27 May, 2020

1 commit

  • commit 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 upstream.

    I don't see what security concern is addressed by obfuscating NULL
    and IS_ERR() error pointers, printed with %p/%pK. Given the number
    of sites where %p is used (over 10000) and the fact that NULL pointers
    aren't uncommon, it probably wouldn't take long for an attacker to
    find the hash that corresponds to 0. Although harder, the same goes
    for most common error values, such as -1, -2, -11, -14, etc.

    The NULL part actually fixes a regression: NULL pointers weren't
    obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when
    dereferencing invalid pointers") which went into 5.2. I'm tacking
    the IS_ERR() part on here because error pointers won't leak kernel
    addresses and printing them as pointers shouldn't be any different
    from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes
    debugging based on existing pr_debug and friends excruciating.

    Note that the "always print 0's for %pK when kptr_restrict == 2"
    behaviour which goes way back is left as is.

    Example output with the patch applied:

                    ptr               error-ptr         NULL
    %p:             0000000001f8cc5b  fffffffffffffff2  0000000000000000
    %pK, kptr = 0:  0000000001f8cc5b  fffffffffffffff2  0000000000000000
    %px:            ffff888048c04020  fffffffffffffff2  0000000000000000
    %pK, kptr = 1:  ffff888048c04020  fffffffffffffff2  0000000000000000
    %pK, kptr = 2:  0000000000000000  0000000000000000  0000000000000000

    Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
    Signed-off-by: Ilya Dryomov
    Reviewed-by: Petr Mladek
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Acked-by: Steven Rostedt (VMware)
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Ilya Dryomov
     

15 Aug, 2019

1 commit

  • Commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid
    pointers") prevents most crashes except for %pD.
    There is an additional pointer dereferencing before dentry_name.

    At least, vma->file can be NULL and be passed to printk %pD in
    print_bad_pte, which can cause a crash.

    This patch fixes it by introducing a new file_dentry_name.

    Link: http://lkml.kernel.org/r/20190809012457.56685-1-justin.he@arm.com
    Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
    To: Geert Uytterhoeven
    To: Thomas Gleixner
    To: Andy Shevchenko
    To: linux-kernel@vger.kernel.org
    Cc: Kees Cook
    Cc: "Steven Rostedt (VMware)"
    Cc: Shuah Khan
    Cc: "Tobin C. Harding"
    Signed-off-by: Jia He
    Reviewed-by: Andy Shevchenko
    Reviewed-by: Sergey Senozhatsky
    Signed-off-by: Petr Mladek

    Jia He
     

10 Jul, 2019

1 commit


04 Jul, 2019

1 commit

  • When using the legacy clock framework, clock pointers are no longer
    printed as IDs, as the !CONFIG_COMMON_CLK case was accidentally
    considered an error case.

    Fix this by reverting to the old behavior, which allows to distinguish
    clocks by ID, as the legacy clock framework does not store names with
    clocks.

    Fixes: 0b74d4d763fd4ee9 ("vsprintf: Consolidate handling of unknown pointer specifiers")
    Link: http://lkml.kernel.org/r/20190701140009.23683-1-geert+renesas@glider.be
    Cc: Sergey Senozhatsky
    Cc: Andy Shevchenko
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     

12 Jun, 2019

1 commit


21 May, 2019

1 commit

  • Add SPDX license identifiers to all files which:

    - Have no license information of any form

    - Have EXPORT_.*_SYMBOL_GPL inside which was used in the
    initial scan/conversion to ignore the file

    These files fall under the project license, GPL v2 only. The resulting SPDX
    license identifier is:

    GPL-2.0-only

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

10 May, 2019

1 commit

  • The commit 3e5903eb9cff70730 ("vsprintf: Prevent crash when dereferencing
    invalid pointers") broke boot on several architectures. The common
    pattern is that probe_kernel_read() is not working during early
    boot because userspace access framework is not ready.

    It is a generic problem. We have to avoid any complex external
    functions in vsprintf() code, especially in the common path.
    They might break printk() easily and are hard to debug.

    Replace probe_kernel_read() with some simple checks for obvious
    problems.

    Details:

    1. Report on Power:

    Kernel crashes very early during boot with CONFIG_PPC_KUAP and
    CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG

    The problem is the combination of some new code called via printk(),
    check_pointer() which calls probe_kernel_read(). That then calls
    allow_user_access() (PPC_KUAP) and that uses mmu_has_feature() too early
    (before we've patched features). With the JUMP_LABEL debug enabled that
    causes us to call printk() & dump_stack() and we end up recursing and
    overflowing the stack.

    Because it happens so early you don't get any output, just an apparently
    dead system.

    The stack trace (which you don't see) is something like:

    ...
    dump_stack+0xdc
    probe_kernel_read+0x1a4
    check_pointer+0x58
    string+0x3c
    vsnprintf+0x1bc
    vscnprintf+0x20
    printk_safe_log_store+0x7c
    printk+0x40
    dump_stack_print_info+0xbc
    dump_stack+0x8
    probe_kernel_read+0x1a4
    probe_kernel_read+0x19c
    check_pointer+0x58
    string+0x3c
    vsnprintf+0x1bc
    vscnprintf+0x20
    vprintk_store+0x6c
    vprintk_emit+0xec
    vprintk_func+0xd4
    printk+0x40
    cpufeatures_process_feature+0xc8
    scan_cpufeatures_subnodes+0x380
    of_scan_flat_dt_subnodes+0xb4
    dt_cpu_ftrs_scan_callback+0x158
    of_scan_flat_dt+0xf0
    dt_cpu_ftrs_scan+0x3c
    early_init_devtree+0x360
    early_setup+0x9c

    2. Report on s390:

    vsnprintf invocations are broken on s390. For example, the early boot
    output now looks like this where the first (efault) should be
    the linux_banner:

    [ 0.099985] (efault)
    [ 0.099985] setup: Linux is running as a z/VM guest operating system in 64-bit mode
    [ 0.100066] setup: The maximum memory size is 8192MB
    [ 0.100070] cma: Reserved 4 MiB at (efault)
    [ 0.100100] numa: NUMA mode: (efault)

    The reason for this is that the code assumes that
    probe_kernel_address() works very early. This however is not true on
    at least s390. Uaccess on KERNEL_DS works only after page tables have
    been set up on s390, which happens with setup_arch()->paging_init().

    Any probe_kernel_address() invocation before that will return -EFAULT.

    Fixes: 3e5903eb9cff70730 ("vsprintf: Prevent crash when dereferencing invalid pointers")
    Link: http://lkml.kernel.org/r/20190510084213.22149-1-pmladek@suse.com
    Cc: Andy Shevchenko
    Cc: Rasmus Villemoes
    Cc: "Tobin C . Harding"
    Cc: Michal Hocko
    Cc: Sergey Senozhatsky
    Cc: Steven Rostedt
    Cc: linux-kernel@vger.kernel.org
    Cc: Michael Ellerman
    Cc: linuxppc-dev@lists.ozlabs.org
    Cc: Russell Currey
    Cc: Christophe Leroy
    Cc: Stephen Rothwell
    Cc: Heiko Carstens
    Cc: linux-arch@vger.kernel.org
    Cc: linux-s390@vger.kernel.org
    Cc: Martin Schwidefsky
    Cc: Petr Mladek
    Reviewed-by: Sergey Senozhatsky
    Signed-off-by: Petr Mladek

    Petr Mladek
     

29 Apr, 2019

1 commit


26 Apr, 2019

10 commits

  • The inlined error messages must be used carefully because
    they need to fit into the given buffer.

    Handle them using a custom wrapper that makes people aware
    of the problem. Also define a reasonable hard limit to
    avoid a completely insane usage.

    Suggested-by: Sergey Senozhatsky
    Link: http://lkml.kernel.org/r/20190417115350.20479-11-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • We are able to detect invalid values handled by %p[iI] printk specifier.
    The current error message is "invalid address". It might cause confusion
    against "(efault)" reported by the generic valid_pointer_address() check.

    Let's unify the style and use the more appropriate error code description
    "(einval)".

    Link: http://lkml.kernel.org/r/20190417115350.20479-10-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • We already prevent crash when dereferencing some obviously broken
    pointers. But the handling is not consistent. Sometimes we print "(null)"
    only for pure NULL pointer, sometimes for pointers in the first
    page and sometimes also for pointers in the last page (error codes).

    Note that printk() calls this code under logbuf_lock. Any recursive
    printks are redirected to the printk_safe implementation and the messages
    are stored into per-CPU buffers. These buffers might be eventually flushed
    in printk_safe_flush_on_panic() but it is not guaranteed.

    This patch adds a check using probe_kernel_read(). It is not a foolproof
    test. But it should help to see the error message in 99% of situations where
    the kernel would silently crash otherwise.

    Also it makes the error handling unified for "%s" and the many %p*
    specifiers that need to read the data from a given address. We print:

    + (null) when accessing data on pure NULL address
    + (efault) when accessing data on an invalid address

    It does not affect the %p* specifiers that just print the given address
    in some form, namely %pF, %pf, %pS, %ps, %pB, %pK, %px, and plain %p.

    Note that we print (efault) for security reasons. In fact, the real
    address can be seen only by %px or eventually %pK.

    Link: http://lkml.kernel.org/r/20190417115350.20479-9-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • There are a few printk formats that make sense only with two or more
    specifiers. Also some specifiers make sense only when a kernel feature
    is enabled.

    The handling of unknown specifiers is inconsistent and not helpful.
    Using WARN() looks like overkill for this type of error. pr_warn()
    is not good either. It would be handled via printk_safe buffer and
    it might be hard to match it with the problematic string.

    A reasonable compromise seems to be writing the unknown format specifier
    into the original string with a question mark, for example (%pC?).
    It should be self-explaining enough. Note that it is in brackets
    to follow the (null) style.

    Note that it introduces a warning that the test_hashed() function
    is unused. It is going to be used again by a later patch.

    Link: http://lkml.kernel.org/r/20190417115350.20479-8-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • Move code from the long pointer() function. We are going to improve
    error handling that will make it even more complicated.

    This patch does not change the existing behavior.

    Link: http://lkml.kernel.org/r/20190417115350.20479-7-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Cc: Kees Cook
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • Move the code from the long pointer() function. We are going to improve
    error handling that will make it more complicated.

    This patch does not change the existing behavior.

    Link: http://lkml.kernel.org/r/20190417115350.20479-6-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • Move the non-trivial code from the long pointer() function. We are going
    to improve error handling that will make it even more complicated.

    This patch does not change the existing behavior.

    Link: http://lkml.kernel.org/r/20190417115350.20479-5-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Sergey Senozhatsky
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • We are going to check the address using probe_kernel_address(). It will
    be more expensive and it does not make sense for well-known addresses.

    This patch splits the string() function. The variant without the check
    is then used on locations that handle string constants or strings defined
    as local variables.

    This patch does not change the existing behavior.

    Link: http://lkml.kernel.org/r/20190417115350.20479-4-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek
    Reviewed-by: Sergey Senozhatsky

    Petr Mladek
     
  • restricted_pointer() pretends that it prints the address when kptr_restrict
    is set to zero. But it is never called in this situation. Instead,
    pointer() falls back to ptr_to_id() and hashes the pointer.

    This patch removes the potential confusion. kptr_restrict is checked only
    in restricted_pointer().

    It actually fixes a small race when the address might get printed unhashed:

    CPU0                            CPU1

    pointer()
      if (!kptr_restrict)
           /* for example set to 2 */
      restricted_pointer()
                                    /* echo 0 >/proc/sys/kernel/kptr_restrict */
                                    proc_dointvec_minmax_sysadmin()
                                      kptr_restrict = 0;
        switch(kptr_restrict)
          case 0:
            break;

        number()

    Fixes: ef0010a30935de4e0211 ("vsprintf: don't use 'restricted_pointer()' when not restricting")
    Link: http://lkml.kernel.org/r/20190417115350.20479-3-pmladek@suse.com
    To: Andy Shevchenko
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Cc: Kees Cook
    Reviewed-by: Andy Shevchenko
    Reviewed-by: Steven Rostedt (VMware)
    Reviewed-by: Sergey Senozhatsky
    Signed-off-by: Petr Mladek

    Petr Mladek
     
  • This is just a preparation step for further changes.

    The patch does not change the code.

    Link: http://lkml.kernel.org/r/20190417115350.20479-2-pmladek@suse.com
    To: Rasmus Villemoes
    Cc: Linus Torvalds
    Cc: "Tobin C . Harding"
    Cc: Joe Perches
    Cc: Andrew Morton
    Cc: Michal Hocko
    Cc: Steven Rostedt
    Cc: Sergey Senozhatsky
    Cc: linux-kernel@vger.kernel.org
    Reviewed-by: Andy Shevchenko
    Reviewed-by: Sergey Senozhatsky
    Signed-off-by: Petr Mladek

    Petr Mladek
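
The kptr_restrict race from the 26 Apr, 2019 commit above ("It actually fixes a small race when the address might get printed unhashed") as a deterministic userspace model. This is an added example, not kernel code: cpu1_step, format_pK_old, format_pK_new and race_demo are hypothetical names, the hash is a placeholder for ptr_to_id(), and the credential checks for kptr_restrict == 1 are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int kptr_restrict;        /* stand-in for /proc/sys/kernel/kptr_restrict */
static void (*cpu1_step)(void);  /* hypothetical hook: what CPU1 does mid-call */

static void sysctl_write_zero(void) { kptr_restrict = 0; }

/* Placeholder for ptr_to_id(): a fixed mixing step, NOT the kernel's keyed hash. */
static int print_hashed(char *buf, size_t n, uint64_t p)
{
    uint32_t id = (uint32_t)((p ^ (p >> 32)) * 0x9e3779b1u);
    return snprintf(buf, n, "%016llx", (unsigned long long)id);
}

static int print_raw(char *buf, size_t n, uint64_t p)
{
    return snprintf(buf, n, "%016llx", (unsigned long long)p);
}

/* Before: the callee re-reads the setting the caller has already tested. */
static int restricted_pointer_old(char *buf, size_t n, uint64_t p)
{
    switch (kptr_restrict) {     /* second read */
    case 0:                      /* assumed unreachable because of the caller's test */
        break;
    case 1:                      /* credential checks omitted in this model */
        break;
    default:
        p = 0;
    }
    return print_raw(buf, n, p); /* number() in the diagram */
}

int format_pK_old(char *buf, size_t n, uint64_t p)
{
    if (!kptr_restrict)          /* first read */
        return print_hashed(buf, n, p);
    if (cpu1_step)
        cpu1_step();             /* the sysctl write lands between the two reads */
    return restricted_pointer_old(buf, n, p);
}

/* After: the setting is read in one place and case 0 hashes. */
int format_pK_new(char *buf, size_t n, uint64_t p)
{
    if (cpu1_step)
        cpu1_step();
    switch (kptr_restrict) {
    case 0:
        return print_hashed(buf, n, p);
    case 1:
        break;
    default:
        p = 0;
    }
    return print_raw(buf, n, p);
}

/* Runs one formatter with kptr_restrict = 2 while "CPU1" writes 0 mid-call. */
const char *race_demo(int use_new)
{
    static char out[32];
    /* sample %px value taken from the example output in the first commit above */
    const uint64_t addr = 0xffff888048c04020ULL;

    kptr_restrict = 2;
    cpu1_step = sysctl_write_zero;
    if (use_new)
        format_pK_new(out, sizeof(out), addr);
    else
        format_pK_old(out, sizeof(out), addr);
    cpu1_step = NULL;
    return out;
}

int main(void)
{
    printf("old: %s\n", race_demo(0));   /* raw address escapes */
    printf("new: %s\n", race_demo(1));   /* hashed value only */
    return 0;
}
```

In the fixed shape the write can land before or after the single read; the result is then either the hashed value or all zeroes, never the raw address.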
     

10 Mar, 2019

1 commit

  • Pull printk updates from Petr Mladek:

    - Allow to sort mixed lines by extra information about the caller

    - Remove no longer used LOG_PREFIX.

    - Some clean up and documentation update.

    * tag 'printk-for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
    printk/docs: Add extra integer types to printk-formats
    printk: Remove no longer used LOG_PREFIX.
    lib/vsprintf: Remove %pCr remnant in comment
    printk: Pass caller information to log_store().
    printk: Add caller information to printk() output.

    Linus Torvalds
     

08 Mar, 2019

1 commit

  • At the time of commit d048419311ff ("lib/vsprintf.c: expand field_width
    to 24 bits"), there was no compiletime_assert/BUILD_BUG/.... variant
    that could be used outside function scope. Now we have static_assert(),
    so move the assertion next to the definition instead of hiding it in
    some arbitrary function.

    Also add the appropriate #include to avoid relying on build_bug.h being
    pulled in via some arbitrary chain of includes.

    Link: http://lkml.kernel.org/r/20190208203015.29702-2-linux@rasmusvillemoes.dk
    Signed-off-by: Rasmus Villemoes
    Cc: Alexander Viro
    Cc: Kees Cook
    Cc: Luc Van Oostenryck
    Cc: Masahiro Yamada
    Cc: Nick Desaulniers
    Cc: Alexey Dobriyan
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Rasmus Villemoes
     

28 Feb, 2019

1 commit

  • Support for "%pCr" was removed, but a reference in a comment was
    forgotten.

    Fixes: 666902e42fd8344b ("lib/vsprintf: Remove atomic-unsafe support for %pCr")
    Link: http://lkml.kernel.org/r/20190228105315.744-1-geert+renesas@glider.be
    To: Andy Shevchenko
    To: Andrew Morton
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     

11 Dec, 2018

1 commit

  • There are users which print time and date represented by content of
    struct rtc_time in human readable format.

    Instead of open coding that each time introduce %ptR[dt][r] specifier.

    Cc: Arnd Bergmann
    Cc: Bartlomiej Zolnierkiewicz
    Cc: Dmitry Torokhov
    Cc: Geert Uytterhoeven
    Cc: Guan Xuetao
    Cc: Ingo Molnar
    Cc: Jason Wessel
    Cc: Jonathan Corbet
    Cc: Jonathan Hunter
    Cc: Krzysztof Kozlowski
    Cc: "Rafael J. Wysocki"
    Cc: Thierry Reding
    Cc: Petr Mladek
    Signed-off-by: Andy Shevchenko
    Reviewed-by: Petr Mladek
    Signed-off-by: Alexandre Belloni

    Andy Shevchenko
     

27 Oct, 2018

1 commit

  • Pull Devicetree updates from Rob Herring:
    "A bit bigger than normal as I've been busy this cycle.

    There's a few things with dependencies and a few things subsystem
    maintainers didn't pick up, so I'm taking them thru my tree.

    The fixes from Johan didn't get into linux-next, but they've been
    waiting for some time now and they are what's left of what subsystem
    maintainers didn't pick up.

    Summary:

    - Sync dtc with upstream version v1.4.7-14-gc86da84d30e4

    - Work to get rid of direct accesses to struct device_node name and
    type pointers in preparation for removing them. New helpers for
    parsing DT cpu nodes and conversions to use the helpers. printk
    conversions to %pOFn for printing DT node names. Most went thru
    subsystem trees, so this is the remainder.

    - Fixes to DT child node lookups to actually be restricted to child
    nodes instead of treewide.

    - Refactoring of dtb targets out of arch code. This makes the support
    more uniform and enables building all dtbs on c6x, microblaze, and
    powerpc.

    - Various DT binding updates for Renesas r8a7744 SoC

    - Vendor prefixes for Facebook, OLPC

    - Restructuring of some ARM binding docs moving some peripheral
    bindings out of board/SoC binding files

    - New "secure-chosen" binding for secure world settings on ARM

    - Dual licensing of 2 DT IRQ binding headers"

    * tag 'devicetree-for-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: (78 commits)
    ARM: dt: relicense two DT binding IRQ headers
    power: supply: twl4030-charger: fix OF sibling-node lookup
    NFC: nfcmrvl_uart: fix OF child-node lookup
    net: stmmac: dwmac-sun8i: fix OF child-node lookup
    net: bcmgenet: fix OF child-node lookup
    drm/msm: fix OF child-node lookup
    drm/mediatek: fix OF sibling-node lookup
    of: Add missing exports of node name compare functions
    dt-bindings: Add OLPC vendor prefix
    dt-bindings: misc: bk4: Add device tree binding for Liebherr's BK4 SPI bus
    dt-bindings: thermal: samsung: Add SPDX license identifier
    dt-bindings: clock: samsung: Add SPDX license identifiers
    dt-bindings: timer: ostm: Add R7S9210 support
    dt-bindings: phy: rcar-gen2: Add r8a7744 support
    dt-bindings: can: rcar_can: Add r8a7744 support
    dt-bindings: timer: renesas, cmt: Document r8a7744 CMT support
    dt-bindings: watchdog: renesas-wdt: Document r8a7744 support
    dt-bindings: thermal: rcar: Add device tree support for r8a7744
    Documentation: dt: Add binding for /secure-chosen/stdout-path
    dt-bindings: arm: zte: Move sysctrl bindings to their own doc
    ...

    Linus Torvalds
     

26 Oct, 2018

1 commit

  • Pull printk updates from Petr Mladek:

    - Fix two more locations where printf formatting leaked pointers

    - Better log_buf_len parameter handling

    - Add prefix to messages from printk code

    - Do not miss messages on other consoles when the log is replayed on a
    new one

    - Reduce race between console registration and panic() when the log
    might get replayed on all consoles

    - Some cont buffer code clean up

    - Call console only when there is something to do (log vs cont buffer)

    * tag 'printk-for-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
    lib/vsprintf: Hash printed address for netdev bits fallback
    lib/vsprintf: Hash legacy clock addresses
    lib/vsprintf: Prepare for more general use of ptr_to_id()
    lib/vsprintf: Make ptr argument conts in ptr_to_id()
    printk: fix integer overflow in setup_log_buf()
    printk: do not preliminary split up cont buffer
    printk: lock/unlock console only for new logbuf entries
    printk: keep kernel cont support always enabled
    printk: Give error on attempt to set log buffer length to over 2G
    printk: Add KBUILD_MODNAME and remove a redundant print prefix
    printk: Correct wrong casting
    printk: Fix panic caused by passing log_buf_len to command line
    printk: CON_PRINTBUFFER console registration is a bit racy
    printk: Do not miss new messages when replaying the log

    Linus Torvalds
     

25 Oct, 2018

1 commit

  • Pull documentation updates from Jonathan Corbet:
    "This is a fairly typical cycle for documentation. There's some welcome
    readability improvements for the formatted output, some LICENSES
    updates including the addition of the ISC license, the removal of the
    unloved and unmaintained 00-INDEX files, the deprecated APIs document
    from Kees, more MM docs from Mike Rapoport, and the usual pile of typo
    fixes and corrections"

    * tag 'docs-4.20' of git://git.lwn.net/linux: (41 commits)
    docs: Fix typos in histogram.rst
    docs: Introduce deprecated APIs list
    kernel-doc: fix declaration type determination
    doc: fix a typo in adding-syscalls.rst
    docs/admin-guide: memory-hotplug: remove table of contents
    doc: printk-formats: Remove bogus kobject references for device nodes
    Documentation: preempt-locking: Use better example
    dm flakey: Document "error_writes" feature
    docs/completion.txt: Fix a couple of punctuation nits
    LICENSES: Add ISC license text
    LICENSES: Add note to CDDL-1.0 license that it should not be used
    docs/core-api: memory-hotplug: add some details about locking internals
    docs/core-api: rename memory-hotplug-notifier to memory-hotplug
    docs: improve readability for people with poorer eyesight
    yama: clarify ptrace_scope=2 in Yama documentation
    docs/vm: split memory hotplug notifier description to Documentation/core-api
    docs: move memory hotplug description into admin-guide/mm
    doc: Fix acronym "FEKEK" in ecryptfs
    docs: fix some broken documentation references
    iommu: Fix passthrough option documentation
    ...

    Linus Torvalds
     

13 Oct, 2018

1 commit

  • When converting from text to rst, the kobjects section and its sole
    subsection about device tree nodes were coalesced into a single section,
    yielding an inconsistent result.

    Remove all references to kobjects, as
    1. Device tree object pointers are not compatible to kobject pointers
    (the former may embed the latter, though), and
    2. there are no printk formats defined for kobject types.

    Update the vsprintf() source code comments to match the above.

    Fixes: b3ed23213eab1e08 ("doc: convert printk-formats.txt to rst")
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Jonathan Corbet

    Geert Uytterhoeven
     

12 Oct, 2018

4 commits

  • The handler for "%pN" falls back to printing the raw pointer value when
    using a different format than the (sole supported) special format
    "%pNF", potentially leaking sensitive information regarding the kernel
    layout in memory.

    Avoid this leak by printing the hashed address instead.
    Note that there are no in-tree users of the fallback.

    Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
    Link: http://lkml.kernel.org/r/20181011084249.4520-4-geert+renesas@glider.be
    To: "Tobin C . Harding"
    To: Andrew Morton
    To: Jonathan Corbet
    Cc: linux-doc@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     
  • On platforms using the Common Clock Framework, "%pC" prints the clock's
    name. On legacy platforms, it prints the unhashed clock's address,
    potentially leaking sensitive information regarding the kernel layout in
    memory.

    Avoid this leak by printing the hashed address instead. To distinguish
    between clocks, a 32-bit unique identifier is as good as an actual
    pointer value.

    Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
    Link: http://lkml.kernel.org/r/20181011084249.4520-3-geert+renesas@glider.be
    To: "Tobin C . Harding"
    To: Andrew Morton
    To: Jonathan Corbet
    Cc: linux-doc@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     
  • Move the function and its dependencies up so it can be called from
    special pointer type formatting routines.

    Link: http://lkml.kernel.org/r/20181011084249.4520-2-geert+renesas@glider.be
    To: "Tobin C . Harding"
    To: Andrew Morton
    To: Jonathan Corbet
    Cc: linux-doc@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Andy Shevchenko
    [pmladek@suse.com: Split into separate patch]
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     
  • Make the ptr argument const to avoid adding casts in future callers.

    Link: http://lkml.kernel.org/r/20181011084249.4520-2-geert+renesas@glider.be
    To: "Tobin C . Harding"
    To: Andrew Morton
    To: Jonathan Corbet
    Cc: linux-doc@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Andy Shevchenko
    [pmladek@suse.com: split into separate patch]
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     

05 Oct, 2018

1 commit

  • The functions vbin_printf() and bstr_printf() are used by trace_printk() to
    try to keep the overhead down during printing. trace_printk() uses
    vbin_printf() at the time of execution, as it only scans the fmt string to
    record the printf values into the buffer, and then uses vbin_printf() to do
    the conversions to print the string based on the format and the saved
    values in the buffer.

    This is an issue for dereferenced pointers, as before commit 841a915d20c7b,
    the processing of the pointer could happen some time after the pointer value
    was recorded (reading the trace buffer). This means the processing of the
    value at a later time could show different results, or even crash the
    system, if the pointer no longer existed.

    Commit 841a915d20c7b addressed this by processing dereferenced pointers at
    the time of execution and saving the result in the ring buffer as a string.
    The bstr_printf() would then treat these pointers as normal strings, and
    print the value. But there was an off-by-one bug here, where after
    processing the argument, it moved the pointer only "strlen(arg)", which made
    the arg pointer not point to the next argument in the ring buffer, but
    instead point to the nul character of the last argument. This causes any
    values after a dereferenced pointer to be corrupted.

    Cc: stable@vger.kernel.org
    Fixes: 841a915d20c7b ("vsprintf: Do not have bprintf dereference pointers")
    Reported-by: Nikolay Borisov
    Tested-by: Nikolay Borisov
    Signed-off-by: Steven Rostedt (VMware)

    Steven Rostedt (VMware)
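
The off-by-one described in the commit message above, reproduced on a small argument buffer. This is an added example, not the kernel's bstr_printf(): the record layout is a constructed simplification (inline NUL-terminated strings and 4-byte ints, no alignment padding), and pack_args, unpack_args, decode_demo and truncated_record_rejected are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How far the reader advances after a string argument. */
enum advance { ADVANCE_STRLEN, ADVANCE_STRLEN_PLUS_NUL };

/* Writer side (time of execution): 's' stores the string with its NUL,
 * anything else stores a 4-byte int. Returns bytes used, 0 on overflow. */
size_t pack_args(unsigned char *buf, size_t size, const char *spec,
                 const char *const *strs, const int32_t *ints)
{
    size_t off = 0;

    for (; *spec; spec++) {
        if (*spec == 's') {
            size_t n = strlen(*strs) + 1;
            if (n > size - off)
                return 0;
            memcpy(buf + off, *strs++, n);
            off += n;
        } else {
            if (sizeof(int32_t) > size - off)
                return 0;
            memcpy(buf + off, ints++, sizeof(int32_t));
            off += sizeof(int32_t);
        }
    }
    return off;
}

/* Reader side (when the buffer is read later). Renders "s=<str> d=<int> ..."
 * into out. Returns 0 on success, -1 on a malformed record or full output. */
int unpack_args(const unsigned char *buf, size_t len, const char *spec,
                enum advance mode, char *out, size_t outsz)
{
    size_t off = 0, used = 0;

    for (; *spec; spec++) {
        const char *sep = used ? " " : "";
        int n;

        if (*spec == 's') {
            const unsigned char *nul = memchr(buf + off, 0, len - off);
            if (!nul)
                return -1;               /* unterminated string in the record */
            n = snprintf(out + used, outsz - used, "%ss=%s", sep,
                         (const char *)(buf + off));
            off += (size_t)(nul - (buf + off));
            if (mode == ADVANCE_STRLEN_PLUS_NUL)
                off += 1;                /* the fix: step over the terminator */
        } else {
            int32_t v;
            if (len - off < sizeof(v))
                return -1;
            memcpy(&v, buf + off, sizeof(v));
            n = snprintf(out + used, outsz - used, "%sd=%d", sep, (int)v);
            off += sizeof(v);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Packs the constructed arguments ("eth0", 1234, "up") and decodes them. */
const char *decode_demo(enum advance mode)
{
    static char out[64];
    unsigned char rec[32];
    const char *strs[] = { "eth0", "up" };
    const int32_t ints[] = { 1234 };
    size_t len = pack_args(rec, sizeof(rec), "sds", strs, ints);

    if (!len || unpack_args(rec, len, "sds", mode, out, sizeof(out)) != 0)
        return "(malformed)";
    return out;
}

/* A record whose string has no terminator must be rejected, not over-read. */
int truncated_record_rejected(void)
{
    static const unsigned char rec[] = { 'e', 't', 'h' };
    char out[16];

    return unpack_args(rec, sizeof(rec), "s", ADVANCE_STRLEN_PLUS_NUL,
                       out, sizeof(out)) == -1;
}

int main(void)
{
    printf("strlen only: %s\n", decode_demo(ADVANCE_STRLEN));
    printf("strlen + 1 : %s\n", decode_demo(ADVANCE_STRLEN_PLUS_NUL));
    return 0;
}
```

With the strlen-only advance the int is read starting at the string's terminator, so it and the string after it come out wrong; the exact wrong values depend on byte order.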
     

08 Sep, 2018

1 commit


16 Aug, 2018

1 commit

  • Pull random updates from Ted Ts'o:
    "Some changes to trust cpu-based hwrng (such as RDRAND) for
    initializing hashed pointers and (optionally, controlled by a config
    option) to initialize the CRNG to avoid boot hangs"

    * tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
    random: Make crng state queryable
    random: remove preempt disabled region
    random: add a config option to trust the CPU's hwrng
    vsprintf: Add command line option debug_boot_weak_hash
    vsprintf: Use hw RNG for ptr_key
    random: Return nbytes filled from hw RNG
    random: Fix whitespace pre random-bytes work

    Linus Torvalds
     

07 Aug, 2018

1 commit

  • This patch avoids that gcc reports the following when building with W=1:

    lib/vsprintf.c:1941:3: warning: this statement may fall through [-Wimplicit-fallthrough=]
    switch (fmt[1]) {
    ^~~~~~

    Fixes: 7b1924a1d930eb2 ("vsprintf: add printk specifier %px")
    Link: http://lkml.kernel.org/r/20180806223421.11995-1-bart.vanassche@wdc.com
    Cc: linux-kernel@vger.kernel.org
    Cc: Bart Van Assche
    Cc: Pantelis Antoniou
    Cc: Joe Perches
    Cc: Rob Herring
    Cc: v4.15+
    Signed-off-by: Bart Van Assche
    Signed-off-by: Petr Mladek

    Bart Van Assche
     

18 Jul, 2018

2 commits

  • Currently printing [hashed] pointers requires enough entropy to be
    available. Early in the boot sequence this may not be the case
    resulting in a dummy string '(____ptrval____)' being printed. This
    makes debugging the early boot sequence difficult. We can relax the
    requirement to use cryptographically secure hashing during debugging.
    This enables debugging while keeping development/production kernel
    behaviour the same.

    If new command line option debug_boot_weak_hash is enabled use
    cryptographically insecure hashing and hash pointer value immediately.

    Reviewed-by: Steven Rostedt (VMware)
    Signed-off-by: Tobin C. Harding
    Signed-off-by: Theodore Ts'o

    Tobin C. Harding
     
  • Currently we must wait for enough entropy to become available before
    hashed pointers can be printed. We can remove this wait by using the
    hw RNG if available.

    Use hw RNG to get keying material.

    Reviewed-by: Steven Rostedt (VMware)
    Suggested-by: Kees Cook
    Signed-off-by: Tobin C. Harding
    Signed-off-by: Theodore Ts'o

    Tobin C. Harding
     

07 Jun, 2018

1 commit

  • Pull printk updates from Petr Mladek:

    - Help userspace log daemons to catch up with a flood of messages. They
    will get woken after each message even if the console is far behind
    and handled by another process.

    - Flush printk safe buffers safely even when panic() happens in the
    normal context.

    - Fix possible va_list reuse when race happened in printk_safe().

    - Remove %pCr printf format to prevent sleeping in the atomic context.

    - Misc vsprintf code cleanup.

    * tag 'printk-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
    printk: drop in_nmi check from printk_safe_flush_on_panic()
    lib/vsprintf: Remove atomic-unsafe support for %pCr
    serial: sh-sci: Stop using printk format %pCr
    thermal: bcm2835: Stop using printk format %pCr
    clk: renesas: cpg-mssr: Stop using printk format %pCr
    printk: fix possible reuse of va_list variable
    printk: wake up klogd in vprintk_emit
    vsprintf: Tweak pF/pf comment
    lib/vsprintf: Mark expected switch fall-through
    lib/vsprintf: Replace space with '_' before crng is ready
    lib/vsprintf: Deduplicate pointer_string()
    lib/vsprintf: Move pointer_string() upper
    lib/vsprintf: Make flag_spec global
    lib/vsprintf: Make strspec global
    lib/vsprintf: Make dec_spec global
    lib/test_printf: Mark big constant with UL

    Linus Torvalds
     

05 Jun, 2018

2 commits

  • Petr Mladek
     
  • "%pCr" formats the current rate of a clock, and calls clk_get_rate().
    The latter obtains a mutex, hence it must not be called from atomic
    context.

    Remove support for this rarely-used format, as vsprintf() (and e.g.
    printk()) must be callable from any context.

    Any remaining out-of-tree users will start seeing the clock's name
    printed instead of its rate.

    Reported-by: Jia-Ju Bai
    Fixes: 900cca2944254edd ("lib/vsprintf: add %pC{,n,r} format specifiers for clocks")
    Link: http://lkml.kernel.org/r/1527845302-12159-5-git-send-email-geert+renesas@glider.be
    To: Jia-Ju Bai
    To: Jonathan Corbet
    To: Michael Turquette
    To: Stephen Boyd
    To: Zhang Rui
    To: Eduardo Valentin
    To: Eric Anholt
    To: Stefan Wahren
    To: Greg Kroah-Hartman
    Cc: Sergey Senozhatsky
    Cc: Petr Mladek
    Cc: Linus Torvalds
    Cc: Steven Rostedt
    Cc: linux-doc@vger.kernel.org
    Cc: linux-clk@vger.kernel.org
    Cc: linux-pm@vger.kernel.org
    Cc: linux-serial@vger.kernel.org
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linux-renesas-soc@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Cc: Geert Uytterhoeven
    Cc: stable@vger.kernel.org # 4.1+
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Petr Mladek

    Geert Uytterhoeven
     

16 May, 2018

1 commit

  • Reviewing Tobin's patches for getting pointers out early before
    entropy has been established, I noticed that there's a lone smp_mb() in
    the code. As with most lone memory barriers, this one appears to be
    incorrectly used.

    We currently basically have this:

        get_random_bytes(&ptr_key, sizeof(ptr_key));
        /*
         * have_filled_random_ptr_key==true is dependent on get_random_bytes().
         * ptr_to_id() needs to see have_filled_random_ptr_key==true
         * after get_random_bytes() returns.
         */
        smp_mb();
        WRITE_ONCE(have_filled_random_ptr_key, true);

    And later we have:

        if (unlikely(!have_filled_random_ptr_key))
                return string(buf, end, "(ptrval)", spec);

        /* Missing memory barrier here. */

        hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key);

    As the CPU can perform speculative loads, we could have a situation
    with the following:

        CPU0                                  CPU1
        ----                                  ----
                                              load ptr_key = 0
        store ptr_key = random
        smp_mb()
        store have_filled_random_ptr_key

                                              load have_filled_random_ptr_key = true

                                              BAD BAD BAD! (you're so bad!)

    Because nothing prevents CPU1 from loading ptr_key before loading
    have_filled_random_ptr_key.

    This race is very unlikely, but we can't keep an incorrect smp_mb() in
    place. Instead, replace the have_filled_random_ptr_key with a static_branch
    not_filled_random_ptr_key, that is initialized to true and changed to false
    when we get enough entropy. If the update happens in early boot, the
    static_key is updated immediately, otherwise it will have to wait till
    entropy is filled and this happens in an interrupt handler which can't
    enable a static_key, as that requires a preemptible context. In that case, a
    work_queue is used to enable it, as entropy already took too long to
    establish in the first place, waiting a little more shouldn't hurt anything.

    The benefit of using the static key is that the unlikely branch in
    vsprintf() now becomes a nop.

    Link: http://lkml.kernel.org/r/20180515100558.21df515e@gandalf.local.home

    Cc: stable@vger.kernel.org
    Fixes: ad67b74d2469d ("printk: hash addresses printed with %p")
    Acked-by: Linus Torvalds
    Signed-off-by: Steven Rostedt (VMware)

    Steven Rostedt (VMware)
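
The ordering problem described in the commit above, as an added userspace C11 example that is not part of the kernel tree or of the commit. It shows the release/acquire pairing the original code lacked, which is a different remedy from the static key the commit adopts. The names publish_key, format_ptr and toy_hash are hypothetical, and toy_hash is a non-cryptographic stand-in for siphash.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins for the kernel's ptr_key and its flag. */
static uint64_t ptr_key;        /* plain data, written once by the writer */
static atomic_bool key_ready;   /* publication flag, starts out false */

/* Writer: fill the key, then publish with release semantics so the key
 * store cannot become visible after the flag store. */
void publish_key(uint64_t random)
{
    ptr_key = random;
    atomic_store_explicit(&key_ready, true, memory_order_release);
}

/* Toy keyed mixer (splitmix64 finalizer). NOT siphash; illustration only. */
static uint64_t toy_hash(uint64_t v, uint64_t key)
{
    v ^= key;
    v ^= v >> 30; v *= 0xbf58476d1ce4e5b9ULL;
    v ^= v >> 27; v *= 0x94d049bb133111ebULL;
    return v ^ (v >> 31);
}

/* Reader: the acquire load pairs with the release store above, so a reader
 * that sees key_ready == true is guaranteed to see the filled key. Without
 * acquire ordering the key load may be satisfied before the flag load,
 * which is the CPU1 column of the diagram in the commit message. */
int format_ptr(char *buf, size_t len, const void *ptr)
{
    if (!atomic_load_explicit(&key_ready, memory_order_acquire))
        return snprintf(buf, len, "(ptrval)");
    return snprintf(buf, len, "%016llx",
                    (unsigned long long)toy_hash((uint64_t)(uintptr_t)ptr, ptr_key));
}

int main(void)
{
    char buf[32];
    int x;

    format_ptr(buf, sizeof(buf), &x); puts(buf);  /* placeholder: no key yet */
    publish_key(0x0123456789abcdefULL);           /* constructed sample key */
    format_ptr(buf, sizeof(buf), &x); puts(buf);  /* hashed value, not &x */
    return 0;
}
```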