From 84ed30538b5d9a29a9612b93dd0a45d561624f82 Mon Sep 17 00:00:00 2001 From: Marc Gauthier Date: Mon, 15 Oct 2012 03:55:35 +0400 Subject: xtensa: copy_thread with CLONE_VM must not copy live parent AR windows When doing a fork (new VM), the new task has a mirror image of the parent's stack, so keeps the same live register windows etc. However when doing a clone with CLONE_VM, keeping the same VM (eg. when creating a new thread), the child starts afresh on a new stack -- it cannot share any part of the parent stack. It especially cannot have the same live AR windows as the parent, otherwise it will overwrite the parent stack on overflow, likely causing corruption. (and so it did...) Effectively, the register windows need to be spilled. Turns out it's much easier to simply not copy parent register windows when CLONE_VM is set. Signed-off-by: Marc Gauthier Signed-off-by: Max Filippov Signed-off-by: Chris Zankel --- arch/xtensa/kernel/process.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) (limited to 'arch/xtensa/kernel/process.c') diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index bc020825cce5..7901ee76b9be 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -173,6 +173,16 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) * * Note: This is a pristine frame, so we don't need any spill region on top of * childregs. + * + * The fun part: if we're keeping the same VM (i.e. cloning a thread, + * not an entire process), we're normally given a new usp, and we CANNOT share + * any live address register windows. If we just copy those live frames over, + * the two threads (parent and child) will overflow the same frames onto the + * parent stack at different times, likely corrupting the parent stack (esp. + * if the parent returns from functions that called clone() and calls new + * ones, before the child overflows its now old copies of its parent windows). + * One solution is to spill windows to the parent stack, but that's fairly + * involved. Much simpler to just not copy those live frames across. */ int copy_thread(unsigned long clone_flags, unsigned long usp, @@ -191,13 +201,14 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, else childregs = (struct pt_regs*)tos - 1; + /* This does not copy all the regs. In a bout of brilliance or madness, + ARs beyond a0-a15 exist past the end of the struct. */ *childregs = *regs; /* Create a call4 dummy-frame: a0 = 0, a1 = childregs. */ *((int*)childregs - 3) = (unsigned long)childregs; *((int*)childregs - 4) = 0; - childregs->areg[1] = tos; childregs->areg[2] = 0; p->set_child_tid = p->clear_child_tid = NULL; p->thread.ra = MAKE_RA_FOR_CALL((unsigned long)ret_from_fork, 0x1); @@ -205,10 +216,14 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, if (user_mode(regs)) { - int len = childregs->wmask & ~0xf; childregs->areg[1] = usp; - memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], - ®s->areg[XCHAL_NUM_AREGS - len/4], len); + if (clone_flags & CLONE_VM) { + childregs->wmask = 1; /* can't share live windows */ + } else { + int len = childregs->wmask & ~0xf; + memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], + ®s->areg[XCHAL_NUM_AREGS - len/4], len); + } // FIXME: we need to set THREADPTR in thread_info... if (clone_flags & CLONE_SETTLS) childregs->areg[2] = childregs->areg[6]; @@ -216,6 +231,7 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, } else { /* In kernel space, we start a new thread with a new stack. */ childregs->wmask = 1; + childregs->areg[1] = tos; } #if (XTENSA_HAVE_COPROCESSORS || XTENSA_HAVE_IO_PORTS) -- cgit v1.2.3 From 39070cb8a39a84f3379dd8d1dab489e06f3a50a7 Mon Sep 17 00:00:00 2001 From: Chris Zankel Date: Wed, 17 Oct 2012 23:08:20 -0700 Subject: xtensa: minor compiler warning fix Fix two compiler warnings complaining about truncating a value on a 64-bit host, and about declaring an unused variable that is only used for a specific configuration. Signed-off-by: Chris Zankel --- arch/xtensa/kernel/entry.S | 2 +- arch/xtensa/kernel/process.c | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'arch/xtensa/kernel/process.c') diff --git a/arch/xtensa/kernel/entry.S b/arch/xtensa/kernel/entry.S index 30b5c5f7b7eb..18453067c258 100644 --- a/arch/xtensa/kernel/entry.S +++ b/arch/xtensa/kernel/entry.S @@ -1542,7 +1542,7 @@ ENTRY(fast_second_level_miss) * pteval = ((pmdval - PAGE_OFFSET) & PAGE_MASK) | PAGE_DIRECTORY */ - movi a1, -PAGE_OFFSET + movi a1, (-PAGE_OFFSET) & 0xffffffff add a0, a0, a1 # pmdval - PAGE_OFFSET extui a1, a0, 0, PAGE_SHIFT # ... & PAGE_MASK xor a0, a0, a1 diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index 7901ee76b9be..1908f6642d31 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -190,10 +190,13 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, struct task_struct * p, struct pt_regs * regs) { struct pt_regs *childregs; - struct thread_info *ti; unsigned long tos; int user_mode = user_mode(regs); +#if (XTENSA_HAVE_COPROCESSORS || XTENSA_HAVE_IO_PORTS) + struct thread_info *ti; +#endif + /* Set up new TSS. */ tos = (unsigned long)task_stack_page(p) + THREAD_SIZE; if (user_mode) -- cgit v1.2.3 From 6ebe7da25b7879194fdb5c43ea67b383dd9014d6 Mon Sep 17 00:00:00 2001 From: Chris Zankel Date: Wed, 24 Oct 2012 13:15:21 -0700 Subject: xtensa: reset windowbase/windowstart when cloning the VM When we copy a user thread with CLONE_VM, we also have to reset windowbase and windowstart to start a pristine stack frame. Otherwise, overflows can happen using the address 0 as the stack pointer. Also add a special case for vfork, which continues on the parent stack until it calls execve. Because this could be a call8, we need to spill the stack pointer of the previus frame (if still 'live' in the register file). Signed-off-by: Chris Zankel --- arch/xtensa/kernel/process.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'arch/xtensa/kernel/process.c') diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index 1908f6642d31..341c151af919 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -220,8 +220,32 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, if (user_mode(regs)) { childregs->areg[1] = usp; + + /* When sharing memory with the parent thread, the child + usually starts on a pristine stack, so we have to reset + windowbase, windowstart and wmask. + (Note that such a new thread is required to always create + an initial call4 frame) + The exception is vfork, where the new thread continues to + run on the parent's stack until it calls execve. This could + be a call8 or call12, which requires a legal stack frame + of the previous caller for the overflow handlers to work. + (Note that it's always legal to overflow live registers). + In this case, ensure to spill at least the stack pointer + of that frame. */ + if (clone_flags & CLONE_VM) { - childregs->wmask = 1; /* can't share live windows */ + /* check that caller window is live and same stack */ + int len = childregs->wmask & ~0xf; + if (regs->areg[1] == usp && len != 0) { + int callinc = (regs->areg[0] >> 30) & 3; + int caller_ars = XCHAL_NUM_AREGS - callinc * 4; + put_user(regs->areg[caller_ars+1], + (unsigned __user*)(usp - 12)); + } + childregs->wmask = 1; + childregs->windowstart = 1; + childregs->windowbase = 0; } else { int len = childregs->wmask & ~0xf; memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], -- cgit v1.2.3 From 3306a72669a2af23b324540b08e68e82ac5b7dab Mon Sep 17 00:00:00 2001 From: Max Filippov Date: Thu, 25 Oct 2012 11:10:50 +0400 Subject: xtensa: switch to generic kernel_thread() Signed-off-by: Max Filippov Signed-off-by: Chris Zankel --- arch/xtensa/Kconfig | 1 + arch/xtensa/include/asm/processor.h | 4 +- arch/xtensa/kernel/entry.S | 41 +++++++------------- arch/xtensa/kernel/process.c | 77 ++++++++++++++++++++++--------------- arch/xtensa/kernel/xtensa_ksyms.c | 1 - 5 files changed, 61 insertions(+), 63 deletions(-) (limited to 'arch/xtensa/kernel/process.c') diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig index cdcb48adee4c..9525b70a13a1 100644 --- a/arch/xtensa/Kconfig +++ b/arch/xtensa/Kconfig @@ -13,6 +13,7 @@ config XTENSA select GENERIC_CPU_DEVICES select MODULES_USE_ELF_RELA select GENERIC_PCI_IOMAP + select GENERIC_KERNEL_THREAD select ARCH_WANT_OPTIONAL_GPIOLIB help Xtensa processors are 32-bit RISC machines designed by Tensilica diff --git a/arch/xtensa/include/asm/processor.h b/arch/xtensa/include/asm/processor.h index 5c371d8d4528..2d630e7399ca 100644 --- a/arch/xtensa/include/asm/processor.h +++ b/arch/xtensa/include/asm/processor.h @@ -152,6 +152,7 @@ struct thread_struct { /* Clearing a0 terminates the backtrace. */ #define start_thread(regs, new_pc, new_sp) \ + memset(regs, 0, sizeof(*regs)); \ regs->pc = new_pc; \ regs->ps = USER_PS_VALUE; \ regs->areg[1] = new_sp; \ @@ -168,9 +169,6 @@ struct mm_struct; /* Free all resources held by a thread. */ #define release_thread(thread) do { } while(0) -/* Create a kernel thread without removing it from tasklists */ -extern int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags); - /* Copy and release all segment info associated with a VM */ #define copy_segments(p, mm) do { } while(0) #define release_segments(mm) do { } while(0) diff --git a/arch/xtensa/kernel/entry.S b/arch/xtensa/kernel/entry.S index 18453067c258..d4ec1381aebc 100644 --- a/arch/xtensa/kernel/entry.S +++ b/arch/xtensa/kernel/entry.S @@ -1832,34 +1832,6 @@ ENTRY(system_call) retw -/* - * Create a kernel thread - * - * int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) - * a2 a2 a3 a4 - */ - -ENTRY(kernel_thread) - entry a1, 16 - - mov a5, a2 # preserve fn over syscall - mov a7, a3 # preserve args over syscall - - movi a3, _CLONE_VM | _CLONE_UNTRACED - movi a2, __NR_clone - or a6, a4, a3 # arg0: flags - mov a3, a1 # arg1: sp - syscall - - beq a3, a1, 1f # branch if parent - mov a6, a7 # args - callx4 a5 # fn(args) - - movi a2, __NR_exit - syscall # return value of fn(args) still in a6 - -1: retw - /* * Do a system call from kernel instead of calling sys_execve, so we end up * with proper pt_regs. @@ -1958,3 +1930,16 @@ ENTRY(ret_from_fork) j common_exception_return +/* + * Kernel thread creation helper + * On entry, set up by copy_thread: a2 = thread_fn, a3 = thread_fn arg + * left from _switch_to: a6 = prev + */ +ENTRY(ret_from_kernel_thread) + + call4 schedule_tail + mov a6, a3 + callx4 a2 + call4 do_exit + +ENDPROC(ret_from_kernel_thread) diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index 341c151af919..be52fe437c1b 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -45,6 +45,7 @@ #include extern void ret_from_fork(void); +extern void ret_from_kernel_thread(void); struct task_struct *current_set[NR_CPUS] = {&init_task, }; @@ -158,18 +159,30 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) /* * Copy thread. * + * There are two modes in which this function is called: + * 1) Userspace thread creation, + * regs != NULL, usp_thread_fn is userspace stack pointer. + * It is expected to copy parent regs (in case CLONE_VM is not set + * in the clone_flags) and set up passed usp in the childregs. + * 2) Kernel thread creation, + * regs == NULL, usp_thread_fn is the function to run in the new thread + * and thread_fn_arg is its parameter. + * childregs are not used for the kernel threads. + * * The stack layout for the new thread looks like this: * - * +------------------------+ <- sp in childregs (= tos) + * +------------------------+ * | childregs | * +------------------------+ <- thread.sp = sp in dummy-frame * | dummy-frame | (saved in dummy-frame spill-area) * +------------------------+ * - * We create a dummy frame to return to ret_from_fork: - * a0 points to ret_from_fork (simulating a call4) + * We create a dummy frame to return to either ret_from_fork or + * ret_from_kernel_thread: + * a0 points to ret_from_fork/ret_from_kernel_thread (simulating a call4) * sp points to itself (thread.sp) - * a2, a3 are unused. + * a2, a3 are unused for userspace threads, + * a2 points to thread_fn, a3 holds thread_fn arg for kernel threads. * * Note: This is a pristine frame, so we don't need any spill region on top of * childregs. @@ -185,41 +198,37 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) * involved. Much simpler to just not copy those live frames across. */ -int copy_thread(unsigned long clone_flags, unsigned long usp, - unsigned long unused, - struct task_struct * p, struct pt_regs * regs) +int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, + unsigned long thread_fn_arg, + struct task_struct *p, struct pt_regs *unused) { - struct pt_regs *childregs; - unsigned long tos; - int user_mode = user_mode(regs); + struct pt_regs *childregs = task_pt_regs(p); #if (XTENSA_HAVE_COPROCESSORS || XTENSA_HAVE_IO_PORTS) struct thread_info *ti; #endif - /* Set up new TSS. */ - tos = (unsigned long)task_stack_page(p) + THREAD_SIZE; - if (user_mode) - childregs = (struct pt_regs*)(tos - PT_USER_SIZE); - else - childregs = (struct pt_regs*)tos - 1; - - /* This does not copy all the regs. In a bout of brilliance or madness, - ARs beyond a0-a15 exist past the end of the struct. */ - *childregs = *regs; - /* Create a call4 dummy-frame: a0 = 0, a1 = childregs. */ *((int*)childregs - 3) = (unsigned long)childregs; *((int*)childregs - 4) = 0; - childregs->areg[2] = 0; - p->set_child_tid = p->clear_child_tid = NULL; - p->thread.ra = MAKE_RA_FOR_CALL((unsigned long)ret_from_fork, 0x1); p->thread.sp = (unsigned long)childregs; - if (user_mode(regs)) { + if (!(p->flags & PF_KTHREAD)) { + struct pt_regs *regs = current_pt_regs(); + unsigned long usp = usp_thread_fn ? + usp_thread_fn : regs->areg[1]; + + p->thread.ra = MAKE_RA_FOR_CALL( + (unsigned long)ret_from_fork, 0x1); + /* This does not copy all the regs. + * In a bout of brilliance or madness, + * ARs beyond a0-a15 exist past the end of the struct. + */ + *childregs = *regs; childregs->areg[1] = usp; + childregs->areg[2] = 0; /* When sharing memory with the parent thread, the child usually starts on a pristine stack, so we have to reset @@ -254,11 +263,19 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, // FIXME: we need to set THREADPTR in thread_info... if (clone_flags & CLONE_SETTLS) childregs->areg[2] = childregs->areg[6]; - } else { - /* In kernel space, we start a new thread with a new stack. */ - childregs->wmask = 1; - childregs->areg[1] = tos; + p->thread.ra = MAKE_RA_FOR_CALL( + (unsigned long)ret_from_kernel_thread, 1); + + /* pass parameters to ret_from_kernel_thread: + * a2 = thread_fn, a3 = thread_fn arg + */ + *((int *)childregs - 1) = thread_fn_arg; + *((int *)childregs - 2) = usp_thread_fn; + + /* Childregs are only used when we're going to userspace + * in which case start_thread will set them up. + */ } #if (XTENSA_HAVE_COPROCESSORS || XTENSA_HAVE_IO_PORTS) @@ -354,8 +371,6 @@ long xtensa_clone(unsigned long clone_flags, unsigned long newsp, void __user *child_tid, long a5, struct pt_regs *regs) { - if (!newsp) - newsp = regs->areg[1]; return do_fork(clone_flags, newsp, regs, 0, parent_tid, child_tid); } diff --git a/arch/xtensa/kernel/xtensa_ksyms.c b/arch/xtensa/kernel/xtensa_ksyms.c index a8b9f1fd1e17..afe058b24e6e 100644 --- a/arch/xtensa/kernel/xtensa_ksyms.c +++ b/arch/xtensa/kernel/xtensa_ksyms.c @@ -43,7 +43,6 @@ EXPORT_SYMBOL(__strncpy_user); EXPORT_SYMBOL(clear_page); EXPORT_SYMBOL(copy_page); -EXPORT_SYMBOL(kernel_thread); EXPORT_SYMBOL(empty_zero_page); /* -- cgit v1.2.3 From dc241f2c1761bfdec85915f4bbf7e750663f3442 Mon Sep 17 00:00:00 2001 From: Max Filippov Date: Thu, 25 Oct 2012 11:10:52 +0400 Subject: xtensa: switch to generic sys_execve() Signed-off-by: Max Filippov Signed-off-by: Chris Zankel --- arch/xtensa/include/asm/syscall.h | 2 +- arch/xtensa/include/asm/unistd.h | 1 + arch/xtensa/include/uapi/asm/unistd.h | 2 +- arch/xtensa/kernel/process.c | 25 ------------------------- 4 files changed, 3 insertions(+), 27 deletions(-) (limited to 'arch/xtensa/kernel/process.c') diff --git a/arch/xtensa/include/asm/syscall.h b/arch/xtensa/include/asm/syscall.h index c1dacca312f3..124aeee0d381 100644 --- a/arch/xtensa/include/asm/syscall.h +++ b/arch/xtensa/include/asm/syscall.h @@ -10,7 +10,7 @@ struct pt_regs; struct sigaction; -asmlinkage long xtensa_execve(char*, char**, char**, struct pt_regs*); +asmlinkage long sys_execve(char*, char**, char**, struct pt_regs*); asmlinkage long xtensa_clone(unsigned long, unsigned long, struct pt_regs*); asmlinkage long xtensa_ptrace(long, long, long, long); asmlinkage long xtensa_sigreturn(struct pt_regs*); diff --git a/arch/xtensa/include/asm/unistd.h b/arch/xtensa/include/asm/unistd.h index d9fa52dbfba0..f4e6eaa40d1c 100644 --- a/arch/xtensa/include/asm/unistd.h +++ b/arch/xtensa/include/asm/unistd.h @@ -1,6 +1,7 @@ #ifndef _XTENSA_UNISTD_H #define _XTENSA_UNISTD_H +#define __ARCH_WANT_SYS_EXECVE #include /* diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h index 1fd157f31211..9f36d0e3e0ac 100644 --- a/arch/xtensa/include/uapi/asm/unistd.h +++ b/arch/xtensa/include/uapi/asm/unistd.h @@ -262,7 +262,7 @@ __SYSCALL(115, sys_sendmmsg, 4) #define __NR_clone 116 __SYSCALL(116, xtensa_clone, 5) #define __NR_execve 117 -__SYSCALL(117, xtensa_execve, 3) +__SYSCALL(117, sys_execve, 3) #define __NR_exit 118 __SYSCALL(118, sys_exit, 1) #define __NR_exit_group 119 diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index be52fe437c1b..09ae7bfab9a7 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -373,28 +373,3 @@ long xtensa_clone(unsigned long clone_flags, unsigned long newsp, { return do_fork(clone_flags, newsp, regs, 0, parent_tid, child_tid); } - -/* - * xtensa_execve() executes a new program. - */ - -asmlinkage -long xtensa_execve(const char __user *name, - const char __user *const __user *argv, - const char __user *const __user *envp, - long a3, long a4, long a5, - struct pt_regs *regs) -{ - long error; - struct filename *filename; - - filename = getname(name); - error = PTR_ERR(filename); - if (IS_ERR(filename)) - goto out; - error = do_execve(filename->name, argv, envp, regs); - putname(filename); -out: - return error; -} - -- cgit v1.2.3