The keychord driver causes a kernel warning when writing more than
(1 << (MAX_ORDER - 1)) * PAGE_SIZE bytes to /dev/keychord.
In reality writes to this file should be much smaller, so
limiting data size to PAGE_SIZE seems to be appropriate.
This change checks the write data size and, if it's more than
PAGE_SIZE, causes the write to fail.
Bug: 73962978
Change-Id: I8a064a396d4259ffca924fa35d80e9700c4f8d79
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
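As an added illustration (not the commit's or the keychord driver's code), this user-space C model shows why the old behaviour warned and what the new length check does: it computes the page-allocator order a request needs, flags requests of order MAX_ORDER or higher, and rejects writes longer than PAGE_SIZE before any buffer is sized from the user-controlled length. PAGE_SIZE (4096) and MAX_ORDER (11) are assumed values; the real kernel takes them from its configuration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for this model; the real kernel takes them from its config. */
#define PAGE_SIZE 4096UL
#define MAX_ORDER 11

/* Largest contiguous block the page allocator hands out without a warning:
 * (1 << (MAX_ORDER - 1)) pages, i.e. 4 MiB with the values above. */
#define MAX_ALLOC_BYTES ((1UL << (MAX_ORDER - 1)) * PAGE_SIZE)

/* Order of the smallest power-of-two page block that can hold `bytes`. */
static unsigned int alloc_order(size_t bytes)
{
    unsigned int order = 0;
    while ((PAGE_SIZE << order) < bytes)
        order++;
    return order;
}

/* The allocator refuses (with a WARN) any request of order MAX_ORDER or
 * higher; an oversized write used to reach this path through its length. */
static int alloc_would_warn(size_t bytes) { return alloc_order(bytes) >= MAX_ORDER; }

/* Hardened write path: the user-controlled length is bounded by PAGE_SIZE
 * before it sizes an allocation. Returns the bytes accepted or -EINVAL. */
static long keychord_write_model(const char *ubuf, size_t count)
{
    char *kbuf;
    if (count > PAGE_SIZE)
        return -EINVAL;
    kbuf = malloc(count + 1);          /* stands in for kzalloc() */
    if (!kbuf)
        return -ENOMEM;
    memcpy(kbuf, ubuf, count);         /* stands in for copy_from_user() */
    free(kbuf);                        /* parsing of keychord entries omitted */
    return (long)count;
}

/* Drives the write path with `n` constructed bytes of user data. */
static long write_of_size(size_t n)
{
    char *ubuf = malloc(n + 1);
    long ret = ubuf ? (memset(ubuf, 'k', n), keychord_write_model(ubuf, n)) : -ENOMEM;
    free(ubuf);
    return ret;
}
```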
Move inline assembly to a separate object file that's compiled with
LTO disabled due to incompatibility with clang's internal assembler.
Add wrappers to allow indirect calls without tripping CFI.
Bug: 67506682
Change-Id: I582b22dcdbb0bb59149f3b4cfce132b1e2d145cd
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Add C wrappers to allow indirect calls to sha[12]_ce_transform
without tripping CFI.
Bug: 67506682
Change-Id: If872f30095994206bc768eee13670be552b2a247
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Disable CFI to allow an indirect call to a physical address.
Bug: 67506682
Change-Id: I0ec38f34245a4ad52f508f6989093526d3bf442f
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
The module_param_call() macro was explicitly casting the .set and
.get function prototypes away. This can lead to hard-to-find type
mismatches. Now that all the function prototypes have been fixed
tree-wide, we can drop these casts, and use named initializers too.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Bug: 67506682
Change-Id: I439c8b4b9f0108ac357267bbc396a63baec2b242
(cherry picked from commit ece1996a21)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Several function prototypes for the set/get functions defined by
module_param_call() have slightly wrong argument types. This fixes
those in an effort to clean up the calls when running under type-enforced
compiler instrumentation for CFI. This is the result of running the
following semantic patch:
@match_module_param_call_function@
declarer name module_param_call;
identifier _name, _set_func, _get_func;
expression _arg, _mode;
@@
module_param_call(_name, _set_func, _get_func, _arg, _mode);
@fix_set_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._set_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _set_func(
-_val_type _val
+const char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
@fix_get_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._get_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _get_func(
-_val_type _val
+char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
Two additional by-hand changes are included for places where the above
Coccinelle script didn't notice them:
drivers/platform/x86/thinkpad_acpi.c
fs/lockd/svc.c
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Bug: 67506682
Change-Id: I2c9c0ee8ed28065e63270a52c155e5e7d2791295
(cherry picked from commit e4dca7b7aa)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
After actually converting all module_param_call() function prototypes, we
no longer need to do a tricky sizeof(func(thing)) type-check. Remove it.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
Bug: 67506682
Change-Id: Ie20dbd09634c7cbef499c81bf2dbfd762ad0058a
(cherry picked from commit b2f270e874)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
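As an added model (not the kernel's code) of what the prototype fixes in this series buy under CFI: forward-edge CFI lets an indirect call proceed only when the target was defined with the type the call site expects, so a handler whose mismatch was hidden by a cast in module_param_call() is refused at runtime, while the corrected prototype passes. The `struct kernel_param` stand-in, the string type tags and the `cfi_call_set` helper are assumptions of the model; Clang derives the type information itself.

```c
#include <stdlib.h>
#include <string.h>

struct kernel_param { const char *name; int *arg; };   /* stand-in for the kernel's */
typedef int (*param_set_fn)(const char *val, const struct kernel_param *kp);
typedef void (*anyfn)(void);

/* Model of forward-edge CFI: the compiler records the type each function was
 * defined with and lets an indirect call through only if it matches the type
 * the call site expects. Here that type is carried by hand as a string. */
struct cfi_target { anyfn fn; const char *def_type; };
#define SET_TYPE "int (const char *, const struct kernel_param *)"

/* Indirect .set call as the param store path makes it; -1 means CFI refused. */
static int cfi_call_set(struct cfi_target t, const char *val, const struct kernel_param *kp)
{
    if (strcmp(t.def_type, SET_TYPE) != 0)
        return -1;
    return ((param_set_fn)t.fn)(val, kp);
}

/* Old-style handler: kp lacks const, so module_param_call() had to cast it to
 * the expected pointer type. The cast compiles, but the function's real type
 * still differs from the call site's, which is exactly what CFI compares. */
static int set_old(const char *val, struct kernel_param *kp) { *kp->arg = atoi(val); return 0; }

/* Handler with the exact prototype the series converts every caller to. */
static int set_fixed(const char *val, const struct kernel_param *kp) { *kp->arg = atoi(val); return 0; }

static int value;
static const struct kernel_param value_kp = { "value", &value };

/* Stores through the cast-away prototype: refused before the handler runs. */
static int store_via_old(const char *val)
{
    struct cfi_target t = { (anyfn)set_old, "int (const char *, struct kernel_param *)" };
    return cfi_call_set(t, val, &value_kp);
}

/* Stores through the fixed prototype: passes the check and runs the handler. */
static int store_via_fixed(const char *val)
{
    struct cfi_target t = { (anyfn)set_fixed, SET_TYPE };
    return cfi_call_set(t, val, &value_kp);
}

static int current_value(void) { return value; }
```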
With CFI enabled, LLVM appends .cfi to most function names, which
potentially breaks user space tools. While stripping the postfix is
not optimal either, this should at least create less confusion.
Bug: 67506682
Bug: 73328469
Change-Id: I253f34a562629032ddd792b8498e171109ea7cbc
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
This change adds the CONFIG_CFI_CLANG option, CFI error handling,
and a faster look-up table for cross module CFI checks.
Bug: 67506682
Change-Id: Ic009f0a629b552a0eb16e6d89808c7029e91447d
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
With LTO, LLVM sorts initcalls in a single translation unit alphabetically
based on the name of the function (or actually, the variable stored in
the initcall section). Use __COUNTER__ in the variable name in an attempt
to preserve the intended order.
Bug: 62093296
Bug: 67506682
Change-Id: I4fa3cb93cba967a1440ac53328eb6b8ac649ff36
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Specifying -fshort-wchar for just one object breaks LTO with the
following error message:
ld.gold: fatal error: Failed to link module drivers/xen/efi.o:
linking module flags 'wchar_size': IDs have conflicting values
Since efi.c doesn't actually use wchar_t, turn off the flag when
LTO is enabled.
Bug: 62093296
Bug: 67506682
Change-Id: I509c18677353add8e1ad04f99f6e42bdab7814e7
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Disable LTO for lkdtm_rodata.o to allow objcopy to be used to
manipulate sections.
Bug: 62093296
Bug: 67506682
Change-Id: Iedd1a3a2a9b06f44e7ceb6ac287ea764eaf5ef0a
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Due to a bug in clang, vdso fails to build when both LTO_CLANG and
CC_OPTIMIZE_FOR_SIZE are enabled:
https://bugs.llvm.org/show_bug.cgi?id=32155
Disable LTO for vdso to work around the problem.
Bug: 62093296
Bug: 67506682
Change-Id: I1d0279535fd389db4c829e4556f9ef728f240a34
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
RANDOMIZE_MODULE_REGION_FULL results in "overflow in relocation type 275"
when loading a module linked with GNU gold. As a workaround, disable when
LTO_CLANG is selected.
Bug: 62093296
Bug: 67506682
Change-Id: I6af3de0dc2e6a5053c527d7cb7fb45cb249b68b3
(am from https://patchwork.kernel.org/patch/10060337/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
LTO requires the use of LLVM's integrated assembler, which doesn't
understand the inline assembly in aes-ce-cipher.c. Disable LTO for
the file.
Bug: 62093296
Bug: 67506682
Change-Id: I7fe82644be0d86420edb4db7923b03dfee87215f
(am from https://patchwork.kernel.org/patch/10060315/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
CONFIG_LTO_CLANG depends on GNU gold, which can generate ADR_PREL_PG_HI21
relocations with --fix-cortex-a53-843419, even when -code-model=large has
been passed to LLVMgold.
Since ARM64_ERRATUM_843419 disables kernel support for these relocations,
disable the erratum when LTO is used.
Bug: 67506682
Change-Id: I5d419cae432a26af5b6eff362b869639c64c6fb3
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
With LTO_CLANG, even if we pass -mcmodel to clang, the flag isn't
stored in the generated LLVM IR, which means it won't be used for
the actual compilation at link time. Therefore, the flag needs to
be passed to LLVMgold to actually take effect.
Bug: 62093296
Bug: 67506682
Change-Id: I5cd21f97c800466f1bce039df56101ce4087ae20
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Clang's integrated assembler does not allow assembly macros defined
in one inline asm block using the .macro directive to be used across
separate asm blocks. LLVM developers consider this a feature and not a
bug, recommending code refactoring:
https://bugs.llvm.org/show_bug.cgi?id=19749
As binutils doesn't allow macros to be redefined, this change uses
UNDEFINE_MRS_S and UNDEFINE_MSR_S to define corresponding macros
in-place and work around gcc and clang limitations on redefining macros
across different assembler blocks.
Bug: 62093296
Bug: 67506682
Change-Id: I803fff57f639b0921ef81f90ec4befe802e7eecf
(am from https://patchwork.kernel.org/patch/10060343/)
Signed-off-by: Alex Matveev <alxmtvv@gmail.com>
Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
With CONFIG_LTO_CLANG, we produce LLVM IR instead of object files. Since LTO
is not really needed here and the Makefile assumes we produce an object file,
disable LTO for libstub.
Bug: 62093296
Bug: 67506682
Change-Id: Ieaa3d7e2c694655788f480f4351bf7c4d3fce090
(am from https://patchwork.kernel.org/patch/10060309/)
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
With CONFIG_LTO_CLANG, clang generates LLVM IR instead of ELF object
files. As empty.o is used for probing target properties, disable LTO
for it to produce an object file instead.
Bug: 62093296
Bug: 67506682
Change-Id: I0c7ac7ee0134465cac4a8c3a9c7e8b6347076a2b
(am from https://patchwork.kernel.org/patch/10060317/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
With CONFIG_LTO_CLANG enabled, LLVM IR won't be compiled into object
files until modpost_link. This change postpones calls to recordmcount
until after this step.
In order to exclude ftrace_process_locs from inspection, we add a new
code section .text..ftrace, which we tell recordmcount to ignore, and
a __norecordmcount attribute for moving functions to this section.
Bug: 62093296
Bug: 67506682
Change-Id: Iba2c053968206acf533fadab1eb34a743b5088ee
(am from https://patchwork.kernel.org/patch/10060327/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
This change adds the configuration option CONFIG_LTO_CLANG, and
build system support for clang's Link Time Optimization (LTO). In
preparation for LTO support for other compilers, potentially common
parts of the changes are gated behind CONFIG_LTO instead.
With -flto, instead of object files, clang produces LLVM bitcode,
which is compiled into a native object at link time, allowing the
final binary to be optimized globally. For more details, see:
https://llvm.org/docs/LinkTimeOptimization.html
While the kernel normally uses GNU ld for linking, LLVM supports LTO
only with lld or GNU gold linkers. This patch set assumes gold will
be used with the LLVMgold plug-in to perform the LTO link step. Due
to potential incompatibilities with GNU ld, this change also adds
LDFINAL_vmlinux for using a different linker for the vmlinux_link
step, and defaults to using GNU ld.
Assuming LLVMgold.so is in LD_LIBRARY_PATH and CONFIG_LTO_CLANG has
been selected, an LTO kernel can be built simply by running make
CC=clang. LTO requires clang >= 5.0 and gold from binutils >= 2.27.
Bug: 62093296
Bug: 67506682
Change-Id: Ibcd9fc7ec501b4f30b43b4877897615645f8655f
(am from https://patchwork.kernel.org/patch/10060329/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Some versions of GNU gold are known to produce broken code with
--fix-cortex-a53-843419 as explained in this bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=21491
If ARM64_ERRATUM_843419 is disabled and we're using GNU gold, pass
--no-fix-cortex-a53-843419 to the linker to ensure the erratum
fix is not used even if the linker is configured to enable it by
default.
This change also adds a warning if the erratum fix is enabled and
gold version <1.14 is used.
Bug: 62093296
Bug: 67506682
Change-Id: I5669fa920292adc0fd973035f27dafd4a76d919a
(am from https://patchwork.kernel.org/patch/10085777/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Make sure the linker doesn't remove .altinstructions or
.altinstr_replacement when CONFIG_LD_DEAD_CODE_DATA_ELIMINATION is
enabled.
Bug: 62093296
Bug: 67506682
Change-Id: I73f8a96679083909ec6865ee87519163ac7dcbe3
(am from https://patchwork.kernel.org/patch/10085799/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Keep .entry.tramp.text to avoid the "Entry trampoline text too big"
error while linking.
Bug: 62093296
Bug: 67506682
Change-Id: Idab3216244bd2f8537bb2a5bb47e25e8588394da
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Don't remove .head.text or .exitcall.exit when linking with --gc-sections,
and include .init.text.* in .init.text and .init.rodata.* in .init.rodata.
Bug: 62093296
Bug: 67506682
Change-Id: Ia0f9e735d04c2322dcc8bcfc94241f0551b149c4
(am from https://patchwork.kernel.org/patch/10085773/)
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
This change adds macros for testing both compiler name and
version. Current cc-version, cc-ifversion etc. macros that test
gcc version are left unchanged to prevent compatibility issues
with existing tests.
Bug: 62093296
Bug: 67506682
Change-Id: I14965fcc21dae8dfe31881b172214bf6f8a9f440
(am from https://patchwork.kernel.org/patch/10085767/)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Changes in 4.9.85
netfilter: drop outermost socket lock in getsockopt()
xtensa: fix high memory/reserved memory collision
scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
cfg80211: fix cfg80211_beacon_dup
X.509: fix BUG_ON() when hash algorithm is unsupported
PKCS#7: fix certificate chain verification
RDMA/uverbs: Protect from command mask overflow
iio: buffer: check if a buffer has been set up when poll is called
iio: adis_lib: Initialize trigger before requesting interrupt
x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
arm64: Disable unhandled signal log messages by default
Add delay-init quirk for Corsair K70 RGB keyboards
drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
usb: dwc3: gadget: Set maxpacket size for ep0 IN
usb: ldusb: add PIDs for new CASSY devices supported by this driver
Revert "usb: musb: host: don't start next rx urb if current one failed"
usb: gadget: f_fs: Process all descriptors during bind
usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
drm/amdgpu: Add dpm quirk for Jet PRO (v2)
drm/amdgpu: add atpx quirk handling (v2)
drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
drm/amdgpu: add new device to use atpx quirk
binder: add missing binder_unlock()
X.509: fix NULL dereference when restricting key with unsupported_sig
mm: avoid spurious 'bad pmd' warning messages
fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
libnvdimm: fix integer overflow static analysis warning
device-dax: implement ->split() to catch invalid munmap attempts
mm: introduce get_user_pages_longterm
v4l2: disable filesystem-dax mapping support
IB/core: disable memory registration of filesystem-dax vmas
libnvdimm, dax: fix 1GB-aligned namespaces vs physical misalignment
mm: Fix devm_memremap_pages() collision handling
mm: fail get_vaddr_frames() for filesystem-dax mappings
x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface
Linux 4.9.85
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 8e1eb3fa00 upstream.
At entry userspace may have (maliciously) populated the extra registers
outside the syscall calling convention with arbitrary values that could
be useful in a speculative execution (Spectre style) attack.
Clear these registers to minimize the kernel's attack surface.
Note, this only clears the extra registers and not the unused
registers for syscalls with fewer than 6 arguments, since those registers are
likely to be clobbered well before their values could be put to use
under speculation.
Note, Linus found that the XOR instructions can be executed with
minimized cost if interleaved with the PUSH instructions, and Ingo's
analysis found that R10 and R11 should be included in the register
clearing beyond the typical 'extra' syscall calling convention
registers.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Cc: <stable@vger.kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/151787988577.7847.16733592218894189003.stgit@dwillia2-desk3.amr.corp.intel.com
[ Made small improvements to the changelog and the code comments. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 77dd66a3c6 upstream.
If devm_memremap_pages() detects a collision while adding entries
to the radix-tree, we call pgmap_radix_release(). Unfortunately,
the function removes *all* entries for the range -- including the
entries that caused the collision in the first place.
Modify pgmap_radix_release() to take an additional argument to
indicate where to stop, so that only newly added entries are removed
from the tree.
Cc: <stable@vger.kernel.org>
Fixes: 9476df7d80 ("mm: introduce find_dev_pagemap()")
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
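As an added example (not the kernel's radix-tree code), this C model reproduces the rollback bug described above and its fix: a range [start, end) is registered slot by slot, and on a collision only the slots added by this caller are released, instead of the whole range including the pre-existing owner's entries. The slot array, the owners and the PFN ranges are constructed for the illustration.

```c
#include <errno.h>
#include <string.h>

/* Small array standing in for the radix tree; the index is a PFN-like key. */
#define NR_SLOTS 32
static const void *slots[NR_SLOTS];

/* Releases [start, end). The fix consists of passing the position where the
 * collision was found as `end`, so only entries this caller added go away. */
static void pgmap_radix_release(unsigned long start, unsigned long end)
{
    for (unsigned long i = start; i < end; i++)
        slots[i] = NULL;
}

/* Registers `owner` for [start, end). On a collision at slot i the entries
 * added so far are rolled back; `fixed` selects the corrected rollback range. */
static int pgmap_add(const void *owner, unsigned long start, unsigned long end, int fixed)
{
    if (end > NR_SLOTS)
        return -EINVAL;
    for (unsigned long i = start; i < end; i++) {
        if (slots[i]) {
            pgmap_radix_release(start, fixed ? i : end);   /* !fixed: whole range */
            return -EEXIST;
        }
        slots[i] = owner;
    }
    return 0;
}

static void pgmap_reset(void) { memset(slots, 0, sizeof(slots)); }
static const void *pgmap_lookup(unsigned long pfn) { return pfn < NR_SLOTS ? slots[pfn] : NULL; }

/* Constructed scenario: device A already owns [12, 16); device B then asks for
 * [8, 20), adds 8..11 and collides at 12. Returns the owner recorded at `pfn`
 * after B's failed attempt, for either rollback behaviour. */
static const int dev_a = 1, dev_b = 2;
static const void *owner_after_collision(int fixed, unsigned long pfn)
{
    pgmap_reset();
    pgmap_add(&dev_a, 12, 16, fixed);
    pgmap_add(&dev_b, 8, 20, fixed);
    return pgmap_lookup(pfn);
}
```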