Re: [PATCH 03/11] fs: don't allow splice read/write without explicit ops
On Tue, Aug 18, 2020 at 09:54:46PM +0200, Christoph Hellwig wrote: > On Tue, Aug 18, 2020 at 12:39:34PM -0700, Kees Cook wrote: > > On Mon, Aug 17, 2020 at 09:32:04AM +0200, Christoph Hellwig wrote: > > > default_file_splice_write is the last piece of generic code that uses > > > set_fs to make the uaccess routines operate on kernel pointers. It > > > implements a "fallback loop" for splicing from files that do not actually > > > provide a proper splice_read method. The usual file systems and other > > > high bandwith instances all provide a ->splice_read, so this just removes > > > support for various device drivers and procfs/debugfs files. If splice > > > support for any of those turns out to be important it can be added back > > > by switching them to the iter ops and using generic_file_splice_read. > > > > > > Signed-off-by: Christoph Hellwig > > > > This seems a bit disruptive? I feel like this is going to make fuzzers > > really noisy (e.g. trinity likes to splice random stuff out of /sys and > > /proc). > > Noisy in the sence of triggering the pr_debug or because they can't > handle -EINVAL? Well, maybe both? I doubt much _expects_ to be using splice, so I'm fine with that, but it seems weird not to have a fall-back, especially if something would like to splice a file out of there. But, I'm not opposed to the change, it just seems like it might cause pain down the road. -- Kees Cook
Re: [PATCH 09/11] x86: remove address space overrides using set_fs()
On Mon, Aug 17, 2020 at 09:32:10AM +0200, Christoph Hellwig wrote: > Stop providing the possibility to override the address space using > set_fs() now that there is no need for that any more. To properly > handle the TASK_SIZE_MAX checking for 4 vs 5-level page tables on > x86 a new alternative is introduced, which just like the one in > entry_64.S has to use the hardcoded virtual address bits to escape > the fact that TASK_SIZE_MAX isn't actually a constant when 5-level > page tables are enabled. > > Signed-off-by: Christoph Hellwig Awesome. :) Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 08/11] x86: make TASK_SIZE_MAX usable from assembly code
On Mon, Aug 17, 2020 at 09:32:09AM +0200, Christoph Hellwig wrote: > For 64-bit the only hing missing was a strategic _AC, and for 32-bit we typo: thing > need to use __PAGE_OFFSET instead of PAGE_OFFSET in the TASK_SIZE > definition to escape the explicit unsigned long cast. This just works > because __PAGE_OFFSET is defined using _AC itself and thus never needs > the cast anyway. Shouldn't this be folded into the prior patch so there's no bisection problem? -Kees > > Signed-off-by: Christoph Hellwig > --- > arch/x86/include/asm/page_32_types.h | 4 ++-- > arch/x86/include/asm/page_64_types.h | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/include/asm/page_32_types.h > b/arch/x86/include/asm/page_32_types.h > index 26236925fb2c36..f462895a33e452 100644 > --- a/arch/x86/include/asm/page_32_types.h > +++ b/arch/x86/include/asm/page_32_types.h > @@ -44,8 +44,8 @@ > /* > * User space process size: 3GB (default). > */ > -#define IA32_PAGE_OFFSET PAGE_OFFSET > -#define TASK_SIZEPAGE_OFFSET > +#define IA32_PAGE_OFFSET __PAGE_OFFSET > +#define TASK_SIZE__PAGE_OFFSET > #define TASK_SIZE_LOWTASK_SIZE > #define TASK_SIZE_MAXTASK_SIZE > #define DEFAULT_MAP_WINDOW TASK_SIZE > diff --git a/arch/x86/include/asm/page_64_types.h > b/arch/x86/include/asm/page_64_types.h > index 996595c9897e0a..838515daf87b36 100644 > --- a/arch/x86/include/asm/page_64_types.h > +++ b/arch/x86/include/asm/page_64_types.h > @@ -76,7 +76,7 @@ > * > * With page table isolation enabled, we map the LDT in ... [stay tuned] > */ > -#define TASK_SIZE_MAX((1UL << __VIRTUAL_MASK_SHIFT) - PAGE_SIZE) > +#define TASK_SIZE_MAX((_AC(1,UL) << __VIRTUAL_MASK_SHIFT) - > PAGE_SIZE) > > #define DEFAULT_MAP_WINDOW ((1UL << 47) - PAGE_SIZE) > > -- > 2.28.0 > -- Kees Cook
Re: [PATCH 05/11] test_bitmap: skip user bitmap tests for !CONFIG_SET_FS
On Mon, Aug 17, 2020 at 09:32:06AM +0200, Christoph Hellwig wrote: > We can't run the tests for userspace bitmap parsing if set_fs() doesn't > exist. > > Signed-off-by: Christoph Hellwig Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 04/11] uaccess: add infrastructure for kernel builds with set_fs()
On Mon, Aug 17, 2020 at 09:32:05AM +0200, Christoph Hellwig wrote: > Add a CONFIG_SET_FS option that is selected by architecturess that > implement set_fs, which is all of them initially. If the option is not > set stubs for routines related to overriding the address space are > provided so that architectures can start to opt out of providing set_fs. > > Signed-off-by: Christoph Hellwig Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 03/11] fs: don't allow splice read/write without explicit ops
On Mon, Aug 17, 2020 at 09:32:04AM +0200, Christoph Hellwig wrote: > default_file_splice_write is the last piece of generic code that uses > set_fs to make the uaccess routines operate on kernel pointers. It > implements a "fallback loop" for splicing from files that do not actually > provide a proper splice_read method. The usual file systems and other > high bandwith instances all provide a ->splice_read, so this just removes > support for various device drivers and procfs/debugfs files. If splice > support for any of those turns out to be important it can be added back > by switching them to the iter ops and using generic_file_splice_read. > > Signed-off-by: Christoph Hellwig This seems a bit disruptive? I feel like this is going to make fuzzers really noisy (e.g. trinity likes to splice random stuff out of /sys and /proc). Conceptually, though: Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 02/11] fs: don't allow kernel reads and writes without iter ops
On Mon, Aug 17, 2020 at 09:32:03AM +0200, Christoph Hellwig wrote: > Don't allow calling ->read or ->write with set_fs as a preparation for > killing off set_fs. All the instances that we use kernel_read/write on > are using the iter ops already. > > If a file has both the regular ->read/->write methods and the iter > variants those could have different semantics for messed up enough > drivers. Also fails the kernel access to them in that case. > > Signed-off-by: Christoph Hellwig Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 01/11] mem: remove duplicate ops for /dev/zero and /dev/null
On Mon, Aug 17, 2020 at 09:32:02AM +0200, Christoph Hellwig wrote: > There is no good reason to implement both the traditional ->read and > ->write as well as the iter based ops. So implement just the iter > based ones. > > Suggested-by: Al Viro > Signed-off-by: Christoph Hellwig Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 06/11] lkdtm: disable set_fs-based tests for !CONFIG_SET_FS
On Mon, Aug 17, 2020 at 09:32:07AM +0200, Christoph Hellwig wrote:
> Once we can't manipulate the address limit, we also can't test what
> happens when the manipulation is abused.
>
> Signed-off-by: Christoph Hellwig
> ---
> drivers/misc/lkdtm/bugs.c | 2 ++
> drivers/misc/lkdtm/core.c | 4
> drivers/misc/lkdtm/usercopy.c | 2 ++
> 3 files changed, 8 insertions(+)
>
> diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
> index 4dfbfd51bdf774..66f1800b1cb82d 100644
> --- a/drivers/misc/lkdtm/bugs.c
> +++ b/drivers/misc/lkdtm/bugs.c
> @@ -312,6 +312,7 @@ void lkdtm_CORRUPT_LIST_DEL(void)
> pr_err("list_del() corruption not detected!\n");
> }
>
> +#ifdef CONFIG_SET_FS
> /* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */
> void lkdtm_CORRUPT_USER_DS(void)
> {
> @@ -321,6 +322,7 @@ void lkdtm_CORRUPT_USER_DS(void)
> /* Make sure we do not keep running with a KERNEL_DS! */
> force_sig(SIGKILL);
> }
> +#endif
Please let the test defined, but it should XFAIL with a message about
the CONFIG (see similar ifdefs in lkdtm).
> /* Test that VMAP_STACK is actually allocating with a leading guard page */
> void lkdtm_STACK_GUARD_PAGE_LEADING(void)
> diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
> index a5e344df916632..aae08b33a7ee2a 100644
> --- a/drivers/misc/lkdtm/core.c
> +++ b/drivers/misc/lkdtm/core.c
> @@ -112,7 +112,9 @@ static const struct crashtype crashtypes[] = {
> CRASHTYPE(CORRUPT_STACK_STRONG),
> CRASHTYPE(CORRUPT_LIST_ADD),
> CRASHTYPE(CORRUPT_LIST_DEL),
> +#ifdef CONFIG_SET_FS
> CRASHTYPE(CORRUPT_USER_DS),
> +#endif
> CRASHTYPE(STACK_GUARD_PAGE_LEADING),
> CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
> CRASHTYPE(UNSET_SMEP),
> @@ -172,7 +174,9 @@ static const struct crashtype crashtypes[] = {
> CRASHTYPE(USERCOPY_STACK_FRAME_FROM),
> CRASHTYPE(USERCOPY_STACK_BEYOND),
> CRASHTYPE(USERCOPY_KERNEL),
> +#ifdef CONFIG_SET_FS
> CRASHTYPE(USERCOPY_KERNEL_DS),
> +#endif
> CRASHTYPE(STACKLEAK_ERASING),
> CRASHTYPE(CFI_FORWARD_PROTO),
Then none of these are needed.
> #ifdef CONFIG_X86_32
Hmpf, this ifdef was missed in ae56942c1474 ("lkdtm: Make arch-specific
tests always available"). I will fix that.
> diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c
> index b833367a45d053..4b632fe79ab6bb 100644
> --- a/drivers/misc/lkdtm/usercopy.c
> +++ b/drivers/misc/lkdtm/usercopy.c
> @@ -325,6 +325,7 @@ void lkdtm_USERCOPY_KERNEL(void)
> vm_munmap(user_addr, PAGE_SIZE);
> }
>
> +#ifdef CONFIG_SET_FS
> void lkdtm_USERCOPY_KERNEL_DS(void)
> {
> char __user *user_ptr =
> @@ -339,6 +340,7 @@ void lkdtm_USERCOPY_KERNEL_DS(void)
> pr_err("copy_to_user() to noncanonical address succeeded!?\n");
> set_fs(old_fs);
> }
> +#endif
(Same here, please.)
>
> void __init lkdtm_usercopy_init(void)
> {
> --
> 2.28.0
>
--
Kees Cook
Re: [PATCH 07/11] x86: move PAGE_OFFSET, TASK_SIZE & friends to page_{32,64}_types.h
On Mon, Aug 17, 2020 at 09:32:08AM +0200, Christoph Hellwig wrote: > At least for 64-bit this moves them closer to some of the defines > they are based on, and it prepares for using the TASK_SIZE_MAX > definition from assembly. > > Signed-off-by: Christoph Hellwig Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 0/8] scsi: convert tasklets to use new tasklet_setup()
On Mon, Aug 17, 2020 at 07:41:58AM -0700, James Bottomley wrote:
> On Mon, 2020-08-17 at 14:24 +0530, Allen Pais wrote:
> > From: Allen Pais
> >
> > Commit 12cc923f1ccc ("tasklet: Introduce new initialization API")'
> > introduced a new tasklet initialization API. This series converts
> > all the scsi drivers to use the new tasklet_setup() API
>
> I've got to say I agree with Jens, this was a silly obfuscation:
>
> +#define from_tasklet(var, callback_tasklet, tasklet_fieldname) \
> + container_of(callback_tasklet, typeof(*var), tasklet_fieldname)
>
> Just use container_of directly since we all understand what it does.
But then the lines get really long, wrapped, etc. This is what the
timer_struct conversion did too (added a container_of wrapper), so I
think it makes sense here too.
--
Kees Cook
Re: [Latest Git kernel/Linux-next kernel] Xorg doesn't start after the seccomp updates v5.9-rc1
On Fri, Aug 07, 2020 at 04:45:14PM +0200, Christian Zigotzky wrote: > But Xorg works on Ubuntu 10.04.4 (PowerPC 32-bit), openSUSE Tumbleweed > 20190722 PPC64 and on Fedora 27 PPC64 with the latest Git kernel. > > I bisected today [4]. > > Result: net/scm: Regularize compat handling of scm_detach_fds() > (c0029de50982c1fb215330a5f9d433cec0cfd8cc) [5] is the first bad commit. > > This commit has been merged with the seccomp updates v5.9-rc1 on 2020-08-04 > 14:11:08 -0700 [1]. Since these updates, Xorg doesn't start anymore on some > Linux distributions. Hi! Thanks for bisecting; yes, sorry for the trouble (I'm still trying to understand why my compat tests _passed_...). Regardless, can you try this patch: https://lore.kernel.org/lkml/20200807173609.GJ4402@mussarela/ -- Kees Cook
Re: [PATCH v2 5/5] powerpc: Add LKDTM test to hijack a patch mapping
wake_up_process(patching_kthrd);
> +
> + addr = offset_in_page(patch_site) |
> read_cpu_patching_addr(patching_cpu);
> +
> + pr_info("starting hijacker_cpu=%d\n", hijacker_cpu);
> + for (attempts = 0; attempts < 10; ++attempts) {
> + /* Use __put_user to catch faults without an Oops */
> + hijacked = !__put_user(0xbad00bad, (unsigned int *)addr);
> +
> + if (hijacked) {
> + if (kthread_stop(patching_kthrd))
> + goto out;
> + break;
> + }
> + }
> + pr_info("hijack attempts: %d\n", attempts);
> +
> + if (hijacked) {
> + if (*(unsigned int *)READ_ONCE(patch_site) == 0xbad00bad)
> + pr_err("overwrote kernel text\n");
> + /*
> + * There are window conditions where the hijacker cpu manages to
> + * write to the patch site but the site gets overwritten again
> by
> + * the patching cpu. We still consider that a "successful"
> hijack
> + * since the hijacker cpu did not fault on the write.
> + */
> + pr_err("FAIL: wrote to another cpu's patching area\n");
> + } else {
> + kthread_stop(patching_kthrd);
> + }
> +
> +out:
> + /* Restore the original insn for any future lkdtm tests */
> + patch_instruction(patch_site, original_insn);
Can this test be done for x86's instruction patching too?
> +}
> +
> +#else
> +
> +void lkdtm_HIJACK_PATCH(void)
> +{
> + if (!IS_ENABLED(CONFIG_PPC))
> + pr_err("XFAIL: this test is powerpc-only\n");
> + if (!IS_ENABLED(CONFIG_STRICT_KERNEL_RWX))
> + pr_err("XFAIL: this test requires CONFIG_STRICT_KERNEL_RWX\n");
> +}
> +
> +#endif /* CONFIG_PPC && CONFIG_STRICT_KERNEL_RWX */
> +
> void __init lkdtm_perms_init(void)
> {
> /* Make sure we can write to __ro_after_init values during __init */
> --
> 2.27.0
Otherwise, looks good!
--
Kees Cook
Re: [PATCH v5 06/12] arch: xtensa: add linker section for KUnit test suites
On Fri, Jun 26, 2020 at 02:09:11PM -0700, Brendan Higgins wrote: > Add a linker section to xtensa where KUnit can put references to its > test suites. This patch is an early step in transitioning to dispatching > all KUnit tests from a centralized executor rather than having each as > its own separate late_initcall. > > Signed-off-by: Brendan Higgins > --- > arch/xtensa/kernel/vmlinux.lds.S | 4 If you ever find yourself modifying multiple arch linker scripts for a series, something has gone wrong. ;) -- Kees Cook
Re: [PATCH v5 01/12] vmlinux.lds.h: add linker section for KUnit test suites
On Fri, Jun 26, 2020 at 02:09:06PM -0700, Brendan Higgins wrote: > Add a linker section where KUnit can put references to its test suites. > This patch is the first step in transitioning to dispatching all KUnit > tests from a centralized executor rather than having each as its own > separate late_initcall. > > Co-developed-by: Iurii Zaikin > Signed-off-by: Iurii Zaikin > Signed-off-by: Brendan Higgins > Reviewed-by: Stephen Boyd > --- > include/asm-generic/vmlinux.lds.h | 8 > 1 file changed, 8 insertions(+) > > diff --git a/include/asm-generic/vmlinux.lds.h > b/include/asm-generic/vmlinux.lds.h > index db600ef218d7d..4f9b036fc9616 100644 > --- a/include/asm-generic/vmlinux.lds.h > +++ b/include/asm-generic/vmlinux.lds.h > @@ -881,6 +881,13 @@ > KEEP(*(.con_initcall.init)) \ > __con_initcall_end = .; > > +/* Alignment must be consistent with (kunit_suite *) in include/kunit/test.h > */ Nit on naming: > +#define KUNIT_TEST_SUITES\ I would call this KUNIT_TABLE to maintain the same names as other things of this nature. > + . = ALIGN(8); \ > + __kunit_suites_start = .; \ > + KEEP(*(.kunit_test_suites)) \ > + __kunit_suites_end = .; > + > #ifdef CONFIG_BLK_DEV_INITRD > #define INIT_RAM_FS \ > . = ALIGN(4); \ > @@ -1056,6 +1063,7 @@ > INIT_CALLS \ > CON_INITCALL\ > INIT_RAM_FS \ > + KUNIT_TEST_SUITES \ > } Nack: this must be in INIT_DATA, not in INIT_DATA_SECTION. Not all architectures use the INIT_DATA_SECTION macro (e.g. arm64), but everything uses INIT_DATA. -- Kees Cook
Re: [PATCH 17/17] arch: rename copy_thread_tls() back to copy_thread()
On Tue, Jun 23, 2020 at 01:43:26AM +0200, Christian Brauner wrote: > Now that HAVE_COPY_THREAD_TLS has been removed, rename copy_thread_tls() > back simply copy_thread(). It's a simpler name, and doesn't imply that only > tls is copied here. This finishes an outstanding chunk of internal process > creation work since we've added clone3(). > [...] > -copy_thread_tls(unsigned long clone_flags, unsigned long user_stack_base, > +copy_thread(unsigned long clone_flags, unsigned long user_stack_base, > unsigned long user_stack_size, struct task_struct *p, > unsigned long tls) Maybe clean up the arg indentation too? I'm not sure how strongly people feel about that, but I think it'd be nice. Either way: Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 16/17] arch: remove HAVE_COPY_THREAD_TLS
On Tue, Jun 23, 2020 at 01:43:25AM +0200, Christian Brauner wrote: > All architectures support copy_thread_tls() now, so remove the legacy > copy_thread() function and the HAVE_COPY_THREAD_TLS config option. Everyone > uses the same process creation calling convention based on > copy_thread_tls() and struct kernel_clone_args. This will make it easier to > maintain the core process creation code under kernel/, simplifies the > callpaths and makes the identical for all architectures. > [...] > Signed-off-by: Christian Brauner Massive CC list. ;) linux-arch@ may be sufficient. Reviewed-by: Kees Cook -- Kees Cook
[PATCH] powerpc/mm: Fix typo in IS_ENABLED()
From: Joe Perches
IS_ENABLED() matches names exactly, so the missing "CONFIG_" prefix
means this code would never be built.
Also fixes a missing newline in pr_warn().
Signed-off-by: Joe Perches
Link:
https://lore.kernel.org/lkml/b08611018fdb6d88757c6008a5c02fa0e07b32fb.ca...@perches.com
Signed-off-by: Kees Cook
---
arch/powerpc/mm/book3s64/hash_utils.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/mm/book3s64/hash_utils.c
b/arch/powerpc/mm/book3s64/hash_utils.c
index 8ed2411c3f39..cf2e1b06e5d4 100644
--- a/arch/powerpc/mm/book3s64/hash_utils.c
+++ b/arch/powerpc/mm/book3s64/hash_utils.c
@@ -660,11 +660,10 @@ static void __init htab_init_page_sizes(void)
* Pick a size for the linear mapping. Currently, we only
* support 16M, 1M and 4K which is the default
*/
- if (IS_ENABLED(STRICT_KERNEL_RWX) &&
+ if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX) &&
(unsigned long)_stext % 0x100) {
if (mmu_psize_defs[MMU_PAGE_16M].shift)
- pr_warn("Kernel not 16M aligned, "
- "disabling 16M linear map alignment");
+ pr_warn("Kernel not 16M aligned, disabling 16M
linear map alignment\n");
aligned = false;
}
--
2.25.1
--
Kees Cook
Re: [PATCH] pwm: Add missing "CONFIG_" prefix
On Wed, Jun 03, 2020 at 04:04:31PM -0700, Joe Perches wrote:
> On Wed, 2020-06-03 at 15:40 -0700, Kees Cook wrote:
> > The IS_ENABLED() use was missing the CONFIG_ prefix which would have
> > lead to skipping this code.
> >
> > Fixes: 3ad1f3a33286 ("pwm: Implement some checks for lowlevel drivers")
> > Signed-off-by: Kees Cook
> > ---
> > drivers/pwm/core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c
> > index 9973c442b455..6b3cbc0490c6 100644
> > --- a/drivers/pwm/core.c
> > +++ b/drivers/pwm/core.c
> > @@ -121,7 +121,7 @@ static int pwm_device_request(struct pwm_device *pwm,
> > const char *label)
> > pwm->chip->ops->get_state(pwm->chip, pwm, >state);
> > trace_pwm_get(pwm, >state);
> >
> > - if (IS_ENABLED(PWM_DEBUG))
> > + if (IS_ENABLED(CONFIG_PWM_DEBUG))
> > pwm->last = pwm->state;
> > }
> >
> > --
> > 2.25.1
> >
>
> more odd uses (mostly in comments)
>
> $ git grep -P -oh '\bIS_ENABLED\s*\(\s*\w+\s*\)'| \
> sed -r 's/\s+//g'| \
> grep -v '(CONFIG_' | \
> sort | uniq -c | sort -rn
> 7 IS_ENABLED(DEBUG)
> 4 IS_ENABLED(DRM_I915_SELFTEST)
> 4 IS_ENABLED(cfg)
> 2 IS_ENABLED(opt_name)
> 2 IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)
> 2 IS_ENABLED(config)
> 2 IS_ENABLED(cond)
> 2 IS_ENABLED(__BIG_ENDIAN)
> 1 IS_ENABLED(x)
> 1 IS_ENABLED(STRICT_KERNEL_RWX)
> 1 IS_ENABLED(PWM_DEBUG)
> 1 IS_ENABLED(option)
> 1 IS_ENABLED(ETHTOOL_NETLINK)
> 1 IS_ENABLED(DEBUG_RANDOM_TRIE)
> 1 IS_ENABLED(DEBUG_CHACHA20POLY1305_SLOW_CHUNK_TEST)
>
> STRICT_KERNEL_RWX is misused here in ppc
>
> ---
>
> Fix pr_warn without newline too.
