Received: by 2002:ac0:b08d:0:0:0:0:0 with SMTP id l13csp4198203imc; Mon, 25 Feb 2019 00:10:33 -0800 (PST) X-Google-Smtp-Source: AHgI3IY0d87XtGaBqwpBuimKkvosijwl0xlKk0aB5/Sr8KqfaZzTqr7idFjbJ1XAGzIulk3isP4t X-Received: by 2002:a17:902:9689:: with SMTP id n9mr19031701plp.8.1551082233009; Mon, 25 Feb 2019 00:10:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551082233; cv=none; d=google.com; s=arc-20160816; b=cCk3tCCpX4M4jGTWj2jJrIa+wXFGn1sXrzG9VlBtljX2r8PMr/FODUUsrhNxp/EQse yU+wJ9uzXLUunPzmJJYJ3DEuiMpdKko03tSc0oSqKlyU0QRIOBculejsVNESMw7aWA5X dmB6E4X8/jsgasC4o8wKtmBBNWygZqS9fF4kngzUMNxtapUMwFGrD9Lxwbh9s7mfsX2j 1mIGGS0IhjRJs32USJ/WuwYC0SfrsPxmLNi7yTYaUJ+DlWJcLonIzeF3tUaKTWZ2YI/a NKR1Kqi4gKjghUqEA8rtWYCxl8ZIeZ90cEPBR9mWG2/lW9pvvXdNj+xmjVKmp1CUq+T1 RNsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=ljSxrs4sS5cFxCuWYcupqZHIWYX8IkyL1w/WlyHFqsQ=; b=yrbdbOrFzriSC8xTS2X4llOeYtky3sTQFZpMoJjnmVJfpjzHpWAOITm8y+zWyxFr6r gMNhWuqE7wr64Y0GeRnYJEeD4xx1lVUAluuIqFitRIVHvxZpe/zLf6n0bpTp0AyzgXqn 9y1Vm2+V6/oJgpY2wAOPF7EhVD2YVlDb0TKEEaBtbKUJYnLiUD/qtYrEe5w9hPsYTVJx 7UxUhvHmS3WsXIbE8FbiwFMY3HEYbKBoFjg3DrzUW+qotiTbTYeCIEyMwGkmd4ksugFy /TaFiK9ya1Ddf2qq9DMUBMaJQ1/iXC7+IXNX2kzuvALwWFwxCoG2yWNZ56v2tTmcRbxJ 58pQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=P2fGdMyW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b17si9431676pfc.0.2019.02.25.00.10.16; Mon, 25 Feb 2019 00:10:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=P2fGdMyW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726131AbfBYIJv (ORCPT + 99 others); Mon, 25 Feb 2019 03:09:51 -0500 Received: from mail.kernel.org ([198.145.29.99]:42416 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725863AbfBYIJu (ORCPT ); Mon, 25 Feb 2019 03:09:50 -0500 Received: from devnote (NE2965lan1.rev.em-net.ne.jp [210.141.244.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 60D6B2087C; Mon, 25 Feb 2019 08:09:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1551082189; bh=uRyndvd+l+Gx0ROlkYS6UdiDJk9g630RqD8ruaRnU9w=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=P2fGdMyWpB29mQfI/skAkJ+xDxeqh+O+oObmvgBwirn/E31SC3r2RBJjdImfkyGMO y6uwohGaXxvpLhtqCzXIBDEdChs+QnJFDwAVdhmcnGtiyQ+TY+39xMyu9PBG20r3D+ ToEEINE45mqgPMSPIhgmbDROx8bUqG4NldcDAKQ0= Date: Mon, 25 Feb 2019 17:09:45 +0900 From: Masami Hiramatsu To: Andy Lutomirski Cc: Linus Torvalds , Steven Rostedt , Linux List Kernel Mailing , Ingo Molnar , Andrew Morton , stable , Changbin Du , Jann Horn , Kees Cook , Peter Zijlstra Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault Message-Id: <20190225170945.d808659362b364298c3206e9@kernel.org> In-Reply-To: References: <20190215174712.372898450@goodmis.org> <20190219111802.1d6dbaa3@gandalf.local.home> <20190219140330.5dd9e876@gandalf.local.home> <20190220171019.5e81a4946b56982f324f7c45@kernel.org> <20190220094926.0ab575b3@gandalf.local.home> <20190222172745.2c7205d62003c0a858e33278@kernel.org> <20190222173509.88489b7c5d1bf0e2ec2382ee@kernel.org> <20190223124746.d021973004c7c892c3b3fde1@kernel.org> <20190223194421.725a03fd@oasis.local.home> <20190225001757.519f40cd088c05fdd00a9397@kernel.org> <20190225114025.902c9031075e2f1fc55369a3@kernel.org> X-Mailer: Sylpheed 3.5.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 24 Feb 2019 20:49:45 -0800 Andy Lutomirski wrote: > On Sun, Feb 24, 2019 at 6:40 PM Masami Hiramatsu wrote: > > > > On Sun, 24 Feb 2019 09:26:45 -0800 > > Linus Torvalds wrote: > > > > > On Sun, Feb 24, 2019 at 7:18 AM Masami Hiramatsu wrote: > > > > > > > > On Sat, 23 Feb 2019 20:38:03 -0800 > > > > Andy Lutomirski wrote: > > > > > > > > > > Can we just get rid of this might_sleep()? access_ok() doesn't sleep > > > > > as far as I know. > > > > > > > > Hmm, which might_sleep() would you pointed? What I talked was a > > > > WARN_ON_ONCE(!in_task()) in access_ok() on x86 (only!), and in_task() just > > > > checks preempt_count. > > > > > > So the in_task() check does kind of make sense. Using "access_ok()" > > > outside of task context is certainly an odd thing, for several > > > reasons. The main one being simply that outside of task context, the > > > whole "which task" question is open, and you don't know if the task is > > > the active one, and so it's not clear if whatever task you interrupt > > > might have done "set_fs()" or not. > > > > Ah I got it. Usual case access_ok() in IRQ handler is strange. > > > > > > > > So PeterZ isn't wrong: > > > > > > > I guess PeterZ assumed that access_ok() is used only with user space access > > > > APIs (e.g. copy_from_user) which can cause page-fault and locks mm (and might > > > > sleep :)), but now we are trying to use access_ok() with new functions which > > > > disables page-fault and just return -EFAULT. > > > > > > .. but in this case, if we do it all *within* code that saves and > > > restores the user access flag with get_fs/set_fs, access_ok() would be > > > ok and it doesn't have the above issue. > > > > > > So access_ok() in _general_ is absolutely not safe to do from > > > interrupts, but within the context of probing user memory from a > > > tracing event it just happens to be ok. > > > > Hmm, but user can specify user-memory access from the tracing event > > which is located in interrupt handler. So I understand that it is safe > > only if we correctly setup access flag with get_fs/set_fs, is that > > correct? > > > > > It would be lovely to have a special macro for this, and keep the > > > warning for the general case, but because this is a "every > > > architecture needs to build their own" it's probably too painful. > > > > Agreed. > > This should probably go with whatever effort makes nmi_uaccess_ok() > available on all architectures. That being said, how about just > making copy_from_user_nmi() work on all architectures, even if it just > fails unconditionally on some of them? I think even if we have copy_from_user_nmi(), we need something like nmi_uaccess_ok() because without it we can not correctly use __copy_from_user_inatomic()... Thank you, -- Masami Hiramatsu