Home Explore Help
Sign In
RISCI_ATOM
/
librecmc-gitorious
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 4dadd9eb6d
Branches Tags
librecmc-gitori...
/
target
/
linux
/
generic
/
patches-3.8
/
001-ARM-7668-1-fix-memset-related-crashes-caused-by-rece.patch

001-ARM-7668-1-fix-memset-related-crashes-caused-by-rece.patch 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250 
  1. From 455bd4c430b0c0a361f38e8658a0d6cb469942b5 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Ivan Djelic <ivan.djelic@parrot.com>
    3. 

  3. Date: Wed, 6 Mar 2013 20:09:27 +0100
    4. 

  4. Subject: [PATCH] ARM: 7668/1: fix memset-related crashes caused by recent GCC
    5. 

  5.  (4.7.2) optimizations
    6. 

  6. 

  7. Recent GCC versions (e.g. GCC-4.7.2) perform optimizations based on
    8. 

  8. assumptions about the implementation of memset and similar functions.
    9. 

  9. The current ARM optimized memset code does not return the value of
    10. 

  10. its first argument, as is usually expected from standard implementations.
    11. 

  11. 

  12. For instance in the following function:
    13. 

  13. 

  14. void debug_mutex_lock_common(struct mutex *lock, struct mutex_waiter *waiter)
    15. 

  15. {
    16. 

  16. 	memset(waiter, MUTEX_DEBUG_INIT, sizeof(*waiter));
    17. 

  17. 	waiter->magic = waiter;
    18. 

  18. 	INIT_LIST_HEAD(&waiter->list);
    19. 

  19. }
    20. 

  20. 

  21. compiled as:
    22. 

  22. 

  23. 800554d0 <debug_mutex_lock_common>:
    24. 

  24. 800554d0:       e92d4008        push    {r3, lr}
    25. 

  25. 800554d4:       e1a00001        mov     r0, r1
    26. 

  26. 800554d8:       e3a02010        mov     r2, #16 ; 0x10
    27. 

  27. 800554dc:       e3a01011        mov     r1, #17 ; 0x11
    28. 

  28. 800554e0:       eb04426e        bl      80165ea0 <memset>
    29. 

  29. 800554e4:       e1a03000        mov     r3, r0
    30. 

  30. 800554e8:       e583000c        str     r0, [r3, #12]
    31. 

  31. 800554ec:       e5830000        str     r0, [r3]
    32. 

  32. 800554f0:       e5830004        str     r0, [r3, #4]
    33. 

  33. 800554f4:       e8bd8008        pop     {r3, pc}
    34. 

  34. 

  35. GCC assumes memset returns the value of pointer 'waiter' in register r0; causing
    36. 

  36. register/memory corruptions.
    37. 

  37. 

  38. This patch fixes the return value of the assembly version of memset.
    39. 

  39. It adds a 'mov' instruction and merges an additional load+store into
    40. 

  40. existing load/store instructions.
    41. 

  41. For ease of review, here is a breakdown of the patch into 4 simple steps:
    42. 

  42. 

  43. Step 1
    44. 

  44. ======
    45. 

  45. Perform the following substitutions:
    46. 

  46. ip -> r8, then
    47. 

  47. r0 -> ip,
    48. 

  48. and insert 'mov ip, r0' as the first statement of the function.
    49. 

  49. At this point, we have a memset() implementation returning the proper result,
    50. 

  50. but corrupting r8 on some paths (the ones that were using ip).
    51. 

  51. 

  52. Step 2
    53. 

  53. ======
    54. 

  54. Make sure r8 is saved and restored when (! CALGN(1)+0) == 1:
    55. 

  55. 

  56. save r8:
    57. 

  57. -       str     lr, [sp, #-4]!
    58. 

  58. +       stmfd   sp!, {r8, lr}
    59. 

  59. 

  60. and restore r8 on both exit paths:
    61. 

  61. -       ldmeqfd sp!, {pc}               @ Now <64 bytes to go.
    62. 

  62. +       ldmeqfd sp!, {r8, pc}           @ Now <64 bytes to go.
    63. 

  63. (...)
    64. 

  64.         tst     r2, #16
    65. 

  65.         stmneia ip!, {r1, r3, r8, lr}
    66. 

  66. -       ldr     lr, [sp], #4
    67. 

  67. +       ldmfd   sp!, {r8, lr}
    68. 

  68. 

  69. Step 3
    70. 

  70. ======
    71. 

  71. Make sure r8 is saved and restored when (! CALGN(1)+0) == 0:
    72. 

  72. 

  73. save r8:
    74. 

  74. -       stmfd   sp!, {r4-r7, lr}
    75. 

  75. +       stmfd   sp!, {r4-r8, lr}
    76. 

  76. 

  77. and restore r8 on both exit paths:
    78. 

  78.         bgt     3b
    79. 

  79. -       ldmeqfd sp!, {r4-r7, pc}
    80. 

  80. +       ldmeqfd sp!, {r4-r8, pc}
    81. 

  81. (...)
    82. 

  82.         tst     r2, #16
    83. 

  83.         stmneia ip!, {r4-r7}
    84. 

  84. -       ldmfd   sp!, {r4-r7, lr}
    85. 

  85. +       ldmfd   sp!, {r4-r8, lr}
    86. 

  86. 

  87. Step 4
    88. 

  88. ======
    89. 

  89. Rewrite register list "r4-r7, r8" as "r4-r8".
    90. 

  90. 

  91. Signed-off-by: Ivan Djelic <ivan.djelic@parrot.com>
    92. 

  92. Reviewed-by: Nicolas Pitre <nico@linaro.org>
    93. 

  93. Signed-off-by: Dirk Behme <dirk.behme@gmail.com>
    94. 

  94. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    95. 

  95. ---
    96. 

  96.  arch/arm/lib/memset.S | 85 ++++++++++++++++++++++++++-------------------------
    97. 

  97.  1 file changed, 44 insertions(+), 41 deletions(-)
    98. 

  98. 

  99. --- a/arch/arm/lib/memset.S
    100. 

  100. +++ b/arch/arm/lib/memset.S
    101. 

  101. @@ -19,9 +19,9 @@
    102. 

  102.  1:	subs	r2, r2, #4		@ 1 do we have enough
    103. 

  103.  	blt	5f			@ 1 bytes to align with?
    104. 

  104.  	cmp	r3, #2			@ 1
    105. 

  105. -	strltb	r1, [r0], #1		@ 1
    106. 

  106. -	strleb	r1, [r0], #1		@ 1
    107. 

  107. -	strb	r1, [r0], #1		@ 1
    108. 

  108. +	strltb	r1, [ip], #1		@ 1
    109. 

  109. +	strleb	r1, [ip], #1		@ 1
    110. 

  110. +	strb	r1, [ip], #1		@ 1
    111. 

  111.  	add	r2, r2, r3		@ 1 (r2 = r2 - (4 - r3))
    112. 

  112.  /*
    113. 

  113.   * The pointer is now aligned and the length is adjusted.  Try doing the
    114. 

  114. @@ -29,10 +29,14 @@
    115. 

  115.   */
    116. 

  116.  
    117. 

  117.  ENTRY(memset)
    118. 

  118. -	ands	r3, r0, #3		@ 1 unaligned?
    119. 

  119. +/*
    120. 

  120. + * Preserve the contents of r0 for the return value.
    121. 

  121. + */
    122. 

  122. +	mov	ip, r0
    123. 

  123. +	ands	r3, ip, #3		@ 1 unaligned?
    124. 

  124.  	bne	1b			@ 1
    125. 

  125.  /*
    126. 

  126. - * we know that the pointer in r0 is aligned to a word boundary.
    127. 

  127. + * we know that the pointer in ip is aligned to a word boundary.
    128. 

  128.   */
    129. 

  129.  	orr	r1, r1, r1, lsl #8
    130. 

  130.  	orr	r1, r1, r1, lsl #16
    131. 

  131. @@ -43,29 +47,28 @@ ENTRY(memset)
    132. 

  132.  #if ! CALGN(1)+0
    133. 

  133.  
    134. 

  134.  /*
    135. 

  135. - * We need an extra register for this loop - save the return address and
    136. 

  136. - * use the LR
    137. 

  137. + * We need 2 extra registers for this loop - use r8 and the LR
    138. 

  138.   */
    139. 

  139. -	str	lr, [sp, #-4]!
    140. 

  140. -	mov	ip, r1
    141. 

  141. +	stmfd	sp!, {r8, lr}
    142. 

  142. +	mov	r8, r1
    143. 

  143.  	mov	lr, r1
    144. 

  144.  
    145. 

  145.  2:	subs	r2, r2, #64
    146. 

  146. -	stmgeia	r0!, {r1, r3, ip, lr}	@ 64 bytes at a time.
    147. 

  147. -	stmgeia	r0!, {r1, r3, ip, lr}
    148. 

  148. -	stmgeia	r0!, {r1, r3, ip, lr}
    149. 

  149. -	stmgeia	r0!, {r1, r3, ip, lr}
    150. 

  150. +	stmgeia	ip!, {r1, r3, r8, lr}	@ 64 bytes at a time.
    151. 

  151. +	stmgeia	ip!, {r1, r3, r8, lr}
    152. 

  152. +	stmgeia	ip!, {r1, r3, r8, lr}
    153. 

  153. +	stmgeia	ip!, {r1, r3, r8, lr}
    154. 

  154.  	bgt	2b
    155. 

  155. -	ldmeqfd	sp!, {pc}		@ Now <64 bytes to go.
    156. 

  156. +	ldmeqfd	sp!, {r8, pc}		@ Now <64 bytes to go.
    157. 

  157.  /*
    158. 

  158.   * No need to correct the count; we're only testing bits from now on
    159. 

  159.   */
    160. 

  160.  	tst	r2, #32
    161. 

  161. -	stmneia	r0!, {r1, r3, ip, lr}
    162. 

  162. -	stmneia	r0!, {r1, r3, ip, lr}
    163. 

  163. +	stmneia	ip!, {r1, r3, r8, lr}
    164. 

  164. +	stmneia	ip!, {r1, r3, r8, lr}
    165. 

  165.  	tst	r2, #16
    166. 

  166. -	stmneia	r0!, {r1, r3, ip, lr}
    167. 

  167. -	ldr	lr, [sp], #4
    168. 

  168. +	stmneia	ip!, {r1, r3, r8, lr}
    169. 

  169. +	ldmfd	sp!, {r8, lr}
    170. 

  170.  
    171. 

  171.  #else
    172. 

  172.  
    173. 

  173. @@ -74,54 +77,54 @@ ENTRY(memset)
    174. 

  174.   * whole cache lines at once.
    175. 

  175.   */
    176. 

  176.  
    177. 

  177. -	stmfd	sp!, {r4-r7, lr}
    178. 

  178. +	stmfd	sp!, {r4-r8, lr}
    179. 

  179.  	mov	r4, r1
    180. 

  180.  	mov	r5, r1
    181. 

  181.  	mov	r6, r1
    182. 

  182.  	mov	r7, r1
    183. 

  183. -	mov	ip, r1
    184. 

  184. +	mov	r8, r1
    185. 

  185.  	mov	lr, r1
    186. 

  186.  
    187. 

  187.  	cmp	r2, #96
    188. 

  188. -	tstgt	r0, #31
    189. 

  189. +	tstgt	ip, #31
    190. 

  190.  	ble	3f
    191. 

  191.  
    192. 

  192. -	and	ip, r0, #31
    193. 

  193. -	rsb	ip, ip, #32
    194. 

  194. -	sub	r2, r2, ip
    195. 

  195. -	movs	ip, ip, lsl #(32 - 4)
    196. 

  196. -	stmcsia	r0!, {r4, r5, r6, r7}
    197. 

  197. -	stmmiia	r0!, {r4, r5}
    198. 

  198. -	tst	ip, #(1 << 30)
    199. 

  199. -	mov	ip, r1
    200. 

  200. -	strne	r1, [r0], #4
    201. 

  201. +	and	r8, ip, #31
    202. 

  202. +	rsb	r8, r8, #32
    203. 

  203. +	sub	r2, r2, r8
    204. 

  204. +	movs	r8, r8, lsl #(32 - 4)
    205. 

  205. +	stmcsia	ip!, {r4, r5, r6, r7}
    206. 

  206. +	stmmiia	ip!, {r4, r5}
    207. 

  207. +	tst	r8, #(1 << 30)
    208. 

  208. +	mov	r8, r1
    209. 

  209. +	strne	r1, [ip], #4
    210. 

  210.  
    211. 

  211.  3:	subs	r2, r2, #64
    212. 

  212. -	stmgeia	r0!, {r1, r3-r7, ip, lr}
    213. 

  213. -	stmgeia	r0!, {r1, r3-r7, ip, lr}
    214. 

  214. +	stmgeia	ip!, {r1, r3-r8, lr}
    215. 

  215. +	stmgeia	ip!, {r1, r3-r8, lr}
    216. 

  216.  	bgt	3b
    217. 

  217. -	ldmeqfd	sp!, {r4-r7, pc}
    218. 

  218. +	ldmeqfd	sp!, {r4-r8, pc}
    219. 

  219.  
    220. 

  220.  	tst	r2, #32
    221. 

  221. -	stmneia	r0!, {r1, r3-r7, ip, lr}
    222. 

  222. +	stmneia	ip!, {r1, r3-r8, lr}
    223. 

  223.  	tst	r2, #16
    224. 

  224. -	stmneia	r0!, {r4-r7}
    225. 

  225. -	ldmfd	sp!, {r4-r7, lr}
    226. 

  226. +	stmneia	ip!, {r4-r7}
    227. 

  227. +	ldmfd	sp!, {r4-r8, lr}
    228. 

  228.  
    229. 

  229.  #endif
    230. 

  230.  
    231. 

  231.  4:	tst	r2, #8
    232. 

  232. -	stmneia	r0!, {r1, r3}
    233. 

  233. +	stmneia	ip!, {r1, r3}
    234. 

  234.  	tst	r2, #4
    235. 

  235. -	strne	r1, [r0], #4
    236. 

  236. +	strne	r1, [ip], #4
    237. 

  237.  /*
    238. 

  238.   * When we get here, we've got less than 4 bytes to zero.  We
    239. 

  239.   * may have an unaligned pointer as well.
    240. 

  240.   */
    241. 

  241.  5:	tst	r2, #2
    242. 

  242. -	strneb	r1, [r0], #1
    243. 

  243. -	strneb	r1, [r0], #1
    244. 

  244. +	strneb	r1, [ip], #1
    245. 

  245. +	strneb	r1, [ip], #1
    246. 

  246.  	tst	r2, #1
    247. 

  247. -	strneb	r1, [r0], #1
    248. 

  248. +	strneb	r1, [ip], #1
    249. 

  249.  	mov	pc, lr
    250. 

  250.  ENDPROC(memset)
    251.