d4ffd5df9d
The function __bad_area_nosemaphore() calls kernelmode_fixup_or_oops()
with the parameter @signal being actually @pkey, which will send a
signal numbered with the argument in @pkey.
This bug can be triggered when the kernel fails to access user-given
memory pages that are protected by a pkey, so it can go down the
do_user_addr_fault() path and pass the !user_mode() check in
__bad_area_nosemaphore().
Most cases will simply run the kernel fixup code to make an -EFAULT. But
when another condition current->thread.sig_on_uaccess_err is met, which
is only used to emulate vsyscall, the kernel will generate the wrong
signal.
Add a new parameter @pkey to kernelmode_fixup_or_oops() to fix this.
[ bp: Massage commit message, fix build error as reported by the 0day
bot: https://lkml.kernel.org/r/202109202245.APvuT8BX-lkp@intel.com ]
Fixes:
|
||
|---|---|---|
| .. | ||
| pat | ||
| Makefile | ||
| amdtopology.c | ||
| cpu_entry_area.c | ||
| debug_pagetables.c | ||
| dump_pagetables.c | ||
| extable.c | ||
| fault.c | ||
| highmem_32.c | ||
| hugetlbpage.c | ||
| ident_map.c | ||
| init.c | ||
| init_32.c | ||
| init_64.c | ||
| iomap_32.c | ||
| ioremap.c | ||
| kasan_init_64.c | ||
| kaslr.c | ||
| kmmio.c | ||
| maccess.c | ||
| mem_encrypt.c | ||
| mem_encrypt_boot.S | ||
| mem_encrypt_identity.c | ||
| mm_internal.h | ||
| mmap.c | ||
| mmio-mod.c | ||
| numa.c | ||
| numa_32.c | ||
| numa_64.c | ||
| numa_emulation.c | ||
| numa_internal.h | ||
| pf_in.c | ||
| pf_in.h | ||
| pgtable.c | ||
| pgtable_32.c | ||
| physaddr.c | ||
| physaddr.h | ||
| pkeys.c | ||
| pti.c | ||
| setup_nx.c | ||
| srat.c | ||
| testmmiotrace.c | ||
| tlb.c | ||