From: dave.long@linaro.org (David Long)
To: linux-arm-kernel@lists.infradead.org
Subject: [BUG] arm64 kprobe: Allow probing at rodata
Date: Wed, 13 Apr 2016 16:23:57 -0400 [thread overview]
Message-ID: <570EAADD.3050805@linaro.org> (raw)
In-Reply-To: <570659E7.3040408@huawei.com>
On 04/07/2016 09:00 AM, Wangnan (F) wrote:
> Hi,
>
> When testing kprobe v12 we find a bug
>
> # echo 'p:kprobes/mykprobe1 ftrace_enable_fops' >
> /sys/kernel/debug/tracing/kprobe_events
> # echo 1 > /sys/kernel/debug/tracing/events/kprobes/mykprobe1/enable
>
> Unable to handle kernel paging request at virtual address d42003f0
> pgd = ffffffc009f64000
> [d42003f0] *pgd=0000000000000000, *pud=0000000000000000
> Internal error: Oops: 94000005 [#1] SMP
> Modules linked in:
> ...
>
> ftrace_enable_fops resides in rodata section, kprobe should not
> allow user to put probe point on it.
>
> It seems arm64 intentionally puts rodata between _stext and _etext in
> arch/arm64/kernel/vmlinux.lds.S, so I think we should introduce a symbol
> before rodata and extra verification in kprobe on arm64.
>
> Thank you.
>
> Full output:
>
> # echo 'p:kprobes/mykprobe1 ftrace_enable_fops' >
> /sys/kernel/debug/tracing/kprobe_events
> # echo 1 > /sys/kernel/debug/tracing/events/kprobes/mykprobe1/enable
>
> Unable to handle kernel paging request at virtual address d42003f0
> pgd = ffffffc009f64000
> [d42003f0] *pgd=0000000000000000, *pud=0000000000000000
> Internal error: Oops: 94000005 [#1] SMP
> Modules linked in:
> CPU: 0 PID: 99 Comm: sh Not tainted 4.5.0+ #105
> Hardware name: linux,dummy-virt (DT)
> task: ffffffc009fdc800 ti: ffffffc009ff4000 task.ti: ffffffc009ff4000
> PC is at module_put+0x38/0x218
> LR is at __fput+0xd4/0x1f4
> pc : [<ffffffc000121760>] lr : [<ffffffc0001d4c14>] pstate: 20000145
> sp : ffffffc009ff7db0
> x29: ffffffc009ff7db0 x28: ffffffc009ff4000
> x27: ffffffc00053c000 x26: 0000000000000018
> x25: ffffffc00a01c610 x24: ffffffc0755a4f60
> x23: ffffffc075569500 x22: ffffffc0001d4c14
> x21: ffffffc0755a4f60 x20: 0000000000000008
> x19: 00000000d4200080 x18: 0000007ffdfbc7f0
> x17: 0000007fa78e3340 x16: ffffffc0001f4b84
> x15: 0000007fa796b598 x14: 000000000000024e
> x13: 000000001b670000 x12: 0000000000000008
> x11: 0101010101010101 x10: ffffffc000fbdc88
> x9 : 0000000000000001 x8 : 0000000000001ffe
> x7 : ffffffc009fdcfc8 x6 : 0000000000000015
> x5 : 0000000000000000 x4 : 0000000000000000
> x3 : 0000000000000001 x2 : 0000000000000000
> x1 : ffffffc009ff4000 x0 : 0000000000000001
>
> Process sh (pid: 99, stack limit = 0xffffffc009ff4020)
> Stack: (0xffffffc009ff7db0 to 0xffffffc009ff8000)
> 7da0: ffffffc009ff7df0 ffffffc0001d4c14
> 7dc0: ffffffc00a01c600 0000000000000008 ffffffc0755a4f60 ffffffc0795f4c60
> 7de0: ffffffc075569500 ffffffc0755a4f60 ffffffc009ff7e50 ffffffc0001d4da8
> 7e00: ffffffc00a01c600 ffffffc009fdce68 ffffffc009fdc800 ffffffc0006614b0
> 7e20: ffffffc0009b3000 0000000000000015 000000000000011e 0000000000000000
> 7e40: 0000000000000058 0000000000000000 ffffffc009ff7e70 ffffffc0000ba5e0
> 7e60: 0000000000000000 ffffffc0001f4ca8 ffffffc009ff7eb0 ffffffc00008929c
> 7e80: 0000000000000004 ffffffc009ff4000 ffffffffffffffff 0000007fa78e336c
> 7ea0: 0000000020000000 0000000000000015 0000000000000000 ffffffc000085a9c
> 7ec0: 0000000000000000 000000001b679560 0000000000000001 0000000000000001
> 7ee0: 0000000000000000 0000000000000000 000000001b67c970 0000000000000000
> 7f00: 0000000000000010 fefefefefefefefe 0000000000000018 fefefeff1a65ff30
> 7f20: 7f7f7f7f7f7f7f7f 0101010101010101 0000000000000008 000000001b670000
