releases/4.9.104/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sun May 27 17:33:38 CEST 2018
 From: Jia Zhang <zhang.jia@linux.alibaba.com>
 Date: Mon, 12 Feb 2018 22:44:53 +0800
 Subject: vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall user page

 From: Jia Zhang <zhang.jia@linux.alibaba.com>

 [ Upstream commit 595dd46ebfc10be041a365d0a3fa99df50b6ba73 ]

 Commit:

   df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")

 ... introduced a bounce buffer to work around CONFIG_HARDENED_USERCOPY=y.
 However, accessing the vsyscall user page will cause an SMAP fault.

 Replace memcpy() with copy_from_user() to fix this bug works, but adding
 a common way to handle this sort of user page may be useful for future.

 Currently, only vsyscall page requires KCORE_USER.

 Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
 Reviewed-by: Jiri Olsa <jolsa@kernel.org>
 Cc: Al Viro <viro@zeniv.linux.org.uk>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: jolsa@redhat.com
 Link: http://lkml.kernel.org/r/1518446694-21124-2-git-send-email-zhang.jia@linux.alibaba.com
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  arch/x86/mm/init_64.c |    3 +--
  fs/proc/kcore.c       |    4 ++++
  include/linux/kcore.h |    1 +
  3 files changed, 6 insertions(+), 2 deletions(-)

 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -1014,8 +1014,7 @@ void __init mem_init(void)
  	after_bootmem = 1;

  	/* Register memory areas for /proc/kcore */
 -	kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR,
 -			 PAGE_SIZE, KCORE_OTHER);
 +	kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR, PAGE_SIZE, KCORE_USER);

  	mem_init_print_info(NULL);
  }
 --- a/fs/proc/kcore.c
 +++ b/fs/proc/kcore.c
 @@ -505,6 +505,10 @@ read_kcore(struct file *file, char __use
  			/* we have to zero-fill user buffer even if no read */
  			if (copy_to_user(buffer, buf, tsz))
  				return -EFAULT;
 +		} else if (m->type == KCORE_USER) {
 +			/* User page is handled prior to normal kernel page: */
 +			if (copy_to_user(buffer, (char *)start, tsz))
 +				return -EFAULT;
  		} else {
  			if (kern_addr_valid(start)) {
  				/*
 --- a/include/linux/kcore.h
 +++ b/include/linux/kcore.h
 @@ -9,6 +9,7 @@ enum kcore_type {
  	KCORE_VMALLOC,
  	KCORE_RAM,
  	KCORE_VMEMMAP,
 +	KCORE_USER,
  	KCORE_OTHER,
  };
	From foo@baz Sun May 27 17:33:38 CEST 2018
	From: Jia Zhang <zhang.jia@linux.alibaba.com>
	Date: Mon, 12 Feb 2018 22:44:53 +0800
	Subject: vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall user page

	From: Jia Zhang <zhang.jia@linux.alibaba.com>

	[ Upstream commit 595dd46ebfc10be041a365d0a3fa99df50b6ba73 ]

	Commit:

	df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")

	... introduced a bounce buffer to work around CONFIG_HARDENED_USERCOPY=y.
	However, accessing the vsyscall user page will cause an SMAP fault.

	Replace memcpy() with copy_from_user() to fix this bug works, but adding
	a common way to handle this sort of user page may be useful for future.

	Currently, only vsyscall page requires KCORE_USER.

	Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
	Reviewed-by: Jiri Olsa <jolsa@kernel.org>
	Cc: Al Viro <viro@zeniv.linux.org.uk>
	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: jolsa@redhat.com
	Link: http://lkml.kernel.org/r/1518446694-21124-2-git-send-email-zhang.jia@linux.alibaba.com
	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	arch/x86/mm/init_64.c \| 3 +--
	fs/proc/kcore.c \| 4 ++++
	include/linux/kcore.h \| 1 +
	3 files changed, 6 insertions(+), 2 deletions(-)

	--- a/arch/x86/mm/init_64.c
	+++ b/arch/x86/mm/init_64.c
	@@ -1014,8 +1014,7 @@ void __init mem_init(void)
	after_bootmem = 1;

	/* Register memory areas for /proc/kcore */
	- kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR,
	- PAGE_SIZE, KCORE_OTHER);
	+ kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR, PAGE_SIZE, KCORE_USER);

	mem_init_print_info(NULL);
	}
	--- a/fs/proc/kcore.c
	+++ b/fs/proc/kcore.c
	@@ -505,6 +505,10 @@ read_kcore(struct file *file, char __use
	/* we have to zero-fill user buffer even if no read */
	if (copy_to_user(buffer, buf, tsz))
	return -EFAULT;
	+ } else if (m->type == KCORE_USER) {
	+ /* User page is handled prior to normal kernel page: */
	+ if (copy_to_user(buffer, (char *)start, tsz))
	+ return -EFAULT;
	} else {
	if (kern_addr_valid(start)) {
	/*
	--- a/include/linux/kcore.h
	+++ b/include/linux/kcore.h
	@@ -9,6 +9,7 @@ enum kcore_type {
	KCORE_VMALLOC,
	KCORE_RAM,
	KCORE_VMEMMAP,
	+ KCORE_USER,
	KCORE_OTHER,
	};