[S390] vdso: clock_gettime of CLOCK_THREAD_CPUTIME_ID with noexec=on (1277580f) · Commits · e / devices / android_kernel_sony_msm8994

The combination of noexec=on and a clock_gettime call with clock id CLOCK_THREAD_CPUTIME_ID is broken. The vdso code switches to the access register mode to get access to the per-cpu data structure to execute the magic ectg instruction. After the ectg instruction the code always switches back to the primary mode but for noexec=on the correct mode is the secondary mode. The effect of the bug is that the user space program looses the access to all mappings without PROT_EXEC, e.g. the stack. The problem is fixed by restoring the mode that has been active before the switch to the access register mode. Signed-off-by:

Martin Schwidefsky <schwidefsky@de.ibm.com>

arch/s390/kernel/vdso64/clock_gettime.S

+9 −2

Original line number	Original line	Diff line number	Diff line
	@@ -88,10 +88,17 @@ __kernel_clock_gettime:
	llilh %r4,0x0100		llilh %r4,0x0100
	sar %a4,%r4		sar %a4,%r4
	lghi %r4,0		lghi %r4,0
			epsw %r5,0
	sacf 512 /* Magic ectg instruction */		sacf 512 /* Magic ectg instruction */
	.insn ssf,0xc80100000000,__VDSO_ECTG_BASE(4),__VDSO_ECTG_USER(4),4		.insn ssf,0xc80100000000,__VDSO_ECTG_BASE(4),__VDSO_ECTG_USER(4),4
	sacf 0		tml %r5,0x4000
	sar %a4,%r2		jo 11f
			tml %r5,0x8000
			jno 10f
			sacf 256
			j 11f
			10: sacf 0
			11: sar %a4,%r2
	algr %r1,%r0 /* r1 = cputime as TOD value */		algr %r1,%r0 /* r1 = cputime as TOD value */
	mghi %r1,1000 /* convert to nanoseconds */		mghi %r1,1000 /* convert to nanoseconds */
	srlg %r1,%r1,12 /* r1 = cputime in nanosec */		srlg %r1,%r1,12 /* r1 = cputime in nanosec */