diff mbox series

[v4,02/10] user_events: Add minimal support for trace_event into ftrace

Message ID 20211104170433.2206-3-beaub@linux.microsoft.com (mailing list archive)
State Superseded
Headers show
Series user_events: Enable user processes to create and write to trace events | expand

Commit Message

Beau Belgrave Nov. 4, 2021, 5:04 p.m. UTC 
Minimal support for interacting with dynamic events, trace_event and
ftrace. Core outline of flow between user process, ioctl and trace_event
APIs.

Signed-off-by: Beau Belgrave <beaub@linux.microsoft.com>
---
 kernel/trace/Kconfig             |   15 +
 kernel/trace/Makefile            |    1 +
 kernel/trace/trace_events_user.c | 1140 ++++++++++++++++++++++++++++++
 3 files changed, 1156 insertions(+)
 create mode 100644 kernel/trace/trace_events_user.c

Comments

kernel test robot Nov. 4, 2021, 9:34 p.m. UTC | #1 
Hi Beau,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on rostedt-trace/for-next]
[also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
base:   https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next
config: powerpc-allmodconfig (attached as .config)
compiler: powerpc-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
        git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   kernel/trace/trace_events_user.c: In function 'user_event_parse':
>> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add'
     665 |         dyn_event_add(&user->devent);
         |         ^~~~~~~~~~~~~
   In file included from kernel/trace/trace_events_user.c:23:
   kernel/trace/trace_dynevent.h:79:19: note: declared here
      79 | static inline int dyn_event_add(struct dyn_event *ev,
         |                   ^~~~~~~~~~~~~


vim +/dyn_event_add +665 kernel/trace/trace_events_user.c

   596	
   597	/*
   598	 * Parses the event name, arguments and flags then registers if successful.
   599	 */
   600	static int user_event_parse(char *name, char *args, char *flags,
   601				    struct user_event **newuser)
   602	{
   603		int ret;
   604		int index;
   605		u32 key;
   606		struct user_event *user = find_user_event(name, &key);
   607	
   608		if (user) {
   609			*newuser = user;
   610			ret = 0;
   611			goto put_name;
   612		}
   613	
   614		index = find_first_zero_bit(page_bitmap, MAX_EVENTS);
   615	
   616		if (index == MAX_EVENTS) {
   617			ret = -EMFILE;
   618			goto put_name;
   619		}
   620	
   621		user = kzalloc(sizeof(*user), GFP_KERNEL);
   622	
   623		if (!user) {
   624			ret = -ENOMEM;
   625			goto put_name;
   626		}
   627	
   628		INIT_LIST_HEAD(&user->class.fields);
   629		INIT_LIST_HEAD(&user->fields);
   630	
   631		user->tracepoint.name = name;
   632	
   633		user_event_parse_flags(user, flags);
   634	
   635		ret = user_event_parse_fields(user, args);
   636	
   637		if (ret)
   638			goto put_user;
   639	
   640		/* Minimal print format */
   641		user->call.print_fmt = "\"\"";
   642	
   643		user->call.data = user;
   644		user->call.class = &user->class;
   645		user->call.name = name;
   646		user->call.flags = TRACE_EVENT_FL_TRACEPOINT;
   647		user->call.tp = &user->tracepoint;
   648		user->call.event.funcs = &user_event_funcs;
   649	
   650		user->class.system = USER_EVENTS_SYSTEM;
   651		user->class.fields_array = user_event_fields_array;
   652		user->class.get_fields = user_event_get_fields;
   653		user->class.reg = user_event_reg;
   654		user->class.probe = user_event_ftrace;
   655	
   656		mutex_lock(&event_mutex);
   657		ret = user_event_trace_register(user);
   658		mutex_unlock(&event_mutex);
   659	
   660		if (ret)
   661			goto put_user;
   662	
   663		user->index = index;
   664		dyn_event_init(&user->devent, &user_event_dops);
 > 665		dyn_event_add(&user->devent);
   666		set_bit(user->index, page_bitmap);
   667		hash_add(register_table, &user->node, key);
   668	
   669		*newuser = user;
   670		return 0;
   671	put_user:
   672		user_event_destroy_fields(user);
   673		kfree(user);
   674	put_name:
   675		kfree(name);
   676		return ret;
   677	}
   678	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Masami Hiramatsu (Google) Nov. 7, 2021, 2:31 p.m. UTC | #2 
Hi Beau,

At first, thanks for breaking down your patch into this series!

Now I found that a suspicious security design issue in this patch.

On Thu,  4 Nov 2021 10:04:25 -0700
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> +
> +static enum print_line_t user_event_print_trace(struct trace_iterator *iter,
> +						int flags,
> +						struct trace_event *event)
> +{
> +	/* Unsafe to try to decode user provided print_fmt, use hex */
> +	trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16,
> +				 1, iter->ent, iter->ent_size, true);

You said this is "Unsafe to try to decode user provided" here, because
this doesn't check the event data sanity, especially non-fixed size data.

However, it is not enough that you don't decode it here. Because synthetic
events (histograms) and event filters need to decode this recorded data entry
using the event format information.

This means this can cause a buffer overrun issue on the ring buffer, because
__data_loc (and __rel_loc too) can be compromised by the user.

If you want to just trace the user events with digit parameters, there is
a way to close this issue - support only the fixed size types (IOW, drop
__data_loc/rel_loc support) and always checks the 'length' of the written
data size. This ensures that those filters/synthetic events can access
those parameters as 'values'. Maybe eprobes still has to reject the user
events but the other parts will work well.

If you want to log some "string", it is hard. Maybe it needs a special
check when writing the event (address, length, and null termination.),
but it will increase the recording overhead.

Thank you,
Steven Rostedt Nov. 7, 2021, 6:18 p.m. UTC | #3 
On Thu,  4 Nov 2021 10:04:25 -0700
Beau Belgrave <beaub@linux.microsoft.com> wrote:
> index 000000000000..a68017ad7fdd
> --- /dev/null
> +++ b/kernel/trace/trace_events_user.c
> @@ -0,0 +1,1140 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Copyright (c) 2021, Microsoft Corporation.
> + *
> + * Authors:
> + *   Beau Belgrave <beaub@linux.microsoft.com>
> + */
> +
> +#include <linux/bitmap.h>
> +#include <linux/cdev.h>
> +#include <linux/hashtable.h>
> +#include <linux/list.h>
> +#include <linux/io.h>
> +#include <linux/uio.h>
> +#include <linux/ioctl.h>
> +#include <linux/jhash.h>
> +#include <linux/trace_events.h>
> +#include <linux/tracefs.h>
> +#include <linux/types.h>
> +#include <linux/uaccess.h>
> +#include <uapi/linux/user_events.h>
> +#include "trace.h"
> +#include "trace_dynevent.h"
> +
> +#define USER_EVENTS_PREFIX_LEN (sizeof(USER_EVENTS_PREFIX)-1)
> +
> +#define FIELD_DEPTH_TYPE 0
> +#define FIELD_DEPTH_NAME 1
> +#define FIELD_DEPTH_SIZE 2
> +
> +/*
> + * Limits how many trace_event calls user processes can create:
> + * Must be multiple of PAGE_SIZE.
> + */
> +#define MAX_PAGES 1
> +#define MAX_EVENTS (MAX_PAGES * PAGE_SIZE)
> +
> +/* Limit how long of an event name plus args within the subsystem. */
> +#define MAX_EVENT_DESC 512
> +#define EVENT_NAME(user_event) ((user_event)->tracepoint.name)
> +
> +static char *register_page_data;
> +
> +static DEFINE_MUTEX(reg_mutex);
> +static DEFINE_HASHTABLE(register_table, 4);
> +static DECLARE_BITMAP(page_bitmap, MAX_EVENTS);
> +
> +struct user_event {
> +	struct tracepoint tracepoint;
> +	struct trace_event_call call;
> +	struct trace_event_class class;
> +	struct dyn_event devent;
> +	struct hlist_node node;
> +	struct list_head fields;
> +	atomic_t refcnt;
> +	int index;
> +	int flags;
> +};
> +
> +struct user_event_refs {
> +	struct rcu_head rcu;
> +	int count;
> +	struct user_event *events[];
> +};
> +
> +typedef void (*user_event_func_t) (struct user_event *user,
> +				   void *data, u32 datalen,
> +				   void *tpdata);
> +
> +static int user_event_parse(char *name, char *args, char *flags,
> +			    struct user_event **newuser);
> +
> +static u32 user_event_key(char *name)
> +{
> +	return jhash(name, strlen(name), 0);
> +}
> +
> +static struct list_head *user_event_get_fields(struct trace_event_call *call)
> +{
> +	struct user_event *user = (struct user_event *)call->data;
> +
> +	return &user->fields;
> +}
> +
> +/*
> + * Parses a register command for user_events
> + * Format: event_name[:FLAG1[,FLAG2...]] [field1[;field2...]]
> + *
> + * Example event named test with a 20 char msg field with a unsigned int after:
> + * test char[20] msg;unsigned int id
> + *
> + * NOTE: Offsets are from the user data perspective, they are not from the
> + * trace_entry/buffer perspective. We automatically add the common properties
> + * sizes to the offset for the user.
> + */
> +static int user_event_parse_cmd(char *raw_command, struct user_event **newuser)
> +{
> +	char *name = raw_command;
> +	char *args = strpbrk(name, " ");
> +	char *flags;
> +
> +	if (args)
> +		*args++ = 0;
> +
> +	flags = strpbrk(name, ":");
> +
> +	if (flags)
> +		*flags++ = 0;
> +
> +	return user_event_parse(name, args, flags, newuser);
> +}
> +
> +static int user_field_array_size(const char *type)
> +{
> +	const char *start = strchr(type, '[');
> +	int size = 0;
> +
> +	if (start == NULL)
> +		return -EINVAL;
> +
> +	start++;
> +
> +	while (*start >= '0' && *start <= '9')

The kernel has include/linux/ctype.h

	while (isdigit(*start))

> +		size = (size * 10) + (*start++ - '0');

So you only allow decimal digits? No hex?

Also, is there anything to check if the size overflows?

I'm assuming that other patches will add checking if the size is
greater than some amount?

> +
> +	if (*start != ']')
> +		return -EINVAL;
> +
> +	return size;
> +}
> +
> +static int user_field_size(const char *type)
> +{
> +	/* long is not allowed from a user, since it's ambigious in size */
> +	if (strcmp(type, "s64") == 0)
> +		return sizeof(s64);
> +	if (strcmp(type, "u64") == 0)
> +		return sizeof(u64);
> +	if (strcmp(type, "s32") == 0)
> +		return sizeof(s32);
> +	if (strcmp(type, "u32") == 0)
> +		return sizeof(u32);
> +	if (strcmp(type, "int") == 0)
> +		return sizeof(int);
> +	if (strcmp(type, "unsigned int") == 0)
> +		return sizeof(unsigned int);
> +	if (strcmp(type, "s16") == 0)
> +		return sizeof(s16);
> +	if (strcmp(type, "u16") == 0)
> +		return sizeof(u16);
> +	if (strcmp(type, "short") == 0)
> +		return sizeof(short);
> +	if (strcmp(type, "unsigned short") == 0)
> +		return sizeof(unsigned short);
> +	if (strcmp(type, "s8") == 0)
> +		return sizeof(s8);
> +	if (strcmp(type, "u8") == 0)
> +		return sizeof(u8);
> +	if (strcmp(type, "char") == 0)
> +		return sizeof(char);
> +	if (strcmp(type, "unsigned char") == 0)
> +		return sizeof(unsigned char);
> +	if (strstr(type, "char[") == type)
> +		return user_field_array_size(type);
> +	if (strstr(type, "unsigned char[") == type)
> +		return user_field_array_size(type);
> +	if (strstr(type, "__data_loc ") == type)
> +		return sizeof(u32);
> +	if (strstr(type, "__rel_loc ") == type)
> +		return sizeof(u32);
> +
> +	/* Uknown basic type, error */
> +	return -EINVAL;
> +}
> +
> +static void user_event_destroy_fields(struct user_event *user)
> +{
> +	struct ftrace_event_field *field, *next;
> +	struct list_head *head = &user->fields;
> +
> +	list_for_each_entry_safe(field, next, head, link) {
> +		list_del(&field->link);
> +		kfree(field);
> +	}
> +}
> +
> +static int user_event_add_field(struct user_event *user, const char *type,
> +				const char *name, int offset, int size,
> +				int is_signed, int filter_type)
> +{
> +	struct ftrace_event_field *field;
> +
> +	field = kmalloc(sizeof(*field), GFP_KERNEL);
> +
> +	if (!field)
> +		return -ENOMEM;
> +
> +	field->type = type;
> +	field->name = name;
> +	field->offset = offset;
> +	field->size = size;
> +	field->is_signed = is_signed;
> +	field->filter_type = filter_type;
> +
> +	list_add(&field->link, &user->fields);
> +
> +	return 0;
> +}
> +
> +/*
> + * Parses the values of a field within the description
> + * Format: type name [size]
> + */
> +static int user_event_parse_field(char *field, struct user_event *user,
> +				  u32 *offset)
> +{
> +	char *part, *type, *name;
> +	u32 depth = 0, saved_offset = *offset;
> +	int size = -EINVAL;
> +	bool is_struct = false;
> +
> +	field = skip_spaces(field);
> +
> +	if (*field == 0)
> +		return 0;
> +
> +	/* Handle types that have a space within */
> +	if (strstr(field, "unsigned ") == field) {

These should use str_has_prefix(field, "unsigned ") etc.

It also returns the length of the prefix so you don't need to add
sizeof() of the string you checked for.


> +		type = field;
> +		field = strpbrk(field + sizeof("unsigned"), " ");
> +		goto skip_next;
> +	} else if (strstr(field, "struct ") == field) {
> +		type = field;
> +		field = strpbrk(field + sizeof("struct"), " ");
> +		is_struct = true;
> +		goto skip_next;
> +	} else if (strstr(field, "__data_loc unsigned ") == field) {
> +		type = field;
> +		field = strpbrk(field + sizeof("__data_loc unsigned"), " ");
> +		goto skip_next;
> +	} else if (strstr(field, "__data_loc ") == field) {
> +		type = field;
> +		field = strpbrk(field + sizeof("__data_loc"), " ");
> +		goto skip_next;
> +	} else if (strstr(field, "__rel_loc unsigned ") == field) {
> +		type = field;
> +		field = strpbrk(field + sizeof("__rel_loc unsigned"), " ");
> +		goto skip_next;
> +	} else if (strstr(field, "__rel_loc ") == field) {
> +		type = field;
> +		field = strpbrk(field + sizeof("__rel_loc"), " ");
> +		goto skip_next;
> +	}
> +	goto parse;
> +skip_next:
> +	if (field == NULL)
> +		return -EINVAL;
> +
> +	*field++ = 0;
> +	depth++;
> +parse:
> +	while ((part = strsep(&field, " ")) != NULL) {
> +		switch (depth++) {
> +		case FIELD_DEPTH_TYPE:
> +			type = part;
> +			break;
> +		case FIELD_DEPTH_NAME:
> +			name = part;
> +			break;
> +		case FIELD_DEPTH_SIZE:
> +			if (!is_struct)
> +				return -EINVAL;
> +
> +			if (kstrtou32(part, 10, &size))
> +				return -EINVAL;
> +			break;
> +		default:
> +			return -EINVAL;
> +		}
> +	}
> +
> +	if (depth < FIELD_DEPTH_SIZE)
> +		return -EINVAL;
> +
> +	if (depth == FIELD_DEPTH_SIZE)
> +		size = user_field_size(type);
> +
> +	if (size == 0)
> +		return -EINVAL;
> +
> +	if (size < 0)
> +		return size;
> +
> +	*offset = saved_offset + size;
> +
> +	return user_event_add_field(user, type, name, saved_offset, size,
> +				    type[0] != 'u', FILTER_OTHER);
> +}
> +
> +static void user_event_parse_flags(struct user_event *user, char *flags)
> +{
> +	char *flag;
> +
> +	if (flags == NULL)
> +		return;
> +
> +	while ((flag = strsep(&flags, ",")) != NULL) {
> +		if (strcmp(flag, "BPF_ITER") == 0)
> +			user->flags |= FLAG_BPF_ITER;
> +	}
> +}
> +
> +static int user_event_parse_fields(struct user_event *user, char *args)
> +{
> +	char *field;
> +	u32 offset = sizeof(struct trace_entry);
> +	int ret = -EINVAL;
> +
> +	if (args == NULL)
> +		return 0;
> +
> +	while ((field = strsep(&args, ";")) != NULL) {
> +		ret = user_event_parse_field(field, user, &offset);
> +
> +		if (ret)
> +			break;
> +	}
> +
> +	return ret;
> +}
> +
> +static struct trace_event_fields user_event_fields_array[] = {
> +	{}
> +};

Isn't the above just a fancy way of writing:

static struct trace_event_fields user_event_fields_array[1];

?

> +
> +static enum print_line_t user_event_print_trace(struct trace_iterator *iter,
> +						int flags,
> +						struct trace_event *event)
> +{
> +	/* Unsafe to try to decode user provided print_fmt, use hex */
> +	trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16,
> +				 1, iter->ent, iter->ent_size, true);

Hmm, I need to look at this when I have time to apply the patches. (On
weekends, I only look at the patches) I'm adding this to remind me to
relook at this. ;-)

> +
> +	return trace_handle_return(&iter->seq);
> +}
> +
> +static struct trace_event_functions user_event_funcs = {
> +	.trace = user_event_print_trace,
> +};
> +
> +static int destroy_user_event(struct user_event *user)
> +{
> +	int ret = 0;
> +
> +	/* Must destroy fields before call removal */
> +	user_event_destroy_fields(user);
> +
> +	ret = trace_remove_event_call(&user->call);
> +
> +	if (ret)
> +		return ret;
> +
> +	dyn_event_remove(&user->devent);
> +
> +	register_page_data[user->index] = 0;
> +	clear_bit(user->index, page_bitmap);
> +	hash_del(&user->node);
> +
> +	kfree(EVENT_NAME(user));
> +	kfree(user);
> +
> +	return ret;
> +}
> +
> +static struct user_event *find_user_event(char *name, u32 *outkey)
> +{
> +	struct user_event *user;
> +	u32 key = user_event_key(name);
> +
> +	*outkey = key;
> +
> +	hash_for_each_possible(register_table, user, node, key)
> +		if (!strcmp(EVENT_NAME(user), name))
> +			return user;
> +
> +	return NULL;
> +}
> +
> +/*
> + * Writes the user supplied payload out to a trace file.
> + */
> +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen,
> +			      void *tpdata)
> +{
> +	struct trace_event_file *file;
> +	struct trace_entry *entry;
> +	struct trace_event_buffer event_buffer;
> +
> +	file = (struct trace_event_file *)tpdata;
> +
> +	if (!file ||
> +	    !(file->flags & EVENT_FILE_FL_ENABLED) ||
> +	    trace_trigger_soft_disabled(file))
> +		return;
> +
> +	entry = trace_event_buffer_reserve(&event_buffer, file,
> +					   sizeof(*entry) + datalen);
> +
> +	if (unlikely(!entry))
> +		return;
> +

Might want to add a comment here that the trace_event_buffer_reserve()
will fill in the struct trace_entry, which explains the "entry+1" below.

I also need to add comments to trace_event_buffer_reserve() that it does so :-p

> +	memcpy(entry + 1, data, datalen);
> +
> +	trace_event_buffer_commit(&event_buffer);
> +}
> +
> +/*
> + * Update the register page that is shared between user processes.
> + */
> +static void update_reg_page_for(struct user_event *user)
> +{
> +	struct tracepoint *tp = &user->tracepoint;
> +	char status = 0;
> +
> +	if (atomic_read(&tp->key.enabled) > 0) {
> +		struct tracepoint_func *probe_func_ptr;
> +		user_event_func_t probe_func;
> +
> +		rcu_read_lock_sched();
> +
> +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> +
> +		if (probe_func_ptr) {
> +			do {
> +				probe_func = probe_func_ptr->func;
> +
> +				if (probe_func == user_event_ftrace)
> +					status |= EVENT_STATUS_FTRACE;
> +				else
> +					status |= EVENT_STATUS_OTHER;
> +			} while ((++probe_func_ptr)->func);
> +		}
> +
> +		rcu_read_unlock_sched();
> +	}
> +
> +	register_page_data[user->index] = status;

Should there be some kind of memory barriers here? That is, isn't this
the page that user space sees? The user space code should probably have
some kind of read memory barrier as well.

> +}
> +
> +/*
> + * Register callback for our events from tracing sub-systems.
> + */
> +static int user_event_reg(struct trace_event_call *call,
> +			  enum trace_reg type,
> +			  void *data)
> +{
> +	struct user_event *user = (struct user_event *)call->data;
> +	int ret = 0;
> +
> +	if (!user)
> +		return -ENOENT;
> +
> +	switch (type) {
> +	case TRACE_REG_REGISTER:
> +		ret = tracepoint_probe_register(call->tp,
> +						call->class->probe,
> +						data);
> +		if (!ret)
> +			goto inc;
> +		break;
> +
> +	case TRACE_REG_UNREGISTER:
> +		tracepoint_probe_unregister(call->tp,
> +					    call->class->probe,
> +					    data);
> +		goto dec;
> +
> +#ifdef CONFIG_PERF_EVENTS
> +	case TRACE_REG_PERF_REGISTER:
> +	case TRACE_REG_PERF_UNREGISTER:
> +	case TRACE_REG_PERF_OPEN:
> +	case TRACE_REG_PERF_CLOSE:
> +	case TRACE_REG_PERF_ADD:
> +	case TRACE_REG_PERF_DEL:
> +		break;
> +#endif
> +	}
> +
> +	return ret;
> +inc:
> +	atomic_inc(&user->refcnt);
> +	update_reg_page_for(user);
> +	return 0;
> +dec:
> +	update_reg_page_for(user);
> +	atomic_dec(&user->refcnt);
> +	return 0;
> +}
> +
> +static int user_event_create(const char *raw_command)
> +{
> +	struct user_event *user;
> +	char *name;
> +	int ret;
> +
> +	if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command)
> +		return -ECANCELED;
> +
> +	raw_command += USER_EVENTS_PREFIX_LEN;
> +	raw_command = skip_spaces(raw_command);
> +
> +	name = kstrdup(raw_command, GFP_KERNEL);

name is allocated here, it really needs to be freed in this function as
well. I see that user_event_parse() will free it, but that is extremely
error prone to have a dependency like that. If name needs to be saved
by user_event_parse_cmd() then that should be shown in the return value
of that function. And if it fails the freeing of name should be in this
function. Also, if it is saved, then there should be a comment in this
function stating that.

> +
> +	if (!name)
> +		return -ENOMEM;
> +
> +	mutex_lock(&reg_mutex);
> +	ret = user_event_parse_cmd(name, &user);
> +	mutex_unlock(&reg_mutex);
> +
> +	return ret;
> +}
> +
> +static int user_event_show(struct seq_file *m, struct dyn_event *ev)
> +{
> +	struct user_event *user = container_of(ev, struct user_event, devent);
> +	struct ftrace_event_field *field, *next;
> +	struct list_head *head;
> +	int depth = 0;
> +
> +	seq_printf(m, "%s%s", USER_EVENTS_PREFIX, EVENT_NAME(user));
> +
> +	head = trace_get_fields(&user->call);
> +
> +	list_for_each_entry_safe_reverse(field, next, head, link) {
> +		if (depth == 0)
> +			seq_puts(m, " ");
> +		else
> +			seq_puts(m, "; ");
> +		seq_printf(m, "%s %s", field->type, field->name);
> +		depth++;
> +	}
> +
> +	seq_puts(m, "\n");
> +
> +	return 0;
> +}
> +
> +static bool user_event_is_busy(struct dyn_event *ev)
> +{
> +	struct user_event *user = container_of(ev, struct user_event, devent);
> +
> +	return atomic_read(&user->refcnt) != 0;
> +}
> +
> +static int user_event_free(struct dyn_event *ev)
> +{
> +	struct user_event *user = container_of(ev, struct user_event, devent);
> +

Shouldn't this check if the event is busy first?

> +	return destroy_user_event(user);
> +}
> +
> +static bool user_event_match(const char *system, const char *event,
> +			     int argc, const char **argv, struct dyn_event *ev)
> +{
> +	struct user_event *user = container_of(ev, struct user_event, devent);
> +
> +	return strcmp(EVENT_NAME(user), event) == 0 &&
> +		(!system || strcmp(system, USER_EVENTS_SYSTEM) == 0);
> +}
> +
> +static struct dyn_event_operations user_event_dops = {
> +	.create = user_event_create,
> +	.show = user_event_show,
> +	.is_busy = user_event_is_busy,
> +	.free = user_event_free,
> +	.match = user_event_match,
> +};
> +
> +static int user_event_trace_register(struct user_event *user)
> +{
> +	int ret;
> +
> +	ret = register_trace_event(&user->call.event);
> +
> +	if (!ret)
> +		return -ENODEV;
> +
> +	ret = trace_add_event_call(&user->call);
> +
> +	if (ret)
> +		unregister_trace_event(&user->call.event);
> +
> +	return ret;
> +}
> +
> +/*
> + * Parses the event name, arguments and flags then registers if successful.
> + */
> +static int user_event_parse(char *name, char *args, char *flags,
> +			    struct user_event **newuser)
> +{
> +	int ret;
> +	int index;
> +	u32 key;
> +	struct user_event *user = find_user_event(name, &key);
> +
> +	if (user) {
> +		*newuser = user;
> +		ret = 0;
> +		goto put_name;
> +	}
> +
> +	index = find_first_zero_bit(page_bitmap, MAX_EVENTS);
> +
> +	if (index == MAX_EVENTS) {
> +		ret = -EMFILE;
> +		goto put_name;
> +	}
> +
> +	user = kzalloc(sizeof(*user), GFP_KERNEL);
> +
> +	if (!user) {
> +		ret = -ENOMEM;
> +		goto put_name;
> +	}
> +
> +	INIT_LIST_HEAD(&user->class.fields);
> +	INIT_LIST_HEAD(&user->fields);
> +
> +	user->tracepoint.name = name;
> +
> +	user_event_parse_flags(user, flags);
> +
> +	ret = user_event_parse_fields(user, args);
> +
> +	if (ret)
> +		goto put_user;
> +
> +	/* Minimal print format */
> +	user->call.print_fmt = "\"\"";
> +
> +	user->call.data = user;
> +	user->call.class = &user->class;
> +	user->call.name = name;
> +	user->call.flags = TRACE_EVENT_FL_TRACEPOINT;
> +	user->call.tp = &user->tracepoint;
> +	user->call.event.funcs = &user_event_funcs;
> +
> +	user->class.system = USER_EVENTS_SYSTEM;
> +	user->class.fields_array = user_event_fields_array;
> +	user->class.get_fields = user_event_get_fields;
> +	user->class.reg = user_event_reg;
> +	user->class.probe = user_event_ftrace;
> +
> +	mutex_lock(&event_mutex);
> +	ret = user_event_trace_register(user);
> +	mutex_unlock(&event_mutex);
> +
> +	if (ret)
> +		goto put_user;
> +
> +	user->index = index;
> +	dyn_event_init(&user->devent, &user_event_dops);
> +	dyn_event_add(&user->devent);
> +	set_bit(user->index, page_bitmap);
> +	hash_add(register_table, &user->node, key);
> +
> +	*newuser = user;
> +	return 0;
> +put_user:
> +	user_event_destroy_fields(user);
> +	kfree(user);
> +put_name:
> +	kfree(name);
> +	return ret;
> +}
> +
> +/*
> + * Deletes a previously created event if it is no longer being used.
> + */
> +static int delete_user_event(char *name)
> +{
> +	u32 key;
> +	int ret;
> +	struct user_event *user = find_user_event(name, &key);
> +
> +	if (!user)
> +		return -ENOENT;
> +
> +	if (atomic_read(&user->refcnt) != 0)
> +		return -EBUSY;
> +
> +	mutex_lock(&event_mutex);
> +	ret = destroy_user_event(user);
> +	mutex_unlock(&event_mutex);
> +
> +	return ret;
> +}
> +
> +/*
> + * Validates the user payload and writes via iterator.
> + */
> +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i)
> +{
> +	struct user_event_refs *refs;
> +	struct user_event *user = NULL;
> +	struct tracepoint *tp;
> +	ssize_t ret = i->count;
> +	int idx;
> +
> +	if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx)))
> +		return -EFAULT;
> +
> +	rcu_read_lock_sched();
> +
> +	refs = rcu_dereference_sched(file->private_data);
> +
> +	if (likely(refs && idx < refs->count))
> +		user = refs->events[idx];
> +
> +	rcu_read_unlock_sched();
> +
> +	if (unlikely(user == NULL))
> +		return -ENOENT;
> +
> +	tp = &user->tracepoint;

What protects user here? You released the rcu lock.

> +
> +	if (likely(atomic_read(&tp->key.enabled) > 0)) {
> +		struct tracepoint_func *probe_func_ptr;
> +		user_event_func_t probe_func;
> +		void *tpdata;
> +		void *kdata;
> +		u32 datalen;
> +
> +		kdata = kmalloc(i->count, GFP_KERNEL);

The allocation would need to be done first, before grabbing the rcu
lock, and all this would need to be done within the rcu lock, because
"tp" may not even exist anymore.

> +
> +		if (unlikely(!kdata))
> +			return -ENOMEM;
> +
> +		datalen = copy_from_iter(kdata, i->count, i);
> +
> +		rcu_read_lock_sched();
> +
> +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> +
> +		if (probe_func_ptr) {
> +			do {
> +				probe_func = probe_func_ptr->func;
> +				tpdata = probe_func_ptr->data;
> +				probe_func(user, kdata, datalen, tpdata);
> +			} while ((++probe_func_ptr)->func);
> +		}
> +
> +		rcu_read_unlock_sched();
> +
> +		kfree(kdata);
> +	}
> +
> +	return ret;
> +}
> +
> +static ssize_t user_events_write(struct file *file, const char __user *ubuf,
> +				 size_t count, loff_t *ppos)
> +{
> +	struct iovec iov;
> +	struct iov_iter i;
> +
> +	if (unlikely(*ppos != 0))
> +		return -EFAULT;
> +
> +	if (unlikely(import_single_range(READ, (char *)ubuf, count, &iov, &i)))
> +		return -EFAULT;
> +
> +	return user_events_write_core(file, &i);
> +}
> +
> +static ssize_t user_events_write_iter(struct kiocb *kp, struct iov_iter *i)
> +{
> +	return user_events_write_core(kp->ki_filp, i);
> +}
> +
> +static int user_events_ref_add(struct file *file, struct user_event *user)
> +{
> +	struct user_event_refs *refs, *new_refs;
> +	int i, size, count = 0;
> +
> +	rcu_read_lock_sched();

rcu lock is not needed, but you may want to use:

  rcu_dereference_protected()

and list the lock that protects the modifications here.

> +	refs = rcu_dereference_sched(file->private_data);
> +	rcu_read_unlock_sched();
> +
> +	if (refs) {
> +		count = refs->count;
> +
> +		for (i = 0; i < count; ++i)
> +			if (refs->events[i] == user)
> +				return i;
> +	}
> +
> +	size = sizeof(*refs) + (sizeof(struct user_event *) * (count + 1));
> +
> +	new_refs = kzalloc(size, GFP_KERNEL);
> +
> +	if (!new_refs)
> +		return -ENOMEM;
> +
> +	new_refs->count = count + 1;
> +
> +	for (i = 0; i < count; ++i)
> +		new_refs->events[i] = refs->events[i];
> +
> +	new_refs->events[i] = user;
> +
> +	atomic_inc(&user->refcnt);
> +
> +	rcu_assign_pointer(file->private_data, new_refs);
> +
> +	if (refs)
> +		kfree_rcu(refs, rcu);
> +
> +	return i;
> +}

I just skimmed the rest, and didn't see anything that stuck out.

But maybe I'll get time to look deeper at it later.

