[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tip-a15781b536293edc32bf374233f3b8ad77c3f72b@git.kernel.org>
Date: Tue, 20 Nov 2018 00:15:42 -0800
From: tip-bot for Andy Lutomirski <tipbot@...or.com>
To: linux-tip-commits@...r.kernel.org
Cc: tglx@...utronix.de, luto@...capital.net, bp@...en8.de,
torvalds@...ux-foundation.org, dvlasenk@...hat.com,
riel@...riel.com, linux-kernel@...r.kernel.org, mingo@...nel.org,
brgerst@...il.com, luto@...nel.org, peterz@...radead.org,
dave.hansen@...ux.intel.com, hpa@...or.com, yu-cheng.yu@...el.com
Subject: [tip:x86/mm] x86/fault: Fold smap_violation() into
do_user_addr_fault()
Commit-ID: a15781b536293edc32bf374233f3b8ad77c3f72b
Gitweb: https://git.kernel.org/tip/a15781b536293edc32bf374233f3b8ad77c3f72b
Author: Andy Lutomirski <luto@...nel.org>
AuthorDate: Mon, 19 Nov 2018 14:45:28 -0800
Committer: Ingo Molnar <mingo@...nel.org>
CommitDate: Tue, 20 Nov 2018 08:44:28 +0100
x86/fault: Fold smap_violation() into do_user_addr_fault()
smap_violation() has a single caller, and the contents are a bit
nonsensical. I'm going to fix it, but first let's fold it into its
caller for ease of comprehension.
In this particular case, the user_mode(regs) check is incorrect --
it will cause false positives in the case of a user-initiated
kernel-privileged access.
Signed-off-by: Andy Lutomirski <luto@...nel.org>
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Brian Gerst <brgerst@...il.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Denys Vlasenko <dvlasenk@...hat.com>
Cc: H. Peter Anvin <hpa@...or.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Rik van Riel <riel@...riel.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Yu-cheng Yu <yu-cheng.yu@...el.com>
Link: http://lkml.kernel.org/r/806c366f6ca861152398ce2c01744d59d9aceb6d.1542667307.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@...nel.org>
---
arch/x86/mm/fault.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 39e39cd42097..9d092ab74f18 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1148,20 +1148,6 @@ static int fault_in_kernel_space(unsigned long address)
return address >= TASK_SIZE_MAX;
}
-static inline bool smap_violation(int error_code, struct pt_regs *regs)
-{
- if (!cpu_feature_enabled(X86_FEATURE_SMAP))
- return false;
-
- if (error_code & X86_PF_USER)
- return false;
-
- if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC))
- return false;
-
- return true;
-}
-
/*
* Called for all faults where 'address' is part of the kernel address
* space. Might get called for faults that originate from *code* that
@@ -1249,10 +1235,13 @@ void do_user_addr_fault(struct pt_regs *regs,
pgtable_bad(regs, hw_error_code, address);
/*
- * Check for invalid kernel (supervisor) access to user
- * pages in the user address space.
+ * If SMAP is on, check for invalid kernel (supervisor)
+ * access to user pages in the user address space.
*/
- if (unlikely(smap_violation(hw_error_code, regs))) {
+ if (unlikely(cpu_feature_enabled(X86_FEATURE_SMAP) &&
+ !(hw_error_code & X86_PF_USER) &&
+ (user_mode(regs) || !(regs->flags & X86_EFLAGS_AC))))
+ {
bad_area_nosemaphore(regs, hw_error_code, address);
return;
}
Powered by blists - more mailing lists