linux/arch/s390
Heiko Carstens 4784955a52 s390/bpf,jit: fix address randomization
Add misssing braces to hole calculation. This resulted in an addition
instead of an substraction. Which in turn means that the jit compiler
could try to write out of bounds of the allocated piece of memory.

This bug was introduced with aa2d2c73 "s390/bpf,jit: address randomize
and write protect jit code".

Fixes this one:

[   37.320956] Unable to handle kernel pointer dereference at virtual kernel address 000003ff80231000
[   37.320984] Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[   37.320993] Modules linked in: dm_multipath scsi_dh eadm_sch dm_mod ctcm fsm autofs4
[   37.321007] CPU: 28 PID: 6443 Comm: multipathd Not tainted 3.10.9-61.x.20130829-s390xdefault #1
[   37.321011] task: 0000004ada778000 ti: 0000004ae3304000 task.ti: 0000004ae3304000
[   37.321014] Krnl PSW : 0704c00180000000 000000000012d1de (bpf_jit_compile+0x198e/0x23d0)
[   37.321022]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
               Krnl GPRS: 000000004350207d 0000004a00000001 0000000000000007 000003ff80231002
[   37.321029]            0000000000000007 000003ff80230ffe 00000000a7740000 000003ff80230f76
[   37.321032]            000003ffffffffff 000003ff00000000 000003ff0000007d 000000000071e820
[   37.321035]            0000004adbe99950 000000000071ea18 0000004af3d9e7c0 0000004ae3307b80
[   37.321046] Krnl Code: 000000000012d1d0: 41305004            la      %r3,4(%r5)
                          000000000012d1d4: e330f0f80021        clg     %r3,248(%r15)
                         #000000000012d1da: a7240009            brc     2,12d1ec
                         >000000000012d1de: 50805000            st      %r8,0(%r5)
                          000000000012d1e2: e330f0f00004        lg      %r3,240(%r15)
                          000000000012d1e8: 41303004            la      %r3,4(%r3)
                          000000000012d1ec: e380f0e00004        lg      %r8,224(%r15)
                          000000000012d1f2: e330f0f00024        stg     %r3,240(%r15)
[   37.321074] Call Trace:
[   37.321077] ([<000000000012da78>] bpf_jit_compile+0x2228/0x23d0)
[   37.321083]  [<00000000006007c2>] sk_attach_filter+0xfe/0x214
[   37.321090]  [<00000000005d2d92>] sock_setsockopt+0x926/0xbdc
[   37.321097]  [<00000000005cbfb6>] SyS_setsockopt+0x8a/0xe8
[   37.321101]  [<00000000005ccaa8>] SyS_socketcall+0x264/0x364
[   37.321106]  [<0000000000713f1c>] sysc_nr_ok+0x22/0x28
[   37.321113]  [<000003fffce10ea8>] 0x3fffce10ea8
[   37.321118] INFO: lockdep is turned off.
[   37.321121] Last Breaking-Event-Address:
[   37.321124]  [<000000000012d192>] bpf_jit_compile+0x1942/0x23d0
[   37.321132]
[   37.321135] Kernel panic - not syncing: Fatal exception: panic_on_oops

Cc: stable@vger.kernel.org # v3.11
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2013-09-04 17:18:55 +02:00
..
appldata s390/appldata_net_sum: do not use static data 2013-06-26 21:10:31 +02:00
boot s390: add support for LZ4-compressed kernel 2013-07-26 13:25:19 +02:00
crypto s390/crypto: Don't panic after crypto instruction failures 2012-11-23 11:14:27 +01:00
hypfs s390/hypfs: Cocci spatch "ptr_ret.spatch" 2013-06-26 21:10:21 +02:00
include s390/pci: update function handle after resume from hibernate 2013-08-30 08:57:20 +02:00
kernel s390/pci: update function handle after resume from hibernate 2013-08-30 08:57:20 +02:00
kvm KVM: s390: fix pfmf non-quiescing control handling 2013-07-29 09:02:30 +02:00
lib s390/time: return with irqs disabled from psw_idle 2013-08-28 09:19:23 +02:00
math-emu s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
mm s390/mm: implement software referenced bits 2013-08-29 13:20:11 +02:00
net s390/bpf,jit: fix address randomization 2013-09-04 17:18:55 +02:00
oprofile s390: add support for IBM zBC12 machine 2013-07-26 13:25:21 +02:00
pci s390/pci: use virtual memory for iommu bitmap 2013-08-30 08:57:24 +02:00
defconfig s390: update defconfig 2012-09-26 15:45:29 +02:00
Kbuild s390/pci: base support 2012-11-30 15:40:45 +01:00
Kconfig s390: convert interrupt handling to use generic hardirq 2013-08-22 12:20:04 +02:00
Kconfig.debug Kconfig: consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS 2013-04-30 17:04:09 -07:00
Makefile s390: remove small stack config option 2013-04-26 09:07:08 +02:00