Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.61 2018-01-09T00:35:13+00:00 2018-01-09T00:35:13+00:00 Richard Fellner richard.fellner@student.tugraz.at 2017-05-04T12:26:50+00:00 urn:sha1:f9a1666f97b32836058839ab03f49daef0528ca0 This patch introduces our implementation of KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed), a kernel isolation technique to close hardware side channels on kernel address information. More information about the patch can be found on: https://github.com/IAIK/KAISER From: Richard Fellner <richard.fellner@student.tugraz.at> From: Daniel Gruss <daniel.gruss@iaik.tugraz.at> Subject: [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode Date: Thu, 4 May 2017 14:26:50 +0200 Link: http://marc.info/?l=linux-kernel&m=149390087310405&w=2 Kaiser-4.10-SHA1: c4b1831d44c6144d3762ccc72f0c4e71a0c713e5 To: <linux-kernel@vger.kernel.org> To: <kernel-hardening@lists.openwall.com> Cc: <clementine.maurice@iaik.tugraz.at> Cc: <moritz.lipp@iaik.tugraz.at> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at> Cc: Richard Fellner <richard.fellner@student.tugraz.at> Cc: Ingo Molnar <mingo@kernel.org> Cc: <kirill.shutemov@linux.intel.com> Cc: <anders.fogh@gdata-adan.de> After several recent works [1,2,3] KASLR on x86_64 was basically considered dead by many researchers. We have been working on an efficient but effective fix for this problem and found that not mapping the kernel space when running in user mode is the solution to this problem [4] (the corresponding paper [5] will be presented at ESSoS17). With this RFC patch we allow anybody to configure their kernel with the flag CONFIG_KAISER to add our defense mechanism. If there are any questions we would love to answer them. We also appreciate any comments! Cheers, Daniel (+ the KAISER team from Graz University of Technology) [1] http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf [2] https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf [3] https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf [4] https://github.com/IAIK/KAISER [5] https://gruss.cc/files/kaiser.pdf (cherry picked from Change-Id: I0eb000c33290af01fc4454ca0c701d00f1d30b1d) Conflicts: arch/x86/entry/entry_64.S (not in this tree) arch/x86/kernel/entry_64.S (patched instead of that) arch/x86/entry/entry_64_compat.S (not in this tree) arch/x86/ia32/ia32entry.S (patched instead of that) arch/x86/include/asm/hw_irq.h arch/x86/include/asm/pgtable_types.h arch/x86/include/asm/processor.h arch/x86/kernel/irqinit.c arch/x86/kernel/process.c arch/x86/mm/Makefile arch/x86/mm/pgtable.c init/main.c Signed-off-by: Hugh Dickins <hughd@google.com> [bwh: Folded in the follow-up patches from Hugh: - kaiser: merged update - kaiser: do not set _PAGE_NX on pgd_none - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE - kaiser: fix build and FIXME in alloc_ldt_struct() - kaiser: KAISER depends on SMP - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER - kaiser: fix perf crashes - kaiser: ENOMEM if kaiser_pagetable_walk() NULL - kaiser: tidied up asm/kaiser.h somewhat - kaiser: tidied up kaiser_add/remove_mapping slightly - kaiser: kaiser_remove_mapping() move along the pgd - kaiser: align addition to x86/mm/Makefile - kaiser: cleanups while trying for gold link - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET - kaiser: delete KAISER_REAL_SWITCH option - kaiser: vmstat show NR_KAISERTABLE as nr_overhead - kaiser: enhanced by kernel and user PCIDs - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user - kaiser: PCID 0 for kernel and 128 for user - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user - kaiser: paranoid_entry pass cr3 need to paranoid_exit - kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls - kaiser: fix unlikely error in alloc_ldt_struct() - kaiser: drop is_atomic arg to kaiser_pagetable_walk() Backported to 3.16: - Add missing #include in arch/x86/mm/kaiser.c - Use variable PEBS buffer size since we have "perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2" - Renumber X86_FEATURE_INVPCID_SINGLE to avoid collision - Adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2014-07-01T20:45:22+00:00 Zhengyu He hzy@google.com 2014-07-01T19:11:47+00:00 urn:sha1:330d282216d6e4d845a21b72572dc4df4122e8fa This fixes a typo that named the read_mostly section of percpu as readmostly. It works fine with SMP because the linker script specifies .data..percpu..readmostly. However, UP kernel builds don't have percpu sections defined and the non-percpu version of the section is called data..read_mostly, so .data..readmostly will float around and may break things unexpectedly. Looking at the original change that introduced data..percpu..readmostly (commit c957ef2c59e952803766ddc22e89981ab534606f), it looks like this was the original intention. Tested: Built UP kernel and confirmed the sections got merged. - Before the patch: $ objdump -h vmlinux.o | grep '\.data\.