* [PATCH] powerpc: Never handle VSX alignment exceptions from kernel
@ 2013-08-20 6:05 Anton Blanchard
2013-08-20 10:04 ` Michael Neuling
0 siblings, 1 reply; 3+ messages in thread
From: Anton Blanchard @ 2013-08-20 6:05 UTC (permalink / raw)
To: benh, paulus, mikey, amodra; +Cc: linuxppc-dev
The VSX alignment handler needs to write out the existing VSX
state to memory before operating on it (flush_vsx_to_thread()).
If we take a VSX alignment exception in the kernel, bad things
will happen. It looks like we could write the kernel state out
to the user process, or we could handle the kernel exception
using data from the user process (depending on whether MSR_VSX is set
or not).
Worse still, if the code to read or write the VSX state causes an
alignment exception, we will recurse forever. I ended up with
hundreds of megabytes of kernel stack to look through as a result.
Floating point and SPE code have similar issues but already include
a user check. Add the same check to emulate_vsx().
Signed-off-by: Anton Blanchard <anton@samba.org>
---
Index: b/arch/powerpc/kernel/align.c
===================================================================
--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -651,6 +651,10 @@ static int emulate_vsx(unsigned char __u
int sw = 0;
int i, j;
+ /* userland only */
+ if (unlikely(!user_mode(regs)))
+ return 0;
+
flush_vsx_to_thread(current);
if (reg < 32)
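Review bot: the `return 0` added before `flush_vsx_to_thread(current)` relies on the caller treating 0 as "not emulated" so that a kernel-mode alignment fault falls through to the kernel fault path rather than being reported as a successfully emulated instruction; the commit message only says "bad things will happen" today, so it should state the resulting behaviour (a single oops instead of silent state corruption or unbounded recursion), and the comment above the check could say the same, e.g. `/* never emulate from kernel mode; let the caller oops */`.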
* Re: [PATCH] powerpc: Never handle VSX alignment exceptions from kernel
2013-08-20 6:05 [PATCH] powerpc: Never handle VSX alignment exceptions from kernel Anton Blanchard
@ 2013-08-20 10:04 ` Michael Neuling
2013-08-20 10:30 ` Anton Blanchard
0 siblings, 1 reply; 3+ messages in thread
From: Michael Neuling @ 2013-08-20 10:04 UTC (permalink / raw)
To: Anton Blanchard; +Cc: Paul Mackerras, linuxppc-dev, amodra
On Tue, Aug 20, 2013 at 4:05 PM, Anton Blanchard <anton@samba.org> wrote:
>
> The VSX alignment handler needs to write out the existing VSX
> state to memory before operating on it (flush_vsx_to_thread()).
> If we take a VSX alignment exception in the kernel, bad things
> will happen. It looks like we could write the kernel state out
> to the user process, or we could handle the kernel exception
> using data from the user process (depending on whether MSR_VSX is set
> or not).
>
> Worse still, if the code to read or write the VSX state causes an
> alignment exception, we will recurse forever. I ended up with
> hundreds of megabytes of kernel stack to look through as a result.
>
> Floating point and SPE code have similar issues but already include
> a user check. Add the same check to emulate_vsx().
>
Can you say what will happen when you apply this patch, i.e. it
produces one oops rather than megabytes of crap, making it easier
to debug.
Also, can you give a clue as to how you can hit this since it should
never happen in the first place. I assume it's some LE corner case...
Mikey
> Signed-off-by: Anton Blanchard <anton@samba.org>
> ---
>
> Index: b/arch/powerpc/kernel/align.c
> ===================================================================
> --- a/arch/powerpc/kernel/align.c
> +++ b/arch/powerpc/kernel/align.c
> @@ -651,6 +651,10 @@ static int emulate_vsx(unsigned char __u
> int sw = 0;
> int i, j;
>
> + /* userland only */
> + if (unlikely(!user_mode(regs)))
> + return 0;
> +
> flush_vsx_to_thread(current);
>
> if (reg < 32)
>
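Review bot: the `/* userland only */` comment is too terse for a check that is load-bearing: it has to stay ahead of `flush_vsx_to_thread(current)`, because the flush is what would write kernel VSX state into the user thread's save area and what can itself take an alignment fault and recurse, as the commit message describes. Suggest a comment that names the reason, e.g. `/* Kernel VSX state must never be flushed to, or read from, the user thread */`, so the check is not later removed as redundant.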
* Re: [PATCH] powerpc: Never handle VSX alignment exceptions from kernel
2013-08-20 10:04 ` Michael Neuling
@ 2013-08-20 10:30 ` Anton Blanchard
0 siblings, 0 replies; 3+ messages in thread
From: Anton Blanchard @ 2013-08-20 10:30 UTC (permalink / raw)
To: Michael Neuling; +Cc: Paul Mackerras, linuxppc-dev, amodra
Hi,
> Can you say what will happen when you apply this patch, i.e. it
> produces one oops rather than megabytes of crap, making it easier
> to debug.
Good point, updated.
> Also, can you give a clue as to how you can hit this since it should
> never happen in the first place. I assume it's some LE corner case...
While it was found on LE, after reading the POWER7 docs I think we can
hit it pretty easily on BE. All it takes is a 4 byte aligned VSX load
or store. Misaligning the FPR array in the thread struct would be
enough to do it and we'd end up scribbling over memory until we self
destruct.
Anton
--
The VSX alignment handler needs to write out the existing VSX
state to memory before operating on it (flush_vsx_to_thread()).
If we take a VSX alignment exception in the kernel, bad things
will happen. It looks like we could write the kernel state out
to the user process, or we could handle the kernel exception
using data from the user process (depending on whether MSR_VSX is set
or not).
Worse still, if the code to read or write the VSX state causes an
alignment exception, we will recurse forever. I ended up with
hundreds of megabytes of kernel stack to look through as a result.
Floating point and SPE code have similar issues but already include
a user check. Add the same check to emulate_vsx().
With this patch any unaligned VSX loads and stores in the kernel
will show up as a clear oops rather than silent corruption of
kernel or userspace VSX state, or worse, corruption of a potentially
unlimited amount of kernel memory.
Signed-off-by: Anton Blanchard <anton@samba.org>
---
Index: b/arch/powerpc/kernel/align.c
===================================================================
--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -651,6 +651,10 @@ static int emulate_vsx(unsigned char __u
int sw = 0;
int i, j;
+ /* userland only */
+ if (unlikely(!user_mode(regs)))
+ return 0;
+
flush_vsx_to_thread(current);
if (reg < 32)
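Review bot: the hunk is identical to the earlier posting; only the commit message gained the paragraph describing the oops outcome, which answers the question raised in review. One thing the message still lacks is how the condition is reached at all: the reply above says a 4-byte-aligned VSX load or store from kernel code, for instance with a misaligned FPR array in the thread struct, is enough. That is exactly what someone bisecting to this commit will want to know, so consider folding that sentence into the changelog.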