Message ID | 20200730205112.2099429-3-ndesaulniers@google.com |
---|---|
State | New |
Headers | show |
Series | [1/4] ARM: backtrace-clang: check for NULL lr | expand |
Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). The bot has tested the following trees: v5.7.11, v5.4.54. v5.7.11: Failed to apply! Possible dependencies: 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") v5.4.54: Failed to apply! Possible dependencies: 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha
On Sat, Aug 1, 2020 at 4:18 PM Sasha Levin <sashal@kernel.org> wrote: > > Hi > > [This is an automated email] > > This commit has been processed because it contains a "Fixes:" tag > fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). > > The bot has tested the following trees: v5.7.11, v5.4.54. > > v5.7.11: Failed to apply! Possible dependencies: > 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") > 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") > > v5.4.54: Failed to apply! Possible dependencies: > 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") > 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") > 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") > > > NOTE: The patch will not be queued to stable trees until it is upstream. > > How should we proceed with this patch? Ah, ok, I'll provide manual backports then once this hits mainline. In that case, should I drop the explicit `Cc: stable...` tag? (I don't think the dependency on the loglvl should be backported, which is the source of conflict) -- Thanks, ~Nick Desaulniers
On Mon, Aug 03, 2020 at 11:13:04AM -0700, Nick Desaulniers wrote: > On Sat, Aug 1, 2020 at 4:18 PM Sasha Levin <sashal@kernel.org> wrote: > > > > Hi > > > > [This is an automated email] > > > > This commit has been processed because it contains a "Fixes:" tag > > fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). > > > > The bot has tested the following trees: v5.7.11, v5.4.54. > > > > v5.7.11: Failed to apply! Possible dependencies: > > 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") > > 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") > > > > v5.4.54: Failed to apply! Possible dependencies: > > 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") > > 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") > > 99c56f602183 ("ARM: backtrace-clang: check for NULL lr") > > > > > > NOTE: The patch will not be queued to stable trees until it is upstream. > > > > How should we proceed with this patch? > > Ah, ok, I'll provide manual backports then once this hits mainline. > In that case, should I drop the explicit `Cc: stable...` tag? No, it's good to have it there as then you get the automatic email saying it failed to apply :) thanks, greg k-h
Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). The bot has tested the following trees: v5.7.11, v5.4.54. v5.7.11: Failed to apply! Possible dependencies: 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") e6902a275517 ("ARM: backtrace-clang: check for NULL lr") v5.4.54: Failed to apply! Possible dependencies: 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") e6902a275517 ("ARM: backtrace-clang: check for NULL lr") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha
Mostly looks good to me. Just a minor nit. On Thu, Jul 30, 2020 at 3:51 PM Nick Desaulniers <ndesaulniers@google.com> wrote: > > If the value of the link register is not correct (tail call from asm > that didn't set it, stack corruption, memory no longer mapped), then > using it for an address calculation may trigger an exception. Without a > fixup handler, this will lead to a panic, which will unwind, which will > trigger the fault repeatedly in an infinite loop. > > We don't observe such failures currently, but we have. Just to be safe, > add a fixup handler here so that at least we don't have an infinite > loop. > > Cc: stable@vger.kernel.org > Fixes: commit 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang") > Reported-by: Miles Chen <miles.chen@mediatek.com> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > --- > arch/arm/lib/backtrace-clang.S | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/lib/backtrace-clang.S b/arch/arm/lib/backtrace-clang.S > index 5388ac664c12..40eb2215eaf4 100644 > --- a/arch/arm/lib/backtrace-clang.S > +++ b/arch/arm/lib/backtrace-clang.S > @@ -146,7 +146,7 @@ for_each_frame: tst frame, mask @ Check for address exceptions > > tst sv_lr, #0 @ If there's no previous lr, > beq finished_setup @ we're done. > - ldr r0, [sv_lr, #-4] @ get call instruction > +prev_call: ldr r0, [sv_lr, #-4] @ get call instruction > ldr r3, .Lopcode+4 > and r2, r3, r0 @ is this a bl call > teq r2, r3 > @@ -206,6 +206,13 @@ finished_setup: > mov r2, frame > bl printk > no_frame: ldmfd sp!, {r4 - r9, fp, pc} > +/* > + * Accessing the address pointed to by the link register triggered an > + * exception, don't try to unwind through it. > + */ > +bad_lr: mov sv_fp, #0 It might be nice to emit a warning here since we'll only hit this case if something fishy is going on with the saved lr. > + mov sv_lr, #0 > + b finished_setup > ENDPROC(c_backtrace) > .pushsection __ex_table,"a" > .align 3 > @@ -214,6 +221,7 @@ ENDPROC(c_backtrace) > .long 1003b, 1006b > .long 1004b, 1006b > .long 1005b, 1006b > + .long prev_call, bad_lr > .popsection > > .Lbad: .asciz "%sBacktrace aborted due to bad frame pointer <%p>\n" > -- > 2.28.0.163.g6104cc2f0b6-goog > Thanks, Huck
On Thu, Aug 6, 2020 at 3:39 PM Nathan Huckleberry <nhuck15@gmail.com> wrote: > > Mostly looks good to me. Just a minor nit. > > On Thu, Jul 30, 2020 at 3:51 PM Nick Desaulniers > <ndesaulniers@google.com> wrote: > > > > If the value of the link register is not correct (tail call from asm > > that didn't set it, stack corruption, memory no longer mapped), then > > using it for an address calculation may trigger an exception. Without a > > fixup handler, this will lead to a panic, which will unwind, which will > > trigger the fault repeatedly in an infinite loop. > > > > We don't observe such failures currently, but we have. Just to be safe, > > add a fixup handler here so that at least we don't have an infinite > > loop. > > > > Cc: stable@vger.kernel.org > > Fixes: commit 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang") > > Reported-by: Miles Chen <miles.chen@mediatek.com> > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > > --- > > arch/arm/lib/backtrace-clang.S | 10 +++++++++- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/lib/backtrace-clang.S b/arch/arm/lib/backtrace-clang.S > > index 5388ac664c12..40eb2215eaf4 100644 > > --- a/arch/arm/lib/backtrace-clang.S > > +++ b/arch/arm/lib/backtrace-clang.S > > @@ -146,7 +146,7 @@ for_each_frame: tst frame, mask @ Check for address exceptions > > > > tst sv_lr, #0 @ If there's no previous lr, > > beq finished_setup @ we're done. > > - ldr r0, [sv_lr, #-4] @ get call instruction > > +prev_call: ldr r0, [sv_lr, #-4] @ get call instruction > > ldr r3, .Lopcode+4 > > and r2, r3, r0 @ is this a bl call > > teq r2, r3 > > @@ -206,6 +206,13 @@ finished_setup: > > mov r2, frame > > bl printk > > no_frame: ldmfd sp!, {r4 - r9, fp, pc} > > +/* > > + * Accessing the address pointed to by the link register triggered an > > + * exception, don't try to unwind through it. > > + */ > > +bad_lr: mov sv_fp, #0 > > It might be nice to emit a warning here since we'll > only hit this case if something fishy is going on > with the saved lr. Yeah, something fishy is going on if that ever happens. Let me create a V2 with an additional print. > > > + mov sv_lr, #0 > > + b finished_setup > > ENDPROC(c_backtrace) > > .pushsection __ex_table,"a" > > .align 3 > > @@ -214,6 +221,7 @@ ENDPROC(c_backtrace) > > .long 1003b, 1006b > > .long 1004b, 1006b > > .long 1005b, 1006b > > + .long prev_call, bad_lr > > .popsection > > > > .Lbad: .asciz "%sBacktrace aborted due to bad frame pointer <%p>\n" > > -- > > 2.28.0.163.g6104cc2f0b6-goog > > > > Thanks, > Huck -- Thanks, ~Nick Desaulniers
Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). The bot has tested the following trees: v5.8, v5.7.14, v5.4.57. v5.8: Failed to apply! Possible dependencies: 90c11fed93ca ("ARM: backtrace-clang: check for NULL lr") v5.7.14: Failed to apply! Possible dependencies: 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 90c11fed93ca ("ARM: backtrace-clang: check for NULL lr") v5.4.57: Failed to apply! Possible dependencies: 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 90c11fed93ca ("ARM: backtrace-clang: check for NULL lr") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha
Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang"). The bot has tested the following trees: v5.8.1, v5.7.15, v5.4.58. v5.8.1: Failed to apply! Possible dependencies: 8e8b31494db7 ("ARM: backtrace-clang: check for NULL lr") v5.7.15: Failed to apply! Possible dependencies: 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 8e8b31494db7 ("ARM: backtrace-clang: check for NULL lr") v5.4.58: Failed to apply! Possible dependencies: 40ff1ddb5570 ("ARM: 8948/1: Prevent OOB access in stacktrace") 5489ab50c227 ("arm/asm: add loglvl to c_backtrace()") 8e8b31494db7 ("ARM: backtrace-clang: check for NULL lr") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch? -- Thanks Sasha
On Mon, Aug 10, 2020 at 3:33 PM Nick Desaulniers <ndesaulniers@google.com> wrote: > > On Thu, Aug 6, 2020 at 3:39 PM Nathan Huckleberry <nhuck15@gmail.com> wrote: > > > > Mostly looks good to me. Just a minor nit. > > > > On Thu, Jul 30, 2020 at 3:51 PM Nick Desaulniers > > <ndesaulniers@google.com> wrote: > > > +/* > > > + * Accessing the address pointed to by the link register triggered an > > > + * exception, don't try to unwind through it. > > > + */ > > > +bad_lr: mov sv_fp, #0 > > > > It might be nice to emit a warning here since we'll > > only hit this case if something fishy is going on > > with the saved lr. > > Yeah, something fishy is going on if that ever happens. Let me create > a V2 with an additional print. FWIW, I ran into another bug on -next when trying to update this. Report: https://lore.kernel.org/lkml/20200811204729.1116341-1-ndesaulniers@google.com/ Fix: https://lore.kernel.org/lkml/20200814212525.6118-1-john.ogness@linutronix.de/T/#t Then I got bogged down in planning for plumbers and other fires. I hope to revisit the series after plumbers. -- Thanks, ~Nick Desaulniers
diff --git a/arch/arm/lib/backtrace-clang.S b/arch/arm/lib/backtrace-clang.S index 5388ac664c12..40eb2215eaf4 100644 --- a/arch/arm/lib/backtrace-clang.S +++ b/arch/arm/lib/backtrace-clang.S @@ -146,7 +146,7 @@ for_each_frame: tst frame, mask @ Check for address exceptions tst sv_lr, #0 @ If there's no previous lr, beq finished_setup @ we're done. - ldr r0, [sv_lr, #-4] @ get call instruction +prev_call: ldr r0, [sv_lr, #-4] @ get call instruction ldr r3, .Lopcode+4 and r2, r3, r0 @ is this a bl call teq r2, r3 @@ -206,6 +206,13 @@ finished_setup: mov r2, frame bl printk no_frame: ldmfd sp!, {r4 - r9, fp, pc} +/* + * Accessing the address pointed to by the link register triggered an + * exception, don't try to unwind through it. + */ +bad_lr: mov sv_fp, #0 + mov sv_lr, #0 + b finished_setup ENDPROC(c_backtrace) .pushsection __ex_table,"a" .align 3 @@ -214,6 +221,7 @@ ENDPROC(c_backtrace) .long 1003b, 1006b .long 1004b, 1006b .long 1005b, 1006b + .long prev_call, bad_lr .popsection .Lbad: .asciz "%sBacktrace aborted due to bad frame pointer <%p>\n"
If the value of the link register is not correct (tail call from asm that didn't set it, stack corruption, memory no longer mapped), then using it for an address calculation may trigger an exception. Without a fixup handler, this will lead to a panic, which will unwind, which will trigger the fault repeatedly in an infinite loop. We don't observe such failures currently, but we have. Just to be safe, add a fixup handler here so that at least we don't have an infinite loop. Cc: stable@vger.kernel.org Fixes: commit 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang") Reported-by: Miles Chen <miles.chen@mediatek.com> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> --- arch/arm/lib/backtrace-clang.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.28.0.163.g6104cc2f0b6-goog