diff options
| author | Josh Poimboeuf <jpoimboe@redhat.com> | 2016-05-17 14:06:06 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2016-05-19 03:12:34 -0400 |
| commit | d4bf7078c43e11097e0d6f04d3fb999bf92c4fb0 (patch) | |
| tree | 95e203060439843e82f2a0121efcbfb15e626842 /arch | |
| parent | 683ad8092cd262a02d01377dd17a29d492438b90 (diff) | |
x86/entry/64: Fix stack return address retrieval in thunk
With CONFIG_FRAME_POINTER enabled, a thunk can pass a bad return address
value to the called function. '9*8(%rsp)' actually gets the frame
pointer, not the return address.
The only users of the 'put_ret_addr_in_rdi' option are two functions
which trace the enabling and disabling of interrupts, so this bug can
result in bad debug or tracing information with CONFIG_IRQSOFF_TRACER or
CONFIG_PROVE_LOCKING.
Fix this by implementing the suggestion of Linus: explicitly push
the frame pointer all the time and constify the stack offsets that
way. This is both correct and easier to read.
Reported-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
[ Extended the changelog a bit. ]
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alex Thorlton <athorlton@sgi.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 058fb73274f9 ("x86/asm/entry: Create stack frames in thunk functions")
Link: http://lkml.kernel.org/r/20160517180606.v5o7wcgdni7443ol@treble
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/x86/entry/thunk_64.S | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/arch/x86/entry/thunk_64.S b/arch/x86/entry/thunk_64.S index 98df1fa8825c..027aec4a74df 100644 --- a/arch/x86/entry/thunk_64.S +++ b/arch/x86/entry/thunk_64.S | |||
| @@ -8,16 +8,15 @@ | |||
| 8 | #include <linux/linkage.h> | 8 | #include <linux/linkage.h> |
| 9 | #include "calling.h" | 9 | #include "calling.h" |
| 10 | #include <asm/asm.h> | 10 | #include <asm/asm.h> |
| 11 | #include <asm/frame.h> | ||
| 12 | 11 | ||
| 13 | /* rdi: arg1 ... normal C conventions. rax is saved/restored. */ | 12 | /* rdi: arg1 ... normal C conventions. rax is saved/restored. */ |
| 14 | .macro THUNK name, func, put_ret_addr_in_rdi=0 | 13 | .macro THUNK name, func, put_ret_addr_in_rdi=0 |
| 15 | .globl \name | 14 | .globl \name |
| 16 | .type \name, @function | 15 | .type \name, @function |
| 17 | \name: | 16 | \name: |
| 18 | FRAME_BEGIN | 17 | pushq %rbp |
| 18 | movq %rsp, %rbp | ||
| 19 | 19 | ||
| 20 | /* this one pushes 9 elems, the next one would be %rIP */ | ||
| 21 | pushq %rdi | 20 | pushq %rdi |
| 22 | pushq %rsi | 21 | pushq %rsi |
| 23 | pushq %rdx | 22 | pushq %rdx |
| @@ -29,8 +28,8 @@ | |||
| 29 | pushq %r11 | 28 | pushq %r11 |
| 30 | 29 | ||
| 31 | .if \put_ret_addr_in_rdi | 30 | .if \put_ret_addr_in_rdi |
| 32 | /* 9*8(%rsp) is return addr on stack */ | 31 | /* 8(%rbp) is return addr on stack */ |
| 33 | movq 9*8(%rsp), %rdi | 32 | movq 8(%rbp), %rdi |
| 34 | .endif | 33 | .endif |
| 35 | 34 | ||
| 36 | call \func | 35 | call \func |
| @@ -65,7 +64,7 @@ restore: | |||
| 65 | popq %rdx | 64 | popq %rdx |
| 66 | popq %rsi | 65 | popq %rsi |
| 67 | popq %rdi | 66 | popq %rdi |
| 68 | FRAME_END | 67 | popq %rbp |
| 69 | ret | 68 | ret |
| 70 | _ASM_NOKPROBE(restore) | 69 | _ASM_NOKPROBE(restore) |
| 71 | #endif | 70 | #endif |