From: Christoffer Dall <christoffer.dall@arm.com>
To: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 1/4] KVM: arm64: Forbid kprobing of the VHE world-switch code
Date: Fri, 1 Feb 2019 09:04:06 +0100 [thread overview]
Message-ID: <20190201080406.GR13482@e113682-lin.lund.arm.com> (raw)
In-Reply-To: <2711e333-bbe2-a207-604c-43c2c84cef38@arm.com>
On Thu, Jan 31, 2019 at 06:53:06PM +0000, James Morse wrote:
> Hey Christoffer,
>
> On 31/01/2019 08:08, Christoffer Dall wrote:
> > On Thu, Jan 24, 2019 at 04:32:54PM +0000, James Morse wrote:
> >> On systems with VHE the kernel and KVM's world-switch code run at the
> >> same exception level. Code that is only used on a VHE system does not
> >> need to be annotated as __hyp_text as it can reside anywhere in the
> >> kernel text.
> >>
> >> __hyp_text was also used to prevent kprobes from patching breakpoint
> >> instructions into this region, as this code runs at a different
> >> exception level. While this is no longer true with VHE, KVM still
> >> switches VBAR_EL1, meaning a kprobe's breakpoint executed in the
> >> world-switch code will cause a hyp-panic.
> >
> > Forgive potentially very stupid questions here, but:
> >
> > (1) Would it make sense to move the save/restore VBAR_EL1 to the last
> > possible moment, and would that actually allow kprobes to work for
> > the world-switch code, or does that just result in other weird
> > problems?
>
> This would work for taking the debug exception. But next kprobes wants to
> single-step the probed instruction in an out-of-line slot. I don't think we can
> do this if we've already configured the debug hardware for the guest.
> (If could at least turn single-step off when we return to guest-EL0, which
> guest-EL1 was single-stepping)
>
>
I suspected something like that, let's not go there.
> > (2) Are we sure that this catches every call path of every non-inlined
> > function called after switchign VBAR_EL1? Can kprobes only be
> > called on exported symbols, or can you (if you know the address
> > somehow) put a kprobe on a static function as well. If there are
> > any concerns in this area, we might want to consider (1) more
> > closely.
>
> Hmmm, good question. The blacklisting applies to whole symbols as seen by
> kallsyms, the compiler has no idea what is going on.
>
> If it chose not to inline something, it would be kprobe'able yes.
>
> __kprobes uses a section function-attribute instead. The gcc manual[0] doesn't
> say what happens when inline and the section attributes are used together. (or
> at least I couldn't find it)
>
> A quick experiment with gcc 8.2.0 shows adding __kprobes on the inlines gets
> discarded when they are inlined. I'm not sure how to trick the compiler into
> not-inlining it to see what happens, but adding 'noinline' to the header file
> causes it to duplicate the function everywhere, but puts it in the __kprobes
> section.
>
> (For KVM we could use the 'flatten' attribute, but that does say 'if possible'.
> Alternatively we can decorate all the inline helpers we know we use with
> __kprobes as a safety net.)
>
> I think this is a wider problem with kprobes.
>
Sounds like it. Probably in the "you did something crazy, and your
kernel is going to suffer from it" category.
Let's stick to your approach.
Thanks for the explanation.
Christoffer
next prev parent reply other threads:[~2019-02-01 8:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-24 16:32 [PATCH v2 0/4] Fix some KVM/HYP interactions with kprobes James Morse
2019-01-24 16:32 ` [PATCH v2 1/4] KVM: arm64: Forbid kprobing of the VHE world-switch code James Morse
2019-01-25 1:28 ` Masami Hiramatsu
2019-01-31 8:08 ` Christoffer Dall
2019-01-31 18:53 ` James Morse
2019-02-01 8:04 ` Christoffer Dall [this message]
2019-02-01 13:34 ` Marc Zyngier
2019-01-24 16:32 ` [PATCH v2 2/4] arm64: kprobe: Always blacklist the KVM " James Morse
2019-01-31 8:08 ` Christoffer Dall
2019-01-24 16:32 ` [PATCH v2 3/4] arm64: hyp-stub: Forbid kprobing of the hyp-stub James Morse
2019-01-31 8:04 ` Christoffer Dall
2019-02-01 12:02 ` James Morse
2019-01-24 16:32 ` [PATCH v2 4/4] arm64: hibernate: Clean the __hyp_text to PoC after resume James Morse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190201080406.GR13482@e113682-lin.lund.arm.com \
--to=christoffer.dall@arm.com \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marc.zyngier@arm.com \
--cc=mhiramat@kernel.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox