* Re: [PATCH v2 3/5] signal: Add unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 12:56 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: linuxppc-dev, Paul Mackerras, linux-kernel
In-Reply-To: <87o88zqf3k.fsf@disp2133>
Le 11/09/2021 à 17:58, Eric W. Biederman a écrit :
> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>
>> On 9/8/21 6:17 PM, Eric W. Biederman wrote:
>>> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>>>
>>>> Le 02/09/2021 à 20:43, Eric W. Biederman a écrit :
>>>>> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>>>>>
>>>>>> In the same spirit as commit fb05121fd6a2 ("signal: Add
>>>>>> unsafe_get_compat_sigset()"), implement an 'unsafe' version of
>>>>>> copy_siginfo_to_user() in order to use it within user access blocks.
>>>>>>
>>>>>> For that, also add an 'unsafe' version of clear_user().
>>>>>
>>>>> Looking at your use cases you need the 32bit compat version of this
>>>>> as well.
>>>>>
>>>>> The 32bit compat version is too complicated to become a macro, so I
>>>>> don't think you can make this work correctly for the 32bit compat case.
>>>>
>>>> When looking into patch 5/5 that you nacked, I think you missed the fact that we
>>>> keep using copy_siginfo_to_user32() as it for the 32 bit compat case.
>>>
>>> I did. My mistake.
>>>
>>> However that mistake was so easy I think it mirrors the comments others
>>> have made that this looks like a maintenance hazard.
>>>
>>> Is improving the performance of 32bit kernels interesting?
>>
>> Yes it is, and that's what this series do.
>>
>>> Is improving the performance of 32bit compat support interesting?
>>
>> For me this is a corner case, so I left it aside for now.
>>
>>>
>>> If performance one or either of those cases is interesting it looks like
>>> we already have copy_siginfo_to_external32 the factor you would need
>>> to build unsafe_copy_siginfo_to_user32.
>>
>> I'm not sure I understand your saying here. What do you expect me to
>> do with copy_siginfo_to_external32() ?
>
> Implement unsafe_copy_siginfo_to_user32.
Ok, initialy I thought it would be a too big job but finaly that's not
so big.
>
>> copy_siginfo_to_user32() is for compat only.
>>
>> Native 32 bits powerpc use copy_siginfo_to_user()
>
> What you implemented doubles the number of test cases necessary to
> compile test the 32bit ppc signal code, and makes the code noticeably
> harder to follow.
Yes and no.
We already have a different copy_siginfo_to_user() for compat and for
native, why would anything be doubled ?
I agree it makes the code harder to follow though
>
> Having a unsafe_copy_to_siginfo_to_user32 at least would allow the
> number of test cases to remain the same as the current code.
Not sure I follow you here, but regardless I have sent a v3 which
tentatively implements copy_siginfo_to_user32() for the compat case.
>
>>> So I am not going to say impossible but please make something
>>> maintainable. I unified all of the compat 32bit siginfo logic because
>>> it simply did not get enough love and attention when it was implemented
>>> per architecture.
>>
>> Yes, and ? I didn't do any modification to the compat case, so what
>> you did remains.
>
> You undid the unification between the 32bit code and the 32bit compat
> code.
>
>>> In general I think that concern applies to this case as well. We really
>>> need an implementation that shares as much burden as possible with other
>>> architectures.
>>
>> I think yes, that's the reason why I made a generic
>> unsafe_copy_siginfo_to_user() and didn't make a powerpc dedicated
>> change.
>>
>> Once this is merged any other architecture can use
>> unsafe_copy_siginfo_to_user().
>>
>> Did I miss something ?
>
> Not dealing with the compat case and making the code signal stack frame
> code noticeably more complicated.
>
> If this optimization profitably applies to other architectures we need
> to figure out how to implement unsafe_copy_siginfo_to_user32 or risk
> making them all much worse to maintain.
>
Ok, let's see what you think about v3.
Thanks for you feedback
Christophe
^ permalink raw reply
* [PATCH v3] powerpc/numa: Fill distance_lookup_table for offline nodes
From: Srikar Dronamraju @ 2021-09-13 12:57 UTC (permalink / raw)
To: Michael Ellerman
Cc: Nathan Lynch, Gautham R Shenoy, Vincent Guittot,
Srikar Dronamraju, Peter Zijlstra, Geetika Moolchandani,
Ingo Molnar, Laurent Dufour, linuxppc-dev, Valentin Schneider,
kernel test robot
Scheduler expects the number of unique node distances to be available
at boot. It iterates over all pairs of nodes and records
node_distance() for that pair, and then calculates the set of unique
distances. As per PAPR, node distances for offline nodes is not
available. However, PAPR already exposes unique possible node
distances. Fake the offline node's distance_lookup_table entries so
that all possible node distances are updated.
However this only needs to be done if the number of unique node
distances that can be computed for online nodes is less than the
number of possible unique node distances as represented by
distance_ref_points_depth. When the node is actually onlined,
distance_lookup_table will be updated with actual entries.
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Nathan Lynch <nathanl@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Valentin Schneider <valentin.schneider@arm.com>
Cc: Gautham R Shenoy <ego@linux.vnet.ibm.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Geetika Moolchandani <Geetika.Moolchandani1@ibm.com>
Cc: Laurent Dufour <ldufour@linux.ibm.com>
Cc: kernel test robot <lkp@intel.com>
Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
---
Changelog:
v2: https://lore.kernel.org/linuxppc-dev/20210821102535.169643-4-srikar@linux.vnet.ibm.com/t/#u
- Updated changelog
- Updated variable names
- Rebased to newer branch
- tweaked the WARN if the depth is greater than sizeof(long)
- All of the above based on comments from Michael Ellerman
v1: https://lore.kernel.org/linuxppc-dev/20210701041552.112072-3-srikar@linux.vnet.ibm.com/t/#u
[ Fixed a missing prototype warning Reported-by: kernel test robot <lkp@intel.com>]
arch/powerpc/mm/numa.c | 68 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index 6f14c8fb6359..5ac9f20ebbc8 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1079,6 +1079,73 @@ void __init dump_numa_cpu_topology(void)
}
}
+/*
+ * Scheduler expects unique number of node distances to be available at
+ * boot. It uses node distance to calculate this unique node distances. On
+ * POWER, node distances for offline nodes is not available. However, POWER
+ * already knows unique possible node distances. Fake the offline node's
+ * distance_lookup_table entries so that all possible node distances are
+ * updated.
+ */
+static void __init fake_update_distance_lookup_table(void)
+{
+ unsigned long distance_map;
+ int i, cur_depth, max_depth, node;
+
+ if (!numa_enabled)
+ return;
+
+ if (affinity_form != FORM1_AFFINITY)
+ return;
+
+ /*
+ * distance_ref_points_depth lists the unique numa domains
+ * available. However it ignore LOCAL_DISTANCE. So add +1
+ * to get the actual number of unique distances.
+ */
+ max_depth = distance_ref_points_depth + 1;
+
+ if (max_depth > sizeof(distance_map)) {
+ WARN(1, "Max depth %d > %ld\n", max_depth, sizeof(distance_map));
+ max_depth = sizeof(distance_map);
+ }
+
+ bitmap_zero(&distance_map, max_depth);
+ bitmap_set(&distance_map, 0, 1);
+
+ for_each_online_node(node) {
+ int nd, distance;
+
+ if (node == first_online_node)
+ continue;
+
+ nd = __node_distance(node, first_online_node);
+ for (i = 0, distance = LOCAL_DISTANCE; i < max_depth; i++, distance *= 2) {
+ if (distance == nd) {
+ bitmap_set(&distance_map, i, 1);
+ break;
+ }
+ }
+ cur_depth = bitmap_weight(&distance_map, max_depth);
+ if (cur_depth == max_depth)
+ return;
+ }
+
+ for_each_node(node) {
+ if (node_online(node))
+ continue;
+
+ i = find_first_zero_bit(&distance_map, max_depth);
+ bitmap_set(&distance_map, i, 1);
+ while (i--)
+ distance_lookup_table[node][i] = node;
+
+ cur_depth = bitmap_weight(&distance_map, max_depth);
+ if (cur_depth == max_depth)
+ return;
+ }
+}
+
/* Initialize NODE_DATA for a node on the local memory */
static void __init setup_node_data(int nid, u64 start_pfn, u64 end_pfn)
{
@@ -1201,6 +1268,7 @@ void __init mem_topology_setup(void)
*/
numa_setup_cpu(cpu);
}
+ fake_update_distance_lookup_table();
}
void __init initmem_init(void)
--
2.27.0
^ permalink raw reply related
* Re: [PATCH v2 3/5] signal: Add unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 12:59 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Peter Zijlstra, linux-kernel, Linus Torvalds, Paul Mackerras,
Josh Poimboeuf, linuxppc-dev
In-Reply-To: <YTB1F7o15FrxmmP1@infradead.org>
Le 02/09/2021 à 08:54, Christoph Hellwig a écrit :
> On Mon, Aug 23, 2021 at 03:35:53PM +0000, Christophe Leroy wrote:
>> In the same spirit as commit fb05121fd6a2 ("signal: Add
>> unsafe_get_compat_sigset()"), implement an 'unsafe' version of
>> copy_siginfo_to_user() in order to use it within user access blocks.
>>
>> For that, also add an 'unsafe' version of clear_user().
>
> I'm a little worried about all these unsafe helper in powerpc and the
> ever increasing scope of the unsafe sections. Can you at least at
> powerpc support to objtool to verify them? objtool verifications has
> helped to find quite a few bugs in unsafe sections on x86.
Ok, I've started looking at it, I have not found any work at all on
objtool for powerpc. I'll see if I can draft something from the ARM64
tentatives.
Christophe
^ permalink raw reply
* [PATCH] powerpc/xics: Set the IRQ chip data for the ICS native backend
From: Cédric Le Goater @ 2021-09-13 13:40 UTC (permalink / raw)
To: linuxppc-dev; +Cc: Cédric Le Goater
The ICS native driver relies on the IRQ chip data to find the struct
'ics_native' describing the ICS controller but it was removed by commit
248af248a8f4 ("powerpc/xics: Rename the map handler in a check handler").
Revert this change to fix the Microwatt SoC platform.
Fixes: 248af248a8f4 ("powerpc/xics: Rename the map handler in a check handler")
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
arch/powerpc/sysdev/xics/xics-common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/sysdev/xics/xics-common.c b/arch/powerpc/sysdev/xics/xics-common.c
index 5c1a157a83b8..244a727c6ba4 100644
--- a/arch/powerpc/sysdev/xics/xics-common.c
+++ b/arch/powerpc/sysdev/xics/xics-common.c
@@ -348,9 +348,9 @@ static int xics_host_map(struct irq_domain *domain, unsigned int virq,
if (xics_ics->check(xics_ics, hwirq))
return -EINVAL;
- /* No chip data for the XICS domain */
+ /* Let the ICS be the chip data for the XICS domain. For ICS native */
irq_domain_set_info(domain, virq, hwirq, xics_ics->chip,
- NULL, handle_fasteoi_irq, NULL, NULL);
+ xics_ics, handle_fasteoi_irq, NULL, NULL);
return 0;
}
--
2.31.1
^ permalink raw reply related
* [PATCH v4] lockdown, selinux: fix wrong subject in some SELinux lockdown checks
From: Ondrej Mosnacek @ 2021-09-13 14:02 UTC (permalink / raw)
To: linux-security-module, James Morris
Cc: linux-efi, linux-pci, linux-cxl, Steffen Klassert, Paul Moore,
x86, linux-acpi, Ingo Molnar, linux-serial, linux-pm, selinux,
Steven Rostedt, linux-fsdevel, Dan Williams, Herbert Xu, netdev,
Stephen Smalley, kexec, linux-kernel, Casey Schaufler, bpf,
linuxppc-dev, David S . Miller
Commit 59438b46471a ("security,lockdown,selinux: implement SELinux
lockdown") added an implementation of the locked_down LSM hook to
SELinux, with the aim to restrict which domains are allowed to perform
operations that would breach lockdown.
However, in several places the security_locked_down() hook is called in
situations where the current task isn't doing any action that would
directly breach lockdown, leading to SELinux checks that are basically
bogus.
To fix this, add an explicit struct cred pointer argument to
security_lockdown() and define NULL as a special value to pass instead
of current_cred() in such situations. LSMs that take the subject
credentials into account can then fall back to some default or ignore
such calls altogether. In the SELinux lockdown hook implementation, use
SECINITSID_KERNEL in case the cred argument is NULL.
Most of the callers are updated to pass current_cred() as the cred
pointer, thus maintaining the same behavior. The following callers are
modified to pass NULL as the cred pointer instead:
1. arch/powerpc/xmon/xmon.c
Seems to be some interactive debugging facility. It appears that
the lockdown hook is called from interrupt context here, so it
should be more appropriate to request a global lockdown decision.
2. fs/tracefs/inode.c:tracefs_create_file()
Here the call is used to prevent creating new tracefs entries when
the kernel is locked down. Assumes that locking down is one-way -
i.e. if the hook returns non-zero once, it will never return zero
again, thus no point in creating these files. Also, the hook is
often called by a module's init function when it is loaded by
userspace, where it doesn't make much sense to do a check against
the current task's creds, since the task itself doesn't actually
use the tracing functionality (i.e. doesn't breach lockdown), just
indirectly makes some new tracepoints available to whoever is
authorized to use them.
3. net/xfrm/xfrm_user.c:copy_to_user_*()
Here a cryptographic secret is redacted based on the value returned
from the hook. There are two possible actions that may lead here:
a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the
task context is relevant, since the dumped data is sent back to
the current task.
b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the
dumped SA is broadcasted to tasks subscribed to XFRM events -
here the current task context is not relevant as it doesn't
represent the tasks that could potentially see the secret.
It doesn't seem worth it to try to keep using the current task's
context in the a) case, since the eventual data leak can be
circumvented anyway via b), plus there is no way for the task to
indicate that it doesn't care about the actual key value, so the
check could generate a lot of "false alert" denials with SELinux.
Thus, let's pass NULL instead of current_cred() here faute de
mieux.
Improvements-suggested-by: Casey Schaufler <casey@schaufler-ca.com>
Improvements-suggested-by: Paul Moore <paul@paul-moore.com>
Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
Acked-by: Dan Williams <dan.j.williams@intel.com> [cxl]
Acked-by: Steffen Klassert <steffen.klassert@secunet.com> [xfrm]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
v4:
- rebase on top of TODO
- fix rebase conflicts:
* drivers/cxl/pci.c
- trivial: the lockdown reason was corrected in mainline
* kernel/bpf/helpers.c, kernel/trace/bpf_trace.c
- trivial: LOCKDOWN_BPF_READ was renamed to LOCKDOWN_BPF_READ_KERNEL
in mainline
* kernel/power/hibernate.c
- trivial: !secretmem_active() was added to the condition in
hibernation_available()
- cover new security_locked_down() call in kernel/bpf/helpers.c
(LOCKDOWN_BPF_WRITE_USER in BPF_FUNC_probe_write_user case)
v3: https://lore.kernel.org/lkml/20210616085118.1141101-1-omosnace@redhat.com/
- add the cred argument to security_locked_down() and adapt all callers
- keep using current_cred() in BPF, as the hook calls have been shifted
to program load time (commit ff40e51043af ("bpf, lockdown, audit: Fix
buggy SELinux lockdown permission checks"))
- in SELinux, don't ignore hook calls where cred == NULL, but use
SECINITSID_KERNEL as the subject instead
- update explanations in the commit message
v2: https://lore.kernel.org/lkml/20210517092006.803332-1-omosnace@redhat.com/
- change to a single hook based on suggestions by Casey Schaufler
v1: https://lore.kernel.org/lkml/20210507114048.138933-1-omosnace@redhat.com/
arch/powerpc/xmon/xmon.c | 4 ++--
arch/x86/kernel/ioport.c | 4 ++--
arch/x86/kernel/msr.c | 4 ++--
arch/x86/mm/testmmiotrace.c | 2 +-
drivers/acpi/acpi_configfs.c | 2 +-
drivers/acpi/custom_method.c | 2 +-
drivers/acpi/osl.c | 3 ++-
drivers/acpi/tables.c | 2 +-
drivers/char/mem.c | 2 +-
drivers/cxl/pci.c | 2 +-
drivers/firmware/efi/efi.c | 2 +-
drivers/firmware/efi/test/efi_test.c | 2 +-
drivers/pci/pci-sysfs.c | 6 +++---
drivers/pci/proc.c | 6 +++---
drivers/pci/syscall.c | 2 +-
drivers/pcmcia/cistpl.c | 2 +-
drivers/tty/serial/serial_core.c | 2 +-
fs/debugfs/file.c | 2 +-
fs/debugfs/inode.c | 2 +-
fs/proc/kcore.c | 2 +-
fs/tracefs/inode.c | 2 +-
include/linux/lsm_hook_defs.h | 2 +-
include/linux/lsm_hooks.h | 1 +
include/linux/security.h | 4 ++--
kernel/bpf/helpers.c | 10 ++++++----
kernel/events/core.c | 2 +-
kernel/kexec.c | 2 +-
kernel/kexec_file.c | 2 +-
kernel/module.c | 2 +-
kernel/params.c | 2 +-
kernel/power/hibernate.c | 2 +-
kernel/trace/bpf_trace.c | 25 +++++++++++++++----------
kernel/trace/ftrace.c | 4 ++--
kernel/trace/ring_buffer.c | 2 +-
kernel/trace/trace.c | 10 +++++-----
kernel/trace/trace_events.c | 2 +-
kernel/trace/trace_events_hist.c | 4 ++--
kernel/trace/trace_events_synth.c | 2 +-
kernel/trace/trace_events_trigger.c | 2 +-
kernel/trace/trace_kprobe.c | 6 +++---
kernel/trace/trace_printk.c | 2 +-
kernel/trace/trace_stack.c | 2 +-
kernel/trace/trace_stat.c | 2 +-
kernel/trace/trace_uprobe.c | 4 ++--
net/xfrm/xfrm_user.c | 11 +++++++++--
security/lockdown/lockdown.c | 3 ++-
security/security.c | 4 ++--
security/selinux/hooks.c | 7 +++++--
48 files changed, 99 insertions(+), 79 deletions(-)
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
index dd8241c009e5..47464e873749 100644
--- a/arch/powerpc/xmon/xmon.c
+++ b/arch/powerpc/xmon/xmon.c
@@ -309,7 +309,7 @@ static bool xmon_is_locked_down(void)
static bool lockdown;
if (!lockdown) {
- lockdown = !!security_locked_down(LOCKDOWN_XMON_RW);
+ lockdown = !!security_locked_down(NULL, LOCKDOWN_XMON_RW);
if (lockdown) {
printf("xmon: Disabled due to kernel lockdown\n");
xmon_is_ro = true;
@@ -317,7 +317,7 @@ static bool xmon_is_locked_down(void)
}
if (!xmon_is_ro) {
- xmon_is_ro = !!security_locked_down(LOCKDOWN_XMON_WR);
+ xmon_is_ro = !!security_locked_down(NULL, LOCKDOWN_XMON_WR);
if (xmon_is_ro)
printf("xmon: Read-only due to kernel lockdown\n");
}
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index e2fab3ceb09f..838ba45ecc71 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -71,7 +71,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
if (turn_on && (!capable(CAP_SYS_RAWIO) ||
- security_locked_down(LOCKDOWN_IOPORT)))
+ security_locked_down(current_cred(), LOCKDOWN_IOPORT)))
return -EPERM;
/*
@@ -187,7 +187,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
/* Trying to gain more privileges? */
if (level > old) {
if (!capable(CAP_SYS_RAWIO) ||
- security_locked_down(LOCKDOWN_IOPORT))
+ security_locked_down(current_cred(), LOCKDOWN_IOPORT))
return -EPERM;
}
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index ed8ac6bcbafb..6a687d91515b 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -116,7 +116,7 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
- err = security_locked_down(LOCKDOWN_MSR);
+ err = security_locked_down(current_cred(), LOCKDOWN_MSR);
if (err)
return err;
@@ -179,7 +179,7 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EFAULT;
break;
}
- err = security_locked_down(LOCKDOWN_MSR);
+ err = security_locked_down(current_cred(), LOCKDOWN_MSR);
if (err)
break;
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index bda73cb7a044..c43a13241ae8 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
@@ -116,7 +116,7 @@ static void do_test_bulk_ioremapping(void)
static int __init init(void)
{
unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
- int ret = security_locked_down(LOCKDOWN_MMIOTRACE);
+ int ret = security_locked_down(current_cred(), LOCKDOWN_MMIOTRACE);
if (ret)
return ret;
diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index c970792b11a4..17c4e79b596e 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -26,7 +26,7 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
{
const struct acpi_table_header *header = data;
struct acpi_table *table;
- int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
+ int ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
if (ret)
return ret;
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index d39a9b474727..8cac7f683245 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -30,7 +30,7 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
acpi_status status;
int ret;
- ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
+ ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
if (ret)
return ret;
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index a43f1521efe6..11c462788db8 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -198,7 +198,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
* specific location (if appropriate) so it can be carried
* over further kexec()s.
