xavi/android_kernel_m2note/fs/proc/task_mmu.c, branch ng-7.1.2

Replace with globally

2018-11-29T16:49:05+00:00

This was entirely automated, using the script by Al: PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*' sed -i -e "s!$PATT!#include !" \ $(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h) to do the replacement at the end of the merge window. Requested-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Moyster

fs: proc: task_mmu: fix proc_mem_open creds for fs access checks

2017-09-23T16:29:49+00:00

Should fix : [ 2201.337557]<0> (0)[672:android.bg]WARNING: at ../../../../../../kernel/meizu/m2note/kernel/ptrace.c:239 __ptrace_may_access+0x164/0x178() [ 2201.337568]<0> (0)[672:android.bg]denying ptrace access check without PTRACE_MODE_*CREDS [ 2201.337583]<0> (0)[672:android.bg]CPU: 0 PID: 672 Comm: android.bg Tainted: G W 3.10.107-NOyster #1 [ 2201.337593]<0> (0)[672:android.bg]Call trace: [ 2201.337609]<0> (0)[672:android.bg][] dump_backtrace+0x0/0x148 [ 2201.337625]<0> (0)[672:android.bg][] show_stack+0x14/0x1c [ 2201.337642]<0> (0)[672:android.bg][] dump_stack+0x20/0x28 [ 2201.337657]<0> (0)[672:android.bg][] warn_slowpath_fmt+0xb0/0x134 [ 2201.337673]<0> (0)[672:android.bg][] __ptrace_may_access+0x164/0x178 [ 2201.337687]<0> (0)[672:android.bg][] ptrace_may_access+0x2c/0x4c [ 2201.337704]<0> (0)[672:android.bg][] mm_access+0x98/0xe0 [ 2201.337722]<0> (0)[672:android.bg][] proc_mem_open+0x2c/0xa0 [ 2201.337739]<0> (0)[672:android.bg][] pid_smaps_open+0x48/0x88 [ 2201.337756]<0> (0)[672:android.bg][] do_dentry_open+0x178/0x268 [ 2201.337772]<0> (0)[672:android.bg][] finish_open+0x30/0x5c [ 2201.337787]<0> (0)[672:android.bg][] do_last.isra.29+0x45c/0xcbc [ 2201.337802]<0> (0)[672:android.bg][] path_openat.isra.30+0xb8/0x494 [ 2201.337817]<0> (0)[672:android.bg][] do_filp_open+0x40/0xb4 [ 2201.337834]<0> (0)[672:android.bg][] do_sys_open+0x118/0x1f0 [ 2201.337851]<0> (0)[672:android.bg][] SyS_openat+0x10/0x18 [ 2201.337861]<0> (0)[672:android.bg]---[ end trace e7bf4b0b0cb5766d ]--- Signed-off-by: Mister Oyster

seq_file: remove "%n" usage from seq_file users

2017-09-23T13:02:44+00:00

All seq_printf() users are using "%n" for calculating padding size, convert them to use seq_setwidth() / seq_pad() pair. Signed-off-by: Tetsuo Handa Signed-off-by: Kees Cook Cc: Joe Perches Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Git-commit: 652586df95e5d76b37d07a11839126dcfede1621 Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git [davidb@codeaurora.org: Resolve merge conflicts with ipv4/6 ping changes in upstream] CRs-fixed: 665291 Change-Id: Ia0416c9dbe3d80ff35f24f9c93c3543d1200a327 Signed-off-by: David Brown

mm: larger stack guard gap, between vmas

2017-07-04T10:11:29+00:00

commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream. Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN. This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunatelly. Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in the PAGE_SIZE units) which should cover larger alloca() and VLA stack allocations. It is obviously not a full fix because the problem is somehow inherent, but it should reduce attack space a lot. One could argue that the gap size should be configurable from userspace, but that can be done later when somebody finds that the new 1MB is wrong for some special case applications. For now, add a kernel command line option (stack_guard_gap) to specify the stack gap size (in page units). Implementation wise, first delete all the old code for stack guard page: because although we could get away with accounting one extra page in a stack vma, accounting a larger gap can break userspace - case in point, a program run with "ulimit -S -v 20000" failed when the 1MB gap was counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK and strict non-overcommit mode. Instead of keeping gap inside the stack vma, maintain the stack guard gap as a gap between vmas: using vm_start_gap() in place of vm_start (or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few places which need to respect the gap - mainly arch_get_unmapped_area(), and and the vma tree's subtree_gap support for that. Original-patch-by: Oleg Nesterov Original-patch-by: Michal Hocko Signed-off-by: Hugh Dickins [wt: backport to 4.11: adjust context] [wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide] [wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes] [wt: backport to 3.18: adjust context ; no FOLL_POPULATE ; s390 uses generic arch_get_unmapped_area()] [wt: backport to 3.16: adjust context] [wt: backport to 3.10: adjust context ; code logic in PARISC's arch_get_unmapped_area() wasn't found ; code inserted into expand_upwards() and expand_downwards() runs under anon_vma lock; changes for gup.c:faultin_page go to memory.c:__get_user_pages(); included Hugh Dickins' fixes] Signed-off-by: Willy Tarreau

