Commit 0a62d527 authored Jun 13, 2016 by Mark Rutland Committed by Sami Tolvanen Nov 18, 2016

UPSTREAM: arm64: fix dump_instr when PAN and UAO are in use



If the kernel is set to show unhandled signals, and a user task does not
handle a SIGILL as a result of an instruction abort, we will attempt to
log the offending instruction with dump_instr before killing the task.

We use dump_instr to log the encoding of the offending userspace
instruction. However, dump_instr is also used to dump instructions from
kernel space, and internally always switches to KERNEL_DS before dumping
the instruction with get_user. When both PAN and UAO are in use, reading
a user instruction via get_user while in KERNEL_DS will result in a
permission fault, which leads to an Oops.

As we have regs corresponding to the context of the original instruction
abort, we can inspect this and only flip to KERNEL_DS if the original
abort was taken from the kernel, avoiding this issue. At the same time,
remove the redundant (and incorrect) comments regarding the order
dump_mem and dump_instr are called in.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: <stable@vger.kernel.org> #4.6+
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Vladimir Murzin <vladimir.murzin@arm.com>
Tested-by: Vladimir Murzin <vladimir.murzin@arm.com>
Fixes: 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override")
Signed-off-by: Will Deacon <will.deacon@arm.com>

Bug: 31432001
Change-Id: I3d8ce58ef76610492bbcf19e99398b8798c31802
(cherry picked from commit c5cea06be060f38e5400d796e61cfc8c36e52924)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

parent 3084f401

arch/arm64/kernel/traps.c

+13 −13

Original line number	Diff line number	Diff line
		@@ -60,8 +60,7 @@ static void dump_mem(const char lvl, const char str, unsigned long bottom,

		/*
		* We need to switch to kernel mode so that we can use __get_user
		* to safely read from kernel space. Note that we now dump the
		* code first, just in case the backtrace kills us.
		* to safely read from kernel space.
		*/
		fs = get_fs();
		set_fs(KERNEL_DS);
		@@ -98,21 +97,12 @@ static void dump_backtrace_entry(unsigned long where, unsigned long stack)
		stack + sizeof(struct pt_regs));
		}

		static void dump_instr(const char lvl, struct pt_regs regs)
		static void __dump_instr(const char lvl, struct pt_regs regs)
		{
		unsigned long addr = instruction_pointer(regs);
		mm_segment_t fs;
		char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
		int i;

		/*
		* We need to switch to kernel mode so that we can use __get_user
		* to safely read from kernel space. Note that we now dump the
		* code first, just in case the backtrace kills us.
		*/
		fs = get_fs();
		set_fs(KERNEL_DS);

		for (i = -4; i < 1; i++) {
		unsigned int val, bad;

		@@ -126,8 +116,18 @@ static void dump_instr(const char lvl, struct pt_regs regs)
		}
		}
		printk("%sCode: %s\n", lvl, str);
		}

		static void dump_instr(const char lvl, struct pt_regs regs)
		{
		if (!user_mode(regs)) {
		mm_segment_t fs = get_fs();
		set_fs(KERNEL_DS);
		__dump_instr(lvl, regs);
		set_fs(fs);
		} else {
		__dump_instr(lvl, regs);
		}
		}

		static void dump_backtrace(struct pt_regs regs, struct task_struct tsk)