From: Andy Lutomirski
To: Andrew Morton, Linux-MM
Cc: Nicholas Piggin, Anton Blanchard, Benjamin Herrenschmidt, Paul Mackerras, Randy Dunlap, linux-arch, x86@kernel.org, Rik van Riel, Dave Hansen, Peter Zijlstra, Nadav Amit, Mathieu Desnoyers, Andy Lutomirski, Joerg Roedel, Masami Hiramatsu
Subject: [PATCH 10/23] x86/events, x86/insn-eval: Remove incorrect active_mm references
Date: Sat, 8 Jan 2022 08:43:55 -0800
X-Mailer: git-send-email 2.33.1

When decoding an instruction or handling a perf event that references an LDT segment, if we don't have a valid user context, trying to access the LDT by any means other than SLDT is racy. Certainly, using current->active_mm is wrong, as active_mm can point to a real user mm when CR3 and LDTR no longer reference that mm.

Clean up the code. If nmi_uaccess_okay() says we don't have a valid context, just fail. Otherwise use current->mm.

Cc: Joerg Roedel
Cc: Masami Hiramatsu
Signed-off-by: Andy Lutomirski --- arch/x86/events/core.c | 9 ++++++++- arch/x86/lib/insn-eval.c | 13 ++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c index 6dfa8ddaa60f..930082f0eba5 100644 --- a/arch/x86/events/core.c +++ b/arch/x86/events/core.c @@ -2800,8 +2800,15 @@ static unsigned long get_segment_base(unsigned int= segment) #ifdef CONFIG_MODIFY_LDT_SYSCALL struct ldt_struct *ldt; =20 + /* + * If we're not in a valid context with a real (not just lazy) + * user mm, then don't even try. + */ + if (!nmi_uaccess_okay()) + return 0; + /* IRQs are off, so this synchronizes with smp_store_release */ - ldt =3D READ_ONCE(current->active_mm->context.ldt); + ldt =3D smp_load_acquire(¤t->mm->context.ldt); if (!ldt || idx >=3D ldt->nr_entries) return 0; =20 diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c index a1d24fdc07cf..87a85a9dcdc4 100644 --- a/arch/x86/lib/insn-eval.c +++ b/arch/x86/lib/insn-eval.c @@ -609,14 +609,21 @@ static bool get_desc(struct desc_struct *out, unsig= ned short sel) /* Bits [15:3] contain the index of the desired entry. */ sel >>=3D 3; =20 - mutex_lock(¤t->active_mm->context.lock); - ldt =3D current->active_mm->context.ldt; + /* + * If we're not in a valid context with a real (not just lazy) + * user mm, then don't even try. + */ + if (!nmi_uaccess_okay()) + return false; + + mutex_lock(¤t->mm->context.lock); + ldt =3D current->mm->context.ldt; if (ldt && sel < ldt->nr_entries) { *out =3D ldt->entries[sel]; success =3D true; } =20 - mutex_unlock(¤t->active_mm->context.lock); + mutex_unlock(¤t->mm->context.lock); =20 return success; } --=20 2.33.1
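Review bot: in the arch/x86/events/core.c hunk the comment left above the load, "IRQs are off, so this synchronizes with smp_store_release", is now stale: the line under it changes from READ_ONCE() to smp_load_acquire(), and it is the acquire, not the disabled interrupts, that pairs with the smp_store_release() of the new LDT pointer and orders the later reads of ldt->nr_entries and the entry behind it. Reword the comment to say what the acquire orders (or explain why READ_ONCE plus IRQs-off was enough before and is not now). The new nmi_uaccess_okay() early return is correctly placed ahead of the dereference of current->mm, which matters because, as the commit message says, this path can run with no valid user context at all; returning 0 matches the existing failure value a few lines down.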
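Review bot: in the arch/x86/lib/insn-eval.c hunk, get_desc() takes context.lock with mutex_lock(), so it runs in sleepable task context rather than NMI context, and nmi_uaccess_okay() is serving here as a "do we have a real current->mm" test rather than as an NMI-safety guard; a short comment saying so (or a plain current->mm check, if the per-CPU loaded_mm comparison is not wanted on this path) would stop the next reader from assuming the function is NMI-safe. Please also confirm that insn-eval.c already includes the header that declares nmi_uaccess_okay(), since the hunk adds no include. The rest is consistent: the early return false matches the bool result, and lock and unlock both now name current->mm, so the pair stays on the same mm.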