From: Alexei Starovoitov
Date: Thu, 10 Jun 2021 17:12:14 -0700
Subject: Re: [PATCH bpf-next 0/1] arm64: Add BPF exception tables
To: Ravi Bangoria
Cc: Daniel Borkmann, Alexei Starovoitov, Catalin Marinas, Will Deacon, Zi Shen Lim, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, John Fastabend, KP Singh, Jean-Philippe Brucker, linux-arm-kernel, bpf, "Naveen N. Rao"
References: <20200728152122.1292756-1-jean-philippe@linaro.org>
X-Mailing-List: bpf@vger.kernel.org

On Wed, Jun 9, 2021 at 5:05 AM Ravi Bangoria wrote:
>
> Hi Alexei,
>
> On 7/28/20 8:51 PM, Jean-Philippe Brucker wrote:
> > The following patch adds support for BPF_PROBE_MEM on arm64. The
> > implementation is simple but I wanted to give a bit of background first.
> > If you're familiar with recent BPF development you can skip to the patch
> > (or fact-check the following blurb).
> >
> > BPF programs used for tracing can inspect any of the traced function's
> > arguments and follow pointers in struct members. Traditionally the BPF
> > program would get a struct pt_regs as argument and cast the register
> > values to the appropriate struct pointer. The BPF verifier would mandate
> > that any memory access uses the bpf_probe_read() helper, to suppress
> > page faults (see samples/bpf/tracex1_kern.c).
> >
> > With BPF Type Format embedded into the kernel (CONFIG_DEBUG_INFO_BTF),
> > the verifier can now check the type of any access performed by a BPF
> > program. It rejects for example programs that cast to a different
> > structure and perform out-of-bounds accesses, or programs that attempt
> > to dereference something that isn't a pointer, or that hasn't gone
> > through a NULL check.
> >
> > As this makes tracing programs safer, the verifier now allows loading
> > programs that access struct members without bpf_probe_read(). It is
> > however still possible to trigger page faults. For example in the
> > following example with which I've tested this patch, the verifier does
> > not mandate a NULL check for the second-level pointer:
> >
> > 	/*
> > 	 * From tools/testing/selftests/bpf/progs/bpf_iter_task.c
> > 	 * dump_task() is called for each task.
> > 	 */
> > 	#include "bpf_iter.h"
> > 	#include <bpf/bpf_helpers.h>
> >
> > 	char _license[] SEC("license") = "GPL";
> >
> > 	SEC("iter/task")
> > 	int dump_task(struct bpf_iter__task *ctx)
> > 	{
> > 		struct seq_file *seq = ctx->meta->seq;
> > 		struct task_struct *task = ctx->task;
> >
> > 		/* Program would be rejected without this check */
> > 		if (task == NULL)
> > 			return 0;
> >
> > 		/*
> > 		 * However the verifier does not currently mandate
> > 		 * checking task->mm, and the following faults for kernel
> > 		 * threads.
> > 		 */
> > 		BPF_SEQ_PRINTF(seq, "pid=%d vm=%d", task->pid, task->mm->total_vm);
> > 		return 0;
> > 	}
> >
> > Even if it checked this case, the verifier couldn't guarantee that all
> > accesses are safe since kernel structures could in theory contain
> > garbage or error pointers. So to allow fast access without
> > bpf_probe_read(), a JIT implementation must support BPF exception
> > tables. For each access to a BTF pointer, the JIT generates an entry
> > into an exception table appended to the BPF program. If the access
> > faults at runtime, the handler skips the faulting instruction. The
> > example above will display vm=0 for kernel threads.
>
> I'm trying with the example above (task->mm->total_vm) on an x86 machine
> with bpf/master (11fc79fc9f2e3) plus commit 4c5de127598e1 ("bpf: Emit
> explicit NULL pointer checks for PROBE_LDX instructions.") *reverted*,
> and I'm seeing the app getting killed with an error in dmesg.
>
> $ sudo bpftool iter pin bpf_iter_task.o /sys/fs/bpf/task
> $ sudo cat /sys/fs/bpf/task
> Killed
>
> $ dmesg
> [ 188.810020] BUG: kernel NULL pointer dereference, address: 00000000000000c8
> [ 188.810030] #PF: supervisor read access in kernel mode
> [ 188.810034] #PF: error_code(0x0000) - not-present page
>
> IIUC, this should be handled by bpf exception table rather than killing
> the app. Am I missing anything?

For PROBE_LDX the verifier guarantees that the address is either a very
likely valid kernel address or NULL. On x86 the user and kernel address
spaces are shared and NULL is a user address, so there cannot be an
exception table for NULL. Hence the x86-64 JIT inserts a NULL check when
it converts PROBE_LDX into a load insn.
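The two mechanisms this thread contrasts, as an added example that is not part of the thread and not kernel or BPF JIT code: a user-space model of a BPF_PROBE_MEM load backed by an exception table (Jean-Philippe's description: one table entry per probe load, and a faulting load is skipped with its destination set to 0), and the explicit NULL check Alexei says the x86-64 JIT emits in front of the dependent load. It assumes x86-64 Linux with glibc and a GNU-style toolchain (gas local labels, linker-provided __start_/__stop_ section symbols). The fault arrives as SIGSEGV and is fixed up by editing the saved register state in the handler, which stands in for what the kernel's page-fault path does with the JIT's table; probe_load64, probe_extable, model_task, model_mm, sample_mm, MODEL_KERNEL_START and the unmapped pointer value are all made up for this example. Mirroring the reply, the handler only fixes up faults on addresses in the model's kernel half, and a fault on a user address such as NULL is left to the default action, which is why task_total_vm checks task->mm for NULL before following it.

```c
/* Added example: user-space model of a BPF_PROBE_MEM load with an exception
 * table fixup. Assumes x86-64 Linux, glibc and a GNU-style toolchain. Not
 * kernel or JIT code; every name below is made up for this example. */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <ucontext.h>

#ifndef REG_RIP      /* glibc's x86-64 gregs[] indices, if not exposed */
enum { REG_RDI = 8, REG_RAX = 13, REG_RIP = 16 };
#endif

/* Model: below this is user space (NULL included) and gets no fixup, as
 * in the reply; only faults on kernel-half addresses are recoverable. */
#define MODEL_KERNEL_START 0xffff800000000000ULL

/* Same shape as the kernel's __ex_table: PC-relative insn and fixup. */
struct probe_extable_entry { int32_t insn; int32_t fixup; };
extern const struct probe_extable_entry __start_probe_extable[]; /* linker- */
extern const struct probe_extable_entry __stop_probe_extable[];  /* provided */

/* The probe load: address pinned to %rdi, result to %rax, so the handler
 * knows the src/dst registers as a JIT knows them for its PROBE_LDX.
 * Label 1 is the load, label 2 the fixup target (the next instruction). */
static uint64_t __attribute__((noinline)) probe_load64(const void *addr)
{
    uint64_t val;
    __asm__ volatile(
        "1: movq (%[addr]), %[val]\n"
        "2:\n"
        ".pushsection probe_extable, \"a\", @progbits\n"
        ".balign 4\n"
        ".long 1b - .\n"
        ".long 2b - .\n"
        ".popsection\n"
        : [val] "=a"(val) : [addr] "D"(addr) : "memory");
    return val;
}

/* Fault at a registered probe load on a kernel-half address: zero the
 * destination and resume after the load. Anything else is a real bug:
 * restore SIG_DFL so the re-executed load kills the process. */
static void probe_segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uintptr_t pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uintptr_t addr = (uintptr_t)uc->uc_mcontext.gregs[REG_RDI];
    (void)si;

    for (const struct probe_extable_entry *e = __start_probe_extable;
         e < __stop_probe_extable; e++) {
        uintptr_t insn = (uintptr_t)((const char *)&e->insn + e->insn);
        uintptr_t fixup = (uintptr_t)((const char *)&e->fixup + e->fixup);
        if (pc == insn && addr >= MODEL_KERNEL_START) {
            uc->uc_mcontext.gregs[REG_RAX] = 0;
            uc->uc_mcontext.gregs[REG_RIP] = (greg_t)fixup;
            return;
        }
    }
    signal(sig, SIG_DFL);
}

/* Constructed stand-ins for task_struct and mm_struct. */
struct model_mm { uint64_t pad; uint64_t total_vm; };
struct model_task { int32_t pid; struct model_mm *mm; };
struct model_mm sample_mm = { 0, 4096 };   /* constructed sample mm */

/* task->mm->total_vm as in the quoted program: task is already non-NULL
 * (the verifier insists); task->mm is probe-loaded, then NULL-checked
 * explicitly before the dependent load, as the x86-64 JIT does. */
uint64_t task_total_vm(const struct model_task *task)
{
    uintptr_t mm = (uintptr_t)probe_load64(&task->mm);
    if (mm == 0)
        return 0;
    return probe_load64((const void *)(mm + offsetof(struct model_mm, total_vm)));
}

/* Installs the handler once, then evaluates task->mm->total_vm for a task
 * whose mm pointer is mm_ptr; ~0 means the handler could not be installed. */
uint64_t demo_total_vm(struct model_mm *mm_ptr)
{
    static int installed;
    struct sigaction sa = { .sa_sigaction = probe_segv_handler, .sa_flags = SA_SIGINFO };
    struct model_task t = { 1, mm_ptr };

    if (!installed && sigaction(SIGSEGV, &sa, NULL) == 0)
        installed = 1;
    return installed ? task_total_vm(&t) : ~0ULL;
}

int main(void)
{
    printf("user task  vm=%llu\n", (unsigned long long)demo_total_vm(&sample_mm));
    printf("kthread    vm=%llu\n", (unsigned long long)demo_total_vm(NULL));
    printf("stale mm   vm=%llu\n", (unsigned long long)
           demo_total_vm((struct model_mm *)0xffff888000001000ULL));
    return 0;
}
```

Build with `cc -O2 -o probe probe.c` and run it: the valid mm yields 4096, the kernel-thread case (mm == NULL) yields 0 without ever faulting because of the explicit check, and the made-up unmapped kernel-half pointer faults at the movq, is found in probe_extable and comes back as 0, the same "vm=0" Jean-Philippe describes. Remove the `if (mm == 0)` check and the NULL case faults on a user address, which the handler refuses to fix up, so the process dies the way Ravi's test did once the JIT's NULL check was reverted.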