Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3228536pxb; Sun, 7 Feb 2021 02:11:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJzqDFE0gjr+jaNSmjFV3UBkQWrxL8NTvGwhW6OJIslO3KvPxKaObEWh0GxcCtCZ4XPJLoge X-Received: by 2002:a17:906:8617:: with SMTP id o23mr12019850ejx.289.1612692683933; Sun, 07 Feb 2021 02:11:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612692683; cv=none; d=google.com; s=arc-20160816; b=cjmSldwCxvHDA34wY5aVnZlkzdUI2L+Mt2r1ptyDgXViDEXJllY3mIUD4QfMhRMsBc 8LRdK6zvTppRUkSxdeZmO16AqDIDJsc01zOf0wmZYm21hLlBSSXZUgemQVUhVAOdoK/N U6k1206UQbhdewqWX/moOgKHWRfBf/wNa+kOisLhXDQvYNNUvnI//0iLe7kjZn5PGx// qA8RhFFoJubObwXIs1N0C5CQpE7iWjk0SClsfNsApj7+RNNzs57s7UylOxlZ7DYgW6I2 XYKek2/cH0+uPwvekEz/s8ddxzxt1ePvUt8/MWOasrK5PWUKXkcjm3GviZCIcgOC1I3c EAdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:date:cc:to:subject:from:message-id; bh=QGhZk6nAEpzWEk2XglL3w/vGnZoJQpu1+2RY0p9q3xQ=; b=0FNqGiKakTLP/m9bxmaSFUyn2wC5iTD4Y615j7vRNM5piEZmvuL6UAJMrl0xwMk50F L1ul0K6uXYL2KkN7/6TSEs3A76Ycgu+DIkyNRq7mwqNS/oaLuR4aNYKgvm7Fg3Vbfvtn wF4rcudixEuowrBOupdEgS2ToEqUZZO0oxX/RJpPHueabo9aZQRGHUElegjuqUy6HUjQ dFWnwhdNrQc/jCaZrjWVAQTYQ/PTEXbGxTawTCltJ7wslG58jMnhtLAuK35YfxDa6LSc 1Gyy7zmPFDlIvZLdh+EX/kTFAwZ4khkJtkn03wGW2bo9Ohd4sBLPVyCCOppUm0kLWW9m Fm3Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hx7si8604263ejc.316.2021.02.07.02.11.00; Sun, 07 Feb 2021 02:11:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229692AbhBGKJq (ORCPT + 99 others); Sun, 7 Feb 2021 05:09:46 -0500 Received: from pegase1.c-s.fr ([93.17.236.30]:20870 "EHLO pegase1.c-s.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229787AbhBGKJC (ORCPT ); Sun, 7 Feb 2021 05:09:02 -0500 Received: from localhost (mailhub1-int [192.168.12.234]) by localhost (Postfix) with ESMTP id 4DYPx466cDz9txrK; Sun, 7 Feb 2021 11:08:08 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at c-s.fr Received: from pegase1.c-s.fr ([192.168.12.234]) by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024) with ESMTP id kzuzDFmCJECz; Sun, 7 Feb 2021 11:08:08 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase1.c-s.fr (Postfix) with ESMTP id 4DYPx45CBFz9txrJ; Sun, 7 Feb 2021 11:08:08 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id C15038B788; Sun, 7 Feb 2021 11:08:11 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id dp6qCZ_f1S0i; Sun, 7 Feb 2021 11:08:11 +0100 (CET) Received: from po16121vm.idsi0.si.c-s.fr (unknown [192.168.4.90]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 7D8698B766; Sun, 7 Feb 2021 11:08:11 +0100 (CET) Received: by po16121vm.idsi0.si.c-s.fr (Postfix, from userid 0) id 4A964672C0; Sun, 7 Feb 2021 10:08:11 +0000 (UTC) Message-Id: From: Christophe Leroy Subject: [PATCH] powerpc/uaccess: Perform barrier_nospec() in KUAP allowance helpers To: Benjamin Herrenschmidt , Paul Mackerras , Michael Ellerman , cmr@codefail.de Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Date: Sun, 7 Feb 2021 10:08:11 +0000 (UTC) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org barrier_nospec() in uaccess helpers is there to protect against speculative accesses around access_ok(). When using user_access_begin() sequences together with unsafe_get_user() like macros, barrier_nospec() is called for every single read although we know the access_ok() is done onece. Since all user accesses must be granted by a call to either allow_read_from_user() or allow_read_write_user() which will always happen after the access_ok() check, move the barrier_nospec() there. Reported-by: Christopher M. Riedl Signed-off-by: Christophe Leroy --- arch/powerpc/include/asm/kup.h | 2 ++ arch/powerpc/include/asm/uaccess.h | 12 +----------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h index bf221a2a523e..7ec21af49a45 100644 --- a/arch/powerpc/include/asm/kup.h +++ b/arch/powerpc/include/asm/kup.h @@ -91,6 +91,7 @@ static __always_inline void setup_kup(void) static inline void allow_read_from_user(const void __user *from, unsigned long size) { + barrier_nospec(); allow_user_access(NULL, from, size, KUAP_READ); } @@ -102,6 +103,7 @@ static inline void allow_write_to_user(void __user *to, unsigned long size) static inline void allow_read_write_user(void __user *to, const void __user *from, unsigned long size) { + barrier_nospec(); allow_user_access(to, from, size, KUAP_READ_WRITE); } diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index 501c9a79038c..46123ae6a4c9 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -315,7 +315,6 @@ do { \ __chk_user_ptr(__gu_addr); \ if (!is_kernel_addr((unsigned long)__gu_addr)) \ might_fault(); \ - barrier_nospec(); \ if (do_allow) \ __get_user_size(__gu_val, __gu_addr, __gu_size, __gu_err); \ else \ @@ -333,10 +332,8 @@ do { \ __typeof__(size) __gu_size = (size); \ \ might_fault(); \ - if (access_ok(__gu_addr, __gu_size)) { \ - barrier_nospec(); \ + if (access_ok(__gu_addr, __gu_size)) \ __get_user_size(__gu_val, __gu_addr, __gu_size, __gu_err); \ - } \ (x) = (__force __typeof__(*(ptr)))__gu_val; \ \ __gu_err; \ @@ -350,7 +347,6 @@ do { \ __typeof__(size) __gu_size = (size); \ \ __chk_user_ptr(__gu_addr); \ - barrier_nospec(); \ __get_user_size(__gu_val, __gu_addr, __gu_size, __gu_err); \ (x) = (__force __typeof__(*(ptr)))__gu_val; \ \ @@ -395,7 +391,6 @@ raw_copy_in_user(void __user *to, const void __user *from, unsigned long n) { unsigned long ret; - barrier_nospec(); allow_read_write_user(to, from, n); ret = __copy_tofrom_user(to, from, n); prevent_read_write_user(to, from, n); @@ -412,19 +407,15 @@ static inline unsigned long raw_copy_from_user(void *to, switch (n) { case 1: - barrier_nospec(); __get_user_size(*(u8 *)to, from, 1, ret); break; case 2: - barrier_nospec(); __get_user_size(*(u16 *)to, from, 2, ret); break; case 4: - barrier_nospec(); __get_user_size(*(u32 *)to, from, 4, ret); break; case 8: - barrier_nospec(); __get_user_size(*(u64 *)to, from, 8, ret); break; } @@ -432,7 +423,6 @@ static inline unsigned long raw_copy_from_user(void *to, return 0; } - barrier_nospec(); allow_read_from_user(from, n); ret = __copy_tofrom_user((__force void __user *)to, from, n); prevent_read_from_user(from, n); -- 2.25.0