From patchwork Thu Mar 30 19:10:59 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Cabaj <john.cabaj@canonical.com>
X-Patchwork-Id: 1763412
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=Mu/YX6Ph;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4PnY1P0R93z1yZ2
	for <incoming@patchwork.ozlabs.org>; Fri, 31 Mar 2023 06:11:20 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1phxg2-000312-SC; Thu, 30 Mar 2023 19:11:14 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <john.cabaj@canonical.com>) id 1phxfu-0002vj-LH
 for kernel-team@lists.ubuntu.com; Thu, 30 Mar 2023 19:11:06 +0000
Received: from mail-yb1-f197.google.com (mail-yb1-f197.google.com
 [209.85.219.197])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id DB5EF3F20F
 for <kernel-team@lists.ubuntu.com>; Thu, 30 Mar 2023 19:11:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1680203465;
 bh=7GbaAfZkxoh3+xFNuhBK64zVGUQAXqGusGeaweHmte0=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=Mu/YX6PhBeSv4RyWPw/to3v6bY7r5qhYaS8vr+cUifla+GUJEXlfjQws0EtTK8TaK
 3hUWF+PLkav+DF/r9N5JD3W/o8ketxXR0WxMUR2QCc2PuhltENxUWCcln7MNz2zK0w
 STrOnkvTONRztmXXDI+OnbOvy7f4SPD21y+ZEzkE6ReH+B6E8w0t2n30P7pds0Vd9n
 Rx1mUGhMXxCnToz0QgE1bjhr6M/keX/MS8YzArqzxuoYRxa8yN6qybwoSgGRS7csOA
 9tJPGIEbHIL/Fej7TB4QdchCScJXisa5oWflqKgL7uhwAy9dj7x4js9bYLRw7XAnS8
 4NcpppRft94ww==
Received: by mail-yb1-f197.google.com with SMTP id
 3-20020a251103000000b00b732e362449so19586980ybr.0
 for <kernel-team@lists.ubuntu.com>; Thu, 30 Mar 2023 12:11:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1680203464;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=7GbaAfZkxoh3+xFNuhBK64zVGUQAXqGusGeaweHmte0=;
 b=n8oPKGyZIxJuYC0+rjTtMCkBYbDMDwoAqWMY0Y4iABfrz8ScaRqCCUFLnegrfuOcfE
 g72JMoS7QZCWEX+bY+4eBeULW9kaZCWYHL4ltcQ482hBHPE6jiwqBCh5snwEHzIyK0Tp
 KpwvUZnpUrW7wHkjzvdpHSM8PcCHdNR+Qxk9MuEL0ajpPuy5Yeupyg8KK+dJNcEJBMWK
 wyHyCT1xomWTmDIp5pZReU9VFBzxccKFBjI9fow/c2U8EeOk3fcBNySE2cu4g0RA2SNa
 pLT/3ZEJrkUcvUiTPmSLTzgilqAcS8tR3F9fSt/WjAD3E8P9Km5Q4G6rCN30NxUAGcMG
 yWbg==
X-Gm-Message-State: AAQBX9dlcizXIVol7PWneLlD5Mub6pe/aEa5Ch7crPhTTJVbmh4jrnKj
 JUwjzRszBYpQOfk4tVevOYzPR3RoiFIArifYwjtsKUhe+PM4TRbpe9U3Er+nFfpENZ29xdi+C4L
 BjYoW8gbaxUiZxPck5+k77m0dFGhyL3NH9OBVWQ2XNRNApZuGaA==
X-Received: by 2002:a0d:d8c6:0:b0:545:62d9:deba with SMTP id
 a189-20020a0dd8c6000000b0054562d9debamr5154752ywe.25.1680203464563;
 Thu, 30 Mar 2023 12:11:04 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350acWlAzJRjVP189rBr6PSeAVW/w5nJQ1Jlb9Bcp0wtkAzGwY/YcwiGejVGj3Ylko1v/9aYumA==
X-Received: by 2002:a0d:d8c6:0:b0:545:62d9:deba with SMTP id
 a189-20020a0dd8c6000000b0054562d9debamr5154736ywe.25.1680203464201;
 Thu, 30 Mar 2023 12:11:04 -0700 (PDT)
Received: from smtp.gmail.com
 (h69-130-246-116.mdtnwi.broadband.dynamic.tds.net. [69.130.246.116])
 by smtp.gmail.com with ESMTPSA id
 k10-20020a81ff0a000000b00545a0818473sm42251ywn.3.2023.03.30.12.11.03
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 30 Mar 2023 12:11:03 -0700 (PDT)
From: John Cabaj <john.cabaj@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][jammy][PATCH 3/5] kprobes: Add kretprobe_find_ret_addr() for
 searching return address
Date: Thu, 30 Mar 2023 14:10:59 -0500
Message-Id: <20230330191101.2034512-4-john.cabaj@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230330191101.2034512-1-john.cabaj@canonical.com>
References: <20230330191101.2034512-1-john.cabaj@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Masami Hiramatsu <mhiramat@kernel.org>

BugLink: https://bugs.launchpad.net/bugs/1639924

Introduce kretprobe_find_ret_addr() and is_kretprobe_trampoline().
These APIs will be used by the ORC stack unwinder and ftrace, so that
they can check whether the given address points kretprobe trampoline
code and query the correct return address in that case.

Link: https://lkml.kernel.org/r/163163046461.489837.1044778356430293962.stgit@devnote2

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
(backported from commit 03bac0df2886882c43e6d0bfff9dee84a184fc7e)
[John Cabaj: cleaning-up kernel panic that was relocated to conditional]
Signed-off-by: John Cabaj <john.cabaj@canonical.com>
---
 include/linux/kprobes.h |  22 ++++++++
 kernel/kprobes.c        | 109 ++++++++++++++++++++++++++++++----------
 2 files changed, 105 insertions(+), 26 deletions(-)

diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
index f6b0aef35f66..9e24d8b79100 100644
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -511,6 +511,28 @@ static inline bool is_kprobe_optinsn_slot(unsigned long addr)
 }
 #endif
 
+#ifdef CONFIG_KRETPROBES
+static nokprobe_inline bool is_kretprobe_trampoline(unsigned long addr)
+{
+	return (void *)addr == kretprobe_trampoline_addr();
+}
+
+unsigned long kretprobe_find_ret_addr(struct task_struct *tsk, void *fp,
+				      struct llist_node **cur);
+#else
+static nokprobe_inline bool is_kretprobe_trampoline(unsigned long addr)
+{
+	return false;
+}
+
+static nokprobe_inline
+unsigned long kretprobe_find_ret_addr(struct task_struct *tsk, void *fp,
+				      struct llist_node **cur)
+{
+	return 0;
+}
+#endif
+
 /* Returns true if kprobes handled the fault */
 static nokprobe_inline bool kprobe_page_fault(struct pt_regs *regs,
 					      unsigned int trap)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 7da4a5048eb7..8e06a8d6516c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1866,45 +1866,87 @@ unsigned long __weak arch_deref_entry_point(void *entry)
 
 #ifdef CONFIG_KRETPROBES
 
-unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
-					     void *frame_pointer)
+/* This assumes the 'tsk' is the current task or the is not running. */
+static kprobe_opcode_t *__kretprobe_find_ret_addr(struct task_struct *tsk,
+						  struct llist_node **cur)
 {
-	kprobe_opcode_t *correct_ret_addr = NULL;
 	struct kretprobe_instance *ri = NULL;
-	struct llist_node *first, *node;
-	struct kretprobe *rp;
+	struct llist_node *node = *cur;
+
+	if (!node)
+		node = tsk->kretprobe_instances.first;
+	else
+		node = node->next;
 
