From: Ingo Molnar <mingo@elte.hu>
To: Justin Madru <jdm64@gawab.com>,
	Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Kernel Testers List <kernel-testers@vger.kernel.org>,
	"Justin P. Mattock" <justinmattock@gmail.com>
Subject: Re: [Bug #12505] 2.6.29-rc1 Firefox crashing on page load
Date: Tue, 20 Jan 2009 08:43:12 +0100
Message-ID: <20090120074312.GD16426@elte.hu>
In-Reply-To: <49756F3E.6050304@gawab.com>


(added Cc:s)

* Justin Madru <jdm64@gawab.com> wrote:

> Rafael J. Wysocki wrote:
>> This message has been generated automatically as a part of a report
>> of recent regressions.
>>
>> The following bug entry is on the current list of known regressions
>> from 2.6.28.  Please verify if it still should be listed and let me know
>> (either way).
>>
>>
>> Bug-Entry	: http://bugzilla.kernel.org/show_bug.cgi?id=12505
>> Subject		: 2.6.29-rc1 Firefox crashing on page load
>> Submitter	: Justin Madru <jdm64@gawab.com>
>> Date		: 2009-01-16 20:56 (4 days old)
>> References	: http://marc.info/?l=linux-kernel&m=123213941914274&w=4
>> Handled-By	: Justin P. Mattock <justinmattock@gmail.com>
>>
>>
>>
>>   
> Yes, still a regression so far, but I've bisected it and checked it with
> a revert of the bad commit.
> The revert does fix the bug, but we've yet to figure out why, or come up
> with a patch.
>
> commit 4217458dafaa57d8e26a46f5d05ab8c53cf64191
> Author: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> Date:   Fri Dec 5 17:17:09 2008 -0800
>
>   x86: signal: change type of parameter for sys_rt_sigreturn()
>
>   Impact: cleanup on 32-bit
>
>   Peter pointed this parameter can be changed.
>
>   Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
>   Signed-off-by: Ingo Molnar <mingo@elte.hu>
>
> :040000 040000 f5fba48247ff200092c38a54e334f495917229d5  
> b901159897e5d85e0dc2a0c9d904d9a73c1d58a2 M      arch
>
>   arch/x86/include/asm/syscalls.h
>   arch/x86/kernel/signal.c
>
> diff --git a/arch/x86/include/asm/syscalls.h  
> b/arch/x86/include/asm/syscalls.h
> index 87803da..3a5252c 100644 (file)
> --- a/arch/x86/include/asm/syscalls.h
> +++ b/arch/x86/include/asm/syscalls.h
> @@ -33,7 +33,7 @@ asmlinkage int sys_sigaction(int, const struct  
> old_sigaction __user *,
>                            struct old_sigaction __user *);
> asmlinkage int sys_sigaltstack(unsigned long);
> asmlinkage unsigned long sys_sigreturn(unsigned long);
> -asmlinkage int sys_rt_sigreturn(unsigned long);
> +asmlinkage int sys_rt_sigreturn(struct pt_regs);
>
> /* kernel/ioport.c */
> asmlinkage long sys_iopl(unsigned long);
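Review bot: the new prototype `asmlinkage int sys_rt_sigreturn(struct pt_regs);` declares the saved register frame as a by-value argument, i.e. as memory the callee is entitled to modify and reuse, while the neighbouring `sys_sigreturn(unsigned long)` keeps the scalar-parameter form whose address is cast to reach the caller's frame. The two declarations now describe the same stack layout under two different ownership contracts; if the by-value form is kept, the header should carry a comment stating that the struct is the caller's frame and must not be written to or reused, so that the constraint is visible to anyone reading the prototype.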
> diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
> index b1f4d34..b1cc6da 100644 (file)
> --- a/arch/x86/kernel/signal.c
> +++ b/arch/x86/kernel/signal.c
> @@ -642,11 +642,9 @@ badframe:
> }
>
> #ifdef CONFIG_X86_32
> -asmlinkage int sys_rt_sigreturn(unsigned long __unused)
> +asmlinkage int sys_rt_sigreturn(struct pt_regs regs)
> {
> -       struct pt_regs *regs = (struct pt_regs *)&__unused;
> -
> -       return do_rt_sigreturn(regs);
> +       return do_rt_sigreturn(&regs);
> }
> #else /* !CONFIG_X86_32 */
> asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
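Review bot: `return do_rt_sigreturn(&regs);` is a call in tail position on a by-value parameter, so nothing keeps `regs` live after the call and the compiler is free to reuse its stack slots or emit the call as a jump, whereas the removed code only cast `&__unused` to a pointer and never told GCC it owned a struct. Either keep the pointer-cast form, or store the result and pass it through `asmlinkage_protect(1, ret, regs)` before returning, as the follow-up patch in this thread does.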

hm, this looks like a compiler bug: GCC might assume above that the 'regs' 
parameter is the callee's (while in reality they are the caller's and we 
rely on GCC not clobbering them on the stack).

Justin, does it work if you apply the patch below instead of the revert?

Thanks,

	Ingo

-------------------->
From c401278356e4eae139e4c15695b6c1cdb63e7376 Mon Sep 17 00:00:00 2001
From: Ingo Molnar <mingo@elte.hu>
Date: Tue, 20 Jan 2009 08:38:47 +0100
Subject: [PATCH] x86: prevent tail call optimization in signal.c

Impact: fix firefox crash

Another victim of GCC believing that on-stack function arguments are
owned by the callee - while in reality for asmlinkage functions they
are very much owned by the caller. Stomping on them can corrupt the
user-space register state, causing weird crashes.

Reported-by: Justin Madru <jdm64@gawab.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 arch/x86/kernel/signal.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 89bb766..dee83af 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -634,7 +634,11 @@ badframe:
 #ifdef CONFIG_X86_32
 asmlinkage int sys_rt_sigreturn(struct pt_regs regs)
 {
-	return do_rt_sigreturn(&regs);
+	int ret = do_rt_sigreturn(&regs);
+
+	asmlinkage_protect(1, ret, regs);
+
+	return ret;
 }
 #else /* !CONFIG_X86_32 */
 asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
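Review bot: the barrier is added without a comment; a one-line note that `regs` is the caller's saved user-space register state and that `asmlinkage_protect()` both prevents the call from becoming a tail call and keeps the argument slots live would stop a later cleanup from reintroducing the plain `return do_rt_sigreturn(&regs);`. It is also worth confirming on a 32-bit build that the macro accepts `regs`, a whole `struct pt_regs`, as its argument, since the hunk passes the aggregate itself rather than a scalar; the 64-bit branch below takes `struct pt_regs *` and needs no equivalent change.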

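The mechanism described in the commit message above, modelled in user space as an added example: this is not the kernel's code, and the `struct regs_model` layout, the `PROTECT1` macro and the return-address check are constructed for the demonstration (`PROTECT1` copies only the shape of the `asmlinkage_protect(1, ret, regs)` call in the patch, not the kernel's definition). A wrapper that ends in `return callee(&regs);` is eligible for sibling-call optimization, so `callee` can run with the wrapper's frame already gone; routing the return value through an empty asm that also reads `regs` after the call forces a real call and keeps the argument live. Whether the unprotected wrapper actually becomes a jump depends on the compiler and optimization level; the protected one never does.

```c
/*
 * User-space model of the problem in the thread: a wrapper that just does
 * "return callee(&regs);" may be compiled as a sibling (tail) call, so the
 * callee runs after the wrapper's frame is torn down and the wrapper's
 * argument memory is no longer considered live.  An empty asm barrier that
 * rewrites the return value and "reads" regs after the call (the idea behind
 * asmlinkage_protect) forbids that.  Not kernel code: struct and macro are
 * constructed for this example.
 */
#include <stdbool.h>
#include <stdio.h>

struct regs_model {                 /* stand-in for struct pt_regs (constructed) */
    unsigned long ax, bx, sp, ip;
};

/*
 * Same shape as asmlinkage_protect(1, ret, arg), written here as an
 * assumption: ret must pass through the asm after the call, and arg is a
 * memory input, so the preceding call cannot become a jump and arg stays live.
 */
#define PROTECT1(ret, arg) \
    __asm__ __volatile__("" : "=r"(ret) : "0"(ret), "m"(arg))

static const void *wrapper_ret_site;   /* return address of the wrapper itself */
static const void *callee_ret_site;    /* return address seen inside the callee */

/* Records where it will return to; noinline keeps a real call frame. */
__attribute__((noinline)) static int callee(struct regs_model *r)
{
    callee_ret_site = __builtin_return_address(0);
    return (int)(r->ax + r->bx);
}

/* Mirrors "return do_rt_sigreturn(&regs);": eligible for tail-call optimization. */
__attribute__((noinline)) static int wrapper_unprotected(struct regs_model *r)
{
    wrapper_ret_site = __builtin_return_address(0);
    return callee(r);
}

/* Mirrors the patched form: compute ret, protect, then return. */
__attribute__((noinline)) static int wrapper_protected(struct regs_model *r)
{
    wrapper_ret_site = __builtin_return_address(0);
    int ret = callee(r);
    PROTECT1(ret, *r);
    return ret;
}

/*
 * If the wrapper was turned into a jump, callee() returns straight to the
 * wrapper's caller, so the two recorded return sites are identical.
 */
static bool tail_called_unprotected(void)
{
    struct regs_model regs = { .ax = 40, .bx = 2, .sp = 0, .ip = 0 };
    (void)wrapper_unprotected(&regs);
    return callee_ret_site == wrapper_ret_site;
}

static bool tail_called_protected(void)
{
    struct regs_model regs = { .ax = 40, .bx = 2, .sp = 0, .ip = 0 };
    (void)wrapper_protected(&regs);
    return callee_ret_site == wrapper_ret_site;
}

/* Both forms compute the same result; only the call shape differs. */
static int protected_result(void)
{
    struct regs_model regs = { .ax = 40, .bx = 2, .sp = 0, .ip = 0 };
    return wrapper_protected(&regs);
}

int main(void)
{
    printf("unprotected wrapper tail-called: %s\n",
           tail_called_unprotected() ? "yes" : "no");
    printf("protected wrapper tail-called:   %s\n",
           tail_called_protected() ? "yes" : "no");
    printf("result: %d\n", protected_result());
    return 0;
}
```

Build it twice, once without and once with -O2 (gcc or clang), and compare the first output line: `__builtin_return_address(0)` inside `callee` equals the wrapper's own return address only when the wrapper was compiled as a jump rather than a call. The second line stays "no" at every optimization level, which is the property the patch relies on.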