From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Rob Gardner, Anatoly Pugachev, "David S. Miller", Sasha Levin
Subject: [PATCH 5.10 035/221] sparc64: Fix opcode filtering in handling of no fault loads
Date: Mon, 29 Mar 2021 09:56:06 +0200
Message-Id: <20210329075630.336945600@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>
References: <20210329075629.172032742@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Rob Gardner

[ Upstream commit e5e8b80d352ec999d2bba3ea584f541c83f4ca3f ]

is_no_fault_exception() has two bugs which were discovered via random
opcode testing with stress-ng. Both are caused by improper filtering
of opcodes.

The first bug can be triggered by a floating point store with a no-fault
ASI, for instance "sta %f0, [%g0] #ASI_PNF", opcode C1A01040.
The code first tests op3[5] (0x1000000), which denotes a floating
point instruction, and then tests op3[2] (0x200000), which denotes a
store instruction. But these bits are not mutually exclusive, and the
above mentioned opcode has both bits set. The intent is to filter out
stores, so the test for stores must be done first in order to have any
effect.

The second bug can be triggered by a floating point load with one of
the invalid ASI values 0x8e or 0x8f, which pass this check in
is_no_fault_exception():

    if ((asi & 0xf2) == ASI_PNF)

An example instruction is "ldqa [%l7 + %o7] #ASI 0x8f, %f38",
opcode CF95D1EF. Asi values greater than 0x8b (ASI_SNFL) are fatal
in handle_ldf_stq(), and is_no_fault_exception() must not allow these
invalid asi values to make it that far.

In both of these cases, handle_ldf_stq() reacts by calling
sun4v_data_access_exception() or spitfire_data_access_exception(),
which call is_no_fault_exception() and results in an infinite recursion.

Signed-off-by: Rob Gardner
Tested-by: Anatoly Pugachev
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 arch/sparc/kernel/traps_64.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
index d92e5eaa4c1d..a850dccd78ea 100644
--- a/arch/sparc/kernel/traps_64.c
+++ b/arch/sparc/kernel/traps_64.c
@@ -275,14 +275,13 @@ bool is_no_fault_exception(struct pt_regs *regs) asi = (regs->tstate >> 24); /* saved %asi */ else asi = (insn >> 5); /* immediate asi */ - if ((asi & 0xf2) == ASI_PNF) { - if (insn & 0x1000000) { /* op3[5:4]=3 */ - handle_ldf_stq(insn, regs); - return true; - } else if (insn & 0x200000) { /* op3[2], stores */ + if ((asi & 0xf6) == ASI_PNF) { + if (insn & 0x200000) /* op3[2], stores */ return false; - } - handle_ld_nf(insn, regs); + if (insn & 0x1000000) /* op3[5:4]=3 (fp) */ + handle_ldf_stq(insn, regs); + else + handle_ld_nf(insn, regs); return true; } } -- 2.30.1
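Review bot: the widened mask in `+ if ((asi & 0xf6) == ASI_PNF) {` is a magic number and deserves a comment in the hunk saying which ASI values it admits; the only difference from the old 0xf2 is that bit 2 (0x04) is now also required to match ASI_PNF, and that is precisely what excludes 0x8e and 0x8f (both have bit 2 set) named in the commit message, so a one-line note such as `/* only the four no-fault ASIs, not 0x8e/0x8f */` next to the test would keep the next reader from loosening it again. Also the retained comment `/* op3[5:4]=3 (fp) */` describes a two-bit field while `insn & 0x1000000` checks only op3[5], which the commit message itself identifies as the floating-point bit; either test both bits or reword the comment to `op3[5] (fp)` so the comment matches the check. The reordering itself is right: returning false on op3[2] before the fp test means a no-fault fp store now takes the ordinary data-access-exception path instead of reaching handle_ldf_stq() and recursing, and the integer/fp split on op3[5] keeps the handle_ld_nf() fallthrough unchanged for integer loads.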