*/
- if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) {
+ if (acpi_rsdp && !security_locked_down(current_cred(),
+ LOCKDOWN_ACPI_TABLES)) {
acpi_arch_set_root_pointer(acpi_rsdp);
return acpi_rsdp;
}
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index f9383736fa0f..6569ccacd24b 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -577,7 +577,7 @@ void __init acpi_table_upgrade(void)
if (table_nr == 0)
return;
- if (security_locked_down(LOCKDOWN_ACPI_TABLES)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES)) {
pr_notice("kernel is locked down, ignoring table override\n");
return;
}
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 1c596b5cdb27..330749897cd7 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -617,7 +617,7 @@ static int open_port(struct inode *inode, struct file *filp)
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
- rc = security_locked_down(LOCKDOWN_DEV_MEM);
+ rc = security_locked_down(current_cred(), LOCKDOWN_DEV_MEM);
if (rc)
return rc;
diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
index 8e45aa07d662..539c91959234 100644
--- a/drivers/cxl/pci.c
+++ b/drivers/cxl/pci.c
@@ -575,7 +575,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
return false;
- if (security_locked_down(LOCKDOWN_PCI_ACCESS))
+ if (security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
return false;
if (cxl_raw_allow_all)
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 847f33ffc4ae..a885b4c38358 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -200,7 +200,7 @@ static void generic_ops_unregister(void)
static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
static int __init efivar_ssdt_setup(char *str)
{
- int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
+ int ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
if (ret)
return ret;
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 47d67bb0a516..942c25843665 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -722,7 +722,7 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
static int efi_test_open(struct inode *inode, struct file *file)
{
- int ret = security_locked_down(LOCKDOWN_EFI_TEST);
+ int ret = security_locked_down(current_cred(), LOCKDOWN_EFI_TEST);
if (ret)
return ret;
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 7fb5cd17cc98..b76055dbbb03 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -753,7 +753,7 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
u8 *data = (u8 *) buf;
int ret;
- ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
if (ret)
return ret;
@@ -1047,7 +1047,7 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
struct resource *res = &pdev->resource[bar];
int ret;
- ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
if (ret)
return ret;
@@ -1128,7 +1128,7 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
{
int ret;
- ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
if (ret)
return ret;
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index cb18f8a13ab6..1dbdcdf0eff5 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -119,7 +119,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
int size = dev->cfg_size;
int cnt, ret;
- ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
if (ret)
return ret;
@@ -202,7 +202,7 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
#endif /* HAVE_PCI_MMAP */
int ret = 0;
- ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
if (ret)
return ret;
@@ -249,7 +249,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
if (!capable(CAP_SYS_RAWIO) ||
- security_locked_down(LOCKDOWN_PCI_ACCESS))
+ security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
return -EPERM;
if (fpriv->mmap_state == pci_mmap_io) {
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index 61a6fe3cde21..e88cacf8d418 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -93,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
int err = 0;
if (!capable(CAP_SYS_ADMIN) ||
- security_locked_down(LOCKDOWN_PCI_ACCESS))
+ security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
return -EPERM;
dev = pci_get_domain_bus_and_slot(0, bus, dfn);
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
index 948b763dc451..96c96c1cd6da 100644
--- a/drivers/pcmcia/cistpl.c
+++ b/drivers/pcmcia/cistpl.c
@@ -1577,7 +1577,7 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
struct pcmcia_socket *s;
int error;
- error = security_locked_down(LOCKDOWN_PCMCIA_CIS);
+ error = security_locked_down(current_cred(), LOCKDOWN_PCMCIA_CIS);
if (error)
return error;
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 0e2e35ab64c7..7fbec2644b1b 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -840,7 +840,7 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
}
if (change_irq || change_port) {
- retval = security_locked_down(LOCKDOWN_TIOCSSERIAL);
+ retval = security_locked_down(current_cred(), LOCKDOWN_TIOCSSERIAL);
if (retval)
goto exit;
}
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 7d162b0efbf0..a8e44f3e11d2 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -154,7 +154,7 @@ static int debugfs_locked_down(struct inode *inode,
!real_fops->mmap)
return 0;
- if (security_locked_down(LOCKDOWN_DEBUGFS))
+ if (security_locked_down(current_cred(), LOCKDOWN_DEBUGFS))
return -EPERM;
return 0;
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 8129a430d789..17f6438cc1b5 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -48,7 +48,7 @@ static int debugfs_setattr(struct user_namespace *mnt_userns,
int ret;
if (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) {
- ret = security_locked_down(LOCKDOWN_DEBUGFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_DEBUGFS);
if (ret)
return ret;
}
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index 982e694aae77..f386fd373ea6 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -586,7 +586,7 @@ out:
static int open_kcore(struct inode *inode, struct file *filp)
{
- int ret = security_locked_down(LOCKDOWN_KCORE);
+ int ret = security_locked_down(current_cred(), LOCKDOWN_KCORE);
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
index 1261e8b41edb..9db8dd52d429 100644
--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -396,7 +396,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode,
struct dentry *dentry;
struct inode *inode;
- if (security_locked_down(LOCKDOWN_TRACEFS))
+ if (security_locked_down(NULL, LOCKDOWN_TRACEFS))
return NULL;
if (!(mode & S_IFMT))
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 2adeea44c0d5..a83a370cc284 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -393,7 +393,7 @@ LSM_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux)
LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
#endif /* CONFIG_BPF_SYSCALL */
-LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
+LSM_HOOK(int, 0, locked_down, const struct cred *cred, enum lockdown_reason what)
#ifdef CONFIG_PERF_EVENTS
LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 5c4c5c0602cb..8156f2dbaab7 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1543,6 +1543,7 @@
* Determine whether a kernel feature that potentially enables arbitrary
* code execution in kernel space should be permitted.
*
+ * @cred: credential asociated with the operation, or NULL if not applicable
* @what: kernel feature being accessed
*
* Security hooks for perf events
diff --git a/include/linux/security.h b/include/linux/security.h
index 5b7288521300..a9001c0ed885 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -471,7 +471,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
-int security_locked_down(enum lockdown_reason what);
+int security_locked_down(const struct cred *cred, enum lockdown_reason what);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1344,7 +1344,7 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
{
return -EOPNOTSUPP;
}
-static inline int security_locked_down(enum lockdown_reason what)
+static inline int security_locked_down(struct cred *cred, enum lockdown_reason what)
{
return 0;
}
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 9aabf84afd4b..61a9645f9b8f 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1424,13 +1424,15 @@ bpf_base_func_proto(enum bpf_func_id func_id)
case BPF_FUNC_probe_read_user:
return &bpf_probe_read_user_proto;
case BPF_FUNC_probe_read_kernel:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_kernel_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_kernel_proto;
case BPF_FUNC_probe_read_user_str:
return &bpf_probe_read_user_str_proto;
case BPF_FUNC_probe_read_kernel_str:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_kernel_str_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_kernel_str_proto;
case BPF_FUNC_snprintf_btf:
return &bpf_snprintf_btf_proto;
case BPF_FUNC_snprintf:
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 744e8726c5b2..d2836e320948 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -12017,7 +12017,7 @@ SYSCALL_DEFINE5(perf_event_open,
/* REGS_INTR can leak data, lockdown must prevent this */
if (attr.sample_type & PERF_SAMPLE_REGS_INTR) {
- err = security_locked_down(LOCKDOWN_PERF);
+ err = security_locked_down(current_cred(), LOCKDOWN_PERF);
if (err)
return err;
}
diff --git a/kernel/kexec.c b/kernel/kexec.c
index b5e40f069768..f908dd7889de 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -208,7 +208,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
* kexec can be used to circumvent module loading restrictions, so
* prevent loading in that case
*/
- result = security_locked_down(LOCKDOWN_KEXEC);
+ result = security_locked_down(current_cred(), LOCKDOWN_KEXEC);
if (result)
return result;
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 33400ff051a8..add00b325f4f 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -204,7 +204,7 @@ kimage_validate_signature(struct kimage *image)
* down.
*/
if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
- security_locked_down(LOCKDOWN_KEXEC))
+ security_locked_down(current_cred(), LOCKDOWN_KEXEC))
return -EPERM;
pr_debug("kernel signature verification failed (%d).\n", ret);
diff --git a/kernel/module.c b/kernel/module.c
index 40ec9a030eec..3cad8055d7a2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2931,7 +2931,7 @@ static int module_sig_check(struct load_info *info, int flags)
return -EKEYREJECTED;
}
- return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
+ return security_locked_down(current_cred(), LOCKDOWN_MODULE_SIGNATURE);
}
#else /* !CONFIG_MODULE_SIG */
static int module_sig_check(struct load_info *info, int flags)
diff --git a/kernel/params.c b/kernel/params.c
index 8299bd764e42..619bf8ad8416 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -100,7 +100,7 @@ bool parameq(const char *a, const char *b)
static bool param_check_unsafe(const struct kernel_param *kp)
{
if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
- security_locked_down(LOCKDOWN_MODULE_PARAMETERS))
+ security_locked_down(current_cred(), LOCKDOWN_MODULE_PARAMETERS))
return false;
if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 559acef3fddb..2625d531ee0e 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -83,7 +83,7 @@ void hibernate_release(void)
bool hibernation_available(void)
{
return nohibernate == 0 &&
- !security_locked_down(LOCKDOWN_HIBERNATION) &&
+ !security_locked_down(current_cred(), LOCKDOWN_HIBERNATION) &&
!secretmem_active();
}
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 8e2eb950aa82..51bdbdf75a5c 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1066,25 +1066,30 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_FUNC_get_prandom_u32:
return &bpf_get_prandom_u32_proto;
case BPF_FUNC_probe_write_user:
- return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ?
- NULL : bpf_get_probe_write_proto();
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_WRITE_USER) < 0)
+ return NULL;
+ return bpf_get_probe_write_proto();
case BPF_FUNC_probe_read_user:
return &bpf_probe_read_user_proto;
case BPF_FUNC_probe_read_kernel:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_kernel_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_kernel_proto;
case BPF_FUNC_probe_read_user_str:
return &bpf_probe_read_user_str_proto;
case BPF_FUNC_probe_read_kernel_str:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_kernel_str_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_kernel_str_proto;
#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
case BPF_FUNC_probe_read:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_compat_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_compat_proto;
case BPF_FUNC_probe_read_str:
- return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
- NULL : &bpf_probe_read_compat_str_proto;
+ if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
+ return NULL;
+ return &bpf_probe_read_compat_str_proto;
#endif
#ifdef CONFIG_CGROUPS
case BPF_FUNC_get_current_cgroup_id:
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 7efbc8aaf7f6..5c1b2681c371 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3694,7 +3694,7 @@ ftrace_avail_open(struct inode *inode, struct file *file)
struct ftrace_iterator *iter;
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
@@ -5822,7 +5822,7 @@ __ftrace_graph_open(struct inode *inode, struct file *file,
int ret;
struct ftrace_hash *new_hash = NULL;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index c5a3fbf19617..13669fcbd466 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5880,7 +5880,7 @@ static __init int test_ringbuffer(void)
int cpu;
int ret = 0;
- if (security_locked_down(LOCKDOWN_TRACEFS)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
pr_warn("Lockdown is enabled, skipping ring buffer tests\n");
return 0;
}
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 7896d30d90f7..2bac9688ff6a 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -486,7 +486,7 @@ int tracing_check_open_get_tr(struct trace_array *tr)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
@@ -2071,7 +2071,7 @@ int __init register_tracer(struct tracer *type)
return -1;
}
- if (security_locked_down(LOCKDOWN_TRACEFS)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
pr_warn("Can not register tracer %s due to lockdown\n",
type->name);
return -EPERM;
@@ -9527,7 +9527,7 @@ int tracing_init_dentry(void)
{
struct trace_array *tr = &global_trace;
- if (security_locked_down(LOCKDOWN_TRACEFS)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
pr_warn("Tracing disabled due to lockdown\n");
return -EPERM;
}
@@ -9989,7 +9989,7 @@ __init static int tracer_alloc_buffers(void)
int ret = -ENOMEM;
- if (security_locked_down(LOCKDOWN_TRACEFS)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
pr_warn("Tracing disabled due to lockdown\n");
return -EPERM;
}
@@ -10155,7 +10155,7 @@ __init static void tracing_set_default_clock(void)
{
/* sched_clock_stable() is determined in late_initcall */
if (!trace_boot_clock && !sched_clock_stable()) {
- if (security_locked_down(LOCKDOWN_TRACEFS)) {
+ if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
pr_warn("Can not set tracing clock due to lockdown\n");
return;
}
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 830b3b9940f4..c1e4f7f93c0e 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -2130,7 +2130,7 @@ ftrace_event_open(struct inode *inode, struct file *file,
struct seq_file *m;
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index a6061a69aa84..e122f0467421 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -4917,7 +4917,7 @@ static int event_hist_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
@@ -5189,7 +5189,7 @@ static int event_hist_debug_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index d54094b7a9d7..deac45f00f3a 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -2174,7 +2174,7 @@ static int synth_events_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 3d5c07239a2a..38226c386f82 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -190,7 +190,7 @@ static int event_trigger_regex_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 3a64ba4bbad6..9178ad52290e 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -479,7 +479,7 @@ static int __register_trace_kprobe(struct trace_kprobe *tk)
{
int i, ret;
- ret = security_locked_down(LOCKDOWN_KPROBES);
+ ret = security_locked_down(current_cred(), LOCKDOWN_KPROBES);
if (ret)
return ret;
@@ -1141,7 +1141,7 @@ static int probes_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
@@ -1199,7 +1199,7 @@ static int profile_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
index 4b320fe7df70..47c808484cb2 100644
--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
@@ -362,7 +362,7 @@ ftrace_formats_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
index 63c285042051..63b6ebe7bdce 100644
--- a/kernel/trace/trace_stack.c
+++ b/kernel/trace/trace_stack.c
@@ -477,7 +477,7 @@ static int stack_trace_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c
index 8d141c3825a9..2f6ae81ee67e 100644
--- a/kernel/trace/trace_stat.c
+++ b/kernel/trace/trace_stat.c
@@ -236,7 +236,7 @@ static int tracing_stat_open(struct inode *inode, struct file *file)
struct seq_file *m;
struct stat_session *session = inode->i_private;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index 225ce569bf8f..4b114e4fe436 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -781,7 +781,7 @@ static int probes_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
@@ -836,7 +836,7 @@ static int profile_open(struct inode *inode, struct file *file)
{
int ret;
- ret = security_locked_down(LOCKDOWN_TRACEFS);
+ ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
if (ret)
return ret;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 03b66d154b2b..ffd560514d8f 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -850,8 +850,15 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
static bool xfrm_redact(void)
{
- return IS_ENABLED(CONFIG_SECURITY) &&
- security_locked_down(LOCKDOWN_XFRM_SECRET);
+ /* Don't use current_cred() here, since this may be called when
+ * broadcasting a notification that an SA has been created/deleted.
+ * In that case current task is the one triggering the notification,
+ * but the SA key is actually leaked to the event subscribers.
+ * Since we can't easily do the redact decision per-subscriber,
+ * just pass NULL here, indicating to the LSMs that a global lockdown
+ * decision should be made instead.
+ */
+ return security_locked_down(NULL, LOCKDOWN_XFRM_SECRET);
}
static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 87cbdc64d272..2abe92157e82 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -55,7 +55,8 @@ early_param("lockdown", lockdown_param);
* lockdown_is_locked_down - Find out if the kernel is locked down
* @what: Tag to use in notice generated if lockdown is in effect
*/
-static int lockdown_is_locked_down(enum lockdown_reason what)
+static int lockdown_is_locked_down(const struct cred *cred,
+ enum lockdown_reason what)
{
if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
"Invalid lockdown reason"))
diff --git a/security/security.c b/security/security.c
index 9ffa9e9c5c55..51245e37b351 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2593,9 +2593,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
}
#endif /* CONFIG_BPF_SYSCALL */
-int security_locked_down(enum lockdown_reason what)
+int security_locked_down(const struct cred *cred, enum lockdown_reason what)
{
- return call_int_hook(locked_down, 0, what);
+ return call_int_hook(locked_down, 0, cred, what);
}
EXPORT_SYMBOL(security_locked_down);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6517f221d52c..300bc9e1ffbf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7013,10 +7013,10 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
}
#endif
-static int selinux_lockdown(enum lockdown_reason what)
+static int selinux_lockdown(const struct cred *cred, enum lockdown_reason what)
{
struct common_audit_data ad;
- u32 sid = current_sid();
+ u32 sid;
int invalid_reason = (what <= LOCKDOWN_NONE) ||
(what == LOCKDOWN_INTEGRITY_MAX) ||
(what >= LOCKDOWN_CONFIDENTIALITY_MAX);
@@ -7028,6 +7028,9 @@ static int selinux_lockdown(enum lockdown_reason what)
return -EINVAL;
}
+ /* Use SECINITSID_KERNEL if there is no relevant cred to check against */
+ sid = cred ? cred_sid(cred) : SECINITSID_KERNEL;
+
ad.type = LSM_AUDIT_DATA_LOCKDOWN;
ad.u.reason = what;
--
2.31.1
^ permalink raw reply related
* [PATCH 0/2] kvm: fix KVM_MAX_VCPU_ID handling
From: Juergen Gross @ 2021-09-13 13:57 UTC (permalink / raw)
To: kvm, x86, linux-kernel, linux-doc, linux-mips, kvm-ppc,
linuxppc-dev, linux-kselftest
Cc: Juergen Gross, Shuah Khan, Thomas Bogendoerfer, Wanpeng Li,
Jonathan Corbet, Sean Christopherson, Joerg Roedel, Huacai Chen,
Aleksandar Markovic, Ingo Molnar, Borislav Petkov, H. Peter Anvin,
Paolo Bonzini, Vitaly Kuznetsov, Shuah Khan, Thomas Gleixner,
Paul Mackerras, Jim Mattson
Revert commit 76b4f357d0e7d8f6f00 which was based on wrong reasoning
and rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS in order to avoid the
same issue in future.
Juergen Gross (2):
x86/kvm: revert commit 76b4f357d0e7d8f6f00
kvm: rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS
Documentation/virt/kvm/devices/xics.rst | 2 +-
Documentation/virt/kvm/devices/xive.rst | 2 +-
arch/mips/kvm/mips.c | 2 +-
arch/powerpc/include/asm/kvm_book3s.h | 2 +-
arch/powerpc/include/asm/kvm_host.h | 4 ++--
arch/powerpc/kvm/book3s_xive.c | 2 +-
arch/powerpc/kvm/powerpc.c | 2 +-
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/ioapic.c | 2 +-
arch/x86/kvm/ioapic.h | 4 ++--
arch/x86/kvm/x86.c | 2 +-
include/linux/kvm_host.h | 4 ++--
tools/testing/selftests/kvm/kvm_create_max_vcpus.c | 2 +-
virt/kvm/kvm_main.c | 2 +-
14 files changed, 17 insertions(+), 17 deletions(-)
--
2.26.2
^ permalink raw reply
* [PATCH 2/2] kvm: rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS
From: Juergen Gross @ 2021-09-13 13:57 UTC (permalink / raw)
To: kvm, x86, linux-doc, linux-kernel, linux-mips, kvm-ppc,
linuxppc-dev, linux-kselftest
Cc: Wanpeng Li, Paul Mackerras, H. Peter Anvin, Shuah Khan,
Jonathan Corbet, Joerg Roedel, Huacai Chen, Aleksandar Markovic,
Ingo Molnar, Eduardo Habkost, Borislav Petkov, Shuah Khan,
Thomas Gleixner, Jim Mattson, Juergen Gross, Thomas Bogendoerfer,
Sean Christopherson, Paolo Bonzini, Vitaly Kuznetsov
In-Reply-To: <20210913135745.13944-1-jgross@suse.com>
KVM_MAX_VCPU_ID is not specifying the highest allowed vcpu-id, but the
number of allowed vcpu-ids. This has already led to confusion, so
rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS to make its semantics more
clear
Suggested-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
---
Documentation/virt/kvm/devices/xics.rst | 2 +-
Documentation/virt/kvm/devices/xive.rst | 2 +-
arch/mips/kvm/mips.c | 2 +-
arch/powerpc/include/asm/kvm_book3s.h | 2 +-
arch/powerpc/include/asm/kvm_host.h | 4 ++--
arch/powerpc/kvm/book3s_xive.c | 2 +-
arch/powerpc/kvm/powerpc.c | 2 +-
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/ioapic.c | 2 +-
arch/x86/kvm/ioapic.h | 4 ++--
arch/x86/kvm/x86.c | 2 +-
include/linux/kvm_host.h | 4 ++--
tools/testing/selftests/kvm/kvm_create_max_vcpus.c | 2 +-
virt/kvm/kvm_main.c | 2 +-
14 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/Documentation/virt/kvm/devices/xics.rst b/Documentation/virt/kvm/devices/xics.rst
index 2d6927e0b776..bf32c77174ab 100644
--- a/Documentation/virt/kvm/devices/xics.rst
+++ b/Documentation/virt/kvm/devices/xics.rst
@@ -22,7 +22,7 @@ Groups:
Errors:
======= ==========================================
- -EINVAL Value greater than KVM_MAX_VCPU_ID.
+ -EINVAL Value greater than KVM_MAX_VCPU_IDS.
-EFAULT Invalid user pointer for attr->addr.
-EBUSY A vcpu is already connected to the device.
======= ==========================================
diff --git a/Documentation/virt/kvm/devices/xive.rst b/Documentation/virt/kvm/devices/xive.rst
index 8bdf3dc38f01..8b5e7b40bdf8 100644
--- a/Documentation/virt/kvm/devices/xive.rst
+++ b/Documentation/virt/kvm/devices/xive.rst
@@ -91,7 +91,7 @@ the legacy interrupt mode, referred as XICS (POWER7/8).
Errors:
======= ==========================================
- -EINVAL Value greater than KVM_MAX_VCPU_ID.
+ -EINVAL Value greater than KVM_MAX_VCPU_IDS.
-EFAULT Invalid user pointer for attr->addr.
-EBUSY A vCPU is already connected to the device.
======= ==========================================
diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
index 75c6f264c626..562aa878b266 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -1073,7 +1073,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
r = KVM_MAX_VCPUS;
break;
case KVM_CAP_MAX_VCPU_ID:
- r = KVM_MAX_VCPU_ID;
+ r = KVM_MAX_VCPU_IDS;
break;
case KVM_CAP_MIPS_FPU:
/* We don't handle systems with inconsistent cpu_has_fpu */
diff --git a/arch/powerpc/include/asm/kvm_book3s.h b/arch/powerpc/include/asm/kvm_book3s.h
index caaa0f592d8e..3d31f2c59e43 100644
--- a/arch/powerpc/include/asm/kvm_book3s.h
+++ b/arch/powerpc/include/asm/kvm_book3s.h
@@ -434,7 +434,7 @@ extern int kvmppc_h_logical_ci_store(struct kvm_vcpu *vcpu);
#define SPLIT_HACK_OFFS 0xfb000000
/*
- * This packs a VCPU ID from the [0..KVM_MAX_VCPU_ID) space down to the
+ * This packs a VCPU ID from the [0..KVM_MAX_VCPU_IDS) space down to the
* [0..KVM_MAX_VCPUS) space, using knowledge of the guest's core stride
* (but not its actual threading mode, which is not available) to avoid
* collisions.
diff --git a/arch/powerpc/include/asm/kvm_host.h b/arch/powerpc/include/asm/kvm_host.h
index 080a7feb7731..59cb38b04ede 100644
--- a/arch/powerpc/include/asm/kvm_host.h
+++ b/arch/powerpc/include/asm/kvm_host.h
@@ -33,11 +33,11 @@
#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
#include <asm/kvm_book3s_asm.h> /* for MAX_SMT_THREADS */
-#define KVM_MAX_VCPU_ID (MAX_SMT_THREADS * KVM_MAX_VCORES)
+#define KVM_MAX_VCPU_IDS (MAX_SMT_THREADS * KVM_MAX_VCORES)
#define KVM_MAX_NESTED_GUESTS KVMPPC_NR_LPIDS
#else
-#define KVM_MAX_VCPU_ID KVM_MAX_VCPUS
+#define KVM_MAX_VCPU_IDS KVM_MAX_VCPUS
#endif /* CONFIG_KVM_BOOK3S_HV_POSSIBLE */
#define __KVM_HAVE_ARCH_INTC_INITIALIZED
diff --git a/arch/powerpc/kvm/book3s_xive.c b/arch/powerpc/kvm/book3s_xive.c
index a18db9e16ea4..225008882958 100644
--- a/arch/powerpc/kvm/book3s_xive.c
+++ b/arch/powerpc/kvm/book3s_xive.c
@@ -1928,7 +1928,7 @@ int kvmppc_xive_set_nr_servers(struct kvmppc_xive *xive, u64 addr)
pr_devel("%s nr_servers=%u\n", __func__, nr_servers);
- if (!nr_servers || nr_servers > KVM_MAX_VCPU_ID)
+ if (!nr_servers || nr_servers > KVM_MAX_VCPU_IDS)
return -EINVAL;
mutex_lock(&xive->lock);
diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index b4e6f70b97b9..8ab90ce8738f 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -649,7 +649,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
r = KVM_MAX_VCPUS;
break;
case KVM_CAP_MAX_VCPU_ID:
- r = KVM_MAX_VCPU_ID;
+ r = KVM_MAX_VCPU_IDS;
break;
#ifdef CONFIG_PPC_BOOK3S_64
case KVM_CAP_PPC_GET_SMMU_INFO:
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index f8f48a7ec577..261b7d857fc0 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -50,7 +50,7 @@
* so ratio of 4 should be enough.
*/
#define KVM_VCPU_ID_RATIO 4
-#define KVM_MAX_VCPU_ID (KVM_MAX_VCPUS * KVM_VCPU_ID_RATIO)
+#define KVM_MAX_VCPU_IDS (KVM_MAX_VCPUS * KVM_VCPU_ID_RATIO)
/* memory slots that are not exposed to userspace */
#define KVM_PRIVATE_MEM_SLOTS 3
diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
index 698969e18fe3..3358123be946 100644
--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -96,7 +96,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
{
ioapic->rtc_status.pending_eoi = 0;
- bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
+ bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_IDS);
}
static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
index 27e61ff3ac3e..e66e620c3bed 100644
--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -39,13 +39,13 @@ struct kvm_vcpu;
struct dest_map {
/* vcpu bitmap where IRQ has been sent */
- DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
+ DECLARE_BITMAP(map, KVM_MAX_VCPU_IDS);
/*
* Vector sent to a given vcpu, only valid when
* the vcpu's bit in map is set
*/
- u8 vectors[KVM_MAX_VCPU_ID];
+ u8 vectors[KVM_MAX_VCPU_IDS];
};
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 28ef14155726..fec43997522b 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4070,7 +4070,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
r = KVM_MAX_VCPUS;
break;
case KVM_CAP_MAX_VCPU_ID:
- r = KVM_MAX_VCPU_ID;
+ r = KVM_MAX_VCPU_IDS;
break;
case KVM_CAP_PV_MMU: /* obsolete */
r = 0;
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 041ca7f15ea4..d2b405170f6e 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -39,8 +39,8 @@
#include <asm/kvm_host.h>
#include <linux/kvm_dirty_ring.h>
-#ifndef KVM_MAX_VCPU_ID
-#define KVM_MAX_VCPU_ID KVM_MAX_VCPUS
+#ifndef KVM_MAX_VCPU_IDS
+#define KVM_MAX_VCPU_IDS KVM_MAX_VCPUS
#endif
/*
diff --git a/tools/testing/selftests/kvm/kvm_create_max_vcpus.c b/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
index 0299cd81b8ba..f968dfd4ee88 100644
--- a/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
+++ b/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
@@ -53,7 +53,7 @@ int main(int argc, char *argv[])
kvm_max_vcpu_id = kvm_max_vcpus;
TEST_ASSERT(kvm_max_vcpu_id >= kvm_max_vcpus,
- "KVM_MAX_VCPU_ID (%d) must be at least as large as KVM_MAX_VCPUS (%d).",
+ "KVM_MAX_VCPU_IDS (%d) must be at least as large as KVM_MAX_VCPUS (%d).",
kvm_max_vcpu_id, kvm_max_vcpus);
test_vcpu_creation(0, kvm_max_vcpus);
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 439d3b4cd1a9..62fcbc897e1c 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3557,7 +3557,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
struct kvm_vcpu *vcpu;
struct page *page;
- if (id >= KVM_MAX_VCPU_ID)
+ if (id >= KVM_MAX_VCPU_IDS)
return -EINVAL;
mutex_lock(&kvm->lock);
--
2.26.2
^ permalink raw reply related
* Re: [PATCH 1/1] powerpc: Drop superfluous pci_dev_is_added() calls
From: Oliver O'Halloran @ 2021-09-13 14:58 UTC (permalink / raw)
To: Michael Ellerman
Cc: linux-arch, linux-s390, Niklas Schnelle,
Linux Kernel Mailing List, linux-pci, Bjorn Helgaas, linuxppc-dev
In-Reply-To: <87wnnnl67a.fsf@mpe.ellerman.id.au>
On Sat, Sep 11, 2021 at 9:09 PM Michael Ellerman <mpe@ellerman.id.au> wrote:
>
> Niklas Schnelle <schnelle@linux.ibm.com> writes:
> > On powerpc, pci_dev_is_added() is called as part of SR-IOV fixups
> > that are done under pcibios_add_device() which in turn is only called in
> > pci_device_add() whih is called when a PCI device is scanned.
>
> Thanks for cleaning this up for us.
>
> > Now pci_dev_assign_added() is called in pci_bus_add_device() which is
> > only called after scanning the device. Thus pci_dev_is_added() is always
> > false and can be dropped.
>
> My only query is whether we can pin down when that changed.
>
> Oliver said:
>
> The use of pci_dev_is_added() in arch/powerpc was because in the past
> pci_bus_add_device() could be called before pci_device_add(). That was
> fixed a while ago so It should be safe to remove those calls now.
>
> I trawled back through the history a bit but I can't remember/find which
> commit changed that, Oliver can you remember?
Yeah, on closer inspection that never happened. The re-ordering I was
thinking of was when the boot-time BAR assignments were moved in
3f068aae7a95 so they'd always occur before pci_bus_add_device() was
called. I think I got that change mixed up with commit 30d87ef8b38d
("powerpc/pci: Fix pcibios_setup_device() ordering") which moved some
of what what pcibios_device_add() did into pcibios_bus_add_device() to
harmonise the hot and coldplug paths.
As far as I can tell the pci_dev_is_added() check has been pointless
since the code was added in 6e628c7d33d9 ("powerpc/powernv: Reserve
additional space for IOV BAR according to the number of total_pe").
Even back then pci_device_add() was called first in both the normal
and OF based PCI probing paths so there's no circumstance where that
code would see the added flag set.
That patch was part of the PowerNV SRIOV support series which went
through quite a few iterations. My best guess is that check might have
been needed in an earlier version and was just carried forward until
it got merged. I didn't dig too deeply into the history though.
Reviewed-by: Oliver O'Halloran <oohall@gmail.com>
^ permalink raw reply
* [PATCH] powerpc/mem: Fix arch/powerpc/mm/mem.c:53:12: error: no previous prototype for 'create_section_mapping'
From: Christophe Leroy @ 2021-09-13 15:17 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman
Cc: linuxppc-dev, linux-kernel, kernel test robot
Commit 8e11d62e2e87 ("powerpc/mem: Add back missing header to fix 'no
previous prototype' error") was supposed to fix the problem, but in
the meantime commit a927bd6ba952 ("mm: fix phys_to_target_node() and*
memory_add_physaddr_to_nid() exports") moved create_section_mapping()
prototype from asm/sparsemem.h to asm/mmzone.h
Reported-by: kernel test robot <lkp@intel.com>
Fixes: 8e11d62e2e87 ("powerpc/mem: Add back missing header to fix 'no previous prototype' error")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
arch/powerpc/mm/mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index ad198b439222..0380efff535a 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -20,8 +20,8 @@
#include <asm/machdep.h>
#include <asm/rtas.h>
#include <asm/kasan.h>
-#include <asm/sparsemem.h>
#include <asm/svm.h>
+#include <asm/mmzone.h>
#include <mm/mmu_decl.h>
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 5/6] powerpc/uaccess: Add unsafe_clear_user()
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
In-Reply-To: <1718f38859d5366f82d5bef531f255cedf537b5d.1631537060.git.christophe.leroy@csgroup.eu>
Implement unsafe_clear_user() for powerpc.
It's a copy/paste of unsafe_copy_to_user() with value 0 as source.
It may be improved in a later patch by using 'dcbz' instruction
to zeroize full cache lines at once.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
arch/powerpc/include/asm/uaccess.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 22c79ab40006..962b675485ff 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -467,6 +467,26 @@ do { \
unsafe_put_user(*(u8*)(_src + _i), (u8 __user *)(_dst + _i), e); \
} while (0)
+#define unsafe_clear_user(d, l, e) \
+do { \
+ u8 __user *_dst = (u8 __user *)(d); \
+ size_t _len = (l); \
+ int _i; \
+ \
+ for (_i = 0; _i < (_len & ~(sizeof(u64) - 1)); _i += sizeof(u64)) \
+ unsafe_put_user(0, (u64 __user *)(_dst + _i), e); \
+ if (_len & 4) { \
+ unsafe_put_user(0, (u32 __user *)(_dst + _i), e); \
+ _i += 4; \
+ } \
+ if (_len & 2) { \
+ unsafe_put_user(0, (u16 __user *)(_dst + _i), e); \
+ _i += 2; \
+ } \
+ if (_len & 1) \
+ unsafe_put_user(0, (u8 __user *)(_dst + _i), e); \
+} while (0)
+
#define HAVE_GET_KERNEL_NOFAULT
#define __get_kernel_nofault(dst, src, type, err_label) \
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 1/6] powerpc/signal64: Access function descriptor with user access block
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
Access the function descriptor of the handler within a
user access block.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
Resending with correct date, sorry for the noise, my new PC seems to have used the fake date from Git instead of adding proper Date: from current date/time.
v3: Flatten the change to avoid nested gotos.
---
arch/powerpc/kernel/signal_64.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 1831bba0582e..7b1cd50bc4fb 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -936,8 +936,13 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
func_descr_t __user *funct_desc_ptr =
(func_descr_t __user *) ksig->ka.sa.sa_handler;
- err |= get_user(regs->ctr, &funct_desc_ptr->entry);
- err |= get_user(regs->gpr[2], &funct_desc_ptr->toc);
+ if (!user_read_access_begin(funct_desc_ptr, sizeof(func_descr_t)))
+ goto badfunc;
+
+ unsafe_get_user(regs->ctr, &funct_desc_ptr->entry, badfunc_block);
+ unsafe_get_user(regs->gpr[2], &funct_desc_ptr->toc, badfunc_block);
+
+ user_read_access_end();
}
/* enter the signal handler in native-endian mode */
@@ -962,5 +967,12 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
badframe:
signal_fault(current, regs, "handle_rt_signal64", frame);
+ return 1;
+
+badfunc_block:
+ user_read_access_end();
+badfunc:
+ signal_fault(current, regs, __func__, (void __user *)ksig->ka.sa.sa_handler);
+
return 1;
}
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 3/6] signal: Add unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
In-Reply-To: <1718f38859d5366f82d5bef531f255cedf537b5d.1631537060.git.christophe.leroy@csgroup.eu>
In the same spirit as commit fb05121fd6a2 ("signal: Add
unsafe_get_compat_sigset()"), implement an 'unsafe' version of
copy_siginfo_to_user() in order to use it within user access blocks.
For that, also add an 'unsafe' version of clear_user().
This commit adds the generic fallback for unsafe_clear_user().
Architectures wanting to use unsafe_copy_siginfo_to_user() within a
user_access_begin() section have to make sure they have their
own unsafe_clear_user().
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
v3: Added precision about unsafe_clear_user() in commit message.
---
include/linux/signal.h | 15 +++++++++++++++
include/linux/uaccess.h | 1 +
kernel/signal.c | 5 -----
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/include/linux/signal.h b/include/linux/signal.h
index 3f96a6374e4f..70ea7e741427 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -35,6 +35,21 @@ static inline void copy_siginfo_to_external(siginfo_t *to,
int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from);
int copy_siginfo_from_user(kernel_siginfo_t *to, const siginfo_t __user *from);
+static __always_inline char __user *si_expansion(const siginfo_t __user *info)
+{
+ return ((char __user *)info) + sizeof(struct kernel_siginfo);
+}
+
+#define unsafe_copy_siginfo_to_user(to, from, label) do { \
+ siginfo_t __user *__ucs_to = to; \
+ const kernel_siginfo_t *__ucs_from = from; \
+ char __user *__ucs_expansion = si_expansion(__ucs_to); \
+ \
+ unsafe_copy_to_user(__ucs_to, __ucs_from, \
+ sizeof(struct kernel_siginfo), label); \
+ unsafe_clear_user(__ucs_expansion, SI_EXPANSION_SIZE, label); \
+} while (0)
+
enum siginfo_layout {
SIL_KILL,
SIL_TIMER,
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index c05e903cef02..37073caac474 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -398,6 +398,7 @@ long strnlen_user_nofault(const void __user *unsafe_addr, long count);
#define unsafe_put_user(x,p,e) unsafe_op_wrap(__put_user(x,p),e)
#define unsafe_copy_to_user(d,s,l,e) unsafe_op_wrap(__copy_to_user(d,s,l),e)
#define unsafe_copy_from_user(d,s,l,e) unsafe_op_wrap(__copy_from_user(d,s,l),e)
+#define unsafe_clear_user(d, l, e) unsafe_op_wrap(__clear_user(d, l), e)
static inline unsigned long user_access_save(void) { return 0UL; }
static inline void user_access_restore(unsigned long flags) { }
#endif
diff --git a/kernel/signal.c b/kernel/signal.c
index 952741f6d0f9..23f168730b7e 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3324,11 +3324,6 @@ enum siginfo_layout siginfo_layout(unsigned sig, int si_code)
return layout;
}
-static inline char __user *si_expansion(const siginfo_t __user *info)
-{
- return ((char __user *)info) + sizeof(struct kernel_siginfo);
-}
-
int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from)
{
char __user *expansion = si_expansion(to);
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 2/6] powerpc/signal: Include the new stack frame inside the user access block
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
In-Reply-To: <1718f38859d5366f82d5bef531f255cedf537b5d.1631537060.git.christophe.leroy@csgroup.eu>
Include the new stack frame inside the user access block and set it up
using unsafe_put_user().
On an mpc 8321 (book3s/32) the improvment is about 4% on a process
sending a signal to itself.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
arch/powerpc/kernel/signal_32.c | 29 +++++++++++++----------------
arch/powerpc/kernel/signal_64.c | 14 +++++++-------
2 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 0608581967f0..ff101e2b3bab 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -726,7 +726,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
struct rt_sigframe __user *frame;
struct mcontext __user *mctx;
struct mcontext __user *tm_mctx = NULL;
- unsigned long newsp = 0;
+ unsigned long __user *newsp;
unsigned long tramp;
struct pt_regs *regs = tsk->thread.regs;
/* Save the thread's msr before get_tm_stackpointer() changes it */
@@ -734,6 +734,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
/* Set up Signal Frame */
frame = get_sigframe(ksig, tsk, sizeof(*frame), 1);
+ newsp = (unsigned long __user *)((unsigned long)frame - (__SIGNAL_FRAMESIZE + 16));
mctx = &frame->uc.uc_mcontext;
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
tm_mctx = &frame->uc_transact.uc_mcontext;
@@ -743,7 +744,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
else
prepare_save_user_regs(1);
- if (!user_access_begin(frame, sizeof(*frame)))
+ if (!user_access_begin(newsp, __SIGNAL_FRAMESIZE + 16 + sizeof(*frame)))
goto badframe;
/* Put the siginfo & fill in most of the ucontext */
@@ -779,6 +780,9 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
}
unsafe_put_sigset_t(&frame->uc.uc_sigmask, oldset, failed);
+ /* create a stack frame for the caller of the handler */
+ unsafe_put_user(regs->gpr[1], newsp, failed);
+
user_access_end();
if (copy_siginfo_to_user(&frame->info, &ksig->info))
@@ -790,13 +794,8 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
tsk->thread.fp_state.fpscr = 0; /* turn off all fp exceptions */
#endif
- /* create a stack frame for the caller of the handler */
- newsp = ((unsigned long)frame) - (__SIGNAL_FRAMESIZE + 16);
- if (put_user(regs->gpr[1], (u32 __user *)newsp))
- goto badframe;
-
/* Fill registers for signal handler */
- regs->gpr[1] = newsp;
+ regs->gpr[1] = (unsigned long)newsp;
regs->gpr[3] = ksig->sig;
regs->gpr[4] = (unsigned long)&frame->info;
regs->gpr[5] = (unsigned long)&frame->uc;
@@ -826,7 +825,7 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
struct sigframe __user *frame;
struct mcontext __user *mctx;
struct mcontext __user *tm_mctx = NULL;
- unsigned long newsp = 0;
+ unsigned long __user *newsp;
unsigned long tramp;
struct pt_regs *regs = tsk->thread.regs;
/* Save the thread's msr before get_tm_stackpointer() changes it */
@@ -834,6 +833,7 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
/* Set up Signal Frame */
frame = get_sigframe(ksig, tsk, sizeof(*frame), 1);
+ newsp = (unsigned long __user *)((unsigned long)frame - __SIGNAL_FRAMESIZE);
mctx = &frame->mctx;
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
tm_mctx = &frame->mctx_transact;
@@ -843,7 +843,7 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
else
prepare_save_user_regs(1);
- if (!user_access_begin(frame, sizeof(*frame)))
+ if (!user_access_begin(newsp, __SIGNAL_FRAMESIZE + sizeof(*frame)))
goto badframe;
sc = (struct sigcontext __user *) &frame->sctx;
@@ -873,6 +873,8 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
unsafe_put_user(PPC_RAW_SC(), &mctx->mc_pad[1], failed);
asm("dcbst %y0; sync; icbi %y0; sync" :: "Z" (mctx->mc_pad[0]));
}
+ /* create a stack frame for the caller of the handler */
+ unsafe_put_user(regs->gpr[1], newsp, failed);
user_access_end();
regs->link = tramp;
@@ -881,12 +883,7 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
tsk->thread.fp_state.fpscr = 0; /* turn off all fp exceptions */
#endif
- /* create a stack frame for the caller of the handler */
- newsp = ((unsigned long)frame) - __SIGNAL_FRAMESIZE;
- if (put_user(regs->gpr[1], (u32 __user *)newsp))
- goto badframe;
-
- regs->gpr[1] = newsp;
+ regs->gpr[1] = (unsigned long)newsp;
regs->gpr[3] = ksig->sig;
regs->gpr[4] = (unsigned long) sc;
regs_set_return_ip(regs, (unsigned long) ksig->ka.sa.sa_handler);
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 7b1cd50bc4fb..d80ff83cacb9 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -847,13 +847,14 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
struct task_struct *tsk)
{
struct rt_sigframe __user *frame;
- unsigned long newsp = 0;
+ unsigned long __user *newsp;
long err = 0;
struct pt_regs *regs = tsk->thread.regs;
/* Save the thread's msr before get_tm_stackpointer() changes it */
unsigned long msr = regs->msr;
frame = get_sigframe(ksig, tsk, sizeof(*frame), 0);
+ newsp = (unsigned long __user *)((unsigned long)frame - __SIGNAL_FRAMESIZE);
/*
* This only applies when calling unsafe_setup_sigcontext() and must be
@@ -862,7 +863,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
if (!MSR_TM_ACTIVE(msr))
prepare_setup_sigcontext(tsk);
- if (!user_write_access_begin(frame, sizeof(*frame)))
+ if (!user_write_access_begin(newsp, __SIGNAL_FRAMESIZE + sizeof(*frame)))
goto badframe;
unsafe_put_user(&frame->info, &frame->pinfo, badframe_block);
@@ -900,6 +901,9 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
}
unsafe_copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set), badframe_block);
+ /* Allocate a dummy caller frame for the signal handler. */
+ unsafe_put_user(regs->gpr[1], newsp, badframe_block);
+
user_write_access_end();
/* Save the siginfo outside of the unsafe block. */
@@ -919,10 +923,6 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
regs_set_return_ip(regs, (unsigned long) &frame->tramp[0]);
}
- /* Allocate a dummy caller frame for the signal handler. */
- newsp = ((unsigned long)frame) - __SIGNAL_FRAMESIZE;
- err |= put_user(regs->gpr[1], (unsigned long __user *)newsp);
-
/* Set up "regs" so we "return" to the signal handler. */
if (is_elf2_task()) {
regs->ctr = (unsigned long) ksig->ka.sa.sa_handler;
@@ -947,7 +947,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
/* enter the signal handler in native-endian mode */
regs_set_return_msr(regs, (regs->msr & ~MSR_LE) | (MSR_KERNEL & MSR_LE));
- regs->gpr[1] = newsp;
+ regs->gpr[1] = (unsigned long)newsp;
regs->gpr[3] = ksig->sig;
regs->result = 0;
if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 6/6] powerpc/signal: Use unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
In-Reply-To: <1718f38859d5366f82d5bef531f255cedf537b5d.1631537060.git.christophe.leroy@csgroup.eu>
Use unsafe_copy_siginfo_to_user() in order to do the copy
within the user access block.
On an mpc 8321 (book3s/32) the improvment is about 5% on a process
sending a signal to itself.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
v3: Don't leave compat aside, use the new unsafe_copy_siginfo_to_user32()
---
arch/powerpc/kernel/signal_32.c | 8 +++-----
arch/powerpc/kernel/signal_64.c | 5 +----
2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index ff101e2b3bab..3a2db8af2d65 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -710,9 +710,9 @@ static long restore_tm_user_regs(struct pt_regs *regs, struct mcontext __user *s
}
#endif
-#ifdef CONFIG_PPC64
+#ifndef CONFIG_PPC64
-#define copy_siginfo_to_user copy_siginfo_to_user32
+#define unsafe_copy_siginfo_to_user32 unsafe_copy_siginfo_to_user
#endif /* CONFIG_PPC64 */
@@ -779,15 +779,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
asm("dcbst %y0; sync; icbi %y0; sync" :: "Z" (mctx->mc_pad[0]));
}
unsafe_put_sigset_t(&frame->uc.uc_sigmask, oldset, failed);
+ unsafe_copy_siginfo_to_user32(&frame->info, &ksig->info, failed);
/* create a stack frame for the caller of the handler */
unsafe_put_user(regs->gpr[1], newsp, failed);
user_access_end();
- if (copy_siginfo_to_user(&frame->info, &ksig->info))
- goto badframe;
-
regs->link = tramp;
#ifdef CONFIG_PPC_FPU_REGS
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index d80ff83cacb9..56c0c74aa28c 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -901,15 +901,12 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
}
unsafe_copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set), badframe_block);
+ unsafe_copy_siginfo_to_user(&frame->info, &ksig->info, badframe_block);
/* Allocate a dummy caller frame for the signal handler. */
unsafe_put_user(regs->gpr[1], newsp, badframe_block);
user_write_access_end();
- /* Save the siginfo outside of the unsafe block. */
- if (copy_siginfo_to_user(&frame->info, &ksig->info))
- goto badframe;
-
/* Make sure signal handler doesn't get spurious FP exceptions */
tsk->thread.fp_state.fpscr = 0;
--
2.31.1
^ permalink raw reply related
* [PATCH RESEND v3 4/6] signal: Add unsafe_copy_siginfo_to_user32()
From: Christophe Leroy @ 2021-09-13 15:19 UTC (permalink / raw)
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
ebiederm, hch
Cc: linuxppc-dev, linux-kernel
In-Reply-To: <1718f38859d5366f82d5bef531f255cedf537b5d.1631537060.git.christophe.leroy@csgroup.eu>
In the same spirit as commit fb05121fd6a2 ("signal: Add
unsafe_get_compat_sigset()"), implement an 'unsafe' version of
copy_siginfo_to_user32() in order to use it within user access blocks.
To do so, we need inline version of copy_siginfo_to_external32() as we
don't want any function call inside user access blocks.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
include/linux/compat.h | 83 +++++++++++++++++++++++++++++-
include/linux/signal.h | 58 +++++++++++++++++++++
kernel/signal.c | 114 +----------------------------------------
3 files changed, 141 insertions(+), 114 deletions(-)
diff --git a/include/linux/compat.h b/include/linux/compat.h
index 8e0598c7d1d1..68823f4b86ee 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -412,6 +412,19 @@ int __copy_siginfo_to_user32(struct compat_siginfo __user *to,
#ifndef copy_siginfo_to_user32
#define copy_siginfo_to_user32 __copy_siginfo_to_user32
#endif
+
+#ifdef CONFIG_COMPAT
+#define unsafe_copy_siginfo_to_user32(to, from, label) do { \
+ struct compat_siginfo __user *__ucs_to = to; \
+ const struct kernel_siginfo *__ucs_from = from; \
+ struct compat_siginfo __ucs_new = {0}; \
+ \
+ __copy_siginfo_to_external32(&__ucs_new, __ucs_from); \
+ unsafe_copy_to_user(__ucs_to, &__ucs_new, \
+ sizeof(struct compat_siginfo), label); \
+} while (0)
+#endif
+
int get_compat_sigevent(struct sigevent *event,
const struct compat_sigevent __user *u_event);
@@ -992,15 +1005,81 @@ static inline bool in_compat_syscall(void) { return false; }
* appropriately converted them already.
