Commit Graph

25 Commits

Author SHA1 Message Date
Helge Deller
186ecf14e5 parisc: Avoid compiler warnings with access_ok()
Commit 09b871ffd4 (parisc: Define access_ok() as macro) missed to mark uaddr
as used, which then gives compiler warnings about unused variables.

Fix it by comparing uaddr to uaddr which then gets optimized away by the
compiler.

Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: 09b871ffd4 ("parisc: Define access_ok() as macro")
2017-03-15 21:51:17 +01:00
Helge Deller
09b871ffd4 parisc: Define access_ok() as macro
Define access_ok() as macro instead of static function. This fixes build
warnings in code where the second parameter is given as unsigned long.

Signed-off-by: Helge Deller <deller@gmx.de>
2017-02-25 22:22:54 +01:00
Helge Deller
9e91db6b4a parisc: Add hardened usercopy feature
Add hardened usercopy checks to parisc architecture and clean up
indenting.

Signed-off-by: Helge Deller <deller@gmx.de>
2016-10-06 22:10:19 +02:00
Linus Torvalds
77e5bdf9f7 Merge branch 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull uaccess fixes from Al Viro:
 "Fixes for broken uaccess primitives - mostly lack of proper zeroing
  in copy_from_user()/get_user()/__get_user(), but for several
  architectures there's more (broken clear_user() on frv and
  strncpy_from_user() on hexagon)"

* 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (28 commits)
  avr32: fix copy_from_user()
  microblaze: fix __get_user()
  microblaze: fix copy_from_user()
  m32r: fix __get_user()
  blackfin: fix copy_from_user()
  sparc32: fix copy_from_user()
  sh: fix copy_from_user()
  sh64: failing __get_user() should zero
  score: fix copy_from_user() and friends
  score: fix __get_user/get_user
  s390: get_user() should zero on failure
  ppc32: fix copy_from_user()
  parisc: fix copy_from_user()
  openrisc: fix copy_from_user()
  nios2: fix __get_user()
  nios2: copy_from_user() should zero the tail of destination
  mn10300: copy_from_user() should zero on access_ok() failure...
  mn10300: failing __get_user() and get_user() should zero
  mips: copy_from_user() must zero the destination on access_ok() failure
  ARC: uaccess: get_user to zero out dest in cause of fault
  ...
2016-09-14 09:35:05 -07:00
Al Viro
aace880fee parisc: fix copy_from_user()
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-13 17:49:44 -04:00
Josh Poimboeuf
0d025d271e mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:

1) "copy_from_user() buffer size is too small" compile warning/error

   This is a static warning which happens when object size and copy size
   are both const, and copy size > object size.  I didn't see any false
   positives for this one.  So the function warning attribute seems to
   be working fine here.

   Note this scenario is always a bug and so I think it should be
   changed to *always* be an error, regardless of
   CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.

2) "copy_from_user() buffer size is not provably correct" compile warning

   This is another static warning which happens when I enable
   __compiletime_object_size() for new compilers (and
   CONFIG_DEBUG_STRICT_USER_COPY_CHECKS).  It happens when object size
   is const, but copy size is *not*.  In this case there's no way to
   compare the two at build time, so it gives the warning.  (Note the
   warning is a byproduct of the fact that gcc has no way of knowing
   whether the overflow function will be called, so the call isn't dead
   code and the warning attribute is activated.)

   So this warning seems to only indicate "this is an unusual pattern,
   maybe you should check it out" rather than "this is a bug".

   I get 102(!) of these warnings with allyesconfig and the
   __compiletime_object_size() gcc check removed.  I don't know if there
   are any real bugs hiding in there, but from looking at a small
   sample, I didn't see any.  According to Kees, it does sometimes find
   real bugs.  But the false positive rate seems high.

3) "Buffer overflow detected" runtime warning

   This is a runtime warning where object size is const, and copy size >
   object size.

All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:

  2fb0815c9e ("gcc4: disable __compiletime_object_size for GCC 4.6+")

That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size().  But in fact,
__compiletime_object_size() seems to be working fine.  The false
positives were instead triggered by #2 above.  (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)

So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.

Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.

Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 10:10:21 -07:00
Helge Deller
d2ad824f4b parisc: Add 64bit get_user() and put_user() for 32bit kernel
Allow accessing 64-bit values in userspace from a 32-bit kernel.
The access is not atomic.

Signed-off-by: Helge Deller <deller@gmx.de>
2016-05-22 21:39:04 +02:00
Helge Deller
06bff6b9d7 parisc: Simplify and speed up get_user() and put_user()
This patch simplifies the code for get_user() and put_user() a lot.

Instead of accessing kernel memory (%sr0) and userspace memory (%sr3)
hard-coded in the assembler instruction, we now preload %sr2 with either
%sr0 (for accessing KERNEL_DS) or with sr3 (to access USER_DS) and
use %sr2 in the load directly.

The generated code avoids a branch and speeds up execution by generating
less assembler instructions.

Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
2016-05-22 21:38:56 +02:00
Helge Deller
cb910c1714 parisc: Update comment regarding relative extable support
Update the comment to reflect the changes of commit 0de7985 (parisc: Use
generic extable search and sort routines).

Signed-off-by: Helge Deller <deller@gmx.de>
2016-04-08 22:14:26 +02:00
Helge Deller
2ef4dfd9d9 parisc: Unbreak handling exceptions from kernel modules
Handling exceptions from modules never worked on parisc.
It was just masked by the fact that exceptions from modules
don't happen during normal use.

When a module triggers an exception in get_user() we need to load the
main kernel dp value before accessing the exception_data structure, and
afterwards restore the original dp value of the module on exit.

Noticed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
2016-04-08 22:14:14 +02:00
Helge Deller
0de798584b parisc: Use generic extable search and sort routines
Switch to the generic extable search and sort routines which were introduced
with commit a272858 from Ard Biesheuvel. This saves quite some memory in the
vmlinux binary with the 64bit kernel.

Signed-off-by: Helge Deller <deller@gmx.de>
2016-03-23 16:00:46 +01:00
Michael S. Tsirkin
b9762e7b77 parisc: macro whitespace fixes
While working on arch/parisc/include/asm/uaccess.h, I noticed that some
macros within this header are made harder to read because they violate a
coding style rule: space is missing after comma.

Fix it up.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Helge Deller <deller@gmx.de>
2015-02-17 10:39:14 +01:00
Michael S. Tsirkin
876b2a0083 parisc/uaccess: fix sparse errors
virtio wants to read bitwise types from userspace using get_user.  At the
moment this triggers sparse errors, since the value is passed through an
integer.

Fix that up using __force.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
2015-02-16 22:41:27 +01:00
Helge Deller
8dd95c68f3 parisc: Use BUILD_BUG() instead of undefined functions
Signed-off-by: Helge Deller <deller@gmx.de>
2014-11-10 22:22:42 +01:00
Helge Deller
a0ffa8f06f Revert "parisc: implement full version of access_ok()"
This reverts commit 63379c1353.

It broke userspace and adding more checking is not needed.
Even checking if a syscall would access memory in page zero doesn't
makes sense since it may lead to some syscalls returning -EFAULT
where we would return other error codes on other platforms.
In summary, just drop this change and return to always return 1.

Signed-off-by: Helge Deller <deller@gmx.de>
2013-11-19 23:31:35 +01:00
Helge Deller
63379c1353 parisc: implement full version of access_ok()
Up to now PA-RISC could live with a trivial version of access_ok().
Our fault handlers can correctly handle fault cases.

But testcases showed that we need a better access check else we won't
always return correct errno failure codes to userspace.

Problem showed up during 32bit userspace tests in which writev() used a
32bit memory area and length which would then wrap around on 64bit
kernel.

Signed-off-by: Helge Deller <deller@gmx.de>
2013-11-07 22:29:14 +01:00
Helge Deller
61dbbaeb86 parisc: provide macro to create exception table entries
Provide a macro ASM_EXCEPTIONTABLE_ENTRY() to create exception table
entries and convert all open-coded places to use that macro.

This patch is a first step toward creating a exception table which only
holds 32bit pointers even on a 64bit kernel. That way in my own kernel
I was able to reduce the in-kernel exception table from 44kB to 22kB.

Signed-off-by: Helge Deller <deller@gmx.de>
2013-11-07 22:25:33 +01:00
Will Deacon
0f28b62890 parisc: uaccess: fix compiler warnings caused by __put_user casting
When targetting 32-bit processors, __put_user emits a pair of stw
instructions for the 8-byte case. If the type of __val is a pointer, the
marshalling code casts it to the wider integer type of u64, resulting
in the following compiler warnings:

  kernel/signal.c: In function 'copy_siginfo_to_user':
  kernel/signal.c:2752:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
  kernel/signal.c:2752:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
  [...]

This patch fixes the warnings by removing the marshalling code and using
the correct output modifiers in the __put_{user,kernel}_asm64 macros
so that GCC will allocate the right registers without the need to
extract the two words explicitly.

Cc: Helge Deller <deller@gmx.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Helge Deller <deller@gmx.de>
2013-04-25 22:36:42 +02:00
James Bottomley
b1195c0e3e [PARISC] update parisc to use generic strncpy_from_user()
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2012-05-31 11:14:37 +01:00
David Howells
527dcdccd6 Disintegrate asm/system.h for PA-RISC
Disintegrate asm/system.h for PA-RISC.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-parisc@vger.kernel.org
2012-03-28 18:30:02 +01:00
Helge Deller
888c31fc83 parisc: add strict copy size checks (v2)
Add CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, copied from the x86
implementation. Tested with 32 and 64bit kernel.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
2010-03-06 22:54:09 +00:00
Arnd Bergmann
5b17e1cd89 asm-generic: rename page.h and uaccess.h
The current asm-generic/page.h only contains the get_order
function, and asm-generic/uaccess.h only implements
unaligned accesses. This renames the file to getorder.h
and uaccess-unaligned.h to make room for new page.h
and uaccess.h file that will be usable by all simple
(e.g. nommu) architectures.

Signed-off-by: Remis Lima Baima <remis.developer@googlemail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2009-06-11 21:02:17 +02:00
Helge Deller
e448372c79 parisc: fix `struct pt_regs' declared inside parameter list warning
Fix those compile warnings:
uaccess.h:244: warning: `struct pt_regs' declared inside parameter list
uaccess.h:244: warning: its scope is only this definition or declaration, which is probably not what you want

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
2009-03-13 01:17:37 -04:00
Kyle McMartin
c61c25eb02 parisc: fix kernel crash (protection id trap) when compiling ruby1.9
On Wed, Dec 17, 2008 at 11:46:05PM +0100, Helge Deller wrote:
>

Honestly, I can't decide whether to apply this. It really should never
happen in the kernel, since the kernel can guarantee it won't get the
access rights failure (highest privilege level, and can set %sr and
%protid to whatever it wants.)

It really genuinely is a bug that probably should panic the kernel. The
only precedent I can easily see is x86 fixing up a bad iret with a
general protection fault, which is more or less analogous to code 27
here.

On the other hand, taking the exception on a userspace access really
isn't all that critical, and there's fundamentally little reason for the
kernel not to SIGSEGV the process, and continue...

Argh.

(btw, I've instrumented my do_sys_poll with a pile of assertions that
 %cr8 << 1 == %sr3 == current->mm.context... let's see if where we're
 getting corrupted is deterministic, though, I would guess that it won't
 be.)

Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
2009-01-05 19:16:46 +00:00
Kyle McMartin
deae26bf6a parisc: move include/asm-parisc to arch/parisc/include/asm 2008-10-10 16:32:29 +00:00