On 2018-11-02, Masami Hiramatsu mhiramat@kernel.org wrote:

Please split the test case as an independent patch.

Will do. Should the Documentation/ change also be a separate patch?

...

new file mode 100644 index 000000000000..03146c6a1a3c --- /dev/null +++ b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc @@ -0,0 +1,25 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# description: Kretprobe dynamic event with a stacktrace

+[ -f kprobe_events ] || exit_unsupported # this is configurable

+echo 0 > events/enable +echo 1 > options/stacktrace

+echo 'r:teststackprobe sched_fork $retval' > kprobe_events +grep teststackprobe kprobe_events +test -d events/kprobes/teststackprobe

Hmm, what happen if we have 2 or more kretprobes on same stack? It seems you just save stack in pre_handler, but that stack can already includes another kretprobe's trampline address...

Yeah, you're quite right...

My first instinct was to do something awful like iterate over the set of "kretprobe_instance"s with ->task == current, and then correct kretprobe_trampoline entries using ->ret_addr. (I think this would be correct because each task can only be in one context at once, and in order to get to a particular kretprobe all of your caller kretprobes were inserted before you and any sibling or later kretprobe_instances will have been removed. But I might be insanely wrong on this front.)

However (as I noted in the other thread), there is a problem where kretprobe_trampoline actually stops the unwinder in its tracks and thus you only get the first kretprobe_trampoline. This is something I'm going to look into some more (despite not having made progress on it last time) since now it's something that actually needs to be fixed (and as I mentioned in the other thread, show_stack() actually works on x86 in this context unlike the other stack_trace users).

On 2018-11-02, Masami Hiramatsu mhiramat@kernel.org wrote:

On Fri, 2 Nov 2018 08:13:43 +1100 Aleksa Sarai cyphar@cyphar.com wrote:

...

On 2018-11-02, Masami Hiramatsu mhiramat@kernel.org wrote:

...

Please split the test case as an independent patch.

Will do. Should the Documentation/ change also be a separate patch?

I think the Documentation change can be coupled with code change if the change is small. But selftests is different, that can be backported soon for testing the stable kernels.

...

...

...

new file mode 100644 index 000000000000..03146c6a1a3c --- /dev/null +++ b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc @@ -0,0 +1,25 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# description: Kretprobe dynamic event with a stacktrace

+[ -f kprobe_events ] || exit_unsupported # this is configurable

+echo 0 > events/enable +echo 1 > options/stacktrace

+echo 'r:teststackprobe sched_fork $retval' > kprobe_events +grep teststackprobe kprobe_events +test -d events/kprobes/teststackprobe

Hmm, what happen if we have 2 or more kretprobes on same stack? It seems you just save stack in pre_handler, but that stack can already includes another kretprobe's trampline address...

Yeah, you're quite right...

My first instinct was to do something awful like iterate over the set of "kretprobe_instance"s with ->task == current, and then correct kretprobe_trampoline entries using ->ret_addr. (I think this would be correct because each task can only be in one context at once, and in order to get to a particular kretprobe all of your caller kretprobes were inserted before you and any sibling or later kretprobe_instances will have been removed. But I might be insanely wrong on this front.)

yeah, you are right.

...

However (as I noted in the other thread), there is a problem where kretprobe_trampoline actually stops the unwinder in its tracks and thus you only get the first kretprobe_trampoline. This is something I'm going to look into some more (despite not having made progress on it last time) since now it's something that actually needs to be fixed (and as I mentioned in the other thread, show_stack() actually works on x86 in this context unlike the other stack_trace users).

I should read the unwinder code, but anyway, fixing it up in kretprobe handler context is not hard. Since each instance is on an hlist, so when we hit the kretprobe_trampoline, we can search it.

As in, find the stored stack and merge the two? Interesting idea, though Steven has shot this down because of the associated cost (I was considering making it a kprobe flag, but that felt far too dirty).

However, the problem is the case where the out of kretprobe handler context. In that context we need to try to lock the hlist and search the list, which will be a costful operation.

I think the best solution would be to unify all of the kretprobe-like things so that we don't need to handle non-kretprobe contexts for basically the same underlying idea. If we wanted to do it like this.

I think a potentially better option would be to just fix the unwinder to correctly handle kretprobes (like it handles ftrace today).

On the other hand, func-graph tracer introduces a shadow return address stack for each task (thread), and when we hit its trampoline on the stack, we can easily search the entry from "current" task without locking the shadow stack (and we already did it). This may need to pay a cost (1 page) for each task, but smarter than kretprobe, which makes a system-wide hash-table and need to search from hlist which has return addresses of other context coexist.

Probably a silly question (I've been staring at the function_graph code trying to understand how it handles return addresses -- and I'm really struggling), is this what ->ret_stack (and ->curr_ret_stack) do?

Can you explain how the .retp handling works, because I'm really missing how the core arch/ hooks know to pass the correct retp value.

On Thu, 1 Nov 2018 19:35:50 +1100 Aleksa Sarai cyphar@cyphar.com wrote:

Historically, kretprobe has always produced unusable stack traces (kretprobe_trampoline is the only entry in most cases, because of the funky stack pointer overwriting). This has caused quite a few annoyances when using tracing to debug problems[1] -- since return values are only available with kretprobes but stack traces were only usable for kprobes, users had to probe both and then manually associate them.

With the advent of bpf_trace, users would have been able to do this association in bpf, but this was less than ideal (because bpf_get_stackid would still produce rubbish and programs that didn't know better would get silly results). The main usecase for stack traces (at least with bpf_trace) is for DTrace-style aggregation on stack traces (both entry and exit). Therefore we cannot simply correct the stack trace on exit -- we must stash away the stack trace and return the entry stack trace when it is requested.

Cc: Brendan Gregg bgregg@netflix.com Cc: Christian Brauner christian@brauner.io Signed-off-by: Aleksa Sarai cyphar@cyphar.com

---

Documentation/kprobes.txt | 6 +- include/linux/kprobes.h | 27 +++++ kernel/events/callchain.c | 8 +- kernel/kprobes.c | 101 +++++++++++++++++- kernel/trace/trace.c | 11 +- .../test.d/kprobe/kretprobe_stacktrace.tc | 25 +++++ 6 files changed, 173 insertions(+), 5 deletions(-) create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc

diff --git a/Documentation/kprobes.txt b/Documentation/kprobes.txt index 10f4499e677c..1965585848f4 100644 --- a/Documentation/kprobes.txt +++ b/Documentation/kprobes.txt @@ -597,7 +597,11 @@ address with the trampoline's address, stack backtraces and calls to __builtin_return_address() will typically yield the trampoline's address instead of the real return address for kretprobed functions. (As far as we can tell, __builtin_return_address() is used only -for instrumentation and error reporting.) +for instrumentation and error reporting.) However, since return probes +are used extensively in tracing (where stack backtraces are useful), +return probes will stash away the stack backtrace during function entry +so that return probe handlers can use the entry backtrace instead of +having a trace with just kretprobe_trampoline. If the number of times a function is called does not match the number of times it returns, registering a return probe on that function may diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h index e909413e4e38..1a1629544e56 100644 --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -40,6 +40,8 @@ #include <linux/rcupdate.h> #include <linux/mutex.h> #include <linux/ftrace.h> +#include <linux/stacktrace.h> +#include <linux/perf_event.h> #include <asm/kprobes.h> #ifdef CONFIG_KPROBES @@ -168,11 +170,18 @@ struct kretprobe { raw_spinlock_t lock; }; +#define KRETPROBE_TRACE_SIZE 127 +struct kretprobe_trace {

• int nr_entries;
• unsigned long entries[KRETPROBE_TRACE_SIZE];

+};

struct kretprobe_instance { struct hlist_node hlist; struct kretprobe *rp; kprobe_opcode_t *ret_addr; struct task_struct *task;

• struct kretprobe_trace entry; char data[0];

}; @@ -371,6 +380,12 @@ void unregister_kretprobe(struct kretprobe *rp); int register_kretprobes(struct kretprobe **rps, int num); void unregister_kretprobes(struct kretprobe **rps, int num); +struct kretprobe_instance *current_kretprobe_instance(void); +void kretprobe_save_stack_trace(struct kretprobe_instance *ri,

• 		struct stack_trace *trace);
  

+void kretprobe_perf_callchain_kernel(struct kretprobe_instance *ri,

• 		     struct perf_callchain_entry_ctx *ctx);
  

void kprobe_flush_task(struct task_struct *tk); void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head); @@ -397,6 +412,18 @@ static inline struct kprobe *kprobe_running(void) { return NULL; } +static inline struct kretprobe_instance *current_kretprobe_instance(void) +{

• return NULL;

+} +static inline void kretprobe_save_stack_trace(struct kretprobe_instance *ri,

• 			      struct stack_trace *trace)
  

+{ +} +static inline void kretprobe_perf_callchain_kernel(struct kretprobe_instance *ri,

• 				   struct perf_callchain_entry_ctx *ctx)
  

+{ +} static inline int register_kprobe(struct kprobe *p) { return -ENOSYS; diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c index 24a77c34e9ad..98edcd8a6987 100644 --- a/kernel/events/callchain.c +++ b/kernel/events/callchain.c @@ -12,6 +12,7 @@ #include <linux/perf_event.h> #include <linux/slab.h> #include <linux/sched/task_stack.h> +#include <linux/kprobes.h> #include "internal.h" @@ -197,9 +198,14 @@ get_perf_callchain(struct pt_regs *regs, u32 init_nr, bool kernel, bool user, ctx.contexts_maxed = false; if (kernel && !user_mode(regs)) {

• struct kretprobe_instance *ri = current_kretprobe_instance();
  

• if (add_mark) perf_callchain_store_context(&ctx, PERF_CONTEXT_KERNEL);

• perf_callchain_kernel(&ctx, regs);
  

• if (ri)
  

• 	kretprobe_perf_callchain_kernel(ri, &ctx);
  

• else
  

• 	perf_callchain_kernel(&ctx, regs);
  

