lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1199859742.6424.44.camel@brick>
Date:	Tue, 08 Jan 2008 22:22:22 -0800
From:	Harvey Harrison <harvey.harrison@...il.com>
To:	Heiko Carstens <heiko.carstens@...ibm.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Masami Hiramatsu <mhiramat@...hat.com>,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	David Miller <davem@...emloft.net>, hskinnemoen@...el.com,
	schwidefsky@...ibm.com, tony.luck@...el.com,
	Ingo Molnar <mingo@...e.hu>, Paul Mackerras <paulus@...ba.org>
Subject: Re: [PATCHv3] kprobes: Introduce kprobe_handle_fault()

On Wed, 2008-01-09 at 07:14 +0100, Heiko Carstens wrote:
> > +/*
> > + * If it is a kprobe pagefault we can not be premptible so return before
> 
> Missing 'e' in preemptible.

OK.

> However, the old code you removed had a lot of preempt_disable/enable calls
> that you removed. Hope you checked that preemption was always disabled
> already and the calls were not necessary (true at least for s390).
> 
> Are there cases where this code could be called with preemption enabled?
> If so then that looks like a bug anyway. I'd say the preemptible check
> should be removed or turned into a WARN_ON.
> 
> I like this better (not including any other changes):
> 
> 	if (!user_mode(regs) && !preemptible() && kprobe_running())
> 		return kprobe_fault_handler(regs, trapnr);
> 	return 0;

I could live with that too, will defer to kprobes maintainers if they
prefer that as a follow-on.

Regarding the preempt_enable/disable, the reasoning behind it comes from
the following, I stole the changelog from x86.git which has a good
description of why this should be safe:

commit 6624c638928acce52fbe57d73284efcf9f86abd2
Author: Quentin Barnes <qbarnes@...il.com>
Date:   Wed Jan 9 02:32:57 2008 +0100

    Code clarification patch to Kprobes arch code
    
    When developing the Kprobes arch code for ARM, I ran across some
code
    found in x86 and s390 Kprobes arch code which I didn't consider as
    good as it could be.
    
    Once I figured out what the code was doing, I changed the code
    for ARM Kprobes to work the way I felt was more appropriate.
    I've tested the code this way in ARM for about a year and would
    like to push the same change to the other affected architectures.
    
    The code in question is in kprobe_exceptions_notify() which
    does:
    ====
              /* kprobe_running() needs smp_processor_id() */
              preempt_disable();
              if (kprobe_running() &&
                  kprobe_fault_handler(args->regs, args->trapnr))
                      ret = NOTIFY_STOP;
              preempt_enable();
    ====
    
    For the moment, ignore the code having the preempt_disable()/
    preempt_enable() pair in it.
    
    The problem is that kprobe_running() needs to call
smp_processor_id()
    which will assert if preemption is enabled.  That sanity check by
    smp_processor_id() makes perfect sense since calling it with
preemption
    enabled would return an unreliable result.
    
    But the function kprobe_exceptions_notify() can be called from a
    context where preemption could be enabled.  If that happens, the
    assertion in smp_processor_id() happens and we're dead.  So what
    the original author did (speculation on my part!) is put in the
    preempt_disable()/preempt_enable() pair to simply defeat the check.
    
    Once I figured out what was going on, I considered this an
    inappropriate approach.  If kprobe_exceptions_notify() is called
    from a preemptible context, we can't be in a kprobe processing
    context at that time anyways since kprobes requires preemption to
    already be disabled, so just check for preemption enabled, and if
    so, blow out before ever calling kprobe_running().  I wrote the ARM
    kprobe code like this:
    ====
              /* To be potentially processing a kprobe fault and to
               * trust the result from kprobe_running(), we have
               * be non-preemptible. */
              if (!preemptible() && kprobe_running() &&
                  kprobe_fault_handler(args->regs, args->trapnr))
                      ret = NOTIFY_STOP;
    ====
    
    The above code has been working fine for ARM Kprobes for a year.
    So I changed the x86 code (2.6.24-rc6) to be the same way and ran
    the Systemtap tests on that kernel.  As on ARM, Systemtap on x86
    comes up with the same test results either way, so it's a neutral
    external functional change (as expected).
    
    This issue has been discussed previously on linux-arm-kernel and the
    Systemtap mailing lists.  Pointers to the by base for the two
    discussions:

http://lists.arm.linux.org.uk/lurker/message/20071219.223225.1f5c2a5e.en.html
    http://sourceware.org/ml/systemtap/2007-q1/msg00251.html


Cheers,

Harvey

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