On Wed, Jul 13, 2022 at 09:46:58AM -0700, KernelCI bot wrote:
The KernelCI bisection bot found a boot failure on x86-64 on at least a
qemu system with 32 bit EDK2 firmware triggered by a backport of upstream
commit aa3d480315ba6c30 ("x86: Use return-thunk in asm code"). The boot
fails with:
<6>[ 0.324425] Calibrating delay loop (skipped), value calculated using timer frequency.. 3592.02 BogoMIPS (lpj=1796010)
<6>[ 0.325417] pid_max: default: 32768 minimum: 301
<2>[ 0.326744] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
<1>[ 0.327415] BUG: unable to handle page fault for address: 000000000e6038c0
<1>[ 0.327415] #PF: supervisor instruction fetch in kernel mode
<1>[ 0.327415] #PF: error_code(0x0011) - permissions violation
...
<4>[ 0.327415] Call Trace:
<4>[ 0.327415] <TASK>
<4>[ 0.327415] ? efi_set_virtual_address_map+0x65/0x103
<4>[ 0.327415] ? efi_enter_virtual_mode+0x39e/0x3f9
<4>[ 0.327415] ? start_kernel+0x5be/0x65a
<4>[ 0.327415] ? secondary_startup_64_no_verify+0xc2/0xcb
<4>[ 0.327415] </TASK>
The full boot log from a failed boot can be seen at:
https://storage.kernelci.org/stable-rc/queue-5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.txt
I've left the full report below with more details (including a log of
the bisection) and a tag from the bot below. The 32 bit EFI on x86-64
combination is unfortunately a thing some physical systems do.
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * This automated bisection report was sent to you on the basis *
> * that you may be involved with the breaking commit it has *
> * found. No manual investigation has been done to verify it, *
> * and the root cause of the problem may be somewhere else. *
> * *
> * If you do send a fix, please include this trailer: *
> * Reported-by: "kernelci.org bot" <bot@xxxxxxxxxxxx> *
> * *
> * Hope this helps! *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
> stable-rc/queue/5.15 bisection: baseline.login on qemu_x86_64-uefi-mixed
>
> Summary:
> Start: a5f899726e592 x86/static_call: Serialize __static_call_fixup() properly
> Plain log: https://storage.kernelci.org/stable-rc/queue/5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.txt
> HTML log: https://storage.kernelci.org/stable-rc/queue/5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.html
> Result: a02ac6ab73cc3 x86: Use return-thunk in asm code
>
> Checks:
> revert: PASS
> verify: PASS
>
> Parameters:
> Tree: stable-rc
> URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> Branch: queue/5.15
> Target: qemu_x86_64-uefi-mixed
> CPU arch: x86_64
> Lab: lab-baylibre
> Compiler: gcc-10
> Config: x86_64_defconfig
> Test case: baseline.login
>
> Breaking commit found:
>
> -------------------------------------------------------------------------------
> commit a02ac6ab73cc327552cb12e13b740e3c8a118bf6
> Author: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Date: Tue Jun 14 23:15:45 2022 +0200
>
> x86: Use return-thunk in asm code
>
> commit aa3d480315ba6c3025a60958e1981072ea37c3df upstream.
>
> Use the return thunk in asm code. If the thunk isn't needed, it will
> get patched into a RET instruction during boot by apply_returns().
>
> Since alternatives can't handle relocations outside of the first
> instruction, putting a 'jmp __x86_return_thunk' in one is not valid,
> therefore carve out the memmove ERMS path into a separate label and jump
> to it.
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Signed-off-by: Borislav Petkov <bp@xxxxxxx>
> Reviewed-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Signed-off-by: Borislav Petkov <bp@xxxxxxx>
> [cascardo: no RANDSTRUCT_CFLAGS]
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
> index a2dddcc189f69..c8891d3b38d30 100644
> --- a/arch/x86/entry/vdso/Makefile
> +++ b/arch/x86/entry/vdso/Makefile
> @@ -92,6 +92,7 @@ endif
> endif
>
> $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
> +$(vobjs): KBUILD_AFLAGS += -DBUILD_VDSO
>
> #
> # vDSO code runs in userspace and -pg doesn't help with profiling anyway.
> diff --git a/arch/x86/include/asm/linkage.h b/arch/x86/include/asm/linkage.h
> index 030907922bd07..d04e61c2f863c 100644
> --- a/arch/x86/include/asm/linkage.h
> +++ b/arch/x86/include/asm/linkage.h
> @@ -18,19 +18,27 @@
> #define __ALIGN_STR __stringify(__ALIGN)
> #endif
>
> +#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
> +#define RET jmp __x86_return_thunk
> +#else /* CONFIG_RETPOLINE */
> #ifdef CONFIG_SLS
> #define RET ret; int3
> #else
> #define RET ret
> #endif
> +#endif /* CONFIG_RETPOLINE */
>
> #else /* __ASSEMBLY__ */
>
> +#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
> +#define ASM_RET "jmp __x86_return_thunk\n\t"
> +#else /* CONFIG_RETPOLINE */
> #ifdef CONFIG_SLS
> #define ASM_RET "ret; int3\n\t"
> #else
> #define ASM_RET "ret\n\t"
> #endif
> +#endif /* CONFIG_RETPOLINE */
>
> #endif /* __ASSEMBLY__ */
>
> diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
> index 50ea390df7128..4b8ee3a2fcc37 100644
> --- a/arch/x86/lib/memmove_64.S
> +++ b/arch/x86/lib/memmove_64.S
> @@ -40,7 +40,7 @@ SYM_FUNC_START(__memmove)
> /* FSRM implies ERMS => no length checks, do the copy directly */
> .Lmemmove_begin_forward:
> ALTERNATIVE "cmp $0x20, %rdx; jb 1f", "", X86_FEATURE_FSRM
> - ALTERNATIVE "", __stringify(movq %rdx, %rcx; rep movsb; RET), X86_FEATURE_ERMS
> + ALTERNATIVE "", "jmp .Lmemmove_erms", X86_FEATURE_ERMS
>
> /*
> * movsq instruction have many startup latency
> @@ -206,6 +206,11 @@ SYM_FUNC_START(__memmove)
> movb %r11b, (%rdi)
> 13:
> RET
> +
> +.Lmemmove_erms:
> + movq %rdx, %rcx
> + rep movsb
> + RET
> SYM_FUNC_END(__memmove)
> SYM_FUNC_END_ALIAS(memmove)
> EXPORT_SYMBOL(__memmove)
> -------------------------------------------------------------------------------
>
>
> Git bisection log:
>
> -------------------------------------------------------------------------------
> git bisect start
> # good: [8bb7eca972ad531c9b149c0a51ab43a417385813] Linux 5.15
> git bisect good 8bb7eca972ad531c9b149c0a51ab43a417385813
> # bad: [a5f899726e5928dd5640ec76f6d35bbefc7d19b4] x86/static_call: Serialize __static_call_fixup() properly
> git bisect bad a5f899726e5928dd5640ec76f6d35bbefc7d19b4
> # good: [39738a2346b270e8f72f88d8856de2c167bd2899] ibmvnic: free reset-work-item when flushing
> git bisect good 39738a2346b270e8f72f88d8856de2c167bd2899
> # good: [11f5f236dbd6e685356e10f158e306e592cb70ff] kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
> git bisect good 11f5f236dbd6e685356e10f158e306e592cb70ff
> # good: [0b011b408f349e76f7903a477870051f94c7e119] tty: goldfish: Introduce gf_ioread32()/gf_iowrite32()
> git bisect good 0b011b408f349e76f7903a477870051f94c7e119
> # good: [f7fa3263079c55e2bbdcd5ff763c19b665e329ed] drm/msm: Fix double pm_runtime_disable() call
> git bisect good f7fa3263079c55e2bbdcd5ff763c19b665e329ed
> # good: [16b7cb2803bf088ed08e026f70fa9ac04f3c9800] memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash
> git bisect good 16b7cb2803bf088ed08e026f70fa9ac04f3c9800
> # good: [3b9f491386698a7e39680cb3c375e62d0cae457d] btrfs: fix use of uninitialized variable at rm device ioctl
> git bisect good 3b9f491386698a7e39680cb3c375e62d0cae457d
> # good: [445d1c4b5642518587808c59f0faec9b7b4d3fe2] x86/asm: Fix register order
> git bisect good 445d1c4b5642518587808c59f0faec9b7b4d3fe2
> # bad: [e9acb6c4a96ae59548659eca7d1c95e2ff892658] x86/bugs: Enable STIBP for JMP2RET
> git bisect bad e9acb6c4a96ae59548659eca7d1c95e2ff892658
> # good: [3319d4d152b047d01ddea3094f72d26e601a817b] x86/retpoline: Swizzle retpoline thunk
> git bisect good 3319d4d152b047d01ddea3094f72d26e601a817b
> # good: [ae13a2bad9d648d4ebf05511a9f606ca2fd27de3] x86/kvm: Fix SETcc emulation for return thunks
> git bisect good ae13a2bad9d648d4ebf05511a9f606ca2fd27de3
> # bad: [18de59c1eee14fcb121422919f51a47a449c812e] x86/entry: Avoid very early RET
> git bisect bad 18de59c1eee14fcb121422919f51a47a449c812e
> # good: [2c90fcb95d0ad54074480cf6b9c601348180da59] x86/sev: Avoid using __x86_return_thunk
> git bisect good 2c90fcb95d0ad54074480cf6b9c601348180da59
> # bad: [a02ac6ab73cc327552cb12e13b740e3c8a118bf6] x86: Use return-thunk in asm code
> git bisect bad a02ac6ab73cc327552cb12e13b740e3c8a118bf6
> # first bad commit: [a02ac6ab73cc327552cb12e13b740e3c8a118bf6] x86: Use return-thunk in asm code
> -------------------------------------------------------------------------------
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#29281): https://groups.io/g/kernelci-results/message/29281
> Mute This Topic: https://groups.io/mt/92361801/1131744
> Group Owner: kernelci-results+owner@xxxxxxxxx
> Unsubscribe: https://groups.io/g/kernelci-results/unsub [broonie@xxxxxxxxxx]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Attachment:
signature.asc
Description: PGP signature
