From 5f27639196c3240810fbf30d367da0063a6612ff Mon Sep 17 00:00:00 2001 From: Ding Hui Date: Thu, 1 Dec 2022 15:01:45 +0800 Subject: [PATCH] arm64: fix backtraces of KASAN kernel dumpfile truncated We met "bt" command on KASAN kernel vmcore display truncated backtraces like this: crash> bt PID: 4131 TASK: ffff8001521df000 CPU: 3 COMMAND: "bash" #0 [ffff2000224b0cb0] machine_kexec_prepare at ffff2000200bff4c After digging the root cause, it turns out that arm64_in_kdump_text() found wrong bt->bptr at "machine_kexec" branch. Disassemble machine_kexec() of KASAN vmlinux (gcc 7.3.0): crash> dis -x machine_kexec 0xffff2000200bff50 : stp x29, x30, [sp,#-208]! 0xffff2000200bff54 : mov x29, sp 0xffff2000200bff58 : stp x19, x20, [sp,#16] 0xffff2000200bff5c : str x24, [sp,#56] 0xffff2000200bff60 : str x26, [sp,#72] 0xffff2000200bff64 : mov x2, #0x8ab3 0xffff2000200bff68 : add x1, x29, #0x70 0xffff2000200bff6c : lsr x1, x1, #3 0xffff2000200bff70 : movk x2, #0x41b5, lsl #16 0xffff2000200bff74 : mov x19, #0x200000000000 0xffff2000200bff78 : adrp x3, 0xffff2000224b0000 0xffff2000200bff7c : movk x19, #0xdfff, lsl #48 0xffff2000200bff80 : add x3, x3, #0xcb0 0xffff2000200bff84 : add x4, x1, x19 0xffff2000200bff88 : stp x2, x3, [x29,#112] 0xffff2000200bff8c : adrp x2, 0xffff2000200bf000 0xffff2000200bff90 : add x2, x2, #0xf50 0xffff2000200bff94 : str x2, [x29,#128] 0xffff2000200bff98 : mov w2, #0xf1f1f1f1 0xffff2000200bff9c : str w2, [x1,x19] 0xffff2000200bffa0 : mov w2, #0xf200 0xffff2000200bffa4 : mov w1, #0xf3f3f3f3 0xffff2000200bffa8 : movk w2, #0xf2f2, lsl #16 0xffff2000200bffac : stp w2, w1, [x4,#4] We notice that: 1. machine_kexec() start address is 0xffff2000200bff50 2. the instruction at machine_kexec+0x44 stores the same value 0xffff2000200bff50 (comes from 0xffff2000200bf000 + 0xf50) into stack postion [x29,#128]. When arm64_in_kdump_text() searches for LR from stack, it met 0xffff2000200bff50 firstly, so got wrong bt->bptr. We know that the real LR is always greater than the start address of a function, so let's fix it by changing the search conditon to (*ptr > xxx_start) && (*ptr < xxx_end). Signed-off-by: Ding Hui --- arm64.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/arm64.c b/arm64.c index c3e26a37..7e8a7db1 100644 --- a/arm64.c +++ b/arm64.c @@ -3479,7 +3479,7 @@ arm64_in_kdump_text(struct bt_info *bt, struct arm64_stackframe *frame) ms = machdep->machspec; for (ptr = start - 8; ptr >= base; ptr--) { if (bt->flags & BT_OPT_BACK_TRACE) { - if ((*ptr >= ms->crash_kexec_start) && + if ((*ptr > ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end) && INSTACK(*(ptr - 1), bt)) { bt->bptr = ((ulong)(ptr - 1) - (ulong)base) @@ -3488,7 +3488,7 @@ arm64_in_kdump_text(struct bt_info *bt, struct arm64_stackframe *frame) fprintf(fp, "%lx: %lx (crash_kexec)\n", bt->bptr, *ptr); return TRUE; } - if ((*ptr >= ms->crash_save_cpu_start) && + if ((*ptr > ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end) && INSTACK(*(ptr - 1), bt)) { bt->bptr = ((ulong)(ptr - 1) - (ulong)base) @@ -3498,14 +3498,14 @@ arm64_in_kdump_text(struct bt_info *bt, struct arm64_stackframe *frame) return TRUE; } } else { - if ((*ptr >= ms->machine_kexec_start) && (*ptr < ms->machine_kexec_end)) { + if ((*ptr > ms->machine_kexec_start) && (*ptr < ms->machine_kexec_end)) { bt->bptr = ((ulong)ptr - (ulong)base) + task_to_stackbase(bt->tc->task); if (CRASHDEBUG(1)) fprintf(fp, "%lx: %lx (machine_kexec)\n", bt->bptr, *ptr); return TRUE; } - if ((*ptr >= ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end)) { + if ((*ptr > ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end)) { /* * Stash the first crash_kexec frame in case the machine_kexec * frame is not found. @@ -3519,7 +3519,7 @@ arm64_in_kdump_text(struct bt_info *bt, struct arm64_stackframe *frame) } continue; } - if ((*ptr >= ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end)) { + if ((*ptr > ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end)) { bt->bptr = ((ulong)ptr - (ulong)base) + task_to_stackbase(bt->tc->task); if (CRASHDEBUG(1)) @@ -3566,7 +3566,7 @@ arm64_in_kdump_text_on_irq_stack(struct bt_info *bt) for (ptr = start - 8; ptr >= base; ptr--) { if (bt->flags & BT_OPT_BACK_TRACE) { - if ((*ptr >= ms->crash_kexec_start) && + if ((*ptr > ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end) && INSTACK(*(ptr - 1), bt)) { bt->bptr = ((ulong)(ptr - 1) - (ulong)base) + stackbase; @@ -3576,7 +3576,7 @@ arm64_in_kdump_text_on_irq_stack(struct bt_info *bt) FREEBUF(stackbuf); return TRUE; } - if ((*ptr >= ms->crash_save_cpu_start) && + if ((*ptr > ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end) && INSTACK(*(ptr - 1), bt)) { bt->bptr = ((ulong)(ptr - 1) - (ulong)base) + stackbase; @@ -3587,7 +3587,7 @@ arm64_in_kdump_text_on_irq_stack(struct bt_info *bt) return TRUE; } } else { - if ((*ptr >= ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end)) { + if ((*ptr > ms->crash_kexec_start) && (*ptr < ms->crash_kexec_end)) { bt->bptr = ((ulong)ptr - (ulong)base) + stackbase; if (CRASHDEBUG(1)) fprintf(fp, "%lx: %lx (crash_kexec on IRQ stack)\n", @@ -3595,7 +3595,7 @@ arm64_in_kdump_text_on_irq_stack(struct bt_info *bt) FREEBUF(stackbuf); return TRUE; } - if ((*ptr >= ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end)) { + if ((*ptr > ms->crash_save_cpu_start) && (*ptr < ms->crash_save_cpu_end)) { bt->bptr = ((ulong)ptr - (ulong)base) + stackbase; if (CRASHDEBUG(1)) fprintf(fp, "%lx: %lx (crash_save_cpu on IRQ stack)\n",