From owner-svn-src-all@FreeBSD.ORG Fri Mar 13 10:26:36 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D3F42E91; Fri, 13 Mar 2015 10:26:36 +0000 (UTC) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AB2EA16A; Fri, 13 Mar 2015 10:26:36 +0000 (UTC) Received: from ralph.baldwin.cx (pool-173-54-116-245.nwrknj.fios.verizon.net [173.54.116.245]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id 8D923B94E; Fri, 13 Mar 2015 06:26:35 -0400 (EDT) From: John Baldwin To: src-committers@freebsd.org Subject: Re: svn commit: r279949 - in head: lib/libstand sys/boot/amd64 sys/boot/efi/libefi sys/boot/ficl Date: Fri, 13 Mar 2015 06:19:45 -0400 Message-ID: <3051169.gdTC0jACmW@ralph.baldwin.cx> User-Agent: KMail/4.14.2 (FreeBSD/10.1-STABLE; KDE/4.14.2; amd64; ; ) In-Reply-To: <201503130938.t2D9cGYU077146@svn.freebsd.org> References: <201503130938.t2D9cGYU077146@svn.freebsd.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Fri, 13 Mar 2015 06:26:35 -0400 (EDT) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Mar 2015 10:26:36 -0000 On Friday, March 13, 2015 09:38:16 AM John Baldwin wrote: > Author: jhb > Date: Fri Mar 13 09:38:16 2015 > New Revision: 279949 > URL: https://svnweb.freebsd.org/changeset/base/279949 > > Log: > The System V ABI for amd64 allows functions to use space in a 128 byte > redzone below the stack pointer for scratch space and requires > interrupt and signal frames to avoid overwriting it. However, EFI uses > the Windows ABI which does not support this. As a result, interrupt > handlers in EFI push their interrupt frames directly on top of the > stack pointer. If the compiler used the red zone in a function in the > EFI loader, then a device interrupt that occurred while that function > was running could trash its local variables. In practice this happens > fairly reliable when using gzipfs as an interrupt during decompression > can trash the local variables in the inflate_table() function > resulting in corrupted output or hangs. > > Fix this by disabling the redzone for amd64 EFI binaries. This > requires building not only the loader but any libraries used by the > loader without redzone support. > > Thanks to Jilles for pointing me at the redzone once I found the stack > corruption. Note that without this, gzipfs was effectively useless in the EFI loader for any non-trivial cases (it was even useless in my trivial cases during testing, but there might be some trivial case (zero-byte file or some such) that can be decompressed quickly enough to not trigger a device interrupt). Also, while the redzone is cute and all, it seems to me that it is very impractical for any ring 0 context. Specifically, the CPU doesn't know anything about it, and any interrupt or exception in ring 0 is going to push the hardware-defined bits of the frame (%rip, etc.) on top of the stack pointer overwriting part of the redzone. (Our kernel is built with -mno-red-zone as well.) You could perhaps always use a dedicated stack for all interrupts and faults via IST, but any nesting there would result in reusing a stack if you aren't careful (e.g. a fault in interrupt context). I suppose it might work to have one IST entry for device interrupts, a second for most faults / exceptions, and a third for double faults (double faults generally need a dedicated stack regardless). Of course, all these dedicated stacks would have to be per-CPU (as the double fault stack is) and any fault or interrupt would have to implicitly pin the thread for the duration (probably not a big deal). -- John Baldwin