Subject: Re: Kernel stack read with PTRACE_EVENT_EXIT and io_uring threads
From: Michael Schmitz
Date: Mon, 14 Jun 2021 14:05:38 +1200
To: Linus Torvalds, "Eric W. Biederman"
Cc: linux-arch, Jens Axboe, Oleg Nesterov, Al Viro, Linux Kernel Mailing List, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Geert Uytterhoeven, linux-m68k, Arnd Bergmann, Ley Foon Tan, Tejun Heo, Daniel Jacobowitz, Kees Cook
Message-ID: <6e47eff8-d0a4-8390-1222-e975bfbf3a65@gmail.com>
References: <87sg1p30a1.fsf@disp2133> <87pmwsytb3.fsf@disp2133> <87sg1lwhvm.fsf@disp2133>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Linus,

On 14/06/21 10:18 am, Linus Torvalds wrote:
> On Sun, Jun 13, 2021 at 2:55 PM Eric W. Biederman wrote:
>> The alpha_switch_to will remove the extra registers from the stack and
>> then call ret which, if I understand alpha assembly correctly, is
>> equivalent to jumping to where $26 points. Which is
>> ret_from_kernel_thread (as set up by copy_thread).
>>
>> Which leaves ret_from_kernel_thread and everything it calls without
>> the extra context saved on the stack.
> Uhhuh. Right you are, I think. It's been ages since I worked on that
> code and my alpha handbook is somewhere else, but yes, when
> alpha_switch_to() has context-switched to the new PCB state, it will
> then pop those registers in the new context and return.
>
> So we do set up the right stack frame for the worker thread, but as
> you point out, it then gets used up immediately when running. So by
> the time the IO worker thread calls get_signal(), it's no longer
> useful.
>
> How very annoying.
>
> The (obviously UNTESTED) patch might be something like the attached.
>
> I wouldn't be surprised if m68k has the exact same thing for the exact
> same reason, but I didn't check..
m68k is indeed similar, it has:

        if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
                /* kernel thread */
                memset(frame, 0, sizeof(struct fork_frame));
                frame->regs.sr = PS_S;
                frame->sw.a3 = usp; /* function */
                frame->sw.d7 = arg;
                frame->sw.retpc = (unsigned long)ret_from_kernel_thread;
                p->thread.usp = 0;
                return 0;
        }

so a similar patch should be possible.

Cheers,

    Michael

>
> Linus