> 7f40: 0000000000000000 0000007fa796b598 00000000004aeb48 0000007fa78e3340
> 7f60: 0000007ffdfbc7f0 000000000000000b 000000001b679560 000000001b67c890
> 7f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000002
> 7fa0: 000000001b679468 000000001b679430 000000000047edf0 0000007ffdfbca10
> 7fc0: 000000000042f770 0000007ffdfbca10 0000007fa78e336c 0000000020000000
> 7fe0: 000000000000000b 0000000000000018 0000000000000000 0000000000000000
> Call trace:
> Exception stack(0xffffffc009ff7bf0 to 0xffffffc009ff7d10)
> 7be0: 0000000000000000 0000000000000008
> 7c00: ffffffc009ff7db0 ffffffc000121760 ffffffc00a01c600 0000000000000015
> 7c20: ffffffc009ff7c50 ffffffc0000e7540 ffffffc0005319a8 ffffffc009fdc800
> 7c40: 0000000000000001 ffffffc0016a8000 ffffffc009ff7c90 ffffffc0000e73a4
> 7c60: ffffffc009ff7ca0 ffffffc0000e9e38 ffffffc009ff7ca0 ffffffc0000e9f70
> 7c80: 000000000000024d ffffffc009fdcf90 0000000000000001 ffffffc009ff4000
> 7ca0: 0000000000000000 0000000000000001 0000000000000000 0000000000000000
> 7cc0: 0000000000000015 ffffffc009fdcfc8 0000000000001ffe 0000000000000001
> 7ce0: ffffffc000fbdc88 0101010101010101 0000000000000008 000000001b670000
> 7d00: 000000000000024e 0000007fa796b598
> [<ffffffc000121760>] module_put+0x38/0x218
> [<ffffffc0001d4c14>] __fput+0xd4/0x1f4
> [<ffffffc0001d4da8>] ____fput+0x20/0x2c
> [<ffffffc0000ba5e0>] task_work_run+0xb8/0xec
> [<ffffffc00008929c>] do_notify_resume+0x5c/0x70
> [<ffffffc000085a9c>] work_pending+0x10/0x14
> Code: d5384101 b9401820 11000400 b9001820 (b9437263)
> ---[ end trace adc71e553dfc48ff ]---
> note: sh[99] exited with preempt_count 1
>
Thanks for the bug report. Symbols already exist bracketing rodata. I
have made the following change and it seems to achieve the desired
affect. Unless I hear objections I will add this to the v12 changes when
I post them (soon):
diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
index 13d3333..6b6ec28 100644
--- a/arch/arm64/kernel/kprobes.c
+++ b/arch/arm64/kernel/kprobes.c
@@ -81,12 +81,17 @@ static void __kprobes arch_simulate_insn(struct
kprobe *p, struct pt_regs *regs)
int __kprobes arch_prepare_kprobe(struct kprobe *p)
{
unsigned long probe_addr = (unsigned long)p->addr;
+ extern char __start_rodata[];
+ extern char __end_rodata[];
/* copy instruction */
p->opcode = le32_to_cpu(*p->addr);
if (in_exception_text(probe_addr))
return -EINVAL;
+ if (probe_addr >= (unsigned long) __start_rodata &&
+ probe_addr <= (unsigned long) __end_rodata)
+ return -EINVAL;
/* decode instruction */
switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) {
WARNING: multiple messages have this Message-ID (diff)
From: David Long <dave.long@linaro.org>
To: "Wangnan (F)" <wangnan0@huawei.com>,
sandeepa.s.prabhu@gmail.com, wcohen@redhat.com,
panand@redhat.com, Will Deacon <will.deacon@arm.com>,
catalin.marinas@arm.com
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: Re: [BUG] arm64 kprobe: Allow probing at rodata
Date: Wed, 13 Apr 2016 16:23:57 -0400 [thread overview]
Message-ID: <570EAADD.3050805@linaro.org> (raw)
In-Reply-To: <570659E7.3040408@huawei.com>
On 04/07/2016 09:00 AM, Wangnan (F) wrote:
> Hi,
>
> When testing kprobe v12 we find a bug
>
> # echo 'p:kprobes/mykprobe1 ftrace_enable_fops' >
> /sys/kernel/debug/tracing/kprobe_events
> # echo 1 > /sys/kernel/debug/tracing/events/kprobes/mykprobe1/enable
>
> Unable to handle kernel paging request at virtual address d42003f0
> pgd = ffffffc009f64000
> [d42003f0] *pgd=0000000000000000, *pud=0000000000000000
> Internal error: Oops: 94000005 [#1] SMP
> Modules linked in:
> ...
>
> ftrace_enable_fops resides in rodata section, kprobe should not
> allow user to put probe point on it.
>
> It seems arm64 intentionally puts rodata between _stext and _etext in
> arch/arm64/kernel/vmlinux.lds.S, so I think we should introduce a symbol
> before rodata and extra verification in kprobe on arm64.
>
> Thank you.
>
> Full output:
>
> # echo 'p:kprobes/mykprobe1 ftrace_enable_fops' >
> /sys/kernel/debug/tracing/kprobe_events
> # echo 1 > /sys/kernel/debug/tracing/events/kprobes/mykprobe1/enable
>
> Unable to handle kernel paging request at virtual address d42003f0
> pgd = ffffffc009f64000
> [d42003f0] *pgd=0000000000000000, *pud=0000000000000000
> Internal error: Oops: 94000005 [#1] SMP
> Modules linked in:
> CPU: 0 PID: 99 Comm: sh Not tainted 4.5.0+ #105
> Hardware name: linux,dummy-virt (DT)
> task: ffffffc009fdc800 ti: ffffffc009ff4000 task.ti: ffffffc009ff4000
> PC is at module_put+0x38/0x218
> LR is at __fput+0xd4/0x1f4
> pc : [<ffffffc000121760>] lr : [<ffffffc0001d4c14>] pstate: 20000145
> sp : ffffffc009ff7db0
> x29: ffffffc009ff7db0 x28: ffffffc009ff4000
> x27: ffffffc00053c000 x26: 0000000000000018
> x25: ffffffc00a01c610 x24: ffffffc0755a4f60
> x23: ffffffc075569500 x22: ffffffc0001d4c14
> x21: ffffffc0755a4f60 x20: 0000000000000008
> x19: 00000000d4200080 x18: 0000007ffdfbc7f0
> x17: 0000007fa78e3340 x16: ffffffc0001f4b84
> x15: 0000007fa796b598 x14: 000000000000024e
> x13: 000000001b670000 x12: 0000000000000008
> x11: 0101010101010101 x10: ffffffc000fbdc88
> x9 : 0000000000000001 x8 : 0000000000001ffe
> x7 : ffffffc009fdcfc8 x6 : 0000000000000015
> x5 : 0000000000000000 x4 : 0000000000000000
> x3 : 0000000000000001 x2 : 0000000000000000
> x1 : ffffffc009ff4000 x0 : 0000000000000001
>
> Process sh (pid: 99, stack limit = 0xffffffc009ff4020)
> Stack: (0xffffffc009ff7db0 to 0xffffffc009ff8000)
> 7da0: ffffffc009ff7df0 ffffffc0001d4c14
> 7dc0: ffffffc00a01c600 0000000000000008 ffffffc0755a4f60 ffffffc0795f4c60
> 7de0: ffffffc075569500 ffffffc0755a4f60 ffffffc009ff7e50 ffffffc0001d4da8
> 7e00: ffffffc00a01c600 ffffffc009fdce68 ffffffc009fdc800 ffffffc0006614b0
> 7e20: ffffffc0009b3000 0000000000000015 000000000000011e 0000000000000000
> 7e40: 0000000000000058 0000000000000000 ffffffc009ff7e70 ffffffc0000ba5e0
> 7e60: 0000000000000000 ffffffc0001f4ca8 ffffffc009ff7eb0 ffffffc00008929c
> 7e80: 0000000000000004 ffffffc009ff4000 ffffffffffffffff 0000007fa78e336c
> 7ea0: 0000000020000000 0000000000000015 0000000000000000 ffffffc000085a9c
> 7ec0: 0000000000000000 000000001b679560 0000000000000001 0000000000000001
> 7ee0: 0000000000000000 0000000000000000 000000001b67c970 0000000000000000
> 7f00: 0000000000000010 fefefefefefefefe 0000000000000018 fefefeff1a65ff30
> 7f20: 7f7f7f7f7f7f7f7f 0101010101010101 0000000000000008 000000001b670000
> 7f40: 0000000000000000 0000007fa796b598 00000000004aeb48 0000007fa78e3340
> 7f60: 0000007ffdfbc7f0 000000000000000b 000000001b679560 000000001b67c890
> 7f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000002
> 7fa0: 000000001b679468 000000001b679430 000000000047edf0 0000007ffdfbca10
> 7fc0: 000000000042f770 0000007ffdfbca10 0000007fa78e336c 0000000020000000
> 7fe0: 000000000000000b 0000000000000018 0000000000000000 0000000000000000
> Call trace:
> Exception stack(0xffffffc009ff7bf0 to 0xffffffc009ff7d10)
> 7be0: 0000000000000000 0000000000000008
> 7c00: ffffffc009ff7db0 ffffffc000121760 ffffffc00a01c600 0000000000000015
> 7c20: ffffffc009ff7c50 ffffffc0000e7540 ffffffc0005319a8 ffffffc009fdc800
> 7c40: 0000000000000001 ffffffc0016a8000 ffffffc009ff7c90 ffffffc0000e73a4
> 7c60: ffffffc009ff7ca0 ffffffc0000e9e38 ffffffc009ff7ca0 ffffffc0000e9f70
> 7c80: 000000000000024d ffffffc009fdcf90 0000000000000001 ffffffc009ff4000
> 7ca0: 0000000000000000 0000000000000001 0000000000000000 0000000000000000
> 7cc0: 0000000000000015 ffffffc009fdcfc8 0000000000001ffe 0000000000000001
> 7ce0: ffffffc000fbdc88 0101010101010101 0000000000000008 000000001b670000
> 7d00: 000000000000024e 0000007fa796b598
> [<ffffffc000121760>] module_put+0x38/0x218
> [<ffffffc0001d4c14>] __fput+0xd4/0x1f4
> [<ffffffc0001d4da8>] ____fput+0x20/0x2c
> [<ffffffc0000ba5e0>] task_work_run+0xb8/0xec
> [<ffffffc00008929c>] do_notify_resume+0x5c/0x70
> [<ffffffc000085a9c>] work_pending+0x10/0x14
> Code: d5384101 b9401820 11000400 b9001820 (b9437263)
> ---[ end trace adc71e553dfc48ff ]---
> note: sh[99] exited with preempt_count 1
>
Thanks for the bug report. Symbols already exist bracketing rodata. I
have made the following change and it seems to achieve the desired
affect. Unless I hear objections I will add this to the v12 changes when
I post them (soon):
diff --git a/arch/arm64/kernel/kprobes.c b/arch/arm64/kernel/kprobes.c
index 13d3333..6b6ec28 100644
--- a/arch/arm64/kernel/kprobes.c
+++ b/arch/arm64/kernel/kprobes.c
@@ -81,12 +81,17 @@ static void __kprobes arch_simulate_insn(struct
kprobe *p, struct pt_regs *regs)
int __kprobes arch_prepare_kprobe(struct kprobe *p)
{
unsigned long probe_addr = (unsigned long)p->addr;
+ extern char __start_rodata[];
+ extern char __end_rodata[];
/* copy instruction */
p->opcode = le32_to_cpu(*p->addr);
if (in_exception_text(probe_addr))
return -EINVAL;
+ if (probe_addr >= (unsigned long) __start_rodata &&
+ probe_addr <= (unsigned long) __end_rodata)
+ return -EINVAL;
/* decode instruction */
switch (arm_kprobe_decode_insn(p->addr, &p->ainsn)) {
next prev parent reply other threads:[~2016-04-13 20:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-07 13:00 [BUG] arm64 kprobe: Allow probing at rodata Wangnan (F)
2016-04-07 13:00 ` Wangnan (F)
2016-04-13 20:23 ` David Long [this message]
2016-04-13 20:23 ` David Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=570EAADD.3050805@linaro.org \
--to=dave.long@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.