From: hlsong
To: Guo Ren
Cc: linux-csky@vger.kernel.org, linux-kernel@vger.kernel.org, hlsong89
Subject: [PATCH v2] csky: Fix a4/a5 restoration in syscall trace path
Date: Thu, 21 May 2026 19:33:56 +0800
Message-Id: <20260521113356.58513-1-pgeorge8929@gmail.com>

From: hlsong89

The syscall trace path reloads syscall arguments from pt_regs before
calling the syscall handler. On C-SKY ABIv2, the 5th and 6th syscall
arguments are prepared as stack arguments before invoking syscallid.

The current code adjusts sp before loading LSAVE_A4 and LSAVE_A5. Since
those offsets are relative to the original pt_regs base, loading them
after changing sp fetches the wrong slots. As a result, traced syscalls
that use the 5th or 6th argument may receive corrupted arguments.

This is visible with mmap2(), which takes six arguments. A small
PTRACE_SYSCALL reproducer opens a file and maps one page with:

  mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0)

Before the fix, the traced child fails the mmap and exits with 12. After
the fix, the mapping succeeds and the child exits with 0.

Fix the trace path by loading a4/a5 from pt_regs before changing sp.

Tested on: ck860f, linux-4.19.15, C-SKY abiv2

Suggested-by: Guo Ren
Signed-off-by: hlsong89 --- Changes in v2: - Use Guo Ren's suggested approach to handle the ABIv2 stack arguments. - Tested with the ptrace+mmap reproducer. arch/csky/kernel/entry.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/csky/kernel/entry.S b/arch/csky/kernel/entry.S index c68cdcc76..3261f46f2 100644 --- a/arch/csky/kernel/entry.S +++ b/arch/csky/kernel/entry.S @@ -93,11 +93,11 @@ csky_syscall_trace: ldw a2, (sp, LSAVE_A2) ldw a3, (sp, LSAVE_A3) #if defined(__CSKYABIV2__) - subi sp, 8 ldw r9, (sp, LSAVE_A4) + ldw r10, (sp, LSAVE_A5) + subi sp, 8 stw r9, (sp, 0x0) - ldw r9, (sp, LSAVE_A5) - stw r9, (sp, 0x4) + stw r10, (sp, 0x4) jsr syscallid /* Do system call */ addi sp, 8 #else base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8 --=20 2.25.1
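Review bot: the hunk introduces r10 as a second scratch register next to r9 in csky_syscall_trace, and neither the commit message nor a comment says why that is safe; r10 is written by the new `ldw r10, (sp, LSAVE_A5)` before the `jsr syscallid` and is neither saved nor restored in the visible lines, while the old code deliberately reused r9, so please add a sentence to the commit message (or a one-line comment above the `#if defined(__CSKYABIV2__)` block) stating that r10 holds nothing live at this point. The reordering itself reads correctly: LSAVE_A4 and LSAVE_A5 are both read relative to the unmodified pt_regs base, and only then is sp lowered by 8 to build the two stack slots. Since this corrects argument corruption seen by any ptrace-based tracer, a Fixes: tag for the commit that introduced the subi-before-ldw ordering and a Cc: stable would be appropriate; also, "Tested on: ck860f, linux-4.19.15" does not match the mainline base-commit the patch is generated against, so please state whether the mainline tree was tested as well.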
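The PTRACE_SYSCALL reproducer the commit message describes, written out here as an added example rather than the submitter's own program: the child is traced across every syscall boundary and issues the six-argument mmap, and the tracer returns the child's exit status, 0 when the mapping succeeded. The exit-with-errno convention and the choice of /proc/self/exe as the file to map are this example's assumptions (Linux only); the page reports an exit of 12 before the fix without giving the reproducer's source.

```c
/* Added regression check for the traced six-argument mmap (not from the
 * patch). Child exits 0 on success, errno on failure. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child body: become a tracee, open a file, map one page using all six
 * mmap arguments (fd and offset are the 5th and 6th), report via exit code. */
static void traced_child(const char *path)
{
    /* If ptrace is unavailable in this environment (assumption: sandboxes
     * may deny it) the child still runs untraced so the mapping is tested. */
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
        raise(SIGSTOP);            /* hand control to the tracer first */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        _exit(errno);
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    _exit(p == MAP_FAILED ? errno : 0);
}

/* Tracer: resume the child with PTRACE_SYSCALL at every stop so each of its
 * syscalls goes through the kernel's syscall trace path; return the child's
 * exit status (0 = mapping succeeded), 128+signal if killed, -1 on error. */
int run_traced_mmap(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        traced_child(path);
    int status;
    for (;;) {
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return 128 + WTERMSIG(status);
        /* Stopped at the initial SIGSTOP or a syscall entry/exit: resume
         * until the next syscall boundary (data 0 suppresses the signal). */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
    }
}
```

Run from a `main` that calls `run_traced_mmap("/proc/self/exe")`; an exit status of 0 means the traced mmap received its fd and offset intact, while a non-zero value is the child's errno.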