Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp741474pxb; Tue, 14 Sep 2021 07:48:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzmMCWesaD+eYuURAznngtkdjzsEdMHVpwr6dDBYkuUaE1OD6hW+Xvblzbee/yBVj9NUe5c X-Received: by 2002:a05:6512:3341:: with SMTP id y1mr13461116lfd.6.1631630905123; Tue, 14 Sep 2021 07:48:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631630905; cv=none; d=google.com; s=arc-20160816; b=LYcZ55ZlvLUvJaVXaOGfsbFnGhr0WOccq3iu4Pa9t9M3KBmBzSm6lA6pblTaBsEFiy pMDMZ9Vhy9LnvaKWRCmCJrDgtGGAes67aYZUV0MlwHBFcfizJFjdPQfGu6Ie+NliDrDV 1zUDh412oiaP5ZQBQyYiVIvUUqJAICYLnkocIxbvpsRieQBbx6QHPO56FCcWQa8Fv7AC C1g0zRFUWhdMm0hE7KmbLIcKQ9g6nBpN4HVD7s52Mf1ie8XtUTVpA7wdlnp2QJqumArz /a4tl0zxMqHHHPcUMqelPPeOj/t61lbeXPpNP+aCM5SZ77HZJuP/oH3kyot8Fyu59RD8 jn6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=YkwNn8/Rr01RdPrkEArAAbdKClc69CA7zVYYRT4Q+gs=; b=Ng0+FmA7j/1GjS3PLm/oFI5VRr9Go6OzmSAvJYjoUbxeeAxdNKlT6icIZpb2DEXVk6 xNVgq+GoVwGpnUmpLiGEROkWtTqlnfK4ukvFmsPjbSkoK0Wu5vWDT5LwHpnoCi0wjCmF GXb770DREBc7RvpYzf57qcf7BgnE23Uf16DOT3AeL5qSeUuein6cLzc7oo8BXoRZZOC3 McendRKrZZXfwfXX0udI1XjYqX7Xcw3lsxSvf1ZUGdKr5qCLlqwezNTQ8wF8oDtaQfu0 Cf1Lv7HympoyjjuD5dtvs0Nrs/SN3YhelwR6c6esrGyPDi0dj/5edVOVZbfOJeeIkrnv cmuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mCpDHh5L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o8si14749695ljp.225.2021.09.14.07.47.57; Tue, 14 Sep 2021 07:48:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mCpDHh5L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234879AbhINOox (ORCPT + 99 others); Tue, 14 Sep 2021 10:44:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:37716 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235303AbhINOoM (ORCPT ); Tue, 14 Sep 2021 10:44:12 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 746F460698; Tue, 14 Sep 2021 14:42:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1631630574; bh=vq57kfNtne2ZkfDVHujGhteCErzVm2gfEbZS/xIziG0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mCpDHh5Lm+mE8XL6aKyUPTMVSL/FmzJvwE6mT8TZHhAJpdtudU+Fmdf1NYwCF5Wg/ yMtm1hNCW/FWvD3vxVtP3fhXfKuZYG5Xi5TKvvr7zQRH0QbMLxtsuHXJS40XbMg8sM Mef5EapdnXdCXxXMUbRjWrszEqbEe3a7Db7qc0qlvjFzLvaMpmyaKHEeWEzfupp21Z oC2ilE47cptRJ9JGw4vAc8qJkwTN2Evp7p7vvW3W9xBCNuyidi127/0gBlqFK0qC90 zg7nUjLhD7E+kmGoE9Auwsj36Gg35ieD7zmxDCdlwbQofBQ7TZP1fDI4/0DjH2Kco2 qi9yyeM8YK9Iw== From: Masami Hiramatsu To: Steven Rostedt , Josh Poimboeuf , Ingo Molnar Cc: X86 ML , Masami Hiramatsu , Daniel Xu , linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kuba@kernel.org, mingo@redhat.com, ast@kernel.org, Thomas Gleixner , Borislav Petkov , Peter Zijlstra , kernel-team@fb.com, yhs@fb.com, linux-ia64@vger.kernel.org, Abhishek Sagar , Andrii Nakryiko , Paul McKenney Subject: [PATCH -tip v11 27/27] x86/kprobes: Fixup return address in generic trampoline handler Date: Tue, 14 Sep 2021 23:42:51 +0900 Message-Id: <163163057094.489837.9044470370440745866.stgit@devnote2> X-Mailer: git-send-email 2.25.1 In-Reply-To: <163163030719.489837.2236069935502195491.stgit@devnote2> References: <163163030719.489837.2236069935502195491.stgit@devnote2> User-Agent: StGit/0.19 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In x86, the fake return address on the stack saved by __kretprobe_trampoline() will be replaced with the real return address after returning from trampoline_handler(). Before fixing the return address, the real return address can be found in the 'current->kretprobe_instances'. However, since there is a window between updating the 'current->kretprobe_instances' and fixing the address on the stack, if an interrupt happens at that timing and the interrupt handler does stacktrace, it may fail to unwind because it can not get the correct return address from 'current->kretprobe_instances'. This will eliminate that window by fixing the return address right before updating 'current->kretprobe_instances'. Signed-off-by: Masami Hiramatsu Tested-by: Andrii Nakryiko --- Changes in v9: - Fixes the changelog. This can eliminate the window. - Add more comment how it works. Changes in v7: - Add a prototype for arch_kretprobe_fixup_return() --- arch/x86/kernel/kprobes/core.c | 18 ++++++++++++++++-- include/linux/kprobes.h | 3 +++ kernel/kprobes.c | 11 +++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index 7e1111c19605..fce99e249d61 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -1065,6 +1065,16 @@ NOKPROBE_SYMBOL(__kretprobe_trampoline); */ STACK_FRAME_NON_STANDARD_FP(__kretprobe_trampoline); +/* This is called from kretprobe_trampoline_handler(). */ +void arch_kretprobe_fixup_return(struct pt_regs *regs, + kprobe_opcode_t *correct_ret_addr) +{ + unsigned long *frame_pointer = ®s->sp + 1; + + /* Replace fake return address with real one. */ + *frame_pointer = (unsigned long)correct_ret_addr; +} + /* * Called from __kretprobe_trampoline */ @@ -1082,8 +1092,12 @@ __used __visible void trampoline_handler(struct pt_regs *regs) regs->sp += sizeof(long); frame_pointer = ®s->sp + 1; - /* Replace fake return address with real one. */ - *frame_pointer = kretprobe_trampoline_handler(regs, frame_pointer); + /* + * The return address at 'frame_pointer' is recovered by the + * arch_kretprobe_fixup_return() which called from the + * kretprobe_trampoline_handler(). + */ + kretprobe_trampoline_handler(regs, frame_pointer); /* * Copy FLAGS to 'pt_regs::sp' so that __kretprobe_trapmoline() diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h index 6d47a9da1e0a..e974caf39d3e 100644 --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -188,6 +188,9 @@ extern void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs); extern int arch_trampoline_kprobe(struct kprobe *p); +void arch_kretprobe_fixup_return(struct pt_regs *regs, + kprobe_opcode_t *correct_ret_addr); + void __kretprobe_trampoline(void); /* * Since some architecture uses structured function pointer, diff --git a/kernel/kprobes.c b/kernel/kprobes.c index ebc587b9a346..b62af9fc3607 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1922,6 +1922,15 @@ unsigned long kretprobe_find_ret_addr(struct task_struct *tsk, void *fp, } NOKPROBE_SYMBOL(kretprobe_find_ret_addr); +void __weak arch_kretprobe_fixup_return(struct pt_regs *regs, + kprobe_opcode_t *correct_ret_addr) +{ + /* + * Do nothing by default. Please fill this to update the fake return + * address on the stack with the correct one on each arch if possible. + */ +} + unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, void *frame_pointer) { @@ -1967,6 +1976,8 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, first = first->next; } + arch_kretprobe_fixup_return(regs, correct_ret_addr); + /* Unlink all nodes for this frame. */ first = current->kretprobe_instances.first; current->kretprobe_instances.first = node->next;