Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <20191223130834.GA102399@zx2c4.com> <20191223232945.a3sbzfj6uw2sokba@lantea.localdomain>
 <CAHmME9qg8+xdM7Uo=XydwsOV27BWYK8fV44oimqiosBvH_-UDg@mail.gmail.com>
In-Reply-To: <CAHmME9qg8+xdM7Uo=XydwsOV27BWYK8fV44oimqiosBvH_-UDg@mail.gmail.com>
From:   Arnd Bergmann <arnd@arndb.de>
Date:   Mon, 30 Dec 2019 16:58:31 +0100
Message-ID: <CAK8P3a0ojj7mYg0-gBG8a=CWubBE-0XtDSw-B4nqmqHcmE34pw@mail.gmail.com>
Subject: Re: vdso-related userspace crashes on 5.5 mips64
To:     "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc:     Paul Burton <paulburton@kernel.org>,
        "open list:BROADCOM NVRAM DRIVER" <linux-mips@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>,
        Christian Brauner <christian.brauner@canonical.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Tue, Dec 24, 2019 at 2:37 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> More details forthcoming, but I just bisected this to:
>
> commit 942437c97fd9ff23a17c13118f50bd0490f6868c (refs/bisect/bad)
> Author: Arnd Bergmann <arnd@arndb.de>
> Date:   Mon Jul 15 11:46:10 2019 +0200
>
>    y2038: allow disabling time32 system calls
>
>    At the moment, the compilation of the old time32 system calls depends
>    purely on the architecture. As systems with new libc based on 64-bit
>    time_t are getting deployed, even architectures that previously supported
>    these (notably x86-32 and arm32 but also many others) no longer depend on
>    them, and removing them from a kernel image results in a smaller kernel
>    binary, the same way we can leave out many other optional system calls.

My best guess right now is that there is a bug in the error handling
inside the mips vdso: clock_gettime32_fallback() is defined like

static __always_inline long clock_gettime32_fallback(
                                        clockid_t _clkid,
                                        struct old_timespec32 *_ts)
{
        register struct old_timespec32 *ts asm("a1") = _ts;
        register clockid_t clkid asm("a0") = _clkid;
        register long ret asm("v0");
        register long nr asm("v0") = __NR_clock_gettime;
        register long error asm("a3");

        asm volatile(
        "       syscall\n"
        : "=r" (ret), "=r" (error)
        : "r" (clkid), "r" (ts), "r" (nr)
        : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
          "$14", "$15", "$24", "$25", "hi", "lo", "memory");

        return error ? -ret : ret;
}

and it's possible that this does not work correctly when the system
call fails. With my patch, the __NR_clock_gettime syscall always
fails, and this may end up corrupting the registers or the stack
in some way.

One thing you could try is to use a working kernel version (before
my patch, with my patch reverted, or with your workaround applied)
and pass an invalid _clkid argument to make the system call
fail in a different way. Does this cause the same crash?

I see that the previous vdso implementation (added in
180902e08f05, fixed in b399ee28c29c07, removed in
90800281e761) had an issue with the clobber list originally,
but the current version looks identical to the version after
the fix.

        Arnd