrey Konovalov [Fri, 28 Dec 2018 08:30:57 +0000 (00:30 -0800)]
UPSTREAM: kasan, mm, arm64: tag non slab memory allocated via pagealloc
(Upstream commit
2813b9c0296259fb11e75c839bab2d958ba4f96c).
Tag-based KASAN doesn't check memory accesses through pointers tagged with
0xff. When page_address is used to get pointer to memory that corresponds
to some page, the tag of the resulting pointer gets set to 0xff, even
though the allocated memory might have been tagged differently.
For slab pages it's impossible to recover the correct tag to return from
page_address, since the page might contain multiple slab objects tagged
with different values, and we can't know in advance which one of them is
going to get accessed. For non slab pages however, we can recover the tag
in page_address, since the whole page was marked with the same tag.
This patch adds tagging to non slab memory allocated with pagealloc. To
set the tag of the pointer returned from page_address, the tag gets stored
to page->flags when the memory gets allocated.
Link: http://lkml.kernel.org/r/d758ddcef46a5abc9970182b9137e2fbee202a2c.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I500bdf42462fee0ee14495a6be51815e7e44460f
Andrey Konovalov [Fri, 28 Dec 2018 08:30:54 +0000 (00:30 -0800)]
UPSTREAM: kasan, arm64: add brk handler for inline instrumentation
(Upstream commit
41eea9cd239c5b3fff726894f85c97f60e5799a3).
Tag-based KASAN inline instrumentation mode (which embeds checks of shadow
memory into the generated code, instead of inserting a callback) generates
a brk instruction when a tag mismatch is detected.
This commit adds a tag-based KASAN specific brk handler, that decodes the
immediate value passed to the brk instructions (to extract information
about the memory access that triggered the mismatch), reads the register
values (x0 contains the guilty address) and reports the bug.
Link: http://lkml.kernel.org/r/c91fe7684070e34dc34b419e6b69498f4dcacc2d.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I9bd12777aad266b54e285f033c9ca2ddda887e31
Andrey Konovalov [Fri, 28 Dec 2018 08:30:50 +0000 (00:30 -0800)]
UPSTREAM: kasan: add hooks implementation for tag-based mode
(Upstream commit
7f94ffbc4c6a1bdb51d39965e4f2acaa19bd798f).
This commit adds tag-based KASAN specific hooks implementation and
adjusts common generic and tag-based KASAN ones.
1. When a new slab cache is created, tag-based KASAN rounds up the size of
the objects in this cache to KASAN_SHADOW_SCALE_SIZE (== 16).
2. On each kmalloc tag-based KASAN generates a random tag, sets the shadow
memory, that corresponds to this object to this tag, and embeds this
tag value into the top byte of the returned pointer.
3. On each kfree tag-based KASAN poisons the shadow memory with a random
tag to allow detection of use-after-free bugs.
The rest of the logic of the hook implementation is very much similar to
the one provided by generic KASAN. Tag-based KASAN saves allocation and
free stack metadata to the slab object the same way generic KASAN does.
Link: http://lkml.kernel.org/r/bda78069e3b8422039794050ddcb2d53d053ed41.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I23c40472207cba40dc962bb182225e378322249e
Andrey Konovalov [Fri, 28 Dec 2018 08:30:46 +0000 (00:30 -0800)]
UPSTREAM: mm: move obj_to_index to include/linux/slab_def.h
(Upstream commit
5b7c4148222d7acaa1612e5eec84fc66c88d54f3).
While with SLUB we can actually preassign tags for caches with contructors
and store them in pointers in the freelist, SLAB doesn't allow that since
the freelist is stored as an array of indexes, so there are no pointers to
store the tags.
Instead we compute the tag twice, once when a slab is created before
calling the constructor and then again each time when an object is
allocated with kmalloc. Tag is computed simply by taking the lowest byte
of the index that corresponds to the object. However in kasan_kmalloc we
only have access to the objects pointer, so we need a way to find out
which index this object corresponds to.
This patch moves obj_to_index from slab.c to include/linux/slab_def.h to
be reused by KASAN.
Link: http://lkml.kernel.org/r/c02cd9e574cfd93858e43ac94b05e38f891fef64.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I6cb3332ea05e6152ab8de0490171ed5d4947def3
Andrey Konovalov [Fri, 28 Dec 2018 08:30:42 +0000 (00:30 -0800)]
UPSTREAM: kasan: add bug reporting routines for tag-based mode
(Upstream commit
121e8f81d38cc43834195722d0768340dc130a33).
This commit adds rountines, that print tag-based KASAN error reports.
Those are quite similar to generic KASAN, the difference is:
1. The way tag-based KASAN finds the first bad shadow cell (with a
mismatching tag). Tag-based KASAN compares memory tags from the shadow
memory to the pointer tag.
2. Tag-based KASAN reports all bugs with the "KASAN: invalid-access"
header.
Also simplify generic KASAN find_first_bad_addr.
Link: http://lkml.kernel.org/r/aee6897b1bd077732a315fd84c6b4f234dbfdfcb.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I20ef95c8c568df73adf69b140dbbf4cd9da52f34
Andrey Konovalov [Fri, 28 Dec 2018 08:30:38 +0000 (00:30 -0800)]
UPSTREAM: kasan: split out generic_report.c from report.c
(Upstream commit
11cd3cd69a256a353dd1a249b48ccd727d945952).
Move generic KASAN specific error reporting routines to generic_report.c
without any functional changes, leaving common error reporting code in
report.c to be later reused by tag-based KASAN.
Link: http://lkml.kernel.org/r/ba48c32f8e5aefedee78998ccff0413bee9e0f5b.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ic65fb3da92607d345be5bbe2c486269d1db53745
Andrey Konovalov [Fri, 28 Dec 2018 08:30:35 +0000 (00:30 -0800)]
UPSTREAM: kasan, mm: perform untagged pointers comparison in krealloc
(Upstream commit
772a2fa50ffb2f4282be8436da6e70530a2ac63c).
The krealloc function checks where the same buffer was reused or a new one
allocated by comparing kernel pointers. Tag-based KASAN changes memory
tag on the krealloc'ed chunk of memory and therefore also changes the
pointer tag of the returned pointer. Therefore we need to perform
comparison on untagged (with tags reset) pointers to check whether it's
the same memory region or not.
Link: http://lkml.kernel.org/r/14f6190d7846186a3506cd66d82446646fe65090.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I1e64158a5a0d683fc19c76296bc5fa345639bf30
Andrey Konovalov [Fri, 28 Dec 2018 08:30:31 +0000 (00:30 -0800)]
BACKPORT: kasan, arm64: enable top byte ignore for the kernel
(Upstream commit
21696c1613244f2ad4e9216c4f6e7804831a992c).
Tag-based KASAN uses the Top Byte Ignore feature of arm64 CPUs to store a
pointer tag in the top byte of each pointer. This commit enables the
TCR_TBI1 bit, which enables Top Byte Ignore for the kernel, when tag-based
KASAN is used.
Link: http://lkml.kernel.org/r/f51eca084c8cdb2f3a55195fe342dc8953b7aead.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Ia31aff11e6b8b80fbbd0be7580f83ee1f5e4db72
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Andrey Konovalov [Fri, 28 Dec 2018 08:30:27 +0000 (00:30 -0800)]
BACKPORT: kasan, arm64: fix up fault handling logic
(Upstream commit
356607f21e603523d4b0a4f918722845214fc6a8).
Right now arm64 fault handling code removes pointer tags from addresses
covered by TTBR0 in faults taken from both EL0 and EL1, but doesn't do
that for pointers covered by TTBR1.
This patch adds two helper functions is_ttbr0_addr() and is_ttbr1_addr(),
where the latter one accounts for the fact that TTBR1 pointers might be
tagged when tag-based KASAN is in use, and uses these helper functions to
perform pointer checks in arch/arm64/mm/fault.c.
Link: http://lkml.kernel.org/r/3f349b0e9e48b5df3298a6b4ae0634332274494a.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Idbb44bff2c2efd296a2e373eaa74f1c0fa17ecca
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Andrey Konovalov [Fri, 28 Dec 2018 08:30:23 +0000 (00:30 -0800)]
UPSTREAM: kasan: preassign tags to objects with ctors or SLAB_TYPESAFE_BY_RCU
(Upstream commit
4d176711ea7a8d4873e7157ac6ab242ade3ba351).
An object constructor can initialize pointers within this objects based on
the address of the object. Since the object address might be tagged, we
need to assign a tag before calling constructor.
The implemented approach is to assign tags to objects with constructors
when a slab is allocated and call constructors once as usual. The
downside is that such object would always have the same tag when it is
reallocated, so we won't catch use-after-frees on it.
Also pressign tags for objects from SLAB_TYPESAFE_BY_RCU caches, since
they can be validy accessed after having been freed.
Link: http://lkml.kernel.org/r/f158a8a74a031d66f0a9398a5b0ed453c37ba09a.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I48b1de0516b9998f3b3e3917a15dd0bde27897cf
Andrey Konovalov [Fri, 28 Dec 2018 08:30:20 +0000 (00:30 -0800)]
UPSTREAM: kasan, arm64: untag address in _virt_addr_is_linear
(Upstream commit
e71fe3f921aeb27f0c65ee7ebfdde7f8c7d60b74).
virt_addr_is_linear (which is used by virt_addr_valid) assumes that the
top byte of the address is 0xff, which isn't always the case with
tag-based KASAN.
This patch resets the tag in this macro.
Link: http://lkml.kernel.org/r/df73a37dd5ed37f4deaf77bc718e9f2e590e69b1.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I8b5de086ef1a63271bc72fefc3ab22f1bc9ac0a0
Andrey Konovalov [Fri, 28 Dec 2018 08:30:16 +0000 (00:30 -0800)]
UPSTREAM: kasan: add tag related helper functions
(Upstream commit
3c9e3aa11094e821aff4a8f6812a6e032293dbc0).
This commit adds a few helper functions, that are meant to be used to work
with tags embedded in the top byte of kernel pointers: to set, to get or
to reset the top byte.
Link: http://lkml.kernel.org/r/f6c6437bb8e143bc44f42c3c259c62e734be7935.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I6a46eb172205fe869d126ae296f64d44e007ac88
Andrey Konovalov [Fri, 28 Dec 2018 08:30:12 +0000 (00:30 -0800)]
UPSTREAM: arm64: move untagged_addr macro from uaccess.h to memory.h
(Upstream commit
9c23f84723d2bb5611a973f56f0952fa74f048f3).
Move the untagged_addr() macro from arch/arm64/include/asm/uaccess.h
to arch/arm64/include/asm/memory.h to be later reused by KASAN.
Also make the untagged_addr() macro accept all kinds of address types
(void *, unsigned long, etc.). This allows not to specify type casts in
each place where the macro is used. This is done by using __typeof__.
