1. 03 Apr, 2019 23 commits
    • Peter Zijlstra's avatar
      objtool: Add UACCESS validation · ea24213d
      Peter Zijlstra authored
      It is important that UACCESS regions are as small as possible;
      furthermore the UACCESS state is not scheduled, so doing anything that
      might directly call into the scheduler will cause random code to be
      ran with UACCESS enabled.
      
      Teach objtool too track UACCESS state and warn about any CALL made
      while UACCESS is enabled. This very much includes the __fentry__()
      and __preempt_schedule() calls.
      
      Note that exceptions _do_ save/restore the UACCESS state, and therefore
      they can drive preemption. This also means that all exception handlers
      must have an otherwise redundant UACCESS disable instruction;
      therefore ignore this warning for !STT_FUNC code (exception handlers
      are not normal functions).
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      ea24213d
    • Peter Zijlstra's avatar
      objtool: Fix sibling call detection · 54262aa2
      Peter Zijlstra authored
      It turned out that we failed to detect some sibling calls;
      specifically those without relocation records; like:
      
        $ ./objdump-func.sh defconfig-build/mm/kasan/generic.o __asan_loadN
        0000 0000000000000840 <__asan_loadN>:
        0000  840:      48 8b 0c 24             mov    (%rsp),%rcx
        0004  844:      31 d2                   xor    %edx,%edx
        0006  846:      e9 45 fe ff ff          jmpq   690 <check_memory_region>
      
      So extend the cross-function jump to also consider those that are not
      between known (or newly detected) parent/child functions, as
      sibling-cals when they jump to the start of the function.
      
      The second part of that condition is to deal with random jumps to the
      middle of other function, as can be found in
      arch/x86/lib/copy_user_64.S for example.
      
      This then (with later patches applied) makes the above recognise the
      sibling call:
      
        mm/kasan/generic.o: warning: objtool: __asan_loadN()+0x6: call to check_memory_region() with UACCESS enabled
      
      Also make sure to set insn->call_dest for sibling calls so we can know
      who we're calling. This is useful information when printing validation
      warnings later.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      54262aa2
    • Peter Zijlstra's avatar
      objtool: Rewrite alt->skip_orig · 764eef4b
      Peter Zijlstra authored
      Really skip the original instruction flow, instead of letting it
      continue with NOPs.
      
      Since the alternative code flow already continues after the original
      instructions, only the alt-original is skipped.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      764eef4b
    • Peter Zijlstra's avatar
      objtool: Add --backtrace support · 7697eee3
      Peter Zijlstra authored
      For when you want to know the path that reached your fail state:
      
        $ ./objtool check --no-fp --backtrace arch/x86/lib/usercopy_64.o
        arch/x86/lib/usercopy_64.o: warning: objtool: .altinstr_replacement+0x3: UACCESS disable without MEMOPs: __clear_user()
        arch/x86/lib/usercopy_64.o: warning: objtool:   __clear_user()+0x3a: (alt)
        arch/x86/lib/usercopy_64.o: warning: objtool:   __clear_user()+0x2e: (branch)
        arch/x86/lib/usercopy_64.o: warning: objtool:   __clear_user()+0x18: (branch)
        arch/x86/lib/usercopy_64.o: warning: objtool:   .altinstr_replacement+0xffffffffffffffff: (branch)
        arch/x86/lib/usercopy_64.o: warning: objtool:   __clear_user()+0x5: (alt)
        arch/x86/lib/usercopy_64.o: warning: objtool:   __clear_user()+0x0: <=== (func)
      
        0000000000000000 <__clear_user>:
          0:   e8 00 00 00 00          callq  5 <__clear_user+0x5>
                       1: R_X86_64_PLT32       __fentry__-0x4
          5:   90                      nop
          6:   90                      nop
          7:   90                      nop
          8:   48 89 f0                mov    %rsi,%rax
          b:   48 c1 ee 03             shr    $0x3,%rsi
          f:   83 e0 07                and    $0x7,%eax
         12:   48 89 f1                mov    %rsi,%rcx
         15:   48 85 c9                test   %rcx,%rcx
         18:   74 0f                   je     29 <__clear_user+0x29>
         1a:   48 c7 07 00 00 00 00    movq   $0x0,(%rdi)
         21:   48 83 c7 08             add    $0x8,%rdi
         25:   ff c9                   dec    %ecx
         27:   75 f1                   jne    1a <__clear_user+0x1a>
         29:   48 89 c1                mov    %rax,%rcx
         2c:   85 c9                   test   %ecx,%ecx
         2e:   74 0a                   je     3a <__clear_user+0x3a>
         30:   c6 07 00                movb   $0x0,(%rdi)
         33:   48 ff c7                inc    %rdi
         36:   ff c9                   dec    %ecx
         38:   75 f6                   jne    30 <__clear_user+0x30>
         3a:   90                      nop
         3b:   90                      nop
         3c:   90                      nop
         3d:   48 89 c8                mov    %rcx,%rax
         40:   c3                      retq
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      7697eee3
    • Peter Zijlstra's avatar
      objtool: Rewrite add_ignores() · aaf5c623
      Peter Zijlstra authored
      The whole add_ignores() thing was wildly weird; rewrite it according
      to 'modern' ways.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      aaf5c623
    • Peter Zijlstra's avatar
      objtool: Handle function aliases · 09f30d83
      Peter Zijlstra authored
      Function aliases result in different symbols for the same set of
      instructions; track a canonical symbol so there is a unique point of
      access.
      
      This again prepares the way for function attributes. And in particular
      the need for aliases comes from how KASAN uses them.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      09f30d83
    • Peter Zijlstra's avatar
      objtool: Set insn->func for alternatives · a4d09dde
      Peter Zijlstra authored
      In preparation of function attributes, we need each instruction to
      have a valid link back to its function.
      
      Therefore make sure we set the function association for alternative
      instruction sequences; they are, after all, still part of the function.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      a4d09dde
    • Peter Zijlstra's avatar
      x86/uaccess, kcov: Disable stack protector · 40ea9729
      Peter Zijlstra authored
      New tooling noticed this mishap:
      
        kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
        kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
      
      All the other instrumentation (KASAN,UBSAN) also have stack protector
      disabled.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      40ea9729
    • Peter Zijlstra's avatar
      x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP · 4a6c91fb
      Peter Zijlstra authored
      For CONFIG_TRACE_BRANCH_PROFILING=y the likely/unlikely things get
      overloaded and generate callouts to this code, and thus also when
      AC=1.
      
      Make it safe.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4a6c91fb
    • Peter Zijlstra's avatar
      x86/uaccess, ubsan: Fix UBSAN vs. SMAP · d08965a2
      Peter Zijlstra authored
      UBSAN can insert extra code in random locations; including AC=1
      sections. Typically this code is not safe and needs wrapping.
      
      So far, only __ubsan_handle_type_mismatch* have been observed in AC=1
      sections and therefore only those are annotated.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      d08965a2
    • Peter Zijlstra's avatar
      x86/uaccess, kasan: Fix KASAN vs SMAP · 57b78a62
      Peter Zijlstra authored
      KASAN inserts extra code for every LOAD/STORE emitted by te compiler.
      Much of this code is simple and safe to run with AC=1, however the
      kasan_report() function, called on error, is most certainly not safe
      to call with AC=1.
      
      Therefore wrap kasan_report() in user_access_{save,restore}; which for
      x86 SMAP, saves/restores EFLAGS and clears AC before calling the real
      function.
      
