author Johannes Thumshirn <jthumshirn@suse.de> 2018-01-12 16:12:14 +0100
committer Johannes Thumshirn <jthumshirn@suse.de> 2018-01-12 16:12:17 +0100
commit add9b931414c646634f384ae71a6409ba639d000 (patch)
tree 3014a25036a8c7e710777f5528d14a74c662ca8a
parent a0468f30454621f6bd6c3b55f8ad4558d63761de (diff)
s390/disassembler: increase show_code buffer size (bnc#1072915,
LTC#161577).
-rw-r--r-- patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch | 108
-rw-r--r-- series.conf | 1
2 files changed, 109 insertions, 0 deletions
diff --git a/patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch b/patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch
new file mode 100644
index 0000000000..6c6e366557
--- /dev/null
+++ b/patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch
@@ -0,0 +1,108 @@
+From: Vasily Gorbik <gor@linux.vnet.ibm.com>
+Subject: s390/disassembler: increase show_code buffer size
+Patch-mainline: v4.15-rc1
+Git-commit: b192571d1ae375e0bbe0aa3ccfa1a3c3704454b9
+References: bnc#1072915, LTC#161577
+
+Description: disassembler: possible stack corruption during dump_stack
+Symptom: potential crash after the kernel stack trace
+Problem: Current buffer size of 64 is too small. objdump shows
+ that there are instructions which would require up to
+ 75 bytes buffer (with current formating).
+Solution: Increase the buffer size from 64 to 128 bytes,
+ replace some spaces with a tab.
+Reproduction: The issue has been noticed due to kasan report.
+ The core dump triggered via
+ 'echo c > /proc/sysrq-trigger' produces the kernel
+ stack trace log which overflows the buffer.
+
+Upstream-Description:
+
+ s390/disassembler: increase show_code buffer size
+
+ Current buffer size of 64 is too small. objdump shows that there are
+ instructions which would require up to 75 bytes buffer (with current
+ formating). 128 bytes "ought to be enough for anybody".
+
+ Also replaces 8 spaces with a single tab to reduce the memory footprint.
+
+ Fixes the following KASAN finding:
+
+ BUG: KASAN: stack-out-of-bounds in number+0x3fe/0x538
+ Write of size 1 at addr 000000005a4a75a0 by task bash/1282
+
+ CPU: 1 PID: 1282 Comm: bash Not tainted 4.14.0+ #215
+ Hardware name: IBM 2964 N96 702 (z/VM 6.4.0)
+ Call Trace:
+ ([<000000000011eeb6>] show_stack+0x56/0x88)
+ [<0000000000e1ce1a>] dump_stack+0x15a/0x1b0
+ [<00000000004e2994>] print_address_description+0xf4/0x288
+ [<00000000004e2cf2>] kasan_report+0x13a/0x230
+ [<0000000000e38ae6>] number+0x3fe/0x538
+ [<0000000000e3dfe4>] vsnprintf+0x194/0x948
+ [<0000000000e3ea42>] sprintf+0xa2/0xb8
+ [<00000000001198dc>] print_insn+0x374/0x500
+ [<0000000000119346>] show_code+0x4ee/0x538
+ [<000000000011f234>] show_registers+0x34c/0x388
+ [<000000000011f2ae>] show_regs+0x3e/0xa8
+ [<000000000011f502>] die+0x1ea/0x2e8
+ [<0000000000138f0e>] do_no_context+0x106/0x168
+ [<0000000000139a1a>] do_protection_exception+0x4da/0x7d0
+ [<0000000000e55914>] pgm_check_handler+0x16c/0x1c0
+ [<000000000090639e>] sysrq_handle_crash+0x46/0x58
+ ([<0000000000000007>] 0x7)
+ [<00000000009073fa>] __handle_sysrq+0x102/0x218
+ [<0000000000907c06>] write_sysrq_trigger+0xd6/0x100
+ [<000000000061d67a>] proc_reg_write+0xb2/0x128
+ [<0000000000520be6>] __vfs_write+0xee/0x368
+ [<0000000000521222>] vfs_write+0x21a/0x278
+ [<000000000052156a>] SyS_write+0xda/0x178
+ [<0000000000e555cc>] system_call+0xc4/0x270
+
+ The buggy address belongs to the page:
+ page:000003d1016929c0 count:0 mapcount:0 mapping: (null) index:0x0
+ flags: 0x0()
+ raw: 0000000000000000 0000000000000000 0000000000000000 ffffffff00000000
+ raw: 0000000000000100 0000000000000200 0000000000000000 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ 000000005a4a7480: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+ 000000005a4a7500: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
+ >000000005a4a7580: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
+ ^
+ 000000005a4a7600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8
+ 000000005a4a7680: f2 f2 f2 f2 f2 f2 f8 f8 f2 f2 f3 f3 f3 f3 00 00
+ ==================================================================
+
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Vasily Gorbik <gor@linux.vnet.ibm.com>
+ Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+
+Signed-off-by: Vasily Gorbik <gor@linux.vnet.ibm.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ arch/s390/kernel/dis.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -1953,7 +1953,7 @@ void show_code(struct pt_regs *regs)
+ {
+ char *mode = user_mode(regs) ? "User" : "Krnl";
+ unsigned char code[64];
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ mm_segment_t old_fs;
+ unsigned long addr;
+ int start, end, opsize, hops, i;
+@@ -2016,7 +2016,7 @@ void show_code(struct pt_regs *regs)
+ start += opsize;
+ pr_cont("%s", buffer);
+ ptr = buffer;
+- ptr += sprintf(ptr, "\n ");
++ ptr += sprintf(ptr, "\n\t ");
+ hops++;
+ }
+ pr_cont("\n");
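Review bot: the change from `- char buffer[64], *ptr;` to `+ char buffer[128], *ptr;` only enlarges the stack buffer while the writes into it stay unbounded: the second nested hunk keeps `ptr += sprintf(ptr, "\n\t ");`, and the KASAN trace in the description shows the out-of-bounds write coming from `sprintf` called by `print_insn` into this same buffer. Sizing from the observed 75-byte maximum (the description's "128 bytes ought to be enough for anybody") leaves no check if a future instruction format grows; bounding the formatting against the remaining buffer length (snprintf with `buffer + sizeof(buffer) - ptr`, or a compile-time assertion that the longest formatted instruction fits) would turn a regression into an error rather than another stack-out-of-bounds. Nit: "formating" in the Problem: and Upstream-Description lines should read "formatting".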
diff --git a/series.conf b/series.conf
index a22163570c..6910ed4e37 100644
--- a/series.conf
+++ b/series.conf
@@ -6292,6 +6292,7 @@
patches.fixes/dax-fix-general-protection-fault-in-dax_alloc_inode.patch
patches.drivers/nvmet_fc-fix-better-length-checking.patch
patches.suse/bio-ensure-__bio_clone_fast-copies-bi_partno.patch
+ patches.arch/s390-sles15-02-01-s390-disassembler-increase-show_code-buffer-size.patch
patches.drivers/nfp-fix-flower-offload-metadata-flag-usage.patch
patches.drivers/nfp-fix-vlan-receive-MAC-statistics-typo.patch
patches.drivers/nfp-inherit-the-max_mtu-from-the-PF-netdev.patch