From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Vishal Chourasia <vishalc@linux.ibm.com>,
Anjali K <anjalik@linux.ibm.com>,
Srikar Dronamraju <srikar@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 35/59] powerpc/pseries: Whitelist dtl slub object for copying to userspace
Date: Thu, 25 Jul 2024 16:37:25 +0200 [thread overview]
Message-ID: <20240725142734.591357943@linuxfoundation.org> (raw)
In-Reply-To: <20240725142733.262322603@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anjali K <anjalik@linux.ibm.com>
[ Upstream commit 1a14150e1656f7a332a943154fc486504db4d586 ]
Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*
results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as
shown below.
kernel BUG at mm/usercopy.c:102!
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc
scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse
CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85
Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries
NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8
REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)
MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e
CFAR: c0000000001fdc80 IRQMASK: 0
[ ... GPRs omitted ... ]
NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0
LR [c0000000005d23d0] usercopy_abort+0x74/0xb0
Call Trace:
usercopy_abort+0x74/0xb0 (unreliable)
__check_heap_object+0xf8/0x120
check_heap_object+0x218/0x240
__check_object_size+0x84/0x1a4
dtl_file_read+0x17c/0x2c4
full_proxy_read+0x8c/0x110
vfs_read+0xdc/0x3a0
ksys_read+0x84/0x144
system_call_exception+0x124/0x330
system_call_vectored_common+0x15c/0x2ec
--- interrupt: 3000 at 0x7fff81f3ab34
Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
requires that only whitelisted areas in slab/slub objects can be copied to
userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.
Dtl contains hypervisor dispatch events which are expected to be read by
privileged users. Hence mark this safe for user access.
Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the
entire object.
Co-developed-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Anjali K <anjalik@linux.ibm.com>
Reviewed-by: Srikar Dronamraju <srikar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240614173844.746818-1-anjalik@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index 822be2680b792..8e4a2e8aee114 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -312,8 +312,8 @@ static int alloc_dispatch_log_kmem_cache(void)
{
void (*ctor)(void *) = get_dtl_cache_ctor();
- dtl_cache = kmem_cache_create("dtl", DISPATCH_LOG_BYTES,
- DISPATCH_LOG_BYTES, 0, ctor);
+ dtl_cache = kmem_cache_create_usercopy("dtl", DISPATCH_LOG_BYTES,
+ DISPATCH_LOG_BYTES, 0, 0, DISPATCH_LOG_BYTES, ctor);
if (!dtl_cache) {
pr_warn("Failed to create dispatch trace log buffer cache\n");
pr_warn("Stolen time statistics will be unreliable\n");
--
2.43.0
next prev parent reply other threads:[~2024-07-25 14:48 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 14:36 [PATCH 5.10 00/59] 5.10.223-rc1 review Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 01/59] gcc-plugins: Rename last_stmt() for GCC 14+ Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 02/59] filelock: Remove locks reliably when fcntl/close race is detected Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 03/59] scsi: qedf: Set qed_slowpath_params to zero before use Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 04/59] ACPI: EC: Abort address space access upon error Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 05/59] ACPI: EC: Avoid returning AE_OK on errors in address space handler Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 06/59] wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 07/59] wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 08/59] selftests/openat2: Fix build warnings on ppc64 Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.10 09/59] Input: silead - Always support 10 fingers Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 10/59] net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 11/59] ila: block BH in ila_output() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 12/59] arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 13/59] null_blk: fix validation of block size Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 14/59] kconfig: gconf: give a proper initial state to the Save button Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 15/59] kconfig: remove wrong expr_trans_bool() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 16/59] fs/file: fix the check in find_next_fd() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 17/59] mei: demote client disconnect warning on suspend to debug Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 18/59] wifi: cfg80211: wext: add extra SIOCSIWSCAN data check Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 19/59] KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 20/59] ALSA: hda/realtek: Add more codec ID to no shutup pins list Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 21/59] mips: fix compat_sys_lseek syscall Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 22/59] Input: elantech - fix touchpad state on resume for Lenovo N24 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 23/59] Input: i8042 - add Ayaneo Kun to i8042 quirk table Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 24/59] bytcr_rt5640 : inverse jack detect for Archos 101 cesium Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 25/59] ALSA: dmaengine: Synchronize dma channel after drop() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 26/59] ASoC: ti: davinci-mcasp: Set min period size using FIFO config Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 27/59] ASoC: ti: omap-hdmi: Fix too long driver name Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 28/59] can: kvaser_usb: fix return value for hif_usb_send_regout Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 29/59] s390/sclp: Fix sclp_init() cleanup on failure Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 30/59] btrfs: qgroup: fix quota root leak after quota disable failure Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 31/59] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 32/59] ALSA: dmaengine_pcm: terminate dmaengine before synchronize Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 33/59] net: usb: qmi_wwan: add Telit FN912 compositions Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 34/59] net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() Greg Kroah-Hartman
2024-07-25 14:37 ` Greg Kroah-Hartman [this message]
2024-07-25 14:37 ` [PATCH 5.10 36/59] powerpc/eeh: avoid possible crash when edev->pdev changes Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 37/59] scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 38/59] Bluetooth: hci_core: cancel all works upon hci_unregister_dev() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 39/59] fs: better handle deep ancestor chains in is_subdir() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 40/59] spi: imx: Dont expect DMA for i.MX{25,35,50,51,53} cspi devices Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 41/59] selftests/vDSO: fix clang build errors and warnings Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 42/59] hfsplus: fix uninit-value in copy_name Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 43/59] spi: mux: set ctlr->bits_per_word_mask Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 44/59] ARM: 9324/1: fix get_user() broken with veneer Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 45/59] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 46/59] bpf: Fix overrunning reservations in ringbuf Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 47/59] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 48/59] scsi: core: Fix a use-after-free Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 49/59] ext4: fix error code saved on super block during file system abort Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 50/59] ext4: Send notifications on error Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 51/59] drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 52/59] net: relax socket state check at accept time Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 53/59] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 54/59] jfs: dont walk off the end of ealist Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 55/59] ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 56/59] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 57/59] arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 58/59] ALSA: pcm_dmaengine: Dont synchronize DMA channel when DMA is paused Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.10 59/59] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 17:36 ` [PATCH 5.10 00/59] 5.10.223-rc1 review ChromeOS Kernel Stable Merge
2024-07-26 4:19 ` Dominique Martinet
2024-07-26 8:10 ` Pavel Machek
2024-07-26 11:35 ` Mark Brown
2024-07-26 17:12 ` Jon Hunter
2024-07-26 17:27 ` Florian Fainelli
2024-07-26 17:33 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725142734.591357943@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anjalik@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=srikar@linux.ibm.com \
--cc=stable@vger.kernel.org \
--cc=vishalc@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.