Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp2622758iog; Sun, 26 Jun 2022 22:16:32 -0700 (PDT) X-Google-Smtp-Source: AGRyM1snBuimj66v03X0NP73MRND2MpW11F6jdJ0jRbLvxPEyY12aIaUm7gzhCbN13nPgiWNIPDP X-Received: by 2002:a05:6a00:2356:b0:525:4e88:f792 with SMTP id j22-20020a056a00235600b005254e88f792mr12725305pfj.34.1656306992274; Sun, 26 Jun 2022 22:16:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656306992; cv=none; d=google.com; s=arc-20160816; b=ksqbmLAberY/Whp9UpSwpDRhZxDDLl0DGFia7FWJxH2X3ODg1VHm6yOG8QVfCZgFAC 4HvN76OCV/JDylI60EUw8tQ86LhQCGVagkZD2N7pCAaHZkjZTM9+T6ZNhIz2zpTJdbQD 74WHtxdyXAHy3jUDhxARhJmXpKVR6dA7wNq1sR4GSAX1tRC4aegYmKN8r0TSP6C7KJQv bkzGh7UgYvyxFmtVdnLqzksXQHPw9veW1Kg5jyNg9n2O6LgJ3QzR35ho0reJ/61jVOR3 BF/5ZOKoGm+aeniEqazeBM9g51+aBuSKp6L7HhFoxJo6fBZ8IkLBCg0GflgCXIyvX5WB zaEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature:dkim-filter; bh=GclEd+a+AcJd6or40tVatWZ5FT0NcpQFrBrtcXQqOv8=; b=H+A72hzsaGASiRwW1UxckOHa4jx2gJJhTq4ed5Qa+Uw9E1PXf6mtArlv1yXU9QrTTM dFdL1U4MsRjn709WDVW/zqy98PW2z2QiScdlF9rDfd6NltlqvyNJOsKkRIpGRafZIWYM gcOfDtMjqIAefYqoIpBmhLZBcJlTasrdFGp2KCtVMLtb+9yQ5uQwQZzH2EX7Q80b3N5m g0pPaaexRQA0NudSth4Ve6ATrBLsOMoI6a/yfly7ViNdDGJHkPvgjWSiriNK+x2Vhvgg cqZUfSTmqLa4V9R07RkOcGXK3ecDpOjI4yzqx7gSi5PktQTrHRL9dz9gDtriPJgYcmqw 1pow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=nde9eygg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k22-20020a6568d6000000b0040ccab1f135si13125076pgt.130.2022.06.26.22.16.21; Sun, 26 Jun 2022 22:16:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=nde9eygg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232659AbiF0FEp (ORCPT + 99 others); Mon, 27 Jun 2022 01:04:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232463AbiF0FEJ (ORCPT ); Mon, 27 Jun 2022 01:04:09 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id F292B6144; Sun, 26 Jun 2022 22:01:57 -0700 (PDT) Received: from [192.168.254.32] (unknown [47.189.24.195]) by linux.microsoft.com (Postfix) with ESMTPSA id BC45420CD15B; Sun, 26 Jun 2022 22:01:56 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com BC45420CD15B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1656306117; bh=GclEd+a+AcJd6or40tVatWZ5FT0NcpQFrBrtcXQqOv8=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=nde9eyggtckRZ2iEFk7/lqxjwzqfDPU/MpjYF81hGvjklISDwlCXmoPOJtJmqcdWK oUpMO1LAFx5Cy5nE8uPLgZZ2PNgg0na6nxUK8Q23Qiijo7iDFKQU34yPsca4gvKvhn kEsTxaJvBwjtAkjcM1u5VzBcaFx+u6LCxQjm5FPo= Message-ID: Date: Mon, 27 Jun 2022 00:01:55 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: [PATCH v15 4/6] arm64: Introduce stack trace reliability checks in the unwinder Content-Language: en-US To: Mark Rutland Cc: broonie@kernel.org, jpoimboe@redhat.com, ardb@kernel.org, nobuta.keiya@fujitsu.com, sjitindarsingh@gmail.com, catalin.marinas@arm.com, will@kernel.org, jamorris@linux.microsoft.com, linux-arm-kernel@lists.infradead.org, live-patching@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220617210717.27126-1-madvenka@linux.microsoft.com> <20220617210717.27126-5-madvenka@linux.microsoft.com> From: "Madhavan T. Venkataraman" In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS,T_FILL_THIS_FORM_SHORT, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/26/22 03:32, Mark Rutland wrote: > On Fri, Jun 17, 2022 at 04:07:15PM -0500, madvenka@linux.microsoft.com wrote: >> From: "Madhavan T. Venkataraman" >> >> There are some kernel features and conditions that make a stack trace >> unreliable. Callers may require the unwinder to detect these cases. >> E.g., livepatch. >> >> Introduce a new function called unwind_check_reliability() that will >> detect these cases and set a flag in the stack frame. Call >> unwind_check_reliability() for every frame in unwind(). >> >> Introduce the first reliability check in unwind_check_reliability() - If >> a return PC is not a valid kernel text address, consider the stack >> trace unreliable. It could be some generated code. Other reliability checks >> will be added in the future. >> >> Let unwind() return a boolean to indicate if the stack trace is >> reliable. >> >> Signed-off-by: Madhavan T. Venkataraman >> Reviewed-by: Mark Brown >> --- >> arch/arm64/kernel/stacktrace.c | 31 +++++++++++++++++++++++++++++-- >> 1 file changed, 29 insertions(+), 2 deletions(-) >> >> diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c >> index c749129aba5a..5ef2ce217324 100644 >> --- a/arch/arm64/kernel/stacktrace.c >> +++ b/arch/arm64/kernel/stacktrace.c >> @@ -44,6 +44,8 @@ >> * @final_fp: Pointer to the final frame. >> * >> * @failed: Unwind failed. >> + * >> + * @reliable: Stack trace is reliable. >> */ > > I would strongly prefer if we could have something like an > unwind_state_is_reliable() helper, and just use that directly, rather than > storing that into the state. > > That way, we can opt-into any expensive checks in the reliable unwinder (e.g. > __kernel_text_address), and can use them elsewhere for informative purposes > (e.g. when dumping a stacktrace out to the console). > >> struct unwind_state { >> unsigned long fp; >> @@ -57,6 +59,7 @@ struct unwind_state { >> struct task_struct *task; >> unsigned long final_fp; >> bool failed; >> + bool reliable; >> }; >> >> static void unwind_init_common(struct unwind_state *state, >> @@ -80,6 +83,7 @@ static void unwind_init_common(struct unwind_state *state, >> state->prev_fp = 0; >> state->prev_type = STACK_TYPE_UNKNOWN; >> state->failed = false; >> + state->reliable = true; >> >> /* Stack trace terminates here. */ >> state->final_fp = (unsigned long)task_pt_regs(task)->stackframe; >> @@ -242,11 +246,34 @@ static void notrace unwind_next(struct unwind_state *state) >> } >> NOKPROBE_SYMBOL(unwind_next); >> >> -static void notrace unwind(struct unwind_state *state, >> +/* >> + * Check the stack frame for conditions that make further unwinding unreliable. >> + */ >> +static void unwind_check_reliability(struct unwind_state *state) >> +{ >> + if (state->fp == state->final_fp) { >> + /* Final frame; no more unwind, no need to check reliability */ >> + return; >> + } >> + >> + /* >> + * If the PC is not a known kernel text address, then we cannot >> + * be sure that a subsequent unwind will be reliable, as we >> + * don't know that the code follows our unwind requirements. >> + */ >> + if (!__kernel_text_address(state->pc)) >> + state->reliable = false; >> +} > > I'd strongly prefer that we split this into two helpers, e.g. > > static inline bool unwind_state_is_final(struct unwind_state *state) > { > return state->fp == state->final_fp; > } > > static inline bool unwind_state_is_reliable(struct unwind_state *state) > { > return __kernel_text_address(state->pc); > } > >> + >> +static bool notrace unwind(struct unwind_state *state, >> stack_trace_consume_fn consume_entry, void *cookie) >> { >> - while (unwind_continue(state, consume_entry, cookie)) >> + unwind_check_reliability(state); >> + while (unwind_continue(state, consume_entry, cookie)) { >> unwind_next(state); >> + unwind_check_reliability(state); > > This is going to slow down regular unwinds even when the reliablity value is > not consumed (e.g. for KASAN traces on alloc and free), so I don't think this > should live here, and should be intreoduced with arch_stack_walk_reliable(). > So, I have been thinking about this whole reliability check thing. Instead of checking many different things for reliability, I believe that a single frame pointer validation check is sufficient. I am attempting to do that in my other frame pointer validation patch series. Hopefully, in that patch series, I can prove that that one check is sufficient. We will continue this discussion there. So, for now, I am dropping the reliability checks patches from the series. I will just send the unwind loop reorg in v16 and focus on getting that upstreamed. Thanks. Madhavan