From: Greg KH <greg@kroah.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: stable@vger.kernel.org, mark.brown@linaro.org,
ard.biesheuvel@linaro.org, marc.zyngier@arm.com,
will.deacon@arm.com, catalin.marinas@arm.com,
ghackmann@google.com, shankerd@codeaurora.org
Subject: Re: [PATCH v4.9.y 10/42] arm64: futex: Mask __user pointers prior to dereference
Date: Tue, 17 Apr 2018 14:10:03 +0200 [thread overview]
Message-ID: <20180417121003.GA10401@kroah.com> (raw)
In-Reply-To: <20180412111138.40990-11-mark.rutland@arm.com>
On Thu, Apr 12, 2018 at 12:11:06PM +0100, Mark Rutland wrote:
> From: Will Deacon <will.deacon@arm.com>
>
> commit 91b2d3442f6a44dce875670d702af22737ad5eff upstream.
>
> The arm64 futex code has some explicit dereferencing of user pointers
> where performing atomic operations in response to a futex command. This
> patch uses masking to limit any speculative futex operations to within
> the user address space.
>
> Signed-off-by: Will Deacon <will.deacon@arm.com>
> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
> Tested-by: Greg Hackmann <ghackmann@google.com>
> ---
> arch/arm64/include/asm/futex.h | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
> index f2585cdd32c2..1d123dd01ee0 100644
> --- a/arch/arm64/include/asm/futex.h
> +++ b/arch/arm64/include/asm/futex.h
> @@ -51,13 +51,14 @@
> : "memory")
>
> static inline int
> -futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
> +futex_atomic_op_inuser (int encoded_op, u32 __user *_uaddr)
> {
> int op = (encoded_op >> 28) & 7;
> int cmp = (encoded_op >> 24) & 15;
> int oparg = (encoded_op << 8) >> 20;
> int cmparg = (encoded_op << 20) >> 20;
> int oldval = 0, ret, tmp;
> + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
>
> if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
> oparg = 1 << oparg;
> @@ -109,15 +110,17 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
> }
>
> static inline int
> -futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
> +futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr,
> u32 oldval, u32 newval)
> {
> int ret = 0;
> u32 val, tmp;
> + u32 __user *uaddr;
>
> - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
> + if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32)))
> return -EFAULT;
>
> + uaddr = __uaccess_mask_ptr(_uaddr);
> asm volatile("// futex_atomic_cmpxchg_inatomic\n"
> ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
> " prfm pstl1strm, %2\n"
This patch doesn't apply at all as it conflicts with commit
d7c5f8c815466fc00785bbff20f25b39643abe01 which was commit 5f16a046f8e1
("arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT
usage") upstream.
Any chance you can provide a correct backport of this?
thanks,
greg k-h
next prev parent reply other threads:[~2018-04-17 12:10 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-12 11:10 [PATCH v4.9.y 00/42] arm64 spectre patches Mark Rutland
2018-04-12 11:10 ` [PATCH v4.9.y 01/42] arm64: barrier: Add CSDB macros to control data-value prediction Mark Rutland
2018-04-12 11:10 ` [PATCH v4.9.y 02/42] arm64: Implement array_index_mask_nospec() Mark Rutland
2018-04-12 11:10 ` [PATCH v4.9.y 03/42] arm64: move TASK_* definitions to <asm/processor.h> Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 04/42] arm64: Make USER_DS an inclusive limit Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 05/42] arm64: Use pointer masking to limit uaccess speculation Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 06/42] arm64: entry: Ensure branch through syscall table is bounded under speculation Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 07/42] arm64: uaccess: Prevent speculative use of the current addr_limit Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 08/42] arm64: uaccess: Don't bother eliding access_ok checks in __{get, put}_user Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 09/42] arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 10/42] arm64: futex: Mask __user pointers prior to dereference Mark Rutland
2018-04-17 12:10 ` Greg KH [this message]
2018-04-18 10:56 ` Mark Rutland
2018-04-19 7:02 ` Greg KH
2018-04-12 11:11 ` [PATCH v4.9.y 11/42] arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 12/42] arm64: Run enable method for errata work arounds on late CPUs Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 13/42] arm64: cpufeature: Pass capability structure to ->enable callback Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 14/42] drivers/firmware: Expose psci_get_version through psci_ops structure Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 15/42] arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 16/42] arm64: Move post_ttbr_update_workaround to C code Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 17/42] arm64: Add skeleton to harden the branch predictor against aliasing attacks Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 18/42] arm64: Move BP hardening to check_and_switch_context Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 19/42] mm: Introduce lm_alias Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 20/42] arm64: KVM: Use per-CPU vector when BP hardening is enabled Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 21/42] arm64: entry: Apply BP hardening for high-priority synchronous exceptions Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 22/42] arm64: entry: Apply BP hardening for suspicious interrupts from EL0 Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 23/42] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 24/42] arm64: cpu_errata: Allow an erratum to be match for all revisions of a core Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 25/42] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 26/42] arm64: Branch predictor hardening for Cavium ThunderX2 Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 27/42] arm64: KVM: Increment PC after handling an SMC trap Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 28/42] arm/arm64: KVM: Consolidate the PSCI include files Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 29/42] arm/arm64: KVM: Add PSCI_VERSION helper Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 30/42] arm/arm64: KVM: Add smccc accessors to PSCI code Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 31/42] arm/arm64: KVM: Implement PSCI 1.0 support Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 32/42] arm/arm64: KVM: Advertise SMCCC v1.1 Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 33/42] arm64: KVM: Make PSCI_VERSION a fast path Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 34/42] arm/arm64: KVM: Turn kvm_psci_version into a static inline Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 35/42] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 36/42] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 37/42] firmware/psci: Expose PSCI conduit Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 38/42] firmware/psci: Expose SMCCC version through psci_ops Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 39/42] arm/arm64: smccc: Make function identifiers an unsigned quantity Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 40/42] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 41/42] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support Mark Rutland
2018-04-12 11:11 ` [PATCH v4.9.y 42/42] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround Mark Rutland
2018-04-12 16:39 ` [PATCH v4.9.y 00/42] arm64 spectre patches Greg Hackmann
2018-04-17 12:15 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180417121003.GA10401@kroah.com \
--to=greg@kroah.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=ghackmann@google.com \
--cc=marc.zyngier@arm.com \
--cc=mark.brown@linaro.org \
--cc=mark.rutland@arm.com \
--cc=shankerd@codeaurora.org \
--cc=stable@vger.kernel.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.