9:34 p.m.
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
It was writing over %esp/pt_regs semi-randomly on i686 with the expected
"system can't boot" results. As noted in:
https://bugs.freedesktop.org/show_bug.cgi?id=85277
This patch stops fscking with pt_regs. Instead it sets up the registers
for the call to __audit_syscall_entry in the most obvious conceivable
way. It then does just a tiny tiny touch of magic. We need to get what
started in PT_EDX into 0(%esp) and PT_ESI into 4(%esp). This is as easy
as a pair of pushes using the values still in those registers.
After the call to __audit_syscall_entry all we need to do is get that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about it's business.
Reported-by: Paulo Zanoni <przanoni(a)gmail.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: x86(a)kernel.org
Cc: linux-kernel(a)vger.kernel.org
Cc: linux-audit(a)redhat.com
---
On 14/10/25, Thomas Gleixner wrote:
Why are we grabbing that from the stack? AFAICT all arguments are in
the registers still.
Right, re-arranging the instructions slightly to avoid overwriting %edx
with %ebx before needing it to push onto the stack, how does this look?
arch/x86/kernel/entry_32.S | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed8..344b63f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
sysenter_audit:
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
jnz syscall_trace_entry
- addl $4,%esp
- CFI_ADJUST_CFA_OFFSET -4
- movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
- movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
- /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
- movl %ebx,%edx /* 2nd arg: 1st syscall arg */
- /* %eax already in %eax 1st arg: syscall number */
+ /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
+ /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
+ pushl_cfi %esi /* a3: 5th arg */
+ pushl_cfi %edx /* a2: 4th arg */
+ movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
call __audit_syscall_entry
- pushl_cfi %ebx
+ popl_cfi %ecx /* get that remapped edx off the stack */
+ popl_cfi %ecx /* get that remapped esi off the stack */
movl PT_EAX(%esp),%eax /* reload syscall number */
jmp sysenter_do_call
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
8:55 a.m.
My patch was already committed to the -tip urgent branch. I believe any
optimization should be based on that branch, Richard. If you are trying
to wrangle every bit of speed out of this, should you
push %esi;
push %edi;
CFI_ADJUST_CFA_OFFSET 8
call __audit_syscall_entry
pop;
pop;
CFI_ADJUST_CFA_OFFSET -8
Instead of using the pushl_cfi and popl_cfi macros?
I wrote my patch to be obviously correct, but agree there are certainly
some speedups possible.
-Eric
On Sun, 2014-10-26 at 22:34 -0400, Richard Guy Briggs wrote:
git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very
dumb.
It was writing over %esp/pt_regs semi-randomly on i686 with the expected
"system can't boot" results. As noted in:
https://bugs.freedesktop.org/show_bug.cgi?id=85277
This patch stops fscking with pt_regs. Instead it sets up the registers
for the call to __audit_syscall_entry in the most obvious conceivable
way. It then does just a tiny tiny touch of magic. We need to get what
started in PT_EDX into 0(%esp) and PT_ESI into 4(%esp). This is as easy
as a pair of pushes using the values still in those registers.
After the call to __audit_syscall_entry all we need to do is get that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about it's business.
Reported-by: Paulo Zanoni <przanoni(a)gmail.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: x86(a)kernel.org
Cc: linux-kernel(a)vger.kernel.org
Cc: linux-audit(a)redhat.com
---
On 14/10/25, Thomas Gleixner wrote:
> Why are we grabbing that from the stack? AFAICT all arguments are in
> the registers still.
Right, re-arranging the instructions slightly to avoid overwriting %edx
with %ebx before needing it to push onto the stack, how does this look?
arch/x86/kernel/entry_32.S | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed8..344b63f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
sysenter_audit:
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
jnz syscall_trace_entry
- addl $4,%esp
- CFI_ADJUST_CFA_OFFSET -4
- movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
- movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
- /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
- movl %ebx,%edx /* 2nd arg: 1st syscall arg */
- /* %eax already in %eax 1st arg: syscall number */
+ /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
+ /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
+ pushl_cfi %esi /* a3: 5th arg */
+ pushl_cfi %edx /* a2: 4th arg */
+ movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
call __audit_syscall_entry
- pushl_cfi %ebx
+ popl_cfi %ecx /* get that remapped edx off the stack */
+ popl_cfi %ecx /* get that remapped esi off the stack */
movl PT_EAX(%esp),%eax /* reload syscall number */
jmp sysenter_do_call
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
12:02 p.m.
On 10/27/2014 06:55 AM, Eric Paris wrote:
My patch was already committed to the -tip urgent branch. I believe
any
optimization should be based on that branch, Richard. If you are trying
to wrangle every bit of speed out of this, should you
push %esi;
push %edi;
CFI_ADJUST_CFA_OFFSET 8
call __audit_syscall_entry
pop;
pop;
CFI_ADJUST_CFA_OFFSET -8
Instead of using the pushl_cfi and popl_cfi macros?
I wrote my patch to be obviously correct, but agree there are certainly
some speedups possible.
Uh... not only is that plain wrong (the CFI should be adjusted after
each instruction that changes the stack pointer), but what the heck is
wrong with using the macros?
