1. 24 8月, 2016 5 次提交
  2. 23 8月, 2016 4 次提交
    • J
      usercopy: fix overlap check for kernel text · 94cd97af
      Josh Poimboeuf 提交于
      When running with a local patch which moves the '_stext' symbol to the
      very beginning of the kernel text area, I got the following panic with
      CONFIG_HARDENED_USERCOPY:
      
        usercopy: kernel memory exposure attempt detected from ffff88103dfff000 (<linear kernel text>) (4096 bytes)
        ------------[ cut here ]------------
        kernel BUG at mm/usercopy.c:79!
        invalid opcode: 0000 [#1] SMP
        ...
        CPU: 0 PID: 4800 Comm: cp Not tainted 4.8.0-rc3.after+ #1
        Hardware name: Dell Inc. PowerEdge R720/0X3D66, BIOS 2.5.4 01/22/2016
        task: ffff880817444140 task.stack: ffff880816274000
        RIP: 0010:[<ffffffff8121c796>] __check_object_size+0x76/0x413
        RSP: 0018:ffff880816277c40 EFLAGS: 00010246
        RAX: 000000000000006b RBX: ffff88103dfff000 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffff88081f80dfa8 RDI: ffff88081f80dfa8
        RBP: ffff880816277c90 R08: 000000000000054c R09: 0000000000000000
        R10: 0000000000000005 R11: 0000000000000006 R12: 0000000000001000
        R13: ffff88103e000000 R14: ffff88103dffffff R15: 0000000000000001
        FS:  00007fb9d1750800(0000) GS:ffff88081f800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000021d2000 CR3: 000000081a08f000 CR4: 00000000001406f0
        Stack:
         ffff880816277cc8 0000000000010000 000000043de07000 0000000000000000
         0000000000001000 ffff880816277e60 0000000000001000 ffff880816277e28
         000000000000c000 0000000000001000 ffff880816277ce8 ffffffff8136c3a6
        Call Trace:
         [<ffffffff8136c3a6>] copy_page_to_iter_iovec+0xa6/0x1c0
         [<ffffffff8136e766>] copy_page_to_iter+0x16/0x90
         [<ffffffff811970e3>] generic_file_read_iter+0x3e3/0x7c0
         [<ffffffffa06a738d>] ? xfs_file_buffered_aio_write+0xad/0x260 [xfs]
         [<ffffffff816e6262>] ? down_read+0x12/0x40
         [<ffffffffa06a61b1>] xfs_file_buffered_aio_read+0x51/0xc0 [xfs]
         [<ffffffffa06a6692>] xfs_file_read_iter+0x62/0xb0 [xfs]
         [<ffffffff812224cf>] __vfs_read+0xdf/0x130
         [<ffffffff81222c9e>] vfs_read+0x8e/0x140
         [<ffffffff81224195>] SyS_read+0x55/0xc0
         [<ffffffff81003a47>] do_syscall_64+0x67/0x160
         [<ffffffff816e8421>] entry_SYSCALL64_slow_path+0x25/0x25
        RIP: 0033:[<00007fb9d0c33c00>] 0x7fb9d0c33c00
        RSP: 002b:00007ffc9c262f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
        RAX: ffffffffffffffda RBX: fffffffffff8ffff RCX: 00007fb9d0c33c00
        RDX: 0000000000010000 RSI: 00000000021c3000 RDI: 0000000000000004
        RBP: 00000000021c3000 R08: 0000000000000000 R09: 00007ffc9c264d6c
        R10: 00007ffc9c262c50 R11: 0000000000000246 R12: 0000000000010000
        R13: 00007ffc9c2630b0 R14: 0000000000000004 R15: 0000000000010000
        Code: 81 48 0f 44 d0 48 c7 c6 90 4d a3 81 48 c7 c0 bb b3 a2 81 48 0f 44 f0 4d 89 e1 48 89 d9 48 c7 c7 68 16 a3 81 31 c0 e8 f4 57 f7 ff <0f> 0b 48 8d 90 00 40 00 00 48 39 d3 0f 83 22 01 00 00 48 39 c3
        RIP  [<ffffffff8121c796>] __check_object_size+0x76/0x413
         RSP <ffff880816277c40>
      
      The checked object's range [ffff88103dfff000, ffff88103e000000) is
      valid, so there shouldn't have been a BUG.  The hardened usercopy code
      got confused because the range's ending address is the same as the
      kernel's text starting address at 0xffff88103e000000.  The overlap check
      is slightly off.
      
