From: Mark Rutland
To: linux-kernel@vger.kernel.org, peterz@lists.infradead.org, davem@davemloft.net
Cc: Mark Rutland, Ingo Molnar, sparclinux@vger.kernel.org
Subject: [PATCH] locking/atomic: sparc: fix arch_cmpxchg64_local()
Date: Wed, 7 Jul 2021 09:30:32 +0100
Message-Id: <20210707083032.567-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Anatoly reports that since commit:

  ff5b4f1ed580c59d ("locking/atomic: sparc: move to ARCH_ATOMIC")

... it's possible to reliably trigger an oops by running:

  stress-ng -v --mmap 1 -t 30s

... which results in a NULL pointer dereference in __split_huge_pmd_locked().

The underlying problem is that commit ff5b4f1ed580c59d left arch_cmpxchg64_local() defined in terms of cmpxchg_local() rather than arch_cmpxchg_local(). In we wrap these with macros which use identically-named variables. When cmpxchg_local() nests inside cmpxchg64_local(), this causes it to use an uninitialized variable as the pointer, which can be NULL.

This can also be seen in pmdp_establish(), where the compiler can generate the pointer with a `clr` instruction:

0000000000000360 :
     360:	9d e3 bf 50 	save  %sp, -176, %sp
     364:	fa 5e 80 00 	ldx  [ %i2 ], %i5
     368:	82 10 00 1b 	mov  %i3, %g1
     36c:	84 10 20 00 	clr  %g2
     370:	c3 f0 90 1d 	casx  [ %g2 ], %i5, %g1
     374:	80 a7 40 01 	cmp  %i5, %g1
     378:	32 6f ff fc 	bne,a   %xcc, 368
     37c:	fa 5e 80 00 	ldx  [ %i2 ], %i5
     380:	d0 5e 20 40 	ldx  [ %i0 + 0x40 ], %o0
     384:	96 10 00 1b 	mov  %i3, %o3
     388:	94 10 00 1d 	mov  %i5, %o2
     38c:	92 10 00 19 	mov  %i1, %o1
     390:	7f ff ff 84 	call  1a0 <__set_pmd_acct>
     394:	b0 10 00 1d 	mov  %i5, %i0
     398:	81 cf e0 08 	return  %i7 + 8
     39c:	01 00 00 00 	nop

This patch fixes the problem by defining arch_cmpxchg64_local() in terms of arch_cmpxchg_local(), avoiding potential shadowing, and resulting in working cmpxchg64_local() and variants, e.g.
0000000000000360 :
     360:	9d e3 bf 50 	save  %sp, -176, %sp
     364:	fa 5e 80 00 	ldx  [ %i2 ], %i5
     368:	82 10 00 1b 	mov  %i3, %g1
     36c:	c3 f6 90 1d 	casx  [ %i2 ], %i5, %g1
     370:	80 a7 40 01 	cmp  %i5, %g1
     374:	32 6f ff fd 	bne,a   %xcc, 368
     378:	fa 5e 80 00 	ldx  [ %i2 ], %i5
     37c:	d0 5e 20 40 	ldx  [ %i0 + 0x40 ], %o0
     380:	96 10 00 1b 	mov  %i3, %o3
     384:	94 10 00 1d 	mov  %i5, %o2
     388:	92 10 00 19 	mov  %i1, %o1
     38c:	7f ff ff 85 	call  1a0 <__set_pmd_acct>
     390:	b0 10 00 1d 	mov  %i5, %i0
     394:	81 cf e0 08 	return  %i7 + 8
     398:	01 00 00 00 	nop
     39c:	01 00 00 00 	nop

Link: https://lore.kernel.org/r/CADxRZqzcrnSMzy50T+kWb_mQVguWDCMu6RoXsCc+-fNDPYXbaw@mail.gmail.com
Fixes: ff5b4f1ed580c59d ("locking/atomic: sparc: move to ARCH_ATOMIC")
Signed-off-by: Mark Rutland
Reported-by: Anatoly Pugachev
Tested-by: Anatoly Pugachev
Cc: David S. Miller
Cc: Ingo Molnar
Cc: Peter Zijlstra
Cc: sparclinux@vger.kernel.org
---
 arch/sparc/include/asm/cmpxchg_64.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Peter, David, could one of you please apply this? It's an urgent fix for fallout from the ARCH_ATOMIC conversion, and it'd be good to fix before -rc1.

Thanks,
Mark.

diff --git a/arch/sparc/include/asm/cmpxchg_64.h b/arch/sparc/include/asm/cmpxchg_64.h
index 8c39a9981187..12d00a42c0a3 100644
--- a/arch/sparc/include/asm/cmpxchg_64.h
+++ b/arch/sparc/include/asm/cmpxchg_64.h
@@ -201,7 +201,7 @@ static inline unsigned long __cmpxchg_local(volatile void *ptr,
 #define arch_cmpxchg64_local(ptr, o, n)					\
 ({									\
 	BUILD_BUG_ON(sizeof(*(ptr)) != 8);				\
-	cmpxchg_local((ptr), (o), (n));					\
+	arch_cmpxchg_local((ptr), (o), (n));				\
 })
 
 #define arch_cmpxchg64(ptr, o, n)	arch_cmpxchg64_local((ptr), (o), (n))
-- 
2.11.0
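Review bot: the one-line swap of cmpxchg_local() for arch_cmpxchg_local() inside arch_cmpxchg64_local() is the right fix for the nesting the message describes, but nothing in the hunk stops the same mistake recurring, and the hunk cannot show whether other arch_* definitions in cmpxchg_64.h still call the non-arch wrappers (cmpxchg(), cmpxchg_local(), xchg()), which would nest the wrappers' identically-named temporaries the same way. Before merging, grep the file for non-arch_ calls inside arch_ definitions, and consider a one-line comment above this block stating that arch_* helpers must only call other arch_* helpers; the compiler silently turned the uninitialized pointer into `clr %g2` rather than diagnosing it, so a comment is the only guard the header has.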
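The shadowing the message describes, reproduced as a self-contained C model. This is an added example, not code from the patch or from the kernel: the `instr_*` macros are an assumed, stripped-down stand-in for the kernel's instrumented wrapper layer (each declares a temporary named `__ai_ptr` and hands it to the `arch_` macro), `arch_cmpxchg_local()` is an assumed plain 64-bit compare-and-swap rather than the sparc helper, and `slot` is a constructed operand. The `_buggy` and fixed `arch_cmpxchg64_local` definitions mirror the `-` and `+` lines of the hunk; stringifying the two expansions shows the inner wrapper redeclaring `__ai_ptr` from itself, which is the uninitialized pointer behind the `clr %g2`:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed stand-in for the arch-level helper: a plain 64-bit compare-and-swap
 * with no SMP ordering (what a "_local" variant promises).  The real sparc
 * helper dispatches on operand size; this model is 64-bit only.
 */
static inline uint64_t arch_cmpxchg_local(volatile void *ptr, uint64_t old, uint64_t nv)
{
	volatile uint64_t *p = ptr;
	uint64_t cur = *p;

	if (cur == old)
		*p = nv;
	return cur;
}

/*
 * Assumed model of the instrumented wrappers: each one declares a temporary
 * called __ai_ptr and passes it on to the arch_ macro of the same name.
 */
#define instr_cmpxchg_local(ptr, o, n)				\
({								\
	__typeof__(ptr) __ai_ptr = (ptr);			\
	arch_cmpxchg_local(__ai_ptr, (o), (n));			\
})

#define instr_cmpxchg64_local_buggy(ptr, o, n)			\
({								\
	__typeof__(ptr) __ai_ptr = (ptr);			\
	arch_cmpxchg64_local_buggy(__ai_ptr, (o), (n));		\
})

#define instr_cmpxchg64_local(ptr, o, n)			\
({								\
	__typeof__(ptr) __ai_ptr = (ptr);			\
	arch_cmpxchg64_local(__ai_ptr, (o), (n));		\
})

/* Before the patch: the arch_ macro reaches back into the wrapper layer. */
#define arch_cmpxchg64_local_buggy(ptr, o, n)	instr_cmpxchg_local((ptr), (o), (n))
/* After the patch: the arch_ macro stays at the arch level. */
#define arch_cmpxchg64_local(ptr, o, n)		arch_cmpxchg_local((ptr), (o), (n))

/* Stringify a fully macro-expanded expression so the nesting can be inspected. */
#define STR(x)	#x
#define XSTR(x)	STR(x)

static uint64_t slot;	/* constructed sample operand */

const char *buggy_expansion(void)
{
	return XSTR(instr_cmpxchg64_local_buggy(&slot, 1, 2));
}

const char *fixed_expansion(void)
{
	return XSTR(instr_cmpxchg64_local(&slot, 1, 2));
}

/* Drop blanks so the check does not depend on how the preprocessor spaces tokens. */
static void squash_ws(const char *in, char *out, size_t outsz)
{
	size_t j = 0;

	for (; *in && j + 1 < outsz; in++)
		if (*in != ' ' && *in != '\t')
			out[j++] = *in;
	out[j] = '\0';
}

/*
 * True if the expansion contains "__ai_ptr = ((__ai_ptr))": the inner wrapper
 * redeclares __ai_ptr in a nested scope and initialises it from itself, i.e.
 * from an uninitialised variable, which the compiler is free to make NULL.
 */
bool expansion_self_initialises(const char *expansion)
{
	char buf[2048];

	squash_ws(expansion, buf, sizeof buf);
	return strstr(buf, "__ai_ptr=((__ai_ptr))") != NULL;
}

/* Exercise the fixed path end to end on the sample slot; returns the old value. */
uint64_t run_fixed(uint64_t initial, uint64_t expect, uint64_t nv)
{
	slot = initial;
	return instr_cmpxchg64_local(&slot, expect, nv);
}

uint64_t slot_value(void)
{
	return slot;
}

int main(void)
{
	printf("before: %s\n", buggy_expansion());
	printf("after:  %s\n", fixed_expansion());
	printf("self-initialising: before=%d after=%d\n",
	       expansion_self_initialises(buggy_expansion()),
	       expansion_self_initialises(fixed_expansion()));
	run_fixed(5, 5, 9);
	printf("cas 5->9 on slot: now %llu\n", (unsigned long long)slot_value());
	return 0;
}
```

The buggy expansion is only ever stringified here, never compiled as an expression; if it were, GCC's `-Wshadow` would report the inner `__ai_ptr` declaration shadowing the outer one, which is the cheapest early warning for this class of bug in nested statement-expression macros and worth having on for any header that layers such wrappers.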