Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp836903lqs; Tue, 5 Mar 2024 20:00:26 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCWPha/K6IjdEoFqXMDm1SAizAICvW6SxllIjFS1uxbunMbrXSWB7JUz0LAgY18xpPAr3o4hyTK+4pRZBp1ZM7tASaO1BbzCKx5p2hD/Xw== X-Google-Smtp-Source: AGHT+IEvN38sj4jxSBldFSHAMeMENXpdXGCNRsUX5XEH+wLYWdC2H+Zuy8m8zzmvLNe1Sd/jkhe8 X-Received: by 2002:a05:6214:8d4:b0:690:96ac:7999 with SMTP id da20-20020a05621408d400b0069096ac7999mr289601qvb.64.1709697626413; Tue, 05 Mar 2024 20:00:26 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709697626; cv=pass; d=google.com; s=arc-20160816; b=vJu0y1KgPsoyjRwqmYDHkrCr/UEmrQ7uoUPR5RyE5VbbV7uvHjN/nalH+gmneq6z8t BW17k1OHFl88dO/QBh07RuB8mtdzmdeRt57+nfIVba2RAI+B4/D0yhBIEqjuvdrCa7IB 6uDO9+fdsASEBwf9ON8vk3zPuv/g1bOQ+unoQAo/S1chyltQ9zCK/E5asjMVYwFXfbDt KJjXBJIVNVDoorBs5RYVbu91gzm+UJcOU2VpbKTCGK8ndnIT7Ktv79ux+16CoueeXb7q yr7Wu7rg0SFhLOqITzexScKFZpLJGYgbbiVmjs3yX6rZSeWDnxSvey7sxnafiME8EBi+ NmGQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:user-agent:date:message-id:from :cc:references:to:subject; bh=DgU1E9FoRQ3hQ0SjAJkzMwl2IqjCcRdJZaXUC9zZ6bU=; fh=i7RSls4kt+XeGunlfb6qGU5Mp8k7CKWyMZaGm3HBbU8=; b=wZBCTeRF9hFxpLh3rgadhbPoQreXyAFeUmxDRpddkTF5uRHlj/Ae0RfEuONBMP8SJp hABHFJOFIil8Q2ehpBDz58BmJvKVFZKlO8rfWP87o1jX6PX15QsvLmnpYQiln+TUrynZ s4xAX4wQ8GoFFMs9R1z69yxW1KnTXcWfzo7Oh8SHqfsAZaSb8d2axNW3dWDXHCaPrBWA yuEFgA5hEJyV+yUrmkm+eul1M/96QcbA1J8wSGG4C8er2uXp6JKFqTGFfd/friXJhKWF peFDtRMXgozdOHjxNRzamjzATm+PFw2Xo31u8ZZm+3cQPZdyg1dh2Bk/6WizLjdTdFXd 2dQQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-93303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-93303-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id a2-20020a0562140c2200b0068f533c6dc2si13701722qvd.261.2024.03.05.20.00.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 20:00:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-93303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-93303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-93303-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 1907C1C22452 for ; Wed, 6 Mar 2024 04:00:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E26B915ACB; Wed, 6 Mar 2024 04:00:18 +0000 (UTC) Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 538E214280; Wed, 6 Mar 2024 04:00:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.190 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709697618; cv=none; b=n74GRQISFDNueVaS1YO/RTuY4okC1O+/zQMs8oEHI1SgyBIcEl+nxrcMLyJImsOOydNCZVY5kwfz0yPGWao4gCYnsXidcjJPEAu3Nu6ER3fhMm6/gKkuVfw0ijkeINkDi+HPlaiRFzNj2lkYTxMnLLIfJsO38T80Yyp2Q3Y8W30= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709697618; c=relaxed/simple; bh=18I9mupyrBGOFzaf8UoK03PmTIbkKPxV4//j3ENYo2Q=; h=Subject:To:References:CC:From:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type; b=Zdux9A7j8wifnT0/GoLsfIyHmgqY8AH2AI8NbP72fTIja2WwO8PfuY4tdDc+mOMfVbCxyAfncR4xECYL52yQ1H0h0Gt6Wrh7SAbHw9XZQDpmw4xbvuJ6qGDnt2EbNMZgRY+31wjm+gtqxmhtN7frOVmIuGDPqBJ8HRpa8n4wpN4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=45.249.212.190 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.19.88.234]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4TqJYS5MLvz2BfN5; Wed, 6 Mar 2024 11:57:48 +0800 (CST) Received: from canpemm500010.china.huawei.com (unknown [7.192.105.118]) by mail.maildlp.com (Postfix) with ESMTPS id A006014011A; Wed, 6 Mar 2024 12:00:09 +0800 (CST) Received: from [10.67.111.82] (10.67.111.82) by canpemm500010.china.huawei.com (7.192.105.118) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Wed, 6 Mar 2024 12:00:09 +0800 Subject: Re: [PATCH] usercopy: delete __noreturn from usercopy_abort To: Josh Poimboeuf References: <1709516385-7778-1-git-send-email-xiaojiangfeng@huawei.com> <202403040938.D770633@keescook> <77bb0d81-f496-7726-9495-57088a4c0bfc@huawei.com> <202403050129.5B72ACAA0D@keescook> <20240305175846.qnyiru7uaa7itqba@treble> CC: Kees Cook , Jann Horn , , , , , , , , , , , , , , Russell King , , Ard Biesheuvel From: Jiangfeng Xiao Message-ID: Date: Wed, 6 Mar 2024 12:00:04 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In-Reply-To: <20240305175846.qnyiru7uaa7itqba@treble> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500010.china.huawei.com (7.192.105.118) On 2024/3/6 1:58, Josh Poimboeuf wrote: >>>> For the usercopy_abort function, whether '__noreturn' is added >>>> does not affect the internal behavior of the usercopy_abort function. >>>> Therefore, it is recommended that '__noreturn' be deleted >>>> so that backtrace can work properly. >>> >>> This isn't acceptable. Removing __noreturn this will break >>> objtool's processing of execution flow for livepatching, IBT, and >>> KCFI instrumentation. These all depend on an accurate control flow >>> descriptions, and usercopy_abort is correctly marked __noreturn. > > __noreturn also has the benefit of enabling the compiler to produce more > compact code for callees. > >> Thank you for providing this information. >> I'll go back to further understand how __noreturn is used >> in features such as KCFI and livepatching. > > Adding ARM folks -- see > https://lkml.kernel.org/lkml/1709516385-7778-1-git-send-email-xiaojiangfeng@huawei.com > for the original bug report. > > This is an off-by-one bug which is common in unwinders, due to the fact > that the address on the stack points to the return address rather than > the call address. > Thanks for your advice. I think I understand. To solve this problem, I need to fix the off-by-one bug which is common in unwinders. I'll try to fix it later by referring to your patch. > So, for example, when the last instruction of a function is a function > call (e.g., to a noreturn function), it can cause the unwinder to > incorrectly try to unwind from the function *after* the callee. > > For ORC (x86), we fixed this by decrementing the PC for call frames (but > not exception frames). I've seen user space unwinders do similar, for > non-signal frames. > > Something like the following might fix your issue (completely untested): > > diff --git a/arch/arm/include/asm/stacktrace.h b/arch/arm/include/asm/stacktrace.h > index 360f0d2406bf..4891e38cdc1f 100644 > --- a/arch/arm/include/asm/stacktrace.h > +++ b/arch/arm/include/asm/stacktrace.h > @@ -21,9 +21,7 @@ struct stackframe { > struct llist_node *kr_cur; > struct task_struct *tsk; > #endif > -#ifdef CONFIG_UNWINDER_FRAME_POINTER > bool ex_frame; > -#endif > }; > > static __always_inline > @@ -37,9 +35,8 @@ void arm_get_current_stackframe(struct pt_regs *regs, struct stackframe *frame) > frame->kr_cur = NULL; > frame->tsk = current; > #endif > -#ifdef CONFIG_UNWINDER_FRAME_POINTER > - frame->ex_frame = in_entry_text(frame->pc); > -#endif > + frame->ex_frame = !!regs; > + > } > > extern int unwind_frame(struct stackframe *frame); > diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c > index 620aa82e3bdd..caed7436da09 100644 > --- a/arch/arm/kernel/stacktrace.c > +++ b/arch/arm/kernel/stacktrace.c > @@ -154,9 +154,6 @@ static void start_stack_trace(struct stackframe *frame, struct task_struct *task > frame->kr_cur = NULL; > frame->tsk = task; > #endif > -#ifdef CONFIG_UNWINDER_FRAME_POINTER > - frame->ex_frame = in_entry_text(frame->pc); > -#endif > } > > void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie, > @@ -167,6 +164,7 @@ void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie, > if (regs) { > start_stack_trace(&frame, NULL, regs->ARM_fp, regs->ARM_sp, > regs->ARM_lr, regs->ARM_pc); > + frame.ex_frame = true; > } else if (task != current) { > #ifdef CONFIG_SMP > /* > @@ -180,6 +178,7 @@ void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie, > thread_saved_sp(task), 0, > thread_saved_pc(task)); > #endif > + frame.ex_frame = false; > } else { > here: > start_stack_trace(&frame, task, > @@ -187,6 +186,7 @@ void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie, > current_stack_pointer, > (unsigned long)__builtin_return_address(0), > (unsigned long)&&here); > + frame.ex_frame = false; > /* skip this function */ > if (unwind_frame(&frame)) > return; > diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c > index 3bad79db5d6e..46a5b1eb3f0a 100644 > --- a/arch/arm/kernel/traps.c > +++ b/arch/arm/kernel/traps.c > @@ -84,10 +84,10 @@ void dump_backtrace_entry(unsigned long where, unsigned long from, > printk("%sFunction entered at [<%08lx>] from [<%08lx>]\n", > loglvl, where, from); > #elif defined CONFIG_BACKTRACE_VERBOSE > - printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", > + printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pB)\n", > loglvl, where, (void *)where, from, (void *)from); > #else > - printk("%s %ps from %pS\n", loglvl, (void *)where, (void *)from); > + printk("%s %ps from %pB\n", loglvl, (void *)where, (void *)from); > #endif > > if (in_entry_text(from) && end <= ALIGN(frame, THREAD_SIZE)) > diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c > index 9d2192156087..99ded32196af 100644 > --- a/arch/arm/kernel/unwind.c > +++ b/arch/arm/kernel/unwind.c > @@ -407,7 +407,7 @@ int unwind_frame(struct stackframe *frame) > { > const struct unwind_idx *idx; > struct unwind_ctrl_block ctrl; > - unsigned long sp_low; > + unsigned long sp_low, pc; > > /* store the highest address on the stack to avoid crossing it*/ > sp_low = frame->sp; > @@ -417,19 +417,22 @@ int unwind_frame(struct stackframe *frame) > pr_debug("%s(pc = %08lx lr = %08lx sp = %08lx)\n", __func__, > frame->pc, frame->lr, frame->sp); > > - idx = unwind_find_idx(frame->pc); > + pc = frame->ex_frame ? frame->pc : frame->pc - 4; > + > + idx = unwind_find_idx(pc); > if (!idx) { > - if (frame->pc && kernel_text_address(frame->pc)) { > - if (in_module_plt(frame->pc) && frame->pc != frame->lr) { > + if (kernel_text_address(pc)) { > + if (in_module_plt(pc) && frame->pc != frame->lr) { > /* > * Quoting Ard: Veneers only set PC using a > * PC+immediate LDR, and so they don't affect > * the state of the stack or the register file > */ > frame->pc = frame->lr; > + frame->ex_frame = false; > return URC_OK; > } > - pr_warn("unwind: Index not found %08lx\n", frame->pc); > + pr_warn("unwind: Index not found %08lx\n", pc); > } > return -URC_FAILURE; > } > @@ -442,7 +445,7 @@ int unwind_frame(struct stackframe *frame) > if (idx->insn == 1) > /* can't unwind */ > return -URC_FAILURE; > - else if (frame->pc == prel31_to_addr(&idx->addr_offset)) { > + else if (frame->ex_frame && pc == prel31_to_addr(&idx->addr_offset)) { > /* > * Unwinding is tricky when we're halfway through the prologue, > * since the stack frame that the unwinder expects may not be > @@ -451,9 +454,10 @@ int unwind_frame(struct stackframe *frame) > * a function, we are still effectively in the stack frame of > * the caller, and the unwind info has no relevance yet. > */ > - if (frame->pc == frame->lr) > + if (pc == frame->lr) > return -URC_FAILURE; > frame->pc = frame->lr; > + frame->ex_frame = false; > return URC_OK; > } else if ((idx->insn & 0x80000000) == 0) > /* prel31 to the unwind table */ > @@ -515,6 +519,7 @@ int unwind_frame(struct stackframe *frame) > frame->lr = ctrl.vrs[LR]; > frame->pc = ctrl.vrs[PC]; > frame->lr_addr = ctrl.lr_addr; > + frame->ex_frame = false; > > return URC_OK; > } > @@ -544,6 +549,7 @@ void unwind_backtrace(struct pt_regs *regs, struct task_struct *tsk, > */ > here: > frame.pc = (unsigned long)&&here; > + frame.ex_frame = false; > } else { > /* task blocked in __switch_to */ > frame.fp = thread_saved_fp(tsk); > @@ -554,11 +560,12 @@ void unwind_backtrace(struct pt_regs *regs, struct task_struct *tsk, > */ > frame.lr = 0; > frame.pc = thread_saved_pc(tsk); > + frame.ex_frame = false; > } > > while (1) { > int urc; > - unsigned long where = frame.pc; > + unsigned long where = frame.ex_frame ? frame.pc : frame.pc - 4; > > urc = unwind_frame(&frame); > if (urc < 0) > . >