Kprobes: pre-handler with interrupts enabled - is it possible?

Kprobes: pre-handler with interrupts enabled - is it possible?

[Eugene Shatokhin]

Hi,


First of all, many thanks to the developers of Kprobes! I use both 
Kprobes and parts of their code a lot in my projects these days.

As far as I can see, the pre-handlers of Kprobes run with interrupts and 
preemption disabled on the given CPU, at least on x86 without Kprobe 
optimization.

Is it possible, however, to use Kprobes to somehow execute my code 
before a given instruction but with the same restrictions as the 
original instruction, at least, w.r.t. the interrupts?

I mean, if the instruction is executed with interrupts enabled, my code 
would also execute with interrupts enabled, etc.

If it is possible, how would you recommend to do that? Without patching 
the implementation of Kprobes, I mean.

Same for preemption, but, it seems, Kprobes really need it disabled, at 
least to be able to use kprobe_running() and other per-cpu data.

In RaceHound project I am now working on 
(https://github.com/winnukem/racehound/tree/rh_rework), the breakpoints 
are used to detect data races in the kernel code in runtime. Software 
breakpoints for the code, hardware breakpoints for the data that is 
about to be accessed.

However, to make it all work, the detector introduces delays before the 
instructions of interest. I could do this in Kprobes' pre-handlers but 
the interrupts would always be disabled on the current CPU during the 
delays, which is no good.

So far, I implemented it using software breakpoints directly, without 
Kprobes. The pre-handlers are executed then in the same context as the 
original instructions.

Still the implementation becomes more and more like Kprobes in some 
places over time. If there is a way to avoid reinventing the wheel and 
just use Kprobes, I would do that.

So, any ideas?

Regards,
Eugene

-- 
Eugene Shatokhin, ROSA
www.rosalab.com

Re: Kprobes: pre-handler with interrupts enabled - is it possible?

[Masami Hiramatsu]

Hello,

(2015/02/24 0:04), Eugene Shatokhin wrote:
> Hi,
> 
> 
> First of all, many thanks to the developers of Kprobes! I use both 
> Kprobes and parts of their code a lot in my projects these days.
> 
> As far as I can see, the pre-handlers of Kprobes run with interrupts and 
> preemption disabled on the given CPU, at least on x86 without Kprobe 
> optimization.

Even with kprobe optimization, I also disabled both since it must be
transparently optimized (this means both optimized/non-optiomized kprobes
have to have same behavior).
Note that x86 int3 trap handler automatically disables local interrupts.


> Is it possible, however, to use Kprobes to somehow execute my code 
> before a given instruction but with the same restrictions as the 
> original instruction, at least, w.r.t. the interrupts?

No, that is not allowed. I mean, you can do anything you want to do
on your handler (enabling preemption/irq etc.) but the result may be
not safe (it can crash your kernel, but it's not a kprobes' bug).

Actually, enable interrupts on kprobe handlers can cause reentering
kprobes (by kprobes on interrupt handlers), and currently kprobe skips
all those reentered kprobes.
Is it acceptable that some of your kprobe handlers are not fired when
hitting?

> I mean, if the instruction is executed with interrupts enabled, my code 
> would also execute with interrupts enabled, etc.
> 
> If it is possible, how would you recommend to do that? Without patching 
> the implementation of Kprobes, I mean.
> 
> Same for preemption, but, it seems, Kprobes really need it disabled, at 
> least to be able to use kprobe_running() and other per-cpu data.
> 
> In RaceHound project I am now working on 
> (https://github.com/winnukem/racehound/tree/rh_rework), the breakpoints 
> are used to detect data races in the kernel code in runtime. Software 
> breakpoints for the code, hardware breakpoints for the data that is 
> about to be accessed.
> 
> However, to make it all work, the detector introduces delays before the 
> instructions of interest. I could do this in Kprobes' pre-handlers but 
> the interrupts would always be disabled on the current CPU during the 
> delays, which is no good.

Would you mean sleep on your handler?? No, that is NOT possible. We are
in an exception context, that must not be preempted nor sleep.
How long you need to add delay? Can you use cpu_relax busy loops on it?

> So far, I implemented it using software breakpoints directly, without 
> Kprobes. The pre-handlers are executed then in the same context as the 
> original instructions.
> 
> Still the implementation becomes more and more like Kprobes in some 
> places over time. If there is a way to avoid reinventing the wheel and 
> just use Kprobes, I would do that.
> 
> So, any ideas?

As I said, I recommend you to use some kind of busy-loop wait for making
delays on it. Please don't try to enable irq.

Thank you,

> 
> Regards,
> Eugene
> 


-- 
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@hitachi.com

Re: Kprobes: pre-handler with interrupts enabled - is it possible?

[Eugene Shatokhin]

24.02.2015 06:47, Masami Hiramatsu пишет:
> No, that is not allowed. I mean, you can do anything you want to do
> on your handler (enabling preemption/irq etc.) but the result may be
> not safe (it can crash your kernel, but it's not a kprobes' bug).

Yes, that is why I am asking.

> Actually, enable interrupts on kprobe handlers can cause reentering
> kprobes (by kprobes on interrupt handlers), and currently kprobe skips
> all those reentered kprobes.
> Is it acceptable that some of your kprobe handlers are not fired when
> hitting?

I think, yes. When a software breakpoint hits, my system decodes the 
instruction, finds the address that is about to be accessed and tries to 
place a hardware breakpoint on that memory area.

There are only 4 hardware breakpoints a CPU can use on x86, so if the 
software breakpoint hits too often, the system will not be able to 
process all hits anyway because all HW breakpoints may be already in use.

> Would you mean sleep on your handler??

No, I use mdelay(). It is, in essence, a busy-wait loop as far as I 
know. The delay intervals may vary, the default is 5 jiffies.

Regards,
Eugene

-- 
Eugene Shatokhin, ROSA
www.rosalab.com

Re: Re: Kprobes: pre-handler with interrupts enabled - is it possible?

[Masami Hiramatsu]

(2015/02/24 15:04), Eugene Shatokhin wrote:
> 24.02.2015 06:47, Masami Hiramatsu пишет:
>> No, that is not allowed. I mean, you can do anything you want to do
>> on your handler (enabling preemption/irq etc.) but the result may be
>> not safe (it can crash your kernel, but it's not a kprobes' bug).
> 
> Yes, that is why I am asking.
> 
>> Actually, enable interrupts on kprobe handlers can cause reentering
>> kprobes (by kprobes on interrupt handlers), and currently kprobe skips
>> all those reentered kprobes.
>> Is it acceptable that some of your kprobe handlers are not fired when
>> hitting?
> 
> I think, yes. When a software breakpoint hits, my system decodes the 
> instruction, finds the address that is about to be accessed and tries to 
> place a hardware breakpoint on that memory area.
> 
> There are only 4 hardware breakpoints a CPU can use on x86, so if the 
> software breakpoint hits too often, the system will not be able to 
> process all hits anyway because all HW breakpoints may be already in use.
> 
>> Would you mean sleep on your handler??
> 
> No, I use mdelay(). It is, in essence, a busy-wait loop as far as I 
> know. The delay intervals may vary, the default is 5 jiffies.

Hmm, here I couldn't understand. If mdelay() does busy-wait loop, why
would you like to enable irq??
Other code doesn't work on the core while waiting.

Thank you,


-- 
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@hitachi.com

Re: Kprobes: pre-handler with interrupts enabled - is it possible?

[Eugene Shatokhin]

Hi,

I am now working on an example to see if what I suggested earlier is
possible.

During this, I encountered a problem in Kprobes on x86 that prevents
placing them on the insns with %rip-relative addressing.

register_kprobe() returns -EINVAL in such cases because
__copy_instruction() returns 0 (arch/x86/kernel/kprobes/core.c). The
latter is due to the second call to kernel_insn_init() which zeroes the
struct insn instance, including insn.length.

I will send a patch shortly, please consider it for inclusion.

Regards,
Eugene

-- 
Eugene Shatokhin, ROSA
www.rosalab.com

Re: Kprobes: pre-handler with interrupts enabled - is it possible?

[Eugene Shatokhin]

Hello,

It took a while to properly implement the technique I wrote about 
earlier but I have prepared a working example. Initially, I did not 
reset the Kprobe properly and that caused difficult-to-debug problems. 
Anyway, it works now.

In this example, Kprobes are used to execute my functions before and 
after the insn of interest, in the same context as the insn w.r.t. the 
interrupts and the preemption. There are some drawbacks and tricky 
points, but still.

I tested this code on my simple modules as well as on the network 
drivers (atl1c, e1000e, e1000) in Ubuntu 14.04 and ROSA R5 (x86, both 32 
and 64-bit).

If you are interested, the source code is here: 
https://abf.io/spectre/kernel-examples#?path=kprobe_lite. Most of the 
logic is in module.c, the details are in Readme.txt.

I will try now to reimplement the relevant parts of our RaceHound system 
using the Kprobes and the technique from the example.

By the way, while working on that code, I found that Kprobes consider 
the following insns as not boostable (can_boost() in 
arch/x86/kernel/kprobes/core.c):

* opcodes c0, c1, d0 - d3 with ModRM.reg != 110(b): ROL, ROR, RCL, RCR, 
SHL/SAL, SHR, SAR (Grp 2-1A)
* opcodes f6 and f7 with ModRM.reg != 001(b): TEST, NOT, NEG, MUL, IMUL, 
DIV, IDIV (Grp 3-1A)
* opcodes fe and ff with ModRM.reg being 000(b) or 001(b): INC, DEC (Grp 
4-1A and 5-1A)
* opcode 0f c7 with ModRM.reg == 001(b): CMPXCHG8B, CMPXCHG16B.

Not sure why Kprobes do so.

Regards,
Eugene