Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4314974imu;
        Mon, 7 Jan 2019 20:48:14 -0800 (PST)
X-Google-Smtp-Source: ALg8bN7OM5IY4b1EDT4y203XnkZY9QyaS+ymLDYdbabuA9/To5uqRLqE/te4k5sqgAIWpW9egPyu
X-Received: by 2002:a63:9809:: with SMTP id q9mr235943pgd.109.1546922894509;
        Mon, 07 Jan 2019 20:48:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546922894; cv=none;
        d=google.com; s=arc-20160816;
        b=cWnehaonQeqbB9U8ivgSRVp/THbXjZHJg/Riu2DireDiXrqUqhgMFUp5WPVowr2xe9
         NR+h+gjKEO09B5yIOszMp3dCNq38T9wiENoDmQD7DxClsaw5elIMSRFCJk3VaWWOVrg6
         RznysUGHxg9AF+tUkvu2PA1tu7Gs5gD5WCpNVqz2vmvgHhsMT7HxYRZjo9roqTw4P4fl
         g2coBrxjMEtrRPJA4ZF+Gxc9H+qcVSMWnsfBA33qzm9gnMtMGxirpHWGuUtZMB7IDrHC
         jAq5nxnOSh01EGmrRAK07ydaS5SEEy7uCacc7DP9GwM0f6hi6ngclJsI6BHsvlHvPlPl
         bRBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:message-id:date:subject:cc:to:from:dkim-signature;
        bh=QkAUo8p5Acx0GjPfWCS6o90CIPlNmP5BeB0S/WQ01do=;
        b=v4olfJyeXbAAjgtXGc+fqCq5VWYtvMBNtajatx0V32ONwmnkIcbkbfLWegCbHkjpTs
         BP3PoM0I9I8+hpwqvUUmmkIfKXZIyaZS+BuVgBK9mmuSNtGDXpbZJBwxxrEpveH6cs9f
         77Ej1mxvy2XEamAl1RdJdpxnyg4FUEysER+5yyyTAFKoO9p1JfdBBAJn0VPq1An6U/0b
         2O3bSo1EyXyJn0iuoAZA0K47LLHUy4dfOtlpAyhdOnLVoi6t3It1gnkADFDeMDfK9cv5
         z9eAUcfkTNCAAXebd2JXlyUgpOUVxJFGFhWOv1fiOyq12pW3YckhOKBftVfBdjt8j1cw
         G4Og==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=JFSQIBfs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w12si19310351ply.404.2019.01.07.20.47.59;
        Mon, 07 Jan 2019 20:48:14 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=JFSQIBfs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727551AbfAHEoV (ORCPT <rfc822;parkch98@gmail.com> + 99 others);
        Mon, 7 Jan 2019 23:44:21 -0500
Received: from mail.kernel.org ([198.145.29.99]:52428 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727374AbfAHEoV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 Jan 2019 23:44:21 -0500
Received: from localhost.localdomain (NE2965lan1.rev.em-net.ne.jp [210.141.244.193])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D2C1B2087F;
        Tue,  8 Jan 2019 04:44:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1546922660;
        bh=v5nU2a3xaCgrR9VGbQtPWzhpekPikp+rMRzB33VfNAw=;
        h=From:To:Cc:Subject:Date:From;
        b=JFSQIBfsDpFw4G2lZTEV2TxIsT2yF/BaYWAb0Y1mxqAddtHLENw0B/Cn33eM80PzJ
         lfjlZl2BVeii3pblL1QBQa5FgzOPn8wYKTGEPjD20ojxMUx6j1rl51q24sU8WouCb5
         Pbyx6HN0XuD9Pc6It2D1UCyCUaMm6zgnLbt6j/CQ=
From:   Masami Hiramatsu <mhiramat@kernel.org>
To:     Ingo Molnar <mingo@redhat.com>
Cc:     Masami Hiramatsu <mhiramat@kernel.org>, peterz@infradead.org,
        Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Andrea Righi <righi.andrea@gmail.com>,
        Steven Rostedt <rostedt@goodmis.org>, stable@vger.kernel.org
Subject: [PATCH v2 0/3] kprobes: Fix kretprobe issues
Date:   Tue,  8 Jan 2019 13:43:55 +0900
Message-Id: <154692263564.1133.17363562046971295490.stgit@devbox>
X-Mailer: git-send-email 2.13.6
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

This is v2 series of fixing kretprobe incorrect stacking order patches.
In this version, I fixed a lack of kprobes.h including and added new
patch for kretprobe trampoline recursion issue. (and add Cc:stable)

(1) kprobe incorrct stacking order problem

On recent talk with Andrea, I started more precise investigation on
the kernel panic with kretprobes on notrace functions, which Francis
had been reported last year ( https://lkml.org/lkml/2017/7/14/466 ).

See the investigation details in 
https://lkml.kernel.org/r/154686789378.15479.2886543882215785247.stgit@devbox

When we put a kretprobe on ftrace_ops_assist_func() and put another
kretprobe on probed-function, below happens

<caller>
 -><probed-function>
   ->fentry
    ->ftrace_ops_assist_func()
     ->int3
      ->kprobe_int3_handler()
      ...->pre_handler_kretprobe()
           push the return address (*fentry*) of ftrace_ops_assist_func() to
           top of the kretprobe list and replace it with kretprobe_trampoline.
      <-kprobe_int3_handler()
     <-(int3)
     ->kprobe_ftrace_handler()
      ...->pre_handler_kretprobe()
           push the return address (caller) of probed-function to top of the
           kretprobe list and replace it with kretprobe_trampoline.
     <-(kprobe_ftrace_handler())
    <-(ftrace_ops_assist_func())
    [kretprobe_trampoline]
     ->tampoline_handler()
       pop the return address (caller) from top of the kretprobe list
     <-(trampoline_handler())
    <caller>
    [run caller with incorrect stack information]
   <-(<caller>)
  !!KERNEL PANIC!!

Therefore, this kernel panic happens only when we put 2 k*ret*probes on
ftrace_ops_assist_func() and other functions. If we put kprobes, it
doesn't cause any issue, since it doesn't change the return address.

To fix (or just avoid) this issue, we can introduce a frame pointer
verification to skip wrong order entries. And I also would like to
blacklist those functions because those are part of ftrace-based 
kprobe handling routine.

(2) kretprobe trampoline recursion problem

This was found by Andrea in the previous thread
https://lkml.kernel.org/r/20190107183444.GA5966@xps-13

----
 echo "r:event_1 __fdget" >> kprobe_events
 echo "r:event_2 _raw_spin_lock_irqsave" >> kprobe_events
 echo 1 > events/kprobes/enable
 [DEADLOCK]
----

Because kretprobe trampoline_handler uses spinlock for protecting
hash table, if we probe the spinlock itself, it causes deadlock.
Thank you Andrea and Steve for discovering this root cause!!

This bug has been introduced with the asm-coded trampoline
code, since previously it used another kprobe for hooking
the function return placeholder (which only has a nop) and
trampoline handler was called from that kprobe.

To fix this bug, I introduced a dummy kprobe and set it in
current_kprobe as we did in old days.

Thank you,

---

Masami Hiramatsu (3):
      x86/kprobes: Verify stack frame on kretprobe
      kprobes: Mark ftrace mcount handler functions nokprobe
      x86/kprobes: Fix to avoid kretprobe recursion


 arch/x86/kernel/kprobes/core.c |   48 ++++++++++++++++++++++++++++++++++++++--
 include/linux/kprobes.h        |    1 +
 kernel/trace/ftrace.c          |    6 ++++-
 3 files changed, 52 insertions(+), 3 deletions(-)

--
Masami Hiramatsu (Linaro) <mhiramat@kernel.org>