and if someone does actually get confused they should
> discover the problem fairly rapidly in testing. ss_token would shorter
> but the abbreviation is less clear, whatever name you prefer is fine by
> me.
Bike shed: shstk_token?
--
Kees Cook
string?
-Kees
>
> Changes made:
> - Make TODO comment more specific about 64-bit vs 32-bit argument
> handling test requirements
> - Clarify comment about task termination during syscall execution
> - Replace vague "bad recv()" with specific "invalid rec
TH_LOG("Filter flag (0x%X) is not found to be
> supported!",
> +flag);
So I've pushed back on "backward compatible" changes to this selftest
because I want it to be validating the _latest_ seccomp. This allows for
expected flags to be missing.
Is there perhaps a way that the backward compat checking could be a
commandline flag or something? That way by default it looks strictly the
more current seccomp features.
-Kees
--
Kees Cook
s
> + * not yet ptraced. This exercises the
> + * code block in de_thread where the
> + * if (!thread_group_leader(tsk)) {
> + * is executed and enters a wait state.
> + */
> +static long thread2_tid;
> +static void *thread2(void *arg)
> +{
> + thread2_tid = syscall(__NR_gettid);
> + sleep(2);
> + execlp("false", "false", NULL);
> + return NULL;
> +}
> +
> +TEST(attach2)
> +{
> + int s, k, pid = fork();
> +
> + if (!pid) {
> + pthread_t pt;
> +
> + pthread_create(&pt, NULL, thread2, NULL);
> + pthread_join(pt, NULL);
> + return;
> + }
> +
> sleep(1);
> k = ptrace(PTRACE_ATTACH, pid, 0L, 0L);
> ASSERT_EQ(k, 0);
> @@ -72,12 +153,46 @@ TEST(attach)
> ASSERT_EQ(k, pid);
> ASSERT_EQ(WIFSTOPPED(s), 1);
> ASSERT_EQ(WSTOPSIG(s), SIGSTOP);
> - k = ptrace(PTRACE_DETACH, pid, 0L, 0L);
> + k = ptrace(PTRACE_SETOPTIONS, pid, 0L, PTRACE_O_TRACEEXIT);
> + ASSERT_EQ(k, 0);
> + thread2_tid = ptrace(PTRACE_PEEKDATA, pid, &thread2_tid, 0L);
> + ASSERT_NE(thread2_tid, -1);
> + ASSERT_NE(thread2_tid, 0);
> + ASSERT_NE(thread2_tid, pid);
> + k = waitpid(-1, &s, WNOHANG);
> + ASSERT_EQ(k, 0);
> + sleep(2);
> + /* deadlock may happen here */
> + k = ptrace(PTRACE_ATTACH, thread2_tid, 0L, 0L);
> + ASSERT_EQ(k, 0);
> + k = waitpid(-1, &s, WNOHANG);
> + ASSERT_EQ(k, pid);
> + ASSERT_EQ(WIFSTOPPED(s), 1);
> + ASSERT_EQ(WSTOPSIG(s), SIGTRAP);
> + k = waitpid(-1, &s, WNOHANG);
> + ASSERT_EQ(k, 0);
> + k = ptrace(PTRACE_CONT, pid, 0L, 0L);
> + ASSERT_EQ(k, 0);
> + k = waitpid(-1, &s, 0);
> + ASSERT_EQ(k, pid);
> + ASSERT_EQ(WIFSTOPPED(s), 1);
> + ASSERT_EQ(WSTOPSIG(s), SIGTRAP);
> + k = waitpid(-1, &s, WNOHANG);
> + ASSERT_EQ(k, 0);
> + k = ptrace(PTRACE_CONT, pid, 0L, 0L);
> + ASSERT_EQ(k, 0);
> + k = waitpid(-1, &s, 0);
> + ASSERT_EQ(k, pid);
> + ASSERT_EQ(WIFSTOPPED(s), 1);
> + ASSERT_EQ(WSTOPSIG(s), SIGSTOP);
> + k = waitpid(-1, &s, WNOHANG);
> + ASSERT_EQ(k, 0);
> + k = ptrace(PTRACE_CONT, pid, 0L, 0L);
> ASSERT_EQ(k, 0);
> k = waitpid(-1, &s, 0);
> ASSERT_EQ(k, pid);
> ASSERT_EQ(WIFEXITED(s), 1);
> - ASSERT_EQ(WEXITSTATUS(s), 0);
> + ASSERT_EQ(WEXITSTATUS(s), 1);
> k = waitpid(-1, NULL, 0);
> ASSERT_EQ(k, -1);
> ASSERT_EQ(errno, ECHILD);
Thank you for adding tests! This will be a nice deadlock to get fixed.
