# git rev-parse -q --verify 8cb55a3daebd4b38330b706117e1c8203ffaf3f5^{commit}
# git fetch -q -n -f git://gitlab.ozlabs.ibm.com/linuxppc/linux.git fixes-test
# git rev-parse -q --verify 8cb55a3daebd4b38330b706117e1c8203ffaf3f5^{commit}
8cb55a3daebd4b38330b706117e1c8203ffaf3f5
# git checkout -q -f -B kisskb 8cb55a3daebd4b38330b706117e1c8203ffaf3f5
# git clean -qxdf
# < git log -1
# commit 8cb55a3daebd4b38330b706117e1c8203ffaf3f5
# Author: Michael Ellerman
# Date: Fri Feb 7 22:15:46 2020 +1100
#
# powerpc/futex: Fix incorrect user access blocking
#
# The early versions of our kernel user access prevention (KUAP) were
# written by Russell and Christophe, and didn't have separate
# read/write access.
#
# At some point I picked up the series and added the read/write access,
# but I failed to update the usages in futex.h to correctly allow read
# and write.
#
# However we didn't notice because of another bug which was causing the
# low-level code to always enable read and write. That bug was fixed
# recently in commit 1d8f739b07bd ("powerpc/kuap: Fix set direction in
# allow/prevent_user_access()").
#
# futex_atomic_cmpxchg_inatomic() is passed the user address as %3 and
# does:
#
# 1: lwarx %1, 0, %3
# cmpw 0, %1, %4
# bne- 3f
# 2: stwcx. %5, 0, %3
#
# Which clearly loads and stores from/to %3. The logic in
# arch_futex_atomic_op_inuser() is similar, so fix both of them to use
# allow_read_write_user().
#
# Without this fix, and with PPC_KUAP_DEBUG=y, we see eg:
#
# Bug: Read fault blocked by AMR!
# WARNING: CPU: 94 PID: 149215 at arch/powerpc/include/asm/book3s/64/kup-radix.h:126 __do_page_fault+0x600/0xf30
# CPU: 94 PID: 149215 Comm: futex_requeue_p Tainted: G W 5.5.0-rc7-gcc9x-g4c25df5640ae #1
# ...
# NIP [c000000000070680] __do_page_fault+0x600/0xf30
# LR [c00000000007067c] __do_page_fault+0x5fc/0xf30
# Call Trace:
# [c00020138e5637e0] [c00000000007067c] __do_page_fault+0x5fc/0xf30 (unreliable)
# [c00020138e5638c0] [c00000000000ada8] handle_page_fault+0x10/0x30
# --- interrupt: 301 at cmpxchg_futex_value_locked+0x68/0xd0
# LR = futex_lock_pi_atomic+0xe0/0x1f0
# [c00020138e563bc0] [c000000000217b50] futex_lock_pi_atomic+0x80/0x1f0 (unreliable)
# [c00020138e563c30] [c00000000021b668] futex_requeue+0x438/0xb60
# [c00020138e563d60] [c00000000021c6cc] do_futex+0x1ec/0x2b0
# [c00020138e563d90] [c00000000021c8b8] sys_futex+0x128/0x200
# [c00020138e563e20] [c00000000000b7ac] system_call+0x5c/0x68
#
# Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
# Cc: stable@vger.kernel.org # v5.2+
# Signed-off-by: Michael Ellerman
# Link: https://lore.kernel.org/r/20200207122145.11928-1-mpe@ellerman.id.au
# < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/m68k-linux/bin/m68k-linux-gcc --version
# < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/m68k-linux/bin/m68k-linux-ld --version
# < git log --format=%s --max-count=1 8cb55a3daebd4b38330b706117e1c8203ffaf3f5
# < make -s -j 80 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/m68k-linux/bin/m68k-linux- defconfig
# make -s -j 80 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/m68k-linux/bin/m68k-linux-
In file included from /kisskb/src/arch/m68k/include/asm/amigayle.h:21,
from /kisskb/src/arch/m68k/include/asm/io_mm.h:59,
from /kisskb/src/arch/m68k/include/asm/io.h:8,
from /kisskb/src/include/linux/clocksource.h:21,
from /kisskb/src/arch/m68k/amiga/config.c:20:
/kisskb/src/arch/m68k/amiga/config.c: In function 'amiga_identify':
/kisskb/src/arch/m68k/include/asm/amigahw.h:42:50: warning: this statement may fall through [-Wimplicit-fallthrough=]
#define AMIGAHW_SET(name)
(amiga_hw_present.name = 1) ~~~~~~~~~~~~~~~~~~~~~~~^~~~ /kisskb/src/arch/m68k/amiga/config.c:223:3: note: in expansion of macro 'AMIGAHW_SET' AMIGAHW_SET(PCMCIA); ^~~~~~~~~~~ /kisskb/src/arch/m68k/amiga/config.c:224:2: note: here case AMI_500: ^~~~ /kisskb/src/arch/m68k/mvme147/config.c: In function 'mvme147_hwclk': /kisskb/src/arch/m68k/mvme147/config.c:175:2: warning: #warning check me! [-Wcpp] #warning check me! ^~~~~~~ /kisskb/src/arch/m68k/mvme16x/config.c: In function 'mvme16x_hwclk': /kisskb/src/arch/m68k/mvme16x/config.c:440:2: warning: #warning check me! [-Wcpp] #warning check me! ^~~~~~~ In file included from /kisskb/src/arch/m68k/include/asm/atomic.h:7, from /kisskb/src/include/linux/atomic.h:7, from /kisskb/src/include/linux/spinlock.h:445, from /kisskb/src/include/linux/mmzone.h:8, from /kisskb/src/include/linux/gfp.h:6, from /kisskb/src/include/linux/mm.h:10, from /kisskb/src/kernel/acct.c:47: /kisskb/src/kernel/acct.c: In function 'acct_pin_kill': /kisskb/src/arch/m68k/include/asm/cmpxchg.h:137:3: warning: value computed is not used [-Wunused-value] ((__typeof__(*(ptr)))__cmpxchg_local_generic((ptr), (unsigned long)(o),\ ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (unsigned long)(n), sizeof(*(ptr)))) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/include/asm-generic/cmpxchg.h:106:28: note: in expansion of macro 'cmpxchg_local' #define cmpxchg(ptr, o, n) cmpxchg_local((ptr), (o), (n)) ^~~~~~~~~~~~~ /kisskb/src/kernel/acct.c:177:2: note: in expansion of macro 'cmpxchg' cmpxchg(&acct->ns->bacct, pin, NULL); ^~~~~~~ In file included from /kisskb/src/arch/m68k/include/asm/atomic.h:7, from /kisskb/src/include/linux/atomic.h:7, from /kisskb/src/include/linux/spinlock.h:445, from /kisskb/src/include/linux/wait.h:9, from /kisskb/src/include/linux/wait_bit.h:8, from /kisskb/src/include/linux/fs.h:6, from /kisskb/src/fs/ocfs2/file.c:13: /kisskb/src/fs/ocfs2/file.c: In function 'ocfs2_file_write_iter': 
/kisskb/src/arch/m68k/include/asm/cmpxchg.h:79:22: warning: value computed is not used [-Wunused-value] #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/fs/ocfs2/file.c:2419:3: note: in expansion of macro 'xchg' xchg(&iocb->ki_complete, saved_ki_complete); ^~~~ In file included from /kisskb/src/arch/m68k/include/asm/atomic.h:7, from /kisskb/src/include/linux/atomic.h:7, from /kisskb/src/include/linux/spinlock.h:445, from /kisskb/src/include/linux/seqlock.h:36, from /kisskb/src/include/linux/time.h:6, from /kisskb/src/include/linux/stat.h:19, from /kisskb/src/include/linux/module.h:13, from /kisskb/src/net/core/filter.c:20: /kisskb/src/net/core/filter.c: In function 'bpf_clear_redirect_map': /kisskb/src/arch/m68k/include/asm/cmpxchg.h:137:3: warning: value computed is not used [-Wunused-value] ((__typeof__(*(ptr)))__cmpxchg_local_generic((ptr), (unsigned long)(o),\ ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (unsigned long)(n), sizeof(*(ptr)))) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/include/asm-generic/cmpxchg.h:106:28: note: in expansion of macro 'cmpxchg_local' #define cmpxchg(ptr, o, n) cmpxchg_local((ptr), (o), (n)) ^~~~~~~~~~~~~ /kisskb/src/net/core/filter.c:3516:4: note: in expansion of macro 'cmpxchg' cmpxchg(&ri->map, map, NULL); ^~~~~~~ In file included from /kisskb/src/drivers/net/ethernet/8390/xsurf100.c:48: /kisskb/src/drivers/net/ethernet/8390/lib8390.c:988:27: warning: '____alloc_ei_netdev' defined but not used [-Wunused-function] static struct net_device *____alloc_ei_netdev(int size) ^~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:950:13: warning: '__ei_set_multicast_list' defined but not used [-Wunused-function] static void __ei_set_multicast_list(struct net_device *dev) ^~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:850:33: warning: 
'__ei_get_stats' defined but not used [-Wunused-function] static struct net_device_stats *__ei_get_stats(struct net_device *dev) ^~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:509:13: warning: '__ei_poll' defined but not used [-Wunused-function] static void __ei_poll(struct net_device *dev) ^~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:300:20: warning: '__ei_start_xmit' defined but not used [-Wunused-function] static netdev_tx_t __ei_start_xmit(struct sk_buff *skb, ^~~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:254:13: warning: '__ei_tx_timeout' defined but not used [-Wunused-function] static void __ei_tx_timeout(struct net_device *dev, unsigned int txqueue) ^~~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:230:12: warning: '__ei_close' defined but not used [-Wunused-function] static int __ei_close(struct net_device *dev) ^~~~~~~~~~ /kisskb/src/drivers/net/ethernet/8390/lib8390.c:201:12: warning: '__ei_open' defined but not used [-Wunused-function] static int __ei_open(struct net_device *dev) ^~~~~~~~~ In file included from /kisskb/src/arch/m68k/include/asm/atomic.h:7, from /kisskb/src/include/linux/atomic.h:7, from /kisskb/src/include/linux/spinlock.h:445, from /kisskb/src/include/linux/mmzone.h:8, from /kisskb/src/include/linux/gfp.h:6, from /kisskb/src/include/linux/slab.h:15, from /kisskb/src/fs/posix_acl.c:15: /kisskb/src/fs/posix_acl.c: In function 'get_acl': /kisskb/src/arch/m68k/include/asm/cmpxchg.h:137:3: warning: value computed is not used [-Wunused-value] ((__typeof__(*(ptr)))__cmpxchg_local_generic((ptr), (unsigned long)(o),\ ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (unsigned long)(n), sizeof(*(ptr)))) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/include/asm-generic/cmpxchg.h:106:28: note: in expansion of macro 'cmpxchg_local' #define cmpxchg(ptr, o, n) cmpxchg_local((ptr), (o), (n)) ^~~~~~~~~~~~~ /kisskb/src/fs/posix_acl.c:148:3: note: in expansion of macro 
'cmpxchg' cmpxchg(p, sentinel, ACL_NOT_CACHED); ^~~~~~~ Completed OK # rm -rf /kisskb/build/powerpc-fixes_m68k-defconfig_m68k # Build took: 0:02:08.262398