Subject: Re: [RFC PATCH v3 2/4] arm64: Check the return PC against unreliable code sections
From: "Madhavan T. Venkataraman"
To: Mark Brown
Cc: jpoimboe@redhat.com, mark.rutland@arm.com, jthierry@redhat.com, catalin.marinas@arm.com, will@kernel.org, jmorris@namei.org, pasha.tatashin@soleen.com, linux-arm-kernel@lists.infradead.org, live-patching@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 4 May 2021 14:03:14 -0500
Message-ID: <1bd2b177-509a-21d9-e349-9b2388db45eb@linux.microsoft.com>
In-Reply-To: <20210504160508.GC7094@sirena.org.uk>
References: <65cf4dfbc439b010b50a0c46ec500432acde86d6> <20210503173615.21576-1-madvenka@linux.microsoft.com> <20210503173615.21576-3-madvenka@linux.microsoft.com> <20210504160508.GC7094@sirena.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/4/21 11:05 AM, Mark Brown wrote:
> On Mon, May 03, 2021 at 12:36:13PM -0500, madvenka@linux.microsoft.com wrote:
>> From: "Madhavan T. Venkataraman"
>>
>> Create a sym_code_ranges[] array to cover the following text sections that
>> contain functions defined as SYM_CODE_*(). These functions are low-level
>
> This makes sense to me - a few bikesheddy comments below but nothing
> really substantive.
>

OK.

>> +static struct code_range *lookup_range(unsigned long pc)
>
> This feels like it should have a prefix on the name (eg, unwinder_)
> since it looks collision prone. Or lookup_code_range() rather than just
> plain lookup_range().
>

I will add the prefix.

>> +{
>> + struct code_range *range;
>> +
>> + for (range = sym_code_ranges; range->start; range++) {
>
> It seems more idiomatic to use ARRAY_SIZE() rather than a sentinel here,
> the array can't be empty.
>

If there is a match, I return the matched range. Else, I return the sentinel.
This is just so I don't have to check for range == NULL after calling
lookup_range(). I will change it to what you have suggested and check for
NULL explicitly. It is not a problem.

>> + range = lookup_range(frame->pc);
>> +
>> #ifdef CONFIG_FUNCTION_GRAPH_TRACER
>> if (tsk->ret_stack &&
>> frame->pc == (unsigned long)return_to_handler) {
>> @@ -118,9 +160,21 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame)
>> return -EINVAL;
>> frame->pc = ret_stack->ret;
>> frame->pc = ptrauth_strip_insn_pac(frame->pc);
>> + return 0;
>> }
>
> Do we not need to look up the range of the restored pc and validate
> what's being pointed to here? It's not immediately obvious why we do
> the lookup before handling the function graph tracer, especially given
> that we never look at the result and there's now a return added skipping
> further reliability checks. At the very least I think this needs some
> additional comments so the code is more obvious.

I want sym_code_ranges[] to contain both unwindable and non-unwindable
ranges. Unwindable ranges will be special ranges such as the
return_to_handler() and kretprobe_trampoline() functions for which the
unwinder has (or will have) special code to unwind. So, the lookup_range()
has to happen before the function graph code.

Please look at the last patch in the series for the fix for the above
function graph code.

On the question of "should the original return address be checked against
sym_code_ranges[]?" - I assumed that if there is a function graph trace on
a function, it had to be an ftraceable function. It would not be a part of
sym_code_ranges[]. Is that a wrong assumption on my part?

Madhavan
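Review bot: In the `lookup_range()` hunk, both the return type and the `range` iterator are non-const `struct code_range *`, although `sym_code_ranges[]` is a fixed table of text-section bounds that no caller should modify; returning `const struct code_range *` (and declaring the array `const`) lets the compiler enforce that intent. The loop condition `range->start` also treats a zero start address as the terminator, so an entry whose `start` was accidentally left at 0 would silently truncate the search; bounding the loop with ARRAY_SIZE(sym_code_ranges), as already suggested, removes that failure mode together with the sentinel entry.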
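Review bot: In the `@@ -118,9 +160,21 @@` hunk, the added `return 0;` leaves the function right after `frame->pc = ptrauth_strip_insn_pac(frame->pc);` while `range` still holds the `lookup_range()` result for `return_to_handler`, not for the restored `ret_stack->ret`; any reliability check placed after this block that consults `range` would therefore be judging the trampoline rather than the real return address. If the intended invariant is that a function-graph-traced function is ftraceable and so never inside `sym_code_ranges[]`, state it in a comment at the early return, and consider re-running the lookup on the restored pc so that the invariant is checked rather than assumed.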