1. 02 5月, 2019 1 次提交
  2. 28 3月, 2019 1 次提交
    • E
      kallsyms: store type information in its own array · 1c7651f4
      Eugene Loh 提交于
      When a module is loaded, its symbols' Elf_Sym information is stored
      in a symtab.  Further, type information is also captured.  Since
      Elf_Sym has no type field, historically the st_info field has been
      hijacked for storing type:  st_info was overwritten.
      
      commit 5439c985 ("module: Overwrite
      st_size instead of st_info") changes that practice, as its one-liner
      indicates.  Unfortunately, this change overwrites symbol size,
      information that a tool like DTrace expects to find.
      
      Allocate a typetab array to store type information so that no Elf_Sym
      field needs to be overwritten.
      
      Fixes: 5439c985 ("module: Overwrite st_size instead of st_info")
      Signed-off-by: NEugene Loh <eugene.loh@oracle.com>
      Reviewed-by: NNick Alcock <nick.alcock@oracle.com>
      [jeyu: renamed typeoff -> typeoffs ]
      Signed-off-by: NJessica Yu <jeyu@kernel.org>
      1c7651f4
  3. 16 2月, 2019 1 次提交
    • M
      include/linux/module.h: copy __init/__exit attrs to init/cleanup_module · a6e60d84
      Miguel Ojeda 提交于
      The upcoming GCC 9 release extends the -Wmissing-attributes warnings
      (enabled by -Wall) to C and aliases: it warns when particular function
      attributes are missing in the aliases but not in their target.
      
      In particular, it triggers for all the init/cleanup_module
      aliases in the kernel (defined by the module_init/exit macros),
      ending up being very noisy.
      
      These aliases point to the __init/__exit functions of a module,
      which are defined as __cold (among other attributes). However,
      the aliases themselves do not have the __cold attribute.
      
      Since the compiler behaves differently when compiling a __cold
      function as well as when compiling paths leading to calls
      to __cold functions, the warning is trying to point out
      the possibly-forgotten attribute in the alias.
      
      In order to keep the warning enabled, we decided to silence
      this case. Ideally, we would mark the aliases directly
      as __init/__exit. However, there are currently around 132 modules
      in the kernel which are missing __init/__exit in their init/cleanup
      functions (either because they are missing, or for other reasons,
      e.g. the functions being called from somewhere else); and
      a section mismatch is a hard error.
      
      A conservative alternative was to mark the aliases as __cold only.
      However, since we would like to eventually enforce __init/__exit
      to be always marked,  we chose to use the new __copy function
      attribute (introduced by GCC 9 as well to deal with this).
      With it, we copy the attributes used by the target functions
      into the aliases. This way, functions that were not marked
      as __init/__exit won't have their aliases marked either,
      and therefore there won't be a section mismatch.
      
      Note that the warning would go away marking either the extern
      declaration, the definition, or both. However, we only mark
      the definition of the alias, since we do not want callers
      (which only see the declaration) to be compiled as if the function
      was __cold (and therefore the paths leading to those calls
      would be assumed to be unlikely).
      
      Link: https://lore.kernel.org/lkml/20190123173707.GA16603@gmail.com/
      Link: https://lore.kernel.org/lkml/20190206175627.GA20399@gmail.com/Suggested-by: NMartin Sebor <msebor@gcc.gnu.org>
      Acked-by: NJessica Yu <jeyu@kernel.org>
      Signed-off-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      a6e60d84
  4. 11 2月, 2019 1 次提交
    • T
      module: Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity · bf7fbeea
      Thomas Gleixner 提交于
      The original MODULE_LICENSE string for kernel modules licensed under the
      GPL v2 (only / or later) was simply "GPL", which was - and still is -
      completely sufficient for the purpose of module loading and checking
      whether the module is free software or proprietary.
      
      In January 2003 this was changed with commit 3344ea3ad4b7 ("[PATCH]
      MODULE_LICENSE and EXPORT_SYMBOL_GPL support"). This commit can be found in
      the history git repository which holds the 1:1 import of Linus' bitkeeper
      repository:
      
        https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=3344ea3ad4b7c302c846a680dbaeedf96ed45c02
      
      The main intention of the patch was to refuse linking proprietary modules
      against symbols exported with EXPORT_SYMBOL_GPL() at module load time.
      
      As a completely undocumented side effect it also introduced the distinction
      between "GPL" and "GPL v2" MODULE_LICENSE() strings:
      
       *      "GPL"                           [GNU Public License v2 or later]
       *      "GPL v2"                        [GNU Public License v2]
       *      "GPL and additional rights"     [GNU Public License v2 rights and more]
       *      "Dual BSD/GPL"                  [GNU Public License v2
       *                                       or BSD license choice]
       *      "Dual MPL/GPL"                  [GNU Public License v2
       *                                       or Mozilla license choice]
      
      This distinction was and still is wrong in several aspects:
      
       1) It broke all modules which were using the "GPL" string in the
          MODULE_LICENSE() already and were licensed under GPL v2 only.
      
          A quick license scan over the tree at that time shows that at least 480
          out of 1484 modules have been affected by this change back then. The
          number is probably way higher as this was just a quick check for
          clearly identifiable license information.
      
          There was exactly ONE instance of a "GPL v2" module license string in
          the kernel back then - drivers/net/tulip/xircom_tulip_cb.c which
          otherwise had no license information at all. There is no indication
          that the change above is any way related to this driver. The change
          happend with the 2.4.11 release which was on Oct. 9 2001 - so quite
          some time before the above commit. Unfortunately there is no trace on
          the intertubes to any discussion of this.
      
       2) The dual licensed strings became ill defined as well because following
          the "GPL" vs. "GPL v2" distinction all dual licensed (or additional
          rights) MODULE_LICENSE strings would either require those dual licensed
          modules to be licensed under GPL v2 or later or just be unspecified for
          the dual licensing case. Neither choice is coherent with the GPL
          distinction.
      
      Due to the lack of a proper changelog and no real discussion on the patch
      submission other than a few implementation details, it's completely unclear
      why this distinction was introduced at all. Other than the comment in the
      module header file exists no documentation for this at all.
      
      From a license compliance and license scanning POV this distinction is a
      total nightmare.
      
      As of 5.0-rc2 2873 out of 9200 instances of MODULE_LICENSE() strings are
      conflicting with the actual license in the source code (either SPDX or
      license boilerplate/reference). A comparison between the scan of the
      history tree and a scan of current Linus tree shows to the extent that the
      git rename detection over Linus tree grafted with the history tree is
      halfways complete that almost none of the files which got broken in 2003
      have been cleaned up vs. the MODULE_LICENSE string. So subtracting those
      480 known instances from the conflicting 2800 of today more than 25% of the
      module authors got it wrong and it's a high propability that a large
      portion of the rest just got it right by chance.
      
      There is no value for the module loader to convey the detailed license
      information as the only decision to be made is whether the module is free
      software or not.
      
      The "and additional rights", "BSD" and "MPL" strings are not conclusive
      license information either. So there is no point in trying to make the GPL
      part conclusive and exact. As shown above it's already non conclusive for
      dual licensing and incoherent with a large portion of the module source.
      
      As an unintended side effect this distinction causes a major headache for
      license compliance, license scanners and the ongoing effort to clean up the
      license mess of the kernel.
      
      Therefore remove the well meant, but ill defined, distinction between "GPL"
      and "GPL v2" and document that:
      
        - "GPL" and "GPL v2" both express that the module is licensed under GPLv2
          (without a distinction of 'only' and 'or later') and is therefore kernel
          license compliant.
      
        - None of the MODULE_LICENSE strings can be used for expressing or
          determining the exact license
      
        - Their sole purpose is to decide whether the module is free software or
          not.
      
      Add a MODULE_LICENSE subsection to the license rule documentation as well.
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: NPhilippe Ombredanne <pombredanne@nexb.com>
      Acked-by: NJoe Perches <joe@perches.com>
      [jc: Did s/merily/merely/ ]
      Acked-by: NJessica Yu <jeyu@kernel.org>
      Signed-off-by: NJonathan Corbet <corbet@lwn.net>
      bf7fbeea
  5. 09 1月, 2019 1 次提交
    • W
      x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE · e4f35891
      WANG Chao 提交于
      Commit
      
        4cd24de3 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")
      
      replaced the RETPOLINE define with CONFIG_RETPOLINE checks. Remove the
      remaining pieces.
      
