From: Oleg Nesterov <oleg@redhat.com>
To: Eyal Birger <eyal.birger@gmail.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Jiri Olsa <olsajiri@gmail.com>, Aleksa Sarai <cyphar@cyphar.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
linux-trace-kernel <linux-trace-kernel@vger.kernel.org>,
BPF-dev-list <bpf@vger.kernel.org>,
Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>, X86 ML <x86@kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
"rostedt@goodmis.org" <rostedt@goodmis.org>,
rafi@rbk.io, Shmulik Ladkani <shmulik.ladkani@gmail.com>
Subject: Re: Crash when attaching uretprobes to processes running in Docker
Date: Thu, 16 Jan 2025 15:39:57 +0100
Message-ID: <20250116143956.GD21801@redhat.com>
In-Reply-To: <CAHsH6Gtd5kYPife3hK+uKafjBMx=-23UzvQgnOnqNDzSZgHyqw@mail.gmail.com>

On 01/15, Eyal Birger wrote:
>
> On Wed, Jan 15, 2025 at 11:03 AM Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > On 01/15, Eyal Birger wrote:
> > >
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -1359,6 +1359,9 @@ int __secure_computing(const struct seccomp_data *sd)
> > > this_syscall = sd ? sd->nr :
> > > syscall_get_nr(current, current_pt_regs());
> > >
> > > + if (this_syscall == __NR_uretprobe)
> > > + return 0;
> > > +
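Review bot: The added `this_syscall == __NR_uretprobe` test returns 0 on the syscall number alone, with no guard for builds where `__NR_uretprobe` is not defined and no check of which syscall ABI the caller used. Suggest wrapping it in an arch-specific `#ifdef` and also requiring that the task is not making a compat syscall, since the same number can name a different syscall in another ABI's table. A one-line comment saying why this syscall is let through before any filter runs would help future readers of `__secure_computing()`.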
> >
> > Yes, this is what I meant. But we need the new arch-dependent helper.
>
> Do you mean because __NR_uretprobe is not defined for other architectures?

Yes, and see below,

> Is there an existing helper? I wasn't able to find one...

No,

> If not, would it just make sense to just wrap this check in
> #ifdef __NR_uretprobe ?

Given that we need a simple fix for -stable, I won't argue.
Up to seccomp maintainers.

But please note that this_syscall == __NR_uretprobe can be false
positive if is_compat_task().

__NR_uretprobe == __NR_ia32_rt_tgsigqueueinfo, so I guess we need

	#ifdef CONFIG_X86_64
	if (this_syscall == __NR_uretprobe && !in_ia32_syscall())
		return 0;
	#endif

I don't think we need to worry about the X86_X32 tasks...

Oleg.
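
Added example, not code from this thread or from the kernel: the same number collision seen from a seccomp filter author's side, with a number-only cBPF filter beside one that checks `seccomp_data.arch` first, both run through a small userspace evaluator. The value 335 for `__NR_uretprobe` and `__NR_ia32_rt_tgsigqueueinfo` is taken from the upstream syscall tables rather than from the message, and the filters, `NR_SHARED`, `DENY` and `run_filter` are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumed from the upstream syscall tables: 335 is uretprobe on x86_64 and
 * rt_tgsigqueueinfo on ia32, the equality the message points out. */
#define NR_SHARED 335
#define DENY SECCOMP_RET_KILL_PROCESS
#define LD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define JEQ(k, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), (jf))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))

/* Constructed filter with the flaw: the number alone decides. */
static const struct sock_filter nr_only[] = {
	LD(nr), JEQ(NR_SHARED, 0, 1), RET(SECCOMP_RET_ALLOW), RET(DENY),
};

/* Constructed filter: pin the ABI first, then judge the number. */
static const struct sock_filter arch_aware[] = {
	LD(arch), JEQ(AUDIT_ARCH_X86_64, 0, 3),
	LD(nr), JEQ(NR_SHARED, 0, 1), RET(SECCOMP_RET_ALLOW), RET(DENY),
};

/* Minimal userspace evaluator for the three cBPF opcodes used above. */
static __u32 run_filter(const struct sock_filter *f, size_t len, __u32 arch, int nr)
{
	struct seccomp_data sd = { .nr = nr, .arch = arch };
	__u32 acc = 0;

	for (size_t pc = 0; pc < len; pc++) {
		if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
			memcpy(&acc, (const char *)&sd + f[pc].k, sizeof(acc));
		else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
			pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
		else if (f[pc].code == (BPF_RET | BPF_K))
			return f[pc].k;
	}
	return DENY; /* ran off the end: fail closed */
}

int main(void)
{
	printf("nr-only,    ia32 caller: %#x\n", run_filter(nr_only, 4, AUDIT_ARCH_I386, NR_SHARED));
	printf("arch-aware, ia32 caller: %#x\n", run_filter(arch_aware, 6, AUDIT_ARCH_I386, NR_SHARED));
	return 0;
}
```

The number-only filter lets an ia32 caller's syscall 335 through as if it were uretprobe, while the arch-aware filter denies it and still allows the x86_64 call.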