Re: kprobes vs __ex_table[]

[Peter Zijlstra <peterz@infradead.org>]

On Sat, Feb 25, 2017 at 01:34:15AM +0900, Masami Hiramatsu wrote:
> > Ah, but that is only #PF, we also use __ex_table on other faults/traps,
> > like #GP which would need help in do_general_protection(),
> 
> #GP is also handled via kprobe_exceptions_notify().

Ah! that's where its hidden :-) Thanks!

> > It looks like it rewrites regs->ip, which would make return from fault
> > return to the wrong place, no?
> 
> Hmm, when regs->ip is reset to the original place, kprobe_fault_handler()
> returns 0 and normal #PF handler fixup pages etc. and retry from the
> original place. This might kick kprobes again and do singlestep.
> 
> So, yes, it may not enough for other faults if those will not only check
> regs->ip, but read the instruction pointed by regs->ip (as your patch).
> In that case you need to use recover_probed_instruction() instead of
> probe_kernel_address(). (BTW, recover_probed_instruction() uses memcpy()
> without checking kernel_text, it should use probe_kernel_address().)

> > One more complication with __ex_table and optimized kprobes is that we
> > need to be careful not to clobber __ex_table[].fixup. It would be very
> > bad if the optimized probe were to clobber the address we let the fixup
> > return to -- or that needs fixups too, _after_ running
> > __ex_table[].handler().
> 
> can_optimize() takes care about that case. If the probe target function
> (not only probed address) includes an exception address, it rejects
> optimizing probes.

Ah, so it does search_exception_tables(), which avoids clobbering actual
exception instructions, and most fixups live in .text.fixup and I cannot
actually find if that is excluded.

In any case, thanks for the pointers, I'll see if I can spot any actual
holes.