public inbox for systemtap@sourceware.org
* [Bug runtime/24408] New: using @kregister(0) in kernel tracepoint probe handler will cause a kernel crash on linux 5.x.x kernel
@ 2019-04-01 14:48 wcohen at redhat dot com
  2019-04-01 18:06 ` [Bug runtime/24408] " fche at redhat dot com
  0 siblings, 1 reply; 2+ messages in thread
From: wcohen at redhat dot com @ 2019-04-01 14:48 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=24408

            Bug ID: 24408
           Summary: using @kregister(0) in kernel tracepoint probe handler
                    will cause a kernel crash on linux 5.x.x kernel
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
          Assignee: systemtap at sourceware dot org
          Reporter: wcohen at redhat dot com
  Target Milestone: ---

Initially, noticed this problem because the systemtap.base/at_register.exp test
on arm64 ended up using the fallback tracepoint for syscall.getpid probe.  Have
a simple reproducer that also triggers the problem on x86_64.  Below is example
running on arm64:

sudo ../install/bin/stap -kvge 'probe kernel.trace("sys_enter") {
printf("%x\n", @kregister(0));exit() }'
sudo: unable to resolve host rock960
Pass 1: parsed user script and 458 library scripts using
90148virt/86512res/4304shr/82676data kb, in 1350usr/90sys/1439real ms.
Pass 2: analyzed script: 1 probe, 1 function, 0 embeds, 0 globals using
95320virt/92800res/5184shr/87848data kb, in 670usr/1490sys/2167real ms.
Pass 3: translated to C into "/tmp/stapdBUjrk/stap_9242_src.c" using
95320virt/92800res/5184shr/87848data kb, in 0usr/0sys/45real ms.
Pass 4: compiled C into "stap_9242.ko" in 49560usr/6750sys/55703real ms.
Pass 5: starting run.
[ 3668.640620] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[ 3668.641393] Mem abort info:
[ 3668.641640]   ESR = 0x96000006
[ 3668.641911]   Exception class = DABT (current EL), IL = 32 bits
[ 3668.642428]   SET = 0, FnV = 0
[ 3668.642698]   EA = 0, S1PTW = 0
[ 3668.642975] Data abort info:
[ 3668.643230]   ISV = 0, ISS = 0x00000006
[ 3668.643616]   CM = 0, WnR = 0
[ 3668.643708] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[ 3668.643806] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[ 3668.643809] Mem abort info:
[ 3668.643811]   ESR = 0x96000006
[ 3668.643813]   Exception class = DABT (current EL), IL = 32 bits
[ 3668.643815]   SET = 0, FnV = 0
[ 3668.643817]   EA = 0, S1PTW = 0
[ 3668.643818] Data abort info:
[ 3668.643820]   ISV = 0, ISS = 0x00000006
[ 3668.643822]   CM = 0, WnR = 0
[ 3668.643826] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000cf199ef5
[ 3668.643829] [0000000000000000] pgd=00000000ededd003, pud=00000000e9e69003,
pmd=0000000000000000
[ 3668.643838] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 3668.643842] Modules linked in: stap_9869(O) cpufreq_userspace rockchipdrm
phy_rockchip_pcie analogix_dp dw_mipi_dsi pcie_rockchip_host
[ 3668.643859] CPU: 2 PID: 4204 Comm: in:imklog Tainted: G           O     
5.1.0-rc2-00247-g9936328 #28
[ 3668.643862] Hardware name: 96boards Rock960 (DT)
[ 3668.643866] pstate: 20000005 (nzCv daif -PAN -UAO)
[ 3668.643881] pc : probe_6177+0x50/0x1e8 [stap_9869]
[ 3668.643886] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000001e64e07f
[ 3668.643893] lr : enter_real_tracepoint_probe_0+0x160/0x2d8 [stap_9869]
[ 3668.643895] sp : ffff000012f1bd80
[ 3668.643897] x29: ffff000012f1bd80 x28: ffff8000ebd98000 
[ 3668.643902] x27: 0000000000000000 x26: 0000000000000000 
[ 3668.643906] x25: 0000000056000000 x24: 0000000000000015 
[ 3668.643910] x23: ffff000011f5f000 x22: ffff00000950d000 
[ 3668.643914] x21: ffff00000950d3c0 x20: ffff0000122d3000 
[ 3668.643919] x19: ffff000011f37000 x18: 0000000000000000 
[ 3668.643923] x17: 0000000000000001 x16: 0000000000000000 
[ 3668.643927] x15: 0000000000000000 x14: 0000000000000000 
[ 3668.643930] x13: 0000000000000000 x12: 0000000000000000 
[ 3668.643934] x11: 0000000000000000 x10: 0000000000000000 
[ 3668.643938] x9 : 0000000000000000 x8 : 0000000000000000 
[ 3668.643942] x7 : 0000000000000000 x6 : 00000000ffffffff 
[ 3668.643946] x5 : ffff000009508968 x4 : 0000000000000000 
[ 3668.643949] x3 : 00000000ffffffff x2 : 00000000ffffffff 
[ 3668.643953] x1 : 0000000000000010 x0 : 0000000000000000 
[ 3668.643958] Process in:imklog (pid: 4204, stack limit = 0x00000000f23c36a6)
[ 3668.643961] Call trace:
[ 3668.643969]  probe_6177+0x50/0x1e8 [stap_9869]
[ 3668.643976]  enter_real_tracepoint_probe_0+0x160/0x2d8 [stap_9869]
[ 3668.643984]  enter_tracepoint_probe_0+0x14/0x20 [stap_9869]
[ 3668.643994]  syscall_trace_enter+0x150/0x1c8
[ 3668.644001]  el0_svc_common+0x108/0x128
[ 3668.644005]  el0_svc_handler+0x38/0x78
[ 3668.644010]  el0_svc+0x8/0xc
[ 3668.644016] Code: 52800201 f0045173 f00452b7 b0000036 (f9400005) 
[ 3668.644021] ---[ end trace 03548ac161d4d8f3 ]---

-- 
You are receiving this mail because:
You are the assignee for the bug.


* [Bug runtime/24408] using @kregister(0) in kernel tracepoint probe handler will cause a kernel crash on linux 5.x.x kernel
  2019-04-01 14:48 [Bug runtime/24408] New: using @kregister(0) in kernel tracepoint probe handler will cause a kernel crash on linux 5.x.x kernel wcohen at redhat dot com
@ 2019-04-01 18:06 ` fche at redhat dot com
  0 siblings, 0 replies; 2+ messages in thread
From: fche at redhat dot com @ 2019-04-01 18:06 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=24408

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fche at redhat dot com
           Assignee|systemtap at sourceware dot org    |fche at redhat dot com

--- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> ---
Reproduced.  Nasty bug.  We can probably avoid construing this as a bad
security bug because @kregister() may only be mentioned in guru-mode scripts.

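Added example, not code from systemtap's runtime or translator: a userspace model, in C, of the hazard this report describes, with the crashing shape beside a guarded accessor. It rests on one assumption inferred from the oops above (fault address 0, x0 == 0, and the marked instruction f9400005 decoding to `ldr x5, [x0]`): a kernel.trace() handler runs with no saved register frame, so the context's register pointer is NULL and an unguarded @kregister() read dereferences it. Every name below (`probe_context`, `kregister_checked`, the entry functions) is a hypothetical stand-in, not a real runtime identifier. Note the reproducer needs -g; as the comment says, @kregister() is guru-mode only.

```c
/*
 * Added example, not code from systemtap's runtime or translator.  A
 * userspace model of the hazard in bug 24408.  Assumption (inferred from
 * the oops: fault address 0, x0 == 0, and the faulting "ldr x5, [x0]" at
 * the marked f9400005): a kernel.trace() handler runs with no saved
 * register frame, so the context's register pointer is NULL and an
 * unguarded @kregister() read dereferences it.  All names below are
 * hypothetical stand-ins, not the real runtime's identifiers.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NREGS 31                 /* arm64 general registers x0..x30 */

struct fake_pt_regs { uint64_t regs[NREGS]; };

/* Minimal per-probe context: a register frame, or NULL when none exists. */
struct probe_context {
    struct fake_pt_regs *kregs;
    int last_error;              /* 0, or -errno recorded by the accessor */
};

/* The crashing shape: reads through kregs without checking it. */
static uint64_t kregister_unguarded(const struct probe_context *c, unsigned n)
{
    return c->kregs->regs[n];    /* NULL dereference when kregs == NULL */
}

/* Hardened accessor: refuse when there is no frame or the index is out of
 * range, record why in last_error, and leave *out untouched. */
static int kregister_checked(struct probe_context *c, unsigned n, uint64_t *out)
{
    if (c->kregs == NULL) { c->last_error = -EFAULT; return -1; }
    if (n >= NREGS)       { c->last_error = -EINVAL; return -1; }
    *out = c->kregs->regs[n];
    c->last_error = 0;
    return 0;
}

/* Handler body shared by both entry paths, standing in for the script's
 * printf("%x\n", @kregister(0)): fetches x0 instead of printing it. */
static int probe_body(struct probe_context *c, uint64_t *out)
{
    return kregister_checked(c, 0, out);
}

/* Entry path with a saved frame (a kprobe-style probe). */
static int enter_kprobe_probe(struct fake_pt_regs *regs, uint64_t *out, int *err)
{
    struct probe_context c = { .kregs = regs, .last_error = 0 };
    int rc = probe_body(&c, out);
    *err = c.last_error;
    return rc;
}

/* Entry path without a frame (a tracepoint probe, per the assumption above). */
static int enter_tracepoint_probe(uint64_t *out, int *err)
{
    struct probe_context c = { .kregs = NULL, .last_error = 0 };
    int rc = probe_body(&c, out);
    *err = c.last_error;
    return rc;
}

/* Checks callable without a kernel. */
static int tracepoint_read_refused(void)
{
    uint64_t v = 0xdeadbeef;     /* sentinel: must survive a refused read */
    int err = 0;
    int rc = enter_tracepoint_probe(&v, &err);
    return rc == -1 && err == -EFAULT && v == 0xdeadbeef;
}

static uint64_t kprobe_read_x0(uint64_t x0)
{
    struct fake_pt_regs r = { { 0 } };
    uint64_t v = 0;
    int err = 0;
    r.regs[0] = x0;
    if (enter_kprobe_probe(&r, &v, &err) != 0 || err != 0)
        return UINT64_MAX;
    return v;
}

static int bad_index_refused(void)
{
    struct fake_pt_regs r = { { 0 } };
    struct probe_context c = { .kregs = &r, .last_error = 0 };
    uint64_t v = 7;
    return kregister_checked(&c, NREGS, &v) == -1 &&
           c.last_error == -EINVAL && v == 7;
}

int main(void)
{
    struct fake_pt_regs r = { { 0 } };
    struct probe_context c = { .kregs = &r, .last_error = 0 };
    r.regs[0] = 0x1234;
    /* The unguarded read is only safe when a frame is present. */
    printf("unguarded x0 with frame: %#llx\n",
           (unsigned long long)kregister_unguarded(&c, 0));
    printf("tracepoint read refused: %d\n", tracepoint_read_refused());
    printf("bad index refused:       %d\n", bad_index_refused());
    return 0;
}
```

The point of the split into `enter_kprobe_probe` and `enter_tracepoint_probe` is that the same handler body is reached from both paths, as the oops call trace shows for the real module (enter_tracepoint_probe_0 into probe_6177); the guard therefore belongs in the register accessor, not in the probe entry code, so that every script-level @kregister() use is covered regardless of which probe type invoked it.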
