linux-stable.git/arch/sh/kernel/entry-common.S, branch linux-4.3.y Linux kernel stable tree sh: push extra copy of r0-r2 for syscall parameters 2014-04-03T23:20:52+00:00 Bobby Bingham koorogi@koorogi.info 2014-04-03T21:46:39+00:00 abafe5d9b04648a2f699202e9ae2d15ffe44c3a3 When invoking syscall handlers on sh32, the saved userspace registers are at the top of the stack. This seems to have been intentional, as it is an easy way to pass r0, r1, ... to the handler as parameters 5, 6, ... It causes problems, however, because the compiler is allowed to generate code for a function which clobbers that function's own parameters. For example, gcc generates the following code for clone: <SyS_clone>: mov.l 8c020714 <SyS_clone+0xc>,r1 ! 8c020540 <do_fork> mov.l r7,@r15 mov r6,r7 jmp @r1 mov #0,r6 nop .word 0x0540 .word 0x8c02 The `mov.l r7,@r15` clobbers the saved value of r0 passed from userspace. For most system calls, this might not be a problem, because we'll be overwriting r0 with the return value anyway. But in the case of clone, copy_thread will need the original value of r0 if the CLONE_SETTLS flag was specified. The first patch in this series fixes this issue for system calls by pushing to the stack and extra copy of r0-r2 before invoking the handler. We discard this copy before restoring the userspace registers, so it is not a problem if they are clobbered. Exception handlers also receive the userspace register values in a similar manner, and may hit the same problem. The second patch removes the do_fpu_error handler, which looks susceptible to this problem and which, as far as I can tell, has not been used in some time. The third patch addresses other exception handlers. This patch (of 3): The userspace registers are stored at the top of the stack when the syscall handler is invoked, which allows r0-r2 to act as parameters 5-7. Parameters passed on the stack may be clobbered by the syscall handler. The solution is to push an extra copy of the registers which might be used as syscall parameters to the stack, so that the authoritative set of saved register values does not get clobbered. A few system call handlers are also updated to get the userspace registers using current_pt_regs() instead of from the stack. Signed-off-by: Bobby Bingham <koorogi@koorogi.info> Cc: Paul Mundt <paul.mundt@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
When invoking syscall handlers on sh32, the saved userspace registers
are at the top of the stack.  This seems to have been intentional, as it
is an easy way to pass r0, r1, ...  to the handler as parameters 5, 6,
...

It causes problems, however, because the compiler is allowed to generate
code for a function which clobbers that function's own parameters.  For
example, gcc generates the following code for clone:

    <SyS_clone>:
        mov.l   8c020714 <SyS_clone+0xc>,r1  ! 8c020540 <do_fork>
        mov.l   r7,@r15
        mov     r6,r7
        jmp     @r1
        mov     #0,r6
        nop
        .word 0x0540
        .word 0x8c02

The `mov.l r7,@r15` clobbers the saved value of r0 passed from
userspace.  For most system calls, this might not be a problem, because
we'll be overwriting r0 with the return value anyway.  But in the case
of clone, copy_thread will need the original value of r0 if the
CLONE_SETTLS flag was specified.

The first patch in this series fixes this issue for system calls by
pushing to the stack and extra copy of r0-r2 before invoking the
handler.  We discard this copy before restoring the userspace registers,
so it is not a problem if they are clobbered.

Exception handlers also receive the userspace register values in a
similar manner, and may hit the same problem.  The second patch removes
the do_fpu_error handler, which looks susceptible to this problem and
which, as far as I can tell, has not been used in some time.  The third
patch addresses other exception handlers.

This patch (of 3):

The userspace registers are stored at the top of the stack when the
syscall handler is invoked, which allows r0-r2 to act as parameters 5-7.
Parameters passed on the stack may be clobbered by the syscall handler.
The solution is to push an extra copy of the registers which might be
used as syscall parameters to the stack, so that the authoritative set
of saved register values does not get clobbered.

A few system call handlers are also updated to get the userspace
registers using current_pt_regs() instead of from the stack.

Signed-off-by: Bobby Bingham <koorogi@koorogi.info>
Cc: Paul Mundt <paul.mundt@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
preempt: Make PREEMPT_ACTIVE generic 2013-11-13T19:21:47+00:00 Thomas Gleixner tglx@linutronix.de 2013-09-17T18:53:09+00:00 00d1a39e69d5afa7523dad515a05b21abd17c389 No point in having this bit defined by architecture. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/r/20130917183629.090698799@linutronix.de 
No point in having this bit defined by architecture.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20130917183629.090698799@linutronix.de
sh: switch to generic kernel_thread()/kernel_execve() 2012-10-23T02:31:01+00:00 Al Viro viro@zeniv.linux.org.uk 2012-10-14T05:41:42+00:00 7147e215480323bb2617fcebf585c447188ff760 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
sh: Fix up TIF_NOTIFY_RESUME sans TIF_SIGPENDING handling. 2012-09-18T08:04:37+00:00 Al Viro viro@zeniv.linux.org.uk 2012-09-18T08:04:37+00:00 5e071e2b4b82599f07cce5e1d2d272feb462950c As Al notes, we missed a TIF_NOTIFY_RESUME check which caused any handlers without TIF_SIGPENDING also set to skip the notification: Looks like while it is in the relevant masks *and* checked in do_notify_resume() both on 32bit and 64bit variants since commit ab99c733ae73cce31f2a2434f7099564e5a73d95 ("sh: Make syscall tracer use tracehook notifiers, add TIF_NOTIFY_RESUME.") they are actually *not* reached without simulataneous SIGPENDING, since the actual glue in the callers had not been updated back then and still checks for _TIF_SIGPENDING alone when deciding whether to hit do_notify_resume() or not. Reported-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
As Al notes, we missed a TIF_NOTIFY_RESUME check which caused any
handlers without TIF_SIGPENDING also set to skip the notification:

	Looks like while it is in the relevant masks *and* checked in
	do_notify_resume() both on 32bit and 64bit variants since commit
	ab99c733ae73cce31f2a2434f7099564e5a73d95 ("sh: Make syscall tracer
	use tracehook notifiers, add TIF_NOTIFY_RESUME.") they are
	actually *not* reached without simulataneous SIGPENDING, since
	the actual glue in the callers had not been updated back then and
	still checks for _TIF_SIGPENDING alone when deciding whether to
	hit do_notify_resume() or not.

Reported-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: Ensure IRQs are enabled across do_notify_resume(). 2012-01-10T07:30:37+00:00 Paul Mundt lethal@linux-sh.org 2012-01-10T07:30:37+00:00 6330c04bb455e10eb6cc6d2552a593af54c6dd96 do_notify_resume() can trigger the freezer via the try_to_freeze() path (both explicitly through a redundant call in do_signal() or via get_signal_to_deliver()). That IRQs were disabled across this callsite became apparent with the might_sleep() introduction in try_to_freeze() by Tejun in a0acae0e886d44bd5ce6d2f173c1ace0fcf0d9f6, resulting in: BUG: sleeping function called from invalid context at include/linux/freezer.h:45 in_atomic(): 0, irqs_disabled(): 1, pid: 819, name: ntpd no locks held by ntpd/819. Stack: (0x9c81be80 to 0x9c81c000) ... Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
do_notify_resume() can trigger the freezer via the try_to_freeze() path
(both explicitly through a redundant call in do_signal() or via
get_signal_to_deliver()). That IRQs were disabled across this callsite
became apparent with the might_sleep() introduction in try_to_freeze() by
Tejun in a0acae0e886d44bd5ce6d2f173c1ace0fcf0d9f6, resulting in:

	BUG: sleeping function called from invalid context at include/linux/freezer.h:45
	in_atomic(): 0, irqs_disabled(): 1, pid: 819, name: ntpd
	no locks held by ntpd/819.
	Stack: (0x9c81be80 to 0x9c81c000)
	...

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: Correct the offset of the return address in ret_from_exception 2010-02-08T01:46:46+00:00 Matt Fleming matt@console-pimps.org 2010-01-27T20:05:20+00:00 142698282ceb6811ad3482c218b7292037cb67ff The address that ret_from_exception and ret_from_irq will return to is found in the stack slot for SPC, not PR. This error was causing the DWARF unwinder to pick up the wrong return address on the stack and then unwind using the unwind tables for the wrong function. While I'm here I might as well add CFI annotations for the other registers since they could be useful when unwinding. Signed-off-by: Matt Fleming <matt@console-pimps.org> Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
The address that ret_from_exception and ret_from_irq will return to is
found in the stack slot for SPC, not PR. This error was causing the
DWARF unwinder to pick up the wrong return address on the stack and then
unwind using the unwind tables for the wrong function.

While I'm here I might as well add CFI annotations for the other
registers since they could be useful when unwinding.

Signed-off-by: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: TS_RESTORE_SIGMASK conversion. 2009-10-14T07:05:42+00:00 Paul Mundt lethal@linux-sh.org 2009-10-14T07:05:42+00:00 56bfc42f6cba3e831094c01a23fbbb17a20bbdf8 Replace TIF_RESTORE_SIGMASK with TS_RESTORE_SIGMASK and define our own set_restore_sigmask() function. This saves the costly SMP-safe set_bit operation, which we do not need for the sigmask flag since TIF_SIGPENDING always has to be set too. Based on the x86 and powerpc change. Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
Replace TIF_RESTORE_SIGMASK with TS_RESTORE_SIGMASK and define our own
set_restore_sigmask() function.  This saves the costly SMP-safe set_bit
operation, which we do not need for the sigmask flag since TIF_SIGPENDING
always has to be set too.

Based on the x86 and powerpc change.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: Fix a TRACE_IRQS_OFF typo. 2009-10-14T06:50:28+00:00 Paul Mundt lethal@linux-sh.org 2009-10-14T06:50:28+00:00 457b646189e47f9d48588809da3e806ec363f219 The resume_userspace path had TRACE_IRQS_OFF written incorrectly and so never handled the transition properly. This was fixed once before but seems to have made it back in the tree. Fix it for good. Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
The resume_userspace path had TRACE_IRQS_OFF written incorrectly and so
never handled the transition properly. This was fixed once before but
seems to have made it back in the tree. Fix it for good.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: Remove implicit sign extension from assembler immediates 2009-08-24T08:09:53+00:00 Stuart Menefy stuart.menefy@st.com 2009-08-24T08:09:53+00:00 fea966f7564205fcf5919af9bde031e753419c96 The SH instruction set has several instructions which accept an 8 bit immediate operand. For logical instructions this operand is zero extended, for arithmetic instructions the operand is sign extended. After adding an option to the assembler to check this, it was found that several pieces of assembly code were assuming this behaviour, and in one case getting it wrong. So this patch explicitly sign extends any immediate operands, which makes it obvious what is happening, and fixes the one case which got it wrong. Signed-off-by: Stuart Menefy <stuart.menefy@st.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
The SH instruction set has several instructions which accept an 8 bit
immediate operand. For logical instructions this operand is zero extended,
for arithmetic instructions the operand is sign extended. After adding an
option to the assembler to check this, it was found that several pieces
of assembly code were assuming this behaviour, and in one case
getting it wrong.

So this patch explicitly sign extends any immediate operands, which makes
it obvious what is happening, and fixes the one case which got it wrong.

Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
sh: Add a few missing irqflags tracing markers. 2009-08-18T02:35:09+00:00 Matt Fleming matt@console-pimps.org 2009-08-18T02:35:09+00:00 f3a8308864f920d2babe76921733d76ec4a11fb8 save_regs contains an SR modification without an irqflags annotation, which resulted in a missing TRACE_IRQS_OFF in the interrupt exception path on SH-3/SH4. I've also moved the TRACE_IRQS_OFF/ON annotation when returning from the interrupt to just before we call __restore_all. This seems like the most logical place to put this because the annotation is for when we restore the SR register so we should delay the annotation until as last as possible. We were also missing a TRACE_IRQS_OFF in resume_kernel when CONFIG_PREEMPT is enabled. The end result is that this fixes up the lockdep engine debugging support with CONFIG_PREEMPT enabled on all SH-3/4 parts. Signed-off-by: Matt Fleming <matt@console-pimps.org> Signed-off-by: Paul Mundt <lethal@linux-sh.org> 
save_regs contains an SR modification without an irqflags annotation,
which resulted in a missing TRACE_IRQS_OFF in the interrupt exception
path on SH-3/SH4.

I've also moved the TRACE_IRQS_OFF/ON annotation when returning from the
interrupt to just before we call __restore_all. This seems like the most
logical place to put this because the annotation is for when we restore
the SR register so we should delay the annotation until as last as
possible.

We were also missing a TRACE_IRQS_OFF in resume_kernel when
CONFIG_PREEMPT is enabled.

The end result is that this fixes up the lockdep engine debugging support
with CONFIG_PREEMPT enabled on all SH-3/4 parts.

Signed-off-by: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>