From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.5 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99B45C433E0 for ; Wed, 13 May 2020 16:16:36 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 9A6902053B for ; Wed, 13 May 2020 16:16:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="MJg6IDqo" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9A6902053B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=lst.de Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id E13B88001D; Wed, 13 May 2020 12:16:35 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D9C3A8000B; Wed, 13 May 2020 12:16:35 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CB3578001D; Wed, 13 May 2020 12:16:35 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0063.hostedemail.com [216.40.44.63]) by kanga.kvack.org (Postfix) with ESMTP id B02A68000B for ; Wed, 13 May 2020 12:16:35 -0400 (EDT) Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 7589740C0 for ; Wed, 13 May 2020 16:16:35 +0000 (UTC) X-FDA: 76812198750.12.face44_5696fa469f837 X-HE-Tag: face44_5696fa469f837 X-Filterd-Recvd-Size: 10452 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) by imf18.hostedemail.com (Postfix) with ESMTP for ; Wed, 13 May 2020 16:16:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender :Reply-To:Content-Type:Content-ID:Content-Description; bh=KIuEtIuVTTaP7PWLUSqSXwErp3yBeo2bpzocb9q+81M=; b=MJg6IDqoltCp5S5DkhYmIDw6Uz oRZ8ANvsDl1zddba/MuDVNxWL0hqTB5eWVe3Oy/B3pdtmVLSMv58lJOJ4BjdTt3dlkrKKddsxIi6Y F87bTbNvjPqAbBzF65HF196Ck3b5OaHn9D9sku+v/vL0m53Jb+T6WBFwyIen5W8tDMeWOfTrWhTay DzobmfcGc5kN9kQI9j1KOLujRvEDqk92JbcQJJNJ+SPweSXNz+8lqMSHEdhAPdGQu1qVIprkwJKMl WG/VgRXV4itKteuF/NQeIYLSdENuvktXPH4e+4REU4VfsNk/zwEZ/sMQiISYYkBLsCDy5P/ZQG2aC qa1pSciQ==; Received: from [2001:4bb8:180:9d3f:c70:4a89:bc61:2] (helo=localhost) by bombadil.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1jYtog-0004tA-Sc; Wed, 13 May 2020 16:01:07 +0000 From: Christoph Hellwig To: x86@kernel.org, Alexei Starovoitov , Daniel Borkmann , Masami Hiramatsu , Linus Torvalds , Andrew Morton Cc: linux-parisc@vger.kernel.org, linux-um@lists.infradead.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH 10/18] maccess: unify the probe kernel arch hooks Date: Wed, 13 May 2020 18:00:30 +0200 Message-Id: <20200513160038.2482415-11-hch@lst.de> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513160038.2482415-1-hch@lst.de> References: <20200513160038.2482415-1-hch@lst.de> MIME-Version: 1.0 X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org. See http://www.infradead.org/rpr.html Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Currently architectures have to override every routine that probes kernel memory, which includes a pure read and strcpy, both in strict and not strict variants. Just provide a single arch hooks instead to make sure all architectures cover all the cases. Signed-off-by: Christoph Hellwig --- arch/parisc/lib/memcpy.c | 13 ++++------- arch/um/kernel/maccess.c | 11 ++++----- arch/x86/mm/maccess.c | 18 ++++----------- include/linux/uaccess.h | 6 +++-- mm/maccess.c | 49 ++++++++++++++++++++++++++++++---------- 5 files changed, 56 insertions(+), 41 deletions(-) diff --git a/arch/parisc/lib/memcpy.c b/arch/parisc/lib/memcpy.c index beceaab34ecb7..5ef648bd33119 100644 --- a/arch/parisc/lib/memcpy.c +++ b/arch/parisc/lib/memcpy.c @@ -57,14 +57,11 @@ void * memcpy(void * dst,const void *src, size_t coun= t) EXPORT_SYMBOL(raw_copy_in_user); EXPORT_SYMBOL(memcpy); =20 -long probe_kernel_read(void *dst, const void *src, size_t size) +bool probe_kernel_read_allowed(void *dst, const void *unsafe_src, size_t= size, + bool strict) { - unsigned long addr =3D (unsigned long)src; - - if (addr < PAGE_SIZE) - return -EFAULT; - + if ((unsigned long)unsafe_src < PAGE_SIZE) + return false; /* check for I/O space F_EXTEND(0xfff00000) access as well? */ - - return __probe_kernel_read(dst, src, size); + return true; } diff --git a/arch/um/kernel/maccess.c b/arch/um/kernel/maccess.c index 67b2e0fa92bba..90a1bec923158 100644 --- a/arch/um/kernel/maccess.c +++ b/arch/um/kernel/maccess.c @@ -7,15 +7,14 @@ #include #include =20 -long probe_kernel_read(void *dst, const void *src, size_t size) +bool probe_kernel_read_allowed(void *dst, const void *src, size_t size, + bool strict) { void *psrc =3D (void *)rounddown((unsigned long)src, PAGE_SIZE); =20 if ((unsigned long)src < PAGE_SIZE || size <=3D 0) - return -EFAULT; - + return false; if (os_mincore(psrc, size + src - psrc) <=3D 0) - return -EFAULT; - - return __probe_kernel_read(dst, src, size); + return false; + return true; } diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c index 62c4017a2473d..5c323ab187b27 100644 --- a/arch/x86/mm/maccess.c +++ b/arch/x86/mm/maccess.c @@ -26,18 +26,10 @@ static __always_inline bool invalid_probe_range(u64 v= addr) } #endif =20 -long probe_kernel_read_strict(void *dst, const void *src, size_t size) +bool probe_kernel_read_allowed(void *dst, const void *unsafe_src, size_t= size, + bool strict) { - if (unlikely(invalid_probe_range((unsigned long)src))) - return -EFAULT; - - return __probe_kernel_read(dst, src, size); -} - -long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, lon= g count) -{ - if (unlikely(invalid_probe_range((unsigned long)unsafe_addr))) - return -EFAULT; - - return __strncpy_from_unsafe(dst, unsafe_addr, count); + if (!strict) + return true; + return !invalid_probe_range((unsigned long)unsafe_src); } diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index d8366f8468664..7cfc10eb09c60 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -301,9 +301,11 @@ copy_struct_from_user(void *dst, size_t ksize, const= void __user *src, return 0; } =20 +bool probe_kernel_read_allowed(void *dst, const void *unsafe_src, + size_t size, bool strict); + extern long probe_kernel_read(void *dst, const void *src, size_t size); extern long probe_kernel_read_strict(void *dst, const void *src, size_t = size); -extern long __probe_kernel_read(void *dst, const void *src, size_t size)= ; extern long probe_user_read(void *dst, const void __user *src, size_t si= ze); =20 extern long notrace probe_kernel_write(void *dst, const void *src, size_= t size); @@ -312,7 +314,7 @@ extern long notrace probe_user_write(void __user *dst= , const void *src, size_t s extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long= count); long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count); -extern long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, lo= ng count); + long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr= , long count); long strnlen_user_nofault(const void __user *unsafe_addr, long count); diff --git a/mm/maccess.c b/mm/maccess.c index 31cf6604e7fff..483a933b7d241 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -6,6 +6,17 @@ #include #include =20 +static long __probe_kernel_read(void *dst, const void *src, size_t size, + bool strict); +static long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, + long count, bool strict); + +bool __weak probe_kernel_read_allowed(void *dst, const void *unsafe_src, + size_t size, bool strict) +{ + return true; +} + /** * probe_kernel_read(): safely attempt to read from any location * @dst: pointer to the buffer that shall take the data @@ -19,8 +30,11 @@ * DO NOT USE THIS FUNCTION - it is broken on architectures with entirel= y * separate kernel and user address spaces, and also a bad idea otherwis= e. */ -long __weak probe_kernel_read(void *dst, const void *src, size_t size) - __attribute__((alias("__probe_kernel_read"))); +long probe_kernel_read(void *dst, const void *src, size_t size) +{ + return __probe_kernel_read(dst, src, size, false); +} +EXPORT_SYMBOL_GPL(probe_kernel_read); =20 /** * probe_kernel_read_strict(): safely attempt to read from kernel-space @@ -36,14 +50,20 @@ long __weak probe_kernel_read(void *dst, const void *= src, size_t size) * probe_kernel_read() suitable for use within regions where the caller * already holds mmap_sem, or other locks which nest inside mmap_sem. */ -long __weak probe_kernel_read_strict(void *dst, const void *src, size_t = size) - __attribute__((alias("__probe_kernel_read"))); +long probe_kernel_read_strict(void *dst, const void *src, size_t size) +{ + return __probe_kernel_read(dst, src, size, true); +} =20 -long __probe_kernel_read(void *dst, const void *src, size_t size) +static long __probe_kernel_read(void *dst, const void *src, size_t size, + bool strict) { long ret; mm_segment_t old_fs =3D get_fs(); =20 + if (!probe_kernel_read_allowed(dst, src, size, strict)) + return -EFAULT; + set_fs(KERNEL_DS); pagefault_disable(); ret =3D __copy_from_user_inatomic(dst, (__force const void __user *)src= , @@ -55,7 +75,6 @@ long __probe_kernel_read(void *dst, const void *src, si= ze_t size) return -EFAULT; return 0; } -EXPORT_SYMBOL_GPL(probe_kernel_read); =20 /** * probe_user_read(): safely attempt to read from a user-space location @@ -161,8 +180,10 @@ long probe_user_write(void __user *dst, const void *= src, size_t size) * DO NOT USE THIS FUNCTION - it is broken on architectures with entirel= y * separate kernel and user address spaces, and also a bad idea otherwis= e. */ -long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long= count) - __attribute__((alias("__strncpy_from_unsafe"))); +long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count) +{ + return __strncpy_from_unsafe(dst, unsafe_addr, count, false); +} =20 /** * strncpy_from_kernel_nofault: - Copy a NUL terminated string from unsa= fe @@ -182,11 +203,13 @@ long __weak strncpy_from_unsafe(char *dst, const vo= id *unsafe_addr, long count) * If @count is smaller than the length of the string, copies @count-1 b= ytes, * sets the last byte of @dst buffer to NUL and returns @count. */ -long __weak strncpy_from_kernel_nofault(char *dst, const void *unsafe_ad= dr, - long count) - __attribute__((alias("__strncpy_from_unsafe"))); +long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, lon= g count) +{ + return __strncpy_from_unsafe(dst, unsafe_addr, count, true); +} =20 -long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long coun= t) +static long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, + long count, bool strict) { mm_segment_t old_fs =3D get_fs(); const void *src =3D unsafe_addr; @@ -194,6 +217,8 @@ long __strncpy_from_unsafe(char *dst, const void *uns= afe_addr, long count) =20 if (unlikely(count <=3D 0)) return 0; + if (!probe_kernel_read_allowed(dst, unsafe_addr, count, strict)) + return -EFAULT; =20 set_fs(KERNEL_DS); pagefault_disable(); --=20 2.26.2