This is a note to let you know that I've just added the patch titled
sparc64: Fix race in signal instruction flushing.
to the 2.6.32-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
sparc64-fix-race-in-signal-instruction-flushing.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From e0832e5ad62316d6b64b73c69dd13abdf76e0ffa Mon Sep 17 00:00:00 2001
From: David S. Miller <[email protected]>
Date: Mon, 20 Sep 2010 23:24:52 -0700
Subject: sparc64: Fix race in signal instruction flushing.
From: David S. Miller <[email protected]>
[ Upstream commit 05c5e7698bdc54b3079a3517d86077f49ebcc788 ]
If another cpu does a very wide munmap() on the signal frame area,
it can tear down the page table hierarchy from underneath us.
Borrow an idea from the 64-bit fault path's get_user_insn(), and
disable cross call interrupts during the page table traversal
to lock them in place while we operate.
Reported-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/sparc/kernel/signal32.c | 102 +++++++++++++++++++++++++------------------
1 file changed, 60 insertions(+), 42 deletions(-)
--- a/arch/sparc/kernel/signal32.c
+++ b/arch/sparc/kernel/signal32.c
@@ -453,6 +453,64 @@ static int save_fpu_state32(struct pt_re
return err;
}
+/* The I-cache flush instruction only works in the primary ASI, which
+ * right now is the nucleus, aka. kernel space.
+ *
+ * Therefore we have to kick the instructions out using the kernel
+ * side linear mapping of the physical address backing the user
+ * instructions.
+ */
+static void flush_signal_insns(unsigned long address)
+{
+ unsigned long pstate, paddr;
+ pte_t *ptep, pte;
+ pgd_t *pgdp;
+ pud_t *pudp;
+ pmd_t *pmdp;
+
+ /* Commit all stores of the instructions we are about to flush. */
+ wmb();
+
+ /* Disable cross-call reception. In this way even a very wide
+ * munmap() on another cpu can't tear down the page table
+ * hierarchy from underneath us, since that can't complete
+ * until the IPI tlb flush returns.
+ */
+
+ __asm__ __volatile__("rdpr %%pstate, %0" : "=r" (pstate));
+ __asm__ __volatile__("wrpr %0, %1, %%pstate"
+ : : "r" (pstate), "i" (PSTATE_IE));
+
+ pgdp = pgd_offset(current->mm, address);
+ if (pgd_none(*pgdp))
+ goto out_irqs_on;
+ pudp = pud_offset(pgdp, address);
+ if (pud_none(*pudp))
+ goto out_irqs_on;
+ pmdp = pmd_offset(pudp, address);
+ if (pmd_none(*pmdp))
+ goto out_irqs_on;
+
+ ptep = pte_offset_map(pmdp, address);
+ pte = *ptep;
+ if (!pte_present(pte))
+ goto out_unmap;
+
+ paddr = (unsigned long) page_address(pte_page(pte));
+
+ __asm__ __volatile__("flush %0 + %1"
+ : /* no outputs */
+ : "r" (paddr),
+ "r" (address & (PAGE_SIZE - 1))
+ : "memory");
+
+out_unmap:
+ pte_unmap(ptep);
+out_irqs_on:
+ __asm__ __volatile__("wrpr %0, 0x0, %%pstate" : : "r" (pstate));
+
+}
+
static void setup_frame32(struct k_sigaction *ka, struct pt_regs *regs,
int signo, sigset_t *oldset)
{
@@ -547,13 +605,7 @@ static void setup_frame32(struct k_sigac
if (ka->ka_restorer) {
regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer;
} else {
- /* Flush instruction space. */
unsigned long address = ((unsigned long)&(sf->insns[0]));
- pgd_t *pgdp = pgd_offset(current->mm, address);
- pud_t *pudp = pud_offset(pgdp, address);
- pmd_t *pmdp = pmd_offset(pudp, address);
- pte_t *ptep;
- pte_t pte;
regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2);
@@ -562,22 +614,7 @@ static void setup_frame32(struct k_sigac
if (err)
goto sigsegv;
- preempt_disable();
- ptep = pte_offset_map(pmdp, address);
- pte = *ptep;
- if (pte_present(pte)) {
- unsigned long page = (unsigned long)
- page_address(pte_page(pte));
-
- wmb();
- __asm__ __volatile__("flush %0 + %1"
- : /* no outputs */
- : "r" (page),
- "r" (address & (PAGE_SIZE - 1))
- : "memory");
- }
- pte_unmap(ptep);
- preempt_enable();
+ flush_signal_insns(address);
}
return;
@@ -687,12 +724,7 @@ static void setup_rt_frame32(struct k_si
if (ka->ka_restorer)
regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer;
else {
- /* Flush instruction space. */
unsigned long address = ((unsigned long)&(sf->insns[0]));
- pgd_t *pgdp = pgd_offset(current->mm, address);
- pud_t *pudp = pud_offset(pgdp, address);
- pmd_t *pmdp = pmd_offset(pudp, address);
- pte_t *ptep;
regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2);
@@ -704,21 +736,7 @@ static void setup_rt_frame32(struct k_si
if (err)
goto sigsegv;
- preempt_disable();
- ptep = pte_offset_map(pmdp, address);
- if (pte_present(*ptep)) {
- unsigned long page = (unsigned long)
- page_address(pte_page(*ptep));
-
- wmb();
- __asm__ __volatile__("flush %0 + %1"
- : /* no outputs */
- : "r" (page),
- "r" (address & (PAGE_SIZE - 1))
- : "memory");
- }
- pte_unmap(ptep);
- preempt_enable();
+ flush_signal_insns(address);
}
return;
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch
queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch
queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch
queue-2.6.32/jme-fix-phy-power-off-error.patch
queue-2.6.32/net-sched-fix-kernel-leak-in-act_police.patch
queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
queue-2.6.32/decnet-don-t-leak-uninitialized-stack-byte.patch
queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch
queue-2.6.32/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch
queue-2.6.32/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch
queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch
queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
