From patchwork Fri Jun 14 03:08:28 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Viresh Kumar
X-Patchwork-Id: 166783
Delivered-To: patch@linaro.org
From: Viresh Kumar
To: linux-arm-kernel@lists.infradead.org, Julien Thierry
Cc: Viresh Kumar, stable@vger.kernel.org, Catalin Marinas, Marc Zyngier, Mark Rutland, Will Deacon, Russell King, Vincent Guittot, mark.brown@arm.com
Subject: [PATCH v4.4 45/45] arm64: futex: Mask __user pointers prior to dereference
Date: Fri, 14 Jun 2019 08:38:28 +0530
Message-Id: <1e0218d2ca5026bccbad88acba998349fe2195f1.1560480942.git.viresh.kumar@linaro.org>
X-Mailer: git-send-email 2.21.0.rc0.269.g1a574e7a288b
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

From: Will Deacon

commit 91b2d3442f6a44dce875670d702af22737ad5eff upstream.

The arm64 futex code has some explicit dereferencing of user pointers
where performing atomic operations in response to a futex command. This
patch uses masking to limit any speculative futex operations to within
the user address space.

Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Viresh Kumar
---
 arch/arm64/include/asm/futex.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--
2.21.0.rc0.269.g1a574e7a288b

diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h index 34d4d2e2f561..8ab6e83cb629 100644 --- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h @@ -53,9 +53,10 @@ : "memory") static inline int -arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) +arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) { int oldval = 0, ret, tmp; + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); pagefault_disable(); @@ -93,15 +94,17 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) } static inline int -futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr, u32 oldval, u32 newval) { int ret = 0; u32 val, tmp; + u32 __user *uaddr; - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32))) return -EFAULT; + uaddr = __uaccess_mask_ptr(_uaddr); asm volatile("// futex_atomic_cmpxchg_inatomic\n" ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN) " prfm pstl1strm, %2\n"
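
Review bot: in the first hunk (arch_futex_atomic_op_inuser), the new `u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);` line carries no comment, and unlike futex_atomic_cmpxchg_inatomic() in the second hunk, the visible lines show no access_ok() in this function ahead of the mask. Please add a one-line comment stating that the mask only bounds speculative accesses and saying where the range check for this path happens, so the mask is not read as a replacement for access_ok().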
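
Review bot: in the second hunk (futex_atomic_cmpxchg_inatomic), the unmasked `_uaddr` stays in scope after `uaddr = __uaccess_mask_ptr(_uaddr);`, and `uaddr` is declared without an initializer, so the function now holds two pointers of which only one is meant to be dereferenced. The ordering (access_ok() on `_uaddr`, then mask) reads fine, but a short comment that `_uaddr` exists only for the access_ok() check and that the asm must keep using `uaddr` would guard against a later edit picking the wrong one. The operand list that binds `%2` in the asm lies outside the context shown, so it is worth confirming against the full file that it names `uaddr`.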