- 27 Sep, 2018 7 commits
-
-
Eric W. Biederman authored
Not all of the signals passed to __do_user_fault can be handled the same way so expand the now tiny __do_user_fault in it's callers and remove it. Reviewed-by:
Catalin Marinas <catalin.marinas@arm.com> Tested-by:
"Eric W. Biederman" <ebiederm@xmission.com>
-
Eric W. Biederman authored
It gets easy to confuse what is going on when some code is shared and some not so stop sharing the trivial bits of signal generation to make future updates easier to understand. Reviewed-by:
-
Eric W. Biederman authored
These two cases are practically the same and use siginfo differently from the other signals sent from do_page_fault. So consolidate them to make future changes easier. Reviewed-by:
-
Eric W. Biederman authored
This pepares for sending signals with something other than arm64_force_sig_info. Reviewed-by:
-
Eric W. Biederman authored
Filling in siginfo is error prone and so it is wise to use more specialized helpers to do that work. Factor out the arm specific unhandled signal reporting from the work of delivering a signal so the code can be modified to use functions that take the information to fill out siginfo as parameters. Reviewed-by:
-
Eric W. Biederman authored
Every caller passes in current for tsk so there is no need to pass tsk. Instead make tsk a local variable initialized to current. Reviewed-by:
-
Eric W. Biederman authored
Instead of generating a struct siginfo before calling arm64_notify_die pass the signal number, tne sicode and the fault address into arm64_notify_die and have it call force_sig_fault instead of force_sig_info to let the generic code generate the struct siginfo. This keeps code passing just the needed information into siginfo generating code, making it easier to see what is happening and harder to get wrong. Further by letting the generic code handle the generation of struct siginfo it reduces the number of sites generating struct siginfo making it possible to review them and verify that all of the fiddly details for a structure passed to userspace are handled properly. Reviewed-by:
-
- 21 Sep, 2018 22 commits
-
-
Eric W. Biederman authored
Reviewed-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
-
Eric W. Biederman authored
Call force_sig_pkuerr directly instead of rolling it by hand in _exception_pkey. Reviewed-by:
-
Eric W. Biederman authored
Now that _exception no longer calls _exception_pkey it is no longer necessary to handle any signal with any si_code. All pkey exceptions are SIGSEGV with paired with SEGV_PKUERR. So just handle that case and remove the now unnecessary parameters from _exception_pkey. Reviewed-by:
-
Eric W. Biederman authored
The callers of _exception don't need the pkey exception logic because they are not processing a pkey exception. So just call exception_common directly and then call force_sig_fault to generate the appropriate siginfo and deliver the appropriate signal. Reviewed-by:
-
Eric W. Biederman authored
It is brittle and wrong to populate si_pkey when there was not a pkey exception. The field does not exist for all si_codes and in some cases another field exists in the same memory location. So factor out the code that all exceptions handlers must run into exception_common, leaving the individual exception handlers to generate the signals themselves. Reviewed-by:
-
Eric W. Biederman authored
Now that bad_key_fault_exception no longer calls __bad_area_nosemaphore there is no reason for __bad_area_nosemaphore to handle pkeys. Reviewed-by:
-
Eric W. Biederman authored
This removes the need for other code paths to deal with pkey exceptions. Reviewed-by:
-
Eric W. Biederman authored
There are no callers of __bad_area that pass in a pkey parameter so it makes no sense to take one. Reviewed-by:
-
Eric W. Biederman authored
In do_sigbus isolate the mceerr signaling code and call force_sig_mceerr instead of falling through to the force_sig_info that works for all of the other signals. Reviewed-by:
-
Eric W. Biederman authored
Reviewed-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
-
Eric W. Biederman authored
Now that si_code == SEGV_PKUERR is the flag indicating that a pkey is present there is no longer a need to pass a pointer to a local pkey value, instead pkey can be passed more efficiently by value. Reviewed-by:
-
Eric W. Biederman authored
Now that the pkey handling has been removed force_sig_info_fault and force_sig_fault perform identical work. Just the type of the address paramter is different. So replace calls to force_sig_info_fault with calls to force_sig_fault, and remove force_sig_info_fault. Reviewed-by:
-
Eric W. Biederman authored