-- Steve
Masami Hiramatsu (Google) Nov. 8, 2021, 2:32 a.m. UTC | #4 
On Fri, 5 Nov 2021 05:34:31 +0800
kernel test robot <lkp@intel.com> wrote:

> Hi Beau,
> 
> Thank you for the patch! Yet something to improve:
> 
> [auto build test ERROR on rostedt-trace/for-next]
> [also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch]
> 
> url:    https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next
> config: powerpc-allmodconfig (attached as .config)
> compiler: powerpc-linux-gcc (GCC) 11.2.0
> reproduce (this is a W=1 build):
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a
>         git remote add linux-review https://github.com/0day-ci/linux
>         git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
>         git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a
>         # save the attached .config to linux build tree
>         mkdir build_dir
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> 
> All errors (new ones prefixed by >>):
> 
>    kernel/trace/trace_events_user.c: In function 'user_event_parse':
> >> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add'
>      665 |         dyn_event_add(&user->devent);
>          |         ^~~~~~~~~~~~~
>    In file included from kernel/trace/trace_events_user.c:23:
>    kernel/trace/trace_dynevent.h:79:19: note: declared here
>       79 | static inline int dyn_event_add(struct dyn_event *ev,
>          |                   ^~~~~~~~~~~~~

You need to pass &user->call too :)

Thank you,
Beau Belgrave Nov. 8, 2021, 4:59 p.m. UTC | #5 
On Mon, Nov 08, 2021 at 11:32:25AM +0900, Masami Hiramatsu wrote:
> On Fri, 5 Nov 2021 05:34:31 +0800
> kernel test robot <lkp@intel.com> wrote:
> 
> > Hi Beau,
> > 
> > Thank you for the patch! Yet something to improve:
> > 
> > [auto build test ERROR on rostedt-trace/for-next]
> > [also build test ERROR on shuah-kselftest/next linux/master linus/master v5.15 next-20211104]
> > [If your patch is applied to the wrong git tree, kindly drop us a note.
> > And when submitting patch, we suggest to use '--base' as documented in
> > https://git-scm.com/docs/git-format-patch]
> > 
> > url:    https://github.com/0day-ci/linux/commits/Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
> > base:   https://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git for-next
> > config: powerpc-allmodconfig (attached as .config)
> > compiler: powerpc-linux-gcc (GCC) 11.2.0
> > reproduce (this is a W=1 build):
> >         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> >         chmod +x ~/bin/make.cross
> >         # https://github.com/0day-ci/linux/commit/da0961ad45aa1192b47b8a80de6b17437434ae4a
> >         git remote add linux-review https://github.com/0day-ci/linux
> >         git fetch --no-tags linux-review Beau-Belgrave/user_events-Enable-user-processes-to-create-and-write-to-trace-events/20211105-010650
> >         git checkout da0961ad45aa1192b47b8a80de6b17437434ae4a
> >         # save the attached .config to linux build tree
> >         mkdir build_dir
> >         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash kernel/trace/
> > 
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> > 
> > All errors (new ones prefixed by >>):
> > 
> >    kernel/trace/trace_events_user.c: In function 'user_event_parse':
> > >> kernel/trace/trace_events_user.c:665:9: error: too few arguments to function 'dyn_event_add'
> >      665 |         dyn_event_add(&user->devent);
> >          |         ^~~~~~~~~~~~~
> >    In file included from kernel/trace/trace_events_user.c:23:
> >    kernel/trace/trace_dynevent.h:79:19: note: declared here
> >       79 | static inline int dyn_event_add(struct dyn_event *ev,
> >          |                   ^~~~~~~~~~~~~
> 
> You need to pass &user->call too :)
> 
> Thank you,
> 
> -- 
> Masami Hiramatsu <mhiramat@kernel.org>

:)

Yep, these so far have been based on perf/core branch of tip, I've moved the
next iteration over to for-next branch off of linux-trace to ensure alignment.

Thanks,
-Beau
Beau Belgrave Nov. 8, 2021, 5:13 p.m. UTC | #6 
On Sun, Nov 07, 2021 at 11:31:15PM +0900, Masami Hiramatsu wrote:
> Hi Beau,
> 
> At first, thanks for breaking down your patch into this series!
> 
> Now I found that a suspicious security design issue in this patch.
> 
> On Thu,  4 Nov 2021 10:04:25 -0700
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > +
> > +static enum print_line_t user_event_print_trace(struct trace_iterator *iter,
> > +						int flags,
> > +						struct trace_event *event)
> > +{
> > +	/* Unsafe to try to decode user provided print_fmt, use hex */
> > +	trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16,
> > +				 1, iter->ent, iter->ent_size, true);
> 
> You said this is "Unsafe to try to decode user provided" here, because
> this doesn't check the event data sanity, especially non-fixed size data.
> 
> However, it is not enough that you don't decode it here. Because synthetic
> events (histograms) and event filters need to decode this recorded data entry
> using the event format information.
> 
> This means this can cause a buffer overrun issue on the ring buffer, because
> __data_loc (and __rel_loc too) can be compromised by the user.
> 
> If you want to just trace the user events with digit parameters, there is
> a way to close this issue - support only the fixed size types (IOW, drop
> __data_loc/rel_loc support) and always checks the 'length' of the written
> data size. This ensures that those filters/synthetic events can access
> those parameters as 'values'. Maybe eprobes still has to reject the user
> events but the other parts will work well.
> 
> If you want to log some "string", it is hard. Maybe it needs a special
> check when writing the event (address, length, and null termination.),
> but it will increase the recording overhead.
> 
> Thank you,
> 
> 
> -- 
> Masami Hiramatsu <mhiramat@kernel.org>

Does that mean the decoders in eprobes/histogram don't check event
record sizes before accessing the data? Shouldn't that get fix
centrally? That would mean a loaded module could do the same thing
(user_events only works if the user has access to tracefs, so it's not
like it's open to all users).

Is it possible to mark trace_events with a flag that says "don't trust
this"? That way eBPF, ftrace and perf would still allow recording and
decoding offline (in a safer context).

From user_events code, an entry is always allocated with enough data and
if it fails (either too big or alloc failure) the event is not written
out. This appears to be purely in the decode logic that is not within
this patch?

Thanks,
-Beau
Steven Rostedt Nov. 8, 2021, 6:16 p.m. UTC | #7 
On Mon, 8 Nov 2021 09:13:36 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:


> Does that mean the decoders in eprobes/histogram don't check event
> record sizes before accessing the data? Shouldn't that get fix
> centrally? That would mean a loaded module could do the same thing
> (user_events only works if the user has access to tracefs, so it's not
> like it's open to all users).

There's checks to make sure everything fits in eprobes and kprobes. If it
doesn't then the event is simply dropped.

For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll
see that it calls get_eprobe_size(), which goes through and just reads what
it is about to accept. Then it reserves the amount of data on the ring
buffer, and then calls store_trace_args() which also passes in the size
that it found, in case things change. If it's too big, it only records what
it originally intended.

-- Steve
Beau Belgrave Nov. 8, 2021, 7:56 p.m. UTC | #8 
On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote:
> On Thu,  4 Nov 2021 10:04:25 -0700
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > +static int user_field_array_size(const char *type)
> > +{
> > +	const char *start = strchr(type, '[');
> > +	int size = 0;
> > +
> > +	if (start == NULL)
> > +		return -EINVAL;
> > +
> > +	start++;
> > +
> > +	while (*start >= '0' && *start <= '9')
> 
> The kernel has include/linux/ctype.h
> 
> 	while (isdigit(*start))
> 
> > +		size = (size * 10) + (*start++ - '0');
> 
> So you only allow decimal digits? No hex?
> 

Happy to change it, I only expected decimal to be allowed.

Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)?

> Also, is there anything to check if the size overflows?
> 
> I'm assuming that other patches will add checking if the size is
> greater than some amount?
> 

I can switch to kstrtouint and use a max check, however:
The max checks are weird here because eBPF has no limits, while ftrace 
and perf both do (and I believe they are different max sizes?)

If someone really wanted a large array of characters and it can fit
within perf but not ftrace, is it correct to block it here? My thinking
was to allow each trace buffer reserve call to either work or not based
on what the user requested depending on what was hooked.

No strong opinion here though, just thoughts about what is a reasonable
max given the 3 technologies.

> > +/*
> > + * Parses the values of a field within the description
> > + * Format: type name [size]
> > + */
> > +static int user_event_parse_field(char *field, struct user_event *user,
> > +				  u32 *offset)
> > +{
> > +	char *part, *type, *name;
> > +	u32 depth = 0, saved_offset = *offset;
> > +	int size = -EINVAL;
> > +	bool is_struct = false;
> > +
> > +	field = skip_spaces(field);
> > +
> > +	if (*field == 0)
> > +		return 0;
> > +
> > +	/* Handle types that have a space within */
> > +	if (strstr(field, "unsigned ") == field) {
> 
> These should use str_has_prefix(field, "unsigned ") etc.
> 
> It also returns the length of the prefix so you don't need to add
> sizeof() of the string you checked for.
> 

Nice, will use that.

> > +
> > +static struct trace_event_fields user_event_fields_array[] = {
> > +	{}
> > +};
> 
> Isn't the above just a fancy way of writing:
> 
> static struct trace_event_fields user_event_fields_array[1];
> 
> ?
> 

Yes, as long as it gets init'd to zero. My understanding was that {}
would force zeroing, but I could totally be wrong.

> > +/*
> > + * Writes the user supplied payload out to a trace file.
> > + */
> > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen,
> > +			      void *tpdata)
> > +{
> > +	struct trace_event_file *file;
> > +	struct trace_entry *entry;
> > +	struct trace_event_buffer event_buffer;
> > +
> > +	file = (struct trace_event_file *)tpdata;
> > +
> > +	if (!file ||
> > +	    !(file->flags & EVENT_FILE_FL_ENABLED) ||
> > +	    trace_trigger_soft_disabled(file))
> > +		return;
> > +
> > +	entry = trace_event_buffer_reserve(&event_buffer, file,
> > +					   sizeof(*entry) + datalen);
> > +
> > +	if (unlikely(!entry))
> > +		return;
> > +
> 
> Might want to add a comment here that the trace_event_buffer_reserve()
> will fill in the struct trace_entry, which explains the "entry+1" below.
> 
> I also need to add comments to trace_event_buffer_reserve() that it does so :-p
> 

Will do.

> > +/*
> > + * Update the register page that is shared between user processes.
> > + */
> > +static void update_reg_page_for(struct user_event *user)
> > +{
> > +	struct tracepoint *tp = &user->tracepoint;
> > +	char status = 0;
> > +
> > +	if (atomic_read(&tp->key.enabled) > 0) {
> > +		struct tracepoint_func *probe_func_ptr;
> > +		user_event_func_t probe_func;
> > +
> > +		rcu_read_lock_sched();
> > +
> > +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> > +
> > +		if (probe_func_ptr) {
> > +			do {
> > +				probe_func = probe_func_ptr->func;
> > +
> > +				if (probe_func == user_event_ftrace)
> > +					status |= EVENT_STATUS_FTRACE;
> > +				else
> > +					status |= EVENT_STATUS_OTHER;
> > +			} while ((++probe_func_ptr)->func);
> > +		}
> > +
> > +		rcu_read_unlock_sched();
> > +	}
> > +
> > +	register_page_data[user->index] = status;
> 
> Should there be some kind of memory barriers here? That is, isn't this
> the page that user space sees? The user space code should probably have
> some kind of read memory barrier as well.
> 

I'm glad you brought this up. I wanted to ensure a balance between
eventual enablement of the event in the user mode process vs the cost
of simultaneous enablement of the event (stalls, etc).

We haven't seen this become an issue for our teams in our other
telemetry sources (with no barriers), which seems to indicate eventual
agreement of the page data works well as a tradeoff.

> > +static int user_event_create(const char *raw_command)
> > +{
> > +	struct user_event *user;
> > +	char *name;
> > +	int ret;
> > +
> > +	if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command)
> > +		return -ECANCELED;
> > +
> > +	raw_command += USER_EVENTS_PREFIX_LEN;
> > +	raw_command = skip_spaces(raw_command);
> > +
> > +	name = kstrdup(raw_command, GFP_KERNEL);
> 
> name is allocated here, it really needs to be freed in this function as
> well. I see that user_event_parse() will free it, but that is extremely
> error prone to have a dependency like that. If name needs to be saved
> by user_event_parse_cmd() then that should be shown in the return value
> of that function. And if it fails the freeing of name should be in this
> function. Also, if it is saved, then there should be a comment in this
> function stating that.
> 

It's a bit tricky, because if the event already exists, the name is
freed. If the function fails, the name is freed. If the event has
never been seen before then it is saved.

I'll try to make this more clear, my thought is to add an explicit
argument that gets set back to the caller if the string should be freed
or not to make this clear while reading the code.

> > +static bool user_event_is_busy(struct dyn_event *ev)
> > +{
> > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > +
> > +	return atomic_read(&user->refcnt) != 0;
> > +}
> > +
> > +static int user_event_free(struct dyn_event *ev)
> > +{
> > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > +
> 
> Shouldn't this check if the event is busy first?

Yes, you are right. In the release all case busy is checked by
dyn_events for me. However, in the individual case it is not. I'll fix
this.

> > +/*
> > + * Validates the user payload and writes via iterator.
> > + */
> > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i)
> > +{
> > +	struct user_event_refs *refs;
> > +	struct user_event *user = NULL;
> > +	struct tracepoint *tp;
> > +	ssize_t ret = i->count;
> > +	int idx;
> > +
> > +	if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx)))
> > +		return -EFAULT;
> > +
> > +	rcu_read_lock_sched();
> > +
> > +	refs = rcu_dereference_sched(file->private_data);
> > +
> > +	if (likely(refs && idx < refs->count))
> > +		user = refs->events[idx];
> > +
> > +	rcu_read_unlock_sched();
> > +
> > +	if (unlikely(user == NULL))
> > +		return -ENOENT;
> > +
> > +	tp = &user->tracepoint;
> 
> What protects user here? You released the rcu lock.

user is ref counted by the file, so before the final close all events
linked to the file via the reg ioctl are ref'd and cannot go away.

> 
> > +
> > +	if (likely(atomic_read(&tp->key.enabled) > 0)) {
> > +		struct tracepoint_func *probe_func_ptr;
> > +		user_event_func_t probe_func;
> > +		void *tpdata;
> > +		void *kdata;
> > +		u32 datalen;
> > +
> > +		kdata = kmalloc(i->count, GFP_KERNEL);
> 
> The allocation would need to be done first, before grabbing the rcu
> lock, and all this would need to be done within the rcu lock, because
> "tp" may not even exist anymore.

The tracepoint can only get removed after all refs of an event become
zero. It cannot happen when an outstanding write is occurring. The only
way to delete the tracepoint is via the delete ioctl which explicitly
checks the ref counts.

Minus the bug you found in dyn_event free not checking busy, I don't
believe this case is possible and does not require rcu lock since the
ref count is protecting it from going away during this method.

> > +static int user_events_ref_add(struct file *file, struct user_event *user)
> > +{
> > +	struct user_event_refs *refs, *new_refs;
> > +	int i, size, count = 0;
> > +
> > +	rcu_read_lock_sched();
> 
> rcu lock is not needed, but you may want to use:
> 
>   rcu_dereference_protected()
> 
> and list the lock that protects the modifications here.
> 

Sure, I put them here to make it clear, I can change it up and add a
comment instead.

> 
> I just skimmed the rest, and didn't see anything that stuck out.
> 
> But maybe I'll get time to look deeper at it later.
> 
> -- Steve

Thank you for the review, I appreciate it!

Thanks,
-Beau
Beau Belgrave Nov. 8, 2021, 8:25 p.m. UTC | #9 
On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote:
> On Mon, 8 Nov 2021 09:13:36 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> 
> > Does that mean the decoders in eprobes/histogram don't check event
> > record sizes before accessing the data? Shouldn't that get fix
> > centrally? That would mean a loaded module could do the same thing
> > (user_events only works if the user has access to tracefs, so it's not
> > like it's open to all users).
> 
> There's checks to make sure everything fits in eprobes and kprobes. If it
> doesn't then the event is simply dropped.
> 
> For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll
> see that it calls get_eprobe_size(), which goes through and just reads what
> it is about to accept. Then it reserves the amount of data on the ring
> buffer, and then calls store_trace_args() which also passes in the size
> that it found, in case things change. If it's too big, it only records what
> it originally intended.
> 
> -- Steve

It seems there are 2 concerns:
1. If data comes in and it's not in the size that is specified, it's
suspicious and should either be truncated or ignored. Maybe under
ignore, over truncate.

2. If the data is more than specified, it must be checked to see if
there are __data_loc / __rel_loc entries and they must be validated as
within range of accepted limits. If there are no __data_loc / __rel_loc
it should either be truncated or ignored.

Is there more that I may have missed?

I'd like to know if I do fix them that the features like filtering will still
be available to user_events or if it's better to just add flags to disable
kernel filtering?

