Re: [LTP] mmstress[1309]: segfault at 7f3d71a36ee8 ip 00007f3d77132bdf sp 00007f3d71a36ee8 error 4 in libc-2.27.so[7f3d77058000+1aa000]

From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Daniel Díaz" <daniel.diaz@linaro.org>
Cc: Naresh Kamboju <naresh.kamboju@linaro.org>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	 "Matthew Wilcox (Oracle)" <willy@infradead.org>,
	zenglg.jy@cn.fujitsu.com,
	 "Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Viresh Kumar <viresh.kumar@linaro.org>, X86 ML <x86@kernel.org>,
	 open list <linux-kernel@vger.kernel.org>,
	lkft-triage@lists.linaro.org,
	 "Eric W. Biederman" <ebiederm@xmission.com>,
	linux-mm <linux-mm@kvack.org>,
	 linux-m68k <linux-m68k@lists.linux-m68k.org>,
	 Linux-Next Mailing List <linux-next@vger.kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	 kasan-dev <kasan-dev@googlegroups.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	 Geert Uytterhoeven <geert@linux-m68k.org>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	 Ingo Molnar <mingo@redhat.com>, LTP List <ltp@lists.linux.it>,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [LTP] mmstress[1309]: segfault at 7f3d71a36ee8 ip 00007f3d77132bdf sp 00007f3d71a36ee8 error 4 in libc-2.27.so[7f3d77058000+1aa000]
Date: Thu, 22 Oct 2020 20:05:05 -0700	[thread overview]
Message-ID: <CAHk-=wgqAp5B46SWzgBt6UkheVGFPs2rrE6H4aqLExXE1TXRfQ@mail.gmail.com> (raw)
In-Reply-To: <CAEUSe78A4fhsyF6+jWKVjd4isaUeuFWLiWqnhic87BF6cecN3w@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1398 bytes --]

On Thu, Oct 22, 2020 at 6:36 PM Daniel Díaz <daniel.diaz@linaro.org> wrote:
>
> The kernel Naresh originally referred to is here:
>   https://builds.tuxbuild.com/SCI7Xyjb7V2NbfQ2lbKBZw/

Thanks.

And when I started looking at it, I realized that my original idea
("just look for __put_user_nocheck_X calls, there aren't so many of
those") was garbage, and that I was just being stupid.

Yes, the commit that broke was about __put_user(), but in order to not
duplicate all the code, it re-used the regular put_user()
infrastructure, and so all the normal put_user() calls are potential
problem spots too if this is about the compiler interaction with KASAN
and the asm changes.

So it's not just a couple of special cases to look at, it's all the
normal cases too.

Ok, back to the drawing board, but I think reverting it is probably
the right thing to do if I can't think of something smart.

That said, since you see this on x86-64, where the whole ugly trick with that

   register asm("%"_ASM_AX)

is unnecessary (because the 8-byte case is still just a single
register, no %eax:%edx games needed), it would be interesting to hear
if the attached patch fixes it. That would confirm that the problem
really is due to some register allocation issue interaction (or,
alternatively, it would tell me that there's something else going on).

                  Linus

[-- Attachment #2: patch --]
[-- Type: application/octet-stream, Size: 880 bytes --]

 arch/x86/include/asm/uaccess.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index f13659523108..0f3e202d9eea 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -211,14 +211,14 @@ extern void __put_user_nocheck_8(void);
 #define do_put_user_call(fn,x,ptr)					\
 ({									\
 	int __ret_pu;							\
-	register __typeof__(*(ptr)) __val_pu asm("%"_ASM_AX);		\
+	__typeof__(*(ptr)) __val_pu;					\
 	__chk_user_ptr(ptr);						\
 	__val_pu = (x);							\
 	asm volatile("call __" #fn "_%P[size]"				\
 		     : "=c" (__ret_pu),					\
 			ASM_CALL_CONSTRAINT				\
 		     : "0" (ptr),					\
-		       "r" (__val_pu),					\
+		       "a" (__val_pu),					\
 		       [size] "i" (sizeof(*(ptr)))			\
 		     :"ebx");						\
 	__builtin_expect(__ret_pu, 0);					\
