From: Brian Gerst <brgerst@gmail.com>
To: Ferry Toth <fntoth@gmail.com>
Cc: Andy Shevchenko <andriy.shevchenko@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Andy Lutomirski <luto@kernel.org>,
x86@kernel.org, LKML <linux-kernel@vger.kernel.org>,
Sedat Dilek <sedat.dilek@gmail.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Sean Christopherson <seanjc@google.com>,
Joerg Roedel <jroedel@suse.de>
Subject: Re: [PATCH v2 1/2] x86/stackprotector/32: Make the canary into a regular percpu variable
Date: Mon, 14 Nov 2022 16:43:07 -0500 [thread overview]
Message-ID: <CAMzpN2gYdwLmeqh+=MAkA2ALaB1PK_YD_5tpZMA09M6NCrvOjg@mail.gmail.com> (raw)
In-Reply-To: <d0d8d5ea-a752-d082-d8fe-68ff888afb59@gmail.com>
On Thu, Nov 10, 2022 at 2:36 PM Ferry Toth <fntoth@gmail.com> wrote:
>
> Hi,
>
> Op 09-11-2022 om 23:33 schreef Brian Gerst:
> > On Wed, Nov 9, 2022 at 9:50 AM Andy Shevchenko
> > <andriy.shevchenko@intel.com> wrote:
> >> On Fri, Sep 30, 2022 at 11:18:51PM +0200, Ferry Toth wrote:
> >>> Op 30-09-2022 om 22:30 schreef Ferry Toth:
> >>>> Op 29-09-2022 om 16:20 schreef Andy Shevchenko:
> >>>>> On Thu, Sep 29, 2022 at 04:56:07PM +0300, Andy Shevchenko wrote:
> >>>>>> On Sat, Feb 13, 2021 at 11:19:44AM -0800, Andy Lutomirski wrote:
> >>>>>>> On 32-bit kernels, the stackprotector canary is quite nasty -- it is
> >>>>>>> stored at %gs:(20), which is nasty because 32-bit kernels use %fs for
> >>>>>>> percpu storage. It's even nastier because it means that whether %gs
> >>>>>>> contains userspace state or kernel state while running kernel code
> >>>>>>> depends on whether stackprotector is enabled (this is
> >>>>>>> CONFIG_X86_32_LAZY_GS), and this setting radically changes the way
> >>>>>>> that segment selectors work. Supporting both variants is a
> >>>>>>> maintenance and testing mess.
> >>>>>>>
> >>>>>>> Merely rearranging so that percpu and the stack canary
> >>>>>>> share the same segment would be messy as the 32-bit percpu address
> >>>>>>> layout isn't currently compatible with putting a variable at a fixed
> >>>>>>> offset.
> >>>>>>>
> >>>>>>> Fortunately, GCC 8.1 added options that allow the stack canary to be
> >>>>>>> accessed as %fs:__stack_chk_guard, effectively turning it
> >>>>>>> into an ordinary
> >>>>>>> percpu variable. This lets us get rid of all of the code to
> >>>>>>> manage the
> >>>>>>> stack canary GDT descriptor and the CONFIG_X86_32_LAZY_GS mess.
> >>>>>>>
> >>>>>>> (That name is special. We could use any symbol we want for the
> >>>>>>> %fs-relative mode, but for CONFIG_SMP=n, gcc refuses to
> >>>>>>> let us use any
> >>>>>>> name other than __stack_chk_guard.)
> >>>>>>>
> >>>>>>> This patch forcibly disables stackprotector on older compilers that
> >>>>>>> don't support the new options and makes the stack canary into a
> >>>>>>> percpu variable. The "lazy GS" approach is now used for all 32-bit
> >>>>>>> configurations.
> >>>>>>>
> >>>>>>> This patch also makes load_gs_index() work on 32-bit kernels. On
> >>>>>>> 64-bit kernels, it loads the GS selector and updates the user
> >>>>>>> GSBASE accordingly. (This is unchanged.) On 32-bit kernels,
> >>>>>>> it loads the GS selector and updates GSBASE, which is now
> >>>>>>> always the user base. This means that the overall effect is
> >>>>>>> the same on 32-bit and 64-bit, which avoids some ifdeffery.
