[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tip-e50928d7213e72ee95507221a89ed07d2bb6517b@git.kernel.org>
Date: Tue, 20 Nov 2018 00:16:17 -0800
From: tip-bot for Andy Lutomirski <tipbot@...or.com>
To: linux-tip-commits@...r.kernel.org
Cc: riel@...riel.com, brgerst@...il.com, peterz@...radead.org,
hpa@...or.com, bp@...en8.de, yu-cheng.yu@...el.com,
linux-kernel@...r.kernel.org, luto@...capital.net,
dave.hansen@...ux.intel.com, dvlasenk@...hat.com,
torvalds@...ux-foundation.org, luto@...nel.org, tglx@...utronix.de,
mingo@...nel.org
Subject: [tip:x86/mm] x86/fault: Fix SMAP #PF handling buglet for implicit
supervisor accesses
Commit-ID: e50928d7213e72ee95507221a89ed07d2bb6517b
Gitweb: https://git.kernel.org/tip/e50928d7213e72ee95507221a89ed07d2bb6517b
Author: Andy Lutomirski <luto@...nel.org>
AuthorDate: Mon, 19 Nov 2018 14:45:29 -0800
Committer: Ingo Molnar <mingo@...nel.org>
CommitDate: Tue, 20 Nov 2018 08:44:29 +0100
x86/fault: Fix SMAP #PF handling buglet for implicit supervisor accesses
Currently, if a user program somehow triggers an implicit supervisor
access to a user address (e.g. if the kernel somehow sets LDTR to a
user address), it will be incorrectly detected as a SMAP violation
if AC is clear and SMAP is enabled. This is incorrect -- the error
has nothing to do with SMAP. Fix the condition so that only
accesses with the hardware USER bit set are diagnosed as SMAP
violations.
With the logic fixed, an implicit supervisor access to a user address
will hit the code lower in the function that is intended to handle it
even if SMAP is enabled. That logic is still a bit buggy, and later
patches will clean it up.
I *think* this code is still correct for WRUSS, and I've added a
comment to that effect.
Signed-off-by: Andy Lutomirski <luto@...nel.org>
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Brian Gerst <brgerst@...il.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Denys Vlasenko <dvlasenk@...hat.com>
Cc: H. Peter Anvin <hpa@...or.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Rik van Riel <riel@...riel.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Yu-cheng Yu <yu-cheng.yu@...el.com>
Link: http://lkml.kernel.org/r/d1d1b2e66ef31f884dba172084486ea9423ddcdb.1542667307.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@...nel.org>
---
arch/x86/mm/fault.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 9d092ab74f18..7a69b66cf071 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1235,12 +1235,15 @@ void do_user_addr_fault(struct pt_regs *regs,
pgtable_bad(regs, hw_error_code, address);
/*
- * If SMAP is on, check for invalid kernel (supervisor)
- * access to user pages in the user address space.
+ * If SMAP is on, check for invalid kernel (supervisor) access to user
+ * pages in the user address space. The odd case here is WRUSS,
+ * which, according to the preliminary documentation, does not respect
+ * SMAP and will have the USER bit set so, in all cases, SMAP
+ * enforcement appears to be consistent with the USER bit.
*/
if (unlikely(cpu_feature_enabled(X86_FEATURE_SMAP) &&
!(hw_error_code & X86_PF_USER) &&
- (user_mode(regs) || !(regs->flags & X86_EFLAGS_AC))))
+ !(regs->flags & X86_EFLAGS_AC)))
{
bad_area_nosemaphore(regs, hw_error_code, address);
return;
Powered by blists - more mailing lists