# git rev-parse -q --verify d9470757398a700d9450a43508000bcfd010c7a4^{commit} d9470757398a700d9450a43508000bcfd010c7a4 already have revision, skipping fetch # git checkout -q -f -B kisskb d9470757398a700d9450a43508000bcfd010c7a4 # git clean -qxdf # < git log -1 # commit d9470757398a700d9450a43508000bcfd010c7a4 # Author: Michael Ellerman # Date: Fri Mar 22 23:37:24 2019 +1100 # # powerpc/64: Fix memcmp reading past the end of src/dest # # Chandan reported that fstests' generic/026 test hit a crash: # # BUG: Unable to handle kernel data access at 0xc00000062ac40000 # Faulting instruction address: 0xc000000000092240 # Oops: Kernel access of bad area, sig: 11 [#1] # LE SMP NR_CPUS=2048 DEBUG_PAGEALLOC NUMA pSeries # CPU: 0 PID: 27828 Comm: chacl Not tainted 5.0.0-rc2-next-20190115-00001-g6de6dba64dda #1 # NIP: c000000000092240 LR: c00000000066a55c CTR: 0000000000000000 # REGS: c00000062c0c3430 TRAP: 0300 Not tainted (5.0.0-rc2-next-20190115-00001-g6de6dba64dda) # MSR: 8000000002009033 CR: 44000842 XER: 20000000 # CFAR: 00007fff7f3108ac DAR: c00000062ac40000 DSISR: 40000000 IRQMASK: 0 # GPR00: 0000000000000000 c00000062c0c36c0 c0000000017f4c00 c00000000121a660 # GPR04: c00000062ac3fff9 0000000000000004 0000000000000020 00000000275b19c4 # GPR08: 000000000000000c 46494c4500000000 5347495f41434c5f c0000000026073a0 # GPR12: 0000000000000000 c0000000027a0000 0000000000000000 0000000000000000 # GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 # GPR20: c00000062ea70020 c00000062c0c38d0 0000000000000002 0000000000000002 # GPR24: c00000062ac3ffe8 00000000275b19c4 0000000000000001 c00000062ac30000 # GPR28: c00000062c0c38d0 c00000062ac30050 c00000062ac30058 0000000000000000 # NIP memcmp+0x120/0x690 # LR xfs_attr3_leaf_lookup_int+0x53c/0x5b0 # Call Trace: # xfs_attr3_leaf_lookup_int+0x78/0x5b0 (unreliable) # xfs_da3_node_lookup_int+0x32c/0x5a0 # xfs_attr_node_addname+0x170/0x6b0 # xfs_attr_set+0x2ac/0x340 # __xfs_set_acl+0xf0/0x230 # xfs_set_acl+0xd0/0x160 # set_posix_acl+0xc0/0x130 # posix_acl_xattr_set+0x68/0x110 # __vfs_setxattr+0xa4/0x110 # __vfs_setxattr_noperm+0xac/0x240 # vfs_setxattr+0x128/0x130 # setxattr+0x248/0x600 # path_setxattr+0x108/0x120 # sys_setxattr+0x28/0x40 # system_call+0x5c/0x70 # Instruction dump: # 7d201c28 7d402428 7c295040 38630008 38840008 408201f0 4200ffe8 2c050000 # 4182ff6c 20c50008 54c61838 7d201c28 <7d402428> 7d293436 7d4a3436 7c295040 # # The instruction dump decodes as: # subfic r6,r5,8 # rlwinm r6,r6,3,0,28 # ldbrx r9,0,r3 # ldbrx r10,0,r4 <- # # Which shows us doing an 8 byte load from c00000062ac3fff9, which # crosses the page boundary at c00000062ac40000 and faults. # # It's not OK for memcmp to read past the end of the source or # destination buffers if that would cross a page boundary, because we # don't know that the next page is mapped. # # As pointed out by Segher, we can read past the end of the source or # destination as long as we don't cross a 4K boundary, because that's # our minimum page size on all platforms. # # The bug is in the code at the .Lcmp_rest_lt8bytes label. When we get # there we know that s1 is 8-byte aligned and we have at least 1 byte to # read, so a single 8-byte load won't read past the end of s1 and cross # a page boundary. # # But we have to be more careful with s2. So check if it's within 8 # bytes of a 4K boundary and if so go to the byte-by-byte loop. # # Fixes: 2d9ee327adce ("powerpc/64: Align bytes before fall back to .Lshort in powerpc64 memcmp()") # Cc: stable@vger.kernel.org # v4.19+ # Reported-by: Chandan Rajendra # Signed-off-by: Michael Ellerman # Reviewed-by: Segher Boessenkool # Tested-by: Chandan Rajendra # Signed-off-by: Michael Ellerman # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 d9470757398a700d9450a43508000bcfd010c7a4 # < make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc5200_defconfig_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- mpc5200_defconfig # make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc5200_defconfig_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- :1478:2: warning: #warning syscall pidfd_send_signal not implemented [-Wcpp] :1481:2: warning: #warning syscall io_uring_setup not implemented [-Wcpp] :1484:2: warning: #warning syscall io_uring_enter not implemented [-Wcpp] :1487:2: warning: #warning syscall io_uring_register not implemented [-Wcpp] /kisskb/src/arch/powerpc/platforms/52xx/lite5200_sleep.S: Assembler messages: /kisskb/src/arch/powerpc/platforms/52xx/lite5200_sleep.S:184: Warning: invalid register expression In file included from /kisskb/src/include/linux/printk.h:7:0, from /kisskb/src/include/linux/kernel.h:15, from /kisskb/src/include/linux/fs_context.h:15, from /kisskb/src/fs/fs_parser.c:13: /kisskb/src/fs/fs_parser.c: In function 'fs_validate_description': /kisskb/src/include/linux/kern_levels.h:5:18: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'int' [-Wformat=] #define KERN_SOH "\001" /* ASCII Start Of Header */ ^ /kisskb/src/include/linux/kern_levels.h:11:18: note: in expansion of macro 'KERN_SOH' #define KERN_ERR KERN_SOH "3" /* error conditions */ ^ /kisskb/src/include/linux/printk.h:302:9: note: in expansion of macro 'KERN_ERR' printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) ^ /kisskb/src/fs/fs_parser.c:413:6: note: in expansion of macro 'pr_err' pr_err("VALIDATE %s: e[%lu] enum val for %s\n", ^ /kisskb/src/net/sunrpc/xprtsock.c: In function 'xs_stream_data_receive_workfn': /kisskb/src/net/sunrpc/xprtsock.c:498:15: warning: 'read' may be used uninitialized in this function [-Wmaybe-uninitialized] size_t want, read; ^ /kisskb/src/net/sunrpc/xprtsock.c:529:9: warning: 'ret' may be used uninitialized in this function [-Wmaybe-uninitialized] return ret < 0 ? ret : read; ^ /kisskb/src/net/sunrpc/xprtsock.c:499:10: note: 'ret' was declared here ssize_t ret; ^ INFO: Uncompressed kernel (size 0x6d0300) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x700000) INFO: Uncompressed kernel (size 0x6d0300) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x700000) INFO: Uncompressed kernel (size 0x6d0300) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x700000) INFO: Uncompressed kernel (size 0x6bfc1c) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x700000) Image Name: Linux-5.1.0-rc2-gd9470757398a Created: Tue Mar 26 00:32:37 2019 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 3452065 Bytes = 3371.16 KiB = 3.29 MiB Load Address: 00000000 Entry Point: 00000000 Image Name: Linux-5.1.0-rc2-gd9470757398a Created: Tue Mar 26 00:32:37 2019 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 3481449 Bytes = 3399.85 KiB = 3.32 MiB Load Address: 00700000 Entry Point: 00700284 Image Name: Linux-5.1.0-rc2-gd9470757398a Created: Tue Mar 26 00:32:37 2019 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 3481470 Bytes = 3399.87 KiB = 3.32 MiB Load Address: 00700000 Entry Point: 00700284 Image Name: Linux-5.1.0-rc2-gd9470757398a Created: Tue Mar 26 00:32:37 2019 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 3481208 Bytes = 3399.62 KiB = 3.32 MiB Load Address: 00700000 Entry Point: 00700284 Completed OK # rm -rf /kisskb/build/powerpc-fixes_mpc5200_defconfig_powerpc-gcc5 # Build took: 0:01:09.216005