From: Kees Cook <keescook@chromium.org>
To: Mike Galbraith <efault@gmx.de>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH][DEBUG] x86/refcount: split up refcount saturation handling
Date: Thu, 31 Aug 2017 12:27:28 -0700 [thread overview]
Message-ID: <20170831192728.GA135568@beast> (raw)
In support of debugging the problems Mike Galbraith has seen with
x86-refcount vs gcc vs network refcounts...
This minimizes the differences between unchecked-refcount and x86-refcount
by changing the refcount_dec() failure case to not saturate. The reporting
of negative values is reduced to pr_warn from WARN to avoid spamming dmesg
(which may impact race conditions). Ratelimiting is disabled just to be
sure no reports are being dropped.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/mm/extable.c | 51 ++++++++++++++++++++++++++++++++++-----------------
kernel/panic.c | 2 +-
2 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index c076f710de4c..dcb498668370 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -1,6 +1,7 @@
#include <linux/extable.h>
#include <linux/uaccess.h>
#include <linux/sched/debug.h>
+#include <linux/ratelimit.h>
#include <asm/traps.h>
#include <asm/kdebug.h>
@@ -43,19 +44,7 @@ EXPORT_SYMBOL_GPL(ex_handler_fault);
bool ex_handler_refcount(const struct exception_table_entry *fixup,
struct pt_regs *regs, int trapnr)
{
- /* First unconditionally saturate the refcount. */
- *(int *)regs->cx = INT_MIN / 2;
-
- /*
- * Strictly speaking, this reports the fixup destination, not
- * the fault location, and not the actually overflowing
- * instruction, which is the instruction before the "js", but
- * since that instruction could be a variety of lengths, just
- * report the location after the overflow, which should be close
- * enough for finding the overflow, as it's at least back in
- * the function, having returned from .text.unlikely.
- */
- regs->ip = ex_fixup_addr(fixup);
+ const char *msg;
/*
* This function has been called because either a negative refcount
@@ -68,12 +57,40 @@ bool ex_handler_refcount(const struct exception_table_entry *fixup,
* these cases we want a report, since it's a boundary condition.
*
*/
- if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_ZF)) {
- bool zero = regs->flags & X86_EFLAGS_ZF;
-
- refcount_error_report(regs, zero ? "hit zero" : "overflow");
+ if (regs->flags & X86_EFLAGS_OF) {
+ /* Always saturate on overflow detection. */
+ *(int *)regs->cx = INT_MIN / 2;
+ msg = "saturated due to overflow";
+ } else if (regs->flags & X86_EFLAGS_SF) {
+ /* Do not generate traceback on re-saturation. */
+ *(int *)regs->cx = INT_MIN / 2;
+ regs->ip = ex_fixup_addr(fixup);
+ pr_warn("refcount_t saturated due to negative result at %pB in %s[%d]\n",
+ (void *)instruction_pointer(regs),
+ current->comm, task_pid_nr(current));
+ return true;
+ } else if (regs->flags & X86_EFLAGS_ZF) {
+ /* An unchecked dec-to-zero happened. WARN only. */
+ msg = "hit zero without test";
+ } else {
+ /* Impossible state. */
+ *(int *)regs->cx = INT_MIN / 2;
+ msg = "saturated due to unknown state";
}
+ /*
+ * Strictly speaking, this reports the fixup destination, not
+ * the fault location, and not the actually overflowing
+ * instruction, which is the instruction before the "js", but
+ * since that instruction could be a variety of lengths, just
+ * report the location after the overflow, which should be close
+ * enough for finding the overflow, as it's at least back in
+ * the function, having returned from .text.unlikely.
+ */
+ regs->ip = ex_fixup_addr(fixup);
+
+ refcount_error_report(regs, msg);
+
return true;
}
EXPORT_SYMBOL_GPL(ex_handler_refcount);
diff --git a/kernel/panic.c b/kernel/panic.c
index bdd18afa19a4..966ade491543 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail);
#ifdef CONFIG_ARCH_HAS_REFCOUNT
void refcount_error_report(struct pt_regs *regs, const char *err)
{
- WARN_RATELIMIT(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
+ WARN(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
err, (void *)instruction_pointer(regs),
current->comm, task_pid_nr(current),
from_kuid_munged(&init_user_ns, current_uid()),
--
2.7.4
--
Kees Cook
Pixel Security
next reply other threads:[~2017-08-31 19:27 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-31 19:27 Kees Cook [this message]
2017-09-02 10:35 ` [PATCH][DEBUG] x86/refcount: split up refcount saturation handling Ingo Molnar
2017-09-02 19:51 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170831192728.GA135568@beast \
--to=keescook@chromium.org \
--cc=efault@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox