From: Lecopzer Chen <lecopzer.chen@mediatek.com>
To: <linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>
Cc: <akpm@linux-foundation.org>, <peterx@redhat.com>,
	<rppt@kernel.org>, <walken@google.com>, <marc.zyngier@arm.com>,
	<linux@armlinux.org.uk>,
	Lecopzer Chen <lecopzer.chen@mediatek.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	YJ Chiang <yj.chiang@mediatek.com>
Subject: [PATCH] ARM: mm: harden branch predictor before opening interrupts during fault
Date: Thu, 3 Dec 2020 17:27:38 +0800	[thread overview]
Message-ID: <20201203092738.11866-1-lecopzer.chen@mediatek.com> (raw)

This patch was sent by Sebastian Andrzej Siewior <bigeasy@linutronix.de>
in [1] and rebased on v5.10-rc6.

The original commit message:

> On non-LPAE systems a write to 0xbffffff0 (modules area) from userland
> results in:
> | BUG: using smp_processor_id() in preemptible [00000000] code: mem-tc/521
> | caller is __do_user_fault.constprop.2+0x4c/0x74
> | CPU: 1 PID: 521 Comm: mem-tc Not tainted 5.1.0-rc1 #4
> | [<c04614e4>] (debug_smp_processor_id) from [<c0116378>] (__do_user_fault.constprop.2+0x4c/0x74)
> | [<c0116378>] (__do_user_fault.constprop.2) from [<c011668c>] (do_page_fault+0x278/0x37c)
> | [<c011668c>] (do_page_fault) from [<c0116904>] (do_DataAbort+0x3c/0xa8)
> | [<c0116904>] (do_DataAbort) from [<c0101e1c>] (__dabt_usr+0x3c/0x40)
>
> Move harden_branch_predictor() from __do_user_fault() to both of its
> callers (do_bad_area() and do_page_fault()). The invocation in
> do_page_fault() is added before interrupts are enabled. The invocation
> in do_bad_area() is added just before __do_user_fault() is invoked.

The BUG still exists in v5.10-rc, and the previous discussion is at [2].
This issue can be easily reproduced on ARM with CONFIG_DEBUG_PREEMPT and
CONFIG_HARDEN_BRANCH_PREDICTOR by the following userspace program:

  int main(void) {
  	volatile int *p = (volatile int *)0xffff3ff4; /* kernel address on 32-bit ARM */
  	*p = 123;	/* user-mode store -> data abort -> SIGSEGV */
  }

[1]:
https://patchwork.kernel.org/project/linux-arm-kernel/patch/20190319203239.gl46fxnfz6gzeeic@linutronix.de/
[2]:
https://lkml.org/lkml/2019/6/3/426

Fixes: f5fe12b1eaee2 ("ARM: spectre-v2: harden user aborts in kernel space")
Reported-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
Cc: YJ Chiang <yj.chiang@mediatek.com>
---
 arch/arm/mm/fault.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index efa402025031..f1b57b7d5a0c 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -138,9 +138,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
 {
 	struct task_struct *tsk = current;
 
-	if (addr > TASK_SIZE)
-		harden_branch_predictor();
-
 #ifdef CONFIG_DEBUG_USER
 	if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
 	    ((user_debug & UDBG_BUS)  && (sig == SIGBUS))) {
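Review bot: with this removal __do_user_fault() no longer hardens the branch predictor for anyone who calls it, so the property now rests on every caller doing it first; the commit message names do_bad_area() and do_page_fault() as "both callers", but the hunk itself does not show that these are the only call sites at v5.10-rc6, so that should be stated in the commit message. A one-line comment at the top of __do_user_fault() saying that callers must invoke harden_branch_predictor() themselves, before interrupts are enabled, would keep a future caller from reintroducing the debug_smp_processor_id() BUG this patch fixes.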
@@ -173,8 +170,11 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 	 * If we are in kernel mode at this point, we
 	 * have no context to handle this fault with.
 	 */
-	if (user_mode(regs))
+	if (user_mode(regs)) {
+		if (addr > TASK_SIZE)
+			harden_branch_predictor();
 		__do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
+	}
 	else
 		__do_kernel_fault(mm, addr, fsr, regs);
 }
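Review bot: the else branch of do_bad_area() should be braced and the else should follow the closing brace now that the if branch has braces; kernel style gives both branches braces when either needs them, and a `}` with `else` on the next line is what checkpatch reports as "else should follow close brace". Suggested shape:
	} else {
		__do_kernel_fault(mm, addr, fsr, regs);
	}
Separately, the commit message justifies the do_page_fault() placement by ordering it before local_irq_enable(), but says nothing about why this spot in do_bad_area() is preemption-safe (whether interrupts are still disabled from the abort entry on every path that reaches it); one sentence on that would let a reviewer check the fix without chasing the callers.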
@@ -251,6 +251,9 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 	tsk = current;
 	mm  = tsk->mm;
 
+	if (addr > TASK_SIZE && user_mode(regs))
+		harden_branch_predictor();
+
 	/* Enable interrupts if they were enabled in the parent context. */
 	if (interrupts_enabled(regs))
 		local_irq_enable();
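Review bot: placing the call before local_irq_enable() fixes the ordering, but it also widens when hardening fires: the call removed from __do_user_fault() ran only on the path that delivers a signal, whereas here every user-mode fault with addr > TASK_SIZE that enters do_page_fault() hardens, whether or not it later ends in a signal. That is likely the intended, conservative choice, but the commit message should say so rather than describe the change as a pure move. The `addr > TASK_SIZE` test is now written out twice (here and in do_bad_area()), with `user_mode(regs)` folded into the condition here and nested as an outer if there; a small static helper in fault.c taking addr and regs would keep the two conditions from drifting apart.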
-- 
2.18.0


Thread overview: 16+ messages
2020-12-03  9:27 Lecopzer Chen [this message]
2021-01-26  9:17 ` Lecopzer Chen
2021-01-26 10:59   ` Russell King - ARM Linux admin
2021-01-26 11:07     ` Sebastian Andrzej Siewior
2021-01-26 15:01       ` Lecopzer Chen
2021-01-26 15:29         ` Russell King - ARM Linux admin
2021-01-26 16:03           ` Lecopzer Chen
  -- strict thread matches above, loose matches on Subject: below --
2019-03-19 20:32 Sebastian Andrzej Siewior
2019-04-15 11:08 ` Sebastian Andrzej Siewior
