From: Michael Ellerman
To: Nicholas Piggin, Christophe Leroy, Kees Cook, Nathan Lynch
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] powerpc/rtas_flash: allow user copy to flash block cache objects
Date: Thu, 17 Aug 2023 10:11:18 +1000

On Thu, 10 Aug 2023 22:37:55 -0500, Nathan Lynch wrote:
> With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
> /proc/powerpc/rtas/firmware_update interface to prepare a system
> firmware update yields a BUG():
>
>   kernel BUG at mm/usercopy.c:102!
>   Oops: Exception in kernel mode, sig: 5 [#1]
>   LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
>   Modules linked in:
>   CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
>   Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
>   NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
>   REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)
>   MSR: 8000000000029033 CR: 24002242 XER: 0000000c
>   CFAR: c0000000001fbd34 IRQMASK: 0
>   [ ... GPRs omitted ... ]
>   NIP [c0000000005991d0] usercopy_abort+0xa0/0xb0
>   LR [c0000000005991cc] usercopy_abort+0x9c/0xb0
>   Call Trace:
>   [c0000000148c7940] [c0000000005991cc] usercopy_abort+0x9c/0xb0 (unreliable)
>   [c0000000148c79b0] [c000000000536814] __check_heap_object+0x1b4/0x1d0
>   [c0000000148c79f0] [c000000000599080] __check_object_size+0x2d0/0x380
>   [c0000000148c7a30] [c000000000045ed4] rtas_flash_write+0xe4/0x250
>   [c0000000148c7a80] [c00000000068a0fc] proc_reg_write+0xfc/0x160
>   [c0000000148c7ab0] [c0000000005a381c] vfs_write+0xfc/0x4e0
>   [c0000000148c7b70] [c0000000005a3e10] ksys_write+0x90/0x160
>   [c0000000148c7bc0] [c00000000002f2c8] system_call_exception+0x178/0x320
>   [c0000000148c7e50] [c00000000000d520] system_call_common+0x160/0x2c4
>   --- interrupt: c00 at 0x7fff9f17e5e4
>
> [...]

Applied to powerpc/fixes.

[1/1] powerpc/rtas_flash: allow user copy to flash block cache objects
      https://git.kernel.org/powerpc/c/4f3175979e62de3b929bfa54a0db4b87d36257a7

cheers
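
The call trace in the quoted report ends in __check_heap_object() calling usercopy_abort(), which is how hardened usercopy rejects a copy that touches slab memory outside the cache's declared usercopy region. The following is an added example, not code from the patch or the kernel: a simplified userspace model of that window check. The struct, the function name and the sample sizes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a slab cache's usercopy whitelist. Names are
 * hypothetical; only the window logic mirrors what the kernel's
 * __check_heap_object() enforces for slab objects. */
struct cache_model {
    size_t object_size; /* size of each object in the cache */
    size_t useroffset;  /* start of the region user copies may touch */
    size_t usersize;    /* length of that region; 0 means nothing allowed */
};

/* Return true if copying n bytes at byte `offset` inside one object stays
 * within the whitelisted window. Where this model returns false, the
 * kernel calls usercopy_abort(), which ends in BUG(). */
static bool usercopy_allowed(const struct cache_model *c, size_t offset, size_t n)
{
    if (offset >= c->object_size || n > c->object_size - offset)
        return false;                 /* copy runs past the object */
    if (offset < c->useroffset)
        return false;                 /* starts before the window */
    if (offset - c->useroffset > c->usersize)
        return false;                 /* starts after the window */
    return n <= c->usersize - (offset - c->useroffset);
}

int main(void)
{
    /* Constructed sample caches with 4096-byte objects. */
    struct cache_model plain = { 4096, 0, 0 };          /* no usercopy region */
    struct cache_model whitelisted = { 4096, 0, 4096 }; /* whole object allowed */
    struct cache_model partial = { 4096, 64, 128 };     /* bytes 64..191 only */

    printf("plain cache, full-object copy:       %d\n",
           usercopy_allowed(&plain, 0, 4096));
    printf("whitelisted cache, full-object copy: %d\n",
           usercopy_allowed(&whitelisted, 0, 4096));
    printf("partial window, copy inside it:      %d\n",
           usercopy_allowed(&partial, 64, 128));
    printf("partial window, one byte too long:   %d\n",
           usercopy_allowed(&partial, 64, 129));
    return 0;
}
```

In the kernel, kmem_cache_create() leaves the usercopy region empty, while kmem_cache_create_usercopy() takes the offset and size that declare it.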