tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

x86/sev-es: Use __put_user()/__get_user() for data accesses

The put_user() and get_user() functions do checks on the address which is
passed to them. They check whether the address is actually a user-space
address and whether its fine to access it. They also call might_fault()
to indicate that they could fault and possibly sleep.

All of these checks are neither wanted nor needed in the #VC exception
handler, which can be invoked from almost any context and also for MMIO
instructions from kernel space on kernel memory. All the #VC handler
wants to know is whether a fault happened when the access was tried.

This is provided by __put_user()/__get_user(), which just do the access
no matter what. Also add comments explaining why __get_user() and
__put_user() are the best choice here and why it is safe to use them
in this context. Also explain why copy_to/from_user can't be used.

In addition, also revert commit

7024f60d6552 ("x86/sev-es: Handle string port IO to kernel memory properly")

because using __get_user()/__put_user() fixes the same problem while
the above commit introduced several problems:

1) It uses access_ok() which is only allowed in task context.

2) It uses memcpy() which has no fault handling at all and is
thus unsafe to use here.

[ bp: Fix up commit ID of the reverted commit above. ]

Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org # v5.10+
Link: https://lkml.kernel.org/r/20210519135251.30093-4-joro@8bytes.org

authored by Joerg Roedel and committed by Borislav Petkov 4954f5b8 c25bbdb5

options
unified split
Changed files
+46 -20
arch
x86
kernel
sev.c
+46 -20
arch/x86/kernel/sev.c
··· 315 315 u16 d2; 316 316 u8 d1; 317 317 318 - /* If instruction ran in kernel mode and the I/O buffer is in kernel space */ 319 - if (!user_mode(ctxt->regs) && !access_ok(target, size)) { 320 - memcpy(dst, buf, size); 321 - return ES_OK; 322 - } 323 - 318 + /* 319 + * This function uses __put_user() independent of whether kernel or user 320 + * memory is accessed. This works fine because __put_user() does no 321 + * sanity checks of the pointer being accessed. All that it does is 322 + * to report when the access failed. 323 + * 324 + * Also, this function runs in atomic context, so __put_user() is not 325 + * allowed to sleep. The page-fault handler detects that it is running 326 + * in atomic context and will not try to take mmap_sem and handle the 327 + * fault, so additional pagefault_enable()/disable() calls are not 328 + * needed. 329 + * 330 + * The access can't be done via copy_to_user() here because 331 + * vc_write_mem() must not use string instructions to access unsafe 332 + * memory. The reason is that MOVS is emulated by the #VC handler by 333 + * splitting the move up into a read and a write and taking a nested #VC 334 + * exception on whatever of them is the MMIO access. Using string 335 + * instructions here would cause infinite nesting. 336 + */ 324 337 switch (size) { 325 338 case 1: 326 339 memcpy(&d1, buf, 1); 327 - if (put_user(d1, target)) 340 + if (__put_user(d1, target)) 328 341 goto fault; 329 342 break; 330 343 case 2: 331 344 memcpy(&d2, buf, 2); 332 - if (put_user(d2, target)) 345 + if (__put_user(d2, target)) 333 346 goto fault; 334 347 break; 335 348 case 4: 336 349 memcpy(&d4, buf, 4); 337 - if (put_user(d4, target)) 350 + if (__put_user(d4, target)) 338 351 goto fault; 339 352 break; 340 353 case 8: 341 354 memcpy(&d8, buf, 8); 342 - if (put_user(d8, target)) 355 + if (__put_user(d8, target)) 343 356 goto fault; 344 357 break; 345 358 default: ··· 383 370 u16 d2; 384 371 u8 d1; 385 372 386 - /* If instruction ran in kernel mode and the I/O buffer is in kernel space */ 387 - if (!user_mode(ctxt->regs) && !access_ok(s, size)) { 388 - memcpy(buf, src, size); 389 - return ES_OK; 390 - } 391 - 373 + /* 374 + * This function uses __get_user() independent of whether kernel or user 375 + * memory is accessed. This works fine because __get_user() does no 376 + * sanity checks of the pointer being accessed. All that it does is 377 + * to report when the access failed. 378 + * 379 + * Also, this function runs in atomic context, so __get_user() is not 380 + * allowed to sleep. The page-fault handler detects that it is running 381 + * in atomic context and will not try to take mmap_sem and handle the 382 + * fault, so additional pagefault_enable()/disable() calls are not 383 + * needed. 384 + * 385 + * The access can't be done via copy_from_user() here because 386 + * vc_read_mem() must not use string instructions to access unsafe 387 + * memory. The reason is that MOVS is emulated by the #VC handler by 388 + * splitting the move up into a read and a write and taking a nested #VC 389 + * exception on whatever of them is the MMIO access. Using string 390 + * instructions here would cause infinite nesting. 391 + */ 392 392 switch (size) { 393 393 case 1: 394 - if (get_user(d1, s)) 394 + if (__get_user(d1, s)) 395 395 goto fault; 396 396 memcpy(buf, &d1, 1); 397 397 break; 398 398 case 2: 399 - if (get_user(d2, s)) 399 + if (__get_user(d2, s)) 400 400 goto fault; 401 401 memcpy(buf, &d2, 2); 402 402 break; 403 403 case 4: 404 - if (get_user(d4, s)) 404 + if (__get_user(d4, s)) 405 405 goto fault; 406 406 memcpy(buf, &d4, 4); 407 407 break; 408 408 case 8: 409 - if (get_user(d8, s)) 409 + if (__get_user(d8, s)) 410 410 goto fault; 411 411 memcpy(buf, &d8, 8); 412 412 break;