[RFC] x86/fpu: Use get_user_pages_unlocked() to fault-in pages

Commit Message

Sebastian Andrzej Siewior May 1, 2019, 9 a.m. UTC

Using get_user_pages() seems to be problematic: KASAN reports
use-after-free in LTP's signal06 testcase.
The test invokes the signal handler with a provided stack and changes
the RW/WO page flags of the stack while the signal is invoked.  A crash
due to a NULL pointer has also been observed.

get_user_pages() may be invoked (or so I assumed) without holding the
mmap_sem for pre-faulting. KASAN probably slows down processing that we
can observe the user-after-free while page-flags are changed. It does
not happen without KASAN.

Use get_user_pages_unlocked() which holds the mm_sem around while
paging-in user memory.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---

While this fixes the problem and the crash later on, I would like to
hear from MM folks if it is intended to invoke get_user_pages() without
holding the mmap_sem. Without passing lockde & pages we only do:
  __get_user_pages_locked()
    - __get_user_pages()
    - if (!pages)
	/* If it's a prefault don't insist harder
	 */
	return ret;
Which was my intention. 
The comment above faultin_page() says "mmap_sem must be held on entry"
so this makes me thing that one must hold it…

 arch/x86/kernel/fpu/signal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index eaddb185cac95..3a94e3d2e3bdf 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -172,8 +172,8 @@  int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
 		aligned_size = offset_in_page(buf_fx) + fpu_user_xstate_size;
 		nr_pages = DIV_ROUND_UP(aligned_size, PAGE_SIZE);
 
-		ret = get_user_pages((unsigned long)buf_fx, nr_pages,
-				     FOLL_WRITE, NULL, NULL);
+		ret = get_user_pages_unlocked((unsigned long)buf_fx, nr_pages,
+					      NULL, FOLL_WRITE);
 		if (ret == nr_pages)
 			goto retry;
 		return -EFAULT;