From: Heiko Carstens <hca@linux.ibm.com>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
linux-s390@vger.kernel.org,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
linux-kernel@vger.kernel.org,
Sumanth Korikkar <sumanthk@linux.ibm.com>
Subject: Re: [PATCH RFC] s390: Fix nospec table alignments
Date: Sun, 28 Aug 2022 18:51:02 +0200 [thread overview]
Message-ID: <Ywuc9hxvLIlY516G@osiris> (raw)
In-Reply-To: <20220827225937.b2mcmvxs7kbrtjda@treble>
On Sat, Aug 27, 2022 at 03:59:37PM -0700, Josh Poimboeuf wrote:
> > > While working on another s390 issue, I was getting intermittent boot
> > > failures in __nospec_revert() when it tried to access 'instr[0]'. I
> > > noticed the __nospec_call_start address ended in 'ff'. This patch
> > > seemed to fix it. I have no idea why it was (only sometimes) failing in
> > > the first place.
...
> > > + . = ALIGN(4);
> > > .nospec_call_table : {
> > > __nospec_call_start = . ;
> > > *(.s390_indirect*)
> >
...
> > Unfortunately I was unable to let any compiler generate code, that
> > would use the larl instruction. Instead the address of
> > nospec_call_table was loaded indirectly via the GOT, which again works
> > always, regardless if the table starts at an even or uneven address.
> >
> > This needs to be fixed anyway, and your patch certainly is correct.
> >
> > Could you maybe share your kernel config + compiler version, if you
> > are still able to reproduce this?
>
> I think the trick is to disable CONFIG_RELOCATABLE. When I compile with
> CONFIG_RELOCATABLE=n and "gcc version 11.3.1 20220421 (Red Hat 11.3.1-2)
> (GCC)", I get the following in nospec_init_branches():
>
> 2a8: c0 20 00 00 00 00 larl %r2,2a8 <nospec_init_branches+0x30> 2aa: R_390_PC32DBL __nospec_call_start+0x2
>
> That said, I still haven't been able to figure out how to recreate the
> program check in __nospec_revert(), even when the nospec_call_table
> starts at an odd offset.
Right, CONFIG_RELOCATABLE=n will do the trick.
I don't know why you cannot recreate it, however on my system it
crashes instantly when I make sure that __nospec_call_start starts at
an odd address.
Apparently 'instr = (u8 *) epo + *epo;' in __nospec_revert() may
result in a very large address, since without KASLR the kernel is
located at a low address, and it only takes one entry within the
incorrectly accessed nospec_call_table which results in a large
negative value for '*epo' and we end up with an overflow and a very
large address for 'instr'.
This will then result in the program check / addressing exception
you've seen when the kernel tried to access 'instr[0]'.
I'll apply your patch. Thanks a lot for debugging and reporting!
prev parent reply other threads:[~2022-08-28 16:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-26 23:55 [PATCH RFC] s390: Fix nospec table alignments Josh Poimboeuf
2022-08-27 18:23 ` Heiko Carstens
2022-08-27 22:59 ` Josh Poimboeuf
2022-08-28 16:51 ` Heiko Carstens [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ywuc9hxvLIlY516G@osiris \
--to=hca@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=jpoimboe@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sumanthk@linux.ibm.com \
--cc=svens@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.