      Also ensure all the functions are without __fentry__ hook. The
      function tracer is also not safe.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      57b78a62
    • Peter Zijlstra's avatar
      x86/smap: Ditch __stringify() · a936af8e
      Peter Zijlstra authored
      Linus noticed all users of __ASM_STAC/__ASM_CLAC are with
      __stringify(). Just make them a string.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      a936af8e
    • Peter Zijlstra's avatar
      x86/uaccess: Introduce user_access_{save,restore}() · e74deb11
      Peter Zijlstra authored
      Introduce common helpers for when we need to safely suspend a
      uaccess section; for instance to generate a {KA,UB}SAN report.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      e74deb11
    • Peter Zijlstra's avatar
      x86/uaccess, signal: Fix AC=1 bloat · 88e47182
      Peter Zijlstra authored
      Occasionally GCC is less agressive with inlining and the following is
      observed:
      
        arch/x86/kernel/signal.o: warning: objtool: restore_sigcontext()+0x3cc: call to force_valid_ss.isra.5() with UACCESS enabled
        arch/x86/kernel/signal.o: warning: objtool: do_signal()+0x384: call to frame_uc_flags.isra.0() with UACCESS enabled
      
      Cure this by moving this code out of the AC=1 region, since it really
      isn't needed for the user access.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      88e47182
    • Peter Zijlstra's avatar
      x86/uaccess: Always inline user_access_begin() · b7f89bfe
      Peter Zijlstra authored
      If GCC out-of-lines it, the STAC and CLAC are in different fuctions
      and objtool gets upset.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      b7f89bfe
    • Peter Zijlstra's avatar
      x86/uaccess, xen: Suppress SMAP warnings · 4fc0f0e9
      Peter Zijlstra authored
      drivers/xen/privcmd.o: warning: objtool: privcmd_ioctl()+0x1414: call to hypercall_page() with UACCESS enabled
      
      Some Xen hypercalls allow parameter buffers in user land, so they need
      to set AC=1. Avoid the warning for those cases.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: andrew.cooper3@citrix.com
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4fc0f0e9
    • Peter Zijlstra's avatar
      x86/nospec, objtool: Introduce ANNOTATE_IGNORE_ALTERNATIVE · ff05ab23
      Peter Zijlstra authored
      To facillitate other usage of ignoring alternatives; rename
      ANNOTATE_NOSPEC_IGNORE to ANNOTATE_IGNORE_ALTERNATIVE.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      ff05ab23
    • Peter Zijlstra's avatar
      x86/uaccess: Fix up the fixup · b69656fa
      Peter Zijlstra authored
      New tooling got confused about this:
      
        arch/x86/lib/memcpy_64.o: warning: objtool: .fixup+0x7: return with UACCESS enabled
      
      While the code isn't wrong, it is tedious (if at all possible) to
      figure out what function a particular chunk of .fixup belongs to.
      
      This then confuses the objtool uaccess validation. Instead of
      returning directly from the .fixup, jump back into the right function.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      b69656fa
    • Peter Zijlstra's avatar
      x86/uaccess: Move copy_user_handle_tail() into asm · 3693ca81
      Peter Zijlstra authored
      By writing the function in asm we avoid cross object code flow and
      objtool no longer gets confused about a 'stray' CLAC.
      
      Also; the asm version is actually _simpler_.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      3693ca81
    • Peter Zijlstra's avatar
      i915, uaccess: Fix redundant CLAC · 8f4faed0
      Peter Zijlstra authored
      New tooling noticed this:
      
       drivers/gpu/drm/i915/i915_gem_execbuffer.o: warning: objtool: .altinstr_replacement+0x3c: redundant UACCESS disable
       drivers/gpu/drm/i915/i915_gem_execbuffer.o: warning: objtool: .altinstr_replacement+0x66: redundant UACCESS disable
      
      You don't need user_access_end() if user_access_begin() fails.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      8f4faed0
    • Peter Zijlstra's avatar
      x86/ia32: Fix ia32_restore_sigcontext() AC leak · 67a0514a
      Peter Zijlstra authored
      Objtool spotted that we call native_load_gs_index() with AC set.
      Re-arrange the code to avoid that.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      67a0514a
    • Josh Poimboeuf's avatar
      tracing: Improve "if" macro code generation · 37686b13
      Josh Poimboeuf authored
      With CONFIG_PROFILE_ALL_BRANCHES=y, the "if" macro converts the
      conditional to an array index.  This can cause GCC to create horrible
      code.  When there are nested ifs, the generated code uses register
      values to encode branching decisions.
      
