  1. 09 Jul, 2020 1 commit
    • Merge tag 'kallsyms_show_value-v5.8-rc5' of... · ce69fb3b
      Linus Torvalds authored
      Merge tag 'kallsyms_show_value-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
      
      Pull kallsyms fix from Kees Cook:
       "Refactor kallsyms_show_value() users for correct cred.
      
        I'm not delighted by the timing of getting these changes to you, but
        it does fix a handful of kernel address exposures, and no one has
        screamed yet at the patches.
      
        Several users of kallsyms_show_value() were performing checks not
        during "open". Refactor everything needed to gain proper checks
        against file->f_cred for modules, kprobes, and bpf"
      
      * tag 'kallsyms_show_value-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        selftests: kmod: Add module address visibility test
        bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok()
        kprobes: Do not expose probe addresses to non-CAP_SYSLOG
        module: Do not expose section addresses to non-CAP_SYSLOG
        module: Refactor section attr into bin attribute
        kallsyms: Refactor kallsyms_show_value() to take cred
  2. 08 Jul, 2020 9 commits
    • selftests: kmod: Add module address visibility test · 2c795839
      Kees Cook authored
      Make sure we don't regress the CAP_SYSLOG behavior of the module address
      visibility via /proc/modules nor /sys/module/*/sections/*.
      
      Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() · 63960260
      Kees Cook authored
      When evaluating access control over kallsyms visibility, credentials at
      open() time need to be used, not the "current" creds (though in BPF's
      case, this has likely always been the same). Plumb access to associated
      file->f_cred down through bpf_dump_raw_ok() and its callers now that
      kallsyms_show_value() has been refactored to take struct cred.
      
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: bpf@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: 7105e828 ("bpf: allow for correlation of maps and helpers in dump")
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • kprobes: Do not expose probe addresses to non-CAP_SYSLOG · 60f7bb66
      Kees Cook authored
      The kprobe show() functions were using "current"'s creds instead
      of the file opener's creds for kallsyms visibility. Fix to use
      seq_file->file->f_cred.
      
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Fixes: 81365a94 ("kprobes: Show address of kprobes if kallsyms does")
      Fixes: ffb9bd68 ("kprobes: Show blacklist addresses as same as kallsyms does")
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • module: Do not expose section addresses to non-CAP_SYSLOG · b25a7c5a
      Kees Cook authored
      The printing of section addresses in /sys/module/*/sections/* was not
      using the correct credentials to evaluate visibility.
      
      Before:
      
       # cat /sys/module/*/sections/.*text
       0xffffffffc0458000
       ...
       # capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
       0xffffffffc0458000
       ...
      
      After:
      
       # cat /sys/module/*/sections/*.text
       0xffffffffc0458000
       ...
       # capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
       0x0000000000000000
       ...
      
      Additionally replaces the existing (safe) /proc/modules check with
      file->f_cred for consistency.
      
      Reported-by: Dominik Czarnota <dominik.czarnota@trailofbits.com>
      Fixes: be71eda5 ("module: Fix display of wrong module .text address")
      Cc: stable@vger.kernel.org
      Tested-by: Jessica Yu <jeyu@kernel.org>
      Acked-by: Jessica Yu <jeyu@kernel.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • module: Refactor section attr into bin attribute · ed66f991
      Kees Cook authored
      In order to gain access to the open file's f_cred for kallsym visibility
      permission checks, refactor the module section attributes to use the
      bin_attribute instead of attribute interface. Additionally removes the
      redundant "name" struct member.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Tested-by: Jessica Yu <jeyu@kernel.org>
      Acked-by: Jessica Yu <jeyu@kernel.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • kallsyms: Refactor kallsyms_show_value() to take cred · 16025184
      Kees Cook authored
      In order to perform future tests against the cred saved during open(),
      switch kallsyms_show_value() to operate on a cred, and have all current
      callers pass current_cred(). This makes it very obvious where callers
      are checking the wrong credential in their "read" contexts. These will
      be fixed in the coming patches.
      
      Additionally switch return value to bool, since it is always used as a
      direct permission check, not a 0-on-success, negative-on-error style
      function return.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • Documentation: update for gcc 4.9 requirement · 0bddd227
      Randy Dunlap authored
      Update Documentation for the gcc v4.9 upgrade requirement.
      
      Fixes: 5429ef62 ("compiler/gcc: Raise minimum GCC version for kernel builds to 4.8")
      Fixes: 6ec4476a ("Raise gcc version requirement to 4.9")
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Acked-by: Jonathan Corbet <corbet@lwn.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'sound-5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 63e1968a
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small, mostly device-specific fixes.
      
        The significant one is the regression fix for USB-audio implicit
        feedback devices due to the incorrect frame size calculation, which
        landed in 5.8 and stable trees.
      
        In addition, a few usual HD-audio and USB-audio quirks, Intel HDMI
        fixes, ASoC fsl and rt5682 fixes, as well as the fix in
        compress-offload partial drain operation"
      
      * tag 'sound-5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: compress: fix partial_drain completion state
        ALSA: usb-audio: Add implicit feedback quirk for RTX6001
        ALSA: usb-audio: add quirk for MacroSilicon MS2109
        ALSA: hda/realtek: Enable headset mic of Acer Veriton N4660G with ALC269VC
        ALSA: hda/realtek: Enable headset mic of Acer C20-820 with ALC269VC
        ALSA: hda/realtek - Enable audio jacks of Acer vCopperbox with ALC269VC
        ALSA: hda/realtek - Fix Lenovo Thinkpad X1 Carbon 7th quirk subdevice id
        ALSA: hda/hdmi: improve debug traces for stream lookups
        ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later
        ALSA: opl3: fix infoleak in opl3
        ALSA: usb-audio: Replace s/frame/packet/ where appropriate
        ALSA: usb-audio: Fix packet size calculation
        AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel module
        ALSA: hda - let hs_mic be picked ahead of hp_mic
        ASoC: rt5682: fix the pop noise while OMTP type headset plugin
        ASoC: fsl_mqs: Fix unchecked return value for clk_prepare_enable
        ASoC: fsl_mqs: Don't check clock is NULL before calling clk API
    • Raise gcc version requirement to 4.9 · 6ec4476a
      Linus Torvalds authored
      I realize that we fairly recently raised it to 4.8, but the fact is, 4.9
      is a much better minimum version to target.
      
      We have a number of workarounds for actual bugs in pre-4.9 gcc versions
      (including things like internal compiler errors on ARM), but we also
      have some syntactic workarounds for lacking features.
      
      In particular, raising the minimum to 4.9 means that we can now just
      assume _Generic() exists, which is likely the much better replacement
      for a lot of very convoluted build-time magic with conditionals on
      sizeof and/or __builtin_choose_expr() with same_type() etc.
      
      Using _Generic also means that you will need to have a very recent
      version of 'sparse', but that's easy to build yourself, and much less of
      a hassle than some old gcc version can be.
      
      The latest (in a long string) of reasons for minimum compiler version
      upgrades was commit 5435f73d ("efi/x86: Fix build with gcc 4").
      
      Ard points out that RHEL 7 uses gcc-4.8, but the people who stay back on
      old RHEL versions presumably also don't build their own kernels anyway.
      And maybe they should cross-build or just have a little side affair with
      a newer compiler?
      
      Acked-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  3. 07 Jul, 2020 17 commits
  4. 06 Jul, 2020 10 commits
  5. 05 Jul, 2020 3 commits
    • Linux 5.8-rc4 · dcb7fd82
      Linus Torvalds authored
    • x86/ldt: use "pr_info_once()" instead of open-coding it badly · bb5a93aa
      Linus Torvalds authored
      Using a mutex for "print this warning only once" is so overdesigned as
      to be actively offensive to my sensitive stomach.
      
      Just use "pr_info_once()" that already does this, although in a
      (harmlessly) racy manner that can in theory cause the message to be
      printed twice if more than one CPU races on that "is this the first
      time" test.
      
      [ If somebody really cares about that harmless data race (which sounds
        very unlikely indeed), that person can trivially fix printk_once() by
        using a simple atomic access, preferably with an optimistic non-atomic
        test first before even bothering to treat the pointless "make sure it
        is _really_ just once" case.
      
        A mutex is most definitely never the right primitive to use for
        something like this. ]
      
      Yes, this is a small and meaningless detail in a code path that hardly
      matters.  But let's keep some code quality standards here, and not
      accept outrageously bad code.
      
      Link: https://lore.kernel.org/lkml/CAHk-=wgV9toS7GU3KmNpj8hCS9SeF+A0voHS8F275_mgLhL4Lw@mail.gmail.com/
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'x86-urgent-2020-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 72674d48
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A series of fixes for x86:
      
         - Reset MXCSR in kernel_fpu_begin() to prevent using a stale user
           space value.
      
         - Prevent writing MSR_TEST_CTRL on CPUs which are not explicitly
           whitelisted for split lock detection. Some CPUs which do not
           support it crash even when the MSR is written to 0 which is the
           default value.
      
         - Fix the XEN PV fallout of the entry code rework
      
         - Fix the 32bit fallout of the entry code rework
      
         - Add more selftests to ensure that these entry problems don't come
           back.
      
         - Disable 16 bit segments on XEN PV. It's not supported because XEN
           PV does not implement ESPFIX64"
      
      * tag 'x86-urgent-2020-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/ldt: Disable 16-bit segments on Xen PV
        x86/entry/32: Fix #MC and #DB wiring on x86_32
        x86/entry/xen: Route #DB correctly on Xen PV
        x86/entry, selftests: Further improve user entry sanity checks
        x86/entry/compat: Clear RAX high bits on Xen PV SYSENTER
        selftests/x86: Consolidate and fix get/set_eflags() helpers
        selftests/x86/syscall_nt: Clear weird flags after each test
        selftests/x86/syscall_nt: Add more flag combinations
        x86/entry/64/compat: Fix Xen PV SYSENTER frame setup
        x86/entry: Move SYSENTER's regs->sp and regs->flags fixups into C
        x86/entry: Assert that syscalls are on the right stack
        x86/split_lock: Don't write MSR_TEST_CTRL on CPUs that aren't whitelisted
        x86/fpu: Reset MXCSR to default in kernel_fpu_begin()