linux/arch/x86
Andi Kleen e0a96129db x86: use early clobbers in usercopy*.c
Impact: fix rare (but currently harmless) miscompile with certain configs and gcc versions

Hugh Dickins noticed that strncpy_from_user() was miscompiled
in some circumstances with gcc 4.3.

Thanks to Hugh's excellent analysis it was easy to track down.

Hugh writes:

> Try building an x86_64 defconfig 2.6.29-rc1 kernel tree,
> except not quite defconfig, switch CONFIG_PREEMPT_NONE=y
> and CONFIG_PREEMPT_VOLUNTARY off (because it expands a
> might_fault() there, which hides the issue): using a
> gcc 4.3.2 (I've checked both openSUSE 11.1 and Fedora 10).
>
> It generates the following:
>
> 0000000000000000 <__strncpy_from_user>:
>    0:   48 89 d1                mov    %rdx,%rcx
>    3:   48 85 c9                test   %rcx,%rcx
>    6:   74 0e                   je     16 <__strncpy_from_user+0x16>
>    8:   ac                      lods   %ds:(%rsi),%al
>    9:   aa                      stos   %al,%es:(%rdi)
>    a:   84 c0                   test   %al,%al
>    c:   74 05                   je     13 <__strncpy_from_user+0x13>
>    e:   48 ff c9                dec    %rcx
>   11:   75 f5                   jne    8 <__strncpy_from_user+0x8>
>   13:   48 29 c9                sub    %rcx,%rcx
>   16:   48 89 c8                mov    %rcx,%rax
>   19:   c3                      retq
>
> Observe that "sub %rcx,%rcx; mov %rcx,%rax", whereas gcc 4.2.1
> (and many other configs) say "sub %rcx,%rdx; mov %rdx,%rax".
> Isn't it returning 0 when it ought to be returning strlen?

The asm constraints for the strncpy_from_user() result were missing an
early clobber, which tells gcc that the last output arguments
are written before all input arguments are read.

Also add more early clobbers in the rest of the file and fix 32-bit
usercopy.c in the same way.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
[ since this API is rarely used and no in-kernel user relies on a 'len'
  return value (they only rely on negative return values) this miscompile
  was never noticed in the field. But it's worth fixing it nevertheless. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-01-21 09:43:17 +01:00
..
boot Merge branches 'x86/apic', 'x86/cleanups', 'x86/cpufeature', 'x86/crashdump', 'x86/debug', 'x86/defconfig', 'x86/detect-hyper', 'x86/doc', 'x86/dumpstack', 'x86/early-printk', 'x86/fpu', 'x86/idle', 'x86/io', 'x86/memory-corruption-check', 'x86/microcode', 'x86/mm', 'x86/mtrr', 'x86/nmi-watchdog', 'x86/pat2', 'x86/pci-ioapic-boot-irq-quirks', 'x86/ptrace', 'x86/quirks', 'x86/reboot', 'x86/setup-memory', 'x86/signal', 'x86/sparse-fixes', 'x86/time', 'x86/uv' and 'x86/xen' into x86/core 2008-12-23 16:27:23 +01:00
configs x86: revert CONFIG_RELOCATABLE=y defconfig change 2008-12-18 20:57:29 +01:00
crypto crypto: crc32c-intel - Switch to shash 2008-12-25 11:01:37 +11:00
ia32 x86: introducing asm/sys_ia32.h 2008-12-29 13:18:40 +01:00
include/asm x86: fix assumed to be contiguous leaf page tables for kmap_atomic region (take 2) 2009-01-16 13:47:04 +01:00
kernel fix: crash: IP: __bitmap_intersects+0x48/0x73 2009-01-20 00:17:01 +01:00
kvm KVM: change KVM to use IOMMU API 2009-01-03 14:11:07 +01:00
lguest Merge branch 'cpus4096-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-01-02 11:44:09 -08:00
lib x86: use early clobbers in usercopy*.c 2009-01-21 09:43:17 +01:00
mach-default x86: mach-default setup.c cleanups 2008-12-29 13:18:39 +01:00
mach-generic x86: rename all fields of mpc_table mpc_X to X 2009-01-05 14:08:34 +01:00
mach-rdc321x removed unused #include <linux/version.h>'s 2008-08-23 12:14:12 -07:00
mach-voyager x86: cleanup some remaining usages of NR_CPUS where s/b nr_cpu_ids 2009-01-03 19:00:55 +01:00
math-emu
mm x86: remove kernel_physical_mapping_init() from init section 2009-01-20 00:31:43 +01:00
oprofile Merge branch 'oprofile/ring_buffer' into oprofile/oprofile-for-tip 2009-01-08 14:27:34 +01:00
pci x86/PCI: Do not use interrupt links for devices using MSI-X 2009-01-07 11:13:25 -08:00
power x86, hibernate: fix breakage on x86_32 with CONFIG_NUMA set 2008-11-12 23:28:51 +01:00
scripts allow stripping of generated symbols under CONFIG_KALLSYMS_ALL 2008-12-19 22:47:10 +01:00
vdso Merge branch 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6 2008-12-28 12:33:21 -08:00
video
xen Merge branch 'cputime' of git://git390.osdl.marist.edu/pub/scm/linux-2.6 2009-01-03 11:56:24 -08:00
Kconfig x86: offer frame pointers in all build modes 2009-01-07 11:18:59 +01:00
Kconfig.cpu X86_DEBUGCTLMSR won't work on uml 2009-01-05 17:41:45 -08:00
Kconfig.debug Merge branch 'tracing-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-28 12:21:10 -08:00
Makefile x86, um: ... and asm-x86 move 2008-10-22 22:55:20 -07:00
Makefile_32.cpu x86: merge winchip-2 and winchip-2a cpu choices 2008-10-13 10:22:48 +02:00