lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191006222046.GA18027@roeck-us.net>
Date:   Sun, 6 Oct 2019 15:20:46 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Alexander Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to
 unsafe_put_user()

On Sat, May 21, 2016 at 09:59:07PM -0700, Linus Torvalds wrote:
> We really should avoid the "__{get,put}_user()" functions entirely,
> because they can easily be mis-used and the original intent of being
> used for simple direct user accesses no longer holds in a post-SMAP/PAN
> world.
> 
> Manually optimizing away the user access range check makes no sense any
> more, when the range check is generally much cheaper than the "enable
> user accesses" code that the __{get,put}_user() functions still need.
> 
> So instead of __put_user(), use the unsafe_put_user() interface with
> user_access_{begin,end}() that really does generate better code these
> days, and which is generally a nicer interface.  Under some loads, the
> multiple user writes that filldir() does are actually quite noticeable.
> 
> This also makes the dirent name copy use unsafe_put_user() with a couple
> of macros.  We do not want to make function calls with SMAP/PAN
> disabled, and the code this generates is quite good when the
> architecture uses "asm goto" for unsafe_put_user() like x86 does.
> 
> Note that this doesn't bother with the legacy cases.  Nobody should use
> them anyway, so performance doesn't really matter there.
> 
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

Linus,

this patch causes all my sparc64 emulations to stall during boot. It causes
all alpha emulations to crash with [1a] and [1b] when booting from a virtual
disk, and one of the xtensa emulations to crash with [2].

Reverting this patch fixes the problem.

Guenter

---
[1a]

Unable to handle kernel paging request at virtual address 0000000000000004
rcS(47): Oops -1
pc = [<0000000000000004>]  ra = [<fffffc00004512e4>]  ps = 0000    Not tainted
pc is at 0x4
ra is at filldir64+0x64/0x320
v0 = 0000000000000000  t0 = 0000000000000000  t1 = 0000000120117e8b
t2 = 646e617275303253  t3 = 646e617275300000  t4 = 0000000000007fe8
t5 = 0000000120117e78  t6 = 0000000000000000  t7 = fffffc0007ec8000
s0 = fffffc0007dbca56  s1 = 000000000000000a  s2 = 0000000000000020
s3 = fffffc0007ecbec8  s4 = 0000000000000008  s5 = 0000000000000021
s6 = 1cd2631fe897bf5a
a0 = fffffc0007dbca56  a1 = 2f2f2f2f2f2f2f2f  a2 = 000000000000000a
a3 = 1cd2631fe897bf5a  a4 = 0000000000000021  a5 = 0000000000000008
t8 = 0000000000000020  t9 = 0000000000000000  t10= fffffc0007dbca60
t11= 0000000000000001  pv = fffffc0000b9a810  at = 0000000000000001
gp = fffffc0000f03930  sp = (____ptrval____)
Disabling lock debugging due to kernel taint
Trace:
[<fffffc00004e7a08>] call_filldir+0xe8/0x1b0
[<fffffc00004e8684>] ext4_readdir+0x924/0xa70
[<fffffc0000ba3088>] _raw_spin_unlock+0x18/0x30
[<fffffc00003f751c>] __handle_mm_fault+0x9fc/0xc30
[<fffffc0000450c68>] iterate_dir+0x198/0x240
[<fffffc0000450b2c>] iterate_dir+0x5c/0x240
[<fffffc00004518b8>] ksys_getdents64+0xa8/0x160
[<fffffc0000451990>] sys_getdents64+0x20/0x40
[<fffffc0000451280>] filldir64+0x0/0x320
[<fffffc0000311634>] entSys+0xa4/0xc0

---
[1b]

Unable to handle kernel paging request at virtual address 0000000000000004
reboot(50): Oops -1
pc = [<0000000000000004>]  ra = [<fffffc00004512e4>]  ps = 0000    Tainted: G      D
pc is at 0x4
ra is at filldir64+0x64/0x320
v0 = 0000000000000000  t0 = 0000000067736d6b  t1 = 000000012011445b
t2 = 0000000000000000  t3 = 0000000000000000  t4 = 0000000000007ef8
t5 = 0000000120114448  t6 = 0000000000000000  t7 = fffffc0007eec000
s0 = fffffc000792b5c3  s1 = 0000000000000004  s2 = 0000000000000018
s3 = fffffc0007eefec8  s4 = 0000000000000008  s5 = 00000000f00000a3
s6 = 000000000000000b
a0 = fffffc000792b5c3  a1 = 2f2f2f2f2f2f2f2f  a2 = 0000000000000004
a3 = 000000000000000b  a4 = 00000000f00000a3  a5 = 0000000000000008
t8 = 0000000000000018  t9 = 0000000000000000  t10= 0000000022e1d02a
t11= 000000011f8fd3b8  pv = fffffc0000b9a810  at = 0000000022e1ccf8
gp = fffffc0000f03930  sp = (____ptrval____)
Trace:
[<fffffc00004ccba0>] proc_readdir_de+0x170/0x300
[<fffffc0000451280>] filldir64+0x0/0x320
[<fffffc00004c565c>] proc_root_readdir+0x3c/0x80
[<fffffc0000450c68>] iterate_dir+0x198/0x240
[<fffffc00004518b8>] ksys_getdents64+0xa8/0x160
[<fffffc0000451990>] sys_getdents64+0x20/0x40
[<fffffc0000451280>] filldir64+0x0/0x320
[<fffffc0000311634>] entSys+0xa4/0xc0

---
[2]

Unable to handle kernel paging request at virtual address 0000000000000004
reboot(50): Oops -1
pc = [<0000000000000004>]  ra = [<fffffc00004512e4>]  ps = 0000    Tainted: G      D
pc is at 0x4
ra is at filldir64+0x64/0x320
v0 = 0000000000000000  t0 = 0000000067736d6b  t1 = 000000012011445b
t2 = 0000000000000000  t3 = 0000000000000000  t4 = 0000000000007ef8
t5 = 0000000120114448  t6 = 0000000000000000  t7 = fffffc0007eec000
s0 = fffffc000792b5c3  s1 = 0000000000000004  s2 = 0000000000000018
s3 = fffffc0007eefec8  s4 = 0000000000000008  s5 = 00000000f00000a3
s6 = 000000000000000b
a0 = fffffc000792b5c3  a1 = 2f2f2f2f2f2f2f2f  a2 = 0000000000000004
a3 = 000000000000000b  a4 = 00000000f00000a3  a5 = 0000000000000008
t8 = 0000000000000018  t9 = 0000000000000000  t10= 0000000022e1d02a
t11= 000000011fd6f3b8  pv = fffffc0000b9a810  at = 0000000022e1ccf8
gp = fffffc0000f03930  sp = (____ptrval____)
Trace:
[<fffffc00004ccba0>] proc_readdir_de+0x170/0x300
[<fffffc0000451280>] filldir64+0x0/0x320
[<fffffc00004c565c>] proc_root_readdir+0x3c/0x80
[<fffffc0000450c68>] iterate_dir+0x198/0x240
[<fffffc00004518b8>] ksys_getdents64+0xa8/0x160
[<fffffc0000451990>] sys_getdents64+0x20/0x40
[<fffffc0000451280>] filldir64+0x0/0x320
[<fffffc0000311634>] entSys+0xa4/0xc0

Code:
 00000000
 00063301
 000007a3
 00001111
 00003f64

Segmentation fault

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