From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751879AbdKLGuR (ORCPT ); Sun, 12 Nov 2017 01:50:17 -0500 Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:45766 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750862AbdKLGuO (ORCPT ); Sun, 12 Nov 2017 01:50:14 -0500 Subject: Re: [PATCH 1/2] bpf: add a bpf_override_function helper To: Ingo Molnar , Josef Bacik References: <1510086523-8859-1-git-send-email-josef@toxicpanda.com> <1510086523-8859-2-git-send-email-josef@toxicpanda.com> <20171110093459.w2pvo3ntkwbmgnha@gmail.com> <20171110171428.hrw5cpxy4sgzf7mn@destiny> <20171111081455.qx4rodxldofbzypb@gmail.com> CC: , , , , , , , , Josef Bacik From: Alexei Starovoitov Message-ID: <23fd1b7a-5c7d-8b11-adc5-7e6679b6e61e@fb.com> Date: Sun, 12 Nov 2017 14:49:22 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <20171111081455.qx4rodxldofbzypb@gmail.com> Content-Type: text/plain; charset="windows-1252"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [2620:10d:c094:180::1:a36d] X-ClientProxiedBy: HK2PR02CA0194.apcprd02.prod.outlook.com (2603:1096:201:21::30) To SN2PR15MB0974.namprd15.prod.outlook.com (2603:10b6:804:20::24) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7762d912-6b4c-4de4-3597-08d529998af2 X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603199);SRVR:SN2PR15MB0974; X-Microsoft-Exchange-Diagnostics: 1;SN2PR15MB0974;3:0BY+jBVJCdR7IDAlloFME4ERSn5xnPL3GMnwh5Oj0J6VRAdagwYDWfWmxpsbVZ+sjEiy6rj430ZZXt/csg0Vk4H+iqy6kcq9F77+j/HMFjizGDZr/LRE8vmtjsGmKxnjJbRXHL0M6AAPA6xFdJHk6zmHX9skYUEv2k+wHMjU7r/N2VFYMzNeKUYQrPUb5yeB+3KjfywrjdS1o9w7h3Pq6tbNr9nkj00r7aPzJ47Tr7O5hpd5WpHgH53ty7a2Qiq4;25:WnBeviyNt1pxymyeRKFnlPTuaHJXIOvovREbSnjRJKG+zvJplhiabPq+3wiS9BNr4QjuxsKZ0U7z/nzrgBh3Vpv5xtevZYHAEWYqXz25UkVYilUCVE1z1SsKaEPEVgiNIKgrAeGGyut6g6adNQjcKvxtMr+XXxmLXuV1VjB7SDCc6Sq4DoMZcXKfl016O+PMBdelzMBBbIAkAnVFidKdHr6XvIMma2p8XNbGvIefrJvIetTBKvFx3JJCNl9O47Ipc2/t1Vu4/foitYsX9oez6FOpswpTYSNY+Uw+ZdY9Ohud6JRKtSWzY+qcueoQaD7KJy72u76VZ9ZCIPJHPCzAww==;31:c2plAOXKi+r1ao2JNnJN2zD9+tJh77tsQ6znhH9xA6OaMhcVsyi4zsvrgDIeyaV4i/Z4f8Wc0nKhZBKIq2QzFQScwW4xAlX39vYaE+SyQ53WAyynQBxpxAXcWEXuK43UvQiJSLITJAvDwOSlrYjDL1LJGlJeiBgZvEArKczqd8bXnA0XB6vwx10kN6S1DCfYB/un8ra0YOLFNN2kQY4YEqtfK8FT//FR+Q/rbBc4V9U= X-MS-TrafficTypeDiagnostic: SN2PR15MB0974: X-Microsoft-Exchange-Diagnostics: 1;SN2PR15MB0974;20:y1m8BPrN5m2USS/lXO236dIkF+ZchTRBzTGr/elX3pO73dpdm3lLlErYVjTBJhXBwKskgjHanZjRwmLum1easzzIO6XO3403G+KyGpRxr11xxhgSfqEAF70YfFbdw/GlHKIBMVoUxSqyxB6UD+m4dKU961eY0uPGzgeB4qPNBzfXH9itr/DIVGSdzOJHFqOVcXAWKJkqhgtS9Mx6zY7V/CRxl4R0Ybaz+Vzm91GgtYkl+jhX7Oo46NP0StLu+bS46tNAKaLStsre2/Vc4VnVAX7hxKMf76GoKnQBTWAZgqQUwseavAV0H4GN4VskPillSf7wxg4jixRjmZdB0gMJYA/557+Vy4w9xRRA078WWWss3ZOl90z96UIExOIiTcAPQVwsHYQLtQPgUJesuCTj5feLGeJS05Slrl1hc+5xxeHUSyebbEVzy1LAHf27WuSlCy0TQmpqET9XZYMZu/qxjE/JYyuHjGF+gCM44ac68Upc4gD6hqYSf/GCSF1Uu2YY;4:NwqbcNk5zYMxz3H4aZQamnawmZ0lSZtP+V9eQuRxXFeaxq+1I+tGM7UWHBLj19TrdAv+X/TU6yGR10cpW5HwPLyox/8AcCArkBa0k8J/2JVjs9MPTo89z0VHSxYJyfOPbIDeKf1TJIjG6SC0wd8exq275cUBhixbgipuEgVs64NRW/USW2uaxHtT/CPiZEjhGjtWaZK/jxfUYgh0i7hTW1FmA2iQhPZFovrShspF32tUJDQXvEvPWKk36PfKzr35J7i6+NkZAy+in8LVGTSU+A== X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(11241501159)(6040450)(2401047)(5005006)(8121501046)(3002001)(10201501046)(3231022)(93006095)(93001095)(100000703101)(100105400095)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(20161123558100)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:SN2PR15MB0974;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:SN2PR15MB0974; X-Forefront-PRVS: 0489CFBAC9 X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(6009001)(376002)(346002)(189002)(199003)(24454002)(81166006)(229853002)(67846002)(305945005)(7736002)(25786009)(110136005)(81156014)(6116002)(8936002)(1706002)(230700001)(97736004)(2906002)(83506002)(6486002)(316002)(189998001)(58126008)(8676002)(68736007)(478600001)(53546010)(31696002)(23746002)(106356001)(36756003)(5660300001)(33646002)(6246003)(93886005)(105586002)(86362001)(65806001)(53936002)(50986999)(2950100002)(6666003)(64126003)(47776003)(65956001)(50466002)(54356999)(76176999)(31686004)(101416001)(4326008)(65826007)(42262002);DIR:OUT;SFP:1102;SCL:1;SRVR:SN2PR15MB0974;H:[IPv6:2620:10d:c0e1:1110::101f];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?Windows-1252?Q?1;SN2PR15MB0974;23:2V09c/lJzR8vyosXwX9rNb2Tz1vi6zz+2vQMf?= =?Windows-1252?Q?M4kjQ9A35hVQikVrqDlyT5I1noYXgVYnICkOT8YFekHzqCXMjlrv/Mgd?= =?Windows-1252?Q?Rx00kXjyvv2Lfhg6ftihm7Ig3Nol27pJ4PxjiUJn4LBPtERLXS4yCbeN?= =?Windows-1252?Q?oWOmjRpibLpcZc7L0btLWJCJR+LekgZNP6zq9uv+JPHGw9MRVWEU+PC8?= =?Windows-1252?Q?VLY/M5YGQLXLAWpA8rzz9lJc4A0hi5cKebsgCBNUmP7y+duPuHiog86A?= =?Windows-1252?Q?iJ2ETElH5o57yjwnfHk0O6ZrKD0ooYfP81DmN+tZ+JOY9HaayojCCwop?= =?Windows-1252?Q?OrUiNVh+GmKcvYaBOwHh2wc1FOp/80dlFQt3v/In3X9iWbPQfG2v/VvE?= =?Windows-1252?Q?VGdxCrKdsAnrgYnzdLZhGoCPUJ4a/ax9Jlj310gxGYblUW8Bx3HiaoFz?= =?Windows-1252?Q?T9+MFOxz5OupVh/uezprg5EtE0leJ3gDlqFr0hGDHflxAkgX5qve021q?= =?Windows-1252?Q?5REt83zLxlJZz4QddHt5gl0DlhrIsV9i+JgQdOcOtRY+MamWws03mPGW?= =?Windows-1252?Q?/TWcI+QPW3EUDImr8jI/pTuIdXYneBJn52/Ry52RNmhHNXD50NtRNym5?= =?Windows-1252?Q?+9HVFUPVaDf7H1M11eUEOuJ7TLIvVCZLnNxLIEADFacM3J72xu1fFVzC?= =?Windows-1252?Q?vrQC+mXVZsZujVNJL+nqWbrJxmYlB1eolBetweVd625f97Yr+Xf3lw54?= =?Windows-1252?Q?E3FatuWYT5hmqt9HqrA19ZhnikrM339wIgLT2B13tCI5yrWXemhPyuul?= =?Windows-1252?Q?r9FCN9KtEsMYpJA8OEu9w+BkZKYpeGJqBZD7DsdJiKJAez4wrLNQuMHH?= =?Windows-1252?Q?e0VbRC3/+knqav6MxEvafxCctUNXzJJd7cKdFD6hRLDngZCRSY8vbRWf?= =?Windows-1252?Q?tl454qwSBUH34QyuvZPeIqaW91Eb5ogq913WnOvs+ikU8FHqqT9fqurc?= =?Windows-1252?Q?2DlP8jgcke8U+mfi57a5bjQ4BMtpDYpf76gf2MGzyXrp33G4ag5RSq1v?= =?Windows-1252?Q?UO/ldQzmc571CiYeuLij1ir2ZjIWC6PWGLS0Wp1XAd3LB+gWsl93LYI2?= =?Windows-1252?Q?yMWQ0sNgCPMqj9RUKOIIEsxPzc1qIX3OfCabNxZUr9bzygNGz2mfk/US?= =?Windows-1252?Q?O9RyUqpdjIwBTpjpLs7S0SkXSHsx47mC0sRFgb1JU51Ul4bJ9X0w8LjX?= =?Windows-1252?Q?8myYxU3RKzVT+d6kESQOmqKzKloZ0ld6TYUhp2lai4q0gRRJIV+Cge0j?= =?Windows-1252?Q?wiV7M0BImIIWpgIJ6sFwIAbEpl/pFyp6DhUffzNUB1X704jtwEuna0AD?= =?Windows-1252?Q?4pVg9c5pJgy?= X-Microsoft-Exchange-Diagnostics: 1;SN2PR15MB0974;6:uqiJlYnTdirjjN2ciiHRhUEJ/BAAf/QATSifC5lgm/2y3Au2ZdKG40bUII552zMG5mgn9u29HOO90hW2RCQcGrcHCQsGndrQ0IL9hXhChlZukWTsbRDVXyuTZ48yYtWRFyoWauHO8yxHX5XDHpLBv5gqc1Ts7gUJecqgCZq0jehH0dgJ8XTW3swchPHvHMvNuXBBbW/fFpDD8srZ5EYqCA4HjtKBExJkQV0eZIrLgo/ypqWGVtnW79/JjSSB3N6/o08uj4N56uTwsjF7Xebd3SdBY8vuncJQSLcQ3V82mPU3c10ZIuQRQQ7p4TRh26uh+CjQ2Ux4XueFJYsWXs4gH+TQ4p40987lA/sJYo6o7as=;5:YzTx5dytDUzNolysqp0ouSnw2EujCDvWXYcZaw/cSx7f4UgWuOrMH1bMfuLLVOWJYp1wFtC15Jbxa7c/ifi7lZGsmqYkMVCLW9qrYEEqDtt2itu+xVs/d+uaD0hiO+FVoXaUNo5ccCEeJSfj1hNJGZuGavbaLAEIGGJP6+4+G/I=;24:MF5K2tMnhYMmKlKh4RYPOZIijDlRr0qfw9vTdDwY051IASvj+uj2/JRO9EbAinl+2LbIPvA971KBhlNiwpcycRi4x4I0e82Gw1LTNTfZCZM=;7:FeqPrIXpKIB2aXxpHSI77h7qK8NdmsgSsKrYP2ykpvDDC+KplNhJgdFm1TfVo3pYs8qfIUN7aShNLnUL41qHg9ympl0XYtBS1tzO9NQCn2fkxKMX962Z1tTRBLNakPl2nbbnpskeAnH4cb2XbwYd5HSK/PyVRpeiHExDiepBu1yoBFSrolyzw+pCX5XUdk0XL3usELCsiK9CNpWcyRbjydb8eQHA6awKRrqpvIKs8VIhl40Lctz5F2LySoX0VvfD SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;SN2PR15MB0974;20:KBxRXgYx9cH1fZkDFV18zCJCMR58N8esiI56b4KfjUx+QKVlhoW0/XenCSX88d5Q97q4BPXO0hqqzhF1zWzT/pqcvI4zx1Hgt4L0VBnIvIqKSuft5U7LxdVTxqptHM1iEjsBLIT+5xGc1m/isfIhZadHLNIpkPgs7n20n8lmo6c= X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Nov 2017 06:49:35.3156 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 7762d912-6b4c-4de4-3597-08d529998af2 X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR15MB0974 X-OriginatorOrg: fb.com X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-11-12_02:,, signatures=0 X-Proofpoint-Spam-Reason: safe X-FB-Internal: Safe Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/11/17 4:14 PM, Ingo Molnar wrote: > > * Josef Bacik wrote: > >> On Fri, Nov 10, 2017 