From: Pavel Machek <pavel@denx.de>
To: Thomas Garnier <thgarnie@google.com>
Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>,
linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org,
keescook@chromium.org, kernel-hardening@lists.openwall.com,
jikos@kernel.org, bpetkov@suse.de, yinghai@kernel.org
Subject: [kernel-hardening] Re: [PATCH v1] x86/power/64: Restore processor state before using per-cpu variables
Date: Fri, 12 Aug 2016 08:29:19 +0200
Message-ID: <20160812062919.GC30992@amd>
In-Reply-To: <1470952169-39061-1-git-send-email-thgarnie@google.com>
Hi!
> Restore the processor state before calling any other function to ensure
> per-cpu variables can be used with KASLR memory randomization.
>
> Tracing functions use per-cpu variables (gs based) and one was called
> just before restoring the processor state fully. It resulted in a double
> fault when both the tracing & the exception handler functions tried to
> use a per-cpu variable.
>
> Signed-off-by: Thomas Garnier <thgarnie@google.com>
> ---
> Based on next-20160808
>
> Thanks to Rafael, Jiri & Borislav in tracking down this bug.
> ---
> kernel/power/hibernate.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> index a881c6a..33c79b6 100644
> --- a/kernel/power/hibernate.c
> +++ b/kernel/power/hibernate.c
> @@ -300,12 +300,12 @@ static int create_image(int platform_mode)
> save_processor_state();
> trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true);
> error = swsusp_arch_suspend();
> + /* Restore control flow magically appears here */
> + restore_processor_state();
> trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false);
> if (error)
> printk(KERN_ERR "PM: Error %d creating hibernation image\n",
> error);
> - /* Restore control flow magically appears here */
> - restore_processor_state();
> if (!in_suspend)
> events_check_enabled = false;
>
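Review bot: The commit message carries no Fixes: tag naming the change that placed the trace_suspend_resume(..., false) call between swsusp_arch_suspend() and restore_processor_state(); since the symptom is a double fault on resume, adding one would let this fix follow the offending commit into any tree that carries it. On the hunk itself: with restore_processor_state() moved directly after `error = swsusp_arch_suspend();`, both the tracepoint and the `printk(KERN_ERR "PM: Error %d creating hibernation image\n", ...)` on the error path now run with the gs-based per-cpu base already restored, so the error path is covered as well as the tracing call named in the description; it would be worth saying so explicitly in the message.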
Ugh. Plus it also fixes a very confusing situation where the /* Restore
control flow magically appears here */ comment was 4 lines away from
where it _actually_ magically appeared. Good catch.
Acked-by: Pavel Machek <pavel@ucw.cz>
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html