From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Masami Hiramatsu, Andrea Righi, Steven Rostedt, Linus Torvalds, Mathieu Desnoyers, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Sasha Levin
Subject: [PATCH AUTOSEL 4.14 95/95] x86/kprobes: Avoid kretprobe recursion bug
Date: Tue, 7 May 2019 01:38:24 -0400
Message-Id: <20190507053826.31622-95-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190507053826.31622-1-sashal@kernel.org>
References: <20190507053826.31622-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Masami Hiramatsu

[ Upstream commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 ]

Avoid kretprobe recursion loop bug by setting a dummy kprobe to the current_kprobe per-CPU variable.

This bug has been introduced with the asm-coded trampoline code, since previously it used another kprobe for hooking the function return placeholder (which only has a nop) and the trampoline handler was called from that kprobe.

This revives the old lost kprobe again.

With this fix, we don't see the deadlock anymore. And you can see that all inner-called kretprobes are skipped.

  event_1        235         0
  event_2      19375     19612

The 1st column is the recorded count and the 2nd is the missed count. The above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed) (some differences are here because the counter is racy).

Reported-by: Andrea Righi
Tested-by: Andrea Righi
Signed-off-by: Masami Hiramatsu
Acked-by: Steven Rostedt
Cc: Linus Torvalds
Cc: Mathieu Desnoyers
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: stable@vger.kernel.org
Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
Signed-off-by: Ingo Molnar
Signed-off-by: Sasha Levin --- arch/x86/kernel/kprobes/core.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index 56cf6c263254..9d7bb8de2917 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -744,11 +744,16 @@ asm( NOKPROBE_SYMBOL(kretprobe_trampoline); STACK_FRAME_NON_STANDARD(kretprobe_trampoline); +static struct kprobe kretprobe_kprobe = { + .addr = (void *)kretprobe_trampoline, +}; + /* * Called from kretprobe_trampoline */ __visible __used void *trampoline_handler(struct pt_regs *regs) { + struct kprobe_ctlblk *kcb; struct kretprobe_instance *ri = NULL; struct hlist_head *head, empty_rp; struct hlist_node *tmp; @@ -758,6 +763,17 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) void *frame_pointer; bool skipped = false; + preempt_disable(); + + /* + * Set a dummy kprobe for avoiding kretprobe recursion. + * Since kretprobe never run in kprobe handler, kprobe must not + * be running at this point. + */ + kcb = get_kprobe_ctlblk(); + __this_cpu_write(current_kprobe, &kretprobe_kprobe); + kcb->kprobe_status = KPROBE_HIT_ACTIVE; + INIT_HLIST_HEAD(&empty_rp); kretprobe_hash_lock(current, &head, &flags); /* fixup registers */ @@ -833,10 +849,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) orig_ret_address = (unsigned long)ri->ret_addr; if (ri->rp && ri->rp->handler) { __this_cpu_write(current_kprobe, &ri->rp->kp); - get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; ri->ret_addr = correct_ret_addr; ri->rp->handler(ri, regs); - __this_cpu_write(current_kprobe, NULL); + __this_cpu_write(current_kprobe, &kretprobe_kprobe); } recycle_rp_inst(ri, &empty_rp); 
@@ -852,6 +867,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) kretprobe_hash_unlock(current, &flags); + __this_cpu_write(current_kprobe, NULL); + preempt_enable(); + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { hlist_del(&ri->hlist); kfree(ri); -- 2.20.1
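Review bot: The new static `kretprobe_kprobe` in the first hunk (@@ -744,11 +744,16) is a placeholder that is never registered and carries only `.addr = (void *)kretprobe_trampoline`, so its pre_handler/post_handler are NULL; a one-line comment above the definition saying it must never be passed to register_kprobe() or treated as a real probe, and that `.addr` is set so that anything inspecting current_kprobe->addr during the trampoline sees kretprobe_trampoline, would keep a future reader from reusing it as a real probe.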
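Review bot: In the second hunk (@@ -758,6 +763,17) the comment asserts that no kprobe can be running at this point, but the code relies on that silently: `__this_cpu_write(current_kprobe, &kretprobe_kprobe);` would overwrite an active probe if the assumption ever broke. A `WARN_ON_ONCE(kprobe_running());` just before the write would make a violation visible instead of masking it. Also, the `preempt_disable();` here is what makes the per-CPU current_kprobe and kprobe_status writes safe, and the matching `preempt_enable();` only appears in the last hunk, so any early return introduced between them would leak a disabled preempt count; that invariant deserves a comment at the disable site.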
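Review bot: In the third hunk (@@ -833,10 +849,9) the restore to `&kretprobe_kprobe` rather than NULL after `ri->rp->handler(ri, regs);` is the line that makes a kretprobe firing from inside a handler be rejected and counted as missed (the event_2 numbers in the commit message), and dropping the per-instance `kprobe_status = KPROBE_HIT_ACTIVE` write is only correct because the status is now set once at entry and handlers are not expected to change it. A short comment at the restore site explaining that the dummy stays in place until the hash unlock would save the next reader from wondering why the NULL write was removed.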
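Review bot: In the last hunk (@@ -852,6 +867,9) the order unlock, clear current_kprobe, preempt_enable, then free the empty_rp instances is right, since the kfree loop touches no per-CPU probe state and the raw spinlock is released before preemption is re-enabled. The cleanup must run on every exit path, though: the visible hunks show only a single fall-through, so the region elided between the second and third hunks should be checked for any early return that would skip the `__this_cpu_write(current_kprobe, NULL);` and leave the dummy probe and disabled preemption in place.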