From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
Andrea Righi <righi.andrea@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.19 81/81] x86/kprobes: Avoid kretprobe recursion bug
Date: Tue, 7 May 2019 01:35:52 -0400 [thread overview]
Message-ID: <20190507053554.30848-81-sashal@kernel.org> (raw)
In-Reply-To: <20190507053554.30848-1-sashal@kernel.org>
From: Masami Hiramatsu <mhiramat@kernel.org>
[ Upstream commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 ]
Avoid kretprobe recursion loop bg by setting a dummy
kprobes to current_kprobe per-CPU variable.
This bug has been introduced with the asm-coded trampoline
code, since previously it used another kprobe for hooking
the function return placeholder (which only has a nop) and
trampoline handler was called from that kprobe.
This revives the old lost kprobe again.
With this fix, we don't see deadlock anymore.
And you can see that all inner-called kretprobe are skipped.
event_1 235 0
event_2 19375 19612
The 1st column is recorded count and the 2nd is missed count.
Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
(some difference are here because the counter is racy)
Reported-by: Andrea Righi <righi.andrea@gmail.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
arch/x86/kernel/kprobes/core.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index acb901b43ce4..544bc2dfe408 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -749,11 +749,16 @@ asm(
NOKPROBE_SYMBOL(kretprobe_trampoline);
STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
+static struct kprobe kretprobe_kprobe = {
+ .addr = (void *)kretprobe_trampoline,
+};
+
/*
* Called from kretprobe_trampoline
*/
__visible __used void *trampoline_handler(struct pt_regs *regs)
{
+ struct kprobe_ctlblk *kcb;
struct kretprobe_instance *ri = NULL;
struct hlist_head *head, empty_rp;
struct hlist_node *tmp;
@@ -763,6 +768,17 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
void *frame_pointer;
bool skipped = false;
+ preempt_disable();
+
+ /*
+ * Set a dummy kprobe for avoiding kretprobe recursion.
+ * Since kretprobe never run in kprobe handler, kprobe must not
+ * be running at this point.
+ */
+ kcb = get_kprobe_ctlblk();
+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
+ kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+
INIT_HLIST_HEAD(&empty_rp);
kretprobe_hash_lock(current, &head, &flags);
/* fixup registers */
@@ -838,10 +854,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
orig_ret_address = (unsigned long)ri->ret_addr;
if (ri->rp && ri->rp->handler) {
__this_cpu_write(current_kprobe, &ri->rp->kp);
- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
ri->ret_addr = correct_ret_addr;
ri->rp->handler(ri, regs);
- __this_cpu_write(current_kprobe, NULL);
+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
}
recycle_rp_inst(ri, &empty_rp);
@@ -857,6 +872,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
kretprobe_hash_unlock(current, &flags);
+ __this_cpu_write(current_kprobe, NULL);
+ preempt_enable();
+
hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
hlist_del(&ri->hlist);
kfree(ri);
--
2.20.1
prev parent reply other threads:[~2019-05-07 5:54 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-07 5:34 [PATCH AUTOSEL 4.19 01/81] iio: adc: xilinx: fix potential use-after-free on remove Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 02/81] iio: adc: xilinx: fix potential use-after-free on probe Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 03/81] iio: adc: xilinx: prevent touching unclocked h/w on remove Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 04/81] acpi/nfit: Always dump _DSM output payload Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 05/81] libnvdimm/namespace: Fix a potential NULL pointer dereference Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 06/81] HID: input: add mapping for Expose/Overview key Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 07/81] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 08/81] HID: input: add mapping for "Toggle Display" key Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 09/81] libnvdimm/btt: Fix a kmemdup failure check Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 10/81] s390/dasd: Fix capacity calculation for large volumes Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 11/81] mac80211: fix unaligned access in mesh table hash function Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 12/81] mac80211: Increase MAX_MSG_LEN Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 13/81] cfg80211: Handle WMM rules in regulatory domain intersection Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 14/81] mac80211: fix memory accounting with A-MSDU aggregation Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 15/81] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 16/81] Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 17/81] libnvdimm/pmem: fix a possible OOB access when read and write pmem Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 18/81] mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 19/81] s390/3270: fix lockdep false positive on view->lock Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 20/81] drm/amd/display: extending AUX SW Timeout Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 21/81] clocksource/drivers/npcm: select TIMER_OF Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 22/81] clocksource/drivers/oxnas: Fix OX820 compatible Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 23/81] selftests: fib_tests: Fix 'Command line is not complete' errors Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 24/81] mISDN: Check address length before reading address family Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 25/81] vxge: fix return of a free'd memblock on a failed dma mapping Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 26/81] qede: fix write to free'd pointer error and double free of ptp Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 27/81] afs: Unlock pages for __pagevec_release() Sasha Levin
2019-05-07 5:34 ` [PATCH AUTOSEL 4.19 28/81] drm/amd/display: If one stream full updates, full update all planes Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 29/81] s390/pkey: add one more argument space for debug feature entry Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 30/81] x86/build/lto: Fix truncated .bss with -fdata-sections Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 31/81] x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 32/81] x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info" Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 33/81] KVM: x86: Raise #GP when guest vCPU do not support PMU Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 34/81] KVM: fix spectrev1 gadgets Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 35/81] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 36/81] tools lib traceevent: Fix missing equality check for strcmp Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 37/81] ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 38/81] ocelot: Don't sleep in atomic context (irqs_disabled()) Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 39/81] x86/mm/KASLR: Fix the size of the direct mapping section Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 40/81] scsi: aic7xxx: fix EISA support Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 41/81] mm: fix inactive list balancing between NUMA nodes and cgroups Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 42/81] init: initialize jump labels before command line option parsing Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 43/81] selftests: netfilter: check icmp pkttoobig errors are set as related Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 44/81] ipvs: do not schedule icmp errors from tunnels Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 45/81] netfilter: ctnetlink: don't use conntrack/expect object addresses as id Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 46/81] netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 47/81] MIPS: perf: ath79: Fix perfcount IRQ assignment Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 48/81] s390: ctcm: fix ctcm_new_device error return code Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 49/81] drm/sun4i: Set device driver data at bind time for use in unbind Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 50/81] drm/sun4i: Fix component unbinding and component master deletion Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 51/81] selftests/net: correct the return value for run_netsocktests Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 52/81] netfilter: fix nf_l4proto_log_invalid to log invalid packets Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 53/81] gpu: ipu-v3: dp: fix CSC handling Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 54/81] drm/imx: don't skip DP channel disable for background plane Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 55/81] ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 56/81] spi: Micrel eth switch: declare missing of table Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 57/81] spi: ST ST95HF NFC: " Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 58/81] x86/mm: Fix a crash with kmemleak_scan() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 59/81] drm/sun4i: Unbind components before releasing DRM and memory Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 60/81] Input: synaptics-rmi4 - fix possible double free Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 61/81] btrfs: Switch memory allocations in async csum calculation path to kvmalloc Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 62/81] RDMA/hns: Bugfix for mapping user db Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 63/81] mm/memory_hotplug.c: drop memory device reference after find_memory_block() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 64/81] powerpc/smp: Fix NMI IPI timeout Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 65/81] powerpc/smp: Fix NMI IPI xmon timeout Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 66/81] net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 67/81] mm/memory.c: fix modifying of page protection by insert_pfn() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 68/81] usb: typec: Fix unchecked return value Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 69/81] f2fs: fix to data block override node segment by mistake Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 70/81] netfilter: nf_tables: use-after-free in dynamic operations Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 71/81] netfilter: nf_tables: add missing ->release_ops() in error path of newrule() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 72/81] net: fec: manage ahb clock in runtime pm Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 73/81] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 74/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 75/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 76/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 77/81] net/tls: fix the IV leaks Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 78/81] net: strparser: partially revert "strparser: Call skb_unclone conditionally" Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 79/81] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Sasha Levin
2019-05-07 5:35 ` [PATCH AUTOSEL 4.19 80/81] nfc: nci: Potential off by one in ->pipes[] array Sasha Levin
2019-05-07 5:35 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190507053554.30848-81-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alexander.levin@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=righi.andrea@gmail.com \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).