On Fri, Aug 28, 2020 at 01:11:15PM +0000, Eddy_Wu@xxxxxxxxxxxxxx wrote:
> > -----Original Message-----
> > From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> > Sent: Friday, August 28, 2020 12:13 AM
> > To: linux-kernel@xxxxxxxxxxxxxxx; mhiramat@xxxxxxxxxx
> > Cc: Eddy Wu (RD-TW) <Eddy_Wu@xxxxxxxxxxxxxx>; x86@xxxxxxxxxx; davem@xxxxxxxxxxxxx; rostedt@xxxxxxxxxxx;
> > naveen.n.rao@xxxxxxxxxxxxx; anil.s.keshavamurthy@xxxxxxxxx; linux-arch@xxxxxxxxxxxxxxx; cameron@xxxxxxxxxxxxxx;
> > oleg@xxxxxxxxxx; will@xxxxxxxxxx; paulmck@xxxxxxxxxx; peterz@xxxxxxxxxxxxx
> > Subject: [RFC][PATCH 3/7] kprobes: Remove kretprobe hash
> >
> > @@ -1935,71 +1932,45 @@ unsigned long __kretprobe_trampoline_han
> > unsigned long trampoline_address,
> > void *frame_pointer)
> > {
> > // ... removed
> > // NULL here
> > + first = node = current->kretprobe_instances.first;
> > + while (node) {
> > + ri = container_of(node, struct kretprobe_instance, llist);
> >
> > - orig_ret_address = (unsigned long)ri->ret_addr;
> > - if (skipped)
> > - pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
> > - ri->rp->kp.addr);
> > + BUG_ON(ri->fp != frame_pointer);
> >
> > - if (orig_ret_address != trampoline_address)
> > + orig_ret_address = (unsigned long)ri->ret_addr;
> > + if (orig_ret_address != trampoline_address) {
> > /*
> > * This is the real return address. Any other
> > * instances associated with this task are for
> > * other calls deeper on the call stack
> > */
> > break;
> > + }
> > +
> > + node = node->next;
> > }
> >
>
> Hi, I found a NULL pointer dereference here, where
> current->kretprobe_instances.first == NULL in these two scenarios:

Hurmph, that would mean hitting the trampoline and not having a
kretprobe_instance, weird. Let me try and reproduce.
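Review bot: The `while (node)` walk in this hunk has no path for the list being empty or for running off its end without finding `trampoline_address`; when `current->kretprobe_instances.first` is NULL the loop body never runs, so `ri` is never assigned and `orig_ret_address` is never set from `ri->ret_addr`, yet the old `if (orig_ret_address != trampoline_address)` exit check is removed by the same hunk, leaving whatever code follows the loop to act on an unset `ri` / `orig_ret_address`. Suggest a guard right after the loop, e.g. `if (WARN_ON_ONCE(!node)) return 0;` (or whatever the trampoline handler's sane bail-out value is), so an empty or exhausted instance list fails loudly instead of dereferencing NULL. On the same lines, `BUG_ON(ri->fp != frame_pointer);` replaces the old `pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ...)` path with a hard panic; if the mismatch is still a reachable condition (the warning it replaces suggests it was), consider `WARN_ON_ONCE` plus a bail-out rather than killing the kernel on a probe-order anomaly.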