There is only one code path that can generate a pkuerr signal. That code path calls __bad_area_nosemaphore and can be dectected by testing if si_code == SEGV_PKUERR. It can be seen from inspection that all of the other tests in fill_sig_info_pkey are unnecessary. Therefore call force_sig_pkuerr directly from __bad_area_semaphore and remove fill_sig_info_pkey. At the same time move the comment above force_sig_info_pkey into bad_area_access_error, so that the documentation about pkey generation races is not lost. Reviewed-by:
-
Eric W. Biederman authored
There is only one caller of __bad_area that passes in PKUERR and thus will generate a siginfo with si_pkey set. Therefore simplify the logic and hoist reading of vma_pkey up into that caller, and just pass *pkey into __bad_area. Reviewed-by:
-
Eric W. Biederman authored
There are no more users of the computed pkey value in __do_page_fault so stop computing the value. Reviewed-by:
-
Eric W. Biederman authored
After the previous cleanups to do_sigbus and and bad_area_nosemaphore mm_fault_error no now longer uses it's pkey parameter. Therefore remove the unused parameter. Reviewed-by:
-
Eric W. Biederman authored
The function do_sigbus never sets si_code to PKUERR so it can never return a pkey to userspace. Therefore remove the unusable pkey parameter from do_sigbus. Reviewed-by:
-
Eric W. Biederman authored
The function bad_area_nosemaphore always sets si_code to SEGV_MAPERR and as such can never return a pkey parameter. Therefore remove the unusable pkey parameter from bad_area_nosemaphore. Reviewed-by:
-
Eric W. Biederman authored
Update the DO_ERROR macro to take si_code and si_addr values for a siginfo, removing the need for the fill_trap_info function. Update do_trap to also take the sicode and si_addr values for a sigininfo and modify the code to call force_sig when a sicode is not passed in and to call force_sig_fault when all of the information is present. Making this a more obvious, simpler and less error prone construction. Reviewed-by:
-
Eric W. Biederman authored
The function "force_sig(sig, tsk)" is equivalent to " force_sig_info(sig, SEND_SIG_PRIV, tsk)". Using the siginfo variants can be error prone so use the simpler old fashioned force_sig variant, and with luck the force_sig_info variant can go away. Reviewed-by:
-
Eric W. Biederman authored
Instead of generating the siginfo in x86 specific code use the new helper function force_sig_bnderr to separate the concerns of collecting the information and generating a proper siginfo. Making the code easier to understand and maintain. Reviewed-by:
-
Eric W. Biederman authored
The function do_trap_no_signal embodies almost all of the work of the function do_trap. The exceptions are setting of thread.error_code and thread.trap_nr in the case when the signal will be sent, and reporting which signal will be sent with show_signal. Filling in struct siginfo and then calling do_trap is problematic as filling in struct siginfo is an fiddly process that can through inattention has resulted in fields not initialized and the wrong fields being filled in. To avoid this error prone situation I am replacing force_sig_info with a set of functions that take as arguments the information needed to send a specific kind of signal. The function do_trap is called in the context of several different kinds of signals today. Having a solid do_trap_no_signal that can be reused allows call sites that send different kinds of signals to reuse all of the code in do_trap_no_signal. Modify do_trap_no_signal to have a single exit there signals where be sent (aka returning -1) to allow more of the signal sending path to be moved to from do_trap to do_trap_no_signal. Move setting thread.trap_nr and thread.error_code into do_trap_no_signal so the code does not need to be duplicated. Make the type of the string that is passed into do_trap_no_signal to const. The only user of that str is die and it already takes a const string, so this just makes it explicit that the string won't change. All of this prepares the way for using do_trap_no_signal outside of do_trap. Reviewed-by:
-
- 19 Sep, 2018 7 commits
-
-
Eric W. Biederman authored
The code for conditionally printing unhanded signals is duplicated twice in arch/x86/kernel/traps.c. Factor it out into it's own subroutine called show_signal to make the code clearer and easier to maintain. Reviewed-by:
-
Eric W. Biederman authored
This separates the logic of generating the signal from the logic of gathering the information about the bounds violation. Reviewed-by:
-
Eric W. Biederman authored
