Message ID | 20211104170433.2206-3-beaub@linux.microsoft.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | user_events: Enable user processes to create and write to trace events | expand |
Hi Beau, Thank you for the patch! Yet something to improve: [auto build test ERROR on rostedt-trace/for-next] [also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 base: https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next config: powerpc-allmodconfig (attached as .config) compiler: powerpc-linux-gcc (GCC) 11.2.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a # save the attached .config to linux build tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): kernel/trace/trace_events_user.c: In function 'user_event_parse': >> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add' 665 | dyn_event_add(&user->devent); | ^~~~~~~~~~~~~ In file included from kernel/trace/trace_events_user.c:23: kernel/trace/trace_dynevent.h:79:19: note: declared here 79 | static inline int dyn_event_add(struct dyn_event *ev, | ^~~~~~~~~~~~~ vim +/dyn_event_add +665 kernel/trace/trace_events_user.c 596 597 /* 598 * Parses the event name, arguments and flags then registers if successful. 599 */ 600 static int user_event_parse(char *name, char *args, char *flags, 601 struct user_event **newuser) 602 { 603 int ret; 604 int index; 605 u32 key; 606 struct user_event *user = find_user_event(name, &key); 607 608 if (user) { 609 *newuser = user; 610 ret = 0; 611 goto put_name; 612 } 613 614 index = find_first_zero_bit(page_bitmap, MAX_EVENTS); 615 616 if (index == MAX_EVENTS) { 617 ret = -EMFILE; 618 goto put_name; 619 } 620 621 user = kzalloc(sizeof(*user), GFP_KERNEL); 622 623 if (!user) { 624 ret = -ENOMEM; 625 goto put_name; 626 } 627 628 INIT_LIST_HEAD(&user->class.fields); 629 INIT_LIST_HEAD(&user->fields); 630 631 user->tracepoint.name = name; 632 633 user_event_parse_flags(user, flags); 634 635 ret = user_event_parse_fields(user, args); 636 637 if (ret) 638 goto put_user; 639 640 /* Minimal print format */ 641 user->call.print_fmt = "\"\""; 642 643 user->call.data = user; 644 user->call.class = &user->class; 645 user->call.name = name; 646 user->call.flags = TRACE_EVENT_FL_TRACEPOINT; 647 user->call.tp = &user->tracepoint; 648 user->call.event.funcs = &user_event_funcs; 649 650 user->class.system = USER_EVENTS_SYSTEM; 651 user->class.fields_array = user_event_fields_array; 652 user->class.get_fields = user_event_get_fields; 653 user->class.reg = user_event_reg; 654 user->class.probe = user_event_ftrace; 655 656 mutex_lock(&event_mutex); 657 ret = user_event_trace_register(user); 658 mutex_unlock(&event_mutex); 659 660 if (ret) 661 goto put_user; 662 663 user->index = index; 664 dyn_event_init(&user->devent, &user_event_dops); > 665 dyn_event_add(&user->devent); 666 set_bit(user->index, page_bitmap); 667 hash_add(register_table, &user->node, key); 668 669 *newuser = user; 670 return 0; 671 put_user: 672 user_event_destroy_fields(user); 673 kfree(user); 674 put_name: 675 kfree(name); 676 return ret; 677 } 678 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi Beau, At first, thanks for breaking down your patch into this series! Now I found that a suspicious security design issue in this patch. On Thu, 4 Nov 2021 10:04:25 -0700 Beau Belgrave <beaub@linux.microsoft.com> wrote: > + > +static enum print_line_t user_event_print_trace(struct trace_iterator *iter, > + int flags, > + struct trace_event *event) > +{ > + /* Unsafe to try to decode user provided print_fmt, use hex */ > + trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16, > + 1, iter->ent, iter->ent_size, true); You said this is "Unsafe to try to decode user provided" here, because this doesn't check the event data sanity, especially non-fixed size data. However, it is not enough that you don't decode it here. Because synthetic events (histograms) and event filters need to decode this recorded data entry using the event format information. This means this can cause a buffer overrun issue on the ring buffer, because __data_loc (and __rel_loc too) can be compromised by the user. If you want to just trace the user events with digit parameters, there is a way to close this issue - support only the fixed size types (IOW, drop __data_loc/rel_loc support) and always checks the 'length' of the written data size. This ensures that those filters/synthetic events can access those parameters as 'values'. Maybe eprobes still has to reject the user events but the other parts will work well. If you want to log some "string", it is hard. Maybe it needs a special check when writing the event (address, length, and null termination.), but it will increase the recording overhead. Thank you,
On Thu, 4 Nov 2021 10:04:25 -0700 Beau Belgrave <beaub@linux.microsoft.com> wrote: > index 000000000000..a68017ad7fdd > --- /dev/null > +++ b/kernel/trace/trace_events_user.c > @@ -0,0 +1,1140 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/* > + * Copyright (c) 2021, Microsoft Corporation. > + * > + * Authors: > + * Beau Belgrave <beaub@linux.microsoft.com> > + */ > + > +#include <linux/bitmap.h> > +#include <linux/cdev.h> > +#include <linux/hashtable.h> > +#include <linux/list.h> > +#include <linux/io.h> > +#include <linux/uio.h> > +#include <linux/ioctl.h> > +#include <linux/jhash.h> > +#include <linux/trace_events.h> > +#include <linux/tracefs.h> > +#include <linux/types.h> > +#include <linux/uaccess.h> > +#include <uapi/linux/user_events.h> > +#include "trace.h" > +#include "trace_dynevent.h" > + > +#define USER_EVENTS_PREFIX_LEN (sizeof(USER_EVENTS_PREFIX)-1) > + > +#define FIELD_DEPTH_TYPE 0 > +#define FIELD_DEPTH_NAME 1 > +#define FIELD_DEPTH_SIZE 2 > + > +/* > + * Limits how many trace_event calls user processes can create: > + * Must be multiple of PAGE_SIZE. > + */ > +#define MAX_PAGES 1 > +#define MAX_EVENTS (MAX_PAGES * PAGE_SIZE) > + > +/* Limit how long of an event name plus args within the subsystem. */ > +#define MAX_EVENT_DESC 512 > +#define EVENT_NAME(user_event) ((user_event)->tracepoint.name) > + > +static char *register_page_data; > + > +static DEFINE_MUTEX(reg_mutex); > +static DEFINE_HASHTABLE(register_table, 4); > +static DECLARE_BITMAP(page_bitmap, MAX_EVENTS); > + > +struct user_event { > + struct tracepoint tracepoint; > + struct trace_event_call call; > + struct trace_event_class class; > + struct dyn_event devent; > + struct hlist_node node; > + struct list_head fields; > + atomic_t refcnt; > + int index; > + int flags; > +}; > + > +struct user_event_refs { > + struct rcu_head rcu; > + int count; > + struct user_event *events[]; > +}; > + > +typedef void (*user_event_func_t) (struct user_event *user, > + void *data, u32 datalen, > + void *tpdata); > + > +static int user_event_parse(char *name, char *args, char *flags, > + struct user_event **newuser); > + > +static u32 user_event_key(char *name) > +{ > + return jhash(name, strlen(name), 0); > +} > + > +static struct list_head *user_event_get_fields(struct trace_event_call *call) > +{ > + struct user_event *user = (struct user_event *)call->data; > + > + return &user->fields; > +} > + > +/* > + * Parses a register command for user_events > + * Format: event_name[:FLAG1[,FLAG2...]] [field1[;field2...]] > + * > + * Example event named test with a 20 char msg field with a unsigned int after: > + * test char[20] msg;unsigned int id > + * > + * NOTE: Offsets are from the user data perspective, they are not from the > + * trace_entry/buffer perspective. We automatically add the common properties > + * sizes to the offset for the user. > + */ > +static int user_event_parse_cmd(char *raw_command, struct user_event **newuser) > +{ > + char *name = raw_command; > + char *args = strpbrk(name, " "); > + char *flags; > + > + if (args) > + *args++ = 0; > + > + flags = strpbrk(name, ":"); > + > + if (flags) > + *flags++ = 0; > + > + return user_event_parse(name, args, flags, newuser); > +} > + > +static int user_field_array_size(const char *type) > +{ > + const char *start = strchr(type, '['); > + int size = 0; > + > + if (start == NULL) > + return -EINVAL; > + > + start++; > + > + while (*start >= '0' && *start <= '9') The kernel has include/linux/ctype.h while (isdigit(*start)) > + size = (size * 10) + (*start++ - '0'); So you only allow decimal digits? No hex? Also, is there anything to check if the size overflows? I'm assuming that other patches will add checking if the size is greater than some amount? > + > + if (*start != ']') > + return -EINVAL; > + > + return size; > +} > + > +static int user_field_size(const char *type) > +{ > + /* long is not allowed from a user, since it's ambigious in size */ > + if (strcmp(type, "s64") == 0) > + return sizeof(s64); > + if (strcmp(type, "u64") == 0) > + return sizeof(u64); > + if (strcmp(type, "s32") == 0) > + return sizeof(s32); > + if (strcmp(type, "u32") == 0) > + return sizeof(u32); > + if (strcmp(type, "int") == 0) > + return sizeof(int); > + if (strcmp(type, "unsigned int") == 0) > + return sizeof(unsigned int); > + if (strcmp(type, "s16") == 0) > + return sizeof(s16); > + if (strcmp(type, "u16") == 0) > + return sizeof(u16); > + if (strcmp(type, "short") == 0) > + return sizeof(short); > + if (strcmp(type, "unsigned short") == 0) > + return sizeof(unsigned short); > + if (strcmp(type, "s8") == 0) > + return sizeof(s8); > + if (strcmp(type, "u8") == 0) > + return sizeof(u8); > + if (strcmp(type, "char") == 0) > + return sizeof(char); > + if (strcmp(type, "unsigned char") == 0) > + return sizeof(unsigned char); > + if (strstr(type, "char[") == type) > + return user_field_array_size(type); > + if (strstr(type, "unsigned char[") == type) > + return user_field_array_size(type); > + if (strstr(type, "__data_loc ") == type) > + return sizeof(u32); > + if (strstr(type, "__rel_loc ") == type) > + return sizeof(u32); > + > + /* Uknown basic type, error */ > + return -EINVAL; > +} > + > +static void user_event_destroy_fields(struct user_event *user) > +{ > + struct ftrace_event_field *field, *next; > + struct list_head *head = &user->fields; > + > + list_for_each_entry_safe(field, next, head, link) { > + list_del(&field->link); > + kfree(field); > + } > +} > + > +static int user_event_add_field(struct user_event *user, const char *type, > + const char *name, int offset, int size, > + int is_signed, int filter_type) > +{ > + struct ftrace_event_field *field; > + > + field = kmalloc(sizeof(*field), GFP_KERNEL); > + > + if (!field) > + return -ENOMEM; > + > + field->type = type; > + field->name = name; > + field->offset = offset; > + field->size = size; > + field->is_signed = is_signed; > + field->filter_type = filter_type; > + > + list_add(&field->link, &user->fields); > + > + return 0; > +} > + > +/* > + * Parses the values of a field within the description > + * Format: type name [size] > + */ > +static int user_event_parse_field(char *field, struct user_event *user, > + u32 *offset) > +{ > + char *part, *type, *name; > + u32 depth = 0, saved_offset = *offset; > + int size = -EINVAL; > + bool is_struct = false; > + > + field = skip_spaces(field); > + > + if (*field == 0) > + return 0; > + > + /* Handle types that have a space within */ > + if (strstr(field, "unsigned ") == field) { These should use str_has_prefix(field, "unsigned ") etc. It also returns the length of the prefix so you don't need to add sizeof() of the string you checked for. > + type = field; > + field = strpbrk(field + sizeof("unsigned"), " "); > + goto skip_next; > + } else if (strstr(field, "struct ") == field) { > + type = field; > + field = strpbrk(field + sizeof("struct"), " "); > + is_struct = true; > + goto skip_next; > + } else if (strstr(field, "__data_loc unsigned ") == field) { > + type = field; > + field = strpbrk(field + sizeof("__data_loc unsigned"), " "); > + goto skip_next; > + } else if (strstr(field, "__data_loc ") == field) { > + type = field; > + field = strpbrk(field + sizeof("__data_loc"), " "); > + goto skip_next; > + } else if (strstr(field, "__rel_loc unsigned ") == field) { > + type = field; > + field = strpbrk(field + sizeof("__rel_loc unsigned"), " "); > + goto skip_next; > + } else if (strstr(field, "__rel_loc ") == field) { > + type = field; > + field = strpbrk(field + sizeof("__rel_loc"), " "); > + goto skip_next; > + } > + goto parse; > +skip_next: > + if (field == NULL) > + return -EINVAL; > + > + *field++ = 0; > + depth++; > +parse: > + while ((part = strsep(&field, " ")) != NULL) { > + switch (depth++) { > + case FIELD_DEPTH_TYPE: > + type = part; > + break; > + case FIELD_DEPTH_NAME: > + name = part; > + break; > + case FIELD_DEPTH_SIZE: > + if (!is_struct) > + return -EINVAL; > + > + if (kstrtou32(part, 10, &size)) > + return -EINVAL; > + break; > + default: > + return -EINVAL; > + } > + } > + > + if (depth < FIELD_DEPTH_SIZE) > + return -EINVAL; > + > + if (depth == FIELD_DEPTH_SIZE) > + size = user_field_size(type); > + > + if (size == 0) > + return -EINVAL; > + > + if (size < 0) > + return size; > + > + *offset = saved_offset + size; > + > + return user_event_add_field(user, type, name, saved_offset, size, > + type[0] != 'u', FILTER_OTHER); > +} > + > +static void user_event_parse_flags(struct user_event *user, char *flags) > +{ > + char *flag; > + > + if (flags == NULL) > + return; > + > + while ((flag = strsep(&flags, ",")) != NULL) { > + if (strcmp(flag, "BPF_ITER") == 0) > + user->flags |= FLAG_BPF_ITER; > + } > +} > + > +static int user_event_parse_fields(struct user_event *user, char *args) > +{ > + char *field; > + u32 offset = sizeof(struct trace_entry); > + int ret = -EINVAL; > + > + if (args == NULL) > + return 0; > + > + while ((field = strsep(&args, ";")) != NULL) { > + ret = user_event_parse_field(field, user, &offset); > + > + if (ret) > + break; > + } > + > + return ret; > +} > + > +static struct trace_event_fields user_event_fields_array[] = { > + {} > +}; Isn't the above just a fancy way of writing: static struct trace_event_fields user_event_fields_array[1]; ? > + > +static enum print_line_t user_event_print_trace(struct trace_iterator *iter, > + int flags, > + struct trace_event *event) > +{ > + /* Unsafe to try to decode user provided print_fmt, use hex */ > + trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16, > + 1, iter->ent, iter->ent_size, true); Hmm, I need to look at this when I have time to apply the patches. (On weekends, I only look at the patches) I'm adding this to remind me to relook at this. ;-) > + > + return trace_handle_return(&iter->seq); > +} > + > +static struct trace_event_functions user_event_funcs = { > + .trace = user_event_print_trace, > +}; > + > +static int destroy_user_event(struct user_event *user) > +{ > + int ret = 0; > + > + /* Must destroy fields before call removal */ > + user_event_destroy_fields(user); > + > + ret = trace_remove_event_call(&user->call); > + > + if (ret) > + return ret; > + > + dyn_event_remove(&user->devent); > + > + register_page_data[user->index] = 0; > + clear_bit(user->index, page_bitmap); > + hash_del(&user->node); > + > + kfree(EVENT_NAME(user)); > + kfree(user); > + > + return ret; > +} > + > +static struct user_event *find_user_event(char *name, u32 *outkey) > +{ > + struct user_event *user; > + u32 key = user_event_key(name); > + > + *outkey = key; > + > + hash_for_each_possible(register_table, user, node, key) > + if (!strcmp(EVENT_NAME(user), name)) > + return user; > + > + return NULL; > +} > + > +/* > + * Writes the user supplied payload out to a trace file. > + */ > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen, > + void *tpdata) > +{ > + struct trace_event_file *file; > + struct trace_entry *entry; > + struct trace_event_buffer event_buffer; > + > + file = (struct trace_event_file *)tpdata; > + > + if (!file || > + !