			Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
per task) was merged in v3.11 and introduced assembly in the MIPS resume
functions to update the value of the current canary in
__stack_chk_guard. However it used PTR_L resulting in a load of the
canary value, instead of PTR_LA to construct its address. The value is
intended to be random but is then treated as an address in the
subsequent LONG_S (store).
This was observed to cause a fault and panic:
CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
Oops[#1]:
...
$24   : 139fea20 1e1f7cb6
...
Call Trace:
[<8000cc0c>] resume+0xac/0x118
[<8034f2a4>] __schedule+0x5f8/0x78c
[<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
[<80348eec>] rest_init+0x74/0x84
[<804dc990>] start_kernel+0x43c/0x454
Code: 3c18804b  8f184030  8cb901f8 <af190000> 00c0e021  8cb002f0 8cb102f4  8cb202f8  8cb302fc
This can also be forced by modifying
arch/mips/include/asm/stackprotector.h so that the default
__stack_chk_guard value is more likely to be a bad (or unaligned)
pointer.
Fix it to use PTR_LA instead, to load the address of the canary value,
which the LONG_S can then use to write into it.
Reported-by: bobjones (via #mipslinux on IRC)
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Gregory Fong <gregory.0xf0@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/6026/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
		
	
			
		
			
				
	
	
		
| /*
|  * This file is subject to the terms and conditions of the GNU General Public
|  * License.  See the file "COPYING" in the main directory of this archive
|  * for more details.
|  *
|  * Copyright (C) 1994, 1995, 1996, 1998, 1999, 2002, 2003 Ralf Baechle
|  * Copyright (C) 1996 David S. Miller (davem@davemloft.net)
|  * Copyright (C) 1994, 1995, 1996, by Andreas Busse
|  * Copyright (C) 1999 Silicon Graphics, Inc.
|  * Copyright (C) 2000 MIPS Technologies, Inc.
|  *    written by Carsten Langgaard, carstenl@mips.com
|  */
| #include <asm/asm.h>
| #include <asm/cachectl.h>
| #include <asm/fpregdef.h>
| #include <asm/mipsregs.h>
| #include <asm/asm-offsets.h>
| #include <asm/pgtable-bits.h>
| #include <asm/regdef.h>
| #include <asm/stackframe.h>
| #include <asm/thread_info.h>
| 
| #include <asm/asmmacro.h>
| 
/*
 * Offset to the current process status flags, the first 32 bytes of the
 * stack are not used.
 *
 * Applied to a task's thread_info pointer this reaches the saved user-mode
 * CP0 Status slot (PT_STATUS) of the pt_regs frame that sits at the top of
 * the task's kernel stack; resume uses it to clear CU1 there.
 */
#define ST_OFF (_THREAD_SIZE - 32 - PT_SIZE + PT_STATUS)

/*
 * FPU context is saved iff the process has used its FPU in the current
 * time slice as indicated by _TIF_USEDFPU.  In any case, the CU1 bit for user
 * space STATUS register should be 0, so that a process *always* starts its
 * userland with FPU disabled after each context switch.
 *
 * FPU will be enabled as soon as the process accesses FPU again, through
 * do_cpu() trap.
 */

/*
 * task_struct *resume(task_struct *prev, task_struct *next,
 *		       struct thread_info *next_ti, int usedfpu)
 *
 * Argument registers as used by the body below: a0 = prev, a1 = next,
 * a2 = next_ti, a3 = usedfpu.  Returns prev in v0.
 */
	.align	5
	LEAF(resume)
	/* Save prev's CP0 Status; it is merged back in when prev is resumed. */
	mfc0	t1, CP0_STATUS
	LONG_S	t1, THREAD_STATUS(a0)
	/* prev's callee-saved ("non-scratch") registers go into its thread struct. */
	cpu_save_nonscratch a0
	/* prev's return address: where it continues once it is switched back in. */
	LONG_S	ra, THREAD_REG31(a0)

	/*
	 * check if we need to save FPU registers
	 * (a3 == usedfpu: nothing to do if prev did not touch the FPU)
	 */

	beqz	a3, 1f

	PTR_L	t3, TASK_THREAD_INFO(a0)
	/*
	 * clear saved user stack CU1 bit
	 * (in prev's user-mode pt_regs, so prev re-enters userland with the
	 * FPU disabled and re-enables it lazily via the do_cpu() trap)
	 */
	LONG_L	t0, ST_OFF(t3)
	li	t1, ~ST0_CU1
	and	t0, t0, t1
	LONG_S	t0, ST_OFF(t3)

	fpu_save_double a0 t0 t1		# c0_status passed in t0
						# clobbers t1
1:

#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
	/*
	 * Switch the stack protector canary over to next's.  PTR_LA is
	 * required here: it yields the *address* of __stack_chk_guard.
	 * PTR_L would instead load the (random) canary value itself, and the
	 * LONG_S below would then use that value as its store address.
	 * !SMP only: __stack_chk_guard is presumably a single global.
	 */
	PTR_LA	t8, __stack_chk_guard
	LONG_L	t9, TASK_STACK_CANARY(a1)
	LONG_S	t9, 0(t8)
#endif

	/*
	 * The order of restoring the registers takes care of the race
	 * updating $28, $29 and kernelsp without disabling ints.
	 */
	/* $28 (gp) now points at next's thread_info */
	move	$28, a2
	/* next's callee-saved registers (presumably including $29/sp) */
	cpu_restore_nonscratch a1

	/* top of next's kernel stack (thread_info + _THREAD_SIZE - 32, cf. ST_OFF) */
	PTR_ADDU	t0, $28, _THREAD_SIZE - 32
	set_saved_sp	t0, t1, t2
#ifdef CONFIG_MIPS_MT_SMTC
	/* Read-modify-writes of Status must be atomic on a VPE */
	mfc0	t2, CP0_TCSTATUS
	ori	t1, t2, TCSTATUS_IXMT
	mtc0	t1, CP0_TCSTATUS
	/* t2 keeps the TC's original IXMT bit; it is put back below */
	andi	t2, t2, TCSTATUS_IXMT
	_ehb
	/* DMT saves the previous VPEControl in t0 ($8); TE is checked below */
	DMT	8				# dmt	t0
	move	t1,ra
	jal	mips_ihb
	move	ra,t1
#endif /* CONFIG_MIPS_MT_SMTC */
	mfc0	t1, CP0_STATUS		/* Do we really need this? */
	/*
	 * New Status = next's saved Status, except that IE (bit 0) and the
	 * IM mask (bits 8..15) are taken from the current Status, i.e. the
	 * interrupt state carries over across the switch.
	 */
	li	a3, 0xff01
	and	t1, a3
	LONG_L	a2, THREAD_STATUS(a1)
	nor	a3, $0, a3
	and	a2, a3
	or	a2, t1
	mtc0	a2, CP0_STATUS
#ifdef CONFIG_MIPS_MT_SMTC
	_ehb
	/* re-enable multithreading only if it was enabled (TE) before the DMT */
	andi	t0, t0, VPECONTROL_TE
	beqz	t0, 1f
	emt
1:
	/* restore the TC's original IXMT state saved in t2 */
	mfc0	t1, CP0_TCSTATUS
	xori	t1, t1, TCSTATUS_IXMT
	or	t1, t1, t2
	mtc0	t1, CP0_TCSTATUS
	_ehb
#endif /* CONFIG_MIPS_MT_SMTC */
	/* return value: prev */
	move	v0, a0
	jr	ra
	END(resume)
| 
| /*
|  * Save a thread's fp context.
|  */
/*
 * _save_fp(a0 = task_struct *): same FPU save as resume performs for prev,
 * callable on its own.  Clobbers t0 and t1.
 */
LEAF(_save_fp)
#ifdef CONFIG_64BIT
	/* fpu_save_double takes CP0 Status in t0 on 64-bit (presumably for FR) */
	mfc0	t0, CP0_STATUS
#endif
	fpu_save_double a0 t0 t1		# clobbers t1
	jr	ra
	END(_save_fp)
| 
| /*
|  * Restore a thread's fp context.
|  */
/*
 * _restore_fp(a0 = task_struct *): reload the FPU registers from the task's
 * saved context (the inverse of _save_fp).  Clobbers t0 and t1.
 */
LEAF(_restore_fp)
#ifdef CONFIG_64BIT
	/* fpu_restore_double takes CP0 Status in t0 on 64-bit (presumably for FR) */
	mfc0	t0, CP0_STATUS
#endif
	fpu_restore_double a0 t0 t1		# clobbers t1
	jr	ra
	END(_restore_fp)
| 
/*
 * Load the FPU with signalling NANS.  This bit pattern we're using has
 * the property that no matter whether considered as single or as double
 * precision represents signaling NANS.
 *
 * We initialize fcr31 to rounding to nearest, no exceptions.
 */

/* fcr31 value written by _init_fpu: all control bits clear (round to nearest, no exception enables) */
#define FPU_DEFAULT  0x00000000
| 
/*
 * _init_fpu: enable coprocessor 1 for the current context, set fcr31 to
 * FPU_DEFAULT and fill every FP register with the all-ones SNaN pattern.
 * Clobbers t0 and t1.
 */
LEAF(_init_fpu)
#ifdef CONFIG_MIPS_MT_SMTC
	/* Rather than manipulate per-VPE Status, set per-TC bit in TCStatus */
	mfc0	t0, CP0_TCSTATUS
	/* Bit position is the same for Status, TCStatus */
	li	t1, ST0_CU1
	or	t0, t1
	mtc0	t0, CP0_TCSTATUS
#else /* Normal MIPS CU1 enable */
	mfc0	t0, CP0_STATUS
	li	t1, ST0_CU1
	or	t0, t1
	mtc0	t0, CP0_STATUS
#endif /* CONFIG_MIPS_MT_SMTC */
	/* t0 still holds the value just written; the CONFIG_64BIT path reads its FR bit */
	enable_fpu_hazard

	/* round to nearest, no exceptions enabled */
	li	t1, FPU_DEFAULT
	ctc1	t1, fcr31

	li	t1, -1				# SNaN

#ifdef CONFIG_64BIT
	/*
	 * Move Status.FR (bit 26) into the sign bit.  FR=1 means 32 separate
	 * 64-bit registers, so the odd ones need initialising too; FR=0
	 * (16 register pairs) branches past them to the even-register stores.
	 */
	sll	t0, t0, 5
	bgez	t0, 1f				# 16 / 32 register mode?

	dmtc1	t1, $f1
	dmtc1	t1, $f3
	dmtc1	t1, $f5
	dmtc1	t1, $f7
	dmtc1	t1, $f9
	dmtc1	t1, $f11
	dmtc1	t1, $f13
	dmtc1	t1, $f15
	dmtc1	t1, $f17
	dmtc1	t1, $f19
	dmtc1	t1, $f21
	dmtc1	t1, $f23
	dmtc1	t1, $f25
	dmtc1	t1, $f27
	dmtc1	t1, $f29
	dmtc1	t1, $f31
1:
#endif

#ifdef CONFIG_CPU_MIPS32
	/* 32-bit FPU: 32-bit moves into all 32 registers */
	mtc1	t1, $f0
	mtc1	t1, $f1
	mtc1	t1, $f2
	mtc1	t1, $f3
	mtc1	t1, $f4
	mtc1	t1, $f5
	mtc1	t1, $f6
	mtc1	t1, $f7
	mtc1	t1, $f8
	mtc1	t1, $f9
	mtc1	t1, $f10
	mtc1	t1, $f11
	mtc1	t1, $f12
	mtc1	t1, $f13
	mtc1	t1, $f14
	mtc1	t1, $f15
	mtc1	t1, $f16
	mtc1	t1, $f17
	mtc1	t1, $f18
	mtc1	t1, $f19
	mtc1	t1, $f20
	mtc1	t1, $f21
	mtc1	t1, $f22
	mtc1	t1, $f23
	mtc1	t1, $f24
	mtc1	t1, $f25
	mtc1	t1, $f26
	mtc1	t1, $f27
	mtc1	t1, $f28
	mtc1	t1, $f29
	mtc1	t1, $f30
	mtc1	t1, $f31
#else
	/* dmtc1 (64-bit move) is MIPS III+; raise the assembler ISA level for it */
	.set	mips3
	/* 64-bit moves into the even registers (each covers a register pair in FR=0 mode) */
	dmtc1	t1, $f0
	dmtc1	t1, $f2
	dmtc1	t1, $f4
	dmtc1	t1, $f6
	dmtc1	t1, $f8
	dmtc1	t1, $f10
	dmtc1	t1, $f12
	dmtc1	t1, $f14
	dmtc1	t1, $f16
	dmtc1	t1, $f18
	dmtc1	t1, $f20
	dmtc1	t1, $f22
	dmtc1	t1, $f24
	dmtc1	t1, $f26
	dmtc1	t1, $f28
	dmtc1	t1, $f30
#endif
	jr	ra
	END(_init_fpu)