mirror of https://gitee.com/openkylin/linux.git
x86/alternatives: Fix int3_emulate_call() selftest stack corruption
KASAN shows the following splat during boot:
BUG: KASAN: unknown-crash in unwind_next_frame+0x3f6/0x490
Read of size 8 at addr ffffffff84007db0 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Tainted: G T 5.2.0-rc6-00013-g7457c0d #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
dump_stack+0x19/0x1b
print_address_description+0x1b0/0x2b2
__kasan_report+0x10f/0x171
kasan_report+0x12/0x1c
__asan_load8+0x54/0x81
unwind_next_frame+0x3f6/0x490
unwind_next_frame+0x1b/0x23
arch_stack_walk+0x68/0xa5
stack_trace_save+0x7b/0xa0
save_trace+0x3c/0x93
mark_lock+0x1ef/0x9b1
lock_acquire+0x122/0x221
__mutex_lock+0xb6/0x731
mutex_lock_nested+0x16/0x18
_vm_unmap_aliases+0x141/0x183
vm_unmap_aliases+0x14/0x16
change_page_attr_set_clr+0x15e/0x2f2
set_memory_4k+0x2a/0x2c
check_bugs+0x11fd/0x1298
start_kernel+0x793/0x7eb
x86_64_start_reservations+0x55/0x76
x86_64_start_kernel+0x87/0xaa
secondary_startup_64+0xa4/0xb0
Memory state around the buggy address:
ffffffff84007c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
ffffffff84007d00: f1 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
>ffffffff84007d80: f3 79 be 52 49 79 be 00 00 00 00 00 00 00 00 f1
It turns out that int3_selftest() is corrupting the stack. The problem is
that the KASAN-ified version of int3_magic() is much less trivial than the
C code appears. It clobbers several unexpected registers. So when the
selftest's INT3 is converted to an emulated call to int3_magic(), the
registers are clobbered and Bad Things happen when the function returns.
Fix this by converting int3_magic() to the trivial ASM function it should
be, avoiding all calling convention issues. Also add ASM_CALL_CONSTRAINT to
the INT3 ASM, since it contains a 'CALL'.
[peterz: cribbed changelog from josh]
Fixes: 7457c0da02
("x86/alternatives: Add int3_emulate_call() selftest")
Reported-by: kernel test robot <rong.a.chen@intel.com>
Debugged-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Link: https://lkml.kernel.org/r/20190709125744.GB3402@hirez.programming.kicks-ass.net
This commit is contained in:
parent
1cbec37b3f
commit
ecc6061038
|
@ -625,10 +625,23 @@ extern struct paravirt_patch_site __start_parainstructions[],
|
|||
*
|
||||
* See entry_{32,64}.S for more details.
|
||||
*/
|
||||
static void __init int3_magic(unsigned int *ptr)
|
||||
{
|
||||
*ptr = 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* We define the int3_magic() function in assembly to control the calling
|
||||
* convention such that we can 'call' it from assembly.
|
||||
*/
|
||||
|
||||
extern void int3_magic(unsigned int *ptr); /* defined in asm */
|
||||
|
||||
asm (
|
||||
" .pushsection .init.text, \"ax\", @progbits\n"
|
||||
" .type int3_magic, @function\n"
|
||||
"int3_magic:\n"
|
||||
" movl $1, (%" _ASM_ARG1 ")\n"
|
||||
" ret\n"
|
||||
" .size int3_magic, .-int3_magic\n"
|
||||
" .popsection\n"
|
||||
);
|
||||
|
||||
extern __initdata unsigned long int3_selftest_ip; /* defined in asm below */
|
||||
|
||||
|
@ -676,7 +689,9 @@ static void __init int3_selftest(void)
|
|||
"int3_selftest_ip:\n\t"
|
||||
__ASM_SEL(.long, .quad) " 1b\n\t"
|
||||
".popsection\n\t"
|
||||
: : __ASM_SEL_RAW(a, D) (&val) : "memory");
|
||||
: ASM_CALL_CONSTRAINT
|
||||
: __ASM_SEL_RAW(a, D) (&val)
|
||||
: "memory");
|
||||
|
||||
BUG_ON(val != 1);
|
||||
|
||||
|
|
Loading…
Reference in New Issue