1. 17 12月, 2017 1 次提交
  2. 12 12月, 2017 1 次提交
  3. 07 11月, 2017 2 次提交
  4. 04 11月, 2017 1 次提交
    • J
      objtool: Prevent GCC from merging annotate_unreachable(), take 2 · ec1e1b61
      Josh Poimboeuf 提交于
      This fixes the following warning with GCC 4.6:
      
        mm/migrate.o: warning: objtool: migrate_misplaced_transhuge_page()+0x71: unreachable instruction
      
      The problem is that the compiler merged identical annotate_unreachable()
      inline asm blocks, resulting in a missing 'unreachable' annotation.
      
      This problem happened before, and was partially fixed with:
      
        3d1e2360 ("objtool: Prevent GCC from merging annotate_unreachable()")
      
      That commit tried to ensure that each instance of the
      annotate_unreachable() inline asm statement has a unique label.  It used
      the __LINE__ macro to generate the label number.  However, even the line
      number isn't necessarily unique when used in an inline function with
      multiple callers (in this case, __alloc_pages_node()'s use of
      VM_BUG_ON).
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: kbuild-all@01.org
      Cc: tipbuild@zytor.com
      Fixes: 3d1e2360 ("objtool: Prevent GCC from merging annotate_unreachable()")
      Link: http://lkml.kernel.org/r/20171103221941.cajpwszir7ujxyc4@trebleSigned-off-by: NIngo Molnar <mingo@kernel.org>
      ec1e1b61
  5. 02 11月, 2017 1 次提交
    • G
      License cleanup: add SPDX GPL-2.0 license identifier to files with no license · b2441318
      Greg Kroah-Hartman 提交于
      Many source files in the tree are missing licensing information, which
      makes it harder for compliance tools to determine the correct license.
      
      By default all files without license information are under the default
      license of the kernel, which is GPL version 2.
      
      Update the files which contain no license information with the 'GPL-2.0'
      SPDX license identifier.  The SPDX identifier is a legally binding
      shorthand, which can be used instead of the full boiler plate text.
      
      This patch is based on work done by Thomas Gleixner and Kate Stewart and
      Philippe Ombredanne.
      
      How this work was done:
      
      Patches were generated and checked against linux-4.14-rc6 for a subset of
      the use cases:
       - file had no licensing information it it.
       - file was a */uapi/* one with no licensing information in it,
       - file was a */uapi/* one with existing licensing information,
      
      Further patches will be generated in subsequent months to fix up cases
      where non-standard license headers were used, and references to license
      had to be inferred by heuristics based on keywords.
      
      The analysis to determine which SPDX License Identifier to be applied to
      a file was done in a spreadsheet of side by side results from of the
      output of two independent scanners (ScanCode & Windriver) producing SPDX
      tag:value files created by Philippe Ombredanne.  Philippe prepared the
      base worksheet, and did an initial spot review of a few 1000 files.
      
      The 4.13 kernel was the starting point of the analysis with 60,537 files
      assessed.  Kate Stewart did a file by file comparison of the scanner
      results in the spreadsheet to determine which SPDX license identifier(s)
      to be applied to the file. She confirmed any determination that was not
      immediately clear with lawyers working with the Linux Foundation.
      
      Criteria used to select files for SPDX license identifier tagging was:
       - Files considered eligible had to be source code files.
       - Make and config files were included as candidates if they contained >5
         lines of source
       - File already had some variant of a license header in it (even if <5
         lines).
      
      All documentation files were explicitly excluded.
      
      The following heuristics were used to determine which SPDX license
      identifiers to apply.
      
       - when both scanners couldn't find any license traces, file was
         considered to have no license information in it, and the top level
         COPYING file license applied.
      
         For non */uapi/* files that summary was:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|-------
         GPL-2.0                                              11139
      
         and resulted in the first patch in this series.
      
         If that file was a */uapi/* path one, it was "GPL-2.0 WITH
         Linux-syscall-note" otherwise it was "GPL-2.0".  Results of that was:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|-------
         GPL-2.0 WITH Linux-syscall-note                        930
      
         and resulted in the second patch in this series.
      
       - if a file had some form of licensing information in it, and was one
         of the */uapi/* ones, it was denoted with the Linux-syscall-note if
         any GPL family license was found in the file or had no licensing in
         it (per prior point).  Results summary:
      
         SPDX license identifier                            # files
         ---------------------------------------------------|------
         GPL-2.0 WITH Linux-syscall-note                       270
         GPL-2.0+ WITH Linux-syscall-note                      169
         ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)    21
         ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)    17
         LGPL-2.1+ WITH Linux-syscall-note                      15
         GPL-1.0+ WITH Linux-syscall-note                       14
         ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)    5
         LGPL-2.0+ WITH Linux-syscall-note                       4
         LGPL-2.1 WITH Linux-syscall-note                        3
         ((GPL-2.0 WITH Linux-syscall-note) OR MIT)              3
         ((GPL-2.0 WITH Linux-syscall-note) AND MIT)             1
      
         and that resulted in the third patch in this series.
      
       - when the two scanners agreed on the detected license(s), that became
         the concluded license(s).
      
       - when there was disagreement between the two scanners (one detected a
         license but the other didn't, or they both detected different
         licenses) a manual inspection of the file occurred.
      
       - In most cases a manual inspection of the information in the file
         resulted in a clear resolution of the license that should apply (and
         which scanner probably needed to revisit its heuristics).
      
       - When it was not immediately clear, the license identifier was
         confirmed with lawyers working with the Linux Foundation.
      
       - If there was any question as to the appropriate license identifier,
         the file was flagged for further research and to be revisited later
         in time.
      
      In total, over 70 hours of logged manual review was done on the
      spreadsheet to determine the SPDX license identifiers to apply to the
      source files by Kate, Philippe, Thomas and, in some cases, confirmation
      by lawyers working with the Linux Foundation.
      
      Kate also obtained a third independent scan of the 4.13 code base from
      FOSSology, and compared selected files where the other two scanners
      disagreed against that SPDX file, to see if there was new insights.  The
      Windriver scanner is based on an older version of FOSSology in part, so
      they are related.
      
      Thomas did random spot checks in about 500 files from the spreadsheets
      for the uapi headers and agreed with SPDX license identifier in the
      files he inspected. For the non-uapi files Thomas did random spot checks
      in about 15000 files.
      
      In initial set of patches against 4.14-rc6, 3 files were found to have
      copy/paste license identifier errors, and have been fixed to reflect the
      correct identifier.
      
      Additionally Philippe spent 10 hours this week doing a detailed manual
      inspection and review of the 12,461 patched files from the initial patch
      version early this week with:
       - a full scancode scan run, collecting the matched texts, detected
         license ids and scores
       - reviewing anything where there was a license detected (about 500+
         files) to ensure that the applied SPDX license was correct
       - reviewing anything where there was no detection but the patch license
         was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
         SPDX license was correct
      
      This produced a worksheet with 20 files needing minor correction.  This
      worksheet was then exported into 3 different .csv files for the
      different types of files to be modified.
      
      These .csv files were then reviewed by Greg.  Thomas wrote a script to
      parse the csv files and add the proper SPDX tag to the file, in the
      format that the file expected.  This script was further refined by Greg
      based on the output to detect more types of files automatically and to
      distinguish between header and source .c files (which need different
      comment types.)  Finally Greg ran the script using the .csv files to
      generate the patches.
      Reviewed-by: NKate Stewart <kstewart@linuxfoundation.org>
      Reviewed-by: NPhilippe Ombredanne <pombredanne@nexb.com>
      Reviewed-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2441318
  6. 24 10月, 2017 3 次提交
    • W
      locking/barriers: Kill lockless_dereference() · 59ecbbe7
      Will Deacon 提交于
      lockless_dereference() is a nice idea, but it gained little traction in
      kernel code since its introduction three years ago. This is partly
      because it's a pain to type, but also because using READ_ONCE() instead
      has worked correctly on all architectures apart from Alpha, which is a
      fully supported but somewhat niche architecture these days.
      
      Now that READ_ONCE() has been upgraded to contain an implicit
      smp_read_barrier_depends() and the few callers of lockless_dereference()
      have been converted, we can remove lockless_dereference() altogether.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1508840570-22169-5-git-send-email-will.deacon@arm.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      59ecbbe7
    • W
      locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE() · 76ebbe78
      Will Deacon 提交于
      In preparation for the removal of lockless_dereference(), which is the
      same as READ_ONCE() on all architectures other than Alpha, add an
      implicit smp_read_barrier_depends() to READ_ONCE() so that it can be
      used to head dependency chains on all architectures.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1508840570-22169-3-git-send-email-will.deacon@arm.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      76ebbe78
    • W
      linux/compiler.h: Split into compiler.h and compiler_types.h · d1515582
      Will Deacon 提交于
      linux/compiler.h is included indirectly by linux/types.h via
      uapi/linux/types.h -> uapi/linux/posix_types.h -> linux/stddef.h
      -> uapi/linux/stddef.h and is needed to provide a proper definition of
      offsetof.
      
