From: Stephen Brennan <stephen.s.brennan@oracle.com>
To: Masami Hiramatsu <mhiramat@kernel.org>, Guo Ren <guoren@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Huacai Chen <chenhuacai@kernel.org>,
WANG Xuerui <kernel@xen0n.name>,
"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
Helge Deller <deller@gmx.de>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
"Aneesh Kumar K.V" <aneesh.kumar@kernel.org>,
"Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
linux-csky@vger.kernel.org, loongarch@lists.linux.dev,
linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org
Subject: Re: [PATCH v3] kprobe/ftrace: bail out if ftrace was killed
Date: Wed, 15 May 2024 15:18:08 -0700 [thread overview]
Message-ID: <87r0e2pvmn.fsf@oracle.com> (raw)
In-Reply-To: <20240502110348.016f190e0b0565b7e9ecdb48@kernel.org>
Masami Hiramatsu (Google) <mhiramat@kernel.org> writes:
> On Thu, 2 May 2024 01:35:16 +0800
> Guo Ren <guoren@kernel.org> wrote:
>
>> On Thu, May 2, 2024 at 12:30 AM Stephen Brennan
>> <stephen.s.brennan@oracle.com> wrote:
>> >
>> > If an error happens in ftrace, ftrace_kill() will prevent disarming
>> > kprobes. Eventually, the ftrace_ops associated with the kprobes will be
>> > freed, yet the kprobes will still be active, and when triggered, they
>> > will use the freed memory, likely resulting in a page fault and panic.
>> >
>> > This behavior can be reproduced quite easily, by creating a kprobe and
>> > then triggering a ftrace_kill(). For simplicity, we can simulate an
>> > ftrace error with a kernel module like [1]:
>> >
>> > [1]: https://github.com/brenns10/kernel_stuff/tree/master/ftrace_killer
>> >
>> > sudo perf probe --add commit_creds
>> > sudo perf trace -e probe:commit_creds
>> > # In another terminal
>> > make
>> > sudo insmod ftrace_killer.ko # calls ftrace_kill(), simulating bug
>> > # Back to perf terminal
>> > # ctrl-c
>> > sudo perf probe --del commit_creds
>> >
>> > After a short period, a page fault and panic would occur as the kprobe
>> > continues to execute and uses the freed ftrace_ops. While ftrace_kill()
>> > is supposed to be used only in extreme circumstances, it is invoked in
>> > FTRACE_WARN_ON() and so there are many places where an unexpected bug
>> > could be triggered, yet the system may continue operating, possibly
>> > without the administrator noticing. If ftrace_kill() does not panic the
>> > system, then we should do everything we can to continue operating,
>> > rather than leave a ticking time bomb.
>> >
>> > Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
>> > ---
>> > Changes in v3:
>> > Don't expose ftrace_is_dead(). Create a "kprobe_ftrace_disabled"
>> > variable and check it directly in the kprobe handlers.
>> > Link to v1/v2 discussion:
>> > https://lore.kernel.org/all/20240426225834.993353-1-stephen.s.brennan@oracle.com/
>> >
>> > arch/csky/kernel/probes/ftrace.c | 3 +++
>> > arch/loongarch/kernel/ftrace_dyn.c | 3 +++
>> > arch/parisc/kernel/ftrace.c | 3 +++
>> > arch/powerpc/kernel/kprobes-ftrace.c | 3 +++
>> > arch/riscv/kernel/probes/ftrace.c | 3 +++
>> > arch/s390/kernel/ftrace.c | 3 +++
>> > arch/x86/kernel/kprobes/ftrace.c | 3 +++
>> > include/linux/kprobes.h | 7 +++++++
>> > kernel/kprobes.c | 6 ++++++
>> > kernel/trace/ftrace.c | 1 +
>> > 10 files changed, 35 insertions(+)
>> >
>> > diff --git a/arch/csky/kernel/probes/ftrace.c b/arch/csky/kernel/probes/ftrace.c
>> > index 834cffcfbce3..7ba4b98076de 100644
>> > --- a/arch/csky/kernel/probes/ftrace.c
>> > +++ b/arch/csky/kernel/probes/ftrace.c
>> > @@ -12,6 +12,9 @@ void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
>> > struct kprobe_ctlblk *kcb;
>> > struct pt_regs *regs;
>> >
>> > + if (unlikely(kprobe_ftrace_disabled))
>> > + return;
>> > +
>> For csky part.