       [ bp: Massage commit message. ]
      
      Fixes: 4cd24de3 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")
      Signed-off-by: NWANG Chao <chao.wang@ucloud.cn>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Reviewed-by: NZhenzhong Duan <zhenzhong.duan@oracle.com>
      Reviewed-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: linux-kbuild@vger.kernel.org
      Cc: srinivas.eeda@oracle.com
      Cc: stable <stable@vger.kernel.org>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20181210163725.95977-1-chao.wang@ucloud.cn
      e4f35891
  6. 06 1月, 2019 1 次提交
    • M
      jump_label: move 'asm goto' support test to Kconfig · e9666d10
      Masahiro Yamada 提交于
      Currently, CONFIG_JUMP_LABEL just means "I _want_ to use jump label".
      
      The jump label is controlled by HAVE_JUMP_LABEL, which is defined
      like this:
      
        #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL)
        # define HAVE_JUMP_LABEL
        #endif
      
      We can improve this by testing 'asm goto' support in Kconfig, then
      make JUMP_LABEL depend on CC_HAS_ASM_GOTO.
      
      Ugly #ifdef HAVE_JUMP_LABEL will go away, and CONFIG_JUMP_LABEL will
      match to the real kernel capability.
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
      Tested-by: NSedat Dilek <sedat.dilek@gmail.com>
      e9666d10
  7. 19 12月, 2018 1 次提交
  8. 15 12月, 2018 1 次提交
    • V
      ARM: module: Fix function kallsyms on Thumb-2 · 93d77e7f
      Vincent Whitchurch 提交于
      Thumb-2 functions have the lowest bit set in the symbol value in the
      symtab.  When kallsyms are generated for the vmlinux, the kallsyms are
      generated from the output of nm, and nm clears the lowest bit.
      
       $ arm-linux-gnueabihf-readelf -a vmlinux | grep show_interrupts
        95947: 8015dc89   686 FUNC    GLOBAL DEFAULT    2 show_interrupts
       $ arm-linux-gnueabihf-nm vmlinux | grep show_interrupts
       8015dc88 T show_interrupts
       $ cat /proc/kallsyms | grep show_interrupts
       8015dc88 T show_interrupts
      
      However, for modules, the kallsyms uses the values in the symbol table
      without modification, so for functions in modules, the lowest bit is set
      in kallsyms.
      
       $ arm-linux-gnueabihf-readelf -a drivers/net/tun.ko | grep tun_get_socket
          333: 00002d4d    36 FUNC    GLOBAL DEFAULT    1 tun_get_socket
       $ arm-linux-gnueabihf-nm drivers/net/tun.ko | grep tun_get_socket
       00002d4c T tun_get_socket
       $ cat /proc/kallsyms | grep tun_get_socket
       7f802d4d t tun_get_socket      [tun]
      
      Because of this, the symbol+offset of the crashing instruction shown in
      oopses is incorrect when the crash is in a module.  For example, given a
      tun_get_socket which starts like this,
      
       00002d4c <tun_get_socket>:
           2d4c:       6943            ldr     r3, [r0, #20]
           2d4e:       4a07            ldr     r2, [pc, #28]
           2d50:       4293            cmp     r3, r2
      
      a crash when tun_get_socket is called with NULL results in:
      
       PC is at tun_xdp+0xa3/0xa4 [tun]
       pc : [<7f802d4c>]
      
      As can be seen, the "PC is at" line reports the wrong symbol name, and
      the symbol+offset will point to the wrong source line if it is passed to
      gdb.
      
      To solve this, add a way for archs to fixup the reading of these module
      kallsyms values, and use that to clear the lowest bit for function
      symbols on Thumb-2.
      