-Kees
--
Kees Cook
https://git.kernel.org/kees/c/cce436aafc2a
[2/2] selftests/seccomp: Add a test for the WAIT_KILLABLE_RECV fast reply race
https://git.kernel.org/kees/c/b0c9bfbab925
Take care,
--
Kees Cook
e
#include
#include
+#include
#include
#include
#include
But, with that, yes, I can confirm the race and the fix. Thank you!
I can fix that up locally.
-Kees
--
Kees Cook
TH_LOG("Child: Failed to send FD");
> + close(unprivileged_tty_fd);
> + _exit(1);
> + }
> +
> + close(unprivileged_tty_fd);
> + close(sockpair[1]);
> + _exit(0); /* Child success */
> +
> + } else {
This doesn't need an else nor indenting: it is the parent no matter what
due to the _exit above.
> + /* Parent process - keep CAP_SYS_ADMIN, receive FD, test
> TIOCSTI */
> + close(sockpair[1]);
> +
> + TH_LOG("Parent: Waiting for TTY FD from unprivileged child...");
> +
> + /* Verify we still have CAP_SYS_ADMIN */
> + ASSERT_TRUE(has_cap_sys_admin());
> +
> + /* Receive the TTY FD from unprivileged child */
> + int received_fd = recv_fd_via_socket(sockpair[0]);
> +
> + ASSERT_GE(received_fd, 0)
> + TH_LOG("Parent: Received FD %d (opened by unprivileged
> process)",
> +received_fd);
> +
> + /*
> + * VULNERABILITY TEST: Try TIOCSTI with FD opened by
> unprivileged process
> + * This should FAIL even though parent has CAP_SYS_ADMIN
> + * because the FD was opened by unprivileged process
> + */
> + char attack_char = 'V'; /* V for Vulnerability */
> + int ret = ioctl(received_fd, TIOCSTI, &attack_char);
Doesn't the child need to stay alive long enough to receive the
character? i.e. is it a problem that the child immediately exits 0 after
sending the fd to the parent?
> +
> + TH_LOG("Parent: Testing TIOCSTI on FD from unprivileged
> process...");
> + if (ret == 0) {
> + TH_LOG("*** VULNERABILITY DETECTED ***");
> + TH_LOG("Privileged process can use TIOCSTI on
> unprivileged FD");
> + } else {
> + TH_LOG("TIOCSTI failed on unprivileged FD: %s",
> +strerror(errno));
> + EXPECT_EQ(errno, EPERM);
> + }
Shouldn't this be arranged with an expect on ret == 0 ?
> + close(received_fd);
> + close(sockpair[0]);
> +
> + /* Wait for child */
> + int status;
> +
> + ASSERT_EQ(waitpid(child_pid, &status, 0), child_pid);
> + EXPECT_EQ(WEXITSTATUS(status), 0);
> + ASSERT_NE(ret, 0);
> + }
> +}
> +
> +TEST_HARNESS_MAIN
Looks like you're on the right track!
-Kees
--
Kees Cook
t;source base with this temporary keyword; instead define "auto" as a
>macro unless the compiler is running in C23+ mode.
Yeah, this is good. We have typeof() used extensively in macros all over. I'll
try this for fortify macros and see if we see any binary output changes...
--
Kees Cook
On Wed, Jul 16, 2025 at 11:32:10PM -0700, Kees Cook wrote:
> This really screams for a struct-based way to in-place declare a
> seq_buf. The current macro only works on the stack. I think this
> will work; I'll send a patch once I get it tested:
>
> #define DECLAR
blocking or otherwise interfering with other processes in binder.
>
> This test is refactored into more meaningful cases in the subsequent
> patch.
>
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
ray would have 750,000 entries.
> This change structures the recursive calls into meaningful test cases so
> that failures are easier to interpret.
>
> Cc: Kees Cook
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
> [...]
> +struct binder_alloc_test_case_info {
o kunit in a subsequent patch in this series.
>
> Acked-by: Carlos Llamas
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
> Signed-off-by: Tiffany Yang
Reviewed-by: Kees Cook
--
Kees Cook
On Wed, Jul 16, 2025 at 10:42:58PM +, Carlos Llamas wrote:
> On Wed, Jul 16, 2025 at 03:28:49PM -0700, Tiffany Yang wrote:
> > Kees Cook writes:
> >
> > > > ...
> >
> > > I'm used to the "#ifdef CONFIG_..." idiom, but looking at
int index)
> {
> size_t end, prev;
> int align;
>
> if (index == BUFFER_NUM) {
> - gen_buf_sizes(test, alloc, end_offset);
> + struct binder_alloc_test_case_info tc = {0};
> +
> + stringify_alignments(test, alignments, tc.alignments,
> + ALIGNMENTS_BUFLEN);
> +
> + gen_buf_sizes(test, alloc, &tc, end_offset, runs, failures);
> return;
> }
> prev = index == 0 ? 0 : end_offset[index - 1];
> @@ -276,7 +397,9 @@ static void gen_buf_offsets(struct kunit *test, struct
> binder_alloc *alloc,
> else
> end += BUFFER_MIN_SIZE;
> end_offset[index] = end;
> - gen_buf_offsets(test, alloc, end_offset, index + 1);
> + alignments[index] = align;
> + gen_buf_offsets(test, alloc, end_offset, alignments, runs,
> + failures, index + 1);
> }
> }
>
> @@ -328,10 +451,15 @@ static void binder_alloc_exhaustive_test(struct kunit
> *test)
> {
> struct binder_alloc_test *priv = test->priv;
> size_t end_offset[BUFFER_NUM];
> + int alignments[BUFFER_NUM];
> + unsigned long failures = 0;
> + unsigned long runs = 0;
>
> - gen_buf_offsets(test, &priv->alloc, end_offset, 0);
> + gen_buf_offsets(test, &priv->alloc, end_offset, alignments, &runs,
> + &failures, 0);
>
> - KUNIT_EXPECT_EQ(test, binder_alloc_test_failures, 0);
> + KUNIT_EXPECT_EQ(test, runs, TOTAL_EXHAUSTIVE_CASES);
> + KUNIT_EXPECT_EQ(test, failures, 0);
> }
>
> /* = End test cases = */
> --
> 2.50.0.727.gbf7dc18ff4-goog
>
Otherwise looks good to me.
--
Kees Cook
R(priv->filp) : -ENOMEM;
> + }
> +
> + priv->mmap_uaddr = kunit_vm_mmap(test, priv->filp, 0, BINDER_MMAP_SIZE,
> + PROT_READ, MAP_PRIVATE | MAP_NORESERVE,
> + 0);
> + if (!priv->mmap_uaddr) {
> + kunit_err(test, "Could not map the test's transaction
> memory\n");
> + return -ENOMEM;
> + }
> +
> + return 0;
> +}
> +
> +static void binder_alloc_test_exit(struct kunit *test)
> +{
> + struct binder_alloc_test *priv = test->priv;
> +
> + /* Close the backing file to make sure binder_alloc_vma_close runs */
> + if (!IS_ERR_OR_NULL(priv->filp))
> + fput(priv->filp);
> +
> + if (priv->alloc.mm)
> + binder_alloc_deferred_release(&priv->alloc);
> +
> + /* Make sure freelist is empty */
> + KUNIT_EXPECT_EQ(test, list_lru_count(&priv->binder_test_freelist), 0);
> + list_lru_destroy(&priv->binder_test_freelist);
> +}
> +
> +static struct kunit_case binder_alloc_test_cases[] = {
> + KUNIT_CASE(binder_alloc_test_init_freelist),
> + KUNIT_CASE(binder_alloc_test_mmap),
> + {}
> +};
> +
> +static struct kunit_suite binder_alloc_test_suite = {
> + .name = "binder_alloc",
> + .test_cases = binder_alloc_test_cases,
> + .init = binder_alloc_test_init,
> + .exit = binder_alloc_test_exit,
> +};
> +
> +kunit_test_suite(binder_alloc_test_suite);
> +
> +MODULE_AUTHOR("Tiffany Yang ");
> +MODULE_DESCRIPTION("Binder Alloc KUnit tests");
> +MODULE_LICENSE("GPL");
Reviewed-by: Kees Cook
--
Kees Cook
d attach a new mm if it doesn't already exist. */
> -static int kunit_attach_mm(void)
> +int kunit_attach_mm(void)
> {
> struct mm_struct *mm;
>
> @@ -49,6 +48,7 @@ static int kunit_attach_mm(void)
>
> return 0;
> }
> +EXPORT_SYMBOL_GPL(kunit_attach_mm);
>
> static int kunit_vm_mmap_init(struct kunit_resource *res, void *context)
> {
> --
> 2.50.0.727.gbf7dc18ff4-goog
Reviewed-by: Kees Cook
--
Kees Cook
+ goto cleanup;
> + }
> +
> + if (list_lru_init(&binder_selftest_freelist)) {
> + pr_err("failed to init test freelist\n");
> + goto cleanup;
> + }
> +
> + alloc->freelist = &binder_selftest_freelist;
> +
> pr_info("STARTED\n");
> binder_selftest_alloc_offset(alloc, end_offset, 0);
> - binder_selftest_run = false;
> if (binder_selftest_failures > 0)
> pr_info("%d tests FAILED\n", binder_selftest_failures);
> else
> pr_info("PASSED\n");
>
> + if (list_lru_count(&binder_selftest_freelist))
> + pr_err("expect test freelist to be empty\n");
> +
> +cleanup:
> + /* Even if we didn't run the test, it's no longer thread-safe. */
> + binder_selftest_run = false;
> + alloc->freelist = prev_freelist;
> + list_lru_destroy(&binder_selftest_freelist);
> done:
> mutex_unlock(&binder_selftest_lock);
> }
> --
> 2.50.0.727.gbf7dc18ff4-goog
Otherwise looks good.
--
Kees Cook
; i <= (end - 1) / PAGE_SIZE; i++) {
Nit: this comment is now not aligned correctly. Probably the best would
be the leave the "for" line above the comment.
-Kees
> if (list_empty(page_to_lru(alloc->pages[i]))) {
> pr_err_size_seq(sizes, seq);
>
d_type(type) (((typeof(type))(-1)) < (__force typeof(type))1)
#define is_unsigned_type(type) (!is_signed_type(type))
/*
--
Kees Cook
o update when changes happen. (Well, 3, since
kern-doc already needs updating too.)
Can't we collect error codes programmatically through control flow
analysis? Argument mapping is already present in the SYSCALL macros,
etc. Let's not repeat this info.
-Kees
--
Kees Cook
at was in your v1. :)
>
> Suggested-by: Kees Cook
>
No blank line here -- other tags should all be together with the S-o-b
line.
> Signed-off-by: Sameeksha Sankpal
> ---
> v1 -> v2:
> - Used TH_LOG instead of printf for error logging
> - Moved variable declaration t
On Fri, 16 May 2025 18:17:22 -0700, Sumanth Gavini wrote:
> Fix misspelling reported by codespell
>
>
Applied to for-next/seccomp, thanks!
[1/1] selftests: seccomp: Fix "performace" to "performance"
https://git.kernel.org/kees/c/a9b33aae79ce
Take care,
--
Kees Cook
to use is TH_LOG,
probably like this:
rc = get_nth(_metadata, proc_path, 3, &line);
ASSERT_EQ(rc, 1) {
TH_LOG("user_notification_fifo: failed to read stat for PID %d
(rc=%d)", pid, rc);
}
And please don't introduce new variables in the middle -- they need to
be declared at the top of the function.
-Kees
--
Kees Cook
a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
fix negative_ENOSYS tracer tests on arm32
https://git.kernel.org/kees/c/73989c998814
Take care,
--
Kees Cook
On Fri, May 09, 2025 at 05:41:03PM +0200, Thomas Weißschuh wrote:
> The suppression was actually there at some point and got removed by Kees in
> commit f41c322f17ec ("selftests: Remove KSFT_TAP_LEVEL").
Right, to get consistent output and to work with indentation, there's n
gt; one file.
>
> This is part of a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
educe the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
cts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
f CONFIG_PROC_SYSCTL
> + {
> + .procname = "cad_pid",
> + .data = NULL,
nit: this is redundant, any unspecified member will be zero-initialized.
Regardless:
Reviewed-by: Kees Cook
> + .maxlen = sizeof(int),
> +
ems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
ilter.h
> linux/binfmts.h
>
> Signed-off-by: Joel Granados
This is very nice! :)
Reviewed-by: Kees Cook
--
Kees Cook
On Fri, May 09, 2025 at 02:54:15PM +0200, Joel Granados wrote:
> These comments are older than 2003 and therefore do not bare any
> relevance on the current state of the sysctl.c file. Remove them as they
> confuse more than clarify.
>
> Signed-off-by: Joel Granados
Reviewe
effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
Yup, all looks good, including the variable relocation.
Reviewed-by: Kees Cook
> ---
> include/linux/rtmutex.h |
sctl.c.
nit: do_proc_dointvec_minmax
>
> This is part of a greater effort to move ctl tables into their
> respective subsystems which will reduce the merge conflicts in
> kernel/sysctl.c.
>
> Signed-off-by: Joel Granados
But yes, this looks correct.
Reviewed-by: Kees Cook
s one should be called
"panic_on_stack_exhaustion", but so be it. :)
Reviewed-by: Kees Cook
> ---
> kernel/panic.c | 10 ++
> kernel/sysctl.c | 10 --
> 2 files changed, 10 insertions(+), 10 deletions(-)
>
> diff --gi
RM64 device running in compat mode can report 'armv8l' or 'armv8b'
> which matches with the string 'arm' when only examining the first three
> characters of the string.
>
> [...]
Applied to for-next/seccomp, thanks!
[1/1] selftests/seccomp: fix syscall
> > > base
> > > further patches on. For that I'd like to pick up all the nolibc patches
> > > from
> > > this series through the nolibc tree. They got Acks from Willy.
> > >
> > > Any objections?
> >
> > No objection on my side!
> >
>
> Thanks.
>
> Kees, do you have any comments on this series? If you are okay
> with it, I would like to apply this for next.
Fine by me! :)
--
Kees Cook
l_tests.config so they are enabled when the KUnit
> runner builds the kernel.
>
>
> [...]
Applied to for-linus/hardening, thanks!
[1/1] lib: Ensure prime numbers tests are included in KUnit test runs
https://git.kernel.org/kees/c/4ea404fdbc39
Take care,
--
Kees Cook
f --git a/tools/testing/kunit/configs/all_tests.config
b/tools/testing/kunit/configs/all_tests.config
index cdd9782f9646..554da9df02f2 100644
--- a/tools/testing/kunit/configs/all_tests.config
+++ b/tools/testing/kunit/configs/all_tests.config
@@ -51,3 +51,5 @@ CONFIG_SOUND=y
CONFIG_SND=y
CONFIG_SND_SOC=y
CONFIG_SND_SOC_TOPOLOGY_BUILD=y
+
+CONFIG_PRIME_NUMBERS=y
--
Kees Cook
n a system where PRIME_NUMBERS
> is not enabled by default. Resurrect CONFIG_PRIME_NUMBERS=m in
> tools/testing/selftests/lib/config for the latter use case.
>
> [...]
Applied to for-linus/hardening, thanks!
[1/1] lib: PRIME_NUMBERS_KUNIT_TEST should not select PRIME_NUMBERS
:)
Reviewed-by: Kees Cook
--
Kees Cook
On Fri, Mar 21, 2025 at 01:47:26PM +0100, Joel Granados wrote:
> As we add more test functions in lib/tests_sysctl the main test function
> (test_sysctl_init) grows. Condense the logic to make it easier to
> add/remove tests.
>
> Signed-off-by: Joel Granados
Nice cleanup!
Re
to lib/test_sysctl.c where the registration reference is
> handled on module exit
>
> 'Fixes: b5ffbd139688 ("sysctl: move the extra1/2 boundary check of u8 to
Typoe: drop leading '
> sysctl_check_table_array")'
And avoid wrapping this line for the field.
>
out of range.
>
> Signed-off-by: Joel Granados
Reviewed-by: Kees Cook
--
Kees Cook
; removal of the "Test Module" kselftest machinery.
>
> I tested this using:
>
> [...]
(I had to rebase on the printf move, but I think it got it all.)
Applied to for-next/move-kunit-tests, thanks!
[1/6] scanf: implicate test line in failure messages
https://git.kernel
gt; scanf: convert self-test to KUnit
> > scanf: break kunit into test cases
>
> Kees, could you please take the above 5 patches as well
> via the tree moving the KUNIT tests to lib/tests ?
I think you mean 4? Sure!
-Kees
>
> They seem to be ready for linux-
On Fri, Mar 14, 2025 at 05:48:00PM +0100, Christophe Leroy wrote:
>
>
> Le 12/03/2025 à 17:30, Kees Cook a écrit :
> > On Wed, Mar 12, 2025 at 04:45:24PM +0100, Vlastimil Babka wrote:
> > > On 3/6/25 17:57, Luis Chamberlain wrote:
> > > > + linux-
the file. Additionally, merge the
> >> message on a single line because checkpatch.pl recommends that for the
> >> ability to grep for the string.
> >>
> >> Suggested-by: Kees Cook
> >> Signed-off-by: Petr Pavlu
> >> ---
> >> I opted to
can carry this in
the "lib/ kunit tests move to lib/tests/" tree.
-Kees
--
Kees Cook
On Fri, Feb 21, 2025 at 08:04:05PM -0500, Tamir Duberstein wrote:
> On Fri, Feb 21, 2025 at 7:57 PM Kees Cook wrote:
> >
> > On Mon, 17 Feb 2025 08:30:44 -0500, Tamir Duberstein wrote:
> > > Remove a leftover shell script reference from commit 313b38a6ecb4
> > >
selftets: lib: remove reference to prime_numbers
https://git.kernel.org/kees/c/03d0e920d775
Take care,
--
Kees Cook
uot;
> echo "make sure the test passes a series of tests."
> echo
> - echo Example uses:
> + echo Example usage:
> echo
> echo "$TEST_NAME.sh-- executes all tests"
> echo "$TEST_NAME.sh -t 0002-- Executes test ID 0002 number of times
> is recomended"
> --
> 2.34.1
>
--
Kees Cook
t right now.
> >
> > Log:
> > https://download.copr.fedorainfracloud.org/results/@kernel-vanilla/next/fedora-rawhide-x86_64/08642966-next-next-all/builder-live.log.gz
> >
> > Cioa, Thorsten
> >
>
> Hmm... this definitely seems like a problem, but I haven't been able
> to reproduce it here (either under x86_64 or UML, both as a module and
> built-in). The suggested fix of changing the path to "../utf8n.h"
> doesn't seem to have broken it, though.
Thanks for the reports! I've squashed this path correction into my tree
and it should be fix in the next -next. :)
-Kees
--
Kees Cook
On Tue, Feb 11, 2025 at 06:51:09AM -0500, Tamir Duberstein wrote:
> Kees, it looks like the private header didn't make it to your tree.
> This bit is missing:
Whoops! Thanks. I've added it (and fixed the comment style).
I really need to do my build/run testing from a fresh checko
rtions(+), 77 deletions(-)
Thanks! I've applied this and rebased it onto:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=for-next/move-kunit-tests
--
Kees Cook
.com/
> > [2]
> > ---
> >
> > Bruno Sobreira França (1):
> >lib/math: Add int_log test suite
> >
> > Diego Vieira (1):
> >lib/tests/kfifo_kunit.c: add tests for the kfifo structure
> >
> > Gabriela Bittencourt (2):
> >
gt; Link: https://refspecs.linuxfoundation.org/elf/gabi4+/ch4.symtab.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
docs.oracle.com/cd/E19683-01/816-1386/chapter6-80869/index.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
Link:
> https://refspecs.linuxfoundation.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/symversion.html#VERDEFEXTS
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
;
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
Link:
> https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/libc-ddefs.html
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Kees Cook
--
Kees Cook
On Tue, Feb 04, 2025 at 04:17:03PM +0100, Thomas Weißschuh wrote:
> On Tue, Feb 04, 2025 at 07:10:00AM -0800, Kees Cook wrote:
> > On Mon, Feb 03, 2025 at 10:05:05AM +0100, Thomas Weißschuh wrote:
> > > The definitions are used by tools/testing/selftests/vDSO/parse_vdso.c.
&
ed libc header somewhere?
-Kees
--
Kees Cook
ritten function pointer, not that they already have arbitrary
execution control. (i.e. taking a "jump anywhere" primitive and
upgrading it to "execute anything".) Is the expectation that existing
ROP/JOP techniques make protecting memfd irrelevant?
--
Kees Cook
main declaration with argc/argv present. But it's mostly
aesthetic.
And if you think use of kselftest.h isn't universal, then perhaps we can
avoid the macro, but it does seem nicer and more "normal" feeling for
the rest of kernel development.
-Kees
--
Kees Cook
-git a/tools/testing/selftests/mm/hugetlb-madvise.c
> b/tools/testing/selftests/mm/hugetlb-madvise.c
> index e74107185324f..43f16c12c8e9a 100644
> --- a/tools/testing/selftests/mm/hugetlb-madvise.c
> +++ b/tools/testing/selftests/mm/hugetlb-madvise.c
> @@ -58,7 +58,7 @@ void read_fault_pages(void *addr, unsigned long nr_pages)
> }
> }
>
> -int main(int argc, char **argv)
> +int main(int __attribute__((unused)) argc, char **argv)
Can we add a macro in kselftest.h for "__unused" like the kernel already
does? Then instead of removing args, we can just mark them, like you're
doing here.
--
Kees Cook
On Wed, Jan 08, 2025 at 07:06:13PM +, Lorenzo Stoakes wrote:
> On Mon, Jan 06, 2025 at 04:44:33PM -0800, Kees Cook wrote:
> > On Mon, Jan 06, 2025 at 10:26:27AM -0800, Jeff Xu wrote:
> > > + Kees because this is related to W^X memfd and security.
> > >
> > >
:Expected exp_args[2] (3134324433)
> == info.entry.args[1] (18446744072548908753)
>
> Fixes: b5bb6d3068ea ("selftests/seccomp: fix 32-bit build warnings")
> Signed-off-by: Dmitry V. Levin
Ah nice, thanks!
Reviewed-by: Kees Cook
--
Kees Cook
On Mon, Jan 06, 2025 at 10:26:27AM -0800, Jeff Xu wrote:
> + Kees because this is related to W^X memfd and security.
>
> On Fri, Jan 3, 2025 at 7:14 AM Jann Horn wrote:
> >
> > On Fri, Dec 6, 2024 at 7:19 PM Lorenzo Stoakes
> > wrote:
> > > On Thu, Dec 0
mode for that?)
Also, why is it too late to cancel? Can we set the module to the
"Unloading" state to stop any dependent modules from loading on top of
it, and then request it unload?
--
Kees Cook
it doesn't hurt to keep.
>
> Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping
> core")
> Cc: sta...@vger.kernel.org
> Cc: Eric W. Biederman
> Acked-by: Oleg Nesterov
> Signed-off-by: Nam Cao
Thanks for fixing this!
Acked-by: Kees Cook
--
Kees Cook
e added by this commit.
This is great! One tiny nit below...
> +#define STACKDUMP_FILE "/tmp/kselftest_stackdump"
Please move this to the local directory (and have the Makefile and/or
test itself clean it up). (Or use mkstemp()) I don't want to have "well
known" filena
rt of
> the subsystem name. So for example, instead of "(supporter:SUBSYSTEM)"
> report "(maintainer:SUBSYSTEM [supported])".
>
> [1]
> https://lore.kernel.org/all/20221006162413.858527-1-bryan.odonog...@linaro.org/
>
> Cc: "Theodore Ts'o&quo
On Sat, Nov 02, 2024 at 11:29:55AM +, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Oct 31, 2024 at 03:10:37PM -0700, Kees Cook wrote:
> > On Wed, 30 Oct 2024 14:37:31 -0600, Tycho Andersen wrote:
> > > Zbigniew mentioned at Linux Plumber's that systemd is intereste
at(AT_EMPTY_PATH) case
https://git.kernel.org/kees/c/7bdc6fc85c9a
[2/2] selftests/exec: add a test for execveat()'s comm
https://git.kernel.org/kees/c/bd104872311a
Take care,
--
Kees Cook
s regardless of bprm->fdpath.
>
> It will be a change of behavior on when executing symlinks and possibly
> mount points but I don't think we care. If we do then we can add make
> it conditional with "if (bprm->fdpath)"
>
> At the very least using the above version unconditionally ought to flush
> out any bugs.
I'm not super comfortable doing this regardless of bprm->fdpath; that
seems like too many cases getting changed. Can we just leave it as
depending on bprm->fdpath?
Also, is d_name.name always going to be set? e.g. what about memfd, etc?
--
Kees Cook
not described in 'kunit_kfree_const'
>
> Reported-by: Stephen Rothwell
> Closes: https://lore.kernel.org/lkml/20240827160631.67e12...@canb.auug.org.au/
> Fixes: f2c6dbd22017 ("kunit: Device wrappers should also manage driver name")
> Signed-off-by: David Gow
Reviewed-by: Kees Cook
--
Kees Cook
suffix before sorting symbols
https://git.kernel.org/kees/c/020925ce9299
[2/2] kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
https://git.kernel.org/kees/c/fb6a421fb615
Take care,
--
Kees Cook
ching is probably not used by a lot of users, so I guess we
> are OK without Fixes tags? I personally don't have a strong preference
> either way.
>
> It is not necessary to invert the order of the two patches. Only applying
> one of the two patches won't cause more issues than what we have today.
Which tree should carry this series?
--
Kees Cook
On Fri, Jul 05, 2024 at 09:10:36AM +0200, Peter Zijlstra wrote:
> On Wed, Jul 03, 2024 at 01:36:19PM -0700, Kees Cook wrote:
>
> > Yes, please use struct_size_t(). This is exactly what it was designed for.
>
> Kees, please, just let up, not going to happen. I'm getting re
() is not.
>
> This hack with __maybe_unused is more readable than the standard
> struct_size() helper that was added specifically for cases like this,
> really?
>
> I wonder if Kees agrees and whether there are any downsides to using
> struct_size()
>
> struct_siz
odpost: missing MODULE_DESCRIPTION() in lib/test_bits.o
>
> Add the missing invocations of the MODULE_DESCRIPTION() macro.
>
> Signed-off-by: Jeff Johnson
Thanks for chasing these down!
Reviewed-by: Kees Cook
--
Kees Cook
thanks!
[1/1] tracing: Add sched_prepare_exec tracepoint
https://git.kernel.org/kees/c/5c5fad46e48c
Take care,
--
Kees Cook
rp=/usr/bin/dmesg filename=/usr/bin/dmesg pid=389 comm=bash
>
> Signed-off-by: Marco Elver
This looks good to me. If tracing wants to take it:
Acked-by: Kees Cook
If not, I can take it in my tree if I get a tracing Ack. :)
-Kees
--
Kees Cook
On Tue, Apr 09, 2024 at 08:25:45PM +0200, Marco Elver wrote:
> On Tue, Apr 09, 2024 at 08:46AM -0700, Kees Cook wrote:
> [...]
