public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qian Cai <cai@lca.pw>, Christophe Leroy <christophe.leroy@c-s.fr>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Sasha Levin <sashal@kernel.org>,
	linuxppc-dev@lists.ozlabs.org
Subject: [PATCH AUTOSEL 4.14 068/108] powerpc/64s/pgtable: fix an undefined behaviour
Date: Wed, 17 Jun 2020 21:25:20 -0400
Message-ID: <20200618012600.608744-68-sashal@kernel.org>
In-Reply-To: <20200618012600.608744-1-sashal@kernel.org>

From: Qian Cai <cai@lca.pw>

[ Upstream commit c2e929b18cea6cbf71364f22d742d9aad7f4677a ]

Booting a power9 server with hash MMU could trigger an undefined
behaviour because pud_offset(p4d, 0) will do,

0 >> (PAGE_SHIFT:16 + PTE_INDEX_SIZE:8 + H_PMD_INDEX_SIZE:10)

Fix it by converting pud_index() and friends to static inline
functions.

UBSAN: shift-out-of-bounds in arch/powerpc/mm/ptdump/ptdump.c:282:15
shift exponent 34 is too large for 32-bit type 'int'
CPU: 6 PID: 1 Comm: swapper/0 Not tainted 5.6.0-rc4-next-20200303+ #13
Call Trace:
dump_stack+0xf4/0x164 (unreliable)
ubsan_epilogue+0x18/0x78
__ubsan_handle_shift_out_of_bounds+0x160/0x21c
walk_pagetables+0x2cc/0x700
walk_pud at arch/powerpc/mm/ptdump/ptdump.c:282
(inlined by) walk_pagetables at arch/powerpc/mm/ptdump/ptdump.c:311
ptdump_check_wx+0x8c/0xf0
mark_rodata_ro+0x48/0x80
kernel_init+0x74/0x194
ret_from_kernel_thread+0x5c/0x74

Suggested-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
Link: https://lore.kernel.org/r/20200306044852.3236-1-cai@lca.pw
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/book3s/64/pgtable.h | 23 ++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h
index bcb79a96a6c8..618ee2c0ed53 100644
--- a/arch/powerpc/include/asm/book3s/64/pgtable.h
+++ b/arch/powerpc/include/asm/book3s/64/pgtable.h
@@ -898,10 +898,25 @@ extern struct page *pgd_page(pgd_t pgd);
 #define pud_page_vaddr(pud)	__va(pud_val(pud) & ~PUD_MASKED_BITS)
 #define pgd_page_vaddr(pgd)	__va(pgd_val(pgd) & ~PGD_MASKED_BITS)
 
-#define pgd_index(address) (((address) >> (PGDIR_SHIFT)) & (PTRS_PER_PGD - 1))
-#define pud_index(address) (((address) >> (PUD_SHIFT)) & (PTRS_PER_PUD - 1))
-#define pmd_index(address) (((address) >> (PMD_SHIFT)) & (PTRS_PER_PMD - 1))
-#define pte_index(address) (((address) >> (PAGE_SHIFT)) & (PTRS_PER_PTE - 1))
+static inline unsigned long pgd_index(unsigned long address)
+{
+	return (address >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1);
+}
+
+static inline unsigned long pud_index(unsigned long address)
+{
+	return (address >> PUD_SHIFT) & (PTRS_PER_PUD - 1);
+}
+
+static inline unsigned long pmd_index(unsigned long address)
+{
+	return (address >> PMD_SHIFT) & (PTRS_PER_PMD - 1);
+}
+
+static inline unsigned long pte_index(unsigned long address)
+{
+	return (address >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
+}
 
 /*
  * Find an entry in a page-table-directory.  We combine the address region
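Review bot: the replacement definitions at the top of this hunk (pgd_index() through pte_index()) cure the report only because the unsigned long parameter converts an int argument such as the literal 0 in pud_offset(p4d, 0) before the shift happens, and nothing in the hunk records that. Suggest a one-line comment above pgd_index() saying the helpers must stay functions (or otherwise force an unsigned long left operand) because PUD_SHIFT is 34 on this configuration and shifting an int by that count is undefined, so the next cleanup does not fold them back into macros. Also worth confirming that nothing in the tree tests these four names with #ifdef/#ifndef, since after this hunk they are no longer preprocessor symbols.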
-- 
2.25.1
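The undefined shift described in the commit message, as an added example that is not code from the patch, the kernel tree or its author. The constants are the values quoted in the message (PAGE_SHIFT 16, PTE_INDEX_SIZE 8, H_PMD_INDEX_SIZE 10, giving PUD_SHIFT 34); H_PUD_INDEX_SIZE, the pud_index_macro name and the shift_is_defined / macro_shift_defined_for_int / inline_shift_defined / index_of_address_zero helpers are assumptions made for this illustration. It assumes an LP64 host (64-bit unsigned long, 32-bit int), as on ppc64, and never evaluates the macro with an int argument because that is the undefined case.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Values quoted in the commit message for the hash MMU with 64K pages,
 * reproduced here as plain constants (assumed; the kernel derives its own
 * from Kconfig and this file does not include the kernel headers).
 */
#define PAGE_SHIFT        16
#define PTE_INDEX_SIZE    8
#define H_PMD_INDEX_SIZE  10
#define H_PUD_INDEX_SIZE  10   /* assumed value; only sizes the index mask */

#define PMD_SHIFT    (PAGE_SHIFT + PTE_INDEX_SIZE)      /* 24 */
#define PUD_SHIFT    (PMD_SHIFT + H_PMD_INDEX_SIZE)     /* 34 */
#define PTRS_PER_PUD (1UL << H_PUD_INDEX_SIZE)

/*
 * "Before": the macro form removed by the patch, renamed pud_index_macro so
 * both forms can coexist.  The left operand of >> keeps the caller's type,
 * so pud_index_macro(0) would shift a 32-bit int by 34, which C leaves
 * undefined (the UBSAN report in the message).  It is only ever called
 * with an unsigned long below.
 */
#define pud_index_macro(address) (((address) >> (PUD_SHIFT)) & (PTRS_PER_PUD - 1))

/*
 * "After": the static inline form added by the patch.  Every argument is
 * converted to unsigned long before the shift, so a count of 34 is in
 * range on an LP64 target.
 */
static inline unsigned long pud_index(unsigned long address)
{
	return (address >> PUD_SHIFT) & (PTRS_PER_PUD - 1);
}

/* C99 6.5.7: the shift count must be less than the width of the promoted left operand. */
static int shift_is_defined(unsigned int operand_bits, unsigned int shift)
{
	return shift < operand_bits;
}

/* Would the macro's shift be defined when the address argument is an int? */
static int macro_shift_defined_for_int(void)
{
	return shift_is_defined(sizeof(int) * CHAR_BIT, PUD_SHIFT);
}

/* Is the inline helper's shift defined for its unsigned long operand? */
static int inline_shift_defined(void)
{
	return shift_is_defined(sizeof(unsigned long) * CHAR_BIT, PUD_SHIFT);
}

/* The call shape that tripped UBSAN: an int literal 0 as the address. */
static unsigned long index_of_address_zero(void)
{
	return pud_index(0);   /* 0 becomes unsigned long at the call boundary */
}

int main(void)
{
	unsigned long addr = 3UL << PUD_SHIFT;   /* constructed sample address */

	printf("int left operand, shift by %d defined: %d\n",
	       PUD_SHIFT, macro_shift_defined_for_int());
	printf("unsigned long left operand, shift by %d defined: %d\n",
	       PUD_SHIFT, inline_shift_defined());
	printf("pud_index(0) = %lu\n", index_of_address_zero());
	printf("pud_index(3 << PUD_SHIFT) = %lu (macro, unsigned long arg: %lu)\n",
	       pud_index(addr), pud_index_macro(addr));
	return 0;
}
```

Building this with -fsanitize=undefined and adding a call such as pud_index_macro(0) reproduces the "shift exponent 34 is too large for 32-bit type 'int'" diagnostic from the message; the function form cannot produce it because the parameter type fixes the operand width regardless of what the caller passes.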

