Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull RCU updates from Ingo Molnar: "The main RCU changes in this development cycle were: - Miscellaneous fixes, including a change to call_rcu()'s rcu_head alignment check. - Security-motivated list consistency checks, which are disabled by default behind DEBUG_LIST. - Torture-test updates. - Documentation updates, yet again just simple changes" * 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: torture: Prevent jitter from delaying build-only runs torture: Remove obsolete files from rcutorture .gitignore rcu: Don't kick unless grace period or request rcu: Make expedited grace periods recheck dyntick idle state torture: Trace long read-side delays rcu: RCU_TRACE enables event tracing as well as debugfs rcu: Remove obsolete comment from __call_rcu() rcu: Remove obsolete rcu_check_callbacks() header comment rcu: Tighten up __call_rcu() rcu_head alignment check Documentation/RCU: Fix minor typo documentation: Present updated RCU guarantee bug: Avoid Kconfig warning for BUG_ON_DATA_CORRUPTION lib/Kconfig.debug: Fix typo in select statement lkdtm: Add tests for struct list corruption bug: Provide toggle for BUG on data corruption list: Split list_del() debug checking into separate function rculist: Consolidate DEBUG_LIST for list_add_rcu() list: Split list_add() debug checking into separate function
author: Linus Torvalds <torvalds@linux-foundation.org> 2016-12-12 12:09:54 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2016-12-12 12:09:54 -0500
commit: 718c0ddd6aa911fd2a6fb1b6e050fbaee8060e61 (patch)
tree: 8f502a67605f864773d96dca7c8c6e1a9fa3f322 /drivers/misc
parent: 8fa3b6f9392bf6d90cb7b908e07bd90166639f0a (diff)
parent: af91a81131aee3e233a977632a23b839857a327b (diff)
3 files changed, 72 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index fdf954c2107f..cfa1039c62e7 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -21,6 +21,8 @@ void lkdtm_SPINLOCKUP(void);
 void lkdtm_HUNG_TASK(void);
 void lkdtm_ATOMIC_UNDERFLOW(void);
 void lkdtm_ATOMIC_OVERFLOW(void);
+void lkdtm_CORRUPT_LIST_ADD(void);
+void lkdtm_CORRUPT_LIST_DEL(void);
 /* lkdtm_heap.c */
 void lkdtm_OVERWRITE_ALLOCATION(void);
diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
index 182ae1894b32..f336206d4b1f 100644
--- a/drivers/misc/lkdtm_bugs.c
+++ b/drivers/misc/lkdtm_bugs.c
@@ -5,8 +5,13 @@
 * test source files.
 */
 #include "lkdtm.h"
+#include <linux/list.h>
 #include <linux/sched.h>
+struct lkdtm_list {
+        struct list_head node;
+};
 /*
 * Make sure our attempts to over run the kernel stack doesn't trigger
 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
@@ -146,3 +151,66 @@ void lkdtm_ATOMIC_OVERFLOW(void)
        pr_info("attempting bad atomic overflow\n");
        atomic_inc(&over);
 }
+void lkdtm_CORRUPT_LIST_ADD(void)
+{
+        /*
+         * Initially, an empty list via LIST_HEAD:
+         *      test_head.next = &test_head
+         *      test_head.prev = &test_head
+         */
+        LIST_HEAD(test_head);
+        struct lkdtm_list good, bad;
+        void *target[2] = { };
+        void *redirection = &target;
+        pr_info("attempting good list addition\n");
+        /*
+         * Adding to the list performs these actions:
+         *      test_head.next->prev = &good.node
+         *      good.node.next = test_head.next
+         *      good.node.prev = test_head
+         *      test_head.next = good.node
+         */
+        list_add(&good.node, &test_head);
+        pr_info("attempting corrupted list addition\n");
+        /*
+         * In simulating this "write what where" primitive, the "what" is
+         * the address of &bad.node, and the "where" is the address held
+         * by "redirection".
+         */
+        test_head.next = redirection;
+        list_add(&bad.node, &test_head);
+        if (target[0] == NULL && target[1] == NULL)
+                pr_err("Overwrite did not happen, but no BUG?!\n");
+        else
+                pr_err("list_add() corruption not detected!\n");
+}
+void lkdtm_CORRUPT_LIST_DEL(void)
+{
+        LIST_HEAD(test_head);
+        struct lkdtm_list item;
+        void *target[2] = { };
+        void *redirection = &target;
+        list_add(&item.node, &test_head);
+        pr_info("attempting good list removal\n");
+        list_del(&item.node);
+        pr_info("attempting corrupted list removal\n");
+        list_add(&item.node, &test_head);
+        /* As with the list_add() test above, this corrupts "next". */
+        item.node.next = redirection;
+        list_del(&item.node);
+        if (target[0] == NULL && target[1] == NULL)
+                pr_err("Overwrite did not happen, but no BUG?!\n");
+        else
+                pr_err("list_del() corruption not detected!\n");
+}
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index f9154b8d67f6..7eeb71a75549 100644
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -197,6 +197,8 @@ struct crashtype crashtypes[] = {
        CRASHTYPE(EXCEPTION),
        CRASHTYPE(LOOP),
        CRASHTYPE(OVERFLOW),
+        CRASHTYPE(CORRUPT_LIST_ADD),
+        CRASHTYPE(CORRUPT_LIST_DEL),
        CRASHTYPE(CORRUPT_STACK),
        CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
        CRASHTYPE(OVERWRITE_ALLOCATION),
author	Linus Torvalds <torvalds@linux-foundation.org>	2016-12-12 12:09:54 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-12-12 12:09:54 -0500
commit	718c0ddd6aa911fd2a6fb1b6e050fbaee8060e61 (patch)
tree	8f502a67605f864773d96dca7c8c6e1a9fa3f322 /drivers/misc
parent	8fa3b6f9392bf6d90cb7b908e07bd90166639f0a (diff)
parent	af91a81131aee3e233a977632a23b839857a327b (diff)

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index fdf954c2107f..cfa1039c62e7 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h
@@ -21,6 +21,8 @@ void lkdtm_SPINLOCKUP(void);
21	void lkdtm_HUNG_TASK(void);	21	void lkdtm_HUNG_TASK(void);
22	void lkdtm_ATOMIC_UNDERFLOW(void);	22	void lkdtm_ATOMIC_UNDERFLOW(void);
23	void lkdtm_ATOMIC_OVERFLOW(void);	23	void lkdtm_ATOMIC_OVERFLOW(void);
		24	void lkdtm_CORRUPT_LIST_ADD(void);
		25	void lkdtm_CORRUPT_LIST_DEL(void);
24		26
25	/* lkdtm_heap.c */	27	/* lkdtm_heap.c */
26	void lkdtm_OVERWRITE_ALLOCATION(void);	28	void lkdtm_OVERWRITE_ALLOCATION(void);


diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index 182ae1894b32..f336206d4b1f 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c
@@ -5,8 +5,13 @@
5	* test source files.	5	* test source files.
6	*/	6	*/
7	#include "lkdtm.h"	7	#include "lkdtm.h"
		8	#include <linux/list.h>
8	#include <linux/sched.h>	9	#include <linux/sched.h>
9		10
		11	struct lkdtm_list {
		12	struct list_head node;
		13	};
		14
10	/*	15	/*
11	* Make sure our attempts to over run the kernel stack doesn't trigger	16	* Make sure our attempts to over run the kernel stack doesn't trigger
12	* a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we	17	* a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
@@ -146,3 +151,66 @@ void lkdtm_ATOMIC_OVERFLOW(void)
146	pr_info("attempting bad atomic overflow\n");	151	pr_info("attempting bad atomic overflow\n");
147	atomic_inc(&over);	152	atomic_inc(&over);
148	}	153	}
		154
		155	void lkdtm_CORRUPT_LIST_ADD(void)
		156	{
		157	/*
		158	* Initially, an empty list via LIST_HEAD:
		159	* test_head.next = &test_head
		160	* test_head.prev = &test_head
		161	*/
		162	LIST_HEAD(test_head);
		163	struct lkdtm_list good, bad;
		164	void *target[2] = { };
		165	void *redirection = &target;
		166
		167	pr_info("attempting good list addition\n");
		168
		169	/*
		170	* Adding to the list performs these actions:
		171	* test_head.next->prev = &good.node
		172	* good.node.next = test_head.next
		173	* good.node.prev = test_head
		174	* test_head.next = good.node
		175	*/
		176	list_add(&good.node, &test_head);
		177
		178	pr_info("attempting corrupted list addition\n");
		179	/*
		180	* In simulating this "write what where" primitive, the "what" is
		181	* the address of &bad.node, and the "where" is the address held
		182	* by "redirection".
		183	*/
		184	test_head.next = redirection;
		185	list_add(&bad.node, &test_head);
		186
		187	if (target[0] == NULL && target[1] == NULL)
		188	pr_err("Overwrite did not happen, but no BUG?!\n");
		189	else
		190	pr_err("list_add() corruption not detected!\n");
		191	}
		192
		193	void lkdtm_CORRUPT_LIST_DEL(void)
		194	{
		195	LIST_HEAD(test_head);
		196	struct lkdtm_list item;
		197	void *target[2] = { };
		198	void *redirection = &target;
		199
		200	list_add(&item.node, &test_head);
		201
		202	pr_info("attempting good list removal\n");
		203	list_del(&item.node);
		204
		205	pr_info("attempting corrupted list removal\n");
		206	list_add(&item.node, &test_head);
		207
		208	/* As with the list_add() test above, this corrupts "next". */
		209	item.node.next = redirection;
		210	list_del(&item.node);
		211
		212	if (target[0] == NULL && target[1] == NULL)
		213	pr_err("Overwrite did not happen, but no BUG?!\n");
		214	else
		215	pr_err("list_del() corruption not detected!\n");
		216	}


diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index f9154b8d67f6..7eeb71a75549 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c
@@ -197,6 +197,8 @@ struct crashtype crashtypes[] = {
197	CRASHTYPE(EXCEPTION),	197	CRASHTYPE(EXCEPTION),
198	CRASHTYPE(LOOP),	198	CRASHTYPE(LOOP),
199	CRASHTYPE(OVERFLOW),	199	CRASHTYPE(OVERFLOW),
		200	CRASHTYPE(CORRUPT_LIST_ADD),
		201	CRASHTYPE(CORRUPT_LIST_DEL),
200	CRASHTYPE(CORRUPT_STACK),	202	CRASHTYPE(CORRUPT_STACK),
201	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),	203	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
202	CRASHTYPE(OVERWRITE_ALLOCATION),	204	CRASHTYPE(OVERWRITE_ALLOCATION),