linux-uconsole/arch/arm/include/asm
Lexi Shao 3ceaa85c33 ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
commit df909df077 upstream.

ARM: kasan: Fix __get_user_check failure with kasan

In macro __get_user_check defined in arch/arm/include/asm/uaccess.h,
error code is stored in register int __e(r0). When kasan is
enabled, assigning value to kernel address might trigger kasan check,
which unexpectedly overwrites r0 and causes undefined behavior on arm
kasan images.

One example is failure in do_futex and results in process soft lockup.
Log:
watchdog: BUG: soft lockup - CPU#0 stuck for 62946ms! [rs:main
Q:Reg:1151]
...
(__asan_store4) from (futex_wait_setup+0xf8/0x2b4)
(futex_wait_setup) from (futex_wait+0x138/0x394)
(futex_wait) from (do_futex+0x164/0xe40)
(do_futex) from (sys_futex_time32+0x178/0x230)
(sys_futex_time32) from (ret_fast_syscall+0x0/0x50)

The soft lockup happens in function futex_wait_setup. The reason is
function get_futex_value_locked always returns EINVAL, thus pc jumps
back to retry label and causes looping.

This line in function get_futex_value_locked
	ret = __get_user(*dest, from);
is expanded to
	*dest = (typeof(*(p))) __r2; ,
in macro __get_user_check. Writing to pointer dest triggers kasan check
and overwrites the return value of __get_user_x function.
The assembly code of get_futex_value_locked in kernel/futex.c:
...
c01f6dc8:       eb0b020e        bl      c04b7608 <__get_user_4>
// "x = (typeof(*(p))) __r2;" triggers kasan check and r0 is overwritten
c01f6dcc:       e1a00007        mov     r0, r7
c01f6dd0:       e1a05002        mov     r5, r2
c01f6dd4:       eb04f1e6        bl      c0333574 <__asan_store4>
c01f6dd8:       e5875000        str     r5, [r7]
// save ret value of __get_user(*dest, from), which is dest address now
c01f6ddc:       e1a05000        mov     r5, r0
...
// checking return value of __get_user failed
c01f6e00:       e3550000        cmp     r5, #0
...
c01f6e0c:       01a00005        moveq   r0, r5
// assign return value to EINVAL
c01f6e10:       13e0000d        mvnne   r0, #13

Return value is the destination address of get_user thus certainly
non-zero, so get_futex_value_locked always returns EINVAL.

Fix it by using a tmp variable to store the error code before the
assignment. This fix has no effect on non-kasan images thanks to compiler
optimization. It only affects cases that overwrite r0 due to kasan check.

This should fix bug discussed in Link:
[1] https://lore.kernel.org/linux-arm-kernel/0ef7c2a5-5d8b-c5e0-63fa-31693fd4495c@gmail.com/

Fixes: 421015713b ("ARM: 9017/2: Enable KASan for ARM")
Signed-off-by: Lexi Shao <shaolexi@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-02 19:48:17 +01:00
..
hardware ARM: 8993/1: remove it8152 PCI controller driver 2020-07-21 16:33:41 +01:00
mach treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
vdso vdso/treewide: Add vdso_data pointer argument to __arch_get_hw_counter() 2020-08-06 10:57:30 +02:00
xen xen/arm: do not setup the runstate info page if kpti is enabled 2020-10-04 18:41:33 -05:00
arch_gicv3.h arm: Remove GICv3 vgic compatibility macros 2020-03-24 10:56:05 +00:00
arch_timer.h clocksource/drivers/arm_arch_timer: Extract elf_hwcap use to arch-helper 2019-06-25 19:49:18 +02:00
arm-cci.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 234 2019-06-19 17:09:07 +02:00
asm-offsets.h
assembler.h ARM: assembler: introduce adr_l, ldr_l and str_l macros 2021-03-17 17:06:26 +01:00
atomic.h locking/atomic: Move ATOMIC_INIT into linux/types.h 2020-07-29 16:14:18 +02:00
auxvec.h
barrier.h ARM: avoid Cortex-A9 livelock on tight dmb loops 2019-02-01 22:05:50 +00:00
bitops.h ARM: 8785/1: use compiler built-ins for ffs and fls 2018-07-30 11:45:53 +01:00
bitrev.h
bL_switcher.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
bug.h arm/asm: add loglvl to c_backtrace() 2020-06-09 09:39:10 -07:00
bugs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cache.h treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
cacheflush.h arm: rename flush_cache_user_range to flush_icache_user_range 2020-06-08 11:05:58 -07:00
cachetype.h
checksum.h arm: propagate the calling convention changes down to csum_partial_copy_from_user() 2020-08-20 15:45:16 -04:00
clocksource.h arm: Introduce asm/vdso/clocksource.h 2020-03-21 15:23:54 +01:00
cmpxchg.h
compiler.h
cp15.h arm: vdso: Enable arm to use common headers 2020-03-21 15:24:03 +01:00
cpu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cpufeature.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cpuidle.h ARM: cpuidle: Avoid orphan section warning 2021-06-16 12:01:44 +02:00
cputype.h Merge branches 'misc', 'sa1100-for-next' and 'spectre' into for-linus 2019-01-02 10:37:05 +00:00
cti.h
dcc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
delay.h
device.h arm: Remove dev->archdata.iommu pointer 2020-06-30 11:59:48 +02:00
div64.h
dma-direct.h ARM/omap1: switch to use dma_direct_set_offset for lbus DMA offsets 2020-09-25 06:15:32 +02:00
dma-iommu.h dma-mapping: move dma-debug.h to kernel/dma/ 2020-10-06 07:07:05 +02:00
dma-mapping.h dma-mapping: move dma-debug.h to kernel/dma/ 2020-10-06 07:07:05 +02:00
dma.h
dmi.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
domain.h ARM: 8908/1: add __always_inline to functions called from __get_user_check() 2019-10-10 22:23:19 +01:00
ecard.h
edac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
efi.h efi/libstub: arm32: Base FDT and initrd placement on image address 2020-09-16 18:53:42 +03:00
elf.h
entry-macro-multi.S
exception.h
fb.h
fiq.h
firmware.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
fixmap.h ARM: 9012/1: move device tree mapping out of linear region 2021-05-19 10:13:18 +02:00
floppy.h floppy: split the base port from the register in I/O accesses 2020-05-12 19:34:52 +03:00
fncpy.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
fpstate.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ftrace.h ARM: 9079/1: ftrace: Add MODULE_PLTS support 2021-09-26 14:08:56 +02:00
futex.h ARM: futex: Address build warning 2020-05-07 00:41:47 +02:00
glue-cache.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
glue-df.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
glue-pf.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
glue-proc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
glue.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
gpio.h
hardirq.h ARM: Remove custom IRQ stat accounting 2020-09-17 16:37:28 +01:00
highmem.h kmap: consolidate kmap_prot definitions 2020-06-04 19:06:22 -07:00
hugetlb-3level.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
hugetlb.h mm/hugetlb: define a generic fallback for arch_clear_hugepage_flags() 2020-06-03 20:09:46 -07:00
hw_breakpoint.h ARM: 8927/1: ARM/hw_breakpoint: add more ARMv8 debug architecture versions support 2019-11-15 22:21:08 +00:00
hw_irq.h
hwcap.h
hypervisor.h
ide.h
idmap.h treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
insn.h ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link() 2021-09-26 14:08:56 +02:00
io.h remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
irq.h ARM: 8824/1: fix a migrating irq bug when hotplug cpu 2019-02-01 21:54:49 +00:00
irq_work.h
irqflags.h
jump_label.h
Kbuild local64.h: make <asm/local64.h> mandatory 2021-01-12 20:18:16 +01:00
kexec-internal.h ARM: kexec: fix oops after TLB are invalidated 2021-02-17 11:02:24 +01:00
kexec.h
kgdb.h
kmap_types.h
kprobes.h ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe template 2020-10-27 12:11:51 +00:00
krait-l2-accessors.h ARM: Add Krait L2 register accessor functions 2018-10-17 13:14:33 -07:00
linkage.h
mc146818rtc.h
mcpm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mcs_spinlock.h
memblock.h
memory.h ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address 2021-05-19 10:13:18 +02:00
mmu.h
mmu_context.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
module.h ARM: 9079/1: ftrace: Add MODULE_PLTS support 2021-09-26 14:08:56 +02:00