The value passed in to addr_referenced is of type void __user *, so update the addr_referenced parameter in trace_mpx_bounds_register_exception to match. Also update the addr_referenced paramater in TP_STRUCT__entry as it again holdes the same value. I don't know why this was missed earlier but sparse was complaining when testing test branch so fix this now. Reviewed-by:
-
Eric W. Biederman authored
This simplifies the code making it clearer what is going on. Reviewed-by:
-
Eric W. Biederman authored
Only the call from do_sigbus will send SIGBUS due to a memory machine check error. Consolidate all of the machine check signal generation code in do_sigbus and remove the now unnecessary fault parameter from force_sig_info_fault. Explicitly use the now constant si_code BUS_ADRERR in the call to force_sig_info_fault from do_sigbus. This makes the code in arch/x86/mm/fault.c easier to follower and simpler to maintain. Reviewed-by:
-
Eric W. Biederman authored
The function fill_sigtrap_info now only has one caller so remove it and put it's contents in it's caller. Reviewed-by:
-
Eric W. Biederman authored
Replace user_single_step_siginfo with user_single_step_report that allocates siginfo structure on the stack and sends it. This allows tracehook_report_syscall_exit to become a simple if statement that calls user_single_step_report or ptrace_report_syscall depending on the value of step. Update the default helper function now called user_single_step_report to explicitly set si_code to SI_USER and to set si_uid and si_pid to 0. The default helper has always been doing this (using memset) but it was far from obvious. The powerpc helper can now just call force_sig_fault. The x86 helper can now just call send_sigtrap. Unfortunately the default implementation of user_single_step_report can not use force_sig_fault as it does not use a SIGTRAP si_code. So it has to carefully setup the siginfo and use use force_sig_info. The net result is code that is easier to understand and simpler to maintain. Ref: 85ec7fd9 ("ptrace: introduce user_single_step_siginfo() helper") Reviewed-by:
-
- 16 Sep, 2018 4 commits
-
-
Eric W. Biederman authored
For readability and consistency with the other exports in kernel/signal.c pair the exports of signal sending functions with their functions, instead of having the exports in one big clump. Signed-off-by: -
Eric W. Biederman authored
This function is static and it only has two callers. As specific_send_sig_info is only called twice remembering what specific_send_sig_info does when reading the code is difficutl and it makes it hard to see which sending sending functions are equivalent to which others. So remove specific_send_sig_info to make the code easier to read. Signed-off-by: -
Eric W. Biederman authored
Replace send_sig_info in zap_pid_ns_processes with group_send_sig_info. This makes more sense as the entire process group is being killed. More importantly this allows the kill of those processes with PIDTYPE_MAX to indicate all of the process in the pid namespace are being signaled. This is needed for fork to detect when signals are sent to a group of processes. Admittedly fork has another case to catch SIGKILL but the principle remains that it is desirable to know when a group of processes is being signaled. Signed-off-by: -
Eric W. Biederman authored
Replace send_sig and force_sig in __do_SAK with group_send_sig_info the general helper for sending a signal to a process group. This is wordier but it allows specifying PIDTYPE_SID so that the signal code knows the signal went to a session. Both force_sig() and send_sig(..., 1) specify SEND_SIG_PRIV and the new call of group_send_sig_info does that explicitly. This is enough to ensure even a pid namespace init is killed. The global init remains unkillable. The guarantee that __do_SAK tries to provide is a clean path to login to a machine. As the global init is unkillable, if it chooses to hold open a tty it can violate this guarantee. A technique other than killing processes would be needed to provide this guarantee to userspace. The only difference between force_sig and send_sig when sending SIGKILL is that SIGNAL_UNKILLABLE is cleared. This has no affect on the processing of a signal sent with SEND_SIG_PRIV by any process, making it unnecessary, and not behavior that needs to be preserved. force_sig was used originally because it did not take as many locks as send_sig. Today send_sig, force_sig and group_send_sig_info take the same locks when delivering a signal. group_send_sig_info also contains a permission check that force_sig and send_sig do not. However the presence of SEND_SIG_PRIV makes the permission check a noop. So the permission check does not result in any behavioral differences. Signed-off-by:
-
