Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3542988pxj;
        Mon, 24 May 2021 09:02:24 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzmK3zA6c62weZTCUmHP/qslEQHspota7OwkXFyTYt5PNAXZcbZ/6fKp1877CPrIfXhSnVN
X-Received: by 2002:a02:7f57:: with SMTP id r84mr27029731jac.108.1621872144634;
        Mon, 24 May 2021 09:02:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621872144; cv=none;
        d=google.com; s=arc-20160816;
        b=hmc24A3jat7iaRC4ICpPU8PRro663iTHQI2fRebpRHh+gAXevmZLXwmzFfQdBoYoBh
         JeYMwp4pKD7RoJ2AT0QimC0XtpBQ+SLMBBJ1SZpNvTz+b2lGGKMQzI6A4/BLoKOH03De
         ezqmxEQLFNVNjw9HcvvMF9gtyn0m1yO9MEcXD4H0EWbOjXw6Xeli4GRQSeKYJsltHQUa
         rGXah5i9IJJfJfptsTHWHIG5XCTxOocMFl/U/XV/UTqjyDjPa3MtyMp7Da5d6HCDJSxU
         8/cK/xzuDxmVWOKKH0foCbZd0B3WZ/eVgCg+hrSjMXtWgOtetmyBqlyB24wybLk3ohWF
         9QfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=FDY4e+X6KhJH7KcxFixToQ1F6cmlDdfKtsADuYm/j9I=;
        b=qOpyvpQYKHwlLbTO5lMy+BlSLcXu3fDRC1VY137SZutFgFAvPuMFwHIuGuqi4fM6l1
         SI8D+L/Iu6LeAwc3AcbUWwQfmMluvAFB0GrXtOrABIC1YLHcBCBE9//sppjT4U5XSv7N
         e/ZnhvDSP4p7UrgGNyj6J5xx32sDtkPBdLR3sUknRv7KnRimt0MU6vPpTB91ETgC4ots
         9Mqm3mQEP+xPIDeU3D4aPSs8peZ3MjTmvphN7n1OGZuZIiI6act3LPX1HE+F6wpNEh+V
         K1dZoFBq4vbcl+mG6nzNWvLQA5tOOKjhL7nQlzGGoao9z7Gsdn1YLL8ca//GPRebk2dJ
         dmBA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=osuoNBun;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o1si15470179jat.48.2021.05.24.09.02.09;
        Mon, 24 May 2021 09:02:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=osuoNBun;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232918AbhEXQB4 (ORCPT <rfc822;lstoakes@gmail.com> + 99 others);
        Mon, 24 May 2021 12:01:56 -0400
Received: from mail.kernel.org ([198.145.29.99]:41186 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S234427AbhEXPza (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 May 2021 11:55:30 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id B73CE61445;
        Mon, 24 May 2021 15:41:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1621870914;
        bh=6LlI/WolxupHlz9B/VtgcQD5lFbpjlG7zI70KKiUago=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=osuoNBunzhwcYPwjxxkWWvUxOyB1SMpF68jt5+ERgTj7SK7Sk0WMWYGYMzvWiiklj
         SVfc1ENZPTK28FtrusThtGVY+GwHc+TOLLTQFCa7vYtPISOJdP81rRFGFIAXASqO/i
         gf9rDkjmIihsHRWNnAK7a/KOcK62McMOwbyEurec=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Joerg Roedel <jroedel@suse.de>,
        Borislav Petkov <bp@suse.de>
Subject: [PATCH 5.10 058/104] x86/sev-es: Use __put_user()/__get_user() for data accesses
Date:   Mon, 24 May 2021 17:25:53 +0200
Message-Id: <20210524152334.782450622@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210524152332.844251980@linuxfoundation.org>
References: <20210524152332.844251980@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Joerg Roedel <jroedel@suse.de>

commit 4954f5b8ef0baf70fe978d1a99a5f70e4dd5c877 upstream.

The put_user() and get_user() functions do checks on the address which is
passed to them. They check whether the address is actually a user-space
address and whether its fine to access it. They also call might_fault()
to indicate that they could fault and possibly sleep.

All of these checks are neither wanted nor needed in the #VC exception
handler, which can be invoked from almost any context and also for MMIO
instructions from kernel space on kernel memory. All the #VC handler
wants to know is whether a fault happened when the access was tried.

This is provided by __put_user()/__get_user(), which just do the access
no matter what. Also add comments explaining why __get_user() and
__put_user() are the best choice here and why it is safe to use them
in this context. Also explain why copy_to/from_user can't be used.

