From: Christophe Leroy
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman
Cc: Christophe Leroy, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, Stan Johnson, Finn Thain
Subject: [PATCH] powerpc/32s: Fix kuap_kernel_restore()
Date: Wed, 15 Sep 2021 16:12:24 +0200
Message-Id: <0d0c4d0f050a637052287c09ba521bad960a2790.1631715131.git.christophe.leroy@csgroup.eu>
X-Mailer: git-send-email 2.31.1
X-Mailing-List: linux-kernel@vger.kernel.org

At interrupt exit, kuap_kernel_restore() calls kuap_unlock() with the value contained in regs->kuap. However, when regs->kuap contains 0xffffffff it means that KUAP was not unlocked, so calling kuap_unlock() is irrelevant and results in jeopardising the contents of kernel space segment registers.

So check that regs->kuap doesn't contain KUAP_NONE before calling kuap_unlock().

In the meantime it also means that if KUAP has not been correctly locked back at interrupt exit, it must be locked before continuing. This is done by checking the content of current->thread.kuap which was returned by kuap_get_and_assert_locked().

Fixes: 16132529cee5 ("powerpc/32s: Rework Kernel Userspace Access Protection")
Reported-by: Stan Johnson
Cc: Finn Thain
Signed-off-by: Christophe Leroy
---
 arch/powerpc/include/asm/book3s/32/kup.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h
index d4b145b279f6..9f38040f0641 100644
--- a/arch/powerpc/include/asm/book3s/32/kup.h
+++ b/arch/powerpc/include/asm/book3s/32/kup.h @@ -136,6 +136,14 @@ static inline void kuap_kernel_restore(struct pt_regs *regs, unsigned long kuap) if (kuap_is_disabled()) return; + if (unlikely(kuap != KUAP_NONE)) { + current->thread.kuap = KUAP_NONE; + kuap_lock(kuap, false); + } + + if (likely(regs->kuap == KUAP_NONE)) + return; + current->thread.kuap = regs->kuap; kuap_unlock(regs->kuap, false); -- 2.31.1
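Review bot: the `if (unlikely(kuap != KUAP_NONE))` branch recovers silently from a state the commit message itself describes as KUAP "not been correctly locked back", i.e. a bug in whichever path left it open; consider a WARN_ON_ONCE() inside that branch (or a comment saying why silent re-locking is the intended behaviour) so the offending caller does not stay hidden behind the fix. Independently of that, neither new block carries a comment, and nothing in the hunk tells the next reader that KUAP_NONE is a sentinel rather than an address; a one-line comment above `if (likely(regs->kuap == KUAP_NONE))` stating that KUAP_NONE means nothing was unlocked and must never be handed to kuap_unlock() would make the reason for the early return self-explanatory.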
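The failure described in the commit message (a KUAP_NONE sentinel of 0xffffffff being handed to kuap_unlock() and landing on a kernel-space segment register) and the two-step repair (re-lock anything the handler left open, then skip the sentinel) can be exercised on a host without a PowerPC. The model below is an added example, not code from this patch or from the kernel: the segment-register encoding it uses (a KUAP value is the address whose segment was unlocked, segment index = addr >> 28, a Ks bit that means "locked", segments 12..15 treated as kernel space, and kuap_get_and_assert_locked() simply returning current->thread.kuap) is this model's own assumption chosen to mirror the helpers the patch calls, and `run_scenario`, `segment_locked` and `thread_kuap_value` are hypothetical names that exist only here.

```c
/*
 * Host-side model of the powerpc/32s KUAP restore path (added example,
 * not kernel code). Segment-register encoding below is an assumption:
 * segment index = addr >> 28, SR_KS set means the segment is locked,
 * segments 12..15 stand in for kernel space.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KUAP_NONE   0xffffffffu   /* sentinel: nothing is unlocked */
#define SR_KS       0x40000000u   /* supervisor key bit: set = locked */
#define NR_SEGMENTS 16
#define KERNEL_SEG  12            /* model assumption: 12..15 are kernel */

static uint32_t sr[NR_SEGMENTS];  /* model of the 16 segment registers */
static uint32_t thread_kuap;      /* model of current->thread.kuap */

struct pt_regs { uint32_t kuap; };

static void kuap_reset(void)
{
    for (int i = 0; i < NR_SEGMENTS; i++)
        sr[i] = SR_KS | (uint32_t)i;   /* everything starts locked */
    thread_kuap = KUAP_NONE;
}

/* kuap_lock()/kuap_unlock() model: flip Ks on the segment holding addr. */
static void kuap_lock(uint32_t addr)   { sr[addr >> 28] |= SR_KS; }
static void kuap_unlock(uint32_t addr) { sr[addr >> 28] &= ~SR_KS; }

/* Model assumption: entry path hands back what the thread recorded. */
static uint32_t kuap_get_and_assert_locked(void) { return thread_kuap; }

/* Before the fix: trusts regs->kuap blindly, sentinel included. */
static void kuap_kernel_restore_before(struct pt_regs *regs, uint32_t kuap)
{
    (void)kuap;
    thread_kuap = regs->kuap;
    kuap_unlock(regs->kuap);   /* KUAP_NONE >> 28 == 15: a kernel segment */
}

/* After the fix: re-lock anything left open, then skip the sentinel. */
static void kuap_kernel_restore_after(struct pt_regs *regs, uint32_t kuap)
{
    if (kuap != KUAP_NONE) {
        thread_kuap = KUAP_NONE;
        kuap_lock(kuap);
    }
    if (regs->kuap == KUAP_NONE)
        return;
    thread_kuap = regs->kuap;
    kuap_unlock(regs->kuap);
}

static bool segment_locked(int idx) { return (sr[idx] & SR_KS) != 0; }
static uint32_t thread_kuap_value(void) { return thread_kuap; }

/*
 * Run one interrupt exit. regs_kuap is what the interrupted context had
 * unlocked; leaked, when not KUAP_NONE, is a range the handler wrongly
 * left open. Returns the number of kernel segments left unlocked.
 */
static int run_scenario(bool patched, uint32_t regs_kuap, uint32_t leaked)
{
    struct pt_regs regs = { .kuap = regs_kuap };
    kuap_reset();
    if (leaked != KUAP_NONE) {        /* simulate the handler's leak */
        thread_kuap = leaked;
        kuap_unlock(leaked);
    }
    uint32_t kuap = kuap_get_and_assert_locked();
    if (patched)
        kuap_kernel_restore_after(&regs, kuap);
    else
        kuap_kernel_restore_before(&regs, kuap);
    int n = 0;
    for (int i = KERNEL_SEG; i < NR_SEGMENTS; i++)
        if (!segment_locked(i))
            n++;
    return n;
}

int main(void)
{
    printf("regs->kuap=KUAP_NONE, before fix: %d kernel segment(s) unlocked\n",
           run_scenario(false, KUAP_NONE, KUAP_NONE));
    printf("regs->kuap=KUAP_NONE, after fix:  %d kernel segment(s) unlocked\n",
           run_scenario(true, KUAP_NONE, KUAP_NONE));
    printf("handler leaked 0x20000000, after fix: segment 2 re-locked=%d\n",
           run_scenario(true, KUAP_NONE, 0x20000000u) == 0 && segment_locked(2));
    return 0;
}
```

The first scenario is the bug report in miniature: with nothing unlocked, the unpatched restore clears Ks on segment 15, which in this model is kernel space, while the patched restore leaves every register untouched. The third scenario shows the second half of the fix, where a range the handler left open is locked again before the sentinel check returns.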