1. 23 1月, 2015 4 次提交
    • A
      x86, tls: Interpret an all-zero struct user_desc as "no segment" · 3669ef9f
      Andy Lutomirski 提交于
      The Witcher 2 did something like this to allocate a TLS segment index:
      
              struct user_desc u_info;
              bzero(&u_info, sizeof(u_info));
              u_info.entry_number = (uint32_t)-1;
      
              syscall(SYS_set_thread_area, &u_info);
      
      Strictly speaking, this code was never correct.  It should have set
      read_exec_only and seg_not_present to 1 to indicate that it wanted
      to find a free slot without putting anything there, or it should
      have put something sensible in the TLS slot if it wanted to allocate
      a TLS entry for real.  The actual effect of this code was to
      allocate a bogus segment that could be used to exploit espfix.
      
      The set_thread_area hardening patches changed the behavior, causing
      set_thread_area to return -EINVAL and crashing the game.
      
      This changes set_thread_area to interpret this as a request to find
      a free slot and to leave it empty, which isn't *quite* what the game
      expects but should be close enough to keep it working.  In
      particular, using the code above to allocate two segments will
      allocate the same segment both times.
      
      According to FrostbittenKing on Github, this fixes The Witcher 2.
      
      If this somehow still causes problems, we could instead allocate
      a limit==0 32-bit data segment, but that seems rather ugly to me.
      
      Fixes: 41bdc785 x86/tls: Validate TLS entries to protect espfix
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      Cc: stable@vger.kernel.org
      Cc: torvalds@linux-foundation.org
      Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.netSigned-off-by: NThomas Gleixner <tglx@linutronix.de>
      3669ef9f
    • A
      x86, tls, ldt: Stop checking lm in LDT_empty · e30ab185
      Andy Lutomirski 提交于
      32-bit programs don't have an lm bit in their ABI, so they can't
      reliably cause LDT_empty to return true without resorting to memset.
      They shouldn't need to do this.
      
      This should fix a longstanding, if minor, issue in all 64-bit kernels
      as well as a potential regression in the TLS hardening code.
      
      Fixes: 41bdc785 x86/tls: Validate TLS entries to protect espfix
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      Cc: torvalds@linux-foundation.org
      Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.netSigned-off-by: NThomas Gleixner <tglx@linutronix.de>
      e30ab185
    • D
      x86, mpx: Fix potential performance issue on unmaps · c922228e
      Dave Hansen 提交于
      The 3.19 merge window saw some TLB modifications merged which caused a
      performance regression. They were fixed in commit 045bbb9fa.
      
      Once that fix was applied, I also noticed that there was a small
      but intermittent regression still present.  It was not present
      consistently enough to bisect reliably, but I'm fairly confident
      that it came from (my own) MPX patches.  The source was reading
      a relatively unused field in the mm_struct via arch_unmap.
      
      I also noted that this code was in the main instruction flow of
      do_munmap() and probably had more icache impact than we want.
      
      This patch does two things:
      1. Adds a static (via Kconfig) and dynamic (via cpuid) check
         for MPX with cpu_feature_enabled().  This keeps us from
         reading that cacheline in the mm and trades it for a check
         of the global CPUID variables at least on CPUs without MPX.
      2. Adds an unlikely() to ensure that the MPX call ends up out
         of the main instruction flow in do_munmap().  I've added
         a detailed comment about why this was done and why we want
         it even on systems where MPX is present.
      Signed-off-by: NDave Hansen <dave.hansen@linux.intel.com>
      Cc: luto@amacapital.net
      Cc: Dave Hansen <dave@sr71.net>
      Link: http://lkml.kernel.org/r/20150108223021.AEEAB987@viggo.jf.intel.comSigned-off-by: NThomas Gleixner <tglx@linutronix.de>
      c922228e
    • D
      x86, mpx: Explicitly disable 32-bit MPX support on 64-bit kernels · 814564a0
      Dave Hansen 提交于
      We had originally planned on submitting MPX support in one patch
      set.  We eventually broke it up in to two pieces for easier
      review.  One of the features that didn't make the first round
      was supporting 32-bit binaries on 64-bit kernels.
      
      Once we split the set up, we never added code to restrict 32-bit
      binaries from _using_ MPX on 64-bit kernels.
      
      The 32-bit bounds tables are a different format than the 64-bit
      ones.  Without this patch, the kernel will try to read a 32-bit
      binary's tables as if they were the 64-bit version.  They will
      likely be noticed as being invalid rather quickly and the app
      will get killed, but that's kinda mean.
      
      This patch adds an explicit check, and will make a 64-bit kernel
      essentially behave as if it has no MPX support when called from
      a 32-bit binary.
      Signed-off-by: NDave Hansen <dave.hansen@linux.intel.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Hansen <dave@sr71.net>
      Link: http://lkml.kernel.org/r/20150108223020.9E9AA511@viggo.jf.intel.comSigned-off-by: NThomas Gleixner <tglx@linutronix.de>
      814564a0
  2. 20 1月, 2015 6 次提交
  3. 17 1月, 2015 4 次提交
  4. 16 1月, 2015 3 次提交
  5. 15 1月, 2015 1 次提交
    • S
      ftrace/jprobes/x86: Fix conflict between jprobes and function graph tracing · 237d28db
      Steven Rostedt (Red Hat) 提交于
      If the function graph tracer traces a jprobe callback, the system will
      crash. This can easily be demonstrated by compiling the jprobe
      sample module that is in the kernel tree, loading it and running the
      function graph tracer.
      
       # modprobe jprobe_example.ko
       # echo function_graph > /sys/kernel/debug/tracing/current_tracer
       # ls
      
      The first two commands end up in a nice crash after the first fork.
      (do_fork has a jprobe attached to it, so "ls" just triggers that fork)
      
      The problem is caused by the jprobe_return() that all jprobe callbacks
      must end with. The way jprobes works is that the function a jprobe
      is attached to has a breakpoint placed at the start of it (or it uses
      ftrace if fentry is supported). The breakpoint handler (or ftrace callback)
      will copy the stack frame and change the ip address to return to the
      jprobe handler instead of the function. The jprobe handler must end
      with jprobe_return() which swaps the stack and does an int3 (breakpoint).
      This breakpoint handler will then put back the saved stack frame,
      simulate the instruction at the beginning of the function it added
      a breakpoint to, and then continue on.
      
      For function tracing to work, it hijakes the return address from the
      stack frame, and replaces it with a hook function that will trace
      the end of the call. This hook function will restore the return
      address of the function call.
      
      If the function tracer traces the jprobe handler, the hook function
      for that handler will not be called, and its saved return address
      will be used for the next function. This will result in a kernel crash.
      
      To solve this, pause function tracing before the jprobe handler is called
      and unpause it before it returns back to the function it probed.
      
      Some other updates:
      
      Used a variable "saved_sp" to hold kcb->jprobe_saved_sp. This makes the
      code look a bit cleaner and easier to understand (various tries to fix
      this bug required this change).
      
      Note, if fentry is being used, jprobes will change the ip address before
      the function graph tracer runs and it will not be able to trace the
      function that the jprobe is probing.
      
      Link: http://lkml.kernel.org/r/20150114154329.552437962@goodmis.org
      
      Cc: stable@vger.kernel.org # 2.6.30+
      Acked-by: NMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      237d28db
  6. 14 1月, 2015 4 次提交
    • S
      net: fec: fix MDIO bus assignement for dual fec SoC's · 3d125f9c
      Stefan Agner 提交于
      On i.MX28, the MDIO bus is shared between the two FEC instances.
      The driver makes sure that the second FEC uses the MDIO bus of the
      first FEC. This is done conditionally if FEC_QUIRK_ENET_MAC is set.
      However, in newer designs, such as Vybrid or i.MX6SX, each FEC MAC
      has its own MDIO bus. Simply removing the quirk FEC_QUIRK_ENET_MAC
      is not an option since other logic, triggered by this quirk, is
      still needed.
      
      Furthermore, there are board designs which use the same MDIO bus
      for both PHY's even though the second bus would be available on the
      SoC side. Such layout are popular since it saves pins on SoC side.
      Due to the above quirk, those boards currently do work fine. The
      boards in the mainline tree with such a layout are:
      - Freescale Vybrid Tower with TWR-SER2 (vf610-twr.dts)
      - Freescale i.MX6 SoloX SDB Board (imx6sx-sdb.dts)
      
      This patch adds a new quirk FEC_QUIRK_SINGLE_MDIO for i.MX28, which
      makes sure that the MDIO bus of the first FEC is used in any case.
      
      However, the boards above do have a SoC with a MDIO bus for each FEC
      instance. But the PHY's are not connected in a 1:1 configuration. A
      proper device tree description is needed to allow the driver to
      figure out where to find its PHY. This patch fixes that shortcoming
      by adding a MDIO bus child node to the first FEC instance, along
      with the two PHY's on that bus, and making use of the phy-handle
      property to add a reference to the PHY's.
      Acked-by: NSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: NStefan Agner <stefan@agner.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d125f9c
    • D
      x86: entry_64.S: fold SAVE_ARGS_IRQ macro into its sole user · f6f64681
      Denys Vlasenko 提交于
      No code changes.
      
      This is a preparatory patch for change in "struct pt_regs" handling.
      
      CC: Linus Torvalds <torvalds@linux-foundation.org>
      CC: Oleg Nesterov <oleg@redhat.com>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      CC: Andy Lutomirski <luto@amacapital.net>
      CC: Frederic Weisbecker <fweisbec@gmail.com>
      CC: X86 ML <x86@kernel.org>
      CC: Alexei Starovoitov <ast@plumgrid.com>
      CC: Will Drewry <wad@chromium.org>
      CC: Kees Cook <keescook@chromium.org>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: NDenys Vlasenko <dvlasenk@redhat.com>
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      f6f64681
    • D
      x86: ia32entry.S: fix wrong symbolic constant usage: R11->ARGOFFSET · 6c3176a2
      Denys Vlasenko 提交于
      The values of these two constants are the same, the meaning is different.
      Acked-by: NBorislav Petkov <bp@suse.de>
      CC: Linus Torvalds <torvalds@linux-foundation.org>
      CC: Oleg Nesterov <oleg@redhat.com>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      CC: Borislav Petkov <bp@alien8.de>
      CC: Frederic Weisbecker <fweisbec@gmail.com>
      CC: X86 ML <x86@kernel.org>
      CC: Alexei Starovoitov <ast@plumgrid.com>
      CC: Will Drewry <wad@chromium.org>
      CC: Kees Cook <keescook@chromium.org>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: NDenys Vlasenko <dvlasenk@redhat.com>
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      6c3176a2
    • D
      x86: entry_64.S: delete unused code · af9cfe27
      Denys Vlasenko 提交于
      A define, two macros and an unreferenced bit of assembly are gone.
      Acked-by: NBorislav Petkov <bp@suse.de>
      CC: Linus Torvalds <torvalds@linux-foundation.org>
      CC: Oleg Nesterov <oleg@redhat.com>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      CC: Andy Lutomirski <luto@amacapital.net>
      CC: Frederic Weisbecker <fweisbec@gmail.com>
      CC: X86 ML <x86@kernel.org>
      CC: Alexei Starovoitov <ast@plumgrid.com>
      CC: Will Drewry <wad@chromium.org>
      CC: Kees Cook <keescook@chromium.org>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: NDenys Vlasenko <dvlasenk@redhat.com>
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      af9cfe27
  7. 13 1月, 2015 2 次提交
    • J
      x86/xen: properly retrieve NMI reason · f221b04f
      Jan Beulich 提交于
      Using the native code here can't work properly, as the hypervisor would
      normally have cleared the two reason bits by the time Dom0 gets to see
      the NMI (if passed to it at all). There's a shared info field for this,
      and there's an existing hook to use - just fit the two together. This
      is particularly relevant so that NMIs intended to be handled by APEI /
      GHES actually make it to the respective handler.
      
      Note that the hook can (and should) be used irrespective of whether
      being in Dom0, as accessing port 0x61 in a DomU would be even worse,
      while the shared info field would just hold zero all the time. Note
      further that hardware NMI handling for PVH doesn't currently work
      anyway due to missing code in the hypervisor (but it is expected to
      work the native rather than the PV way).
      Signed-off-by: NJan Beulich <jbeulich@suse.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NDavid Vrabel <david.vrabel@citrix.com>
      f221b04f
    • W
      arm64: compat: wire up compat_sys_execveat · cd25b85b
      Will Deacon 提交于
      With 841ee230 ("ARM: wire up execveat syscall"), arch/arm/ has grown
      support for the execveat system call.
      
      This patch wires up the compat variant for arm64.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      cd25b85b
  8. 12 1月, 2015 15 次提交
  9. 11 1月, 2015 1 次提交
    • G
      m68k: Wire up execveat · f27bd5bf
      Geert Uytterhoeven 提交于
      Check success of execveat(3, '../execveat', 0)... [OK]
      Check success of execveat(5, 'execveat', 0)... [OK]
      Check success of execveat(6, 'execveat', 0)... [OK]
      Check success of execveat(-100, '/root/selftest-exec/exec/execveat', 0)... [OK]
      Check success of execveat(99, '/root/selftest-exec/exec/execveat', 0)... [OK]
      Check success of execveat(8, '', 4096)... [OK]
      Check success of execveat(17, '', 4096)... [OK]
      Check success of execveat(9, '', 4096)... [OK]
      Check success of execveat(14, '', 4096)... [OK]
      Check success of execveat(14, '', 4096)... [OK]
      Check success of execveat(15, '', 4096)... [OK]
      Check failure of execveat(8, '', 0) with ENOENT... [OK]
      Check failure of execveat(8, '(null)', 4096) with EFAULT... [OK]
      Check success of execveat(5, 'execveat.symlink', 0)... [OK]
      Check success of execveat(6, 'execveat.symlink', 0)... [OK]
      Check success of execveat(-100, '/root/selftest-exec/...xec/execveat.symlink', 0)... [OK]
      Check success of execveat(10, '', 4096)... [OK]
      Check success of execveat(10, '', 4352)... [OK]
      Check failure of execveat(5, 'execveat.symlink', 256) with ELOOP... [OK]
      Check failure of execveat(6, 'execveat.symlink', 256) with ELOOP... [OK]
      Check failure of execveat(-100, '/root/selftest-exec/exec/execveat.symlink', 256) with ELOOP... [OK]
      Check success of execveat(3, '../script', 0)... [OK]
      Check success of execveat(5, 'script', 0)... [OK]
      Check success of execveat(6, 'script', 0)... [OK]
      Check success of execveat(-100, '/root/selftest-exec/exec/script', 0)... [OK]
      Check success of execveat(13, '', 4096)... [OK]
      Check success of execveat(13, '', 4352)... [OK]
      Check failure of execveat(18, '', 4096) with ENOENT... [OK]
      Check failure of execveat(7, 'script', 0) with ENOENT... [OK]
      Check success of execveat(16, '', 4096)... [OK]
      Check success of execveat(16, '', 4096)... [OK]
      Check success of execveat(4, '../script', 0)... [OK]
      Check success of execveat(4, 'script', 0)... [OK]
      Check success of execveat(4, '../script', 0)... [OK]
      Check failure of execveat(4, 'script', 0) with ENOENT... [OK]
      Check failure of execveat(5, 'execveat', 65535) with EINVAL... [OK]
      Check failure of execveat(5, 'no-such-file', 0) with ENOENT... [OK]
      Check failure of execveat(6, 'no-such-file', 0) with ENOENT... [OK]
      Check failure of execveat(-100, 'no-such-file', 0) with ENOENT... [OK]
      Check failure of execveat(5, '', 4096) with EACCES... [OK]
      Check failure of execveat(5, 'Makefile', 0) with EACCES... [OK]
      Check failure of execveat(11, '', 4096) with EACCES... [OK]
      Check failure of execveat(12, '', 4096) with EACCES... [OK]
      Check failure of execveat(99, '', 4096) with EBADF... [OK]
      Check failure of execveat(99, 'execveat', 0) with EBADF... [OK]
      Check failure of execveat(8, 'execveat', 0) with ENOTDIR... [OK]
      Invoke copy of 'execveat' via filename of length 4093:
      Check success of execveat(19, '', 4096)... [OK]
      Check success of execveat(5, 'xxxxxxxxxxxxxxxxxxxx...yyyyyyyyyyyyyyyyyyyy', 0)... [OK]
      Invoke copy of 'script' via filename of length 4093:
      Check success of execveat(20, '', 4096)... [OK]
      Check success of execveat(5, 'xxxxxxxxxxxxxxxxxxxx...yyyyyyyyyyyyyyyyyyyy', 0)... [OK]
      Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      f27bd5bf