ARM: Incorrect prefetch abort handling can cause a spin instead of SIGSEGV

Bug #567956 reported by Dave Martin
Affects                    Status   Importance   Assigned to   Milestone
Linux                      New      Undecided    Unassigned
linux-fsl-imx51 (Ubuntu)   New      Undecided    Unassigned

Bug Description

http://article.gmane.org/gmane.linux.kernel.commits.head/213639

" ARM: 5728/1: Proper prefetch abort handling on ARMv6 and ARMv7

    Currently, on ARMv6 and ARMv7, if an application tries to execute
    code (or garbage) on non-executable page it hangs. It caused by
    incorrect prefetch abort handling. Now every prefetch abort
    processes as a translation fault. "

I believe the patch was merged in 2.6.32, so it is _probably_ already applied in the dove tree (but it might be worth checking).
[update: This bug does *not* affect the dove tree— confirmed]

This patch doesn't appear critical; it just affects cases where processes are already crashing by trying to execute in invalid address space. I'm not aware of any real problems in lucid caused by this at present.

Test case:

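int main(void)
{
    /* Branch to 0xc0000000, the invalid address this report tests with.
       A correct kernel delivers SIGSEGV; an affected one leaves the process hung. */
    ((void (*)(void))0xc0000000)();
    return 0;
}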

Desired result is SIGSEGV.

Tags: armel
Dave Martin (dave-martin-arm) wrote :

From alkml:

Jamie Lokier [jamie at shareable.org] wrote:
[...]
The above patch addresses ARMv6/v7 with NX mappings - and probably only those > TASK_SIZE; NX mappings < TASK_SIZE should have been caught by the PROT_EXEC check already in fault.c.
If I'm right, the NX one is more serious if you can trip a kernel bug into doing this, because it'll result in an unkillable process, stuck in kernel mode and spinning. But only if you trip a kernel bug.

So it looks like it could be worth pulling this patch in, but SRU is probably good enough; this only becomes a problem if there is already a kernel bug somewhere involving a jump to a random address.
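
A regression harness for the test case in the bug description, added here as an example (it is not code from the report or from the kernel patch). It runs the faulting call in a child process and distinguishes the desired SIGSEGV from the hang; the names probe_call and spin_target and the timeout values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum probe_result { PROBE_SIGSEGV, PROBE_HANG, PROBE_OTHER };

/* Hypothetical helper: a target that never returns, to self-test the hang path. */
void spin_target(void) { for (;;) pause(); }

/* Call target() in a child process and classify how the child ends. */
enum probe_result probe_call(void (*target)(void), int timeout_ms)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_OTHER;
    if (pid == 0) {
        signal(SIGSEGV, SIG_DFL);   /* make sure the fault is fatal */
        target();
        _exit(0);                   /* target returned: not a fault */
    }
    for (int waited = 0; waited < timeout_ms; waited += 10) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
                       ? PROBE_SIGSEGV : PROBE_OTHER;
        if (r < 0)
            return PROBE_OTHER;
        struct timespec ts = { 0, 10 * 1000 * 1000 };   /* 10 ms poll */
        nanosleep(&ts, NULL);
    }
    /* Still running after the timeout: the spin the bug title describes.
     * Reap without blocking, since the child may not die promptly. */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, WNOHANG);
    return PROBE_HANG;
}

int main(void)
{
    /* Same address as the test case in the bug description. */
    enum probe_result r = probe_call((void (*)(void))0xc0000000UL, 2000);
    puts(r == PROBE_SIGSEGV ? "PASS: SIGSEGV" :
         r == PROBE_HANG ? "FAIL: child spun" : "FAIL: unexpected exit");
    return r == PROBE_SIGSEGV ? 0 : 1;
}
```

The exit status is 0 only when the child dies with SIGSEGV, so the program can be dropped into a kernel test run as a pass/fail check.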
