Re: perf_fuzzer compiled for x32 causes reboot

From: Steven Rostedt
Date: Fri Feb 28 2014 - 11:29:57 EST

Next message: Vivek Goyal: "Re: [PATCH 08/11] kexec-bzImage: Support for loading bzImage using 64bit entry"
Previous message: Florian Vaussard: "[PATCH v2 2/2] checkpatch: fix spurious vendor compatible warnings"
In reply to: H. Peter Anvin: "Re: perf_fuzzer compiled for x32 causes reboot"
Next in thread: Steven Rostedt: "[PATCH] x86: Rename copy_from_user_nmi() to copy_from_user_trace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 28 Feb 2014 08:15:11 -0800
"H. Peter Anvin" <hpa@xxxxxxxxx> wrote:

> Well, I was talking about the assumption spelled out in the comment
> above copy_from_user_nmi() which pretty much states "cr2 is safe because
> cr2 is saved/restored in the NMI wrappers."

Yeah, it seems that the name "copy_from_user_nmi()" is a misnomer. As
it can be called outside of nmi context. Perhaps we should have a
copy_from_user_trace() that does the save and restore of the cr2.

As that's the only place that faults, it may be the best answer.

Arnaldo,

Can you test this patch and see if it fixes the bug for you too. Vince
already said it fixes it for him.

I'm attaching it below (it's from H. Peter).

Peter Z., as both Jiri's and my patch fixed the callers of the problem
area, and as we have been discussing, there may be more problem areas,
I'm thinking the best solution is to just use H. Peter's patch instead.
And then we should rename it to copy_from_user_trace().

-- Steve

diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
index ddf9ecb..938e45c 100644
--- a/arch/x86/lib/usercopy.c
+++ b/arch/x86/lib/usercopy.c
@@ -10,6 +10,8 @@
#include <asm/word-at-a-time.h>
#include <linux/sched.h>

+#include <asm/processor.h>
+
/*
* We rely on the nested NMI work to allow atomic faults from the NMI path; the
* nested NMI paths are careful to preserve CR2.
@@ -18,6 +20,7 @@ unsigned long
copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
{
unsigned long ret;
+ unsigned long cr2;

if (__range_not_ok(from, n, TASK_SIZE))
return 0;
@@ -27,9 +30,11 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
* disable pagefaults so that its behaviour is consistent even when
* called form other contexts.
*/
+ cr2 = read_cr2();
pagefault_disable();
ret = __copy_from_user_inatomic(to, from, n);
pagefault_enable();
+ write_cr2(cr2);

return ret;
}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vivek Goyal: "Re: [PATCH 08/11] kexec-bzImage: Support for loading bzImage using 64bit entry"
Previous message: Florian Vaussard: "[PATCH v2 2/2] checkpatch: fix spurious vendor compatible warnings"
In reply to: H. Peter Anvin: "Re: perf_fuzzer compiled for x32 causes reboot"
Next in thread: Steven Rostedt: "[PATCH] x86: Rename copy_from_user_nmi() to copy_from_user_trace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]