Re: [PATCH 1/1] tracing, bpf: Implement function bpf_probe_write

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sargun Dhillon <sargun@sargun.me>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	Daniel Borkmann <daniel@iogearbox.net>
Subject: Re: [PATCH 1/1] tracing, bpf: Implement function bpf_probe_write
Date: Mon, 18 Jul 2016 03:57:17 -0700 (PDT)	[thread overview]
Message-ID: <alpine.DEB.2.02.1607180330330.5362@ircssh.c.rugged-nimbus-611.internal> (raw)
In-Reply-To: <20160718041105.GA36253@ast-mbp.thefacebook.com>



On Sun, 17 Jul 2016, Alexei Starovoitov wrote:

> On Sun, Jul 17, 2016 at 03:19:13AM -0700, Sargun Dhillon wrote:
>>
>> +static u64 bpf_copy_to_user(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
>> +{
>> +	void *to = (void *) (long) r1;
>> +	void *from = (void *) (long) r2;
>> +	int  size = (int) r3;
>> +
>> +	/* check if we're in a user context */
>> +	if (unlikely(in_interrupt()))
>> +		return -EINVAL;
>> +	if (unlikely(!current->pid))
>> +		return -EINVAL;
>> +
>> +	return copy_to_user(to, from, size);
>> +}
>
> thanks for the patch, unfortunately it's not that straightforward.
> copy_to_user might fault. Try enabling CONFIG_DEBUG_ATOMIC_SLEEP and
> you'll see the splat since bpf programs are protected by rcu.
> Also 'current' can be null and I'm not sure what current->pid does.
> So the writing to user memory either has to be verified to avoid
> sleeping and faults or we need to use something like task_work_add
> mechanism. Ideas are certainly welcome.
>
>
>From casual inspection, I can't find where current can be null when 
in_interrupt() is false. Although, we can check before dereferencing it. 
When not in a user context, the pid of the task struct returns 0.

As far as preventing sleep, would the following alteration do? Or do we 
actually need something more sophisticated?
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index be89c148..45878f3 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -86,14 +86,19 @@ static u64 bpf_copy_to_user(u64 r1, u64 r2, u64 r3, 
u64 r4, u64 r5)
         void *to = (void *) (long) r1;
         void *from = (void *) (long) r2;
         int  size = (int) r3;
+       struct task_struct *task = current;

         /* check if we're in a user context */
         if (unlikely(in_interrupt()))
                 return -EINVAL;
-       if (unlikely(!current->pid))
+       if (unlikely(!task || !task->pid))
                 return -EINVAL;

-       return copy_to_user(to, from, size);
+       /* Is this a user address, or a kernel address? */
+       if (!access_ok(VERIFY_WRITE, to, size))
+               return -EINVAL;
+
+       return probe_kernel_write(to, from, size);
  }

  static const struct bpf_func_proto bpf_copy_to_user_proto = {


probe_kernel_write doesn't block, and this will disallow BPF programs to 
write to kernel memory. This turns off the pagefault handler under the 
hood, unblocking us.

next prev parent reply	other threads:[~2016-07-18 10:57 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAMp4zn8ygXFg7kvjShm77zmK2dYVMY2zS8i2mUKwhbfXcyVyig@mail.gmail.com>
2016-07-13 17:08 ` [PATCH 1/1] tracing, bpf: Implement function bpf_probe_write Alexei Starovoitov
2016-07-13 20:31   ` Sargun Dhillon
2016-07-15  5:40     ` Alexei Starovoitov
2016-07-16  2:16       ` Sargun Dhillon
2016-07-16  2:30         ` Alexei Starovoitov
2016-07-17 10:19           ` Sargun Dhillon
2016-07-18  4:11             ` Alexei Starovoitov
2016-07-18 10:57               ` Sargun Dhillon [this message]
2016-07-19  6:13                 ` Alexei Starovoitov

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:be89c14 dfblob:45878f3 )
 OR (
bs:"Re: [PATCH 1/1] tracing, bpf: Implement function bpf_probe_write" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.02.1607180330330.5362@ircssh.c.rugged-nimbus-611.internal \
    --to=sargun@sargun.me \
    --cc=alexei.starovoitov@gmail.com \
    --cc=daniel@iogearbox.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).