From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
linux-alpha@vger.kernel.org,
Sergei Trofimovich <slyfox@gentoo.org>,
Matt Turner <mattst88@gmail.com>,
"Dmitry V. Levin" <ldv@altlinux.org>
Subject: [PATCH 3.18 100/108] alpha: fix page fault handling for r16-r18 targets
Date: Mon, 18 Feb 2019 14:44:36 +0100
Message-ID: <20190218133524.292841585@linuxfoundation.org>
In-Reply-To: <20190218133519.525507231@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Trofimovich <slyfox@gentoo.org>
commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
Fix page fault handling code to fixup r16-r18 registers.
Before the patch the code had an off-by-two register bug.
This bug caused overwriting of the ps,pc,gp registers instead
of fixing the intended r16,r17,r18 (see `struct pt_regs`).
More details:
Initially Dmitry noticed a kernel bug as a failure
in the strace test suite. The test passes an unmapped userspace
pointer to io_submit:
```c
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
#include <asm/unistd.h>

int main(void)
{
	unsigned long ctx = 0;

	/* Create a minimal AIO context so io_submit has something to work on. */
	if (syscall(__NR_io_setup, 1, &ctx))
		err(1, "io_setup");

	/* Map two pages and unmap them again, so the range is a plausible
	 * but unmapped userspace address. */
	const size_t page_size = sysconf(_SC_PAGESIZE);
	const size_t size = page_size * 2;
	void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (MAP_FAILED == ptr)
		err(1, "mmap(%zu)", size);
	if (munmap(ptr, size))
		err(1, "munmap");

	/* Hand the unmapped pointer to io_submit: the kernel takes a page
	 * fault while reading it and should return -EFAULT, not crash.
	 * (char *) keeps the pointer arithmetic portable; the original
	 * relied on GCC's void * arithmetic extension. */
	syscall(__NR_io_submit, ctx, 1, (char *)ptr + page_size);
	syscall(__NR_io_destroy, ctx);
	return 0;
}
```
Running this test causes the kernel to crash when handling the page fault:
```
Unable to handle kernel paging request at virtual address ffffffffffff9468
CPU 3
aio(26027): Oops 0
pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
pc is at sys_io_submit+0x108/0x200
ra is at sys_io_submit+0x6c/0x200
v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
s6 = fffffc00c58e6300
a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
gp = 0000000000000000 sp = 00000000265fd174
Disabling lock debugging due to kernel taint
Trace:
[<fffffc0000311404>] entSys+0xa4/0xc0
```
Here `gp` has an invalid value. `gp` is overwritten by a fixup for the
following page fault handler in the `io_submit` syscall handler:
```
__se_sys_io_submit
...
ldq a1,0(t1)
bne t0,4280 <__se_sys_io_submit+0x180>
```
After a page fault `t0` should contain -EFAULT and `a1` should be 0.
Instead `gp` was overwritten in place of `a1`.
This happens due to an off-by-two bug in `dpf_reg()` for `r16-r18`
(aka `a0-a2`).
I think the bug went unnoticed for a long time as `gp` is one
of the scratch registers. Any kernel function call would re-calculate `gp`.
Dmitry tracked the origin of the bug back to kernel version 2.1.32,
where the trap_a{0,1,2} fields were inserted into struct pt_regs.
And even before that `dpf_reg()` contained an off-by-one error.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: linux-alpha@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
Cc: stable@vger.kernel.org # v2.1.32+
Bug: https://bugs.gentoo.org/672040
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/alpha/mm/fault.c
+++ b/arch/alpha/mm/fault.c
@@ -78,7 +78,7 @@ __load_new_mm_context(struct mm_struct *
/* Macro for exception fixup code to access integer registers. */
#define dpf_reg(r) \
(((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
- (r) <= 18 ? (r)+8 : (r)-10])
+ (r) <= 18 ? (r)+10 : (r)-10])
asmlinkage void
do_page_fault(unsigned long address, unsigned long mmcsr,
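Review bot: the +10 is consistent with the layout the message describes (trap_a0..a2, ps, pc and gp all precede r16..r18 in struct pt_regs, so r16 lands at slot 26), but the macro still encodes that layout as bare constants, which is exactly how an off-by-one and then an off-by-two survived from 2.1.32 until now. Suggest deriving the r16..r18 index from the struct itself, e.g. `offsetof(struct pt_regs, r16) / sizeof(unsigned long) + ((r) - 16)`, or at least adding `BUILD_BUG_ON(offsetof(struct pt_regs, r16) != 26 * sizeof(unsigned long))` next to the macro so that the next change to struct pt_regs fails the build instead of silently mis-indexing. Fine as a minimal stable backport otherwise.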
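To see what the off-by-two actually does, here is an added example (not part of the patch or the kernel tree) that models struct pt_regs as a flat array of slots and runs the dpf_reg() index arithmetic before and after the fix against it; the field order is assumed from alpha's uapi/asm/ptrace.h, and the r9-r15 branch is modelled only as "below pt_regs".

```c
#include <stdio.h>
#include <string.h>
/* Model of alpha's struct pt_regs; field order assumed from the kernel's
 * uapi/asm/ptrace.h. r9-r15 are not here (they live in the switch_stack
 * below pt_regs); r16-r18 sit after the PAL-saved ps/pc/gp fields. */
struct pt_regs_model {
	unsigned long r0, r1, r2, r3, r4, r5, r6, r7, r8;
	unsigned long r19, r20, r21, r22, r23, r24, r25, r26, r27, r28;
	unsigned long hae, trap_a0, trap_a1, trap_a2;
	unsigned long ps, pc, gp;
	unsigned long r16, r17, r18;
};
#define NSLOTS (sizeof(struct pt_regs_model) / sizeof(unsigned long))
/* Field names in struct order: slot_names[i] is the field at slot i. */
static const char *const slot_names[NSLOTS] = {
	"r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8",
	"r19", "r20", "r21", "r22", "r23", "r24", "r25", "r26", "r27", "r28",
	"hae", "trap_a0", "trap_a1", "trap_a2", "ps", "pc", "gp",
	"r16", "r17", "r18",
};

/* dpf_reg() index arithmetic: fixed=0 is the pre-patch (r)+8 branch for
 * r16-r18, fixed=1 the post-patch (r)+10. The other branches are unchanged. */
long dpf_index(int r, int fixed)
{
	int a = fixed ? 10 : 8;
	return r <= 8 ? r : r <= 15 ? r - 16 : r <= 18 ? r + a : r - 10;
}

/* Name of the field a slot index lands on. Negative indices reach below
 * pt_regs into the switch_stack (r9-r15); past the end is plain garbage. */
const char *dpf_slot_name(long idx)
{
	if (idx < 0)
		return "switch_stack";
	if ((size_t)idx >= NSLOTS)
		return "out-of-struct";
	return slot_names[idx];
}

/* 1 if dpf_reg(r) really addresses the field named r<r>, else 0. */
int dpf_maps_correctly(int r, int fixed)
{
	char want[8];
	snprintf(want, sizeof want, "r%d", r);
	return strcmp(dpf_slot_name(dpf_index(r, fixed)), want) == 0;
}

int main(void)
{
	/* a0-a2 are r16-r18; the fixup in the oops above wrote a1 = r17. */
	for (int r = 16; r <= 18; r++)
		printf("r%d: before -> %s, after -> %s\n", r, dpf_slot_name(dpf_index(r, 0)), dpf_slot_name(dpf_index(r, 1)));
	return 0;
}
```

With the old arithmetic the a1 (r17) fixup lands on gp, which is the clobbered register in the oops; with +10 all three argument registers map to their own slots.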