<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/arch/x86/kernel/process_32.c, branch v2.6.26</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>x86: fix NULL pointer deref in __switch_to</title>
<updated>2008-06-19T08:08:45+00:00</updated>
<author>
<name>Suresh Siddha</name>
<email>suresh.b.siddha@intel.com</email>
</author>
<published>2008-06-13T22:47:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=75118a82e21cafb4a82b53bb85d1c7689787e046'/>
<id>75118a82e21cafb4a82b53bb85d1c7689787e046</id>
<content type='text'>
Patrick McHardy reported a crash:

&gt; &gt; I get this oops once a day, its apparently triggered by something
&gt; &gt; run by cron, but the process is a different one each time.
&gt; &gt;
&gt; &gt; Kernel is -git from yesterday shortly before the -rc6 release
&gt; &gt; (last commit is the usb-2.6 merge, the x86 patches are missing),
&gt; &gt; .config is attached.
&gt; &gt;
&gt; &gt; I'll retry with current -git, but the patches that have gone in
&gt; &gt; since I last updated don't look related.
&gt; &gt;
&gt; &gt; [62060.043009] BUG: unable to handle kernel NULL pointer dereference at
&gt; &gt; 000001ff
&gt; &gt; [62060.043009] IP: [&lt;c0102a9b&gt;] __switch_to+0x2f/0x118
&gt; &gt; [62060.043009] *pde = 00000000
&gt; &gt; [62060.043009] Oops: 0002 [#1] PREEMPT

Vegard Nossum analyzed it:

&gt; This decodes to
&gt;
&gt;    0:   0f ae 00                fxsave (%eax)
&gt;
&gt; so it's related to the floating-point context. This is the exact
&gt; location of the crash:
&gt;
&gt; $ addr2line -e arch/x86/kernel/process_32.o -i ab0
&gt; include/asm/i387.h:232
&gt; include/asm/i387.h:262
&gt; arch/x86/kernel/process_32.c:595
&gt;
&gt; ...so it looks like prev_task-&gt;thread.xstate-&gt;fxsave has become NULL.
&gt; Or maybe it never had any other value.

Somehow (as described below) TS_USEDFPU is set but the fpu is not
allocated or freed.

Another possible FPU pre-emption issue with the sleazy FPU optimization
which was benign before but not so anymore, with the dynamic FPU allocation
patch.

New task is getting exec'd and it is prempted at the below point.

flush_thread() {
	...
	/*
	* Forget coprocessor state..
	*/
	clear_fpu(tsk);
		&lt;----- Preemption point
	clear_used_math();
	...
}

Now when it context switches in again, as the used_math() is still set
and fpu_counter can be &gt; 5, we will do a math_state_restore() which sets
the task's TS_USEDFPU. After it continues from the above preemption point
it does clear_used_math() and much later free_thread_xstate().

Now, at the next context switch, it is quite possible that xstate is
null, used_math() is not set and TS_USEDFPU is still set. This will
trigger unlazy_fpu() causing kernel oops.

Fix this  by clearing tsk's fpu_counter before clearing task's fpu.

Reported-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Patrick McHardy reported a crash:

&gt; &gt; I get this oops once a day, its apparently triggered by something
&gt; &gt; run by cron, but the process is a different one each time.
&gt; &gt;
&gt; &gt; Kernel is -git from yesterday shortly before the -rc6 release
&gt; &gt; (last commit is the usb-2.6 merge, the x86 patches are missing),
&gt; &gt; .config is attached.
&gt; &gt;
&gt; &gt; I'll retry with current -git, but the patches that have gone in
&gt; &gt; since I last updated don't look related.
&gt; &gt;
&gt; &gt; [62060.043009] BUG: unable to handle kernel NULL pointer dereference at
&gt; &gt; 000001ff
&gt; &gt; [62060.043009] IP: [&lt;c0102a9b&gt;] __switch_to+0x2f/0x118
&gt; &gt; [62060.043009] *pde = 00000000
&gt; &gt; [62060.043009] Oops: 0002 [#1] PREEMPT

Vegard Nossum analyzed it:

&gt; This decodes to
&gt;
&gt;    0:   0f ae 00                fxsave (%eax)
&gt;
&gt; so it's related to the floating-point context. This is the exact
&gt; location of the crash:
&gt;
&gt; $ addr2line -e arch/x86/kernel/process_32.o -i ab0
&gt; include/asm/i387.h:232
&gt; include/asm/i387.h:262
&gt; arch/x86/kernel/process_32.c:595
&gt;
&gt; ...so it looks like prev_task-&gt;thread.xstate-&gt;fxsave has become NULL.
&gt; Or maybe it never had any other value.

Somehow (as described below) TS_USEDFPU is set but the fpu is not
allocated or freed.

Another possible FPU pre-emption issue with the sleazy FPU optimization
which was benign before but not so anymore, with the dynamic FPU allocation
patch.

New task is getting exec'd and it is prempted at the below point.

flush_thread() {
	...
	/*
	* Forget coprocessor state..
	*/
	clear_fpu(tsk);
		&lt;----- Preemption point
	clear_used_math();
	...
}

Now when it context switches in again, as the used_math() is still set
and fpu_counter can be &gt; 5, we will do a math_state_restore() which sets
the task's TS_USEDFPU. After it continues from the above preemption point
it does clear_used_math() and much later free_thread_xstate().

Now, at the next context switch, it is quite possible that xstate is
null, used_math() is not set and TS_USEDFPU is still set. This will
trigger unlazy_fpu() causing kernel oops.

Fix this  by clearing tsk's fpu_counter before clearing task's fpu.

Reported-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86, fpu: fix CONFIG_PREEMPT=y corruption of application's FPU stack</title>
<updated>2008-06-04T14:21:24+00:00</updated>
<author>
<name>Suresh Siddha</name>
<email>suresh.b.siddha@intel.com</email>
</author>
<published>2008-06-02T22:57:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=870568b39064cab2dd971fe57969916036982862'/>
<id>870568b39064cab2dd971fe57969916036982862</id>
<content type='text'>
Jürgen Mell reported an FPU state corruption bug under CONFIG_PREEMPT,
and bisected it to commit v2.6.19-1363-gacc2076, "i386: add sleazy FPU
optimization".

Add tsk_used_math() checks to prevent calling math_state_restore()
which can sleep in the case of !tsk_used_math(). This prevents
making a blocking call in __switch_to().

Apparently "fpu_counter &gt; 5" check is not enough, as in some signal handling
and fork/exec scenarios, fpu_counter &gt; 5 and !tsk_used_math() is possible.

It's a side effect though. This is the failing scenario:

process 'A' in save_i387_ia32() just after clear_used_math()

Got an interrupt and pre-empted out.

At the next context switch to process 'A' again, kernel tries to restore
the math state proactively and sees a fpu_counter &gt; 0 and !tsk_used_math()

This results in init_fpu() during the __switch_to()'s math_state_restore()

And resulting in fpu corruption which will be saved/restored
(save_i387_fxsave and restore_i387_fxsave) during the remaining
part of the signal handling after the context switch.

Bisected-by: Jürgen Mell &lt;j.mell@t-online.de&gt;
Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Tested-by: Jürgen Mell &lt;j.mell@t-online.de&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: stable@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Jürgen Mell reported an FPU state corruption bug under CONFIG_PREEMPT,
and bisected it to commit v2.6.19-1363-gacc2076, "i386: add sleazy FPU
optimization".

Add tsk_used_math() checks to prevent calling math_state_restore()
which can sleep in the case of !tsk_used_math(). This prevents
making a blocking call in __switch_to().

Apparently "fpu_counter &gt; 5" check is not enough, as in some signal handling
and fork/exec scenarios, fpu_counter &gt; 5 and !tsk_used_math() is possible.

It's a side effect though. This is the failing scenario:

process 'A' in save_i387_ia32() just after clear_used_math()

Got an interrupt and pre-empted out.

At the next context switch to process 'A' again, kernel tries to restore
the math state proactively and sees a fpu_counter &gt; 0 and !tsk_used_math()

This results in init_fpu() during the __switch_to()'s math_state_restore()

And resulting in fpu corruption which will be saved/restored
(save_i387_fxsave and restore_i387_fxsave) during the remaining
part of the signal handling after the context switch.

Bisected-by: Jürgen Mell &lt;j.mell@t-online.de&gt;
Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Tested-by: Jürgen Mell &lt;j.mell@t-online.de&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: stable@kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>fix idle (arch, acpi and apm) and lockdep</title>
<updated>2008-04-26T22:01:45+00:00</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2008-04-25T15:39:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7f424a8b08c26dc14ac5c17164014539ac9a5c65'/>
<id>7f424a8b08c26dc14ac5c17164014539ac9a5c65</id>
<content type='text'>
OK, so 25-mm1 gave a lockdep error which made me look into this.

The first thing that I noticed was the horrible mess; the second thing I
saw was hacks like: 71e93d15612c61c2e26a169567becf088e71b8ff

The problem is that arch idle routines are somewhat inconsitent with
their IRQ state handling and instead of fixing _that_, we go paper over
the problem.

So the thing I've tried to do is set a standard for idle routines and
fix them all up to adhere to that. So the rules are:

  idle routines are entered with IRQs disabled
  idle routines will exit with IRQs enabled

Nearly all already did this in one form or another.

Merge the 32 and 64 bit bits so they no longer have different bugs.

As for the actual lockdep warning; __sti_mwait() did a plainly un-annotated
irq-enable.

Signed-off-by: Peter Zijlstra &lt;a.p.zijlstra@chello.nl&gt;
Tested-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
OK, so 25-mm1 gave a lockdep error which made me look into this.

The first thing that I noticed was the horrible mess; the second thing I
saw was hacks like: 71e93d15612c61c2e26a169567becf088e71b8ff

The problem is that arch idle routines are somewhat inconsitent with
their IRQ state handling and instead of fixing _that_, we go paper over
the problem.

So the thing I've tried to do is set a standard for idle routines and
fix them all up to adhere to that. So the rules are:

  idle routines are entered with IRQs disabled
  idle routines will exit with IRQs enabled

Nearly all already did this in one form or another.

Merge the 32 and 64 bit bits so they no longer have different bugs.

As for the actual lockdep warning; __sti_mwait() did a plainly un-annotated
irq-enable.

Signed-off-by: Peter Zijlstra &lt;a.p.zijlstra@chello.nl&gt;
Tested-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>"make namespacecheck" fixes</title>
<updated>2008-04-24T21:15:44+00:00</updated>
<author>
<name>Ingo Molnar</name>
<email>mingo@elte.hu</email>
</author>
<published>2008-04-23T11:20:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a4928cffe6435caf427ae673131a633c1329dbf3'/>
<id>a4928cffe6435caf427ae673131a633c1329dbf3</id>
<content type='text'>
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86, fpu: lazy allocation of FPU area - v5</title>
<updated>2008-04-19T17:19:55+00:00</updated>
<author>
<name>Suresh Siddha</name>
<email>suresh.b.siddha@intel.com</email>
</author>
<published>2008-03-10T22:28:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aa283f49276e7d840a40fb01eee6de97eaa7e012'/>
<id>aa283f49276e7d840a40fb01eee6de97eaa7e012</id>
<content type='text'>
Only allocate the FPU area when the application actually uses FPU, i.e., in the
first lazy FPU trap. This could save memory for non-fpu using apps.

for example: on my system after boot, there are around 300 processes, with
only 17 using FPU.

Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Cc: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Only allocate the FPU area when the application actually uses FPU, i.e., in the
first lazy FPU trap. This could save memory for non-fpu using apps.

for example: on my system after boot, there are around 300 processes, with
only 17 using FPU.

Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Cc: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86, fpu: split FPU state from task struct - v5</title>
<updated>2008-04-19T17:19:55+00:00</updated>
<author>
<name>Suresh Siddha</name>
<email>suresh.b.siddha@intel.com</email>
</author>
<published>2008-03-10T22:28:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=61c4628b538608c1a85211ed8438136adfeb9a95'/>
<id>61c4628b538608c1a85211ed8438136adfeb9a95</id>
<content type='text'>
Split the FPU save area from the task struct. This allows easy migration
of FPU context, and it's generally cleaner. It also allows the following
two optimizations:

1) only allocate when the application actually uses FPU, so in the first
lazy FPU trap. This could save memory for non-fpu using apps. Next patch
does this lazy allocation.

2) allocate the right size for the actual cpu rather than 512 bytes always.
Patches enabling xsave/xrstor support (coming shortly) will take advantage
of this.

Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Signed-off-by: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Split the FPU save area from the task struct. This allows easy migration
of FPU context, and it's generally cleaner. It also allows the following
two optimizations:

1) only allocate when the application actually uses FPU, so in the first
lazy FPU trap. This could save memory for non-fpu using apps. Next patch
does this lazy allocation.

2) allocate the right size for the actual cpu rather than 512 bytes always.
Patches enabling xsave/xrstor support (coming shortly) will take advantage
of this.

Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Signed-off-by: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86: implement prctl PR_GET_TSC and PR_SET_TSC</title>
<updated>2008-04-19T17:19:55+00:00</updated>
<author>
<name>Erik Bosman</name>
<email>ejbosman@cs.vu.nl</email>
</author>
<published>2008-04-13T22:24:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=529e25f646e08901a6dad5768f681efffd77225e'/>
<id>529e25f646e08901a6dad5768f681efffd77225e</id>
<content type='text'>
This patch implements the PR_GET_TSC and PR_SET_TSC prctl()
commands on the x86 platform (both 32 and 64 bit.) These
commands control the ability to read the timestamp counter
from userspace (the RDTSC instruction.)

While the RDTSC instuction is a useful profiling tool,
it is also the source of some non-determinism in ring-3.
For deterministic replay applications it is useful to be
able to trap and emulate (and record the outcome of) this
instruction.

This patch uses code earlier used to disable the timestamp
counter for the SECCOMP framework. A side-effect of this
patch is that the SECCOMP environment will now also disable
the timestamp counter on x86_64 due to the addition of the
TIF_NOTSC define on this platform.

The code which enables/disables the RDTSC instruction during
context switches is in the __switch_to_xtra function, which
already handles other unusual conditions, so normal
performance should not have to suffer from this change.

Signed-off-by: Erik Bosman &lt;ejbosman@cs.vu.nl&gt;
Acked-by: Arjan van de Ven  &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch implements the PR_GET_TSC and PR_SET_TSC prctl()
commands on the x86 platform (both 32 and 64 bit.) These
commands control the ability to read the timestamp counter
from userspace (the RDTSC instruction.)

While the RDTSC instuction is a useful profiling tool,
it is also the source of some non-determinism in ring-3.
For deterministic replay applications it is useful to be
able to trap and emulate (and record the outcome of) this
instruction.

This patch uses code earlier used to disable the timestamp
counter for the SECCOMP framework. A side-effect of this
patch is that the SECCOMP environment will now also disable
the timestamp counter on x86_64 due to the addition of the
TIF_NOTSC define on this platform.

The code which enables/disables the RDTSC instruction during
context switches is in the __switch_to_xtra function, which
already handles other unusual conditions, so normal
performance should not have to suffer from this change.

Signed-off-by: Erik Bosman &lt;ejbosman@cs.vu.nl&gt;
Acked-by: Arjan van de Ven  &lt;arjan@linux.intel.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86: remove vm86.h inclusion from process_32.c</title>
<updated>2008-04-19T17:19:54+00:00</updated>
<author>
<name>Jacek Luczak</name>
<email>difrost.kernel@gmail.com</email>
</author>
<published>2008-04-09T20:53:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=120d5bf128906c790df810e159d2e1239d08fef1'/>
<id>120d5bf128906c790df810e159d2e1239d08fef1</id>
<content type='text'>
I've made a small investigation about vm86.h inclusion rules and it
looks like everything is more or less ok.

Files that rely on asm/vm86.h symbols are:

  - kprobes.c
  - process_32.c
  - signal_32.c
  - traps_32.c
  - vm86_32.c

File process_32.c includes vm86.h explicitly. We can remove that
include and it won't break anything.

Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I've made a small investigation about vm86.h inclusion rules and it
looks like everything is more or less ok.

Files that rely on asm/vm86.h symbols are:

  - kprobes.c
  - process_32.c
  - signal_32.c
  - traps_32.c
  - vm86_32.c

File process_32.c includes vm86.h explicitly. We can remove that
include and it won't break anything.

Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86: improve default idle</title>
<updated>2008-04-17T15:41:34+00:00</updated>
<author>
<name>Ingo Molnar</name>
<email>mingo@elte.hu</email>
</author>
<published>2008-04-02T11:23:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=13af4836b3914b23946f6a8982934e2c828c183f'/>
<id>13af4836b3914b23946f6a8982934e2c828c183f</id>
<content type='text'>
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>x86: always enable irqs when entering idle</title>
<updated>2008-04-17T15:41:00+00:00</updated>
<author>
<name>Glauber de Oliveira Costa</name>
<email>gcosta@redhat.com</email>
</author>
<published>2008-03-19T17:25:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3b22ec7b13cb31e0d87fbc0aabe14caaaad309e8'/>
<id>3b22ec7b13cb31e0d87fbc0aabe14caaaad309e8</id>
<content type='text'>
This matches x86_64 behaviour, which is a superior one IMHO

Signed-off-by: Glauber Costa &lt;gcosta@redhat.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This matches x86_64 behaviour, which is a superior one IMHO

Signed-off-by: Glauber Costa &lt;gcosta@redhat.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
</pre>
</div>
</content>
</entry>
</feed>