      After the fix:
      
       # cat /proc/kallsyms | grep tun_get_socket
       7f802d4c t tun_get_socket       [tun]
      
       PC is at tun_get_socket+0x0/0x24 [tun]
       pc : [<7f802d4c>]
      Signed-off-by: NVincent Whitchurch <vincent.whitchurch@axis.com>
      Signed-off-by: NJessica Yu <jeyu@kernel.org>
      93d77e7f
  9. 18 10月, 2018 1 次提交
    • M
      tracepoint: Fix tracepoint array element size mismatch · 9c0be3f6
      Mathieu Desnoyers 提交于
      commit 46e0c9be ("kernel: tracepoints: add support for relative
      references") changes the layout of the __tracepoint_ptrs section on
      architectures supporting relative references. However, it does so
      without turning struct tracepoint * const into const int elsewhere in
      the tracepoint code, which has the following side-effect:
      
      Setting mod->num_tracepoints is done in by module.c:
      
          mod->tracepoints_ptrs = section_objs(info, "__tracepoints_ptrs",
                                               sizeof(*mod->tracepoints_ptrs),
                                               &mod->num_tracepoints);
      
      Basically, since sizeof(*mod->tracepoints_ptrs) is a pointer size
      (rather than sizeof(int)), num_tracepoints is erroneously set to half the
      size it should be on 64-bit arch. So a module with an odd number of
      tracepoints misses the last tracepoint due to effect of integer
      division.
      
      So in the module going notifier:
      
              for_each_tracepoint_range(mod->tracepoints_ptrs,
                      mod->tracepoints_ptrs + mod->num_tracepoints,
                      tp_module_going_check_quiescent, NULL);
      
      the expression (mod->tracepoints_ptrs + mod->num_tracepoints) actually
      evaluates to something within the bounds of the array, but miss the
      last tracepoint if the number of tracepoints is odd on 64-bit arch.
      
      Fix this by introducing a new typedef: tracepoint_ptr_t, which
      is either "const int" on architectures that have PREL32 relocations,
      or "struct tracepoint * const" on architectures that does not have
      this feature.
      
      Also provide a new tracepoint_ptr_defer() static inline to
      encapsulate deferencing this type rather than duplicate code and
      ugly idefs within the for_each_tracepoint_range() implementation.
      
      This issue appears in 4.19-rc kernels, and should ideally be fixed
      before the end of the rc cycle.
      Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: NJessica Yu <jeyu@kernel.org>
      Link: http://lkml.kernel.org/r/20181013191050.22389-1-mathieu.desnoyers@efficios.com
      Link: http://lkml.kernel.org/r/20180704083651.24360-7-ard.biesheuvel@linaro.org
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: James Morris <james.morris@microsoft.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Nicolas Pitre <nico@linaro.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Cc: Thomas Garnier <thgarnie@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      9c0be3f6
  10. 11 10月, 2018 1 次提交
  11. 25 6月, 2018 1 次提交
  12. 07 2月, 2018 1 次提交
  13. 26 1月, 2018 1 次提交
    • A
      module/retpoline: Warn about missing retpoline in module · caf7501a
      Andi Kleen 提交于
      There's a risk that a kernel which has full retpoline mitigations becomes
      vulnerable when a module gets loaded that hasn't been compiled with the
      right compiler or the right option.
      
      To enable detection of that mismatch at module load time, add a module info
      string "retpoline" at build time when the module was compiled with
      retpoline support. This only covers compiled C source, but assembler source
      or prebuilt object files are not checked.
      
      If a retpoline enabled kernel detects a non retpoline protected module at
      load time, print a warning and report it in the sysfs vulnerability file.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: NAndi Kleen <ak@linux.intel.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: gregkh@linuxfoundation.org
      Cc: torvalds@linux-foundation.org
      Cc: jeyu@kernel.org
      Cc: arjan@linux.intel.com
      Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
      caf7501a
  14. 13 1月, 2018 2 次提交
    • M
      error-injection: Add injectable error types · 663faf9f
      Masami Hiramatsu 提交于
      Add injectable error types for each error-injectable function.
      
      One motivation of error injection test is to find software flaws,
      mistakes or mis-handlings of expectable errors. If we find such
      flaws by the test, that is a program bug, so we need to fix it.
      
      But if the tester miss input the error (e.g. just return success
      code without processing anything), it causes unexpected behavior
      even if the caller is correctly programmed to handle any errors.
      That is not what we want to test by error injection.
      
