# git rev-parse -q --verify 6865920b3f27b31bb9280088f3a837fd2090a327^{commit} 6865920b3f27b31bb9280088f3a837fd2090a327 already have revision, skipping fetch # git checkout -q -f -B kisskb 6865920b3f27b31bb9280088f3a837fd2090a327 # git clean -qxdf # < git log -1 # commit 6865920b3f27b31bb9280088f3a837fd2090a327 # Author: Michael Ellerman # Date: Tue Oct 10 22:47:50 2023 +1100 # # powerpc/47x: Fix 47x syscall return crash # # Eddie reported that newer kernels were crashing during boot on his 476 # FSP2 system: # # kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0) # BUG: Unable to handle kernel instruction fetch # Faulting instruction address: 0xb7ee2000 # Oops: Kernel access of bad area, sig: 11 [#1] # BE PAGE_SIZE=4K FSP-2 # Modules linked in: # CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1 # Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 # NIP:  b7ee2000 LR: 8c008000 CTR: 00000000 # REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2) # MSR:  00000030   CR: 00001000  XER: 20000000 # GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 # GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 # GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 # GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 # NIP [b7ee2000] 0xb7ee2000 # LR [8c008000] 0x8c008000 # Call Trace: # Instruction dump: # XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX # XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX # ---[ end trace 0000000000000000 ]--- # # The problem is in ret_from_syscall where the check for # icache_44x_need_flush is done. When the flush is needed the code jumps # out-of-line to do the flush, and then intends to jump back to continue # the syscall return. # # However the branch back to label 1b doesn't return to the correct # location, instead branching back just prior to the return to userspace, # causing bogus register values to be used by the rfi. # # The breakage was introduced by commit 6f76a01173cc # ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which # inadvertently removed the "1" label and reused it elsewhere. # # Fix it by adding named local labels in the correct locations. Note that # the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n # compiles. # # Fixes: 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") # Cc: stable@vger.kernel.org # v5.12+ # Reported-by: Eddie James # Tested-by: Eddie James # Link: https://lore.kernel.org/linuxppc-dev/fdaadc46-7476-9237-e104-1d2168526e72@linux.ibm.com/ # Signed-off-by: Michael Ellerman # Link: https://msgid.link/20231010114750.847794-1-mpe@ellerman.id.au # < /opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 6865920b3f27b31bb9280088f3a837fd2090a327 # make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig+KVM_powerpc-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- mpc85xx_defconfig Using /kisskb/src/arch/powerpc/configs/mpc85xx_base.config as base Merging /kisskb/src/arch/powerpc/configs/85xx-32bit.config Merging /kisskb/src/arch/powerpc/configs/85xx-hw.config Merging /kisskb/src/arch/powerpc/configs/fsl-emb-nonhw.config # # merged configuration written to .config (needs make) # # Added to kconfig CONFIG_PPC_E500MC=y # Added to kconfig CONFIG_VIRTUALIZATION=y # Added to kconfig CONFIG_KVM_E500MC=y # Added to kconfig # < make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig+KVM_powerpc-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- help # make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig+KVM_powerpc-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- olddefconfig .config:4541:warning: override: reassigning to symbol PPC_E500MC .config:4542:warning: override: reassigning to symbol VIRTUALIZATION # make -s -j 24 ARCH=powerpc O=/kisskb/build/powerpc-fixes_mpc85xx_defconfig+KVM_powerpc-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/powerpc64-linux/bin/powerpc64-linux- In file included from /kisskb/src/include/linux/build_bug.h:5, from /kisskb/src/include/linux/container_of.h:5, from /kisskb/src/include/linux/list.h:5, from /kisskb/src/include/linux/module.h:12, from /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:15: /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c: In function 'allocate_bd': /kisskb/src/include/linux/err.h:28:49: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 28 | #define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) | ^ /kisskb/src/include/linux/compiler.h:77:45: note: in definition of macro 'unlikely' 77 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ /kisskb/src/drivers/net/ethernet/freescale/fs_enet/mac-scc.c:138:13: note: in expansion of macro 'IS_ERR_VALUE' 138 | if (IS_ERR_VALUE(fep->ring_mem_addr)) | ^~~~~~~~~~~~ Completed OK # rm -rf /kisskb/build/powerpc-fixes_mpc85xx_defconfig+KVM_powerpc-gcc13 # Build took: 0:04:45.791144