[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <530B841F.5050803@zytor.com>
Date: Mon, 24 Feb 2014 09:40:47 -0800
From: "H. Peter Anvin" <hpa@...or.com>
To: Vince Weaver <vincent.weaver@...ne.edu>,
Peter Zijlstra <peterz@...radead.org>
CC: Linux Kernel <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>,
Steven Rostedt <rostedt@...dmis.org>
Subject: Re: perf_fuzzer compiled for x32 causes reboot
On 02/24/2014 09:32 AM, Vince Weaver wrote:
>>
>> Peter, does x32 have a slightly different ABI/calling convention that
>> would make any of these patches just slightly 'off'?
>
> I do note that
> perf_callchain_user();
>
> Does
> fp = (void __user *)regs->bp;
>
> ...
>
> bytes = copy_from_user_nmi(&frame, fp, sizeof(frame));
>
>
> And in my particular executable RBP has nothing to do with a frame
> pointer, but is instead being used as a general purpose register.
>
> Am I missing something here? Though in that case I'm not sure why this
> wouldn't be easier to trigger.
>
Neither x86-64 nor x32 are typically compiled with fixed frame pointers
(which would be %rbp if they are). So I'm guessing the perf_callchain
logic is only applicable to a user-space binary explicitly compiled with
frame pointers turned on.
So copy_from_user_nmi() stumbles onto a nonexistent page and takes a
page fault. This isn't a big deal, because perf_callchain_user() is set
up to handle that (and just terminates the trace), *except* now CR2 is
corrupt, and we took this event while handling a page fault already...
and apparently before we even did read_cr2() in __do_page_fault.
The description of copy_from_user_nmi() states:
/*
* We rely on the nested NMI work to allow atomic faults from the NMI
path; the
* nested NMI paths are careful to preserve CR2.
*/
... but that doesn't seem to happen here for whatever reason.
There is no hint in your trace what happens after the kernel page fault
so that makes it hard to know.
-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists