From: Andy Lutomirski <luto@kernel.org>
To: x86@kernel.org
Cc: LKML <linux-kernel@vger.kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Yonghong Song <yhs@fb.com>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>
Subject: [PATCH 06/11] x86/fault: Improve kernel-executing-user-memory handling
Date: Sun, 31 Jan 2021 09:24:37 -0800
Message-ID: <05e787a0d0661d0bfb40e44db39bf5ead5f7e4ef.1612113550.git.luto@kernel.org>
In-Reply-To: <cover.1612113550.git.luto@kernel.org>

Right now we treat the case of the kernel trying to execute from user
memory more or less just like the kernel getting a page fault on a user
access.  In the failure path, we check for erratum #93, try to otherwise
fix up the error, and then oops.

If we manage to jump to the user address space, with or without SMEP, we
should not try to resolve the page fault.  This is an error, pure and
simple.  Rearrange the code so that we catch this case early, check for
erratum #93, and bail out.

Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 arch/x86/mm/fault.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 602cdf8e070a..1939e546beae 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -406,8 +406,11 @@ static void dump_pagetable(unsigned long address)
 static int is_errata93(struct pt_regs *regs, unsigned long address)
 {
 #if defined(CONFIG_X86_64) && defined(CONFIG_CPU_SUP_AMD)
-	if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD
-	    || boot_cpu_data.x86 != 0xf)
+	if (likely(boot_cpu_data.x86_vendor != X86_VENDOR_AMD
+		   || boot_cpu_data.x86 != 0xf))
+		return 0;
+
+	if (user_mode(regs))
 		return 0;
 
 	if (address != regs->ip)
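Review bot: the new `user_mode(regs)` early return is undocumented, and with the later hunk in do_user_addr_fault() it is only reached when X86_PF_USER is clear, so it either duplicates the caller's check or exists to guard other callers; add a one-line comment above `if (user_mode(regs))` stating why a user-mode fault can never be an erratum #93 case, and say in the commit message whether any remaining caller can reach is_errata93() from user mode. The `likely()` on the vendor/family test is fine as a fast-path hint.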
@@ -707,9 +710,6 @@ no_context(struct pt_regs *regs, unsigned long error_code,
 	if (is_prefetch(regs, error_code, address))
 		return;
 
-	if (is_errata93(regs, address))
-		return;
-
 	/*
 	 * Buggy firmware could access regions which might page fault, try to
 	 * recover from such faults.
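Review bot: removing the `is_errata93()` call from no_context() drops the fixup for every path that reaches no_context(), not only the kernel-executing-user-memory case the commit message describes, since no_context() is also reached for faults on kernel addresses; the commit message should state why the check is only needed in do_user_addr_fault() (presumably because an erratum #93 fault always presents a user-range address), otherwise this reads as a behaviour change rather than the pure rearrangement the message claims.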
@@ -1202,6 +1202,19 @@ void do_user_addr_fault(struct pt_regs *regs,
 	tsk = current;
 	mm = tsk->mm;
 
+	if (unlikely((error_code & (X86_PF_USER | X86_PF_INSTR)) == X86_PF_INSTR)) {
+		/*
+		 * Whoops, this is kernel mode code trying to execute from
+		 * user memory.  Unless this is AMD erratum #93, we are toast.
+		 * Don't even try to look up the VMA.
+		 */
+		if (is_errata93(regs, address))
+			return;
+
+		bad_area_nosemaphore(regs, error_code, address);
+		return;
+	}
+
 	/* kprobes don't want to hook the spurious faults: */
 	if (unlikely(kprobe_page_fault(regs, X86_TRAP_PF)))
 		return;
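Review bot: the new block depends on X86_PF_INSTR being set in the error code, which the CPU only reports when NX is enabled, so on configurations without NX a kernel instruction fetch from user memory still falls through to the normal VMA lookup instead of the early `bad_area_nosemaphore()` exit; the comment or the commit message should say that the early bail-out is best effort on such CPUs. Also note that the block sits ahead of the `kprobe_page_fault()` hook, so kprobes no longer get a look at these faults; a sentence in the commit message confirming that is intended would save reviewers the question.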
-- 
2.29.2

