lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 29 Aug 2020 16:37:32 +0200
From:   Hauke Mehrtens <>
To:     Sasha Levin <>
        Victor Kamensky <>,
        Bruce Ashfield <>,
        Paul Burton <>,, Ralf Baechle <>,
        James Hogan <>,
        Vincenzo Frascino <>,,
        Tony Ambardar <>
Subject: Re: [PATCH AUTOSEL 5.4 10/58] mips: vdso: fix 'jalr t9' crash in vdso

On 8/29/20 3:56 PM, Sasha Levin wrote:
> On Sat, Aug 29, 2020 at 03:08:01PM +0200, Hauke Mehrtens wrote:
>> On 3/5/20 6:13 PM, Sasha Levin wrote:
>>> From: Victor Kamensky <>
>>> [ Upstream commit d3f703c4359ff06619b2322b91f69710453e6b6d ]
>>> Observed that when kernel is built with Yocto mips64-poky-linux-gcc,
>>> and mips64-poky-linux-gnun32-gcc toolchain, resulting vdso contains
>>> 'jalr t9' instructions in its code and since in vdso case nobody
>>> sets GOT table code crashes when instruction reached. On other hand
>>> observed that when kernel is built mips-poky-linux-gcc toolchain, the
>>> same 'jalr t9' instruction are replaced with PC relative function
>>> calls using 'bal' instructions.
>>> The difference boils down to -mrelax-pic-calls and -mexplicit-relocs
>>> gcc options that gets different default values depending on gcc
>>> target triplets and corresponding binutils. -mrelax-pic-calls got
>>> enabled by default only in mips-poky-linux-gcc case. MIPS binutils
>>> ld relies on R_MIPS_JALR relocation to convert 'jalr t9' into 'bal'
>>> and such relocation is generated only if -mrelax-pic-calls option
>>> is on.
>>> Please note 'jalr t9' conversion to 'bal' can happen only to static
>>> functions. These static PIC calls use mips local GOT entries that
>>> are supposed to be filled with start of DSO value by run-time linker
>>> (missing in VDSO case) and they do not have dynamic relocations.
>>> Global mips GOT entries must have dynamic relocations and they should
>>> be prevented by cmd_vdso_check Makefile rule.
>>> Solution call out -mrelax-pic-calls and -mexplicit-relocs options
>>> explicitly while compiling MIPS vdso code. That would get correct
>>> and consistent between different toolchains behaviour.
>>> Reported-by: Bruce Ashfield <>
>>> Signed-off-by: Victor Kamensky <>
>>> Signed-off-by: Paul Burton <>
>>> Cc:
>>> Cc: Ralf Baechle <>
>>> Cc: James Hogan <>
>>> Cc: Vincenzo Frascino <>
>>> Cc:
>>> Signed-off-by: Sasha Levin <>
>>> ---
>>>  arch/mips/vdso/Makefile | 1 +
>>>  1 file changed, 1 insertion(+)
>> Hi Sasha,
>> Why was this not added to the 5.4 stable branch?
>> Some OpenWrt users ran into this problem with kernel 5.4 on MIPS64 [0].
>> We backported this patch on our own in OpenWrt [1], but it should be
>> added to the sable branch in my opinion as it fixes a real problem.
>> @Sasha: Can you add it to the 5.4 stable branch or should I send some
>> special email?
> It failed building on 5.4. If you'd like it included, please send me a
> tested backport for 5.4.

I successfully compiled a kernel 5.4.61 with this patch on top with GCC
8.4 for MIPS 64 big and little Endian.

What was broken in your compile test?

Someone complained that it does not compile with LLVM any more, there is
this additional fix to solve that problem:
OpenWrt does not support LLVM, so we did not see this problem.

Could you please backport these two commits to kernel 5.4:

We haven't seen this problem with kernel 4.19 or older, but I am not
sure if this was luck.


Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists