1. 02 Dec, 2022 4 commits
    • Kees Cook's avatar
      panic: Expose "warn_count" to sysfs · 8b05aa26
      Kees Cook authored
      Since Warn count is now tracked and is a fairly interesting signal, add
      the entry /sys/kernel/warn_count to expose it to userspace.
      
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: tangmeng <tangmeng@uniontech.com>
      Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221117234328.594699-6-keescook@chromium.org
      8b05aa26
    • Kees Cook's avatar
      panic: Introduce warn_limit · 9fc9e278
      Kees Cook authored
      Like oops_limit, add warn_limit for limiting the number of warnings when
      panic_on_warn is not set.
      
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
      Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
      Cc: Eric Biggers <ebiggers@google.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: tangmeng <tangmeng@uniontech.com>
      Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
      Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: linux-doc@vger.kernel.org
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221117234328.594699-5-keescook@chromium.org
      9fc9e278
    • Kees Cook's avatar
      panic: Consolidate open-coded panic_on_warn checks · 79cc1ba7
      Kees Cook authored
      Several run-time checkers (KASAN, UBSAN, KFENCE, KCSAN, sched) roll
      their own warnings, and each check "panic_on_warn". Consolidate this
      into a single function so that future instrumentation can be added in
      a single location.
      
      Cc: Marco Elver <elver@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Juri Lelli <juri.lelli@redhat.com>
      Cc: Vincent Guittot <vincent.guittot@linaro.org>
      Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Ben Segall <bsegall@google.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
      Cc: Valentin Schneider <vschneid@redhat.com>
      Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Konovalov <andreyknvl@gmail.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: David Gow <davidgow@google.com>
      Cc: tangmeng <tangmeng@uniontech.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: Shuah Khan <skhan@linuxfoundation.org>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: "Paul E. McKenney" <paulmck@kernel.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
      Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
      Cc: kasan-dev@googlegroups.com
      Cc: linux-mm@kvack.org
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarMarco Elver <elver@google.com>
      Reviewed-by: default avatarAndrey Konovalov <andreyknvl@gmail.com>
      Link: https://lore.kernel.org/r/20221117234328.594699-4-keescook@chromium.org
      79cc1ba7
    • Kees Cook's avatar
      exit: Allow oops_limit to be disabled · de92f657
      Kees Cook authored
      In preparation for keeping oops_limit logic in sync with warn_limit,
      have oops_limit == 0 disable checking the Oops counter.
      
      Cc: Jann Horn <jannh@google.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
      Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
      Cc: Eric Biggers <ebiggers@google.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: linux-doc@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      de92f657
  2. 01 Dec, 2022 5 commits
    • Kees Cook's avatar
      exit: Expose "oops_count" to sysfs · 9db89b41
      Kees Cook authored
      Since Oops count is now tracked and is a fairly interesting signal, add
      the entry /sys/kernel/oops_count to expose it to userspace.
      
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221117234328.594699-3-keescook@chromium.org
      9db89b41
    • Jann Horn's avatar
      exit: Put an upper limit on how often we can oops · d4ccd54d
      Jann Horn authored
      Many Linux systems are configured to not panic on oops; but allowing an
      attacker to oops the system **really** often can make even bugs that look
      completely unexploitable exploitable (like NULL dereferences and such) if
      each crash elevates a refcount by one or a lock is taken in read mode, and
      this causes a counter to eventually overflow.
      
      The most interesting counters for this are 32 bits wide (like open-coded
      refcounts that don't use refcount_t). (The ldsem reader count on 32-bit
      platforms is just 16 bits, but probably nobody cares about 32-bit platforms
      that much nowadays.)
      
      So let's panic the system if the kernel is constantly oopsing.
      
      The speed of oopsing 2^32 times probably depends on several factors, like
      how long the stack trace is and which unwinder you're using; an empirically
      important one is whether your console is showing a graphical environment or
      a text console that oopses will be printed to.
      In a quick single-threaded benchmark, it looks like oopsing in a vfork()
      child with a very short stack trace only takes ~510 microseconds per run
      when a graphical console is active; but switching to a text console that
      oopses are printed to slows it down around 87x, to ~45 milliseconds per
      run.
      (Adding more threads makes this faster, but the actual oops printing
      happens under &die_lock on x86, so you can maybe speed this up by a factor
      of around 2 and then any further improvement gets eaten up by lock
      contention.)
      
      It looks like it would take around 8-12 days to overflow a 32-bit counter
      with repeated oopsing on a multi-core X86 system running a graphical
      environment; both me (in an X86 VM) and Seth (with a distro kernel on
      normal hardware in a standard configuration) got numbers in that ballpark.
      
      12 days aren't *that* short on a desktop system, and you'd likely need much
      longer on a typical server system (assuming that people don't run graphical
      desktop environments on their servers), and this is a *very* noisy and
      violent approach to exploiting the kernel; and it also seems to take orders
      of magnitude longer on some machines, probably because stuff like EFI
      pstore will slow it down a ton if that's active.
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.comReviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221117234328.594699-2-keescook@chromium.org
      d4ccd54d
    • Kees Cook's avatar
      panic: Separate sysctl logic from CONFIG_SMP · 9360d035
      Kees Cook authored
      In preparation for adding more sysctls directly in kernel/panic.c, split
      CONFIG_SMP from the logic that adds sysctls.
      
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: tangmeng <tangmeng@uniontech.com>
      Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
      Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221117234328.594699-1-keescook@chromium.org
      9360d035
    • Gustavo A. R. Silva's avatar
      mm/pgtable: Fix multiple -Wstringop-overflow warnings · 25226df4
      Gustavo A. R. Silva authored
      The actual size of the following arrays at run-time depends on
      CONFIG_X86_PAE.
      
      427         pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
      428         pmd_t *pmds[MAX_PREALLOCATED_PMDS];
      
      If CONFIG_X86_PAE is not enabled, their final size will be zero (which
      is technically not a legal storage size in C, but remains "valid" via
      the GNU extension). In that case, the compiler complains about trying to
      access objects of size zero when calling functions where these objects
      are passed as arguments.
      
      Fix this by sanity-checking the size of those arrays just before the
      function calls. Also, the following warnings are fixed by these changes
      when building with GCC 11+ and -Wstringop-overflow enabled:
      
      arch/x86/mm/pgtable.c:437:13: warning: ‘preallocate_pmds.constprop’ accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
      arch/x86/mm/pgtable.c:440:13: warning: ‘preallocate_pmds.constprop’ accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
      arch/x86/mm/pgtable.c:462:9: warning: ‘free_pmds.constprop’ accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
      arch/x86/mm/pgtable.c:455:9: warning: ‘pgd_prepopulate_user_pmd’ accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
      arch/x86/mm/pgtable.c:464:9: warning: ‘free_pmds.constprop’ accessing 8 bytes in a region of size 0 [-Wstringop-overflow=]
      
      This is one of the last cases in the ongoing effort to globally enable
      -Wstringop-overflow.
      
      The alternative to this is to make the originally suggested change:
      make the pmds argument from an array pointer to a pointer pointer. That
      situation is considered "legal" for C in the sense that it does not have
      a way to reason about the storage. i.e.:
      
      -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
      +static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t **pmds)
      
      With the above change, there's no difference in binary output, and the
      compiler warning is silenced.
      
      However, with this patch, the compiler can actually figure out that it
      isn't using the code at all, and it gets dropped:
      
         text    data     bss     dec     hex filename
         8218     718      32    8968    2308 arch/x86/mm/pgtable.o.before
         7765     694      32    8491    212b arch/x86/mm/pgtable.o.after
      
      So this case (fixing a warning and reducing image size) is a clear win.
      
      Additionally drops an old work-around for GCC in the same code.
      
      Link: https://github.com/KSPP/linux/issues/203
      Link: https://github.com/KSPP/linux/issues/181Signed-off-by: default avatarGustavo A. R. Silva <gustavoars@kernel.org>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/Yytb67xvrnctxnEe@work
      25226df4
    • Kees Cook's avatar
      mm: Make ksize() a reporting-only function · 38931d89
      Kees Cook authored
      With all "silently resizing" callers of ksize() refactored, remove the
      logic in ksize() that would allow it to be used to effectively change
      the size of an allocation (bypassing __alloc_size hints, etc). Users
      wanting this feature need to either use kmalloc_size_roundup() before an
      allocation, or use krealloc() directly.
      
      For kfree_sensitive(), move the unpoisoning logic inline. Replace the
      some of the partially open-coded ksize() in __do_krealloc with ksize()
      now that it doesn't perform unpoisoning.
      
      Adjust the KUnit tests to match the new ksize() behavior. Execution
      tested with:
      
      $ ./tools/testing/kunit/kunit.py run \
      	--kconfig_add CONFIG_KASAN=y \
      	--kconfig_add CONFIG_KASAN_GENERIC=y \
      	--arch x86_64 kasan
      
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Roman Gushchin <roman.gushchin@linux.dev>
      Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
      Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Cc: linux-mm@kvack.org
      Cc: kasan-dev@googlegroups.com
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarDavid Rientjes <rientjes@google.com>
      Enhanced-by: default avatarAndrey Konovalov <andreyknvl@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      38931d89
  3. 23 Nov, 2022 1 commit
    • Kees Cook's avatar
      kunit/fortify: Validate __alloc_size attribute results · 9124a264
      Kees Cook authored
      Validate the effect of the __alloc_size attribute on allocators. If the
      compiler doesn't support __builtin_dynamic_object_size(), skip the
      associated tests.
      
      (For GCC, just remove the "--make_options" line below...)
      
      $ ./tools/testing/kunit/kunit.py run --arch x86_64 \
              --kconfig_add CONFIG_FORTIFY_SOURCE=y \
      	--make_options LLVM=1
              fortify
      ...
      [15:16:30] ================== fortify (10 subtests) ===================
      [15:16:30] [PASSED] known_sizes_test
      [15:16:30] [PASSED] control_flow_split_test
      [15:16:30] [PASSED] alloc_size_kmalloc_const_test
      [15:16:30] [PASSED] alloc_size_kmalloc_dynamic_test
      [15:16:30] [PASSED] alloc_size_vmalloc_const_test
      [15:16:30] [PASSED] alloc_size_vmalloc_dynamic_test
      [15:16:30] [PASSED] alloc_size_kvmalloc_const_test
      [15:16:30] [PASSED] alloc_size_kvmalloc_dynamic_test
      [15:16:30] [PASSED] alloc_size_devm_kmalloc_const_test
      [15:16:30] [PASSED] alloc_size_devm_kmalloc_dynamic_test
      [15:16:30] ===================== [PASSED] fortify =====================
      [15:16:30] ============================================================
      [15:16:30] Testing complete. Ran 10 tests: passed: 10
      [15:16:31] Elapsed time: 8.348s total, 0.002s configuring, 6.923s building, 1.075s running
      
      For earlier GCC prior to version 12, the dynamic tests will be skipped:
      
      [15:18:59] ================== fortify (10 subtests) ===================
      [15:18:59] [PASSED] known_sizes_test
      [15:18:59] [PASSED] control_flow_split_test
      [15:18:59] [PASSED] alloc_size_kmalloc_const_test
      [15:18:59] [SKIPPED] alloc_size_kmalloc_dynamic_test
      [15:18:59] [PASSED] alloc_size_vmalloc_const_test
      [15:18:59] [SKIPPED] alloc_size_vmalloc_dynamic_test
      [15:18:59] [PASSED] alloc_size_kvmalloc_const_test
      [15:18:59] [SKIPPED] alloc_size_kvmalloc_dynamic_test
      [15:18:59] [PASSED] alloc_size_devm_kmalloc_const_test
      [15:18:59] [SKIPPED] alloc_size_devm_kmalloc_dynamic_test
      [15:18:59] ===================== [PASSED] fortify =====================
      [15:18:59] ============================================================
      [15:18:59] Testing complete. Ran 10 tests: passed: 6, skipped: 4
      [15:18:59] Elapsed time: 11.965s total, 0.002s configuring, 10.540s building, 1.068s running
      
