[PATCH] arm64: uaccess: fix put_user() with TTBR0 PAN

Vincent Whitchurch vincent.whitchurch at axis.com
Thu Nov 18 08:34:17 PST 2021


The value argument to put_user() must be evaluated before the TTBR0
switch is done.  Otherwise, if it is a function and the function sleeps,
the reserved TTBR0 will be restored when the process is switched in
again and the process will end up in an infinite loop of faults.

This problem was seen with the put_user() in schedule_tail().  A similar
fix was done for RISC-V in commit 285a76bb2cf51b0c74c634 ("riscv:
evaluate put_user() arg before enabling user access").

Fixes: f253d827f33cb5a5990 ("arm64: uaccess: refactor __{get,put}_user")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch at axis.com>
---
 arch/arm64/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 6e2e0b7031ab..96b26fa9d3d0 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -362,10 +362,11 @@ do {									\
 #define __put_user_error(x, ptr, err)					\
 do {									\
 	__typeof__(*(ptr)) __user *__p = (ptr);				\
+	__typeof__(*(__p)) __val = (x);					\
 	might_fault();							\
 	if (access_ok(__p, sizeof(*__p))) {				\
 		__p = uaccess_mask_ptr(__p);				\
-		__raw_put_user((x), __p, (err));			\
+		__raw_put_user(__val, __p, (err));			\
 	} else	{							\
 		(err) = -EFAULT;					\
 	}								\
-- 
2.33.1




More information about the linux-arm-kernel mailing list