From: Michael Matz <matz@suse.de>
To: Borislav Petkov <bp@alien8.de>
Cc: Jakub Jelinek <jakub@redhat.com>,
Sergei Trofimovich <slyfox@gentoo.org>,
linux-kernel@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
x86@kernel.org
Subject: Re: [PATCH v2] x86: fix early boot crash on gcc-10
Date: Tue, 14 Apr 2020 13:50:29 +0000 (UTC) [thread overview]
Message-ID: <alpine.LSU.2.21.2004141343370.11688@wotan.suse.de> (raw)
In-Reply-To: <20200413163540.GD3772@zn.tnic>
Hello,
On Mon, 13 Apr 2020, Borislav Petkov wrote:
> > @@ -207,8 +207,11 @@ static int cpu0_logical_apicid;
> > static int enable_start_cpu0;
> > /*
> > * Activate a secondary processor.
> > + *
> > + * Note: 'boot_init_stack_canary' changes canary value. Omit
> > + * stack protection to avoid canary check (and boot) failure.
> > */
> > -static void notrace start_secondary(void *unused)
> > +static void __no_stack_protector notrace start_secondary(void *unused)
>
> Hmm, so we did this per-function marking only but that explodes on
> 32-bit, see splat at the end. gcc guys, any ideas?
>
> The null pointer deref happens this way:
>
> The __no_stack_protector annotated function start_secondary() calls
> trace_hardirqs_on(). On entry, that function pushes the frame pointer on
> the stack:
>
> trace_hardirqs_on:
> pushl %ebp #
> movl %esp, %ebp #,
> subl $20, %esp #,
> movl %ebx, -12(%ebp) #,
> movl %esi, -8(%ebp) #,
> movl %edi, -4(%ebp) #,
>
>
> Singlestepping the whole thing in gdb looks like this:
>
> Dump of assembler code from 0xc1158610 to 0xc1158624:
> => 0xc1158610 <trace_hardirqs_on+0>: 55 push %ebp <---
> 0xc1158611 <trace_hardirqs_on+1>: 89 e5 mov %esp,%ebp
>
> and ebp has:
>
> ...
> ebp 0x0 0x0 <---
> esi 0x200002 2097154
> edi 0x1 1
> eip 0xc1158610
> ...
>
> Later in the function, it will do __builtin_return_address(n), which
> turns into:
>
> # kernel/trace/trace_preemptirq.c:26: trace_irq_enable_rcuidle(CALLER_ADDR0, CALLER_ADDR1);
> movl 0(%ebp), %eax #, tmp133
> # kernel/trace/trace_preemptirq.c:27: tracer_hardirqs_on(CALLER_ADDR0, CALLER_ADDR1);
> movl 4(%eax), %edx #, tmp130
So this part expects that the caller (!) of trace_hardirqs_on was compiled
with a frame pointer (in %ebp). Obviously that's not the case as you
traced above. Is start_secondary the immediate caller in the above
case?
> <--- derefs it here. Boom.
>
> So, could it be that marking this one function like this:
>
> static void __attribute__((optimize("-fno-stack-protector"))) __attribute__((no_instrument_function)) start_secondary(void *unused)
> {
>
> would cause %ebp to be 0 for whatever reason on 32-bit?
Look at it's disassembly. If it doesn't have the usual push
%ebp/mov%esp,%ebp prologue it probably doesn't use a frame pointer. In
that case I would speculate that having a frame pointer was (before the
change above) only a side-effect of being compiled with -fstack-protector,
which got now disabled. But I was under the impression that the upstream
kernels build with -fno-omit-frame-pointer, so that sounds unexpected.
But I have no better explanation at the moment. If the above speculation
doesn't make you progress: preprocessed file and a note of what the
immediate caller of trace_hardirqs_on is in the above case, please.
Ciao,
Michael.
next prev parent reply other threads:[~2020-04-14 13:51 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-14 16:44 [PATCH] x86: fix early boot crash on gcc-10 Sergei Trofimovich
2020-03-16 13:04 ` Peter Zijlstra
2020-03-16 13:26 ` Jakub Jelinek
2020-03-16 13:42 ` Peter Zijlstra
2020-03-16 17:54 ` Borislav Petkov
2020-03-16 18:03 ` Jakub Jelinek
2020-03-17 14:36 ` Borislav Petkov
2020-03-17 14:39 ` Jakub Jelinek
2020-03-17 14:49 ` Borislav Petkov
2020-03-17 16:35 ` David Laight
2020-03-25 13:31 ` Borislav Petkov
2020-03-26 21:54 ` Sergei Trofimovich
2020-03-26 22:35 ` Borislav Petkov
2020-03-28 8:48 ` [PATCH v2] " Sergei Trofimovich
2020-04-13 14:15 ` [tip: x86/urgent] x86: Fix " tip-bot2 for Sergei Trofimovich
2020-04-13 16:35 ` [PATCH v2] x86: fix " Borislav Petkov
2020-04-14 13:50 ` Michael Matz [this message]
2020-04-15 7:48 ` Borislav Petkov
2020-04-15 14:53 ` Michael Matz
2020-04-15 22:19 ` Sergei Trofimovich
2020-04-17 7:57 ` Borislav Petkov
2020-04-17 8:07 ` Jakub Jelinek
2020-04-17 8:42 ` Borislav Petkov
2020-04-17 8:58 ` Jakub Jelinek
2020-04-17 9:09 ` Borislav Petkov
2020-04-17 18:15 ` Nick Desaulniers
2020-04-17 18:22 ` Nick Desaulniers
2020-04-17 19:06 ` Jakub Jelinek
2020-04-17 19:49 ` Nick Desaulniers
2020-04-17 19:53 ` Nick Desaulniers
2020-04-20 14:04 ` Michael Matz
2020-04-22 10:23 ` Borislav Petkov
2020-04-22 11:40 ` Peter Zijlstra
2020-04-22 13:49 ` Borislav Petkov
2020-04-22 13:55 ` Jakub Jelinek
2020-04-22 14:16 ` Martin Liška
2020-04-22 15:06 ` Michael Matz
2020-04-22 16:53 ` Borislav Petkov
2020-04-22 17:02 ` Jakub Jelinek
2020-04-22 18:47 ` Nick Desaulniers
2020-04-22 18:55 ` Nick Desaulniers
2020-04-22 19:21 ` Borislav Petkov
2020-04-22 21:05 ` Nick Desaulniers
2020-04-22 21:26 ` Borislav Petkov
2020-04-22 22:57 ` Nick Desaulniers
2020-04-23 12:53 ` Borislav Petkov
2020-04-23 16:12 ` [PATCH] x86: Fix early boot crash on gcc-10, next try Borislav Petkov
2020-04-23 17:30 ` Borislav Petkov
2020-04-23 18:02 ` Nick Desaulniers
2020-04-23 18:27 ` Borislav Petkov
2020-04-27 11:37 ` [tip: x86/build] x86/build: Check whether the compiler is sane tip-bot2 for Borislav Petkov
2020-04-23 19:40 ` [PATCH] x86: Fix early boot crash on gcc-10, next try Kees Cook
2020-04-25 1:46 ` Arvind Sankar
2020-04-25 8:57 ` Borislav Petkov
2020-04-25 11:09 ` Jürgen Groß
2020-04-25 15:04 ` Arvind Sankar
2020-04-25 15:04 ` Arvind Sankar
2020-04-25 17:31 ` Borislav Petkov
2020-04-25 17:31 ` Borislav Petkov
2020-04-25 17:52 ` Borislav Petkov
2020-04-25 17:52 ` Borislav Petkov
2020-04-27 17:07 ` David Laight
2020-04-27 17:07 ` David Laight
2020-04-25 18:37 ` Segher Boessenkool
2020-04-25 18:37 ` Segher Boessenkool
2020-04-25 18:53 ` Borislav Petkov
2020-04-25 18:53 ` Borislav Petkov
2020-04-25 19:15 ` Segher Boessenkool
2020-04-25 19:15 ` Segher Boessenkool
2020-04-25 22:17 ` Borislav Petkov
2020-04-25 22:17 ` Borislav Petkov
2020-04-25 22:25 ` Arvind Sankar
2020-04-25 22:25 ` Arvind Sankar
2020-04-17 10:38 ` [PATCH v2] x86: fix early boot crash on gcc-10 Peter Zijlstra
2020-04-18 13:12 ` David Laight
2020-04-17 10:41 ` Peter Zijlstra
2020-03-16 18:20 ` [PATCH] " Arvind Sankar
2020-03-16 18:54 ` Arvind Sankar
2020-03-16 19:53 ` Arvind Sankar
2020-03-16 20:08 ` Jakub Jelinek
2020-03-16 20:40 ` Arvind Sankar
2020-03-16 22:12 ` Sergei Trofimovich
2020-03-17 11:46 ` Jakub Jelinek
2020-03-17 18:10 ` Sergei Trofimovich
2020-03-16 18:22 ` Arvind Sankar
2020-03-26 23:16 ` [PATCH v2] " Sergei Trofimovich
2020-04-27 11:37 ` [tip: x86/build] x86: Fix early boot crash on gcc-10, next try tip-bot2 for Borislav Petkov
2020-05-15 11:20 ` [tip: x86/urgent] x86: Fix early boot crash on gcc-10, third try tip-bot2 for Borislav Petkov
2020-05-19 11:49 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LSU.2.21.2004141343370.11688@wotan.suse.de \
--to=matz@suse.de \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=jakub@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=slyfox@gentoo.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.