Message ID | 20231010114750.847794-1-mpe@ellerman.id.au (mailing list archive) |
---|---|
State | Accepted |
Commit | f0eee815babed70a749d2496a7678be5b45b4c14 |
Headers | show |
Series | powerpc/47x: Fix 47x syscall return crash | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/github-powerpc_selftests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_ppctests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 6 jobs. |
snowpatch_ozlabs/github-powerpc_sparse | success | Successfully ran 4 jobs. |
snowpatch_ozlabs/github-powerpc_kernel_qemu | success | Successfully ran 23 jobs. |
Le 10/10/2023 à 13:47, Michael Ellerman a écrit : > Eddie reported that newer kernels were crashing during boot on his 476 > FSP2 system: > > kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0) > BUG: Unable to handle kernel instruction fetch > Faulting instruction address: 0xb7ee2000 > Oops: Kernel access of bad area, sig: 11 [#1] > BE PAGE_SIZE=4K FSP-2 > Modules linked in: > CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1 > Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 > NIP: b7ee2000 LR: 8c008000 CTR: 00000000 > REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2) > MSR: 00000030 <IR,DR> CR: 00001000 XER: 20000000 > GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 > GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 > GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 > GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 > NIP [b7ee2000] 0xb7ee2000 > LR [8c008000] 0x8c008000 > Call Trace: > Instruction dump: > XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX > XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX > ---[ end trace 0000000000000000 ]--- > > The problem is in ret_from_syscall where the check for > icache_44x_need_flush is done. When the flush is needed the code jumps > out-of-line to do the flush, and then intends to jump back to continue > the syscall return. > > However the branch back to label 1b doesn't return to the correct > location, instead branching back just prior to the return to userspace, > causing bogus register values to be used by the rfi. > > The breakage was introduced by commit 6f76a01173cc > ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which > inadvertently removed the "1" label and reused it elsewhere. > > Fix it by adding named local labels in the correct locations. Note that > the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n > compiles. > > Fixes: 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") > Cc: stable@vger.kernel.org # v5.12+ > Reported-by: Eddie James <eajames@linux.ibm.com> > Link: https://lore.kernel.org/linuxppc-dev/fdaadc46-7476-9237-e104-1d2168526e72@linux.ibm.com/ > Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> > Tested-by: Eddie James <eajames@linux.ibm.com> Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> > --- > arch/powerpc/kernel/entry_32.S | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S > index 9692acb0361f..7eda33a24bb4 100644 > --- a/arch/powerpc/kernel/entry_32.S > +++ b/arch/powerpc/kernel/entry_32.S > @@ -137,8 +137,9 @@ ret_from_syscall: > lis r4,icache_44x_need_flush@ha > lwz r5,icache_44x_need_flush@l(r4) > cmplwi cr0,r5,0 > - bne- 2f > + bne- .L44x_icache_flush > #endif /* CONFIG_PPC_47x */ > +.L44x_icache_flush_return: > kuep_unlock > lwz r4,_LINK(r1) > lwz r5,_CCR(r1) > @@ -172,10 +173,11 @@ syscall_exit_finish: > b 1b > > #ifdef CONFIG_44x > -2: li r7,0 > +.L44x_icache_flush: > + li r7,0 > iccci r0,r0 > stw r7,icache_44x_need_flush@l(r4) > - b 1b > + b .L44x_icache_flush_return > #endif /* CONFIG_44x */ > > .globl ret_from_fork
On Tue, 10 Oct 2023 22:47:50 +1100, Michael Ellerman wrote: > Eddie reported that newer kernels were crashing during boot on his 476 > FSP2 system: > > kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0) > BUG: Unable to handle kernel instruction fetch > Faulting instruction address: 0xb7ee2000 > Oops: Kernel access of bad area, sig: 11 [#1] > BE PAGE_SIZE=4K FSP-2 > Modules linked in: > CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1 > Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 > NIP: b7ee2000 LR: 8c008000 CTR: 00000000 > REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2) > MSR: 00000030 <IR,DR> CR: 00001000 XER: 20000000 > GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 > GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 > GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 > GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 > NIP [b7ee2000] 0xb7ee2000 > LR [8c008000] 0x8c008000 > Call Trace: > Instruction dump: > XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX > XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX > ---[ end trace 0000000000000000 ]--- > > [...] Applied to powerpc/fixes. [1/1] powerpc/47x: Fix 47x syscall return crash https://git.kernel.org/powerpc/c/f0eee815babed70a749d2496a7678be5b45b4c14 cheers
diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S index 9692acb0361f..7eda33a24bb4 100644 --- a/arch/powerpc/kernel/entry_32.S +++ b/arch/powerpc/kernel/entry_32.S @@ -137,8 +137,9 @@ ret_from_syscall: lis r4,icache_44x_need_flush@ha lwz r5,icache_44x_need_flush@l(r4) cmplwi cr0,r5,0 - bne- 2f + bne- .L44x_icache_flush #endif /* CONFIG_PPC_47x */ +.L44x_icache_flush_return: kuep_unlock lwz r4,_LINK(r1) lwz r5,_CCR(r1) @@ -172,10 +173,11 @@ syscall_exit_finish: b 1b #ifdef CONFIG_44x -2: li r7,0 +.L44x_icache_flush: + li r7,0 iccci r0,r0 stw r7,icache_44x_need_flush@l(r4) - b 1b + b .L44x_icache_flush_return #endif /* CONFIG_44x */ .globl ret_from_fork