From: Guenter Roeck <linux@roeck-us.net>
To: Borislav Petkov <bp@suse.de>, Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Cc: "linux-next@vger.kernel.org" <linux-next@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] x86/rwsem: Save and restore all callee-clobbered regs in 32-bit ____down_write()
Date: Thu, 12 May 2016 19:49:42 -0700 [thread overview]
Message-ID: <573540C6.20505@roeck-us.net> (raw)
In-Reply-To: <20160512172938.GB14245@pd.tnic>
On 05/12/2016 10:29 AM, Borislav Petkov wrote:
> Anyway, here's an actual patch with a commit message. Guenter, can you
> give it a run please?
>
> It does fix the issue here with your .config but I'd appreciate a
> confirmation.
>
> Thanks.
>
> ---
> From: Borislav Petkov <bp@suse.de>
>
> ____down_write() calls a function to handle the slow path when the lock
> is contended. But in order to be able to call a C function, one has to
> stash all callee-clobbered registers. The 32-bit path saves only %ecx
> for a reason unknown to me. However, after
>
> 71c01930b42e ("locking/rwsem, x86: Clean up ____down_write()")
>
> the useless dependency on edx was removed and this caused the following
> splat:
>
> BUG: unable to handle kernel NULL pointer dereference at 00000015
> IP: [<c185e094>] down_write+0x24/0x30
> *pde = 00000000
> Oops: 0002 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 0 PID: 1 Comm: swapper/0 Tainted: G S W 4.6.0-rc7-next-20160511-yocto-standard #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
> task: f4d00000 ti: f4d08000 task.ti: f4d08000
> EIP: 0060:[<c185e094>] EFLAGS: 00210282 CPU: 0
> EIP is at down_write+0x24/0x30
> EAX: f4d00000 EBX: f4f6d600 ECX: ffff0001 EDX: 00000001
> ESI: 00000168 EDI: c1c2eb68 EBP: f4d09ef4 ESP: f4d09eec
> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 80050033 CR2: 00000015 CR3: 01ccb000 CR4: 000406d0
>
> This happens because gcc decided to stash the pointer to @sem in edx (it
> is not used in the inline asm anymore, thus free):
>
> movl %eax, %edx # sem, sem
>
> lock; xadd %ecx,(%eax) # tmp91, sem
> test ...
>
> call call_rwsem_down_write_failed
>
> mov %eax,0x14(%edx)
>
> *before* the slow path happens and if we hit it on 32-bit, it can
> clobber edx and we're staring at garbage value at deref time.
>
> The simple fix is to save/restore edx too, around the slow path. We
> don't need to stash eax because it is used in the slow path as the @sem
> arg.
>
> Reported-by: Guenter Roeck <linux@roeck-us.net>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: x86@kernel.org
> Signed-off-by: Borislav Petkov <bp@suse.de>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Guenter
> ---
> arch/x86/lib/rwsem.S | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S
> index a37462a23546..02240807e97a 100644
> --- a/arch/x86/lib/rwsem.S
> +++ b/arch/x86/lib/rwsem.S
> @@ -33,10 +33,12 @@
> * value or just clobbered..
> */
>
> -#define save_common_regs \
> - pushl %ecx
> +#define save_common_regs \
> + pushl %ecx; \
> + pushl %edx
>
> -#define restore_common_regs \
> +#define restore_common_regs \
> + popl %edx; \
> popl %ecx
>
> /* Avoid uglifying the argument copying x86-64 needs to do. */
>
next prev parent reply other threads:[~2016-05-13 2:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-12 13:34 next: Crashes in x86 images due to 'locking/rwsem, x86: Clean up ____down_write()' Guenter Roeck
2016-05-12 13:51 ` Borislav Petkov
2016-05-12 14:46 ` Borislav Petkov
2016-05-12 17:29 ` [PATCH] x86/rwsem: Save and restore all callee-clobbered regs in 32-bit ____down_write() Borislav Petkov
2016-05-12 17:29 ` Borislav Petkov
2016-05-13 2:49 ` Guenter Roeck [this message]
2016-05-13 9:21 ` [tip:locking/rwsem] " tip-bot for Borislav Petkov
2016-05-13 17:03 ` [PATCH] " Linus Torvalds
2016-05-13 17:19 ` Borislav Petkov
2016-05-16 9:34 ` [PATCH] locking/rwsem: Fix comment on register clobbering Borislav Petkov
2016-05-16 10:39 ` [tip:locking/rwsem] " tip-bot for Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=573540C6.20505@roeck-us.net \
--to=linux@roeck-us.net \
--cc=bp@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.