From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=w0qW=SZ=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D8D6BC282DD
	for <stable@archiver.kernel.org>; Tue, 23 Apr 2019 20:44:54 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id A4F7A21773
	for <stable@archiver.kernel.org>; Tue, 23 Apr 2019 20:44:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1556052294;
	bh=MJwTy3BP4x82DLlTrNlqkV8rQNS1ZU4SwetPfz8IjO4=;
	h=Subject:To:Cc:From:Date:List-ID:From;
	b=jlyDHiRA0xX5Xql1+DAK5QYVEvrHzdQ1mtUgqg9TFrQZ1hMWS2nwnzzyikF299B6h
	 S1sd2VYVmtpu01Dv5pl0HONV6+cFqpBhbnVksHL+zW6INrmsxfX9bwuZh1YB8Xjt1X
	 9vvnTLguVfwAKD9oUKq3PB0MLe8s3Y9sUnEHTm+8=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726665AbfDWUoy (ORCPT <rfc822;stable@archiver.kernel.org>);
        Tue, 23 Apr 2019 16:44:54 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:56769 "EHLO
        out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726075AbfDWUox (ORCPT
        <rfc822;stable@vger.kernel.org>); Tue, 23 Apr 2019 16:44:53 -0400
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
        by mailout.nyi.internal (Postfix) with ESMTP id 0177B21C57;
        Tue, 23 Apr 2019 16:44:53 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
  by compute6.internal (MEProxy); Tue, 23 Apr 2019 16:44:53 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=cc:content-transfer-encoding:content-type
        :date:from:message-id:mime-version:subject:to:x-me-proxy
        :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=GpWz2e
        f4FDcABigy4vv1+/6ZTaoGjM/yvO9LOsS8XCk=; b=WRazFKMrQEEUDiJApbN/Xe
        2lsz8tdLpvv+eoZgnBz44X8PovZ5KHCeU8J4kraHI/pE2N4+JnaSkFNLPa+vifTo
        L+wzLfKrfI8brR0kWfrZESPPhBdiR9u5FzVA2rEA2huJtEHgoTKPJKTvKcHNKmE8
        Admdy0+KGti23U3GhJKS3/7LsiyonkcHfDmiaowzLjWEaSnP0ANhNtmWME3lF5eQ
        BDoFSdSVELvNpOPp/MNZM8uISUzlHAPQmArD8IvA/D9UJNTuQ9Fs0+plx2MLrfr4
        rMANAYQg5Nd6hqLbvOmycjpqi9bjE47GgvDufBLo6bkqv8ah2hWJsQgGmky2u4Dg
        ==
X-ME-Sender: <xms:RHm_XIoT59xAI-duOBj4b81hWgYY9PNTqCEa-0Cc0caZNrsSjzCLdw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrgeekgddufeelucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucgoufhorhhtvggutfgvtghiphdvucdlgedtmdenuc
    fjughrpefuvffhfffkgggtgfesthekredttddtlfenucfhrhhomhepoehgrhgvghhkhhes
    lhhinhhugihfohhunhgurghtihhonhdrohhrgheqnecuffhomhgrihhnpehkvghrnhgvlh
    drohhrghenucfkphepiedvrdduleefrdehtddrvddvleenucfrrghrrghmpehmrghilhhf
    rhhomhepghhrvghgsehkrhhorghhrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:RHm_XDMvXmYBO4R2VzkRzjZ4V9NNDh77d3JW1vamM4NT2FQossudxg>
    <xmx:RHm_XJHbbGiM-7l6MDAclqeGkbu1K84NGYPrSUlJOY0T7e-mGa8liQ>
    <xmx:RHm_XMnyvUK6hoEIDQgfrM_iCSIFFhE0SIQMmpKBiFHypQ5ipN-UCg>
    <xmx:RHm_XLcdti-BR8rAe5x6CoNpIm5Jh81HTMhlXQgghgn9Fst-i-0Wgg>
Received: from localhost (62-193-50-229.as16211.net [62.193.50.229])
        by mail.messagingengine.com (Postfix) with ESMTPA id 4437F103C8;
        Tue, 23 Apr 2019 16:44:52 -0400 (EDT)
Subject: FAILED: patch "[PATCH] x86/kprobes: Avoid kretprobe recursion bug" failed to apply to 4.4-stable tree
To:     mhiramat@kernel.org, mathieu.desnoyers@efficios.com,
        mingo@kernel.org, peterz@infradead.org, righi.andrea@gmail.com,
        rostedt@goodmis.org, tglx@linutronix.de,
        torvalds@linux-foundation.org
Cc:     <stable@vger.kernel.org>
From:   <gregkh@linuxfoundation.org>
Date:   Tue, 23 Apr 2019 22:44:49 +0200
Message-ID: <1556052289119131@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org