>
> arch/powerpc/mm/book3s64/hash_utils.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/mm/book3s64/hash_utils.c
> b/arch/powerpc/mm/book3s64/hash_utils.c
> index 51e3c15f7aff..dd60c5f2b991 100644
> --- a/arch/powerpc/mm/book3s64/hash_utils.c
> +++ b/arch/powerpc/mm/book3s64/hash_utils.c
> @@ -660,11 +660,10 @@ static void __init htab_init_page_sizes(void)
>* Pick a size for the linear mapping. Currently, we only
>* support 16M, 1M and 4K which is the default
>*/
> - if (IS_ENABLED(STRICT_KERNEL_RWX) &&
> + if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX) &&
> (unsigned long)_stext % 0x100) {
> if (mmu_psize_defs[MMU_PAGE_16M].shift)
> - pr_warn("Kernel not 16M aligned, "
> - "disabling 16M linear map alignment");
> + pr_warn("Kernel not 16M aligned, disabling 16M
> linear map alignment\n");
> aligned = false;
> }
Joe, I was going to send all of the fixes for these issues, but your
patch doesn't have a SoB. Shall I add one for the above patch?
--
Kees Cook
Re: [PATCH] pwm: Add missing "CONFIG_" prefix
On Wed, Jun 03, 2020 at 04:04:31PM -0700, Joe Perches wrote:
> more odd uses (mostly in comments)
>
> $ git grep -P -oh '\bIS_ENABLED\s*\(\s*\w+\s*\)'| \
> sed -r 's/\s+//g'| \
> grep -v '(CONFIG_' | \
> sort | uniq -c | sort -rn
I think a missed a bunch because my grep was messy. :) This is much
easier to scan.
> 7 IS_ENABLED(DEBUG)
> 4 IS_ENABLED(cfg)
> 2 IS_ENABLED(opt_name)
> 2 IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)
> 2 IS_ENABLED(config)
> 2 IS_ENABLED(cond)
> 2 IS_ENABLED(__BIG_ENDIAN)
> 1 IS_ENABLED(x)
> 1 IS_ENABLED(PWM_DEBUG)
> 1 IS_ENABLED(option)
> 1 IS_ENABLED(DEBUG_RANDOM_TRIE)
> 1 IS_ENABLED(DEBUG_CHACHA20POLY1305_SLOW_CHUNK_TEST)
These seem to be "as expected".
> 4 IS_ENABLED(DRM_I915_SELFTEST)
> 1 IS_ENABLED(STRICT_KERNEL_RWX)
> 1 IS_ENABLED(ETHTOOL_NETLINK)
But these are not.
>
> STRICT_KERNEL_RWX is misused here in ppc
>
> ---
>
> Fix pr_warn without newline too.
>
> arch/powerpc/mm/book3s64/hash_utils.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/mm/book3s64/hash_utils.c
> b/arch/powerpc/mm/book3s64/hash_utils.c
> index 51e3c15f7aff..dd60c5f2b991 100644
> --- a/arch/powerpc/mm/book3s64/hash_utils.c
> +++ b/arch/powerpc/mm/book3s64/hash_utils.c
> @@ -660,11 +660,10 @@ static void __init htab_init_page_sizes(void)
>* Pick a size for the linear mapping. Currently, we only
>* support 16M, 1M and 4K which is the default
>*/
> - if (IS_ENABLED(STRICT_KERNEL_RWX) &&
> + if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX) &&
> (unsigned long)_stext % 0x100) {
> if (mmu_psize_defs[MMU_PAGE_16M].shift)
> - pr_warn("Kernel not 16M aligned, "
> - "disabling 16M linear map alignment");
> + pr_warn("Kernel not 16M aligned, disabling 16M
> linear map alignment\n");
> aligned = false;
> }
Reviewed-by: Kees Cook
--
Kees Cook
Re: [Intel-gfx] [PATCH 06/13] ocfs2: use new sysctl subdir helper register_sysctl_subdir()
On Fri, May 29, 2020 at 11:49:12AM +, Luis Chamberlain wrote: > Yikes, sense, you're right. Nope, I left the random config tests to > 0day. Will fix, thanks! Yeah, I do the same for randconfig, but I always do an "allmodconfig" build before sending stuff. It's a good smoke test. -- Kees Cook
Re: [PATCH 06/13] ocfs2: use new sysctl subdir helper register_sysctl_subdir()
On Fri, May 29, 2020 at 07:41:01AM +, Luis Chamberlain wrote:
> This simplifies the code considerably. The following coccinelle
> SmPL grammar rule was used to transform this code.
>
> // pycocci sysctl-subdir.cocci fs/ocfs2/stackglue.c
>
> @c1@
> expression E1;
> identifier subdir, sysctls;
> @@
>
> static struct ctl_table subdir[] = {
> {
> .procname = E1,
> .maxlen = 0,
> .mode = 0555,
> .child = sysctls,
> },
> { }
> };
>
> @c2@
> identifier c1.subdir;
>
> expression E2;
> identifier base;
> @@
>
> static struct ctl_table base[] = {
> {
> .procname = E2,
> .maxlen = 0,
> .mode = 0555,
> .child = subdir,
> },
> { }
> };
>
> @c3@
> identifier c2.base;
> identifier header;
> @@
>
> header = register_sysctl_table(base);
>
> @r1 depends on c1 && c2 && c3@
> expression c1.E1;
> identifier c1.subdir, c1.sysctls;
> @@
>
> -static struct ctl_table subdir[] = {
> - {
> - .procname = E1,
> - .maxlen = 0,
> - .mode = 0555,
> - .child = sysctls,
> - },
> - { }
> -};
>
> @r2 depends on c1 && c2 && c3@
> identifier c1.subdir;
>
> expression c2.E2;
> identifier c2.base;
> @@
> -static struct ctl_table base[] = {
> - {
> - .procname = E2,
> - .maxlen = 0,
> - .mode = 0555,
> - .child = subdir,
> - },
> - { }
> -};
>
> @r3 depends on c1 && c2 && c3@
> expression c1.E1;
> identifier c1.sysctls;
> expression c2.E2;
> identifier c2.base;
> identifier c3.header;
> @@
>
> header =
> -register_sysctl_table(base);
> +register_sysctl_subdir(E2, E1, sysctls);
>
> Generated-by: Coccinelle SmPL
>
> Signed-off-by: Luis Chamberlain
> ---
> fs/ocfs2/stackglue.c | 27 ---
> 1 file changed, 4 insertions(+), 23 deletions(-)
>
> diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
> index a191094694c6..addafced7f59 100644
> --- a/fs/ocfs2/stackglue.c
> +++ b/fs/ocfs2/stackglue.c
> @@ -677,28 +677,8 @@ static struct ctl_table ocfs2_mod_table[] = {
> },
> { }
> };
> -
> -static struct ctl_table ocfs2_kern_table[] = {
> - {
> - .procname = "ocfs2",
> - .data = NULL,
> - .maxlen = 0,
> - .mode = 0555,
> - .child = ocfs2_mod_table
> - },
> - { }
> -};
> -
> -static struct ctl_table ocfs2_root_table[] = {
> - {
> - .procname = "fs",
> - .data = NULL,
> - .maxlen = 0,
> - .mode = 0555,
> - .child = ocfs2_kern_table
> - },
> - { }
> -};
> + .data = NULL,
> + .data = NULL,
The conversion script doesn't like the .data field assignments. ;)
Was this series built with allmodconfig? I would have expected this to
blow up very badly. :)
--
Kees Cook
Re: [PATCH 12/13] sysctl: add helper to register empty subdir
On Fri, May 29, 2020 at 07:41:07AM +, Luis Chamberlain wrote: > The way to create a subdirectory from the base set of directories > is a bit obscure, so provide a helper which makes this clear, and > also helps remove boiler plate code required to do this work. > > Signed-off-by: Luis Chamberlain Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH 13/13] fs: move binfmt_misc sysctl to its own file
On Fri, May 29, 2020 at 07:41:08AM +, Luis Chamberlain wrote:
> This moves the binfmt_misc sysctl to its own file to help remove
> clutter from kernel/sysctl.c.
>
> Signed-off-by: Luis Chamberlain
> ---
> fs/binfmt_misc.c | 1 +
> kernel/sysctl.c | 7 ---
> 2 files changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
> index f69a043f562b..656b3f5f3bbf 100644
> --- a/fs/binfmt_misc.c
> +++ b/fs/binfmt_misc.c
> @@ -821,6 +821,7 @@ static int __init init_misc_binfmt(void)
> int err = register_filesystem(_fs_type);
> if (!err)
> insert_binfmt(_format);
> + register_sysctl_empty_subdir("fs", "binfmt_misc");
> return err;
Nit: let's make the dir before registering the filesystem. I can't
imagine a realistic situation where userspace is reacting so fast it
would actually fail to mount the fs on /proc/sys/fs/binfmt_misc, but why
risk it?
-Kees
> }
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 460532cd5ac8..7714e7b476c2 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -3042,13 +3042,6 @@ static struct ctl_table fs_table[] = {
> .extra1 = SYSCTL_ZERO,
> .extra2 = SYSCTL_TWO,
> },
> -#if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
> - {
> - .procname = "binfmt_misc",
> - .mode = 0555,
> - .child = sysctl_mount_point,
> - },
> -#endif
> {
> .procname = "pipe-max-size",
> .data = _max_size,
> --
> 2.26.2
>
--
Kees Cook
Re: [PATCH v4 2/6] printk: honor the max_reason field in kmsg_dumper
On Fri, May 22, 2020 at 06:51:20PM +0200, Petr Mladek wrote: > On Fri 2020-05-15 11:44:30, Kees Cook wrote: > > From: Pavel Tatashin > > > > kmsg_dump() allows to dump kmesg buffer for various system events: oops, > > panic, reboot, etc. It provides an interface to register a callback call > > for clients, and in that callback interface there is a field "max_reason" > > which gets ignored unless always_kmsg_dump is passed as kernel parameter. > > Strictly speaking, this is not fully true. "max_reason" field is not > ignored when set to KMSG_DUMP_PANIC even when always_kmsg_dump was not set. > > It should be something like: > > "which gets ignored for reason higher than KMSG_DUMP_OOPS unless > always_kmsg_dump is passed as kernel parameter". > > Heh, I wonder if anyone will be able to parse this ;-) Ah yeah, good point. I've reworded things like this: kmsg_dump() allows to dump kmesg buffer for various system events: oops, panic, reboot, etc. It provides an interface to register a callback call for clients, and in that callback interface there is a field "max_reason", but it was getting ignored when set to any "reason" higher than KMSG_DUMP_OOPS unless "always_kmsg_dump" was passed as kernel parameter. Allow clients to actually control their "max_reason", and keep the current behavior when "max_reason" is not set. > Otherwise, it looks good to me. With the updated commit message: > > Reviewed-by: Petr Mladek Thanks! -- Kees Cook
Re: [PATCH] soc: fsl: qe: Replace one-element array and use struct_size() helper
On Wed, May 20, 2020 at 06:52:21PM -0500, Li Yang wrote:
> On Mon, May 18, 2020 at 5:57 PM Kees Cook wrote:
> > Hm, looking at this code, I see a few other things that need to be
> > fixed:
> >
> > 1) drivers/tty/serial/ucc_uart.c does not do a be32_to_cpu() conversion
> >on the length test (understandably, a little-endian system has never run
> >this code since it's ppc specific), but it's still wrong:
> >
> > if (firmware->header.length != fw->size) {
> >
> >compare to the firmware loader:
> >
> > length = be32_to_cpu(hdr->length);
> >
> > 2) drivers/soc/fsl/qe/qe.c does not perform bounds checking on the
> >per-microcode offsets, so the uploader might send data outside the
> >firmware buffer. Perhaps:
>
> We do validate the CRC for each microcode, it is unlikely the CRC
> check can pass if the offset or length is not correct. But you are
> probably right that it will be safer to check the boundary and fail
Right, but a malicious firmware file could still match CRC but trick the
kernel code.
> quicker before we actually start the CRC check. Will you come up with
> a formal patch or you want us to deal with it?
It sounds like Gustavo will be sending one, though I don't think either
of us have the hardware to test it with, so if you could do that part,
that would be great! :)
--
Kees Cook
Re: [PATCH v4 6/6] ramoops: Add max_reason optional field to ramoops DT node
On Mon, May 18, 2020 at 04:45:32PM -0600, Rob Herring wrote: > On Fri, May 15, 2020 at 12:44 PM Kees Cook wrote: > > > > From: Pavel Tatashin > > Subject still has 'max_reason'. > > > > > Currently, it is possible to dump kmsges for panic, or oops. > > With max_reason it is possible to dump messages for other > > And here. Ah yeah, this was, I think, describing the internal field name, but I see it would be less confusing to refer to this by the DT name. I will adjust it. Thanks! -Kees > > > kmesg_dump events, for example reboot, halt, shutdown, kexec. > > > > Signed-off-by: Pavel Tatashin > > Link: > > https://lore.kernel.org/lkml/20200506211523.15077-6-keesc...@chromium.org/ > > Signed-off-by: Kees Cook > > --- > > .../devicetree/bindings/reserved-memory/ramoops.txt | 13 +++-- > > 1 file changed, 11 insertions(+), 2 deletions(-) > > > > diff --git a/Documentation/devicetree/bindings/reserved-memory/ramoops.txt > > b/Documentation/devicetree/bindings/reserved-memory/ramoops.txt > > index 0eba562fe5c6..b7886fea368c 100644 > > --- a/Documentation/devicetree/bindings/reserved-memory/ramoops.txt > > +++ b/Documentation/devicetree/bindings/reserved-memory/ramoops.txt > > @@ -30,7 +30,7 @@ Optional properties: > > - ecc-size: enables ECC support and specifies ECC buffer size in bytes > >(defaults to 0: no ECC) > > > > -- record-size: maximum size in bytes of each dump done on oops/panic > > +- record-size: maximum size in bytes of each kmsg dump. > >(defaults to 0: disabled) > > > > - console-size: size in bytes of log buffer reserved for kernel messages > > @@ -45,7 +45,16 @@ Optional properties: > > - unbuffered: if present, use unbuffered mappings to map the reserved > > region > >(defaults to buffered mappings) > > > > -- no-dump-oops: if present, only dump panics (defaults to panics and oops) > > +- max-reason: if present, sets maximum type of kmsg dump reasons to store > > + (defaults to 2: log Oopses and Panics). This can be set to INT_MAX to > > + store all kmsg dumps. See include/linux/kmsg_dump.h KMSG_DUMP_* for other > > + kmsg dump reason values. Setting this to 0 (KMSG_DUMP_UNDEF), means the > > + reason filtering will be controlled by the printk.always_kmsg_dump boot > > + param: if unset, it will be KMSG_DUMP_OOPS, otherwise KMSG_DUMP_MAX. > > + > > +- no-dump-oops: deprecated, use max_reason instead. If present, and > > + max_reason is not specified, it is equivalent to max_reason = 1 > > And here (3 times). > > > + (KMSG_DUMP_PANIC). > > > > - flags: if present, pass ramoops behavioral flags (defaults to 0, > >see include/linux/pstore_ram.h RAMOOPS_FLAG_* for flag values). > > -- > > 2.20.1 > > -- Kees Cook
Re: [PATCH] soc: fsl: qe: Replace one-element array and use struct_size() helper
32 *)firmware_end);
if (crc != crc32(0, firmware, calc_size)) {
printk(KERN_ERR "qe-firmware: firmware CRC is invalid\n");
return -EIO;
}
+ /* Validate ucode lengths and offsets */
+ for (i = 0; i < firmware->count; i++) {
+ const struct qe_microcode *ucode = >microcode[i];
+ __be32 *code;
+ size_t count;
+
+ if (!ucode->code_offset)
+ continue;
+
+ code = (void *)firmware + be32_to_cpu(ucode->code_offset);
+ count = be32_to_cpu(ucode->count) * sizeof(*code);
+
+ if (code < firmware || code >= firmware_end ||
+ code + count < firmware || code + count >= firmware_end) {
+ printk(KERN_ERR "qe-firmware: invalid ucode offset\n");
+ return -EIO;
+ }
+ }
+
/*
* If the microcode calls for it, split the I-RAM.
*/
I haven't tested this.
--
Kees Cook
Re: [PATCH v4 5/6] pstore/ram: Introduce max_reason and convert dump_oops
On Fri, May 15, 2020 at 03:40:14PM -0400, Pavel Tatashin wrote: > pdata.dump_oops = dump_oops; > > + /* If "max_reason" is set, its value has priority over "dump_oops". > > */ > > + if (ramoops_max_reason != -1) > > + pdata.max_reason = ramoops_max_reason; > > (ramoops_max_reason >= 0) might make more sense here, we do not want > negative max_reason even if it was provided by the user. Yeah, that's a good point. I'll tweak that. Thanks! -- Kees Cook
Re: [PATCH v4 5/6] pstore/ram: Introduce max_reason and convert dump_oops
On Fri, May 15, 2020 at 03:30:27PM -0400, Pavel Tatashin wrote:
> > #define parse_u32(name, field, default_value) {
> > \
> > ret = ramoops_parse_dt_u32(pdev, name, default_value, \
>
> The series seems to be missing the patch where ramoops_parse_dt_size
> -> ramoops_parse_dt_u32 get renamed, and updated to handle default
> value.
Oops! Sorry, I cut the line in the wrong place for sending out the delta
on top of the pstore tree. :)
It's unchanged from:
https://lore.kernel.org/lkml/20200506211523.15077-4-keesc...@chromium.org/
--
Kees Cook
[PATCH v4 6/6] ramoops: Add max_reason optional field to ramoops DT node
From: Pavel Tatashin Currently, it is possible to dump kmsges for panic, or oops. With max_reason it is possible to dump messages for other kmesg_dump events, for example reboot, halt, shutdown, kexec. Signed-off-by: Pavel Tatashin Link: https://lore.kernel.org/lkml/20200506211523.15077-6-keesc...@chromium.org/ Signed-off-by: Kees Cook --- .../devicetree/bindings/reserved-memory/ramoops.txt | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/Documentation/devicetree/bindings/reserved-memory/ramoops.txt b/Documentation/devicetree/bindings/reserved-memory/ramoops.txt index 0eba562fe5c6..b7886fea368c 100644 --- a/Documentation/devicetree/bindings/reserved-memory/ramoops.txt +++ b/Documentation/devicetree/bindings/reserved-memory/ramoops.txt @@ -30,7 +30,7 @@ Optional properties: - ecc-size: enables ECC support and specifies ECC buffer size in bytes (defaults to 0: no ECC) -- record-size: maximum size in bytes of each dump done on oops/panic +- record-size: maximum size in bytes of each kmsg dump. (defaults to 0: disabled) - console-size: size in bytes of log buffer reserved for kernel messages @@ -45,7 +45,16 @@ Optional properties: - unbuffered: if present, use unbuffered mappings to map the reserved region (defaults to buffered mappings) -- no-dump-oops: if present, only dump panics (defaults to panics and oops) +- max-reason: if present, sets maximum type of kmsg dump reasons to store + (defaults to 2: log Oopses and Panics). This can be set to INT_MAX to + store all kmsg dumps. See include/linux/kmsg_dump.h KMSG_DUMP_* for other + kmsg dump reason values. Setting this to 0 (KMSG_DUMP_UNDEF), means the + reason filtering will be controlled by the printk.always_kmsg_dump boot + param: if unset, it will be KMSG_DUMP_OOPS, otherwise KMSG_DUMP_MAX. + +- no-dump-oops: deprecated, use max_reason instead. If present, and + max_reason is not specified, it is equivalent to max_reason = 1 + (KMSG_DUMP_PANIC). - flags: if present, pass ramoops behavioral flags (defaults to 0, see include/linux/pstore_ram.h RAMOOPS_FLAG_* for flag values). -- 2.20.1
[PATCH v4 0/6] allow ramoops to collect all kmesg_dump events
Hello! I wanted to get the pstore tree nailed down, so here's the v4 of Pavel's series, tweaked for the feedback during v3 review. -Kees v4: - rebase on pstore tree - collapse shutdown types into a single dump reason https://lore.kernel.org/lkml/ca+ck2bapv5u1ih5y9t5funtyximtfctdyxjcpuyjoyhnokr...@mail.gmail.com/ - fix dump_oops vs max_reason module params https://lore.kernel.org/lkml/20200512233504.GA118720@sequoia/ - typos https://lore.kernel.org/lkml/4cdeaa2af2fe0d6cc2ca8ce3a37608340799df8a.ca...@perches.com/ - rename DT parsing routines ..._size -> ..._u32 https://lore.kernel.org/lkml/ca+ck2bcu8efomiu+nebjvn-o2dbuecxwrfssnjb3ys3cacb...@mail.gmail.com/ v3: https://lore.kernel.org/lkml/20200506211523.15077-1-keesc...@chromium.org/ v2: https://lore.kernel.org/lkml/20200505154510.93506-1-pasha.tatas...@soleen.com v1: https://lore.kernel.org/lkml/20200502143555.543636-1-pasha.tatas...@soleen.com Kees Cook (3): printk: Collapse shutdown types into a single dump reason printk: Introduce kmsg_dump_reason_str() pstore/ram: Introduce max_reason and convert dump_oops Pavel Tatashin (3): printk: honor the max_reason field in kmsg_dumper pstore/platform: Pass max_reason to kmesg dump ramoops: Add max_reason optional field to ramoops DT node Documentation/admin-guide/ramoops.rst | 14 +++-- .../bindings/reserved-memory/ramoops.txt | 13 - arch/powerpc/kernel/nvram_64.c| 4 +- drivers/platform/chrome/chromeos_pstore.c | 2 +- fs/pstore/platform.c | 26 ++--- fs/pstore/ram.c | 58 +-- include/linux/kmsg_dump.h | 12 +++- include/linux/pstore.h| 7 +++ include/linux/pstore_ram.h| 2 +- kernel/printk/printk.c| 32 -- kernel/reboot.c | 6 +- 11 files changed, 114 insertions(+), 62 deletions(-) -- 2.20.1
[PATCH v4 2/6] printk: honor the max_reason field in kmsg_dumper
From: Pavel Tatashin
kmsg_dump() allows to dump kmesg buffer for various system events: oops,
panic, reboot, etc. It provides an interface to register a callback call
for clients, and in that callback interface there is a field "max_reason"
which gets ignored unless always_kmsg_dump is passed as kernel parameter.
Allow clients to decide max_reason, and keep the current behavior when
max_reason is not set.
Signed-off-by: Pavel Tatashin
Link: https://lore.kernel.org/lkml/20200506211523.15077-2-keesc...@chromium.org/
Signed-off-by: Kees Cook
---
include/linux/kmsg_dump.h | 1 +
kernel/printk/printk.c| 15 +++
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/include/linux/kmsg_dump.h b/include/linux/kmsg_dump.h
index 3f82b5cb2d82..9826014771ab 100644
--- a/include/linux/kmsg_dump.h
+++ b/include/linux/kmsg_dump.h
@@ -26,6 +26,7 @@ enum kmsg_dump_reason {
KMSG_DUMP_OOPS,
KMSG_DUMP_EMERG,
KMSG_DUMP_SHUTDOWN,
+ KMSG_DUMP_MAX
};
/**
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 9a9b6156270b..a121c2255737 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -3157,12 +3157,19 @@ void kmsg_dump(enum kmsg_dump_reason reason)
struct kmsg_dumper *dumper;
unsigned long flags;
- if ((reason > KMSG_DUMP_OOPS) && !always_kmsg_dump)
- return;
-
rcu_read_lock();
list_for_each_entry_rcu(dumper, _list, list) {
- if (dumper->max_reason && reason > dumper->max_reason)
+ enum kmsg_dump_reason max_reason = dumper->max_reason;
+
+ /*
+* If client has not provided a specific max_reason, default
+* to KMSG_DUMP_OOPS, unless always_kmsg_dump was set.
+*/
+ if (max_reason == KMSG_DUMP_UNDEF) {
+ max_reason = always_kmsg_dump ? KMSG_DUMP_MAX :
+ KMSG_DUMP_OOPS;
+ }
+ if (reason > max_reason)
continue;
/* initialize iterator with data about the stored records */
--
2.20.1
[PATCH v4 1/6] printk: Collapse shutdown types into a single dump reason
To turn the KMSG_DUMP_* reasons into a more ordered list, collapse
the redundant KMSG_DUMP_(RESTART|HALT|POWEROFF) reasons into
KMSG_DUMP_SHUTDOWN. The current users already don't meaningfully
distinguish between them, so there's no need to, as discussed here:
https://lore.kernel.org/lkml/ca+ck2bapv5u1ih5y9t5funtyximtfctdyxjcpuyjoyhnokr...@mail.gmail.com/
Signed-off-by: Kees Cook
---
arch/powerpc/kernel/nvram_64.c | 4 +---
fs/pstore/platform.c | 8 ++--
include/linux/kmsg_dump.h | 4 +---
kernel/reboot.c| 6 +++---
4 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c
index fb4f61096613..0cd1c88bfc8b 100644
--- a/arch/powerpc/kernel/nvram_64.c
+++ b/arch/powerpc/kernel/nvram_64.c
@@ -655,9 +655,7 @@ static void oops_to_nvram(struct kmsg_dumper *dumper,
int rc = -1;
switch (reason) {
- case KMSG_DUMP_RESTART:
- case KMSG_DUMP_HALT:
- case KMSG_DUMP_POWEROFF:
+ case KMSG_DUMP_SHUTDOWN:
/* These are almost always orderly shutdowns. */
return;
case KMSG_DUMP_OOPS:
diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
index 072440457c08..90d74ebaa70a 100644
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -144,12 +144,8 @@ static const char *get_reason_str(enum kmsg_dump_reason
reason)
return "Oops";
case KMSG_DUMP_EMERG:
return "Emergency";
- case KMSG_DUMP_RESTART:
- return "Restart";
- case KMSG_DUMP_HALT:
- return "Halt";
- case KMSG_DUMP_POWEROFF:
- return "Poweroff";
+ case KMSG_DUMP_SHUTDOWN:
+ return "Shutdown";
default:
return "Unknown";
}
diff --git a/include/linux/kmsg_dump.h b/include/linux/kmsg_dump.h
index 2e7a1e032c71..3f82b5cb2d82 100644
--- a/include/linux/kmsg_dump.h
+++ b/include/linux/kmsg_dump.h
@@ -25,9 +25,7 @@ enum kmsg_dump_reason {
KMSG_DUMP_PANIC,
KMSG_DUMP_OOPS,
KMSG_DUMP_EMERG,
- KMSG_DUMP_RESTART,
- KMSG_DUMP_HALT,
- KMSG_DUMP_POWEROFF,
+ KMSG_DUMP_SHUTDOWN,
};
/**
diff --git a/kernel/reboot.c b/kernel/reboot.c
index c4d472b7f1b4..491f1347bf43 100644
--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -250,7 +250,7 @@ void kernel_restart(char *cmd)
pr_emerg("Restarting system\n");
else
pr_emerg("Restarting system with command '%s'\n", cmd);
- kmsg_dump(KMSG_DUMP_RESTART);
+ kmsg_dump(KMSG_DUMP_SHUTDOWN);
machine_restart(cmd);
}
EXPORT_SYMBOL_GPL(kernel_restart);
@@ -274,7 +274,7 @@ void kernel_halt(void)
migrate_to_reboot_cpu();
syscore_shutdown();
pr_emerg("System halted\n");
- kmsg_dump(KMSG_DUMP_HALT);
+ kmsg_dump(KMSG_DUMP_SHUTDOWN);
machine_halt();
}
EXPORT_SYMBOL_GPL(kernel_halt);
@@ -292,7 +292,7 @@ void kernel_power_off(void)
migrate_to_reboot_cpu();
syscore_shutdown();
pr_emerg("Power down\n");
- kmsg_dump(KMSG_DUMP_POWEROFF);
+ kmsg_dump(KMSG_DUMP_SHUTDOWN);
machine_power_off();
}
EXPORT_SYMBOL_GPL(kernel_power_off);
--
2.20.1
[PATCH v4 4/6] pstore/platform: Pass max_reason to kmesg dump
From: Pavel Tatashin
Add a new member to struct pstore_info for passing information about
kmesg dump maximum reason. This allows a finer control of what kmesg
dumps are sent to pstore storage backends.
Those backends that do not explicitly set this field (keeping it equal to
0), get the default behavior: store only Oopses and Panics, or everything
if the printk.always_kmsg_dump boot param is set.
Signed-off-by: Pavel Tatashin
Link: https://lore.kernel.org/lkml/20200506211523.15077-3-keesc...@chromium.org/
Co-developed-by: Kees Cook
Signed-off-by: Kees Cook
---
fs/pstore/platform.c | 4 +++-
include/linux/pstore.h | 7 +++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
index 5e6c6022deb9..a9e297eefdff 100644
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -595,8 +595,10 @@ int pstore_register(struct pstore_info *psi)
pstore_get_records(0);
- if (psi->flags & PSTORE_FLAGS_DMESG)
+ if (psi->flags & PSTORE_FLAGS_DMESG) {
+ pstore_dumper.max_reason = psinfo->max_reason;
pstore_register_kmsg();
+ }
if (psi->flags & PSTORE_FLAGS_CONSOLE)
pstore_register_console();
if (psi->flags & PSTORE_FLAGS_FTRACE)
diff --git a/include/linux/pstore.h b/include/linux/pstore.h
index f6f22b13e04f..eb93a54cff31 100644
--- a/include/linux/pstore.h
+++ b/include/linux/pstore.h
@@ -96,6 +96,12 @@ struct pstore_record {
*
* @read_mutex:serializes @open, @read, @close, and @erase callbacks
* @flags: bitfield of frontends the backend can accept writes for
+ * @max_reason:Used when PSTORE_FLAGS_DMESG is set. Contains the
+ * kmsg_dump_reason enum value. KMSG_DUMP_UNDEF means
+ * "use existing kmsg_dump() filtering, based on the
+ * printk.always_kmsg_dump boot param" (which is either
+ * KMSG_DUMP_OOPS when false, or KMSG_DUMP_MAX when
+ * true); see printk.always_kmsg_dump for more details.
* @data: backend-private pointer passed back during callbacks
*
* Callbacks:
@@ -179,6 +185,7 @@ struct pstore_info {
struct mutexread_mutex;
int flags;
+ int max_reason;
void*data;
int (*open)(struct pstore_info *psi);
--
2.20.1
[PATCH v4 5/6] pstore/ram: Introduce max_reason and convert dump_oops
Now that pstore_register() can correctly pass max_reason to the kmesg
dump facility, introduce a new "max_reason" module parameter and
"max-reason" Device Tree field.
The "dump_oops" module parameter and "dump-oops" Device
Tree field are now considered deprecated, but are now automatically
converted to their corresponding max_reason values when present, though
the new max_reason setting has precedence.
For struct ramoops_platform_data, the "dump_oops" member is entirely
replaced by a new "max_reason" member, with the only existing user
updated in place.
Additionally remove the "reason" filter logic from ramoops_pstore_write(),
as that is not specifically needed anymore, though technically
this is a change in behavior for any ramoops users also setting the
printk.always_kmsg_dump boot param, which will cause ramoops to behave as
if max_reason was set to KMSG_DUMP_MAX.
Co-developed-by: Pavel Tatashin
Signed-off-by: Pavel Tatashin
Link: https://lore.kernel.org/lkml/20200506211523.15077-5-keesc...@chromium.org/
Signed-off-by: Kees Cook
---
Documentation/admin-guide/ramoops.rst | 14 --
drivers/platform/chrome/chromeos_pstore.c | 2 +-
fs/pstore/ram.c | 58 +++
include/linux/pstore_ram.h| 2 +-
4 files changed, 51 insertions(+), 25 deletions(-)
diff --git a/Documentation/admin-guide/ramoops.rst
b/Documentation/admin-guide/ramoops.rst
index 6dbcc5481000..a60a96218ba9 100644
--- a/Documentation/admin-guide/ramoops.rst
+++ b/Documentation/admin-guide/ramoops.rst
@@ -32,11 +32,17 @@ memory to be mapped strongly ordered, and atomic operations
on strongly ordered
memory are implementation defined, and won't work on many ARMs such as omaps.
The memory area is divided into ``record_size`` chunks (also rounded down to
-power of two) and each oops/panic writes a ``record_size`` chunk of
+power of two) and each kmesg dump writes a ``record_size`` chunk of
information.
-Dumping both oopses and panics can be done by setting 1 in the ``dump_oops``
-variable while setting 0 in that variable dumps only the panics.
+Limiting which kinds of kmsg dumps are stored can be controlled via
+the ``max_reason`` value, as defined in include/linux/kmsg_dump.h's
+``enum kmsg_dump_reason``. For example, to store both Oopses and Panics,
+``max_reason`` should be set to 2 (KMSG_DUMP_OOPS), to store only Panics
+``max_reason`` should be set to 1 (KMSG_DUMP_PANIC). Setting this to 0
+(KMSG_DUMP_UNDEF), means the reason filtering will be controlled by the
+``printk.always_kmsg_dump`` boot param: if unset, it'll be KMSG_DUMP_OOPS,
+otherwise KMSG_DUMP_MAX.
The module uses a counter to record multiple dumps but the counter gets reset
on restart (i.e. new dumps after the restart will overwrite old ones).
@@ -90,7 +96,7 @@ Setting the ramoops parameters can be done in several
different manners:
.mem_address= <...>,
.mem_type = <...>,
.record_size= <...>,
-.dump_oops = <...>,
+.max_reason = <...>,
.ecc= <...>,
};
diff --git a/drivers/platform/chrome/chromeos_pstore.c
b/drivers/platform/chrome/chromeos_pstore.c
index d13770785fb5..fa51153688b4 100644
--- a/drivers/platform/chrome/chromeos_pstore.c
+++ b/drivers/platform/chrome/chromeos_pstore.c
@@ -57,7 +57,7 @@ static struct ramoops_platform_data chromeos_ramoops_data = {
.record_size= 0x4,
.console_size = 0x2,
.ftrace_size= 0x2,
- .dump_oops = 1,
+ .max_reason = KMSG_DUMP_OOPS,
};
static struct platform_device chromeos_ramoops = {
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index 31f277633beb..f6eace1dbf7e 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -58,10 +58,10 @@ module_param(mem_type, uint, 0400);
MODULE_PARM_DESC(mem_type,
"set to 1 to try to use unbuffered memory (default 0)");
-static int dump_oops = 1;
-module_param(dump_oops, int, 0400);
-MODULE_PARM_DESC(dump_oops,
- "set to 1 to dump oopses, 0 to only dump panics (default 1)");
+static int ramoops_max_reason = -1;
+module_param_named(max_reason, ramoops_max_reason, int, 0400);
+MODULE_PARM_DESC(max_reason,
+"maximum reason for kmsg dump (default 2: Oops and Panic) ");
static int ramoops_ecc;
module_param_named(ecc, ramoops_ecc, int, 0400);
@@ -70,6 +70,11 @@ MODULE_PARM_DESC(ramoops_ecc,
"ECC buffer size in bytes (1 is a special value, means 16 "
"bytes ECC)");
+static int ramoops_dump_oops = -1;
+module_param_named(dump_oops, ramoops_dump_oops, int, 0400);
+MODULE_PARM_DESC(dump_oops,
+"(deprecated: use max_reason instead) set to 1 to dump oopses
& panics
[PATCH v4 3/6] printk: Introduce kmsg_dump_reason_str()
The pstore subsystem already had a private version of this function.
With the coming addition of the pstore/zone driver, this needs to be
shared. As it really should live with printk, move it there instead.
Link: https://lore.kernel.org/lkml/20200510202436.63222-8-keesc...@chromium.org/
Acked-by: Petr Mladek
Acked-by: Sergey Senozhatsky
Signed-off-by: Kees Cook
---
fs/pstore/platform.c | 18 +-
include/linux/kmsg_dump.h | 7 +++
kernel/printk/printk.c| 17 +
3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
index 90d74ebaa70a..5e6c6022deb9 100644
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -135,22 +135,6 @@ enum pstore_type_id pstore_name_to_type(const char *name)
}
EXPORT_SYMBOL_GPL(pstore_name_to_type);
-static const char *get_reason_str(enum kmsg_dump_reason reason)
-{
- switch (reason) {
- case KMSG_DUMP_PANIC:
- return "Panic";
- case KMSG_DUMP_OOPS:
- return "Oops";
- case KMSG_DUMP_EMERG:
- return "Emergency";
- case KMSG_DUMP_SHUTDOWN:
- return "Shutdown";
- default:
- return "Unknown";
- }
-}
-
static void pstore_timer_kick(void)
{
if (pstore_update_ms < 0)
@@ -403,7 +387,7 @@ static void pstore_dump(struct kmsg_dumper *dumper,
unsigned intpart = 1;
int ret;
- why = get_reason_str(reason);
+ why = kmsg_dump_reason_str(reason);
if (down_trylock(>buf_lock)) {
/* Failed to acquire lock: give up if we cannot wait. */
diff --git a/include/linux/kmsg_dump.h b/include/linux/kmsg_dump.h
index 9826014771ab..3378bcbe585e 100644
--- a/include/linux/kmsg_dump.h
+++ b/include/linux/kmsg_dump.h
@@ -70,6 +70,8 @@ void kmsg_dump_rewind(struct kmsg_dumper *dumper);
int kmsg_dump_register(struct kmsg_dumper *dumper);
int kmsg_dump_unregister(struct kmsg_dumper *dumper);
+
+const char *kmsg_dump_reason_str(enum kmsg_dump_reason reason);
#else
static inline void kmsg_dump(enum kmsg_dump_reason reason)
{
@@ -111,6 +113,11 @@ static inline int kmsg_dump_unregister(struct kmsg_dumper
*dumper)
{
return -EINVAL;
}
+
+static inline const char *kmsg_dump_reason_str(enum kmsg_dump_reason reason)
+{
+ return "Disabled";
+}
#endif
#endif /* _LINUX_KMSG_DUMP_H */
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index a121c2255737..14ca4d05d902 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -3144,6 +3144,23 @@ EXPORT_SYMBOL_GPL(kmsg_dump_unregister);
static bool always_kmsg_dump;
module_param_named(always_kmsg_dump, always_kmsg_dump, bool, S_IRUGO |
S_IWUSR);
+const char *kmsg_dump_reason_str(enum kmsg_dump_reason reason)
+{
+ switch (reason) {
+ case KMSG_DUMP_PANIC:
+ return "Panic";
+ case KMSG_DUMP_OOPS:
+ return "Oops";
+ case KMSG_DUMP_EMERG:
+ return "Emergency";
+ case KMSG_DUMP_SHUTDOWN:
+ return "Shutdown";
+ default:
+ return "Unknown";
+ }
+}
+EXPORT_SYMBOL_GPL(kmsg_dump_reason_str);
+
/**
* kmsg_dump - dump kernel log to kernel message dumpers.
* @reason: the reason (oops, panic etc) for dumping
--
2.20.1
Re: [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
On Thu, Apr 02, 2020 at 12:26:52PM -0700, Linus Torvalds wrote: > On Thu, Apr 2, 2020 at 11:36 AM Kees Cook wrote: > > > > Yup, I think it's a weakness of the ARM implementation and I'd like to > > not extend it further. AFAIK we should never nest, but I would not be > > surprised at all if we did. > > Wel, at least the user_access_begin/end() sections can't nest. objtool > verifies and warns about that on x86. Right, yes, I mentioned that earlier in the thread. I meant I wasn't 100% sure about ARM's corner cases. I would _hope_ it doesn't. > > If we were looking at a design goal for all architectures, I'd like > > to be doing what the public PaX patchset > > We already do better than PaX ever did. Seriously. Mainline has long > since passed their hacky garbage. I was just speaking to design principles in this area: if the "enable" is called when already enabled, Something Is Wrong. :) (And one thing still missing in this general subject is that x86 still lacks SMAP emulation. And yes, I understand it's just not been a priority for anyone that can work on it, but it is still a gap.) -- Kees Cook
Re: [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
On Thu, Apr 02, 2020 at 06:50:32PM +0100, Al Viro wrote:
> On Thu, Apr 02, 2020 at 07:03:28PM +0200, Christophe Leroy wrote:
>
> > user_access_begin() grants both read and write.
> >
> > This patch adds user_read_access_begin() and user_write_access_begin() but
> > it doesn't remove user_access_begin()
>
> Ouch... So the most generic name is for the rarest case?
>
> > > What should we do about that? Do we prohibit such blocks outside
> > > of arch?
> > >
> > > What should we do about arm and s390? There we want a cookie passed
> > > from beginning of block to its end; should that be a return value?
> >
> > That was the way I implemented it in January, see
> > https://patchwork.ozlabs.org/patch/1227926/
> >
> > There was some discussion around that and most noticeable was:
> >
> > H. Peter (hpa) said about it: "I have *deep* concern with carrying state in
> > a "key" variable: it's a direct attack vector for a crowbar attack,
> > especially since it is by definition live inside a user access region."
>
> > This patch minimises the change by just adding user_read_access_begin() and
> > user_write_access_begin() keeping the same parameters as the existing
> > user_access_begin().
>
> Umm... What about the arm situation? The same concerns would apply there,
> wouldn't they? Currently we have
> static __always_inline unsigned int uaccess_save_and_enable(void)
> {
> #ifdef CONFIG_CPU_SW_DOMAIN_PAN
> unsigned int old_domain = get_domain();
>
> /* Set the current domain access to permit user accesses */
> set_domain((old_domain & ~domain_mask(DOMAIN_USER)) |
>domain_val(DOMAIN_USER, DOMAIN_CLIENT));
>
> return old_domain;
> #else
> return 0;
> #endif
> }
> and
> static __always_inline void uaccess_restore(unsigned int flags)
> {
> #ifdef CONFIG_CPU_SW_DOMAIN_PAN
> /* Restore the user access mask */
> set_domain(flags);
> #endif
> }
>
> How much do we need nesting on those, anyway? rmk?
Yup, I think it's a weakness of the ARM implementation and I'd like to
not extend it further. AFAIK we should never nest, but I would not be
surprised at all if we did.
If we were looking at a design goal for all architectures, I'd like
to be doing what the public PaX patchset did for their memory access
switching, which is to alarm if calling into "enable" found the access
already enabled, etc. Such a condition would show an unexpected nesting
(like we've seen with similar constructs with set_fs() not getting reset
during an exception handler, etc etc).
--
Kees Cook
Re: [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
On Thu, Apr 02, 2020 at 07:03:28PM +0200, Christophe Leroy wrote: > > What should we do about arm and s390? There we want a cookie passed > > from beginning of block to its end; should that be a return value? > > That was the way I implemented it in January, see > https://patchwork.ozlabs.org/patch/1227926/ > > There was some discussion around that and most noticeable was: > > H. Peter (hpa) said about it: "I have *deep* concern with carrying state in > a "key" variable: it's a direct attack vector for a crowbar attack, > especially since it is by definition live inside a user access region." I share this concern -- we want to keep user/kernel access as static as possible. It should be provable with static analysis, etc (e.g. objtool does this already for x86). Since this doesn't disrupt existing R+W access, I'd prefer the design of this series as-is. -- Kees Cook
Re: [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
On Thu, Apr 02, 2020 at 07:34:16AM +, Christophe Leroy wrote:
> Some architectures like powerpc64 have the capability to separate
> read access and write access protection.
> For get_user() and copy_from_user(), powerpc64 only open read access.
> For put_user() and copy_to_user(), powerpc64 only open write access.
> But when using unsafe_get_user() or unsafe_put_user(),
> user_access_begin open both read and write.
>
> Other architectures like powerpc book3s 32 bits only allow write
> access protection. And on this architecture protection is an heavy
> operation as it requires locking/unlocking per segment of 256Mbytes.
> On those architecture it is therefore desirable to do the unlocking
> only for write access. (Note that book3s/32 ranges from very old
> powermac from the 90's with powerpc 601 processor, till modern
> ADSL boxes with PowerQuicc II modern processors for instance so it
> is still worth considering)
>
> In order to avoid any risk based of hacking some variable parameters
> passed to user_access_begin/end that would allow hacking and
> leaving user access open or opening too much, it is preferable to
> use dedicated static functions that can't be overridden.
>
> Add a user_read_access_begin and user_read_access_end to only open
> read access.
>
> Add a user_write_access_begin and user_write_access_end to only open
> write access.
>
> By default, when undefined, those new access helpers default on the
> existing user_access_begin and user_access_end.
>
> Signed-off-by: Christophe Leroy
Reviewed-by: Kees Cook
-Kees
> Link: https://patchwork.ozlabs.org/patch/1227926/
> ---
> Resending this series as I mistakenly only sent it to powerpc list
> begining of February (https://patchwork.ozlabs.org/patch/1233172/)
>
> This series is based on the discussion we had in January, see
> https://patchwork.ozlabs.org/patch/1227926/ . I tried to
> take into account all remarks, especially @hpa 's remark to use
> a fixed API on not base the relocking on a magic id returned at
> unlocking.
>
> This series is awaited for implementing selective lkdtm test to
> test powerpc64 independant read and write protection, see
> https://patchwork.ozlabs.org/patch/1231765/
>
> include/linux/uaccess.h | 8
> 1 file changed, 8 insertions(+)
>
> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> index 67f016010aad..9861c89f93be 100644
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -378,6 +378,14 @@ extern long strnlen_unsafe_user(const void __user
> *unsafe_addr, long count);
> static inline unsigned long user_access_save(void) { return 0UL; }
> static inline void user_access_restore(unsigned long flags) { }
> #endif
> +#ifndef user_write_access_begin
> +#define user_write_access_begin user_access_begin
> +#define user_write_access_end user_access_end
> +#endif
> +#ifndef user_read_access_begin
> +#define user_read_access_begin user_access_begin
> +#define user_read_access_end user_access_end
> +#endif
>
> #ifdef CONFIG_HARDENED_USERCOPY
> void usercopy_warn(const char *name, const char *detail, bool to_user,
> --
> 2.25.0
>
--
Kees Cook
Re: [PATCH RESEND 4/4] powerpc/uaccess: Implement user_read_access_begin and user_write_access_begin
On Thu, Apr 02, 2020 at 07:34:19AM +, Christophe Leroy wrote:
> Add support for selective read or write user access with
> user_read_access_begin/end and user_write_access_begin/end.
>
> Signed-off-by: Christophe Leroy
Reviewed-by: Kees Cook
-Kees
> ---
> arch/powerpc/include/asm/book3s/32/kup.h | 4 ++--
> arch/powerpc/include/asm/kup.h | 14 +-
> arch/powerpc/include/asm/uaccess.h | 22 ++
> 3 files changed, 37 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/book3s/32/kup.h
> b/arch/powerpc/include/asm/book3s/32/kup.h
> index 3c0ba22dc360..1617e73bee30 100644
> --- a/arch/powerpc/include/asm/book3s/32/kup.h
> +++ b/arch/powerpc/include/asm/book3s/32/kup.h
> @@ -108,7 +108,7 @@ static __always_inline void allow_user_access(void __user
> *to, const void __user
> u32 addr, end;
>
> BUILD_BUG_ON(!__builtin_constant_p(dir));
> - BUILD_BUG_ON(dir == KUAP_CURRENT);
> + BUILD_BUG_ON(dir & ~KUAP_READ_WRITE);
>
> if (!(dir & KUAP_WRITE))
> return;
> @@ -131,7 +131,7 @@ static __always_inline void prevent_user_access(void
> __user *to, const void __us
>
> BUILD_BUG_ON(!__builtin_constant_p(dir));
>
> - if (dir == KUAP_CURRENT) {
> + if (dir & KUAP_CURRENT_WRITE) {
> u32 kuap = current->thread.kuap;
>
> if (unlikely(!kuap))
> diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h
> index 92bcd1a26d73..c745ee41ad66 100644
> --- a/arch/powerpc/include/asm/kup.h
> +++ b/arch/powerpc/include/asm/kup.h
> @@ -10,7 +10,9 @@
> * Use the current saved situation instead of the to/from/size params.
> * Used on book3s/32
> */
> -#define KUAP_CURRENT 4
> +#define KUAP_CURRENT_READ4
> +#define KUAP_CURRENT_WRITE 8
> +#define KUAP_CURRENT (KUAP_CURRENT_READ | KUAP_CURRENT_WRITE)
>
> #ifdef CONFIG_PPC64
> #include
> @@ -101,6 +103,16 @@ static inline void prevent_current_access_user(void)
> prevent_user_access(NULL, NULL, ~0UL, KUAP_CURRENT);
> }
>
> +static inline void prevent_current_read_from_user(void)
> +{
> + prevent_user_access(NULL, NULL, ~0UL, KUAP_CURRENT_READ);
> +}
> +
> +static inline void prevent_current_write_to_user(void)
> +{
> + prevent_user_access(NULL, NULL, ~0UL, KUAP_CURRENT_WRITE);
> +}
> +
> #endif /* !__ASSEMBLY__ */
>
> #endif /* _ASM_POWERPC_KUAP_H_ */
> diff --git a/arch/powerpc/include/asm/uaccess.h
> b/arch/powerpc/include/asm/uaccess.h
> index 2f500debae21..4427d419eb1d 100644
> --- a/arch/powerpc/include/asm/uaccess.h
> +++ b/arch/powerpc/include/asm/uaccess.h
> @@ -468,6 +468,28 @@ static __must_check inline bool user_access_begin(const
> void __user *ptr, size_t
> #define user_access_save prevent_user_access_return
> #define user_access_restore restore_user_access
>
> +static __must_check inline bool
> +user_read_access_begin(const void __user *ptr, size_t len)
> +{
> + if (unlikely(!access_ok(ptr, len)))
> + return false;
> + allow_read_from_user(ptr, len);
> + return true;
> +}
> +#define user_read_access_begin user_read_access_begin
> +#define user_read_access_end prevent_current_read_from_user
> +
> +static __must_check inline bool
> +user_write_access_begin(const void __user *ptr, size_t len)
> +{
> + if (unlikely(!access_ok(ptr, len)))
> + return false;
> + allow_write_to_user((void __user *)ptr, len);
> + return true;
> +}
> +#define user_write_access_begin user_write_access_begin
> +#define user_write_access_end prevent_current_write_to_user
> +
> #define unsafe_op_wrap(op, err) do { if (unlikely(op)) goto err; } while (0)
> #define unsafe_get_user(x, p, e) unsafe_op_wrap(__get_user_allowed(x, p), e)
> #define unsafe_put_user(x, p, e) unsafe_op_wrap(__put_user_allowed(x, p), e)
> --
> 2.25.0
>
--
Kees Cook
Re: [PATCH RESEND 3/4] drm/i915/gem: Replace user_access_begin by user_write_access_begin
On Thu, Apr 02, 2020 at 07:34:18AM +, Christophe Leroy wrote:
> When i915_gem_execbuffer2_ioctl() is using user_access_begin(),
> that's only to perform unsafe_put_user() so use
> user_write_access_begin() in order to only open write access.
>
> Signed-off-by: Christophe Leroy
Why is this split from the other conversions?
Reviewed-by: Kees Cook
> ---
> drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 11 ++-
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> index 7643a30ba4cd..4be8205a70b6 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> @@ -1611,14 +1611,14 @@ static int eb_copy_relocations(const struct
> i915_execbuffer *eb)
>* happened we would make the mistake of assuming that the
>* relocations were valid.
>*/
> - if (!user_access_begin(urelocs, size))
> + if (!user_write_access_begin(urelocs, size))
> goto end;
>
> for (copied = 0; copied < nreloc; copied++)
> unsafe_put_user(-1,
> [copied].presumed_offset,
> end_user);
> - user_access_end();
> + user_write_access_end();
>
> eb->exec[i].relocs_ptr = (uintptr_t)relocs;
> }
> @@ -1626,7 +1626,7 @@ static int eb_copy_relocations(const struct
> i915_execbuffer *eb)
> return 0;
>
> end_user:
> - user_access_end();
> + user_write_access_end();
> end:
> kvfree(relocs);
> err = -EFAULT;
> @@ -2991,7 +2991,8 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void
> *data,
>* And this range already got effectively checked earlier
>* when we did the "copy_from_user()" above.
>*/
> - if (!user_access_begin(user_exec_list, count *
> sizeof(*user_exec_list)))
> + if (!user_write_access_begin(user_exec_list,
> + count * sizeof(*user_exec_list)))
> goto end;
>
> for (i = 0; i < args->buffer_count; i++) {
> @@ -3005,7 +3006,7 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void
> *data,
> end_user);
> }
> end_user:
> - user_access_end();
> + user_write_access_end();
> end:;
> }
>
> --
> 2.25.0
>
--
Kees Cook
Re: [PATCH RESEND 2/4] uaccess: Selectively open read or write user access
On Thu, Apr 02, 2020 at 07:34:17AM +, Christophe Leroy wrote:
> [...]
> diff --git a/kernel/compat.c b/kernel/compat.c
> index 843dd17e6078..705ca7e418c6 100644
> --- a/kernel/compat.c
> +++ b/kernel/compat.c
> @@ -199,7 +199,7 @@ long compat_get_bitmap(unsigned long *mask, const
> compat_ulong_t __user *umask,
> bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
> nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
>
> - if (!user_access_begin(umask, bitmap_size / 8))
> + if (!user_write_access_begin(umask, bitmap_size / 8))
This looks mismatched: should be user_read_access_begin()?
> return -EFAULT;
>
> while (nr_compat_longs > 1) {
> @@ -211,11 +211,11 @@ long compat_get_bitmap(unsigned long *mask, const
> compat_ulong_t __user *umask,
> }
> if (nr_compat_longs)
> unsafe_get_user(*mask, umask++, Efault);
> - user_access_end();
> + user_read_access_end();
> return 0;
>
> Efault:
> - user_access_end();
> + user_read_access_end();
> return -EFAULT;
> }
(These correctly end read access.)
>
> @@ -228,7 +228,7 @@ long compat_put_bitmap(compat_ulong_t __user *umask,
> unsigned long *mask,
> bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
> nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
>
> - if (!user_access_begin(umask, bitmap_size / 8))
> + if (!user_read_access_begin(umask, bitmap_size / 8))
And ..._write_... here?
> return -EFAULT;
>
> while (nr_compat_longs > 1) {
> @@ -239,10 +239,10 @@ long compat_put_bitmap(compat_ulong_t __user *umask,
> unsigned long *mask,
> }
> if (nr_compat_longs)
> unsafe_put_user((compat_ulong_t)*mask, umask++, Efault);
> - user_access_end();
> + user_write_access_end();
> return 0;
> Efault:
> - user_access_end();
> + user_write_access_end();
> return -EFAULT;
> }
(These correctly end write access.)
All the others look correct. With the above fixed:
Reviewed-by: Kees Cook
--
Kees Cook
Re: [PATCH] selftest/lkdtm: Use local .gitignore
On Thu, Feb 27, 2020 at 02:07:10PM +, Christophe Leroy wrote:
> Commit 68ca0fd272da ("selftest/lkdtm: Don't pollute 'git status'")
> introduced patterns for git to ignore files generated in
> tools/testing/selftests/lkdtm/
>
> Use local .gitignore file instead of using the root one.
>
> Fixes: 68ca0fd272da ("selftest/lkdtm: Don't pollute 'git status'")
> Signed-off-by: Christophe Leroy
Yeah, that's better. Thanks!
Acked-by: Kees Cook
-Kees
> ---
> .gitignore | 4
> tools/testing/selftests/lkdtm/.gitignore | 2 ++
> 2 files changed, 2 insertions(+), 4 deletions(-)
> create mode 100644 tools/testing/selftests/lkdtm/.gitignore
>
> diff --git a/.gitignore b/.gitignore
> index bb05dce58f8e..b849a72d69d5 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -100,10 +100,6 @@ modules.order
> /include/ksym/
> /arch/*/include/generated/
>
> -# Generated lkdtm tests
> -/tools/testing/selftests/lkdtm/*.sh
> -!/tools/testing/selftests/lkdtm/run.sh
> -
> # stgit generated dirs
> patches-*
>
> diff --git a/tools/testing/selftests/lkdtm/.gitignore
> b/tools/testing/selftests/lkdtm/.gitignore
> new file mode 100644
> index ..f26212605b6b
> --- /dev/null
> +++ b/tools/testing/selftests/lkdtm/.gitignore
> @@ -0,0 +1,2 @@
> +*.sh
> +!run.sh
> --
> 2.25.0
>
--
Kees Cook
Re: [PATCH v5 3/8] powerpc/mm/ptdump: debugfs handler for W+X checks at runtime
On Wed, Feb 26, 2020 at 05:35:46PM +1100, Russell Currey wrote:
> Very rudimentary, just
>
> echo 1 > [debugfs]/check_wx_pages
>
> and check the kernel log. Useful for testing strict module RWX.
>
> Updated the Kconfig entry to reflect this.
Oh, I like this! This would be handy to have on all architectures.
Reviewed-by: Kees Cook
-Kees
>
> Also fixed a typo.
>
> Signed-off-by: Russell Currey
> ---
> arch/powerpc/Kconfig.debug | 6 --
> arch/powerpc/mm/ptdump/ptdump.c | 21 -
> 2 files changed, 24 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
> index 0b063830eea8..e37960ef68c6 100644
> --- a/arch/powerpc/Kconfig.debug
> +++ b/arch/powerpc/Kconfig.debug
> @@ -370,7 +370,7 @@ config PPC_PTDUMP
> If you are unsure, say N.
>
> config PPC_DEBUG_WX
> - bool "Warn on W+X mappings at boot"
> + bool "Warn on W+X mappings at boot & enable manual checks at runtime"
> depends on PPC_PTDUMP && STRICT_KERNEL_RWX
> help
> Generate a warning if any W+X mappings are found at boot.
> @@ -384,7 +384,9 @@ config PPC_DEBUG_WX
> of other unfixed kernel bugs easier.
>
> There is no runtime or memory usage effect of this option
> - once the kernel has booted up - it's a one time check.
> + once the kernel has booted up, it only automatically checks once.
> +
> + Enables the "check_wx_pages" debugfs entry for checking at runtime.
>
> If in doubt, say "Y".
>
> diff --git a/arch/powerpc/mm/ptdump/ptdump.c b/arch/powerpc/mm/ptdump/ptdump.c
> index 206156255247..a15e19a3b14e 100644
> --- a/arch/powerpc/mm/ptdump/ptdump.c
> +++ b/arch/powerpc/mm/ptdump/ptdump.c
> @@ -4,7 +4,7 @@
> *
> * This traverses the kernel pagetables and dumps the
> * information about the used sections of memory to
> - * /sys/kernel/debug/kernel_pagetables.
> + * /sys/kernel/debug/kernel_page_tables.
> *
> * Derived from the arm64 implementation:
> * Copyright (c) 2014, The Linux Foundation, Laura Abbott.
> @@ -413,6 +413,25 @@ void ptdump_check_wx(void)
> else
> pr_info("Checked W+X mappings: passed, no W+X pages found\n");
> }
> +
> +static int check_wx_debugfs_set(void *data, u64 val)
> +{
> + if (val != 1ULL)
> + return -EINVAL;
> +
> + ptdump_check_wx();
> +
> + return 0;
> +}
> +
> +DEFINE_SIMPLE_ATTRIBUTE(check_wx_fops, NULL, check_wx_debugfs_set, "%llu\n");
> +
> +static int ptdump_check_wx_init(void)
> +{
> + return debugfs_create_file("check_wx_pages", 0200, NULL,
> +NULL, _wx_fops) ? 0 : -ENOMEM;
> +}
> +device_initcall(ptdump_check_wx_init);
> #endif
>
> static int ptdump_init(void)
> --
> 2.25.1
>
--
Kees Cook
Re: [PATCH] selftest/lkdtm: Don't pollute 'git status'
On Thu, Feb 06, 2020 at 08:11:39AM +, Christophe Leroy wrote:
> Commit 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets")
> added generation of lkdtm test scripts.
>
> Ignore those generated scripts when performing 'git status'
>
> Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets")
> Signed-off-by: Christophe Leroy
Ah! Yes, a very good idea. Thanks!
Reviewed-by: Kees Cook
-Kees
> ---
> .gitignore | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/.gitignore b/.gitignore
> index b849a72d69d5..bb05dce58f8e 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -100,6 +100,10 @@ modules.order
> /include/ksym/
> /arch/*/include/generated/
>
> +# Generated lkdtm tests
> +/tools/testing/selftests/lkdtm/*.sh
> +!/tools/testing/selftests/lkdtm/run.sh
> +
> # stgit generated dirs
> patches-*
>
> --
> 2.25.0
>
--
Kees Cook
Re: [PATCH] lkdtm: Test KUAP directional user access unlocks on powerpc
On Fri, Jan 31, 2020 at 05:53:14PM +1100, Russell Currey wrote: > Correct, the ACCESS_USERSPACE test does the same thing. Splitting this > into separate R and W tests makes sense, even if it is unlikely that > one would be broken without the other. That would be my preference too -- the reason it wasn't separated before was because it was one big toggle before. I just had both directions in the test out of a desire for completeness. Splitting into WRITE_USERSPACE and READ_USERSPACE seems good. Though if you want to test functionality (read while only write disabled), then I'm not sure what that should look like. Does the new user_access_begin() API provide a way to query existing state? I'll go read the series... -- Kees Cook
Re: [PATCH] init: fix misleading "This architecture does not have kernel memory protection" message
On Thu, Jan 09, 2020 at 08:15:01AM +, Christophe Leroy wrote:
> This message leads to think that memory protection is not implemented
> for the said architecture, whereas absence of CONFIG_STRICT_KERNEL_RWX
> only means that memory protection has not been selected at
> compile time.
>
> Don't print this message when CONFIG_ARCH_HAS_STRICT_KERNEL_RWX is
> selected by the architecture. Instead, print "Kernel memory protection
> not selected by kernel config."
>
> Signed-off-by: Christophe Leroy
Oh, yes, I like this. Should the message include a hint to the config
name?
Regardless:
Acked-by: Kees Cook
-Kees
> ---
> init/main.c | 5 +
> 1 file changed, 5 insertions(+)
>
> diff --git a/init/main.c b/init/main.c
> index 2cd736059416..fd31b15cc910 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -1090,6 +1090,11 @@ static void mark_readonly(void)
> } else
> pr_info("Kernel memory protection disabled.\n");
> }
> +#elif defined(CONFIG_ARCH_HAS_STRICT_KERNEL_RWX)
> +static inline void mark_readonly(void)
> +{
> + pr_warn("Kernel memory protection not selected by kernel config.\n");
> +}
> #else
> static inline void mark_readonly(void)
> {
> --
> 2.13.3
>
--
Kees Cook
Re: [PATCH 0/6] implement KASLR for powerpc/fsl_booke/64
On Fri, Nov 15, 2019 at 05:32:03PM +0800, Jason Yan wrote: > This is a try to implement KASLR for Freescale BookE64 which is based on > my earlier implementation for Freescale BookE32: > https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=131718 Whee! :) I've updated https://github.com/KSPP/linux/issues/3 with a link to this current series. -- Kees Cook
Re: [PATCH v15 0/9] open: introduce openat2(2) syscall
On Tue, Nov 12, 2019 at 12:24:04AM +1100, Aleksa Sarai wrote: > On 2019-11-05, Aleksa Sarai wrote: > > This patchset is being developed here: > > <https://github.com/cyphar/linux/tree/openat2/master> > > > > Patch changelog: > > v15: > > * Fix code style for LOOKUP_IN_ROOT handling in path_init(). [Linus > > Torvalds] > > * Split out patches for each individual LOOKUP flag. > > * Reword commit messages to give more background information about the > > series, as well as mention the semantics of each flag in more detail. > > [...] > > Ping -- this patch hasn't been touched for a week. Thanks. If I've been following correctly, everyone is happy with this series. (i.e. Linus's comment appear to have been addressed.) Perhaps the next question is should this go via a pull request by you to Linus directly during the v5.5 merge window, via akpm, via akpm, via Christian, or some other path? Besides Linus, it's not been clear who should "claim" this series. :) -- Kees Cook
Re: [PATCH v2 11/29] vmlinux.lds.h: Replace RODATA with RO_DATA
On Mon, Nov 11, 2019 at 07:08:51PM +0100, Geert Uytterhoeven wrote: > Hi Kees, > > On Mon, Nov 11, 2019 at 6:23 PM Kees Cook wrote: > > On Mon, Nov 11, 2019 at 05:58:06PM +0100, Geert Uytterhoeven wrote: > > > On Fri, Oct 11, 2019 at 2:07 AM Kees Cook wrote: > > > > There's no reason to keep the RODATA macro: replace the callers with > > > > the expected RO_DATA macro. > > > > > > > > Signed-off-by: Kees Cook > > > > --- > > > > arch/alpha/kernel/vmlinux.lds.S | 2 +- > > > > arch/ia64/kernel/vmlinux.lds.S | 2 +- > > > > arch/microblaze/kernel/vmlinux.lds.S | 2 +- > > > > arch/mips/kernel/vmlinux.lds.S | 2 +- > > > > arch/um/include/asm/common.lds.S | 2 +- > > > > arch/xtensa/kernel/vmlinux.lds.S | 2 +- > > > > include/asm-generic/vmlinux.lds.h| 4 +--- > > > > 7 files changed, 7 insertions(+), 9 deletions(-) > > > > > > Somehow you missed: > > > > > > arch/m68k/kernel/vmlinux-std.lds: RODATA > > > arch/m68k/kernel/vmlinux-sun3.lds: RODATA > > > > Argh. I've sent a patch; sorry and thanks for catching this. For my own > > cross-build testing, which defconfig targets will hit these two linker > > scripts? > > vmlinux-sun3.lds: sun3_defconfig > vmlinux-std.lds: All other classic 680x0 targets with an MMU, e.g. plain > defconfig aka multi_defconfig. Excellent, thank you; I've updated my multi-arch build list. :) -- Kees Cook
Re: [PATCH v2 11/29] vmlinux.lds.h: Replace RODATA with RO_DATA
On Mon, Nov 11, 2019 at 05:58:06PM +0100, Geert Uytterhoeven wrote:
> Hi Kees,
>
> On Fri, Oct 11, 2019 at 2:07 AM Kees Cook wrote:
> > There's no reason to keep the RODATA macro: replace the callers with
> > the expected RO_DATA macro.
> >
> > Signed-off-by: Kees Cook
> > ---
> > arch/alpha/kernel/vmlinux.lds.S | 2 +-
> > arch/ia64/kernel/vmlinux.lds.S | 2 +-
> > arch/microblaze/kernel/vmlinux.lds.S | 2 +-
> > arch/mips/kernel/vmlinux.lds.S | 2 +-
> > arch/um/include/asm/common.lds.S | 2 +-
> > arch/xtensa/kernel/vmlinux.lds.S | 2 +-
> > include/asm-generic/vmlinux.lds.h| 4 +---
> > 7 files changed, 7 insertions(+), 9 deletions(-)
>
> Somehow you missed:
>
> arch/m68k/kernel/vmlinux-std.lds: RODATA
> arch/m68k/kernel/vmlinux-sun3.lds: RODATA
Argh. I've sent a patch; sorry and thanks for catching this. For my own
cross-build testing, which defconfig targets will hit these two linker
scripts?
-Kees
>
> Leading to build failures in next-2019:
>
>
> /opt/cross/kisskb/gcc-4.6.3-nolibc/m68k-linux/bin/m68k-linux-ld:./arch/m68k/kernel/vmlinux.lds:29:
> syntax error
> make[1]: *** [/kisskb/src/Makefile:1075: vmlinux] Error 1
>
> Reported-by: nore...@ellerman.id.au
> http://kisskb.ellerman.id.au/kisskb/buildresult/14022846/
>
> Gr{oetje,eeting}s,
>
> Geert
>
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 --
> ge...@linux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like
> that.
> -- Linus Torvalds
--
Kees Cook
[tip: x86/build] h8300: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip: Commit-ID: 380e57e2d41e9631132beccac30058228dfd376f Gitweb: https://git.kernel.org/tip/380e57e2d41e9631132beccac30058228dfd376f Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:42 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 18:12:55 +01:00 h8300: Move EXCEPTION_TABLE to RO_DATA segment Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: Geert Uytterhoeven Cc: Heiko Carstens Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Michael Ellerman Cc: Michal Simek Cc: Rick Edgecombe Cc: Segher Boessenkool Cc: uclinux-h8-de...@lists.sourceforge.jp Cc: Will Deacon Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-21-keesc...@chromium.org --- arch/h8300/kernel/vmlinux.lds.S | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S index 2ac7bdc..6b1afc2 100644 --- a/arch/h8300/kernel/vmlinux.lds.S +++ b/arch/h8300/kernel/vmlinux.lds.S @@ -1,4 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ + +#define RO_EXCEPTION_TABLE_ALIGN 16 + #include #include #include @@ -37,7 +40,6 @@ SECTIONS #endif _etext = . ; } - EXCEPTION_TABLE(16) RO_DATA(4) ROMEND = .; #if defined(CONFIG_ROMKERNEL)
[tip: x86/build] x86/vmlinux: Restore "text" Program Header with dummy section
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 7a42d41d9dc2829bdf589db855ce3f948de2da6b
Gitweb:
https://git.kernel.org/tip/7a42d41d9dc2829bdf589db855ce3f948de2da6b
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:29 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:36 +01:00
x86/vmlinux: Restore "text" Program Header with dummy section
In a linker script, if one places a section in one or more segments using
":PHDR", then the linker will place all subsequent allocatable sections,
which do not specify ":PHDR", into the same segments. In order to have
the NOTES section in both PT_LOAD (":text") and PT_NOTE (":note"), both
segments are marked, and the only way to undo this to keep subsequent
sections out of PT_NOTE is to mark the following section with just the
single desired PT_LOAD (":text").
In preparation for having a common NOTES macro, perform the segment
assignment using a dummy section (as done by other architectures).
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: Yoshinori Sato
Cc: x86-ml
Link: https://lkml.kernel.org/r/20191029211351.13243-8-keesc...@chromium.org
---
arch/x86/kernel/vmlinux.lds.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index e2feacf..788e789 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -147,8 +147,9 @@ SECTIONS
} :text = 0x9090
NOTES :text :note
+ .dummy : { *(.dummy) } :text
- EXCEPTION_TABLE(16) :text = 0x9090
+ EXCEPTION_TABLE(16)
/* .text should occupy whole number of pages */
. = ALIGN(PAGE_SIZE);
[tip: x86/build] xtensa: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 94174c9b71c62a0e1a4364c2594e1422ba8fffcd
Gitweb:
https://git.kernel.org/tip/94174c9b71c62a0e1a4364c2594e1422ba8fffcd
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:47 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:42:27 +01:00
xtensa: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Max Filippov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Chris Zankel
Cc: Dave Hansen
Cc: Geert Uytterhoeven
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: linux-xte...@linux-xtensa.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-26-keesc...@chromium.org
---
arch/xtensa/kernel/vmlinux.lds.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
index bdbd7c4..0043d58 100644
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -14,6 +14,8 @@
* Joe Taylor
*/
+#define RO_EXCEPTION_TABLE_ALIGN 16
+
#include
#include
#include
@@ -130,7 +132,6 @@ SECTIONS
.fixup : { *(.fixup) }
- EXCEPTION_TABLE(16)
/* Data section */
_sdata = .;
[tip: x86/build] ia64: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 9b30e704dd0d9ef9d99c7f88712318840cc8a338
Gitweb:
https://git.kernel.org/tip/9b30e704dd0d9ef9d99c7f88712318840cc8a338
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:43 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:14:41 +01:00
ia64: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Fenghua Yu
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Tony Luck
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-22-keesc...@chromium.org
---
arch/ia64/kernel/vmlinux.lds.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index 11d5115..1ec6b70 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -6,6 +6,7 @@
#include
#define EMITS_PT_NOTE
+#define RO_EXCEPTION_TABLE_ALIGN 16
#include
@@ -70,7 +71,6 @@ SECTIONS {
/*
* Read-only data
*/
- EXCEPTION_TABLE(16)
/* MCA table */
. = ALIGN(16);
[tip: x86/build] x86/mm: Remove redundant address-of operators on addresses
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 2d0004d19829c84aaf2c7d48b5e2892d548970b6
Gitweb:
https://git.kernel.org/tip/2d0004d19829c84aaf2c7d48b5e2892d548970b6
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:48 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:46:55 +01:00
x86/mm: Remove redundant address-of operators on addresses
The on addresses are redundant. Remove them to match all the other
similar functions.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Heiko Carstens
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Peter Zijlstra
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Thomas Gleixner
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-27-keesc...@chromium.org
---
arch/x86/mm/init_64.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 26299e9..e67ddca 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1300,9 +1300,9 @@ void mark_rodata_ro(void)
{
unsigned long start = PFN_ALIGN(_text);
unsigned long rodata_start = PFN_ALIGN(__start_rodata);
- unsigned long end = (unsigned long) &__end_rodata_hpage_align;
- unsigned long text_end = PFN_ALIGN(&_etext);
- unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
+ unsigned long end = (unsigned long)__end_rodata_hpage_align;
+ unsigned long text_end = PFN_ALIGN(_etext);
+ unsigned long rodata_end = PFN_ALIGN(__end_rodata);
unsigned long all_end;
printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
[tip: x86/build] vmlinux.lds.h: Replace RODATA with RO_DATA
The following commit has been merged into the x86/build branch of tip:
Commit-ID: c82318254d15e5f83c75f60aedf2bb9eb408308f
Gitweb:
https://git.kernel.org/tip/c82318254d15e5f83c75f60aedf2bb9eb408308f
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:33 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:53:15 +01:00
vmlinux.lds.h: Replace RODATA with RO_DATA
There's no reason to keep the RODATA macro: replace the callers with
the expected RO_DATA macro.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-12-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 2 +-
arch/ia64/kernel/vmlinux.lds.S | 2 +-
arch/microblaze/kernel/vmlinux.lds.S | 2 +-
arch/mips/kernel/vmlinux.lds.S | 2 +-
arch/um/include/asm/common.lds.S | 2 +-
arch/xtensa/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h| 4 +---
7 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index bf28043..af41181 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -34,7 +34,7 @@ SECTIONS
swapper_pg_dir = SWAPPER_PGD;
_etext = .; /* End of text section */
- RODATA
+ RO_DATA(4096)
EXCEPTION_TABLE(16)
/* Will be freed after init */
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index fae0775..11d5115 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -104,7 +104,7 @@ SECTIONS {
code_continues2 : {
} :text
- RODATA
+ RO_DATA(4096)
.opd : AT(ADDR(.opd) - LOAD_OFFSET) {
__start_opd = .;
diff --git a/arch/microblaze/kernel/vmlinux.lds.S
b/arch/microblaze/kernel/vmlinux.lds.S
index d008e50..2299694 100644
--- a/arch/microblaze/kernel/vmlinux.lds.S
+++ b/arch/microblaze/kernel/vmlinux.lds.S
@@ -51,7 +51,7 @@ SECTIONS {
}
. = ALIGN(16);
- RODATA
+ RO_DATA(4096)
EXCEPTION_TABLE(16)
/*
diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
index 91e566d..a5f00ec 100644
--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -82,7 +82,7 @@ SECTIONS
}
_sdata = .; /* Start of data section */
- RODATA
+ RO_DATA(4096)
/* writeable */
.data : { /* Data */
diff --git a/arch/um/include/asm/common.lds.S b/arch/um/include/asm/common.lds.S
index 91aca35..7145ce6 100644
--- a/arch/um/include/asm/common.lds.S
+++ b/arch/um/include/asm/common.lds.S
@@ -9,7 +9,7 @@
_sdata = .;
PROVIDE (sdata = .);
- RODATA
+ RO_DATA(4096)
.unprotected : { *(.unprotected) }
. = ALIGN(4096);
diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
index a0a8437..b97e579 100644
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -124,7 +124,7 @@ SECTIONS
. = ALIGN(16);
- RODATA
+ RO_DATA(4096)
/* Relocation table */
diff --git a/include/asm-generic/vmlinux.lds.h
b/include/asm-generic/vmlinux.lds.h
index dc3390e..a0a989f 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -518,9 +518,7 @@
. = ALIGN((align)); \
__end_rodata = .;
-/* RODATA & RO_DATA provided for backward compatibility.
- * All archs are supposed to use RO_DATA() */
-#define RODATA RO_DATA_SECTION(4096)
+/* All archs are supposed to use RO_DATA() */
#define RO_DATA(align) RO_DATA_SECTION(align)
/*
[tip: x86/build] arm64: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip: Commit-ID: 19f6bc32c6f4216e099963f416de91eba7ca1430 Gitweb: https://git.kernel.org/tip/19f6bc32c6f4216e099963f416de91eba7ca1430 Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:40 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 18:02:35 +01:00 arm64: Move EXCEPTION_TABLE to RO_DATA segment Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Also removes the redundant ALIGN, which is already present at the end of the RO_DATA macro. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Acked-by: Will Deacon Cc: Andy Lutomirski Cc: Ard Biesheuvel Cc: Arnd Bergmann Cc: Catalin Marinas Cc: Dave Hansen Cc: Heiko Carstens Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Michael Ellerman Cc: Michal Simek Cc: Peter Collingbourne Cc: Rick Edgecombe Cc: Segher Boessenkool Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-19-keesc...@chromium.org --- arch/arm64/kernel/vmlinux.lds.S | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index a4b3e6c..9128a26 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -5,6 +5,8 @@ * Written by Martin Mares */ +#define RO_EXCEPTION_TABLE_ALIGN 8 + #include #include #include @@ -135,10 +137,9 @@ SECTIONS . = ALIGN(SEGMENT_ALIGN); _etext = .; /* End of text section */ - RO_DATA(PAGE_SIZE) /* everything from this point to */ - EXCEPTION_TABLE(8) /* __init_begin will be marked RO NX */ + /* everything from this point to __init_begin will be marked RO NX */ + RO_DATA(PAGE_SIZE) - . = ALIGN(PAGE_SIZE); idmap_pg_dir = .; . += IDMAP_DIR_SIZE;
[tip: x86/build] alpha: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip: Commit-ID: 172c8b85dccf331826deda9ef6d7e75fa4f2b3e2 Gitweb: https://git.kernel.org/tip/172c8b85dccf331826deda9ef6d7e75fa4f2b3e2 Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:39 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 17:57:56 +01:00 alpha: Move EXCEPTION_TABLE to RO_DATA segment Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: Geert Uytterhoeven Cc: Heiko Carstens Cc: Ivan Kokshaysky Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Matt Turner Cc: Michael Ellerman Cc: Michal Simek Cc: Richard Henderson Cc: Rick Edgecombe Cc: Segher Boessenkool Cc: Will Deacon Cc: x...@kernel.org Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-18-keesc...@chromium.org --- arch/alpha/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S index edc45f4..bc6f727 100644 --- a/arch/alpha/kernel/vmlinux.lds.S +++ b/arch/alpha/kernel/vmlinux.lds.S @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ #define EMITS_PT_NOTE +#define RO_EXCEPTION_TABLE_ALIGN 16 #include #include @@ -35,7 +36,6 @@ SECTIONS _etext = .; /* End of text section */ RO_DATA(4096) - EXCEPTION_TABLE(16) /* Will be freed after init */ __init_begin = ALIGN(PAGE_SIZE);
[tip: x86/build] c6x: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 1e51cd538809112a6ac702a48e9719a75152c902
Gitweb:
https://git.kernel.org/tip/1e51cd538809112a6ac702a48e9719a75152c902
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:41 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:10:58 +01:00
c6x: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Aurelien Jacquiot
Cc: Dave Hansen
Cc: Geert Uytterhoeven
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Mark Salter
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-20-keesc...@chromium.org
---
arch/c6x/kernel/vmlinux.lds.S | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/c6x/kernel/vmlinux.lds.S b/arch/c6x/kernel/vmlinux.lds.S
index a3547f9..ac99ba0 100644
--- a/arch/c6x/kernel/vmlinux.lds.S
+++ b/arch/c6x/kernel/vmlinux.lds.S
@@ -5,6 +5,9 @@
* Copyright (C) 2010, 2011 Texas Instruments Incorporated
* Mark Salter
*/
+
+#define RO_EXCEPTION_TABLE_ALIGN 16
+
#include
#include
#include
@@ -80,8 +83,6 @@ SECTIONS
*(.gnu.warning)
}
- EXCEPTION_TABLE(16)
-
RO_DATA(PAGE_SIZE)
.const :
{
[tip: x86/build] parisc: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 6e85e23ef2d004def8e1acd36eb155411499b7cc
Gitweb:
https://git.kernel.org/tip/6e85e23ef2d004def8e1acd36eb155411499b7cc
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:45 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:22:10 +01:00
parisc: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Helge Deller
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Geert Uytterhoeven
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-par...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Sven Schnelle
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-24-keesc...@chromium.org
---
arch/parisc/kernel/vmlinux.lds.S | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/parisc/kernel/vmlinux.lds.S b/arch/parisc/kernel/vmlinux.lds.S
index 12b3d7d..53e29d8 100644
--- a/arch/parisc/kernel/vmlinux.lds.S
+++ b/arch/parisc/kernel/vmlinux.lds.S
@@ -19,6 +19,7 @@
*(.data..vm0.pte)
#define CC_USING_PATCHABLE_FUNCTION_ENTRY
+#define RO_EXCEPTION_TABLE_ALIGN 8
#include
@@ -129,9 +130,6 @@ SECTIONS
RO_DATA(8)
- /* RO because of BUILDTIME_EXTABLE_SORT */
- EXCEPTION_TABLE(8)
-
/* unwind info */
.PARISC.unwind : {
__start___unwind = .;
[tip: x86/build] x86/mm: Report which part of kernel image is freed
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 5494c3a6a0b965906ffdcb620d94079ea4cb69ea
Gitweb:
https://git.kernel.org/tip/5494c3a6a0b965906ffdcb620d94079ea4cb69ea
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:49 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:50:33 +01:00
x86/mm: Report which part of kernel image is freed
The memory freeing report wasn't very useful for figuring out which
parts of the kernel image were being freed. Add the details for clearer
reporting in dmesg.
Before:
Freeing unused kernel image memory: 1348K
Write protecting the kernel read-only data: 20480k
Freeing unused kernel image memory: 2040K
Freeing unused kernel image memory: 172K
After:
Freeing unused kernel image (initmem) memory: 1348K
Write protecting the kernel read-only data: 20480k
Freeing unused kernel image (text/rodata gap) memory: 2040K
Freeing unused kernel image (rodata/data gap) memory: 172K
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Heiko Carstens
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Peter Zijlstra
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Thomas Gleixner
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-28-keesc...@chromium.org
---
arch/x86/include/asm/processor.h | 2 +-
arch/x86/mm/init.c | 8
arch/x86/mm/init_64.c| 6 --
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 6e0a3b4..790f250 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -958,7 +958,7 @@ static inline uint32_t hypervisor_cpuid_base(const char
*sig, uint32_t leaves)
extern unsigned long arch_align_stack(unsigned long sp);
void free_init_pages(const char *what, unsigned long begin, unsigned long end);
-extern void free_kernel_image_pages(void *begin, void *end);
+extern void free_kernel_image_pages(const char *what, void *begin, void *end);
void default_idle(void);
#ifdef CONFIG_XEN
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
index fd10d91..e7bb483 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -829,14 +829,13 @@ void free_init_pages(const char *what, unsigned long
begin, unsigned long end)
* used for the kernel image only. free_init_pages() will do the
* right thing for either kind of address.
*/
-void free_kernel_image_pages(void *begin, void *end)
+void free_kernel_image_pages(const char *what, void *begin, void *end)
{
unsigned long begin_ul = (unsigned long)begin;
unsigned long end_ul = (unsigned long)end;
unsigned long len_pages = (end_ul - begin_ul) >> PAGE_SHIFT;
-
- free_init_pages("unused kernel image", begin_ul, end_ul);
+ free_init_pages(what, begin_ul, end_ul);
/*
* PTI maps some of the kernel into userspace. For performance,
@@ -865,7 +864,8 @@ void __ref free_initmem(void)
mem_encrypt_free_decrypted_mem();
- free_kernel_image_pages(&__init_begin, &__init_end);
+ free_kernel_image_pages("unused kernel image (initmem)",
+ &__init_begin, &__init_end);
}
#ifdef CONFIG_BLK_DEV_INITRD
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index e67ddca..dcb9bc9 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1334,8 +1334,10 @@ void mark_rodata_ro(void)
set_memory_ro(start, (end-start) >> PAGE_SHIFT);
#endif
- free_kernel_image_pages((void *)text_end, (void *)rodata_start);
- free_kernel_image_pages((void *)rodata_end, (void *)_sdata);
+ free_kernel_image_pages("unused kernel image (text/rodata gap)",
+ (void *)text_end, (void *)rodata_start);
+ free_kernel_image_pages("unused kernel image (rodata/data gap)",
+ (void *)rodata_end, (void *)_sdata);
debug_checkwx();
}
[tip: x86/build] x86/vmlinux: Actually use _etext for the end of the text segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: b907693883fdcff5b492cf0cd02a0e264623055e
Gitweb:
https://git.kernel.org/tip/b907693883fdcff5b492cf0cd02a0e264623055e
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:37 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 17:54:16 +01:00
x86/vmlinux: Actually use _etext for the end of the text segment
Various calculations are using the end of the exception table (which
does not need to be executable) as the end of the text segment. Instead,
in preparation for moving the exception table into RO_DATA, move _etext
after the exception table and update the calculations.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Heiko Carstens
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Nick Desaulniers
Cc: Peter Zijlstra
Cc: Rick Edgecombe
Cc: Ross Zwisler
Cc: Segher Boessenkool
Cc: Thomas Gleixner
Cc: Thomas Lendacky
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-16-keesc...@chromium.org
---
arch/x86/include/asm/sections.h | 1 -
arch/x86/kernel/vmlinux.lds.S | 7 +++
arch/x86/mm/init_64.c | 6 +++---
arch/x86/mm/pti.c | 2 +-
4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/arch/x86/include/asm/sections.h b/arch/x86/include/asm/sections.h
index 71b32f2..036c360 100644
--- a/arch/x86/include/asm/sections.h
+++ b/arch/x86/include/asm/sections.h
@@ -6,7 +6,6 @@
#include
extern char __brk_base[], __brk_limit[];
-extern struct exception_table_entry __stop___ex_table[];
extern char __end_rodata_aligned[];
#if defined(CONFIG_X86_64)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 41362e9..a1a758e 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -143,15 +143,14 @@ SECTIONS
*(.text.__x86.indirect_thunk)
__indirect_thunk_end = .;
#endif
-
- /* End of text section */
- _etext = .;
} :text = 0x9090
EXCEPTION_TABLE(16)
- /* .text should occupy whole number of pages */
+ /* End of text section, which should occupy whole number of pages */
+ _etext = .;
. = ALIGN(PAGE_SIZE);
+
X86_ALIGN_RODATA_BEGIN
RO_DATA(PAGE_SIZE)
X86_ALIGN_RODATA_END
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index a6b5c65..26299e9 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1263,7 +1263,7 @@ int kernel_set_to_readonly;
void set_kernel_text_rw(void)
{
unsigned long start = PFN_ALIGN(_text);
- unsigned long end = PFN_ALIGN(__stop___ex_table);
+ unsigned long end = PFN_ALIGN(_etext);
if (!kernel_set_to_readonly)
return;
@@ -1282,7 +1282,7 @@ void set_kernel_text_rw(void)
void set_kernel_text_ro(void)
{
unsigned long start = PFN_ALIGN(_text);
- unsigned long end = PFN_ALIGN(__stop___ex_table);
+ unsigned long end = PFN_ALIGN(_etext);
if (!kernel_set_to_readonly)
return;
@@ -1301,7 +1301,7 @@ void mark_rodata_ro(void)
unsigned long start = PFN_ALIGN(_text);
unsigned long rodata_start = PFN_ALIGN(__start_rodata);
unsigned long end = (unsigned long) &__end_rodata_hpage_align;
- unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
+ unsigned long text_end = PFN_ALIGN(&_etext);
unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
unsigned long all_end;
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 7f21404..44a9f06 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -574,7 +574,7 @@ static void pti_clone_kernel_text(void)
*/
unsigned long start = PFN_ALIGN(_text);
unsigned long end_clone = (unsigned long)__end_rodata_aligned;
- unsigned long end_global = PFN_ALIGN((unsigned long)__stop___ex_table);
+ unsigned long end_global = PFN_ALIGN((unsigned long)_etext);
if (!pti_kernel_image_global_ok())
return;
[tip: x86/build] x86/vmlinux: Use INT3 instead of NOP for linker fill bytes
The following commit has been merged into the x86/build branch of tip: Commit-ID: 7705dc8557973d8ad8f10840f61d8ec805695e9e Gitweb: https://git.kernel.org/tip/7705dc8557973d8ad8f10840f61d8ec805695e9e Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:51 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 19:10:08 +01:00 x86/vmlinux: Use INT3 instead of NOP for linker fill bytes Instead of using 0x90 (NOP) to fill bytes between functions, which makes it easier to sloppily target functions in function pointer overwrite attacks, fill with 0xCC (INT3) to force a trap. Also drop the space between "=" and the value to better match the binutils documentation https://sourceware.org/binutils/docs/ld/Output-Section-Fill.html#Output-Section-Fill Example "objdump -d" before: ... 810001e0 : 810001e0: 48 8b 25 e1 b1 51 01mov 0x151b1e1(%rip),%rsp # 8251b3c8 810001e7: e9 d5 fe ff ff jmpq 81c1 810001ec: 90 nop 810001ed: 90 nop 810001ee: 90 nop 810001ef: 90 nop 810001f0 <__startup_64>: ... After: ... 810001e0 : 810001e0: 48 8b 25 41 79 53 01mov 0x1537941(%rip),%rsp # 82537b28 810001e7: e9 d5 fe ff ff jmpq 81c1 810001ec: cc int3 810001ed: cc int3 810001ee: cc int3 810001ef: cc int3 810001f0 <__startup_64>: ... Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: Heiko Carstens Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Michael Ellerman Cc: Michal Simek Cc: Rick Edgecombe Cc: Ross Zwisler Cc: Segher Boessenkool Cc: Thomas Gleixner Cc: Thomas Lendacky Cc: Will Deacon Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-30-keesc...@chromium.org --- arch/x86/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b06d6e1..3a1a819 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -144,7 +144,7 @@ SECTIONS *(.text.__x86.indirect_thunk) __indirect_thunk_end = .; #endif - } :text = 0x9090 + } :text =0x /* End of text section, which should occupy whole number of pages */ _etext = .;
[tip: x86/build] powerpc: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip: Commit-ID: 4e9e559a0385930649c1c9cad703d475ee030206 Gitweb: https://git.kernel.org/tip/4e9e559a0385930649c1c9cad703d475ee030206 Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:46 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 18:30:13 +01:00 powerpc: Move EXCEPTION_TABLE to RO_DATA segment Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linux-s...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: Michael Ellerman Cc: Michal Simek Cc: Rick Edgecombe Cc: Segher Boessenkool Cc: Will Deacon Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-25-keesc...@chromium.org --- arch/powerpc/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S index 4e7cec0..8834220 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S @@ -7,6 +7,7 @@ #define BSS_FIRST_SECTIONS *(.bss.prominit) #define EMITS_PT_NOTE +#define RO_EXCEPTION_TABLE_ALIGN 0 #include #include @@ -162,7 +163,6 @@ SECTIONS __stop__btb_flush_fixup = .; } #endif - EXCEPTION_TABLE(0) /* * Init sections discarded at runtime
[tip: x86/build] s390: Move RO_DATA into "text" PT_LOAD Program Header
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 6434efbd9aefa3786b446c8e4745d1f49d2983b4
Gitweb:
https://git.kernel.org/tip/6434efbd9aefa3786b446c8e4745d1f49d2983b4
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:28 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:32 +01:00
s390: Move RO_DATA into "text" PT_LOAD Program Header
In preparation for moving NOTES into RO_DATA, move RO_DATA back into the
"text" PT_LOAD Program Header, as done with other architectures. The
"data" PT_LOAD now starts with the writable data section.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-7-keesc...@chromium.org
---
arch/s390/kernel/vmlinux.lds.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 7e0eb40..13294fe 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -52,7 +52,7 @@ SECTIONS
NOTES :text :note
- .dummy : { *(.dummy) } :data
+ .dummy : { *(.dummy) } :text
RO_DATA_SECTION(PAGE_SIZE)
@@ -64,7 +64,7 @@ SECTIONS
.data..ro_after_init : {
*(.data..ro_after_init)
JUMP_TABLE_DATA
- }
+ } :data
EXCEPTION_TABLE(16)
. = ALIGN(PAGE_SIZE);
__end_ro_after_init = .;
[tip: x86/build] vmlinux.lds.h: Move Program Header restoration into NOTES macro
The following commit has been merged into the x86/build branch of tip:
Commit-ID: fbe6a8e618a2d70621cff277e24f6eb338d3d149
Gitweb:
https://git.kernel.org/tip/fbe6a8e618a2d70621cff277e24f6eb338d3d149
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:31 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:39 +01:00
vmlinux.lds.h: Move Program Header restoration into NOTES macro
In preparation for moving NOTES into RO_DATA, make the Program Header
assignment restoration be part of the NOTES macro itself.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens # s390
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-10-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 5 +
arch/ia64/kernel/vmlinux.lds.S| 4 +---
arch/mips/kernel/vmlinux.lds.S| 3 +--
arch/powerpc/kernel/vmlinux.lds.S | 4 +---
arch/s390/kernel/vmlinux.lds.S| 4 +---
arch/x86/kernel/vmlinux.lds.S | 3 +--
include/asm-generic/vmlinux.lds.h | 13 +++--
7 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index 363a60b..cdfdc91 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -34,10 +34,7 @@ SECTIONS
swapper_pg_dir = SWAPPER_PGD;
_etext = .; /* End of text section */
- NOTES :text :note
- .dummy : {
- *(.dummy)
- } :text
+ NOTES
RODATA
EXCEPTION_TABLE(16)
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index 7cf4958..bfc937e 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -70,9 +70,7 @@ SECTIONS {
/*
* Read-only data
*/
- NOTES :text :note /* put .notes in text and mark in PT_NOTE */
- code_continues : {
- } :text/* switch back to regular program... */
+ NOTES
EXCEPTION_TABLE(16)
diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
index 1c95612..6a22f53 100644
--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -81,8 +81,7 @@ SECTIONS
__stop___dbe_table = .;
}
- NOTES NOTES_HEADERS
- .dummy : { *(.dummy) } :text
+ NOTES
_sdata = .; /* Start of data section */
RODATA
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S
index 7e26e20..4f19d81 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -164,9 +164,7 @@ SECTIONS
#endif
EXCEPTION_TABLE(0)
- NOTES :text :note
- /* Restore program header away from PT_NOTE. */
- .dummy : { *(.dummy) } :text
+ NOTES
/*
* Init sections discarded at runtime
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 646d939..f88eede 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -52,9 +52,7 @@ SECTIONS
_etext = .; /* End of text section */
} :text = 0x0700
- NOTES :text :note
-
- .dummy : { *(.dummy) } :text
+ NOTES
RO_DATA_SECTION(PAGE_SIZE)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 2e18bf5..8be25b0 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -148,8 +148,7 @@ SECTIONS
_etext = .;
} :text = 0x9090
- NOTES :text :note
- .dummy : { *(.dummy) } :text
+ NOTES
EXCEPTION_TABLE(16)
diff --git a/include/asm-generic/vmlinux.lds.h
b/include/asm-generic/vmlinux.lds.h
index f5dd45c..97d4299 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -56,10 +56,18 @@
/*
* Only some architectures want to have the .notes segment visible in
- * a separate PT_NOTE ELF Program Header.
+ * a separate PT_NOTE ELF Program Header. When this happens, it needs
+ * to be visible in both the kernel text's PT_LOAD and the PT_NOTE
+ * Program Headers. In this case, though, the PT_LOAD needs to be made
+ * the default again so that all the following sections don't also end
+ * up in the PT_NOTE Program Header.
*/
#ifdef EMITS_PT_NOTE
#define NOTES_HEADERS :text :note
+#define NOTES_HEADERS_RESTORE __restore_ph : { *(.__restore_ph) } :text
+#else
+#define NOTES_HEADERS
+#define NOTES_HEADERS_RESTORE
#endif
/* Align
[tip: x86/build] vmlinux.lds.h: Provide EMIT_PT_NOTE to indicate export of .notes
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 441110a547f86a2fd0c40bf04b274853622c53cc
Gitweb:
https://git.kernel.org/tip/441110a547f86a2fd0c40bf04b274853622c53cc
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:30 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:38 +01:00
vmlinux.lds.h: Provide EMIT_PT_NOTE to indicate export of .notes
In preparation for moving NOTES into RO_DATA, provide a mechanism for
architectures that want to emit a PT_NOTE Program Header to do so.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens # s390
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-9-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 3 +++
arch/ia64/kernel/vmlinux.lds.S| 2 ++
arch/mips/kernel/vmlinux.lds.S| 12 ++--
arch/powerpc/kernel/vmlinux.lds.S | 1 +
arch/s390/kernel/vmlinux.lds.S| 2 ++
arch/x86/kernel/vmlinux.lds.S | 2 ++
include/asm-generic/vmlinux.lds.h | 8
7 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index 781090c..363a60b 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -1,4 +1,7 @@
/* SPDX-License-Identifier: GPL-2.0 */
+
+#define EMITS_PT_NOTE
+
#include
#include
#include
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index 2c4f23c..7cf4958 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -5,6 +5,8 @@
#include
#include
+#define EMITS_PT_NOTE
+
#include
OUTPUT_FORMAT("elf64-ia64-little")
diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
index 33ee0d1..1c95612 100644
--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -10,6 +10,11 @@
*/
#define BSS_FIRST_SECTIONS *(.bss..swapper_pg_dir)
+/* Cavium Octeon should not have a separate PT_NOTE Program Header. */
+#ifndef CONFIG_CAVIUM_OCTEON_SOC
+#define EMITS_PT_NOTE
+#endif
+
#include
#undef mips
@@ -76,12 +81,7 @@ SECTIONS
__stop___dbe_table = .;
}
-#ifdef CONFIG_CAVIUM_OCTEON_SOC
-#define NOTES_HEADER
-#else /* CONFIG_CAVIUM_OCTEON_SOC */
-#define NOTES_HEADER :note
-#endif /* CONFIG_CAVIUM_OCTEON_SOC */
- NOTES :text NOTES_HEADER
+ NOTES NOTES_HEADERS
.dummy : { *(.dummy) } :text
_sdata = .; /* Start of data section */
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S
index e184a63..7e26e20 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -6,6 +6,7 @@
#endif
#define BSS_FIRST_SECTIONS *(.bss.prominit)
+#define EMITS_PT_NOTE
#include
#include
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 13294fe..646d939 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -15,6 +15,8 @@
/* Handle ro_after_init data on our own. */
#define RO_AFTER_INIT_DATA
+#define EMITS_PT_NOTE
+
#include
#include
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 788e789..2e18bf5 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -21,6 +21,8 @@
#define LOAD_OFFSET __START_KERNEL_map
#endif
+#define EMITS_PT_NOTE
+
#include
#include
#include
diff --git a/include/asm-generic/vmlinux.lds.h
b/include/asm-generic/vmlinux.lds.h
index dae6460..f5dd45c 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -54,6 +54,14 @@
#define LOAD_OFFSET 0
#endif
+/*
+ * Only some architectures want to have the .notes segment visible in
+ * a separate PT_NOTE ELF Program Header.
+ */
+#ifdef EMITS_PT_NOTE
+#define NOTES_HEADERS :text :note
+#endif
+
/* Align . to a 8 byte boundary equals to maximum function alignment. */
#define ALIGN_FUNCTION() . = ALIGN(8)
[tip: x86/build] powerpc: Remove PT_NOTE workaround
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 6fc4000656a10fb679ab6566dcd516ee672f1706
Gitweb:
https://git.kernel.org/tip/6fc4000656a10fb679ab6566dcd516ee672f1706
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:24 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:33:39 +01:00
powerpc: Remove PT_NOTE workaround
In preparation for moving NOTES into RO_DATA, remove the PT_NOTE
workaround since the kernel requires at least gcc 4.6 now.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Michael Ellerman
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x...@kernel.org
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-3-keesc...@chromium.org
---
arch/powerpc/kernel/vmlinux.lds.S | 24 ++--
1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S
index 81e6726..a3c8492 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -20,20 +20,6 @@ ENTRY(_stext)
PHDRS {
kernel PT_LOAD FLAGS(7); /* RWX */
note PT_NOTE FLAGS(0);
- dummy PT_NOTE FLAGS(0);
-
- /* binutils < 2.18 has a bug that makes it misbehave when taking an
- ELF file with all segments at load address 0 as input. This
- happens when running "strip" on vmlinux, because of the AT() magic
- in this linker script. People using GCC >= 4.2 won't run into
- this problem, because the "build-id" support will put some data
- into the "notes" segment (at a non-zero load address).
-
- To work around this, we force some data into both the "dummy"
- segment and the kernel segment, so the dummy segment will get a
- non-zero load address. It's not enough to always create the
- "notes" segment, since if nothing gets assigned to it, its load
- address will be zero. */
}
#ifdef CONFIG_PPC64
@@ -178,14 +164,8 @@ SECTIONS
EXCEPTION_TABLE(0)
NOTES :kernel :note
-
- /* The dummy segment contents for the bug workaround mentioned above
- near PHDRS. */
- .dummy : AT(ADDR(.dummy) - LOAD_OFFSET) {
- LONG(0)
- LONG(0)
- LONG(0)
- } :kernel :dummy
+ /* Restore program header away from PT_NOTE. */
+ .dummy : { *(.dummy) } :kernel
/*
* Init sections discarded at runtime
[tip: x86/build] alpha: Rename PT_LOAD identifier "kernel" to "text"
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 65182e6e36195fbf9340808ac4a00d1c146bc05c
Gitweb:
https://git.kernel.org/tip/65182e6e36195fbf9340808ac4a00d1c146bc05c
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:26 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:17 +01:00
alpha: Rename PT_LOAD identifier "kernel" to "text"
In preparation for moving NOTES into RO_DATA, rename the linker script
internal identifier for the PT_LOAD Program Header from "kernel" to
"text" to match other architectures.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Heiko Carstens
Cc: Ivan Kokshaysky
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Matt Turner
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Richard Henderson
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-5-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index c4b5cec..781090c 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -8,7 +8,7 @@
OUTPUT_FORMAT("elf64-alpha")
OUTPUT_ARCH(alpha)
ENTRY(__start)
-PHDRS { kernel PT_LOAD; note PT_NOTE; }
+PHDRS { text PT_LOAD; note PT_NOTE; }
jiffies = jiffies_64;
SECTIONS
{
@@ -27,14 +27,14 @@ SECTIONS
LOCK_TEXT
*(.fixup)
*(.gnu.warning)
- } :kernel
+ } :text
swapper_pg_dir = SWAPPER_PGD;
_etext = .; /* End of text section */
- NOTES :kernel :note
+ NOTES :text :note
.dummy : {
*(.dummy)
- } :kernel
+ } :text
RODATA
EXCEPTION_TABLE(16)
[tip: x86/build] powerpc: Rename PT_LOAD identifier "kernel" to "text"
The following commit has been merged into the x86/build branch of tip:
Commit-ID: af0f3e9e205c3d1bad91ad83e06bfd04df9712b2
Gitweb:
https://git.kernel.org/tip/af0f3e9e205c3d1bad91ad83e06bfd04df9712b2
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:25 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:11 +01:00
powerpc: Rename PT_LOAD identifier "kernel" to "text"
In preparation for moving NOTES into RO_DATA, rename the linker script
internal identifier for the PT_LOAD Program Header from "kernel" to
"text" to match other architectures.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Michael Ellerman
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x...@kernel.org
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-4-keesc...@chromium.org
---
arch/powerpc/kernel/vmlinux.lds.S | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S
index a3c8492..e184a63 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -18,7 +18,7 @@
ENTRY(_stext)
PHDRS {
- kernel PT_LOAD FLAGS(7); /* RWX */
+ text PT_LOAD FLAGS(7); /* RWX */
note PT_NOTE FLAGS(0);
}
@@ -63,7 +63,7 @@ SECTIONS
#else /* !CONFIG_PPC64 */
HEAD_TEXT
#endif
- } :kernel
+ } :text
__head_end = .;
@@ -112,7 +112,7 @@ SECTIONS
__got2_end = .;
#endif /* CONFIG_PPC32 */
- } :kernel
+ } :text
. = ALIGN(ETEXT_ALIGN_SIZE);
_etext = .;
@@ -163,9 +163,9 @@ SECTIONS
#endif
EXCEPTION_TABLE(0)
- NOTES :kernel :note
+ NOTES :text :note
/* Restore program header away from PT_NOTE. */
- .dummy : { *(.dummy) } :kernel
+ .dummy : { *(.dummy) } :text
/*
* Init sections discarded at runtime
@@ -180,7 +180,7 @@ SECTIONS
#ifdef CONFIG_PPC64
*(.tramp.ftrace.init);
#endif
- } :kernel
+ } :text
/* .exit.text is discarded at runtime, not link time,
* to deal with references from __bug_table
[tip: x86/build] powerpc: Rename "notes" PT_NOTE to "note"
The following commit has been merged into the x86/build branch of tip:
Commit-ID: ec556271bbb33809b73cdb238f8cb357345908e8
Gitweb:
https://git.kernel.org/tip/ec556271bbb33809b73cdb238f8cb357345908e8
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:23 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:33:28 +01:00
powerpc: Rename "notes" PT_NOTE to "note"
The Program Header identifiers are internal to the linker scripts. In
preparation for moving the NOTES segment declaration into RO_DATA,
standardize the identifier for the PT_NOTE entry to "note" as used by
all other architectures that emit PT_NOTE.
Note that there was discussion about changing all architectures to use
"notes" instead, but I prefer to avoid that at this time. Changing only
powerpc is the smallest change to standardize the entire kernel. And
while this standardization does use singular "note" for a section that
has more than one note in it, this is just an internal identifier. It
matches the ELF "PT_NOTE", and is 4 characters (like "text", and "data")
for pretty alignment. The more exposed macro, "NOTES", use the more
sensible plural wording.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Michael Ellerman
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-2-keesc...@chromium.org
---
arch/powerpc/kernel/vmlinux.lds.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S
index 060a1ac..81e6726 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -19,7 +19,7 @@ ENTRY(_stext)
PHDRS {
kernel PT_LOAD FLAGS(7); /* RWX */
- notes PT_NOTE FLAGS(0);
+ note PT_NOTE FLAGS(0);
dummy PT_NOTE FLAGS(0);
/* binutils < 2.18 has a bug that makes it misbehave when taking an
@@ -177,7 +177,7 @@ SECTIONS
#endif
EXCEPTION_TABLE(0)
- NOTES :kernel :notes
+ NOTES :kernel :note
/* The dummy segment contents for the bug workaround mentioned above
near PHDRS. */
[tip: x86/build] vmlinux.lds.h: Replace RW_DATA_SECTION with RW_DATA
The following commit has been merged into the x86/build branch of tip:
Commit-ID: c9174047b48d700a785b633319dd7d27288b86be
Gitweb:
https://git.kernel.org/tip/c9174047b48d700a785b633319dd7d27288b86be
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:35 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:57:41 +01:00
vmlinux.lds.h: Replace RW_DATA_SECTION with RW_DATA
Rename RW_DATA_SECTION to RW_DATA. (Calling this a "section" is a lie,
since it's multiple sections and section flags cannot be applied to
the macro.)
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens # s390
Acked-by: Geert Uytterhoeven # m68k
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-14-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 2 +-
arch/arc/kernel/vmlinux.lds.S| 2 +-
arch/arm/kernel/vmlinux-xip.lds.S| 2 +-
arch/arm/kernel/vmlinux.lds.S| 2 +-
arch/arm64/kernel/vmlinux.lds.S | 2 +-
arch/csky/kernel/vmlinux.lds.S | 2 +-
arch/h8300/kernel/vmlinux.lds.S | 2 +-
arch/hexagon/kernel/vmlinux.lds.S| 2 +-
arch/m68k/kernel/vmlinux-nommu.lds | 2 +-
arch/m68k/kernel/vmlinux-std.lds | 2 +-
arch/m68k/kernel/vmlinux-sun3.lds| 2 +-
arch/microblaze/kernel/vmlinux.lds.S | 2 +-
arch/nds32/kernel/vmlinux.lds.S | 2 +-
arch/nios2/kernel/vmlinux.lds.S | 2 +-
arch/openrisc/kernel/vmlinux.lds.S | 2 +-
arch/parisc/kernel/vmlinux.lds.S | 2 +-
arch/riscv/kernel/vmlinux.lds.S | 2 +-
arch/s390/kernel/vmlinux.lds.S | 2 +-
arch/sh/kernel/vmlinux.lds.S | 2 +-
arch/sparc/kernel/vmlinux.lds.S | 2 +-
arch/unicore32/kernel/vmlinux.lds.S | 2 +-
arch/xtensa/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h| 4 ++--
23 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index af41181..edc45f4 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .; /* Start of rw data section */
_data = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
.got : {
*(.got)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 7d1d270..54139a6 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -101,7 +101,7 @@ SECTIONS
* 1. this is .data essentially
* 2. THREAD_SIZE for init.task, must be kernel-stk sz aligned
*/
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/arm/kernel/vmlinux-xip.lds.S
b/arch/arm/kernel/vmlinux-xip.lds.S
index d2a9651..21b8b27 100644
--- a/arch/arm/kernel/vmlinux-xip.lds.S
+++ b/arch/arm/kernel/vmlinux-xip.lds.S
@@ -112,7 +112,7 @@ SECTIONS
. = ALIGN(THREAD_SIZE);
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
.data.ro_after_init : AT(ADDR(.data.ro_after_init) - LOAD_OFFSET) {
*(.data..ro_after_init)
}
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
index 068db68..319ccb1 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -141,7 +141,7 @@ SECTIONS
__init_end = .;
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
BSS_SECTION(0, 0, 0)
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index e7dafc2..a4b3e6c 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -214,7 +214,7 @@ SECTIONS
_data = .;
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
/*
* Data written with the MMU off but read with the MMU on requires
diff --git a/arch/csky/kernel/vmlinux.lds.S b/arch/csky/kernel/vmlinux.lds.S
index 8598bd7..2ff37be 100644
--- a/arch/csky/kernel/vmlinux.lds.S
+++ b/arch/csky/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .;
RO_DATA(PAGE_SIZE)
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES,
[tip: x86/build] ia64: Rename PT_LOAD identifier "code" to "text"
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 430c6b2647e215c4129f36646ad28a725996b410
Gitweb:
https://git.kernel.org/tip/430c6b2647e215c4129f36646ad28a725996b410
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:27 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:29 +01:00
ia64: Rename PT_LOAD identifier "code" to "text"
In preparation for moving NOTES into RO_DATA, rename the linker script
internal identifier for the PT_LOAD Program Header from "code" to "text"
to match other architectures.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Fenghua Yu
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Tony Luck
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-6-keesc...@chromium.org
---
arch/ia64/kernel/vmlinux.lds.S | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index d9d4e21..2c4f23c 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -13,7 +13,7 @@ ENTRY(phys_start)
jiffies = jiffies_64;
PHDRS {
- code PT_LOAD;
+ text PT_LOAD;
percpu PT_LOAD;
data PT_LOAD;
note PT_NOTE;
@@ -36,7 +36,7 @@ SECTIONS {
phys_start = _start - LOAD_OFFSET;
code : {
- } :code
+ } :text
. = KERNEL_START;
_text = .;
@@ -68,9 +68,9 @@ SECTIONS {
/*
* Read-only data
*/
- NOTES :code :note /* put .notes in text and mark in PT_NOTE */
+ NOTES :text :note /* put .notes in text and mark in PT_NOTE */
code_continues : {
- } : code /* switch back to regular program... */
+ } :text/* switch back to regular program... */
EXCEPTION_TABLE(16)
@@ -102,9 +102,9 @@ SECTIONS {
__start_unwind = .;
*(.IA_64.unwind*)
__end_unwind = .;
- } :code :unwind
+ } :text :unwind
code_continues2 : {
- } : code
+ } :text
RODATA
@@ -214,7 +214,7 @@ SECTIONS {
_end = .;
code : {
- } :code
+ } :text
STABS_DEBUG
DWARF_DEBUG
[tip: x86/build] vmlinux.lds.h: Replace RO_DATA_SECTION with RO_DATA
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 93240b327929ff03c1878ea8badc5c6bd86f053f
Gitweb:
https://git.kernel.org/tip/93240b327929ff03c1878ea8badc5c6bd86f053f
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:34 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:56:16 +01:00
vmlinux.lds.h: Replace RO_DATA_SECTION with RO_DATA
Finish renaming RO_DATA_SECTION to RO_DATA. (Calling this a "section"
is a lie, since it's multiple sections and section flags cannot be
applied to the macro.)
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens # s390
Acked-by: Geert Uytterhoeven # m68k
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-13-keesc...@chromium.org
---
arch/arc/kernel/vmlinux.lds.S | 2 +-
arch/c6x/kernel/vmlinux.lds.S | 2 +-
arch/csky/kernel/vmlinux.lds.S | 2 +-
arch/h8300/kernel/vmlinux.lds.S | 2 +-
arch/hexagon/kernel/vmlinux.lds.S | 2 +-
arch/m68k/kernel/vmlinux-nommu.lds | 2 +-
arch/nds32/kernel/vmlinux.lds.S | 2 +-
arch/nios2/kernel/vmlinux.lds.S | 2 +-
arch/openrisc/kernel/vmlinux.lds.S | 4 ++--
arch/parisc/kernel/vmlinux.lds.S| 4 ++--
arch/riscv/kernel/vmlinux.lds.S | 2 +-
arch/s390/kernel/vmlinux.lds.S | 2 +-
arch/unicore32/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h | 7 ++-
14 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 1d6eef4..7d1d270 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -95,7 +95,7 @@ SECTIONS
_etext = .;
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
/*
* 1. this is .data essentially
diff --git a/arch/c6x/kernel/vmlinux.lds.S b/arch/c6x/kernel/vmlinux.lds.S
index d6e3802..a3547f9 100644
--- a/arch/c6x/kernel/vmlinux.lds.S
+++ b/arch/c6x/kernel/vmlinux.lds.S
@@ -82,7 +82,7 @@ SECTIONS
EXCEPTION_TABLE(16)
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
.const :
{
*(.const .const.* .gnu.linkonce.r.*)
diff --git a/arch/csky/kernel/vmlinux.lds.S b/arch/csky/kernel/vmlinux.lds.S
index 75dd314..8598bd7 100644
--- a/arch/csky/kernel/vmlinux.lds.S
+++ b/arch/csky/kernel/vmlinux.lds.S
@@ -49,7 +49,7 @@ SECTIONS
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S
index 88776e7..d3247d3 100644
--- a/arch/h8300/kernel/vmlinux.lds.S
+++ b/arch/h8300/kernel/vmlinux.lds.S
@@ -38,7 +38,7 @@ SECTIONS
_etext = . ;
}
EXCEPTION_TABLE(16)
- RO_DATA_SECTION(4)
+ RO_DATA(4)
ROMEND = .;
#if defined(CONFIG_ROMKERNEL)
. = RAMTOP;
diff --git a/arch/hexagon/kernel/vmlinux.lds.S
b/arch/hexagon/kernel/vmlinux.lds.S
index 6a6e8fc..0145251 100644
--- a/arch/hexagon/kernel/vmlinux.lds.S
+++ b/arch/hexagon/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .;
RW_DATA_SECTION(32,PAGE_SIZE,_THREAD_SIZE)
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
_edata = .;
EXCEPTION_TABLE(16)
diff --git a/arch/m68k/kernel/vmlinux-nommu.lds
b/arch/m68k/kernel/vmlinux-nommu.lds
index cf6edda..de80f8b 100644
--- a/arch/m68k/kernel/vmlinux-nommu.lds
+++ b/arch/m68k/kernel/vmlinux-nommu.lds
@@ -60,7 +60,7 @@ SECTIONS {
#endif
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(16, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/nds32/kernel/vmlinux.lds.S b/arch/nds32/kernel/vmlinux.lds.S
index c4f1c5a..10ff570 100644
--- a/arch/nds32/kernel/vmlinux.lds.S
+++ b/arch/nds32/kernel/vmlinux.lds.S
@@ -53,7 +53,7 @@ SECTIONS
_etext = .; /* End of text and rodata section */
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/nios2/kernel/vmlinux.lds.S b/arch/nios2/kernel/vmlinux.lds.S
index 20e4078..318804a 100644
--- a/arch/nios2/kernel/vmlinux.lds.S
+++ b/arch/nios2/kernel/vmlinux.lds.S
@@ -49,7 +49,7 @@ SECTIONS
__init_end = .;
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+
[tip: x86/build] microblaze: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip:
Commit-ID: 3bda6f37a7949c803b84cf27e11a3995d900a179
Gitweb:
https://git.kernel.org/tip/3bda6f37a7949c803b84cf27e11a3995d900a179
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:44 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 18:18:23 +01:00
microblaze: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Geert Uytterhoeven
Cc: Heiko Carstens
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-23-keesc...@chromium.org
---
arch/microblaze/kernel/vmlinux.lds.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/microblaze/kernel/vmlinux.lds.S
b/arch/microblaze/kernel/vmlinux.lds.S
index b8efb08..760cac4 100644
--- a/arch/microblaze/kernel/vmlinux.lds.S
+++ b/arch/microblaze/kernel/vmlinux.lds.S
@@ -11,6 +11,8 @@
OUTPUT_ARCH(microblaze)
ENTRY(microblaze_start)
+#define RO_EXCEPTION_TABLE_ALIGN 16
+
#include
#include
#include
@@ -52,7 +54,6 @@ SECTIONS {
. = ALIGN(16);
RO_DATA(4096)
- EXCEPTION_TABLE(16)
/*
* sdata2 section can go anywhere, but must be word aligned
[tip: x86/build] vmlinux.lds.h: Allow EXCEPTION_TABLE to live in RO_DATA
The following commit has been merged into the x86/build branch of tip: Commit-ID: b8c2f776164c8f74ac31c5e370ca3f029be0aa19 Gitweb: https://git.kernel.org/tip/b8c2f776164c8f74ac31c5e370ca3f029be0aa19 Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:36 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 15:59:01 +01:00 vmlinux.lds.h: Allow EXCEPTION_TABLE to live in RO_DATA Many architectures have an EXCEPTION_TABLE that needs to be only readable. As such, it should live in RO_DATA. Create a macro to identify this case for the architectures that can move EXCEPTION_TABLE into RO_DATA. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Acked-by: Will Deacon Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Michael Ellerman Cc: Michal Simek Cc: Rick Edgecombe Cc: Segher Boessenkool Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-15-keesc...@chromium.org --- include/asm-generic/vmlinux.lds.h | 12 1 file changed, 12 insertions(+) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 356078e..9867d8e 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -69,6 +69,17 @@ #define NOTES_HEADERS_RESTORE #endif +/* + * Some architectures have non-executable read-only exception tables. + * They can be added to the RO_DATA segment by specifying their desired + * alignment. + */ +#ifdef RO_EXCEPTION_TABLE_ALIGN +#define RO_EXCEPTION_TABLE EXCEPTION_TABLE(RO_EXCEPTION_TABLE_ALIGN) +#else +#define RO_EXCEPTION_TABLE +#endif + /* Align . to a 8 byte boundary equals to maximum function alignment. */ #define ALIGN_FUNCTION() . = ALIGN(8) @@ -513,6 +524,7 @@ __stop___modver = .;\ } \ \ + RO_EXCEPTION_TABLE \ NOTES \ \ . = ALIGN((align)); \
[tip: x86/build] vmlinux.lds.h: Move NOTES into RO_DATA
The following commit has been merged into the x86/build branch of tip:
Commit-ID: eaf937075c9a42eb8ba51eb3050773d7205d3595
Gitweb:
https://git.kernel.org/tip/eaf937075c9a42eb8ba51eb3050773d7205d3595
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:32 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 15:34:41 +01:00
vmlinux.lds.h: Move NOTES into RO_DATA
The .notes section should be non-executable read-only data. As such,
move it to the RO_DATA macro instead of being per-architecture defined.
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Acked-by: Heiko Carstens # s390
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linux-s...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Segher Boessenkool
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-11-keesc...@chromium.org
---
arch/alpha/kernel/vmlinux.lds.S | 2 --
arch/arc/kernel/vmlinux.lds.S| 2 --
arch/arm/kernel/vmlinux-xip.lds.S| 2 --
arch/arm/kernel/vmlinux.lds.S| 2 --
arch/arm64/kernel/vmlinux.lds.S | 1 -
arch/c6x/kernel/vmlinux.lds.S| 1 -
arch/csky/kernel/vmlinux.lds.S | 1 -
arch/h8300/kernel/vmlinux.lds.S | 1 -
arch/hexagon/kernel/vmlinux.lds.S| 1 -
arch/ia64/kernel/vmlinux.lds.S | 2 --
arch/microblaze/kernel/vmlinux.lds.S | 1 -
arch/mips/kernel/vmlinux.lds.S | 2 --
arch/nds32/kernel/vmlinux.lds.S | 1 -
arch/nios2/kernel/vmlinux.lds.S | 1 -
arch/openrisc/kernel/vmlinux.lds.S | 1 -
arch/parisc/kernel/vmlinux.lds.S | 1 -
arch/powerpc/kernel/vmlinux.lds.S| 2 --
arch/riscv/kernel/vmlinux.lds.S | 1 -
arch/s390/kernel/vmlinux.lds.S | 2 --
arch/sh/kernel/vmlinux.lds.S | 1 -
arch/sparc/kernel/vmlinux.lds.S | 1 -
arch/um/include/asm/common.lds.S | 1 -
arch/unicore32/kernel/vmlinux.lds.S | 1 -
arch/x86/kernel/vmlinux.lds.S| 2 --
arch/xtensa/kernel/vmlinux.lds.S | 1 -
include/asm-generic/vmlinux.lds.h| 9 +
26 files changed, 5 insertions(+), 38 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index cdfdc91..bf28043 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -34,8 +34,6 @@ SECTIONS
swapper_pg_dir = SWAPPER_PGD;
_etext = .; /* End of text section */
- NOTES
-
RODATA
EXCEPTION_TABLE(16)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 6c693a9..1d6eef4 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -118,8 +118,6 @@ SECTIONS
/DISCARD/ : { *(.eh_frame) }
#endif
- NOTES
-
. = ALIGN(PAGE_SIZE);
_end = . ;
diff --git a/arch/arm/kernel/vmlinux-xip.lds.S
b/arch/arm/kernel/vmlinux-xip.lds.S
index 8c74037..d2a9651 100644
--- a/arch/arm/kernel/vmlinux-xip.lds.S
+++ b/arch/arm/kernel/vmlinux-xip.lds.S
@@ -70,8 +70,6 @@ SECTIONS
ARM_UNWIND_SECTIONS
#endif
- NOTES
-
_etext = .; /* End of text and rodata section */
ARM_VECTORS
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
index 23150c0..068db68 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -81,8 +81,6 @@ SECTIONS
ARM_UNWIND_SECTIONS
#endif
- NOTES
-
#ifdef CONFIG_STRICT_KERNEL_RWX
. = ALIGN(1<
[tip: x86/build] x86/vmlinux: Move EXCEPTION_TABLE to RO_DATA segment
The following commit has been merged into the x86/build branch of tip: Commit-ID: f0d7ee17d57c7a8510518a1e60366d053e2f3ff5 Gitweb: https://git.kernel.org/tip/f0d7ee17d57c7a8510518a1e60366d053e2f3ff5 Author:Kees Cook AuthorDate:Tue, 29 Oct 2019 14:13:38 -07:00 Committer: Borislav Petkov CommitterDate: Mon, 04 Nov 2019 17:55:02 +01:00 x86/vmlinux: Move EXCEPTION_TABLE to RO_DATA segment The exception table was needlessly marked executable. In preparation for execute-only memory, move the table into the RO_DATA segment via the new macro that can be used by any architectures that want to make a similar consolidation. Signed-off-by: Kees Cook Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Dave Hansen Cc: Heiko Carstens Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: linux-al...@vger.kernel.org Cc: linux-a...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-c6x-...@linux-c6x.org Cc: linux-i...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: Michael Ellerman Cc: Michal Simek Cc: Rick Edgecombe Cc: Ross Zwisler Cc: Segher Boessenkool Cc: Thomas Gleixner Cc: Thomas Lendacky Cc: Will Deacon Cc: x86-ml Cc: Yoshinori Sato Link: https://lkml.kernel.org/r/20191029211351.13243-17-keesc...@chromium.org --- arch/x86/kernel/vmlinux.lds.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index a1a758e..b06d6e1 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -22,6 +22,7 @@ #endif #define EMITS_PT_NOTE +#define RO_EXCEPTION_TABLE_ALIGN 16 #include #include @@ -145,8 +146,6 @@ SECTIONS #endif } :text = 0x9090 - EXCEPTION_TABLE(16) - /* End of text section, which should occupy whole number of pages */ _etext = .; . = ALIGN(PAGE_SIZE);
[tip: x86/build] x86/mm: Report actual image regions in /proc/iomem
The following commit has been merged into the x86/build branch of tip:
Commit-ID: a329975491aafcb1fb6e2fad0de22cae5c16154f
Gitweb:
https://git.kernel.org/tip/a329975491aafcb1fb6e2fad0de22cae5c16154f
Author:Kees Cook
AuthorDate:Tue, 29 Oct 2019 14:13:50 -07:00
Committer: Borislav Petkov
CommitterDate: Mon, 04 Nov 2019 19:02:25 +01:00
x86/mm: Report actual image regions in /proc/iomem
The resource reservations in /proc/iomem made for the kernel image did
not reflect the gaps between text, rodata, and data. Add the "rodata"
resource and update the start/end calculations to match the respective
calls to free_kernel_image_pages().
Before (booted with "nokaslr" for easier comparison):
0010-bffd9fff : System RAM
0100-01e011d0 : Kernel code
01e011d1-025619bf : Kernel data
02a95000-035f : Kernel bss
After:
0010-bffd9fff : System RAM
0100-01e011d0 : Kernel code
0200-023d4fff : Kernel rodata
0240-025619ff : Kernel data
02a95000-035f : Kernel bss
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Dave Hansen
Cc: Dave Young
Cc: David Howells
Cc: Heiko Carstens
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Juergen Gross
Cc: linux-al...@vger.kernel.org
Cc: linux-a...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-c6x-...@linux-c6x.org
Cc: linux-i...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-s...@vger.kernel.org
Cc: Michael Ellerman
Cc: Michal Simek
Cc: Rick Edgecombe
Cc: Robert Richter
Cc: Segher Boessenkool
Cc: Thomas Gleixner
Cc: Thomas Lendacky
Cc: Will Deacon
Cc: x86-ml
Cc: Yoshinori Sato
Link: https://lkml.kernel.org/r/20191029211351.13243-29-keesc...@chromium.org
---
arch/x86/kernel/setup.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 77ea96b..591e885 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -143,6 +143,13 @@ struct boot_params boot_params;
/*
* Machine setup..
*/
+static struct resource rodata_resource = {
+ .name = "Kernel rodata",
+ .start = 0,
+ .end= 0,
+ .flags = IORESOURCE_BUSY | IORESOURCE_SYSTEM_RAM
+};
+
static struct resource data_resource = {
.name = "Kernel data",
.start = 0,
@@ -951,7 +958,9 @@ void __init setup_arch(char **cmdline_p)
code_resource.start = __pa_symbol(_text);
code_resource.end = __pa_symbol(_etext)-1;
- data_resource.start = __pa_symbol(_etext);
+ rodata_resource.start = __pa_symbol(__start_rodata);
+ rodata_resource.end = __pa_symbol(__end_rodata)-1;
+ data_resource.start = __pa_symbol(_sdata);
data_resource.end = __pa_symbol(_edata)-1;
bss_resource.start = __pa_symbol(__bss_start);
bss_resource.end = __pa_symbol(__bss_stop)-1;
@@ -1040,6 +1049,7 @@ void __init setup_arch(char **cmdline_p)
/* after parse_early_param, so could debug it */
insert_resource(_resource, _resource);
+ insert_resource(_resource, _resource);
insert_resource(_resource, _resource);
insert_resource(_resource, _resource);
Re: [PATCH v4 0/4] Implement STRICT_MODULE_RWX for powerpc
On Wed, Oct 30, 2019 at 11:16:22AM +1100, Michael Ellerman wrote: > Kees Cook writes: > > On Mon, Oct 14, 2019 at 04:13:16PM +1100, Russell Currey wrote: > >> v3 cover letter here: > >> https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198023.html > >> > >> Only minimal changes since then: > >> > >> - patch 2/4 commit message update thanks to Andrew Donnellan > >> - patch 3/4 made neater thanks to Christophe Leroy > >> - patch 3/4 updated Kconfig description thanks to Daniel Axtens > > > > I continue to be excited about this work. :) Is there anything holding > > it back from landing in linux-next? > > I had some concerns, which I stupidly posted in reply to v3: > > https://lore.kernel.org/linuxppc-dev/87pnio5fva@mpe.ellerman.id.au/ Ah-ha! Thanks; I missed that. :) -- Kees Cook
Re: [PATCH v5 0/5] Implement STRICT_MODULE_RWX for powerpc
On Wed, Oct 30, 2019 at 09:58:19AM +0100, Christophe Leroy wrote: > > > Le 30/10/2019 à 08:31, Russell Currey a écrit : > > v4 cover letter: > > https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198268.html > > v3 cover letter: > > https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198023.html > > > > Changes since v4: > > [1/5]: Addressed review comments from Michael Ellerman (thanks!) > > [4/5]: make ARCH_HAS_STRICT_MODULE_RWX depend on > >ARCH_HAS_STRICT_KERNEL_RWX to simplify things and avoid > >STRICT_MODULE_RWX being *on by default* in cases where > >STRICT_KERNEL_RWX is *unavailable* > > [5/5]: split skiroot_defconfig changes out into its own patch > > > > The whole Kconfig situation is really weird and confusing, I believe the > > correct resolution is to change arch/Kconfig but the consequences are so > > minor that I don't think it's worth it, especially given that I expect > > powerpc to have mandatory strict RWX Soon(tm). > > I'm not such strict RWX can be made mandatory due to the impact it has on > some subarches: > - On the 8xx, unless all areas are 8Mbytes aligned, there is a significant > overhead on TLB misses. And Aligning everthing to 8M is a waste of RAM which > is not acceptable on systems having very few RAM. > - On hash book3s32, we are able to map the kernel BATs. With a few alignment > constraints, we are able to provide STRICT_KERNEL_RWX. But we are unable to > provide exec protection on page granularity. Only on 256Mbytes segments. So > for modules, we have to have the vmspace X. It is also not possible to have > a kernel area RO. Only user areas can be made RO. As I understand it, the idea was for it to be mandatory (or at least default-on) only for the subarches where it wasn't totally insane to accomplish. :) (I'm not familiar with all the details on the subarchs, but it sounded like the more modern systems would be the targets for this?) -- Kees Cook
Re: [PATCH v4 0/4] Implement STRICT_MODULE_RWX for powerpc
On Mon, Oct 14, 2019 at 04:13:16PM +1100, Russell Currey wrote: > v3 cover letter here: > https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198023.html > > Only minimal changes since then: > > - patch 2/4 commit message update thanks to Andrew Donnellan > - patch 3/4 made neater thanks to Christophe Leroy > - patch 3/4 updated Kconfig description thanks to Daniel Axtens I continue to be excited about this work. :) Is there anything holding it back from landing in linux-next? -Kees > > Russell Currey (4): > powerpc/mm: Implement set_memory() routines > powerpc/kprobes: Mark newly allocated probes as RO > powerpc/mm/ptdump: debugfs handler for W+X checks at runtime > powerpc: Enable STRICT_MODULE_RWX > > arch/powerpc/Kconfig | 2 + > arch/powerpc/Kconfig.debug | 6 ++- > arch/powerpc/configs/skiroot_defconfig | 1 + > arch/powerpc/include/asm/set_memory.h | 32 ++ > arch/powerpc/kernel/kprobes.c | 3 ++ > arch/powerpc/mm/Makefile | 1 + > arch/powerpc/mm/pageattr.c | 60 ++ > arch/powerpc/mm/ptdump/ptdump.c| 21 - > 8 files changed, 123 insertions(+), 3 deletions(-) > create mode 100644 arch/powerpc/include/asm/set_memory.h > create mode 100644 arch/powerpc/mm/pageattr.c > > -- > 2.23.0 > -- Kees Cook
[PATCH v3 28/29] x86/mm: Report actual image regions in /proc/iomem
The resource reservations in /proc/iomem made for the kernel image did
not reflect the gaps between text, rodata, and data. Add the "rodata"
resource and update the start/end calculations to match the respective
calls to free_kernel_image_pages().
Before (booted with "nokaslr" for easier comparison):
0010-bffd9fff : System RAM
0100-01e011d0 : Kernel code
01e011d1-025619bf : Kernel data
02a95000-035f : Kernel bss
After:
0010-bffd9fff : System RAM
0100-01e011d0 : Kernel code
0200-023d4fff : Kernel rodata
0240-025619ff : Kernel data
02a95000-035f : Kernel bss
Signed-off-by: Kees Cook
---
arch/x86/kernel/setup.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 77ea96b794bd..591e885a852e 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -143,6 +143,13 @@ struct boot_params boot_params;
/*
* Machine setup..
*/
+static struct resource rodata_resource = {
+ .name = "Kernel rodata",
+ .start = 0,
+ .end= 0,
+ .flags = IORESOURCE_BUSY | IORESOURCE_SYSTEM_RAM
+};
+
static struct resource data_resource = {
.name = "Kernel data",
.start = 0,
@@ -951,7 +958,9 @@ void __init setup_arch(char **cmdline_p)
code_resource.start = __pa_symbol(_text);
code_resource.end = __pa_symbol(_etext)-1;
- data_resource.start = __pa_symbol(_etext);
+ rodata_resource.start = __pa_symbol(__start_rodata);
+ rodata_resource.end = __pa_symbol(__end_rodata)-1;
+ data_resource.start = __pa_symbol(_sdata);
data_resource.end = __pa_symbol(_edata)-1;
bss_resource.start = __pa_symbol(__bss_start);
bss_resource.end = __pa_symbol(__bss_stop)-1;
@@ -1040,6 +1049,7 @@ void __init setup_arch(char **cmdline_p)
/* after parse_early_param, so could debug it */
insert_resource(_resource, _resource);
+ insert_resource(_resource, _resource);
insert_resource(_resource, _resource);
insert_resource(_resource, _resource);
--
2.17.1
[PATCH v3 25/29] xtensa: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Acked-by: Max Filippov
---
arch/xtensa/kernel/vmlinux.lds.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
index bdbd7c4056c1..0043d5858f14 100644
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -14,6 +14,8 @@
* Joe Taylor
*/
+#define RO_EXCEPTION_TABLE_ALIGN 16
+
#include
#include
#include
@@ -130,7 +132,6 @@ SECTIONS
.fixup : { *(.fixup) }
- EXCEPTION_TABLE(16)
/* Data section */
_sdata = .;
--
2.17.1
[PATCH v3 22/29] microblaze: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
---
arch/microblaze/kernel/vmlinux.lds.S | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/microblaze/kernel/vmlinux.lds.S
b/arch/microblaze/kernel/vmlinux.lds.S
index b8efb08204a1..760cac41cbfe 100644
--- a/arch/microblaze/kernel/vmlinux.lds.S
+++ b/arch/microblaze/kernel/vmlinux.lds.S
@@ -11,6 +11,8 @@
OUTPUT_ARCH(microblaze)
ENTRY(microblaze_start)
+#define RO_EXCEPTION_TABLE_ALIGN 16
+
#include
#include
#include
@@ -52,7 +54,6 @@ SECTIONS {
. = ALIGN(16);
RO_DATA(4096)
- EXCEPTION_TABLE(16)
/*
* sdata2 section can go anywhere, but must be word aligned
--
2.17.1
[PATCH v3 23/29] parisc: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
Acked-by: Helge Deller
---
arch/parisc/kernel/vmlinux.lds.S | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/parisc/kernel/vmlinux.lds.S b/arch/parisc/kernel/vmlinux.lds.S
index 12b3d7d5e9e4..53e29d88f99c 100644
--- a/arch/parisc/kernel/vmlinux.lds.S
+++ b/arch/parisc/kernel/vmlinux.lds.S
@@ -19,6 +19,7 @@
*(.data..vm0.pte)
#define CC_USING_PATCHABLE_FUNCTION_ENTRY
+#define RO_EXCEPTION_TABLE_ALIGN 8
#include
@@ -129,9 +130,6 @@ SECTIONS
RO_DATA(8)
- /* RO because of BUILDTIME_EXTABLE_SORT */
- EXCEPTION_TABLE(8)
-
/* unwind info */
.PARISC.unwind : {
__start___unwind = .;
--
2.17.1
[PATCH v3 27/29] x86/mm: Report which part of kernel image is freed
The memory freeing report wasn't very useful for figuring out which
parts of the kernel image were being freed. Add the details for clearer
reporting in dmesg.
Before:
[2.150450] Freeing unused kernel image memory: 1348K
[2.154574] Write protecting the kernel read-only data: 20480k
[2.157641] Freeing unused kernel image memory: 2040K
[2.158827] Freeing unused kernel image memory: 172K
After:
[2.329678] Freeing unused kernel image (initmem) memory: 1348K
[2.331953] Write protecting the kernel read-only data: 20480k
[2.335361] Freeing unused kernel image (text/rodata gap) memory: 2040K
[2.336927] Freeing unused kernel image (rodata/data gap) memory: 172K
Signed-off-by: Kees Cook
---
arch/x86/include/asm/processor.h | 2 +-
arch/x86/mm/init.c | 8
arch/x86/mm/init_64.c| 6 --
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 6e0a3b43d027..790f250d39a8 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -958,7 +958,7 @@ static inline uint32_t hypervisor_cpuid_base(const char
*sig, uint32_t leaves)
extern unsigned long arch_align_stack(unsigned long sp);
void free_init_pages(const char *what, unsigned long begin, unsigned long end);
-extern void free_kernel_image_pages(void *begin, void *end);
+extern void free_kernel_image_pages(const char *what, void *begin, void *end);
void default_idle(void);
#ifdef CONFIG_XEN
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
index fd10d91a6115..e7bb483557c9 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -829,14 +829,13 @@ void free_init_pages(const char *what, unsigned long
begin, unsigned long end)
* used for the kernel image only. free_init_pages() will do the
* right thing for either kind of address.
*/
-void free_kernel_image_pages(void *begin, void *end)
+void free_kernel_image_pages(const char *what, void *begin, void *end)
{
unsigned long begin_ul = (unsigned long)begin;
unsigned long end_ul = (unsigned long)end;
unsigned long len_pages = (end_ul - begin_ul) >> PAGE_SHIFT;
-
- free_init_pages("unused kernel image", begin_ul, end_ul);
+ free_init_pages(what, begin_ul, end_ul);
/*
* PTI maps some of the kernel into userspace. For performance,
@@ -865,7 +864,8 @@ void __ref free_initmem(void)
mem_encrypt_free_decrypted_mem();
- free_kernel_image_pages(&__init_begin, &__init_end);
+ free_kernel_image_pages("unused kernel image (initmem)",
+ &__init_begin, &__init_end);
}
#ifdef CONFIG_BLK_DEV_INITRD
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index e67ddca8b7a8..dcb9bc961b39 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1334,8 +1334,10 @@ void mark_rodata_ro(void)
set_memory_ro(start, (end-start) >> PAGE_SHIFT);
#endif
- free_kernel_image_pages((void *)text_end, (void *)rodata_start);
- free_kernel_image_pages((void *)rodata_end, (void *)_sdata);
+ free_kernel_image_pages("unused kernel image (text/rodata gap)",
+ (void *)text_end, (void *)rodata_start);
+ free_kernel_image_pages("unused kernel image (rodata/data gap)",
+ (void *)rodata_end, (void *)_sdata);
debug_checkwx();
}
--
2.17.1
[PATCH v3 24/29] powerpc: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Signed-off-by: Kees Cook --- arch/powerpc/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S index 4e7cec088c8b..8834220036a5 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S @@ -7,6 +7,7 @@ #define BSS_FIRST_SECTIONS *(.bss.prominit) #define EMITS_PT_NOTE +#define RO_EXCEPTION_TABLE_ALIGN 0 #include #include @@ -162,7 +163,6 @@ SECTIONS __stop__btb_flush_fixup = .; } #endif - EXCEPTION_TABLE(0) /* * Init sections discarded at runtime -- 2.17.1
[PATCH v3 11/29] vmlinux.lds.h: Replace RODATA with RO_DATA
There's no reason to keep the RODATA macro: replace the callers with
the expected RO_DATA macro.
Signed-off-by: Kees Cook
---
arch/alpha/kernel/vmlinux.lds.S | 2 +-
arch/ia64/kernel/vmlinux.lds.S | 2 +-
arch/microblaze/kernel/vmlinux.lds.S | 2 +-
arch/mips/kernel/vmlinux.lds.S | 2 +-
arch/um/include/asm/common.lds.S | 2 +-
arch/xtensa/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h| 4 +---
7 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index bf28043485f6..af411817dd7d 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -34,7 +34,7 @@ SECTIONS
swapper_pg_dir = SWAPPER_PGD;
_etext = .; /* End of text section */
- RODATA
+ RO_DATA(4096)
EXCEPTION_TABLE(16)
/* Will be freed after init */
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index fae077595756..11d5115bc44d 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -104,7 +104,7 @@ SECTIONS {
code_continues2 : {
} :text
- RODATA
+ RO_DATA(4096)
.opd : AT(ADDR(.opd) - LOAD_OFFSET) {
__start_opd = .;
diff --git a/arch/microblaze/kernel/vmlinux.lds.S
b/arch/microblaze/kernel/vmlinux.lds.S
index d008e50bb212..2299694748ea 100644
--- a/arch/microblaze/kernel/vmlinux.lds.S
+++ b/arch/microblaze/kernel/vmlinux.lds.S
@@ -51,7 +51,7 @@ SECTIONS {
}
. = ALIGN(16);
- RODATA
+ RO_DATA(4096)
EXCEPTION_TABLE(16)
/*
diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
index 91e566defc16..a5f00ec73ea6 100644
--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -82,7 +82,7 @@ SECTIONS
}
_sdata = .; /* Start of data section */
- RODATA
+ RO_DATA(4096)
/* writeable */
.data : { /* Data */
diff --git a/arch/um/include/asm/common.lds.S b/arch/um/include/asm/common.lds.S
index 91aca356095f..7145ce699982 100644
--- a/arch/um/include/asm/common.lds.S
+++ b/arch/um/include/asm/common.lds.S
@@ -9,7 +9,7 @@
_sdata = .;
PROVIDE (sdata = .);
- RODATA
+ RO_DATA(4096)
.unprotected : { *(.unprotected) }
. = ALIGN(4096);
diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
index a0a843745695..b97e5798b9cf 100644
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -124,7 +124,7 @@ SECTIONS
. = ALIGN(16);
- RODATA
+ RO_DATA(4096)
/* Relocation table */
diff --git a/include/asm-generic/vmlinux.lds.h
b/include/asm-generic/vmlinux.lds.h
index dc3390ec6b60..a0a989fbe411 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -518,9 +518,7 @@
. = ALIGN((align)); \
__end_rodata = .;
-/* RODATA & RO_DATA provided for backward compatibility.
- * All archs are supposed to use RO_DATA() */
-#define RODATA RO_DATA_SECTION(4096)
+/* All archs are supposed to use RO_DATA() */
#define RO_DATA(align) RO_DATA_SECTION(align)
/*
--
2.17.1
[PATCH v3 21/29] ia64: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA.
Signed-off-by: Kees Cook
---
arch/ia64/kernel/vmlinux.lds.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
index 11d5115bc44d..1ec6b703c5b4 100644
--- a/arch/ia64/kernel/vmlinux.lds.S
+++ b/arch/ia64/kernel/vmlinux.lds.S
@@ -6,6 +6,7 @@
#include
#define EMITS_PT_NOTE
+#define RO_EXCEPTION_TABLE_ALIGN 16
#include
@@ -70,7 +71,6 @@ SECTIONS {
/*
* Read-only data
*/
- EXCEPTION_TABLE(16)
/* MCA table */
. = ALIGN(16);
--
2.17.1
[PATCH v3 12/29] vmlinux.lds.h: Replace RO_DATA_SECTION with RO_DATA
Finish renaming RO_DATA_SECTION to RO_DATA. (Calling this a "section"
is a lie, since it's multiple sections and section flags cannot be
applied to the macro.)
Signed-off-by: Kees Cook
Acked-by: Heiko Carstens # s390
Acked-by: Geert Uytterhoeven # m68k
---
arch/arc/kernel/vmlinux.lds.S | 2 +-
arch/c6x/kernel/vmlinux.lds.S | 2 +-
arch/csky/kernel/vmlinux.lds.S | 2 +-
arch/h8300/kernel/vmlinux.lds.S | 2 +-
arch/hexagon/kernel/vmlinux.lds.S | 2 +-
arch/m68k/kernel/vmlinux-nommu.lds | 2 +-
arch/nds32/kernel/vmlinux.lds.S | 2 +-
arch/nios2/kernel/vmlinux.lds.S | 2 +-
arch/openrisc/kernel/vmlinux.lds.S | 4 ++--
arch/parisc/kernel/vmlinux.lds.S| 4 ++--
arch/riscv/kernel/vmlinux.lds.S | 2 +-
arch/s390/kernel/vmlinux.lds.S | 2 +-
arch/unicore32/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h | 7 ++-
14 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 1d6eef4b6976..7d1d27066deb 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -95,7 +95,7 @@ SECTIONS
_etext = .;
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
/*
* 1. this is .data essentially
diff --git a/arch/c6x/kernel/vmlinux.lds.S b/arch/c6x/kernel/vmlinux.lds.S
index d6e3802536b3..a3547f9d415b 100644
--- a/arch/c6x/kernel/vmlinux.lds.S
+++ b/arch/c6x/kernel/vmlinux.lds.S
@@ -82,7 +82,7 @@ SECTIONS
EXCEPTION_TABLE(16)
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
.const :
{
*(.const .const.* .gnu.linkonce.r.*)
diff --git a/arch/csky/kernel/vmlinux.lds.S b/arch/csky/kernel/vmlinux.lds.S
index 75dd31412242..8598bd7a7bcd 100644
--- a/arch/csky/kernel/vmlinux.lds.S
+++ b/arch/csky/kernel/vmlinux.lds.S
@@ -49,7 +49,7 @@ SECTIONS
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S
index 88776e785245..d3247d33b115 100644
--- a/arch/h8300/kernel/vmlinux.lds.S
+++ b/arch/h8300/kernel/vmlinux.lds.S
@@ -38,7 +38,7 @@ SECTIONS
_etext = . ;
}
EXCEPTION_TABLE(16)
- RO_DATA_SECTION(4)
+ RO_DATA(4)
ROMEND = .;
#if defined(CONFIG_ROMKERNEL)
. = RAMTOP;
diff --git a/arch/hexagon/kernel/vmlinux.lds.S
b/arch/hexagon/kernel/vmlinux.lds.S
index 6a6e8fc422ee..0145251fa317 100644
--- a/arch/hexagon/kernel/vmlinux.lds.S
+++ b/arch/hexagon/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .;
RW_DATA_SECTION(32,PAGE_SIZE,_THREAD_SIZE)
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
_edata = .;
EXCEPTION_TABLE(16)
diff --git a/arch/m68k/kernel/vmlinux-nommu.lds
b/arch/m68k/kernel/vmlinux-nommu.lds
index cf6edda38971..de80f8b8ae78 100644
--- a/arch/m68k/kernel/vmlinux-nommu.lds
+++ b/arch/m68k/kernel/vmlinux-nommu.lds
@@ -60,7 +60,7 @@ SECTIONS {
#endif
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(16, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/nds32/kernel/vmlinux.lds.S b/arch/nds32/kernel/vmlinux.lds.S
index c4f1c5a604c3..10ff570ba95b 100644
--- a/arch/nds32/kernel/vmlinux.lds.S
+++ b/arch/nds32/kernel/vmlinux.lds.S
@@ -53,7 +53,7 @@ SECTIONS
_etext = .; /* End of text and rodata section */
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/nios2/kernel/vmlinux.lds.S b/arch/nios2/kernel/vmlinux.lds.S
index 20e4078b3477..318804a2c7a1 100644
--- a/arch/nios2/kernel/vmlinux.lds.S
+++ b/arch/nios2/kernel/vmlinux.lds.S
@@ -49,7 +49,7 @@ SECTIONS
__init_end = .;
_sdata = .;
- RO_DATA_SECTION(PAGE_SIZE)
+ RO_DATA(PAGE_SIZE)
RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/openrisc/kernel/vmlinux.lds.S
b/arch/openrisc/kernel/vmlinux.lds.S
index 142c51c994f5..f73e0d3ea09f 100644
--- a/arch/openrisc/kernel/vmlinux.lds.S
+++ b/arch/openrisc/kernel/vmlinux.lds.S
@@ -67,8 +67,8 @@ SECTIONS
_sdata = .;
- /* Page alignment required for RO_DATA_SECTION */
- RO_DATA_SECTION(PAGE_SIZE)
+ /* Page alignment required for RO_DATA */
+ RO_DATA(PAGE_SIZE)
_e_kernel_ro = .;
/* Whatever comes after _e_kernel_ro had better be page-aligend, too */
diff --git a/arch/parisc/kernel/vmlinux.lds.S b/arch/parisc/kernel/vmlinux.lds.S
index 168d12b2ebb8..e1c563c7dca1 100644
--- a/arch/parisc/kernel/vmlinux.lds.S
+++ b/arch/parisc/kernel/vmlinux.lds.S
@@ -109,7 +109,7 @@ SECTIONS
[PATCH v3 20/29] h8300: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Signed-off-by: Kees Cook --- arch/h8300/kernel/vmlinux.lds.S | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S index 2ac7bdcd2fe0..6b1afc2f9b68 100644 --- a/arch/h8300/kernel/vmlinux.lds.S +++ b/arch/h8300/kernel/vmlinux.lds.S @@ -1,4 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ + +#define RO_EXCEPTION_TABLE_ALIGN 16 + #include #include #include @@ -37,7 +40,6 @@ SECTIONS #endif _etext = . ; } - EXCEPTION_TABLE(16) RO_DATA(4) ROMEND = .; #if defined(CONFIG_ROMKERNEL) -- 2.17.1
[PATCH v3 13/29] vmlinux.lds.h: Replace RW_DATA_SECTION with RW_DATA
Rename RW_DATA_SECTION to RW_DATA. (Calling this a "section" is a lie,
since it's multiple sections and section flags cannot be applied to
the macro.)
Signed-off-by: Kees Cook
Acked-by: Heiko Carstens # s390
Acked-by: Geert Uytterhoeven # m68k
---
arch/alpha/kernel/vmlinux.lds.S | 2 +-
arch/arc/kernel/vmlinux.lds.S| 2 +-
arch/arm/kernel/vmlinux-xip.lds.S| 2 +-
arch/arm/kernel/vmlinux.lds.S| 2 +-
arch/arm64/kernel/vmlinux.lds.S | 2 +-
arch/csky/kernel/vmlinux.lds.S | 2 +-
arch/h8300/kernel/vmlinux.lds.S | 2 +-
arch/hexagon/kernel/vmlinux.lds.S| 2 +-
arch/m68k/kernel/vmlinux-nommu.lds | 2 +-
arch/m68k/kernel/vmlinux-std.lds | 2 +-
arch/m68k/kernel/vmlinux-sun3.lds| 2 +-
arch/microblaze/kernel/vmlinux.lds.S | 2 +-
arch/nds32/kernel/vmlinux.lds.S | 2 +-
arch/nios2/kernel/vmlinux.lds.S | 2 +-
arch/openrisc/kernel/vmlinux.lds.S | 2 +-
arch/parisc/kernel/vmlinux.lds.S | 2 +-
arch/riscv/kernel/vmlinux.lds.S | 2 +-
arch/s390/kernel/vmlinux.lds.S | 2 +-
arch/sh/kernel/vmlinux.lds.S | 2 +-
arch/sparc/kernel/vmlinux.lds.S | 2 +-
arch/unicore32/kernel/vmlinux.lds.S | 2 +-
arch/xtensa/kernel/vmlinux.lds.S | 2 +-
include/asm-generic/vmlinux.lds.h| 4 ++--
23 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/arch/alpha/kernel/vmlinux.lds.S b/arch/alpha/kernel/vmlinux.lds.S
index af411817dd7d..edc45f45523b 100644
--- a/arch/alpha/kernel/vmlinux.lds.S
+++ b/arch/alpha/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .; /* Start of rw data section */
_data = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
.got : {
*(.got)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 7d1d27066deb..54139a6f469b 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -101,7 +101,7 @@ SECTIONS
* 1. this is .data essentially
* 2. THREAD_SIZE for init.task, must be kernel-stk sz aligned
*/
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
diff --git a/arch/arm/kernel/vmlinux-xip.lds.S
b/arch/arm/kernel/vmlinux-xip.lds.S
index d2a9651c24ad..21b8b271c80d 100644
--- a/arch/arm/kernel/vmlinux-xip.lds.S
+++ b/arch/arm/kernel/vmlinux-xip.lds.S
@@ -112,7 +112,7 @@ SECTIONS
. = ALIGN(THREAD_SIZE);
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
.data.ro_after_init : AT(ADDR(.data.ro_after_init) - LOAD_OFFSET) {
*(.data..ro_after_init)
}
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
index 068db6860867..319ccb10846a 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -141,7 +141,7 @@ SECTIONS
__init_end = .;
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
BSS_SECTION(0, 0, 0)
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index e7dafc29b1fa..a4b3e6c0680c 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -214,7 +214,7 @@ SECTIONS
_data = .;
_sdata = .;
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
/*
* Data written with the MMU off but read with the MMU on requires
diff --git a/arch/csky/kernel/vmlinux.lds.S b/arch/csky/kernel/vmlinux.lds.S
index 8598bd7a7bcd..2ff37beaf2bf 100644
--- a/arch/csky/kernel/vmlinux.lds.S
+++ b/arch/csky/kernel/vmlinux.lds.S
@@ -50,7 +50,7 @@ SECTIONS
_sdata = .;
RO_DATA(PAGE_SIZE)
- RW_DATA_SECTION(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_SIZE)
_edata = .;
EXCEPTION_TABLE(L1_CACHE_BYTES)
diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S
index d3247d33b115..2ac7bdcd2fe0 100644
--- a/arch/h8300/kernel/vmlinux.lds.S
+++ b/arch/h8300/kernel/vmlinux.lds.S
@@ -47,7 +47,7 @@ SECTIONS
#endif
_sdata = . ;
__data_start = . ;
- RW_DATA_SECTION(0, PAGE_SIZE, THREAD_SIZE)
+ RW_DATA(0, PAGE_SIZE, THREAD_SIZE)
#if defined(CONFIG_ROMKERNEL)
#undef ADDR
#endif
diff --git a/arch/hexagon/kernel/vmlinux.lds.S
b/arch/hexagon/kernel/vmlinux.lds.S
index 0145251fa317..0ca2471ddb9f 100644
--- a/arch/hexagon/kernel/vmlinux.lds.S
+++ b/arch/hexagon/kernel/vmlinux.lds.S
@@ -49,7 +49,7 @@ SECTIONS
INIT_DATA_SECTION(PAGE_SIZE)
_sdata = .;
- RW_DATA_SECTION(32,PAGE_SIZE,_THREAD_SIZE)
+ RW_DATA(32
Re: [PATCH v2 01/29] powerpc: Rename "notes" PT_NOTE to "note"
On Tue, Oct 15, 2019 at 06:54:13PM +0200, Borislav Petkov wrote: > On Fri, Oct 11, 2019 at 11:25:52AM -0500, Segher Boessenkool wrote: > > Names *matter*, internal names doubly so. So why replace a good name with > > a worse name? Because it is slightly less work for you? > > So if we agree on the name "notes" and we decide to rename the other > arches, this should all be done in a separate patchset anyway, and ontop > of this one. And I believe Kees wouldn't mind doing it ontop since he's > gotten his hands dirty already. :-P I've added more rationale to patch #1 in the just-sent v3 of this series. If I still can't convince you Segher, I'm happy to send "patch 30/29" to do a bulk rename to "notes". Let me know. :) -- Kees Cook
[PATCH v3 26/29] x86/mm: Remove redundant on addresses
The on addresses are redundant. Remove them to match all the other
similar functions.
Signed-off-by: Kees Cook
---
arch/x86/mm/init_64.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 26299e9ce6da..e67ddca8b7a8 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1300,9 +1300,9 @@ void mark_rodata_ro(void)
{
unsigned long start = PFN_ALIGN(_text);
unsigned long rodata_start = PFN_ALIGN(__start_rodata);
- unsigned long end = (unsigned long) &__end_rodata_hpage_align;
- unsigned long text_end = PFN_ALIGN(&_etext);
- unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
+ unsigned long end = (unsigned long)__end_rodata_hpage_align;
+ unsigned long text_end = PFN_ALIGN(_etext);
+ unsigned long rodata_end = PFN_ALIGN(__end_rodata);
unsigned long all_end;
printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
--
2.17.1
[PATCH v3 29/29] x86: Use INT3 instead of NOP for linker fill bytes
Instead of using 0x90 (NOP) to fill bytes between functions, which makes it easier to sloppily target functions in function pointer overwrite attacks, fill with 0xCC (INT3) to force a trap. Also drop the space between "=" and the value to better match the binutils documentation https://sourceware.org/binutils/docs/ld/Output-Section-Fill.html#Output-Section-Fill Example "objdump -d" before: ... 810001e0 : 810001e0: 48 8b 25 e1 b1 51 01mov 0x151b1e1(%rip),%rsp # 8251b3c8 810001e7: e9 d5 fe ff ff jmpq 81c1 810001ec: 90 nop 810001ed: 90 nop 810001ee: 90 nop 810001ef: 90 nop 810001f0 <__startup_64>: ... After: ... 810001e0 : 810001e0: 48 8b 25 41 79 53 01mov 0x1537941(%rip),%rsp # 82537b28 810001e7: e9 d5 fe ff ff jmpq 81c1 810001ec: cc int3 810001ed: cc int3 810001ee: cc int3 810001ef: cc int3 810001f0 <__startup_64>: ... Signed-off-by: Kees Cook --- arch/x86/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b06d6e1188de..3a1a819da137 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -144,7 +144,7 @@ SECTIONS *(.text.__x86.indirect_thunk) __indirect_thunk_end = .; #endif - } :text = 0x9090 + } :text =0x /* End of text section, which should occupy whole number of pages */ _etext = .; -- 2.17.1
[PATCH v3 18/29] arm64: Move EXCEPTION_TABLE to RO_DATA segment
Since the EXCEPTION_TABLE is read-only, collapse it into RO_DATA. Also removes the redundant ALIGN, which is already present at the end of the RO_DATA macro. Signed-off-by: Kees Cook Acked-by: Will Deacon --- arch/arm64/kernel/vmlinux.lds.S | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index a4b3e6c0680c..9128a26eb45b 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -5,6 +5,8 @@ * Written by Martin Mares */ +#define RO_EXCEPTION_TABLE_ALIGN 8 + #include #include #include @@ -135,10 +137,9 @@ SECTIONS . = ALIGN(SEGMENT_ALIGN); _etext = .; /* End of text section */ - RO_DATA(PAGE_SIZE) /* everything from this point to */ - EXCEPTION_TABLE(8) /* __init_begin will be marked RO NX */ + /* everything from this point to __init_begin will be marked RO NX */ + RO_DATA(PAGE_SIZE) - . = ALIGN(PAGE_SIZE); idmap_pg_dir = .; . += IDMAP_DIR_SIZE; -- 2.17.1
