[PATCH] powerpc/47x: Fix 47x syscall return crash
Christophe Leroy
christophe.leroy at csgroup.eu
Tue Oct 10 23:59:07 AEDT 2023
Le 10/10/2023 à 13:47, Michael Ellerman a écrit :
> Eddie reported that newer kernels were crashing during boot on his 476
> FSP2 system:
>
> kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
> BUG: Unable to handle kernel instruction fetch
> Faulting instruction address: 0xb7ee2000
> Oops: Kernel access of bad area, sig: 11 [#1]
> BE PAGE_SIZE=4K FSP-2
> Modules linked in:
> CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
> Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
> NIP: b7ee2000 LR: 8c008000 CTR: 00000000
> REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)
> MSR: 00000030 <IR,DR> CR: 00001000 XER: 20000000
> GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
> GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
> GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
> GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
> NIP [b7ee2000] 0xb7ee2000
> LR [8c008000] 0x8c008000
> Call Trace:
> Instruction dump:
> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
> ---[ end trace 0000000000000000 ]---
>
> The problem is in ret_from_syscall where the check for
> icache_44x_need_flush is done. When the flush is needed the code jumps
> out-of-line to do the flush, and then intends to jump back to continue
> the syscall return.
>
> However the branch back to label 1b doesn't return to the correct
> location, instead branching back just prior to the return to userspace,
> causing bogus register values to be used by the rfi.
>
> The breakage was introduced by commit 6f76a01173cc
> ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which
> inadvertently removed the "1" label and reused it elsewhere.
>
> Fix it by adding named local labels in the correct locations. Note that
> the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n
> compiles.
>
> Fixes: 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32")
> Cc: stable at vger.kernel.org # v5.12+
> Reported-by: Eddie James <eajames at linux.ibm.com>
> Link: https://lore.kernel.org/linuxppc-dev/fdaadc46-7476-9237-e104-1d2168526e72@linux.ibm.com/
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> Tested-by: Eddie James <eajames at linux.ibm.com>
Reviewed-by: Christophe Leroy <christophe.leroy at csgroup.eu>
> ---
> arch/powerpc/kernel/entry_32.S | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
> index 9692acb0361f..7eda33a24bb4 100644
> --- a/arch/powerpc/kernel/entry_32.S
> +++ b/arch/powerpc/kernel/entry_32.S
> @@ -137,8 +137,9 @@ ret_from_syscall:
> lis r4,icache_44x_need_flush at ha
> lwz r5,icache_44x_need_flush at l(r4)
> cmplwi cr0,r5,0
> - bne- 2f
> + bne- .L44x_icache_flush
> #endif /* CONFIG_PPC_47x */
> +.L44x_icache_flush_return:
> kuep_unlock
> lwz r4,_LINK(r1)
> lwz r5,_CCR(r1)
> @@ -172,10 +173,11 @@ syscall_exit_finish:
> b 1b
>
> #ifdef CONFIG_44x
> -2: li r7,0
> +.L44x_icache_flush:
> + li r7,0
> iccci r0,r0
> stw r7,icache_44x_need_flush at l(r4)
> - b 1b
> + b .L44x_icache_flush_return
> #endif /* CONFIG_44x */
>
> .globl ret_from_fork
More information about the Linuxppc-dev
mailing list