      Cc: David Gow <davidgow@google.com>
      Cc: linux-hardening@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      9124a264
  4. 18 Nov, 2022 3 commits
    • Nathan Chancellor's avatar
      drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() · 0ad811cc
      Nathan Chancellor authored
      With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
      indirect call targets are validated against the expected function
      pointer prototype to make sure the call target is valid to help mitigate
      ROP attacks. If they are not identical, there is a failure at run time,
      which manifests as either a kernel panic or thread getting killed. A
      proposed warning in clang aims to catch these at compile time, which
      reveals:
      
        drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
                .mode_valid = sti_hda_connector_mode_valid,
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
        drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
                .mode_valid = sti_dvo_connector_mode_valid,
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
        drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
                .mode_valid = sti_hdmi_connector_mode_valid,
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      ->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
      type of 'enum drm_mode_status', not 'int'. Adjust the return type of
      sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to
      resolve the warning and CFI failure.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/1750Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org
      0ad811cc
    • Nathan Chancellor's avatar
      drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() · 96d845a6
      Nathan Chancellor authored
      With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
      indirect call targets are validated against the expected function
      pointer prototype to make sure the call target is valid to help mitigate
      ROP attacks. If they are not identical, there is a failure at run time,
      which manifests as either a kernel panic or thread getting killed. A
      proposed warning in clang aims to catch these at compile time, which
      reveals:
      
        drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
                .mode_valid = fsl_dcu_drm_connector_mode_valid,
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        1 error generated.
      
      ->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
      type of 'enum drm_mode_status', not 'int'. Adjust the return type of
      fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve
      the warning and CFI failure.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/1750Reported-by: default avatarSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org
      96d845a6
    • Kees Cook's avatar
      driver core: Add __alloc_size hint to devm allocators · 74c8e6bf
      Kees Cook authored
      Mark the devm_*alloc()-family of allocations with appropriate
      __alloc_size()/__realloc_size() hints so the compiler can attempt to
      reason about buffer lengths from allocations.
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Nishanth Menon <nm@ti.com>
      Cc: Michael Kelley <mikelley@microsoft.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Won Chung <wonchung@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20221029074734.gonna.276-kees@kernel.org
      74c8e6bf
  5. 08 Nov, 2022 2 commits
  6. 02 Nov, 2022 1 commit
    • Kees Cook's avatar
      overflow: Introduce overflows_type() and castable_to_type() · 4b21d25b
      Kees Cook authored
      Implement a robust overflows_type() macro to test if a variable or
      constant value would overflow another variable or type. This can be
      used as a constant expression for static_assert() (which requires a
      constant expression[1][2]) when used on constant values. This must be
      constructed manually, since __builtin_add_overflow() does not produce
      a constant expression[3].
      
      Additionally adds castable_to_type(), similar to __same_type(), but for
      checking if a constant value would overflow if cast to a given type.
      
      Add unit tests for overflows_type(), __same_type(), and castable_to_type()
      to the existing KUnit "overflow" test:
      
      [16:03:33] ================== overflow (21 subtests) ==================
      ...
      [16:03:33] [PASSED] overflows_type_test
      [16:03:33] [PASSED] same_type_test
      [16:03:33] [PASSED] castable_to_type_test
      [16:03:33] ==================== [PASSED] overflow =====================
      [16:03:33] ============================================================
      [16:03:33] Testing complete. Ran 21 tests: passed: 21
      [16:03:33] Elapsed time: 24.022s total, 0.002s configuring, 22.598s building, 0.767s running
      
      [1] https://en.cppreference.com/w/c/language/_Static_assert
      [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions
      [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
          6.56 Built-in Functions to Perform Arithmetic with Overflow Checking
          Built-in Function: bool __builtin_add_overflow (type1 a, type2 b,
      
      Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Tom Rix <trix@redhat.com>
      Cc: Daniel Latypov <dlatypov@google.com>
      Cc: Vitor Massaru Iha <vitor@massaru.org>
      Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
      Cc: linux-hardening@vger.kernel.org
      Cc: llvm@lists.linux.dev
      Co-developed-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
      Signed-off-by: default avatarGwan-gyeong Mun <gwan-gyeong.mun@intel.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20221024201125.1416422-1-gwan-gyeong.mun@intel.com
      4b21d25b
  7. 01 Nov, 2022 10 commits
  8. 28 Oct, 2022 3 commits
  9. 25 Oct, 2022 3 commits
  10. 16 Oct, 2022 8 commits
    • Linus Torvalds's avatar
      Linux 6.1-rc1 · 9abf2313
      Linus Torvalds authored
      9abf2313
    • Linus Torvalds's avatar
      Merge tag 'random-6.1-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · f1947d7c
      Linus Torvalds authored
      Pull more random number generator updates from Jason Donenfeld:
       "This time with some large scale treewide cleanups.
      
        The intent of this pull is to clean up the way callers fetch random
        integers. The current rules for doing this right are:
      
         - If you want a secure or an insecure random u64, use get_random_u64()
      
         - If you want a secure or an insecure random u32, use get_random_u32()
      
           The old function prandom_u32() has been deprecated for a while
           now and is just a wrapper around get_random_u32(). Same for
           get_random_int().
      
         - If you want a secure or an insecure random u16, use get_random_u16()
      
         - If you want a secure or an insecure random u8, use get_random_u8()
      
         - If you want secure or insecure random bytes, use get_random_bytes().
      
           The old function prandom_bytes() has been deprecated for a while
           now and has long been a wrapper around get_random_bytes()
      
         - If you want a non-uniform random u32, u16, or u8 bounded by a
           certain open interval maximum, use prandom_u32_max()
      
           I say "non-uniform", because it doesn't do any rejection sampling
           or divisions. Hence, it stays within the prandom_*() namespace, not
           the get_random_*() namespace.
      
           I'm currently investigating a "uniform" function for 6.2. We'll see
           what comes of that.
      
        By applying these rules uniformly, we get several benefits:
      
         - By using prandom_u32_max() with an upper-bound that the compiler
           can prove at compile-time is ≤65536 or ≤256, internally
           get_random_u16() or get_random_u8() is used, which wastes fewer
           batched random bytes, and hence has higher throughput.
      
         - By using prandom_u32_max() instead of %, when the upper-bound is
           not a constant, division is still avoided, because
           prandom_u32_max() uses a faster multiplication-based trick instead.
      
         - By using get_random_u16() or get_random_u8() in cases where the
           return value is intended to indeed be a u16 or a u8, we waste fewer
           batched random bytes, and hence have higher throughput.
      
        This series was originally done by hand while I was on an airplane
        without Internet. Later, Kees and I worked on retroactively figuring
        out what could be done with Coccinelle and what had to be done
        manually, and then we split things up based on that.
      
        So while this touches a lot of files, the actual amount of code that's
        hand fiddled is comfortably small"
      
      * tag 'random-6.1-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        prandom: remove unused functions
        treewide: use get_random_bytes() when possible
        treewide: use get_random_u32() when possible
        treewide: use get_random_{u8,u16}() when possible, part 2
        treewide: use get_random_{u8,u16}() when possible, part 1
        treewide: use prandom_u32_max() when possible, part 2
        treewide: use prandom_u32_max() when possible, part 1
      f1947d7c
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-for-v6.1-2-2022-10-16' of... · 8636df94
      Linus Torvalds authored
      Merge tag 'perf-tools-for-v6.1-2-2022-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull more perf tools updates from Arnaldo Carvalho de Melo:
      
       - Use BPF CO-RE (Compile Once, Run Everywhere) to support old kernels
         when using bperf (perf BPF based counters) with cgroups.
      
