From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, T_DKIMWL_WL_MED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BC22C1B0F2 for ; Wed, 20 Jun 2018 15:26:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id CBCDC208B7 for ; Wed, 20 Jun 2018 15:26:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="P4QMe9eU" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CBCDC208B7 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754275AbeFTP0f (ORCPT ); Wed, 20 Jun 2018 11:26:35 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:52236 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754142AbeFTPYf (ORCPT ); Wed, 20 Jun 2018 11:24:35 -0400 Received: by mail-wm0-f68.google.com with SMTP id p126-v6so207714wmb.2 for ; Wed, 20 Jun 2018 08:24:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=m9bM2usci+57xc3zRMgpKMd80JVfANdAQuqRMxrSXbE=; b=P4QMe9eUNQNmUEDFBBlBegREw9qogy95KBK5zhWridJ7KAYuu4P4qoJ4RSKpU9A9uj 5fca0DIDVpiHr/mfdFgE3ofA/Enl3ijcfpPqVwDoidv/ZBmJd3UfR+UiNCeMZof4XCST 4C/1T1Yp+k36uWBvPwnzfbw0QykFayqOyUY5ncoD2eTJsW/QASmCkGs/GutEvLYzNuJj 869lLy8dgvSAUBlgEVAbePvzExXpPUkKx6xwcWa6d2c6HPYOArGLmbtV9voMXMuXOIDR Yv0PUDda2BBkNvrXOwhUkwNT0fQrGVD3726M/2PMhCspWsSHXdrSHi0Ge+6EaYp8cb5d tjdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=m9bM2usci+57xc3zRMgpKMd80JVfANdAQuqRMxrSXbE=; b=R7jyMC+dI+9EZbMnk8WZm5lHHKsws60+sYJd7XPPwunXbEUySyM3h/El1zagDQUg1X jg5J4lQo9kPAe7XP3ALuy+OEg+zohX3dh7D5OiQ2jS5Gih3JtDKFwqZY6cuxBNXaEQjZ EPbQWPTBfi1wfbFphSvR2fBDD56Qz5YX2V3grhBaicCxluvgyCtAQQbJnu+WljorpqXx SebYuXE76sNpqyJWKCCDSr3LaV6tUGBDaCIHqyhG9mfWXseVREXHSwkG5W0QVIu/KT+5 6CqdrpA4XHqLfcYv3dC2Kz7vjMRM4JR3LgeLwWMAdIsRnMQ6Y0FyrfsWwbWR21nWVdDO CYjA== X-Gm-Message-State: APt69E1MUiT1hrnPjm+4iTei7Xe9nTMUVhzPoYqiJmaYrfdhrheJq+lB 2rVqV8WDHXEv94PqU4SkD2F2og== X-Google-Smtp-Source: ADUXVKLQqaSurFJRIyHjy++pghmW5yD8Wq8MdxfPzk2iZvkneLGTJmoAUuaWj2bOKS5adHS07hEvOA== X-Received: by 2002:a1c:9015:: with SMTP id s21-v6mr2104314wmd.20.1529508274166; Wed, 20 Jun 2018 08:24:34 -0700 (PDT) Received: from andreyknvl0.muc.corp.google.com ([2a00:79e0:15:10:84be:a42a:826d:c530]) by smtp.gmail.com with ESMTPSA id c11-v6sm3959244wrm.65.2018.06.20.08.24.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Jun 2018 08:24:33 -0700 (PDT) From: Andrey Konovalov To: Catalin Marinas , Will Deacon , Mark Rutland , Robin Murphy , Al Viro , Andrey Konovalov , Kees Cook , Kate Stewart , Greg Kroah-Hartman , Andrew Morton , Ingo Molnar , "Kirill A . Shutemov" , Shuah Khan , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Dmitry Vyukov , Kostya Serebryany , Evgeniy Stepanov , Lee Smith , Ramana Radhakrishnan , Jacob Bramley , Ruben Ayrapetyan , Chintan Pandya Subject: [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr Date: Wed, 20 Jun 2018 17:24:22 +0200 Message-Id: <69573b1f821c5068be21fdff556cef11f03a09b4.1529507994.git.andreyknvl@google.com> X-Mailer: git-send-email 2.18.0.rc1.244.gcf134e6275-goog In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..fa7318d3d7d5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -237,7 +238,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -245,10 +247,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.18.0.rc1.244.gcf134e6275-goog From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on archive.lwn.net X-Spam-Level: X-Spam-Status: No, score=-5.6 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by archive.lwn.net (Postfix) with ESMTP id 2D68D7DF8A for ; Wed, 20 Jun 2018 15:26:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754261AbeFTP0f (ORCPT ); Wed, 20 Jun 2018 11:26:35 -0400 Received: from mail-wm0-f67.google.com ([74.125.82.67]:51514 "EHLO mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754144AbeFTPYf (ORCPT ); Wed, 20 Jun 2018 11:24:35 -0400 Received: by mail-wm0-f67.google.com with SMTP id r15-v6so220811wmc.1 for ; Wed, 20 Jun 2018 08:24:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=m9bM2usci+57xc3zRMgpKMd80JVfANdAQuqRMxrSXbE=; b=P4QMe9eUNQNmUEDFBBlBegREw9qogy95KBK5zhWridJ7KAYuu4P4qoJ4RSKpU9A9uj 5fca0DIDVpiHr/mfdFgE3ofA/Enl3ijcfpPqVwDoidv/ZBmJd3UfR+UiNCeMZof4XCST 