      Make it easier for GCC to optimize by keeping the conditional as a
      conditional rather than converting it to an integer.  This shrinks the
      generated code quite a bit, and also makes the code sane enough for
      objtool to understand.
      Reported-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: brgerst@gmail.com
      Cc: catalin.marinas@arm.com
      Cc: dvlasenk@redhat.com
      Cc: dvyukov@google.com
      Cc: hpa@zytor.com
      Cc: james.morse@arm.com
      Cc: julien.thierry@arm.com
      Cc: luto@amacapital.net
      Cc: luto@kernel.org
      Cc: rostedt@goodmis.org
      Cc: valentin.schneider@arm.com
      Cc: will.deacon@arm.com
      Link: https://lkml.kernel.org/r/20190307174802.46fmpysxyo35hh43@trebleSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      37686b13
    • Peter Zijlstra's avatar
      sched/x86: Save [ER]FLAGS on context switch · 6690e86b
      Peter Zijlstra authored
      Effectively reverts commit:
      
        2c7577a7 ("sched/x86_64: Don't save flags on context switch")
      
      Specifically because SMAP uses FLAGS.AC which invalidates the claim
      that the kernel has clean flags.
      
      In particular; while preemption from interrupt return is fine (the
      IRET frame on the exception stack contains FLAGS) it breaks any code
      that does synchonous scheduling, including preempt_enable().
      
      This has become a significant issue ever since commit:
      
        5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      
      provided for means of having 'normal' C code between STAC / CLAC,
      exposing the FLAGS.AC state. So far this hasn't led to trouble,
      however fix it before it comes apart.
      Reported-by: default avatarJulien Thierry <julien.thierry@arm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org
      Fixes: 5b24a7a2 ("Add 'unsafe' user access functions for batched accesses")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      6690e86b
  2. 01 Apr, 2019 5 commits
  3. 31 Mar, 2019 9 commits
    • Linus Torvalds's avatar
      Linux 5.1-rc3 · 79a3aaa7
      Linus Torvalds authored
      79a3aaa7
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 63fc9c23
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "A collection of x86 and ARM bugfixes, and some improvements to
        documentation.
      
        On top of this, a cleanup of kvm_para.h headers, which were exported
        by some architectures even though they not support KVM at all. This is
        responsible for all the Kbuild changes in the diffstat"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        Documentation: kvm: clarify KVM_SET_USER_MEMORY_REGION
        KVM: doc: Document the life cycle of a VM and its resources
        KVM: selftests: complete IO before migrating guest state
        KVM: selftests: disable stack protector for all KVM tests
        KVM: selftests: explicitly disable PIE for tests
        KVM: selftests: assert on exit reason in CR4/cpuid sync test
        KVM: x86: update %rip after emulating IO
        x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init
        kvm/x86: Move MSR_IA32_ARCH_CAPABILITIES to array emulated_msrs
        KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
        kvm: don't redefine flags as something else
        kvm: mmu: Used range based flushing in slot_handle_level_range
        KVM: export <linux/kvm_para.h> and <asm/kvm_para.h> iif KVM is supported
        KVM: x86: remove check on nr_mmu_pages in kvm_arch_commit_memory_region()
        kvm: nVMX: Add a vmentry check for HOST_SYSENTER_ESP and HOST_SYSENTER_EIP fields
        KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)
        KVM: Reject device ioctls from processes other than the VM's creator
        KVM: doc: Fix incorrect word ordering regarding supported use of APIs
        KVM: x86: fix handling of role.cr4_pae and rename it to 'gpte_size'
        KVM: nVMX: Do not inherit quadrant and invalid for the root shadow EPT
        ...
      63fc9c23
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 915ee0da
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A pile of x86 updates:
      
         - Prevent exceeding he valid physical address space in the /dev/mem
           limit checks.
      
         - Move all header content inside the header guard to prevent compile
           failures.
      