       - Support HiSilicon PCIe Performance Monitoring Unit (PMU), that
         monitors bandwidth, latency, bus utilization and buffer occupancy.
      
         Documented in Documentation/admin-guide/perf/hisi-pcie-pmu.rst.
      
       - User space tasks can migrate between CPUs, so when tracing selected
         CPUs, system-wide sideband is still needed, fix it in the setup of
         Intel PT on hybrid systems.
      
       - Fix metricgroups title message in 'perf list', it should state that
         the metrics groups are to be used with the '-M' option, not '-e'.
      
       - Sync the msr-index.h copy with the kernel sources, adding support for
         using "AMD64_TSC_RATIO" in filter expressions in 'perf trace' as well
         as decoding it when printing the MSR tracepoint arguments.
      
       - Fix program header size and alignment when generating a JIT ELF in
         'perf inject'.
      
       - Add multiple new Intel PT 'perf test' entries, including a jitdump
         one.
      
       - Fix the 'perf test' entries for 'perf stat' CSV and JSON output when
         running on PowerPC due to an invalid topology number in that arch.
      
       - Fix the 'perf test' for arm_coresight failures on the ARM Juno
         system.
      
       - Fix the 'perf test' attr entry for PERF_FORMAT_LOST, adding this
         option to the or expression expected in the intercepted
         perf_event_open() syscall.
      
       - Add missing condition flags ('hs', 'lo', 'vc', 'vs') for arm64 in the
         'perf annotate' asm parser.
      
       - Fix 'perf mem record -C' option processing, it was being chopped up
         when preparing the underlying 'perf record -e mem-events' and thus
         being ignored, requiring using '-- -C CPUs' as a workaround.
      
       - Improvements and tidy ups for 'perf test' shell infra.
      
       - Fix Intel PT information printing segfault in uClibc, where a NULL
         format was being passed to fprintf.
      
      * tag 'perf-tools-for-v6.1-2-2022-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: (23 commits)
        tools arch x86: Sync the msr-index.h copy with the kernel sources
        perf auxtrace arm64: Add support for parsing HiSilicon PCIe Trace packet
        perf auxtrace arm64: Add support for HiSilicon PCIe Tune and Trace device driver
        perf auxtrace arm: Refactor event list iteration in auxtrace_record__init()
        perf tests stat+json_output: Include sanity check for topology
        perf tests stat+csv_output: Include sanity check for topology
        perf intel-pt: Fix system_wide dummy event for hybrid
        perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
        perf test: Fix attr tests for PERF_FORMAT_LOST
        perf test: test_intel_pt.sh: Add 9 tests
        perf inject: Fix GEN_ELF_TEXT_OFFSET for jit
        perf test: test_intel_pt.sh: Add jitdump test
        perf test: test_intel_pt.sh: Tidy some alignment
        perf test: test_intel_pt.sh: Print a message when skipping kernel tracing
        perf test: test_intel_pt.sh: Tidy some perf record options
        perf test: test_intel_pt.sh: Fix return checking again
        perf: Skip and warn on unknown format 'configN' attrs
        perf list: Fix metricgroups title message
        perf mem: Fix -C option behavior for perf mem record
        perf annotate: Add missing condition flags for arm64
        ...
      8636df94
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.1' of... · 2df76606
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y compile error for the
         combination of Clang >= 14 and GAS <= 2.35.
      
       - Drop vmlinux.bz2 from the rpm package as it just annoyingly increased
         the package size.
      
       - Fix modpost error under build environments using musl.
      
       - Make *.ll files keep value names for easier debugging
      
       - Fix single directory build
      
       - Prevent RISC-V from selecting the broken DWARF5 support when Clang
         and GAS are used together.
      
      * tag 'kbuild-fixes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5
        kbuild: fix single directory build
        kbuild: add -fno-discard-value-names to cmd_cc_ll_c
        scripts/clang-tools: Convert clang-tidy args to list
        modpost: put modpost options before argument
        kbuild: Stop including vmlinux.bz2 in the rpm's
        Kconfig.debug: add toolchain checks for DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
        Kconfig.debug: simplify the dependency of DEBUG_INFO_DWARF4/5
      2df76606
    • Linus Torvalds's avatar
      Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 2fcd8f10
      Linus Torvalds authored
      Pull more clk updates from Stephen Boyd:
       "This is the final part of the clk patches for this merge window.
      