      Fixes: f5509cc1 ("mm: Hardened usercopy")
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      94cd97af
    • E
      usercopy: avoid potentially undefined behavior in pointer math · 7329a655
      Eric Biggers 提交于
      check_bogus_address() checked for pointer overflow using this expression,
      where 'ptr' has type 'const void *':
      
      	ptr + n < ptr
      
      Since pointer wraparound is undefined behavior, gcc at -O2 by default
      treats it like the following, which would not behave as intended:
      
      	(long)n < 0
      
      Fortunately, this doesn't currently happen for kernel code because kernel
      code is compiled with -fno-strict-overflow.  But the expression should be
      fixed anyway to use well-defined integer arithmetic, since it could be
      treated differently by different compilers in the future or could be
      reported by tools checking for undefined behavior.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      7329a655
    • L
      Merge tag 'arc-4.8-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · ef0e1ea8
      Linus Torvalds 提交于
      Pull ARC fixes from Vineet Gupta:
      
       - support for Syscall ABI v4 with upstream gcc 6.x
      
       - lockdep fix (Daniel Mentz)
      
       - gdb register clobber (Liav Rehana)
      
       - couple of missing exports for modules
      
       - other fixes here and there
      
      * tag 'arc-4.8-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: export __udivdi3 for modules
        ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS
        ARC: export kmap
        ARC: Support syscall ABI v4
        ARC: use correct offset in pt_regs for saving/restoring user mode r25
        ARC: Elide redundant setup of DMA callbacks
        ARC: Call trace_hardirqs_on() before enabling irqs
      ef0e1ea8
    • L
      Merge tag 'gpio-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 37c669b2
      Linus Torvalds 提交于
      Pull GPIO fixes from Linus Walleij:
       "Here are a few GPIO fixes for v4.8.
      
        I was expecting some fallout from the new chardev rework but nothing
        like that turned up att all.  Instead a Kconfig confusion that I think
        I have finally nailed, then some ordinary driver noise and trivia.
      
        This fixes a Kconfig issue with UM: when I made GPIOLIB available to
        all archs, that included UM, but the OF part of GPIOLIB requires
        HAS_IOMEM, so we add HAS_IOMEM as a dependency to OF_GPIO.
      
        This in turn exposed the fact that a few GPIO drivers were implicitly
        assuming OF_GPIO as their dependency but instead depended on OF alone
        (the typical problem being a pointer inside gpio_chip not existing
        unless OF_GPIO is selected) and then UM would fail to compile with
        these drivers instead.  Then I lost patience and made any GPIO driver
        depending on just OF depend on OF_GPIO instead, that is certainly what
        they meant and the only thing that makes sense anyway.  GPIO with just
        OF but !OF_GPIO does not make sense.
      
        Also a fix for the max730x driver data pointer, and a minor comment
        fix for the GPIO tools"
      
      * tag 'gpio-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: make any OF dependent driver depend on OF_GPIO
        gpio: Fix OF build problem on UM
        gpio: max730x: set gpiochip data pointer before using it
        tools/gpio: fix gpio-event-mon header comment
      37c669b2
  3. 22 8月, 2016 3 次提交
  4. 20 8月, 2016 13 次提交
    • H
      parisc: Fix order of EREFUSED define in errno.h · 3eb53b20
      Helge Deller 提交于
      When building gccgo in userspace, errno.h gets parsed and the go include file
      sysinfo.go is generated.
      
      Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
      is defined later on in errno.h, this leads to go complaining that EREFUSED
      isn't defined yet.
      
      Fix this trivial problem by moving the define of EREFUSED down after
      ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
      Signed-off-by: NHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      3eb53b20
    • H
      parisc: Fix automatic selection of cr16 clocksource · ae141830
      Helge Deller 提交于
      Commit 54b66800 (parisc: Add native high-resolution sched_clock()
      implementation) added support to use the CPU-internal cr16 counters as reliable
      clocksource with the help of HAVE_UNSTABLE_SCHED_CLOCK.
      
      Sadly the commit missed to remove the hack which prevented cr16 to become the
      default clocksource even on SMP systems.
      Signed-off-by: NHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org # 4.7+
      ae141830
    • V
      ARC: export __udivdi3 for modules · c57653dc
      Vineet Gupta 提交于
      Some module using div_u64() was failing to link because the libgcc 64-bit
      divide assist routine was not being exported for modules
      
      Reported-by: avinashp@quantenna.com
      Cc: stable@vger.kernel.org
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      c57653dc
    • L
      Make the hardened user-copy code depend on having a hardened allocator · 6040e576
      Linus Torvalds 提交于
      The kernel test robot reported a usercopy failure in the new hardened
      sanity checks, due to a page-crossing copy of the FPU state into the
      task structure.
      