  }

if (user) { diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 90e98e233647..fca3964d18cd 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1206,6 +1206,16 @@ __releases(hlist_lock) } NOKPROBE_SYMBOL(kretprobe_table_unlock); +static bool kretprobe_hash_is_locked(struct task_struct *tsk) +{

• unsigned long hash = hash_ptr(tsk, KPROBE_HASH_BITS);
• raw_spinlock_t *hlist_lock;
• hlist_lock = kretprobe_table_lock_ptr(hash);
• return raw_spin_is_locked(hlist_lock);

+} +NOKPROBE_SYMBOL(kretprobe_hash_is_locked);

/*

• This function is called from finish_task_switch when task tk becomes dead,
• so that we can recycle any function-return probe instances associated

@@ -1800,6 +1810,13 @@ unsigned long __weak arch_deref_entry_point(void *entry) return (unsigned long)entry; } +static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs);

+static inline bool kprobe_is_retprobe(struct kprobe *kp) +{

• return kp->pre_handler == pre_handler_kretprobe;

+}

#ifdef CONFIG_KRETPROBES /*

• This kprobe pre_handler is registered with every kretprobe. When probe

@@ -1826,6 +1843,8 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) hash = hash_ptr(current, KPROBE_HASH_BITS); raw_spin_lock_irqsave(&rp->lock, flags); if (!hlist_empty(&rp->free_instances)) {

• struct stack_trace trace = {};
  

• ri = hlist_entry(rp->free_instances.first, struct kretprobe_instance, hlist); hlist_del(&ri->hlist);

@@ -1834,6 +1853,11 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) ri->rp = rp; ri->task = current;

• trace.entries = &ri->entry.entries[0];
  

• trace.max_entries = KRETPROBE_TRACE_SIZE;
  

• save_stack_trace_regs(regs, &trace);
  

• ri->entry.nr_entries = trace.nr_entries;
  

So basically your saving a copy of the stack trace for each probe, for something that may not ever be used?

This adds quite a lot of overhead for something not used often.

I think the real answer is to fix kretprobes (and I just checked, the return call of function graph tracer stack trace doesn't go past the return_to_handler function either. It's just that a stack trace was never done on the return side).

The more I look at this patch, the less I like it.

-- Steve

if (rp->entry_handler && rp->entry_handler(ri, regs)) {
	raw_spin_lock_irqsave(&rp->lock, flags);
	hlist_add_head(&ri->hlist, &rp->free_instances);

@@ -1856,6 +1880,65 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) } NOKPROBE_SYMBOL(pre_handler_kretprobe); +/*

• • Return the kretprobe_instance associated with the current_kprobe. Calling
• • this is only reasonable from within a kretprobe handler context (otherwise
• • return NULL).
• • Must be called within a kretprobe_hash_lock(current, ...) context.
• */

+struct kretprobe_instance *current_kretprobe_instance(void) +{

• struct kprobe *kp;
• struct kretprobe *rp;
• struct kretprobe_instance *ri;
• struct hlist_head *head;
• unsigned long hash = hash_ptr(current, KPROBE_HASH_BITS);
• kp = kprobe_running();
• if (!kp || !kprobe_is_retprobe(kp))

• return NULL;
  

• if (WARN_ON(!kretprobe_hash_is_locked(current)))

• return NULL;
  

• rp = container_of(kp, struct kretprobe, kp);
• head = &kretprobe_inst_table[hash];
• hlist_for_each_entry(ri, head, hlist) {

• if (ri->task == current && ri->rp == rp)
  

• 	return ri;
  

• }
• return NULL;

+} +EXPORT_SYMBOL_GPL(current_kretprobe_instance); +NOKPROBE_SYMBOL(current_kretprobe_instance);

+void kretprobe_save_stack_trace(struct kretprobe_instance *ri,

• 		struct stack_trace *trace)
  

+{

• int i;
• struct kretprobe_trace *krt = &ri->entry;
• for (i = trace->skip; i < krt->nr_entries; i++) {

• if (trace->nr_entries >= trace->max_entries)
  

• 	break;
  

• trace->entries[trace->nr_entries++] = krt->entries[i];
  

• }

+}

+void kretprobe_perf_callchain_kernel(struct kretprobe_instance *ri,

• 		     struct perf_callchain_entry_ctx *ctx)
  

+{

• int i;
• struct kretprobe_trace *krt = &ri->entry;
• for (i = 0; i < krt->nr_entries; i++) {

• if (krt->entries[i] == ULONG_MAX)
  

• 	break;
  

• perf_callchain_store(ctx, (u64) krt->entries[i]);
  

• }

+}

bool __weak arch_kprobe_on_func_entry(unsigned long offset) { return !offset; @@ -2005,6 +2088,22 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) } NOKPROBE_SYMBOL(pre_handler_kretprobe); +struct kretprobe_instance *current_kretprobe_instance(void) +{

• return NULL;

+} +EXPORT_SYMBOL_GPL(current_kretprobe_instance); +NOKPROBE_SYMBOL(current_kretprobe_instance);

+void kretprobe_save_stack_trace(struct kretprobe_instance *ri,

• 		struct stack_trace *trace)
  

