[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230415050556.isimfnqnsgwmerkf@treble>
Date: Fri, 14 Apr 2023 22:05:56 -0700
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
Cc: Mark Rutland <mark.rutland@....com>, jpoimboe@...hat.com,
peterz@...radead.org, chenzhongjin@...wei.com, broonie@...nel.org,
nobuta.keiya@...itsu.com, sjitindarsingh@...il.com,
catalin.marinas@....com, will@...nel.org,
jamorris@...ux.microsoft.com, linux-arm-kernel@...ts.infradead.org,
live-patching@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-toolchains@...r.kernel.org
Subject: Re: [RFC PATCH v3 00/22] arm64: livepatch: Use ORC for dynamic frame
pointer validation
On Fri, Apr 14, 2023 at 11:27:44PM -0500, Madhavan T. Venkataraman wrote:
> >> What I meant is - if SFrame is implemented by simply extracting unwind info from
> >> DWARF data and placing it in a separate section (as it is probably implemented now),
> >> then what you say is totally true. But if the compiler folks agree to make SFrame reliable,
> >> then either they have to make DWARF reliable. Or, they have to implement SFrame as a
> >> separate feature and make it reliable. The former is tough to do as DWARF has a lot of complexity.
> >> The latter is a lot easier to do.
> >
> > [ adding linux-toolchains ]
> >
> > I don't think ensuring reliability is an easy task, regardless of the
> > complexity of the unwinding format.
> >
> > Whether it's SFrame or DWARF/eh_frame, the question would be how to
> > ensure it's always reliable for a compiler "power user" like the kernel
> > which has many edge cases (including lots of inline asm which the
> > compiler has no visibility to) and which uses unwinding for more than
> > just debugging.
> >
> > It would need some kind of black-box testing on a complex code base.
> > (hint: kind of like what objtool already does today)
> >
>
> I could use the ORC data I generate by using the decoder against the SFrame data.
> A function is reliable only if both data sources agree for the whole function.
This is somewhat similar to what I'm saying in another thread:
https://lore.kernel.org/live-patching/20230415043949.7y4tvshe26zday3e@treble/
If objtool and DWARF/SFrame agree, all is well.
> Also, in my approach, the actual frame pointer is dynamically checked against the
> frame pointer computed from the unwind data. Any mismatch indicates an unreliable stack trace.
>
> IMHO, this is sufficient to provide livepatch. Do you agree?
The dynamic reliable stacktrace checks for CONFIG_FRAME_POINTER on x86
are much simpler, as they don't require ORC or any other metadata. They
just need to detect preemption and page faults on the stack, and to
identify the end of the stack. Those simple dynamic checks, combined
with objtool's build-time frame pointer validation, worked very well
until we switched to ORC.
So I'm not sure I see the benefit of the additional complexity involved
in cross-checking frame pointers with ORC at runtime. But I'm just a
bystander. What really matters is what the arm64 folks think ;-)
--
Josh
Powered by blists - more mailing lists