Commit Graph

132235 Commits

Author SHA1 Message Date
Al Viro
2fefc97b21 HAVE_ARCH_HARDENED_USERCOPY is unconditional now
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-26 12:11:06 -04:00
Al Viro
701cac61d0 CONFIG_ARCH_HAS_RAW_COPY_USER is unconditional now
all architectures converted

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-26 12:11:01 -04:00
Al Viro
eea86b637a Merge branches 'uaccess.alpha', 'uaccess.arc', 'uaccess.arm', 'uaccess.arm64', 'uaccess.avr32', 'uaccess.bfin', 'uaccess.c6x', 'uaccess.cris', 'uaccess.frv', 'uaccess.h8300', 'uaccess.hexagon', 'uaccess.ia64', 'uaccess.m32r', 'uaccess.m68k', 'uaccess.metag', 'uaccess.microblaze', 'uaccess.mips', 'uaccess.mn10300', 'uaccess.nios2', 'uaccess.openrisc', 'uaccess.parisc', 'uaccess.powerpc', 'uaccess.s390', 'uaccess.score', 'uaccess.sh', 'uaccess.sparc', 'uaccess.tile', 'uaccess.um', 'uaccess.unicore32', 'uaccess.x86' and 'uaccess.xtensa' into work.uaccess 2017-04-26 12:06:59 -04:00
Al Viro
9a677341cd m32r: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-26 12:05:56 -04:00
Al Viro
ac4691fac8 hexagon: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-24 20:28:29 -04:00
Al Viro
d491afb865 microblaze: switch to RAW_COPY_USER
[kudos to Piotr Sroka for spotting a braino in the previous variant]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-11 09:30:55 -04:00
Al Viro
b3622d3217 get rid of padding, switch to RAW_COPY_USER
Merced is fucked, so what else is new?

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:51 -04:00
Al Viro
652c1aaca2 ia64: get rid of copy_in_user()
it hadn't been biarch for years

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:51 -04:00
Al Viro
7bb8a503e8 ia64: sanitize __access_ok()
turn into static inline, kill the 'segment' argument.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:50 -04:00
Al Viro
11836ecee9 ia64: get rid of 'segment' argument of __do_{get,put}_user()
it's only evaluated if the first argument is not 0, and in those
cases it's always equal to get_fs()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:50 -04:00
Al Viro
1bd5986bbc ia64: get rid of 'segment' argument of __{get,put}_user_check()
always equal to get_fs()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:49 -04:00
Al Viro
8bec271726 ia64: add extable.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 19:35:49 -04:00
Al Viro
fccfb99508 Merge commit 'b4fb8f66f1ae2e167d06c12d018025a8d4d3ba7e' into uaccess.ia64
backmerge of mainline ia64 fix
2017-04-06 19:35:03 -04:00
Al Viro
3448890c32 powerpc: get rid of zeroing, switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 15:08:42 -04:00
Al Viro
f2ed8bebee Merge commit 'a7d2475af7aedcb9b5c6343989a8bfadbf84429b' into uaccess.powerpc
backmerge of sorting the arch/powerpc/Kconfig
2017-04-06 15:08:10 -04:00
Al Viro
1c87ea4566 alpha: fix stack smashing in old_adjtimex(2)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:10:31 -04:00
Al Viro
2260ea86c0 mips: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:09 -04:00
Al Viro
1a4fded6d3 mips: get rid of tail-zeroing in primitives
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:08 -04:00
Al Viro
ab0aca27c4 mips: make copy_from_user() zero tail explicitly
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:08 -04:00
Al Viro
b0bb945c14 mips: clean and reorder the forest of macros...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:07 -04:00
Al Viro
c12a1d7ad9 mips: consolidate __invoke_... wrappers
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:07 -04:00
Al Viro
f0a955f4ee mips: sanitize __access_ok()
for one thing, the last argument is always __access_mask and had been such
since 2.4.0-test3pre8; for another, it can bloody well be a static inline -
-O2 or -Os, __builtin_constant_p() propagates through static inline calls.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-06 02:08:06 -04:00
Al Viro
054838bc01 Merge commit 'fc69910f329d' into uaccess.mips
backmerge of a build fix from mainline
2017-04-06 02:07:33 -04:00
James Hogan
840db3f938 metag/usercopy: Switch to RAW_COPY_USER
Switch to using raw user copy instead of providing metag specific
[__]copy_{to,from}_user[_inatomic](). This simplifies the metag
uaccess.h and allows us to take advantage of extra checking in the
generic versions.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-05 11:43:57 -04:00
Al Viro
a98bba563d Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag into uaccess.metag 2017-04-05 11:41:09 -04:00
James Hogan
b884a190af metag/usercopy: Add missing fixups
The rapf copy loops in the Meta usercopy code is missing some extable
entries for HTP cores with unaligned access checking enabled, where
faults occur on the instruction immediately after the faulting access.

Add the fixup labels and extable entries for these cases so that corner
case user copy failures don't cause kernel crashes.

Fixes: 373cd784d0 ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 15:25:07 +01:00
James Hogan
2c0b1df88b metag/usercopy: Fix src fixup in from user rapf loops
The fixup code to rewind the source pointer in
__asm_copy_from_user_{32,64}bit_rapf_loop() always rewound the source by
a single unit (4 or 8 bytes), however this is insufficient if the fault
didn't occur on the first load in the loop, as the source pointer will
have been incremented but nothing will have been stored until all 4
register [pairs] are loaded.

Read the LSM_STEP field of TXSTATUS (which is already loaded into a
register), a bit like the copy_to_user versions, to determine how many
iterations of MGET[DL] have taken place, all of which need rewinding.

Fixes: 373cd784d0 ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 15:25:07 +01:00
James Hogan
fd40eee129 metag/usercopy: Set flags before ADDZ
The fixup code for the copy_to_user rapf loops reads TXStatus.LSM_STEP
to decide how far to rewind the source pointer. There is a special case
for the last execution of an MGETL/MGETD, since it leaves LSM_STEP=0
even though the number of MGETLs/MGETDs attempted was 4. This uses ADDZ
which is conditional upon the Z condition flag, but the AND instruction
which masked the TXStatus.LSM_STEP field didn't set the condition flags
based on the result.

Fix that now by using ANDS which does set the flags, and also marking
the condition codes as clobbered by the inline assembly.

Fixes: 373cd784d0 ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 15:25:06 +01:00
James Hogan
563ddc1076 metag/usercopy: Zero rest of buffer from copy_from_user
Currently we try to zero the destination for a failed read from userland
in fixup code in the usercopy.c macros. The rest of the destination
buffer is then zeroed from __copy_user_zeroing(), which is used for both
copy_from_user() and __copy_from_user().

Unfortunately we fail to zero in the fixup code as D1Ar1 is set to 0
before the fixup code entry labels, and __copy_from_user() shouldn't even
be zeroing the rest of the buffer.

Move the zeroing out into copy_from_user() and rename
__copy_user_zeroing() to raw_copy_from_user() since it no longer does
any zeroing. This also conveniently matches the name needed for
RAW_COPY_USER support in a later patch.

Fixes: 373cd784d0 ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 15:25:02 +01:00
James Hogan
fb8ea062a8 metag/usercopy: Add early abort to copy_to_user
When copying to userland on Meta, if any faults are encountered
immediately abort the copy instead of continuing on and repeatedly
faulting, and worse potentially copying further bytes successfully to
subsequent valid pages.

Fixes: 373cd784d0 ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 14:49:42 +01:00
James Hogan
2257211942 metag/usercopy: Fix alignment error checking
Fix the error checking of the alignment adjustment code in
raw_copy_from_user(), which mistakenly considers it safe to skip the
error check when aligning the source buffer on a 2 or 4 byte boundary.

If the destination buffer was unaligned it may have started to copy
using byte or word accesses, which could well be at the start of a new
(valid) source page. This would result in it appearing to have copied 1
or 2 bytes at the end of the first (invalid) page rather than none at
all.

Fixes: 373cd784d0 ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 14:49:36 +01:00
James Hogan
ef62a2d81f metag/usercopy: Drop unused macros
Metag's lib/usercopy.c has a bunch of copy_from_user macros for larger
copies between 5 and 16 bytes which are completely unused. Before fixing
zeroing lets drop these macros so there is less to fix.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-metag@vger.kernel.org
Cc: stable@vger.kernel.org
2017-04-05 14:49:26 +01:00
Max Filippov
7d4914db8f xtensa: fix prefetch in the raw_copy_to_user
'from' is the input buffer, it should be prefetched with prefetch, not
prefetchw.

Tested-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-04 16:53:13 -04:00
Al Viro
31af2f36d5 sparc: switch to RAW_COPY_USER
... and drop zeroing in sparc32.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-02 12:53:15 -04:00
Al Viro
f64fd180ec parisc: switch to RAW_COPY_USER
... and remove dead declarations, while we are at it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-02 12:07:21 -04:00
Al Viro
bee3f412d6 Merge branch 'parisc-4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux into uaccess.parisc 2017-04-02 10:33:48 -04:00
Al Viro
37096003c8 s390: get rid of zeroing, switch to RAW_COPY_USER
[folded a fix from Martin]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-30 10:47:28 -04:00
Vineet Gupta
e13909a4ac ARC: uaccess: enable INLINE_COPY_{TO,FROM}_USER ...
... and switch to generic out of line version in lib/usercopy.c

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-30 00:07:48 -04:00
Helge Deller
476e75a44b parisc: Avoid stalled CPU warnings after system shutdown
Commit 73580dac76 ("parisc: Fix system shutdown halt") introduced an endless
loop for systems which don't provide a software power off function.  But the
soft lockup detector will detect this and report stalled CPUs after some time.
Avoid those unwanted warnings by disabling the soft lockup detector.

Fixes: 73580dac76 ("parisc: Fix system shutdown halt")
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # 4.9+
2017-03-29 21:50:38 +02:00
Helge Deller
d19f5e41b3 parisc: Clean up fixup routines for get_user()/put_user()
Al Viro noticed that userspace accesses via get_user()/put_user() can be
simplified a lot with regard to usage of the exception handling.

This patch implements a fixup routine for get_user() and put_user() in such
that the exception handler will automatically load -EFAULT into the register
%r8 (the error value) in case on a fault on userspace.  Additionally the fixup
routine will zero the target register on fault in case of a get_user() call.
The target register is extracted out of the faulting assembly instruction.

This patch brings a few benefits over the old implementation:
1. Exception handling gets much cleaner, easier and smaller in size.
2. Helper functions like fixup_get_user_skip_1 (all of fixup.S) can be dropped.
3. No need to hardcode %r9 as target register for get_user() any longer. This
   helps the compiler register allocator and thus creates less assembler
   statements.
4. No dependency on the exception_data contents any longer.
5. Nested faults will be handled cleanly.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Helge Deller <deller@gmx.de>
2017-03-29 21:50:36 +02:00
Helge Deller
554bfeceb8 parisc: Fix access fault handling in pa_memcpy()
pa_memcpy() is the major memcpy implementation in the parisc kernel which is
used to do any kind of userspace/kernel memory copies.

Al Viro noticed various bugs in the implementation of pa_mempcy(), most notably
that in case of faults it may report back to have copied more bytes than it
actually did.

Fixing those bugs is quite hard in the C-implementation, because the compiler
is messing around with the registers and we are not guaranteed that specific
variables are always in the same processor registers. This makes proper fault
handling complicated.

This patch implements pa_memcpy() in assembler. That way we have correct fault
handling and adding a 64-bit copy routine was quite easy.

Runtime tested with 32- and 64bit kernels.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
2017-03-29 21:49:02 +02:00
Al Viro
beba3a20bf x86: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-29 12:06:28 -04:00
Al Viro
a41e0d7542 x86: don't wank with magical size in __copy_in_user()
... especially since copy_in_user() doesn't

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-29 12:04:35 -04:00
Al Viro
839cc2954c arc: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 23:41:31 -04:00
Al Viro
3a0e75adec xtensa: get rid of zeroing, use RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:07 -04:00
Al Viro
0b46a94e84 xtensa: switch to generic extable.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:07 -04:00
Al Viro
3f763453e6 kill __copy_from_user_nocache()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:05 -04:00
Al Viro
2ef59f2856 unicore32: get rid of zeroing and switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:04 -04:00
Al Viro
122b05ddf5 amd64: get rid of zeroing
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:04 -04:00
Al Viro
a668ce3a00 um: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-03-28 18:24:03 -04:00