Re: [PATCH v1 1/1] m68k: Move signal frame following exception on 68020/030

From: Geert Uytterhoeven
Date: Mon May 22 2023 - 07:42:02 EST

Next message: Jesper Dangaard Brouer: "Re: [PATCH RESEND bpf-next 14/15] net, xdp: allow metadata > 32"
Previous message: Qi Zheng: "Re: [PATCH 08/31] mm/page_vma_mapped: pte_offset_map_nolock() not pte_lockptr()"
Next in thread: Michael Schmitz: "Re: [PATCH v1 1/1] m68k: Move signal frame following exception on 68020/030"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, May 6, 2023 at 11:36 AM Finn Thain <fthain@xxxxxxxxxxxxxx> wrote:
> On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause
> a stack page fault during instruction execution (i.e. not at an
> instruction boundary) and produce a format 0xB exception frame.
>
> In this situation, the value of USP will be unreliable. If a signal is to
> be delivered following the exception, this USP value is used to calculate
> the location for a signal frame. This can result in a corrupted user
> stack.
>
> The corruption was detected in dash (actually in glibc) where it showed
> up as an intermittent "stack smashing detected" message and crash
> following signal delivery for SIGCHLD.
>
> It was hard to reproduce that failure because delivery of the signal
> raced with the page fault and because the kernel places an unpredictable
> gap of up to 7 bytes between the USP and the signal frame.
>
> A format 0xB exception frame can be produced by a bus error or an address
> error. The 68030 Users Manual says that address errors occur immediately
> upon detection during instruction prefetch. The instruction pipeline
> allows prefetch to overlap with other instructions, which means an
> address error can arise during the execution of a different instruction.
> So it seems likely that this patch may help in the address error case also.
>
> Reported-and-tested-by: Stan Johnson <userm57@xxxxxxxxx>
> Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@xxxxxxxxxxxxxx/
> Cc: Michael Schmitz <schmitzmic@xxxxxxxxx>
> Cc: Andreas Schwab <schwab@xxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Co-developed-by: Michael Schmitz <schmitzmic@xxxxxxxxx>
> Signed-off-by: Michael Schmitz <schmitzmic@xxxxxxxxx>
> Signed-off-by: Finn Thain <fthain@xxxxxxxxxxxxxx>

Reviewed-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
i.e. will queue as a fix in the m68k for-v6.4 branch.

I plan to send this upstream later this week, so any additional
testing would be appreciated.

Thanks!

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds

Next message: Jesper Dangaard Brouer: "Re: [PATCH RESEND bpf-next 14/15] net, xdp: allow metadata > 32"
Previous message: Qi Zheng: "Re: [PATCH 08/31] mm/page_vma_mapped: pte_offset_map_nolock() not pte_lockptr()"
Next in thread: Michael Schmitz: "Re: [PATCH v1 1/1] m68k: Move signal frame following exception on 68020/030"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]