From patchwork Wed Dec 11 15:05:48 2019
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 181224
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Will Deacon, Evgenii Stepanov, Catalin Marinas
Subject: [PATCH 5.4 57/92] arm64: Validate tagged addresses in access_ok() called from kernel threads
Date: Wed, 11 Dec 2019 16:05:48 +0100
Message-Id: <20191211150247.321136840@linuxfoundation.org>
In-Reply-To: <20191211150221.977775294@linuxfoundation.org>
References: <20191211150221.977775294@linuxfoundation.org>

From: Catalin Marinas

commit df325e05a682e9c624f471835c35bd3f870d5e8c upstream.

__range_ok(), invoked from access_ok(), clears the tag of the user
address only if CONFIG_ARM64_TAGGED_ADDR_ABI is enabled and the thread
opted in to the relaxed ABI. The latter sets the TIF_TAGGED_ADDR thread
flag. In the case of asynchronous I/O (e.g. io_submit()), the
access_ok() may be called from a kernel thread. Since kernel threads
don't have TIF_TAGGED_ADDR set, access_ok() will fail for valid tagged
user addresses. Example from the ffs_user_copy_worker() thread:

	use_mm(io_data->mm);
	ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
	unuse_mm(io_data->mm);

Relax the __range_ok() check to always untag the user address if called
in the context of a kernel thread. The user pointers would have already
been checked via aio_setup_rw() -> import_{single_range,iovec}() at the
time of the asynchronous I/O request.

Fixes: 63f0c6037965 ("arm64: Introduce prctl() options to control the tagged user addresses ABI")
Cc: # 5.4.x-
Cc: Will Deacon
Reported-by: Evgenii Stepanov
Tested-by: Evgenii Stepanov
Signed-off-by: Catalin Marinas
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/include/asm/uaccess.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h 
@@ -62,8 +62,13 @@ static inline unsigned long __range_ok(c { unsigned long ret, limit = current_thread_info()->addr_limit; + /* + * Asynchronous I/O running in a kernel thread does not have the + * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag + * the user address before checking. + */ if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) && - test_thread_flag(TIF_TAGGED_ADDR)) + (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR))) addr = untagged_addr(addr); __chk_user_ptr(addr);
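
Review bot: the `current->flags & PF_KTHREAD` arm of the new condition untags for every kernel thread, whether or not the process owning the mm opted in to the tagged address ABI, and the added in-code comment does not say why that is safe. The commit message gives the reason (the user pointers were already checked via aio_setup_rw() -> import_{single_range,iovec}() when the request was submitted); please carry that sentence into the comment above the `if`, so the reliance on submission-time validation is visible to anyone adding another kernel-thread caller of access_ok(). As a style point, writing `(current->flags & PF_KTHREAD) || test_thread_flag(TIF_TAGGED_ADDR)` with explicit parentheses around the bitwise test would make the precedence obvious next to `||`.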
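
The behaviour described in the commit message, as a user-space C model added here for illustration (not kernel code and not part of the patch). model_untag(), model_range_ok(), the 48-bit limit, the tag position and the sample addresses are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumptions (not from the patch): 48-bit user address space,
 * pointer tag in bits 63:56, CONFIG_ARM64_TAGGED_ADDR_ABI enabled. */
#define MODEL_LIMIT ((UINT64_C(1) << 48) - 1)   /* stands in for addr_limit */
#define TAG_MASK    (UINT64_C(0xff) << 56)

/* Stand-in for untagged_addr(): drop the tag byte of a user pointer.
 * Addresses with bit 55 set (kernel half) are left untouched. */
static uint64_t model_untag(uint64_t addr)
{
    return (addr & (UINT64_C(1) << 55)) ? addr : (addr & ~TAG_MASK);
}

/* Simplified __range_ok(): is_kthread models current->flags & PF_KTHREAD,
 * tagged_abi models TIF_TAGGED_ADDR, patched selects the post-fix condition. */
static bool model_range_ok(bool is_kthread, bool tagged_abi, bool patched,
                           uint64_t addr, uint64_t size)
{
    if (tagged_abi || (patched && is_kthread))
        addr = model_untag(addr);
    if (size > MODEL_LIMIT + 1)
        return false;
    return addr <= MODEL_LIMIT + 1 - size;  /* addr + size <= limit + 1, no wrap */
}

#define USER_TAGGED    UINT64_C(0x2a00000012345000)  /* constructed: tag 0x2a */
#define KERNEL_LOOKING UINT64_C(0xffff000012345000)  /* constructed */

int main(void)
{
    static const struct { const char *who; bool kt, abi; } c[] = {
        { "user thread, opted in",     false, true  },
        { "user thread, not opted in", false, false },
        { "kernel thread (async I/O)", true,  false },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-28s before=%d after=%d\n", c[i].who,
               model_range_ok(c[i].kt, c[i].abi, false, USER_TAGGED, 4096),
               model_range_ok(c[i].kt, c[i].abi, true,  USER_TAGGED, 4096));
    printf("kernel-half address, kernel thread, after fix: %d\n",
           model_range_ok(true, false, true, KERNEL_LOOKING, 4096));
    return 0;
}
```

Only the kernel-thread row changes between the two columns; the last line shows that untagging alone does not make an address above the limit pass the range check.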