From: Peter Zijlstra <peterz@infradead.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Holger Hoffstätte" <holger@applied-asynchrony.com>,
	"Qi Zheng" <zhengqi.arch@bytedance.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Justin Forbes" <jmforbes@linuxtx.org>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Guenter Roeck" <linux@roeck-us.net>,
	"Shuah Khan" <shuah@kernel.org>,
	patches@kernelci.org, lkft-triage@lists.linaro.org,
	"Pavel Machek" <pavel@denx.de>,
	"Jon Hunter" <jonathanh@nvidia.com>,
	"Florian Fainelli" <f.fainelli@gmail.com>,
	stable <stable@vger.kernel.org>,
	"Josh Poimboeuf" <jpoimboe@redhat.com>
Subject: Re: [PATCH 5.15 000/923] 5.15.3-rc3 review
Date: Thu, 18 Nov 2021 10:39:44 +0100	[thread overview]
Message-ID: <YZYfYOcqNqOyZ8Yo@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20211118081852.GM174730@worktop.programming.kicks-ass.net>

On Thu, Nov 18, 2021 at 09:18:52AM +0100, Peter Zijlstra wrote:
> On Thu, Nov 18, 2021 at 09:06:27AM +0100, Peter Zijlstra wrote:
> > On Wed, Nov 17, 2021 at 03:50:17PM -0800, Linus Torvalds wrote:
> > 
> > > I really don't think the WCHAN code should use unwinders at all. It's
> > > too damn fragile, and it's too easily triggered from user space.
> > 
> > On x86, esp. with ORC, it pretty much has to. The thing is, the ORC
> > unwinder has been very stable so far. I'm guessing there's some really
> > stupid thing going on, like for example trying to unwind a freed stack.
> > 
> > I *just* managed to reproduce, so let me go have a poke.
> 
> Confirmed, with the below it no longer reproduces. Now, let me go undo
> that and fix the unwinder to not explode while trying to unwind nothing.

OK, so the bug is firmly with 5d1ceb3969b6 ("x86: Fix __get_wchan() for
!STACKTRACE") which lost the try_get_task_stack() that stack_trace_*()
does.

We can ofc trivially re-instate that, but I'm now running with the
below which I suppose is a better fix, hmm?

(obv I still need to look at the other two unwinders)

---
diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index e6f7592790af..9261ff1343cf 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -352,8 +352,14 @@ static bool deref_stack_reg(struct unwind_state *state, unsigned long addr,
 	if (!stack_access_ok(state, addr, sizeof(long)))
 		return false;
 
-	*val = READ_ONCE_NOCHECK(*(unsigned long *)addr);
+	pagefault_disable();
+	__get_kernel_nofault(val, addr, unsigned long, Efault);
+	pagefault_enable();
 	return true;
+
+Efault:
+	pagefault_enable();
+	return false;
 }
 
 static bool deref_stack_regs(struct unwind_state *state, unsigned long addr,
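Review bot: The `pagefault_disable()` / `__get_kernel_nofault()` / `pagefault_enable()` / `Efault:` sequence that deref_stack_reg() grows here is repeated verbatim in the deref_stack_regs(), deref_stack_iret_regs() and get_reg() hunks below, with the enable/disable pairing and the fault label re-implemented in each. A single file-local helper that performs one guarded long-sized read would reduce each caller to a return statement (`return read_stack_long(val, (void *)addr);`, or `return read_stack_long(ip, &regs->ip) && read_stack_long(sp, &regs->sp);` for the two-register variants) and keep the fault-handling path in one place; `copy_from_kernel_nofault()` already implements the same pattern, if its out-of-line cost is acceptable on this path. The helper sketch follows; the error semantics (false on a faulting read, stack_access_ok() still checked by the callers) are unchanged.
```c
/* Read one long from kernel memory; false if the access faults. */
static bool read_stack_long(unsigned long *val, const void *addr)
{
	pagefault_disable();
	__get_kernel_nofault(val, addr, unsigned long, Efault);
	pagefault_enable();
	return true;

Efault:
	pagefault_enable();
	return false;
}
```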
@@ -367,9 +373,16 @@ static bool deref_stack_regs(struct unwind_state *state, unsigned long addr,
 	if (!stack_access_ok(state, addr, sizeof(struct pt_regs)))
 		return false;
 
-	*ip = READ_ONCE_NOCHECK(regs->ip);
-	*sp = READ_ONCE_NOCHECK(regs->sp);
+	pagefault_disable();
+	__get_kernel_nofault(ip, &regs->ip, unsigned long, Efault);
+	__get_kernel_nofault(sp, &regs->sp, unsigned long, Efault);
+	pagefault_enable();
+
 	return true;
+
+Efault:
+	pagefault_enable();
+	return false;
 }
 
 static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr,
@@ -380,9 +393,16 @@ static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr
 	if (!stack_access_ok(state, addr, IRET_FRAME_SIZE))
 		return false;
 
-	*ip = READ_ONCE_NOCHECK(regs->ip);
-	*sp = READ_ONCE_NOCHECK(regs->sp);
+	pagefault_disable();
+	__get_kernel_nofault(ip, &regs->ip, unsigned long, Efault);
+	__get_kernel_nofault(sp, &regs->sp, unsigned long, Efault);
+	pagefault_enable();
+
 	return true;
+
+Efault:
+	pagefault_enable();
+	return false;
 }
 
 /*
@@ -396,22 +416,27 @@ static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr
 static bool get_reg(struct unwind_state *state, unsigned int reg_off,
 		    unsigned long *val)
 {
-	unsigned int reg = reg_off/8;
-
 	if (!state->regs)
 		return false;
 
+	pagefault_disable();
 	if (state->full_regs) {
-		*val = READ_ONCE_NOCHECK(((unsigned long *)state->regs)[reg]);
+		__get_kernel_nofault(val, (void *)state->regs + reg_off, unsigned long, Efault);
+		pagefault_enable();
 		return true;
 	}
 
 	if (state->prev_regs) {
-		*val = READ_ONCE_NOCHECK(((unsigned long *)state->prev_regs)[reg]);
+		__get_kernel_nofault(val, (void *)state->regs + reg_off, unsigned long, Efault);
+		pagefault_enable();
 		return true;
 	}
 
 	return false;
+
+Efault:
+	pagefault_enable();
+	return false;
 }
 
 bool unwind_next_frame(struct unwind_state *state)
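Review bot: The `prev_regs` branch of get_reg() now reads from the wrong register set: the replaced line indexed `state->prev_regs`, but the new `__get_kernel_nofault()` call computes its address from `state->regs + reg_off`, so when only partial registers are available the unwinder silently reads the current frame's slot instead of the previous one. The line should be `__get_kernel_nofault(val, (void *)state->prev_regs + reg_off, unsigned long, Efault);`. Since `state->regs` was already checked non-NULL above, this would not fault; it would just produce a wrong register value, which is harder to notice than the crash this series is fixing.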
@@ -673,8 +698,12 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
 		struct inactive_task_frame *frame = (void *)task->thread.sp;
 
 		state->sp = task->thread.sp + sizeof(*frame);
-		state->bp = READ_ONCE_NOCHECK(frame->bp);
-		state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
+
+		pagefault_disable();
+		__get_kernel_nofault(&state->bp, &frame->bp, unsigned long, Efault);
+		__get_kernel_nofault(&state->ip, &frame->ret_addr, unsigned long, Efault);
+		pagefault_enable();
+
 		state->signal = (void *)state->ip == ret_from_fork;
 	}
 
@@ -713,6 +742,8 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
 
 	return;
 
+Efault:
+	pagefault_enable();
 err:
 	state->error = true;
 the_end:

