From: Michael Schmitz <schmitzmic@gmail.com>
To: linux-m68k@vger.kernel.org, geert@linux-m68k.org
Cc: gerg@linux-m68k.org, Michael Schmitz <schmitzmic@gmail.com>,
Finn Thain <fthain@linux-m68k.org>,
linux-m68k@lists.linux-m68k.org
Subject: [PATCH v3 1/2] m68k: Handle __generic_copy_to_user faults more carefully
Date: Sat, 27 Apr 2024 20:48:14 +1200 [thread overview]
Message-ID: <20240427084815.1449-2-schmitzmic@gmail.com> (raw)
In-Reply-To: <20240427084815.1449-1-schmitzmic@gmail.com>
As mentioned by Finn Thain in his patch to improve put_user
exception handling on 040, a similar problem exists on 030
processors.
A moves instruction that crosses a page boundary from a
mapped page into an unmapped one will cause a mid-instruction
bus error exception (frame format b), with the PC pointing
(usually) two instructions past the faulting movesl instruction.
Our exception handling in __generic_copy_to_user only covers
the instruction immediately following the faulting one. As
a result, fixup_exception in send_fault_sig does not detect
this case, and cause send_fault_sig to oops.
Extend the exception table to cover one additional instruction
beyond the moves[lwb] instructions.
Tested on 68030 (Atari Falcon 030) with transfers beginning
at one to six bytes offset from the end of a mapped page,
followed by further bytes on an unmapped page (testcase
derived from stress-ng sysbadaddr stressor by Finn Thain).
Tested on 68040 (Mac Quadra) and 68030 (Mac IIci) by Finn Thain.
A similar problem is present in __clear_user(); modify the
exception table for that function in the same way (tested by
Finn Thain).
Cc: Finn Thain <fthain@linux-m68k.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-m68k@lists.linux-m68k.org
Tested-by: Finn Thain <fthain@linux-m68k.org>
Link: https://lore.kernel.org/all/e0f23460779e6d16e2633486ac4841790ef2aca0.1713176294.git.fthain@linux-m68k.org
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
---
Changes from RFC v2:
Finn Thain:
- add missing extension table entries and final NOP in
__generic_copy_to_user faults in 040 tests
Michael Schmitz:
- add yet another exception table entry in __clear_user
Changes from RFC v1:
Michael Schmitz:
- use extended exception table instead of additional NOPs
---
arch/m68k/lib/uaccess.c | 56 ++++++++++++++++++++++++-----------------
1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/arch/m68k/lib/uaccess.c b/arch/m68k/lib/uaccess.c
index 86b6fed5151c..e3ed893047f8 100644
--- a/arch/m68k/lib/uaccess.c
+++ b/arch/m68k/lib/uaccess.c
@@ -62,35 +62,42 @@ unsigned long __generic_copy_to_user(void __user *to, const void *from,
asm volatile ("\n"
" tst.l %0\n"
- " jeq 4f\n"
+ " jeq 5f\n"
"1: move.l (%1)+,%3\n"
"2: "MOVES".l %3,(%2)+\n"
"3: subq.l #1,%0\n"
- " jne 1b\n"
- "4: btst #1,%5\n"
- " jeq 6f\n"
- " move.w (%1)+,%3\n"
- "5: "MOVES".w %3,(%2)+\n"
- "6: btst #0,%5\n"
+ "4: jne 1b\n"
+ "5: btst #1,%5\n"
" jeq 8f\n"
- " move.b (%1)+,%3\n"
- "7: "MOVES".b %3,(%2)+\n"
- "8:\n"
+ "6: move.w (%1)+,%3\n"
+ "7: "MOVES".w %3,(%2)+\n"
+ "8: btst #0,%5\n"
+ "9: jeq 13f\n"
+ "10: move.b (%1)+,%3\n"
+ "11: "MOVES".b %3,(%2)+\n"
+ "12: nop\n"
+ "13:\n"
" .section .fixup,\"ax\"\n"
" .even\n"
"20: lsl.l #2,%0\n"
"50: add.l %5,%0\n"
- " jra 8b\n"
+ " jra 13b\n"
" .previous\n"
"\n"
" .section __ex_table,\"a\"\n"
" .align 4\n"
+ " .long 1b,20b\n"
" .long 2b,20b\n"
" .long 3b,20b\n"
- " .long 5b,50b\n"
+ " .long 4b,20b\n"
+ " .long 5b,20b\n"
" .long 6b,50b\n"
" .long 7b,50b\n"
" .long 8b,50b\n"
+ " .long 9b,50b\n"
+ " .long 10b,50b\n"
+ " .long 11b,50b\n"
+ " .long 12b,50b\n"
" .previous"
: "=d" (res), "+a" (from), "+a" (to), "=&d" (tmp)
: "0" (n / 4), "d" (n & 3));
@@ -109,32 +116,35 @@ unsigned long __clear_user(void __user *to, unsigned long n)
asm volatile ("\n"
" tst.l %0\n"
- " jeq 3f\n"
+ " jeq 4f\n"
"1: "MOVES".l %2,(%1)+\n"
"2: subq.l #1,%0\n"
- " jne 1b\n"
- "3: btst #1,%4\n"
- " jeq 5f\n"
- "4: "MOVES".w %2,(%1)+\n"
- "5: btst #0,%4\n"
- " jeq 7f\n"
- "6: "MOVES".b %2,(%1)\n"
- "7:\n"
+ "3: jne 1b\n"
+ "4: btst #1,%4\n"
+ " jeq 6f\n"
+ "5: "MOVES".w %2,(%1)+\n"
+ "6: btst #0,%4\n"
+ "7: jeq 9f\n"
+ "8: "MOVES".b %2,(%1)\n"
+ "9:\n"
" .section .fixup,\"ax\"\n"
" .even\n"
"10: lsl.l #2,%0\n"
"40: add.l %4,%0\n"
- " jra 7b\n"
+ " jra 9b\n"
" .previous\n"
"\n"
" .section __ex_table,\"a\"\n"
" .align 4\n"
" .long 1b,10b\n"
" .long 2b,10b\n"
- " .long 4b,40b\n"
+ " .long 3b,10b\n"
+ " .long 4b,10b\n"
" .long 5b,40b\n"
" .long 6b,40b\n"
" .long 7b,40b\n"
+ " .long 8b,40b\n"
+ " .long 9b,40b\n"
" .previous"
: "=d" (res), "+a" (to)
: "d" (0), "0" (n / 4), "d" (n & 3));
--
2.17.1
next prev parent reply other threads:[~2024-04-27 8:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-27 8:48 [PATCH v3 0/2] m68k uaccess fault handling fixes Michael Schmitz
2024-04-27 8:48 ` Michael Schmitz [this message]
2024-04-27 9:34 ` [PATCH v3 1/2] m68k: Handle __generic_copy_to_user faults more carefully Finn Thain
2024-04-27 23:16 ` Michael Schmitz
2024-04-28 3:28 ` Finn Thain
2024-04-28 3:51 ` Michael Schmitz
2024-04-28 8:03 ` Finn Thain
2024-04-27 8:48 ` [PATCH v3 2/2] m68k: improve __constant_copy_to_user_asm() fault handling Michael Schmitz
2024-04-27 9:24 ` Finn Thain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240427084815.1449-2-schmitzmic@gmail.com \
--to=schmitzmic@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=geert@linux-m68k.org \
--cc=gerg@linux-m68k.org \
--cc=linux-m68k@lists.linux-m68k.org \
--cc=linux-m68k@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.