      Unfortunately, compiler.h requires a definition of
      smp_read_barrier_depends() for defining lockless_dereference() and soon
      for defining READ_ONCE(), which means that all
      users of READ_ONCE() will need to include asm/barrier.h to avoid splats
      such as:
      
         In file included from include/uapi/linux/stddef.h:1:0,
                          from include/linux/stddef.h:4,
                          from arch/h8300/kernel/asm-offsets.c:11:
         include/linux/list.h: In function 'list_empty':
      >> include/linux/compiler.h:343:2: error: implicit declaration of function 'smp_read_barrier_depends' [-Werror=implicit-function-declaration]
           smp_read_barrier_depends(); /* Enforce dependency ordering from x */ \
           ^
      
      A better alternative is to include asm/barrier.h in linux/compiler.h,
      but this requires a type definition for "bool" on some architectures
      (e.g. x86), which is defined later by linux/types.h. Type "bool" is also
      used directly in linux/compiler.h, so the whole thing is pretty fragile.
      
      This patch splits compiler.h in two: compiler_types.h contains type
      annotations, definitions and the compiler-specific parts, whereas
      compiler.h #includes compiler-types.h and additionally defines macros
      such as {READ,WRITE.ACCESS}_ONCE().
      
      uapi/linux/stddef.h and linux/linkage.h are then moved over to include
      linux/compiler_types.h, which fixes the build for h8 and blackfin.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1508840570-22169-2-git-send-email-will.deacon@arm.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      d1515582
  7. 01 9月, 2017 1 次提交
    • J
      include/linux/compiler.h: don't perform compiletime_assert with -O0 · c03567a8
      Joe Stringer 提交于
      Commit c7acec71 ("kernel.h: handle pointers to arrays better in
      container_of()") made use of __compiletime_assert() from container_of()
      thus increasing the usage of this macro, allowing developers to notice
      type conflicts in usage of container_of() at compile time.
      
      However, the implementation of __compiletime_assert relies on compiler
      optimizations to report an error.  This means that if a developer uses
      "-O0" with any code that performs container_of(), the compiler will always
      report an error regardless of whether there is an actual problem in the
      code.
      
      This patch disables compile_time_assert when optimizations are disabled to
      allow such code to compile with CFLAGS="-O0".
      
      Example compilation failure:
      
      ./include/linux/compiler.h:547:38: error: call to `__compiletime_assert_94' declared with attribute error: pointer type mismatch in container_of()
        _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
                                            ^
      ./include/linux/compiler.h:530:4: note: in definition of macro `__compiletime_assert'
          prefix ## suffix();    \
          ^~~~~~
      ./include/linux/compiler.h:547:2: note: in expansion of macro `_compiletime_assert'
        _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
        ^~~~~~~~~~~~~~~~~~~
      ./include/linux/build_bug.h:46:37: note: in expansion of macro `compiletime_assert'
       #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                           ^~~~~~~~~~~~~~~~~~
      ./include/linux/kernel.h:860:2: note: in expansion of macro `BUILD_BUG_ON_MSG'
        BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
        ^~~~~~~~~~~~~~~~
      
      [akpm@linux-foundation.org: use do{}while(0), per Michal]
      Link: http://lkml.kernel.org/r/20170829230114.11662-1-joe@ovn.org
      Fixes: c7acec71 ("kernel.h: handle pointers to arrays better in container_of()")
      Signed-off-by: NJoe Stringer <joe@ovn.org>
      Cc: Ian Abbott <abbotti@mev.co.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Michal Nazarewicz <mina86@mina86.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c03567a8
  8. 28 7月, 2017 1 次提交
    • J
      objtool: Assume unannotated UD2 instructions are dead ends · 649ea4d5
      Josh Poimboeuf 提交于
      Arnd reported some false positive warnings with GCC 7:
      
        drivers/hid/wacom_wac.o: warning: objtool: wacom_bpt3_touch()+0x2a5: stack state mismatch: cfa1=7+8 cfa2=6+16
        drivers/iio/adc/vf610_adc.o: warning: objtool: vf610_adc_calculate_rates() falls through to next function vf610_adc_sample_set()
        drivers/pwm/pwm-hibvt.o: warning: objtool: hibvt_pwm_get_state() falls through to next function hibvt_pwm_remove()
        drivers/pwm/pwm-mediatek.o: warning: objtool: mtk_pwm_config() falls through to next function mtk_pwm_enable()
        drivers/spi/spi-bcm2835.o: warning: objtool: .text: unexpected end of section
        drivers/spi/spi-bcm2835aux.o: warning: objtool: .text: unexpected end of section
        drivers/watchdog/digicolor_wdt.o: warning: objtool: dc_wdt_get_timeleft() falls through to next function dc_wdt_restart()
      
      When GCC 7 detects a potential divide-by-zero condition, it sometimes
      inserts a UD2 instruction for the case where the divisor is zero,
      instead of letting the hardware trap on the divide instruction.
      
      Objtool doesn't consider UD2 to be fatal unless it's annotated with
      unreachable().  So it considers the GCC-generated UD2 to be non-fatal,
      and it tries to follow the control flow past the UD2 and gets
      confused.
      
      Previously, objtool *did* assume UD2 was always a dead end.  That
      changed with the following commit:
      
        d1091c7f ("objtool: Improve detection of BUG() and other dead ends")
      
      The motivation behind that change was that Peter was planning on using
      UD2 for __WARN(), which is *not* a dead end.  However, it turns out
      that some emulators rely on UD2 being fatal, so he ended up using
      'ud0' instead:
      
        9a93848f ("x86/debug: Implement __WARN() using UD0")
      
      For GCC 4.5+, it should be safe to go back to the previous assumption
      that UD2 is fatal, even when it's not annotated with unreachable().
      
      But for pre-4.5 versions of GCC, the unreachable() macro isn't
      supported, so such cases of UD2 need to be explicitly annotated as
      reachable.
      Reported-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: d1091c7f ("objtool: Improve detection of BUG() and other dead ends")
      Link: http://lkml.kernel.org/r/e57fa9dfede25f79487da8126ee9cdf7b856db65.1501188854.git.jpoimboe@redhat.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      649ea4d5
  9. 25 7月, 2017 1 次提交
    • K
      x86/asm: Add ASM_UNREACHABLE · aa5d1b81
      Kees Cook 提交于
      This creates an unreachable annotation in asm for CONFIG_STACK_VALIDATION=y.
      While here, adjust earlier uses of \t\n into \n\t.
      Suggested-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Elena Reshetova <elena.reshetova@intel.com>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Hans Liljestrand <ishkamiel@gmail.com>
      Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Serge E. Hallyn <serge@hallyn.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: arozansk@redhat.com
      Cc: axboe@kernel.dk
      Cc: kernel-hardening@lists.openwall.com
      Cc: linux-arch <linux-arch@vger.kernel.org>
      Link: http://lkml.kernel.org/r/1500921349-10803-3-git-send-email-keescook@chromium.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>
      aa5d1b81
  10. 19 7月, 2017 1 次提交
    • T
      compiler-gcc.h: Introduce __nostackprotector function attribute · 7375ae3a
      Tom Lendacky 提交于
      Create a new function attribute, __nostackprotector, that can used to turn off
      stack protection on a per function basis.
      Signed-off-by: NTom Lendacky <thomas.lendacky@amd.com>
      Reviewed-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Cc: Dave Young <dyoung@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Larry Woodman <lwoodman@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Toshimitsu Kani <toshi.kani@hpe.com>
      Cc: kasan-dev@googlegroups.com
      Cc: kvm@vger.kernel.org
      Cc: linux-arch@vger.kernel.org
      Cc: linux-doc@vger.kernel.org
      Cc: linux-efi@vger.kernel.org
      Cc: linux-mm@kvack.org
      Link: http://lkml.kernel.org/r/0576fd5c74440ad0250f16ac6609ecf587812456.1500319216.git.thomas.lendacky@amd.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      7375ae3a
  11. 01 7月, 2017 1 次提交
    • K
      task_struct: Allow randomized layout · 29e48ce8
      Kees Cook 提交于
      This marks most of the layout of task_struct as randomizable, but leaves
      thread_info and scheduler state untouched at the start, and thread_struct
      untouched at the end.
      
      Other parts of the kernel use unnamed structures, but the 0-day builder
      using gcc-4.4 blows up on static initializers. Officially, it's documented
      as only working on gcc 4.6 and later, which further confuses me:
      	https://gcc.gnu.org/wiki/C11Status
      The structure layout randomization already requires gcc 4.7, but instead
      of depending on the plugin being enabled, just check the gcc versions
      for wider build testing. At Linus's suggestion, the marking is hidden
      in a macro to reduce how ugly it looks. Additionally, indenting is left
      unchanged since it would make things harder to read.
      
      Randomization of task_struct is modified from Brad Spengler/PaX Team's
      code in the last public patch of grsecurity/PaX based on my understanding
      of the code. Changes or omissions from the original code are mine and
      don't reflect the original grsecurity/PaX code.
      
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      29e48ce8
  12. 23 6月, 2017 1 次提交
    • K
      gcc-plugins: Add the randstruct plugin · 313dd1b6
      Kees Cook 提交于
      This randstruct plugin is modified from Brad Spengler/PaX Team's code
      in the last public patch of grsecurity/PaX based on my understanding
      of the code. Changes or omissions from the original code are mine and
      don't reflect the original grsecurity/PaX code.
      