      To clarify what type of errors the caller must expect for each
      injectable function, this introduces injectable error types:
      
       - EI_ETYPE_NULL : means the function will return NULL if it
      		    fails. No ERR_PTR, just a NULL.
       - EI_ETYPE_ERRNO : means the function will return -ERRNO
      		    if it fails.
       - EI_ETYPE_ERRNO_NULL : means the function will return -ERRNO
      		       (ERR_PTR) or NULL.
      
      ALLOW_ERROR_INJECTION() macro is expanded to get one of
      NULL, ERRNO, ERRNO_NULL to record the error type for
      each function. e.g.
      
       ALLOW_ERROR_INJECTION(open_ctree, ERRNO)
      
      This error types are shown in debugfs as below.
      
        ====
        / # cat /sys/kernel/debug/error_injection/list
        open_ctree [btrfs]	ERRNO
        io_ctl_init [btrfs]	ERRNO
        ====
      Signed-off-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Reviewed-by: NJosef Bacik <jbacik@fb.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      663faf9f
    • M
      error-injection: Separate error-injection from kprobe · 540adea3
      Masami Hiramatsu 提交于
      Since error-injection framework is not limited to be used
      by kprobes, nor bpf. Other kernel subsystems can use it
      freely for checking safeness of error-injection, e.g.
      livepatch, ftrace etc.
      So this separate error-injection framework from kprobes.
      
      Some differences has been made:
      
      - "kprobe" word is removed from any APIs/structures.
      - BPF_ALLOW_ERROR_INJECTION() is renamed to
        ALLOW_ERROR_INJECTION() since it is not limited for BPF too.
      - CONFIG_FUNCTION_ERROR_INJECTION is the config item of this
        feature. It is automatically enabled if the arch supports
        error injection feature for kprobe or ftrace etc.
      Signed-off-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Reviewed-by: NJosef Bacik <jbacik@fb.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      540adea3
  15. 09 1月, 2018 1 次提交
    • S
      sections: split dereference_function_descriptor() · b865ea64
      Sergey Senozhatsky 提交于
      There are two format specifiers to print out a pointer in symbolic
      format: '%pS/%ps' and '%pF/%pf'. On most architectures, the two
      mean exactly the same thing, but some architectures (ia64, ppc64,
      parisc64) use an indirect pointer for C function pointers, where
      the function pointer points to a function descriptor (which in
      turn contains the actual pointer to the code). The '%pF/%pf, when
      used appropriately, automatically does the appropriate function
      descriptor dereference on such architectures.
      
      The "when used appropriately" part is tricky. Basically this is
      a subtle ABI detail, specific to some platforms, that made it to
      the API level and people can be unaware of it and miss the whole
      "we need to dereference the function" business out. [1] proves
      that point (note that it fixes only '%pF' and '%pS', there might
      be '%pf' and '%ps' cases as well).
      
      It appears that we can handle everything within the affected
      arches and make '%pS/%ps' smart enough to retire '%pF/%pf'.
      Function descriptors live in .opd elf section and all affected
      arches (ia64, ppc64, parisc64) handle it properly for kernel
      and modules. So we, technically, can decide if the dereference
      is needed by simply looking at the pointer: if it belongs to
      .opd section then we need to dereference it.
      
      The kernel and modules have their own .opd sections, obviously,
      that's why we need to split dereference_function_descriptor()
      and use separate kernel and module dereference arch callbacks.
      
      This patch does the first step, it
      a) adds dereference_kernel_function_descriptor() function.
      b) adds a weak alias to dereference_module_function_descriptor()
         function.
      
      So, for the time being, we will have:
      1) dereference_function_descriptor()
         A generic function, that simply dereferences the pointer. There is
         bunch of places that call it: kgdbts, init/main.c, extable, etc.
      
      2) dereference_kernel_function_descriptor()
         A function to call on kernel symbols that does kernel .opd section
         address range test.
      
      3) dereference_module_function_descriptor()
         A function to call on modules' symbols that does modules' .opd
         section address range test.
      
      [1] https://marc.info/?l=linux-kernel&m=150472969730573
      
      Link: http://lkml.kernel.org/r/20171109234830.5067-2-sergey.senozhatsky@gmail.com
      To: Fenghua Yu <fenghua.yu@intel.com>
      To: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      To: Paul Mackerras <paulus@samba.org>
      To: Michael Ellerman <mpe@ellerman.id.au>
      To: James Bottomley <jejb@parisc-linux.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-ia64@vger.kernel.org
      Cc: linux-parisc@vger.kernel.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Tested-by: Tony Luck <tony.luck@intel.com> #ia64
      Tested-by: Santosh Sivaraj <santosh@fossix.org> #powerpc
      Tested-by: Helge Deller <deller@gmx.de> #parisc64
      Signed-off-by: NPetr Mladek <pmladek@suse.com>
      b865ea64
  16. 13 12月, 2017 1 次提交
  17. 09 11月, 2017 1 次提交
    • B
      module: export module signature enforcement status · fda784e5
      Bruno E. O. Meneguele 提交于
      A static variable sig_enforce is used as status var to indicate the real
      value of CONFIG_MODULE_SIG_FORCE, once this one is set the var will hold
      true, but if the CONFIG is not set the status var will hold whatever
      value is present in the module.sig_enforce kernel cmdline param: true
      when =1 and false when =0 or not present.
      
      Considering this cmdline param take place over the CONFIG value when
      it's not set, other places in the kernel could misbehave since they
      would have only the CONFIG_MODULE_SIG_FORCE value to rely on. Exporting
      this status var allows the kernel to rely in the effective value of
      module signature enforcement, being it from CONFIG value or cmdline
      param.
      Signed-off-by: NBruno E. O. Meneguele <brdeoliv@redhat.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      fda784e5
  18. 30 7月, 2017 1 次提交
    • M
      module: Remove const attribute from alias for MODULE_DEVICE_TABLE · 0bf8bf50
      Matthias Kaehlcke 提交于
      MODULE_DEVICE_TABLE(type, name) creates an alias of type 'extern const
      typeof(name)'. If 'name' is already constant the 'const' attribute is
      specified twice, which is not allowed in C89 (see discussion at
      https://lkml.org/lkml/2017/5/23/1440). Since the kernel is built with
      -std=gnu89 clang generates warnings like this:
      
      drivers/thermal/x86_pkg_temp_thermal.c:509:1: warning: duplicate 'const'
        declaration specifier
            [-Wduplicate-decl-specifier]
      MODULE_DEVICE_TABLE(x86cpu, pkg_temp_thermal_ids);
      ^
      ./include/linux/module.h:212:8: note: expanded from macro 'MODULE_DEVICE_TABLE'
      extern const typeof(name) __mod_##type##__##name##_device_table
      
      Remove the const attribute from the alias to avoid the duplicate
      specifier. After all it is only an alias and the attribute shouldn't
      have any effect.
      Signed-off-by: NMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: NJessica Yu <jeyu@kernel.org>
      0bf8bf50
  19. 01 7月, 2017 1 次提交
    • K
      randstruct: Mark various structs for randomization · 3859a271
      Kees Cook 提交于
      This marks many critical kernel structures for randomization. These are
      structures that have been targeted in the past in security exploits, or
      contain functions pointers, pointers to function pointer tables, lists,
      workqueues, ref-counters, credentials, permissions, or are otherwise
      sensitive. This initial list was extracted from Brad Spengler/PaX Team's
      code in the last public patch of grsecurity/PaX based on my understanding
      of the code. Changes or omissions from the original code are mine and
      don't reflect the original grsecurity/PaX code.
      
      Left out of this list is task_struct, which requires special handling
      and will be covered in a subsequent patch.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      3859a271
  20. 14 6月, 2017 2 次提交
  21. 24 4月, 2017 1 次提交
  22. 16 3月, 2017 1 次提交
    • T
      locking/lockdep: Handle statically initialized PER_CPU locks properly · 383776fa
      Thomas Gleixner 提交于
      If a PER_CPU struct which contains a spin_lock is statically initialized
      via:
      
      DEFINE_PER_CPU(struct foo, bla) = {
      	.lock = __SPIN_LOCK_UNLOCKED(bla.lock)
      };
      
      then lockdep assigns a seperate key to each lock because the logic for
      assigning a key to statically initialized locks is to use the address as
      the key. With per CPU locks the address is obvioulsy different on each CPU.
      
      That's wrong, because all locks should have the same key.
      