+{ +}

+void kretprobe_perf_callchain_kernel(struct kretprobe_instance *ri,

• 		     struct perf_callchain_entry_ctx *ctx)
  

+{ +} #endif /* CONFIG_KRETPROBES */ /* Set the kprobe gone and remove its instruction buffer. */ @@ -2241,7 +2340,7 @@ static void report_probe(struct seq_file *pi, struct kprobe *p, char *kprobe_type; void *addr = p->addr;

• if (p->pre_handler == pre_handler_kretprobe)

• if (kprobe_is_retprobe(p)) kprobe_type = "r"; else kprobe_type = "k";

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index bf6f1d70484d..2210d38a4dbf 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -42,6 +42,7 @@ #include <linux/nmi.h> #include <linux/fs.h> #include <linux/trace.h> +#include <linux/kprobes.h> #include <linux/sched/clock.h> #include <linux/sched/rt.h> @@ -2590,6 +2591,7 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer, struct ring_buffer_event *event; struct stack_entry *entry; struct stack_trace trace;

• struct kretprobe_instance *ri = current_kretprobe_instance(); int use_stack; int size = FTRACE_STACK_ENTRIES;

@@ -2626,7 +2628,9 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer, trace.entries = this_cpu_ptr(ftrace_stack.calls); trace.max_entries = FTRACE_STACK_MAX_ENTRIES;

• if (regs)
  

• if (ri)
  

• 	kretprobe_save_stack_trace(ri, &trace);
  

• else if (regs)
  save_stack_trace_regs(regs, &trace);
  

  else save_stack_trace(&trace);

@@ -2653,7 +2657,10 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer, else { trace.max_entries = FTRACE_STACK_ENTRIES; trace.entries = entry->caller;

• if (regs)
  

• if (ri)
  

• 	kretprobe_save_stack_trace(ri, &trace);
  

• else if (regs)
  save_stack_trace_regs(regs, &trace);
  

  else save_stack_trace(&trace);

diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc new file mode 100644 index 000000000000..03146c6a1a3c --- /dev/null +++ b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_stacktrace.tc @@ -0,0 +1,25 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# description: Kretprobe dynamic event with a stacktrace

+[ -f kprobe_events ] || exit_unsupported # this is configurable

+echo 0 > events/enable +echo 1 > options/stacktrace

+echo 'r:teststackprobe sched_fork $retval' > kprobe_events +grep teststackprobe kprobe_events +test -d events/kprobes/teststackprobe

+clear_trace +echo 1 > events/kprobes/teststackprobe/enable +( echo "forked") +echo 0 > events/kprobes/teststackprobe/enable

+# Make sure we don't see kretprobe_trampoline and we see _do_fork. +! grep 'kretprobe' trace +grep '_do_fork' trace

+echo '-:teststackprobe' >> kprobe_events +clear_trace +test -d events/kprobes/teststackprobe && exit_fail || exit_pass

On Sun, 4 Nov 2018 22:59:13 +1100 Aleksa Sarai cyphar@cyphar.com wrote:

The same issue is present in __save_stack_trace (arch/x86/kernel/stacktrace.c). This is likely the only reason that -- as Steven said -- stacktraces wouldn't work with ftrace-graph (and thus with the refactor both of you are discussing).

By the way, I was playing with the the orc unwinder and stack traces from the function graph tracer return code, and got it working with the below patch. Caution, that patch also has a stack trace hardcoded in the return path of the function graph tracer, so you don't want to run function graph tracing without filtering.

You can apply the patch and do:

# cd /sys/kernel/debug/tracing # echo schedule > set_ftrace_filter # echo function_graph > current_tracer # cat trace

3) | schedule() { rcu_preempt-10 [003] .... 91.160297: <stack trace> => ftrace_return_to_handler => return_to_handler => schedule_timeout => rcu_gp_kthread => kthread => ret_from_fork 3) # 4009.085 us | } 3) | schedule() { kworker/1:0-17 [001] .... 91.163288: <stack trace> => ftrace_return_to_handler => return_to_handler => worker_thread => kthread => ret_from_fork 1) # 7000.070 us | } 1) | schedule() { rcu_preempt-10 [003] .... 91.164311: <stack trace> => ftrace_return_to_handler => return_to_handler => schedule_timeout => rcu_gp_kthread => kthread => ret_from_fork 3) # 4006.540 us | }

Where just adding the stack trace without the other code, these traces ended at "return_to_handler".

This patch is not for inclusion, it was just a test to see how to make this work.

-- Steve

diff --git a/arch/x86/kernel/ftrace_64.S b/arch/x86/kernel/ftrace_64.S index 91b2cff4b79a..4bcd646ae1f4 100644 --- a/arch/x86/kernel/ftrace_64.S +++ b/arch/x86/kernel/ftrace_64.S @@ -320,13 +320,15 @@ ENTRY(ftrace_graph_caller) ENDPROC(ftrace_graph_caller)

ENTRY(return_to_handler) - UNWIND_HINT_EMPTY - subq $24, %rsp + subq $8, %rsp + UNWIND_HINT_FUNC + subq $16, %rsp

/* Save the return values */ movq %rax, (%rsp) movq %rdx, 8(%rsp) movq %rbp, %rdi + leaq 16(%rsp), %rsi

call ftrace_return_to_handler

diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c index 169b3c44ee97..aaeca73218cc 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -242,13 +242,16 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret, trace->calltime = current->ret_stack[index].calltime; trace->overrun = atomic_read(&current->trace_overrun); trace->depth = index; + + trace_dump_stack(0); }

/* * Send the trace to the ring-buffer. * @return the original return address. */ -unsigned long ftrace_return_to_handler(unsigned long frame_pointer) +unsigned long ftrace_return_to_handler(unsigned long frame_pointer, + unsigned long *ptr) { struct ftrace_graph_ret trace; unsigned long ret; @@ -257,6 +260,8 @@ unsigned long ftrace_return_to_handler(unsigned long frame_pointer) trace.rettime = trace_clock_local(); barrier(); current->curr_ret_stack--; + *ptr = ret; + /* * The curr_ret_stack can be less than -1 only if it was * filtered out and it's about to return from the function.

On 2018-11-08, Aleksa Sarai cyphar@cyphar.com wrote:

I will attach what I have at the moment to hopefully explain what the issue I've found is (re-using the kretprobe architecture but with the shadow-stack idea).

Here is the patch I have at the moment (it works, except for the question I have about how to handle the top-level pt_regs -- I've marked that code with XXX).

On Thu, 8 Nov 2018 19:04:48 +1100 Aleksa Sarai cyphar@cyphar.com wrote:

On 2018-11-08, Aleksa Sarai cyphar@cyphar.com wrote:

...

I will attach what I have at the moment to hopefully explain what the issue I've found is (re-using the kretprobe architecture but with the shadow-stack idea).

Here is the patch I have at the moment (it works, except for the question I have about how to handle the top-level pt_regs -- I've marked that code with XXX).

-- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/

--8<---------------------------------------------------------------------

Since the return address is modified by kretprobe, the various unwinders can produce invalid and confusing stack traces. ftrace mostly solved this problem by teaching each unwinder how to find the original return address for stack trace purposes. This same technique can be applied to kretprobes by simply adding a pointer to where the return address was replaced in the stack, and then looking up the relevant kretprobe_instance when a stack trace is requested.

[WIP: This is currently broken because the *first entry* will not be overwritten since it looks like the stack pointer is different when we are provided pt_regs. All other addresses are correctly handled.]

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

arch/x86/events/core.c | 6 +++- arch/x86/include/asm/ptrace.h | 1 + arch/x86/kernel/kprobes/core.c | 5 ++-- arch/x86/kernel/stacktrace.c | 10 +++++-- arch/x86/kernel/unwind_frame.c | 2 ++ arch/x86/kernel/unwind_guess.c | 5 +++- arch/x86/kernel/unwind_orc.c | 2 ++ include/linux/kprobes.h | 15 +++++++++- kernel/kprobes.c | 55 ++++++++++++++++++++++++++++++++++ 9 files changed, 93 insertions(+), 8 deletions(-)

diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c index de32741d041a..d71062702179 100644 --- a/arch/x86/events/core.c +++ b/arch/x86/events/core.c @@ -2371,7 +2371,11 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re return; }

• if (perf_callchain_store(entry, regs->ip))

• /* XXX: Currently broken -- stack_addr(regs) doesn't match entry. */
• addr = regs->ip;
• //addr = ftrace_graph_ret_addr(current, &state.graph_idx, addr, stack_addr(regs));
• addr = kretprobe_ret_addr(current, addr, stack_addr(regs));
• if (perf_callchain_store(entry, addr)) return;

for (unwind_start(&state, current, regs, NULL); !unwind_done(&state); diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index ee696efec99f..c4dfafd43e11 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -172,6 +172,7 @@ static inline unsigned long kernel_stack_pointer(struct pt_regs *regs) return regs->sp; } #endif +#define stack_addr(regs) ((unsigned long *) kernel_stack_pointer(regs))

No, you should use kernel_stack_pointer(regs) itself instead of stack_addr().

#define GET_IP(regs) ((regs)->ip) #define GET_FP(regs) ((regs)->bp) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index b0d1e81c96bb..eb4da885020c 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -69,8 +69,6 @@ DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); -#define stack_addr(regs) ((unsigned long *)kernel_stack_pointer(regs))

I don't like keeping this meaningless macro... this should be replaced with generic kernel_stack_pointer() macro.