> >>>>>> This patch broke 32-bit boot on Intel Merrifield
> >>>>>>
> >>>>>> git bisect start
> >>>>>> # good: [9f4ad9e425a1d3b6a34617b8ea226d56a119a717] Linux 5.12
> >>>>>> git bisect good 9f4ad9e425a1d3b6a34617b8ea226d56a119a717
> >>>>>> # bad: [62fb9874f5da54fdb243003b386128037319b219] Linux 5.13
> >>>>>> git bisect bad 62fb9874f5da54fdb243003b386128037319b219
> >>>>>> # bad: [85f3f17b5db2dd9f8a094a0ddc665555135afd22] Merge branch
> >>>>>> 'md-fixes' of
> >>>>>> https://git.kernel.org/pub/scm/linux/kernel/git/song/md into
> >>>>>> block-5.13
> >>>>>> git bisect bad 85f3f17b5db2dd9f8a094a0ddc665555135afd22
> >>>>>> # good: [ca62e9090d229926f43f20291bb44d67897baab7] Merge tag
> >>>>>> 'regulator-v5.13' of
> >>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
> >>>>>> git bisect good ca62e9090d229926f43f20291bb44d67897baab7
> >>>>>> # bad: [68a32ba14177d4a21c4a9a941cf1d7aea86d436f] Merge tag
> >>>>>> 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm
> >>>>>> git bisect bad 68a32ba14177d4a21c4a9a941cf1d7aea86d436f
> >>>>>> # good: [49c70ece54b0d1c51bc31b2b0c1070777c992c26]
> >>>>>> drm/amd/display: Change input parameter for set_drr
> >>>>>> git bisect good 49c70ece54b0d1c51bc31b2b0c1070777c992c26
> >>>>>> # good: [0b276e470a4d43e1365d3eb53c608a3d208cabd4] media: coda:
> >>>>>> fix macroblocks count control usage
> >>>>>> git bisect good 0b276e470a4d43e1365d3eb53c608a3d208cabd4
> >>>>>> # bad: [c6536676c7fe3f572ba55842e59c3c71c01e7fb3] Merge tag
> >>>>>> 'x86_core_for_v5.13' of
> >>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> >>>>>> git bisect bad c6536676c7fe3f572ba55842e59c3c71c01e7fb3
> >>>>>> # good: [d1466bc583a81830cef2399a4b8a514398351b40] Merge branch
> >>>>>> 'work.inode-type-fixes' of
> >>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
> >>>>>> git bisect good d1466bc583a81830cef2399a4b8a514398351b40
> >>>>>> # good: [fafe1e39ed213221c0bce6b0b31669334368dc97] Merge tag
> >>>>>> 'afs-netfs-lib-20210426' of
> >>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
> >>>>>> git bisect good fafe1e39ed213221c0bce6b0b31669334368dc97
> >>>>>> # bad: [b1f480bc0686e65d5413c035bd13af2ea4888784] Merge branch
> >>>>>> 'x86/cpu' into WIP.x86/core, to merge the NOP changes & resolve
> >>>>>> a semantic conflict
> >>>>>> git bisect bad b1f480bc0686e65d5413c035bd13af2ea4888784
> >>>>>> # bad: [0c925c61dae18ee3cb93a61cc9dd9562a066034d]
> >>>>>> x86/tools/insn_decoder_test: Convert to insn_decode()
> >>>>>> git bisect bad 0c925c61dae18ee3cb93a61cc9dd9562a066034d
> >>>>>> # bad: [514ef77607b9ff184c11b88e8f100bc27f07460d]
> >>>>>> x86/boot/compressed/sev-es: Convert to insn_decode()
> >>>>>> git bisect bad 514ef77607b9ff184c11b88e8f100bc27f07460d
> >>>>>> # bad: [9e761296c52dcdb1aaa151b65bd39accb05740d9] x86/insn:
> >>>>>> Rename insn_decode() to insn_decode_from_regs()
> >>>>>> git bisect bad 9e761296c52dcdb1aaa151b65bd39accb05740d9
> >>>>>> # bad: [d0962f2b24c99889a386f0658c71535f56358f77] x86/entry/32:
> >>>>>> Remove leftover macros after stackprotector cleanups
> >>>>>> git bisect bad d0962f2b24c99889a386f0658c71535f56358f77
> >>>>>> # bad: [3fb0fdb3bbe7aed495109b3296b06c2409734023]
> >>>>>> x86/stackprotector/32: Make the canary into a regular percpu
> >>>>>> variable
> >>>>>> git bisect bad 3fb0fdb3bbe7aed495109b3296b06c2409734023
> >>>>>> # first bad commit: [3fb0fdb3bbe7aed495109b3296b06c2409734023]
> >>>>>> x86/stackprotector/32: Make the canary into a regular percpu
> >>>>>> variable
> >>>> With the bad commit the last words in dmesg are:
> >>>>
> >>>> mem auto-init: stack:off, heap alloc:off, heap free:off
> >>>> Initializing HighMem for node 0 (00036ffe:0003f500)
> >>>> Initializing Movable for node 0 (00000000:00000000)
> >>>> Checking if this processor honours the WP bit even in supervisor
> >>>> mode...Ok.
> >>>> Memory: 948444K/1004124K available (12430K kernel code, 2167K rwdata,
> >>>> 4948K rodata, 716K init, 716K bss, 55680K reserved, 0K cma-reserved,
> >>>> 136200K highmem)
> >>>> SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
> >>>> trace event string verifier disabled
> >>>> Dynamic Preempt: voluntary
> >>>> rcu: Preemptible hierarchical RCU implementation.
