12 files changed, 384 insertions, 133 deletions

diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index 2554a15ecf2b..0c5969fa795f 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -199,11 +199,8 @@ sub_cmd_record_mcount = perl $(srctree)/scripts/recordmcount.pl "$(ARCH)" \
         "$(if $(part-of-module),1,0)" "$(@)";
 recordmcount_source := $(srctree)/scripts/recordmcount.pl
 endif # BUILD_C_RECORDMCOUNT
-cmd_record_mcount =                                             \
-        if [ "$(findstring $(CC_FLAGS_FTRACE),$(_c_flags))" =   \
-             "$(CC_FLAGS_FTRACE)" ]; then                       \
-                $(sub_cmd_record_mcount)                        \
-        fi
+cmd_record_mcount = $(if $(findstring $(strip $(CC_FLAGS_FTRACE)),$(_c_flags)), \
+        $(sub_cmd_record_mcount))
 endif # CC_USING_RECORD_MCOUNT
 endif # CONFIG_FTRACE_MCOUNT_RECORD
 
@@ -225,6 +222,9 @@ endif
 ifdef CONFIG_RETPOLINE
   objtool_args += --retpoline
 endif
+ifdef CONFIG_X86_SMAP
+  objtool_args += --uaccess
+endif
 
 # 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
 # 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 38b2b4818e8e..019771b845c5 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -3,7 +3,6 @@ ifdef CONFIG_UBSAN
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
-      CFLAGS_UBSAN += $(call cc-option, -fsanitize=vla-bound)
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
       CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)
diff --git a/scripts/atomic/gen-atomics.sh b/scripts/atomic/gen-atomics.sh
index 27400b0cd732..000dc6437893 100644
--- a/scripts/atomic/gen-atomics.sh
+++ b/scripts/atomic/gen-atomics.sh
@@ -13,7 +13,7 @@ gen-atomic-long.sh              asm-generic/atomic-long.h
 gen-atomic-fallback.sh          linux/atomic-fallback.h
 EOF
 while read script header; do
-        ${ATOMICDIR}/${script} ${ATOMICTBL} > ${LINUXDIR}/include/${header}
+        /bin/sh ${ATOMICDIR}/${script} ${ATOMICTBL} > ${LINUXDIR}/include/${header}
         HASH="$(sha1sum ${LINUXDIR}/include/${header})"
         HASH="${HASH%% *}"
         printf "// %s\n" "${HASH}" >> ${LINUXDIR}/include/${header}
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index 5b756278df13..a09333fd7cef 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -5977,7 +5977,7 @@ sub process {
                                 while ($fmt =~ /(\%[\*\d\.]*p(\w))/g) {
                                         $specifier = $1;
                                         $extension = $2;
-                                        if ($extension !~ /[SsBKRraEhMmIiUDdgVCbGNOx]/) {
+                                        if ($extension !~ /[SsBKRraEhMmIiUDdgVCbGNOxt]/) {
                                                 $bad_specifier = $specifier;
                                                 last;
                                         }
diff --git a/scripts/coccinelle/api/stream_open.cocci b/scripts/coccinelle/api/stream_open.cocci
new file mode 100644
index 000000000000..350145da7669
--- /dev/null
+++ b/scripts/coccinelle/api/stream_open.cocci
@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: GPL-2.0
+// Author: Kirill Smelkov (kirr@nexedi.com)
+//
+// Search for stream-like files that are using nonseekable_open and convert
+// them to stream_open. A stream-like file is a file that does not use ppos in
+// its read and write. Rationale for the conversion is to avoid deadlock in
+// between read and write.
+
+virtual report
+virtual patch
+virtual explain  // explain decisions in the patch (SPFLAGS="-D explain")
+
+// stream-like reader & writer - ones that do not depend on f_pos.
+@ stream_reader @
+identifier readstream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+@ stream_writer @
+identifier writestream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+
+// a function that blocks
+@ blocks @
+identifier block_f;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  block_f(...) {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+// stream_reader that can block inside.
+//
+// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait())
+// XXX currently reader_blocks supports only direct and 1-level indirect cases.
+@ reader_blocks_direct @
+identifier stream_reader.readstream;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  readstream(...)
+  {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+@ reader_blocks_1 @
+identifier stream_reader.readstream;
+identifier blocks.block_f;
+@@
+  readstream(...)
+  {
+    ... when exists
+    block_f(...)
+    ... when exists
+  }
+
+@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @
+identifier stream_reader.readstream;
+@@
+  readstream(...) {
+    ...
+  }
+
+
+// file_operations + whether they have _any_ .read, .write, .llseek ... at all.
+//
+// XXX add support for file_operations xxx[N] = ...     (sound/core/pcm_native.c)
+@ fops0 @
+identifier fops;
+@@
+  struct file_operations fops = {
+    ...
+  };
+
+@ has_read @
+identifier fops0.fops;
+identifier read_f;
+@@
+  struct file_operations fops = {
+    .read = read_f,
+  };
+
+@ has_read_iter @
+identifier fops0.fops;
+identifier read_iter_f;
+@@
+  struct file_operations fops = {
+    .read_iter = read_iter_f,
+  };
+
+@ has_write @
+identifier fops0.fops;
+identifier write_f;
+@@
+  struct file_operations fops = {
+    .write = write_f,
+  };
+
+@ has_write_iter @
+identifier fops0.fops;
+identifier write_iter_f;
+@@
+  struct file_operations fops = {
+    .write_iter = write_iter_f,
+  };
+
+@ has_llseek @
+identifier fops0.fops;
+identifier llseek_f;
+@@
+  struct file_operations fops = {
+    .llseek = llseek_f,
+  };
+
+@ has_no_llseek @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+    .llseek = no_llseek,
+  };
+
+@ has_mmap @
+identifier fops0.fops;
+identifier mmap_f;
+@@
+  struct file_operations fops = {
+    .mmap = mmap_f,
+  };
+
+@ has_copy_file_range @
+identifier fops0.fops;
+identifier copy_file_range_f;
+@@
+  struct file_operations fops = {
+    .copy_file_range = copy_file_range_f,
+  };
+
+@ has_remap_file_range @
+identifier fops0.fops;
+identifier remap_file_range_f;
+@@
+  struct file_operations fops = {
+    .remap_file_range = remap_file_range_f,
+  };
+
+@ has_splice_read @
+identifier fops0.fops;
+identifier splice_read_f;
+@@
+  struct file_operations fops = {
+    .splice_read = splice_read_f,
+  };
+
+@ has_splice_write @
+identifier fops0.fops;
+identifier splice_write_f;
+@@
+  struct file_operations fops = {
+    .splice_write = splice_write_f,
+  };
+
+
+// file_operations that is candidate for stream_open conversion - it does not
+// use mmap and other methods that assume @offset access to file.
+//
+// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now.
+// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops".
+@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+  };
+
+
+// ---- conversions ----
+
+// XXX .open = nonseekable_open -> .open = stream_open
+// XXX .open = func -> openfunc -> nonseekable_open
+
+// read & write
+//
+// if both are used in the same file_operations together with an opener -
+// under that conditions we can use stream_open instead of nonseekable_open.
+@ fops_rw depends on maybe_stream @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+      .write = writestream,
+  };
+
+@ report_rw depends on report @
+identifier fops_rw.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+     nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report && reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,))
+
+@ script:python depends on report && !reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+
+@ explain_rw_deadlocked depends on explain && reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (was deadlock) */
+    ...>
+  }
+
+
+@ explain_rw_nodeadlock depends on explain && !reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (no direct deadlock) */
+    ...>
+  }
+
+@ patch_rw depends on patch @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// read, but not write
+@ fops_r depends on maybe_stream && !has_write @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+  };
+
+@ report_r depends on report @
+identifier fops_r.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_r.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_r depends on explain @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* read only */
+    ...>
+  }
+
+@ patch_r depends on patch @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// write, but not read
+@ fops_w depends on maybe_stream && !has_read @
+identifier fops0.fops, openfunc;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .write = writestream,
+  };
+
+@ report_w depends on report @
+identifier fops_w.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_w.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_w depends on explain @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* write only */
+    ...>
+  }
+
+@ patch_w depends on patch @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// no read, no write - don't change anything
diff --git a/scripts/coccinelle/free/put_device.cocci b/scripts/coccinelle/free/put_device.cocci
index 7395697e7f19..c9f071b0a0ab 100644
--- a/scripts/coccinelle/free/put_device.cocci
+++ b/scripts/coccinelle/free/put_device.cocci
@@ -32,6 +32,7 @@ if (id == NULL || ...) { ... return ...; }
 (    id
 |    (T2)dev_get_drvdata(&id->dev)
 |    (T3)platform_get_drvdata(id)
+|    &id->dev
 );
 | return@p2 ...;
 )
diff --git a/scripts/coccinelle/misc/badty.cocci b/scripts/coccinelle/misc/badty.cocci
index 481cf301ccfc..08470362199c 100644
--- a/scripts/coccinelle/misc/badty.cocci
+++ b/scripts/coccinelle/misc/badty.cocci
@@ -1,4 +1,4 @@
-/// Use ARRAY_SIZE instead of dividing sizeof array with sizeof an element
+/// Correct the size argument to alloc functions
 ///
 //# This makes an effort to find cases where the argument to sizeof is wrong
 //# in memory allocation functions by checking the type of the allocated memory
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 74271dba4f94..80220ed26a35 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
           An arch should select this symbol if it supports building with
           GCC plugins.
 
-menuconfig GCC_PLUGINS
-        bool "GCC plugins"
+config GCC_PLUGINS
+        bool
         depends on HAVE_GCC_PLUGINS
         depends on PLUGIN_HOSTCC != ""
+        default y
         help
           GCC plugins are loadable modules that provide extra features to the
           compiler. They are useful for runtime instrumentation and static analysis.
 
           See Documentation/gcc-plugins.txt for details.
 
-if GCC_PLUGINS
+menu "GCC plugins"
+        depends on GCC_PLUGINS
 
 config GCC_PLUGIN_CYC_COMPLEXITY
         bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
            * https://grsecurity.net/
            * https://pax.grsecurity.net/
 
-config GCC_PLUGIN_STRUCTLEAK
-        bool "Zero initialize stack variables"
-        help
-          While the kernel is built with warnings enabled for any missed
-          stack variable initializations, this warning is silenced for
-          anything passed by reference to another function, under the
-          occasionally misguided assumption that the function will do
-          the initialization. As this regularly leads to exploitable
-          flaws, this plugin is available to identify and zero-initialize
-          such variables, depending on the chosen level of coverage.
-
-          This plugin was originally ported from grsecurity/PaX. More
-          information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-
-choice
-        prompt "Coverage"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-        help
-          This chooses the level of coverage over classes of potentially
-          uninitialized variables. The selected class will be
-          zero-initialized before use.
-
-        config GCC_PLUGIN_STRUCTLEAK_USER
-                bool "structs marked for userspace"
-                help
-                  Zero-initialize any structures on the stack containing
-                  a __user attribute. This can prevent some classes of
-                  uninitialized stack variable exploits and information
-                  exposures, like CVE-2013-2141:
-                  https://git.kernel.org/linus/b9e146d8eb3b9eca
-
-        config GCC_PLUGIN_STRUCTLEAK_BYREF
-                bool "structs passed by reference"
-                help
-                  Zero-initialize any structures on the stack that may
-                  be passed by reference and had not already been
-                  explicitly initialized. This can prevent most classes
-                  of uninitialized stack variable exploits and information
-                  exposures, like CVE-2017-1000410:
-                  https://git.kernel.org/linus/06e7e776ca4d3654
-
-        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-                bool "anything passed by reference"
-                help
-                  Zero-initialize any stack variables that may be passed
-                  by reference and had not already been explicitly
-                  initialized. This is intended to eliminate all classes
-                  of uninitialized stack variable exploits and information
-                  exposures.
-
-endchoice
-
-config GCC_PLUGIN_STRUCTLEAK_VERBOSE
-        bool "Report forcefully initialized variables"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        depends on !COMPILE_TEST        # too noisy
-        help
-          This option will cause a warning to be printed each time the
-          structleak plugin finds a variable it thinks needs to be
-          initialized. Since not all existing initializers are detected
-          by the plugin, this can produce false positive warnings.
-
 config GCC_PLUGIN_RANDSTRUCT
         bool "Randomize layout of sensitive kernel structures"
         select MODVERSIONS if MODULES
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
           in structures.  This reduces the performance hit of RANDSTRUCT
           at the cost of weakened randomization.
 