\.read.*mostly' 38 .data..read_mostly 00004418 0000000000000000 0000000000000000 00431ac0 2**6 50 .data..readmostly 00000014 0000000000000000 0000000000000000 00444000 2**3 - After the patch: $ objdump -h vmlinux.o | grep '\.data\.\.read.*mostly' 38 .data..read_mostly 00004438 0000000000000000 0000000000000000 00431ac0 2**6 Signed-off-by: Zhengyu He <hzy@google.com> Signed-off-by: Filipe Brandenburger <filbranden@google.com> Signed-off-by: Tejun Heo <tj@kernel.org> 2014-06-13T02:18:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-06-13T02:18:49+00:00 urn:sha1:3737a12761636ebde0f09ef49daebb8eed18cc8a Pull more perf updates from Ingo Molnar: "A second round of perf updates: - wide reaching kprobes sanitization and robustization, with the hope of fixing all 'probe this function crashes the kernel' bugs, by Masami Hiramatsu. - uprobes updates from Oleg Nesterov: tmpfs support, corner case fixes and robustization work. - perf tooling updates and fixes from Jiri Olsa, Namhyung Ki, Arnaldo et al: * Add support to accumulate hist periods (Namhyung Kim) * various fixes, refactorings and enhancements" * 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (101 commits) perf: Differentiate exec() and non-exec() comm events perf: Fix perf_event_comm() vs. exec() assumption uprobes/x86: Rename arch_uprobe->def to ->defparam, minor comment updates perf/documentation: Add description for conditional branch filter perf/x86: Add conditional branch filtering support perf/tool: Add conditional branch filter 'cond' to perf record perf: Add new conditional branch filter 'PERF_SAMPLE_BRANCH_COND' uprobes: Teach copy_insn() to support tmpfs uprobes: Shift ->readpage check from __copy_insn() to uprobe_register() perf/x86: Use common PMU interrupt disabled code perf/ARM: Use common PMU interrupt disabled code perf: Disable sampled events if no PMU interrupt perf: Fix use after free in perf_remove_from_context() perf tools: Fix 'make help' message error perf record: Fix poll return value propagation perf tools: Move elide bool into perf_hpp_fmt struct perf tools: Remove elide setup for SORT_MODE__MEMORY mode perf tools: Fix "==" into "=" in ui_browser__warning assignment perf tools: Allow overriding sysfs and proc finding with env var perf tools: Consider header files outside perf directory in tags target ... 2014-05-20T20:19:25+00:00 Rob Herring robh@kernel.org 2014-03-27T13:06:16+00:00 urn:sha1:b0b6abd34c1b508d4ac95dbc614f36c49d29e65a This adds the infrastructure to generic earlycon for earlycon setup using DT. The actual setup is not enabled until a following commit to add the FDT parsing. Signed-off-by: Rob Herring <robh@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jiri Slaby <jslaby@suse.cz> Cc: Arnd Bergmann <arnd@arndb.de> Acked-by: Grant Likely <grant.likely@linaro.org> 2014-05-20T19:24:41+00:00 Rob Herring robh@kernel.org 2014-03-24T21:59:20+00:00 urn:sha1:063092883039e49e5edc1f63133dc5ad437361a2 OF table sections all have the same pattern, so create a macro to define them and insure consistency. Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Rob Herring <robh@kernel.org> 2014-05-20T19:24:41+00:00 Rob Herring robh@kernel.org 2014-03-24T21:11:54+00:00 urn:sha1:9a721c41113a50ccbe184d67a5e551feb99e36a9 The cpu_method_of_table is the oddball of the various OF linker sections. In preparation to have common linker section definitions, align the cpu_method_of_table with the other definitions for the naming and ending with a blank struct. Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Rob Herring <robh@kernel.org> Cc: Russell King <linux@arm.linux.org.uk> 2014-05-20T19:24:40+00:00 Rob Herring robh@kernel.org 2014-03-24T21:06:42+00:00 urn:sha1:735e0da7fc55a0456476f6b40f85024f68f87092 Make the irqchip OF match table section naming aligned with other OF match table sections in preparation to have a common definition. Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Rob Herring <robh@kernel.org> 2014-05-07T19:04:57+00:00 Vineet Gupta Vineet.Gupta1@synopsys.com 2014-05-01T05:26:44+00:00 urn:sha1:69902c718c0b476e94ed7fccd3cf29ca39fe433a ARC Linux (not supporting native unaligned access) was failing to boot because __start_kprobe_blacklist was not aligned. This was because per generated vmlinux.lds it was emitted right next to .rodata with strings etc hence could be randomly unaligned. Fix that by ensuring a word alignment. While 4 would suffice for 32bit arches and problem at hand, it is probably better to put 8. | Path: (null) CPU: 0 PID: 1 Comm: swapper Not tainted | 3.15.0-rc3-next-20140430 #2 | task: 8f044000 ti: 8f01e000 task.ti: 8f01e000 | | [ECR ]: 0x00230400 => Misaligned r/w from 0x800fb0d3 | [EFA ]: 0x800fb0d3 | [BLINK ]: do_one_initcall+0x86/0x1bc | [ERET ]: init_kprobes+0x52/0x120 Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Cc: <torvalds@linux-foundation.org> Cc: <rusty@rustcorp.com.au> Cc: <rdunlap@infradead.org> Cc: <jeremy@goop.org> Cc: <arnd@arndb.de> Cc: <dl9pf@gmx.de> Cc: <sparse@chrisli.org> Cc: <anil.s.keshavamurthy@intel.com> Cc: <davem@davemloft.net> Cc: <ananth@in.ibm.com> Cc: <masami.hiramatsu.pt@hitachi.com> Cc: <chrisw@sous-sol.org> Cc: <akataria@vmware.com> Cc: anton Kolesov <Anton.Kolesov@synopsys.com> Link: http://lkml.kernel.org/r/5361DB14.7010406@synopsys.com Signed-off-by: Ingo Molnar <mingo@kernel.org> 2014-04-24T08:02:56+00:00 Masami Hiramatsu masami.hiramatsu.pt@hitachi.com 2014-04-17T08:17:05+00:00 urn:sha1:376e242429bf8539ef39a080ac113c8799840b13 Introduce NOKPROBE_SYMBOL() macro which builds a kprobes blacklist at kernel build time. The usage of this macro is similar to EXPORT_SYMBOL(), placed after the function definition: NOKPROBE_SYMBOL(function); Since this macro will inhibit inlining of static/inline functions, this patch also introduces a nokprobe_inline macro for static/inline functions. In this case, we must use NOKPROBE_SYMBOL() for the inline function caller. When CONFIG_KPROBES=y, the macro stores the given function address in the "_kprobe_blacklist" section. Since the data structures are not fully initialized by the macro (because there is no "size" information), those are re-initialized at boot time by using kallsyms. Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> Link: http://lkml.kernel.org/r/20140417081705.26341.96719.stgit@ltc230.yrl.intra.hitachi.co.jp Cc: Alok Kataria <akataria@vmware.com> Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Christopher Li <sparse@chrisli.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: David S. Miller <davem@davemloft.net> Cc: Jan-Simon Möller <dl9pf@gmx.de> Cc: Jeremy Fitzhardinge <jeremy@goop.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Randy Dunlap <rdunlap@infradead.org> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: linux-arch@vger.kernel.org Cc: linux-doc@vger.kernel.org Cc: linux-sparse@vger.kernel.org Cc: virtualization@lists.linux-foundation.org Signed-off-by: Ingo Molnar <mingo@kernel.org> 2014-04-05T21:19:54+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-04-05T21:19:54+00:00 urn:sha1:ff050ad12c551233e546506409c89eb2f640d9f3 Pull ARM SoC specific changes from Arnd Bergmann: "Lots of changes specific to one of the SoC families. Some that stick out are: - mach-qcom gains new features, most importantly SMP support for the newer chips (Stephen Boyd, Rohit Vaswani) - mvebu gains support for three new SoCs: Armada 375, 380 and 385 (Thomas Petazzoni and Free-electrons team) - SMP support for Rockchips (Heiko Stübner) - Lots of i.MX changes (Shawn Guo) - Added support for BCM5301x SoC (Hauke Mehrtens) - Multiplatform support for Marvell Kirkwood and Dove (Andrew Lunn and Sebastian Hesselbarth doing the final part of a long journey) - Unify davinci platforms and remove obsolete ones (Sekhar Nori, Arnd Bergmann)" * tag 'soc-3.15' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (126 commits) ARM: sunxi: Select HAVE_ARM_ARCH_TIMER ARM: cache-tauros2: remove ARMv6 code ARM: mvebu: don't select CONFIG_NEON ARM: davinci: fix DT booting with default defconfig ARM: configs: bcm_defconfig: enable bcm590xx regulator support ARM: davinci: remove tnetv107x support MAINTAINERS: Update ARM STi maintainers ARM: restrict BCM_KONA_UART to ARCH_BCM_MOBILE ARM: bcm21664: Add board support. ARM: sunxi: Add the new watchog compatibles to the reboot code ARM: enable ARM_HAS_SG_CHAIN for multiplatform ARM: davinci: remove da8xx_omapl_defconfig ARM: davinci: da8xx: fix multiple watchdog device registration ARM: davinci: add da8xx specific configs to davinci_all_defconfig ARM: davinci: enable da8xx build concurrently with older devices ARM: BCM5301X: workaround suppress fault ARM: BCM5301X: add early debugging support ARM: BCM5301X: initial support for the BCM5301X/BCM470X SoCs with ARM CPU ARM: mach-bcm: Remove GENERIC_TIME ARM: shmobile: APMU: Fix warnings due to improper printk formats ...