* [PATCH v3 0/2] Let illegal access to user-space memory die
From: Eric Lin @ 2020-12-04 5:42 UTC (permalink / raw)
To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
aou, palmer, paul.walmsley
Cc: Eric Lin
Accesses to user-space memory without calling uaccess routines
lead to hanging in the page fault handler. Like arm64, we let it
die earlier in the page fault handler.
Changes in v3:
-Let no_context() use die_kernel_fault() helper
Changes in v2:
-Add a die_kernel_fault() helper
-Split one long line code into two
Eric Lin (2):
riscv/mm: Introduce a die_kernel_fault() helper function
riscv/mm: Prevent kernel module to access user memory without uaccess
routines
arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
--
2.17.0
* [PATCH v3 1/2] riscv/mm: Introduce a die_kernel_fault() helper function
From: Eric Lin @ 2020-12-04 5:42 UTC (permalink / raw)
To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
aou, palmer, paul.walmsley
Cc: Eric Lin, Alan Kao
Like arm64, this patch adds a die_kernel_fault() helper
to ensure the same semantics for the different kernel faults.
Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
Reviewed-by: Pekka Enberg <penberg@kernel.org>
---
arch/riscv/mm/fault.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 3c8b9e433c67..0d5f06d6e3c7 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -19,8 +19,23 @@
#include "../kernel/head.h"
+static void die_kernel_fault(const char *msg, unsigned long addr,
+ struct pt_regs *regs)
+{
+ bust_spinlocks(1);
+
+ pr_alert("Unable to handle kernel %s at virtual address " REG_FMT "\n", msg,
+ addr);
+
+ bust_spinlocks(0);
+ die(regs, "Oops");
+ do_exit(SIGKILL);
+}
+
static inline void no_context(struct pt_regs *regs, unsigned long addr)
{
+ const char *msg;
+
/* Are we prepared to handle this kernel fault? */
if (fixup_exception(regs))
return;
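Review bot: die_kernel_fault() ends in do_exit(SIGKILL) and so cannot return, but it is declared as a plain `static void` with no comment saying so. Marking it `__noreturn`, or at least documenting that above the definition, would make the control flow explicit for callers that place no `return` after the call. A one-line comment on what `msg` should contain would also help, since it is spliced directly into the "Unable to handle kernel %s" line.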
@@ -29,12 +44,8 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)
* Oops. The kernel tried to access some bad page. We'll have to
* terminate things with extreme prejudice.
*/
- bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address " REG_FMT "\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
- die(regs, "Oops");
- do_exit(SIGKILL);
+ msg = (addr < PAGE_SIZE) ? "NULL pointer dereference" : "paging request";
+ die_kernel_fault(msg, addr, regs);
}
static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
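Review bot: the block removed from no_context() called bust_spinlocks(1) and never bust_spinlocks(0), whereas the die_kernel_fault() helper it now calls does bust_spinlocks(0) before die(). That makes this more than a pure refactor of no_context(); the commit message only says the helper is added "to ensure the same semantics" and should state that the extra bust_spinlocks(0) is intentional.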
--
2.17.0
* [PATCH v3 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines
From: Eric Lin @ 2020-12-04 5:42 UTC (permalink / raw)
To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
aou, palmer, paul.walmsley
Cc: Eric Lin, Alan Kao
We found this issue in a legacy out-of-tree kernel module
which didn't properly access user space pointer by get/put_user().
Such an illegal access loops in the page fault handler.
To resolve this, let it die here.
Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
Reviewed-by: Pekka Enberg <penberg@kernel.org>
---
arch/riscv/mm/fault.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 0d5f06d6e3c7..33d284188f9a 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -243,6 +243,11 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
if (user_mode(regs))
flags |= FAULT_FLAG_USER;
+ if (!user_mode(regs) && addr < TASK_SIZE &&
+ unlikely(!(regs->status & SR_SUM)))
+ die_kernel_fault("access to user memory without uaccess routines",
+ addr, regs);
+
perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
if (cause == EXC_STORE_PAGE_FAULT)
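Review bot: the new check in do_page_fault() carries no comment explaining why a clear SR_SUM bit in regs->status identifies a kernel access made outside the uaccess routines; only the message string hints at it, so a short comment above the `if` is needed. The test would also read more naturally as the `else` branch of the preceding `if (user_mode(regs))`, which drops the repeated `!user_mode(regs)`. Nothing after the die_kernel_fault() call stops execution from continuing to perf_sw_event(), so the code depends on the helper never returning; that dependency should be explicit.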
--
2.17.0
* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
From: Eric Lin @ 2020-12-18 4:03 UTC (permalink / raw)
To: linux-riscv, penberg, aou, palmer, paul.walmsley
On Fri, Dec 04, 2020 at 01:42:57PM +0800, Eric Te-Sheng Lin wrote:
> Accesses to user-space memory without calling uaccess routines
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.
Hi Palmer, kindly ping.
Thanks.
>
> Changes in v3:
> -Let no_context() use die_kernel_fault() helper
>
> Changes in v2:
> -Add a die_kernel_fault() helper
> -Split one long line code into two
>
> Eric Lin (2):
> riscv/mm: Introduce a die_kernel_fault() helper function
> riscv/mm: Prevent kernel module to access user memory without uaccess
> routines
>
> arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
> 1 file changed, 22 insertions(+), 6 deletions(-)
>
> --
> 2.17.0
>
* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
From: Palmer Dabbelt @ 2020-12-22 2:35 UTC (permalink / raw)
To: tesheng
Cc: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
aou, Paul Walmsley, tesheng
On Thu, 03 Dec 2020 21:42:57 PST (-0800), tesheng@andestech.com wrote:
> Accesses to user-space memory without calling uaccess routines
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.
>
> Changes in v3:
> -Let no_context() use die_kernel_fault() helper
>
> Changes in v2:
> -Add a die_kernel_fault() helper
> -Split one long line code into two
>
> Eric Lin (2):
> riscv/mm: Introduce a die_kernel_fault() helper function
> riscv/mm: Prevent kernel module to access user memory without uaccess
> routines
>
> arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
> 1 file changed, 22 insertions(+), 6 deletions(-)
Thanks, these will be on for-next when the merge window ends.
* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
From: Ben Dooks @ 2021-02-01 13:18 UTC (permalink / raw)
To: Palmer Dabbelt, tesheng
Cc: aou, linux-kernel, peterx, penberg, Paul Walmsley, akpm, walken,
linux-riscv, vbabka
On 22/12/2020 02:35, Palmer Dabbelt wrote:
> On Thu, 03 Dec 2020 21:42:57 PST (-0800), tesheng@andestech.com wrote:
>> Accesses to user-space memory without calling uaccess routines
>> lead to hanging in the page fault handler. Like arm64, we let it
>> die earlier in the page fault handler.
>>
>> Changes in v3:
>> -Let no_context() use die_kernel_fault() helper
>>
>> Changes in v2:
>> -Add a die_kernel_fault() helper
>> -Split one long line code into two
>>
>> Eric Lin (2):
>> riscv/mm: Introduce a die_kernel_fault() helper function
>> riscv/mm: Prevent kernel module to access user memory without uaccess
>> routines
>>
>> arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
>> 1 file changed, 22 insertions(+), 6 deletions(-)
>
> Thanks, these will be on for-next when the merge window ends.
Just tested this and it seems to be working.
--
Ben Dooks http://www.codethink.co.uk/
Senior Engineer Codethink - Providing Genius
https://www.codethink.co.uk/privacy.html