(file->flags & EVENT_FILE_FL_ENABLED) || > + trace_trigger_soft_disabled(file)) > + return; > + > + entry = trace_event_buffer_reserve(&event_buffer, file, > + sizeof(*entry) + datalen); > + > + if (unlikely(!entry)) > + return; > + Might want to add a comment here that the trace_event_buffer_reserve() will fill in the struct trace_entry, which explains the "entry+1" below. I also need to add comments to trace_event_buffer_reserve() that it does so :-p > + memcpy(entry + 1, data, datalen); > + > + trace_event_buffer_commit(&event_buffer); > +} > + > +/* > + * Update the register page that is shared between user processes. > + */ > +static void update_reg_page_for(struct user_event *user) > +{ > + struct tracepoint *tp = &user->tracepoint; > + char status = 0; > + > + if (atomic_read(&tp->key.enabled) > 0) { > + struct tracepoint_func *probe_func_ptr; > + user_event_func_t probe_func; > + > + rcu_read_lock_sched(); > + > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > + > + if (probe_func_ptr) { > + do { > + probe_func = probe_func_ptr->func; > + > + if (probe_func == user_event_ftrace) > + status |= EVENT_STATUS_FTRACE; > + else > + status |= EVENT_STATUS_OTHER; > + } while ((++probe_func_ptr)->func); > + } > + > + rcu_read_unlock_sched(); > + } > + > + register_page_data[user->index] = status; Should there be some kind of memory barriers here? That is, isn't this the page that user space sees? The user space code should probably have some kind of read memory barrier as well. > +} > + > +/* > + * Register callback for our events from tracing sub-systems. > + */ > +static int user_event_reg(struct trace_event_call *call, > + enum trace_reg type, > + void *data) > +{ > + struct user_event *user = (struct user_event *)call->data; > + int ret = 0; > + > + if (!user) > + return -ENOENT; > + > + switch (type) { > + case TRACE_REG_REGISTER: > + ret = tracepoint_probe_register(call->tp, > + call->class->probe, > + data); > + if (!ret) > + goto inc; > + break; > + > + case TRACE_REG_UNREGISTER: > + tracepoint_probe_unregister(call->tp, > + call->class->probe, > + data); > + goto dec; > + > +#ifdef CONFIG_PERF_EVENTS > + case TRACE_REG_PERF_REGISTER: > + case TRACE_REG_PERF_UNREGISTER: > + case TRACE_REG_PERF_OPEN: > + case TRACE_REG_PERF_CLOSE: > + case TRACE_REG_PERF_ADD: > + case TRACE_REG_PERF_DEL: > + break; > +#endif > + } > + > + return ret; > +inc: > + atomic_inc(&user->refcnt); > + update_reg_page_for(user); > + return 0; > +dec: > + update_reg_page_for(user); > + atomic_dec(&user->refcnt); > + return 0; > +} > + > +static int user_event_create(const char *raw_command) > +{ > + struct user_event *user; > + char *name; > + int ret; > + > + if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command) > + return -ECANCELED; > + > + raw_command += USER_EVENTS_PREFIX_LEN; > + raw_command = skip_spaces(raw_command); > + > + name = kstrdup(raw_command, GFP_KERNEL); name is allocated here, it really needs to be freed in this function as well. I see that user_event_parse() will free it, but that is extremely error prone to have a dependency like that. If name needs to be saved by user_event_parse_cmd() then that should be shown in the return value of that function. And if it fails the freeing of name should be in this function. Also, if it is saved, then there should be a comment in this function stating that. > + > + if (!name) > + return -ENOMEM; > + > + mutex_lock(®_mutex); > + ret = user_event_parse_cmd(name, &user); > + mutex_unlock(®_mutex); > + > + return ret; > +} > + > +static int user_event_show(struct seq_file *m, struct dyn_event *ev) > +{ > + struct user_event *user = container_of(ev, struct user_event, devent); > + struct ftrace_event_field *field, *next; > + struct list_head *head; > + int depth = 0; > + > + seq_printf(m, "%s%s", USER_EVENTS_PREFIX, EVENT_NAME(user)); > + > + head = trace_get_fields(&user->call); > + > + list_for_each_entry_safe_reverse(field, next, head, link) { > + if (depth == 0) > + seq_puts(m, " "); > + else > + seq_puts(m, "; "); > + seq_printf(m, "%s %s", field->type, field->name); > + depth++; > + } > + > + seq_puts(m, "\n"); > + > + return 0; > +} > + > +static bool user_event_is_busy(struct dyn_event *ev) > +{ > + struct user_event *user = container_of(ev, struct user_event, devent); > + > + return atomic_read(&user->refcnt) != 0; > +} > + > +static int user_event_free(struct dyn_event *ev) > +{ > + struct user_event *user = container_of(ev, struct user_event, devent); > + Shouldn't this check if the event is busy first? > + return destroy_user_event(user); > +} > + > +static bool user_event_match(const char *system, const char *event, > + int argc, const char **argv, struct dyn_event *ev) > +{ > + struct user_event *user = container_of(ev, struct user_event, devent); > + > + return strcmp(EVENT_NAME(user), event) == 0 && > + (!system || strcmp(system, USER_EVENTS_SYSTEM) == 0); > +} > + > +static struct dyn_event_operations user_event_dops = { > + .create = user_event_create, > + .show = user_event_show, > + .is_busy = user_event_is_busy, > + .free = user_event_free, > + .match = user_event_match, > +}; > + > +static int user_event_trace_register(struct user_event *user) > +{ > + int ret; > + > + ret = register_trace_event(&user->call.event); > + > + if (!ret) > + return -ENODEV; > + > + ret = trace_add_event_call(&user->call); > + > + if (ret) > + unregister_trace_event(&user->call.event); > + > + return ret; > +} > + > +/* > + * Parses the event name, arguments and flags then registers if successful. > + */ > +static int user_event_parse(char *name, char *args, char *flags, > + struct user_event **newuser) > +{ > + int ret; > + int index; > + u32 key; > + struct user_event *user = find_user_event(name, &key); > + > + if (user) { > + *newuser = user; > + ret = 0; > + goto put_name; > + } > + > + index = find_first_zero_bit(page_bitmap, MAX_EVENTS); > + > + if (index == MAX_EVENTS) { > + ret = -EMFILE; > + goto put_name; > + } > + > + user = kzalloc(sizeof(*user), GFP_KERNEL); > + > + if (!user) { > + ret = -ENOMEM; > + goto put_name; > + } > + > + INIT_LIST_HEAD(&user->class.fields); > + INIT_LIST_HEAD(&user->fields); > + > + user->tracepoint.name = name; > + > + user_event_parse_flags(user, flags); > + > + ret = user_event_parse_fields(user, args); > + > + if (ret) > + goto put_user; > + > + /* Minimal print format */ > + user->call.print_fmt = "\"\""; > + > + user->call.data = user; > + user->call.class = &user->class; > + user->call.name = name; > + user->call.flags = TRACE_EVENT_FL_TRACEPOINT; > + user->call.tp = &user->tracepoint; > + user->call.event.funcs = &user_event_funcs; > + > + user->class.system = USER_EVENTS_SYSTEM; > + user->class.fields_array = user_event_fields_array; > + user->class.get_fields = user_event_get_fields; > + user->class.reg = user_event_reg; > + user->class.probe = user_event_ftrace; > + > + mutex_lock(&event_mutex); > + ret = user_event_trace_register(user); > + mutex_unlock(&event_mutex); > + > + if (ret) > + goto put_user; > + > + user->index = index; > + dyn_event_init(&user->devent, &user_event_dops); > + dyn_event_add(&user->devent); > + set_bit(user->index, page_bitmap); > + hash_add(register_table, &user->node, key); > + > + *newuser = user; > + return 0; > +put_user: > + user_event_destroy_fields(user); > + kfree(user); > +put_name: > + kfree(name); > + return ret; > +} > + > +/* > + * Deletes a previously created event if it is no longer being used. > + */ > +static int delete_user_event(char *name) > +{ > + u32 key; > + int ret; > + struct user_event *user = find_user_event(name, &key); > + > + if (!user) > + return -ENOENT; > + > + if (atomic_read(&user->refcnt) != 0) > + return -EBUSY; > + > + mutex_lock(&event_mutex); > + ret = destroy_user_event(user); > + mutex_unlock(&event_mutex); > + > + return ret; > +} > + > +/* > + * Validates the user payload and writes via iterator. > + */ > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i) > +{ > + struct user_event_refs *refs; > + struct user_event *user = NULL; > + struct tracepoint *tp; > + ssize_t ret = i->count; > + int idx; > + > + if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx))) > + return -EFAULT; > + > + rcu_read_lock_sched(); > + > + refs = rcu_dereference_sched(file->private_data); > + > + if (likely(refs && idx < refs->count)) > + user = refs->events[idx]; > + > + rcu_read_unlock_sched(); > + > + if (unlikely(user == NULL)) > + return -ENOENT; > + > + tp = &user->tracepoint; What protects user here? You released the rcu lock. > + > + if (likely(atomic_read(&tp->key.enabled) > 0)) { > + struct tracepoint_func *probe_func_ptr; > + user_event_func_t probe_func; > + void *tpdata; > + void *kdata; > + u32 datalen; > + > + kdata = kmalloc(i->count, GFP_KERNEL); The allocation would need to be done first, before grabbing the rcu lock, and all this would need to be done within the rcu lock, because "tp" may not even exist anymore. > + > + if (unlikely(!kdata)) > + return -ENOMEM; > + > + datalen = copy_from_iter(kdata, i->count, i); > + > + rcu_read_lock_sched(); > + > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > + > + if (probe_func_ptr) { > + do { > + probe_func = probe_func_ptr->func; > + tpdata = probe_func_ptr->data; > + probe_func(user, kdata, datalen, tpdata); > + } while ((++probe_func_ptr)->func); > + } > + > + rcu_read_unlock_sched(); > + > + kfree(kdata); > + } > + > + return ret; > +} > + > +static ssize_t user_events_write(struct file *file, const char __user *ubuf, > + size_t count, loff_t *ppos) > +{ > + struct iovec iov; > + struct iov_iter i; > + > + if (unlikely(*ppos != 0)) > + return -EFAULT; > + > + if (unlikely(import_single_range(READ, (char *)ubuf, count, &iov, &i))) > + return -EFAULT; > + > + return user_events_write_core(file, &i); > +} > + > +static ssize_t user_events_write_iter(struct kiocb *kp, struct iov_iter *i) > +{ > + return user_events_write_core(kp->ki_filp, i); > +} > + > +static int user_events_ref_add(struct file *file, struct user_event *user) > +{ > + struct user_event_refs *refs, *new_refs; > + int i, size, count = 0; > + > + rcu_read_lock_sched(); rcu lock is not needed, but you may want to use: rcu_dereference_protected() and list the lock that protects the modifications here. > + refs = rcu_dereference_sched(file->private_data); > + rcu_read_unlock_sched(); > + > + if (refs) { > + count = refs->count; > + > + for (i = 0; i < count; ++i) > + if (refs->events[i] == user) > + return i; > + } > + > + size = sizeof(*refs) + (sizeof(struct user_event *) * (count + 1)); > + > + new_refs = kzalloc(size, GFP_KERNEL); > + > + if (!new_refs) > + return -ENOMEM; > + > + new_refs->count = count + 1; > + > + for (i = 0; i < count; ++i) > + new_refs->events[i] = refs->events[i]; > + > + new_refs->events[i] = user; > + > + atomic_inc(&user->refcnt); > + > + rcu_assign_pointer(file->private_data, new_refs); > + > + if (refs) > + kfree_rcu(refs, rcu); > + > + return i; > +} I just skimmed the rest, and didn't see anything that stuck out. But maybe I'll get time to look deeper at it later. -- Steve
On Fri, 5 Nov 2021 05:34:31 +0800 kernel test robot <lkp@intel.com> wrote: > Hi Beau, > > Thank you for the patch! Yet something to improve: > > [auto build test ERROR on rostedt-trace/for-next] > [also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104] > [If your patch is applied to the wrong git tree, kindly drop us a note. > And when submitting patch, we suggest to use '--base' as documented in > https://git-scm.com/docs/git-format-patch] > > url: https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 > base: https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next > config: powerpc-allmodconfig (attached as .config) > compiler: powerpc-linux-gcc (GCC) 11.2.0 > reproduce (this is a W=1 build): > wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross > chmod +x ~/bin/make.cross > # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a > git remote add linux-review https://github.com/0day-ci/linux > git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 > git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a > # save the attached .config to linux build tree > mkdir build_dir > COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/ > > If you fix the issue, kindly add following tag as appropriate > Reported-by: kernel test robot <lkp@intel.com> > > All errors (new ones prefixed by >>): > > kernel/trace/trace_events_user.c: In function 'user_event_parse': > >> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add' > 665 | dyn_event_add(&user->devent); > | ^~~~~~~~~~~~~ > In file included from kernel/trace/trace_events_user.c:23: > kernel/trace/trace_dynevent.h:79:19: note: declared here > 79 | static inline int dyn_event_add(struct dyn_event *ev, > | ^~~~~~~~~~~~~ You need to pass &user->call too :) Thank you,
On Mon, Nov 08, 2021 at 11:32:25AM +0900, Masami Hiramatsu wrote: > On Fri, 5 Nov 2021 05:34:31 +0800 > kernel test robot <lkp@intel.com> wrote: > > > Hi Beau, > > > > Thank you for the patch! Yet something to improve: > > > > [auto build test ERROR on rostedt-trace/for-next] > > [also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104] > > [If your patch is applied to the wrong git tree, kindly drop us a note. > > And when submitting patch, we suggest to use '--base' as documented in > > https://git-scm.com/docs/git-format-patch] > > > > url: https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 > > base: https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next > > config: powerpc-allmodconfig (attached as .config) > > compiler: powerpc-linux-gcc (GCC) 11.2.0 > > reproduce (this is a W=1 build): > > wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross > > chmod +x ~/bin/make.cross > > # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a > > git remote add linux-review https://github.com/0day-ci/linux > > git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650 > > git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a > > # save the attached .config to linux build tree > > mkdir build_dir > > COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/ > > > > If you fix the issue, kindly add following tag as appropriate > > Reported-by: kernel test robot <lkp@intel.com> > > > > All errors (new ones prefixed by >>): > > > > kernel/trace/trace_events_user.c: In function 'user_event_parse': > > >> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add' > > 665 | dyn_event_add(&user->devent); > > | ^~~~~~~~~~~~~ > > In file included from kernel/trace/trace_events_user.c:23: > > kernel/trace/trace_dynevent.h:79:19: note: declared here > > 79 | static inline int dyn_event_add(struct dyn_event *ev, > > | ^~~~~~~~~~~~~ > > You need to pass &user->call too :) > > Thank you, > > -- > Masami Hiramatsu <mhiramat@kernel.org> :) Yep, these so far have been based on perf/core branch of tip, I've moved the next iteration over to for-next branch off of linux-trace to ensure alignment. Thanks, -Beau
