1. 26 Mar, 2016 1 commit
    • mm, kasan: stackdepot implementation. Enable stackdepot for SLAB · cd11016e
      Alexander Potapenko committed
      Implement the stack depot and provide CONFIG_STACKDEPOT.  Stack depot
      will allow KASAN to store allocation/deallocation stack traces for memory
      chunks.  The stack traces are stored in a hash table and referenced by
      handles which reside in the kasan_alloc_meta and kasan_free_meta
      structures in the allocated memory chunks.
      
      IRQ stack traces are cut below the IRQ entry point to avoid unnecessary
      duplication.
      
      Right now stackdepot support is only enabled in SLAB allocator.  Once
      KASAN features in SLAB are on par with those in SLUB we can switch SLUB
      to stackdepot as well, thus removing the dependency on SLUB stack
      bookkeeping, which wastes a lot of memory.
      
      This patch is based on the "mm: kasan: stack depots" patch originally
      prepared by Dmitry Chernenkov.
      
      Joonsoo has said that he plans to reuse the stackdepot code for the
      mm/page_owner.c debugging facility.
      
      [akpm@linux-foundation.org: s/depot_stack_handle/depot_stack_handle_t]
      [aryabinin@virtuozzo.com: comment style fixes]
      Signed-off-by: Alexander Potapenko <glider@google.com>
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Konstantin Serebryany <kcc@google.com>
      Cc: Dmitry Chernenkov <dmitryc@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 23 Mar, 2016 1 commit
    • kernel: add kcov code coverage · 5c9a8750
      Dmitry Vyukov committed
      kcov provides code coverage collection for coverage-guided fuzzing
      (randomized testing).  Coverage-guided fuzzing is a testing technique
      that uses coverage feedback to determine new interesting inputs to a
      system.  A notable user-space example is AFL
      (http://lcamtuf.coredump.cx/afl/).  However, this technique is not
      widely used for kernel testing due to missing compiler and kernel
      support.
      
      kcov does not aim to collect as much coverage as possible.  It aims to
      collect more or less stable coverage that is a function of syscall inputs.
      To achieve this goal it does not collect coverage in soft/hard
      interrupts and instrumentation of some inherently non-deterministic or
      non-interesting parts of kernel is disabled (e.g.  scheduler, locking).
      
      Currently there is a single coverage collection mode (tracing), but the
      API anticipates additional collection modes.  Initially I also
      implemented a second mode which exposes coverage in a fixed-size hash
      table of counters (what Quentin used in his original patch).  I've
      dropped the second mode for simplicity.
      
      This patch adds the necessary support on kernel side.  The complementary
      compiler support was added in gcc revision 231296.
      
      We've used this support to build syzkaller system call fuzzer, which has
      found 90 kernel bugs in just 2 months:
      
        https://github.com/google/syzkaller/wiki/Found-Bugs
      
      We've also found 30+ bugs in our internal systems with syzkaller.
      Another (yet unexplored) direction where kcov coverage would greatly
      help is more traditional "blob mutation".  For example, mounting a
      random blob as a filesystem, or receiving a random blob over wire.
      
      Why not gcov.  Typical fuzzing loop looks as follows: (1) reset
      coverage, (2) execute a bit of code, (3) collect coverage, repeat.  A
      typical coverage can be just a dozen of basic blocks (e.g.  an invalid
      input).  In such context gcov becomes prohibitively expensive as
      reset/collect coverage steps depend on total number of basic
      blocks/edges in program (in case of kernel it is about 2M).  Cost of
      kcov depends only on number of executed basic blocks/edges.  On top of
      that, kernel requires per-thread coverage because there are always
      background threads and unrelated processes that also produce coverage.
      With inlined gcov instrumentation per-thread coverage is not possible.
      
      kcov exposes kernel PCs and control flow to user-space which is
      insecure.  But debugfs should not be mapped as user accessible.
      
      Based on a patch by Quentin Casasnovas.
      
      [akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
      [akpm@linux-foundation.org: unbreak allmodconfig]
      [akpm@linux-foundation.org: follow x86 Makefile layout standards]
      Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: Vegard Nossum <vegard.nossum@oracle.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Tavis Ormandy <taviso@google.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Kees Cook <keescook@google.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: David Drysdale <drysdale@google.com>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  3. 02 Mar, 2016 1 commit
  4. 20 Feb, 2016 1 commit
  5. 21 Jan, 2016 3 commits
  6. 12 Dec, 2015 1 commit
  7. 02 Dec, 2015 1 commit
    • net: add support for netdev notifier error injection · 02fff96a
      Nikolay Aleksandrov committed
      This module allows to insert errors in some of netdevice's notifier
      events. All network drivers use these notifiers to signal various events
      and to check if they are allowed, e.g. PRECHANGEMTU and CHANGEMTU
      afterwards. Until recently I had to run failure tests by injecting
      a custom module, but now this infrastructure makes it trivial to test
      these failure paths. Some of the recent bugs I fixed were found using
      this module.
      Here's an example:
       $ cd /sys/kernel/debug/notifier-error-inject/netdev
       $ echo -22 > actions/NETDEV_CHANGEMTU/error
       $ ip link set eth0 mtu 1024
       RTNETLINK answers: Invalid argument
      
