Re: [PATCH] x86_64: Fix check for __per_cpu_offset initialisation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Lianbo,

On Wed, 11 Aug 2021 17:05:26 +0800
lijiang <lijiang@xxxxxxxxxx> wrote:

> >
> > Date: Thu,  5 Aug 2021 15:19:37 +0200
> > From: Philipp Rudo <prudo@xxxxxxxxxx>
> > To: crash-utility@xxxxxxxxxx
> > Subject:  [PATCH] x86_64: Fix check for
> >         __per_cpu_offset        initialisation
> > Message-ID: <20210805131937.5051-1-prudo@xxxxxxxxxx>
> >
> > Since at least kernel v2.6.30 the __per_cpu_offset gets initialized to
> > __per_cpu_load. So first check if the __per_cpu_offset was set to a
> > proper value before reading any per cpu variable to prevent potential
> > bugs.
> >
> >  
> Hi, Philipp
> 
> Thank you for the patch. Can you help to describe  more details about the
> potential risks? and what conditions might trigger the potential bugs?

the bug is always triggered during initialization of the per-cpu data
on x86_64. At least for kernels not using struct x8664_pda, which
AFAIK was also removed with kernel v2.6.30.

The risk for crash is low. Right after the superfluous read there is a
check if the read cpunumber matches the expected one. 

                         if (cpunumber != cpus)
                                 break;

So the worst case scenario I see is that crash initializes one
additional cpu with non-sense data. But given that the bug exists for
~12 years and nobody reported such an bug I assume that the check worked
well so far.

> Did you mean that it's related to the crash live analysis issue(1978032)? I
> tried to reproduce it, but so far I haven't reproduced it with the upstream
> kernel.

Yes, this bug is related to bz1978032. For whatever reason the
superfluous read triggered the panic.

I could reproduce the bug upstream with CONFIG_IO_URING _disabled_.
Unfortunately there is a RHEL-only patch [1] that tampers with the
Kconfig for IO_URING. So when you copy a kernel-ark config to the
upstream repo and run 'make oldconfig' the IO_URING will silently be
_enabled_.

BTW, I tried to reproduce the panic yesterday on kernel-5.14.0-0.rc4
but failed. Not sure if the bug was fixed in the meantime or I was
simply "lucky"...

Thanks
Philipp


[1]
https://gitlab.com/cki-project/kernel-ark/-/commit/50f8c7fb77c97617dbf32519a79a00621ea7d1a3

> 
> Thanks.
> Lianbo
> 
> 
> > Signed-off-by: Philipp Rudo <prudo@xxxxxxxxxx>
> > ---
> >  x86_64.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/x86_64.c b/x86_64.c
> > index 6eb7d67..0bb8705 100644
> > --- a/x86_64.c
> > +++ b/x86_64.c
> > @@ -1327,6 +1327,8 @@ x86_64_per_cpu_init(void)
> >                 ms->stkinfo.isize = 16384;
> >
> >         for (i = cpus = 0; i < NR_CPUS; i++) {
> > +               if (kt->__per_cpu_offset[i] ==
> > symbol_value("__per_cpu_load"))
> > +                       break;
> >                 if (!readmem(cpu_sp->value + kt->__per_cpu_offset[i],
> >                     KVADDR, &cpunumber, sizeof(int),
> >                     "cpu number (per_cpu)", QUIET|RETURN_ON_ERROR))
> > @@ -5602,7 +5604,7 @@ x86_64_get_smp_cpus(void)
> >                         return 1;
> >
> >                 for (i = cpus = 0; i < NR_CPUS; i++) {
> > -                       if (kt->__per_cpu_offset[i] == 0)
> > +                       if (kt->__per_cpu_offset[i] ==
> > symbol_value("__per_cpu_load"))
> >                                 break;
> >                         if (!readmem(sp->value + kt->__per_cpu_offset[i],
> >                             KVADDR, &cpunumber, sizeof(int),
> > --
> > 2.31.1
> >
> >  

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/crash-utility




[Index of Archives]     [Fedora Development]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]

 

Powered by Linux