Commit Graph

30 Commits

Author SHA1 Message Date
Kees Cook 8779657d29 stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
This changes the stack protector config option into a choice of
"None", "Regular", and "Strong":

   CONFIG_CC_STACKPROTECTOR_NONE
   CONFIG_CC_STACKPROTECTOR_REGULAR
   CONFIG_CC_STACKPROTECTOR_STRONG

"Regular" means the old CONFIG_CC_STACKPROTECTOR=y option.

"Strong" is a new mode introduced by this patch. With "Strong" the
kernel is built with -fstack-protector-strong (available in
gcc 4.9 and later). This option increases the coverage of the stack
protector without the heavy performance hit of -fstack-protector-all.

For reference, the stack protector options available in gcc are:

-fstack-protector-all:
  Adds the stack-canary saving prefix and stack-canary checking
  suffix to _all_ function entry and exit. Results in substantial
  use of stack space for saving the canary for deep stack users
  (e.g. historically xfs), and measurable (though shockingly still
  low) performance hit due to all the saving/checking. Really not
  suitable for sane systems, and was entirely removed as an option
  from the kernel many years ago.

-fstack-protector:
  Adds the canary save/check to functions that define an 8
  (--param=ssp-buffer-size=N, N=8 by default) or more byte local
  char array. Traditionally, stack overflows happened with
  string-based manipulations, so this was a way to find those
  functions. Very few total functions actually get the canary; no
  measurable performance or size overhead.

-fstack-protector-strong
  Adds the canary for a wider set of functions, since it's not
  just those with strings that have ultimately been vulnerable to
  stack-busting. With this superset, more functions end up with a
  canary, but it still remains small compared to all functions
  with only a small change in performance. Based on the original
  design document, a function gets the canary when it contains any
  of:

    - local variable's address used as part of the right hand side
      of an assignment or function argument
    - local variable is an array (or union containing an array),
      regardless of array type or length
    - uses register local variables

  https://docs.google.com/a/google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU

Find below a comparison of "size" and "objdump" output when built with
gcc-4.9 in three configurations:

  - defconfig
	11430641 kernel text size
	36110 function bodies

  - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR
	11468490 kernel text size (+0.33%)
	1015 of 36110 functions are stack-protected (2.81%)

  - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch
	11692790 kernel text size (+2.24%)
	7401 of 36110 functions are stack-protected (20.5%)

With -strong, ARM's compressed boot code now triggers stack
protection, so a static guard was added. Since this is only used
during decompression and was never used before, the exposure
here is very small. Once it switches to the full kernel, the
stack guard is back to normal.

Chrome OS has been using -fstack-protector-strong for its kernel
builds for the last 8 months with no problems.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-3-git-send-email-keescook@chromium.org
[ Improved the changelog and descriptions some more. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2013-12-20 09:38:40 +01:00
Shawn Guo 615967b00f ARM: 7671/1: use Kconfig to select uncompress.h
Following the approach handling DEBUG_LL inclusion, the patch creates
a Kconfig symbol CONFIG_UNCOMPRESS_INCLUDE for choosing the correct
uncompress header.  For traditional build, mach/uncompress.h will be
included in arch/arm/boot/compressed/misc.c.  For multiplatform build,
debug/uncompress.h which contains a suite of empty functions will be
used.  In this way, a platform with particular uncompress.h
implementation could choose its own uncompress.h with this Kconfig
option.

Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-15 17:18:51 +00:00
Rob Herring 387798b37c ARM: initial multiplatform support
This lets us build a multiplatform kernel for experimental purposes.
However, it will not be useful for any real work, because it relies
on a number of useful things to be disabled for now:

* SMP support must be turned off because of conflicting symbols.
  Marc Zyngier has proposed a solution by adding a new SOC
  operations structure to hold indirect function pointers
  for these, but that work is currently stalled

* We turn on SPARSE_IRQ unconditionally, which is not supported
  on most platforms. Each of them is currently in a different
  state, but most are being worked on.

* A common clock framework is in place since v3.4 but not yet
  being used. Work on this is on its way.

* DEBUG_LL for early debugging is currently disabled.

* THUMB2_KERNEL does not work with allyesconfig because the
  kernel gets too big

[Rob Herring]: Rebased to not be dependent on the mass mach header rename.
As a result, omap2plus, imx, mxs and ux500 are not converted. Highbank,
picoxcell, mvebu, and socfpga are converted.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Andrew Lunn <andrew@lunn.ch>
Acked-by: Jamie Iles <jamie@jamieiles.com>
Cc: Dinh Nguyen <dinguyen@altera.com>
2012-09-14 09:22:06 -05:00
Nicolas Pitre df4879fa26 ARM: zImage: gather some string functions into string.c
This is a small subset of string functions needed by commits to come.
Except for memcpy() which is unchanged from its original location, their
implementation is meant to be small, and -Os is enforced to prevent gcc
from doing pointless loop unrolling.

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Shawn Guo <shawn.guo@linaro.org>
Tested-by: Dave Martin <dave.martin@linaro.org>
Tested-by: Thomas Abraham <thomas.abraham@linaro.org>
2011-09-14 13:51:58 -04:00
Russell King 7b76415375 Merge branch 'zImage_fixes' of git://git.linaro.org/people/nico/linux into devel-stable 2011-05-07 08:34:02 +01:00
Nicolas Pitre ccc1c7c6c2 ARM: zImage: don't ignore error returned from decompress()
If decompress() returns an error without calling error(), we must
not attempt to boot the resulting kernel.

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Shawn Guo <shawn.guo@linaro.org>
Tested-by: Tony Lindgren <tony@atomide.com>
2011-05-07 00:08:01 -04:00
Nicolas Pitre e40f1e9fb3 ARM: zImage: simplify decompress_kernel()
The return value for decompress_kernel() is no longer used.  Furthermore,
this was obtained and stored in a variable called output_ptr which is
a complete misnomer for what is actually the size of the decompressed
kernel image.  Let's get rid of it.

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Shawn Guo <shawn.guo@linaro.org>
Tested-by: Tony Lindgren <tony@atomide.com>
2011-05-07 00:08:00 -04:00
Stephen Boyd dfad549d98 ARM: 6826/1: Merge v6 and v7 DEBUG_LL DCC support
The inline assembly differences for v6 vs. v7 are purely
optimizations. On a v7 processor, an mrc with the pc sets the
condition codes to the 28-31 bits of the register being read. It
just so happens that the TX/RX full bits the DCC support code is
testing for are high enough in the register to be put into the
condition codes. On a v6 processor, this "feature" isn't
implemented and thus we have to do the usual read, mask, test
operations to check for TX/RX full. Thus, we can drop the v7
implementation and just use the v6 implementation for both.

Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2011-03-28 19:01:43 +01:00
Russell King e399b1a4e1 ARM: v6k: introduce CPU_V6K option
Introduce a CPU_V6K configuration option for platforms to select if they
have a V6K CPU core.  This allows us to identify whether we need to
support ARMv6 CPUs without the V6K SMP extensions at build time.

Currently CPU_V6K is just an alias for CPU_V6, and all places which
reference CPU_V6 are replaced by (CPU_V6 || CPU_V6K).

Select CPU_V6K from platforms which are known to be V6K-only.

Acked-by: Tony Lindgren <tony@atomide.com>
Tested-by: Sourav Poddar <sourav.poddar@ti.com>
Tested-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2011-02-02 21:23:26 +00:00
Uwe Kleine-König 7179304bfc ARM: remove bit-rotten STANDALONE_DEBUG for decompressor
I tried to get this running to debug the regression introduced by
e7db7b4 without success.  But this has several problems that make it
hard to fix:

  - lib/decompress_inflate.c includes in-kernel headers that make
    it difficult to compile for user space.
  - the binary formats changed both in kernel and user space and
    at least for the kernel side there isn't only a single
    variant.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Nicolas Pitre <nicolas.pitre@linaro.org>
2010-07-07 16:38:16 +02:00
Mark Brown a2302b45d8 ARM: 5985/2: ARM: Fix Samsung build after "ARM: Eliminate decompressor -Dstatic= PIC hack"
Commit 5de813b6 (ARM: Eliminate decompressor -Dstatic= PIC hack) among
other things changed the declared type of the error() function to an
extern, conflicting with the forward declartion in the Samsung
plat/uncompress.h which appears to have been relying on the static
being defined away, causing build failures since error() ends up with
a GOT relocation but the linker script discards all GOT relocated
data and functions:

arch/arm/boot/compressed/decompress.o: In function `gunzip':
/home/broonie/git/linux-2.6/arch/arm/boot/compressed/../../../../lib/decompress_
+inflate.c:68: undefined reference to `error'

and so on. Fix this by moving the declaration into uncompress/misc.c
where it is shared with the rest of the code, correcting the definition
as we go.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-03-13 10:48:21 +00:00
Russell King 2741ecb4ce Merge branch 'misc2' into devel 2010-02-25 22:09:41 +00:00
Russell King 5de813b6cd ARM: Eliminate decompressor -Dstatic= PIC hack
We used to build decompressors with -Dstatic= to avoid any local data
being generated.  The problem is that local data generates GOTOFF
relocations, which means we can't relocate the data relative to the
text segment.

Global data, on the other hand, goes through the GOT, and can be
relocated anywhere.

