# git rev-parse -q --verify 006b445f18fa152c8e375abf4c68eab6d0b4afae^{commit} 006b445f18fa152c8e375abf4c68eab6d0b4afae already have revision, skipping fetch # git checkout -q -f -B kisskb 006b445f18fa152c8e375abf4c68eab6d0b4afae # git clean -qxdf # < git log -1 # commit 006b445f18fa152c8e375abf4c68eab6d0b4afae # Author: Alexey Kardashevskiy # Date: Tue Feb 2 20:15:41 2021 +1100 # # powerpc/kuap: Restore AMR after replaying soft interrupts # # Since de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace # Access Protection"), user access helpers call user_{read|write}_access_{begin|end} # when user space access is allowed. # # Commit 890274c2dc4c ("powerpc/64s: Implement KUAP for Radix MMU") made # the mentioned helpers program a AMR special register to allow such # access for a short period of time, most of the time AMR is expected to # block user memory access by the kernel. # # Since the code accesses the user space memory, unsafe_get_user() calls # might_fault() which calls arch_local_irq_restore() if either # CONFIG_PROVE_LOCKING or CONFIG_DEBUG_ATOMIC_SLEEP is enabled. # arch_local_irq_restore() then attempts to replay pending soft # interrupts as KUAP regions have hardware interrupts enabled. # # If a pending interrupt happens to do user access (performance # interrupts do that), it enables access for a short period of time so # after returning from the replay, the user access state remains blocked # and if a user page fault happens - "Bug: Read fault blocked by AMR!" # appears and SIGSEGV is sent. # # An example trace: # Bug: Read fault blocked by AMR! # WARNING: CPU: 0 PID: 1603 at /home/aik/p/kernel/arch/powerpc/include/asm/book3s/64/kup-radix.h:145 # CPU: 0 PID: 1603 Comm: amr Not tainted 5.10.0-rc6_v5.10-rc6_a+fstn1 #24 # NIP: c00000000009ece8 LR: c00000000009ece4 CTR: 0000000000000000 # REGS: c00000000dc63560 TRAP: 0700 Not tainted (5.10.0-rc6_v5.10-rc6_a+fstn1) # MSR: 8000000000021033 CR: 28002888 XER: 20040000 # CFAR: c0000000001fa928 IRQMASK: 1 # GPR00: c00000000009ece4 c00000000dc637f0 c000000002397600 000000000000001f # GPR04: c0000000020eb318 0000000000000000 c00000000dc63494 0000000000000027 # GPR08: c00000007fe4de68 c00000000dfe9180 0000000000000000 0000000000000001 # GPR12: 0000000000002000 c0000000030a0000 0000000000000000 0000000000000000 # GPR16: 0000000000000000 0000000000000000 0000000000000000 bfffffffffffffff # GPR20: 0000000000000000 c0000000134a4020 c0000000019c2218 0000000000000fe0 # GPR24: 0000000000000000 0000000000000000 c00000000d106200 0000000040000000 # GPR28: 0000000000000000 0000000000000300 c00000000dc63910 c000000001946730 # NIP __do_page_fault+0xb38/0xde0 # LR __do_page_fault+0xb34/0xde0 # Call Trace: # __do_page_fault+0xb34/0xde0 (unreliable) # handle_page_fault+0x10/0x2c # --- interrupt: 300 at strncpy_from_user+0x290/0x440 # LR = strncpy_from_user+0x284/0x440 # strncpy_from_user+0x2f0/0x440 (unreliable) # getname_flags+0x88/0x2c0 # do_sys_openat2+0x2d4/0x5f0 # do_sys_open+0xcc/0x140 # system_call_exception+0x160/0x240 # system_call_common+0xf0/0x27c # # To fix it save/restore the AMR when replaying interrupts, and also # add a check if AMR was not blocked prior to replaying interrupts. # # Originally found by syzkaller. # # Fixes: 890274c2dc4c ("powerpc/64s: Implement KUAP for Radix MMU") # Signed-off-by: Alexey Kardashevskiy # Reviewed-by: Nicholas Piggin # [mpe: Use normal commit citation format and add full oops log to change log] # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20210202091541.36499-1-aik@ozlabs.ru # < /opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 006b445f18fa152c8e375abf4c68eab6d0b4afae # < make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-next_mpc85xx_defconfig+KVM_powerpc-gcc9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux- mpc85xx_defconfig # Added to kconfig CONFIG_PPC_E500MC=y # Added to kconfig CONFIG_VIRTUALIZATION=y # Added to kconfig CONFIG_KVM_E500MC=y # Added to kconfig # < make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-next_mpc85xx_defconfig+KVM_powerpc-gcc9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux- help # make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-next_mpc85xx_defconfig+KVM_powerpc-gcc9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux- olddefconfig .config:4185:warning: override: reassigning to symbol PPC_E500MC .config:4186:warning: override: reassigning to symbol VIRTUALIZATION # make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-next_mpc85xx_defconfig+KVM_powerpc-gcc9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-9.2.0-nolibc/powerpc64-linux/bin/powerpc64-linux- In file included from /kisskb/src/include/linux/kernel.h:10, from /kisskb/src/include/linux/list.h:9, from /kisskb/src/include/linux/module.h:12, from /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:15: /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c: In function 'allocate_bd': /kisskb/src/include/linux/err.h:22:49: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 22 | #define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) | ^ /kisskb/src/include/linux/compiler.h:78:42: note: in definition of macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:139:6: note: in expansion of macro 'IS_ERR_VALUE' 139 | if (IS_ERR_VALUE(fep->ring_mem_addr)) | ^~~~~~~~~~~~ /kisskb/src/arch/powerpc/boot/dts/fsl/mpc8541cds.dts:330.3-21: Warning (pci_device_bus_num): /pci@e0008000/i8259@19000:bus-range: PCI bus number 1 out of range, expected (0 - 0) /kisskb/src/arch/powerpc/boot/dts/fsl/mpc8555cds.dts:330.3-21: Warning (pci_device_bus_num): /pci@e0008000/i8259@19000:bus-range: PCI bus number 1 out of range, expected (0 - 0) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf38cb0) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) INFO: Uncompressed kernel (size 0xf28584) overlaps the address of the wrapper(0x400000) INFO: Fixing the link_address of wrapper to (0x1000000) Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7059845 Bytes = 6894.38 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060081 Bytes = 6894.61 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 0100031c Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060100 Bytes = 6894.63 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060169 Bytes = 6894.70 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7058853 Bytes = 6893.41 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7059981 Bytes = 6894.51 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 0100031c Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7058849 Bytes = 6893.41 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060094 Bytes = 6894.62 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7058753 Bytes = 6893.31 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 0100031c Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060228 Bytes = 6894.75 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7058716 Bytes = 6893.28 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7059488 Bytes = 6894.03 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060637 Bytes = 6895.15 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 010002cc Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7025181 Bytes = 6860.53 KiB = 6.70 MiB Load Address: 00000000 Entry Point: 00000000 Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060083 Bytes = 6894.61 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 0100031c Image Name: Linux-5.11.0-rc2-g006b445f18fa Created: Thu Feb 4 00:24:17 2021 Image Type: PowerPC Linux Kernel Image (gzip compressed) Data Size: 7060052 Bytes = 6894.58 KiB = 6.73 MiB Load Address: 01000000 Entry Point: 0100031c Completed OK # rm -rf /kisskb/build/powerpc-next_mpc85xx_defconfig+KVM_powerpc-gcc9 # Build took: 0:01:46.323179