*/
#ifndef compat_ptr
-static inline void __user *compat_ptr(compat_uptr_t uptr)
+static __always_inline void __user *compat_ptr(compat_uptr_t uptr)
{
return (void __user *)(unsigned long)uptr;
}
#endif
-static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+static __always_inline compat_uptr_t ptr_to_compat(void __user *uptr)
{
return (u32)(unsigned long)uptr;
}
+static __always_inline void
+__copy_siginfo_to_external32(struct compat_siginfo *to,
+ const struct kernel_siginfo *from)
+{
+ to->si_signo = from->si_signo;
+ to->si_errno = from->si_errno;
+ to->si_code = from->si_code;
+ switch(__siginfo_layout(from->si_signo, from->si_code)) {
+ case SIL_KILL:
+ to->si_pid = from->si_pid;
+ to->si_uid = from->si_uid;
+ break;
+ case SIL_TIMER:
+ to->si_tid = from->si_tid;
+ to->si_overrun = from->si_overrun;
+ to->si_int = from->si_int;
+ break;
+ case SIL_POLL:
+ to->si_band = from->si_band;
+ to->si_fd = from->si_fd;
+ break;
+ case SIL_FAULT:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ break;
+ case SIL_FAULT_TRAPNO:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ to->si_trapno = from->si_trapno;
+ break;
+ case SIL_FAULT_MCEERR:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ to->si_addr_lsb = from->si_addr_lsb;
+ break;
+ case SIL_FAULT_BNDERR:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ to->si_lower = ptr_to_compat(from->si_lower);
+ to->si_upper = ptr_to_compat(from->si_upper);
+ break;
+ case SIL_FAULT_PKUERR:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ to->si_pkey = from->si_pkey;
+ break;
+ case SIL_FAULT_PERF_EVENT:
+ to->si_addr = ptr_to_compat(from->si_addr);
+ to->si_perf_data = from->si_perf_data;
+ to->si_perf_type = from->si_perf_type;
+ break;
+ case SIL_CHLD:
+ to->si_pid = from->si_pid;
+ to->si_uid = from->si_uid;
+ to->si_status = from->si_status;
+ to->si_utime = from->si_utime;
+ to->si_stime = from->si_stime;
+ break;
+ case SIL_RT:
+ to->si_pid = from->si_pid;
+ to->si_uid = from->si_uid;
+ to->si_int = from->si_int;
+ break;
+ case SIL_SYS:
+ to->si_call_addr = ptr_to_compat(from->si_call_addr);
+ to->si_syscall = from->si_syscall;
+ to->si_arch = from->si_arch;
+ break;
+ }
+}
+
#endif /* _LINUX_COMPAT_H */
diff --git a/include/linux/signal.h b/include/linux/signal.h
index 70ea7e741427..637260bc193d 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -65,6 +65,64 @@ enum siginfo_layout {
SIL_SYS,
};
+static const struct {
+ unsigned char limit, layout;
+} sig_sicodes[] = {
+ [SIGILL] = { NSIGILL, SIL_FAULT },
+ [SIGFPE] = { NSIGFPE, SIL_FAULT },
+ [SIGSEGV] = { NSIGSEGV, SIL_FAULT },
+ [SIGBUS] = { NSIGBUS, SIL_FAULT },
+ [SIGTRAP] = { NSIGTRAP, SIL_FAULT },
+#if defined(SIGEMT)
+ [SIGEMT] = { NSIGEMT, SIL_FAULT },
+#endif
+ [SIGCHLD] = { NSIGCHLD, SIL_CHLD },
+ [SIGPOLL] = { NSIGPOLL, SIL_POLL },
+ [SIGSYS] = { NSIGSYS, SIL_SYS },
+};
+
+static __always_inline enum
+siginfo_layout __siginfo_layout(unsigned sig, int si_code)
+{
+ enum siginfo_layout layout = SIL_KILL;
+
+ if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
+ if ((sig < ARRAY_SIZE(sig_sicodes)) &&
+ (si_code <= sig_sicodes[sig].limit)) {
+ layout = sig_sicodes[sig].layout;
+ /* Handle the exceptions */
+ if ((sig == SIGBUS) &&
+ (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))
+ layout = SIL_FAULT_MCEERR;
+ else if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))
+ layout = SIL_FAULT_BNDERR;
+#ifdef SEGV_PKUERR
+ else if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))
+ layout = SIL_FAULT_PKUERR;
+#endif
+ else if ((sig == SIGTRAP) && (si_code == TRAP_PERF))
+ layout = SIL_FAULT_PERF_EVENT;
+ else if (IS_ENABLED(CONFIG_SPARC) &&
+ (sig == SIGILL) && (si_code == ILL_ILLTRP))
+ layout = SIL_FAULT_TRAPNO;
+ else if (IS_ENABLED(CONFIG_ALPHA) &&
+ ((sig == SIGFPE) ||
+ ((sig == SIGTRAP) && (si_code == TRAP_UNK))))
+ layout = SIL_FAULT_TRAPNO;
+ }
+ else if (si_code <= NSIGPOLL)
+ layout = SIL_POLL;
+ } else {
+ if (si_code == SI_TIMER)
+ layout = SIL_TIMER;
+ else if (si_code == SI_SIGIO)
+ layout = SIL_POLL;
+ else if (si_code < 0)
+ layout = SIL_RT;
+ }
+ return layout;
+}
+
enum siginfo_layout siginfo_layout(unsigned sig, int si_code);
/*
diff --git a/kernel/signal.c b/kernel/signal.c
index 23f168730b7e..0d402bdb174e 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3249,22 +3249,6 @@ COMPAT_SYSCALL_DEFINE2(rt_sigpending, compat_sigset_t __user *, uset,
}
#endif
-static const struct {
- unsigned char limit, layout;
-} sig_sicodes[] = {
- [SIGILL] = { NSIGILL, SIL_FAULT },
- [SIGFPE] = { NSIGFPE, SIL_FAULT },
- [SIGSEGV] = { NSIGSEGV, SIL_FAULT },
- [SIGBUS] = { NSIGBUS, SIL_FAULT },
- [SIGTRAP] = { NSIGTRAP, SIL_FAULT },
-#if defined(SIGEMT)
- [SIGEMT] = { NSIGEMT, SIL_FAULT },
-#endif
- [SIGCHLD] = { NSIGCHLD, SIL_CHLD },
- [SIGPOLL] = { NSIGPOLL, SIL_POLL },
- [SIGSYS] = { NSIGSYS, SIL_SYS },
-};
-
static bool known_siginfo_layout(unsigned sig, int si_code)
{
if (si_code == SI_KERNEL)
@@ -3286,42 +3270,7 @@ static bool known_siginfo_layout(unsigned sig, int si_code)
enum siginfo_layout siginfo_layout(unsigned sig, int si_code)
{
- enum siginfo_layout layout = SIL_KILL;
- if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
- if ((sig < ARRAY_SIZE(sig_sicodes)) &&
- (si_code <= sig_sicodes[sig].limit)) {
- layout = sig_sicodes[sig].layout;
- /* Handle the exceptions */
- if ((sig == SIGBUS) &&
- (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))
- layout = SIL_FAULT_MCEERR;
- else if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))
- layout = SIL_FAULT_BNDERR;
-#ifdef SEGV_PKUERR
- else if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))
- layout = SIL_FAULT_PKUERR;
-#endif
- else if ((sig == SIGTRAP) && (si_code == TRAP_PERF))
- layout = SIL_FAULT_PERF_EVENT;
- else if (IS_ENABLED(CONFIG_SPARC) &&
- (sig == SIGILL) && (si_code == ILL_ILLTRP))
- layout = SIL_FAULT_TRAPNO;
- else if (IS_ENABLED(CONFIG_ALPHA) &&
- ((sig == SIGFPE) ||
- ((sig == SIGTRAP) && (si_code == TRAP_UNK))))
- layout = SIL_FAULT_TRAPNO;
- }
- else if (si_code <= NSIGPOLL)
- layout = SIL_POLL;
- } else {
- if (si_code == SI_TIMER)
- layout = SIL_TIMER;
- else if (si_code == SI_SIGIO)
- layout = SIL_POLL;
- else if (si_code < 0)
- layout = SIL_RT;
- }
- return layout;
+ return __siginfo_layout(sig, si_code);
}
int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from)
@@ -3389,66 +3338,7 @@ void copy_siginfo_to_external32(struct compat_siginfo *to,
{
memset(to, 0, sizeof(*to));
- to->si_signo = from->si_signo;
- to->si_errno = from->si_errno;
- to->si_code = from->si_code;
- switch(siginfo_layout(from->si_signo, from->si_code)) {
- case SIL_KILL:
- to->si_pid = from->si_pid;
- to->si_uid = from->si_uid;
- break;
- case SIL_TIMER:
- to->si_tid = from->si_tid;
- to->si_overrun = from->si_overrun;
- to->si_int = from->si_int;
- break;
- case SIL_POLL:
- to->si_band = from->si_band;
- to->si_fd = from->si_fd;
- break;
- case SIL_FAULT:
- to->si_addr = ptr_to_compat(from->si_addr);
- break;
- case SIL_FAULT_TRAPNO:
- to->si_addr = ptr_to_compat(from->si_addr);
- to->si_trapno = from->si_trapno;
- break;
- case SIL_FAULT_MCEERR:
- to->si_addr = ptr_to_compat(from->si_addr);
- to->si_addr_lsb = from->si_addr_lsb;
- break;
- case SIL_FAULT_BNDERR:
- to->si_addr = ptr_to_compat(from->si_addr);
- to->si_lower = ptr_to_compat(from->si_lower);
- to->si_upper = ptr_to_compat(from->si_upper);
- break;
- case SIL_FAULT_PKUERR:
- to->si_addr = ptr_to_compat(from->si_addr);
- to->si_pkey = from->si_pkey;
- break;
- case SIL_FAULT_PERF_EVENT:
- to->si_addr = ptr_to_compat(from->si_addr);
- to->si_perf_data = from->si_perf_data;
- to->si_perf_type = from->si_perf_type;
- break;
- case SIL_CHLD:
- to->si_pid = from->si_pid;
- to->si_uid = from->si_uid;
- to->si_status = from->si_status;
- to->si_utime = from->si_utime;
- to->si_stime = from->si_stime;
- break;
- case SIL_RT:
- to->si_pid = from->si_pid;
- to->si_uid = from->si_uid;
- to->si_int = from->si_int;
- break;
- case SIL_SYS:
- to->si_call_addr = ptr_to_compat(from->si_call_addr);
- to->si_syscall = from->si_syscall;
- to->si_arch = from->si_arch;
- break;
- }
+ __copy_siginfo_to_external32(to, from);
}
int __copy_siginfo_to_user32(struct compat_siginfo __user *to,
--
2.31.1
^ permalink raw reply related
* [PATCH] pci: Rename pcibios_add_device to match
From: Oliver O'Halloran @ 2021-09-13 15:27 UTC (permalink / raw)
To: Michal Simek, Michael Ellerman, Benjamin Herrenschmidt,
Paul Mackerras, Niklas Schnelle, Gerald Schaefer, Heiko Carstens,
Vasily Gorbik, Christian Borntraeger, David S. Miller,
Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86,
H. Peter Anvin
Cc: linux-s390, linux-pci, linux-kernel, Oliver O'Halloran,
sparclinux, linuxppc-dev
The general convention for pcibios_* hooks is that they're named after
the corresponding pci_* function they provide a hook for. The exception
is pcibios_add_device() which provides a hook for pci_device_add(). This
has been irritating me for years so rename it.
Also, remove the export of the microblaze version. The only caller
must be compiled as a built-in so there's no reason for the export.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
arch/microblaze/pci/pci-common.c | 3 +--
arch/powerpc/kernel/pci-common.c | 2 +-
arch/powerpc/platforms/powernv/pci-sriov.c | 2 +-
arch/s390/pci/pci.c | 2 +-
arch/sparc/kernel/pci.c | 2 +-
arch/x86/pci/common.c | 2 +-
drivers/pci/pci.c | 4 ++--
drivers/pci/probe.c | 4 ++--
include/linux/pci.h | 2 +-
9 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/arch/microblaze/pci/pci-common.c b/arch/microblaze/pci/pci-common.c
index 557585f1be41..622a4867f9e9 100644
--- a/arch/microblaze/pci/pci-common.c
+++ b/arch/microblaze/pci/pci-common.c
@@ -587,13 +587,12 @@ static void pcibios_fixup_resources(struct pci_dev *dev)
}
DECLARE_PCI_FIXUP_HEADER(PCI_ANY_ID, PCI_ANY_ID, pcibios_fixup_resources);
-int pcibios_add_device(struct pci_dev *dev)
+int pcibios_device_add(struct pci_dev *dev)
{
dev->irq = of_irq_parse_and_map_pci(dev, 0, 0);
return 0;
}
-EXPORT_SYMBOL(pcibios_add_device);
/*
* Reparent resource children of pr that conflict with res
diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c
index c3573430919d..6749905932f4 100644
--- a/arch/powerpc/kernel/pci-common.c
+++ b/arch/powerpc/kernel/pci-common.c
@@ -1059,7 +1059,7 @@ void pcibios_bus_add_device(struct pci_dev *dev)
ppc_md.pcibios_bus_add_device(dev);
}
-int pcibios_add_device(struct pci_dev *dev)
+int pcibios_device_add(struct pci_dev *dev)
{
struct irq_domain *d;
diff --git a/arch/powerpc/platforms/powernv/pci-sriov.c b/arch/powerpc/platforms/powernv/pci-sriov.c
index 28aac933a439..486c2937b159 100644
--- a/arch/powerpc/platforms/powernv/pci-sriov.c
+++ b/arch/powerpc/platforms/powernv/pci-sriov.c
@@ -54,7 +54,7 @@
* to "new_size", calculated above. Implementing this is a convoluted process
* which requires several hooks in the PCI core:
*
- * 1. In pcibios_add_device() we call pnv_pci_ioda_fixup_iov().
+ * 1. In pcibios_device_add() we call pnv_pci_ioda_fixup_iov().
*
* At this point the device has been probed and the device's BARs are sized,
* but no resource allocations have been done. The SR-IOV BARs are sized
diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
index e7e6788d75a8..ded3321b7208 100644
--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@ -561,7 +561,7 @@ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)
zdev->has_resources = 0;
}
-int pcibios_add_device(struct pci_dev *pdev)
+int pcibios_device_add(struct pci_dev *pdev)
{
struct zpci_dev *zdev = to_zpci(pdev);
struct resource *res;
diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c
index 9c2b720bfd20..31b0c1983286 100644
--- a/arch/sparc/kernel/pci.c
+++ b/arch/sparc/kernel/pci.c
@@ -1010,7 +1010,7 @@ void pcibios_set_master(struct pci_dev *dev)
}
#ifdef CONFIG_PCI_IOV
-int pcibios_add_device(struct pci_dev *dev)
+int pcibios_device_add(struct pci_dev *dev)
{
struct pci_dev *pdev;
diff --git a/arch/x86/pci/common.c b/arch/x86/pci/common.c
index 3507f456fcd0..9e1e6b8d8876 100644
--- a/arch/x86/pci/common.c
+++ b/arch/x86/pci/common.c
@@ -632,7 +632,7 @@ static void set_dev_domain_options(struct pci_dev *pdev)
pdev->hotplug_user_indicators = 1;
}
-int pcibios_add_device(struct pci_dev *dev)
+int pcibios_device_add(struct pci_dev *dev)
{
struct pci_setup_rom *rom;
struct irq_domain *msidom;
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index ce2ab62b64cf..c63598c1cdd8 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2091,14 +2091,14 @@ void pcim_pin_device(struct pci_dev *pdev)
EXPORT_SYMBOL(pcim_pin_device);
/*
- * pcibios_add_device - provide arch specific hooks when adding device dev
+ * pcibios_device_add - provide arch specific hooks when adding device dev
* @dev: the PCI device being added
*
* Permits the platform to provide architecture specific functionality when
* devices are added. This is the default implementation. Architecture
* implementations can override this.
*/
-int __weak pcibios_add_device(struct pci_dev *dev)
+int __weak pcibios_device_add(struct pci_dev *dev)
{
return 0;
}
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index d9fc02a71baa..2ba43b6adf31 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -2450,7 +2450,7 @@ static struct irq_domain *pci_dev_msi_domain(struct pci_dev *dev)
struct irq_domain *d;
/*
- * If a domain has been set through the pcibios_add_device()
+ * If a domain has been set through the pcibios_device_add()
* callback, then this is the one (platform code knows best).
*/
d = dev_get_msi_domain(&dev->dev);
@@ -2518,7 +2518,7 @@ void pci_device_add(struct pci_dev *dev, struct pci_bus *bus)
list_add_tail(&dev->bus_list, &bus->devices);
up_write(&pci_bus_sem);
- ret = pcibios_add_device(dev);
+ ret = pcibios_device_add(dev);
WARN_ON(ret < 0);
/* Set up MSI IRQ domain */
diff --git a/include/linux/pci.h b/include/linux/pci.h
index cd8aa6fce204..7e0ce3a4d5a1 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -2126,7 +2126,7 @@ void pcibios_disable_device(struct pci_dev *dev);
void pcibios_set_master(struct pci_dev *dev);
int pcibios_set_pcie_reset_state(struct pci_dev *dev,
enum pcie_reset_state state);
-int pcibios_add_device(struct pci_dev *dev);
+int pcibios_device_add(struct pci_dev *dev);
void pcibios_release_device(struct pci_dev *dev);
#ifdef CONFIG_PCI
void pcibios_penalize_isa_irq(int irq, int active);
--
2.31.1
^ permalink raw reply related
* Re: [PATCH RESEND v3 4/6] signal: Add unsafe_copy_siginfo_to_user32()
From: Eric W. Biederman @ 2021-09-13 15:54 UTC (permalink / raw)
To: Christophe Leroy; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <e1b94e52688cd99ed4a3ab86170cd9ec48849291.1631537060.git.christophe.leroy@csgroup.eu>
Christophe Leroy <christophe.leroy@csgroup.eu> writes:
> In the same spirit as commit fb05121fd6a2 ("signal: Add
> unsafe_get_compat_sigset()"), implement an 'unsafe' version of
> copy_siginfo_to_user32() in order to use it within user access blocks.
>
> To do so, we need inline version of copy_siginfo_to_external32() as we
> don't want any function call inside user access blocks.
I don't understand. What is wrong with?
#define unsafe_copy_siginfo_to_user32(to, from, label) do { \
struct compat_siginfo __user *__ucs_to = to; \
const struct kernel_siginfo *__ucs_from = from; \
struct compat_siginfo __ucs_new; \
\
copy_siginfo_to_external32(&__ucs_new, __ucs_from); \
unsafe_copy_to_user(__ucs_to, &__ucs_new, \
sizeof(struct compat_siginfo), label); \
} while (0)
Your replacement of "memset(to, 0, sizeof(*to))" with
"struct compat_siginfo __ucs_new = {0}". is actively unsafe as the
compiler is free not to initialize any holes in the structure to 0 in
the later case.
Is there something about the unsafe macros that I am not aware of that
makes it improper to actually call C functions? Is that a requirement
for the instructions that change the user space access behavior?
From the looks of this change all that you are doing is making it so
that all of copy_siginfo_to_external32 is being inlined. If that is not
a hard requirement of the instructions it seems like the wrong thing to
do here. copy_siginfo_to_external32 has not failures so it does not need
to be inlined so you can jump to the label.
Eric
>
> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> ---
> include/linux/compat.h | 83 +++++++++++++++++++++++++++++-
> include/linux/signal.h | 58 +++++++++++++++++++++
> kernel/signal.c | 114 +----------------------------------------
> 3 files changed, 141 insertions(+), 114 deletions(-)
>
> diff --git a/include/linux/compat.h b/include/linux/compat.h
> index 8e0598c7d1d1..68823f4b86ee 100644
> --- a/include/linux/compat.h
> +++ b/include/linux/compat.h
> @@ -412,6 +412,19 @@ int __copy_siginfo_to_user32(struct compat_siginfo __user *to,
> #ifndef copy_siginfo_to_user32
> #define copy_siginfo_to_user32 __copy_siginfo_to_user32
> #endif
> +
> +#ifdef CONFIG_COMPAT
> +#define unsafe_copy_siginfo_to_user32(to, from, label) do { \
> + struct compat_siginfo __user *__ucs_to = to; \
> + const struct kernel_siginfo *__ucs_from = from; \
> + struct compat_siginfo __ucs_new = {0}; \
> + \
> + __copy_siginfo_to_external32(&__ucs_new, __ucs_from); \
> + unsafe_copy_to_user(__ucs_to, &__ucs_new, \
> + sizeof(struct compat_siginfo), label); \
> +} while (0)
> +#endif
> +
> int get_compat_sigevent(struct sigevent *event,
> const struct compat_sigevent __user *u_event);
>
> @@ -992,15 +1005,81 @@ static inline bool in_compat_syscall(void) { return false; }
> * appropriately converted them already.