Link: http://lkml.kernel.org/r/2e9ef8d2ed594106eca514b268365b5419113f6a.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I1dc81f9698ade663dcf5a30a918eed29a83d8595
Andrey Konovalov [Fri, 28 Dec 2018 08:30:09 +0000 (00:30 -0800)]
BACKPORT: kasan: initialize shadow to 0xff for tag-based mode
Use kasan_alloc_zeroed_page instead of defining kasan_alloc_raw_page.
(Upstream commit
080eb83f54cf5b96ae5b6ce3c1896e35c341aff9).
A tag-based KASAN shadow memory cell contains a memory tag, that
corresponds to the tag in the top byte of the pointer, that points to that
memory. The native top byte value of kernel pointers is 0xff, so with
tag-based KASAN we need to initialize shadow memory to 0xff.
[cai@lca.pw: arm64: skip kmemleak for KASAN again\
Link: http://lkml.kernel.org/r/20181226020550.63712-1-cai@lca.pw
Link: http://lkml.kernel.org/r/5cc1b789aad7c99cf4f3ec5b328b147ad53edb40.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I370390e529de29fee99820f3ae2fc3d0408379ef
Andrey Konovalov [Fri, 28 Dec 2018 08:30:01 +0000 (00:30 -0800)]
BACKPORT: kasan: rename kasan_zero_page to kasan_early_shadow_page
(Upstream commit
9577dd7486487722ed8f0773243223f108e8089f).
With tag based KASAN mode the early shadow value is 0xff and not 0x00, so
this patch renames kasan_zero_(page|pte|pmd|pud|p4d) to
kasan_early_shadow_(page|pte|pmd|pud|p4d) to avoid confusion.
Link: http://lkml.kernel.org/r/3fed313280ebf4f88645f5b89ccbc066d320e177.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Bug:
128674696
Change-Id: I22d043b1f2ce489b12832f6f1ba1593c4ccdaedf
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Andrey Konovalov [Fri, 28 Dec 2018 08:29:57 +0000 (00:29 -0800)]
UPSTREAM: kasan, arm64: adjust shadow size for tag-based mode
(Upstream commit
b2f557eae9ed0ab2b612ce9ce7e3f06174a83e76).
Tag-based KASAN uses 1 shadow byte for 16 bytes of kernel memory, so it
requires 1/16th of the kernel virtual address space for the shadow memory.
This commit sets KASAN_SHADOW_SCALE_SHIFT to 4 when the tag-based KASAN
mode is enabled.
Link: http://lkml.kernel.org/r/308b6bd49f756bb5e533be93c6f085ba99b30339.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ia1e34daa26106be956cc20078f689794c95845d3
Andrey Konovalov [Fri, 28 Dec 2018 08:29:53 +0000 (00:29 -0800)]
BACKPORT: kasan: add CONFIG_KASAN_GENERIC and CONFIG_KASAN_SW_TAGS
The conflict during backport is caused by the
include/linux/compiler_attributes.h file not being present.
(Upstream commit
2bd926b439b4cb6b9ed240a9781cd01958b53d85).
This commit splits the current CONFIG_KASAN config option into two:
1. CONFIG_KASAN_GENERIC, that enables the generic KASAN mode (the one
that exists now);
2. CONFIG_KASAN_SW_TAGS, that enables the software tag-based KASAN mode.
The name CONFIG_KASAN_SW_TAGS is chosen as in the future we will have
another hardware tag-based KASAN mode, that will rely on hardware memory
tagging support in arm64.
With CONFIG_KASAN_SW_TAGS enabled, compiler options are changed to
instrument kernel files with -fsantize=kernel-hwaddress (except the ones
for which KASAN_SANITIZE := n is set).
Both CONFIG_KASAN_GENERIC and CONFIG_KASAN_SW_TAGS support both
CONFIG_KASAN_INLINE and CONFIG_KASAN_OUTLINE instrumentation modes.
This commit also adds empty placeholder (for now) implementation of
tag-based KASAN specific hooks inserted by the compiler and adjusts
common hooks implementation.
While this commit adds the CONFIG_KASAN_SW_TAGS config option, this option
is not selectable, as it depends on HAVE_ARCH_KASAN_SW_TAGS, which we will
enable once all the infrastracture code has been added.
Link: http://lkml.kernel.org/r/b2550106eb8a68b10fefbabce820910b115aa853.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Id95c0c0b6857c6b30f2bea4597aea6c90273ef89
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Andrey Konovalov [Fri, 28 Dec 2018 08:29:49 +0000 (00:29 -0800)]
UPSTREAM: kasan: rename source files to reflect the new naming scheme
(Upstream commit
b938fcf42739de8270e6ea41593722929c8a7dd0).
We now have two KASAN modes: generic KASAN and tag-based KASAN. Rename
kasan.c to generic.c to reflect that. Also rename kasan_init.c to init.c
as it contains initialization code for both KASAN modes.
Link: http://lkml.kernel.org/r/88c6fd2a883e459e6242030497230e5fb0d44d44.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I375981e1e9013517f073b29e27e750c48ba24879
Andrey Konovalov [Fri, 28 Dec 2018 08:29:45 +0000 (00:29 -0800)]
UPSTREAM: kasan: move common generic and tag-based code to common.c
(Upstream commit
bffa986c6f80e39d9903015fc7d0d99a66bbf559).
Tag-based KASAN reuses a significant part of the generic KASAN code, so
move the common parts to common.c without any functional changes.
Link: http://lkml.kernel.org/r/114064d002356e03bb8cc91f7835e20dc61b51d9.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Iffe8a07fa53751e4232c8458aab0a8adda951f55
Andrey Konovalov [Fri, 28 Dec 2018 08:29:41 +0000 (00:29 -0800)]
UPSTREAM: kasan, slub: handle pointer tags in early_kmem_cache_node_alloc
(Upstream commit
12b22386998ccf97497a49c88f9579cf9c0dee55).
The previous patch updated KASAN hooks signatures and their usage in SLAB
and SLUB code, except for the early_kmem_cache_node_alloc function. This
patch handles that function separately, as it requires to reorder some of
the initialization code to correctly propagate a tagged pointer in case a
tag is assigned by kasan_kmalloc.
Link: http://lkml.kernel.org/r/fc8d0fdcf733a7a52e8d0daaa650f4736a57de8c.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: Ifcfcd2a679ebf9444a1c6525ad55b3a65a4a5941
Andrey Konovalov [Fri, 28 Dec 2018 08:29:37 +0000 (00:29 -0800)]
UPSTREAM: kasan, mm: change hooks signatures
(Upstream commit
0116523cfffa62aeb5aa3b85ce7419f3dae0c1b8).
Patch series "kasan: add software tag-based mode for arm64", v13.
This patchset adds a new software tag-based mode to KASAN [1]. (Initially
this mode was called KHWASAN, but it got renamed, see the naming rationale
at the end of this section).
The plan is to implement HWASan [2] for the kernel with the incentive,
that it's going to have comparable to KASAN performance, but in the same
time consume much less memory, trading that off for somewhat imprecise bug
detection and being supported only for arm64.
The underlying ideas of the approach used by software tag-based KASAN are:
1. By using the Top Byte Ignore (TBI) arm64 CPU feature, we can store
pointer tags in the top byte of each kernel pointer.
2. Using shadow memory, we can store memory tags for each chunk of kernel
memory.
3. On each memory allocation, we can generate a random tag, embed it into
the returned pointer and set the memory tags that correspond to this
chunk of memory to the same value.
4. By using compiler instrumentation, before each memory access we can add
a check that the pointer tag matches the tag of the memory that is being
accessed.
5. On a tag mismatch we report an error.
With this patchset the existing KASAN mode gets renamed to generic KASAN,
with the word "generic" meaning that the implementation can be supported
by any architecture as it is purely software.
The new mode this patchset adds is called software tag-based KASAN. The
word "tag-based" refers to the fact that this mode uses tags embedded into
the top byte of kernel pointers and the TBI arm64 CPU feature that allows
to dereference such pointers. The word "software" here means that shadow
memory manipulation and tag checking on pointer dereference is done in
software. As it is the only tag-based implementation right now, "software
tag-based" KASAN is sometimes referred to as simply "tag-based" in this
patchset.
A potential expansion of this mode is a hardware tag-based mode, which
would use hardware memory tagging support (announced by Arm [3]) instead
of compiler instrumentation and manual shadow memory manipulation.
Same as generic KASAN, software tag-based KASAN is strictly a debugging
feature.
[1] https://www.kernel.org/doc/html/latest/dev-tools/kasan.html
[2] http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html
[3] https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a
====== Rationale
On mobile devices generic KASAN's memory usage is significant problem.
One of the main reasons to have tag-based KASAN is to be able to perform a
similar set of checks as the generic one does, but with lower memory
requirements.
Comment from Vishwath Mohan <vishwath@google.com>:
I don't have data on-hand, but anecdotally both ASAN and KASAN have proven
problematic to enable for environments that don't tolerate the increased
memory pressure well. This includes
(a) Low-memory form factors - Wear, TV, Things, lower-tier phones like Go,
(c) Connected components like Pixel's visual core [1].
These are both places I'd love to have a low(er) memory footprint option at
my disposal.
Comment from Evgenii Stepanov <eugenis@google.com>:
Looking at a live Android device under load, slab (according to
/proc/meminfo) + kernel stack take 8-10% available RAM (~350MB). KASAN's
overhead of 2x - 3x on top of it is not insignificant.
Not having this overhead enables near-production use - ex. running
KASAN/KHWASAN kernel on a personal, daily-use device to catch bugs that do
not reproduce in test configuration. These are the ones that often cost
the most engineering time to track down.
CPU overhead is bad, but generally tolerable. RAM is critical, in our
experience. Once it gets low enough, OOM-killer makes your life
miserable.
[1] https://www.blog.google/products/pixel/pixel-visual-core-image-processing-and-machine-learning-pixel-2/
====== Technical details
Software tag-based KASAN mode is implemented in a very similar way to the
generic one. This patchset essentially does the following:
1. TCR_TBI1 is set to enable Top Byte Ignore.
2. Shadow memory is used (with a different scale, 1:16, so each shadow
byte corresponds to 16 bytes of kernel memory) to store memory tags.
3. All slab objects are aligned to shadow scale, which is 16 bytes.
4. All pointers returned from the slab allocator are tagged with a random
tag and the corresponding shadow memory is poisoned with the same value.
5. Compiler instrumentation is used to insert tag checks. Either by
calling callbacks or by inlining them (CONFIG_KASAN_OUTLINE and
CONFIG_KASAN_INLINE flags are reused).
6. When a tag mismatch is detected in callback instrumentation mode
KASAN simply prints a bug report. In case of inline instrumentation,
clang inserts a brk instruction, and KASAN has it's own brk handler,
which reports the bug.
7. The memory in between slab objects is marked with a reserved tag, and
acts as a redzone.
8. When a slab object is freed it's marked with a reserved tag.
Bug detection is imprecise for two reasons:
1. We won't catch some small out-of-bounds accesses, that fall into the
same shadow cell, as the last byte of a slab object.
2. We only have 1 byte to store tags, which means we have a 1/256
probability of a tag match for an incorrect access (actually even
slightly less due to reserved tag values).
Despite that there's a particular type of bugs that tag-based KASAN can
detect compared to generic KASAN: use-after-free after the object has been
allocated by someone else.
====== Testing
Some kernel developers voiced a concern that changing the top byte of
kernel pointers may lead to subtle bugs that are difficult to discover.
To address this concern deliberate testing has been performed.
It doesn't seem feasible to do some kind of static checking to find
potential issues with pointer tagging, so a dynamic approach was taken.
All pointer comparisons/subtractions have been instrumented in an LLVM
compiler pass and a kernel module that would print a bug report whenever
two pointers with different tags are being compared/subtracted (ignoring
comparisons with NULL pointers and with pointers obtained by casting an
error code to a pointer type) has been used. Then the kernel has been
booted in QEMU and on an Odroid C2 board and syzkaller has been run.
This yielded the following results.
The two places that look interesting are:
is_vmalloc_addr in include/linux/mm.h
is_kernel_rodata in mm/util.c
Here we compare a pointer with some fixed untagged values to make sure
that the pointer lies in a particular part of the kernel address space.
Since tag-based KASAN doesn't add tags to pointers that belong to rodata
or vmalloc regions, this should work as is. To make sure debug checks to
those two functions that check that the result doesn't change whether we
operate on pointers with or without untagging has been added.
A few other cases that don't look that interesting:
Comparing pointers to achieve unique sorting order of pointee objects
(e.g. sorting locks addresses before performing a double lock):
tty_ldisc_lock_pair_timeout in drivers/tty/tty_ldisc.c
pipe_double_lock in fs/pipe.c
unix_state_double_lock in net/unix/af_unix.c
lock_two_nondirectories in fs/inode.c
mutex_lock_double in kernel/events/core.c
ep_cmp_ffd in fs/eventpoll.c
fsnotify_compare_groups fs/notify/mark.c
Nothing needs to be done here, since the tags embedded into pointers
don't change, so the sorting order would still be unique.
Checks that a pointer belongs to some particular allocation:
is_sibling_entry in lib/radix-tree.c
object_is_on_stack in include/linux/sched/task_stack.h
Nothing needs to be done here either, since two pointers can only belong
to the same allocation if they have the same tag.
Overall, since the kernel boots and works, there are no critical bugs.
As for the rest, the traditional kernel testing way (use until fails) is
the only one that looks feasible.
Another point here is that tag-based KASAN is available under a separate
config option that needs to be deliberately enabled. Even though it might
be used in a "near-production" environment to find bugs that are not found
during fuzzing or running tests, it is still a debug tool.
====== Benchmarks
The following numbers were collected on Odroid C2 board. Both generic and
tag-based KASAN were used in inline instrumentation mode.
Boot time [1]:
* ~1.7 sec for clean kernel
* ~5.0 sec for generic KASAN
* ~5.0 sec for tag-based KASAN
Network performance [2]:
* 8.33 Gbits/sec for clean kernel
* 3.17 Gbits/sec for generic KASAN
* 2.85 Gbits/sec for tag-based KASAN
Slab memory usage after boot [3]:
* ~40 kb for clean kernel
* ~105 kb (~260% overhead) for generic KASAN
* ~47 kb (~20% overhead) for tag-based KASAN
KASAN memory overhead consists of three main parts:
1. Increased slab memory usage due to redzones.
2. Shadow memory (the whole reserved once during boot).
3. Quaratine (grows gradually until some preset limit; the more the limit,
the more the chance to detect a use-after-free).
Comparing tag-based vs generic KASAN for each of these points:
1. 20% vs 260% overhead.
2. 1/16th vs 1/8th of physical memory.
3. Tag-based KASAN doesn't require quarantine.
[1] Time before the ext4 driver is initialized.
[2] Measured as `iperf -s & iperf -c 127.0.0.1 -t 30`.
[3] Measured as `cat /proc/meminfo | grep Slab`.
====== Some notes
A few notes:
1. The patchset can be found here:
https://github.com/xairy/kasan-prototype/tree/khwasan
2. Building requires a recent Clang version (7.0.0 or later).
3. Stack instrumentation is not supported yet and will be added later.
This patch (of 25):
Tag-based KASAN changes the value of the top byte of pointers returned
from the kernel allocation functions (such as kmalloc). This patch
updates KASAN hooks signatures and their usage in SLAB and SLUB code to
reflect that.
Link: http://lkml.kernel.org/r/aec2b5e3973781ff8a6bb6760f8543643202c451.1544099024.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I62e554e732ec79ffd195e2269c8a50aed14381c0
Mark Rutland [Fri, 7 Dec 2018 18:08:16 +0000 (18:08 +0000)]
UPSTREAM: arm64: add EXPORT_SYMBOL_NOKASAN()
(Upstream commit
386b3c7bdafcc67aaf4168e9627b381370b6538a).
So that we can export symbols directly from assembly files, let's make
use of the generic <asm/export.h>. We have a few symbols that we'll want
to conditionally export for !KASAN kernel builds, so we add a helper for
that in <asm/assembler.h>.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I7cfd1b717c9b172487f7a872a3b9a4b4485e454a
Martin Schwidefsky [Mon, 5 Nov 2018 06:36:28 +0000 (07:36 +0100)]
BACKPORT: compiler: remove __no_sanitize_address_or_inline again
(Upstream commit
163c8d54a997153ee1a1e07fcac087492ad85b37).
The __no_sanitize_address_or_inline and __no_kasan_or_inline defines
are almost identical. The only difference is that __no_kasan_or_inline
does not have the 'notrace' attribute.
To be able to replace __no_sanitize_address_or_inline with the older
definition, add 'notrace' to __no_kasan_or_inline and change to two
users of __no_sanitize_address_or_inline in the s390 code.
The 'notrace' option is necessary for e.g. the __load_psw_mask function
in arch/s390/include/asm/processor.h. Without the option it is possible
to trace __load_psw_mask which leads to kernel stack overflow.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Pointed-out-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I27af631729f8ea52e55f31c02f584c01a0918073
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Clark Williams [Fri, 26 Oct 2018 22:10:32 +0000 (15:10 -0700)]
UPSTREAM: mm/kasan/quarantine.c: make quarantine_lock a raw_spinlock_t
(Upstream commit
026d1eaf5ef1a5d6258b46e4e411cd9f5ab8c41d).
The static lock quarantine_lock is used in quarantine.c to protect the
quarantine queue datastructures. It is taken inside quarantine queue
manipulation routines (quarantine_put(), quarantine_reduce() and
quarantine_remove_cache()), with IRQs disabled. This is not a problem on
a stock kernel but is problematic on an RT kernel where spin locks are
sleeping spinlocks, which can sleep and can not be acquired with disabled
interrupts.
Convert the quarantine_lock to a raw spinlock_t. The usage of
quarantine_lock is confined to quarantine.c and the work performed while
the lock is held is used for debug purpose.
[bigeasy@linutronix.de: slightly altered the commit message]
Link: http://lkml.kernel.org/r/20181010214945.5owshc3mlrh74z4b@linutronix.de
Signed-off-by: Clark Williams <williams@redhat.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I12f35246b81b23cad5ce8b90407c00b86bf90cc0
Andrey Ryabinin [Fri, 26 Oct 2018 22:02:34 +0000 (15:02 -0700)]
UPSTREAM: lib/test_kasan.c: add tests for several string/memory API functions
(Upstream commit
0c96350a2d2f64fe777b444c995f6bb633c5d069).
Arch code may have asm implementation of string/memory API functions
instead of using generic one from lib/string.c. KASAN don't see memory
accesses in asm code, thus can miss many bugs.
E.g. on ARM64 KASAN don't see bugs in memchr(), memcmp(), str[r]chr(),
str[n]cmp(), str[n]len(). Add tests for these functions to be sure that
we notice the problem on other architectures.
Link: http://lkml.kernel.org/r/20180920135631.23833-3-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: I378fa5e7b3e9f4ff85d29ecadbb0c29c26870de8
Andrey Ryabinin [Fri, 26 Oct 2018 22:02:30 +0000 (15:02 -0700)]
UPSTREAM: arm64: lib: use C string functions with KASAN enabled
(Upstream commit
19a2ca0fb560fd7be7b5293c6b652c6d6078dcde).
ARM64 has asm implementation of memchr(), memcmp(), str[r]chr(),
str[n]cmp(), str[n]len(). KASAN don't see memory accesses in asm code,
thus it can potentially miss many bugs.
Ifdef out __HAVE_ARCH_* defines of these functions when KASAN is enabled,
so the generic implementations from lib/string.c will be used.
We can't just remove the asm functions because efistub uses them. And we
can't have two non-weak functions either, so declare the asm functions as
weak.
Link: http://lkml.kernel.org/r/20180920135631.23833-2-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reported-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: If91aebb7d79172e5a712a5830414aada04dce4b7
Vasily Gorbik [Mon, 20 Nov 2017 10:16:14 +0000 (11:16 +0100)]
UPSTREAM: compiler: introduce __no_sanitize_address_or_inline
(Upstream commit
dde709d1361ab50d3b9f2824f72b4374f5582e84).
Due to conflict between kasan instrumentation and inlining
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368 functions which are
defined as inline could not be called from functions defined with
__no_sanitize_address.
Introduce __no_sanitize_address_or_inline which would expand to
__no_sanitize_address when the kernel is built with kasan support and
to inline otherwise. This helps to avoid disabling kasan
instrumentation for entire files.
Reviewed-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Bug:
128674696
Change-Id: If81ec5a63ae788bfe1a31a1678f9509daa76b01f
Kyrylo Tkachov [Thu, 4 Oct 2018 16:06:46 +0000 (17:06 +0100)]
UPSTREAM: arm64: Fix typo in a comment in arch/arm64/mm/kasan_init.c
(Upstream commit
0293c8ba807c8611ea5503f9511029dd9082025a).
"bellow" -> "below"
The recommendation from kegel.com/kerspell is to only fix the howlers.
"Bellow" is a synonym of "howl" so this should be appropriate.
Signed-off-by: Kyrylo Tkachov <kyrylo.tkachov@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
128674696
Change-Id: I1c4a983d3d08ab1194ae541bfdaa7e5074ddea0e
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Ram Muthiah [Tue, 24 Sep 2019 06:14:50 +0000 (23:14 -0700)]
ANDROID: enable CONFIG_ION_SYSTEM_HEAP for GKI
Test: Treehugger
Bug:
141504808
Change-Id: I8eab5f816b74985292ab876a2220c30c06f0f687
Signed-off-by: Ram Muthiah <rammuthiah@google.com>
Matthias Maennich [Sun, 22 Sep 2019 10:04:18 +0000 (11:04 +0100)]
Update ABI definition after libabigail upgrade
This upgrade introduces Kernel 4.19+ Modules support.
