| Message ID | 20130820160516.596a85a4@kryten (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Commit | 5c2e08231b68a3c8082716a7ed4e972dde406e4a |
| Headers | show |
On Tue, Aug 20, 2013 at 4:05 PM, Anton Blanchard <anton@samba.org> wrote: > > The VSX alignment handler needs to write out the existing VSX > state to memory before operating on it (flush_vsx_to_thread()). > If we take a VSX alignment exception in the kernel bad things > will happen. It looks like we could write the kernel state out > to the user process, or we could handle the kernel exception > using data from the user process (depending if MSR_VSX is set > or not). > > Worse still, if the code to read or write the VSX state causes an > alignment exception, we will recurse forever. I ended up with > hundreds of megabytes of kernel stack to look through as a result. > > Floating point and SPE code have similar issues but already include > a user check. Add the same check to emulate_vsx(). > Can you say what will happen when you apply this patch. ie It produces one oops rather than megabytes of crap making it easier to debug. Also, can you give a clue as to how you can hit this since it should never happen in the first place. I assume it's some LE corner case... Mikey > Signed-off-by: Anton Blanchard <anton@samba.org> > --- > > Index: b/arch/powerpc/kernel/align.c > =================================================================== > --- a/arch/powerpc/kernel/align.c > +++ b/arch/powerpc/kernel/align.c > @@ -651,6 +651,10 @@ static int emulate_vsx(unsigned char __u > int sw = 0; > int i, j; > > + /* userland only */ > + if (unlikely(!user_mode(regs))) > + return 0; > + > flush_vsx_to_thread(current); > > if (reg < 32) >
Index: b/arch/powerpc/kernel/align.c =================================================================== --- a/arch/powerpc/kernel/align.c +++ b/arch/powerpc/kernel/align.c @@ -651,6 +651,10 @@ static int emulate_vsx(unsigned char __u int sw = 0; int i, j; + /* userland only */ + if (unlikely(!user_mode(regs))) + return 0; + flush_vsx_to_thread(current); if (reg < 32)
The VSX alignment handler needs to write out the existing VSX state to memory before operating on it (flush_vsx_to_thread()). If we take a VSX alignment exception in the kernel bad things will happen. It looks like we could write the kernel state out to the user process, or we could handle the kernel exception using data from the user process (depending if MSR_VSX is set or not). Worse still, if the code to read or write the VSX state causes an alignment exception, we will recurse forever. I ended up with hundreds of megabytes of kernel stack to look through as a result. Floating point and SPE code have similar issues but already include a user check. Add the same check to emulate_vsx(). Signed-off-by: Anton Blanchard <anton@samba.org> ---