From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Hogan, Matt Redfearn, Ralf Baechle, linux-mips@linux-mips.org
Subject: [PATCH 4.16 176/196] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Sun, 22 Apr 2018 15:53:16 +0200
Message-Id: <20180422135113.353179384@linuxfoundation.org>
In-Reply-To: <20180422135104.278511750@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Redfearn

commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

    static int __init __attribute__((optimize("O0"))) test_clear_user(void)
    {
        register int t asm("v1");
        char *test;
        int j, k;

        pr_info("\n\n\nTesting clear_user\n");
        test = vmalloc(PAGE_SIZE);

        for (j = 256; j < 512; j++) {
            t = 0xa5a5a5a5;
            if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
                pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
            }
            if (t != 0xa5a5a5a5) {
                pr_err("v1 was clobbered to 0x%x!\n", t);
            }
        }

        return 0;
    }
    late_initcall(test_clear_user);

Which demonstrates that v1 is indeed clobbered (MIPS64):

    Testing clear_user
    v1 was clobbered to 0x1!
    v1 was clobbered to 0x2!
    v1 was clobbered to 0x3!
    v1 was clobbered to 0x4!
    v1 was clobbered to 0x5!
    v1 was clobbered to 0x6!
    v1 was clobbered to 0x7!

Since the number of bytes that could not be set is already contained in
a2, the andi placing a value in v1 is not necessary and actively
harmful in clobbering v1.

Reported-by: James Hogan
Signed-off-by: Matt Redfearn
Cc: Ralf Baechle
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/19109/
Signed-off-by: James Hogan
Signed-off-by: Greg Kroah-Hartman

---
 arch/mips/lib/memset.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -258,7 +258,7 @@ .Llast_fixup\@: jr ra - andi v1, a2, STORMASK + nop .Lsmall_fixup\@: PTR_SUBU a2, t1, a0
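
Review bot: The bare nop now filling the jr ra delay slot in .Llast_fixup\@ carries no comment explaining why the slot is empty or which register holds the result. The only statement that a2 already contains the number of bytes that could not be set is in the commit message, and the visible context does not show where a2 gets that value on this path. A short comment at the label, saying that a2 holds the unset byte count on entry and that v1 must be preserved for the caller, would keep a later change from putting a scratch-register write back into the slot. The adjacent .Lsmall_fixup\@ recomputes a2 with PTR_SUBU a2, t1, a0, so it is worth confirming in the same pass that the other fixup labels in memset.S touch only a2 and the temporaries. The test_clear_user() reproducer exists only in the commit message; carrying it as an in-tree test would let the v1 check run on future changes to this file.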