Message-ID: <69df7421d50bec1e85ba1e7649326c33ef7226b0.camel@physik.fu-berlin.de>
Date: Wed, 27 Aug 2025 08:37:38 +0200
From: John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>
To: Michael Karcher <kernel@...rcher.dialup.fu-berlin.de>, linux-kernel@...r.kernel.org
Cc: sparclinux@...r.kernel.org, Andreas Larsson <andreas@...sler.com>, Anthony Yznaga <anthony.yznaga@...cle.com>
Subject: Re: [PATCH 4/4] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara 4

Hello Michael,

On Tue, 2025-08-26 at 18:03 +0200, Michael Karcher wrote:
> Fixes: 957077048009 ("sparc64: Convert NG4copy_{from,to}_user to accurate exception reporting.")
> Signed-off-by: Michael Karcher <kernel@...rcher.dialup.fu-berlin.de>
> ---
>  arch/sparc/lib/NG4memcpy.S | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
> index 7ad58ebe0d00..df0ec1bd1948 100644
> --- a/arch/sparc/lib/NG4memcpy.S
> +++ b/arch/sparc/lib/NG4memcpy.S
> @@ -281,7 +281,7 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
>  	subcc		%o5, 0x20, %o5
>  	EX_ST(STORE(stx, %g1, %o0 + 0x00), memcpy_retl_o2_plus_o5_plus_32)
>  	EX_ST(STORE(stx, %g2, %o0 + 0x08), memcpy_retl_o2_plus_o5_plus_24)
> -	EX_ST(STORE(stx, GLOBAL_SPARE, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_24)
> +	EX_ST(STORE(stx, GLOBAL_SPARE, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_16)
>  	EX_ST(STORE(stx, %o4, %o0 + 0x18), memcpy_retl_o2_plus_o5_plus_8)
>  	bne,pt		%icc, 1b
>  	 add		%o0, 0x20, %o0
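Review bot: The new label is the correct one for the store at %o0 + 0x10: `subcc %o5, 0x20, %o5` has already run before the four stores, so a fault on that store leaves %o5 + 32 - 16 = %o5 + 16 bytes uncopied, which fits the +32/+24/+16/+8 progression of the neighbouring EX_ST lines; the old `memcpy_retl_o2_plus_o5_plus_24` duplicated the previous line's label and reported 8 bytes more as uncopied than actually were. Since the commit message is not in the quoted part, it would help if it said this explicitly (a copy-pasted label from the 0x08 store) so the Fixes: tag can be checked against it. Note also that the oops reported below faults in sha512_sparc64_transform via crypto_shash_finup rather than in the NG4 copy routine, so whether it is connected to this one-line change is worth confirming separately.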

I applied this patch to Debian's kernel from unstable and got the following backtrace during boot:

[   11.109771] Unable to handle kernel paging request at virtual address fff80000c0000000
[   11.109824] tsk->{mm,active_mm}->context = 0000000000000139
[   11.109842] tsk->{mm,active_mm}->pgd = fff800001bb6c000
[   11.109859]               \|/ ____ \|/
[   11.109859]               "@'/ .. \`@"
[   11.109859]               /_| \__/ |_\
[   11.109859]                  \__U_/
[   11.109885] cryptomgr_test(411): Oops [#1]
[   11.109908] CPU: 0 UID: 0 PID: 411 Comm: cryptomgr_test Not tainted 6.16.3+1-sparc64-smp #1 NONE  Debian 6.16.3-1+sparc64 
[   11.109939] TSTATE: 0000008811001601 TPC: 000000001026a048 TNPC: 000000001026a04c Y: 00001000    Not tainted
[   11.109963] TPC: <sha512_sparc64_transform+0x48/0x160 [sha512_sparc64]>
[   11.109990] g0: 0000000000000000 g1: 0000000000000000 g2: 0000000000000000 g3: 0000000000000000
[   11.110010] g4: fff800001bcd7080 g5: fff800059cef6000 g6: fff8000018e68000 g7: 000000001026a000
[   11.110031] o0: fff8000018ada7e8 o1: fff80000c0000000 o2: fffffffffeb1cc80 o3: 00000000f70e5800
[   11.110052] o4: 0000000068581400 o5: 0000000000000000 sp: fff8000018e6af41 ret_pc: 000000001026a5c8
[   11.110072] RPC: <sha512_sparc64_update+0x48/0x60 [sha512_sparc64]>
[   11.110093] l0: 000000000000000a l1: 0000000000000000 l2: 0000000000000000 l3: 0000000000000000
[   11.110113] l4: 0000000000000000 l5: ffffffffffffffff l6: 0000000000000000 l7: fff8000014263c00
[   11.110133] i0: 0000000000000000 i1: fff8000018e64000 i2: 0000000000000000 i3: 00000000ffc00b31
[   11.110152] i4: 0000000068581511 i5: 0000000064f98fa7 i6: fff8000018e6aff1 i7: 0000000000980a1c
[   11.110173] I7: <crypto_shash_finup+0x17c/0x220>
[   11.110205] Call Trace:
[   11.110218] [<0000000000980a1c>] crypto_shash_finup+0x17c/0x220
[   11.110240] [<0000000000989104>] test_shash_vec_cfg+0x2a4/0x580
[   11.110270] [<000000000098d688>] __alg_test_hash.isra.0+0x1a8/0x360
[   11.110291] [<000000000098d920>] alg_test_hash+0xe0/0x140
[   11.110312] [<000000000098bf9c>] alg_test+0x17c/0x7a0
[   11.110332] [<0000000000987b98>] cryptomgr_test+0x18/0x60
[   11.110352] [<00000000004ac704>] kthread+0x104/0x280
[   11.110382] [<00000000004060c8>] ret_from_fork+0x1c/0x2c
[   11.110410] [<0000000000000000>] 0x0
[   11.110427] Disabling lock debugging due to kernel taint
[   11.110442] Caller[0000000000980a1c]: crypto_shash_finup+0x17c/0x220
[   11.110464] Caller[0000000000989104]: test_shash_vec_cfg+0x2a4/0x580
[   11.110485] Caller[000000000098d688]: __alg_test_hash.isra.0+0x1a8/0x360
[   11.110506] Caller[000000000098d920]: alg_test_hash+0xe0/0x140
[   11.110526] Caller[000000000098bf9c]: alg_test+0x17c/0x7a0
[   11.110545] Caller[0000000000987b98]: cryptomgr_test+0x18/0x60
[   11.110565] Caller[00000000004ac704]: kthread+0x104/0x280
[   11.110585] Caller[00000000004060c8]: ret_from_fork+0x1c/0x2c
[   11.110606] Caller[0000000000000000]: 0x0
[   11.110622] Instruction DUMP:
[   11.110626]  d91a2030 
[   11.110640]  12600020 
[   11.110653]  dd1a2038 
[   11.110666] <e11a6000>
[   11.110678]  e51a6008 
[   11.110691]  e91a6010 
[   11.110704]  ed1a6018 
[   11.110716]  f11a6020 
[   11.110728]  f51a6028 
[   11.110741] 
[   11.144051] Unable to handle kernel paging request at virtual address fff80000c0000000
[   11.144098] tsk->{mm,active_mm}->context = 0000000000000144
[   11.144113] tsk->{mm,active_mm}->pgd = fff800001c2d0000
[   11.144127]               \|/ ____ \|/
[   11.144127]               "@'/ .. \`@"
[   11.144127]               /_| \__/ |_\
[   11.144127]                  \__U_/
[   11.144150] cryptomgr_test(412): Oops [#2]
[   11.144171] CPU: 1 UID: 0 PID: 412 Comm: cryptomgr_test Tainted: G      D             6.16.3+1-sparc64-smp #1 NONE  Debian 6.16.3-1+sparc64 
[   11.144202] Tainted: [D]=DIE
[   11.144215] TSTATE: 0000008811001601 TPC: 000000001026a048 TNPC: 000000001026a04c Y: 00001000    Tainted: G      D            
[   11.144237] TPC: <sha512_sparc64_transform+0x48/0x160 [sha512_sparc64]>
[   11.144260] g0: 0000000000000000 g1: 0000000000000000 g2: 0000000000000000 g3: 0000000000000000
[   11.144278] g4: fff800001494ec40 g5: fff800059cf16000 g6: fff800001bcb4000 g7: 000000001026a000
[   11.144296] o0: fff8000018fbd328 o1: fff80000c0000000 o2: fffffffffeac0280 o3: 000000005f1d3400
[   11.144314] o4: 000000002b3e6c00 o5: 0000000000000000 sp: fff800001bcb6f41 ret_pc: 000000001026a5c8
[   11.144333] RPC: <sha512_sparc64_update+0x48/0x60 [sha512_sparc64]>
[   11.144352] l0: 000000000000000a l1: 0000000000000000 l2: 0000000000000000 l3: 0000000000000000
[   11.144370] l4: 0000000000000000 l5: ffffffffffffffff l6: 0000000000000000 l7: 00000000007c4ee0
[   11.144388] i0: 0000000000000000 i1: fff8000016014000 i2: 0000000000000000 i3: 00000000ade682d1
[   11.144406] i4: 000000002b3e6c1f i5: 00000000fb41bd6b i6: fff800001bcb6ff1 i7: 0000000000980a1c
[   11.144424] I7: <crypto_shash_finup+0x17c/0x220>
[   11.144448] Call Trace:
[   11.144460] [<0000000000980a1c>] crypto_shash_finup+0x17c/0x220
[   11.144480] [<0000000000989104>] test_shash_vec_cfg+0x2a4/0x580
[   11.144504] [<000000000098d688>] __alg_test_hash.isra.0+0x1a8/0x360
[   11.144523] [<000000000098d920>] alg_test_hash+0xe0/0x140
[   11.144542] [<000000000098bf9c>] alg_test+0x17c/0x7a0
[   11.144560] [<0000000000987b98>] cryptomgr_test+0x18/0x60
[   11.144579] [<00000000004ac704>] kthread+0x104/0x280
[   11.144601] [<00000000004060c8>] ret_from_fork+0x1c/0x2c
[   11.144624] [<0000000000000000>] 0x0
[   11.144640] Caller[0000000000980a1c]: crypto_shash_finup+0x17c/0x220
[   11.144658] Caller[0000000000989104]: test_shash_vec_cfg+0x2a4/0x580
[   11.144677] Caller[000000000098d688]: __alg_test_hash.isra.0+0x1a8/0x360
[   11.144695] Caller[000000000098d920]: alg_test_hash+0xe0/0x140
[   11.144714] Caller[000000000098bf9c]: alg_test+0x17c/0x7a0
[   11.144731] Caller[0000000000987b98]: cryptomgr_test+0x18/0x60
[   11.144749] Caller[00000000004ac704]: kthread+0x104/0x280
[   11.144767] Caller[00000000004060c8]: ret_from_fork+0x1c/0x2c
[   11.144785] Caller[0000000000000000]: 0x0
[   11.144800] Instruction DUMP:
[   11.144804]  d91a2030 
[   11.144816]  12600020 
[   11.144828]  dd1a2038 
[   11.144839] <e11a6000>
[   11.144851]  e51a6008 
[   11.144862]  e91a6010 
[   11.144874]  ed1a6018 
[   11.144885]  f11a6020 
[   11.144896]  f51a6028 
[   11.144908]

However, I made the observation that the Debian kernel started to cause backtraces
even without the patch with newer kernels:

[    1.764073] ------------[ cut here ]------------
[    1.764113] WARNING: CPU: 23 PID: 194 at lib/kobject.c:734 kobject_put+0x64/0x240
[    1.764150] kobject: '(null)' ((____ptrval____)): is not initialized, yet kobject_put() is being called.
[    1.764169] Modules linked in:
[    1.764190] CPU: 23 UID: 0 PID: 194 Comm: kworker/u256:16 Not tainted 6.12.38+deb13-sparc64-smp #1  Debian 6.12.38-1
[    1.764203] Workqueue: async async_run_entry_fn
[    1.764218] Call Trace:
[    1.764221] [<0000000000f11864>] dump_stack+0x8/0x18
[    1.764234] [<000000000046e15c>] __warn+0xdc/0x140
[    1.764244] [<000000000046e2d8>] warn_slowpath_fmt+0x118/0x140
[    1.764251] [<0000000000ec8024>] kobject_put+0x64/0x240
[    1.764260] [<000000000072d98c>] sysfs_slab_release+0xc/0x20
[    1.764273] [<00000000006dc91c>] kmem_cache_destroy+0xdc/0x1a0
[    1.764286] [<00000000009593c4>] bioset_exit+0x144/0x1e0
[    1.764299] [<000000000097a8d4>] disk_release+0x54/0x120
[    1.764311] [<0000000000b94a0c>] device_release+0x2c/0xa0
[    1.764322] [<0000000000ec8088>] kobject_put+0xc8/0x240
[    1.764330] [<0000000000b94c74>] put_device+0x14/0x40
[    1.764337] [<000000000097ac58>] put_disk+0x18/0x40
[    1.764346] [<000000000140c2c8>] floppy_async_init+0xbec/0xd10
[    1.764357] [<00000000004a0cc8>] async_run_entry_fn+0x28/0x160
[    1.764364] [<000000000049091c>] process_one_work+0x15c/0x3c0
[    1.764375] [<0000000000490f24>] worker_thread+0x164/0x3e0
[    1.764384] ---[ end trace 0000000000000000 ]---
[    1.764546] ------------[ cut here ]------------
[    1.764557] WARNING: CPU: 23 PID: 194 at lib/refcount.c:28 refcount_warn_saturate+0x18c/0x1a0
[    1.764581] refcount_t: underflow; use-after-free.
[    1.764592] Modules linked in:
[    1.764608] CPU: 23 UID: 0 PID: 194 Comm: kworker/u256:16 Tainted: G        W          6.12.38+deb13-sparc64-smp #1  Debian 6.12.38-1
[    1.764618] Tainted: [W]=WARN
[    1.764621] Workqueue: async async_run_entry_fn
[    1.764629] Call Trace:
[    1.764631] [<0000000000f11864>] dump_stack+0x8/0x18
[    1.764639] [<000000000046e15c>] __warn+0xdc/0x140
[    1.764646] [<000000000046e2d8>] warn_slowpath_fmt+0x118/0x140
[    1.764652] [<00000000009d4d2c>] refcount_warn_saturate+0x18c/0x1a0
[    1.764659] [<0000000000ec8134>] kobject_put+0x174/0x240
[    1.764667] [<000000000072d98c>] sysfs_slab_release+0xc/0x20
[    1.764676] [<00000000006dc91c>] kmem_cache_destroy+0xdc/0x1a0
[    1.764684] [<00000000009593c4>] bioset_exit+0x144/0x1e0
[    1.764691] [<000000000097a8d4>] disk_release+0x54/0x120
[    1.764699] [<0000000000b94a0c>] device_release+0x2c/0xa0
[    1.764707] [<0000000000ec8088>] kobject_put+0xc8/0x240
[    1.764714] [<0000000000b94c74>] put_device+0x14/0x40
[    1.764721] [<000000000097ac58>] put_disk+0x18/0x40
[    1.764729] [<000000000140c2c8>] floppy_async_init+0xbec/0xd10
[    1.764737] [<00000000004a0cc8>] async_run_entry_fn+0x28/0x160
[    1.764744] [<000000000049091c>] process_one_work+0x15c/0x3c0
[    1.764752] ---[ end trace 0000000000000000 ]---

Upstream kernels don't show this problem. This is either related to the compiler version
being used or some Debian-specific patches or configuration options.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer
`. `'   Physicist
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