4C/1T1Yp+k36uWBvPwnzfbw0QykFayqOyUY5ncoD2eTJsW/QASmCkGs/GutEvLYzNuJj 869lLy8dgvSAUBlgEVAbePvzExXpPUkKx6xwcWa6d2c6HPYOArGLmbtV9voMXMuXOIDR Yv0PUDda2BBkNvrXOwhUkwNT0fQrGVD3726M/2PMhCspWsSHXdrSHi0Ge+6EaYp8cb5d tjdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=m9bM2usci+57xc3zRMgpKMd80JVfANdAQuqRMxrSXbE=; b=o1VSplRKLrPdxZ5H/71WJU1VFFTF2FAlPXfdGmTZSbfulJqfGRB2AvqLs/KR97pIdR wdSWnAuYFH6ot8X8kq9Ca5GVCyIjDSHZFxL3ttgvKTyMZZRhwFXQvcAbC+PsqN7YMRDz ogvpGicUL8nk7OilMCWA8tlRJ19XPwgW3wHyohRX+sRy9FMTtT0XBqyQvpQs1WZj1YMp tgS8Zr7lEchSu0dhqqcyn6p6qBjjt31SaaOZ4CrnUsZUkkV5VN6fXRIssv4GJ1Sr5Lp9 yQAsKLgBM7ZNwwTcV5P+q9hO9421xK++BOtWbjEPD2sIMHUlWmjCWKpmHT8kEXdWftY9 D5Zw== X-Gm-Message-State: APt69E15HX46JLbH9DO3Gy0mk/YdErHpkcUQq/AeQ2wkdgc98Cw36TUr /NOHWN9cc/GwzLa1E7CMyty+aw== X-Google-Smtp-Source: ADUXVKLQqaSurFJRIyHjy++pghmW5yD8Wq8MdxfPzk2iZvkneLGTJmoAUuaWj2bOKS5adHS07hEvOA== X-Received: by 2002:a1c:9015:: with SMTP id s21-v6mr2104314wmd.20.1529508274166; Wed, 20 Jun 2018 08:24:34 -0700 (PDT) Received: from andreyknvl0.muc.corp.google.com ([2a00:79e0:15:10:84be:a42a:826d:c530]) by smtp.gmail.com with ESMTPSA id c11-v6sm3959244wrm.65.2018.06.20.08.24.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Jun 2018 08:24:33 -0700 (PDT) From: Andrey Konovalov To: Catalin Marinas , Will Deacon , Mark Rutland , Robin Murphy , Al Viro , Andrey Konovalov , Kees Cook , Kate Stewart , Greg Kroah-Hartman , Andrew Morton , Ingo Molnar , "Kirill A . Shutemov" , Shuah Khan , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Dmitry Vyukov , Kostya Serebryany , Evgeniy Stepanov , Lee Smith , Ramana Radhakrishnan , Jacob Bramley , Ruben Ayrapetyan , Chintan Pandya Subject: [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr Date: Wed, 20 Jun 2018 17:24:22 +0200 Message-Id: <69573b1f821c5068be21fdff556cef11f03a09b4.1529507994.git.andreyknvl@google.com> X-Mailer: git-send-email 2.18.0.rc1.244.gcf134e6275-goog In-Reply-To: References: Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..fa7318d3d7d5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -237,7 +238,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -245,10 +247,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.18.0.rc1.244.gcf134e6275-goog -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: andreyknvl at google.com (Andrey Konovalov) Date: Wed, 20 Jun 2018 17:24:22 +0200 Subject: [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr In-Reply-To: References: Message-ID: <69573b1f821c5068be21fdff556cef11f03a09b4.1529507994.git.andreyknvl@google.com> copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..fa7318d3d7d5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -237,7 +238,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -245,10 +247,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.18.0.rc1.244.gcf134e6275-goog -- To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: andreyknvl@google.com (Andrey Konovalov) Date: Wed, 20 Jun 2018 17:24:22 +0200 Subject: [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr In-Reply-To: References: Message-ID: <69573b1f821c5068be21fdff556cef11f03a09b4.1529507994.git.andreyknvl@google.com> Content-Type: text/plain; charset="UTF-8" Message-ID: <20180620152422.lA3n1uXUZMpAD3am4Ih6ntE_N0EmvgYvcDV187wa8Jk@z> copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..fa7318d3d7d5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -237,7 +238,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -245,10 +247,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.18.0.rc1.244.gcf134e6275-goog -- To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: andreyknvl@google.com (Andrey Konovalov) Date: Wed, 20 Jun 2018 17:24:22 +0200 Subject: [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr In-Reply-To: References: Message-ID: <69573b1f821c5068be21fdff556cef11f03a09b4.1529507994.git.andreyknvl@google.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..fa7318d3d7d5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -237,7 +238,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -245,10 +247,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.18.0.rc1.244.gcf134e6275-goog