module.lds.h kbuild: preprocess module linker script 2020-09-25 00:36:41 +09:00
mpu.h
mtd-xip.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
neon.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nwflash.h misc: move FLASH_MINOR into miscdevice.h and fix conflicts 2020-03-18 12:27:04 +01:00
opcodes-sec.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
opcodes-virt.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
opcodes.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
outercache.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
page-nommu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
page.h mm/vma: define a default value for VM_DATA_DEFAULT_FLAGS 2020-04-10 15:36:21 -07:00
paravirt.h x86/paravirt: Use a single ops structure 2018-09-03 16:50:35 +02:00
patch.h
pci.h ARM: 8911/1: move pcibios_report_status to <asm/pci.h> 2019-10-27 21:14:40 +00:00
percpu.h ARM: percpu.h: fix build error 2020-07-30 13:01:04 -07:00
perf_event.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pgalloc.h asm-generic: pgalloc: provide generic pgd_free() 2020-08-07 11:33:26 -07:00
pgtable-2level-hwdef.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pgtable-2level-types.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pgtable-2level.h arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed 2020-11-16 16:57:18 +01:00
pgtable-3level-hwdef.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pgtable-3level-types.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pgtable-3level.h arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed 2020-11-16 16:57:18 +01:00
pgtable-hwdef.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pgtable-nommu.h mm: consolidate pte_index() and pte_offset_*() definitions 2020-06-09 09:39:14 -07:00
pgtable.h mm: consolidate pte_index() and pte_offset_*() definitions 2020-06-09 09:39:14 -07:00
probes.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
proc-fns.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
processor.h arm: vdso: Enable arm to use common headers 2020-03-21 15:24:03 +01:00
procinfo.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
prom.h ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address 2021-05-19 10:13:18 +02:00
psci.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
ptdump.h arm: dump: no need to check return value of debugfs_create functions 2019-06-03 15:49:07 +02:00
ptrace.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
sections.h arm: Remove HYP/Stage-2 page-table support 2020-03-24 10:56:05 +00:00
secure_cntvoff.h
set_memory.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
setup.h treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
shmparam.h
signal.h
smp.h treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
smp_plat.h
smp_scu.h
smp_twd.h ARM: 8822/1: smp_twd: Remove legacy TWD registration 2019-02-01 21:44:10 +00:00
sparsemem.h
spinlock.h ARM: 8829/1: spinlock: use unified assembler language syntax 2019-02-01 21:44:15 +00:00
spinlock_types.h
stackprotector.h ARM: smp: add support for per-task stack canaries 2018-12-12 13:20:07 -08:00
stacktrace.h
string.h
suspend.h ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used 2019-02-26 11:32:54 +00:00
swab.h
switch_to.h sched/rt, ARM: Use CONFIG_PREEMPTION 2019-12-08 14:37:32 +01:00
sync_bitops.h
syscall.h audit/stable-5.2 PR 20190507 2019-05-07 19:06:04 -07:00
system_info.h
system_misc.h KVM: arm/arm64: Add kvm_ras.h to collect kvm specific RAS plumbing 2019-02-07 23:10:45 +01:00
tcm.h treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
therm.h
thread_info.h arm: Break cyclic percpu include 2020-07-10 12:00:02 +02:00
thread_notify.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
timex.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
tlb.h mm: account PMD tables like PTE tables 2020-10-13 18:38:31 -07:00
tlbflush.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
tls.h
topology.h arm: disable frequency invariance for CONFIG_BL_SWITCHER 2020-10-08 17:17:27 +02:00
traps.h arm/asm: add loglvl to c_backtrace() 2020-06-09 09:39:10 -07:00
uaccess-asm.h ARM: uaccess: fix DACR mismatch with nested exceptions 2020-05-03 17:30:27 +01:00
uaccess.h ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images 2021-11-02 19:48:17 +01:00
ucontext.h
unaligned.h
unified.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
unistd.h clone3-v5.3 2019-07-11 10:09:44 -07:00
unwind.h arm: add loglvl to unwind_backtrace() 2020-06-09 09:39:10 -07:00
uprobes.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
user.h
v7m.h ARM: 8830/1: NOMMU: Toggle only bits in EXC_RETURN we are really care of 2019-02-01 21:44:19 +00:00
vdso.h
vdso_datapage.h ARM: 8930/1: Add support for generic vDSO 2019-11-15 22:21:12 +00:00
vermagic.h arch: split MODULE_ARCH_VERMAGIC definitions out to <asm/vermagic.h> 2020-04-23 10:50:26 +09:00
vfp.h ARM: 8991/1: use VFP assembler mnemonics if available 2020-07-21 16:33:39 +01:00
vfpmacros.h ARM: 8991/1: use VFP assembler mnemonics if available 2020-07-21 16:33:39 +01:00
vga.h
virt.h arm: Remove the ability to set HYP vectors outside of the decompressor 2020-03-24 10:56:05 +00:00
vmalloc.h mm/vmalloc: Add empty <asm/vmalloc.h> headers and use them from <linux/vmalloc.h> 2019-12-10 10:12:55 +01:00
vmlinux.lds.h arm/build: Assert for unwanted sections 2020-09-01 10:03:18 +02:00
word-at-a-time.h
xor.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00