From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Ben Dooks <ben.dooks@codethink.co.uk>, syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com, Arnd Bergman <arnd@arndb.de>, Palmer Dabbelt <palmerdabbelt@google.com>, Sasha Levin <sashal@kernel.org>, linux-riscv@lists.infradead.org Subject: [PATCH AUTOSEL 5.10 20/22] riscv: evaluate put_user() arg before enabling user access Date: Mon, 5 Apr 2021 12:04:29 -0400 [thread overview] Message-ID: <20210405160432.268374-20-sashal@kernel.org> (raw) In-Reply-To: <20210405160432.268374-1-sashal@kernel.org> From: Ben Dooks <ben.dooks@codethink.co.uk> [ Upstream commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 ] The <asm/uaccess.h> header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman <arnd@arndb.de> -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- arch/riscv/include/asm/uaccess.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h index 824b2c9da75b..f944062c9d99 100644 --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -306,7 +306,9 @@ do { \ * data types like structures or arrays. * * @ptr must have pointer-to-simple-variable type, and @x must be assignable - * to the result of dereferencing @ptr. + * to the result of dereferencing @ptr. The value of @x is copied to avoid + * re-ordering where @x is evaluated inside the block that enables user-space + * access (thus bypassing user space protection if @x is a function). * * Caller must check the pointer with access_ok() before calling this * function. @@ -316,12 +318,13 @@ do { \ #define __put_user(x, ptr) \ ({ \ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ + __typeof__(*__gu_ptr) __val = (x); \ long __pu_err = 0; \ \ __chk_user_ptr(__gu_ptr); \ \ __enable_user_access(); \ - __put_user_nocheck(x, __gu_ptr, __pu_err); \ + __put_user_nocheck(__val, __gu_ptr, __pu_err); \ __disable_user_access(); \ \ __pu_err; \ -- 2.30.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Ben Dooks <ben.dooks@codethink.co.uk>, syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com, Arnd Bergman <arnd@arndb.de>, Palmer Dabbelt <palmerdabbelt@google.com>, Sasha Levin <sashal@kernel.org>, linux-riscv@lists.infradead.org Subject: [PATCH AUTOSEL 5.10 20/22] riscv: evaluate put_user() arg before enabling user access Date: Mon, 5 Apr 2021 12:04:29 -0400 [thread overview] Message-ID: <20210405160432.268374-20-sashal@kernel.org> (raw) In-Reply-To: <20210405160432.268374-1-sashal@kernel.org> From: Ben Dooks <ben.dooks@codethink.co.uk> [ Upstream commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 ] The <asm/uaccess.h> header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman <arnd@arndb.de> -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- arch/riscv/include/asm/uaccess.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h index 824b2c9da75b..f944062c9d99 100644 --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -306,7 +306,9 @@ do { \ * data types like structures or arrays. * * @ptr must have pointer-to-simple-variable type, and @x must be assignable - * to the result of dereferencing @ptr. + * to the result of dereferencing @ptr. The value of @x is copied to avoid + * re-ordering where @x is evaluated inside the block that enables user-space + * access (thus bypassing user space protection if @x is a function). * * Caller must check the pointer with access_ok() before calling this * function. @@ -316,12 +318,13 @@ do { \ #define __put_user(x, ptr) \ ({ \ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ + __typeof__(*__gu_ptr) __val = (x); \ long __pu_err = 0; \ \ __chk_user_ptr(__gu_ptr); \ \ __enable_user_access(); \ - __put_user_nocheck(x, __gu_ptr, __pu_err); \ + __put_user_nocheck(__val, __gu_ptr, __pu_err); \ __disable_user_access(); \ \ __pu_err; \ -- 2.30.2 _______________________________________________ linux-riscv mailing list linux-riscv@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2021-04-05 16:06 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-04-05 16:04 [PATCH AUTOSEL 5.10 01/22] interconnect: core: fix error return code of icc_link_destroy() Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 02/22] gfs2: Flag a withdraw if init_threads() fails Sasha Levin 2021-04-05 16:04 ` [Cluster-devel] " Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 03/22] KVM: arm64: Hide system instruction access to Trace registers Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 04/22] KVM: arm64: Disable guest access to trace filter controls Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 05/22] drm/imx: imx-ldb: fix out of bounds array access warning Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 06/22] gfs2: report "already frozen/thawed" errors Sasha Levin 2021-04-05 16:04 ` [Cluster-devel] " Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 07/22] scsi: iscsi: Fix race condition between login and sync thread Sasha Levin 2021-04-06 17:24 ` Mike Christie 2021-04-06 19:22 ` Greg KH 2021-04-14 12:14 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 08/22] ftrace: Check if pages were allocated before calling free_pages() Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 09/22] tools/kvm_stat: Add restart delay Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 10/22] drm/tegra: dc: Don't set PLL clock to 0Hz Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 11/22] gpu: host1x: Use different lock classes for each client Sasha Levin 2021-04-05 16:04 ` Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 12/22] XArray: Fix splitting to non-zero orders Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 13/22] radix tree test suite: Fix compilation Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 14/22] block: only update parent bi_status when bio fail Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 15/22] radix tree test suite: Register the main thread with the RCU library Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 16/22] idr test suite: Take RCU read lock in idr_find_test_1 Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 17/22] idr test suite: Create anchor before launching throbber Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 18/22] null_blk: fix command timeout completion handling Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 19/22] io_uring: don't mark S_ISBLK async work as unbounded Sasha Levin 2021-04-05 16:04 ` Sasha Levin [this message] 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 20/22] riscv: evaluate put_user() arg before enabling user access Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 21/22] riscv,entry: fix misaligned base for excp_vect_table Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 21/22] riscv, entry: " Sasha Levin 2021-04-05 16:04 ` [PATCH AUTOSEL 5.10 22/22] block: don't ignore REQ_NOWAIT for direct IO Sasha Levin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210405160432.268374-20-sashal@kernel.org \ --to=sashal@kernel.org \ --cc=arnd@arndb.de \ --cc=ben.dooks@codethink.co.uk \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-riscv@lists.infradead.org \ --cc=palmerdabbelt@google.com \ --cc=stable@vger.kernel.org \ --cc=syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.