Re: [PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
On Tue, 2020-02-18 at 19:38:27 UTC, Christophe Leroy wrote: > When a program check exception happens while MMU translation is > disabled, following Oops happens in kprobe_handler() in the following > code: > > } else if (*addr != BREAKPOINT_INSTRUCTION) { > > [ 33.098554] BUG: Unable to handle kernel data access on read at 0xe268 > [ 33.105091] Faulting instruction address: 0xc000ec34 > [ 33.110010] Oops: Kernel access of bad area, sig: 11 [#1] > [ 33.115348] BE PAGE_SIZE=16K PREEMPT CMPC885 > [ 33.119540] Modules linked in: > [ 33.122591] CPU: 0 PID: 429 Comm: cat Not tainted > 5.6.0-rc1-s3k-dev-00824-g84195dc6c58a #3267 > [ 33.131005] NIP: c000ec34 LR: c000ecd8 CTR: c019cab8 > [ 33.136002] REGS: ca4d3b58 TRAP: 0300 Not tainted > (5.6.0-rc1-s3k-dev-00824-g84195dc6c58a) > [ 33.144324] MSR: 1032 CR: 2a4d3c52 XER: > [ 33.150699] DAR: e268 DSISR: c000 > [ 33.150699] GPR00: c000b09c ca4d3c10 c66d0620 ca4d3c60 > 9032 > [ 33.150699] GPR08: 0002 c087de44 c000afe0 c66d0ad0 100d3dd6 > fff3 > [ 33.150699] GPR16: 0041 ca4d3d70 > 416d > [ 33.150699] GPR24: 0004 c53b6128 e268 c07c > c07bb6fc ca4d3c60 > [ 33.188015] NIP [c000ec34] kprobe_handler+0x128/0x290 > [ 33.192989] LR [c000ecd8] kprobe_handler+0x1cc/0x290 > [ 33.197854] Call Trace: > [ 33.200340] [ca4d3c30] [c000b09c] program_check_exception+0xbc/0x6fc > [ 33.206590] [ca4d3c50] [c000e43c] ret_from_except_full+0x0/0x4 > [ 33.212392] --- interrupt: 700 at 0xe268 > [ 33.270401] Instruction dump: > [ 33.273335] 913e0008 8122 3861 3929 9122 80010024 bb410008 > 7c0803a6 > [ 33.280992] 38210020 4e800020 3860 4e800020 <813b> 6d2a7fe0 > 2f8a0008 419e0154 > [ 33.288841] ---[ end trace 5b9152d4cdadd06d ]--- > > kprobe is not prepared to handle events in real mode and functions > running in real mode should have been blacklisted, so kprobe_handler() > can safely bail out telling 'this trap is not mine' for any trap that > happened while in real-mode. > > If the trap happened with MSR_IR or MSR_DR cleared, return 0 immediately. > > Reported-by: Larry Finger > Fixes: 6cc89bad60a6 ("powerpc/kprobes: Invoke handlers directly") > Cc: sta...@vger.kernel.org > Cc: Naveen N. Rao > Cc: Masami Hiramatsu > Signed-off-by: Christophe Leroy Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/21f8b2fa3ca5b01f7a2b51b89ce97a3705a15aa0 cheers
Re: [PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
Christophe Leroy writes: > ping > > > Le 18/02/2020 à 20:38, Christophe Leroy a écrit : >> When a program check exception happens while MMU translation is >> disabled, following Oops happens in kprobe_handler() in the following >> code: > > Michael, we have several traps in assembly while MMU is still disabled > (TRACE_IRQFLAGS, KUAP DEBUG, syscall from kernel, machine check in RTAS, > ...). > Without this fix, all of them trigger an Oops when CONFIG_KPROBE is set. Only on 32-bit. But I guess this fix is good, if someone really wants to handle kprobes in real mode they can tell us and do the work to make it solid. cheers >> } else if (*addr != BREAKPOINT_INSTRUCTION) { >> >> [ 33.098554] BUG: Unable to handle kernel data access on read at 0xe268 >> [ 33.105091] Faulting instruction address: 0xc000ec34 >> [ 33.110010] Oops: Kernel access of bad area, sig: 11 [#1] >> [ 33.115348] BE PAGE_SIZE=16K PREEMPT CMPC885 >> [ 33.119540] Modules linked in: >> [ 33.122591] CPU: 0 PID: 429 Comm: cat Not tainted >> 5.6.0-rc1-s3k-dev-00824-g84195dc6c58a #3267 >> [ 33.131005] NIP: c000ec34 LR: c000ecd8 CTR: c019cab8 >> [ 33.136002] REGS: ca4d3b58 TRAP: 0300 Not tainted >> (5.6.0-rc1-s3k-dev-00824-g84195dc6c58a) >> [ 33.144324] MSR: 1032 CR: 2a4d3c52 XER: >> [ 33.150699] DAR: e268 DSISR: c000 >> [ 33.150699] GPR00: c000b09c ca4d3c10 c66d0620 ca4d3c60 >> 9032 >> [ 33.150699] GPR08: 0002 c087de44 c000afe0 c66d0ad0 100d3dd6 >> fff3 >> [ 33.150699] GPR16: 0041 ca4d3d70 >> 416d >> [ 33.150699] GPR24: 0004 c53b6128 e268 c07c >> c07bb6fc ca4d3c60 >> [ 33.188015] NIP [c000ec34] kprobe_handler+0x128/0x290 >> [ 33.192989] LR [c000ecd8] kprobe_handler+0x1cc/0x290 >> [ 33.197854] Call Trace: >> [ 33.200340] [ca4d3c30] [c000b09c] program_check_exception+0xbc/0x6fc >> [ 33.206590] [ca4d3c50] [c000e43c] ret_from_except_full+0x0/0x4 >> [ 33.212392] --- interrupt: 700 at 0xe268 >> [ 33.270401] Instruction dump: >> [ 33.273335] 913e0008 8122 3861 3929 9122 80010024 >> bb410008 7c0803a6 >> [ 33.280992] 38210020 4e800020 3860 4e800020 <813b> 6d2a7fe0 >> 2f8a0008 419e0154 >> [ 33.288841] ---[ end trace 5b9152d4cdadd06d ]--- >> >> kprobe is not prepared to handle events in real mode and functions >> running in real mode should have been blacklisted, so kprobe_handler() >> can safely bail out telling 'this trap is not mine' for any trap that >> happened while in real-mode. >> >> If the trap happened with MSR_IR or MSR_DR cleared, return 0 immediately. >> >> Reported-by: Larry Finger >> Fixes: 6cc89bad60a6 ("powerpc/kprobes: Invoke handlers directly") >> Cc: sta...@vger.kernel.org >> Cc: Naveen N. Rao >> Cc: Masami Hiramatsu >> Signed-off-by: Christophe Leroy >> >> --- >> v3: Also bail out if MSR_DR is cleared. >> >> Resending v2 with a more appropriate name >> >> v2: bailing out instead of converting real-time address to virtual and >> continuing. >> >> The bug might have existed even before that commit from Naveen. >> >> Signed-off-by: Christophe Leroy >> --- >> arch/powerpc/kernel/kprobes.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c >> index 2d27ec4feee4..9b340af02c38 100644 >> --- a/arch/powerpc/kernel/kprobes.c >> +++ b/arch/powerpc/kernel/kprobes.c >> @@ -264,6 +264,9 @@ int kprobe_handler(struct pt_regs *regs) >> if (user_mode(regs)) >> return 0; >> >> +if (!(regs->msr & MSR_IR) || !(regs->msr & MSR_DR)) >> +return 0; >> + >> /* >> * We don't want to be preempted for the entire >> * duration of kprobe processing >>
Re: [PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
Christophe Leroy wrote: ping Le 18/02/2020 à 20:38, Christophe Leroy a écrit : When a program check exception happens while MMU translation is disabled, following Oops happens in kprobe_handler() in the following code: Michael, we have several traps in assembly while MMU is still disabled (TRACE_IRQFLAGS, KUAP DEBUG, syscall from kernel, machine check in RTAS, ...). Without this fix, all of them trigger an Oops when CONFIG_KPROBE is set. For this patch: Reviewed-by: Naveen N. Rao - Naveen
Re: [PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
ping Le 18/02/2020 à 20:38, Christophe Leroy a écrit : When a program check exception happens while MMU translation is disabled, following Oops happens in kprobe_handler() in the following code: Michael, we have several traps in assembly while MMU is still disabled (TRACE_IRQFLAGS, KUAP DEBUG, syscall from kernel, machine check in RTAS, ...). Without this fix, all of them trigger an Oops when CONFIG_KPROBE is set. Christophe } else if (*addr != BREAKPOINT_INSTRUCTION) { [ 33.098554] BUG: Unable to handle kernel data access on read at 0xe268 [ 33.105091] Faulting instruction address: 0xc000ec34 [ 33.110010] Oops: Kernel access of bad area, sig: 11 [#1] [ 33.115348] BE PAGE_SIZE=16K PREEMPT CMPC885 [ 33.119540] Modules linked in: [ 33.122591] CPU: 0 PID: 429 Comm: cat Not tainted 5.6.0-rc1-s3k-dev-00824-g84195dc6c58a #3267 [ 33.131005] NIP: c000ec34 LR: c000ecd8 CTR: c019cab8 [ 33.136002] REGS: ca4d3b58 TRAP: 0300 Not tainted (5.6.0-rc1-s3k-dev-00824-g84195dc6c58a) [ 33.144324] MSR: 1032 CR: 2a4d3c52 XER: [ 33.150699] DAR: e268 DSISR: c000 [ 33.150699] GPR00: c000b09c ca4d3c10 c66d0620 ca4d3c60 9032 [ 33.150699] GPR08: 0002 c087de44 c000afe0 c66d0ad0 100d3dd6 fff3 [ 33.150699] GPR16: 0041 ca4d3d70 416d [ 33.150699] GPR24: 0004 c53b6128 e268 c07c c07bb6fc ca4d3c60 [ 33.188015] NIP [c000ec34] kprobe_handler+0x128/0x290 [ 33.192989] LR [c000ecd8] kprobe_handler+0x1cc/0x290 [ 33.197854] Call Trace: [ 33.200340] [ca4d3c30] [c000b09c] program_check_exception+0xbc/0x6fc [ 33.206590] [ca4d3c50] [c000e43c] ret_from_except_full+0x0/0x4 [ 33.212392] --- interrupt: 700 at 0xe268 [ 33.270401] Instruction dump: [ 33.273335] 913e0008 8122 3861 3929 9122 80010024 bb410008 7c0803a6 [ 33.280992] 38210020 4e800020 3860 4e800020 <813b> 6d2a7fe0 2f8a0008 419e0154 [ 33.288841] ---[ end trace 5b9152d4cdadd06d ]--- kprobe is not prepared to handle events in real mode and functions running in real mode should have been blacklisted, so kprobe_handler() can safely bail out telling 'this trap is not mine' for any trap that happened while in real-mode. If the trap happened with MSR_IR or MSR_DR cleared, return 0 immediately. Reported-by: Larry Finger Fixes: 6cc89bad60a6 ("powerpc/kprobes: Invoke handlers directly") Cc: sta...@vger.kernel.org Cc: Naveen N. Rao Cc: Masami Hiramatsu Signed-off-by: Christophe Leroy --- v3: Also bail out if MSR_DR is cleared. Resending v2 with a more appropriate name v2: bailing out instead of converting real-time address to virtual and continuing. The bug might have existed even before that commit from Naveen. Signed-off-by: Christophe Leroy --- arch/powerpc/kernel/kprobes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c index 2d27ec4feee4..9b340af02c38 100644 --- a/arch/powerpc/kernel/kprobes.c +++ b/arch/powerpc/kernel/kprobes.c @@ -264,6 +264,9 @@ int kprobe_handler(struct pt_regs *regs) if (user_mode(regs)) return 0; + if (!(regs->msr & MSR_IR) || !(regs->msr & MSR_DR)) + return 0; + /* * We don't want to be preempted for the entire * duration of kprobe processing
