From: Matthias Kaehlcke
To: Andrey Rybainin
Cc: Josh Poimboeuf, Chris J Arges, Borislav Petkov, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, Linux Kernel Mailing List, Douglas Anderson, Michael Davidson, Greg Hackmann, Nick Desaulniers, Stephen Hines, Kees Cook, Arnd Bergmann, Bernhard Rosenkränzer
Date: Thu, 13 Jul 2017 14:43:26 -0700
Subject: Re: [PATCH] Revert "x86/uaccess: Add stack frame output operand in get_user() inline asm"
Message-ID: <20170713214326.GI95735@google.com>
References: <20170712221242.puv5illztsla4nph@treble> <20170712222040.GD95735@google.com> <20170712223547.fyra43dizqooosbs@treble> <20170712223630.gb237t4vhrqeu5zd@treble> <20170712232213.GE95735@google.com> <20170713180001.mvwzdmudht56hdk5@treble> <20170713184748.GF95735@google.com> <75850bb7-a60e-057d-d88b-afa0c79e94a0@gmail.com> <20170713211414.GH95735@google.com>
List: linux-kernel@vger.kernel.org

On Fri, Jul 14, 2017 at 12:25:42AM +0300, Andrey Rybainin said:

> 
> 
> On 07/14/2017 12:14 AM, Matthias Kaehlcke wrote:
> > On Thu, Jul 13, 2017 at 11:20:04PM +0300, Andrey Rybainin said:
> > 
> >> On 07/13/2017 09:47 PM, Matthias Kaehlcke wrote:
> >> 
> >>> Thanks for your analysis!
> >>> 
> >>>> What happens if you try the below patch instead of the revert? Any
> >>>> chance the offending instruction goes away?
> >>>> 
> >>>> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> >>>> index 11433f9..beac907 100644
> >>>> --- a/arch/x86/include/asm/uaccess.h
> >>>> +++ b/arch/x86/include/asm/uaccess.h
> >>>> @@ -171,7 +171,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) > >>>> might_fault(); \ > >>>> asm volatile("call __get_user_%P4" \ > >>>> : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp) \ > >>>> - : "0" (ptr), "i" (sizeof(*(ptr)))); \ > >>>> + : "0" (ptr), "i" (sizeof(*(ptr))), "r" (__sp)); \ > >>>> (x) = (__force __typeof__(*(ptr))) __val_gu; \ > >>>> __builtin_expect(__ret_gu, 0); \ > >>>> })
> >>> 
> >>> The generated code is basically the same, only that now the value from
> >>> the stack is stored in a register and written twice to RSP:
> >>> 
> >> 
> >> AFAIR clang works much better with global named registers.
> >> Could you check if the patch below helps?
> >> 
> >> 
> >> ---
> >> arch/x86/include/asm/uaccess.h | 7 +++++--
> >> 1 file changed, 5 insertions(+), 2 deletions(-)
> >> 
> >> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> >> index a059aac9e937..121204387978 100644
> >> --- a/arch/x86/include/asm/uaccess.h
> >> +++ b/arch/x86/include/asm/uaccess.h
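Review bot: in the get_user() hunk of the first patch quoted above (the `@@ -171,7 +171,7 @@` hunk that replaces `: "0" (ptr), "i" (sizeof(*(ptr))));` with `: "0" (ptr), "i" (sizeof(*(ptr))), "r" (__sp));`), `__sp` is already passed to the asm as the read-write operand `"+r" (__sp)` on the unchanged line above, so the added `"r" (__sp)` input only asks the compiler to materialise the same stack-pointer value in a second register; that is consistent with the result reported right after the hunk (the value is stored in a register and written twice to RSP) and does not remove the stack write, so the extra input should be dropped rather than kept as a workaround. One thing the hunk does get right: the new operand is appended after `"i" (sizeof(*(ptr)))`, so operand 4 named by `call __get_user_%P4` is still the size operand; any future edit that inserts an operand before it has to renumber that `%P4`.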
> >> @@ -157,15 +157,18 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) > >> * Clang/LLVM cares about the size of the register, but still wants > >> * the base register for something that ends up being a pair. > >> */ > >> + > >> +register unsigned long __current_sp asm(_ASM_SP); > >> + > >> #define get_user(x, ptr) \ > >> ({ \ > >> int __ret_gu; \ > >> register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \ > >> - register void *__sp asm(_ASM_SP); \ > >> __chk_user_ptr(ptr); \ > >> might_fault(); \ > >> asm volatile("call __get_user_%P4" \ > >> - : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp) \ > >> + : "=a" (__ret_gu), "=r" (__val_gu), \ > >> + "+r" (__current_sp) \ > >> : "0" (ptr), "i" (sizeof(*(ptr)))); \ > >> (x) = (__force __typeof__(*(ptr))) __val_gu; \ > >> __builtin_expect(__ret_gu, 0); \
> > 
> > Thanks for the suggestion, however it fails to build with both gcc and clang:
> > 
> > fs/ioctl.c:585:6: error: use of undeclared identifier '__current_sp'
> > if (get_user(count, &argp->dest_count)) {
> > ^
> > arch/x86/include/asm/uaccess.h:168:16: note: expanded from macro 'get_user'
> > "+r" (__current_sp)
> > \
> > 
> > The references I found refer to __current_sp as an intrinsic function
> > for ARM32.
> 
> What? __current_sp is declared right above get_user() as "register unsigned long __current_sp asm(_ASM_SP);"
> Did you actually apply my patch, or did you just modify the code yourself and miss
> "register unsigned long __current_sp asm(_ASM_SP);" ?

Indeed, since the patch is only a few lines and I had the function already open in the editor, it seemed easier to change the affected lines than to apply the patch, and I missed the definition <:‑|

After adding the missing line the code builds with clang and the stack pointer is not corrupted.
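Review bot: in the `@@ -157,15 +157,18 @@` hunk of the second patch quoted above, the new file-scope `+register unsigned long __current_sp asm(_ASM_SP);` lands between the comment block ending "the base register for something that ends up being a pair." and `#define get_user(x, ptr)`, so the comment that documents get_user() now introduces an unrelated declaration; put the declaration above that comment block and give it a one-line comment of its own saying why a global named register replaces the per-macro `register void *__sp asm(_ASM_SP);` that the hunk removes (the clang stack-pointer corruption this thread is about), otherwise a later reader cannot tell why the local form was not good enough. The name is also worth reconsidering: as the reply following the hunk notes, `__current_sp` is known as an ARM32 compiler intrinsic, and a name that does not collide with it (for instance `current_stack_pointer`) avoids the confusion that reply shows. Finally, the first build attempt in this thread (`error: use of undeclared identifier '__current_sp'`) is exactly what any other inline-asm call site converted to `"+r" (__current_sp)` will hit if it is ever moved to a header that does not include this declaration, which is another reason to keep the declaration next to a comment explaining it.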
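The pattern the second patch introduces, as an added user-space example that is not code from this thread or from the kernel: a file-scope named register variable bound to the stack pointer, used as the read-write operand of an inline `call` so the compiler knows the asm touches %rsp. `demo_get_user_4` is a stand-in helper with a hypothetical name that follows the convention visible in the quoted macro (pointer in %rax, value back in %rdx, error code in %rax); it models a fault as a NULL pointer returning -EFAULT instead of the kernel's address-limit check and fixup table. The 128-byte stack adjustment exists only because user-space compilers may keep leaf-function locals in the red zone below %rsp, which the kernel disables with -mno-red-zone. x86-64 Linux with gcc or clang is assumed.

```c
/*
 * Added example (not code from the thread or the kernel): a user-space model
 * of the get_user() inline asm using a file-scope named register variable
 * for the stack pointer, the form proposed in the second patch above.
 * Assumes x86-64 Linux and GNU-style inline asm (gcc or clang).
 */
#include <stddef.h>
#include <stdio.h>

#if !defined(__x86_64__)
#error "this example models x86-64 inline asm and only builds there"
#endif

/* File-scope named register bound to the stack pointer. The kernel header
 * spells the register through _ASM_SP; "rsp" is the x86-64 name. */
register unsigned long __current_sp __asm__("rsp");

/*
 * Stand-in for the kernel's __get_user_4 helper (hypothetical name), using
 * the same convention: pointer in %rax, value returned in %rdx, error code
 * returned in %rax. A NULL pointer models the fault path and returns
 * -EFAULT (EFAULT is 14 on Linux). No .globl, so the symbol stays private
 * to this translation unit.
 */
__asm__(
    ".pushsection .text\n"
    "demo_get_user_4:\n"
    "    testq %rax, %rax\n"
    "    jz    1f\n"
    "    movl  (%rax), %edx\n"      /* zero-extends the value into %rdx */
    "    xorl  %eax, %eax\n"        /* 0: success */
    "    ret\n"
    "1:  movq  $-14, %rax\n"        /* -EFAULT */
    "    xorl  %edx, %edx\n"
    "    ret\n"
    ".popsection\n");

/*
 * Model of the kernel get_user() macro. "+r" (__current_sp) tells the
 * compiler the asm reads and writes the stack pointer, so it has to set up
 * a real stack frame around the call; that operand is the one this thread
 * is about. The subq/addq pair steps over the 128-byte red zone that
 * user-space compilers may use in leaf functions; the kernel builds with
 * -mno-red-zone and its macro does not need it. The value register is an
 * unsigned long here instead of the kernel's __inttype(*(ptr)).
 */
#define demo_get_user(x, ptr)                                               \
({                                                                          \
    long __ret_gu;                                                          \
    register unsigned long __val_gu __asm__("rdx");                         \
    __asm__ __volatile__("subq $128, %%rsp\n\t"                             \
                         "call demo_get_user_4\n\t"                         \
                         "addq $128, %%rsp"                                 \
                         : "=a" (__ret_gu), "=r" (__val_gu),                \
                           "+r" (__current_sp)                              \
                         : "0" (ptr)                                        \
                         : "memory", "cc");                                 \
    (x) = (__typeof__(*(ptr))) __val_gu;                                    \
    (int) __ret_gu;                                                         \
})

/* Fetch a 32-bit word through the macro: the value on success, otherwise
 * the negative error code the helper returned. */
long demo_read_word(const unsigned int *p)
{
    unsigned int v = 0;
    int err = demo_get_user(v, p);

    return err ? (long) err : (long) v;
}

/* Constructed input: a local word standing in for a user-space buffer. */
long demo_read_constructed(void)
{
    unsigned int word = 0xdeadbeefu;

    return demo_read_word(&word);
}

/* The fault path: NULL is what the stand-in helper treats as a bad pointer. */
long demo_read_null(void)
{
    return demo_read_word(NULL);
}

int main(void)
{
    printf("word: 0x%lx\n", demo_read_constructed());   /* prints 0xdeadbeef */
    printf("null: %ld\n", demo_read_null());            /* prints -14 */
    return 0;
}
```

A stack pointer corrupted in the way the thread describes would surface here as a crash on return from demo_read_word rather than as a wrong value, so the checks are on the helper's results; building at any optimisation level works because the asm itself reserves the red-zone space it needs.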