[bug] stack protector panics on v4.10-rc1+
Jan Stancek
jstancek at redhat.com
Tue Jan 24 11:10:00 AEDT 2017
Hi,
I'm running into panics with stack protector enabled on ppc64le
lpar (IBM,8408-E8E), starting with:
commit 6533b7c16ee5712041b4e324100550e02a9a5dda
Author: Christophe Leroy <christophe.leroy at c-s.fr>
Date: Tue Nov 22 11:49:30 2016 +0100
powerpc: Initial stack protector (-fstack-protector) support
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
For example (it crashes at various places):
[ 1.028466] systemd[1]: Set hostname to <localhost.localdomain>.
[ 1.036105] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c000000000ad2250
[ 1.036105]
[ 1.036124] CPU: 5 PID: 168 Comm: dracut-rootfs-g Tainted: G W 4.0.0+ #11
[ 1.036131] Call Trace:
[ 1.036141] [c0000000fe113a80] [c000000000af13e8] dump_stack+0xa0/0xdc (unreliable)
[ 1.036153] [c0000000fe113ab0] [c000000000ae5138] panic+0x110/0x2bc
[ 1.036163] [c0000000fe113b40] [c0000000000dd664] __stack_chk_fail+0x24/0x30
[ 1.036172] [c0000000fe113ba0] [c000000000ad2250] wait_for_completion+0x190/0x1a0
[ 1.036182] [c0000000fe113c20] [c000000000221920] stop_one_cpu+0x110/0x1b0
[ 1.036191] [c0000000fe113d00] [c000000000134a58] sched_exec+0xf8/0x180
[ 1.036200] [c0000000fe113d60] [c0000000003b0f74] SyS_execve+0x414/0xb10
[ 1.036210] [c0000000fe113e30] [c000000000009308] system_call+0x38/0xb4
[ 1.052902] Rebooting in 10 seconds..
I tried applying this commit on older kernels, and every kernel I tried, going
back as far as 3.10 was panic-ing early during boot on stack corruption.
I tried gcc-4.8.5-11.el7, and Fedora 25's gcc-6.3.1-1.fc25 with same result.
(gdb) disassemble wait_for_completion
Dump of assembler code for function wait_for_completion:
...
0xc000000000c6642c <+140>: ld r9,-28688(r13)
0xc000000000c66430 <+144>: xor. r8,r8,r9
0xc000000000c66434 <+148>: li r9,0
0xc000000000c66438 <+152>: bne- 0xc000000000c665d8 <wait_for_completion+568>
...
0xc000000000c665d8 <+568>: bl 0xc0000000000f5c68 <__stack_chk_fail+8>
I came across following gcc commit:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=0d55f4d0aeaeb16629a2c07c96a190695b83a7e6
which mentions offset above:
"If TARGET_THREAD_SSP_OFFSET is defined, use -0x7010(13) resp.
-0x7008(2) instead of reading __stack_chk_guard variable."
It looks like it's not reading canary value from __stack_chk_guard variable.
atm. I'm not sure where -28688(r13) falls in ppc kernel (somewhere near paca struct?).
Is anyone else seeing these panics?
Regards,
Jan
More information about the Linuxppc-dev
mailing list