From: Michael Ellerman
To: linuxppc-dev@lists.ozlabs.org
Cc: aik@ozlabs.ru
Subject: [PATCH 2/2] powerpc/uaccess: Move might_fault() into user_access_begin()
Date: Tue, 9 Feb 2021 00:57:17 +1100
Message-Id: <20210208135717.2618798-2-mpe@ellerman.id.au>
In-Reply-To: <20210208135717.2618798-1-mpe@ellerman.id.au>

We have a might_fault() check in __unsafe_put_user_goto(), but that is
dangerous as it potentially calls lots of code while user access is
enabled.

It also triggers the check Alexey added to the irq restore path to
catch cases like that:

  WARNING: CPU: 30 PID: 1 at arch/powerpc/include/asm/book3s/64/kup.h:324 arch_local_irq_restore+0x160/0x190
  NIP arch_local_irq_restore+0x160/0x190
  LR lock_is_held_type+0x140/0x200
  Call Trace:
    0xc00000007f392ff8 (unreliable)
    ___might_sleep+0x180/0x320
    __might_fault+0x50/0xe0
    filldir64+0x2d0/0x5d0
    call_filldir+0xc8/0x180
    ext4_readdir+0x948/0xb40
    iterate_dir+0x1ec/0x240
    sys_getdents64+0x80/0x290
    system_call_exception+0x160/0x280
    system_call_common+0xf0/0x27c

So remove the might fault check from unsafe_put_user().

Any call to unsafe_put_user() must be inside a region that's had user
access enabled with user_access_begin(), so move the might_fault() in
there. That also allows us to drop the is_kernel_addr() test, because
there should be no code using user_access_begin() in order to access a
kernel address.

Signed-off-by: Michael Ellerman
---
 arch/powerpc/include/asm/uaccess.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index 70347ee34c94..71640eca7341 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -214,8 +214,6 @@ do { \ #define __unsafe_put_user_goto(x, ptr, size, label) \ do { \ __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ - if (!is_kernel_addr((unsigned long)__pu_addr)) \ - might_fault(); \ __chk_user_ptr(ptr); \ __put_user_size_goto((x), __pu_addr, (size), label); \ } while (0) @@ -494,6 +492,8 @@ extern void memcpy_page_flushcache(char *to, struct page *page, size_t offset, static __must_check inline bool user_access_begin(const void __user *ptr, size_t len) { + might_fault(); + if (unlikely(!access_ok(ptr, len))) return false; allow_read_write_user((void __user *)ptr, ptr, len); -- 2.25.1
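
Review bot: In the first hunk (@@ -214,8 +214,6 @@), __unsafe_put_user_goto() is left with no statement of the precondition the commit message relies on, namely that every caller is already inside a region opened with user_access_begin(). With the might_fault() gone from the macro, a caller that reaches it some other way no longer gets any sleep-in-atomic check, and nothing in the macro says so. A short comment above the #define stating that the caller must have user access enabled via user_access_begin(), and that might_fault() is done there, would keep that contract visible next to the code that depends on it.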
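
Review bot: In the second hunk (@@ -494,6 +492,8 @@), the new might_fault() in user_access_begin() is unconditional, so the is_kernel_addr() filter dropped from the macro is replaced only by the commit message's assumption that no caller passes a kernel address; nothing in the visible code enforces or checks that. The placement ahead of allow_read_write_user() is also what makes the change safe, since it keeps the might_fault() path from running with user access enabled, but the hunk does not record that ordering constraint. Consider a one-line comment on the might_fault() call saying it must stay before allow_read_write_user(), so a later reshuffle of this function does not reintroduce the warning quoted in the changelog.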