at 10:34:59AM +0100, Ingo Molnar wrote: >>> >>> * Josef Bacik wrote: >>> >>>> @@ -551,6 +578,10 @@ static const struct bpf_func_proto *kprobe_prog_func_proto(enum bpf_func_id func >>>> return &bpf_get_stackid_proto; >>>> case BPF_FUNC_perf_event_read_value: >>>> return &bpf_perf_event_read_value_proto; >>>> + case BPF_FUNC_override_return: >>>> + pr_warn_ratelimited("%s[%d] is installing a program with bpf_override_return helper that may cause unexpected behavior!", >>>> + current->comm, task_pid_nr(current)); >>>> + return &bpf_override_return_proto; >>> >>> So if this new functionality is used we'll always print this into the syslog? >>> >>> The warning is also a bit passive aggressive about informing the user: what >>> unexpected behavior can happen, what is the worst case? >>> >> >> It's modeled after the other warnings bpf will spit out, but with this feature >> you are skipping a function and instead returning some arbitrary value, so >> anything could go wrong if you mess something up. For instance I screwed up my >> initial test case and made every IO submitted return an error instead of just on >> the one file system I was attempting to test, so all sorts of hilarity ensued. > > Ok, then for the x86 bits: > > NAK-ed-by: Ingo Molnar > > One of the major advantages of having an in-kernel BPF sandbox is to never crash > the kernel - and allowing BPF programs to just randomly modify the return value of > kernel functions sounds immensely broken to me. > > (And yes, I realize that kprobes are used here as a vehicle, but the point > remains.) yeah. modifying arbitrary function return pushes bpf outside of its safety guarantees and in that sense doing the same override_return could be done from a kernel module if kernel provides the x64 side of the facility introduced by this patch. On the other side adding parts of this feature to the kernel only to be used by external kernel module is quite ugly too and not something that was ever done before. How about we restrict this bpf_override_return() only to the functions which callers expect to handle errors ? We can add something similar to NOKPROBE_SYMBOL(). Like ALLOW_RETURN_OVERRIDE() and on btrfs side mark the functions we're going to test with this feature. Then 'not crashing kernel' requirement will be preserved. btrfs or whatever else we will be testing with override_return will be functioning in 'stress test' mode and if bpf program is not careful and returns error all the time then one particular subsystem (like btrfs) will not be functional, but the kernel will not be crashing. Thoughts?