Re: Resume Issues :Exec of NX page, Synaptics Botchup

From: Linus Torvalds <torvalds@linux-foundation.org>
To: Parag Warudkar <parag.lkml@gmail.com>,
	Fenghua Yu <fenghua.yu@intel.com>,
	"H. Peter Anvin" <hpa@linux.intel.com>,
	Ingo Molnar <mingo@elte.hu>, Dmitry Torokhov <dtor@mail.ru>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Resume Issues :Exec of NX page, Synaptics Botchup
Date: Sun, 22 May 2011 14:56:40 -0700	[thread overview]
Message-ID: <BANLkTik9ZmQz1A0PBC4P-9XF-hB6Ywr3uQ@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1105221720040.2065@natty-nar>

[-- Attachment #1: Type: text/plain, Size: 2095 bytes --]

On Sun, May 22, 2011 at 2:36 PM, Parag Warudkar <parag.lkml@gmail.com> wrote:
>
> So on an otherwise working system, with today's git resume from suspend
> goes awry. Distro kernel 2.6.38-8 has no issues and
> CONFIG_DEBUG_SET_MODULE_RONX=y is set for both kernels.
>
> 1) setup_disablecpuid seems to result in executing a NX page -
> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [ 2762.672126] BUG: unable to handle kernel paging request at
> ffffffff81aaf74d
> [ 2762.672131] IP: [<ffffffff81aaf74d>] setup_disablecpuid+0x40/0x40

Hmm. The "Code: " line is just full of complete garbage, so I think
the real issue is that you really are trying to execute data.

And that in turn seems to be because "setup_disablecpuid()" has
actually been free'd, because it is marked as __init.

Which is fine at the initial bootup, but not so fine at resume time,
since it was free'd long long ago by then.

And it definitely shouldn' t be called at resume time. There's
something wrong there. That call trace is odd:

  Call Trace:
   [<ffffffff8148a119>] ? identify_cpu+0xd8/0x2d8
   [<ffffffff8148a32d>] identify_secondary_cpu+0x14/0x1b
   [<ffffffff8148bf0f>] smp_store_cpu_info+0x3c/0x3e
   [<ffffffff8148c2ef>] start_secondary+0xf7/0x1d2

because none of those should be calling "setup_disablecpuid()" at all.

Hmm. In fact, RIP is "setup_disablecpuid+0x40/0x40", ie it is one past
the _end_ of setup_disablecpuid.

I suspect that is actually "setup_smep()" that got called, an dthat
there was some garbage data in there that caused it to jump back a
bit.

Does the attached patch fix it?

> 2) Synaptics touchpad which work fine with two fingure gestures etc before
> resume - goes into ps2 mode after resume -
> [ 2783.323947] Synaptics claims to have extended capabilities, but I'm not able to read them.
> [ 2783.774740] Synaptics hardware appears to be different: id(149271-149271), model(114865-114865), caps(d04733-d04733), ext(a40000-0).
> [ 2788.880575] Unable to query Synaptics hardware.

Hmm. I have no idea about this one. Dmitry?

                       Linus

[-- Attachment #2: patch.diff --]
[-- Type: text/x-patch, Size: 572 bytes --]

 arch/x86/kernel/cpu/common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index cbc70a27430c..b93da5d5f5a2 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -262,7 +262,7 @@ static __init int setup_disable_smep(char *arg)
 }
 __setup("nosmep", setup_disable_smep);
 
-static __init void setup_smep(struct cpuinfo_x86 *c)
+static __cpuinit void setup_smep(struct cpuinfo_x86 *c)
 {
 	if (cpu_has(c, X86_FEATURE_SMEP)) {
 		if (unlikely(disable_smep)) {
