linux/arch/powerpc/platforms
Athira Rajeev 3b678768c0 powerpc/pseries: Fix STK_PARAM access in the hcall tracing code
On a powerpc pseries system, the behaviour below is observed while
enabling tracing on hcalls:
  # cd /sys/kernel/debug/tracing/
  # cat events/powerpc/hcall_exit/enable
  0
  # echo 1 > events/powerpc/hcall_exit/enable

  # ls
  -bash: fork: Bad address

The above is from a power9 lpar with the latest kernel. Past this, a softlockup
is observed. Initially, while attempting via perf_event_open to
use "PERF_TYPE_TRACEPOINT", a kernel panic was observed.

perf config used:
================
  memset(&pe[1],0,sizeof(struct perf_event_attr));
  pe[1].type=PERF_TYPE_TRACEPOINT;
  pe[1].size=96;
  pe[1].config=0x26ULL; /* 38 raw_syscalls/sys_exit */
  pe[1].sample_type=0; /* 0 */
  pe[1].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP|0x10ULL; /* 1f */
  pe[1].inherit=1;
  pe[1].precise_ip=0; /* arbitrary skid */
  pe[1].wakeup_events=0;
  pe[1].bp_type=HW_BREAKPOINT_EMPTY;
  pe[1].config1=0x1ULL;

Kernel panic logs:
==================

  Kernel attempted to read user page (8) - exploit attempt? (uid: 0)
  BUG: Kernel NULL pointer dereference on read at 0x00000008
  Faulting instruction address: 0xc0000000004c2814
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in: nfnetlink bonding tls rfkill sunrpc dm_service_time dm_multipath pseries_rng xts vmx_crypto xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ibmvfc scsi_transport_fc ibmveth dm_mirror dm_region_hash dm_log dm_mod fuse
  CPU: 0 PID: 1431 Comm: login Not tainted 6.4.0+ #1
  Hardware name: IBM,8375-42A POWER9 (raw) 0x4e0202 0xf000005 of:IBM,FW950.30 (VL950_892) hv:phyp pSeries
  NIP page_remove_rmap+0x44/0x320
  LR  wp_page_copy+0x384/0xec0
  Call Trace:
    0xc00000001416e400 (unreliable)
    wp_page_copy+0x384/0xec0
    __handle_mm_fault+0x9d4/0xfb0
    handle_mm_fault+0xf0/0x350
    ___do_page_fault+0x48c/0xc90
    hash__do_page_fault+0x30/0x70
    do_hash_fault+0x1a4/0x330
    data_access_common_virt+0x198/0x1f0
   --- interrupt: 300 at 0x7fffae971abc

git bisect tracked this down to below commit:
'commit baa49d81a9 ("powerpc/pseries: hvcall stack frame overhead")'

This commit changed STACK_FRAME_OVERHEAD (112) to
STACK_FRAME_MIN_SIZE (32), since 32 bytes is the minimum size
for an ELFv2 stack frame. With the latest kernel, when running on ELFv2,
STACK_FRAME_MIN_SIZE is used to allocate the stack size.

During plpar_hcall_trace, the first call is made to HCALL_INST_PRECALL,
which saves the registers and allocates a new stack frame. In the
plpar_hcall_trace code, STK_PARAM is accessed at two places.
  1. To save r4: std     r4,STK_PARAM(R4)(r1)
  2. To access r4 back: ld      r12,STK_PARAM(R4)(r1)

HCALL_INST_PRECALL allocates a new stack frame. So all
stack parameter accesses after the precall need to be made
with +STACK_FRAME_MIN_SIZE. So the store instruction should be:
  std     r4,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1)

If the "std" is not updated with STACK_FRAME_MIN_SIZE, we will
end up overwriting stack contents and causing corruption.
But instead of updating the 'std', we can instead remove it, since
HCALL_INST_PRECALL already saves it to the correct location.

Similarly, the load instruction should be:
  ld      r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1)

Fix the load instruction to correctly access the stack parameter
with +STACK_FRAME_MIN_SIZE and remove the store of r4 since the
precall saves it correctly.

Cc: stable@vger.kernel.org # v6.2+
Fixes: baa49d81a9 ("powerpc/pseries: hvcall stack frame overhead")
Co-developed-by: Naveen N Rao <naveen@kernel.org>
Signed-off-by: Naveen N Rao <naveen@kernel.org>
Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230929172337.7906-1-atrajeev@linux.vnet.ibm.com
2023-09-30 22:48:36 +10:00
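As an added illustration of the frame arithmetic the commit message describes (this is not kernel code and not from the patch author): a small C model of the ELFv2 stack around plpar_hcall_trace. It takes STACK_FRAME_MIN_SIZE = 32 from the message; the STK_PARAM(i) layout (32 + (i-3)*8), the reduced HCALL_INST_PRECALL and the sentinel-filled stack are assumptions of the model, not the real ppc_asm.h or hvCall.S definitions. Running the original and the fixed register sequences side by side shows that the original reads back the right r4 only because the stray std had just written it into the header of the frame r1 pointed to on entry, while the fixed sequence reads the slot the precall actually used and leaves that header untouched.

```c
/*
 * Added example (not kernel code): a byte-array model of the ELFv2 stack
 * frames around plpar_hcall_trace.  It shows why a STK_PARAM access made
 * after HCALL_INST_PRECALL has pushed its STACK_FRAME_MIN_SIZE frame must
 * add STACK_FRAME_MIN_SIZE, and where the stray "std r4,STK_PARAM(R4)(r1)"
 * landed.  Assumption: a 32-byte ELFv2 frame header with the parameter
 * save area right after it, so STK_PARAM(i) = 32 + (i-3)*8.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_FRAME_MIN_SIZE 32                              /* from the commit message */
#define STK_PARAM(i)         (STACK_FRAME_MIN_SIZE + ((i) - 3) * 8)  /* assumed layout */
#define R4                   4

#define STACK_BYTES 256
#define SENTINEL    0xA5A5A5A5A5A5A5A5ull   /* constructed: pre-fills every stack slot */

struct sim {
    uint8_t stack[STACK_BYTES];   /* grows down; r1 is a byte offset into it */
    size_t  r1;
};

struct result {
    uint64_t r12;               /* value the "ld r12,...(r1)" produced */
    int      header_clobbered;  /* 1 if the entry frame's header lost its sentinel */
};

static void st_d(struct sim *s, size_t off, uint64_t v) { memcpy(&s->stack[off], &v, sizeof v); }
static uint64_t ld_d(const struct sim *s, size_t off)
{
    uint64_t v;
    memcpy(&v, &s->stack[off], sizeof v);
    return v;
}

/* stdu r1,-STACK_FRAME_MIN_SIZE(r1): allocate a frame and store the back chain. */
static void push_frame(struct sim *s)
{
    size_t old_r1 = s->r1;
    s->r1 -= STACK_FRAME_MIN_SIZE;
    st_d(s, s->r1, old_r1);
}

/* HCALL_INST_PRECALL reduced to what matters here: r4 is saved to the
 * parameter save area of the frame r1 points to, then a new frame is pushed. */
static void precall(struct sim *s, uint64_t r4)
{
    st_d(s, s->r1 + STK_PARAM(R4), r4);
    push_frame(s);
}

/* fixed == 0: original sequence, store and load both at STK_PARAM(R4)(r1).
 * fixed == 1: fixed sequence, no store, load at STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1). */
static struct result run_trace(int fixed, uint64_t r4)
{
    struct sim s;
    struct result r;
    size_t entry_r1 = STACK_BYTES - 64;   /* frame r1 points to on entry, near the top */
    size_t i;

    for (i = 0; i + 8 <= STACK_BYTES; i += 8)
        st_d(&s, i, SENTINEL);
    s.r1 = entry_r1;

    precall(&s, r4);                      /* r1 is now entry_r1 - STACK_FRAME_MIN_SIZE */

    if (!fixed)
        st_d(&s, s.r1 + STK_PARAM(R4), r4);   /* lands at entry_r1 + 8: inside the entry frame header */

    r.r12 = fixed ? ld_d(&s, s.r1 + STACK_FRAME_MIN_SIZE + STK_PARAM(R4))
                  : ld_d(&s, s.r1 + STK_PARAM(R4));

    /* The first STACK_FRAME_MIN_SIZE bytes of the entry frame were never
     * written by the model, so every slot there should still hold the sentinel. */
    r.header_clobbered = 0;
    for (i = 0; i < STACK_FRAME_MIN_SIZE; i += 8)
        if (ld_d(&s, entry_r1 + i) != SENTINEL)
            r.header_clobbered = 1;
    return r;
}

int main(void)
{
    uint64_t r4 = 0xc000000012345678ull;   /* constructed: whatever r4 held on entry */
    struct result bug = run_trace(0, r4), fix = run_trace(1, r4);

    printf("original: r12=%#llx header_clobbered=%d\n",
           (unsigned long long)bug.r12, bug.header_clobbered);
    printf("fixed:    r12=%#llx header_clobbered=%d\n",
           (unsigned long long)fix.r12, fix.header_clobbered);
    return 0;
}
```

The model only needs to show the offset arithmetic: after the precall's push, r1 + STK_PARAM(R4) is entry_r1 + 8, i.e. a header slot of the frame that was current on entry, not the parameter save slot at entry_r1 + STK_PARAM(R4) that the precall used. That is why the fix both removes the store and adds STACK_FRAME_MIN_SIZE to the load.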
4xx powerpc/4xx: Add missing includes to fix no previous prototype errors 2023-08-18 17:03:15 +10:00
8xx TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
40x powerpc updates for 6.4 2023-04-28 16:24:32 -07:00
44x powerpc/4xx: Remove pika_dtm_[un]register_shutdown() to fix no previous prototype 2023-08-18 17:03:14 +10:00
52xx powerpc: Explicitly include correct DT includes 2023-08-02 22:22:19 +10:00
82xx powerpc/82xx: Select FSL_SOC 2023-09-18 12:23:48 +10:00
83xx powerpc/83xx: Split usb.c 2023-08-18 17:03:14 +10:00
85xx powerpc updates for 6.6 2023-08-31 12:43:10 -07:00
86xx powerpc: address missing-prototypes warnings 2023-08-02 22:22:19 +10:00
512x powerpc/512x: Make mpc512x_select_reset_compat() static 2023-08-18 17:02:40 +10:00
amigaone powerpc: Make generic_calibrate_decr() the default 2023-03-16 08:56:48 +11:00
book3s driver core: class: remove module * from class_create() 2023-03-17 15:16:33 +01:00
cell powerpc updates for 6.6 2023-08-31 12:43:10 -07:00
chrp powerpc: Make generic_calibrate_decr() the default 2023-03-16 08:56:48 +11:00
embedded6xx powerpc: Explicitly include correct DT includes 2023-08-02 22:22:19 +10:00
maple powerpc: Explicitly include correct DT includes 2023-08-02 22:22:19 +10:00
microwatt powerpc: Make generic_calibrate_decr() the default 2023-03-16 08:56:48 +11:00
pasemi powerpc: address missing-prototypes warnings 2023-08-02 22:22:19 +10:00
powermac powerpc updates for 6.6 2023-08-31 12:43:10 -07:00
powernv powerpc/eeh: Use pci_dev_id() to simplify the code 2023-08-25 08:39:30 +10:00
ps3 powerpc/ps3: refactor strncpy usage 2023-08-18 11:48:42 +10:00
pseries powerpc/pseries: Fix STK_PARAM access in the hcall tracing code 2023-09-30 22:48:36 +10:00
fsl_uli1575.c powerpc/fsl_uli1575: Mark uli_exclude_device() as static 2023-04-20 10:20:50 +10:00
Kconfig powerpc/82xx: Remove CONFIG_8260 and CONFIG_8272 2023-08-18 17:03:14 +10:00
Kconfig.cputype powerpc updates for 6.6 2023-08-31 12:43:10 -07:00
Makefile powerpc: Add Microwatt platform 2021-06-21 21:15:26 +10:00