mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
152 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Richard Raya
|
9cdc78c354 |
Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common
* 'android-4.14-stable' of https://android.googlesource.com/kernel/common: (2966 commits) Linux 4.14.331 net: sched: fix race condition in qdisc_graft() scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: correct return value of ext4_convert_meta_bg ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: apply umask if ACL support is disabled media: venus: hfi: fix the check to handle session buffer requirement media: sharp: fix sharp encoding i2c: i801: fix potential race in i801_block_transaction_byte_by_byte net: dsa: lan9303: consequently nested-lock physical MDIO ALSA: info: Fix potential deadlock at disconnection parisc/pgtable: Do not drop upper 5 address bits of physical address parisc: Prevent booting 64-bit kernels on PA1.x machines mcb: fix error handling for different scenarios when parsing jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware mmc: meson-gx: Remove setting of CMD_CFG_ERROR PM: hibernate: Clean up sync_read handling in snapshot_write_next() PM: hibernate: Use __get_safe_page() rather than touching the list ... Change-Id: I755d2aa7c525ace28adc4aee433572b3110ea39b |
||
Greg Kroah-Hartman
|
4415bf5e08 |
This is the 4.14.305 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPgol4ACgkQONu9yGCS aT4TVBAA0hReFdGDL6oRRy4HWh1EEJNpDpFE92pxpObOZdM4mZD5TebHvFpBMyK8 pET5upYQ6icDKWpVusNhYzZJpLdYYCZmwCXZnPAtsUTw2msFDRyrQlN/jv+AQYV3 Zdbjy/uF+W1T6HbNAS3fWP9StW3Y1jItm8bGmB53uyKb/Zwz3hgfq4G/LsuRu11g wUh/odsuQX4dM6G+kZAdsPgxasUf8tOpZpxqfT84nqWftJgH2Ro6pJMPUQGGKZTP Dmw2zhQtSi/zMYZxCaaB5JFx4aO2vePFMJJNW06OOtvKhFZIOJStmuGNyozYRtp5 IQfDkqtwNQFOl4KojZj/ETtfDnzxG978XHhl3VykMdtInoBJ9vER3GeV0Sx1JBJk O3phudZ97ePX9JZq3gCuYCI7YlBDF3/hwhNBmv0mHeyd0EJF06r/7M+egdp9GnP3 nbSZo+IrfsnurwRyIu+1o4648vJbYT66CclD4K1sDqbHJ8P3J1bf/Eiz5J33Na05 nGyGY70jJNfmJbnU+MEmbSndjulio46FqieQNhEn5BWiW05IkDQ2ZZpsWz/b8NfR 6Zt6Gp6YGQzpSecpyQ/TRrEIZ/sbDuYgRUUtNYdlxNHJIloXzecw8fN4/ACRfmHo IsXxq6V1sZu7CClHv7tfLvxIBFMCgJmE00WbM+Fk/jJEthhI/As= =8UAu -----END PGP SIGNATURE----- Merge 4.14.305 into android-4.14 Changes in 4.14.305 ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' HID: intel_ish-hid: Add check for ishtp_dma_tx_map EDAC/highbank: Fix memory leak in highbank_mc_probe() tomoyo: fix broken dependency on *.conf.default IB/hfi1: Reject a zero-length user expected buffer IB/hfi1: Reserve user expected TIDs affs: initialize fsdata in affs_truncate() amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() net: nfc: Fix use-after-free in local_cleanup() wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid net: usb: sr9700: Handle negative len net: mdio: validate parameter addr in mdiobus_get_phy() HID: check empty report_list in hid_validate_values() usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: gadget: f_fs: Ensure ep0req is dequeued before free_request net: mlx5: eliminate anonymous module_init & module_exit dmaengine: Fix double increment of client_count in dma_chan_get() HID: betop: check shape of output reports w1: fix deadloop in __w1_remove_master_device() w1: fix WARNING after calling w1_process() comedi: adv_pci1760: Fix PWM instruction handling fs: reiserfs: remove useless new_opts in reiserfs_remount Bluetooth: hci_sync: cancel cmd_timer if hci_open failed scsi: hpsa: Fix allocation size for scsi_host_alloc() module: Don't wait for GOING modules tracing: Make sure trace_printk() can output as soon as it can be used ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment EDAC/device: Respect any driver-supplied workqueue polling value netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around sk_state netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE netrom: Fix use-after-free of a listening socket. sctp: fail if no bound addresses can be used for a given scope net: ravb: Fix possible hang if RIS2_QFF1 happen net/tg3: resolve deadlock in tg3_reset_task() during EEH Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL wifi: brcmfmac: fix up incorrect 4.14.y backport for brcmf_fw_map_chip_to_name() xen: Fix up build warning with xen_init_time_ops() reference drm/radeon/dp: make radeon_dp_get_dp_link_config static scsi: qla2xxx: don't break the bsg-lib abstractions x86/asm: Fix an assembler warning with current binutils x86/entry/64: Add instruction suffix to SYSRET sysctl: add a new register_sysctl_init() interface panic: unset panic_on_warn inside panic() exit: Add and use make_task_dead. objtool: Add a missing comma to avoid string concatenation hexagon: Fix function name in die() h8300: Fix build errors from do_exit() to make_task_dead() transition ia64: make IA64_MCA_RECOVERY bool instead of tristate exit: Put an upper limit on how often we can oops exit: Expose "oops_count" to sysfs exit: Allow oops_limit to be disabled panic: Consolidate open-coded panic_on_warn checks panic: Introduce warn_limit panic: Expose "warn_count" to sysfs docs: Fix path paste-o for /sys/kernel/warn_count exit: Use READ_ONCE() for all oops/warn limit reads mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags ipv6: ensure sane device mtu in tunnels usb: host: xhci-plat: add wakeup entry at sysfs Linux 4.14.305 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I63d98b772289d5417008eec559caf16812d343a1 |
||
Kees Cook
|
a83bcc5fc4 |
panic: Consolidate open-coded panic_on_warn checks
commit 79cc1ba7badf9e7a12af99695a557e9ce27ee967 upstream. Several run-time checkers (KASAN, UBSAN, KFENCE, KCSAN, sched) roll their own warnings, and each check "panic_on_warn". Consolidate this into a single function so that future instrumentation can be added in a single location. Cc: Marco Elver <elver@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Juri Lelli <juri.lelli@redhat.com> Cc: Vincent Guittot <vincent.guittot@linaro.org> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Ben Segall <bsegall@google.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Daniel Bristot de Oliveira <bristot@redhat.com> Cc: Valentin Schneider <vschneid@redhat.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: David Gow <davidgow@google.com> Cc: tangmeng <tangmeng@uniontech.com> Cc: Jann Horn <jannh@google.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Petr Mladek <pmladek@suse.com> Cc: "Paul E. McKenney" <paulmck@kernel.org> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Cc: kasan-dev@googlegroups.com Cc: linux-mm@kvack.org Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Marco Elver <elver@google.com> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com> Link: https://lore.kernel.org/r/20221117234328.594699-4-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
qctecmdr
|
6f13dd45a9 | Merge "kasan: remove duplicate function" | ||
jianzhou
|
3230d6d4f8 |
mm/kasan: Remove redefined functions in common.c
Redefined functions was invoked when fix conflicts, it will cause build error with generic.c. Change-Id: Idfa5d8bffb21e252fcfea32ccd6420139a5b7e5a Signed-off-by: jianzhou <quic_jianzhou@quicinc.com> |
||
Srinivasarao Pathipati
|
d1c2a3bf02 |
kasan: remove duplicate function
function kasan_report_invalid_free() defined twice leading to build error so delete duplicate. Change-Id: I2e3be2fea8d59dae9cc1c50f929681907b4c266c Signed-off-by: Srinivasarao Pathipati <quic_spathi@quicinc.com> |
||
Blagovest Kolenichev
|
8ad87c80a2 |
Merge android-4.14.151 (2bb70f4) into msm-4.14
* refs/heads/tmp-2bb70f4:
ANDROID: virtio: virtio_input: Set the amount of multitouch slots in virtio input
ANDROID: dummy_cpufreq: Implement get()
rtlwifi: Fix potential overflow on P2P code
ANDROID: cpufreq: create dummy cpufreq driver
ANDROID: Allow DRM_IOCTL_MODE_*_DUMB for render clients.
ANDROID: sdcardfs: evict dentries on fscrypt key removal
ANDROID: fscrypt: add key removal notifier chain
ANDROID: Move from clang r353983c to r365631c
ANDROID: move up spin_unlock_bh() ahead of remove_proc_entry()
BACKPORT: arm64: tags: Preserve tags for addresses translated via TTBR1
UPSTREAM: arm64: memory: Implement __tag_set() as common function
UPSTREAM: arm64/mm: fix variable 'tag' set but not used
UPSTREAM: arm64: avoid clang warning about self-assignment
ANDROID: refactor build.config files to remove duplication
UPSTREAM: mm: vmalloc: show number of vmalloc pages in /proc/meminfo
BACKPORT: PM/sleep: Expose suspend stats in sysfs
UPSTREAM: power: supply: Init device wakeup after device_add()
UPSTREAM: PM / wakeup: Unexport wakeup_source_sysfs_{add,remove}()
UPSTREAM: PM / wakeup: Register wakeup class kobj after device is added
BACKPORT: PM / wakeup: Fix sysfs registration error path
BACKPORT: PM / wakeup: Show wakeup sources stats in sysfs
UPSTREAM: PM / wakeup: Print warn if device gets enabled as wakeup source during sleep
UPSTREAM: PM / wakeup: Use wakeup_source_register() in wakelock.c
UPSTREAM: PM / wakeup: Only update last time for active wakeup sources
UPSTREAM: PM / core: Add support to skip power management in device/driver model
cuttlefish-4.14: Enable CONFIG_DM_SNAPSHOT
ANDROID: cuttlefish_defconfig: Enable BPF_JIT and BPF_JIT_ALWAYS_ON
UPSTREAM: netfilter: xt_IDLETIMER: fix sysfs callback function type
UPSTREAM: mm: untag user pointers in mmap/munmap/mremap/brk
UPSTREAM: vfio/type1: untag user pointers in vaddr_get_pfn
UPSTREAM: media/v4l2-core: untag user pointers in videobuf_dma_contig_user_get
UPSTREAM: drm/radeon: untag user pointers in radeon_gem_userptr_ioctl
BACKPORT: drm/amdgpu: untag user pointers
UPSTREAM: userfaultfd: untag user pointers
UPSTREAM: fs/namespace: untag user pointers in copy_mount_options
UPSTREAM: mm: untag user pointers in get_vaddr_frames
UPSTREAM: mm: untag user pointers in mm/gup.c
BACKPORT: mm: untag user pointers passed to memory syscalls
BACKPORT: lib: untag user pointers in strn*_user
UPSTREAM: arm64: Fix reference to docs for ARM64_TAGGED_ADDR_ABI
UPSTREAM: selftests, arm64: add kernel headers path for tags_test
BACKPORT: arm64: Relax Documentation/arm64/tagged-pointers.rst
UPSTREAM: arm64: Define Documentation/arm64/tagged-address-abi.rst
UPSTREAM: arm64: Change the tagged_addr sysctl control semantics to only prevent the opt-in
UPSTREAM: arm64: Tighten the PR_{SET, GET}_TAGGED_ADDR_CTRL prctl() unused arguments
UPSTREAM: selftests, arm64: fix uninitialized symbol in tags_test.c
UPSTREAM: arm64: mm: Really fix sparse warning in untagged_addr()
UPSTREAM: selftests, arm64: add a selftest for passing tagged pointers to kernel
BACKPORT: arm64: Introduce prctl() options to control the tagged user addresses ABI
UPSTREAM: thread_info: Add update_thread_flag() helpers
UPSTREAM: arm64: untag user pointers in access_ok and __uaccess_mask_ptr
UPSTREAM: uaccess: add noop untagged_addr definition
BACKPORT: block: annotate refault stalls from IO submission
ext4: add verity flag check for dax
ANDROID: usb: gadget: Fix dependency for f_accessory
ANDROID: sched: fair: balance for single core cluster
UPSTREAM: mm/kasan: fix false positive invalid-free reports with CONFIG_KASAN_SW_TAGS=y
f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
f2fs: fix to add missing F2FS_IO_ALIGNED() condition
f2fs: fix to fallback to buffered IO in IO aligned mode
f2fs: fix to handle error path correctly in f2fs_map_blocks
f2fs: fix extent corrupotion during directIO in LFS mode
f2fs: check all the data segments against all node ones
f2fs: Add a small clarification to CONFIG_FS_F2FS_FS_SECURITY
f2fs: fix inode rwsem regression
f2fs: fix to avoid accessing uninitialized field of inode page in is_alive()
f2fs: avoid infinite GC loop due to stale atomic files
f2fs: Fix indefinite loop in f2fs_gc()
f2fs: convert inline_data in prior to i_size_write
f2fs: fix error path of f2fs_convert_inline_page()
f2fs: add missing documents of reserve_root/resuid/resgid
f2fs: fix flushing node pages when checkpoint is disabled
f2fs: enhance f2fs_is_checkpoint_ready()'s readability
f2fs: clean up __bio_alloc()'s parameter
f2fs: fix wrong error injection path in inc_valid_block_count()
f2fs: fix to writeout dirty inode during node flush
f2fs: optimize case-insensitive lookups
f2fs: introduce f2fs_match_name() for cleanup
f2fs: Fix indefinite loop in f2fs_gc()
f2fs: allocate memory in batch in build_sit_info()
f2fs: fix to avoid data corruption by forbidding SSR overwrite
f2fs: Fix build error while CONFIG_NLS=m
Revert "f2fs: avoid out-of-range memory access"
f2fs: cleanup the code in build_sit_entries.
f2fs: fix wrong available node count calculation
f2fs: remove duplicate code in f2fs_file_write_iter
f2fs: fix to migrate blocks correctly during defragment
f2fs: use wrapped f2fs_cp_error()
f2fs: fix to use more generic EOPNOTSUPP
f2fs: use wrapped IS_SWAPFILE()
f2fs: Support case-insensitive file name lookups
f2fs: include charset encoding information in the superblock
fs: Reserve flag for casefolding
f2fs: fix to avoid call kvfree under spinlock
fs: f2fs: Remove unnecessary checks of SM_I(sbi) in update_general_status()
f2fs: disallow direct IO in atomic write
f2fs: fix to handle quota_{on,off} correctly
f2fs: fix to detect cp error in f2fs_setxattr()
f2fs: fix to spread f2fs_is_checkpoint_ready()
f2fs: support fiemap() for directory inode
f2fs: fix to avoid discard command leak
f2fs: fix to avoid tagging SBI_QUOTA_NEED_REPAIR incorrectly
f2fs: fix to drop meta/node pages during umount
f2fs: disallow switching io_bits option during remount
f2fs: fix panic of IO alignment feature
f2fs: introduce {page,io}_is_mergeable() for readability
f2fs: fix livelock in swapfile writes
f2fs: add fs-verity support
ext4: update on-disk format documentation for fs-verity
ext4: add fs-verity read support
ext4: add basic fs-verity support
fs-verity: support builtin file signatures
fs-verity: add SHA-512 support
fs-verity: implement FS_IOC_MEASURE_VERITY ioctl
fs-verity: implement FS_IOC_ENABLE_VERITY ioctl
fs-verity: add data verification hooks for ->readpages()
fs-verity: add the hook for file ->setattr()
fs-verity: add the hook for file ->open()
fs-verity: add inode and superblock fields
fs-verity: add Kconfig and the helper functions for hashing
fs: uapi: define verity bit for FS_IOC_GETFLAGS
fs-verity: add UAPI header
fs-verity: add MAINTAINERS file entry
fs-verity: add a documentation file
ext4: fix kernel oops caused by spurious casefold flag
ext4: fix coverity warning on error path of filename setup
ext4: optimize case-insensitive lookups
ext4: fix dcache lookup of !casefolded directories
unicode: update to Unicode 12.1.0 final
unicode: add missing check for an error return from utf8lookup()
ext4: export /sys/fs/ext4/feature/casefold if Unicode support is present
unicode: refactor the rule for regenerating utf8data.h
ext4: Support case-insensitive file name lookups
ext4: include charset encoding information in the superblock
unicode: update unicode database unicode version 12.1.0
unicode: introduce test module for normalized utf8 implementation
unicode: implement higher level API for string handling
unicode: reduce the size of utf8data[]
unicode: introduce code for UTF-8 normalization
unicode: introduce UTF-8 character database
ext4 crypto: fix to check feature status before get policy
fscrypt: document the new ioctls and policy version
ubifs: wire up new fscrypt ioctls
f2fs: wire up new fscrypt ioctls
ext4: wire up new fscrypt ioctls
fscrypt: require that key be added when setting a v2 encryption policy
fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl
fscrypt: allow unprivileged users to add/remove keys for v2 policies
fscrypt: v2 encryption policy support
fscrypt: add an HKDF-SHA512 implementation
fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl
fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl
fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl
fscrypt: rename keyinfo.c to keysetup.c
fscrypt: move v1 policy key setup to keysetup_v1.c
fscrypt: refactor key setup code in preparation for v2 policies
fscrypt: rename fscrypt_master_key to fscrypt_direct_key
fscrypt: add ->ci_inode to fscrypt_info
fscrypt: use FSCRYPT_* definitions, not FS_*
fscrypt: use FSCRYPT_ prefix for uapi constants
fs, fscrypt: move uapi definitions to new header <linux/fscrypt.h>
fscrypt: use ENOPKG when crypto API support missing
fscrypt: improve warnings for missing crypto API support
fscrypt: improve warning messages for unsupported encryption contexts
fscrypt: make fscrypt_msg() take inode instead of super_block
fscrypt: clean up base64 encoding/decoding
fscrypt: remove loadable module related code
ANDROID: arm64: bpf: implement arch_bpf_jit_check_func
ANDROID: bpf: validate bpf_func when BPF_JIT is enabled with CFI
UPSTREAM: kcm: use BPF_PROG_RUN
UPSTREAM: psi: get poll_work to run when calling poll syscall next time
UPSTREAM: sched/psi: Do not require setsched permission from the trigger creator
UPSTREAM: sched/psi: Reduce psimon FIFO priority
BACKPORT: arm64: Add support for relocating the kernel with RELR relocations
ANDROID: Log which device failed to suspend in dpm_suspend_start()
ANDROID: Revert "ANDROID: sched: Disallow WALT with CFS bandwidth control"
ANDROID: sched: WALT: Add support for CFS_BANDWIDTH
ANDROID: sched: WALT: Refactor cumulative runnable average fixup
ANDROID: sched: Disallow WALT with CFS bandwidth control
fscrypt: document testing with xfstests
fscrypt: remove selection of CONFIG_CRYPTO_SHA256
fscrypt: remove unnecessary includes of ratelimit.h
fscrypt: don't set policy for a dead directory
fscrypt: decrypt only the needed blocks in __fscrypt_decrypt_bio()
fscrypt: support decrypting multiple filesystem blocks per page
fscrypt: introduce fscrypt_decrypt_block_inplace()
fscrypt: handle blocksize < PAGE_SIZE in fscrypt_zeroout_range()
fscrypt: support encrypting multiple filesystem blocks per page
fscrypt: introduce fscrypt_encrypt_block_inplace()
fscrypt: clean up some BUG_ON()s in block encryption/decryption
fscrypt: rename fscrypt_do_page_crypto() to fscrypt_crypt_block()
fscrypt: remove the "write" part of struct fscrypt_ctx
fscrypt: simplify bounce page handling
ANDROID: fiq_debugger: remove
UPSTREAM: lib/test_meminit.c: use GFP_ATOMIC in RCU critical section
UPSTREAM: mm: slub: Fix slab walking for init_on_free
UPSTREAM: lib/test_meminit.c: minor test fixes
UPSTREAM: lib/test_meminit.c: fix -Wmaybe-uninitialized false positive
UPSTREAM: lib: introduce test_meminit module
UPSTREAM: mm: init: report memory auto-initialization features at boot time
BACKPORT: mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options
UPSTREAM: arm64: move jump_label_init() before parse_early_param()
ANDROID: Add a tracepoint for mapping inode to full path
BACKPORT: arch: add pidfd and io_uring syscalls everywhere
UPSTREAM: dma-buf: add show_fdinfo handler
UPSTREAM: dma-buf: add DMA_BUF_SET_NAME ioctls
BACKPORT: dma-buf: give each buffer a full-fledged inode
ANDROID: fix kernelci build-break
UPSTREAM: drm/virtio: Fix cache entry creation race.
UPSTREAM: drm/virtio: Wake up all waiters when capset response comes in.
UPSTREAM: drm/virtio: Ensure cached capset entries are valid before copying.
UPSTREAM: drm/virtio: use u64_to_user_ptr macro
UPSTREAM: drm/virtio: remove irrelevant DRM_UNLOCKED flag
UPSTREAM: drm/virtio: Remove redundant return type
UPSTREAM: drm/virtio: allocate fences with GFP_KERNEL
UPSTREAM: drm/virtio: add trace events for commands
UPSTREAM: drm/virtio: trace drm_fence_emit
BACKPORT: drm/virtio: set seqno for dma-fence
BACKPORT: drm/virtio: move drm_connector_update_edid_property() call
UPSTREAM: drm/virtio: add missing drm_atomic_helper_shutdown() call.
BACKPORT: drm/virtio: rework resource creation workflow.
UPSTREAM: drm/virtio: params struct for virtio_gpu_cmd_create_resource_3d()
BACKPORT: drm/virtio: params struct for virtio_gpu_cmd_create_resource()
BACKPORT: drm/virtio: use struct to pass params to virtio_gpu_object_create()
UPSTREAM: drm/virtio: add virtio-gpu-features debugfs file.
UPSTREAM: drm/virtio: remove set but not used variable 'vgdev'
BACKPORT: drm/virtio: implement prime export
UPSTREAM: drm/virtio: remove prime pin/unpin callbacks.
UPSTREAM: drm/virtio: implement prime mmap
UPSTREAM: drm/virtio: drop virtio_gpu_fence_cleanup()
UPSTREAM: drm/virtio: fix pageflip flush
UPSTREAM: drm/virtio: log error responses
UPSTREAM: drm/virtio: Add missing virtqueue reset
UPSTREAM: drm/virtio: Remove incorrect kfree()
UPSTREAM: drm/virtio: virtio_gpu_cmd_resource_create_3d: drop unused fence arg
UPSTREAM: drm/virtio: fence: pass plain pointer
BACKPORT: drm/virtio: add edid support
UPSTREAM: virtio-gpu: add VIRTIO_GPU_F_EDID feature
BACKPORT: drm/virtio: fix memory leak of vfpriv on error return path
UPSTREAM: drm/virtio: bump driver version after explicit synchronization addition
UPSTREAM: drm/virtio: add in/out fence support for explicit synchronization
UPSTREAM: drm/virtio: add uapi for in and out explicit fences
UPSTREAM: drm/virtio: add virtio_gpu_alloc_fence()
UPSTREAM: drm/virtio: Handle error from virtio_gpu_resource_id_get
UPSTREAM: gpu/drm/virtio/virtgpu_vq.c: Use kmem_cache_zalloc
UPSTREAM: drm/virtio: fix resource id handling
UPSTREAM: drm/virtio: drop resource_id argument.
UPSTREAM: drm/virtio: use virtio_gpu_object->hw_res_handle in virtio_gpu_resource_create_ioctl()
UPSTREAM: drm/virtio: use virtio_gpu_object->hw_res_handle in virtio_gpu_mode_dumb_create()
UPSTREAM: drm/virtio: use virtio_gpu_object->hw_res_handle in virtio_gpufb_create()
BACKPORT: drm/virtio: track created object state
UPSTREAM: drm/virtio: document drm_dev_set_unique workaround
UPSTREAM: virtio: Support prime objects vmap/vunmap
UPSTREAM: virtio: Rework virtio_gpu_object_kmap()
UPSTREAM: virtio: Add virtio_gpu_object_kunmap()
UPSTREAM: drm/virtio: pass virtio_gpu_object to virtio_gpu_cmd_transfer_to_host_{2d, 3d}
UPSTREAM: drm/virtio: add dma sync for dma mapped virtio gpu framebuffer pages
UPSTREAM: drm/virtio: Remove set but not used variable 'bo'
UPSTREAM: drm/virtio: add iommu support.
UPSTREAM: drm/virtio: add virtio_gpu_object_detach() function
UPSTREAM: drm/virtio: track virtual output state
UPSTREAM: drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
UPSTREAM: gpu: drm: virtio: code cleanup
UPSTREAM: drm/virtio: Place GEM BOs in drm_framebuffer
UPSTREAM: drm/virtio: fix mode_valid's return type
UPSTREAM: drm/virtio: Add spaces around operators
UPSTREAM: drm/virtio: Remove multiple blank lines
UPSTREAM: drm/virtio: Replace 'unsigned' for 'unsigned int'
UPSTREAM: drm/virtio: Remove return from void function
UPSTREAM: drm/virtio: Add */ in block comments to separate line
UPSTREAM: drm/virtio: Add blank line after variable declarations
UPSTREAM: drm/virtio: Add tabs at the start of a line
UPSTREAM: drm/virtio: Don't return invalid caps on timeout
UPSTREAM: virtgpu: remove redundant task_comm copying
UPSTREAM: drm/virtio: add create_handle support.
UPSTREAM: drm: virtio: replace reference/unreference with get/put
UPSTREAM: drm/virtio: Replace instances of reference/unreference with get/put
UPSTREAM: drm: byteorder: add DRM_FORMAT_HOST_*
UPSTREAM: drm: add drm_connector_attach_edid_property()
BACKPORT: drm/prime: Add drm_gem_prime_mmap()
f2fs: fix build error on android tracepoints
ANDROID: cuttlefish_defconfig: Enable CAN/VCAN
UPSTREAM: pidfd: fix a poll race when setting exit_state
BACKPORT: arch: wire-up pidfd_open()
BACKPORT: pid: add pidfd_open()
UPSTREAM: pidfd: add polling support
UPSTREAM: signal: improve comments
UPSTREAM: fork: do not release lock that wasn't taken
BACKPORT: signal: support CLONE_PIDFD with pidfd_send_signal
BACKPORT: clone: add CLONE_PIDFD
UPSTREAM: Make anon_inodes unconditional
UPSTREAM: signal: use fdget() since we don't allow O_PATH
UPSTREAM: signal: don't silently convert SI_USER signals to non-current pidfd
BACKPORT: signal: add pidfd_send_signal() syscall
UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
ANDROID: fix up 9p filesystem due to CFI non-upstream patches
f2fs: use EINVAL for superblock with invalid magic
f2fs: fix to read source block before invalidating it
f2fs: remove redundant check from f2fs_setflags_common()
f2fs: use generic checking function for FS_IOC_FSSETXATTR
f2fs: use generic checking and prep function for FS_IOC_SETFLAGS
ubifs, fscrypt: cache decrypted symlink target in ->i_link
vfs: use READ_ONCE() to access ->i_link
fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
ANDROID: (arm64) cuttlefish_defconfig: enable CONFIG_CPU_FREQ_TIMES
ANDROID: xfrm: remove in_compat_syscall() checks
ANDROID: enable CONFIG_RTC_DRV_TEST on cuttlefish
UPSTREAM: binder: Set end of SG buffer area properly.
ANDROID: x86_64_cuttlefish_defconfig: enable CONFIG_CPU_FREQ_TIMES
ANDROID: f2fs: add android fsync tracepoint
ANDROID: f2fs: fix wrong android tracepoint
fscrypt: cache decrypted symlink target in ->i_link
fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext
fscrypt: only set dentry_operations on ciphertext dentries
fscrypt: fix race allowing rename() and link() of ciphertext dentries
fscrypt: clean up and improve dentry revalidation
fscrypt: use READ_ONCE() to access ->i_crypt_info
fscrypt: remove WARN_ON_ONCE() when decryption fails
fscrypt: drop inode argument from fscrypt_get_ctx()
f2fs: improve print log in f2fs_sanity_check_ckpt()
f2fs: avoid out-of-range memory access
f2fs: fix to avoid long latency during umount
f2fs: allow all the users to pin a file
f2fs: support swap file w/ DIO
f2fs: allocate blocks for pinned file
f2fs: fix is_idle() check for discard type
f2fs: add a rw_sem to cover quota flag changes
f2fs: set SBI_NEED_FSCK for xattr corruption case
f2fs: use generic EFSBADCRC/EFSCORRUPTED
f2fs: Use DIV_ROUND_UP() instead of open-coding
f2fs: print kernel message if filesystem is inconsistent
f2fs: introduce f2fs_<level> macros to wrap f2fs_printk()
f2fs: avoid get_valid_blocks() for cleanup
f2fs: ioctl for removing a range from F2FS
f2fs: only set project inherit bit for directory
f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags
UPSTREAM: kasan: initialize tag to 0xff in __kasan_kmalloc
UPSTREAM: x86/boot: Provide KASAN compatible aliases for string routines
UPSTREAM: mm/kasan: Remove the ULONG_MAX stack trace hackery
UPSTREAM: x86/uaccess, kasan: Fix KASAN vs SMAP
UPSTREAM: x86/uaccess: Introduce user_access_{save,restore}()
UPSTREAM: kasan: fix variable 'tag' set but not used warning
UPSTREAM: Revert "x86_64: Increase stack size for KASAN_EXTRA"
UPSTREAM: kasan: fix coccinelle warnings in kasan_p*_table
UPSTREAM: kasan: fix kasan_check_read/write definitions
BACKPORT: kasan: remove use after scope bugs detection.
BACKPORT: kasan: turn off asan-stack for clang-8 and earlier
UPSTREAM: slub: fix a crash with SLUB_DEBUG + KASAN_SW_TAGS
UPSTREAM: kasan, slab: remove redundant kasan_slab_alloc hooks
UPSTREAM: kasan, slab: make freelist stored without tags
UPSTREAM: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
UPSTREAM: kasan: prevent tracing of tags.c
UPSTREAM: kasan: fix random seed generation for tag-based mode
UPSTREAM: slub: fix SLAB_CONSISTENCY_CHECKS + KASAN_SW_TAGS
UPSTREAM: kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED
UPSTREAM: kasan, slub: fix conflicts with CONFIG_SLAB_FREELIST_HARDENED
UPSTREAM: kasan, slub: move kasan_poison_slab hook before page_address
UPSTREAM: kasan, kmemleak: pass tagged pointers to kmemleak
UPSTREAM: kasan: fix assigning tags twice
UPSTREAM: kasan: mark file common so ftrace doesn't trace it
UPSTREAM: kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
UPSTREAM: kasan: fix krealloc handling for tag-based mode
UPSTREAM: kasan: make tag based mode work with CONFIG_HARDENED_USERCOPY
UPSTREAM: kasan, arm64: use ARCH_SLAB_MINALIGN instead of manual aligning
BACKPORT: mm/memblock.c: skip kmemleak for kasan_init()
UPSTREAM: kasan: add SPDX-License-Identifier mark to source files
BACKPORT: kasan: update documentation
UPSTREAM: kasan, arm64: select HAVE_ARCH_KASAN_SW_TAGS
UPSTREAM: kasan: add __must_check annotations to kasan hooks
BACKPORT: kasan, mm, arm64: tag non slab memory allocated via pagealloc
UPSTREAM: kasan, arm64: add brk handler for inline instrumentation
UPSTREAM: kasan: add hooks implementation for tag-based mode
UPSTREAM: mm: move obj_to_index to include/linux/slab_def.h
UPSTREAM: kasan: add bug reporting routines for tag-based mode
UPSTREAM: kasan: split out generic_report.c from report.c
UPSTREAM: kasan, mm: perform untagged pointers comparison in krealloc
BACKPORT: kasan, arm64: enable top byte ignore for the kernel
BACKPORT: kasan, arm64: fix up fault handling logic
UPSTREAM: kasan: preassign tags to objects with ctors or SLAB_TYPESAFE_BY_RCU
UPSTREAM: kasan, arm64: untag address in _virt_addr_is_linear
UPSTREAM: kasan: add tag related helper functions
BACKPORT: arm64: move untagged_addr macro from uaccess.h to memory.h
BACKPORT: kasan: initialize shadow to 0xff for tag-based mode
BACKPORT: kasan: rename kasan_zero_page to kasan_early_shadow_page
BACKPORT: kasan, arm64: adjust shadow size for tag-based mode
BACKPORT: kasan: add CONFIG_KASAN_GENERIC and CONFIG_KASAN_SW_TAGS
UPSTREAM: kasan: rename source files to reflect the new naming scheme
BACKPORT: kasan: move common generic and tag-based code to common.c
UPSTREAM: kasan, slub: handle pointer tags in early_kmem_cache_node_alloc
UPSTREAM: kasan, mm: change hooks signatures
UPSTREAM: arm64: add EXPORT_SYMBOL_NOKASAN()
BACKPORT: compiler: remove __no_sanitize_address_or_inline again
UPSTREAM: mm/kasan/quarantine.c: make quarantine_lock a raw_spinlock_t
UPSTREAM: lib/test_kasan.c: add tests for several string/memory API functions
UPSTREAM: arm64: lib: use C string functions with KASAN enabled
UPSTREAM: compiler: introduce __no_sanitize_address_or_inline
UPSTREAM: arm64: Fix typo in a comment in arch/arm64/mm/kasan_init.c
BACKPORT: kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN
BACKPORT: mm/mempool.c: remove unused argument in kasan_unpoison_element() and remove_element()
UPSTREAM: kasan: only select SLUB_DEBUG with SYSFS=y
UPSTREAM: kasan: depend on CONFIG_SLUB_DEBUG
UPSTREAM: KASAN: prohibit KASAN+STRUCTLEAK combination
UPSTREAM: arm64: kasan: avoid pfn_to_nid() before page array is initialized
UPSTREAM: kasan: fix invalid-free test crashing the kernel
UPSTREAM: kasan, slub: fix handling of kasan_slab_free hook
UPSTREAM: slab, slub: skip unnecessary kasan_cache_shutdown()
BACKPORT: kasan: make kasan_cache_create() work with 32-bit slab cache sizes
UPSTREAM: locking/atomics: Instrument cmpxchg_double*()
UPSTREAM: locking/atomics: Instrument xchg()
UPSTREAM: locking/atomics: Simplify cmpxchg() instrumentation
UPSTREAM: locking/atomics/x86: Reduce arch_cmpxchg64*() instrumentation
UPSTREAM: locking/atomic, asm-generic, x86: Add comments for atomic instrumentation
UPSTREAM: locking/atomic, asm-generic: Add KASAN instrumentation to atomic operations
UPSTREAM: locking/atomic/x86: Switch atomic.h to use atomic-instrumented.h
UPSTREAM: locking/atomic, asm-generic: Add asm-generic/atomic-instrumented.h
BACKPORT: kasan, arm64: clean up KASAN_SHADOW_SCALE_SHIFT usage
UPSTREAM: kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage
UPSTREAM: kasan: fix prototype author email address
UPSTREAM: kasan: detect invalid frees
UPSTREAM: kasan: unify code between kasan_slab_free() and kasan_poison_kfree()
UPSTREAM: kasan: detect invalid frees for large mempool objects
UPSTREAM: kasan: don't use __builtin_return_address(1)
UPSTREAM: kasan: detect invalid frees for large objects
UPSTREAM: kasan: add functions for unpoisoning stack variables
UPSTREAM: kasan: add tests for alloca poisoning
UPSTREAM: kasan: support alloca() poisoning
UPSTREAM: kasan/Makefile: support LLVM style asan parameters
BACKPORT: kasan: add compiler support for clang
BACKPORT: fs: dcache: Revert "manually unpoison dname after allocation to shut up kasan's reports"
UPSTREAM: fs/dcache: Use read_word_at_a_time() in dentry_string_cmp()
UPSTREAM: lib/strscpy: Shut up KASAN false-positives in strscpy()
UPSTREAM: compiler.h: Add read_word_at_a_time() function.
UPSTREAM: compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
UPSTREAM: arm64/mm/kasan: don't use vmemmap_populate() to initialize shadow
UPSTREAM: Documentation/features/KASAN: mark KASAN as supported only on 64-bit on x86
f2fs: Add option to limit required GC for checkpoint=disable
f2fs: Fix accounting for unusable blocks
f2fs: Fix root reserved on remount
f2fs: Lower threshold for disable_cp_again
f2fs: fix sparse warning
f2fs: fix f2fs_show_options to show nodiscard mount option
f2fs: add error prints for debugging mount failure
f2fs: fix to do sanity check on segment bitmap of LFS curseg
f2fs: add missing sysfs entries in documentation
f2fs: fix to avoid deadloop if data_flush is on
f2fs: always assume that the device is idle under gc_urgent
f2fs: add bio cache for IPU
f2fs: allow ssr block allocation during checkpoint=disable period
f2fs: fix to check layout on last valid checkpoint park
Conflicts:
arch/arm64/configs/cuttlefish_defconfig
arch/arm64/include/asm/memory.h
arch/arm64/include/asm/thread_info.h
arch/x86/configs/x86_64_cuttlefish_defconfig
build.config.common
drivers/dma-buf/dma-buf.c
fs/crypto/Makefile
fs/crypto/bio.c
fs/crypto/fscrypt_private.h
fs/crypto/keyinfo.c
fs/ext4/page-io.c
fs/f2fs/data.c
fs/f2fs/f2fs.h
fs/f2fs/inode.c
fs/f2fs/segment.c
fs/userfaultfd.c
include/linux/dma-buf.h
include/linux/fscrypt.h
include/linux/kasan.h
include/linux/platform_data/ds2482.h
include/uapi/linux/fs.h
kernel/sched/deadline.c
kernel/sched/fair.c
kernel/sched/rt.c
kernel/sched/sched.h
kernel/sched/stop_task.c
kernel/sched/walt.c
kernel/sched/walt.h
lib/test_kasan.c
mm/kasan/common.c
mm/kasan/kasan.h
mm/kasan/report.c
mm/slub.c
mm/vmalloc.c
scripts/Makefile.kasan
Changed below files to fix build errors:
drivers/char/diag/diagchar_core.c
drivers/power/supply/qcom/battery.c
drivers/power/supply/qcom/smb1390-charger-psy.c
drivers/power/supply/qcom/smb1390-charger.c
drivers/power/supply/qcom/step-chg-jeita.c
fs/crypto/fscrypt_ice.c
fs/crypto/fscrypt_private.h
fs/f2fs/inode.c
include/uapi/linux/fscrypt.h
net/qrtr/qrtr.c
gen_headers_arm.bp
gen_headers_arm64.bp
Extra added fixes in fs/f2fs/data.c for FBE:
* Fix FBE regression with 9937c21ce1 ("f2fs: add bio cache
for IPU"). The above commit is not setting the DUN for
bio, due to which the bio's could get corrupted when FBE
is enabled.
* The f2fs_merge_page_bio() incorrectly uses the bio after
it is submitted for IO when fscrypt_mergeable_bio()
returns false. Fix it by making the submitted bio NULL
so that a new bio gets allocated for the next/new page.
