From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jens Axboe <axboe@kernel.dk>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 5.15 78/99] powerpc: Dont try to copy PPR for task with NULL pt_regs
Date: Mon, 3 Apr 2023 16:09:41 +0200 [thread overview]
Message-ID: <20230403140406.379803918@linuxfoundation.org> (raw)
In-Reply-To: <20230403140356.079638751@linuxfoundation.org>
From: Jens Axboe <axboe@kernel.dk>
commit fd7276189450110ed835eb0a334e62d2f1c4e3be upstream.
powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which
from my (arguably very short) checking is not commonly done for other
archs. This is fine, except when PF_IO_WORKER's have been created and
the task does something that causes a coredump to be generated. Then we
get this crash:
Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)
BUG: Kernel NULL pointer dereference on read at 0x00000160
Faulting instruction address: 0xc0000000000c3a60
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries
Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod
CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88
Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0
REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 88082828 XER: 200400f8
...
NIP memcpy_power7+0x200/0x7d0
LR ppr_get+0x64/0xb0
Call Trace:
ppr_get+0x40/0xb0 (unreliable)
__regset_get+0x180/0x1f0
regset_get_alloc+0x64/0x90
elf_core_dump+0xb98/0x1b60
do_coredump+0x1c34/0x24a0
get_signal+0x71c/0x1410
do_notify_resume+0x140/0x6f0
interrupt_exit_user_prepare_main+0x29c/0x320
interrupt_exit_user_prepare+0x6c/0xa0
interrupt_return_srr_user+0x8/0x138
Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL
pt_regs.
Check for a valid pt_regs in both ppc_get/ppr_set, and return an error
if not set. The actual error value doesn't seem to be important here, so
just pick -EINVAL.
Fixes: fa439810cc1b ("powerpc/ptrace: Enable support for NT_PPPC_TAR, NT_PPC_PPR, NT_PPC_DSCR")
Cc: stable@vger.kernel.org # v4.8+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[mpe: Trim oops in change log, add Fixes & Cc stable]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/d9f63344-fe7c-56ae-b420-4a1a04a2ae4c@kernel.dk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/ptrace/ptrace-view.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/powerpc/kernel/ptrace/ptrace-view.c
+++ b/arch/powerpc/kernel/ptrace/ptrace-view.c
@@ -290,6 +290,9 @@ static int gpr_set(struct task_struct *t
static int ppr_get(struct task_struct *target, const struct user_regset *regset,
struct membuf to)
{
+ if (!target->thread.regs)
+ return -EINVAL;
+
return membuf_write(&to, &target->thread.regs->ppr, sizeof(u64));
}
@@ -297,6 +300,9 @@ static int ppr_set(struct task_struct *t
unsigned int pos, unsigned int count, const void *kbuf,
const void __user *ubuf)
{
+ if (!target->thread.regs)
+ return -EINVAL;
+
return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&target->thread.regs->ppr, 0, sizeof(u64));
}
next prev parent reply other threads:[~2023-04-03 14:34 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 14:08 [PATCH 5.15 00/99] 5.15.106-rc1 review Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 01/99] fsverity: dont drop pagecache at end of FS_IOC_ENABLE_VERITY Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 02/99] usb: dwc3: gadget: move cmd_endtransfer to extra function Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 03/99] usb: dwc3: gadget: Add 1ms delay after end transfer command without IOC Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 04/99] kernel: kcsan: kcsan_test: build without structleak plugin Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 05/99] kcsan: avoid passing -g for test Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 06/99] ksmbd: dont terminate inactive sessions after a few seconds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 07/99] bus: imx-weim: fix branch condition evaluates to a garbage value Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 08/99] xfrm: Zero padding when dumping algos and encap Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 09/99] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 10/99] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 11/99] x86/PVH: obtain VGA console info in Dom0 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 12/99] net: hsr: Dont log netdev_err message on unknown prp dst node Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 13/99] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 14/99] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 15/99] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 16/99] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 17/99] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 18/99] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 19/99] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 20/99] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 21/99] tools/power turbostat: Fix /dev/cpu_dma_latency warnings Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 22/99] tools/power turbostat: fix decoding of HWP_STATUS Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 23/99] tracing: Fix wrong return in kprobe_event_gen_test.c Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 24/99] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 25/99] mips: bmips: BCM6358: disable RAC flush for TP1 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 26/99] ALSA: usb-audio: Fix recursive locking at XRUN during syncing Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 27/99] platform/x86: think-lmi: add missing type attribute Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 28/99] platform/x86: think-lmi: use correct possible_values delimiters Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 29/99] platform/x86: think-lmi: only display possible_values if available Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 30/99] platform/x86: think-lmi: Add possible_values for ThinkStation Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 31/99] mtd: rawnand: meson: invalidate cache on polling ECC bit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 32/99] SUNRPC: fix shutdown of NFS TCP client socket Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 33/99] sfc: ef10: dont overwrite offload features at NIC reset Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 34/99] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 35/99] scsi: mpt3sas: Dont print sense pool info twice Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 36/99] ptp_qoriq: fix memory leak in probe() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 37/99] net: dsa: microchip: ksz8863_smi: fix bulk access Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 38/99] r8169: fix RTL8168H and RTL8107E rx crc error Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 39/99] regulator: Handle deferred clk Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 40/99] net/net_failover: fix txq exceeding warning Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 41/99] net: stmmac: dont reject VLANs when IFF_PROMISC is set Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 42/99] drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 43/99] platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 44/99] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 45/99] s390/vfio-ap: fix memory leak in vfio_ap device driver Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 46/99] loop: suppress uevents while reconfiguring the device Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 47/99] loop: LOOP_CONFIGURE: send uevents for partitions Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 48/99] net: mvpp2: classifier flow fix fragmentation flags Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 49/99] net: mvpp2: parser fix QinQ Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 50/99] net: mvpp2: parser fix PPPoE Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 51/99] smsc911x: avoid PHY being resumed when interface is not up Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 52/99] ice: add profile conflict check for AVF FDIR Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 53/99] ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 54/99] ALSA: ymfpci: Create card with device-managed snd_devm_card_new() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 55/99] ALSA: ymfpci: Fix BUG_ON in probe function Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 56/99] net: ipa: compute DMA pool size properly Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 57/99] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 58/99] bnxt_en: Fix reporting of test result in ethtool selftest Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 59/99] bnxt_en: Fix typo in PCI id to device description string mapping Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 60/99] bnxt_en: Add missing 200G link speed reporting Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 61/99] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 62/99] net: ethernet: mtk_eth_soc: fix flow block refcounting logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 63/99] pinctrl: ocelot: Fix alt mode for ocelot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 64/99] iommu/vt-d: Allow zero SAGAW if second-stage not supported Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 65/99] Input: alps - fix compatibility with -funsigned-char Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 66/99] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 67/99] cifs: prevent infinite recursion in CIFSGetDFSRefer() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 68/99] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 69/99] Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 70/99] btrfs: fix race between quota disable and quota assign ioctls Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 71/99] btrfs: scan device in non-exclusive mode Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 72/99] zonefs: Always invalidate last cached page on append write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 73/99] can: j1939: prevent deadlock by moving j1939_sk_errqueue() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 74/99] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 75/99] net: phy: dp83869: fix default value for tx-/rx-internal-delay Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 76/99] pinctrl: amd: Disable and mask interrupts on resume Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 77/99] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` Greg Kroah-Hartman [this message]
2023-04-03 14:09 ` [PATCH 5.15 79/99] NFSv4: Fix hangs when recovering open state after a server reboot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 80/99] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 81/99] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 82/99] ALSA: hda/realtek: Add quirks for some Clevo laptops Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 83/99] ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 84/99] xtensa: fix KASAN report for show_stack Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 85/99] rcu: Fix rcu_torture_read ftrace event Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 86/99] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 87/99] drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 88/99] KVM: arm64: Disable interrupts while walking userspace PTs Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 89/99] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 90/99] KVM: VMX: Move preemption timer <=> hrtimer dance to common x86 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 91/99] KVM: x86: Inject #GP on x2APIC WRMSR that sets reserved bits 63:32 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 92/99] KVM: x86: Purge "highest ISR" cache when updating APICv state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 93/99] zonefs: Fix error message in zonefs_file_dio_append() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 94/99] selftests/bpf: Test btf dump for struct with padding only fields Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 95/99] libbpf: Fix BTF-to-C converters padding logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 96/99] selftests/bpf: Add few corner cases to test padding handling of btf_dump Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 97/99] libbpf: Fix btf_dumps packed struct determination Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 98/99] hsr: ratelimit only when errors are printed Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 99/99] x86/PVH: avoid 32-bit build warning when obtaining VGA console info Greg Kroah-Hartman
2023-04-03 22:59 ` [PATCH 5.15 00/99] 5.15.106-rc1 review Shuah Khan
2023-04-04 2:06 ` Florian Fainelli
2023-04-04 2:41 ` Bagas Sanjaya
2023-04-04 10:05 ` Naresh Kamboju
2023-04-04 10:55 ` Chris Paterson
2023-04-04 21:21 ` Guenter Roeck
2023-04-05 6:08 ` Harshit Mogalapalli
2023-04-05 8:49 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403140406.379803918@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=mpe@ellerman.id.au \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox