| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jul 2019 10:22:53 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
LKML <linux-kernel@...r.kernel.org>,
Nathan Chancellor <natechancellor@...il.com>,
clang-built-linux <clang-built-linux@...glegroups.com>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
Sedat Dilek <sedat.dilek@...il.com>,
Peter Zijlstra <peterz@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: x86 - clang / objtool status
On Tue, Jul 23, 2019 at 7:43 PM Josh Poimboeuf <jpoimboe@...hat.com> wrote:
>
> On Thu, Jul 18, 2019 at 10:40:09PM +0200, Thomas Gleixner wrote:
>
> > drivers/gpu/drm/i915/gem/i915_gem_execbuffer.o: warning: objtool: .altinstr_replacement+0x86: redundant UACCESS disable
>
> Looking at this one, I think I agree with objtool.
>
> PeterZ, Linus, I know y'all discussed this code a few months ago.
>
> __copy_from_user() already does a CLAC in its error path. So isn't the
> user_access_end() redundant for the __copy_from_user() error path?
>
> Untested fix:
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> index 5fae0e50aad0..41dab9ea33cd 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
> @@ -1628,6 +1628,7 @@ static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
>
> static int eb_copy_relocations(const struct i915_execbuffer *eb)
> {
> + struct drm_i915_gem_relocation_entry *relocs;
> const unsigned int count = eb->buffer_count;
> unsigned int i;
> int err;
> @@ -1635,7 +1636,6 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
> for (i = 0; i < count; i++) {
> const unsigned int nreloc = eb->exec[i].relocation_count;
> struct drm_i915_gem_relocation_entry __user *urelocs;
> - struct drm_i915_gem_relocation_entry *relocs;
> unsigned long size;
> unsigned long copied;
>
> @@ -1663,14 +1663,8 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
>
> if (__copy_from_user((char *)relocs + copied,
> (char __user *)urelocs + copied,
> - len)) {
> -end_user:
> - user_access_end();
> -end:
> - kvfree(relocs);
> - err = -EFAULT;
> - goto err;
> - }
> + len))
> + goto end;
>
> copied += len;
> } while (copied < size);
> @@ -1699,10 +1693,14 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
>
> return 0;
>
> +end_user:
> + user_access_end();
> +end:
> + kvfree(relocs);
> + err = -EFAULT;
> err:
> while (i--) {
> - struct drm_i915_gem_relocation_entry *relocs =
> - u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
> + relocs = u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
> if (eb->exec[i].relocation_count)
> kvfree(relocs);
> }
Thanks for this patch.
Tested-by: Nick Desaulniers <ndesaulniers@...gle.com>
Reported-by: Sedat Dilek <sedat.dilek@...il.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/617
Fixes: 2889caa92321 ("drm/i915: Eliminate lots of iterations over the
execobjects array")
--
Thanks,
~Nick Desaulniers
Powered by blists - more mailing lists