On Sun, Nov 07, 2021 at 11:31:15PM +0900, Masami Hiramatsu wrote: > Hi Beau, > > At first, thanks for breaking down your patch into this series! > > Now I found that a suspicious security design issue in this patch. > > On Thu, 4 Nov 2021 10:04:25 -0700 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > + > > +static enum print_line_t user_event_print_trace(struct trace_iterator *iter, > > + int flags, > > + struct trace_event *event) > > +{ > > + /* Unsafe to try to decode user provided print_fmt, use hex */ > > + trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16, > > + 1, iter->ent, iter->ent_size, true); > > You said this is "Unsafe to try to decode user provided" here, because > this doesn't check the event data sanity, especially non-fixed size data. > > However, it is not enough that you don't decode it here. Because synthetic > events (histograms) and event filters need to decode this recorded data entry > using the event format information. > > This means this can cause a buffer overrun issue on the ring buffer, because > __data_loc (and __rel_loc too) can be compromised by the user. > > If you want to just trace the user events with digit parameters, there is > a way to close this issue - support only the fixed size types (IOW, drop > __data_loc/rel_loc support) and always checks the 'length' of the written > data size. This ensures that those filters/synthetic events can access > those parameters as 'values'. Maybe eprobes still has to reject the user > events but the other parts will work well. > > If you want to log some "string", it is hard. Maybe it needs a special > check when writing the event (address, length, and null termination.), > but it will increase the recording overhead. > > Thank you, > > > -- > Masami Hiramatsu <mhiramat@kernel.org> Does that mean the decoders in eprobes/histogram don't check event record sizes before accessing the data? Shouldn't that get fix centrally? That would mean a loaded module could do the same thing (user_events only works if the user has access to tracefs, so it's not like it's open to all users). Is it possible to mark trace_events with a flag that says "don't trust this"? That way eBPF, ftrace and perf would still allow recording and decoding offline (in a safer context). From user_events code, an entry is always allocated with enough data and if it fails (either too big or alloc failure) the event is not written out. This appears to be purely in the decode logic that is not within this patch? Thanks, -Beau
On Mon, 8 Nov 2021 09:13:36 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > Does that mean the decoders in eprobes/histogram don't check event > record sizes before accessing the data? Shouldn't that get fix > centrally? That would mean a loaded module could do the same thing > (user_events only works if the user has access to tracefs, so it's not > like it's open to all users). There's checks to make sure everything fits in eprobes and kprobes. If it doesn't then the event is simply dropped. For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll see that it calls get_eprobe_size(), which goes through and just reads what it is about to accept. Then it reserves the amount of data on the ring buffer, and then calls store_trace_args() which also passes in the size that it found, in case things change. If it's too big, it only records what it originally intended. -- Steve
On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote: > On Thu, 4 Nov 2021 10:04:25 -0700 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > +static int user_field_array_size(const char *type) > > +{ > > + const char *start = strchr(type, '['); > > + int size = 0; > > + > > + if (start == NULL) > > + return -EINVAL; > > + > > + start++; > > + > > + while (*start >= '0' && *start <= '9') > > The kernel has include/linux/ctype.h > > while (isdigit(*start)) > > > + size = (size * 10) + (*start++ - '0'); > > So you only allow decimal digits? No hex? > Happy to change it, I only expected decimal to be allowed. Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)? > Also, is there anything to check if the size overflows? > > I'm assuming that other patches will add checking if the size is > greater than some amount? > I can switch to kstrtouint and use a max check, however: The max checks are weird here because eBPF has no limits, while ftrace and perf both do (and I believe they are different max sizes?) If someone really wanted a large array of characters and it can fit within perf but not ftrace, is it correct to block it here? My thinking was to allow each trace buffer reserve call to either work or not based on what the user requested depending on what was hooked. No strong opinion here though, just thoughts about what is a reasonable max given the 3 technologies. > > +/* > > + * Parses the values of a field within the description > > + * Format: type name [size] > > + */ > > +static int user_event_parse_field(char *field, struct user_event *user, > > + u32 *offset) > > +{ > > + char *part, *type, *name; > > + u32 depth = 0, saved_offset = *offset; > > + int size = -EINVAL; > > + bool is_struct = false; > > + > > + field = skip_spaces(field); > > + > > + if (*field == 0) > > + return 0; > > + > > + /* Handle types that have a space within */ > > + if (strstr(field, "unsigned ") == field) { > > These should use str_has_prefix(field, "unsigned ") etc. > > It also returns the length of the prefix so you don't need to add > sizeof() of the string you checked for. > Nice, will use that. > > + > > +static struct trace_event_fields user_event_fields_array[] = { > > + {} > > +}; > > Isn't the above just a fancy way of writing: > > static struct trace_event_fields user_event_fields_array[1]; > > ? > Yes, as long as it gets init'd to zero. My understanding was that {} would force zeroing, but I could totally be wrong. > > +/* > > + * Writes the user supplied payload out to a trace file. > > + */ > > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen, > > + void *tpdata) > > +{ > > + struct trace_event_file *file; > > + struct trace_entry *entry; > > + struct trace_event_buffer event_buffer; > > + > > + file = (struct trace_event_file *)tpdata; > > + > > + if (!file || > > + !(file->flags & EVENT_FILE_FL_ENABLED) || > > + trace_trigger_soft_disabled(file)) > > + return; > > + > > + entry = trace_event_buffer_reserve(&event_buffer, file, > > + sizeof(*entry) + datalen); > > + > > + if (unlikely(!entry)) > > + return; > > + > > Might want to add a comment here that the trace_event_buffer_reserve() > will fill in the struct trace_entry, which explains the "entry+1" below. > > I also need to add comments to trace_event_buffer_reserve() that it does so :-p > Will do. > > +/* > > + * Update the register page that is shared between user processes. > > + */ > > +static void update_reg_page_for(struct user_event *user) > > +{ > > + struct tracepoint *tp = &user->tracepoint; > > + char status = 0; > > + > > + if (atomic_read(&tp->key.enabled) > 0) { > > + struct tracepoint_func *probe_func_ptr; > > + user_event_func_t probe_func; > > + > > + rcu_read_lock_sched(); > > + > > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > > + > > + if (probe_func_ptr) { > > + do { > > + probe_func = probe_func_ptr->func; > > + > > + if (probe_func == user_event_ftrace) > > + status |= EVENT_STATUS_FTRACE; > > + else > > + status |= EVENT_STATUS_OTHER; > > + } while ((++probe_func_ptr)->func); > > + } > > + > > + rcu_read_unlock_sched(); > > + } > > + > > + register_page_data[user->index] = status; > > Should there be some kind of memory barriers here? That is, isn't this > the page that user space sees? The user space code should probably have > some kind of read memory barrier as well. > I'm glad you brought this up. I wanted to ensure a balance between eventual enablement of the event in the user mode process vs the cost of simultaneous enablement of the event (stalls, etc). We haven't seen this become an issue for our teams in our other telemetry sources (with no barriers), which seems to indicate eventual agreement of the page data works well as a tradeoff. > > +static int user_event_create(const char *raw_command) > > +{ > > + struct user_event *user; > > + char *name; > > + int ret; > > + > > + if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command) > > + return -ECANCELED; > > + > > + raw_command += USER_EVENTS_PREFIX_LEN; > > + raw_command = skip_spaces(raw_command); > > + > > + name = kstrdup(raw_command, GFP_KERNEL); > > name is allocated here, it really needs to be freed in this function as > well. I see that user_event_parse() will free it, but that is extremely > error prone to have a dependency like that. If name needs to be saved > by user_event_parse_cmd() then that should be shown in the return value > of that function. And if it fails the freeing of name should be in this > function. Also, if it is saved, then there should be a comment in this > function stating that. > It's a bit tricky, because if the event already exists, the name is freed. If the function fails, the name is freed. If the event has never been seen before then it is saved. I'll try to make this more clear, my thought is to add an explicit argument that gets set back to the caller if the string should be freed or not to make this clear while reading the code. > > +static bool user_event_is_busy(struct dyn_event *ev) > > +{ > > + struct user_event *user = container_of(ev, struct user_event, devent); > > + > > + return atomic_read(&user->refcnt) != 0; > > +} > > + > > +static int user_event_free(struct dyn_event *ev) > > +{ > > + struct user_event *user = container_of(ev, struct user_event, devent); > > + > > Shouldn't this check if the event is busy first? Yes, you are right. In the release all case busy is checked by dyn_events for me. However, in the individual case it is not. I'll fix this. > > +/* > > + * Validates the user payload and writes via iterator. > > + */ > > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i) > > +{ > > + struct user_event_refs *refs; > > + struct user_event *user = NULL; > > + struct tracepoint *tp; > > + ssize_t ret = i->count; > > + int idx; > > + > > + if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx))) > > + return -EFAULT; > > + > > + rcu_read_lock_sched(); > > + > > + refs = rcu_dereference_sched(file->private_data); > > + > > + if (likely(refs && idx < refs->count)) > > + user = refs->events[idx]; > > + > > + rcu_read_unlock_sched(); > > + > > + if (unlikely(user == NULL)) > > + return -ENOENT; > > + > > + tp = &user->tracepoint; > > What protects user here? You released the rcu lock. user is ref counted by the file, so before the final close all events linked to the file via the reg ioctl are ref'd and cannot go away. > > > + > > + if (likely(atomic_read(&tp->key.enabled) > 0)) { > > + struct tracepoint_func *probe_func_ptr; > > + user_event_func_t probe_func; > > + void *tpdata; > > + void *kdata; > > + u32 datalen; > > + > > + kdata = kmalloc(i->count, GFP_KERNEL); > > The allocation would need to be done first, before grabbing the rcu > lock, and all this would need to be done within the rcu lock, because > "tp" may not even exist anymore. The tracepoint can only get removed after all refs of an event become zero. It cannot happen when an outstanding write is occurring. The only way to delete the tracepoint is via the delete ioctl which explicitly checks the ref counts. Minus the bug you found in dyn_event free not checking busy, I don't believe this case is possible and does not require rcu lock since the ref count is protecting it from going away during this method. > > +static int user_events_ref_add(struct file *file, struct user_event *user) > > +{ > > + struct user_event_refs *refs, *new_refs; > > + int i, size, count = 0; > > + > > + rcu_read_lock_sched(); > > rcu lock is not needed, but you may want to use: > > rcu_dereference_protected() > > and list the lock that protects the modifications here. > Sure, I put them here to make it clear, I can change it up and add a comment instead. > > I just skimmed the rest, and didn't see anything that stuck out. > > But maybe I'll get time to look deeper at it later. > > -- Steve Thank you for the review, I appreciate it! Thanks, -Beau
On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote: > On Mon, 8 Nov 2021 09:13:36 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > Does that mean the decoders in eprobes/histogram don't check event > > record sizes before accessing the data? Shouldn't that get fix > > centrally? That would mean a loaded module could do the same thing > > (user_events only works if the user has access to tracefs, so it's not > > like it's open to all users). > > There's checks to make sure everything fits in eprobes and kprobes. If it > doesn't then the event is simply dropped. > > For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll > see that it calls get_eprobe_size(), which goes through and just reads what > it is about to accept. Then it reserves the amount of data on the ring > buffer, and then calls store_trace_args() which also passes in the size > that it found, in case things change. If it's too big, it only records what > it originally intended. > > -- Steve It seems there are 2 concerns: 1. If data comes in and it's not in the size that is specified, it's suspicious and should either be truncated or ignored. Maybe under ignore, over truncate. 2. If the data is more than specified, it must be checked to see if there are __data_loc / __rel_loc entries and they must be validated as within range of accepted limits. If there are no __data_loc / __rel_loc it should either be truncated or ignored. Is there more that I may have missed? I'd like to know if I do fix them that the features like filtering will still be available to user_events or if it's better to just add flags to disable kernel filtering? I'm still unsure this is limited to just user_events. For example, why doesn't filter_pred_strloc and filter_pred_pchar in trace_events_filter.c check the boundary it will be accessing? It seems like tracepoints from kernel modules, while more trusted, can also cause this kind of thing due to bugs, etc. Thanks, -Beau
On Mon, 8 Nov 2021 11:56:42 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote: > > On Thu, 4 Nov 2021 10:04:25 -0700 > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > +static int user_field_array_size(const char *type) > > > +{ > > > + const char *start = strchr(type, '['); > > > + int size = 0; > > > + > > > + if (start == NULL) > > > + return -EINVAL; > > > + > > > + start++; > > > + > > > + while (*start >= '0' && *start <= '9') > > > > The kernel has include/linux/ctype.h > > > > while (isdigit(*start)) > > > > > + size = (size * 10) + (*start++ - '0'); > > > > So you only allow decimal digits? No hex? > > > > Happy to change it, I only expected decimal to be allowed. I'm more worried that if the output of the "registered events" may have a hex number, and someone uses that output to recreate the event. > > Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)? > > > Also, is there anything to check if the size overflows? > > > > I'm assuming that other patches will add checking if the size is > > greater than some amount? > > > > I can switch to kstrtouint and use a max check, however: > The max checks are weird here because eBPF has no limits, while ftrace > and perf both do (and I believe they are different max sizes?) I'm not concerned about taking up more than ftrace or perf, but having some kind of DOS that is caused by hugh allocations. If you make a huge event and try to record it in ftrace, then ftrace will simply drop the event. No harm done (except you won't see the event). > > If someone really wanted a large array of characters and it can fit > within perf but not ftrace, is it correct to block it here? My thinking > was to allow each trace buffer reserve call to either work or not based > on what the user requested depending on what was hooked. > > No strong opinion here though, just thoughts about what is a reasonable > max given the 3 technologies. Again, I'm more worried about just a general 'this is way too big' thing. If anything, it could be simply to flag a bug where the event in created via some logic that goes crazy. > > > > +/* > > > + * Parses the values of a field within the description > > > + * Format: type name [size] > > > + */ > > > +static int user_event_parse_field(char *field, struct user_event *user, > > > + u32 *offset) > > > +{ > > > + char *part, *type, *name; > > > + u32 depth = 0, saved_offset = *offset; > > > + int size = -EINVAL; > > > + bool is_struct = false; > > > + > > > + field = skip_spaces(field); > > > + > > > + if (*field == 0) > > > + return 0; > > > + > > > + /* Handle types that have a space within */ > > > + if (strstr(field, "unsigned ") == field) { > > > > These should use str_has_prefix(field, "unsigned ") etc. > > > > It also returns the length of the prefix so you don't need to add > > sizeof() of the string you checked for. > > > > Nice, will use that. > > > > + > > > +static struct trace_event_fields user_event_fields_array[] = { > > > + {} > > > +}; > > > > Isn't the above just a fancy way of writing: > > > > static struct trace_event_fields user_event_fields_array[1]; > > > > ? > > > > Yes, as long as it gets init'd to zero. My understanding was that {} > would force zeroing, but I could totally be wrong. All static and global variables that are not assigned will be initialized to zero. No need to initialize anything that is zero by default. > > > > +/* > > > + * Writes the user supplied payload out to a trace file. > > > + */ > > > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen, > > > + void *tpdata) > > > +{ > > > + struct trace_event_file *file; > > > + struct trace_entry *entry; > > > + struct trace_event_buffer event_buffer; > > > + > > > + file = (struct trace_event_file *)tpdata; > > > + > > > + if (!file || > > > + !(file->flags & EVENT_FILE_FL_ENABLED) || > > > + trace_trigger_soft_disabled(file)) > > > + return; > > > + > > > + entry = trace_event_buffer_reserve(&event_buffer, file, > > > + sizeof(*entry) + datalen); > > > + > > > + if (unlikely(!entry)) > > > + return; > > > + > > > > Might want to add a comment here that the trace_event_buffer_reserve() > > will fill in the struct trace_entry, which explains the "entry+1" below. > > > > I also need to add comments to trace_event_buffer_reserve() that it does so :-p > > > > Will do. > > > > +/* > > > + * Update the register page that is shared between user processes. > > > + */ > > > +static void update_reg_page_for(struct user_event *user) > > > +{ > > > + struct tracepoint *tp = &user->tracepoint; > > > + char status = 0; > > > + > > > + if (atomic_read(&tp->key.enabled) > 0) { > > > + struct tracepoint_func *probe_func_ptr; > > > + user_event_func_t probe_func; > > > + > > > + rcu_read_lock_sched(); > > > + > > > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > > > + > > > + if (probe_func_ptr) { > > > + do { > > > + probe_func = probe_func_ptr->func; > > > + > > > + if (probe_func == user_event_ftrace) > > > + status |= EVENT_STATUS_FTRACE; > > > + else > > > + status |= EVENT_STATUS_OTHER; > > > + } while ((++probe_func_ptr)->func); > > > + } > > > + > > > + rcu_read_unlock_sched(); > > > + } > > > + > > > + register_page_data[user->index] = status; > > > > Should there be some kind of memory barriers here? That is, isn't this > > the page that user space sees? The user space code should probably have > > some kind of read memory barrier as well. > > > > I'm glad you brought this up. I wanted to ensure a balance between > eventual enablement of the event in the user mode process vs the cost > of simultaneous enablement of the event (stalls, etc). > > We haven't seen this become an issue for our teams in our other > telemetry sources (with no barriers), which seems to indicate eventual > agreement of the page data works well as a tradeoff. Another approach is if you know what tasks these events come from (who registered them), then you could simply send an IPI to the task if it happen to be running. An IPI will force a memory barrier, and since you only need to do this on changes (enable / disable event) it's not like it will happen often. > > > > +static int user_event_create(const char *raw_command) > > > +{ > > > + struct user_event *user; > > > + char *name; > > > + int ret; > > > + > > > + if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command) > > > + return -ECANCELED; > > > + > > > + raw_command += USER_EVENTS_PREFIX_LEN; > > > + raw_command = skip_spaces(raw_command); > > > + > > > + name = kstrdup(raw_command, GFP_KERNEL); > > > > name is allocated here, it really needs to be freed in this function as > > well. I see that user_event_parse() will free it, but that is extremely > > error prone to have a dependency like that. If name needs to be saved > > by user_event_parse_cmd() then that should be shown in the return value > > of that function. And if it fails the freeing of name should be in this > > function. Also, if it is saved, then there should be a comment in this > > function stating that. > > > > It's a bit tricky, because if the event already exists, the name is > freed. If the function fails, the name is freed. If the event has > never been seen before then it is saved. I would then suggest to free the name from the calling function only if it succeeds and the name already exists. With a comment stating that. But I would have the caller free it on failure. That is, you could change user_event_parse() to have: struct user_event *user = find_user_event(name, &key); if (user) { *newuser = user; /* * The name is allocated by the caller, but since it * already exists in user, simply free it here. */ kfree(name); return 0; } And remove all the "put_name" jumps. > > I'll try to make this more clear, my thought is to add an explicit > argument that gets set back to the caller if the string should be freed > or not to make this clear while reading the code. > > > > +static bool user_event_is_busy(struct dyn_event *ev) > > > +{ > > > + struct user_event *user = container_of(ev, struct user_event, devent); > > > + > > > + return atomic_read(&user->refcnt) != 0; > > > +} > > > + > > > +static int user_event_free(struct dyn_event *ev) > > > +{ > > > + struct user_event *user = container_of(ev, struct user_event, devent); > > > + > > > > Shouldn't this check if the event is busy first? > > Yes, you are right. In the release all case busy is checked by > dyn_events for me. However, in the individual case it is not. I'll fix > this. > > > > +/* > > > + * Validates the user payload and writes via iterator. > > > + */ > > > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i) > > > +{ > > > + struct user_event_refs *refs; > > > + struct user_event *user = NULL; > > > + struct tracepoint *tp; > > > + ssize_t ret = i->count; > > > + int idx; > > > + > > > + if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx))) > > > + return -EFAULT; > > > + > > > + rcu_read_lock_sched(); > > > + > > > + refs = rcu_dereference_sched(file->private_data); > > > + > > > + if (likely(refs && idx < refs->count)) > > > + user = refs->events[idx]; > > > + > > > + rcu_read_unlock_sched(); > > > + > > > + if (unlikely(user == NULL)) > > > + return -ENOENT; > > > + > > > + tp = &user->tracepoint; > > > > What protects user here? You released the rcu lock. > > user is ref counted by the file, so before the final close all events > linked to the file via the reg ioctl are ref'd and cannot go away. If that's the case, then why the rcu_read_lock_sched() around the assigment of user? -- Steve > > > > > > + > > > + if (likely(atomic_read(&tp->key.enabled) > 0)) { > > > + struct tracepoint_func *probe_func_ptr; > > > + user_event_func_t probe_func; > > > + void *tpdata; > > > + void *kdata; > > > + u32 datalen; > > > + > > > + kdata = kmalloc(i->count, GFP_KERNEL); >
On Mon, 8 Nov 2021 12:25:27 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > It seems there are 2 concerns: > 1. If data comes in and it's not in the size that is specified, it's > suspicious and should either be truncated or ignored. Maybe under > ignore, over truncate. > > 2. If the data is more than specified, it must be checked to see if > there are __data_loc / __rel_loc entries and they must be validated as > within range of accepted limits. If there are no __data_loc / __rel_loc > it should either be truncated or ignored. > > Is there more that I may have missed? > > I'd like to know if I do fix them that the features like filtering will still > be available to user_events or if it's better to just add flags to disable > kernel filtering? If these are "user defined" then perhaps we add a wrapper to the filtering that is called instead of the normal filtering for theses events that verify the fields of the events being filtered are located on the ring buffer. Although, strings and such are rare or just slow in filtering that we could make sure the content is still on the buffer that is being filtered. > > I'm still unsure this is limited to just user_events. > > For example, why doesn't filter_pred_strloc and filter_pred_pchar in > trace_events_filter.c check the boundary it will be accessing? > > It seems like tracepoints from kernel modules, while more trusted, can also > cause this kind of thing due to bugs, etc. Yes, it's the fact that the code is created in the kernel, and the only way that the filtering could be out of bounds is if there's a bug in the kernel. We rather not check for that if it slows down the tracing. But perhaps if we can show that the checks are only done for dynamic strings and arrays, that it doesn't cause noticeable overhead, it may be fine to keep for all events. -- Steve
On Mon, Nov 08, 2021 at 03:53:59PM -0500, Steven Rostedt wrote: > On Mon, 8 Nov 2021 11:56:42 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote: > > > On Thu, 4 Nov 2021 10:04:25 -0700 > > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > +static int user_field_array_size(const char *type) > > > > +{ > > > > + const char *start = strchr(type, '['); > > > > + int size = 0; > > > > + > > > > + if (start == NULL) > > > > + return -EINVAL; > > > > + > > > > + start++; > > > > + > > > > + while (*start >= '0' && *start <= '9') > > > > > > The kernel has include/linux/ctype.h > > > > > > while (isdigit(*start)) > > > > > > > + size = (size * 10) + (*start++ - '0'); > > > > > > So you only allow decimal digits? No hex? > > > > > > > Happy to change it, I only expected decimal to be allowed. > > I'm more worried that if the output of the "registered events" may have a > hex number, and someone uses that output to recreate the event. > It seems like there is precedent around this in synth, so I will go ahead and ensure hex works as well. > > > > Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)? > > > > > Also, is there anything to check if the size overflows? > > > > > > I'm assuming that other patches will add checking if the size is > > > greater than some amount? > > > > > > > I can switch to kstrtouint and use a max check, however: > > The max checks are weird here because eBPF has no limits, while ftrace > > and perf both do (and I believe they are different max sizes?) > > I'm not concerned about taking up more than ftrace or perf, but having some > kind of DOS that is caused by hugh allocations. If you make a huge event > and try to record it in ftrace, then ftrace will simply drop the event. No > harm done (except you won't see the event). > The later patches in the series avoid the alloc all together (and pass the iter through to the probes). eBPF still has an alloc there, but it is size limited to a single page to handle this case. The huge alloc case could happen if a user just put in a lot of data in the first patch. However, with alloc being removed in the later patches, this won't occur. > > > > If someone really wanted a large array of characters and it can fit > > within perf but not ftrace, is it correct to block it here? My thinking > > was to allow each trace buffer reserve call to either work or not based > > on what the user requested depending on what was hooked. > > > > No strong opinion here though, just thoughts about what is a reasonable > > max given the 3 technologies. > > Again, I'm more worried about just a general 'this is way too big' thing. > If anything, it could be simply to flag a bug where the event in created > via some logic that goes crazy. > Got it, I believe putting a large upper bound, like 2*PAGE_SIZE should cut that stuff out. > > > > > > +/* > > > > + * Parses the values of a field within the description > > > > + * Format: type name [size] > > > > + */ > > > > +static int user_event_parse_field(char *field, struct user_event *user, > > > > + u32 *offset) > > > > +{ > > > > + char *part, *type, *name; > > > > + u32 depth = 0, saved_offset = *offset; > > > > + int size = -EINVAL; > > > > + bool is_struct = false; > > > > + > > > > + field = skip_spaces(field); > > > > + > > > > + if (*field == 0) > > > > + return 0; > > > > + > > > > + /* Handle types that have a space within */ > > > > + if (strstr(field, "unsigned ") == field) { > > > > > > These should use str_has_prefix(field, "unsigned ") etc. > > > > > > It also returns the length of the prefix so you don't need to add > > > sizeof() of the string you checked for. > > > > > > > Nice, will use that. > > > > > > + > > > > +static struct trace_event_fields user_event_fields_array[] = { > > > > + {} > > > > +}; > > > > > > Isn't the above just a fancy way of writing: > > > > > > static struct trace_event_fields user_event_fields_array[1]; > > > > > > ? > > > > > > > Yes, as long as it gets init'd to zero. My understanding was that {} > > would force zeroing, but I could totally be wrong. > > All static and global variables that are not assigned will be initialized > to zero. No need to initialize anything that is zero by default. > > > > > > > +/* > > > > + * Writes the user supplied payload out to a trace file. > > > > + */ > > > > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen, > > > > + void *tpdata) > > > > +{ > > > > + struct trace_event_file *file; > > > > + struct trace_entry *entry; > > > > + struct trace_event_buffer event_buffer; > > > > + > > > > + file = (struct trace_event_file *)tpdata; > > > > + > > > > + if (!file || > > > > + !(file->flags & EVENT_FILE_FL_ENABLED) || > > > > + trace_trigger_soft_disabled(file)) > > > > + return; > > > > + > > > > + entry = trace_event_buffer_reserve(&event_buffer, file, > > > > + sizeof(*entry) + datalen); > > > > + > > > > + if (unlikely(!entry)) > > > > + return; > > > > + > > > > > > Might want to add a comment here that the trace_event_buffer_reserve() > > > will fill in the struct trace_entry, which explains the "entry+1" below. > > > > > > I also need to add comments to trace_event_buffer_reserve() that it does so :-p > > > > > > > Will do. > > > > > > +/* > > > > + * Update the register page that is shared between user processes. > > > > + */ > > > > +static void update_reg_page_for(struct user_event *user) > > > > +{ > > > > + struct tracepoint *tp = &user->tracepoint; > > > > + char status = 0; > > > > + > > > > + if (atomic_read(&tp->key.enabled) > 0) { > > > > + struct tracepoint_func *probe_func_ptr; > > > > + user_event_func_t probe_func; > > > > + > > > > + rcu_read_lock_sched(); > > > > + > > > > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > > > > + > > > > + if (probe_func_ptr) { > > > > + do { > > > > + probe_func = probe_func_ptr->func; > > > > + > > > > + if (probe_func == user_event_ftrace) > > > > + status |= EVENT_STATUS_FTRACE; > > > > + else > > > > + status |= EVENT_STATUS_OTHER; > > > > + } while ((++probe_func_ptr)->func); > > > > + } > > > > + > > > > + rcu_read_unlock_sched(); > > > > + } > > > > + > > > > + register_page_data[user->index] = status; > > > > > > Should there be some kind of memory barriers here? That is, isn't this > > > the page that user space sees? The user space code should probably have > > > some kind of read memory barrier as well. > > > > > > > I'm glad you brought this up. I wanted to ensure a balance between > > eventual enablement of the event in the user mode process vs the cost > > of simultaneous enablement of the event (stalls, etc). > > > > We haven't seen this become an issue for our teams in our other > > telemetry sources (with no barriers), which seems to indicate eventual > > agreement of the page data works well as a tradeoff. > > Another approach is if you know what tasks these events come from (who > registered them), then you could simply send an IPI to the task if it > happen to be running. An IPI will force a memory barrier, and since you > only need to do this on changes (enable / disable event) it's not like it > will happen often. > This is good to know, there might be a need for this in the future when we get around to more features of user_events from what some people are asking for. > > > > > > +static int user_event_create(const char *raw_command) > > > > +{ > > > > + struct user_event *user; > > > > + char *name; > > > > + int ret; > > > > + > > > > + if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command) > > > > + return -ECANCELED; > > > > + > > > > + raw_command += USER_EVENTS_PREFIX_LEN; > > > > + raw_command = skip_spaces(raw_command); > > > > + > > > > + name = kstrdup(raw_command, GFP_KERNEL); > > > > > > name is allocated here, it really needs to be freed in this function as > > > well. I see that user_event_parse() will free it, but that is extremely > > > error prone to have a dependency like that. If name needs to be saved > > > by user_event_parse_cmd() then that should be shown in the return value > > > of that function. And if it fails the freeing of name should be in this > > > function. Also, if it is saved, then there should be a comment in this > > > function stating that. > > > > > > > It's a bit tricky, because if the event already exists, the name is > > freed. If the function fails, the name is freed. If the event has > > never been seen before then it is saved. > > I would then suggest to free the name from the calling function only if it > succeeds and the name already exists. With a comment stating that. > > But I would have the caller free it on failure. That is, you could change > user_event_parse() to have: > > struct user_event *user = find_user_event(name, &key); > > if (user) { > *newuser = user; > /* > * The name is allocated by the caller, but since it > * already exists in user, simply free it here. > */ > kfree(name); > return 0; > } > > And remove all the "put_name" jumps. > Sure thing. > > > > I'll try to make this more clear, my thought is to add an explicit > > argument that gets set back to the caller if the string should be freed > > or not to make this clear while reading the code. > > > > > > +static bool user_event_is_busy(struct dyn_event *ev) > > > > +{ > > > > + struct user_event *user = container_of(ev, struct user_event, devent); > > > > + > > > > + return atomic_read(&user->refcnt) != 0; > > > > +} > > > > + > > > > +static int user_event_free(struct dyn_event *ev) > > > > +{ > > > > + struct user_event *user = container_of(ev, struct user_event, devent); > > > > + > > > > > > Shouldn't this check if the event is busy first? > > > > Yes, you are right. In the release all case busy is checked by > > dyn_events for me. However, in the individual case it is not. I'll fix > > this. > > > > > > +/* > > > > + * Validates the user payload and writes via iterator. > > > > + */ > > > > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i) > > > > +{ > > > > + struct user_event_refs *refs; > > > > + struct user_event *user = NULL; > > > > + struct tracepoint *tp; > > > > + ssize_t ret = i->count; > > > > + int idx; > > > > + > > > > + if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx))) > > > > + return -EFAULT; > > > > + > > > > + rcu_read_lock_sched(); > > > > + > > > > + refs = rcu_dereference_sched(file->private_data); > > > > + > > > > + if (likely(refs && idx < refs->count)) > > > > + user = refs->events[idx]; > > > > + > > > > + rcu_read_unlock_sched(); > > > > + > > > > + if (unlikely(user == NULL)) > > > > + return -ENOENT; > > > > + > > > > + tp = &user->tracepoint; > > > > > > What protects user here? You released the rcu lock. > > > > user is ref counted by the file, so before the final close all events > > linked to the file via the reg ioctl are ref'd and cannot go away. > > > If that's the case, then why the rcu_read_lock_sched() around the assigment > of user? > > -- Steve > Because the refs can change during the write, and we get the user assignment from the refs events array that is RCU protected. If a task registered another event during the write this has a timing window where we would deref a possibly freed array. User structs are shared across files, so they are ref counted. The user_event_refs are per-FD references that are RCU protected since tasks can share the same FD and cause synchronization windows that are bad without it. Thanks, -Beau
On Mon, Nov 08, 2021 at 04:00:27PM -0500, Steven Rostedt wrote: > On Mon, 8 Nov 2021 12:25:27 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > It seems there are 2 concerns: > > 1. If data comes in and it's not in the size that is specified, it's > > suspicious and should either be truncated or ignored. Maybe under > > ignore, over truncate. > > > > 2. If the data is more than specified, it must be checked to see if > > there are __data_loc / __rel_loc entries and they must be validated as > > within range of accepted limits. If there are no __data_loc / __rel_loc > > it should either be truncated or ignored. > > > > Is there more that I may have missed? > > > > I'd like to know if I do fix them that the features like filtering will still > > be available to user_events or if it's better to just add flags to disable > > kernel filtering? > > If these are "user defined" then perhaps we add a wrapper to the filtering > that is called instead of the normal filtering for theses events that > verify the fields of the events being filtered are located on the ring > buffer. Although, strings and such are rare or just slow in filtering that > we could make sure the content is still on the buffer that is being > filtered. > It seems like both histograms and filter both reference field flags to determine how to get the data. How would you feel about another FILTER_* flag on fields, like: FILTER_DYN_STRING_SAFE FILTER_PTR_STRING_SAFE user_events when parsing would instead of leaving FILTER_OTHER for __data_loc / __rel_loc switch to the above. The predicate filter method would then switch based on those types to safer versions. That way other parts could take advantage of this if needed beyond user_events. If this is addressed at the filter/histogram level, would then the write callsites still check bounds per-write? Or maybe only care about the undersized data cases? > > > > I'm still unsure this is limited to just user_events. > > > > For example, why doesn't filter_pred_strloc and filter_pred_pchar in > > trace_events_filter.c check the boundary it will be accessing? > > > > It seems like tracepoints from kernel modules, while more trusted, can also > > cause this kind of thing due to bugs, etc. > > Yes, it's the fact that the code is created in the kernel, and the only way > that the filtering could be out of bounds is if there's a bug in the > kernel. We rather not check for that if it slows down the tracing. But > perhaps if we can show that the checks are only done for dynamic strings > and arrays, that it doesn't cause noticeable overhead, it may be fine to > keep for all events. > > -- Steve Thanks, -Beau
On Mon, 8 Nov 2021 14:09:45 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > > It seems like both histograms and filter both reference field flags to > determine how to get the data. > > How would you feel about another FILTER_* flag on fields, like: > FILTER_DYN_STRING_SAFE > FILTER_PTR_STRING_SAFE You mean "UNSAFE" ? > > user_events when parsing would instead of leaving FILTER_OTHER for > __data_loc / __rel_loc switch to the above. > > The predicate filter method would then switch based on those types to > safer versions. > > That way other parts could take advantage of this if needed beyond > user_events. > > If this is addressed at the filter/histogram level, would then the write > callsites still check bounds per-write? Or maybe only care about the > undersized data cases? I'd have to look at the implementation of this. There's too many variables running around in my head right now. -- Steve
On Mon, Nov 08, 2021 at 05:30:53PM -0500, Steven Rostedt wrote: > On Mon, 8 Nov 2021 14:09:45 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > It seems like both histograms and filter both reference field flags to > > determine how to get the data. > > > > How would you feel about another FILTER_* flag on fields, like: > > FILTER_DYN_STRING_SAFE > > FILTER_PTR_STRING_SAFE > > You mean "UNSAFE" ? > Yes :) Unsafe data, safe filter method. > > > > user_events when parsing would instead of leaving FILTER_OTHER for > > __data_loc / __rel_loc switch to the above. > > > > The predicate filter method would then switch based on those types to > > safer versions. > > > > That way other parts could take advantage of this if needed beyond > > user_events. > > > > If this is addressed at the filter/histogram level, would then the write > > callsites still check bounds per-write? Or maybe only care about the > > undersized data cases? > > I'd have to look at the implementation of this. There's too many variables > running around in my head right now. > > -- Steve Understood, thanks for thinking about this. -Beau
On Mon, 8 Nov 2021 12:25:27 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote: > > On Mon, 8 Nov 2021 09:13:36 -0800 > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > > > > Does that mean the decoders in eprobes/histogram don't check event > > > record sizes before accessing the data? Shouldn't that get fix > > > centrally? That would mean a loaded module could do the same thing > > > (user_events only works if the user has access to tracefs, so it's not > > > like it's open to all users). > > > > There's checks to make sure everything fits in eprobes and kprobes. If it > > doesn't then the event is simply dropped. > > > > For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll > > see that it calls get_eprobe_size(), which goes through and just reads what > > it is about to accept. Then it reserves the amount of data on the ring > > buffer, and then calls store_trace_args() which also passes in the size > > that it found, in case things change. If it's too big, it only records what > > it originally intended. > > > > -- Steve > > It seems there are 2 concerns: > 1. If data comes in and it's not in the size that is specified, it's > suspicious and should either be truncated or ignored. Maybe under > ignore, over truncate. Yes, this is for the events which is defined with fixed-size parameters and what I suggested. > > 2. If the data is more than specified, it must be checked to see if > there are __data_loc / __rel_loc entries and they must be validated as > within range of accepted limits. If there are no __data_loc / __rel_loc > it should either be truncated or ignored. Yes, this is for the events, which is defined with variable length parameters, like null-terminated string. In this case, along with the __data/__rel_loc validation, it needs a null termination check. > > Is there more that I may have missed? > > I'd like to know if I do fix them that the features like filtering will still > be available to user_events or if it's better to just add flags to disable > kernel filtering? I would rather like that the filters will be available on the user_events. My question is that you need to log the dynamic data or strings via user- events or not. Since the other user-events, like SDT doesn't support the string variables to trace, I guess that is not a high priority. Moreover, since now we can use eprobes, if user event records the address of user-string, the eprobes can fetch it. So, my suggestion is implmenting with fixed-size parameters as the first step and keep filter/histograms/eprobes available on the user-events. If you find any performance issue, you can expand the user-events to support dynamic (array) data and strings. > > I'm still unsure this is limited to just user_events. > > For example, why doesn't filter_pred_strloc and filter_pred_pchar in > trace_events_filter.c check the boundary it will be accessing? Because all data is written from the kernel code. We can trust the data exists on the buffer. (If not, there is an actual BUG in the kenrel) We can add a verifieer for the debug purpose. > > It seems like tracepoints from kernel modules, while more trusted, can also > cause this kind of thing due to bugs, etc. Of course, and that must be fixed. And, the tracepoints (traceevents) should be automatically generated code, that is more trusted than the events crafted by user. Thank you,
On Mon, 8 Nov 2021 14:09:45 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > On Mon, Nov 08, 2021 at 04:00:27PM -0500, Steven Rostedt wrote: > > On Mon, 8 Nov 2021 12:25:27 -0800 > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > > It seems there are 2 concerns: > > > 1. If data comes in and it's not in the size that is specified, it's > > > suspicious and should either be truncated or ignored. Maybe under > > > ignore, over truncate. > > > > > > 2. If the data is more than specified, it must be checked to see if > > > there are __data_loc / __rel_loc entries and they must be validated as > > > within range of accepted limits. If there are no __data_loc / __rel_loc > > > it should either be truncated or ignored. > > > > > > Is there more that I may have missed? > > > > > > I'd like to know if I do fix them that the features like filtering will still > > > be available to user_events or if it's better to just add flags to disable > > > kernel filtering? > > > > If these are "user defined" then perhaps we add a wrapper to the filtering > > that is called instead of the normal filtering for theses events that > > verify the fields of the events being filtered are located on the ring > > buffer. Although, strings and such are rare or just slow in filtering that > > we could make sure the content is still on the buffer that is being > > filtered. > > > > It seems like both histograms and filter both reference field flags to > determine how to get the data. > > How would you feel about another FILTER_* flag on fields, like: > FILTER_DYN_STRING_SAFE > FILTER_PTR_STRING_SAFE > > user_events when parsing would instead of leaving FILTER_OTHER for > __data_loc / __rel_loc switch to the above. > > The predicate filter method would then switch based on those types to > safer versions. > > That way other parts could take advantage of this if needed beyond > user_events. > > If this is addressed at the filter/histogram level, would then the write > callsites still check bounds per-write? Or maybe only care about the > undersized data cases? Even with the unsafe flags, I think the callsites still needs the undersized check at least. It may have the maxsize and minsize for the events. If the event defined with dynamic data (__data_loc/__rel_loc), minsize is the sum of the field size and maxsize will be the PAGE_SIZE (or smaller than that). If the event has no dynamic data field, minsize == maxsize. Thank you,
On Tue, Nov 09, 2021 at 11:56:34AM +0900, Masami Hiramatsu wrote: > On Mon, 8 Nov 2021 12:25:27 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote: > > > On Mon, 8 Nov 2021 09:13:36 -0800 > > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > > > > > > > > Does that mean the decoders in eprobes/histogram don't check event > > > > record sizes before accessing the data? Shouldn't that get fix > > > > centrally? That would mean a loaded module could do the same thing > > > > (user_events only works if the user has access to tracefs, so it's not > > > > like it's open to all users). > > > > > > There's checks to make sure everything fits in eprobes and kprobes. If it > > > doesn't then the event is simply dropped. > > > > > > For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll > > > see that it calls get_eprobe_size(), which goes through and just reads what > > > it is about to accept. Then it reserves the amount of data on the ring > > > buffer, and then calls store_trace_args() which also passes in the size > > > that it found, in case things change. If it's too big, it only records what > > > it originally intended. > > > > > > -- Steve > > > > It seems there are 2 concerns: > > 1. If data comes in and it's not in the size that is specified, it's > > suspicious and should either be truncated or ignored. Maybe under > > ignore, over truncate. > > Yes, this is for the events which is defined with fixed-size > parameters and what I suggested. > Thanks. > > > > 2. If the data is more than specified, it must be checked to see if > > there are __data_loc / __rel_loc entries and they must be validated as > > within range of accepted limits. If there are no __data_loc / __rel_loc > > it should either be truncated or ignored. > > Yes, this is for the events, which is defined with variable length > parameters, like null-terminated string. In this case, along with the > __data/__rel_loc validation, it needs a null termination check. > Got it. > > > > Is there more that I may have missed? > > > > I'd like to know if I do fix them that the features like filtering will still > > be available to user_events or if it's better to just add flags to disable > > kernel filtering? > > I would rather like that the filters will be available on the user_events. > > My question is that you need to log the dynamic data or strings via user- > events or not. Since the other user-events, like SDT doesn't support the > string variables to trace, I guess that is not a high priority. > > Moreover, since now we can use eprobes, if user event records the address of > user-string, the eprobes can fetch it. > > So, my suggestion is implmenting with fixed-size parameters as the first step > and keep filter/histograms/eprobes available on the user-events. > If you find any performance issue, you can expand the user-events to support > dynamic (array) data and strings. > We need strings to be able to be emitted and recorded in eBPF, perf and ftrace. So I would rather go after a solution that lets us keep these in the ring buffers, even if it means a perf hit. Guess what's left is to where the best place to check is, checking in the filter with unsafe flags would let us keep most of the perf (we just check the undersize case, 1 branch). When these unsafe types are filtered then a perf tax is imposed to keep things safe. It sounded like Steven wanted to think about this a bit, so I'll wait a bit before poking again for consensus :) Do you have any strong feelings about where it goes? Thanks, -Beau
On Tue, 9 Nov 2021 11:08:44 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > We need strings to be able to be emitted and recorded in eBPF, perf and > ftrace. So I would rather go after a solution that lets us keep these in > the ring buffers, even if it means a perf hit. > > Guess what's left is to where the best place to check is, checking in > the filter with unsafe flags would let us keep most of the perf (we just > check the undersize case, 1 branch). When these unsafe types are > filtered then a perf tax is imposed to keep things safe. > > It sounded like Steven wanted to think about this a bit, so I'll wait a > bit before poking again for consensus :) > > Do you have any strong feelings about where it goes? IIUC, the writing into the trace event is done via one big blob, correct? That is this: + if (likely(atomic_read(&tp->key.enabled) > 0)) { + struct tracepoint_func *probe_func_ptr; + user_event_func_t probe_func; + void *tpdata; + void *kdata; + u32 datalen; + + kdata = kmalloc(i->count, GFP_KERNEL); + + if (unlikely(!kdata)) + return -ENOMEM; + + datalen = copy_from_iter(kdata, i->count, i); + + rcu_read_lock_sched(); + + probe_func_ptr = rcu_dereference_sched(tp->funcs); + + if (probe_func_ptr) { + do { + probe_func = probe_func_ptr->func; + tpdata = probe_func_ptr->data; + probe_func(user, kdata, datalen, tpdata); + } while ((++probe_func_ptr)->func); + } + + rcu_read_unlock_sched(); + + kfree(kdata); So we really are just interested in making sure that the output is correct? That is, the reading of the trace file? -- Steve
On Tue, Nov 09, 2021 at 02:25:06PM -0500, Steven Rostedt wrote: > On Tue, 9 Nov 2021 11:08:44 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > We need strings to be able to be emitted and recorded in eBPF, perf and > > ftrace. So I would rather go after a solution that lets us keep these in > > the ring buffers, even if it means a perf hit. > > > > Guess what's left is to where the best place to check is, checking in > > the filter with unsafe flags would let us keep most of the perf (we just > > check the undersize case, 1 branch). When these unsafe types are > > filtered then a perf tax is imposed to keep things safe. > > > > It sounded like Steven wanted to think about this a bit, so I'll wait a > > bit before poking again for consensus :) > > > > Do you have any strong feelings about where it goes? > > IIUC, the writing into the trace event is done via one big blob, correct? > Yes, the top 4 bytes get trimmed off as an index, then it's a big blob to all places except eBPF (when asking for the iterator directly). > That is this: > > + if (likely(atomic_read(&tp->key.enabled) > 0)) { > + struct tracepoint_func *probe_func_ptr; > + user_event_func_t probe_func; > + void *tpdata; > + void *kdata; > + u32 datalen; > + > + kdata = kmalloc(i->count, GFP_KERNEL); > + > + if (unlikely(!kdata)) > + return -ENOMEM; > + > + datalen = copy_from_iter(kdata, i->count, i); > + > + rcu_read_lock_sched(); > + > + probe_func_ptr = rcu_dereference_sched(tp->funcs); > + > + if (probe_func_ptr) { > + do { > + probe_func = probe_func_ptr->func; > + tpdata = probe_func_ptr->data; > + probe_func(user, kdata, datalen, tpdata); > + } while ((++probe_func_ptr)->func); > + } > + > + rcu_read_unlock_sched(); > + > + kfree(kdata); > > So we really are just interested in making sure that the output is correct? > Largely, yes. The optimization part of the patch moves the buffer copies into the probes to remove a double copy. I believe however that output can be checked either centrally before the probes or within each probe call if need be. For perf/eBPF we may not need to check things, however, for ftrace we will due to the filters. So we may be able to isolate to just the ftrace probe method. The ftrace probe will have a blob even after optimization due to the copy into the ring buffer (assuming we can discard it if it violates a policy). > That is, the reading of the trace file? > We really need to ensure that data can be analyzed on the machine directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf). The priorities to us are fast recording speed with accurate reading of trace files and event data. > -- Steve
On Tue, 9 Nov 2021 12:14:32 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > The ftrace probe will have a blob even after optimization due to the copy > into the ring buffer (assuming we can discard it if it violates a policy). Yes it can be discarded. In fact, when filtering is enabled, it tries to first use a temporary per cpu buffer to do the filtering and not write it into the ring buffer. Only when it passes the filter does it get injected. For user events that happen in user context, it will always use this temp buffer. But since there's only buffer per CPU, if an interrupt comes in and executes a filtered event, it will use the ring buffer itself, and discard it if it does not match. > > > That is, the reading of the trace file? > > > > We really need to ensure that data can be analyzed on the machine > directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf). > > The priorities to us are fast recording speed with accurate reading of trace > files and event data. OK, then it probably isn't an issue to add checks to the parsing of the dynamic arrays (including strings) that makes sure the string is within bounds for the filtering. -- Steve
On Tue, Nov 09, 2021 at 03:45:20PM -0500, Steven Rostedt wrote: > On Tue, 9 Nov 2021 12:14:32 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > The ftrace probe will have a blob even after optimization due to the copy > > into the ring buffer (assuming we can discard it if it violates a policy). > > Yes it can be discarded. In fact, when filtering is enabled, it tries to > first use a temporary per cpu buffer to do the filtering and not write it > into the ring buffer. Only when it passes the filter does it get injected. > > For user events that happen in user context, it will always use this temp > buffer. But since there's only buffer per CPU, if an interrupt comes in and > executes a filtered event, it will use the ring buffer itself, and discard > it if it does not match. > > > > > > That is, the reading of the trace file? > > > > > > > We really need to ensure that data can be analyzed on the machine > > directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf). > > > > The priorities to us are fast recording speed with accurate reading of trace > > files and event data. > > OK, then it probably isn't an issue to add checks to the parsing of the > dynamic arrays (including strings) that makes sure the string is within > bounds for the filtering. > > -- Steve Where were you thinking the filtering would occur? In the filter / histogram predicates or in user_events directly before buffer commit? Thanks, -Beau
On Tue, 9 Nov 2021 13:27:56 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > Where were you thinking the filtering would occur? In the filter / > histogram predicates or in user_events directly before buffer commit? In the predicates. But we only care about the dynamic array ones. -- Steve
On Tue, 9 Nov 2021 11:08:44 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > I'd like to know if I do fix them that the features like filtering will still > > > be available to user_events or if it's better to just add flags to disable > > > kernel filtering? > > > > I would rather like that the filters will be available on the user_events. > > > > My question is that you need to log the dynamic data or strings via user- > > events or not. Since the other user-events, like SDT doesn't support the > > string variables to trace, I guess that is not a high priority. > > > > Moreover, since now we can use eprobes, if user event records the address of > > user-string, the eprobes can fetch it. > > > > So, my suggestion is implmenting with fixed-size parameters as the first step > > and keep filter/histograms/eprobes available on the user-events. > > If you find any performance issue, you can expand the user-events to support > > dynamic (array) data and strings. > > > > We need strings to be able to be emitted and recorded in eBPF, perf and > ftrace. So I would rather go after a solution that lets us keep these in > the ring buffers, even if it means a perf hit. OK, my concern is based on the current implementation, so in that case you can add some additional verification. That is good. > Guess what's left is to where the best place to check is, checking in > the filter with unsafe flags would let us keep most of the perf (we just > check the undersize case, 1 branch). When these unsafe types are > filtered then a perf tax is imposed to keep things safe. I would like to keep verifying in writer side then we can ensure the data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe flag, you have to change all the code which access the ring buffer, not only the filter but also eprobes, histograms, perf-tools, and other user-space tracing tools which reads the tracing buffer directly. > It sounded like Steven wanted to think about this a bit, so I'll wait a > bit before poking again for consensus :) > > Do you have any strong feelings about where it goes? I recommend you to start verifying the writer side, it should make the change as small as possible. Unsafe flag idea may involve many other tools. And it is not fundamentary required for user-events. Thank you,
