2019-04-18 00:51:24 -06:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
#ifndef _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H
|
|
|
|
#define _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H
|
|
|
|
|
|
|
|
#include <linux/const.h>
|
|
|
|
|
|
|
|
#define AMR_KUAP_BLOCK_READ UL(0x4000000000000000)
|
|
|
|
#define AMR_KUAP_BLOCK_WRITE UL(0x8000000000000000)
|
|
|
|
#define AMR_KUAP_BLOCKED (AMR_KUAP_BLOCK_READ | AMR_KUAP_BLOCK_WRITE)
|
|
|
|
#define AMR_KUAP_SHIFT 62
|
|
|
|
|
|
|
|
#ifdef __ASSEMBLY__
|
|
|
|
|
|
|
|
#ifdef CONFIG_PPC_KUAP
|
2020-11-19 16:35:15 -07:00
|
|
|
.macro kuap_restore_amr gpr
|
2019-04-18 00:51:24 -06:00
|
|
|
BEGIN_MMU_FTR_SECTION_NESTED(67)
|
|
|
|
ld \gpr, STACK_REGS_KUAP(r1)
|
|
|
|
mtspr SPRN_AMR, \gpr
|
|
|
|
END_MMU_FTR_SECTION_NESTED_IFSET(MMU_FTR_RADIX_KUAP, 67)
|
|
|
|
.endm
|
|
|
|
|
|
|
|
.macro kuap_check_amr gpr1, gpr2
|
|
|
|
#ifdef CONFIG_PPC_KUAP_DEBUG
|
|
|
|
BEGIN_MMU_FTR_SECTION_NESTED(67)
|
|
|
|
mfspr \gpr1, SPRN_AMR
|
|
|
|
li \gpr2, (AMR_KUAP_BLOCKED >> AMR_KUAP_SHIFT)
|
|
|
|
sldi \gpr2, \gpr2, AMR_KUAP_SHIFT
|
|
|
|
999: tdne \gpr1, \gpr2
|
|
|
|
EMIT_BUG_ENTRY 999b, __FILE__, __LINE__, (BUGFLAG_WARNING | BUGFLAG_ONCE)
|
|
|
|
END_MMU_FTR_SECTION_NESTED_IFSET(MMU_FTR_RADIX_KUAP, 67)
|
|
|
|
#endif
|
|
|
|
.endm
|
2020-11-19 16:35:15 -07:00
|
|
|
#endif
|
2019-04-18 00:51:24 -06:00
|
|
|
|
|
|
|
.macro kuap_save_amr_and_lock gpr1, gpr2, use_cr, msr_pr_cr
|
|
|
|
#ifdef CONFIG_PPC_KUAP
|
|
|
|
BEGIN_MMU_FTR_SECTION_NESTED(67)
|
|
|
|
.ifnb \msr_pr_cr
|
|
|
|
bne \msr_pr_cr, 99f
|
|
|
|
.endif
|
|
|
|
mfspr \gpr1, SPRN_AMR
|
|
|
|
std \gpr1, STACK_REGS_KUAP(r1)
|
|
|
|
li \gpr2, (AMR_KUAP_BLOCKED >> AMR_KUAP_SHIFT)
|
|
|
|
sldi \gpr2, \gpr2, AMR_KUAP_SHIFT
|
|
|
|
cmpd \use_cr, \gpr1, \gpr2
|
|
|
|
beq \use_cr, 99f
|
|
|
|
// We don't isync here because we very recently entered via rfid
|
|
|
|
mtspr SPRN_AMR, \gpr2
|
|
|
|
isync
|
|
|
|
99:
|
|
|
|
END_MMU_FTR_SECTION_NESTED_IFSET(MMU_FTR_RADIX_KUAP, 67)
|
|
|
|
#endif
|
|
|
|
.endm
|
|
|
|
|
|
|
|
#else /* !__ASSEMBLY__ */
|
|
|
|
|
2020-11-23 00:40:16 -07:00
|
|
|
#include <linux/jump_label.h>
|
|
|
|
|
2020-11-19 16:35:14 -07:00
|
|
|
DECLARE_STATIC_KEY_FALSE(uaccess_flush_key);
|
|
|
|
|
2019-04-18 00:51:24 -06:00
|
|
|
#ifdef CONFIG_PPC_KUAP
|
|
|
|
|
|
|
|
#include <asm/reg.h>
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We support individually allowing read or write, but we don't support nesting
|
|
|
|
* because that would require an expensive read/modify write of the AMR.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline void set_kuap(unsigned long value)
|
|
|
|
{
|
powerpc/64s: Use early_mmu_has_feature() in set_kuap()
When implementing the KUAP support on Radix we fixed one case where
mmu_has_feature() was being called too early in boot via
__put_user_size().
However since then some new code in linux-next has created a new path
via which we can end up calling mmu_has_feature() too early.
On P9 this leads to crashes early in boot if we have both PPC_KUAP and
CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG enabled. Our early boot code
calls printk() which calls probe_kernel_read(), that does a
__copy_from_user_inatomic() which calls into set_kuap() and that uses
mmu_has_feature().
At that point in boot we haven't patched MMU features yet so the debug
code in mmu_has_feature() complains, and calls printk(). At that point
we recurse, eg:
...
dump_stack+0xdc
probe_kernel_read+0x1a4
check_pointer+0x58
...
printk+0x40
dump_stack_print_info+0xbc
dump_stack+0x8
probe_kernel_read+0x1a4
probe_kernel_read+0x19c
check_pointer+0x58
...
printk+0x40
cpufeatures_process_feature+0xc8
scan_cpufeatures_subnodes+0x380
of_scan_flat_dt_subnodes+0xb4
dt_cpu_ftrs_scan_callback+0x158
of_scan_flat_dt+0xf0
dt_cpu_ftrs_scan+0x3c
early_init_devtree+0x360
early_setup+0x9c
And so on for infinity, symptom is a dead system.
Even more fun is what happens when using the hash MMU (ie. p8 or p9
with Radix disabled), and when we don't have
CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG enabled. With the debug disabled
we don't check if static keys have been initialised, we just rely on
the jump label. But the jump label defaults to true so we just whack
the AMR even though Radix is not enabled.
Clearing the AMR is fine, but after we've done the user copy we write
(0b11 << 62) into AMR. When using hash that makes all pages with key
zero no longer readable or writable. All kernel pages implicitly have
key zero, and so all of a sudden the kernel can't read or write any of
its memory. Again dead system.
In the medium term we have several options for fixing this.
probe_kernel_read() doesn't need to touch AMR at all, it's not doing a
user access after all, but it uses __copy_from_user_inatomic() just
because it's easy, we could fix that.
It would also be safe to default to not writing to the AMR during
early boot, until we've detected features. But it's not clear that
flipping all the MMU features to static_key_false won't introduce
other bugs.
But for now just switch to early_mmu_has_feature() in set_kuap(), that
avoids all the problems with jump labels. It adds the overhead of a
global lookup and test, but that's probably trivial compared to the
writes to the AMR anyway.
Fixes: 890274c2dc4c ("powerpc/64s: Implement KUAP for Radix MMU")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Russell Currey <ruscur@russell.cc>
2019-05-07 21:06:42 -06:00
|
|
|
if (!early_mmu_has_feature(MMU_FTR_RADIX_KUAP))
|
2019-04-18 00:51:24 -06:00
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ISA v3.0B says we need a CSI (Context Synchronising Instruction) both
|
|
|
|
* before and after the move to AMR. See table 6 on page 1134.
