mbox series

[GIT,PULL] hardening fixes for v5.18-rc1

Message ID 202203311127.503A3110@keescook (mailing list archive)
State New, archived
Headers show
Series [GIT,PULL] hardening fixes for v5.18-rc1 | expand

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc1-fix1

Message

Kees Cook March 31, 2022, 6:35 p.m. UTC 
Hi Linus,

Please pull these hardening fixes for v5.18-rc1. This addresses an
-Warray-bounds warning found under a few ARM defconfigs, and disables
long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.

Thanks!

-Kees

The following changes since commit afcf5441b9ff22ac57244cd45ff102ebc2e32d1a:

  arm64: Add gcc Shadow Call Stack support (2022-03-10 09:22:09 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc1-fix1

for you to fetch changes up to 229a08a4f4e4f9949801cc39b6480ddc9c487183:

  ARM/dma-mapping: Remove CMA code when not built with CMA (2022-03-31 11:19:25 -0700)

----------------------------------------------------------------
hardening updates for v5.18-rc1-fix1

- Disable CONFIG_HARDENED_USERCOPY_PAGESPAN

- DMA: remove CMA code when not buiding CMA

----------------------------------------------------------------
Kees Cook (2):
      usercopy: Disable CONFIG_HARDENED_USERCOPY_PAGESPAN
      ARM/dma-mapping: Remove CMA code when not built with CMA

 arch/arm/mm/dma-mapping.c | 2 ++
 arch/arm/mm/mm.h          | 4 ++++
 include/linux/cma.h       | 4 ----
 security/Kconfig          | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

Comments

Russell King (Oracle) March 31, 2022, 6:46 p.m. UTC | #1 
On Thu, Mar 31, 2022 at 11:35:40AM -0700, Kees Cook wrote:
> Hi Linus,
> 
> Please pull these hardening fixes for v5.18-rc1. This addresses an
> -Warray-bounds warning found under a few ARM defconfigs, and disables
> long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.

I don't see these patches on linux-arm-kernel... are we doing away with
patch review now? :D
Linus Torvalds March 31, 2022, 6:49 p.m. UTC | #2 
On Thu, Mar 31, 2022 at 11:35 AM Kees Cook <keescook@chromium.org> wrote:
>
> Please pull these hardening fixes for v5.18-rc1. This addresses an
> -Warray-bounds warning found under a few ARM defconfigs, and disables
> long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.

Can't we just remove that HARDENED_USERCOPY_PAGESPAN thing entirely?

Yes, yes, I know Matthew did that as part of other patches that is too
late to go in any more in this merge window, but just the removal
patch is a no-brainer.

IOW, why not just do the attached?

                    Linus
Kees Cook March 31, 2022, 6:57 p.m. UTC | #3 
On Thu, Mar 31, 2022 at 07:46:28PM +0100, Russell King (Oracle) wrote:
> On Thu, Mar 31, 2022 at 11:35:40AM -0700, Kees Cook wrote:
> > Hi Linus,
> > 
> > Please pull these hardening fixes for v5.18-rc1. This addresses an
> > -Warray-bounds warning found under a few ARM defconfigs, and disables
> > long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.
> 
> I don't see these patches on linux-arm-kernel... are we doing away with
> patch review now? :D

Uh, what? The links in the patches show the reviews, even. I assume
you're mainly talking about the DMA one; it's right here:
https://lore.kernel.org/linux-arm-kernel/20220309175107.195182-1-keescook@chromium.org/

I had thought hch was going to take this patch, but the dma tree didn't
have it, so I sent it in.

And the usercopy patch was here, with references to the discussion
around it too:
https://lore.kernel.org/all/20220324230255.1362706-1-keescook@chromium.org/
Kees Cook March 31, 2022, 7 p.m. UTC | #4 
On Thu, Mar 31, 2022 at 11:49:42AM -0700, Linus Torvalds wrote:
> On Thu, Mar 31, 2022 at 11:35 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Please pull these hardening fixes for v5.18-rc1. This addresses an
> > -Warray-bounds warning found under a few ARM defconfigs, and disables
> > long-broken CONFIG_HARDENED_USERCOPY_PAGESPAN.
> 
> Can't we just remove that HARDENED_USERCOPY_PAGESPAN thing entirely?
> 
> Yes, yes, I know Matthew did that as part of other patches that is too
> late to go in any more in this merge window, but just the removal
> patch is a no-brainer.

I can do that, but it seemed like more work for folks: a larger diff to
look at, and a rebase for Matthew or me. It's not MUCH more work, but
given the timing of the merge window, I wanted to have a minimal diff.

> IOW, why not just do the attached?

But I can certainly respin it, if you'd prefer?
Linus Torvalds March 31, 2022, 7:09 p.m. UTC | #5 
On Thu, Mar 31, 2022 at 12:00 PM Kees Cook <keescook@chromium.org> wrote:
>
> I can do that, but it seemed like more work for folks: a larger diff to
> look at, and a rebase for Matthew or me. It's not MUCH more work, but
> given the timing of the merge window, I wanted to have a minimal diff.

Stuff that just does obvious code removal may _look_ big, but I
actually think it's conceptually a smaller patch than the subtle one
that just made the code impossible to enable.

Marking something broken implies that maybe we'll be able to fix it.

This seems to be more of a "let's just get rid of it".

               Linus
pr-tracker-bot@kernel.org March 31, 2022, 7:12 p.m. UTC | #6 
The pull request you sent on Thu, 31 Mar 2022 11:35:40 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v5.18-rc1-fix1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/f87cbd0565eb7e2fa15296c74210658db1346431

Thank you!