From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Christian Marillat <marillat@debian.org>,
Romain Dolbeau <romain@dolbeau.org>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 5.4 046/104] powerpc/mm/hash: Fix sharing context ids between kernel & userspace
Date: Tue, 28 Jan 2020 15:00:07 +0100 [thread overview]
Message-ID: <20200128135824.089383317@linuxfoundation.org> (raw)
In-Reply-To: <20200128135817.238524998@linuxfoundation.org>
From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
commit 5d2e5dd5849b4ef5e8ec35e812cdb732c13cd27e upstream.
Commit 0034d395f89d ("powerpc/mm/hash64: Map all the kernel regions in
the same 0xc range") has a bug in the definition of MIN_USER_CONTEXT.
The result is that the context id used for the vmemmap and the lowest
context id handed out to userspace are the same. The context id is
essentially the process identifier as far as the first stage of the
MMU translation is concerned.
This can result in multiple SLB entries with the same VSID (Virtual
Segment ID), accessible to the kernel and some random userspace
process that happens to get the overlapping id, which is not expected
eg:
07 c00c000008000000 40066bdea7000500 1T ESID= c00c00 VSID= 66bdea7 LLP:100
12 0002000008000000 40066bdea7000d80 1T ESID= 200 VSID= 66bdea7 LLP:100
Even though the user process and the kernel use the same VSID, the
permissions in the hash page table prevent the user process from
reading or writing to any kernel mappings.
It can also lead to SLB entries with different base page size
encodings (LLP), eg:
05 c00c000008000000 00006bde0053b500 256M ESID=c00c00000 VSID= 6bde0053b LLP:100
09 0000000008000000 00006bde0053bc80 256M ESID= 0 VSID= 6bde0053b LLP: 0
Such SLB entries can result in machine checks, eg. as seen on a G5:
Oops: Machine check, sig: 7 [#1]
BE PAGE SIZE=64K MU-Hash SMP NR_CPUS=4 NUMA Power Mac
NIP: c00000000026f248 LR: c000000000295e58 CTR: 0000000000000000
REGS: c0000000erfd3d70 TRAP: 0200 Tainted: G M (5.5.0-rcl-gcc-8.2.0-00010-g228b667d8ea1)
MSR: 9000000000109032 <SF,HV,EE,ME,IR,DR,RI> CR: 24282048 XER: 00000000
DAR: c00c000000612c80 DSISR: 00000400 IRQMASK: 0
...
NIP [c00000000026f248] .kmem_cache_free+0x58/0x140
LR [c088000008295e58] .putname 8x88/0xa
Call Trace:
.putname+0xB8/0xa
.filename_lookup.part.76+0xbe/0x160
.do_faccessat+0xe0/0x380
system_call+0x5c/ex68
This happens with 256MB segments and 64K pages, as the duplicate VSID
is hit with the first vmemmap segment and the first user segment, and
older 32-bit userspace maps things in the first user segment.
On other CPUs a machine check is not seen. Instead the userspace
process can get stuck continuously faulting, with the fault never
properly serviced, due to the kernel not understanding that there is
already a HPTE for the address but with inaccessible permissions.
On machines with 1T segments we've not seen the bug hit other than by
deliberately exercising it. That seems to be just a matter of luck
though, due to the typical layout of the user virtual address space
and the ranges of vmemmap that are typically populated.
To fix it we add 2 to MIN_USER_CONTEXT. This ensures the lowest
context given to userspace doesn't overlap with the VMEMMAP context,
or with the context for INVALID_REGION_ID.
