mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-19 09:04:57 +00:00
Code Issues Releases Wiki Activity
linux-stable/arch/sparc/kernel
History
Rob Gardner a7c5724b5c sparc64: fix FP corruption in user copy functions 
Short story: Exception handlers used by some copy_to_user() and
copy_from_user() functions do not diligently clean up floating point
register usage, and this can result in a user process seeing invalid
values in floating point registers. This sometimes makes the process
fail.

Long story: Several cpu-specific (NG4, NG2, U1, U3) memcpy functions
use floating point registers and VIS alignaddr/faligndata to
accelerate data copying when source and dest addresses don't align
well. Linux uses a lazy scheme for saving floating point registers; It
is not done upon entering the kernel since it's a very expensive
operation. Rather, it is done only when needed. If the kernel ends up
not using FP regs during the course of some trap or system call, then
it can return to user space without saving or restoring them.

The various memcpy functions begin their FP code with VISEntry (or a
variation thereof), which saves the FP regs. They conclude their FP
code with VISExit (or a variation) which essentially marks the FP regs
"clean", ie, they contain no unsaved values. fprs.FPRS_FEF is turned
off so that a lazy restore will be triggered when/if the user process
accesses floating point regs again.

The bug is that the user copy variants of memcpy, copy_from_user() and
copy_to_user(), employ an exception handling mechanism to detect faults
when accessing user space addresses, and when this handler is invoked,
an immediate return from the function is forced, and VISExit is not
executed, thus leaving the fprs register in an indeterminate state,
but often with fprs.FPRS_FEF set and one or more dirty bits. This
results in a return to user space with invalid values in the FP regs,
and since fprs.FPRS_FEF is on, no lazy restore occurs.

This bug affects copy_to_user() and copy_from_user() for NG4, NG2,
U3, and U1. All are fixed by using a new exception handler for those
loads and stores that are done during the time between VISEnter and
VISExit.

n.b. In NG4memcpy, the problematic code can be triggered by a copy
size greater than 128 bytes and an unaligned source address.  This bug
is known to be the cause of random user process memory corruptions
while perf is running with the callgraph option (ie, perf record -g).
This occurs because perf uses copy_from_user() to read user stacks,
and may fault when it follows a stack frame pointer off to an
invalid page. Validation checks on the stack address just obscure
the underlying problem.

Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-24 12:13:18 -05:00
..
.gitignore
apc.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
asm-offsets.c [PATCH] sparc32: vm_area_struct access for old Sun SPARCs. 2013-07-10 13:56:10 -07:00
audit.c sparc64: fix sparse warnings in compat_audit.c 2014-05-18 19:01:34 -07:00
auxio_32.c sparc32: fix sparse warning in auxio_32.c 2014-05-18 19:01:27 -07:00
auxio_64.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
btext.c sparc64: fix sparse warning in btext.c 2014-05-18 19:01:30 -07:00
central.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
cherrs.S
chmc.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
compat_audit.c sparc64: fix sparse warnings in compat_audit.c 2014-05-18 19:01:34 -07:00
cpu.c sparc64: correctly recognise M6 and M7 cpu type 2014-09-09 15:24:10 -07:00
cpumap.c sparc64: support M6 and M7 for building CPU distribution map 2014-09-09 15:24:10 -07:00
cpumap.h sparc: drop use of extern for prototypes in arch/sparc/* 2014-05-18 19:01:29 -07:00
devices.c sparc32: drop tadpole specific code 2014-05-18 19:01:29 -07:00
dma.c
ds.c sparc64: Move request_irq() from ldc_bind() to ldc_alloc() 2014-09-16 18:31:31 -07:00
dtlb_miss.S
dtlb_prot.S sparc64: Fix corrupted thread fault code. 2014-10-18 23:03:09 -04:00
ebus.c sparc: delete non-required instances of include <linux/init.h> 2014-01-28 23:38:23 -08:00
entry.h sparc: Resolve conflict between sparc v9 and M7 on usage of bit 9 of TTE 2015-05-31 22:15:01 -07:00
entry.S sparc32: Fix exit flag passed from traced sys_sigreturn 2013-07-31 19:10:04 -07:00
etrap_32.S
etrap_64.S sparc64: clear syscall_noerror on the entry to syscall, not on the exit 2012-10-14 19:26:52 -04:00
fpu_traps.S
ftrace.c ftrace: Do not pass data to ftrace_dyn_arch_init 2014-03-07 10:06:14 -05:00
getsetcc.S
head_32.S
head_64.S sparc64: fix FP corruption in user copy functions 2015-12-24 12:13:18 -05:00
helpers.S
hvapi.c sparc: perf: Add support M7 processor 2015-03-19 18:54:49 -07:00
hvcalls.S sparc: perf: Add support M7 processor 2015-03-19 18:54:49 -07:00
hvtramp.S sparc64: Fix register corruption in top-most kernel stack frame during boot. 2014-10-24 09:52:49 -07:00
idprom.c
iommu.c iommu-common: Fix error code used in iommu_tbl_range_{alloc,free}(). 2015-11-04 11:30:57 -08:00
iommu_common.h remove <asm/scatterlist.h> 2015-05-05 13:35:39 -06:00
ioport.c sparc32: dma_alloc_coherent must honour gfp flags 2014-09-10 14:03:28 -07:00
irq.h sparc: drop use of extern for prototypes in arch/sparc/* 2014-05-18 19:01:29 -07:00
irq_32.c sparc32: fix sparse warnings in irq_32.c 2014-04-29 01:12:25 -04:00
irq_64.c sparc/irq: Use access helper irq_data_get_affinity_mask() 2015-07-31 22:20:05 +02:00
itlb_miss.S
ivec.S
jump_label.c jump_label: Rename JUMP_LABEL_{EN,DIS}ABLE to JUMP_LABEL_{JMP,NOP} 2015-08-03 11:34:12 +02:00
kernel.h sparc64: fix sparse warning in kgdb_64.c 2014-05-18 19:01:34 -07:00
kgdb_32.c sparc: explicitly include sched.h to get task_thread_info declaration 2013-02-06 11:04:10 -08:00
kgdb_64.c sparc64: fix sparse warning in kgdb_64.c 2014-05-18 19:01:34 -07:00
kprobes.c sparc: Replace __get_cpu_var uses 2014-08-26 13:45:55 -04:00
kstack.h
ktlb.S sparc64: Adjust vmalloc region size based upon available virtual address bits. 2014-10-05 16:53:40 -07:00
ldc.c iommu-common: Fix error code used in iommu_tbl_range_{alloc,free}(). 2015-11-04 11:30:57 -08:00
led.c
leon_kernel.c genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
leon_pci.c PCI: Cleanup control flow 2015-03-19 10:17:22 -05:00
leon_pci_grpci1.c genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
leon_pci_grpci2.c genirq: Remove irq argument from irq flow handlers 2015-09-16 15:47:51 +02:00
leon_pmc.c sparc32: fix sparse warnings in leon_pmc.c 2014-04-29 01:12:27 -04:00
leon_smp.c sparc32, leon: Align ccall_info to prevent unaligned traps on crosscall 2014-12-11 18:51:56 -08:00
Makefile sparc32: drop tadpole specific code 2014-05-18 19:01:29 -07:00
mdesc.c sparc64: Setup sysfs to mark LDOM sockets, cores and threads correctly 2015-04-22 15:42:56 -04:00
misctrap.S
module.c mm: vmalloc: pass additional vm_flags to __vmalloc_node_range() 2015-02-13 21:21:42 -08:00
nmi.c sparc: Replace __get_cpu_var uses 2014-08-26 13:45:55 -04:00
of_device_32.c
of_device_64.c
of_device_common.c sparc: fix sparse warnings in of_device_common.c 2014-04-29 01:12:27 -04:00
of_device_common.h
pci.c sparc/PCI: Add mem64 resource parsing for root bus 2015-10-29 17:35:46 -05:00
pci_common.c sparc/PCI: Add mem64 resource parsing for root bus 2015-10-29 17:35:46 -05:00
pci_fire.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
pci_impl.h sparc/PCI: Add mem64 resource parsing for root bus 2015-10-29 17:35:46 -05:00
pci_msi.c PCI/MSI: Rename mask/unmask_msi_irq treewide 2014-11-23 13:01:45 +01:00
pci_psycho.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
pci_sabre.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
pci_schizo.c Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
pci_sun4v.c iommu-common: Fix error code used in iommu_tbl_range_{alloc,free}(). 2015-11-04 11:30:57 -08:00
pci_sun4v.h sparc: drop use of extern for prototypes in arch/sparc/* 2014-05-18 19:01:29 -07:00
pci_sun4v_asm.S
pcic.c PCI: Assign resources before drivers claim devices (pci_scan_bus()) 2015-03-12 15:04:01 -05:00
pcr.c sparc: perf: Add support M7 processor 2015-03-19 18:54:49 -07:00
perf_event.c sparc64: Perf should save/restore fault info 2015-12-24 12:12:46 -05:00
pmc.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
power.c sparc: kernel: drop owner assignment from platform_drivers 2014-10-20 16:20:15 +02:00
process_32.c sched, sparc32: Update scheduler comments in copy_thread() 2015-08-04 09:48:12 +02:00
process_64.c sparc: Touch NMI watchdog when walking cpus and calling printk 2015-03-19 18:54:50 -07:00
prom.h sparc: drop use of extern for prototypes in arch/sparc/* 2014-05-18 19:01:29 -07:00
prom_32.c
prom_64.c sparc64: fix sparse warning in prom_64.c 2014-05-18 19:01:31 -07:00
prom_common.c of: Fix locking vs. interrupts 2013-06-13 22:12:14 +01:00
prom_irqtrans.c
psycho_common.c
psycho_common.h sparc: drop use of extern for prototypes in arch/sparc/* 2014-05-18 19:01:29 -07:00
ptrace_32.c sparc32: fix sparse warning in ptrace_32.c 2014-04-29 01:12:26 -04:00
ptrace_64.c ARCH: AUDIT: audit_syscall_entry() should not require the arch 2014-09-23 16:21:26 -04:00
reboot.c
rtrap_32.S
rtrap_64.S sparc64: Don't set %pil in rtrap_nmi too early 2015-12-24 12:07:16 -05:00
sbus.c sparc: kernel/sbus.c: fix memory leakage 2013-01-21 14:33:00 -08:00
setup_32.c sparc32: fix sparse warnings in setup_32.c 2014-04-29 01:12:25 -04:00
setup_64.c sparc64: Add ADI capability to cpu capabilities 2015-12-24 12:05:06 -05:00
signal32.c all arches, signal: move restart_block to struct task_struct 2015-02-12 18:54:12 -08:00
signal_32.c all arches, signal: move restart_block to struct task_struct 2015-02-12 18:54:12 -08:00
signal_64.c all arches, signal: move restart_block to struct task_struct 2015-02-12 18:54:12 -08:00
sigutil.h
sigutil_32.c
sigutil_64.c
smp_32.c sparc: fix decimal printf format specifiers prefixed with 0x 2014-08-06 14:41:10 -07:00
smp_64.c sparc64: Setup sysfs to mark LDOM sockets, cores and threads correctly 2015-04-22 15:42:56 -04:00
sparc_ksyms_32.c sparc: delete non-required instances of include <linux/init.h> 2014-01-28 23:38:23 -08:00
sparc_ksyms_64.c sparc: delete non-required instances of include <linux/init.h> 2014-01-28 23:38:23 -08:00
spiterrs.S
sstate.c
stacktrace.c
starfire.c arch: sparc: kernel: starfire.c: Remove unused function 2015-03-01 21:33:58 -08:00
sun4d_irq.c sparc/irq: Use helper irq_data_get_irq_handler_data() 2015-07-31 22:20:05 +02:00
sun4d_smp.c sparc: Replace __get_cpu_var uses 2014-08-26 13:45:55 -04:00
sun4m_irq.c sparc/irq: Use helper irq_data_get_irq_handler_data() 2015-07-31 22:20:05 +02:00
sun4m_smp.c sparc/time: Migrate to new 'set-state' interface 2015-08-10 11:41:05 +02:00
sun4v_ivec.S
sun4v_tlb_miss.S sparc64: sun4v TLB error power off events 2014-09-16 17:46:44 -07:00
sys32.S sparc: Hook up renameat2 syscall. 2014-07-21 22:27:56 -07:00
sys_sparc32.c sparc64: fix sparse warnings in sys_sparc32.c 2014-05-18 19:01:31 -07:00
sys_sparc_32.c sparc32: fix sparse warnings in sys_sparc_32.c 2014-05-18 19:01:28 -07:00
sys_sparc_64.c sparc: semtimedop() unreachable due to comparison error 2015-03-03 14:05:48 -08:00
syscalls.S sparc: hook up execveat system call 2014-12-13 12:42:51 -08:00
sysfs.c sparc64: fix format string mismatch in arch/sparc/kernel/sysfs.c 2014-05-21 12:54:42 -07:00
systbls.h sparc64: fix sparse warnings in sys_sparc32.c 2014-05-18 19:01:31 -07:00
systbls_32.S sparc: Hook up userfaultfd system call 2015-12-23 15:41:13 -05:00
systbls_64.S sparc: Hook up userfaultfd system call 2015-12-23 15:41:13 -05:00
time_32.c sparc/time: Migrate to new 'set-state' interface 2015-08-10 11:41:05 +02:00
time_64.c sparc/time: Migrate to new 'set-state' interface 2015-08-10 11:41:05 +02:00
trampoline_32.S sparc: delete non-required instances of include <linux/init.h> 2014-01-28 23:38:23 -08:00
trampoline_64.S sparc64: Fix register corruption in top-most kernel stack frame during boot. 2014-10-24 09:52:49 -07:00
traps_32.c sparc: Remove signal translation and exec_domain 2015-04-12 21:03:21 +02:00
traps_64.c sparc: Remove signal translation and exec_domain 2015-04-12 21:03:21 +02:00
tsb.S sparc64: Fix corrupted thread fault code. 2014-10-18 23:03:09 -04:00
ttable_32.S
ttable_64.S
una_asm_32.S
una_asm_64.S
unaligned_32.c sparc: use %s for unaligned panic 2014-07-21 21:37:06 -07:00
unaligned_64.c sparc64: Don't restrict fp regs for no-fault loads 2015-11-04 15:00:49 -05:00
utrap.S
vio.c sparc64: Add vio_set_intr() to enable/disable Rx interrupts 2014-09-30 14:40:45 -07:00
viohs.c sparc: VIO protocol version 1.6 2014-09-30 14:17:08 -07:00
visemul.c sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
vmlinux.lds.S sparc: Resolve conflict between sparc v9 and M7 on usage of bit 9 of TTE 2015-05-31 22:15:01 -07:00
windows.c sparc32: fix sparse warnings in windows.c 2014-04-29 01:12:25 -04:00
winfixup.S sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
wof.S
wuf.S