From 3e972394f9ee1511e5fdbcf50ac7d79e9cf563bd Mon Sep 17 00:00:00 2001 From: Josef 'Jeff' Sipek Date: Thu, 21 Aug 2008 19:46:31 +0200 Subject: [S390] Fix uninitialized spinlock use Ever since commit 43ca5c3a1cefdaa09231d64485b8f676118bf1e0 ([S390] Convert monitor calls to function calls.), the kernel refused to IPL with spinlock debugging enabled. BUG: spinlock bad magic on CPU#0, swapper/0 lock: 00000000003a4668, .magic: 00000000, .owner: /-1, .owner_cpu: 0 CPU: 0 Not tainted 2.6.25 #1 Process swapper (pid: 0, task: 000000000034f958, ksp: 0000000000377d60) 0000000000377ab8 0000000000352628 0000000000377d60 0000000000377d60 0000000000016af4 00000000fffff7b5 0000000000377d60 0000000000000000 0000000000000000 0000000000377a18 0000000000000009 0000000000377a18 0000000000377a78 000000000023c920 0000000000016af4 0000000000377a18 0000000000000005 0000000000000000 0000000000377b58 0000000000377ab8 Call Trace: ([<0000000000016a60>] show_trace+0xdc/0x108) [<0000000000016b4e>] show_stack+0xc2/0xfc [<0000000000016c9a>] dump_stack+0xb2/0xc0 [<0000000000172dd4>] Signed-off-by: Josef 'Jeff' Sipek Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky --- arch/s390/kernel/process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'arch/s390/kernel') diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c index 9839767d0842..3e2c05cb6a87 100644 --- a/arch/s390/kernel/process.c +++ b/arch/s390/kernel/process.c @@ -75,7 +75,9 @@ unsigned long thread_saved_pc(struct task_struct *tsk) return sf->gprs[8]; } -DEFINE_PER_CPU(struct s390_idle_data, s390_idle); +DEFINE_PER_CPU(struct s390_idle_data, s390_idle) = { + .lock = __SPIN_LOCK_UNLOCKED(s390_idle.lock) +}; static int s390_idle_enter(void) { -- cgit v1.2.3 From 8853e505a15f31fe608cb50e038ba2f794eed923 Mon Sep 17 00:00:00 2001 From: Heiko Carstens Date: Thu, 21 Aug 2008 19:46:32 +0200 Subject: [S390] Remove unneeded spinlock initialization. Remove the now unneeded s390_idle.lock spinlock initialization after Josef Sipek did it the right way in arch/s390/kernel/process.c. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky --- arch/s390/kernel/smp.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'arch/s390/kernel') diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c index b795b3e24afd..00b9b4dec5eb 100644 --- a/arch/s390/kernel/smp.c +++ b/arch/s390/kernel/smp.c @@ -610,7 +610,6 @@ static void __init smp_create_idle(unsigned int cpu) if (IS_ERR(p)) panic("failed fork for CPU %u: %li", cpu, PTR_ERR(p)); current_set[cpu] = p; - spin_lock_init(&(&per_cpu(s390_idle, cpu))->lock); } static int __cpuinit smp_alloc_lowcore(int cpu) @@ -845,7 +844,6 @@ void __init smp_prepare_boot_cpu(void) current_set[0] = current; smp_cpu_state[0] = CPU_STATE_CONFIGURED; smp_cpu_polarization[0] = POLARIZATION_UNKNWN; - spin_lock_init(&(&__get_cpu_var(s390_idle))->lock); } void __init smp_cpus_done(unsigned int max_cpus) -- cgit v1.2.3 From 5453c1a575df6232f84fad1502b2d559909265cc Mon Sep 17 00:00:00 2001 From: Heiko Carstens Date: Mon, 25 Aug 2008 18:13:26 +0200 Subject: [S390] Fix linker script. 6360b1fbb4a939efd34fc770c2ebd927c55506e0 ("move BUG_TABLE into RODATA") causes this build bug (binutils 2.18.50.0.8.20080709, gcc 4.3.1): AS .tmp_kallsyms1.o LD .tmp_vmlinux2 KSYM .tmp_kallsyms2.S s390x-4.3.1-nm: .tmp_vmlinux2: File truncated No valid symbol. make: *** [.tmp_kallsyms2.S] Error 1 So fix this. Cc: Jan Beulich Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky --- arch/s390/kernel/vmlinux.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'arch/s390/kernel') diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S index 76c1e60c92f3..607bd67a18ce 100644 --- a/arch/s390/kernel/vmlinux.lds.S +++ b/arch/s390/kernel/vmlinux.lds.S @@ -55,7 +55,7 @@ SECTIONS __start___ex_table = .; *(__ex_table) __stop___ex_table = .; - } + } :data .data : { /* Data */ DATA_DATA -- cgit v1.2.3 From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001 From: Jarod Wilson Date: Tue, 9 Sep 2008 12:38:56 +0200 Subject: [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode When running a 31-bit ptrace, on either an s390 or s390x kernel, reads and writes into a padding area in struct user_regs_struct32 will result in a kernel panic. This is also known as CVE-2008-1514. Test case available here: http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap Steps to reproduce: 1) wget the above 2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31 3) ./user-area-padding-31bit Test status ----------- Without patch, both s390 and s390x kernels panic. With patch, the test case, as well as the gdb testsuite, pass without incident, padding area reads returning zero, writes ignored. Nb: original version returned -EINVAL on write attempts, which broke the gdb test and made the test case slightly unhappy, Jan Kratochvil suggested the change to return 0 on write attempts. Signed-off-by: Jarod Wilson Tested-by: Jan Kratochvil Signed-off-by: Martin Schwidefsky --- arch/s390/kernel/compat_ptrace.h | 1 + arch/s390/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) (limited to 'arch/s390/kernel') diff --git a/arch/s390/kernel/compat_ptrace.h b/arch/s390/kernel/compat_ptrace.h index cde81fa64f89..a2be3a978d5c 100644 --- a/arch/s390/kernel/compat_ptrace.h +++ b/arch/s390/kernel/compat_ptrace.h @@ -42,6 +42,7 @@ struct user_regs_struct32 u32 gprs[NUM_GPRS]; u32 acrs[NUM_ACRS]; u32 orig_gpr2; + /* nb: there's a 4-byte hole here */ s390_fp_regs fp_regs; /* * These per registers are in here so that gdb can modify them diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 2815bfe348a6..c8b08289eb87 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c @@ -170,6 +170,13 @@ static unsigned long __peek_user(struct task_struct *child, addr_t addr) */ tmp = (addr_t) task_pt_regs(child)->orig_gpr2; + } else if (addr < (addr_t) &dummy->regs.fp_regs) { + /* + * prevent reads of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + tmp = 0; + } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure @@ -270,6 +277,13 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) */ task_pt_regs(child)->orig_gpr2 = data; + } else if (addr < (addr_t) &dummy->regs.fp_regs) { + /* + * prevent writes of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + return 0; + } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure @@ -428,6 +442,13 @@ static u32 __peek_user_compat(struct task_struct *child, addr_t addr) */ tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); + } else if (addr < (addr_t) &dummy32->regs.fp_regs) { + /* + * prevent reads of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + tmp = 0; + } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure @@ -514,6 +535,13 @@ static int __poke_user_compat(struct task_struct *child, */ *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; + } else if (addr < (addr_t) &dummy32->regs.fp_regs) { + /* + * prevent writess of padding hole between + * orig_gpr2 and fp_regs on s390. + */ + return 0; + } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { /* * floating point regs. are stored in the thread structure -- cgit v1.2.3