I'm still unsure this is limited to just user_events.

For example, why doesn't filter_pred_strloc and filter_pred_pchar in
trace_events_filter.c check the boundary it will be accessing?

It seems like tracepoints from kernel modules, while more trusted, can also
cause this kind of thing due to bugs, etc.

Thanks,
-Beau
Steven Rostedt Nov. 8, 2021, 8:53 p.m. UTC | #10 
On Mon, 8 Nov 2021 11:56:42 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote:
> > On Thu,  4 Nov 2021 10:04:25 -0700
> > Beau Belgrave <beaub@linux.microsoft.com> wrote:  
> > > +static int user_field_array_size(const char *type)
> > > +{
> > > +	const char *start = strchr(type, '[');
> > > +	int size = 0;
> > > +
> > > +	if (start == NULL)
> > > +		return -EINVAL;
> > > +
> > > +	start++;
> > > +
> > > +	while (*start >= '0' && *start <= '9')  
> > 
> > The kernel has include/linux/ctype.h
> > 
> > 	while (isdigit(*start))
> >   
> > > +		size = (size * 10) + (*start++ - '0');  
> > 
> > So you only allow decimal digits? No hex?
> >   
> 
> Happy to change it, I only expected decimal to be allowed.

I'm more worried that if the output of the "registered events" may have a
hex number, and someone uses that output to recreate the event.

> 
> Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)?
> 
> > Also, is there anything to check if the size overflows?
> > 
> > I'm assuming that other patches will add checking if the size is
> > greater than some amount?
> >   
> 
> I can switch to kstrtouint and use a max check, however:
> The max checks are weird here because eBPF has no limits, while ftrace 
> and perf both do (and I believe they are different max sizes?)

I'm not concerned about taking up more than ftrace or perf, but having some
kind of DOS that is caused by hugh allocations. If you make a huge event
and try to record it in ftrace, then ftrace will simply drop the event. No
harm done (except you won't see the event).

> 
> If someone really wanted a large array of characters and it can fit
> within perf but not ftrace, is it correct to block it here? My thinking
> was to allow each trace buffer reserve call to either work or not based
> on what the user requested depending on what was hooked.
> 
> No strong opinion here though, just thoughts about what is a reasonable
> max given the 3 technologies.

Again, I'm more worried about just a general 'this is way too big' thing.
If anything, it could be simply to flag a bug where the event in created
via some logic that goes crazy.

> 
> > > +/*
> > > + * Parses the values of a field within the description
> > > + * Format: type name [size]
> > > + */
> > > +static int user_event_parse_field(char *field, struct user_event *user,
> > > +				  u32 *offset)
> > > +{
> > > +	char *part, *type, *name;
> > > +	u32 depth = 0, saved_offset = *offset;
> > > +	int size = -EINVAL;
> > > +	bool is_struct = false;
> > > +
> > > +	field = skip_spaces(field);
> > > +
> > > +	if (*field == 0)
> > > +		return 0;
> > > +
> > > +	/* Handle types that have a space within */
> > > +	if (strstr(field, "unsigned ") == field) {  
> > 
> > These should use str_has_prefix(field, "unsigned ") etc.
> > 
> > It also returns the length of the prefix so you don't need to add
> > sizeof() of the string you checked for.
> >   
> 
> Nice, will use that.
> 
> > > +
> > > +static struct trace_event_fields user_event_fields_array[] = {
> > > +	{}
> > > +};  
> > 
> > Isn't the above just a fancy way of writing:
> > 
> > static struct trace_event_fields user_event_fields_array[1];
> > 
> > ?
> >   
> 
> Yes, as long as it gets init'd to zero. My understanding was that {}
> would force zeroing, but I could totally be wrong.

All static and global variables that are not assigned will be initialized
to zero. No need to initialize anything that is zero by default.

> 
> > > +/*
> > > + * Writes the user supplied payload out to a trace file.
> > > + */
> > > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen,
> > > +			      void *tpdata)
> > > +{
> > > +	struct trace_event_file *file;
> > > +	struct trace_entry *entry;
> > > +	struct trace_event_buffer event_buffer;
> > > +
> > > +	file = (struct trace_event_file *)tpdata;
> > > +
> > > +	if (!file ||
> > > +	    !(file->flags & EVENT_FILE_FL_ENABLED) ||
> > > +	    trace_trigger_soft_disabled(file))
> > > +		return;
> > > +
> > > +	entry = trace_event_buffer_reserve(&event_buffer, file,
> > > +					   sizeof(*entry) + datalen);
> > > +
> > > +	if (unlikely(!entry))
> > > +		return;
> > > +  
> > 
> > Might want to add a comment here that the trace_event_buffer_reserve()
> > will fill in the struct trace_entry, which explains the "entry+1" below.
> > 
> > I also need to add comments to trace_event_buffer_reserve() that it does so :-p
> >   
> 
> Will do.
> 
> > > +/*
> > > + * Update the register page that is shared between user processes.
> > > + */
> > > +static void update_reg_page_for(struct user_event *user)
> > > +{
> > > +	struct tracepoint *tp = &user->tracepoint;
> > > +	char status = 0;
> > > +
> > > +	if (atomic_read(&tp->key.enabled) > 0) {
> > > +		struct tracepoint_func *probe_func_ptr;
> > > +		user_event_func_t probe_func;
> > > +
> > > +		rcu_read_lock_sched();
> > > +
> > > +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> > > +
> > > +		if (probe_func_ptr) {
> > > +			do {
> > > +				probe_func = probe_func_ptr->func;
> > > +
> > > +				if (probe_func == user_event_ftrace)
> > > +					status |= EVENT_STATUS_FTRACE;
> > > +				else
> > > +					status |= EVENT_STATUS_OTHER;
> > > +			} while ((++probe_func_ptr)->func);
> > > +		}
> > > +
> > > +		rcu_read_unlock_sched();
> > > +	}
> > > +
> > > +	register_page_data[user->index] = status;  
> > 
> > Should there be some kind of memory barriers here? That is, isn't this
> > the page that user space sees? The user space code should probably have
> > some kind of read memory barrier as well.
> >   
> 
> I'm glad you brought this up. I wanted to ensure a balance between
> eventual enablement of the event in the user mode process vs the cost
> of simultaneous enablement of the event (stalls, etc).
> 
> We haven't seen this become an issue for our teams in our other
> telemetry sources (with no barriers), which seems to indicate eventual
> agreement of the page data works well as a tradeoff.

Another approach is if you know what tasks these events come from (who
registered them), then you could simply send an IPI to the task if it
happen to be running. An IPI will force a memory barrier, and since you
only need to do this on changes (enable / disable event) it's not like it
will happen often.

> 
> > > +static int user_event_create(const char *raw_command)
> > > +{
> > > +	struct user_event *user;
> > > +	char *name;
> > > +	int ret;
> > > +
> > > +	if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command)
> > > +		return -ECANCELED;
> > > +
> > > +	raw_command += USER_EVENTS_PREFIX_LEN;
> > > +	raw_command = skip_spaces(raw_command);
> > > +
> > > +	name = kstrdup(raw_command, GFP_KERNEL);  
> > 
> > name is allocated here, it really needs to be freed in this function as
> > well. I see that user_event_parse() will free it, but that is extremely
> > error prone to have a dependency like that. If name needs to be saved
> > by user_event_parse_cmd() then that should be shown in the return value
> > of that function. And if it fails the freeing of name should be in this
> > function. Also, if it is saved, then there should be a comment in this
> > function stating that.
> >   
> 
> It's a bit tricky, because if the event already exists, the name is
> freed. If the function fails, the name is freed. If the event has
> never been seen before then it is saved.

I would then suggest to free the name from the calling function only if it
succeeds and the name already exists. With a comment stating that.

But I would have the caller free it on failure. That is, you could change
user_event_parse() to have:

	struct user_event *user = find_user_event(name, &key);

	if (user) {
		*newuser = user;
		/*
		 * The name is allocated by the caller, but since it
		 * already exists in user, simply free it here.
		 */
		kfree(name);
		return 0;
	}

And remove all the "put_name" jumps.

> 
> I'll try to make this more clear, my thought is to add an explicit
> argument that gets set back to the caller if the string should be freed
> or not to make this clear while reading the code.
> 
> > > +static bool user_event_is_busy(struct dyn_event *ev)
> > > +{
> > > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > > +
> > > +	return atomic_read(&user->refcnt) != 0;
> > > +}
> > > +
> > > +static int user_event_free(struct dyn_event *ev)
> > > +{
> > > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > > +  
> > 
> > Shouldn't this check if the event is busy first?  
> 
> Yes, you are right. In the release all case busy is checked by
> dyn_events for me. However, in the individual case it is not. I'll fix
> this.
> 
> > > +/*
> > > + * Validates the user payload and writes via iterator.
> > > + */
> > > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i)
> > > +{
> > > +	struct user_event_refs *refs;
> > > +	struct user_event *user = NULL;
> > > +	struct tracepoint *tp;
> > > +	ssize_t ret = i->count;
> > > +	int idx;
> > > +
> > > +	if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx)))
> > > +		return -EFAULT;
> > > +
> > > +	rcu_read_lock_sched();
> > > +
> > > +	refs = rcu_dereference_sched(file->private_data);
> > > +
> > > +	if (likely(refs && idx < refs->count))
> > > +		user = refs->events[idx];
> > > +
> > > +	rcu_read_unlock_sched();
> > > +
> > > +	if (unlikely(user == NULL))
> > > +		return -ENOENT;
> > > +
> > > +	tp = &user->tracepoint;  
> > 
> > What protects user here? You released the rcu lock.  
> 
> user is ref counted by the file, so before the final close all events
> linked to the file via the reg ioctl are ref'd and cannot go away.


If that's the case, then why the rcu_read_lock_sched() around the assigment
of user?

-- Steve


> 
> >   
> > > +
> > > +	if (likely(atomic_read(&tp->key.enabled) > 0)) {
> > > +		struct tracepoint_func *probe_func_ptr;
> > > +		user_event_func_t probe_func;
> > > +		void *tpdata;
> > > +		void *kdata;
> > > +		u32 datalen;
> > > +
> > > +		kdata = kmalloc(i->count, GFP_KERNEL);  
>
Steven Rostedt Nov. 8, 2021, 9 p.m. UTC | #11 
On Mon, 8 Nov 2021 12:25:27 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> It seems there are 2 concerns:
> 1. If data comes in and it's not in the size that is specified, it's
> suspicious and should either be truncated or ignored. Maybe under
> ignore, over truncate.
> 
> 2. If the data is more than specified, it must be checked to see if
> there are __data_loc / __rel_loc entries and they must be validated as
> within range of accepted limits. If there are no __data_loc / __rel_loc
> it should either be truncated or ignored.
> 
> Is there more that I may have missed?
> 
> I'd like to know if I do fix them that the features like filtering will still
> be available to user_events or if it's better to just add flags to disable
> kernel filtering?

If these are "user defined" then perhaps we add a wrapper to the filtering
that is called instead of the normal filtering for theses events that
verify the fields of the events being filtered are located on the ring
buffer. Although, strings and such are rare or just slow in filtering that
we could make sure the content is still on the buffer that is being
filtered.

> 
> I'm still unsure this is limited to just user_events.
> 
> For example, why doesn't filter_pred_strloc and filter_pred_pchar in
> trace_events_filter.c check the boundary it will be accessing?
> 
> It seems like tracepoints from kernel modules, while more trusted, can also
> cause this kind of thing due to bugs, etc.

Yes, it's the fact that the code is created in the kernel, and the only way
that the filtering could be out of bounds is if there's a bug in the
kernel. We rather not check for that if it slows down the tracing. But
perhaps if we can show that the checks are only done for dynamic strings
and arrays, that it doesn't cause noticeable overhead, it may be fine to
keep for all events.

-- Steve
Beau Belgrave Nov. 8, 2021, 9:15 p.m. UTC | #12 
On Mon, Nov 08, 2021 at 03:53:59PM -0500, Steven Rostedt wrote:
> On Mon, 8 Nov 2021 11:56:42 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > On Sun, Nov 07, 2021 at 01:18:50PM -0500, Steven Rostedt wrote:
> > > On Thu,  4 Nov 2021 10:04:25 -0700
> > > Beau Belgrave <beaub@linux.microsoft.com> wrote:  
> > > > +static int user_field_array_size(const char *type)
> > > > +{
> > > > +	const char *start = strchr(type, '[');
> > > > +	int size = 0;
> > > > +
> > > > +	if (start == NULL)
> > > > +		return -EINVAL;
> > > > +
> > > > +	start++;
> > > > +
> > > > +	while (*start >= '0' && *start <= '9')  
> > > 
> > > The kernel has include/linux/ctype.h
> > > 
> > > 	while (isdigit(*start))
> > >   
> > > > +		size = (size * 10) + (*start++ - '0');  
> > > 
> > > So you only allow decimal digits? No hex?
> > >   
> > 
> > Happy to change it, I only expected decimal to be allowed.
> 
> I'm more worried that if the output of the "registered events" may have a
> hex number, and someone uses that output to recreate the event.
> 

It seems like there is precedent around this in synth, so I will go
ahead and ensure hex works as well.

> > 
> > Is there a strong need for hex? (IE: kstrtouint(start, 0, ...)?
> > 
> > > Also, is there anything to check if the size overflows?
> > > 
> > > I'm assuming that other patches will add checking if the size is
> > > greater than some amount?
> > >   
> > 
> > I can switch to kstrtouint and use a max check, however:
> > The max checks are weird here because eBPF has no limits, while ftrace 
> > and perf both do (and I believe they are different max sizes?)
> 
> I'm not concerned about taking up more than ftrace or perf, but having some
> kind of DOS that is caused by hugh allocations. If you make a huge event
> and try to record it in ftrace, then ftrace will simply drop the event. No
> harm done (except you won't see the event).
> 

The later patches in the series avoid the alloc all together (and pass
the iter through to the probes). eBPF still has an alloc there, but it
is size limited to a single page to handle this case.

The huge alloc case could happen if a user just put in a lot of data in
the first patch. However, with alloc being removed in the later patches,
this won't occur.

> > 
> > If someone really wanted a large array of characters and it can fit
> > within perf but not ftrace, is it correct to block it here? My thinking
> > was to allow each trace buffer reserve call to either work or not based
> > on what the user requested depending on what was hooked.
> > 
> > No strong opinion here though, just thoughts about what is a reasonable
> > max given the 3 technologies.
> 
> Again, I'm more worried about just a general 'this is way too big' thing.
> If anything, it could be simply to flag a bug where the event in created
> via some logic that goes crazy.
> 

Got it, I believe putting a large upper bound, like 2*PAGE_SIZE should
cut that stuff out.

> > 
> > > > +/*
> > > > + * Parses the values of a field within the description
> > > > + * Format: type name [size]
> > > > + */
> > > > +static int user_event_parse_field(char *field, struct user_event *user,
> > > > +				  u32 *offset)
> > > > +{
> > > > +	char *part, *type, *name;
> > > > +	u32 depth = 0, saved_offset = *offset;
> > > > +	int size = -EINVAL;
> > > > +	bool is_struct = false;
> > > > +
> > > > +	field = skip_spaces(field);
> > > > +
> > > > +	if (*field == 0)
> > > > +		return 0;
> > > > +
> > > > +	/* Handle types that have a space within */
> > > > +	if (strstr(field, "unsigned ") == field) {  
> > > 
> > > These should use str_has_prefix(field, "unsigned ") etc.
> > > 
> > > It also returns the length of the prefix so you don't need to add
> > > sizeof() of the string you checked for.
> > >   
> > 
> > Nice, will use that.
> > 
> > > > +
> > > > +static struct trace_event_fields user_event_fields_array[] = {
> > > > +	{}
> > > > +};  
> > > 
> > > Isn't the above just a fancy way of writing:
> > > 
> > > static struct trace_event_fields user_event_fields_array[1];
> > > 
> > > ?
> > >   
> > 
> > Yes, as long as it gets init'd to zero. My understanding was that {}
> > would force zeroing, but I could totally be wrong.
> 
> All static and global variables that are not assigned will be initialized
> to zero. No need to initialize anything that is zero by default.
> 
> > 
> > > > +/*
> > > > + * Writes the user supplied payload out to a trace file.
> > > > + */
> > > > +static void user_event_ftrace(struct user_event *user, void *data, u32 datalen,
> > > > +			      void *tpdata)
> > > > +{
> > > > +	struct trace_event_file *file;
> > > > +	struct trace_entry *entry;
> > > > +	struct trace_event_buffer event_buffer;
> > > > +
> > > > +	file = (struct trace_event_file *)tpdata;
> > > > +
> > > > +	if (!file ||
> > > > +	    !(file->flags & EVENT_FILE_FL_ENABLED) ||
> > > > +	    trace_trigger_soft_disabled(file))
> > > > +		return;
> > > > +
> > > > +	entry = trace_event_buffer_reserve(&event_buffer, file,
> > > > +					   sizeof(*entry) + datalen);
> > > > +
> > > > +	if (unlikely(!entry))
> > > > +		return;
> > > > +  
> > > 
> > > Might want to add a comment here that the trace_event_buffer_reserve()
> > > will fill in the struct trace_entry, which explains the "entry+1" below.
> > > 
> > > I also need to add comments to trace_event_buffer_reserve() that it does so :-p
> > >   
> > 
> > Will do.
> > 
> > > > +/*
> > > > + * Update the register page that is shared between user processes.
> > > > + */
> > > > +static void update_reg_page_for(struct user_event *user)
> > > > +{
> > > > +	struct tracepoint *tp = &user->tracepoint;
> > > > +	char status = 0;
> > > > +
> > > > +	if (atomic_read(&tp->key.enabled) > 0) {
> > > > +		struct tracepoint_func *probe_func_ptr;
> > > > +		user_event_func_t probe_func;
> > > > +
> > > > +		rcu_read_lock_sched();
> > > > +
> > > > +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> > > > +
> > > > +		if (probe_func_ptr) {
> > > > +			do {
> > > > +				probe_func = probe_func_ptr->func;
> > > > +
> > > > +				if (probe_func == user_event_ftrace)
> > > > +					status |= EVENT_STATUS_FTRACE;
> > > > +				else
> > > > +					status |= EVENT_STATUS_OTHER;
> > > > +			} while ((++probe_func_ptr)->func);
> > > > +		}
> > > > +
> > > > +		rcu_read_unlock_sched();
> > > > +	}
> > > > +
> > > > +	register_page_data[user->index] = status;  
> > > 
> > > Should there be some kind of memory barriers here? That is, isn't this
> > > the page that user space sees? The user space code should probably have
> > > some kind of read memory barrier as well.
> > >   
> > 
> > I'm glad you brought this up. I wanted to ensure a balance between
> > eventual enablement of the event in the user mode process vs the cost
> > of simultaneous enablement of the event (stalls, etc).
> > 
> > We haven't seen this become an issue for our teams in our other
> > telemetry sources (with no barriers), which seems to indicate eventual
> > agreement of the page data works well as a tradeoff.
> 
> Another approach is if you know what tasks these events come from (who
> registered them), then you could simply send an IPI to the task if it
> happen to be running. An IPI will force a memory barrier, and since you
> only need to do this on changes (enable / disable event) it's not like it
> will happen often.
> 

This is good to know, there might be a need for this in the future when
we get around to more features of user_events from what some people are
asking for.

> > 
> > > > +static int user_event_create(const char *raw_command)
> > > > +{
> > > > +	struct user_event *user;
> > > > +	char *name;
> > > > +	int ret;
> > > > +
> > > > +	if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command)
> > > > +		return -ECANCELED;
> > > > +
> > > > +	raw_command += USER_EVENTS_PREFIX_LEN;
> > > > +	raw_command = skip_spaces(raw_command);
> > > > +
> > > > +	name = kstrdup(raw_command, GFP_KERNEL);  
> > > 
> > > name is allocated here, it really needs to be freed in this function as
> > > well. I see that user_event_parse() will free it, but that is extremely
> > > error prone to have a dependency like that. If name needs to be saved
> > > by user_event_parse_cmd() then that should be shown in the return value
> > > of that function. And if it fails the freeing of name should be in this
> > > function. Also, if it is saved, then there should be a comment in this
> > > function stating that.
> > >   
> > 
> > It's a bit tricky, because if the event already exists, the name is
> > freed. If the function fails, the name is freed. If the event has
> > never been seen before then it is saved.
> 
> I would then suggest to free the name from the calling function only if it
> succeeds and the name already exists. With a comment stating that.
> 
> But I would have the caller free it on failure. That is, you could change
> user_event_parse() to have:
> 
> 	struct user_event *user = find_user_event(name, &key);
> 
> 	if (user) {
> 		*newuser = user;
> 		/*
> 		 * The name is allocated by the caller, but since it
> 		 * already exists in user, simply free it here.
> 		 */
> 		kfree(name);
> 		return 0;
> 	}
> 
> And remove all the "put_name" jumps.
> 

Sure thing.

> > 
> > I'll try to make this more clear, my thought is to add an explicit
> > argument that gets set back to the caller if the string should be freed
> > or not to make this clear while reading the code.
> > 
> > > > +static bool user_event_is_busy(struct dyn_event *ev)
> > > > +{
> > > > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > > > +
> > > > +	return atomic_read(&user->refcnt) != 0;
> > > > +}
> > > > +
> > > > +static int user_event_free(struct dyn_event *ev)
> > > > +{
> > > > +	struct user_event *user = container_of(ev, struct user_event, devent);
> > > > +  
> > > 
> > > Shouldn't this check if the event is busy first?  
> > 
> > Yes, you are right. In the release all case busy is checked by
> > dyn_events for me. However, in the individual case it is not. I'll fix
> > this.
> > 
> > > > +/*
> > > > + * Validates the user payload and writes via iterator.
> > > > + */
> > > > +static ssize_t user_events_write_core(struct file *file, struct iov_iter *i)
> > > > +{
> > > > +	struct user_event_refs *refs;
> > > > +	struct user_event *user = NULL;
> > > > +	struct tracepoint *tp;
> > > > +	ssize_t ret = i->count;
> > > > +	int idx;
> > > > +
> > > > +	if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx)))
> > > > +		return -EFAULT;
> > > > +
> > > > +	rcu_read_lock_sched();
> > > > +
> > > > +	refs = rcu_dereference_sched(file->private_data);
> > > > +
> > > > +	if (likely(refs && idx < refs->count))
> > > > +		user = refs->events[idx];
> > > > +
> > > > +	rcu_read_unlock_sched();
> > > > +
> > > > +	if (unlikely(user == NULL))
> > > > +		return -ENOENT;
> > > > +
> > > > +	tp = &user->tracepoint;  
> > > 
> > > What protects user here? You released the rcu lock.  
> > 
> > user is ref counted by the file, so before the final close all events
> > linked to the file via the reg ioctl are ref'd and cannot go away.
> 
> 
> If that's the case, then why the rcu_read_lock_sched() around the assigment
> of user?
> 
> -- Steve
> 

Because the refs can change during the write, and we get the user
assignment from the refs events array that is RCU protected. If a task
registered another event during the write this has a timing window where
we would deref a possibly freed array.

User structs are shared across files, so they are ref counted. The
user_event_refs are per-FD references that are RCU protected since tasks
can share the same FD and cause synchronization windows that are bad
without it.

Thanks,
-Beau
Beau Belgrave Nov. 8, 2021, 10:09 p.m. UTC | #13 
On Mon, Nov 08, 2021 at 04:00:27PM -0500, Steven Rostedt wrote:
> On Mon, 8 Nov 2021 12:25:27 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > It seems there are 2 concerns:
> > 1. If data comes in and it's not in the size that is specified, it's
> > suspicious and should either be truncated or ignored. Maybe under
> > ignore, over truncate.
> > 
> > 2. If the data is more than specified, it must be checked to see if
> > there are __data_loc / __rel_loc entries and they must be validated as
> > within range of accepted limits. If there are no __data_loc / __rel_loc
> > it should either be truncated or ignored.
> > 
> > Is there more that I may have missed?
> > 
> > I'd like to know if I do fix them that the features like filtering will still
> > be available to user_events or if it's better to just add flags to disable
> > kernel filtering?
> 
> If these are "user defined" then perhaps we add a wrapper to the filtering
> that is called instead of the normal filtering for theses events that
> verify the fields of the events being filtered are located on the ring
> buffer. Although, strings and such are rare or just slow in filtering that
> we could make sure the content is still on the buffer that is being
> filtered.
> 

It seems like both histograms and filter both reference field flags to
determine how to get the data.

How would you feel about another FILTER_* flag on fields, like:
FILTER_DYN_STRING_SAFE
FILTER_PTR_STRING_SAFE

user_events when parsing would instead of leaving FILTER_OTHER for
__data_loc / __rel_loc switch to the above.

The predicate filter method would then switch based on those types to
safer versions.

That way other parts could take advantage of this if needed beyond
user_events.

If this is addressed at the filter/histogram level, would then the write
callsites still check bounds per-write? Or maybe only care about the
undersized data cases?

> > 
> > I'm still unsure this is limited to just user_events.
> > 
> > For example, why doesn't filter_pred_strloc and filter_pred_pchar in
> > trace_events_filter.c check the boundary it will be accessing?
> > 
> > It seems like tracepoints from kernel modules, while more trusted, can also
> > cause this kind of thing due to bugs, etc.
> 
> Yes, it's the fact that the code is created in the kernel, and the only way
> that the filtering could be out of bounds is if there's a bug in the
> kernel. We rather not check for that if it slows down the tracing. But
> perhaps if we can show that the checks are only done for dynamic strings
> and arrays, that it doesn't cause noticeable overhead, it may be fine to
> keep for all events.
> 
> -- Steve

Thanks,
-Beau
Steven Rostedt Nov. 8, 2021, 10:30 p.m. UTC | #14 
On Mon, 8 Nov 2021 14:09:45 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> It seems like both histograms and filter both reference field flags to
> determine how to get the data.
> 
> How would you feel about another FILTER_* flag on fields, like:
> FILTER_DYN_STRING_SAFE
> FILTER_PTR_STRING_SAFE

You mean "UNSAFE" ?

> 
> user_events when parsing would instead of leaving FILTER_OTHER for
> __data_loc / __rel_loc switch to the above.
> 
> The predicate filter method would then switch based on those types to
> safer versions.
> 
> That way other parts could take advantage of this if needed beyond
> user_events.
> 
> If this is addressed at the filter/histogram level, would then the write
> callsites still check bounds per-write? Or maybe only care about the
> undersized data cases?

I'd have to look at the implementation of this. There's too many variables
running around in my head right now.

-- Steve
Beau Belgrave Nov. 8, 2021, 10:59 p.m. UTC | #15 
On Mon, Nov 08, 2021 at 05:30:53PM -0500, Steven Rostedt wrote:
> On Mon, 8 Nov 2021 14:09:45 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > 
> > It seems like both histograms and filter both reference field flags to
> > determine how to get the data.
> > 
> > How would you feel about another FILTER_* flag on fields, like:
> > FILTER_DYN_STRING_SAFE
> > FILTER_PTR_STRING_SAFE
> 
> You mean "UNSAFE" ?
> 

Yes :) Unsafe data, safe filter method.

> > 
> > user_events when parsing would instead of leaving FILTER_OTHER for
> > __data_loc / __rel_loc switch to the above.
> > 
> > The predicate filter method would then switch based on those types to
> > safer versions.
> > 
> > That way other parts could take advantage of this if needed beyond
> > user_events.
> > 
> > If this is addressed at the filter/histogram level, would then the write
> > callsites still check bounds per-write? Or maybe only care about the
> > undersized data cases?
> 
> I'd have to look at the implementation of this. There's too many variables
> running around in my head right now.
> 
> -- Steve

Understood, thanks for thinking about this.

-Beau
Masami Hiramatsu (Google) Nov. 9, 2021, 2:56 a.m. UTC | #16 
On Mon, 8 Nov 2021 12:25:27 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote:
> > On Mon, 8 Nov 2021 09:13:36 -0800
> > Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > 
> > 
> > > Does that mean the decoders in eprobes/histogram don't check event
> > > record sizes before accessing the data? Shouldn't that get fix
> > > centrally? That would mean a loaded module could do the same thing
> > > (user_events only works if the user has access to tracefs, so it's not
> > > like it's open to all users).
> > 
> > There's checks to make sure everything fits in eprobes and kprobes. If it
> > doesn't then the event is simply dropped.
> > 
> > For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll
> > see that it calls get_eprobe_size(), which goes through and just reads what
> > it is about to accept. Then it reserves the amount of data on the ring
> > buffer, and then calls store_trace_args() which also passes in the size
> > that it found, in case things change. If it's too big, it only records what
> > it originally intended.
> > 
> > -- Steve
> 
> It seems there are 2 concerns:
> 1. If data comes in and it's not in the size that is specified, it's
> suspicious and should either be truncated or ignored. Maybe under
> ignore, over truncate.

Yes, this is for the events which is defined with fixed-size
parameters and what I suggested.

> 
> 2. If the data is more than specified, it must be checked to see if
> there are __data_loc / __rel_loc entries and they must be validated as
> within range of accepted limits. If there are no __data_loc / __rel_loc
> it should either be truncated or ignored.

Yes, this is for the events, which is defined with variable length
parameters, like null-terminated string. In this case, along with the
__data/__rel_loc validation, it needs a null termination check.

> 
> Is there more that I may have missed?
> 
> I'd like to know if I do fix them that the features like filtering will still
> be available to user_events or if it's better to just add flags to disable
> kernel filtering?

I would rather like that the filters will be available on the user_events.

My question is that you need to log the dynamic data or strings via user-
events or not. Since the other user-events, like SDT doesn't support the
string variables to trace, I guess that is not a high priority.

Moreover, since now we can use eprobes, if user event records the address of
user-string, the eprobes can fetch it.

So, my suggestion is implmenting with fixed-size parameters as the first step
and keep filter/histograms/eprobes available on the user-events.
If you find any performance issue, you can expand the user-events to support
dynamic (array) data and strings.

> 
> I'm still unsure this is limited to just user_events.
> 
> For example, why doesn't filter_pred_strloc and filter_pred_pchar in
> trace_events_filter.c check the boundary it will be accessing?

Because all data is written from the kernel code. We can trust the data
exists on the buffer. (If not, there is an actual BUG in the kenrel)
We can add a verifieer for the debug purpose.

> 
> It seems like tracepoints from kernel modules, while more trusted, can also
> cause this kind of thing due to bugs, etc.

Of course, and that must be fixed. And, the tracepoints (traceevents) should
be automatically generated code, that is more trusted than the events crafted
by user.

Thank you,
Masami Hiramatsu (Google) Nov. 9, 2021, 4:58 a.m. UTC | #17 
On Mon, 8 Nov 2021 14:09:45 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> On Mon, Nov 08, 2021 at 04:00:27PM -0500, Steven Rostedt wrote:
> > On Mon, 8 Nov 2021 12:25:27 -0800
> > Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > 
> > > It seems there are 2 concerns:
> > > 1. If data comes in and it's not in the size that is specified, it's
> > > suspicious and should either be truncated or ignored. Maybe under
> > > ignore, over truncate.
> > > 
> > > 2. If the data is more than specified, it must be checked to see if
> > > there are __data_loc / __rel_loc entries and they must be validated as
> > > within range of accepted limits. If there are no __data_loc / __rel_loc
> > > it should either be truncated or ignored.
> > > 
> > > Is there more that I may have missed?
> > > 
> > > I'd like to know if I do fix them that the features like filtering will still
> > > be available to user_events or if it's better to just add flags to disable
> > > kernel filtering?
> > 
> > If these are "user defined" then perhaps we add a wrapper to the filtering
> > that is called instead of the normal filtering for theses events that
> > verify the fields of the events being filtered are located on the ring
> > buffer. Although, strings and such are rare or just slow in filtering that
> > we could make sure the content is still on the buffer that is being
> > filtered.
> > 
> 
> It seems like both histograms and filter both reference field flags to
> determine how to get the data.
> 
> How would you feel about another FILTER_* flag on fields, like:
> FILTER_DYN_STRING_SAFE
> FILTER_PTR_STRING_SAFE
> 
> user_events when parsing would instead of leaving FILTER_OTHER for
> __data_loc / __rel_loc switch to the above.
> 
> The predicate filter method would then switch based on those types to
> safer versions.
> 
> That way other parts could take advantage of this if needed beyond
> user_events.
> 
> If this is addressed at the filter/histogram level, would then the write
> callsites still check bounds per-write? Or maybe only care about the
> undersized data cases?

Even with the unsafe flags, I think the callsites still needs
the undersized check at least. It may have the maxsize and minsize
for the events. If the event defined with dynamic data
(__data_loc/__rel_loc), minsize is the sum of the field size and
maxsize will be the PAGE_SIZE (or smaller than that). If the event
has no dynamic data field, minsize == maxsize.

Thank you,
Beau Belgrave Nov. 9, 2021, 7:08 p.m. UTC | #18 
On Tue, Nov 09, 2021 at 11:56:34AM +0900, Masami Hiramatsu wrote:
> On Mon, 8 Nov 2021 12:25:27 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > On Mon, Nov 08, 2021 at 01:16:39PM -0500, Steven Rostedt wrote:
> > > On Mon, 8 Nov 2021 09:13:36 -0800
> > > Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > > 
> > > 
> > > > Does that mean the decoders in eprobes/histogram don't check event
> > > > record sizes before accessing the data? Shouldn't that get fix
> > > > centrally? That would mean a loaded module could do the same thing
> > > > (user_events only works if the user has access to tracefs, so it's not
> > > > like it's open to all users).
> > > 
> > > There's checks to make sure everything fits in eprobes and kprobes. If it
> > > doesn't then the event is simply dropped.
> > > 
> > > For example, if you look at __eprobe_trace_func() in trace_eprobe.c, you'll
> > > see that it calls get_eprobe_size(), which goes through and just reads what
> > > it is about to accept. Then it reserves the amount of data on the ring
> > > buffer, and then calls store_trace_args() which also passes in the size
> > > that it found, in case things change. If it's too big, it only records what
> > > it originally intended.
> > > 
> > > -- Steve
> > 
> > It seems there are 2 concerns:
> > 1. If data comes in and it's not in the size that is specified, it's
> > suspicious and should either be truncated or ignored. Maybe under
> > ignore, over truncate.
> 
> Yes, this is for the events which is defined with fixed-size
> parameters and what I suggested.
> 

Thanks.

> > 
> > 2. If the data is more than specified, it must be checked to see if
> > there are __data_loc / __rel_loc entries and they must be validated as
> > within range of accepted limits. If there are no __data_loc / __rel_loc
> > it should either be truncated or ignored.
> 
> Yes, this is for the events, which is defined with variable length
> parameters, like null-terminated string. In this case, along with the
> __data/__rel_loc validation, it needs a null termination check.
> 

Got it.

> > 
> > Is there more that I may have missed?
> > 
> > I'd like to know if I do fix them that the features like filtering will still
> > be available to user_events or if it's better to just add flags to disable
> > kernel filtering?
> 
> I would rather like that the filters will be available on the user_events.
> 
> My question is that you need to log the dynamic data or strings via user-
> events or not. Since the other user-events, like SDT doesn't support the
> string variables to trace, I guess that is not a high priority.
> 
> Moreover, since now we can use eprobes, if user event records the address of
> user-string, the eprobes can fetch it.
> 
> So, my suggestion is implmenting with fixed-size parameters as the first step
> and keep filter/histograms/eprobes available on the user-events.
> If you find any performance issue, you can expand the user-events to support
> dynamic (array) data and strings.
> 

We need strings to be able to be emitted and recorded in eBPF, perf and
ftrace. So I would rather go after a solution that lets us keep these in
the ring buffers, even if it means a perf hit.

Guess what's left is to where the best place to check is, checking in
the filter with unsafe flags would let us keep most of the perf (we just
check the undersize case, 1 branch). When these unsafe types are
filtered then a perf tax is imposed to keep things safe.

It sounded like Steven wanted to think about this a bit, so I'll wait a
bit before poking again for consensus :)

Do you have any strong feelings about where it goes?

Thanks,
-Beau
Steven Rostedt Nov. 9, 2021, 7:25 p.m. UTC | #19 
On Tue, 9 Nov 2021 11:08:44 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> We need strings to be able to be emitted and recorded in eBPF, perf and
> ftrace. So I would rather go after a solution that lets us keep these in
> the ring buffers, even if it means a perf hit.
> 
> Guess what's left is to where the best place to check is, checking in
> the filter with unsafe flags would let us keep most of the perf (we just
> check the undersize case, 1 branch). When these unsafe types are
> filtered then a perf tax is imposed to keep things safe.
> 
> It sounded like Steven wanted to think about this a bit, so I'll wait a
> bit before poking again for consensus :)
> 
> Do you have any strong feelings about where it goes?

IIUC, the writing into the trace event is done via one big blob, correct?

That is this:

+	if (likely(atomic_read(&tp->key.enabled) > 0)) {
+		struct tracepoint_func *probe_func_ptr;
+		user_event_func_t probe_func;
+		void *tpdata;
+		void *kdata;
+		u32 datalen;
+
+		kdata = kmalloc(i->count, GFP_KERNEL);
+
+		if (unlikely(!kdata))
+			return -ENOMEM;
+
+		datalen = copy_from_iter(kdata, i->count, i);
+
+		rcu_read_lock_sched();
+
+		probe_func_ptr = rcu_dereference_sched(tp->funcs);
+
+		if (probe_func_ptr) {
+			do {
+				probe_func = probe_func_ptr->func;
+				tpdata = probe_func_ptr->data;
+				probe_func(user, kdata, datalen, tpdata);
+			} while ((++probe_func_ptr)->func);
+		}
+
+		rcu_read_unlock_sched();
+
+		kfree(kdata);

So we really are just interested in making sure that the output is correct?

That is, the reading of the trace file?

-- Steve
Beau Belgrave Nov. 9, 2021, 8:14 p.m. UTC | #20 
On Tue, Nov 09, 2021 at 02:25:06PM -0500, Steven Rostedt wrote:
> On Tue, 9 Nov 2021 11:08:44 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > We need strings to be able to be emitted and recorded in eBPF, perf and
> > ftrace. So I would rather go after a solution that lets us keep these in
> > the ring buffers, even if it means a perf hit.
> > 
> > Guess what's left is to where the best place to check is, checking in
> > the filter with unsafe flags would let us keep most of the perf (we just
> > check the undersize case, 1 branch). When these unsafe types are
> > filtered then a perf tax is imposed to keep things safe.
> > 
> > It sounded like Steven wanted to think about this a bit, so I'll wait a
> > bit before poking again for consensus :)
> > 
> > Do you have any strong feelings about where it goes?
> 
> IIUC, the writing into the trace event is done via one big blob, correct?
> 

Yes, the top 4 bytes get trimmed off as an index, then it's a big blob
to all places except eBPF (when asking for the iterator directly).

> That is this:
> 
> +	if (likely(atomic_read(&tp->key.enabled) > 0)) {
> +		struct tracepoint_func *probe_func_ptr;
> +		user_event_func_t probe_func;
> +		void *tpdata;
> +		void *kdata;
> +		u32 datalen;
> +
> +		kdata = kmalloc(i->count, GFP_KERNEL);
> +
> +		if (unlikely(!kdata))
> +			return -ENOMEM;
> +
> +		datalen = copy_from_iter(kdata, i->count, i);
> +
> +		rcu_read_lock_sched();
> +
> +		probe_func_ptr = rcu_dereference_sched(tp->funcs);
> +
> +		if (probe_func_ptr) {
> +			do {
> +				probe_func = probe_func_ptr->func;
> +				tpdata = probe_func_ptr->data;
> +				probe_func(user, kdata, datalen, tpdata);
> +			} while ((++probe_func_ptr)->func);
> +		}
> +
> +		rcu_read_unlock_sched();
> +
> +		kfree(kdata);
> 
> So we really are just interested in making sure that the output is correct?
> 

Largely, yes.

The optimization part of the patch moves the buffer copies into the
probes to remove a double copy. I believe however that output can be
checked either centrally before the probes or within each probe call if
need be.

For perf/eBPF we may not need to check things, however, for ftrace
we will due to the filters. So we may be able to isolate to just the
ftrace probe method.

The ftrace probe will have a blob even after optimization due to the copy
into the ring buffer (assuming we can discard it if it violates a policy).

> That is, the reading of the trace file?
> 

We really need to ensure that data can be analyzed on the machine
directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf).

The priorities to us are fast recording speed with accurate reading of trace
files and event data.

> -- Steve
Steven Rostedt Nov. 9, 2021, 8:45 p.m. UTC | #21 
On Tue, 9 Nov 2021 12:14:32 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> The ftrace probe will have a blob even after optimization due to the copy
> into the ring buffer (assuming we can discard it if it violates a policy).

Yes it can be discarded. In fact, when filtering is enabled, it tries to
first use a temporary per cpu buffer to do the filtering and not write it
into the ring buffer. Only when it passes the filter does it get injected.

For user events that happen in user context, it will always use this temp
buffer. But since there's only buffer per CPU, if an interrupt comes in and
executes a filtered event, it will use the ring buffer itself, and discard
it if it does not match.

> 
> > That is, the reading of the trace file?
> >   
> 
> We really need to ensure that data can be analyzed on the machine
> directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf).
> 
> The priorities to us are fast recording speed with accurate reading of trace
> files and event data.

OK, then it probably isn't an issue to add checks to the parsing of the
dynamic arrays (including strings) that makes sure the string is within
bounds for the filtering.

-- Steve
Beau Belgrave Nov. 9, 2021, 9:27 p.m. UTC | #22 
On Tue, Nov 09, 2021 at 03:45:20PM -0500, Steven Rostedt wrote:
> On Tue, 9 Nov 2021 12:14:32 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > The ftrace probe will have a blob even after optimization due to the copy
> > into the ring buffer (assuming we can discard it if it violates a policy).
> 
> Yes it can be discarded. In fact, when filtering is enabled, it tries to
> first use a temporary per cpu buffer to do the filtering and not write it
> into the ring buffer. Only when it passes the filter does it get injected.
> 
> For user events that happen in user context, it will always use this temp
> buffer. But since there's only buffer per CPU, if an interrupt comes in and
> executes a filtered event, it will use the ring buffer itself, and discard
> it if it does not match.
> 
> > 
> > > That is, the reading of the trace file?
> > >   
> > 
> > We really need to ensure that data can be analyzed on the machine
> > directly (eBPF, ftrace, perf) as well as outside of the machine (ftrace, perf).
> > 
> > The priorities to us are fast recording speed with accurate reading of trace
> > files and event data.
> 
> OK, then it probably isn't an issue to add checks to the parsing of the
> dynamic arrays (including strings) that makes sure the string is within
> bounds for the filtering.
> 
> -- Steve

Where were you thinking the filtering would occur? In the filter /
histogram predicates or in user_events directly before buffer commit?

Thanks,
-Beau
Steven Rostedt Nov. 9, 2021, 9:39 p.m. UTC | #23 
On Tue, 9 Nov 2021 13:27:56 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> Where were you thinking the filtering would occur? In the filter /
> histogram predicates or in user_events directly before buffer commit?

In the predicates. But we only care about the dynamic array ones.

-- Steve
Masami Hiramatsu (Google) Nov. 10, 2021, 1:56 p.m. UTC | #24 
On Tue, 9 Nov 2021 11:08:44 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> > > I'd like to know if I do fix them that the features like filtering will still
> > > be available to user_events or if it's better to just add flags to disable
> > > kernel filtering?
> > 
> > I would rather like that the filters will be available on the user_events.
> > 
> > My question is that you need to log the dynamic data or strings via user-
> > events or not. Since the other user-events, like SDT doesn't support the
> > string variables to trace, I guess that is not a high priority.
> > 
> > Moreover, since now we can use eprobes, if user event records the address of
> > user-string, the eprobes can fetch it.
> > 
> > So, my suggestion is implmenting with fixed-size parameters as the first step
> > and keep filter/histograms/eprobes available on the user-events.
> > If you find any performance issue, you can expand the user-events to support
> > dynamic (array) data and strings.
> > 
> 
> We need strings to be able to be emitted and recorded in eBPF, perf and
> ftrace. So I would rather go after a solution that lets us keep these in
> the ring buffers, even if it means a perf hit.

OK, my concern is based on the current implementation, so in that case
you can add some additional verification. That is good.

> Guess what's left is to where the best place to check is, checking in
> the filter with unsafe flags would let us keep most of the perf (we just
> check the undersize case, 1 branch). When these unsafe types are
> filtered then a perf tax is imposed to keep things safe.

I would like to keep verifying in writer side then we can ensure the
data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe
flag, you have to change all the code which access the ring buffer, not only
the filter but also eprobes, histograms, perf-tools, and other user-space
tracing tools which reads the tracing buffer directly.

> It sounded like Steven wanted to think about this a bit, so I'll wait a
> bit before poking again for consensus :)
> 
> Do you have any strong feelings about where it goes?

I recommend you to start verifying the writer side, it should make the
change as small as possible. Unsafe flag idea may involve many other
tools. And it is not fundamentary required for user-events.

Thank you,
Beau Belgrave Nov. 11, 2021, 5:33 p.m. UTC | #25 
On Wed, Nov 10, 2021 at 10:56:30PM +0900, Masami Hiramatsu wrote:
> On Tue, 9 Nov 2021 11:08:44 -0800
> Beau Belgrave <beaub@linux.microsoft.com> wrote:

> I would like to keep verifying in writer side then we can ensure the
> data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe
> flag, you have to change all the code which access the ring buffer, not only
> the filter but also eprobes, histograms, perf-tools, and other user-space
> tracing tools which reads the tracing buffer directly.
> 
> > It sounded like Steven wanted to think about this a bit, so I'll wait a
> > bit before poking again for consensus :)
> > 
> > Do you have any strong feelings about where it goes?
> 
> I recommend you to start verifying the writer side, it should make the
> change as small as possible. Unsafe flag idea may involve many other
> tools. And it is not fundamentary required for user-events.
> 
> Thank you,
> 
> -- 
> Masami Hiramatsu <mhiramat@kernel.org>

Ok, I will start there.

Are static string buffers required as well for the null check?

Or is this only for dyn strings that require the check?

Also, I am assuming that __rel_loc offset is based after the __rel_loc
payload, IE: Offset 0 of __rel_loc is immediately after the 4 byte
__rel_loc description?

Thanks,
-Beau
Masami Hiramatsu (Google) Nov. 12, 2021, 1:40 p.m. UTC | #26 
On Thu, 11 Nov 2021 09:33:34 -0800
Beau Belgrave <beaub@linux.microsoft.com> wrote:

> On Wed, Nov 10, 2021 at 10:56:30PM +0900, Masami Hiramatsu wrote:
> > On Tue, 9 Nov 2021 11:08:44 -0800
> > Beau Belgrave <beaub@linux.microsoft.com> wrote:
> 
> > I would like to keep verifying in writer side then we can ensure the
> > data on ring buffer (of perf and of ftrace) is sane. If you add the unsafe
> > flag, you have to change all the code which access the ring buffer, not only
> > the filter but also eprobes, histograms, perf-tools, and other user-space
> > tracing tools which reads the tracing buffer directly.
> > 
> > > It sounded like Steven wanted to think about this a bit, so I'll wait a
> > > bit before poking again for consensus :)
> > > 
> > > Do you have any strong feelings about where it goes?
> > 
> > I recommend you to start verifying the writer side, it should make the
> > change as small as possible. Unsafe flag idea may involve many other
> > tools. And it is not fundamentary required for user-events.
> > 
> > Thank you,
> > 
> > -- 
> > Masami Hiramatsu <mhiramat@kernel.org>
> 
> Ok, I will start there.
> 
> Are static string buffers required as well for the null check?
> 
> Or is this only for dyn strings that require the check?

Good question! The dynamic strings is ensured to be null-terminated,
but the static string is not because the size is fixed (at least
event filter checked that.)

BTW, I found that the hist_triger_elt_update() doesn't check the
field size for fixed-size string (only use STR_VAR_LEN_MAX to limit.)
It seems buggy if the fixed-size char [] field is not null terminated.
(e.g. it is used for storing array-data)
Let me fix that.

> Also, I am assuming that __rel_loc offset is based after the __rel_loc
> payload, IE: Offset 0 of __rel_loc is immediately after the 4 byte
> __rel_loc description?

Yes, so if the field is the last one, the offset can be 0.

Thank you,
diff mbox series

Patch

diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
index 3ee23f4d437f..deaaad421be4 100644
--- a/kernel/trace/Kconfig
+++ b/kernel/trace/Kconfig
@@ -725,6 +725,21 @@  config SYNTH_EVENTS
 
 	  If in doubt, say N.
 
+config USER_EVENTS
+	bool "User trace events"
+	select TRACING
+	select DYNAMIC_EVENTS
+	default n
+	help
+	  User trace events are user-defined trace events that
+	  can be used like an existing kernel trace event.  User trace
+	  events are generated by writing to a tracefs file.  User
+	  processes can determine if their tracing events should be
+	  generated by memory mapping a tracefs file and checking for
+	  an associated byte being non-zero.
+
+	  If in doubt, say N.
+
 config HIST_TRIGGERS
 	bool "Histogram triggers"
 	depends on ARCH_HAVE_NMI_SAFE_CMPXCHG
diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile
index b1c47ccf4f73..a653b255e89c 100644
--- a/kernel/trace/Makefile
+++ b/kernel/trace/Makefile
@@ -80,6 +80,7 @@  obj-$(CONFIG_EVENT_TRACING) += trace_events_trigger.o
 obj-$(CONFIG_TRACE_EVENT_INJECT) += trace_events_inject.o
 obj-$(CONFIG_SYNTH_EVENTS) += trace_events_synth.o
 obj-$(CONFIG_HIST_TRIGGERS) += trace_events_hist.o
+obj-$(CONFIG_USER_EVENTS) += trace_events_user.o
 obj-$(CONFIG_BPF_EVENTS) += bpf_trace.o
 obj-$(CONFIG_KPROBE_EVENTS) += trace_kprobe.o
 obj-$(CONFIG_TRACEPOINTS) += error_report-traces.o
diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c
new file mode 100644
index 000000000000..a68017ad7fdd
--- /dev/null
+++ b/kernel/trace/trace_events_user.c
@@ -0,0 +1,1140 @@ 
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (c) 2021, Microsoft Corporation.
+ *
+ * Authors:
+ *   Beau Belgrave <beaub@linux.microsoft.com>
+ */
+
+#include <linux/bitmap.h>
+#include <linux/cdev.h>
+#include <linux/hashtable.h>
+#include <linux/list.h>
+#include <linux/io.h>
+#include <linux/uio.h>
+#include <linux/ioctl.h>
+#include <linux/jhash.h>
+#include <linux/trace_events.h>
+#include <linux/tracefs.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <uapi/linux/user_events.h>
+#include "trace.h"
+#include "trace_dynevent.h"
+
+#define USER_EVENTS_PREFIX_LEN (sizeof(USER_EVENTS_PREFIX)-1)
+
+#define FIELD_DEPTH_TYPE 0
+#define FIELD_DEPTH_NAME 1
+#define FIELD_DEPTH_SIZE 2
+
+/*
+ * Limits how many trace_event calls user processes can create:
+ * Must be multiple of PAGE_SIZE.
+ */
+#define MAX_PAGES 1
+#define MAX_EVENTS (MAX_PAGES * PAGE_SIZE)
+
+/* Limit how long of an event name plus args within the subsystem. */
+#define MAX_EVENT_DESC 512
+#define EVENT_NAME(user_event) ((user_event)->tracepoint.name)
+
+static char *register_page_data;
+
+static DEFINE_MUTEX(reg_mutex);
+static DEFINE_HASHTABLE(register_table, 4);
+static DECLARE_BITMAP(page_bitmap, MAX_EVENTS);
+
+struct user_event {
+	struct tracepoint tracepoint;
+	struct trace_event_call call;
+	struct trace_event_class class;
+	struct dyn_event devent;
+	struct hlist_node node;
+	struct list_head fields;
+	atomic_t refcnt;
+	int index;
+	int flags;
+};
+
+struct user_event_refs {
+	struct rcu_head rcu;
+	int count;
+	struct user_event *events[];
+};
+
+typedef void (*user_event_func_t) (struct user_event *user,
+				   void *data, u32 datalen,
+				   void *tpdata);
+
+static int user_event_parse(char *name, char *args, char *flags,
+			    struct user_event **newuser);
+
+static u32 user_event_key(char *name)
+{
+	return jhash(name, strlen(name), 0);
+}
+
+static struct list_head *user_event_get_fields(struct trace_event_call *call)
+{
+	struct user_event *user = (struct user_event *)call->data;
+
+	return &user->fields;
+}
+
+/*
+ * Parses a register command for user_events
+ * Format: event_name[:FLAG1[,FLAG2...]] [field1[;field2...]]
+ *
+ * Example event named test with a 20 char msg field with a unsigned int after:
+ * test char[20] msg;unsigned int id
+ *
+ * NOTE: Offsets are from the user data perspective, they are not from the
+ * trace_entry/buffer perspective. We automatically add the common properties
+ * sizes to the offset for the user.
+ */
+static int user_event_parse_cmd(char *raw_command, struct user_event **newuser)
+{
+	char *name = raw_command;
+	char *args = strpbrk(name, " ");
+	char *flags;
+
+	if (args)
+		*args++ = 0;
+
+	flags = strpbrk(name, ":");
+
+	if (flags)
+		*flags++ = 0;
+
+	return user_event_parse(name, args, flags, newuser);
+}
+
+static int user_field_array_size(const char *type)
+{
+	const char *start = strchr(type, '[');
+	int size = 0;
+
+	if (start == NULL)
+		return -EINVAL;
+
+	start++;
+
+	while (*start >= '0' && *start <= '9')
+		size = (size * 10) + (*start++ - '0');
+
+	if (*start != ']')
+		return -EINVAL;
+
+	return size;
+}
+
+static int user_field_size(const char *type)
+{
+	/* long is not allowed from a user, since it's ambigious in size */
+	if (strcmp(type, "s64") == 0)
+		return sizeof(s64);
+	if (strcmp(type, "u64") == 0)
+		return sizeof(u64);
+	if (strcmp(type, "s32") == 0)
+		return sizeof(s32);
+	if (strcmp(type, "u32") == 0)
+		return sizeof(u32);
+	if (strcmp(type, "int") == 0)
+		return sizeof(int);
+	if (strcmp(type, "unsigned int") == 0)
+		return sizeof(unsigned int);
+	if (strcmp(type, "s16") == 0)
+		return sizeof(s16);
+	if (strcmp(type, "u16") == 0)
+		return sizeof(u16);
+	if (strcmp(type, "short") == 0)
+		return sizeof(short);
+	if (strcmp(type, "unsigned short") == 0)
+		return sizeof(unsigned short);
+	if (strcmp(type, "s8") == 0)
+		return sizeof(s8);
+	if (strcmp(type, "u8") == 0)
+		return sizeof(u8);
+	if (strcmp(type, "char") == 0)
+		return sizeof(char);
+	if (strcmp(type, "unsigned char") == 0)
+		return sizeof(unsigned char);
+	if (strstr(type, "char[") == type)
+		return user_field_array_size(type);
+	if (strstr(type, "unsigned char[") == type)
+		return user_field_array_size(type);
+	if (strstr(type, "__data_loc ") == type)
+		return sizeof(u32);
+	if (strstr(type, "__rel_loc ") == type)
+		return sizeof(u32);
+
+	/* Uknown basic type, error */
+	return -EINVAL;
+}
+
+static void user_event_destroy_fields(struct user_event *user)
+{
+	struct ftrace_event_field *field, *next;
+	struct list_head *head = &user->fields;
+
+	list_for_each_entry_safe(field, next, head, link) {
+		list_del(&field->link);
+		kfree(field);
+	}
+}
+
+static int user_event_add_field(struct user_event *user, const char *type,
+				const char *name, int offset, int size,
+				int is_signed, int filter_type)
+{
+	struct ftrace_event_field *field;
+
+	field = kmalloc(sizeof(*field), GFP_KERNEL);
+
+	if (!field)
+		return -ENOMEM;
+
+	field->type = type;
+	field->name = name;
+	field->offset = offset;
+	field->size = size;
+	field->is_signed = is_signed;
+	field->filter_type = filter_type;
+
+	list_add(&field->link, &user->fields);
+
+	return 0;
+}
+
+/*
+ * Parses the values of a field within the description
+ * Format: type name [size]
+ */
+static int user_event_parse_field(char *field, struct user_event *user,
+				  u32 *offset)
+{
+	char *part, *type, *name;
+	u32 depth = 0, saved_offset = *offset;
+	int size = -EINVAL;
+	bool is_struct = false;
+
+	field = skip_spaces(field);
+
+	if (*field == 0)
+		return 0;
+
+	/* Handle types that have a space within */
+	if (strstr(field, "unsigned ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("unsigned"), " ");
+		goto skip_next;
+	} else if (strstr(field, "struct ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("struct"), " ");
+		is_struct = true;
+		goto skip_next;
+	} else if (strstr(field, "__data_loc unsigned ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("__data_loc unsigned"), " ");
+		goto skip_next;
+	} else if (strstr(field, "__data_loc ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("__data_loc"), " ");
+		goto skip_next;
+	} else if (strstr(field, "__rel_loc unsigned ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("__rel_loc unsigned"), " ");
+		goto skip_next;
+	} else if (strstr(field, "__rel_loc ") == field) {
+		type = field;
+		field = strpbrk(field + sizeof("__rel_loc"), " ");
+		goto skip_next;
+	}
+	goto parse;
+skip_next:
+	if (field == NULL)
+		return -EINVAL;
+
+	*field++ = 0;
+	depth++;
+parse:
+	while ((part = strsep(&field, " ")) != NULL) {
+		switch (depth++) {
+		case FIELD_DEPTH_TYPE:
+			type = part;
+			break;
+		case FIELD_DEPTH_NAME:
+			name = part;
+			break;
+		case FIELD_DEPTH_SIZE:
+			if (!is_struct)
+				return -EINVAL;
+
+			if (kstrtou32(part, 10, &size))
+				return -EINVAL;
+			break;
+		default:
+			return -EINVAL;
+		}
+	}
+
+	if (depth < FIELD_DEPTH_SIZE)
+		return -EINVAL;
+
+	if (depth == FIELD_DEPTH_SIZE)
+		size = user_field_size(type);
+
+	if (size == 0)
+		return -EINVAL;
+
+	if (size < 0)
+		return size;
+
+	*offset = saved_offset + size;
+
+	return user_event_add_field(user, type, name, saved_offset, size,
+				    type[0] != 'u', FILTER_OTHER);
+}
+
+static void user_event_parse_flags(struct user_event *user, char *flags)
+{
+	char *flag;
+
+	if (flags == NULL)
+		return;
+
+	while ((flag = strsep(&flags, ",")) != NULL) {
+		if (strcmp(flag, "BPF_ITER") == 0)
+			user->flags |= FLAG_BPF_ITER;
+	}
+}
+
+static int user_event_parse_fields(struct user_event *user, char *args)
+{
+	char *field;
+	u32 offset = sizeof(struct trace_entry);
+	int ret = -EINVAL;
+
+	if (args == NULL)
+		return 0;
+
+	while ((field = strsep(&args, ";")) != NULL) {
+		ret = user_event_parse_field(field, user, &offset);
+
+		if (ret)
+			break;
+	}
+
+	return ret;
+}
+
+static struct trace_event_fields user_event_fields_array[] = {
+	{}
+};
+
+static enum print_line_t user_event_print_trace(struct trace_iterator *iter,
+						int flags,
+						struct trace_event *event)
+{
+	/* Unsafe to try to decode user provided print_fmt, use hex */
+	trace_print_hex_dump_seq(&iter->seq, "", DUMP_PREFIX_OFFSET, 16,
+				 1, iter->ent, iter->ent_size, true);
+
+	return trace_handle_return(&iter->seq);
+}
+
+static struct trace_event_functions user_event_funcs = {
+	.trace = user_event_print_trace,
+};
+
+static int destroy_user_event(struct user_event *user)
+{
+	int ret = 0;
+
+	/* Must destroy fields before call removal */
+	user_event_destroy_fields(user);
+
+	ret = trace_remove_event_call(&user->call);
+
+	if (ret)
+		return ret;
+
+	dyn_event_remove(&user->devent);
+
+	register_page_data[user->index] = 0;
+	clear_bit(user->index, page_bitmap);
+	hash_del(&user->node);
+
+	kfree(EVENT_NAME(user));
+	kfree(user);
+
+	return ret;
+}
+
+static struct user_event *find_user_event(char *name, u32 *outkey)
+{
+	struct user_event *user;
+	u32 key = user_event_key(name);
+
+	*outkey = key;
+
+	hash_for_each_possible(register_table, user, node, key)
+		if (!strcmp(EVENT_NAME(user), name))
+			return user;
+
+	return NULL;
+}
+
+/*
+ * Writes the user supplied payload out to a trace file.
+ */
+static void user_event_ftrace(struct user_event *user, void *data, u32 datalen,
+			      void *tpdata)
+{
+	struct trace_event_file *file;
+	struct trace_entry *entry;
+	struct trace_event_buffer event_buffer;
+
+	file = (struct trace_event_file *)tpdata;
+
+	if (!file ||
+	    !(file->flags & EVENT_FILE_FL_ENABLED) ||
+	    trace_trigger_soft_disabled(file))
+		return;
+
+	entry = trace_event_buffer_reserve(&event_buffer, file,
+					   sizeof(*entry) + datalen);
+
+	if (unlikely(!entry))
+		return;
+
+	memcpy(entry + 1, data, datalen);
+
+	trace_event_buffer_commit(&event_buffer);
+}
+
+/*
+ * Update the register page that is shared between user processes.
+ */
+static void update_reg_page_for(struct user_event *user)
+{
+	struct tracepoint *tp = &user->tracepoint;
+	char status = 0;
+
+	if (atomic_read(&tp->key.enabled) > 0) {
+		struct tracepoint_func *probe_func_ptr;
+		user_event_func_t probe_func;
+
+		rcu_read_lock_sched();
+
+		probe_func_ptr = rcu_dereference_sched(tp->funcs);
+
+		if (probe_func_ptr) {
+			do {
+				probe_func = probe_func_ptr->func;
+
+				if (probe_func == user_event_ftrace)
+					status |= EVENT_STATUS_FTRACE;
+				else
+					status |= EVENT_STATUS_OTHER;
+			} while ((++probe_func_ptr)->func);
+		}
+
+		rcu_read_unlock_sched();
+	}
+
+	register_page_data[user->index] = status;
+}
+
+/*
+ * Register callback for our events from tracing sub-systems.
+ */
+static int user_event_reg(struct trace_event_call *call,
+			  enum trace_reg type,
+			  void *data)
+{
+	struct user_event *user = (struct user_event *)call->data;
+	int ret = 0;
+
+	if (!user)
+		return -ENOENT;
+
+	switch (type) {
+	case TRACE_REG_REGISTER:
+		ret = tracepoint_probe_register(call->tp,
+						call->class->probe,
+						data);
+		if (!ret)
+			goto inc;
+		break;
+
+	case TRACE_REG_UNREGISTER:
+		tracepoint_probe_unregister(call->tp,
+					    call->class->probe,
+					    data);
+		goto dec;
+
+#ifdef CONFIG_PERF_EVENTS
+	case TRACE_REG_PERF_REGISTER:
+	case TRACE_REG_PERF_UNREGISTER:
+	case TRACE_REG_PERF_OPEN:
+	case TRACE_REG_PERF_CLOSE:
+	case TRACE_REG_PERF_ADD:
+	case TRACE_REG_PERF_DEL:
+		break;
+#endif
+	}
+
+	return ret;
+inc:
+	atomic_inc(&user->refcnt);
+	update_reg_page_for(user);
+	return 0;
+dec:
+	update_reg_page_for(user);
+	atomic_dec(&user->refcnt);
+	return 0;
+}
+
+static int user_event_create(const char *raw_command)
+{
+	struct user_event *user;
+	char *name;
+	int ret;
+
+	if (strstr(raw_command, USER_EVENTS_PREFIX) != raw_command)
+		return -ECANCELED;
+
+	raw_command += USER_EVENTS_PREFIX_LEN;
+	raw_command = skip_spaces(raw_command);
+
+	name = kstrdup(raw_command, GFP_KERNEL);
+
+	if (!name)
+		return -ENOMEM;
+
+	mutex_lock(&reg_mutex);
+	ret = user_event_parse_cmd(name, &user);
