From patchwork Wed Feb 15 11:54:28 2023
X-Patchwork-Submitter: Yang Jihong
X-Patchwork-Id: 57503
From: Yang Jihong
Subject: [PATCH 1/3] kprobes: Fixed probe nodes not correctly removed when forcibly unoptimized
Date: Wed, 15 Feb 2023 19:54:28 +0800
Message-ID: <20230215115430.236046-2-yangjihong1@huawei.com>
In-Reply-To: <20230215115430.236046-1-yangjihong1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When unoptimize_kprobe forcibly unoptimizes the kprobe, it simply queues it
in the freeing_list, and do_free_cleaned_kprobes directly reclaims the kprobe
if unoptimizing_list is empty (see do_unoptimize_kprobes), which may cause
WARN or UAF problems.

The specific scenario is as follows:

Thread1:
  arm_kprobe(p)
    mutex_lock(&kprobe_mutex)
    __arm_kprobe(kp)
      _p = get_optimized_kprobe(p->addr)
      if (unlikely(_p))
        unoptimize_kprobe(_p, true)
        // now _p is queued in freeing_list
    mutex_unlock(&kprobe_mutex)

Thread2:
  kprobe_optimizer
    mutex_lock(&kprobe_mutex)
    do_unoptimize_kprobes
      if (list_empty(&unoptimizing_list))
        return;
      // here directly returned and does not process freeing_list.
    ...
    do_free_cleaned_kprobes
      foreach op in freeing_list:
        WARN_ON_ONCE(!kprobe_unused(&op->kp))
        // WARN will be triggered here.
        free_aggr_kprobe(&op->kp)
        // Deletes op->kp directly; if the hash list is accessed later,
        // a UAF problem will be triggered.
    mutex_unlock(&kprobe_mutex)

The freeing_list needs to be processed in do_unoptimize_kprobes regardless of
whether unoptimizing_list is empty.

Signed-off-by: Yang Jihong
---
 kernel/kprobes.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 1c18ecf9f98b..0730e595f4c1 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -556,10 +556,9 @@ static void do_unoptimize_kprobes(void) lockdep_assert_cpus_held(); /* Unoptimization must be done anytime */ - if (list_empty(&unoptimizing_list)) - return; + if (!list_empty(&unoptimizing_list)) + arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); - arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); /* Loop on 'freeing_list' for disarming */ list_for_each_entry_safe(op, tmp, &freeing_list, list) { /* Switching from detour code to origin */
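Review bot: in the do_unoptimize_kprobes() hunk of 1/3, the comment `/* Unoptimization must be done anytime */` is left above `if (!list_empty(&unoptimizing_list))` and no longer describes the control flow; reword it to say why the `freeing_list` loop that follows must run even when `unoptimizing_list` is empty (a forcibly unoptimized probe is put on `freeing_list` directly by `unoptimize_kprobe(_p, true)`, as the description shows), since that is the whole point of the change. The patch also carries no Fixes: tag, unlike 2/3; if the commit that introduced the early return can be identified, add it so the fix is picked up by stable.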
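The two-thread scenario in the 1/3 description, replayed as a user-space model (an added example; this is not kernel code and not part of the patch). The model reduces kprobe_unused() to "no user kprobes attached", drops the arch hooks and the kprobe_mutex, and keeps op->list membership as one enum; those are assumptions of the model, not kernel behaviour. It shows that the old early return in do_unoptimize_kprobes() leaves a forcibly unoptimized, still-hashed aggregator on freeing_list for do_free_cleaned_kprobes() to free, while the patched control flow takes it off the list instead.

```c
#include <stdbool.h>
#include <stddef.h>

enum on_list { ON_NONE, ON_UNOPTIMIZING, ON_FREEING };

struct aggr_probe {
    bool optimized;     /* KPROBE_FLAG_OPTIMIZED */
    bool in_hash;       /* still reachable through the kprobe hash table */
    int users;          /* attached user kprobes; kprobe_unused() is users == 0 here */
    enum on_list list;  /* which of unoptimizing_list / freeing_list op->list is on */
    bool freed;
};

/* unoptimize_kprobe(op, force=true): the jump is patched out at once and op
 * goes straight onto freeing_list, never passing through unoptimizing_list. */
static void unoptimize_forced(struct aggr_probe *op)
{
    if (op->optimized && op->list == ON_NONE)
        op->list = ON_FREEING;
}

/* do_unoptimize_kprobes(); `fixed` selects the control flow after the patch. */
static void do_unoptimize(struct aggr_probe *ops, size_t n, bool fixed)
{
    bool have_unoptimizing = false;
    for (size_t i = 0; i < n; i++)
        if (ops[i].list == ON_UNOPTIMIZING) have_unoptimizing = true;

    if (!have_unoptimizing && !fixed)
        return;                       /* old code: freeing_list is never walked */
    if (have_unoptimizing)            /* arch_unoptimize_kprobes(): move to freeing_list */
        for (size_t i = 0; i < n; i++)
            if (ops[i].list == ON_UNOPTIMIZING) ops[i].list = ON_FREEING;

    for (size_t i = 0; i < n; i++) {  /* loop on freeing_list: detour code -> origin */
        if (ops[i].list != ON_FREEING) continue;
        ops[i].optimized = false;
        if (ops[i].users == 0)
            ops[i].in_hash = false;   /* hlist_del_rcu(): reclaimed after the sync */
        else
            ops[i].list = ON_NONE;    /* list_del_init(): still in use, keep it */
    }
}

/* do_free_cleaned_kprobes(): returns how many probes were freed while still in
 * use, i.e. where WARN_ON_ONCE(!kprobe_unused()) fires and a UAF can follow. */
static int do_free_cleaned(struct aggr_probe *ops, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (ops[i].list != ON_FREEING) continue;
        if (ops[i].users != 0 || ops[i].in_hash) bad++;
        ops[i].list = ON_NONE;
        ops[i].freed = true;
    }
    return bad;
}

static struct aggr_probe last_state;   /* state of the probe after a replay */

/* Thread1: __arm_kprobe() forcibly unoptimizes an in-use aggregator _p while
 * unoptimizing_list is empty; Thread2: kprobe_optimizer() runs. Returns bad frees. */
static int replay(bool fixed)
{
    struct aggr_probe ops[1] = { { .optimized = true, .in_hash = true, .users = 1 } };
    unoptimize_forced(&ops[0]);
    do_unoptimize(ops, 1, fixed);
    int bad = do_free_cleaned(ops, 1);
    last_state = ops[0];
    return bad;
}

/* Reference path: a probe with no users queued normally on unoptimizing_list is
 * moved to freeing_list, unhashed and reclaimed, before and after the patch. */
static int replay_normal(bool fixed)
{
    struct aggr_probe ops[1] = { { .optimized = true, .in_hash = true, .users = 0,
                                   .list = ON_UNOPTIMIZING } };
    do_unoptimize(ops, 1, fixed);
    int bad = do_free_cleaned(ops, 1);
    last_state = ops[0];
    return bad;
}
```

replay(false) returns 1 and leaves last_state.freed set with in_hash still true, which is the WARN plus UAF condition from the description; replay(true) returns 0 and leaves the probe unoptimized, off every list and still hashed, ready to be re-armed. replay_normal() returns 0 either way, so the fix does not change the ordinary unoptimizing_list path.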
From patchwork Wed Feb 15 11:54:29 2023
X-Patchwork-Submitter: Yang Jihong
X-Patchwork-Id: 57502
From: Yang Jihong
Subject: [PATCH 2/3] x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
Date: Wed, 15 Feb 2023 19:54:29 +0800
Message-ID: <20230215115430.236046-3-yangjihong1@huawei.com>
In-Reply-To: <20230215115430.236046-1-yangjihong1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Since the following commit:

  commit f66c0447cca1 ("kprobes: Set unoptimized flag after unoptimizing code")

modified the update timing of KPROBE_FLAG_OPTIMIZED, an optimized_kprobe may
be in the optimizing or unoptimizing state when op.kp->flags has
KPROBE_FLAG_OPTIMIZED and op->list is not empty.

The __recover_optprobed_insn check logic is incorrect: a kprobe in the
unoptimizing state may be incorrectly determined as unoptimizing. As a
result, incorrect instructions are copied.

The optprobe_queued_unopt function needs to be exported for invoking in the
arch directory.

Fixes: f66c0447cca1 ("kprobes: Set unoptimized flag after unoptimizing code")
Signed-off-by: Yang Jihong
---
 arch/x86/kernel/kprobes/opt.c | 4 ++--
 include/linux/kprobes.h       | 1 +
 kernel/kprobes.c              | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c index e57e07b0edb6..3718d6863555 100644 --- a/arch/x86/kernel/kprobes/opt.c +++ b/arch/x86/kernel/kprobes/opt.c @@ -46,8 +46,8 @@ unsigned long __recover_optprobed_insn(kprobe_opcode_t *buf, unsigned long addr) /* This function only handles jump-optimized kprobe */ if (kp && kprobe_optimized(kp)) { op = container_of(kp, struct optimized_kprobe, kp); - /* If op->list is not empty, op is under optimizing */ - if (list_empty(&op->list)) + /* If op is [un]optimized or under unoptimizing */ + if (list_empty(&op->list) || optprobe_queued_unopt(op)) goto found; } } diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h index a0b92be98984..ab39285f71a6 100644 --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -378,6 +378,7 @@ extern void opt_pre_handler(struct kprobe *p, struct pt_regs *regs); DEFINE_INSN_CACHE_OPS(optinsn); extern void wait_for_kprobe_optimizer(void); +bool optprobe_queued_unopt(struct optimized_kprobe *op); #else /* !CONFIG_OPTPROBES */ static inline void wait_for_kprobe_optimizer(void) { } #endif /* CONFIG_OPTPROBES */ diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 0730e595f4c1..bf60eb26c873 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c 
@@ -661,7 +661,7 @@ void wait_for_kprobe_optimizer(void) mutex_unlock(&kprobe_mutex); } -static bool optprobe_queued_unopt(struct optimized_kprobe *op) +bool optprobe_queued_unopt(struct optimized_kprobe *op) { struct optimized_kprobe *_op;
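Review bot: in the __recover_optprobed_insn() hunk of arch/x86/kernel/kprobes/opt.c, the new comment `/* If op is [un]optimized or under unoptimizing */` does not name the three states the condition distinguishes: `list_empty(&op->list)` means op is fully optimized and its original bytes exist only in `op->optinsn.copied_insn`; `optprobe_queued_unopt(op)` means op is still jump-patched while it waits on `unoptimizing_list`, so the saved copy is again the only correct source; the remaining case, op queued on `optimizing_list`, still has its original text in place, which is why falling through is right. Spell that out, since the old comment `/* If op->list is not empty, op is under optimizing */` was the cause of the confusion. Separately, the commit message sentence "a kprobe in the unoptimizing state may be incorrectly determined as unoptimizing" reads as a typo for "optimizing".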
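Review bot: in the include/linux/kprobes.h hunk, the new `bool optprobe_queued_unopt(struct optimized_kprobe *op);` lands only in the CONFIG_OPTPROBES branch, with no stub in the `#else` branch next to the existing `static inline void wait_for_kprobe_optimizer(void) { }`. That builds today only because the sole caller, arch/x86/kernel/kprobes/opt.c, is itself compiled only with CONFIG_OPTPROBES; either add a `static inline bool optprobe_queued_unopt(struct optimized_kprobe *op) { return false; }` stub to keep the header's pattern, or say in the commit message that callers must live under CONFIG_OPTPROBES.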
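Review bot: in the kernel/kprobes.c hunk, `optprobe_queued_unopt()` loses its `static` and becomes callable from arch code without any kernel-doc or locking note. The `_op` iterator in the context shows it walks a list, and the `mutex_unlock(&kprobe_mutex)` just above in wait_for_kprobe_optimizer() shows which lock protects those lists; the new caller in __recover_optprobed_insn() must therefore hold `kprobe_mutex`. Add `lockdep_assert_held(&kprobe_mutex);` as the first statement of the function body and a one-line comment stating the requirement, so an out-of-tree or future caller cannot walk the list unlocked.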
From patchwork Wed Feb 15 11:54:30 2023
X-Patchwork-Submitter: Yang Jihong
X-Patchwork-Id: 57501
From: Yang Jihong
Subject: [PATCH 3/3] x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
Date: Wed, 15 Feb 2023 19:54:30 +0800
Message-ID: <20230215115430.236046-4-yangjihong1@huawei.com>
In-Reply-To: <20230215115430.236046-1-yangjihong1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When arch_prepare_optimized_kprobe calculates the jump destination address,
it copies the original instructions from the jmp-optimized kprobe (see
__recover_optprobed_insn) and calculates it based on the length of the
original instruction. arch_check_optimized_kprobe does not check
KPROBE_FLAG_OPTIMIZED when checking whether a jmp-optimized kprobe exists.
As a result, setup_detour_execution may jump to a range that has been
overwritten by the jump destination address, resulting in an invalid opcode
error.

For example, assume that two kprobes are registered whose addresses are and
in the "func" function. The original code of the "func" function is as
follows:

  0xffffffff816cb5e9 <+9>:  push  %r12
  0xffffffff816cb5eb <+11>: xor   %r12d,%r12d
  0xffffffff816cb5ee <+14>: test  %rdi,%rdi
  0xffffffff816cb5f1 <+17>: setne %r12b
  0xffffffff816cb5f5 <+21>: push  %rbp

1. Register the kprobe for , assume that it is kp1 and the corresponding
   optimized_kprobe is op1. After the optimization, the "func" code changes
   to:

  0xffffffff816cc079 <+9>:  push %r12
  0xffffffff816cc07b <+11>: jmp  0xffffffffa0210000
  0xffffffff816cc080 <+16>: incl 0xf(%rcx)
  0xffffffff816cc083 <+19>: xchg %eax,%ebp
  0xffffffff816cc084 <+20>: (bad)
  0xffffffff816cc085 <+21>: push %rbp

   Now op1->flags == KPROBE_FLAG_OPTIMIZED;

2. Register the kprobe for , assume that it is kp2 and the corresponding
   optimized_kprobe is op2.

  register_kprobe(kp2)
    register_aggr_kprobe
      alloc_aggr_kprobe
        __prepare_optimized_kprobe
          arch_prepare_optimized_kprobe
            __recover_optprobed_insn
            // copy original bytes from kp1->optinsn.copied_insn,
            // jump address =

3. Disable kp1:

  disable_kprobe(kp1)
    __disable_kprobe
      ...
      if (p == orig_p || aggr_kprobe_disabled(orig_p)) {
        ret = disarm_kprobe(orig_p, true)
        // add op1 in unoptimizing_list, not unoptimized
        orig_p->flags |= KPROBE_FLAG_DISABLED;
        // op1->flags == KPROBE_FLAG_OPTIMIZED | KPROBE_FLAG_DISABLED
      ...

4. Unregister kp2:

  __unregister_kprobe_top
    ...
    if (!kprobe_disabled(ap) && !kprobes_all_disarmed) {
      optimize_kprobe(op)
        ...
        if (arch_check_optimized_kprobe(op) < 0)
          // because op1 has KPROBE_FLAG_DISABLED, here not return
          return;
        p->kp.flags |= KPROBE_FLAG_OPTIMIZED;
        // now op2 has KPROBE_FLAG_OPTIMIZED
    }

   The "func" code now is:

  0xffffffff816cc079 <+9>:  int3
  0xffffffff816cc07a <+10>: push %rsp
  0xffffffff816cc07b <+11>: jmp  0xffffffffa0210000
  0xffffffff816cc080 <+16>: incl 0xf(%rcx)
  0xffffffff816cc083 <+19>: xchg %eax,%ebp
  0xffffffff816cc084 <+20>: (bad)
  0xffffffff816cc085 <+21>: push %rbp

5. If "func" is called, the int3 handler calls setup_detour_execution:

  if (p->flags & KPROBE_FLAG_OPTIMIZED) {
    ...
    regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
    ...
  }

   The code at the destination address is:

  0xffffffffa021072c: push %r12
  0xffffffffa021072e: xor  %r12d,%r12d
  0xffffffffa0210731: jmp  0xffffffff816cb5ee

   However, is not a valid start instruction address. As a result, an error
   occurs.
Signed-off-by: Yang Jihong
---
 arch/x86/kernel/kprobes/opt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index 3718d6863555..e6d9bd038401 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -353,7 +353,7 @@ int arch_check_optimized_kprobe(struct optimized_kprobe *op) for (i = 1; i < op->optinsn.size; i++) { p = get_kprobe(op->kp.addr + i); - if (p && !kprobe_disabled(p)) + if (p && (!kprobe_disabled(p) || kprobe_optimized(p))) return -EEXIST; }
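Review bot: in the arch_check_optimized_kprobe() hunk, `kprobe_optimized(p)` now rejects any probe inside the range that still carries KPROBE_FLAG_OPTIMIZED, including one that is disabled and merely queued on `unoptimizing_list`; that is the intended fix, but the hunk adds no comment, so a reader will wonder why a disabled probe blocks optimization. Add one line above the loop saying that a disabled probe may still have its jmp in the text until the optimizer runs, so its range must stay reserved. The patch also has no Fixes: tag, unlike 2/3; add the one that applies so stable picks it up.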
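The byte layout and the two checks discussed in 2/3 and 3/3, modelled in user-space C (an added example; this is not kernel code and not part of either patch). The model assumes: probe offsets +9 and +11 and the instruction lengths follow the disassembly quoted in the 3/3 description, the 0x90 filler bytes are constructed, the rel32 value of the jump is ignored, the optimizing_list state is not modelled, and the KPROBE_FLAG_* bits and list membership are plain booleans. It shows that the pre-3/3 range check lets kp2 through even though its detour would return into kp1's live jmp, and that the pre-2/3 recovery rule hands back jmp bytes instead of the saved originals for a probe waiting on unoptimizing_list.

```c
#include <stdbool.h>
#include <string.h>
#include <errno.h>

#define JMP_SIZE 5   /* x86 jmp rel32 (e9 + 4 bytes): RELATIVEJUMP_SIZE in the kernel */
#define TEXT_LEN 24

/* "func" from +9 on, transcribed from the description's disassembly; the 0x90
 * bytes at +0..+8 and +22..+23 are filler constructed for this model. */
static const unsigned char func_orig[TEXT_LEN] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x41,0x54, 0x45,0x31,0xe4, 0x48,0x85,0xff,   /* +9 push %r12; +11 xor %r12d,%r12d; +14 test %rdi,%rdi */
    0x41,0x0f,0x95,0xc4, 0x55, 0x90,0x90,        /* +17 setne %r12b; +21 push %rbp */
};

/* Length of the original instruction at `off`; 0 if `off` is mid-instruction. */
static int orig_insn_len(int off)
{
    static const struct { int off, len; } tab[] = {{9,2},{11,3},{14,3},{17,4},{21,1}};
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (tab[i].off == off) return tab[i].len;
    return (off >= 0 && off < TEXT_LEN && (off < 9 || off > 21)) ? 1 : 0;
}

/* optinsn.size: whole instructions displaced by the jump; -1 if off a boundary. */
static int optinsn_size(int addr)
{
    int size = 0, len;
    for (; size < JMP_SIZE; size += len)
        if (!(len = orig_insn_len(addr + size))) return -1;
    return size;
}

/* Flags mirror KPROBE_FLAG_OPTIMIZED, KPROBE_FLAG_DISABLED and "on unoptimizing_list". */
struct optprobe { int addr, size; bool optimized, disabled, queued_unopt; unsigned char copied_insn[8]; };

static unsigned char text[TEXT_LEN];                           /* live .text of "func" */
static struct optprobe kp1, kp2, *probes[] = { &kp1, &kp2 };   /* stands in for get_kprobe() */

/* Jump-optimize op: save the displaced bytes, overwrite them with jmp rel32. */
static void optimize(struct optprobe *op)
{
    memcpy(op->copied_insn, text + op->addr, op->size);
    text[op->addr] = 0xe9;
    memset(text + op->addr + 1, 0, JMP_SIZE - 1);   /* rel32 value is irrelevant here */
    op->optimized = true;
}

/* __recover_optprobed_insn(): before 2/3 the saved copy was used only when op->list
 * was empty; after it also while op waits on unoptimizing_list (text still has the jmp). */
static const unsigned char *recover_insn(const struct optprobe *op, bool fixed)
{
    bool list_empty = !op->queued_unopt;   /* the optimizing_list case is not modelled */
    if (op->optimized && (list_empty || (fixed && op->queued_unopt)))
        return op->copied_insn;
    return text + op->addr;
}

/* arch_check_optimized_kprobe(): another probe inside op's jump range? Before 3/3 a
 * disabled probe never counted, even with its own jmp still in the text. */
static int check_optimized_range(const struct optprobe *op, bool fixed)
{
    for (int i = 1; i < op->size; i++)
        for (size_t k = 0; k < 2; k++)
            if (probes[k]->addr == op->addr + i &&
                (!probes[k]->disabled || (fixed && probes[k]->optimized)))
                return -EEXIST;
    return 0;
}

/* The detour jumps back to kp.addr + optinsn.size; that is only safe when no other
 * live jmp covers the offset and it is still an instruction boundary. */
static bool return_target_ok(const struct optprobe *op)
{
    int target = op->addr + op->size;
    for (size_t k = 0; k < 2; k++)
        if (probes[k] != op && probes[k]->optimized &&
            target > probes[k]->addr && target < probes[k]->addr + JMP_SIZE)
            return false;
    return orig_insn_len(target) != 0;
}

/* Steps 1-3 of the description: kp1 at +11 optimized, then disabled (queued on
 * unoptimizing_list with KPROBE_FLAG_OPTIMIZED still set); kp2 at +9 prepared. */
static void replay(void)
{
    memcpy(text, func_orig, TEXT_LEN);
    kp1 = (struct optprobe){ .addr = 11, .size = optinsn_size(11) };   /* xor + test = 6 */
    kp2 = (struct optprobe){ .addr = 9,  .size = optinsn_size(9) };    /* push + xor = 5 */
    optimize(&kp1);
    kp1.disabled = kp1.queued_unopt = true;
}

/* Step 4: arch_check_optimized_kprobe(op2) says 0 before the fix, -EEXIST after. */
static int kp2_check_verdict(bool fixed) { replay(); return check_optimized_range(&kp2, fixed); }
/* Step 5: kp2's detour would return to +14, inside kp1's jmp: never valid. */
static bool kp2_return_ok(void) { replay(); return return_target_ok(&kp2); }
/* 2/3: kp1's recovered bytes match the original only with the new rule. */
static bool kp1_recovered_ok(bool fixed)
{
    replay();
    return memcmp(recover_insn(&kp1, fixed), func_orig + 11, kp1.size) == 0;
}
```

kp2_return_ok() is false under either rule, which is the point: once kp1's jmp is in the text, nothing downstream can make kp2's detour safe, so arch_check_optimized_kprobe() returning -EEXIST for a disabled-but-still-optimized neighbour is the only gate that prevents the invalid-opcode fault described in step 5.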