1. 02 Mar, 2016 3 commits
  2. 01 Mar, 2016 9 commits
    • Kees Cook's avatar
      lkdtm: improve use-after-free tests · 7c0ae5be
      Kees Cook authored
      This improves the order of operations on the use-after-free tests to
      try to make sure we've executed any available sanity-checking code,
      and to report the poisoning that was found.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      7c0ae5be
    • David Windsor's avatar
      lkdtm: add test for atomic_t underflow/overflow · 5fd9e480
      David Windsor authored
      dmesg output of running this LKDTM test with PaX:
      
      [187095.475573] lkdtm: No crash points registered, enable through debugfs
      [187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
      [187118.030045] lkdtm: attempting atomic underflow
      [187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
      [187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.111321] RIP: 0010:[<ffffffffc00fc2fe>]  [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
      ...
      [187118.128074] lkdtm: attempting atomic overflow
      [187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
      [187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.128092] RIP: 0010:[<ffffffffc00fc316>]  [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
      Signed-off-by: default avatarDavid Windsor <dave@progbits.org>
      [cleaned up whitespacing, keescook]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      5fd9e480
    • Laura Abbott's avatar
      lkdtm: Add read/write after free tests for buddy memory · 920d451f
      Laura Abbott authored
      The current tests for read/write after free work on slab
      allocated memory. Memory straight from the buddy allocator
      may behave slightly differently and have a different set
      of parameters to test. Add tests for those cases as well.
      
      On a basic x86 boot:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   22.292983] lkdtm: Writing to the buddy page before free
      [   22.293950] lkdtm: Attempting bad write to the buddy page after free
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   32.379896] lkdtm: Value in memory before free: 12345678
      [   32.383854] lkdtm: Attempting to read from freed memory
      [   32.389309] lkdtm: Buddy page was not poisoned
      
      On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   17.477360] lkdtm: Writing to the buddy page before free
      [   17.479089] lkdtm: Attempting bad write to the buddy page after free
      [   17.480904] BUG: unable to handle kernel paging request at
      ffff88000ebd8000
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   14.607447] lkdtm: Value in memory before free: 12345678
      [   14.608161] lkdtm: Attempting to read from freed memory
      [   14.608860] BUG: unable to handle kernel paging request at
      ffff88000eba3000
      
      Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
      produce the same crash.
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      920d451f
    • Laura Abbott's avatar
      lkdtm: Update WRITE_AFTER_FREE test · 250a8988
      Laura Abbott authored
      The SLUB allocator may use the first word of a freed block to store the
      freelist information. This may make it harder to test poisoning
      features. Change the WRITE_AFTER_FREE test to better match what
      the READ_AFTER_FREE test does and also print out a big more information.
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      250a8988
    • Laura Abbott's avatar
      lkdtm: Add READ_AFTER_FREE test · bc0b8cc6
      Laura Abbott authored
      In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
      test to test free poisoning features. Sample output when
      no sanitization is present:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
      [   17.543866] lkdtm: Value in memory before free: 12345678
      [   17.545212] lkdtm: Attempting bad read from freed memory
      [   17.546542] lkdtm: Memory was not poisoned
      
      with slub_debug=P:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
      [   22.416366] lkdtm: Value in memory before free: 12345678
      [   22.417137] lkdtm: Attempting bad read from freed memory
      [   22.417897] lkdtm: Memory correctly poisoned, calling BUG
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      bc0b8cc6
    • Kees Cook's avatar
      MAINTAINERS: add myself as lkdtm maintainer · ea861d73
      Kees Cook authored
      Officially claim maintainership over the LKDTM code.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      ea861d73
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 7d46af20
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) System call tracing doesn't handle register contents properly across
          the trace.  From Mike Frysinger.
      
       2) Hook up copy_file_range
      
       3) Build fix for 32-bit with newer tools.
      
       4) New sun4v watchdog driver, from Wim Coekaerts.
      
       5) Set context system call has to allow for servicable faults when we
          flush the register windows to memory
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix sparc64_set_context stack handling.
        sparc32: Add -Wa,-Av8 to KBUILD_CFLAGS.
        Add sun4v_wdt watchdog driver
        sparc: Fix system call tracing register handling.
        sparc: Hook up copy_file_range syscall.
      7d46af20
    • David S. Miller's avatar
      sparc64: Fix sparc64_set_context stack handling. · 397d1533
      David S. Miller authored
      Like a signal return, we should use synchronize_user_stack() rather
      than flush_user_windows().
      Reported-by: default avatarIlya Malakhov <ilmalakhovthefirst@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      397d1533
    • David S. Miller's avatar
      sparc32: Add -Wa,-Av8 to KBUILD_CFLAGS. · 22be3b10
      David S. Miller authored
      Binutils used to be (erroneously) extremely permissive about
      instruction usage.  But that got fixed and if you don't properly tell
      it to accept classes of instructions it will fail.
      