On Wed, Nov 10, 2021 at 10:56:30PM +0900, Masami Hiramatsu wrote: > On Tue, 9 Nov 2021 11:08:44 -0800 > Beau Belgrave <beaub@linux.microsoft.com> wrote: > I would like to keep verifying in writer side then we can ensure the > data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe > flag, you have to change all the code which access the ring buffer, not only > the filter but also eprobes, histograms, perf-tools, and other user-space > tracing tools which reads the tracing buffer directly. > > > It sounded like Steven wanted to think about this a bit, so I'll wait a > > bit before poking again for consensus :) > > > > Do you have any strong feelings about where it goes? > > I recommend you to start verifying the writer side, it should make the > change as small as possible. Unsafe flag idea may involve many other > tools. And it is not fundamentary required for user-events. > > Thank you, > > -- > Masami Hiramatsu <mhiramat@kernel.org> Ok, I will start there. Are static string buffers required as well for the null check? Or is this only for dyn strings that require the check? Also, I am assuming that __rel_loc offset is based after the __rel_loc payload, IE: Offset 0 of __rel_loc is immediately after the 4 byte __rel_loc description? Thanks, -Beau
On Thu, 11 Nov 2021 09:33:34 -0800 Beau Belgrave <beaub@linux.microsoft.com> wrote: > On Wed, Nov 10, 2021 at 10:56:30PM +0900, Masami Hiramatsu wrote: > > On Tue, 9 Nov 2021 11:08:44 -0800 > > Beau Belgrave <beaub@linux.microsoft.com> wrote: > > > I would like to keep verifying in writer side then we can ensure the > > data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe > > flag, you have to change all the code which access the ring buffer, not only > > the filter but also eprobes, histograms, perf-tools, and other user-space > > tracing tools which reads the tracing buffer directly. > > > > > It sounded like Steven wanted to think about this a bit, so I'll wait a > > > bit before poking again for consensus :) > > > > > > Do you have any strong feelings about where it goes? > > > > I recommend you to start verifying the writer side, it should make the > > change as small as possible. Unsafe flag idea may involve many other > > tools. And it is not fundamentary required for user-events. > > > > Thank you, > > > > -- > > Masami Hiramatsu <mhiramat@kernel.org> > > Ok, I will start there. > > Are static string buffers required as well for the null check? > > Or is this only for dyn strings that require the check? Good question! The dynamic strings is ensured to be null-terminated, but the static string is not because the size is fixed (at least event filter checked that.) BTW, I found that the hist_triger_elt_update() doesn't check the field size for fixed-size string (only use STR_VAR_LEN_MAX to limit.) It seems buggy if the fixed-size char [] field is not null terminated. (e.g. it is used for storing array-data) Let me fix that. > Also, I am assuming that __rel_loc offset is based after the __rel_loc > payload, IE: Offset 0 of __rel_loc is immediately after the 4 byte > __rel_loc description? Yes, so if the field is the last one, the offset can be 0. Thank you,
diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig index 3ee23f4d437f..deaaad421be4 100644 --- a/kernel/trace/Kconfig +++ b/kernel/trace/Kconfig @@ -725,6 +725,21 @@ config SYNTH_EVENTS If in doubt, say N. +config USER_EVENTS + bool "User trace events" + select TRACING + select DYNAMIC_EVENTS + default n + help + User trace events are user-defined trace events that + can be used like an existing kernel trace event. User trace + events are generated by writing to a tracefs file. User + processes can determine if their tracing events should be + generated by memory mapping a tracefs file and checking for + an associated byte being non-zero. + + If in doubt, say N. + config HIST_TRIGGERS bool "Histogram triggers" depends on ARCH_HAVE_NMI_SAFE_CMPXCHG diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile index b1c47ccf4f73..a653b255e89c 100644 --- a/kernel/trace/Makefile +++ b/kernel/trace/Makefile @@ -80,6 +80,7 @@ obj-$(CONFIG_EVENT_TRACING) += trace_events_trigger.o obj-$(CONFIG_TRACE_EVENT_INJECT) += trace_events_inject.o obj-$(CONFIG_SYNTH_EVENTS) += trace_events_synth.o obj-$(CONFIG_HIST_TRIGGERS) += trace_events_hist.o +obj-$(CONFIG_USER_EVENTS) += trace_events_user.o obj-$(CONFIG_BPF_EVENTS) += bpf_trace.o obj-$(CONFIG_KPROBE_EVENTS) += trace_kprobe.o obj-$(CONFIG_TRACEPOINTS) += error_report-traces.o diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c new file mode 100644 index 000000000000..a68017ad7fdd --- /dev/null +++ b/kernel/trace/trace_events_user.c @@ -0,0 +1,1140 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Copyright (c) 2021, Microsoft Corporation. + * + * Authors: + * Beau Belgrave <beaub@linux.microsoft.com> + */ + +#include <linux/bitmap.h> +#include <linux/cdev.h> +#include <linux/hashtable.h> +#include <linux/list.h> +#include <linux/io.h> +#include <linux/uio.h> +#include <linux/ioctl.h> +#include <linux/jhash.h> +#include <linux/trace_events.h> +#include <linux/tracefs.h> +#include <linux/types.h> +#include <linux/uaccess.h> +#include <uapi/linux/user_events.h> +#include "trace.h" +#include "trace_dynevent.h" + +#define USER_EVENTS_PREFIX_LEN (sizeof(USER_EVENTS_PREFIX)-1) + +#define FIELD_DEPTH_TYPE 0 +#define FIELD_DEPTH_NAME 1 +#define FIELD_DEPTH_SIZE 2 + +/* + * Limits how many trace_event calls user processes can create: + * Must be multiple of PAGE_SIZE. + */ +#define MAX_PAGES 1 +#define MAX_EVENTS (MAX_PAGES * PAGE_SIZE) + +/* Limit how long of an event name plus args within the subsystem. */ +#define MAX_EVENT_DESC 512 +#define EVENT_NAME(user_event) ((user_event)->tracepoint.name) + +static char *register_page_data; + +static DEFINE_MUTEX(reg_mutex); +static DEFINE_HASHTABLE(register_table, 4); +static DECLARE_BITMAP(page_bitmap, MAX_EVENTS); + +struct user_event { + struct tracepoint tracepoint; + struct trace_event_call call; + struct trace_event_class class; + struct dyn_event devent; + struct hlist_node node; + struct list_head fields; + atomic_t refcnt; + int index; + int flags; +}; + +struct user_event_refs { + struct rcu_head rcu; + int count; + struct user_event *events[]; +}; + +typedef void (*user_event_func_t) (struct user_event *user, + void *data, u32 datalen, + void *tpdata); + +static int user_event_parse(char *name, char *args, char *flags, + struct user_event **newuser); + +static u32 user_event_key(char *name) +{ + return jhash(name, strlen(name), 0); +} + +static struct list_head *user_event_get_fields(struct trace_event_call *call) +{ + struct user_event *user = (struct user_event *)call->data; + + return &user->fields; +} + +/* + * Parses a register command for user_events + * Format: event_name[:FLAG1[,FLAG2...]] [field1[;field2...]] + * + * Example event named test with a 20 char msg field with a unsigned int after: + * test char[20] msg;unsigned int id + * + * NOTE: Offsets are from the user data perspective, they are not from the + * trace_entry/buffer perspective. We automatically add the common properties + * sizes to the offset for the user. + */ +static int user_event_parse_cmd(char *raw_command, struct user_event **newuser) +{ + char *name = raw_command; + char *args = strpbrk(name, " "); + char *flags; + + if (args) + *args++ = 0; + + flags = strpbrk(name, ":"); + + if (flags) + *flags++ = 0; + + return user_event_parse(name, args, flags, newuser); +} + +static int user_field_array_size(const char *type) +{ + const char *start = strchr(type, '['); + int size = 0; + + if (start == NULL) + return -EINVAL; + + start++; + + while (*start >= '0' && *start <= '9') + size = (size * 10) + (*start++ - '0'); + + if (*start != ']') + return -EINVAL; + + return size; +} + +static int user_field_size(const char *type) +{ + /* long is not allowed from a user, since it's ambigious in size */ + if (strcmp(type, "s64") == 0) + return sizeof(s64); + if (strcmp(type, "u64") == 0) + return sizeof(u64); + if (strcmp(type, "s32") == 0) + return sizeof(s32); + if (strcmp(type, "u32") == 0) + return sizeof(u32); + if (strcmp(type, "int") == 0) + return sizeof(int); + if (strcmp(type, "unsigned int") == 0) + return sizeof(unsigned int); + if (strcmp(type, "s16") == 0) + return sizeof(s16); + if (strcmp(type, "u16") == 0) + return sizeof(u16); + if (strcmp(type, "short") == 0) + return sizeof(short); + if (strcmp(type, "unsigned short") == 0) + return sizeof(unsigned short); + if (strcmp(type, "s8") == 0) + return sizeof(s8); + if (strcmp(type, "u8") == 0) + return sizeof(u8); + if (strcmp(type, "char") == 0) + return sizeof(char); + if (strcmp(type, "unsigned char") == 0) + return sizeof(unsigned char); + if (strstr(type, "char[") == type) + return user_field_array_size(type); + if (strstr(type, "unsigned char[") == type) + return user_field_array_size(type); + if (strstr(type, "__data_loc ") == type) + return sizeof(u32); + if (strstr(type, "__rel_loc ") == type) + return sizeof(u32); + + /* Uknown basic type, error */ + return -EINVAL; +} + +static void user_event_destroy_fields(struct user_event *user) +{ + struct ftrace_event_field *field, *next; + struct list_head *head = &user->fields; + + list_for_each_entry_safe(field, next, head, link) { + list_del(&field->link); + kfree(field); + } +} + +static int user_event_add_field(struct user_event *user, const char *type, + const char *name, int offset, int size, + int is_signed, int filter_type) +{ + struct ftrace_event_field *field; + + field = kmalloc(sizeof(*field), GFP_KERNEL); + + if (!field) + return -ENOMEM; + + field->type = type; + field->name = name; + field->offset = offset; + field->size = size; + field->is_signed = is_signed; + field->filter_type = filter_type; + + list_add(&field->link, &user->fields); + + return 0; +} + +/* + * Parses the values of a field within the description + * Format: type name [size] + */ +static int user_event_parse_field(char *field, struct user_event *user, + u32 *offset) +{ + char *part, *type, *name; + u32 depth = 0, saved_offset = *offset; + int size = -EINVAL; + bool is_struct = false; + + field = skip_spaces(field); + + if (*field == 0) + return 0; + + /* Handle types that have a space within */ + if (strstr(field, "unsigned ") == field) { + type = field; + field = strpbrk(field + sizeof("unsigned"), " "); + goto skip_next; + } else if (strstr(field, "struct ") == field) { + type = field; + field = strpbrk(field + sizeof("struct"), " "); + is_struct = true; + goto skip_next; + } else if (strstr(field, "__data_loc unsigned ") == field) { + type = field; + field = strpbrk(field + sizeof("__data_loc unsigned"), " "); + goto skip_next; + } else if (strstr(field, "__data_loc ") == field) { + type = field; + field = strpbrk(field + sizeof("__data_loc"), " "); + goto skip_next; + } else if (strstr(field, "__rel_loc unsigned ") == field) { + type = field; + field = strpbrk(field + sizeof("__rel_loc unsigned"), " "); + goto skip_next; + } else if (strstr(field, "__rel_loc ") == field) { + type = field; + field = strpbrk(field + sizeof("__rel_loc"), " "); + goto skip_next; + } + goto parse; +skip_next: + if (field == NULL) + return -EINVAL; + + *field++ = 0; + depth++; +parse: + while ((part = strsep(&field, " ")) != NULL) { + switch (depth++) { + case FIELD_DEPTH_TYPE: + type = part; + break; + case FIELD_DEPTH_NAME: + name = part; + break; + case FIELD_DEPTH_SIZE: + if (!is_struct) + return -EINVAL; + + if (kstrtou32(part, 10, &size)) + return -EINVAL; + break; + default: + return -EINVAL; + } + } + + if (depth < FIELD_DEPTH_SIZE) + return -EINVAL; + + if (depth == FIELD_DEPTH_SIZE) + size = user_field_size(type); + + if (size == 0) + return -EINVAL; + + if (size < 0) + return size; + + *offset = saved_offset + size; + + return user_event_add_field(user, type, name, saved_offset, size, + type[0] != 'u', FILTER_OTHER); +} + +static void user_event_parse_flags(struct user_event *user, char *flags) +{ + char *flag; + + if (flags == NULL) + return; + + while ((flag = strsep(&flags, ",")) != NULL) { + if (strcmp(flag, "BPF_ITER") == 0) + user->flags |= FLAG_BPF_ITER; + } +} + +static int user_event_parse_fields(struct user_event *user, char *args) +{ + char *field; + u32 offset = sizeof(struct trace_entry); + int ret = -EINVAL; + + if (args == NULL) + return 0; + + while ((field = strsep(&args, ";")) != NULL) { + ret = user_event_parse_field(field, user, &offset); + + if (ret) + break; + } + + return ret; +} + +static struct trace_event_fields user_event_fields_array[] = { + {} +}; + +static enum print_line_t user_event_print_trace(struct trace_iterator *iter, + int flags, + struct trace_event *event) +{ + /* Unsafe to try to decode user provided print_fmt, use hex */ + trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16, + 1, iter->ent, iter->ent_size, true); + + return trace_handle_return(&iter->seq); +} + +static struct trace_event_functions user_event_funcs = { + .trace = user_event_print_trace, +}; + +static int destroy_user_event(struct user_event *user) +{ + int ret = 0; + + /* Must destroy fields before call removal */ + user_event_destroy_fields(user); + + ret = trace_remove_event_call(&user->call); + + if (ret) + return ret; + + dyn_event_remove(&user->devent); + + register_page_data[user->index] = 0; + clear_bit(user->index, page_bitmap); + hash_del(&user->node); + + kfree(EVENT_NAME(user)); + kfree(user); + + return ret; +} + +static struct user_event *find_user_event(char *name, u32 *outkey) +{ + struct user_event *user; + u32 key = user_event_key(name); + + *outkey = key; + + hash_for_each_possible(register_table, user, node, key) + if (!strcmp(EVENT_NAME(user), name)) + return user; + + return NULL; +} + +/* + * Writes the user supplied payload out to a trace file. + */ +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen, + void *tpdata) +{ + struct trace_event_file *file; + struct trace_entry *entry; + struct trace_event_buffer event_buffer; + + file = (struct trace_event_file *)tpdata; + + if (!file || + !(file->flags & EVENT_FILE_FL_ENABLED) || + trace_trigger_soft_disabled(file)) + return; + + entry = trace_event_buffer_reserve(&event_buffer, file, + sizeof(*entry) + datalen); + + if (unlikely(!entry)) + return; + + memcpy(entry + 1, data, datalen); + + trace_event_buffer_commit(&event_buffer); +} + +/* + * Update the register page that is shared between user processes. + */ +static void update_reg_page_for(struct user_event *user) +{ + struct tracepoint *tp = &user->tracepoint; + char status = 0; + + if (atomic_read(&tp->key.enabled) > 0) { + struct tracepoint_func *probe_func_ptr; + user_event_func_t probe_func; + + rcu_read_lock_sched(); + + probe_func_ptr = rcu_dereference_sched(tp->funcs); + + if (probe_func_ptr) { + do { + probe_func = probe_func_ptr->func; + + if (probe_func == user_event_ftrace) + status |= EVENT_STATUS_FTRACE; + else + status |= EVENT_STATUS_OTHER; + } while ((++probe_func_ptr)->func); + } + + rcu_read_unlock_sched(); + } + + register_page_data[user->index] = status; +} + +/* + * Register callback for our events from tracing sub-systems. + */ +static int user_event_reg(struct trace_event_call *call, + enum trace_reg type, + void *data) +{ + struct user_event *user = (struct user_event *)call->data; + int ret = 0; + + if (!user) + return -ENOENT; + + switch (type) { + case TRACE_REG_REGISTER: + ret = tracepoint_probe_register(call->tp, + call->class->probe, + data); + if (!ret) + goto inc; + break; + + case TRACE_REG_UNREGISTER: + tracepoint_probe_unregister(call->tp, + call->class->probe, + data); + goto dec; + +#ifdef CONFIG_PERF_EVENTS + case TRACE_REG_PERF_REGISTER: + case TRACE_REG_PERF_UNREGISTER: + case TRACE_REG_PERF_OPEN: + case TRACE_REG_PERF_CLOSE: + case TRACE_REG_PERF_ADD: + case TRACE_REG_PERF_DEL: + break; +#endif + } + + return ret; +inc: + atomic_inc(&user->refcnt); + update_reg_page_for(user); + return 0; +dec: + update_reg_page_for(user); + atomic_dec(&user->refcnt); + return 0; +} + +static int user_event_create(const char *raw_command) +{ + struct user_event *user; + char *name; + int ret; + + if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command) + return -ECANCELED; + + raw_command += USER_EVENTS_PREFIX_LEN; + raw_command = skip_spaces(raw_command); + + name = kstrdup(raw_command, GFP_KERNEL); + + if (!name) + return -ENOMEM; + + mutex_lock(®_mutex); + ret = user_event_parse_cmd(name, &user); + mutex_unlock(®_mutex); + + return ret; +} + +static int user_event_show(struct seq_file *m, struct dyn_event *ev) +{ + struct user_event *user = container_of(ev, struct user_event, devent); + struct ftrace_event_field *field, *next; + struct list_head *head; + int depth = 0; + + seq_printf(m, "%s%s", USER_EVENTS_PREFIX, EVENT_NAME(user)); + + head = trace_get_fields(&user->call); + + list_for_each_entry_safe_reverse(field, next, head, link) { + if (depth == 0) + seq_puts(m, " "); + else + seq_puts(m, "; "); + seq_printf(m, "%s %s", field->type, field->name); + depth++; + } + + seq_puts(m, "\n"); + + return 0; +} + +static bool user_event_is_busy(struct dyn_event *ev) +{ + struct user_event *user = container_of(ev, struct user_event, devent); + + return atomic_read(&user->refcnt) != 0; +} + +static int user_event_free(struct dyn_event *ev) +{ + struct user_event *user = container_of(ev, struct user_event, devent); + + return destroy_user_event(user); +} + +static bool user_event_match(const char *system, const char *event, + int argc, const char **argv, struct dyn_event *ev) +{ + struct user_event *user = container_of(ev, struct user_event, devent); + + return strcmp(EVENT_NAME(user), event) == 0 && + (!system || strcmp(system, USER_EVENTS_SYSTEM) == 0); +} + +static struct dyn_event_operations user_event_dops = { + .create = user_event_create, + .show = user_event_show, + .is_busy = user_event_is_busy, + .free = user_event_free, + .match = user_event_match, +}; + +static int user_event_trace_register(struct user_event *user) +{ + int ret; + + ret = register_trace_event(&user->call.event); + + if (!ret) + return -ENODEV; + + ret = trace_add_event_call(&user->call); + + if (ret) + unregister_trace_event(&user->call.event); + + return ret; +} + +/* + * Parses the event name, arguments and flags then registers if successful. + */ +static int user_event_parse(char *name, char *args, char *flags, + struct user_event **newuser) +{ + int ret; + int index; + u32 key; + struct user_event *user = find_user_event(name, &key); + + if (user) { + *newuser = user; + ret = 0; + goto put_name; + } + + index = find_first_zero_bit(page_bitmap, MAX_EVENTS); + + if (index == MAX_EVENTS) { + ret = -EMFILE; + goto put_name; + } + + user = kzalloc(sizeof(*user), GFP_KERNEL); + + if (!user) { + ret = -ENOMEM; + goto put_name; + } + + INIT_LIST_HEAD(&user->class.fields); + INIT_LIST_HEAD(&user->fields); + + user->tracepoint.name = name; + + user_event_parse_flags(user, flags); + + ret = user_event_parse_fields(user, args); + + if (ret) + goto put_user; + + /* Minimal print format */ + user->call.print_fmt = "\"\""; + + user->call.data = user; + user->call.class = &user->class; + user->call.name = name; + user->call.flags = TRACE_EVENT_FL_TRACEPOINT; + user->call.tp = &user->tracepoint; + user->call.event.funcs = &user_event_funcs; + + user->class.system = USER_EVENTS_SYSTEM; + user->class.fields_array = user_event_fields_array; + user->class.get_fields = user_event_get_fields; + user->class.reg = user_event_reg; + user->class.probe = user_event_ftrace; + + mutex_lock(&event_mutex); + ret = user_event_trace_register(user); + mutex_unlock(&event_mutex); + + if (ret) + goto put_user; + + user->index = index; + dyn_event_init(&user->devent, &user_event_dops); + dyn_event_add(&user->devent); + set_bit(user->index, page_bitmap); + hash_add(register_table, &user->node, key); + + *newuser = user; + return 0; +put_user: + user_event_destroy_fields(user); + kfree(user); +put_name: + kfree(name); + return ret; +} + +/* + * Deletes a previously created event if it is no longer being used. + */ +static int delete_user_event(char *name) +{ + u32 key; + int ret; + struct user_event *user = find_user_event(name, &key); + + if (!user) + return -ENOENT; + + if (atomic_read(&user->refcnt) != 0) + return -EBUSY; + + mutex_lock(&event_mutex); + ret = destroy_user_event(user); + mutex_unlock(&event_mutex); + + return ret; +} + +/* + * Validates the user payload and writes via iterator. + */ +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i) +{ + struct user_event_refs *refs; + struct user_event *user = NULL; + struct tracepoint *tp; + ssize_t ret = i->count; + int idx; + + if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx))) + return -EFAULT; + + rcu_read_lock_sched(); + + refs = rcu_dereference_sched(file->private_data); + + if (likely(refs && idx < refs->count)) + user = refs->events[idx]; + + rcu_read_unlock_sched(); + + if (unlikely(user == NULL)) + return -ENOENT; + + tp = &user->tracepoint; + + if (likely(atomic_read(&tp->key.enabled) > 0)) { + struct tracepoint_func *probe_func_ptr; + user_event_func_t probe_func; + void *tpdata; + void *kdata; + u32 datalen; + + kdata = kmalloc(i->count, GFP_KERNEL); + + if (unlikely(!kdata)) + return -ENOMEM; + + datalen = copy_from_iter(kdata, i->count, i); + + rcu_read_lock_sched(); + + probe_func_ptr = rcu_dereference_sched(tp->funcs); + + if (probe_func_ptr) { + do { + probe_func = probe_func_ptr->func; + tpdata = probe_func_ptr->data; + probe_func(user, kdata, datalen, tpdata); + } while ((++probe_func_ptr)->func); + } + + rcu_read_unlock_sched(); + + kfree(kdata); + } + + return ret; +} + +static ssize_t user_events_write(struct file *file, const char __user *ubuf, + size_t count, loff_t *ppos) +{ + struct iovec iov; + struct iov_iter i; + + if (unlikely(*ppos != 0)) + return -EFAULT; + + if (unlikely(import_single_range(READ, (char *)ubuf, count, &iov, &i))) + return -EFAULT; + + return user_events_write_core(file, &i); +} + +static ssize_t user_events_write_iter(struct kiocb *kp, struct iov_iter *i) +{ + return user_events_write_core(kp->ki_filp, i); +} + +static int user_events_ref_add(struct file *file, struct user_event *user) +{ + struct user_event_refs *refs, *new_refs; + int i, size, count = 0; + + rcu_read_lock_sched(); + refs = rcu_dereference_sched(file->private_data); + rcu_read_unlock_sched(); + + if (refs) { + count = refs->count; + + for (i = 0; i < count; ++i) + if (refs->events[i] == user) + return i; + } + + size = sizeof(*refs) + (sizeof(struct user_event *) * (count + 1)); + + new_refs = kzalloc(size, GFP_KERNEL); + + if (!new_refs) + return -ENOMEM; + + new_refs->count = count + 1; + + for (i = 0; i < count; ++i) + new_refs->events[i] = refs->events[i]; + + new_refs->events[i] = user; + + atomic_inc(&user->refcnt); + + rcu_assign_pointer(file->private_data, new_refs); + + if (refs) + kfree_rcu(refs, rcu); + + return i; +} + +static long user_reg_get(struct user_reg __user *ureg, struct user_reg *kreg) +{ + u32 size; + long ret; + + ret = get_user(size, &ureg->size); + + if (ret) + return ret; + + if (size > PAGE_SIZE) + return -E2BIG; + + return copy_struct_from_user(kreg, sizeof(*kreg), ureg, size); +} + +/* + * Registers a user_event on behalf of a user process. + */ +static long user_events_ioctl_reg(struct file *file, unsigned long uarg) +{ + struct user_reg __user *ureg = (struct user_reg __user *)uarg; + struct user_reg reg; + struct user_event *user; + char *name; + long ret; + + ret = user_reg_get(ureg, ®); + + if (ret) + return ret; + + name = strndup_user((const char __user *)(uintptr_t)reg.name_args, + MAX_EVENT_DESC); + + if (IS_ERR(name)) { + ret = PTR_ERR(name); + return ret; + } + + ret = user_event_parse_cmd(name, &user); + + if (ret < 0) + return ret; + + ret = user_events_ref_add(file, user); + + if (ret < 0) + return ret; + + put_user((u32)ret, &ureg->write_index); + put_user(user->index, &ureg->status_index); + + return 0; +} + +/* + * Deletes a user_event on behalf of a user process. + */ +static long user_events_ioctl_del(struct file *file, unsigned long uarg) +{ + void __user *ubuf = (void __user *)uarg; + char *name; + long ret; + + name = strndup_user(ubuf, MAX_EVENT_DESC); + + if (IS_ERR(name)) + return PTR_ERR(name); + + ret = delete_user_event(name); + + kfree(name); + + return ret; +} + +/* + * Handles the ioctl from user mode to register or alter operations. + */ +static long user_events_ioctl(struct file *file, unsigned int cmd, + unsigned long uarg) +{ + long ret = -ENOTTY; + + switch (cmd) { + case DIAG_IOCSREG: + mutex_lock(®_mutex); + ret = user_events_ioctl_reg(file, uarg); + mutex_unlock(®_mutex); + break; + + case DIAG_IOCSDEL: + mutex_lock(®_mutex); + ret = user_events_ioctl_del(file, uarg); + mutex_unlock(®_mutex); + break; + } + + return ret; +} + +/* + * Handles the final close of the file from user mode. + */ +static int user_events_release(struct inode *node, struct file *file) +{ + struct user_event_refs *refs; + struct user_event *user; + int i; + + rcu_read_lock_sched(); + refs = rcu_dereference_sched(file->private_data); + rcu_read_unlock_sched(); + + if (!refs) + goto out; + + for (i = 0; i < refs->count; ++i) { + user = refs->events[i]; + + if (user) + atomic_dec(&user->refcnt); + } + + kfree_rcu(refs, rcu); +out: + return 0; +} + +static const struct file_operations user_data_fops = { + .write = user_events_write, + .write_iter = user_events_write_iter, + .unlocked_ioctl = user_events_ioctl, + .release = user_events_release, +}; + +/* + * Maps the shared page into the user process for checking if event is enabled. + */ +static int user_status_mmap(struct file *file, struct vm_area_struct *vma) +{ + unsigned long size = vma->vm_end - vma->vm_start; + + if (size != MAX_EVENTS) + return -EINVAL; + + return remap_pfn_range(vma, vma->vm_start, + virt_to_phys(register_page_data) >> PAGE_SHIFT, + size, vm_get_page_prot(VM_READ)); +} + +static int user_status_show(struct seq_file *m, void *p) +{ + struct user_event *user; + char status; + int i, active = 0, busy = 0, flags; + + mutex_lock(®_mutex); + + hash_for_each(register_table, i, user, node) { + status = register_page_data[user->index]; + flags = user->flags; + + seq_printf(m, "%d:%s", user->index, EVENT_NAME(user)); + + if (flags != 0 || status != 0) + seq_puts(m, " #"); + + if (status != 0) { + seq_puts(m, " Used by"); + if (status & EVENT_STATUS_FTRACE) + seq_puts(m, " ftrace"); + if (status & EVENT_STATUS_PERF) + seq_puts(m, " perf"); + if (status & EVENT_STATUS_OTHER) + seq_puts(m, " other"); + busy++; + } + + if (flags & FLAG_BPF_ITER) + seq_puts(m, " FLAG:BPF_ITER"); + + seq_puts(m, "\n"); + active++; + } + + mutex_unlock(®_mutex); + + seq_puts(m, "\n"); + seq_printf(m, "Active: %d\n", active); + seq_printf(m, "Busy: %d\n", busy); + seq_printf(m, "Max: %ld\n", MAX_EVENTS); + + return 0; +} + +static ssize_t user_status_read(struct file *file, char __user *ubuf, + size_t count, loff_t *ppos) +{ + /* + * Delay allocation of seq data until requested, most callers + * will never read the status file. They will only mmap. + */ + if (file->private_data == NULL) { + int ret; + + if (*ppos != 0) + return -EINVAL; + + ret = single_open(file, user_status_show, NULL); + + if (ret) + return ret; + } + + return seq_read(file, ubuf, count, ppos); +} + +static loff_t user_status_seek(struct file *file, loff_t offset, int whence) +{ + if (file->private_data == NULL) + return 0; + + return seq_lseek(file, offset, whence); +} + +static int user_status_release(struct inode *node, struct file *file) +{ + if (file->private_data == NULL) + return 0; + + return single_release(node, file); +} + +static const struct file_operations user_status_fops = { + .mmap = user_status_mmap, + .read = user_status_read, + .llseek = user_status_seek, + .release = user_status_release, +}; + +/* + * Creates a set of tracefs files to allow user mode interactions. + */ +static int create_user_tracefs(void) +{ + struct dentry *edata, *emmap; + + edata = tracefs_create_file("user_events_data", 0644, NULL, + NULL, &user_data_fops); + + if (!edata) { + pr_warn("Could not create tracefs 'user_events_data' entry\n"); + goto err; + } + + /* mmap with MAP_SHARED requires writable fd */ + emmap = tracefs_create_file("user_events_status", 0644, NULL, + NULL, &user_status_fops); + + if (!emmap) { + tracefs_remove(edata); + pr_warn("Could not create tracefs 'user_events_mmap' entry\n"); + goto err; + } + + return 0; +err: + return -ENODEV; +} + +static void set_page_reservations(bool set) +{ + int page; + + for (page = 0; page < MAX_PAGES; ++page) { + void *addr = register_page_data + (PAGE_SIZE * page); + + if (set) + SetPageReserved(virt_to_page(addr)); + else + ClearPageReserved(virt_to_page(addr)); + } +} + +static int __init trace_events_user_init(void) +{ + int ret; + + /* Zero all bits beside 0 (which is reserved for failures) */ + bitmap_zero(page_bitmap, MAX_EVENTS); + set_bit(0, page_bitmap); + + register_page_data = kzalloc(MAX_EVENTS, GFP_KERNEL); + + if (!register_page_data) + return -ENOMEM; + + set_page_reservations(true); + + ret = create_user_tracefs(); + + if (ret) { + pr_warn("user_events could not register with tracefs\n"); + set_page_reservations(false); + kfree(register_page_data); + return ret; + } + + if (dyn_event_register(&user_event_dops)) + pr_warn("user_events could not register with dyn_events\n"); + + return 0; +} + +fs_initcall(trace_events_user_init);
Minimal support for interacting with dynamic events, trace_event and ftrace. Core outline of flow between user process, ioctl and trace_event APIs. Signed-off-by: Beau Belgrave <beaub@linux.microsoft.com> --- kernel/trace/Kconfig | 15 + kernel/trace/Makefile | 1 + kernel/trace/trace_events_user.c | 1140 ++++++++++++++++++++++++++++++ 3 files changed, 1156 insertions(+) create mode 100644 kernel/trace/trace_events_user.c