#define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\ (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \ (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \ @@ -568,7 +566,8 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) { unsigned long *sara = stack_addr(regs);

• ri->ret_addr = (kprobe_opcode_t *) *sara;

• ri->ret_addrp = (kprobe_opcode_t **) sara;
• ri->ret_addr = *ri->ret_addrp;

/* Replace the return addr with trampoline addr */ *sara = (unsigned long) &kretprobe_trampoline; diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c index 7627455047c2..8a4fb3109d6b 100644 --- a/arch/x86/kernel/stacktrace.c +++ b/arch/x86/kernel/stacktrace.c @@ -8,6 +8,7 @@ #include <linux/sched/task_stack.h> #include <linux/stacktrace.h> #include <linux/export.h> +#include <linux/kprobes.h> #include <linux/uaccess.h> #include <asm/stacktrace.h> #include <asm/unwind.h> @@ -37,8 +38,13 @@ static void noinline __save_stack_trace(struct stack_trace *trace, struct unwind_state state; unsigned long addr;

• if (regs)

• save_stack_address(trace, regs->ip, nosched);
  

• if (regs) {

• /* XXX: Currently broken -- stack_addr(regs) doesn't match entry. */
  

• addr = regs->ip;
  

Since this part is for storing regs->ip as a top of call-stack, this seems correct code. Stack unwind will be done next block.

• //addr = ftrace_graph_ret_addr(current, &state.graph_idx, addr, stack_addr(regs));
  

so func graph return trampoline address will be shown only when unwinding stack entries. I mean func-graph tracer is not used as an event, so it never kicks stackdump.

• addr = kretprobe_ret_addr(current, addr, stack_addr(regs));
  

But since kretprobe will be an event, which can kick the stackdump. BTW, from kretprobe, regs->ip should always be the trampoline handler, see arch/x86/kernel/kprobes/core.c:772 :-) So it must be fixed always.

• save_stack_address(trace, addr, nosched);
  

• }

for (unwind_start(&state, task, regs, NULL); !unwind_done(&state); unwind_next_frame(&state)) { diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c index 3dc26f95d46e..47062427e9a3 100644 --- a/arch/x86/kernel/unwind_frame.c +++ b/arch/x86/kernel/unwind_frame.c @@ -1,4 +1,5 @@ #include <linux/sched.h> +#include <linux/kprobes.h> #include <linux/sched/task.h> #include <linux/sched/task_stack.h> #include <linux/interrupt.h> @@ -270,6 +271,7 @@ static bool update_stack_state(struct unwind_state *state, addr = READ_ONCE_TASK_STACK(state->task, *addr_p); state->ip = ftrace_graph_ret_addr(state->task, &state->graph_idx, addr, addr_p);

• state->ip = kretprobe_ret_addr(state->task, state->ip, addr_p);
  

  }

/* Save the original stack pointer for unwind_dump(): */ diff --git a/arch/x86/kernel/unwind_guess.c b/arch/x86/kernel/unwind_guess.c index 4f0e17b90463..554fd7c5c331 100644 --- a/arch/x86/kernel/unwind_guess.c +++ b/arch/x86/kernel/unwind_guess.c @@ -1,5 +1,6 @@ #include <linux/sched.h> #include <linux/ftrace.h> +#include <linux/kprobes.h> #include <asm/ptrace.h> #include <asm/bitops.h> #include <asm/stacktrace.h> @@ -14,8 +15,10 @@ unsigned long unwind_get_return_address(struct unwind_state *state) addr = READ_ONCE_NOCHECK(*state->sp);

• return ftrace_graph_ret_addr(state->task, &state->graph_idx,

• addr = ftrace_graph_ret_addr(state->task, &state->graph_idx, addr, state->sp);
• addr = kretprobe_ret_addr(state->task, addr, state->sp);
• return addr;

} EXPORT_SYMBOL_GPL(unwind_get_return_address); diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c index 26038eacf74a..b6393500d505 100644 --- a/arch/x86/kernel/unwind_orc.c +++ b/arch/x86/kernel/unwind_orc.c @@ -1,5 +1,6 @@ #include <linux/module.h> #include <linux/sort.h> +#include <linux/kprobes.h> #include <asm/ptrace.h> #include <asm/stacktrace.h> #include <asm/unwind.h> @@ -462,6 +463,7 @@ bool unwind_next_frame(struct unwind_state *state) state->ip = ftrace_graph_ret_addr(state->task, &state->graph_idx, state->ip, (void *)ip_p);

• state->ip = kretprobe_ret_addr(state->task, state->ip, (void *)ip_p);
  

state->sp = sp; state->regs = NULL; diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h index e909413e4e38..3a01f9998064 100644 --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -172,6 +172,7 @@ struct kretprobe_instance { struct hlist_node hlist; struct kretprobe *rp; kprobe_opcode_t *ret_addr;

• kprobe_opcode_t **ret_addrp; struct task_struct *task; char data[0];

}; @@ -203,6 +204,7 @@ static inline int kprobes_built_in(void) extern void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs); extern int arch_trampoline_kprobe(struct kprobe *p); +extern void kretprobe_trampoline(void); #else /* CONFIG_KRETPROBES */ static inline void arch_prepare_kretprobe(struct kretprobe *rp, struct pt_regs *regs) @@ -212,6 +214,9 @@ static inline int arch_trampoline_kprobe(struct kprobe *p) { return 0; } +static inline void kretprobe_trampoline(void) +{ +} #endif /* CONFIG_KRETPROBES */ extern struct kretprobe_blackpoint kretprobe_blacklist[]; @@ -341,7 +346,7 @@ struct kprobe *get_kprobe(void *addr); void kretprobe_hash_lock(struct task_struct *tsk, struct hlist_head **head, unsigned long *flags); void kretprobe_hash_unlock(struct task_struct *tsk, unsigned long *flags); -struct hlist_head * kretprobe_inst_table_head(struct task_struct *tsk); +struct hlist_head *kretprobe_inst_table_head(struct task_struct *tsk); /* kprobe_running() will just return the current_kprobe on this CPU */ static inline struct kprobe *kprobe_running(void) @@ -371,6 +376,9 @@ void unregister_kretprobe(struct kretprobe *rp); int register_kretprobes(struct kretprobe **rps, int num); void unregister_kretprobes(struct kretprobe **rps, int num); +unsigned long kretprobe_ret_addr(struct task_struct *tsk, unsigned long ret,

