From 831e3f545b0771f91fa94cdb8aa569a73b9ec580 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Thu, 24 Apr 2025 09:27:35 -0400 Subject: [PATCH 01/16] Revert "sunrpc: clean cache_detail immediately when flush is written frequently" Ondrej reports that certain SELinux tests are failing after commit fc2a169c56de ("sunrpc: clean cache_detail immediately when flush is written frequently"), merged during the v6.15 merge window. Reported-by: Ondrej Mosnacek Fixes: fc2a169c56de ("sunrpc: clean cache_detail immediately when flush is written frequently") Signed-off-by: Chuck Lever --- net/sunrpc/cache.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index 004cdb59f010..7ce5e28a6c03 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -1536,13 +1536,9 @@ static ssize_t write_flush(struct file *file, const char __user *buf, * or by one second if it has already reached the current time. * Newly added cache entries will always have ->last_refresh greater * that ->flush_time, so they don't get flushed prematurely. - * - * If someone frequently calls the flush interface, we should - * immediately clean the corresponding cache_detail instead of - * continuously accumulating nextcheck. */ - if (cd->flush_time >= now && cd->flush_time < (now + 5)) + if (cd->flush_time >= now) now = cd->flush_time + 1; cd->flush_time = now; -- 2.50.1 From b4432656b36e5cc1d50a1f2dc15357543add530e Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sun, 27 Apr 2025 15:19:23 -0700 Subject: [PATCH 02/16] Linux 6.15-rc4 --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 07f818186151..5aa9ee52a765 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ VERSION = 6 PATCHLEVEL = 15 SUBLEVEL = 0 -EXTRAVERSION = -rc3 +EXTRAVERSION = -rc4 NAME = Baby Opossum Posse # *DOCUMENTATION* -- 2.50.1 From 28cd28a752058bf98b38013039bbde81df48b932 Mon Sep 17 00:00:00 2001 
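Review bot: The restored test `if (cd->flush_time >= now)` in write_flush() again moves `flush_time` one second further on every write that arrives while it is already at or past the current time, which is the accumulation the removed comment lines described. Frequent writes to the flush file can therefore keep pushing it into the future. The revert message gives no root cause for the SELinux failures, so this trade-off ends up undocumented. I would keep one sentence in the block comment, e.g. `* Note: repeated writes keep advancing ->flush_time; fc2a169c56de tried to bound this and was reverted.` The rest of write_flush() is outside the hunk, so who may write this file is not visible here.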
From: Harry Yoo Date: Tue, 18 Mar 2025 10:45:33 +0900 Subject: [PATCH 03/16] lkdtm: use SLAB_NO_MERGE instead of an empty constructor Use SLAB_NO_MERGE flag to prevent merging instead of providing an empty constructor. Using an empty constructor in this manner is an abuse of slab interface. The SLAB_NO_MERGE flag should be used with caution, but in this case, it is acceptable as the cache is intended soley for debugging purposes. No functional changes intended. Signed-off-by: Harry Yoo Link: https://lore.kernel.org/r/20250318014533.1624852-1-harry.yoo@oracle.com Signed-off-by: Kees Cook --- drivers/misc/lkdtm/heap.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c index b1b316f99703..c1a05b935894 100644 --- a/drivers/misc/lkdtm/heap.c +++ b/drivers/misc/lkdtm/heap.c @@ -355,23 +355,12 @@ static void lkdtm_SLAB_FREE_PAGE(void) free_page(p); } -/* - * We have constructors to keep the caches distinctly separated without - * needing to boot with "slab_nomerge". - */ -static void ctor_double_free(void *region) -{ } -static void ctor_a(void *region) -{ } -static void ctor_b(void *region) -{ } - void __init lkdtm_heap_init(void) { double_free_cache = kmem_cache_create("lkdtm-heap-double_free", - 64, 0, 0, ctor_double_free); - a_cache = kmem_cache_create("lkdtm-heap-a", 64, 0, 0, ctor_a); - b_cache = kmem_cache_create("lkdtm-heap-b", 64, 0, 0, ctor_b); + 64, 0, SLAB_NO_MERGE, NULL); + a_cache = kmem_cache_create("lkdtm-heap-a", 64, 0, SLAB_NO_MERGE, NULL); + b_cache = kmem_cache_create("lkdtm-heap-b", 64, 0, SLAB_NO_MERGE, NULL); } void __exit lkdtm_heap_exit(void) -- 2.50.1 From b8e147973eca7e07fa0845350d77c9970263fcd7 Mon Sep 17 00:00:00 2001 
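Review bot: The reason the three caches must stay unmerged is no longer stated in lkdtm_heap_init(), because the block comment that explained it was removed together with the empty constructors. A one-line comment above the first call would keep that intent, e.g. `/* SLAB_NO_MERGE keeps these caches separate without booting with "slab_nomerge". */`. The three `kmem_cache_create()` results are also stored without a NULL check in this hunk. Whether the users of `double_free_cache`, `a_cache` and `b_cache` cope with a failed creation lies outside the hunk.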
From: Kees Cook Date: Wed, 9 Apr 2025 09:04:10 -0700 Subject: [PATCH 04/16] gcc-plugins: Remove ARM_SSP_PER_TASK plugin As part of trying to remove GCC plugins from Linux, drop the ARM_SSP_PER_TASK plugin. The feature is available upstream since GCC 12, so anyone needing newer kernels with per-task ssp can update their compiler[1]. Suggested-by: Arnd Bergmann Link: https://lore.kernel.org/all/08393aa3-05a3-4e3f-8004-f374a3ec4b7e@app.fastmail.com/ [1] Acked-by: Arnd Bergmann Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20250409160409.work.168-kees@kernel.org Signed-off-by: Kees Cook --- arch/arm/Kconfig | 3 +- arch/arm/boot/compressed/Makefile | 2 +- scripts/Makefile.gcc-plugins | 6 - scripts/gcc-plugins/Kconfig | 4 - scripts/gcc-plugins/arm_ssp_per_task_plugin.c | 107 ------------------ 5 files changed, 2 insertions(+), 120 deletions(-) delete mode 100644 scripts/gcc-plugins/arm_ssp_per_task_plugin.c diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 25ed6f1a7c7a..3072731fe09c 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -1380,8 +1380,7 @@ config CC_HAVE_STACKPROTECTOR_TLS config STACKPROTECTOR_PER_TASK bool "Use a unique stack canary value for each task" depends on STACKPROTECTOR && CURRENT_POINTER_IN_TPIDRURO && !XIP_DEFLATED_DATA - depends on GCC_PLUGINS || CC_HAVE_STACKPROTECTOR_TLS - select GCC_PLUGIN_ARM_SSP_PER_TASK if !CC_HAVE_STACKPROTECTOR_TLS + depends on CC_HAVE_STACKPROTECTOR_TLS default y help Due to the fact that GCC uses an ordinary symbol reference from diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile index 945b5975fce2..d61369b1eabe 100644 --- a/arch/arm/boot/compressed/Makefile +++ b/arch/arm/boot/compressed/Makefile 
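Review bot: With `depends on CC_HAVE_STACKPROTECTOR_TLS` as the only compiler condition, STACKPROTECTOR_PER_TASK silently drops out of the configuration on a compiler without that support, so such a build loses per-task canaries without any message. The help text, which continues outside the hunk, does not mention a compiler requirement in the part visible here. I would add a sentence to it such as `Requires compiler support for a TLS-based stack protector (GCC 12 or later).`, taking the version from the commit message.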
@@ -96,7 +96,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING ccflags-y := -fpic $(call cc-option,-mno-single-pic-base,) -fno-builtin \ -I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \ - -I$(obj) $(DISABLE_ARM_SSP_PER_TASK_PLUGIN) + -I$(obj) ccflags-remove-$(CONFIG_FUNCTION_TRACER) += -pg asflags-y := -DZIMAGE diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index e4deaf5fa571..5b8a8378ca8a 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -36,12 +36,6 @@ ifdef CONFIG_GCC_PLUGIN_STACKLEAK endif export DISABLE_STACKLEAK_PLUGIN -gcc-plugin-$(CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK) += arm_ssp_per_task_plugin.so -ifdef CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK - DISABLE_ARM_SSP_PER_TASK_PLUGIN += -fplugin-arg-arm_ssp_per_task_plugin-disable -endif -export DISABLE_ARM_SSP_PER_TASK_PLUGIN - # All the plugin CFLAGS are collected here in case a build target needs to # filter them out of the KBUILD_CFLAGS. GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index e383cda05367..231f4a20d617 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig @@ -46,8 +46,4 @@ config GCC_PLUGIN_LATENT_ENTROPY * https://grsecurity.net/ * https://pax.grsecurity.net/ -config GCC_PLUGIN_ARM_SSP_PER_TASK - bool - depends on GCC_PLUGINS && ARM - endif diff --git a/scripts/gcc-plugins/arm_ssp_per_task_plugin.c b/scripts/gcc-plugins/arm_ssp_per_task_plugin.c deleted file mode 100644 index 7328d037f975..000000000000 --- a/scripts/gcc-plugins/arm_ssp_per_task_plugin.c +++ /dev/null 
@@ -1,107 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 - -#include "gcc-common.h" - -__visible int plugin_is_GPL_compatible; - -static unsigned int canary_offset; - -static unsigned int arm_pertask_ssp_rtl_execute(void) -{ - rtx_insn *insn; - - for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) { - const char *sym; - rtx body; - rtx current; - - /* - * Find a SET insn involving a SYMBOL_REF to __stack_chk_guard - */ - if (!INSN_P(insn)) - continue; - body = PATTERN(insn); - if (GET_CODE(body) != SET || - GET_CODE(SET_SRC(body)) != SYMBOL_REF) - continue; - sym = XSTR(SET_SRC(body), 0); - if (strcmp(sym, "__stack_chk_guard")) - continue; - - /* - * Replace the source of the SET insn with an expression that - * produces the address of the current task's stack canary value - */ - current = gen_reg_rtx(Pmode); - - emit_insn_before(gen_load_tp_hard(current), insn); - - SET_SRC(body) = gen_rtx_PLUS(Pmode, current, - GEN_INT(canary_offset)); - } - return 0; -} - -#define PASS_NAME arm_pertask_ssp_rtl - -#define NO_GATE -#include "gcc-generate-rtl-pass.h" - -#if BUILDING_GCC_VERSION >= 9000 -static bool no(void) -{ - return false; -} - -static void arm_pertask_ssp_start_unit(void *gcc_data, void *user_data) -{ - targetm.have_stack_protect_combined_set = no; - targetm.have_stack_protect_combined_test = no; -} -#endif - -__visible int plugin_init(struct plugin_name_args *plugin_info, - struct plugin_gcc_version *version) -{ - const char * const plugin_name = plugin_info->base_name; - const int argc = plugin_info->argc; - const struct plugin_argument *argv = plugin_info->argv; - int i; - - if (!plugin_default_version_check(version, &gcc_version)) { - error(G_("incompatible gcc/plugin versions")); - return 1; - } - - for (i = 0; i < argc; ++i) { - if (!strcmp(argv[i].key, "disable")) - return 0; - - /* all remaining options require a value */ - if (!argv[i].value) { - error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), - plugin_name, argv[i].key); - return 1; - 
} - - if (!strcmp(argv[i].key, "offset")) { - canary_offset = atoi(argv[i].value); - continue; - } - error(G_("unknown option '-fplugin-arg-%s-%s'"), - plugin_name, argv[i].key); - return 1; - } - - PASS_INFO(arm_pertask_ssp_rtl, "expand", 1, PASS_POS_INSERT_AFTER); - - register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, - NULL, &arm_pertask_ssp_rtl_pass_info); - -#if BUILDING_GCC_VERSION >= 9000 - register_callback(plugin_info->base_name, PLUGIN_START_UNIT, - arm_pertask_ssp_start_unit, NULL); -#endif - - return 0; -} -- 2.50.1 From 0d6efa20e384a41a7f4afdcd8a0aec442c19d33e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?= Date: Wed, 16 Apr 2025 14:44:19 +0200 Subject: [PATCH 05/16] kunit/usercopy: Disable u64 test on 32-bit SPARC MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit usercopy of 64 bit values does not work on 32-bit SPARC: # usercopy_test_valid: EXPECTATION FAILED at lib/tests/usercopy_kunit.c:209 Expected val_u64 == 0x5a5b5c5d6a6b6c6d, but val_u64 == 1515936861 (0x5a5b5c5d) 0x5a5b5c5d6a6b6c6d == 6510899242581322861 (0x5a5b5c5d6a6b6c6d) Disable the test. Fixes: 4c5d7bc63775 ("usercopy: Add tests for all get_user() sizes") Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20250416-kunit-sparc-usercopy-v1-1-a772054db3af@linutronix.de Signed-off-by: Kees Cook --- lib/tests/usercopy_kunit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tests/usercopy_kunit.c b/lib/tests/usercopy_kunit.c index 77fa00a13df7..80f8abe10968 100644 --- a/lib/tests/usercopy_kunit.c +++ b/lib/tests/usercopy_kunit.c @@ -27,6 +27,7 @@ !defined(CONFIG_MICROBLAZE) && \ !defined(CONFIG_NIOS2) && \ !defined(CONFIG_PPC32) && \ + !defined(CONFIG_SPARC32) && \ !defined(CONFIG_SUPERH)) # define TEST_U64 #endif -- 2.50.1 From a510c186abfc870e5c74cf953b646c8a2c07bee1 Mon Sep 17 00:00:00 2001 
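Review bot: Adding `!defined(CONFIG_SPARC32)` switches off the check that, per the commit message, shows a 64-bit get_user() yielding only 0x5a5b5c5d on 32-bit SPARC, so the truncation itself stays in place and is no longer reported. The condition gives no reason for any of the excluded architectures. A comment above the `#if`, which starts outside the hunk, would record it, e.g. `/* SPARC32: 64-bit get_user() returns a truncated value; test disabled until that is fixed. */`.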
From: Kees Cook Date: Wed, 16 Apr 2025 10:20:20 -0700 Subject: [PATCH 06/16] compiler_types: Identify compiler versions for __builtin_dynamic_object_size Clarify when __builtin_dynamic_object_size() is available. All our supported Clang versions support it. GCC 12 and later support it. Link to documentation for both. Acked-by: Miguel Ojeda Link: https://lore.kernel.org/r/20250416172016.work.154-kees@kernel.org Signed-off-by: Kees Cook --- include/linux/compiler_types.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 501cffddc2f4..20881cc761fa 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -449,6 +449,11 @@ struct ftrace_likely_data { /* * When the size of an allocated object is needed, use the best available * mechanism to find it. (For cases where sizeof() cannot be used.) + * + * Optional: only supported since gcc >= 12 + * + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html + * clang: https://clang.llvm.org/docs/LanguageExtensions.html#evaluating-object-size */ #if __has_builtin(__builtin_dynamic_object_size) #define __struct_size(p) __builtin_dynamic_object_size(p, 0) -- 2.50.1 From 9a93048476e7cbdde00cdeebe66b6504995eac92 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 16 Apr 2025 10:29:15 -0700 Subject: [PATCH 07/16] overflow: Clarify expectations for getting DEFINE_FLEX variable sizes Mention the use of __member_size() for DEFINE_FLEX variables as a hint for getting at the compile-time size of the resulting flexible array member. Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20250416172911.work.854-kees@kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 0c7e3dcfe867..6ee67c20b575 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -419,6 +419,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * Define a zeroed, on-stack, instance of @type structure with a trailing * flexible array member. * Use __struct_size(@name) to get compile-time size of it afterwards. + * Use __member_size(@name->member) to get compile-time size of @name members. */ #define DEFINE_RAW_FLEX(type, name, member, count) \ _DEFINE_FLEX(type, name, member, count, = {}) @@ -436,6 +437,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * Define a zeroed, on-stack, instance of @TYPE structure with a trailing * flexible array member. * Use __struct_size(@NAME) to get compile-time size of it afterwards. + * Use __member_size(@NAME->member) to get compile-time size of @NAME members. */ #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT) \ _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, }) -- 2.50.1 From 655862865c97ff55e4f3f2aaa7708f42f0ea3bd8 Mon Sep 17 00:00:00 2001 
From: Kees Cook Date: Tue, 15 Apr 2025 16:14:24 -0700 Subject: [PATCH 08/16] mod_devicetable: Enlarge the maximum platform_device_id name length The 20 byte length of struct platform_device_id::name is not long enough for many devices (especially regulators), where the string initialization is getting truncated and missing the trailing NUL byte. This is seen with GCC 15's -Wunterminated-string-initialization option: drivers/regulator/hi6421v530-regulator.c:189:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 189 | { .name = "hi6421v530-regulator" }, | ^~~~~~~~~~~~~~~~~~~~~~ drivers/regulator/hi6421v600-regulator.c:278:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 278 | { .name = "hi6421v600-regulator" }, | ^~~~~~~~~~~~~~~~~~~~~~ drivers/regulator/lp87565-regulator.c:233:11: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 233 | { "lp87565-q1-regulator", }, | ^~~~~~~~~~~~~~~~~~~~~~ sound/soc/fsl/imx-pcm-rpmsg.c:818:19: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 818 | { .name = "rpmsg-micfil-channel" }, | ^~~~~~~~~~~~~~~~~~~~~~ drivers/iio/light/hid-sensor-als.c:457:25: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 457 | .name = "HID-SENSOR-LISS-0041", | ^~~~~~~~~~~~~~~~~~~~~~ drivers/iio/light/hid-sensor-prox.c:366:25: warning: initializer-string for array of 'char' truncates NUL 
terminator but destination lacks 'nonstring' attribute (21 chars into 20 available) [-Wunterminated-string-initialization] 366 | .name = "HID-SENSOR-LISS-0226", | ^~~~~~~~~~~~~~~~~~~~~~ Increase the length to 24, slightly more than is currently being used by the affected drivers. The string is used in '%s' format strings and via the module code, which appears to do its own length encoding. This size was chosen because there was already a 4 byte hole in the structure: struct platform_device_id { char name[20]; /* 0 20 */ /* XXX 4 bytes hole, try to pack */ kernel_ulong_t driver_data; /* 24 8 */ /* size: 32, cachelines: 1, members: 2 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20250415231420.work.066-kees@kernel.org Signed-off-by: Kees Cook --- include/linux/mod_devicetable.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h index bd7e60c0b72f..ebcee9328168 100644 --- a/include/linux/mod_devicetable.h +++ b/include/linux/mod_devicetable.h @@ -601,7 +601,7 @@ struct dmi_system_id { #define DMI_MATCH(a, b) { .slot = a, .substr = b } #define DMI_EXACT_MATCH(a, b) { .slot = a, .substr = b, .exact_match = 1 } -#define PLATFORM_NAME_SIZE 20 +#define PLATFORM_NAME_SIZE 24 #define PLATFORM_MODULE_PREFIX "platform:" struct platform_device_id { -- 2.50.1 From 8e28276a569addb8a2324439ae473848ee52b056 Mon Sep 17 00:00:00 2001 
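Review bot: `PLATFORM_NAME_SIZE 24` leaves only three spare characters over the 20-character names quoted in the commit message, and nothing next to the define says the array must also hold the trailing NUL. The commit message states the name is used with '%s', so a future 24-character initializer would again give an unterminated string that is read past its end. I would document the constraint on the define, e.g. `/* includes the trailing NUL: names are at most PLATFORM_NAME_SIZE - 1 characters */`. The pahole layout in the message is for an 8-byte `kernel_ulong_t`; whether the structure size changes where that type is 4 bytes is not visible here.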
From: Kees Cook Date: Tue, 15 Apr 2025 15:52:49 -0700 Subject: [PATCH 09/16] watchdog: exar: Shorten identity name to fit correctly The static initializer for struct watchdog_info::identity is too long and gets initialized without a trailing NUL byte. Since the length of "identity" is part of UAPI and tied to ioctls, just shorten the name of the device. Avoids the warning seen with GCC 15's -Wunterminated-string-initialization option: drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization] 224 | .identity = "Exar/MaxLinear XR28V38x Watchdog", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver") Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org Signed-off-by: Kees Cook --- drivers/watchdog/exar_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c index 7c61ff343271..c2e3bb08df89 100644 --- a/drivers/watchdog/exar_wdt.c +++ b/drivers/watchdog/exar_wdt.c @@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = { .options = WDIOF_KEEPALIVEPING | WDIOF_SETTIMEOUT | WDIOF_MAGICCLOSE, - .identity = "Exar/MaxLinear XR28V38x Watchdog", + .identity = "Exar XR28V38x Watchdog", }; static const struct watchdog_ops exar_wdt_ops = { -- 2.50.1 From ccf1d2b4a1d9ef4287ff51e634c626fd4683b10c Mon Sep 17 00:00:00 2001 
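Review bot: The 32-byte limit that forced this rename is not recorded next to the `.identity` initializer, so a later edit can overrun it in the same way. A short comment would do, e.g. `/* identity[] is 32 bytes in the UAPI struct; keep this under 32 characters */`. The string is also what userspace receives through the watchdog ioctls mentioned in the commit message, so anything matching on the old name will see a different value.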
From: Kees Cook Date: Tue, 15 Apr 2025 16:24:05 -0700 Subject: [PATCH 10/16] input/joystick: magellan: Mark __nonstring look-up table const GCC 15's new -Wunterminated-string-initialization notices that the 16 character lookup table "nibbles" (which is not used as a C-String) needs to be marked as "nonstring": drivers/input/joystick/magellan.c: In function 'magellan_crunch_nibbles': drivers/input/joystick/magellan.c:51:44: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (17 chars into 16 available) [-Wunterminated-string-initialization] 51 | static unsigned char nibbles[16] = "0AB3D56GH9:K --- drivers/input/joystick/magellan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/joystick/magellan.c b/drivers/input/joystick/magellan.c index d73389af4dd5..7622638e5bb8 100644 --- a/drivers/input/joystick/magellan.c +++ b/drivers/input/joystick/magellan.c @@ -48,7 +48,7 @@ struct magellan { static int magellan_crunch_nibbles(unsigned char *data, int count) { - static unsigned char nibbles[16] __nonstring = "0AB3D56GH9:K Date: Tue, 22 Apr 2025 15:05:18 -0600 Subject: [PATCH 11/16] overflow: Add STACK_FLEX_ARRAY_SIZE() helper Add new STACK_FLEX_ARRAY_SIZE() helper to get the size of a flexible-array member defined using DEFINE_FLEX()/DEFINE_RAW_FLEX() at compile time. This is essentially the same as ARRAY_SIZE() but for on-stack flexible-array members. Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/83d53744e11c80eb3f03765238cbe648855f4168.1745355442.git.gustavoars@kernel.org Signed-off-by: Kees Cook --- include/linux/overflow.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 6ee67c20b575..f33d74dac06f 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h 
@@ -420,6 +420,8 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * flexible array member. * Use __struct_size(@name) to get compile-time size of it afterwards. * Use __member_size(@name->member) to get compile-time size of @name members. + * Use STACK_FLEX_ARRAY_SIZE(@name, @member) to get compile-time number of + * elements in array @member. */ #define DEFINE_RAW_FLEX(type, name, member, count) \ _DEFINE_FLEX(type, name, member, count, = {}) @@ -438,8 +440,21 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * flexible array member. * Use __struct_size(@NAME) to get compile-time size of it afterwards. * Use __member_size(@NAME->member) to get compile-time size of @NAME members. + * Use STACK_FLEX_ARRAY_SIZE(@name, @member) to get compile-time number of + * elements in array @member. */ #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT) \ _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, }) +/** + * STACK_FLEX_ARRAY_SIZE() - helper macro for DEFINE_FLEX() family. + * Returns the number of elements in @array. + * + * @name: Name for a variable defined in DEFINE_RAW_FLEX()/DEFINE_FLEX(). + * @array: Name of the array member. + */ +#define STACK_FLEX_ARRAY_SIZE(name, array) \ + (__member_size((name)->array) / sizeof(*(name)->array) + \ + __must_be_array((name)->array)) + #endif /* __LINUX_OVERFLOW_H */ -- 2.50.1 From 6e6500e4e4a7f7431a6d7ab02a332ea5fca5c9fa Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Tue, 22 Apr 2025 15:07:41 -0600 Subject: [PATCH 12/16] kunit/overflow: Add tests for STACK_FLEX_ARRAY_SIZE() helper Add a couple of tests for new STACK_FLEX_ARRAY_SIZE() helper. Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/c127631a03cdd7f59bfa091b9666a93bf69d0322.1745355442.git.gustavoars@kernel.org Signed-off-by: Kees Cook --- lib/tests/overflow_kunit.c | 4 ++++ 1 file changed, 4 insertions(+) 
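Review bot: STACK_FLEX_ARRAY_SIZE() divides whatever `__member_size()` returns, and its kernel-doc does not say what happens when it is applied to a pointer that was not created by DEFINE_FLEX()/DEFINE_RAW_FLEX(). If `__member_size()` cannot determine the size, it is expected to yield the maximum `size_t` value (its definition is outside this patch). That would give a very large element count rather than a build error, and a loop bounded by it would run past the array. I would add a sentence such as `Only valid for variables defined with DEFINE_FLEX()/DEFINE_RAW_FLEX(); the result is not meaningful for other pointers.` The DEFINE_FLEX() comment in the same hunk also writes `@name, @member` although that macro's parameters are `NAME` and `MEMBER`.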
diff --git a/lib/tests/overflow_kunit.c b/lib/tests/overflow_kunit.c index 894691b4411a..19cb03b25dc5 100644 --- a/lib/tests/overflow_kunit.c +++ b/lib/tests/overflow_kunit.c @@ -1210,6 +1210,10 @@ static void DEFINE_FLEX_test(struct kunit *test) KUNIT_EXPECT_EQ(test, __struct_size(empty->array), 0); KUNIT_EXPECT_EQ(test, __member_size(empty->array), 0); + KUNIT_EXPECT_EQ(test, STACK_FLEX_ARRAY_SIZE(two, array), 2); + KUNIT_EXPECT_EQ(test, STACK_FLEX_ARRAY_SIZE(eight, array), 8); + KUNIT_EXPECT_EQ(test, STACK_FLEX_ARRAY_SIZE(empty, array), 0); + /* If __counted_by is not being used, array size will have the on-stack size. */ if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY)) array_size_override = 2 * sizeof(s16); -- 2.50.1 From 47e36ed7840661a9f7fb53554a1b04a5f8daffea Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Thu, 1 May 2025 18:44:43 -0600 Subject: [PATCH 13/16] overflow: Fix direct struct member initialization in _DEFINE_FLEX() Currently, to statically initialize the struct members of the `type` object created by _DEFINE_FLEX(), the internal `obj` member must be explicitly referenced at the call site. See: struct flex { int a; int b; struct foo flex_array[]; }; _DEFINE_FLEX(struct flex, instance, flex_array, FIXED_SIZE, = { .obj = { .a = 0, .b = 1, }, }); This leaks _DEFINE_FLEX() internal implementation details and make the helper harder to use and read. Fix this and allow for a more natural and intuitive C99 init-style: _DEFINE_FLEX(struct flex, instance, flex_array, FIXED_SIZE, = { .a = 0, .b = 1, }); Note that before these changes, the `initializer` argument was optional, but now it's required. Also, update "counter" member initialization in DEFINE_FLEX(). Fixes: 26dd68d293fd ("overflow: add DEFINE_FLEX() for on-stack allocs") Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/aBQVeyKfLOkO9Yss@kspp Signed-off-by: Kees Cook --- include/linux/overflow.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/include/linux/overflow.h b/include/linux/overflow.h index f33d74dac06f..7b7be27ca113 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -396,7 +396,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * @name: Name for a variable to define. * @member: Name of the array member. * @count: Number of elements in the array; must be compile-time const. - * @initializer: initializer expression (could be empty for no init). + * @initializer: Initializer expression (e.g., pass `= { }` at minimum). */ #define _DEFINE_FLEX(type, name, member, count, initializer...) \ _Static_assert(__builtin_constant_p(count), \ @@ -404,7 +404,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) union { \ u8 bytes[struct_size_t(type, member, count)]; \ type obj; \ - } name##_u initializer; \ + } name##_u = { .obj initializer }; \ type *name = (type *)&name##_u /** @@ -444,7 +444,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) * elements in array @member. */ #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT) \ - _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, }) + _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .COUNTER = COUNT, }) /** * STACK_FLEX_ARRAY_SIZE() - helper macro for DEFINE_FLEX() family. -- 2.50.1 From 5106c6506c51aa93198908b094228a7143292b9e Mon Sep 17 00:00:00 2001 
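Review bot: With `name##_u = { .obj initializer }` only the `obj` member of the union is initialized explicitly, while the flexible-array storage sits in the part of `bytes` beyond `sizeof(type)`; DEFINE_RAW_FLEX() previously passed `= {}` for the whole union. The kernel-doc for the DEFINE_FLEX() family promises a zeroed instance. Whether the trailing bytes are cleared when a union is initialized through one member depends on the compiler and on build flags outside this hunk, and if they are not, the array holds stale stack contents. I would state the assumption in the `_DEFINE_FLEX()` kernel-doc, e.g. `The trailing array storage is zeroed only if the compiler clears the whole union on initialization.`, and have the KUnit test check that a DEFINE_RAW_FLEX() array reads back as zero.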
From: Jan Hendrik Farr Date: Wed, 30 Apr 2025 20:42:31 +0200 Subject: [PATCH 14/16] hardening: simplify CONFIG_CC_HAS_COUNTED_BY Simplifies CONFIG_CC_HAS_COUNTED_BY by removing the build test and relying solely on gcc/clang version numbering (GCC_VERSION >= 150100 and CLANG_VERSION >= 190103). The build test was used to allow unreleased gcc 15.0 builds to use the __counted_by attribute. Now that gcc 15.1.0 has been released, this is not needed anymore. Note: This will disable __counted_by on unreleased gcc 15.0 builds. clang version support for __counted_by remains unchanged. Link: https://lore.kernel.org/all/Zw8iawAF5W2uzGuh@archlinux/T/#m204c09f63c076586a02d194b87dffc7e81b8de7b Link: https://lore.kernel.org/r/20241029140036.577804-2-kernel@jfarr.cc Suggested-by: Nathan Chancellor Signed-off-by: Jan Hendrik Farr Link: https://lore.kernel.org/r/20250430184231.671365-2-kernel@jfarr.cc Reviewed-by: Nathan Chancellor Signed-off-by: Kees Cook --- init/Kconfig | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/init/Kconfig b/init/Kconfig index 63f5974b9fa6..017fde21d0ba 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -121,13 +121,14 @@ config CC_HAS_NO_PROFILE_FN_ATTR def_bool $(success,echo '__attribute__((no_profile_instrument_function)) int x();' | $(CC) -x c - -c -o /dev/null -Werror) config CC_HAS_COUNTED_BY - # TODO: when gcc 15 is released remove the build test and add - # a gcc version check - def_bool $(success,echo 'struct flex { int count; int array[] __attribute__((__counted_by__(count))); };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror) + bool # clang needs to be at least 19.1.3 to avoid __bdos miscalculations # https://github.com/llvm/llvm-project/pull/110497 # https://github.com/llvm/llvm-project/pull/112636 - depends on !(CC_IS_CLANG && CLANG_VERSION < 190103) + default y if CC_IS_CLANG && CLANG_VERSION >= 190103 + # supported since gcc 15.1.0 + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896 + default y if CC_IS_GCC && GCC_VERSION >= 150100 config CC_HAS_MULTIDIMENSIONAL_NONSTRING def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror) -- 2.50.1 From 5e88c48cb4bcbd0ea683373a106268933bb4edd2 Mon Sep 17 00:00:00 2001 
From: Kees Cook Date: Fri, 18 Apr 2025 14:32:39 -0700 Subject: [PATCH 15/16] kbuild: Switch from -Wvla to -Wvla-larger-than=1 Variable Length Arrays (VLAs) on the stack must not be used in the kernel. Function parameter VLAs[1] should be usable, but -Wvla will warn for those. For example, this will produce a warning but it is not using a stack VLA: int something(size_t n, int array[n]) { ... Clang has no way yet to distinguish between the VLA types[2], so depend on GCC for now to keep stack VLAs out of the tree by using GCC's -Wvla-larger-than=N option (though GCC may split -Wvla similarly[3] to how Clang is planning to). While GCC 8+ supports -Wvla-larger-than, only 9+ supports ...=0[4], so use -Wvla-larger-than=1. Adjust mm/kasan/Makefile to remove it from CFLAGS (GCC <9 appears unable to disable the warning correctly[5]). The VLA usage in lib/test_ubsan.c was removed in commit 9d7ca61b1366 ("lib/test_ubsan.c: VLA no longer used in kernel") so the lib/Makefile disabling of VLA checking can be entirely removed. Link: https://en.cppreference.com/w/c/language/array [1] Link: https://github.com/llvm/llvm-project/issues/57098 [2] Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98217 [3] Link: https://lore.kernel.org/lkml/7780883c-0ac8-4aaa-b850-469e33b50672@linux.ibm.com/ [4] Link: https://lore.kernel.org/r/202505071331.4iOzqmuE-lkp@intel.com/ [5] Reviewed-by: Nathan Chancellor Reviewed-by: Christoph Hellwig Tested-by: Venkat Rao Bagalkote Link: https://lore.kernel.org/r/20250418213235.work.532-kees@kernel.org Signed-off-by: Kees Cook --- lib/Makefile | 1 - mm/kasan/Makefile | 3 ++- scripts/Makefile.extrawarn | 9 +++++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index f07b24ce1b3f..c38582f187dd 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -71,7 +71,6 @@ CFLAGS_test_bitops.o += -Werror obj-$(CONFIG_TEST_SYSCTL) += test_sysctl.o obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o -CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) CFLAGS_test_ubsan.o += $(call cc-disable-warning, unused-but-set-variable) UBSAN_SANITIZE_test_ubsan.o := y obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile index 1a958e7c8a46..dd93ae8a6beb 100644 --- a/mm/kasan/Makefile +++ b/mm/kasan/Makefile @@ -35,7 +35,7 @@ CFLAGS_shadow.o := $(CC_FLAGS_KASAN_RUNTIME) CFLAGS_hw_tags.o := $(CC_FLAGS_KASAN_RUNTIME) CFLAGS_sw_tags.o := $(CC_FLAGS_KASAN_RUNTIME) -CFLAGS_KASAN_TEST := $(CFLAGS_KASAN) $(call cc-disable-warning, vla) +CFLAGS_KASAN_TEST := $(CFLAGS_KASAN) ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX # If compiler instruments memintrinsics by prefixing them with __asan/__hwasan, # we need to treat them normally (as builtins), otherwise the compiler won't @@ -44,6 +44,7 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX CFLAGS_KASAN_TEST += -fno-builtin endif +CFLAGS_REMOVE_kasan_test_c.o += $(call cc-option, -Wvla-larger-than=1) CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST) RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN) diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn index 2d6e59561c9d..59d3d196fe4f 100644 --- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn 
@@ -45,8 +45,13 @@ endif # These result in bogus false positives KBUILD_CFLAGS += $(call cc-disable-warning, dangling-pointer) -# Variable Length Arrays (VLAs) should not be used anywhere in the kernel -KBUILD_CFLAGS += -Wvla +# Stack Variable Length Arrays (VLAs) must not be used in the kernel. +# Function array parameters should, however, be usable, but -Wvla will +# warn for those. Clang has no way yet to distinguish between the VLA +# types, so depend on GCC for now to keep stack VLAs out of the tree. +# https://github.com/llvm/llvm-project/issues/57098 +# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98217 +KBUILD_CFLAGS += $(call cc-option,-Wvla-larger-than=1) # disable pointer signed / unsigned warnings in gcc 4.0 KBUILD_CFLAGS += -Wno-pointer-sign -- 2.50.1 From 0cecd37daef3d57e6656c0023978d5ec2d7409c1 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 3 May 2025 11:46:18 -0700 Subject: [PATCH 16/16] gcc-plugins: Force full rebuild when plugins change There was no dependency between the plugins changing and the rest of the kernel being built. This could cause strange behaviors as instrumentation could vary between targets depending on when they were built. Generate a new header file, gcc-plugins.h, any time the GCC plugins change. Include the header file in compiler-version.h when its associated feature name, GCC_PLUGINS, is defined. This will be picked up by fixdep and force rebuilds where needed. Add a generic "touch" kbuild command, which will be used again in a following patch. Add a "normalize_path" string helper to make the "TOUCH" output less ugly. Link: https://lore.kernel.org/r/20250503184623.2572355-1-kees@kernel.org Tested-by: Nicolas Schier Reviewed-by: Nicolas Schier Signed-off-by: Kees Cook --- include/linux/compiler-version.h | 11 +++++++++++ scripts/Makefile.gcc-plugins | 2 +- scripts/Makefile.lib | 18 ++++++++++++++++++ scripts/gcc-plugins/Makefile | 4 ++++ 4 files changed, 34 insertions(+), 1 deletion(-) 
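Review bot: The new comment in scripts/Makefile.extrawarn explains why `-Wvla` is replaced but not why the threshold is `=1`, which reads like an off-by-one to anyone who has not seen the commit message. The message says only GCC 9+ accepts `=0`, so that reason belongs next to the flag. I would add a line such as `# GCC 8 does not accept -Wvla-larger-than=0, so use =1.` directly above the `KBUILD_CFLAGS += $(call cc-option,-Wvla-larger-than=1)` line.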
diff --git a/include/linux/compiler-version.h b/include/linux/compiler-version.h index 573fa85b6c0c..5dba398a9412 100644 --- a/include/linux/compiler-version.h +++ b/include/linux/compiler-version.h @@ -12,3 +12,14 @@ * and add dependency on include/config/CC_VERSION_TEXT, which is touched * by Kconfig when the version string from the compiler changes. */ + +/* Additional tree-wide dependencies start here. */ + +/* + * If any of the GCC plugins change, we need to rebuild everything that + * was built with them, as they may have changed their behavior and those + * behaviors may need to be synchronized across all translation units. + */ +#ifdef GCC_PLUGINS +#include +#endif diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 5b8a8378ca8a..e50dc931be49 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -38,7 +38,7 @@ export DISABLE_STACKLEAK_PLUGIN # All the plugin CFLAGS are collected here in case a build target needs to # filter them out of the KBUILD_CFLAGS. -GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) +GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -DGCC_PLUGINS export GCC_PLUGINS_CFLAGS # Add the flags to the build! diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 2fe73cda0bdd..6fc2a82ee3bb 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib 
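Review bot: In scripts/Makefile.gcc-plugins, `-DGCC_PLUGINS` is appended after the `$(strip ...)` with no comment, so nothing near the line says what the macro is for or that it is set even when `$(gcc-plugin-y)` is empty. The existing comment only mentions plugin flags that a target may filter out. A target that filters `GCC_PLUGINS_CFLAGS` now also loses the define and with it the header dependency, which looks intended but should be written down. I would extend the comment with something like `# -DGCC_PLUGINS makes compiler-version.h include the generated gcc-plugins.h, so objects built with the plugins are rebuilt when the plugins change.`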
@@ -296,6 +296,19 @@ $(foreach m, $1, \ $(addprefix $(obj)/, $(call suffix-search, $(patsubst $(obj)/%,%,$m), $2, $3)))) endef +# Remove ".." and "." from a path, without using "realpath" +# Usage: +# $(call normalize_path,path/to/../file) +define normalize_path +$(strip $(eval elements :=) \ +$(foreach elem,$(subst /, ,$1), \ + $(if $(filter-out .,$(elem)), \ + $(if $(filter ..,$(elem)), \ + $(eval elements := $(wordlist 2,$(words $(elements)),x $(elements))), \ + $(eval elements := $(elements) $(elem))))) \ +$(subst $(space),/,$(elements))) +endef + # Build commands # =========================================================================== # These are shared by some Makefile.* files. @@ -343,6 +356,11 @@ quiet_cmd_copy = COPY $@ $(obj)/%: $(src)/%_shipped $(call cmd,copy) +# Touch a file +# =========================================================================== +quiet_cmd_touch = TOUCH $(call normalize_path,$@) + cmd_touch = touch $@ + # Commands useful for building a boot image # =========================================================================== # diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile index 320afd3cf8e8..05b14aba41ef 100644 --- a/scripts/gcc-plugins/Makefile +++ b/scripts/gcc-plugins/Makefile @@ -66,3 +66,7 @@ quiet_cmd_plugin_cxx_o_c = HOSTCXX $@ $(plugin-objs): $(obj)/%.o: $(src)/%.c FORCE $(call if_changed_dep,plugin_cxx_o_c) + +$(obj)/../../include/generated/gcc-plugins.h: $(plugin-single) $(plugin-multi) FORCE + $(call if_changed,touch) +always-y += ../../include/generated/gcc-plugins.h -- 2.50.1
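Review bot: `normalize_path` in scripts/Makefile.lib is documented as a general helper, but it drops a leading `/` (the path is split on `/` and rejoined from the words) and silently discards any `..` that climbs above the first element, so `../foo` becomes `foo`. That is harmless for the `TOUCH` log line it serves in this patch, but a later caller using it to build a real path would end up with a different file. The usage comment should say so, e.g. `# For log output only: a leading "/" and any ".." above the first element are dropped.` The helper also assigns the global make variable `elements` through `$(eval ...)`; a more specific name such as `__normalize_path_elems` would avoid clobbering an unrelated variable.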
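Review bot: The new rule in scripts/gcc-plugins/Makefile has no comment, and it is not obvious from the rule that `include/generated/gcc-plugins.h` is only touched, so its timestamp is the whole point. The target is also spelled through `$(obj)/../../`, which ties the rule to this directory's depth in the tree. I would add a comment above the rule such as `# Marker header: touched whenever a plugin is rebuilt so that everything including compiler-version.h is rebuilt too.`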