From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Hogan, Matt Redfearn, Ralf Baechle, linux-mips@linux-mips.org
Subject: [PATCH 3.18 45/52] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Sun, 22 Apr 2018 15:54:18 +0200
Message-Id: <20180422135317.436671003@linuxfoundation.org>
In-Reply-To: <20180422135315.254787616@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Redfearn

commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

    static int __init __attribute__((optimize("O0"))) test_clear_user(void)
    {
      /* Pin t to v1 so a clobber of the register shows up in t. */
      register int t asm("v1");
      char *test;
      int j, k;

      pr_info("\n\n\nTesting clear_user\n");
      test = vmalloc(PAGE_SIZE);

      /* For j > 256 the range runs past the end of the vmalloc'd page. */
      for (j = 256; j < 512; j++) {
        t = 0xa5a5a5a5;
        if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
            pr_err("clear_user (%px %d) returned %d\n",
                test + PAGE_SIZE - 256, j, k);
        }
        if (t != 0xa5a5a5a5) {
            pr_err("v1 was clobbered to 0x%x!\n", t);
        }
      }

      return 0;
    }
    late_initcall(test_clear_user);

Which demonstrates that v1 is indeed clobbered (MIPS64):

    Testing clear_user
    v1 was clobbered to 0x1!
    v1 was clobbered to 0x2!
    v1 was clobbered to 0x3!
    v1 was clobbered to 0x4!
    v1 was clobbered to 0x5!
    v1 was clobbered to 0x6!
    v1 was clobbered to 0x7!

Since the number of bytes that could not be set is already contained in
a2, the andi placing a value in v1 is not necessary and actively
harmful in clobbering v1.

Reported-by: James Hogan
Signed-off-by: Matt Redfearn
Cc: Ralf Baechle
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/19109/
Signed-off-by: James Hogan
Signed-off-by: Greg Kroah-Hartman

--- arch/mips/lib/memset.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -210,7 +210,7 @@ .Llast_fixup\@: jr ra - andi v1, a2, STORMASK + nop .Lsmall_fixup\@: PTR_SUBU a2, t1, a0
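
Review bot: the delay slot after `jr ra` in .Llast_fixup\@ is now a bare `nop` with nothing in the source saying why it must stay empty. The commit message gives the reason (a2 already holds the number of bytes that could not be set, and v1 belongs to the caller), but that reasoning lives only in the changelog. A one-line comment at the label stating that a2 is already the residual count and that v1 must not be written here would keep a later cleanup from refilling the slot with another scratch-register write. The test_clear_user() routine in the commit message is also not part of the patch, so nothing in the tree checks that v1 survives a faulting clear_user(); consider carrying it as a test alongside the fix.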