• 		 unsigned long *retp);
  

void kprobe_flush_task(struct task_struct *tk); void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head); @@ -425,6 +433,11 @@ static inline void unregister_kretprobe(struct kretprobe *rp) static inline void unregister_kretprobes(struct kretprobe **rps, int num) { } +unsigned long kretprobe_ret_addr(struct task_struct *task, unsigned long ret,

• 		 unsigned long *retp)
  

+{

• return ret;

+} static inline void kprobe_flush_task(struct task_struct *tk) { } diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 90e98e233647..ed78141664ec 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -83,6 +83,11 @@ static raw_spinlock_t *kretprobe_table_lock_ptr(unsigned long hash) return &(kretprobe_table_locks[hash].lock); } +struct hlist_head *kretprobe_inst_table_head(struct task_struct *tsk) +{

• return &kretprobe_inst_table[hash_ptr(tsk, KPROBE_HASH_BITS)];

+}

/* Blacklist -- list of struct kprobe_blacklist_entry */ static LIST_HEAD(kprobe_blacklist); @@ -1206,6 +1211,15 @@ __releases(hlist_lock) } NOKPROBE_SYMBOL(kretprobe_table_unlock); +static bool kretprobe_hash_is_locked(struct task_struct *tsk) +{

• unsigned long hash = hash_ptr(tsk, KPROBE_HASH_BITS);
• raw_spinlock_t *hlist_lock = kretprobe_table_lock_ptr(hash);
• return raw_spin_is_locked(hlist_lock);

+} +NOKPROBE_SYMBOL(kretprobe_hash_is_locked);

/*

• This function is called from finish_task_switch when task tk becomes dead,
• so that we can recycle any function-return probe instances associated

@@ -1856,6 +1870,41 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) } NOKPROBE_SYMBOL(pre_handler_kretprobe); +unsigned long kretprobe_ret_addr(struct task_struct *tsk, unsigned long ret,

• 		 unsigned long *retp)
  

+{

• struct kretprobe_instance *ri;
• unsigned long flags = 0;
• struct hlist_head *head;
• bool need_lock;
• if (likely(ret != (unsigned long) &kretprobe_trampoline))

• return ret;
  

• need_lock = !kretprobe_hash_is_locked(tsk);
• if (WARN_ON(need_lock))

• kretprobe_hash_lock(tsk, &head, &flags);
  

• else

• head = kretprobe_inst_table_head(tsk);
  

This may not work unless this is called from the kretprobe handler context, since if we are out of kretprobe handler context, another CPU can lock the hash table and it can be detected by kretprobe_hash_is_locked();.

So, we should check we are in the kretprobe handler context if tsk == current, if not, we definately can lock the hash lock without any warning. This can be something like;

if (is_kretprobe_handler_context()) { // kretprobe_hash_lock(current == tsk) has been locked by caller if (tsk != current && kretprobe_hash(tsk) != kretprobe_hash(current)) // the hash of tsk and current can be same. need_lock = true; } else // we should take a lock for tsk. need_lock = true;

Thank you,

• hlist_for_each_entry(ri, head, hlist) {

• if (ri->task != current)
  

• 	continue;
  

• if (ri->ret_addr == (kprobe_opcode_t *) &kretprobe_trampoline)
  

• 	continue;
  

• if (ri->ret_addrp == (kprobe_opcode_t **) retp) {
  

• 	ret = (unsigned long) ri->ret_addr;
  

• 	goto out;
  

• }
  

• }

+out:

• if (need_lock)

• kretprobe_hash_unlock(tsk, &flags);
  

• return ret;

+} +NOKPROBE_SYMBOL(kretprobe_ret_addr);

bool __weak arch_kprobe_on_func_entry(unsigned long offset) { return !offset; @@ -2005,6 +2054,12 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) } NOKPROBE_SYMBOL(pre_handler_kretprobe); +unsigned long kretprobe_ret_addr(struct task_struct *tsk, unsigned long ret,

• 		 unsigned long *retp)
  

+{

• return ret;

+} +NOKPROBE_SYMBOL(kretprobe_ret_addr); #endif /* CONFIG_KRETPROBES */ /* Set the kprobe gone and remove its instruction buffer. */ -- 2.19.1

On Sat, 10 Nov 2018 02:06:29 +1100 Aleksa Sarai asarai@suse.de wrote:

On 2018-11-09, Masami Hiramatsu mhiramat@kernel.org wrote:

...

...

diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index ee696efec99f..c4dfafd43e11 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -172,6 +172,7 @@ static inline unsigned long kernel_stack_pointer(struct pt_regs *regs) return regs->sp; } #endif +#define stack_addr(regs) ((unsigned long *) kernel_stack_pointer(regs))

No, you should use kernel_stack_pointer(regs) itself instead of stack_addr().

...

#define GET_IP(regs) ((regs)->ip) #define GET_FP(regs) ((regs)->bp) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index b0d1e81c96bb..eb4da885020c 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -69,8 +69,6 @@ DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); -#define stack_addr(regs) ((unsigned long *)kernel_stack_pointer(regs))

I don't like keeping this meaningless macro... this should be replaced with generic kernel_stack_pointer() macro.

Sure. This patch was just an example -- I can remove stack_addr() all over.

...

...

• if (regs)

• save_stack_address(trace, regs->ip, nosched);
  

• if (regs) {

• /* XXX: Currently broken -- stack_addr(regs) doesn't match entry. */
  

• addr = regs->ip;
  

Since this part is for storing regs->ip as a top of call-stack, this seems correct code. Stack unwind will be done next block.

This comment was referring to the usage of stack_addr(). stack_addr() doesn't give you the right result (it isn't the address of the return address -- it's slightly wrong). This is the main issue I was having -- am I doing something wrong here?

Of course stack_addr() actually just returns where the stack is. It should not return address, but maybe a return address from this event happens. Note that the "regs != NULL" means you will be in the interrupt handler and it will be returned to the regs->ip.

...

...

• //addr = ftrace_graph_ret_addr(current, &state.graph_idx, addr, stack_addr(regs));
  

so func graph return trampoline address will be shown only when unwinding stack entries. I mean func-graph tracer is not used as an event, so it never kicks stackdump.

Just to make sure I understand what you're saying -- func-graph trace will never actually call __ftrace_stack_trace? Because if it does, then this code will be necessary (and then I'm a bit confused why the unwinder has func-graph trace code -- if stack traces are never taken under func-graph then the code in the unwinder is not necessary)

You seems misunderstanding. Even if this is not called from func-graph tracer, the stack entries are already replaced with func-graph trampoline. However, regs->ip (IRQ return address) is never replaced by the func-graph trampoline.

My reason for commenting this out is because at this point "state" isn't initialised and thus .graph_idx would not be correctly handled during unwind (and it's the same reason I commented it out later).

OK, but anyway, I think we don't need it.

...

...

• addr = kretprobe_ret_addr(current, addr, stack_addr(regs));
  

But since kretprobe will be an event, which can kick the stackdump. BTW, from kretprobe, regs->ip should always be the trampoline handler, see arch/x86/kernel/kprobes/core.c:772 :-) So it must be fixed always.

Right, but kretprobe_ret_addr() is returning the *original* return address (and we need to do an (addr == kretprobe_trampoline)). The real problem is that stack_addr(regs) isn't the same as it is during kretprobe setup (but kretprobe_ret_addr() works everywhere else).

I think stack_addr(regs) should be same when this is called from kretprobe handler context. Otherwise, yes, it is not same, but in that case, regs->ip is not kretprobe_trampoline too.

If you find kretprobe_trampoline on the "stack", of course it's address should be same as it is during kretprobe setup, but if you find kretprobe_trampoline on the regs->ip, that should always happen on kretprobe handler context. Otherwise, some critical violation happens on kretprobe_trampoline. In that case, we should dump the kretprobe_trampoline address itself, should not recover it.

...

...

@@ -1856,6 +1870,41 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs) } NOKPROBE_SYMBOL(pre_handler_kretprobe); +unsigned long kretprobe_ret_addr(struct task_struct *tsk, unsigned long ret,

• 		 unsigned long *retp)
  

+{

• struct kretprobe_instance *ri;
• unsigned long flags = 0;
• struct hlist_head *head;
• bool need_lock;
• if (likely(ret != (unsigned long) &kretprobe_trampoline))

• return ret;
  

• need_lock = !kretprobe_hash_is_locked(tsk);
• if (WARN_ON(need_lock))

• kretprobe_hash_lock(tsk, &head, &flags);
  

• else

• head = kretprobe_inst_table_head(tsk);
  

This may not work unless this is called from the kretprobe handler context, since if we are out of kretprobe handler context, another CPU can lock the hash table and it can be detected by kretprobe_hash_is_locked();.

Yeah, I noticed this as well when writing it (but needed a quick impl that I could test). I will fix this, thanks!

By is_kretprobe_handler_context() I imagine you are referring to checking is_kretprobe(current_kprobe())?

yes, that's correct :)

Thank you,

...

So, we should check we are in the kretprobe handler context if tsk == current, if not, we definately can lock the hash lock without any warning. This can be something like;

if (is_kretprobe_handler_context()) { // kretprobe_hash_lock(current == tsk) has been locked by caller if (tsk != current && kretprobe_hash(tsk) != kretprobe_hash(current)) // the hash of tsk and current can be same. need_lock = true; } else // we should take a lock for tsk. need_lock = true;

-- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/