On Thu, Nov 22, 2018 at 4:42 PM Andy Lutomirski <l...@kernel.org> wrote:
>
> On Thu, Nov 22, 2018 at 12:56 PM Ingo Molnar <mi...@kernel.org> wrote:
> >
> >
> > * Andy Lutomirski <l...@kernel.org> wrote:
> >
> > > On Fri, Nov 16, 2018 at 3:27 PM Chang S. Bae <chang.seok....@intel.com>
> > > wrote:
> > > >
> > > > The helper functions that purport to write the base should just write it
> > > > only. It shouldn't have magic optimizations to change the index.
> > > >
> > > > Make the index explicitly changed from the caller, instead of including
> > > > the code in the helpers.
> > > >
> > > > Subsequently, the task write helpers do not handle for the current task
> > > > anymore. The range check for a base value is also factored out, to
> > > > minimize code redundancy from the caller.
> > > >
> > > > v2: Fix further on the task write functions. Revert the changes on the
> > > > task read helpers.
> > > >
> > > > v3: Fix putreg(). Edit the changelog.
> > > >
> > > > v4: Update the task write helper functions and do_arch_prctl_64(). Fix
> > > > the comment in putreg().
> > > >
> > > > v5: Fix preempt_disable() calls in do_arch_prctl_64()
> > >
> > > Reviewed-by: Andy Lutomirski <l...@kernel.org>
> > >
> > > Ingo, Thomas: can we get this in x86/urgent, please?
> >
> > Sadly this commit introduced a boot failure on both an Intel and an AMD
> > 64-bit testbox.
> >
> > Symptoms range from silent bootup hang in early userspace to segfaults
> > like this:
> >
> > [ 21.885741] random: systemd: uninitialized urandom read (16 bytes read)
> > [ 21.964778] systemd[1]: segfault at 28 ip 00005584d8d8247d sp
> > 00007ffc7a05aed0 error 4 in systemd[5584d8d0d000+137000]
> > [ 21.977664] Code: c3 4c 89 ff e8 94 78 fa ff eb bb 48 89 c3 eb f1 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 41 55 41 54 55 53 48 89 fd 48 83 ec 28
> > <64> 48 8b 04 25 28 00 00 00 48 89 44 24 18 31 c0 48 85 ff 74 6e 48
> > [ 22.000004] systemd[1]: segfault at 28 ip 00005584d8db0a3d sp
> > 00007ffc7a05a7e0 error 4 in systemd[5584d8d0d000+137000]
> > [ 22.012869] Code: 49 89 e9 ba 67 01 00 00 bf 04 00 00 00 31 c0 e8 c9 1c
> > 03 00 59 31 c0 5e e9 ff fa ff ff 41 54 55 53 89 fb 48 81 ec 40 01 00 00
> > <64> 48 8b 04 25 28 00 00 00 48 89 84 24 38 01 00 00 31 c0 e8 fb 92
> >
> > I've zapped the commit from x86/urgent because it's clearly not ready
> > yet.
> >
> > I used a fairly regular distro .config and a fairly regular distro -
> > nothing fancy.
> >
>
> I can reproduce it. Off the top of my head, maybe 0day is using a
> different, weird glibc configuration? I think it runs some ancient
> version of Yocto.
>
> And I think I've almost root-caused the problem, and I think it's a
> preexisting bug exposed by this patch. Lemme double-check and I'll
> send a fix.
Nope, I'm wrong. Delta fix attached. Want to just fold this in?
commit a5f99bc80c9bdacf3a1902f8922ca9b939d52723
Author: Andy Lutomirski <l...@kernel.org>
Date: Thu Nov 22 16:53:57 2018 -0800
x86/fsgsbase/64: Fix do_arch_prctl_64() to work correctly wrt save_base_legacy()
Signed-off-by: Andy Lutomirski <l...@kernel.org>
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 74035c2a85b3..fcf528df5b8d 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -733,6 +733,13 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
if (task == current) {
loadseg(GS, 0);
x86_gsbase_write_cpu_inactive(arg2);
+
+ /*
+ * On non-FSGSBASE systems, save_base_legacy() expects
+ * that we also fill in thread.gsbase.
+ */
+ task->thread.gsbase = arg2;
+
} else {
task->thread.gsindex = 0;
x86_gsbase_write_task(task, arg2);
@@ -756,6 +763,12 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
if (task == current) {
loadseg(FS, 0);
x86_fsbase_write_cpu(arg2);
+
+ /*
+ * On non-FSGSBASE systems, save_base_legacy() expects
+ * that we also fill in thread.fsbase.
+ */
+ task->thread.fsbase = arg2;
} else {
task->thread.fsindex = 0;
x86_fsbase_write_task(task, arg2);
