diff --git a/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch b/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch new file mode 100644 index 0000000..8f9534e --- /dev/null +++ b/patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch @@ -0,0 +1,85 @@ +From fd7276189450110ed835eb0a334e62d2f1c4e3be Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 26 Mar 2023 16:15:57 -0600 +Subject: [PATCH] powerpc: Don't try to copy PPR for task with NULL pt_regs + +References: bsc#1065729 +Patch-mainline: v6.3-rc5 +Git-commit: fd7276189450110ed835eb0a334e62d2f1c4e3be + +powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which +from my (arguably very short) checking is not commonly done for other +archs. This is fine, except when PF_IO_WORKER's have been created and +the task does something that causes a coredump to be generated. Then we +get this crash: + + Kernel attempted to read user page (160) - exploit attempt? (uid: 1000) + BUG: Kernel NULL pointer dereference on read at 0x00000160 + Faulting instruction address: 0xc0000000000c3a60 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries + Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod + CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88 + Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries + NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0 + REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+) + MSR: 800000000280b033 CR: 88082828 XER: 200400f8 + ... + NIP memcpy_power7+0x200/0x7d0 + LR ppr_get+0x64/0xb0 + Call Trace: + ppr_get+0x40/0xb0 (unreliable) + __regset_get+0x180/0x1f0 + regset_get_alloc+0x64/0x90 + elf_core_dump+0xb98/0x1b60 + do_coredump+0x1c34/0x24a0 + get_signal+0x71c/0x1410 + do_notify_resume+0x140/0x6f0 + interrupt_exit_user_prepare_main+0x29c/0x320 + interrupt_exit_user_prepare+0x6c/0xa0 + interrupt_return_srr_user+0x8/0x138 + +Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL +pt_regs. + +Check for a valid pt_regs in both ppc_get/ppr_set, and return an error +if not set. The actual error value doesn't seem to be important here, so +just pick -EINVAL. + +Fixes: fa439810cc1b ("powerpc/ptrace: Enable support for NT_PPPC_TAR, NT_PPC_PPR, NT_PPC_DSCR") +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Jens Axboe +[mpe: Trim oops in change log, add Fixes & Cc stable] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/d9f63344-fe7c-56ae-b420-4a1a04a2ae4c@kernel.dk +Acked-by: Michal Suchanek +--- + arch/powerpc/kernel/ptrace.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -290,6 +290,9 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) + { ++ if (!target->thread.regs) ++ return -EINVAL; ++ + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &target->thread.ppr, 0, sizeof(u64)); + } +@@ -297,6 +300,9 @@ static int ppr_set(struct task_struct *target, const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) + { ++ if (!target->thread.regs) ++ return -EINVAL; ++ + return user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &target->thread.ppr, 0, sizeof(u64)); + } +-- +2.40.0 + diff --git a/series.conf b/series.conf index 03c7f76..93332d0 100644 --- a/series.conf +++ b/series.conf @@ -63294,6 +63294,7 @@ patches.suse/usb-chipidea-core-fix-possible-concurrent-when-switc.patch patches.suse/s390-vfio-ap-fix-memory-leak-in-vfio_ap-device-drive.patch patches.suse/NFSv4-Fix-hangs-when-recovering-open-state-after-a-s.patch + patches.suse/powerpc-Don-t-try-to-copy-PPR-for-task-with-NULL-pt_.patch patches.suse/ring-buffer-Fix-race-while-reader-and-writer-are-on-the-same-page.patch patches.suse/ftrace-Mark-get_lock_parent_ip-__always_inline.patch patches.suse/scsi-qla2xxx-Fix-memory-leak-in-qla2x00_probe_one.patch