# git rev-parse -q --verify d29dc5caf80d3cacbccb8f9c939f4c3a4f38d66b^{commit} d29dc5caf80d3cacbccb8f9c939f4c3a4f38d66b already have revision, skipping fetch # git checkout -q -f -B kisskb d29dc5caf80d3cacbccb8f9c939f4c3a4f38d66b # git clean -qxdf # < git log -1 # commit d29dc5caf80d3cacbccb8f9c939f4c3a4f38d66b # Author: Michael Ellerman # Date: Fri Feb 1 22:03:58 2019 +1100 # # powerpc/64: Fix memcmp reading past the end of src/dest # # Chandan reported that fstests' generic/026 test hit a crash: # # BUG: Unable to handle kernel data access at 0xc00000062ac40000 # Faulting instruction address: 0xc000000000092240 # Oops: Kernel access of bad area, sig: 11 [#1] # LE SMP NR_CPUS=2048 DEBUG_PAGEALLOC NUMA pSeries # CPU: 0 PID: 27828 Comm: chacl Not tainted 5.0.0-rc2-next-20190115-00001-g6de6dba64dda #1 # NIP: c000000000092240 LR: c00000000066a55c CTR: 0000000000000000 # REGS: c00000062c0c3430 TRAP: 0300 Not tainted (5.0.0-rc2-next-20190115-00001-g6de6dba64dda) # MSR: 8000000002009033 CR: 44000842 XER: 20000000 # CFAR: 00007fff7f3108ac DAR: c00000062ac40000 DSISR: 40000000 IRQMASK: 0 # GPR00: 0000000000000000 c00000062c0c36c0 c0000000017f4c00 c00000000121a660 # GPR04: c00000062ac3fff9 0000000000000004 0000000000000020 00000000275b19c4 # GPR08: 000000000000000c 46494c4500000000 5347495f41434c5f c0000000026073a0 # GPR12: 0000000000000000 c0000000027a0000 0000000000000000 0000000000000000 # GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 # GPR20: c00000062ea70020 c00000062c0c38d0 0000000000000002 0000000000000002 # GPR24: c00000062ac3ffe8 00000000275b19c4 0000000000000001 c00000062ac30000 # GPR28: c00000062c0c38d0 c00000062ac30050 c00000062ac30058 0000000000000000 # NIP memcmp+0x120/0x690 # LR xfs_attr3_leaf_lookup_int+0x53c/0x5b0 # Call Trace: # xfs_attr3_leaf_lookup_int+0x78/0x5b0 (unreliable) # xfs_da3_node_lookup_int+0x32c/0x5a0 # xfs_attr_node_addname+0x170/0x6b0 # xfs_attr_set+0x2ac/0x340 # __xfs_set_acl+0xf0/0x230 # xfs_set_acl+0xd0/0x160 # set_posix_acl+0xc0/0x130 # posix_acl_xattr_set+0x68/0x110 # __vfs_setxattr+0xa4/0x110 # __vfs_setxattr_noperm+0xac/0x240 # vfs_setxattr+0x128/0x130 # setxattr+0x248/0x600 # path_setxattr+0x108/0x120 # sys_setxattr+0x28/0x40 # system_call+0x5c/0x70 # Instruction dump: # 7d201c28 7d402428 7c295040 38630008 38840008 408201f0 4200ffe8 2c050000 # 4182ff6c 20c50008 54c61838 7d201c28 <7d402428> 7d293436 7d4a3436 7c295040 # # The instruction dump decodes as: # subfic r6,r5,8 # rlwinm r6,r6,3,0,28 # ldbrx r9,0,r3 # ldbrx r10,0,r4 <- # # Which shows us doing an 8 byte load from c00000062ac3fff9, which # crosses the page boundary at c00000062ac40000 and faults. # # It's not OK for memcmp to read past the end of the source or # destination buffers. # # The bug is in the code at the .Lcmp_rest_lt8bytes label. To fix it # test if we have at least 4 bytes to compare and if so do a 4 byte load # and compare. Otherwise, and/or if we have anything left, jump to the # existing code that does byte at a time comparison. # # Reported-by: Chandan Rajendra # Tested-by: Chandan Rajendra # Signed-off-by: Michael Ellerman # --- # # v2: Use cmpdi not cmpwi, it's a 64-bit reg even if we "know" the value # is less than 8. # < /opt/cross/kisskb/br-mipsel-o32-full-2016.08-613-ge98b4dd/bin/mipsel-linux-gcc --version # < /opt/cross/kisskb/br-mipsel-o32-full-2016.08-613-ge98b4dd/bin/mipsel-linux-ld --version # < git log --format=%s --max-count=1 d29dc5caf80d3cacbccb8f9c939f4c3a4f38d66b # < make -s -j 48 ARCH=mips O=/kisskb/build/powerpc-fixes_mips-defconfig_mipsel CROSS_COMPILE=/opt/cross/kisskb/br-mipsel-o32-full-2016.08-613-ge98b4dd/bin/mipsel-linux- defconfig # make -s -j 48 ARCH=mips O=/kisskb/build/powerpc-fixes_mips-defconfig_mipsel CROSS_COMPILE=/opt/cross/kisskb/br-mipsel-o32-full-2016.08-613-ge98b4dd/bin/mipsel-linux- /kisskb/src/arch/mips/boot/dts/xilfpga/nexys4ddr.dts:109.16-112.8: Warning (i2c_bus_reg): /i2c@10A00000/ad7420@4B: I2C bus unit address format error, expected "4b" FIT description: Linux 5.0.0-rc1-gd29dc5caf80d Created: Fri Feb 8 07:22:53 2019 Image 0 (kernel@0) Description: Linux 5.0.0-rc1-gd29dc5caf80d Created: Fri Feb 8 07:22:53 2019 Type: Kernel Image Compression: gzip compressed Data Size: 4500905 Bytes = 4395.42 KiB = 4.29 MiB Architecture: MIPS OS: Linux Load Address: 0x80100000 Entry Point: 0x808543b0 Hash algo: sha1 Hash value: 9c4b96a6d1738e92758c37e0798d9c924c23b80e Image 1 (fdt@boston) Description: img,boston Device Tree Created: Fri Feb 8 07:22:53 2019 Type: Flat Device Tree Compression: uncompressed Data Size: 3793 Bytes = 3.70 KiB = 0.00 MiB Architecture: MIPS Hash algo: sha1 Hash value: 4799f50d688573234da6e9d7701234d394759ef4 Image 2 (fdt@ni169445) Description: NI 169445 device tree Created: Fri Feb 8 07:22:53 2019 Type: Flat Device Tree Compression: uncompressed Data Size: 1871 Bytes = 1.83 KiB = 0.00 MiB Architecture: MIPS Hash algo: sha1 Hash value: 51b89b31605ee62038c8468c429af091dfc75ec7 Image 3 (fdt@xilfpga) Description: MIPSfpga (xilfpga) Device Tree Created: Fri Feb 8 07:22:53 2019 Type: Flat Device Tree Compression: uncompressed Data Size: 2708 Bytes = 2.64 KiB = 0.00 MiB Architecture: MIPS Hash algo: sha1 Hash value: 509ce58e44c561d54539e64e9d4b47054e696fc6 Default Configuration: 'conf@default' Configuration 0 (conf@default) Description: Generic Linux kernel Kernel: kernel@0 Configuration 1 (conf@boston) Description: Boston Linux kernel Kernel: kernel@0 FDT: fdt@boston Configuration 2 (conf@ni169445) Description: NI 169445 Linux Kernel Kernel: kernel@0 FDT: fdt@ni169445 Configuration 3 (conf@xilfpga) Description: MIPSfpga Linux kernel Kernel: kernel@0 FDT: fdt@xilfpga Completed OK # rm -rf /kisskb/build/powerpc-fixes_mips-defconfig_mipsel # Build took: 0:01:28.078328