Unfortunately, with the new decompressors, this presents a problem
since they declare static data within functions, and this leads to
stack overflow.

Fix this by separating out the decompressor code into a separate file,
and removing 'static' from BSS data in misc.c.

Also, discard the .data section - this means that should we end up
with read/write initialized data, the decompressor will fail to link
and the problem will be obvious.

Acked-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-02-25 19:34:31 +00:00
Tony Lindgren 200b7a8dc0 ARM: 5884/1: arm: Fix DCC console for v7
Without this patch arch/arm/compressed/head.S defaults to generic
DCC code that does not work for v7.

For more information on the v7 DCC, see Cortex-A8 TRM
"12.11.1 Debug communications channel".

To use it with post 2.6.33-rc1 or later, you need to have:

CONFIG_DEBUG_LL=y
ONFIG_DEBUG_ICEDCC=y
CONFIG_EARLY_PRINTK=y

Earlier kernels need commit 93fd03a8c6
backported.

Tested on omap3430.

Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-01-19 20:23:16 +00:00
Tony Lindgren b53e9b5ebd ARM: 5882/1: ARM: Fix uncompress code compile for different defines of flush(void)
Because of the include of the decompress_inflate.c file from
boot/compress/misc.c, there are different flush() defines:

In file included from arch/arm/boot/compressed/misc.c:249:
arch/arm/boot/compressed/../../../../lib/decompress_inflate.c:138:29: error: macro "flush" passed 2 arguments, but takes just 0

Fix this by removing the define of flush() in misc.c for
CONFIG_DEBUG_ICEDCC as it's already defined in mach/uncompress.h,
and that is being included unconditionally.

Also use a static inline function instead of define
for mach-mxc and mach-gemini to avoid similar bug
for those platforms.

Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2010-01-18 12:44:51 +00:00
Albin Tonnerre e7db7b4270 arm: add support for LZO-compressed kernels
- changes to ach/arch/boot/Makefile to make it easier to add new
   compression types
 - new piggy.lzo.S necessary for lzo compression
 - changes in arch/arm/boot/compressed/misc.c to allow the use of lzo or
   gzip, depending on the config
 - Kconfig support

Signed-off-by: Albin Tonnerre <albin.tonnerre@free-electrons.com>
Tested-by: Wu Zhangjin <wuzhangjin@gmail.com>
Acked-by: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Russell King <rmk@arm.linux.org.uk>
Acked-by: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-01-11 09:34:05 -08:00
Jaswinder Singh Rajput 81566a060b ARM: includecheck fix: misc.c
fix the following 'make includecheck' warning:

  arch/arm/boot/compressed/misc.c: linux/compiler.h is included more than once.

Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-07-25 17:07:00 +01:00
Rusty Russell aa0d3bb77e arm: allow usage of string functions in linux/string.h
In introducing a trivial "strstarts()" function in linux/string.h, we
hit:

	arch/arm/boot/compressed/misc.o: In function `strstarts':
	misc.c:(.text+0x368): undefined reference to `strlen'
	misc.c:(.text+0x378): undefined reference to `strncmp'

This is because of "CFLAGS_misc.o := -Dstatic=" in the Makefile.
"static inline strstarts(...)" becomes non-inline, and refers to the
other string ops.

The simplest workaround is to include asm/string.h.  This makes sense
anyway, since lib/string.c won't be linked against this so we can't
use those functions anyway.

Compile tested here.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-03-31 13:05:36 +10:30
Jean-Christop PLAGNIOL-VILLARD c633c3cfcf [ARM] 5412/1: XSCALE: add ice dcc support
SCALE: add ice dcc support

Tested on the ixp425 with the ice PEEDI

Ack-by: Eric Miao <eric.miao@marvell.com>

Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2009-02-27 20:57:46 +00:00
Russell King 59f0cb0fdd [ARM] remove memzero()
As suggested by Andrew Morton, remove memzero() - it's not supported
on other architectures so use of it is a potential build breaking bug.
Since the compiler optimizes memset(x,0,n) to __memzero() perfectly
well, we don't miss out on the underlying benefits of memzero().

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2008-11-27 12:37:59 +00:00
Russell King a09e64fbc0 [ARM] Move include/asm-arm/arch-* to arch/arm/*/include/mach
This just leaves include/asm-arm/plat-* to deal with.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2008-08-07 09:55:48 +01:00
Thomas Petazzoni 2d6ffcca62 inflate: refactor inflate malloc code
Inflate requires some dynamic memory allocation very early in the boot
process and this is provided with a set of four functions:
malloc/free/gzip_mark/gzip_release.

The old inflate code used a mark/release strategy rather than implement
free.  This new version instead keeps a count on the number of outstanding
allocations and when it hits zero, it resets the malloc arena.

