Subject: Re: [PATCH v2] ppc64/kprobe: Fix oops when kprobed on 'stdu' instruction
From: Ravi Bangoria
To: Balbir Singh
Cc: mpe@ellerman.id.au, benh@kernel.crashing.org, paulus@samba.org, npiggin@gmail.com, aneesh.kumar@linux.vnet.ibm.com, chris@distroguy.com, viro@zeniv.linux.org.uk, christophe.leroy@c-s.fr, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, anton@samba.org, naveen.n.rao@linux.vnet.ibm.com, Ravi Bangoria, "ananth@in.ibm.com"
Date: Tue, 11 Apr 2017 16:22:18 +0530
Message-Id: <58ECB562.8070903@linux.vnet.ibm.com>
In-Reply-To: <1491900956.8380.5.camel@gmail.com>
References: <1491887293-3815-1-git-send-email-ravi.bangoria@linux.vnet.ibm.com> <1491900956.8380.5.camel@gmail.com>

Thanks Balbir for the review,

On Tuesday 11 April 2017 02:25 PM, Balbir Singh wrote:
> On Tue, 2017-04-11 at 10:38 +0530, Ravi Bangoria wrote:
>> If we set a kprobe on a 'stdu' instruction on powerpc64, we see a kernel
>> OOPS:
>>
>> [ 1275.165932] Bad kernel stack pointer cd93c840 at c000000000009868
>> [ 1275.166378] Oops: Bad kernel stack pointer, sig: 6 [#1]
>> ...
>> GPR00: c000001fcd93cb30 00000000cd93c840 c0000000015c5e00 00000000cd93c840
>> ...
>> [ 1275.178305] NIP [c000000000009868] resume_kernel+0x2c/0x58
>> [ 1275.178594] LR [c000000000006208] program_check_common+0x108/0x180
>>
>> Basically, on a 64-bit system, when a user probes a 'stdu' instruction, the
>> kernel does not emulate the actual store in emulate_step itself because it
>> may corrupt the exception frame. So the kernel does the actual store operation
>> in the exception return code, i.e. resume_kernel().
>>
>> resume_kernel() loads the saved stack pointer from memory using lwz,
>> effectively loading a corrupt (32-bit) address, causing the kernel crash.
>>
>> Fix this by loading the 64-bit value instead.
>>
>> Fixes: be96f63375a1 ("powerpc: Split out instruction analysis part of emulate_step()")
>> Signed-off-by: Ravi Bangoria
>> Reviewed-by: Naveen N. Rao
>> ---
> The patch looks correct to me from the description and code. I have not
> validated that the write to GPR1(r1) via store of r8 to 0(r5) is indeed correct.
> I would assume r8 should contain regs->gpr[r1] with the updated ea that
> is written down to the GPR1(r1) which will be what we restore when we return
> from the exception.

emulate_step() updates regs->gpr[r1] with the new value. So regs->gpr[r1] and
GPR(r1) are both the same at resume_kernel.

At resume_kernel, r1 points to the exception frame. The address of the frame
preceding the exception frame gets loaded into r8 with:

    addi r8,r1,INT_FRAME_SIZE

Let me know if you need more details.

Ravi
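The mechanism the thread describes (emulate_step applies the r1 update of 'stdu' but defers the store; resume_kernel reloads the saved r1 from the exception frame, computes r8 = r1 + INT_FRAME_SIZE and completes the store with std r8,0(r5)), written out as an added C model for readers. This is not kernel code and not part of the thread: memory is a small buffer mapped at a constructed base address whose upper bits mirror the oops, and INT_FRAME_SIZE, GPR1_OFF, the trap-time stack pointer and the displacement -112 are all assumptions chosen for the model. The lwz variant reproduces the truncated "Bad kernel stack pointer" value; the ld variant restores the full 64-bit r1 and leaves the back chain in place.

```c
/* Added model (not kernel code) of the deferred 'stdu' store discussed in the thread.
 * Memory is a small buffer mapped at a constructed, kernel-looking base address. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT_FRAME_SIZE 256   /* hypothetical frame size for this model, not the kernel's constant */
#define GPR1_OFF       8     /* offset of the saved r1 inside the model exception frame (assumption) */

static uint8_t mem[4096];
static const uint64_t MEM_BASE = 0xc000001fcd93c000ULL; /* constructed; upper bits mirror the oops */

/* The check that fails in the oops: is this a usable kernel stack address in our model? */
static bool valid_kernel_addr(uint64_t a)
{
    return a >= MEM_BASE && a + 8 <= MEM_BASE + sizeof mem;
}

/* ld: load a doubleword */
static uint64_t ld64(uint64_t a)
{
    uint64_t v;
    memcpy(&v, mem + (a - MEM_BASE), sizeof v);
    return v;
}

/* std: store a doubleword */
static void st64(uint64_t a, uint64_t v)
{
    memcpy(mem + (a - MEM_BASE), &v, sizeof v);
}

/* lwz: load a word and zero-extend. On a little-endian host (as on ppc64le, where the
 * oops shows the low half cd93c840) this yields the low 32 bits of the saved doubleword;
 * on a big-endian host it yields the high half. Either way it is not a valid address. */
static uint64_t lwz32(uint64_t a)
{
    uint32_t v;
    memcpy(&v, mem + (a - MEM_BASE), sizeof v);
    return v;
}

/* emulate_step side: for 'stdu r1,D(r1)' apply the update (regs->gpr[1] = ea) but do NOT
 * perform the store, because ea lies inside the exception frame. In this model only
 * GPR1_OFF is populated, so the later store at ea cannot clobber anything here. */
static uint64_t emulate_stdu_r1(uint64_t frame, int16_t disp)
{
    uint64_t ea = ld64(frame + GPR1_OFF) + (int64_t)disp;
    st64(frame + GPR1_OFF, ea);       /* regs->gpr[1] = ea */
    return ea;
}

/* resume_kernel side. 'frame' is r1 at resume_kernel (the exception frame).
 * Returns 0 and the restored r1, or -1 when the saved stack pointer is not a kernel address. */
static int resume_kernel_model(uint64_t frame, bool load_64bit, uint64_t *restored_r1)
{
    uint64_t r8 = frame + INT_FRAME_SIZE;                  /* addi r8,r1,INT_FRAME_SIZE */
    uint64_t r5 = load_64bit ? ld64(frame + GPR1_OFF)      /* ld  r5,GPR1(r1)  (fixed)  */
                             : lwz32(frame + GPR1_OFF);    /* lwz r5,GPR1(r1)  (buggy)  */
    if (!valid_kernel_addr(r5))
        return -1;                                         /* "Bad kernel stack pointer" */
    st64(r5, r8);                                          /* std r8,0(r5): complete the stdu store */
    *restored_r1 = r5;
    return 0;
}

/* Whole scenario: returns the r1 the kernel would resume with, or 0 on a bad stack pointer. */
static uint64_t run_scenario(bool fixed)
{
    memset(mem, 0, sizeof mem);
    uint64_t old_r1 = MEM_BASE + 0xc00;          /* constructed stack pointer at the trap */
    uint64_t frame  = old_r1 - INT_FRAME_SIZE;   /* exception frame sits just below it */
    st64(frame + GPR1_OFF, old_r1);              /* trap entry saves r1 into the frame */
    emulate_stdu_r1(frame, -112);                /* probed instruction: stdu r1,-112(r1) */
    uint64_t restored;
    if (resume_kernel_model(frame, fixed, &restored) != 0)
        return 0;
    return restored;
}

int main(void)
{
    uint64_t r1 = run_scenario(false);
    printf("lwz: restored r1 = %#llx%s\n", (unsigned long long)r1,
           r1 ? "" : " (bad kernel stack pointer)");
    r1 = run_scenario(true);
    printf("ld:  restored r1 = %#llx, back chain = %#llx\n",
           (unsigned long long)r1, (unsigned long long)ld64(r1));
    return 0;
}
```

With the 64-bit load the restored r1 is the new stack pointer and the doubleword at that address holds the previous r1, which is exactly the back-chain word a real 'stdu r1,D(r1)' would have written; with the 32-bit load the model rejects the truncated value just as the kernel does.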