From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Hogan, Matt Redfearn, Ralf Baechle, linux-mips@linux-mips.org
Subject: [PATCH 4.4 85/97] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Sun, 22 Apr 2018 15:54:03 +0200
Message-Id: <20180422135309.843519668@linuxfoundation.org>
In-Reply-To: <20180422135304.577223025@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Redfearn

commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

static int __init __attribute__((optimize("O0"))) test_clear_user(void)
{
	register int t asm("v1");
	char *test;
	int j, k;

	pr_info("\n\n\nTesting clear_user\n");
	test = vmalloc(PAGE_SIZE);

	for (j = 256; j < 512; j++) {
		t = 0xa5a5a5a5;
		if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
			pr_err("clear_user (%px %d) returned %d\n",
				test + PAGE_SIZE - 256, j, k);
		}
		if (t != 0xa5a5a5a5) {
			pr_err("v1 was clobbered to 0x%x!\n", t);
		}
	}

	return 0;
}
late_initcall(test_clear_user);

Which demonstrates that v1 is indeed clobbered (MIPS64):

Testing clear_user
v1 was clobbered to 0x1!
v1 was clobbered to 0x2!
v1 was clobbered to 0x3!
v1 was clobbered to 0x4!
v1 was clobbered to 0x5!
v1 was clobbered to 0x6!
v1 was clobbered to 0x7!

Since the number of bytes that could not be set is already contained in
a2, the andi placing a value in v1 is not necessary and actively
harmful in clobbering v1.

Reported-by: James Hogan
Signed-off-by: Matt Redfearn
Cc: Ralf Baechle
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/19109/
Signed-off-by: James Hogan
Signed-off-by: Greg Kroah-Hartman

---
 arch/mips/lib/memset.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -255,7 +255,7 @@ .Llast_fixup\@: jr ra - andi v1, a2, STORMASK + nop .Lsmall_fixup\@: PTR_SUBU a2, t1, a0
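
Review bot: in .Llast_fixup\@ the delay slot of "jr ra" is now a bare nop with nothing recording why it must stay empty. A one-line comment there, saying that a2 already holds the number of bytes that could not be set and that v1 belongs to the caller, would keep a later cleanup from putting a register-writing instruction back into the slot. The trailers also carry no Fixes: tag naming the change that introduced the andi, which would help stable reviewers judge how far back the fix applies. The clear_user test exists only in the changelog; carrying it as a boot-time self-test would catch a regression of the same kind.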