mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-02-25 22:27:21 +07:00
6ae5eaee1e
commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream. The <asm/uaccess.h> header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com> |
||
|---|---|---|
| .. | ||
| vdso | ||
| asm-offsets.h | ||
| asm-prototypes.h | ||
| asm.h | ||
| atomic.h | ||
| barrier.h | ||
| bitops.h | ||
| bug.h | ||
| cache.h | ||
| cacheflush.h | ||
| cacheinfo.h | ||
| clint.h | ||
| clocksource.h | ||
| cmpxchg.h | ||
| cpu_ops.h | ||
| csr.h | ||
| current.h | ||
| delay.h | ||
| efi.h | ||
| elf.h | ||
| fence.h | ||
| fixmap.h | ||
| ftrace.h | ||
| futex.h | ||
| gdb_xml.h | ||
| hugetlb.h | ||
| hwcap.h | ||
| image.h | ||
| io.h | ||
| irq_work.h | ||
| irq.h | ||
| irqflags.h | ||
| jump_label.h | ||
| kasan.h | ||
| Kbuild | ||
| kdebug.h | ||
| kgdb.h | ||
| kprobes.h | ||
| linkage.h | ||
| mmio.h | ||
| mmiowb.h | ||
| mmu_context.h | ||
| mmu.h | ||
| module.h | ||
| module.lds.h | ||
| page.h | ||
| parse_asm.h | ||
| patch.h | ||
| pci.h | ||
| perf_event.h | ||
| pgalloc.h | ||
| pgtable-32.h | ||
| pgtable-64.h | ||
| pgtable-bits.h | ||
| pgtable.h | ||
| processor.h | ||
| ptdump.h | ||
| ptrace.h | ||
| sbi.h | ||
| seccomp.h | ||
| sections.h | ||
| set_memory.h | ||
| smp.h | ||
| soc.h | ||
| sparsemem.h | ||
| spinlock_types.h | ||
| spinlock.h | ||
| stackprotector.h | ||
| string.h | ||
| switch_to.h | ||
| syscall.h | ||
| thread_info.h | ||
| timex.h | ||
| tlb.h | ||
| tlbflush.h | ||
| uaccess.h | ||
| unistd.h | ||
| vdso.h | ||
| vermagic.h | ||
| vmalloc.h | ||
| word-at-a-time.h | ||