--- /dev/null
+From 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 Mon Sep 17 00:00:00 2001
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+Date: Mon, 29 Mar 2021 10:57:49 +0100
+Subject: riscv: evaluate put_user() arg before enabling user access
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream.
+
+The <asm/uaccess.h> header has a problem with put_user(a, ptr) if
+the 'a' is not a simple variable, such as a function. This can lead
+to the compiler producing code as so:
+
+1: enable_user_access()
+2: evaluate 'a' into register 'r'
+3: put 'r' to 'ptr'
+4: disable_user_acess()
+
+The issue is that 'a' is now being evaluated with the user memory
+protections disabled. So we try and force the evaulation by assigning
+'x' to __val at the start, and hoping the compiler barriers in
+ enable_user_access() do the job of ordering step 2 before step 1.
+
+This has shown up in a bug where 'a' sleeps and thus schedules out
+and loses the SR_SUM flag. This isn't sufficient to fully fix, but
+should reduce the window of opportunity. The first instance of this
+we found is in scheudle_tail() where the code does:
+
+$ less -N kernel/sched/core.c
+
+4263 if (current->set_child_tid)
+4264 put_user(task_pid_vnr(current), current->set_child_tid);
+
+Here, the task_pid_vnr(current) is called within the block that has
+enabled the user memory access. This can be made worse with KASAN
+which makes task_pid_vnr() a rather large call with plenty of
+opportunity to sleep.
+
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
+Suggested-by: Arnd Bergman <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+--
+Changes since v1:
+- fixed formatting and updated the patch description with more info
+
+Changes since v2:
+- fixed commenting on __put_user() (schwab@linux-m68k.org)
+
+Change since v3:
+- fixed RFC in patch title. Should be ready to merge.
+
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ arch/riscv/include/asm/uaccess.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/uaccess.h
++++ b/arch/riscv/include/asm/uaccess.h
+@@ -306,7 +306,9 @@ do { \
+ * data types like structures or arrays.
+ *
+ * @ptr must have pointer-to-simple-variable type, and @x must be assignable
+- * to the result of dereferencing @ptr.
++ * to the result of dereferencing @ptr. The value of @x is copied to avoid
++ * re-ordering where @x is evaluated inside the block that enables user-space
++ * access (thus bypassing user space protection if @x is a function).
+ *
+ * Caller must check the pointer with access_ok() before calling this
+ * function.
+@@ -316,12 +318,13 @@ do { \
+ #define __put_user(x, ptr) \
+ ({ \
+ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
++ __typeof__(*__gu_ptr) __val = (x); \
+ long __pu_err = 0; \
+ \
+ __chk_user_ptr(__gu_ptr); \
+ \
+ __enable_user_access(); \
+- __put_user_nocheck(x, __gu_ptr, __pu_err); \
++ __put_user_nocheck(__val, __gu_ptr, __pu_err); \
+ __disable_user_access(); \
+ \
+ __pu_err; \
projects / thirdparty / kernel / stable-queue.git / commitdiff
