* [for-linus][PATCH 2/5] tools/bootconfig: Fix a build error according to undefined fallthrough
       [not found] <20210610003344.783752614@goodmis.org>
From: Steven Rostedt @ 2021-06-10  0:33 UTC
  To: linux-kernel; +Cc: Ingo Molnar, Andrew Morton, stable, Masami Hiramatsu

From: Masami Hiramatsu <mhiramat@kernel.org>

Since the "fallthrough" is defined only in the kernel, building
lib/bootconfig.c as a part of user-space tools causes a build
error.

Add a dummy fallthrough to avoid the build error.

Link: https://lkml.kernel.org/r/162087519356.442660.11385099982318160180.stgit@devnote2

Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 4c1ca831adb1 ("Revert "lib: Revert use of fallthrough pseudo-keyword in lib/"")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 tools/bootconfig/include/linux/bootconfig.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
index 078cbd2ba651..de7f30f99af3 100644
--- a/tools/bootconfig/include/linux/bootconfig.h
+++ b/tools/bootconfig/include/linux/bootconfig.h
@@ -4,4 +4,8 @@
 
 #include "../../../../include/linux/bootconfig.h"
 
+#ifndef fallthrough
+# define fallthrough
+#endif
+
 #endif
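Review bot: the empty `# define fallthrough` makes lib/bootconfig.c compile for user space but also throws the annotation away, so a tools build with -Wimplicit-fallthrough enabled will now warn on exactly the `case` labels the kernel side marked as intentional. The kernel's own definition (include/linux/compiler_attributes.h) expands `fallthrough` to `__attribute__((__fallthrough__))` when the compiler supports it; mirroring that here, e.g. `# if __has_attribute(__fallthrough__)` / `#  define fallthrough __attribute__((__fallthrough__))` / `# else` with the empty definition as the fallback, keeps the diagnostics identical in both builds while still fixing the error.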
-- 
2.30.2


* [for-linus][PATCH 3/5] ftrace: Do not blindly read the ip address in ftrace_bug()
From: Steven Rostedt @ 2021-06-10  0:33 UTC
  To: linux-kernel; +Cc: Ingo Molnar, Andrew Morton, stable, Mark-PK Tsai

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

It was reported that a bug on arm64 caused a bad ip address to be used for
updating into a nop in ftrace_init(), but the error path (rightfully)
returned -EINVAL and not -EFAULT, as the bug caused more than one error to
occur. But because -EINVAL was returned, the ftrace_bug() tried to report
what was at the location of the ip address, and read it directly. This
caused the machine to panic, as the ip was not pointing to a valid memory
address.

Instead, read the ip address with copy_from_kernel_nofault() to safely
access the memory, and if it faults, report that the address faulted,
otherwise report what was in that location.

Link: https://lore.kernel.org/lkml/20210607032329.28671-1-mark-pk.tsai@mediatek.com/

Cc: stable@vger.kernel.org
Fixes: 05736a427f7e1 ("ftrace: warn on failure to disable mcount callers")
Reported-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Tested-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 kernel/trace/ftrace.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 2e8a3fde7104..72ef4dccbcc4 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1967,12 +1967,18 @@ static int ftrace_hash_ipmodify_update(struct ftrace_ops *ops,
 
 static void print_ip_ins(const char *fmt, const unsigned char *p)
 {
+	char ins[MCOUNT_INSN_SIZE];
 	int i;
 
+	if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) {
+		printk(KERN_CONT "%s[FAULT] %px\n", fmt, p);
+		return;
+	}
+
 	printk(KERN_CONT "%s", fmt);
 
 	for (i = 0; i < MCOUNT_INSN_SIZE; i++)
-		printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]);
+		printk(KERN_CONT "%s%02x", i ? ":" : "", ins[i]);
 }
 
 enum ftrace_bug_type ftrace_bug_type;
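Review bot: `ins` is declared as plain `char`, but the function previously walked `const unsigned char *p`, so the `%02x` loop now receives sign-extended values wherever plain char is signed (x86 yes, arm64 no): a byte of 0xe8 prints as `ffffffe8` instead of `e8`, and the two architectures print different output for the same bytes. Declare it `unsigned char ins[MCOUNT_INSN_SIZE]` to keep the dump identical to the old one. The `%px` on the fault path is appropriate for an ftrace_bug() report, but since it deliberately prints an unhashed kernel address a short comment saying so would stop a later cleanup from "fixing" it to `%p`.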
-- 
2.30.2

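The fix above stops ftrace_bug() from dereferencing a possibly bogus ip and instead probes it with copy_from_kernel_nofault(), reporting "[FAULT]" when the read fails. As an added example (not code from the patch or the kernel tree), here is a user-space analogue of the patched print_ip_ins(): there is no copy_from_kernel_nofault() outside the kernel, so the example bounces the bytes through a pipe, where write(2) returns EFAULT for an unreadable source instead of the process taking SIGSEGV. MCOUNT_INSN_SIZE is assumed to be 5 (the x86 call encoding), and the sample instruction bytes and the unreadable page are constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MCOUNT_INSN_SIZE 5	/* assumption: size of the x86 "call" the patch dumps */

/*
 * User-space stand-in for copy_from_kernel_nofault(): bounce the bytes
 * through a pipe.  The kernel performs the access on our behalf and reports
 * EFAULT for an unmapped or unreadable source instead of raising SIGSEGV.
 * Returns 0 on success, -EFAULT if src is unreadable, -EIO otherwise.
 */
static int safe_copy(void *dst, const void *src, size_t n)
{
	int fds[2];
	ssize_t w;
	int ret = 0;

	if (pipe(fds) < 0)
		return -errno;

	w = write(fds[1], src, n);
	if (w != (ssize_t)n)
		ret = (w < 0 && errno != EFAULT) ? -EIO : -EFAULT;	/* short write: part of src faulted */
	else if (read(fds[0], dst, n) != (ssize_t)n)
		ret = -EIO;

	close(fds[0]);
	close(fds[1]);
	return ret;
}

/*
 * Same shape as the patched print_ip_ins(): render the MCOUNT_INSN_SIZE bytes
 * at p as "aa:bb:cc:dd:ee", or "[FAULT] <addr>" when p cannot be read.
 * Returns 0 when the bytes were read, -EFAULT when they were not.
 */
static int format_ip_ins(char *out, size_t outlen, const unsigned char *p)
{
	unsigned char ins[MCOUNT_INSN_SIZE];	/* unsigned so %02x never sign-extends */
	size_t off = 0;
	int i;

	if (safe_copy(ins, p, MCOUNT_INSN_SIZE)) {
		snprintf(out, outlen, "[FAULT] %p", (const void *)p);
		return -EFAULT;
	}
	for (i = 0; i < MCOUNT_INSN_SIZE && off < outlen; i++)
		off += snprintf(out + off, outlen - off, "%s%02x", i ? ":" : "", ins[i]);
	return 0;
}

/* Constructed sample: e8 00 00 00 00 is an x86 rel32 call, the usual mcount site. */
static const unsigned char sample_ins[MCOUNT_INSN_SIZE] = { 0xe8, 0x00, 0x00, 0x00, 0x00 };

/* A page that is mapped but not readable: any direct load from it would SIGSEGV. */
static const unsigned char *unreadable_page(void)
{
	long pg = sysconf(_SC_PAGESIZE);
	void *p = mmap(NULL, (size_t)pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	return p == MAP_FAILED ? NULL : p;	/* NULL is just as unreadable */
}

int main(void)
{
	char buf[64];

	format_ip_ins(buf, sizeof(buf), sample_ins);
	printf("good ip: %s\n", buf);		/* e8:00:00:00:00 */
	format_ip_ins(buf, sizeof(buf), unreadable_page());
	printf("bad ip:  %s\n", buf);		/* [FAULT] 0x... instead of a crash */
	return 0;
}
```

The pipe trick is the same idea as the kernel helper: let a privileged copy routine take the fault and turn it into an error code, so diagnostic code that runs after something has already gone wrong cannot make things worse.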

* [for-linus][PATCH 4/5] tracing: Correct the length check which causes memory corruption
From: Steven Rostedt @ 2021-06-10  0:33 UTC
  To: linux-kernel
  Cc: Ingo Molnar, Andrew Morton, stable, Ingo Molnar, Xunlei Pang,
	Greg Kroah-Hartman, yinbinbin, Wetp Zhang, James Wang, Liangyan

From: Liangyan <liangyan.peng@linux.alibaba.com>

We've suffered from severe kernel crashes due to memory corruption in
our production environment, like:

Call Trace:
[1640542.554277] general protection fault: 0000 [#1] SMP PTI
[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf
[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300
[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000
[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d
[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976
[1640542.563128] FS:  00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000
[1640542.563937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0
[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1640542.566742] Call Trace:
[1640542.567009]  anon_vma_clone+0x5d/0x170
[1640542.567417]  __split_vma+0x91/0x1a0
[1640542.567777]  do_munmap+0x2c6/0x320
[1640542.568128]  vm_munmap+0x54/0x70
[1640542.569990]  __x64_sys_munmap+0x22/0x30
[1640542.572005]  do_syscall_64+0x5b/0x1b0
[1640542.573724]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS.
After some debugging, we finally proved that it's due to an ftrace
buffer out-of-bounds access, using a debug tool, as follows:
[   86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
[   86.780806]  no_context+0xdf/0x3c0
[   86.784327]  __do_page_fault+0x252/0x470
[   86.788367]  do_page_fault+0x32/0x140
[   86.792145]  page_fault+0x1e/0x30
[   86.795576]  strncpy_from_unsafe+0x66/0xb0
[   86.799789]  fetch_memory_string+0x25/0x40
[   86.804002]  fetch_deref_string+0x51/0x60
[   86.808134]  kprobe_trace_func+0x32d/0x3a0
[   86.812347]  kprobe_dispatcher+0x45/0x50
[   86.816385]  kprobe_ftrace_handler+0x90/0xf0
[   86.820779]  ftrace_ops_assist_func+0xa1/0x140
[   86.825340]  0xffffffffc00750bf
[   86.828603]  do_sys_open+0x5/0x1f0
[   86.832124]  do_syscall_64+0x5b/0x1b0
[   86.835900]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

commit b220c049d519 ("tracing: Check length before giving out
the filter buffer") adds a length check to protect against the trace
data overflow introduced in 0fc1b09ff1ff, but it seems that this fix
can't prevent the overflow entirely: the length check should also take
sizeof(entry->array[0]) into account, since array[0] is filled with the
length of the trace data and occupies additional space, so it risks
overflow.

Link: https://lkml.kernel.org/r/20210607125734.1770447-1-liangyan.peng@linux.alibaba.com

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Xunlei Pang <xlpang@linux.alibaba.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: b220c049d519 ("tracing: Check length before giving out the filter buffer")
Reviewed-by: Xunlei Pang <xlpang@linux.alibaba.com>
Reviewed-by: yinbinbin <yinbinbin@alibabacloud.com>
Reviewed-by: Wetp Zhang <wetp.zy@linux.alibaba.com>
Tested-by: James Wang <jnwang@linux.alibaba.com>
Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 kernel/trace/trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index a21ef9cd2aae..9299057feb56 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2736,7 +2736,7 @@ trace_event_buffer_lock_reserve(struct trace_buffer **current_rb,
 	    (entry = this_cpu_read(trace_buffered_event))) {
 		/* Try to use the per cpu buffer first */
 		val = this_cpu_inc_return(trace_buffered_event_cnt);
-		if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) {
+		if ((len < (PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]))) && val == 1) {
 			trace_event_setup(entry, type, trace_ctx);
 			entry->array[0] = len;
 			return entry;
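Review bot: the new bound is correct but unexplained: nothing at the `if` tells the reader that `sizeof(entry->array[0])` is subtracted because the length word written two lines later (`entry->array[0] = len;`) consumes that space ahead of the payload, which is exactly the accounting the old check got wrong. Add a one-line comment above the condition, e.g. `/* header, the length word in array[0], then len bytes of data must all fit in the page */`, and drop the redundant parentheses around the `len < ...` comparison so the line is easier to scan; both help whoever backports this to the 4.19 tree the changelog mentions.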
-- 
2.30.2

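The changelog explains the overflow as an accounting error: the old check budgeted for the event header and the payload but not for the length word stored in array[0], so a payload sized just under the old limit wrote a few bytes past the end of the per-CPU page. The following is an added example, not code from the patch or the kernel, that models that arithmetic in user space: it assumes a 4 KiB page, a one-word event header (sizeof == 4, the same as struct ring_buffer_event), the length in array[0] and the payload starting at array[1], and it puts the old and the patched check side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096	/* assumption: one 4 KiB per-CPU buffer page */

/* Model of struct ring_buffer_event as used for the buffered event: sizeof == 4. */
struct rb_event {
	uint32_t hdr;		/* stands in for the type_len/time_delta bitfields */
	uint32_t array[];	/* array[0] holds len; payload starts at array[1] */
};

/* Check as it was before the patch: ignores the length word in array[0]. */
static int old_len_ok(size_t len)
{
	struct rb_event *entry = NULL;	/* only used inside sizeof, never dereferenced */

	return len < (MODEL_PAGE_SIZE - sizeof(*entry));
}

/* Check as the patch writes it: also reserves sizeof(entry->array[0]). */
static int new_len_ok(size_t len)
{
	struct rb_event *entry = NULL;

	return len < (MODEL_PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]));
}

/* Bytes an event really occupies: header, length word, then len bytes of data. */
static size_t event_footprint(size_t len)
{
	return sizeof(struct rb_event) + sizeof(uint32_t) + len;
}

/* Largest footprint a check lets through; above MODEL_PAGE_SIZE the payload runs off the page. */
static size_t worst_case_footprint(int (*len_ok)(size_t))
{
	size_t len, worst = 0;

	for (len = 0; len <= MODEL_PAGE_SIZE; len++)
		if (len_ok(len))
			worst = event_footprint(len);
	return worst;
}

/* Lay out an event in page the way the reserve path does; NULL if the check rejects len. */
static void *reserve_event(unsigned char *page, size_t len, int (*len_ok)(size_t))
{
	struct rb_event *entry = (struct rb_event *)page;

	if (!len_ok(len))
		return NULL;
	entry->hdr = 0;
	entry->array[0] = (uint32_t)len;
	return &entry->array[1];
}

/*
 * How far past the end of the page a len-byte payload would be written:
 * -1 if the check rejects len, 0 if it fits, otherwise the overflow in bytes.
 */
static long overflow_bytes(size_t len, int (*len_ok)(size_t))
{
	unsigned char page[MODEL_PAGE_SIZE];
	unsigned char *data = reserve_event(page, len, len_ok);
	size_t end;

	if (!data)
		return -1;
	end = (size_t)(data - page) + len;	/* offset one past the last payload byte */
	return end > MODEL_PAGE_SIZE ? (long)(end - MODEL_PAGE_SIZE) : 0;
}

int main(void)
{
	printf("old check: worst footprint %zu bytes in a %d-byte page\n",
	       worst_case_footprint(old_len_ok), MODEL_PAGE_SIZE);	/* 4099 in 4096 */
	printf("new check: worst footprint %zu bytes in a %d-byte page\n",
	       worst_case_footprint(new_len_ok), MODEL_PAGE_SIZE);	/* 4095 in 4096 */
	return 0;
}
```

With the old check the largest accepted payload (PAGE_SIZE - 5 bytes) lands 3 bytes past the page, which is the small, silent corruption of whatever follows the page that the crash dumps in the changelog show; the patched check caps the footprint at PAGE_SIZE - 1.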

* [for-linus][PATCH 5/5] recordmcount: Correct st_shndx handling
From: Steven Rostedt @ 2021-06-10  0:33 UTC
  To: linux-kernel
  Cc: Ingo Molnar, Andrew Morton, stable, Mark-PK Tsai, Ard Biesheuvel,
	Peter Zijlstra (Intel)

From: Peter Zijlstra <peterz@infradead.org>

One should only use st_shndx when >SHN_UNDEF and <SHN_LORESERVE. When
SHN_XINDEX, then use .symtab_shndx. Otherwise use 0.

This handles the case: st_shndx >= SHN_LORESERVE && st_shndx != SHN_XINDEX.

Link: https://lkml.kernel.org/r/YL9HxEc/l0yrl5o8@hirez.programming.kicks-ass.net

Cc: stable@vger.kernel.org
Fixes: 4ef57b21d6fb4 ("recordmcount: support >64k sections")
Reported-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Tested-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 scripts/recordmcount.h | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
index f9b19524da11..7e8a11ed5e2f 100644
--- a/scripts/recordmcount.h
+++ b/scripts/recordmcount.h
@@ -194,13 +194,18 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab,
 	unsigned long offset;
 	int index;
 
-	if (sym->st_shndx != SHN_XINDEX)
+	if (sym->st_shndx > SHN_UNDEF &&
+	    sym->st_shndx < SHN_LORESERVE)
 		return w2(sym->st_shndx);
 
-	offset = (unsigned long)sym - (unsigned long)symtab;
-	index = offset / sizeof(*sym);
+	if (sym->st_shndx == SHN_XINDEX) {
+		offset = (unsigned long)sym - (unsigned long)symtab;
+		index = offset / sizeof(*sym);
 
-	return w(symtab_shndx[index]);
+		return w(symtab_shndx[index]);
+	}
+
+	return 0;
 }
 
 static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0)
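Review bot: the two new range comparisons test `sym->st_shndx` in file byte order, while the value returned on the next line is `w2(sym->st_shndx)`; on a cross-endian build (the reason the w2 helper exists) the check and the returned value therefore disagree: a big-endian `0xff00` (SHN_LORESERVE) is read as `0x00ff` unswapped, passes `< SHN_LORESERVE`, and is handed back as section index 0xff00. Swap once up front, `unsigned short shndx = w2(sym->st_shndx);`, and compare `shndx` everywhere, including the `== SHN_XINDEX` test (which only worked unswapped because 0xffff is the same in both byte orders). A comment noting that SHN_ABS and SHN_COMMON deliberately collapse to 0 here would also help, since callers cannot tell that 0 apart from SHN_UNDEF.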
-- 
2.30.2

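The changelog states the rule the patch implements: an st_shndx is a real section index only when it lies strictly between SHN_UNDEF and SHN_LORESERVE, SHN_XINDEX means the index lives in .symtab_shndx, and every other reserved value (SHN_ABS, SHN_COMMON, and so on) is not a section at all. As an added example, not code from the patch or from scripts/recordmcount.h, here is a stand-alone implementation of that lookup with the byte order applied consistently to the compared and the returned value. The ELF64 symbol layout and SHN_* constants are declared locally (they match the ELF specification, so the example does not need <elf.h>), the symbol table and the .symtab_shndx array are constructed here, and the bounds check on the extended index table is an addition the patch does not make.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ELF section-index constants, as in <elf.h>. */
#define SHN_UNDEF     0
#define SHN_LORESERVE 0xff00
#define SHN_ABS       0xfff1
#define SHN_COMMON    0xfff2
#define SHN_XINDEX    0xffff

/* ELF64 symbol table entry, field order and sizes as in the specification. */
typedef struct {
	uint32_t st_name;
	uint8_t  st_info;
	uint8_t  st_other;
	uint16_t st_shndx;
	uint64_t st_value;
	uint64_t st_size;
} Elf64_Sym_t;

/* Byte-order helpers; swap is 1 when the object file's endianness differs from the host's. */
static uint16_t rd16(uint16_t v, int swap)
{
	return swap ? (uint16_t)((v >> 8) | (v << 8)) : v;
}

static uint32_t rd32(uint32_t v, int swap)
{
	return swap ? ((v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24)) : v;
}

/*
 * Resolve the section a symbol belongs to.  Returns the section index, or 0
 * for anything that is not a section (undefined, absolute, common, other
 * reserved values, or an SHN_XINDEX entry with no usable .symtab_shndx).
 */
static unsigned int get_symindex(const Elf64_Sym_t *sym, const Elf64_Sym_t *symtab,
				 const uint32_t *symtab_shndx, size_t nshndx, int swap)
{
	uint16_t shndx = rd16(sym->st_shndx, swap);	/* swap once, compare the swapped value everywhere */
	size_t index;

	/* an ordinary index is valid only strictly between SHN_UNDEF and the reserved range */
	if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE)
		return shndx;

	/* escape hatch for objects with more than ~64k sections: the index lives in .symtab_shndx */
	if (shndx == SHN_XINDEX) {
		index = (size_t)(sym - symtab);	/* the patch computes this as byte offset / sizeof(*sym) */
		if (!symtab_shndx || index >= nshndx)
			return 0;	/* added hardening: no (or too short) .symtab_shndx table */
		return rd32(symtab_shndx[index], swap);
	}

	/* SHN_UNDEF, SHN_ABS, SHN_COMMON and the remaining reserved values: not a section */
	return 0;
}

/* Constructed symbol table: one entry per case the lookup has to handle. */
static const Elf64_Sym_t syms[] = {
	{ .st_shndx = SHN_UNDEF },	/* [0] the null symbol */
	{ .st_shndx = 3 },		/* [1] defined in section 3 */
	{ .st_shndx = SHN_ABS },	/* [2] absolute value, e.g. a linker-defined constant */
	{ .st_shndx = SHN_XINDEX },	/* [3] section number too large for st_shndx */
	{ .st_shndx = SHN_COMMON },	/* [4] tentative definition, allocated at link time */
};
#define NSYMS (sizeof(syms) / sizeof(syms[0]))

/* Parallel .symtab_shndx table; only the SHN_XINDEX entry's slot is meaningful. */
static const uint32_t shndx_tab[NSYMS] = { 0, 0, 0, 70000, 0 };

/* Look up symbol i of the constructed table (host byte order). */
static unsigned int resolve(size_t i)
{
	return get_symindex(&syms[i], syms, shndx_tab, NSYMS, 0);
}

/* Look up a single symbol whose st_shndx is stored in the opposite byte order. */
static unsigned int resolve_foreign_endian(uint16_t raw_shndx)
{
	Elf64_Sym_t sym = { .st_shndx = raw_shndx };

	return get_symindex(&sym, &sym, NULL, 0, 1);
}

int main(void)
{
	size_t i;

	for (i = 0; i < NSYMS; i++)
		printf("sym[%zu] st_shndx=0x%04x -> section %u\n", i, syms[i].st_shndx, resolve(i));
	return 0;
}
```

The pre-patch logic returned `w2(st_shndx)` for everything except SHN_XINDEX, so the SHN_ABS and SHN_COMMON entries above would have come back as section numbers 0xfff1 and 0xfff2 and been used to index the section header table; the foreign-endian case shows why the swap has to happen before the range test rather than only on the returned value.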

* Re: [for-linus][PATCH 5/5] recordmcount: Correct st_shndx handling
From: Peter Zijlstra @ 2021-06-10  8:25 UTC
  To: Steven Rostedt
  Cc: linux-kernel, Ingo Molnar, Andrew Morton, stable, Mark-PK Tsai,
	Ard Biesheuvel

On Wed, Jun 09, 2021 at 08:33:49PM -0400, Steven Rostedt wrote:
> From: Peter Zijlstra <peterz@infradead.org>
> 
> One should only use st_shndx when >SHN_UNDEF and <SHN_LORESERVE. When
> SHN_XINDEX, then use .symtab_shndx. Otherwise use 0.
> 
> This handles the case: st_shndx >= SHN_LORESERVE && st_shndx != SHN_XINDEX.
> 
> Link: https://lkml.kernel.org/r/YL9HxEc/l0yrl5o8@hirez.programming.kicks-ass.net
> 
> Cc: stable@vger.kernel.org
> Fixes: 4ef57b21d6fb4 ("recordmcount: support >64k sections")
> Reported-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
> Tested-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

This is apparently causing trouble for Stephen in -next. Please hold.

