Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp2595699pxb; Mon, 18 Apr 2022 04:23:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyIC9KR9czdI/zSI0c1pVNUS7sc4Odxw5Fnf06nBV4KxpH7Cu1tq+DYHXqc3qrZ6WvPXDvq X-Received: by 2002:a17:907:d06:b0:6e0:e2f5:4f55 with SMTP id gn6-20020a1709070d0600b006e0e2f54f55mr8992799ejc.618.1650281019719; Mon, 18 Apr 2022 04:23:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650281019; cv=none; d=google.com; s=arc-20160816; b=PTwWs2oeeBxZMrDhSw/dkQAkxQysUuOfE+DRpdC2UpDNGcqZJPjP8UpgVJoHp+TqWo piqFnrTS8ovbQ5ZzkNhN2v6mGfjQAZ+KXu/FzRfQKgm0N4O7D24Ur8io4iALcZ0O7Dg+ DfKNPWGn2jBekMSllyOm1CGpJiVOYjEFQpPlwqSYWQTfbOj3VSkD89qaxuKc2P9UguqV v9eVIyU2+urMNsXtMipywRCPyS32FiVBAMWTk4eRcKPq8lI1VzfLapAMPXHK87KU/JaJ wY7o/jp87HKPF7s0cj955D46BCh7uxDiqg1i6iacAOpiFAoHvLL1HNyoxFOGTB91P4zP 9LCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from; bh=leYTfUBStXbCy7xmoJTBaeSIDatzEF7reDyVFdwh/cc=; b=lyv9ecogC2nLh6u85Mmvr4Axdg6bSLPhe6pQMmg40xb8ZzY8eBHSKZwj1+R3ApA0sv jUt/Uyw8NHwWcLvVTy9OcMry2wHHNK3KYIPvVR+zY6dWRe2GCgCtcAzqAiEh+TK1C4iw kmkJrmSYLJpVKq/S813KfTxPkFfNLF6Tu60poKfB6FovkE/wZ3UyLp6VJGgE4UBkCzhW /i2nztL/wMTuzUox1qg/2xNxMbWiIxC9chVL3wA7U0NPYosveWQ9DAwxLWTnQTeVmoKw tLEWkbyGs+csExauz3y++NEBMvzNqdAjrzf/nLsO1bpT/stO76swngGQQoBImSKQKXQn lYxQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex-team.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bi7-20020a170906a24700b006e881dba1c1si5897128ejb.458.2022.04.18.04.23.15; Mon, 18 Apr 2022 04:23:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex-team.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234178AbiDQNdb (ORCPT + 99 others); Sun, 17 Apr 2022 09:33:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36114 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229496AbiDQNd3 (ORCPT ); Sun, 17 Apr 2022 09:33:29 -0400 X-Greylist: delayed 439 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Sun, 17 Apr 2022 06:30:52 PDT Received: from forward300j.mail.yandex.net (forward300j.mail.yandex.net [5.45.198.244]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B053DFE8 for ; Sun, 17 Apr 2022 06:30:52 -0700 (PDT) Received: from iva5-7aaec7404f99.qloud-c.yandex.net (iva5-7aaec7404f99.qloud-c.yandex.net [IPv6:2a02:6b8:c0c:74a5:0:640:7aae:c740]) by forward300j.mail.yandex.net (Yandex) with ESMTP id 27FC17E4755; Sun, 17 Apr 2022 16:23:31 +0300 (MSK) Received: from kernel1.search.yandex.net (kernel1.search.yandex.net [2a02:6b8:c02:550:0:604:9094:6282]) by iva5-7aaec7404f99.qloud-c.yandex.net (yaback/Yandex) with ESMTP id 5s9z81sXYH-NTs08ZEu; Sun, 17 Apr 2022 16:23:29 +0300 X-Yandex-Fwd: 1 Authentication-Results: iva5-7aaec7404f99.qloud-c.yandex.net; dkim=pass Received: by kernel1.search.yandex.net (Postfix, from userid 55271) id AA27856006C; Sun, 17 Apr 2022 16:23:29 +0300 (MSK) From: Dmitry Monakhov To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, mingo@redhat.com, jpoimboe@redhat.com, Dmitry Monakhov Subject: [PATCH] x86/unwind/orc: recheck address range after stack info was updated V2 Date: Sun, 17 Apr 2022 16:23:11 +0300 Message-Id: <1650201791-356270-1-git-send-email-dmtrmonakhov@yandex-team.ru> X-Mailer: git-send-email 2.7.4 X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,HK_RANDOM_ENVFROM,HK_RANDOM_FROM, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org get_stack_info() detects stack type only by begin address, so we must check that address range in question is fully covered by detected stack Otherwise following crash is possible: -> unwind_next_frame case ORC_TYPE_REGS: if (!deref_stack_regs(state, sp, &state->ip, &state->sp)) -> deref_stack_regs -> stack_access_ok <- addr is ok, but addr+len-1 is not, exit with success *ip = READ_ONCE_NOCHECK(regs->ip); <- Here we hit stack guard fault Original OOPS log: BUG: stack guard page was hit at 000000000dd984a2 (stack is 00000000d1caafca..00000000613712f0) kernel stack overflow (page fault): 0000 [#1] SMP NOPTI CPU: 93 PID: 23787 Comm: context_switch1 Not tainted 5.4.145 #1 RIP: 0010:unwind_next_frame Call Trace: perf_callchain_kernel .. get_perf_callchain perf_callchain perf_prepare_sample perf_event_output_forward ... __perf_event_overflow perf_ibs_handle_irq .... perf_ibs_nmi_handler nmi_handle default_do_nmi do_nmi end_repeat_nmi Changes since v1: - Do not call on_stack() twice for valid range. Signed-off-by: Dmitry Monakhov diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c index 794fdef2501a..38185aedf7d1 100644 --- a/arch/x86/kernel/unwind_orc.c +++ b/arch/x86/kernel/unwind_orc.c @@ -339,11 +339,11 @@ static bool stack_access_ok(struct unwind_state *state, unsigned long _addr, struct stack_info *info = &state->stack_info; void *addr = (void *)_addr; - if (!on_stack(info, addr, len) && - (get_stack_info(addr, state->task, info, &state->stack_mask))) - return false; + if (on_stack(info, addr, len)) + return true; - return true; + return !get_stack_info(addr, state->task, info, &state->stack_mask) && + on_stack(info, addr, len); } static bool deref_stack_reg(struct unwind_state *state, unsigned long addr, -- 2.7.4