Subject: Re: [RFC PATCH v3 2/4] arm64: Check the return PC against unreliable code sections
To: Mark Brown
Cc: jpoimboe@redhat.com, mark.rutland@arm.com, jthierry@redhat.com, catalin.marinas@arm.com, will@kernel.org, jmorris@namei.org, pasha.tatashin@soleen.com, linux-arm-kernel@lists.infradead.org, live-patching@vger.kernel.org, linux-kernel@vger.kernel.org
From: "Madhavan T. Venkataraman"
Message-ID: <1bd2b177-509a-21d9-e349-9b2388db45eb@linux.microsoft.com>
Date: Tue, 4 May 2021 14:03:14 -0500
In-Reply-To: <20210504160508.GC7094@sirena.org.uk>

On 5/4/21 11:05 AM, Mark Brown wrote:
> On Mon, May 03, 2021 at 12:36:13PM -0500, madvenka@linux.microsoft.com wrote:
>> From: "Madhavan T. Venkataraman"
>>
>> Create a sym_code_ranges[] array to cover the following text sections that
>> contain functions defined as SYM_CODE_*(). These functions are low-level
>
> This makes sense to me - a few bikesheddy comments below but nothing
> really substantive.
>

OK.

>> +static struct code_range *lookup_range(unsigned long pc)
>
> This feels like it should have a prefix on the name (eg, unwinder_)
> since it looks collision prone. Or lookup_code_range() rather than just
> plain lookup_range().
>

I will add the prefix.

>> +{
>> + struct code_range *range;
>> +
>> + for (range = sym_code_ranges; range->start; range++) {
>
> It seems more idiomatic to use ARRAY_SIZE() rather than a sentinel here,
> the array can't be empty.
>

If there is a match, I return the matched range. Else, I return the
sentinel. This is just so I don't have to check for range == NULL after
calling lookup_range(). I will change it to what you have suggested and
check for NULL explicitly. It is not a problem.

>> + range = lookup_range(frame->pc);
>> +
>> #ifdef CONFIG_FUNCTION_GRAPH_TRACER
>> if (tsk->ret_stack &&
>> frame->pc == (unsigned long)return_to_handler) {
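Review bot: the assignment `range = lookup_range(frame->pc);` placed just before `#ifdef CONFIG_FUNCTION_GRAPH_TRACER` classifies the pc as it was before any later code in unwind_frame() rewrites frame->pc, yet nothing in this hunk records that intent; a one-line comment at the assignment site stating that the lookup deliberately covers the pre-restore pc (because return_to_handler() is itself expected to be one of the ranges) would make the ordering obvious to the next reader, and any path that subsequently replaces frame->pc should either re-run lookup_range() on the new value or say explicitly why it need not.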
>> @@ -118,9 +160,21 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame)
>> return -EINVAL;
>> frame->pc = ret_stack->ret;
>> frame->pc = ptrauth_strip_insn_pac(frame->pc);
>> + return 0;
>> }
>
> Do we not need to look up the range of the restored pc and validate
> what's being pointed to here? It's not immediately obvious why we do
> the lookup before handling the function graph tracer, especially given
> that we never look at the result and there's now a return added skipping
> further reliability checks. At the very least I think this needs some
> additional comments so the code is more obvious.

I want sym_code_ranges[] to contain both unwindable and non-unwindable
ranges. Unwindable ranges will be special ranges such as the
return_to_handler() and kretprobe_trampoline() functions for which the
unwinder has (or will have) special code to unwind. So, the
lookup_range() has to happen before the function graph code.

Please look at the last patch in the series for the fix for the above
function graph code.

On the question of "should the original return address be checked
against sym_code_ranges[]?" - I assumed that if there is a function
graph trace on a function, it had to be an ftraceable function. It would
not be a part of sym_code_ranges[]. Is that a wrong assumption on my
part?

Madhavan
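Review bot: in the `@@ -118,9 +160,21 @@` hunk, the added `+ return 0;` immediately after `frame->pc = ptrauth_strip_insn_pac(frame->pc);` leaves the function before the restored return address is ever compared against sym_code_ranges[], so the `range` computed earlier from the trampoline pc is discarded and the reliability result for this frame is implicitly "reliable" regardless of where ret_stack->ret points; the assumption that a function-graph-traced caller can never live in a SYM_CODE_*() section should either be enforced (re-run lookup_range() on the new frame->pc and fall through to the existing check) or stated in a comment next to the `return 0;` so a future change to the range table cannot silently invalidate it.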