Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.2 2015-08-07T01:39:40Z 2015-08-07T01:39:40Z Amanieu d'Antras amanieu@gmail.com 2015-08-06T22:46:26Z urn:sha1:3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 This function can leak kernel stack data when the user siginfo_t has a positive si_code value. The top 16 bits of si_code descibe which fields in the siginfo_t union are active, but they are treated inconsistently between copy_siginfo_from_user32, copy_siginfo_to_user32 and copy_siginfo_to_user. copy_siginfo_from_user32 is called from rt_sigqueueinfo and rt_tgsigqueueinfo in which the user has full control overthe top 16 bits of si_code. This fixes the following information leaks: x86: 8 bytes leaked when sending a signal from a 32-bit process to itself. This leak grows to 16 bytes if the process uses x32. (si_code = __SI_CHLD) x86: 100 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = -1) sparc: 4 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = any) parsic and s390 have similar bugs, but they are not vulnerable because rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code to a different process. These bugs are also fixed for consistency. Signed-off-by: Amanieu d'Antras <amanieu@gmail.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Russell King <rmk@arm.linux.org.uk> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Chris Metcalf <cmetcalf@ezchip.com> Cc: Paul Mackerras <paulus@samba.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-07-23T18:11:09Z Chris Metcalf cmetcalf@ezchip.com 2015-07-23T18:11:09Z urn:sha1:3f81d2447b37ac697b3c600039f2c6b628c06e21 We were previously using free_bootmem() and just getting lucky that nothing too bad happened. Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com> Cc: stable@vger.kernel.org 2015-07-05T02:36:06Z Linus Torvalds torvalds@linux-foundation.org 2015-07-05T02:36:06Z urn:sha1:1dc51b8288007753ad7cd7d08bb8fa930fc8bb10 Pull more vfs updates from Al Viro: "Assorted VFS fixes and related cleanups (IMO the most interesting in that part are f_path-related things and Eric's descriptor-related stuff). UFS regression fixes (it got broken last cycle). 9P fixes. fs-cache series, DAX patches, Jan's file_remove_suid() work" [ I'd say this is much more than "fixes and related cleanups". The file_table locking rule change by Eric Dumazet is a rather big and fundamental update even if the patch isn't huge. - Linus ] * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (49 commits) 9p: cope with bogus responses from server in p9_client_{read,write} p9_client_write(): avoid double p9_free_req() 9p: forgetting to cancel request on interrupted zero-copy RPC dax: bdev_direct_access() may sleep block: Add support for DAX reads/writes to block devices dax: Use copy_from_iter_nocache dax: Add block size note to documentation fs/file.c: __fget() and dup2() atomicity rules fs/file.c: don't acquire files->file_lock in fd_install() fs:super:get_anon_bdev: fix race condition could cause dev exceed its upper limitation vfs: avoid creation of inode number 0 in get_next_ino namei: make set_root_rcu() return void make simple_positive() public ufs: use dir_pages instead of ufs_dir_pages() pagemap.h: move dir_pages() over there remove the pointless include of lglock.h fs: cleanup slight list_entry abuse xfs: Correctly lock inode when removing suid and file capabilities fs: Call security_ops->inode_killpriv on truncate fs: Provide function telling whether file_remove_privs() will do anything ... 2015-07-02T18:07:27Z Linus Torvalds torvalds@linux-foundation.org 2015-07-02T18:07:27Z urn:sha1:a611fb75d0517fce65f588cde94f80bb4052c6b2 Pull init.h/module.h fragility fixes from Paul Gortmaker: "Fixup various init.h misuses that are fragile wrt code moving to module.h What started as a removal of no longer required include <linux/init.h> due to the earlier __cpuinit and __devinit removal led to the observation that some module specfic support was living in init.h itself, thus preventing the full removal from introducing compile regressions. This series includes a few final fixups needed prior to the relocation of the modular init code from <init.h> to <module.h>. These are things that weren't easily categorized into any of the other previous series categories already requested for pull. That said, each fixup branch (including this one) is independent and there are no ordering constraints. Only the final code relocation (which is NOT in this pull) requires that all my cleanup branches be merged first" * tag 'module-misc-v4.