From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
linux-alpha@vger.kernel.org,
Sergei Trofimovich <slyfox@gentoo.org>,
Matt Turner <mattst88@gmail.com>,
"Dmitry V. Levin" <ldv@altlinux.org>
Subject: [PATCH 4.20 73/92] alpha: fix page fault handling for r16-r18 targets
Date: Mon, 18 Feb 2019 14:43:16 +0100 [thread overview]
Message-ID: <20190218133501.704873176@linuxfoundation.org> (raw)
In-Reply-To: <20190218133454.668268457@linuxfoundation.org>
4.20-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Trofimovich <slyfox@gentoo.org>
commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
Fix page fault handling code to fixup r16-r18 registers.
Before the patch code had off-by-two registers bug.
This bug caused overwriting of ps,pc,gp registers instead
of fixing intended r16,r17,r18 (see `struct pt_regs`).
More details:
Initially Dmitry noticed a kernel bug as a failure
on strace test suite. Test passes unmapped userspace
pointer to io_submit:
```c
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
#include <asm/unistd.h>
int main(void)
{
unsigned long ctx = 0;
if (syscall(__NR_io_setup, 1, &ctx))
err(1, "io_setup");
const size_t page_size = sysconf(_SC_PAGESIZE);
const size_t size = page_size * 2;
void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (MAP_FAILED == ptr)
err(1, "mmap(%zu)", size);
if (munmap(ptr, size))
err(1, "munmap");
syscall(__NR_io_submit, ctx, 1, ptr + page_size);
syscall(__NR_io_destroy, ctx);
return 0;
}
```
Running this test causes kernel to crash when handling page fault:
```
Unable to handle kernel paging request at virtual address ffffffffffff9468
CPU 3
aio(26027): Oops 0
pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
pc is at sys_io_submit+0x108/0x200
ra is at sys_io_submit+0x6c/0x200
v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
s6 = fffffc00c58e6300
a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
gp = 0000000000000000 sp = 00000000265fd174
Disabling lock debugging due to kernel taint
Trace:
[<fffffc0000311404>] entSys+0xa4/0xc0
```
Here `gp` has invalid value. `gp is s overwritten by a fixup for the
following page fault handler in `io_submit` syscall handler:
```
__se_sys_io_submit
...
ldq a1,0(t1)
bne t0,4280 <__se_sys_io_submit+0x180>
```
After a page fault `t0` should contain -EFALUT and `a1` is 0.
Instead `gp` was overwritten in place of `a1`.
This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
(aka `a0-a2`).
I think the bug went unnoticed for a long time as `gp` is one
of scratch registers. Any kernel function call would re-calculate `gp`.
Dmitry tracked down the bug origin back to 2.1.32 kernel version
where trap_a{0,1,2} fields were inserted into struct pt_regs.
And even before that `dpf_reg()` contained off-by-one error.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: linux-alpha@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
Cc: stable@vger.kernel.org # v2.1.32+
Bug: https://bugs.gentoo.org/672040
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/alpha/mm/fault.c
+++ b/arch/alpha/mm/fault.c
@@ -78,7 +78,7 @@ __load_new_mm_context(struct mm_struct *
/* Macro for exception fixup code to access integer registers. */
#define dpf_reg(r) \
(((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
- (r) <= 18 ? (r)+8 : (r)-10])
+ (r) <= 18 ? (r)+10 : (r)-10])
asmlinkage void
do_page_fault(unsigned long address, unsigned long mmcsr,
next prev parent reply other threads:[~2019-02-18 13:49 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-18 13:42 [PATCH 4.20 00/92] 4.20.11-stable review Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 01/92] dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 02/92] eeprom: at24: add support for 24c2048 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 03/92] blk-mq: fix a hung issue when fsync Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 04/92] drm/amdgpu/sriov:Correct pfvf exchange logic Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 05/92] ACPI: NUMA: Use correct type for printing addresses on i386-PAE Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 06/92] perf stat: Fix endless wait for child process Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 07/92] perf report: Fix wrong iteration count in --branch-history Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 08/92] perf test shell: Use a fallback to get the pathname in vfs_getname Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 09/92] soc: renesas: r8a774c0-sysc: Fix initialization order of 3DG-{A,B} Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 10/92] tools uapi: fix RISC-V 64-bit support Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 11/92] riscv: fix trace_sys_exit hook Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 12/92] cpufreq: check if policy is inactive early in __cpufreq_get() Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 13/92] csky: fixup relocation error with 807 & 860 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 14/92] csky: fixup CACHEV1 store instruction fast retire Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 15/92] csky: fixup compile error with pte_alloc Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 16/92] irqchip/csky: fixup handle_irq_perbit break irq Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 17/92] drm/amd/powerplay: avoid possible buffer overflow Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 18/92] drm/bridge: tc358767: add bus flags Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 19/92] drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 20/92] drm/bridge: tc358767: fix single lane configuration Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 21/92] drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 22/92] drm/bridge: tc358767: reject modes which require too much BW Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 23/92] drm/bridge: tc358767: fix output H/V syncs Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 24/92] nvme-pci: use the same attributes when freeing host_mem_desc_bufs Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 25/92] nvme-pci: fix out of bounds access in nvme_cqe_pending Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 26/92] nvme-multipath: zero out ANA log buffer Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 27/92] nvme: pad fake subsys NQN vid and ssvid with zeros Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 28/92] nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 29/92] drm/amdgpu: fix CPDMA hang in PRT mode for VEGA20 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 30/92] drm/amdgpu: set WRITE_BURST_LENGTH to 64B to workaround SDMA1 hang Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 31/92] drm/amdgpu: disable system memory page tables for now Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 32/92] ARM: dts: da850-evm: Correct the audio codec regulators Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 33/92] ARM: dts: da850-evm: Correct the sound card name Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 34/92] ARM: dts: da850-lcdk: Correct the audio codec regulators Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 35/92] ARM: dts: da850-lcdk: Correct the sound card name Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 36/92] ARM: dts: kirkwood: Fix polarity of GPIO fan lines Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 37/92] csky: fixup compile error with CPU 810 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 38/92] gpio: pl061: handle failed allocations Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 39/92] drm/nouveau: Dont disable polling in fallback mode Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 40/92] drm/nouveau/falcon: avoid touching registers if engine is off Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 41/92] cifs: Limit memory used by lock request calls to a page Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 42/92] CIFS: Fix credits calculation for cancelled requests Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 43/92] CIFS: Move credit processing to mid callbacks for SMB3 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 44/92] CIFS: Fix error paths in writeback code Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 45/92] kvm: sev: Fail KVM_SEV_INIT if already initialized Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 46/92] CIFS: Fix credit calculations in compound mid callback Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 47/92] CIFS: Do not assume one credit for async responses Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 48/92] CIFS: Fix mounts if the client is low on credits Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 49/92] gpio: mxc: move gpio noirq suspend/resume to syscore phase Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 50/92] Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G" Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 51/92] Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 52/92] arm64: dts: rockchip: enable usb-host regulators at boot on rk3328-rock64 Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 53/92] ARM: OMAP5+: Fix inverted nirq pin interrupts with irq_set_type Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 54/92] perf/core: Fix impossible ring-buffer sizes warning Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 55/92] perf/x86: Add check_period PMU callback Greg Kroah-Hartman
2019-02-18 13:42 ` [PATCH 4.20 56/92] ALSA: hda - Add quirk for HP EliteBook 840 G5 Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 57/92] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 58/92] ALSA: pcm: Revert capture stream behavior change in blocking mode Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 59/92] ASoC: hdmi-codec: fix oops on re-probe Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 60/92] tools uapi: fix Alpha support Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 61/92] riscv: Add pte bit to distinguish swap from invalid Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 62/92] x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 63/92] kvm: vmx: Fix entry number check for add_atomic_switch_msr() Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 64/92] mmc: sunxi: Disable HS-DDR mode for H5 eMMC controller by default Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 65/92] mmc: sunxi: Filter out unsupported modes declared in the device tree Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 66/92] mmc: block: handle complete_work on separate workqueue Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 67/92] Input: bma150 - register input device after setting private data Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 68/92] Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 69/92] Revert "nfsd4: return default lease period" Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 70/92] Revert "mm: dont reclaim inodes with many attached pages" Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 71/92] Revert "mm: slowly shrink slabs with a relatively small number of objects" Greg Kroah-Hartman
2019-02-18 15:30 ` Rik van Riel
2019-02-18 16:16 ` Greg Kroah-Hartman
2019-02-18 17:38 ` Michal Hocko
2019-02-18 18:57 ` Roman Gushchin
2019-02-18 19:14 ` Michal Hocko
2019-02-18 19:30 ` Roman Gushchin
2019-02-18 19:34 ` Sasha Levin
2019-02-19 18:43 ` Wolfgang Walter
2019-02-18 13:43 ` [PATCH 4.20 72/92] mm: proc: smaps_rollup: fix pss_locked calculation Greg Kroah-Hartman
2019-02-18 13:43 ` Greg Kroah-Hartman [this message]
2019-02-18 13:43 ` [PATCH 4.20 74/92] alpha: Fix Eiger NR_IRQS to 128 Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 75/92] s390/suspend: fix stack setup in swsusp_arch_suspend Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 76/92] s390/zcrypt: fix specification exception on z196 during ap probe Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 77/92] tracing: probeevent: Correctly update remaining space in dynamic area Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 78/92] x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 79/92] powerpc/64s: Fix possible corruption on big endian due to pgd/pud_present() Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 80/92] scsi: sd: fix entropy gathering for most rotational disks Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 81/92] signal: Restore the stop PTRACE_EVENT_EXIT Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 82/92] crypto: ccree - fix resume race condition on init Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 83/92] md/raid1: dont clear bitmap bits on interrupted recovery Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 84/92] x86/a.out: Clear the dump structure initially Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 85/92] sunrpc: fix 4 more call sites that were using stack memory with a scatterlist Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 86/92] dm crypt: dont overallocate the integrity tag space Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 87/92] dm thin: fix bug where bio that overwrites thin block ignores FUA Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 88/92] drm: Use array_size() when creating lease Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 89/92] drm/vkms: Fix license inconsistent Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 90/92] drm/sched: Always trace the dependencies we wait on, to fix a race Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 91/92] drm/i915: Block fbdev HPD processing during suspend Greg Kroah-Hartman
2019-02-18 13:43 ` [PATCH 4.20 92/92] drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set Greg Kroah-Hartman
2019-02-19 5:48 ` [PATCH 4.20 00/92] 4.20.11-stable review Naresh Kamboju
2019-02-19 12:47 ` Greg Kroah-Hartman
2019-02-19 17:39 ` Guenter Roeck
2019-02-20 9:04 ` Greg Kroah-Hartman
2019-02-20 0:16 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190218133501.704873176@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ink@jurassic.park.msu.ru \
--cc=ldv@altlinux.org \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mattst88@gmail.com \
--cc=rth@twiddle.net \
--cc=slyfox@gentoo.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.