> >>>> rcu: RCU event tracing is enabled.
> >>>> rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
> >>>> Trampoline variant of Tasks RCU enabled.
> >>>> Tracing variant of Tasks RCU enabled.
> >>>> rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
> >>>> rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
> >>>> NR_IRQS: 2304, nr_irqs: 512, preallocated irqs: 0
> >>>>
> >>>> without the bad commit dmesg continues:
> >>>>
> >>>> random: get_random_bytes called from start_kernel+0x492/0x65a with
> >>>> crng_init=0
> >>>> Console: colour dummy device 80x25
> >>>> printk: console [tty0] enabled
> >>>> printk: bootconsole [uart0] disabled
> >>>>
> >>>> ....
> >>>>
> >>>>>> Any suggestions how to fix are welcome!
> >>>>>>
> >>> Interesting. I added the following fragment to the kernel config:
> >>>
> >>> # CONFIG_STACKPROTECTOR is not set
> >>>
> >>> And this resolves the boot issue (tested with v5.17 i686 on Intel
> >>> Merrifield)
> >> I'm not sure that's the correct approach.
> I didn't intend as a resolution, merely as a workaround. And since
> revert was not possible, as proof issue is localized in stack protector.
> >> Any answer from the Andy Lutomirski?
> >>
> >> And in general to x86 maintainers, do we support all features on x86 32-bit? If
> >> no, can it be said explicitly, please?
> > What compiler version are you using?
>
> I built with Yocto Honister which builds it's own cross-compiler gcc
> 11.2. For completeness:
>
> root@yuna:~# uname -a
> Linux yuna 5.17.0-edison-acpi-standard #1 SMP PREEMPT Sun Mar 20
> 20:14:17 UTC 2022 i686 i686 i386 GNU/Linux
>
> root@yuna:~# cat /proc/version
> Linux version 5.17.0-edison-acpi-standard (oe-user@oe-host)
> (i686-poky-linux-gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37.20210721)
> #1 SMP PREEMPT Sun Mar 20 20:14:17 UTC 2022
>
> root@yuna:~# cat /etc/os-release
> ID=poky-edison
> NAME="Poky (Yocto Project Reference Distro)"
> VERSION="3.4.4 (honister)"
> VERSION_ID=3.4.4
> PRETTY_NAME="Poky (Yocto Project Reference Distro) 3.4.4 (honister)"
>
> > --
> > Brian Gerst
What exactly happens when it fails (hang/reboot/oops)?
Does removing the call to boot_init_stack_canary() in init/main.c fix
the problem?
--
Brian Gerst
next prev parent reply other threads:[~2022-11-14 21:43 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-13 19:19 [PATCH v2 0/2] Clean up x86_32 stackprotector Andy Lutomirski
2021-02-13 19:19 ` [PATCH v2 1/2] x86/stackprotector/32: Make the canary into a regular percpu variable Andy Lutomirski
2021-02-13 19:49 ` Sedat Dilek
2021-02-16 16:21 ` Sean Christopherson
2021-02-16 20:23 ` Sedat Dilek
2021-02-16 18:45 ` Nick Desaulniers
2021-02-16 20:29 ` Sedat Dilek
2021-03-08 13:14 ` [tip: x86/core] " tip-bot2 for Andy Lutomirski
2022-09-29 13:56 ` [PATCH v2 1/2] " Andy Shevchenko
2022-09-29 14:20 ` Andy Shevchenko
2022-09-30 20:30 ` Ferry Toth
2022-09-30 21:18 ` Ferry Toth
2022-11-09 14:50 ` Andy Shevchenko
2022-11-09 22:33 ` Brian Gerst
2022-11-10 14:02 ` Andy Shevchenko
2022-11-10 19:36 ` Ferry Toth
2022-11-14 21:43 ` Brian Gerst [this message]
2022-11-14 22:16 ` Ferry Toth
2022-11-17 19:28 ` Ferry Toth
2021-02-13 19:19 ` [PATCH v2 2/2] x86/entry/32: Remove leftover macros after stackprotector cleanups Andy Lutomirski
2021-03-08 13:14 ` [tip: x86/core] " tip-bot2 for Andy Lutomirski
2021-02-13 19:33 ` [PATCH v2 0/2] Clean up x86_32 stackprotector Sedat Dilek
2021-02-14 14:42 ` Sedat Dilek
2021-02-16 18:13 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMzpN2gYdwLmeqh+=MAkA2ALaB1PK_YD_5tpZMA09M6NCrvOjg@mail.gmail.com' \
--to=brgerst@gmail.com \
--cc=andriy.shevchenko@intel.com \
--cc=dave.hansen@intel.com \
--cc=fntoth@gmail.com \
--cc=jroedel@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=ndesaulniers@google.com \
--cc=seanjc@google.com \
--cc=sedat.dilek@gmail.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.