      CC: Akinobu Mita <akinobu.mita@gmail.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netdev <netdev@vger.kernel.org>
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 07 Nov, 2015 1 commit
    • test_printf: test printf family at runtime · 707cc728
      Rasmus Villemoes committed
      This adds a simple module for testing the kernel's printf facilities.
      Previously, some %p extensions have caused a wrong return value in case
      the entire output didn't fit and/or been unusable in kasprintf().  This
      should help catch such issues.  Also, it should help ensure that changes
      to the formatting algorithms don't break anything.
      
      I'm not sure if we have a struct dentry or struct file lying around at
      boot time or if we can fake one, but most %p extensions should be
      testable, as should the ordinary number and string formatting.
      
      The nature of vararg functions means we can't use a more conventional
      table-driven approach.
      
      For now, this is mostly a skeleton; contributions are very
      welcome. Some tests are/will be slightly annoying to write, since the
      expected output depends on stuff like CONFIG_*, sizeof(long), runtime
      values etc.
      Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Martin Kletzander <mkletzan@redhat.com>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  9. 08 Oct, 2015 1 commit
  10. 27 Aug, 2015 1 commit
  11. 25 Aug, 2015 1 commit
    • lib: scatterlist: add sg splitting function · f8bcbe62
      Robert Jarzmik committed
      Sometimes a scatter-gather has to be split into several chunks, or sub
      scatter lists. This happens for example if a scatter list will be
      handled by multiple DMA channels, each one filling a part of it.
      
      A concrete example comes with the media V4L2 API, where the scatter list
      is allocated from userspace to hold an image, regardless of the
      knowledge of how many DMAs will fill it :
       - in a simple RGB565 case, one DMA will pump data from the camera ISP
         to memory
       - in the trickier YUV422 case, 3 DMAs will pump data from the camera
         ISP pipes, one for pipe Y, one for pipe U and one for pipe V
      
      For these cases, it is necessary to split the original scatter list into
      multiple scatter lists, which is the purpose of this patch.
      
      The guarantees that are required for this patch are :
       - the intersection of spans of any couple of resulting scatter lists is
         empty.
       - the union of spans of all resulting scatter lists is a subrange of
         the span of the original scatter list.
       - streaming DMA API operations (mapping, unmapping) should not happen
         on both the resulting and the original scatter list. It's either
         the first or the later ones.
       - the caller is responsible to call kfree() on the resulting
         scatterlists.
      Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: Jens Axboe <axboe@fb.com>
  12. 03 Aug, 2015 2 commits
  13. 17 Jul, 2015 1 commit
  14. 11 Jun, 2015 1 commit
    • kbuild: include core debug info when DEBUG_INFO_REDUCED · 50ab9a69
      Rasmus Villemoes committed
      With CONFIG_DEBUG_INFO_REDUCED, we do get quite a lot of debug info
      (around 22.7 MB for a defconfig+DEBUG_INFO_REDUCED). However, the
      "basenames must match" rule used by -femit-struct-debug-baseonly
      option means that we miss some core data structures, such as struct
      {device, file, inode, mm_struct, page} etc.
      
      We can easily get these included as well, while still getting the
      benefits of CONFIG_DEBUG_INFO_REDUCED (faster build times and smaller
      individual object files): All it takes is a dummy translation unit
      including a few strategic headers and compiled with a flag overriding
      -femit-struct-debug-baseonly.
      
      This increases the size of .debug_info by ~0.3%, but these 90 KB
      contain some rather useful info.
      Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: Michal Marek <mmarek@suse.cz>
  15. 11 May, 2015 1 commit
    • lib: add software 842 compression/decompression · 2da572c9
      Dan Streetman committed
      Add 842-format software compression and decompression functions.
      Update the MAINTAINERS 842 section to include the new files.
      
      The 842 compression function can compress any input data into the 842
      compression format.  The 842 decompression function can decompress any
      standard-format 842 compressed data - specifically, either a compressed
      data buffer created by the 842 software compression function, or a
      compressed data buffer created by the 842 hardware compressor (located
      in PowerPC coprocessors).
      
      The 842 compressed data format is explained in the header comments.
      
      This is used in a later patch to provide a full software 842 compression
      and decompression crypto interface.
      Signed-off-by: Dan Streetman <ddstreet@ieee.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  16. 19 Apr, 2015 2 commits
  17. 17 Apr, 2015 3 commits
  18. 18 Feb, 2015 1 commit
  19. 14 Feb, 2015 1 commit
    • lib: add kasan test module · 3f15801c
      Andrey Ryabinin committed
      This is a test module doing various nasty things like out of bounds
      accesses, use after free.  It is useful for testing kernel debugging
      features like kernel address sanitizer.
      
      It mostly concentrates on testing of slab allocator, but we might want to
      add more different stuff here in future (like stack/global variables out
      of bounds accesses and so on).
      Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Konstantin Serebryany <kcc@google.com>
      Cc: Dmitry Chernenkov <dmitryc@google.com>
      Signed-off-by: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Yuri Gribov <tetra2005@gmail.com>
      Cc: Konstantin Khlebnikov <koct9i@gmail.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  20. 13 Feb, 2015 1 commit
  21. 04 Feb, 2015 1 commit
  22. 31 Jan, 2015 1 commit
  23. 29 Jan, 2015 1 commit
  24. 11 Dec, 2014 1 commit
  25. 20 Nov, 2014 1 commit
    • seq_buf: Move the seq_buf code to lib/ · 8d58e99a
      Steven Rostedt (Red Hat) committed
      The seq_buf functions are rather useful outside of tracing. Instead
      of having it be dependent on CONFIG_TRACING, move the code into lib/
      and allow other users to have access to it even when tracing is not
      configured.
      
      The seq_buf utility is similar to the seq_file utility, but instead of
      sending data back up to userland, it writes it into a buffer
      defined at seq_buf_init(). This allows us to send a descriptor around
      that writes printf() formatted strings into it that can be retrieved
      later.
      
      It is currently used by the tracing facility for such things like trace
      events to convert its binary saved data in the ring buffer into an
      ASCII human readable context to be displayed in /sys/kernel/debug/trace.
      
      It can also be used for doing NMI prints safely from NMI context into
      the seq_buf and retrieved later and dumped to printk() safely. Doing
      printk() from an NMI context is dangerous because an NMI can preempt
      a current printk() and deadlock on it.
      
      Link: http://lkml.kernel.org/p/20140619213952.058255809@goodmis.org
      Tested-by: Jiri Kosina <jkosina@suse.cz>
      Acked-by: Jiri Kosina <jkosina@suse.cz>
      Reviewed-by: Petr Mladek <pmladek@suse.cz>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
  26. 17 Nov, 2014 1 commit
  27. 15 Nov, 2014 1 commit
    • Revert "fast_hash: avoid indirect function calls" · a77f9c5d
      Jay Vosburgh committed
      This reverts commit e5a2c899.
      
      	Commit e5a2c899 introduced an alternative_call, arch_fast_hash2,
      that selects between __jhash2 and __intel_crc4_2_hash based on the
      X86_FEATURE_XMM4_2.
      
      	Unfortunately, the alternative_call system does not appear to be
      suitable for use with C functions, as register usage is not handled
      properly for the called functions.  The __jhash2 function in particular
      clobbers registers that are not preserved when called via
      alternative_call, resulting in a panic for direct callers of
      arch_fast_hash2 on older CPUs lacking sse4_2.  It is possible that
      __intel_crc4_2_hash works merely by chance because it uses fewer
      registers.
      
      	This commit was suggested as the source of the problem by Jesse
      Gross <jesse@nicira.com>.
      Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  28. 06 Nov, 2014 1 commit
  29. 14 Oct, 2014 2 commits
    • lib: rename TEST_MODULE to TEST_LKM · 8a6f0b47
      Valentin Rothberg committed
      The "_MODULE" suffix is reserved for tristates compiled as loadable kernel
      modules (LKM).  The "TEST_MODULE" feature thereby violates this
      convention.  The feature is used to compile the lib/test_module.c kernel
      module.
      
      Sadly this convention is not made explicit, but the Kconfig code documents
      it.  The following code (./scripts/kconfig/confdata.c) is used to generate
      the autoconf.h header file during the build process.  When a feature is
      selected as a kernel module ('m'), it is suffixed with "_MODULE" to
      indicate it.
      
      	switch (*value) {
      	case 'n':
      		break;
      	case 'm':
      		suffix = "_MODULE";
      		/* fall through */
      
      This causes problems for static code analysis, which assumes a consistent
      use of the "_MODULE" suffix.
      
      This patch renames the feature and its reference in a Makefile to
      "TEST_LKM", which still expresses the test of a LKM.
      Signed-off-by: Valentin Rothberg <valentinrothberg@gmail.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • lib: remove prio_heap · 6de8ab68
      Lai Jiangshan committed
      The prio_heap code is unused since commit 889ed9ce ("cgroup: remove
      css_scan_tasks()").  It should be compiled out to shrink the binary
      kernel size which can be done via introducing CONFIG_PRIO_HEAD or by
      removing the code.
      
      We can simply recover the code from git when needed, so it would be
      better to remove it IMO.
      Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
      Acked-by: Tejun Heo <tj@kernel.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Ingo Molnar <mingo@kernel.org>
      Acked-by: Peter Zijlstra <peterz@infradead.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Francesco Fusco <ffusco@redhat.com>
      Cc: Greg Thelen <gthelen@google.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: George Spelvin <linux@horizon.com>
      Cc: Mark Salter <msalter@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  30. 07 Aug, 2014 1 commit
  31. 03 Aug, 2014 1 commit
  32. 18 Jul, 2014 1 commit
  33. 12 May, 2014 1 commit