      To solve this the following modifications are required:
      
       1) Extend the is_kernel/module_percpu_addr() functions to hand back the
          canonical address of the per CPU address, i.e. the per CPU address
          minus the per CPU offset.
      
       2) Check the lock address with these functions and if the per CPU check
          matches use the returned canonical address as the lock key, so all per
          CPU locks have the same key.
      
       3) Move the static_obj(key) check into look_up_lock_class() so this check
          can be avoided for statically initialized per CPU locks.  That's
          required because the canonical address fails the static_obj(key) check
          for obvious reasons.
      Reported-by: NMike Galbraith <efault@gmx.de>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      [ Merged Dan's fixups for !MODULES and !SMP into this patch. ]
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dan Murphy <dmurphy@ti.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/20170227143736.pectaimkjkan5kow@linutronix.deSigned-off-by: NIngo Molnar <mingo@kernel.org>
      383776fa
  23. 10 2月, 2017 1 次提交
  24. 08 2月, 2017 1 次提交
  25. 07 2月, 2017 1 次提交
  26. 04 2月, 2017 1 次提交
    • A
      modversions: treat symbol CRCs as 32 bit quantities · 71810db2
      Ard Biesheuvel 提交于
      The modversion symbol CRCs are emitted as ELF symbols, which allows us
      to easily populate the kcrctab sections by relying on the linker to
      associate each kcrctab slot with the correct value.
      
      This has a couple of downsides:
      
       - Given that the CRCs are treated as memory addresses, we waste 4 bytes
         for each CRC on 64 bit architectures,
      
       - On architectures that support runtime relocation, a R_<arch>_RELATIVE
         relocation entry is emitted for each CRC value, which identifies it
         as a quantity that requires fixing up based on the actual runtime
         load offset of the kernel. This results in corrupted CRCs unless we
         explicitly undo the fixup (and this is currently being handled in the
         core module code)
      
       - Such runtime relocation entries take up 24 bytes of __init space
         each, resulting in a x8 overhead in [uncompressed] kernel size for
         CRCs.
      
      Switching to explicit 32 bit values on 64 bit architectures fixes most
      of these issues, given that 32 bit values are not treated as quantities
      that require fixing up based on the actual runtime load offset.  Note
      that on some ELF64 architectures [such as PPC64], these 32-bit values
      are still emitted as [absolute] runtime relocatable quantities, even if
      the value resolves to a build time constant.  Since relative relocations
      are always resolved at build time, this patch enables MODULE_REL_CRCS on
      powerpc when CONFIG_RELOCATABLE=y, which turns the absolute CRC
      references into relative references into .rodata where the actual CRC
      value is stored.
      
      So redefine all CRC fields and variables as u32, and redefine the
      __CRC_SYMBOL() macro for 64 bit builds to emit the CRC reference using
      inline assembler (which is necessary since 64-bit C code cannot use
      32-bit types to hold memory addresses, even if they are ultimately
      resolved using values that do not exceed 0xffffffff).  To avoid
      potential problems with legacy 32-bit architectures using legacy
      toolchains, the equivalent C definition of the kcrctab entry is retained
      for 32-bit architectures.
      
      Note that this mostly reverts commit d4703aef ("module: handle ppc64
      relocating kcrctabs when CONFIG_RELOCATABLE=y")
      Acked-by: NRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      71810db2
  27. 04 1月, 2017 1 次提交
  28. 27 11月, 2016 2 次提交
  29. 04 8月, 2016 2 次提交
    • J
      modules: add ro_after_init support · 444d13ff
      Jessica Yu 提交于
      Add ro_after_init support for modules by adding a new page-aligned section
      in the module layout (after rodata) for ro_after_init data and enabling RO
      protection for that section after module init runs.
      Signed-off-by: NJessica Yu <jeyu@redhat.com>
      Acked-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      444d13ff
    • P
      exceptions: fork exception table content from module.h into extable.h · 0ef76537
      Paul Gortmaker 提交于
      For historical reasons (i.e. pre-git) the exception table stuff was
      buried in the middle of the module.h file.  I noticed this while
      doing an audit for needless includes of module.h and found core
      kernel files (both arch specific and arch independent) were just
      including module.h for this.
      
      The converse is also true, in that conventional drivers, be they
      for filesystems or actual hardware peripherals or similar, do not
      normally care about the exception tables.
      