Re: [PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
On Tue, 18 Feb 2020 19:38:27 + (UTC) Christophe Leroy wrote: > When a program check exception happens while MMU translation is > disabled, following Oops happens in kprobe_handler() in the following > code: > > } else if (*addr != BREAKPOINT_INSTRUCTION) { > > [ 33.098554] BUG: Unable to handle kernel data access on read at 0xe268 > [ 33.105091] Faulting instruction address: 0xc000ec34 > [ 33.110010] Oops: Kernel access of bad area, sig: 11 [#1] > [ 33.115348] BE PAGE_SIZE=16K PREEMPT CMPC885 > [ 33.119540] Modules linked in: > [ 33.122591] CPU: 0 PID: 429 Comm: cat Not tainted > 5.6.0-rc1-s3k-dev-00824-g84195dc6c58a #3267 > [ 33.131005] NIP: c000ec34 LR: c000ecd8 CTR: c019cab8 > [ 33.136002] REGS: ca4d3b58 TRAP: 0300 Not tainted > (5.6.0-rc1-s3k-dev-00824-g84195dc6c58a) > [ 33.144324] MSR: 1032 CR: 2a4d3c52 XER: > [ 33.150699] DAR: e268 DSISR: c000 > [ 33.150699] GPR00: c000b09c ca4d3c10 c66d0620 ca4d3c60 > 9032 > [ 33.150699] GPR08: 0002 c087de44 c000afe0 c66d0ad0 100d3dd6 > fff3 > [ 33.150699] GPR16: 0041 ca4d3d70 > 416d > [ 33.150699] GPR24: 0004 c53b6128 e268 c07c > c07bb6fc ca4d3c60 > [ 33.188015] NIP [c000ec34] kprobe_handler+0x128/0x290 > [ 33.192989] LR [c000ecd8] kprobe_handler+0x1cc/0x290 > [ 33.197854] Call Trace: > [ 33.200340] [ca4d3c30] [c000b09c] program_check_exception+0xbc/0x6fc > [ 33.206590] [ca4d3c50] [c000e43c] ret_from_except_full+0x0/0x4 > [ 33.212392] --- interrupt: 700 at 0xe268 > [ 33.270401] Instruction dump: > [ 33.273335] 913e0008 8122 3861 3929 9122 80010024 bb410008 > 7c0803a6 > [ 33.280992] 38210020 4e800020 3860 4e800020 <813b> 6d2a7fe0 > 2f8a0008 419e0154 > [ 33.288841] ---[ end trace 5b9152d4cdadd06d ]--- > > kprobe is not prepared to handle events in real mode and functions > running in real mode should have been blacklisted, so kprobe_handler() > can safely bail out telling 'this trap is not mine' for any trap that > happened while in real-mode. > > If the trap happened with MSR_IR or MSR_DR cleared, return 0 immediately. > Looks good to me. Reviewed-by: Masami Hiramatsu Thank you! > Reported-by: Larry Finger > Fixes: 6cc89bad60a6 ("powerpc/kprobes: Invoke handlers directly") > Cc: sta...@vger.kernel.org > Cc: Naveen N. Rao > Cc: Masami Hiramatsu > Signed-off-by: Christophe Leroy > > --- > v3: Also bail out if MSR_DR is cleared. > > Resending v2 with a more appropriate name > > v2: bailing out instead of converting real-time address to virtual and > continuing. > > The bug might have existed even before that commit from Naveen. > > Signed-off-by: Christophe Leroy > --- > arch/powerpc/kernel/kprobes.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c > index 2d27ec4feee4..9b340af02c38 100644 > --- a/arch/powerpc/kernel/kprobes.c > +++ b/arch/powerpc/kernel/kprobes.c > @@ -264,6 +264,9 @@ int kprobe_handler(struct pt_regs *regs) > if (user_mode(regs)) > return 0; > > + if (!(regs->msr & MSR_IR) || !(regs->msr & MSR_DR)) > + return 0; > + > /* >* We don't want to be preempted for the entire >* duration of kprobe processing > -- > 2.25.0 > -- Masami Hiramatsu