>> Acked-by: Guo Ren <guoren@kernel.org>
>
> Thanks Stephen, Guo and Steve!
>
> Let me pick this to probes/for-next!
Thank you Masami!
I did want to check, is this the correct git tree to be watching?
https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git/log/?h=probes/for-next
( I'm not trying to pressure on timing, as I know the merge window is
hectic. Just making sure I'm watching the correct place! )
Thanks,
Stephen
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Brennan <stephen.s.brennan@oracle.com>
To: Masami Hiramatsu <mhiramat@kernel.org>, Guo Ren <guoren@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Huacai Chen <chenhuacai@kernel.org>,
WANG Xuerui <kernel@xen0n.name>,
"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
Helge Deller <deller@gmx.de>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
"Aneesh Kumar K.V" <aneesh.kumar@kernel.org>,
"Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
linux-csky@vger.kernel.org, loongarch@lists.linux.dev,
linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org
Subject: Re: [PATCH v3] kprobe/ftrace: bail out if ftrace was killed
Date: Wed, 15 May 2024 15:18:08 -0700 [thread overview]
Message-ID: <87r0e2pvmn.fsf@oracle.com> (raw)
In-Reply-To: <20240502110348.016f190e0b0565b7e9ecdb48@kernel.org>
Masami Hiramatsu (Google) <mhiramat@kernel.org> writes:
> On Thu, 2 May 2024 01:35:16 +0800
> Guo Ren <guoren@kernel.org> wrote:
>
>> On Thu, May 2, 2024 at 12:30 AM Stephen Brennan
>> <stephen.s.brennan@oracle.com> wrote:
>> >
>> > If an error happens in ftrace, ftrace_kill() will prevent disarming
>> > kprobes. Eventually, the ftrace_ops associated with the kprobes will be
>> > freed, yet the kprobes will still be active, and when triggered, they
>> > will use the freed memory, likely resulting in a page fault and panic.
>> >
>> > This behavior can be reproduced quite easily, by creating a kprobe and
>> > then triggering a ftrace_kill(). For simplicity, we can simulate an
>> > ftrace error with a kernel module like [1]:
>> >
>> > [1]: https://github.com/brenns10/kernel_stuff/tree/master/ftrace_killer
>> >
>> > sudo perf probe --add commit_creds
>> > sudo perf trace -e probe:commit_creds
>> > # In another terminal
>> > make
>> > sudo insmod ftrace_killer.ko # calls ftrace_kill(), simulating bug
>> > # Back to perf terminal
>> > # ctrl-c
>> > sudo perf probe --del commit_creds
>> >
>> > After a short period, a page fault and panic would occur as the kprobe
>> > continues to execute and uses the freed ftrace_ops. While ftrace_kill()
>> > is supposed to be used only in extreme circumstances, it is invoked in
>> > FTRACE_WARN_ON() and so there are many places where an unexpected bug
>> > could be triggered, yet the system may continue operating, possibly
>> > without the administrator noticing. If ftrace_kill() does not panic the
>> > system, then we should do everything we can to continue operating,
>> > rather than leave a ticking time bomb.
>> >
>> > Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
>> > ---
>> > Changes in v3:
>> > Don't expose ftrace_is_dead(). Create a "kprobe_ftrace_disabled"
>> > variable and check it directly in the kprobe handlers.
>> > Link to v1/v2 discussion:
>> > https://lore.kernel.org/all/20240426225834.993353-1-stephen.s.brennan@oracle.com/
>> >
>> > arch/csky/kernel/probes/ftrace.c | 3 +++
>> > arch/loongarch/kernel/ftrace_dyn.c | 3 +++
>> > arch/parisc/kernel/ftrace.c | 3 +++
>> > arch/powerpc/kernel/kprobes-ftrace.c | 3 +++
>> > arch/riscv/kernel/probes/ftrace.c | 3 +++
>> > arch/s390/kernel/ftrace.c | 3 +++
>> > arch/x86/kernel/kprobes/ftrace.c | 3 +++
>> > include/linux/kprobes.h | 7 +++++++
>> > kernel/kprobes.c | 6 ++++++
>> > kernel/trace/ftrace.c | 1 +
>> > 10 files changed, 35 insertions(+)
>> >
>> > diff --git a/arch/csky/kernel/probes/ftrace.c b/arch/csky/kernel/probes/ftrace.c
>> > index 834cffcfbce3..7ba4b98076de 100644
>> > --- a/arch/csky/kernel/probes/ftrace.c
>> > +++ b/arch/csky/kernel/probes/ftrace.c
>> > @@ -12,6 +12,9 @@ void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
>> > struct kprobe_ctlblk *kcb;
>> > struct pt_regs *regs;
>> >
>> > + if (unlikely(kprobe_ftrace_disabled))
>> > + return;
>> > +
>> For csky part.
