From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Hogan, Matt Redfearn, Ralf Baechle, linux-mips@linux-mips.org
Subject: [PATCH 4.9 82/95] MIPS: memset.S: Fix clobber of v1 in last_fixup
Date: Sun, 22 Apr 2018 15:53:51 +0200
Message-Id: <20180422135213.782881483@linuxfoundation.org>
In-Reply-To: <20180422135210.432103639@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Redfearn

commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.

The label .Llast_fixup\@ is jumped to on page fault within the final
byte set loop of memset (on < MIPSR6 architectures). For some reason, in
this fault handler, the v1 register is randomly set to a2 & STORMASK.
This clobbers v1 for the calling function. This can be observed with the
following test code:

#include <linux/init.h>
#include <linux/printk.h>
#include <linux/uaccess.h>
#include <linux/vmalloc.h>

static int __init __attribute__((optimize("O0"))) test_clear_user(void)
{
	/* Pin t to v1 so a clobber by the fixup path is visible here. */
	register int t asm("v1");
	char *test;
	int j, k;

	pr_info("\n\n\nTesting clear_user\n");
	test = vmalloc(PAGE_SIZE);
	if (!test)
		return -ENOMEM;

	/*
	 * Start 256 bytes before the end of the page and clear j >= 256
	 * bytes, so the access faults and j - 256 bytes stay unset.
	 */
	for (j = 256; j < 512; j++) {
		t = 0xa5a5a5a5;
		if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
			pr_err("clear_user (%px %d) returned %d\n",
			       test + PAGE_SIZE - 256, j, k);
		}
		/* v1 must still hold the marker after the call returns. */
		if (t != 0xa5a5a5a5) {
			pr_err("v1 was clobbered to 0x%x!\n", t);
		}
	}

	vfree(test);
	return 0;
}
late_initcall(test_clear_user);

Which demonstrates that v1 is indeed clobbered (MIPS64):

Testing clear_user
v1 was clobbered to 0x1!
v1 was clobbered to 0x2!
v1 was clobbered to 0x3!
v1 was clobbered to 0x4!
v1 was clobbered to 0x5!
v1 was clobbered to 0x6!
v1 was clobbered to 0x7!

Since the number of bytes that could not be set is already contained in
a2, the andi placing a value in v1 is not necessary and actively
harmful in clobbering v1.

Reported-by: James Hogan
Signed-off-by: Matt Redfearn
Cc: Ralf Baechle
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/19109/
Signed-off-by: James Hogan
Signed-off-by: Greg Kroah-Hartman
--- arch/mips/lib/memset.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -257,7 +257,7 @@ .Llast_fixup\@: jr ra - andi v1, a2, STORMASK + nop .Lsmall_fixup\@: PTR_SUBU a2, t1, a0
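
Review bot: In .Llast_fixup\@ the delay slot of "jr ra" is now a bare "nop" with nothing in the source saying why no fixup arithmetic is needed there. A one-line comment would help, stating that a2 already holds the number of bytes that could not be set and that v1 belongs to the caller and must not be written on this path, so that a later cleanup does not put a register write back into the slot. The test_clear_user reproducer exists only in the commit message; if it can be carried as a boot-time self-test, the clobber would be caught mechanically instead of by inspection.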