On Mon, May 08, 2017 at 08:58:29PM -0500, Josh Poimboeuf wrote: > On Mon, May 08, 2017 at 04:31:11PM -0700, Kees Cook wrote: > > On Mon, May 8, 2017 at 3:53 PM, Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote: > > > On Mon, May 08, 2017 at 12:32:52PM -0700, Kees Cook wrote: > > >> +#define REFCOUNT_EXCEPTION \ > > >> + "movl $0x7fffffff, %[counter]\n\t" \ > > >> + "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ > > >> + "0:\n\t" \ > > >> + _ASM_EXTABLE(0b, 0b) > > > > > > Despite the objtool warnings going away, this still uses the exception > > > table in a new way, which will confuse objtool. I need to do some more > > > thinking about the best way to fix it, either as a change to your patch > > > or a change to objtool. > > > > In that it's not a "true" exception? > > Right. And also that it doesn't need the "fixup" since it would return > to the same address anyway. How about the following on top of your patch? It uses #UD (invalid opcode). Notice it's mostly code deletions :-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index bba6976..50bc269 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -789,15 +789,6 @@ ENTRY(spurious_interrupt_bug) jmp common_exception END(spurious_interrupt_bug) -#ifdef CONFIG_FAST_REFCOUNT -ENTRY(refcount_error) - ASM_CLAC - pushl $0 - pushl $do_refcount_error - jmp common_exception -ENDPROC(refcount_error) -#endif - #ifdef CONFIG_XEN ENTRY(xen_hypervisor_callback) pushl $-1 /* orig_ax = -1 => not a system call */ diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 783045d..607d72c 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -855,9 +855,6 @@ idtentry coprocessor_error do_coprocessor_error has_error_code=0 idtentry alignment_check do_alignment_check has_error_code=1 idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0 -#ifdef CONFIG_FAST_REFCOUNT -idtentry refcount_error do_refcount_error has_error_code=0 -#endif /* * Reload gs selector with exception handling diff --git a/arch/x86/include/asm/irq_vectors.h b/arch/x86/include/asm/irq_vectors.h index d117776..6ca9fd6 100644 --- a/arch/x86/include/asm/irq_vectors.h +++ b/arch/x86/include/asm/irq_vectors.h @@ -48,9 +48,6 @@ #define IA32_SYSCALL_VECTOR 0x80 -/* Refcount overflow reporting exception. */ -#define X86_REFCOUNT_VECTOR 0x81 - /* * Vectors 0x30-0x3f are used for ISA interrupts. * round up to the next 16-vector boundary diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h index 6e8bbd7..653a985 100644 --- a/arch/x86/include/asm/refcount.h +++ b/arch/x86/include/asm/refcount.h @@ -8,15 +8,16 @@ */ #include <linux/refcount.h> #include <asm/irq_vectors.h> +#include <asm/bug.h> #define REFCOUNT_EXCEPTION \ "movl $0x7fffffff, %[counter]\n\t" \ - "int $"__stringify(X86_REFCOUNT_VECTOR)"\n" \ - "0:\n\t" \ - _ASM_EXTABLE(0b, 0b) + "1:\t" ASM_UD0 "\n" \ + "2:\n\t" \ + _ASM_EXTABLE(1b, 2b) #define REFCOUNT_CHECK \ - "jns 0f\n\t" \ + "jns 2f\n\t" \ REFCOUNT_EXCEPTION static __always_inline void refcount_add(unsigned int i, refcount_t *r) diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h index e4d8db7..01fd0a7 100644 --- a/arch/x86/include/asm/traps.h +++ b/arch/x86/include/asm/traps.h @@ -38,10 +38,6 @@ asmlinkage void machine_check(void); #endif /* CONFIG_X86_MCE */ asmlinkage void simd_coprocessor_error(void); -#ifdef CONFIG_FAST_REFCOUNT -asmlinkage void refcount_error(void); -#endif - #ifdef CONFIG_TRACING asmlinkage void trace_page_fault(void); #define trace_stack_segment stack_segment @@ -58,7 +54,6 @@ asmlinkage void trace_page_fault(void); #define trace_alignment_check alignment_check #define trace_simd_coprocessor_error simd_coprocessor_error #define trace_async_page_fault async_page_fault -#define trace_refcount_error refcount_error #endif dotraplinkage void do_divide_error(struct pt_regs *, long); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 0b2dbcc..7de95b7 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -220,8 +220,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, if (!user_mode(regs)) { if (fixup_exception(regs, trapnr)) { if (IS_ENABLED(CONFIG_FAST_REFCOUNT) && - trapnr == X86_REFCOUNT_VECTOR) - refcount_error_report(regs, str); + trapnr == X86_TRAP_UD) + refcount_error_report(regs); return 0; } @@ -332,10 +332,6 @@ DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) DO_ERROR(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check) -#ifdef CONFIG_FAST_REFCOUNT -DO_ERROR(X86_REFCOUNT_VECTOR, SIGILL, "refcount overflow", refcount_error) -#endif - #ifdef CONFIG_VMAP_STACK __visible void __noreturn handle_stack_overflow(const char *message, struct pt_regs *regs, @@ -1026,11 +1022,6 @@ void __init trap_init(void) set_bit(IA32_SYSCALL_VECTOR, used_vectors); #endif -#ifdef CONFIG_FAST_REFCOUNT - set_intr_gate(X86_REFCOUNT_VECTOR, refcount_error); - set_bit(X86_REFCOUNT_VECTOR, used_vectors); -#endif - /* * Set the IDT descriptor to a fixed read-only location, so that the * "sidt" instruction will not leak the location of the kernel, and diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 94f87d5..53c9326 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,7 +276,7 @@ extern int oops_may_print(void); void do_exit(long error_code) __noreturn; void complete_and_exit(struct completion *, long) __noreturn; -void refcount_error_report(struct pt_regs *regs, const char *kind); +void refcount_error_report(struct pt_regs *regs); /* Internal, do not use. */ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); diff --git a/kernel/panic.c b/kernel/panic.c index c95b919..2c4ce79 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail); #ifdef CONFIG_FAST_REFCOUNT static DEFINE_RATELIMIT_STATE(refcount_ratelimit, 15 * HZ, 3); -void refcount_error_report(struct pt_regs *regs, const char *kind) +void refcount_error_report(struct pt_regs *regs) { /* Always make sure triggering process will be terminated. */ do_send_sig_info(SIGKILL, SEND_SIG_FORCED, current, true); @@ -613,8 +613,7 @@ void refcount_error_report(struct pt_regs *regs, const char *kind) if (!__ratelimit(&refcount_ratelimit)) return; - pr_emerg("%s detected in: %s:%d, uid/euid: %u/%u\n", - kind ? kind : "refcount error", + pr_emerg("refcount error detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));