 
Message-ID: <CAAhV-H7hCggw_zhQk89uvBrpAPxgHCS_BC5+twsyZdwWkF4A1g@mail.gmail.com>
Date: Tue, 2 Sep 2025 19:58:36 +0800
From: Huacai Chen <chenhuacai@...nel.org>
To: Bibo Mao <maobibo@...ngson.cn>
Cc: Xianglai Li <lixianglai@...ngson.cn>, WANG Xuerui <kernel@...0n.name>, kvm@...r.kernel.org, 
	loongarch@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/4] LoongArch: KVM: Avoid use copy_from_user with lock
 hold in kvm_eiointc_regs_access

Hi, Bibo,

On Tue, Sep 2, 2025 at 5:49 PM Bibo Mao <maobibo@...ngson.cn> wrote:
>
> Function copy_from_user() and copy_to_user() may sleep because of page
> fault, and they cannot be called in spin_lock hold context. Otherwise there
> will be possible warning such as:
>
> BUG: sleeping function called from invalid context at include/linux/uaccess.h:192
> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 6292, name: qemu-system-loo
> preempt_count: 1, expected: 0
> RCU nest depth: 0, expected: 0
> INFO: lockdep is turned off.
> irq event stamp: 0
> hardirqs last  enabled at (0): [<0000000000000000>] 0x0
> hardirqs last disabled at (0): [<9000000004c4a554>] copy_process+0x90c/0x1d40
> softirqs last  enabled at (0): [<9000000004c4a554>] copy_process+0x90c/0x1d40
> softirqs last disabled at (0): [<0000000000000000>] 0x0
> CPU: 41 UID: 0 PID: 6292 Comm: qemu-system-loo Tainted: G W 6.17.0-rc3+ #31 PREEMPT(full)
> Tainted: [W]=WARN
> Stack : 0000000000000076 0000000000000000 9000000004c28264 9000100092ff4000
>         9000100092ff7b80 9000100092ff7b88 0000000000000000 9000100092ff7cc8
>         9000100092ff7cc0 9000100092ff7cc0 9000100092ff7a00 0000000000000001
>         0000000000000001 9000100092ff7b88 947d2f9216a5e8b9 900010008773d880
>         00000000ffff8b9f fffffffffffffffe 0000000000000ba1 fffffffffffffffe
>         000000000000003e 900000000825a15b 000010007ad38000 9000100092ff7ec0
>         0000000000000000 0000000000000000 9000000006f3ac60 9000000007252000
>         0000000000000000 00007ff746ff2230 0000000000000053 9000200088a021b0
>         0000555556c9d190 0000000000000000 9000000004c2827c 000055556cfb5f40
>         00000000000000b0 0000000000000007 0000000000000007 0000000000071c1d
> Call Trace:
> [<9000000004c2827c>] show_stack+0x5c/0x180
> [<9000000004c20fac>] dump_stack_lvl+0x94/0xe4
> [<9000000004c99c7c>] __might_resched+0x26c/0x290
> [<9000000004f68968>] __might_fault+0x20/0x88
> [<ffff800002311de0>] kvm_eiointc_regs_access.isra.0+0x88/0x380 [kvm]
> [<ffff8000022f8514>] kvm_device_ioctl+0x194/0x290 [kvm]
> [<900000000506b0d8>] sys_ioctl+0x388/0x1010
> [<90000000063ed210>] do_syscall+0xb0/0x2d8
> [<9000000004c25ef8>] handle_syscall+0xb8/0x158
>
> Fixes: 1ad7efa552fd5 ("LoongArch: KVM: Add EIOINTC user mode read and write functions")
> Signed-off-by: Bibo Mao <maobibo@...ngson.cn>
> ---
>  arch/loongarch/kvm/intc/eiointc.c | 33 ++++++++++++++++++++-----------
>  1 file changed, 21 insertions(+), 12 deletions(-)
>
> diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c
> index 026b139dcff2..2fb5b9c6e8ad 100644
> --- a/arch/loongarch/kvm/intc/eiointc.c
> +++ b/arch/loongarch/kvm/intc/eiointc.c
> @@ -462,19 +462,17 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev,
>
>  static int kvm_eiointc_regs_access(struct kvm_device *dev,
>                                         struct kvm_device_attr *attr,
> -                                       bool is_write)
> +                                       bool is_write, int *data)
>  {
>         int addr, cpu, offset, ret = 0;
>         unsigned long flags;
>         void *p = NULL;
> -       void __user *data;
>         struct loongarch_eiointc *s;
>
>         s = dev->kvm->arch.eiointc;
>         addr = attr->attr;
>         cpu = addr >> 16;
>         addr &= 0xffff;
> -       data = (void __user *)attr->addr;
>         switch (addr) {
>         case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
>                 offset = (addr - EIOINTC_NODETYPE_START) / 4;
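Review bot: The new `int *data` parameter of kvm_eiointc_regs_access is a kernel buffer whose direction depends on `is_write`, but nothing at the signature says so; a reader has to find the memcpy pair further down to learn that a write consumes `*data` and a read fills it. A short comment above the prototype, e.g. `/* @data: kernel buffer; source on write, destination on read */`, would make that contract explicit now that the user pointer from attr->addr is no longer dereferenced here. The function body continues beyond this hunk.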
> @@ -513,13 +511,10 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev,
>         }
>
>         spin_lock_irqsave(&s->lock, flags);
> -       if (is_write) {
> -               if (copy_from_user(p, data, 4))
> -                       ret = -EFAULT;
> -       } else {
> -               if (copy_to_user(data, p, 4))
> -                       ret = -EFAULT;
> -       }
> +       if (is_write)
> +               memcpy(p, data, 4);
> +       else
> +               memcpy(data, p, 4);
p is a local variable, data is a parameter, they both have nothing to
do with s, why memcpy need to be protected?

After some thought I realize the code was wrong from the start.  What
really needs to be protected is not copy_from_user() or memcpy(), but
the switch block above.

Other patches have similar problems.

Huacai

>         spin_unlock_irqrestore(&s->lock, flags);
>
>         return ret;
> @@ -576,9 +571,18 @@ static int kvm_eiointc_sw_status_access(struct kvm_device *dev,
>  static int kvm_eiointc_get_attr(struct kvm_device *dev,
>                                 struct kvm_device_attr *attr)
>  {
> +       int ret, data;
> +
>         switch (attr->group) {
>         case KVM_DEV_LOONGARCH_EXTIOI_GRP_REGS:
> -               return kvm_eiointc_regs_access(dev, attr, false);
> +               ret = kvm_eiointc_regs_access(dev, attr, false, &data);
> +               if (ret)
> +                       return ret;
> +
> +               if (copy_to_user((void __user *)attr->addr, &data, 4))
> +                       ret = -EFAULT;
> +
> +               return ret;
>         case KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS:
>                 return kvm_eiointc_sw_status_access(dev, attr, false);
>         default:
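Review bot: In kvm_eiointc_get_attr the new stack variable `data` is copied to user space on the success path but is never initialized in this function, so the copy relies entirely on kvm_eiointc_regs_access writing `*data` on every path that returns 0, a contract that is not visible in this hunk. Declaring it as `int ret, data = 0;` costs nothing and guarantees that no uninitialized kernel stack bytes can reach user space should a future success path skip the store. Using `sizeof(data)` rather than the literal `4` in the copy_to_user call would also keep the copy size tied to the buffer's declared type.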
> @@ -589,11 +593,16 @@ static int kvm_eiointc_get_attr(struct kvm_device *dev,
>  static int kvm_eiointc_set_attr(struct kvm_device *dev,
>                                 struct kvm_device_attr *attr)
>  {
> +       int data;
> +
>         switch (attr->group) {
>         case KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL:
>                 return kvm_eiointc_ctrl_access(dev, attr);
>         case KVM_DEV_LOONGARCH_EXTIOI_GRP_REGS:
> -               return kvm_eiointc_regs_access(dev, attr, true);
> +               if (copy_from_user(&data, (void __user *)attr->addr, 4))
> +                       return -EFAULT;
> +
> +               return kvm_eiointc_regs_access(dev, attr, true, &data);
>         case KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS:
>                 return kvm_eiointc_sw_status_access(dev, attr, true);
>         default:
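Review bot: The copy_from_user in the REGS case of kvm_eiointc_set_attr uses the literal `4` for the size of an `int` buffer; `sizeof(data)` ties the size to the declaration and keeps it in step with the 4-byte memcpy in kvm_eiointc_regs_access. Note that the user value is now fetched before the callee validates `attr->attr`, so a request with an unknown register offset still pays for the user copy; that looks harmless, but a one-line comment such as `/* fetch the value first: the copy may fault and must stay outside s->lock */` would record why the order is what it is.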
> --
> 2.39.3
>
