* [PATCH 1/1] arm64: print alloc free paths for address in registers
       [not found] <CGME20210319111755epcas5p3d40683c22af11626a221ca494e8298f8@epcas5p3.samsung.com>
@ 2021-03-19 11:17 ` Maninder Singh
  2021-03-19 14:14   ` kernel test robot
  0 siblings, 1 reply; 2+ messages in thread
From: Maninder Singh @ 2021-03-19 11:17 UTC (permalink / raw)
  To: catalin.marinas, will, pcc, mark.rutland
  Cc: akpm, 0x7f454c46, amit.kachhap, linux-arm-kernel, linux-kernel,
	a.sahrawat, Maninder Singh, Vaneet Narang

In case of a use-after-free kernel oops, the free path of the object is
required to debug further. In most cases the object address is present
in one of the registers.

Thus check the register's address and if it belongs to slab, print its
alloc and free path.

commit a02a25709155 ("mm/slub: add support for free path information of an object")
provides free path along with alloc path of object in mem_dump_obj().

Thus call it with register values same as in ARM with
commit 14c0508adcdb ("arm: print alloc free paths for address in registers")

e.g.  in the below issue register x20 belongs to slab, and a use after free
issue occurred on one of its dereferenced values:

[   19.516507] Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b73
..
..
[   19.528784] Register x10 information: 0-page vmalloc region starting at 0xffff800011bb0000 allocated at paging_init+0x1d8/0x544
[   19.529143] Register x11 information: 0-page vmalloc region starting at 0xffff800011bb0000 allocated at paging_init+0x1d8/0x544
[   19.529513] Register x12 information: non-paged memory
..
[   19.544953] Register x20 information: slab kmalloc-128 start ffff0000c3a34280 data offset 128 pointer offset 0 size 128 allocated at meminfo_proc_show+0x44/0x588
[   19.545432]     ___slab_alloc+0x638/0x658
[   19.545576]     __slab_alloc.isra.0+0x2c/0x58
[   19.545728]     kmem_cache_alloc+0x584/0x598
[   19.545877]     meminfo_proc_show+0x44/0x588
[   19.546022]     seq_read_iter+0x258/0x460
[   19.546160]     proc_reg_read_iter+0x90/0xd0
[   19.546308]     generic_file_splice_read+0xd0/0x188
[   19.546474]     do_splice_to+0x90/0xe0
[   19.546609]     splice_direct_to_actor+0xbc/0x240
[   19.546768]     do_splice_direct+0x8c/0xe8
[   19.546911]     do_sendfile+0x2c4/0x500
[   19.547048]     __arm64_sys_sendfile64+0x160/0x168
[   19.547205]     el0_svc_common.constprop.0+0x60/0x120
[   19.547377]     do_el0_svc_compat+0x1c/0x40
[   19.547524]     el0_svc_compat+0x24/0x38
[   19.547660]     el0_sync_compat_handler+0x90/0x158
[   19.547821]  Free path:
[   19.547906]     __slab_free+0x3dc/0x538
[   19.548051]     kfree+0x2d8/0x310
[   19.548176]     meminfo_proc_show+0x60/0x588
[   19.548322]     seq_read_iter+0x258/0x460
[   19.548459]     proc_reg_read_iter+0x90/0xd0
[   19.548602]     generic_file_splice_read+0xd0/0x188
[   19.548761]     do_splice_to+0x90/0xe0
[   19.548889]     splice_direct_to_actor+0xbc/0x240
[   19.549040]     do_splice_direct+0x8c/0xe8
[   19.549183]     do_sendfile+0x2c4/0x500
[   19.549319]     __arm64_sys_sendfile64+0x160/0x168
[   19.549477]     el0_svc_common.constprop.0+0x60/0x120
[   19.549646]     do_el0_svc_compat+0x1c/0x40
[   19.549782]     el0_svc_compat+0x24/0x38
[   19.549913]     el0_sync_compat_handler+0x90/0x158
[   19.550067]     el0_sync_compat+0x174/0x180
..

Signed-off-by: Vaneet Narang <v.narang@samsung.com>
Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
---
 arch/arm64/include/asm/system_misc.h |  1 +
 arch/arm64/kernel/process.c          | 11 +++++++++++
 arch/arm64/kernel/traps.c            |  1 +
 3 files changed, 13 insertions(+)

diff --git a/arch/arm64/include/asm/system_misc.h b/arch/arm64/include/asm/system_misc.h
index 673be2d1263c..84d5204cdb80 100644
--- a/arch/arm64/include/asm/system_misc.h
+++ b/arch/arm64/include/asm/system_misc.h
@@ -31,6 +31,7 @@ void hook_debug_fault_code(int nr, int (*fn)(unsigned long, unsigned int,
 
 struct mm_struct;
 extern void __show_regs(struct pt_regs *);
+extern void __show_regs_alloc_free(struct pt_regs *regs);
 
 extern void (*arm_pm_restart)(enum reboot_mode reboot_mode, const char *cmd);
 
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 325c83b1a24d..a21761cee3dc 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -304,6 +304,17 @@ void __show_regs(struct pt_regs *regs)
 	}
 }
 
+void __show_regs_alloc_free(struct pt_regs *regs)
+{
+	int i;
+
+	/* check for x0 - x29 only */
+	for (i = 0; i <= 29; i++) {
+		pr_alert("Register x%d information:", i);
+		mem_dump_obj((void *)regs->regs[i]);
+	}
+}
+
 void show_regs(struct pt_regs *regs)
 {
 	__show_regs(regs);
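Review bot: `__show_regs_alloc_free()` walks x0–x29 for any frame, but `__show_regs()` in the same file treats only x0–x12 as meaningful when `compat_user_mode(regs)` is true, and for any user-mode frame the register contents are chosen by the faulting process rather than by the kernel. If `__die()` can be reached with such a frame (not established by the lines shown), the extra output would describe kernel objects at addresses userspace picked; an early `if (user_mode(regs)) return;` at the top of the function avoids that. The comment `/* check for x0 - x29 only */` should also say why x30 and sp are skipped. `show_regs()`, which follows the new function, continues outside the hunk.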
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index a05d34f0e82a..cb4858c6e57b 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -104,6 +104,7 @@ static int __die(const char *str, int err, struct pt_regs *regs)
 
 	print_modules();
 	show_regs(regs);
+	__show_regs_alloc_free(regs);
 
 	dump_kernel_instr(KERN_EMERG, regs);
 
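Review bot: Calling `__show_regs_alloc_free(regs)` unconditionally from `__die()` runs thirty `mem_dump_obj()` lookups in a context that may have faulted while holding allocator or vmalloc locks; whether those lookups are lock-free is not visible on this page and should be confirmed, with the assumption stated in a comment above the call. The added output also prints unhashed object and region addresses (the sample log in the description shows `start ffff0000c3a34280` and `starting at 0xffff800011bb0000`), so where the kernel log is readable by unprivileged users or shipped off-box it exposes more heap layout than the register dump alone. The new lines are emitted with `pr_alert` while `dump_kernel_instr(KERN_EMERG, regs)` just below uses a different level, which makes console filtering of one oops inconsistent. `__die()` starts and ends outside the hunk.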
-- 
2.17.1



* Re: [PATCH 1/1] arm64: print alloc free paths for address in registers
  2021-03-19 11:17 ` [PATCH 1/1] arm64: print alloc free paths for address in registers Maninder Singh
@ 2021-03-19 14:14   ` kernel test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2021-03-19 14:14 UTC (permalink / raw)
  To: Maninder Singh, catalin.marinas, will, pcc, mark.rutland
  Cc: kbuild-all, akpm, 0x7f454c46, amit.kachhap, linux-arm-kernel,
	linux-kernel, a.sahrawat

[-- Attachment #1: Type: text/plain, Size: 4275 bytes --]

Hi Maninder,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on arm64/for-next/core]
[also build test WARNING on v5.12-rc3 next-20210319]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Maninder-Singh/arm64-print-alloc-free-paths-for-address-in-registers/20210319-192241
base:   https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core
config: arm64-randconfig-r013-20210318 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/80431a06fb1d63d8cca96411426b612ce049f545
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Maninder-Singh/arm64-print-alloc-free-paths-for-address-in-registers/20210319-192241
        git checkout 80431a06fb1d63d8cca96411426b612ce049f545
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arm64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   arch/arm64/kernel/process.c:261:6: warning: no previous prototype for '__show_regs' [-Wmissing-prototypes]
     261 | void __show_regs(struct pt_regs *regs)
         |      ^~~~~~~~~~~
>> arch/arm64/kernel/process.c:307:6: warning: no previous prototype for '__show_regs_alloc_free' [-Wmissing-prototypes]
     307 | void __show_regs_alloc_free(struct pt_regs *regs)
         |      ^~~~~~~~~~~~~~~~~~~~~~
   arch/arm64/kernel/process.c:365:5: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes]
     365 | int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
         |     ^~~~~~~~~~~~~~~~~~~~
   arch/arm64/kernel/process.c:546:41: warning: no previous prototype for '__switch_to' [-Wmissing-prototypes]
     546 | __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev,
         |                                         ^~~~~~~~~~~
   arch/arm64/kernel/process.c:710:25: warning: no previous prototype for 'arm64_preempt_schedule_irq' [-Wmissing-prototypes]
     710 | asmlinkage void __sched arm64_preempt_schedule_irq(void)
         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~


vim +/__show_regs_alloc_free +307 arch/arm64/kernel/process.c

   260	
 > 261	void __show_regs(struct pt_regs *regs)
   262	{
   263		int i, top_reg;
   264		u64 lr, sp;
   265	
   266		if (compat_user_mode(regs)) {
   267			lr = regs->compat_lr;
   268			sp = regs->compat_sp;
   269			top_reg = 12;
   270		} else {
   271			lr = regs->regs[30];
   272			sp = regs->sp;
   273			top_reg = 29;
   274		}
   275	
   276		show_regs_print_info(KERN_DEFAULT);
   277		print_pstate(regs);
   278	
   279		if (!user_mode(regs)) {
   280			printk("pc : %pS\n", (void *)regs->pc);
   281			printk("lr : %pS\n", (void *)ptrauth_strip_insn_pac(lr));
   282		} else {
   283			printk("pc : %016llx\n", regs->pc);
   284			printk("lr : %016llx\n", lr);
   285		}
   286	
   287		printk("sp : %016llx\n", sp);
   288	
   289		if (system_uses_irq_prio_masking())
   290			printk("pmr_save: %08llx\n", regs->pmr_save);
   291	
   292		i = top_reg;
   293	
   294		while (i >= 0) {
   295			printk("x%-2d: %016llx ", i, regs->regs[i]);
   296			i--;
   297	
   298			if (i % 2 == 0) {
   299				pr_cont("x%-2d: %016llx ", i, regs->regs[i]);
   300				i--;
   301			}
   302	
   303			pr_cont("\n");
   304		}
   305	}
   306	
 > 307	void __show_regs_alloc_free(struct pt_regs *regs)
   308	{
   309		int i;
   310	
   311		/* check for x0 - x29 only */
   312		for (i = 0; i <= 29; i++) {
   313			pr_alert("Register x%d information:", i);
   314			mem_dump_obj((void *)regs->regs[i]);
   315		}
   316	}
   317	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 26579 bytes --]

[-- Attachment #3: Type: text/plain, Size: 176 bytes --]

