From: Jamie Garside
Date: Mon, 23 Feb 2015 13:43:11 +0000
Subject: [PATCH] /arch/microblaze/kernel/entry.S kernel 3.14 Fix crash when calling invalid syscall ID
To: linux-kernel@vger.kernel.org

There appear to be a couple of bugs in the initial syscall handler on Microblaze when passing an invalid syscall ID. The code at line 351 should check for a syscall ID above __NR_syscalls, then jump to the error exit routine. In this case, _user_exception returns using the wrong register (r15 instead of r14), and doesn't clean up the stack, causing the running user-land to hang. Additionally, it does not cause an error if the syscall ID is negative (as can be returned from do_syscall_trace_enter), causing the kernel to attempt to jump to an invalid syscall handler and cause a kernel oops.

This patch adds a check for negative syscall ID, and modifies the error exit to jump to ret_from_trap instead (as would happen after a successful syscall) to perform cleanup, returning -ENOSYS. I believe this should be safe in this condition.

This patch has been edited against the Linux 3.14 code, but a glance over the git logs shows this file has not been changed in the past two years, hence this patch should be safe for the most recent kernel version.
Thanks,
Jamie

--
Jamie Garside
Department of Computer Science
University of York
United Kingdom

Disclaimer: http://www.york.ac.uk/about/legal-statements/email-disclaimer/

Content-Disposition: attachment; filename="entry.S.patch"
Content-Disposition: attachment; filename=README
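The bounds check the message describes, modelled in C as an added example (not part of the original mail or the kernel source). The table size, handlers and sample IDs are constructed and the function names are hypothetical; it also shows the single unsigned comparison that rejects negative IDs, which goes beyond the signed check the mail proposes.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed table size standing in for __NR_syscalls. */
#define NR_SYSCALLS 3

typedef long (*syscall_fn)(long arg);

/* Hypothetical handlers, only so the table has something to call. */
static long sys_zero(long arg)   { (void)arg; return 0; }
static long sys_double(long arg) { return 2 * arg; }
static long sys_negate(long arg) { return -arg; }

static const syscall_fn sys_call_table[NR_SYSCALLS] = {
    sys_zero, sys_double, sys_negate,
};

/* Check as the mail describes it before the patch: upper bound only.
 * Returns 1 when the ID would be used to index the table. */
int accepted_upper_bound_only(long nr) { return !(nr >= NR_SYSCALLS); }

/* Check with the negative test the patch adds. */
int accepted_with_negative_check(long nr) { return !(nr < 0) && !(nr >= NR_SYSCALLS); }

/* Same result with one unsigned comparison: negative values wrap above
 * any valid index. */
int accepted_unsigned(long nr) { return (unsigned long)nr < NR_SYSCALLS; }

/* Dispatcher using the corrected check; every rejected ID takes the
 * same -ENOSYS exit. */
long dispatch(long nr, long arg)
{
    if (!accepted_with_negative_check(nr))
        return -ENOSYS;
    return sys_call_table[nr](arg);
}

int main(void)
{
    long ids[] = { -1, 0, 2, NR_SYSCALLS, 1000 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("nr=%5ld upper-only=%d fixed=%d unsigned=%d ret=%ld\n", ids[i],
               accepted_upper_bound_only(ids[i]),
               accepted_with_negative_check(ids[i]),
               accepted_unsigned(ids[i]), dispatch(ids[i], 21));
    return 0;
}
```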