From: zhouchengming <zhouchengming1@huawei.com>
To: Borislav Petkov <bp@suse.de>
Cc: <mhiramat@kernel.org>, <ananth@linux.vnet.ibm.com>,
<anil.s.keshavamurthy@intel.com>, <davem@davemloft.net>,
<hpa@zytor.com>, <tglx@linutronix.de>, <peterz@infradead.org>,
<jkosina@suse.cz>, <rostedt@goodmis.org>, <mjurczyk@google.com>,
<x86@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] kprobes, x86/alternatives: use text_mutex to protect smp_alt_modules
Date: Fri, 27 Oct 2017 21:30:24 +0800 [thread overview]
Message-ID: <59F334F0.2070900@huawei.com> (raw)
In-Reply-To: <20171027123348.GE1305@nazgul.tnic>
On 2017/10/27 20:33, Borislav Petkov wrote:
> On Fri, Oct 27, 2017 at 07:42:45PM +0800, zhouchengming wrote:
>> This is a real bug happened on one of our machines, below is the calltrace.
>> We can see the trigger is at alternatives_text_reserved+0x20/0x80, and
>> encounter a deleted (poisoned) list_head.
> Looks like some out-of-tree, old kernel thing. We don't have
> mlx4_stats_sysfs_create() upstream and looking at the boot timestamps,
> it could be that register_jprobe() is not ready yet.
Yes, it's an out-of-tree module, loaded when boot kernel. register_kprobe()
maybe not ready yet, but the bug is not caused by it obviously.
>
> Looking at the Code, though:
>
> 20: 74 59 je 0x7b
> 22: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
> 29: 00 00
> 2b:* 48 3b 71 20 cmp 0x20(%rcx),%rsi<-- trapping instruction
> 2f: 72 3a jb 0x6b
> 31: 48 3b 79 28 cmp 0x28(%rcx),%rdi
> 35: 77 34 ja 0x6b
>
> %rcx is 0xdead0000000000d0 and that is POISON_POINTER_DELTA + 0xd0 so
> that looks more like smp_alt_modules is not initialized yet but I could
> could very well be wrong because this is an old kernel. So trigger that
> with the upstream kernel without out of tree modules.
The smp_alt_modules is defined by LIST_HEAD, so it's initialized at start.
A deleted list_head->next = LIST_POISON1 = 0xdead000000000000 + 0x100, then
container_of() to get the struct smp_alt_module: -0x30 = 0xdead0000000000d0
Obviously, it's a deleted list_head, and I have explained clearly how it happen in
the patch comment.
Thanks.
> Thx.
>
next prev parent reply other threads:[~2017-10-27 13:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-27 9:34 [PATCH] kprobes, x86/alternatives: use text_mutex to protect smp_alt_modules Zhou Chengming
2017-10-27 11:15 ` Borislav Petkov
2017-10-27 11:42 ` zhouchengming
2017-10-27 12:33 ` Borislav Petkov
2017-10-27 13:30 ` zhouchengming [this message]
2017-10-28 8:43 ` Masami Hiramatsu
2017-10-28 9:51 ` zhouchengming
2017-10-27 14:15 ` Peter Zijlstra
2017-10-28 1:26 ` zhouchengming
2017-10-28 8:44 ` Masami Hiramatsu
2017-10-30 8:03 ` Masami Hiramatsu
2017-10-31 21:59 ` Steven Rostedt
2017-11-01 1:48 ` zhouchengming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59F334F0.2070900@huawei.com \
--to=zhouchengming1@huawei.com \
--cc=ananth@linux.vnet.ibm.com \
--cc=anil.s.keshavamurthy@intel.com \
--cc=bp@suse.de \
--cc=davem@davemloft.net \
--cc=hpa@zytor.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mjurczyk@google.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.