From: James Hogan <jhogan@kernel.org>
To: Matt Redfearn <matt.redfearn@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>,
linux-mips@linux-mips.org, stable@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/4] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Wed, 18 Apr 2018 23:02:37 +0100 [thread overview]
Message-ID: <20180418220237.GC16439@saruman> (raw)
In-Reply-To: <1523979603-492-1-git-send-email-matt.redfearn@mips.com>
[-- Attachment #1: Type: text/plain, Size: 1710 bytes --]
On Tue, Apr 17, 2018 at 04:40:00PM +0100, Matt Redfearn wrote:
> The label .Llast_fixup\@ is jumped to on page fault within the final
> byte set loop of memset (on < MIPSR6 architectures). For some reason, in
> this fault handler, the v1 register is randomly set to a2 & STORMASK.
> This clobbers v1 for the calling function. This can be observed with the
> following test code:
>
> static int __init __attribute__((optimize("O0"))) test_clear_user(void)
> {
> register int t asm("v1");
> char *test;
> int j, k;
>
> pr_info("\n\n\nTesting clear_user\n");
> test = vmalloc(PAGE_SIZE);
>
> for (j = 256; j < 512; j++) {
> t = 0xa5a5a5a5;
> if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
> pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
> }
> if (t != 0xa5a5a5a5) {
> pr_err("v1 was clobbered to 0x%x!\n", t);
> }
> }
>
> return 0;
> }
> late_initcall(test_clear_user);
>
> Which demonstrates that v1 is indeed clobbered (MIPS64):
>
> Testing clear_user
> v1 was clobbered to 0x1!
> v1 was clobbered to 0x2!
> v1 was clobbered to 0x3!
> v1 was clobbered to 0x4!
> v1 was clobbered to 0x5!
> v1 was clobbered to 0x6!
> v1 was clobbered to 0x7!
>
> Since the number of bytes that could not be set is already contained in
> a2, the andi placing a value in v1 is not necessary and actively
> harmful in clobbering v1.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Reported-by: James Hogan <jhogan@kernel.org>
> Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
Thanks, Patches 1 & 2 applied to my fixes branch.
Cheers
James
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2018-04-18 22:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-17 15:40 [PATCH v2 1/4] MIPS: memset.S: Fix clobber of v1 in last_fixup Matt Redfearn
2018-04-17 15:40 ` [PATCH v2 2/4] MIPS: uaccess: Add micromips clobbers to bzero invocation Matt Redfearn
2018-04-18 22:02 ` James Hogan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180418220237.GC16439@saruman \
--to=jhogan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=matt.redfearn@mips.com \
--cc=ralf@linux-mips.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).