      Here we fork the exception table content out of module.h into a
      new file called extable.h -- and temporarily include it into the
      module.h itself.
      
      Then we will work our way across the arch independent and arch
      specific files needing just exception table content, and move
      them off module.h and onto extable.h
      
      Once that is done, we can remove the extable.h from module.h
      and in doing it like this, we avoid introducing build failures
      into the git history.
      
      The gain here is that module.h gets a bit smaller, across all
      modular drivers that we build for allmodconfig.  Also the core
      files that only need exception table stuff don't have an include
      of module.h that brings in lots of extra stuff and just looks
      generally out of place.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      0ef76537
  30. 27 7月, 2016 1 次提交
  31. 01 4月, 2016 1 次提交
    • J
      module: preserve Elf information for livepatch modules · 1ce15ef4
      Jessica Yu 提交于
      For livepatch modules, copy Elf section, symbol, and string information
      from the load_info struct in the module loader. Persist copies of the
      original symbol table and string table.
      
      Livepatch manages its own relocation sections in order to reuse module
      loader code to write relocations. Livepatch modules must preserve Elf
      information such as section indices in order to apply livepatch relocation
      sections using the module loader's apply_relocate_add() function.
      
      In order to apply livepatch relocation sections, livepatch modules must
      keep a complete copy of their original symbol table in memory. Normally, a
      stripped down copy of a module's symbol table (containing only "core"
      symbols) is made available through module->core_symtab. But for livepatch
      modules, the symbol table copied into memory on module load must be exactly
      the same as the symbol table produced when the patch module was compiled.
      This is because the relocations in each livepatch relocation section refer
      to their respective symbols with their symbol indices, and the original
      symbol indices (and thus the symtab ordering) must be preserved in order
      for apply_relocate_add() to find the right symbol.
      Signed-off-by: NJessica Yu <jeyu@redhat.com>
      Reviewed-by: NMiroslav Benes <mbenes@suse.cz>
      Acked-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Acked-by: NRusty Russell <rusty@rustcorp.com.au>
      Reviewed-by: NRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      1ce15ef4
  32. 03 2月, 2016 1 次提交
    • R
      modules: fix longstanding /proc/kallsyms vs module insertion race. · 8244062e
      Rusty Russell 提交于
      For CONFIG_KALLSYMS, we keep two symbol tables and two string tables.
      There's one full copy, marked SHF_ALLOC and laid out at the end of the
      module's init section.  There's also a cut-down version that only
      contains core symbols and strings, and lives in the module's core
      section.
      
      After module init (and before we free the module memory), we switch
      the mod->symtab, mod->num_symtab and mod->strtab to point to the core
      versions.  We do this under the module_mutex.
      
      However, kallsyms doesn't take the module_mutex: it uses
      preempt_disable() and rcu tricks to walk through the modules, because
      it's used in the oops path.  It's also used in /proc/kallsyms.
      There's nothing atomic about the change of these variables, so we can
      get the old (larger!) num_symtab and the new symtab pointer; in fact
      this is what I saw when trying to reproduce.
      
      By grouping these variables together, we can use a
      carefully-dereferenced pointer to ensure we always get one or the
      other (the free of the module init section is already done in an RCU
      callback, so that's safe).  We allocate the init one at the end of the
      module init section, and keep the core one inside the struct module
      itself (it could also have been allocated at the end of the module
      core, but that's probably overkill).
      Reported-by: NWeilong Chen <chenweilong@huawei.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111541
      Cc: stable@kernel.org
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      8244062e
  33. 05 12月, 2015 2 次提交
  34. 06 7月, 2015 1 次提交
    • P
      module: relocate module_init from init.h to module.h · 0fd972a7
      Paul Gortmaker 提交于
      Modular users will always be users of init functionality, but
      users of init functionality are not necessarily always modules.
      
      Hence any functionality like module_init and module_exit would
      be more at home in the module.h file.  And module.h should
      explicitly include init.h to make the dependency clear.
      
      We've already done all the legwork needed to ensure that this
      move does not cause any build regressions due to implicit
      header file include assumptions about where module_init lives.
      
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Acked-by: NRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
      0fd972a7
  35. 28 6月, 2015 1 次提交