Linux C-SKY architecture development
From: hlsong <pgeorge8929@gmail.com>
To: Guo Ren <guoren@kernel.org>
Cc: linux-csky@vger.kernel.org, linux-kernel@vger.kernel.org,
	hlsong89 <pgeorge8929@gmail.com>
Subject: [PATCH v2] csky: Fix a4/a5 restoration in syscall trace path
Date: Thu, 21 May 2026 19:33:56 +0800
Message-ID: <20260521113356.58513-1-pgeorge8929@gmail.com>
In-Reply-To: <CAJF2gTRumJwDi19nCmKZa+6KvvNvRSo=Jhyd7f6=5pe9J5Q0nQ@mail.gmail.com>

From: hlsong89 <pgeorge8929@gmail.com>

The syscall trace path reloads syscall arguments from pt_regs before
calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
arguments are prepared as stack arguments before invoking syscallid.

The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
those offsets are relative to the original pt_regs base, loading them
after changing sp fetches the wrong slots. As a result, traced syscalls
that use the 5th or 6th argument may receive corrupted arguments.

This is visible with mmap2(), which takes six arguments. A small
PTRACE_SYSCALL reproducer opens a file and maps one page with:

  mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)

Before the fix, the traced child fails the mmap and exits with 12.
After the fix, the mapping succeeds and the child exits with 0.

Fix the trace path by loading a4/a5 from pt_regs before changing sp.

Tested on: ck860f, linux-4.19.15, C-SKY abiv2

Suggested-by: Guo Ren <guoren@kernel.org>
Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
---
Changes in v2:
- Use Guo Ren's suggested approach to handle the ABIv2 stack arguments.
- Tested with the ptrace+mmap reproducer.

 arch/csky/kernel/entry.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
index c68cdcc76..3261f46f2 100644
--- a/arch/csky/kernel/entry.S
+++ b/arch/csky/kernel/entry.S
@@ -93,11 +93,11 @@ csky_syscall_trace:
 	ldw	a2, (sp, LSAVE_A2)
 	ldw	a3, (sp, LSAVE_A3)
 #if defined(__CSKYABIV2__)
-	subi	sp, 8
 	ldw	r9, (sp, LSAVE_A4)
+	ldw	r10, (sp, LSAVE_A5)
+	subi	sp, 8
 	stw	r9, (sp, 0x0)
-	ldw	r9, (sp, LSAVE_A5)
-	stw	r9, (sp, 0x4)
+	stw	r10, (sp, 0x4)
 	jsr	syscallid                     /* Do system call */
 	addi	sp, 8
 #else
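Review bot: the reordering is correct as far as the hunk shows (both LSAVE_A4 and LSAVE_A5 are now read relative to the original pt_regs base before `subi sp, 8`), but the hunk introduces r10 as a second scratch register with no comment, and nothing in the visible lines explains why the two loads must come before the stack adjustment. Please confirm r10 is safe to clobber on this path (it has to be reloaded from pt_regs before returning to userspace, like r9 already is) and add a short comment above `ldw r9, (sp, LSAVE_A4)` stating that LSAVE_* offsets are pt_regs-relative and the loads must precede `subi sp, 8`, so a later reorder does not silently reintroduce the corrupted 5th/6th argument.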

base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
-- 
2.25.1
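
The following C program is an added example, not part of the patch or of the author's own reproducer: it implements the PTRACE_SYSCALL check the commit message describes. The tracer resumes the child with PTRACE_SYSCALL at every stop so each syscall takes the trace path, and the child performs the six-argument mmap; an exit status of 12 means the mapping failed and 0 means the 5th/6th arguments reached mmap2 intact. Mapping /proc/self/exe is an assumption made here so the example runs anywhere without a fixture file.

```c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Child: ask to be traced, then do the six-argument mmap from the commit
 * message. Exit 0 if the mapping succeeds, 12 if mmap fails. */
static void traced_child(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
        raise(SIGSTOP);  /* give the tracer a first stop to resume from */
    /* Assumption: map the running binary itself (readable and executable, since it is running) */
    int fd = open("/proc/self/exe", O_RDONLY);
    if (fd < 0)
        _exit(12);
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    _exit(p == MAP_FAILED ? 12 : 0);
}

/* Tracer: fork the child and resume it with PTRACE_SYSCALL at every stop,
 * so each syscall (including mmap2) goes through the syscall trace path.
 * Returns the child's exit status: 0 = mapping ok, 12 = mmap failed, -1 = harness error. */
int run_traced_mmap(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        traced_child();
    for (;;) {
        int status;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return -1;
        /* signal-delivery or syscall stop: let the child run to the next syscall */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
    }
}

int main(void)
{
    int rc = run_traced_mmap();
    printf("traced child exit status %d (%s)\n", rc, rc == 0 ? "mmap ok" : "mmap failed");
    return rc;
}
```

On a kernel with the bug the traced child reports 12; on a fixed kernel (or any architecture not affected) it reports 0.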


Thread overview: 9+ messages
2026-05-21  9:59 [PATCH] csky: Fix a4/a5 restoration in syscall trace path hlsong
2026-05-21 10:15 ` Guo Ren
2026-05-21 11:33   ` hlsong [this message]
2026-05-21 15:44     ` [PATCH v2] " Guo Ren
2026-05-21 10:29       ` Hanlin Song
     [not found]       ` <CABvmTk2+kd9n7xwSK=nnDBK4nC62sS7Du-MVeY17XV-p9pRufQ@mail.gmail.com>
2026-05-22  0:53         ` Guo Ren
2026-05-22  3:18           ` [PATCH v3] " Hanlin Song
2026-06-04  3:59             ` Hanlin Song
2026-06-04 11:44               ` Guo Ren