        The clk rate range series needed another week to fully bake. Maxime
        fixed the bug that broke clk notifiers and prevented this from being
        included in the first pull request. He also added a unit test on top
        to make sure it doesn't break so easily again. The majority of the
        series fixes up how the clk_set_rate_*() APIs work, particularly
        around when the rate constraints are dropped and how they move around
        when reparenting clks. Overall it's a much needed improvement to the
        clk rate range APIs that used to be pretty broken if you looked
        sideways.
      
        Beyond the core changes there are a few driver fixes for a compilation
        issue or improper data causing clks to fail to register or have the
        wrong parents. These are good to get in before the first -rc so that
        the system actually boots on the affected devices"
      
      * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (31 commits)
        clk: tegra: Fix Tegra PWM parent clock
        clk: at91: fix the build with binutils 2.27
        clk: qcom: gcc-msm8660: Drop hardcoded fixed board clocks
        clk: mediatek: clk-mux: Add .determine_rate() callback
        clk: tests: Add tests for notifiers
        clk: Update req_rate on __clk_recalc_rates()
        clk: tests: Add missing test case for ranges
        clk: qcom: clk-rcg2: Take clock boundaries into consideration for gfx3d
        clk: Introduce the clk_hw_get_rate_range function
        clk: Zero the clk_rate_request structure
        clk: Stop forwarding clk_rate_requests to the parent
        clk: Constify clk_has_parent()
        clk: Introduce clk_core_has_parent()
        clk: Switch from __clk_determine_rate to clk_core_round_rate_nolock
        clk: Add our request boundaries in clk_core_init_rate_req
        clk: Introduce clk_hw_init_rate_request()
        clk: Move clk_core_init_rate_req() from clk_core_round_rate_nolock() to its caller
        clk: Change clk_core_init_rate_req prototype
        clk: Set req_rate on reparenting
        clk: Take into account uncached clocks in clk_set_rate_range()
        ...
      2fcd8f10
    • Linus Torvalds's avatar
      Merge tag '6.1-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · b08cd744
      Linus Torvalds authored
      Pull more cifs updates from Steve French:
      
       - fix a regression in guest mounts to old servers
      
       - improvements to directory leasing (caching directory entries safely
         beyond the root directory)
      
       - symlink improvement (reducing roundtrips needed to process symlinks)
      
       - an lseek fix (to problem where some dir entries could be skipped)
      
       - improved ioctl for returning more detailed information on directory
         change notifications
      
       - clarify multichannel interface query warning
      
       - cleanup fix (for better aligning buffers using ALIGN and round_up)
      
       - a compounding fix
      
       - fix some uninitialized variable bugs found by Coverity and the kernel
         test robot
      
      * tag '6.1-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: improve SMB3 change notification support
        cifs: lease key is uninitialized in two additional functions when smb1
        cifs: lease key is uninitialized in smb1 paths
        smb3: must initialize two ACL struct fields to zero
        cifs: fix double-fault crash during ntlmssp
        cifs: fix static checker warning
        cifs: use ALIGN() and round_up() macros
        cifs: find and use the dentry for cached non-root directories also
        cifs: enable caching of directories for which a lease is held
        cifs: prevent copying past input buffer boundaries
        cifs: fix uninitialised var in smb2_compound_op()
        cifs: improve symlink handling for smb2+
        smb3: clarify multichannel warning
        cifs: fix regression in very old smb1 mounts
        cifs: fix skipping to incorrect offset in emit_cached_dirents
      b08cd744
    • Tetsuo Handa's avatar
      Revert "cpumask: fix checking valid cpu range". · 80493877
      Tetsuo Handa authored
      This reverts commit 78e5a339 ("cpumask: fix checking valid cpu range").
      
      syzbot is hitting WARN_ON_ONCE(cpu >= nr_cpumask_bits) warning at
      cpu_max_bits_warn() [1], for commit 78e5a339 ("cpumask: fix checking
      valid cpu range") is broken.  Obviously that patch hits WARN_ON_ONCE()
      when e.g.  reading /proc/cpuinfo because passing "cpu + 1" instead of
      "cpu" will trivially hit cpu == nr_cpumask_bits condition.
      
