From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: Russell King <linux@armlinux.org.uk>, <linux-arm-kernel@lists.infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>, <linux-kernel@vger.kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Jungseung Lee <js07.lee@gmail.com>, Will Deacon <will@kernel.org>, Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: [PATCH v3 6/6] ARM: mm: Fix PXN process with LPAE feature
Date: Thu, 10 Jun 2021 20:35:56 +0800
Message-ID: <20210610123556.171328-7-wangkefeng.wang@huawei.com>
In-Reply-To: <20210610123556.171328-1-wangkefeng.wang@huawei.com>

When user code is executed in privileged mode, it will lead to an infinite loop in the page fault handler if ARM_LPAE is enabled. The issue could be reproduced with "echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT".

As the Permission fault shows in the ARM spec,

IFSR format when using the Short-descriptor translation table format
Permission fault:
  01101  First level
  01111  Second level

IFSR format when using the Long-descriptor translation table format
Permission fault:
  0011LL  LL bits indicate level.

Add is_permission_fault() function to check permission fault and die if permission fault occurred under instruction fault in do_page_fault().

Fixes: 1d4d37159d01 ("ARM: 8235/1: Support for the PXN CPU feature on ARMv7")
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
 arch/arm/mm/fault.c | 20 +++++++++++++++++++-
 arch/arm/mm/fault.h |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 82bcfe57de20..bc8779d54a64 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -194,6 +194,19 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) #define VM_FAULT_BADMAP 0x010000 #define VM_FAULT_BADACCESS 0x020000 +static inline bool is_permission_fault(unsigned int fsr) +{ + int fs = fsr_fs(fsr); +#ifdef CONFIG_ARM_LPAE + if ((fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL) + return true; +#else + if (fs == FS_L1_PERM || fs == FS_L2_PERM) + return true; +#endif + return false; +} + static vm_fault_t __kprobes __do_page_fault(struct mm_struct *mm, unsigned long addr, unsigned int flags, unsigned long vma_flags, struct pt_regs *regs) @@ -253,9 +266,14 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) vm_flags = VM_WRITE; } - if (fsr & FSR_LNX_PF) + if (fsr & FSR_LNX_PF) { vm_flags = VM_EXEC; + if (is_permission_fault(fsr) && !user_mode(regs)) + die_kernel_fault("execution of memory", + mm, addr, fsr, regs); + } + perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); /* diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h index 9ecc2097a87a..83b5ab32d7a4 100644 --- a/arch/arm/mm/fault.h +++ b/arch/arm/mm/fault.h @@ -14,6 +14,8 @@ #ifdef CONFIG_ARM_LPAE #define FSR_FS_AEA 17 +#define FS_PERM_NOLL 0xC +#define FS_PERM_NOLL_MASK 0x3C static inline int fsr_fs(unsigned int fsr) { @@ -21,6 +23,8 @@ static inline int fsr_fs(unsigned int fsr) } #else #define FSR_FS_AEA 22 +#define FS_L1_PERM 0xD +#define FS_L2_PERM 0xF static inline int fsr_fs(unsigned int fsr) { -- 2.26.2
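Review bot: in the first fault.c hunk, the `#ifdef CONFIG_ARM_LPAE` inside is_permission_fault() duplicates the one that already selects fsr_fs() and the FS_* constants in fault.h; moving the helper into fault.h beside fsr_fs(), with one body per branch, keeps the format-specific status decoding in a single place and lets fault.c call is_permission_fault() without conditional compilation. The logic itself is right for both formats: with FS_PERM_NOLL_MASK 0x3C and FS_PERM_NOLL 0xC, `(fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL` accepts exactly the long-descriptor statuses 0b0011LL (0xC to 0xF, every level), and FS_L1_PERM 0xD / FS_L2_PERM 0xF are the short-descriptor 01101 / 01111 values quoted in the commit message.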
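Review bot: in the do_page_fault() hunk, `!user_mode(regs)` is the cheap half of the condition and can go before is_permission_fault(fsr) so the status decode is skipped on the common user-mode path; more importantly, the commit message says only that the old code looped, not why, and that belongs in the log: the faulting user page is present and executable from user space, so the generic fault path has nothing to repair, the instruction is retried and the PXN permission fault recurs. Spelling that out also explains why the check has to sit here, before the VMA lookup and the retry loop, rather than inside __do_page_fault().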
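Review bot: in the CONFIG_ARM_LPAE hunk of fault.h, the names FS_PERM_NOLL and FS_PERM_NOLL_MASK are opaque without the commit message ("NOLL" is "no level bits"), and neither define carries a comment; a one-line comment such as `/* 0011LL: permission fault, LL = level */` on the pair would make the header self-explanatory and document that the mask deliberately drops the two level bits.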
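Review bot: in the non-LPAE hunk of fault.h, FS_L1_PERM and FS_L2_PERM are likewise added without a comment; `/* 01101 / 01111: first / second level permission fault */` would tie them to the short-descriptor encodings the log quotes and make clear that 0xD covers a section (first-level) entry and 0xF a page (second-level) entry. Placement next to FSR_FS_AEA in the same branch is consistent with the LPAE side.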
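To check the status-bit arithmetic the patch relies on outside the kernel, here is an added user-space decoder; it is not part of the patch or of arch/arm/mm/fault.c. It models both fsr_fs() variants and the patch's is_permission_fault(), with the translation-table format passed as a parameter instead of selected by `#ifdef`, and feeds them constructed FSR values of the shape do_page_fault() receives. The FSR_LNX_PF, FSR_WRITE, FSR_FS4, FSR_FS3_0 and FSR_FS5_0 bit positions are assumed from the kernel's fault.h and are not shown on this page; the FS_* values are the ones the patch introduces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions assumed from arch/arm/mm/fault.h (not shown on this page). */
#define FSR_LNX_PF   (1u << 31)  /* Linux-private bit: set for prefetch (instruction) aborts */
#define FSR_WRITE    (1u << 11)  /* WnR: the faulting access was a write */
#define FSR_FS4      (1u << 10)  /* short-descriptor: bit 4 of the 5-bit fault status */
#define FSR_FS3_0    15u         /* short-descriptor: bits 3:0 of the fault status */
#define FSR_FS5_0    0x3fu       /* long-descriptor: the whole 6-bit fault status */

/* Constants added by the patch. */
#define FS_L1_PERM        0xD    /* short-descriptor: 01101, first-level permission fault */
#define FS_L2_PERM        0xF    /* short-descriptor: 01111, second-level permission fault */
#define FS_PERM_NOLL      0xC    /* long-descriptor: 0011LL with the LL level bits cleared */
#define FS_PERM_NOLL_MASK 0x3C   /* long-descriptor: drops the LL bits before comparing */

enum table_format { SHORT_DESCRIPTOR, LONG_DESCRIPTOR };
enum fault_action { FAULT_HANDLE, FAULT_DIE };

/* Short-descriptor status is split: bits 3:0, plus bit 10 moved down to become bit 4. */
static int fsr_fs_short(unsigned int fsr)
{
	return (fsr & FSR_FS3_0) | ((fsr & FSR_FS4) >> 6);
}

/* Long-descriptor status is one contiguous 6-bit field. */
static int fsr_fs_long(unsigned int fsr)
{
	return fsr & FSR_FS5_0;
}

static int fsr_fs(unsigned int fsr, enum table_format fmt)
{
	return fmt == LONG_DESCRIPTOR ? fsr_fs_long(fsr) : fsr_fs_short(fsr);
}

/* The patch's is_permission_fault(), with the format passed in instead of chosen by #ifdef. */
static bool is_permission_fault(unsigned int fsr, enum table_format fmt)
{
	int fs = fsr_fs(fsr, fmt);

	if (fmt == LONG_DESCRIPTOR)
		return (fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL;
	return fs == FS_L1_PERM || fs == FS_L2_PERM;
}

/* Translation level (the LL bits) of a long-descriptor permission fault, or -1 if it is not one. */
static int perm_fault_level(unsigned int fsr)
{
	return is_permission_fault(fsr, LONG_DESCRIPTOR) ? (fsr_fs_long(fsr) & 3) : -1;
}

/*
 * The decision the patched do_page_fault() takes before it looks up the VMA:
 * a permission fault on a privileged instruction fetch is fatal; everything
 * else still goes to the generic handler (and, from user mode, ends in SIGSEGV).
 */
static enum fault_action classify(unsigned int fsr, enum table_format fmt, bool user_mode)
{
	if ((fsr & FSR_LNX_PF) && !user_mode && is_permission_fault(fsr, fmt))
		return FAULT_DIE;
	return FAULT_HANDLE;
}

int main(void)
{
	/* Constructed FSR values, shaped like those the kernel hands to do_page_fault(). */
	const struct { const char *what; unsigned int fsr; enum table_format fmt; bool user; } cases[] = {
		{ "PXN hit, LPAE, level-3 entry, kernel mode",       FSR_LNX_PF | 0x0F,  LONG_DESCRIPTOR,  false },
		{ "PXN hit, short-descriptor page, kernel mode",    FSR_LNX_PF | 0x0F,  SHORT_DESCRIPTOR, false },
		{ "PXN hit, short-descriptor section, kernel mode", FSR_LNX_PF | 0x0D,  SHORT_DESCRIPTOR, false },
		{ "same fault taken from user mode",                FSR_LNX_PF | 0x0F,  LONG_DESCRIPTOR,  true  },
		{ "translation fault, LPAE level 2 (demand page)",  FSR_LNX_PF | 0x06,  LONG_DESCRIPTOR,  false },
		{ "data write permission fault (not a fetch)",      FSR_WRITE  | 0x0F,  LONG_DESCRIPTOR,  false },
		{ "short-descriptor status with bit 10 set (0x1D)", FSR_LNX_PF | 0x40D, SHORT_DESCRIPTOR, false },
	};
	const char *names[] = { "handle", "die" };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-52s fs=0x%02x -> %s\n", cases[i].what, fsr_fs(cases[i].fsr, cases[i].fmt),
		       names[classify(cases[i].fsr, cases[i].fmt, cases[i].user)]);
	return 0;
}
```

The last case is the reason fsr_fs() exists at all: on the short-descriptor side the fifth status bit lives in FSR bit 10, so comparing the low nibble alone would misreport status 0x1D (low nibble 0xD) as a first-level permission fault. On the LPAE side the 0x3C mask is what makes one compare cover all four LL values; the decoder also shows that a translation fault (0b0001LL) or a data-side abort without FSR_LNX_PF never reaches the fatal path.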
Thread overview:

2021-06-10 12:35 [PATCH v3 0/6] ARM: mm: cleanup page fault and fix pxn process issue  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 1/6] ARM: mm: Rafactor the __do_page_fault()  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 2/6] ARM: mm: Kill task_struct argument for __do_page_fault()  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 3/6] ARM: mm: Cleanup access_error()  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 4/6] ARM: mm: Kill page table base print in show_pte()  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 5/6] ARM: mm: Provide die_kernel_fault() helper  Kefeng Wang
2021-06-10 12:35 ` [PATCH v3 6/6] ARM: mm: Fix PXN process with LPAE feature  Kefeng Wang  [this message]
2021-06-15  2:15 ` [PATCH v3 0/6] ARM: mm: cleanup page fault and fix pxn process issue  Kefeng Wang
2021-07-19 12:19 ` Kefeng Wang
2021-07-31  6:42 ` Kefeng Wang
2021-08-12 13:51 ` Kefeng Wang
2021-10-12  1:41 ` Kefeng Wang
2021-10-14 16:28 ` Russell King (Oracle)
2021-10-15  1:05 ` Kefeng Wang