Ignored the below scheduler patches as they are already present:
ANDROID: sched: WALT: Add support for CFS_BANDWIDTH
ANDROID: sched: WALT: Refactor cumulative runnable average fixup
picked below patches from 4.14.159 and 4.14.172 versions to fix issues
0e39aa9d5 "UPSTREAM: arm64: Validate tagged addresses in access_ok() called from kernel threads"
352902650 "fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY"
Change-Id: I205b796ee125fa6e9d27fa30f881e4e8fe8bea29
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
Andrey Ryabinin
|
d649ef04c3 |
UPSTREAM: mm/kasan: fix false positive invalid-free reports with CONFIG_KASAN_SW_TAGS=y
(Upstream commit 00fb24a42a68b1ee0f6495993fe1be7124433dfb). The code like this: ptr = kmalloc(size, GFP_KERNEL); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset); may produce false-positive invalid-free reports on the kernel with CONFIG_KASAN_SW_TAGS=y. In the example above we lose the original tag assigned to 'ptr', so kfree() gets the pointer with 0xFF tag. In kfree() we check that 0xFF tag is different from the tag in shadow hence print false report. Instead of just comparing tags, do the following: 1) Check that shadow doesn't contain KASAN_TAG_INVALID. Otherwise it's double-free and it doesn't matter what tag the pointer have. 2) If pointer tag is different from 0xFF, make sure that tag in the shadow is the same as in the pointer. Link: http://lkml.kernel.org/r/20190819172540.19581-1-aryabinin@virtuozzo.com Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reported-by: Walter Wu <walter-zh.wu@mediatek.com> Reported-by: Mark Rutland <mark.rutland@arm.com> Reviewed-by: Andrey Konovalov <andreyknvl@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Idea0193d125b9d695b025c00800b06758a37b3ba Bug: 128674696 |
||
Nathan Chancellor
|
88590f0a97 |
UPSTREAM: kasan: initialize tag to 0xff in __kasan_kmalloc
Upstream commit 0600597c854e53d2f9b7a6a718c1da2b8b4cb4db.
When building with -Wuninitialized and CONFIG_KASAN_SW_TAGS unset, Clang
warns:
mm/kasan/common.c:484:40: warning: variable 'tag' is uninitialized when
used here [-Wuninitialized]
kasan_unpoison_shadow(set_tag(object, tag), size);
^~~
set_tag ignores tag in this configuration but clang doesn't realize it at
this point in its pipeline, as it points to arch_kasan_set_tag as being
the point where it is used, which will later be expanded to (void
*)(object) without a use of tag. Initialize tag to 0xff, as it removes
this warning and doesn't change the meaning of the code.
Link: https://github.com/ClangBuiltLinux/linux/issues/465
Link: http://lkml.kernel.org/r/20190502163057.6603-1-natechancellor@gmail.com
Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode")
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: I5860952772ae66e9eaafe138899e14da1892cab6
Bug: 128674696
|
||
Thomas Gleixner
|
7095baad73 |
UPSTREAM: mm/kasan: Remove the ULONG_MAX stack trace hackery
Upstream commit ead97a49ec3a3cb9b5133acbfed9a49b91ebf37c. No architecture terminates the stack trace with ULONG_MAX anymore. Remove the cruft. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Dmitry Vyukov <dvyukov@google.com> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: kasan-dev@googlegroups.com Cc: linux-mm@kvack.org Link: https://lkml.kernel.org/r/20190410103644.750219625@linutronix.de Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I57b225e2bb8bdec599c386732ffe6837653c2a25 Bug: 128674696 |
||
Peter Zijlstra
|
10be9094e3 |
UPSTREAM: x86/uaccess, kasan: Fix KASAN vs SMAP
Upstream commit 57b78a62e7f23c4686fe54091cdc3d12e60d6513.
KASAN inserts extra code for every LOAD/STORE emitted by te compiler.
Much of this code is simple and safe to run with AC=1, however the
kasan_report() function, called on error, is most certainly not safe
to call with AC=1.
Therefore wrap kasan_report() in user_access_{save,restore}; which for
x86 SMAP, saves/restores EFLAGS and clears AC before calling the real
function.
Also ensure all the functions are without __fentry__ hook. The
function tracer is also not safe.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: Iad2644e0d40d2ba468c1442fd10c546c5b6dcee3
Bug: 128674696
|
||
Qian Cai
|
9fcb43e16d |
UPSTREAM: kasan: fix variable 'tag' set but not used warning
Upstream commit c412a769d2452161e97f163c4c4f31efc6626f06.
set_tag() compiles away when CONFIG_KASAN_SW_TAGS=n, so make
arch_kasan_set_tag() a static inline function to fix warnings below.
mm/kasan/common.c: In function '__kasan_kmalloc':
mm/kasan/common.c:475:5: warning: variable 'tag' set but not used [-Wunused-but-set-variable]
u8 tag;
^~~
Link: http://lkml.kernel.org/r/20190307185244.54648-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: I04b94f7e65044e101edf6c1bbc9bd7014783864c
Bug: 128674696
|
||
Andrey Konovalov
|
e8079b78ab |
UPSTREAM: kasan: fix coccinelle warnings in kasan_p*_table
Upstream commit 5c0198b6fb73867dea296a69a944a4fdbceff3d8. kasan_p4d_table(), kasan_pmd_table() and kasan_pud_table() are declared as returning bool, but return 0 instead of false, which produces a coccinelle warning. Fix it. Link: http://lkml.kernel.org/r/1fa6fadf644859e8a6a8ecce258444b49be8c7ee.1551716733.git.andreyknvl@google.com Fixes: 0207df4fa1a8 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN") Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reported-by: kbuild test robot <lkp@intel.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I1c407d7095f5bd676b0ed68914de6bfcaa7a4cab Bug: 128674696 |
||
Arnd Bergmann
|
6b13a81d45 |
UPSTREAM: kasan: fix kasan_check_read/write definitions
Upstream commit bcf6f55a0d05eedd8ebb6ecc60ae3f93205ad833. Building little-endian allmodconfig kernels on arm64 started failing with the generated atomic.h implementation, since we now try to call kasan helpers from the EFI stub: aarch64-linux-gnu-ld: drivers/firmware/efi/libstub/arm-stub.stub.o: in function `atomic_set': include/generated/atomic-instrumented.h:44: undefined reference to `__efistub_kasan_check_write' I suspect that we get similar problems in other files that explicitly disable KASAN for some reason but call atomic_t based helper functions. We can fix this by checking the predefined __SANITIZE_ADDRESS__ macro that the compiler sets instead of checking CONFIG_KASAN, but this in turn requires a small hack in mm/kasan/common.c so we do see the extern declaration there instead of the inline function. Link: http://lkml.kernel.org/r/20181211133453.2835077-1-arnd@arndb.de Fixes: b1864b828644 ("locking/atomics: build atomic headers as required") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reported-by: Anders Roxell <anders.roxell@linaro.org> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Will Deacon <will.deacon@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Konovalov <andreyknvl@google.com> Cc: Stephen Rothwell <sfr@canb.auug.org.au>, Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Ifa3f88490494ef2d338348ea045a1e0857d90c0c Bug: 128674696 |
||
|
Andrey Ryabinin
|
e3ea178cf1 |
BACKPORT: kasan: remove use after scope bugs detection.
Upstream commit 7771bdbbfd3d6f204631b6fd9e1bbc30cd15918e. Use after scope bugs detector seems to be almost entirely useless for the linux kernel. It exists over two years, but I've seen only one valid bug so far [1]. And the bug was fixed before it has been reported. There were some other use-after-scope reports, but they were false-positives due to different reasons like incompatibility with structleak plugin. This feature significantly increases stack usage, especially with GCC < 9 version, and causes a 32K stack overflow. It probably adds performance penalty too. Given all that, let's remove use-after-scope detector entirely. While preparing this patch I've noticed that we mistakenly enable use-after-scope detection for clang compiler regardless of CONFIG_KASAN_EXTRA setting. This is also fixed now. [1] http://lkml.kernel.org/r/<20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com> Link: http://lkml.kernel.org/r/20190111185842.13978-1-aryabinin@virtuozzo.com Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Acked-by: Will Deacon <will.deacon@arm.com> [arm64] Cc: Qian Cai <cai@lca.pw> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I67be36061700f476683933db9e9a901a582b7553 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
0de342cf92 |
UPSTREAM: kasan: prevent tracing of tags.c
Upstream commit dc15a8a2543cb9ebe67998eefe2880ce1a20d42e.
Similarly to commit 0d0c8de8788b ("kasan: mark file common so ftrace
doesn't trace it") add the -pg flag to mm/kasan/tags.c to prevent
conflicts with tracing.
Link: http://lkml.kernel.org/r/9c4c3ce5ccfb894c7fe66d91de7c1da2787b4da4.1550602886.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: Qian Cai <cai@lca.pw>
Tested-by: Qian Cai <cai@lca.pw>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Evgeniy Stepanov <eugenis@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: Id03760451d60fdb162cd3bddf78972684faa6028
Bug: 128674696
|
||
|
Andrey Konovalov
|
6c078fd067 |
UPSTREAM: kasan: fix random seed generation for tag-based mode
Upstream commit 3f41b609382388f95c0a05b69b8db0d706adafb4. There are two issues with assigning random percpu seeds right now: 1. We use for_each_possible_cpu() to iterate over cpus, but cpumask is not set up yet at the moment of kasan_init(), and thus we only set the seed for cpu #0. 2. A call to get_random_u32() always returns the same number and produces a message in dmesg, since the random subsystem is not yet initialized. Fix 1 by calling kasan_init_tags() after cpumask is set up. Fix 2 by using get_cycles() instead of get_random_u32(). This gives us lower quality random numbers, but it's good enough, as KASAN is meant to be used as a debugging tool and not a mitigation. Link: http://lkml.kernel.org/r/1f815cc914b61f3516ed4cc9bfd9eeca9bd5d9de.1550677973.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I6e0f8b60588a1502ba085c57bdb44a0fbc294fc1 Bug: 128674696 |
||
|
Andrey Konovalov
|
e31f66f864 |
UPSTREAM: kasan: fix assigning tags twice
Upstream commit e1db95befb3e9e3476629afec6e0f5d0707b9825. When an object is kmalloc()'ed, two hooks are called: kasan_slab_alloc() and kasan_kmalloc(). Right now we assign a tag twice, once in each of the hooks. Fix it by assigning a tag only in the former hook. Link: http://lkml.kernel.org/r/ce8c6431da735aa7ec051fd6497153df690eb021.1549921721.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Christoph Lameter <cl@linux.com> Cc: David Rientjes <rientjes@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Evgeniy Stepanov <eugenis@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Kostya Serebryany <kcc@google.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: Qian Cai <cai@lca.pw> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I3fac3e0f21094cf14009a1110fac85f064d105fe Bug: 128674696 |
||
Anders Roxell
|
86fa63a115 |
UPSTREAM: kasan: mark file common so ftrace doesn't trace it
Upstream commit 0d0c8de8788b6c441ea01365612de7efc20cc682. When option CONFIG_KASAN is enabled toghether with ftrace, function ftrace_graph_caller() gets in to a recursion, via functions kasan_check_read() and kasan_check_write(). Breakpoint 2, ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:179 179 mcount_get_pc x0 // function's pc (gdb) bt #0 ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:179 #1 0xffffff90101406c8 in ftrace_caller () at ../arch/arm64/kernel/entry-ftrace.S:151 #2 0xffffff90106fd084 in kasan_check_write (p=0xffffffc06c170878, size=4) at ../mm/kasan/common.c:105 #3 0xffffff90104a2464 in atomic_add_return (v=<optimized out>, i=<optimized out>) at ./include/generated/atomic-instrumented.h:71 #4 atomic_inc_return (v=<optimized out>) at ./include/generated/atomic-fallback.h:284 #5 trace_graph_entry (trace=0xffffffc03f5ff380) at ../kernel/trace/trace_functions_graph.c:441 #6 0xffffff9010481774 in trace_graph_entry_watchdog (trace=<optimized out>) at ../kernel/trace/trace_selftest.c:741 #7 0xffffff90104a185c in function_graph_enter (ret=<optimized out>, func=<optimized out>, frame_pointer=18446743799894897728, retp=<optimized out>) at ../kernel/trace/trace_functions_graph.c:196 #8 0xffffff9010140628 in prepare_ftrace_return (self_addr=18446743592948977792, parent=0xffffffc03f5ff418, frame_pointer=18446743799894897728) at ../arch/arm64/kernel/ftrace.c:231 #9 0xffffff90101406f4 in ftrace_graph_caller () at ../arch/arm64/kernel/entry-ftrace.S:182 Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) Rework so that the kasan implementation isn't traced. Link: http://lkml.kernel.org/r/20181212183447.15890-1-anders.roxell@linaro.org Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Acked-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Ia8874ccdfcca676f6dc480d6e62f197ee1fc6594 Bug: 128674696 |
||
|
Andrey Konovalov
|
87d15639e1 |
UPSTREAM: kasan: fix krealloc handling for tag-based mode
Upstream commit a3fe7cdf02e318870fb71218726cc2321ff41f30. Right now tag-based KASAN can retag the memory that is reallocated via krealloc and return a differently tagged pointer even if the same slab object gets used and no reallocated technically happens. There are a few issues with this approach. One is that krealloc callers can't rely on comparing the return value with the passed argument to check whether reallocation happened. Another is that if a caller knows that no reallocation happened, that it can access object memory through the old pointer, which leads to false positives. Look at nf_ct_ext_add() to see an example. Fix this by keeping the same tag if the memory don't actually gets reallocated during krealloc. Link: http://lkml.kernel.org/r/bb2a71d17ed072bcc528cbee46fcbd71a6da3be4.1546540962.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Christoph Lameter <cl@linux.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I93c371b65d1470621cce5d781e7f33fb42349a3a Bug: 128674696 |
||
|
Andrey Konovalov
|
6f4b0fa978 |
UPSTREAM: kasan, arm64: use ARCH_SLAB_MINALIGN instead of manual aligning
Upstream commit eb214f2dda31ffa989033b1e0f848ba0d3cb6188. Instead of changing cache->align to be aligned to KASAN_SHADOW_SCALE_SIZE in kasan_cache_create() we can reuse the ARCH_SLAB_MINALIGN macro. Link: http://lkml.kernel.org/r/52ddd881916bcc153a9924c154daacde78522227.1546540962.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Suggested-by: Vincenzo Frascino <vincenzo.frascino@arm.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Christoph Lameter <cl@linux.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I9ab03979c58c5f59d2c78854ec51c4b5f30605e6 Bug: 128674696 |
||
|
Andrey Konovalov
|
7312999192 |
UPSTREAM: kasan: add SPDX-License-Identifier mark to source files
Upstream commit e886bf9d9abedf8236464bfd21bc5707748b4a02. This patch adds a "SPDX-License-Identifier: GPL-2.0" mark to all source files under mm/kasan. Link: http://lkml.kernel.org/r/bce2d1e618afa5142e81961ab8fa4b4165337380.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I275a48a1721e2ccb089c1a30d439868e83ee4834 Bug: 128674696 |
||
|
Andrey Konovalov
|
5314ddc3e8 |
UPSTREAM: kasan: add __must_check annotations to kasan hooks
Upstream commit 66afc7f1e07a1db74453be9167ac0d1205653854. This patch adds __must_check annotations to kasan hooks that return a pointer to make sure that a tagged pointer always gets propagated. Link: http://lkml.kernel.org/r/03b269c5e453945f724bfca3159d4e1333a8fb1c.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Suggested-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Christoph Lameter <cl@linux.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Ibe51f1fb4a9554d1c31d84beb2ea7dcfb16f8e70 Bug: 128674696 |
||
|
Andrey Konovalov
|
278b23427e |
BACKPORT: kasan, mm, arm64: tag non slab memory allocated via pagealloc
Upstream commit 2813b9c0296259fb11e75c839bab2d958ba4f96c. Tag-based KASAN doesn't check memory accesses through pointers tagged with 0xff. When page_address is used to get pointer to memory that corresponds to some page, the tag of the resulting pointer gets set to 0xff, even though the allocated memory might have been tagged differently. For slab pages it's impossible to recover the correct tag to return from page_address, since the page might contain multiple slab objects tagged with different values, and we can't know in advance which one of them is going to get accessed. For non slab pages however, we can recover the tag in page_address, since the whole page was marked with the same tag. This patch adds tagging to non slab memory allocated with pagealloc. To set the tag of the pointer returned from page_address, the tag gets stored to page->flags when the memory gets allocated. Link: http://lkml.kernel.org/r/d758ddcef46a5abc9970182b9137e2fbee202a2c.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Acked-by: Will Deacon <will.deacon@arm.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I5fa30138b528c8372c129d30e3a362403faca712 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
703bb1f9e9 |
UPSTREAM: kasan: add hooks implementation for tag-based mode
Upstream commit 7f94ffbc4c6a1bdb51d39965e4f2acaa19bd798f. This commit adds tag-based KASAN specific hooks implementation and adjusts common generic and tag-based KASAN ones. 1. When a new slab cache is created, tag-based KASAN rounds up the size of the objects in this cache to KASAN_SHADOW_SCALE_SIZE (== 16). 2. On each kmalloc tag-based KASAN generates a random tag, sets the shadow memory, that corresponds to this object to this tag, and embeds this tag value into the top byte of the returned pointer. 3. On each kfree tag-based KASAN poisons the shadow memory with a random tag to allow detection of use-after-free bugs. The rest of the logic of the hook implementation is very much similar to the one provided by generic KASAN. Tag-based KASAN saves allocation and free stack metadata to the slab object the same way generic KASAN does. Link: http://lkml.kernel.org/r/bda78069e3b8422039794050ddcb2d53d053ed41.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I406f33d5860ee5b261eb0673be8c384ce9b36313 Bug: 128674696 |
||
|
Andrey Konovalov
|
22200356af |
UPSTREAM: kasan: add bug reporting routines for tag-based mode
Upstream commit 121e8f81d38cc43834195722d0768340dc130a33. This commit adds rountines, that print tag-based KASAN error reports. Those are quite similar to generic KASAN, the difference is: 1. The way tag-based KASAN finds the first bad shadow cell (with a mismatching tag). Tag-based KASAN compares memory tags from the shadow memory to the pointer tag. 2. Tag-based KASAN reports all bugs with the "KASAN: invalid-access" header. Also simplify generic KASAN find_first_bad_addr. Link: http://lkml.kernel.org/r/aee6897b1bd077732a315fd84c6b4f234dbfdfcb.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Ie15bb8c27d6202d9744f1755eff214b98ee9941f Bug: 128674696 |
||
|
Andrey Konovalov
|
346ed760d4 |
UPSTREAM: kasan: split out generic_report.c from report.c
Upstream commit 11cd3cd69a256a353dd1a249b48ccd727d945952. Move generic KASAN specific error reporting routines to generic_report.c without any functional changes, leaving common error reporting code in report.c to be later reused by tag-based KASAN. Link: http://lkml.kernel.org/r/ba48c32f8e5aefedee78998ccff0413bee9e0f5b.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Id497accec79f984fbdaf2d54b701a41fba1e6a18 Bug: 128674696 |
||
|
Andrey Konovalov
|
229ec2bb14 |
UPSTREAM: kasan: add tag related helper functions
Upstream commit 3c9e3aa11094e821aff4a8f6812a6e032293dbc0. This commit adds a few helper functions, that are meant to be used to work with tags embedded in the top byte of kernel pointers: to set, to get or to reset the top byte. Link: http://lkml.kernel.org/r/f6c6437bb8e143bc44f42c3c259c62e734be7935.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Christoph Lameter <cl@linux.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I9cc1f21e7ef63d6237b8f80a6f5e56b19dc433b9 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
70e11758af |
BACKPORT: kasan: initialize shadow to 0xff for tag-based mode
Upstream commit 080eb83f54cf5b96ae5b6ce3c1896e35c341aff9. A tag-based KASAN shadow memory cell contains a memory tag, that corresponds to the tag in the top byte of the pointer, that points to that memory. The native top byte value of kernel pointers is 0xff, so with tag-based KASAN we need to initialize shadow memory to 0xff. [cai@lca.pw: arm64: skip kmemleak for KASAN again\ Link: http://lkml.kernel.org/r/20181226020550.63712-1-cai@lca.pw Link: http://lkml.kernel.org/r/5cc1b789aad7c99cf4f3ec5b328b147ad53edb40.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I623fcd78e14b7f03b7042b3e2a25c7f24093cd8b Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
dd93739e18 |
BACKPORT: kasan: rename kasan_zero_page to kasan_early_shadow_page
Upstream commit 9577dd7486487722ed8f0773243223f108e8089f. With tag based KASAN mode the early shadow value is 0xff and not 0x00, so this patch renames kasan_zero_(page|pte|pmd|pud|p4d) to kasan_early_shadow_(page|pte|pmd|pud|p4d) to avoid confusion. Link: http://lkml.kernel.org/r/3fed313280ebf4f88645f5b89ccbc066d320e177.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Suggested-by: Mark Rutland <mark.rutland@arm.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Christoph Lameter <cl@linux.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I23ff09d4a9c4e1d6a79289b6db9d6a63f1578475 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
8a94e7d158 |
BACKPORT: kasan: add CONFIG_KASAN_GENERIC and CONFIG_KASAN_SW_TAGS
Upstream commit 2bd926b439b4cb6b9ed240a9781cd01958b53d85. There were a couple of issues during backport. The first one is caused by the upstream commit using cc-option in Kconfig, which android kernel doesn't support. Instead of using cc-option, this backport moves the compiler check to the Makefile. The other one is that older GCCs (before version 5) don't support the __has_attribute macro. The upstream has dealt with this via a special header file (compiler_attributes.h) that emulates this macro for some cases. Instead of backporting the whole series that adds this header do a direct GCC version check to determine the presense of the no_sanitize_address attribute. This commit splits the current CONFIG_KASAN config option into two: 1. CONFIG_KASAN_GENERIC, that enables the generic KASAN mode (the one that exists now); 2. CONFIG_KASAN_SW_TAGS, that enables the software tag-based KASAN mode. The name CONFIG_KASAN_SW_TAGS is chosen as in the future we will have another hardware tag-based KASAN mode, that will rely on hardware memory tagging support in arm64. With CONFIG_KASAN_SW_TAGS enabled, compiler options are changed to instrument kernel files with -fsantize=kernel-hwaddress (except the ones for which KASAN_SANITIZE := n is set). Both CONFIG_KASAN_GENERIC and CONFIG_KASAN_SW_TAGS support both CONFIG_KASAN_INLINE and CONFIG_KASAN_OUTLINE instrumentation modes. This commit also adds empty placeholder (for now) implementation of tag-based KASAN specific hooks inserted by the compiler and adjusts common hooks implementation. While this commit adds the CONFIG_KASAN_SW_TAGS config option, this option is not selectable, as it depends on HAVE_ARCH_KASAN_SW_TAGS, which we will enable once all the infrastracture code has been added. Link: http://lkml.kernel.org/r/b2550106eb8a68b10fefbabce820910b115aa853.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: Iaf18eccf0c6ee952a14bb13cd14dc1ddaf9e7698 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
4bc7100ce0 |
UPSTREAM: kasan: rename source files to reflect the new naming scheme
Upstream commit b938fcf42739de8270e6ea41593722929c8a7dd0. We now have two KASAN modes: generic KASAN and tag-based KASAN. Rename kasan.c to generic.c to reflect that. Also rename kasan_init.c to init.c as it contains initialization code for both KASAN modes. Link: http://lkml.kernel.org/r/88c6fd2a883e459e6242030497230e5fb0d44d44.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I3bc6a81f7d3ec28fe89ccb0510ca4e7b3b52bd71 Bug: 128674696 |
||
|
Andrey Konovalov
|
748038be9c |
BACKPORT: kasan: move common generic and tag-based code to common.c
Upstream commit bffa986c6f80e39d9903015fc7d0d99a66bbf559. Tag-based KASAN reuses a significant part of the generic KASAN code, so move the common parts to common.c without any functional changes. Link: http://lkml.kernel.org/r/114064d002356e03bb8cc91f7835e20dc61b51d9.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I4e0a463cd0b9671cf9ce5ac27418894d45a06b80 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
30847271f7 |
UPSTREAM: kasan, mm: change hooks signatures
Upstream commit 0116523cfffa62aeb5aa3b85ce7419f3dae0c1b8. Patch series "kasan: add software tag-based mode for arm64", v13. This patchset adds a new software tag-based mode to KASAN [1]. (Initially this mode was called KHWASAN, but it got renamed, see the naming rationale at the end of this section). The plan is to implement HWASan [2] for the kernel with the incentive, that it's going to have comparable to KASAN performance, but in the same time consume much less memory, trading that off for somewhat imprecise bug detection and being supported only for arm64. The underlying ideas of the approach used by software tag-based KASAN are: 1. By using the Top Byte Ignore (TBI) arm64 CPU feature, we can store pointer tags in the top byte of each kernel pointer. 2. Using shadow memory, we can store memory tags for each chunk of kernel memory. 3. On each memory allocation, we can generate a random tag, embed it into the returned pointer and set the memory tags that correspond to this chunk of memory to the same value. 4. By using compiler instrumentation, before each memory access we can add a check that the pointer tag matches the tag of the memory that is being accessed. 5. On a tag mismatch we report an error. With this patchset the existing KASAN mode gets renamed to generic KASAN, with the word "generic" meaning that the implementation can be supported by any architecture as it is purely software. The new mode this patchset adds is called software tag-based KASAN. The word "tag-based" refers to the fact that this mode uses tags embedded into the top byte of kernel pointers and the TBI arm64 CPU feature that allows to dereference such pointers. The word "software" here means that shadow memory manipulation and tag checking on pointer dereference is done in software. As it is the only tag-based implementation right now, "software tag-based" KASAN is sometimes referred to as simply "tag-based" in this patchset. A potential expansion of this mode is a hardware tag-based mode, which would use hardware memory tagging support (announced by Arm [3]) instead of compiler instrumentation and manual shadow memory manipulation. Same as generic KASAN, software tag-based KASAN is strictly a debugging feature. [1] https://www.kernel.org/doc/html/latest/dev-tools/kasan.html [2] http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html [3] https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a ====== Rationale On mobile devices generic KASAN's memory usage is significant problem. One of the main reasons to have tag-based KASAN is to be able to perform a similar set of checks as the generic one does, but with lower memory requirements. Comment from Vishwath Mohan <vishwath@google.com>: I don't have data on-hand, but anecdotally both ASAN and KASAN have proven problematic to enable for environments that don't tolerate the increased memory pressure well. This includes (a) Low-memory form factors - Wear, TV, Things, lower-tier phones like Go, (c) Connected components like Pixel's visual core [1]. These are both places I'd love to have a low(er) memory footprint option at my disposal. Comment from Evgenii Stepanov <eugenis@google.com>: Looking at a live Android device under load, slab (according to /proc/meminfo) + kernel stack take 8-10% available RAM (~350MB). KASAN's overhead of 2x - 3x on top of it is not insignificant. Not having this overhead enables near-production use - ex. running KASAN/KHWASAN kernel on a personal, daily-use device to catch bugs that do not reproduce in test configuration. These are the ones that often cost the most engineering time to track down. CPU overhead is bad, but generally tolerable. RAM is critical, in our experience. Once it gets low enough, OOM-killer makes your life miserable. [1] https://www.blog.google/products/pixel/pixel-visual-core-image-processing-and-machine-learning-pixel-2/ ====== Technical details Software tag-based KASAN mode is implemented in a very similar way to the generic one. This patchset essentially does the following: 1. TCR_TBI1 is set to enable Top Byte Ignore. 2. Shadow memory is used (with a different scale, 1:16, so each shadow byte corresponds to 16 bytes of kernel memory) to store memory tags. 3. All slab objects are aligned to shadow scale, which is 16 bytes. 4. All pointers returned from the slab allocator are tagged with a random tag and the corresponding shadow memory is poisoned with the same value. 5. Compiler instrumentation is used to insert tag checks. Either by calling callbacks or by inlining them (CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE flags are reused). 6. When a tag mismatch is detected in callback instrumentation mode KASAN simply prints a bug report. In case of inline instrumentation, clang inserts a brk instruction, and KASAN has it's own brk handler, which reports the bug. 7. The memory in between slab objects is marked with a reserved tag, and acts as a redzone. 8. When a slab object is freed it's marked with a reserved tag. Bug detection is imprecise for two reasons: 1. We won't catch some small out-of-bounds accesses, that fall into the same shadow cell, as the last byte of a slab object. 2. We only have 1 byte to store tags, which means we have a 1/256 probability of a tag match for an incorrect access (actually even slightly less due to reserved tag values). Despite that there's a particular type of bugs that tag-based KASAN can detect compared to generic KASAN: use-after-free after the object has been allocated by someone else. ====== Testing Some kernel developers voiced a concern that changing the top byte of kernel pointers may lead to subtle bugs that are difficult to discover. To address this concern deliberate testing has been performed. It doesn't seem feasible to do some kind of static checking to find potential issues with pointer tagging, so a dynamic approach was taken. All pointer comparisons/subtractions have been instrumented in an LLVM compiler pass and a kernel module that would print a bug report whenever two pointers with different tags are being compared/subtracted (ignoring comparisons with NULL pointers and with pointers obtained by casting an error code to a pointer type) has been used. Then the kernel has been booted in QEMU and on an Odroid C2 board and syzkaller has been run. This yielded the following results. The two places that look interesting are: is_vmalloc_addr in include/linux/mm.h is_kernel_rodata in mm/util.c Here we compare a pointer with some fixed untagged values to make sure that the pointer lies in a particular part of the kernel address space. Since tag-based KASAN doesn't add tags to pointers that belong to rodata or vmalloc regions, this should work as is. To make sure debug checks to those two functions that check that the result doesn't change whether we operate on pointers with or without untagging has been added. A few other cases that don't look that interesting: Comparing pointers to achieve unique sorting order of pointee objects (e.g. sorting locks addresses before performing a double lock): tty_ldisc_lock_pair_timeout in drivers/tty/tty_ldisc.c pipe_double_lock in fs/pipe.c unix_state_double_lock in net/unix/af_unix.c lock_two_nondirectories in fs/inode.c mutex_lock_double in kernel/events/core.c ep_cmp_ffd in fs/eventpoll.c fsnotify_compare_groups fs/notify/mark.c Nothing needs to be done here, since the tags embedded into pointers don't change, so the sorting order would still be unique. Checks that a pointer belongs to some particular allocation: is_sibling_entry in lib/radix-tree.c object_is_on_stack in include/linux/sched/task_stack.h Nothing needs to be done here either, since two pointers can only belong to the same allocation if they have the same tag. Overall, since the kernel boots and works, there are no critical bugs. As for the rest, the traditional kernel testing way (use until fails) is the only one that looks feasible. Another point here is that tag-based KASAN is available under a separate config option that needs to be deliberately enabled. Even though it might be used in a "near-production" environment to find bugs that are not found during fuzzing or running tests, it is still a debug tool. ====== Benchmarks The following numbers were collected on Odroid C2 board. Both generic and tag-based KASAN were used in inline instrumentation mode. Boot time [1]: * ~1.7 sec for clean kernel * ~5.0 sec for generic KASAN * ~5.0 sec for tag-based KASAN Network performance [2]: * 8.33 Gbits/sec for clean kernel * 3.17 Gbits/sec for generic KASAN * 2.85 Gbits/sec for tag-based KASAN Slab memory usage after boot [3]: * ~40 kb for clean kernel * ~105 kb (~260% overhead) for generic KASAN * ~47 kb (~20% overhead) for tag-based KASAN KASAN memory overhead consists of three main parts: 1. Increased slab memory usage due to redzones. 2. Shadow memory (the whole reserved once during boot). 3. Quaratine (grows gradually until some preset limit; the more the limit, the more the chance to detect a use-after-free). Comparing tag-based vs generic KASAN for each of these points: 1. 20% vs 260% overhead. 2. 1/16th vs 1/8th of physical memory. 3. Tag-based KASAN doesn't require quarantine. [1] Time before the ext4 driver is initialized. [2] Measured as `iperf -s & iperf -c 127.0.0.1 -t 30`. [3] Measured as `cat /proc/meminfo | grep Slab`. ====== Some notes A few notes: 1. The patchset can be found here: https://github.com/xairy/kasan-prototype/tree/khwasan 2. Building requires a recent Clang version (7.0.0 or later). 3. Stack instrumentation is not supported yet and will be added later. This patch (of 25): Tag-based KASAN changes the value of the top byte of pointers returned from the kernel allocation functions (such as kmalloc). This patch updates KASAN hooks signatures and their usage in SLAB and SLUB code to reflect that. Link: http://lkml.kernel.org/r/aec2b5e3973781ff8a6bb6760f8543643202c451.1544099024.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Iefef37d9c54869df0873af75345262a24150ee80 Bug: 128674696 |
||
Clark Williams
|
a1044e0868 |
UPSTREAM: mm/kasan/quarantine.c: make quarantine_lock a raw_spinlock_t
Upstream commit 026d1eaf5ef1a5d6258b46e4e411cd9f5ab8c41d. The static lock quarantine_lock is used in quarantine.c to protect the quarantine queue datastructures. It is taken inside quarantine queue manipulation routines (quarantine_put(), quarantine_reduce() and quarantine_remove_cache()), with IRQs disabled. This is not a problem on a stock kernel but is problematic on an RT kernel where spin locks are sleeping spinlocks, which can sleep and can not be acquired with disabled interrupts. Convert the quarantine_lock to a raw spinlock_t. The usage of quarantine_lock is confined to quarantine.c and the work performed while the lock is held is used for debug purpose. [bigeasy@linutronix.de: slightly altered the commit message] Link: http://lkml.kernel.org/r/20181010214945.5owshc3mlrh74z4b@linutronix.de Signed-off-by: Clark Williams <williams@redhat.com> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Acked-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I59453f5d5c8b1bc2b841979a8b75d9e74b554389 Bug: 128674696 |
||
|
Andrey Ryabinin
|
69c0f72d6c |
BACKPORT: kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN
Upstream commit 0207df4fa1a869281ddbf72db6203dbf036b3e1a. KASAN learns about hotadded memory via the memory hotplug notifier. devm_memremap_pages() intentionally skips calling memory hotplug notifiers. So KASAN doesn't know anything about new memory added by devm_memremap_pages(). This causes a crash when KASAN tries to access non-existent shadow memory: BUG: unable to handle kernel paging request at ffffed0078000000 RIP: 0010:check_memory_region+0x82/0x1e0 Call Trace: memcpy+0x1f/0x50 pmem_do_bvec+0x163/0x720 pmem_make_request+0x305/0xac0 generic_make_request+0x54f/0xcf0 submit_bio+0x9c/0x370 submit_bh_wbc+0x4c7/0x700 block_read_full_page+0x5ef/0x870 do_read_cache_page+0x2b8/0xb30 read_dev_sector+0xbd/0x3f0 read_lba.isra.0+0x277/0x670 efi_partition+0x41a/0x18f0 check_partition+0x30d/0x5e9 rescan_partitions+0x18c/0x840 __blkdev_get+0x859/0x1060 blkdev_get+0x23f/0x810 __device_add_disk+0x9c8/0xde0 pmem_attach_disk+0x9a8/0xf50 nvdimm_bus_probe+0xf3/0x3c0 driver_probe_device+0x493/0xbd0 bus_for_each_drv+0x118/0x1b0 __device_attach+0x1cd/0x2b0 bus_probe_device+0x1ac/0x260 device_add+0x90d/0x1380 nd_async_device_register+0xe/0x50 async_run_entry_fn+0xc3/0x5d0 process_one_work+0xa0a/0x1810 worker_thread+0x87/0xe80 kthread+0x2d7/0x390 ret_from_fork+0x3a/0x50 Add kasan_add_zero_shadow()/kasan_remove_zero_shadow() - post mm_init() interface to map/unmap kasan_zero_page at requested virtual addresses. And use it to add/remove the shadow memory for hotplugged/unplugged device memory. Link: http://lkml.kernel.org/r/20180629164932.740-1-aryabinin@virtuozzo.com Fixes: 41e94a851304 ("add devm_memremap_pages") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Reported-by: Dave Chinner <david@fromorbit.com> Reviewed-by: Dan Williams <dan.j.williams@intel.com> Tested-by: Dan Williams <dan.j.williams@intel.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: Ia9960843404dcd3168334cc3c4cf79d77d247430 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
Shakeel Butt
|
b7c4789e62 |
UPSTREAM: slab, slub: skip unnecessary kasan_cache_shutdown()
Upstream commit f9e13c0a5a33d1eaec374d6d4dab53a4f72756a0.
The kasan quarantine is designed to delay freeing slab objects to catch
use-after-free. The quarantine can be large (several percent of machine
memory size). When kmem_caches are deleted related objects are flushed
from the quarantine but this requires scanning the entire quarantine
which can be very slow. We have seen the kernel busily working on this
while holding slab_mutex and badly affecting cache_reaper, slabinfo
readers and memcg kmem cache creations.
It can easily reproduced by following script:
yes . | head -1000000 | xargs stat > /dev/null
for i in `seq 1 10`; do
seq 500 | (cd /cg/memory && xargs mkdir)
seq 500 | xargs -I{} sh -c 'echo $BASHPID > \
/cg/memory/{}/tasks && exec stat .' > /dev/null
seq 500 | (cd /cg/memory && xargs rmdir)
done
The busy stack:
kasan_cache_shutdown
shutdown_cache
memcg_destroy_kmem_caches
mem_cgroup_css_free
css_free_rwork_fn
process_one_work
worker_thread
kthread
ret_from_fork
This patch is based on the observation that if the kmem_cache to be
destroyed is empty then there should not be any objects of this cache in
the quarantine.
Without the patch the script got stuck for couple of hours. With the
patch the script completed within a second.
