Message ID | f0e171cbae576758d9387cee374dd65088e75b07.1725223574.git.osandov@fb.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Headers | show |
Series | mm: make copy_to_kernel_nofault() not fault on user addresses | expand |
Hi, Le 02/09/2024 à 07:31, Omar Sandoval a écrit : > [Vous ne recevez pas souvent de courriers de osandov@osandov.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ] > > From: Omar Sandoval <osandov@fb.com> > > I found that on x86, copy_to_kernel_nofault() still faults on addresses > outside of the kernel address range (including NULL): > > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc > # echo g > /proc/sysrq-trigger > ... > [15]kdb> mm 0 1234 > [ 94.652476] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... > > Note that copy_to_kernel_nofault() uses pagefault_disable(), but it > still faults. This is because with Supervisor Mode Access Prevention > (SMAP) enabled, do_user_addr_fault() Oopses on a fault for a user > address from kernel space _before_ checking faulthandler_disabled(). > > copy_from_kernel_nofault() avoids this by checking that the address is > in the kernel before doing the actual memory access. Do the same in > copy_to_kernel_nofault() so that we get an error as expected: > > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc > # echo g > /proc/sysrq-trigger > ... > [17]kdb> mm 0 1234 > kdb_putarea_size: Bad address 0x0 > diag: -21: Invalid address > > Signed-off-by: Omar Sandoval <osandov@fb.com> > --- > mm/maccess.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/mm/maccess.c b/mm/maccess.c > index 72e9c03ea37f..d67dee51a1cc 100644 > --- a/mm/maccess.c > +++ b/mm/maccess.c > @@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size) > if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) > align = (unsigned long)dst | (unsigned long)src; > > + if (!copy_kernel_nofault_allowed(dst, size)) > + return -ERANGE; > + > pagefault_disable(); > if (!(align & 7)) > copy_to_kernel_nofault_loop(dst, src, size, u64, Efault); > -- > 2.46.0 > This patch leads to the following errors on ppc64le_defconfig: [ 2.423930][ T1] Running code patching self-tests ... [ 2.428912][ T1] code-patching: test failed at line 395 [ 2.429085][ T1] code-patching: test failed at line 398 [ 2.429561][ T1] code-patching: test failed at line 432 [ 2.429679][ T1] code-patching: test failed at line 435 This seems to be linked to commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU"), copy_from_kernel_nofault_allowed() returns false for the patching area. Christophe
On Wed, Sep 04, 2024 at 09:50:56AM +0200, Christophe Leroy wrote: > Hi, > > Le 02/09/2024 à 07:31, Omar Sandoval a écrit : > > [Vous ne recevez pas souvent de courriers de osandov@osandov.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ] > > > > From: Omar Sandoval <osandov@fb.com> > > > > I found that on x86, copy_to_kernel_nofault() still faults on addresses > > outside of the kernel address range (including NULL): > > > > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc > > # echo g > /proc/sysrq-trigger > > ... > > [15]kdb> mm 0 1234 > > [ 94.652476] BUG: kernel NULL pointer dereference, address: 0000000000000000 > ... > > > > Note that copy_to_kernel_nofault() uses pagefault_disable(), but it > > still faults. This is because with Supervisor Mode Access Prevention > > (SMAP) enabled, do_user_addr_fault() Oopses on a fault for a user > > address from kernel space _before_ checking faulthandler_disabled(). > > > > copy_from_kernel_nofault() avoids this by checking that the address is > > in the kernel before doing the actual memory access. Do the same in > > copy_to_kernel_nofault() so that we get an error as expected: > > > > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc > > # echo g > /proc/sysrq-trigger > > ... > > [17]kdb> mm 0 1234 > > kdb_putarea_size: Bad address 0x0 > > diag: -21: Invalid address > > > > Signed-off-by: Omar Sandoval <osandov@fb.com> > > --- > > mm/maccess.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/mm/maccess.c b/mm/maccess.c > > index 72e9c03ea37f..d67dee51a1cc 100644 > > --- a/mm/maccess.c > > +++ b/mm/maccess.c > > @@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size) > > if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) > > align = (unsigned long)dst | (unsigned long)src; > > > > + if (!copy_kernel_nofault_allowed(dst, size)) > > + return -ERANGE; > > + > > pagefault_disable(); > > if (!(align & 7)) > > copy_to_kernel_nofault_loop(dst, src, size, u64, Efault); > > -- > > 2.46.0 > > > > This patch leads to the following errors on ppc64le_defconfig: > > [ 2.423930][ T1] Running code patching self-tests ... > [ 2.428912][ T1] code-patching: test failed at line 395 > [ 2.429085][ T1] code-patching: test failed at line 398 > [ 2.429561][ T1] code-patching: test failed at line 432 > [ 2.429679][ T1] code-patching: test failed at line 435 > > This seems to be linked to commit c28c15b6d28a ("powerpc/code-patching: Use > temporary mm for Radix MMU"), copy_from_kernel_nofault_allowed() returns > false for the patching area. Thanks for testing. This patch isn't worth the trouble, so we can drop it. Thanks, Omar
diff --git a/mm/maccess.c b/mm/maccess.c index 72e9c03ea37f..d67dee51a1cc 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size) if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) align = (unsigned long)dst | (unsigned long)src; + if (!copy_kernel_nofault_allowed(dst, size)) + return -ERANGE; + pagefault_disable(); if (!(align & 7)) copy_to_kernel_nofault_loop(dst, src, size, u64, Efault);