From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754483Ab3KEMfi (ORCPT ); Tue, 5 Nov 2013 07:35:38 -0500 Received: from mail7.hitachi.co.jp ([133.145.228.42]:50625 "EHLO mail7.hitachi.co.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753957Ab3KEMfg (ORCPT ); Tue, 5 Nov 2013 07:35:36 -0500 Message-ID: <5278E610.2010202@hitachi.com> Date: Tue, 05 Nov 2013 21:35:28 +0900 From: Masami Hiramatsu Organization: Hitachi, Ltd., Japan User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 MIME-Version: 1.0 To: Ingo Molnar Cc: Steven Rostedt , Ananth N Mavinakayanahalli , x86@kernel.org, lkml , =?UTF-8?B?VXdlIEtsZQ==?= =?UTF-8?B?aW5lLUvDtm5pZw==?= , Andrew Morton , Borislav Petkov Subject: Re: [PATCH -tip v2 3/3] [BUGFIX] kprobes: Prohibit probing on func_ptr_is_kernel_text References: <20131101112530.14657.87835.stgit@kbuild-fedora.novalocal> <20131101112537.14657.88496.stgit@kbuild-fedora.novalocal> <20131104210053.76c37210@gandalf.local.home> <20131105060901.GA29936@gmail.com> <5278973A.1010705@hitachi.com> <20131105070537.GA2007@gmail.com> <5278D89B.1070806@hitachi.com> In-Reply-To: <5278D89B.1070806@hitachi.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (2013/11/05 20:38), Masami Hiramatsu wrote: > (2013/11/05 16:05), Ingo Molnar wrote: >> >> * Masami Hiramatsu wrote: >> >>> (2013/11/05 15:09), Ingo Molnar wrote: >>>> >>>> * Steven Rostedt wrote: >>>> >>>>> On Fri, 01 Nov 2013 11:25:37 +0000 >>>>> Masami Hiramatsu wrote: >>>>> >>>>>> Prohibit probing on func_ptr_is_kernel_text(). >>>>>> Since the func_ptr_is_kernel_text() is called from >>>>>> notifier_call_chain() which is called from int3 handler, >>>>>> probing it may cause double int3 fault and kernel will >>>>>> reboot. >>>>>> >>>>>> This happenes when the kernel built with CONFIG_DEBUG_NOTIFIERS=y. >>>>>> >>>>>> Signed-off-by: Masami Hiramatsu >>>>>> Cc: Andrew Morton >>>>>> Cc: "Uwe Kleine-König" >>>>>> Cc: Borislav Petkov >>>>>> Cc: Ingo Molnar >>>>>> --- >>>>>> kernel/extable.c | 2 +- >>>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/kernel/extable.c b/kernel/extable.c >>>>>> index 832cb28..022fb25 100644 >>>>>> --- a/kernel/extable.c >>>>>> +++ b/kernel/extable.c >>>>>> @@ -129,7 +129,7 @@ int kernel_text_address(unsigned long addr) >>>>>> * pointer is part of the kernel text, we need to do some >>>>>> * special dereferencing first. >>>>>> */ >>>>>> -int func_ptr_is_kernel_text(void *ptr) >>>>>> +int nokprobe func_ptr_is_kernel_text(void *ptr) >>>>>> { >>>>>> unsigned long addr; >>>>>> addr = (unsigned long) dereference_function_descriptor(ptr); >>>>>> >>>>> >>>>> One thing I worry about the "nokprobe" annotation, is that it moves the >>>>> location of the function out of local. This function no exists in the >>>>> section with its users. Same with the debug functions in the other >>>>> patch. >>>> >>>> Well, it's a bit like noinline, that changes the position of the function >>>> as well. So it's not true that 'noxyz' attributes don't affect function >>>> placement - they often don't, but some do. >>>> >>>> The more important aspect is that 'noprobe' makes it really, really >>>> apparent what the tag is about, at first sight. >>>> >>>> _How_ the 'non probing' is achived is an implementational detail when >>>> kprobes are enabled: right now it puts a function into a separate section, >>>> but we could just a much build a list of function names and check against >>>> it at probe insertion time. >>> >>> Actually, kprobes already has it -- kprobes_blacklist. Currently the >>> list is manually maintained in kprobes.c separated from the function >>> definition. [...] >> >> Yes, I meant a list that is built automatically from the 'noprobe' >> annotations. > > Agreed. That makes maintenance work simple, and we can remove > ".kprobes.text" section. > >>> [...] I hope to build the list when the kernel build time if possible... >>> Would you have any idea to classify some annotated(but no side-effect) >>> functions? >> >> The macro magic I can think of would need to change the syntax of the >> function definition - for example that is how the SYSCALL_DEFINE*() macros >> work. > > Would you mean something like the below macro? :) > > NOKPROBE_SYMBOL(int, func_ptr_is_kernel_text)(void *ptr) > > which is expanded as; > > static struct nokprobe_entry __used > __nokprobe_entry_func_ptr_is_kernel_text = { > .name = "func_ptr_is_kernel_text" > }; > static struct kprobe_blacklist_entry __used > __attribute__((section("_nokprobe_list"))) > __p_nokprobe_entry_func_ptr_is_kernel_text = &__nokprobe_entry_func_ptr_is_kernel_text; > int func_ptr_is_kernel_text(void *ptr) > By the way, this method can be done in C file, but not in asm file. And there are many sensitive entries in the entry_*.S. I think we have two options. (A) keep the kprobes.text(or nokprobe.text) section for such assembler parts. (B) Put a starter symbol and end symbol in such region and make a list of symbols between them in build time by using nm. Anyway, until removing all __kprobes from kernel, we can not remove the kprobes.text section. So, at the first step I just try to introduce above macro and apply it to only the symbols in kprobes_blacklist. After that, I'll try to classify the real unsafe entries and apply the new macro. Eventually, I think I can remove all __kprobes. Thank you, -- Masami HIRAMATSU IT Management Research Dept. Linux Technology Center Hitachi, Ltd., Yokohama Research Laboratory E-mail: masami.hiramatsu.pt@hitachi.com