From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7FBBC19F2D for ; Sat, 13 Aug 2022 12:41:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239448AbiHMMlS (ORCPT ); Sat, 13 Aug 2022 08:41:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232003AbiHMMlQ (ORCPT ); Sat, 13 Aug 2022 08:41:16 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 529F411448 for ; Sat, 13 Aug 2022 05:41:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E7795B80113 for ; Sat, 13 Aug 2022 12:41:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F08CC433D6; Sat, 13 Aug 2022 12:41:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660394472; bh=BwhmGEnUt6L/OGmm04bUsjiq95UO23/suSVbzYwlk1w=; h=Subject:To:Cc:From:Date:From; b=EWkaeBiQcq2vYo7gklEXK0dHfYXrYL41FjQxiqkcxT1XcunN1CzMOjx6kAHfWbSOt UvZkiB3ONsh+TbNQV/QXThOMjq8nib7u5/6DpQ3EEJ4oJLjjrV0hs3+2h72RSB50/8 yb6RJQmaySomOyXljf5BMXXSxj0jKoidiMuKrOz8= Subject: FAILED: patch "[PATCH] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit" failed to apply to 5.4-stable tree To: chenlifu@huawei.com, ben.dooks@codethink.co.uk, palmer@rivosinc.com Cc: From: Date: Sat, 13 Aug 2022 14:40:57 +0200 Message-ID: <1660394457110183@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c08b4848f596fd95543197463b5162bd7bab2442 Mon Sep 17 00:00:00 2001 From: Chen Lifu Date: Wed, 15 Jun 2022 09:47:14 +0800 Subject: [PATCH] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), if __clear_user and __copy_user return from an fixup branch, CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that S-mode memory accesses to pages that are accessible by U-mode will success. Disable S-mode access to U-mode memory should clear SR_SUM bit. Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") Signed-off-by: Chen Lifu Reviewed-by: Ben Dooks Link: https://lore.kernel.org/r/20220615014714.1650349-1-chenlifu@huawei.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S index 8c475f4da308..ec486e5369d9 100644 --- a/arch/riscv/lib/uaccess.S +++ b/arch/riscv/lib/uaccess.S @@ -175,7 +175,7 @@ ENTRY(__asm_copy_from_user) /* Exception fixup code */ 10: /* Disable access to user memory */ - csrs CSR_STATUS, t6 + csrc CSR_STATUS, t6 mv a0, t5 ret ENDPROC(__asm_copy_to_user) @@ -227,7 +227,7 @@ ENTRY(__clear_user) /* Exception fixup code */ 11: /* Disable access to user memory */ - csrs CSR_STATUS, t6 + csrc CSR_STATUS, t6 mv a0, a1 ret ENDPROC(__clear_user)