From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Emil Renner Berthing, Palmer Dabbelt
Subject: [PATCH 5.15 082/110] riscv: Fix auipc+jalr relocation range checks
Date: Mon, 14 Mar 2022 12:54:24 +0100
Message-Id: <20220314112745.319490791@linuxfoundation.org>
In-Reply-To: <20220314112743.029192918@linuxfoundation.org>
References: <20220314112743.029192918@linuxfoundation.org>

From: Emil Renner Berthing

commit 0966d385830de3470b7131db8e86c0c5bc9c52dc upstream.

RISC-V can do PC-relative jumps with a 32bit range using the following
two instructions:

    auipc   t0, imm20       ; t0 = PC + imm20 * 2^12
    jalr    ra, t0, imm12   ; ra = PC + 4, PC = t0 + imm12

Crucially both the 20bit immediate imm20 and the 12bit immediate imm12
are treated as two's-complement signed values. For this reason the
immediates are usually calculated like this:

    imm20 = (offset + 0x800) >> 12
    imm12 = offset & 0xfff

..where offset is the signed offset from the auipc instruction. When
the 11th bit of offset is 0 the addition of 0x800 doesn't change the top
20 bits and imm12 is considered positive. When the 11th bit is 1 the carry
of the addition by 0x800 means imm20 is one higher, but since imm12 is
then considered negative the two's complement representation means it
all cancels out nicely.

However, this addition by 0x800 (2^11) means an offset greater than or
equal to 2^31 - 2^11 would overflow so imm20 is considered negative and
result in a backwards jump. Similarly the lower range of offset is also
moved down by 2^11 and hence the true 32bit range is

    [-2^31 - 2^11, 2^31 - 2^11)

Signed-off-by: Emil Renner Berthing
Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt
Signed-off-by: Greg Kroah-Hartman
---
 arch/riscv/kernel/module.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

--- a/arch/riscv/kernel/module.c +++ b/arch/riscv/kernel/module.c @@ -13,6 +13,19 @@ #include #include +/* + * The auipc+jalr instruction pair can reach any PC-relative offset + * in the range [-2^31 - 2^11, 2^31 - 2^11) + */ +static bool riscv_insn_valid_32bit_offset(ptrdiff_t val) +{ +#ifdef CONFIG_32BIT + return true; +#else + return (-(1L << 31) - (1L << 11)) <= val && val < ((1L << 31) - (1L << 11)); +#endif +} + static int apply_r_riscv_32_rela(struct module *me, u32 *location, Elf_Addr v) { if (v != (u32)v) { 
@@ -95,7 +108,7 @@ static int apply_r_riscv_pcrel_hi20_rela ptrdiff_t offset = (void *)v - (void *)location; s32 hi20; - if (offset != (s32)offset) { + if (!riscv_insn_valid_32bit_offset(offset)) { pr_err( "%s: target %016llx can not be addressed by the 32-bit offset from PC = %p\n", me->name, (long long)v, location); @@ -197,10 +210,9 @@ static int apply_r_riscv_call_plt_rela(s Elf_Addr v) { ptrdiff_t offset = (void *)v - (void *)location; - s32 fill_v = offset; u32 hi20, lo12; - if (offset != fill_v) { + if (!riscv_insn_valid_32bit_offset(offset)) { /* Only emit the plt entry if offset over 32-bit range */ if (IS_ENABLED(CONFIG_MODULE_SECTIONS)) { offset = module_emit_plt_entry(me, v); @@ -224,10 +236,9 @@ static int apply_r_riscv_call_rela(struc Elf_Addr v) { ptrdiff_t offset = (void *)v - (void *)location; - s32 fill_v = offset; u32 hi20, lo12; - if (offset != fill_v) { + if (!riscv_insn_valid_32bit_offset(offset)) { pr_err( "%s: target %016llx can not be addressed by the 32-bit offset from PC = %p\n", me->name, (long long)v, location);
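
Review bot: the comment above riscv_insn_valid_32bit_offset() in the first hunk names only the auipc+jalr pair, yet the helper is also called from apply_r_riscv_pcrel_hi20_rela, so the comment would be more accurate if it described the range reachable by auipc plus a signed 12-bit immediate in general. The CONFIG_32BIT branch returns true with no explanation; a one-line comment stating why no range check is needed there would save the next reader from having to work it out.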
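
Review bot: in the apply_r_riscv_call_plt_rela hunk the retained comment "Only emit the plt entry if offset over 32-bit range" no longer matches the condition, because riscv_insn_valid_32bit_offset() now rejects offsets from 2^31 - 2^11 upward that still fit in 32 bits and accepts offsets down to -2^31 - 2^11. Suggest rewording it to refer to the auipc+jalr range. The visible context also reassigns offset from module_emit_plt_entry(me, v) and does not show whether that new value is checked against the same helper, which is worth confirming.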
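
The range argument in the commit message, worked through as an added example (not part of the patch or the kernel source). The function names jump_taken, old_check and new_check are hypothetical, the sample offsets are constructed, and sign extension is modelled as on a 64-bit target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Offset the CPU actually applies when auipc+jalr are encoded for 'offset'. */
static int64_t jump_taken(int64_t offset)
{
	/* Encoding from the commit message, truncated to the field widths. */
	uint32_t imm20 = (uint32_t)(((uint64_t)offset + 0x800) >> 12) & 0xfffff;
	uint32_t imm12 = (uint32_t)offset & 0xfff;
	/* Both fields are sign-extended before use. */
	int64_t hi = (int64_t)(imm20 ^ 0x80000) - 0x80000;
	int64_t lo = (int64_t)(imm12 ^ 0x800) - 0x800;
	return hi * 4096 + lo;
}

/* Equivalent of the removed test: offset fits a signed 32-bit integer. */
static bool old_check(int64_t offset)
{
	return offset >= INT32_MIN && offset <= INT32_MAX;
}

/* Range from the commit message, written with fixed-width types. */
static bool new_check(int64_t offset)
{
	const int64_t two31 = INT64_C(1) << 31, two11 = INT64_C(1) << 11;
	return -two31 - two11 <= offset && offset < two31 - two11;
}

int main(void)
{
	/* Constructed sample offsets around both ends of the range. */
	const int64_t samples[] = {
		0x7ffff7ff, 0x7ffff800, 0x7fffffff,
		-2147483648LL, -2147485696LL, -2147485697LL,
	};
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int64_t o = samples[i];
		printf("%12lld old=%d new=%d taken=%lld\n", (long long)o,
		       old_check(o), new_check(o), (long long)jump_taken(o));
	}
	return 0;
}
```

An offset is encodable exactly when jump_taken(offset) == offset; the rows where old_check and new_check disagree are the ones the patch changes.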