This allows removing all the mark and release implementations and unifying
all the malloc/free implementations.

The architecture-dependent code must define two addresses:
 - free_mem_ptr, the address of the beginning of the area in which
   allocations should be made
 - free_mem_end_ptr, the address of the end of the area in which
   allocations should be made. If set to 0, then no check is made on
   the number of allocations, it just grows as much as needed

The architecture-dependent code can also provide an arch_decomp_wdog()
function call.  This function will be called several times during the
decompression process, and allow to notify the watchdog that the system is
still running.  If an architecture provides such a call, then it must
define ARCH_HAS_DECOMP_WDOG so that the generic inflate code calls
arch_decomp_wdog().

Work initially done by Matt Mackall, updated to a recent version of the
kernel and improved by me.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Mikael Starvik <mikael.starvik@axis.com>
Cc: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Haavard Skinnemoen <hskinnemoen@atmel.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Acked-by: Paul Mundt <lethal@linux-sh.org>
Acked-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-07-25 10:53:28 -07:00
Jeremy Fitzhardinge 35c7422649 [PATCH] x86: deflate stack usage in lib/inflate.c
inflate_fixed and huft_build together use around 2.7k of stack.  When
using 4k stacks, I saw stack overflows from interrupts arriving while
unpacking the root initrd:

do_IRQ: stack overflow: 384
 [<c0106b64>] show_trace_log_lvl+0x1a/0x30
 [<c01075e6>] show_trace+0x12/0x14
 [<c010763f>] dump_stack+0x16/0x18
 [<c0107ca4>] do_IRQ+0x6d/0xd9
 [<c010202b>] xen_evtchn_do_upcall+0x6e/0xa2
 [<c0106781>] xen_hypervisor_callback+0x25/0x2c
 [<c010116c>] xen_restore_fl+0x27/0x29
 [<c0330f63>] _spin_unlock_irqrestore+0x4a/0x50
 [<c0117aab>] change_page_attr+0x577/0x584
 [<c0117b45>] kernel_map_pages+0x8d/0xb4
 [<c016a314>] cache_alloc_refill+0x53f/0x632
 [<c016a6c2>] __kmalloc+0xc1/0x10d
 [<c0463d34>] malloc+0x10/0x12
 [<c04641c1>] huft_build+0x2a7/0x5fa
 [<c04645a5>] inflate_fixed+0x91/0x136
 [<c04657e2>] unpack_to_rootfs+0x5f2/0x8c1
 [<c0465acf>] populate_rootfs+0x1e/0xe4

(This was under Xen, but there's no reason it couldn't happen on bare
  hardware.)

This patch mallocs the local variables, thereby reducing the stack
usage to sane levels.

Also, up the heap size for the kernel decompressor to deal with the
extra allocation.

Signed-off-by: Jeremy Fitzhardinge <jeremy@xensource.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Cc: Tim Yamin <plasmaroo@gentoo.org>
Cc: Andi Kleen <ak@suse.de>
Cc: Matt Mackall <mpm@selenic.com>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ian Molton <spyro@f2s.com>
2007-05-02 19:27:15 +02:00
Tony Lindgren 7d95ded911 [ARM] 3838/1: ARM: DCC debug console support for ARM11
Adds support for CONFIG_DEBUG_ICEDCC for ARM11.
Tested on ARM1136 (OMAP2420).

Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-09-25 10:36:09 +01:00
Uwe Zeisberger b2556da55f [ARM] 3488/1: make icedcc_putc do the right thing
Patch from Uwe Zeisberger

 a) use coprocessor 14
 b) make reading the dcc status volatile

Signed-off-by: Uwe Zeisberger <Uwe_Zeisberger@digi.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-02 20:40:56 +01:00
Russell King de4533a04e [ARM] Move ice-dcc code into misc.c
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-28 10:34:05 +01:00
Russell King a081568d70 [ARM] Fix decompressor serial IO to give CRLF not LFCR
As per the corresponding change to the serial drivers, arrange
for ARM decompressors to give CRLF.  Move the common putstr code
into misc.c such that machines only need to supply "putc" and
"flush" functions.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-03-28 10:24:33 +01:00
Ben Dooks f8c905d368 [ARM] 3132/1: S3C2410 - reset on decompression error
Patch from Ben Dooks

Force a watchdog reset if the system fails to
decompress properly.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2005-11-08 22:43:05 +00:00
Al Viro 942b6f6216 [PATCH] type fix in arm/boot/compressed/misc.c
spot the typo...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-10-29 10:35:08 -07:00
Linus Torvalds 1da177e4c3 Linux-2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!
2005-04-16 15:20:36 -07:00