• Christophe Leroy's avatar
    powerpc/mm: Fix lockup on kernel exec fault · cd5d5e60
    Christophe Leroy authored
    The powerpc kernel is not prepared to handle exec faults from kernel.
    Especially, the function is_exec_fault() will return 'false' when an
    exec fault is taken by kernel, because the check is based on reading
    current->thread.regs->trap which contains the trap from user.
    
    For instance, when provoking a LKDTM EXEC_USERSPACE test,
    current->thread.regs->trap is set to SYSCALL trap (0xc00), and
    the fault taken by the kernel is not seen as an exec fault by
    set_access_flags_filter().
    
    Commit d7df2443 ("powerpc/mm: Fix spurious segfaults on radix
    with autonuma") made it clear and handled it properly. But later on
    commit d3ca5874 ("powerpc/mm: Fix reporting of kernel execute
    faults") removed that handling, introducing test based on error_code.
    And here is the problem, because on the 603 all upper bits of SRR1
    get cleared when the TLB instruction miss handler bails out to ISI.
    
    Until commit cbd7e6ca ("powerpc/fault: Avoid heavy
    search_exception_tables() verification"), an exec fault from kernel
    at a userspace address was indirectly caught by the lack of entry for
    that address in the exception tables. But after that commit the
    kernel mainly relies on KUAP or on core mm handling to catch wrong
    user accesses. Here the access is not wrong, so mm handles it.
    It is a minor fault because PAGE_EXEC is not set,
    set_access_flags_filter() should set PAGE_EXEC and voila.
    But as is_exec_fault() returns false as explained in the beginning,
    set_access_flags_filter() bails out without setting PAGE_EXEC flag,
    which leads to a forever minor exec fault.
    
    As the kernel is not prepared to handle such exec faults, the thing to
    do is to fire in bad_kernel_fault() for any exec fault taken by the
    kernel, as it was prior to commit d3ca5874.
    
    Fixes: d3ca5874 ("powerpc/mm: Fix reporting of kernel execute faults")
    Cc: stable@vger.kernel.org # v4.14+
    Signed-off-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
    Acked-by: default avatarNicholas Piggin <npiggin@gmail.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.1625138205.git.christophe.leroy@csgroup.eu
    cd5d5e60
fault.c 17.7 KB