From: Eric Lin
CC: Eric Lin, Alan Kao
Subject: [PATCH v2 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines
Date: Thu, 3 Dec 2020 14:48:26 +0800
Message-ID: <20201203064826.30832-3-tesheng@andestech.com>
In-Reply-To: <20201203064826.30832-1-tesheng@andestech.com>

We found this issue in a legacy out-of-tree kernel module which didn't properly access user space pointer by get/put_user(). Such an illegal access loops in the page fault handler. To resolve this, let it die here.

Signed-off-by: Eric Lin
Cc: Alan Kao
--- arch/riscv/mm/fault.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c index 0bcfd0e1b39e..00884c1bac28 100644 --- a/arch/riscv/mm/fault.c +++ b/arch/riscv/mm/fault.c @@ -245,6 +245,11 @@ asmlinkage void do_page_fault(struct pt_regs *regs) if (user_mode(regs)) flags |= FAULT_FLAG_USER; + if (!user_mode(regs) && addr < TASK_SIZE && + unlikely(!(regs->status & SR_SUM))) + die_kernel_fault("access to user memory without uaccess routines", + addr, regs); + perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); if (cause == EXC_STORE_PAGE_FAULT) -- 2.17.0
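Review bot: the added check in do_page_fault() carries no comment saying why a clear SR_SUM bit in regs->status marks an access made outside the uaccess routines, and the commit message states that such an access loops in the fault handler without giving the reason. A short comment above the `if` stating the invariant being relied on (a kernel-mode fault on an address below TASK_SIZE with SUM clear cannot be resolved by handling the fault, so retrying would fault again) would make the die_kernel_fault() call self-explanatory and let a reader confirm the check does not catch legitimate get/put_user() faults. Two smaller points on the same lines: the new condition re-tests user_mode(regs) immediately after the existing `if (user_mode(regs))`, so it could be the `else` branch of that statement, and unlikely() wraps only the SR_SUM test rather than the whole condition.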