-config GCC_PLUGIN_STACKLEAK
-        bool "Erase the kernel stack before returning from syscalls"
-        depends on GCC_PLUGINS
-        depends on HAVE_ARCH_STACKLEAK
-        help
-          This option makes the kernel erase the kernel stack before
-          returning from system calls. That reduces the information which
-          kernel stack leak bugs can reveal and blocks some uninitialized
-          stack variable attacks.
-
-          The tradeoff is the performance impact: on a single CPU system kernel
-          compilation sees a 1% slowdown, other systems and workloads may vary
-          and you are advised to test this feature on your expected workload
-          before deploying it.
-
-          This plugin was ported from grsecurity/PaX. More information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-
-config STACKLEAK_TRACK_MIN_SIZE
-        int "Minimum stack frame size of functions tracked by STACKLEAK"
-        default 100
-        range 0 4096
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          The STACKLEAK gcc plugin instruments the kernel code for tracking
-          the lowest border of the kernel stack (and for some other purposes).
-          It inserts the stackleak_track_stack() call for the functions with
-          a stack frame size greater than or equal to this parameter.
-          If unsure, leave the default value 100.
-
-config STACKLEAK_METRICS
-        bool "Show STACKLEAK metrics in the /proc file system"
-        depends on GCC_PLUGIN_STACKLEAK
-        depends on PROC_FS
-        help
-          If this is set, STACKLEAK metrics for every task are available in
-          the /proc file system. In particular, /proc/<pid>/stack_depth
-          shows the maximum kernel stack consumption for the current and
-          previous syscalls. Although this information is not precise, it
-          can be useful for estimating the STACKLEAK performance impact for
-          your workloads.
-
-config STACKLEAK_RUNTIME_DISABLE
-        bool "Allow runtime disabling of kernel stack erasing"
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          This option provides 'stack_erasing' sysctl, which can be used in
-          runtime to control kernel stack erasing for kernels built with
-          CONFIG_GCC_PLUGIN_STACKLEAK.
-
 config GCC_PLUGIN_ARM_SSP_PER_TASK
         bool
         depends on GCC_PLUGINS && ARM
 
-endif
+endmenu
diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
index 611945611bf8..1dcfb288ee63 100644
--- a/scripts/kconfig/lxdialog/inputbox.c
+++ b/scripts/kconfig/lxdialog/inputbox.c
@@ -113,7 +113,8 @@ do_resize:
                         case KEY_DOWN:
                                 break;
                         case KEY_BACKSPACE:
-                        case 127:
+                        case 8:   /* ^H */
+                        case 127: /* ^? */
                                 if (pos) {
                                         wattrset(dialog, dlg.inputbox.atr);
                                         if (input_x == 0) {
diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index a4670f4e825a..ac92c0ded6c5 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans)
                 state->match_direction = FIND_NEXT_MATCH_UP;
                 *ans = get_mext_match(state->pattern,
                                 state->match_direction);
-        } else if (key == KEY_BACKSPACE || key == 127) {
+        } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
                 state->pattern[strlen(state->pattern)-1] = '\0';
                 adj_match_dir(&state->match_direction);
         } else
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 7be620a1fcdb..77f525a8617c 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
                 case KEY_F(F_EXIT):
                 case KEY_F(F_BACK):
                         break;
-                case 127:
+                case 8:   /* ^H */
+                case 127: /* ^? */
                 case KEY_BACKSPACE:
                         if (cursor_position > 0) {
                                 memmove(&result[cursor_position-1],
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 0b0d1080b1c5..f277e116e0eb 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -639,7 +639,7 @@ static void handle_modversions(struct module *mod, struct elf_info *info,
                                info->sechdrs[sym->st_shndx].sh_offset -
                                (info->hdr->e_type != ET_REL ?
                                 info->sechdrs[sym->st_shndx].sh_addr : 0);
-                        crc = *crcp;
+                        crc = TO_NATIVE(*crcp);
                 }
                 sym_update_crc(symname + strlen("__crc_"), mod, crc,
                                 export);