> > > + trace_new_exec(current, bprm);
> > > +
> >
> > All other steps in this function have explicit comments about
> > wha
e]
*/
> +TRACE_EVENT(new_exec,
> +
> + TP_PROTO(struct task_struct *task, struct linux_binprm *bprm),
> +
> + TP_ARGS(task, bprm),
> +
> + TP_STRUCT__entry(
> + __string( filename, bprm->filename )
> + __field(pid_t, pid )
&
On Sat, Mar 09, 2024 at 01:51:16PM -0500, Steven Rostedt wrote:
> On Sat, 9 Mar 2024 10:27:47 -0800
> Kees Cook wrote:
>
> > On Tue, Mar 05, 2024 at 08:59:10PM -0500, Steven Rostedt wrote:
> > > This is a way to map a ring buffer instance across reboots.
> >
&
quot; in fs/pstore/ram.c to see how to plumb a new
frontend into the RAM backend.
I continue to want to lift the frontend configuration options up into
the pstore core, since it would avoid a bunch of redundancy, but this is
where we are currently. :)
-Kees
[1] CONFIG_PSTORE et. al. in fs/pstore
t; signed and unsigned overflow sanitizers")
> https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git
> devel/overflow/sanitizers
>
> in testcase: boot
>
> compiler: gcc-11
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please
es
> all be the same")
> Signed-off-by: Steven Rostedt (Google)
Since I reviewed the earlier patch, I will repeat here for the formal
one too. :) Thanks for avoiding the hashing!
Reviewed-by: Kees Cook
--
Kees Cook
On December 21, 2023 4:16:56 AM PST, Michael Ellerman
wrote:
>Cc +Kees
>
>Christophe Leroy writes:
>> Declaring rodata_enabled and mark_rodata_ro() at all time
>> helps removing related #ifdefery in C files.
>>
>> Signed-off-by: Christophe Leroy
>
On Mon, 20 Nov 2023 17:11:41 +0200, Andy Shevchenko wrote:
> A couple of patches are for get the string ops, used in the module,
> slightly harden. On top a few cleanups.
>
> Since the main part is rather hardening, I think the Kees' tree is
> the best fit for the series.
exact situation (casting an error pointer to another type).
>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/1947
> Fixes: 5790b1fb3d67 ("eventfs: Remove eventfs_file and just use
> eventfs_inode")
> Signed-off-by: Nathan Chancellor
Yes, please. That's the correct method to do such casts. Thanks!
Reviewed-by: Kees Cook
--
Kees Cook
how to deal with the global
> W=1 already, tracking all per-subsystem WERRORs is too much...
>
> Link:
> https://lore.kernel.org/all/0da9874b6e9fcbaaa5edeb345d7e2a7c859fc818.1696271334.git.thomas.lenda...@amd.com/
> Signed-off-by: Jakub Kicinski
Yeah, best to have just the global
On Mon, Oct 02, 2023 at 03:48:51PM +0300, Andy Shevchenko wrote:
> A couple of patches are for get the string ops, used in the module,
> slightly harden. On top a few cleanups.
>
> Since the main part is rather hardening, I think the Kees' tree is
> the best fit for the seri
e way or another about using strnlen() here, since we
know the string will be terminated.
-Kees
>
> Signed-off-by: Andy Shevchenko
> ---
> kernel/params.c | 9 ++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/params.c b/kernel/params
@@ -19302,8 +19302,8 @@ F: include/uapi/linux/seccomp.h
F: kernel/seccomp.c
F: tools/testing/selftests/kselftest_harness.h
F: tools/testing/selftests/seccomp/*
-K: \bsecure_computing
-K: \bTIF_SECCOMP\b
+D: \bsecure_computing
+D: \bTIF_SECCOMP\b
SECURE DIGITAL HOST CONTROLLER INTERFACE (SDHCI) Broadcom BRCMSTB DRIVER
M: Kamal Dasu
--
Kees Cook
re are used when rendering:
https://docs.kernel.org/process/maintainers.html
In this case, I assume "D" is inspired by "Diff", so perhaps reword this
to get a proper emphasis hint, and add additional context:
D: *Diff content regex* (perl extended) pattern match that applies
only to patches and not entire files (e.g. when using the
get_maintainers.pl script).
--
Kees Cook
1 - 100 of 4772 matches
Mail list logo
