Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.4.118 2017-06-26T05:13:11Z 2017-06-26T05:13:11Z Hugh Dickins hughd@google.com 2017-06-19T11:03:24Z urn:sha1:4b359430674caa2c98d0049a6941f157d2a33741 commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream. Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN. This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunatelly. Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in the PAGE_SIZE units) which should cover larger alloca() and VLA stack allocations. It is obviously not a full fix because the problem is somehow inherent, but it should reduce attack space a lot. One could argue that the gap size should be configurable from userspace, but that can be done later when somebody finds that the new 1MB is wrong for some special case applications. For now, add a kernel command line option (stack_guard_gap) to specify the stack gap size (in page units). Implementation wise, first delete all the old code for stack guard page: because although we could get away with accounting one extra page in a stack vma, accounting a larger gap can break userspace - case in point, a program run with "ulimit -S -v 20000" failed when the 1MB gap was counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK and strict non-overcommit mode. Instead of keeping gap inside the stack vma, maintain the stack guard gap as a gap between vmas: using vm_start_gap() in place of vm_start (or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few places which need to respect the gap - mainly arch_get_unmapped_area(), and and the vma tree's subtree_gap support for that. Original-patch-by: Oleg Nesterov <oleg@redhat.com> Original-patch-by: Michal Hocko <mhocko@suse.com> Signed-off-by: Hugh Dickins <hughd@google.com> Acked-by: Michal Hocko <mhocko@suse.com> Tested-by: Helge Deller <deller@gmx.de> # parisc Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [wt: backport to 4.11: adjust context] [wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide] [wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes] Signed-off-by: Willy Tarreau <w@1wt.eu> [gkh: minor build fixes for 4.4] Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-06-17T04:39:38Z Max Filippov jcmvbkbc@gmail.com 2017-06-05T09:43:51Z urn:sha1:afb415f72daa0d9d8169a20f3ea3efbf05f630ca commit e5c86679d5e864947a52fb31e45a425dea3e7fa9 upstream. Linux IRQ #0 is reserved for error reporting and may not be used. Increase NR_IRQS for one additional slot and increase irq_domain_add_legacy parameter first_irq value to 1, so that linux IRQ #0 is not associated with hardware IRQ #0 in legacy IRQ domains. Introduce macro XTENSA_PIC_LINUX_IRQ for static translation of xtensa PIC hardware IRQ # to linux IRQ #. Use this macro in XTFPGA platform data definitions. This fixes inability to use hardware IRQ #0 in configurations that don't use device tree and allows for non-identity mapping between linux IRQ # and hardware IRQ #. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-03-15T01:57:14Z Max Filippov jcmvbkbc@gmail.com 2017-01-03T17:37:34Z urn:sha1:21096328c97e707f2190b26a06d8b805551a543d commit 4ab18701c66552944188dbcd0ce0012729baab84 upstream. FDT tag parsing is not related to whether BLK_DEV_INITRD is configured or not, move it out of the corresponding #ifdef/#endif block. This fixes passing external FDT to the kernel configured w/o BLK_DEV_INITRD support. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-04-12T16:08:55Z Max Filippov jcmvbkbc@gmail.com 2016-03-03T15:34:29Z urn:sha1:1f841628aca5d4133ad2aba0e2f279c8ab65b9d8 commit 7de7ac785ae18a2cdc78d7560f48e3213d9ea0ab upstream. There are XCHAL_NUM_DBREAK registers, clear them all. This also fixes cryptic assembler error message with binutils 2.25 when XCHAL_NUM_DBREAK is 0: as: out of memory allocating 18446744073709551575 bytes after a total of 495616 bytes Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-11-10T00:32:13Z Linus Torvalds torvalds@linux-foundation.org 2015-11-10T00:32:13Z urn:sha1:3510ca19a82ba4c6a17af79c1f0448622a406efa Pull xtensa updates from Chris Zankel: - fix remaining issues with noMMU cores - fix build for cores w/o cache or zero overhead loop options - fix boot of secondary cores in SMP configuration - add support for DMA to high memory pages - add dma_to_phys and phys_to_dma functions. * tag 'xtensa-20151108' of git://github.com/czankel/xtensa-linux: xtensa: implement dma_to_phys and phys_to_dma xtensa: support DMA to high memory Revert "xtensa: cache inquiry and unaligned cache handling functions" xtensa: drop unused sections and remapped reset handlers xtensa: fix secondary core boot in SMP xtensa: add FORCE_MAX_ZONEORDER to Kconfig xtensa: nommu: provide defconfig for de212 on kc705 xtensa: nommu: xtfpga: add kc705 DTS xtensa: add de212 core variant xtensa: nommu: select HAVE_FUTEX_CMPXCHG xtensa: nommu: fix default memory start address xtensa: nommu: provide correct KIO addresses xtensa: nommu: fix USER_RING definition xtensa: xtfpga: fix integer overflow in TASK_SIZE xtensa: fix build for configs without cache options xtensa: fixes for configs without loop option 2015-11-08T22:25:37Z Max Filippov jcmvbkbc@gmail.com 2015-10-08T23:44:23Z urn:sha1:c7ca9fe17b84719ef2edbe854e1b0cac04a91e2f - don't bugcheck if high memory page is passed to xtensa_map_page; - turn empty dcache flush macros into functions so that they could be passed as function parameters; - use kmap_atomic to map high memory pages for cache invalidation/ flushing performed by xtensa_sync_single_for_{cpu,device}. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> 2015-11-03T14:19:39Z Max Filippov jcmvbkbc@gmail.com 2015-10-16T15:30:37Z urn:sha1:0d848afe117ac3e31b9d57b65553ff18ef9d288f There are no .bootstrap or .ResetVector.text sections linked to the vmlinux image, drop these sections from vmlinux.ld.S. Drop RESET_VECTOR_VADDR definition only used for .ResetVector.text. Drop remapped copies of primary and secondary reset vectors, as modern gdb don't have problems stepping through instructions at arbitrary locations. Drop corresponding sections from the corresponding linker scripts. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> 2015-11-03T14:19:38Z Max Filippov jcmvbkbc@gmail.com 2015-10-16T14:01:04Z urn:sha1:ab45fb145096799dabd18afc58bb5f97171017cd There are multiple factors adding to the issue in different configurations: - commit 17290231df16eeee ("xtensa: add fixup for double exception raised in window overflow") added function window_overflow_restore_a0_fixup to double exception vector overlapping reset vector location of secondary processor cores. - on MMUv2 cores RESET_VECTOR1_VADDR may point to uncached kernel memory making code overlapping depend on cache type and size, so that without cache or with WT cache reset vector code overwrites double exception code, making issue even harder to detect. - on MMUv3 cores RESET_VECTOR1_VADDR may point to unmapped area, as MMUv3 cores change virtual address map to match MMUv2 layout, but reset vector virtual address is given for the original MMUv3 mapping. - physical memory region of the secondary reset vector is not reserved in the physical memory map, and thus may be allocated and overwritten at arbitrary moment. Fix it as follows: - move window_overflow_restore_a0_fixup code to .text section. - define RESET_VECTOR1_VADDR so that it points to reset vector in the cacheable MMUv2 map for cores with MMU. - reserve reset vector region in the physical memory map. Drop separate literal section and build mxhead.S with text section literals. Cc: <stable@vger.kernel.org> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> 2015-11-02T15:03:02Z Max Filippov jcmvbkbc@gmail.com 2015-09-24T20:36:45Z urn:sha1:260c64bbabdb8da7248c87e0cdd92023bd7b76c6 KIO region location is different for noMMU cores. Provide different default physical address and make KIO virtual address equal to physical. Move xtensa_get_kio_paddr function close to XCHAL_KIO_PADDR definition and define it not only for MMUv3, but for all MMU options except MMUv2. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> 2015-11-02T15:02:47Z Max Filippov jcmvbkbc@gmail.com 2015-09-24T20:11:53Z urn:sha1:5029615e25dc5040beb065f36743c127a8e51497 Build-time fixes: - make lbeg/lend/lcount save/restore conditional on kernel entry; - don't clear lcount in platform_restart functions unconditionally. Run-time fixes: - use correct end of range register in __endla paired with __loopt, not the unused temporary register. This fixes .bss zero-initialization. Update comments in asmmacro.h; - don't clobber a10 in the usercopy that leads to access to unmapped memory. Cc: <stable@vger.kernel.org> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>