
Bug#659485: [ia64] [regression 2.6.38->2.6.39-rc1] application crashes and general instability since "futex: Sanitize cmpxchg_futex_value_locked API"



found 659485 linux-2.6/3.2.14-1
tags 659485 + patch upstream
quit

Hi Émeric,

Émeric Maschino wrote:

> [Subject: Problem solved]

Please keep in mind that these appear as emails in a crowded inbox,
so the subject line can be a good place to put valuable context.

> Tony Luck proposed a patch to fix this issue in
> https://bugzilla.kernel.org/show_bug.cgi?id=42757.
>
> Current Debian Testing kernel 3.2-14 locally rebuilt including this
> patch works as expected :-)

Thanks for testing.

I think the assembler constraints should be tweaked to indicate that
the asm block affects r8 so gcc can continue not to clobber r8 by
mistake as this code is updated, but that is neither here nor there.
Will follow up upstream.

The patch is in Tony Luck's "next" branch[1] and should be in
linux-next the next time Stephen builds it.  A patch against the
packaging repo that applies it is attached for convenience.  (See [2]
if you would like to test.)

Regards,
Jonathan

[1] git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux.git
[2] http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s4.2.5
or the corresponding page in the debian-kernel-handbook package

Index: debian/changelog
===================================================================
--- debian/changelog	(revision 18931)
+++ debian/changelog	(working copy)
@@ -1,3 +1,9 @@
+linux-2.6 (3.2.15-2) UNRELEASED; urgency=low
+
+  * [ia64] Fix futex_atomic_cmpxchg_inatomic (Closes: #659485)
+
+ -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 15 Apr 2012 17:58:29 -0500
+
 linux-2.6 (3.2.15-1) unstable; urgency=high
 
   * New upstream stable update:
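Review bot: the changelog entry "[ia64] Fix futex_atomic_cmpxchg_inatomic" does not say what was broken, so a reader skimming the changelog cannot tell a behaviour fix from a cleanup; the patch description gives the symptom, so spell it out, e.g. "[ia64] futex: Fix futex_atomic_cmpxchg_inatomic() returning 0 instead of -EFAULT on a faulting user address (Closes: #659485)". Naming the upstream commit (9d38e66bf07b) in the entry also makes it easy to spot when a later 3.2.y stable update carries the same change.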
Index: debian/patches/series/base
===================================================================
--- debian/patches/series/base	(revision 18931)
+++ debian/patches/series/base	(working copy)
@@ -87,6 +87,7 @@
 + bugfix/all/net-fix-proc-net-dev-regression.patch
 + bugfix/arm/ARM-orion5x-Fix-GPIO-enable-bits-for-MPP9.patch
 + bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch
++ bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
 
 # Update all Hyper-V drivers to 3.4-rc1 (no longer staging)
 + features/x86/hyperv/0001-NLS-improve-UTF8-UTF16-string-conversion-routine.patch
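Review bot: the added patch carries "Cc: <stable@vger.kernel.org> (v2.6.39+)", so the same commit is expected to arrive through a 3.2.y stable update; the entry in series/base should be dropped as soon as that update is merged, otherwise the patch will fail to apply (or apply twice) against the new upstream. The bugfix/ia64/ directory is new in this tree (the file is added at revision 0), so make sure it is actually added to the repository and not just present in the working copy.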
Index: debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
===================================================================
--- debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch	(revision 0)
+++ debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch	(working copy)
@@ -0,0 +1,49 @@
+From: Tony Luck <tony.luck@intel.com>
+Date: Fri, 13 Apr 2012 11:32:44 -0700
+Subject: [IA64] Fix futex_atomic_cmpxchg_inatomic()
+
+commit 9d38e66bf07b6e57c8e60767c454e1db9aac4484 upstream.
+
+Michel Lespinasse cleaned up the futex calling conventions in
+commit 37a9d912b24f96a0591773e6e6c3642991ae5a70
+    futex: Sanitize cmpxchg_futex_value_locked API
+
+But the ia64 implementation was subtly broken. Gcc does not know
+that register "r8" will be updated by the fault handler if the
+cmpxchg instruction takes an exception. So it feels safe in letting
+the initialization of r8 slide to after the cmpxchg. Result: we
+always return 0 whether the user address faulted or not.
+
+Fix by moving the initialization of r8 into the __asm__ code so
+gcc won't move it.
+
+Addresses https://bugzilla.kernel.org/show_bug.cgi?id=42757
+
+Reported-by: <emeric.maschino@gmail.com>
+Cc: <stable@vger.kernel.org> (v2.6.39+)
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+---
+ arch/ia64/include/asm/futex.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h
+index 8428525ddb22..71949a579e1e 100644
+--- a/arch/ia64/include/asm/futex.h
++++ b/arch/ia64/include/asm/futex.h
+@@ -107,10 +107,11 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ 		return -EFAULT;
+ 
+ 	{
+-		register unsigned long r8 __asm ("r8") = 0;
++		register unsigned long r8 __asm ("r8");
+ 		unsigned long prev;
+ 		__asm__ __volatile__(
+ 			"	mf;;					\n"
++			"	mov r8=r0				\n"
+ 			"	mov ar.ccv=%3;;				\n"
+ 			"[1:]	cmpxchg4.acq %0=[%1],%2,ar.ccv		\n"
+ 			"	.xdata4 \"__ex_table\", 1b-., 2f-.	\n"
+-- 
+1.7.10
+
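Review bot: the hunk in arch/ia64/include/asm/futex.h turns r8 from a zero-initialised register variable into an uninitialised one and does the zeroing with "mov r8=r0" inside the asm, but whether gcc now knows the asm writes r8 depends on the operand and clobber list, which is outside the lines shown; if r8 is only passed as an input, the compiler may still assume r8 is unchanged across the block (the same assumption the description blames for the bug), and the C-level variable is now read before being written. Confirm that r8 appears as an output or read-write operand (for example "+r" (r8)) or in the clobber list, which is the constraint tweak the cover mail already suggests sending upstream. The ordering within the asm is correct: "mov r8=r0" precedes the faulting cmpxchg4.acq at label 1, so a fault that resumes at label 2 (outside this hunk) and sets r8 overwrites the zero rather than the other way round, and the mov has no dependency on the following "mov ar.ccv=%3", so no extra stop bit is needed between them.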
