| Message ID | 154502884653.30629.3172839440883293817.stgit@devbox (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | arm64: kprobes: Fix blacklist checking on arm64 | expand |
Hi! On 17/12/2018 06:40, Masami Hiramatsu wrote: > Move extable address check into arch_prepare_kprobe() from > arch_within_kprobe_blacklist(). I'm trying to work out the pattern for what should go in the blacklist, and what should be rejected by the arch code. It seems address-ranges should be blacklisted as the contents don't matter. easy-example: the idmap text. The arch code should also reject instructions that can't be probed from arch_prepare_kprobe(). easy-example: exclusive load or store. > Please do not blacklisting instructions on exception_table, > since it is a kind of architectural unsupported instruction. This doesn't fit the pattern, ... what should it be? The instructions in the exception_table don't matter, its the address that indicates there is a fixup for page-faults that occur here. We don't need to look at the instruction to determine this, why can't we treated these as a blacklisted range? Thanks, James > diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c > index 2a5b338b2542..b2d4b7428ebc 100644 > --- a/arch/arm64/kernel/probes/kprobes.c > +++ b/arch/arm64/kernel/probes/kprobes.c > @@ -102,6 +102,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) > > if (in_exception_text(probe_addr)) > return -EINVAL; > + > + if (search_exception_tables(probe_addr)) > + return -EINVAL; > + > if (probe_addr >= (unsigned long) __start_rodata && > probe_addr <= (unsigned long) __end_rodata) > return -EINVAL; > @@ -477,8 +481,7 @@ bool arch_within_kprobe_blacklist(unsigned long addr) > (addr >= (unsigned long)__entry_text_start && > addr < (unsigned long)__entry_text_end) || > (addr >= (unsigned long)__idmap_text_start && > - addr < (unsigned long)__idmap_text_end) || > - !!search_exception_tables(addr)) > + addr < (unsigned long)__idmap_text_end)) > return true; > > if (!is_kernel_in_hyp_mode()) { >
On Thu, 3 Jan 2019 17:05:18 +0000 James Morse <james.morse@arm.com> wrote: > Hi! > > On 17/12/2018 06:40, Masami Hiramatsu wrote: > > Move extable address check into arch_prepare_kprobe() from > > arch_within_kprobe_blacklist(). > > I'm trying to work out the pattern for what should go in the blacklist, and what > should be rejected by the arch code. > > It seems address-ranges should be blacklisted as the contents don't matter. > easy-example: the idmap text. Yes, more precisely, the code smaller than a function (symbol), it must be rejected by arch_prepare_kprobe(), since blacklist is poplated based on kallsyms. > The arch code should also reject instructions that can't be probed from > arch_prepare_kprobe(). easy-example: exclusive load or store. > > > > Please do not blacklisting instructions on exception_table, > > since it is a kind of architectural unsupported instruction. > > This doesn't fit the pattern, ... what should it be? Some kind of instructions can not be instrumented by kprobes, such instruction level rejection must be done in arch_prepare_kprobe(), instead of blacklist. > The instructions in the exception_table don't matter, its the address that > indicates there is a fixup for page-faults that occur here. We don't need to > look at the instruction to determine this, why can't we treated these as a > blacklisted range? Sorry for your confusion, it was my mis-describing. As I pointed, the exception_table contains some range of code which inside functions, must be smaller than function. Since those instructions are expected to cause exception (that is main reason why it can not be probed on arm64), I thought such situation was similar to the limitation of instruction. So I think below will be better. ---- Please do not blacklisting instructions on exception_table, since those are smaller than one function. ---- Thank you, > > > Thanks, > > James > > > > diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c > > index 2a5b338b2542..b2d4b7428ebc 100644 > > --- a/arch/arm64/kernel/probes/kprobes.c > > +++ b/arch/arm64/kernel/probes/kprobes.c > > @@ -102,6 +102,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) > > > > if (in_exception_text(probe_addr)) > > return -EINVAL; > > + > > + if (search_exception_tables(probe_addr)) > > + return -EINVAL; > > + > > if (probe_addr >= (unsigned long) __start_rodata && > > probe_addr <= (unsigned long) __end_rodata) > > return -EINVAL; > > @@ -477,8 +481,7 @@ bool arch_within_kprobe_blacklist(unsigned long addr) > > (addr >= (unsigned long)__entry_text_start && > > addr < (unsigned long)__entry_text_end) || > > (addr >= (unsigned long)__idmap_text_start && > > - addr < (unsigned long)__idmap_text_end) || > > - !!search_exception_tables(addr)) > > + addr < (unsigned long)__idmap_text_end)) > > return true; > > > > if (!is_kernel_in_hyp_mode()) { > > >
Hi! On 08/01/2019 02:39, Masami Hiramatsu wrote: > On Thu, 3 Jan 2019 17:05:18 +0000 > James Morse <james.morse@arm.com> wrote: >> On 17/12/2018 06:40, Masami Hiramatsu wrote: >>> Move extable address check into arch_prepare_kprobe() from >>> arch_within_kprobe_blacklist(). >> >> I'm trying to work out the pattern for what should go in the blacklist, and what >> should be rejected by the arch code. >> >> It seems address-ranges should be blacklisted as the contents don't matter. >> easy-example: the idmap text. > > Yes, more precisely, the code smaller than a function (symbol), it must be > rejected by arch_prepare_kprobe(), since blacklist is poplated based on > kallsyms. Ah, okay, so the pattern is the blacklist should only be for whole symbols, (which explains why its usually based on sections). I see kprobe_add_ksym_blacklist() would go wrong if you give it something like: platform_drv_probe+0x50/0xb0, as it will log platform_drv_probe+0x50 as the start_addr and platform_drv_probe+0x50+0xb0 as the end. But how does anything from the arch code's blacklist get into the kprobe_blacklist list? We don't have an arch_populate_kprobe_blacklist(), so rely on within_kprobe_blacklist() calling arch_within_kprobe_blacklist() with the address, as well as walking kprobe_blacklist. Is this cleanup ahead of a series that does away with arch_within_kprobe_blacklist() so that debugfs list is always complete? > As I pointed, the exception_table contains some range of code which inside > functions, must be smaller than function. > Since those instructions are expected to cause exception (that is main reason > why it can not be probed on arm64), I thought such situation was similar to > the limitation of instruction. > > So I think below will be better. > ---- > Please do not blacklisting instructions on exception_table, > since those are smaller than one function. > ---- I keep tripping over this because the exception_table lists addresses that are allowed to fault. Nothing looks at the instruction, and we happily kprobe the same instruction elsewhere. (based on my assumptions about where you are going next!,), How about: | The blacklist is exposed via debugfs as a list of symbols. extable entries are | smaller, so must be filtered out by arch_prepare_kprobe(). (only we currently have more than one blacklist...) Thanks, James
Hi James, On Tue, 8 Jan 2019 17:13:36 +0000 James Morse <james.morse@arm.com> wrote: > Hi! > > On 08/01/2019 02:39, Masami Hiramatsu wrote: > > On Thu, 3 Jan 2019 17:05:18 +0000 > > James Morse <james.morse@arm.com> wrote: > >> On 17/12/2018 06:40, Masami Hiramatsu wrote: > >>> Move extable address check into arch_prepare_kprobe() from > >>> arch_within_kprobe_blacklist(). > >> > >> I'm trying to work out the pattern for what should go in the blacklist, and what > >> should be rejected by the arch code. > >> > >> It seems address-ranges should be blacklisted as the contents don't matter. > >> easy-example: the idmap text. > > > > Yes, more precisely, the code smaller than a function (symbol), it must be > > rejected by arch_prepare_kprobe(), since blacklist is poplated based on > > kallsyms. > > Ah, okay, so the pattern is the blacklist should only be for whole symbols, > (which explains why its usually based on sections). Correct. Actually, the blacklist is generated based on the symbol info