      This uncovered a specs bug on sparc in gcc where it wouldn't pass the
      proper options to binutils options.
      
      Deal with this in the kernel build by adding -Wa,-Av8 to KBUILD_CFLAGS.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22be3b10
  3. 29 Feb, 2016 1 commit
  4. 28 Feb, 2016 15 commits
    • Linus Torvalds's avatar
      Linux 4.5-rc6 · fc77dbd3
      Linus Torvalds authored
      fc77dbd3
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1b9540ce
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "A rather largish series of 12 patches addressing a maze of race
        conditions in the perf core code from Peter Zijlstra"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf: Robustify task_function_call()
        perf: Fix scaling vs. perf_install_in_context()
        perf: Fix scaling vs. perf_event_enable()
        perf: Fix scaling vs. perf_event_enable_on_exec()
        perf: Fix ctx time tracking by introducing EVENT_TIME
        perf: Cure event->pending_disable race
        perf: Fix race between event install and jump_labels
        perf: Fix cloning
        perf: Only update context time when active
        perf: Allow perf_release() with !event->ctx
        perf: Do not double free
        perf: Close install vs. exit race
      1b9540ce
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b696dcb
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "This update contains:
      
         - Hopefully the last ASM CLAC fixups
      
         - A fix for the Quark family related to the IMR lock which makes
           kexec work again
      
         - A off-by-one fix in the MPX code.  Ironic, isn't it?
      
         - A fix for X86_PAE which addresses once more an unsigned long vs
           phys_addr_t hickup"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mpx: Fix off-by-one comparison with nr_registers
        x86/mm: Fix slow_virt_to_phys() for X86_PAE again
        x86/entry/compat: Add missing CLAC to entry_INT80_32
        x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32
        x86/platform/intel/quark: Change the kernel's IMR lock bit to false
      4b696dcb
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 76c03f0f
      Linus Torvalds authored
      Pull scheduler fixlet from Thomas Gleixner:
       "A trivial printk typo fix"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/deadline: Fix trivial typo in printk() message
      76c03f0f
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f055ae04
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "Four small fixes for irqchip drivers:
      
         - Add missing low level irq handler initialization on mxs, so
           interrupts can acutally be delivered
      
         - Add a missing barrier to the GIC driver
      
         - Two fixes for the GIC-V3-ITS driver, addressing a double EOI write
           and a cache flush beyond the actual region"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
        irqchip/mxs: Add missing set_handle_irq()
        irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
        irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1
      f055ae04
    • Linus Torvalds's avatar
      Merge tag 'staging-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 8da51430
      Linus Torvalds authored
      Pull staging/android fix from Greg KH:
       "Here is one patch, for the android binder driver, to resolve a
        reported problem.  Turns out it has been around for a while (since
        3.15), so it is good to finally get it resolved.
      
        It has been in linux-next for a while with no reported issues"
      
      * tag 'staging-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE
      8da51430
    • Linus Torvalds's avatar
      Merge tag 'usb-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 62718e30
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a few USB fixes for 4.5-rc6
      
        They fix a reported bug for some USB 3 devices by reverting the recent
        patch, a MAINTAINERS change for some drivers, some new device ids, and
        of course, the usual bunch of USB gadget driver fixes.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'usb-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        MAINTAINERS: drop OMAP USB and MUSB maintainership
        usb: musb: fix DMA for host mode
        usb: phy: msm: Trigger USB state detection work in DRD mode
        usb: gadget: net2280: fix endpoint max packet for super speed connections
        usb: gadget: gadgetfs: unregister gadget only if it got successfully registered
        usb: gadget: remove driver from pending list on probe error
        Revert "usb: hub: do not clear BOS field during reset device"
        usb: chipidea: fix return value check in ci_hdrc_pci_probe()
        usb: chipidea: error on overflow for port_test_write
        USB: option: add "4G LTE usb-modem U901"
        USB: cp210x: add IDs for GE B650V3 and B850V3 boards
        USB: option: add support for SIM7100E
        usb: musb: Fix DMA desired mode for Mentor DMA engine
        usb: gadget: fsl_qe_udc: fix IS_ERR_VALUE usage
        usb: dwc2: USB_DWC2 should depend on HAS_DMA
        usb: dwc2: host: fix the data toggle error in full speed descriptor dma
        usb: dwc2: host: fix logical omissions in dwc2_process_non_isoc_desc
        usb: dwc3: Fix assignment of EP transfer resources
        usb: dwc2: Add extra delay when forcing dr_mode
      62718e30
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 12b9fa6a
      Linus Torvalds authored
      Pull vfs fixes from Al Viro.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        do_last(): ELOOP failure exit should be done after leaving RCU mode
        should_follow_link(): validate ->d_seq after having decided to follow
        namei: ->d_inode of a pinned dentry is stable only for positives
        do_last(): don't let a bogus return value from ->open() et.al. to confuse us
        fs: return -EOPNOTSUPP if clone is not supported
        hpfs: don't truncate the file when delete fails
      12b9fa6a
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 340b3a5b
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "We didn't have a batch last week, so this one is slightly larger.
      
