linux-kernel.vger.kernel.org archive mirror
* [PATCH v2 0/2] Let illegal access to user-space memory die
@ 2020-12-03  6:48 Eric Lin
  2020-12-03  6:48 ` [PATCH v2 1/2] riscv/mm: Introduce a die_kernel_fault() helper function Eric Lin
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Eric Lin @ 2020-12-03  6:48 UTC
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley, hch
  Cc: Eric Lin

Accesses to user-space memory without calling uaccess routines
lead to hanging in the page fault handler. Like arm64, we let it
die earlier in the page fault handler.

Changes in v2:
    -Add a die_kernel_fault() helper
    -Split one long line of code into two

Eric Lin (2):
  riscv/mm: Introduce a die_kernel_fault() helper function
  riscv/mm: Prevent kernel module to access user memory without uaccess
    routines

 arch/riscv/mm/fault.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

-- 
2.17.0



* [PATCH v2 1/2] riscv/mm: Introduce a die_kernel_fault() helper function
  2020-12-03  6:48 [PATCH v2 0/2] Let illegal access to user-space memory die Eric Lin
@ 2020-12-03  6:48 ` Eric Lin
  2020-12-03  6:48 ` [PATCH v2 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines Eric Lin
  2020-12-03  7:29 ` [PATCH v2 0/2] Let illegal access to user-space memory die Pekka Enberg
  2 siblings, 0 replies; 5+ messages in thread
From: Eric Lin @ 2020-12-03  6:48 UTC
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley, hch
  Cc: Eric Lin, Alan Kao

Like arm64, this patch adds a die_kernel_fault() helper
to ensure the same semantics for the different kernel faults.

Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
---
 arch/riscv/mm/fault.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 3c8b9e433c67..0bcfd0e1b39e 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -19,6 +19,19 @@
 
 #include "../kernel/head.h"
 
+static void die_kernel_fault(const char *msg, unsigned long addr,
+		struct pt_regs *regs)
+{
+	bust_spinlocks(1);
+
+	pr_alert("Unable to handle kernel %s at virtual address " REG_FMT "\n", msg,
+			addr);
+
+	bust_spinlocks(0);
+	die(regs, "Oops");
+	do_exit(SIGKILL);
+}
+
 static inline void no_context(struct pt_regs *regs, unsigned long addr)
 {
 	/* Are we prepared to handle this kernel fault? */
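
Review bot: die_kernel_fault() is added as a static function with no caller in this patch (the diffstat shows only these 13 insertions), so building with 1/2 applied alone gives a defined-but-unused warning; converting no_context(), the function in the trailing context, to call it in this same patch would give the helper a user, which is also what the review reply in this thread asks for. The body ends in do_exit(SIGKILL), so the helper never returns; a one-line comment or a __noreturn annotation would make that explicit for callers that place no return after the call. The pr_alert() line also runs past 80 columns and could break after the format string instead of after "msg,".
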
-- 
2.17.0



* [PATCH v2 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines
  2020-12-03  6:48 [PATCH v2 0/2] Let illegal access to user-space memory die Eric Lin
  2020-12-03  6:48 ` [PATCH v2 1/2] riscv/mm: Introduce a die_kernel_fault() helper function Eric Lin
@ 2020-12-03  6:48 ` Eric Lin
  2020-12-03  7:29 ` [PATCH v2 0/2] Let illegal access to user-space memory die Pekka Enberg
  2 siblings, 0 replies; 5+ messages in thread
From: Eric Lin @ 2020-12-03  6:48 UTC
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley, hch
  Cc: Eric Lin, Alan Kao

We found this issue in a legacy out-of-tree kernel module
which didn't properly access a user space pointer by get/put_user().
Such an illegal access loops in the page fault handler.
To resolve this, let it die here.

Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
---
 arch/riscv/mm/fault.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 0bcfd0e1b39e..00884c1bac28 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -245,6 +245,11 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
 	if (user_mode(regs))
 		flags |= FAULT_FLAG_USER;
 
+	if (!user_mode(regs) && addr < TASK_SIZE &&
+			unlikely(!(regs->status & SR_SUM)))
+		die_kernel_fault("access to user memory without uaccess routines",
+				addr, regs);
+
 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
 
 	if (cause == EXC_STORE_PAGE_FAULT)
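
Review bot: the new condition ahead of perf_sw_event() has no comment saying why a kernel-mode fault on an address below TASK_SIZE with SR_SUM clear in regs->status means the access bypassed the uaccess routines; a short comment stating that those routines set SR_SUM around user accesses would let readers check the test without reading the message string. Nothing follows the die_kernel_fault() call inside the if, so this path depends on the helper never returning; if that ever changes, execution falls through into the normal fault handling below. The subject line speaks of kernel modules, but !user_mode(regs) matches any kernel-mode access, so the commit message should say so. unlikely() wraps only the SR_SUM test; wrapping the whole condition would match the intent.
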
-- 
2.17.0



* Re: [PATCH v2 0/2] Let illegal access to user-space memory die
  2020-12-03  6:48 [PATCH v2 0/2] Let illegal access to user-space memory die Eric Lin
  2020-12-03  6:48 ` [PATCH v2 1/2] riscv/mm: Introduce a die_kernel_fault() helper function Eric Lin
  2020-12-03  6:48 ` [PATCH v2 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines Eric Lin
@ 2020-12-03  7:29 ` Pekka Enberg
  2020-12-03  8:16   ` Eric Lin
  2 siblings, 1 reply; 5+ messages in thread
From: Pekka Enberg @ 2020-12-03  7:29 UTC
  To: Eric Lin
  Cc: LKML, linux-riscv, Michel Lespinasse, Vlastimil Babka, Peter Xu,
	Andrew Morton, Albert Ou, Palmer Dabbelt, Paul Walmsley,
	Christoph Hellwig

Hi Eric,

On Thu, Dec 3, 2020 at 8:51 AM Eric Lin <tesheng@andestech.com> wrote:
>
> Accesses to user-space memory without calling uaccess routines
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.
>
> Changes in v2:
>     -Add a die_kernel_fault() helper
>     -Split one long line of code into two

Please also make no_context() use the new helper. Other than that:

Reviewed-by: Pekka Enberg <penberg@kernel.org>


* Re: [PATCH v2 0/2] Let illegal access to user-space memory die
  2020-12-03  7:29 ` [PATCH v2 0/2] Let illegal access to user-space memory die Pekka Enberg
@ 2020-12-03  8:16   ` Eric Lin
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Lin @ 2020-12-03  8:16 UTC
  To: Pekka Enberg
  Cc: LKML, linux-riscv, Michel Lespinasse, Vlastimil Babka, Peter Xu,
	Andrew Morton, Albert Ou, Palmer Dabbelt, Paul Walmsley,
	Christoph Hellwig

On Thu, Dec 03, 2020 at 03:29:57PM +0800, Pekka Enberg wrote:

Hi Pekka, 

> Hi Eric,
> 
> On Thu, Dec 3, 2020 at 8:51 AM Eric Lin <tesheng@andestech.com> wrote:
> >
> > Accesses to user-space memory without calling uaccess routines
> > lead to hanging in the page fault handler. Like arm64, we let it
> > die earlier in the page fault handler.
> >
> > Changes in v2:
> >     -Add a die_kernel_fault() helper
> >     -Split one long line of code into two
> 
> Please also make no_context() use the new helper. Other than that:
> 

OK, I'll make no_context() use the new helper in v3.
Thanks for your review.

> Reviewed-by: Pekka Enberg <penberg@kernel.org>

