Merge tag 'hardening-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux (ce5a51bf) · Commits · git / linux-net

arch/arm/mm/fault.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -25,6 +25,8 @@

		#include "fault.h"

		#ifdef CONFIG_MMU

		bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
		{
		unsigned long addr = (unsigned long)unsafe_src;
		@@ -32,8 +34,6 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
		return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
		}

		#ifdef CONFIG_MMU

		/*
		* This is useful to dump out the page tables associated with
		* 'addr' in mm 'mm'.

+9 −0

Original line number	Diff line number	Diff line
		@@ -2414,6 +2414,15 @@ config STRICT_SIGALTSTACK_SIZE

		Say 'N' unless you want to really enforce this check.

		config CFI_AUTO_DEFAULT
		bool "Attempt to use FineIBT by default at boot time"
		depends on FINEIBT
		default y
		help
		Attempt to use FineIBT by default at boot time. If enabled,
		this is the same as booting with "cfi=auto". If disabled,
		this is the same as booting with "cfi=kcfi".

		source "kernel/livepatch/Kconfig"

		endmenu

+1 −1

Original line number	Diff line number	Diff line
		@@ -93,7 +93,7 @@
		*
		*/
		enum cfi_mode {
		CFI_DEFAULT, /* FineIBT if hardware has IBT, otherwise kCFI */
		CFI_AUTO, /* FineIBT if hardware has IBT, otherwise kCFI */
		CFI_OFF, /* Taditional / IBT depending on .config */
		CFI_KCFI, /* Optionally CALL_PADDING, IBT, RETPOLINE */
		CFI_FINEIBT, /* see arch/x86/kernel/alternative.c */

+4 −4

Original line number	Diff line number	Diff line
		@@ -901,8 +901,8 @@ void __init_or_module apply_seal_endbr(s32 start, s32 end) { }

		#endif /* CONFIG_X86_KERNEL_IBT */

		#ifdef CONFIG_FINEIBT
		#define __CFI_DEFAULT CFI_DEFAULT
		#ifdef CONFIG_CFI_AUTO_DEFAULT
		#define __CFI_DEFAULT CFI_AUTO
		#elif defined(CONFIG_CFI_CLANG)
		#define __CFI_DEFAULT CFI_KCFI
		#else
		@@ -1010,7 +1010,7 @@ static __init int cfi_parse_cmdline(char *str)
		}

		if (!strcmp(str, "auto")) {
		cfi_mode = CFI_DEFAULT;
		cfi_mode = CFI_AUTO;
		} else if (!strcmp(str, "off")) {
		cfi_mode = CFI_OFF;
		cfi_rand = false;
		@@ -1270,7 +1270,7 @@ static void __apply_fineibt(s32 start_retpoline, s32 end_retpoline,
		"FineIBT preamble wrong size: %ld", fineibt_preamble_size))
		return;

		if (cfi_mode == CFI_DEFAULT) {
		if (cfi_mode == CFI_AUTO) {
		cfi_mode = CFI_KCFI;
		if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT))
		cfi_mode = CFI_FINEIBT;

+30 −0

Original line number	Diff line number	Diff line
		@@ -286,6 +286,35 @@ static void lkdtm_HARDLOCKUP(void)
		cpu_relax();
		}

		static void __lkdtm_SMP_CALL_LOCKUP(void *unused)
		{
		for (;;)
		cpu_relax();
		}

		static void lkdtm_SMP_CALL_LOCKUP(void)
		{
		unsigned int cpu, target;

		cpus_read_lock();

		cpu = get_cpu();
		target = cpumask_any_but(cpu_online_mask, cpu);

		if (target >= nr_cpu_ids) {
		pr_err("FAIL: no other online CPUs\n");
		goto out_put_cpus;
		}

		smp_call_function_single(target, __lkdtm_SMP_CALL_LOCKUP, NULL, 1);

		pr_err("FAIL: did not hang\n");

		out_put_cpus:
		put_cpu();
		cpus_read_unlock();
		}

		static void lkdtm_SPINLOCKUP(void)
		{
		/* Must be called twice to trigger. */
		@@ -680,6 +709,7 @@ static struct crashtype crashtypes[] = {
		CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
		CRASHTYPE(SOFTLOCKUP),
		CRASHTYPE(HARDLOCKUP),
		CRASHTYPE(SMP_CALL_LOCKUP),
		CRASHTYPE(SPINLOCKUP),
		CRASHTYPE(HUNG_TASK),
		CRASHTYPE(OVERFLOW_SIGNED),