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux: tile: add init.h to usb.c to avoid compile failure arm: fix implicit #include <linux/init.h> in entry asm. x86: replace __init_or_module with __init in non-modular vsmp_64.c 2015-07-01T04:47:12Z Linus Torvalds torvalds@linux-foundation.org 2015-07-01T04:47:12Z urn:sha1:05a8256c586ab75bcd6b793737b2022a1a98cb1e Pull arch/tile updates from Chris Metcalf: "These are a grab bag of changes to improve debugging and respond to a variety of issues raised on LKML over the last couple of months" * git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: tile: avoid a "label not used" warning in do_page_fault() tile: vdso: use raw_read_seqcount_begin() in vdso tile: force CONFIG_TILEGX if ARCH != tilepro tile: improve stack backtrace tile: fix "odd fault" warning for stack backtraces tile: set up initial stack top to honor STACK_TOP_DELTA tile: support delivering NMIs for multicore backtrace drivers/tty/hvc/hvc_tile.c: properly return -EAGAIN tile: add <asm/word-at-a-time.h> and enable support functions tile: use READ_ONCE() in arch_spin_is_locked() tile: modify arch_spin_unlock_wait() semantics 2015-06-23T22:00:05Z Miklos Szeredi mszeredi@suse.cz 2015-06-19T08:29:13Z urn:sha1:9bf39ab2adafd7cf8740859cb49e7b7952813a5d Turn d_path(&file->f_path, ...); into file_path(file, ...); Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2015-06-16T18:12:41Z Paul Gortmaker paul.gortmaker@windriver.com 2015-06-05T13:37:19Z urn:sha1:32e805e7c6a343894c95a3431973e8ddad4aa2cf Pending header cleanups will reveal this file is using the init.h content implicitly with the following fail: arch/tile/kernel/usb.c:69:1: warning: data definition has no type or storage class [enabled by default] arch/tile/kernel/usb.c:69:1: error: type defaults to 'int' in declaration of 'arch_initcall' arch/tile/kernel/usb.c:69:1: warning: parameter names (without types) in function declaration [enabled by default] arch/tile/kernel/usb.c:62:19: warning: 'tilegx_usb_init' defined but not used Explicitly add init.h to get arch_initcall and avoid this. Reported-by: kbuild test robot <fengguang.wu@intel.com> Cc: Chris Metcalf <cmetcalf@ezchip.com> Acked-by: Chris Metcalf <cmetcalf@ezchip.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2015-06-04T17:31:27Z Chris Metcalf cmetcalf@ezchip.com 2015-06-04T17:28:16Z urn:sha1:9ae4d6bf228ec7f338e8220babb87ee4fae10429 Previously we were using read_seqcount_begin(), which works fine until lockdep is enabled in the kernel, at which point lockdep locking shows up in the vdso and userspace will take a GPV accessing a kernel-only SPR when calling gettimeofday() etc. Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com> 2015-05-11T15:22:40Z Chris Metcalf cmetcalf@ezchip.com 2015-05-08T14:27:35Z urn:sha1:47ad7b9bbeaac34e43d9dc8db796f1f68194b9ad This commit fixes a number of issues with the tile backtrace code. - Don't try to identify userspace shared object or executable paths if we are doing a backtrace from an interrupt; it's not legal, and also unlikely to be interesting. Likewise, don't try to do it for other address spaces, since d_path() assumes it is being called in "current" context. - Move "in_backtrace" from thread_struct to thread_info. This way we can access it even if our stack thread_info has been clobbered, which makes backtracing more robust. - Avoid using "current" directly when testing for is_sigreturn(). Since "current" may be corrupt, we're better off using kbt->task explicitly to look up the vdso_base for the current task. Conveniently, this simplifies the internal APIs (we only need one is_sigreturn() function now). - Avoid bogus "Odd fault" warning when pc/sp/ex1 are all zero, as is true for kernel threads above the last frame. - Hook into Tejun Heo's dump_stack() framework in lib/dump_stack.c. - Write last entry in save_stack_trace() as ULONG_MAX, not zero, since ftrace (at least) relies on finding that marker. - Implement save_stack_trace_regs() and save_strack_trace_user(), and set CONFIG_USER_STACKTRACE_SUPPORT. Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com> 2015-05-11T15:22:37Z Chris Metcalf cmetcalf@ezchip.com 2015-05-07T18:34:59Z urn:sha1:e8200baa2fd2e9c4bc7abd824a9e675d914e54a0 We were setting ex1 in new kernel threads to KERNEL_PL. But since we just do a simple context-switch, not an iret, any value set here is ignored anyway, and its presence causes stack backtraces to end with a warning about an "odd fault". Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>