      This happened because the kernel test robot was testing with SLOB, which
      doesn't actually do the required book-keeping for slab allocations, and
      as a result the hardening code didn't realize that the task struct
      allocation was one single allocation - and the sanity checks fail.
      
      Since SLOB doesn't even claim to support hardening (and you really
      shouldn't use it), the straightforward solution is to just make the
      usercopy hardening code depend on the allocator supporting it.
      Reported-by: Nkernel test robot <xiaolong.ye@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6040e576
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 8cc9dddd
      Linus Torvalds 提交于
      Pull i2c fixes from Wolfram Sang:
       "I2C has some pretty standard driver bugfixes and one minor cleanup"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: meson: Use complete() instead of complete_all()
        i2c: brcmstb: Use complete() instead of complete_all()
        i2c: bcm-kona: Use complete() instead of complete_all()
        i2c: bcm-iproc: Use complete() instead of complete_all()
        i2c: at91: fix support of the "alternative command" feature
        i2c: ocores: add missed clk_disable_unprepare() on failure paths
        i2c: cros-ec-tunnel: Fix usage of cros_ec_cmd_xfer()
        i2c: mux: demux-pinctrl: properly roll back when adding adapter fails
      8cc9dddd
    • V
      ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS · 1c3c9093
      Vineet Gupta 提交于
      |  CC      mm/memory.o
      | In file included from ../mm/memory.c:53:0:
      | ../include/linux/pfn_t.h: In function ‘pfn_t_pte’:
      | ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested
      |  return pfn_pte(pfn_t_to_pfn(pfn), pgprot);
      
      With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code
      forces a cast which ends up shifting a struct and hence the gcc warning.
      
      Note that in recent past some of the arches (aarch64, s390) made
      STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly
      worse generated code, given ARC ABI definition of returning structs
      (which pte_t would become)
      
      Quoting from ARC ABI...
      
        "Results of type struct are returned in a caller-supplied temporary
        variable whose address is passed in r0.
        For such functions, the arguments are shifted so that they are
        passed in r1 and up."
      
      So
       - struct to be returned would be allocated on stack requiring extra
         code at call sites
       - callee updates stack memory to facilitate the return (vs. simple
         MOV into return reg r0)
      
      Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC
      
      Cc: <stable@vger.kernel.org>   #4.4+
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      1c3c9093
    • V
      ARC: export kmap · d77976c4
      Vineet Gupta 提交于
      |  MODPOST 7 modules
      | ERROR: "kmap" [fs/ext2/ext2.ko] undefined!
      | ../scripts/Makefile.modpost:91: recipe for target '__modpost' failed
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      d77976c4
    • V
      ARC: Support syscall ABI v4 · 840c054f
      Vineet Gupta 提交于
      The syscall ABI includes the gcc functional calling ABI since a syscall
      implies userland caller and kernel callee.
      
      The current gcc ABI (v3) for ARCv2 ISA required 64-bit data be passed in
      even-odd register pairs, (potentially punching reg holes when passing such
      values as args). This was partly driven by the fact that the double-word
      LDD/STD instructions in ARCv2 expect the register alignment and thus gcc
      forcing this avoids extra MOV at the cost of a few unused register (which we
      have plenty anyways).
      
      This however was rejected as part of upstreaming gcc port to HS. So the new
      ABI v4 doesn't enforce the even-odd reg restriction.
      
      Do note that for ARCompact ISA builds v3 and v4 are practically the same in
      terms of gcc code generation.
      
      In terms of change management, we infer the new ABI if gcc 6.x onwards
      is used for building the kernel.
      
      This also needs a stable backport to enable older kernels to work with
      new tools/user-space
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      840c054f
    • L
      ARC: use correct offset in pt_regs for saving/restoring user mode r25 · 86147e3c
      Liav Rehana 提交于
      User mode callee regs are explicitly collected before signal delivery or
      breakpoint trap. r25 is special for kernel as it serves as task pointer,
      so user mode value is clobbered very early. It is saved in pt_regs where
      generally only scratch (aka caller saved) regs are saved.
      
      The code to access the corresponding pt_regs location had a subtle bug as
      it was using load/store with scaling of offset, whereas the offset was already
      byte wise correct. So fix this by replacing LD.AS with a standard LD
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NLiav Rehana <liavr@mellanox.com>
      Reviewed-by: NAlexey Brodkin <abrodkin@synopsys.com>
      [vgupta: rewrote title and commit log]
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      86147e3c
    • L
      Merge tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 43f4d36c
      Linus Torvalds 提交于
      Pull device mapper fixes from Mike Snitzer:
      
       - a stable fix for DM round robin multipath path selector to disable
         preemption before using this_cpu_ptr()
      
       - a slight increase in DM crypt's mempool reserves to make swap ontop
         of DM crypt more performant
      
