[CRIU] [PATCH 1/4] pie/x86_64: syscall clobbers rcx and r11

Tycho Andersen tycho.andersen at canonical.com
Tue Jun 16 06:20:56 PDT 2015 

On Tue, Jun 16, 2015 at 03:32:12PM +0300, Cyrill Gorcunov wrote:
> On Mon, Jun 15, 2015 at 03:50:34PM -0600, Tycho Andersen wrote:
> > o_O this is one of those "how has nobody ever hit this" bugs.
> > 
> > According to:
> > 
> > http://stackoverflow.com/questions/2535989/what-are-the-calling-conventions-for-unix-linux-system-calls-on-x86-64
> > 
> > syscall on x86_64 clobbers rcx and r11. We should mark these registers as
> > clobbered in RUN_CLONE_RESTORE_FN so that gcc avoids using them, e.g.:
> > 
> > ...<__export_restore_task>
> >     ...
> >     1894: 49 89 db              mov    r11,rbx
> >     1897: 4c 8d 4c 24 60        lea    r9,[rsp+0x60]
> >     189c: 48 89 eb              mov    rbx,rbp
> >     189f: 48 89 44 24 10        mov    QWORD PTR [rsp+0x10],rax
> >     18a4: 48 8d 44 24 30        lea    rax,[rsp+0x30]
> >     18a9: 48 89 44 24 18        mov    QWORD PTR [rsp+0x18],rax
> >     18ae: eb 53                 jmp    1903 <clone_end+0x15>
> > 
> > 00000000000018b0 <clone_emul>:
> >     18b0: 48 8b 74 24 08        mov    rsi,QWORD PTR [rsp+0x8]
> >     18b5: 48 83 ee 10           sub    rsi,0x10
> >     18b9: 48 89 ef              mov    rdi,rbp
> >     18bc: 48 89 7e 08           mov    QWORD PTR [rsi+0x8],rdi
> >     18c0: 49 8b 7b 20           mov    rdi,QWORD PTR [r11+0x20]
> >     18c4: 48 89 3e              mov    QWORD PTR [rsi],rdi
> >     18c7: 48 c7 c7 00 0d 05 00  mov    rdi,0x50d00
> >     18ce: 48 8b 54 24 18        mov    rdx,QWORD PTR [rsp+0x18]
> >     18d3: 4d 89 fa              mov    r10,r15
> >     18d6: b8 38 00 00 00        mov    eax,0x38
> >     18db: 0f 05                 syscall
> >     18dd: 48 85 c0              test   rax,rax
> >     18e0: 74 05                 je     18e7 <thread_run>
> >     18e2: 48 89 c5              mov    rbp,rax
> >     18e5: eb 07                 jmp    18ee <clone_end>
> > 
> > 00000000000018e7 <thread_run>:
> >     18e7: 48 31 ed              xor    rbp,rbp
> >     18ea: 58                    pop    rax
> >     18eb: 5f                    pop    rdi
> >     18ec: ff d0                 call   rax
> > 
> > 00000000000018ee <clone_end>:
> >     18ee: 41 83 c5 01           add    r13d,0x1
> >     18f2: 49 81 c7 00 8c 00 00  add    r15,0x8c00
> >     18f9: 45 39 6b 14           cmp    DWORD PTR [r11+0x14],r13d
> > 
> > will cause a seg fault because r11 is clobbered.
> 
> have you actually got sygsev here ever?

Yep :)

> this is a clone
> emulation which makes the kernel to allocate new registers
> set, iow once syscall is complete there will be two tasks
> one with former r11 and one with copy, the caller access
> unmodified/former r11 (upon syscall enter the kernel
> saves former pt-regs).

No, I don't think the caller has an unmodified r11 (or at least, given
the link above the interface is to clobber it).

> same time strictly speaking
> r11 is a temp register which is not callee saved
> so to be on safe side lets stick with your patch
> (rcx clobbering is useless here but let it be).

Ok, I just added rcx because the above link said it could be clobbered
too, but I can send a patch to remove it if you want.

Tycho

More information about the CRIU mailing list