-	/* Find all nodes for this frame. */
-	first = node = current->kretprobe_instances.first;
 	while (node) {
 		ri = container_of(node, struct kretprobe_instance, llist);
-
-		BUG_ON(ri->fp != frame_pointer);
-
 		if (ri->ret_addr != kretprobe_trampoline_addr()) {
-			correct_ret_addr = ri->ret_addr;
-			/*
-			 * This is the real return address. Any other
-			 * instances associated with this task are for
-			 * other calls deeper on the call stack
-			 */
-			goto found;
+			*cur = node;
+			return ri->ret_addr;
 		}
-
 		node = node->next;
 	}
-	pr_err("Oops! Kretprobe fails to find correct return address.\n");
-	BUG_ON(1);
+	return NULL;
+}
+NOKPROBE_SYMBOL(__kretprobe_find_ret_addr);
 
-found:
-	/* Unlink all nodes for this frame. */
-	current->kretprobe_instances.first = node->next;
-	node->next = NULL;
+/**
+ * kretprobe_find_ret_addr -- Find correct return address modified by kretprobe
+ * @tsk: Target task
+ * @fp: A frame pointer
+ * @cur: a storage of the loop cursor llist_node pointer for next call
+ *
+ * Find the correct return address modified by a kretprobe on @tsk in unsigned
+ * long type. If it finds the return address, this returns that address value,
+ * or this returns 0.
+ * The @tsk must be 'current' or a task which is not running. @fp is a hint
+ * to get the currect return address - which is compared with the
+ * kretprobe_instance::fp field. The @cur is a loop cursor for searching the
+ * kretprobe return addresses on the @tsk. The '*@cur' should be NULL at the
+ * first call, but '@cur' itself must NOT NULL.
+ */
+unsigned long kretprobe_find_ret_addr(struct task_struct *tsk, void *fp,
+				      struct llist_node **cur)
+{
+	struct kretprobe_instance *ri = NULL;
+	kprobe_opcode_t *ret;
+
+	if (WARN_ON_ONCE(!cur))
+		return 0;
+
+	do {
+		ret = __kretprobe_find_ret_addr(tsk, cur);
+		if (!ret)
+			break;
+		ri = container_of(*cur, struct kretprobe_instance, llist);
+	} while (ri->fp != fp);
 
-	/* Run them..  */
+	return (unsigned long)ret;
+}
+NOKPROBE_SYMBOL(kretprobe_find_ret_addr);
+
+unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
+					     void *frame_pointer)
+{
+	kprobe_opcode_t *correct_ret_addr = NULL;
+	struct kretprobe_instance *ri = NULL;
+	struct llist_node *first, *node = NULL;
+	struct kretprobe *rp;
+
+	/* Find correct address and all nodes for this frame. */
+	correct_ret_addr = __kretprobe_find_ret_addr(current, &node);
+	if (!correct_ret_addr) {
+		pr_err("kretprobe: Return address not found, not execute handler. Maybe there is a bug in the kernel.\n");
+		BUG_ON(1);
+	}
+
+	/* Run the user handler of the nodes. */
+	first = current->kretprobe_instances.first;
 	while (first) {
 		ri = container_of(first, struct kretprobe_instance, llist);
-		first = first->next;
+
+		if (WARN_ON_ONCE(ri->fp != frame_pointer))
+			break;
 
 		rp = get_kretprobe(ri);
 		if (rp && rp->handler) {
@@ -1915,6 +1957,21 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
 			rp->handler(ri, regs);
 			__this_cpu_write(current_kprobe, prev);
 		}
+		if (first == node)
+			break;
+
+		first = first->next;
+	}
+
+	/* Unlink all nodes for this frame. */
+	first = current->kretprobe_instances.first;
+	current->kretprobe_instances.first = node->next;
+	node->next = NULL;
+
+	/* Recycle free instances. */
+	while (first) {
+		ri = container_of(first, struct kretprobe_instance, llist);
+		first = first->next;
 
 		recycle_rp_inst(ri);
 	}