The patch below does not apply to the 4.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From b191fa96ea6dc00d331dcc28c1f7db5e075693a0 Mon Sep 17 00:00:00 2001
From: Masami Hiramatsu <mhiramat@kernel.org>
Date: Sun, 24 Feb 2019 01:50:49 +0900
Subject: [PATCH] x86/kprobes: Avoid kretprobe recursion bug

Avoid kretprobe recursion loop bg by setting a dummy
kprobes to current_kprobe per-CPU variable.

This bug has been introduced with the asm-coded trampoline
code, since previously it used another kprobe for hooking
the function return placeholder (which only has a nop) and
trampoline handler was called from that kprobe.

This revives the old lost kprobe again.

With this fix, we don't see deadlock anymore.

And you can see that all inner-called kretprobe are skipped.

  event_1                                  235               0
  event_2                                19375           19612

The 1st column is recorded count and the 2nd is missed count.
Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
(some difference are here because the counter is racy)

Reported-by: Andrea Righi <righi.andrea@gmail.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>

diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 18fbe9be2d68..fed46ddb1eef 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -749,11 +749,16 @@ asm(
 NOKPROBE_SYMBOL(kretprobe_trampoline);
 STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
 
+static struct kprobe kretprobe_kprobe = {
+	.addr = (void *)kretprobe_trampoline,
+};
+
 /*
  * Called from kretprobe_trampoline
  */
 static __used void *trampoline_handler(struct pt_regs *regs)
 {
+	struct kprobe_ctlblk *kcb;
 	struct kretprobe_instance *ri = NULL;
 	struct hlist_head *head, empty_rp;
 	struct hlist_node *tmp;
@@ -763,6 +768,17 @@ static __used void *trampoline_handler(struct pt_regs *regs)
 	void *frame_pointer;
 	bool skipped = false;
 
+	preempt_disable();
+
+	/*
+	 * Set a dummy kprobe for avoiding kretprobe recursion.
+	 * Since kretprobe never run in kprobe handler, kprobe must not
+	 * be running at this point.
+	 */
+	kcb = get_kprobe_ctlblk();
+	__this_cpu_write(current_kprobe, &kretprobe_kprobe);
+	kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+
 	INIT_HLIST_HEAD(&empty_rp);
 	kretprobe_hash_lock(current, &head, &flags);
 	/* fixup registers */
@@ -838,10 +854,9 @@ static __used void *trampoline_handler(struct pt_regs *regs)
 		orig_ret_address = (unsigned long)ri->ret_addr;
 		if (ri->rp && ri->rp->handler) {
 			__this_cpu_write(current_kprobe, &ri->rp->kp);
-			get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
 			ri->ret_addr = correct_ret_addr;
 			ri->rp->handler(ri, regs);
-			__this_cpu_write(current_kprobe, NULL);
+			__this_cpu_write(current_kprobe, &kretprobe_kprobe);
 		}
 
 		recycle_rp_inst(ri, &empty_rp);
@@ -857,6 +872,9 @@ static __used void *trampoline_handler(struct pt_regs *regs)
 
 	kretprobe_hash_unlock(current, &flags);
 
+	__this_cpu_write(current_kprobe, NULL);
+	preempt_enable();
+
 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
 		hlist_del(&ri->hlist);
 		kfree(ri);