linux/arch/powerpc/lib
Paul Mackerras 4716e488ab powerpc: Fix kernel crash in emulation of vector loads and stores
Commit 350779a29f ("powerpc: Handle most loads and stores in
instruction emulation code", 2017-08-30) changed the register usage
in get_vr and put_vr with the aim of leaving the register number in
r3 untouched on return.  Unfortunately, r6 was not a good choice, as
the callers as of 350779a29f store a MSR value in r6.  Then, in
commit c22435a5f3 ("powerpc: Emulate FP/vector/VSX loads/stores
correctly when regs not live", 2017-08-30), the saving and restoring
of the MSR got moved into get_vr and put_vr.  Either way, the effect
is that we put a value in MSR that only has the 0x3f8 bits non-zero,
meaning that we are switching to 32-bit mode.  That leads to a crash
like this:

Unable to handle kernel paging request for instruction fetch
Faulting instruction address: 0x0007bea0
Oops: Kernel access of bad area, sig: 11 [#12]
LE SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: vmx_crypto binfmt_misc ip_tables x_tables autofs4 crc32c_vpmsum
CPU: 6 PID: 32659 Comm: trashy_testcase Tainted: G      D         4.13.0-rc2-00313-gf3026f57e6ed-dirty #23
task: c000000f1bb9e780 task.stack: c000000f1ba98000
NIP:  000000000007bea0 LR: c00000000007b054 CTR: c00000000007be70
REGS: c000000f1ba9b960 TRAP: 0400   Tainted: G      D          (4.13.0-rc2-00313-gf3026f57e6ed-dirty)
MSR:  10000000400010a1 <HV,ME,IR,LE>  CR: 48000228  XER: 00000000
CFAR: c00000000007be74 SOFTE: 1
GPR00: c00000000007b054 c000000f1ba9bbe0 c000000000e6e000 000000000000001d
GPR04: c000000f1ba9bc00 c00000000007be70 00000000000000e8 9000000002009033
GPR08: 0000000002000000 100000000282f033 000000000b0a0900 0000000000001009
GPR12: 0000000000000000 c00000000fd42100 0706050303020100 a5a5a5a5a5a5a5a5
GPR16: 2e2e2e2e2e2de70c 2e2e2e2e2e2e2e2d 0000000000ff00ff 0606040202020000
GPR20: 000000000000005b ffffffffffffffff 0000000003020100 0000000000000000
GPR24: c000000f1ab90020 c000000f1ba9bc00 0000000000000001 0000000000000001
GPR28: c000000f1ba9bc90 c000000f1ba9bea0 000000000b0a0908 0000000000000001
NIP [000000000007bea0] 0x7bea0
LR [c00000000007b054] emulate_loadstore+0x1044/0x1280
Call Trace:
[c000000f1ba9bbe0] [c000000000076b80] analyse_instr+0x60/0x34f0 (unreliable)
[c000000f1ba9bc70] [c00000000007b7ec] emulate_step+0x23c/0x544
[c000000f1ba9bce0] [c000000000053424] arch_uprobe_skip_sstep+0x24/0x40
[c000000f1ba9bd00] [c00000000024b2f8] uprobe_notify_resume+0x598/0xba0
[c000000f1ba9be00] [c00000000001c284] do_notify_resume+0xd4/0xf0
[c000000f1ba9be30] [c00000000000bd44] ret_from_except_lite+0x70/0x74
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace a7ae7a7f3e0256b5 ]---

To fix this, we just revert to using r3 as before, since the callers
don't rely on r3 being left unmodified.

Fortunately, this can't be triggered by a misaligned load or store,
because vector loads and stores truncate misaligned addresses rather
than taking an alignment interrupt.  It can be triggered using
uprobes.

Fixes: 350779a29f ("powerpc: Handle most loads and stores in instruction emulation code")
Reported-by: Anton Blanchard <anton@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Tested-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-09-04 19:38:07 +10:00
..
Makefile powerpc: Use instruction emulation infrastructure to handle alignment faults 2017-09-01 16:42:43 +10:00
alloc.c treewide: replace obsolete _refok by __ref 2016-08-02 17:31:41 -04:00
checksum_32.S powerpc: EX_TABLE macro for exception tables 2016-11-14 11:11:51 +11:00
checksum_64.S powerpc/64: Use optimized checksum routines on little-endian 2017-01-25 13:34:18 +11:00
checksum_wrappers.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
code-patching.c powerpc/lib/code-patching: Use alternate map for patch_instruction() 2017-07-03 23:12:19 +10:00
copy_32.S powerpc/32: remove a NOP from memset() 2017-09-01 16:42:46 +10:00
copypage_64.S powerpc/64: Fix naming of cache block vs. cache line 2017-02-06 19:46:04 +11:00
copypage_power7.S powerpc: Fix invalid use of register expressions 2017-08-10 22:29:41 +10:00
copyuser_64.S powerpc: get rid of zeroing, switch to RAW_COPY_USER 2017-04-06 15:08:42 -04:00
copyuser_power7.S powerpc: Fix invalid use of register expressions 2017-08-10 22:29:41 +10:00
crtsavres.S powerpc/64: Do not create new section for save/restore functions 2017-05-30 14:59:51 +10:00
div64.S powerpc: Fix a corner case in __div64_32 2005-10-20 09:37:02 +10:00
feature-fixups-test.S powerpc: Ensure the else case of feature sections will fit 2011-01-21 14:08:33 +11:00
feature-fixups.c powerpc: make feature-fixup tests fortify-safe 2017-07-12 16:26:03 -07:00
hweight_64.S ppc: move exports to definitions 2016-08-07 23:50:09 -04:00
ldstfp.S powerpc: Fix kernel crash in emulation of vector loads and stores 2017-09-04 19:38:07 +10:00
locks.c powerpc/spinlock: Fix spin_unlock_wait() 2016-06-14 16:05:44 +10:00
mem_64.S powerpc/string: Implement optimized memset variants 2017-08-17 23:04:35 +10:00
memcmp_64.S ppc: move exports to definitions 2016-08-07 23:50:09 -04:00
memcpy_64.S ppc: move exports to definitions 2016-08-07 23:50:09 -04:00
memcpy_power7.S powerpc: Fix invalid use of register expressions 2017-08-10 22:29:41 +10:00
quad.S powerpc: Handle most loads and stores in instruction emulation code 2017-09-01 16:39:48 +10:00
rheap.c powerpc: Various typo fixes 2016-06-14 13:58:26 +10:00
sstep.c powerpc/sstep: Avoid used uninitialized error 2017-09-02 08:04:26 +10:00
string.S powerpc: EX_TABLE macro for exception tables 2016-11-14 11:11:51 +11:00
string_64.S powerpc: Fix invalid use of register expressions 2017-08-10 22:29:41 +10:00
test_emulate_step.c powerpc: emulate_step() tests for load/store instructions 2017-03-03 11:24:50 +11:00
vmx-helper.c powerpc: Introduce asm-prototypes.h 2016-06-16 22:39:54 +10:00
xor_vmx.c powerpc/lib/xor_vmx: Ensure no altivec code executes before enable_kernel_altivec() 2017-06-02 20:17:52 +10:00
xor_vmx.h powerpc/lib/xor_vmx: Ensure no altivec code executes before enable_kernel_altivec() 2017-06-02 20:17:52 +10:00
xor_vmx_glue.c powerpc/lib/xor_vmx: Ensure no altivec code executes before enable_kernel_altivec() 2017-06-02 20:17:52 +10:00