Report:
Leaf changes summary: 17 artifacts changed
Changed leaf types summary: 4 leaf types changed
Removed/Changed/Added functions summary: 13 Removed, 0 Changed, 0 Added function (146 filtered out)
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable (1 filtered out)
13 Removed functions:
[D] 'function void mmc_blk_cqe_recovery(mmc_queue*)'
[D] 'function void mmc_blk_mq_complete(request*)'
[D] 'function void mmc_blk_mq_complete_work(work_struct*)'
[D] 'function mmc_issued mmc_blk_mq_issue_rq(mmc_queue*, request*)'
[D] 'function void mmc_blk_mq_recovery(mmc_queue*)'
[D] 'function void mmc_cleanup_queue(mmc_queue*)'
[D] 'function void mmc_cqe_check_busy(mmc_queue*)'
[D] 'function void mmc_cqe_recovery_notifier(mmc_request*)'
[D] 'function int mmc_init_queue(mmc_queue*, mmc_card*, spinlock_t*, const char*)'
[D] 'function mmc_issue_type mmc_issue_type(mmc_queue*, request*)'
[D] 'function unsigned int mmc_queue_map_sg(mmc_queue*, mmc_queue_req*)'
[D] 'function void mmc_queue_resume(mmc_queue*)'
[D] 'function void mmc_queue_suspend(mmc_queue*)'
'struct files_struct' changed:
type size changed from 0 to 5632 (in bits)
6637 impacted interfaces:
[...]
'struct rq_qos' changed:
type size changed from 0 to 256 (in bits)
426 impacted interfaces:
[...]
'struct seg6_pernet_data' changed:
type size changed from 0 to 320 (in bits)
1483 impacted interfaces:
[...]
'struct tcp_fastopen_context' changed:
type size changed from 0 to 320 (in bits)
1483 impacted interfaces:
[...]
Change-Id: I91e26d808354e9ed3f87e22b811e17bd08f870e1
Signed-off-by: Matthias Maennich <maennich@google.com>
Greg Kroah-Hartman [Sat, 21 Sep 2019 06:39:40 +0000 (08:39 +0200)]
ANDROID: update abi due to 4.19.75 changes
Leaf changes summary: 6 artifacts changed
Changed leaf types summary: 4 leaf types changed
Removed/Changed/Added functions summary: 0 Removed, 1 Changed, 0 Added function (156 filtered out)
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable (4 filtered out)
1 function with some sub-type change:
'struct fb_info at fb.h:464:1' changed:
type size changed from 6144 to 6912 (in bits)
2 data member insertions:
'delayed_work fb_info::deferred_work', at offset 5376 (in bits) at fb.h:496:1
'fb_deferred_io* fb_info::fbdefio', at offset 6080 (in bits) at fb.h:497:1
there are data member changes:
'fb_ops* fb_info::fbops' offset changed from 5376 to 6144 (in bits) (by +768 bits)
'device* fb_info::device' offset changed from 5440 to 6208 (in bits) (by +768 bits)
'device* fb_info::dev' offset changed from 5504 to 6272 (in bits) (by +768 bits)
'int fb_info::class_flag' offset changed from 5568 to 6336 (in bits) (by +768 bits)
while looking at anonymous data member 'union {char* screen_base; char* screen_buffer;}':
the internal name of that anonymous data memberchanged from:
__anonymous_union__4
to:
__anonymous_union__1
This is usually due to an anonymous member type being added or removed from the containing type
offset changed from 5632 to 6400 (in bits) (by +768 bits)
'unsigned long int fb_info::screen_size' offset changed from 5696 to 6464 (in bits) (by +768 bits)
'void* fb_info::pseudo_palette' offset changed from 5760 to 6528 (in bits) (by +768 bits)
'u32 fb_info::state' offset changed from 5824 to 6592 (in bits) (by +768 bits)
'void* fb_info::fbcon_par' offset changed from 5888 to 6656 (in bits) (by +768 bits)
'void* fb_info::par' offset changed from 5952 to 6720 (in bits) (by +768 bits)
'apertures_struct* fb_info::apertures' offset changed from 6016 to 6784 (in bits) (by +768 bits)
'bool fb_info::skip_vt_switch' offset changed from 6080 to 6848 (in bits) (by +768 bits)
411 impacted interfaces:
'struct net at net_namespace.h:51:1' changed:
type size hasn't changed
1 data member insertion:
'sk_buff_head net::wext_nlevents', at offset 33984 (in bits) at net_namespace.h:145:1
there are data member changes:
'net_generic* net::gen' offset changed from 33984 to 34176 (in bits) (by +192 bits)
1495 impacted interfaces:
'struct net_device at netdevice.h:1745:1' changed:
type size hasn't changed
2 data member insertions:
'const iw_handler_def* net_device::wireless_handlers', at offset 3904 (in bits) at netdevice.h:1800:1
'iw_public_data* net_device::wireless_data', at offset 3968 (in bits) at netdevice.h:1801:1
there are data member changes:
'const net_device_ops* net_device::netdev_ops' offset changed from 3904 to 4032 (in bits) (by +128 bits)
'const ethtool_ops* net_device::ethtool_ops' offset changed from 3968 to 4096 (in bits) (by +128 bits)
'const ndisc_ops* net_device::ndisc_ops' offset changed from 4032 to 4160 (in bits) (by +128 bits)
'const header_ops* net_device::header_ops' offset changed from 4096 to 4224 (in bits) (by +128 bits)
'unsigned int net_device::flags' offset changed from 4160 to 4288 (in bits) (by +128 bits)
'unsigned int net_device::priv_flags' offset changed from 4192 to 4320 (in bits) (by +128 bits)
'unsigned short int net_device::gflags' offset changed from 4224 to 4352 (in bits) (by +128 bits)
'unsigned short int net_device::padded' offset changed from 4240 to 4368 (in bits) (by +128 bits)
'unsigned char net_device::operstate' offset changed from 4256 to 4384 (in bits) (by +128 bits)
'unsigned char net_device::link_mode' offset changed from 4264 to 4392 (in bits) (by +128 bits)
'unsigned char net_device::if_port' offset changed from 4272 to 4400 (in bits) (by +128 bits)
'unsigned char net_device::dma' offset changed from 4280 to 4408 (in bits) (by +128 bits)
'unsigned int net_device::mtu' offset changed from 4288 to 4416 (in bits) (by +128 bits)
'unsigned int net_device::min_mtu' offset changed from 4320 to 4448 (in bits) (by +128 bits)
'unsigned int net_device::max_mtu' offset changed from 4352 to 4480 (in bits) (by +128 bits)
'unsigned short int net_device::type' offset changed from 4384 to 4512 (in bits) (by +128 bits)
'unsigned short int net_device::hard_header_len' offset changed from 4400 to 4528 (in bits) (by +128 bits)
'unsigned char net_device::min_header_len' offset changed from 4416 to 4544 (in bits) (by +128 bits)
'unsigned short int net_device::needed_headroom' offset changed from 4432 to 4560 (in bits) (by +128 bits)
'unsigned short int net_device::needed_tailroom' offset changed from 4448 to 4576 (in bits) (by +128 bits)
'unsigned char net_device::perm_addr[32]' offset changed from 4464 to 4592 (in bits) (by +128 bits)
'unsigned char net_device::addr_assign_type' offset changed from 4720 to 4848 (in bits) (by +128 bits)
'unsigned char net_device::addr_len' offset changed from 4728 to 4856 (in bits) (by +128 bits)
'unsigned short int net_device::neigh_priv_len' offset changed from 4736 to 4864 (in bits) (by +128 bits)
'unsigned short int net_device::dev_id' offset changed from 4752 to 4880 (in bits) (by +128 bits)
'unsigned short int net_device::dev_port' offset changed from 4768 to 4896 (in bits) (by +128 bits)
'spinlock_t net_device::addr_list_lock' offset changed from 4800 to 4928 (in bits) (by +128 bits)
'unsigned char net_device::name_assign_type' offset changed from 4832 to 4960 (in bits) (by +128 bits)
'bool net_device::uc_promisc' offset changed from 4840 to 4968 (in bits) (by +128 bits)
'netdev_hw_addr_list net_device::uc' offset changed from 4864 to 4992 (in bits) (by +128 bits)
'netdev_hw_addr_list net_device::mc' offset changed from 5056 to 5184 (in bits) (by +128 bits)
'netdev_hw_addr_list net_device::dev_addrs' offset changed from 5248 to 5376 (in bits) (by +128 bits)
'kset* net_device::queues_kset' offset changed from 5440 to 5568 (in bits) (by +128 bits)
'unsigned int net_device::promiscuity' offset changed from 5504 to 5632 (in bits) (by +128 bits)
'unsigned int net_device::allmulti' offset changed from 5536 to 5664 (in bits) (by +128 bits)
'tipc_bearer* net_device::tipc_ptr' offset changed from 5568 to 5696 (in bits) (by +128 bits)
'in_device* net_device::ip_ptr' offset changed from 5632 to 5760 (in bits) (by +128 bits)
'inet6_dev* net_device::ip6_ptr' offset changed from 5696 to 5824 (in bits) (by +128 bits)
'wireless_dev* net_device::ieee80211_ptr' offset changed from 5760 to 5888 (in bits) (by +128 bits)
'wpan_dev* net_device::ieee802154_ptr' offset changed from 5824 to 5952 (in bits) (by +128 bits)
'unsigned char* net_device::dev_addr' offset changed from 5888 to 6016 (in bits) (by +128 bits)
'netdev_rx_queue* net_device::_rx' offset changed from 5952 to 6080 (in bits) (by +128 bits)
'unsigned int net_device::num_rx_queues' offset changed from 6016 to 6144 (in bits) (by +128 bits)
'unsigned int net_device::real_num_rx_queues' offset changed from 6048 to 6176 (in bits) (by +128 bits)
'bpf_prog* net_device::xdp_prog' offset changed from 6080 to 6208 (in bits) (by +128 bits)
'unsigned long int net_device::gro_flush_timeout' offset changed from 6144 to 6272 (in bits) (by +128 bits)
'rx_handler_func_t* net_device::rx_handler' offset changed from 6208 to 6336 (in bits) (by +128 bits)
'void* net_device::rx_handler_data' offset changed from 6272 to 6400 (in bits) (by +128 bits)
'mini_Qdisc* net_device::miniq_ingress' offset changed from 6336 to 6464 (in bits) (by +128 bits)
'netdev_queue* net_device::ingress_queue' offset changed from 6400 to 6528 (in bits) (by +128 bits)
'nf_hook_entries* net_device::nf_hooks_ingress' offset changed from 6464 to 6592 (in bits) (by +128 bits)
'unsigned char net_device::broadcast[32]' offset changed from 6528 to 6656 (in bits) (by +128 bits)
'cpu_rmap* net_device::rx_cpu_rmap' offset changed from 6784 to 6912 (in bits) (by +128 bits)
'hlist_node net_device::index_hlist' offset changed from 6848 to 6976 (in bits) (by +128 bits)
1332 impacted interfaces:
'struct pinctrl_dev at core.h:43:1' changed:
type size changed from 1152 to 1536 (in bits)
4 data member insertions:
'radix_tree_root pinctrl_dev::pin_group_tree', at offset 320 (in bits) at core.h:48:1
'unsigned int pinctrl_dev::num_groups', at offset 448 (in bits) at core.h:49:1
'radix_tree_root pinctrl_dev::pin_function_tree', at offset 512 (in bits) at core.h:52:1
'unsigned int pinctrl_dev::num_functions', at offset 640 (in bits) at core.h:53:1
there are data member changes:
'list_head pinctrl_dev::gpio_ranges' offset changed from 320 to 704 (in bits) (by +384 bits)
'device* pinctrl_dev::dev' offset changed from 448 to 832 (in bits) (by +384 bits)
'module* pinctrl_dev::owner' offset changed from 512 to 896 (in bits) (by +384 bits)
'void* pinctrl_dev::driver_data' offset changed from 576 to 960 (in bits) (by +384 bits)
'pinctrl* pinctrl_dev::p' offset changed from 640 to 1024 (in bits) (by +384 bits)
'pinctrl_state* pinctrl_dev::hog_default' offset changed from 704 to 1088 (in bits) (by +384 bits)
'pinctrl_state* pinctrl_dev::hog_sleep' offset changed from 768 to 1152 (in bits) (by +384 bits)
'mutex pinctrl_dev::mutex' offset changed from 832 to 1216 (in bits) (by +384 bits)
'dentry* pinctrl_dev::device_root' offset changed from 1088 to 1472 (in bits) (by +384 bits)
29 impacted interfaces:
function pinctrl_dev* devm_pinctrl_register(device*, pinctrl_desc*, void*)
function int devm_pinctrl_register_and_init(device*, pinctrl_desc*, void*, pinctrl_dev**)
function void devm_pinctrl_unregister(device*, pinctrl_dev*)
function bool pin_is_valid(pinctrl_dev*, int)
function void pinconf_generic_dt_free_map(pinctrl_dev*, pinctrl_map*, unsigned int)
function int pinconf_generic_dt_node_to_map(pinctrl_dev*, device_node*, pinctrl_map**, unsigned int*, pinctrl_map_type)
function int pinconf_generic_dt_subnode_to_map(pinctrl_dev*, device_node*, pinctrl_map**, unsigned int*, unsigned int*, pinctrl_map_type)
function void pinconf_generic_dump_config(pinctrl_dev*, seq_file*, unsigned long int)
function void pinctrl_add_gpio_range(pinctrl_dev*, pinctrl_gpio_range*)
function void pinctrl_add_gpio_ranges(pinctrl_dev*, pinctrl_gpio_range*, unsigned int)
function const char* pinctrl_dev_get_devname(pinctrl_dev*)
function void* pinctrl_dev_get_drvdata(pinctrl_dev*)
function const char* pinctrl_dev_get_name(pinctrl_dev*)
function int pinctrl_enable(pinctrl_dev*)
function pinctrl_dev* pinctrl_find_and_add_gpio_range(const char*, pinctrl_gpio_range*)
function pinctrl_gpio_range* pinctrl_find_gpio_range_from_pin(pinctrl_dev*, unsigned int)
function pinctrl_gpio_range* pinctrl_find_gpio_range_from_pin_nolock(pinctrl_dev*, unsigned int)
function int pinctrl_force_default(pinctrl_dev*)
function int pinctrl_force_sleep(pinctrl_dev*)
function int pinctrl_get_group_pins(pinctrl_dev*, const char*, const unsigned int**, unsigned int*)
function pinctrl_dev* pinctrl_register(pinctrl_desc*, device*, void*)
function int pinctrl_register_and_init(pinctrl_desc*, device*, void*, pinctrl_dev**)
function void pinctrl_remove_gpio_range(pinctrl_dev*, pinctrl_gpio_range*)
function void pinctrl_unregister(pinctrl_dev*)
function int pinctrl_utils_add_config(pinctrl_dev*, unsigned long int**, unsigned int*, unsigned long int)
function int pinctrl_utils_add_map_configs(pinctrl_dev*, pinctrl_map**, unsigned int*, unsigned int*, const char*, unsigned long int*, unsigned int, pinctrl_map_type)
function int pinctrl_utils_add_map_mux(pinctrl_dev*, pinctrl_map**, unsigned int*, unsigned int*, const char*, const char*)
function void pinctrl_utils_free_map(pinctrl_dev*, pinctrl_map*, unsigned int)
function int pinctrl_utils_reserve_map(pinctrl_dev*, pinctrl_map**, unsigned int*, unsigned int*, unsigned int)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I940293527b5aa1875b49fad611bac9fc01c2931a
Greg Kroah-Hartman [Sat, 21 Sep 2019 05:55:26 +0000 (07:55 +0200)]
Merge 4.19.75 into android-4.19
Changes in 4.19.75
netfilter: nf_flow_table: set default timeout after successful insertion
HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report
RDMA/restrack: Release task struct which was hold by CM_ID object
Input: elan_i2c - remove Lenovo Legion Y7000 PnpID
powerpc/mm/radix: Use the right page size for vmemmap mapping
USB: usbcore: Fix slab-out-of-bounds bug during device reset
media: tm6000: double free if usb disconnect while streaming
phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current
ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit
udp: correct reuseport selection with connected sockets
xen-netfront: do not assume sk_buff_head list is empty in error handling
net_sched: let qdisc_put() accept NULL pointer
KVM: coalesced_mmio: add bounds checking
firmware: google: check if size is valid when decoding VPD data
serial: sprd: correct the wrong sequence of arguments
tty/serial: atmel: reschedule TX after RX was started
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
ieee802154: hwsim: Fix error handle path in hwsim_init_module
ieee802154: hwsim: unregister hw while hwsim_subscribe_all_others fails
ARM: dts: am57xx: Disable voltage switching for SD card
ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss
bus: ti-sysc: Fix using configured sysc mask value
s390/bpf: fix lcgr instruction encoding
ARM: OMAP2+: Fix omap4 errata warning on other SoCs
ARM: dts: dra74x: Fix iodelay configuration for mmc3
ARM: OMAP1: ams-delta-fiq: Fix missing irq_ack
bus: ti-sysc: Simplify cleanup upon failures in sysc_probe()
s390/bpf: use 32-bit index for tail calls
selftests/bpf: fix "bind{4, 6} deny specific IP & port" on s390
tools: bpftool: close prog FD before exit on showing a single program
fpga: altera-ps-spi: Fix getting of optional confd gpio
netfilter: ebtables: Fix argument order to ADD_COUNTER
netfilter: nft_flow_offload: missing netlink attribute policy
netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info
NFSv4: Fix return values for nfs4_file_open()
NFSv4: Fix return value in nfs_finish_open()
NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
xdp: unpin xdp umem pages in error path
qed: Add cleanup in qed_slowpath_start()
ARM: 8874/1: mm: only adjust sections of valid mm structures
batman-adv: Only read OGM2 tvlv_len after buffer len check
bpf: allow narrow loads of some sk_reuseport_md fields with offset > 0
r8152: Set memory to all 0xFFs on failed reg reads
x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
netfilter: xt_physdev: Fix spurious error message in physdev_mt_check
netfilter: nf_conntrack_ftp: Fix debug output
NFSv2: Fix eof handling
NFSv2: Fix write regression
kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving the first symbol
cifs: set domainName when a domain-key is used in multiuser
cifs: Use kzfree() to zero out the password
usb: host: xhci-tegra: Set DMA mask correctly
ARM: 8901/1: add a criteria for pfn_valid of arm
ibmvnic: Do not process reset during or after device removal
sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
i2c: designware: Synchronize IRQs when unregistering slave client
perf/x86/intel: Restrict period on Nehalem
perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops
amd-xgbe: Fix error path in xgbe_mod_init()
tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2
tools/power x86_energy_perf_policy: Fix argument parsing
tools/power turbostat: fix buffer overrun
net: aquantia: fix out of memory condition on rx side
net: seeq: Fix the function used to release some memory in an error handling path
dmaengine: ti: dma-crossbar: Fix a memory leak bug
dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
x86/hyper-v: Fix overflow bug in fill_gva_list()
keys: Fix missing null pointer check in request_key_auth_describe()
iommu/amd: Flush old domains in kdump kernel
iommu/amd: Fix race in increase_address_space()
PCI: kirin: Fix section mismatch warning
ovl: fix regression caused by overlapping layers detection
floppy: fix usercopy direction
binfmt_elf: move brk out of mmap when doing direct loader exec
arm64: kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field
media: technisat-usb2: break out of loop at end of buffer
Linux 4.19.75
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I1dd841f112ee81497cd085b102979f45ee5e6b9d
Greg Kroah-Hartman [Sat, 21 Sep 2019 05:17:15 +0000 (07:17 +0200)]
Linux 4.19.75
Sean Young [Wed, 3 Jul 2019 14:52:39 +0000 (10:52 -0400)]
media: technisat-usb2: break out of loop at end of buffer
commit
0c4df39e504bf925ab666132ac3c98d6cbbe380b upstream.
Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.
Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Will Deacon [Thu, 13 Dec 2018 13:47:38 +0000 (13:47 +0000)]
arm64: kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field
commit
2a355ec25729053bb9a1a89b6c1d1cdd6c3b3fb1 upstream.
While the CSV3 field of the ID_AA64_PFR0 CPU ID register can be checked
to see if a CPU is susceptible to Meltdown and therefore requires kpti
to be enabled, existing CPUs do not implement this field.
We therefore whitelist all unaffected Cortex-A CPUs that do not implement
the CSV3 field.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Niklas Cassel <niklas.cassel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kees Cook [Tue, 14 May 2019 22:43:57 +0000 (15:43 -0700)]
binfmt_elf: move brk out of mmap when doing direct loader exec
commit
bbdc6076d2e5d07db44e74c11b01a3e27ab90b32 upstream.
Commmit
eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE"),
made changes in the rare case when the ELF loader was directly invoked
(e.g to set a non-inheritable LD_LIBRARY_PATH, testing new versions of
the loader), by moving into the mmap region to avoid both ET_EXEC and
PIE binaries. This had the effect of also moving the brk region into
mmap, which could lead to the stack and brk being arbitrarily close to
each other. An unlucky process wouldn't get its requested stack size
and stack allocations could end up scribbling on the heap.
This is illustrated here. In the case of using the loader directly, brk
(so helpfully identified as "[heap]") is allocated with the _loader_ not
the binary. For example, with ASLR entirely disabled, you can see this
more clearly:
$ /bin/cat /proc/self/maps
555555554000-
55555555c000 r-xp
00000000 ... /bin/cat
55555575b000-
55555575c000 r--p
00007000 ... /bin/cat
55555575c000-
55555575d000 rw-p
00008000 ... /bin/cat
55555575d000-
55555577e000 rw-p
00000000 ... [heap]
...
7ffff7ff7000-
7ffff7ffa000 r--p
00000000 ... [vvar]
7ffff7ffa000-
7ffff7ffc000 r-xp
00000000 ... [vdso]
7ffff7ffc000-
7ffff7ffd000 r--p
00027000 ... /lib/x86_64-linux-gnu/ld-2.27.so
7ffff7ffd000-
7ffff7ffe000 rw-p
00028000 ... /lib/x86_64-linux-gnu/ld-2.27.so
7ffff7ffe000-
7ffff7fff000 rw-p
00000000 ...
7ffffffde000-
7ffffffff000 rw-p
00000000 ... [stack]
$ /lib/x86_64-linux-gnu/ld-2.27.so /bin/cat /proc/self/maps
...
7ffff7bcc000-
7ffff7bd4000 r-xp
00000000 ... /bin/cat
7ffff7bd4000-
7ffff7dd3000 ---p
00008000 ... /bin/cat
7ffff7dd3000-
7ffff7dd4000 r--p
00007000 ... /bin/cat
7ffff7dd4000-
7ffff7dd5000 rw-p
00008000 ... /bin/cat
7ffff7dd5000-
7ffff7dfc000 r-xp
00000000 ... /lib/x86_64-linux-gnu/ld-2.27.so
7ffff7fb2000-
7ffff7fd6000 rw-p
00000000 ...
7ffff7ff7000-
7ffff7ffa000 r--p
00000000 ... [vvar]
7ffff7ffa000-
7ffff7ffc000 r-xp
00000000 ... [vdso]
7ffff7ffc000-
7ffff7ffd000 r--p
00027000 ... /lib/x86_64-linux-gnu/ld-2.27.so
7ffff7ffd000-
7ffff7ffe000 rw-p
00028000 ... /lib/x86_64-linux-gnu/ld-2.27.so
7ffff7ffe000-
7ffff8020000 rw-p
00000000 ... [heap]
7ffffffde000-
7ffffffff000 rw-p
00000000 ... [stack]
The solution is to move brk out of mmap and into ELF_ET_DYN_BASE since
nothing is there in the direct loader case (and ET_EXEC is still far
away at 0x400000). Anything that ran before should still work (i.e.
the ultimately-launched binary already had the brk very far from its
text, so this should be no different from a COMPAT_BRK standpoint). The
only risk I see here is that if someone started to suddenly depend on
the entire memory space lower than the mmap region being available when
launching binaries via a direct loader execs which seems highly
unlikely, I'd hope: this would mean a binary would _not_ work when
exec()ed normally.
(Note that this is only done under CONFIG_ARCH_HAS_ELF_RANDOMIZATION
when randomization is turned on.)
Link: http://lkml.kernel.org/r/20190422225727.GA21011@beast
Link: https://lkml.kernel.org/r/CAGXu5jJ5sj3emOT2QPxQkNQk0qbU6zEfu9=Omfhx_p0nCKPSjA@mail.gmail.com
Fixes:
eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Ali Saidi <alisaidi@amazon.com>
Cc: Ali Saidi <alisaidi@amazon.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jann Horn [Tue, 26 Mar 2019 22:03:48 +0000 (23:03 +0100)]
floppy: fix usercopy direction
commit
52f6f9d74f31078964ca1574f7bb612da7877ac8 upstream.
As sparse points out, these two copy_from_user() should actually be
copy_to_user().
Fixes:
229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
Cc: stable@vger.kernel.org
Acked-by: Alexander Popov <alex.popov@linux.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Amir Goldstein [Fri, 12 Jul 2019 12:24:34 +0000 (15:24 +0300)]
ovl: fix regression caused by overlapping layers detection
commit
0be0bfd2de9dfdd2098a9c5b14bdd8f739c9165d upstream.
Once upon a time, commit
2cac0c00a6cd ("ovl: get exclusive ownership on
upper/work dirs") in v4.13 added some sanity checks on overlayfs layers.
This change caused a docker regression. The root cause was mount leaks
by docker, which as far as I know, still exist.
To mitigate the regression, commit
85fdee1eef1a ("ovl: fix regression
caused by exclusive upper/work dir protection") in v4.14 turned the
mount errors into warnings for the default index=off configuration.
Recently, commit
146d62e5a586 ("ovl: detect overlapping layers") in
v5.2, re-introduced exclusive upper/work dir checks regardless of
index=off configuration.
This changes the status quo and mount leak related bug reports have
started to re-surface. Restore the status quo to fix the regressions.
To clarify, index=off does NOT relax overlapping layers check for this
ovelayfs mount. index=off only relaxes exclusive upper/work dir checks
with another overlayfs mount.
To cover the part of overlapping layers detection that used the
exclusive upper/work dir checks to detect overlap with self upper/work
dir, add a trap also on the work base dir.
Link: https://github.com/moby/moby/issues/34672
Link: https://lore.kernel.org/linux-fsdevel/20171006121405.GA32700@veci.piliscsaba.szeredi.hu/
Link: https://github.com/containers/libpod/issues/3540
Fixes:
146d62e5a586 ("ovl: detect overlapping layers")
Cc: <stable@vger.kernel.org> # v4.19+
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Tested-by: Colin Walters <walters@verbum.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nathan Chancellor [Wed, 19 Sep 2018 05:38:29 +0000 (22:38 -0700)]
PCI: kirin: Fix section mismatch warning
commit
6870b673509779195cab300aedc844b352d9cfbc upstream.
The PCI kirin driver compilation produces the following section mismatch
warning:
WARNING: vmlinux.o(.text+0x4758cc): Section mismatch in reference from
the function kirin_pcie_probe() to the function
.init.text:kirin_add_pcie_port()
The function kirin_pcie_probe() references
the function __init kirin_add_pcie_port().
This is often because kirin_pcie_probe lacks a __init
annotation or the annotation of kirin_add_pcie_port is wrong.
Remove '__init' from kirin_add_pcie_port() to fix it.
Fixes:
fc5165db245a ("PCI: kirin: Add HiSilicon Kirin SoC PCIe controller driver")
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Joerg Roedel [Fri, 6 Sep 2019 08:39:54 +0000 (10:39 +0200)]
iommu/amd: Fix race in increase_address_space()
[ Upstream commit
754265bcab78a9014f0f99cd35e0d610fcd7dfa7 ]
After the conversion to lock-less dma-api call the
increase_address_space() function can be called without any
locking. Multiple CPUs could potentially race for increasing
the address space, leading to invalid domain->mode settings
and invalid page-tables. This has been happening in the wild
under high IO load and memory pressure.
Fix the race by locking this operation. The function is
called infrequently so that this does not introduce
a performance regression in the dma-api path again.
Reported-by: Qian Cai <cai@lca.pw>
Fixes:
256e4621c21a ('iommu/amd: Make use of the generic IOVA allocator')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Stuart Hayes [Thu, 5 Sep 2019 17:09:48 +0000 (12:09 -0500)]
iommu/amd: Flush old domains in kdump kernel
[ Upstream commit
36b7200f67dfe75b416b5281ed4ace9927b513bc ]
When devices are attached to the amd_iommu in a kdump kernel, the old device
table entries (DTEs), which were copied from the crashed kernel, will be
overwritten with a new domain number. When the new DTE is written, the IOMMU
is told to flush the DTE from its internal cache--but it is not told to flush
the translation cache entries for the old domain number.
Without this patch, AMD systems using the tg3 network driver fail when kdump
tries to save the vmcore to a network system, showing network timeouts and
(sometimes) IOMMU errors in the kernel log.
This patch will flush IOMMU translation cache entries for the old domain when
a DTE gets overwritten with a new domain number.
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Fixes:
3ac3e5ee5ed5 ('iommu/amd: Copy old trans table from old kernel')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hillf Danton [Mon, 2 Sep 2019 12:37:29 +0000 (13:37 +0100)]
keys: Fix missing null pointer check in request_key_auth_describe()
[ Upstream commit
d41a3effbb53b1bcea41e328d16a4d046a508381 ]
If a request_key authentication token key gets revoked, there's a window in
which request_key_auth_describe() can see it with a NULL payload - but it
makes no check for this and something like the following oops may occur:
BUG: Kernel NULL pointer dereference at 0x00000038
Faulting instruction address: 0xc0000000004ddf30
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [...] request_key_auth_describe+0x90/0xd0
LR [...] request_key_auth_describe+0x54/0xd0
Call Trace:
[...] request_key_auth_describe+0x54/0xd0 (unreliable)
[...] proc_keys_show+0x308/0x4c0
[...] seq_read+0x3d0/0x540
[...] proc_reg_read+0x90/0x110
[...] __vfs_read+0x3c/0x70
[...] vfs_read+0xb4/0x1b0
[...] ksys_read+0x7c/0x130
[...] system_call+0x5c/0x70
Fix this by checking for a NULL pointer when describing such a key.
Also make the read routine check for a NULL pointer to be on the safe side.
[DH: Modified to not take already-held rcu lock and modified to also check
in the read routine]
Fixes:
04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Tianyu Lan [Mon, 2 Sep 2019 12:41:43 +0000 (20:41 +0800)]
x86/hyper-v: Fix overflow bug in fill_gva_list()
[ Upstream commit
4030b4c585c41eeefec7bd20ce3d0e100a0f2e4d ]
When the 'start' parameter is >= 0xFF000000 on 32-bit
systems, or >= 0xFFFFFFFF'
FF000000 on 64-bit systems,
fill_gva_list() gets into an infinite loop.
With such inputs, 'cur' overflows after adding HV_TLB_FLUSH_UNIT
and always compares as less than end. Memory is filled with
guest virtual addresses until the system crashes.
Fix this by never incrementing 'cur' to be larger than 'end'.
Reported-by: Jong Hyun Park <park.jonghyun@yonsei.ac.kr>
Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes:
2ffd9e33ce4a ("x86/hyper-v: Use hypercall for remote TLB flush")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Peter Zijlstra [Thu, 29 Aug 2019 08:24:45 +0000 (10:24 +0200)]
x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
[ Upstream commit
9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ]
Identical to __put_user(); the __get_user() argument evalution will too
leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
While uncommon this was observed to happen for:
drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))
where UBSAN added array bound checking.
This complements commit:
6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")
Tested-by Sedat Dilek <sedat.dilek@gmail.com>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: broonie@kernel.org
Cc: sfr@canb.auug.org.au
Cc: akpm@linux-foundation.org
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: mhocko@suse.cz
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wenwen Wang [Fri, 16 Aug 2019 06:56:08 +0000 (01:56 -0500)]
dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
[ Upstream commit
962411b05a6d3342aa649e39cda1704c1fc042c6 ]
If devm_request_irq() fails to disable all interrupts, no cleanup is
performed before retuning the error. To fix this issue, invoke
omap_dma_free() to do the cleanup.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wenwen Wang [Fri, 16 Aug 2019 06:48:55 +0000 (01:48 -0500)]
dmaengine: ti: dma-crossbar: Fix a memory leak bug
[ Upstream commit
2c231c0c1dec42192aca0f87f2dc68b8f0cbc7d2 ]
In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
of_property_read_u32_array() is invoked to search for the property.
However, if this process fails, 'rsv_events' is not deallocated, leading to
a memory leak bug. To fix this issue, free 'rsv_events' before returning
the error.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/1565938136-7249-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christophe JAILLET [Sat, 31 Aug 2019 07:17:51 +0000 (09:17 +0200)]
net: seeq: Fix the function used to release some memory in an error handling path
[ Upstream commit
e1e54ec7fb55501c33b117c111cb0a045b8eded2 ]
In commit
99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"),
a call to 'get_zeroed_page()' has been turned into a call to
'dma_alloc_coherent()'. Only the remove function has been updated to turn
the corresponding 'free_page()' into 'dma_free_attrs()'.
The error hndling path of the probe function has not been updated.
Fix it now.
Rename the corresponding label to something more in line.
Fixes:
99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dmitry Bogdanov [Fri, 30 Aug 2019 12:08:38 +0000 (12:08 +0000)]
net: aquantia: fix out of memory condition on rx side
[ Upstream commit
be6cef69ba570ebb327eba1ef6438f7af49aaf86 ]
On embedded environments with hard memory limits it is a normal although
rare case when skb can't be allocated on rx part under high traffic.
In such OOM cases napi_complete_done() was not called.
So the napi object became in an invalid state like it is "scheduled".
Kernel do not re-schedules the poll of that napi object.
Consequently, kernel can not remove that object the system hangs on
`ifconfig down` waiting for a poll.
We are fixing this by gracefully closing napi poll routine with correct
invocation of napi_complete_done.
This was reproduced with artificially failing the allocation of skb to
simulate an "out of memory" error case and check that traffic does
not get stuck.
Fixes:
970a2e9864b0 ("net: ethernet: aquantia: Vector operations")
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Naoya Horiguchi [Wed, 3 Apr 2019 07:02:14 +0000 (16:02 +0900)]
tools/power turbostat: fix buffer overrun
[ Upstream commit
eeb71c950bc6eee460f2070643ce137e067b234c ]
turbostat could be terminated by general protection fault on some latest
hardwares which (for example) support 9 levels of C-states and show 18
"tADDED" lines. That bloats the total output and finally causes buffer
overrun. So let's extend the buffer to avoid this.
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zephaniah E. Loss-Cutler-Hull [Sat, 9 Feb 2019 13:25:48 +0000 (05:25 -0800)]
tools/power x86_energy_perf_policy: Fix argument parsing
[ Upstream commit
03531482402a2bc4ab93cf6dde46833775e035e9 ]
The -w argument in x86_energy_perf_policy currently triggers an
unconditional segfault.
This is because the argument string reads: "+a:c:dD:E:e:f:m:M:rt:u:vw" and
yet the argument handler expects an argument.
When parse_optarg_string is called with a null argument, we then proceed to
crash in strncmp, not horribly friendly.
The man page describes -w as taking an argument, the long form
(--hwp-window) is correctly marked as taking a required argument, and the
code expects it.
As such, this patch simply marks the short form (-w) as requiring an
argument.
Signed-off-by: Zephaniah E. Loss-Cutler-Hull <zephaniah@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ben Hutchings [Sun, 16 Sep 2018 15:05:53 +0000 (16:05 +0100)]
tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2
[ Upstream commit
adb8049097a9ec4acd09fbd3aa8636199a78df8a ]
x86_energy_perf_policy first uses __get_cpuid() to check the maximum
CPUID level and exits if it is too low. It then assumes that later
calls will succeed (which I think is architecturally guaranteed). It
also assumes that CPUID works at all (which is not guaranteed on
x86_32).
If optimisations are enabled, gcc warns about potentially
uninitialized variables. Fix this by adding an exit-on-error after
every call to __get_cpuid() instead of just checking the maximum
level.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
YueHaibing [Thu, 29 Aug 2019 02:46:00 +0000 (10:46 +0800)]
amd-xgbe: Fix error path in xgbe_mod_init()
[ Upstream commit
b6b4dc4c1fa7f1c99398e7dc85758049645e9588 ]
In xgbe_mod_init(), we should do cleanup if some error occurs
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes:
efbaa828330a ("amd-xgbe: Add support to handle device renaming")
Fixes:
47f164deab22 ("amd-xgbe: Add PCI device support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kim Phillips [Mon, 26 Aug 2019 19:57:30 +0000 (14:57 -0500)]
perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops
[ Upstream commit
0f4cd769c410e2285a4e9873a684d90423f03090 ]
When counting dispatched micro-ops with cnt_ctl=1, in order to prevent
sample bias, IBS hardware preloads the least significant 7 bits of
current count (IbsOpCurCnt) with random values, such that, after the
interrupt is handled and counting resumes, the next sample taken
will be slightly perturbed.
The current count bitfield is in the IBS execution control h/w register,
alongside the maximum count field.
Currently, the IBS driver writes that register with the maximum count,
leaving zeroes to fill the current count field, thereby overwriting
the random bits the hardware preloaded for itself.
Fix the driver to actually retain and carry those random bits from the
read of the IBS control register, through to its write, instead of
overwriting the lower current count bits with zeroes.
Tested with:
perf record -c 100001 -e ibs_op/cnt_ctl=1/pp -a -C 0 taskset -c 0 <workload>
'perf annotate' output before:
15.70 65: addsd %xmm0,%xmm1
17.30 add $0x1,%rax
15.88 cmp %rdx,%rax
je 82
17.32 72: test $0x1,%al
jne 7c
7.52 movapd %xmm1,%xmm0
5.90 jmp 65
8.23 7c: sqrtsd %xmm1,%xmm0
12.15 jmp 65
'perf annotate' output after:
16.63 65: addsd %xmm0,%xmm1
16.82 add $0x1,%rax
16.81 cmp %rdx,%rax
je 82
16.69 72: test $0x1,%al
jne 7c
8.30 movapd %xmm1,%xmm0
8.13 jmp 65
8.24 7c: sqrtsd %xmm1,%xmm0
8.39 jmp 65
Tested on Family 15h and 17h machines.
Machines prior to family 10h Rev. C don't have the RDWROPCNT capability,
and have the IbsOpCurCnt bitfield reserved, so this patch shouldn't
affect their operation.
It is unknown why commit
db98c5faf8cb ("perf/x86: Implement 64-bit
counter support for IBS") ignored the lower 4 bits of the IbsOpCurCnt
field; the number of preloaded random bits has always been 7, AFAICT.
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: <x86@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "Borislav Petkov" <bp@alien8.de>
Cc: Stephane Eranian <eranian@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: "Namhyung Kim" <namhyung@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Link: https://lkml.kernel.org/r/20190826195730.30614-1-kim.phillips@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Josh Hunt [Mon, 19 Aug 2019 23:13:31 +0000 (19:13 -0400)]
perf/x86/intel: Restrict period on Nehalem
[ Upstream commit
44d3bbb6f5e501b873218142fe08cdf62a4ac1f3 ]
We see our Nehalem machines reporting 'perfevents: irq loop stuck!' in
some cases when using perf:
perfevents: irq loop stuck!
WARNING: CPU: 0 PID: 3485 at arch/x86/events/intel/core.c:2282 intel_pmu_handle_irq+0x37b/0x530
...
RIP: 0010:intel_pmu_handle_irq+0x37b/0x530
...
Call Trace:
<NMI>
? perf_event_nmi_handler+0x2e/0x50
? intel_pmu_save_and_restart+0x50/0x50
perf_event_nmi_handler+0x2e/0x50
nmi_handle+0x6e/0x120
default_do_nmi+0x3e/0x100
do_nmi+0x102/0x160
end_repeat_nmi+0x16/0x50
...
? native_write_msr+0x6/0x20
? native_write_msr+0x6/0x20
</NMI>
intel_pmu_enable_event+0x1ce/0x1f0
x86_pmu_start+0x78/0xa0
x86_pmu_enable+0x252/0x310
__perf_event_task_sched_in+0x181/0x190
? __switch_to_asm+0x41/0x70
? __switch_to_asm+0x35/0x70
? __switch_to_asm+0x41/0x70
? __switch_to_asm+0x35/0x70
finish_task_switch+0x158/0x260
__schedule+0x2f6/0x840
? hrtimer_start_range_ns+0x153/0x210
schedule+0x32/0x80
schedule_hrtimeout_range_clock+0x8a/0x100
? hrtimer_init+0x120/0x120
ep_poll+0x2f7/0x3a0
? wake_up_q+0x60/0x60
do_epoll_wait+0xa9/0xc0
__x64_sys_epoll_wait+0x1a/0x20
do_syscall_64+0x4e/0x110
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fdeb1e96c03
...
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: acme@kernel.org
Cc: Josh Hunt <johunt@akamai.com>
Cc: bpuranda@akamai.com
Cc: mingo@redhat.com
Cc: jolsa@redhat.com
Cc: tglx@linutronix.de
Cc: namhyung@kernel.org
Cc: alexander.shishkin@linux.intel.com
Link: https://lkml.kernel.org/r/1566256411-18820-1-git-send-email-johunt@akamai.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jarkko Nikula [Thu, 15 Aug 2019 13:52:11 +0000 (16:52 +0300)]
i2c: designware: Synchronize IRQs when unregistering slave client
[ Upstream commit
c486dcd2f1bbdd524a1e0149734b79e4ae329650 ]
Make sure interrupt handler i2c_dw_irq_handler_slave() has finished
before clearing the the dev->slave pointer in i2c_dw_unreg_slave().
There is possibility for a race if i2c_dw_irq_handler_slave() is running
on another CPU while clearing the dev->slave pointer.
Reported-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
Reported-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Takashi Iwai [Wed, 28 Aug 2019 06:31:19 +0000 (08:31 +0200)]
sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
[ Upstream commit
189308d5823a089b56e2299cd96589507dac7319 ]
A similar workaround for the suspend/resume problem is needed for yet
another ASUS machines, P6X models. Like the previous fix, the BIOS
doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_*
entries are used instead.
Reported-and-tested-by: SteveM <swm@swm1.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Thomas Falcon [Tue, 27 Aug 2019 16:10:04 +0000 (11:10 -0500)]
ibmvnic: Do not process reset during or after device removal
[ Upstream commit
36f1031c51a2538e5558fb44c6d6b88f98d3c0f2 ]
Currently, the ibmvnic driver will not schedule device resets
if the device is being removed, but does not check the device
state before the reset is actually processed. This leads to a race
where a reset is scheduled with a valid device state but is
processed after the driver has been removed, resulting in an oops.
Fix this by checking the device state before processing a queued
reset event.
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Tested-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
zhaoyang [Mon, 26 Aug 2019 03:07:37 +0000 (04:07 +0100)]
ARM: 8901/1: add a criteria for pfn_valid of arm
[ Upstream commit
5b3efa4f1479c91cb8361acef55f9c6662feba57 ]
pfn_valid can be wrong when parsing a invalid pfn whose phys address
exceeds BITS_PER_LONG as the MSB will be trimed when shifted.
The issue originally arise from bellowing call stack, which corresponding to
an access of the /proc/kpageflags from userspace with a invalid pfn parameter
and leads to kernel panic.
[46886.723249] c7 [<
c031ff98>] (stable_page_flags) from [<
c03203f8>]
[46886.723264] c7 [<
c0320368>] (kpageflags_read) from [<
c0312030>]
[46886.723280] c7 [<
c0311fb0>] (proc_reg_read) from [<
c02a6e6c>]
[46886.723290] c7 [<
c02a6e24>] (__vfs_read) from [<
c02a7018>]
[46886.723301] c7 [<
c02a6f74>] (vfs_read) from [<
c02a778c>]
[46886.723315] c7 [<
c02a770c>] (SyS_pread64) from [<
c0108620>]
(ret_fast_syscall+0x0/0x28)
Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nagarjuna Kristam [Wed, 28 Aug 2019 10:54:57 +0000 (16:24 +0530)]
usb: host: xhci-tegra: Set DMA mask correctly
[ Upstream commit
993cc8753453fccfe060a535bbe21fcf1001b626 ]
The Falcon microcontroller that runs the XUSB firmware and which is
responsible for exposing the XHCI interface can address only 40 bits of
memory. Typically that's not a problem because Tegra devices don't have
enough system memory to exceed those 40 bits.
However, if the ARM SMMU is enable on Tegra186 and later, the addresses
passed to the XUSB controller can be anywhere in the 48-bit IOV address
space of the ARM SMMU. Since the DMA/IOMMU API starts allocating from
the top of the IOVA space, the Falcon microcontroller is not able to
load the firmware successfully.
Fix this by setting the DMA mask to 40 bits, which will force the DMA
API to map the buffer for the firmware to an IOVA that is addressable by
the Falcon.
Signed-off-by: Nagarjuna Kristam <nkristam@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/1566989697-13049-1-git-send-email-nkristam@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dan Carpenter [Tue, 27 Aug 2019 10:59:17 +0000 (13:59 +0300)]
cifs: Use kzfree() to zero out the password
[ Upstream commit
478228e57f81f6cb60798d54fc02a74ea7dd267e ]
It's safer to zero out the password so that it can never be disclosed.
Fixes:
0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ronnie Sahlberg [Wed, 21 Aug 2019 22:09:50 +0000 (08:09 +1000)]
cifs: set domainName when a domain-key is used in multiuser
[ Upstream commit
f2aee329a68f5a907bcff11a109dfe17c0b41aeb ]
RHBZ:
1710429
When we use a domain-key to authenticate using multiuser we must also set
the domainnmame for the new volume as it will be used and passed to the server
in the NTLMSSP Domain-name.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Marc Zyngier [Sat, 24 Aug 2019 13:12:31 +0000 (14:12 +0100)]
kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving the first symbol
[ Upstream commit
2a1a3fa0f29270583f0e6e3100d609e09697add1 ]
An arm64 kernel configured with
CONFIG_KPROBES=y
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y
reports the following kprobe failure:
[ 0.032677] kprobes: failed to populate blacklist: -22
[ 0.033376] Please take care of using kprobes.
It appears that kprobe fails to retrieve the symbol at address
0xffff000010081000, despite this symbol being in System.map:
ffff000010081000 T __exception_text_start
This symbol is part of the first group of aliases in the
kallsyms_offsets array (symbol names generated using ugly hacks in
scripts/kallsyms.c):
kallsyms_offsets:
.long 0x1000 // do_undefinstr
.long 0x1000 // efi_header_end
.long 0x1000 // _stext
.long 0x1000 // __exception_text_start
.long 0x12b0 // do_cp15instr
Looking at the implementation of get_symbol_pos(), it returns the
lowest index for aliasing symbols. In this case, it return 0.
But kallsyms_lookup_size_offset() considers 0 as a failure, which
is obviously wrong (there is definitely a valid symbol living there).
In turn, the kprobe blacklisting stops abruptly, hence the original
error.
A CONFIG_KALLSYMS_ALL kernel wouldn't fail as there is always
some random symbols at the beginning of this array, which are never
looked up via kallsyms_lookup_size_offset.
Fix it by considering that get_symbol_pos() is always successful
(which is consistent with the other uses of this function).
Fixes:
ffc5089196446 ("[PATCH] Create kallsyms_lookup_size_offset()")
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trond Myklebust [Tue, 27 Aug 2019 11:03:28 +0000 (07:03 -0400)]
NFSv2: Fix write regression
[ Upstream commit
d33d4beb522987d1c305c12500796f9be3687dee ]
Ensure we update the write result count on success, since the
RPC call itself does not do so.
Reported-by: Jan Stancek <jstancek@redhat.com>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trond Myklebust [Tue, 27 Aug 2019 00:41:16 +0000 (20:41 -0400)]
NFSv2: Fix eof handling
[ Upstream commit
71affe9be45a5c60b9772e1b2701710712637274 ]
If we received a reply from the server with a zero length read and
no error, then that implies we are at eof.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Thomas Jarosch [Wed, 21 Aug 2019 14:14:28 +0000 (16:14 +0200)]
netfilter: nf_conntrack_ftp: Fix debug output
[ Upstream commit
3a069024d371125227de3ac8fa74223fcf473520 ]
The find_pattern() debug output was printing the 'skip' character.
This can be a NULL-byte and messes up further pr_debug() output.
Output without the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8
Output with the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
kernel: nf_conntrack_ftp: Match succeeded!
kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at
4150681645)
kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Todd Seidelmann [Wed, 21 Aug 2019 15:47:53 +0000 (11:47 -0400)]
netfilter: xt_physdev: Fix spurious error message in physdev_mt_check
[ Upstream commit
3cf2f450fff304be9cf4868bf0df17f253bc5b1c ]
Simplify the check in physdev_mt_check() to emit an error message
only when passed an invalid chain (ie, NF_INET_LOCAL_OUT).
This avoids cluttering up the log with errors against valid rules.
For large/heavily modified rulesets, current behavior can quickly
overwhelm the ring buffer, because this function gets called on
every change, regardless of the rule that was changed.
Signed-off-by: Todd Seidelmann <tseidelmann@linode.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Thomas Gleixner [Wed, 21 Aug 2019 13:16:31 +0000 (15:16 +0200)]
x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
[ Upstream commit
3e5bedc2c258341702ddffbd7688c5e6eb01eafa ]
Rahul Tanwar reported the following bug on DT systems:
> 'ioapic_dynirq_base' contains the virtual IRQ base number. Presently, it is
> updated to the end of hardware IRQ numbers but this is done only when IOAPIC
> configuration type is IOAPIC_DOMAIN_LEGACY or IOAPIC_DOMAIN_STRICT. There is
> a third type IOAPIC_DOMAIN_DYNAMIC which applies when IOAPIC configuration
> comes from devicetree.
>
> See dtb_add_ioapic() in arch/x86/kernel/devicetree.c
>
> In case of IOAPIC_DOMAIN_DYNAMIC (DT/OF based system), 'ioapic_dynirq_base'
> remains to zero initialized value. This means that for OF based systems,
> virtual IRQ base will get set to zero.
Such systems will very likely not even boot.
For DT enabled machines ioapic_dynirq_base is irrelevant and not
updated, so simply map the IRQ base 1:1 instead.
Reported-by: Rahul Tanwar <rahul.tanwar@linux.intel.com>
Tested-by: Rahul Tanwar <rahul.tanwar@linux.intel.com>
Tested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: alan@linux.intel.com
Cc: bp@alien8.de
Cc: cheol.yong.kim@intel.com
Cc: qi-ming.wu@intel.com
Cc: rahul.tanwar@intel.com
Cc: rppt@linux.ibm.com
Cc: tony.luck@intel.com
Link: http://lkml.kernel.org/r/20190821081330.1187-1-rahul.tanwar@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Prashant Malani [Sat, 24 Aug 2019 08:36:19 +0000 (01:36 -0700)]
r8152: Set memory to all 0xFFs on failed reg reads
[ Upstream commit
f53a7ad189594a112167efaf17ea8d0242b5ac00 ]
get_registers() blindly copies the memory written to by the
usb_control_msg() call even if the underlying urb failed.
This could lead to junk register values being read by the driver, since
some indirect callers of get_registers() ignore the return values. One
example is:
ocp_read_dword() ignores the return value of generic_ocp_read(), which
calls get_registers().
So, emulate PCI "Master Abort" behavior by setting the buffer to all
0xFFs when usb_control_msg() fails.
This patch is copied from the r8152 driver (v2.12.0) published by
Realtek (www.realtek.com).
Signed-off-by: Prashant Malani <pmalani@chromium.org>
Acked-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ilya Leoshkevich [Tue, 20 Aug 2019 15:50:25 +0000 (17:50 +0200)]
bpf: allow narrow loads of some sk_reuseport_md fields with offset > 0
[ Upstream commit
2c238177bd7f4b14bdf7447cc1cd9bb791f147e6 ]
test_select_reuseport fails on s390 due to verifier rejecting
test_select_reuseport_kern.o with the following message:
; data_check.eth_protocol = reuse_md->eth_protocol;
18: (69) r1 = *(u16 *)(r6 +22)
invalid bpf_context access off=22 size=2
This is because on big-endian machines casts from __u32 to __u16 are
generated by referencing the respective variable as __u16 with an offset
of 2 (as opposed to 0 on little-endian machines).
The verifier already has all the infrastructure in place to allow such
accesses, it's just that they are not explicitly enabled for
eth_protocol field. Enable them for eth_protocol field by using
bpf_ctx_range instead of offsetof.
Ditto for ip_protocol, bind_inany and len, since they already allow
narrowing, and the same problem can arise when working with them.
Fixes:
2dbb9b9e6df6 ("bpf: Introduce BPF_PROG_TYPE_SK_REUSEPORT")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sven Eckelmann [Thu, 22 Aug 2019 06:55:36 +0000 (08:55 +0200)]
batman-adv: Only read OGM2 tvlv_len after buffer len check
[ Upstream commit
0ff0f15a32c093381ad1abc06abe85afb561ab28 ]
Multiple batadv_ogm2_packet can be stored in an skbuff. The functions
batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
is another additional batadv_ogm2_packet in the skb or not before they
continue processing the packet.
The length for such an OGM2 is BATADV_OGM2_HLEN +
batadv_ogm2_packet->tvlv_len. The check must first check that at least
BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
part of the header. Otherwise it might try read outside of the currently
available skbuff to get the content of tvlv_len.
Fixes:
9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Doug Berger [Mon, 1 Jul 2019 17:50:11 +0000 (18:50 +0100)]
ARM: 8874/1: mm: only adjust sections of valid mm structures
[ Upstream commit
c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ]
A timing hazard exists when an early fork/exec thread begins
exiting and sets its mm pointer to NULL while a separate core
tries to update the section information.
This commit ensures that the mm pointer is not NULL before
setting its section parameters. The arguments provided by
commit
11ce4b33aedc ("ARM: 8672/1: mm: remove tasklist locking
from update_sections_early()") are equally valid for not
requiring grabbing the task_lock around this check.
Fixes:
08925c2f124f ("ARM: 8464/1: Update all mm structures with section adjustments")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Acked-by: Laura Abbott <labbott@redhat.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: Rob Herring <robh@kernel.org>
Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
OSDN Git Service
