diff options
author | Vineet Gupta <vgupta@synopsys.com> | 2013-05-21 05:55:11 -0400 |
---|---|---|
committer | Vineet Gupta <vgupta@synopsys.com> | 2013-05-23 01:03:03 -0400 |
commit | a950549c675f2c8c504469dec7d780da8a6433dc (patch) | |
tree | 3716b540cedadd65c8ad2508ec3927386cddee42 /arch/arc/mm | |
parent | f538881cc672c1b049aa0a34a792d0953fcecba5 (diff) |
ARC: copy_(to|from)_user() to honor usermode-access permissions
This manifested as grep failing psuedo-randomly:
-------------->8---------------------
[ARCLinux]$ ip address show lo | grep inet
[ARCLinux]$ ip address show lo | grep inet
[ARCLinux]$ ip address show lo | grep inet
[ARCLinux]$
[ARCLinux]$ ip address show lo | grep inet
inet 127.0.0.1/8 scope host lo
-------------->8---------------------
ARC700 MMU provides fully orthogonal permission bits per page:
Ur, Uw, Ux, Kr, Kw, Kx
The user mode page permission templates used to have all Kernel mode
access bits enabled.
This caused a tricky race condition observed with uClibc buffered file
read and UNIX pipes.
1. Read access to an anon mapped page in libc .bss: write-protected
zero_page mapped: TLB Entry installed with Ur + K[rwx]
2. grep calls libc:getc() -> buffered read layer calls read(2) with the
internal read buffer in same .bss page.
The read() call is on STDIN which has been redirected to a pipe.
read(2) => sys_read() => pipe_read() => copy_to_user()
3. Since page has Kernel-write permission (despite being user-mode
write-protected), copy_to_user() suceeds w/o taking a MMU TLB-Miss
Exception (page-fault for ARC). core-MM is unaware that kernel
erroneously wrote to the reserved read-only zero-page (BUG #1)
4. Control returns to userspace which now does a write to same .bss page
Since Linux MM is not aware that page has been modified by kernel, it
simply reassigns a new writable zero-init page to mapping, loosing the
prior write by kernel - effectively zero'ing out the libc read buffer
under the hood - hence grep doesn't see right data (BUG #2)
The fix is to make all kernel-mode access permissions mirror the
user-mode ones. Note that the kernel still has full access to pages,
when accessed directly (w/o MMU) - this fix ensures that kernel-mode
access in copy_to_from() path uses the same faulting access model as for
pure user accesses to keep MM fully aware of page state.
The issue is peudo-random because it only shows up if the TLB entry
installed in #1 is present at the time of #3. If it is evicted out, due
to TLB pressure or some-such, then copy_to_user() does take a TLB Miss
Exception, with a routine write-to-anon COW processing installing a
fresh page for kernel writes and also usable as it is in userspace.
Further the issue was dormant for so long as it depends on where the
libc internal read buffer (in .bss) is mapped at runtime.
If it happens to reside in file-backed data mapping of libc (in the
page-aligned slack space trailing the file backed data), loader zero
padding the slack space, does the early cow page replacement, setting
things up at the very beginning itself.
With gcc 4.8 based builds, the libc buffer got pushed out to a real
anon mapping which triggers the issue.
Reported-by: Anton Kolesov <akolesov@synopsys.com>
Cc: <stable@vger.kernel.org> # 3.9
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Diffstat (limited to 'arch/arc/mm')
-rw-r--r-- | arch/arc/mm/tlbex.S | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S index 9df765dc7c3a..3357d26ffe54 100644 --- a/arch/arc/mm/tlbex.S +++ b/arch/arc/mm/tlbex.S | |||
@@ -277,7 +277,7 @@ ARC_ENTRY EV_TLBMissI | |||
277 | ;---------------------------------------------------------------- | 277 | ;---------------------------------------------------------------- |
278 | ; VERIFY_PTE: Check if PTE permissions approp for executing code | 278 | ; VERIFY_PTE: Check if PTE permissions approp for executing code |
279 | cmp_s r2, VMALLOC_START | 279 | cmp_s r2, VMALLOC_START |
280 | mov.lo r2, (_PAGE_PRESENT | _PAGE_READ | _PAGE_EXECUTE) | 280 | mov.lo r2, (_PAGE_PRESENT | _PAGE_U_READ | _PAGE_U_EXECUTE) |
281 | mov.hs r2, (_PAGE_PRESENT | _PAGE_K_READ | _PAGE_K_EXECUTE) | 281 | mov.hs r2, (_PAGE_PRESENT | _PAGE_K_READ | _PAGE_K_EXECUTE) |
282 | 282 | ||
283 | and r3, r0, r2 ; Mask out NON Flag bits from PTE | 283 | and r3, r0, r2 ; Mask out NON Flag bits from PTE |
@@ -320,9 +320,9 @@ ARC_ENTRY EV_TLBMissD | |||
320 | mov_s r2, 0 | 320 | mov_s r2, 0 |
321 | lr r3, [ecr] | 321 | lr r3, [ecr] |
322 | btst_s r3, ECR_C_BIT_DTLB_LD_MISS ; Read Access | 322 | btst_s r3, ECR_C_BIT_DTLB_LD_MISS ; Read Access |
323 | or.nz r2, r2, _PAGE_READ ; chk for Read flag in PTE | 323 | or.nz r2, r2, _PAGE_U_READ ; chk for Read flag in PTE |
324 | btst_s r3, ECR_C_BIT_DTLB_ST_MISS ; Write Access | 324 | btst_s r3, ECR_C_BIT_DTLB_ST_MISS ; Write Access |
325 | or.nz r2, r2, _PAGE_WRITE ; chk for Write flag in PTE | 325 | or.nz r2, r2, _PAGE_U_WRITE ; chk for Write flag in PTE |
326 | ; Above laddering takes care of XCHG access | 326 | ; Above laddering takes care of XCHG access |
327 | ; which is both Read and Write | 327 | ; which is both Read and Write |
328 | 328 | ||