> */
> #ifndef compat_ptr
> -static inline void __user *compat_ptr(compat_uptr_t uptr)
> +static __always_inline void __user *compat_ptr(compat_uptr_t uptr)
> {
> return (void __user *)(unsigned long)uptr;
> }
> #endif
>
> -static inline compat_uptr_t ptr_to_compat(void __user *uptr)
> +static __always_inline compat_uptr_t ptr_to_compat(void __user *uptr)
> {
> return (u32)(unsigned long)uptr;
> }
>
> +static __always_inline void
> +__copy_siginfo_to_external32(struct compat_siginfo *to,
> + const struct kernel_siginfo *from)
> +{
> + to->si_signo = from->si_signo;
> + to->si_errno = from->si_errno;
> + to->si_code = from->si_code;
> + switch(__siginfo_layout(from->si_signo, from->si_code)) {
> + case SIL_KILL:
> + to->si_pid = from->si_pid;
> + to->si_uid = from->si_uid;
> + break;
> + case SIL_TIMER:
> + to->si_tid = from->si_tid;
> + to->si_overrun = from->si_overrun;
> + to->si_int = from->si_int;
> + break;
> + case SIL_POLL:
> + to->si_band = from->si_band;
> + to->si_fd = from->si_fd;
> + break;
> + case SIL_FAULT:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + break;
> + case SIL_FAULT_TRAPNO:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + to->si_trapno = from->si_trapno;
> + break;
> + case SIL_FAULT_MCEERR:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + to->si_addr_lsb = from->si_addr_lsb;
> + break;
> + case SIL_FAULT_BNDERR:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + to->si_lower = ptr_to_compat(from->si_lower);
> + to->si_upper = ptr_to_compat(from->si_upper);
> + break;
> + case SIL_FAULT_PKUERR:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + to->si_pkey = from->si_pkey;
> + break;
> + case SIL_FAULT_PERF_EVENT:
> + to->si_addr = ptr_to_compat(from->si_addr);
> + to->si_perf_data = from->si_perf_data;
> + to->si_perf_type = from->si_perf_type;
> + break;
> + case SIL_CHLD:
> + to->si_pid = from->si_pid;
> + to->si_uid = from->si_uid;
> + to->si_status = from->si_status;
> + to->si_utime = from->si_utime;
> + to->si_stime = from->si_stime;
> + break;
> + case SIL_RT:
> + to->si_pid = from->si_pid;
> + to->si_uid = from->si_uid;
> + to->si_int = from->si_int;
> + break;
> + case SIL_SYS:
> + to->si_call_addr = ptr_to_compat(from->si_call_addr);
> + to->si_syscall = from->si_syscall;
> + to->si_arch = from->si_arch;
> + break;
> + }
> +}
> +
> #endif /* _LINUX_COMPAT_H */
> diff --git a/include/linux/signal.h b/include/linux/signal.h
> index 70ea7e741427..637260bc193d 100644
> --- a/include/linux/signal.h
> +++ b/include/linux/signal.h
> @@ -65,6 +65,64 @@ enum siginfo_layout {
> SIL_SYS,
> };
>
> +static const struct {
> + unsigned char limit, layout;
> +} sig_sicodes[] = {
> + [SIGILL] = { NSIGILL, SIL_FAULT },
> + [SIGFPE] = { NSIGFPE, SIL_FAULT },
> + [SIGSEGV] = { NSIGSEGV, SIL_FAULT },
> + [SIGBUS] = { NSIGBUS, SIL_FAULT },
> + [SIGTRAP] = { NSIGTRAP, SIL_FAULT },
> +#if defined(SIGEMT)
> + [SIGEMT] = { NSIGEMT, SIL_FAULT },
> +#endif
> + [SIGCHLD] = { NSIGCHLD, SIL_CHLD },
> + [SIGPOLL] = { NSIGPOLL, SIL_POLL },
> + [SIGSYS] = { NSIGSYS, SIL_SYS },
> +};
> +
> +static __always_inline enum
> +siginfo_layout __siginfo_layout(unsigned sig, int si_code)
> +{
> + enum siginfo_layout layout = SIL_KILL;
> +
> + if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
> + if ((sig < ARRAY_SIZE(sig_sicodes)) &&
> + (si_code <= sig_sicodes[sig].limit)) {
> + layout = sig_sicodes[sig].layout;
> + /* Handle the exceptions */
> + if ((sig == SIGBUS) &&
> + (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))
> + layout = SIL_FAULT_MCEERR;
> + else if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))
> + layout = SIL_FAULT_BNDERR;
> +#ifdef SEGV_PKUERR
> + else if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))
> + layout = SIL_FAULT_PKUERR;
> +#endif
> + else if ((sig == SIGTRAP) && (si_code == TRAP_PERF))
> + layout = SIL_FAULT_PERF_EVENT;
> + else if (IS_ENABLED(CONFIG_SPARC) &&
> + (sig == SIGILL) && (si_code == ILL_ILLTRP))
> + layout = SIL_FAULT_TRAPNO;
> + else if (IS_ENABLED(CONFIG_ALPHA) &&
> + ((sig == SIGFPE) ||
> + ((sig == SIGTRAP) && (si_code == TRAP_UNK))))
> + layout = SIL_FAULT_TRAPNO;
> + }
> + else if (si_code <= NSIGPOLL)
> + layout = SIL_POLL;
> + } else {
> + if (si_code == SI_TIMER)
> + layout = SIL_TIMER;
> + else if (si_code == SI_SIGIO)
> + layout = SIL_POLL;
> + else if (si_code < 0)
> + layout = SIL_RT;
> + }
> + return layout;
> +}
> +
> enum siginfo_layout siginfo_layout(unsigned sig, int si_code);
>
> /*
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 23f168730b7e..0d402bdb174e 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -3249,22 +3249,6 @@ COMPAT_SYSCALL_DEFINE2(rt_sigpending, compat_sigset_t __user *, uset,
> }
> #endif
>
> -static const struct {
> - unsigned char limit, layout;
> -} sig_sicodes[] = {
> - [SIGILL] = { NSIGILL, SIL_FAULT },
> - [SIGFPE] = { NSIGFPE, SIL_FAULT },
> - [SIGSEGV] = { NSIGSEGV, SIL_FAULT },
> - [SIGBUS] = { NSIGBUS, SIL_FAULT },
> - [SIGTRAP] = { NSIGTRAP, SIL_FAULT },
> -#if defined(SIGEMT)
> - [SIGEMT] = { NSIGEMT, SIL_FAULT },
> -#endif
> - [SIGCHLD] = { NSIGCHLD, SIL_CHLD },
> - [SIGPOLL] = { NSIGPOLL, SIL_POLL },
> - [SIGSYS] = { NSIGSYS, SIL_SYS },
> -};
> -
> static bool known_siginfo_layout(unsigned sig, int si_code)
> {
> if (si_code == SI_KERNEL)
> @@ -3286,42 +3270,7 @@ static bool known_siginfo_layout(unsigned sig, int si_code)
>
> enum siginfo_layout siginfo_layout(unsigned sig, int si_code)
> {
> - enum siginfo_layout layout = SIL_KILL;
> - if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
> - if ((sig < ARRAY_SIZE(sig_sicodes)) &&
> - (si_code <= sig_sicodes[sig].limit)) {
> - layout = sig_sicodes[sig].layout;
> - /* Handle the exceptions */
> - if ((sig == SIGBUS) &&
> - (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))
> - layout = SIL_FAULT_MCEERR;
> - else if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))
> - layout = SIL_FAULT_BNDERR;
> -#ifdef SEGV_PKUERR
> - else if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))
> - layout = SIL_FAULT_PKUERR;
> -#endif
> - else if ((sig == SIGTRAP) && (si_code == TRAP_PERF))
> - layout = SIL_FAULT_PERF_EVENT;
> - else if (IS_ENABLED(CONFIG_SPARC) &&
> - (sig == SIGILL) && (si_code == ILL_ILLTRP))
> - layout = SIL_FAULT_TRAPNO;
> - else if (IS_ENABLED(CONFIG_ALPHA) &&
> - ((sig == SIGFPE) ||
> - ((sig == SIGTRAP) && (si_code == TRAP_UNK))))
> - layout = SIL_FAULT_TRAPNO;
> - }
> - else if (si_code <= NSIGPOLL)
> - layout = SIL_POLL;
> - } else {
> - if (si_code == SI_TIMER)
> - layout = SIL_TIMER;
> - else if (si_code == SI_SIGIO)
> - layout = SIL_POLL;
> - else if (si_code < 0)
> - layout = SIL_RT;
> - }
> - return layout;
> + return __siginfo_layout(sig, si_code);
> }
>
> int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from)
> @@ -3389,66 +3338,7 @@ void copy_siginfo_to_external32(struct compat_siginfo *to,
> {
> memset(to, 0, sizeof(*to));
>
> - to->si_signo = from->si_signo;
> - to->si_errno = from->si_errno;
> - to->si_code = from->si_code;
> - switch(siginfo_layout(from->si_signo, from->si_code)) {
> - case SIL_KILL:
> - to->si_pid = from->si_pid;
> - to->si_uid = from->si_uid;
> - break;
> - case SIL_TIMER:
> - to->si_tid = from->si_tid;
> - to->si_overrun = from->si_overrun;
> - to->si_int = from->si_int;
> - break;
> - case SIL_POLL:
> - to->si_band = from->si_band;
> - to->si_fd = from->si_fd;
> - break;
> - case SIL_FAULT:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - break;
> - case SIL_FAULT_TRAPNO:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - to->si_trapno = from->si_trapno;
> - break;
> - case SIL_FAULT_MCEERR:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - to->si_addr_lsb = from->si_addr_lsb;
> - break;
> - case SIL_FAULT_BNDERR:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - to->si_lower = ptr_to_compat(from->si_lower);
> - to->si_upper = ptr_to_compat(from->si_upper);
> - break;
> - case SIL_FAULT_PKUERR:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - to->si_pkey = from->si_pkey;
> - break;
> - case SIL_FAULT_PERF_EVENT:
> - to->si_addr = ptr_to_compat(from->si_addr);
> - to->si_perf_data = from->si_perf_data;
> - to->si_perf_type = from->si_perf_type;
> - break;
> - case SIL_CHLD:
> - to->si_pid = from->si_pid;
> - to->si_uid = from->si_uid;
> - to->si_status = from->si_status;
> - to->si_utime = from->si_utime;
> - to->si_stime = from->si_stime;
> - break;
> - case SIL_RT:
> - to->si_pid = from->si_pid;
> - to->si_uid = from->si_uid;
> - to->si_int = from->si_int;
> - break;
> - case SIL_SYS:
> - to->si_call_addr = ptr_to_compat(from->si_call_addr);
> - to->si_syscall = from->si_syscall;
> - to->si_arch = from->si_arch;
> - break;
> - }
> + __copy_siginfo_to_external32(to, from);
> }
>
> int __copy_siginfo_to_user32(struct compat_siginfo __user *to,
^ permalink raw reply
* Re: [PATCH RESEND v3 6/6] powerpc/signal: Use unsafe_copy_siginfo_to_user()
From: Eric W. Biederman @ 2021-09-13 15:57 UTC (permalink / raw)
To: Christophe Leroy; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <2b179deba4fd4ec0868cdc48a0230dfa3aa5a22f.1631537060.git.christophe.leroy@csgroup.eu>
Christophe Leroy <christophe.leroy@csgroup.eu> writes:
> Use unsafe_copy_siginfo_to_user() in order to do the copy
> within the user access block.
>
> On an mpc 8321 (book3s/32) the improvment is about 5% on a process
> sending a signal to itself.
>
> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> ---
> v3: Don't leave compat aside, use the new unsafe_copy_siginfo_to_user32()
> ---
> arch/powerpc/kernel/signal_32.c | 8 +++-----
> arch/powerpc/kernel/signal_64.c | 5 +----
> 2 files changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
> index ff101e2b3bab..3a2db8af2d65 100644
> --- a/arch/powerpc/kernel/signal_32.c
> +++ b/arch/powerpc/kernel/signal_32.c
> @@ -710,9 +710,9 @@ static long restore_tm_user_regs(struct pt_regs *regs, struct mcontext __user *s
> }
> #endif
>
> -#ifdef CONFIG_PPC64
> +#ifndef CONFIG_PPC64
>
> -#define copy_siginfo_to_user copy_siginfo_to_user32
> +#define unsafe_copy_siginfo_to_user32 unsafe_copy_siginfo_to_user
>
> #endif /* CONFIG_PPC64 */
Any particular reason to reverse the sense of this #ifdef?
Otherwise this change looks much cleaner.
Eric
>
> @@ -779,15 +779,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
> asm("dcbst %y0; sync; icbi %y0; sync" :: "Z" (mctx->mc_pad[0]));
> }
> unsafe_put_sigset_t(&frame->uc.uc_sigmask, oldset, failed);
> + unsafe_copy_siginfo_to_user32(&frame->info, &ksig->info, failed);
>
> /* create a stack frame for the caller of the handler */
> unsafe_put_user(regs->gpr[1], newsp, failed);
>
> user_access_end();
>
> - if (copy_siginfo_to_user(&frame->info, &ksig->info))
> - goto badframe;
> -
> regs->link = tramp;
>
> #ifdef CONFIG_PPC_FPU_REGS
> diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
> index d80ff83cacb9..56c0c74aa28c 100644
> --- a/arch/powerpc/kernel/signal_64.c
> +++ b/arch/powerpc/kernel/signal_64.c
> @@ -901,15 +901,12 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
> }
>
> unsafe_copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set), badframe_block);
> + unsafe_copy_siginfo_to_user(&frame->info, &ksig->info, badframe_block);
> /* Allocate a dummy caller frame for the signal handler. */
> unsafe_put_user(regs->gpr[1], newsp, badframe_block);
>
> user_write_access_end();
>
> - /* Save the siginfo outside of the unsafe block. */
> - if (copy_siginfo_to_user(&frame->info, &ksig->info))
> - goto badframe;
> -
> /* Make sure signal handler doesn't get spurious FP exceptions */
> tsk->thread.fp_state.fpscr = 0;
^ permalink raw reply
* Re: [PATCH AUTOSEL 5.14 38/99] KVM: PPC: Book3S HV: XICS: Fix mapping of passthrough interrupts
From: Cédric Le Goater @ 2021-09-13 16:19 UTC (permalink / raw)
To: Sasha Levin; +Cc: kvm-ppc, linuxppc-dev, linux-kernel, stable
In-Reply-To: <YTy+xUtEEpln2Sq4@sashalap>
On 9/11/21 4:35 PM, Sasha Levin wrote:
> On Fri, Sep 10, 2021 at 07:48:18AM +0200, Cédric Le Goater wrote:
>> On 9/10/21 2:14 AM, Sasha Levin wrote:
>>> From: Cédric Le Goater <clg@kaod.org>
>>>
>>> [ Upstream commit 1753081f2d445f9157550692fcc4221cd3ff0958 ]
>>>
>>> PCI MSIs now live in an MSI domain but the underlying calls, which
>>> will EOI the interrupt in real mode, need an HW IRQ number mapped in
>>> the XICS IRQ domain. Grab it there.
>>>
>>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
>>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>>> Link: https://lore.kernel.org/r/20210701132750.1475580-31-clg@kaod.org
>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>
>>
>> Why are we backporting this patch in stable trees ?
>>
>> It should be fine but to compile, we need a partial backport of commit
>> 51be9e51a800 ("KVM: PPC: Book3S HV: XIVE: Fix mapping of passthrough
>> interrupts") which exports irq_get_default_host().
>
> Or, I can drop it if it makes no sense?
Yes I would.
It makes sense only with the full patchset, the one reworking PCI MSI
support in the PPC pSeries and PowerNV platforms.
Thanks,
C.
^ permalink raw reply
* Re: [PATCH RESEND v3 6/6] powerpc/signal: Use unsafe_copy_siginfo_to_user()
From: Eric W. Biederman @ 2021-09-13 16:21 UTC (permalink / raw)
To: Christophe Leroy; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <87h7eopixa.fsf@disp2133>
ebiederm@xmission.com (Eric W. Biederman) writes:
> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>
>> Use unsafe_copy_siginfo_to_user() in order to do the copy
>> within the user access block.
>>
>> On an mpc 8321 (book3s/32) the improvment is about 5% on a process
>> sending a signal to itself.
If you can't make function calls from an unsafe macro there is another
way to handle this that doesn't require everything to be inline.
From a safety perspective it is probably even a better approach.
Eric
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 0608581967f0..1b30bb78b863 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -205,6 +205,12 @@ struct sigframe {
int abigap[56];
};
+#ifdef CONFIG_PPC64
+# define user_siginfo_t compat_siginfo_t
+#else
+# define user_siginfo_t siginfo_t
+#endif
+
/*
* When we have rt signals to deliver, we set up on the
* user stack, going down from the original stack pointer:
@@ -217,11 +223,7 @@ struct sigframe {
*
*/
struct rt_sigframe {
-#ifdef CONFIG_PPC64
- compat_siginfo_t info;
-#else
- struct siginfo info;
-#endif
+ user_siginfo_t info;
struct ucontext uc;
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
struct ucontext uc_transact;
@@ -712,7 +714,7 @@ static long restore_tm_user_regs(struct pt_regs *regs, struct mcontext __user *s
#ifdef CONFIG_PPC64
-#define copy_siginfo_to_user copy_siginfo_to_user32
+#define copy_siginfo_to_external copy_siginfo_to_external32
#endif /* CONFIG_PPC64 */
@@ -731,6 +733,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
struct pt_regs *regs = tsk->thread.regs;
/* Save the thread's msr before get_tm_stackpointer() changes it */
unsigned long msr = regs->msr;
+ user_siginfo_t uinfo;
/* Set up Signal Frame */
frame = get_sigframe(ksig, tsk, sizeof(*frame), 1);
@@ -743,6 +746,8 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
else
prepare_save_user_regs(1);
+ copy_siginfo_to_external(&uinfo, &ksig->info);
+
if (!user_access_begin(frame, sizeof(*frame)))
goto badframe;
@@ -778,12 +783,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
asm("dcbst %y0; sync; icbi %y0; sync" :: "Z" (mctx->mc_pad[0]));
}
unsafe_put_sigset_t(&frame->uc.uc_sigmask, oldset, failed);
+ unsafe_copy_to_user(&frame->info, &uinfo, failed);
user_access_end();
- if (copy_siginfo_to_user(&frame->info, &ksig->info))
- goto badframe;
-
regs->link = tramp;
#ifdef CONFIG_PPC_FPU_REGS
Eric
^ permalink raw reply related
* Re: [PATCH 2/2] kvm: rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS
From: Sean Christopherson @ 2021-09-13 16:24 UTC (permalink / raw)
To: Juergen Gross
Cc: x86, Wanpeng Li, kvm, linux-doc, linux-kernel, Paul Mackerras,
linux-kselftest, H. Peter Anvin, Shuah Khan, Jonathan Corbet,
Joerg Roedel, Huacai Chen, Aleksandar Markovic, Ingo Molnar,
Eduardo Habkost, kvm-ppc, Borislav Petkov, Shuah Khan,
Thomas Gleixner, Jim Mattson, Thomas Bogendoerfer, linux-mips,
Paolo Bonzini, Vitaly Kuznetsov, linuxppc-dev
In-Reply-To: <20210913135745.13944-3-jgross@suse.com>
On Mon, Sep 13, 2021, Juergen Gross wrote:
> KVM_MAX_VCPU_ID is not specifying the highest allowed vcpu-id, but the
> number of allowed vcpu-ids. This has already led to confusion, so
> rename KVM_MAX_VCPU_ID to KVM_MAX_VCPU_IDS to make its semantics more
> clear
My hesitation with this rename is that the max _number_ of IDs is not the same
thing as the max allowed ID. E.g. on x86, given a capability that enumerates the
max number of IDs, I would expect to be able to create vCPUs with arbitrary 32-bit
x2APIC IDs so long as the total number of IDs is below the max.
^ permalink raw reply
* Re: [PATCH RESEND v3 4/6] signal: Add unsafe_copy_siginfo_to_user32()
From: Christophe Leroy @ 2021-09-13 17:01 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <87r1dspj2c.fsf@disp2133>
Le 13/09/2021 à 17:54, Eric W. Biederman a écrit :
> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>
>> In the same spirit as commit fb05121fd6a2 ("signal: Add
>> unsafe_get_compat_sigset()"), implement an 'unsafe' version of
>> copy_siginfo_to_user32() in order to use it within user access blocks.