Fixes: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel regions in the same 0xc range")
Cc: stable@vger.kernel.org # v5.2+
Reported-by: Christian Marillat <marillat@debian.org>
Reported-by: Romain Dolbeau <romain@dolbeau.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
[mpe: Account for INVALID_REGION_ID, mostly rewrite change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200123102547.11623-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
@@ -600,8 +600,11 @@ extern void slb_set_size(u16 size);
*
*/
#define MAX_USER_CONTEXT ((ASM_CONST(1) << CONTEXT_BITS) - 2)
+
+// The + 2 accounts for INVALID_REGION and 1 more to avoid overlap with kernel
#define MIN_USER_CONTEXT (MAX_KERNEL_CTX_CNT + MAX_VMALLOC_CTX_CNT + \
- MAX_IO_CTX_CNT + MAX_VMEMMAP_CTX_CNT)
+ MAX_IO_CTX_CNT + MAX_VMEMMAP_CTX_CNT + 2)
+
/*
* For platforms that support on 65bit VA we limit the context bits
*/
next prev parent reply other threads:[~2020-01-28 14:06 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-28 13:59 [PATCH 5.4 000/104] 5.4.16-stable review Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 001/104] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 002/104] firestream: fix memory leaks Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 003/104] gtp: make sure only SOCK_DGRAM UDP sockets are accepted Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 004/104] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 005/104] net: bcmgenet: Use netif_tx_napi_add() for TX NAPI Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 006/104] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 007/104] net: ip6_gre: fix moving ip6gre between namespaces Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 008/104] net, ip6_tunnel: fix namespaces move Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 009/104] net, ip_tunnel: " Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 010/104] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 011/104] net_sched: fix datalen for ematch Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 012/104] net_sched: use validated TCA_KIND attribute in tc_new_tfilter() Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 013/104] net-sysfs: Fix reference count leak Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 014/104] net: usb: lan78xx: Add .ndo_features_check Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 015/104] Revert "udp: do rmem bulk free even if the rx sk queue is empty" Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 016/104] tcp_bbr: improve arithmetic division in bbr_update_bw() Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 017/104] tcp: do not leave dangling pointers in tp->highest_sack Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 018/104] tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 019/104] airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 020/104] airo: Add missing CAP_NET_ADMIN check " Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 021/104] mlxsw: spectrum_acl: Fix use-after-free during reload Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 022/104] fou: Fix IPv6 netlink policy Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 023/104] net: Fix packet reordering caused by GRO and listified RX cooperation Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 024/104] net/mlx5: Fix lowest FDB pool size Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 025/104] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 026/104] net/mlx5: DR, Enable counter on non-fwd-dest objects Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 027/104] net/mlx5: E-Switch, Prevent ingress rate configuration of uplink rep Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 028/104] net/mlx5: DR, use non preemptible call to get the current cpu number Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 029/104] net/mlx5e: kTLS, Fix corner-case checks in TX resync flow Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 030/104] net/mlx5e: kTLS, Remove redundant posts " Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 031/104] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 032/104] ipv4: Detect rollover in specific fib table dump Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 033/104] Revert "io_uring: only allow submit from owning task" Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 034/104] afs: Fix characters allowed into cell names Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 035/104] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 036/104] hwmon: (core) Do not use device managed functions for memory allocations Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 037/104] ceph: hold extra reference to r_parent over life of request Greg Kroah-Hartman
2020-01-28 13:59 ` [PATCH 5.4 038/104] PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 039/104] drm/panfrost: Add the panfrost_gem_mapping concept Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 040/104] drm/i915: Align engine->uabi_class/instance with i915_drm.h Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 041/104] PM: hibernate: fix crashes with init_on_free=1 Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 042/104] tracing: trigger: Replace unneeded RCU-list traversals Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 043/104] tracing/uprobe: Fix double perf_event linking on multiprobe uprobe Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 044/104] tracing: Do not set trace clock if tracefs lockdown is in effect Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 045/104] tracing: Fix histogram code when expression has same var as value Greg Kroah-Hartman
2020-01-28 14:00 ` Greg Kroah-Hartman [this message]
2020-01-28 14:00 ` [PATCH 5.4 047/104] powerpc/xive: Discard ESB load value when interrupt is invalid Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 048/104] Revert "iwlwifi: mvm: fix scan config command size" Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 049/104] iwlwifi: mvm: dont send the IWL_MVM_RXQ_NSSN_SYNC notif to Rx queues Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 050/104] XArray: Fix infinite loop with entry at ULONG_MAX Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 051/104] XArray: Fix xa_find_after with multi-index entries Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 052/104] XArray: Fix xas_find returning too many entries Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 053/104] pinctrl: sunrisepoint: Add missing Interrupt Status register offset Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 054/104] iommu/vt-d: Call __dmar_remove_one_dev_info with valid pointer Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 055/104] Input: keyspan-remote - fix control-message timeouts Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 056/104] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers" Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 057/104] ARM: 8950/1: ftrace/recordmcount: filter relocation types Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 058/104] mmc: tegra: fix SDR50 tuning override Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 059/104] mmc: sdhci: fix minimum clock rate for v3 controller Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 060/104] mmc: sdhci_am654: Remove Inverted Write Protect flag Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 061/104] mmc: sdhci_am654: Reset Command and Data line after tuning Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 062/104] mlxsw: switchx2: Do not modify cloned SKBs during xmit Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 063/104] net/tls: fix async operation Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 064/104] Input: pm8xxx-vib - fix handling of separate enable register Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 065/104] Input: sur40 - fix interface sanity checks Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 066/104] Input: gtco - fix endpoint sanity check Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 067/104] Input: aiptek " Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 068/104] Input: pegasus_notetaker " Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 069/104] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 070/104] netfilter: nft_osf: add missing check for DREG attribute Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 071/104] lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 072/104] iommu/amd: Fix IOMMU perf counter clobbering during init Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 073/104] readdir: make user_access_begin() use the real access range Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 074/104] leds: gpio: Fix uninitialized gpio label for fwnode based probe Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 075/104] hsr: Fix a compilation error Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 076/104] hwmon: (nct7802) Fix voltage limits to wrong registers Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 077/104] hwmon: (nct7802) Fix non-working alarm on voltages Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 078/104] scsi: RDMA/isert: Fix a recently introduced regression related to logout Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 079/104] tracing: xen: Ordered comparison of function pointers Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 080/104] iwlwifi: mvm: fix SKB leak on invalid queue Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 081/104] iwlwifi: mvm: fix potential SKB leak on TXQ TX Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 082/104] drm/i915/userptr: fix size calculation Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 083/104] xfrm: support output_mark for offload ESP packets Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 084/104] net, sk_msg: Dont check if sock is locked when tearing down psock Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 085/104] do_last(): fetch directory ->i_mode and ->i_uid before its too late Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 086/104] readdir: be more conservative with directory entry names Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 087/104] net/sonic: Add mutual exclusion for accessing shared state Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 088/104] net/sonic: Clear interrupt flags immediately Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 089/104] net/sonic: Use MMIO accessors Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 090/104] net/sonic: Fix interface error stats collection Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 091/104] net/sonic: Fix receive buffer handling Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 092/104] net/sonic: Avoid needless receive descriptor EOL flag updates Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 093/104] net/sonic: Improve receive descriptor status flag check Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 094/104] net/sonic: Fix receive buffer replenishment Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 095/104] net/sonic: Quiesce SONIC before re-initializing descriptor memory Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 096/104] net/sonic: Fix command register usage Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 097/104] net/sonic: Fix CAM initialization Greg Kroah-Hartman
2020-01-28 14:00 ` [PATCH 5.4 098/104] net/sonic: Prevent tx watchdog timeout Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 099/104] libertas: Fix two buffer overflows at parsing bss descriptor Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 100/104] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 101/104] netfilter: ipset: use bitmap infrastructure completely Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 102/104] netfilter: nf_tables: add __nft_chain_type_get() Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 103/104] netfilter: nf_tables: autoload modules from the abort path Greg Kroah-Hartman
2020-01-28 14:01 ` [PATCH 5.4 104/104] net/x25: fix nonblocking connect Greg Kroah-Hartman
2020-01-28 23:00 ` [PATCH 5.4 000/104] 5.4.16-stable review shuah
2020-01-29 6:17 ` Greg Kroah-Hartman
2020-01-29 4:57 ` Naresh Kamboju
2020-01-29 6:18 ` Greg Kroah-Hartman
2020-01-29 13:16 ` Jon Hunter
2020-01-29 13:43 ` Greg Kroah-Hartman
2020-01-29 14:43 ` Guenter Roeck
2020-01-29 15:36 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200128135824.089383317@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aneesh.kumar@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marillat@debian.org \
--cc=mpe@ellerman.id.au \
--cc=romain@dolbeau.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).