Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp657182pxv; Thu, 15 Jul 2021 12:39:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzMLqTAbMApzuGYDmKDWQ8jabByU9abklLLmL22ab9u7PKNd0pHcPb6ECmFoBFyni9dWt+l X-Received: by 2002:a05:6e02:1091:: with SMTP id r17mr3760075ilj.160.1626377998680; Thu, 15 Jul 2021 12:39:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626377998; cv=none; d=google.com; s=arc-20160816; b=tSH2ToMaow41ew3REJlyBrdSKUN4KhxYilbdeOIQYSc7CKB/UtqxbGl40DKOvPPGwV bgu7nBl0xYzyk0q5pO7gpDHgfrGHpbWmRGfra0sKZyhQIeJ9uclUZ4GZ7fZ8bSPRd/F8 2MS2vCeZADjFhdKzRPV7YtoaR1y9HnlhYvxvpZXNfOLegWDA6hQWpWS6VScQ0FyraHsi FNo8kWku+ulGCiVmjdBT+aVqQc8celEC0XCV2W4+WcgmV5njJVpMis7lP+LYI4qnSFby CejV/6h+QMW10UbZyCtf8IcC9+mMRFnSLsTznJYOBR6sa285y7tX6u9FgcSnWXgME7wn 9Brg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Y7tRW9Tr7AZ51usa0eGzi+OY1T0RuOO1pM5KB2crKPk=; b=jvlhImXsw9FnIvWnUaxr2qbEj8/jcFfjkk0XvCtlT2u1hdcj50acomxtz6cHHP8B0v wsytJVyj5fTiiuOg/Mpvy8yCNX+AiBvW98C4VJmO62nEG5TOnfhgF1kniKOqLaTozB4v lv8wDWKyv3WK1piCgOVq/FipkqathPvveWLNC/FB/aQf+XTzfHqbFdXBZgrwp1Yi/Whk IFW0IS2vLZDn8qeHvbhI8rezJDFBsc9Z5e3MHFFNqHNofVFHweZH3yFdFyjT42bdoNNL NkEhihwk7vcFi7cudF040B4oZTsA5EUepALF1dBKa1ibCqPzgVxtUXNrFRlutB16Bu9D kpTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="y1k8h/1d"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b8si8073570jav.94.2021.07.15.12.39.46; Thu, 15 Jul 2021 12:39:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="y1k8h/1d"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343776AbhGOTji (ORCPT + 99 others); Thu, 15 Jul 2021 15:39:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:50134 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244362AbhGOTOp (ORCPT ); Thu, 15 Jul 2021 15:14:45 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 72021613F7; Thu, 15 Jul 2021 19:10:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626376224; bh=Si4Vxg9z75zViVvQUYU2DytxHKzMrElDWzYxqq+uDbg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y1k8h/1d5vwENOHVEaAGLnZMQMShu+HLx3zg4m4TG3KdhRmAa46Z7nHmyiDFnJieo ZaCWXUiCUcywHg4+aJpiz3+0MKKwMkE2pVv29FjIJxrgjN5jLR6hYIKS4KtOhc4PPS f8rYHD360zT1dzcpz7cIHM0fmEJahsSlKT3y6ZgM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christophe Leroy , Nicholas Piggin , Michael Ellerman Subject: [PATCH 5.13 180/266] powerpc/mm: Fix lockup on kernel exec fault Date: Thu, 15 Jul 2021 20:38:55 +0200 Message-Id: <20210715182643.441378880@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210715182613.933608881@linuxfoundation.org> References: <20210715182613.933608881@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Christophe Leroy commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable@vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy Acked-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.1625138205.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/mm/fault.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -199,9 +199,7 @@ static bool bad_kernel_fault(struct pt_r { int is_exec = TRAP(regs) == INTERRUPT_INST_STORAGE; - /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */ - if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT | - DSISR_PROTFAULT))) { + if (is_exec) { pr_crit_ratelimited("kernel tried to execute %s page (%lx) - exploit attempt? (uid: %d)\n", address >= TASK_SIZE ? "exec-protected" : "user", address,