[PATCH v3] powerpc/kprobes: Ignore traps that happened in real mode
When a program check exception happens while MMU translation is disabled, following Oops happens in kprobe_handler() in the following code: } else if (*addr != BREAKPOINT_INSTRUCTION) { [ 33.098554] BUG: Unable to handle kernel data access on read at 0xe268 [ 33.105091] Faulting instruction address: 0xc000ec34 [ 33.110010] Oops: Kernel access of bad area, sig: 11 [#1] [ 33.115348] BE PAGE_SIZE=16K PREEMPT CMPC885 [ 33.119540] Modules linked in: [ 33.122591] CPU: 0 PID: 429 Comm: cat Not tainted 5.6.0-rc1-s3k-dev-00824-g84195dc6c58a #3267 [ 33.131005] NIP: c000ec34 LR: c000ecd8 CTR: c019cab8 [ 33.136002] REGS: ca4d3b58 TRAP: 0300 Not tainted (5.6.0-rc1-s3k-dev-00824-g84195dc6c58a) [ 33.144324] MSR: 1032 CR: 2a4d3c52 XER: [ 33.150699] DAR: e268 DSISR: c000 [ 33.150699] GPR00: c000b09c ca4d3c10 c66d0620 ca4d3c60 9032 [ 33.150699] GPR08: 0002 c087de44 c000afe0 c66d0ad0 100d3dd6 fff3 [ 33.150699] GPR16: 0041 ca4d3d70 416d [ 33.150699] GPR24: 0004 c53b6128 e268 c07c c07bb6fc ca4d3c60 [ 33.188015] NIP [c000ec34] kprobe_handler+0x128/0x290 [ 33.192989] LR [c000ecd8] kprobe_handler+0x1cc/0x290 [ 33.197854] Call Trace: [ 33.200340] [ca4d3c30] [c000b09c] program_check_exception+0xbc/0x6fc [ 33.206590] [ca4d3c50] [c000e43c] ret_from_except_full+0x0/0x4 [ 33.212392] --- interrupt: 700 at 0xe268 [ 33.270401] Instruction dump: [ 33.273335] 913e0008 8122 3861 3929 9122 80010024 bb410008 7c0803a6 [ 33.280992] 38210020 4e800020 3860 4e800020 <813b> 6d2a7fe0 2f8a0008 419e0154 [ 33.288841] ---[ end trace 5b9152d4cdadd06d ]--- kprobe is not prepared to handle events in real mode and functions running in real mode should have been blacklisted, so kprobe_handler() can safely bail out telling 'this trap is not mine' for any trap that happened while in real-mode. If the trap happened with MSR_IR or MSR_DR cleared, return 0 immediately. Reported-by: Larry Finger Fixes: 6cc89bad60a6 ("powerpc/kprobes: Invoke handlers directly") Cc: sta...@vger.kernel.org Cc: Naveen N. Rao Cc: Masami Hiramatsu Signed-off-by: Christophe Leroy --- v3: Also bail out if MSR_DR is cleared. Resending v2 with a more appropriate name v2: bailing out instead of converting real-time address to virtual and continuing. The bug might have existed even before that commit from Naveen. Signed-off-by: Christophe Leroy --- arch/powerpc/kernel/kprobes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c index 2d27ec4feee4..9b340af02c38 100644 --- a/arch/powerpc/kernel/kprobes.c +++ b/arch/powerpc/kernel/kprobes.c @@ -264,6 +264,9 @@ int kprobe_handler(struct pt_regs *regs) if (user_mode(regs)) return 0; + if (!(regs->msr & MSR_IR) || !(regs->msr & MSR_DR)) + return 0; + /* * We don't want to be preempted for the entire * duration of kprobe processing -- 2.25.0