Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX

From: Steven Rostedt
Date: Fri May 26 2017 - 09:37:25 EST

Next message: Bogdan Purcareata: "RE: [PATCH v3 2/2] dt-bindings: net: Add Cortina device tree bindings"
Previous message: Andrew Lunn: "Re: [PATCH v3 2/2] dt-bindings: net: Add Cortina device tree bindings"
In reply to: Masami Hiramatsu: "Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX"
Next in thread: Thomas Gleixner: "Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 25 May 2017 10:57:51 +0200 (CEST)
Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:

> ftrace use module_alloc() to allocate trampoline pages. The mapping of
> module_alloc() is RWX, which makes sense as the memory is written to right
> after allocation. But nothing makes these pages RO after writing to them.
>
> Add proper set_memory_rw/ro() calls to protect the trampolines after
> modification.
>
> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> ---

Unfortunately, this was triggered in my tests:

ftrace: allocating 54840 entries in 215 pages
Starting tracer 'function'
------------[ cut here ]------------
kernel BUG at /work/autotest/nobackup/linux-test.git/arch/x86/mm/pageattr.c:189!
invalid opcode: 0000 [#1] SMP
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 4.12.0-rc2-test+ #3
Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014
task: ffffffffb4222500 task.stack: ffffffffb4200000
RIP: 0010:change_page_attr_set_clr+0x269/0x302
RSP: 0000:ffffffffb4203c88 EFLAGS: 00010046
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 00000001b6000000
RDX: ffffffffb4203d40 RSI: 0000000000000000 RDI: ffffffffb4240d60
RBP: ffffffffb4203d18 R08: 00000001b6000000 R09: 0000000000000001
R10: ffffffffb4203aa8 R11: 0000000000000003 R12: ffffffffc029b000
R13: ffffffffb4203d40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9a639ea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9a636b384000 CR3: 00000001ea21d000 CR4: 00000000000406b0
Call Trace:
change_page_attr_clear+0x1f/0x21
set_memory_ro+0x1e/0x20
arch_ftrace_update_trampoline+0x207/0x21c
? ftrace_caller+0x64/0x64
? 0xffffffffc029b000
ftrace_startup+0xf4/0x198
register_ftrace_function+0x26/0x3c
function_trace_init+0x5e/0x73
tracer_init+0x1e/0x23
tracing_set_tracer+0x127/0x15a
register_tracer+0x19b/0x1bc
init_function_trace+0x90/0x92
early_trace_init+0x236/0x2b3
start_kernel+0x200/0x3f5
x86_64_start_reservations+0x29/0x2b
x86_64_start_kernel+0x17c/0x18f
secondary_startup_64+0x9f/0x9f
? secondary_startup_64+0x9f/0x9f
Code: 89 df e8 79 f4 ff ff 48 85 c0 74 12 f6 00 01 74 0d be 00 10 00 00 48 89 df e8 84 e8 ff ff 49 ff c4 eb a4 9c 58 0f ba e0 09 72 02 <0f> 0b 49 8d 84 24 ff 0f 00 00 48 25 00 f0 ff ff 49 39 c4 74 02
RIP: change_page_attr_set_clr+0x269/0x302 RSP: ffffffffb4203c88
---[ end trace 418d67f4f812a298 ]---
Kernel panic - not syncing: Attempted to kill the idle task!
---[ end Kernel panic - not syncing: Attempted to kill the idle task!

It appears that if you enable function tracing at boot up, calling
set_memory_ro() with interrupts disabled can cause this. As pageattr.c
at line 189 has:

BUG_ON(irqs_disabled());

in cpa_flush_range()

-- Steve

Next message: Bogdan Purcareata: "RE: [PATCH v3 2/2] dt-bindings: net: Add Cortina device tree bindings"
Previous message: Andrew Lunn: "Re: [PATCH v3 2/2] dt-bindings: net: Add Cortina device tree bindings"
In reply to: Masami Hiramatsu: "Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX"
Next in thread: Thomas Gleixner: "Re: [PATCH V2] x86/ftrace: Make sure that ftrace trampolines are not RWX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]