In addition, also revert commit

  7024f60d6552 ("x86/sev-es: Handle string port IO to kernel memory properly")

because using __get_user()/__put_user() fixes the same problem while
the above commit introduced several problems:

  1) It uses access_ok() which is only allowed in task context.

  2) It uses memcpy() which has no fault handling at all and is
     thus unsafe to use here.

  [ bp: Fix up commit ID of the reverted commit above. ]

Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org # v5.10+
Link: https://lkml.kernel.org/r/20210519135251.30093-4-joro@8bytes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/sev-es.c |   66 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 20 deletions(-)

--- a/arch/x86/kernel/sev-es.c
+++ b/arch/x86/kernel/sev-es.c
@@ -288,31 +288,44 @@ static enum es_result vc_write_mem(struc
 	u16 d2;
 	u8  d1;
 
-	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
-	if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
-		memcpy(dst, buf, size);
-		return ES_OK;
-	}
-
+	/*
+	 * This function uses __put_user() independent of whether kernel or user
+	 * memory is accessed. This works fine because __put_user() does no
+	 * sanity checks of the pointer being accessed. All that it does is
+	 * to report when the access failed.
+	 *
+	 * Also, this function runs in atomic context, so __put_user() is not
+	 * allowed to sleep. The page-fault handler detects that it is running
+	 * in atomic context and will not try to take mmap_sem and handle the
+	 * fault, so additional pagefault_enable()/disable() calls are not
+	 * needed.
+	 *
+	 * The access can't be done via copy_to_user() here because
+	 * vc_write_mem() must not use string instructions to access unsafe
+	 * memory. The reason is that MOVS is emulated by the #VC handler by
+	 * splitting the move up into a read and a write and taking a nested #VC
+	 * exception on whatever of them is the MMIO access. Using string
+	 * instructions here would cause infinite nesting.
+	 */
 	switch (size) {
 	case 1:
 		memcpy(&d1, buf, 1);
-		if (put_user(d1, target))
+		if (__put_user(d1, target))
 			goto fault;
 		break;
 	case 2:
 		memcpy(&d2, buf, 2);
-		if (put_user(d2, target))
+		if (__put_user(d2, target))
 			goto fault;
 		break;
 	case 4:
 		memcpy(&d4, buf, 4);
-		if (put_user(d4, target))
+		if (__put_user(d4, target))
 			goto fault;
 		break;
 	case 8:
 		memcpy(&d8, buf, 8);
-		if (put_user(d8, target))
+		if (__put_user(d8, target))
 			goto fault;
 		break;
 	default:
@@ -343,30 +356,43 @@ static enum es_result vc_read_mem(struct
 	u16 d2;
 	u8  d1;
 
-	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
-	if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
-		memcpy(buf, src, size);
-		return ES_OK;
-	}
-
+	/*
+	 * This function uses __get_user() independent of whether kernel or user
+	 * memory is accessed. This works fine because __get_user() does no
+	 * sanity checks of the pointer being accessed. All that it does is
+	 * to report when the access failed.
+	 *
+	 * Also, this function runs in atomic context, so __get_user() is not
+	 * allowed to sleep. The page-fault handler detects that it is running
+	 * in atomic context and will not try to take mmap_sem and handle the
+	 * fault, so additional pagefault_enable()/disable() calls are not
+	 * needed.
+	 *
+	 * The access can't be done via copy_from_user() here because
+	 * vc_read_mem() must not use string instructions to access unsafe
+	 * memory. The reason is that MOVS is emulated by the #VC handler by
+	 * splitting the move up into a read and a write and taking a nested #VC
+	 * exception on whatever of them is the MMIO access. Using string
+	 * instructions here would cause infinite nesting.
+	 */
 	switch (size) {
 	case 1:
-		if (get_user(d1, s))
+		if (__get_user(d1, s))
 			goto fault;
 		memcpy(buf, &d1, 1);
 		break;
 	case 2:
-		if (get_user(d2, s))
+		if (__get_user(d2, s))
 			goto fault;
 		memcpy(buf, &d2, 2);
 		break;
 	case 4:
-		if (get_user(d4, s))
+		if (__get_user(d4, s))
 			goto fault;
 		memcpy(buf, &d4, 4);
 		break;
 	case 8:
-		if (get_user(d8, s))
+		if (__get_user(d8, s))
 			goto fault;
 		memcpy(buf, &d8, 8);
 		break;