Re: [PATCH v3 16/16] objtool,x86: Rewrite retpoline thunk calls

From: Peter Zijlstra <peterz@infradead.org>
To: Lukasz Majczak <lma@semihalf.com>
Cc: "Josh Poimboeuf" <jpoimboe@redhat.com>,
	x86@kernel.org, jgross@suse.com, mbenes@suse.com,
	linux-kernel@vger.kernel.org, upstream@semihalf.com,
	"Radosław Biernacki" <rad@semihalf.com>,
	"Łukasz Bartosik" <lb@semihalf.com>,
	"Guenter Roeck" <groeck@google.com>
Subject: Re: [PATCH v3 16/16] objtool,x86: Rewrite retpoline thunk calls
Date: Wed, 2 Jun 2021 18:56:51 +0200	[thread overview]
Message-ID: <YLe4U9FgmMlYu/JN@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <CAFJ_xbq06nfaEWtVNLtg7XCJrQeQ9wCs4Zsoi5Y_HP3Dx0iTRA@mail.gmail.com>

On Wed, Jun 02, 2021 at 05:51:01PM +0200, Lukasz Majczak wrote:
> Hi Peter,
> 
> This patch seems to crash on Tigerlake platform (Chromebook delbin), I
> got the following error:
> 
> [    2.103054] pcieport 0000:00:1c.0: PME: Signaling with IRQ 122
> [    2.110148] pcieport 0000:00:1c.0: pciehp: Slot #7 AttnBtn-
> PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+
> IbPresDis- LLActRep+
> [    2.126754] pcieport 0000:00:1d.0: PME: Signaling with IRQ 123
> [    2.133946] ACPI: \_SB_.CP00: Found 3 idle states
> [    2.139708] BUG: kernel NULL pointer dereference, address: 000000000000012b
> [    2.140704] #PF: supervisor read access in kernel mode
> [    2.140704] #PF: error_code(0x0000) - not-present page
> [    2.140704] PGD 0 P4D 0
> [    2.140704] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [    2.140704] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G     U
>   5.13.0-rc1 #31
> [    2.140704] Hardware name: Google Delbin/Delbin, BIOS
> Google_Delbin.13672.156.3 05/14/2021
> [    2.140704] RIP: 0010:cpuidle_poll_time+0x9/0x6a
> [    2.140704] Code: 44 00 00 85 f6 78 19 55 48 89 e5 48 8b 05 16 44
> 44 01 4c 8b 58 40 4d 85 db 5d 41 ff d3 66 90 00 c3 0f 1f 44 00 00 55
> 48 89 e5 <48> 8b 46 20 48 85 c0 75 56 4c 63 87 28 04 00 00 b8 24 f49

All code
========
 0:   44 00 00                add    %r8b,(%rax)
 3:   85 f6                   test   %esi,%esi
 5:   78 19                   js     0x20
 7:   55                      push   %rbp
 8:   48 89 e5                mov    %rsp,%rbp
 b:   48 8b 05 16 44 44 01    mov    0x1444416(%rip),%rax        # 0x1444428
12:   4c 8b 58 40             mov    0x40(%rax),%r11
16:   4d 85 db                test   %r11,%r11
19:   5d                      pop    %rbp
1a:   41 ff d3                callq  *%r11
1d:   66 90                   xchg   %ax,%ax
1f:   00 c3                   add    %al,%bl
21:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
26:   55                      push   %rbp
27:   48 89 e5                mov    %rsp,%rbp
2a:*  48 8b 46 20             mov    0x20(%rsi),%rax          <-- trapping instruction
2e:   48 85 c0                test   %rax,%rax
31:   75 56                   jne    0x89
33:   4c 63 87 28 04 00 00    movslq 0x428(%rdi),%r8
3a:   b8                      .byte 0xb8
3b:   24 49                   and    $0x49,%al

What does something like:

OBJ=vmlinux.o FUNC=0010:cpuidle_poll_time objdump -wdr $@ $OBJ | awk "/^\$/ { P=0; } /$FUNC[^>]*>:\$/ { P=1; O=strtonum(\"0x\" \$1); } { if (P) { o=strtonum(\"0x\" \$1); printf(\"%04x \", o-O); print \$0; } }"

look like for that build?

The 1d,1f instructions look exactly like what the alternative would've
written.

> [    2.140704] RSP: 0000:ffffffff9cc03ea8 EFLAGS: 00010282
> [    2.140704] RAX: 0000000000008e7d RBX: ffffffff9cc1c5fd RCX: 000000007f894e5a
> [    2.140704] RDX: 000000007f894d4f RSI: 000000000000010b RDI: 0000000002fa1cf6

That said, your RSI is buggered, and 0x20(%rsi) rightfully blows up.