      Although syzbot found this problem in linux-next.git on 2022/09/27 [2],
      this problem was not fixed immediately.  As a result, that patch was
      sent to linux.git before the patch author recognizes this problem, and
      syzbot started failing to test changes in linux.git since 2022/10/10
      [3].
      
      Andrew Jones proposed a fix for x86 and riscv architectures [4].  But
      [2] and [5] indicate that affected locations are not limited to arch
      code.  More delay before we find and fix affected locations, less tested
      kernel (and more difficult to bisect and fix) before release.
      
      We should have inspected and fixed basically all cpumask users before
      applying that patch.  We should not crash kernels in order to ask
      existing cpumask users to update their code, even if limited to
      CONFIG_DEBUG_PER_CPU_MAPS=y case.
      
      Link: https://syzkaller.appspot.com/bug?extid=d0fd2bf0dd6da72496dd [1]
      Link: https://syzkaller.appspot.com/bug?extid=21da700f3c9f0bc40150 [2]
      Link: https://syzkaller.appspot.com/bug?extid=51a652e2d24d53e75734 [3]
      Link: https://lkml.kernel.org/r/20221014155845.1986223-1-ajones@ventanamicro.com [4]
      Link: https://syzkaller.appspot.com/bug?extid=4d46c43d81c3bd155060 [5]
      Reported-by: default avatarAndrew Jones <ajones@ventanamicro.com>
      Reported-by: syzbot+d0fd2bf0dd6da72496dd@syzkaller.appspotmail.com
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Yury Norov <yury.norov@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      80493877
    • Nathan Chancellor's avatar
      lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5 · 0a6de78c
      Nathan Chancellor authored
      When building with a RISC-V kernel with DWARF5 debug info using clang
      and the GNU assembler, several instances of the following error appear:
      
        /tmp/vgettimeofday-48aa35.s:2963: Error: non-constant .uleb128 is not supported
      
      Dumping the .s file reveals these .uleb128 directives come from
      .debug_loc and .debug_ranges:
      
        .Ldebug_loc0:
                .byte   4                               # DW_LLE_offset_pair
                .uleb128 .Lfunc_begin0-.Lfunc_begin0    #   starting offset
                .uleb128 .Ltmp1-.Lfunc_begin0           #   ending offset
                .byte   1                               # Loc expr size
                .byte   90                              # DW_OP_reg10
                .byte   0                               # DW_LLE_end_of_list
      
        .Ldebug_ranges0:
                .byte   4                               # DW_RLE_offset_pair
                .uleb128 .Ltmp6-.Lfunc_begin0           #   starting offset
                .uleb128 .Ltmp27-.Lfunc_begin0          #   ending offset
                .byte   4                               # DW_RLE_offset_pair
                .uleb128 .Ltmp28-.Lfunc_begin0          #   starting offset
                .uleb128 .Ltmp30-.Lfunc_begin0          #   ending offset
                .byte   0                               # DW_RLE_end_of_list
      
      There is an outstanding binutils issue to support a non-constant operand
      to .sleb128 and .uleb128 in GAS for RISC-V but there does not appear to
      be any movement on it, due to concerns over how it would work with
      linker relaxation.
      
      To avoid these build errors, prevent DWARF5 from being selected when
      using clang and an assembler that does not have support for these symbol
      deltas, which can be easily checked in Kconfig with as-instr plus the
      small test program from the dwz test suite from the binutils issue.
      
      Link: https://sourceware.org/bugzilla/show_bug.cgi?id=27215
      Link: https://github.com/ClangBuiltLinux/linux/issues/1719Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      0a6de78c