From: Matt Redfearn
To: James Hogan, Ralf Baechle
CC: Matt Redfearn
Subject: [PATCH v2 1/4] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Tue, 17 Apr 2018 16:40:00 +0100
Message-ID: <1523979603-492-1-git-send-email-matt.redfearn@mips.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

static int __init __attribute__((optimize("O0"))) test_clear_user(void)
{
  register int t asm("v1");
  char *test;
  int j, k;

  pr_info("\n\n\nTesting clear_user\n");
  test = vmalloc(PAGE_SIZE);

  for (j = 256; j < 512; j++) {
    t = 0xa5a5a5a5;
    if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
        pr_err("clear_user (%px %d) returned %d\n",
               test + PAGE_SIZE - 256, j, k);
    }
    if (t != 0xa5a5a5a5) {
        pr_err("v1 was clobbered to 0x%x!\n", t);
    }
  }

  return 0;
}
late_initcall(test_clear_user);

Which demonstrates that v1 is indeed clobbered (MIPS64):

Testing clear_user
v1 was clobbered to 0x1!
v1 was clobbered to 0x2!
v1 was clobbered to 0x3!
v1 was clobbered to 0x4!
v1 was clobbered to 0x5!
v1 was clobbered to 0x6!
v1 was clobbered to 0x7!

Since the number of bytes that could not be set is already contained in
a2, the andi placing a value in v1 is not necessary and actively
harmful in clobbering v1.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: James Hogan
Signed-off-by: Matt Redfearn
---

Changes in v2: None

 arch/mips/lib/memset.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S index 184819c1d5c8..f7327979a8f8 100644 --- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -258,7 +258,7 @@ .Llast_fixup\@: jr ra - andi v1, a2, STORMASK + nop .Lsmall_fixup\@: PTR_SUBU a2, t1, a0 -- 2.7.4
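
Review bot: The nop that now fills the jr ra delay slot under .Llast_fixup\@ carries no comment saying why the handler returns without computing anything, so a later reader comparing it with .Lsmall_fixup\@ (which does a PTR_SUBU into a2) may assume a calculation was lost and put one back. A one-line comment at the label stating that a2 already holds the number of bytes not set, as the commit message explains, would document the intent. The commit message's "For some reason ... randomly set" could also be tightened to say that the write to v1 has no consumer, and since the test_clear_user() reproducer lives only in the message, it is worth saying whether it is meant to be carried anywhere in the series so the v1 clobber stays covered.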