From: Martin Kaiser
To: Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Steven Rostedt, Masami Hiramatsu, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Martin Kaiser
Subject: [PATCH] riscv: probes: save original sp in rethook trampoline
Date: Tue, 30 Jun 2026 21:40:03 +0200
Message-ID: <20260630194010.1824039-1-martin@kaiser.cx>
X-Mailer: git-send-email 2.43.7
X-Mailing-List: linux-trace-kernel@vger.kernel.org

Reading a word from the stack in a kretprobe crashes a risc-v kernel.

$ cd /sys/kernel/tracing/
$ echo 'r n_tty_write $stack0' > dynamic_events
$ echo 1 > events/kprobes/enable

Unable to handle kernel paging request at virtual address 0000000200000128
...
[] regs_get_kernel_stack_nth+0x26/0x38
[] process_fetch_insn+0x3ee/0x760
[] kretprobe_trace_func+0x116/0x1f0
[] kretprobe_dispatcher+0x4a/0x58
[] kretprobe_rethook_handler+0x5e/0x90
[] rethook_trampoline_handler+0x70/0x108
[] arch_rethook_trampoline_callback+0x12/0x1c
[] arch_rethook_trampoline+0x48/0x94
[] tty_write+0x1a/0x30

In regs_get_kernel_stack_nth, regs->sp contains an arbitrary value.

arch_rethook_trampoline saves the registers from the probed function in a struct pt_regs. sp is not saved. Instead, sp is decremented for arch_rethook_trampoline's local stack.

Fix this crash and save the original sp along with the other registers. Use a0 as a temporary register; it is overwritten anyway.

Signed-off-by: Martin Kaiser
---
 arch/riscv/kernel/probes/rethook_trampoline.S | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/riscv/kernel/probes/rethook_trampoline.S b/arch/riscv/kernel/probes/rethook_trampoline.S
index f2cd83d9b0f0..c3aa8d8cf5af 100644
--- a/arch/riscv/kernel/probes/rethook_trampoline.S
+++ b/arch/riscv/kernel/probes/rethook_trampoline.S
@@ -41,6 +41,9 @@ REG_S x29, PT_T4(sp) REG_S x30, PT_T5(sp) REG_S x31, PT_T6(sp) + /* save original sp */ + addi a0, sp, PT_SIZE_ON_STACK + REG_S a0, PT_SP(sp) .endm .macro restore_all_base_regs -- 2.43.7
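Review bot: the added `addi a0, sp, PT_SIZE_ON_STACK` / `REG_S a0, PT_SP(sp)` clobber a0 inside the generic save_all_base_regs macro, and the `/* save original sp */` comment does not say why that is safe; state it there, e.g. `/* save original sp; a0 is already saved by this macro and is reloaded by restore_all_base_regs */`, so a reader of the macro does not see a register being trashed in a "save" routine without looking up the commit message ("it is overwritten anyway" refers to the kretprobe return path, which the macro itself does not show). The recovered value also depends on the frame allocation this macro pairs with having moved sp down by exactly PT_SIZE_ON_STACK, which is outside the hunk; naming that pairing in the comment keeps the two from drifting apart if the trampoline's frame layout changes. Since this fixes a kernel crash triggerable from tracefs, a Fixes: tag and Cc: stable@vger.kernel.org in the commit message would let it be picked up for stable.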