1. 18 Dec, 2017 2 commits
  2. 17 Dec, 2017 9 commits
    • xtensa: use __memset in __xtensa_clear_user · e0baa014
      Max Filippov committed
      memset on xtensa is capable of accessing user memory, but KASAN checks
      if memset function is actually used for that and reports it as an error:
      
       ==================================================================
       BUG: KASAN: user-memory-access in padzero+0x4d/0x58
       Write of size 519 at addr 0049ddf9 by task init/1
      
       Call Trace:
        [<b0189978>] kasan_report+0x160/0x238
        [<b0188818>] check_memory_region+0xf8/0x100
        [<b018891c>] memset+0x20/0x34
        [<b0238b71>] padzero+0x4d/0x58
       ==================================================================
      
      Use __memset in __xtensa_clear_user to avoid that.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: add support for KASAN · c633544a
      Max Filippov committed
      Cover kernel addresses above 0x90000000 by the shadow map. Enable
      HAVE_ARCH_KASAN when MMU is enabled. Provide kasan_early_init that fills
      shadow map with writable copies of kasan_zero_page. Call
      kasan_early_init right after mmu initialization in the setup_arch.
      Provide kasan_init that allocates proper shadow map pages from the
      memblock and puts these pages into the shadow map for addresses from
      VMALLOC area to the end of KSEG. Call kasan_init right after memblock
      initialization. Don't use KASAN for the boot code, MMU and KASAN
      initialization and page fault handler. Make kernel stack size 4 times
      larger when KASAN is enabled to avoid stack overflows.
      GCC 7.3, 8 or newer is required to build the xtensa kernel with KASAN.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: move fixmap and kmap just above the KSEG · 1af1e8a3
      Max Filippov committed
      The virtual address space between the page table and the VMALLOC region
      is big enough to host KASAN shadow map and there's enough space between
      the VMALLOC area and KSEG for the fixmap and kmap.
      Move fixmap and kmap to the gap between VMALLOC area and KSEG, just
      above the KSEG. Reorder entries in the kernel memory layout printing
      code. Drop duplicate PGTABLE_START definition, use
      XCHAL_PAGE_TABLE_VADDR instead.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: don't clear swapper_pg_dir in paging_init · d4e337fe
      Max Filippov committed
      swapper_pg_dir is located in the .bss, so it's zero-initialized anyway.
      With KASAN enabled paging_init will be called after KASAN
      initialization, it must not erase page directory entries set up for
      KASAN shadow map.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: extract init_kio · c2edb35a
      Max Filippov committed
      KIO region placement may be specified in the device tree, that's why
      it's initialized with the rest of MMU after the early_init_devtree. In
      order to support KASAN the MMU must be initialized earlier.
      Separate KIO initialization from the rest of MMU initialization.
      Reinitialize KIO if its location is specified in the device tree.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: implement early_trap_init · 501c26e8
      Max Filippov committed
      Paging on xtensa architecture requires functioning exception handling
      because hardware cannot transparently access page tables that are not
      currently mapped by TLB. Exception handling is set up late in the
      initialization process, but working paging is needed for KASAN.
      
      Provide early_trap_init that sets up minimal exception handling
      sufficient for KASAN to work.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: clean up exception handling structure · f21a79ca
      Max Filippov committed
      Instead of using flat array of longs use normal C structure and generate
      EXC_TABLE_* constants in the asm-offsets.c
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: clean up custom-controlled debug output · c130d3be
      Max Filippov committed
      Replace #ifdef'fed/commented out debug printk statements with pr_debug.
      Replace printk statements with pr_* equivalents.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    • xtensa: enable stack protector · 40d1a07b
      Max Filippov committed
      The implementation is adopted from the ARM arch. GCC 7.3, 8 or newer is
      required for building the xtensa kernel with SSP.
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
  3. 11 Dec, 2017 7 commits
  4. 10 Dec, 2017 1 commit
  5. 13 Nov, 2017 3 commits
    • Linux 4.14 · bebc6082
      Linus Torvalds committed
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 152bbb43
      Linus Torvalds committed
      Pull x86 fixes from Thomas Gleixner:
       "A set of small fixes:
      
         - make KGDB work again which got broken by the conversion of WARN()
           to #UD. The WARN fixup needs to run before the notifier callchain,
           otherwise KGDB tries to handle it and crashes.
      
         - disable KASAN in the ORC unwinder to prevent false positive KASAN
           warnings
      
         - prevent default mapping above 47bit when 5 level page tables are
           enabled
      
         - make the delay calibration optimization work correctly, which had
           the conditionals the wrong way around and was operating on data
           which was not yet updated.
      
         - remove the bogus X86_TRAP_BP trap init from the default IDT init
           table, which broke 32bit int3 handling by overwriting the correct
           int3 setup.
      
         - replace this_cpu* with boot_cpu_data access in the preemptible
           oprofile init code"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/debug: Handle warnings before the notifier chain, to fix KGDB crash
        x86/mm: Fix ELF_ET_DYN_BASE for 5-level paging
        x86/idt: Remove X86_TRAP_BP initialization in idt_setup_traps()
        x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
        x86/unwind: Disable KASAN checking in the ORC unwinder
        x86/smpboot: Make optimization of delay calibration work correctly
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 69581c74
      Linus Torvalds committed
      Pull perf tool fixes from Thomas Gleixner:
       "A small set of fixes for perf tool:
      
         - synchronize the i915 drm header to avoid the 'out of date' warning
      
         - make sure that perf trace cleans up its temporary files on exit
      
         - unbreak the build with newer flex versions
      
         - add missing braces in the eBPF parsing rules"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tooling/headers: Sync the tools/include/uapi/drm/i915_drm.h UAPI header
        perf trace: Call machine__exit() at exit
        perf tools: Fix eBPF event specification parsing
        perf tools: Add "reject" option for parse-events.l
  6. 12 Nov, 2017 1 commit
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b3954568
      Linus Torvalds committed
      Pull networking fixes from David Miller:
      
       1) Use after free in vlan, from Cong Wang.
      
       2) Handle NAPI poll with a zero budget properly in mlx5 driver, from
          Saeed Mahameed.
      
       3) If DMA mapping fails in mlx5 driver, NULL out page, from Inbar
          Karmy.
      
       4) Handle overrun in RX FIFO of sun4i CAN driver, from Gerhard
          Bertelsmann.
      
       5) Missing return in mdb and vlan prepare phase of DSA layer, from
          Vivien Didelot.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        vlan: fix a use-after-free in vlan_device_event()
        net: dsa: return after vlan prepare phase
        net: dsa: return after mdb prepare phase
        can: ifi: Fix transmitter delay calculation
        tcp: fix tcp_fastretrans_alert warning
        tcp: gso: avoid refcount_t warning from tcp_gso_segment()
        can: peak: Add support for new PCIe/M2 CAN FD interfaces
        can: sun4i: handle overrun in RX FIFO
        can: c_can: don't indicate triple sampling support for D_CAN
        net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs
        net/mlx5e: Set page to null in case dma mapping fails
        net/mlx5e: Fix napi poll with zero budget
        net/mlx5: Cancel health poll before sending panic teardown command
        net/mlx5: Loop over temp list to release delay events
        rds: ib: Fix NULL pointer dereference in debug code
  7. 11 Nov, 2017 14 commits
  8. 10 Nov, 2017 3 commits
    • can: ifi: Fix transmitter delay calculation · 4f711675
      Marek Vasut committed
      The CANFD transmitter delay calculation formula was updated in the
      latest software drop from IFI and improves the behavior of the IFI
      CANFD core during bitrate switching. Use the new formula to improve
      stability of the CANFD operation.
      Signed-off-by: Marek Vasut <marex@denx.de>
      Cc: Markus Marb <markus@marb.org>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • tcp: fix tcp_fastretrans_alert warning · 0eb96bf7
      Yuchung Cheng committed
      This patch fixes the cause of a WARNING indicating TCP has pending
      retransmission in Open state in tcp_fastretrans_alert().
      
      The root cause is a bad interaction between path mtu probing,
      if enabled, and the RACK loss detection. Upon receiving a SACK
      above the sequence of the MTU probing packet, RACK could mark the
      probe packet lost in tcp_fastretrans_alert(), prior to calling
      tcp_simple_retransmit().
      
      tcp_simple_retransmit() only enters Loss state if it newly marks
      the probe packet lost. If the probe packet is already identified as
      lost by RACK, the sender remains in Open state with some packets
      marked lost and retransmitted. Then the next SACK would trigger
      the warning. The likely scenario is that the probe packet was
      lost due to its size or network congestion. The actual impact of
      this warning is small by potentially entering fast recovery an
      ACK later.
      
      The simple fix is always entering recovery (Loss) state if some
      packet is marked lost during path MTU probing.
      
      Fixes: a0370b3f ("tcp: enable RACK loss detection to trigger recovery")
      Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
      Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
      Reported-by: Roman Gushchin <guro@fb.com>
      Signed-off-by: Yuchung Cheng <ycheng@google.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: gso: avoid refcount_t warning from tcp_gso_segment() · 7ec318fe
      Eric Dumazet committed
      When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
      and N2, we want to transfer socket ownership to the new fresh skbs.
      
      In order to avoid expensive atomic operations on a cache line subject to
      cache bouncing, we replace the sequence :
      
      refcount_add(N1, &sk->sk_wmem_alloc);
      refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments
      
      refcount_sub(O, &sk->sk_wmem_alloc);
      
      by a single
      
      refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);
      
      Problem is :
      
      In some pathological cases, sum(N) - O might be a negative number, and
      syzkaller bot was apparently able to trigger this trace [1]
      
      atomic_t was ok with this construct, but we need to take care of the
      negative delta with refcount_t
      
      [1]
      refcount_t: saturated; leaking memory.
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:52
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1c4/0x1e0 kernel/panic.c:546
       report_bug+0x211/0x2d0 lib/bug.c:183
       fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
       do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
       do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
       do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
       invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
      RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
      RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282
      RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68
      RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000
      R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c
      R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f
       refcount_add+0x1b/0x60 lib/refcount.c:101
       tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155
       tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51
       inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271
       skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749
       __skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821
       skb_gso_segment include/linux/netdevice.h:3971 [inline]
       validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074
       __dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
       neigh_hh_output include/net/neighbour.h:471 [inline]
       neigh_output include/net/neighbour.h:479 [inline]
       ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229
       ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:238 [inline]
       ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:459 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
       tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137
       tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341
       __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513
       tcp_push_pending_frames include/net/tcp.h:1722 [inline]
       tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline]
       tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497
       tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460
       sk_backlog_rcv include/net/sock.h:909 [inline]
       __release_sock+0x124/0x360 net/core/sock.c:2264
       release_sock+0xa4/0x2a0 net/core/sock.c:2776
       tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
       sock_sendmsg_nosec net/socket.c:632 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:642
       ___sys_sendmsg+0x31c/0x890 net/socket.c:2048
       __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
      
      Fixes: 14afee4b ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
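
The negative-delta case described in the tcp_gso_segment() commit above, as an added example that is not part of the commit or the kernel source: a simplified userspace model of a saturating counter next to plain wrapping arithmetic. The names (`model_ref`, `transfer_wrapping`, `transfer_naive`, `transfer_signed`) are hypothetical and the truesize values are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct model_ref { unsigned int refs; bool flagged; }; /* model, not kernel code */

/* Unsigned add: a wrap-around pins the counter at UINT_MAX and flags it. */
static void model_add(unsigned int i, struct model_ref *r)
{
    unsigned int sum = r->refs + i;
    r->flagged = (r->refs == UINT_MAX || sum < r->refs);
    r->refs = r->flagged ? UINT_MAX : sum;
}

/* Plain wrapping arithmetic: a negative delta is absorbed modulo 2^32. */
unsigned int transfer_wrapping(unsigned int wmem, int delta)
{
    return wmem + (unsigned int)delta;
}

/* Negative delta handed straight to the saturating add. */
struct model_ref transfer_naive(unsigned int wmem, int delta)
{
    struct model_ref r = { wmem, false };
    model_add((unsigned int)delta, &r);
    return r;
}

/* Branch on the sign: add when growing, subtract the magnitude otherwise. */
struct model_ref transfer_signed(unsigned int wmem, int delta)
{
    struct model_ref r = { wmem, false };
    unsigned int mag = 0u - (unsigned int)delta;
    if (delta >= 0)
        model_add((unsigned int)delta, &r);
    else if (mag <= r.refs)
        r.refs -= mag;
    else
        r.flagged = true; /* underflow: report instead of wrapping */
    return r;
}

int main(void)
{
    int delta = (1024 + 2048) - 4096; /* constructed: N1 + N2 - O = -1024 */
    printf("wrapping=%u naive=%u signed=%u\n", transfer_wrapping(8192u, delta),
           transfer_naive(8192u, delta).refs, transfer_signed(8192u, delta).refs);
    return 0;
}
```

In the model, the wrapping and sign-aware paths agree on the final count, while the naive path pins the counter at `UINT_MAX`, the state the "saturated; leaking memory" warning reports.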