From: john.l.byrne@compaq.com
To: torvalds@transmeta.com
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] 2.4.x i386 SMP interrupts can corrupt registers
Date: Wed, 29 Aug 2001 11:47:30 -0700 (PDT) [thread overview]
Message-ID: <200108291847.f7TIlUh13144@kahuna.cag.cpqcorp.net> (raw)
Currently, the SMP interrupt code generated by the macros
BUILD_SMP_INTERRUPT and BUILD_SMP_TIMER_INTERRUPT push the positive
interrupt vector number on the stack. If the correct signal is pending
on the process and %eax happens to have the correct value, do_signal()
can be spoofed into adjusting %eax and %eip with almost certainly bad
results. For example, trying to do a "strace -p" the following program
will result in its dumping core with an illegal instruction.
int
main(void)
{
int i;
asm (
"mov %1,%0\n\t"
"1:\t"
"cmp %1,%0\n\t"
"rep;nop\n\t"
"je 1b\n\t"
:"=&a" (i)
:"i" (-512));
return i;
}
I suspect what was wanted was to subtract 256, as is done in BUILD_IRQ,
to make the values negative, but leave the vector available in %al, so
I offer the following patch against 2.4.10-pre2 to do so. (The 2.2.x
code simply pushes -1. I don't see anything that uses the vector for
these interrupt, so this should work. However, I assume the change was
made so the vector number would be available on the stack, perhaps for
debugging.)
This has only been tested by me on my SMP box, but... (I don't want to
complete that sentence with words I might be forced to regret for some
reason.)
John Byrne
diff -Nar -u4 orig/include/asm-i386/hw_irq.h linux/include/asm-i386/hw_irq.h
--- orig/include/asm-i386/hw_irq.h Mon Jul 9 13:28:00 2001
+++ linux/include/asm-i386/hw_irq.h Wed Aug 29 09:48:38 2001
@@ -129,9 +129,9 @@
asmlinkage void call_##x(void); \
__asm__( \
"\n"__ALIGN_STR"\n" \
SYMBOL_NAME_STR(x) ":\n\t" \
- "pushl $"#v"\n\t" \
+ "pushl $"#v"-256\n\t" \
SAVE_ALL \
SYMBOL_NAME_STR(call_##x)":\n\t" \
"call "SYMBOL_NAME_STR(smp_##x)"\n\t" \
"jmp ret_from_intr\n");
@@ -142,9 +142,9 @@
asmlinkage void call_##x(void); \
__asm__( \
"\n"__ALIGN_STR"\n" \
SYMBOL_NAME_STR(x) ":\n\t" \
- "pushl $"#v"\n\t" \
+ "pushl $"#v"-256\n\t" \
SAVE_ALL \
"movl %esp,%eax\n\t" \
"pushl %eax\n\t" \
SYMBOL_NAME_STR(call_##x)":\n\t" \
next reply other threads:[~2001-08-29 18:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-08-29 18:47 john.l.byrne [this message]
2001-08-30 3:39 ` [PATCH] 2.4.x i386 SMP interrupts can corrupt registers Linus Torvalds
2001-08-30 18:41 ` John Byrne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200108291847.f7TIlUh13144@kahuna.cag.cpqcorp.net \
--to=john.l.byrne@compaq.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).