From patchwork Thu Nov 18 16:34:17 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vincent Whitchurch <vincent.whitchurch@axis.com>
X-Patchwork-Id: 12693066
Return-Path: 
 <SRS0=mfZn=QF=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D56CDC433EF
	for <linux-arm-kernel@archiver.kernel.org>;
 Thu, 18 Nov 2021 16:35:51 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id A209661175
	for <linux-arm-kernel@archiver.kernel.org>;
 Thu, 18 Nov 2021 16:35:51 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A209661175
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=axis.com
Authentication-Results: mail.kernel.org;
 spf=none smtp.mailfrom=lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:Subject:CC
	:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=ToGPfnH/7SwR7pp5nN0cDglw6h6Xqujg82Gy7IfqkOw=; b=ir8ryDlM/luK5b
	aBEjcvll2eRU45v0o6yv5ujlIhprKtpyu5E40tY2lIPFeH4xYnkJLVAXiAshHzgVkGednepRR8AHn
	ey3vmrH7bI7Ng3+o9VD9S0Pq3D70jcE0WMVoBYcs0nnxj0Jir7fJrjOcGTGIWSea7YQeUoTQMsgoK
	6W/iVVBqzzUGb81YQLfeFIUpJqDWQChseI4G28dJzGRRti9WNq7EpE7G7iN7q3F/3w6BwrliC30JS
	etBInglhUkgY0znl+SXV9beGQmKsZu3EFW/8SdVIOL0hjWZfrCUdfkIP8GORN1FEQkllGi8CNddt+
	WDMQAElDOddbfeBmIQeQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1mnkMn-008MaS-2v; Thu, 18 Nov 2021 16:34:29 +0000
Received: from smtp1.axis.com ([195.60.68.17])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1mnkMj-008MYx-08
 for linux-arm-kernel@lists.infradead.org; Thu, 18 Nov 2021 16:34:26 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=axis.com; q=dns/txt; s=axis-central1; t=1637253265;
 x=1668789265;
 h=from:to:cc:subject:date:message-id:mime-version:
 content-transfer-encoding;
 bh=fgixBB9fzWHHYd6pk0F6KCPvRNJYPGIKx4FByoZWSnQ=;
 b=mhCL+LdsovyFRW4Wq5rQMpO9SBHfKKOMuk1iAg73ki2Iv15YLviNWpNq
 /KQAwwKWYGKOHpmEEFzKtAj2EJVQ8JPBXCSqsbZRlf5pHOXYHTkpjAIN5
 c5hjcQ+SsyghN5p57g+63SnUNznZTCUU5E9O1kA/nB48n87wtYNepHJpO
 EpTnqhUsne3JMS+axo+pedTxOj7x+r9yDXiYm8bVrPS2nRG/dJS0iWCdc
 VraK7Tze1a/5aFoBnaTQSL794qvCgt+5MoSebfYLdAZktb9q06GfnrKJJ
 eM7c9WUp6Z6i9LO+JcyoPYBQgdlIegSFHlRIsqSp+bawyq3jsuyAGrQEZ g==;
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
To: <catalin.marinas@arm.com>, <will@kernel.org>, <mark.rutland@arm.com>
CC: <kernel@axis.com>, <linux-arm-kernel@lists.infradead.org>,
 <linux-kernel@vger.kernel.org>, Vincent Whitchurch
 <vincent.whitchurch@axis.com>
Subject: [PATCH] arm64: uaccess: fix put_user() with TTBR0 PAN
Date: Thu, 18 Nov 2021 17:34:17 +0100
Message-ID: <20211118163417.21617-1-vincent.whitchurch@axis.com>
X-Mailer: git-send-email 2.33.1
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20211118_083425_535766_FB7B4162 
X-CRM114-Status: UNSURE (   9.43  )
X-CRM114-Notice: Please train this message.
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

The value argument to put_user() must be evaluated before the TTBR0
switch is done.  Otherwise, if it is a function and the function sleeps,
the reserved TTBR0 will be restored when the process is switched in
again and the process will end up in an infinite loop of faults.

This problem was seen with the put_user() in schedule_tail().  A similar
fix was done for RISC-V in commit 285a76bb2cf51b0c74c634 ("riscv:
evaluate put_user() arg before enabling user access").

Fixes: f253d827f33cb5a5990 ("arm64: uaccess: refactor __{get,put}_user")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
 arch/arm64/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 6e2e0b7031ab..96b26fa9d3d0 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -362,10 +362,11 @@ do {									\
 #define __put_user_error(x, ptr, err)					\
 do {									\
 	__typeof__(*(ptr)) __user *__p = (ptr);				\
+	__typeof__(*(__p)) __val = (x);					\
 	might_fault();							\
 	if (access_ok(__p, sizeof(*__p))) {				\
 		__p = uaccess_mask_ptr(__p);				\
-		__raw_put_user((x), __p, (err));			\
+		__raw_put_user(__val, __p, (err));			\
 	} else	{							\
 		(err) = -EFAULT;					\
 	}								\