From patchwork Thu May 18 16:11:34 2017
X-Patchwork-Submitter: "Russell King (Oracle)"
X-Patchwork-Id: 9734729
Date: Thu, 18 May 2017 17:11:34 +0100
From: Russell King - ARM Linux
To: David Mosberger
Cc: linux-arm-kernel@lists.infradead.org
Subject: Re: crash after receiving SIGCHLD during system call
Message-ID: <20170518161134.GO22219@n2100.armlinux.org.uk>
References: <20170517170940.GJ22219@n2100.armlinux.org.uk> <20170517230236.GK22219@n2100.armlinux.org.uk>

On Thu, May 18, 2017 at 09:28:00AM -0600, David Mosberger wrote:
> On Wed, May 17, 2017 at 11:34 PM, David Mosberger wrote:
>
> > I also confirmed that at the end of sys_rt_sigreturn(), the T bit in
> > regs->ARM_cpsr is NEVER set.
>
> Similarly, regs->ARM_lr does not have bit 0 set (except when it's
> obviously used as a scratch register, with values of 0x1 or 0x10d).

Yea, that'll possibly matter for when the function returns, rather than
the execution of the function itself.

> To me, it looks like bit 0 of a return address gets corrupted
> (possibly a register state corruption or an on-stack corruption).
> That would in turn cause the "bx lr" instruction to turn on Thumb mode
> and things go south from there.  It's interesting that only one bit
> gets corrupted since the address overall looks plausible.

The bit 0 value of the mcontext PC shouldn't matter, as we're restoring
the full system state including the PSR value, rather than performing a
normal function return.
The return sequence is:

        mov     r2, sp                          @ save current svc stack pointer
        ldr     r1, [r2, #\offset + S_PSR]      @ get calling cpsr
        ldr     lr, [r2, #\offset + S_PC]!      @ get pc
        msr     spsr_cxsf, r1                   @ save in spsr_svc
        ldmdb   r2, {r0 - lr}^                  @ get calling r0 - lr
        add     sp, sp, #\offset + PT_REGS_SIZE @ balance svc stack
        movs    pc, lr                          @ return & move spsr_svc into cpsr

The only possible issue there is that ARMv7 deprecates "movs pc, lr"
preferring "subs pc, lr, #0" instead.  May be worth seeing whether that
makes any difference:

arch/arm/kernel/entry-header.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S index 6391728c8f03..9ee5825b4507 100644 --- a/arch/arm/kernel/entry-header.S +++ b/arch/arm/kernel/entry-header.S @@ -312,7 +312,7 @@ mov r0, r0 @ ARMv5T and earlier require a nop @ after ldm {}^ add sp, sp, #\offset + PT_REGS_SIZE - movs pc, lr @ return & move spsr_svc into cpsr + subs pc, lr, #0 @ return & move spsr_svc into cpsr #elif defined(CONFIG_CPU_V7M) @ V7M restore. @ Note that we don't need to do clrex here as clearing the local @@ -339,7 +339,7 @@ ldmdb sp, {r0 - r12} @ get calling r0 - r12 .endif add sp, sp, #PT_REGS_SIZE - S_SP - movs pc, lr @ return & move spsr_svc into cpsr + subs pc, lr, #0 @ return & move spsr_svc into cpsr #endif /* !CONFIG_THUMB2_KERNEL */ .endm
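Review bot: in the hunk at @@ -312,7 +312,7 @@ the `- movs pc, lr` / `+ subs pc, lr, #0` swap is behaviour-neutral only because both are exception-return forms that copy SPSR into CPSR (the `@ return & move spsr_svc into cpsr` comment on the new line still holds), yet the patch carries no commit message or Signed-off-by saying so; if this experiment is later sent as a real fix, record that `subs pc, lr, #0` is the ARMv7-preferred encoding and that no functional change is intended. The `mov r0, r0` nop that ARMv5T and earlier need after `ldm {}^` is untouched context, so the banked-register hazard it guards is unaffected by the change.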
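Review bot: the hunk at @@ -339,7 +339,7 @@ applies the same substitution to the second return path, which restores only r0 - r12 with `ldmdb sp, {r0 - r12}` and, consistent with the sequence quoted above, relies on lr having already been loaded by `ldr lr, [r2, #\offset + S_PC]!`; both hunks end at `#endif /* !CONFIG_THUMB2_KERNEL */`, so the test proposed in the mail only exercises an ARM-mode kernel build, and the reporter should be asked to confirm CONFIG_THUMB2_KERNEL is off before reading anything into the result.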
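As an added diagnostic, not code from the thread or from the kernel tree: it checks from a SIGCHLD handler the two facts David inspected by hand, the CPSR T bit and bit 0 of the saved PC/LR, using the glibc ARM ucontext field names uc_mcontext.arm_pc/arm_lr/arm_cpsr (an assumption about the build environment); the mismatch check itself is portable, the probe only compiles on ARM Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PSR_T_BIT (1u << 5)   /* CPSR.T: set = Thumb state */
/* State a "bx" would select from bit 0 of an address, versus the state an
 * exception return (movs/subs pc reloading CPSR from SPSR) restores.
 * 0 = consistent, 1 = bit 0 set but CPSR says ARM, 2 = the reverse. */
int thumb_state_mismatch(uint32_t addr, uint32_t cpsr)
{
    int bx_thumb = (addr & 1u) != 0, psr_thumb = (cpsr & PSR_T_BIT) != 0;
    return bx_thumb == psr_thumb ? 0 : (bx_thumb ? 1 : 2);
}
#if defined(__arm__) && defined(__linux__)
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
/* Sees the parent's interrupted pc/lr/cpsr, i.e. the values that
 * sys_rt_sigreturn will later restore from this signal frame. */
static void on_sigchld(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uint32_t pc = uc->uc_mcontext.arm_pc, lr = uc->uc_mcontext.arm_lr;
    uint32_t cpsr = uc->uc_mcontext.arm_cpsr;
    char buf[96];
    int n = snprintf(buf, sizeof buf, "pc=%08x lr=%08x cpsr=%08x pc:%d lr:%d\n",
                     pc, lr, cpsr, thumb_state_mismatch(pc, cpsr),
                     thumb_state_mismatch(lr, cpsr));
    if (n > 0) (void)!write(2, buf, (size_t)n);  /* async-signal-safe */
    (void)sig; (void)si;
}
static int run_probe(void)
{
    struct sigaction sa;
    sigset_t block, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigchld;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGCHLD, &sa, NULL);
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old);   /* avoid lost-wakeup race */
    if (fork() == 0)
        _exit(0);                            /* child exit -> SIGCHLD */
    sigsuspend(&old);                        /* parent sleeps in a syscall */
    return wait(NULL) > 0 ? 0 : 1;
}
#else
static int run_probe(void) { return 0; }    /* the probe needs ARM Linux */
#endif
int main(void) { return run_probe(); }
```

A reported pc or lr mismatch of 1 while the handler runs would mean the kernel handed user space an odd address with T clear, which is the combination that a later `bx` would turn into a Thumb-mode fault.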