+	mutex_unlock(&reg_mutex);
+
+	return ret;
+}
+
+static int user_event_show(struct seq_file *m, struct dyn_event *ev)
+{
+	struct user_event *user = container_of(ev, struct user_event, devent);
+	struct ftrace_event_field *field, *next;
+	struct list_head *head;
+	int depth = 0;
+
+	seq_printf(m, "%s%s", USER_EVENTS_PREFIX, EVENT_NAME(user));
+
+	head = trace_get_fields(&user->call);
+
+	list_for_each_entry_safe_reverse(field, next, head, link) {
+		if (depth == 0)
+			seq_puts(m, " ");
+		else
+			seq_puts(m, "; ");
+		seq_printf(m, "%s %s", field->type, field->name);
+		depth++;
+	}
+
+	seq_puts(m, "\n");
+
+	return 0;
+}
+
+static bool user_event_is_busy(struct dyn_event *ev)
+{
+	struct user_event *user = container_of(ev, struct user_event, devent);
+
+	return atomic_read(&user->refcnt) != 0;
+}
+
+static int user_event_free(struct dyn_event *ev)
+{
+	struct user_event *user = container_of(ev, struct user_event, devent);
+
+	return destroy_user_event(user);
+}
+
+static bool user_event_match(const char *system, const char *event,
+			     int argc, const char **argv, struct dyn_event *ev)
+{
+	struct user_event *user = container_of(ev, struct user_event, devent);
+
+	return strcmp(EVENT_NAME(user), event) == 0 &&
+		(!system || strcmp(system, USER_EVENTS_SYSTEM) == 0);
+}
+
+static struct dyn_event_operations user_event_dops = {
+	.create = user_event_create,
+	.show = user_event_show,
+	.is_busy = user_event_is_busy,
+	.free = user_event_free,
+	.match = user_event_match,
+};
+
+static int user_event_trace_register(struct user_event *user)
+{
+	int ret;
+
+	ret = register_trace_event(&user->call.event);
+
+	if (!ret)
+		return -ENODEV;
+
+	ret = trace_add_event_call(&user->call);
+
+	if (ret)
+		unregister_trace_event(&user->call.event);
+
+	return ret;
+}
+
+/*
+ * Parses the event name, arguments and flags then registers if successful.
+ */
+static int user_event_parse(char *name, char *args, char *flags,
+			    struct user_event **newuser)
+{
+	int ret;
+	int index;
+	u32 key;
+	struct user_event *user = find_user_event(name, &key);
+
+	if (user) {
+		*newuser = user;
+		ret = 0;
+		goto put_name;
+	}
+
+	index = find_first_zero_bit(page_bitmap, MAX_EVENTS);
+
+	if (index == MAX_EVENTS) {
+		ret = -EMFILE;
+		goto put_name;
+	}
+
+	user = kzalloc(sizeof(*user), GFP_KERNEL);
+
+	if (!user) {
+		ret = -ENOMEM;
+		goto put_name;
+	}
+
+	INIT_LIST_HEAD(&user->class.fields);
+	INIT_LIST_HEAD(&user->fields);
+
+	user->tracepoint.name = name;
+
+	user_event_parse_flags(user, flags);
+
+	ret = user_event_parse_fields(user, args);
+
+	if (ret)
+		goto put_user;
+
+	/* Minimal print format */
+	user->call.print_fmt = "\"\"";
+
+	user->call.data = user;
+	user->call.class = &user->class;
+	user->call.name = name;
+	user->call.flags = TRACE_EVENT_FL_TRACEPOINT;
+	user->call.tp = &user->tracepoint;
+	user->call.event.funcs = &user_event_funcs;
+
+	user->class.system = USER_EVENTS_SYSTEM;
+	user->class.fields_array = user_event_fields_array;
+	user->class.get_fields = user_event_get_fields;
+	user->class.reg = user_event_reg;
+	user->class.probe = user_event_ftrace;
+
+	mutex_lock(&event_mutex);
+	ret = user_event_trace_register(user);
+	mutex_unlock(&event_mutex);
+
+	if (ret)
+		goto put_user;
+
+	user->index = index;
+	dyn_event_init(&user->devent, &user_event_dops);
+	dyn_event_add(&user->devent);
+	set_bit(user->index, page_bitmap);
+	hash_add(register_table, &user->node, key);
+
+	*newuser = user;
+	return 0;
+put_user:
+	user_event_destroy_fields(user);
+	kfree(user);
+put_name:
+	kfree(name);
+	return ret;
+}
+
+/*
+ * Deletes a previously created event if it is no longer being used.
+ */
+static int delete_user_event(char *name)
+{
+	u32 key;
+	int ret;
+	struct user_event *user = find_user_event(name, &key);
+
+	if (!user)
+		return -ENOENT;
+
+	if (atomic_read(&user->refcnt) != 0)
+		return -EBUSY;
+
+	mutex_lock(&event_mutex);
+	ret = destroy_user_event(user);
+	mutex_unlock(&event_mutex);
+
+	return ret;
+}
+
+/*
+ * Validates the user payload and writes via iterator.
+ */
+static ssize_t user_events_write_core(struct file *file, struct iov_iter *i)
+{
+	struct user_event_refs *refs;
+	struct user_event *user = NULL;
+	struct tracepoint *tp;
+	ssize_t ret = i->count;
+	int idx;
+
+	if (unlikely(copy_from_iter(&idx, sizeof(idx), i) != sizeof(idx)))
+		return -EFAULT;
+
+	rcu_read_lock_sched();
+
+	refs = rcu_dereference_sched(file->private_data);
+
+	if (likely(refs && idx < refs->count))
+		user = refs->events[idx];
+
+	rcu_read_unlock_sched();
+
+	if (unlikely(user == NULL))
+		return -ENOENT;
+
+	tp = &user->tracepoint;
+
+	if (likely(atomic_read(&tp->key.enabled) > 0)) {
+		struct tracepoint_func *probe_func_ptr;
+		user_event_func_t probe_func;
+		void *tpdata;
+		void *kdata;
+		u32 datalen;
+
+		kdata = kmalloc(i->count, GFP_KERNEL);
+
+		if (unlikely(!kdata))
+			return -ENOMEM;
+
+		datalen = copy_from_iter(kdata, i->count, i);
+
+		rcu_read_lock_sched();
+
+		probe_func_ptr = rcu_dereference_sched(tp->funcs);
+
+		if (probe_func_ptr) {
+			do {
+				probe_func = probe_func_ptr->func;
+				tpdata = probe_func_ptr->data;
+				probe_func(user, kdata, datalen, tpdata);
+			} while ((++probe_func_ptr)->func);
+		}
+
+		rcu_read_unlock_sched();
+
+		kfree(kdata);
+	}
+
+	return ret;
+}
+
+static ssize_t user_events_write(struct file *file, const char __user *ubuf,
+				 size_t count, loff_t *ppos)
+{
+	struct iovec iov;
+	struct iov_iter i;
+
+	if (unlikely(*ppos != 0))
+		return -EFAULT;
+
+	if (unlikely(import_single_range(READ, (char *)ubuf, count, &iov, &i)))
+		return -EFAULT;
+
+	return user_events_write_core(file, &i);
+}
+
+static ssize_t user_events_write_iter(struct kiocb *kp, struct iov_iter *i)
+{
+	return user_events_write_core(kp->ki_filp, i);
+}
+
+static int user_events_ref_add(struct file *file, struct user_event *user)
+{
+	struct user_event_refs *refs, *new_refs;
+	int i, size, count = 0;
+
+	rcu_read_lock_sched();
+	refs = rcu_dereference_sched(file->private_data);
+	rcu_read_unlock_sched();
+
+	if (refs) {
+		count = refs->count;
+
+		for (i = 0; i < count; ++i)
+			if (refs->events[i] == user)
+				return i;
+	}
+
+	size = sizeof(*refs) + (sizeof(struct user_event *) * (count + 1));
+
+	new_refs = kzalloc(size, GFP_KERNEL);
+
+	if (!new_refs)
+		return -ENOMEM;
+
+	new_refs->count = count + 1;
+
+	for (i = 0; i < count; ++i)
+		new_refs->events[i] = refs->events[i];
+
+	new_refs->events[i] = user;
+
+	atomic_inc(&user->refcnt);
+
+	rcu_assign_pointer(file->private_data, new_refs);
+
+	if (refs)
+		kfree_rcu(refs, rcu);
+
+	return i;
+}
+
+static long user_reg_get(struct user_reg __user *ureg, struct user_reg *kreg)
+{
+	u32 size;
+	long ret;
+
+	ret = get_user(size, &ureg->size);
+
+	if (ret)
+		return ret;
+
+	if (size > PAGE_SIZE)
+		return -E2BIG;
+
+	return copy_struct_from_user(kreg, sizeof(*kreg), ureg, size);
+}
+
+/*
+ * Registers a user_event on behalf of a user process.
+ */
+static long user_events_ioctl_reg(struct file *file, unsigned long uarg)
+{
+	struct user_reg __user *ureg = (struct user_reg __user *)uarg;
+	struct user_reg reg;
+	struct user_event *user;
+	char *name;
+	long ret;
+
+	ret = user_reg_get(ureg, &reg);
+
+	if (ret)
+		return ret;
+
+	name = strndup_user((const char __user *)(uintptr_t)reg.name_args,
+			    MAX_EVENT_DESC);
+
+	if (IS_ERR(name)) {
+		ret = PTR_ERR(name);
+		return ret;
+	}
+
+	ret = user_event_parse_cmd(name, &user);
+
+	if (ret < 0)
+		return ret;
+
+	ret = user_events_ref_add(file, user);
+
+	if (ret < 0)
+		return ret;
+
+	put_user((u32)ret, &ureg->write_index);
+	put_user(user->index, &ureg->status_index);
+
+	return 0;
+}
+
+/*
+ * Deletes a user_event on behalf of a user process.
+ */
+static long user_events_ioctl_del(struct file *file, unsigned long uarg)
+{
+	void __user *ubuf = (void __user *)uarg;
+	char *name;
+	long ret;
+
+	name = strndup_user(ubuf, MAX_EVENT_DESC);
+
+	if (IS_ERR(name))
+		return PTR_ERR(name);
+
+	ret = delete_user_event(name);
+
+	kfree(name);
+
+	return ret;
+}
+
+/*
+ * Handles the ioctl from user mode to register or alter operations.
+ */
+static long user_events_ioctl(struct file *file, unsigned int cmd,
+			      unsigned long uarg)
+{
+	long ret = -ENOTTY;
+
+	switch (cmd) {
+	case DIAG_IOCSREG:
+		mutex_lock(&reg_mutex);
+		ret = user_events_ioctl_reg(file, uarg);
+		mutex_unlock(&reg_mutex);
+		break;
+
+	case DIAG_IOCSDEL:
+		mutex_lock(&reg_mutex);
+		ret = user_events_ioctl_del(file, uarg);
+		mutex_unlock(&reg_mutex);
+		break;
+	}
+
+	return ret;
+}
+
+/*
+ * Handles the final close of the file from user mode.
+ */
+static int user_events_release(struct inode *node, struct file *file)
+{
+	struct user_event_refs *refs;
+	struct user_event *user;
+	int i;
+
+	rcu_read_lock_sched();
+	refs = rcu_dereference_sched(file->private_data);
+	rcu_read_unlock_sched();
+
+	if (!refs)
+		goto out;
+
+	for (i = 0; i < refs->count; ++i) {
+		user = refs->events[i];
+
+		if (user)
+			atomic_dec(&user->refcnt);
+	}
+
+	kfree_rcu(refs, rcu);
+out:
+	return 0;
+}
+
+static const struct file_operations user_data_fops = {
+	.write = user_events_write,
+	.write_iter = user_events_write_iter,
+	.unlocked_ioctl	= user_events_ioctl,
+	.release = user_events_release,
+};
+
+/*
+ * Maps the shared page into the user process for checking if event is enabled.
+ */
+static int user_status_mmap(struct file *file, struct vm_area_struct *vma)
+{
+	unsigned long size = vma->vm_end - vma->vm_start;
+
+	if (size != MAX_EVENTS)
+		return -EINVAL;
+
+	return remap_pfn_range(vma, vma->vm_start,
+			       virt_to_phys(register_page_data) >> PAGE_SHIFT,
+			       size, vm_get_page_prot(VM_READ));
+}
+
+static int user_status_show(struct seq_file *m, void *p)
+{
+	struct user_event *user;
+	char status;
+	int i, active = 0, busy = 0, flags;
+
+	mutex_lock(&reg_mutex);
+
+	hash_for_each(register_table, i, user, node) {
+		status = register_page_data[user->index];
+		flags = user->flags;
+
+		seq_printf(m, "%d:%s", user->index, EVENT_NAME(user));
+
+		if (flags != 0 || status != 0)
+			seq_puts(m, " #");
+
+		if (status != 0) {
+			seq_puts(m, " Used by");
+			if (status & EVENT_STATUS_FTRACE)
+				seq_puts(m, " ftrace");
+			if (status & EVENT_STATUS_PERF)
+				seq_puts(m, " perf");
+			if (status & EVENT_STATUS_OTHER)
+				seq_puts(m, " other");
+			busy++;
+		}
+
+		if (flags & FLAG_BPF_ITER)
+			seq_puts(m, " FLAG:BPF_ITER");
+
+		seq_puts(m, "\n");
+		active++;
+	}
+
+	mutex_unlock(&reg_mutex);
+
+	seq_puts(m, "\n");
+	seq_printf(m, "Active: %d\n", active);
+	seq_printf(m, "Busy: %d\n", busy);
+	seq_printf(m, "Max: %ld\n", MAX_EVENTS);
+
+	return 0;
+}
+
+static ssize_t user_status_read(struct file *file, char __user *ubuf,
+				size_t count, loff_t *ppos)
+{
+	/*
+	 * Delay allocation of seq data until requested, most callers
+	 * will never read the status file. They will only mmap.
+	 */
+	if (file->private_data == NULL) {
+		int ret;
+
+		if (*ppos != 0)
+			return -EINVAL;
+
+		ret = single_open(file, user_status_show, NULL);
+
+		if (ret)
+			return ret;
+	}
+
+	return seq_read(file, ubuf, count, ppos);
+}
+
+static loff_t user_status_seek(struct file *file, loff_t offset, int whence)
+{
+	if (file->private_data == NULL)
+		return 0;
+
+	return seq_lseek(file, offset, whence);
+}
+
+static int user_status_release(struct inode *node, struct file *file)
+{
+	if (file->private_data == NULL)
+		return 0;
+
+	return single_release(node, file);
+}
+
+static const struct file_operations user_status_fops = {
+	.mmap = user_status_mmap,
+	.read = user_status_read,
+	.llseek  = user_status_seek,
+	.release = user_status_release,
+};
+
+/*
+ * Creates a set of tracefs files to allow user mode interactions.
+ */
+static int create_user_tracefs(void)
+{
+	struct dentry *edata, *emmap;
+
+	edata = tracefs_create_file("user_events_data", 0644, NULL,
+				    NULL, &user_data_fops);
+
+	if (!edata) {
+		pr_warn("Could not create tracefs 'user_events_data' entry\n");
+		goto err;
+	}
+
+	/* mmap with MAP_SHARED requires writable fd */
+	emmap = tracefs_create_file("user_events_status", 0644, NULL,
+				    NULL, &user_status_fops);
+
+	if (!emmap) {
+		tracefs_remove(edata);
+		pr_warn("Could not create tracefs 'user_events_mmap' entry\n");
+		goto err;
+	}
+
+	return 0;
+err:
+	return -ENODEV;
+}
+
+static void set_page_reservations(bool set)
+{
+	int page;
+
+	for (page = 0; page < MAX_PAGES; ++page) {
+		void *addr = register_page_data + (PAGE_SIZE * page);
+
+		if (set)
+			SetPageReserved(virt_to_page(addr));
+		else
+			ClearPageReserved(virt_to_page(addr));
+	}
+}
+
+static int __init trace_events_user_init(void)
+{
+	int ret;
+
+	/* Zero all bits beside 0 (which is reserved for failures) */
+	bitmap_zero(page_bitmap, MAX_EVENTS);
+	set_bit(0, page_bitmap);
+
+	register_page_data = kzalloc(MAX_EVENTS, GFP_KERNEL);
+
+	if (!register_page_data)
+		return -ENOMEM;
+
+	set_page_reservations(true);
+
+	ret = create_user_tracefs();
+
+	if (ret) {
+		pr_warn("user_events could not register with tracefs\n");
+		set_page_reservations(false);
+		kfree(register_page_data);
+		return ret;
+	}
+
+	if (dyn_event_register(&user_event_dops))
+		pr_warn("user_events could not register with dyn_events\n");
+
+	return 0;
+}
+
+fs_initcall(trace_events_user_init);