linux-kernel.vger.kernel.org archive mirror
From: Sam Ravnborg <sam@ravnborg.org>
To: Mikael Pettersson <mikpelinux@gmail.com>
Cc: David Miller <davem@davemloft.net>,
	matorola@gmail.com, sparclinux@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: strace-4.18 test suite oopses sparc64 4.12 and 4.13-rc kernels
Date: Wed, 2 Aug 2017 23:36:47 +0200
Message-ID: <20170802213647.GA5506@ravnborg.org>
In-Reply-To: <20170801205829.GA7496@ravnborg.org>

On Tue, Aug 01, 2017 at 10:58:29PM +0200, Sam Ravnborg wrote:
> Hi Mikael.
> 
> I think this translates to the following code
> from linux/uaccess.h
> 
> first part is the inlined _copy_from_user()
> 
> > 
> > (gdb) x/10i do_sys_poll+0x80-16
> >    0x516ed0 <do_sys_poll+112>:  brz  %o0, 0x5170fc <do_sys_poll+668>
> if (unlikely(res))
> 
> >    0x516ed4 <do_sys_poll+116>:  mov  %o0, %o2
> >    0x516ed8 <do_sys_poll+120>:  sub  %i4, %o0, %i4
> >    0x516edc <do_sys_poll+124>:  clr  %o1
> >    0x516ee0 <do_sys_poll+128>:  call  0x7570b8 <memset>
> >    0x516ee4 <do_sys_poll+132>:  add  %l3, %i4, %o0
> memset(to + (n - res), 0, res);

And memset calls down to bzero, where %o0=buf, %o1=len

%o0 = 0xc
%o1 = 0xfff000123c897a80
%o2 = 0x0
%o3 = 0xc

So from this we know that:
res = 0xfff000123c897a80
to + (n - 0xfff000123c897a80) = 0xc

The value "fff000123c897a80" really looks like a constructed address
from somewhere in the strace code, and where this constructed address
is used to provoke some unusual behaviour.
The "fff0" part may be a sparc thing.

So far the analysis seems to match the initial conclusion that
we in this special case try to zero out the remaining memory
based on the return value of raw_copy_from_user.
And therefore we use the return value (res) which triggers the oops.

So rather than manipulating the assembler code as suggested
in the previous mail, this simpler patch could be tested:

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index acdd6f915a8d..13d299ff1f21 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -115,7 +115,7 @@ _copy_from_user(void *to, const void __user *from, unsigned long n)
 		res = raw_copy_from_user(to, from, n);
 	}
 	if (unlikely(res))
-		memset(to + (n - res), 0, res);
+		void: /*memset(to + (n - res), 0, res);*/
 	return res;
 }
 #else
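Review bot: the replacement line `void: /*memset(to + (n - res), 0, res);*/` will not compile, because `void` is a reserved keyword and cannot be used as a label, and the `if (unlikely(res))` above it is left with nothing but a comment as its body. For the test build, give the `if` an explicit empty block, or better, keep the memset out and record the inputs the mail asks Mikael to print, e.g. `if (unlikely(res)) WARN_ONCE(res > n, "res=%lu n=%lu to=%p\n", res, n, to);`, so the broken return value of raw_copy_from_user is captured in the log at the point where the wild memset would have happened. Keep in mind that without the memset the uncopied tail of the kernel buffer keeps whatever it held before the call, so this is a diagnostic only and must not be merged as a fix.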


It would be good to know if this makes the oops go away.

And maybe you could try to print the parameters
supplied to _copy_from_user in case memset would be called,
so we have an idea what error path is taken.

I have tried to decipher U3memcpy.S - but that is non-trivial.
So it would be good to have a bit more data to verify the theory.

	Sam

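The tail-zeroing step the mail reconstructs, `memset(to + (n - res), 0, res)` in `_copy_from_user()`, and the way an out-of-contract `res` turns it into a wild memset, as an added C model that is not code from this thread or from the kernel tree. It assumes a 64-bit build; `faulting_raw_copy`, `bogus_raw_copy`, the `fault_at` knob, the 16-byte constructed buffers and the `res > n` guard in `model_copy_from_user` are illustration only, and the bogus return value is the 0xfff000123c897a80 from the register dump above.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Contract modelled (include/linux/uaccess.h): raw_copy_from_user() returns
 * the number of bytes it could NOT copy, 0 for full success and never more
 * than n; _copy_from_user() then zeroes that uncopied tail so the kernel
 * buffer carries no stale data. The raw routine is a function pointer here
 * so a faulting and a contract-breaking variant can be plugged in. */
typedef size_t (*raw_copy_fn)(void *to, const void *from, size_t n);

/* Constructed test knob: offset of the first "unreadable" user byte (a real
 * kernel learns this from the page fault inside the arch copy routine). */
static size_t fault_at = SIZE_MAX;

static size_t faulting_raw_copy(void *to, const void *from, size_t n)
{
	size_t copied = fault_at < n ? fault_at : n;
	memcpy(to, from, copied);
	return n - copied;			/* uncopied count, always <= n */
}

/* Stand-in for an arch routine that breaks the contract by returning the
 * value seen as %o1 of the bzero call in the register dump above. */
static size_t bogus_raw_copy(void *to, const void *from, size_t n)
{
	(void)to; (void)from; (void)n;
	return (size_t)0xfff000123c897a80ULL;
}

/* Offset memset(to + (n - res), 0, res) adds to "to", in the unsigned 64-bit
 * arithmetic the compiled code performs; for res > n it wraps around. */
static uint64_t tail_offset(uint64_t n, uint64_t res)
{
	return n - res;
}

/* Mirror of _copy_from_user() plus one added guard: a result larger than n
 * is not a valid uncopied count, so it is treated as total failure (buffer
 * fully zeroed, n returned) instead of being handed to memset. */
static size_t model_copy_from_user(raw_copy_fn raw, void *to, const void *from,
				   size_t n, int *contract_violated)
{
	size_t res = raw(to, from, n);
	*contract_violated = res > n;
	if (res > n) {
		memset(to, 0, n);
		return n;
	}
	if (res)
		memset((char *)to + (n - res), 0, res);	/* zero the uncopied tail */
	return res;
}

/* Copy a constructed 16-byte "user" buffer with a fault at byte `fault`.
 * Returns 1 if bytes before the fault match the source, bytes from the fault
 * on are zero, and the returned count equals the uncopied length. */
static int partial_copy_tail_is_zeroed(size_t fault)
{
	unsigned char user[16], kbuf[16];
	size_t i, res, expect = fault < sizeof kbuf ? sizeof kbuf - fault : 0;
	int violated;
	for (i = 0; i < sizeof user; i++)
		user[i] = (unsigned char)('A' + i);	/* constructed data A..P */
	memset(kbuf, 0xAA, sizeof kbuf);		/* stale bytes a leak would expose */
	fault_at = fault;
	res = model_copy_from_user(faulting_raw_copy, kbuf, user, sizeof kbuf, &violated);
	fault_at = SIZE_MAX;
	if (violated || res != expect)
		return 0;
	for (i = 0; i < sizeof kbuf; i++)
		if (kbuf[i] != (i < fault ? user[i] : 0))
			return 0;
	return 1;
}

/* Feed the contract-breaking routine through the guarded wrapper. Returns 1
 * if the guard fired, n was returned and no stale byte survived. */
static int bogus_res_is_rejected(void)
{
	unsigned char user[16] = {0}, kbuf[16];
	size_t i, res;
	int violated;
	memset(kbuf, 0xAA, sizeof kbuf);
	res = model_copy_from_user(bogus_raw_copy, kbuf, user, sizeof kbuf, &violated);
	if (!violated || res != sizeof kbuf)
		return 0;
	for (i = 0; i < sizeof kbuf; i++)
		if (kbuf[i] != 0)
			return 0;
	return 1;
}

int main(void)
{
	printf("partial copy ok: %d, bogus res rejected: %d\n",
	       partial_copy_tail_is_zeroed(10), bogus_res_is_rejected());
	printf("n=64, res=0xfff000123c897a80 -> memset at to + 0x%016llx\n",
	       (unsigned long long)tail_offset(64, 0xfff000123c897a80ULL));
	return 0;
}
```

The wrapped offset for n = 64 is the point of the exercise: by the time memset runs, `to + (n - res)` has already left the buffer by roughly 4.5 PB and the length argument is the same huge value, so a guard has to be placed on `res` itself, before the address is formed, and the real fix lies in whatever made raw_copy_from_user return such a value.
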
Thread overview: 21+ messages
2017-07-27 19:45 strace-4.18 test suite oopses sparc64 4.12 and 4.13-rc kernels Mikael Pettersson
2017-07-28  5:10 ` David Miller
2017-07-28  8:45   ` Mikael Pettersson
2017-07-28 18:27     ` David Miller
2017-07-28 18:37       ` David Miller
2017-07-29 10:52     ` Anatoly Pugachev
2017-07-29 12:02       ` Mikael Pettersson
2017-07-31 17:14         ` Mikael Pettersson
2017-07-31 21:48           ` Anatoly Pugachev
2017-07-31 21:51             ` David Miller
2017-07-31 22:01               ` Anatoly Pugachev
2017-07-31 22:06                 ` David Miller
2017-08-01  7:29                   ` Mikael Pettersson
2017-08-01 20:58                     ` Sam Ravnborg
2017-08-02 21:36                       ` Sam Ravnborg [this message]
2017-08-02 23:27                         ` David Miller
2017-08-03 20:02                         ` Mikael Pettersson
2017-08-03 21:57                           ` David Miller
2017-08-04  5:44                             ` Sam Ravnborg
2017-08-04  8:02                             ` Mikael Pettersson
2017-08-04 16:48                               ` David Miller
