Date:	Thu, 18 Feb 2016 16:18:59 +0100
From:	Arnd Bergmann <arnd@...db.de>
To:	Russell King - ARM Linux <linux@....linux.org.uk>
Cc:	linux-arm-kernel@...ts.infradead.org,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Nicolas Pitre <nico@...aro.org>,
	Jon Medhurst <tixy@...aro.org>,
	Marc Zyngier <marc.zyngier@....com>,
	Daniel Thompson <daniel.thompson@...aro.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/9] ARM: change NR_IPIS to 8

On Thursday 18 February 2016 14:37:09 Russell King - ARM Linux wrote:
> On Thu, Feb 18, 2016 at 03:01:54PM +0100, Arnd Bergmann wrote:
> > When function tracing for IPIs is enabled, we get a warning for an
> > overflow of the ipi_types array with the IPI_CPU_BACKTRACE type
> > as triggered by raise_nmi():
> > 
> > arch/arm/kernel/smp.c: In function 'raise_nmi':
> > arch/arm/kernel/smp.c:489:2: error: array subscript is above array bounds [-Werror=array-bounds]
> >   trace_ipi_raise(target, ipi_types[ipinr]);
> 
> We really don't want to treat the backtrace IPI as a normal IPI at all -
> we want it to invoke the least amount of code possible.  Hence this code
> which avoids the issue:
> 
>         if ((unsigned)ipinr < NR_IPI) {
>                 trace_ipi_entry_rcuidle(ipi_types[ipinr]);
>                 __inc_irq_stat(cpu, ipi_irqs[ipinr]);
>         }
> 
> However, what's missing is that the addition of tracing here missed
> that CPU_BACKTRACE is not to be traced.  The call in raise_nmi()
> should have been converted to __smp_cross_call() to avoid the
> tracing code.

I've replaced the patch locally with the version below now, and
will throw it into the randconfig build test infrastructure to
make sure I didn't screw up in an obvious way here.

	Arnd

From 7528c9b0558fdf4de785e62e61f0dd2ffe874110 Mon Sep 17 00:00:00 2001
From: Arnd Bergmann <arnd@...db.de>
Date: Sun, 31 Jan 2016 22:26:21 +0100
Subject: [PATCH] ARM: prevent tracing IPI_CPU_BACKTRACE

When function tracing for IPIs is enabled, we get a warning for an
overflow of the ipi_types array with the IPI_CPU_BACKTRACE type
as triggered by raise_nmi():

arch/arm/kernel/smp.c: In function 'raise_nmi':
arch/arm/kernel/smp.c:489:2: error: array subscript is above array bounds [-Werror=array-bounds]
  trace_ipi_raise(target, ipi_types[ipinr]);

This is a correct warning as we actually overflow the array here.

This patch changes raise_nmi() to call __smp_cross_call() instead of
smp_cross_call(), to avoid calling into ftrace. For clarification,
I'm also adding two new code comments describing how this one
is special.

The warning appears to have shown up after patch e7273ff49acf
("ARM: 8488/1: Make IPI_CPU_BACKTRACE a "non-secure" SGI"), which
changed the number assignment from '15' to '8', but as far as I can
tell has existed since the IPI tracepoints were first introduced.
If we decide to backport this patch to stable kernels, we probably
need to backport e7273ff49acf as well.

Signed-off-by: Arnd Bergmann <arnd@...db.de>
Fixes: e7273ff49acf ("ARM: 8488/1: Make IPI_CPU_BACKTRACE a "non-secure" SGI")
Fixes: 365ec7b17327 ("ARM: add IPI tracepoints") # v3.17
Signed-off-by: Arnd Bergmann <arnd@...db.de>

diff --git a/arch/arm/include/asm/hardirq.h b/arch/arm/include/asm/hardirq.h
index 3d7351c844aa..2fd0a2619b0b 100644
--- a/arch/arm/include/asm/hardirq.h
+++ b/arch/arm/include/asm/hardirq.h
@@ -5,6 +5,7 @@
 #include <linux/threads.h>
 #include <asm/irq.h>
 
+/* number of IPIS _not_ including IPI_CPU_BACKTRACE */
 #define NR_IPI	7
 
 typedef struct {
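
Review bot: The new comment above NR_IPI states that IPI_CPU_BACKTRACE is excluded, but nothing enforces it, and the enum it refers to lives in a different file (arch/arm/kernel/smp.c). Consider a compile-time check next to the enum, for example a BUILD_BUG_ON that fails if IPI_CPU_BACKTRACE is below NR_IPI, so the define and the enum cannot drift apart silently when an IPI type is added. Minor: "IPIS" would read better as "IPIs".
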
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
index b4048e370730..9802a94260db 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -72,6 +72,10 @@ enum ipi_msg_type {
 	IPI_CPU_STOP,
 	IPI_IRQ_WORK,
 	IPI_COMPLETION,
+	/*
+	 * CPU_BACKTRACE is special and not included in NR_IPI
+	 * or tracable with trace_ipi_*
+	 */
 	IPI_CPU_BACKTRACE,
 	/*
 	 * SGI8-15 can be reserved by secure firmware, and thus may
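
Review bot: In the comment added above IPI_CPU_BACKTRACE, "tracable" should be "traceable", and "CPU_BACKTRACE" should use the full enumerator name IPI_CPU_BACKTRACE so the comment is found when grepping for it. The comment says the value is special but not why; the commit message gives the reason (indexing ipi_types[] with it overflows the array), and putting that one clause into the comment would make it useful to someone who does not read the log.
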
@@ -757,7 +761,7 @@ static void raise_nmi(cpumask_t *mask)
 	if (cpumask_test_cpu(smp_processor_id(), mask) && irqs_disabled())
 		nmi_cpu_backtrace(NULL);
 
-	smp_cross_call(mask, IPI_CPU_BACKTRACE);
+	__smp_cross_call(mask, IPI_CPU_BACKTRACE);
 }
 
 void arch_trigger_all_cpu_backtrace(bool include_self)
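
Review bot: The call site in raise_nmi() gets no comment explaining why it uses __smp_cross_call() rather than smp_cross_call(); the two comments this patch adds are at the NR_IPI define and in the enum. A one-line comment directly above the changed call, saying the tracepoint is skipped on purpose because IPI_CPU_BACKTRACE is outside NR_IPI, would keep a later cleanup from converting it back to smp_cross_call().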