Link: http://lkml.kernel.org/r/20180327230603.54721-1-shakeelb@google.com
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: Id191e26b2daf1159cda3af80270d3c58394b4867
Bug: 128674696
|
||
Alexey Dobriyan
|
c9dcc8241b |
BACKPORT: kasan: make kasan_cache_create() work with 32-bit slab cache sizes
Upstream commit be4a7988b35db9e6f95dca818d5e94785840fb58. If SLAB doesn't support 4GB+ kmem caches (it never did), KASAN should not do it as well. Link: http://lkml.kernel.org/r/20180305200730.15812-20-adobriyan@gmail.com Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I100b702c264de821101befe853052f331b752b41 Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 128674696 |
||
|
Andrey Konovalov
|
a1d9f205fb |
UPSTREAM: kasan: fix prototype author email address
Upstream commit 5f21f3a8f4dcba77792d60bcc711131470a689bb. Use the new one. Link: http://lkml.kernel.org/r/de3b7ffc30a55178913a7d3865216aa7accf6c40.1515775666.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I886a38ef9e3bd0e999c77300a93fdc0afaf144fc Bug: 128674696 |
||
Dmitry Vyukov
|
8bb837f698 |
UPSTREAM: kasan: detect invalid frees
Upstream commit b1d5728939ebe01a773a75a72e7161408ec9805e. Detect frees of pointers into middle of heap objects. Link: http://lkml.kernel.org/r/cb569193190356beb018a03bb8d6fbae67e7adbc.1514378558.git.dvyukov@google.com Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Ife74864d3465730bdf195155c9747f7a375081da Bug: 128674696 |
||
|
Dmitry Vyukov
|
8e456d930f |
UPSTREAM: kasan: unify code between kasan_slab_free() and kasan_poison_kfree()
Upstream commit 1db0e0f9dd9816e5d018518f933066d7b9bc0e33. Both of these functions deal with freeing of slab objects. However, kasan_poison_kfree() mishandles SLAB_TYPESAFE_BY_RCU (must also not poison such objects) and does not detect double-frees. Unify code between these functions. This solves both of the problems and allows to add more common code (e.g. detection of invalid frees). Link: http://lkml.kernel.org/r/385493d863acf60408be219a021c3c8e27daa96f.1514378558.git.dvyukov@google.com Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I4fc3b8c674714aa7b4b9a2714df5a85255d638e0 Bug: 128674696 |
||
|
Dmitry Vyukov
|
fa2dac74d6 |
UPSTREAM: kasan: detect invalid frees for large mempool objects
Upstream commit 6860f6340c0918cddcd3c9fcf8c36401c8184268. Detect frees of pointers into middle of mempool objects. I did a one-off test, but it turned out to be very tricky, so I reverted it. First, mempool does not call kasan_poison_kfree() unless allocation function fails. I stubbed an allocation function to fail on second and subsequent allocations. But then mempool stopped to call kasan_poison_kfree() at all, because it does it only when allocation function is mempool_kmalloc(). We could support this special failing test allocation function in mempool, but it also can't live with kasan tests, because these are in a module. Link: http://lkml.kernel.org/r/bf7a7d035d7a5ed62d2dd0e3d2e8a4fcdf456aa7.1514378558.git.dvyukov@google.com Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I3bd798d0cf0034240a9a150bb4d0c4c7b2208d4c Bug: 128674696 |
||
|
Dmitry Vyukov
|
eff86ebf0a |
UPSTREAM: kasan: don't use __builtin_return_address(1)
Upstream commit ee3ce779b58c31acacdfab0ad6c86d428ba2c2e3. __builtin_return_address(1) is unreliable without frame pointers. With defconfig on kmalloc_pagealloc_invalid_free test I am getting: BUG: KASAN: double-free or invalid-free in (null) Pass caller PC from callers explicitly. Link: http://lkml.kernel.org/r/9b01bc2d237a4df74ff8472a3bf6b7635908de01.1514378558.git.dvyukov@google.com Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: Iad86bf93c908fc2f10db7a712f0d424c8b3c5ee0 Bug: 128674696 |
||
|
Dmitry Vyukov
|
d80cc7c859 |
UPSTREAM: kasan: detect invalid frees for large objects
Upstream commit 47adccce3e8a31d315f47183ab1185862b2fc5d4. Patch series "kasan: detect invalid frees". KASAN detects double-frees, but does not detect invalid-frees (when a pointer into a middle of heap object is passed to free). We recently had a very unpleasant case in crypto code which freed an inner object inside of a heap allocation. This left unnoticed during free, but totally corrupted heap and later lead to a bunch of random crashes all over kernel code. Detect invalid frees. This patch (of 5): Detect frees of pointers into middle of large heap objects. I dropped const from kasan_kfree_large() because it starts propagating through a bunch of functions in kasan_report.c, slab/slub nearest_obj(), all of their local variables, fixup_red_left(), etc. Link: http://lkml.kernel.org/r/1b45b4fe1d20fc0de1329aab674c1dd973fee723.1514378558.git.dvyukov@google.com Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I9bbb41f6d0eb6bdcd8811a32d22565aac84296ee Bug: 128674696 |
||
Alexander Potapenko
|
b31daa8964 |
UPSTREAM: kasan: add functions for unpoisoning stack variables
Upstream commit d321599cf6b861beefe92327476b617435c7fc4a. As a code-size optimization, LLVM builds since r279383 may bulk-manipulate the shadow region when (un)poisoning large memory blocks. This requires new callbacks that simply do an uninstrumented memset(). This fixes linking the Clang-built kernel when using KASAN. [arnd@arndb.de: add declarations for internal functions] Link: http://lkml.kernel.org/r/20180105094112.2690475-1-arnd@arndb.de [fengguang.wu@intel.com: __asan_set_shadow_00 can be static] Link: http://lkml.kernel.org/r/20171223125943.GA74341@lkp-ib03 [ghackmann@google.com: fix memset() parameters, and tweak commit message to describe new callbacks] Link: http://lkml.kernel.org/r/20171204191735.132544-6-paullawrence@google.com Signed-off-by: Alexander Potapenko <glider@google.com> Signed-off-by: Greg Hackmann <ghackmann@google.com> Signed-off-by: Paul Lawrence <paullawrence@google.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Masahiro Yamada <yamada.masahiro@socionext.com> Cc: Matthias Kaehlcke <mka@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I0d42489c6b9cfb42251f7c348d2f8fca6033a39e Bug: 128674696 |
||
Paul Lawrence
|
86eab9d124 |
UPSTREAM: kasan: support alloca() poisoning
Upstream commit 342061ee4ef3d80001d1ae494378f3979c861dba. clang's AddressSanitizer implementation adds redzones on either side of alloca()ed buffers. These redzones are 32-byte aligned and at least 32 bytes long. __asan_alloca_poison() is passed the size and address of the allocated buffer, *excluding* the redzones on either side. The left redzone will always be to the immediate left of this buffer; but AddressSanitizer may need to add padding between the end of the buffer and the right redzone. If there are any 8-byte chunks inside this padding, we should poison those too. __asan_allocas_unpoison() is just passed the top and bottom of the dynamic stack area, so unpoisoning is simpler. Link: http://lkml.kernel.org/r/20171204191735.132544-4-paullawrence@google.com Signed-off-by: Greg Hackmann <ghackmann@google.com> Signed-off-by: Paul Lawrence <paullawrence@google.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Masahiro Yamada <yamada.masahiro@socionext.com> Cc: Matthias Kaehlcke <mka@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Change-Id: I5b411d4fdac9b6706721baf1eedd31853268784f Bug: 128674696 |
||
|
Blagovest Kolenichev
|
313f4c9c8f |
Merge android-4.14.109 (80571db) into msm-4.14
* refs/heads/tmp-80571db: Revert "ANDROID: input: keychord: Add keychord driver" Revert "ANDROID: input: keychord: log when keychord triggered" Revert "ANDROID: input: keychord: Fix a slab out-of-bounds read." Revert "ANDROID: input: keychord: Fix races in keychord_write." Revert "ANDROID: input: keychord: Fix for a memory leak in keychord." ANDROID: drop CONFIG_INPUT_KEYCHORD from cuttlefish UPSTREAM: filemap: add a comment about FAULT_FLAG_RETRY_NOWAIT behavior BACKPORT: filemap: drop the mmap_sem for all blocking operations BACKPORT: filemap: kill page_cache_read usage in filemap_fault UPSTREAM: filemap: pass vm_fault to the mmap ra helpers ANDROID: Remove Android paranoid check for socket creation BACKPORT: mm/debug.c: provide useful debugging information for VM_BUG UPSTREAM: x86/alternative: Print unadorned pointers UPSTREAM: trace_uprobe: Display correct offset in uprobe_events UPSTREAM: usercopy: Remove pointer from overflow report UPSTREAM: Do not hash userspace addresses in fault handlers UPSTREAM: mm/slab.c: do not hash pointers when debugging slab UPSTREAM: kasan: use %px to print addresses instead of %p UPSTREAM: vsprintf: add printk specifier %px UPSTREAM: printk: hash addresses printed with %p UPSTREAM: vsprintf: refactor %pK code out of pointer() UPSTREAM: docs: correct documentation for %pK ANDROID: binder: remove extra declaration left after backport FROMGIT: binder: fix BUG_ON found by selinux-testsuite Linux 4.14.109 ath10k: avoid possible string overflow power: supply: charger-manager: Fix incorrect return value pwm-backlight: Enable/disable the PWM before/after LCD enable toggle. sched/cpufreq/schedutil: Fix error path mutex unlock rtc: Fix overflow when converting time64_t to rtc_time PCI: endpoint: Use EPC's device in dma_alloc_coherent()/dma_free_coherent() PCI: designware-ep: Read-only registers need DBI_RO_WR_EN to be writable PCI: designware-ep: dw_pcie_ep_set_msi() should only set MMC bits scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 USB: core: only clean up what we allocated lib/int_sqrt: optimize small argument ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec ALSA: hda - Record the current power state before suspend/resume calls locking/lockdep: Add debug_locks check in __lock_downgrade() x86/unwind: Add hardcoded ORC entry for NULL x86/unwind: Handle NULL pointer calls better in frame unwinder netfilter: ebtables: remove BUGPRINT messages drm: Reorder set_property_atomic to avoid returning with an active ww_ctx Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() Bluetooth: hci_ldisc: Initialize hci_dev before open() Bluetooth: Fix decrementing reference count twice in releasing socket Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf() media: v4l2-ctrls.c/uvc: zero v4l2_event ext4: brelse all indirect buffer in ext4_ind_remove_space() ext4: fix data corruption caused by unaligned direct AIO ext4: fix NULL pointer dereference while journal is aborted ALSA: x86: Fix runtime PM for hdmi-lpe-audio objtool: Move objtool_file struct off the stack perf probe: Fix getting the kernel map futex: Ensure that futex address is aligned in handle_futex_death() scsi: ibmvscsi: Fix empty event pool access during host removal scsi: ibmvscsi: Protect ibmvscsi_head from concurrent modificaiton MIPS: Fix kernel crash for R6 in jump label branch function MIPS: Ensure ELF appended dtb is relocated mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction. udf: Fix crash on IO error during truncate libceph: wait for latest osdmap in ceph_monc_blacklist_add() iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE drm/vmwgfx: Don't double-free the mode stored in par->set_mode mmc: pxamci: fix enum type confusion ANDROID: dm-bow: Fix 32 bit compile errors ANDROID: Add dm-bow to cuttlefish configuration UPSTREAM: binder: fix handling of misaligned binder object UPSTREAM: binder: fix sparse issue in binder_alloc_selftest.c BACKPORT: binder: use userspace pointer as base of buffer space UPSTREAM: binder: fix kerneldoc header for struct binder_buffer BACKPORT: binder: remove user_buffer_offset UPSTREAM: binder: remove kernel vm_area for buffer space UPSTREAM: binder: avoid kernel vm_area for buffer fixups BACKPORT: binder: add function to copy binder object from buffer BACKPORT: binder: add functions to copy to/from binder buffers UPSTREAM: binder: create userspace-to-binder-buffer copy function ANDROID: dm-bow: backport to 4.14 ANDROID: dm-bow: Add dm-bow feature f2fs: set pin_file under CAP_SYS_ADMIN f2fs: fix to avoid deadlock in f2fs_read_inline_dir() f2fs: fix to adapt small inline xattr space in __find_inline_xattr() f2fs: fix to do sanity check with inode.i_inline_xattr_size f2fs: give some messages for inline_xattr_size f2fs: don't trigger read IO for beyond EOF page f2fs: fix to add refcount once page is tagged PG_private f2fs: remove wrong comment in f2fs_invalidate_page() f2fs: fix to use kvfree instead of kzfree f2fs: print more parameters in trace_f2fs_map_blocks f2fs: trace f2fs_ioc_shutdown f2fs: fix to avoid deadlock of atomic file operations f2fs: fix to dirty inode for i_mode recovery f2fs: give random value to i_generation f2fs: no need to take page lock in readdir f2fs: fix to update iostat correctly in IPU path f2fs: fix encrypted page memory leak f2fs: make fault injection covering __submit_flush_wait() f2fs: fix to retry fill_super only if recovery failed f2fs: silence VM_WARN_ON_ONCE in mempool_alloc f2fs: correct spelling mistake f2fs: fix wrong #endif f2fs: don't clear CP_QUOTA_NEED_FSCK_FLAG f2fs: don't allow negative ->write_io_size_bits f2fs: fix to check inline_xattr_size boundary correctly Revert "f2fs: fix to avoid deadlock of atomic file operations" Revert "f2fs: fix to check inline_xattr_size boundary correctly" f2fs: do not use mutex lock in atomic context f2fs: fix potential data inconsistence of checkpoint f2fs: fix to avoid deadlock of atomic file operations f2fs: fix to check inline_xattr_size boundary correctly f2fs: jump to label 'free_node_inode' when failing from d_make_root() f2fs: fix to document inline_xattr_size option f2fs: fix to data block override node segment by mistake f2fs: fix typos in code comments f2fs: use xattr_prefix to wrap up f2fs: sync filesystem after roll-forward recovery f2fs: flush quota blocks after turnning it off f2fs: avoid null pointer exception in dcc_info f2fs: don't wake up too frequently, if there is lots of IOs f2fs: try to keep CP_TRIMMED_FLAG after successful umount f2fs: add quick mode of checkpoint=disable for QA f2fs: run discard jobs when put_super f2fs: fix to set sbi dirty correctly f2fs: fix to initialize variable to avoid UBSAN/smatch warning f2fs: UBSAN: set boolean value iostat_enable correctly f2fs: add brackets for macros f2fs: check if file namelen exceeds max value f2fs: fix to trigger fsck if dirent.name_len is zero f2fs: no need to check return value of debugfs_create functions f2fs: export FS_NOCOW_FL flag to user f2fs: check inject_rate validity during configuring f2fs: remove set but not used variable 'err' f2fs: fix compile warnings: 'struct *' declared inside parameter list f2fs: change error code to -ENOMEM from -EINVAL Conflicts: drivers/md/Makefile mm/filemap.c net/ipv4/af_inet.c Change-Id: Id050d9a819404a8af08f83bf7fcc5c5536980fe9 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
Tobin C. Harding
|
6ea6d8b105 |
UPSTREAM: kasan: use %px to print addresses instead of %p
Pointers printed with %p are now hashed by default. Kasan needs the actual address. We can use the new printk specifier %px for this purpose. Use %px instead of %p to print addresses. Signed-off-by: Tobin C. Harding <me@tobin.cc> (cherry picked from commit 6424f6bb432752c7eb90cbeeb1c31d6125bba39a) Signed-off-by: Sandeep Patil <sspatil@android.com> Bug: 78533979 Test: Build and boot cuttlefish Change-Id: I8059d086c2cb2ec8ca01520acb2227335330e067 |
||
|
Blagovest Kolenichev
|
da15d88574 |
Merge android-4.14-p.67 (75ac55a) into msm-4.14
* refs/heads/tmp-75ac55a: Linux 4.14.67 reiserfs: fix broken xattr handling (heap corruption, bad retval) i2c: imx: Fix race condition in dma read i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes PCI: pciehp: Fix unprotected list iteration in IRQ handler PCI: pciehp: Fix use-after-free on unplug PCI: Skip MPS logic for Virtual Functions (VFs) PCI: hotplug: Don't leak pci_slot on registration failure parisc: Remove unnecessary barriers from spinlock.h net/smc: no shutdown in state SMC_LISTEN packet: refine ring v3 block size test to hold one frame netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state xfrm_user: prevent leaking 2 bytes of kernel memory parisc: Remove ordered stores from syscall.S f2fs: sanity check for total valid node blocks f2fs: return error during fill_super KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer nvme: fix handling of metadata_len for NVME_IOCTL_IO_CMD ARM: dts: imx6: RDU2: fix irq type for mv88e6xxx switch ACPI / EC: Use ec_no_wakeup on more Thinkpad X1 Carbon 6th systems soc: imx: gpc: restrict register range for regmap access tcp: identify cryptic messages as TCP seq # bugs net: qca_spi: Fix log level if probe fails net: qca_spi: Make sure the QCA7000 reset is triggered net: qca_spi: Avoid packet drop during initial sync PCI: versatile: Fix I/O space page leak PCI: OF: Fix I/O space page leak kvmclock: fix TSC calibration for nested guests net: usb: rtl8150: demote allmulti message to dev_dbg() octeon_mgmt: Fix MIX registers configuration on MTU setup btrfs: scrub: Don't use inode page cache in scrub_handle_errored_block() ibmvnic: Fix error recovery on login failure net/ethernet/freescale/fman: fix cross-build error hv/netvsc: fix handling of fallback to single queue mode drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() pinctrl: nsp: Fix potential NULL dereference pinctrl: nsp: off by ones in nsp_pinmux_enable() pinctrl: ingenic: Fix inverted direction for < JZ4770 tcp: remove DELAYED ACK events in DCTCP qlogic: check kstrtoul() for errors packet: reset network header if packet shorter than ll reserved space kbuild: suppress warnings from 'getconf LFS_*' tools: build: Use HOSTLDFLAGS with fixdep ixgbe: Be more careful when modifying MAC filters ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of BTB) for secondary cores ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path nfit: fix unchecked dereference in acpi_nfit_ctl perf script python: Fix dict reference counting perf tools: Fix compilation errors on gcc8 perf llvm-utils: Remove bashism from kernel include fetch script scsi: qedi: Send driver state to MFW scsi: qedf: Send the driver state to MFW bnxt_en: Fix for system hang if request_irq fails bnxt_en: Always set output parameters in bnxt_get_max_rings(). bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic. ARC: Improve cmpxchg syscall implementation netfilter: nf_conntrack: Fix possible possible crash on module loading. netfilter: nft_compat: explicitly reject ERROR and standard target drm/armada: fix irq handling drm/armada: fix colorkey mode property drm/tegra: Fix comparison operator for buffer size gpu: host1x: Check whether size of unpin isn't 0 ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem ieee802154: at86rf230: use __func__ macro for debug messages ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem nvmem: Don't let a NULL cell_id for nvmem_cell_get() crash us net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used ARM: pxa: irq: fix handling of ICMR registers in suspend/resume ravb: fix invalid context bug while changing link options by ethtool ravb: fix invalid context bug while calling auto-negotiation by ethtool sh_eth: fix invalid context bug while changing link options by ethtool sh_eth: fix invalid context bug while calling auto-negotiation by ethtool net: qrtr: Broadcast messages only from control port ipv6: make ipv6_renew_options() interrupt/kernel safe netfilter: x_tables: set module owner for icmp(6) matches ieee802154: 6lowpan: set IFLA_LINK samples/bpf: Check the error of write() and read() samples/bpf: Check the result of system() samples/bpf: add missing <linux/if_vlan.h> drm/bridge/sii8620: Fix display of packed pixel modes smsc75xx: Add workaround for gigabit link up hardware errata. kasan: fix shadow_size calculation error in kasan_module_alloc tracing: Use __printf markup to silence compiler bpf: hash map: decrement counter on error ARM: imx_v4_v5_defconfig: Select ULPI support ARM: imx_v6_v7_defconfig: Select ULPI support HID: wacom: Correct touch maximum XY of 2nd-gen Intuos x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all() drm/amdgpu: fix swapped emit_ib_size in vce3 ipvlan: call dev_change_flags when ipvlan mode is reset objtool: Support GCC 8 '-fnoreorder-functions' m68k: fix "bad page state" oops on ColdFire boot openrisc: entry: Fix delay slot exception detection acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value dpaa_eth: DPAA SGT needs to be 256B fsl/fman: fix parser reporting bad checksum on short frames bnx2x: Fix receiving tx-timeout in error or recovery state. PCI: faraday: Add missing of_node_put() PCI: xilinx-nwl: Add missing of_node_put() PCI: xilinx: Add missing of_node_put() bpf, s390: fix potential memleak when later bpf_jit_prog fails drbd: Fix drbd_request_prepare() discard handling drm/exynos: decon5433: Fix WINCONx reset value drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes nl80211: check nla_parse_nested() return values nl80211: relax ht operation checks for mesh dev-dax: check_vma: ratelimit dev_info-s md/raid10: fix that replacement cannot complete recovery after reassemble ath10k: update the phymode along with bandwidth change request dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() dmaengine: pl330: report BURST residue granularity ARM64: dts: meson-gxl: fix Mali GPU compatible string ARM: dts: da850: Fix interrups property for gpio selftests/x86/sigreturn: Do minor cleanups selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs nfp: cast sizeof() to int when comparing with error code net/mlx5: E-Switch, Disallow vlan/spoofcheck setup if not being esw manager ceph: fix dentry leak in splice_dentry() netfilter: nf_log: fix uninit read in nf_log_proc_dostring ARM: davinci: board-da850-evm: fix WP pin polarity for MMC/SD perf bench: Fix numa report output code perf tools: Fix a clang 7.0 compilation error perf report powerpc: Fix crash if callchain is empty perf test session topology: Fix test on s390 perf record: Support s390 random socket_id assignment kconfig: fix line numbers for if-entries in menu tree typec: tcpm: Fix a msecs vs jiffies bug NFC: pn533: Fix wrong GFP flag usage usb: xhci: increase CRS timeout value usb: xhci: remove the code build warning ALSA: seq: Fix UBSAN warning at SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT ioctl ARM: dts: am437x: make edt-ft5x06 a wakeup source brcmfmac: stop watchdog before detach and free everything iio: pressure: bmp280: fix relative humidity unit cxgb4: when disabling dcb set txq dcb priority to 0 batman-adv: Fix multicast TT issues with bogus ROAM flags batman-adv: Avoid storing non-TT-sync flags on singular entries too batman-adv: Fix bat_v best gw refcnt after netlink dump batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump arm64: dts: msm8916: fix Coresight ETF graph connections Smack: Mark inode instant in smack_task_to_inode ipv6: mcast: fix unsolicited report interval after receiving querys x86/microcode/intel: Fix memleak in save_microcode_patch() mtd: dataflash: Use ULL suffix for 64-bit constants selftests: bpf: notification about privilege required to run test_kmod.sh testing script locking/lockdep: Do not record IRQ state within lockdep code drm/bridge/sii8620: fix display of packed pixel modes in MHL2 KVM: arm/arm64: Drop resource size check for GICV window sctp: fix erroneous inc of snmp SctpFragUsrMsgs net: davinci_emac: match the mdio device against its compatible if possible nbd: Add the nbd NBD_DISCONNECT_ON_CLOSE config flag. ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP block: sed-opal: Fix a couple off by one bugs nvmet: reset keep alive timer in controller enable net: stmmac: socfpga: add additional ocp reset line for Stratix10 net: propagate dev_get_valid_name return code net: hamradio: use eth_broadcast_addr enic: initialize enic->rfs_h.lock in enic_probe qed: Do not advertise DCBX_LLD_MANAGED capability. qed: Add sanity check for SIMD fastpath handler. qed: Fix possible memory leak in Rx error path handling. arm64: make secondary_start_kernel() notrace arm64: dma-mapping: clear buffers allocated with FORCE_CONTIGUOUS flag xen/scsiback: add error handling for xenbus_printf scsi: xen-scsifront: add error handling for xenbus_printf pNFS: Always free the session slot on error in nfs4_layoutget_handle_exception xen: add error handling for xenbus_printf dwc2: gadget: Fix ISOC IN DDMA PID bitfield value calculation usb: gadget: dwc2: fix memory leak in gadget_init() usb: gadget: composite: fix delayed_status race condition when set_interface usb: dwc2: fix isoc split in transfer with no data usb: dwc2: alloc dma aligned buffer for isoc split in libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store() IB/rxe: Fix missing completion for mem_reg work requests drm/arm/malidp: Preserve LAYER_FORMAT contents when setting format drm: mali-dp: Enable Global SE interrupts mask for DP500 drivers/perf: xgene_pmu: Fix IOB SLOW PMU parser error arm64: dts: Stingray: Fix I2C controller interrupt type arm64: dts: ns2: Fix PCIe controller interrupt type arm64: dts: ns2: Fix I2C controller interrupt type arm64: dts: specify 1.8V EMMC capabilities for bcm958742t arm64: dts: specify 1.8V EMMC capabilities for bcm958742k ARM: dts: Cygnus: Fix PCIe controller interrupt type ARM: dts: Cygnus: Fix I2C controller interrupt type ARM: dts: BCM5301x: Fix i2c controller interrupt type ARM: dts: NSP: Fix PCIe controllers interrupt types ARM: dts: NSP: Fix i2c controller interrupt type selftests: sync: add config fragment for testing sync framework selftests: vm: return Kselftest Skip code for skipped tests selftests: zram: return Kselftest Skip code for skipped tests selftests: user: return Kselftest Skip code for skipped tests selftests: sysctl: return Kselftest Skip code for skipped tests selftests: static_keys: return Kselftest Skip code for skipped tests selftests: pstore: return Kselftest Skip code for skipped tests netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister netfilter: ipv6: nf_defrag: reduce struct net memory waste ACPI / EC: Use ec_no_wakeup on Thinkpad X1 Carbon 6th usb: dwc3: of-simple: fix use-after-free on remove usb: dwc2: gadget: Fix issue in dwc2_gadget_start_isoc() usb: gadget: ffs: Fix BUG when userland exits with submitted AIO transfers usb: dwc3: pci: add support for Intel IceLake soc: imx: gpcv2: correct PGC offset hwmon: (nct6775) Fix loop limit ARC: Explicitly add -mmedium-calls to CFLAGS drm/bridge/sii8620: fix potential buffer overflow drm/bridge/sii8620: fix loops in EDID fetch logic IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' Input: synaptics-rmi4 - fix axis-swap behavior perf tools: Fix error index for pmu event parser vfio: ccw: fix error return in vfio_ccw_sch_event arm: dts: armada: Fix "#cooling-cells" property's name pty: fix O_CLOEXEC for TIOCGPTPEER EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[] drm/i915/kvmgt: Fix potential Spectre v1 ext4: fix spectre gadget in ext4_mb_regular_allocator() Conflicts: drivers/usb/gadget/function/f_fs.c net/qrtr/qrtr.c Change-Id: I52226cb0e1405455b7e11255f1620d5e5fdfe916 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
Zhen Lei
|
6e7084e2c3 |
kasan: fix shadow_size calculation error in kasan_module_alloc
[ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ]
There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1]. The
operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the
roundup operation can not retrieve the missed one page. For example:
size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
shadow_size=0x5000, but actually we need 6 pages.
shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);
This can lead to a kernel crash when kasan is enabled and the value of
mod->core_layout.size or mod->init_layout.size is like above. Because
the shadow memory of X has not been allocated and mapped.
move_module:
ptr = module_alloc(mod->core_layout.size);
...
memset(ptr, 0, mod->core_layout.size); //crashed
Unable to handle kernel paging request at virtual address ffff0fffff97b000
......
Call trace:
__asan_storeN+0x174/0x1a8
memset+0x24/0x48
layout_and_allocate+0xcd8/0x1800
load_module+0x190/0x23e8
SyS_finit_module+0x148/0x180
Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Reviewed-by: Dmitriy Vyukov <dvyukov@google.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Libin <huawei.libin@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|