linux.git/arch/metag/include/asm, branch v4.12.4 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Merge tag 'metag-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag 2017-05-10T18:40:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2017-05-10T18:40:36+00:00 f94c128eefcce2e3448d543f13cd7d7b8aa660a5 Pull metag updates from James Hogan: "These patches primarily make some usercopy improvements (following on from the recent usercopy fixes): - reformat and simplify rapf copy loops - add 64-bit get_user support And fix a couple more uaccess issues, partily pointed out by Al: - fix access_ok() serious shortcomings - fix strncpy_from_user() address validation Also included is a trivial removal of a redundant increment" * tag 'metag-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag: metag/mm: Drop pointless increment metag/uaccess: Check access_ok in strncpy_from_user metag/uaccess: Fix access_ok() metag/usercopy: Add 64-bit get_user support metag/usercopy: Simplify rapf loop fixup corner case metag/usercopy: Reformat rapf loop inline asm 
Pull metag updates from James Hogan:
 "These patches primarily make some usercopy improvements (following on
  from the recent usercopy fixes):

   - reformat and simplify rapf copy loops

   - add 64-bit get_user support

  And fix a couple more uaccess issues, partily pointed out by Al:

   - fix access_ok() serious shortcomings

   - fix strncpy_from_user() address validation

  Also included is a trivial removal of a redundant increment"

* tag 'metag-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag:
  metag/mm: Drop pointless increment
  metag/uaccess: Check access_ok in strncpy_from_user
  metag/uaccess: Fix access_ok()
  metag/usercopy: Add 64-bit get_user support
  metag/usercopy: Simplify rapf loop fixup corner case
  metag/usercopy: Reformat rapf loop inline asm
metag/uaccess: Check access_ok in strncpy_from_user 2017-05-02T20:11:32+00:00 James Hogan james.hogan@imgtec.com 2017-05-02T18:41:06+00:00 3a158a62da0673db918b53ac1440845a5b64fd90 The metag implementation of strncpy_from_user() doesn't validate the src pointer, which could allow reading of arbitrary kernel memory. Add a short access_ok() check to prevent that. Its still possible for it to read across the user/kernel boundary, but it will invariably reach a NUL character after only 9 bytes, leaking only a static kernel address being loaded into D0Re0 at the beginning of __start, which is acceptable for the immediate fix. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: linux-metag@vger.kernel.org Cc: stable@vger.kernel.org 
The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

Its still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
metag/uaccess: Fix access_ok() 2017-05-02T18:03:40+00:00 James Hogan james.hogan@imgtec.com 2017-04-28T09:50:26+00:00 8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb The __user_bad() macro used by access_ok() has a few corner cases noticed by Al Viro where it doesn't behave correctly: - The kernel range check has off by 1 errors which permit access to the first and last byte of the kernel mapped range. - The kernel range check ends at LINCORE_BASE rather than META_MEMORY_LIMIT, which is ineffective when the kernel is in global space (an extremely uncommon configuration). There are a couple of other shortcomings here too: - Access to the whole of the other address space is permitted (i.e. the global half of the address space when the kernel is in local space). This isn't ideal as it could theoretically still contain privileged mappings set up by the bootloader. - The size argument is unused, permitting user copies which start on valid pages at the end of the user address range and cross the boundary into the kernel address space (e.g. addr = 0x3ffffff0, size > 0x10). It isn't very convenient to add size checks when disallowing certain regions, and it seems far safer to be sure and explicit about what userland is able to access, so invert the logic to allow certain regions instead, and fix the off by 1 errors and missing size checks. This also allows the get_fs() == KERNEL_DS check to be more easily optimised into the user address range case. We now have 3 such allowed regions: - The user address range (incorporating the get_fs() == KERNEL_DS check). - NULL (some kernel code expects this to work, and we'll always catch the fault anyway). - The core code memory region. Fixes: 373cd784d0fc ("metag: Memory handling") Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: linux-metag@vger.kernel.org Cc: stable@vger.kernel.org 
The __user_bad() macro used by access_ok() has a few corner cases
noticed by Al Viro where it doesn't behave correctly:

 - The kernel range check has off by 1 errors which permit access to the
   first and last byte of the kernel mapped range.

 - The kernel range check ends at LINCORE_BASE rather than
   META_MEMORY_LIMIT, which is ineffective when the kernel is in global
   space (an extremely uncommon configuration).

There are a couple of other shortcomings here too:

 - Access to the whole of the other address space is permitted (i.e. the
   global half of the address space when the kernel is in local space).
   This isn't ideal as it could theoretically still contain privileged
   mappings set up by the bootloader.

 - The size argument is unused, permitting user copies which start on
   valid pages at the end of the user address range and cross the
   boundary into the kernel address space (e.g. addr = 0x3ffffff0, size
   > 0x10).

It isn't very convenient to add size checks when disallowing certain
regions, and it seems far safer to be sure and explicit about what
userland is able to access, so invert the logic to allow certain regions
instead, and fix the off by 1 errors and missing size checks. This also
allows the get_fs() == KERNEL_DS check to be more easily optimised into
the user address range case.

We now have 3 such allowed regions:

 - The user address range (incorporating the get_fs() == KERNEL_DS
   check).

 - NULL (some kernel code expects this to work, and we'll always catch
   the fault anyway).

 - The core code memory region.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
Merge branches 'uaccess.alpha', 'uaccess.arc', 'uaccess.arm', 'uaccess.arm64', 'uaccess.avr32', 'uaccess.bfin', 'uaccess.c6x', 'uaccess.cris', 'uaccess.frv', 'uaccess.h8300', 'uaccess.hexagon', 'uaccess.ia64', 'uaccess.m32r', 'uaccess.m68k', 'uaccess.metag', 'uaccess.microblaze', 'uaccess.mips', 'uaccess.mn10300', 'uaccess.nios2', 'uaccess.openrisc', 'uaccess.parisc', 'uaccess.powerpc', 'uaccess.s390', 'uaccess.score', 'uaccess.sh', 'uaccess.sparc', 'uaccess.tile', 'uaccess.um', 'uaccess.unicore32', 'uaccess.x86' and 'uaccess.xtensa' into work.uaccess 2017-04-26T16:06:59+00:00 Al Viro viro@zeniv.linux.org.uk 2017-04-26T16:06:59+00:00 eea86b637a15bc4d4bd518b11330ac96baa6b73d 






metag/usercopy: Switch to RAW_COPY_USER
2017-04-05T15:43:57+00:00

James Hogan
james.hogan@imgtec.com

2017-04-04T14:46:52+00:00

840db3f93849830c4a55c795ddd6057ad40d4f2d

Switch to using raw user copy instead of providing metag specific
[__]copy_{to,from}_user[_inatomic](). This simplifies the metag
uaccess.h and allows us to take advantage of extra checking in the
generic versions.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>





Switch to using raw user copy instead of providing metag specific
[__]copy_{to,from}_user[_inatomic](). This simplifies the metag
uaccess.h and allows us to take advantage of extra checking in the
generic versions.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>







Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag into uaccess.metag
2017-04-05T15:41:09+00:00

Al Viro
viro@zeniv.linux.org.uk

2017-04-05T15:41:09+00:00

a98bba563d262065f230193c4b56c6758e8b4c3b












metag/usercopy: Add 64-bit get_user support
2017-04-05T14:27:32+00:00

James Hogan
james.hogan@imgtec.com

2017-03-31T14:40:52+00:00

d3ba2e922d4d1d61806fcb6e09512d2bee734d06

Metag already supports 64-bit put_user, so add support for 64-bit
get_user too so that the test_user_copy module can test both.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org





Metag already supports 64-bit put_user, so add support for 64-bit
get_user too so that the test_user_copy module can test both.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org







metag/usercopy: Zero rest of buffer from copy_from_user
2017-04-05T14:25:02+00:00

James Hogan
james.hogan@imgtec.com

2017-03-31T10:14:02+00:00

563ddc1076109f2b3f88e6d355eab7b6fd4662cb

Currently we try to zero the destination for a failed read from userland
in fixup code in the usercopy.c macros. The rest of the destination
buffer is then zeroed from __copy_user_zeroing(), which is used for both
copy_from_user() and __copy_from_user().

Unfortunately we fail to zero in the fixup code as D1Ar1 is set to 0
before the fixup code entry labels, and __copy_from_user() shouldn't even
be zeroing the rest of the buffer.

Move the zeroing out into copy_from_user() and rename
__copy_user_zeroing() to raw_copy_from_user() since it no longer does
any zeroing. This also conveniently matches the name needed for
RAW_COPY_USER support in a later patch.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org





Currently we try to zero the destination for a failed read from userland
in fixup code in the usercopy.c macros. The rest of the destination
buffer is then zeroed from __copy_user_zeroing(), which is used for both
copy_from_user() and __copy_from_user().

Unfortunately we fail to zero in the fixup code as D1Ar1 is set to 0
before the fixup code entry labels, and __copy_from_user() shouldn't even
be zeroing the rest of the buffer.

Move the zeroing out into copy_from_user() and rename
__copy_user_zeroing() to raw_copy_from_user() since it no longer does
any zeroing. This also conveniently matches the name needed for
RAW_COPY_USER support in a later patch.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org







Merge branch 'parisc-4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux into uaccess.parisc
2017-04-02T14:33:48+00:00

Al Viro
viro@zeniv.linux.org.uk

2017-04-02T14:33:48+00:00

bee3f412d6fc94011850f16cddce745d529411a5












metag: kill verify_area()
2017-03-28T22:23:42+00:00

Al Viro
viro@zeniv.linux.org.uk

2016-12-28T06:26:29+00:00

2c3054176e2ef3f49be9ec8b6fd06d6a47156ff5

Deprecated in 2.6.12, killed in 2.6.13.  Time to end that depravity,
let's bury the body...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>





Deprecated in 2.6.12, killed in 2.6.13.  Time to end that depravity,
let's bury the body...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>