| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Jan 2017 15:59:52 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzkaller <syzkaller@...glegroups.com>
Cc: Andrey Konovalov <andreyknvl@...gle.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
kasan-dev <kasan-dev@...glegroups.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
"x86@...nel.org" <x86@...nel.org>,
Kostya Serebryany <kcc@...gle.com>
Subject: Re: x86: warning in unwind_get_return_address
On Thu, Jan 5, 2017 at 3:49 PM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> On Tue, Dec 27, 2016 at 05:38:59PM +0100, Dmitry Vyukov wrote:
>> On Thu, Dec 22, 2016 at 6:17 AM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
>> > On Wed, Dec 21, 2016 at 01:46:36PM +0100, Andrey Konovalov wrote:
>> >> On Wed, Dec 21, 2016 at 12:36 AM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
>> >> >
>> >> > Thanks. Looking at the stack trace, my guess is that an interrupt hit
>> >> > while running in generated BPF code, and the unwinder got confused
>> >> > because regs->ip points to the generated code. I may need to disable
>> >> > that warning until we figure out a better solution.
>> >> >
>> >> > Can you share your .config file?
>> >>
>> >> Sure, attached.
>> >
>> > Ok, I was able to recreate with your config. The culprit was generated
>> > code, as I suspected, though it wasn't BPF, it was a kprobe (created by
>> > dccpprobe_init()).
>> >
>> > I'll make a patch to disable the warning.
>>
>> Hi,
>>
>> I am also seeing the following warnings:
>>
>> [ 281.889259] WARNING: kernel stack regs at ffff8801c29a7ea8 in
>> syz-executor8:1302 has bad 'bp' value ffff8801c29a7f28
>> [ 833.994878] WARNING: kernel stack regs at ffff8801c4e77ea8 in
>> syz-executor1:13094 has bad 'bp' value ffff8801c4e77f28
>>
>> Can it also be caused by bpf/kprobe?
>
> This is a different warning. I suspect it's due to unwinding the stack
> of another CPU while it's running, which is still possible in a few
> places. I'm going to have to disable all these warnings for now.
I also have the following diff locally. These loads trigger episodic
KASAN warnings about stack-of-bounds reads on rcu stall warnings when
it does backtrace of all cpus.
If it looks correct to you, can you please also incorporate it into your patch?
diff --git a/arch/x86/include/asm/stacktrace.h
b/arch/x86/include/asm/stacktrace.h
index a3269c897ec5..d8d4fc66ffec 100644
--- a/arch/x86/include/asm/stacktrace.h
+++ b/arch/x86/include/asm/stacktrace.h
@@ -58,7 +58,7 @@ get_frame_pointer(struct task_struct *task, struct
pt_regs *regs)
if (task == current)
return __builtin_frame_address(0);
- return (unsigned long *)((struct inactive_task_frame
*)task->thread.sp)->bp;
+ return (unsigned long *)READ_ONCE_NOCHECK(((struct
inactive_task_frame *)task->thread.sp)->bp);
}
#else
static inline unsigned long *
diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c
index 4443e499f279..f3a225ffa231 100644
--- a/arch/x86/kernel/unwind_frame.c
+++ b/arch/x86/kernel/unwind_frame.c
@@ -162,7 +162,7 @@ bool unwind_next_frame(struct unwind_state *state)
if (state->regs)
next_bp = (unsigned long *)state->regs->bp;
else
- next_bp = (unsigned long *)*state->bp;
+ next_bp = (unsigned long *)READ_ONCE_NOCHECK(*state->bp);
/* is the next frame pointer an encoded pointer to pt_regs? */
regs = decode_frame_pointer(next_bp);
Powered by blists - more mailing lists