From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
To: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Steven Rostedt <rostedt@kernel.org>,
Menglong Dong <menglong8.dong@gmail.com>,
jolsa@kernel.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
hpa@zytor.com, kees@kernel.org, samitolvanen@google.com,
rppt@kernel.org, luto@kernel.org, ast@kernel.org,
andrii@kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org
Subject: Re: [PATCH v2 1/2] tracing: fgraph: Protect return handler from recursion loop
Date: Thu, 25 Sep 2025 00:34:10 +0900 [thread overview]
Message-ID: <20250925003410.de2ef839f6ef3921ee08a955@kernel.org> (raw)
In-Reply-To: <175852292275.307379.9040117316112640553.stgit@devnote2>
Hi Steve,
Can you pick this ? Or I will do?
Thanks,
On Mon, 22 Sep 2025 15:35:22 +0900
"Masami Hiramatsu (Google)" <mhiramat@kernel.org> wrote:
> From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
>
> function_graph_enter_regs() prevents itself from recursion by
> ftrace_test_recursion_trylock(), but __ftrace_return_to_handler(),
> which is called at the exit, does not prevent such recursion.
> Therefore, while it can prevent recursive calls from
> fgraph_ops::entryfunc(), it is not able to prevent recursive calls
> to fgraph from fgraph_ops::retfunc(), resulting in a recursive loop.
> This can lead an unexpected recursion bug reported by Menglong.
>
> is_endbr() is called in __ftrace_return_to_handler -> fprobe_return
> -> kprobe_multi_link_exit_handler -> is_endbr.
>
> To fix this issue, acquire ftrace_test_recursion_trylock() in the
> __ftrace_return_to_handler() after unwind the shadow stack to mark
> this section must prevent recursive call of fgraph inside user-defined
> fgraph_ops::retfunc().
>
> This is essentially a fix to commit 4346ba160409 ("fprobe: Rewrite
> fprobe on function-graph tracer"), because before that fgraph was
> only used from the function graph tracer. Fprobe allowed user to run
> any callbacks from fgraph after that commit.
>
> Reported-by: Menglong Dong <menglong8.dong@gmail.com>
> Closes: https://lore.kernel.org/all/20250918120939.1706585-1-dongml2@chinatelecom.cn/
> Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> Acked-by: Jiri Olsa <jolsa@kernel.org>
> ---
> Changes in v2:
> - Do not warn on failing ftrace_test_recursion_trylock() because it
> allows one-level nest.
> ---
> kernel/trace/fgraph.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c
> index 1e3b32b1e82c..484ad7a18463 100644
> --- a/kernel/trace/fgraph.c
> +++ b/kernel/trace/fgraph.c
> @@ -815,6 +815,7 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
> unsigned long bitmap;
> unsigned long ret;
> int offset;
> + int bit;
> int i;
>
> ret_stack = ftrace_pop_return_trace(&trace, &ret, frame_pointer, &offset);
> @@ -829,6 +830,15 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
> if (fregs)
> ftrace_regs_set_instruction_pointer(fregs, ret);
>
> + bit = ftrace_test_recursion_trylock(trace.func, ret);
> + /*
> + * This can fail because ftrace_test_recursion_trylock() allows one nest
> + * call. If we are already in a nested call, then we don't probe this and
> + * just return the original return address.
> + */
> + if (unlikely(bit < 0))
> + goto out;
> +
> #ifdef CONFIG_FUNCTION_GRAPH_RETVAL
> trace.retval = ftrace_regs_get_return_value(fregs);
> #endif
> @@ -852,6 +862,8 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
> }
> }
>
> + ftrace_test_recursion_unlock(bit);
> +out:
> /*
> * The ftrace_graph_return() may still access the current
> * ret_stack structure, we need to make sure the update of
>
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>
next prev parent reply other threads:[~2025-09-24 15:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-22 6:35 [PATCH v2 0/2] tracing: fprobe: Protect return handler from recursion loop Masami Hiramatsu (Google)
2025-09-22 6:35 ` [PATCH v2 1/2] tracing: fgraph: " Masami Hiramatsu (Google)
2025-09-22 8:01 ` menglong.dong
2025-09-24 15:34 ` Masami Hiramatsu [this message]
2025-09-25 7:26 ` Steven Rostedt
2025-09-27 12:57 ` Steven Rostedt
2025-09-28 12:56 ` Steven Rostedt
2025-09-29 0:02 ` Masami Hiramatsu
2025-09-22 6:35 ` [PATCH v2 2/2] lib/test_fprobe: Add recursion check test cases Masami Hiramatsu (Google)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250925003410.de2ef839f6ef3921ee08a955@kernel.org \
--to=mhiramat@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jolsa@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=menglong8.dong@gmail.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rostedt@kernel.org \
--cc=rppt@kernel.org \
--cc=samitolvanen@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.