From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Kardashevskiy, Michael Ellerman, Sasha Levin
Subject: [PATCH 5.10 362/663] powerpc/uaccess: Avoid might_fault() when user access is enabled
Date: Mon, 1 Mar 2021 17:10:10 +0100
Message-Id: <20210301161159.754306241@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210301161141.760350206@linuxfoundation.org>
References: <20210301161141.760350206@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Alexey Kardashevskiy

[ Upstream commit 7d506ca97b665b95e698a53697dad99fae813c1a ]

The amount of code executed with enabled user space access (unlocked KUAP)
should be minimal. However with CONFIG_PROVE_LOCKING or
CONFIG_DEBUG_ATOMIC_SLEEP enabled, might_fault() calls into various parts of
the kernel, and may even end up replaying interrupts which in turn may access
user space and forget to restore the KUAP state.

The problem places are:
1. strncpy_from_user (and similar) which unlock KUAP and call
   unsafe_get_user -> __get_user_allowed -> __get_user_nocheck()
   with do_allow=false to skip KUAP as the caller took care of it.
2. __unsafe_put_user_goto() which is called with unlocked KUAP.

e.g.:
  WARNING: CPU: 30 PID: 1 at arch/powerpc/include/asm/book3s/64/kup.h:324 arch_local_irq_restore+0x160/0x190
  NIP arch_local_irq_restore+0x160/0x190
  LR lock_is_held_type+0x140/0x200
  Call Trace:
    0xc00000007f392ff8 (unreliable)
    ___might_sleep+0x180/0x320
    __might_fault+0x50/0xe0
    filldir64+0x2d0/0x5d0
    call_filldir+0xc8/0x180
    ext4_readdir+0x948/0xb40
    iterate_dir+0x1ec/0x240
    sys_getdents64+0x80/0x290
    system_call_exception+0x160/0x280
    system_call_common+0xf0/0x27c

Change __get_user_nocheck() to look at `do_allow` to decide whether to
skip might_fault(). Since strncpy_from_user/etc call might_fault() anyway
before unlocking KUAP, there should be no visible change.

Drop might_fault() in __unsafe_put_user_goto() as it is only called from
unsafe_put_user(), which already has KUAP unlocked.

Since keeping might_fault() is still desirable for debugging, add calls to
it in user_[read|write]_access_begin(). That also allows us to drop the
is_kernel_addr() test, because there should be no code using
user_[read|write]_access_begin() in order to access a kernel address.

Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
Signed-off-by: Alexey Kardashevskiy
[mpe: Combine with related patch from myself, merge change logs]
Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210204121612.32721-1-aik@ozlabs.ru Signed-off-by: Sasha Levin --- arch/powerpc/include/asm/uaccess.h | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index 501c9a79038c0..f53bfefb4a577 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -216,8 +216,6 @@ do { \ #define __put_user_nocheck_goto(x, ptr, size, label) \ do { \ __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ - if (!is_kernel_addr((unsigned long)__pu_addr)) \ - might_fault(); \ __chk_user_ptr(ptr); \ __put_user_size_goto((x), __pu_addr, (size), label); \ } while (0) @@ -313,7 +311,7 @@ do { \ __typeof__(size) __gu_size = (size); \ \ __chk_user_ptr(__gu_addr); \ - if (!is_kernel_addr((unsigned long)__gu_addr)) \ + if (do_allow && !is_kernel_addr((unsigned long)__gu_addr)) \ might_fault(); \ barrier_nospec(); \ if (do_allow) \ @@ -508,6 +506,9 @@ static __must_check inline bool user_access_begin(const void __user *ptr, size_t { if (unlikely(!access_ok(ptr, len))) return false; + + might_fault(); + allow_read_write_user((void __user *)ptr, ptr, len); return true; } @@ -521,6 +522,9 @@ user_read_access_begin(const void __user *ptr, size_t len) { if (unlikely(!access_ok(ptr, len))) return false; + + might_fault(); + allow_read_from_user(ptr, len); return true; } @@ -532,6 +536,9 @@ user_write_access_begin(const void __user *ptr, size_t len) { if (unlikely(!access_ok(ptr, len))) return false; + + might_fault(); + allow_write_to_user((void __user *)ptr, len); return true; } -- 2.27.0
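Review bot: The change log says might_fault() is dropped from __unsafe_put_user_goto(), but the first hunk edits `#define __put_user_nocheck_goto(x, ptr, size, label)`; please name the macro the diff actually touches, or spell out how the two relate, so the log and the hunk agree. With the `if (!is_kernel_addr((unsigned long)__pu_addr))` / `might_fault();` pair removed, the macro now silently depends on its caller having already unlocked KUAP and already run the might_fault() check; a one-line comment above the define stating that precondition would keep a future caller from using it outside a user_write_access_begin() region and losing the debug check without noticing.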
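Review bot: In the __get_user_nocheck hunk, `if (do_allow && !is_kernel_addr((unsigned long)__gu_addr))` places might_fault() before the `if (do_allow)` unlock, which is the right order, but the do_allow=false path now performs no might_fault() at all and relies on the caller (strncpy_from_user and similar, per the log) having made that check before it unlocked KUAP. Nothing in the macro enforces that, so a comment at the do_allow parameter saying "caller has unlocked KUAP and already called might_fault()" would document the contract the log describes.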
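Review bot: The same insertion (`+ might_fault();` after the `access_ok(ptr, len)` check and before the allow_*_user() call) appears three times, in user_access_begin(), user_read_access_begin() and user_write_access_begin(). The position is the important part: it runs while KUAP is still locked, which is exactly what the log needs, and after access_ok() has rejected bad pointers. Three identical copies with no comment invite one of them to drift on a later edit; consider a short comment on the first one explaining why might_fault() must precede allow_*_user() (it may call into lock debugging and replay interrupts, as the log says), or a tiny shared helper so the ordering is written once.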
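The ordering rule the change log describes, as a constructed user-space model added here; it is not kernel code and not part of the patch. The names `allow_read_from_user`, `prevent_read_from_user`, `get_user_nocheck` and `strncpy_from_user_model` are stand-ins chosen for this example, `model_might_fault()` collapses the whole lock-debugging path into a single "KUAP still unlocked" check, and the `gate_on_do_allow` flag is an assumption used only to switch between the pre-patch and post-patch placement of that check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the KUAP ordering problem from the change log.
 * The names echo the kernel helpers so the flow is recognisable, but
 * every body here is a stand-in written for this example, not kernel code.
 */

static bool kuap_unlocked;   /* true while user space access is allowed */
static int  kuap_warnings;   /* times the debug check ran with KUAP unlocked */

static void allow_read_from_user(void)   { kuap_unlocked = true; }
static void prevent_read_from_user(void) { kuap_unlocked = false; }

/*
 * Stand-in for might_fault() under CONFIG_PROVE_LOCKING. The change log
 * says it calls into other parts of the kernel and may replay interrupts,
 * and the quoted trace shows the warning raised from arch_local_irq_restore
 * on that path. The model reduces all of that to "warn if KUAP is unlocked".
 */
static void model_might_fault(void)
{
    if (kuap_unlocked)
        kuap_warnings++;
}

/*
 * Stand-in for __get_user_nocheck(): with do_allow the helper unlocks KUAP
 * itself; without it the caller has already done so. gate_on_do_allow=false
 * is the pre-patch behaviour (might_fault() unconditionally), true is the
 * patched one (might_fault() only when this helper does the unlock).
 */
static char get_user_nocheck(const char *src, bool do_allow, bool gate_on_do_allow)
{
    char c;

    if (!gate_on_do_allow || do_allow)
        model_might_fault();
    if (do_allow)
        allow_read_from_user();
    c = *src;                      /* the user access itself */
    if (do_allow)
        prevent_read_from_user();
    return c;
}

/*
 * Stand-in for strncpy_from_user(): runs its own might_fault() first, then
 * unlocks KUAP once and copies with do_allow=false, the "problem place 1"
 * shape from the change log. Returns how many times the check fired while
 * KUAP was unlocked.
 */
static int strncpy_from_user_model(char *dst, const char *src, size_t n,
                                   bool gate_on_do_allow)
{
    size_t i;

    kuap_warnings = 0;
    model_might_fault();           /* legitimate: KUAP is still locked here */
    allow_read_from_user();
    for (i = 0; i < n; i++) {
        dst[i] = get_user_nocheck(&src[i], false, gate_on_do_allow);
        if (dst[i] == '\0')
            break;
    }
    prevent_read_from_user();
    return kuap_warnings;
}

int main(void)
{
    char out[8];
    const char in[] = "abc";     /* constructed "user" buffer */

    printf("pre-patch warnings:  %d\n", strncpy_from_user_model(out, in, sizeof out, false));
    printf("post-patch warnings: %d\n", strncpy_from_user_model(out, in, sizeof out, true));
    return 0;
}
```

With the check inside the unlocked window, every character the strncpy_from_user stand-in copies (including the terminating NUL) trips the warning once; gating it on do_allow leaves only the single legitimate check that runs before the unlock. The model does not reproduce the interrupt replay itself, only the state such a replay would observe.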