From: Li Huafei <lihuafei1@huawei.com>
To: "Russell King (Oracle)" <linux@armlinux.org.uk>
Cc: Linus Walleij <linus.walleij@linaro.org>, <ardb@kernel.org>,
<will@kernel.org>, <mark.rutland@arm.com>, <broonie@kernel.org>,
<peterz@infradead.org>, <mingo@redhat.com>, <acme@kernel.org>,
<alexander.shishkin@linux.intel.com>, <jolsa@kernel.org>,
<namhyung@kernel.org>, <arnd@arndb.de>, <rostedt@goodmis.org>,
<nick.hawkins@hpe.com>, <john@phrozen.org>, <mhiramat@kernel.org>,
<ast@kernel.org>, <linyujun809@huawei.com>,
<ndesaulniers@google.com>, <linux-arm-kernel@lists.infradead.org>,
<linux-kernel@vger.kernel.org>,
<linux-perf-users@vger.kernel.org>
Subject: Re: [PATCH 3/5] ARM: stacktrace: Allow stack trace saving for non-current tasks
Date: Tue, 26 Jul 2022 20:08:14 +0800 [thread overview]
Message-ID: <d1605c5a-1dfb-65b6-f79f-9c92bb507d4b@huawei.com> (raw)
In-Reply-To: <Yt+4qSeIM0WbjcJj@shell.armlinux.org.uk>
On 2022/7/26 17:49, Russell King (Oracle) wrote:
> On Tue, Jul 26, 2022 at 05:12:39PM +0800, Li Huafei wrote:
>>
>>
>> On 2022/7/18 17:07, Linus Walleij wrote:
>>> On Tue, Jul 12, 2022 at 4:18 AM Li Huafei <lihuafei1@huawei.com> wrote:
>>>
>>>> The current ARM implementation of save_stack_trace_tsk() does not allow
>>>> saving stack trace for non-current tasks, which may limit the scenarios
>>>> in which stack_trace_save_tsk() can be used. Like other architectures,
>>>> or like ARM's unwind_backtrace(), we can leave it up to the caller to
>>>> ensure that the task that needs to be unwound is not running.
>>>>
>>>> Signed-off-by: Li Huafei <lihuafei1@huawei.com>
>>>
>>> That sounds good, but:
>>>
>>>> if (tsk != current) {
>>>> -#ifdef CONFIG_SMP
>>>> - /*
>>>> - * What guarantees do we have here that 'tsk' is not
>>>> - * running on another CPU? For now, ignore it as we
>>>> - * can't guarantee we won't explode.
>>>> - */
>>>> - return;
>>>> -#else
>>>> + /* task blocked in __switch_to */
>>>
>>> The commit text is not consistent with the comment you are removing.
>>>
>>> The commit is talking about "non-current" tasks which is one thing,
>>> but the code is avoiding any tasks under SMP because they may be
>>> running on another CPU. So you need to update the commit
>>> message to say something like "non-current or running on another CPU".
>>>
>>> If this condition will be checked at call sites in following patches,
>>> then mention
>>> that in the commit as well, so we know the end result is that we do
>>> not break it,
>>
>> The generic code stack_trace_save_tsk() does not have this check, and by
>> 'caller' I mean the caller of stack_trace_save_tsk(), expecting the
>> 'caller' to ensure that the task is not running. So in effect this check
>> has been dropped and there is no more guarantee. Sorry for not
>> clarifying the change here.
>
> Can you prove in every case that the thread we're being asked to unwind
> is not running? I don't think you can.
>
> There are things like proc_pid_stack() in procfs and the stack traces
> in sysrq-t which have attempted to unwind everything whether it's
> running or not.
>
> So no, there is no guarantee that the thread is blocked in
> __switch_to().
>
Yes, I agree.
>> But can we assume that the user should know that the stacktrace is
>> unreliable for a task that is running on another CPU? If not, I should
>> remove this patch and keep the check.
>
> It's not about "unreliable" stack traces, it's about the unwinder
> killing the kernel.
>
> The hint is this:
>
> frame.fp = thread_saved_fp(tsk);
> frame.sp = thread_saved_sp(tsk);
> frame.lr = 0; /* recovered from the stack */
> frame.pc = thread_saved_pc(tsk);
>
> These access the context saved by the scheduler when the task is
> sleeping. When the thread is running, these saved values will be
> the state when the thread last slept. However, with the thread
> running, the stack could now contain any data what so ever, and
> could change at any moment.
>
I get it. For example, since the data on the stack is changing,
'*(unsigned long *)fp' could access any illegal address and crash the
kernel.
> Whether the unwind-table unwinder is truely safe in such a
> situation is unknown - we try to ensure that it won't do anything
> stupid, but proving that is a hard task, and we've recently had
> issues with the unwinder even without that.
>
> So, allowing this feels like we're opening the door to DoS attacks
> from userspace, where userspace sits there reading /proc/*/stack of
> some thread running on a different CPU waiting for the kernel to
> oops itself, possibly holding a lock, resulting in the system
> dying.
>
> These decisions need to be made by architecture code not generic
> code, particularly where the method of unwinding is architecture
> specific and thus may have criteria defining when its safe to do so.
>
Thank you for your comments, I'll remove the patch and keep the check.
Thanks,
Huafei
next prev parent reply other threads:[~2022-07-26 12:08 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 2:15 [PATCH 0/5] ARM: Convert to ARCH_STACKWALK Li Huafei
2022-07-12 2:15 ` [PATCH 1/5] ARM: stacktrace: Skip frame pointer boundary check for call_with_stack() Li Huafei
2022-07-18 8:57 ` Linus Walleij
2022-07-26 8:10 ` Li Huafei
2022-07-12 2:15 ` [PATCH 2/5] ARM: stacktrace: Avoid duplicate saving of exception PC value Li Huafei
2022-07-18 9:01 ` Linus Walleij
2022-07-26 9:10 ` Li Huafei
2022-07-26 10:22 ` Russell King (Oracle)
2022-07-26 12:21 ` Li Huafei
2022-07-12 2:15 ` [PATCH 3/5] ARM: stacktrace: Allow stack trace saving for non-current tasks Li Huafei
2022-07-18 9:07 ` Linus Walleij
2022-07-26 9:12 ` Li Huafei
2022-07-26 9:49 ` Russell King (Oracle)
2022-07-26 12:08 ` Li Huafei [this message]
2022-07-12 2:15 ` [PATCH 4/5] ARM: stacktrace: Make stack walk callback consistent with generic code Li Huafei
2022-07-12 13:34 ` Mark Brown
2022-07-13 11:21 ` Li Huafei
2022-07-18 9:09 ` Linus Walleij
2022-07-26 9:19 ` Li Huafei
2022-07-12 2:15 ` [PATCH 5/5] ARM: stacktrace: Convert stacktrace to generic ARCH_STACKWALK Li Huafei
2022-07-18 9:12 ` Linus Walleij
2022-07-26 9:15 ` Li Huafei
2022-07-27 6:29 ` Li Huafei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d1605c5a-1dfb-65b6-f79f-9c92bb507d4b@huawei.com \
--to=lihuafei1@huawei.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=broonie@kernel.org \
--cc=john@phrozen.org \
--cc=jolsa@kernel.org \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=linyujun809@huawei.com \
--cc=mark.rutland@arm.com \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=ndesaulniers@google.com \
--cc=nick.hawkins@hpe.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).