       - a few DM raid fixes to issues found while testing changes that were
         merged in v4.8-rc1
      
      * tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm raid: support raid0 with missing metadata devices
        dm raid: enhance attempt_restore_of_faulty_devices() to support more devices
        dm raid: fix restoring of failed devices regression
        dm raid: fix frozen recovery regression
        dm crypt: increase mempool reserve to better support swapping
        dm round robin: do not use this_cpu_ptr() without having preemption disabled
      43f4d36c
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · b2848792
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "Six fairly small fixes.  The ipr, mpt3sas and ses ones all trigger
        oopses.  The megaraid one fixes an attach failure on io mapped only
        cards, the fcoe one is an obvious problem in the error path and the
        aacraid one is a theoretical security issue (ability to trick the
        kernel into a buffer overrun)"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        ses: Fix racy cleanup of /sys in remove_dev()
        mpt3sas: Fix resume on WarpDrive flash cards
        ipr: Fix sync scsi scan
        megaraid_sas: Fix probing cards without io port
        aacraid: Check size values after double-fetch from user
        fcoe: Use kfree_skb() instead of kfree()
      b2848792
    • L
      Merge tag 'usb-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 080ebb15
      Linus Torvalds 提交于
      Pull USB fixes from Greg KH:
       "Here are a number of USB fixes for reported issues for your tree.
      
        The normal amount of gadget fixes, xhci fixes, new device ids, and a
        few other minor things.  All of them have been in linux-next for a
        while, the full details are in the shortlog below"
      
      * tag 'usb-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (43 commits)
        xhci: don't dereference a xhci member after removing xhci
        usb: xhci: Fix panic if disconnect
        xhci: really enqueue zero length TRBs.
        xhci: always handle "Command Ring Stopped" events
        cdc-acm: fix wrong pipe type on rx interrupt xfers
        usb: misc: usbtest: add fix for driver hang
        usb: dwc3: gadget: stop processing on HWO set
        usb: dwc3: don't set last bit for ISOC endpoints
        usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG
        usb: udc: core: fix error handling
        usb: gadget: fsl_qe_udc: off by one in setup_received_handle()
        usb/gadget: fix gadgetfs aio support.
        usb: gadget: composite: Fix return value in case of error
        usb: gadget: uvc: Fix return value in case of error
        usb: gadget: fix check in sync read from ep in gadgetfs
        usb: misc: usbtest: usbtest_do_ioctl may return positive integer
        usb: dwc3: fix missing platform_set_drvdata() in dwc3_of_simple_probe()
        usb: phy: omap-otg: Fix missing platform_set_drvdata() in omap_otg_probe()
        usb: gadget: configfs: add mutex lock before unregister gadget
        usb: gadget: u_ether: fix dereference after null check coverify warning
        ...
      080ebb15
    • L
      Merge tag 'xfs-iomap-for-linus-4.8-rc3' of... · a8414fa3
      Linus Torvalds 提交于
      Merge tag 'xfs-iomap-for-linus-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs
      
      Pull xfs and iomap fixes from Dave Chinner:
       "Changes in this update:
      
        Regression fixes for XFS changes introduce in 4.8-rc1:
         - buffer IO accounting assert failure
         - ENOSPC block accounting reservation issue
         - DAX IO path page cache invalidation fix
         - rmapbt on-disk block count in agf
         - correct classification of rmap block type when updating AGFL.
         - iomap support for attribute fork mapping
      
        Regression fixes for iomap infrastructure in 4.8-rc1:
         - fiemap: honor FIEMAP_FLAG_SYNC
         - fiemap: implement FIEMAP_FLAG_XATTR support to fix XFS regression
         - make mark_page_accessed and pagefault_disable usage consistent with
           other IO paths"
      
      * tag 'xfs-iomap-for-linus-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs:
        xfs: remove OWN_AG rmap when allocating a block from the AGFL
        xfs: (re-)implement FIEMAP_FLAG_XATTR
        xfs: simplify xfs_file_iomap_begin
        iomap: mark ->iomap_end as optional
        iomap: prepare iomap_fiemap for attribute mappings
        iomap: fiemap should honor the FIEMAP_FLAG_SYNC flag
        iomap: remove superflous pagefault_disable from iomap_write_actor
        iomap: remove superflous mark_page_accessed from iomap_write_actor
        xfs: store rmapbt block count in the AGF
        xfs: don't invalidate whole file on DAX read/write
        xfs: fix bogus space reservation in xfs_iomap_write_allocate
        xfs: don't assert fail on non-async buffers on ioacct decrement
      a8414fa3
  5. 19 8月, 2016 15 次提交