-hpa
12:29 p.m.
On Mon, 2014-10-27 at 10:02 -0700, H. Peter Anvin wrote:
On 10/27/2014 06:55 AM, Eric Paris wrote:
> My patch was already committed to the -tip urgent branch. I believe any
> optimization should be based on that branch, Richard. If you are trying
> to wrangle every bit of speed out of this, should you
>
> push %esi;
> push %edi;
> CFI_ADJUST_CFA_OFFSET 8
> call __audit_syscall_entry
> pop;
> pop;
> CFI_ADJUST_CFA_OFFSET -8
>
> Instead of using the pushl_cfi and popl_cfi macros?
>
> I wrote my patch to be obviously correct, but agree there are certainly
> some speedups possible.
>
Uh... not only is that plain wrong (the CFI should be adjusted after
each instruction that changes the stack pointer),
Sure, things would be screwed up between the two push's
but what the heck is
wrong with using the macros?
I was asking if that would save an instruction or two by consolidating
the CFI update and if so would that tradeoff be worth it, given the
regularity of this code being run.
-hpa
1:30 a.m.
* Eric Paris <eparis(a)redhat.com> wrote:
On Mon, 2014-10-27 at 10:02 -0700, H. Peter Anvin wrote:
> On 10/27/2014 06:55 AM, Eric Paris wrote:
> > My patch was already committed to the -tip urgent branch. I believe any
> > optimization should be based on that branch, Richard. If you are trying
> > to wrangle every bit of speed out of this, should you
> >
> > push %esi;
> > push %edi;
> > CFI_ADJUST_CFA_OFFSET 8
> > call __audit_syscall_entry
> > pop;
> > pop;
> > CFI_ADJUST_CFA_OFFSET -8
> >
> > Instead of using the pushl_cfi and popl_cfi macros?
> >
> > I wrote my patch to be obviously correct, but agree there are certainly
> > some speedups possible.
> >
>
> Uh... not only is that plain wrong (the CFI should be adjusted after
> each instruction that changes the stack pointer),
Sure, things would be screwed up between the two push's
> but what the heck is
> wrong with using the macros?
I was asking if that would save an instruction or two by
consolidating the CFI update and if so would that tradeoff be
worth it, given the regularity of this code being run.
CFI updates have no effect on runtime behavior whatsoever (they
don't emit any instructions), they only affect the debug info
being constructed.
Thanks,
Ingo
12:38 p.m.
On 14/10/27, Eric Paris wrote:
My patch was already committed to the -tip urgent branch. I believe
any
optimization should be based on that branch, Richard. If you are trying
to wrangle every bit of speed out of this, should you
push %esi;
push %edi;
CFI_ADJUST_CFA_OFFSET 8
call __audit_syscall_entry
pop;
pop;
CFI_ADJUST_CFA_OFFSET -8
Instead of using the pushl_cfi and popl_cfi macros?
I wrote my patch to be obviously correct, but agree there are certainly
some speedups possible.
I was just more surprised that you didn't use the assumptions and
approach of the original code before I botched it, which simply re-used
values in registers that were already there, rather than fetching them
from the pt_regs struct on the stack and adjusting the reference with an
offset on the fly as you're pushing items onto the stack.
-Eric
On Sun, 2014-10-26 at 22:34 -0400, Richard Guy Briggs wrote:
> git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
> It was writing over %esp/pt_regs semi-randomly on i686 with the expected
> "system can't boot" results. As noted in:
>
> https://bugs.freedesktop.org/show_bug.cgi?id=85277
>
> This patch stops fscking with pt_regs. Instead it sets up the registers
> for the call to __audit_syscall_entry in the most obvious conceivable
> way. It then does just a tiny tiny touch of magic. We need to get what
> started in PT_EDX into 0(%esp) and PT_ESI into 4(%esp). This is as easy
> as a pair of pushes using the values still in those registers.
>
> After the call to __audit_syscall_entry all we need to do is get that
> now useless junk off the stack (pair of pops) and reload %eax with the
> original syscall so other stuff can keep going about it's business.
>
> Reported-by: Paulo Zanoni <przanoni(a)gmail.com>
> Signed-off-by: Eric Paris <eparis(a)redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> Cc: Thomas Gleixner <tglx(a)linutronix.de>
> Cc: Ingo Molnar <mingo(a)redhat.com>
> Cc: "H. Peter Anvin" <hpa(a)zytor.com>
> Cc: x86(a)kernel.org
> Cc: linux-kernel(a)vger.kernel.org
> Cc: linux-audit(a)redhat.com
>
> ---
> On 14/10/25, Thomas Gleixner wrote:
> > Why are we grabbing that from the stack? AFAICT all arguments are in
> > the registers still.
>
> Right, re-arranging the instructions slightly to avoid overwriting %edx
> with %ebx before needing it to push onto the stack, how does this look?