      The randstruct GCC plugin randomizes the layout of selected structures
      at compile time, as a probabilistic defense against attacks that need to
      know the layout of structures within the kernel. This is most useful for
      "in-house" kernel builds where neither the randomization seed nor other
      build artifacts are made available to an attacker. While less useful for
      distribution kernels (where the randomization seed must be exposed for
      third party kernel module builds), it still has some value there since now
      all kernel builds would need to be tracked by an attacker.
      
      In more performance sensitive scenarios, GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
      can be selected to make a best effort to restrict randomization to
      cacheline-sized groups of elements, and will not randomize bitfields. This
      comes at the cost of reduced randomization.
      
      Two annotations are defined,__randomize_layout and __no_randomize_layout,
      which respectively tell the plugin to either randomize or not to
      randomize instances of the struct in question. Follow-on patches enable
      the auto-detection logic for selecting structures for randomization
      that contain only function pointers. It is disabled here to assist with
      bisection.
      
      Since any randomized structs must be initialized using designated
      initializers, __randomize_layout includes the __designated_init annotation
      even when the plugin is disabled so that all builds will require
      the needed initialization. (With the plugin enabled, annotations for
      automatically chosen structures are marked as well.)
      
      The main differences between this implemenation and grsecurity are:
      - disable automatic struct selection (to be enabled in follow-up patch)
      - add designated_init attribute at runtime and for manual marking
      - clarify debugging output to differentiate bad cast warnings
      - add whitelisting infrastructure
      - support gcc 7's DECL_ALIGN and DECL_MODE changes (Laura Abbott)
      - raise minimum required GCC version to 4.7
      
      Earlier versions of this patch series were ported by Michael Leibowitz.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      313dd1b6
  13. 09 6月, 2017 1 次提交
  14. 29 5月, 2017 1 次提交
  15. 28 2月, 2017 1 次提交
    • L
      kprobes: move kprobe declarations to asm-generic/kprobes.h · 7d134b2c
      Luis R. Rodriguez 提交于
      Often all is needed is these small helpers, instead of compiler.h or a
      full kprobes.h.  This is important for asm helpers, in fact even some
      asm/kprobes.h make use of these helpers...  instead just keep a generic
      asm file with helpers useful for asm code with the least amount of
      clutter as possible.
      
      Likewise we need now to also address what to do about this file for both
      when architectures have CONFIG_HAVE_KPROBES, and when they do not.  Then
      for when architectures have CONFIG_HAVE_KPROBES but have disabled
      CONFIG_KPROBES.
      
      Right now most asm/kprobes.h do not have guards against CONFIG_KPROBES,
      this means most architecture code cannot include asm/kprobes.h safely.
      Correct this and add guards for architectures missing them.
      Additionally provide architectures that not have kprobes support with
      the default asm-generic solution.  This lets us force asm/kprobes.h on
      the header include/linux/kprobes.h always, but most importantly we can
      now safely include just asm/kprobes.h on architecture code without
      bringing the full kitchen sink of header files.
      
      Two architectures already provided a guard against CONFIG_KPROBES on its
      kprobes.h: sh, arch.  The rest of the architectures needed gaurds added.
      We avoid including any not-needed headers on asm/kprobes.h unless
      kprobes have been enabled.
      
      In a subsequent atomic change we can try now to remove compiler.h from
      include/linux/kprobes.h.
      
      During this sweep I've also identified a few architectures defining a
      common macro needed for both kprobes and ftrace, that of the definition
      of the breakput instruction up.  Some refer to this as
      BREAKPOINT_INSTRUCTION.  This must be kept outside of the #ifdef
      CONFIG_KPROBES guard.
      
      [mcgrof@kernel.org: fix arm64 build]
        Link: http://lkml.kernel.org/r/CAB=NE6X1WMByuARS4mZ1g9+W=LuVBnMDnh_5zyN0CLADaVh=Jw@mail.gmail.com
      [sfr@canb.auug.org.au: fixup for kprobes declarations moving]
        Link: http://lkml.kernel.org/r/20170214165933.13ebd4f4@canb.auug.org.au
      Link: http://lkml.kernel.org/r/20170203233139.32682-1-mcgrof@kernel.orgSigned-off-by: NLuis R. Rodriguez <mcgrof@kernel.org>
      Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
      Acked-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7d134b2c
  16. 19 1月, 2017 2 次提交
  17. 18 1月, 2017 1 次提交
    • S
      tracing: Process constants for (un)likely() profiler · d45ae1f7
      Steven Rostedt (VMware) 提交于
      When running the likely/unlikely profiler, one of the results did not look
      accurate. It noted that the unlikely() in link_path_walk() was 100%
      incorrect. When I added a trace_printk() to see what was happening there, it
      became 80% correct! Looking deeper into what whas happening, I found that
      gcc split that if statement into two paths. One where the if statement
      became a constant, the other path a variable. The other path had the if
      statement always hit (making the unlikely there, always false), but since
      the #define unlikely() has:
      
        #define unlikely() (__builtin_constant_p(x) ? !!(x) : __branch_check__(x, 0))
      
      Where constants are ignored by the branch profiler, the "constant" path
      made by the compiler was ignored, even though it was hit 80% of the time.
      
      By just passing the constant value to the __branch_check__() function and
      tracing it out of line (as always correct, as likely/unlikely isn't a factor
      for constants), then we get back the accurate readings of branches that were
      optimized by gcc causing part of the execution to become constant.
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      d45ae1f7
  18. 11 10月, 2016 1 次提交
    • E
      latent_entropy: Mark functions with __latent_entropy · 0766f788
      Emese Revfy 提交于
      The __latent_entropy gcc attribute can be used only on functions and
      variables.  If it is on a function then the plugin will instrument it for
      gathering control-flow entropy. If the attribute is on a variable then
      the plugin will initialize it with random contents.  The variable must
      be an integer, an integer array type or a structure with integer fields.
      
      These specific functions have been selected because they are init
      functions (to help gather boot-time entropy), are called at unpredictable
      times, or they have variable loops, each of which provide some level of
      latent entropy.
      Signed-off-by: NEmese Revfy <re.emese@gmail.com>
      [kees: expanded commit message]
      Signed-off-by: NKees Cook <keescook@chromium.org>
      0766f788
  19. 09 9月, 2016 1 次提交
    • N
      kbuild: allow archs to select link dead code/data elimination · b67067f1
      Nicholas Piggin 提交于
      Introduce LD_DEAD_CODE_DATA_ELIMINATION option for architectures to
      select to build with -ffunction-sections, -fdata-sections, and link
      with --gc-sections. It requires some work (documented) to ensure all
      unreferenced entrypoints are live, and requires toolchain and build
      verification, so it is made a per-arch option for now.
      
      On a random powerpc64le build, this yelds a significant size saving,
      it boots and runs fine, but there is a lot I haven't tested as yet, so
      these savings may be reduced if there are bugs in the link.
      
          text      data        bss        dec   filename
      11169741   1180744    1923176	14273661   vmlinux
      10445269   1004127    1919707	13369103   vmlinux.dce
      
      ~700K text, ~170K data, 6% removed from kernel image size.
      Signed-off-by: NNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: NMichal Marek <mmarek@suse.com>
      b67067f1
  20. 05 9月, 2016 1 次提交
  21. 18 8月, 2016 1 次提交
  22. 13 7月, 2016 1 次提交
    • D
      pmem: kill __pmem address space · 7a9eb206
      Dan Williams 提交于
      The __pmem address space was meant to annotate codepaths that touch
      persistent memory and need to coordinate a call to wmb_pmem().  Now that
      wmb_pmem() is gone, there is little need to keep this annotation.
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      7a9eb206
  23. 14 6月, 2016 3 次提交
  24. 08 6月, 2016 1 次提交
  25. 20 5月, 2016 1 次提交
    • R
      compiler.h: add support for malloc attribute · d64e85d3
      Rasmus Villemoes 提交于
      gcc as far back as at least 3.04 documents the function attribute
      __malloc__.  Add a shorthand for attaching that to a function
      declaration.  This was also suggested by Andi Kleen way back in 2002
      [1], but didn't get applied, perhaps because gcc at that time generated
      the exact same code with and without this attribute.
      
      This attribute tells the compiler that the return value (if non-NULL)
      can be assumed not to alias any other valid pointers at the time of the
      call.
      
      Please note that the documentation for a range of gcc versions (starting
      from around 4.7) contained a somewhat confusing and self-contradicting
      text:
      
        The malloc attribute is used to tell the compiler that a function may
        be treated as if any non-NULL pointer it returns cannot alias any other
        pointer valid when the function returns and *that the memory has
        undefined content*.  [...] Standard functions with this property include
        malloc and *calloc*.
      
      (emphasis mine). The intended meaning has later been clarified [2]:
      
        This tells the compiler that a function is malloc-like, i.e., that the
        pointer P returned by the function cannot alias any other pointer valid
        when the function returns, and moreover no pointers to valid objects
        occur in any storage addressed by P.
      
      What this means is that we can apply the attribute to kmalloc and
      friends, and it is ok for the returned memory to have well-defined
      contents (__GFP_ZERO).  But it is not ok to apply it to kmemdup(), nor
      to other functions which both allocate and possibly initialize the
      memory with existing pointers.  So unless someone is doing something
      pretty perverted kstrdup() should also be a fine candidate.
      
      [1] http://thread.gmane.org/gmane.linux.kernel/57172
      [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56955Signed-off-by: NRasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d64e85d3
  26. 24 2月, 2016 1 次提交
    • B
      sparse: Add __private to privatize members of structs · ad315455
      Boqun Feng 提交于
      In C programming language, we don't have a easy way to privatize a
      member of a structure. However in kernel, sometimes there is a need to
      privatize a member in case of potential bugs or misuses.
      
      Fortunately, the noderef attribute of sparse is a way to privatize a
      member, as by defining a member as noderef, the address-of operator on
      the member will produce a noderef pointer to that member, and if anyone
      wants to dereference that kind of pointers to read or modify the member,
      sparse will yell.
      
      Based on this, __private modifier and related operation ACCESS_PRIVATE()
      are introduced, which could help detect undesigned public uses of
      private members of structs. Here is an example of sparse's output if it
      detect an undersigned public use:
      
      | kernel/rcu/tree.c:4453:25: warning: incorrect type in argument 1 (different modifiers)
      | kernel/rcu/tree.c:4453:25:    expected struct raw_spinlock [usertype] *lock
      | kernel/rcu/tree.c:4453:25:    got struct raw_spinlock [noderef] *<noident>
      
      Also, this patch improves compiler.h a little bit by adding comments for
      "#else" and "#endif".
      Signed-off-by: NBoqun Feng <boqun.feng@gmail.com>
      Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      ad315455
  27. 16 2月, 2016 1 次提交
    • A
      tracing: Fix freak link error caused by branch tracer · b33c8ff4
      Arnd Bergmann 提交于
      In my randconfig tests, I came across a bug that involves several
      components:
      
      * gcc-4.9 through at least 5.3
      * CONFIG_GCOV_PROFILE_ALL enabling -fprofile-arcs for all files
      * CONFIG_PROFILE_ALL_BRANCHES overriding every if()
      * The optimized implementation of do_div() that tries to
        replace a library call with an division by multiplication
      * code in drivers/media/dvb-frontends/zl10353.c doing
      
              u32 adc_clock = 450560; /* 45.056 MHz */
              if (state->config.adc_clock)
                      adc_clock = state->config.adc_clock;
              do_div(value, adc_clock);
      
      In this case, gcc fails to determine whether the divisor
      in do_div() is __builtin_constant_p(). In particular, it
      concludes that __builtin_constant_p(adc_clock) is false, while
      __builtin_constant_p(!!adc_clock) is true.
      
      That in turn throws off the logic in do_div() that also uses
      __builtin_constant_p(), and instead of picking either the
      constant- optimized division, and the code in ilog2() that uses
      __builtin_constant_p() to figure out whether it knows the answer at
      compile time. The result is a link error from failing to find
      multiple symbols that should never have been called based on
      the __builtin_constant_p():
      
      dvb-frontends/zl10353.c:138: undefined reference to `____ilog2_NaN'
      dvb-frontends/zl10353.c:138: undefined reference to `__aeabi_uldivmod'
      ERROR: "____ilog2_NaN" [drivers/media/dvb-frontends/zl10353.ko] undefined!
      ERROR: "__aeabi_uldivmod" [drivers/media/dvb-frontends/zl10353.ko] undefined!
      
      This patch avoids the problem by changing __trace_if() to check
      whether the condition is known at compile-time to be nonzero, rather
      than checking whether it is actually a constant.
      
      I see this one link error in roughly one out of 1600 randconfig builds
      on ARM, and the patch fixes all known instances.
      
      Link: http://lkml.kernel.org/r/1455312410-1058841-1-git-send-email-arnd@arndb.deAcked-by: NNicolas Pitre <nico@linaro.org>
      Fixes: ab3c9c68 ("branch tracer, intel-iommu: fix build with CONFIG_BRANCH_TRACER=y")
      Cc: stable@vger.kernel.org # v2.6.30+
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      b33c8ff4
  28. 09 2月, 2016 1 次提交
  29. 04 12月, 2015 1 次提交
    • P
      locking, sched: Introduce smp_cond_acquire() and use it · b3e0b1b6
      Peter Zijlstra 提交于
      Introduce smp_cond_acquire() which combines a control dependency and a
      read barrier to form acquire semantics.
      
      This primitive has two benefits:
      
       - it documents control dependencies,
       - its typically cheaper than using smp_load_acquire() in a loop.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      b3e0b1b6
  30. 06 11月, 2015 1 次提交
  31. 04 11月, 2015 1 次提交
    • L
      atomic: remove all traces of READ_ONCE_CTRL() and atomic*_read_ctrl() · 105ff3cb
      Linus Torvalds 提交于
      This seems to be a mis-reading of how alpha memory ordering works, and
      is not backed up by the alpha architecture manual.  The helper functions
      don't do anything special on any other architectures, and the arguments
      that support them being safe on other architectures also argue that they
      are safe on alpha.
      
      Basically, the "control dependency" is between a previous read and a
      subsequent write that is dependent on the value read.  Even if the
      subsequent write is actually done speculatively, there is no way that
      such a speculative write could be made visible to other cpu's until it
      has been committed, which requires validating the speculation.
      
      Note that most weakely ordered architectures (very much including alpha)
      do not guarantee any ordering relationship between two loads that depend
      on each other on a control dependency:
      
          read A
          if (val == 1)
              read B
      
      because the conditional may be predicted, and the "read B" may be
      speculatively moved up to before reading the value A.  So we require the
      user to insert a smp_rmb() between the two accesses to be correct:
      
          read A;
          if (A == 1)
              smp_rmb()
              read B
      
      Alpha is further special in that it can break that ordering even if the
      *address* of B depends on the read of A, because the cacheline that is
      read later may be stale unless you have a memory barrier in between the
      pointer read and the read of the value behind a pointer:
      
          read ptr
          read offset(ptr)
      
      whereas all other weakly ordered architectures guarantee that the data
      dependency (as opposed to just a control dependency) will order the two
      accesses.  As a result, alpha needs a "smp_read_barrier_depends()" in
      between those two reads for them to be ordered.
      
      The coontrol dependency that "READ_ONCE_CTRL()" and "atomic_read_ctrl()"
      had was a control dependency to a subsequent *write*, however, and
      nobody can finalize such a subsequent write without having actually done
      the read.  And were you to write such a value to a "stale" cacheline
      (the way the unordered reads came to be), that would seem to lose the
      write entirely.
      
      So the things that make alpha able to re-order reads even more
      aggressively than other weak architectures do not seem to be relevant
      for a subsequent write.  Alpha memory ordering may be strange, but
      there's no real indication that it is *that* strange.
      
      Also, the alpha architecture reference manual very explicitly talks
      about the definition of "Dependence Constraints" in section 5.6.1.7,
      where a preceding read dominates a subsequent write.
      
      Such a dependence constraint admittedly does not impose a BEFORE (alpha
      architecture term for globally visible ordering), but it does guarantee
      that there can be no "causal loop".  I don't see how you could avoid
      such a loop if another cpu could see the stored value and then impact
      the value of the first read.  Put another way: the read and the write
      could not be seen as being out of order wrt other cpus.
      
      So I do not see how these "x_ctrl()" functions can currently be necessary.
      
      I may have to eat my words at some point, but in the absense of clear
      proof that alpha actually needs this, or indeed even an explanation of
      how alpha could _possibly_ need it, I do not believe these functions are
      called for.
      
      And if it turns out that alpha really _does_ need a barrier for this
      case, that barrier still should not be "smp_read_barrier_depends()".
      We'd have to make up some new speciality barrier just for alpha, along
      with the documentation for why it really is necessary.
      
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Paul E McKenney <paulmck@us.ibm.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      105ff3cb
  32. 20 10月, 2015 1 次提交
    • A
      compiler, atomics, kasan: Provide READ_ONCE_NOCHECK() · d976441f
      Andrey Ryabinin 提交于
      Some code may perform racy by design memory reads. This could be
      harmless, yet such code may produce KASAN warnings.
      
      To hide such accesses from KASAN this patch introduces
      READ_ONCE_NOCHECK() macro. KASAN will not check the memory
      accessed by READ_ONCE_NOCHECK(). The KernelThreadSanitizer
      (KTSAN) is going to ignore it as well.
      
      This patch creates __read_once_size_nocheck() a clone of
      __read_once_size(). The only difference between them is
      'no_sanitized_address' attribute appended to '*_nocheck'
      function. This attribute tells the compiler that instrumentation
      of memory accesses should not be applied to that function. We
      declare it as static '__maybe_unsed' because GCC is not capable
      to inline such function:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368
      
      With KASAN=n READ_ONCE_NOCHECK() is just a clone of READ_ONCE().
      Signed-off-by: NAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de>
      Cc: kasan-dev <kasan-dev@googlegroups.com>
      Link: http://lkml.kernel.org/r/1445243838-17763-2-git-send-email-aryabinin@virtuozzo.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      d976441f
  33. 14 10月, 2015 1 次提交
  34. 12 8月, 2015 1 次提交