>> Acked-by: Guo Ren <guoren@kernel.org>
>
> Thanks Stephen, Guo and Steve!
>
> Let me pick this to probes/for-next!
Thank you Masami!
I did want to check, is this the correct git tree to be watching?
https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git/log/?h=probes/for-next
( I'm not trying to pressure on timing, as I know the merge window is
hectic. Just making sure I'm watching the correct place! )
Thanks,
Stephen
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Brennan <stephen.s.brennan@oracle.com>
To: Masami Hiramatsu <mhiramat@kernel.org>, Guo Ren <guoren@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
x86@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>,
"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
linux-csky@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
WANG Xuerui <kernel@xen0n.name>,
linux-s390@vger.kernel.org, Helge Deller <deller@gmx.de>,
Huacai Chen <chenhuacai@kernel.org>,
"Aneesh Kumar K.V" <aneesh.kumar@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Vasily Gorbik <gor@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
Nicholas Piggin <npiggin@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Steven Rostedt <rostedt@goodmis.org>,
loongarch@lists.linux.dev,
Paul Walmsley <paul.walmsley@sifive.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-parisc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-riscv@lists.infradead.org,
Palmer Dabbelt <palmer@dabbelt.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
linux-tra ce-kernel@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v3] kprobe/ftrace: bail out if ftrace was killed
Date: Wed, 15 May 2024 15:18:08 -0700 [thread overview]
Message-ID: <87r0e2pvmn.fsf@oracle.com> (raw)
In-Reply-To: <20240502110348.016f190e0b0565b7e9ecdb48@kernel.org>
Masami Hiramatsu (Google) <mhiramat@kernel.org> writes:
> On Thu, 2 May 2024 01:35:16 +0800
> Guo Ren <guoren@kernel.org> wrote:
>
>> On Thu, May 2, 2024 at 12:30 AM Stephen Brennan
>> <stephen.s.brennan@oracle.com> wrote:
>> >
>> > If an error happens in ftrace, ftrace_kill() will prevent disarming
>> > kprobes. Eventually, the ftrace_ops associated with the kprobes will be
>> > freed, yet the kprobes will still be active, and when triggered, they
>> > will use the freed memory, likely resulting in a page fault and panic.
>> >
>> > This behavior can be reproduced quite easily, by creating a kprobe and
>> > then triggering a ftrace_kill(). For simplicity, we can simulate an
>> > ftrace error with a kernel module like [1]:
>> >
>> > [1]: https://github.com/brenns10/kernel_stuff/tree/master/ftrace_killer
>> >
>> > sudo perf probe --add commit_creds
>> > sudo perf trace -e probe:commit_creds
>> > # In another terminal
>> > make
>> > sudo insmod ftrace_killer.ko # calls ftrace_kill(), simulating bug
>> > # Back to perf terminal
>> > # ctrl-c
>> > sudo perf probe --del commit_creds
>> >
>> > After a short period, a page fault and panic would occur as the kprobe
>> > continues to execute and uses the freed ftrace_ops. While ftrace_kill()
>> > is supposed to be used only in extreme circumstances, it is invoked in
>> > FTRACE_WARN_ON() and so there are many places where an unexpected bug
>> > could be triggered, yet the system may continue operating, possibly
>> > without the administrator noticing. If ftrace_kill() does not panic the
>> > system, then we should do everything we can to continue operating,
>> > rather than leave a ticking time bomb.
>> >
>> > Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
>> > ---
>> > Changes in v3:
>> > Don't expose ftrace_is_dead(). Create a "kprobe_ftrace_disabled"
>> > variable and check it directly in the kprobe handlers.
>> > Link to v1/v2 discussion:
>> > https://lore.kernel.org/all/20240426225834.993353-1-stephen.s.brennan@oracle.com/
>> >
>> > arch/csky/kernel/probes/ftrace.c | 3 +++
>> > arch/loongarch/kernel/ftrace_dyn.c | 3 +++
>> > arch/parisc/kernel/ftrace.c | 3 +++
>> > arch/powerpc/kernel/kprobes-ftrace.c | 3 +++
>> > arch/riscv/kernel/probes/ftrace.c | 3 +++
>> > arch/s390/kernel/ftrace.c | 3 +++
>> > arch/x86/kernel/kprobes/ftrace.c | 3 +++
>> > include/linux/kprobes.h | 7 +++++++
>> > kernel/kprobes.c | 6 ++++++
>> > kernel/trace/ftrace.c | 1 +
>> > 10 files changed, 35 insertions(+)
>> >
>> > diff --git a/arch/csky/kernel/probes/ftrace.c b/arch/csky/kernel/probes/ftrace.c
>> > index 834cffcfbce3..7ba4b98076de 100644
>> > --- a/arch/csky/kernel/probes/ftrace.c
>> > +++ b/arch/csky/kernel/probes/ftrace.c
>> > @@ -12,6 +12,9 @@ void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
>> > struct kprobe_ctlblk *kcb;
>> > struct pt_regs *regs;
>> >
>> > + if (unlikely(kprobe_ftrace_disabled))
>> > + return;
>> > +
>> For csky part.
>> Acked-by: Guo Ren <guoren@kernel.org>
>
> Thanks Stephen, Guo and Steve!
>
> Let me pick this to probes/for-next!
Thank you Masami!
I did want to check, is this the correct git tree to be watching?
https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git/log/?h=probes/for-next
( I'm not trying to pressure on timing, as I know the merge window is
hectic. Just making sure I'm watching the correct place! )
Thanks,
Stephen
next prev parent reply other threads:[~2024-05-15 22:19 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-01 16:29 [PATCH v3] kprobe/ftrace: bail out if ftrace was killed Stephen Brennan
2024-05-01 16:29 ` Stephen Brennan
2024-05-01 16:29 ` Stephen Brennan
2024-05-01 17:24 ` Steven Rostedt
2024-05-01 17:24 ` Steven Rostedt
2024-05-01 17:24 ` Steven Rostedt
2024-05-01 17:35 ` Guo Ren
2024-05-01 17:35 ` Guo Ren
2024-05-01 17:35 ` Guo Ren
2024-05-02 2:03 ` Masami Hiramatsu
2024-05-02 2:03 ` Masami Hiramatsu
2024-05-02 2:03 ` Masami Hiramatsu
2024-05-15 22:18 ` Stephen Brennan [this message]
2024-05-15 22:18 ` Stephen Brennan
2024-05-15 22:18 ` Stephen Brennan
2024-05-16 0:23 ` Masami Hiramatsu
2024-05-16 0:23 ` Masami Hiramatsu
2024-05-16 0:23 ` Masami Hiramatsu
2024-05-06 14:46 ` Christophe Leroy
2024-05-06 14:46 ` Christophe Leroy
2024-05-06 14:46 ` Christophe Leroy
2024-05-06 22:50 ` Steven Rostedt
2024-05-06 22:50 ` Steven Rostedt
2024-05-06 22:50 ` Steven Rostedt
2024-05-07 18:36 ` Stephen Brennan
2024-05-07 18:36 ` Stephen Brennan
2024-05-07 18:36 ` Stephen Brennan
2024-05-22 23:32 ` patchwork-bot+linux-riscv
2024-05-22 23:32 ` patchwork-bot+linux-riscv
2024-05-22 23:32 ` patchwork-bot+linux-riscv
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r0e2pvmn.fsf@oracle.com \
--to=stephen.s.brennan@oracle.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=agordeev@linux.ibm.com \
--cc=aneesh.kumar@kernel.org \
--cc=aou@eecs.berkeley.edu \
--cc=borntraeger@linux.ibm.com \
--cc=bp@alien8.de \
--cc=chenhuacai@kernel.org \
--cc=christophe.leroy@csgroup.eu \
--cc=dave.hansen@linux.intel.com \
--cc=deller@gmx.de \
--cc=gor@linux.ibm.com \
--cc=guoren@kernel.org \
--cc=hca@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=kernel@xen0n.name \
--cc=linux-csky@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=loongarch@lists.linux.dev \
--cc=mark.rutland@arm.com \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rostedt@goodmis.org \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.