07 Jun, 2011

1 commit

  • There's a fair amount of code in the vsyscall page. It contains
    a syscall instruction (in the gettimeofday fallback) and who
    knows what will happen if an exploit jumps into the middle of
    some other code.

    Reduce the risk by replacing the vsyscalls with short magic
    incantations that cause the kernel to emulate the real
    vsyscalls. These incantations are useless if entered in the
    middle.

    This causes vsyscalls to be a little more expensive than real
    syscalls. Fortunately sensible programs don't use them.
    The only exception is time() which is still called by glibc
    through the vsyscall - but calling time() millions of times
    per second is not sensible. glibc has this fixed in the
    development tree.

    This patch is not perfect: the vread_tsc and vread_hpet
    functions are still at a fixed address. Fixing that might
    involve making alternative patching work in the vDSO.

    Signed-off-by: Andy Lutomirski
    Acked-by: Linus Torvalds
    Cc: Jesper Juhl
    Cc: Borislav Petkov
    Cc: Arjan van de Ven
    Cc: Jan Beulich
    Cc: richard -rw- weinberger
    Cc: Mikael Pettersson
    Cc: Andi Kleen
    Cc: Brian Gerst
    Cc: Louis Rilling
    Cc: Valdis.Kletnieks@vt.edu
    Cc: pageexec@freemail.hu
    Link: http://lkml.kernel.org/r/e64e1b3c64858820d12c48fa739efbd1485e79d5.1307292171.git.luto@mit.edu
    [ Removed the CONFIG option - it's simpler to just do it unconditionally. Tidied up the code as well. ]
    Signed-off-by: Ingo Molnar

    Andy Lutomirski

20 Apr, 2009

1 commit


17 Jul, 2007

2 commits

  • This follows a suggestion from Chuck Ebbert on how to make seccomp
    absolutely zero-cost in schedule too. The only remaining footprint of
    seccomp is in terms of the bzImage size, which becomes a few bytes (perhaps
    even a few kbytes) larger; measure it if you care about embedded.

    Signed-off-by: Andrea Arcangeli
    Cc: Andi Kleen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrea Arcangeli
  • This reduces the memory footprint and it enforces that only the current
    task can enable seccomp on itself (this is a requirement for a
    straightforward [modulo preempt ;) ] TIF_NOTSC implementation).

    Signed-off-by: Andrea Arcangeli
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrea Arcangeli

26 Apr, 2006

1 commit


09 Jan, 2006

1 commit

  • Remove various things which were checking for gcc-1.x and gcc-2.x compilers.

    From: Adrian Bunk

    Some documentation updates, and removal of some code paths for gcc < 3.2.

    Acked-by: Russell King
    Signed-off-by: Adrian Bunk
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton

28 Jun, 2005

1 commit

  • I believe at least for seccomp it's worth turning off the tsc, not just for
    HT but for the L2 cache too. So it's up to you: either you turn it off
    completely (which isn't very nice IMHO) or I recommend applying the patch
    below.

    This has been tested successfully on x86-64 against the current cogito
    repository (i686 compiles so I didn't bother testing ;). People selling
    the cpu through cpushare may appreciate this bit for peace of mind.

    There's no way to get any timing info anymore with this applied
    (gettimeofday is forbidden of course). The seccomp environment is
    completely deterministic so it can't be allowed to get timing info, it has
    to be deterministic so in the future I can enable a computing mode that
    does a parallel computing for each task with server side transparent
    checkpointing and verification that the output is the same from all the 2/3
    seller computers for each task, without the buyer even noticing (for now
    the verification is left to the buyer client side and there's no
    checkpointing, since that would require more kernel changes to track the
    dirty bits but it'll be easy to extend once the basic mode is finished).

    Eliminating a cold-cache read of the cr4 global variable will save one
    cacheline during the tlb flush while making the code per-cpu-safe at the
    same time. Thanks to Mikael Pettersson for noticing the tlb flush wasn't
    per-cpu-safe.

    The global tlb flush can run from irq (IPI calling do_flush_tlb_all) but
    it'll be transparent to the switch_to code since the IPI won't make any
    change to the cr4 contents from the point of view of the interrupted code
    and since it's now all per-cpu stuff, it will not race. So no need to
    disable irqs in switch_to slow path.

    Signed-off-by: Andrea Arcangeli
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrea Arcangeli

17 Apr, 2005

1 commit

  • Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds