Syzbot has been reporting the problem of stack-out-of-bounds in
profile_pc for a long time:
https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3
profile_pc will get return address for caller if current function
is lock function. For !CONFIG_FRAME_POINTER it uses a hack way to get
the caller by directly reading sp[0] or sp [1].
It not works when KASAN is enabled because KASAN pushes data on stack
which makes sp[0/1] become KASAN red zone. Then profile_pc reads wrong
memory and triggers KASAN warning frequently.
This hack might be ok when first added at 2006 but now it's different:
1. There are some lock functions which have frame longer than two stack
slots. For these functions sp[0/1] is not a legal return address even
KASAN is not enabled.
2. !CONFIG_FRAME_POINTER is more used today because UNWINDER_ORC.
3. Lock function caller information can be prfiled by perf better.
Since profile as a low level facility it's not proper to depend on
complex generic unwinder to get the next frame. As lock profiling is
no longer useful, it's fine to remove it.
Fixes: 0cb91a229364 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels")
Suggested-by: Andi Kleen <[email protected]>
Signed-off-by: Chen Zhongjin <[email protected]>
---
v1->v2:
Make a more detailed commit log.
v2->v3:
Also remove if for FRAME_POINTER case; slightly fix the commit log.
---
arch/x86/kernel/time.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
index e42faa792c07..52e1f3f0b361 100644
--- a/arch/x86/kernel/time.c
+++ b/arch/x86/kernel/time.c
@@ -27,25 +27,7 @@
unsigned long profile_pc(struct pt_regs *regs)
{
- unsigned long pc = instruction_pointer(regs);
-
- if (!user_mode(regs) && in_lock_functions(pc)) {
-#ifdef CONFIG_FRAME_POINTER
- return *(unsigned long *)(regs->bp + sizeof(long));
-#else
- unsigned long *sp = (unsigned long *)regs->sp;
- /*
- * Return address is either directly at stack pointer
- * or above a saved flags. Eflags has bits 22-31 zero,
- * kernel addresses don't.
- */
- if (sp[0] >> 22)
- return sp[0];
- if (sp[1] >> 22)
- return sp[1];
-#endif
- }
- return pc;
+ return instruction_pointer(regs);
}
EXPORT_SYMBOL(profile_pc);
--
2.17.1
On Sun, Apr 23, 2023 at 09:27:44AM +0800, Chen Zhongjin wrote:
> Syzbot has been reporting the problem of stack-out-of-bounds in
> profile_pc for a long time:
> https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3
>
> profile_pc will get return address for caller if current function
> is lock function. For !CONFIG_FRAME_POINTER it uses a hack way to get
> the caller by directly reading sp[0] or sp [1].
> It not works when KASAN is enabled because KASAN pushes data on stack
> which makes sp[0/1] become KASAN red zone. Then profile_pc reads wrong
> memory and triggers KASAN warning frequently.
>
> This hack might be ok when first added at 2006 but now it's different:
>
> 1. There are some lock functions which have frame longer than two stack
> slots. For these functions sp[0/1] is not a legal return address even
> KASAN is not enabled.
> 2. !CONFIG_FRAME_POINTER is more used today because UNWINDER_ORC.
> 3. Lock function caller information can be prfiled by perf better.
>
> Since profile as a low level facility it's not proper to depend on
> complex generic unwinder to get the next frame. As lock profiling is
> no longer useful, it's fine to remove it.
In that case we can remove the in_lock_functions() check from all the
other arches' implementations of profile_pc().
--
Josh