From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED,USER_AGENT_NEOMUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0054BC04AB1 for ; Thu, 9 May 2019 14:06:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C87982053B for ; Thu, 9 May 2019 14:06:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726727AbfEIOGQ (ORCPT ); Thu, 9 May 2019 10:06:16 -0400 Received: from mx2.suse.de ([195.135.220.15]:60536 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726192AbfEIOGP (ORCPT ); Thu, 9 May 2019 10:06:15 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 9158BAC31; Thu, 9 May 2019 14:06:12 +0000 (UTC) Date: Thu, 9 May 2019 16:06:09 +0200 From: Petr Mladek To: Steven Rostedt Cc: Linus Torvalds , Andy Shevchenko , Rasmus Villemoes , "Tobin C . Harding" , Michal Hocko , Sergey Senozhatsky , Sergey Senozhatsky , linux-kernel@vger.kernel.org, Michael Ellerman , linuxppc-dev@lists.ozlabs.org, Russell Currey , Christophe Leroy , Stephen Rothwell , Heiko Carstens , linux-arch@vger.kernel.org, linux-s390@vger.kernel.org, Martin Schwidefsky Subject: Re: [PATCH] vsprintf: Do not break early boot with probing addresses Message-ID: <20190509140609.n44v6kj27wb77jck@pathway.suse.cz> References: <20190509121923.8339-1-pmladek@suse.com> <20190509091357.0af3fcd7@gandalf.local.home> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190509091357.0af3fcd7@gandalf.local.home> User-Agent: NeoMutt/20170912 (1.9.0) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 2019-05-09 09:13:57, Steven Rostedt wrote: > On Thu, 9 May 2019 14:19:23 +0200 > Petr Mladek wrote: > > > The commit 3e5903eb9cff70730 ("vsprintf: Prevent crash when dereferencing > > invalid pointers") broke boot on several architectures. The common > > pattern is that probe_kernel_read() is not working during early > > boot because userspace access framework is not ready. > > > > The check is only the best effort. Let's not rush with it during > > the early boot. > > > > Details: > > > > 1. Report on Power: > > > > Kernel crashes very early during boot with with CONFIG_PPC_KUAP and > > CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG > > > > The problem is the combination of some new code called via printk(), > > check_pointer() which calls probe_kernel_read(). That then calls > > allow_user_access() (PPC_KUAP) and that uses mmu_has_feature() too early > > (before we've patched features). With the JUMP_LABEL debug enabled that > > causes us to call printk() & dump_stack() and we end up recursing and > > overflowing the stack. > > > > Because it happens so early you don't get any output, just an apparently > > dead system. > > > > The stack trace (which you don't see) is something like: > > > > ... > > dump_stack+0xdc > > probe_kernel_read+0x1a4 > > check_pointer+0x58 > > string+0x3c > > vsnprintf+0x1bc > > vscnprintf+0x20 > > printk_safe_log_store+0x7c > > printk+0x40 > > dump_stack_print_info+0xbc > > dump_stack+0x8 > > probe_kernel_read+0x1a4 > > probe_kernel_read+0x19c > > check_pointer+0x58 > > string+0x3c > > vsnprintf+0x1bc > > vscnprintf+0x20 > > vprintk_store+0x6c > > vprintk_emit+0xec > > vprintk_func+0xd4 > > printk+0x40 > > cpufeatures_process_feature+0xc8 > > scan_cpufeatures_subnodes+0x380 > > of_scan_flat_dt_subnodes+0xb4 > > dt_cpu_ftrs_scan_callback+0x158 > > of_scan_flat_dt+0xf0 > > dt_cpu_ftrs_scan+0x3c > > early_init_devtree+0x360 > > early_setup+0x9c > > > > 2. Report on s390: > > > > vsnprintf invocations, are broken on s390. For example, the early boot > > output now looks like this where the first (efault) should be > > the linux_banner: > > > > [ 0.099985] (efault) > > [ 0.099985] setup: Linux is running as a z/VM guest operating system in 64-bit mode > > [ 0.100066] setup: The maximum memory size is 8192MB > > [ 0.100070] cma: Reserved 4 MiB at (efault) > > [ 0.100100] numa: NUMA mode: (efault) > > > > The reason for this, is that the code assumes that > > probe_kernel_address() works very early. This however is not true on > > at least s390. Uaccess on KERNEL_DS works only after page tables have > > been setup on s390, which happens with setup_arch()->paging_init(). > > > > Any probe_kernel_address() invocation before that will return -EFAULT. > > Hmm, this sounds to me that probe_kernel_address() is broken for these > architectures. Perhaps the system_state check should be in > probe_kernel_address() for those architectures? Yeah. Well, these problems are hard to debug. It left a dead power system with a blank screen. I am not sure if the added check is worth the pain. I hope that the check would help to debug problems. But it is yet another complexity in printk() path. I think that it is fine to keep it enabled only on the booted system for a while and get some more feedback. Best Regards, Petr From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,USER_AGENT_NEOMUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACB62C04AB1 for ; Thu, 9 May 2019 14:09:33 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3799421479 for ; Thu, 9 May 2019 14:09:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3799421479 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 450FZz4qQlzDqGb for ; Fri, 10 May 2019 00:09:31 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=suse.com (client-ip=195.135.220.15; helo=mx1.suse.de; envelope-from=pmladek@suse.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.com Received: from mx1.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 450FWF5XQXzDqRP for ; Fri, 10 May 2019 00:06:15 +1000 (AEST) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 9158BAC31; Thu, 9 May 2019 14:06:12 +0000 (UTC) Date: Thu, 9 May 2019 16:06:09 +0200 From: Petr Mladek To: Steven Rostedt Subject: Re: [PATCH] vsprintf: Do not break early boot with probing addresses Message-ID: <20190509140609.n44v6kj27wb77jck@pathway.suse.cz> References: <20190509121923.8339-1-pmladek@suse.com> <20190509091357.0af3fcd7@gandalf.local.home> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190509091357.0af3fcd7@gandalf.local.home> User-Agent: NeoMutt/20170912 (1.9.0) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-arch@vger.kernel.org, Sergey Senozhatsky , Heiko Carstens , linux-s390@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, Rasmus Villemoes , linux-kernel@vger.kernel.org, Michal Hocko , Sergey Senozhatsky , Stephen Rothwell , Andy Shevchenko , Linus Torvalds , Martin Schwidefsky , "Tobin C . Harding" Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Thu 2019-05-09 09:13:57, Steven Rostedt wrote: > On Thu, 9 May 2019 14:19:23 +0200 > Petr Mladek wrote: > > > The commit 3e5903eb9cff70730 ("vsprintf: Prevent crash when dereferencing > > invalid pointers") broke boot on several architectures. The common > > pattern is that probe_kernel_read() is not working during early > > boot because userspace access framework is not ready. > > > > The check is only the best effort. Let's not rush with it during > > the early boot. > > > > Details: > > > > 1. Report on Power: > > > > Kernel crashes very early during boot with with CONFIG_PPC_KUAP and > > CONFIG_JUMP_LABEL_FEATURE_CHECK_DEBUG > > > > The problem is the combination of some new code called via printk(), > > check_pointer() which calls probe_kernel_read(). That then calls > > allow_user_access() (PPC_KUAP) and that uses mmu_has_feature() too early > > (before we've patched features). With the JUMP_LABEL debug enabled that > > causes us to call printk() & dump_stack() and we end up recursing and > > overflowing the stack. > > > > Because it happens so early you don't get any output, just an apparently > > dead system. > > > > The stack trace (which you don't see) is something like: > > > > ... > > dump_stack+0xdc > > probe_kernel_read+0x1a4 > > check_pointer+0x58 > > string+0x3c > > vsnprintf+0x1bc > > vscnprintf+0x20 > > printk_safe_log_store+0x7c > > printk+0x40 > > dump_stack_print_info+0xbc > > dump_stack+0x8 > > probe_kernel_read+0x1a4 > > probe_kernel_read+0x19c > > check_pointer+0x58 > > string+0x3c > > vsnprintf+0x1bc > > vscnprintf+0x20 > > vprintk_store+0x6c > > vprintk_emit+0xec > > vprintk_func+0xd4 > > printk+0x40 > > cpufeatures_process_feature+0xc8 > > scan_cpufeatures_subnodes+0x380 > > of_scan_flat_dt_subnodes+0xb4 > > dt_cpu_ftrs_scan_callback+0x158 > > of_scan_flat_dt+0xf0 > > dt_cpu_ftrs_scan+0x3c > > early_init_devtree+0x360 > > early_setup+0x9c > > > > 2. Report on s390: > > > > vsnprintf invocations, are broken on s390. For example, the early boot > > output now looks like this where the first (efault) should be > > the linux_banner: > > > > [ 0.099985] (efault) > > [ 0.099985] setup: Linux is running as a z/VM guest operating system in 64-bit mode > > [ 0.100066] setup: The maximum memory size is 8192MB > > [ 0.100070] cma: Reserved 4 MiB at (efault) > > [ 0.100100] numa: NUMA mode: (efault) > > > > The reason for this, is that the code assumes that > > probe_kernel_address() works very early. This however is not true on > > at least s390. Uaccess on KERNEL_DS works only after page tables have > > been setup on s390, which happens with setup_arch()->paging_init(). > > > > Any probe_kernel_address() invocation before that will return -EFAULT. > > Hmm, this sounds to me that probe_kernel_address() is broken for these > architectures. Perhaps the system_state check should be in > probe_kernel_address() for those architectures? Yeah. Well, these problems are hard to debug. It left a dead power system with a blank screen. I am not sure if the added check is worth the pain. I hope that the check would help to debug problems. But it is yet another complexity in printk() path. I think that it is fine to keep it enabled only on the booted system for a while and get some more feedback. Best Regards, Petr