Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752229AbdHQKYn (ORCPT ); Thu, 17 Aug 2017 06:24:43 -0400
Received: from terminus.zytor.com ([65.50.211.136]:41793 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751055AbdHQKYm (ORCPT ); Thu, 17 Aug 2017 06:24:42 -0400
Date: Thu, 17 Aug 2017 03:19:04 -0700
From: tip-bot for Alexander Potapenko
Message-ID:
Cc: hpa@zytor.com, linux-kernel@vger.kernel.org, dvyukov@google.com, mingo@kernel.org, peterz@infradead.org, torvalds@linux-foundation.org, tglx@linutronix.de, kirill.shutemov@linux.intel.com, md@google.com, glider@google.com
Reply-To: tglx@linutronix.de, torvalds@linux-foundation.org, md@google.com, glider@google.com, kirill.shutemov@linux.intel.com, dvyukov@google.com, mingo@kernel.org, linux-kernel@vger.kernel.org, hpa@zytor.com, peterz@infradead.org
In-Reply-To: <20170816190808.131748-1-glider@google.com>
References: <20170816190808.131748-1-glider@google.com>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:x86/urgent] x86/boot/64/clang: Use fixup_pointer() to access 'next_early_pgt'
Git-Commit-ID: 187e91fe5e915f4b7f39b824aa422493463e443d
X-Mailer: tip-git-log-daemon
Robot-ID:
Robot-Unsubscribe: Contact to get blacklisted from these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2430
Lines: 57

Commit-ID: 187e91fe5e915f4b7f39b824aa422493463e443d
Gitweb: http://git.kernel.org/tip/187e91fe5e915f4b7f39b824aa422493463e443d
Author: Alexander Potapenko
AuthorDate: Wed, 16 Aug 2017 21:08:08 +0200
Committer: Ingo Molnar
CommitDate: Thu, 17 Aug 2017 09:53:00 +0200

x86/boot/64/clang: Use fixup_pointer() to access 'next_early_pgt'

__startup_64() is normally using fixup_pointer() to access globals in a position-independent fashion. However 'next_early_pgt' was accessed directly, which wasn't guaranteed to work.

Luckily GCC was generating a R_X86_64_PC32 PC-relative relocation for 'next_early_pgt', but Clang emitted a R_X86_64_32S, which led to accessing invalid memory and rebooting the kernel.

Signed-off-by: Alexander Potapenko Acked-by: Kirill A. Shutemov Cc: Dmitry Vyukov Cc: Kirill A. Shutemov Cc: Linus Torvalds Cc: Michael Davidson Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: c88d71508e36 ("x86/boot/64: Rewrite startup_64() in C") Link: http://lkml.kernel.org/r/20170816190808.131748-1-glider@google.com Signed-off-by: Ingo Molnar --- arch/x86/kernel/head64.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c index 46c3c73..9ba7954 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -53,6 +53,7 @@ void __head __startup_64(unsigned long physaddr) pudval_t *pud; pmdval_t *pmd, pmd_entry; int i; + unsigned int *next_pgt_ptr; /* Is the address too large? */ if (physaddr >> MAX_PHYSMEM_BITS) @@ -91,9 +92,9 @@ void __head __startup_64(unsigned long physaddr) * creates a bunch of nonsense entries but that is fine -- * it avoids problems around wraparound. */ - - pud = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr); - pmd = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr); + next_pgt_ptr = fixup_pointer(&next_early_pgt, physaddr); + pud = fixup_pointer(early_dynamic_pgts[(*next_pgt_ptr)++], physaddr); + pmd = fixup_pointer(early_dynamic_pgts[(*next_pgt_ptr)++], physaddr); if (IS_ENABLED(CONFIG_X86_5LEVEL)) { p4d = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr);
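
Review bot: The new declaration in the first hunk, `unsigned int *next_pgt_ptr;`, hard-codes the pointee type of 'next_early_pgt', whose own declaration is outside the visible context. Please confirm the two match. The result of fixup_pointer() is assigned without a cast in the second hunk, so a width mismatch may not be diagnosed, and `(*next_pgt_ptr)++` would then read and write the wrong number of bytes.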
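
Review bot: The trailing context of the second hunk still has a direct access to the global, in the `if (IS_ENABLED(CONFIG_X86_5LEVEL))` branch: `p4d = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr);`. That is the same pattern the commit message says is not guaranteed to work, so a CONFIG_X86_5LEVEL build with Clang could still hit the R_X86_64_32S access. Suggest using `(*next_pgt_ptr)++` there as well, since `next_pgt_ptr` is already set up before the branch. Separately, the hunk drops the blank line between the closing `*/` of the comment and the first statement; that is cosmetic, but the unrelated whitespace change could be left out of an urgent fix.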