         - Fix the bogus __percpu annotation in this_cpu_has() which makes
           sparse very noisy.
      
         - Disable switch jump tables completely when retpolines are enabled.
      
         - Prevent leaking the trampoline address"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/realmode: Make set_real_mode_mem() static inline
        x86/cpufeature: Fix __percpu annotation in this_cpu_has()
        x86/mm: Don't exceed the valid physical address space
        x86/retpolines: Disable switch jump tables when retpolines are enabled
        x86/realmode: Don't leak the trampoline kernel address
        x86/boot: Fix incorrect ifdeffery scope
        x86/resctrl: Remove unused variable
      915ee0da
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 590627f7
      Linus Torvalds authored
      Pull perf tooling fixes from Thomas Gleixner:
       "Core libraries:
         - Fix max perf_event_attr.precise_ip detection.
         - Fix parser error for uncore event alias
         - Fixup ordering of kernel maps after obtaining the main kernel map
           address.
      
        Intel PT:
         - Fix TSC slip where A TSC packet can slip past MTC packets so that
           the timestamp appears to go backwards.
         - Fixes for exported-sql-viewer GUI conversion to python3.
      
        ARM coresight:
         - Fix the build by adding a missing case value for enumeration value
           introduced in newer library, that now is the required one.
      
        tool headers:
         - Syncronize kernel headers with the kernel, getting new io_uring and
           pidfd_send_signal syscalls so that 'perf trace' can handle them"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf pmu: Fix parser error for uncore event alias
        perf scripts python: exported-sql-viewer.py: Fix python3 support
        perf scripts python: exported-sql-viewer.py: Fix never-ending loop
        perf machine: Update kernel map address and re-order properly
        tools headers uapi: Sync powerpc's asm/kvm.h copy with the kernel sources
        tools headers: Update x86's syscall_64.tbl and uapi/asm-generic/unistd
        tools headers uapi: Update drm/i915_drm.h
        tools arch x86: Sync asm/cpufeatures.h with the kernel sources
        tools headers uapi: Sync linux/fcntl.h to get the F_SEAL_FUTURE_WRITE addition
        tools headers uapi: Sync asm-generic/mman-common.h and linux/mman.h
        perf evsel: Fix max perf_event_attr.precise_ip detection
        perf intel-pt: Fix TSC slip
        perf cs-etm: Add missing case value
      590627f7
    • Linus Torvalds's avatar
      Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c29d8541
      Linus Torvalds authored
      Pull CPU hotplug fixes from Thomas Gleixner:
       "Two SMT/hotplug related fixes:
      
         - Prevent crash when HOTPLUG_CPU is disabled and the CPU bringup
           aborts. This is triggered with the 'nosmt' command line option, but
           can happen by any abort condition. As the real unplug code is not
           compiled in, prevent the fail by keeping the CPU in zombie state.
      
         - Enforce HOTPLUG_CPU for SMP on x86 to avoid the above situation
           completely. With 'nosmt' being a popular option it's required to
           unplug the half brought up sibling CPUs (due to the MCE wreckage)
           completely"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y
        cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n
      c29d8541
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 573efdc5
      Linus Torvalds authored
      Pull locking fixlet from Thomas Gleixner:
       "Trivial update to the maintainers file"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Remove deleted file from futex file pattern
      573efdc5
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f78b5be2
      Linus Torvalds authored
      Pull core fixes from Thomas Gleixner:
       "A small set of core updates:
      
         - Make the watchdog respect the selected CPU mask again. That was
           broken by the rework of the watchdog thread management and caused
           inconsistent state and NMI watchdog being unstoppable.
      
         - Ensure that the objtool build can find the libelf location.
      
         - Remove dead kcore stub code"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        watchdog: Respect watchdog cpumask on CPU hotplug
        objtool: Query pkg-config for libelf location
        proc/kcore: Remove unused kclist_add_remap()
      f78b5be2
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 6536c5f2
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Three non-regression fixes.
      
         - Our optimised memcmp could read past the end of one of the buffers
           and potentially trigger a page fault leading to an oops.
      
         - Some of our code to read energy management data on PowerVM had an
           endian bug leading to bogus results.
      
         - When reporting a machine check exception we incorrectly reported
           TLB multihits as D-Cache multhits due to a missing entry in the
           array of causes.
      
        Thanks to: Chandan Rajendra, Gautham R. Shenoy, Mahesh Salgaonkar,
        Segher Boessenkool, Vaidyanathan Srinivasan"
      
      * tag 'powerpc-5.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries/mce: Fix misleading print for TLB mutlihit
        powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes
        powerpc/64: Fix memcmp reading past the end of src/dest
      6536c5f2
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.1-rc3' of git://git.infradead.org/users/vkoul/slave-dma · c877b3df
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - Revert "dmaengine: stm32-mdma: Add a check on read_u32_array" as that
         caused regression
      
       - Fix MAINTAINER file uniphier-mdmac.c file path
      
      * tag 'dmaengine-fix-5.1-rc3' of git://git.infradead.org/users/vkoul/slave-dma:
        MAINTAINERS: Fix uniphier-mdmac.c file path
        dmaengine: stm32-mdma: Revert "dmaengine: stm32-mdma: Add a check on read_u32_array"
      c877b3df
  4. 30 Mar, 2019 3 commits
    • Linus Torvalds's avatar
      Merge tag 'led-fixes-for-5.1-rc3' of... · b5c8314f
      Linus Torvalds authored
      Merge tag 'led-fixes-for-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fixes from Jacek Anaszewski:
      
       - fix refcnt leak on interface rename
      
       - use memcpy in device_name_store() to avoid including garbage from a
         previous, longer value in the device_name
      
       - fix a potential NULL pointer dereference in case of_match_device()
         cannot find a match
      
      * tag 'led-fixes-for-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: trigger: netdev: use memcpy in device_name_store
        leds: pca9532: fix a potential NULL pointer dereference
        leds: trigger: netdev: fix refcnt leak on interface rename
      b5c8314f
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 3af9a525
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "As you can see [in the git history] I was away on leave and Bartosz
        kindly stepped in and collected a slew of fixes, I pulled them into my
        tree in two sets and merged some two more fixes (fixing my own caused
        bugs) on top.
      
        Summary:
      
         - Revert the extended use of gpio_set_config() and think about how we
           can do this properly.
      
         - Fix up the SPI CS GPIO handling so it now works properly on the SPI
           bus children, as intended.
      
         - Error paths and driver fixes"
      
      * tag 'gpio-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: mockup: use simple_read_from_buffer() in debugfs read callback
        gpio: of: Fix of_gpiochip_add() error path
        gpio: of: Check for "spi-cs-high" in child instead of parent node
        gpio: of: Check propname before applying "cs-gpios" quirks
        gpio: mockup: fix debugfs read
        Revert "gpio: use new gpio_set_config() helper in more places"
        gpio: aspeed: fix a potential NULL pointer dereference
        gpio: amd-fch: Fix bogus SPDX identifier
        gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
        gpio: exar: add a check for the return value of ida_simple_get fails
      3af9a525
    • Rasmus Villemoes's avatar
      leds: trigger: netdev: use memcpy in device_name_store · 90934643
      Rasmus Villemoes authored
      If userspace doesn't end the input with a newline (which can easily
      happen if the write happens from a C program that does write(fd,
      iface, strlen(iface))), we may end up including garbage from a
      previous, longer value in the device_name. For example
      
      # cat device_name
      
      # printf 'eth12' > device_name
      # cat device_name
      eth12
      # printf 'eth3' > device_name
      # cat device_name
      eth32
      
      I highly doubt anybody is relying on this behaviour, so switch to
      simply copying the bytes (we've already checked that size is <
      IFNAMSIZ) and unconditionally zero-terminate it; of course, we also
      still have to strip a trailing newline.
      
      This is also preparation for future patches.
      
      Fixes: 06f502f5 ("leds: trigger: Introduce a NETDEV trigger")
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      90934643