mempolicy: fix show_numa_map() vs exec() + do_set_mempolicy() race

2016-09-28T13:15:17+00:00

9e7814404b77 "hold task->mempolicy while numa_maps scans." fixed the race with the exiting task but this is not enough. The current code assumes that get_vma_policy(task) should either see task->mempolicy == NULL or it should be equal to ->task_mempolicy saved by hold_task_mempolicy(), so we can never race with __mpol_put(). But this can only work if we can't race with do_set_mempolicy(), and thus we can't race with another do_set_mempolicy() or do_exit() after that. However, do_set_mempolicy()->down_write(mmap_sem) can not prevent this race. This task can exec, change it's ->mm, and call do_set_mempolicy() after that; in this case they take 2 different locks. Change hold_task_mempolicy() to use get_task_policy(), it never returns NULL, and change show_numa_map() to use __get_vma_policy() or fall back to proc_priv->task_mempolicy. Note: this is the minimal fix, we will cleanup this code later. I think hold_task_mempolicy() and release_task_mempolicy() should die, we can move this logic into show_numa_map(). Or we can move get_task_policy() outside of ->mmap_sem and !CONFIG_NUMA code at least. Signed-off-by: Oleg Nesterov Cc: KAMEZAWA Hiroyuki Cc: David Rientjes Cc: KOSAKI Motohiro Cc: Alexander Viro Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Cc: "Kirill A. Shutemov" Cc: Peter Zijlstra Cc: Hugh Dickins Cc: Andi Kleen Cc: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT

proc/maps: make vm_is_stack() logic namespace-friendly

2016-09-28T13:15:16+00:00

- Rename vm_is_stack() to task_of_stack() and change it to return "struct task_struct *" rather than the global (and thus wrong in general) pid_t. - Add the new pid_of_stack() helper which calls task_of_stack() and uses the right namespace to report the correct pid_t. Unfortunately we need to define this helper twice, in task_mmu.c and in task_nommu.c. perhaps it makes sense to add fs/proc/util.c and move at least pid_of_stack/task_of_stack there to avoid the code duplication. - Change show_map_vma() and show_numa_map() to use the new helper. Signed-off-by: Oleg Nesterov Cc: Alexander Viro Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Cc: Greg Ungerer Cc: "Kirill A. Shutemov" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT Conflicts: fs/proc/task_nommu.c mm/util.c

proc/maps: replace proc_maps_private->pid with "struct inode *inode"

2016-09-28T13:15:15+00:00

m_start() can use get_proc_task() instead, and "struct inode *" provides more potentially useful info, see the next changes. Signed-off-by: Oleg Nesterov Cc: Alexander Viro Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Cc: Greg Ungerer Cc: "Kirill A. Shutemov" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT

fs/proc/task_mmu.c: update m->version in the main loop in m_start()

2016-09-28T13:15:14+00:00

Change the main loop in m_start() to update m->version. Mostly for consistency, but this can help to avoid the same loop if the very 1st ->show() fails due to seq_overflow(). Signed-off-by: Oleg Nesterov Cc: Kirill A. Shutemov Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT

fs/proc/task_mmu.c: reintroduce m->version logic

2016-09-28T13:15:13+00:00

Add the "last_addr" optimization back. Like before, every ->show() method checks !seq_overflow() and sets m->version = vma->vm_start. However, it also checks that m_next_vma(vma) != NULL, otherwise it sets m->version = -1 for the lockless "EOF" fast-path in m_start(). m_start() can simply do find_vma() + m_next_vma() if last_addr is not zero, the code looks clear and simple and this case is clearly separated from "scan vmas" path. Signed-off-by: Oleg Nesterov Cc: Kirill A. Shutemov Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT Conflicts: fs/proc/task_mmu.c

fs/proc/task_mmu.c: introduce m_next_vma() helper

2016-09-28T13:15:12+00:00

Extract the tail_vma/vm_next calculation from m_next() into the new trivial helper, m_next_vma(). Signed-off-by: Oleg Nesterov Cc: Kirill A. Shutemov Cc: Cyrill Gorcunov Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: W4TCH0UT