From patchwork Wed Jan 2 09:31:37 2019
X-Patchwork-Submitter: Jason Yan
X-Patchwork-Id: 10746287
Mailing-List: kernel-hardening@lists.openwall.com
From: Jason Yan
CC: Jason Yan, Li Bin, Wei Yongjun
Subject: [PATCH] usercopy: skip the check if not a real usercopy
Date: Wed, 2 Jan 2019 17:31:37 +0800
Message-ID: <20190102093137.17136-1-yanaijie@huawei.com>

Some kernel code uses copy_to/from_user to copy data between kernel
buffers by calling set_fs(KERNEL_DS). Hardened usercopy will check
these objects and sometimes a soft lockup may happen as follows:

[ 96.314420] watchdog: BUG: soft lockup - CPU#4 stuck for 22s! [sh:356]
......
[ 96.674904] Call Trace:
[ 96.684489] __check_object_size+0x1f1/0x460
[ 96.691669] __probe_kernel_write+0x195/0x390
[ 96.696821] ftrace_write+0x67/0xa0
[ 96.709086] ftrace_replace_code+0x3e2/0xa30
[ 96.724418] ? ftrace_int3_handler+0x100/0x100
[ 96.731570] ftrace_modify_all_code+0x1f6/0x2e0
[ 96.741639] ? function_stack_trace_call+0x340/0x340
[ 96.751778] arch_ftrace_update_code+0x3a/0x70
[ 96.762062] ftrace_run_update_code+0x35/0xf0
[ 96.763874] ftrace_startup_enable+0x7a/0xa0
[ 96.770122] ftrace_startup+0x405/0x6a0
[ 96.782269] register_ftrace_function+0x76/0x150
[ 96.794676] function_trace_init+0x1bb/0x250
[ 96.805203] tracing_set_tracer+0x4af/0xa10
[ 96.817490] tracing_set_trace_write+0x40e/0x660
[ 96.832344] ? tracing_set_tracer+0xa10/0xa10
[ 96.843771] ? kasan_check_read+0x1d/0x30
[ 96.855433] ? do_raw_spin_unlock+0x6c/0x300
[ 96.864058] ? _raw_spin_unlock+0x44/0x70
[ 96.873790] ? do_anonymous_page+0x6d3/0x1030
[ 96.887520] ? tracing_set_tracer+0xa10/0xa10
[ 96.897393] __vfs_write+0x11b/0x880
[ 96.910798] ? kernel_read+0x150/0x150
[ 96.918995] ? __lock_acquire+0x925/0x1770
[ 96.925343] ? __lock_acquire+0x925/0x1770
[ 96.933334] ? pmd_alloc+0x140/0x140
[ 96.944556] ? __lock_is_held+0xe3/0x1a0
[ 96.954812] ? kasan_check_read+0x1d/0x30
[ 96.959380] ? rcu_read_lock_sched_held+0x1dd/0x210
[ 96.967383] ? rcu_sync_lockdep_assert+0xf0/0x190
[ 96.984740] ? __sb_start_write+0x1b3/0x3e0
[ 96.999405] vfs_write+0x210/0x640
[ 97.013153] ksys_write+0xe6/0x210
[ 97.023623] ? __x64_sys_read+0xe0/0xe0
[ 97.035021] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 97.044914] ? do_syscall_64+0x98/0x2b0
[ 97.050349] ? do_syscall_64+0x98/0x2b0
[ 97.058009] __x64_sys_write+0x94/0xe0
[ 97.063153] do_syscall_64+0x161/0x2b0
[ 97.069358] entry_SYSCALL_64_after_hwframe+0x49/0xbe
......

It's unnecessary to check these objects for copying between kernel
buffers. So skip all hardened usercopy tests.

Signed-off-by: Jason Yan
CC: Li Bin
CC: Wei Yongjun
---
mm/usercopy.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/mm/usercopy.c b/mm/usercopy.c index 852eb4e53f06..8a0a1854f564 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -23,6 +23,7 @@ #include #include #include +#include /* * Checks if a given pointer and length is contained by the current @@ -255,6 +256,10 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user) if (static_branch_unlikely(&bypass_usercopy_checks)) return; + /* Skip all tests if it is not a real usercopy. */ + if (uaccess_kernel()) + return; + /* Skip all tests if size is zero. */ + if (!n) return;
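Review bot: the `+#include` added at `@@ -23,6 +23,7 @@` has no readable header name in this copy of the patch, so it cannot be reviewed as posted; the only new symbol the patch introduces is uaccess_kernel() in the second hunk, so confirm the include is the header that declares it and that it keeps the existing include ordering of mm/usercopy.c (also not visible here).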
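Review bot: the early `if (uaccess_kernel()) return;` in `@@ -255,6 +256,10 @@` turns off every hardened-usercopy test for any copy issued while the address limit is KERNEL_DS, not just the ftrace_replace_code -> ftrace_write -> __probe_kernel_write path shown in the trace; a kernel-to-kernel copy_to/from_user with a wrong length under set_fs(KERNEL_DS) is exactly the case the bounds check would otherwise catch, and the changelog only asserts that checking it is "unnecessary" without saying why. Either justify that in the commit message or address the hot path from the trace instead of skipping the check globally. Placement is otherwise consistent: it follows the static_branch bypass, precedes the existing `if (!n) return;` shortcut, and the "Skip all tests if ..." comment matches the surrounding style.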
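To make the reviewer's concern concrete, the following is an added userspace model of the gate this patch changes; it is not kernel code and not part of the posted patch. It stands in for __check_object_size() with a two-object "slab" and a flag that plays the role of the KERNEL_DS address limit; model_*, obj_a/obj_b and kernel_ds_copy() are hypothetical names, and the backing buffer is constructed sample data. Where the real function would call usercopy_abort(), the model returns -1.

```c
/* Added example: userspace model of the hardened-usercopy gate with and
 * without the patch's early return. Not kernel code; all names are
 * hypothetical stand-ins for the kernel's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for set_fs(KERNEL_DS) / uaccess_kernel(). */
static bool model_addr_limit_is_kernel = false;
static void model_set_fs_kernel(bool on) { model_addr_limit_is_kernel = on; }
static bool model_uaccess_kernel(void) { return model_addr_limit_is_kernel; }

/* Two adjacent modeled objects carved from one backing array (constructed
 * data), so a copy that runs past obj_a reads into obj_b. */
#define OBJ_SIZE 16
static uint8_t backing[2 * OBJ_SIZE];
static uint8_t *const obj_a = backing;
static uint8_t *const obj_b = backing + OBJ_SIZE;
static uint8_t model_dst[2 * OBJ_SIZE];   /* scratch destination */

/* 0 if [ptr, ptr+n) lies inside a single modeled object, else -1.
 * This mirrors only the bounds part of the real check. */
static int model_object_in_bounds(const void *ptr, unsigned long n)
{
    uintptr_t p = (uintptr_t)ptr;
    uintptr_t a = (uintptr_t)obj_a, b = (uintptr_t)obj_b;
    if (p >= a && p + n <= a + OBJ_SIZE) return 0;
    if (p >= b && p + n <= b + OBJ_SIZE) return 0;
    return -1;   /* the kernel would usercopy_abort() here */
}

/* Gate as before the patch: the copy is always bounds-checked. */
static int check_object_size_unpatched(const void *ptr, unsigned long n,
                                       bool to_user)
{
    (void)to_user;
    if (!n) return 0;
    return model_object_in_bounds(ptr, n);
}

/* Gate as after the patch: return early under a kernel address limit. */
static int check_object_size_patched(const void *ptr, unsigned long n,
                                     bool to_user)
{
    (void)to_user;
    if (model_uaccess_kernel()) return 0;   /* the patch's added return */
    if (!n) return 0;
    return model_object_in_bounds(ptr, n);
}

/* A kernel-to-kernel copy done under set_fs(KERNEL_DS), as the commit
 * message describes: n bytes out of obj_a. Returns the gate's verdict and
 * only performs the copy when the gate allows it. */
static int kernel_ds_copy(int (*gate)(const void *, unsigned long, bool),
                          void *dst, unsigned long n)
{
    int ret;
    model_set_fs_kernel(true);
    ret = gate(obj_a, n, true);
    if (ret == 0)
        memcpy(dst, obj_a, n);
    model_set_fs_kernel(false);
    return ret;
}

int main(void)
{
    printf("in-bounds copy, unpatched gate: %d\n",
           kernel_ds_copy(check_object_size_unpatched, model_dst, OBJ_SIZE));
    printf("in-bounds copy, patched gate:   %d\n",
           kernel_ds_copy(check_object_size_patched, model_dst, OBJ_SIZE));
    /* A copy that spills from obj_a into obj_b: only the unpatched gate
     * refuses it; the patched gate lets it through under KERNEL_DS. */
    printf("overrun copy, unpatched gate:   %d\n",
           kernel_ds_copy(check_object_size_unpatched, model_dst, OBJ_SIZE + 4));
    printf("overrun copy, patched gate:     %d\n",
           kernel_ds_copy(check_object_size_patched, model_dst, OBJ_SIZE + 4));
    return 0;
}
```

The model makes the trade-off visible: the patch removes the cost that shows up in the soft-lockup trace, but it does so by dropping the bounds check for every copy made under KERNEL_DS, including ones whose length is wrong.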