# git rev-parse -q --verify 8cb55a3daebd4b38330b706117e1c8203ffaf3f5^{commit} 8cb55a3daebd4b38330b706117e1c8203ffaf3f5 already have revision, skipping fetch # git checkout -q -f -B kisskb 8cb55a3daebd4b38330b706117e1c8203ffaf3f5 # git clean -qxdf # < git log -1 # commit 8cb55a3daebd4b38330b706117e1c8203ffaf3f5 # Author: Michael Ellerman # Date: Fri Feb 7 22:15:46 2020 +1100 # # powerpc/futex: Fix incorrect user access blocking # # The early versions of our kernel user access prevention (KUAP) were # written by Russell and Christophe, and didn't have separate # read/write access. # # At some point I picked up the series and added the read/write access, # but I failed to update the usages in futex.h to correctly allow read # and write. # # However we didn't notice because of another bug which was causing the # low-level code to always enable read and write. That bug was fixed # recently in commit 1d8f739b07bd ("powerpc/kuap: Fix set direction in # allow/prevent_user_access()"). # # futex_atomic_cmpxchg_inatomic() is passed the user address as %3 and # does: # # 1: lwarx %1, 0, %3 # cmpw 0, %1, %4 # bne- 3f # 2: stwcx. %5, 0, %3 # # Which clearly loads and stores from/to %3. The logic in # arch_futex_atomic_op_inuser() is similar, so fix both of them to use # allow_read_write_user(). # # Without this fix, and with PPC_KUAP_DEBUG=y, we see eg: # # Bug: Read fault blocked by AMR! # WARNING: CPU: 94 PID: 149215 at arch/powerpc/include/asm/book3s/64/kup-radix.h:126 __do_page_fault+0x600/0xf30 # CPU: 94 PID: 149215 Comm: futex_requeue_p Tainted: G W 5.5.0-rc7-gcc9x-g4c25df5640ae #1 # ... # NIP [c000000000070680] __do_page_fault+0x600/0xf30 # LR [c00000000007067c] __do_page_fault+0x5fc/0xf30 # Call Trace: # [c00020138e5637e0] [c00000000007067c] __do_page_fault+0x5fc/0xf30 (unreliable) # [c00020138e5638c0] [c00000000000ada8] handle_page_fault+0x10/0x30 # --- interrupt: 301 at cmpxchg_futex_value_locked+0x68/0xd0 # LR = futex_lock_pi_atomic+0xe0/0x1f0 # [c00020138e563bc0] [c000000000217b50] futex_lock_pi_atomic+0x80/0x1f0 (unreliable) # [c00020138e563c30] [c00000000021b668] futex_requeue+0x438/0xb60 # [c00020138e563d60] [c00000000021c6cc] do_futex+0x1ec/0x2b0 # [c00020138e563d90] [c00000000021c8b8] sys_futex+0x128/0x200 # [c00020138e563e20] [c00000000000b7ac] system_call+0x5c/0x68 # # Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection") # Cc: stable@vger.kernel.org # v5.2+ # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20200207122145.11928-1-mpe@ellerman.id.au # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 8cb55a3daebd4b38330b706117e1c8203ffaf3f5 # < make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- mpc85xx_defconfig # make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- In file included from /kisskb/src/include/linux/kernel.h:11:0, from /kisskb/src/include/linux/list.h:9, from /kisskb/src/include/linux/module.h:12, from /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:15: /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c: In function 'allocate_bd': /kisskb/src/include/linux/err.h:22:49: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] #define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) ^ /kisskb/src/include/linux/compiler.h:78:42: note: in definition of macro 'unlikely' # define unlikely(x) __builtin_expect(!!(x), 0) ^ /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:139:6: note: in expansion of macro 'IS_ERR_VALUE' if (IS_ERR_VALUE(fep->ring_mem_addr)) ^ /kisskb/src/arch/powerpc/boot/dts/fsl/mpc8541cds.dts:330.3-21: Warning (pci_device_bus_num): /pci@e0008000/i8259@19000:bus-range: PCI bus number 1 out of range, expected (0 - 0) /kisskb/src/arch/powerpc/boot/dts/fsl/mpc8555cds.dts:330.3-21: Warning (pci_device_bus_num): /pci@e0008000/i8259@19000:bus-range: PCI bus number 1 out of range, expected (0 - 0) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc8a6b8) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) INFO: Uncompressed kernel (size 0xc79eb4) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0xd00000) Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:00 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6129906 Bytes = 5986.24 KiB = 5.85 MiB Load Address: 00000000 Entry Point: 00000000 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6161853 Bytes = 6017.43 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160587 Bytes = 6016.20 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d00314 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160306 Bytes = 6015.92 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d00314 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160151 Bytes = 6015.77 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160585 Bytes = 6016.20 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d00314 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160749 Bytes = 6016.36 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:03 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6162261 Bytes = 6017.83 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160186 Bytes = 6015.81 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d00314 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160595 Bytes = 6016.21 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160607 Bytes = 6016.22 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d00314 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160215 Bytes = 6015.83 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160304 Bytes = 6015.92 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160298 Bytes = 6015.92 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160298 Bytes = 6015.92 KiB = 5.87 MiB Load Address: 00d00000 Entry Point: 00d002a4 Image Name: Linux-5.5.0-g8cb55a3daebd Created: Sat Feb 8 00:37:04 2020 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 6160602 Bytes = 6016.21 KiB = 5.88 MiB Load Address: 00d00000 Entry Point: 00d002a4 Completed OK # rm -rf /kisskb/build/powerpc-fixes_mpc85xx_defconfig_powerpc-gcc5 # Build took: 0:02:00.700552