1. 23 Sep, 2016 10 commits
  2. 22 Sep, 2016 8 commits
    • Niklas Cassel's avatar
      cris: use generic io.h · 4c241d3c
      Niklas Cassel authored
      fixes the warning:
      
      lib/iomap.c: In function ‘ioread8_rep’:
      ./arch/cris/include/asm/io.h:139:31: warning: statement with no effect [-Wunused-value]
       #define insb(port,addr,count) (cris_iops ? cris_iops->read_io(port,addr,1,count) : 0)
                                     ^
      lib/iomap.c:56:3: note: in definition of macro ‘IO_COND’
         is_pio;      \
         ^
      lib/iomap.c:197:16: note: in expansion of macro ‘insb’
        IO_COND(addr, insb(port,dst,count), mmio_insb(addr, dst, count));
                      ^
      
      cris_iops was previously set to NULL (no matter if CONFIG_PCI was set or
      not), but was removed in commit ab28e96f ("CRIS v32: remove old GPIO
      and LEDs code"). Before commit ab28e96f ("CRIS v32: remove old GPIO
      and LEDs code"), cris_iops could have been set from an external module,
      since it was exported, but as commit c24bf9b4 ("CRIS: fix I/O
      macros") noted, the macros using cris_iops have been broken since first
      included, so they could never have worked.
      
      Because of this, instead of readding cris_iops, remove all special
      handling of cris_iops. By doing so, we can rely on the default
      implementation of almost all functions previously defined in our arch
      specific io.h.
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      4c241d3c
    • Niklas Cassel's avatar
      cris: fix Kconfig mismatch when building with CONFIG_PCI · 2765262f
      Niklas Cassel authored
      I/O port access. Normally there is no I/O space on CRIS but when
      Cardbus/PCI is enabled the request is passed through the bridge.
      
      lib/pci_iomap.c: In function ‘pci_iomap_range’:
      lib/pci_iomap.c:43:3: error: implicit declaration of function ‘ioport_map’ [-Werror=implicit-function-declaration]
         return __pci_ioport_map(dev, start, len);
         ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      2765262f
    • Niklas Cassel's avatar
      cris: cardbus: fix header include path · d6094ced
      Niklas Cassel authored
      arch/cris/arch-v32/drivers/pci/bios.c:3:35: fatal error: arch/hwregs/intr_vect.h: No such file or directory
       #include <arch/hwregs/intr_vect.h>
                                         ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      d6094ced
    • Niklas Cassel's avatar
      cris: add dev88_defconfig · 7daa7709
      Niklas Cassel authored
      It is not possible to netboot a dev88 using etraxfs_defconfig,
      since etraxfs_defconfig does not set CONFIG_ETRAX_MEM_GRP*_CONFIG
      or CONFIG_ETRAX_SDRAM_GRP*_CONFIG, and the default values does not work.
      
      This new defconfig has correct memory configuration values,
      points out the correct DTB to build in (CONFIG_BUILTIN_DTB="dev88"),
      enables the serial driver (CONFIG_SERIAL_ETRAXFS) and the
      GPIO driver (CONFIG_GPIO_ETRAXFS), and enables LEDS.
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      7daa7709
    • Niklas Cassel's avatar
      cris: irq: stop loop from accessing array out of bounds · 75e52ba1
      Niklas Cassel authored
      array "interrupt" only has 32 or 64 elements, depending on machine.
      
      arch/cris/arch-v32/kernel/irq.c: In function ‘init_IRQ’:
      arch/cris/arch-v32/kernel/irq.c:475:3: warning: iteration 32u invokes undefined behavior [-Waggressive-loop-optimizations]
         set_exception_vector(i, interrupt[j]);
         ^
      arch/cris/arch-v32/kernel/irq.c:474:2: note: containing loop
        for (i = FIRST_IRQ, j = 0; j < NBR_INTR_VECT; i++, j++) {
        ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      75e52ba1
    • Niklas Cassel's avatar
      cris: fasttimer: fix mixed declarations and code compile warning · d355bcb0
      Niklas Cassel authored
      arch/cris/arch-v32/kernel/fasttimer.c: In function ‘timer_trig_handler’:
      arch/cris/arch-v32/kernel/fasttimer.c:353:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
        fast_timer_function_type *f;
        ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jespern@axis.com>
      d355bcb0
    • Niklas Cassel's avatar
      cris: intmem: fix pointer comparison compile warning · 506823f6
      Niklas Cassel authored
      The code previously depended on list_head being defined
      as the first item in struct intmem_allocation.
      
      arch/cris/arch-v32/mm/intmem.c: In function ‘crisv32_intmem_free’:
      arch/cris/arch-v32/mm/intmem.c:116:14: warning: comparison of distinct pointer types lacks a cast
          if ((prev != &intmem_allocations) &&
                    ^
      arch/cris/arch-v32/mm/intmem.c:123:14: warning: comparison of distinct pointer types lacks a cast
          if ((next != &intmem_allocations) &&
                    ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jesper.nilsson@axis.com>
      506823f6
    • Jesper Nilsson's avatar
      cris: intmem: fix device_initcall compile warning · 9d74179a
      Jesper Nilsson authored
      Cannot add __init macro to crisv32_intmem_init,
      since the function is being called by other functions.
      Creating a wrapper instead.
      
      arch/cris/arch-v32/mm/intmem.c: At top level:
      arch/cris/arch-v32/mm/intmem.c:148:17: warning: initialization from incompatible pointer type
       device_initcall(crisv32_intmem_init);
                       ^
      include/linux/init.h:184:58: note: in definition of macro ‘__define_initcall’
        __attribute__((__section__(".initcall" #id ".init"))) = fn; \
      
      arch/cris/arch-v32/mm/intmem.c:148:1: note: in expansion of macro ‘device_initcall’
       device_initcall(crisv32_intmem_init);
       ^
      Signed-off-by: default avatarNiklas Cassel <nks@flawful.org>
      Signed-off-by: default avatarJesper Nilsson <jesper.nilsson@axis.com>
      9d74179a
  3. 21 Sep, 2016 1 commit
  4. 20 Sep, 2016 4 commits
    • Al Viro's avatar
      fix fault_in_multipages_...() on architectures with no-op access_ok() · e23d4159
      Al Viro authored
      Switching iov_iter fault-in to multipages variants has exposed an old
      bug in underlying fault_in_multipages_...(); they break if the range
      passed to them wraps around.  Normally access_ok() done by callers will
      prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
      such a range and they should not point to any valid objects).
      
      However, on architectures where userland and kernel live in different
      MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
      with a wraparound can reach fault_in_multipages_...().
      
      Since any wraparound means EFAULT there, the fix is trivial - turn
      those
      
          while (uaddr <= end)
      	    ...
      into
      
          if (unlikely(uaddr > end))
      	    return -EFAULT;
          do
      	    ...
          while (uaddr <= end);
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Cc: stable@vger.kernel.org # v3.5+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e23d4159
    • Laura Abbott's avatar
      mm: usercopy: Check for module addresses · aa4f0601
      Laura Abbott authored
      While running a compile on arm64, I hit a memory exposure
      
      usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
      ------------[ cut here ]------------
      kernel BUG at mm/usercopy.c:75!
      Internal error: Oops - BUG: 0 [#1] SMP
      Modules linked in: ip6t_rpfilter ip6t_REJECT
      nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
      llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
      nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
      iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
      nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
      ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
      xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
      mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
      auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
      sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
      CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
      Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
      task: fffffe03df944c00 task.stack: fffffe00d128c000
      PC is at __check_object_size+0x70/0x3f0
      LR is at __check_object_size+0x70/0x3f0
      ...
      [<fffffc00082b4280>] __check_object_size+0x70/0x3f0
      [<fffffc00082cdc30>] filldir64+0x158/0x1a0
      [<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
      [<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
      [<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
      [<fffffc00082cde58>] SyS_getdents64+0x88/0x120
      [<fffffc0008082c70>] el0_svc_naked+0x24/0x28
      
      fffffc0000f3b1a8 is a module address. Modules may have compiled in
      strings which could get copied to userspace. In this instance, it
      looks like "." which matches with a size of 1 byte. Extend the
      is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
      all possible cases.
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      aa4f0601
    • Jiri Olsa's avatar
      fs/proc/kcore.c: Add bounce buffer for ktext data · df04abfd
      Jiri Olsa authored
      We hit hardened usercopy feature check for kernel text access by reading
      kcore file:
      
        usercopy: kernel memory exposure attempt detected from ffffffff8179a01f (<kernel text>) (4065 bytes)
        kernel BUG at mm/usercopy.c:75!
      
      Bypassing this check for kcore by adding bounce buffer for ktext data.
      Reported-by: default avatarSteve Best <sbest@redhat.com>
      Fixes: f5509cc1 ("mm: Hardened usercopy")
      Suggested-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      df04abfd
    • Jiri Olsa's avatar
      fs/proc/kcore.c: Make bounce buffer global for read · f5beeb18
      Jiri Olsa authored
      Next patch adds bounce buffer for ktext area, so it's
      convenient to have single bounce buffer for both
      vmalloc/module and ktext cases.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f5beeb18
  5. 19 Sep, 2016 17 commits