[patch 02/60] x86/unwinder/orc: Dont bail on stack overflow

From: Thomas Gleixner
Date: Mon Dec 04 2017 - 12:07:39 EST

Next message: Thomas Gleixner: "[patch 07/60] x86/dumpstack: Add get_stack_info() support for the SYSENTER stack"
Previous message: Thomas Gleixner: "[patch 08/60] x86/entry/gdt: Put per-CPU GDT remaps in ascending order"
In reply to: Thomas Gleixner: "[patch 08/60] x86/entry/gdt: Put per-CPU GDT remaps in ascending order"
Next in thread: Andy Lutomirski: "Re: [patch 02/60] x86/unwinder/orc: Dont bail on stack overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Lutomirski <luto@xxxxxxxxxx>

If the stack overflows into a guard page and the ORC unwinder should work
well: by construction, there can't be any meaningful data in the guard page
because no writes to the guard page will have succeeded.

But there is a bug that prevents unwinding from working correctly: if the
starting register state has RSP pointing into a stack guard page, the ORC
unwinder bails out immediately.

Instead of bailing out immediately check whether the next page up is a
valid check page and if so analyze that. As a result the ORC unwinder will
start the unwind.

Tested by intentionally overflowing the task stack. The result is an
accurate call trace instead of a trace consisting purely of '?' entries.

There are a few other bugs that are triggered if the unwinder encounters a
stack overflow after the first step, but they are outside the scope of this
fix.

Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: Borislav Petkov <bpetkov@xxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Link: http://lkml.kernel.org/r/927042950d7f1a7007dd0f58538966a593508f8b.1511715954.git.luto@xxxxxxxxxx

---
arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -553,8 +553,18 @@ void __unwind_start(struct unwind_state
}

if (get_stack_info((unsigned long *)state->sp, state->task,
- &state->stack_info, &state->stack_mask))
- return;
+ &state->stack_info, &state->stack_mask)) {
+ /*
+ * We weren't on a valid stack. It's possible that
+ * we overflowed a valid stack into a guard page.
+ * See if the next page up is valid so that we can
+ * generate some kind of backtrace if this happens.
+ */
+ void *next_page = (void *)PAGE_ALIGN((unsigned long)regs->sp);
+ if (get_stack_info(next_page, state->task, &state->stack_info,
+ &state->stack_mask))
+ return;
+ }

/*
* The caller can provide the address of the first frame directly

Next message: Thomas Gleixner: "[patch 07/60] x86/dumpstack: Add get_stack_info() support for the SYSENTER stack"
Previous message: Thomas Gleixner: "[patch 08/60] x86/entry/gdt: Put per-CPU GDT remaps in ascending order"
In reply to: Thomas Gleixner: "[patch 08/60] x86/entry/gdt: Put per-CPU GDT remaps in ascending order"
Next in thread: Andy Lutomirski: "Re: [patch 02/60] x86/unwinder/orc: Dont bail on stack overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]