From: Steven Rostedt <rostedt@goodmis.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
x86@kernel.org, Masami Hiramatsu <mhiramat@kernel.org>,
"Luis R. Rodriguez" <mcgrof@kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX
Date: Fri, 26 May 2017 09:37:17 -0400
Message-ID: <20170526093717.0be3b849@gandalf.local.home> (raw)
In-Reply-To: <alpine.DEB.2.20.1705251056410.1862@nanos>
On Thu, 25 May 2017 10:57:51 +0200 (CEST)
Thomas Gleixner <tglx@linutronix.de> wrote:
> ftrace use module_alloc() to allocate trampoline pages. The mapping of
> module_alloc() is RWX, which makes sense as the memory is written to right
> after allocation. But nothing makes these pages RO after writing to them.
>
> Add proper set_memory_rw/ro() calls to protect the trampolines after
> modification.
>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> ---
Unfortunately, this was triggered in my tests:
ftrace: allocating 54840 entries in 215 pages
Starting tracer 'function'
------------[ cut here ]------------
kernel BUG at /work/autotest/nobackup/linux-test.git/arch/x86/mm/pageattr.c:189!
invalid opcode: 0000 [#1] SMP
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 4.12.0-rc2-test+ #3
Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014
task: ffffffffb4222500 task.stack: ffffffffb4200000
RIP: 0010:change_page_attr_set_clr+0x269/0x302
RSP: 0000:ffffffffb4203c88 EFLAGS: 00010046
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 00000001b6000000
RDX: ffffffffb4203d40 RSI: 0000000000000000 RDI: ffffffffb4240d60
RBP: ffffffffb4203d18 R08: 00000001b6000000 R09: 0000000000000001
R10: ffffffffb4203aa8 R11: 0000000000000003 R12: ffffffffc029b000
R13: ffffffffb4203d40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9a639ea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9a636b384000 CR3: 00000001ea21d000 CR4: 00000000000406b0
Call Trace:
change_page_attr_clear+0x1f/0x21
set_memory_ro+0x1e/0x20
arch_ftrace_update_trampoline+0x207/0x21c
? ftrace_caller+0x64/0x64
? 0xffffffffc029b000
ftrace_startup+0xf4/0x198
register_ftrace_function+0x26/0x3c
function_trace_init+0x5e/0x73
tracer_init+0x1e/0x23
tracing_set_tracer+0x127/0x15a
register_tracer+0x19b/0x1bc
init_function_trace+0x90/0x92
early_trace_init+0x236/0x2b3
start_kernel+0x200/0x3f5
x86_64_start_reservations+0x29/0x2b
x86_64_start_kernel+0x17c/0x18f
secondary_startup_64+0x9f/0x9f
? secondary_startup_64+0x9f/0x9f
Code: 89 df e8 79 f4 ff ff 48 85 c0 74 12 f6 00 01 74 0d be 00 10 00 00 48 89 df e8 84 e8 ff ff 49 ff c4 eb a4 9c 58 0f ba e0 09 72 02 <0f> 0b 49 8d 84 24 ff 0f 00 00 48 25 00 f0 ff ff 49 39 c4 74 02
RIP: change_page_attr_set_clr+0x269/0x302 RSP: ffffffffb4203c88
---[ end trace 418d67f4f812a298 ]---
Kernel panic - not syncing: Attempted to kill the idle task!
---[ end Kernel panic - not syncing: Attempted to kill the idle task!
It appears that if you enable function tracing at boot up, calling
set_memory_ro() with interrupts disabled can cause this. As pageattr.c
at line 189 has:
BUG_ON(irqs_disabled());
in cpa_flush_range()
-- Steve
next prev parent reply index
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-24 13:47 [PATCH] " Thomas Gleixner
2017-05-24 14:33 ` Masami Hiramatsu
2017-05-24 15:04 ` Steven Rostedt
2017-05-24 17:47 ` Steven Rostedt
2017-05-24 18:16 ` Luis R. Rodriguez
2017-05-24 18:53 ` Thomas Gleixner
2017-05-24 19:34 ` Luis R. Rodriguez
2017-05-24 19:13 ` Thomas Gleixner
2017-05-24 22:25 ` Steven Rostedt
2017-05-24 23:18 ` Luis R. Rodriguez
2017-05-25 6:25 ` Thomas Gleixner
2017-05-25 8:57 ` [PATCH V2] " Thomas Gleixner
2017-05-25 15:15 ` Steven Rostedt
2017-05-25 17:46 ` Luis R. Rodriguez
2017-05-25 19:51 ` Kees Cook
2017-05-26 7:03 ` Thomas Gleixner
2017-05-26 9:27 ` Heiko Carstens
2017-05-26 9:56 ` Thomas Gleixner
2017-05-26 11:40 ` Michael Ellerman
2017-05-26 9:49 ` Masami Hiramatsu
2017-05-26 13:37 ` Steven Rostedt [this message]
2017-05-26 13:50 ` Thomas Gleixner
2017-05-26 13:58 ` Steven Rostedt
2017-05-25 9:09 ` [PATCH] " Masami Hiramatsu
2017-05-25 10:34 ` Masami Hiramatsu
2017-05-25 15:18 ` Steven Rostedt
2017-05-26 1:34 ` Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170526093717.0be3b849@gandalf.local.home \
--to=rostedt@goodmis.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mhiramat@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
LKML Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
linux-kernel@vger.kernel.org
public-inbox-index lkml
Example config snippet for mirrors
Newsgroup available over NNTP:
nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git