ARM: fix uaccess_with_memcpy() with SW_DOMAIN_PAN

The uaccess_with_memcpy() code is currently incompatible with the SW PAN code: it takes locks within the region that we've changed the DACR, potentially sleeping as a result. As we do not save and restore the DACR across co-operative sleep events, can lead to an incorrect DACR value later in this code path. Reported-by: Peter Rosin <peda@axentia.se> Tested-by: Peter Rosin <peda@axentia.se> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
author: Russell King <rmk+kernel@arm.linux.org.uk> 2015-12-05 08:42:07 -0500
committer: Russell King <rmk+kernel@arm.linux.org.uk> 2015-12-15 06:51:02 -0500
commit: c014953d84ec21a4df9a43be2378861ea6e9246e (patch)
tree: 72af8d8752c59bc9c59c96c70616a911f4a107a1 /arch/arm/lib
parent: 77f1b959b0b6db7a7941b4b4f9d3d287c67d7c15 (diff)
1 files changed, 23 insertions, 6 deletions
diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
index d72b90905132..588bbc288396 100644
--- a/arch/arm/lib/uaccess_with_memcpy.c
+++ b/arch/arm/lib/uaccess_with_memcpy.c
@@ -88,6 +88,7 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
 static unsigned long noinline
 __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
 {
+        unsigned long ua_flags;
        int atomic;
        if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
@@ -118,7 +119,9 @@ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
                if (tocopy > n)
                        tocopy = n;
+                ua_flags = uaccess_save_and_enable();
                memcpy((void *)to, from, tocopy);
+                uaccess_restore(ua_flags);
                to += tocopy;
                from += tocopy;
                n -= tocopy;
@@ -145,14 +148,21 @@ arm_copy_to_user(void __user *to, const void *from, unsigned long n)
         * With frame pointer disabled, tail call optimization kicks in
         * as well making this test almost invisible.
         */
-        if (n < 64)
+        if (n < 64) {
-                return __copy_to_user_std(to, from, n);
+                unsigned long ua_flags = uaccess_save_and_enable();
-        return __copy_to_user_memcpy(to, from, n);
+                n = __copy_to_user_std(to, from, n);
+                uaccess_restore(ua_flags);
+        } else {
+                n = __copy_to_user_memcpy(to, from, n);
+        }
+        return n;
 }
        
 static unsigned long noinline
 __clear_user_memset(void __user *addr, unsigned long n)
 {
+        unsigned long ua_flags;
        if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
                memset((void *)addr, 0, n);
                return 0;
@@ -175,7 +185,9 @@ __clear_user_memset(void __user *addr, unsigned long n)
                if (tocopy > n)
                        tocopy = n;
+                ua_flags = uaccess_save_and_enable();
                memset((void *)addr, 0, tocopy);
+                uaccess_restore(ua_flags);
                addr += tocopy;
                n -= tocopy;
@@ -193,9 +205,14 @@ out:
 unsigned long arm_clear_user(void __user *addr, unsigned long n)
 {
        /* See rational for this in __copy_to_user() above. */
-        if (n < 64)
+        if (n < 64) {
-                return __clear_user_std(addr, n);
+                unsigned long ua_flags = uaccess_save_and_enable();
-        return __clear_user_memset(addr, n);
+                n = __clear_user_std(addr, n);
+                uaccess_restore(ua_flags);
+        } else {
+                n = __clear_user_memset(addr, n);
+        }
+        return n;
 }
 #if 0
author	Russell King <rmk+kernel@arm.linux.org.uk>	2015-12-05 08:42:07 -0500
committer	Russell King <rmk+kernel@arm.linux.org.uk>	2015-12-15 06:51:02 -0500
commit	c014953d84ec21a4df9a43be2378861ea6e9246e (patch)
tree	72af8d8752c59bc9c59c96c70616a911f4a107a1 /arch/arm/lib
parent	77f1b959b0b6db7a7941b4b4f9d3d287c67d7c15 (diff)