Commit 3121bb17 authored May 29, 2024 by Chen Zhongjin

x86: profiling: Using generic unwinding in profile_pc

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9T4EM

--------------------------------

Syzbot has been reporting the problem of stack-out-of-bounds in
profile_pc for a long time:
https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3



profile_pc tries to get pc if current regs is inside lock function. For
!CONFIG_FRAME_POINTER it used a hack way to get the pc from stack, which
is not work with ORC. It makes profile_pc returns wrong result, and
frequently triggers KASAN.

This can be fixed by using the unwind_start, it will skip the first
regs frame and get the caller of lock function directly, or 0 if
unwind_get_return_address finds the unwinding failed. For all of FP, ORC
and guess unwinders it works.

Fixes: 0cb91a22 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels")
Reported-by:  <syzbot+84fe685c02cd112a2ac3@syzkaller.appspotmail.com>
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>

parent 43993247

arch/x86/kernel/time.c

+6 −14

Original line number	Diff line number	Diff line
		@@ -24,26 +24,18 @@
		#include <asm/timer.h>
		#include <asm/hpet.h>
		#include <asm/time.h>
		#include <asm/unwind.h>

		unsigned long profile_pc(struct pt_regs *regs)
		{
		unsigned long pc = instruction_pointer(regs);

		if (!user_mode(regs) && in_lock_functions(pc)) {
		#ifdef CONFIG_FRAME_POINTER
		return (unsigned long )(regs->bp + sizeof(long));
		#else
		unsigned long sp = (unsigned long )regs->sp;
		/*
		* Return address is either directly at stack pointer
		* or above a saved flags. Eflags has bits 22-31 zero,
		* kernel addresses don't.
		*/
		if (sp[0] >> 22)
		return sp[0];
		if (sp[1] >> 22)
		return sp[1];
		#endif
		struct unwind_state state;

		/* unwind_start will skip the first regs frame */
		unwind_start(&state, current, regs, NULL);
		pc = unwind_get_return_address(&state);
		}
		return pc;
		}