Received: by 2002:ac0:b08d:0:0:0:0:0 with SMTP id l13csp2133137imc; Fri, 22 Feb 2019 19:07:02 -0800 (PST) X-Google-Smtp-Source: AHgI3IZIqb0+GMF3UQbghbB1yTBPhNijeSUF3Z2QkWuzKhcqcREj0A7yE7TxyRF5QhdHxjscSy4S X-Received: by 2002:a62:6ec3:: with SMTP id j186mr7733916pfc.89.1550891222531; Fri, 22 Feb 2019 19:07:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550891222; cv=none; d=google.com; s=arc-20160816; b=apPvQ6a9F1rx4B+oTjV7PwJecGjiLAjgDnzgXBMsGh0KF/JV69jN2fZVrnAHITp+2h VObE+ilS4aa1fogmJ9r2GXgyuRhAe/oOISWoZwd14nprzDJXwD1xBaq87YPfeybFVdfk FhUPpgZWx+/WsMPsdIlx8fpYgnwP1mz1EpanK+piGKndETLQ3tQVTHF3Uqm7FTM6aXoy d2nxfIIsaMOCvbPgcj7nlKh9jXDkVIuwM2Uvvoix8SUfUw+A+BmDaukrUskZqp5YDpo8 pmMFuGDBWTGIPmHIo/V2N+6KcRfgivlcY75IC0s197xKUE5EM9EOtx95xinkedsWKZiP BYUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=/ht5x8VLRiZ6XRVQyia9FhIE01OOyI2xs/gYqYKGHxk=; b=HTCgChkI8pjxhJ5mkgU8wXfvXPoemtdiLiCINLrvoFODB+uCnLmdYzhD6aKwyj+QKd /PMYLGkUB2MMaMNX1NMEdAIBHAvGnix5h3khC1gBK3sXIZq6tRUo4a6AKa+awuKB5Bi+ eT7CHh0bANDE/hO8ZCKHGXOfA0/wMksJNkWILPCYz6igLfDDK5jZzeMzw97UirfJ2UYe rmVvCMAqcVUvXEM+lhPwy6l6hp2sBELi921TKVpu+yJh9DKjsubVzLGeIKkWMYzS/Jzl mPCuS7TOsgbFUQxX5bWvQNxA6Pe1hL2+dCMLn3GbGgMhX5q6DxcR0BsUPW8VMkvVqMg0 kpPQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s18si2839697plr.186.2019.02.22.19.05.55; Fri, 22 Feb 2019 19:07:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727610AbfBWDCs (ORCPT + 99 others); Fri, 22 Feb 2019 22:02:48 -0500 Received: from mail.kernel.org ([198.145.29.99]:36776 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725821AbfBWDCr (ORCPT ); Fri, 22 Feb 2019 22:02:47 -0500 Received: from gandalf.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4248120645; Sat, 23 Feb 2019 03:02:45 +0000 (UTC) Date: Fri, 22 Feb 2019 22:02:43 -0500 From: Steven Rostedt To: Alexei Starovoitov Cc: Linus Torvalds , David Miller , Masami Hiramatsu , Andy Lutomirski , Linux List Kernel Mailing , Ingo Molnar , Andrew Morton , stable , Changbin Du , Jann Horn , Kees Cook , Andrew Lutomirski , Daniel Borkmann , Netdev , bpf@vger.kernel.org Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault Message-ID: <20190222220243.633bbf48@gandalf.local.home> In-Reply-To: <20190223022850.nv4hnweueetprbot@ast-mbp.dhcp.thefacebook.com> References: <20190222192703.epvgxghwybte7gxs@ast-mbp.dhcp.thefacebook.com> <20190222.133842.1637029078039923178.davem@davemloft.net> <20190222225103.o5rr5zr4fq77jdg4@ast-mbp.dhcp.thefacebook.com> <20190222235618.dxewmv5dukltaoxl@ast-mbp.dhcp.thefacebook.com> <20190223022850.nv4hnweueetprbot@ast-mbp.dhcp.thefacebook.com> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 22 Feb 2019 18:28:53 -0800 Alexei Starovoitov wrote: > First we introduce bpf_probe_kernel_read and bpf_probe_user_read and > introduce clang/gcc tooling to catch the mistakes. > Going over this 400+ places and manually grepping kernel sources > for __user keyword is not a great proposal if we want to keep those users. > Once we have this working we can remove bpf_probe_read() altogether. > Rejecting bpf prog at load time is a clear signal that user has to fix it > (instead of changing run-time behavior). > When the verifier gets even smarter it could potentially replace prob_read > with probe_kernel_read and probe_user_read when it has that type info. I was about to suggest this approach. Document that bpf_probe_read() is known to be buggy and will be deprecated in the future, and that all new bpf scripts should start using bpf_probe_kernel/user_read() instead (after they have been implemented of course). And give time for people to fix their current scripts. Perhaps in the near future, trigger some kind of warning for users that use bpf_probe_read(). -- Steve