From: Greg Kroah-Hartman Date: Mon, 5 Apr 2021 08:27:33 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.4.265~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2fa29faae52feee1374cd587c0cc9d3310eeb532;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: riscv-evaluate-put_user-arg-before-enabling-user-access.patch --- diff --git a/queue-5.10/riscv-evaluate-put_user-arg-before-enabling-user-access.patch b/queue-5.10/riscv-evaluate-put_user-arg-before-enabling-user-access.patch new file mode 100644 index 00000000000..aea74bd4eff --- /dev/null +++ b/queue-5.10/riscv-evaluate-put_user-arg-before-enabling-user-access.patch @@ -0,0 +1,86 @@ +From 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Mon, 29 Mar 2021 10:57:49 +0100 +Subject: riscv: evaluate put_user() arg before enabling user access + +From: Ben Dooks + +commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream. + +The header has a problem with put_user(a, ptr) if +the 'a' is not a simple variable, such as a function. This can lead +to the compiler producing code as so: + +1: enable_user_access() +2: evaluate 'a' into register 'r' +3: put 'r' to 'ptr' +4: disable_user_acess() + +The issue is that 'a' is now being evaluated with the user memory +protections disabled. So we try and force the evaulation by assigning +'x' to __val at the start, and hoping the compiler barriers in + enable_user_access() do the job of ordering step 2 before step 1. + +This has shown up in a bug where 'a' sleeps and thus schedules out +and loses the SR_SUM flag. This isn't sufficient to fully fix, but +should reduce the window of opportunity. The first instance of this +we found is in scheudle_tail() where the code does: + +$ less -N kernel/sched/core.c + +4263 if (current->set_child_tid) +4264 put_user(task_pid_vnr(current), current->set_child_tid); + +Here, the task_pid_vnr(current) is called within the block that has +enabled the user memory access. This can be made worse with KASAN +which makes task_pid_vnr() a rather large call with plenty of +opportunity to sleep. + +Signed-off-by: Ben Dooks +Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com +Suggested-by: Arnd Bergman +Signed-off-by: Greg Kroah-Hartman + +-- +Changes since v1: +- fixed formatting and updated the patch description with more info + +Changes since v2: +- fixed commenting on __put_user() (schwab@linux-m68k.org) + +Change since v3: +- fixed RFC in patch title. Should be ready to merge. + +Signed-off-by: Palmer Dabbelt +--- + arch/riscv/include/asm/uaccess.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/uaccess.h ++++ b/arch/riscv/include/asm/uaccess.h +@@ -306,7 +306,9 @@ do { \ + * data types like structures or arrays. + * + * @ptr must have pointer-to-simple-variable type, and @x must be assignable +- * to the result of dereferencing @ptr. ++ * to the result of dereferencing @ptr. The value of @x is copied to avoid ++ * re-ordering where @x is evaluated inside the block that enables user-space ++ * access (thus bypassing user space protection if @x is a function). + * + * Caller must check the pointer with access_ok() before calling this + * function. +@@ -316,12 +318,13 @@ do { \ + #define __put_user(x, ptr) \ + ({ \ + __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ ++ __typeof__(*__gu_ptr) __val = (x); \ + long __pu_err = 0; \ + \ + __chk_user_ptr(__gu_ptr); \ + \ + __enable_user_access(); \ +- __put_user_nocheck(x, __gu_ptr, __pu_err); \ ++ __put_user_nocheck(__val, __gu_ptr, __pu_err); \ + __disable_user_access(); \ + \ + __pu_err; \ diff --git a/queue-5.10/series b/queue-5.10/series index 9784cb0bf32..d594ba39ada 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -121,3 +121,4 @@ staging-rtl8192e-fix-incorrect-source-in-memcpy.patch staging-rtl8192e-change-state-information-from-u16-to-u8.patch driver-core-clear-deferred-probe-reason-on-probe-retry.patch drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch +riscv-evaluate-put_user-arg-before-enabling-user-access.patch