From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alex Smith <alex.smith@imgtec.com>,
Aurelien Jarno <aurelien@aurel32.net>,
linux-mips@linux-mips.org, Ralf Baechle <ralf@linux-mips.org>
Subject: [PATCH 3.16 061/158] MIPS: O32/32-bit: Fix bug which can cause incorrect system call restarts
Date: Mon, 15 Sep 2014 12:25:00 -0700 [thread overview]
Message-ID: <20140915192544.722247014@linuxfoundation.org> (raw)
In-Reply-To: <20140915192542.872134685@linuxfoundation.org>
3.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Smith <alex.smith@imgtec.com>
commit e90e6fddc57055c4c6b57f92787fea1c065d440b upstream.
On 32-bit/O32, pt_regs has a padding area at the beginning into which the
syscall arguments passed via the user stack are copied. 4 arguments
totalling 16 bytes are copied to offset 16 bytes into this area, however
the area is only 24 bytes long. This means the last 2 arguments overwrite
pt_regs->regs[{0,1}].
If a syscall function returns an error, handle_sys stores the original
syscall number in pt_regs->regs[0] for syscall restart. signal.c checks
whether regs[0] is non-zero, if it is it will check whether the syscall
return value is one of the ERESTART* codes to see if it must be
restarted.
Should a syscall be made that results in a non-zero value being copied
off the user stack into regs[0], and then returns a positive (non-error)
value that matches one of the ERESTART* error codes, this can be mistaken
for requiring a syscall restart.
While the possibility for this to occur has always existed, it is made
much more likely to occur by commit 46e12c07b3b9 ("MIPS: O32 / 32-bit:
Always copy 4 stack arguments."), since now every syscall will copy 4
arguments and overwrite regs[0], rather than just those with 7 or 8
arguments.
Since that commit, booting Debian under a 32-bit MIPS kernel almost
always results in a hang early in boot, due to a wait4 syscall returning
a PID that matches one of the ERESTART* codes, which then causes an
incorrect restart of the syscall.
The problem is fixed by increasing the size of the padding area so that
arguments copied off the stack will not overwrite pt_regs->regs[{0,1}].
Signed-off-by: Alex Smith <alex.smith@imgtec.com>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7454/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/include/asm/ptrace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/include/asm/ptrace.h
+++ b/arch/mips/include/asm/ptrace.h
@@ -23,7 +23,7 @@
struct pt_regs {
#ifdef CONFIG_32BIT
/* Pad bytes for argument save space on the stack. */
- unsigned long pad0[6];
+ unsigned long pad0[8];
#endif
/* Saved main processor registers. */
next prev parent reply other threads:[~2014-09-15 19:28 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20140915192542.872134685@linuxfoundation.org>
2014-09-15 19:24 ` [PATCH 3.16 060/158] MIPS: GIC: Prevent array overrun Greg Kroah-Hartman
2014-09-15 19:25 ` Greg Kroah-Hartman [this message]
2014-09-15 19:25 ` [PATCH 3.16 062/158] MIPS: ptrace: Test correct tasks flags in task_user_regset_view() Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 063/158] MIPS: ptrace: Change GP regset to use correct core dump register layout Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 064/158] MIPS: ptrace: Avoid smp_processor_id() when retrieving FPU IR Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 065/158] MIPS: smp-mt: Fix link error when PROC_FS=n Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 066/158] MIPS: Prevent user from setting FCSR cause bits Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 067/158] MIPS: tlbex: Fix a missing statement for HUGETLB Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 068/158] MIPS: Remove BUG_ON(!is_fpu_owner()) in do_ade() Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 069/158] MIPS: asm/reg.h: Make 32- and 64-bit definitions available at the same time Greg Kroah-Hartman
2014-09-15 19:25 ` [PATCH 3.16 072/158] MIPS: Malta: Improve system memory detection for {e, }memsize >= 2G Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140915192544.722247014@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alex.smith@imgtec.com \
--cc=aurelien@aurel32.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=ralf@linux-mips.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox