Re: [RFC PATCH v2 0/4] arm64: Implement stack trace reliability checks
From: Madhavan T. Venkataraman
Date: Wed Apr 14 2021 - 06:24:34 EST
On 4/13/21 6:02 AM, Mark Brown wrote:
> On Mon, Apr 12, 2021 at 02:55:35PM -0500, Madhavan T. Venkataraman wrote:
>
>>
>> OK. Just so I am clear on the whole picture, let me state my understanding so far.
>> Correct me if I am wrong.
>
>> 1. We are hoping that we can convert a significant number of SYM_CODE functions to
>> SYM_FUNC functions by providing them with a proper FP prolog and epilog so that
>> we can get objtool coverage for them. These don't need any blacklisting.
>
> I wouldn't expect to be converting lots of SYM_CODE to SYM_FUNC. I'd
> expect the overwhelming majority of SYM_CODE to be SYM_CODE because it's
> required to be non standard due to some external interface - things like
> the exception vectors, ftrace, and stuff around suspend/hibernate. A
> quick grep seems to confirm this.
>
OK. Fair enough.
>> 3. We are going to assume that the reliable unwinder is only for livepatch purposes
>> and will only be invoked on a task that is not currently running. The task either
>
> The reliable unwinder can also be invoked on itself.
>
I have not called out the self-directed case because I am assuming that the reliable unwinder
is only used for livepatch. So, AFAICT, this is applicable to the task that performs the
livepatch operation itself. In this case, there should be no unreliable functions on the
self-directed stack trace (otherwise, livepatching would always fail).
>> 4. So, the only functions that will need blacklisting are the remaining SYM_CODE functions
>> that might give up the CPU voluntarily. At this point, I am not even sure how
>> many of these will exist. One hopes that all of these would have ended up as
>> SYM_FUNC functions in (1).
>
> There's stuff like ret_from_fork there.
>
OK. There would be a few functions that fit this category. I agree.
>> I suggest we do (3) first. Then, review the assembly functions to do (1). Then, review the
>> remaining ones to see which ones must be blacklisted, if any.
>
> I'm not clear what the concrete steps you're planning to do first are
> there - your 3 seems like a statement of assumptions. For flagging
> functions I do think it'd be safer to default to assuming that all
> SYM_CODE functions can't be unwound reliably rather than only explicitly
> listing ones that cause problems.
>
They are not assumptions. They are true statements. But I probably did not do a good
job of explaining. But Josh sent out a patch that updates the documentation that
explains what I said a lot better.
In any case, I have absolutely no problems in implementing your section idea. I will
make an attempt to do that in version 3 of my patch series.
Stay tuned.
And, thanks for all the input. It is very helpful.
Madhavan