Subject: Re: [PATCH] MIPS: Fix strnlen_user access check
To: Jinyang He, Thomas Bogendoerfer
References: <1618139092-4018-1-git-send-email-hejinyang@loongson.cn>
Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org
From: Tiezhu Yang
Message-ID: <1634fae6-4a39-0e60-2cd1-b41ee4bc3996@loongson.cn>
Date: Mon, 12 Apr 2021 15:08:03 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 04/12/2021 11:02 AM, Tiezhu Yang wrote:
> On 04/11/2021 07:04 PM, Jinyang He wrote:
>> Commit 04324f44cb69 ("MIPS: Remove get_fs/set_fs") brought a problem for
>> strnlen_user(). Jump out when checking access_ok() with condition that
>> (s + strlen(s)) < __UA_LIMIT <= (s + n). The old __strnlen_user_asm()
>> just checked (ua_limit & s) without checking (ua_limit & (s + n)).
>> Therefore, find strlen from s to __UA_LIMIT - 1 in that condition.
>>
>> Signed-off-by: Jinyang He
>> ---
>> arch/mips/include/asm/uaccess.h | 11 +++++++++-- >> 1 file changed, 9 insertions(+), 2 deletions(-) >> >> diff --git a/arch/mips/include/asm/uaccess.h >> b/arch/mips/include/asm/uaccess.h >> index 91bc7fb..85ba0c8 100644 >> --- a/arch/mips/include/asm/uaccess.h >> +++ b/arch/mips/include/asm/uaccess.h >> @@ -630,8 +630,15 @@ static inline long strnlen_user(const char >> __user *s, long n) >> { >> long res; >> - if (!access_ok(s, n)) >> - return -0; >> + if (unlikely(n <= 0)) >> + return 0; >> + >> + if (!access_ok(s, n)) { >> + if (!access_ok(s, 0)) >> + return 0; >> + >> + n = __UA_LIMIT - (unsigned long)s - 1; >> + } >> might_fault(); >> __asm__ __volatile__(
>
> The following simple changes are OK to fix this issue?
>
> diff --git a/arch/mips/include/asm/uaccess.h > b/arch/mips/include/asm/uaccess.h > index 91bc7fb..eafc99b 100644 > --- a/arch/mips/include/asm/uaccess.h > +++ b/arch/mips/include/asm/uaccess.h
> @@ -630,8 +630,8 @@ static inline long strnlen_user(const char __user > *s, long n) > { > long res; > > - if (!access_ok(s, n)) > - return -0; > + if (!access_ok(s, 1)) > + return 0; > > might_fault(); > __asm__ __volatile__(
>
> Thanks,
> Tiezhu
>

Hi all,

Here is some detailed info about the background and analysis process; I hope it
is useful for understanding this issue.

When updating the kernel with the latest mips-next, we cannot log in through a
graphical interface. This is because the drm radeon GPU driver does not work; we
cannot see the boot message "[drm] radeon kernel modesetting enabled."
through the serial console.

drivers/gpu/drm/radeon/radeon_drv.c
static int __init radeon_module_init(void)
{
        [...]
        DRM_INFO("radeon kernel modesetting enabled.\n");
        [...]
}

I used git bisect to find that commit 04324f44cb69 ("MIPS: Remove get_fs/set_fs")
is the first bad commit:

$ git bisect log
git bisect start
# good: [666c1fc90cd82184624d4cc5d124c66025f89a47] mips: bmips: bcm63268: populate device tree nodes
git bisect good 666c1fc90cd82184624d4cc5d124c66025f89a47
# bad: [e86e75596623e1ce5d784db8214687326712a8ae] MIPS: octeon: Add __raw_copy_[from|to|in]_user symbols
git bisect bad e86e75596623e1ce5d784db8214687326712a8ae
# good: [45deb5faeb9e02951361ceba5ffee721745661c3] MIPS: uaccess: Remove get_fs/set_fs call sites
git bisect good 45deb5faeb9e02951361ceba5ffee721745661c3
# bad: [5e65c52ec716af6e8f51dacdaeb4a4d872249af1] MIPS: Loongson64: Use _CACHE_UNCACHED instead of _CACHE_UNCACHED_ACCELERATED
git bisect bad 5e65c52ec716af6e8f51dacdaeb4a4d872249af1
# bad: [04324f44cb69a03fdc8f2ee52386a4fdf6a0043b] MIPS: Remove get_fs/set_fs
git bisect bad 04324f44cb69a03fdc8f2ee52386a4fdf6a0043b
# first bad commit: [04324f44cb69a03fdc8f2ee52386a4fdf6a0043b] MIPS: Remove get_fs/set_fs

I analyzed and tested the changes in the above first bad commit and found
the following obvious difference, which leads to the login issue.

arch/mips/include/asm/uaccess.h
static inline long strnlen_user(const char __user *s, long n)
{
        [...]
        if (!access_ok(s, n))
                return -0;
        [...]
}

Thanks,
Tiezhu
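
Review bot: in Jinyang He's hunk, the clamp `n = __UA_LIMIT - (unsigned long)s - 1;` subtracts from __UA_LIMIT as if it were the first invalid address, while the commit message describes the old check as a mask test, `(ua_limit & s)`. Please add a comment above the clamp saying which meaning applies here, whether the subtraction is valid on every configuration, and why the extra `- 1` is needed. The inner `access_ok(s, 0)` is also the only thing that keeps `s` itself below the limit before the subtraction, which deserves a comment of its own, since a reader could take it for a redundant check and remove it.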
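
Review bot: in Tiezhu Yang's hunk, `access_ok(s, 1)` validates only the first byte, so `n` no longer takes part in any check before `might_fault()` and the asm scan. That is safe only if the scan itself stops or faults cleanly at the user limit, which these lines do not show; a comment stating that guarantee belongs next to the check. A zero or negative `n` also reaches the asm unchecked with this version, so consider keeping the `if (unlikely(n <= 0)) return 0;` guard from the first patch.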