from symbol address. > I see kprobe_add_ksym_blacklist() would go wrong if you give it something like: > platform_drv_probe+0x50/0xb0, as it will log platform_drv_probe+0x50 as the > start_addr and platform_drv_probe+0x50+0xb0 as the end. Yes, it expects given address is the entry of a symbol. > > But how does anything from the arch code's blacklist get into the > kprobe_blacklist list? It should be done via arch_populate_kprobe_blacklist(). > > We don't have an arch_populate_kprobe_blacklist(), so rely on > within_kprobe_blacklist() calling arch_within_kprobe_blacklist() with the > address, as well as walking kprobe_blacklist. > > Is this cleanup ahead of a series that does away with > arch_within_kprobe_blacklist() so that debugfs list is always complete? Right, after this cleanup, I will send arch_populate_kprobe_blacklist() patch for arm64 and others. My plan is to move all arch_within_kprobe_blacklist() to arch_populate_kprobe_blacklist() so that user can get more precise blacklist via debugfs. > > As I pointed, the exception_table contains some range of code which inside > > functions, must be smaller than function. > > Since those instructions are expected to cause exception (that is main reason > > why it can not be probed on arm64), I thought such situation was similar to > > the limitation of instruction. > > > > So I think below will be better. > > ---- > > Please do not blacklisting instructions on exception_table, > > since those are smaller than one function. > > ---- > > I keep tripping over this because the exception_table lists addresses that are > allowed to fault. Nothing looks at the instruction, and we happily kprobe the > same instruction elsewhere. Thanks! > > (based on my assumptions about where you are going next!,), How about: > | The blacklist is exposed via debugfs as a list of symbols. extable entries are > | smaller, so must be filtered out by arch_prepare_kprobe(). This looks much better for me too :) Should I resend with the description? Thank you! > > (only we currently have more than one blacklist...) > > > Thanks, > > James
Hi, On 09/01/2019 02:05, Masami Hiramatsu wrote: > On Tue, 8 Jan 2019 17:13:36 +0000 > James Morse <james.morse@arm.com> wrote: >> On 08/01/2019 02:39, Masami Hiramatsu wrote: >>> On Thu, 3 Jan 2019 17:05:18 +0000 >>> James Morse <james.morse@arm.com> wrote: >>>> On 17/12/2018 06:40, Masami Hiramatsu wrote: >>>>> Move extable address check into arch_prepare_kprobe() from >>>>> arch_within_kprobe_blacklist(). >>>> >>>> I'm trying to work out the pattern for what should go in the blacklist, and what >>>> should be rejected by the arch code. >>>> >>>> It seems address-ranges should be blacklisted as the contents don't matter. >>>> easy-example: the idmap text. >>> >>> Yes, more precisely, the code smaller than a function (symbol), it must be >>> rejected by arch_prepare_kprobe(), since blacklist is poplated based on >>> kallsyms. >> >> Ah, okay, so the pattern is the blacklist should only be for whole symbols, >> (which explains why its usually based on sections). > > Correct. Actually, the blacklist is generated based on the symbol info > from symbol address. > >> I see kprobe_add_ksym_blacklist() would go wrong if you give it something like: >> platform_drv_probe+0x50/0xb0, as it will log platform_drv_probe+0x50 as the >> start_addr and platform_drv_probe+0x50+0xb0 as the end. > > Yes, it expects given address is the entry of a symbol. >> But how does anything from the arch code's blacklist get into the >> kprobe_blacklist list? > > It should be done via arch_populate_kprobe_blacklist(). >> We don't have an arch_populate_kprobe_blacklist(), so rely on >> within_kprobe_blacklist() calling arch_within_kprobe_blacklist() with the >> address, as well as walking kprobe_blacklist. >> >> Is this cleanup ahead of a series that does away with >> arch_within_kprobe_blacklist() so that debugfs list is always complete? > > Right, after this cleanup, I will send arch_populate_kprobe_blacklist() > patch for arm64 and others. My plan is to move all arch_within_kprobe_blacklist() > to arch_populate_kprobe_blacklist() so that user can get more precise blacklist > via debugfs. Thanks, now it all makes sense! Reviewed-by: James Morse <james.morse@arm.com> Could you include a paragraph like that in the cover-letter or commit-message? The 'fix' in the cover-letter subject had me looking for the bug! Thanks, James
On Fri, 11 Jan 2019 18:22:38 +0000 James Morse <james.morse@arm.com> wrote: > Hi, > > On 09/01/2019 02:05, Masami Hiramatsu wrote: > > On Tue, 8 Jan 2019 17:13:36 +0000 > > James Morse <james.morse@arm.com> wrote: > >> On 08/01/2019 02:39, Masami Hiramatsu wrote: > >>> On Thu, 3 Jan 2019 17:05:18 +0000 > >>> James Morse <james.morse@arm.com> wrote: > >>>> On 17/12/2018 06:40, Masami Hiramatsu wrote: > >>>>> Move extable address check into arch_prepare_kprobe() from > >>>>> arch_within_kprobe_blacklist(). > >>>> > >>>> I'm trying to work out the pattern for what should go in the blacklist, and what > >>>> should be rejected by the arch code. > >>>> > >>>> It seems address-ranges should be blacklisted as the contents don't matter. > >>>> easy-example: the idmap text. > >>> > >>> Yes, more precisely, the code smaller than a function (symbol), it must be > >>> rejected by arch_prepare_kprobe(), since blacklist is poplated based on > >>> kallsyms. > >> > >> Ah, okay, so the pattern is the blacklist should only be for whole symbols, > >> (which explains why its usually based on sections). > > > > Correct. Actually, the blacklist is generated based on the symbol info > > from symbol address. > > > >> I see kprobe_add_ksym_blacklist() would go wrong if you give it something like: > >> platform_drv_probe+0x50/0xb0, as it will log platform_drv_probe+0x50 as the > >> start_addr and platform_drv_probe+0x50+0xb0 as the end. > > > > Yes, it expects given address is the entry of a symbol. > > >> But how does anything from the arch code's blacklist get into the > >> kprobe_blacklist list? > > > > It should be done via arch_populate_kprobe_blacklist(). > > >> We don't have an arch_populate_kprobe_blacklist(), so rely on > >> within_kprobe_blacklist() calling arch_within_kprobe_blacklist() with the > >> address, as well as walking kprobe_blacklist. > >> > >> Is this cleanup ahead of a series that does away with > >> arch_within_kprobe_blacklist() so that debugfs list is always complete? > > > > Right, after this cleanup, I will send arch_populate_kprobe_blacklist() > > patch for arm64 and others. My plan is to move all arch_within_kprobe_blacklist() > > to arch_populate_kprobe_blacklist() so that user can get more precise blacklist > > via debugfs. > > Thanks, now it all makes sense! > > Reviewed-by: James Morse <james.morse@arm.com> Thanks! > > > Could you include a paragraph like that in the cover-letter or commit-message? > The 'fix' in the cover-letter subject had me looking for the bug! Ok, I'll update commit message with your reviewed-by. Thank you! > > > Thanks, > > James
diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c index 2a5b338b2542..b2d4b7428ebc 100644 --- a/arch/arm64/kernel/probes/kprobes.c +++ b/arch/arm64/kernel/probes/kprobes.c @@ -102,6 +102,10 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) if (in_exception_text(probe_addr)) return -EINVAL; + + if (search_exception_tables(probe_addr)) + return -EINVAL; + if (probe_addr >= (unsigned long) __start_rodata && probe_addr <= (unsigned long) __end_rodata) return -EINVAL; @@ -477,8 +481,7 @@ bool arch_within_kprobe_blacklist(unsigned long addr) (addr >= (unsigned long)__entry_text_start && addr < (unsigned long)__entry_text_end) || (addr >= (unsigned long)__idmap_text_start && - addr < (unsigned long)__idmap_text_end) || - !!search_exception_tables(addr)) + addr < (unsigned long)__idmap_text_end)) return true; if (!is_kernel_in_hyp_mode()) {
Move extable address check into arch_prepare_kprobe() from arch_within_kprobe_blacklist(). Please do not blacklisting instructions on exception_table, since it is a kind of architectural unsupported instruction. Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> --- arch/arm64/kernel/probes/kprobes.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)