From: Peter Zijlstra <peterz@infradead.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [RFC][PATCH] x86: Verify access_ok() context
Date: Mon, 5 Dec 2016 11:27:47 +0100 [thread overview]
Message-ID: <20161205102747.GT3092@twins.programming.kicks-ass.net> (raw)
In-Reply-To: <CA+55aFzUq8uqsJyZRdNy4Rt11L561YcahwtTkHNU3Y2LeXGJEw@mail.gmail.com>
On Tue, Nov 22, 2016 at 11:42:19AM -0800, Linus Torvalds wrote:
> On Tue, Nov 22, 2016 at 11:37 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > CONFIG_DEBUG_VM seems somehow inappropriate.
>
> The usual might_fault() logic? That uses
>
> defined(CONFIG_PROVE_LOCKING) || defined(CONFIG_DEBUG_ATOMIC_SLEEP)
>
> (and "might_sleep()" uses just CONFIG_DEBUG_ATOMIC_SLEEP, maybe that's fine).
>
Fair enough; something like so then?
---
Subject: x86: Verify access_ok() context
From: Peter Zijlstra <peterz@infradead.org>
Date: Tue, 22 Nov 2016 10:57:15 +0100
I recently encountered wreckage because access_ok() was used where it
should not be, add an explicit WARN when access_ok() is used wrongly.
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
arch/x86/include/asm/uaccess.h | 13 +++++++++++--
include/linux/preempt.h | 21 +++++++++++++--------
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -68,6 +68,12 @@ static inline bool __chk_range_not_ok(un
__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
})
+#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
+#define ACCESS_OK_WARN() WARN_ON_ONCE(!in_task())
+#else
+#define ACCESS_OK_WARN()
+#endif
+
/**
* access_ok: - Checks if a user space pointer is valid
* @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
@@ -88,8 +94,11 @@ static inline bool __chk_range_not_ok(un
* checks that the pointer is in the user space range - after calling
* this function, memory access functions may still return -EFAULT.
*/
-#define access_ok(type, addr, size) \
- likely(!__range_not_ok(addr, size, user_addr_max()))
+#define access_ok(type, addr, size) \
+({ \
+ ACCESS_OK_WARN(); \
+ likely(!__range_not_ok(addr, size, user_addr_max())); \
+})
/*
* These are the main single-value transfer routines. They automatically
--- a/include/linux/preempt.h
+++ b/include/linux/preempt.h
@@ -65,19 +65,24 @@
/*
* Are we doing bottom half or hardware interrupt processing?
- * Are we in a softirq context? Interrupt context?
- * in_softirq - Are we currently processing softirq or have bh disabled?
- * in_serving_softirq - Are we currently processing softirq?
+ *
+ * in_irq() - We're in (hard) IRQ context
+ * in_softirq() - We have BH disabled, or are processing softirqs
+ * in_interrupt() - We're in NMI,IRQ,SoftIRQ context or have BH disabled
+ * in_serving_softirq() - We're in softirq context
+ * in_nmi() - We're in NMI context
+ * in_task() - We're in task context
+ *
+ * Note: due to the BH disabled confusion: in_softirq(),in_interrupt() really
+ * should not be used in new code.
*/
#define in_irq() (hardirq_count())
#define in_softirq() (softirq_count())
#define in_interrupt() (irq_count())
#define in_serving_softirq() (softirq_count() & SOFTIRQ_OFFSET)
-
-/*
- * Are we in NMI context?
- */
-#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_task() (!(preempt_count() & \
+ (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)))
/*
* The preempt_count offset after preempt_disable();
next prev parent reply other threads:[~2016-12-05 10:28 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-22 9:57 [RFC][PATCH] x86: Verify access_ok() context Peter Zijlstra
2016-11-22 17:28 ` Andy Lutomirski
2016-11-22 19:37 ` Peter Zijlstra
2016-11-22 19:42 ` Linus Torvalds
2016-12-05 10:27 ` Peter Zijlstra [this message]
2017-01-16 20:27 ` David Smith
2017-01-16 21:14 ` Thomas Gleixner
2017-01-18 22:16 ` David Smith
2017-01-19 0:19 ` Andy Lutomirski
2017-01-19 15:37 ` David Smith
2017-01-20 8:24 ` Peter Zijlstra
2017-01-20 8:50 ` Thomas Gleixner
2017-01-19 18:12 ` Thomas Gleixner
2017-01-19 20:22 ` Frank Ch. Eigler
2017-01-19 20:50 ` Thomas Gleixner
2017-01-19 21:27 ` Frank Ch. Eigler
2017-01-19 22:20 ` Peter Zijlstra
2017-01-19 23:04 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161205102747.GT3092@twins.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).