>
> arch/x86/kernel/entry_32.S | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index b553ed8..344b63f 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -447,15 +447,14 @@ sysenter_exit:
> sysenter_audit:
> testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
> jnz syscall_trace_entry
> - addl $4,%esp
> - CFI_ADJUST_CFA_OFFSET -4
> - movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
> - movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
> - /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
> - movl %ebx,%edx /* 2nd arg: 1st syscall arg */
> - /* %eax already in %eax 1st arg: syscall number */
> + /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
> + /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
> + pushl_cfi %esi /* a3: 5th arg */
> + pushl_cfi %edx /* a2: 4th arg */
> + movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
> call __audit_syscall_entry
> - pushl_cfi %ebx
> + popl_cfi %ecx /* get that remapped edx off the stack */
> + popl_cfi %ecx /* get that remapped esi off the stack */
> movl PT_EAX(%esp),%eax /* reload syscall number */
> jmp sysenter_do_call
>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs(a)redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
4:18 p.m.
On Mon, 27 Oct 2014, Eric Paris wrote:
My patch was already committed to the -tip urgent branch. I believe
any
optimization should be based on that branch, Richard. If you are trying
to wrangle every bit of speed out of this, should you
push %esi;
push %edi;
CFI_ADJUST_CFA_OFFSET 8
Wrong. You want to use pushl_cfi as you need the CFI adjustment after
each modification of esp.
call __audit_syscall_entry
pop;
pop;
CFI_ADJUST_CFA_OFFSET -8
Instead of using the pushl_cfi and popl_cfi macros?
Wrong again. See above. Aside of that, why do you want to use pop at
all? All we care about is adjusting esp, right?
Thanks,
tglx
4:22 p.m.
On 14/10/27, Thomas Gleixner wrote:
On Mon, 27 Oct 2014, Eric Paris wrote:
> My patch was already committed to the -tip urgent branch. I believe any
> optimization should be based on that branch, Richard. If you are trying
> to wrangle every bit of speed out of this, should you
>
> push %esi;
> push %edi;
> CFI_ADJUST_CFA_OFFSET 8
Wrong. You want to use pushl_cfi as you need the CFI adjustment after
each modification of esp.
> call __audit_syscall_entry
> pop;
> pop;
> CFI_ADJUST_CFA_OFFSET -8
>
> Instead of using the pushl_cfi and popl_cfi macros?
Wrong again. See above. Aside of that, why do you want to use pop at
all? All we care about is adjusting esp, right?
Right. We don't care about those two values on the bottom of the stack.
Just move the extended stack pointer and adjust CFI.
Thanks,
tglx
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
3:52 p.m.
On Sun, 26 Oct 2014, Richard Guy Briggs wrote:
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed8..344b63f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
sysenter_audit:
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
jnz syscall_trace_entry
- addl $4,%esp
- CFI_ADJUST_CFA_OFFSET -4
- movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
- movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
- /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
- movl %ebx,%edx /* 2nd arg: 1st syscall arg */
- /* %eax already in %eax 1st arg: syscall number */
+ /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
+ /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
+ pushl_cfi %esi /* a3: 5th arg */
+ pushl_cfi %edx /* a2: 4th arg */
+ movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
call __audit_syscall_entry
- pushl_cfi %ebx
+ popl_cfi %ecx /* get that remapped edx off the stack */
+ popl_cfi %ecx /* get that remapped esi off the stack */
Why use pop instead of simply adjusting esp and CFI by 8?
Thanks,
tglx
4:13 p.m.
On Mon, 2014-10-27 at 21:52 +0100, Thomas Gleixner wrote:
On Sun, 26 Oct 2014, Richard Guy Briggs wrote:
> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> index b553ed8..344b63f 100644
> --- a/arch/x86/kernel/entry_32.S
> +++ b/arch/x86/kernel/entry_32.S
> @@ -447,15 +447,14 @@ sysenter_exit:
> sysenter_audit:
> testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
> jnz syscall_trace_entry
> - addl $4,%esp
> - CFI_ADJUST_CFA_OFFSET -4
> - movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
> - movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
> - /* %ecx already in %ecx 3rd arg: 2nd syscall arg */
> - movl %ebx,%edx /* 2nd arg: 1st syscall arg */
> - /* %eax already in %eax 1st arg: syscall number */
> + /* movl PT_ECX(%esp), %ecx already set, a1: 3nd arg to audit */
> + /* movl PT_EAX(%esp), %eax already set, syscall number: 1st arg to audit */
> + pushl_cfi %esi /* a3: 5th arg */
> + pushl_cfi %edx /* a2: 4th arg */
> + movl %ebx, %edx /* ebx/a0: 2nd arg to audit */
> call __audit_syscall_entry
> - pushl_cfi %ebx
> + popl_cfi %ecx /* get that remapped edx off the stack */
> + popl_cfi %ecx /* get that remapped esi off the stack */
Why use pop instead of simply adjusting esp and CFI by 8?
Certainly seems like a good idea for RGB's perf improvement patch to go
on top of -tip urgent.
-Eric
3708
days inactive
3709
days old
linux-audit@lists.linux-audit.osci.io
9 comments
5 participants
participants (5)
-
Eric Paris -
H. Peter Anvin -
Ingo Molnar -
Richard Guy Briggs -
Thomas Gleixner