From: Daniel Xu <dxu@dxuuu.xyz>
To: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@kernel.org>, X86 ML <x86@kernel.org>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
kuba@kernel.org, mingo@redhat.com, ast@kernel.org,
tglx@linutronix.de, kernel-team@fb.com, yhs@fb.com,
Josh Poimboeuf <jpoimboe@redhat.com>
Subject: Re: [PATCH -tip 0/5] kprobes: Fix stacktrace in kretprobes
Date: Sun, 7 Mar 2021 13:23:33 -0800 [thread overview]
Message-ID: <20210307212333.7jqmdnahoohpxabn@maharaja.localdomain> (raw)
In-Reply-To: <20210306101357.6f947b063a982da9c949f1ba@kernel.org>
On Sat, Mar 06, 2021 at 10:13:57AM +0900, Masami Hiramatsu wrote:
> On Fri, 5 Mar 2021 11:16:45 -0800
> Daniel Xu <dxu@dxuuu.xyz> wrote:
>
> > Hi Masami,
> >
> > On Sat, Mar 06, 2021 at 12:38:57AM +0900, Masami Hiramatsu wrote:
> > > Hello,
> > >
> > > Here is a series of patches for kprobes and stacktracer to fix the kretprobe
> > > entries in the kernel stack. This was reported by Daniel Xu. I thought that
> > > was in the bpftrace, but it is actually more generic issue.
> > > So I decided to fix the issue in arch independent part.
> > >
> > > While fixing the issue, I found a bug in ia64 related to kretprobe, which is
> > > fixed by [1/5]. [2/5] and [3/5] is a kind of cleanup before fixing the main
> > > issue. [4/5] is the patch to fix the stacktrace, which involves kretprobe
> > > internal change. And [5/5] removing the stacktrace kretprobe fixup code in
> > > ftrace.
> > >
> > > Daniel, can you also check that this fixes your issue too? I hope it is.
> >
> > Unfortunately, this patch series does not fix the issue I reported.
>
> Ah, OK. This was my mistake I didn't choose ORC unwinder for test kernel.
>
> >
> > I think the reason your tests work is because you're using ftrace and
> > the ORC unwinder is aware of ftrace trampolines (see
> > arch/x86/kernel/unwind_orc.c:orc_ftrace_find).
>
> OK, so it has to be fixed in ORC unwinder.
>
> >
> > bpftrace kprobes go through perf event subsystem (ie not ftrace) so
> > naturally orc_ftrace_find() does not find an associated trampoline. ORC
> > unwinding fails in this case because
> > arch/x86/kernel/kprobes/core.c:trampoline_handler sets
> >
> > regs->ip = (unsigned long)&kretprobe_trampoline;
> >
> > and `kretprobe_trampoline` is marked
> >
> > STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
> >
> > so it doesn't have a valid ORC entry. Thus, ORC immediately bails when
> > trying to unwind past the first frame.
>
> Hm, in ftrace case, it decode kretprobe's stackframe and stoped right
> after kretprobe_trampoline callsite.
>
> => kretprobe_trace_func+0x21f/0x340
> => kretprobe_dispatcher+0x73/0xb0
> => __kretprobe_trampoline_handler+0xcd/0x1a0
> => trampoline_handler+0x3d/0x50
> => kretprobe_trampoline+0x25/0x50
> => 0
>
> kretprobe replaces the real return address with kretprobe_trampoline
> and kretprobe_trampoline *calls* trampoline_handler (this part depends
> on architecture implementation).
> Thus, if kretprobe_trampoline has no stack frame information, ORC may
> fails at the first kretprobe_trampoline+0x25, that is different from
> the kretprobe_trampoline+0, so the hack doesn't work.
I'm not sure I follow 100% what you're saying, but assuming you're
asking why bpftrace fails at `kretprobe_trampoline+0` instead of
`kretprobe_trampoline+0x25`:
`regs` is set to &kretprobe_trampoline:
regs->ip = (unsigned long)&kretprobe_trampoline;
Then the kretprobe event is dispatched like this:
kretprobe_trampoline_handler
__kretprobe_trampoline_handler
rp->handler // ie kernel/trace/trace_kprobe.c:kretprobe_dispatcher
kretprobe_perf_func
trace_bpf_call(.., regs)
BPF_PROG_RUN_ARRAY_CHECK
bpf_get_stackid(regs, .., ..) // in bpftrace prog
And then `bpf_get_stackid` unwinds the stack via:
bpf_get_stackid
get_perf_callchain(regs, ...)
perf_callchain_kernel(.., regs)
perf_callchain_store(.., regs->ip) // !!! first unwound entry
unwind_start
unwind_next_frame
In summary: unwinding via BPF begins at regs->ip, which
`trampoline_handler` sets to `&kretprobe_trampoline+0x0`.
> Hmm, how the other inline-asm function makes its stackframe info?
> If I get the kretprobe_trampoline+0, I can fix it up.
So I think I misunderstood the mechanics before. I think `call
trampoline_handler` does set up a new frame. My current guess is that
ftrace doesn't thread through `regs` like the bpf code path does. I'm
not very familiar with ftrace internals so I haven't looked.
>
> > The only way I can think of to fix this issue is to make the ORC
> > unwinder aware of kretprobe (ie the patch I sent earlier). I'm hoping
> > you have another idea if my patch isn't acceptable.
>
> OK, anyway, your patch doesn't care the case that the multiple functions
> are probed by kretprobes. In that case, you'll see several entries are
> replaced by the kretprobe_trampoline. To find it correctly, you have
> to pass a state-holder (@cur of the kretprobe_find_ret_addr())
> to the fixup entries.
I'll see if I can figure something out tomorrow.
Thanks,
Daniel
next prev parent reply other threads:[~2021-03-07 21:24 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 15:38 [PATCH -tip 0/5] kprobes: Fix stacktrace in kretprobes Masami Hiramatsu
2021-03-05 15:39 ` [PATCH -tip 1/5] ia64: kprobes: Fix to pass correct trampoline address to the handler Masami Hiramatsu
2021-03-05 15:39 ` [PATCH -tip 2/5] kprobes: treewide: Replace arch_deref_entry_point() with dereference_function_descriptor() Masami Hiramatsu
2021-03-05 15:39 ` [PATCH -tip 3/5] kprobes: treewide: Remove trampoline_address from kretprobe_trampoline_handler() Masami Hiramatsu
2021-03-10 14:21 ` Miroslav Benes
2021-03-10 15:42 ` Masami Hiramatsu
2021-03-11 13:37 ` Masami Hiramatsu
2021-03-05 15:39 ` [PATCH -tip 4/5] kprobes: stacktrace: Recover the address changed by kretprobe Masami Hiramatsu
2021-03-05 15:39 ` [PATCH -tip 5/5] tracing: Remove kretprobe unknown indicator from stacktrace Masami Hiramatsu
2021-03-05 15:44 ` Steven Rostedt
2021-03-05 19:16 ` [PATCH -tip 0/5] kprobes: Fix stacktrace in kretprobes Daniel Xu
2021-03-06 1:13 ` Masami Hiramatsu
2021-03-07 21:23 ` Daniel Xu [this message]
2021-03-08 2:52 ` Masami Hiramatsu
2021-03-08 13:05 ` Masami Hiramatsu
2021-03-09 1:19 ` Josh Poimboeuf
2021-03-10 9:57 ` Masami Hiramatsu
2021-03-10 15:08 ` Josh Poimboeuf
2021-03-10 15:55 ` Masami Hiramatsu
2021-03-10 18:31 ` Josh Poimboeuf
2021-03-11 0:20 ` Masami Hiramatsu
2021-03-11 1:06 ` Josh Poimboeuf
2021-03-11 1:54 ` Masami Hiramatsu
2021-03-11 16:51 ` Josh Poimboeuf
2021-03-12 3:22 ` Masami Hiramatsu
2021-03-10 22:46 ` Daniel Xu
2021-03-09 21:34 ` Daniel Xu
2021-03-10 10:50 ` Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210307212333.7jqmdnahoohpxabn@maharaja.localdomain \
--to=dxu@dxuuu.xyz \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jpoimboe@redhat.com \
--cc=kernel-team@fb.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).