From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 05/20] hns: avoid stack overflow with CONFIG_KASAN
Date: Mon, 13 Feb 2017 05:04:50 -0800 [thread overview]
Message-ID: <20170213130403.755701944@linuxfoundation.org> (raw)
In-Reply-To: <20170213130403.531813333@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit b3f2d07f4649adcf6905953a10d217b5683e4077 upstream.
The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
an indexed load for the register address, but it has an absolutely detrimental
effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
kernel stack overflow aside from very complex object code:
hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
seems safe anyway and it avoids a serious issue for some people. I have verified
that with gcc-5.3.1, the object code we get is better in the new version
both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
stack frame for hns_dsaf_get_regs() but otherwise have practically identical
object code.
With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
good either way.
This patch is probably not urgent to get into 4.11 as only KASAN=y builds
with certain compilers are affected, but I still think it makes sense to
backport into older kernels.
Fixes: 511e6bc ("net: add Hisilicon Network Subsystem DSAF support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
@@ -900,9 +900,7 @@
static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value)
{
- u8 __iomem *reg_addr = ACCESS_ONCE(base);
-
- writel(value, reg_addr + reg);
+ writel(value, base + reg);
}
#define dsaf_write_dev(a, reg, value) \
@@ -910,9 +908,7 @@ static inline void dsaf_write_reg(void _
static inline u32 dsaf_read_reg(u8 __iomem *base, u32 reg)
{
- u8 __iomem *reg_addr = ACCESS_ONCE(base);
-
- return readl(reg_addr + reg);
+ return readl(base + reg);
}
#define dsaf_read_dev(a, reg) \
next prev parent reply other threads:[~2017-02-13 13:05 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 13:04 [PATCH 4.4 00/20] 4.4.49-stable review Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 01/20] ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 02/20] selinux: fix off-by-one in setprocattr Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 03/20] Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback" Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 04/20] cpumask: use nr_cpumask_bits for parsing functions Greg Kroah-Hartman
2017-02-13 13:04 ` Greg Kroah-Hartman [this message]
2017-02-13 13:04 ` [PATCH 4.4 06/20] ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 07/20] target: Dont BUG_ON during NodeACL dynamic -> explicit conversion Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 08/20] target: Use correct SCSI status during EXTENDED_COPY exception Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 09/20] target: Fix early transport_generic_handle_tmr abort scenario Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 10/20] target: Fix COMPARE_AND_WRITE ref leak for non GOOD status Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 11/20] ARM: 8642/1: LPAE: catch pending imprecise abort on unmask Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 12/20] mac80211: Fix adding of mesh vendor IEs Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 13/20] [PATCH] netvsc: Set maximum GSO size in the right place Greg Kroah-Hartman
2017-02-13 13:04 ` [PATCH 4.4 14/20] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 15/20] scsi: aacraid: Fix INTx/MSI-x issue with older controllers Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 16/20] scsi: mpt3sas: disable ASPM for MPI2 controllers Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 17/20] xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 18/20] ALSA: seq: Fix race at creating a queue Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 19/20] ALSA: seq: Dont handle loop timeout at snd_seq_pool_done() Greg Kroah-Hartman
2017-02-13 13:05 ` [PATCH 4.4 20/20] drm/i915: fix use-after-free in page_flip_completed() Greg Kroah-Hartman
2017-02-13 17:09 ` [PATCH 4.4 00/20] 4.4.49-stable review Shuah Khan
2017-02-13 20:04 ` Guenter Roeck
2017-02-15 11:41 ` Sudip Mukherjee
2017-02-15 16:36 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170213130403.755701944@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox