On Thu, Apr 12, 2018 at 12:11:06PM +0100, Mark Rutland wrote:
From: Will Deacon will.deacon@arm.com
commit 91b2d3442f6a44dce875670d702af22737ad5eff upstream.
The arm64 futex code has some explicit dereferencing of user pointers where performing atomic operations in response to a futex command. This patch uses masking to limit any speculative futex operations to within the user address space.
Signed-off-by: Will Deacon will.deacon@arm.com Signed-off-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Mark Rutland mark.rutland@arm.com [v4.9 backport] Tested-by: Greg Hackmann ghackmann@google.com
arch/arm64/include/asm/futex.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h index f2585cdd32c2..1d123dd01ee0 100644 --- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h @@ -51,13 +51,14 @@ : "memory") static inline int -futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) +futex_atomic_op_inuser (int encoded_op, u32 __user *_uaddr) { int op = (encoded_op >> 28) & 7; int cmp = (encoded_op >> 24) & 15; int oparg = (encoded_op << 8) >> 20; int cmparg = (encoded_op << 20) >> 20; int oldval = 0, ret, tmp;
- u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) oparg = 1 << oparg; @@ -109,15 +110,17 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) } static inline int -futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr, u32 oldval, u32 newval) { int ret = 0; u32 val, tmp;
- u32 __user *uaddr;
- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
- if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32))) return -EFAULT;
- uaddr = __uaccess_mask_ptr(_uaddr); asm volatile("// futex_atomic_cmpxchg_inatomic\n"
ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN) " prfm pstl1strm, %2\n"
This patch doesn't apply at all as it conflicts with commit d7c5f8c815466fc00785bbff20f25b39643abe01 which was commit 5f16a046f8e1 ("arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage") upstream.
Any chance you can provide a correct backport of this?
thanks,
greg k-h