>>
>> To do so, we need inline version of copy_siginfo_to_external32() as we
>> don't want any function call inside user access blocks.
>
> I don't understand. What is wrong with?
>
> #define unsafe_copy_siginfo_to_user32(to, from, label) do { \
> struct compat_siginfo __user *__ucs_to = to; \
> const struct kernel_siginfo *__ucs_from = from; \
> struct compat_siginfo __ucs_new; \
> \
> copy_siginfo_to_external32(&__ucs_new, __ucs_from); \
> unsafe_copy_to_user(__ucs_to, &__ucs_new, \
> sizeof(struct compat_siginfo), label); \
> } while (0)
As far as I understood, it is forbidden to call functions within user
access blocks.
On powerpc it doesn't matter (yet), but as far as I understand x86 as a
tool called "objtool" to enforce that.
>
> Your replacement of "memset(to, 0, sizeof(*to))" with
> "struct compat_siginfo __ucs_new = {0}". is actively unsafe as the
> compiler is free not to initialize any holes in the structure to 0 in
> the later case.
Ah ? I didn't know that.
Maybe we can make as exception for memset(). Or we can hard-code a
zeroizing loop.
>
> Is there something about the unsafe macros that I am not aware of that
> makes it improper to actually call C functions? Is that a requirement
> for the instructions that change the user space access behavior?
See see
https://lore.kernel.org/lkml/20190318155142.025214872@infradead.org/T/ ?
>
> From the looks of this change all that you are doing is making it so
> that all of copy_siginfo_to_external32 is being inlined. If that is not
> a hard requirement of the instructions it seems like the wrong thing to
> do here. copy_siginfo_to_external32 has not failures so it does not need
> to be inlined so you can jump to the label.
Yes that's what I did, make sure everything is inlined. Or maybe I
misunderstood something ?
Christophe
^ permalink raw reply
* Re: [PATCH v4] lockdown,selinux: fix wrong subject in some SELinux lockdown checks
From: Rafael J. Wysocki @ 2021-09-13 17:13 UTC (permalink / raw)
To: Ondrej Mosnacek
Cc: linux-efi, Linux PCI, linux-cxl, Steffen Klassert, Herbert Xu,
the arch/x86 maintainers, James Morris, ACPI Devel Maling List,
Ingo Molnar, linux-serial, Linux PM, selinux, Steven Rostedt,
Casey Schaufler, Dan Williams, Paul Moore, netdev,
Stephen Smalley, Kexec Mailing List, Linux Kernel Mailing List,
linux-security-module, linux-fsdevel, bpf, linuxppc-dev,
David S . Miller
In-Reply-To: <20210913140229.24797-1-omosnace@redhat.com>
On Mon, Sep 13, 2021 at 4:04 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Commit 59438b46471a ("security,lockdown,selinux: implement SELinux
> lockdown") added an implementation of the locked_down LSM hook to
> SELinux, with the aim to restrict which domains are allowed to perform
> operations that would breach lockdown.
>
> However, in several places the security_locked_down() hook is called in
> situations where the current task isn't doing any action that would
> directly breach lockdown, leading to SELinux checks that are basically
> bogus.
>
> To fix this, add an explicit struct cred pointer argument to
> security_lockdown() and define NULL as a special value to pass instead
> of current_cred() in such situations. LSMs that take the subject
> credentials into account can then fall back to some default or ignore
> such calls altogether. In the SELinux lockdown hook implementation, use
> SECINITSID_KERNEL in case the cred argument is NULL.
>
> Most of the callers are updated to pass current_cred() as the cred
> pointer, thus maintaining the same behavior. The following callers are
> modified to pass NULL as the cred pointer instead:
> 1. arch/powerpc/xmon/xmon.c
> Seems to be some interactive debugging facility. It appears that
> the lockdown hook is called from interrupt context here, so it
> should be more appropriate to request a global lockdown decision.
> 2. fs/tracefs/inode.c:tracefs_create_file()
> Here the call is used to prevent creating new tracefs entries when
> the kernel is locked down. Assumes that locking down is one-way -
> i.e. if the hook returns non-zero once, it will never return zero
> again, thus no point in creating these files. Also, the hook is
> often called by a module's init function when it is loaded by
> userspace, where it doesn't make much sense to do a check against
> the current task's creds, since the task itself doesn't actually
> use the tracing functionality (i.e. doesn't breach lockdown), just
> indirectly makes some new tracepoints available to whoever is
> authorized to use them.
> 3. net/xfrm/xfrm_user.c:copy_to_user_*()
> Here a cryptographic secret is redacted based on the value returned
> from the hook. There are two possible actions that may lead here:
> a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the
> task context is relevant, since the dumped data is sent back to
> the current task.
> b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the
> dumped SA is broadcasted to tasks subscribed to XFRM events -
> here the current task context is not relevant as it doesn't
> represent the tasks that could potentially see the secret.
> It doesn't seem worth it to try to keep using the current task's
> context in the a) case, since the eventual data leak can be
> circumvented anyway via b), plus there is no way for the task to
> indicate that it doesn't care about the actual key value, so the
> check could generate a lot of "false alert" denials with SELinux.
> Thus, let's pass NULL instead of current_cred() here faute de
> mieux.
>
> Improvements-suggested-by: Casey Schaufler <casey@schaufler-ca.com>
> Improvements-suggested-by: Paul Moore <paul@paul-moore.com>
> Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
> Acked-by: Dan Williams <dan.j.williams@intel.com> [cxl]
> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> [xfrm]
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
for the ACPI and hibernation changes.
> ---
>
> v4:
> - rebase on top of TODO
> - fix rebase conflicts:
> * drivers/cxl/pci.c
> - trivial: the lockdown reason was corrected in mainline
> * kernel/bpf/helpers.c, kernel/trace/bpf_trace.c
> - trivial: LOCKDOWN_BPF_READ was renamed to LOCKDOWN_BPF_READ_KERNEL
> in mainline
> * kernel/power/hibernate.c
> - trivial: !secretmem_active() was added to the condition in
> hibernation_available()
> - cover new security_locked_down() call in kernel/bpf/helpers.c
> (LOCKDOWN_BPF_WRITE_USER in BPF_FUNC_probe_write_user case)
>
> v3: https://lore.kernel.org/lkml/20210616085118.1141101-1-omosnace@redhat.com/
> - add the cred argument to security_locked_down() and adapt all callers
> - keep using current_cred() in BPF, as the hook calls have been shifted
> to program load time (commit ff40e51043af ("bpf, lockdown, audit: Fix
> buggy SELinux lockdown permission checks"))
> - in SELinux, don't ignore hook calls where cred == NULL, but use
> SECINITSID_KERNEL as the subject instead
> - update explanations in the commit message
>
> v2: https://lore.kernel.org/lkml/20210517092006.803332-1-omosnace@redhat.com/
> - change to a single hook based on suggestions by Casey Schaufler
>
> v1: https://lore.kernel.org/lkml/20210507114048.138933-1-omosnace@redhat.com/
>
> arch/powerpc/xmon/xmon.c | 4 ++--
> arch/x86/kernel/ioport.c | 4 ++--
> arch/x86/kernel/msr.c | 4 ++--
> arch/x86/mm/testmmiotrace.c | 2 +-
> drivers/acpi/acpi_configfs.c | 2 +-
> drivers/acpi/custom_method.c | 2 +-
> drivers/acpi/osl.c | 3 ++-
> drivers/acpi/tables.c | 2 +-
> drivers/char/mem.c | 2 +-
> drivers/cxl/pci.c | 2 +-
> drivers/firmware/efi/efi.c | 2 +-
> drivers/firmware/efi/test/efi_test.c | 2 +-
> drivers/pci/pci-sysfs.c | 6 +++---
> drivers/pci/proc.c | 6 +++---
> drivers/pci/syscall.c | 2 +-
> drivers/pcmcia/cistpl.c | 2 +-
> drivers/tty/serial/serial_core.c | 2 +-
> fs/debugfs/file.c | 2 +-
> fs/debugfs/inode.c | 2 +-
> fs/proc/kcore.c | 2 +-
> fs/tracefs/inode.c | 2 +-
> include/linux/lsm_hook_defs.h | 2 +-
> include/linux/lsm_hooks.h | 1 +
> include/linux/security.h | 4 ++--
> kernel/bpf/helpers.c | 10 ++++++----
> kernel/events/core.c | 2 +-
> kernel/kexec.c | 2 +-
> kernel/kexec_file.c | 2 +-
> kernel/module.c | 2 +-
> kernel/params.c | 2 +-
> kernel/power/hibernate.c | 2 +-
> kernel/trace/bpf_trace.c | 25 +++++++++++++++----------
> kernel/trace/ftrace.c | 4 ++--
> kernel/trace/ring_buffer.c | 2 +-
> kernel/trace/trace.c | 10 +++++-----
> kernel/trace/trace_events.c | 2 +-
> kernel/trace/trace_events_hist.c | 4 ++--
> kernel/trace/trace_events_synth.c | 2 +-
> kernel/trace/trace_events_trigger.c | 2 +-
> kernel/trace/trace_kprobe.c | 6 +++---
> kernel/trace/trace_printk.c | 2 +-
> kernel/trace/trace_stack.c | 2 +-
> kernel/trace/trace_stat.c | 2 +-
> kernel/trace/trace_uprobe.c | 4 ++--
> net/xfrm/xfrm_user.c | 11 +++++++++--
> security/lockdown/lockdown.c | 3 ++-
> security/security.c | 4 ++--
> security/selinux/hooks.c | 7 +++++--
> 48 files changed, 99 insertions(+), 79 deletions(-)
>
> diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
> index dd8241c009e5..47464e873749 100644
> --- a/arch/powerpc/xmon/xmon.c
> +++ b/arch/powerpc/xmon/xmon.c
> @@ -309,7 +309,7 @@ static bool xmon_is_locked_down(void)
> static bool lockdown;
>
> if (!lockdown) {
> - lockdown = !!security_locked_down(LOCKDOWN_XMON_RW);
> + lockdown = !!security_locked_down(NULL, LOCKDOWN_XMON_RW);
> if (lockdown) {
> printf("xmon: Disabled due to kernel lockdown\n");
> xmon_is_ro = true;
> @@ -317,7 +317,7 @@ static bool xmon_is_locked_down(void)
> }
>
> if (!xmon_is_ro) {
> - xmon_is_ro = !!security_locked_down(LOCKDOWN_XMON_WR);
> + xmon_is_ro = !!security_locked_down(NULL, LOCKDOWN_XMON_WR);
> if (xmon_is_ro)
> printf("xmon: Read-only due to kernel lockdown\n");
> }
> diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
> index e2fab3ceb09f..838ba45ecc71 100644
> --- a/arch/x86/kernel/ioport.c
> +++ b/arch/x86/kernel/ioport.c
> @@ -71,7 +71,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
> if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
> return -EINVAL;
> if (turn_on && (!capable(CAP_SYS_RAWIO) ||
> - security_locked_down(LOCKDOWN_IOPORT)))
> + security_locked_down(current_cred(), LOCKDOWN_IOPORT)))
> return -EPERM;
>
> /*
> @@ -187,7 +187,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
> /* Trying to gain more privileges? */
> if (level > old) {
> if (!capable(CAP_SYS_RAWIO) ||
> - security_locked_down(LOCKDOWN_IOPORT))
> + security_locked_down(current_cred(), LOCKDOWN_IOPORT))
> return -EPERM;
> }
>
> diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
> index ed8ac6bcbafb..6a687d91515b 100644
> --- a/arch/x86/kernel/msr.c
> +++ b/arch/x86/kernel/msr.c
> @@ -116,7 +116,7 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
> int err = 0;
> ssize_t bytes = 0;
>
> - err = security_locked_down(LOCKDOWN_MSR);
> + err = security_locked_down(current_cred(), LOCKDOWN_MSR);
> if (err)
> return err;
>
> @@ -179,7 +179,7 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
> err = -EFAULT;
> break;
> }
> - err = security_locked_down(LOCKDOWN_MSR);
> + err = security_locked_down(current_cred(), LOCKDOWN_MSR);
> if (err)
> break;
>
> diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
> index bda73cb7a044..c43a13241ae8 100644
> --- a/arch/x86/mm/testmmiotrace.c
> +++ b/arch/x86/mm/testmmiotrace.c
> @@ -116,7 +116,7 @@ static void do_test_bulk_ioremapping(void)
> static int __init init(void)
> {
> unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
> - int ret = security_locked_down(LOCKDOWN_MMIOTRACE);
> + int ret = security_locked_down(current_cred(), LOCKDOWN_MMIOTRACE);
>
> if (ret)
> return ret;
> diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
> index c970792b11a4..17c4e79b596e 100644
> --- a/drivers/acpi/acpi_configfs.c
> +++ b/drivers/acpi/acpi_configfs.c
> @@ -26,7 +26,7 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
> {
> const struct acpi_table_header *header = data;
> struct acpi_table *table;
> - int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> + int ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
>
> if (ret)
> return ret;
> diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
> index d39a9b474727..8cac7f683245 100644
> --- a/drivers/acpi/custom_method.c
> +++ b/drivers/acpi/custom_method.c
> @@ -30,7 +30,7 @@ static ssize_t cm_write(struct file *file, const char __user *user_buf,
> acpi_status status;
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> + ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
> if (ret)
> return ret;
>
> diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
> index a43f1521efe6..11c462788db8 100644
> --- a/drivers/acpi/osl.c
> +++ b/drivers/acpi/osl.c
> @@ -198,7 +198,8 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
> * specific location (if appropriate) so it can be carried
> * over further kexec()s.
> */
> - if (acpi_rsdp && !security_locked_down(LOCKDOWN_ACPI_TABLES)) {
> + if (acpi_rsdp && !security_locked_down(current_cred(),
> + LOCKDOWN_ACPI_TABLES)) {
> acpi_arch_set_root_pointer(acpi_rsdp);
> return acpi_rsdp;
> }
> diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
> index f9383736fa0f..6569ccacd24b 100644
> --- a/drivers/acpi/tables.c
> +++ b/drivers/acpi/tables.c
> @@ -577,7 +577,7 @@ void __init acpi_table_upgrade(void)
> if (table_nr == 0)
> return;
>
> - if (security_locked_down(LOCKDOWN_ACPI_TABLES)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES)) {
> pr_notice("kernel is locked down, ignoring table override\n");
> return;
> }
> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
> index 1c596b5cdb27..330749897cd7 100644
> --- a/drivers/char/mem.c
> +++ b/drivers/char/mem.c
> @@ -617,7 +617,7 @@ static int open_port(struct inode *inode, struct file *filp)
> if (!capable(CAP_SYS_RAWIO))
> return -EPERM;
>
> - rc = security_locked_down(LOCKDOWN_DEV_MEM);
> + rc = security_locked_down(current_cred(), LOCKDOWN_DEV_MEM);
> if (rc)
> return rc;
>
> diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
> index 8e45aa07d662..539c91959234 100644
> --- a/drivers/cxl/pci.c
> +++ b/drivers/cxl/pci.c
> @@ -575,7 +575,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
> if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
> return false;
>
> - if (security_locked_down(LOCKDOWN_PCI_ACCESS))
> + if (security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
> return false;
>
> if (cxl_raw_allow_all)
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 847f33ffc4ae..a885b4c38358 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -200,7 +200,7 @@ static void generic_ops_unregister(void)
> static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
> static int __init efivar_ssdt_setup(char *str)
> {
> - int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> + int ret = security_locked_down(current_cred(), LOCKDOWN_ACPI_TABLES);
>
> if (ret)
> return ret;
> diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
> index 47d67bb0a516..942c25843665 100644
> --- a/drivers/firmware/efi/test/efi_test.c
> +++ b/drivers/firmware/efi/test/efi_test.c
> @@ -722,7 +722,7 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
>
> static int efi_test_open(struct inode *inode, struct file *file)
> {
> - int ret = security_locked_down(LOCKDOWN_EFI_TEST);
> + int ret = security_locked_down(current_cred(), LOCKDOWN_EFI_TEST);
>
> if (ret)
> return ret;
> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index 7fb5cd17cc98..b76055dbbb03 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -753,7 +753,7 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
> u8 *data = (u8 *) buf;
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
> if (ret)
> return ret;
>
> @@ -1047,7 +1047,7 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
> struct resource *res = &pdev->resource[bar];
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
> if (ret)
> return ret;
>
> @@ -1128,7 +1128,7 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
> if (ret)
> return ret;
>
> diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
> index cb18f8a13ab6..1dbdcdf0eff5 100644
> --- a/drivers/pci/proc.c
> +++ b/drivers/pci/proc.c
> @@ -119,7 +119,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
> int size = dev->cfg_size;
> int cnt, ret;
>
> - ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
> if (ret)
> return ret;
>
> @@ -202,7 +202,7 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
> #endif /* HAVE_PCI_MMAP */
> int ret = 0;
>
> - ret = security_locked_down(LOCKDOWN_PCI_ACCESS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS);
> if (ret)
> return ret;
>
> @@ -249,7 +249,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
> int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
>
> if (!capable(CAP_SYS_RAWIO) ||
> - security_locked_down(LOCKDOWN_PCI_ACCESS))
> + security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
> return -EPERM;
>
> if (fpriv->mmap_state == pci_mmap_io) {
> diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
> index 61a6fe3cde21..e88cacf8d418 100644
> --- a/drivers/pci/syscall.c
> +++ b/drivers/pci/syscall.c
> @@ -93,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
> int err = 0;
>
> if (!capable(CAP_SYS_ADMIN) ||
> - security_locked_down(LOCKDOWN_PCI_ACCESS))
> + security_locked_down(current_cred(), LOCKDOWN_PCI_ACCESS))
> return -EPERM;
>
> dev = pci_get_domain_bus_and_slot(0, bus, dfn);
> diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
> index 948b763dc451..96c96c1cd6da 100644
> --- a/drivers/pcmcia/cistpl.c
> +++ b/drivers/pcmcia/cistpl.c
> @@ -1577,7 +1577,7 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
> struct pcmcia_socket *s;
> int error;
>
> - error = security_locked_down(LOCKDOWN_PCMCIA_CIS);
> + error = security_locked_down(current_cred(), LOCKDOWN_PCMCIA_CIS);
> if (error)
> return error;
>
> diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
> index 0e2e35ab64c7..7fbec2644b1b 100644
> --- a/drivers/tty/serial/serial_core.c
> +++ b/drivers/tty/serial/serial_core.c
> @@ -840,7 +840,7 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
> }
>
> if (change_irq || change_port) {
> - retval = security_locked_down(LOCKDOWN_TIOCSSERIAL);
> + retval = security_locked_down(current_cred(), LOCKDOWN_TIOCSSERIAL);
> if (retval)
> goto exit;
> }
> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
> index 7d162b0efbf0..a8e44f3e11d2 100644
> --- a/fs/debugfs/file.c
> +++ b/fs/debugfs/file.c
> @@ -154,7 +154,7 @@ static int debugfs_locked_down(struct inode *inode,
> !real_fops->mmap)
> return 0;
>
> - if (security_locked_down(LOCKDOWN_DEBUGFS))
> + if (security_locked_down(current_cred(), LOCKDOWN_DEBUGFS))
> return -EPERM;
>
> return 0;
> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
> index 8129a430d789..17f6438cc1b5 100644
> --- a/fs/debugfs/inode.c
> +++ b/fs/debugfs/inode.c
> @@ -48,7 +48,7 @@ static int debugfs_setattr(struct user_namespace *mnt_userns,
> int ret;
>
> if (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) {
> - ret = security_locked_down(LOCKDOWN_DEBUGFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_DEBUGFS);
> if (ret)
> return ret;
> }
> diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
> index 982e694aae77..f386fd373ea6 100644
> --- a/fs/proc/kcore.c
> +++ b/fs/proc/kcore.c
> @@ -586,7 +586,7 @@ out:
>
> static int open_kcore(struct inode *inode, struct file *filp)
> {
> - int ret = security_locked_down(LOCKDOWN_KCORE);
> + int ret = security_locked_down(current_cred(), LOCKDOWN_KCORE);
>
> if (!capable(CAP_SYS_RAWIO))
> return -EPERM;
> diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
> index 1261e8b41edb..9db8dd52d429 100644
> --- a/fs/tracefs/inode.c
> +++ b/fs/tracefs/inode.c
> @@ -396,7 +396,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode,
> struct dentry *dentry;
> struct inode *inode;
>
> - if (security_locked_down(LOCKDOWN_TRACEFS))
> + if (security_locked_down(NULL, LOCKDOWN_TRACEFS))
> return NULL;
>
> if (!(mode & S_IFMT))
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 2adeea44c0d5..a83a370cc284 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -393,7 +393,7 @@ LSM_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux)
> LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
> #endif /* CONFIG_BPF_SYSCALL */
>
> -LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
> +LSM_HOOK(int, 0, locked_down, const struct cred *cred, enum lockdown_reason what)
>
> #ifdef CONFIG_PERF_EVENTS
> LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 5c4c5c0602cb..8156f2dbaab7 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1543,6 +1543,7 @@
> * Determine whether a kernel feature that potentially enables arbitrary
> * code execution in kernel space should be permitted.
> *
> + * @cred: credential asociated with the operation, or NULL if not applicable
> * @what: kernel feature being accessed
> *
> * Security hooks for perf events
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 5b7288521300..a9001c0ed885 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -471,7 +471,7 @@ void security_inode_invalidate_secctx(struct inode *inode);
> int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
> int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> -int security_locked_down(enum lockdown_reason what);
> +int security_locked_down(const struct cred *cred, enum lockdown_reason what);
> #else /* CONFIG_SECURITY */
>
> static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -1344,7 +1344,7 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
> {
> return -EOPNOTSUPP;
> }
> -static inline int security_locked_down(enum lockdown_reason what)
> +static inline int security_locked_down(struct cred *cred, enum lockdown_reason what)
> {
> return 0;
> }
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 9aabf84afd4b..61a9645f9b8f 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -1424,13 +1424,15 @@ bpf_base_func_proto(enum bpf_func_id func_id)
> case BPF_FUNC_probe_read_user:
> return &bpf_probe_read_user_proto;
> case BPF_FUNC_probe_read_kernel:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_kernel_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_kernel_proto;
> case BPF_FUNC_probe_read_user_str:
> return &bpf_probe_read_user_str_proto;
> case BPF_FUNC_probe_read_kernel_str:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_kernel_str_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_kernel_str_proto;
> case BPF_FUNC_snprintf_btf:
> return &bpf_snprintf_btf_proto;
> case BPF_FUNC_snprintf:
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 744e8726c5b2..d2836e320948 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -12017,7 +12017,7 @@ SYSCALL_DEFINE5(perf_event_open,
>
> /* REGS_INTR can leak data, lockdown must prevent this */
> if (attr.sample_type & PERF_SAMPLE_REGS_INTR) {
> - err = security_locked_down(LOCKDOWN_PERF);
> + err = security_locked_down(current_cred(), LOCKDOWN_PERF);
> if (err)
> return err;
> }
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index b5e40f069768..f908dd7889de 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -208,7 +208,7 @@ static inline int kexec_load_check(unsigned long nr_segments,
> * kexec can be used to circumvent module loading restrictions, so
> * prevent loading in that case
> */
> - result = security_locked_down(LOCKDOWN_KEXEC);
> + result = security_locked_down(current_cred(), LOCKDOWN_KEXEC);
> if (result)
> return result;
>
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 33400ff051a8..add00b325f4f 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -204,7 +204,7 @@ kimage_validate_signature(struct kimage *image)
> * down.
> */
> if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
> - security_locked_down(LOCKDOWN_KEXEC))
> + security_locked_down(current_cred(), LOCKDOWN_KEXEC))
> return -EPERM;
>
> pr_debug("kernel signature verification failed (%d).\n", ret);
> diff --git a/kernel/module.c b/kernel/module.c
> index 40ec9a030eec..3cad8055d7a2 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2931,7 +2931,7 @@ static int module_sig_check(struct load_info *info, int flags)
> return -EKEYREJECTED;
> }
>
> - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
> + return security_locked_down(current_cred(), LOCKDOWN_MODULE_SIGNATURE);
> }
> #else /* !CONFIG_MODULE_SIG */
> static int module_sig_check(struct load_info *info, int flags)
> diff --git a/kernel/params.c b/kernel/params.c
> index 8299bd764e42..619bf8ad8416 100644
> --- a/kernel/params.c
> +++ b/kernel/params.c
> @@ -100,7 +100,7 @@ bool parameq(const char *a, const char *b)
> static bool param_check_unsafe(const struct kernel_param *kp)
> {
> if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
> - security_locked_down(LOCKDOWN_MODULE_PARAMETERS))
> + security_locked_down(current_cred(), LOCKDOWN_MODULE_PARAMETERS))
> return false;
>
> if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
> diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> index 559acef3fddb..2625d531ee0e 100644
> --- a/kernel/power/hibernate.c
> +++ b/kernel/power/hibernate.c
> @@ -83,7 +83,7 @@ void hibernate_release(void)
> bool hibernation_available(void)
> {
> return nohibernate == 0 &&
> - !security_locked_down(LOCKDOWN_HIBERNATION) &&
> + !security_locked_down(current_cred(), LOCKDOWN_HIBERNATION) &&
> !secretmem_active();
> }
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 8e2eb950aa82..51bdbdf75a5c 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1066,25 +1066,30 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> case BPF_FUNC_get_prandom_u32:
> return &bpf_get_prandom_u32_proto;
> case BPF_FUNC_probe_write_user:
> - return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ?
> - NULL : bpf_get_probe_write_proto();
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_WRITE_USER) < 0)
> + return NULL;
> + return bpf_get_probe_write_proto();
> case BPF_FUNC_probe_read_user:
> return &bpf_probe_read_user_proto;
> case BPF_FUNC_probe_read_kernel:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_kernel_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_kernel_proto;
> case BPF_FUNC_probe_read_user_str:
> return &bpf_probe_read_user_str_proto;
> case BPF_FUNC_probe_read_kernel_str:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_kernel_str_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_kernel_str_proto;
> #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
> case BPF_FUNC_probe_read:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_compat_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_compat_proto;
> case BPF_FUNC_probe_read_str:
> - return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
> - NULL : &bpf_probe_read_compat_str_proto;
> + if (security_locked_down(current_cred(), LOCKDOWN_BPF_READ_KERNEL) < 0)
> + return NULL;
> + return &bpf_probe_read_compat_str_proto;
> #endif
> #ifdef CONFIG_CGROUPS
> case BPF_FUNC_get_current_cgroup_id:
> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index 7efbc8aaf7f6..5c1b2681c371 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -3694,7 +3694,7 @@ ftrace_avail_open(struct inode *inode, struct file *file)
> struct ftrace_iterator *iter;
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> @@ -5822,7 +5822,7 @@ __ftrace_graph_open(struct inode *inode, struct file *file,
> int ret;
> struct ftrace_hash *new_hash = NULL;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index c5a3fbf19617..13669fcbd466 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -5880,7 +5880,7 @@ static __init int test_ringbuffer(void)
> int cpu;
> int ret = 0;
>
> - if (security_locked_down(LOCKDOWN_TRACEFS)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
> pr_warn("Lockdown is enabled, skipping ring buffer tests\n");
> return 0;
> }
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 7896d30d90f7..2bac9688ff6a 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -486,7 +486,7 @@ int tracing_check_open_get_tr(struct trace_array *tr)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> @@ -2071,7 +2071,7 @@ int __init register_tracer(struct tracer *type)
> return -1;
> }
>
> - if (security_locked_down(LOCKDOWN_TRACEFS)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
> pr_warn("Can not register tracer %s due to lockdown\n",
> type->name);
> return -EPERM;
> @@ -9527,7 +9527,7 @@ int tracing_init_dentry(void)
> {
> struct trace_array *tr = &global_trace;
>
> - if (security_locked_down(LOCKDOWN_TRACEFS)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
> pr_warn("Tracing disabled due to lockdown\n");
> return -EPERM;
> }
> @@ -9989,7 +9989,7 @@ __init static int tracer_alloc_buffers(void)
> int ret = -ENOMEM;
>
>
> - if (security_locked_down(LOCKDOWN_TRACEFS)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
> pr_warn("Tracing disabled due to lockdown\n");
> return -EPERM;
> }
> @@ -10155,7 +10155,7 @@ __init static void tracing_set_default_clock(void)
> {
> /* sched_clock_stable() is determined in late_initcall */
> if (!trace_boot_clock && !sched_clock_stable()) {
> - if (security_locked_down(LOCKDOWN_TRACEFS)) {
> + if (security_locked_down(current_cred(), LOCKDOWN_TRACEFS)) {
> pr_warn("Can not set tracing clock due to lockdown\n");
> return;
> }
> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
> index 830b3b9940f4..c1e4f7f93c0e 100644
> --- a/kernel/trace/trace_events.c
> +++ b/kernel/trace/trace_events.c
> @@ -2130,7 +2130,7 @@ ftrace_event_open(struct inode *inode, struct file *file,
> struct seq_file *m;
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index a6061a69aa84..e122f0467421 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -4917,7 +4917,7 @@ static int event_hist_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> @@ -5189,7 +5189,7 @@ static int event_hist_debug_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> index d54094b7a9d7..deac45f00f3a 100644
> --- a/kernel/trace/trace_events_synth.c
> +++ b/kernel/trace/trace_events_synth.c
> @@ -2174,7 +2174,7 @@ static int synth_events_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
> index 3d5c07239a2a..38226c386f82 100644
> --- a/kernel/trace/trace_events_trigger.c
> +++ b/kernel/trace/trace_events_trigger.c
> @@ -190,7 +190,7 @@ static int event_trigger_regex_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
> index 3a64ba4bbad6..9178ad52290e 100644
> --- a/kernel/trace/trace_kprobe.c
> +++ b/kernel/trace/trace_kprobe.c
> @@ -479,7 +479,7 @@ static int __register_trace_kprobe(struct trace_kprobe *tk)
> {
> int i, ret;
>
> - ret = security_locked_down(LOCKDOWN_KPROBES);
> + ret = security_locked_down(current_cred(), LOCKDOWN_KPROBES);
> if (ret)
> return ret;
>
> @@ -1141,7 +1141,7 @@ static int probes_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> @@ -1199,7 +1199,7 @@ static int profile_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
> index 4b320fe7df70..47c808484cb2 100644
> --- a/kernel/trace/trace_printk.c
> +++ b/kernel/trace/trace_printk.c
> @@ -362,7 +362,7 @@ ftrace_formats_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
> index 63c285042051..63b6ebe7bdce 100644
> --- a/kernel/trace/trace_stack.c
> +++ b/kernel/trace/trace_stack.c
> @@ -477,7 +477,7 @@ static int stack_trace_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c
> index 8d141c3825a9..2f6ae81ee67e 100644
> --- a/kernel/trace/trace_stat.c
> +++ b/kernel/trace/trace_stat.c
> @@ -236,7 +236,7 @@ static int tracing_stat_open(struct inode *inode, struct file *file)
> struct seq_file *m;
> struct stat_session *session = inode->i_private;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 225ce569bf8f..4b114e4fe436 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -781,7 +781,7 @@ static int probes_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> @@ -836,7 +836,7 @@ static int profile_open(struct inode *inode, struct file *file)
> {
> int ret;
>
> - ret = security_locked_down(LOCKDOWN_TRACEFS);
> + ret = security_locked_down(current_cred(), LOCKDOWN_TRACEFS);
> if (ret)
> return ret;
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 03b66d154b2b..ffd560514d8f 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -850,8 +850,15 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
>
> static bool xfrm_redact(void)
> {
> - return IS_ENABLED(CONFIG_SECURITY) &&
> - security_locked_down(LOCKDOWN_XFRM_SECRET);
> + /* Don't use current_cred() here, since this may be called when
> + * broadcasting a notification that an SA has been created/deleted.
> + * In that case current task is the one triggering the notification,
> + * but the SA key is actually leaked to the event subscribers.
> + * Since we can't easily do the redact decision per-subscriber,
> + * just pass NULL here, indicating to the LSMs that a global lockdown
> + * decision should be made instead.
> + */
> + return security_locked_down(NULL, LOCKDOWN_XFRM_SECRET);
> }
>
> static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 87cbdc64d272..2abe92157e82 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -55,7 +55,8 @@ early_param("lockdown", lockdown_param);
> * lockdown_is_locked_down - Find out if the kernel is locked down
> * @what: Tag to use in notice generated if lockdown is in effect
> */
> -static int lockdown_is_locked_down(enum lockdown_reason what)
> +static int lockdown_is_locked_down(const struct cred *cred,
> + enum lockdown_reason what)
> {
> if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
> "Invalid lockdown reason"))
> diff --git a/security/security.c b/security/security.c
> index 9ffa9e9c5c55..51245e37b351 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2593,9 +2593,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
> }
> #endif /* CONFIG_BPF_SYSCALL */
>
> -int security_locked_down(enum lockdown_reason what)
> +int security_locked_down(const struct cred *cred, enum lockdown_reason what)
> {
> - return call_int_hook(locked_down, 0, what);
> + return call_int_hook(locked_down, 0, cred, what);
> }
> EXPORT_SYMBOL(security_locked_down);
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6517f221d52c..300bc9e1ffbf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7013,10 +7013,10 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
> }
> #endif
>
> -static int selinux_lockdown(enum lockdown_reason what)
> +static int selinux_lockdown(const struct cred *cred, enum lockdown_reason what)
> {
> struct common_audit_data ad;
> - u32 sid = current_sid();
> + u32 sid;
> int invalid_reason = (what <= LOCKDOWN_NONE) ||
> (what == LOCKDOWN_INTEGRITY_MAX) ||
> (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
> @@ -7028,6 +7028,9 @@ static int selinux_lockdown(enum lockdown_reason what)
> return -EINVAL;
> }
>
> + /* Use SECINITSID_KERNEL if there is no relevant cred to check against */
> + sid = cred ? cred_sid(cred) : SECINITSID_KERNEL;
> +
> ad.type = LSM_AUDIT_DATA_LOCKDOWN;
> ad.u.reason = what;
>
> --
> 2.31.1
>
^ permalink raw reply
* Re: [PATCH RESEND v3 6/6] powerpc/signal: Use unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 17:14 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <87h7eopixa.fsf@disp2133>
Le 13/09/2021 à 17:57, Eric W. Biederman a écrit :
> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>
>> Use unsafe_copy_siginfo_to_user() in order to do the copy
>> within the user access block.
>>
>> On an mpc 8321 (book3s/32) the improvment is about 5% on a process
>> sending a signal to itself.
>>
>> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
>> ---
>> v3: Don't leave compat aside, use the new unsafe_copy_siginfo_to_user32()
>> ---
>> arch/powerpc/kernel/signal_32.c | 8 +++-----
>> arch/powerpc/kernel/signal_64.c | 5 +----
>> 2 files changed, 4 insertions(+), 9 deletions(-)
>>
>> diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
>> index ff101e2b3bab..3a2db8af2d65 100644
>> --- a/arch/powerpc/kernel/signal_32.c
>> +++ b/arch/powerpc/kernel/signal_32.c
>> @@ -710,9 +710,9 @@ static long restore_tm_user_regs(struct pt_regs *regs, struct mcontext __user *s
>> }
>> #endif
>>
>> -#ifdef CONFIG_PPC64
>> +#ifndef CONFIG_PPC64
>>
>> -#define copy_siginfo_to_user copy_siginfo_to_user32
>> +#define unsafe_copy_siginfo_to_user32 unsafe_copy_siginfo_to_user
>>
>> #endif /* CONFIG_PPC64 */
>
> Any particular reason to reverse the sense of this #ifdef?
Yes I had double definition of unsafe_copy_siginfo_to_user(), I could
have ifdefed out unsafe_copy_siginfo_to_user() in signal.h, but I
prefered to ifdef out copy_siginfo_to_user32() in compat.h
>
> Otherwise this change looks much cleaner.
Thanks
Christophe
^ permalink raw reply
* Re: [PATCH RESEND v3 6/6] powerpc/signal: Use unsafe_copy_siginfo_to_user()
From: Christophe Leroy @ 2021-09-13 17:19 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: linux-kernel, hch, Paul Mackerras, linuxppc-dev
In-Reply-To: <87y280o38q.fsf@disp2133>
Le 13/09/2021 à 18:21, Eric W. Biederman a écrit :
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Christophe Leroy <christophe.leroy@csgroup.eu> writes:
>>
>>> Use unsafe_copy_siginfo_to_user() in order to do the copy
>>> within the user access block.
>>>
>>> On an mpc 8321 (book3s/32) the improvment is about 5% on a process
>>> sending a signal to itself.
>
> If you can't make function calls from an unsafe macro there is another
> way to handle this that doesn't require everything to be inline.
>
> From a safety perspective it is probably even a better approach.
Yes but that's exactly what I wanted to avoid for the native ppc32 case:
this double hop means useless pressure on the cache. The siginfo_t
structure is 128 bytes large, that means 8 lines of cache on powerpc 8xx.
But maybe it is acceptable to do that only for the compat case. Let me
think about it, it might be quite easy.
Christophe
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox