Compatibility with grsecurity kernels #1070
Draft
minipli-oss wants to merge 58 commits into NVIDIA:main from
The return type is expected to be 'enum drm_mode_status', fix that. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
nvswitch_task_dispatch() is supposed to be of type nv_q_func_t which expects a void pointer argument. Fix that to make it compatible with strongly type-based CFI implementations like RAP, as found in grsecurity. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The return type should be 'void' as all users of tmrCtrlCmdEventCreate() pass a 'void (*)(void *)' function pointer. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
gcc warns about the use of the wrong enum type, fix that!
.../src/nvidia/src/kernel/gpu/mem_mgr/arch/maxwell/virt_mem_allocator_gm107.c:1720:76: warning: implicit conversion from ‘GMMU_APERTURE’ to ‘FB_CACHE_MEMTYPE’ [-Wenum-conversion]
1720 | kmemsysCacheOp_HAL(pGpu, GPU_GET_KERNEL_MEMORY_SYSTEM(pGpu), NULL, aperture, FB_CACHE_INVALIDATE);
| ^~~~~~~~
.../src/nvidia/generated/g_kern_mem_sys_nvoc.h:632:135: note: in definition of macro ‘kmemsysCacheOp_HAL’
632 | #define kmemsysCacheOp_HAL(pGpu, pKernelMemorySystem, arg3, arg4, operation) kmemsysCacheOp_DISPATCH(pGpu, pKernelMemorySystem, arg3, arg4, operation)
| ^~~~
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
In case tmrEventCreate() fails, we will copy the uninitialized value of the stack local variable 'pEvent' and expose it to the caller. Prevent that by initializing it to NULL, as all other users do. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Targets added to 'clean-files' shouldn't have the '$(obj)/' prefix or won't be found for the 'make clean' target. Fix that to ensure 'nv_compiler.h' will be removed on 'make clean'. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The drm_connector_helper_funcs.mode_valid() hook is expected to return a
'enum drm_mode_status' since Linux commit 0993f1d0d8a1 ("drm: Make the
connector mode_valid() func return a drm_mode_status enum") merged in
v3.14.
Add a conftest test for it to fix that without breaking older kernels.
The test is slightly evolved as C considers mismatched enum vs. int
return types as compatible but they still violate CFI checks for
advanced implementations like RAP as found in grsecurity.
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
There is no need to initialize 'g_exported_uvm_events' at runtime, initialize at compile time. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Actual implementations of the NVEvoSubDevRec.scanLockState hook want an 'NVEvoLockAction'-typed 'action' argument. Fix that. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Test the kernel for having RANDSTRUCT enabled and break the build, if it is as this would otherwise lead to ABI-incompatibilities with the OS-agnostic part that doesn't get compiled with RANDSTRUCT enabled. A visible outcome of this would be calling the wrong callback function via structures that purely consist of function pointers (which RANDSTRUCT randomizes). Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Get rid of system header includes in preparation for upcoming kbuild support which prevents their usage via -nostdinc. The change is mostly mechanic, by making use of appropriate substitutes:
- stddef.h gets replaced by a new nv-stddef.h header that uses kernel headers when appropriate defines are set or the regular system header otherwise,
- stdarg.h gets replaced by nv_stdarg.h, which already uses kernel headers, if needed
For softfloat the additional headers get wrapped:
- stdbool.h, which makes use of Linux's <linux/types.h> for kernel builds and the system's <stdbool.h> otherwise.
- stdint.h, which also makes use of Linux's <linux/types.h> for kernel builds but also provide the missing [u]int_fast*_t typedefs
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Use designated initializers for initializing static nvswitch discovery handler objects to resolve incompatibilities with Linux's RANDSTRUCT gcc plugin. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Use designated initializers for initializing static Nv3dHal objects to resolve incompatibilities with Linux's RANDSTRUCT gcc plugin. Signed-off-by: PaX Team <pageexec@freemail.hu> Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Use designated initializers for initializing NvKmsNvPushImports to resolve incompatibilities with Linux's RANDSTRUCT gcc plugin. Signed-off-by: PaX Team <pageexec@freemail.hu> Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Use designated initializers for initializing static MMU walk callback objects to resolve incompatibilities with Linux's RANDSTRUCT gcc plugin. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Make the union of GPUHWREG use proper flexible arrays to avoid UBSAN out-of-bounds warnings when accessing hardware registers. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Define 'NULL' directly instead of depending on system headers to do so. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The ASSIGN_PER_OBJ_CFLAGS helper tries to support older kbuild versions that used the full path as the target-stem by not only assigning the basenamed "CFLAGS_" variable but also one with the full path. However, if the object file's directory part is empty, ASSIGN_PER_OBJ_CFLAGS would add the flags twice, as "$(notdir $(1))" and "$(1)" evaluate to the same. Avoid that by filtering duplicates via $(sort ...). Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Provide an ASSIGN_PER_OBJ_CFLAGS_REMOVE macro to be able to set per-object-file CFLAGS_REMOVE variables. For it to be effective, move the *.Kbuild include to after setting early cflags, allowing to override these via ASSIGN_PER_OBJ_CFLAGS_REMOVE. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Add support for the GENERATE_NVIDSTRING macro for pure kbuild-based builds. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Provide ASSIGN_PER_OBJ_LDFLAGS and ASSIGN_PER_OBJ_OBJCOPYFLAGS macros that can be used to set per-object-file LDFLAGS and OBJCOPYFLAGS variables. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Add rules to work around kbuild's lack of compound object file support for modules. It's implemented by building stub modules composed of the object files intended to group plus kernel-open/common/mod_stub.o for the .modinfo bits which get stripped by an intermediate objcopy call. The stub module should be named $foo.stub.o, the created (and depended on) object file will be called $foo.clean.o. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Don't build the regular modules during preparation, which is an intermediate step for full kbuild support. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Extract compiler flags into defs.mk for reuse by upcoming kbuild support. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Move the definitions of LINKER_SCRIPT and EXPORTS_LINK_COMMAND to srcs.mk. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Provide a Kbuild file to be able to build src/nvidia/ using Linux's kbuild. It's meant to be included by kernel-open/nvidia/. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Support building the dependent src/nv-kernel.o using Linux's kbuild. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Try to deduce a fitting C++ compiler from the kernel's config and pass it as CXX to the kernel's make file. This is required for the upcoming kbuild support. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Wrap C++-defined types and keywords prior to including Linux kernel headers to avoid clashing with the ones defined there. This is required for the upcoming kbuild support which cannot make use of standard system headers but has to rely on kernel headers. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Make sure to always declare xz_crc32_init() in xz.h as nvidia-3d-fermi.c unconditionally makes use of it. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The preprocessor symbol DP_OPTION_AUTO_ENABLE_MST_STREAM_ENCR doesn't get defined by the build system, causing build errors under '-Werror=undef'. Fix that by providing a default definition of 0 for it. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Extract compiler flags into defs.mk as well as shaders to srcs.mk for reuse by upcoming kbuild support. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Provide a Kbuild file to be able to build src/nvidia-modeset/ using Linux's kbuild. It's meant to be included by kernel-open/nvidia-modeset/. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The C++ code of nv-modeset-kernel.o causes a lot of comdat sections to be generated which interferes badly with objtool trying to instrument / reference these, especially when some of the comdat sections do get dropped during linking of the final module. Resolve this issue by collapsing the comdat sections early and squashing the scattered sections with the help of a linker script. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Support building the dependent src/nvidia-modeset-kernel.o using Linux's kbuild. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Add experimental support for using the Linux kernel's kbuild system to not only compile code below kernel-open/ but src/ as well. The build is still done in two phases, as in first building src/, then kernel-open/ as otherwise the build would run into errors, trying to link too many objects, hitting shell command argument limits. Compiling the code below src/ via kbuild is needed to, e.g., support more recent kernel features like IBT or to add required marker locations via objtool for features like RETHUNK. Using kbuild is disabled by default and needs to be explicitly opt-in via `make USE_KBUILD=1`. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The RANDSTRUCT limitation isn't needed when all sources get compiled with kbuild. Guard it like that. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The grsecurity kernel patch changes the return type and 'len' argument type to ssize_t and size_t respectively. Add a test for this to add support for grsecurity. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The grsecurity kernel patch makes use of "unchecked" variants of the various atomic* types to lower instrumentation overhead. Add a test for the type and make use of it, where required. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Mark the anonymous *ops union of uvm_hal_class_ops_t '__no_const' to fix the build for grsecurity kernels which try to enforce making types of only function pointers const. This won't be possible for uvm_hal_class_ops_t as it has non-function-pointer members too. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
…ompatibility grsecurity's private kernel stack feature demands 'struct nv_kthread_q_item' objects to be moved off the stack as different threads cannot access each other's kernel stacks. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Make "HAL" types which are either embedded in larger types that often get modified 'no_const' or 'mutable_const' if they're only rarely written to, to fix build errors for grsecurity kernels which try to enforce making instances of these types const otherwise. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The following gcc plugins in grsecurity are incompatible with C++ code as of now:
- SIZE_OVERFLOW: lacks METHOD_TYPE handling and likely many other tree types,
- RESPECTRE: similar reasons as for SIZE_OVERFLOW, just too complex,
- AUTOSLAB: same, but also not needed, as C++ memory allocations get proxied by DisplayPort::Object::new which calls dpMalloc() which is implemented in C and therefore does get instrumented by AUTOSLAB.
Forcibly disable these plugins for C++ code. The lack of instrumenting C++ code has no impact on the rest of the kernel. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Using --gc-sections for dropping unused sections also removes crucial sections like .alt_instructions or .return_sites which are needed for instrumenting code on module load according to the CPU mitigations and features supported / needed by a given system. Disable --gc-sections and related linker and compiler flags for kbuild builds. Disabling --gc-sections also prevents the symbol localization trick for memset and memcpy from working, leaving these symbols defined in the final object instead of getting dropped. This prevents them from getting replaced by the kernel's implementation, causing endless loops at runtime, as memset() is implemented to call os_mem_set() which itself just calls memset(). The fix for this is to just skip gcc_helper.o from getting linked and leaving memset / memcpy undefined. The module loader will resolve them. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Make "IFACES" types which are embedded in larger types that often get modified 'no_const' to fix build errors for grsecurity kernels which try to enforce making instances of these types const otherwise. TODO: Implement this as a cocci script, as this is touching generated code. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
nv_work_item_t is embedding a function pointer union, grsecurity tries to constify. Mark it 'no_const' to fix the build. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
MMU_WALK_CALLBACKS would normally be forcibly constified. However, gvaspaceExternalRootDirCommit_IMPL() wants to modify such objects to override certain members. Make the type 'mutable_const' to allow that under grsecurity kernels. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
…ompatible The compiler warns about mismatched function pointer types for 'pTimeProc'. Use a union for the temporary type punning. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Make 'pioFuncs' and 'memFuncs' static const instances and use designated initializers, avoiding build breakage under grsecurity kernels. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
grsecurity's private kernel stack feature demands 'struct THREAD_STATE_NODE' objects to be moved off the stack as different threads cannot access each other's kernel stacks. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The sources below src/nvidia/generated/ violate type constraints enforced by grsecurity's RANDSTRUCT or PaX's RAP. Support preprocessing these via coccinelle scripts to fix these prior to compiling them. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
The 'rcp_hal_init' filter needs recountdiff from patchutils! Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Hook up the various coccinelle scripts so they're actually used. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
We lack the generation of the thunks. Signed-off-by: Mathias Krause <minipli@grsecurity.net>
5e3d6b1 to 6be9dae
Building atop of the kbuild changes (#1069), this branch contains changes required for grsecurity compatibility. It adds compatibility for KERNEXEC, CONSTIFY, PRIVATE_KSTACKS, RESPECTRE, AUTOSLAB and SIZE_OVERFLOW.
Some of the features need to be disabled when compiling C++ code. However, it either doesn't matter (AUTOSLAB wouldn't instrument anything as all allocations get mapped to a single C-wrapper function anyway) or can be handled by a post-processing step in objtool (adding missing `.return_sites` section and alike).
As grsecurity makes use of ASM alternatives also for its compiler plugin based instrumentation, `--gc-sections` needs to be dropped (and as a consequence `-ffunction-sections -fdata-sections` as well), as otherwise critical sections would be dropped as well (`.alt_instructions`, `.return_sites`, ...). This leads to bigger modules but seems to have no other negative effect beside the "neat symbol localization trick" for `memcpy()` and `memset()` no longer working, causing endless loops in `os_mem_set()` calling `memset()` from gcc_helper.c calling `os_mem_set()` calling…. I fixed that by simply not linking gcc_helper.o at all and leaving these symbols unresolved, ready for the module loader to pick them up.
The biggest change, however, is making the code base compatible with RAP, grsecurity's implementation of a CFI scheme. RAP is quite picky when it comes to function (pointer) signatures and mismatches of such either during function pointer assignments or calls at runtime. Lots of the function signature mismatches are in code below `src/nvidia/generated/` which seems to be, well, generated code. Patching it by hand makes no sense, so I implemented support for mangling sources prior to compilation using coccinelle to apply semantic patches that will fix these (commits 5f55948 and following up to 308485f as yes, the pFunc mangling patches aren't ready yet :/). They're incomplete and probably shouldn't be integrated anyway as the better solution would be generating clean code from the beginning instead of trying to retroactively mangle it further. That, however, is a change you guys have to do on your side.
Finally, 6be9dae is just a note about a memory leak we noticed via AUTOSLAB. But as this is referring to some internal bug 4292180, I didn't "fix" it.
Therefore this is just an RFC, how to get changes in or workflows adapted on your side.
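The RANDSTRUCT points in the commit messages above (designated initializers, and the ABI mismatch with objects built without RANDSTRUCT), as an added example that is not code from this pull request or the NVIDIA sources. The struct names, callbacks and the permuted member order are hypothetical; the permutation is written out by hand to stand in for a layout the plugin could choose.

```c
#include <stdio.h>
#include <string.h>

typedef const char *(*cb_t)(void);
static const char *do_open(void)  { return "open"; }
static const char *do_close(void) { return "close"; }
static const char *do_reset(void) { return "reset"; }

/* Member order as written in the source (hypothetical ops struct). */
struct ops_declared { cb_t open, close, reset; };
/* Same members in a constructed permutation, standing in for the
 * layout a RANDSTRUCT build could pick for this struct. */
struct ops_shuffled { cb_t reset, open, close; };

_Static_assert(sizeof(struct ops_declared) == sizeof(struct ops_shuffled),
               "both layouts hold the same three pointers");

/* Positional initializer: binds by slot, so it follows the layout. */
static const struct ops_shuffled pos = { do_open, do_close, do_reset };
/* Designated initializer: binds by name, independent of the layout. */
static const struct ops_shuffled des = {
    .open = do_open, .close = do_close, .reset = do_reset,
};

/* Slot 1 of the shuffled layout is 'open', but it was given do_close. */
const char *open_via_positional(void) { return pos.open(); }
/* Name-based binding still reaches do_open. */
const char *open_via_designated(void) { return des.open(); }

/* ABI mismatch: a correctly initialized object with the shuffled layout
 * is handed to code compiled against the declared layout, as happens
 * when one side is built without RANDSTRUCT. */
const char *open_across_abi(void)
{
    struct ops_declared seen;
    memcpy(&seen, &des, sizeof(seen));
    return seen.open(); /* reads slot 0, which holds 'reset' */
}

int main(void)
{
    printf("positional: open() -> %s\n", open_via_positional());
    printf("designated: open() -> %s\n", open_via_designated());
    printf("across ABI: open() -> %s\n", open_across_abi());
    return 0;
}
```

Designated initializers fix the first case only; the third case is why the branch breaks the build when RANDSTRUCT is enabled and part of the code is compiled outside kbuild.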