* [PATCH] x86: Add missing might_fault() from copy_{to,from}_user()
@ 2009-11-16 14:42 Frederic Weisbecker
  2009-11-16 15:09 ` Ingo Molnar
  2009-11-16 16:10 ` [tip:x86/asm] x86: Add missing might_fault() checks to copy_{to,from}_user() tip-bot for Frederic Weisbecker
  0 siblings, 2 replies; 4+ messages in thread
From: Frederic Weisbecker @ 2009-11-16 14:42 UTC (permalink / raw)
  To: Ingo Molnar, Thomas Gleixner, H. Peter Anvin, Ingo Molnar
  Cc: LKML, Frederic Weisbecker

In x86-64, copy_to/from_user() rely on assembly routines that never
call might_fault(), so we miss various lockdep checks.

This doesn't apply to __copy_from,to_user() that explicitly handle
these calls, neither is it a problem in x86-32 where
copy_to,from_user() rely on the "__" prefixed versions that also call
might_fault().

Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
---
 arch/x86/include/asm/uaccess_64.h |   10 +++++++++-
 arch/x86/lib/copy_user_64.S       |    4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 7adebac..46324c6 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -19,7 +19,7 @@ __must_check unsigned long
 copy_user_generic(void *to, const void *from, unsigned len);
 
 __must_check unsigned long
-copy_to_user(void __user *to, const void *from, unsigned len);
+_copy_to_user(void __user *to, const void *from, unsigned len);
 __must_check unsigned long
 _copy_from_user(void *to, const void __user *from, unsigned len);
 __must_check unsigned long
@@ -32,6 +32,7 @@ static inline unsigned long __must_check copy_from_user(void *to,
 	int sz = __compiletime_object_size(to);
 	int ret = -EFAULT;
 
+	might_fault();
 	if (likely(sz == -1 || sz >= n))
 		ret = _copy_from_user(to, from, n);
 #ifdef CONFIG_DEBUG_VM
@@ -41,6 +42,13 @@ static inline unsigned long __must_check copy_from_user(void *to,
 	return ret;
 }
 
+static __always_inline __must_check
+int copy_to_user(void __user *dst, const void *src, unsigned size)
+{
+	might_fault();
+
+	return _copy_to_user(dst, src, size);
+}
 
 static __always_inline __must_check
 int __copy_from_user(void *dst, const void __user *src, unsigned size)
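Review bot: The new `copy_to_user()` wrapper is declared `int`, but the `_copy_to_user()` it forwards to is declared `__must_check unsigned long` in the first hunk of this file, and the `copy_from_user()` wrapper named in the hunk header returns `unsigned long`; the count of uncopied bytes is therefore narrowed, and a residue above INT_MAX could come back negative. Callers that only test for non-zero are unaffected, but I would keep the types aligned: `unsigned long copy_to_user(void __user *dst, const void *src, unsigned size)`. Unlike `copy_from_user()`, which bounds the copy with `__compiletime_object_size(to)`, the wrapper has no equivalent check on the kernel-side `src` buffer; whether one is wanted is worth deciding, since an oversized copy in this direction discloses kernel memory to user space. The same hunk appears again in the tip-bot version of the commit further down the thread.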
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index 3936998..cf889d4 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -65,7 +65,7 @@
 	.endm
 
 /* Standard copy_to_user with segment limit checking */
-ENTRY(copy_to_user)
+ENTRY(_copy_to_user)
 	CFI_STARTPROC
 	GET_THREAD_INFO(%rax)
 	movq %rdi,%rcx
@@ -75,7 +75,7 @@ ENTRY(copy_to_user)
 	jae bad_to_user
 	ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
 	CFI_ENDPROC
-ENDPROC(copy_to_user)
+ENDPROC(_copy_to_user)
 
 /* Standard copy_from_user with segment limit checking */
 ENTRY(_copy_from_user)
-- 
1.6.2.3



* Re: [PATCH] x86: Add missing might_fault() from copy_{to,from}_user()
  2009-11-16 14:42 [PATCH] x86: Add missing might_fault() from copy_{to,from}_user() Frederic Weisbecker
@ 2009-11-16 15:09 ` Ingo Molnar
  2009-11-16 15:12   ` Frederic Weisbecker
  2009-11-16 16:10 ` [tip:x86/asm] x86: Add missing might_fault() checks to copy_{to,from}_user() tip-bot for Frederic Weisbecker
  1 sibling, 1 reply; 4+ messages in thread
From: Ingo Molnar @ 2009-11-16 15:09 UTC (permalink / raw)
  To: Frederic Weisbecker
  Cc: Thomas Gleixner, H. Peter Anvin, LKML, Peter Zijlstra,
	Linus Torvalds, Arjan van de Ven


* Frederic Weisbecker <fweisbec@gmail.com> wrote:

> In x86-64, copy_to/from_user() rely on assembly routines that never
> call might_fault(), making us missing various lockdep checks.
> 
> This doesn't apply to __copy_from,to_user() that explicitly handle
> these calls, neither is it a problem in x86-32 where
> copy_to,from_user() rely on the "__" prefixed versions that also call
> might_fault().
> 
> Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
> ---
>  arch/x86/include/asm/uaccess_64.h |   10 +++++++++-
>  arch/x86/lib/copy_user_64.S       |    4 ++--
>  2 files changed, 11 insertions(+), 3 deletions(-)

Looks good - other than that you missed the renaming of the symbol 
export line in arch/x86/kernel/x8664_ksyms_64.c, which i fixed.

Thanks,

	Ingo


* Re: [PATCH] x86: Add missing might_fault() from copy_{to,from}_user()
  2009-11-16 15:09 ` Ingo Molnar
@ 2009-11-16 15:12   ` Frederic Weisbecker
  0 siblings, 0 replies; 4+ messages in thread
From: Frederic Weisbecker @ 2009-11-16 15:12 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: Thomas Gleixner, H. Peter Anvin, LKML, Peter Zijlstra,
	Linus Torvalds, Arjan van de Ven

On Mon, Nov 16, 2009 at 04:09:37PM +0100, Ingo Molnar wrote:
> 
> * Frederic Weisbecker <fweisbec@gmail.com> wrote:
> 
> > In x86-64, copy_to/from_user() rely on assembly routines that never
> > call might_fault(), making us missing various lockdep checks.
> > 
> > This doesn't apply to __copy_from,to_user() that explicitly handle
> > these calls, neither is it a problem in x86-32 where
> > copy_to,from_user() rely on the "__" prefixed versions that also call
> > might_fault().
> > 
> > Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
> > ---
> >  arch/x86/include/asm/uaccess_64.h |   10 +++++++++-
> >  arch/x86/lib/copy_user_64.S       |    4 ++--
> >  2 files changed, 11 insertions(+), 3 deletions(-)
> 
> Looks good - other than that you missed the renaming of the symbol 
> export line in arch/x86/kernel/x8664_ksyms_64.c, which i fixed.



Oops, sorry!

 
> Thanks,
> 
> 	Ingo



* [tip:x86/asm] x86: Add missing might_fault() checks to copy_{to,from}_user()
  2009-11-16 14:42 [PATCH] x86: Add missing might_fault() from copy_{to,from}_user() Frederic Weisbecker
  2009-11-16 15:09 ` Ingo Molnar
@ 2009-11-16 16:10 ` tip-bot for Frederic Weisbecker
  1 sibling, 0 replies; 4+ messages in thread
From: tip-bot for Frederic Weisbecker @ 2009-11-16 16:10 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: linux-kernel, hpa, mingo, a.p.zijlstra, torvalds, arjan, npiggin,
	fweisbec, tglx, mingo

Commit-ID:  3c93ca00eeeb774c7dd666cc7286a9e90c53e998
Gitweb:     http://git.kernel.org/tip/3c93ca00eeeb774c7dd666cc7286a9e90c53e998
Author:     Frederic Weisbecker <fweisbec@gmail.com>
AuthorDate: Mon, 16 Nov 2009 15:42:18 +0100
Committer:  Ingo Molnar <mingo@elte.hu>
CommitDate: Mon, 16 Nov 2009 16:09:52 +0100

x86: Add missing might_fault() checks to copy_{to,from}_user()

On x86-64, copy_[to|from]_user() rely on assembly routines that
never call might_fault(), so we miss various lockdep
checks.

This doesn't apply to __copy_from,to_user() that explicitly
handle these calls, neither is it a problem in x86-32 where
copy_to,from_user() rely on the "__" prefixed versions that
also call might_fault().

Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nick Piggin <npiggin@suse.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <1258382538-30979-1-git-send-email-fweisbec@gmail.com>
[ v2: fix module export ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 arch/x86/include/asm/uaccess_64.h |   10 +++++++++-
 arch/x86/kernel/x8664_ksyms_64.c  |    2 +-
 arch/x86/lib/copy_user_64.S       |    4 ++--
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 7adebac..46324c6 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -19,7 +19,7 @@ __must_check unsigned long
 copy_user_generic(void *to, const void *from, unsigned len);
 
 __must_check unsigned long
-copy_to_user(void __user *to, const void *from, unsigned len);
+_copy_to_user(void __user *to, const void *from, unsigned len);
 __must_check unsigned long
 _copy_from_user(void *to, const void __user *from, unsigned len);
 __must_check unsigned long
@@ -32,6 +32,7 @@ static inline unsigned long __must_check copy_from_user(void *to,
 	int sz = __compiletime_object_size(to);
 	int ret = -EFAULT;
 
+	might_fault();
 	if (likely(sz == -1 || sz >= n))
 		ret = _copy_from_user(to, from, n);
 #ifdef CONFIG_DEBUG_VM
@@ -41,6 +42,13 @@ static inline unsigned long __must_check copy_from_user(void *to,
 	return ret;
 }
 
+static __always_inline __must_check
+int copy_to_user(void __user *dst, const void *src, unsigned size)
+{
+	might_fault();
+
+	return _copy_to_user(dst, src, size);
+}
 
 static __always_inline __must_check
 int __copy_from_user(void *dst, const void __user *src, unsigned size)
diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
index cd54276..a102976 100644
--- a/arch/x86/kernel/x8664_ksyms_64.c
+++ b/arch/x86/kernel/x8664_ksyms_64.c
@@ -31,7 +31,7 @@ EXPORT_SYMBOL(__put_user_8);
 EXPORT_SYMBOL(copy_user_generic);
 EXPORT_SYMBOL(__copy_user_nocache);
 EXPORT_SYMBOL(_copy_from_user);
-EXPORT_SYMBOL(copy_to_user);
+EXPORT_SYMBOL(_copy_to_user);
 
 EXPORT_SYMBOL(copy_page);
 EXPORT_SYMBOL(clear_page);
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index 3936998..cf889d4 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -65,7 +65,7 @@
 	.endm
 
 /* Standard copy_to_user with segment limit checking */
-ENTRY(copy_to_user)
+ENTRY(_copy_to_user)
 	CFI_STARTPROC
 	GET_THREAD_INFO(%rax)
 	movq %rdi,%rcx
@@ -75,7 +75,7 @@ ENTRY(copy_to_user)
 	jae bad_to_user
 	ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
 	CFI_ENDPROC
-ENDPROC(copy_to_user)
+ENDPROC(_copy_to_user)
 
 /* Standard copy_from_user with segment limit checking */
 ENTRY(_copy_from_user)
