[PATCH] csky: Fix a4/a5 restoration in syscall trace path

Posted by hlsong 3 days, 10 hours ago
From: hlsong89 <pgeorge8929@gmail.com>

The syscall trace path reloads syscall arguments from pt_regs before
calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
arguments are prepared as stack arguments before invoking syscallid.

The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
those offsets are relative to the original pt_regs base, loading them
after changing sp fetches the wrong slots. As a result, traced syscalls
that use the 5th or 6th argument may receive corrupted arguments.

This is visible with mmap2(), which takes six arguments. A small
PTRACE_SYSCALL reproducer opens a file and maps one page with:

  mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)

Before the fix, the traced child fails the mmap and exits with 12.
After the fix, the mapping succeeds and the child exits with 0.

Fix the trace path by using the correct pt_regs offsets after adjusting sp.

Tested on: ck860f, linux-4.19.15, C-SKY abiv2

Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
---
 arch/csky/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
index c68cdcc76..98692fc78 100644
--- a/arch/csky/kernel/entry.S
+++ b/arch/csky/kernel/entry.S
@@ -94,9 +94,9 @@ csky_syscall_trace:
 	ldw	a3, (sp, LSAVE_A3)
 #if defined(__CSKYABIV2__)
 	subi	sp, 8
-	ldw	r9, (sp, LSAVE_A4)
+	ldw	r9, (sp, LSAVE_A4 + 8)
 	stw	r9, (sp, 0x0)
-	ldw	r9, (sp, LSAVE_A5)
+	ldw	r9, (sp, LSAVE_A5 + 8)
 	stw	r9, (sp, 0x4)
 	jsr	syscallid                     /* Do system call */
 	addi	sp, 8
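Review bot: the `+ 8` in `ldw r9, (sp, LSAVE_A4 + 8)` and `ldw r9, (sp, LSAVE_A5 + 8)` encodes the `subi sp, 8` two lines above as a bare constant, so the two have to be kept in step by hand and a reader has to work out for themselves that sp no longer points at the pt_regs base. Loading a4/a5 into scratch registers before `subi sp, 8` (r9 plus a second register, since r9 is reused between the two stores) keeps every LSAVE_* load relative to pt_regs and needs no compensation; if the compensated offsets are kept instead, they deserve a comment. The arithmetic itself is right: after `subi sp, 8` the base is sp + 8, so the old loads fetched the words 8 bytes below the a4/a5 slots, which is the corruption the commit message describes.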
-- 
2.25.1
Re: [PATCH] csky: Fix a4/a5 restoration in syscall trace path
Posted by Guo Ren 3 days, 10 hours ago
On Thu, May 21, 2026 at 6:00 PM hlsong <pgeorge8929@gmail.com> wrote:
>
> From: hlsong89 <pgeorge8929@gmail.com>
>
> The syscall trace path reloads syscall arguments from pt_regs before
> calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
> arguments are prepared as stack arguments before invoking syscallid.
>
> The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
> those offsets are relative to the original pt_regs base, loading them
> after changing sp fetches the wrong slots. As a result, traced syscalls
> that use the 5th or 6th argument may receive corrupted arguments.
>
> This is visible with mmap2(), which takes six arguments. A small
> PTRACE_SYSCALL reproducer opens a file and maps one page with:
>
>   mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)
>
> Before the fix, the traced child fails the mmap and exits with 12.
> After the fix, the mapping succeeds and the child exits with 0.
>
> Fix the trace path by using the correct pt_regs offsets after adjusting sp.
>
> Tested on: ck860f, linux-4.19.15, C-SKY abiv2
>
> Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
> ---
>  arch/csky/kernel/entry.S | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
> index c68cdcc76..98692fc78 100644
> --- a/arch/csky/kernel/entry.S
> +++ b/arch/csky/kernel/entry.S
> @@ -94,9 +94,9 @@ csky_syscall_trace:
>         ldw     a3, (sp, LSAVE_A3)
>  #if defined(__CSKYABIV2__)
>         subi    sp, 8
> -       ldw     r9, (sp, LSAVE_A4)
> +       ldw     r9, (sp, LSAVE_A4 + 8)
>         stw     r9, (sp, 0x0)
> -       ldw     r9, (sp, LSAVE_A5)
> +       ldw     r9, (sp, LSAVE_A5 + 8)
>         stw     r9, (sp, 0x4)
>         jsr     syscallid                     /* Do system call */
>         addi    sp, 8
> --
> 2.25.1
>

Thx for the fixup, but "LSAVE_A4 + 8" is really confusing to read. How about:

diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
index c68cdcc76d60..3261f46f2244 100644
--- a/arch/csky/kernel/entry.S
+++ b/arch/csky/kernel/entry.S
@@ -93,11 +93,11 @@ csky_syscall_trace:
        ldw     a2, (sp, LSAVE_A2)
        ldw     a3, (sp, LSAVE_A3)
 #if defined(__CSKYABIV2__)
-       subi    sp, 8
        ldw     r9, (sp, LSAVE_A4)
+       ldw     r10, (sp, LSAVE_A5)
+       subi    sp, 8
        stw     r9, (sp, 0x0)
-       ldw     r9, (sp, LSAVE_A5)
-       stw     r9, (sp, 0x4)
+       stw     r10, (sp, 0x4)
        jsr     syscallid                     /* Do system call */
        addi    sp, 8
 #else
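Review bot: with both `ldw`s moved above `subi sp, 8`, every LSAVE_* access stays relative to the pt_regs base and the constant 8 appears only once, which is the clearer of the two fixes; the one thing to confirm is that r10 is as free a scratch register at this point as r9 already is (nothing in the hunk touches r10 between `ldw r10, (sp, LSAVE_A5)` and `stw r10, (sp, 0x4)`, so the pairing is locally sound). If this version is taken, the commit message should describe the fix as loading a4/a5 before sp is moved rather than as correcting the offsets.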

-- 
Best Regards
 Guo Ren
[PATCH v2] csky: Fix a4/a5 restoration in syscall trace path
Posted by hlsong 3 days, 8 hours ago
From: hlsong89 <pgeorge8929@gmail.com>

The syscall trace path reloads syscall arguments from pt_regs before
calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
arguments are prepared as stack arguments before invoking syscallid.

The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
those offsets are relative to the original pt_regs base, loading them
after changing sp fetches the wrong slots. As a result, traced syscalls
that use the 5th or 6th argument may receive corrupted arguments.

This is visible with mmap2(), which takes six arguments. A small
PTRACE_SYSCALL reproducer opens a file and maps one page with:

  mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)

Before the fix, the traced child fails the mmap and exits with 12.
After the fix, the mapping succeeds and the child exits with 0.

Fix the trace path by loading a4/a5 from pt_regs before changing sp.

Tested on: ck860f, linux-4.19.15, C-SKY abiv2

Suggested-by: Guo Ren <guoren@kernel.org>
Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
---
Changes in v2:
- Use Guo Ren's suggested approach to handle the ABIv2 stack arguments.
- Tested with the ptrace+mmap reproducer.

 arch/csky/kernel/entry.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
index c68cdcc76..3261f46f2 100644
--- a/arch/csky/kernel/entry.S
+++ b/arch/csky/kernel/entry.S
@@ -93,11 +93,11 @@ csky_syscall_trace:
 	ldw	a2, (sp, LSAVE_A2)
 	ldw	a3, (sp, LSAVE_A3)
 #if defined(__CSKYABIV2__)
-	subi	sp, 8
 	ldw	r9, (sp, LSAVE_A4)
+	ldw	r10, (sp, LSAVE_A5)
+	subi	sp, 8
 	stw	r9, (sp, 0x0)
-	ldw	r9, (sp, LSAVE_A5)
-	stw	r9, (sp, 0x4)
+	stw	r10, (sp, 0x4)
 	jsr	syscallid                     /* Do system call */
 	addi	sp, 8
 #else
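Review bot: the hunk matches the suggested rewrite exactly, and r10 is written by `ldw r10, (sp, LSAVE_A5)` and read only by `stw r10, (sp, 0x4)` two instructions later, so the load/store pairing is sound; what the patch still lacks is a Fixes: tag naming the commit that placed `subi sp, 8` before the LSAVE_A4/A5 loads, plus a Cc: stable, since the message records the corruption on linux-4.19.15 and it affects every traced syscall that uses a 5th or 6th argument. The `Tested on: ... linux-4.19.15` line should also say whether the reordering was exercised on the `base-commit` tree the patch is against, not only on 4.19.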

base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
-- 
2.25.1
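As an added example (not the patch's or the kernel's code), a small C model of the stack-argument staging that the v1 and v2 messages above describe: it runs the original ordering, the v1 `+ 8` compensation and the applied v2 reordering over a constructed pt_regs frame and reports which saved words end up in the two slots syscallid reads. The LSAVE_* offsets, the model stack layout and the ldw/stw helpers are assumptions, not the real asm-offsets values.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the csky_syscall_trace stack-argument staging (not the
 * kernel's code); LSAVE_* are hypothetical byte offsets from the pt_regs base. */
#define WORD      4
#define LSAVE_A4  (4 * WORD)
#define LSAVE_A5  (5 * WORD)
#define REGS_BASE (8 * WORD)   /* byte address of the saved pt_regs in the model stack */

struct cpu { uint32_t mem[32]; uint32_t sp; };
/* (sp, off) addressing as written in entry.S; sp and off are byte values. */
static uint32_t ldw(const struct cpu *c, uint32_t off) { return c->mem[(c->sp + off) / WORD]; }
static void stw(struct cpu *c, uint32_t off, uint32_t v) { c->mem[(c->sp + off) / WORD] = v; }
/* Original ordering: sp moves first, so LSAVE_A4/A5 no longer address pt_regs. */
static void stage_before_fix(struct cpu *c)
{
    c->sp -= 8;                            /* subi sp, 8 */
    stw(c, 0x0, ldw(c, LSAVE_A4));         /* reads 8 bytes below the a4 slot */
    stw(c, 0x4, ldw(c, LSAVE_A5));
}
/* v1: keep the early sp move and compensate in the offsets. */
static void stage_v1(struct cpu *c)
{
    c->sp -= 8;
    stw(c, 0x0, ldw(c, LSAVE_A4 + 8));
    stw(c, 0x4, ldw(c, LSAVE_A5 + 8));
}
/* v2 (applied): read both values while sp still points at pt_regs. */
static void stage_v2(struct cpu *c)
{
    uint32_t r9 = ldw(c, LSAVE_A4), r10 = ldw(c, LSAVE_A5);
    c->sp -= 8;
    stw(c, 0x0, r9);
    stw(c, 0x4, r10);
}
/* Saves 0xa0..0xa5 as a0..a5, runs one variant, returns the two staged words. */
static void stage_and_read(void (*stage)(struct cpu *), uint32_t out[2])
{
    struct cpu c = { .sp = REGS_BASE };
    for (int i = 0; i < 6; i++) stw(&c, i * WORD, 0xa0 + i);
    stage(&c);
    out[0] = ldw(&c, 0x0);     /* what syscallid sees as the 5th argument */
    out[1] = ldw(&c, 0x4);     /* and the 6th */
}
int main(void)
{
    void (*v[3])(struct cpu *) = { stage_before_fix, stage_v1, stage_v2 };
    for (int i = 0; i < 3; i++) {
        uint32_t o[2];
        stage_and_read(v[i], o);
        printf("variant %d: arg5=0x%x arg6=0x%x\n", i, (unsigned)o[0], (unsigned)o[1]);
    }
    return 0;
}
```

In the original ordering the two slots receive whatever the kernel saved 8 bytes below a4/a5 in pt_regs, not the 5th and 6th arguments; both fixes stage 0xa4 and 0xa5.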
Re: [PATCH v2] csky: Fix a4/a5 restoration in syscall trace path
Posted by Guo Ren 3 days, 4 hours ago
On Thu, May 21, 2026 at 7:34 PM hlsong <pgeorge8929@gmail.com> wrote:
>
> From: hlsong89 <pgeorge8929@gmail.com>
>
> The syscall trace path reloads syscall arguments from pt_regs before
> calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
> arguments are prepared as stack arguments before invoking syscallid.
>
> The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
> those offsets are relative to the original pt_regs base, loading them
> after changing sp fetches the wrong slots. As a result, traced syscalls
> that use the 5th or 6th argument may receive corrupted arguments.
>
> This is visible with mmap2(), which takes six arguments. A small
> PTRACE_SYSCALL reproducer opens a file and maps one page with:
>
>   mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)
>
> Before the fix, the traced child fails the mmap and exits with 12.
> After the fix, the mapping succeeds and the child exits with 0.
>
> Fix the trace path by loading a4/a5 from pt_regs before changing sp.
>
> Tested on: ck860f, linux-4.19.15, C-SKY abiv2
>
> Suggested-by: Guo Ren <guoren@kernel.org>
> Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
> ---
> Changes in v2:
> - Use Guo Ren's suggested approach to handle the ABIv2 stack arguments.
> - Tested with the ptrace+mmap reproducer.
>
>  arch/csky/kernel/entry.S | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
> index c68cdcc76..3261f46f2 100644
> --- a/arch/csky/kernel/entry.S
> +++ b/arch/csky/kernel/entry.S
> @@ -93,11 +93,11 @@ csky_syscall_trace:
>         ldw     a2, (sp, LSAVE_A2)
>         ldw     a3, (sp, LSAVE_A3)
>  #if defined(__CSKYABIV2__)
> -       subi    sp, 8
>         ldw     r9, (sp, LSAVE_A4)
> +       ldw     r10, (sp, LSAVE_A5)
> +       subi    sp, 8
>         stw     r9, (sp, 0x0)
> -       ldw     r9, (sp, LSAVE_A5)
> -       stw     r9, (sp, 0x4)
> +       stw     r10, (sp, 0x4)
>         jsr     syscallid                     /* Do system call */
>         addi    sp, 8
>  #else
>
> base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
> --
> 2.25.1
>
Applied, thx.

-- 
Best Regards
 Guo Ren
Re: [PATCH v2] csky: Fix a4/a5 restoration in syscall trace path
Posted by Hanlin Song 3 days, 10 hours ago
Hi Guo,

Sorry for the noise. I noticed that the patch was submitted with my
short handle as the author / Signed-off-by name.

If it is still possible, could you please update it from:

hlsong <pgeorge8929@gmail.com>

to:

Hanlin Song <pgeorge8929@gmail.com>

Thanks,
Hanlin


Guo Ren <guoren@kernel.org> wrote on Thu, May 21, 2026 at 23:45:
>
> On Thu, May 21, 2026 at 7:34 PM hlsong <pgeorge8929@gmail.com> wrote:
> >
> > From: hlsong89 <pgeorge8929@gmail.com>
> >
> > The syscall trace path reloads syscall arguments from pt_regs before
> > calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
> > arguments are prepared as stack arguments before invoking syscallid.
> >
> > The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
> > those offsets are relative to the original pt_regs base, loading them
> > after changing sp fetches the wrong slots. As a result, traced syscalls
> > that use the 5th or 6th argument may receive corrupted arguments.
> >
> > This is visible with mmap2(), which takes six arguments. A small
> > PTRACE_SYSCALL reproducer opens a file and maps one page with:
> >
> >   mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)
> >
> > Before the fix, the traced child fails the mmap and exits with 12.
> > After the fix, the mapping succeeds and the child exits with 0.
> >
> > Fix the trace path by loading a4/a5 from pt_regs before changing sp.
> >
> > Tested on: ck860f, linux-4.19.15, C-SKY abiv2
> >
> > Suggested-by: Guo Ren <guoren@kernel.org>
> > Signed-off-by: hlsong89 <pgeorge8929@gmail.com>
> > ---
> > Changes in v2:
> > - Use Guo Ren's suggested approach to handle the ABIv2 stack arguments.
> > - Tested with the ptrace+mmap reproducer.
> >
> >  arch/csky/kernel/entry.S | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S
> > index c68cdcc76..3261f46f2 100644
> > --- a/arch/csky/kernel/entry.S
> > +++ b/arch/csky/kernel/entry.S
> > @@ -93,11 +93,11 @@ csky_syscall_trace:
> >         ldw     a2, (sp, LSAVE_A2)
> >         ldw     a3, (sp, LSAVE_A3)
> >  #if defined(__CSKYABIV2__)
> > -       subi    sp, 8
> >         ldw     r9, (sp, LSAVE_A4)
> > +       ldw     r10, (sp, LSAVE_A5)
> > +       subi    sp, 8
> >         stw     r9, (sp, 0x0)
> > -       ldw     r9, (sp, LSAVE_A5)
> > -       stw     r9, (sp, 0x4)
> > +       stw     r10, (sp, 0x4)
> >         jsr     syscallid                     /* Do system call */
> >         addi    sp, 8
> >  #else
> >
> > base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
> > --
> > 2.25.1
> >
> Applied, thx.
>
> --
> Best Regards
>  Guo Ren