[PATCH] kernel panic during kernel module load (powerpc specific part)

Steffen Rumler steffen.rumler.ext at nsn.com
Thu Jun 7 00:37:17 EST 2012


Hi,

The patch below is intended to fix the following problem.

According to the PowerPC EABI specification, the GPR r11 is assigned
the dedicated function to point to the previous stack frame.
In the powerpc-specific kernel module loader, do_plt_call()
(in arch/powerpc/kernel/module_32.c), the GPR r11 is also used
to generate trampoline code.

This combination crashes the kernel, in the following case:

   + The compiler has generated the prologue and epilogue,
     which are part of the .text section.
   + The compiler has generated the code for the module init entry point,
     part of the .init.text section (in the case it is marked with __init).
   + By returning from the module init entry point, the epilogue is called by doing
     a branch instruction.
   + If the epilogue is too far away, a relative branch instruction cannot be applied.
     Instead, trampoline code is generated in do_plt_call(), in order to jump via register.
     Unfortunately the code generated by do_plt_call() destroys the content of GPR r11.
   + Because GPR r11 no longer holds the right stack frame pointer,
     the kernel crashes right after the epilogue.

The fix just uses GPR r12 instead of GPR r11 for generating the trampoline code.
According to the statements from Freescale, this is also safe from an EABI perspective.

I've tested the fix for kernel 2.6.33 on MPC8541.

Signed-off-by: Steffen Rumler <steffen.rumler.ext at nsn.com>
---

--- orig/arch/powerpc/kernel/module_32.c	2012-06-06 16:04:28.956446788 +0200
+++ new/arch/powerpc/kernel/module_32.c		2012-06-06 16:04:17.746290683 +0200
@@ -187,8 +187,8 @@

  static inline int entry_matches(struct ppc_plt_entry *entry, Elf32_Addr val)
  {
-	if (entry->jump[0] == 0x3d600000 + ((val + 0x8000) >> 16)
-	    && entry->jump[1] == 0x396b0000 + (val & 0xffff))
+	if (entry->jump[0] == 0x3d800000 + ((val + 0x8000) >> 16)
+	    && entry->jump[1] == 0x398c0000 + (val & 0xffff))
  		return 1;
  	return 0;
  }
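Review bot: this hunk keeps entry_matches() in step with the new trampoline words (0x3d800000 is lis r12 and 0x398c0000 is addi r12,r12, i.e. the old r11 encodings with the rD/rA fields changed from 11 to 12), which is required, otherwise a stale r11 entry would be matched and reused. The drawback is that the same magic numbers must now be kept identical by hand in entry_matches() and in do_plt_call(); consider encoding them once (a macro or a small helper taking the register number) and using it in both places, so the register can never be changed at one site only.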
@@ -215,10 +215,9 @@
  		entry++;
  	}

-	/* Stolen from Paul Mackerras as well... */
-	entry->jump[0] = 0x3d600000+((val+0x8000)>>16);	/* lis r11,sym at ha */
-	entry->jump[1] = 0x396b0000 + (val&0xffff);	/* addi r11,r11,sym at l*/
-	entry->jump[2] = 0x7d6903a6;			/* mtctr r11 */
+	entry->jump[0] = 0x3d800000+((val+0x8000)>>16); /* lis r12,sym at ha */
+	entry->jump[1] = 0x398c0000 + (val&0xffff);     /* addi r12,r12,sym at l*/
+	entry->jump[2] = 0x7d8903a6;                    /* mtctr r12 */
  	entry->jump[3] = 0x4e800420;			/* bctr */

  	DEBUGP("Initialized plt for 0x%x at %p\n", val, entry);
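Review bot: the reason for picking r12 (r11 being the frame pointer, per the commit message) appears nowhere in the code; add a one-line comment above the `entry->jump[0]` assignment so that nobody reverts to r11 later. Two unrelated changes are also mixed into this hunk: the `/* Stolen from Paul Mackerras as well... */` attribution comment is dropped, and the trailing comments switch from tab alignment to spaces, which now disagrees with the untouched `entry->jump[3]` line; keep the original comment and tab alignment so the diff shows only the register change. The encodings themselves check out: 0x3d800000 lis r12, 0x398c0000 addi r12,r12, 0x7d8903a6 mtctr r12.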


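To make the constants in the patch verifiable rather than magic, here is an added example (not code from the patch or from the kernel) that encodes the four-word PLT trampoline from the PowerPC instruction field layout, parameterised by the scratch register, and models what address the lis/addi pair produces; the helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's code.  Field layout per the PowerPC ISA:
 * D-form:   opcode<<26 | rD<<21 | rA<<16 | imm16
 * XFX-form: 31<<26 | rS<<21 | spr<<11 | 467<<1   (mtspr)           */
#define OP_ADDI   14u
#define OP_ADDIS  15u
#define OP_X      31u
#define XO_MTSPR  467u
#define SPR_CTR   9u

/* lis rD,imm is addis rD,0,imm */
static uint32_t enc_lis(unsigned rd, uint16_t imm)
{
	return (OP_ADDIS << 26) | (rd << 21) | imm;
}

static uint32_t enc_addi(unsigned rd, unsigned ra, uint16_t imm)
{
	return (OP_ADDI << 26) | (rd << 21) | (ra << 16) | imm;
}

/* mtctr rS is mtspr CTR,rS; the 10-bit spr field holds the SPR number
 * with its two 5-bit halves swapped (low half in the upper bits). */
static uint32_t enc_mtctr(unsigned rs)
{
	unsigned spr = ((SPR_CTR & 0x1f) << 5) | (SPR_CTR >> 5);
	return (OP_X << 26) | (rs << 21) | (spr << 11) | (XO_MTSPR << 1);
}

/* Trampoline for target 'val' via scratch GPR 'gpr'.  (val + 0x8000) >> 16
 * is the @ha half: it pre-compensates for addi sign-extending the @l half. */
static void build_plt(uint32_t jump[4], uint32_t val, unsigned gpr)
{
	jump[0] = enc_lis(gpr, (uint16_t)((val + 0x8000) >> 16));
	jump[1] = enc_addi(gpr, gpr, (uint16_t)(val & 0xffff));
	jump[2] = enc_mtctr(gpr);
	jump[3] = 0x4e800420;                       /* bctr */
}

/* Software model of the address the lis/addi pair leaves in the register. */
static uint32_t plt_target(const uint32_t jump[4])
{
	uint32_t hi = (jump[0] & 0xffff) << 16;
	int32_t lo = (int16_t)(jump[1] & 0xffff);   /* addi sign-extends */
	return hi + (uint32_t)lo;
}
```

Encoding with gpr 11 reproduces the words the patch removes and gpr 12 the words it adds, and a target such as 0x1234ffff shows why the @ha half is rounded.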