Message ID | 20230224021858.120078-1-chenzhongjin@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp661313wrd; Thu, 23 Feb 2023 18:36:39 -0800 (PST) X-Google-Smtp-Source: AK7set8vsO8Iwrsre8Xmyd5oR2/81LIYnyweM1bZTKGvUpVty74pVhnUOGwaPk2TvsBy5ywzR0YZ X-Received: by 2002:a17:906:16d9:b0:886:221b:44e5 with SMTP id t25-20020a17090616d900b00886221b44e5mr20835696ejd.62.1677206199488; Thu, 23 Feb 2023 18:36:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1677206199; cv=none; d=google.com; s=arc-20160816; b=v0O+Fnfu9o+qpK7ayvukgQ7c+ui9IEzHWKOCITQD5eyxLYgv5X/6xqpJ2dW1jYqnTQ ErMgdMCNMK574+V7ck53+MIW/FZh7/Xwe2WUoPKn0QvGhdd/D0SiHlC1yljRlaAJusiy FBXiHOegOm2yY61Tbjp2vlBLyNNHmzO3zMqJUBGptPts73vxHEVgqf9yKraSHlJgU0hN TPtr/z2kP3NhEz0mGlA1/Bl79M4U4zxalBuGhtNRtbiYlT11CFXXB01cEBeuM4P0N5Kz CtLVf9PNCRKXMRY8H5w6SCh6aI2+fPvyKVS4MZqyUir5E9F/hCAR0cqdcFbfiAaO/ATw 3pCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=3hrQoDUy4+Ove3exLOL2G1slKS6dUTSrtwMJSuVE5Y0=; b=TyBuhCgBHDgu2y8VO2vXtqnZgMLX+Pv8GUyeflwh7RxX6BYsr/XwQ+OSYgi9Di8ct6 Bg2tBcXy7Y0VPPL92nyghoIB0MGqz0cRQYFQKXXT1W9ppjHaQAvDFMxUVtEryKlPP7qt +0XDquzA8c7U2CGWPgs4YwFQmpK/OvNR8HYATbJAMJvLp61l/tCTLA4lOmUBl6uXpNgA PVTsGJQrmFgC6cYYr/ck2TIiAmIoIygnDUH0EDK8gl/5uiHlvtwOnRIiArMIMepJxCAI YKP2ll8Ayj/nttLH4nIh1jjQu2i+3Es+qh5OZg+Ch4BqYGTE+AGbJ/2nrXv9ZQOOeBFE jBtQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 26-20020a170906025a00b008ddbe47ce72si13695555ejl.109.2023.02.23.18.36.16; Thu, 23 Feb 2023 18:36:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229576AbjBXCVO (ORCPT <rfc822;jeff.pang.chn@gmail.com> + 99 others); Thu, 23 Feb 2023 21:21:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229446AbjBXCVN (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Thu, 23 Feb 2023 21:21:13 -0500 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36DAE5EEC8 for <linux-kernel@vger.kernel.org>; Thu, 23 Feb 2023 18:21:08 -0800 (PST) Received: from dggpemm500013.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4PND8C4f1WzRsGr; Fri, 24 Feb 2023 10:18:19 +0800 (CST) Received: from ubuntu1804.huawei.com (10.67.175.36) by dggpemm500013.china.huawei.com (7.185.36.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.17; Fri, 24 Feb 2023 10:21:05 +0800 From: Chen Zhongjin <chenzhongjin@huawei.com> To: <x86@kernel.org>, <linux-kernel@vger.kernel.org> CC: <tglx@linutronix.de>, <mingo@redhat.com>, <bp@alien8.de>, <dave.hansen@linux.intel.com>, <hpa@zytor.com>, <chenzhongjin@huawei.com>, <ak@linux.intel.com> Subject: [PATCH] x86: profiling: Using generic unwinding in profile_pc Date: Fri, 24 Feb 2023 10:18:58 +0800 Message-ID: <20230224021858.120078-1-chenzhongjin@huawei.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.67.175.36] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To dggpemm500013.china.huawei.com (7.185.36.172) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1758678168097529161?= X-GMAIL-MSGID: =?utf-8?q?1758678168097529161?= |
Series |
x86: profiling: Using generic unwinding in profile_pc
|
|
Commit Message
Chen Zhongjin
Feb. 24, 2023, 2:18 a.m. UTC
Syzbot has been reporting the problem of stack-out-of-bounds in
profile_pc for a long time:
https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3
profile_pc tries to get pc if current regs is inside lock function. For
!CONFIG_FRAME_POINTER it used a hack way to get the pc from stack, which
is not work with ORC. It makes profile_pc returns wrong result, and
frequently triggers KASAN.
This can be fixed by using the unwind_start, it will skip the first
regs frame and get the caller of lock function directly, or 0 if
unwind_get_return_address finds the unwinding failed. For all of FP, ORC
and guess unwinders it works.
Fixes: 0cb91a229364 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels")
Reported-by: syzbot+84fe685c02cd112a2ac3@syzkaller.appspotmail.com
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
---
arch/x86/kernel/time.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
Comments
Just ping... Or has profile code already been obsoleted? On 2023/2/24 10:18, chenzhongjin wrote: > Syzbot has been reporting the problem of stack-out-of-bounds in > profile_pc for a long time: > https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 > > profile_pc tries to get pc if current regs is inside lock function. For > !CONFIG_FRAME_POINTER it used a hack way to get the pc from stack, which > is not work with ORC. It makes profile_pc returns wrong result, and > frequently triggers KASAN. > > This can be fixed by using the unwind_start, it will skip the first > regs frame and get the caller of lock function directly, or 0 if > unwind_get_return_address finds the unwinding failed. For all of FP, ORC > and guess unwinders it works. > > Fixes: 0cb91a229364 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels") > Reported-by: syzbot+84fe685c02cd112a2ac3@syzkaller.appspotmail.com > Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> > --- > arch/x86/kernel/time.c | 20 ++++++-------------- > 1 file changed, 6 insertions(+), 14 deletions(-) > > diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c > index e42faa792c07..5e0446f49906 100644 > --- a/arch/x86/kernel/time.c > +++ b/arch/x86/kernel/time.c > @@ -24,26 +24,18 @@ > #include <asm/timer.h> > #include <asm/hpet.h> > #include <asm/time.h> > +#include <asm/unwind.h> > > unsigned long profile_pc(struct pt_regs *regs) > { > unsigned long pc = instruction_pointer(regs); > > if (!user_mode(regs) && in_lock_functions(pc)) { > -#ifdef CONFIG_FRAME_POINTER > - return *(unsigned long *)(regs->bp + sizeof(long)); > -#else > - unsigned long *sp = (unsigned long *)regs->sp; > - /* > - * Return address is either directly at stack pointer > - * or above a saved flags. Eflags has bits 22-31 zero, > - * kernel addresses don't. > - */ > - if (sp[0] >> 22) > - return sp[0]; > - if (sp[1] >> 22) > - return sp[1]; > -#endif > + struct unwind_state state; > + > + /* unwind_start will skip the first regs frame */ > + unwind_start(&state, current, regs, NULL); > + pc = unwind_get_return_address(&state); > } > return pc; > }
On 4/2/2023 6:24 PM, Chen Zhongjin wrote:
> Just ping... Or has profile code already been obsoleted?
I think it would be reasonable to remove the locked functions hack since
lock profiling can be handled with much better other tools these days.
I wouldn't make it depend on the generic unwinder since such a low level
facility is likely better off without complex dependencies that could break.
-Andi
On 2023/4/4 2:29, Andi Kleen wrote: > > On 4/2/2023 6:24 PM, Chen Zhongjin wrote: >> Just ping... Or has profile code already been obsoleted? > > > I think it would be reasonable to remove the locked functions hack > since lock profiling can be handled with much better other tools these > days. > > I wouldn't make it depend on the generic unwinder since such a low > level facility is likely better off without complex dependencies that > could break. > > -Andi > > Although now the generic unwinder on x86 is quite stable... I think it's acceptable to remove the locked functions unwinding for !FP case and leave the FP part as is. I'll send a new patch for this with another bugfix. Thanks for review and best, Chen
diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c index e42faa792c07..5e0446f49906 100644 --- a/arch/x86/kernel/time.c +++ b/arch/x86/kernel/time.c @@ -24,26 +24,18 @@ #include <asm/timer.h> #include <asm/hpet.h> #include <asm/time.h> +#include <asm/unwind.h> unsigned long profile_pc(struct pt_regs *regs) { unsigned long pc = instruction_pointer(regs); if (!user_mode(regs) && in_lock_functions(pc)) { -#ifdef CONFIG_FRAME_POINTER - return *(unsigned long *)(regs->bp + sizeof(long)); -#else - unsigned long *sp = (unsigned long *)regs->sp; - /* - * Return address is either directly at stack pointer - * or above a saved flags. Eflags has bits 22-31 zero, - * kernel addresses don't. - */ - if (sp[0] >> 22) - return sp[0]; - if (sp[1] >> 22) - return sp[1]; -#endif + struct unwind_state state; + + /* unwind_start will skip the first regs frame */ + unwind_start(&state, current, regs, NULL); + pc = unwind_get_return_address(&state); } return pc; }