]>
Commit | Line | Data |
---|---|---|
2cb7cef9 BS |
1 | From: Gerald Schaefer <geraldsc@de.ibm.com> |
2 | Subject: kernel: Fix user copy functions (pagetable walk) with KERNEL_DS. | |
3 | References: bnc#466462 | |
4 | ||
5 | Symptom: Kernel OOPS / system hang on user program core dump on pre z9 | |
6 | hardware. | |
7 | Problem: Passing incorrect addresses to user copy functions is not handled | |
8 | correctly when address spaces are switched and KERNEL_DS is set. | |
9 | Solution: Verify addresses by handling KERNEL_DS case in the same way as | |
10 | USER_DS (pagetable walk). Also disable switch_amode by default | |
11 | because pagetable walk has negative performance impact. | |
12 | ||
13 | Acked-by: John Jolly <jjolly@suse.de> | |
14 | --- | |
15 | arch/s390/kernel/setup.c | 4 ---- | |
16 | arch/s390/lib/uaccess_pt.c | 32 +++++++------------------------- | |
17 | arch/s390/mm/pgtable.c | 4 ++++ | |
18 | 3 files changed, 11 insertions(+), 29 deletions(-) | |
19 | ||
20 | Index: linux-sles11/arch/s390/kernel/setup.c | |
21 | =================================================================== | |
22 | --- linux-sles11.orig/arch/s390/kernel/setup.c | |
23 | +++ linux-sles11/arch/s390/kernel/setup.c | |
24 | @@ -285,11 +285,7 @@ static int __init early_parse_mem(char * | |
25 | early_param("mem", early_parse_mem); | |
26 | ||
27 | #ifdef CONFIG_S390_SWITCH_AMODE | |
28 | -#ifdef CONFIG_PGSTE | |
29 | -unsigned int switch_amode = 1; | |
30 | -#else | |
31 | unsigned int switch_amode = 0; | |
32 | -#endif | |
33 | EXPORT_SYMBOL_GPL(switch_amode); | |
34 | ||
35 | static int set_amode_and_uaccess(unsigned long user_amode, | |
36 | Index: linux-sles11/arch/s390/mm/pgtable.c | |
37 | =================================================================== | |
38 | --- linux-sles11.orig/arch/s390/mm/pgtable.c | |
39 | +++ linux-sles11/arch/s390/mm/pgtable.c | |
40 | @@ -256,6 +256,10 @@ int s390_enable_sie(void) | |
41 | struct task_struct *tsk = current; | |
42 | struct mm_struct *mm, *old_mm; | |
43 | ||
44 | + /* Do we have switched amode? If no, we cannot do sie */ | |
45 | + if (!switch_amode) | |
46 | + return -EINVAL; | |
47 | + | |
48 | /* Do we have pgstes? if yes, we are done */ | |
49 | if (tsk->mm->context.pgstes) | |
50 | return 0; | |
51 | Index: linux-sles11/arch/s390/lib/uaccess_pt.c | |
52 | =================================================================== | |
53 | --- linux-sles11.orig/arch/s390/lib/uaccess_pt.c | |
54 | +++ linux-sles11/arch/s390/lib/uaccess_pt.c | |
55 | @@ -43,8 +43,9 @@ static int __handle_fault(struct mm_stru | |
56 | int ret = -EFAULT; | |
57 | int fault; | |
58 | ||
59 | - if (in_atomic()) | |
60 | + if (in_atomic() || segment_eq(get_fs(), KERNEL_DS)) | |
61 | return ret; | |
62 | + | |
63 | down_read(&mm->mmap_sem); | |
64 | vma = find_vma(mm, address); | |
65 | if (unlikely(!vma)) | |
66 | @@ -109,6 +110,8 @@ static size_t __user_copy_pt(unsigned lo | |
67 | pte_t *pte; | |
68 | void *from, *to; | |
69 | ||
70 | + if (segment_eq(get_fs(), KERNEL_DS)) | |
71 | + mm = &init_mm; | |
72 | done = 0; | |
73 | retry: | |
74 | spin_lock(&mm->page_table_lock); | |
75 | @@ -182,10 +185,6 @@ size_t copy_from_user_pt(size_t n, const | |
76 | { | |
77 | size_t rc; | |
78 | ||
79 | - if (segment_eq(get_fs(), KERNEL_DS)) { | |
80 | - memcpy(to, (void __kernel __force *) from, n); | |
81 | - return 0; | |
82 | - } | |
83 | rc = __user_copy_pt((unsigned long) from, to, n, 0); | |
84 | if (unlikely(rc)) | |
85 | memset(to + n - rc, 0, rc); | |
86 | @@ -194,10 +193,6 @@ size_t copy_from_user_pt(size_t n, const | |
87 | ||
88 | size_t copy_to_user_pt(size_t n, void __user *to, const void *from) | |
89 | { | |
90 | - if (segment_eq(get_fs(), KERNEL_DS)) { | |
91 | - memcpy((void __kernel __force *) to, from, n); | |
92 | - return 0; | |
93 | - } | |
94 | return __user_copy_pt((unsigned long) to, (void *) from, n, 1); | |
95 | } | |
96 | ||
97 | @@ -205,10 +200,6 @@ static size_t clear_user_pt(size_t n, vo | |
98 | { | |
99 | long done, size, ret; | |
100 | ||
101 | - if (segment_eq(get_fs(), KERNEL_DS)) { | |
102 | - memset((void __kernel __force *) to, 0, n); | |
103 | - return 0; | |
104 | - } | |
105 | done = 0; | |
106 | do { | |
107 | if (n - done > PAGE_SIZE) | |
108 | @@ -234,7 +225,7 @@ static size_t strnlen_user_pt(size_t cou | |
109 | size_t len_str; | |
110 | ||
111 | if (segment_eq(get_fs(), KERNEL_DS)) | |
112 | - return strnlen((const char __kernel __force *) src, count) + 1; | |
113 | + mm = &init_mm; | |
114 | done = 0; | |
115 | retry: | |
116 | spin_lock(&mm->page_table_lock); | |
117 | @@ -276,13 +267,6 @@ static size_t strncpy_from_user_pt(size_ | |
118 | return -EFAULT; | |
119 | if (n > count) | |
120 | n = count; | |
121 | - if (segment_eq(get_fs(), KERNEL_DS)) { | |
122 | - memcpy(dst, (const char __kernel __force *) src, n); | |
123 | - if (dst[n-1] == '\0') | |
124 | - return n-1; | |
125 | - else | |
126 | - return n; | |
127 | - } | |
128 | if (__user_copy_pt((unsigned long) src, dst, n, 0)) | |
129 | return -EFAULT; | |
130 | if (dst[n-1] == '\0') | |
131 | @@ -302,10 +286,8 @@ static size_t copy_in_user_pt(size_t n, | |
132 | pte_t *pte_from, *pte_to; | |
133 | int write_user; | |
134 | ||
135 | - if (segment_eq(get_fs(), KERNEL_DS)) { | |
136 | - memcpy((void __force *) to, (void __force *) from, n); | |
137 | - return 0; | |
138 | - } | |
139 | + if (segment_eq(get_fs(), KERNEL_DS)) | |
140 | + mm = &init_mm; | |
141 | done = 0; | |
142 | retry: | |
143 | spin_lock(&mm->page_table_lock); |