        None of them are scary though, a handful of fixes for small DT pieces,
        replacing properties with newer conventions.
      
        Highlights:
         - N900 fix for setting system revision
         - onenand init fix to avoid filesystem corruption
         - Clock fix for audio on Beaglebone-x15
         - Fixes on shmobile to deal with CONFIG_DEBUG_RODATA (default y in 4.6)
      
        + misc smaller stuff"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        MAINTAINERS: Extend info, add wiki and ml for meson arch
        MAINTAINERS: alpine: add a new maintainer and update the entry
        ARM: at91/dt: fix typo in sama5d2 pinmux descriptions
        ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption
        Revert "regulator: tps65217: remove tps65217.dtsi file"
        ARM: shmobile: Remove shmobile_boot_arg
        ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss
        ARM: shmobile: r8a7779: Remove remainings of removed SCU boot setup code
        ARM: shmobile: Move shmobile_scu_base from .text to .bss
        ARM: OMAP2+: Fix omap_device for module reload on PM runtime forbid
        ARM: OMAP2+: Improve omap_device error for driver writers
        ARM: DTS: am57xx-beagle-x15: Select SYS_CLK2 for audio clocks
        ARM: dts: am335x/am57xx: replace gpio-key,wakeup with wakeup-source property
        ARM: OMAP2+: Set system_rev from ATAGS for n900
        ARM: dts: orion5x: fix the missing mtd flash on linkstation lswtgl
        ARM: dts: kirkwood: use unique machine name for ds112
        ARM: dts: imx6: remove bogus interrupt-parent from CAAM node
      340b3a5b
    • Al Viro's avatar
      do_last(): ELOOP failure exit should be done after leaving RCU mode · 5129fa48
      Al Viro authored
      ... or we risk seeing a bogus value of d_is_symlink() there.
      
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5129fa48
    • Al Viro's avatar
      should_follow_link(): validate ->d_seq after having decided to follow · a7f77542
      Al Viro authored
      ... otherwise d_is_symlink() above might have nothing to do with
      the inode value we've got.
      
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a7f77542
    • Al Viro's avatar
      namei: ->d_inode of a pinned dentry is stable only for positives · d4565649
      Al Viro authored
      both do_last() and walk_component() risk picking a NULL inode out
      of dentry about to become positive, *then* checking its flags and
      seeing that it's not negative anymore and using (already stale by
      then) value they'd fetched earlier.  Usually ends up oopsing soon
      after that...
      
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d4565649
    • Al Viro's avatar
      do_last(): don't let a bogus return value from ->open() et.al. to confuse us · c80567c8
      Al Viro authored
      ... into returning a positive to path_openat(), which would interpret that
      as "symlink had been encountered" and proceed to corrupt memory, etc.
      It can only happen due to a bug in some ->open() instance or in some LSM
      hook, etc., so we report any such event *and* make sure it doesn't trick
      us into further unpleasantness.
      
      Cc: stable@vger.kernel.org # v3.6+, at least
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c80567c8
    • Christoph Hellwig's avatar
      fs: return -EOPNOTSUPP if clone is not supported · 0fcbf996
      Christoph Hellwig authored
      -EBADF is a rather confusing error if an operations is not supported,
      and nfsd gets rather upset about it.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0fcbf996
    • Mikulas Patocka's avatar
      hpfs: don't truncate the file when delete fails · b6853f78
      Mikulas Patocka authored
      The delete opration can allocate additional space on the HPFS filesystem
      due to btree split. The HPFS driver checks in advance if there is
      available space, so that it won't corrupt the btree if we run out of space
      during splitting.
      
      If there is not enough available space, the HPFS driver attempted to
      truncate the file, but this results in a deadlock since the commit
      7dd29d8d ("HPFS: Introduce a global mutex
      and lock it on every callback from VFS").
      
      This patch removes the code that tries to truncate the file and -ENOSPC is
      returned instead. If the user hits -ENOSPC on delete, he should try to
      delete other files (that are stored in a leaf btree node), so that the
      delete operation will make some space for deleting the file stored in
      non-leaf btree node.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarMikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
      Cc: stable@vger.kernel.org	# 2.6.39+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b6853f78
  5. 27 Feb, 2016 12 commits