linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [RFC][PATCH] x86: Verify access_ok() context
Date: Tue, 22 Nov 2016 09:28:01 -0800	[thread overview]
Message-ID: <CALCETrW2mdAo59OW0+VfqTg8OAXe9qmiq23dex62a1ry0u2=Vw@mail.gmail.com> (raw)
In-Reply-To: <20161122095715.GN3092@twins.programming.kicks-ass.net>

On Tue, Nov 22, 2016 at 1:57 AM, Peter Zijlstra <peterz@infradead.org> wrote:
>
> I recently encountered wreckage because access_ok() was used where it
> should not be, add an explicit WARN when access_ok() is used wrongly.
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> ---
>  arch/x86/include/asm/uaccess.h |  7 +++++--
>  include/linux/preempt.h        | 21 +++++++++++++--------
>  2 files changed, 18 insertions(+), 10 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index faf3687f1035..b139c46ba122 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -88,8 +88,11 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
>   * checks that the pointer is in the user space range - after calling
>   * this function, memory access functions may still return -EFAULT.
>   */
> -#define access_ok(type, addr, size) \
> -       likely(!__range_not_ok(addr, size, user_addr_max()))
> +#define access_ok(type, addr, size)                                    \
> +({                                                                     \
> +       WARN_ON_ONCE(!in_task());                                       \

Should this be guarded by some debug option?  This may hurt
performance on production systems quite a bit.

> diff --git a/include/linux/preempt.h b/include/linux/preempt.h
> index 75e4e30677f1..7eeceac52dea 100644
> --- a/include/linux/preempt.h
> +++ b/include/linux/preempt.h
> @@ -65,19 +65,24 @@
>
>  /*
>   * Are we doing bottom half or hardware interrupt processing?
> - * Are we in a softirq context? Interrupt context?
> - * in_softirq - Are we currently processing softirq or have bh disabled?
> - * in_serving_softirq - Are we currently processing softirq?
> + *
> + * in_irq()       - We're in (hard) IRQ context
> + * in_softirq()   - We have BH disabled, or are processing softirqs
> + * in_interrupt() - We're in NMI,IRQ,SoftIRQ context or have BH disabled
> + * in_serving_softirq() - We're in softirq context
> + * in_nmi()       - We're in NMI context
> + * in_task()     - We're in task context
> + *
> + * Note: due to the BH disabled confusion: in_softirq(),in_interrupt() really
> + *       should not be used in new code.
>   */
>  #define in_irq()               (hardirq_count())
>  #define in_softirq()           (softirq_count())
>  #define in_interrupt()         (irq_count())
>  #define in_serving_softirq()   (softirq_count() & SOFTIRQ_OFFSET)
> -
> -/*
> - * Are we in NMI context?
> - */
> -#define in_nmi()       (preempt_count() & NMI_MASK)
> +#define in_nmi()               (preempt_count() & NMI_MASK)
> +#define in_task()              (!(preempt_count() & \
> +                                  (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)))

LGTM.

For what it's worth, I think ARM recently started saving the address
limit and resetting it to USER_DS on NMI entry.

--Andy

  reply	other threads:[~2016-11-22 17:28 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-22  9:57 [RFC][PATCH] x86: Verify access_ok() context Peter Zijlstra
2016-11-22 17:28 ` Andy Lutomirski [this message]
2016-11-22 19:37   ` Peter Zijlstra
2016-11-22 19:42     ` Linus Torvalds
2016-12-05 10:27       ` Peter Zijlstra
2017-01-16 20:27         ` David Smith
2017-01-16 21:14           ` Thomas Gleixner
2017-01-18 22:16             ` David Smith
2017-01-19  0:19               ` Andy Lutomirski
2017-01-19 15:37                 ` David Smith
2017-01-20  8:24                 ` Peter Zijlstra
2017-01-20  8:50                   ` Thomas Gleixner
2017-01-19 18:12               ` Thomas Gleixner
2017-01-19 20:22                 ` Frank Ch. Eigler
2017-01-19 20:50                   ` Thomas Gleixner
2017-01-19 21:27                     ` Frank Ch. Eigler
2017-01-19 22:20                       ` Peter Zijlstra
2017-01-19 23:04                       ` Thomas Gleixner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALCETrW2mdAo59OW0+VfqTg8OAXe9qmiq23dex62a1ry0u2=Vw@mail.gmail.com' \
    --to=luto@amacapital.net \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).