git.baikalelectronics.ru Git - kernel.git/commit

author	Nicholas Piggin <npiggin@gmail.com>
	Tue, 7 Apr 2020 04:12:45 +0000 (14:12 +1000)
committer	Michael Ellerman <mpe@ellerman.id.au>
	Thu, 30 Apr 2020 10:21:44 +0000 (20:21 +1000)
commit	fcf7299adc0fff79670bacd4d8e57073fa9a5e44
tree	b5442b7075d809bf030795350e967a6c67ae1f86	tree \| snapshot
parent	0e6c92ce1d170795a396f8108369eb2c8412797f	commit \| diff

powerpc/uaccess: Evaluate macro arguments once, before user access is allowed

get/put_user() can be called with nontrivial arguments. fs/proc/page.c
has a good example:

if (put_user(stable_page_flags(ppage), out)) {

stable_page_flags() is quite a lot of code, including spin locks in
the page allocator.

Ensure these arguments are evaluated before user access is allowed.

This improves security by reducing code with access to userspace, but
it also fixes a PREEMPT bug with KUAP on powerpc/64s:
stable_page_flags() is currently called with AMR set to allow writes,
it ends up calling spin_unlock(), which can call preempt_schedule. But
the task switch code can not be called with AMR set (it relies on
interrupts saving the register), so this blows up.

It's fine if the code inside allow_user_access() is preemptible,
because a timer or IPI will save the AMR, but it's not okay to
explicitly cause a reschedule.

Fixes: edab3a5d9fbd ("powerpc: Add a framework for Kernel Userspace Access Protection")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200407041245.600651-1-npiggin@gmail.com