|
|
|
|
*/
|
|
|
|
isync();
|
|
|
|
mtspr(SPRN_AMR, value);
|
|
|
|
isync();
|
|
|
|
}
|
|
|
|
|
2020-11-19 16:35:14 -07:00
|
|
|
static inline bool
|
|
|
|
bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
|
|
|
|
{
|
|
|
|
return WARN(mmu_has_feature(MMU_FTR_RADIX_KUAP) &&
|
|
|
|
(regs->kuap & (is_write ? AMR_KUAP_BLOCK_WRITE : AMR_KUAP_BLOCK_READ)),
|
|
|
|
"Bug: %s fault blocked by AMR!", is_write ? "Write" : "Read");
|
|
|
|
}
|
|
|
|
#else /* CONFIG_PPC_KUAP */
|
2020-11-19 16:35:15 -07:00
|
|
|
static inline void kuap_restore_amr(struct pt_regs *regs, unsigned long amr) { }
|
2020-11-19 16:35:14 -07:00
|
|
|
static inline void set_kuap(unsigned long value) { }
|
|
|
|
#endif /* !CONFIG_PPC_KUAP */
|
|
|
|
|
powerpc/kuap: Fix set direction in allow/prevent_user_access()
[ Upstream commit 1d8f739b07bd538f272f60bf53f10e7e6248d295 ]
__builtin_constant_p() always return 0 for pointers, so on RADIX
we always end up opening both direction (by writing 0 in SPR29):
0000000000000170 <._copy_to_user>:
...
1b0: 4c 00 01 2c isync
1b4: 39 20 00 00 li r9,0
1b8: 7d 3d 03 a6 mtspr 29,r9
1bc: 4c 00 01 2c isync
1c0: 48 00 00 01 bl 1c0 <._copy_to_user+0x50>
1c0: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000220 <._copy_from_user>:
...
2ac: 4c 00 01 2c isync
2b0: 39 20 00 00 li r9,0
2b4: 7d 3d 03 a6 mtspr 29,r9
2b8: 4c 00 01 2c isync
2bc: 7f c5 f3 78 mr r5,r30
2c0: 7f 83 e3 78 mr r3,r28
2c4: 48 00 00 01 bl 2c4 <._copy_from_user+0xa4>
2c4: R_PPC64_REL24 .__copy_tofrom_user
...
Use an explicit parameter for direction selection, so that GCC
is able to see it is a constant:
00000000000001b0 <._copy_to_user>:
...
1f0: 4c 00 01 2c isync
1f4: 3d 20 40 00 lis r9,16384
1f8: 79 29 07 c6 rldicr r9,r9,32,31
1fc: 7d 3d 03 a6 mtspr 29,r9
200: 4c 00 01 2c isync
204: 48 00 00 01 bl 204 <._copy_to_user+0x54>
204: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000260 <._copy_from_user>:
...
2ec: 4c 00 01 2c isync
2f0: 39 20 ff ff li r9,-1
2f4: 79 29 00 04 rldicr r9,r9,0,0
2f8: 7d 3d 03 a6 mtspr 29,r9
2fc: 4c 00 01 2c isync
300: 7f c5 f3 78 mr r5,r30
304: 7f 83 e3 78 mr r3,r28
308: 48 00 00 01 bl 308 <._copy_from_user+0xa8>
308: R_PPC64_REL24 .__copy_tofrom_user
...
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
[mpe: Spell out the directions, s/KUAP_R/KUAP_READ/ etc.]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/f4e88ec4941d5facb35ce75026b0112f980086c3.1579866752.git.christophe.leroy@c-s.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-24 04:54:41 -07:00
|
|
|
static __always_inline void allow_user_access(void __user *to, const void __user *from,
|
|
|
|
unsigned long size, unsigned long dir)
|
2019-04-18 00:51:24 -06:00
|
|
|
{
|
|
|
|
// This is written so we can resolve to a single case at build time
|
powerpc/kuap: Fix set direction in allow/prevent_user_access()
[ Upstream commit 1d8f739b07bd538f272f60bf53f10e7e6248d295 ]
__builtin_constant_p() always return 0 for pointers, so on RADIX
we always end up opening both direction (by writing 0 in SPR29):
0000000000000170 <._copy_to_user>:
...
1b0: 4c 00 01 2c isync
1b4: 39 20 00 00 li r9,0
1b8: 7d 3d 03 a6 mtspr 29,r9
1bc: 4c 00 01 2c isync
1c0: 48 00 00 01 bl 1c0 <._copy_to_user+0x50>
1c0: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000220 <._copy_from_user>:
...
2ac: 4c 00 01 2c isync
2b0: 39 20 00 00 li r9,0
2b4: 7d 3d 03 a6 mtspr 29,r9
2b8: 4c 00 01 2c isync
2bc: 7f c5 f3 78 mr r5,r30
2c0: 7f 83 e3 78 mr r3,r28
2c4: 48 00 00 01 bl 2c4 <._copy_from_user+0xa4>
2c4: R_PPC64_REL24 .__copy_tofrom_user
...
Use an explicit parameter for direction selection, so that GCC
is able to see it is a constant:
00000000000001b0 <._copy_to_user>:
...
1f0: 4c 00 01 2c isync
1f4: 3d 20 40 00 lis r9,16384
1f8: 79 29 07 c6 rldicr r9,r9,32,31
1fc: 7d 3d 03 a6 mtspr 29,r9
200: 4c 00 01 2c isync
204: 48 00 00 01 bl 204 <._copy_to_user+0x54>
204: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000260 <._copy_from_user>:
...
2ec: 4c 00 01 2c isync
2f0: 39 20 ff ff li r9,-1
2f4: 79 29 00 04 rldicr r9,r9,0,0
2f8: 7d 3d 03 a6 mtspr 29,r9
2fc: 4c 00 01 2c isync
300: 7f c5 f3 78 mr r5,r30
304: 7f 83 e3 78 mr r3,r28
308: 48 00 00 01 bl 308 <._copy_from_user+0xa8>
308: R_PPC64_REL24 .__copy_tofrom_user
...
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
[mpe: Spell out the directions, s/KUAP_R/KUAP_READ/ etc.]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/f4e88ec4941d5facb35ce75026b0112f980086c3.1579866752.git.christophe.leroy@c-s.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-24 04:54:41 -07:00
|
|
|
BUILD_BUG_ON(!__builtin_constant_p(dir));
|
|
|
|
if (dir == KUAP_READ)
|
2019-04-18 00:51:24 -06:00
|
|
|
set_kuap(AMR_KUAP_BLOCK_WRITE);
|
powerpc/kuap: Fix set direction in allow/prevent_user_access()
[ Upstream commit 1d8f739b07bd538f272f60bf53f10e7e6248d295 ]
__builtin_constant_p() always return 0 for pointers, so on RADIX
we always end up opening both direction (by writing 0 in SPR29):
0000000000000170 <._copy_to_user>:
...
1b0: 4c 00 01 2c isync
1b4: 39 20 00 00 li r9,0
1b8: 7d 3d 03 a6 mtspr 29,r9
1bc: 4c 00 01 2c isync
1c0: 48 00 00 01 bl 1c0 <._copy_to_user+0x50>
1c0: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000220 <._copy_from_user>:
...
2ac: 4c 00 01 2c isync
2b0: 39 20 00 00 li r9,0
2b4: 7d 3d 03 a6 mtspr 29,r9
2b8: 4c 00 01 2c isync
2bc: 7f c5 f3 78 mr r5,r30
2c0: 7f 83 e3 78 mr r3,r28
2c4: 48 00 00 01 bl 2c4 <._copy_from_user+0xa4>
2c4: R_PPC64_REL24 .__copy_tofrom_user
...
Use an explicit parameter for direction selection, so that GCC
is able to see it is a constant:
00000000000001b0 <._copy_to_user>:
...
1f0: 4c 00 01 2c isync
1f4: 3d 20 40 00 lis r9,16384
1f8: 79 29 07 c6 rldicr r9,r9,32,31
1fc: 7d 3d 03 a6 mtspr 29,r9
200: 4c 00 01 2c isync
204: 48 00 00 01 bl 204 <._copy_to_user+0x54>
204: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000260 <._copy_from_user>:
...
2ec: 4c 00 01 2c isync
2f0: 39 20 ff ff li r9,-1
2f4: 79 29 00 04 rldicr r9,r9,0,0
2f8: 7d 3d 03 a6 mtspr 29,r9
2fc: 4c 00 01 2c isync
300: 7f c5 f3 78 mr r5,r30
304: 7f 83 e3 78 mr r3,r28
308: 48 00 00 01 bl 308 <._copy_from_user+0xa8>
308: R_PPC64_REL24 .__copy_tofrom_user
...
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
[mpe: Spell out the directions, s/KUAP_R/KUAP_READ/ etc.]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/f4e88ec4941d5facb35ce75026b0112f980086c3.1579866752.git.christophe.leroy@c-s.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-24 04:54:41 -07:00
|
|
|
else if (dir == KUAP_WRITE)
|
2019-04-18 00:51:24 -06:00
|
|
|
set_kuap(AMR_KUAP_BLOCK_READ);
|
|
|
|
else
|
|
|
|
set_kuap(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void prevent_user_access(void __user *to, const void __user *from,
|
powerpc/kuap: Fix set direction in allow/prevent_user_access()
[ Upstream commit 1d8f739b07bd538f272f60bf53f10e7e6248d295 ]
__builtin_constant_p() always return 0 for pointers, so on RADIX
we always end up opening both direction (by writing 0 in SPR29):
0000000000000170 <._copy_to_user>:
...
1b0: 4c 00 01 2c isync
1b4: 39 20 00 00 li r9,0
1b8: 7d 3d 03 a6 mtspr 29,r9
1bc: 4c 00 01 2c isync
1c0: 48 00 00 01 bl 1c0 <._copy_to_user+0x50>
1c0: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000220 <._copy_from_user>:
...
2ac: 4c 00 01 2c isync
2b0: 39 20 00 00 li r9,0
2b4: 7d 3d 03 a6 mtspr 29,r9
2b8: 4c 00 01 2c isync
2bc: 7f c5 f3 78 mr r5,r30
2c0: 7f 83 e3 78 mr r3,r28
2c4: 48 00 00 01 bl 2c4 <._copy_from_user+0xa4>
2c4: R_PPC64_REL24 .__copy_tofrom_user
...
Use an explicit parameter for direction selection, so that GCC
is able to see it is a constant:
00000000000001b0 <._copy_to_user>:
...
1f0: 4c 00 01 2c isync
1f4: 3d 20 40 00 lis r9,16384
1f8: 79 29 07 c6 rldicr r9,r9,32,31
1fc: 7d 3d 03 a6 mtspr 29,r9
200: 4c 00 01 2c isync
204: 48 00 00 01 bl 204 <._copy_to_user+0x54>
204: R_PPC64_REL24 .__copy_tofrom_user
...
0000000000000260 <._copy_from_user>:
...
2ec: 4c 00 01 2c isync
2f0: 39 20 ff ff li r9,-1
2f4: 79 29 00 04 rldicr r9,r9,0,0
2f8: 7d 3d 03 a6 mtspr 29,r9
2fc: 4c 00 01 2c isync
300: 7f c5 f3 78 mr r5,r30
304: 7f 83 e3 78 mr r3,r28
308: 48 00 00 01 bl 308 <._copy_from_user+0xa8>
308: R_PPC64_REL24 .__copy_tofrom_user
...
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
[mpe: Spell out the directions, s/KUAP_R/KUAP_READ/ etc.]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/f4e88ec4941d5facb35ce75026b0112f980086c3.1579866752.git.christophe.leroy@c-s.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-24 04:54:41 -07:00
|
|
|
unsigned long size, unsigned long dir)
|
2019-04-18 00:51:24 -06:00
|
|
|
{
|
|
|
|
set_kuap(AMR_KUAP_BLOCKED);
|
2020-11-19 16:35:14 -07:00
|
|
|
if (static_branch_unlikely(&uaccess_flush_key))
|
|
|
|
do_uaccess_flush();
|
2019-04-18 00:51:24 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* __ASSEMBLY__ */
|
|
|
|
|
|
|
|
#endif /* _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H */
|