From: Linus Torvalds
Date: Wed, 13 May 2020 16:20:17 -0700
Subject: Re: clean up and streamline probe_kernel_* and friends v2
To: Daniel Borkmann
Cc: Christoph Hellwig, "the arch/x86 maintainers", Alexei Starovoitov, Masami Hiramatsu, Andrew Morton, linux-parisc@vger.kernel.org, linux-um, Netdev, bpf@vger.kernel.org, Linux-MM, Linux Kernel Mailing List
In-Reply-To: <10c58b09-5ece-e49f-a7c8-2aa6dfd22fb4@iogearbox.net>

On Wed, May 13, 2020 at 4:04 PM Daniel Borkmann wrote:
>
> Aside from comments on list, the series looks reasonable to me. For BPF
> the bpf_probe_read() helper would be slightly penalized for probing user
> memory given we now test on copy_from_kernel_nofault() first and if that
> fails only then fall back to copy_from_user_nofault(),

Again, no.

If you can't tell that one or the other is always the right thing,
then that function is simply buggy and wrong.

On sparc and on s390, address X can be _both_ a kernel address and a
user address. You need to specify which it is (by using the proper
function). The whole "try one first, then the other" doesn't work.
They may both "work", and by virtue of that, unless you can state
"yes, we always want user space" or "yes, we always want kernel", that
"try one or the other" isn't valid.

And it can be a real security issue. If a user program can be made to
read kernel memory when BPF validated things as a user pointer, it's
an obvious security issue.

But it can be a security issue the other way around too: if the BPF
code expects to get a kernel string, but user space can fool it into
reading a user string instead by mapping something of its own into the
user space address that aliases the kernel space address, then you can
presumably fool the BPF program to do bad things too (eg mess up any
BPF packet switching routines?).

So BPF really really really needs to specify which one it is. Not
specifying it and saying "whichever" is a bug, and a security issue.

             Linus
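
Added example (not part of the original message and not kernel code): a user-space C model of the address-space ambiguity described above, showing which space actually serves a read when the "kernel first, then user" fallback is used versus an explicit accessor. The `sim_*` functions, the `machine` struct and the sample addresses and strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: kernel and user space are separate address spaces, so the
 * same numeric address can be valid in both (the sparc/s390 case). */
struct mapping { unsigned long base; size_t len; const char *data; };
struct machine { struct mapping kernel, user; };

static int copy_from(const struct mapping *m, void *dst, unsigned long addr, size_t n)
{
    if (addr < m->base || n > m->len || addr - m->base > m->len - n)
        return -1;                              /* models -EFAULT */
    memcpy(dst, m->data + (addr - m->base), n);
    return 0;
}

/* Hypothetical sim_* stand-ins for the two explicit kernel helpers. */
int sim_copy_from_kernel_nofault(const struct machine *mc, void *dst, unsigned long a, size_t n)
{ return copy_from(&mc->kernel, dst, a, n); }
int sim_copy_from_user_nofault(const struct machine *mc, void *dst, unsigned long a, size_t n)
{ return copy_from(&mc->user, dst, a, n); }

/* The criticised pattern: kernel first, user only if that faults. */
int sim_probe_read_either(const struct machine *mc, void *dst, unsigned long a, size_t n)
{
    if (sim_copy_from_kernel_nofault(mc, dst, a, n) == 0)
        return 0;
    return sim_copy_from_user_nofault(mc, dst, a, n);
}

/* Returns which space served the read: 'K', 'U', or 'F' for a fault. */
char served_by(int (*rd)(const struct machine *, void *, unsigned long, size_t),
               const struct machine *mc, unsigned long addr)
{
    char buf[8];
    if (rd(mc, buf, addr, sizeof buf) != 0)
        return 'F';
    return memcmp(buf, mc->kernel.data, sizeof buf) == 0 ? 'K' : 'U';
}

/* Both spaces map 0x1000; the caller validated it as a user pointer. */
const struct machine aliased = { {0x1000, 8, "KSECRET"}, {0x1000, 8, "userbuf"} };
/* Only user space maps 0x1000; the caller expected a kernel string there. */
const struct machine user_only = { {0x8000, 8, "kstring"}, {0x1000, 8, "spoofed"} };
int main(void)
{
    printf("aliased,   either: %c\n", served_by(sim_probe_read_either, &aliased, 0x1000));
    printf("user_only, either: %c\n", served_by(sim_probe_read_either, &user_only, 0x1000));
    return 0;
}
```

With the explicit accessors the same two cases return the user buffer and a fault respectively, which is the behaviour the caller's validation assumed.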