From: Ingo Molnar <mingo@kernel.org>
To: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>,
Sandeepa Prabhu <sandeepa.prabhu@linaro.org>,
x86@kernel.org, lkml <linux-kernel@vger.kernel.org>,
"Steven Rostedt (Red Hat)" <rostedt@goodmis.org>,
systemtap@sourceware.org, "David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH -tip v4 0/6] kprobes: introduce NOKPROBE_SYMBOL() and fixes crash bugs
Date: Thu, 12 Dec 2013 15:03:47 +0100 [thread overview]
Message-ID: <20131212140347.GA17059@gmail.com> (raw)
In-Reply-To: <52A9515E.5050505@hitachi.com>
* Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> wrote:
> (2013/12/11 22:34), Ingo Molnar wrote:
> >
> > * Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> wrote:
> >
> >>> So why are annotations needed at all? What can happen if an
> >>> annotation is missing and a piece of code is probed which is also
> >>> used by the kprobes code internally - do we crash, lock up,
> >>> misbehave or handle it safely?
> >>
> >> The kprobe has recursion detector, [...]
> >
> > It's the 'current_kprobe' percpu variable, checked via
> > kprobe_running(), right?
>
> Right. :)
So that recursion detection runs a bit late:
/*
* Interrupts are disabled on entry as trap3 is an interrupt gate and they
* remain disabled throughout this function.
*/
static int __kprobes kprobe_handler(struct pt_regs *regs)
{
kprobe_opcode_t *addr;
struct kprobe *p;
struct kprobe_ctlblk *kcb;
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
/*
* We don't want to be preempted for the entire
* duration of kprobe processing. We conditionally
* re-enable preemption at the end of this function,
* and also in reenter_kprobe() and setup_singlestep().
*/
preempt_disable();
kcb = get_kprobe_ctlblk();
p = get_kprobe(addr);
if (p) {
if (kprobe_running()) {
this flag should be checked first - the kprobe handler should already
run in non-preemptible context if it comes from an exception.
For that reason I don't understand the whole
preempt_disable()/enable() dance - it looks entirely superfluous to
me. The comment above the preempt_disable() looks mostly bogus.
( The flow of logic in the function is rather confusing as well -
lots of places return from the middle of the function - instead they
should have the usual 'goto out' kind of code pattern. )
> >> [...] but it is detected in the kprobe exception(int3) handler,
> >> this means that if we put a probe before detecting the recursion,
> >> we'll do an infinite recursion.
> >
> > So only the (presumably rather narrow) code path leading to the
> > recursion detection code has to be annotated, correct?
>
> Yes, correct.
So, another thing I find confusing is the whole kprobes notifier
block. Why doesn't it call back specific kprobes handlers, directly
from do_int3() and do_debug()? That's much more readable and it also
allows the kprobes code to go earlier in the handler, running its
recursion code earlier!
Another question I have here is: how does the kprobes code protect
against interrupts arriving in before the recursion check and running
a probe recursively?
> >> And also, even if we can detect the recursion, we can't stop the
> >> kernel, we need to skip the probe. This means that we need to
> >> recover to the main execution path by doing single step. As you
> >> may know, since the single stepping involves the debug exception,
> >> we have to avoid proving on that path too. Or we'll have an
> >> infinite recursion again.
> >
> > I don't see why this is needed: if a "probing is disabled"
> > recursion flag is set the moment the first probe fires, and if
> > it's only cleared once all processing is finished, then any
> > intermediate probes should simply return early from int3 and not
> > fire.
>
> No, because the int3 already changes the original instruction.
> This means that you cannot skip singlestep(or emulate) the
> instruction which is copied to execution buffer (ainsn->insn),
> even if you have such the flag.
> So, kprobe requires the annotations on the singlestep path.
I don't understand this reasoning.
Lets assume we allow a probe to be inserted in the single-step path.
Such a probe will be an INT3 instruction and if it hits we get a
recursive INT3 invocation. In that case the INT3 handler should simply
restore the original instruction and _leave it so_. There's no
single-stepping needed - the probe is confused and must be discarded.
Once the original instruction is restored we simply return from the
int3 exception and the single-step handling execution can continue.
This would be _way_ more robust as we wouldn't have to precisely
annotate anything but the very narrow int3 exception code path and the
'restore original instruction in case of recursion' code path.
Thanks,
Ingo
next prev parent reply other threads:[~2013-12-12 14:03 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-04 1:28 [PATCH -tip v4 0/6] kprobes: introduce NOKPROBE_SYMBOL() and fixes crash bugs Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 1/6] kprobes: Prohibit probing on .entry.text code Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 2/6] kprobes: Introduce NOKPROBE_SYMBOL() macro for blacklist Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 3/6] [BUGFIX] kprobes/x86: Prohibit probing on debug_stack_* Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 4/6] [BUGFIX] x86: Prohibit probing on native_set_debugreg Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 5/6] [BUGFIX] x86: Prohibit probing on thunk functions and restore Masami Hiramatsu
2013-12-04 1:28 ` [PATCH -tip v4 6/6] [RFC] kprobes/x86: Call exception handlers directly from do_int3/do_debug Masami Hiramatsu
2013-12-04 2:39 ` Steven Rostedt
2013-12-11 13:31 ` Jiri Kosina
2013-12-12 4:40 ` Masami Hiramatsu
2013-12-12 9:59 ` Jiri Kosina
2013-12-12 10:31 ` Masami Hiramatsu
2013-12-04 2:54 ` [PATCH -tip v4 0/6] kprobes: introduce NOKPROBE_SYMBOL() and fixes crash bugs Sandeepa Prabhu
2013-12-04 7:39 ` Masami Hiramatsu
2013-12-04 8:46 ` Sandeepa Prabhu
2013-12-04 23:32 ` Masami Hiramatsu
2013-12-04 8:45 ` Ingo Molnar
2013-12-04 23:27 ` Masami Hiramatsu
2013-12-05 10:21 ` Ingo Molnar
2013-12-06 2:34 ` Masami Hiramatsu
2013-12-10 15:28 ` Ingo Molnar
2013-12-11 2:12 ` Masami Hiramatsu
2013-12-11 13:34 ` Ingo Molnar
2013-12-12 6:02 ` Masami Hiramatsu
2013-12-12 14:03 ` Ingo Molnar [this message]
2013-12-12 20:42 ` Josh Stone
2013-12-13 5:34 ` Masami Hiramatsu
2013-12-13 6:06 ` Masami Hiramatsu
2013-12-16 10:53 ` Masami Hiramatsu
2013-12-05 13:08 ` Sandeepa Prabhu
2013-12-06 6:23 ` Masami Hiramatsu
2013-12-06 6:54 ` Sandeepa Prabhu
2013-12-06 23:25 ` Masami Hiramatsu
2013-12-05 14:49 ` Frank Ch. Eigler
2013-12-06 6:12 ` Masami Hiramatsu
2013-12-06 19:07 ` Frank Ch. Eigler
2013-12-06 23:19 ` Masami Hiramatsu
2013-12-07 1:32 ` Frank Ch. Eigler
2013-12-07 2:34 ` Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131212140347.GA17059@gmail.com \
--to=mingo@kernel.org \
--cc=ananth@in.ibm.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=masami.hiramatsu.pt@hitachi.com \
--cc=rostedt@goodmis.org \
--cc=sandeepa.prabhu@linaro.org \
--cc=systemtap@sourceware.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).