If an error happens in ftrace, ftrace_kill() will prevent disarming
kprobes. Eventually, the ftrace_ops associated with the kprobes will be
freed, yet the kprobes will still be active, and when triggered, they
will use the freed memory, likely resulting in a page fault and panic.

This behavior can be reproduced quite easily, by creating a kprobe and
then triggering a ftrace_kill(). For simplicity, we can simulate an
ftrace error with a kernel module like [1]:

[1]: https://github.com/brenns10/kernel_stuff/tree/master/ftrace_killer

  sudo perf probe --add commit_creds
  sudo perf trace -e probe:commit_creds
  # In another terminal
  make
  sudo insmod ftrace_killer.ko  # calls ftrace_kill(), simulating bug
  # Back to perf terminal
  # ctrl-c
  sudo perf probe --del commit_creds

After a short period, a page fault and panic would occur as the kprobe
continues to execute and uses the freed ftrace_ops.

While ftrace_kill() is supposed to be used only in extreme
circumstances, it is invoked in FTRACE_WARN_ON() and so there are many
places where an unexpected bug could be triggered, yet the system may
continue operating, possibly without the administrator noticing. If
ftrace_kill() does not panic the system, then we should do everything we
can to continue operating, rather than leave a ticking time bomb.

Link: https://lore.kernel.org/all/20240501162956.229427-1-stephen.s.brennan@oracle.com/

Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Guo Ren <guoren@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
		
			
				
	
	
		
// SPDX-License-Identifier: GPL-2.0

#include <linux/kprobes.h>

/*
 * Ftrace callback handler for kprobes -- called under preempt disabled.
 *
 * @ip:        location of the ftrace (mcount) call that fired
 * @parent_ip: return address into the caller, used only for the
 *             recursion guard
 * @ops:       the ftrace_ops this callback is registered through
 *             (not referenced in the body)
 * @fregs:     ftrace register set; converted to pt_regs for the kprobe
 *             handlers
 *
 * Looks up the kprobe attached at @ip, runs its pre_handler and, if that
 * handler did not redirect execution, emulates the single-step and runs
 * the post_handler. Returns early when kprobe-on-ftrace has been
 * disabled or when this CPU is already inside the handler.
 */
void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
			   struct ftrace_ops *ops, struct ftrace_regs *fregs)
{
	int bit;
	bool lr_saver = false;
	struct kprobe *p;
	struct kprobe_ctlblk *kcb;
	struct pt_regs *regs;

	/*
	 * Bail out once kprobe-on-ftrace has been disabled. After
	 * ftrace_kill() the kprobes can no longer be disarmed and their
	 * ftrace_ops may already have been freed, so dispatching to a
	 * handler from here would touch freed memory.
	 */
	if (unlikely(kprobe_ftrace_disabled))
		return;

	/* Recursion guard: a negative bit means we are already nested. */
	bit = ftrace_test_recursion_trylock(ip, parent_ip);
	if (bit < 0)
		return;

	regs = ftrace_get_regs(fregs);
	p = get_kprobe((kprobe_opcode_t *)ip);
	if (!p) {
		/*
		 * No probe exactly at @ip; retry one instruction earlier.
		 * NOTE(review): presumably the probe sits on the lr-saving
		 * instruction ahead of the mcount call -- confirm against
		 * this arch's ftrace entry sequence. Also note that
		 * kprobe_disabled() is only consulted on this fallback path.
		 */
		p = get_kprobe((kprobe_opcode_t *)(ip - MCOUNT_INSN_SIZE));
		if (unlikely(!p) || kprobe_disabled(p))
			goto out;
		lr_saver = true;
	}

	kcb = get_kprobe_ctlblk();
	if (kprobe_running()) {
		/* Another kprobe is already being handled on this CPU. */
		kprobes_inc_nmissed_count(p);
	} else {
		unsigned long orig_ip = instruction_pointer(regs);

		/* Present regs->pc to the handlers as the probed address. */
		if (lr_saver)
			ip -= MCOUNT_INSN_SIZE;
		instruction_pointer_set(regs, ip);
		__this_cpu_write(current_kprobe, p);
		kcb->kprobe_status = KPROBE_HIT_ACTIVE;
		if (!p->pre_handler || !p->pre_handler(p, regs)) {
			/*
			 * Emulate singlestep (and also recover regs->pc)
			 * as if there is a nop
			 */
			instruction_pointer_set(regs,
				(unsigned long)p->addr + MCOUNT_INSN_SIZE);
			if (unlikely(p->post_handler)) {
				kcb->kprobe_status = KPROBE_HIT_SSDONE;
				p->post_handler(p, regs, 0);
			}
			/* Hand control back to the real pc. */
			instruction_pointer_set(regs, orig_ip);
		}
		/*
		 * If pre_handler returns !0, it changes regs->pc. We have to
		 * skip emulating post_handler.
		 */
		__this_cpu_write(current_kprobe, NULL);
	}
out:
	ftrace_test_recursion_unlock(bit);
}
NOKPROBE_SYMBOL(kprobe_ftrace_handler);

/*
 * arch_prepare_kprobe_ftrace - arch hook for a kprobe placed on an
 * ftrace site.
 *
 * The probe is dispatched from kprobe_ftrace_handler() above, which
 * emulates the single-step itself, so no copied-instruction slot is
 * kept; the saved-insn pointer is cleared. Always returns 0.
 */
int arch_prepare_kprobe_ftrace(struct kprobe *p)
{
	p->ainsn.api.insn = NULL;
	return 0;
}