* [GIT PULL] hardening fixes for v6.9-rc5
@ 2024-04-19 20:16 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-04-19 20:16 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Nathan Chancellor
Hi Linus,
Please pull these handful of hardening fixes for v6.9-rc5.
Thanks!
-Kees
The following changes since commit 0bbac3facb5d6cc0171c45c9873a2dc96bea9680:
Linux 6.9-rc4 (2024-04-14 13:38:39 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc5
for you to fetch changes up to f4626c12e4b538f757a73d08f4d86d564175b4f7:
ubsan: Add awareness of signed integer overflow traps (2024-04-15 17:42:43 -0700)
----------------------------------------------------------------
hardening fixes for v6.9-rc5
- Correctly disable UBSAN configs in configs/hardening (Nathan Chancellor)
- Add missing signed integer overflow trap types to arm64 handler
----------------------------------------------------------------
Kees Cook (1):
ubsan: Add awareness of signed integer overflow traps
Nathan Chancellor (2):
configs/hardening: Fix disabling UBSAN configurations
configs/hardening: Disable CONFIG_UBSAN_SIGNED_WRAP
kernel/configs/hardening.config | 11 ++++++-----
lib/ubsan.c | 18 ++++++++++++++++--
2 files changed, 22 insertions(+), 7 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] hardening fixes for v6.9-rc4
@ 2024-04-10 16:36 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-04-10 16:36 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Arnd Bergmann, Kees Cook,
kernel test robot
Hi Linus,
Please pull these hardening fixes for v6.9-rc4.
Thanks!
-Kees
The following changes since commit 39cd87c4eb2b893354f3b850f916353f2658ae6f:
Linux 6.9-rc2 (2024-03-31 14:32:39 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc4
for you to fetch changes up to 9c573cd313433f6c1f7236fe64b9b743500c1628:
randomize_kstack: Improve entropy diffusion (2024-04-03 14:45:03 -0700)
----------------------------------------------------------------
hardening fixes for v6.9-rc4
- gcc-plugins/stackleak: Avoid .head.text section (Ard Biesheuvel)
- ubsan: fix unused variable warning in test module (Arnd Bergmann)
- Improve entropy diffusion in randomize_kstack
----------------------------------------------------------------
Ard Biesheuvel (1):
gcc-plugins/stackleak: Avoid .head.text section
Arnd Bergmann (1):
ubsan: fix unused variable warning in test module
Kees Cook (1):
randomize_kstack: Improve entropy diffusion
include/linux/randomize_kstack.h | 2 +-
lib/test_ubsan.c | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] execve fixes for v6.9-rc2
@ 2024-03-26 22:44 88% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-26 22:44 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Justin Stitt, Kees Cook, linux-hardening,
Max Filippov, Muhammad Usama Anjum
Hi Linus,
Please pull these execve fixes for v6.9-rc2.
Thanks!
-Kees
The following changes since commit 725d50261285ccf02501f2a1a6d10b31ce014597:
exec: Simplify remove_arg_zero() error path (2024-03-09 13:46:30 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.9-rc2
for you to fetch changes up to 5248f4097308c1cdcf163314a6ea3c8c88c98cd9:
binfmt: replace deprecated strncpy (2024-03-21 20:20:52 -0700)
----------------------------------------------------------------
execve fixes for v6.9-rc2
- Fix selftests to conform to the TAP output format (Muhammad Usama Anjum)
- Fix NOMMU linux_binprm::exec pointer in auxv (Max Filippov)
- Replace deprecated strncpy usage (Justin Stitt)
- Replace another /bin/sh instance in selftests
----------------------------------------------------------------
Justin Stitt (1):
binfmt: replace deprecated strncpy
Kees Cook (2):
selftests/exec: execveat: Improve debug reporting
selftests/exec: Convert remaining /bin/sh to /bin/bash
Max Filippov (1):
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
Muhammad Usama Anjum (3):
selftests/exec: binfmt_script: Add the overall result line according to TAP
selftests/exec: load_address: conform test to TAP format output
selftests/exec: recursion-depth: conform test to TAP format output
fs/binfmt_elf_fdpic.c | 2 +-
fs/exec.c | 1 +
tools/testing/selftests/exec/Makefile | 4 +-
tools/testing/selftests/exec/binfmt_script.py | 10 ++++-
tools/testing/selftests/exec/execveat.c | 12 +++---
tools/testing/selftests/exec/load_address.c | 34 ++++++++---------
tools/testing/selftests/exec/recursion-depth.c | 53 +++++++++++++-------------
7 files changed, 61 insertions(+), 55 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 88%]
* [GIT PULL] hardening fixes for v6.9-rc1
@ 2024-03-22 23:57 83% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-22 23:57 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bjorn Helgaas, David Gow, Guenter Roeck,
Gustavo A. R. Silva, Kees Cook, kernel test robot, Liu Song,
Marco Elver, Nathan Chancellor, Przemek Kitszel, Randy Dunlap
Hi Linus,
Please pull these handful of hardening fixes for v6.9-rc1. One of the two
"end of -rc1 API refactors" I mentioned in the first PR is included here,
for DEFINE_FLEX(), now that netdev has landed.
Thanks!
-Kees
The following changes since commit 0a7b0acecea273c8816f4f5b0e189989470404cf:
Merge tag 'vfs-6.9-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs (2024-03-18 09:15:50 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1-fixes
for you to fetch changes up to 231dc3f0c936db142ef3fa922f1ab751dd532d70:
lkdtm/bugs: Improve warning message for compilers without counted_by support (2024-03-22 16:25:31 -0700)
----------------------------------------------------------------
hardening fixes for v6.9-rc1
- CONFIG_MEMCPY_SLOW_KUNIT_TEST is no longer needed (Guenter Roeck)
- Fix needless UTF-8 character in arch/Kconfig (Liu Song)
- Improve __counted_by warning message in LKDTM (Nathan Chancellor)
- Refactor DEFINE_FLEX() for default use of __counted_by
- Disable signed integer overflow sanitizer on GCC < 8
----------------------------------------------------------------
Guenter Roeck (1):
Revert "kunit: memcpy: Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST"
Kees Cook (2):
ubsan: Disable signed integer overflow sanitizer on GCC < 8
overflow: Change DEFINE_FLEX to take __counted_by member
Liu Song (1):
arch/Kconfig: eliminate needless UTF-8 character in Kconfig help
Nathan Chancellor (1):
lkdtm/bugs: Improve warning message for compilers without counted_by support
arch/Kconfig | 2 +-
drivers/misc/lkdtm/bugs.c | 2 +-
drivers/net/ethernet/intel/ice/ice_base.c | 4 ++--
drivers/net/ethernet/intel/ice/ice_common.c | 4 ++--
drivers/net/ethernet/intel/ice/ice_ddp.c | 8 ++++----
drivers/net/ethernet/intel/ice/ice_lag.c | 6 +++---
drivers/net/ethernet/intel/ice/ice_sched.c | 4 ++--
drivers/net/ethernet/intel/ice/ice_switch.c | 10 +++++-----
include/linux/overflow.h | 25 +++++++++++++++++++++----
lib/Kconfig.debug | 12 ------------
lib/Kconfig.ubsan | 2 ++
lib/memcpy_kunit.c | 3 ---
lib/overflow_kunit.c | 19 +++++++++++++++++++
13 files changed, 62 insertions(+), 39 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 83%]
* [GIT PULL] hardening updates for v6.9-rc1
@ 2024-03-12 1:18 48% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-12 1:18 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Lobakin, Al Viro, Andrew Morton,
Andrey Konovalov, Andrey Ryabinin, Andy Shevchenko,
Andy Shevchenko, Andy Shevchenko, Arnd Bergmann, Bill Wendling,
Dan Carpenter, Douglas Anderson, Fangrui Song,
Geert Uytterhoeven, Greg Kroah-Hartman, Guenter Roeck,
Guixiong Wei, Gustavo A. R. Silva, Hao Luo, Harshit Mogalapalli,
Jacob Keller, Jakub Kicinski, Jani Nikula, Jingzi Meng,
John Paul Adrian Glaubitz, Josh Poimboeuf, Juergen Gross,
Justin Stitt, Kees Cook, Kent Overstreet, kernel test robot,
linux-doc, linux-hardening, linux-kbuild, linux-sh, linux-um,
llvm, Lukas Bulwahn, Marco Elver, Mark Rutland, Masahiro Yamada,
Matthieu Baerts, Michael Ellerman, Michal Wajdeczko,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Nicolas Schier, Nicolas Schier, Peter Zijlstra, Randy Dunlap,
Richard Weinberger, Rich Felker, Sachin Sant, Sam Ravnborg,
syzkaller, Tanzir Hasan, Tycho Andersen, Vasiliy Kovalev,
Vegard Nossum, Yoshinori Sato
Hi Linus,
Please pull these kernel hardening updates for v6.9-rc1. As is pretty
normal for this tree, there are changes all over the place, especially
for small fixes, selftest improvements, and improved macro usability.
Some header changes ended up landing via this tree as they depended on
the string header cleanups. Also, a notable set of changes is the work
for the reintroduction of the UBSAN signed integer overflow sanitizer
so that we can continue to make improvements on the compiler side to
make this sanitizer a more viable future security hardening option.
Everything has been in -next for a while, but there are a couple small
merge conflicts to deal with:
kbuild tree:
https://lore.kernel.org/linux-next/20240226165811.56f71171@canb.auug.org.au/
bcachefs tree:
https://lore.kernel.org/linux-next/20240301154351.1d097566@canb.auug.org.au/
Later in the merge window I intend to send some macro adjustment
collateral changes, but since they're mechanical, I figured it would be
simpler to wait for the end of -rc1.
Thanks!
-Kees
The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:
Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.9-rc1
for you to fetch changes up to 3fe1eb4dd2e4b872ffb7b9b081b34ffcfa934ba7:
selftests/powerpc: Fix load_unaligned_zeropad build failure (2024-03-05 10:29:15 -0800)
----------------------------------------------------------------
hardening updates for v6.9-rc1
- string.h and related header cleanups (Tanzir Hasan, Andy Shevchenko)
- VMCI memcpy() usage and struct_size() cleanups (Vasiliy Kovalev, Harshit
Mogalapalli)
- selftests/powerpc: Fix load_unaligned_zeropad build failure (Michael
Ellerman)
- hardened Kconfig fragment updates (Marco Elver, Lukas Bulwahn)
- Handle tail call optimization better in LKDTM (Douglas Anderson)
- Use long form types in overflow.h (Andy Shevchenko)
- Add flags param to string_get_size() (Andy Shevchenko)
- Add Coccinelle script for potential struct_size() use (Jacob Keller)
- Fix objtool corner case under KCFI (Josh Poimboeuf)
- Drop 13 year old backward compat CAP_SYS_ADMIN check (Jingzi Meng)
- Add str_plural() helper (Michal Wajdeczko, Kees Cook)
- Ignore relocations in .notes section
- Add comments to explain how __is_constexpr() works
- Fix m68k stack alignment expectations in stackinit Kunit test
- Convert string selftests to KUnit
- Add KUnit tests for fortified string functions
- Improve reporting during fortified string warnings
- Allow non-type arg to type_max() and type_min()
- Allow strscpy() to be called with only 2 arguments
- Add binary mode to leaking_addresses scanner
- Various small cleanups to leaking_addresses scanner
- Adding wrapping_*() arithmetic helper
- Annotate initial signed integer wrap-around in refcount_t
- Add explicit UBSAN section to MAINTAINERS
- Fix UBSAN self-test warnings
- Simplify UBSAN build via removal of CONFIG_UBSAN_SANITIZE_ALL
- Reintroduce UBSAN's signed overflow sanitizer
----------------------------------------------------------------
Andy Shevchenko (4):
kernel.h: Move upper_*_bits() and lower_*_bits() to wordpart.h
kernel.h: Move lib/cmdline.c prototypes to string.h
overflow: Use POD in check_shl_overflow()
lib/string_helpers: Add flags param to string_get_size()
Douglas Anderson (3):
lkdtm: Make lkdtm_do_action() return to avoid tail call optimization
lkdtm/bugs: Adjust lkdtm_HUNG_TASK() to avoid tail call optimization
lkdtm/bugs: In lkdtm_HUNG_TASK() use BUG(), not BUG_ON(1)
Harshit Mogalapalli (2):
VMCI: Use struct_size() in kmalloc()
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Jacob Keller (1):
coccinelle: semantic patch to check for potential struct_size calls
Jingzi Meng (1):
cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict
Josh Poimboeuf (1):
objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks
Kees Cook (31):
MAINTAINERS: Add UBSAN section
ubsan: Use Clang's -fsanitize-trap=undefined option
ubsan: Silence W=1 warnings in self-test
ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL
ubsan: Reintroduce signed overflow sanitizer
string: Redefine strscpy_pad() as a macro
string: Allow 2-argument strscpy()
string: Allow 2-argument strscpy_pad()
um: Convert strscpy() usage to 2-argument style
overflow: Adjust check_*_overflow() kern-doc to reflect results
overflow: Introduce wrapping_add(), wrapping_sub(), and wrapping_mul()
overflow: Introduce wrapping_assign_add() and wrapping_assign_sub()
coccinelle: Add rules to find str_plural() replacements
refcount: Annotated intentional signed integer wrap-around
fortify: Split reporting and avoid passing string pointer
fortify: Allow KUnit test to build without FORTIFY
fortify: Provide KUnit counters for failure testing
fortify: Add KUnit tests for runtime overflows
fortify: Improve buffer overflow reporting
MAINTAINERS: Update LEAKING_ADDRESSES details
leaking_addresses: Use File::Temp for /tmp files
leaking_addresses: Ignore input device status lines
leaking_addresses: Provide mechanism to scan binary files
sparc: vdso: Disable UBSAN instrumentation
lib: stackinit: Adjust target string to 8 bytes for m68k
x86, relocs: Ignore relocations in .notes section
overflow: Allow non-type arg to type_max() and type_min()
compiler.h: Explain how __is_constexpr() works
sh: Fix build with CONFIG_UBSAN=y
string: Convert selftest to KUnit
string: Convert helpers selftest to KUnit
Lukas Bulwahn (2):
hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment
hardening: drop obsolete DRM_LEGACY from config fragment
Marco Elver (1):
hardening: Enable KFENCE in the hardening config
Michael Ellerman (1):
selftests/powerpc: Fix load_unaligned_zeropad build failure
Michal Wajdeczko (1):
lib/string_choices: Add str_plural() helper
Tanzir Hasan (2):
kernel.h: removed REPEAT_BYTE from kernel.h
lib/string: shrink lib/string.i via IWYU
Vasiliy Kovalev (1):
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Documentation/dev-tools/ubsan.rst | 28 +-
MAINTAINERS | 26 +-
arch/arm/Kconfig | 2 +-
arch/arm/boot/compressed/misc.c | 2 +-
arch/arm/boot/compressed/misc.h | 2 +-
arch/arm/include/asm/word-at-a-time.h | 3 +-
arch/arm64/Kconfig | 2 +-
arch/arm64/include/asm/word-at-a-time.h | 3 +-
arch/mips/Kconfig | 2 +-
arch/parisc/Kconfig | 2 +-
arch/powerpc/Kconfig | 2 +-
arch/powerpc/include/asm/word-at-a-time.h | 4 +-
arch/riscv/Kconfig | 2 +-
arch/riscv/include/asm/word-at-a-time.h | 3 +-
arch/s390/Kconfig | 2 +-
arch/s390/include/asm/word-at-a-time.h | 3 +-
arch/sh/boot/compressed/Makefile | 1 +
arch/sh/include/asm/word-at-a-time.h | 2 +
arch/sparc/vdso/Makefile | 1 +
arch/um/drivers/net_kern.c | 2 +-
arch/um/drivers/vector_kern.c | 2 +-
arch/um/drivers/vector_user.c | 4 +-
arch/um/include/shared/user.h | 3 +-
arch/um/os-Linux/drivers/ethertap_user.c | 2 +-
arch/um/os-Linux/drivers/tuntap_user.c | 2 +-
arch/um/os-Linux/umid.c | 6 +-
arch/x86/Kconfig | 2 +-
arch/x86/boot/compressed/misc.c | 2 +-
arch/x86/include/asm/word-at-a-time.h | 3 +-
arch/x86/kvm/mmu/mmu.c | 1 +
arch/x86/tools/relocs.c | 8 +
drivers/misc/lkdtm/bugs.c | 3 +-
drivers/misc/lkdtm/core.c | 22 +-
drivers/misc/vmw_vmci/vmci_datagram.c | 10 +-
fs/namei.c | 2 +-
include/asm-generic/word-at-a-time.h | 3 +-
include/linux/compiler.h | 39 ++
include/linux/compiler_types.h | 9 +-
include/linux/fortify-string.h | 122 ++--
include/linux/kernel.h | 44 +-
include/linux/overflow.h | 115 +++-
include/linux/refcount.h | 9 +-
include/linux/string.h | 86 ++-
include/linux/string_choices.h | 11 +
include/linux/string_helpers.h | 10 +-
include/linux/wordpart.h | 42 ++
kernel/configs/hardening.config | 7 +-
kernel/printk/printk.c | 11 -
lib/Kconfig.debug | 14 +-
lib/Kconfig.ubsan | 28 +-
lib/Makefile | 7 +-
lib/fortify_kunit.c | 662 ++++++++++++++++++++-
lib/overflow_kunit.c | 67 ++-
lib/stackinit_kunit.c | 19 +-
lib/string.c | 23 +-
lib/string_helpers.c | 89 ++-
...est-string_helpers.c => string_helpers_kunit.c} | 255 ++++----
lib/string_kunit.c | 199 +++++++
lib/test_string.c | 257 --------
lib/test_ubsan.c | 41 +-
lib/ubsan.c | 68 +++
lib/ubsan.h | 4 +
scripts/Makefile.lib | 5 +-
scripts/Makefile.ubsan | 5 +-
scripts/coccinelle/api/string_choices.cocci | 41 ++
scripts/coccinelle/misc/struct_size.cocci | 74 +++
scripts/leaking_addresses.pl | 90 ++-
tools/objtool/check.c | 12 +
tools/objtool/noreturns.h | 2 +-
.../selftests/powerpc/primitives/linux/bitops.h | 0
.../selftests/powerpc/primitives/linux/wordpart.h | 1 +
71 files changed, 1949 insertions(+), 688 deletions(-)
create mode 100644 include/linux/wordpart.h
rename lib/{test-string_helpers.c => string_helpers_kunit.c} (67%)
create mode 100644 lib/string_kunit.c
delete mode 100644 lib/test_string.c
create mode 100644 scripts/coccinelle/api/string_choices.cocci
create mode 100644 scripts/coccinelle/misc/struct_size.cocci
create mode 100644 tools/testing/selftests/powerpc/primitives/linux/bitops.h
create mode 120000 tools/testing/selftests/powerpc/primitives/linux/wordpart.h
--
Kees Cook
^ permalink raw reply [relevance 48%]
* [GIT PULL] seccomp updates for v6.9-rc1
@ 2024-03-11 23:41 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-11 23:41 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andy Lutomirski, Arnd Bergmann, Kees Cook,
kernel test robot, Mark Brown, Terry Tritton, Tycho Andersen,
Will Drewry
Hi Linus,
Please pull these several seccomp updates for v6.9-rc1. There are no core
kernel changes here; it's entirely selftests and samples. Details below.
Thanks!
-Kees
The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:
Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v6.9-rc1
for you to fetch changes up to 56af94aace8a0489fb1a32fd6f1cf0c548fe3911:
samples: user-trap: fix strict-aliasing warning (2024-02-12 10:42:02 -0800)
----------------------------------------------------------------
seccomp updates for v6.9-rc1
- Improve reliability of selftests (Terry Tritton, Kees Cook)
- Fix strict-aliasing warning in samples (Arnd Bergmann)
----------------------------------------------------------------
Arnd Bergmann (1):
samples: user-trap: fix strict-aliasing warning
Kees Cook (1):
selftests/seccomp: Pin benchmark to single CPU
Terry Tritton (3):
selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)
selftests/seccomp: Change the syscall used in KILL_THREAD test
selftests/seccomp: user_notification_addfd check nextfd is available
samples/seccomp/user-trap.c | 8 +++--
.../testing/selftests/seccomp/seccomp_benchmark.c | 38 ++++++++++++++++++--
tools/testing/selftests/seccomp/seccomp_bpf.c | 41 ++++++++++++++++------
3 files changed, 73 insertions(+), 14 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] execve updates for v6.9-rc1
@ 2024-03-11 23:37 89% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-11 23:37 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Viro, Christian Brauner, Eric Biederman,
Jan Kara, Kees Cook, Li kunyu, linux-fsdevel, linux-kselftest,
linux-mm, Mark Brown, Max Filippov, Muhammad Usama Anjum,
Shuah Khan
Hi Linus,
Please pull these small execve updates for v6.9-rc1. Details below.
Thanks!
-Kees
The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:
Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.9-rc1
for you to fetch changes up to 725d50261285ccf02501f2a1a6d10b31ce014597:
exec: Simplify remove_arg_zero() error path (2024-03-09 13:46:30 -0800)
----------------------------------------------------------------
execve updates for v6.9-rc1
- Drop needless error path code in remove_arg_zero() (Li kunyu, Kees Cook)
- binfmt_elf_efpic: Don't use missing interpreter's properties (Max Filippov)
- Use /bin/bash for execveat selftests
----------------------------------------------------------------
Kees Cook (2):
selftests/exec: Perform script checks with /bin/bash
exec: Simplify remove_arg_zero() error path
Li kunyu (1):
exec: Delete unnecessary statements in remove_arg_zero()
Max Filippov (1):
fs: binfmt_elf_efpic: don't use missing interpreter's properties
fs/binfmt_elf_fdpic.c | 2 +-
fs/exec.c | 11 +++--------
tools/testing/selftests/exec/execveat.c | 2 +-
3 files changed, 5 insertions(+), 10 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 89%]
* [GIT PULL] pstore updates for v6.9-rc1
@ 2024-03-11 23:32 87% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-03-11 23:32 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Viro, AngeloGioacchino Del Regno,
Christophe JAILLET, David Heidelberg, Guilherme G. Piccoli,
Kees Cook, Kunwu Chan, linux-hardening,
Nícolas F. R. A. Prado, Tony Luck
Hi Linus,
Please pull these handful of pstore updates for v6.9-rc1. Details below.
Thanks!
-Kees
The following changes since commit 41bccc98fb7931d63d03f326a746ac4d429c1dd3:
Linux 6.8-rc2 (2024-01-28 17:01:12 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.9-rc1
for you to fetch changes up to c8d25d696f526a42ad8cf615dc1131c0b00c662e:
pstore/zone: Don't clear memory twice (2024-03-09 12:33:22 -0800)
----------------------------------------------------------------
pstore updates for v6.9-rc1
- Make PSTORE_RAM available by default on arm64 (Nícolas F. R. A. Prado)
- Allow for dynamic initialization in modular build (Guilherme G. Piccoli)
- Add missing allocation failure check (Kunwu Chan)
- Avoid duplicate memory zeroing (Christophe JAILLET)
- Avoid potential double-free during pstorefs umount
----------------------------------------------------------------
Christophe JAILLET (1):
pstore/zone: Don't clear memory twice
Guilherme G. Piccoli (1):
efi: pstore: Allow dynamic initialization based on module parameter
Kees Cook (1):
pstore: inode: Only d_invalidate() is needed
Kunwu Chan (1):
pstore/zone: Add a null pointer check to the psz_kmsg_read
Nícolas F. R. A. Prado (2):
pstore/ram: Register to module device table
arm64: defconfig: Enable PSTORE_RAM
arch/arm64/configs/defconfig | 1 +
drivers/firmware/efi/efi-pstore.c | 43 +++++++++++++++++++++++++++++++--------
fs/pstore/inode.c | 10 +++------
fs/pstore/ram.c | 1 +
fs/pstore/zone.c | 3 ++-
5 files changed, 42 insertions(+), 16 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 87%]
* Re: [GIT PULL] Enable -Wstringop-overflow globally
@ 2024-01-26 22:24 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-26 22:24 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Linus Torvalds, Gustavo A. R. Silva, linux-hardening, linux-kernel
On Fri, Jan 26, 2024 at 03:30:20PM -0600, Gustavo A. R. Silva wrote:
>
>
> On 1/26/24 15:22, Linus Torvalds wrote:
> > On Mon, 22 Jan 2024 at 07:29, Gustavo A. R. Silva <gustavoars@kernel.org> wrote:
> > >
> > > Enable -Wstringop-overflow globally
> >
> > I suspect I'll have to revert this.
> >
> > On arm64, I get a "writing 16 bytes into a region of size 0" in the Xe driver
> >
> > drivers/gpu/drm/xe/xe_gt_pagefault.c:340
> >
> > but I haven't looked into it much yet.
> >
> > It's not some gcc-11 issue, though, this is with gcc version 13.2.1
> >
> > It looks like the kernel test robot reported this too (for s390), at
> >
> > https://lore.kernel.org/all/202401161031.hjGJHMiJ-lkp@intel.com/T/
> >
> > and in that case it was gcc-13.2.0.
> >
> > So I don't think the issue is about gcc-11 at all, but about other
> > random details.
>
> Let me take a look.
I think xe has some other weird problems too. This may be related
(under-allocating):
../drivers/gpu/drm/xe/xe_vm.c: In function 'xe_vma_create':
../drivers/gpu/drm/xe/xe_vm.c:806:21: warning: allocation of insufficient size '224' for type 'struct xe_vma' with size '368' [-Walloc-size]
806 | vma = kzalloc(sizeof(*vma) - sizeof(struct xe_userptr),
| ^
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] execve fixes for v6.8-rc2
@ 2024-01-24 20:05 86% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-24 20:05 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Viro, Alexey Dobriyan, Andrew Morton,
Askar Safin, Bernd Edlinger, Christian Brauner, Eric Biederman,
Jan Kara, Kees Cook, Kentaro Takeda, linux-fsdevel, linux-mm,
Sebastian Andrzej Siewior, Tetsuo Handa
Hi Linus,
Please pull these execve fixes for v6.8-rc2. One change was sent as part
of the original -rc1 PR, one is a recent fix, and the rest are cleanups
related to moving the open() earlier. I was waiting for a couple -next
cycles since -rc1, and since we were already working on the in_execve fix,
I figured I should send this PR now too.
Thanks!
-Kees
The following changes since commit 6613476e225e090cc9aad49be7fa504e290dd33d:
Linux 6.8-rc1 (2024-01-21 14:11:32 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.8-rc2
for you to fetch changes up to 90383cc07895183c75a0db2460301c2ffd912359:
exec: Distinguish in_execve from in_exec (2024-01-24 11:48:52 -0800)
----------------------------------------------------------------
execve fixes for v6.8-rc2
- Fix error handling in begin_new_exec() (Bernd Edlinger)
- MAINTAINERS: specifically mention ELF (Alexey Dobriyan)
- Various cleanups related to earlier open() (Askar Safin, Kees Cook)
----------------------------------------------------------------
Alexey Dobriyan (1):
ELF, MAINTAINERS: specifically mention ELF
Askar Safin (1):
exec: remove useless comment
Bernd Edlinger (1):
exec: Fix error handling in begin_new_exec()
Kees Cook (2):
exec: Add do_close_execat() helper
exec: Distinguish in_execve from in_exec
MAINTAINERS | 3 ++-
fs/exec.c | 39 ++++++++++++++++++++++++++++++---------
include/linux/sched.h | 2 +-
kernel/fork.c | 1 +
4 files changed, 34 insertions(+), 11 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 86%]
* Re: [GIT PULL] execve updates for v6.8-rc1
@ 2024-01-21 8:05 99% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-21 8:05 UTC (permalink / raw)
To: Linus Torvalds, Al Viro
Cc: Josh Triplett, Kees Cook, linux-kernel, Alexey Dobriyan
On January 20, 2024 2:18:36 PM PST, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>End result: I committed my "move do_open_execat() to the beginning of
>execve()" patch, since it's clearly an improvement on the existing
>behavior, and that whole "struct file allocations are unnecessarily
>expensive" issue is a separate thing.
Thanks! I'll add the other bits of refactoring I did in my version of the clean-up (I created do_close_execat() for the repeated "allow_write_access(file); fput(file);" calls, along with some comments):
https://lore.kernel.org/lkml/202209161637.9EDAF6B18@keescook/
I like your removal of the "out" label! :)
-Kees
--
Kees Cook
^ permalink raw reply [relevance 99%]
* Re: [GIT PULL] strlcpy removal for v6.8-rc1
@ 2024-01-19 22:53 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-19 22:53 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Andy Shevchenko, Andy Whitcroft,
Azeem Shaikh, Brian Foster, Dwaipayan Ray, Joe Perches,
Kent Overstreet, linux-bcachefs, linux-hardening, Lukas Bulwahn
On Fri, Jan 19, 2024 at 02:00:14PM -0800, Linus Torvalds wrote:
> On Fri, 19 Jan 2024 at 13:14, Kees Cook <keescook@chromium.org> wrote:
> >
> > The kernel is now free of the strlcpy() API!
>
> .. still mentioned in docs and checkpatch. Maybe remove that too?
Sorry, I should have called that out in the PR, but the commit itself
had my rationale for intentionally leaving those in:
    Leave mentions in Documentation (about its deprecation), and in
    checkpatch.pl (to help migrate host-only tools/ usage).
If you feel like that's not right, I can either respin or send a
follow-up patch?
-Kees
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] strlcpy removal for v6.8-rc1
@ 2024-01-19 21:14 86% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-19 21:14 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Andy Shevchenko, Andy Whitcroft,
Azeem Shaikh, Brian Foster, Dwaipayan Ray, Joe Perches,
Kees Cook, Kent Overstreet, linux-bcachefs, linux-hardening,
Lukas Bulwahn
Hi Linus,
Please pull this strlcpy removal for v6.8-rc1. As promised, it is the
"part 2" of the hardening tree, late in -rc1 now that all the other trees
with strlcpy() removals have landed. One new user appeared (in bcachefs)
but was a trivial refactor. The kernel is now free of the strlcpy() API!
Thanks!
-Kees
The following changes since commit b0d326da462e20285236e11e4cbc32085de9f363:
Merge tag 'sched-urgent-2024-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2024-01-18 11:57:33 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/strlcpy-removal-v6.8-rc1
for you to fetch changes up to d26270061ae66b915138af7cd73ca6f8b85e6b44:
string: Remove strlcpy() (2024-01-19 11:59:11 -0800)
----------------------------------------------------------------
strlcpy removal for v6.8-rc1
- Remove the final (very recent) user of strlcpy() (in bcachefs).
- Remove the strlcpy() API. Long live strscpy().
----------------------------------------------------------------
Kees Cook (2):
bcachefs: Replace strlcpy() with strscpy()
string: Remove strlcpy()
fs/bcachefs/super.c | 4 +--
include/linux/fortify-string.h | 51 ---------------------------
include/linux/string.h | 3 --
lib/nlattr.c | 2 +-
lib/string.c | 15 --------
lib/test_fortify/write_overflow-strlcpy-src.c | 5 ---
lib/test_fortify/write_overflow-strlcpy.c | 5 ---
7 files changed, 3 insertions(+), 82 deletions(-)
delete mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
delete mode 100644 lib/test_fortify/write_overflow-strlcpy.c
--
Kees Cook
^ permalink raw reply [relevance 86%]
* Re: [GIT PULL] bcachefs updates for 6.8
@ 2024-01-12 0:18 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-12 0:18 UTC (permalink / raw)
To: Kent Overstreet
Cc: Matthew Wilcox, Linus Torvalds, linux-bcachefs, linux-fsdevel,
linux-kernel, linux-hardening
On Thu, Jan 11, 2024 at 07:05:06PM -0500, Kent Overstreet wrote:
> On Thu, Jan 11, 2024 at 03:42:19PM -0800, Kees Cook wrote:
> > On Thu, Jan 11, 2024 at 10:57:18PM +0000, Matthew Wilcox wrote:
> > > On Wed, Jan 10, 2024 at 05:47:20PM -0800, Linus Torvalds wrote:
> > > > No, because the whole idea of "let me mark something deprecated and
> > > > then not just remove it" is GARBAGE.
> > > >
> > > > If somebody wants to deprecate something, it is up to *them* to finish
> > > > the job. Not annoy thousands of other developers with idiotic
> > > > warnings.
> > >
> > > What would be nice is something that warned about _new_ uses being
> > > added. ie checkpatch. Let's at least not make the problem worse.
> >
> > For now, we've just kind of "dealt with it". For things that show up
> > with new -W options we've enlisted sfr to do the -next builds with it
> > explicitly added (but not to the tree) so he could generate nag emails
> > when new warnings appeared. That could happen if we added it to W=1
> > builds, or some other flag like REPORT_DEPRECATED=1.
> >
> > Another ugly idea would be to do a treewide replacement of "func" to
> > "func_deprecated", and make "func" just a wrapper for it that is marked
> > with __deprecated. Then only new instances would show up (assuming people
> > weren't trying to actively bypass the deprecation work by adding calls to
> > "func_deprecated"). :P Then the refactoring to replace "func_deprecated"
> > could happen a bit more easily.
> >
> > Most past deprecations have pretty narrow usage. This is not true with
> > the string functions, which is why it's more noticeable here. :P
>
> Before doing the renaming - why not just leave a kdoc comment that marks
> it as deprecated? Seems odd that checkpatch was patched, but I can't
> find anything marking it as deprecated when I cscope to it.
It doesn't explicitly say "deprecated", but this language has been in
the kdoc for a while now (not that people go read this often):
* Do not use this function. While FORTIFY_SOURCE tries to avoid
* over-reads when calculating strlen(@q), it is still possible.
* Prefer strscpy(), though note its different return values for
* detecting truncation.
But it's all fine -- we're about to wipe out strlcpy for v6.8. Once the
drivers-core and drm-misc-next trees land, (and the bcachefs patch[1])
we'll be at 0 users. :)
-Kees
[1] https://lore.kernel.org/lkml/20240110235438.work.385-kees@kernel.org/
--
Kees Cook
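Added example (not part of the original message, and not the kernel's implementation): userspace models of the strlcpy() and strscpy() behaviour described in the kdoc quoted above, showing the unbounded source read and the different return values on truncation. The names model_strlcpy, model_strscpy, struct copy_result and sample_mem are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of one copy: what the caller gets back, and how far src was read. */
struct copy_result {
	long ret;        /* return value seen by the caller */
	size_t src_read; /* number of source bytes examined */
};

/*
 * Constructed sample memory: the logical source field is the first 8 bytes
 * ("bcachefs") and has no NUL inside it; unrelated bytes follow it.
 * Everything lives in one array so the demonstration stays well defined.
 */
static const char sample_mem[24] = "bcachefsADJACENT-DATA";

/* Model of strlcpy(): measures the whole source first, then copies. */
static struct copy_result model_strlcpy(char *dst, const char *src, size_t size)
{
	struct copy_result r;
	size_t len = strlen(src); /* walks src until a NUL, ignoring 'size' */

	r.src_read = len + 1;     /* every byte up to and including the NUL */
	if (size) {
		size_t n = (len >= size) ? size - 1 : len;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	r.ret = (long)len;        /* length of src, not of what was copied */
	return r;
}

/* Model of strscpy(): never looks at more than 'count' source bytes. */
static struct copy_result model_strscpy(char *dst, const char *src, size_t count)
{
	struct copy_result r = { -E2BIG, 0 };
	size_t i;

	if (count == 0)
		return r;
	for (i = 0; i < count; i++) {
		char c = src[i];

		r.src_read++;
		dst[i] = c;
		if (c == '\0') {
			r.ret = (long)i; /* characters copied, NUL excluded */
			return r;
		}
	}
	dst[count - 1] = '\0';    /* truncated: terminate and report -E2BIG */
	return r;
}

/* Truncation checks differ: a check written for one API is wrong for the other. */
static int strlcpy_truncated(long ret, size_t size) { return (size_t)ret >= size; }
static int strscpy_truncated(long ret) { return ret < 0; }

int main(void)
{
	char dst[8];
	struct copy_result a, b;

	a = model_strlcpy(dst, sample_mem, sizeof(dst));
	printf("strlcpy: dst=\"%s\" ret=%ld src bytes read=%zu truncated=%d\n",
	       dst, a.ret, a.src_read, strlcpy_truncated(a.ret, sizeof(dst)));

	b = model_strscpy(dst, sample_mem, sizeof(dst));
	printf("strscpy: dst=\"%s\" ret=%ld src bytes read=%zu truncated=%d\n",
	       dst, b.ret, b.src_read, strscpy_truncated(b.ret));
	return 0;
}
```

Both calls leave the same truncated string in dst; the difference is that the strlcpy() model read 22 source bytes to fill an 8-byte destination, while the strscpy() model stopped at 8 and signalled truncation with a negative errno.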
* Re: [GIT PULL] bcachefs updates for 6.8
@ 2024-01-11 23:42 91% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-11 23:42 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Linus Torvalds, Kent Overstreet, linux-bcachefs, linux-fsdevel,
linux-kernel, linux-hardening
On Thu, Jan 11, 2024 at 10:57:18PM +0000, Matthew Wilcox wrote:
> On Wed, Jan 10, 2024 at 05:47:20PM -0800, Linus Torvalds wrote:
> > No, because the whole idea of "let me mark something deprecated and
> > then not just remove it" is GARBAGE.
> >
> > If somebody wants to deprecate something, it is up to *them* to finish
> > the job. Not annoy thousands of other developers with idiotic
> > warnings.
>
> What would be nice is something that warned about _new_ uses being
> added. ie checkpatch. Let's at least not make the problem worse.
For now, we've just kind of "dealt with it". For things that show up
with new -W options we've enlisted sfr to do the -next builds with it
explicitly added (but not to the tree) so he could generate nag emails
when new warnings appeared. That could happen if we added it to W=1
builds, or some other flag like REPORT_DEPRECATED=1.
Another ugly idea would be to do a treewide replacement of "func" to
"func_deprecated", and make "func" just a wrapper for it that is marked
with __deprecated. Then only new instances would show up (assuming people
weren't trying to actively bypass the deprecation work by adding calls to
"func_deprecated"). :P Then the refactoring to replace "func_deprecated"
could happen a bit more easily.
Most past deprecations have pretty narrow usage. This is not true with
the string functions, which is why it's more noticeable here. :P
-Kees
--
Kees Cook
* Re: [GIT PULL] bcachefs updates for 6.8
@ 2024-01-11 0:39 88% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-11 0:39 UTC (permalink / raw)
To: Kent Overstreet
Cc: Linus Torvalds, linux-bcachefs, linux-fsdevel, linux-kernel,
linux-hardening
On Wed, Jan 10, 2024 at 07:04:47PM -0500, Kent Overstreet wrote:
> On Wed, Jan 10, 2024 at 03:48:43PM -0800, Kees Cook wrote:
> > On Wed, Jan 10, 2024 at 02:36:30PM -0500, Kent Overstreet wrote:
> > > [...]
> > > bcachefs: %pg is banished
> >
> > Hi!
> >
> > Not a PR blocker, but this patch re-introduces users of strlcpy() which
> > has been otherwise removed this cycle. I'll send a patch to replace
> > these new uses, but process-wise, I'd like to check on how bcachefs patches
> > are reviewed.
>
> I'm happy to fix it. Perhaps the declaration could get a deprecated
> warning, though?
That's one of checkpatch.pl's purposes, seeing as how deprecation warnings
are ... deprecated. :P
https://docs.kernel.org/process/deprecated.html#id1
This has made treewide changes like this more difficult, but these are
the Rules From Linus. ;)
> > Normally I'd go find the original email that posted the patch and reply
> > there, but I couldn't find a development list where this patch was
> > posted. Where is this happening? (Being posted somewhere is supposed
> > to be a prerequisite for living in -next. E.g. quoting from the -next
> > inclusion boiler-plate: "* posted to the relevant mailing list,") It
> > looks like it was authored 5 days ago, which is cutting it awfully close
> > to the merge window opening:
> >
> > AuthorDate: Fri Jan 5 11:58:50 2024 -0500
>
> I'm confident in my testing; if it was a patch that needed more soak
> time it would have waited.
>
> > Actually, it looks like you rebased onto v6.7-rc7? This is normally
> > strongly discouraged. The common merge base is -rc2.
>
> Is there something special about rc2?
It's what sfr suggested as it's when many subsystem maintainers merge
to when opening their trees for development. Usually it's a good tree
state: after stabilization fixes from any rc1 rough edges.
> I reorder patches fairly often just in the normal course of backporting
> fixes, and if I have to rebase everything for a backport I'll often
> rebase onto a newer kernel so that the people who are running my tree
> are testing something more stable - it does come up.
Okay, gotcha. I personally don't care how maintainers handle rebasing; I
was just confused about the timing and why I couldn't find the original
patch on any lists. :) And to potentially warn about Linus possibly not
liking the rebase too.
>
> > It also seems it didn't get a run through scripts/checkpatch.pl, which
> > shows 4 warnings, 2 of which point out the strlcpy deprecation:
> >
> > WARNING: Prefer strscpy over strlcpy - see: https://github.com/KSPP/linux/issues/89
> > #123: FILE: fs/bcachefs/super.c:1389:
> > + strlcpy(c->name, name.buf, sizeof(c->name));
> >
> > WARNING: Prefer strscpy over strlcpy - see: https://github.com/KSPP/linux/issues/89
> > #124: FILE: fs/bcachefs/super.c:1390:
> > + strlcpy(ca->name, name.buf, sizeof(ca->name));
> >
> > Please make sure you're running checkpatch.pl -- it'll make integration,
> > technical debt reduction, and coding style adjustments much easier. :)
>
> Well, we do have rather a lot of linters these days.
>
> That's actually something I've been meaning to raise - perhaps we could
> start thinking about some pluggable way of running linters so that
> they're all run as part of a normal kernel build (and something that
> would be easy to drop new linters in to; I'd like to write some bcachefs
> specific ones).
With no central CI, the best we've got is everyone running the same
"minimum set" of checks. I'm most familiar with netdev's CI which has
such things (and checkpatch.pl is included). For example see:
https://patchwork.kernel.org/project/netdevbpf/patch/20240110110451.5473-3-ptikhomirov@virtuozzo.com/
> The current model of "I have to remember to run these 5 things, and then
> I'm going to get email nags for 3 more that I can't run" is not terribly
> scalable :)
Oh, I hear you. It's positively agonizing for those of us doing treewide
changes. I've got at least 4 CIs I check (in addition to my own) just to
check everyone's various coverage tools.
At the very least, checkpatch.pl is the common denominator:
https://docs.kernel.org/process/submitting-patches.html#style-check-your-changes
-Kees
--
Kees Cook
* Re: [GIT PULL] bcachefs updates for 6.8
@ 2024-01-10 23:48 86% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-10 23:48 UTC (permalink / raw)
To: Kent Overstreet
Cc: Linus Torvalds, linux-bcachefs, linux-fsdevel, linux-kernel,
linux-hardening
On Wed, Jan 10, 2024 at 02:36:30PM -0500, Kent Overstreet wrote:
> [...]
> bcachefs: %pg is banished
Hi!
Not a PR blocker, but this patch re-introduces users of strlcpy() which
has been otherwise removed this cycle. I'll send a patch to replace
these new uses, but process-wise, I'd like to check on how bcachefs patches
are reviewed.
Normally I'd go find the original email that posted the patch and reply
there, but I couldn't find a development list where this patch was
posted. Where is this happening? (Being posted somewhere is supposed
to be a prerequisite for living in -next. E.g. quoting from the -next
inclusion boiler-plate: "* posted to the relevant mailing list,") It
looks like it was authored 5 days ago, which is cutting it awfully close
to the merge window opening:
AuthorDate: Fri Jan 5 11:58:50 2024 -0500
Actually, it looks like you rebased onto v6.7-rc7? This is normally
strongly discouraged. The common merge base is -rc2.
It also seems it didn't get a run through scripts/checkpatch.pl, which
shows 4 warnings, 2 of which point out the strlcpy deprecation:
WARNING: Prefer strscpy over strlcpy - see: https://github.com/KSPP/linux/issues/89
#123: FILE: fs/bcachefs/super.c:1389:
+ strlcpy(c->name, name.buf, sizeof(c->name));
WARNING: Prefer strscpy over strlcpy - see: https://github.com/KSPP/linux/issues/89
#124: FILE: fs/bcachefs/super.c:1390:
+ strlcpy(ca->name, name.buf, sizeof(ca->name));
Please make sure you're running checkpatch.pl -- it'll make integration,
technical debt reduction, and coding style adjustments much easier. :)
Thanks!
-Kees
--
Kees Cook
* Re: [GIT PULL] execve updates for v6.8-rc1
@ 2024-01-10 19:24 92% ` Kees Cook
1 sibling, 0 replies; 200+ results
From: Kees Cook @ 2024-01-10 19:24 UTC (permalink / raw)
To: Josh Triplett; +Cc: Linus Torvalds, Kees Cook, linux-kernel, Alexey Dobriyan
On Tue, Jan 09, 2024 at 06:21:26PM -0800, Josh Triplett wrote:
> With Linus's fastpath patch ("no patch" with Linus's applied, and the
> followup -ENOMEM fix applied):
>
> === With only PATH ===
> 0.28user 2.44system 0:02.80elapsed 97%CPU (0avgtext+0avgdata 1152maxresident)k
> 0inputs+0outputs (0major+694706minor)pagefaults 0swaps
>
> === With 64 extra environment variables ===
> 0.29user 2.68system 0:03.06elapsed 97%CPU (0avgtext+0avgdata 1152maxresident)k
> 0inputs+0outputs (0major+712431minor)pagefaults 0swaps
Thanks for digging into this!
I've been trying to figure out how to measure only the execve portion of
a workload (with perf)[1] to get a more real-world measurement, but the
above does show improvements for the "open once early". I'll get the
behavior landed in -next after the merge window closes, and we can
continue examining if we can make do_filp_open() better...
-Kees
[1] https://lore.kernel.org/linux-perf-users/ZZ32p0LRSt5-vFPX@kernel.org/
--
Kees Cook
* Re: [GIT PULL] execve updates for v6.8-rc1
@ 2024-01-09 1:48 99% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-09 1:48 UTC (permalink / raw)
To: Linus Torvalds, Kees Cook; +Cc: linux-kernel, Alexey Dobriyan, Josh Triplett
On January 8, 2024 4:19:45 PM PST, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>On Mon, 8 Jan 2024 at 10:35, Kees Cook <keescook@chromium.org> wrote:
>>
>> Josh Triplett (1):
>> fs/exec.c: Add fast path for ENOENT on PATH search before allocating mm
>
>No, we're not doing this.
>
>If you want to open the file before the allocations, then dammit, do
>exactly that.
This was exactly the feedback I had originally and wrote almost what you suggest:
https://lore.kernel.org/lkml/202209161637.9EDAF6B18@keescook/
>Anyway, I want to repeat: this patch is UNTESTED. It compiles for me.
>But that is literally all the testing it has gotten apart from a
>cursory "this patch looks sane".
>
>There might be something seriously wrong with this patch, but it at
>least makes sense, unlike that horror that will look up the filename
>twice.
>
>I bet whatever benchmark did the original was not using long filenames
>with lots of components, or was only testing the ENOENT case.
But the perf testing of my proposed "look it up once" patch showed a net loss to the successful execs which no one could explain. In the end we went with the original proposal.
If you think this is too much of a hack, I'm happy to drop it. My very first reaction was "fix userspace; shells use access() not execve()" but it seems enough other runtimes (Python?) use execve PATH searches that it would make a measurable real-world difference.
-Kees
--
Kees Cook
* [GIT PULL] execve updates for v6.8-rc1
@ 2024-01-08 18:35 92% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2024-01-08 18:35 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Alexey Dobriyan, Josh Triplett, Kees Cook
Hi Linus,
Please pull these execve updates for v6.8-rc1. A fast-fail check has
been added to dramatically speed up execve-based PATH searches, and has
been in -next for the entire development window. A minor conflict with
netdev exists due to neighboring MAINTAINERS entries:
https://lore.kernel.org/linux-next/20231218161704.05c25766@canb.auug.org.au/
Thanks!
-Kees
The following changes since commit 21ca59b365c091d583f36ac753eaa8baf947be6f:
binfmt_misc: enable sandboxed mounts (2023-10-11 08:46:01 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.8-rc1
for you to fetch changes up to 0a8a952a75f2c5c140939c1616423e240677666c:
ELF, MAINTAINERS: specifically mention ELF (2023-12-06 14:55:31 -0800)
----------------------------------------------------------------
execve updates for v6.8-rc1
- Update MAINTAINERS entry to explicitly mention ELF (Alexey Dobriyan)
- Add a fail-fast check to speed up execve-based PATH searches (Josh
Triplett)
----------------------------------------------------------------
Alexey Dobriyan (1):
ELF, MAINTAINERS: specifically mention ELF
Josh Triplett (1):
fs/exec.c: Add fast path for ENOENT on PATH search before allocating mm
MAINTAINERS | 3 ++-
fs/exec.c | 13 +++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] pstore updates for v6.8-rc1
@ 2024-01-08 18:24 89% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-08 18:24 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Guilherme G. Piccoli, Kees Cook, linux-hardening,
Matthias Brugger, Sergey Shtylyov, Tony Luck, Weichen Chen
Hi Linus,
Please pull these pstore updates for v6.8-rc1. These are a couple small
fixes, and a refactoring to use cleanup.h now that it has had time to
bake in a full release.
Thanks!
-Kees
The following changes since commit 98b1cc82c4affc16f5598d4fa14b1858671b2263:
Linux 6.7-rc2 (2023-11-19 15:02:14 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.8-rc1
for you to fetch changes up to 24a0b5e196cf70ccff97bc0add6fa7178ad50cc4:
pstore: inode: Use cleanup.h for struct pstore_private (2023-12-08 14:15:44 -0800)
----------------------------------------------------------------
pstore updates for v6.8-rc1
- Do not allow misconfigured ECC sizes (Sergey Shtylyov)
- Allow for odd number of CPUs (Weichen Chen)
- Refactor error handling to use cleanup.h
----------------------------------------------------------------
Kees Cook (4):
pstore: inode: Convert kfree() usage to __free(kfree)
pstore: inode: Convert mutex usage to guard(mutex)
pstore: inode: Use __free(pstore_iput) for inode allocations
pstore: inode: Use cleanup.h for struct pstore_private
Sergey Shtylyov (1):
pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
Weichen Chen (1):
pstore/ram: Fix crash when setting number of cpus to an odd number
fs/pstore/inode.c | 109 +++++++++++++++++++++------------------------------
fs/pstore/ram.c | 1 +
fs/pstore/ram_core.c | 2 +-
3 files changed, 46 insertions(+), 66 deletions(-)
--
Kees Cook
* [GIT PULL] hardening updates for v6.8-rc1
@ 2024-01-08 18:20 69% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2024-01-08 18:20 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Potapenko, Anders Larsen, Andrew Morton,
Andy Shevchenko, Anna Schumaker, Arnd Bergmann, Azeem Shaikh,
Christophe JAILLET, Chuck Lever, Dai Ngo, David S. Miller,
Dmitry Vyukov, Eric Dumazet, Geliang Tang, Greg Kroah-Hartman,
Gurucharan G, Gustavo A. R. Silva, Jakub Kicinski, Jeff Layton,
Jesse Brandeburg, Justin Stitt, kasan-dev, Kees Cook,
linux-hardening, linux-nfs, linux-trace-kernel, Luis Chamberlain,
Marco Elver, Masami Hiramatsu (Google),
Neil Brown, netdev, Olga Kornievskaia, Paolo Abeni,
Ronald Monthero, Shiraz Saleem, Stephen Boyd,
Steven Rostedt (Google),
Thomas Gleixner, Tom Talpey, Tony Nguyen, Trond Myklebust,
Valentin Schneider, Xu Panda
Hi Linus,
Please pull these hardening updates for v6.8-rc1. There will be a second
pull request coming at the end of the rc1 window, as we can now finally
remove the "strlcpy" API entirely from the kernel. However, that depends
on other trees landing first. As always, my tree has been in -next the
whole time, and anything touching other subsystems was either explicitly
Acked by those maintainers or they were sufficiently trivial and went
ignored so I picked them up.
Thanks!
-Kees
The following changes since commit 98b1cc82c4affc16f5598d4fa14b1858671b2263:
Linux 6.7-rc2 (2023-11-19 15:02:14 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.8-rc1
for you to fetch changes up to a75b3809dce2ad006ebf7fa641f49881fa0d79d7:
qnx4: Use get_directory_fname() in qnx4_match() (2023-12-13 11:19:18 -0800)
----------------------------------------------------------------
hardening updates for v6.8-rc1
- Introduce the param_unknown_fn type and other clean ups (Andy Shevchenko)
- Various __counted_by annotations (Christophe JAILLET, Gustavo A. R. Silva,
Kees Cook)
- Add KFENCE test to LKDTM (Stephen Boyd)
- Various strncpy() refactorings (Justin Stitt)
- Fix qnx4 to avoid writing into the smaller of two overlapping buffers
- Various strlcpy() refactorings
----------------------------------------------------------------
Andy Shevchenko (5):
params: Introduce the param_unknown_fn type
params: Do not go over the limit when getting the string length
params: Use size_add() for kmalloc()
params: Sort headers
params: Fix multi-line comment style
Christophe JAILLET (1):
VMCI: Annotate struct vmci_handle_arr with __counted_by
Gustavo A. R. Silva (2):
afs: Add __counted_by for struct afs_acl and use struct_size()
atags_proc: Add __counted_by for struct buffer and use struct_size()
Justin Stitt (5):
HID: uhid: replace deprecated strncpy with strscpy
drm/modes: replace deprecated strncpy with strscpy_pad
nvme-fabrics: replace deprecated strncpy with strscpy
nvdimm/btt: replace deprecated strncpy with strscpy
nvme-fc: replace deprecated strncpy with strscpy
Kees Cook (6):
SUNRPC: Replace strlcpy() with strscpy()
samples: Replace strlcpy() with strscpy()
i40e: Annotate struct i40e_qvlist_info with __counted_by
tracing/uprobe: Replace strlcpy() with strscpy()
qnx4: Extract dir entry filename processing into helper
qnx4: Use get_directory_fname() in qnx4_match()
Stephen Boyd (1):
lkdtm: Add kfence read after free crash type
arch/arm/kernel/atags_proc.c | 4 +-
drivers/gpu/drm/drm_modes.c | 6 +--
drivers/hid/uhid.c | 15 ++++----
drivers/misc/lkdtm/heap.c | 60 ++++++++++++++++++++++++++++++
drivers/misc/vmw_vmci/vmci_handle_array.h | 2 +-
drivers/nvdimm/btt.c | 2 +-
drivers/nvme/host/fabrics.c | 4 +-
drivers/nvme/host/fc.c | 8 ++--
fs/afs/internal.h | 2 +-
fs/afs/xattr.c | 2 +-
fs/qnx4/dir.c | 52 ++++----------------------
fs/qnx4/namei.c | 29 ++++++---------
fs/qnx4/qnx4.h | 60 ++++++++++++++++++++++++++++++
include/linux/kfence.h | 2 +
include/linux/moduleparam.h | 6 +--
include/linux/net/intel/i40e_client.h | 2 +-
kernel/params.c | 52 ++++++++++++++------------
kernel/trace/trace_uprobe.c | 2 +-
net/sunrpc/clnt.c | 10 ++++-
samples/trace_events/trace-events-sample.h | 2 +-
samples/v4l/v4l2-pci-skeleton.c | 10 ++---
21 files changed, 208 insertions(+), 124 deletions(-)
--
Kees Cook
* [GIT PULL] hardening fixes for v6.7-rc4
@ 2023-11-30 21:38 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-11-30 21:38 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bill Wendling, Dmitry Antipov, Gustavo A. R. Silva,
Kees Cook, kernel test robot, Masahiro Yamada, Miguel Ojeda,
Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull these hardening fixes for v6.7-rc4.
Thanks!
-Kees
The following changes since commit 98b1cc82c4affc16f5598d4fa14b1858671b2263:
Linux 6.7-rc2 (2023-11-19 15:02:14 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.7-rc4
for you to fetch changes up to d71f22365a9caca82d424f3a33445de46567e198:
gcc-plugins: randstruct: Update code comment in relayout_struct() (2023-11-27 16:30:05 -0800)
----------------------------------------------------------------
hardening fixes for v6.7-rc4
- struct_group: propagate attributes to top-level union (Dmitry Antipov)
- gcc-plugins: randstruct: Update code comment in relayout_struct (Gustavo
A. R. Silva)
- MAINTAINERS: refresh LLVM support (Nick Desaulniers)
----------------------------------------------------------------
Dmitry Antipov (1):
uapi: propagate __struct_group() attributes to the container union
Gustavo A. R. Silva (1):
gcc-plugins: randstruct: Update code comment in relayout_struct()
ndesaulniers@google.com (1):
MAINTAINERS: refresh LLVM support
MAINTAINERS | 8 +++-----
include/uapi/linux/stddef.h | 2 +-
scripts/gcc-plugins/randomize_layout_plugin.c | 3 +--
3 files changed, 5 insertions(+), 8 deletions(-)
--
Kees Cook
* [GIT PULL] hardening fixes for v6.7-rc2
@ 2023-11-14 17:41 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-11-14 17:41 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Bill Wendling, Gustavo A. R. Silva,
Kees Cook, kernel test robot, Konstantin Runov, KP Singh,
linux-hardening
Hi Linus,
Please pull these small hardening fixes for v6.7-rc2.
Thanks!
-Kees
The following changes since commit 9cca73d7b4bfec75b2fcef751015f31691afa792:
hwmon: (acpi_power_meter) replace open-coded kmemdup_nul (2023-10-24 14:10:53 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.7-rc2
for you to fetch changes up to 782ce431613cf08c3a00dca42ad925c3b1108d09:
gcc-plugins: latent_entropy: Fix typo (args -> argc) in plugin description (2023-11-14 09:32:47 -0800)
----------------------------------------------------------------
kernel hardening fixes for v6.7-rc2
- stackleak: add declarations for global functions (Arnd Bergmann)
- gcc-plugins: randstruct: Only warn about true flexible arrays (Kees Cook)
- gcc-plugins: latent_entropy: Fix description typo (Konstantin Runov)
----------------------------------------------------------------
Arnd Bergmann (1):
stackleak: add declarations for global functions
Kees Cook (1):
gcc-plugins: randstruct: Only warn about true flexible arrays
Konstantin Runov (1):
gcc-plugins: latent_entropy: Fix typo (args -> argc) in plugin description
include/linux/stackleak.h | 6 ++++++
scripts/gcc-plugins/latent_entropy_plugin.c | 4 ++--
scripts/gcc-plugins/randomize_layout_plugin.c | 10 ----------
3 files changed, 8 insertions(+), 12 deletions(-)
--
Kees Cook
* [GIT PULL] execve updates for v6.7-rc1
@ 2023-10-30 17:22 74% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-10-30 17:22 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alejandro Colomar, Alexander Viro, Andrei Vagin,
Andrew Morton, Arnd Bergmann, Christian Brauner,
Christian Brauner, Dave Jones, David Howells, Eric Biederman,
Greg Ungerer, Henning Schild, Jann Horn, Kees Cook,
Laurent Vivier, linux-fsdevel, linux-mm, Matthew Wilcox,
Paul E. McKenney, Pedro Falcato, Rolf Eike Beer, Sargun Dhillon,
Sebastian Ott, Serge Hallyn, Thomas Gleixner,
Thomas Weißschuh
Hi Linus,
Please pull these execve updates for v6.7-rc1. This includes 3
changes I want to explicitly call attention to:
1) Eric Biederman and I refactored ELF segment loading to handle the case
where a segment has a smaller filesz than memsz. Traditionally linkers
only did this for .bss and it was always the last segment. As a result,
the kernel only handled this case when it was the last segment. We've
had two recent cases where linkers were trying to use these kinds of
segments for other reasons, and they were in the middle of the segment
list. There was no good reason for the kernel not to support this,
and the refactor actually ends up making things more readable too.
2) Christian Brauner has made it possible to use binfmt_misc with mount
namespaces. This means some traditionally root-only interfaces (for
adding/removing formats) are now more exposed (but believed to be safe).
3) Alejandro Colomar noticed that the ELF UAPI has been polluting the
struct namespace with an unused and overly generic tag named "dynamic"
for no discernible reason for many many years. After double-checking
various distro source repositories, it has been removed.
All three changes have been living in linux-next without any reported
problems.
Thanks!
-Kees
The following changes since commit ce9ecca0238b140b88f43859b211c9fdfd8e5b70:
Linux 6.6-rc2 (2023-09-17 14:40:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.7-rc1
for you to fetch changes up to 21ca59b365c091d583f36ac753eaa8baf947be6f:
binfmt_misc: enable sandboxed mounts (2023-10-11 08:46:01 -0700)
----------------------------------------------------------------
execve updates for v6.7-rc1
- Support non-BSS ELF segments with 0 filesz (Eric W. Biederman, Kees Cook)
- Enable namespaced binfmt_misc (Christian Brauner)
- Remove struct tag 'dynamic' from ELF UAPI (Alejandro Colomar)
- Clean up binfmt_elf_fdpic debug output (Greg Ungerer)
----------------------------------------------------------------
Alejandro Colomar (1):
elf, uapi: Remove struct tag 'dynamic'
Christian Brauner (2):
binfmt_misc: cleanup on filesystem umount
binfmt_misc: enable sandboxed mounts
Eric W. Biederman (1):
binfmt_elf: Support segments with 0 filesz and misaligned starts
Greg Ungerer (1):
binfmt_elf_fdpic: clean up debug warnings
Kees Cook (5):
binfmt_elf: elf_bss no longer used by load_elf_binary()
binfmt_elf: Use elf_load() for interpreter
binfmt_elf: Use elf_load() for library
binfmt_elf: Only report padzero() errors when PROT_WRITE
mm: Remove unused vm_brk()
fs/binfmt_elf.c | 215 ++++++++---------------
fs/binfmt_elf_fdpic.c | 20 ++-
fs/binfmt_misc.c | 386 ++++++++++++++++++++++++++++++++++-------
include/linux/binfmts.h | 10 ++
include/linux/mm.h | 3 +-
include/linux/user_namespace.h | 8 +
include/uapi/linux/elf.h | 2 +-
kernel/user.c | 13 ++
kernel/user_namespace.c | 3 +
mm/mmap.c | 6 -
mm/nommu.c | 5 -
11 files changed, 443 insertions(+), 228 deletions(-)
--
Kees Cook
* [GIT PULL] pstore updates for v6.7-rc1
@ 2023-10-30 17:05 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-10-30 17:05 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Jiasheng Jiang, Kees Cook, Tudor Ambarus
Hi Linus,
Please pull these small pstore updates for v6.7-rc1.
Thanks!
-Kees
The following changes since commit ce9ecca0238b140b88f43859b211c9fdfd8e5b70:
Linux 6.6-rc2 (2023-09-17 14:40:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.7-rc1
for you to fetch changes up to a19d48f7c5d57c0f0405a7d4334d1d38fe9d3c1c:
pstore/platform: Add check for kstrdup (2023-10-12 09:47:01 -0700)
----------------------------------------------------------------
pstore updates for v6.7-rc1
- Check for out-of-memory condition during initialization (Jiasheng Jiang)
- Fix documentation typos (Tudor Ambarus)
----------------------------------------------------------------
Jiasheng Jiang (1):
pstore/platform: Add check for kstrdup
Tudor Ambarus (2):
docs: pstore-blk.rst: use "about" as a preposition after "care"
docs: pstore-blk.rst: fix typo, s/console/ftrace
Documentation/admin-guide/pstore-blk.rst | 8 ++++----
fs/pstore/platform.c | 9 ++++++++-
2 files changed, 12 insertions(+), 5 deletions(-)
--
Kees Cook
* [GIT PULL] hardening updates for v6.7-rc1
@ 2023-10-30 17:02 56% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-10-30 17:02 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Mark Rutland, Elena Reshetova,
Ricardo Cañuelo, Gustavo A. R. Silva, Justin Stitt,
Azeem Shaikh, Lukas Bulwahn, Amit Shah, Arnd Bergmann,
Baoquan He, David Windsor, Douglas Anderson, Hans Liljestrand,
Joseph Qi, Lukas Loidolt, Michael Ellerman, Michal Simek,
Mimi Zohar, Stanislaw Gruszka, Stephen Boyd, Vasant Hegde,
Viresh Kumar, Xiubo Li, linux-hardening
Hi Linus,
Please pull these kernel hardening updates for v6.7-rc1. As always,
changes made outside of the more traditional kernel hardening areas of the
tree are patches that were either explicitly asked to be carried by the
respective maintainers or were reviewed by others but ignored by regular
maintainers for the duration of the development window. One of the more
voluminous set of changes is for adding the new __counted_by annotation[1]
to gain run-time bounds checking of dynamically sized arrays with UBSan.
Thanks!
-Kees
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/compiler_attributes.h?h=v6.6#n97
The following changes since commit ce9ecca0238b140b88f43859b211c9fdfd8e5b70:
Linux 6.6-rc2 (2023-09-17 14:40:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.7-rc1
for you to fetch changes up to 9cca73d7b4bfec75b2fcef751015f31691afa792:
hwmon: (acpi_power_meter) replace open-coded kmemdup_nul (2023-10-24 14:10:53 -0700)
----------------------------------------------------------------
hardening updates for v6.7-rc1
- Add LKDTM test for stuck CPUs (Mark Rutland)
- Improve LKDTM selftest behavior under UBSan (Ricardo Cañuelo)
- Refactor more 1-element arrays into flexible arrays (Gustavo A. R. Silva)
- Analyze and replace strlcpy and strncpy uses (Justin Stitt, Azeem Shaikh)
- Convert group_info.usage to refcount_t (Elena Reshetova)
- Add __counted_by annotations (Kees Cook, Gustavo A. R. Silva)
- Add Kconfig fragment for basic hardening options (Kees Cook, Lukas Bulwahn)
- Fix randstruct GCC plugin performance mode to stay in groups (Kees Cook)
- Fix strtomem() compile-time check for small sources (Kees Cook)
----------------------------------------------------------------
Azeem Shaikh (2):
init/version.c: Replace strlcpy with strscpy
kobject: Replace strlcpy with strscpy
Elena Reshetova (1):
groups: Convert group_info.usage to refcount_t
Gustavo A. R. Silva (5):
nouveau/svm: Replace one-element array with flexible-array member in struct nouveau_svm
nouveau/svm: Split assignment from if conditional
drm/gud: Use size_add() in call to struct_size()
usb: atm: Use size_add() in call to struct_size()
ima: Add __counted_by for struct modsig and use struct_size()
Justin Stitt (13):
um,ethertap: Replace deprecated strncpy() with strscpy()
auxdisplay: panel: Replace deprecated strncpy() with strtomem_pad()
bus: fsl-mc: Replace deprecated strncpy() with strscpy_pad()
cpufreq: Replace deprecated strncpy() with strscpy()
cpuidle: dt: Replace deprecated strncpy() with strscpy()
firmware: tegra: bpmp: Replace deprecated strncpy() with strscpy_pad()
HID: prodikeys: Replace deprecated strncpy() with strscpy()
hwmon: (ibmpowernv) Replace deprecated strncpy() with memcpy()
hwmon: (asus_wmi_sensors) Replace deprecated strncpy() with strscpy()
EDAC/mc_sysfs: Replace deprecated strncpy() with memcpy()
isdn: replace deprecated strncpy with strscpy
isdn: kcapi: replace deprecated strncpy with strscpy_pad
hwmon: (acpi_power_meter) replace open-coded kmemdup_nul
Kees Cook (32):
hardening: Provide Kconfig fragments for basic options
MAINTAINERS: hardening: Add __counted_by regex
accel/ivpu: Annotate struct ivpu_job with __counted_by
MAINTAINERS: hardening: Add Gustavo as Reviewer
ocfs2: Annotate struct ocfs2_slot_info with __counted_by
ceph: Annotate struct ceph_osd_request with __counted_by
afs: Annotate struct afs_permits with __counted_by
afs: Annotate struct afs_addr_list with __counted_by
usb: Annotate struct urb_priv with __counted_by
usb: gadget: f_fs: Annotate struct ffs_buffer with __counted_by
usb: gadget: f_midi: Annotate struct f_midi with __counted_by
drbd: Annotate struct fifo_buffer with __counted_by
dm raid: Annotate struct raid_set with __counted_by
dm crypt: Annotate struct crypt_config with __counted_by
dm: Annotate struct stripe_c with __counted_by
dm: Annotate struct dm_stat with __counted_by
dm: Annotate struct dm_bio_prison with __counted_by
nfs41: Annotate struct nfs4_file_layout_dsaddr with __counted_by
NFS/flexfiles: Annotate struct nfs4_ff_layout_segment with __counted_by
sparc: Annotate struct cpuinfo_tree with __counted_by
hwmon: Annotate struct gsc_hwmon_platform_data with __counted_by
virt: acrn: Annotate struct vm_memory_region_batch with __counted_by
KVM: Annotate struct kvm_irq_routing_table with __counted_by
irqchip/imx-intmux: Annotate struct intmux_data with __counted_by
drivers: thermal: tsens: Annotate struct tsens_priv with __counted_by
mailbox: zynqmp: Annotate struct zynqmp_ipi_pdata with __counted_by
randstruct: Fix gcc-plugin performance mode to stay in group
string: Adjust strtomem() logic to allow for smaller sources
MAINTAINERS: Include stackleak paths in hardening entry
virtio_console: Annotate struct port_buffer with __counted_by
kexec: Annotate struct crash_mem with __counted_by
reset: Annotate struct reset_control_array with __counted_by
Lukas Bulwahn (1):
hardening: x86: drop reference to removed config AMD_IOMMU_V2
Mark Rutland (1):
lkdtm/bugs: add test for panic() with stuck secondary CPUs
Ricardo Cañuelo (1):
selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
MAINTAINERS | 6 ++
arch/arm/configs/hardening.config | 7 ++
arch/arm64/configs/hardening.config | 22 ++++++
arch/powerpc/configs/hardening.config | 10 +++
arch/sparc/kernel/cpumap.c | 2 +-
arch/um/os-Linux/drivers/ethertap_user.c | 2 +-
arch/x86/configs/hardening.config | 14 ++++
drivers/accel/ivpu/ivpu_job.h | 2 +-
drivers/auxdisplay/panel.c | 7 +-
drivers/block/drbd/drbd_int.h | 2 +-
drivers/bus/fsl-mc/dprc.c | 12 ++--
drivers/char/virtio_console.c | 2 +-
drivers/cpufreq/cpufreq.c | 4 +-
drivers/cpuidle/dt_idle_states.c | 4 +-
drivers/edac/edac_mc_sysfs.c | 4 +-
drivers/firmware/tegra/bpmp-debugfs.c | 4 +-
drivers/gpu/drm/gud/gud_pipe.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_svm.c | 5 +-
drivers/hid/hid-prodikeys.c | 8 +--
drivers/hwmon/acpi_power_meter.c | 5 +-
drivers/hwmon/asus_wmi_sensors.c | 2 +-
drivers/hwmon/ibmpowernv.c | 2 +-
drivers/irqchip/irq-imx-intmux.c | 2 +-
drivers/isdn/capi/kcapi.c | 4 +-
drivers/isdn/mISDN/clock.c | 2 +-
drivers/mailbox/zynqmp-ipi-mailbox.c | 2 +-
drivers/md/dm-bio-prison-v1.c | 2 +-
drivers/md/dm-crypt.c | 2 +-
drivers/md/dm-raid.c | 2 +-
drivers/md/dm-stats.c | 2 +-
drivers/md/dm-stripe.c | 2 +-
drivers/misc/lkdtm/bugs.c | 30 +++++++-
drivers/reset/core.c | 4 +-
drivers/thermal/qcom/tsens.h | 2 +-
drivers/usb/atm/usbatm.c | 3 +-
drivers/usb/gadget/function/f_fs.c | 2 +-
drivers/usb/gadget/function/f_midi.c | 4 +-
drivers/usb/host/ohci.h | 2 +-
drivers/usb/host/xhci.h | 2 +-
drivers/virt/acrn/acrn_drv.h | 2 +-
drivers/virt/acrn/mm.c | 2 +-
fs/afs/internal.h | 4 +-
fs/nfs/filelayout/filelayout.h | 2 +-
fs/nfs/flexfilelayout/flexfilelayout.h | 2 +-
fs/ocfs2/slot_map.c | 2 +-
include/linux/ceph/osd_client.h | 2 +-
include/linux/crash_core.h | 2 +-
include/linux/cred.h | 7 +-
include/linux/kvm_host.h | 2 +-
include/linux/platform_data/gsc_hwmon.h | 2 +-
include/linux/string.h | 7 +-
init/version.c | 6 +-
kernel/configs/hardening.config | 98 +++++++++++++++++++++++++++
kernel/cred.c | 2 +-
kernel/groups.c | 2 +-
lib/kobject_uevent.c | 8 +--
scripts/gcc-plugins/randomize_layout_plugin.c | 11 ++-
security/integrity/ima/ima_modsig.c | 6 +-
tools/testing/selftests/lkdtm/config | 1 -
tools/testing/selftests/lkdtm/tests.txt | 3 +-
60 files changed, 280 insertions(+), 90 deletions(-)
create mode 100644 arch/arm/configs/hardening.config
create mode 100644 arch/arm64/configs/hardening.config
create mode 100644 arch/powerpc/configs/hardening.config
create mode 100644 arch/x86/configs/hardening.config
create mode 100644 kernel/configs/hardening.config
--
Kees Cook
^ permalink raw reply [relevance 56%]
* [GIT PULL] seccomp fix for v6.6-rc7
@ 2023-10-19 0:53 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-10-19 0:53 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrei Vagin, Jiri Slaby (SUSE),
Kees Cook, Peter Zijlstra (Intel)
Hi Linus,
Please pull this seccomp fix for v6.6-rc7.
Thanks!
-Kees
The following changes since commit ce9ecca0238b140b88f43859b211c9fdfd8e5b70:
Linux 6.6-rc2 (2023-09-17 14:40:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v6.6-rc7
for you to fetch changes up to 31c65705a8cfa5f80d3824c686ab74b0409ee76d:
perf/benchmark: fix seccomp_unotify benchmark for 32-bit (2023-10-18 17:47:18 -0700)
----------------------------------------------------------------
seccomp fix for v6.6-rc7
- Fix seccomp_unotify perf benchmark for 32-bit (Jiri Slaby)
----------------------------------------------------------------
Jiri Slaby (SUSE) (1):
perf/benchmark: fix seccomp_unotify benchmark for 32-bit
tools/arch/x86/include/uapi/asm/unistd_32.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] hardening fixes for v6.6-rc3
@ 2023-09-23 3:49 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-09-23 3:49 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Alexey Dobriyan, linux-hardening
On Fri, Sep 22, 2023 at 04:55:45PM -0700, Linus Torvalds wrote:
> On Fri, 22 Sept 2023 at 09:59, Kees Cook <keescook@chromium.org> wrote:
> >
> > - Fix UAPI stddef.h to avoid C++-ism (Alexey Dobriyan)
>
> Ugh. Did we really have to make two different versions of that define?
>
> Ok, so C++ did something stupid wrt an empty struct. Fine.
>
> But I think we could have still shared the same definition by just
> using the same 'zero-sized array' trick, regardless of any 'empty
> struct has a size in C++'.
>
> IOW, wouldn't this just work universally, without any "two completely
> different versions" hack?
>
> #define __DECLARE_FLEX_ARRAY(TYPE, NAME) \
>         struct { \
>                 char __empty_ ## NAME[0]; \
>                 TYPE NAME[]; \
>         }
>
> I didn't test. I'm just hating on that '#ifdef __cplusplus'.
Yeah, I had the same thought[1], but in the end I left it the way Alexey
suggested for one decent reason, and one weak reason:
1) As discovered[2] while porting this helper to ACPICA, using a flexible
array in a struct like this does not fly with MSVC, so for MSVC
ingesting UAPI, having the separate struct is likely more robust.
2) __cplusplus is relatively common in UAPI headers already:
$ git grep __cplusplus -- include/uapi | wc -l
58
-Kees
[1] https://lore.kernel.org/all/202309151208.C99747375@keescook/
[2] https://github.com/acpica/acpica/pull/837
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] hardening fixes for v6.6-rc3
@ 2023-09-22 16:59 92% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2023-09-22 16:59 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Alexey Dobriyan, Kees Cook
Hi Linus,
Please pull these hardening fixes for v6.6-rc3. These have been in -next
for a week now.
Thanks!
-Kees
The following changes since commit 5f536ac6a5a7b67351e4e5ae4f9e1e57d31268e6:
LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by (2023-08-25 16:07:30 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc3
for you to fetch changes up to 32a4ec211d4164e667d9d0b807fadf02053cd2e9:
uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (2023-09-13 20:09:49 -0700)
----------------------------------------------------------------
hardening fixes for v6.6-rc3
- Fix UAPI stddef.h to avoid C++-ism (Alexey Dobriyan)
- Fix harmless UAPI stddef.h header guard endif (Alexey Dobriyan)
----------------------------------------------------------------
Alexey Dobriyan (2):
uapi: stddef.h: Fix header guard location
uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++
include/uapi/linux/stddef.h | 7 +++++++
1 file changed, 7 insertions(+)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] bcachefs
@ 2023-09-07 0:03 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-09-07 0:03 UTC (permalink / raw)
To: Kent Overstreet
Cc: Nathan Chancellor, torvalds, linux-kernel, linux-fsdevel, linux-bcachefs
On Wed, Sep 06, 2023 at 03:28:47PM -0700, Nathan Chancellor wrote:
> Hi Kent,
>
> On Sat, Sep 02, 2023 at 11:25:55PM -0400, Kent Overstreet wrote:
> > here's the bcachefs pull request, for 6.6. Hopefully everything
> > outstanding from the previous PR thread has been resolved; the block
> > layer prereqs are in now via Jens's tree and the dcache helper has a
> > reviewed-by from Christian.
>
> I pulled this into mainline locally and did an LLVM build, which found
> an immediate issue. It appears the bcachefs code uses zero length
It looks like this series hasn't been in -next at all? That seems like a
pretty important step.
Also, when I look at the PR, it seems to be a branch history going
back _years_. For this kind of a feature, I'd expect a short series of
"here's the code" in incremental additions (e.g. look at the x86 shstk
series), not the development history from it being out of tree -- this
could easily lead to ugly bisection problems, etc.
-Kees
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] pstore fix for v6.6-rc1
@ 2023-09-01 18:27 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-09-01 18:27 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Eric Biggers, Herbert Xu,
Kees Cook, Linus Torvalds
Hi Linus,
Please pull this pstore fix for v6.6-rc1. This should solve the
issues[1] you saw after the initial v6.6-rc1 pull.
Thanks!
-Kees
[1] https://lore.kernel.org/lkml/CAHk-=wi_WxZ2dEsQR0-wDtYAh4sxVEQkU7HK5JSboVv7v7NwcQ@mail.gmail.com/
The following changes since commit af58740d8b06a6a97b7594235a1be11bd6aa37fa:
pstore: Fix kernel-doc warning (2023-08-18 13:27:28 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.6-rc1-fix
for you to fetch changes up to 94160062396d7e7cff4ed69320ffc5e22d51a0ab:
pstore: Base compression input buffer size on estimated compressed size (2023-08-31 13:58:49 -0700)
----------------------------------------------------------------
pstore fix for v6.6-rc1
- Adjust sizes of buffers to avoid uncompress failures (Ard Biesheuvel)
----------------------------------------------------------------
Ard Biesheuvel (1):
pstore: Base compression input buffer size on estimated compressed size
fs/pstore/platform.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] pstore updates for v6.6-rc1
@ 2023-08-30 17:00 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-08-30 17:00 UTC (permalink / raw)
To: Ard Biesheuvel
Cc: Eric Biggers, Linus Torvalds, Kees Cook, linux-kernel, Enlin Mu,
Guilherme G. Piccoli, Matthew Wilcox (Oracle),
Yunlong Xing, Yuxiao Zhang
On Wed, Aug 30, 2023 at 09:48:48AM +0200, Ard Biesheuvel wrote:
> In any case, I'll rate limit the error so it doesn't clutter up the logs.
Great; thanks for looking at it!
A related issue I'm going to tackle is dealing with the risk of
ever-growing record counts for backends that don't treat their storage
as a circular buffer. (e.g. ramoops will overwrite the latest record
when it runs out of empty areas, but EFI will just keep on writing new
records.) It's clear we can't depend on userspace to do this clean-up.
I think pstore tossing the oldest records above a (configurable) limit
(say, 32) per dump type makes sense...
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] pstore updates for v6.6-rc1
@ 2023-08-29 3:44 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2023-08-29 3:44 UTC (permalink / raw)
To: Linus Torvalds
Cc: Kees Cook, linux-kernel, Ard Biesheuvel, Enlin Mu, Eric Biggers,
Guilherme G. Piccoli, Matthew Wilcox (Oracle),
Yunlong Xing, Yuxiao Zhang
On Mon, Aug 28, 2023 at 06:44:02PM -0700, Linus Torvalds wrote:
> The only thing that is new is the kernel pstore implementation. Why
> was this not a problem before? The warning existed back then too, but
> I never actually got it.
Right -- if the compression method from before was different, it'll fail
now. (i.e. we removed everything but zlib.)
> I get the feeling that you are overlooking that basic fact.
That's why I was wondering about the prior config; it could confirm the
default compression algo. But digging around it seems like zlib is the
default in the F37 kernel config. I'll keep looking; there is clearly
some combination I don't know.
I remain concerned about why there are 124. That's a LOT, and without
prior warnings, I don't know why systemd-pstore wasn't removing them.
Can you send me "ls -la /sys/fs/pstore" ? Maybe they aren't a dump type
that systemd knows about.
I will try to reproduce this with an F37 image...
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] pstore updates for v6.6-rc1
@ 2023-08-29 1:28 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2023-08-29 1:28 UTC (permalink / raw)
To: Linus Torvalds, Kees Cook
Cc: linux-kernel, Ard Biesheuvel, Enlin Mu, Eric Biggers,
Guilherme G. Piccoli, Matthew Wilcox (Oracle),
Yunlong Xing, Yuxiao Zhang
On August 28, 2023 4:56:00 PM PDT, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>On Mon, 28 Aug 2023 at 11:21, Kees Cook <keescook@chromium.org> wrote:
>>
>> Please pull these pstore updates for v6.6-rc1. This contains a fair bit
>> of code _removal_ which is always nice.
>
>Hmm. The diffstat certainly looks good, but the end result isn't great..
>
>I now get 124 lines of
>
> pstore: zlib_inflate() failed, ret = -5!
>
>in my bootup dmesg.
>
>Considering that there's no reason for pstore to even be active on
>this machine, I think it's because pstore now goes and tries to
>uncompress something entirely invalid.
>
>The message itself does not seem to be new, but with the switch from
>the crypto code, it apparently used to be
>
> crypto_comp_decompress failed, ret = %d!
>
>but the key word here is *apparently*. I never got that message
>before. So something else has changed, and I'm thinking that the old
>code probably didn't even try to decompress the bogus data it found?
>
>I dunno. But 124 lines of insane garbage in the kernel messages is not
>a good thing.
Oh dear! That's obviously unexpected. I have so many questions. :P
- does this happen at every boot? (I assume yes.)
- what CONFIG are you built with?
- what was the prior CONFIG?
- what backend is in use? (Or better yet, what does "dmesg | grep pstore" report?)
- are you using systemd?
Decompression is only attempted if it's a valid record. If the records aren't being removed after boot (i.e. unlinked from /sys/fs/pstore) they won't get cleared. Normally systemd-pstore moves everything to /var/lib/systemd/pstore. But that must not be happening since you keep seeing the warnings.
That you have 124 of these makes me think you've got the EFI backend (CONFIG_EFI_VARS_PSTORE) built and it's default enabled (CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=n). The latter config was created to keep the EFI backend from filling the EFI variable space. I think distros started setting it to "n" once systemd-pstore was added, which keeps the EFI variables from piling up...
So, I assume either systemd-pstore isn't running for you or something has gone sideways with it. And since I did testing of "changed compression type" without systemd-pstore, I bet systemd-pstore ignores the failed records...
https://github.com/systemd/systemd/blob/599a3124849819ba5af0a71b7572e87256814881/src/pstore/pstore.c#L225
Yup. Ugh. (Though I still find it odd that you have 124 records...)
Let me think about the best way to deal with this. I expect I'll have pstore wipe the failed records as it is expressly not expected to work across differing configs/kernel versions. And permanently spewing errors is not ok.
In the meantime, you can make the warnings go away with:
rm /sys/fs/pstore/*enc.z
--
Kees Cook
^ permalink raw reply [relevance 92%]
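The triage described in the message above (records left behind in /sys/fs/pstore, including the `*enc.z` ones that could not be decompressed) and the per-dump-type cap of 32 proposed in the 2023-08-30 reply can be previewed from userspace before anything is deleted. This is an added example, not code from the thread, pstore or systemd; it assumes record files are named `<type>-<backend>-<id>` with `.enc.z` appended for records left compressed, and the helper names and sample records are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict
from typing import NamedTuple, Optional

# Assumed naming: "<type>-<backend>-<id>", plus ".enc.z" when the kernel left
# the record compressed (the files that "rm /sys/fs/pstore/*enc.z" matches).
# The type itself may contain "-", so it is matched non-greedily.
NAME_RE = re.compile(
    r"^(?P<type>.+?)-(?P<backend>[^-]+)-(?P<id>\d+)(?P<enc>\.enc\.z)?$")


class Record(NamedTuple):
    name: str
    dump_type: str
    backend: str
    record_id: int
    still_compressed: bool
    mtime: float


def parse_record(name: str, mtime: float = 0.0) -> Optional[Record]:
    """Split one file name into its fields; None for names that do not fit."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    return Record(name, m["type"], m["backend"], int(m["id"]),
                  m["enc"] is not None, mtime)


def scan(mount: str = "/sys/fs/pstore") -> list:
    """Read-only listing of the records under a pstore mount."""
    records = []
    for entry in os.scandir(mount):
        if not entry.is_file(follow_symlinks=False):
            continue
        mtime = entry.stat(follow_symlinks=False).st_mtime
        rec = parse_record(entry.name, mtime)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records) -> dict:
    """Per dump type: (total records, records still compressed)."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r.dump_type][0] += 1
        counts[r.dump_type][1] += int(r.still_compressed)
    return {k: tuple(v) for k, v in counts.items()}


def over_limit(records, keep: int = 32) -> list:
    """Records a keep-newest-`keep`-per-dump-type policy would drop."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r.dump_type].append(r)
    drop = []
    for recs in by_type.values():
        recs.sort(key=lambda r: (r.mtime, r.record_id))  # oldest first
        drop.extend(recs[:max(0, len(recs) - keep)])
    return sorted(drop, key=lambda r: (r.dump_type, r.mtime, r.record_id))


def build_sample(root: str) -> str:
    """Constructed stand-in for /sys/fs/pstore (names and times are made up)."""
    names = ["dmesg-efi-1001.enc.z", "dmesg-efi-1002.enc.z", "dmesg-efi-1003",
             "dmesg-efi-1004", "dmesg-efi-1005", "console-ramoops-0",
             "powerpc-ofw-nvram-7", "README"]
    for age, name in enumerate(names):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.utime(path, (1_700_000_000 + age, 1_700_000_000 + age))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        recs = scan(build_sample(tmp))
        for dump_type, (total, enc) in sorted(summarize(recs).items()):
            print(f"{dump_type}: {total} records, {enc} still compressed")
        for r in over_limit(recs, keep=3):
            print("would drop:", r.name)
```

Pointing `scan()` at the real mount only lists entries; nothing is unlinked, so the output can be reviewed before any clean-up is run.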
* [GIT PULL] hardening updates for v6.6-rc1
@ 2023-08-28 18:42 70% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-08-28 18:42 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andy Shevchenko, Anton Ivanov, Azeem Shaikh,
Christian Brauner, David Windsor, Elena Reshetova,
Gustavo A. R. Silva, Hans Liljestrand, Jann Horn,
Jarkko Sakkinen, Juergen Gross, Justin Stitt, Marco Elver,
Mark Rutland, Miguel Ojeda, Mimi Zohar, Nathan Chancellor,
Nick Desaulniers, Song Liu, Steven Rostedt (Google),
Yonghong Song, Zhen Lei, linux-hardening
Hi Linus,
Please pull these hardening updates for v6.6-rc1. As has become normal,
changes are scattered around the tree (either explicitly maintainer
Acked or for trivial stuff that went ignored). Details in the log below,
and all have been in -next for a while.
Thanks!
-Kees
The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:
Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.6-rc1
for you to fetch changes up to 5f536ac6a5a7b67351e4e5ae4f9e1e57d31268e6:
LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by (2023-08-25 16:07:30 -0700)
----------------------------------------------------------------
hardening updates for v6.6-rc1
- Carve out the new CONFIG_LIST_HARDENED as a more focused subset of
CONFIG_DEBUG_LIST (Marco Elver).
- Fix kallsyms lookup failure under Clang LTO (Yonghong Song).
- Clarify documentation for CONFIG_UBSAN_TRAP (Jann Horn).
- Flexible array member conversion not carried in other tree (Gustavo
A. R. Silva).
- Various strlcpy() and strncpy() removals not carried in other trees
(Azeem Shaikh, Justin Stitt).
- Convert nsproxy.count to refcount_t (Elena Reshetova).
- Add handful of __counted_by annotations not carried in other trees,
as well as an LKDTM test.
- Fix build failure with gcc-plugins on GCC 14+.
- Fix selftests to respect SKIP for signal-delivery tests.
- Fix CFI warning for paravirt callback prototype.
- Clarify documentation for seq_show_option_n() usage.
----------------------------------------------------------------
Azeem Shaikh (4):
soc: fsl: qe: Replace all non-returning strlcpy with strscpy
um: Remove strlcpy declaration
perf: Replace strlcpy with strscpy
EISA: Replace all non-returning strlcpy with strscpy
Elena Reshetova (1):
nsproxy: Convert nsproxy.count to refcount_t
Gustavo A. R. Silva (1):
alpha: Replace one-element array with flexible-array member
Jann Horn (1):
ubsan: Clarify Kconfig text for CONFIG_UBSAN_TRAP
Justin Stitt (2):
um: vector: refactor deprecated strncpy
um: refactor deprecated strncpy to memcpy
Kees Cook (8):
seq_file: seq_show_option_n() is used for precise sizes
x86/paravirt: Fix tlb_remove_table function callback prototype warning
selftests/harness: Actually report SKIP for signal tests
gcc-plugins: Rename last_stmt() for GCC 14+
Compiler Attributes: counted_by: Adjust name and identifier expansion
lkdtm: Add FAM_BOUNDS test for __counted_by
integrity: Annotate struct ima_rule_opt_list with __counted_by
LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by
Marco Elver (4):
compiler_types: Introduce the Clang __preserve_most function attribute
list_debug: Introduce inline wrappers for debug checks
list: Introduce CONFIG_LIST_HARDENED
hardening: Move BUG_ON_DATA_CORRUPTION to hardening options
Yonghong Song (2):
kallsyms: Fix kallsyms_selftest failure
kallsyms: Change func signature for cleanup_symbol_name()
arch/alpha/kernel/osf_sys.c | 2 +-
arch/arm64/kvm/hyp/nvhe/Makefile | 2 +-
arch/arm64/kvm/hyp/nvhe/list_debug.c | 8 ++-
arch/um/drivers/mconsole_kern.c | 4 +-
arch/um/drivers/vector_user.c | 4 +-
arch/um/include/shared/user.h | 1 -
arch/um/os-Linux/umid.c | 6 +-
arch/x86/kernel/paravirt.c | 8 ++-
drivers/eisa/eisa-bus.c | 2 +-
drivers/misc/lkdtm/bugs.c | 51 +++++++++++++++--
drivers/soc/fsl/qe/qe.c | 4 +-
include/linux/compiler_attributes.h | 26 ++++-----
include/linux/compiler_types.h | 28 +++++++++
include/linux/dm-verity-loadpin.h | 2 +-
include/linux/list.h | 89 +++++++++++++++++++++++++++--
include/linux/nsproxy.h | 7 +--
include/linux/seq_file.h | 7 ++-
include/uapi/linux/stddef.h | 4 ++
kernel/events/core.c | 6 +-
kernel/kallsyms.c | 27 ++++-----
kernel/kallsyms_selftest.c | 23 +-------
kernel/nsproxy.c | 4 +-
lib/Kconfig.debug | 21 +++----
lib/Kconfig.ubsan | 10 +++-
lib/Makefile | 2 +-
lib/list_debug.c | 16 +++---
scripts/gcc-plugins/gcc-common.h | 4 ++
security/Kconfig.hardening | 23 ++++++++
security/integrity/ima/ima_policy.c | 4 +-
security/loadpin/loadpin.c | 3 +-
tools/testing/selftests/kselftest_harness.h | 11 ++--
31 files changed, 286 insertions(+), 123 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 70%]
* [GIT PULL] pstore updates for v6.6-rc1
@ 2023-08-28 18:21 89% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2023-08-28 18:21 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Enlin Mu, Eric Biggers,
Guilherme G. Piccoli, Kees Cook, Matthew Wilcox (Oracle),
Yunlong Xing, Yuxiao Zhang
Hi Linus,
Please pull these pstore updates for v6.6-rc1. This contains a fair bit
of code _removal_ which is always nice. Changes have been in -next for
most of the development cycle.
Thanks!
-Kees
The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:
Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.6-rc1
for you to fetch changes up to af58740d8b06a6a97b7594235a1be11bd6aa37fa:
pstore: Fix kernel-doc warning (2023-08-18 13:27:28 -0700)
----------------------------------------------------------------
pstore updates for v6.6-rc1
- Greatly simplify compression support (Ard Biesheuvel).
- Avoid crashes for corrupted offsets when prz size is 0 (Enlin Mu).
- Expand range of usable record sizes (Yuxiao Zhang).
- Fix kernel-doc warning (Matthew Wilcox).
----------------------------------------------------------------
Ard Biesheuvel (2):
pstore: Remove worst-case compression size logic
pstore: Replace crypto API compression with zlib_deflate library calls
Enlin Mu (1):
pstore/ram: Check start of empty przs during init
Matthew Wilcox (Oracle) (1):
pstore: Fix kernel-doc warning
Yuxiao Zhang (1):
pstore: Support record sizes larger than kmalloc() limit
fs/pstore/Kconfig | 100 ++-------------
fs/pstore/inode.c | 2 +-
fs/pstore/platform.c | 353 +++++++++++++++++----------------------------------
fs/pstore/ram.c | 11 +-
fs/pstore/ram_core.c | 17 ++-
5 files changed, 137 insertions(+), 346 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 89%]
* [GIT PULL] seccomp updates for v6.6-rc1
@ 2023-08-28 18:15 79% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-08-28 18:15 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrei Vagin, Andy Lutomirski, Arnd Bergmann,
Arnd Bergmann, Kees Cook, kernel test robot, Lecopzer Chen,
linux-arm-kernel, Oleg Nesterov, Peter Oskolkov,
Peter Zijlstra (Intel),
Russell King, Will Drewry
Hi Linus,
Please pull these seccomp updates for v6.6-rc1. These changes touch stuff
that doesn't normally look like things related to seccomp (sched, perf,
arm), but it is intentional. :) Each has been acked by maintainers and
have been in -next for a while.
Thanks!
-Kees
The following changes since commit fdf0eaf11452d72945af31804e2a1048ee1b574c:
Linux 6.5-rc2 (2023-07-16 15:10:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v6.6-rc1
for you to fetch changes up to 46822860a5a9a5a558475d323a55c8aab0b54012:
seccomp: Add missing kerndoc notations (2023-08-17 12:32:15 -0700)
----------------------------------------------------------------
seccomp updates for v6.6-rc1
- Provide USER_NOTIFY flag for synchronous mode (Andrei Vagin, Peter
Oskolkov). This touches the scheduler and perf but has been Acked by
Peter Zijlstra.
- Fix regression in syscall skipping and restart tracing on arm32.
This touches arch/arm/ but has been Acked by Arnd Bergmann.
----------------------------------------------------------------
Andrei Vagin (5):
seccomp: don't use semaphore and wait_queue together
sched: add a few helpers to wake up tasks on the current cpu
seccomp: add the synchronous mode for seccomp_unotify
selftest/seccomp: add a new test for the sync mode of seccomp_user_notify
perf/benchmark: add a new benchmark for seccom_unotify
Kees Cook (4):
selftests/seccomp: Handle arm32 corner cases better
ARM: ptrace: Restore syscall restart tracing
ARM: ptrace: Restore syscall skipping for tracers
seccomp: Add missing kerndoc notations
Peter Oskolkov (1):
sched: add WF_CURRENT_CPU and externise ttwu
arch/arm/include/asm/syscall.h | 3 +
arch/arm/kernel/entry-common.S | 1 +
arch/arm/kernel/ptrace.c | 5 +-
include/linux/completion.h | 1 +
include/linux/swait.h | 2 +-
include/linux/wait.h | 3 +
include/uapi/linux/seccomp.h | 4 +
kernel/sched/completion.c | 26 ++--
kernel/sched/core.c | 5 +-
kernel/sched/fair.c | 4 +
kernel/sched/sched.h | 13 +-
kernel/sched/swait.c | 8 +-
kernel/sched/wait.c | 5 +
kernel/seccomp.c | 84 ++++++++++--
tools/arch/x86/include/uapi/asm/unistd_32.h | 3 +
tools/arch/x86/include/uapi/asm/unistd_64.h | 3 +
tools/perf/bench/Build | 1 +
tools/perf/bench/bench.h | 1 +
tools/perf/bench/sched-seccomp-notify.c | 178 ++++++++++++++++++++++++++
tools/perf/builtin-bench.c | 1 +
tools/testing/selftests/seccomp/seccomp_bpf.c | 67 +++++++++-
21 files changed, 384 insertions(+), 34 deletions(-)
create mode 100644 tools/perf/bench/sched-seccomp-notify.c
--
Kees Cook
^ permalink raw reply [relevance 79%]
* [GIT PULL] hardening fixes for v6.5-rc6
@ 2023-08-08 21:16 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-08-08 21:16 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Gustavo A. R. Silva, Hans de Goede, Kees Cook,
Larry Finger, Vikash Garodia
Hi Linus,
Please pull these couple of hardening fixes for v6.5-rc6.
Thanks!
-Kees
The following changes since commit ec7633de404e7ce704d8f79081b97bca5b616c23:
sparc: mark __arch_xchg() as __always_inline (2023-07-13 09:54:32 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.5-rc6
for you to fetch changes up to cdddb626dc053a2bbe8be4150e9b67395130a683:
media: venus: Use struct_size_t() helper in pkt_session_unset_buffers() (2023-07-27 10:11:11 -0700)
----------------------------------------------------------------
hardening fixes for v6.5-rc6
- Replace remaining open-coded struct_size_t() instance (Gustavo A. R. Silva)
- Adjust vboxsf's trailing arrays to be proper flexible arrays
----------------------------------------------------------------
Gustavo A. R. Silva (1):
media: venus: Use struct_size_t() helper in pkt_session_unset_buffers()
Kees Cook (1):
vboxsf: Use flexible arrays for trailing string member
drivers/media/platform/qcom/venus/hfi_cmds.c | 4 ++--
fs/vboxsf/shfl_hostintf.h | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] hardening fixes for v6.5-rc2
@ 2023-07-16 0:42 86% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-07-16 0:42 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andi Shyti, Andy Shevchenko, Arnd Bergmann,
Guenter Roeck, Kees Cook, Mark Rutland, Nick Desaulniers,
Palmer Dabbelt, Petr Pavlu, Sam Ravnborg, Song Liu,
Yonghong Song, Zhen Lei
Hi Linus,
Please pull this odd collection of hardening fixes for v6.5-rc2. I
included the somewhat unrelated sparc fix[1] since no one else had picked
it up yet, it was Acked, it had been pinged by the regression tracker,
and I was on CC. :)
Thanks!
-Kees
[1] https://lore.kernel.org/lkml/20230628094938.2318171-1-arnd@kernel.org/
The following changes since commit 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5:
Linux 6.5-rc1 (2023-07-09 13:53:13 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.5-rc2
for you to fetch changes up to ec7633de404e7ce704d8f79081b97bca5b616c23:
sparc: mark __arch_xchg() as __always_inline (2023-07-13 09:54:32 -0700)
----------------------------------------------------------------
hardening fixes for v6.5-rc2
- Remove LTO-only suffixes from promoted global function symbols (Yonghong Song)
- Remove unused .text..refcount section from vmlinux.lds.h (Petr Pavlu)
- Add missing __always_inline to sparc __arch_xchg() (Arnd Bergmann)
- Claim maintainership of string routines
----------------------------------------------------------------
Arnd Bergmann (1):
sparc: mark __arch_xchg() as __always_inline
Kees Cook (1):
MAINTAINERS: Foolishly claim maintainership of string routines
Petr Pavlu (1):
vmlinux.lds.h: Remove a reference to no longer used sections .text..refcount
Yonghong Song (1):
kallsyms: strip LTO-only suffixes from promoted global functions
MAINTAINERS | 5 ++++-
arch/sparc/include/asm/cmpxchg_32.h | 2 +-
arch/sparc/include/asm/cmpxchg_64.h | 2 +-
include/asm-generic/vmlinux.lds.h | 1 -
kernel/kallsyms.c | 5 ++---
scripts/kallsyms.c | 6 +++---
6 files changed, 11 insertions(+), 10 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 86%]
* Re: [GIT PULL] bcachefs
@ 2023-07-12 19:48 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-07-12 19:48 UTC (permalink / raw)
To: Kent Overstreet
Cc: torvalds, linux-kernel, linux-fsdevel, linux-bcachefs, djwong,
dchinner, sandeen, willy, josef, tytso, bfoster, jack,
andreas.gruenbacher, brauner, peterz, akpm, dhowells, snitzer
On Tue, Jul 11, 2023 at 10:54:59PM -0400, Kent Overstreet wrote:
> - Prereq patch series has been pruned down a bit more; also Mike
> Snitzer suggested putting those patches in their own branch:
>
> https://evilpiepirate.org/git/bcachefs.git/log/?h=bcachefs-prereqs
>
> "iov_iter: copy_folio_from_iter_atomic()" was dropped and replaced
> with willy's "iov_iter: Handle compound highmem pages in
> copy_page_from_iter_atomic()"; he said he'd try to send this for -rc4
> since it's technically a bug fix; in the meantime, it'll be getting
> more testing from my users.
>
> The two lockdep patches have been dropped for now; the
> bcachefs-for-upstream branch is switched back to
> lockdep_set_novalidate_class() for btree node locks.
>
> six locks, mean and variance have been moved into fs/bcachefs/ for
> now; this means there's a new prereq patch to export
> osq_(lock|unlock)
>
> The remaining prereq patches are pretty trivial, with the exception
> of "block: Don't block on s_umount from __invalidate_super()". I
> would like to get a reviewed-by for that patch, and it wouldn't hurt
> for others.
>
> previously posting:
> https://lore.kernel.org/linux-bcachefs/20230509165657.1735798-1-kent.overstreet@linux.dev/T/#m34397a4d39f5988cc0b635e29f70a6170927746f
Can you send these prereqs out again, with maintainers CCed
appropriately? (I think some feedback from the prior revision needs to
be addressed first, though. For example, __flatten already exists, etc.)
--
Kees Cook
* [GIT PULL] hardening updates for v6.5-rc1-fixes
@ 2023-07-07 18:12 91% Kees Cook
From: Kees Cook @ 2023-07-07 18:12 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Borislav Petkov (AMD),
Geert Uytterhoeven, Greg Kroah-Hartman, Gustavo A. R. Silva,
Kees Cook, Matthias Kaehlcke, Mirsad Todorovac
Hi Linus,
Please pull these handful of kernel hardening fixes for v6.5-rc1.
Thanks!
-Kees
The following changes since commit acf15e07eb06507c69f92394c36052677029b0a8:
netfilter: ipset: Replace strlcpy with strscpy (2023-06-20 13:35:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.5-rc1-fixes
for you to fetch changes up to 01f23c5f1526f5b6ff744887aa511b9e69d4401b:
usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array (2023-07-05 14:11:30 -0700)
----------------------------------------------------------------
hardening fixes for v6.5-rc1
- Check for NULL bdev in LoadPin (Matthias Kaehlcke)
- Revert unwanted KUnit FORTIFY build default
- Fix 1-element array causing boot warnings with xhci-hub
----------------------------------------------------------------
Kees Cook (2):
Revert "fortify: Allow KUnit test to build without FORTIFY"
usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array
Matthias Kaehlcke (1):
dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter
drivers/md/dm-verity-loadpin.c | 3 +++
include/uapi/linux/usb/ch9.h | 6 +++++-
lib/Kconfig.debug | 2 +-
lib/fortify_kunit.c | 14 --------------
4 files changed, 9 insertions(+), 16 deletions(-)
--
Kees Cook
* Re: [GIT PULL] pid: use flex array
@ 2023-06-30 16:59 92% ` Kees Cook
From: Kees Cook @ 2023-06-30 16:59 UTC (permalink / raw)
To: Christian Brauner; +Cc: Linus Torvalds, linux-kernel
On Fri, Jun 30, 2023 at 10:04:14AM +0200, Christian Brauner wrote:
> On Fri, Jun 30, 2023 at 12:12:22AM -0700, Linus Torvalds wrote:
> > On Thu, 29 Jun 2023 at 23:51, Christian Brauner <brauner@kernel.org> wrote:
> > >
> > > I have no preference for either syntax. Both work. But this is probably
> > > more an objection to this being mixed in with the flex array change in
> > > the first place.
> >
> > Yes. I looked at it, and tried to figure out if it was related
> > somehow, and decided that no, it can't possibly be, and must be just
> > an unrelated change.
Yes, those changes were style changes because I was annoyed that a grep
for 'numbers[' didn't turn anything up. :P Since it's an array I think
it's just good form to use [] when accessing an element. But yes, it's
conceptually the same.
> > > I did react to that in the original review here:
> > > https://lore.kernel.org/all/20230518-zuneigen-brombeeren-0a57cd32b1a7@brauner
> > > but then I grepped for it and saw it done in a few other places already
> >
> > Yeah, we do end up growing new uses of 'use 0 as a pointer' almost as
> > quickly as we get rid of them.
Apologies on this -- this patch was just before the addition of
struct_size_t(), so I missed it in the cleanup I did for that:
https://git.kernel.org/linus/d67790ddf0219aa0ad3e13b53ae0a7619b3425a2
> I've grepped around a bit and I saw that the
> struct_size((struct bla *)NULL, ...)
> pattern seems to be used in most places that have similar needs. Not
> sure if there's something nicer.
The above patch fixes them all (excepting struct pid). In retrospect, I
should have asked to carry the struct pid fix in the hardening tree due
to that.
> I gave this thing a stab myself since I have a few minutes and so Kees
> doesn't have to do it. Authorship retained and dropped the ack. Is the
> following more acceptable?
Thanks for reworking it!
> [...]
> [brauner: dropped unrelated changes and remove 0 with NULL cast]
However, this should use struct_size_t(); I'll send a new patch and
double check that UBSAN stays happy, etc.
Sorry for the mess!
-Kees
--
Kees Cook
* Re: [GIT PULL] hardening updates for v6.5-rc1
@ 2023-06-28 16:29 80% ` Kees Cook
From: Kees Cook @ 2023-06-28 16:29 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Linus Torvalds, Alexander Lobakin, Alexander Potapenko,
Alex Deucher, Andy Shevchenko, Arnd Bergmann, Arne Welzel,
Azeem Shaikh, Bill Wendling, Conor Dooley, Darrick J. Wong,
Dave Hansen, Fangrui Song, Gustavo A. R. Silva, Hans de Goede,
Jakub Kicinski, Jan Kara, Joe Perches, John Paul Adrian Glaubitz,
John Stultz, Jozsef Kadlecsik, Marco Elver, Martin K. Petersen,
Masami Hiramatsu, Miguel Ojeda, Nathan Chancellor,
Nick Desaulniers, Palmer Dabbelt, Simon Horman, Song Liu,
Thorsten Leemhuis, Tyrel Datwyler, Wyes Karny, linux-kernel,
linux-hardening
On Tue, Jun 27, 2023 at 11:20:05PM -0700, Christoph Hellwig wrote:
> On Tue, Jun 27, 2023 at 05:34:57PM -0700, Kees Cook wrote:
> > - The under-development compiler attribute __counted_by has been added
> > so that we can start annotating flexible array members with their
> > associated structure member that tracks the count of flexible array
> > elements at run-time. It is possible (likely?) that the exact syntax
> > of the attribute will change before it is finalized, but GCC and Clang
> > are working together to sort it out. Any changes can be made to the
> > macro while we continue to add annotations. As an example, I have a
> > treewide commit waiting with such annotations found via Coccinelle:
> > https://git.kernel.org/linus/adc5b3cb48a049563dc673f348eab7b6beba8a9b
> > See commit dd06e72e68bcb4070ef211be100d2896e236c8fb for more details.
>
> So I've been following the discussion of that feature for clang and
> I can't wait to actually be able to use it.
Me too! :)
> But this feels a bit premature to me, not only due to the ongoing
> discussions on the syntax, but more importantly because I fear it
I was on the fence about this too, and in the end, I decided that any
syntax changes are going to be mostly mechanical, and in the meantime
we needed a way to capture the associations. This has been a pain point
for years as we've been doing flexible array conversions, since when
doing the work it usually becomes clear which struct member is tracking
the element count, but that information couldn't be reliably recorded
anywhere. Now we can include the annotation (which is the really important
part). If/when the exact syntax changes, we can either adjust the macro,
or at worst we can easily do a tree-wide change. But I really want to
start capturing the associations _now_, and get us all into the habit
of doing it, and I want it to be through some kind of regular syntax
(now that there are patches to both GCC and Clang that can validate the
results), not just comments.
> will be completely misused before we have a compiler actually supporting
> available widely enough that we have it in the usual test bots.
How do you see it being misused? Your mention of the test bots, I think,
means you're worried the annotations will go unchecked for valid syntax?
FWIW, I've got builders with the GCC and Clang patches that should catch
this.
--
Kees Cook
* [GIT PULL] hardening updates for v6.5-rc1
@ 2023-06-28 0:34 49% Kees Cook
From: Kees Cook @ 2023-06-28 0:34 UTC (permalink / raw)
To: Linus Torvalds
Cc: Alexander Lobakin, Alexander Potapenko, Alex Deucher,
Andy Shevchenko, Arnd Bergmann, Arne Welzel, Azeem Shaikh,
Bill Wendling, Christoph Hellwig, Conor Dooley, Darrick J. Wong,
Dave Hansen, Fangrui Song, Gustavo A. R. Silva, Hans de Goede,
Jakub Kicinski, Jan Kara, Joe Perches, John Paul Adrian Glaubitz,
John Stultz, Jozsef Kadlecsik, Kees Cook, Marco Elver,
Martin K. Petersen, Masami Hiramatsu, Miguel Ojeda,
Nathan Chancellor, Nick Desaulniers, Palmer Dabbelt,
Simon Horman, Song Liu, Thorsten Leemhuis, Tyrel Datwyler,
Wyes Karny, linux-kernel, linux-hardening
Hi Linus,
Please pull these hardening updates for v6.5-rc1. There are 3 areas of
note:
- A bunch of strlcpy()->strscpy() conversions ended up living in my tree
since they were either Acked by maintainers for me to carry, or got
ignored for multiple weeks (and were trivial changes).
- The compiler option -fstrict-flex-arrays=3 has been enabled globally,
and has been in -next for the entire devel cycle. This changes compiler
diagnostics (though mainly just -Warray-bounds which is disabled) and
potential UBSAN_BOUNDS and FORTIFY _warning_ coverage. In other words,
there are no new restrictions, just potentially new warnings. Any new
FORTIFY warnings we've seen have been fixed (usually in their
respective subsystem trees). For more details, see commit
df8fc4e934c12b906d08050d7779f292b9c5c6b5.
- The under-development compiler attribute __counted_by has been added
so that we can start annotating flexible array members with their
associated structure member that tracks the count of flexible array
elements at run-time. It is possible (likely?) that the exact syntax
of the attribute will change before it is finalized, but GCC and Clang
are working together to sort it out. Any changes can be made to the
macro while we continue to add annotations. As an example, I have a
treewide commit waiting with such annotations found via Coccinelle:
https://git.kernel.org/linus/adc5b3cb48a049563dc673f348eab7b6beba8a9b
See commit dd06e72e68bcb4070ef211be100d2896e236c8fb for more details.
These and the other updates and fixes are noted below.
Thanks!
-Kees
The following changes since commit f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6:
Linux 6.4-rc2 (2023-05-14 12:51:40 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.5-rc1
for you to fetch changes up to acf15e07eb06507c69f92394c36052677029b0a8:
netfilter: ipset: Replace strlcpy with strscpy (2023-06-20 13:35:37 -0700)
----------------------------------------------------------------
hardening updates for v6.5-rc1
- Fix KMSAN vs FORTIFY in strlcpy/strlcat (Alexander Potapenko)
- Convert strreplace() to return string start (Andy Shevchenko)
- Flexible array conversions (Arnd Bergmann, Wyes Karny, Kees Cook)
- Add missing function prototypes seen with W=1 (Arnd Bergmann)
- Fix strscpy() kerndoc typo (Arne Welzel)
- Replace strlcpy() with strscpy() across many subsystems which were
either Acked by respective maintainers or were trivial changes that
went ignored for multiple weeks (Azeem Shaikh)
- Remove unneeded cc-option test for UBSAN_TRAP (Nick Desaulniers)
- Add KUnit tests for strcat()-family
- Enable KUnit tests of FORTIFY wrappers under UML
- Add more complete FORTIFY protections for strlcat()
- Add missed disabling of FORTIFY for all arch purgatories.
- Enable -fstrict-flex-arrays=3 globally
- Tightening UBSAN_BOUNDS when using GCC
- Improve checkpatch to check for strcpy, strncpy, and fake flex arrays
- Improve use of const variables in FORTIFY
- Add requested struct_size_t() helper for types not pointers
- Add __counted_by macro for annotating flexible array size members
----------------------------------------------------------------
Alexander Potapenko (1):
string: use __builtin_memcpy() in strlcpy/strlcat
Andy Shevchenko (3):
jbd2: Avoid printing outside the boundary of the buffer
lib/string_helpers: Change returned value of the strreplace()
kobject: Use return value of strreplace()
Arnd Bergmann (2):
autofs: use flexible array in ioctl structure
ubsan: add prototypes for internal functions
Arne Welzel (1):
fortify: strscpy: Fix flipped q and p docstring typo
Azeem Shaikh (27):
dlm: Replace all non-returning strlcpy with strscpy
NFS: Prefer strscpy over strlcpy calls
vboxsf: Replace all non-returning strlcpy with strscpy
scsi: ibmvscsi: Replace all non-returning strlcpy with strscpy
scsi: qedi: Replace all non-returning strlcpy with strscpy
scsi: bnx2i: Replace all non-returning strlcpy with strscpy
scsi: aacraid: Replace all non-returning strlcpy with strscpy
scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy
tracing: Replace all non-returning strlcpy with strscpy
drm/radeon: Replace all non-returning strlcpy with strscpy
drm/amd/pm: Replace all non-returning strlcpy with strscpy
befs: Replace all non-returning strlcpy with strscpy
ftrace: Replace all non-returning strlcpy with strscpy
drm/display/dp_mst: Replace all non-returning strlcpy with strscpy
drm/rockchip: Replace all non-returning strlcpy with strscpy
drm/mediatek: Replace all non-returning strlcpy with strscpy
drm/sun4i: hdmi: Replace all non-returning strlcpy with strscpy
drm/i2c: tda998x: Replace all non-returning strlcpy with strscpy
staging: most: Replace all non-returning strlcpy with strscpy
clocksource: Replace all non-returning strlcpy with strscpy
Hexagon: Replace all non-returning strlcpy with strscpy
sparc64: Replace all non-returning strlcpy with strscpy
of/flattree: Replace all non-returning strlcpy with strscpy
sh: Replace all non-returning strlcpy with strscpy
kallsyms: Replace all non-returning strlcpy with strscpy
uml: Replace strlcpy with strscpy
netfilter: ipset: Replace strlcpy with strscpy
Kees Cook (18):
ubsan: Tighten UBSAN_BOUNDS on GCC
kunit: tool: Enable CONFIG_FORTIFY_SOURCE under UML
fortify: Allow KUnit test to build without FORTIFY
string: Add Kunit tests for strcat() family
fortify: Use const variables for __member_size tracking
fortify: Add protection for strlcat()
fortify: strcat: Move definition to use fortified strlcat()
kbuild: Enable -fstrict-flex-arrays=3
overflow: Add struct_size_t() helper
md/raid5: Convert stripe_head's "dev" to flexible array member
lkdtm/bugs: Switch from 1-element array to flexible array
Compiler Attributes: Add __counted_by macro
checkpatch: Check for strcpy and strncpy too
x86/purgatory: Do not use fortified string functions
s390/purgatory: Do not use fortified string functions
riscv/purgatory: Do not use fortified string functions
checkpatch: Check for 0-length and 1-element arrays
um: Use HOST_DIR for mrproper
Nick Desaulniers (1):
ubsan: remove cc-option test for UBSAN_TRAP
Wyes Karny (1):
acpi: Replace struct acpi_table_slit 1-element array with flex-array
Documentation/filesystems/autofs-mount-control.rst | 2 +-
Documentation/filesystems/autofs.rst | 2 +-
MAINTAINERS | 1 +
Makefile | 6 +
arch/hexagon/kernel/setup.c | 6 +-
arch/microblaze/kernel/prom.c | 2 +-
arch/riscv/purgatory/Makefile | 2 +-
arch/s390/purgatory/Makefile | 2 +-
arch/sh/drivers/dma/dma-api.c | 2 +-
arch/sh/kernel/setup.c | 4 +-
arch/sparc/kernel/ioport.c | 2 +-
arch/sparc/kernel/setup_32.c | 2 +-
arch/sparc/kernel/setup_64.c | 2 +-
arch/sparc/prom/bootstr_32.c | 2 +-
arch/um/Makefile | 2 +-
arch/um/include/shared/user.h | 1 +
arch/um/os-Linux/drivers/tuntap_user.c | 2 +-
arch/x86/purgatory/Makefile | 2 +-
drivers/gpu/drm/amd/amdgpu/atom.c | 2 +-
drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 2 +-
drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
drivers/gpu/drm/display/drm_dp_mst_topology.c | 2 +-
drivers/gpu/drm/drm_mipi_dsi.c | 2 +-
drivers/gpu/drm/i2c/tda998x_drv.c | 2 +-
drivers/gpu/drm/mediatek/mtk_hdmi_ddc.c | 2 +-
drivers/gpu/drm/radeon/radeon_atombios.c | 4 +-
drivers/gpu/drm/radeon/radeon_combios.c | 4 +-
drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
drivers/gpu/drm/sun4i/sun4i_hdmi_i2c.c | 2 +-
drivers/md/raid5.c | 4 +-
drivers/md/raid5.h | 2 +-
drivers/misc/lkdtm/bugs.c | 4 +-
drivers/most/configfs.c | 8 +-
drivers/net/ethernet/intel/ice/ice_ddp.h | 9 +-
drivers/nvme/host/fc.c | 8 +-
drivers/scsi/3w-9xxx.c | 2 +-
drivers/scsi/aacraid/aachba.c | 2 +-
drivers/scsi/bnx2i/bnx2i_init.c | 2 +-
drivers/scsi/hptiop.c | 4 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 6 +-
drivers/scsi/megaraid/megaraid_sas_base.c | 12 +-
drivers/scsi/megaraid/megaraid_sas_fp.c | 6 +-
drivers/scsi/qedi/qedi_main.c | 2 +-
drivers/scsi/smartpqi/smartpqi_init.c | 2 +-
fs/befs/btree.c | 2 +-
fs/befs/linuxvfs.c | 2 +-
fs/dlm/config.c | 4 +-
fs/jbd2/journal.c | 6 +-
fs/nfs/nfsroot.c | 2 +-
fs/vboxsf/super.c | 2 +-
fs/xfs/libxfs/xfs_btree.h | 2 +-
fs/xfs/scrub/btree.h | 2 +-
include/acpi/actbl3.h | 2 +-
include/linux/compiler_attributes.h | 13 ++
include/linux/fortify-string.h | 161 ++++++++++++++-------
include/linux/overflow.h | 18 ++-
include/linux/string.h | 2 +-
include/uapi/linux/auto_dev-ioctl.h | 2 +-
kernel/kallsyms.c | 4 +-
kernel/params.c | 2 +-
kernel/time/clocksource.c | 2 +-
kernel/trace/ftrace.c | 18 +--
kernel/trace/trace.c | 8 +-
kernel/trace/trace_events.c | 4 +-
kernel/trace/trace_events_inject.c | 4 +-
kernel/trace/trace_kprobe.c | 2 +-
kernel/trace/trace_probe.c | 2 +-
lib/Kconfig.debug | 7 +-
lib/Kconfig.ubsan | 57 ++++----
lib/Makefile | 1 +
lib/fortify_kunit.c | 14 ++
lib/kobject.c | 3 +-
lib/overflow_kunit.c | 2 +-
lib/strcat_kunit.c | 104 +++++++++++++
lib/string.c | 4 +-
lib/string_helpers.c | 12 +-
lib/ubsan.c | 3 -
lib/ubsan.h | 11 ++
net/netfilter/ipset/ip_set_hash_netiface.c | 10 +-
scripts/Makefile.ubsan | 2 +-
scripts/checkpatch.pl | 24 ++-
tools/testing/kunit/configs/all_tests.config | 2 +
tools/testing/kunit/configs/arch_uml.config | 3 +
84 files changed, 467 insertions(+), 203 deletions(-)
create mode 100644 lib/strcat_kunit.c
--
Kees Cook
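Added example (not part of any message in this archive, and not kernel code): a userspace C illustration of the two ideas in the messages above, sizing a flexible-array allocation with overflow saturation (the job of struct_size()/struct_size_t()) and tying the array to the member that holds its element count (what __counted_by records). COUNTED_BY, flex_size() and struct sample_set are hypothetical names; the attribute spelling counted_by is an assumption about the compiler and is skipped when the compiler does not provide it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the kernel's __counted_by() macro: use the
 * compiler attribute when it exists, expand to nothing otherwise. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(member) __attribute__((counted_by(member)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(member)
#endif

/* Constructed sample type: a header followed by a flexible array member
 * whose element count is tracked in 'count'. */
struct sample_set {
	size_t count;
	uint32_t values[] COUNTED_BY(count);
};

/* Bytes needed for a header plus n trailing elements. Saturates to
 * SIZE_MAX when the arithmetic would wrap, so a wrapped (too small)
 * size can never reach the allocator. */
size_t flex_size(size_t header, size_t elem, size_t n)
{
	size_t bytes;

	if (__builtin_mul_overflow(elem, n, &bytes) ||
	    __builtin_add_overflow(bytes, header, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Allocate a zeroed set with room for n values, or NULL on failure. */
struct sample_set *sample_set_alloc(size_t n)
{
	struct sample_set *s;
	/* sizeof does not evaluate its operand, so 's' is not dereferenced. */
	size_t bytes = flex_size(sizeof(*s), sizeof(s->values[0]), n);

	if (bytes == SIZE_MAX)
		return NULL;
	s = calloc(1, bytes);
	if (!s)
		return NULL;
	s->count = n;	/* record the count before any access to values[] */
	return s;
}

/* Store v at idx; -1 if idx is outside the counted range. */
int sample_set_put(struct sample_set *s, size_t idx, uint32_t v)
{
	if (idx >= s->count)
		return -1;
	s->values[idx] = v;
	return 0;
}

/* Load the value at idx into *out; -1 if idx is outside the counted range. */
int sample_set_get(const struct sample_set *s, size_t idx, uint32_t *out)
{
	if (idx >= s->count)
		return -1;
	*out = s->values[idx];
	return 0;
}

int main(void)
{
	struct sample_set *s = sample_set_alloc(4);
	uint32_t v = 0;

	if (!s)
		return 1;
	printf("put idx 3: %d\n", sample_set_put(s, 3, 7));
	printf("get idx 3: %d (value %u)\n", sample_set_get(s, 3, &v), (unsigned)v);
	printf("get idx 4: %d\n", sample_set_get(s, 4, &v));
	printf("oversized request rejected: %d\n",
	       sample_set_alloc(SIZE_MAX / sizeof(uint32_t)) == NULL);
	free(s);
	return 0;
}
```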
* [GIT PULL] pstore updates for v6.5-rc1
@ 2023-06-27 23:55 92% Kees Cook
From: Kees Cook @ 2023-06-27 23:55 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Guilherme G. Piccoli, Jiasheng Jiang, Kees Cook,
Uwe Kleine-König
Hi Linus,
Please pull these tiny pstore updates for v6.5-rc1.
Thanks!
-Kees
The following changes since commit ac9a78681b921877518763ba0e89202254349d1b:
Linux 6.4-rc1 (2023-05-07 13:34:35 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.5-rc1
for you to fetch changes up to d97038d5ec2062733c1e016caf9baaf68cf64ea1:
pstore/ram: Add check for kstrdup (2023-06-14 11:52:10 -0700)
----------------------------------------------------------------
pstore updates for v6.5-rc1
- Check for out-of-memory condition (Jiasheng Jiang)
- Convert to platform remove callback returning void (Uwe Kleine-König)
----------------------------------------------------------------
Jiasheng Jiang (1):
pstore/ram: Add check for kstrdup
Uwe Kleine-König (1):
pstore/ram: Convert to platform remove callback returning void
fs/pstore/ram.c | 6 ++----
fs/pstore/ram_core.c | 2 ++
2 files changed, 4 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] execve updates for v6.5-rc1
@ 2023-06-27 23:43 92% Kees Cook
From: Kees Cook @ 2023-06-27 23:43 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Baruch Siach, Christophe JAILLET,
Eric W. Biederman, Fangrui Song, Kees Cook
Hi Linus,
Please pull these execve updates for v6.5-rc1.
Thanks!
-Kees
The following changes since commit f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6:
Linux 6.4-rc2 (2023-05-14 12:51:40 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.5-rc1
for you to fetch changes up to aa88054b70905069d1cf706aa5e9a3418d1d341d:
binfmt_elf: fix comment typo s/reset/regset/ (2023-06-23 09:36:30 -0700)
----------------------------------------------------------------
execve updates for v6.5-rc1
- Fix a few comments for correctness and typos (Baruch Siach)
- Small simplifications for binfmt (Christophe JAILLET)
- Set p_align to 4 for PT_NOTE in core dump (Fangrui Song)
----------------------------------------------------------------
Baruch Siach (2):
elf: correct note name comment
binfmt_elf: fix comment typo s/reset/regset/
Christophe JAILLET (2):
binfmt: Use struct_size()
binfmt: Slightly simplify elf_fdpic_map_file()
Fangrui Song (1):
coredump, vmcore: Set p_align to 4 for PT_NOTE
fs/binfmt_elf.c | 4 ++--
fs/binfmt_elf_fdpic.c | 12 ++++--------
fs/proc/vmcore.c | 4 ++--
include/uapi/linux/elf.h | 3 ++-
4 files changed, 10 insertions(+), 13 deletions(-)
--
Kees Cook
* [GIT PULL] pstore update for v6.4-rc1
@ 2023-04-26 18:10 92% Kees Cook
From: Kees Cook @ 2023-04-26 18:10 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Anton Vorontsov,
Chunhui Li (李春辉),
Guilherme G. Piccoli, John Stultz, Kees Cook, kernel-team,
Midas Chien, Steven Rostedt, Tony Luck, Wei Wang
Hi Linus,
Please pull this tiny pstore update for v6.4-rc1.
Thanks!
-Kees
The following changes since commit fe15c26ee26efa11741a7b632e9f23b01aca4cc6:
Linux 6.3-rc1 (2023-03-05 14:52:03 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.4-rc1
for you to fetch changes up to 5239a89b06d6b199f133bf0ffea421683187f257:
pstore: Revert pmsg_lock back to a normal mutex (2023-03-08 15:00:25 -0800)
----------------------------------------------------------------
pstore update for v6.4-rc1
- Revert pmsg_lock back to a normal mutex (John Stultz)
----------------------------------------------------------------
John Stultz (1):
pstore: Revert pmsg_lock back to a normal mutex
fs/pstore/pmsg.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] hardening update for v6.4-rc1
@ 2023-04-26 18:09 92% Kees Cook
From: Kees Cook @ 2023-04-26 18:09 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Lobakin, Jakub Kicinski, Joel Fernandes,
Kees Cook
Hi Linus,
Please pull this tiny kernel hardening update for v6.4-rc1.
Thanks!
-Kees
The following changes since commit eeac8ede17557680855031c6f305ece2378af326:
Linux 6.3-rc2 (2023-03-12 16:36:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.4-rc1
for you to fetch changes up to b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb:
kheaders: Use array declaration instead of char (2023-03-24 20:10:59 -0700)
----------------------------------------------------------------
hardening update for v6.4-rc1
- Fix kheaders array declaration to avoid tripping FORTIFY_SOURCE
----------------------------------------------------------------
Kees Cook (1):
kheaders: Use array declaration instead of char
kernel/kheaders.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--
Kees Cook
* Re: [GIT PULL] hardening updates for v6.3-rc1
@ 2023-02-21 19:49 99% ` Kees Cook
From: Kees Cook @ 2023-02-21 19:49 UTC (permalink / raw)
To: Linus Torvalds, Kees Cook
Cc: linux-kernel, Paulo Miguel Almeida, Sam James, Andy Shevchenko,
Eric Biggers, Stephen Rothwell, linux-hardening
On February 21, 2023 11:16:33 AM PST, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>On Fri, Feb 17, 2023 at 11:38 AM Kees Cook <keescook@chromium.org> wrote:
>>
>> Please pull these hardening updates for v6.3-rc1.
>
>So I've pulled this, but while looking at it, I see commit
>5c0f220e1b2d ("Merge branch 'for-linus/hardening' into
>for-next/hardening").
>
>And that one-liner shortlog part is literally the whole commit message.
>
>I've said this before, and apparently I need to say this again: if you
>cannot be bothered to explain *WHY* a merge exists, then that merge is
>buggy garbage by definition.
Okay, understood. This was a merge of the fixes for v6.2. I'll explain that more clearly in the log from now on. :)
-Kees
--
Kees Cook
* [GIT PULL] hardening updates for v6.3-rc1
@ 2023-02-17 19:38 74% Kees Cook
From: Kees Cook @ 2023-02-17 19:38 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Paulo Miguel Almeida, Sam James, Andy Shevchenko,
Eric Biggers, Stephen Rothwell, linux-hardening
Hi Linus,
Please pull these hardening updates for v6.3-rc1. Beyond some specific
LoadPin, UBSAN, and fortify features, there are other fixes scattered
around in various subsystems where maintainers were okay with me carrying
them in my tree or were non-responsive but the patches were reviewed
by others.
Thanks!
-Kees
The following changes since commit be0d8f48ad97f5b775b0af3310343f676dbf318a:
bcache: Silence memcpy() run-time false positive warnings (2023-01-25 12:24:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.3-rc1
for you to fetch changes up to 78f7a3fd6dc66cb788c21d7705977ed13c879351:
randstruct: disable Clang 15 support (2023-02-08 15:26:58 -0800)
----------------------------------------------------------------
hardening updates for v6.3-rc1
- Replace 0-length and 1-element arrays with flexible arrays in various
subsystems (Paulo Miguel Almeida, Stephen Rothwell, Kees Cook)
- randstruct: Disable Clang 15 support (Eric Biggers)
- GCC plugins: Drop -std=gnu++11 flag (Sam James)
- strpbrk(): Refactor to use strchr() (Andy Shevchenko)
- LoadPin LSM: Allow root filesystem switching when non-enforcing
- UBSAN: Improve arm64 trap code reporting
- fortify: Use dynamic object size hints when available
- ext4: Fix CFI function prototype mismatch
- Nouveau: Fix DP buffer size arguments
- hisilicon: Wipe entire crypto DMA pool on error
- coda: Fully allocate sig_inputArgs
- copy_struct_from_user(): Add minimum bounds check on kernel buffer size
----------------------------------------------------------------
Andy Shevchenko (1):
lib/string: Use strchr() in strpbrk()
Eric Biggers (1):
randstruct: disable Clang 15 support
Kees Cook (15):
fortify: Use __builtin_dynamic_object_size() when available
ARM: ixp4xx: Replace 0-length arrays with flexible arrays
LoadPin: Refactor read-only check into a helper
LoadPin: Refactor sysctl initialization
LoadPin: Move pin reporting cleanly out of locking
LoadPin: Allow filesystem switch when not enforcing
drm/nouveau/disp: Fix nvif_outp_acquire_dp() argument size
ext4: Fix function prototype mismatch for ext4_feat_ktype
io_uring: Replace 0-length array with flexible array
net/i40e: Replace 0-length array with flexible array
crypto: hisilicon: Wipe entire pool on error
Merge branch 'for-linus/hardening' into for-next/hardening
coda: Avoid partial allocation of sig_inputArgs
arm64: Support Clang UBSAN trap codes for better reporting
uaccess: Add minimum bounds check on kernel buffer size
Paulo Miguel Almeida (1):
i915/gvt: Replace one-element array with flexible-array member
Sam James (1):
gcc-plugins: drop -std=gnu++11 to fix GCC 13 build
Stephen Rothwell (1):
rxrpc: replace zero-lenth array with DECLARE_FLEX_ARRAY() helper
arch/arm64/include/asm/brk-imm.h | 3 +
arch/arm64/kernel/traps.c | 21 +++++++
drivers/crypto/hisilicon/sgl.c | 3 +-
drivers/gpu/drm/i915/gvt/firmware.c | 4 +-
drivers/gpu/drm/nouveau/include/nvif/outp.h | 3 +-
drivers/gpu/drm/nouveau/nvif/outp.c | 2 +-
drivers/misc/lkdtm/heap.c | 1 +
drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
drivers/soc/ixp4xx/ixp4xx-npe.c | 6 +-
fs/coda/upcall.c | 2 +-
fs/ext4/sysfs.c | 7 ++-
include/linux/compiler_attributes.h | 5 ++
include/linux/fortify-string.h | 7 +++
include/linux/uaccess.h | 4 ++
include/linux/ubsan.h | 9 +++
include/uapi/linux/io_uring.h | 2 +-
lib/Makefile | 2 -
lib/string.c | 10 ++--
lib/ubsan.c | 68 ++++++++++++++++++++++
lib/ubsan.h | 32 +++++++++++
net/rxrpc/ar-internal.h | 2 +-
scripts/gcc-plugins/Makefile | 2 +-
security/Kconfig.hardening | 3 +
security/loadpin/loadpin.c | 89 +++++++++++++++++------------
24 files changed, 229 insertions(+), 60 deletions(-)
create mode 100644 include/linux/ubsan.h
--
Kees Cook
* [GIT PULL] seccomp update for v6.3-rc1
@ 2023-02-17 19:17 92% Kees Cook
From: Kees Cook @ 2023-02-17 19:17 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andy Lutomirski, Kees Cook, Randy Dunlap, Will Drewry
Hi Linus,
Please pull this tiny seccomp update for v6.3-rc1. In the future, I may
collapse these kinds of tiny changes into my larger kernel hardening tree,
but figured I wouldn't do it this time without a heads-up. :)
Thanks!
-Kees
The following changes since commit 88603b6dc419445847923fcb7fe5080067a30f98:
Linux 6.2-rc2 (2023-01-01 13:53:16 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v6.3-rc1
for you to fetch changes up to 0fb0624b15d21622c214617fda5c05a203b04564:
seccomp: fix kernel-doc function name warning (2023-01-13 17:01:06 -0800)
----------------------------------------------------------------
seccomp update for v6.3-rc1
- Fix kernel-doc function name ordering to avoid warning (Randy Dunlap)
----------------------------------------------------------------
Randy Dunlap (1):
seccomp: fix kernel-doc function name warning
kernel/seccomp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
* Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
@ 2023-02-08 19:32 90% ` Kees Cook
From: Kees Cook @ 2023-02-08 19:32 UTC (permalink / raw)
To: Mickaël Salaün
Cc: concord, linux-hardening, Linus Torvalds, Al Viro, Andrew Morton,
Christian Heimes, Geert Uytterhoeven, James Morris,
Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore,
Philippe Trébuchet, Shuah Khan, Steve Dower,
Thibaut Sautereau, Vincent Strubel, linux-fsdevel,
linux-integrity, Linux Kernel Mailing List, LSM List,
Christian Brauner, Theodore Ts'o
*thread necromancy*
On Tue, Apr 05, 2022 at 06:09:03PM +0200, Mickaël Salaün wrote:
>
> On 05/04/2022 01:26, Linus Torvalds wrote:
> > On Mon, Apr 4, 2022 at 3:25 PM Kees Cook <keescook@chromium.org> wrote:
>
> [...]
>
> >
> > > I think this already exists as AT_EACCESS? It was added with
> > > faccessat2() itself, if I'm reading the history correctly.
> >
> > Yeah, I noticed myself, I just hadn't looked (and I don't do enough
> > user-space programming to be aware of if that way).
>
> I think AT_EACCESS should be usable with the new EXECVE_OK too.
>
>
> >
> > > > (a) "what about suid bits that user space cannot react to"
> > >
> > > What do you mean here? Do you mean setid bits on the file itself?
> >
> > Right.
> >
> > Maybe we don't care.
>
> I think we don't. I think the only corner case that could be different is
> for files that are executable, SUID and non-readable. In this case it
> wouldn't matter because userspace could not read the file, which is required
> for interpretation/execution. Anyway, S[GU]ID bits in scripts are just
> ignored by execve and we want to follow the same semantic.
Hi Mickaël,
Is there a new version of this being worked on? It would be really nice
to have the O_MAYEXEC/faccessat2() visibility for script execution control
in userspace. It seems like it would be mainly a respin of an earlier
version of this series before trusted_for() was proposed.
-Kees
--
Kees Cook
* [GIT PULL] kernel hardening fixes for v6.2-rc6
@ 2023-01-27 18:59 89% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-01-27 18:59 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexandre Pereira, Andrew Morton, Coly Li,
David Gow, Guenter Roeck, Kees Cook, Kent Overstreet,
linux-bcache, linux-hardening, Nathan Chancellor,
Nick Desaulniers, Palmer Dabbelt
Hi Linus,
Please pull this small set of kernel hardening fixes for v6.2-rc6 that
haven't gone via other trees.
Thanks!
-Kees
The following changes since commit 42633ed852deadc14d44660ad71e2f6640239120:
kbuild: Fix CFI hash randomization with KASAN (2023-01-13 15:22:03 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.2-rc6
for you to fetch changes up to be0d8f48ad97f5b775b0af3310343f676dbf318a:
bcache: Silence memcpy() run-time false positive warnings (2023-01-25 12:24:50 -0800)
----------------------------------------------------------------
hardening fixes for v6.2-rc6
- Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST
- Reorganize gcc-plugin includes for GCC 13
- Silence bcache memcpy run-time false positive warnings
----------------------------------------------------------------
Kees Cook (3):
kunit: memcpy: Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST
gcc-plugins: Reorganize gimple includes for GCC 13
bcache: Silence memcpy() run-time false positive warnings
drivers/md/bcache/bcache_ondisk.h | 3 ++-
drivers/md/bcache/journal.c | 3 ++-
lib/Kconfig.debug | 9 +++++++++
lib/memcpy_kunit.c | 2 ++
scripts/gcc-plugins/gcc-common.h | 4 ++--
5 files changed, 17 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] kernel hardening fixes for v6.2-rc4
@ 2023-01-13 23:27 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2023-01-13 23:27 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Brian Norris, Greg Kroah-Hartman, Guenter Roeck,
Jack Rosenthal, Julius Werner, Kees Cook, Paul Menzel,
Peter Zijlstra, Sami Tolvanen, Stephen Boyd
Hi Linus,
Please pull these two kernel hardening fixes for v6.2-rc4.
Thanks!
-Kees
The following changes since commit 88603b6dc419445847923fcb7fe5080067a30f98:
Linux 6.2-rc2 (2023-01-01 13:53:16 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.2-rc4
for you to fetch changes up to 42633ed852deadc14d44660ad71e2f6640239120:
kbuild: Fix CFI hash randomization with KASAN (2023-01-13 15:22:03 -0800)
----------------------------------------------------------------
kernel hardening fixes for v6.2-rc4
- Fix CFI hash randomization with KASAN (Sami Tolvanen)
- Check size of coreboot table entry and use flex-array
----------------------------------------------------------------
Kees Cook (1):
firmware: coreboot: Check size of table entry and use flex-array
Sami Tolvanen (1):
kbuild: Fix CFI hash randomization with KASAN
drivers/firmware/google/coreboot_table.c | 9 +++++++--
drivers/firmware/google/coreboot_table.h | 1 +
init/Makefile | 1 +
scripts/Makefile.vmlinux | 1 +
4 files changed, 10 insertions(+), 2 deletions(-)
--
Kees Cook
* Re: [GIT PULL] kernel hardening fixes for v6.1-rc1
2022-12-23 18:10 82% [GIT PULL] kernel hardening fixes for v6.1-rc1 Kees Cook
@ 2022-12-23 18:41 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-23 18:41 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Arnd Bergmann, Daniel Díaz,
Eric W. Biederman, James Morris, Jann Horn, kernel test robot,
Kristina Martsenko, linux-hardening, linux-security-module,
Luis Chamberlain, Marco Elver, Mark Rutland, Nathan Chancellor,
Paul Moore, Peter Zijlstra, Petr Mladek, Ping-Ke Shih,
Sami Tolvanen, Sebastian Andrzej Siewior, Serge E. Hallyn,
tangmeng, Tiezhu Yang
On Fri, Dec 23, 2022 at 10:10:19AM -0800, Kees Cook wrote:
> Please pull these kernel hardening fixes for v6.1-rc1, collected over the
> last week.
Ugh. I mistyped the version obviously. This should be v6.2-rc1. I've
sent another PR with the tag fixed. Sorry about the noise.
--
Kees Cook
* [GIT PULL] kernel hardening fixes for v6.2-rc1
@ 2022-12-23 18:40 82% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-23 18:40 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Arnd Bergmann, Daniel Díaz,
Eric W. Biederman, James Morris, Jann Horn, Kees Cook,
kernel test robot, Kristina Martsenko, linux-hardening,
linux-security-module, Luis Chamberlain, Marco Elver,
Mark Rutland, Nathan Chancellor, Paul Moore, Peter Zijlstra,
Petr Mladek, Ping-Ke Shih, Sami Tolvanen,
Sebastian Andrzej Siewior, Serge E. Hallyn, tangmeng,
Tiezhu Yang
Hi Linus,
Please pull these kernel hardening fixes for v6.2-rc1. (Yay typos.)
Thanks!
-Kees
The following changes since commit d272e01fa0a2f15c5c331a37cd99c6875c7b7186:
ksmbd: replace one-element arrays with flexible-array members (2022-12-02 13:14:29 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.2-rc1-fixes
for you to fetch changes up to cf8016408d880afe9c5dc495af40dc2932874e77:
cfi: Fix CFI failure with KASAN (2022-12-23 10:04:31 -0800)
----------------------------------------------------------------
kernel hardening fixes for v6.2-rc1
- Fix CFI failure with KASAN (Sami Tolvanen)
- Fix LKDTM + CFI under GCC 7 and 8 (Kristina Martsenko)
- Limit CONFIG_ZERO_CALL_USED_REGS to Clang > 15.0.6 (Nathan Chancellor)
- Ignore "contents" argument in LoadPin's LSM hook handling
- Fix paste-o in /sys/kernel/warn_count API docs
- Use READ_ONCE() consistently for oops/warn limit reading
----------------------------------------------------------------
Kees Cook (3):
LoadPin: Ignore the "contents" argument of the LSM hooks
docs: Fix path paste-o for /sys/kernel/warn_count
exit: Use READ_ONCE() for all oops/warn limit reads
Kristina Martsenko (1):
lkdtm: cfi: Make PAC test work with GCC 7 and 8
Nathan Chancellor (1):
security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
Sami Tolvanen (1):
cfi: Fix CFI failure with KASAN
Documentation/ABI/testing/sysfs-kernel-warn_count | 2 +-
drivers/misc/lkdtm/cfi.c | 6 ++++-
kernel/Makefile | 3 ---
kernel/exit.c | 6 +++--
kernel/panic.c | 7 ++++--
security/Kconfig.hardening | 3 +++
security/loadpin/loadpin.c | 30 ++++++++++++++---------
7 files changed, 36 insertions(+), 21 deletions(-)
--
Kees Cook
* [GIT PULL] pstore updates for v6.2-rc1-fixes
@ 2022-12-23 18:38 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-23 18:38 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Anton Vorontsov, Colin Cross, Connor O'Brien,
John Stultz, Kees Cook, kernel-team, kernel test robot,
Luca Stefani, Midas Chien, Tony Luck, Wei Wang
Hi Linus,
Please pull these pstore fixes for v6.2-rc1.
Thanks!
-Kees
The following changes since commit e6b842741b4f39007215fd7e545cb55aa3d358a2:
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP (2022-12-05 16:15:09 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.2-rc1-fixes
for you to fetch changes up to beca3e311a49cd3c55a056096531737d7afa4361:
pstore: Properly assign mem_type property (2022-12-23 10:34:25 -0800)
----------------------------------------------------------------
pstore updates for v6.2-rc1-fixes
- Switch pmsg_lock to an rt_mutex to avoid priority inversion (John Stultz)
- Correctly assign mem_type property (Luca Stefani)
----------------------------------------------------------------
John Stultz (2):
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
Luca Stefani (1):
pstore: Properly assign mem_type property
fs/pstore/Kconfig | 1 +
fs/pstore/pmsg.c | 7 ++++---
fs/pstore/ram.c | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] kernel hardening fixes for v6.1-rc1
@ 2022-12-23 18:10 82% Kees Cook
2022-12-23 18:41 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-12-23 18:10 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Arnd Bergmann, Daniel Díaz,
Eric W. Biederman, James Morris, Jann Horn, Kees Cook,
kernel test robot, Kristina Martsenko, linux-hardening,
linux-security-module, Luis Chamberlain, Marco Elver,
Mark Rutland, Nathan Chancellor, Paul Moore, Peter Zijlstra,
Petr Mladek, Ping-Ke Shih, Sami Tolvanen,
Sebastian Andrzej Siewior, Serge E. Hallyn, tangmeng,
Tiezhu Yang
Hi Linus,
Please pull these kernel hardening fixes for v6.1-rc1, collected over the
last week.
Thanks!
-Kees
The following changes since commit d272e01fa0a2f15c5c331a37cd99c6875c7b7186:
ksmbd: replace one-element arrays with flexible-array members (2022-12-02 13:14:29 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc1-fixes
for you to fetch changes up to cf8016408d880afe9c5dc495af40dc2932874e77:
cfi: Fix CFI failure with KASAN (2022-12-23 10:04:31 -0800)
----------------------------------------------------------------
kernel hardening fixes for v6.1-rc1
- Fix CFI failure with KASAN (Sami Tolvanen)
- Fix LKDTM + CFI under GCC 7 and 8 (Kristina Martsenko)
- Limit CONFIG_ZERO_CALL_USED_REGS to Clang > 15.0.6 (Nathan Chancellor)
- Ignore "contents" argument in LoadPin's LSM hook handling
- Fix paste-o in /sys/kernel/warn_count API docs
- Use READ_ONCE() consistently for oops/warn limit reading
----------------------------------------------------------------
Kees Cook (3):
LoadPin: Ignore the "contents" argument of the LSM hooks
docs: Fix path paste-o for /sys/kernel/warn_count
exit: Use READ_ONCE() for all oops/warn limit reads
Kristina Martsenko (1):
lkdtm: cfi: Make PAC test work with GCC 7 and 8
Nathan Chancellor (1):
security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
Sami Tolvanen (1):
cfi: Fix CFI failure with KASAN
Documentation/ABI/testing/sysfs-kernel-warn_count | 2 +-
drivers/misc/lkdtm/cfi.c | 6 ++++-
kernel/Makefile | 3 ---
kernel/exit.c | 6 +++--
kernel/panic.c | 7 ++++--
security/Kconfig.hardening | 3 +++
security/loadpin/loadpin.c | 30 ++++++++++++++---------
7 files changed, 36 insertions(+), 21 deletions(-)
--
Kees Cook
* [GIT PULL] kernel hardening updates for v6.2-rc1
@ 2022-12-14 4:04 61% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-14 4:04 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Anders Roxell, David Gow, Eric W. Biederman,
Gustavo A. R. Silva, haifeng.xu, Nathan Chancellor,
Nick Desaulniers, Xin Li
Hi Linus,
Please pull these hardening updates for v6.2-rc1. This tree's various
collected improvements, noted below, have been in -next for a while
now. The only merge note I have is that this tree's ksize() work depends
on behavioral changes in the slab and netdev trees, but those trees have
now been merged into your tree, so there should be no surprises.
Thanks!
-Kees
The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:
Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.2-rc1
for you to fetch changes up to d272e01fa0a2f15c5c331a37cd99c6875c7b7186:
ksmbd: replace one-element arrays with flexible-array members (2022-12-02 13:14:29 -0800)
----------------------------------------------------------------
hardening updates for v6.2-rc1
- Convert flexible array members, fix -Wstringop-overflow warnings,
and fix KCFI function type mismatches that went ignored by
maintainers (Gustavo A. R. Silva, Nathan Chancellor, Kees Cook).
- Remove the remaining side-effect users of ksize() by converting
dma-buf, btrfs, and coredump to using kmalloc_size_roundup(),
add more __alloc_size attributes, and introduce full testing
of all allocator functions. Finally remove the ksize() side-effect
so that each allocation-aware checker can finally behave without
exceptions.
- Introduce oops_limit (default 10,000) and warn_limit (default off)
to provide greater granularity of control for panic_on_oops and
panic_on_warn (Jann Horn, Kees Cook).
- Introduce overflows_type() and castable_to_type() helpers for
cleaner overflow checking.
- Disable structleak plugin in FORTIFY KUnit test (Anders Roxell).
- Adjust orphan linker section checking to respect CONFIG_WERROR
(Xin Li).
- Make sure siginfo is cleared for forced SIGKILL (haifeng.xu).
- Improve code generation for strscpy() and update str*() kern-doc.
- Convert strscpy and siphash tests to KUnit, and expand memcpy
tests.
- Always use a non-NULL argument for prepare_kernel_cred().
- Fix um vs FORTIFY warnings for always-NULL arguments.
----------------------------------------------------------------
Anders Roxell (1):
lib: fortify_kunit: build without structleak plugin
Gustavo A. R. Silva (2):
mm/pgtable: Fix multiple -Wstringop-overflow warnings
ksmbd: replace one-element arrays with flexible-array members
Jann Horn (1):
exit: Put an upper limit on how often we can oops
Kees Cook (27):
overflow: Fix kern-doc markup for functions
overflow: Refactor test skips for Clang-specific issues
fortify: Capture __bos() results in const temp vars
string: Rewrite and add more kern-doc for the str*() functions
kunit/memcpy: Add dynamic size and window tests
string: Add __realloc_size hint to kmemdup()
string: Convert strscpy() self-test to KUnit
fortify: Short-circuit known-safe calls to strscpy()
siphash: Convert selftest to KUnit
fortify: Do not cast to "unsigned char"
cred: Do not default to init_cred in prepare_kernel_cred()
dma-buf: Proactively round up to kmalloc bucket size
btrfs: send: Proactively round up to kmalloc bucket size
coredump: Proactively round up to kmalloc bucket size
overflow: Introduce overflows_type() and castable_to_type()
Merge branch 'for-linus/hardening' into for-next/hardening
driver core: Add __alloc_size hint to devm allocators
kunit/fortify: Validate __alloc_size attribute results
mm: Make ksize() a reporting-only function
panic: Separate sysctl logic from CONFIG_SMP
exit: Expose "oops_count" to sysfs
exit: Allow oops_limit to be disabled
panic: Consolidate open-coded panic_on_warn checks
panic: Introduce warn_limit
panic: Expose "warn_count" to sysfs
um: virt-pci: Avoid GCC non-NULL warning
hpet: Replace one-element array with flexible-array member
Nathan Chancellor (3):
vmlinux.lds.h: Fix placement of '.data..decrypted' section
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
Nick Desaulniers (1):
overflow: disable failing tests for older clang versions
Xin Li (1):
kbuild: upgrade the orphan section warning to an error if CONFIG_WERROR is set
haifeng.xu (1):
signal: Initialize the info in ksignal
Documentation/ABI/testing/sysfs-kernel-oops_count | 6 +
Documentation/ABI/testing/sysfs-kernel-warn_count | 6 +
Documentation/admin-guide/sysctl/kernel.rst | 19 +
Documentation/core-api/kernel-api.rst | 9 +
Documentation/driver-api/basics.rst | 3 -
MAINTAINERS | 6 +-
Makefile | 2 +-
arch/arm/boot/compressed/Makefile | 2 +-
arch/arm64/kernel/vdso/Makefile | 2 +-
arch/arm64/kernel/vdso32/Makefile | 2 +-
arch/um/drivers/virt-pci.c | 9 +-
arch/x86/boot/compressed/Makefile | 2 +-
arch/x86/mm/pgtable.c | 22 +-
drivers/base/firmware_loader/main.c | 2 +-
drivers/dma-buf/dma-resv.c | 9 +-
drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +-
drivers/gpu/drm/i915/i915_user_extensions.c | 2 +-
drivers/gpu/drm/i915/i915_utils.h | 4 -
drivers/gpu/drm/sti/sti_dvo.c | 5 +-
drivers/gpu/drm/sti/sti_hda.c | 5 +-
drivers/gpu/drm/sti/sti_hdmi.c | 5 +-
fs/btrfs/send.c | 11 +-
fs/cifs/cifs_spnego.c | 2 +-
fs/cifs/cifsacl.c | 2 +-
fs/coredump.c | 7 +-
fs/ksmbd/smb2pdu.c | 4 +-
fs/ksmbd/smb2pdu.h | 2 +-
fs/ksmbd/smb_common.c | 2 +-
fs/ksmbd/smb_common.h | 12 +-
fs/nfs/flexfilelayout/flexfilelayout.c | 4 +-
fs/nfs/nfs4idmap.c | 2 +-
fs/nfsd/nfs4callback.c | 2 +-
include/asm-generic/vmlinux.lds.h | 2 +-
include/linux/compiler.h | 1 +
include/linux/device.h | 7 +-
include/linux/fortify-string.h | 161 +++++++-
include/linux/hpet.h | 2 +-
include/linux/overflow.h | 85 +++--
include/linux/panic.h | 1 +
include/linux/string.h | 2 +-
init/Kconfig | 15 +-
kernel/cred.c | 15 +-
kernel/exit.c | 60 +++
kernel/kcsan/report.c | 3 +-
kernel/panic.c | 45 ++-
kernel/sched/core.c | 3 +-
kernel/signal.c | 1 +
lib/Kconfig.debug | 28 +-
lib/Makefile | 7 +-
lib/fortify_kunit.c | 255 +++++++++++++
lib/memcpy_kunit.c | 205 +++++++++++
lib/overflow_kunit.c | 428 +++++++++++++++++++++-
lib/{test_siphash.c => siphash_kunit.c} | 165 ++++-----
lib/string.c | 82 -----
lib/strscpy_kunit.c | 142 +++++++
lib/test_strscpy.c | 150 --------
lib/ubsan.c | 3 +-
mm/kasan/kasan_test.c | 19 +-
mm/kasan/report.c | 4 +-
mm/kfence/report.c | 3 +-
mm/slab_common.c | 26 +-
net/dns_resolver/dns_key.c | 2 +-
scripts/kernel-doc | 6 +-
63 files changed, 1601 insertions(+), 504 deletions(-)
create mode 100644 Documentation/ABI/testing/sysfs-kernel-oops_count
create mode 100644 Documentation/ABI/testing/sysfs-kernel-warn_count
rename lib/{test_siphash.c => siphash_kunit.c} (60%)
create mode 100644 lib/strscpy_kunit.c
delete mode 100644 lib/test_strscpy.c
--
Kees Cook
* [GIT PULL] execve updates for v6.2-rc1
@ 2022-12-06 0:41 77% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-06 0:41 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Viro, Alexey Dobriyan, Alexey Izbyshev,
Andrei Vagin, Bernd Edlinger, Bo Liu, Christian Brauner,
David Hildenbrand, Dmitry Safonov, Eric Biederman,
Florian Weimer, Kees Cook, Linus Torvalds, linux-fsdevel,
linux-mm, Liu Shixin, Li Zetao, Rolf Eike Beer, Wang Yufen
Hi Linus,
Please pull these execve updates for v6.2-rc1. Most are small
refactorings and bug fixes, but three things stand out: switching timens
(which got reverted before) looks solid now, FOLL_FORCE has been removed
(no failures seen yet across several weeks in -next), and some
whitespace cleanups (which are long overdue). The latter does end up
conflicting with changes from Al[1], but should be trivial to resolve.
Thanks!
-Kees
[1] https://lore.kernel.org/linux-next/20221128143704.3fe8f7b1@canb.auug.org.au/
The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:
Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.2-rc1
for you to fetch changes up to 6a46bf558803dd2b959ca7435a5c143efe837217:
binfmt_misc: fix shift-out-of-bounds in check_special_flags (2022-12-02 13:57:04 -0800)
----------------------------------------------------------------
execve updates for v6.2-rc1
- Add timens support (when switching mm). This version has survived
in -next for the entire cycle (Andrei Vagin).
- Various small bug fixes, refactoring, and readability improvements
(Bernd Edlinger, Rolf Eike Beer, Bo Liu, Li Zetao, Liu Shixin).
- Remove FOLL_FORCE for stack setup (Kees Cook).
- Whitespace cleanups (Rolf Eike Beer, Kees Cook).
----------------------------------------------------------------
Andrei Vagin (2):
fs/exec: switch timens when a task gets a new mm
selftests/timens: add a test for vfork+exit
Bernd Edlinger (1):
exec: Copy oldsighand->action under spin-lock
Bo Liu (1):
binfmt_elf: replace IS_ERR() with IS_ERR_VALUE()
Kees Cook (3):
exec: Add comments on check_unsafe_exec() fs counting
binfmt: Fix whitespace issues
exec: Remove FOLL_FORCE for stack setup
Li Zetao (1):
fs/binfmt_elf: Fix memory leak in load_elf_binary()
Liu Shixin (1):
binfmt_misc: fix shift-out-of-bounds in check_special_flags
Rolf Eike Beer (4):
ELF uapi: add spaces before '{'
exec: simplify initial stack size expansion
binfmt_elf: fix documented return value for load_elf_phdrs()
binfmt_elf: simplify error handling in load_elf_phdrs()
Wang Yufen (1):
binfmt: Fix error return code in load_elf_fdpic_binary()
fs/binfmt_elf.c | 35 +++----
fs/binfmt_elf_fdpic.c | 7 +-
fs/binfmt_misc.c | 8 +-
fs/exec.c | 38 +++++---
include/linux/nsproxy.h | 1 +
include/uapi/linux/elf.h | 14 +--
kernel/fork.c | 9 --
kernel/nsproxy.c | 23 ++++-
tools/testing/selftests/timens/.gitignore | 1 +
tools/testing/selftests/timens/Makefile | 2 +-
tools/testing/selftests/timens/vfork_exec.c | 139 ++++++++++++++++++++++++++++
11 files changed, 219 insertions(+), 58 deletions(-)
create mode 100644 tools/testing/selftests/timens/vfork_exec.c
--
Kees Cook
* [GIT PULL] seccomp updates for v6.2-rc1
@ 2022-12-06 0:30 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-06 0:30 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ayushman Dutta, Christian Brauner, Gautam Menghani,
Kees Cook, Kuniyuki Iwashima, Randy Dunlap,
syzbot+ab17848fe269b573eb71
Hi Linus,
Please pull these 3 seccomp updates for v6.2-rc1.
Thanks!
-Kees
The following changes since commit 247f34f7b80357943234f93f247a1ae6b6c3a740:
Linux 6.1-rc2 (2022-10-23 15:27:33 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v6.2-rc1
for you to fetch changes up to b9069728a70c23dad00684eb994a3f5295f127cf:
seccomp: document the "filter_count" field (2022-12-02 11:33:48 -0800)
----------------------------------------------------------------
seccomp updates for v6.2-rc1
- Add missing kerndoc parameter (Randy Dunlap).
- Improve seccomp selftest to check CAP_SYS_ADMIN (Gautam Menghani).
- Fix allocation leak when cloned thread immediately dies (Kuniyuki Iwashima).
----------------------------------------------------------------
Gautam Menghani (1):
selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp
Kuniyuki Iwashima (1):
seccomp: Move copy_seccomp() to no failure path.
Randy Dunlap (1):
seccomp: document the "filter_count" field
include/linux/seccomp.h | 1 +
kernel/fork.c | 17 +++++++++++------
tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++--
3 files changed, 16 insertions(+), 8 deletions(-)
--
Kees Cook
* [GIT PULL] pstore updates for v6.2-rc1
@ 2022-12-06 0:24 83% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-12-06 0:24 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Anton Vorontsov, Ard Biesheuvel,
Brian Geffon, Colin Cross, Guilherme G. Piccoli, Kees Cook,
Mike Rapoport, Paramjit Oberoi, Qiujun Huang, Stephen Boyd,
Tony Luck, Wang Yufen, WeiXiong Liao
Hi Linus,
Please pull these pstore updates for v6.2-rc1. It's a small collection
of bug fixes, refactorings, and general improvements noted below.
Thanks!
-Kees
The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:
Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.2-rc1
for you to fetch changes up to e6b842741b4f39007215fd7e545cb55aa3d358a2:
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP (2022-12-05 16:15:09 -0800)
----------------------------------------------------------------
pstore updates for v6.2-rc1
- Reporting improvements and return path fixes (Guilherme G. Piccoli,
Wang Yufen, Kees Cook).
- Clean up kmsg_bytes module parameter usage (Guilherme G. Piccoli).
- Add Guilherme to pstore MAINTAINERS entry.
- Choose friendlier allocation flags (Qiujun Huang, Stephen Boyd).
----------------------------------------------------------------
Guilherme G. Piccoli (5):
pstore: Improve error reporting in case of backend overlap
pstore: Expose kmsg_bytes as a module parameter
pstore: Inform unregistered backend names as well
efi: pstore: Follow convention for the efi-pstore backend name
pstore: Alert on backend write error
Kees Cook (5):
pstore/ram: Consolidate kfree() paths
pstore/ram: Move pmsg init earlier
pstore/ram: Move internal definitions out of kernel-wide include
pstore/ram: Set freed addresses to NULL
MAINTAINERS: Update pstore maintainers
Qiujun Huang (1):
pstore/zone: Use GFP_ATOMIC to allocate zone buffer
Stephen Boyd (1):
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
Wang Yufen (1):
pstore/ram: Fix error return code in ramoops_probe()
MAINTAINERS | 8 ++--
drivers/firmware/efi/efi-pstore.c | 2 +-
fs/pstore/platform.c | 25 ++++++++--
fs/pstore/ram.c | 44 +++++++++--------
fs/pstore/ram_core.c | 20 ++++++--
fs/pstore/ram_internal.h | 98 ++++++++++++++++++++++++++++++++++++++
fs/pstore/zone.c | 2 +-
include/linux/pstore_ram.h | 99 ---------------------------------------
8 files changed, 165 insertions(+), 133 deletions(-)
create mode 100644 fs/pstore/ram_internal.h
--
Kees Cook
* [GIT PULL] kernel hardening fix for v6.1-rc5
@ 2022-11-11 18:37 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-11-11 18:37 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Kees Cook, Nathan Chancellor, xiafukun, Zhao Wenhui
Hi Linus,
Please pull this kernel hardening fix for v6.1-rc5: a small fix for !SMP
linker section orphan handling.
Thanks!
-Kees
The following changes since commit 6f7630b1b5bc672b54c1285ee6aba752b446672c:
fortify: Capture __bos() results in const temp vars (2022-10-28 16:07:01 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc5
for you to fetch changes up to 000f8870a47bdc36730357883b6aef42bced91ee:
vmlinux.lds.h: Fix placement of '.data..decrypted' section (2022-11-08 09:59:19 -0800)
----------------------------------------------------------------
kernel hardening fix for v6.1-rc5
- Fix !SMP placement of '.data..decrypted' section (Nathan Chancellor)
----------------------------------------------------------------
Nathan Chancellor (1):
vmlinux.lds.h: Fix placement of '.data..decrypted' section
include/asm-generic/vmlinux.lds.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] hardening fix for v6.1-rc4
@ 2022-11-04 16:26 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-11-04 16:26 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Dr. David Alan Gilbert, Kees Cook, linux-hardening, llvm
Hi Linus,
Please pull this tiny kernel hardening fix for v6.1-rc4.
Thanks!
-Kees
The following changes since commit 72c3ebea375c39413d02113758319b74ecd790bd:
overflow: Refactor test skips for Clang-specific issues (2022-10-25 14:57:42 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc4
for you to fetch changes up to 6f7630b1b5bc672b54c1285ee6aba752b446672c:
fortify: Capture __bos() results in const temp vars (2022-10-28 16:07:01 -0700)
----------------------------------------------------------------
kernel hardening fix for v6.1-rc4
- Correctly report struct member size on memcpy overflow (Kees Cook)
----------------------------------------------------------------
Kees Cook (1):
fortify: Capture __bos() results in const temp vars
include/linux/fortify-string.h | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] execve fixes for v6.1-rc3
@ 2022-10-27 19:08 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-27 19:08 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexey Dobriyan, Bernd Edlinger, Kees Cook, Li Zetao
Hi Linus,
Please pull these execve fixes for v6.1-rc3.
Thanks!
-Kees
The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:
Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.1-rc3
for you to fetch changes up to 594d2a14f2168c09b13b114c3d457aa939403e52:
fs/binfmt_elf: Fix memory leak in load_elf_binary() (2022-10-25 15:11:21 -0700)
----------------------------------------------------------------
execve fixes for v6.1-rc3
- Fix an ancient signal action copy race. (Bernd Edlinger)
- Fix a memory leak in ELF loader, when under memory pressure. (Li Zetao)
----------------------------------------------------------------
Bernd Edlinger (1):
exec: Copy oldsighand->action under spin-lock
Li Zetao (1):
fs/binfmt_elf: Fix memory leak in load_elf_binary()
fs/binfmt_elf.c | 3 ++-
fs/exec.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
--
Kees Cook
* [GIT PULL] hardening fixes for v6.1-rc3
@ 2022-10-27 19:03 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-27 19:03 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Akira Yokosawa, Daniel Latypov,
Gustavo A. R. Silva, Gwan-gyeong Mun, Jonathan Corbet, Kees Cook,
linux-doc, linux-hardening, llvm, Nathan Chancellor,
Nick Desaulniers, Tom Rix
Hi Linus,
Please pull these hardening fixes for v6.1-rc3.
Thanks!
-Kees
The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:
Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc3
for you to fetch changes up to 72c3ebea375c39413d02113758319b74ecd790bd:
overflow: Refactor test skips for Clang-specific issues (2022-10-25 14:57:42 -0700)
----------------------------------------------------------------
hardening fixes for v6.1-rc3
- Fix older Clang vs recent overflow KUnit test additions. (Nick
Desaulniers, Kees Cook)
- Fix kern-doc visibility for overflow helpers. (Kees Cook)
----------------------------------------------------------------
Kees Cook (2):
overflow: Fix kern-doc markup for functions
overflow: Refactor test skips for Clang-specific issues
Nick Desaulniers (1):
overflow: disable failing tests for older clang versions
Documentation/core-api/kernel-api.rst | 6 +++++
Documentation/driver-api/basics.rst | 3 ---
include/linux/overflow.h | 38 ++++++++++++----------------
lib/overflow_kunit.c | 47 +++++++++++++++++++++++++++--------
4 files changed, 58 insertions(+), 36 deletions(-)
--
Kees Cook
* Re: [GIT PULL] Rust introduction for v6.1-rc1
@ 2022-10-01 22:50 86% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-01 22:50 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Linus Torvalds, linux-kernel, Adam Bratschi-Kaye, Alex Gaynor,
Antonio Terceiro, Björn Roy Baron, Boqun Feng,
Boris-Chengbiao Zhou, Daniel Xu, Dariusz Sosnowski, David Gow,
Douglas Su, Finn Behrens, Fox Chen, Gary Guo, Geert Stappers,
Geoffrey Thomas, Greg Kroah-Hartman, Jiapeng Chong, Joe Perches,
John Baublitz, Julian Merkle, Léo Lanteri Thauvin,
Maciej Falkowski, Martin Rodriguez Reboredo, Matthew Bakhtiari,
Matthew Wilcox, Michael Ellerman, Miguel Cano, Miguel Ojeda,
Milan Landaverde, Morgan Bartlett,
Nándor István Krácser, Nick Desaulniers,
Niklas Mohrin, Petr Mladek, Sumera Priyadarsini,
Sven Van Asbroeck, Tiago Lam, Viktor Garske,
Wedson Almeida Filho, Wei Liu, Wu XiangCheng, Yuki Okushi
On Sun, Oct 02, 2022 at 05:21:17AM +0900, Masahiro Yamada wrote:
> On Sun, Oct 2, 2022 at 12:59 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Hi Linus,
> >
> > Please pull the initial Rust support for v6.1-rc1. The tree has a recent
> > base, but has fundamentally been in linux-next for a year and a half[1].
> > It's been updated based on feedback from the Kernel Maintainer's Summit,
> > and to gain recent Reviewed-by: tags. Miguel is the primary maintainer,
> > with me helping where needed/wanted. Our plan is for the tree to switch to
> > the standard non-rebasing practice once this initial infrastructure series
> > lands. The contents are the absolute minimum to get Rust code building
> > in the kernel, with many more interfaces[2] (and drivers[3]) on the way.
> >
> > Expected conflicts are minimal:
> > - docs-next: https://lore.kernel.org/lkml/87czbegets.fsf@meer.lwn.net/
>
>
> Also, conflicts against the Kbuild tree.
Ah, yes. Apologies; I missed this while checking the list. The latest
I found are from 9/28:
https://lore.kernel.org/linux-next/20220927181647.487727-1-broonie@kernel.org/
Miguel verified the conflict resolution at the time.
> linux-next 20220930 fails to build with CONFIG_RUST=y because the merge
> conflicts between Kbuild and Rust trees were not correctly resolved.
Ah, did something change between 28 and 30?
> I will try my best to address merge conflicts when I send my pull request.
Thank you!
--
Kees Cook
^ permalink raw reply [relevance 86%]
* [GIT PULL] kernel hardening updates for v6.1-rc1
@ 2022-10-01 17:46 64% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-01 17:46 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bart Van Assche, Bill Wendling, Sami Tolvanen,
Matthias Kaehlcke, Gustavo A. R. Silva, Kees Cook
Hi Linus,
Please pull these kernel hardening updates for v6.1-rc1. Most of
the collected changes here are fixes across the tree for various
hardening features (noted in the tag commit log below).
The most notable new feature here is the addition of the memcpy()
overflow warning (under CONFIG_FORTIFY_SOURCE), which is the next step
on the path to killing the common class of "trivially detectable" buffer
overflow conditions (i.e. on arrays with sizes known at compile time)
that have resulted in many exploitable vulnerabilities over the years
(e.g. BleedingTooth).
This feature is expected to still have some undiscovered false
positives. It's been in -next for a full development cycle and all
the reported false positives have been fixed in their respective trees.
All the known-bad code patterns we could find with Coccinelle are
also either fixed in their respective trees or in flight.
The commit log[1] for the feature has extensive details, but I'll repeat
here that this is a warning _only_, and is not intended to actually block
overflows (yet). The many patches fixing array sizes and struct members
have been landing for several years now, and we're finally able to turn
this on to find any remaining stragglers.
1 expected conflict is minimal:
- https://lore.kernel.org/linux-next/20220906174946.61819060@canb.auug.org.au/
Thanks!
-Kees
[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=54d9469bc515dc5fcbc20eecbe19cea868b70d68
The following changes since commit 1c23f9e627a7b412978b4e852793c5e3c3efc555:
Linux 6.0-rc2 (2022-08-21 17:32:54 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.1-rc1
for you to fetch changes up to 2120635108b35ecad9c59c8b44f6cbdf4f98214e:
Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 (2022-10-01 07:46:05 -0700)
----------------------------------------------------------------
hardening updates for v6.1-rc1
Various fixes across several hardening areas:
- loadpin: Fix verity target enforcement (Matthias Kaehlcke).
- zero-call-used-regs: Add missing clobbers in paravirt (Bill Wendling).
- CFI: clean up sparc function pointer type mismatches (Bart Van Assche).
- Clang: Adjust compiler flag detection for various Clang changes (Sami
Tolvanen, Kees Cook).
- fortify: Fix warnings in arch-specific code in sh, ARM, and xen.
Improvements to existing features:
- testing: improve overflow KUnit test, introduce fortify KUnit test,
add more coverage to LKDTM tests (Bart Van Assche, Kees Cook).
- overflow: Relax overflow type checking for wider utility.
New features:
- string: Introduce strtomem() and strtomem_pad() to fill a gap in
strncpy() replacement needs.
- um: Enable FORTIFY_SOURCE support.
- fortify: Enable run-time struct member memcpy() overflow warning.
----------------------------------------------------------------
Bart Van Assche (4):
testing/selftests: Add tests for the is_signed_type() macro
overflow, tracing: Define the is_signed_type() macro once
lib: Improve the is_signed_type() kunit test
sparc: Unbreak the build
Bill Wendling (2):
x86/paravirt: clean up typos and grammaros
x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled
Kees Cook (17):
overflow: Allow mixed type arguments
overflow: Split up kunit tests for smaller stack frames
string: Introduce strtomem() and strtomem_pad()
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
fortify: Add KUnit test for FORTIFY_SOURCE internals
fortify: Use SIZE_MAX instead of (size_t)-1
fortify: Add run-time WARN for cross-field memcpy()
lkdtm: Update tests for memcpy() run-time warnings
um: Enable FORTIFY_SOURCE
kunit/memcpy: Avoid pathological compile-time string size
sh: machvec: Use char[] for section boundaries
fortify: Adjust KUnit test for modular build
ARM: decompressor: Include .data.rel.ro.local
x86/entry: Work around Clang __bdos() bug
fortify: Explicitly check bounds are compile-time constants
fortify: Convert to struct vs member helpers
hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero
Matthias Kaehlcke (3):
LoadPin: Fix Kconfig doc about format of file with verity digests
dm: verity-loadpin: Only trust verity targets with enforcement
LoadPin: Require file with verity root digests to have a header
Sami Tolvanen (1):
Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
Documentation/process/deprecated.rst | 11 +-
MAINTAINERS | 1 +
Makefile | 4 +-
arch/arm/boot/compressed/vmlinux.lds.S | 2 +
arch/sh/include/asm/sections.h | 2 +-
arch/sh/kernel/machvec.c | 10 +-
arch/sparc/include/asm/smp_32.h | 15 +-
arch/sparc/kernel/leon_smp.c | 12 +-
arch/sparc/kernel/sun4d_smp.c | 12 +-
arch/sparc/kernel/sun4m_smp.c | 10 +-
arch/sparc/mm/srmmu.c | 29 ++--
arch/um/Kconfig | 1 +
arch/um/os-Linux/user_syms.c | 1 +
arch/x86/include/asm/paravirt_types.h | 27 ++--
arch/x86/xen/enlighten_pv.c | 3 +-
drivers/md/dm-verity-loadpin.c | 8 ++
drivers/md/dm-verity-target.c | 16 +++
drivers/md/dm-verity.h | 1 +
drivers/misc/lkdtm/fortify.c | 96 +++++++++++--
include/linux/compiler.h | 6 +
include/linux/fortify-string.h | 245 +++++++++++++++++++++++---------
include/linux/overflow.h | 73 +++++-----
include/linux/string.h | 43 ++++++
include/linux/trace_events.h | 2 -
lib/Kconfig.debug | 21 +++
lib/Makefile | 2 +
lib/fortify_kunit.c | 76 ++++++++++
lib/is_signed_type_kunit.c | 53 +++++++
lib/memcpy_kunit.c | 59 +++++++-
lib/overflow_kunit.c | 177 ++++++++++++++++-------
scripts/Makefile.extrawarn | 1 +
security/Kconfig.hardening | 14 +-
security/loadpin/Kconfig | 7 +-
security/loadpin/loadpin.c | 16 ++-
tools/testing/selftests/lkdtm/tests.txt | 8 +-
35 files changed, 821 insertions(+), 243 deletions(-)
create mode 100644 lib/fortify_kunit.c
create mode 100644 lib/is_signed_type_kunit.c
--
Kees Cook
^ permalink raw reply [relevance 64%]
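A user-space model of the check described in the hardening pull request above (a run-time warning when a memcpy() overflows one struct member into its neighbours), added here as an illustration and not taken from the kernel's fortify code. `struct pkt`, `memcpy_field()`, `checked_copy()` and the refusal of copies that would leave the whole object are assumptions of this sketch; the destination sizes come from sizeof, so they are compile-time constants as in the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample layout: 4 + 8 + 4 = 16 bytes, no padding. */
struct pkt {
	unsigned char hdr[4];
	unsigned char payload[8];
	unsigned int flags;
};

enum copy_verdict {
	COPY_OK,          /* fits inside the named member */
	COPY_CROSS_FIELD, /* overflows the member but stays inside the struct */
	COPY_PAST_OBJECT  /* would run past the end of the whole struct */
};

static unsigned int cross_field_warnings;

/* Compare the copy length with the two bounds known for the destination. */
static enum copy_verdict classify_copy(size_t len, size_t member_size,
				       size_t object_left)
{
	if (len <= member_size)
		return COPY_OK;
	if (len <= object_left)
		return COPY_CROSS_FIELD;
	return COPY_PAST_OBJECT;
}

/*
 * Hypothetical helper: a cross-field write is reported but still performed
 * (warning only, as the pull request describes). A write past the whole
 * object is refused here so the demo itself stays memory safe.
 */
static enum copy_verdict checked_copy(void *dst, const void *src, size_t len,
				      size_t member_size, size_t object_left,
				      const char *field)
{
	enum copy_verdict v = classify_copy(len, member_size, object_left);

	if (v == COPY_PAST_OBJECT) {
		fprintf(stderr, "refused: %zu bytes into '%s', only %zu left in object\n",
			len, field, object_left);
		return v;
	}
	if (v == COPY_CROSS_FIELD) {
		cross_field_warnings++;
		fprintf(stderr, "WARN: %zu-byte write spans past field '%s' (size %zu)\n",
			len, field, member_size);
	}
	memcpy(dst, src, len);
	return v;
}

/* Both bounds are derived from the member named at the call site. */
#define memcpy_field(obj, field, src, len)                                  \
	checked_copy((obj)->field, (src), (len), sizeof((obj)->field),      \
		     (size_t)((unsigned char *)(obj) + sizeof(*(obj)) -     \
			      (unsigned char *)(obj)->field),               \
		     #field)

/* Copy len bytes of 0x41 into payload and report what happened to flags. */
static enum copy_verdict run_case(size_t len, unsigned int *flags_after)
{
	struct pkt p;
	unsigned char src[16];
	enum copy_verdict v;

	memset(&p, 0, sizeof(p));
	memset(src, 0x41, sizeof(src));
	p.flags = 0x11223344u;
	if (len > sizeof(src))
		len = sizeof(src);

	v = memcpy_field(&p, payload, src, len);
	*flags_after = p.flags;
	return v;
}

int main(void)
{
	static const size_t lens[] = { 8, 10, 13 };
	unsigned int flags;
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		enum copy_verdict v = run_case(lens[i], &flags);

		printf("len=%zu verdict=%d flags=0x%08x\n", lens[i], (int)v, flags);
	}
	printf("cross-field warnings: %u\n", cross_field_warnings);
	return 0;
}
```

The 10-byte case is the one the new warning targets: it stays inside the struct, so a whole-object bound alone would not flag it, yet it silently rewrites `flags`.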
* [GIT PULL] execve updates for v6.1-rc1
@ 2022-10-01 16:40 86% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-01 16:40 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Eric W. Biederman, Kees Cook, Lukas Bulwahn
Hi Linus,
Please pull these execve updates for v6.1-rc1. This removes a.out
support globally; it has been disabled for a while now.
Thanks!
-Kees
The following changes since commit 33a2d6bc3480f9f8ac8c8def29854f98cc8bfee2:
Revert "fs/exec: allow to unshare a time namespace on vfork+exec" (2022-09-13 10:38:43 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.1-rc1
for you to fetch changes up to 9f4beead610c83065cc0410bfe97ff51d8e9578d:
binfmt: remove taso from linux_binprm struct (2022-09-29 16:38:05 -0700)
----------------------------------------------------------------
execve updates for v6.1-rc1
- Remove a.out implementation globally (Eric W. Biederman)
- Remove unused linux_binprm::taso member (Lukas Bulwahn)
----------------------------------------------------------------
Eric W. Biederman (1):
a.out: Remove the a.out implementation
Lukas Bulwahn (1):
binfmt: remove taso from linux_binprm struct
MAINTAINERS | 1 -
arch/alpha/include/asm/a.out.h | 16 --
arch/alpha/kernel/Makefile | 4 -
arch/alpha/kernel/binfmt_loader.c | 46 -----
arch/alpha/kernel/osf_sys.c | 30 ---
arch/arm/configs/badge4_defconfig | 1 -
arch/arm/configs/corgi_defconfig | 1 -
arch/arm/configs/ezx_defconfig | 1 -
arch/arm/configs/footbridge_defconfig | 1 -
arch/arm/configs/hackkit_defconfig | 1 -
arch/arm/configs/iop32x_defconfig | 1 -
arch/arm/configs/jornada720_defconfig | 1 -
arch/arm/configs/lart_defconfig | 1 -
arch/arm/configs/neponset_defconfig | 1 -
arch/arm/configs/netwinder_defconfig | 1 -
arch/arm/configs/rpc_defconfig | 1 -
arch/arm/configs/spitz_defconfig | 1 -
fs/Kconfig.binfmt | 33 ----
fs/Makefile | 1 -
fs/binfmt_aout.c | 342 ----------------------------------
fs/exec.c | 3 +-
include/linux/a.out.h | 18 --
include/linux/binfmts.h | 3 -
23 files changed, 1 insertion(+), 508 deletions(-)
delete mode 100644 arch/alpha/include/asm/a.out.h
delete mode 100644 arch/alpha/kernel/binfmt_loader.c
delete mode 100644 fs/binfmt_aout.c
delete mode 100644 include/linux/a.out.h
--
Kees Cook
^ permalink raw reply [relevance 86%]
* [GIT PULL] kcfi updates for v6.1-rc1
@ 2022-10-01 16:36 66% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-10-01 16:36 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Josh Poimboeuf, Kees Cook, Mark Rutland,
Nathan Chancellor, Nick Desaulniers, Peter Zijlstra,
Sami Tolvanen, Sedat Dilek, Moreira, Joao
Hi Linus,
Please pull these Control Flow Integrity updates for v6.1-rc1. As this
touches treewide things, arm64, and x86, I carried this tree instead of
it living in -tip, etc. This replaces the more fragile Clang CFI with
the new Clang KCFI that has been designed specifically for the Linux
kernel. GCC support is expected[1] in the future.
3 expected conflicts are minimal:
- arm64: https://lore.kernel.org/linux-next/20220927185911.512737-1-broonie@kernel.org/
- bpf-next: https://lore.kernel.org/linux-next/20220927190811.514527-1-broonie@kernel.org/
Note that the above fix actually has a typo: the ")) ||" should be
") ||", which was later fixed in linux-next.
- arm64-fixes: https://lore.kernel.org/linux-next/20220927190318.513999-1-broonie@kernel.org/
The conflicting commit in arm64-fixes is needed for a bug in the older
Clang CFI support. Merging arm64-fixes first may help resolve this
one in a way that is easier for -stable to consume (i.e. arm64-fixes
CFI fix lands, then the kcfi tree removes the block entirely), but
the CFI fix could also just be sent directly to -stable if
anything goes wrong.
Thanks!
-Kees
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048
The following changes since commit 7e18e42e4b280c85b76967a9106a13ca61c16179:
Linux 6.0-rc4 (2022-09-04 13:10:01 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kcfi-v6.1-rc1
for you to fetch changes up to 3c516f89e17e56b4738f05588e51267e295b5e63:
x86: Add support for CONFIG_CFI_CLANG (2022-09-26 10:13:16 -0700)
----------------------------------------------------------------
kcfi updates for v6.1-rc1
This replaces the prior support for Clang's standard Control Flow
Integrity (CFI) instrumentation, which has required a lot of special
conditions (e.g. LTO) and work-arounds. The current implementation
("Kernel CFI") is specific to C, directly designed for the Linux kernel,
and takes advantage of architectural features like x86's IBT. This
series retains arm64 support and adds x86 support. Additional "generic"
architectural support is expected soon:
https://github.com/samitolvanen/llvm-project/commits/kcfi_generic
- treewide: Remove old CFI support details
- arm64: Replace Clang CFI support with Clang KCFI support
- x86: Introduce Clang KCFI support
----------------------------------------------------------------
Sami Tolvanen (22):
treewide: Filter out CC_FLAGS_CFI
scripts/kallsyms: Ignore __kcfi_typeid_
cfi: Remove CONFIG_CFI_CLANG_SHADOW
cfi: Drop __CFI_ADDRESSABLE
cfi: Switch to -fsanitize=kcfi
cfi: Add type helper macros
lkdtm: Emit an indirect call for CFI tests
psci: Fix the function type for psci_initcall_t
arm64: Add types to indirect called assembly functions
arm64: Add CFI error handling
arm64: Drop unneeded __nocfi attributes
init: Drop __nocfi from __init
treewide: Drop function_nocfi
treewide: Drop WARN_ON_FUNCTION_MISMATCH
treewide: Drop __cficanonical
objtool: Preserve special st_shndx indexes in elf_update_symbol
objtool: Disable CFI warnings
kallsyms: Drop CONFIG_CFI_CLANG workarounds
x86/tools/relocs: Ignore __kcfi_typeid_ relocations
x86: Add types to indirectly called assembly functions
x86/purgatory: Disable CFI
x86: Add support for CONFIG_CFI_CLANG
Makefile | 13 +-
arch/Kconfig | 18 +-
arch/arm64/crypto/ghash-ce-core.S | 5 +-
arch/arm64/crypto/sm3-ce-core.S | 3 +-
arch/arm64/include/asm/brk-imm.h | 6 +
arch/arm64/include/asm/ftrace.h | 2 +-
arch/arm64/include/asm/linkage.h | 4 +
arch/arm64/include/asm/mmu_context.h | 4 +-
arch/arm64/kernel/acpi_parking_protocol.c | 2 +-
arch/arm64/kernel/alternative.c | 2 +-
arch/arm64/kernel/cpu-reset.S | 5 +-
arch/arm64/kernel/cpufeature.c | 4 +-
arch/arm64/kernel/ftrace.c | 2 +-
arch/arm64/kernel/machine_kexec.c | 2 +-
arch/arm64/kernel/psci.c | 2 +-
arch/arm64/kernel/smp_spin_table.c | 2 +-
arch/arm64/kernel/traps.c | 47 +++-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/arm64/mm/proc.S | 5 +-
arch/x86/Kconfig | 2 +
arch/x86/crypto/blowfish-x86_64-asm_64.S | 5 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/include/asm/cfi.h | 22 ++
arch/x86/include/asm/linkage.h | 12 +
arch/x86/kernel/Makefile | 2 +
arch/x86/kernel/cfi.c | 86 ++++++++
arch/x86/kernel/traps.c | 4 +-
arch/x86/lib/memcpy_64.S | 3 +-
arch/x86/purgatory/Makefile | 4 +
arch/x86/tools/relocs.c | 1 +
drivers/firmware/efi/libstub/Makefile | 2 +
drivers/firmware/psci/psci.c | 12 +-
drivers/misc/lkdtm/cfi.c | 15 +-
drivers/misc/lkdtm/usercopy.c | 2 +-
include/asm-generic/bug.h | 16 --
include/asm-generic/vmlinux.lds.h | 37 ++--
include/linux/cfi.h | 59 ++---
include/linux/cfi_types.h | 45 ++++
include/linux/compiler-clang.h | 14 +-
include/linux/compiler.h | 16 +-
include/linux/compiler_types.h | 4 -
include/linux/init.h | 6 +-
include/linux/module.h | 10 +-
include/linux/pci.h | 4 +-
kernel/cfi.c | 352 +++++-------------------------
kernel/kallsyms.c | 17 --
kernel/kthread.c | 3 +-
kernel/module/main.c | 50 +----
kernel/workqueue.c | 2 +-
scripts/kallsyms.c | 1 +
scripts/module.lds.S | 23 +-
tools/objtool/check.c | 7 +-
tools/objtool/elf.c | 7 +-
53 files changed, 425 insertions(+), 554 deletions(-)
create mode 100644 arch/x86/include/asm/cfi.h
create mode 100644 arch/x86/kernel/cfi.c
create mode 100644 include/linux/cfi_types.h
--
Kees Cook
^ permalink raw reply [relevance 66%]
* [GIT PULL] Rust introduction for v6.1-rc1
@ 2022-10-01 15:58 45% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-10-01 15:58 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Adam Bratschi-Kaye, Alex Gaynor, Antonio Terceiro,
Björn Roy Baron, Boqun Feng, Boris-Chengbiao Zhou,
Daniel Xu, Dariusz Sosnowski, David Gow, Douglas Su,
Finn Behrens, Fox Chen, Gary Guo, Geert Stappers,
Geoffrey Thomas, Greg Kroah-Hartman, Jiapeng Chong, Joe Perches,
John Baublitz, Julian Merkle, Kees Cook,
Léo Lanteri Thauvin, Maciej Falkowski,
Martin Rodriguez Reboredo, Matthew Bakhtiari, Matthew Wilcox,
Michael Ellerman, Miguel Cano, Miguel Ojeda, Milan Landaverde,
Morgan Bartlett, Nándor István Krácser,
Nick Desaulniers, Niklas Mohrin, Petr Mladek,
Sumera Priyadarsini, Sven Van Asbroeck, Tiago Lam, Viktor Garske,
Wedson Almeida Filho, Wei Liu, Wu XiangCheng, Yuki Okushi
Hi Linus,
Please pull the initial Rust support for v6.1-rc1. The tree has a recent
base, but has fundamentally been in linux-next for a year and a half[1].
It's been updated based on feedback from the Kernel Maintainer's Summit,
and to gain recent Reviewed-by: tags. Miguel is the primary maintainer,
with me helping where needed/wanted. Our plan is for the tree to switch to
the standard non-rebasing practice once this initial infrastructure series
lands. The contents are the absolute minimum to get Rust code building
in the kernel, with many more interfaces[2] (and drivers[3]) on the way.
Expected conflicts are minimal:
- docs-next: https://lore.kernel.org/lkml/87czbegets.fsf@meer.lwn.net/
Thanks!
-Kees
[1] https://lwn.net/Articles/849849/
[2] https://github.com/Rust-for-Linux/linux/commits/rust
[3] NVMe: https://github.com/metaspace/rust-linux/commit/d88c3744d6cbdf11767e08bad56cbfb67c4c96d0
9p: https://github.com/wedsonaf/linux/commit/9367032607f7670de0ba1537cf09ab0f4365a338
M1 GPU: https://github.com/AsahiLinux/linux/commits/gpu/rust-wip
The following changes since commit f76349cf41451c5c42a99f18a9163377e4b364ff:
Linux 6.0-rc7 (2022-09-25 14:01:02 -0700)
are available in the Git repository at:
https://github.com/Rust-for-Linux/linux.git tags/rust-v6.1-rc1
for you to fetch changes up to 615131b8e9bcd88e2d3ef78a4954ff4abfbb1fb7:
MAINTAINERS: Rust (2022-09-28 09:05:20 +0200)
----------------------------------------------------------------
Rust introduction for v6.1-rc1
The initial support of Rust-for-Linux comes in roughly 4 areas:
- Kernel internals (kallsyms expansion for Rust symbols, %pA format)
- Kbuild infrastructure (Rust build rules and support scripts)
- Rust crates and bindings for initial minimum viable build
- Rust kernel documentation and samples
Rust support has been in linux-next for a year and a half now, and the
short log doesn't do justice to the number of people who have contributed
both to the Linux kernel side but also to the upstream Rust side to
support the kernel's needs. Thanks to these 173 people, and many more,
who have been involved in all kinds of ways:
Miguel Ojeda, Wedson Almeida Filho, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Andreas Hindborg, Adam Bratschi-Kaye, Benno Lossin,
Maciej Falkowski, Finn Behrens, Sven Van Asbroeck, Asahi Lina, FUJITA
Tomonori, John Baublitz, Wei Liu, Geoffrey Thomas, Philip Herron,
Arthur Cohen, David Faust, Antoni Boucher, Philip Li, Yujie Liu,
Jonathan Corbet, Greg Kroah-Hartman, Paul E. McKenney, Josh Triplett,
Kent Overstreet, David Gow, Alice Ryhl, Robin Randhawa, Kees Cook,
Nick Desaulniers, Matthew Wilcox, Linus Walleij, Joe Perches, Michael
Ellerman, Petr Mladek, Masahiro Yamada, Arnaldo Carvalho de Melo,
Andrii Nakryiko, Konstantin Shelekhin, Rasmus Villemoes, Konstantin
Ryabitsev, Stephen Rothwell, Andy Shevchenko, Sergey Senozhatsky, John
Paul Adrian Glaubitz, David Laight, Nathan Chancellor, Jonathan
Cameron, Daniel Latypov, Shuah Khan, Brendan Higgins, Julia Lawall,
Laurent Pinchart, Geert Uytterhoeven, Akira Yokosawa, Pavel Machek,
David S. Miller, John Hawley, James Bottomley, Arnd Bergmann,
Christian Brauner, Dan Robertson, Nicholas Piggin, Zhouyi Zhou, Elena
Zannoni, Jose E. Marchesi, Leon Romanovsky, Will Deacon, Richard
Weinberger, Randy Dunlap, Paolo Bonzini, Roland Dreier, Mark Brown,
Sasha Levin, Ted Ts'o, Steven Rostedt, Jarkko Sakkinen, Michal
Kubecek, Marco Elver, Al Viro, Keith Busch, Johannes Berg, Jan Kara,
David Sterba, Connor Kuehl, Andy Lutomirski, Andrew Lunn, Alexandre
Belloni, Peter Zijlstra, Russell King, Eric W. Biederman, Willy
Tarreau, Christoph Hellwig, Emilio Cobos Álvarez, Christian Poveda,
Mark Rousskov, John Ericson, TennyZhuang, Xuanwo, Daniel Paoliello,
Manish Goregaokar, comex, Josh Stone, Stephan Sokolow, Philipp Krones,
Guillaume Gomez, Joshua Nelson, Mats Larsen, Marc Poulhiès, Samantha
Miller, Esteban Blanc, Martin Schmidt, Martin Rodriguez Reboredo,
Daniel Xu, Viresh Kumar, Bartosz Golaszewski, Vegard Nossum, Milan
Landaverde, Dariusz Sosnowski, Yuki Okushi, Matthew Bakhtiari, Wu
XiangCheng, Tiago Lam, Boris-Chengbiao Zhou, Sumera Priyadarsini,
Viktor Garske, Niklas Mohrin, Nándor István Krácser, Morgan Bartlett,
Miguel Cano, Léo Lanteri Thauvin, Julian Merkle, Andreas Reindl,
Jiapeng Chong, Fox Chen, Douglas Su, Antonio Terceiro, SeongJae Park,
Sergio González Collado, Ngo Iok Ui (Wu Yu Wei), Joshua Abraham,
Milan, Daniel Kolsoi, ahomescu, Manas, Luis Gerhorst, Li Hongyu,
Philipp Gesang, Russell Currey, Jalil David Salamé Messina, Jon Olson,
Raghvender, Angelos, Kaviraj Kanagaraj, Paul Römer, Sladyn Nunes,
Mauro Baladés, Hsiang-Cheng Yang, Abhik Jain, Hongyu Li, Sean Nash,
Yuheng Su, Peng Hao, Anhad Singh, Roel Kluin, Sara Saa, Geert
Stappers, Garrett LeSage, IFo Hancroft, and Linus Torvalds.
----------------------------------------------------------------
Boqun Feng (2):
kallsyms: use `ARRAY_SIZE` instead of hardcoded size
kallsyms: avoid hardcoding buffer size
Daniel Xu (1):
scripts: add `is_rust_module.sh`
Gary Guo (1):
vsprintf: add new `%pA` format specifier
Miguel Ojeda (22):
kallsyms: add static relationship between `KSYM_NAME_LEN{,_BUFFER}`
kallsyms: support "big" kernel symbols
kallsyms: increase maximum kernel symbol length to 512
rust: add C helpers
rust: import upstream `alloc` crate
rust: adapt `alloc` crate to the kernel
rust: add `compiler_builtins` crate
rust: add `macros` crate
rust: add `bindings` crate
rust: export generated symbols
scripts: checkpatch: diagnose uses of `%pA` in the C side as errors
scripts: checkpatch: enable language-independent checks for Rust
scripts: decode_stacktrace: demangle Rust symbols
scripts: add `generate_rust_analyzer.py`
scripts: add `generate_rust_target.rs`
scripts: add `rust_is_available.sh`
rust: add `.rustfmt.toml`
Kbuild: add Rust support
docs: add Rust documentation
x86: enable initial Rust support
samples: add first Rust examples
MAINTAINERS: Rust
Wedson Almeida Filho (1):
rust: add `kernel` crate
.gitignore | 6 +
.rustfmt.toml | 12 +
Documentation/core-api/printk-formats.rst | 10 +
Documentation/doc-guide/kernel-doc.rst | 3 +
Documentation/index.rst | 1 +
Documentation/kbuild/kbuild.rst | 17 +
Documentation/kbuild/makefiles.rst | 50 +-
Documentation/process/changes.rst | 41 +
Documentation/rust/arch-support.rst | 19 +
Documentation/rust/coding-guidelines.rst | 216 ++
Documentation/rust/general-information.rst | 79 +
Documentation/rust/index.rst | 22 +
Documentation/rust/quick-start.rst | 232 ++
MAINTAINERS | 18 +
Makefile | 172 +-
arch/Kconfig | 6 +
arch/x86/Kconfig | 1 +
arch/x86/Makefile | 10 +
include/linux/compiler_types.h | 6 +-
include/linux/kallsyms.h | 2 +-
init/Kconfig | 46 +-
kernel/configs/rust.config | 1 +
kernel/kallsyms.c | 26 +-
kernel/livepatch/core.c | 4 +-
lib/Kconfig.debug | 34 +
lib/vsprintf.c | 13 +
rust/.gitignore | 8 +
rust/Makefile | 381 ++++
rust/alloc/README.md | 33 +
rust/alloc/alloc.rs | 440 ++++
rust/alloc/borrow.rs | 498 ++++
rust/alloc/boxed.rs | 2028 +++++++++++++++++
rust/alloc/collections/mod.rs | 156 ++
rust/alloc/lib.rs | 244 ++
rust/alloc/raw_vec.rs | 527 +++++
rust/alloc/slice.rs | 1204 ++++++++++
rust/alloc/vec/drain.rs | 186 ++
rust/alloc/vec/drain_filter.rs | 145 ++
rust/alloc/vec/into_iter.rs | 366 +++
rust/alloc/vec/is_zero.rs | 120 +
rust/alloc/vec/mod.rs | 3140 ++++++++++++++++++++++++++
rust/alloc/vec/partial_eq.rs | 49 +
rust/bindgen_parameters | 21 +
rust/bindings/bindings_helper.h | 13 +
rust/bindings/lib.rs | 53 +
rust/compiler_builtins.rs | 63 +
rust/exports.c | 21 +
rust/helpers.c | 51 +
rust/kernel/allocator.rs | 64 +
rust/kernel/error.rs | 59 +
rust/kernel/lib.rs | 78 +
rust/kernel/prelude.rs | 20 +
rust/kernel/print.rs | 198 ++
rust/kernel/str.rs | 72 +
rust/macros/helpers.rs | 51 +
rust/macros/lib.rs | 72 +
rust/macros/module.rs | 282 +++
samples/Kconfig | 2 +
samples/Makefile | 1 +
samples/rust/Kconfig | 30 +
samples/rust/Makefile | 5 +
samples/rust/hostprogs/.gitignore | 3 +
samples/rust/hostprogs/Makefile | 5 +
samples/rust/hostprogs/a.rs | 7 +
samples/rust/hostprogs/b.rs | 5 +
samples/rust/hostprogs/single.rs | 12 +
samples/rust/rust_minimal.rs | 38 +
scripts/.gitignore | 1 +
scripts/Kconfig.include | 6 +-
scripts/Makefile | 3 +
scripts/Makefile.build | 60 +
scripts/Makefile.debug | 8 +
scripts/Makefile.host | 34 +-
scripts/Makefile.lib | 12 +
scripts/Makefile.modfinal | 8 +-
scripts/cc-version.sh | 12 +-
scripts/checkpatch.pl | 12 +-
scripts/decode_stacktrace.sh | 14 +
scripts/generate_rust_analyzer.py | 135 ++
scripts/generate_rust_target.rs | 182 ++
scripts/is_rust_module.sh | 16 +
scripts/kallsyms.c | 53 +-
scripts/kconfig/confdata.c | 75 +
scripts/min-tool-version.sh | 6 +
scripts/rust_is_available.sh | 160 ++
scripts/rust_is_available_bindgen_libclang.h | 2 +
tools/include/linux/kallsyms.h | 2 +-
tools/lib/perf/include/perf/event.h | 2 +-
tools/lib/symbol/kallsyms.h | 2 +-
89 files changed, 12552 insertions(+), 51 deletions(-)
create mode 100644 .rustfmt.toml
create mode 100644 Documentation/rust/arch-support.rst
create mode 100644 Documentation/rust/coding-guidelines.rst
create mode 100644 Documentation/rust/general-information.rst
create mode 100644 Documentation/rust/index.rst
create mode 100644 Documentation/rust/quick-start.rst
create mode 100644 kernel/configs/rust.config
create mode 100644 rust/.gitignore
create mode 100644 rust/Makefile
create mode 100644 rust/alloc/README.md
create mode 100644 rust/alloc/alloc.rs
create mode 100644 rust/alloc/borrow.rs
create mode 100644 rust/alloc/boxed.rs
create mode 100644 rust/alloc/collections/mod.rs
create mode 100644 rust/alloc/lib.rs
create mode 100644 rust/alloc/raw_vec.rs
create mode 100644 rust/alloc/slice.rs
create mode 100644 rust/alloc/vec/drain.rs
create mode 100644 rust/alloc/vec/drain_filter.rs
create mode 100644 rust/alloc/vec/into_iter.rs
create mode 100644 rust/alloc/vec/is_zero.rs
create mode 100644 rust/alloc/vec/mod.rs
create mode 100644 rust/alloc/vec/partial_eq.rs
create mode 100644 rust/bindgen_parameters
create mode 100644 rust/bindings/bindings_helper.h
create mode 100644 rust/bindings/lib.rs
create mode 100644 rust/compiler_builtins.rs
create mode 100644 rust/exports.c
create mode 100644 rust/helpers.c
create mode 100644 rust/kernel/allocator.rs
create mode 100644 rust/kernel/error.rs
create mode 100644 rust/kernel/lib.rs
create mode 100644 rust/kernel/prelude.rs
create mode 100644 rust/kernel/print.rs
create mode 100644 rust/kernel/str.rs
create mode 100644 rust/macros/helpers.rs
create mode 100644 rust/macros/lib.rs
create mode 100644 rust/macros/module.rs
create mode 100644 samples/rust/Kconfig
create mode 100644 samples/rust/Makefile
create mode 100644 samples/rust/hostprogs/.gitignore
create mode 100644 samples/rust/hostprogs/Makefile
create mode 100644 samples/rust/hostprogs/a.rs
create mode 100644 samples/rust/hostprogs/b.rs
create mode 100644 samples/rust/hostprogs/single.rs
create mode 100644 samples/rust/rust_minimal.rs
create mode 100755 scripts/generate_rust_analyzer.py
create mode 100644 scripts/generate_rust_target.rs
create mode 100755 scripts/is_rust_module.sh
create mode 100755 scripts/rust_is_available.sh
create mode 100644 scripts/rust_is_available_bindgen_libclang.h
--
Kees Cook
^ permalink raw reply [relevance 45%]
* [GIT PULL] pstore revert for v6.0-rc8
@ 2022-09-30 15:31 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-09-30 15:31 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Guilherme G. Piccoli, Kees Cook
Hi Linus,
Please pull this pstore revert for v6.0. A misbehavior with some
compression backends in pstore was just discovered due to the recent
crypto acomp migration. Since we're so close to release, it seems better
to just simply revert it, and we can figure out what's going on without
leaving it broken for a release.
Thanks!
-Kees
The following changes since commit 568035b01cfb107af8d2e4bd2fb9aea22cf5b868:
Linux 6.0-rc1 (2022-08-14 15:50:18 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v6.0-rc8
for you to fetch changes up to 40158dbf7eb2b13d8851fe0b875b4c3170ea15db:
Revert "pstore: migrate to crypto acomp interface" (2022-09-30 08:16:06 -0700)
----------------------------------------------------------------
pstore revert for v6.0-rc8
- Revert crypto acomp migration (Guilherme G. Piccoli)
----------------------------------------------------------------
Guilherme G. Piccoli (1):
Revert "pstore: migrate to crypto acomp interface"
fs/pstore/platform.c | 63 ++++++++++------------------------------------------
1 file changed, 12 insertions(+), 51 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] execve reverts for v6.0-rc7
@ 2022-09-19 19:51 86% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-09-19 19:51 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexey Izbyshev, Andrei Vagin, Christian Brauner,
Dmitry Safonov, Eric W. Biederman, Florian Weimer, Kees Cook
Hi Linus,
Please pull these execve reverts for v6.0-rc7. The recent work to
support time namespace unsharing turns out to have some undesirable
corner cases, so rather than allowing the API to stay exposed for
another release, it'd be best to remove it ASAP, with the replacement
getting another cycle of testing. Nothing is known to use this yet,
so no userspace breakage is expected. For more details, see:
https://lore.kernel.org/lkml/ed418e43ad28b8688cfea2b7c90fce1c@ispras.ru/
Also note that this is expected to introduce a small merge conflict for
the coming v6.1 merge window, as seen in linux-next:
https://lore.kernel.org/linux-next/20220914155533.70c10493@canb.auug.org.au/
Thanks!
-Kees
The following changes since commit 1c23f9e627a7b412978b4e852793c5e3c3efc555:
Linux 6.0-rc2 (2022-08-21 17:32:54 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.0-rc7
for you to fetch changes up to 33a2d6bc3480f9f8ac8c8def29854f98cc8bfee2:
Revert "fs/exec: allow to unshare a time namespace on vfork+exec" (2022-09-13 10:38:43 -0700)
----------------------------------------------------------------
execve reverts for v6.0-rc7
- Remove the recent "unshare time namespace on vfork+exec" feature (Andrei Vagin)
----------------------------------------------------------------
Andrei Vagin (2):
Revert "selftests/timens: add a test for vfork+exit"
Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
fs/exec.c | 7 ---
kernel/fork.c | 5 +-
kernel/nsproxy.c | 3 +-
tools/testing/selftests/timens/Makefile | 2 +-
tools/testing/selftests/timens/vfork_exec.c | 90 -----------------------------
5 files changed, 3 insertions(+), 104 deletions(-)
delete mode 100644 tools/testing/selftests/timens/vfork_exec.c
--
Kees Cook
^ permalink raw reply [relevance 86%]
* Re: [GIT PULL] execve fix for v6.0-rc2
@ 2022-08-19 22:04 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-19 22:04 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Eric W. Biederman, Fabio M. De Francesco, Ira Weiny
On Fri, Aug 19, 2022 at 02:11:38PM -0700, Linus Torvalds wrote:
> On Fri, Aug 19, 2022 at 12:04 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > Please pull this execve fix for v6.0-rc2.
>
> Hmm. I've pulled this, but "fix" it isn't.
>
> There's no actual bug in the old code that I can see. It's just that
> local kmaps are the preferred model these days.
Yeah, that's true. I figured it was better to get it in ASAP to help with
the transition and avoid having both APIs in the same file. Thanks for
taking it!
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] execve fix for v6.0-rc2
@ 2022-08-19 19:04 92% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-08-19 19:04 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Eric W. Biederman, Fabio M. De Francesco,
Ira Weiny, Kees Cook
Hi Linus,
Please pull this execve fix for v6.0-rc2.
Thanks!
-Kees
The following changes since commit c6e8e36c6ae4b11bed5643317afb66b6c3cadba8:
exec: Call kmap_local_page() in copy_string_kernel() (2022-07-27 14:15:09 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v6.0-rc2
for you to fetch changes up to 3a608cfee97e99b3fff9ffe62246a098042e725d:
exec: Replace kmap{,_atomic}() with kmap_local_page() (2022-08-16 12:11:27 -0700)
----------------------------------------------------------------
execve fix for v6.0-rc2
- Replace remaining kmap() uses with kmap_local_page() (Fabio M. De Francesco)
----------------------------------------------------------------
Fabio M. De Francesco (1):
exec: Replace kmap{,_atomic}() with kmap_local_page()
fs/exec.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] hardening fixes for v6.0-rc2
@ 2022-08-19 19:01 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-19 19:01 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrew Donnellan, Dan Carpenter, Erhard Furtner,
James Morris, Kees Cook, kernel test robot,
linux-security-module, Matthias Kaehlcke, Serge E. Hallyn,
Yury Norov
Hi Linus,
Please pull these two kernel hardening fixes for v6.0-rc2.
Thanks!
-Kees
The following changes since commit 27603a606fda0806d7c08914bc976931aa42020e:
dm: verity-loadpin: Drop use of dm_table_get_num_targets() (2022-07-28 21:48:12 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.0-rc2
for you to fetch changes up to 012e8d2034f1bda8863435cd589636e618d6a659:
gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file (2022-08-16 12:25:53 -0700)
----------------------------------------------------------------
hardening fixes for v6.0-rc2
- Also undef LATENT_ENTROPY_PLUGIN for per-file disabling (Andrew Donnellan)
- Return EFAULT on copy_from_user() failures in LoadPin (Kees Cook)
----------------------------------------------------------------
Andrew Donnellan (1):
gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file
Kees Cook (1):
LoadPin: Return EFAULT on copy_from_user() failures
scripts/Makefile.gcc-plugins | 2 +-
security/loadpin/loadpin.c | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 91%]
* [GIT PULL] kernel hardening updates for v5.20-rc1
@ 2022-08-01 17:53 80% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-01 17:53 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, GONG Ruiqi, Jason A. Donenfeld, Justin Stitt,
Kees Cook, Lukas Bulwahn, Matthias Kaehlcke, Mike Snitzer
Hi Linus,
Please pull these kernel hardening updates for v5.20-rc1. Two
cross-maintainer notes: the dm-verity/loadpin changes are Acked by
Mike Snitzer but they have been carried in my tree; the LKDTM change
is duplicated in the drivers/misc tree (it was late in cycle when Greg
and I both picked it up).
Thanks!
-Kees
The following changes since commit a111daf0c53ae91e71fd2bfe7497862d14132e3e:
Linux 5.19-rc3 (2022-06-19 15:06:47 -0500)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.20-rc1
for you to fetch changes up to 27603a606fda0806d7c08914bc976931aa42020e:
dm: verity-loadpin: Drop use of dm_table_get_num_targets() (2022-07-28 21:48:12 -0700)
----------------------------------------------------------------
hardening updates for v5.20-rc1
- Fix Sparse warnings with randomized kstack (GONG, Ruiqi)
- Replace uintptr_t with unsigned long in usercopy (Jason A. Donenfeld)
- Fix Clang -Wforward warning in LKDTM (Justin Stitt)
- Fix comment to correctly refer to STRICT_DEVMEM (Lukas Bulwahn)
- Introduce dm-verity binding logic to LoadPin LSM (Matthias Kaehlcke)
- Clean up warnings and overflow and KASAN tests (Kees Cook)
----------------------------------------------------------------
GONG, Ruiqi (1):
stack: Declare {randomize_,}kstack_offset to fix Sparse warnings
Jason A. Donenfeld (1):
usercopy: use unsigned long instead of uintptr_t
Justin Stitt (1):
drivers: lkdtm: fix clang -Wformat warning
Kees Cook (3):
MAINTAINERS: Add a general "kernel hardening" section
lib: overflow: Do not define 64-bit tests on 32-bit
kasan: test: Silence GCC 12 warnings
Lukas Bulwahn (1):
x86: mm: refer to the intended config STRICT_DEVMEM in a comment
Matthias Kaehlcke (4):
dm: Add verity helpers for LoadPin
LoadPin: Enable loading from trusted dm-verity devices
dm: verity-loadpin: Use CONFIG_SECURITY_LOADPIN_VERITY for conditional compilation
dm: verity-loadpin: Drop use of dm_table_get_num_targets()
MAINTAINERS | 21 ++++-
arch/x86/mm/init.c | 2 +-
drivers/md/Makefile | 1 +
drivers/md/dm-verity-loadpin.c | 75 +++++++++++++++++
drivers/md/dm-verity-target.c | 33 +++++++-
drivers/md/dm-verity.h | 4 +
drivers/misc/lkdtm/bugs.c | 2 +-
include/linux/dm-verity-loadpin.h | 27 ++++++
include/uapi/linux/loadpin.h | 22 +++++
init/main.c | 1 +
lib/overflow_kunit.c | 6 ++
lib/test_kasan.c | 10 +++
mm/usercopy.c | 2 +-
security/loadpin/Kconfig | 16 ++++
security/loadpin/loadpin.c | 167 +++++++++++++++++++++++++++++++++++++-
15 files changed, 380 insertions(+), 9 deletions(-)
create mode 100644 drivers/md/dm-verity-loadpin.c
create mode 100644 include/linux/dm-verity-loadpin.h
create mode 100644 include/uapi/linux/loadpin.h
--
Kees Cook
^ permalink raw reply [relevance 80%]
* [GIT PULL] execve updates for v5.20-rc1
@ 2022-08-01 17:37 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-01 17:37 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrei Vagin, Christian Brauner,
Fabio M. De Francesco, Florian Weimer, Ira Weiny, Kees Cook,
Souptick Joarder, Zhang Jiaming
Hi Linus,
Please pull these execve updates for v5.20-rc1.
Thanks!
-Kees
The following changes since commit b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3:
Linux 5.19-rc2 (2022-06-12 16:11:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v5.20-rc1
for you to fetch changes up to c6e8e36c6ae4b11bed5643317afb66b6c3cadba8:
exec: Call kmap_local_page() in copy_string_kernel() (2022-07-27 14:15:09 -0700)
----------------------------------------------------------------
execve updates for v5.20-rc1
- Allow unsharing time namespace on vfork+exec (Andrei Vagin)
- Replace usage of deprecated kmap APIs (Fabio M. De Francesco)
- Fix spelling mistake (Zhang Jiaming)
----------------------------------------------------------------
Andrei Vagin (2):
fs/exec: allow to unshare a time namespace on vfork+exec
selftests/timens: add a test for vfork+exit
Fabio M. De Francesco (1):
exec: Call kmap_local_page() in copy_string_kernel()
Zhang Jiaming (1):
exec: Fix a spelling mistake
fs/exec.c | 15 +++--
kernel/fork.c | 5 +-
kernel/nsproxy.c | 3 +-
tools/testing/selftests/timens/Makefile | 2 +-
tools/testing/selftests/timens/vfork_exec.c | 90 +++++++++++++++++++++++++++++
5 files changed, 106 insertions(+), 9 deletions(-)
create mode 100644 tools/testing/selftests/timens/vfork_exec.c
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] seccomp update for v5.20-rc1
@ 2022-08-01 17:34 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-01 17:34 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, YiFei Zhu
Hi Linus,
Please pull this tiny seccomp update for v5.20-rc1.
Thanks!
-Kees
The following changes since commit a111daf0c53ae91e71fd2bfe7497862d14132e3e:
Linux 5.19-rc3 (2022-06-19 15:06:47 -0500)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.20-rc1
for you to fetch changes up to 3ce4b78f73e8e00fb86bad67ee7f6fe12019707e:
selftests/seccomp: Fix compile warning when CC=clang (2022-07-27 12:12:16 -0700)
----------------------------------------------------------------
seccomp update for v5.20-rc1
- Fix Clang build warning (YiFei Zhu)
----------------------------------------------------------------
YiFei Zhu (1):
selftests/seccomp: Fix compile warning when CC=clang
tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] pstore updates for v5.20-rc1
@ 2022-08-01 17:32 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-08-01 17:32 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Ard Biesheuvel, Dan Carpenter, Kees Cook
Hi Linus,
Please pull these pstore updates for v5.20-rc1. The base (v5.18-rc2) is
correct -- I intentionally skipped this tree last merge window.
Thanks!
-Kees
The following changes since commit ce522ba9ef7e2d9fb22a39eb3371c0c64e2a433e:
Linux 5.18-rc2 (2022-04-10 14:21:36 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.20-rc1
for you to fetch changes up to 2c09d1443b9b8b6e25bfb2acf51ad442cf9b314e:
pstore/zone: cleanup "rcnt" type (2022-06-23 08:27:52 -0700)
----------------------------------------------------------------
pstore updates for v5.20-rc1
- Migrate to modern acomp crypto interface (Ard Biesheuvel)
- Use better return type for "rcnt" (Dan Carpenter)
----------------------------------------------------------------
Ard Biesheuvel (1):
pstore: migrate to crypto acomp interface
Dan Carpenter (1):
pstore/zone: cleanup "rcnt" type
fs/pstore/platform.c | 63 ++++++++++++++++++++++++++++++++++++++++++----------
fs/pstore/zone.c | 12 +++++-----
2 files changed, 57 insertions(+), 18 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] hardening fixes for v5.19-rc3
@ 2022-06-15 21:07 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-06-15 21:07 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Kees Cook, Matthew Wilcox, Sami Tolvanen,
Uladzislau Rezki, Zorro Lang, Nathan Chancellor
Hi Linus,
Please pull these kernel hardening fixes for v5.19-rc3.
Thanks!
-Kees
The following changes since commit b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3:
Linux 5.19-rc2 (2022-06-12 16:11:37 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.19-rc3
for you to fetch changes up to 1dfbe9fcda4afc957f0e371e207ae3cb7e8f3b0e:
usercopy: Make usercopy resilient against ridiculously large copies (2022-06-13 09:54:52 -0700)
----------------------------------------------------------------
hardening fixes for v5.19-rc3
- Correctly handle vm_map areas in hardened usercopy (Matthew Wilcox)
- Adjust CFI RCU usage to avoid boot splats with cpuidle (Sami Tolvanen)
----------------------------------------------------------------
Matthew Wilcox (Oracle) (3):
usercopy: Handle vm_map_ram() areas
usercopy: Cast pointer to an integer once
usercopy: Make usercopy resilient against ridiculously large copies
Sami Tolvanen (1):
cfi: Fix __cfi_slowpath_diag RCU usage with cpuidle
include/linux/vmalloc.h | 1 +
kernel/cfi.c | 22 ++++++++++++++++------
mm/usercopy.c | 26 ++++++++++++--------------
mm/vmalloc.c | 2 +-
4 files changed, 30 insertions(+), 21 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] kernel hardening fix for v5.19-rc1
@ 2022-05-26 15:30 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-26 15:30 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Guenter Roeck, Kees Cook, kernel test robot,
Masahiro Yamada, Anders Roxell
Hi Linus,
Please pull this kernel hardening fix for v5.19-rc1. This fixes an unlucky
build race condition when using the GCC plugins, noticed by a few folks.
Thanks!
-Kees
The following changes since commit ed5edd5a70b9525085403f193786395179ea303d:
loadpin: stop using bdevname (2022-05-16 16:02:21 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.19-rc1-fix1
for you to fetch changes up to d37aa2efc89b387cda93bf15317883519683d435:
gcc-plugins: use KERNELVERSION for plugin version (2022-05-24 08:25:16 -0700)
----------------------------------------------------------------
kernel hardening fix for v5.19-rc1
- Avoid GCC plugins needing utsrelease.h build target (Masahiro Yamada)
----------------------------------------------------------------
Masahiro Yamada (1):
gcc-plugins: use KERNELVERSION for plugin version
scripts/gcc-plugins/Makefile | 2 +-
scripts/gcc-plugins/latent_entropy_plugin.c | 2 +-
scripts/gcc-plugins/randomize_layout_plugin.c | 2 +-
scripts/gcc-plugins/sancov_plugin.c | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 2 +-
scripts/gcc-plugins/structleak_plugin.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] execve updates for v5.19-rc1
@ 2022-05-23 19:18 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-23 19:18 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Damien Le Moal, Eric W. Biederman, Greg Ungerer,
Kees Cook, kernel test robot, Niklas Cassel, Patrice Chotard,
Vladimir Murzin
Hi Linus,
Please pull these execve updates for v5.19-rc1.
Thanks!
-Kees
The following changes since commit ce522ba9ef7e2d9fb22a39eb3371c0c64e2a433e:
Linux 5.18-rc2 (2022-04-10 14:21:36 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v5.19-rc1
for you to fetch changes up to 70578ff3367dd4ad8f212a9b5c05cffadabf39a8:
binfmt_flat: Remove shared library support (2022-04-22 10:57:18 -0700)
----------------------------------------------------------------
execve updates for v5.19-rc1
- Fix binfmt_flat GOT handling for riscv (Niklas Cassel)
- Remove unused/broken shared library and coredump code (Eric W. Biederman)
----------------------------------------------------------------
Eric W. Biederman (2):
binfmt_flat: Drop vestiges of coredump support
binfmt_flat: Remove shared library support
Niklas Cassel (1):
binfmt_flat: do not stop relocating GOT entries prematurely on riscv
arch/arm/configs/lpc18xx_defconfig | 1 -
arch/arm/configs/mps2_defconfig | 1 -
arch/arm/configs/stm32_defconfig | 1 -
arch/arm/configs/vf610m4_defconfig | 1 -
arch/sh/configs/rsk7201_defconfig | 1 -
arch/sh/configs/rsk7203_defconfig | 1 -
arch/sh/configs/se7206_defconfig | 1 -
fs/Kconfig.binfmt | 6 -
fs/binfmt_flat.c | 239 ++++++++++---------------------------
9 files changed, 66 insertions(+), 186 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 91%]
* [GIT PULL] seccomp updates for v5.19-rc1
@ 2022-05-23 19:15 87% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-23 19:15 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Colin Ian King, David Yang,
Jann Horn, Kees Cook, linux-kselftest, Sargun Dhillon,
Shuah Khan, Tycho Andersen, Yang Guang
Hi Linus,
Please pull these seccomp updates for v5.19-rc1.
Thanks!
-Kees
The following changes since commit 2bfed7d2ffa5d86c462d3e2067f2832eaf8c04c7:
selftests/seccomp: Don't call read() on TTY from background pgrp (2022-04-29 11:28:41 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.19-rc1
for you to fetch changes up to 5e91d2a4146946ea0abc984ca957f12b70632901:
selftests/seccomp: Fix spelling mistake "Coud" -> "Could" (2022-05-04 13:31:21 -0700)
----------------------------------------------------------------
seccomp updates for v5.19-rc1
- Rework USER_NOTIF notification ordering and kill logic (Sargun Dhillon)
- Improved PTRACE_O_SUSPEND_SECCOMP selftest (Jann Horn)
- Gracefully handle failed unshare() in selftests (Yang Guang)
- Spelling fix (Colin Ian King)
----------------------------------------------------------------
Colin Ian King (1):
selftests/seccomp: Fix spelling mistake "Coud" -> "Could"
Jann Horn (1):
selftests/seccomp: Test PTRACE_O_SUSPEND_SECCOMP without CAP_SYS_ADMIN
Sargun Dhillon (5):
seccomp: Use FIFO semantics to order notifications
selftests/seccomp: Ensure that notifications come in FIFO order
seccomp: Add wait_killable semantic to seccomp user notifier
selftests/seccomp: Refactor get_proc_stat to split out file reading code
selftests/seccomp: Add test for wait killable notifier
Yang Guang (1):
selftests/seccomp: Add SKIP for failed unshare()
Documentation/userspace-api/seccomp_filter.rst | 10 +
include/linux/seccomp.h | 3 +-
include/uapi/linux/seccomp.h | 2 +
kernel/seccomp.c | 44 ++-
tools/testing/selftests/seccomp/Makefile | 1 +
tools/testing/selftests/seccomp/seccomp_bpf.c | 427 ++++++++++++++++++++++++-
6 files changed, 482 insertions(+), 5 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 87%]
* [GIT PULL] kernel hardening updates for v5.19-rc1
@ 2022-05-23 19:10 62% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-23 19:10 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Popov, Bill Wendling, David Howells,
Jeff Layton, Kees Cook, linux-hardening, Mark Rutland,
Matthew Wilcox (Oracle),
Sami Tolvanen, Yuanzheng Song
Hi Linus,
Please pull these kernel hardening updates for v5.19-rc1. As hardening
features are now supported by various combinations of native GCC,
native Clang, and GCC plugins, the dependencies don't allow for a clean
separation between a "gcc plugins" tree and a "clang features" tree, and
similarly, the tweaks for the "small" LSMs (e.g. LoadPin) don't really
make sense to carry separately either. So, here is the combined tree,
which I was already heading toward during the last merge window.
Please note there are 2 easy conflicts to deal with, but I wanted to
make sure they were clear and to give some context for why they happened:
1) drivers/misc/lkdtm/stackleak.c
char-misc
73f62e60d80c ("lkdtm: Move crashtype definitions into each category")
hardening:
f03a50938dec ("lkdtm/stackleak: prevent unexpected stack usage")
73f62e60d80c is a larger refactoring of how all the LKDTM tests are
registered with the LKDTM core, but the stackleak test updates depend on
the arm64 changes, so these came via separate trees. The resolution is
easy; the linux-next notes are here:
https://lore.kernel.org/linux-next/202205091610.4375DD0A@keescook/
2) include/linux/netfs.h
fscache
713423282ae1 ("netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context")
hardening
3b5eed3c71a2 ("netfs: Eliminate Clang randstruct warning")
3b5eed3c71a2 can be entirely dropped in favor of 713423282ae1, which
is the more complete solution, keeping both Clang and GCC happy.
3b5eed3c71a2 was committed before GCC 12 was released and 713423282ae1
was being worked on right up until yesterday, so to keep the commit history
intact and avoid Clang-specific allmodconfig warnings appearing, I kept it
in the hardening tree rather than doing a revert just to avoid the conflict.
The linux-next notes are here:
https://lore.kernel.org/linux-next/20220523205716.4a641c41@canb.auug.org.au/
Thanks!
-Kees
The following changes since commit a19944809fe9942e6a96292490717904d0690c21:
Merge tag 'hardening-v5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux (2022-04-12 14:29:40 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kernel-hardening-v5.19-rc1
for you to fetch changes up to ed5edd5a70b9525085403f193786395179ea303d:
loadpin: stop using bdevname (2022-05-16 16:02:21 -0700)
----------------------------------------------------------------
kernel-hardening updates for v5.19-rc1
- usercopy hardening expanded to check other allocation types
(Matthew Wilcox, Yuanzheng Song)
- arm64 stackleak behavioral improvements (Mark Rutland)
- arm64 CFI code gen improvement (Sami Tolvanen)
- LoadPin LSM block dev API adjustment (Christoph Hellwig)
- Clang randstruct support (Bill Wendling, Kees Cook)
----------------------------------------------------------------
Bill Wendling (1):
security: don't treat structure as an array of struct hlist_head
Christoph Hellwig (1):
loadpin: stop using bdevname
Kees Cook (12):
netfs: Eliminate Clang randstruct warning
sancov: Split plugin build from plugin CFLAGS
randstruct: Reorganize Kconfigs and attribute macros
randstruct: Split randstruct Makefile and CFLAGS
randstruct: Move seed generation into scripts/basic/
randstruct: Enable Clang support
randomize_kstack: Improve docs on requirements/rationale
gcc-plugins: Change all version strings match kernel
big_keys: Use struct for internal payload
niu: Silence randstruct warnings
af_unix: Silence randstruct GCC plugin warning
gcc-plugins: randstruct: Remove cast exception handling
Mark Rutland (14):
arm64: stackleak: fix current_top_of_stack()
stackleak: move skip_erasing() check earlier
stackleak: remove redundant check
stackleak: rework stack low bound handling
stackleak: clarify variable names
stackleak: rework stack high bound handling
stackleak: rework poison scanning
lkdtm/stackleak: avoid spurious failure
lkdtm/stackleak: rework boundary management
lkdtm/stackleak: prevent unexpected stack usage
lkdtm/stackleak: check stack boundaries
stackleak: add on/off stack variants
arm64: entry: use stackleak_erase_on_task_stack()
lkdtm/stackleak: fix CONFIG_GCC_PLUGIN_STACKLEAK=n
Matthew Wilcox (Oracle) (4):
mm/usercopy: Check kmap addresses properly
mm/usercopy: Detect vmalloc overruns
mm/usercopy: Detect large folio overruns
usercopy: Remove HARDENED_USERCOPY_PAGESPAN
Sami Tolvanen (1):
cfi: Use __builtin_function_start
Yuanzheng Song (1):
mm: usercopy: move the virt_addr_valid() below the is_vmalloc_addr()
Documentation/dontdiff | 1 +
Documentation/kbuild/reproducible-builds.rst | 8 +-
Makefile | 1 +
arch/Kconfig | 5 +-
arch/arm/vdso/Makefile | 2 +-
arch/arm64/include/asm/compiler.h | 16 ---
arch/arm64/include/asm/processor.h | 10 +-
arch/arm64/kernel/entry.S | 2 +-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/riscv/Kconfig | 2 +-
arch/sparc/vdso/Makefile | 3 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/include/asm/highmem.h | 1 +
arch/x86/mm/pti.c | 2 +-
drivers/misc/lkdtm/stackleak.c | 145 ++++++++++++++++++--------
drivers/net/ethernet/sun/niu.c | 41 ++++++--
include/linux/compiler-clang.h | 10 ++
include/linux/compiler-gcc.h | 8 --
include/linux/compiler_types.h | 14 +--
include/linux/highmem-internal.h | 10 ++
include/linux/netfs.h | 4 +-
include/linux/randomize_kstack.h | 27 ++++-
include/linux/stackleak.h | 55 +++++++++-
include/linux/vermagic.h | 10 +-
kernel/panic.c | 2 +-
kernel/stackleak.c | 105 +++++++++++--------
mm/usercopy.c | 91 +++++-----------
net/unix/af_unix.c | 8 +-
scripts/Makefile.gcc-plugins | 22 ++--
scripts/Makefile.randstruct | 17 +++
scripts/basic/.gitignore | 1 +
scripts/basic/Makefile | 11 ++
scripts/gcc-plugins/Kconfig | 38 -------
scripts/gcc-plugins/Makefile | 24 +++--
scripts/gcc-plugins/gen-random-seed.sh | 9 --
scripts/gcc-plugins/latent_entropy_plugin.c | 2 +-
scripts/gcc-plugins/randomize_layout_plugin.c | 89 +---------------
scripts/gcc-plugins/sancov_plugin.c | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 2 +-
scripts/gcc-plugins/structleak_plugin.c | 2 +-
scripts/gen-randstruct-seed.sh | 7 ++
security/Kconfig | 13 +--
security/Kconfig.hardening | 73 +++++++++++++
security/keys/big_key.c | 73 +++++++------
security/loadpin/loadpin.c | 5 +-
security/security.c | 9 +-
46 files changed, 539 insertions(+), 449 deletions(-)
create mode 100644 scripts/Makefile.randstruct
delete mode 100755 scripts/gcc-plugins/gen-random-seed.sh
create mode 100755 scripts/gen-randstruct-seed.sh
--
Kees Cook
^ permalink raw reply [relevance 62%]
* [GIT PULL] lkdtm updates for -next
@ 2022-05-17 21:52 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-17 21:52 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Arnd Bergmann, Matthew Wilcox, Kees Cook,
Muhammad Usama Anjum
Hi Greg,
Please pull these lkdtm updates for -next (preferably for the coming
merge window).
Thanks!
-Kees
The following changes since commit 2a0338769f27a38b5dd60b6bef5b83003789439b:
lkdtm: cfi: Fix type width for masking PAC bits (2022-04-26 17:11:05 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/lkdtm-next
for you to fetch changes up to f260fd59e3f387432bda51072fff4494fba10b91:
lkdtm/heap: Hide allocation size from -Warray-bounds (2022-05-17 14:47:08 -0700)
----------------------------------------------------------------
lkdtm updates for -next
- Test for new usercopy memory regions
- avoid GCC 12 warnings
- update expected CONFIGs for selftests
----------------------------------------------------------------
Kees Cook (3):
lkdtm/usercopy: Rename "heap" to "slab"
lkdtm/usercopy: Check vmalloc and >0-order folios
lkdtm/heap: Hide allocation size from -Warray-bounds
Muhammad Usama Anjum (1):
selftests/lkdtm: Add configs for stackleak and "after free" tests
drivers/misc/lkdtm/heap.c | 1 +
drivers/misc/lkdtm/usercopy.c | 113 +++++++++++++++++++++++++++-----
tools/testing/selftests/lkdtm/config | 2 +
tools/testing/selftests/lkdtm/tests.txt | 8 +--
4 files changed, 105 insertions(+), 19 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp fix for v5.18-rc6
@ 2022-05-03 21:34 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-05-03 21:34 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Jann Horn, Kees Cook
Hi Linus,
Please pull this small seccomp selftest fix for v5.18-rc6. The selftest
environment assumptions that seccomp depended on changed slightly in
v5.17 and Jann found a simple fix.
Thanks!
-Kees
The following changes since commit ce522ba9ef7e2d9fb22a39eb3371c0c64e2a433e:
Linux 5.18-rc2 (2022-04-10 14:21:36 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.18-rc6
for you to fetch changes up to 2bfed7d2ffa5d86c462d3e2067f2832eaf8c04c7:
selftests/seccomp: Don't call read() on TTY from background pgrp (2022-04-29 11:28:41 -0700)
----------------------------------------------------------------
seccomp fix for v5.18-rc6
- Avoid using stdin for read syscall testing (Jann Horn)
----------------------------------------------------------------
Jann Horn (1):
selftests/seccomp: Don't call read() on TTY from background pgrp
tools/testing/selftests/seccomp/seccomp_bpf.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL drivers/misc] lkdtm updates for next
@ 2022-04-16 21:20 88% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-04-16 21:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Arnd Bergmann, Christophe Leroy, Dan Carpenter,
Dan Li, Greg Kroah-Hartman, Jiasheng Jiang, Kees Cook,
linux-kselftest, Muhammad Usama Anjum, Shuah Khan
Hi Greg,
Please pull these lkdtm updates for -next.
Thanks!
-Kees
The following changes since commit ce522ba9ef7e2d9fb22a39eb3371c0c64e2a433e:
Linux 5.18-rc2 (2022-04-10 14:21:36 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/lkdtm-next
for you to fetch changes up to 2e53b877dc1258d4ac3de98f496bb88ec3bf5e25:
lkdtm: Add CFI_BACKWARD to test ROP mitigations (2022-04-16 13:57:23 -0700)
----------------------------------------------------------------
lkdtm updates for next
Christophe Leroy (1):
lkdtm/bugs: Don't expect thread termination without CONFIG_UBSAN_TRAP
Jiasheng Jiang (1):
lkdtm/bugs: Check for the NULL pointer after calling kmalloc
Kees Cook (4):
lkdtm/heap: Note conditions for SLAB_LINEAR_OVERFLOW
lkdtm/usercopy: Expand size of "out of frame" object
lkdtm: Move crashtype definitions into each category
lkdtm: Add CFI_BACKWARD to test ROP mitigations
----------------------------------------------------------------
drivers/misc/lkdtm/bugs.c | 96 +++++++++++++++------
drivers/misc/lkdtm/cfi.c | 145 +++++++++++++++++++++++++++++++-
drivers/misc/lkdtm/core.c | 138 +++++++-----------------------
drivers/misc/lkdtm/fortify.c | 17 +++-
drivers/misc/lkdtm/heap.c | 47 ++++++++---
drivers/misc/lkdtm/lkdtm.h | 142 ++++++++-----------------------
drivers/misc/lkdtm/perms.c | 47 ++++++++---
drivers/misc/lkdtm/powerpc.c | 11 ++-
drivers/misc/lkdtm/refcount.c | 65 +++++++++-----
drivers/misc/lkdtm/stackleak.c | 11 ++-
drivers/misc/lkdtm/usercopy.c | 49 ++++++++---
tools/testing/selftests/lkdtm/config | 2 +
tools/testing/selftests/lkdtm/tests.txt | 1 +
13 files changed, 471 insertions(+), 300 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 88%]
* [GIT PULL] kernel hardening fixes for v5.18-rc3
@ 2022-04-12 23:36 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-04-12 23:36 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Jason A. Donenfeld, Kees Cook, PaX Team, Tadeusz Struk
Hi Linus,
Please pull these kernel hardening fixes for v5.18-rc3.
Thanks!
-Kees
The following changes since commit 229a08a4f4e4f9949801cc39b6480ddc9c487183:
ARM/dma-mapping: Remove CMA code when not built with CMA (2022-03-31 11:19:25 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc3
for you to fetch changes up to c40160f2998c897231f8454bf797558d30a20375:
gcc-plugins: latent_entropy: use /dev/urandom (2022-04-12 11:31:40 -0700)
----------------------------------------------------------------
hardening fixes for v5.18-rc3
- latent_entropy: Use /dev/urandom instead of small GCC seed (Jason Donenfeld)
- uapi/stddef.h: add missed include guards (Tadeusz Struk)
----------------------------------------------------------------
Jason A. Donenfeld (1):
gcc-plugins: latent_entropy: use /dev/urandom
Tadeusz Struk (1):
uapi/linux/stddef.h: Add include guards
include/uapi/linux/stddef.h | 4 +++
scripts/gcc-plugins/latent_entropy_plugin.c | 44 ++++++++++++++++++-----------
2 files changed, 31 insertions(+), 17 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
@ 2022-04-04 22:25 85% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-04-04 22:25 UTC (permalink / raw)
To: Linus Torvalds
Cc: Mickaël Salaün, Al Viro, Andrew Morton,
Christian Heimes, Geert Uytterhoeven, James Morris,
Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore,
Philippe Trébuchet, Shuah Khan, Steve Dower,
Thibaut Sautereau, Vincent Strubel, linux-fsdevel,
linux-integrity, Linux Kernel Mailing List, LSM List,
Christian Brauner
On Mon, Apr 04, 2022 at 02:28:19PM -0700, Linus Torvalds wrote:
> Now, what I *think* you mean is
>
> (1) user-space executable loaders want to be able to test the *same*
> policy as the kernel does for execve()
Right. The script interpreter wants to ask "if this file were actually
an ELF going through execve(), would the kernel allow it?"
> (2) access(path, EXECVE_OK) will do the same permission checks as
> "execve()" would do for that path
Maybe. I defer to Mickaël here, but my instinct is to avoid creating an
API that can be accidentally misused. I'd like this to be fd-only based,
since that removes path name races. (e.g. trusted_for() required an fd.)
> (3) if you already have the fd open, use "faccess(fd, NULL,
> F_OK_TO_EXECUTE, AT_EMPTY_PATH)"
Yes, specifically faccessat2(). (And continuing the race thought above,
yes, there could still be races if the content of the file could be
changed, but that case is less problematic under real-world conditions.)
> (4) maybe we want to add a flag for the "euid vs real uid", and that
> would be in the "flags" field, since that changes the actual *lookup*
> semantics
>
> Note that that (4) is something that some normal user space has wanted
> in the past too (GNU libcs has a "eaccess()" thing for "effective uid
> access").
I think this already exists as AT_EACCESS? It was added with
faccessat2() itself, if I'm reading the history correctly.
And I just need to say that the thought of setuid script interpreters
still makes me sad. :)
> - I really want the exact semantics very clearly defined. I think
> it's ok to say "exact same security check as for 'execve()'", but even
> then we need to have that discussion about
>
> (a) "what about suid bits that user space cannot react to"
What do you mean here? Do you mean setid bits on the file itself?
> (b) that whole "effective vs real" discussion
I think this is handled with AT_EACCESS?
--
Kees Cook
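The point above about an fd-based check removing path name races, as an added example that is not part of this thread or of the kernel tree. `policy_ok()` is a stand-in for the kernel's execve() decision, and the file names and the symlink re-pointing are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in policy (assumption): a regular file with the owner execute bit.
 * The thread is about asking the kernel for its execve() decision instead. */
static int policy_ok(const struct stat *st)
{
    return S_ISREG(st->st_mode) && (st->st_mode & S_IXUSR) != 0;
}

static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Path flow: the decision is made on a name that is resolved again later. */
static int check_by_path(const char *path, struct stat *checked)
{
    return stat(path, checked) == 0 && policy_ok(checked);
}

/* fd flow: open first, then decide on the object the descriptor refers to.
 * Returns the descriptor to read from, or -1 if open or policy fails. */
static int open_then_check(const char *path, struct stat *checked)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, checked) != 0 || !policy_ok(checked)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a file with an exact mode, independent of the umask. */
static int make_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Atomically re-point the symlink `link` at `target` (the constructed race). */
static int repoint(const char *link, const char *tmp, const char *target)
{
    unlink(tmp);
    return (symlink(target, tmp) == 0 && rename(tmp, link) == 0) ? 0 : -1;
}

/* Returns a bitmask, or -1 on setup failure:
 *   bit 0: the path flow opened a file other than the one it checked,
 *          and that file would have failed the policy;
 *   bit 1: the fd flow kept the checked file although the name moved. */
int run_scenario(void)
{
    char dir[] = "/tmp/fdcheckXXXXXX";
    char approved[64], other[64], script[64], tmp[64];
    struct stat checked, used, now;
    int result = 0, fd;

    if (!mkdtemp(dir))
        return -1;
    snprintf(approved, sizeof approved, "%s/approved", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(script, sizeof script, "%s/script", dir);
    snprintf(tmp, sizeof tmp, "%s/tmp", dir);
    if (make_file(approved, 0700) || make_file(other, 0600) ||
        repoint(script, tmp, "approved"))
        return -1;

    /* Check by name, then open by name after the name has changed. */
    if (check_by_path(script, &checked)) {
        repoint(script, tmp, "other");
        fd = open(script, O_RDONLY | O_CLOEXEC);
        if (fd >= 0 && fstat(fd, &used) == 0 &&
            !same_file(&checked, &used) && !policy_ok(&used))
            result |= 1;
        if (fd >= 0)
            close(fd);
    }

    /* Open, check the descriptor, and keep using that descriptor. */
    repoint(script, tmp, "approved");
    fd = open_then_check(script, &checked);
    if (fd >= 0) {
        repoint(script, tmp, "other");
        if (fstat(fd, &used) == 0 && same_file(&checked, &used) &&
            stat(script, &now) == 0 && !same_file(&checked, &now))
            result |= 2;
        close(fd);
    }

    unlink(script); unlink(approved); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_scenario();
    if (r < 0) { perror("setup"); return 1; }
    printf("path flow opened an unchecked file: %s\n", (r & 1) ? "yes" : "no");
    printf("fd flow kept the checked file: %s\n", (r & 2) ? "yes" : "no");
    return 0;
}
```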
* Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
@ 2022-04-04 18:40 91% ` Kees Cook
From: Kees Cook @ 2022-04-04 18:40 UTC
To: Linus Torvalds
Cc: Mickaël Salaün, Al Viro, Andrew Morton,
Christian Heimes, Geert Uytterhoeven, James Morris,
Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore,
Philippe Trébuchet, Shuah Khan, Steve Dower,
Thibaut Sautereau, Vincent Strubel, linux-fsdevel,
linux-integrity, linux-kernel, linux-security-module
On Mon, Mar 21, 2022 at 05:15:57PM +0100, Mickaël Salaün wrote:
> [...]
> For further details, please see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
>
> Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin()
> to sysctl.c") was recently added due to the sysctl refactoring.
>
> Commit e674341a90b9 ("selftests/interpreter: fix separate directory
> build") will fix some test build cases as explained here:
> https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@collabora.com
> Merging this commit without the new KHDR_INCLUDES is not an issue.
> The upcoming kselftest pull request is ready:
> https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next
>
> This patch series has been open for review for more than three years and
> got a lot of feedback (and bikeshedding), all of which was considered.
> Since I heard no objection, please consider pulling this code for
> v5.18-rc1. These five patches have been successfully tested in the
> latest linux-next releases for several weeks.
Hi Linus,
It looks like this didn't get pulled for -rc1 even though it was sent
during the merge window and has been in -next for a while. It would be
really nice to get this landed since userspace can't make any forward
progress without the kernel support.
Was there some issue blocking this from being merged? All the feedback I
can find on prior versions was addressed.
-Kees
--
Kees Cook
* Re: [GIT PULL] hardening fixes for v5.18-rc1
@ 2022-03-31 19:00 92% ` Kees Cook
From: Kees Cook @ 2022-03-31 19:00 UTC
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Andrew Morton, Christoph Hellwig,
David Hildenbrand, Hari Bathini, Linux ARM, Logan Gunthorpe,
Martin Oliveira, Matthew Wilcox (Oracle),
Mike Kravetz, Minchan Kim, Russell King, Stephen Rothwell,
Zi Yan
On Thu, Mar 31, 2022 at 11:49:42AM -0700, Linus Torvalds wrote:
> On Thu, Mar 31, 2022 at 11:35 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Please pull these hardening fixes for v5.18-rc1. This addresses an
> > -Warray-bounds warning found under a few ARM defconfigs, and disables
> > long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.
>
> Can't we just remove that HARDENED_USERCOPY_PAGESPAN thing entirely?
>
> Yes, yes, I know Matthew did that as part of other patches that are too
> late to go in any more in this merge window, but just the removal
> patch is a no-brainer.
I can do that, but it seemed like more work for folks: a larger diff to
look at, and a rebase for Matthew or me. It's not MUCH more work, but
given the timing of the merge window, I wanted to have a minimal diff.
> IOW, why not just do the attached?
But I can certainly respin it, if you'd prefer?
--
Kees Cook
* Re: [GIT PULL] hardening fixes for v5.18-rc1
@ 2022-03-31 18:57 92% ` Kees Cook
From: Kees Cook @ 2022-03-31 18:57 UTC
To: Russell King (Oracle)
Cc: Linus Torvalds, linux-kernel, Andrew Morton, Christoph Hellwig,
David Hildenbrand, Hari Bathini, linux-arm-kernel,
Logan Gunthorpe, Martin Oliveira, Matthew Wilcox (Oracle),
Mike Kravetz, Minchan Kim, Stephen Rothwell, Zi Yan
On Thu, Mar 31, 2022 at 07:46:28PM +0100, Russell King (Oracle) wrote:
> On Thu, Mar 31, 2022 at 11:35:40AM -0700, Kees Cook wrote:
> > Hi Linus,
> >
> > Please pull these hardening fixes for v5.18-rc1. This addresses an
> > -Warray-bounds warning found under a few ARM defconfigs, and disables
> > long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.
>
> I don't see these patches on linux-arm-kernel... are we doing away with
> patch review now? :D
Uh, what? The links in the patches show the reviews, even. I assume
you're mainly talking about the DMA one; it's right here:
https://lore.kernel.org/linux-arm-kernel/20220309175107.195182-1-keescook@chromium.org/
I had thought hch was going to take this patch, but the dma tree didn't
have it, so I sent it in.
And the usercopy patch was here, with references to the discussion
around it too:
https://lore.kernel.org/all/20220324230255.1362706-1-keescook@chromium.org/
--
Kees Cook
* [GIT PULL] hardening fixes for v5.18-rc1
@ 2022-03-31 18:35 89% Kees Cook
From: Kees Cook @ 2022-03-31 18:35 UTC
To: Linus Torvalds
Cc: linux-kernel, Andrew Morton, Christoph Hellwig,
David Hildenbrand, Hari Bathini, Kees Cook, linux-arm-kernel,
Logan Gunthorpe, Martin Oliveira, Matthew Wilcox (Oracle),
Mike Kravetz, Minchan Kim, Russell King, Stephen Rothwell,
Zi Yan
Hi Linus,
Please pull these hardening fixes for v5.18-rc1. This addresses an
-Warray-bounds warning found under a few ARM defconfigs, and disables
long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.
Thanks!
-Kees
The following changes since commit afcf5441b9ff22ac57244cd45ff102ebc2e32d1a:
arm64: Add gcc Shadow Call Stack support (2022-03-10 09:22:09 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc1-fix1
for you to fetch changes up to 229a08a4f4e4f9949801cc39b6480ddc9c487183:
ARM/dma-mapping: Remove CMA code when not built with CMA (2022-03-31 11:19:25 -0700)
----------------------------------------------------------------
hardening updates for v5.18-rc1-fix1
- Disable CONFIG_HARDENED_USERCOPY_PAGESPAN
- DMA: remove CMA code when not building CMA
----------------------------------------------------------------
Kees Cook (2):
usercopy: Disable CONFIG_HARDENED_USERCOPY_PAGESPAN
ARM/dma-mapping: Remove CMA code when not built with CMA
arch/arm/mm/dma-mapping.c | 2 ++
arch/arm/mm/mm.h | 4 ++++
include/linux/cma.h | 4 ----
security/Kconfig | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
--
Kees Cook
* Re: [GIT PULL] FORTIFY_SOURCE updates for v5.18-rc1
@ 2022-03-28 16:01 92% ` Kees Cook
From: Kees Cook @ 2022-03-28 16:01 UTC
To: Linus Torvalds
Cc: Linux Kernel Mailing List, George Burgess IV, linux-hardening,
llvm, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers
On Sat, Mar 26, 2022 at 12:40:18PM -0700, Linus Torvalds wrote:
> On Sat, Mar 26, 2022 at 12:29 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > Because if all the compiler issues and warnings have been sorted out,
> > it sounds to me like the compile-time side could/should be done
> > unconditionally if there are no runtime downsides.
Yeah, I'd like to do this. The way the header files are currently split
up makes this slightly weird, and there have been issues with some
arch/compiler combinations, so it's not quite as cut-and-dried as I'd
like. I'll investigate what it could look like.
> .. or do the existing compiler warnings for the builtins already cover
> all cases, and the only reason the fortify-source code has
> compile-time warnings is that the option takes over the builtins?
This mostly depends on the compiler version, and they often overlap, but
the new FORTIFY logic tends to be more strict (where possible) and is more
consistent; I view the two diagnostic capabilities as complementary.
--
Kees Cook
* [GIT PULL] array-bounds updates for v5.18-rc1
@ 2022-03-25 22:29 84% Kees Cook
From: Kees Cook @ 2022-03-25 22:29 UTC
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Gustavo A. R. Silva, Kees Cook,
linux-kbuild, Masahiro Yamada, Nick Desaulniers
Hi Linus,
Please pull these array-bounds updates for v5.18-rc1. Like the
FORTIFY_SOURCE tree, I was waiting for all the various other trees with
fixes to get merged. It looks like scsi was the last major tree I was
waiting on. This enables -Warray-bounds and -Wzero-length-bounds, now
that the many bug fixes have landed all over the place in the kernel,
and in GCC itself[1].
Earlier build testing of this series merged against your tree didn't show
any new warnings, but as this option has been a bit of a whack-a-mole
over the last development cycle in -next, it's possible new cases
have appeared. We will remain vigilant. :) A couple fixes[2] for known
corner-case issues currently live in my "pending-fixes" tree which I'm
expecting to send next week if other maintainers still haven't picked
them up.
I'm also expecting we can enable -Wstringop-overflow next cycle, as
there are only a few stragglers[3], but it might even be possible for
this release.
Thanks!
-Kees
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578
[2] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/pending-fixes&id=2d253138910eec553fc706379914243d71de9b85
[3] https://github.com/KSPP/linux/issues/181
The following changes since commit dfd42facf1e4ada021b939b4e19c935dcdd55566:
Linux 5.17-rc3 (2022-02-06 12:20:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/array-bounds-v5.18-rc1
for you to fetch changes up to 00a4f836eb369723b148e3f250c850a028778832:
Makefile: Enable -Wzero-length-bounds (2022-02-13 16:49:40 -0800)
----------------------------------------------------------------
array-bounds updates for v5.18-rc1
- Enable -Warray-bounds globally
- Enable -Wzero-length-bounds globally
----------------------------------------------------------------
Kees Cook (2):
Makefile: Enable -Warray-bounds
Makefile: Enable -Wzero-length-bounds
Makefile | 2 --
1 file changed, 2 deletions(-)
--
Kees Cook
* [GIT PULL] FORTIFY_SOURCE updates for v5.18-rc1
@ 2022-03-25 22:03 70% Kees Cook
From: Kees Cook @ 2022-03-25 22:03 UTC
To: Linus Torvalds
Cc: linux-kernel, George Burgess IV, Kees Cook, linux-hardening,
llvm, Miguel Ojeda, Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull these FORTIFY_SOURCE updates for v5.18-rc1.
This series consists of two halves:
- strict compile-time buffer size checking under FORTIFY_SOURCE for
the memcpy()-family of functions (for extensive details and rationale,
see the first commit),
- enabling FORTIFY_SOURCE for Clang, which has had many overlapping bugs
that we've finally worked past.
It looks like all the dependent trees with related buffer fixes have been
merged (I was waiting for the scsi tree to get pulled). This has been
in -next for almost 2 development cycles, and I did overnight build
testing merged against your tree under the following combinations,
with no new warnings (there is one Clang 14+ specific issue in
drivers/net/ethernet/huawei/hinic that we're still tracking down as a
likely compiler regression[1]):
gcc 11.2.1 (Fedora 35) defconfig: x86_64 i386 arm64
gcc 11.2.1 (Fedora 35) allmodconfig: x86_64 i386 arm64
gcc 11.2.0 (Ubuntu 21.10) defconfig: x86_64 i386 arm64
gcc 11.2.0 (Ubuntu 21.10) allmodconfig: x86_64 i386 arm64
gcc 10.3.0 (Ubuntu 21.10) defconfig: x86_64 i386 arm64
gcc 10.3.0 (Ubuntu 21.10) allmodconfig: x86_64 i386 arm64
gcc 9.4.0 (Ubuntu 21.10) defconfig: x86_64 i386 arm64
gcc 9.4.0 (Ubuntu 21.10) allmodconfig: x86_64 i386 arm64
gcc 8.5.0 (Ubuntu 21.10) defconfig: x86_64 i386 arm64
gcc 8.5.0 (Ubuntu 21.10) allmodconfig: x86_64 i386 arm64
clang 15.0.0 (local build) defconfig: x86_64 i386 arm64
clang 14.0.0 (Ubuntu 22.04) defconfig: x86_64 i386 arm64
clang 13.0.0 (Fedora 35) defconfig: x86_64 i386 arm64
clang 12.0.1 (Ubuntu 21.10) defconfig: x86_64 i386 arm64
clang 13.0.0 (Ubuntu 21.10) allmodconfig: x86_64 i386
clang 12.0.1 (Ubuntu 21.10) allmodconfig: x86_64 i386
There is also still 1 runtime fix pending for the comedi driver's
selftests[2], which is living in my "pending-fixes" tree (for fixes that
maintainers appear to have picked up, but haven't appeared in -next yet).
Beyond that, as far as I've been able to track, all the other architectures
also build cleanly; we've been fixing any issues as they are reported
by various builders, and when we find them in our builds.
Thanks!
-Kees
[1] https://github.com/ClangBuiltLinux/linux/issues/1592
[2] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/pending-fixes&id=77cc24d543c46076d753348b6178473eb16fc788
The following changes since commit dfd42facf1e4ada021b939b4e19c935dcdd55566:
Linux 5.17-rc3 (2022-02-06 12:20:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/memcpy-v5.18-rc1
for you to fetch changes up to 281d0c962752fb40866dd8d4cade68656f34bd1f:
fortify: Add Clang support (2022-02-13 16:50:07 -0800)
----------------------------------------------------------------
memcpy updates for v5.18-rc1
- Enable strict FORTIFY_SOURCE compile-time validation of memcpy buffers
- Add Clang features needed for FORTIFY_SOURCE support
- Enable FORTIFY_SOURCE for Clang where possible
----------------------------------------------------------------
Kees Cook (12):
fortify: Detect struct member overflows in memcpy() at compile-time
fortify: Detect struct member overflows in memmove() at compile-time
fortify: Detect struct member overflows in memset() at compile-time
fortify: Update compile-time tests for Clang 14
fortify: Replace open-coded __gnu_inline attribute
Compiler Attributes: Add __pass_object_size for Clang
Compiler Attributes: Add __overloadable for Clang
Compiler Attributes: Add __diagnose_as for Clang
fortify: Make pointer arguments const
fortify: Use __diagnose_as() for better diagnostic coverage
fortify: Make sure strlen() may still be used as a constant expression
fortify: Add Clang support
arch/x86/boot/compressed/misc.c | 3 +-
arch/x86/lib/memcpy_32.c | 1 +
include/linux/compiler_attributes.h | 39 ++++
include/linux/fortify-string.h | 238 +++++++++++++++++++-----
lib/Makefile | 3 +-
lib/string_helpers.c | 6 +
lib/test_fortify/read_overflow2_field-memcpy.c | 5 +
lib/test_fortify/read_overflow2_field-memmove.c | 5 +
lib/test_fortify/write_overflow_field-memcpy.c | 5 +
lib/test_fortify/write_overflow_field-memmove.c | 5 +
lib/test_fortify/write_overflow_field-memset.c | 5 +
scripts/test_fortify.sh | 8 +-
security/Kconfig | 5 +-
13 files changed, 272 insertions(+), 56 deletions(-)
create mode 100644 lib/test_fortify/read_overflow2_field-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2_field-memmove.c
create mode 100644 lib/test_fortify/write_overflow_field-memcpy.c
create mode 100644 lib/test_fortify/write_overflow_field-memmove.c
create mode 100644 lib/test_fortify/write_overflow_field-memset.c
--
Kees Cook
* Re: [GIT PULL] bounds fixes for v5.18-rc1
@ 2022-03-23 14:51 91% ` Kees Cook
From: Kees Cook @ 2022-03-23 14:51 UTC
To: Sakari Ailus
Cc: Linus Torvalds, linux-kernel, Alexander Shishkin, Arnd Bergmann,
Geert Uytterhoeven, Greg Ungerer, Guenter Roeck,
Gustavo A. R. Silva, Ivan Kokshaysky, Jarkko Sakkinen,
Jason Gunthorpe, Laurent Pinchart, Mark Rutland, Matt Turner,
Mauro Carvalho Chehab, Peter Huewe, Peter Zijlstra (Intel),
Richard Henderson, Sean Christopherson, Stefan Berger
On March 23, 2022 4:44:56 AM PDT, Sakari Ailus <sakari.ailus@linux.intel.com> wrote:
>Hi Kees,
>
>On Mon, Mar 21, 2022 at 08:52:31AM -0700, Kees Cook wrote:
>> media: omap3isp: Use struct_group() for memcpy() region
>
>This patch has been applied to linux-media tree about a month ago. It may
>have taken a bit more time than usual to get to linux-next though.
>
>Please try to remember to agree with maintainers in advance when merging
>patches via non-default routes.
Ah-ha; thank you for grabbing this one! I'm sorry I missed it while tending this tree; given the ordering of merges in -next, I've had to carry these kinds of fixes to avoid warnings popping up for various builders, but dropping accepted patches has been a manual process. I will see what I can do to automate this going forward.
-Kees
--
Kees Cook
* Re: [GIT PULL] seccomp update for v5.18-rc1
@ 2022-03-22 4:54 92% ` Kees Cook
From: Kees Cook @ 2022-03-22 4:54 UTC
To: Linus Torvalds; +Cc: Linux Kernel Mailing List
On March 21, 2022 7:45:51 PM PDT, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>On Mon, Mar 21, 2022 at 8:07 AM Kees Cook <keescook@chromium.org> wrote:
>>
>> Please pull this tiny seccomp update for v5.18-rc1.
>
>Well, that *really* didn't work at all.
>
> In file included from samples/seccomp/dropper.c:29:
> usr/include/linux/ptrace.h:50: warning: "PTRACE_GETREGSET" redefined
> 50 | #define PTRACE_GETREGSET 0x4204
> |
> In file included from samples/seccomp/dropper.c:24:
> /usr/include/sys/ptrace.h:153: note: this is the location of the
>previous definition
> 153 | #define PTRACE_GETREGSET PTRACE_GETREGSET
> |
> [...]
>
>.. and a lot of similar warnings.
Oh, eww. Apologies! That didn't happen for my builders, but yeah, that code is super fragile anyway, so this just confirms my suspicion that the changes weren't useful. I'll drop it from my tree.
--
Kees Cook
* [GIT PULL] bounds fixes for v5.18-rc1
@ 2022-03-21 15:52 83% Kees Cook
From: Kees Cook @ 2022-03-21 15:52 UTC
To: Linus Torvalds
Cc: linux-kernel, Alexander Shishkin, Arnd Bergmann,
Geert Uytterhoeven, Greg Ungerer, Guenter Roeck,
Gustavo A. R. Silva, Ivan Kokshaysky, Jarkko Sakkinen,
Jason Gunthorpe, Kees Cook, Laurent Pinchart, Mark Rutland,
Matt Turner, Mauro Carvalho Chehab, Peter Huewe,
Peter Zijlstra (Intel),
Richard Henderson, Sakari Ailus, Sean Christopherson,
Stefan Berger
Hi Linus,
Please pull these scattered buffer and array bounds fixes for v5.18-rc1.
These are a handful of fixes that I've been carrying in -next in
preparation for the coming memcpy improvements and the enabling of
-Warray-bounds globally. There are additional similar fixes in other
maintainers' trees, but these ended up getting carried by me. :)
Thanks!
-Kees
The following changes since commit dfd42facf1e4ada021b939b4e19c935dcdd55566:
Linux 5.17-rc3 (2022-02-06 12:20:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/bounds-fixes-v5.18-rc1
for you to fetch changes up to fad278388e01e3658a356118bed8ee2c2408d280:
media: omap3isp: Use struct_group() for memcpy() region (2022-02-27 10:58:04 -0800)
----------------------------------------------------------------
bounds-fixes updates for v5.18-rc1
- Various buffer and array bounds related fixes
----------------------------------------------------------------
Kees Cook (5):
intel_th: msu: Use memset_startat() for clearing hw header
m68k: cmpxchg: Dereference matching size
alpha: Silence -Warray-bounds warnings
tpm: vtpm_proxy: Check length to avoid compiler warning
media: omap3isp: Use struct_group() for memcpy() region
Sean Christopherson (1):
KVM: x86: Replace memset() "optimization" with normal per-field writes
arch/alpha/mm/init.c | 6 +++---
arch/m68k/include/asm/cmpxchg.h | 9 ++++-----
arch/x86/kvm/emulate.c | 9 +++++++--
arch/x86/kvm/kvm_emulate.h | 6 +-----
drivers/char/tpm/tpm_vtpm_proxy.c | 2 +-
drivers/hwtracing/intel_th/msu.c | 4 +---
drivers/media/platform/omap3isp/ispstat.c | 5 +++--
include/uapi/linux/omap3isp.h | 21 +++++++++++++--------
8 files changed, 33 insertions(+), 29 deletions(-)
--
Kees Cook
* [GIT PULL] overflow updates for v5.18-rc1
@ 2022-03-21 15:26 84% Kees Cook
From: Kees Cook @ 2022-03-21 15:26 UTC
To: Linus Torvalds
Cc: linux-kernel, Anton Ivanov, Arnd Bergmann, Daniel Latypov,
David Gow, Gustavo A. R. Silva, Jason Gunthorpe, Jeff Dike,
Kees Cook, Keith Busch, Len Baker, Leon Romanovsky, linux-kbuild,
Masahiro Yamada, Nathan Chancellor, Nick Desaulniers,
Rasmus Villemoes, Richard Weinberger, Vitor Massaru Iha
Hi Linus,
Please pull these overflow updates for v5.18-rc1. These changes come in
roughly two halves: support of Gustavo A. R. Silva's struct_size()
work via additional helpers for catching overflow allocation size
calculations, and conversions of selftests to KUnit (which includes
some tweaks for UML + Clang).
Thanks!
-Kees
The following changes since commit dfd42facf1e4ada021b939b4e19c935dcdd55566:
Linux 5.17-rc3 (2022-02-06 12:20:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.18-rc1
for you to fetch changes up to 02788ebcf521fe78c24eb221fd1ed7f86792c330:
lib: stackinit: Convert to KUnit (2022-03-21 08:13:04 -0700)
----------------------------------------------------------------
overflow updates for v5.18-rc1
- Convert overflow selftest to KUnit
- Convert stackinit selftest to KUnit
- Implement size_t saturating arithmetic helpers
- Allow struct_size() to be used in initializers
----------------------------------------------------------------
Kees Cook (6):
test_overflow: Regularize test reporting output
overflow: Implement size_t saturating arithmetic helpers
overflow: Provide constant expression struct_size
lib: overflow: Convert to Kunit
um: Allow builds with Clang
lib: stackinit: Convert to KUnit
Documentation/process/deprecated.rst | 20 +-
arch/um/os-Linux/execvp.c | 1 +
arch/x86/um/user-offsets.c | 9 +-
include/linux/overflow.h | 114 +++---
lib/Kconfig.debug | 38 +-
lib/Makefile | 6 +-
lib/{test_overflow.c => overflow_kunit.c} | 518 +++++++++++++++-------------
lib/{test_stackinit.c => stackinit_kunit.c} | 269 ++++++---------
scripts/Makefile.clang | 1 +
9 files changed, 518 insertions(+), 458 deletions(-)
rename lib/{test_overflow.c => overflow_kunit.c} (54%)
rename lib/{test_stackinit.c => stackinit_kunit.c} (66%)
--
Kees Cook
* [GIT PULL] seccomp update for v5.18-rc1
@ 2022-03-21 15:06 92% Kees Cook
From: Kees Cook @ 2022-03-21 15:06 UTC
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook
Hi Linus,
Please pull this tiny seccomp update for v5.18-rc1.
Thanks!
-Kees
The following changes since commit eed09ad261822a7bdc441ed192c6f444375e5527:
samples/seccomp: Adjust sample to also provide kill option (2022-02-10 19:09:12 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.18-rc1
for you to fetch changes up to b5caa8dd9cc8ad5126f06e9266c326d38a1fc6d2:
samples/seccomp: Improve arch hints (2022-02-13 10:16:25 -0800)
----------------------------------------------------------------
seccomp update for v5.18-rc1
- Improve architecture hints in sample (Kees Cook)
----------------------------------------------------------------
Kees Cook (1):
samples/seccomp: Improve arch hints
samples/seccomp/dropper.c | 84 ++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 73 insertions(+), 11 deletions(-)
--
Kees Cook
* [GIT PULL] hardening updates for v5.18-rc1
@ 2022-03-21 15:03 80% Kees Cook
From: Kees Cook @ 2022-03-21 15:03 UTC
To: Linus Torvalds
Cc: linux-kernel, Alexander Popov, Andrew Morton, Chris Zankel,
Dan Li, Geert Uytterhoeven, Josh Poimboeuf, Kees Cook,
Marco Elver, Marc Zyngier, Matthew Wilcox, Max Filippov,
Muhammad Usama Anjum, Nathan Chancellor, Nick Desaulniers,
Peter Zijlstra
Hi Linus,
Please pull these hardening updates for v5.18-rc1. A notable change is
support for arm64 Shadow Call Stack under GCC 12, which was originally
proposed[1] as a kernel-specific gcc plugin, but was instead implemented
in upstream[2] GCC.
Thanks!
-Kees
[1] https://lore.kernel.org/linux-hardening/1632069436-25075-1-git-send-email-ashimida@linux.alibaba.com/
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
The following changes since commit 26291c54e111ff6ba87a164d85d4a4e134b7315c:
Linux 5.17-rc2 (2022-01-30 15:37:07 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc1
for you to fetch changes up to afcf5441b9ff22ac57244cd45ff102ebc2e32d1a:
arm64: Add gcc Shadow Call Stack support (2022-03-10 09:22:09 -0800)
----------------------------------------------------------------
hardening updates for v5.18-rc1
- Add arm64 Shadow Call Stack support for GCC 12 (Dan Li)
- Avoid memset with stack offset randomization under Clang (Marco Elver)
- Clean up stackleak plugin to play nice with .noinstr (Kees Cook)
- Check stack depth for greater usercopy hardening coverage (Kees Cook)
----------------------------------------------------------------
Dan Li (1):
arm64: Add gcc Shadow Call Stack support
Kees Cook (6):
gcc-plugins/stackleak: Provide verbose mode
gcc-plugins/stackleak: Exactly match strings instead of prefixes
gcc-plugins/stackleak: Ignore .noinstr.text and .entry.text
usercopy: Check valid lifetime via stack depth
xtensa: Implement "current_stack_pointer"
m68k: Implement "current_stack_pointer"
Marco Elver (2):
stack: Introduce CONFIG_RANDOMIZE_KSTACK_OFFSET
stack: Constrain and fix stack offset randomization with Clang builds
arch/Kconfig | 43 +++++++++++++++++++++++-----------
arch/arm/Kconfig | 1 +
arch/arm64/Kconfig | 3 ++-
arch/m68k/Kconfig | 1 +
arch/m68k/include/asm/current.h | 4 +++-
arch/powerpc/Kconfig | 1 +
arch/s390/Kconfig | 1 +
arch/sh/Kconfig | 1 +
arch/x86/Kconfig | 1 +
arch/xtensa/Kconfig | 1 +
arch/xtensa/include/asm/current.h | 2 ++
arch/xtensa/include/asm/stacktrace.h | 8 +++----
arch/xtensa/kernel/irq.c | 3 +--
include/linux/compiler-gcc.h | 4 ++++
include/linux/randomize_kstack.h | 21 +++++++++++++++--
init/main.c | 2 +-
mm/Kconfig | 9 +++++++
mm/usercopy.c | 23 ++++++++++++++++--
scripts/Makefile.gcc-plugins | 2 ++
scripts/gcc-plugins/stackleak_plugin.c | 29 +++++++++++++++++++----
security/Kconfig.hardening | 10 ++++++++
21 files changed, 139 insertions(+), 31 deletions(-)
--
Kees Cook
* [GIT PULL] pstore updates for v5.18-rc1
@ 2022-03-21 14:47 92% Kees Cook
From: Kees Cook @ 2022-03-21 14:47 UTC
To: Linus Torvalds
Cc: linux-kernel, Jann Horn, Kees Cook, Sebastian Andrzej Siewior,
Vincent Whitchurch
Hi Linus,
Please pull these two pstore updates for v5.18-rc1.
Thanks!
-Kees
The following changes since commit 26291c54e111ff6ba87a164d85d4a4e134b7315c:
Linux 5.17-rc2 (2022-01-30 15:37:07 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.18-rc1
for you to fetch changes up to 8126b1c73108bc691f5643df19071a59a69d0bc6:
pstore: Don't use semaphores in always-atomic-context code (2022-03-15 11:08:23 -0700)
----------------------------------------------------------------
pstore updates for v5.18-rc1
- Don't use semaphores in always-atomic-context code (Jann Horn)
- Add "ECC:" prefix to ECC messages (Vincent Whitchurch)
----------------------------------------------------------------
Jann Horn (1):
pstore: Don't use semaphores in always-atomic-context code
Vincent Whitchurch (1):
pstore: Add prefix to ECC messages
drivers/firmware/efi/efi-pstore.c | 2 +-
fs/pstore/platform.c | 38 ++++++++++++++++++--------------------
fs/pstore/ram_core.c | 4 ++--
include/linux/pstore.h | 6 +++---
4 files changed, 24 insertions(+), 26 deletions(-)
--
Kees Cook
* [GIT PULL] execve updates for v5.18-rc1
@ 2022-03-21 14:44 70% Kees Cook
From: Kees Cook @ 2022-03-21 14:44 UTC
To: Linus Torvalds
Cc: linux-kernel, Akira Kawata, Alexander Viro, Alexey Dobriyan,
Andrew Morton, Andy Lutomirski, Ariadne Conill, Bill Messmer,
Catalin Marinas, Christian Brauner, Dave Martin, David Gow,
Eric Biederman, Geert Uytterhoeven, Ivan Kokshaysky, Jann Horn,
Kees Cook, Magnus Groß,
Matthew Wilcox, Matt Turner, Michael Kerrisk,
Peter Collingbourne, Randy Dunlap, Richard Henderson,
Rich Felker, Rick Edgecombe, Shuah Khan, Tom Rix, Yang Yingliang,
Yu-cheng Yu
Hi Linus,
Please pull these execve and binfmt updates for v5.18-rc1. Eric and I
have stepped up to be the active maintainers of this area, so here's our
first collection. The bulk of the work was in coredump handling fixes;
additional details are noted below.
Thanks!
-Kees
The following changes since commit 439a8468242b313486e69b8cc3b45ddcfa898fbf:
binfmt_elf: Avoid total_mapping_size for ET_EXEC (2022-03-01 10:29:20 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/execve-v5.18-rc1
for you to fetch changes up to dd664099002db909912a23215f8775c97f7f4f10:
binfmt_elf: Don't write past end of notes for regset gap (2022-03-18 10:17:09 -0700)
----------------------------------------------------------------
execve updates for v5.18-rc1
- Handle unusual AT_PHDR offsets (Akira Kawata)
- Fix initial mapping size when PT_LOADs are not ordered (Alexey Dobriyan)
- Move more code under CONFIG_COREDUMP (Alexey Dobriyan)
- Fix missing mmap_lock in fill_files_note (Eric W. Biederman)
- Remove a.out support for alpha and m68k (Eric W. Biederman)
- Include first pages of non-exec ELF libraries in coredump (Jann Horn)
- Don't write past end of notes for regset gap in coredump (Rick Edgecombe)
- Comment clean-ups (Tom Rix)
- Force single empty string when argv is empty (Kees Cook)
- Add NULL argv selftest (Kees Cook)
- Properly redefine PT_GNU_* in terms of PT_LOOS (Kees Cook)
- MAINTAINERS: Update execve entry with tree (Kees Cook)
- Introduce initial KUnit testing for binfmt_elf (Kees Cook)
----------------------------------------------------------------
Akira Kawata (2):
fs/binfmt_elf: Fix AT_PHDR for unusual ELF files
fs/binfmt_elf: Refactor load_elf_binary function
Alexey Dobriyan (2):
ELF: fix overflow in total mapping size calculation
binfmt: move more stuff undef CONFIG_COREDUMP
Eric W. Biederman (7):
coredump: Move definition of struct coredump_params into coredump.h
coredump: Snapshot the vmas in do_coredump
coredump: Remove the WARN_ON in dump_vma_snapshot
coredump/elf: Pass coredump_params into fill_note_info
coredump: Use the vma snapshot in fill_files_note
coredump: Don't compile flat_core_dump when coredumps are disabled
a.out: Stop building a.out/osf1 support on alpha and m68k
Jann Horn (1):
coredump: Also dump first pages of non-executable ELF libraries
Kees Cook (6):
exec: Force single empty string when argv is empty
selftests/exec: Test for empty string on NULL argv
MAINTAINERS: Update execve entry with more details
ELF: Properly redefine PT_GNU_* in terms of PT_LOOS
binfmt_elf: Introduce KUnit test
Merge branch 'coredump-vma-snapshot-fix-for-v5.18' of https://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace into for-next/execve
Rick Edgecombe (1):
binfmt_elf: Don't write past end of notes for regset gap
Tom Rix (1):
exec: cleanup comments
MAINTAINERS | 4 +
arch/alpha/Kconfig | 1 -
arch/m68k/Kconfig | 1 -
fs/Kconfig.binfmt | 10 ++
fs/binfmt_elf.c | 153 +++++++++++++++++--------------
fs/binfmt_elf_fdpic.c | 20 ++--
fs/binfmt_elf_test.c | 64 +++++++++++++
fs/binfmt_flat.c | 7 ++
fs/compat_binfmt_elf.c | 2 +
fs/coredump.c | 86 +++++++++++++----
fs/exec.c | 32 ++++++-
include/linux/binfmts.h | 15 +--
include/linux/coredump.h | 20 +++-
include/uapi/linux/elf.h | 7 +-
tools/testing/selftests/exec/Makefile | 1 +
tools/testing/selftests/exec/null-argv.c | 78 ++++++++++++++++
16 files changed, 374 insertions(+), 127 deletions(-)
create mode 100644 fs/binfmt_elf_test.c
create mode 100644 tools/testing/selftests/exec/null-argv.c
--
Kees Cook
^ permalink raw reply [relevance 70%]
* Re: [GIT PULL] Fix fill_files_note
@ 2022-03-09 21:45 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-03-09 21:45 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Matthew Wilcox, linux-fsdevel, linux-kernel, Alexander Viro,
Denys Vlasenko, Vlastimil Babka, Liam R . Howlett, Jann Horn,
linux-mm
On Wed, Mar 09, 2022 at 02:27:07PM -0600, Eric W. Biederman wrote:
> It turns out I missed a crazy corner case of binfmt_flat, when coredumps
> are disabled. This fixes a compile error that was reported.
>
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git coredump-vma-snapshot-fix-for-v5.18
> HEAD: f833116ad2c3eabf9c739946170e07825cca67ed coredump: Don't compile flat_core_dump when coredumps are disabled
>
> Can you include this as well.
Thanks! Pulled and pushed out.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] Fix fill_files_note
@ 2022-03-09 16:32 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-03-09 16:32 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Matthew Wilcox, linux-fsdevel, linux-kernel, Alexander Viro,
Denys Vlasenko, Vlastimil Babka, Liam R . Howlett, Jann Horn,
linux-mm
On Wed, Mar 09, 2022 at 10:29:10AM -0600, Eric W. Biederman wrote:
> Kees Cook <keescook@chromium.org> writes:
>
> > On Tue, Mar 08, 2022 at 01:35:03PM -0600, Eric W. Biederman wrote:
> >>
> >> Kees,
> >>
> >> Please pull the coredump-vma-snapshot-fix branch from the git tree:
> >>
> >> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git coredump-vma-snapshot-fix
> >>
> >> HEAD: 390031c942116d4733310f0684beb8db19885fe6 coredump: Use the vma snapshot in fill_files_note
> >>
> >> Matthew Wilcox has reported a missing mmap_lock in file_files_note,
> >> which could cause trouble.
> >>
> >> Refactor the code and clean it up so that the vma snapshot makes
> >> it to fill_files_note, and then use the vma snapshot in fill_files_note.
> >>
> >> Eric W. Biederman (5):
> >> coredump: Move definition of struct coredump_params into coredump.h
> >> coredump: Snapshot the vmas in do_coredump
> >> coredump: Remove the WARN_ON in dump_vma_snapshot
> >> coredump/elf: Pass coredump_params into fill_note_info
> >> coredump: Use the vma snapshot in fill_files_note
> >>
> >> fs/binfmt_elf.c | 66 ++++++++++++++++++++++--------------------------
> >> fs/binfmt_elf_fdpic.c | 18 +++++--------
> >> fs/binfmt_flat.c | 1 +
> >> fs/coredump.c | 59 ++++++++++++++++++++++++++++---------------
> >> include/linux/binfmts.h | 13 +---------
> >> include/linux/coredump.h | 20 ++++++++++++---
> >> 6 files changed, 93 insertions(+), 84 deletions(-)
> >>
> >> ---
> >>
> >> Kees I realized I needed to rebase this on Jann Horn's commit
> >> 84158b7f6a06 ("coredump: Also dump first pages of non-executable ELF
> >> libraries"). Unfortunately before I got that done I got distracted and
> >> these changes have been sitting in limbo for most of the development
> >> cycle. Since you are running a tree that is including changes like this
> >> including Jann's can you please pull these changes into your tree.
> >
> > Sure! Can you make a signed tag for this pull?
>
> Not yet.
>
> Hopefully I will get the time to set that up soon, but I am not at all
> setup to do signed tags at this point.
Okay, cool. Since I'd already reviewed these before, I've pulled and it
should be in -next now.
> [...]
> Thanks. That looks like a good place to start.
I will try to clean up that work-flow and stuff it into my kernel-tools
repo.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] Fix fill_files_note
@ 2022-03-08 21:49 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2022-03-08 21:49 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Matthew Wilcox, linux-fsdevel, linux-kernel, Alexander Viro,
Denys Vlasenko, Vlastimil Babka, Liam R . Howlett, Jann Horn,
linux-mm
On Tue, Mar 08, 2022 at 01:35:03PM -0600, Eric W. Biederman wrote:
>
> Kees,
>
> Please pull the coredump-vma-snapshot-fix branch from the git tree:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git coredump-vma-snapshot-fix
>
> HEAD: 390031c942116d4733310f0684beb8db19885fe6 coredump: Use the vma snapshot in fill_files_note
>
> Matthew Wilcox has reported a missing mmap_lock in file_files_note,
> which could cause trouble.
>
> Refactor the code and clean it up so that the vma snapshot makes
> it to fill_files_note, and then use the vma snapshot in fill_files_note.
>
> Eric W. Biederman (5):
> coredump: Move definition of struct coredump_params into coredump.h
> coredump: Snapshot the vmas in do_coredump
> coredump: Remove the WARN_ON in dump_vma_snapshot
> coredump/elf: Pass coredump_params into fill_note_info
> coredump: Use the vma snapshot in fill_files_note
>
> fs/binfmt_elf.c | 66 ++++++++++++++++++++++--------------------------
> fs/binfmt_elf_fdpic.c | 18 +++++--------
> fs/binfmt_flat.c | 1 +
> fs/coredump.c | 59 ++++++++++++++++++++++++++++---------------
> include/linux/binfmts.h | 13 +---------
> include/linux/coredump.h | 20 ++++++++++++---
> 6 files changed, 93 insertions(+), 84 deletions(-)
>
> ---
>
> Kees I realized I needed to rebase this on Jann Horn's commit
> 84158b7f6a06 ("coredump: Also dump first pages of non-executable ELF
> libraries"). Unfortunately before I got that done I got distracted and
> these changes have been sitting in limbo for most of the development
> cycle. Since you are running a tree that is including changes like this
> including Jann's can you please pull these changes into your tree.
Sure! Can you make a signed tag for this pull?
If it helps, my workflow looks like this, though I assume there might be
better ways. (tl;dr: "git tag -s TAG BRANCH")
PULL_BRANCH=name-of-branch
BASE=sha-of-base
FOR=someone
TOPIC=topic-name
TAG="for-$FOR/$TOPIC"
SIGNED=~/.pull-request-signed-"$TAG"
echo "$TOPIC update" > "$SIGNED"
git request-pull "$BASE" git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git "$PULL_BRANCH" | awk '{print "# " $0}' >> "$SIGNED"
vi "$SIGNED"
git tag -sF "$SIGNED" "$TAG" "$PULL_BRANCH"
git push origin "$PULL_BRANCH"
git push origin +"$TAG"
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] binfmt_elf fix for v5.17-rc7
@ 2022-03-01 18:35 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-03-01 18:35 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Viro, Eric Biederman, Kees Cook,
linux-fsdevel, linux-mm, matoro, matoro,
John Paul Adrian Glaubitz
Hi Linus,
Please pull this binfmt_elf fix for v5.17-rc7. This addresses a
regression[1] under ia64 where some ET_EXEC binaries were not loading.
Thanks!
-Kees
[1] https://linux-regtracking.leemhuis.info/regzbot/regression/a3edd529-c42d-3b09-135c-7e98a15b150f@leemhuis.info/
The following changes since commit dfd42facf1e4ada021b939b4e19c935dcdd55566:
Linux 5.17-rc3 (2022-02-06 12:20:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/binfmt_elf-v5.17-rc7
for you to fetch changes up to 439a8468242b313486e69b8cc3b45ddcfa898fbf:
binfmt_elf: Avoid total_mapping_size for ET_EXEC (2022-03-01 10:29:20 -0800)
----------------------------------------------------------------
binfmt_elf fix for v5.17-rc7
- Fix ia64 ET_EXEC loading
----------------------------------------------------------------
Kees Cook (1):
binfmt_elf: Avoid total_mapping_size for ET_EXEC
fs/binfmt_elf.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp fixes for v5.17-rc4
@ 2022-02-12 3:02 91% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-02-12 3:02 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andy Lutomirski, Eric W. Biederman, Kees Cook,
Robert Święcki, Will Drewry
Hi Linus,
Please pull these signal and seccomp fixes for v5.17-rc4. This fixes a
corner case of fatal SIGSYS being ignored since v5.15. Along with the
signal fix is a change to seccomp so that seeing another syscall after
a fatal filter result will cause seccomp to kill the process harder.
Thanks!
-Kees
The following changes since commit 26291c54e111ff6ba87a164d85d4a4e134b7315c:
Linux 5.17-rc2 (2022-01-30 15:37:07 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.17-rc4
for you to fetch changes up to eed09ad261822a7bdc441ed192c6f444375e5527:
samples/seccomp: Adjust sample to also provide kill option (2022-02-10 19:09:12 -0800)
----------------------------------------------------------------
seccomp fixes for v5.17-rc4
- Force HANDLER_EXIT even for SIGNAL_UNKILLABLE.
- Make seccomp self-destruct after fatal filter results.
- Update seccomp samples for easier behavioral demonstration.
----------------------------------------------------------------
Kees Cook (3):
signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE
seccomp: Invalidate seccomp mode to catch death failures
samples/seccomp: Adjust sample to also provide kill option
kernel/seccomp.c | 10 ++++++++++
kernel/signal.c | 5 +++--
samples/seccomp/dropper.c | 9 +++++++--
3 files changed, 20 insertions(+), 4 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 91%]
* Re: Stackleak vs noinstr (Was: [GIT pull] objtool/core for v5.16-rc1)
@ 2022-02-01 23:59 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-02-01 23:59 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Linus Torvalds, Thomas Gleixner, Josh Poimboeuf,
Linux Kernel Mailing List, the arch/x86 maintainers,
Alexander Popov
On Tue, Nov 02, 2021 at 11:03:44AM +0100, Peter Zijlstra wrote:
> On Tue, Nov 02, 2021 at 10:05:50AM +0100, Peter Zijlstra wrote:
> > On Tue, Nov 02, 2021 at 09:00:36AM +0100, Peter Zijlstra wrote:
> > > On Mon, Nov 01, 2021 at 01:44:39PM -0700, Linus Torvalds wrote:
> >
> > > > do_machine_check()+0x27: call to stackleak_track_stack ...
> > > > do_syscall_64()+0x9: call to stackleak_track_stack ...
> > > > do_int80_syscall_32()+0x9: call to stackleak_track_stack ...
> > > > exc_general_protection()+0x22: call to stackleak_track_stack ...
> > > > fixup_bad_iret()+0x20: call to stackleak_track_stack ...
> > > > .entry.text+0x10e6: call to stackleak_erase ...
> > > > .entry.text+0x143: call to stackleak_erase ...
> > > > .entry.text+0x17d9: call to stackleak_erase ...
> > > >
> > > > most seem to be about the stackleak thing,
> > >
> > > Right, I recently ran into this and haven't yet had time to look into
> > > it. I suspect my normal build box doesn't have the GCC plugin crud
> > > enabled or somesuch.
> > >
> > > I think the GCC stackleak plugin needs fixing, specifically it needs a
> > > function attribute such that it will not emit instrumentation in noinstr
> > > functions. I'll go chase down the developer of that thing.
> >
> > Alexander, is there any way to make this plugin grow a function
> > attribute which we can add to noinstr ? There's a strict requirement the
> > compiler doesn't add extra code to noinstr functions these days.
> >
> > We'll 'soon' be running noinstr C code before switching to kernel page
> > tables even.
>
> Using my pre-release GCC-12 compiler (the only one I have with plugin
> crud enabled apparently), the below seems to work.
>
> Having the plugin gate on section name seems a lot hacky, but given it's
> already doing that, one more doesn't hurt.
>
> ---
> diff --git a/kernel/stackleak.c b/kernel/stackleak.c
> index ce161a8e8d97..135866ca8878 100644
> --- a/kernel/stackleak.c
> +++ b/kernel/stackleak.c
> @@ -48,7 +48,7 @@ int stack_erasing_sysctl(struct ctl_table *table, int write,
> #define skip_erasing() false
> #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
>
> -asmlinkage void notrace stackleak_erase(void)
> +asmlinkage noinstr void stackleak_erase(void)
> {
> /* It would be nice not to have 'kstack_ptr' and 'boundary' on stack */
> unsigned long kstack_ptr = current->lowest_stack;
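Review bot: marking stackleak_erase() noinstr at its definition means every helper the body uses must itself be inlined or noinstr, and the visible body reads current->lowest_stack here and calls current_top_of_stack() further down. The change should state that these were checked, since an out-of-line instrumented callee would defeat the annotation. stackleak_track_stack() in the same file stays notrace, so a sentence explaining why only the erase side is converted would also help.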
> @@ -102,7 +102,6 @@ asmlinkage void notrace stackleak_erase(void)
> /* Reset the 'lowest_stack' value for the next syscall */
> current->lowest_stack = current_top_of_stack() - THREAD_SIZE/64;
> }
> -NOKPROBE_SYMBOL(stackleak_erase);
>
> void __used __no_caller_saved_registers notrace stackleak_track_stack(void)
> {
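Review bot: dropping NOKPROBE_SYMBOL(stackleak_erase) is only safe because the noinstr annotation from the previous hunk takes over the kprobe exclusion, so the two changes have to stay in one patch and the description should spell out that dependency. Otherwise a later edit that changes the annotation back would silently leave stackleak_erase() probeable.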
> diff --git a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c
> index e9db7dcb3e5f..07688a1c686b 100644
> --- a/scripts/gcc-plugins/stackleak_plugin.c
> +++ b/scripts/gcc-plugins/stackleak_plugin.c
> @@ -446,6 +446,8 @@ static bool stackleak_gate(void)
> return false;
> if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13))
> return false;
> + if (!strncmp(TREE_STRING_POINTER(section), ".noinstr.text", 13))
> + return false;
> }
>
> return track_frame_size >= 0;
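Review bot: the new strncmp() against ".noinstr.text" repeats the hard-coded length 13 already used for ".meminit.text" just above it, and as a prefix compare it also matches any section whose name merely starts with that string. Deriving the length from the literal (sizeof of the string minus one) or walking a small table of excluded section names in one loop would remove the magic number and make it explicit whether prefix matching is intended.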
Did this ever turn into a real patch? I don't see anything in -next for
it, so I assume it's still needed.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp updates for v5.17-rc1
@ 2022-01-05 17:20 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-01-05 17:20 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andy Lutomirski, Eric W. Biederman, Kees Cook,
linux-kselftest, Will Drewry
Hi Linus,
Please pull these seccomp selftest updates for v5.17-rc1. The core
seccomp code hasn't changed for this cycle, but the selftests were
improved while helping to debug the recent signal handling refactoring
work Eric did.
Thanks!
-Kees
The following changes since commit d9bbdbf324cda23aa44873f505be77ed4b61d79c:
x86: deduplicate the spectre_v2_user documentation (2021-10-04 12:12:57 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.17-rc1
for you to fetch changes up to 1e6d69c7b9cd7735bbf4c6754ccbb9cce8bd8ff4:
selftests/seccomp: Report event mismatches more clearly (2021-11-03 12:02:07 -0700)
----------------------------------------------------------------
seccomp updates for v5.17-rc1
- Improve seccomp selftests in support of signal handler refactoring (Kees Cook)
----------------------------------------------------------------
Kees Cook (2):
selftests/seccomp: Stop USER_NOTIF test if kcmp() fails
selftests/seccomp: Report event mismatches more clearly
tools/testing/selftests/seccomp/seccomp_bpf.c | 56 ++++++++++++++++++++++++---
1 file changed, 50 insertions(+), 6 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] pstore update for v5.17-rc1
@ 2022-01-05 17:12 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2022-01-05 17:12 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Uwe Kleine-König
Hi Linus,
Please pull this tiny pstore update for v5.17-rc1. The pstore tree has
been pretty quiet, with just a single change queued up.
Thanks!
-Kees
The following changes since commit fa55b7dcdc43c1aa1ba12bca9d2dd4318c2a0dbf:
Linux 5.16-rc1 (2021-11-14 13:56:52 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.17-rc1
for you to fetch changes up to a5d05b07961a2df47d3b4aae3bdae61ac095a43c:
pstore/ftrace: Allow immediate recording (2021-11-18 10:29:52 -0800)
----------------------------------------------------------------
pstore update for v5.17-rc1
- Add boot param for early ftrace recording in pstore (Uwe Kleine-König)
----------------------------------------------------------------
Uwe Kleine-König (1):
pstore/ftrace: Allow immediate recording
fs/pstore/ftrace.c | 46 ++++++++++++++++++++++++++++++----------------
1 file changed, 30 insertions(+), 16 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] lkdtm updates for -next
@ 2021-12-17 0:02 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-12-17 0:02 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Ard Biesheuvel, Arnd Bergmann, Christophe Leroy,
Greg Kroah-Hartman, Kees Cook, Misono Tomohiro,
Nathan Chancellor, Nick Desaulniers
Hi Greg,
Please pull these lkdtm updates for -next.
Thanks!
-Kees
The following changes since commit 136057256686de39cc3a07c2e39ef6bc43003ff6:
Linux 5.16-rc2 (2021-11-21 13:47:39 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/lkdtm-v5.17-rc1
for you to fetch changes up to 90091c367e74d5b58d9ebe979cc363f7468f58d3:
selftest/lkdtm: Skip stack-entropy test if lkdtm is not available (2021-12-16 15:54:38 -0800)
----------------------------------------------------------------
lkdtm updates for v5.17-rc1
- Fix printk() usage during recursion (Ard Biesheuvel)
- Fix rodata section to actually have contents (Christophe Leroy)
- Add notes about lkdtm_kernel_info usage (Kees Cook)
- Avoid stack-entropy selftest when LKDTM is disabled (Misono Tomohiro)
----------------------------------------------------------------
Ard Biesheuvel (1):
lkdtm: avoid printk() in recursive_loop()
Christophe Leroy (1):
lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
Kees Cook (1):
lkdtm: Note that lkdtm_kernel_info should be removed in the future
Misono Tomohiro (1):
selftest/lkdtm: Skip stack-entropy test if lkdtm is not available
drivers/misc/lkdtm/Makefile | 2 +-
drivers/misc/lkdtm/bugs.c | 16 +++++++++-------
drivers/misc/lkdtm/core.c | 6 +++++-
tools/testing/selftests/lkdtm/stack-entropy.sh | 16 +++++++++++++++-
4 files changed, 30 insertions(+), 10 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] seccomp updates for v5.16-rc1
@ 2021-11-01 16:44 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-11-01 16:44 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Andrea Arcangeli, Josh Poimboeuf, Kees Cook, Waiman Long
Hi Linus,
Please pull these seccomp updates for v5.16-rc1. These are x86-specific,
but I carried these since they're also seccomp-specific. This flips
the prior conservative defaults for spec_store_bypass_disable and
spectre_v2_user from "seccomp" to "prctl", as enough time has passed
to allow system owners to have updated the defensive stances of their
various workloads, and it's long overdue to unpessimize seccomp threads.
Extensive rationale and details are in Andrea's main patch[1].
Thanks!
-Kees
[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/seccomp&id=2f46993d83ff4abb310ef7b4beced56ba96f0d9d
The following changes since commit e4e737bb5c170df6135a127739a9e6148ee3da82:
Linux 5.15-rc2 (2021-09-19 17:28:22 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.16-rc1
for you to fetch changes up to d9bbdbf324cda23aa44873f505be77ed4b61d79c:
x86: deduplicate the spectre_v2_user documentation (2021-10-04 12:12:57 -0700)
----------------------------------------------------------------
seccomp updates for v5.16-rc1
- set spec_store_bypass_disable & spectre_v2_user to prctl (Andrea Arcangeli)
----------------------------------------------------------------
Andrea Arcangeli (2):
x86: change default to spec_store_bypass_disable=prctl spectre_v2_user=prctl
x86: deduplicate the spectre_v2_user documentation
Documentation/admin-guide/hw-vuln/spectre.rst | 61 +++----------------------
Documentation/admin-guide/kernel-parameters.txt | 5 +-
arch/x86/kernel/cpu/bugs.c | 4 +-
3 files changed, 10 insertions(+), 60 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] overflow updates for v5.16-rc1
@ 2021-11-01 16:35 50% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-11-01 16:35 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Daniel Vetter, Dan Williams,
Rasmus Villemoes, Greg Kroah-Hartman, Gustavo A. R. Silva,
Keith Packard, Nathan Chancellor, Nick Desaulniers,
linux-hardening
Hi Linus,
Please pull these overflow detection updates for v5.16-rc1. These
have been in -next for (more than) the entire past development
cycle. 1 trivial conflict recently emerged in the treewide flex
array patch vs the wireless tree, which was resolved by sfr here:
https://lore.kernel.org/linux-next/20211028192934.01520d7e@canb.auug.org.au/
Extensive details about the series are in the tag below.
Thanks!
-Kees
The following changes since commit e4e737bb5c170df6135a127739a9e6148ee3da82:
Linux 5.15-rc2 (2021-09-19 17:28:22 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.16-rc1
for you to fetch changes up to 95cadae320be46583078690ac89ffe63c95cc9d2:
fortify: strlen: Avoid shadowing previous locals (2021-10-25 15:34:41 -0700)
----------------------------------------------------------------
overflow updates for v5.16-rc1
The end goal of the current buffer overflow detection work[0] is to gain
full compile-time and run-time coverage of all detectable buffer overflows
seen via array indexing or memcpy(), memmove(), and memset(). The str*()
family of functions already have full coverage.
While much of the work for these changes has been on-going for many
releases (i.e. 0-element and 1-element array replacements, as well as
avoiding false positives and fixing discovered overflows[1]), this series
contains the foundational elements of several related buffer overflow
detection improvements by providing new common helpers and FORTIFY_SOURCE
changes needed to gain the introspection required for compiler visibility
into array sizes. Also included are a handful of already Acked instances
using the helpers (or related clean-ups), with many more waiting at the
ready to be taken via subsystem-specific trees[2]. The new helpers are:
- struct_group() for gaining struct member range introspection.
- memset_after() and memset_startat() for clearing to the end of structures.
- DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs.
Also included is the beginning of the refactoring of FORTIFY_SOURCE to
support memcpy() introspection, fix missing and regressed coverage under
GCC, and to prepare to fix the currently broken Clang support. Finishing
this work is part of the larger series[0], but depends on all the false
positives and buffer overflow bug fixes to have landed already and those
that depend on this series to land.
As part of the FORTIFY_SOURCE refactoring, a set of both a compile-time
and run-time tests are added for FORTIFY_SOURCE and the mem*()-family
functions respectively. The compile time tests have found a legitimate
(though corner-case) bug[6] already.
Please note that the appearance of "panic" and "BUG" in the
FORTIFY_SOURCE refactoring are the result of relocating existing code,
and no new use of those code-paths are expected nor desired.
Finally, there are two tree-wide conversions for 0-element arrays and
flexible array unions to gain sane compiler introspection coverage that
result in no known object code differences.
After this series (and the changes that have now landed via netdev
and usb), we are very close to finally being able to build with
-Warray-bounds and -Wzero-length-bounds. However, due to corner cases in
GCC[3] and Clang[4], I have not included the last two patches that turn
on these options, as I don't want to introduce any known warnings to
the build. Hopefully these can be solved soon.
[0] https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE
[2] https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/
[3] https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/
[4] https://bugs.llvm.org/show_bug.cgi?id=51682
[5] https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/
[6] https://lore.kernel.org/lkml/20211020200039.170424-1-keescook@chromium.org/
----------------------------------------------------------------
Kees Cook (29):
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
powerpc: Split memset() to avoid multi-field overflow
stddef: Fix kerndoc for sizeof_field() and offsetofend()
stddef: Introduce struct_group() helper macro
cxl/core: Replace unions with struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
HID: roccat: Use struct_group() to zero kone_mouse_event
can: flexcan: Use struct_group() to zero struct flexcan_regs regions
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
fortify: Fix dropped strcpy() compile-time write overflow check
fortify: Prepare to improve strnlen() and strlen() warnings
fortify: Allow strlen() and strnlen() to pass compile-time known lengths
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
string.h: Introduce memset_startat() for wiping trailing members and padding
btrfs: Use memset_startat() to clear end of struct
stddef: Introduce DECLARE_FLEX_ARRAY() helper
treewide: Replace open-coded flex arrays in unions
treewide: Replace 0-element memcpy() destinations with flexible arrays
compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
Qian Cai (1):
fortify: strlen: Avoid shadowing previous locals
MAINTAINERS | 9 +
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch/x86/lib/string_32.c | 1 +
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/crypto/chelsio/chcr_crypto.h | 14 +-
drivers/cxl/cxl.h | 61 ++---
drivers/gpu/drm/mga/mga_ioc32.c | 27 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/net/can/flexcan.c | 68 ++---
drivers/net/can/usb/etas_es58x/es581_4.h | 2 +-
drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/wireless/ath/ath10k/bmi.h | 10 +-
drivers/net/wireless/ath/ath10k/htt.h | 7 +-
drivers/net/wireless/intel/iwlegacy/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/tx.h | 12 +-
drivers/scsi/aic94xx/aic94xx_sds.c | 6 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +-
drivers/scsi/qla4xxx/ql4_def.h | 4 +-
drivers/staging/r8188eu/include/ieee80211.h | 6 +-
drivers/staging/rtl8712/ieee80211.h | 4 +-
drivers/staging/rtl8723bs/include/ieee80211.h | 6 +-
fs/btrfs/root-tree.c | 6 +-
fs/hpfs/hpfs.h | 8 +-
include/linux/compiler-gcc.h | 10 +-
include/linux/compiler_types.h | 5 -
include/linux/filter.h | 6 +-
include/linux/fortify-string.h | 77 ++++--
include/linux/ieee80211.h | 30 +--
include/linux/stddef.h | 65 ++++-
include/linux/string.h | 44 +++-
include/linux/thread_info.h | 2 +-
include/scsi/sas.h | 12 +-
include/uapi/drm/mga_drm.h | 22 +-
include/uapi/linux/dlm_device.h | 4 +-
include/uapi/linux/stddef.h | 37 +++
include/uapi/rdma/rdma_user_rxe.h | 4 +-
include/uapi/sound/asoc.h | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 11 +
lib/Makefile | 34 +++
lib/memcpy_kunit.c | 289 ++++++++++++++++++++++
lib/string.c | 210 +---------------
lib/string_helpers.c | 195 +++++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 35 +++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strcpy-lit.c | 5 +
lib/test_fortify/write_overflow-strcpy.c | 5 +
lib/test_fortify/write_overflow-strlcpy-src.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy-src.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/kernel-doc | 9 +
scripts/test_fortify.sh | 62 +++++
security/Kconfig | 3 +
76 files changed, 1160 insertions(+), 446 deletions(-)
create mode 100644 lib/memcpy_kunit.c
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c
create mode 100644 lib/test_fortify/write_overflow-strcpy.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 scripts/test_fortify.sh
--
Kees Cook
^ permalink raw reply [relevance 50%]
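The struct_group() and memset_after()/memset_startat() helpers named in the overflow tag message above, shown as an added user-space example that is not code from the pull request or the kernel tree. The macro bodies are simplified stand-ins, and struct frame, checked_copy() and the fill_*/reset_* functions are hypothetical names chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified user-space stand-ins for the kernel helpers (assumption: same
 * idea as the kernel macros, without their tag/attribute variants).
 * struct_group() declares the members twice inside a union: once anonymously,
 * so f->dst still works, and once as a named struct, so the whole range has
 * its own address and size that a bounds check can see.
 */
#define struct_group(NAME, ...) \
	union { \
		struct { __VA_ARGS__ }; \
		struct { __VA_ARGS__ } NAME; \
	}

#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Clear everything that follows 'member', trailing padding included. */
#define memset_after(obj, v, member) \
	memset((uint8_t *)(obj) + offsetofend(__typeof__(*(obj)), member), (v), \
	       sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/* Clear from the start of 'member' to the end of the object. */
#define memset_startat(obj, v, member) \
	memset((uint8_t *)(obj) + offsetof(__typeof__(*(obj)), member), (v), \
	       sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member))

/*
 * Hypothetical per-object bounds check standing in for a fortified memcpy():
 * the copy is refused when it is larger than the object 'dst' points at.
 */
#define checked_copy(dst, src, len) \
	((len) > sizeof(*(dst)) ? -1 : (memcpy((dst), (src), (len)), 0))

/* Hypothetical structure: two adjacent address fields filled by one copy. */
struct frame {
	uint32_t id;
	struct_group(addrs,
		uint8_t dst[6];
		uint8_t src[6];
	);
	uint16_t proto;
	uint32_t flags;
	uint32_t cookie;
};

/* Old pattern: aim at the first field and let the copy run into the next.
 * A per-field bounds check must reject this when len exceeds sizeof(dst). */
int fill_addrs_per_field(struct frame *f, const uint8_t *wire, size_t len)
{
	return checked_copy(&f->dst, wire, len);
}

/* struct_group pattern: the destination is the named group, whose size
 * covers both fields, so the same check passes without being weakened. */
int fill_addrs_grouped(struct frame *f, const uint8_t *wire, size_t len)
{
	return checked_copy(&f->addrs, wire, len);
}

/* Keep id, addrs and proto; wipe padding, flags and cookie. */
void reset_after_proto(struct frame *f)
{
	memset_after(f, 0, proto);
}

/* Keep everything before flags; wipe flags and cookie. */
void reset_from_flags(struct frame *f)
{
	memset_startat(f, 0, flags);
}

int main(void)
{
	/* Constructed sample input: 12 bytes of destination + source address. */
	const uint8_t wire[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
	struct frame f;

	memset(&f, 0xAA, sizeof(f));
	printf("sizeof(dst)=%zu sizeof(addrs)=%zu\n",
	       sizeof(f.dst), sizeof(f.addrs));
	printf("per-field copy: %d\n",
	       fill_addrs_per_field(&f, wire, sizeof(wire)));
	printf("grouped copy:   %d\n",
	       fill_addrs_grouped(&f, wire, sizeof(wire)));
	reset_after_proto(&f);
	printf("flags=%u cookie=%u src[5]=%u\n",
	       (unsigned)f.flags, (unsigned)f.cookie, (unsigned)f.src[5]);
	return 0;
}
```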
* [GIT PULL] hardening updates for v5.16-rc1
@ 2021-11-01 16:20 78% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-11-01 16:20 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Fangrui Song, Greg Kroah-Hartman,
James Morris, Jonathan Corbet, Kees Cook, KE.LI, linux-doc,
linux-hardening, linux-kbuild, linux-security-module, llvm,
Masahiro Yamada, Michal Marek, Miguel Ojeda, Nathan Chancellor,
Nick Desaulniers, Padmanabha Srinivasaiah, Sami Tolvanen,
Serge E. Hallyn, Will Deacon, Ye Guojin, Zeal Robot
Hi Linus,
Please pull these hardening updates for v5.16-rc1. These are various
compiler-related hardening feature updates. Notable is the addition of an
explicit limited rationale for, and deprecation schedule of, gcc-plugins.
More details in the tag below.
Thanks!
-Kees
The following changes since commit e4e737bb5c170df6135a127739a9e6148ee3da82:
Linux 5.15-rc2 (2021-09-19 17:28:22 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.16-rc1
for you to fetch changes up to 6425392acf24b6d469932dd1b217dc7b20d6447f:
gcc-plugins: remove duplicate include in gcc-common.h (2021-10-21 08:41:51 -0700)
----------------------------------------------------------------
compiler hardening updates for v5.16-rc1
This collects various compiler hardening feature related updates:
- gcc-plugins:
- remove support for GCC 4.9 and older (Ard Biesheuvel)
- remove duplicate include in gcc-common.h (Ye Guojin)
- Explicitly document purpose and deprecation schedule (Kees Cook)
- Remove cyc_complexity (Kees Cook)
- instrumentation:
- Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO (Kees Cook)
- Clang LTO:
- kallsyms: strip LTO suffixes from static functions (Nick Desaulniers)
----------------------------------------------------------------
Ard Biesheuvel (1):
gcc-plugins: remove support for GCC 4.9 and older
Kees Cook (3):
hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
gcc-plugins: Explicitly document purpose and deprecation schedule
gcc-plugins: Remove cyc_complexity
Nick Desaulniers (1):
kallsyms: strip LTO suffixes from static functions
Ye Guojin (1):
gcc-plugins: remove duplicate include in gcc-common.h
Documentation/kbuild/gcc-plugins.rst | 28 ++++-
Makefile | 6 +-
kernel/kallsyms.c | 46 +++++--
scripts/Makefile.gcc-plugins | 2 -
scripts/gcc-plugins/Kconfig | 20 +---
scripts/gcc-plugins/cyc_complexity_plugin.c | 69 -----------
scripts/gcc-plugins/gcc-common.h | 132 +--------------------
scripts/gcc-plugins/gcc-generate-gimple-pass.h | 19 ---
scripts/gcc-plugins/gcc-generate-ipa-pass.h | 19 ---
scripts/gcc-plugins/gcc-generate-rtl-pass.h | 19 ---
scripts/gcc-plugins/gcc-generate-simple_ipa-pass.h | 19 ---
scripts/gcc-plugins/structleak_plugin.c | 2 -
security/Kconfig.hardening | 14 ++-
13 files changed, 75 insertions(+), 320 deletions(-)
delete mode 100644 scripts/gcc-plugins/cyc_complexity_plugin.c
--
Kees Cook
^ permalink raw reply [relevance 78%]
* [GIT PULL] cpu-to-thread_info update for v5.16-rc1
@ 2021-11-01 16:12 77% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-11-01 16:12 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Borislav Petkov, Catalin Marinas,
Heiko Carstens, Mark Rutland, Michael Ellerman, Palmer Dabbelt
Hi Linus,
Please pull this cpu-to-thread_info update for v5.16-rc1. Since I've
tended to carry other cross-architecture changes in the past, and mpe
wanted a stable topic branch for powerpc for this, I carried Ard's PR.
Since it was a stable topic branch and I wanted to capture Ard's summary,
it also includes an explicit Merge commit; please let me know if that
shouldn't be done in the future. This has been in -next for most of the
last cycle, and has been Acked by all the arch maintainers.
Thanks!
-Kees
The following changes since commit e4e737bb5c170df6135a127739a9e6148ee3da82:
Linux 5.15-rc2 (2021-09-19 17:28:22 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/cpu-to-thread_info-v5.16-rc1
for you to fetch changes up to d9f2a53f64a6fcae994457e64a7124d2a3efd323:
Merge tag 'pr-move-task-cpu-to-ti' of git://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git (2021-09-30 10:36:44 -0700)
----------------------------------------------------------------
cpu-to-thread_info update for v5.16-rc1
Cross-architecture update to move task_struct::cpu back into thread_info
on arm64, x86, s390, powerpc, and riscv. All Acked by arch maintainers.
Quoting Ard Biesheuvel:
"Move task_struct::cpu back into thread_info
Keeping CPU in task_struct is problematic for architectures that define
raw_smp_processor_id() in terms of this field, as it requires
linux/sched.h to be included, which causes a lot of pain in terms of
circular dependencies (aka 'header soup')
This series moves it back into thread_info (where it came from) for all
architectures that enable THREAD_INFO_IN_TASK, addressing the header
soup issue as well as some pointless differences in the implementations
of task_cpu() and set_task_cpu()."
----------------------------------------------------------------
Ard Biesheuvel (7):
arm64: add CPU field to struct thread_info
x86: add CPU field to struct thread_info
s390: add CPU field to struct thread_info
powerpc: add CPU field to struct thread_info
sched: move CPU field back into thread_info if THREAD_INFO_IN_TASK=y
powerpc: smp: remove hack to obtain offset of task_struct::cpu
riscv: rely on core code to keep thread_info::cpu updated
Kees Cook (1):
Merge tag 'pr-move-task-cpu-to-ti' of git://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git
arch/arm64/include/asm/thread_info.h | 1 +
arch/arm64/kernel/asm-offsets.c | 2 +-
arch/arm64/kernel/head.S | 2 +-
arch/powerpc/Makefile | 11 -----------
arch/powerpc/include/asm/smp.h | 17 +----------------
arch/powerpc/include/asm/thread_info.h | 3 +++
arch/powerpc/kernel/asm-offsets.c | 4 +---
arch/powerpc/kernel/smp.c | 2 +-
arch/riscv/kernel/asm-offsets.c | 1 -
arch/riscv/kernel/entry.S | 5 -----
arch/riscv/kernel/head.S | 1 -
arch/s390/include/asm/thread_info.h | 1 +
arch/x86/include/asm/thread_info.h | 3 +++
include/linux/sched.h | 13 +------------
kernel/sched/sched.h | 4 ----
15 files changed, 14 insertions(+), 56 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 77%]
* Re: [GIT PULL] ksmbd server security fixes
@ 2021-09-23 18:21 87% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-23 18:21 UTC (permalink / raw)
To: Steve French; +Cc: Linus Torvalds, CIFS, LKML, Namjae Jeon
On Wed, Sep 22, 2021 at 10:20:01PM -0500, Steve French wrote:
> After lots of discussion about areas to review - we created this wiki
> page to track some of the detailed security review ongoing:
>
> https://wiki.samba.org/index.php/Ksmbd-review
Great!
> That (adding additional functional tests for smb3 overflows, and
> also it restarts a discussion about creating open source "smb3 fuzzing"
> tools to help Samba and ksmbd both) ... that is a discussion I have
> been having with others on the Samba team as well, some of
> the security bugs could have been found with additions
> to the "smbtorture" set of functional tests (which are hosted in the Samba
> server projects).
Yeah, I think this is really important, and especially for bug fixing:
if a bug gets fixed in protocol or filesystem handling, there needs to
be a test to go with it. Without that, no one can say with a straight
face that it is actually fixed. It's just a band-aid unless there is an
accompanying test that exercises the flaw to make sure the fix doesn't
regress in the future.
So, I think each of the recent fixes needs to have an associated test --
especially the path walking and buffer overflows.
Is there a "patch requirements" doc for doing reviews? I don't see
anything specific to the "on going" review process at the wiki. The wiki
just calls out a number of areas that need out-of-band examination
(which is great!) in the form of basically a detailed TODO list. But I
don't see an actual patch review process. Specifically, what things must
a patch author do before the maintainer will be happy to accept a patch?
> I am pleased with the progress that Namjae et al have been making
> addressing the problems identified, but agree it is not ready for production
> use yet, despite good functional test results - and testing events
> (like the SMB3
> plugfest next week) are going to be important, as well as the security reviews.
> Fortunately the code size is manageable (25KLOC), and without legacy,
> insecure dialects to worry about (SMB1, LANMAN etc.), unlike most servers,
> the reviews should proceed reasonably quickly.
Great! I'm glad to hear it. For those events do you build kernels with
full KASAN, KMSAN, KCSAN, etc enabled? There might be a lot of flaws
that wouldn't otherwise get noticed.
> There is some good news (relating to security), once Namjae et al get past
> these buffer overflow etc. patches.
> - he has already implemented the strongest encryption supported in SMB3.1.1
> - he has implemented the man in the middle attack prevention features
> of the protocol
> - strong (Kerberos) authentication is implemented
Sounds excellent -- have these received professional crypto review?
There are a lot of corner cases in crypto negotiation protocols.
> - he has removed support for weak older dialects (including SMB1 and
> SMB2) of the protocol
> - he will be removing support for weaker authentication (including NTLMv1)
Yay attack surface reduction! :)
> Any feedback you have on the security list identified in the wiki list
> above, or other
> things you see in Coverity or the mailing list discussions reviewing the patches
> would be helpful.
Thanks for making these recent changes; I feel much better about ksmbd's
direction. I'll take a look through the Wiki.
Thanks!
-Kees
--
Kees Cook
^ permalink raw reply [relevance 87%]
* Re: [GIT PULL] ksmbd server security fixes
@ 2021-09-23 2:47 79% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-09-23 2:47 UTC (permalink / raw)
To: Steve French; +Cc: Linus Torvalds, CIFS, LKML
On Sun, Sep 19, 2021 at 09:22:31AM -0500, Steve French wrote:
> 3 ksmbd fixes: including an important security fix for path
> processing, and a missing buffer overflow check, and a trivial fix for
> incorrect header inclusion
>
> There are three additional patches (and also a patch to improve
> symlink checks) for other buffer overflow cases that are being
> reviewed and tested.
Hi Steve,
I was looking through the history[1] of the ksmbd work, and I'm kind
of surprised at some of the flaws being found here. This looks like new
code being written, too, I think (I found[0])? Some of these flaws are
pretty foundational filesystem security properties[2] that weren't being
tested for, besides the upsetting case of having buffer overflows[3]
in an in-kernel filesystem server.
I'm concerned about code quality here, and I think something needs to
change about the review and testing processes.
> Regression test results:
> http://smb3-test-rhel-75.southcentralus.cloudapp.azure.com/#/builders/8/builds/67
> and
> https://app.travis-ci.com/github/namjaejeon/ksmbd/builds/237919800
Can you tell me more about these tests? I'm not immediately filled with
confidence, when I see on the second line of the test harness:
- wget --no-check-certificate https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.4.109.tar.gz
       ^^^^^^^^^^^^^^^^^^^^^^
(and why isn't this a sparse clone?)
I see xfstests and smbtorture getting run. Were these not catching
things like "../../../../../" and the buffer overflows? And if not,
where are the new tests that make sure these bugs can never recur?
(Also, I see they're being run individually -- why not run the totality?)
And looking at the Coverity report[4] under fs/ksmbd/* for linux-next, I
see 12 issues dating back to Mar 17, and 1 from 2 days ago: 5 concurrency,
4 memory corruptions, 1 hang, and 2 resource leaks. Coverity is hardly
free from false positives, but those seem worth addressing. (Both you and
Namjae have accounts already; thank you for doing that a few months back!)
Anyway, I think my point is: this doesn't look ready for production use.
I understand having bugs, growing new features, etc, but I think more
work is needed here to really prove this code is ready to expose the
kernel to SMB protocol based attacks. Any binary parsing code needs to be
extremely paranoid, and a network file server gets it coming and going:
filesystem metadata and protocol handling (and crypto)! :P
Anyway, I hope something can change here; if we're going to have an
in-kernel SMB server, it should have a distinct advantage over userspace
options.
-Kees
[0] https://lore.kernel.org/lkml/20210322051344.1706-1-namjae.jeon@samsung.com/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log/fs/ksmbd
[2] https://git.kernel.org/linus/f58eae6c5fa882d6d0a6b7587a099602a59d57b5
[3] https://git.kernel.org/linus/6d56262c3d224699b29b9bb6b4ace8bab7d692c2
[4] https://scan.coverity.com/projects/linux-next-weekly-scan
View Defects, Settings cog, Filters, File: *ksmbd*, OK
--
Kees Cook
^ permalink raw reply [relevance 79%]
* Re: [GIT PULL] Misc driver fix for 5.15-rc1
@ 2021-09-12 22:26 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-12 22:26 UTC (permalink / raw)
To: Linus Torvalds
Cc: Greg KH, Andrew Morton, Arnd Bergmann, Linux Kernel Mailing List
On Sun, Sep 12, 2021 at 12:55:54PM -0700, Linus Torvalds wrote:
> On Sun, Sep 12, 2021 at 12:44 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > Right, I completely understand that. If you really want it gone, I
> > will rip it out; it'll just make it more time consuming to analyze some
> > CI reports.
>
> Well, I've pulled it, so it is what it is.
>
> I would ask you to try to get the CI cases fixed, and then remove the
> odd printouts from LKDTM, but it's certainly ok by me if that doesn't
> happen immediately.
Okay, sounds good. Thanks!
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] Misc driver fix for 5.15-rc1
@ 2021-09-12 19:44 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-09-12 19:44 UTC (permalink / raw)
To: Linus Torvalds
Cc: Greg KH, Andrew Morton, Arnd Bergmann, Linux Kernel Mailing List
On Sun, Sep 12, 2021 at 12:22:39PM -0700, Linus Torvalds wrote:
> On Sun, Sep 12, 2021 at 12:17 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > This was done to deal with the various mangling of reports (i.e.
> > "summaries") I've been getting from CI systems that run LKDTM.
>
> .. and what makes LKDTM so special?
>
> IOW, what about ALL THE OTHER REPORTS?
I'm not sure I consider it "special", but since it reports hints about the
build/test configuration combinations (i.e. "this test failed probably
because CONFIG_FOO is missing"), it seemed trivial to also include the
specifics of the version and arch.
> And no, my argument is most definitely not "ok, everything should do this".
Right, I completely understand that. If you really want it gone, I
will rip it out; it'll just make it more time consuming to analyze some
CI reports.
> It's the reverse. The CI systems should be the ones that are fixed,
> not random messages from random places in the kernel have version
> information added.
Completely agreed, and I've _also_ been spending my time sending
patches[1] to CI tooling too, trying to solve this from both sides. But
not all CIs have the source for their machinery open for patching. :(
-Kees
[1] https://github.com/Linaro/test-definitions/commit/8bd338bbcfa5a03efcf1d12e25b5d341d5a29cbc
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] Misc driver fix for 5.15-rc1
@ 2021-09-12 19:17 92% ` Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-09-12 19:17 UTC (permalink / raw)
To: Linus Torvalds
Cc: Greg KH, Andrew Morton, Arnd Bergmann, Linux Kernel Mailing List
On Sun, Sep 12, 2021 at 12:03:35PM -0700, Linus Torvalds wrote:
> Could we please just stop pointlessly printing out kernel version data
> that is already available other ways? Just do 'dmesg', or 'uname -r'
> or whatever instead of insisting on printing out redundant
> information?
This was done to deal with the various mangling of reports (i.e.
"summaries") I've been getting from CI systems that run LKDTM. It has been
difficult to reliably extract actionable details, so instead I included
it with the test output. And the extra details go the other way too:
frequently folks configuring the CI have no context for why tests fail,
and LKDTM usually has a reasonable amount of information about what
Kconfig settings have gone missing, etc, so those hints are reported as
well.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL v3] overflow updates for v5.15-rc1-take3
@ 2021-09-10 17:08 50% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-10 17:08 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Daniel Vetter, Dan Williams,
Rasmus Villemoes, Greg Kroah-Hartman, Gustavo A. R. Silva,
Keith Packard, Nathan Chancellor, Nick Desaulniers,
linux-hardening
Hi Linus,
Please pull these overflow updates for v5.15-rc1 (take3). I confirmed
with more build testing over-night that there was another false positive
hiding in yet another combination under GCC 8, so I've added an additional
patch on top of take2 to cover those issues as well.
Current GCC build test matrix is:
Config targets:
defconfig
allmodconfig
allyesconfig
Architectures:
x86_64
i386
arm64
arm
Compilers:
gcc-7 (Ubuntu 7.5.0-6ubuntu4) 7.5.0
gcc-8 (Ubuntu 8.4.0-7ubuntu3) 8.4.0
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
gcc (Ubuntu 10.2.0-13ubuntu1) 10.2.0
gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0
gcc (Ubuntu 11.2.0-3ubuntu1) 11.2.0
gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)
Thanks!
-Kees
The following changes since commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c:
Linux 5.14-rc2 (2021-07-18 14:13:49 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.15-rc1-take3
for you to fetch changes up to 76a839366b84f17c7452192c6982f797a8a9ac69:
fortify: Lower verbosity on compile-time test failures (2021-09-10 00:06:17 -0700)
----------------------------------------------------------------
overflow updates for v5.15-rc1 (take3)
The end goal of the current buffer overflow detection work[0] is to gain
full compile-time and run-time coverage of all detectable buffer overflows
seen via array indexing or memcpy(), memmove(), and memset(). The str*()
family of functions already have full coverage.
While much of the work for these changes has been on-going for many
releases (i.e. 0-element and 1-element array replacements, as well as
avoiding false positives and fixing discovered overflows[1]), this series
contains the foundational elements of several related buffer overflow
detection improvements by providing new common helpers and FORTIFY_SOURCE
changes needed to gain the introspection needed for compiler visibility
into array sizes. Also included are a handful of already Acked instances
using the helpers (or related clean-ups), with many more waiting at the
ready to be taken via subsystem-specific trees[2]. The new helpers are:
- struct_group() for gaining struct member range introspection.
- memset_after() and memset_startat() for clearing to the end of structures.
- DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs.
Also included is the beginning of the refactoring of FORTIFY_SOURCE to
support memcpy() introspection, fix missing and regressed coverage under
GCC, and to prepare to fix the currently broken Clang support. Finishing
this work is part of the larger series[0], but depends on all the false
positives and buffer overflow bug fixes to have landed already and those
that depend on this series to land.
As part of the FORTIFY_SOURCE refactoring, a set of both a compile-time
and run-time tests are added for FORTIFY_SOURCE and the mem*()-family
functions respectively. (Now with the LANG=C grep mismatch[5] fixed from
PR take 1). Please note that the appearance of "panic" and "BUG" in the
FORTIFY_SOURCE refactoring are the result of relocating existing code,
and no new use of those code-paths are expected nor desired.
Finally, there are two tree-wide conversions for 0-element arrays and
flexible array unions to gain sane compiler introspection coverage that
result in no known object code differences.
After this series (and the changes that have now landed via netdev
and usb), we are so very close to finally being able to build with
-Warray-bounds and -Wzero-length-bounds. However, due to two recently found
corner cases in GCC[3] and Clang[4], I have not included the last two
patches that turn on these options, as I don't want to introduce any known
warnings to the build. I am expecting to solve them before rc2, though,
so hopefully there will be a small follow-up to this series before then.
[0] https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE
[2] https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/
[3] https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/
[4] https://bugs.llvm.org/show_bug.cgi?id=51682
[5] https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/
----------------------------------------------------------------
Kees Cook (29):
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
powerpc: Split memset() to avoid multi-field overflow
stddef: Fix kerndoc for sizeof_field() and offsetofend()
stddef: Introduce struct_group() helper macro
cxl/core: Replace unions with struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
HID: roccat: Use struct_group() to zero kone_mouse_event
can: flexcan: Use struct_group() to zero struct flexcan_regs regions
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
fortify: Fix dropped strcpy() compile-time write overflow check
fortify: Prepare to improve strnlen() and strlen() warnings
fortify: Allow strlen() and strnlen() to pass compile-time known lengths
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
string.h: Introduce memset_startat() for wiping trailing members and padding
btrfs: Use memset_startat() to clear end of struct
stddef: Introduce DECLARE_FLEX_ARRAY() helper
treewide: Replace open-coded flex arrays in unions
treewide: Replace 0-element memcpy() destinations with flexible arrays
fortify: Lower verbosity on compile-time test failures
MAINTAINERS | 9 +
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch/x86/lib/string_32.c | 1 +
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/crypto/chelsio/chcr_crypto.h | 14 +-
drivers/cxl/cxl.h | 61 ++---
drivers/gpu/drm/mga/mga_ioc32.c | 27 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/net/can/flexcan.c | 68 ++---
drivers/net/can/usb/etas_es58x/es581_4.h | 2 +-
drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/wireless/ath/ath10k/bmi.h | 10 +-
drivers/net/wireless/ath/ath10k/htt.h | 7 +-
drivers/net/wireless/intel/iwlegacy/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/tx.h | 12 +-
drivers/scsi/aic94xx/aic94xx_sds.c | 6 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +-
drivers/scsi/qla4xxx/ql4_def.h | 4 +-
drivers/staging/rtl8188eu/include/ieee80211.h | 6 +-
drivers/staging/rtl8712/ieee80211.h | 4 +-
drivers/staging/rtl8723bs/include/ieee80211.h | 6 +-
fs/btrfs/root-tree.c | 6 +-
fs/hpfs/hpfs.h | 8 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/filter.h | 6 +-
include/linux/fortify-string.h | 77 ++++--
include/linux/ieee80211.h | 30 +--
include/linux/stddef.h | 65 ++++-
include/linux/string.h | 44 +++-
include/linux/thread_info.h | 2 +-
include/scsi/sas.h | 12 +-
include/uapi/drm/mga_drm.h | 22 +-
include/uapi/linux/dlm_device.h | 4 +-
include/uapi/linux/stddef.h | 37 +++
include/uapi/rdma/rdma_user_rxe.h | 4 +-
include/uapi/sound/asoc.h | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 11 +
lib/Makefile | 34 +++
lib/memcpy_kunit.c | 289 ++++++++++++++++++++++
lib/string.c | 210 +---------------
lib/string_helpers.c | 195 +++++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 35 +++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strcpy-lit.c | 5 +
lib/test_fortify/write_overflow-strcpy.c | 5 +
lib/test_fortify/write_overflow-strlcpy-src.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy-src.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/kernel-doc | 9 +
scripts/test_fortify.sh | 62 +++++
security/Kconfig | 3 +
76 files changed, 1152 insertions(+), 445 deletions(-)
create mode 100644 lib/memcpy_kunit.c
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c
create mode 100644 lib/test_fortify/write_overflow-strcpy.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 scripts/test_fortify.sh
--
Kees Cook
^ permalink raw reply [relevance 50%]
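An added illustration of the helpers listed in the tag message above (not part of the original mail, and not the kernel's own code): userspace stand-ins for struct_group(), memset_after() and memset_startat(), showing how naming a member range lets a size-checked copy accept a deliberate multi-field write while still rejecting one aimed at the first member. The macro bodies, `struct frame`, `checked_copy()` and `copy_into()` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace stand-ins written for this example. The kernel's own macros
 * live in include/linux/stddef.h and include/linux/string.h and differ
 * in detail (tags, attributes, type checking).
 */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/*
 * Declare the members twice inside an anonymous union: once anonymously,
 * so existing code keeps writing obj->dst, and once as a named sub-struct,
 * so &obj->NAME and sizeof(obj->NAME) describe the whole range.
 */
#define struct_group(NAME, ...) \
	union { \
		struct { __VA_ARGS__ }; \
		struct { __VA_ARGS__ } NAME; \
	}

/* Fill everything after "member" (later members and trailing padding). */
#define memset_after(obj, v, member) \
	memset((unsigned char *)(obj) + offsetofend(__typeof__(*(obj)), member), \
	       (v), sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/* Fill from the start of "member" to the end of the structure. */
#define memset_startat(obj, v, member) \
	memset((unsigned char *)(obj) + offsetof(__typeof__(*(obj)), member), \
	       (v), sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member))

/* Constructed sample layout, not taken from any driver in the series. */
struct frame {
	uint16_t type;
	struct_group(addrs,
		uint8_t dst[6];
		uint8_t src[6];
	);
	uint32_t seq;
	uint32_t flags;
	uint8_t  tail[4];
};

/*
 * Hypothetical stand-in for a fortified memcpy(): the bound is the size of
 * the destination object the caller names, never the enclosing structure.
 */
static int checked_copy(void *dst, size_t dst_size, const void *src, size_t len)
{
	if (len > dst_size)
		return -1;	/* would write past the named destination */
	memcpy(dst, src, len);
	return 0;
}
#define copy_into(dst_obj, src, len) \
	checked_copy(&(dst_obj), sizeof(dst_obj), (src), (len))

/* Old idiom: aim at the first member and let the copy run into the next. */
int fill_addrs_via_member(struct frame *f, const uint8_t *wire)
{
	return copy_into(f->dst, wire, 12);
}

/* With the group, both members form one 12-byte destination. */
int fill_addrs_via_group(struct frame *f, const uint8_t *wire)
{
	return copy_into(f->addrs, wire, 12);
}

/* Keep type, addresses and seq; wipe flags and tail. */
void reset_after_seq(struct frame *f)
{
	memset_after(f, 0, seq);
}

/* Keep type and addresses; wipe seq, flags and tail. */
void reset_from_seq(struct frame *f)
{
	memset_startat(f, 0, seq);
}

int main(void)
{
	/* Constructed input: 6 bytes of dst followed by 6 bytes of src. */
	static const uint8_t wire[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
	struct frame f;

	memset(&f, 0xff, sizeof(f));
	printf("via member: %d\n", fill_addrs_via_member(&f, wire));
	printf("via group:  %d\n", fill_addrs_via_group(&f, wire));
	reset_after_seq(&f);
	printf("seq=%#x flags=%#x\n", (unsigned)f.seq, (unsigned)f.flags);
	return 0;
}
```

The stand-ins rely on C11 anonymous structs/unions and the GCC/Clang `__typeof__` extension.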
* [GIT PULL v2] overflow updates for v5.15-rc1-take2
@ 2021-09-10 4:51 49% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-10 4:51 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Daniel Vetter, Dan Williams,
Rasmus Villemoes, Greg Kroah-Hartman, Gustavo A. R. Silva,
Keith Packard, Nathan Chancellor, Nick Desaulniers,
linux-hardening
Hi Linus,
Please pull these overflow updates for v5.15-rc1 (take2). (I realized
I hadn't updated the tag name before, so now the tag also reflects the
"take 2"ness more clearly.) The series has been in -next for several
weeks. The LANG bug present in "take 1" is fixed. I've also added a
Fedora 34 instance to my builders, so my resulting current minimum build
testing is all combinations of:
Config targets:
defconfig
allmodconfig
allyesconfig
Architectures:
x86_64
i386
arm64
arm
Compilers:
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
gcc (Ubuntu 10.2.0-13ubuntu1) 10.2.0
gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0
gcc (Ubuntu 11.2.0-3ubuntu1) 11.2.0
gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)
For Clang, I'm mainly testing specific bootable configs for x86_64 and
arm64 with versions:
Ubuntu clang version 13.0.0-+rc2-2
latest clang git
These are all without surprises. (i.e. there are some existing Clang
warnings that are already being tracked, and there was a recent arm
warning that has also been fixed, none of which are from this series.)
Thanks!
-Kees
The following changes since commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c:
Linux 5.14-rc2 (2021-07-18 14:13:49 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.15-rc1-take2
for you to fetch changes up to cdea12025e0dd96bdbcafb45a46f23f3fdffb56c:
treewide: Replace 0-element memcpy() destinations with flexible arrays (2021-09-09 09:23:57 -0700)
----------------------------------------------------------------
overflow updates for v5.15-rc1 (take2)
The end goal of the current buffer overflow detection work[0] is to gain
full compile-time and run-time coverage of all detectable buffer overflows
seen via array indexing or memcpy(), memmove(), and memset(). The str*()
family of functions already have full coverage.
While much of the work for these changes has been on-going for many
releases (i.e. 0-element and 1-element array replacements, as well as
avoiding false positives and fixing discovered overflows[1]), this series
contains the foundational elements of several related buffer overflow
detection improvements by providing new common helpers and FORTIFY_SOURCE
changes needed to gain the introspection needed for compiler visibility
into array sizes. Also included are a handful of already Acked instances
using the helpers (or related clean-ups), with many more waiting at the
ready to be taken via subsystem-specific trees[2]. The new helpers are:
- struct_group() for gaining struct member range introspection.
- memset_after() and memset_startat() for clearing to the end of structures.
- DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs.
Also included is the beginning of the refactoring of FORTIFY_SOURCE to
support memcpy() introspection, fix missing and regressed coverage under
GCC, and to prepare to fix the currently broken Clang support. Finishing
this work is part of the larger series[0], but depends on all the false
positives and buffer overflow bug fixes to have landed already and those
that depend on this series to land.
As part of the FORTIFY_SOURCE refactoring, a set of both a compile-time
and run-time tests are added for FORTIFY_SOURCE and the mem*()-family
functions respectively. (Now with the LANG=C grep mismatch[5] fixed from
PR take 1). Please note that the appearance of "panic" and "BUG" in the
FORTIFY_SOURCE refactoring are the result of relocating existing code,
and no new use of those code-paths are expected nor desired.
Finally, there are two tree-wide conversions for 0-element arrays and
flexible array unions to gain sane compiler introspection coverage that
result in no known object code differences.
After this series (and the changes that have now landed via netdev
and usb), we are so very close to finally being able to build with
-Warray-bounds and -Wzero-length-bounds. However, due to two recently found
corner cases in GCC[3] and Clang[4], I have not included the last two
patches that turn on these options, as I don't want to introduce any known
warnings to the build. I am expecting to solve them before rc2, though,
so hopefully there will be a small follow-up to this series before then.
[0] https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE
[2] https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/
[3] https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/
[4] https://bugs.llvm.org/show_bug.cgi?id=51682
[5] https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/
----------------------------------------------------------------
Kees Cook (28):
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
powerpc: Split memset() to avoid multi-field overflow
stddef: Fix kerndoc for sizeof_field() and offsetofend()
stddef: Introduce struct_group() helper macro
cxl/core: Replace unions with struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
HID: roccat: Use struct_group() to zero kone_mouse_event
can: flexcan: Use struct_group() to zero struct flexcan_regs regions
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
fortify: Fix dropped strcpy() compile-time write overflow check
fortify: Prepare to improve strnlen() and strlen() warnings
fortify: Allow strlen() and strnlen() to pass compile-time known lengths
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
string.h: Introduce memset_startat() for wiping trailing members and padding
btrfs: Use memset_startat() to clear end of struct
stddef: Introduce DECLARE_FLEX_ARRAY() helper
treewide: Replace open-coded flex arrays in unions
treewide: Replace 0-element memcpy() destinations with flexible arrays
MAINTAINERS | 9 +
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch/x86/lib/string_32.c | 1 +
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/crypto/chelsio/chcr_crypto.h | 14 +-
drivers/cxl/cxl.h | 61 ++---
drivers/gpu/drm/mga/mga_ioc32.c | 27 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/net/can/flexcan.c | 68 ++---
drivers/net/can/usb/etas_es58x/es581_4.h | 2 +-
drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/wireless/ath/ath10k/bmi.h | 10 +-
drivers/net/wireless/ath/ath10k/htt.h | 7 +-
drivers/net/wireless/intel/iwlegacy/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/tx.h | 12 +-
drivers/scsi/aic94xx/aic94xx_sds.c | 6 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +-
drivers/scsi/qla4xxx/ql4_def.h | 4 +-
drivers/staging/rtl8188eu/include/ieee80211.h | 6 +-
drivers/staging/rtl8712/ieee80211.h | 4 +-
drivers/staging/rtl8723bs/include/ieee80211.h | 6 +-
fs/btrfs/root-tree.c | 6 +-
fs/hpfs/hpfs.h | 8 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/filter.h | 6 +-
include/linux/fortify-string.h | 77 ++++--
include/linux/ieee80211.h | 30 +--
include/linux/stddef.h | 65 ++++-
include/linux/string.h | 44 +++-
include/linux/thread_info.h | 2 +-
include/scsi/sas.h | 12 +-
include/uapi/drm/mga_drm.h | 22 +-
include/uapi/linux/dlm_device.h | 4 +-
include/uapi/linux/stddef.h | 37 +++
include/uapi/rdma/rdma_user_rxe.h | 4 +-
include/uapi/sound/asoc.h | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 11 +
lib/Makefile | 34 +++
lib/memcpy_kunit.c | 289 ++++++++++++++++++++++
lib/string.c | 210 +---------------
lib/string_helpers.c | 195 +++++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 35 +++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strcpy-lit.c | 5 +
lib/test_fortify/write_overflow-strcpy.c | 5 +
lib/test_fortify/write_overflow-strlcpy-src.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy-src.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/kernel-doc | 9 +
scripts/test_fortify.sh | 63 +++++
security/Kconfig | 3 +
76 files changed, 1153 insertions(+), 445 deletions(-)
create mode 100644 lib/memcpy_kunit.c
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c
create mode 100644 lib/test_fortify/write_overflow-strcpy.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 scripts/test_fortify.sh
--
Kees Cook
^ permalink raw reply [relevance 49%]
* Re: [GIT PULL] overflow updates for v5.15-rc1
@ 2021-09-06 17:19 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-06 17:19 UTC (permalink / raw)
To: Mark Brown
Cc: Linus Torvalds, Linux Kernel Mailing List, Arnd Bergmann,
Daniel Vetter, Dan Williams, Rasmus Villemoes,
Greg Kroah-Hartman, Gustavo A. R. Silva, Keith Packard,
Nathan Chancellor, Nick Desaulniers, linux-hardening
On Mon, Sep 06, 2021 at 12:43:50PM +0100, Mark Brown wrote:
> If you're looking for coverage on this stuff it's also good to check
> with clang as well, it's sufficiently different that it often triggers
> extra stuff [...]
Yup, I tested across multiple GCC and Clang versions, which is
why the failures came as such a surprise. And specifically, these
overflow changes have been designed with Clang in mind (as well as GCC
obviously). (i.e. see the patch[0] in this series, and the last patch[1]
in the coming series.)
-Kees
[0] https://lore.kernel.org/lkml/20210822075122.864511-17-keescook@chromium.org/
[1] https://lore.kernel.org/lkml/20210818060533.3569517-64-keescook@chromium.org/
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] overflow updates for v5.15-rc1
@ 2021-09-06 17:12 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-06 17:12 UTC (permalink / raw)
To: Stephen Rothwell
Cc: Linus Torvalds, Linux Kernel Mailing List, Arnd Bergmann,
Daniel Vetter, Dan Williams, Rasmus Villemoes,
Greg Kroah-Hartman, Gustavo A. R. Silva, Keith Packard,
Nathan Chancellor, Nick Desaulniers, linux-hardening
On Mon, Sep 06, 2021 at 03:27:31PM +1000, Stephen Rothwell wrote:
> Hi Linus,
>
> On Sun, 5 Sep 2021 10:36:22 -0700 Linus Torvalds <torvalds@linux-foundation.org> wrote:
> >
> > On Sun, Sep 5, 2021 at 12:38 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > Yeech. Yeah, no, that was not expected at all. I even did test merge builds against your latest tree before sending the Pull Request. This has been in -next for weeks, too.
> >
> > Sadly, I don't think linux-next checks for warnings.
>
> Yes, I do. And report them. I did not get these warnings for some
> reason. One of my builds is an X86_64 allmodconfig, currently using
>
> x86_64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110
FWIW, the difference turned out to be LANG=C.UTF-8 in Fedora (vs LANG=C or
LANG=en_US.UTF-8), and the warning analysis being done in the self-tests
I added got unlucky when I tried to avoid setting "LANG". (i.e. I didn't
want to depend on matching English output, and used the trailing "'" in
the function name matcher -- which is a "`" under C.UTF-8.)
This has been fixed now -- I just got fantastically unlucky, it seems,
as literally only Linus appears to have been building with LANG=C.UTF-8.
(None of the other build bots warned about this for the weeks it's been
in -next). :(
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL][take 2] overflow updates for v5.15-rc1
@ 2021-09-05 21:40 51% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-05 21:40 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Daniel Vetter, Dan Williams,
Rasmus Villemoes, Greg Kroah-Hartman, Gustavo A. R. Silva,
Keith Packard, Nathan Chancellor, Nick Desaulniers,
linux-hardening
Hi Linus,
Please pull these (now LANG-fixed) overflow updates for v5.15-rc1.
Thanks!
-Kees
The following changes since commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c:
Linux 5.14-rc2 (2021-07-18 14:13:49 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.15-rc1
for you to fetch changes up to 7d81191ddf3a456eb6644fd63a9b282e040ad49b:
treewide: Replace 0-element memcpy() destinations with flexible arrays (2021-09-05 14:03:25 -0700)
----------------------------------------------------------------
overflow updates for v5.15-rc1 (take 2)
The end goal of the current buffer overflow detection work[0] is to gain
full compile-time and run-time coverage of all detectable buffer overflows
seen via array indexing or memcpy(), memmove(), and memset(). The str*()
family of functions already have full coverage.
While much of the work for these changes have been on-going for many
releases (i.e. 0-element and 1-element array replacements, as well as
avoiding false positives and fixing discovered overflows[1]), this series
contains the foundational elements of several related buffer overflow
detection improvements by providing new common helpers and FORTIFY_SOURCE
changes needed to gain the introspection needed for compiler visibility
into array sizes. Also included are a handful of already Acked instances
using the helpers (or related clean-ups), with many more waiting at the
ready to be taken via subsystem-specific trees[2]. The new helpers are:
- struct_group() for gaining struct member range introspection.
- memset_after() and memset_startat() for clearing to the end of structures.
- DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs.
Also included is the beginning of the refactoring of FORTIFY_SOURCE to
support memcpy() introspection, fix missing and regressed coverage under
GCC, and to prepare to fix the currently broken Clang support. Finishing
this work is part of the larger series[0], but depends on all the false
positives and buffer overflow bug fixes to have landed already and those
that depend on this series to land.
As part of the FORTIFY_SOURCE refactoring, a set of both a compile-time
and run-time tests are added for FORTIFY_SOURCE and the mem*()-family
functions respectively. (Now with the LANG=C grep mismatch[5] fixed from
PR take 1). Please note that the appearance of "panic" and "BUG" in the
FORTIFY_SOURCE refactoring are the result of relocating existing code,
and no new use of those code-paths are expected nor desired.
Finally, there are two tree-wide conversions for 0-element arrays and
flexible array unions to gain sane compiler introspection coverage that
result in no known object code differences.
After this series (and the changes that have now landed via netdev
and usb), we are so very close to finally being able to build with
-Warray-bounds and -Wzero-length-bounds. However, due to two recently found
corner cases in GCC[3] and Clang[4], I have not included the last two
patches that turn on these options, as I don't want to introduce any known
warnings to the build. I am expecting to solve them before rc2, though,
so hopefully there will be a small follow-up to this series before then.
[0] https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE
[2] https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/
[3] https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/
[4] https://bugs.llvm.org/show_bug.cgi?id=51682
[5] https://lore.kernel.org/lkml/202109051257.29B29745C0@keescook/
----------------------------------------------------------------
Kees Cook (28):
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
powerpc: Split memset() to avoid multi-field overflow
stddef: Fix kerndoc for sizeof_field() and offsetofend()
stddef: Introduce struct_group() helper macro
cxl/core: Replace unions with struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
HID: roccat: Use struct_group() to zero kone_mouse_event
can: flexcan: Use struct_group() to zero struct flexcan_regs regions
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
fortify: Fix dropped strcpy() compile-time write overflow check
fortify: Prepare to improve strnlen() and strlen() warnings
fortify: Allow strlen() and strnlen() to pass compile-time known lengths
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
string.h: Introduce memset_startat() for wiping trailing members and padding
btrfs: Use memset_startat() to clear end of struct
stddef: Introduce DECLARE_FLEX_ARRAY() helper
treewide: Replace open-coded flex arrays in unions
treewide: Replace 0-element memcpy() destinations with flexible arrays
MAINTAINERS | 9 +
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch/x86/lib/string_32.c | 1 +
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/crypto/chelsio/chcr_crypto.h | 14 +-
drivers/cxl/cxl.h | 61 ++---
drivers/gpu/drm/mga/mga_ioc32.c | 27 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/net/can/flexcan.c | 68 ++---
drivers/net/can/usb/etas_es58x/es581_4.h | 2 +-
drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/wireless/ath/ath10k/bmi.h | 10 +-
drivers/net/wireless/ath/ath10k/htt.h | 7 +-
drivers/net/wireless/intel/iwlegacy/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/tx.h | 12 +-
drivers/scsi/aic94xx/aic94xx_sds.c | 6 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +-
drivers/scsi/qla4xxx/ql4_def.h | 4 +-
drivers/staging/rtl8188eu/include/ieee80211.h | 6 +-
drivers/staging/rtl8712/ieee80211.h | 4 +-
drivers/staging/rtl8723bs/include/ieee80211.h | 6 +-
fs/btrfs/root-tree.c | 6 +-
fs/hpfs/hpfs.h | 8 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/filter.h | 6 +-
include/linux/fortify-string.h | 77 ++++--
include/linux/ieee80211.h | 30 +--
include/linux/stddef.h | 65 ++++-
include/linux/string.h | 44 +++-
include/linux/thread_info.h | 2 +-
include/scsi/sas.h | 12 +-
include/uapi/drm/mga_drm.h | 22 +-
include/uapi/linux/dlm_device.h | 4 +-
include/uapi/linux/stddef.h | 37 +++
include/uapi/rdma/rdma_user_rxe.h | 4 +-
include/uapi/sound/asoc.h | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 11 +
lib/Makefile | 34 +++
lib/memcpy_kunit.c | 289 ++++++++++++++++++++++
lib/string.c | 210 +---------------
lib/string_helpers.c | 195 +++++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 35 +++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strcpy-lit.c | 5 +
lib/test_fortify/write_overflow-strcpy.c | 5 +
lib/test_fortify/write_overflow-strlcpy-src.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy-src.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/kernel-doc | 9 +
scripts/test_fortify.sh | 63 +++++
security/Kconfig | 3 +
76 files changed, 1153 insertions(+), 445 deletions(-)
create mode 100644 lib/memcpy_kunit.c
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c
create mode 100644 lib/test_fortify/write_overflow-strcpy.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 scripts/test_fortify.sh
--
Kees Cook
^ permalink raw reply [relevance 51%]
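The three helpers listed in the pull request above, modelled in userspace C as an added example that is not part of the original message and not kernel code. The macro bodies, `struct demo_msg`, `bounded_copy()` and `wire_addrs` are simplified, hypothetical stand-ins, and the block assumes GCC or Clang (`__typeof__`, C11 anonymous structs). It shows why a copy aimed at the first of two adjacent fields fails a per-field size check while the same copy aimed at a `struct_group()` range passes, and what `memset_after()` and `memset_startat()` each clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace models of the helpers (assumption: not the kernel's definitions). */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* The same members twice in a union: anonymously, so m->src keeps working,
 * and under NAME, so m->NAME is a single object with a single size. */
#define struct_group(NAME, ...) \
	union { \
		struct { __VA_ARGS__ }; \
		struct { __VA_ARGS__ } NAME; \
	}

/* Wipe everything after `member`, trailing padding included. */
#define memset_after(obj, v, member) \
	memset((unsigned char *)(obj) + offsetofend(__typeof__(*(obj)), member), \
	       (v), sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/* Wipe from the first byte of `member` to the end of the object. */
#define memset_startat(obj, v, member) \
	memset((unsigned char *)(obj) + offsetof(__typeof__(*(obj)), member), \
	       (v), sizeof(*(obj)) - offsetof(__typeof__(*(obj)), member))

/* Hypothetical message layout, constructed for this example. */
struct demo_msg {
	uint32_t seq;
	struct_group(addrs,
		uint8_t src[6];
		uint8_t dst[6];
	);
	uint16_t flags;
	uint8_t key[16];
	uint8_t scratch[8];
};

/* Stand-in for a fortified memcpy(): refuse a write larger than the named object. */
static int bounded_copy(void *dst, size_t dst_size, const void *src, size_t len)
{
	if (len > dst_size)
		return -1;
	memcpy(dst, src, len);
	return 0;
}
#define copy_into(field, src, len) \
	bounded_copy(&(field), sizeof(field), (src), (len))

/* Constructed input: source address followed by destination address. */
static const uint8_t wire_addrs[12] = { 2, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 2 };

/* Old pattern: aim at the first field and copy across both. Refused. */
int copy_addrs_via_first_field(struct demo_msg *m)
{
	return copy_into(m->src, wire_addrs, sizeof(wire_addrs));
}

/* Grouped pattern: the destination is the named 12-byte range. Accepted. */
int copy_addrs_via_group(struct demo_msg *m)
{
	return copy_into(m->addrs, wire_addrs, sizeof(wire_addrs));
}

static size_t count_zero_bytes(const struct demo_msg *m)
{
	const unsigned char *p = (const unsigned char *)m;
	size_t i, n = 0;

	for (i = 0; i < sizeof(*m); i++)
		n += (p[i] == 0);
	return n;
}

/* Fill with 0xAA, wipe, and report how many bytes ended up zero. */
size_t wipe_after_flags(struct demo_msg *m)
{
	memset(m, 0xAA, sizeof(*m));
	memset_after(m, 0, flags);	/* flags itself survives */
	return count_zero_bytes(m);
}

size_t wipe_startat_flags(struct demo_msg *m)
{
	memset(m, 0xAA, sizeof(*m));
	memset_startat(m, 0, flags);	/* flags is wiped too */
	return count_zero_bytes(m);
}

int main(void)
{
	struct demo_msg m = { 0 };

	printf("via m.src: %d, via m.addrs: %d\n",
	       copy_addrs_via_first_field(&m), copy_addrs_via_group(&m));
	printf("zeroed after flags: %zu, starting at flags: %zu\n",
	       wipe_after_flags(&m), wipe_startat_flags(&m));
	return 0;
}
```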
* Re: [GIT PULL] overflow updates for v5.15-rc1
2021-09-05 18:31 92% ` Kees Cook
@ 2021-09-05 20:52 88% ` Kees Cook
2 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-09-05 20:52 UTC (permalink / raw)
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Arnd Bergmann, Daniel Vetter,
Dan Williams, Rasmus Villemoes, Greg Kroah-Hartman,
Gustavo A. R. Silva, Keith Packard, Nathan Chancellor,
Nick Desaulniers, linux-hardening
On Sun, Sep 05, 2021 at 10:36:22AM -0700, Linus Torvalds wrote:
> This is actually just bog-standard gcc-11.2 from F34, and an allmodconfig build.
I've checked this on F32 now, and I still wasn't seeing the testsuite
warnings. I did see this, though, unrelated to (but certainly thematically
associated with) the overflow series:
fs/qnx4/dir.c: In function 'qnx4_readdir':
fs/qnx4/dir.c:51:32: warning: 'strnlen' specified bound 48 exceeds source size 16 [-Wstringop-overread]
51 | size = strnlen(de->di_fname, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from fs/qnx4/qnx4.h:3,
from fs/qnx4/dir.c:16:
./include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
45 | char di_fname[QNX4_SHORT_NAME_MAX];
| ^~~~~~~~
> Three errors due to "-Werror=unused-value", but 17 each of variations on
These are just side-effects of the actual warning going "missing".
> error: call to ‘__read_overflow’ declared with attribute error:
> detected read beyond size of object (1st parameter)
>
> and
>
> warning: unsafe xyz() usage lacked '__read_overflow' warning
>
> warnings.
The latter is complaining about not seeing the former... O_o
Oh... I found it:
> error: call to ‘__read_overflow’ declared with attribute error:
                 ^               ^
vs:
error: call to '__read_overflow' declared with attribute error:
               ^               ^
Looks like it's LANG biting me! Ugh.
LANG=en.US.UTF-8 is '
LANG=C is '
LANG=C.UTF-8 is `
Fedora uses C.UTF-8 by default, but my build tooling (and seemingly many
others) are using LANG=en_US.UTF-8 or LANG=C. Specifically, this appears
to be LC_NAME? Fixing now...
--
Kees Cook
^ permalink raw reply [relevance 88%]
* Re: [GIT PULL] overflow updates for v5.15-rc1
@ 2021-09-05 18:31 92% ` Kees Cook
2021-09-05 20:52 88% ` Kees Cook
2 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-09-05 18:31 UTC (permalink / raw)
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Arnd Bergmann, Daniel Vetter,
Dan Williams, Rasmus Villemoes, Greg Kroah-Hartman,
Gustavo A. R. Silva, Keith Packard, Nathan Chancellor,
Nick Desaulniers, linux-hardening
On Sun, Sep 05, 2021 at 10:36:22AM -0700, Linus Torvalds wrote:
> On Sun, Sep 5, 2021 at 12:38 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Yeech. Yeah, no, that was not expected at all. I even did test merge builds against your latest tree before sending the Pull Request. This has been in -next for weeks, too.
>
> Sadly, I don't think linux-next checks for warnings.
Oh, I thought I'd gotten such reports from sfr before, but certainly the
0day bot and others have yelled loudly about new warnings (from earlier
iterations of this series in -next).
> I really want to enable -Werror at some point, but every time I think
> I should, I just end up worrying about another random new compiler (or
> a random old one).
>
> We do have -Werror in various configurations (and in some sub-trees).
Yup, I think ppc and drm?
> > What was the build environment?
>
> This is actually just bog-standard gcc-11.2 from F34, and an allmodconfig build.
Ah, fun. Yeah, I'm behind on versions, it seems. Default gcc version on
latest stable Ubuntu release is 10.3. I will go retest on the devel
release.
> > Seeing an unexpected "-Wunused-value" in your output makes me think I've got a compiler version blind-spot, with some different default flags.)
>
> There were lots of other ones too, I just pasted a small subset. The
> full error log was 400+ lines. Most of those lines are just because of
> the very verbose warnings.
>
> Three errors due to "-Werror=unused-value", but 17 each of variations on
>
> error: call to ‘__read_overflow’ declared with attribute error:
> detected read beyond size of object (1st parameter)
>
> and
>
> warning: unsafe xyz() usage lacked '__read_overflow' warning
>
> warnings.
>
> Full 400+ lines (25kB) of errors/warnings messages attached in case
> you care about the whole thing and can't easily reproduce.
Yeah, the tests are designed to freak out if it gets an unexpected
warning (since it's trying to check for _expected_ warnings), but
regardless, they were not at all supposed to be spewing like this
immediately! :P
Sorry for the noise; I will get it cleaned up and re-sent.
-Kees
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] overflow updates for v5.15-rc1
@ 2021-09-03 3:22 52% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-09-03 3:22 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Daniel Vetter, Dan Williams,
Rasmus Villemoes, Greg Kroah-Hartman, Gustavo A. R. Silva,
Keith Packard, Nathan Chancellor, Nick Desaulniers,
linux-hardening
Hi Linus,
Please pull these overflow updates for v5.15-rc1.
Thanks!
-Kees
The following changes since commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c:
Linux 5.14-rc2 (2021-07-18 14:13:49 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.15-rc1
for you to fetch changes up to 5975fbb6f1eb0615b96873425a363c80859060ef:
treewide: Replace 0-element memcpy() destinations with flexible arrays (2021-08-30 11:32:10 -0700)
----------------------------------------------------------------
overflow updates for v5.15-rc1
The end goal of the current buffer overflow detection work[0] is to gain
full compile-time and run-time coverage of all detectable buffer overflows
seen via array indexing or memcpy(), memmove(), and memset(). The str*()
family of functions already have full coverage.
While much of the work for these changes have been on-going for many
releases (i.e. 0-element and 1-element array replacements, as well as
avoiding false positives and fixing discovered overflows[1]), this series
contains the foundational elements of several related buffer overflow
detection improvements by providing new common helpers and FORTIFY_SOURCE
changes needed to gain the introspection needed for compiler visibility
into array sizes. Also included are a handful of already Acked instances
using the helpers (or related clean-ups), with many more waiting at the
ready to be taken via subsystem-specific trees[2]. The new helpers are:
- struct_group() for gaining struct member range introspection.
- memset_after() and memset_startat() for clearing to the end of structures.
- DECLARE_FLEX_ARRAY() for using flex arrays in unions or alone in structs.
Also included is the beginning of the refactoring of FORTIFY_SOURCE to
support memcpy() introspection, fix missing and regressed coverage under
GCC, and to prepare to fix the currently broken Clang support. Finishing
this work is part of the larger series[0], but depends on all the false
positives and buffer overflow bug fixes to have landed already and those
that depend on this series to land.
As part of the FORTIFY_SOURCE refactoring, a set of both a compile-time
and run-time tests are added for FORTIFY_SOURCE and the mem*()-family
functions respectively. Please note that the appearance of "panic" and
"BUG" in the FORTIFY_SOURCE refactoring are the result of relocating
existing code, and no new use of those code-paths are expected nor
desired.
Finally, there are two tree-wide conversions for 0-element arrays and
flexible array unions to gain sane compiler introspection coverage that
result in no known object code differences.
After this series (and the changes that have now landed via netdev
and usb), we are so very close to finally being able to build with
-Warray-bounds and -Wzero-length-bounds. However, due to two recently found
corner cases in GCC[3] and Clang[4], I have not included the last two
patches that turn on these options, as I don't want to introduce any known
warnings to the build. I am expecting to solve them before rc2, though,
so hopefully there will be a small follow-up to this series before then.
[0] https://lore.kernel.org/lkml/20210818060533.3569517-1-keescook@chromium.org/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=FORTIFY_SOURCE
[2] https://lore.kernel.org/lkml/202108220107.3E26FE6C9C@keescook/
[3] https://lore.kernel.org/lkml/3ab153ec-2798-da4c-f7b1-81b0ac8b0c5b@roeck-us.net/
[4] https://bugs.llvm.org/show_bug.cgi?id=51682
----------------------------------------------------------------
Kees Cook (28):
scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp
powerpc: Split memset() to avoid multi-field overflow
stddef: Fix kerndoc for sizeof_field() and offsetofend()
stddef: Introduce struct_group() helper macro
cxl/core: Replace unions with struct_group()
bnxt_en: Use struct_group_attr() for memcpy() region
iommu/amd: Use struct_group() for memcpy() region
drm/mga/mga_ioc32: Use struct_group() for memcpy() region
HID: cp2112: Use struct_group() for memcpy() region
HID: roccat: Use struct_group() to zero kone_mouse_event
can: flexcan: Use struct_group() to zero struct flexcan_regs regions
cm4000_cs: Use struct_group() to zero struct cm4000_dev region
compiler_types.h: Remove __compiletime_object_size()
lib/string: Move helper functions out of string.c
fortify: Move remaining fortify helpers into fortify-string.h
fortify: Explicitly disable Clang support
fortify: Fix dropped strcpy() compile-time write overflow check
fortify: Prepare to improve strnlen() and strlen() warnings
fortify: Allow strlen() and strnlen() to pass compile-time known lengths
fortify: Add compile-time FORTIFY_SOURCE tests
lib: Introduce CONFIG_MEMCPY_KUNIT_TEST
string.h: Introduce memset_after() for wiping trailing members/padding
xfrm: Use memset_after() to clear padding
string.h: Introduce memset_startat() for wiping trailing members and padding
btrfs: Use memset_startat() to clear end of struct
stddef: Introduce DECLARE_FLEX_ARRAY() helper
treewide: Replace open-coded flex arrays in unions
treewide: Replace 0-element memcpy() destinations with flexible arrays
MAINTAINERS | 9 +
arch/arm/boot/compressed/string.c | 1 +
arch/s390/lib/string.c | 3 +
arch/x86/boot/compressed/misc.h | 2 +
arch/x86/boot/compressed/pgtable_64.c | 2 +
arch/x86/lib/string_32.c | 1 +
drivers/char/pcmcia/cm4000_cs.c | 9 +-
drivers/crypto/chelsio/chcr_crypto.h | 14 +-
drivers/cxl/cxl.h | 61 ++---
drivers/gpu/drm/mga/mga_ioc32.c | 27 +-
drivers/hid/hid-cp2112.c | 14 +-
drivers/hid/hid-roccat-kone.c | 2 +-
drivers/hid/hid-roccat-kone.h | 12 +-
drivers/iommu/amd/init.c | 9 +-
drivers/macintosh/smu.c | 3 +-
drivers/net/can/flexcan.c | 68 ++---
drivers/net/can/usb/etas_es58x/es581_4.h | 2 +-
drivers/net/can/usb/etas_es58x/es58x_fd.h | 2 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.h | 14 +-
drivers/net/wireless/ath/ath10k/bmi.h | 10 +-
drivers/net/wireless/ath/ath10k/htt.h | 7 +-
drivers/net/wireless/intel/iwlegacy/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/tx.h | 12 +-
drivers/scsi/aic94xx/aic94xx_sds.c | 6 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +-
drivers/scsi/qla4xxx/ql4_def.h | 4 +-
drivers/staging/rtl8188eu/include/ieee80211.h | 6 +-
drivers/staging/rtl8712/ieee80211.h | 4 +-
drivers/staging/rtl8723bs/include/ieee80211.h | 6 +-
fs/btrfs/root-tree.c | 6 +-
fs/hpfs/hpfs.h | 8 +-
include/linux/compiler-gcc.h | 2 -
include/linux/compiler_types.h | 4 -
include/linux/filter.h | 6 +-
include/linux/fortify-string.h | 77 ++++--
include/linux/ieee80211.h | 30 +--
include/linux/stddef.h | 65 ++++-
include/linux/string.h | 44 +++-
include/linux/thread_info.h | 2 +-
include/scsi/sas.h | 12 +-
include/uapi/drm/mga_drm.h | 22 +-
include/uapi/linux/dlm_device.h | 4 +-
include/uapi/linux/stddef.h | 37 +++
include/uapi/rdma/rdma_user_rxe.h | 4 +-
include/uapi/sound/asoc.h | 4 +-
lib/.gitignore | 2 +
lib/Kconfig.debug | 11 +
lib/Makefile | 34 +++
lib/memcpy_kunit.c | 289 ++++++++++++++++++++++
lib/string.c | 210 +---------------
lib/string_helpers.c | 195 +++++++++++++++
lib/test_fortify/read_overflow-memchr.c | 5 +
lib/test_fortify/read_overflow-memchr_inv.c | 5 +
lib/test_fortify/read_overflow-memcmp.c | 5 +
lib/test_fortify/read_overflow-memscan.c | 5 +
lib/test_fortify/read_overflow2-memcmp.c | 5 +
lib/test_fortify/read_overflow2-memcpy.c | 5 +
lib/test_fortify/read_overflow2-memmove.c | 5 +
lib/test_fortify/test_fortify.h | 35 +++
lib/test_fortify/write_overflow-memcpy.c | 5 +
lib/test_fortify/write_overflow-memmove.c | 5 +
lib/test_fortify/write_overflow-memset.c | 5 +
lib/test_fortify/write_overflow-strcpy-lit.c | 5 +
lib/test_fortify/write_overflow-strcpy.c | 5 +
lib/test_fortify/write_overflow-strlcpy-src.c | 5 +
lib/test_fortify/write_overflow-strlcpy.c | 5 +
lib/test_fortify/write_overflow-strncpy-src.c | 5 +
lib/test_fortify/write_overflow-strncpy.c | 5 +
lib/test_fortify/write_overflow-strscpy.c | 5 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_user.c | 2 +-
scripts/kernel-doc | 9 +
scripts/test_fortify.sh | 59 +++++
security/Kconfig | 3 +
76 files changed, 1149 insertions(+), 445 deletions(-)
create mode 100644 lib/memcpy_kunit.c
create mode 100644 lib/test_fortify/read_overflow-memchr.c
create mode 100644 lib/test_fortify/read_overflow-memchr_inv.c
create mode 100644 lib/test_fortify/read_overflow-memcmp.c
create mode 100644 lib/test_fortify/read_overflow-memscan.c
create mode 100644 lib/test_fortify/read_overflow2-memcmp.c
create mode 100644 lib/test_fortify/read_overflow2-memcpy.c
create mode 100644 lib/test_fortify/read_overflow2-memmove.c
create mode 100644 lib/test_fortify/test_fortify.h
create mode 100644 lib/test_fortify/write_overflow-memcpy.c
create mode 100644 lib/test_fortify/write_overflow-memmove.c
create mode 100644 lib/test_fortify/write_overflow-memset.c
create mode 100644 lib/test_fortify/write_overflow-strcpy-lit.c
create mode 100644 lib/test_fortify/write_overflow-strcpy.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strlcpy.c
create mode 100644 lib/test_fortify/write_overflow-strncpy-src.c
create mode 100644 lib/test_fortify/write_overflow-strncpy.c
create mode 100644 lib/test_fortify/write_overflow-strscpy.c
create mode 100644 scripts/test_fortify.sh
--
Kees Cook
* [GIT PULL] hardening updates for v5.15-rc1
@ 2021-08-30 18:27 92% Kees Cook
From: Kees Cook @ 2021-08-30 18:27 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Arnd Bergmann, clang-built-linux,
glider, Gustavo A. R. Silva, Kees Cook, linux-security-module,
Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull these hardening updates for v5.15-rc1.
Thanks!
-Kees
The following changes since commit 2734d6c1b1a089fb593ef6a23d4b70903526fe0c:
Linux 5.14-rc2 (2021-07-18 14:13:49 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.15-rc1
for you to fetch changes up to a8fc576d4af2f23a87a586424252df97f0ad0b06:
lib/test_stackinit: Add assigned initializers (2021-08-22 00:21:36 -0700)
----------------------------------------------------------------
hardening updates for v5.15-rc1
- Expand lib/test_stackinit to include more initialization styles
- Improve Kconfig for Clang's auto-var-init feature
- Introduce support for GCC's zero-call-used-regs feature
----------------------------------------------------------------
Kees Cook (5):
hardening: Introduce CONFIG_ZERO_CALL_USED_REGS
hardening: Clarify Kconfig text for auto-var-init
lib/test_stackinit: Fix static initializer test
lib/test_stackinit: Allow building stand-alone
lib/test_stackinit: Add assigned initializers
Makefile | 5 +
lib/test_stackinit.c | 253 +++++++++++++++++++++++++++++++++------------
security/Kconfig.hardening | 71 +++++++++----
3 files changed, 242 insertions(+), 87 deletions(-)
--
Kees Cook
* [GIT PULL] Clang CFI fix for v5.14-rc7
@ 2021-08-18 8:35 92% Kees Cook
From: Kees Cook @ 2021-08-18 8:35 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Elliot Berman, Kees Cook, Sami Tolvanen
Hi Linus,
Please pull this Clang CFI fix for v5.14-rc7.
Thanks!
-Kees
The following changes since commit 36a21d51725af2ce0700c6ebcb6b9594aac658a6:
Linux 5.14-rc5 (2021-08-08 13:49:31 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/cfi-v5.14-rc7
for you to fetch changes up to 14c4c8e41511aa8fba7fb239b20b6539b5bce201:
cfi: Use rcu_read_{un}lock_sched_notrace (2021-08-11 13:11:12 -0700)
----------------------------------------------------------------
cfi fix for v5.14-rc7
- Use rcu_read_{un}lock_sched_notrace to avoid recursion (Elliot Berman)
----------------------------------------------------------------
Elliot Berman (1):
cfi: Use rcu_read_{un}lock_sched_notrace
kernel/cfi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] orphan sections fix for v5.14-rc6
@ 2021-08-11 19:36 92% Kees Cook
From: Kees Cook @ 2021-08-11 19:36 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Fangrui Song, Kees Cook, Marco Elver,
Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull this orphan sections fix for v5.14-rc6.
Thanks!
-Kees
The following changes since commit 36a21d51725af2ce0700c6ebcb6b9594aac658a6:
Linux 5.14-rc5 (2021-08-08 13:49:31 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/orphans-v5.14-rc6
for you to fetch changes up to 848378812e40152abe9b9baf58ce2004f76fb988:
vmlinux.lds.h: Handle clang's module.{c,d}tor sections (2021-08-11 12:19:58 -0700)
----------------------------------------------------------------
orphans fix for v5.14-rc6
- Handle changes to Clang's Sanitizer section layout (Nathan Chancellor)
----------------------------------------------------------------
Nathan Chancellor (1):
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
include/asm-generic/vmlinux.lds.h | 1 +
1 file changed, 1 insertion(+)
--
Kees Cook
* [GIT PULL] seccomp fixes for v5.14-rc6
@ 2021-08-11 19:00 92% Kees Cook
From: Kees Cook @ 2021-08-11 19:00 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Hsuan-Chi Kuo, Kees Cook,
Rodrigo Campos, Wiktor Garbacz
Hi Linus,
Please pull these small seccomp fixes for v5.14-rc6.
Thanks!
-Kees
The following changes since commit 9a03abc16c77062c73972df08206f1031862d9b4:
selftests/seccomp: Avoid using "sysctl" for report (2021-06-28 12:49:52 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.14-rc6
for you to fetch changes up to b4d8a58f8dcfcc890f296696cadb76e77be44b5f:
seccomp: Fix setting loaded filter count during TSYNC (2021-08-11 11:48:28 -0700)
----------------------------------------------------------------
seccomp fixes for v5.14-rc6
- Fix typo in user notification documentation (Rodrigo Campos)
- Fix userspace counter report when using TSYNC (Hsuan-Chi Kuo, Wiktor Garbacz)
----------------------------------------------------------------
Hsuan-Chi Kuo (1):
seccomp: Fix setting loaded filter count during TSYNC
Rodrigo Campos (1):
Documentation: seccomp: Fix typo in user notification
Documentation/userspace-api/seccomp_filter.rst | 2 +-
kernel/seccomp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] Clang feature updates for v5.14-rc1 (take 2)
@ 2021-06-29 20:55 84% Kees Cook
From: Kees Cook @ 2021-06-29 20:55 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Catalin Marinas, Fangrui Song, Heiko Carstens,
Kees Cook, Mark Rutland, Masahiro Yamada, Miguel Ojeda,
Nathan Chancellor, Nick Desaulniers, Peter Oberparleiter,
Peter Zijlstra, Philippe Mathieu-Daudé,
Sami Tolvanen, Sedat Dilek, Will Deacon
Hi Linus,
Please pull these Clang feature updates for v5.14-rc1 (take 2). This is
everything except the big PGO portion from the original pull request
and includes an additional CFI fix that had gotten lost.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.14-rc1
for you to fetch changes up to fca41af18e10318e4de090db47d9fa7169e1bf2f:
qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute (2021-06-29 13:25:20 -0700)
----------------------------------------------------------------
Clang feature updates for v5.14-rc1
- Add CC_HAS_NO_PROFILE_FN_ATTR in preparation for PGO support in
the face of the noinstr attribute, paving the way for PGO and fixing
GCOV. (Nick Desaulniers)
- x86_64 LTO coverage is expanded to 32-bit x86. (Nathan Chancellor)
- Small fixes to CFI. (Mark Rutland, Nathan Chancellor)
----------------------------------------------------------------
Mark Rutland (1):
CFI: Move function_nocfi() into compiler.h
Nathan Chancellor (3):
MAINTAINERS: Add Clang CFI section
x86, lto: Enable Clang LTO for 32-bit as well
qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
Nick Desaulniers (3):
compiler_attributes.h: define __no_profile, add to noinstr
compiler_attributes.h: cleanups for GCC 4.9+
Kconfig: Introduce ARCH_WANTS_NO_INSTR and CC_HAS_NO_PROFILE_FN_ATTR
MAINTAINERS | 12 ++++++++++++
arch/Kconfig | 7 +++++++
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/compiler.h | 16 ++++++++++++++++
arch/arm64/include/asm/memory.h | 16 ----------------
arch/s390/Kconfig | 1 +
arch/x86/Kconfig | 5 +++--
drivers/firmware/qemu_fw_cfg.c | 8 +++-----
include/linux/compiler.h | 10 ++++++++++
include/linux/compiler_attributes.h | 19 ++++++++++++++++---
include/linux/compiler_types.h | 2 +-
include/linux/mm.h | 10 ----------
init/Kconfig | 3 +++
kernel/gcov/Kconfig | 1 +
14 files changed, 74 insertions(+), 37 deletions(-)
--
Kees Cook
* Re: [GIT PULL] Clang feature updates for v5.14-rc1
@ 2021-06-29 20:44 92% ` Kees Cook
From: Kees Cook @ 2021-06-29 20:44 UTC (permalink / raw)
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Bill Wendling, Bill Wendling,
Catalin Marinas, clang-built-linux, Fangrui Song, Heiko Carstens,
Jarmo Tiitto, Lukas Bulwahn, Mark Rutland, Masahiro Yamada,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Peter Oberparleiter, Peter Zijlstra, Sami Tolvanen, Will Deacon
On Mon, Jun 28, 2021 at 07:49:04PM -0700, Linus Torvalds wrote:
> On Mon, Jun 28, 2021 at 12:32 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > The big addition for this merge window is the core support for Clang's
> > Profile Guided Optimization, which lets Clang build the kernel for
> > improved performance when running specific kernel workloads. This
> > currently covers only vmlinux, but module support is under active
> > development. (Sami Tolvanen, Bill Wendling, Kees Cook, Jarmo Tiitto,
> > Lukas Bulwahn)
>
> Am I misreading this?
>
> The PGO data seems to be done by using clang instrumentation, instead
> of done sanely using sample data from a regular "perf" run?
Right, yes. My understanding is that PGO is measurably better than
sample-based profiling. Additionally, it's arch-agnostic (not that that's
meaningful here with only x86 finished), and can gain other analysis
features that aren't possible with perf. I'll let Nick, Fangrui, Bill,
or Sami answer this more directly.
In the meantime I will split the pull request into "PGO" and "everything
else".
> That odd decision seems to not be documented anywhere, and it seems
> odd and counter-productive, and causes all that odd special buffer
> handling and that vmlinux.profraw file etc.
>
> And it causes the kernel to be bigger and run slower.
Right -- that's expected. It's not designed to be the final kernel
someone uses. :)
-Kees
--
Kees Cook
* Re: [GIT PULL] Clang feature updates for v5.14-rc1
@ 2021-06-29 20:11 92% ` Kees Cook
From: Kees Cook @ 2021-06-29 20:11 UTC (permalink / raw)
To: Mark Rutland
Cc: Peter Zijlstra, Linus Torvalds, linux-kernel, Bill Wendling,
Bill Wendling, Catalin Marinas, clang-built-linux, Fangrui Song,
Heiko Carstens, Jarmo Tiitto, Lukas Bulwahn, Masahiro Yamada,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Peter Oberparleiter, Sami Tolvanen, Will Deacon
On Tue, Jun 29, 2021 at 02:14:00PM +0100, Mark Rutland wrote:
> Hi Kees,
>
> On Mon, Jun 28, 2021 at 12:32:24PM -0700, Kees Cook wrote:
> > Hi Linus,
> >
> > Please pull these Clang feature updates for v5.14-rc1.
> >
> > Thanks!
> >
> > -Kees
> >
> > The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
> >
> > Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
> >
> > are available in the Git repository at:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.14-rc1
> >
> > for you to fetch changes up to 6a0544606ec7f03e4a2534c87ea989de4bac41ae:
> >
> > pgo: rectify comment to proper kernel-doc syntax (2021-06-28 12:10:31 -0700)
> >
> > ----------------------------------------------------------------
> > Clang feature updates for v5.14-rc1
> >
> > The big addition for this merge window is the core support for Clang's
> > Profile Guided Optimization, which lets Clang build the kernel for
> > improved performance when running specific kernel workloads. This
> > currently covers only vmlinux, but module support is under active
> > development. (Sami Tolvanen, Bill Wendling, Kees Cook, Jarmo Tiitto,
> > Lukas Bulwahn)
>
> I thought the PGO stuff was on hold given Peter had open concerns, e.g.
>
> https://lore.kernel.org/r/20210614154639.GB68749@worktop.programming.kicks-ass.net
>
> ... and there didn't seem to be a strong conclusion to the contrary.
Hi! Whoops, I think you weren't CCed on the later threads over noinstr:
https://lore.kernel.org/lkml/YNGQV09E9xAvvppO@hirez.programming.kicks-ass.net/
I understood that as the blocker for Peter from the earlier thread.
>
> > Added CC_HAS_NO_PROFILE_FN_ATTR in preparation for PGO support in
> > the face of the noinstr attribute, paving the way for PGO and fixing
> > GCOV. (Nick Desaulniers)
> >
> > x86_64 LTO coverage is expanded to 32-bit x86. (Nathan Chancellor)
> >
> > Small fixes to CFI. (Mark Rutland, Nathan Chancellor)
>
> FWIW, all the rest of this looks good to me.
Thanks!
-Kees
>
> Thanks,
> Mark.
>
> >
> > ----------------------------------------------------------------
> > Bill Wendling (1):
> > pgo: rename the raw profile file to vmlinux.profraw
> >
> > Jarmo Tiitto (2):
> > pgo: Limit allocate_node() to vmlinux sections
> > pgo: Fix sleep in atomic section in prf_open()
> >
> > Kees Cook (2):
> > MAINTAINERS: Expand and relocate PGO entry
> > pgo: Clean up prf_open() error paths
> >
> > Lukas Bulwahn (1):
> > pgo: rectify comment to proper kernel-doc syntax
> >
> > Mark Rutland (1):
> > CFI: Move function_nocfi() into compiler.h
> >
> > Nathan Chancellor (2):
> > MAINTAINERS: Add Clang CFI section
> > x86, lto: Enable Clang LTO for 32-bit as well
> >
> > Nick Desaulniers (3):
> > compiler_attributes.h: define __no_profile, add to noinstr
> > compiler_attributes.h: cleanups for GCC 4.9+
> > Kconfig: Introduce ARCH_WANTS_NO_INSTR and CC_HAS_NO_PROFILE_FN_ATTR
> >
> > Sami Tolvanen (1):
> > pgo: Add Clang's Profile Guided Optimization infrastructure
> >
> > Documentation/dev-tools/index.rst | 1 +
> > Documentation/dev-tools/pgo.rst | 127 +++++++++++
> > MAINTAINERS | 25 ++
> > Makefile | 3 +
> > arch/Kconfig | 8 +
> > arch/arm64/Kconfig | 1 +
> > arch/arm64/include/asm/compiler.h | 16 ++
> > arch/arm64/include/asm/memory.h | 16 --
> > arch/s390/Kconfig | 1 +
> > arch/x86/Kconfig | 6 +-
> > arch/x86/boot/Makefile | 1 +
> > arch/x86/boot/compressed/Makefile | 1 +
> > arch/x86/crypto/Makefile | 3 +
> > arch/x86/entry/vdso/Makefile | 1 +
> > arch/x86/kernel/Makefile | 3 +
> > arch/x86/kernel/vmlinux.lds.S | 2 +
> > arch/x86/platform/efi/Makefile | 1 +
> > arch/x86/purgatory/Makefile | 1 +
> > arch/x86/realmode/rm/Makefile | 1 +
> > arch/x86/um/vdso/Makefile | 1 +
> > drivers/firmware/efi/libstub/Makefile | 1 +
> > include/asm-generic/vmlinux.lds.h | 32 +++
> > include/linux/compiler.h | 10 +
> > include/linux/compiler_attributes.h | 19 +-
> > include/linux/compiler_types.h | 2 +-
> > include/linux/mm.h | 10 -
> > init/Kconfig | 3 +
> > kernel/Makefile | 1 +
> > kernel/gcov/Kconfig | 1 +
> > kernel/pgo/Kconfig | 37 +++
> > kernel/pgo/Makefile | 5 +
> > kernel/pgo/fs.c | 413 ++++++++++++++++++++++++++++++++++
> > kernel/pgo/instrument.c | 188 ++++++++++++++++
> > kernel/pgo/pgo.h | 211 +++++++++++++++++
> > scripts/Makefile.lib | 10 +
> > 35 files changed, 1130 insertions(+), 32 deletions(-)
> > create mode 100644 Documentation/dev-tools/pgo.rst
> > create mode 100644 kernel/pgo/Kconfig
> > create mode 100644 kernel/pgo/Makefile
> > create mode 100644 kernel/pgo/fs.c
> > create mode 100644 kernel/pgo/instrument.c
> > create mode 100644 kernel/pgo/pgo.h
> >
> > --
> > Kees Cook
--
Kees Cook
* [GIT PULL] pstore updates for v5.14-rc1
@ 2021-06-28 20:17 92% Kees Cook
From: Kees Cook @ 2021-06-28 20:17 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Anton Vorontsov, Christoph Hellwig, Colin Cross,
Pu Lehui, Kees Cook, Tony Luck
Hi Linus,
Please pull these pstore updates for v5.14-rc1.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.14-rc1
for you to fetch changes up to 1d1f6cc5818c750ac69473e4951e7165913fbf16:
pstore/blk: Include zone in pstore_device_info (2021-06-16 21:09:31 -0700)
----------------------------------------------------------------
pstore updates for v5.14-rc1
Use normal block device I/O path for pstore/blk. (Christoph Hellwig,
Kees Cook, Pu Lehui)
----------------------------------------------------------------
Kees Cook (5):
pstore/blk: Improve failure reporting
pstore/blk: Move verify_size() macro out of function
pstore/blk: Use the normal block device I/O path
pstore/blk: Fix kerndoc and redundancy on blkdev param
pstore/blk: Include zone in pstore_device_info
Documentation/admin-guide/pstore-blk.rst | 14 +-
drivers/mtd/mtdpstore.c | 10 +-
fs/pstore/blk.c | 403 ++++++++++++-------------------
include/linux/pstore_blk.h | 27 +--
4 files changed, 171 insertions(+), 283 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp updates for v5.14-rc1
@ 2021-06-28 19:57 88% Kees Cook
From: Kees Cook @ 2021-06-28 19:57 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Kees Cook, Rodrigo Campos,
Sargun Dhillon, Tycho Andersen, Will Drewry
Hi Linus,
Please pull these seccomp updates for v5.14-rc1. Note that the commit
dates show "today", but this has been in -next for a while. I didn't
correctly manage my "for-linus/seccomp" fixes branch (which this is
based on) that was pulled for v5.13-rc4.
Thanks!
-Kees
The following changes since commit ddc473916955f7710d1eb17c1273d91c8622a9fe:
seccomp: Refactor notification handler to prepare for new semantics (2021-05-29 11:13:27 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.14-rc1
for you to fetch changes up to 9a03abc16c77062c73972df08206f1031862d9b4:
selftests/seccomp: Avoid using "sysctl" for report (2021-06-28 12:49:52 -0700)
----------------------------------------------------------------
seccomp updates for v5.14-rc1
Add "atomic addfd + send reply" mode to SECCOMP_USER_NOTIF to better
handle EINTR races visible to seccomp monitors. (Rodrigo Campos,
Sargun Dhillon)
Improve seccomp selftests for readability in CI systems. (Kees Cook)
----------------------------------------------------------------
Kees Cook (3):
selftests/seccomp: More closely track fds being assigned
selftests/seccomp: Flush benchmark output
selftests/seccomp: Avoid using "sysctl" for report
Rodrigo Campos (2):
seccomp: Support atomic "addfd + send reply"
selftests/seccomp: Add test for atomic addfd+send
Documentation/userspace-api/seccomp_filter.rst | 12 +++++
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 51 +++++++++++++++++++---
.../testing/selftests/seccomp/seccomp_benchmark.c | 10 ++++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 51 ++++++++++++++++++++--
5 files changed, 113 insertions(+), 12 deletions(-)
--
Kees Cook
* [GIT PULL] Clang feature updates for v5.14-rc1
@ 2021-06-28 19:32 73% Kees Cook
From: Kees Cook @ 2021-06-28 19:32 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bill Wendling, Bill Wendling, Catalin Marinas,
clang-built-linux, Fangrui Song, Heiko Carstens, Jarmo Tiitto,
Kees Cook, Lukas Bulwahn, Mark Rutland, Masahiro Yamada,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Peter Oberparleiter, Peter Zijlstra, Sami Tolvanen, Will Deacon
Hi Linus,
Please pull these Clang feature updates for v5.14-rc1.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.14-rc1
for you to fetch changes up to 6a0544606ec7f03e4a2534c87ea989de4bac41ae:
pgo: rectify comment to proper kernel-doc syntax (2021-06-28 12:10:31 -0700)
----------------------------------------------------------------
Clang feature updates for v5.14-rc1
The big addition for this merge window is the core support for Clang's
Profile Guided Optimization, which lets Clang build the kernel for
improved performance when running specific kernel workloads. This
currently covers only vmlinux, but module support is under active
development. (Sami Tolvanen, Bill Wendling, Kees Cook, Jarmo Tiitto,
Lukas Bulwahn)
Added CC_HAS_NO_PROFILE_FN_ATTR in preparation for PGO support in
the face of the noinstr attribute, paving the way for PGO and fixing
GCOV. (Nick Desaulniers)
x86_64 LTO coverage is expanded to 32-bit x86. (Nathan Chancellor)
Small fixes to CFI. (Mark Rutland, Nathan Chancellor)
----------------------------------------------------------------
Bill Wendling (1):
pgo: rename the raw profile file to vmlinux.profraw
Jarmo Tiitto (2):
pgo: Limit allocate_node() to vmlinux sections
pgo: Fix sleep in atomic section in prf_open()
Kees Cook (2):
MAINTAINERS: Expand and relocate PGO entry
pgo: Clean up prf_open() error paths
Lukas Bulwahn (1):
pgo: rectify comment to proper kernel-doc syntax
Mark Rutland (1):
CFI: Move function_nocfi() into compiler.h
Nathan Chancellor (2):
MAINTAINERS: Add Clang CFI section
x86, lto: Enable Clang LTO for 32-bit as well
Nick Desaulniers (3):
compiler_attributes.h: define __no_profile, add to noinstr
compiler_attributes.h: cleanups for GCC 4.9+
Kconfig: Introduce ARCH_WANTS_NO_INSTR and CC_HAS_NO_PROFILE_FN_ATTR
Sami Tolvanen (1):
pgo: Add Clang's Profile Guided Optimization infrastructure
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/pgo.rst | 127 +++++++++++
MAINTAINERS | 25 ++
Makefile | 3 +
arch/Kconfig | 8 +
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/compiler.h | 16 ++
arch/arm64/include/asm/memory.h | 16 --
arch/s390/Kconfig | 1 +
arch/x86/Kconfig | 6 +-
arch/x86/boot/Makefile | 1 +
arch/x86/boot/compressed/Makefile | 1 +
arch/x86/crypto/Makefile | 3 +
arch/x86/entry/vdso/Makefile | 1 +
arch/x86/kernel/Makefile | 3 +
arch/x86/kernel/vmlinux.lds.S | 2 +
arch/x86/platform/efi/Makefile | 1 +
arch/x86/purgatory/Makefile | 1 +
arch/x86/realmode/rm/Makefile | 1 +
arch/x86/um/vdso/Makefile | 1 +
drivers/firmware/efi/libstub/Makefile | 1 +
include/asm-generic/vmlinux.lds.h | 32 +++
include/linux/compiler.h | 10 +
include/linux/compiler_attributes.h | 19 +-
include/linux/compiler_types.h | 2 +-
include/linux/mm.h | 10 -
init/Kconfig | 3 +
kernel/Makefile | 1 +
kernel/gcov/Kconfig | 1 +
kernel/pgo/Kconfig | 37 +++
kernel/pgo/Makefile | 5 +
kernel/pgo/fs.c | 413 ++++++++++++++++++++++++++++++++++
kernel/pgo/instrument.c | 188 ++++++++++++++++
kernel/pgo/pgo.h | 211 +++++++++++++++++
scripts/Makefile.lib | 10 +
35 files changed, 1130 insertions(+), 32 deletions(-)
create mode 100644 Documentation/dev-tools/pgo.rst
create mode 100644 kernel/pgo/Kconfig
create mode 100644 kernel/pgo/Makefile
create mode 100644 kernel/pgo/fs.c
create mode 100644 kernel/pgo/instrument.c
create mode 100644 kernel/pgo/pgo.h
--
Kees Cook
* [GIT PULL] Clang features fix for v5.13-rc7
@ 2021-06-15 23:19 92% Kees Cook
From: Kees Cook @ 2021-06-15 23:19 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Kees Cook, Nathan Chancellor, Nick Desaulniers, Tor Vic
Hi Linus,
Please pull this additional Clang feature fix for v5.13-rc7. It seems
Clang has been scrubbing through the missing LTO IR flags for Clang 13,
and the last of these "only with LTO" flags is fixed now. I've asked
that they please consider making these changes in a less "break all the
Clang kernel builds" kind of way in the future. :P
Thanks!
-Kees
The following changes since commit 2398ce80152aae33b9501ef54452e09e8e8d4262:
x86, lto: Pass -stack-alignment only on LLD < 13.0.0 (2021-06-11 10:33:45 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.13-rc7
for you to fetch changes up to 0236526d76b87c1dc2cbe3eb31ae29be5b0ca151:
Makefile: lto: Pass -warn-stack-size only on LLD < 13.0.0 (2021-06-14 14:52:38 -0700)
----------------------------------------------------------------
Clang feature fix for v5.13-rc7
- The "-warn-stack-size" option under LTO has moved in Clang 13 (Tor Vic)
----------------------------------------------------------------
Tor Vic (1):
Makefile: lto: Pass -warn-stack-size only on LLD < 13.0.0
Makefile | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] clang-features fix for v5.13-rc6
@ 2021-06-11 18:21 92% Kees Cook
From: Kees Cook @ 2021-06-11 18:21 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Nathan Chancellor, Tor Vic
Hi Linus,
Please pull this clang-features fix for v5.13-rc6. Clang 13 fixed some
IR behavior for LTO, but this broke work-arounds used in the kernel.
Thanks!
-Kees
The following changes since commit 06af8679449d4ed282df13191fc52d5ba28ec536:
coredump: Limit what can interrupt coredumps (2021-06-10 14:02:29 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.13-rc6
for you to fetch changes up to 2398ce80152aae33b9501ef54452e09e8e8d4262:
x86, lto: Pass -stack-alignment only on LLD < 13.0.0 (2021-06-11 10:33:45 -0700)
----------------------------------------------------------------
Clang feature fix for v5.13-rc6
- Handle changes to needed LTO flags in Clang 13 (Tor Vic)
----------------------------------------------------------------
Tor Vic (1):
x86, lto: Pass -stack-alignment only on LLD < 13.0.0
arch/x86/Makefile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] orphan section fixes for v5.13-rc6
@ 2021-06-08 17:21 92% Kees Cook
From: Kees Cook @ 2021-06-08 17:21 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Arnd Bergmann, Kees Cook, kernel test robot,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull these orphan sections fixes for v5.13-rc6. These two corner
case fixes have been in -next for about a week.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/orphans-v5.13-rc6
for you to fetch changes up to d4c6399900364facd84c9e35ce1540b6046c345f:
vmlinux.lds.h: Avoid orphan section with !SMP (2021-06-02 12:43:55 -0700)
----------------------------------------------------------------
orphan section fixes for v5.13-rc6
- Avoid orphan section in ARM cpuidle (Arnd Bergmann)
- Avoid orphan section with !SMP (Nathan Chancellor)
----------------------------------------------------------------
Arnd Bergmann (1):
ARM: cpuidle: Avoid orphan section warning
Nathan Chancellor (1):
vmlinux.lds.h: Avoid orphan section with !SMP
arch/arm/include/asm/cpuidle.h | 5 +++--
include/asm-generic/vmlinux.lds.h | 1 +
2 files changed, 4 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp fixes for v5.13-rc4
@ 2021-05-29 18:16 92% Kees Cook
From: Kees Cook @ 2021-05-29 18:16 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Kees Cook, Rodrigo Campos,
Sargun Dhillon, Tycho Andersen
Hi Linus,
Please pull these seccomp fixes for v5.13-rc4. This fixes a hard-to-hit
race condition in the addfd user_notif feature of seccomp, visible since
v5.9.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-fixes-v5.13-rc4
for you to fetch changes up to ddc473916955f7710d1eb17c1273d91c8622a9fe:
seccomp: Refactor notification handler to prepare for new semantics (2021-05-29 11:13:27 -0700)
----------------------------------------------------------------
seccomp fixes for v5.13-rc4
- Fix addfd notification race condition (Sargun Dhillon)
----------------------------------------------------------------
Sargun Dhillon (2):
Documentation: seccomp: Fix user notification documentation
seccomp: Refactor notification handler to prepare for new semantics
Documentation/userspace-api/seccomp_filter.rst | 16 +++++++-------
kernel/seccomp.c | 30 ++++++++++++++------------
2 files changed, 24 insertions(+), 22 deletions(-)
--
Kees Cook
* [GIT PULL] Clang feature fixes for v5.13-rc4
@ 2021-05-28 17:23 92% Kees Cook
From: Kees Cook @ 2021-05-28 17:23 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Candle Sun, Fangrui Song, Kees Cook, Marco Elver,
Miguel Ojeda, Nathan Chancellor, Nick Desaulniers,
Paul E. McKenney, Sami Tolvanen
Hi Linus,
Please pull these Clang feature fixes for v5.13-rc4. One small fix each
for LTO and CFI.
Thanks!
-Kees
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-features-v5.13-rc4
for you to fetch changes up to 24845dcb170e16b3100bd49743687648c71387ae:
Makefile: LTO: have linker check -Wframe-larger-than (2021-05-24 15:24:34 -0700)
----------------------------------------------------------------
Clang feature fixes for v5.13-rc4
- Correctly pass stack frame size checking under LTO (Nick Desaulniers)
- Avoid CFI mismatches by checking initcall_t types (Marco Elver)
----------------------------------------------------------------
Marco Elver (1):
init: verify that function is initcall_t at compile-time
Nick Desaulniers (1):
Makefile: LTO: have linker check -Wframe-larger-than
Makefile | 5 +++++
include/linux/init.h | 3 ++-
2 files changed, 7 insertions(+), 1 deletion(-)
--
Kees Cook
* Re: [GIT PULL] Stack randomization fix
@ 2021-05-21 18:12 92% ` Kees Cook
From: Kees Cook @ 2021-05-21 18:12 UTC (permalink / raw)
To: Ingo Molnar
Cc: Linus Torvalds, Linux Kernel Mailing List, Thomas Gleixner,
Peter Zijlstra, Borislav Petkov, Andrew Morton, Nick Desaulniers,
Elena Reshetova
On Sun, May 16, 2021 at 09:29:39AM +0200, Ingo Molnar wrote:
> Without stackprotector we get:
>
> ffffffff81080330 <dummy_dummy>:
> ffffffff81080330: 55 push %rbp
> ffffffff81080331: 65 8b 05 88 12 f9 7e mov %gs:0x7ef91288(%rip),%eax # 115c0 <kstack_offset>
> ffffffff81080338: 25 ff 03 00 00 and $0x3ff,%eax
> ffffffff8108033d: 48 83 c0 0f add $0xf,%rax
> ffffffff81080341: 48 89 e5 mov %rsp,%rbp
> ffffffff81080344: 25 f8 07 00 00 and $0x7f8,%eax
> ffffffff81080349: 48 29 c4 sub %rax,%rsp
> ffffffff8108034c: 48 8d 44 24 0f lea 0xf(%rsp),%rax
> ffffffff81080351: 48 83 e0 f0 and $0xfffffffffffffff0,%rax
> ffffffff81080355: c9 leave
> ffffffff81080356: c3 ret
>
> Which is still quite a bit longer than it probably should be, IMO. Since we
> are relying on assembly anyway, why don't we force frame pointers explicitly
> and do this in assembly? The key sequence should only be something like:
>
> 65 8b 05 88 12 f9 7e mov %gs:0x7ef91288(%rip),%eax # 115c0 <kstack_offset>
> 48 29 c4 sub %rax,%rsp
>
> There's no fundamental reason for all the masking games IMO.
Mainly the mask is for enforcing stack alignment (and the compiler
does it). The top-level mask is to limit the resulting entropy while
keeping the rest of the entropy for mixing the per-cpu variable.
However, the compiler almost entirely fails to optimize the masking:
> 25 ff 03 00 00 and $0x3ff,%eax
> 48 83 c0 0f add $0xf,%rax
> 25 f8 07 00 00 and $0x7f8,%eax
This should just be and $0x3f0, I suspect (I need to double-check the
rounding up it wants to do with the "add"...)
Luckily, while long, it is very fast.
--
Kees Cook
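The three masking instructions quoted in the message above (`and $0x3ff`, `add $0xf`, `and $0x7f8`) can be modelled in C and compared with a single `and $0x3f0` over every input. This is an added example, not code from the thread or from the kernel; the function names are hypothetical and only the constants come from the quoted disassembly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; the masks are taken from the quoted disassembly. */

/* and $0x3ff,%eax ; add $0xf,%rax ; and $0x7f8,%eax */
static uint32_t compiler_sequence(uint32_t kstack_offset)
{
    uint64_t rax = kstack_offset & 0x3ff;   /* limit the offset to 10 bits */
    rax += 0xf;                             /* round-up term added before masking */
    return (uint32_t)rax & 0x7f8;           /* clear the low three bits */
}

/* The single instruction suggested in the reply: and $0x3f0,%eax */
static uint32_t single_mask(uint32_t kstack_offset)
{
    return kstack_offset & 0x3f0;
}

struct summary {
    unsigned distinct;      /* number of different values subtracted from %rsp */
    uint32_t min, max;      /* smallest and largest value */
    uint32_t granularity;   /* largest power of two dividing every value */
};

/* Run fn over a range of per-cpu offset values and describe its outputs. */
static struct summary summarize(uint32_t (*fn)(uint32_t))
{
    static unsigned char seen[0x800];       /* both functions return < 0x800 */
    struct summary s = { 0, UINT32_MAX, 0, 0 };
    uint32_t all_bits = 0;

    memset(seen, 0, sizeof(seen));
    for (uint32_t in = 0; in <= 0xffff; in++) {
        uint32_t out = fn(in);

        if (!seen[out]) {
            seen[out] = 1;
            s.distinct++;
        }
        if (out < s.min)
            s.min = out;
        if (out > s.max)
            s.max = out;
        all_bits |= out;
    }
    s.granularity = all_bits & (~all_bits + 1);  /* lowest set bit overall */
    return s;
}

/* Count 10-bit inputs for which the two forms give different results. */
static unsigned count_mismatches(void)
{
    unsigned n = 0;

    for (uint32_t in = 0; in <= 0x3ff; in++)
        if (compiler_sequence(in) != single_mask(in))
            n++;
    return n;
}

int main(void)
{
    struct summary seq = summarize(compiler_sequence);
    struct summary one = summarize(single_mask);

    /* compiler sequence: 129 values, 0x8..0x408, step 8 */
    printf("sequence: %u values, 0x%x..0x%x, step %u\n",
           seq.distinct, (unsigned)seq.min, (unsigned)seq.max,
           (unsigned)seq.granularity);
    /* single mask: 64 values, 0x0..0x3f0, step 16 */
    printf("and 0x3f0: %u values, 0x%x..0x%x, step %u\n",
           one.distinct, (unsigned)one.min, (unsigned)one.max,
           (unsigned)one.granularity);
    /* the add shifts every result upward, so all 1024 inputs differ */
    printf("inputs that differ: %u of 1024\n", count_mismatches());
    return 0;
}
```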
* [GIT PULL] CFI on arm64 series for v5.13-rc1
@ 2021-04-26 19:12 64% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-04-26 19:12 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ben Dai, Bjorn Helgaas, Christoph Hellwig,
Jack Pham, Jessica Yu, Kees Cook, Mark Rutland,
Nathan Chancellor, Nick Desaulniers, Sami Tolvanen
Hi Linus,
Please pull this CFI-on-arm64 series for v5.13-rc1. This builds on last
cycle's LTO work, and allows the arm64 kernels to be built with Clang's
Control Flow Integrity feature. This feature has happily lived in Android
kernels for almost 3 years[1], so I'm excited to have it ready for upstream.
While in -next, it gained one small conflict when the prototype for
arm64's __apply_alternatives() got tweaked:
https://lore.kernel.org/linux-next/20210426103433.01f527e0@canb.auug.org.au/
The wide diffstat is mainly due to the treewide fixing of mismatched
list_sort prototypes. Other things in core kernel are to address
various CFI corner cases. The largest code portion is the CFI runtime
implementation itself (which will be shared by all architectures
implementing support for CFI). The arm64 pieces are Acked by arm64
maintainers rather than coming through the arm64 tree since carrying
this tree over there was going to be awkward.
CFI support for x86 is still under development, but is pretty close.
There are a handful of corner cases on x86 that need some improvements
to Clang and objtool, but otherwise works well.
Finally, before your grep finds the panic() in this series, I'd like to
call your attention to CONFIG_CFI_PERMISSIVE which exists to provide
the WARN-only mode for CFI, useful for system builders exploring this
feature before they enable the "kill my machine" mode, which is the mode
used by Android (and by other folks enabling CFI as a meaningful defense).
Thanks!
-Kees
[1] https://android-developers.googleblog.com/2018/10/control-flow-integrity-in-android-kernel.html
The following changes since commit e49d033bddf5b565044e2abe4241353959bc9120:
Linux 5.12-rc6 (2021-04-04 14:15:36 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/cfi-v5.13-rc1
for you to fetch changes up to 9186ad8e66bab6a1edc66a939dd56c4638cda948:
arm64: allow CONFIG_CFI_CLANG to be selected (2021-04-08 16:04:23 -0700)
----------------------------------------------------------------
CFI on arm64 series for v5.13-rc1
- Clean up list_sort prototypes (Sami Tolvanen)
- Introduce CONFIG_CFI_CLANG for arm64 (Sami Tolvanen)
----------------------------------------------------------------
Sami Tolvanen (18):
add support for Clang CFI
cfi: add __cficanonical
mm: add generic function_nocfi macro
module: ensure __cfi_check alignment
workqueue: use WARN_ON_FUNCTION_MISMATCH
kthread: use WARN_ON_FUNCTION_MISMATCH
kallsyms: strip ThinLTO hashes from static functions
bpf: disable CFI in dispatcher functions
treewide: Change list_sort to use const pointers
lkdtm: use function_nocfi
psci: use function_nocfi for cpu_resume
arm64: implement function_nocfi
arm64: use function_nocfi with __pa_symbol
arm64: add __nocfi to functions that jump to a physical address
arm64: add __nocfi to __apply_alternatives
arm64: ftrace: use function_nocfi for ftrace_call
KVM: arm64: Disable CFI for nVHE
arm64: allow CONFIG_CFI_CLANG to be selected
Makefile | 17 ++
arch/Kconfig | 45 +++
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/memory.h | 16 +
arch/arm64/include/asm/mmu_context.h | 4 +-
arch/arm64/kernel/acpi_parking_protocol.c | 3 +-
arch/arm64/kernel/alternative.c | 4 +-
arch/arm64/kernel/cpu-reset.h | 10 +-
arch/arm64/kernel/cpufeature.c | 4 +-
arch/arm64/kernel/ftrace.c | 2 +-
arch/arm64/kernel/psci.c | 3 +-
arch/arm64/kernel/smp_spin_table.c | 3 +-
arch/arm64/kvm/hyp/nvhe/Makefile | 6 +-
arch/arm64/kvm/vgic/vgic-its.c | 8 +-
arch/arm64/kvm/vgic/vgic.c | 3 +-
block/blk-mq-sched.c | 3 +-
block/blk-mq.c | 3 +-
drivers/acpi/nfit/core.c | 3 +-
drivers/acpi/numa/hmat.c | 3 +-
drivers/clk/keystone/sci-clk.c | 4 +-
drivers/firmware/psci/psci.c | 7 +-
drivers/gpu/drm/drm_modes.c | 3 +-
drivers/gpu/drm/i915/gt/intel_engine_user.c | 3 +-
drivers/gpu/drm/i915/gvt/debugfs.c | 2 +-
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 3 +-
drivers/gpu/drm/radeon/radeon_cs.c | 4 +-
.../infiniband/hw/usnic/usnic_uiom_interval_tree.c | 3 +-
drivers/interconnect/qcom/bcm-voter.c | 2 +-
drivers/md/raid5.c | 3 +-
drivers/misc/lkdtm/usercopy.c | 2 +-
drivers/misc/sram.c | 4 +-
drivers/nvme/host/core.c | 3 +-
drivers/pci/controller/cadence/pcie-cadence-host.c | 3 +-
drivers/spi/spi-loopback-test.c | 3 +-
fs/btrfs/raid56.c | 3 +-
fs/btrfs/tree-log.c | 3 +-
fs/btrfs/volumes.c | 3 +-
fs/ext4/fsmap.c | 4 +-
fs/gfs2/glock.c | 3 +-
fs/gfs2/log.c | 2 +-
fs/gfs2/lops.c | 3 +-
fs/iomap/buffered-io.c | 3 +-
fs/ubifs/gc.c | 7 +-
fs/ubifs/replay.c | 4 +-
fs/xfs/scrub/bitmap.c | 4 +-
fs/xfs/xfs_bmap_item.c | 4 +-
fs/xfs/xfs_buf.c | 6 +-
fs/xfs/xfs_extent_busy.c | 4 +-
fs/xfs/xfs_extent_busy.h | 3 +-
fs/xfs/xfs_extfree_item.c | 4 +-
fs/xfs/xfs_refcount_item.c | 4 +-
fs/xfs/xfs_rmap_item.c | 4 +-
include/asm-generic/bug.h | 16 +
include/asm-generic/vmlinux.lds.h | 20 +-
include/linux/bpf.h | 4 +-
include/linux/cfi.h | 41 +++
include/linux/compiler-clang.h | 3 +
include/linux/compiler_types.h | 8 +
include/linux/init.h | 6 +-
include/linux/list_sort.h | 7 +-
include/linux/mm.h | 10 +
include/linux/module.h | 13 +-
include/linux/pci.h | 4 +-
init/Kconfig | 2 +-
kernel/Makefile | 4 +
kernel/cfi.c | 329 +++++++++++++++++++++
kernel/kallsyms.c | 55 +++-
kernel/kthread.c | 3 +-
kernel/module.c | 43 +++
kernel/workqueue.c | 2 +-
lib/list_sort.c | 17 +-
lib/test_list_sort.c | 3 +-
net/tipc/name_table.c | 4 +-
scripts/Makefile.modfinal | 2 +-
scripts/module.lds.S | 19 +-
75 files changed, 760 insertions(+), 113 deletions(-)
create mode 100644 include/linux/cfi.h
create mode 100644 kernel/cfi.c
--
Kees Cook
* [GIT PULL] overflow update for v5.13-rc1
@ 2021-04-26 18:36 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-04-26 18:36 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Jason Gunthorpe, Kees Cook, Keith Busch
Hi Linus,
Please pull this overflow update for v5.13-rc1. I was expecting more
in this tree for this cycle, but the other work has not yet landed for
-next. As a result, only this single typo fix exists. Yay tiny pulls. :)
Thanks!
-Kees
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:
Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.13-rc1
for you to fetch changes up to 4578be130a6470d85ff05b13b75a00e6224eeeeb:
overflow: Correct check_shl_overflow() comment (2021-04-01 14:07:41 -0700)
----------------------------------------------------------------
overflow update for v5.13-rc1
- Fix typo in check_shl_overflow() kern-doc (Keith Busch)
----------------------------------------------------------------
Keith Busch (1):
overflow: Correct check_shl_overflow() comment
include/linux/overflow.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] pstore update for v5.13-rc1
@ 2021-04-26 18:32 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-04-26 18:32 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Mukesh Ojha
Hi Linus,
Please pull this single pstore update for v5.13-rc1.
Thanks!
-Kees
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:
Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.13-rc1
for you to fetch changes up to 9d843e8fafc7c0b15d8f511d146c0c3d7c816634:
pstore: Add mem_type property DT parsing support (2021-03-31 10:06:23 -0700)
----------------------------------------------------------------
pstore update for v5.13-rc1
- Add mem_type property to expand support for >2 memory types (Mukesh Ojha)
----------------------------------------------------------------
Mukesh Ojha (1):
pstore: Add mem_type property DT parsing support
Documentation/admin-guide/ramoops.rst | 4 +++-
.../devicetree/bindings/reserved-memory/ramoops.txt | 10 ++++++++--
fs/pstore/ram.c | 7 ++++++-
fs/pstore/ram_core.c | 18 ++++++++++++++++--
4 files changed, 33 insertions(+), 6 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp updates for v5.13-rc1
@ 2021-04-26 18:29 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-04-26 18:29 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Cui GaoSheng, Hulk Robot, Kees Cook, Kenta Tada
Hi Linus,
Please pull these tiny seccomp updates for v5.13-rc1.
Thanks!
-Kees
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:
Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.13-rc1
for you to fetch changes up to a3fc712c5b37aec802438fe0de095d7f6f3827a3:
seccomp: Fix "cacheable" typo in comments (2021-03-30 22:34:30 -0700)
----------------------------------------------------------------
seccomp updates for v5.13-rc1
- Fix "cacheable" typo in comments (Cui GaoSheng)
- Fix CONFIG for /proc/$pid/status Seccomp_filters (Kenta.Tada@sony.com)
----------------------------------------------------------------
Cui GaoSheng (1):
seccomp: Fix "cacheable" typo in comments
Kenta.Tada@sony.com (1):
seccomp: Fix CONFIG tests for Seccomp_filters
fs/proc/array.c | 2 ++
init/init_task.c | 2 +-
kernel/seccomp.c | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] LTO fix for v5.12-rc6
@ 2021-04-01 21:39 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-04-01 21:39 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Kees Cook, Nick Desaulniers, Sami Tolvanen,
Sean Christopherson
Hi Linus,
Please pull this LTO fix for v5.12-rc6. It seems that there is a bug in
ld.bfd when doing module section merging. As explicit merging is only
needed for LTO, the work-around is to only do it under LTO, leaving the
original section layout choices alone under normal builds.
Thanks!
-Kees
The following changes since commit a5e13c6df0e41702d2b2c77c8ad41677ebb065b3:
Linux 5.12-rc5 (2021-03-28 15:48:16 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/lto-v5.12-rc6
for you to fetch changes up to 6a3193cdd5e5b96ac65f04ee42555c216da332af:
kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG is enabled (2021-04-01 14:15:59 -0700)
----------------------------------------------------------------
LTO fix for v5.12-rc6
- Only perform explicit module section merges under LTO (Sean Christopherson)
----------------------------------------------------------------
Sean Christopherson (1):
kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG is enabled
scripts/module.lds.S | 2 ++
1 file changed, 2 insertions(+)
--
Kees Cook
* [GIT PULL] gcc-plugins fixes for v5.12-rc2
@ 2021-03-05 23:14 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-03-05 23:14 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Hulk Robot, Jason Yan, Kees Cook
Hi Linus,
Please pull these tiny gcc-plugin fixes for v5.12-rc2. These issues
are small but have been reported a couple times now by static analyzers,
so best to get them fixed to reduce the noise. :)
Thanks!
-Kees
The following changes since commit fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8:
Linux 5.12-rc1 (2021-02-28 16:05:19 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.12-rc2
for you to fetch changes up to 5477edcacaacb8af8169450180a1d3bd0dfb9c99:
gcc-plugins: latent_entropy: remove unneeded semicolon (2021-03-01 19:19:50 -0800)
----------------------------------------------------------------
gcc-plugins fixes for v5.12-rc2
- Fix coding style issues (Jason Yan)
----------------------------------------------------------------
Jason Yan (2):
gcc-plugins: structleak: remove unneeded variable 'ret'
gcc-plugins: latent_entropy: remove unneeded semicolon
scripts/gcc-plugins/latent_entropy_plugin.c | 2 +-
scripts/gcc-plugins/structleak_plugin.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
--
Kees Cook
* [GIT PULL] pstore fixes for v5.12-rc2
@ 2021-03-05 23:09 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-03-05 23:09 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Dmitry Osipenko, Kees Cook, syzbot, Tetsuo Handa
Hi Linus,
Please pull these small pstore fixes for v5.12-rc2.
Thanks!
-Kees
The following changes since commit 19d8e9149c27b689c6224f5c84b96a159342195a:
pstore: Fix typo in compression option name (2021-02-18 12:27:49 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.12-rc2
for you to fetch changes up to 7db688e99c0f770ae73e0f1f3fb67f9b64266445:
pstore/ram: Rate-limit "uncorrectable error in header" message (2021-03-02 11:52:31 -0800)
----------------------------------------------------------------
pstore fixes for v5.12-rc2
- Rate-limit ECC warnings (Dmitry Osipenko)
- Fix error path check for NULL (Tetsuo Handa)
----------------------------------------------------------------
Dmitry Osipenko (1):
pstore/ram: Rate-limit "uncorrectable error in header" message
Tetsuo Handa (1):
pstore: Fix warning in pstore_kill_sb()
fs/pstore/inode.c | 2 +-
fs/pstore/ram_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] orphan-handling fix for v5.12-rc1
@ 2021-02-25 21:21 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-25 21:21 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Fangrui Song, Kees Cook, kernel test robot,
Nathan Chancellor, Nick Desaulniers
Hi Linus,
Please pull this small orphan-handling fix for v5.12-rc1. Another case
of bogus .eh_frame emission was noticed under CONFIG_GCOV_KERNEL=y.
Thanks!
-Kees
The following changes since commit f40ddce88593482919761f74910f42f4b84c004b:
Linux 5.11 (2021-02-14 14:32:24 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/orphan-handling-v5.12-rc1
for you to fetch changes up to f5b6a74d9c08b19740ca056876bf6584acdba582:
vmlinux.lds.h: Define SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y (2021-02-25 13:15:25 -0800)
----------------------------------------------------------------
orphan-handling fix for v5.12-rc1
- Define SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y (Nathan Chancellor)
----------------------------------------------------------------
Nathan Chancellor (1):
vmlinux.lds.h: Define SANTIZER_DISCARDS with CONFIG_GCOV_KERNEL=y
include/asm-generic/vmlinux.lds.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--
Kees Cook
* [GIT PULL] clang-lto fixes for v5.12-rc1
@ 2021-02-25 20:53 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-25 20:53 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Guenter Roeck, Kees Cook, Masahiro Yamada, Sami Tolvanen
Hi Linus,
Please pull these clang-lto fixes for v5.12-rc1. This gets parisc
building again and moves LTO artifact caching cleanup from the
"distclean" build target to "clean".
Thanks!
-Kees
The following changes since commit 5e95325fbbbdea96de91e7bdb05fe95a3031e37d:
kbuild: lto: force rebuilds when switching CONFIG_LTO (2021-02-23 14:10:44 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-lto-v5.12-rc1-fix1
for you to fetch changes up to 4c7858b9001c85aacf86a74b3a68aa384bc33760:
kbuild: Move .thinlto-cache removal to 'make clean' (2021-02-25 12:21:06 -0800)
----------------------------------------------------------------
clang-lto fixes for v5.12-rc1
- Fix parisc build for ftrace vs mcount (Sami Tolvanen)
- Move .thinlto-cache remove to "clean" from "distclean" (Masahiro Yamada)
----------------------------------------------------------------
Masahiro Yamada (1):
kbuild: Move .thinlto-cache removal to 'make clean'
Sami Tolvanen (1):
parisc: select FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY
Makefile | 4 ++--
arch/parisc/Kconfig | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] clang-lto (part 2) for v5.12-rc1
@ 2021-02-23 22:32 82% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-23 22:32 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Sami Tolvanen, Peter Zijlstra, Josh Poimboeuf,
Nick Desaulniers
Hi Linus,
Please pull this Clang LTO x86 enablement series for v5.12-rc1. Full
disclosure: while this has _not_ been in linux-next (since it initially
looked like the objtool dependencies weren't going to make v5.12), it
has been under daily build and runtime testing by Sami for quite some
time. These x86 portions have been discussed[1] on lkml, with Peter,
Josh, and others helping nail things down[2].
The bulk of the changes are to get objtool working happily. The rest of
the x86 enablement is very small.
Thanks!
-Kees
[1] https://lore.kernel.org/lkml/20201013003203.4168817-26-samitolvanen@google.com/
[2] https://lore.kernel.org/lkml/cover.1611263461.git.jpoimboe@redhat.com/
The following changes since commit 2b8689520520175075ca97bc4eaf51ff3f7253aa:
kbuild: prevent CC_FLAGS_LTO self-bloating on recursive rebuilds (2021-02-17 10:10:37 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-lto-v5.12-rc1-part2
for you to fetch changes up to 5e95325fbbbdea96de91e7bdb05fe95a3031e37d:
kbuild: lto: force rebuilds when switching CONFIG_LTO (2021-02-23 14:10:44 -0800)
----------------------------------------------------------------
clang-lto for v5.12-rc1 (part2)
- Generate __mcount_loc in objtool (Peter Zijlstra)
- Support running objtool against vmlinux.o (Sami Tolvanen)
- Clang LTO enablement for x86 (Sami Tolvanen)
----------------------------------------------------------------
Peter Zijlstra (1):
objtool: Add a pass for generating __mcount_loc
Sami Tolvanen (10):
objtool: Fix __mcount_loc generation with Clang's assembler
objtool: Don't autodetect vmlinux.o
tracing: add support for objtool mcount
x86, build: use objtool mcount
objtool: Split noinstr validation from --vmlinux
kbuild: lto: postpone objtool
x86, vdso: disable LTO only for vDSO
x86, cpu: disable LTO for cpu.c
x86, build: allow LTO to be selected
kbuild: lto: force rebuilds when switching CONFIG_LTO
Makefile | 10 ++++-
arch/x86/Kconfig | 3 ++
arch/x86/Makefile | 5 +++
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/power/Makefile | 4 ++
kernel/trace/Kconfig | 13 ++++++
scripts/Makefile.build | 19 +--------
scripts/Makefile.lib | 12 ++++++
scripts/Makefile.modfinal | 19 +++++++--
scripts/link-vmlinux.sh | 28 +++++++++++--
tools/objtool/builtin-check.c | 10 ++---
tools/objtool/builtin.h | 2 +-
tools/objtool/check.c | 97 ++++++++++++++++++++++++++++++++++++++++++-
tools/objtool/check.h | 1 +
tools/objtool/objtool.c | 1 +
tools/objtool/objtool.h | 1 +
16 files changed, 195 insertions(+), 33 deletions(-)
--
Kees Cook
* Re: [GIT PULL v2] clang-lto for v5.12-rc1
@ 2021-02-23 20:43 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-23 20:43 UTC (permalink / raw)
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Alexander Lobakin, Sami Tolvanen,
Bill Wendling, Bjorn Helgaas, George Burgess IV,
Nick Desaulniers, Steven Rostedt, Will Deacon
On Tue, Feb 23, 2021 at 12:33:05PM -0800, Linus Torvalds wrote:
> On Tue, Feb 23, 2021 at 9:49 AM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Mon, Feb 22, 2021 at 3:11 PM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > While x86 LTO enablement is done[1], it depends on some objtool
> > > clean-ups[2], though it appears those actually have been in linux-next
> > > (via tip/objtool/core), so it's possible that if that tree lands [..]
> >
> > That tree is actually next on my list of things to merge after this
> > one, so it should be out soonish.
>
> "soonish" turned out to be later than I thought, because my "build
> changes" set of pulls included the module change that I then wasted a
> lot of time on trying to figure out why it slowed down my build so
> much.
>
> But it's out now, as pr-tracker-bot already noted.
Great! Thanks for the updates; I'll prepare "part 2" right away. :)
--
Kees Cook
* [GIT PULL v2] clang-lto for v5.12-rc1
@ 2021-02-22 23:11 74% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2021-02-22 23:11 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Lobakin, Sami Tolvanen, Bill Wendling,
Bjorn Helgaas, George Burgess IV, Nick Desaulniers,
Steven Rostedt, Will Deacon
Hi Linus,
Please pull this Clang Link Time Optimization series for v5.12-rc1.
This has been in linux-next for the entire last development cycle,
and is built on the work done preparing[0] for LTO by arm64 folks,
tracing folks, etc. This series includes the core changes as well as
the remaining pieces for arm64 (LTO has been the default build method on
Android for about 3 years now, as it is the prerequisite for the Control
Flow Integrity protections).
While x86 LTO enablement is done[1], it depends on some objtool
clean-ups[2], though it appears those actually have been in linux-next
(via tip/objtool/core), so it's possible that if that tree lands, I'll
send a "part 2" pull request for LTO that includes x86 support (though
I guess that depends on the length of the merge window).
For merge log posterity, and as detailed in commit dc5723b02e52 ("kbuild:
add support for Clang LTO"), here is the tl;dr to do an LTO build:

    make LLVM=1 LLVM_IAS=1 defconfig
    scripts/config -e LTO_CLANG_THIN
    make LLVM=1 LLVM_IAS=1

(To do a cross-compile of arm64, add "CROSS_COMPILE=aarch64-linux-gnu-"
and "ARCH=arm64" to the "make" command lines.)
Thanks!
-Kees
[0] https://git.kernel.org/linus/3c09ec59cdea5b132212d97154d625fd34e436dd
[1] https://github.com/samitolvanen/linux/commits/clang-lto
[2] https://lore.kernel.org/lkml/cover.1611263461.git.jpoimboe@redhat.com/
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:
Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-lto-v5.12-rc1
for you to fetch changes up to 2b8689520520175075ca97bc4eaf51ff3f7253aa:
kbuild: prevent CC_FLAGS_LTO self-bloating on recursive rebuilds (2021-02-17 10:10:37 -0800)
----------------------------------------------------------------
clang-lto series for v5.12-rc1
- Clang LTO build infrastructure and arm64-specific enablement (Sami Tolvanen)
- Recursive build CC_FLAGS_LTO fix (Alexander Lobakin)
----------------------------------------------------------------
Alexander Lobakin (1):
kbuild: prevent CC_FLAGS_LTO self-bloating on recursive rebuilds
Sami Tolvanen (16):
tracing: move function tracer options to Kconfig
kbuild: add support for Clang LTO
kbuild: lto: fix module versioning
kbuild: lto: limit inlining
kbuild: lto: merge module sections
kbuild: lto: add a default list of used symbols
init: lto: ensure initcall ordering
init: lto: fix PREL32 relocations
PCI: Fix PREL32 relocations for LTO
modpost: lto: strip .lto from module names
scripts/mod: disable LTO for empty.c
efi/libstub: disable LTO
drivers/misc/lkdtm: disable LTO for rodata.o
arm64: vdso: disable LTO
arm64: disable recordmcount with DYNAMIC_FTRACE_WITH_REGS
arm64: allow LTO to be selected
.gitignore | 1 +
Makefile | 45 ++++--
arch/Kconfig | 90 ++++++++++++
arch/arm64/Kconfig | 4 +
arch/arm64/kernel/vdso/Makefile | 3 +-
drivers/firmware/efi/libstub/Makefile | 2 +
drivers/misc/lkdtm/Makefile | 1 +
include/asm-generic/vmlinux.lds.h | 11 +-
include/linux/init.h | 79 ++++++++--
include/linux/pci.h | 27 +++-
init/Kconfig | 1 +
kernel/trace/Kconfig | 16 ++
scripts/Makefile.build | 48 +++++-
scripts/Makefile.lib | 6 +-
scripts/Makefile.modfinal | 9 +-
scripts/Makefile.modpost | 25 +++-
scripts/generate_initcall_order.pl | 270 ++++++++++++++++++++++++++++++++++
scripts/link-vmlinux.sh | 70 +++++++--
scripts/lto-used-symbollist.txt | 5 +
scripts/mod/Makefile | 1 +
scripts/mod/modpost.c | 16 +-
scripts/mod/modpost.h | 9 ++
scripts/mod/sumversion.c | 6 +-
scripts/module.lds.S | 24 +++
24 files changed, 707 insertions(+), 62 deletions(-)
create mode 100755 scripts/generate_initcall_order.pl
create mode 100644 scripts/lto-used-symbollist.txt
--
Kees Cook
* [GIT PULL] pstore update for v5.12-rc1
@ 2021-02-18 20:35 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-18 20:35 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Jiri Bohac, Kees Cook, Matteo Croce
Hi Linus,
Please pull this tiny pstore update for v5.12-rc1 to fix a CONFIG typo.
Thanks!
-Kees
The following changes since commit f40ddce88593482919761f74910f42f4b84c004b:
Linux 5.11 (2021-02-14 14:32:24 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.12-rc1
for you to fetch changes up to 19d8e9149c27b689c6224f5c84b96a159342195a:
pstore: Fix typo in compression option name (2021-02-18 12:27:49 -0800)
----------------------------------------------------------------
pstore update for v5.12-rc1
- Fix a CONFIG typo (Jiri Bohac)
----------------------------------------------------------------
Jiri Bohac (1):
pstore: Fix typo in compression option name
fs/pstore/platform.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp updates for v5.12-rc1
@ 2021-02-17 20:54 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-17 20:54 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Paul Cercueil, wanghongzhe
Hi Linus,
Please pull these two small seccomp updates for v5.12-rc1. This contains a
fix for a build failure that went unnoticed for many years, and a memory
barrier correction.
Thanks!
-Kees
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:
Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.12-rc1
for you to fetch changes up to a381b70a1cf88e4a2d54f24d59abdcad0ff2dfe6:
seccomp: Improve performace by optimizing rmb() (2021-02-10 12:40:11 -0800)
----------------------------------------------------------------
seccomp updates for v5.12-rc1
- Fix a non-FILTER build failure for some architectures (Paul Cercueil)
- Improve performance with correct memory barrier (wanghongzhe)
----------------------------------------------------------------
Paul Cercueil (1):
seccomp: Add missing return in non-void function
wanghongzhe (1):
seccomp: Improve performace by optimizing rmb()
kernel/seccomp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
Kees Cook
* Re: [GIT PULL] clang-lto for v5.12-rc1
@ 2021-02-17 18:08 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-17 18:08 UTC (permalink / raw)
To: Alexander Lobakin
Cc: Linus Torvalds, linux-kernel, Bill Wendling, Bjorn Helgaas,
George Burgess IV, Nick Desaulniers, Sami Tolvanen,
Steven Rostedt, Will Deacon
On Tue, Feb 16, 2021 at 10:48:10PM +0000, Alexander Lobakin wrote:
> From: Kees Cook <keescook@chromium.org>
> Date: Tue, 16 Feb 2021 12:34:37 -0800
>
> > Hi Linus,
> >
> > Please pull this Clang Link Time Optimization series for v5.12-rc1. This
> > has been in linux-next for the entire last development cycle, and is
> > built on the work done preparing[0] for LTO by arm64 folks, tracing folks,
> > etc. This series includes the core changes as well as the remaining pieces
> > for arm64 (LTO has been the default build method on Android for about
> > 3 years now, as it is the prerequisite for the Control Flow Integrity
> > protections). While x86 LTO support is done[1], there is still some
> > on-going clean-up work happening for objtool[2] that should hopefully
> > land by the v5.13 merge window.
>
[...]
>
> Seems like you forgot the fix from [0], didn't you?
>
[...]
>
> [0] https://lore.kernel.org/lkml/20210121184544.659998-1-alobakin@pm.me
Ah yes, sorry for overlooking that. I can send a follow-up PR. AIUI,
it's usually better for Linus's workflow for me to build on sent PRs
instead of resending. (But given the merge window disruption, we'll see
what happens!)
--
Kees Cook
* [GIT PULL] clang-lto for v5.12-rc1
@ 2021-02-16 20:34 76% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-02-16 20:34 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bill Wendling, Bjorn Helgaas, George Burgess IV,
Kees Cook, Nick Desaulniers, Sami Tolvanen, Steven Rostedt,
Will Deacon
Hi Linus,
Please pull this Clang Link Time Optimization series for v5.12-rc1. This
has been in linux-next for the entire last development cycle, and is
built on the work done preparing[0] for LTO by arm64 folks, tracing folks,
etc. This series includes the core changes as well as the remaining pieces
for arm64 (LTO has been the default build method on Android for about
3 years now, as it is the prerequisite for the Control Flow Integrity
protections). While x86 LTO support is done[1], there is still some
on-going clean-up work happening for objtool[2] that should hopefully
land by the v5.13 merge window.
For merge log posterity, and as detailed in commit dc5723b02e52 ("kbuild:
add support for Clang LTO"), here is the tl;dr to do an LTO build:

    make LLVM=1 LLVM_IAS=1 defconfig
    scripts/config -e LTO_CLANG_THIN
    make LLVM=1 LLVM_IAS=1

(To do a cross-compile of arm64, add "CROSS_COMPILE=aarch64-linux-gnu-"
and "ARCH=arm64" to the "make" command lines.)
Thanks!
-Kees
[0] https://git.kernel.org/linus/3c09ec59cdea5b132212d97154d625fd34e436dd
[1] https://github.com/samitolvanen/linux/commits/clang-lto
[2] https://lore.kernel.org/lkml/cover.1611263461.git.jpoimboe@redhat.com/
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:
Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/clang-lto-v5.12-rc1
for you to fetch changes up to 112b6a8e038d793d016e330f53acb9383ac504b3:
arm64: allow LTO to be selected (2021-01-14 08:21:10 -0800)
----------------------------------------------------------------
clang-lto for v5.12-rc1
Provide build infrastructure for arm64 Clang LTO.
----------------------------------------------------------------
Sami Tolvanen (16):
tracing: move function tracer options to Kconfig
kbuild: add support for Clang LTO
kbuild: lto: fix module versioning
kbuild: lto: limit inlining
kbuild: lto: merge module sections
kbuild: lto: add a default list of used symbols
init: lto: ensure initcall ordering
init: lto: fix PREL32 relocations
PCI: Fix PREL32 relocations for LTO
modpost: lto: strip .lto from module names
scripts/mod: disable LTO for empty.c
efi/libstub: disable LTO
drivers/misc/lkdtm: disable LTO for rodata.o
arm64: vdso: disable LTO
arm64: disable recordmcount with DYNAMIC_FTRACE_WITH_REGS
arm64: allow LTO to be selected
.gitignore | 1 +
Makefile | 45 ++++--
arch/Kconfig | 90 ++++++++++++
arch/arm64/Kconfig | 4 +
arch/arm64/kernel/vdso/Makefile | 3 +-
drivers/firmware/efi/libstub/Makefile | 2 +
drivers/misc/lkdtm/Makefile | 1 +
include/asm-generic/vmlinux.lds.h | 11 +-
include/linux/init.h | 79 ++++++++--
include/linux/pci.h | 27 +++-
init/Kconfig | 1 +
kernel/trace/Kconfig | 16 ++
scripts/Makefile.build | 48 +++++-
scripts/Makefile.lib | 6 +-
scripts/Makefile.modfinal | 9 +-
scripts/Makefile.modpost | 25 +++-
scripts/generate_initcall_order.pl | 270 ++++++++++++++++++++++++++++++++++
scripts/link-vmlinux.sh | 70 +++++++--
scripts/lto-used-symbollist.txt | 5 +
scripts/mod/Makefile | 1 +
scripts/mod/modpost.c | 16 +-
scripts/mod/modpost.h | 9 ++
scripts/mod/sumversion.c | 6 +-
scripts/module.lds.S | 24 +++
24 files changed, 707 insertions(+), 62 deletions(-)
create mode 100755 scripts/generate_initcall_order.pl
create mode 100644 scripts/lto-used-symbollist.txt
--
Kees Cook
^ permalink raw reply [relevance 76%]
* [GIT PULL] gcc-plugins fix for v5.11-rc3
@ 2021-01-07 23:18 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2021-01-07 23:18 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Josh Poimboeuf, Kees Cook, Valdis Kletnieks
Hi Linus,
Please pull this gcc-plugins fix for v5.11-rc3. This makes them build
again with the latest GCC 11 in Fedora Rawhide.
Thanks!
-Kees
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:
Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.11-rc3
for you to fetch changes up to 67a5a68013056cbcf0a647e36cb6f4622fb6a470:
gcc-plugins: fix gcc 11 indigestion with plugins... (2021-01-06 15:08:23 -0800)
----------------------------------------------------------------
gcc-plugins fix for v5.11-rc3
- Bump c++ standard version for latest GCC versions (Valdis Kletnieks)
----------------------------------------------------------------
Valdis Kletnieks (1):
gcc-plugins: fix gcc 11 indigestion with plugins...
scripts/gcc-plugins/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] gcc-plugins updates for v5.11-rc1
@ 2020-12-16 20:23 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-12-16 20:23 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Linux Kernel Mailing List, Masahiro Yamada
On Wed, Dec 16, 2020 at 11:24:04AM -0800, Linus Torvalds wrote:
> On Tue, Dec 15, 2020 at 12:15 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > Please pull these gcc-plugins updates for v5.11-rc1.
>
> Hmm, I pulled this and then did an allmodconfig build.
>
> I expected that to be a full rebuild, since the plugins got
> recompiled, but it turned out to just take 16 seconds because it only
> compiled the plugins, not any of the object files.
Hmm. Yeah, that's a bug. I think that's an existing bug, though. I feel
like I scratched my head on that too. I will see if there is a sensible
way to have Kbuild "notice" that -- I hope there's an easier way to
invalidate all object files instead of adding all the plugins as a dep
to all .o builds. O_o
Thanks for the heads-up!
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp updates for v5.11-rc1
@ 2020-12-15 20:30 78% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-12-15 20:30 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Dimitrios Skarlatos, Heiko Carstens, Helge Deller,
Jann Horn, Kees Cook, Mickaël Salaün, Shuah Khan,
Tycho Andersen, Tyler Hicks, YiFei Zhu
Hi Linus,
Please pull these seccomp updates for v5.11-rc1. The major change here
is finally gaining seccomp constant-action bitmaps, which internally
reduces the seccomp overhead for many real-world syscall filters to O(1),
as discussed at Plumbers this year.
Thanks!
-Kees
The following changes since commit 4c222f31fb1db4d590503a181a6268ced9252379:
selftests/seccomp: sh: Fix register names (2020-11-20 11:03:08 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.11-rc1
for you to fetch changes up to 2c07343abd8932200a45ff7b10950e71081e9e77:
selftests/seccomp: Update kernel config (2020-12-02 11:20:54 -0800)
----------------------------------------------------------------
seccomp updates for v5.11-rc1
- Improve seccomp performance via constant-action bitmaps (YiFei Zhu & Kees Cook)
- Fix bogus __user annotations (Jann Horn)
- Add missed CONFIG for improved selftest coverage (Mickaël Salaün)
----------------------------------------------------------------
Jann Horn (1):
seccomp: Remove bogus __user annotations
Kees Cook (5):
x86: Enable seccomp architecture tracking
selftests/seccomp: Compare bitmap vs filter overhead
arm64: Enable seccomp architecture tracking
arm: Enable seccomp architecture tracking
Merge branch 'for-linus/seccomp' into for-next/seccomp
Mickaël Salaün (1):
selftests/seccomp: Update kernel config
YiFei Zhu (10):
seccomp/cache: Lookup syscall allowlist bitmap for fast path
seccomp/cache: Add "emulator" to check if filter is constant allow
csky: Enable seccomp architecture tracking
parisc: Enable seccomp architecture tracking
powerpc: Enable seccomp architecture tracking
riscv: Enable seccomp architecture tracking
s390: Enable seccomp architecture tracking
sh: Enable seccomp architecture tracking
xtensa: Enable seccomp architecture tracking
seccomp/cache: Report cache data through /proc/pid/seccomp_cache
arch/Kconfig | 17 ++
arch/arm/include/asm/Kbuild | 1 -
arch/arm/include/asm/seccomp.h | 11 +
arch/arm64/include/asm/seccomp.h | 9 +
arch/csky/include/asm/Kbuild | 1 -
arch/csky/include/asm/seccomp.h | 11 +
arch/parisc/include/asm/Kbuild | 1 -
arch/parisc/include/asm/seccomp.h | 22 ++
arch/powerpc/include/asm/seccomp.h | 23 ++
arch/riscv/include/asm/seccomp.h | 10 +
arch/s390/include/asm/seccomp.h | 9 +
arch/sh/include/asm/seccomp.h | 10 +
arch/x86/include/asm/seccomp.h | 20 ++
arch/xtensa/include/asm/Kbuild | 1 -
arch/xtensa/include/asm/seccomp.h | 11 +
fs/proc/base.c | 6 +
include/linux/seccomp.h | 7 +
kernel/seccomp.c | 296 ++++++++++++++++++++-
tools/testing/selftests/seccomp/config | 1 +
.../testing/selftests/seccomp/seccomp_benchmark.c | 151 +++++++++--
tools/testing/selftests/seccomp/settings | 2 +-
21 files changed, 590 insertions(+), 30 deletions(-)
create mode 100644 arch/arm/include/asm/seccomp.h
create mode 100644 arch/csky/include/asm/seccomp.h
create mode 100644 arch/parisc/include/asm/seccomp.h
create mode 100644 arch/xtensa/include/asm/seccomp.h
--
Kees Cook
^ permalink raw reply [relevance 78%]
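The constant-action bitmap idea from the seccomp pull request above, as an added user-space C example (not the kernel's code and not taken from this series): a filter is emulated once per syscall number, and a bit is set only when it returns ALLOW after looking at nothing but arch and nr, so the per-syscall check becomes one bit test. The function names, NR_MAX and the sample filter are assumptions constructed for illustration; the opcode and offset values follow the Linux UAPI headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic-BPF opcodes and seccomp constants; values as in the Linux UAPI headers. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_W_ABS = 0x20, RET_K = 0x06, JA = 0x05,
       JEQ_K = 0x15, JGT_K = 0x25, JGE_K = 0x35, JSET_K = 0x45 };
#define RET_ALLOW        0x7fff0000u
#define RET_KILL_PROCESS 0x80000000u
#define RET_ERRNO        0x00050000u
#define ARCH_X86_64      0xc000003eu /* AUDIT_ARCH_X86_64 */
#define OFF_NR   0u    /* offsetof(struct seccomp_data, nr) */
#define OFF_ARCH 4u    /* offsetof(struct seccomp_data, arch) */
#define OFF_ARG0 16u   /* offsetof(struct seccomp_data, args[0]), low word */
#define NR_MAX   512u  /* assumed syscall-table size for this example */

/* Run the filter for one (arch, nr) pair with no argument data. True only if
 * it returns ALLOW having read nothing but arch and nr. Assumes the program
 * already passed the usual cBPF validity checks (bounded forward jumps). */
static bool is_const_allow(const struct insn *prog, size_t len,
                           uint32_t arch, uint32_t nr)
{
    uint32_t a = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        bool taken = false;

        switch (in->code) {
        case LD_W_ABS:
            if (in->k == OFF_NR)
                a = nr;
            else if (in->k == OFF_ARCH)
                a = arch;
            else
                return false;   /* result depends on args or instruction pointer */
            continue;
        case RET_K:  return in->k == RET_ALLOW;
        case JA:     pc += in->k; continue;
        case JEQ_K:  taken = (a == in->k); break;
        case JGT_K:  taken = (a >  in->k); break;
        case JGE_K:  taken = (a >= in->k); break;
        case JSET_K: taken = (a &  in->k) != 0; break;
        default:     return false;  /* any other instruction: do not cache */
        }
        pc += taken ? in->jt : in->jf;
    }
    return false;
}

struct action_cache { uint64_t allow[NR_MAX / 64]; };

/* Done once, when the filter is attached. */
static void cache_build(struct action_cache *c, const struct insn *prog,
                        size_t len, uint32_t arch)
{
    *c = (struct action_cache){ {0} };
    for (uint32_t nr = 0; nr < NR_MAX; nr++)
        if (is_const_allow(prog, len, arch, nr))
            c->allow[nr / 64] |= 1ull << (nr % 64);
}

/* Done per syscall: one bit test. A miss means "run the full filter". */
static bool cache_allows(const struct action_cache *c, uint32_t nr)
{
    return nr < NR_MAX && ((c->allow[nr / 64] >> (nr % 64)) & 1);
}

/* Constructed sample allowlist (x86-64 numbers: read=0, write=1, exit=60). */
static const struct insn sample_filter[] = {
    { LD_W_ABS, 0, 0, OFF_ARCH },
    { JEQ_K,    1, 0, ARCH_X86_64 },
    { RET_K,    0, 0, RET_KILL_PROCESS },
    { LD_W_ABS, 0, 0, OFF_NR },
    { JEQ_K,    4, 0, 0 },              /* read  -> ALLOW */
    { JEQ_K,    3, 0, 60 },             /* exit  -> ALLOW */
    { JEQ_K,    0, 3, 1 },              /* write -> check fd, others -> EPERM */
    { LD_W_ABS, 0, 0, OFF_ARG0 },
    { JEQ_K,    0, 1, 1 },              /* fd == 1 -> ALLOW, else EPERM */
    { RET_K,    0, 0, RET_ALLOW },
    { RET_K,    0, 0, RET_ERRNO | 1 },
};
#define SAMPLE_LEN (sizeof(sample_filter) / sizeof(sample_filter[0]))

/* Build the cache for the sample filter and look one syscall up in it. */
bool demo_cached(uint32_t nr)
{
    struct action_cache c;
    cache_build(&c, sample_filter, SAMPLE_LEN, ARCH_X86_64);
    return cache_allows(&c, nr);
}

int main(void)
{
    const uint32_t probe[] = { 0, 1, 2, 60 };
    for (size_t i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
        printf("nr %u: %s\n", (unsigned)probe[i],
               demo_cached(probe[i]) ? "bitmap allow" : "run filter");
    return 0;
}
```

write(2) stays out of the bitmap because its verdict depends on the fd argument, so it still goes through the filter on every call.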
* [GIT PULL] gcc-plugins updates for v5.11-rc1
@ 2020-12-15 20:15 90% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2020-12-15 20:15 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Masahiro Yamada
Hi Linus,
Please pull these gcc-plugins updates for v5.11-rc1.
Thanks!
-Kees
The following changes since commit b65054597872ce3aefbc6a666385eabdf9e288da:
Linux 5.10-rc6 (2020-11-29 15:50:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.11-rc1
for you to fetch changes up to 53a57e60de74a3531ae769b3241cc5169e1431ac:
MAINTAINERS: Drop inactive gcc-plugins maintainer (2020-12-04 14:11:05 -0800)
----------------------------------------------------------------
gcc-plugins updates for v5.11-rc1
- Clean up gcc plugin builds now that GCC must be 4.9+ (Masahiro Yamada)
- Update MAINTAINERS (Kees Cook)
----------------------------------------------------------------
Kees Cook (1):
MAINTAINERS: Drop inactive gcc-plugins maintainer
Masahiro Yamada (2):
gcc-plugins: remove code for GCC versions older than 4.9
gcc-plugins: simplify GCC plugin-dev capability test
MAINTAINERS | 1 -
scripts/gcc-plugin.sh | 19 -
scripts/gcc-plugins/Kconfig | 2 +-
scripts/gcc-plugins/gcc-common.h | 407 ---------------------
scripts/gcc-plugins/gcc-generate-gimple-pass.h | 12 -
scripts/gcc-plugins/gcc-generate-ipa-pass.h | 23 --
scripts/gcc-plugins/gcc-generate-rtl-pass.h | 17 -
scripts/gcc-plugins/gcc-generate-simple_ipa-pass.h | 17 -
scripts/gcc-plugins/latent_entropy_plugin.c | 12 -
scripts/gcc-plugins/randomize_layout_plugin.c | 4 -
scripts/gcc-plugins/sancov_plugin.c | 6 -
scripts/gcc-plugins/stackleak_plugin.c | 4 +-
scripts/gcc-plugins/structleak_plugin.c | 4 -
13 files changed, 2 insertions(+), 526 deletions(-)
delete mode 100755 scripts/gcc-plugin.sh
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] pstore updates for v5.11-rc1
@ 2020-12-15 20:19 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-12-15 20:19 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christoph Hellwig, Kees Cook,
Vasile-Laurentiu Stanimir, WeiXiong Liao
Hi Linus,
Please pull these pstore updates for v5.11-rc1.
Thanks!
-Kees
The following changes since commit 3cea11cd5e3b00d91caf0b4730194039b45c5891:
Linux 5.10-rc2 (2020-11-01 14:43:51 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.11-rc1
for you to fetch changes up to 26fecbf7602dd69b649914e61526bd67c557fece:
pstore: Move kmsg_bytes default into Kconfig (2020-12-01 12:09:17 -0800)
----------------------------------------------------------------
pstore updates for v5.11-rc1
- Clean up unused but exposed API (Christoph Hellwig)
- Provide KCONFIG for default size of kmsg buffer (Vasile-Laurentiu Stanimir)
----------------------------------------------------------------
Christoph Hellwig (3):
pstore/zone: cap the maximum device size
pstore/blk: update the command line example
pstore/blk: remove {un,}register_pstore_blk
Vasile-Laurentiu Stanimir (1):
pstore: Move kmsg_bytes default into Kconfig
Documentation/admin-guide/pstore-blk.rst | 7 +--
fs/pstore/Kconfig | 8 +++
fs/pstore/blk.c | 83 ++++----------------------------
fs/pstore/inode.c | 2 +-
fs/pstore/internal.h | 1 -
fs/pstore/platform.c | 2 +-
fs/pstore/zone.c | 4 ++
include/linux/pstore_blk.h | 42 ----------------
8 files changed, 26 insertions(+), 123 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL 2/2] Kconfig updates for v5.10-rc1
@ 2020-12-02 18:58 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-12-02 18:58 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Linus Torvalds, Emese Revfy, Linux Kbuild mailing list,
Linux Kernel Mailing List
On Wed, Dec 02, 2020 at 10:03:47PM +0900, Masahiro Yamada wrote:
> On Wed, Dec 2, 2020 at 9:53 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
> >
> > Hi Linus,
> >
> > On Sun, Nov 29, 2020 at 3:28 AM Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > >
> > > On Fri, Nov 27, 2020 at 11:05 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
> > > >
> > > > As for the cc1plus cost, I got a similar result.
> > > >
> > > > Running scripts/gcc-plugin.sh directly
> > > > took me 0.5 sec, which is a fourth
> > > > of the allmodconfig run-time.
> > > >
> > > > Actually, I did not know this shell script
> > > > was so expensive to run...
> > >
> > > So it turns out that one reason it's so expensive to run is that it
> > > does a *lot* more than it claims to do.
> > >
> > > It says "we need a c++ compiler that supports the designated
> > > initializer GNU extension", but then it actually includes a header
> > > file from hell, rather than just test designated initializers.
> > >
> > > This patch makes the cc1plus overhead go down a lot. That said, I'm
> > > doubtful we really want gcc plugins at all, considering that the only
> > > real users have all apparently migrated to clang builtin functionality
> > > instead.
> > >
> > > Linus
> >
> >
> > The attached patch looks OK to me.
> >
> > Just a nit:
> > Now that the test code does not include any header,
> > you can also delete
> > "-I $srctree/gcc-plugins -I $gccplugins_dir/include"
> >
> >
> > If you apply it directly, please feel free to add
> >
> > Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
>
>
> BTW, gcc plugins are always compiled with g++.
>
> Why do we need to compile the following in the first place?
>
> class test {
> public:
> int test;
> } test = {
> .test = 1
> };
>
>
> I think any C++ compiler will succeed
> in compiling such simple code.
>
>
>
> So,
>
> test -e "$gccplugins_dir/include/plugin-version.h"
>
> looks enough to me.
>
>
>
> What is the intention of this compile test?
Yeah, I'd agree: we're just looking for a g++ and plugin-version.h.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL 2/2] Kconfig updates for v5.10-rc1
@ 2020-12-02 0:55 92% ` Kees Cook
1 sibling, 0 replies; 200+ results
From: Kees Cook @ 2020-12-02 0:55 UTC (permalink / raw)
To: Linus Torvalds
Cc: Masahiro Yamada, Emese Revfy, Linux Kbuild mailing list,
Linux Kernel Mailing List
On Sat, Nov 28, 2020 at 10:28:31AM -0800, Linus Torvalds wrote:
> On Fri, Nov 27, 2020 at 11:05 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
> >
> > As for the cc1plus cost, I got a similar result.
> >
> > Running scripts/gcc-plugin.sh directly
> > took me 0.5 sec, which is a fourth
> > of the allmodconfig run-time.
> >
> > Actually, I did not know this shell script
> > was so expensive to run...
>
> So it turns out that one reason it's so expensive to run is that it
> does a *lot* more than it claims to do.
>
> It says "we need a c++ compiler that supports the designated
> initializer GNU extension", but then it actually includes a header
> file from hell, rather than just test designated initializers.
>
> This patch makes the cc1plus overhead go down a lot. That said, I'm
> doubtful we really want gcc plugins at all, considering that the only
> real users have all apparently migrated to clang builtin functionality
> instead.
>
> Linus
> scripts/gcc-plugin.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh
> index b79fd0bea838..59db87bff456 100755
> --- a/scripts/gcc-plugin.sh
> +++ b/scripts/gcc-plugin.sh
> @@ -8,8 +8,8 @@ srctree=$(dirname "$0")
> gccplugins_dir=$($* -print-file-name=plugin)
>
> # we need a c++ compiler that supports the designated initializer GNU extension
> +test -e "$gccplugins_dir/include/plugin-version.h" &&
> $HOSTCC -c -x c++ -std=gnu++98 - -fsyntax-only -I $srctree/gcc-plugins -I $gccplugins_dir/include 2>/dev/null <<EOF
> -#include "gcc-common.h"
> class test {
> public:
> int test;
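Review bot: With the #include "gcc-common.h" line removed from the here-document, the "-I $srctree/gcc-plugins -I $gccplugins_dir/include" options on the $HOSTCC line no longer have any header to locate and can be dropped in the same change. The comment "we need a c++ compiler that supports the designated initializer GNU extension" now sits directly above the new test -e line, which checks that plugin-version.h exists rather than anything about the compiler, so it should be reworded or moved down to the $HOSTCC line.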
I'm fine dropping this -- I think the need for that portion of the
script's test has evaporated as we've brought the minimum GCC version
up into the neighborhood of "modern".
As for dropping GCC plugins entirely, I'd prefer not -- the big hold-out
for the very paranoid system builders is the randstruct plugin (though
they tend to also use the entropy one too). Clang's version of randstruct
has not gotten unstuck yet.
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp fixes for v5.10-rc5
@ 2020-11-20 19:13 90% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-11-20 19:13 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Eric Paris, Jann Horn,
John Paul Adrian Glaubitz, Michael Ellerman,
Mickaël Salaün, Oleg Nesterov, Serge E. Hallyn,
Tyler Hicks, Will Drewry
Hi Linus,
Please pull these seccomp fixes for v5.10-rc5. This gets the seccomp
selftests running again on powerpc and sh, and fixes an audit
reporting oversight noticed in both seccomp and ptrace.
Thanks!
-Kees
The following changes since commit 09162bc32c880a791c6c0668ce0745cf7958f576:
Linux 5.10-rc4 (2020-11-15 16:44:31 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.10-rc5
for you to fetch changes up to 4c222f31fb1db4d590503a181a6268ced9252379:
selftests/seccomp: sh: Fix register names (2020-11-20 11:03:08 -0800)
----------------------------------------------------------------
seccomp fixes for v5.10-rc5
- Fix typos in seccomp selftests on powerpc and sh (Kees Cook)
- Fix PF_SUPERPRIV audit marking in seccomp and ptrace (Mickaël Salaün)
----------------------------------------------------------------
Kees Cook (2):
selftests/seccomp: powerpc: Fix typo in macro variable name
selftests/seccomp: sh: Fix register names
Mickaël Salaün (2):
ptrace: Set PF_SUPERPRIV when checking capability
seccomp: Set PF_SUPERPRIV when checking capability
kernel/ptrace.c | 16 +++++-----------
kernel/seccomp.c | 5 ++---
tools/testing/selftests/seccomp/seccomp_bpf.c | 8 ++++----
3 files changed, 11 insertions(+), 18 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 90%]
* [GIT PULL] orphan-handling fixes for v5.10-rc2
@ 2020-10-27 18:52 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-10-27 18:52 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Nathan Chancellor, Nick Desaulniers, Stephen Rothwell
Hi Linus,
Please pull these orphan-handling fixes for v5.10-rc2. A couple corner
cases were found from the link-time orphan section handling series that
landed via -tip in -rc1. As other folks are busy with other things, I've
collected this to send.
Thanks!
-Kees
The following changes since commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec:
Linux 5.10-rc1 (2020-10-25 15:14:11 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/orphan-handling-v5.10-rc2
for you to fetch changes up to c39866f268f89868df17724cd2262d121552d8c9:
arm/build: Always handle .ARM.exidx and .ARM.extab sections (2020-10-27 11:32:21 -0700)
----------------------------------------------------------------
orphan-handling fixes for v5.10-rc2
- arm: handle .ARM.exidx and .ARM.extab sections (Nathan Chancellor)
- x86: collect .ctors.* with .ctors (Kees Cook)
----------------------------------------------------------------
Kees Cook (1):
vmlinux.lds.h: Keep .ctors.* with .ctors
Nathan Chancellor (1):
arm/build: Always handle .ARM.exidx and .ARM.extab sections
arch/arm/kernel/vmlinux.lds.S | 4 ++++
include/asm-generic/vmlinux.lds.h | 1 +
2 files changed, 5 insertions(+)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] overflow update for v5.10-rc1
@ 2020-10-12 22:38 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-10-12 22:38 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Rasmus Villemoes
Hi Linus,
Please pull this overflow update for v5.10-rc1. This tree is pretty
quiet this last dev cycle, so it's just a single change to help enforce
all callers are actually checking the results of the helpers.
Thanks!
-Kees
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.10-rc1
for you to fetch changes up to 9b80e4c4ddaca3501177ed41e49d0928ba2122a8:
overflow: Add __must_check attribute to check_*() helpers (2020-10-12 15:19:07 -0700)
----------------------------------------------------------------
overflow update for v5.10-rc1
- Add __must_check to check_*_overflow() helpers
----------------------------------------------------------------
Kees Cook (1):
overflow: Add __must_check attribute to check_*() helpers
include/linux/overflow.h | 39 ++++++++++++++++++++++++---------------
1 file changed, 24 insertions(+), 15 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] seccomp updates for v5.10-rc1
@ 2020-10-12 22:15 76% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-10-12 22:15 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Denis Efremov, Hulk Robot,
Jann Horn, Michael Ellerman, Rich Felker, Shuah Khan,
Thadeu Lima de Souza Cascardo, Tycho Andersen, YiFei Zhu,
Zou Wei
Hi Linus,
Please pull these seccomp updates for v5.10-rc1. The bulk of the changes
are with the seccomp selftests to accommodate some powerpc-specific
behavioral characteristics. Additional cleanups, fixes, and improvements
are also included, noted in the tag description.
Thanks!
-Kees
The following changes since commit e839317900e9f13c83d8711d684de88c625b307a:
seccomp: don't leave dangling ->notif if file allocation fails (2020-09-08 11:30:16 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.10-rc1
for you to fetch changes up to dfe719fef03d752f1682fa8aeddf30ba501c8555:
seccomp: Make duplicate listener detection non-racy (2020-10-08 13:17:47 -0700)
----------------------------------------------------------------
seccomp updates for v5.10-rc1
- heavily refactor seccomp selftests (and clone3 selftests dependency) to
fix powerpc (Kees Cook, Thadeu Lima de Souza Cascardo)
- fix style issue in selftests (Zou Wei)
- upgrade "unknown action" from KILL_THREAD to KILL_PROCESS (Rich Felker)
- replace task_pt_regs(current) with current_pt_regs() (Denis Efremov)
- fix corner-case race in USER_NOTIF (Jann Horn)
- make CONFIG_SECCOMP no longer per-arch (YiFei Zhu)
----------------------------------------------------------------
Denis Efremov (1):
seccomp: Use current_pt_regs() instead of task_pt_regs(current)
Jann Horn (1):
seccomp: Make duplicate listener detection non-racy
Kees Cook (18):
selftests/seccomp: Add test for unknown SECCOMP_RET kill behavior
selftests/seccomp: Use __NR_mknodat instead of __NR_mknod
selftests/seccomp: Refactor arch register macros to avoid xtensa special case
selftests/seccomp: Provide generic syscall setting macro
selftests/seccomp: mips: Define SYSCALL_NUM_SET macro
selftests/seccomp: arm: Define SYSCALL_NUM_SET macro
selftests/seccomp: arm64: Define SYSCALL_NUM_SET macro
selftests/seccomp: mips: Remove O32-specific macro
selftests/seccomp: Remove syscall setting #ifdefs
selftests/seccomp: Convert HAVE_GETREG into ARCH_GETREG/ARCH_SETREG
selftests/seccomp: Convert REGSET calls into ARCH_GETREG/ARCH_SETREG
selftests/seccomp: Avoid redundant register flushes
selftests/seccomp: Remove SYSCALL_NUM_RET_SHARE_REG in favor of SYSCALL_RET_SET
selftests/seccomp: powerpc: Fix seccomp return value testing
selftests/seccomp: Record syscall during ptrace entry
selftests/seccomp: Allow syscall nr and ret value to be set separately
selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit
selftests/clone3: Avoid OS-defined clone_args
Rich Felker (1):
seccomp: kill process instead of thread for unknown actions
YiFei Zhu (1):
seccomp: Move config option SECCOMP to arch/Kconfig
Zou Wei (1):
selftests/seccomp: Use bitwise instead of arithmetic operator for flags
arch/Kconfig | 30 ++
arch/arm/Kconfig | 15 +-
arch/arm64/Kconfig | 13 -
arch/csky/Kconfig | 13 -
arch/microblaze/Kconfig | 18 +-
arch/mips/Kconfig | 17 -
arch/parisc/Kconfig | 16 -
arch/powerpc/Kconfig | 17 -
arch/riscv/Kconfig | 13 -
arch/s390/Kconfig | 17 -
arch/sh/Kconfig | 16 -
arch/sparc/Kconfig | 18 +-
arch/um/Kconfig | 16 -
arch/x86/Kconfig | 16 -
arch/xtensa/Kconfig | 14 -
kernel/seccomp.c | 64 ++-
tools/testing/selftests/clone3/clone3.c | 45 +--
.../clone3/clone3_cap_checkpoint_restore.c | 4 +-
.../selftests/clone3/clone3_clear_sighand.c | 2 +-
tools/testing/selftests/clone3/clone3_selftests.h | 24 +-
tools/testing/selftests/clone3/clone3_set_tid.c | 4 +-
tools/testing/selftests/pidfd/pidfd_setns_test.c | 2 +-
tools/testing/selftests/seccomp/seccomp_bpf.c | 440 +++++++++++++--------
23 files changed, 397 insertions(+), 437 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 76%]
* [GIT PULL] seccomp fixes for v5.9-rc5
@ 2020-09-12 0:20 92% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-09-12 0:20 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Christian Brauner, Kees Cook,
syzbot+3ad9614a12f80994c32e, Tycho Andersen
Hi Linus,
Please pull these seccomp fixes for v5.9-rc5. This fixes a rare race
condition in seccomp when using TSYNC and USER_NOTIF together where a
memory allocation would not get freed (found by syzkaller, fixed by
Tycho). Additionally updates Tycho's MAINTAINERS and .mailmap entries
for his new address.
Thanks!
-Kees
The following changes since commit d012a7190fc1fd72ed48911e77ca97ba4521bccd:
Linux 5.9-rc2 (2020-08-23 14:08:43 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.9-rc5
for you to fetch changes up to e839317900e9f13c83d8711d684de88c625b307a:
seccomp: don't leave dangling ->notif if file allocation fails (2020-09-08 11:30:16 -0700)
----------------------------------------------------------------
seccomp fixes for v5.9-rc5
- Fix memory resource leak of user_notif under TSYNC race (Tycho Andersen)
----------------------------------------------------------------
Tycho Andersen (3):
seccomp: don't leak memory when filter install races
mailmap, MAINTAINERS: move to tycho.pizza
seccomp: don't leave dangling ->notif if file allocation fails
.mailmap | 1 +
MAINTAINERS | 2 +-
kernel/seccomp.c | 24 ++++++++++++++++++------
3 files changed, 20 insertions(+), 7 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] USB fixes for 5.9-rc3
@ 2020-08-26 15:57 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-08-26 15:57 UTC (permalink / raw)
To: Greg KH
Cc: Marek Szyprowski, Brooke Basile, Linus Torvalds, Andrew Morton,
linux-kernel, linux-usb, Ilja Van Sprundel, Felipe Balbi,
Bartlomiej Zolnierkiewicz
On Wed, Aug 26, 2020 at 05:33:47PM +0200, Greg KH wrote:
> On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > Hi Greg,
> >
> > On 26.08.2020 15:43, Greg KH wrote:
> > > The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
> > >
> > > Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
> > >
> > > are available in the Git repository at:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git tags/usb-5.9-rc3
> > >
> > > for you to fetch changes up to 23e26d0577535f5ffe4ff8ed6d06e009553c0bca:
> > >
> > > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures (2020-08-25 16:02:35 +0200)
> > >
> > > ----------------------------------------------------------------
> > > USB fixes for 5.9-rc3
> > >
> > > Here are a small set of USB fixes for 5.9-rc3.
> > >
> > > > Like most sets of USB bugfixes, they include the usual:
> > > > - usb gadget driver fixes
> > > > - xhci driver fixes
> > > > - typec fixes
> > > > - new quirks and ids
> > > - fixes for USB patches merged in 5.9-rc1
> > >
> > > Nothing huge, all of these have been in linux-next with no reported
> > > issues:
> > >
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > >
> > > ----------------------------------------------------------------
> > > Alan Stern (1):
> > > USB: yurex: Fix bad gfp argument
> > >
> > > Andy Shevchenko (1):
> > > usb: hcd: Fix use after free in usb_hcd_pci_remove()
> > >
> > > Badhri Jagan Sridharan (1):
> > > usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures
> > >
> > > Bastien Nocera (2):
> > > USB: Also match device drivers using the ->match vfunc
> > > USB: Fix device driver race
> > >
> > > Brooke Basile (2):
> > > USB: gadget: u_f: add overflow checks to VLA macros
> >
> > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > didn't get the proper testing in linux-next (next-20200826 is the first
> > one with this patch).
> >
> > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > g_ether module loaded:
> >
> > ------------[ cut here ]------------
> > kernel BUG at mm/slub.c:4116!
>
> Why is slub.c erroring? How is this related to freeing memory?
I assume this is related to the size calculations in the VLA macros...
nothing _looks_ wrong with that patch, but obviously something is. :)
Hmmm
--
Kees Cook
^ permalink raw reply [relevance 92%]
* Re: [GIT PULL] mailmap update for v5.9-rc2
@ 2020-08-18 21:57 92% ` Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-08-18 21:57 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Linux Kernel Mailing List, WeiXiong Liao
On Mon, Aug 17, 2020 at 05:32:32PM -0700, Linus Torvalds wrote:
> If you want dictionary sorting you'd use "sort -d".
>
> But the commit message says "sort -f".
O_o Err, I don't know how that happened. I must have cut/pasted into the
commit log from my command history at the wrong place or something. Sorry
about that and thanks for the pull!
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] mailmap update for v5.9-rc2
@ 2020-08-17 23:27 92% Kees Cook
0 siblings, 1 reply; 200+ results
From: Kees Cook @ 2020-08-17 23:27 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, WeiXiong Liao
Hi Linus,
Please pull this mailmap update for v5.9-rc2. This was originally part of
my pstore tree, but when I realized that mailmap needed re-alphabetizing,
I decided to wait until -rc1 to send this, as I saw a lot of mailmap
additions pending in -next for the merge window. It's a programmatic
reordering and the addition of a pstore contributor's preferred email
address.
Thanks!
-Kees
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.9-rc2
for you to fetch changes up to 5a4fe0624687e62919a5913dc7c937fbfcf61fdc:
mailmap: Add WeiXiong Liao (2020-08-17 14:32:44 -0700)
----------------------------------------------------------------
mailmap alphabetizing and addition
----------------------------------------------------------------
Kees Cook (2):
mailmap: Restore dictionary sorting
mailmap: Add WeiXiong Liao
.mailmap | 115 ++++++++++++++++++++++++++++++++-------------------------------
1 file changed, 58 insertions(+), 57 deletions(-)
--
Kees Cook
^ permalink raw reply [relevance 92%]
* [GIT PULL] kallsyms_show_value-fix updates for v5.9-rc1
@ 2020-08-07 19:55 88% Kees Cook
0 siblings, 0 replies; 200+ results
From: Kees Cook @ 2020-08-07 19:55 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Greg Kroah-Hartman, Jessica Yu, kernel test robot,
Shuah Khan
Hi Linus,
Please pull this fix to my kallsyms_show_value() refactoring for
v5.9-rc1. About a month after the original refactoring landed, 0day
noticed that there was a path through the kernfs binattr read handlers
that did not have PAGE_SIZEd buffers, and the module "sections" read
handler made a bad assumption about this, resulting in it stomping on
memory when reached through small-sized splice() calls. I've added a set
of tests to find these kinds of regressions more quickly in the future
as well.
Thanks!
-Kees
The following changes since commit bcf876870b95592b52519ed4aafcf9d95999bc9c:
Linux 5.8 (2020-08-02 14:21:45 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kallsyms_show_value-fix-v5.9-rc1
for you to fetch changes up to 9af47666cb0f331bfcd76799ee368cdfcb00882c:
selftests: splice: Check behavior of full and short splices (2020-08-07 10:50:11 -0700)
----------------------------------------------------------------
Fix sysfs module section output overflow
----------------------------------------------------------------
Kees Cook (2):
module: Correctly truncate sysfs sections output
selftests: splice: Check behavior of full and short splices
kernel/module.c | 22 +++++++--
tools/testing/selftests/splice/.gitignore | 1 +
tools/testing/selftests/splice/Makefile | 4 +-
tools/testing/selftests/splice/config | 1 +
tools/testing/selftests/splice/settings | 1 +
.../testing/selftests/splice/short_splice_read.sh | 56 +++++++++++++++++++++
tools/testing/selftests/splice/splice_read.c | 57 ++++++++++++++++++++++
7 files changed, 137 insertions(+), 5 deletions(-)
create mode 100644 tools/testing/selftests/splice/config
create mode 100644 tools/testing/selftests/splice/settings
create mode 100755 tools/testing/selftests/splice/short_splice_read.sh
create mode 100644 tools/testing/selftests/splice/splice_read.c
--
Kees Cook
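The failure mode described in the pull request above (a read handler that assumes a page-sized buffer, reached with a much smaller one) can be modelled in userspace. This is an added illustration, not code from the kernel or from the email; the handler names, the canary arena and the sample address are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "0x" + 16 hex digits + "\n": the longest line either handler emits. */
#define SECT_LINE_MAX (2 + 16 + 1)
/* Constructed sample address, not taken from any real system. */
#define SAMPLE_ADDR 0xffffffffc0123000ULL

typedef long (*sect_read_fn)(char *buf, size_t count, unsigned long long addr);

/* Before: trusts that buf can always hold a full line and ignores count. */
static long sect_read_unchecked(char *buf, size_t count, unsigned long long addr)
{
    (void)count;
    return sprintf(buf, "0x%016llx\n", addr);
}

/* After: format into a local bounce buffer, then copy at most count bytes. */
static long sect_read_truncated(char *buf, size_t count, unsigned long long addr)
{
    char bounce[SECT_LINE_MAX + 1];
    size_t wrote;
    int n = snprintf(bounce, sizeof(bounce), "0x%016llx\n", addr);

    if (n < 0)
        return -1;
    wrote = (size_t)n < sizeof(bounce) ? (size_t)n : sizeof(bounce) - 1;
    if (count > wrote)
        count = wrote;
    memcpy(buf, bounce, count);
    return (long)count;
}

struct probe {
    long ret;        /* value returned by the handler */
    size_t stomped;  /* bytes modified beyond the first count bytes */
};

/*
 * Run a handler against a canary-filled arena while telling it that only
 * the first count bytes (count <= 64) belong to the caller. The arena is
 * large enough that the unchecked handler's overrun stays inside it, so the
 * overrun can be counted without undefined behaviour.
 */
static struct probe probe_handler(sect_read_fn fn, size_t count)
{
    unsigned char arena[64];
    struct probe p = { 0, 0 };
    size_t i;

    memset(arena, 0xAA, sizeof(arena));
    p.ret = fn((char *)arena, count, SAMPLE_ADDR);
    for (i = count; i < sizeof(arena); i++)
        if (arena[i] != 0xAA)
            p.stomped++;
    return p;
}

int main(void)
{
    struct probe a = probe_handler(sect_read_unchecked, 4);
    struct probe b = probe_handler(sect_read_truncated, 4);

    printf("unchecked: returned %ld, stomped %zu bytes past a 4-byte buffer\n",
           a.ret, a.stomped);
    printf("truncated: returned %ld, stomped %zu bytes past a 4-byte buffer\n",
           b.ret, b.stomped);
    return 0;
}
```

A regression test for this class of bug drives the handler with several read sizes, including ones smaller than a single output line, and checks both the returned length and the memory around the buffer.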
* [GIT PULL] seccomp update for v5.9-rc1-fix1
@ 2020-08-07 19:46 92% Kees Cook
From: Kees Cook @ 2020-08-07 19:46 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alex Xu (Hello71),
Christian Zigotzky, Thadeu Lima de Souza Cascardo
Hi Linus,
Please pull this seccomp update for v5.9-rc1-fix1. This fixes my typo in
the SCM_RIGHTS refactoring, thanks to Thadeu Lima de Souza Cascardo for
tracking it down, and to Christian Zigotzky and Alex Xu for their
reports.
Thanks!
-Kees
The following changes since commit 25d8d4eecace9de5a6a2193e4df1917afbdd3052:
Merge tag 'powerpc-5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux (2020-08-07 10:33:50 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.9-rc1-fix1
for you to fetch changes up to 16b89f695313d91c99bdaf6898f28a51d0af1b17:
net/scm: Fix typo in SCM_RIGHTS compat refactoring (2020-08-07 12:43:25 -0700)
----------------------------------------------------------------
Fix SCM_RIGHTS compat mode
----------------------------------------------------------------
Kees Cook (1):
net/scm: Fix typo in SCM_RIGHTS compat refactoring
net/compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] seccomp updates for v5.9-rc1
@ 2020-08-03 19:39 74% Kees Cook
From: Kees Cook @ 2020-08-03 19:39 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Aleksa Sarai, Chris Palmer, Christian Brauner,
Christoph Hellwig, Matt Denton, Robert Sesek,
Thadeu Lima de Souza Cascardo, Sargun Dhillon, Shuah Khan,
Tycho Andersen, Will Deacon, Will Drewry, Yonghong Song
Hi Linus,
Please pull these seccomp updates for v5.9-rc1. There are a bunch of
clean ups and selftest improvements along with two major updates to the
SECCOMP_RET_USER_NOTIF filter return: EPOLLHUP support to more easily
detect the death of a monitored process, and being able to inject fds when
intercepting syscalls that expect an fd-opening side-effect (needed by
both container folks and Chrome). The latter continued the refactoring
of __scm_install_fd() started by Christoph, and in the process found
and fixed a handful of bugs in various callers.
Thanks!
-Kees
The following changes since commit b3a9e3b9622ae10064826dccb4f7a52bd88c7407:
Linux 5.8-rc1 (2020-06-14 12:45:04 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.9-rc1
for you to fetch changes up to c97aedc52dce4c87d4c44de4e6af941cd102600c:
selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD (2020-07-14 16:30:22 -0700)
----------------------------------------------------------------
seccomp updates for v5.9-rc1
- Improved selftest coverage, timeouts, and reporting
- Add EPOLLHUP support for SECCOMP_RET_USER_NOTIF (Christian Brauner)
- Refactor __scm_install_fd() into __receive_fd() and fix buggy callers
- Introduce "addfd" command for SECCOMP_RET_USER_NOTIF (Sargun Dhillon)
----------------------------------------------------------------
Christian Brauner (5):
seccomp: rename "usage" to "refs" and document
seccomp: release filter after task is fully dead
seccomp: Lift wait_queue into struct seccomp_filter
seccomp: notify about unused filter
selftests/seccomp: Check for EPOLLHUP for user_notif
Kees Cook (21):
selftests/seccomp: Rename XFAIL to SKIP
selftests/seccomp: Add SKIPs for failed unshare()
selftests/seccomp: Set NNP for TSYNC ESRCH flag test
seccomp: Report number of loaded filters in /proc/$pid/status
selftests/seccomp: Expand benchmark to per-filter measurements
selftests/seccomp: Improve calibration loop
seccomp: Use pr_fmt
selftests/seccomp: Make kcmp() less required
selftests/seccomp: Rename user_trap_syscall() to user_notif_syscall()
seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID
seccomp: Use -1 marker for end of mode 1 syscall list
selftests/harness: Clean up kern-doc for fixtures
selftests/seccomp: Refactor to use fixture variants
selftests/seccomp: Check ENOSYS under tracing
net/compat: Add missing sock updates for SCM_RIGHTS
pidfd: Add missing sock updates for pidfd_getfd()
net/scm: Regularize compat handling of scm_detach_fds()
fs: Move __scm_install_fd() to __receive_fd()
fs: Add receive_fd() wrapper for __receive_fd()
pidfd: Replace open-coded receive_fd()
fs: Expand __receive_fd() to accept existing fd
Sargun Dhillon (3):
seccomp: Add find_notification helper
seccomp: Introduce addfd ioctl to seccomp user notifier
selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD
Thadeu Lima de Souza Cascardo (1):
selftests/seccomp: use 90s as timeout
arch/mips/include/asm/seccomp.h | 4 +-
fs/file.c | 61 ++
fs/proc/array.c | 2 +
include/asm-generic/seccomp.h | 2 +-
include/linux/file.h | 19 +
include/linux/seccomp.h | 10 +-
include/net/sock.h | 4 +
include/uapi/linux/seccomp.h | 25 +-
init/init_task.c | 3 +
kernel/exit.c | 1 +
kernel/fork.c | 1 -
kernel/pid.c | 14 +-
kernel/seccomp.c | 376 ++++++++---
net/compat.c | 55 +-
net/core/scm.c | 50 +-
net/core/sock.c | 21 +
tools/testing/selftests/kselftest_harness.h | 15 +-
tools/testing/selftests/seccomp/config | 1 +
.../testing/selftests/seccomp/seccomp_benchmark.c | 80 ++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 708 +++++++++++++++------
tools/testing/selftests/seccomp/settings | 1 +
21 files changed, 1061 insertions(+), 392 deletions(-)
create mode 100644 tools/testing/selftests/seccomp/settings
--
Kees Cook
* [GIT PULL] Remove uninitialized_var() for v5.9-rc1
@ 2020-08-03 19:16 50% Kees Cook
From: Kees Cook @ 2020-08-03 19:16 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Bart van Assche, Chao Yu, Gustavo A. R. Silva,
Jason Gunthorpe, Jason Yan, Joe Perches, Jonathan Corbet,
Kalle Valo, Kees Cook, Leon Romanovsky, Linus Torvalds,
linux-doc, Mark Brown, Miguel Ojeda, Nathan Chancellor,
Nick Desaulniers, Sedat Dilek, Stephen Boyd
Hi Linus,
Please pull this uninitialized_var() macro removal series for v5.9-rc1.
This is long overdue, and has hidden too many bugs over the years. The
series has several "by hand" fixes, and then a trivial treewide
replacement. As you might imagine, this had a few conflicts while
living in -next. Resolution is easy, of course: just remove any
uninitialized_var() wrappings, but if you want to see the specifics,
they are:
kernel/debug/kdb/kdb_io.c
https://lore.kernel.org/linux-next/20200629154305.0067d113@canb.auug.org.au/
drivers/gpu/drm/drm_edid.c
https://lore.kernel.org/linux-next/20200703143550.7ebbe771@canb.auug.org.au/
net/ipv6/ip6_flowlabel.c
https://lore.kernel.org/linux-next/20200727192721.53af345a@canb.auug.org.au/
drivers/infiniband/core/uverbs_cmd.c
https://lore.kernel.org/linux-next/20200728184520.5634a0a0@canb.auug.org.au/
If you prefer, I can rebase and re-run my script, but your default
position has been to let you deal with conflicts, so here we are. :)
Thanks!
-Kees
The following changes since commit 9ebcfadb0610322ac537dd7aa5d9cbc2b2894c68:
Linux 5.8-rc3 (2020-06-28 15:00:24 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/uninit-macro-v5.9-rc1
for you to fetch changes up to 63a0895d960aa3d3653ef0ecad5bd8579388f14b:
compiler: Remove uninitialized_var() macro (2020-07-16 12:35:31 -0700)
----------------------------------------------------------------
Remove uninitialized_var() macro for v5.9-rc1
- Clean up non-trivial uses of uninitialized_var()
- Update documentation and checkpatch for uninitialized_var() removal
- Treewide removal of uninitialized_var()
----------------------------------------------------------------
Jason Yan (1):
f2fs: Eliminate usage of uninitialized_var() macro
Kees Cook (15):
docs: deprecated.rst: Add uninitialized_var()
x86/mm/numa: Remove uninitialized_var() usage
drbd: Remove uninitialized_var() usage
b43: Remove uninitialized_var() usage
rtlwifi: rtl8192cu: Remove uninitialized_var() usage
ide: Remove uninitialized_var() usage
spi: davinci: Remove uninitialized_var() usage
clk: st: Remove uninitialized_var() usage
clk: spear: Remove uninitialized_var() usage
KVM: PPC: Book3S PR: Remove uninitialized_var() usage
media: sur40: Remove uninitialized_var() usage
mm/debug_vm_pgtable: Remove uninitialized_var() usage
checkpatch: Remove awareness of uninitialized_var() macro
treewide: Remove uninitialized_var() usage
compiler: Remove uninitialized_var() macro
Documentation/process/deprecated.rst | 18 ++++++++++++++++++
arch/arm/mach-sa1100/assabet.c | 2 +-
arch/arm/mm/alignment.c | 2 +-
arch/ia64/kernel/process.c | 2 +-
arch/ia64/mm/discontig.c | 2 +-
arch/ia64/mm/tlb.c | 2 +-
arch/mips/lib/dump_tlb.c | 2 +-
arch/mips/mm/init.c | 2 +-
arch/mips/mm/tlb-r4k.c | 6 +++---
arch/powerpc/kvm/book3s_64_mmu_radix.c | 2 +-
arch/powerpc/kvm/book3s_pr.c | 3 ---
arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/platforms/52xx/mpc52xx_pic.c | 2 +-
arch/s390/kernel/smp.c | 2 +-
arch/x86/kernel/quirks.c | 10 +++++-----
arch/x86/kvm/mmu/mmu.c | 2 +-
arch/x86/kvm/mmu/paging_tmpl.h | 2 +-
arch/x86/kvm/x86.c | 2 +-
arch/x86/mm/numa.c | 18 +++++++++---------
block/blk-merge.c | 2 +-
drivers/acpi/acpi_pad.c | 2 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/atm/zatm.c | 2 +-
drivers/block/drbd/drbd_nl.c | 6 +++---
drivers/block/drbd/drbd_state.c | 2 +-
drivers/block/rbd.c | 2 +-
drivers/clk/clk-gate.c | 2 +-
drivers/clk/spear/clk-vco-pll.c | 2 +-
drivers/clk/st/clkgen-fsyn.c | 1 -
drivers/firewire/ohci.c | 14 +++++++-------
drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
drivers/gpu/drm/drm_edid.c | 2 +-
drivers/gpu/drm/exynos/exynos_drm_dsi.c | 6 +++---
drivers/gpu/drm/i915/display/intel_fbc.c | 2 +-
drivers/gpu/drm/i915/gt/intel_lrc.c | 2 +-
drivers/gpu/drm/i915/intel_uncore.c | 2 +-
drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 4 ++--
drivers/i2c/busses/i2c-rk3x.c | 2 +-
drivers/ide/ide-acpi.c | 2 +-
drivers/ide/ide-atapi.c | 2 +-
drivers/ide/ide-io-std.c | 4 ++--
drivers/ide/ide-io.c | 8 ++++----
drivers/ide/ide-sysfs.c | 2 +-
drivers/ide/ide-taskfile.c | 1 -
drivers/ide/umc8672.c | 2 +-
drivers/idle/intel_idle.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 4 ++--
drivers/infiniband/hw/cxgb4/cm.c | 2 +-
drivers/infiniband/hw/cxgb4/cq.c | 2 +-
drivers/infiniband/hw/mlx4/qp.c | 6 +++---
drivers/infiniband/hw/mlx5/cq.c | 6 +++---
drivers/infiniband/hw/mlx5/devx.c | 2 +-
drivers/infiniband/hw/mlx5/wr.c | 2 +-
drivers/infiniband/hw/mthca/mthca_qp.c | 10 +++++-----
drivers/infiniband/sw/siw/siw_qp_rx.c | 2 +-
drivers/input/serio/serio_raw.c | 2 +-
drivers/input/touchscreen/sur40.c | 4 +---
drivers/iommu/intel/iommu.c | 2 +-
drivers/md/dm-io.c | 2 +-
drivers/md/dm-ioctl.c | 2 +-
drivers/md/dm-snap-persistent.c | 2 +-
drivers/md/dm-table.c | 2 +-
drivers/md/dm-writecache.c | 2 +-
drivers/md/raid5.c | 2 +-
drivers/media/dvb-frontends/rtl2832.c | 2 +-
drivers/media/tuners/qt1010.c | 4 ++--
drivers/media/usb/gspca/vicam.c | 2 +-
drivers/media/usb/uvc/uvc_video.c | 8 ++++----
drivers/memstick/host/jmb38x_ms.c | 2 +-
drivers/memstick/host/tifm_ms.c | 2 +-
drivers/mmc/host/sdhci.c | 2 +-
drivers/mtd/nand/raw/nand_ecc.c | 2 +-
drivers/mtd/nand/raw/s3c2410.c | 2 +-
drivers/mtd/parsers/afs.c | 4 ++--
drivers/mtd/ubi/eba.c | 2 +-
drivers/net/can/janz-ican3.c | 2 +-
drivers/net/ethernet/broadcom/bnx2.c | 4 ++--
drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 4 ++--
drivers/net/ethernet/neterion/s2io.c | 2 +-
drivers/net/ethernet/qlogic/qla3xxx.c | 2 +-
drivers/net/ethernet/sun/cassini.c | 2 +-
drivers/net/ethernet/sun/niu.c | 6 +++---
drivers/net/wan/z85230.c | 2 +-
drivers/net/wireless/ath/ath10k/core.c | 2 +-
drivers/net/wireless/ath/ath6kl/init.c | 2 +-
drivers/net/wireless/ath/ath9k/init.c | 2 +-
drivers/net/wireless/broadcom/b43/debugfs.c | 2 +-
drivers/net/wireless/broadcom/b43/dma.c | 2 +-
drivers/net/wireless/broadcom/b43/lo.c | 2 +-
drivers/net/wireless/broadcom/b43/phy_n.c | 4 ++--
drivers/net/wireless/broadcom/b43/xmit.c | 12 ++++++------
drivers/net/wireless/broadcom/b43legacy/debugfs.c | 2 +-
drivers/net/wireless/broadcom/b43legacy/main.c | 2 +-
drivers/net/wireless/intel/iwlegacy/3945.c | 2 +-
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 +-
drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 8 ++++----
drivers/pci/pcie/aer.c | 2 +-
drivers/platform/x86/hdaps.c | 4 ++--
drivers/scsi/dc395x.c | 2 +-
drivers/scsi/pm8001/pm8001_hwi.c | 2 +-
drivers/scsi/pm8001/pm80xx_hwi.c | 2 +-
drivers/spi/spi-davinci.c | 1 -
drivers/ssb/driver_chipcommon.c | 4 ++--
drivers/tty/cyclades.c | 2 +-
drivers/tty/isicom.c | 2 +-
drivers/usb/musb/cppi_dma.c | 2 +-
drivers/usb/storage/sddr55.c | 4 ++--
drivers/vhost/net.c | 6 +++---
drivers/video/fbdev/matrox/matroxfb_maven.c | 6 +++---
drivers/video/fbdev/pm3fb.c | 6 +++---
drivers/video/fbdev/riva/riva_hw.c | 3 +--
drivers/virtio/virtio_ring.c | 6 +++---
fs/afs/dir.c | 2 +-
fs/afs/security.c | 2 +-
fs/dlm/netlink.c | 2 +-
fs/erofs/data.c | 4 ++--
fs/erofs/zdata.c | 2 +-
fs/f2fs/data.c | 4 +---
fs/fat/dir.c | 2 +-
fs/fuse/control.c | 4 ++--
fs/fuse/cuse.c | 2 +-
fs/fuse/file.c | 2 +-
fs/gfs2/aops.c | 2 +-
fs/gfs2/bmap.c | 2 +-
fs/gfs2/lops.c | 2 +-
fs/hfsplus/unicode.c | 2 +-
fs/isofs/namei.c | 4 ++--
fs/jffs2/erase.c | 2 +-
fs/nfsd/nfsctl.c | 2 +-
fs/ocfs2/alloc.c | 4 ++--
fs/ocfs2/dir.c | 14 +++++++-------
fs/ocfs2/extent_map.c | 4 ++--
fs/ocfs2/namei.c | 2 +-
fs/ocfs2/refcounttree.c | 2 +-
fs/ocfs2/xattr.c | 2 +-
fs/omfs/file.c | 2 +-
fs/overlayfs/copy_up.c | 2 +-
fs/ubifs/commit.c | 6 +++---
fs/ubifs/dir.c | 2 +-
fs/ubifs/file.c | 4 ++--
fs/ubifs/journal.c | 4 ++--
fs/ubifs/lpt.c | 2 +-
fs/ubifs/tnc.c | 6 +++---
fs/ubifs/tnc_misc.c | 4 ++--
fs/udf/balloc.c | 2 +-
fs/xfs/xfs_bmap_util.c | 2 +-
include/linux/compiler-clang.h | 2 --
include/linux/compiler-gcc.h | 6 ------
include/linux/page-flags-layout.h | 4 +++-
include/net/flow_offload.h | 2 +-
kernel/async.c | 4 ++--
kernel/audit.c | 2 +-
kernel/debug/kdb/kdb_io.c | 2 +-
kernel/dma/debug.c | 2 +-
kernel/events/core.c | 2 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 2 +-
kernel/futex.c | 14 +++++++-------
kernel/locking/lockdep.c | 16 ++++++++--------
kernel/trace/ring_buffer.c | 2 +-
lib/radix-tree.c | 2 +-
lib/test_lockup.c | 2 +-
mm/debug_vm_pgtable.c | 2 +-
mm/frontswap.c | 2 +-
mm/ksm.c | 2 +-
mm/memcontrol.c | 2 +-
mm/memory.c | 2 +-
mm/mempolicy.c | 4 ++--
mm/page_alloc.c | 2 +-
mm/percpu.c | 2 +-
mm/slub.c | 4 ++--
mm/swap.c | 4 ++--
net/dccp/options.c | 2 +-
net/ipv4/netfilter/nf_socket_ipv4.c | 6 +++---
net/ipv6/ip6_flowlabel.c | 2 +-
net/ipv6/netfilter/nf_socket_ipv6.c | 2 +-
net/netfilter/nf_conntrack_ftp.c | 2 +-
net/netfilter/nfnetlink_log.c | 2 +-
net/netfilter/nfnetlink_queue.c | 4 ++--
net/sched/cls_flow.c | 2 +-
net/sched/sch_cake.c | 2 +-
net/sched/sch_cbq.c | 2 +-
net/sched/sch_fq_codel.c | 2 +-
net/sched/sch_fq_pie.c | 2 +-
net/sched/sch_hfsc.c | 2 +-
net/sched/sch_htb.c | 2 +-
net/sched/sch_sfq.c | 2 +-
net/sunrpc/svcsock.c | 4 ++--
net/sunrpc/xprtsock.c | 10 +++++-----
net/tls/tls_sw.c | 2 +-
scripts/checkpatch.pl | 16 +++++-----------
sound/core/control_compat.c | 2 +-
sound/isa/sb/sb16_csp.c | 2 +-
sound/usb/endpoint.c | 2 +-
tools/include/linux/compiler.h | 2 --
tools/virtio/linux/kernel.h | 2 --
196 files changed, 321 insertions(+), 330 deletions(-)
--
Kees Cook
* [GIT PULL] tasklets updates for v5.9-rc1
@ 2020-08-03 19:05 85% Kees Cook
From: Kees Cook @ 2020-08-03 19:05 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Allen Pais, Greg Kroah-Hartman, Kees Cook,
Romain Perier, Thomas Gleixner
Hi Linus,
Please pull these tasklets updates for v5.9-rc1. These are the
infrastructure updates needed to support converting the tasklet API
to something more modern (and hopefully for removal further down the
road). There is a 300-patch series waiting in the wings to get set out
to subsystem maintainers, but these changes need to be present in the
kernel first. Since this has some treewide changes, I carried this series
for -next instead of paining Thomas with it in -tip, but it's got his Ack.
This is similar to the timer_struct modernization from a while back, but
not nearly as messy (I hope). :)
Thanks!
-Kees
The following changes since commit 11ba468877bb23f28956a35e896356252d63c983:
Linux 5.8-rc5 (2020-07-12 16:34:50 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/tasklets-v5.9-rc1
for you to fetch changes up to 12cc923f1ccc1df467e046b02a72c2b3b321b6a2:
tasklet: Introduce new initialization API (2020-07-30 11:16:01 -0700)
----------------------------------------------------------------
tasklets API update for v5.9-rc1
- Prepare for tasklet API modernization (Romain Perier, Allen Pais, Kees Cook)
----------------------------------------------------------------
Kees Cook (2):
usb: gadget: udc: Avoid tasklet passing a global
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
Romain Perier (1):
tasklet: Introduce new initialization API
drivers/input/keyboard/omap-keypad.c | 2 +-
drivers/input/serio/hil_mlc.c | 2 +-
drivers/net/wan/farsync.c | 4 ++--
drivers/s390/crypto/ap_bus.c | 2 +-
drivers/staging/most/dim2/dim2.c | 2 +-
drivers/staging/octeon/ethernet-tx.c | 2 +-
drivers/tty/vt/keyboard.c | 2 +-
drivers/usb/gadget/udc/snps_udc_core.c | 6 ++---
drivers/usb/host/fhci-sched.c | 2 +-
include/linux/interrupt.h | 41 +++++++++++++++++++++++++++++-----
kernel/backtracetest.c | 2 +-
kernel/debug/debug_core.c | 2 +-
kernel/irq/resend.c | 2 +-
kernel/softirq.c | 18 ++++++++++++++-
net/atm/pppoatm.c | 2 +-
net/iucv/iucv.c | 2 +-
sound/drivers/pcsp/pcsp_lib.c | 2 +-
17 files changed, 70 insertions(+), 25 deletions(-)
--
Kees Cook
* [GIT PULL] var-init update for v5.9-rc1
@ 2020-08-03 18:57 92% Kees Cook
From: Kees Cook @ 2020-08-03 18:57 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander Potapenko, Greg Kroah-Hartman, Kees Cook,
Maciej Żenczykowski, Nick Desaulniers
Hi Linus,
Please pull this var-init update for v5.9-rc1. (This is the tree formerly
known as "mem-init", which you correctly pointed out was not a good
name.) This adds the "zero" init option from Clang, which is being used
widely in production builds of Android and Chrome OS (though it keeps the
"pattern" init, which is better for debug builds).
Thanks!
-Kees
The following changes since commit b3a9e3b9622ae10064826dccb4f7a52bd88c7407:
Linux 5.8-rc1 (2020-06-14 12:45:04 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/var-init-v5.9-rc1
for you to fetch changes up to f0fe00d4972a8cd4b98cc2c29758615e4d51cdfe:
security: allow using Clang's zero initialization for stack variables (2020-06-16 02:06:23 -0700)
----------------------------------------------------------------
Automatic variable initialization updates for v5.9-rc1
- Introduce CONFIG_INIT_STACK_ALL_ZERO (Alexander Potapenko)
----------------------------------------------------------------
glider@google.com (1):
security: allow using Clang's zero initialization for stack variables
Makefile | 13 +++++++++++--
init/main.c | 12 +++++++-----
security/Kconfig.hardening | 29 +++++++++++++++++++++++++----
3 files changed, 43 insertions(+), 11 deletions(-)
--
Kees Cook
* [GIT PULL] gcc-plugins updates for v5.9-rc1
@ 2020-08-03 18:51 90% Kees Cook
From: Kees Cook @ 2020-08-03 18:51 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexander A. Klimov, Alexander Popov, Kees Cook,
Miguel Ojeda
Hi Linus,
Please pull these gcc-plugins updates for v5.9-rc1. It is primarily
improvements to STACKLEAK from Alexander Popov, along with some additional
cleanups.
Thanks!
-Kees
The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110:
Linux 5.8-rc2 (2020-06-21 15:45:29 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.9-rc1
for you to fetch changes up to 496b24ec6d47f2d304a0c5836ba4b1bb5d30bab8:
gcc-plugins: Replace HTTP links with HTTPS ones (2020-07-13 09:29:09 -0700)
----------------------------------------------------------------
GCC plugins updates for v5.9-rc1
- Update URLs for HTTPS scheme where available (Alexander A. Klimov)
- Improve STACKLEAK code generation on x86 (Alexander Popov)
----------------------------------------------------------------
Alexander A. Klimov (1):
gcc-plugins: Replace HTTP links with HTTPS ones
Alexander Popov (4):
gcc-plugins/stackleak: Don't instrument itself
ARM: vdso: Don't use gcc plugins for building vgettimeofday.c
gcc-plugins/stackleak: Use asm instrumentation to avoid useless register saving
gcc-plugins/stackleak: Add 'verbose' plugin parameter
arch/arm/vdso/Makefile | 2 +-
include/linux/compiler_attributes.h | 13 ++
kernel/Makefile | 1 +
kernel/stackleak.c | 16 +-
scripts/Makefile.gcc-plugins | 2 +
scripts/gcc-plugins/cyc_complexity_plugin.c | 2 +-
scripts/gcc-plugins/sancov_plugin.c | 2 +-
scripts/gcc-plugins/stackleak_plugin.c | 248 ++++++++++++++++++++++++----
scripts/gcc-plugins/structleak_plugin.c | 2 +-
9 files changed, 241 insertions(+), 47 deletions(-)
--
Kees Cook
* [GIT PULL] pstore update for v5.9-rc1
@ 2020-08-03 18:46 92% Kees Cook
From: Kees Cook @ 2020-08-03 18:46 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Kees Cook, Matteo Croce
Hi Linus,
Please pull this tiny pstore update for v5.9-rc1, which fixes a very
corner-case build failure.
Thanks!
-Kees
The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110:
Linux 5.8-rc2 (2020-06-21 15:45:29 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.9-rc1
for you to fetch changes up to fd49e03280e596e54edb93a91bc96170f8e97e4a:
pstore: Fix linking when crypto API disabled (2020-07-06 19:42:31 -0700)
----------------------------------------------------------------
pstore update
- Fix linking when crypto API disabled (Matteo Croce)
----------------------------------------------------------------
Matteo Croce (1):
pstore: Fix linking when crypto API disabled
fs/pstore/platform.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
Kees Cook
* [GIT PULL] kallsyms_show_value() refactoring for v5.8-rc5
@ 2020-07-08 23:16 86% Kees Cook
From: Kees Cook @ 2020-07-08 23:16 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Alexei Starovoitov, bpf, Daniel Borkmann,
Dominik Czarnota, Greg Kroah-Hartman, Jessica Yu,
Luis Chamberlain, Masami Hiramatsu
Hi Linus,
Please pull this kallsyms_show_value() refactoring for v5.8-rc5. I'm not
delighted by the timing of getting these changes to you, but it does fix
a handful of kernel address exposures, and no one has screamed yet at the
patches nor their existence in -next for a few days. Folks have reviewed
(and even tested!) the series. :)
(I'm leaving the more experimental current_cred() WARN() stuff for
later, obviously.)
Thanks!
-Kees
The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110:
Linux 5.8-rc2 (2020-06-21 15:45:29 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kallsyms_show_value-v5.8-rc5
for you to fetch changes up to 2c79583927bb8154ecaa45a67dde97661d895ecd:
selftests: kmod: Add module address visibility test (2020-07-08 16:01:36 -0700)
----------------------------------------------------------------
Refactor kallsyms_show_value() users for correct cred
Several users of kallsyms_show_value() were performing checks not
during "open". Refactor everything needed to gain proper checks against
file->f_cred for modules, kprobes, and bpf.
----------------------------------------------------------------
Kees Cook (6):
kallsyms: Refactor kallsyms_show_value() to take cred
module: Refactor section attr into bin attribute
module: Do not expose section addresses to non-CAP_SYSLOG
kprobes: Do not expose probe addresses to non-CAP_SYSLOG
bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok()
selftests: kmod: Add module address visibility test
include/linux/filter.h | 4 +--
include/linux/kallsyms.h | 5 ++--
kernel/bpf/syscall.c | 37 +++++++++++++++-----------
kernel/kallsyms.c | 17 +++++++-----
kernel/kprobes.c | 4 +--
kernel/module.c | 51 +++++++++++++++++++-----------------
net/core/sysctl_net_core.c | 2 +-
tools/testing/selftests/kmod/kmod.sh | 36 +++++++++++++++++++++++++
8 files changed, 103 insertions(+), 53 deletions(-)
--
Kees Cook
* Re: [GIT PULL][PATCH v6 0/8] Add support for ZSTD-compressed kernel and initramfs
@ 2020-07-07 21:32 91% ` Kees Cook
From: Kees Cook @ 2020-07-07 21:32 UTC (permalink / raw)
To: Borislav Petkov, Thomas Gleixner, x86
Cc: Nick Terrell, linux-kernel, Chris Mason, linux-kbuild, gregkh,
Petr Malat, Kernel Team, Adam Borowski, Patrick Williams, rmikey,
mingo, Patrick Williams, Sedat Dilek, Norbert Lange,
Andrew Morton, Nick Terrell
On Mon, Jul 06, 2020 at 08:45:56PM -0700, Nick Terrell wrote:
> From: Nick Terrell <terrelln@fb.com>
>
> Please pull from
>
> git@github.com:terrelln/linux.git tags/v6-zstd
>
> to get these changes. Alternatively the patchset is included.
>
> Hi all,
>
> This patch set adds support for a ZSTD-compressed kernel, ramdisk, and
> initramfs in the kernel boot process. ZSTD-compressed ramdisk and initramfs
> are supported on all architectures. The ZSTD-compressed kernel is only
> hooked up to x86 in this patch set.
Hello x86 maintainers!
I think this series is ready to go. Notes below...
> [...]
> x86: bump ZO_z_extra_bytes margin for zstd
The above patch is really the only thing that has any external visibility
to kernels that have ZSTD disabled. Given the ratios of memory sizes
involved (an extra 64K when we're dealing with 2MB windows), this seems
reasonable to me. If that isn't acceptable, it should be trivial to make
it CONFIG-selectable (like we already do with BOOT_HEAP_SIZE).
What do you think? If the non-x86 parts should land first in -mm, I
guess that would be okay, but I think it makes sense for all of this to
go via -tip.
-Kees
--
Kees Cook
* [GIT PULL] overflow helper addition for v5.8-rc2
@ 2020-06-19 2:42 92% Kees Cook
From: Kees Cook @ 2020-06-19 2:42 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Gustavo A. R. Silva
Hi Linus,
Please pull this tiny overflow helper addition for v5.8-rc2. During the
treewide clean-ups of zero-length "flexible arrays", the struct_size()
helper was heavily used, but it was noticed that many times it would
have been nice to have an additional helper to get the size of just the
flexible array itself. This need appears to be even more common when
cleaning up the 1-byte array "flexible arrays", so Gustavo implemented
it. I'd love to get this landed before -rc2 so it can be used during
the v5.9 dev cycle to ease the 1-byte array cleanups.
Thanks!
-Kees
The following changes since commit b3a9e3b9622ae10064826dccb4f7a52bd88c7407:
Linux 5.8-rc1 (2020-06-14 12:45:04 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/overflow-v5.8-rc2
for you to fetch changes up to b19d57d0f3cc6f1022edf94daf1d70506a09e3c2:
overflow.h: Add flex_array_size() helper (2020-06-16 20:45:08 -0700)
----------------------------------------------------------------
Add flex-array size helper
----------------------------------------------------------------
Gustavo A. R. Silva (1):
overflow.h: Add flex_array_size() helper
include/linux/overflow.h | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
--
Kees Cook
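The difference between sizing a whole structure and sizing only its trailing flexible array, as described in the pull request above, shown as an added userspace example. This is not the kernel's overflow.h: `struct msg`, the `sat_*` helpers and the upper-case macros are stand-ins written for this illustration, and the overflow checks assume GCC or Clang builtins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical message type with a trailing flexible array member. */
struct msg {
    uint32_t id;
    uint16_t count;    /* number of valid entries in items[] */
    uint32_t items[];  /* flexible array member */
};

/* Saturate to SIZE_MAX on overflow so a later allocation fails cleanly. */
static size_t sat_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Bytes occupied by n elements of the flexible array only. */
#define FLEX_ARRAY_SIZE(p, member, n) sat_mul((n), sizeof(*(p)->member))
/* Bytes occupied by the fixed header plus n elements of the array. */
#define STRUCT_SIZE(p, member, n) \
    sat_add(sizeof(*(p)), FLEX_ARRAY_SIZE(p, member, n))

static size_t msg_payload_bytes(size_t n)
{
    return FLEX_ARRAY_SIZE((struct msg *)0, items, n);
}

static size_t msg_total_bytes(size_t n)
{
    return STRUCT_SIZE((struct msg *)0, items, n);
}

/* Allocation uses the whole-structure size. */
static struct msg *msg_alloc(size_t n)
{
    size_t bytes = msg_total_bytes(n);
    struct msg *m;

    if (n > UINT16_MAX || bytes == SIZE_MAX)
        return NULL;
    m = calloc(1, bytes);
    if (m)
        m->count = (uint16_t)n;
    return m;
}

/* Copying into items[] needs only the array size, not the header. */
static int msg_set_items(struct msg *m, const uint32_t *src, size_t n)
{
    if (n > m->count)
        return -1;
    memcpy(m->items, src, FLEX_ARRAY_SIZE(m, items, n));
    return 0;
}

/* Returns 1 when a fitting copy succeeds and an oversized one is refused. */
static int demo_roundtrip(void)
{
    const uint32_t src[4] = { 10, 20, 30, 40 };
    struct msg *m = msg_alloc(3);
    int ok;

    if (!m)
        return 0;
    ok = msg_set_items(m, src, 3) == 0 && m->items[2] == 30 &&
         msg_set_items(m, src, 4) == -1;
    free(m);
    return ok;
}

int main(void)
{
    printf("payload(3)=%zu total(3)=%zu roundtrip=%d\n",
           msg_payload_bytes(3), msg_total_bytes(3), demo_roundtrip());
    printf("overflowing count saturates: %d\n",
           msg_total_bytes(SIZE_MAX / 2) == SIZE_MAX);
    return 0;
}
```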
* [GIT PULL] pstore updates for v5.8-rc1
@ 2020-06-01 2:57 71% Kees Cook
From: Kees Cook @ 2020-06-01 2:57 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Colin Ian King, Luis Henriques, Michael Ellerman,
Pavel Tatashin, Petr Mladek, Sergey Senozhatsky, WeiXiong Liao
Hi Linus,
Please pull these pstore updates for v5.8-rc1. This is a pretty big set
of changes (relative to past pstore pulls), but they've lived in -next
for a while. The biggest change here is the ability to support a block
device as a pstore backend, which has been desired for a while. A lot of
additional fixes and refactorings are also included, mostly in support
of the new features.
Thanks!
-Kees
The following changes since commit 8f3d9f354286745c751374f5f1fcafee6b3f3136:
Linux 5.7-rc1 (2020-04-12 12:35:55 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.8-rc1
for you to fetch changes up to 78c08247b9d3e03192f8b359aa079024e805a948:
mtd: Support kmsg dumper based on pstore/blk (2020-05-31 19:49:01 -0700)
----------------------------------------------------------------
Fixes and new features for pstore
- refactor pstore locking for safer module unloading (Kees Cook)
- remove orphaned records from pstorefs when backend unloaded (Kees Cook)
- refactor dump_oops parameter into max_reason (Pavel Tatashin)
- introduce pstore/zone for common code for contiguous storage (WeiXiong Liao)
- introduce pstore/blk for block device backend (WeiXiong Liao)
- introduce mtd backend (WeiXiong Liao)
----------------------------------------------------------------
Kees Cook (22):
pstore: Drop useless try_module_get() for backend
pstore: Rename "pstore_lock" to "psinfo_lock"
pstore: Convert "psinfo" locking to mutex
pstore: Rename "allpstore" to "records_list"
pstore: Convert "records_list" locking to mutex
pstore: Add proper unregister lock checking
pstore: Refactor pstorefs record list removal
pstore: Add locking around superblock changes
pstore: Do not leave timer disabled for next backend
pstore: Remove filesystem records when backend is unregistered
pstore: Make sure console capturing will restart
pstore/platform: Switch pstore_info::name to const
pstore/platform: Use backend name for console registration
pstore/platform: Move module params after declarations
pstore/ram: Adjust module param permissions to reflect reality
pstore/ram: Refactor DT size parsing
pstore/ram: Refactor ftrace buffer merging
pstore/ftrace: Provide ftrace log merging routine
printk: Collapse shutdown types into a single dump reason
printk: Introduce kmsg_dump_reason_str()
pstore/ram: Introduce max_reason and convert dump_oops
pstore/blk: Introduce "best_effort" mode
Pavel Tatashin (3):
printk: honor the max_reason field in kmsg_dumper
pstore/platform: Pass max_reason to kmesg dump
ramoops: Add "max-reason" optional field to ramoops DT node
WeiXiong Liao (10):
pstore/zone: Introduce common layer to manage storage zones
pstore/blk: Introduce backend for block devices
pstore/zone,blk: Add support for pmsg frontend
pstore/zone,blk: Add console frontend support
pstore/zone,blk: Add ftrace frontend support
Documentation: Add details for pstore/blk
pstore/zone: Provide way to skip "broken" zone for MTD devices
pstore/blk: Provide way to query pstore configuration
pstore/blk: Support non-block storage devices
mtd: Support kmsg dumper based on pstore/blk
Documentation/admin-guide/pstore-blk.rst | 243 ++++
Documentation/admin-guide/ramoops.rst | 14 +-
.../bindings/reserved-memory/ramoops.txt | 13 +-
MAINTAINERS | 1 +
arch/powerpc/kernel/nvram_64.c | 4 +-
drivers/mtd/Kconfig | 10 +
drivers/mtd/Makefile | 1 +
drivers/mtd/mtdpstore.c | 578 ++++++++
drivers/platform/chrome/chromeos_pstore.c | 2 +-
fs/pstore/Kconfig | 109 ++
fs/pstore/Makefile | 6 +
fs/pstore/blk.c | 517 +++++++
fs/pstore/ftrace.c | 54 +
fs/pstore/inode.c | 129 +-
fs/pstore/internal.h | 11 +-
fs/pstore/platform.c | 117 +-
fs/pstore/ram.c | 155 +--
fs/pstore/zone.c | 1465 ++++++++++++++++++++
include/linux/kmsg_dump.h | 12 +-
include/linux/pstore.h | 9 +-
include/linux/pstore_blk.h | 118 ++
include/linux/pstore_ram.h | 2 +-
include/linux/pstore_zone.h | 60 +
kernel/printk/printk.c | 32 +-
kernel/reboot.c | 6 +-
tools/testing/selftests/pstore/pstore_tests | 2 +-
26 files changed, 3464 insertions(+), 206 deletions(-)
create mode 100644 Documentation/admin-guide/pstore-blk.rst
create mode 100644 drivers/mtd/mtdpstore.c
create mode 100644 fs/pstore/blk.c
create mode 100644 fs/pstore/zone.c
create mode 100644 include/linux/pstore_blk.h
create mode 100644 include/linux/pstore_zone.h
--
Kees Cook
* [GIT PULL] gcc-plugins fixes for v5.7-rc5
@ 2020-05-04 17:46 92% Kees Cook
From: Kees Cook @ 2020-05-04 17:46 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Frédéric Pierret
Hi Linus,
Please pull these gcc-plugins fixes for v5.7-rc5. These are some more
clean-ups for using the plugins under GCC 10.
Thanks!
-Kees
The following changes since commit 8f3d9f354286745c751374f5f1fcafee6b3f3136:
Linux 5.7-rc1 (2020-04-12 12:35:55 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.7-rc5
for you to fetch changes up to c7527373fe28f97d8a196ab562db5589be0d34b9:
gcc-common.h: Update for GCC 10 (2020-04-13 10:19:20 -0700)
----------------------------------------------------------------
GCC 10 fixes for gcc-plugins
- Adjust caller of cgraph_create_edge for GCC 10 argument usage
- Update common headers to build under GCC 10 (Frédéric Pierret)
----------------------------------------------------------------
Frédéric Pierret (fepitre) (1):
gcc-common.h: Update for GCC 10
Kees Cook (1):
gcc-plugins/stackleak: Avoid assignment for unused macro argument
scripts/gcc-plugins/Makefile | 1 +
scripts/gcc-plugins/gcc-common.h | 4 ++++
scripts/gcc-plugins/stackleak_plugin.c | 5 ++---
3 files changed, 7 insertions(+), 3 deletions(-)
--
Kees Cook
* [GIT PULL] pstore updates for v5.7-rc1
@ 2020-03-30 4:21 92% Kees Cook
From: Kees Cook @ 2020-03-30 4:21 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, chenqiwu, Gustavo A. R. Silva, Kees Cook, Vasily Averin
Hi Linus,
Please pull these pstore updates for v5.7-rc1. These are mostly some minor
cleanups and a bug fix for an ftrace corner case.
Thanks!
-Kees
The following changes since commit 11a48a5a18c63fd7621bb050228cebf13566e4d8:
Linux 5.6-rc2 (2020-02-16 13:16:59 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.7-rc1
for you to fetch changes up to 8128d3aac0ee3420ede34950c9c0ef9ee118bec9:
pstore/ram: Replace zero-length array with flexible-array member (2020-03-09 14:45:40 -0700)
----------------------------------------------------------------
pstore updates
- Improve failure paths (chenqiwu)
- Fix ftrace position index (Vasily Averin)
- Use proper flexible-array member (Gustavo A. R. Silva)
----------------------------------------------------------------
Gustavo A. R. Silva (1):
pstore/ram: Replace zero-length array with flexible-array member
Vasily Averin (1):
pstore: pstore_ftrace_seq_next should increase position index
chenqiwu (2):
pstore/platform: fix potential mem leak if pstore_init_fs failed
pstore/ram: remove unnecessary ramoops_unregister_dummy()
fs/pstore/inode.c | 5 ++++-
fs/pstore/platform.c | 4 ++--
fs/pstore/ram.c | 1 -
fs/pstore/ram_core.c | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp updates for v5.7-rc1
@ 2020-03-30 4:16 92% Kees Cook
From: Kees Cook @ 2020-03-30 4:16 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Kees Cook, Matthew Denton, Sven Schnelle, Tycho Andersen
Hi Linus,
Please pull these couple of seccomp updates for v5.7-rc1. They're both
mostly bug fixes that I wanted to have sit in linux-next for a while.
That's done now, so here they are for v5.7.
Thanks!
-Kees
The following changes since commit 11a48a5a18c63fd7621bb050228cebf13566e4d8:
Linux 5.6-rc2 (2020-02-16 13:16:59 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.7-rc1
for you to fetch changes up to 3db81afd99494a33f1c3839103f0429c8f30cb9d:
seccomp: Add missing compat_ioctl for notify (2020-03-29 21:10:51 -0700)
----------------------------------------------------------------
updates for seccomp
- allow TSYNC and USER_NOTIF together (Tycho Andersen)
- Add missing compat_ioctl for notify (Sven Schnelle)
----------------------------------------------------------------
Sven Schnelle (1):
seccomp: Add missing compat_ioctl for notify
Tycho Andersen (1):
seccomp: allow TSYNC and USER_NOTIF together
include/linux/seccomp.h | 3 +-
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 15 ++++--
tools/testing/selftests/seccomp/seccomp_bpf.c | 74 ++++++++++++++++++++++++++-
4 files changed, 87 insertions(+), 6 deletions(-)
--
Kees Cook
* [GIT PULL] READ_IMPLIES_EXEC cleanup for -tip next
@ 2020-03-03 4:25 89% Kees Cook
From: Kees Cook @ 2020-03-03 4:25 UTC (permalink / raw)
To: Thomas Gleixner
Cc: linux-kernel, Catalin Marinas, Hector Marco-Gisbert, Jason Gunthorpe
Hi Thomas,
Please pull these READ_IMPLIES_EXEC cleanups. They've got Acks, and have
been sitting without further comment since v4:
https://lore.kernel.org/lkml/20200225051307.6401-1-keescook@chromium.org/#r
Catalin specifically asked me during Plumbers if I could get this series
refreshed and finalized, so here we are! :) I'd wanted to keep these all
together so per-arch RIE special cases were changed at the same time.
Thanks!
-Kees
The following changes since commit 11a48a5a18c63fd7621bb050228cebf13566e4d8:
Linux 5.6-rc2 (2020-02-16 13:16:59 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/rie-cleanup-next
for you to fetch changes up to 631551ed971466e4a7ea0b6b11a4ddf2b80513d3:
arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces (2020-02-24 21:00:51 -0800)
----------------------------------------------------------------
READ_IMPLIES_EXEC cleanups
- Fix READ_IMPLIES_EXEC across x86, arm64, and arm
----------------------------------------------------------------
Kees Cook (6):
x86/elf: Add table to document READ_IMPLIES_EXEC
x86/elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
arm32/64, elf: Add tables to document READ_IMPLIES_EXEC
arm32/64, elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
arch/arm/kernel/elf.c | 27 +++++++++++++++++++++++----
arch/arm64/include/asm/elf.h | 23 ++++++++++++++++++++++-
arch/x86/include/asm/elf.h | 22 +++++++++++++++++++++-
fs/compat_binfmt_elf.c | 5 +++++
4 files changed, 71 insertions(+), 6 deletions(-)
--
Kees Cook
* [GIT PULL] pstore fix for v5.5-rc6
@ 2020-01-10 4:46 92% Kees Cook
From: Kees Cook @ 2020-01-10 4:46 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Cengiz Can
Hi Linus,
Please pull this pstore fix for v5.5-rc6. Cengiz Can forwarded a Coverity
report about more problems with a rare pstore initialization error path,
so the allocation lifetime was rearranged to avoid needing to share the
kfree() responsibilities between caller and callee.
Thanks!
-Kees
The following changes since commit 9e5f1c19800b808a37fb9815a26d382132c26c3d:
pstore/ram: Write new dumps to start of recycled zones (2020-01-02 12:30:50 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.5-rc6
for you to fetch changes up to e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8:
pstore/ram: Regularize prz label allocation lifetime (2020-01-08 17:05:45 -0800)
----------------------------------------------------------------
pstore fix for rare error path
- Fix label allocation lifetime/visibility to avoid further mistakes
----------------------------------------------------------------
Kees Cook (1):
pstore/ram: Regularize prz label allocation lifetime
fs/pstore/ram.c | 4 ++--
fs/pstore/ram_core.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--
Kees Cook
* [GIT PULL] FIELD_SIZEOF() removal for v5.5-rc5
@ 2020-01-02 21:48 92% Kees Cook
From: Kees Cook @ 2020-01-02 21:48 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel
Hi Linus,
Please pull this last change for the sizeof_field() conversion for
v5.5-rc5. With all FIELD_SIZEOF() users now gone from both your tree and
linux-next, we can remove it and the conversion is done! :)
Thanks!
-Kees
The following changes since commit fd6988496e79a6a4bdb514a4655d2920209eb85d:
Linux 5.5-rc4 (2019-12-29 15:29:16 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/sizeof_field-v5.5-rc5
for you to fetch changes up to 1f07dcc459d5f2c639f185f6e94829a0c79f2b4c:
kernel.h: Remove unused FIELD_SIZEOF() (2019-12-30 12:01:56 -0800)
----------------------------------------------------------------
sizeof_field conversion
- Remove now unused FIELD_SIZEOF() macro (Kees Cook)
----------------------------------------------------------------
Kees Cook (1):
kernel.h: Remove unused FIELD_SIZEOF()
include/linux/kernel.h | 9 ---------
1 file changed, 9 deletions(-)
--
Kees Cook
* [GIT PULL] gcc-plugins fix for v5.5-rc5
@ 2020-01-02 21:38 92% Kees Cook
From: Kees Cook @ 2020-01-02 21:38 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Ard Biesheuvel, Arnd Bergmann, Kees Cook, Masahiro Yamada
Hi Linus,
Please pull this gcc-plugins fix for v5.5-rc5. This change will make
some builders' lives easier again for build configuration testing
with/without gcc-plugins. Masahiro asked that it go via my tree, so here
it is! :)
Thanks!
-Kees
The following changes since commit fd6988496e79a6a4bdb514a4655d2920209eb85d:
Linux 5.5-rc4 (2019-12-29 15:29:16 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v5.5-rc5
for you to fetch changes up to a5b0dc5a46c221725c43bd9b01570239a4cd78b1:
gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (2020-01-02 13:30:14 -0800)
----------------------------------------------------------------
gcc-plugins build flexibility fix
- Allow builds to disable plugins even when plugins available (Arnd Bergmann)
----------------------------------------------------------------
Arnd Bergmann (1):
gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again
scripts/gcc-plugins/Kconfig | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--
Kees Cook
* [GIT PULL] seccomp fixes for v5.5-rc5
@ 2020-01-02 21:28 91% Kees Cook
From: Kees Cook @ 2020-01-02 21:28 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Aleksa Sarai, Christian Brauner, Sargun Dhillon,
Tycho Andersen
Hi Linus,
Please pull these seccomp fixes for v5.5-rc5. The bulk of this is fixing
the surrounding samples and selftests so that seccomp can correctly
validate the seccomp_notify_ioctl buffer as being initially zeroed.
Thanks!
-Kees
The following changes since commit fd6988496e79a6a4bdb514a4655d2920209eb85d:
Linux 5.5-rc4 (2019-12-29 15:29:16 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.5-rc5
for you to fetch changes up to e4ab5ccc357b978999328fadae164e098c26fa40:
selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV (2020-01-02 13:15:45 -0800)
----------------------------------------------------------------
Fixes for seccomp_notify_ioctl uapi sanity
- Fix samples and selftests to zero passed-in buffer (Sargun Dhillon)
- Enforce zeroed buffer checking (Sargun Dhillon)
- Verify buffer sanity check in selftest (Sargun Dhillon)
----------------------------------------------------------------
Sargun Dhillon (4):
samples/seccomp: Zero out members based on seccomp_notif_sizes
selftests/seccomp: Zero out seccomp_notif
seccomp: Check that seccomp_notif is zeroed out by the user
selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV
kernel/seccomp.c | 7 +++++++
samples/seccomp/user-trap.c | 4 ++--
tools/testing/selftests/seccomp/seccomp_bpf.c | 15 ++++++++++++++-
3 files changed, 23 insertions(+), 3 deletions(-)
--
Kees Cook
* [GIT PULL] pstore fixes for v5.5-rc5
@ 2020-01-02 20:55 92% Kees Cook
From: Kees Cook @ 2020-01-02 20:55 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-kernel, Aleksandr Yashkin, Ariel Gilman, Navid Emamdoost,
Nikolay Merinov
Hi Linus,
Please pull these two pstore fixes for v5.5-rc5.
Thanks!
-Kees
The following changes since commit d1eef1c619749b2a57e514a3fa67d9a516ffa919:
Linux 5.5-rc2 (2019-12-15 15:16:08 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/pstore-v5.5-rc5
for you to fetch changes up to 9e5f1c19800b808a37fb9815a26d382132c26c3d:
pstore/ram: Write new dumps to start of recycled zones (2020-01-02 12:30:50 -0800)
----------------------------------------------------------------
pstore bug fixes
- always reset circular buffer state when writing new dump (Aleksandr Yashkin)
- fix rare error-path memory leak (Kees Cook)
----------------------------------------------------------------
Aleksandr Yashkin (1):
pstore/ram: Write new dumps to start of recycled zones
Kees Cook (1):
pstore/ram: Fix error-path memory leak in persistent_ram_new() callers
fs/pstore/ram.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--
Kees Cook