Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1033735ybh; Tue, 21 Jul 2020 14:05:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwKfKS8p5VEFJp+w+05vP+PyP4+HCgwCKo3UsffXpcXTJ/Crx0AsvYBlbHJJRtR75KmJgCY X-Received: by 2002:a17:906:a252:: with SMTP id bi18mr24931288ejb.151.1595365526935; Tue, 21 Jul 2020 14:05:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595365526; cv=none; d=google.com; s=arc-20160816; b=DAvBMVBkOI+fFJcAeB5fiUxAbZQuKfeoK8F80Vlit3F/k9iqgHUbRFS1q2z1D1O+rm 53StnZboFHH6sNKrWt/fSClltkAf5VRxYbwVwAotMepfOu9e9Om/FsuxWwZqbWMuyaJU wkycG3cYPPKFD3NxGYfIL44RnL0KJ82osq4sX7mfHerZBjzHSsehfqKAcSxIinlAPnTb //oV1DgNWQ5bcFm/aNnIisXJoXxOm/7vFaWFrM4grm3Jz1udbtfxtK67S7ng9dVk2a7g qoa1oKAQoYfXT0lWcj9bXszEMD9J7+WsVjl/uho5m8Brav974n0umODm/ZHMd4wGt5EN o1tw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=jJhbzVDa9nePxgAcv9hRGTSaFk2PPisZtuGmQbqXq4M=; b=GkgozK25cuPYuqauXeXR4rx+IZpkvARMD0AToyhdYlGBwQaUIztL6887yWjcz06kmY EZNJyDZrqxIr2rP0EOb/T4PEe66/bqtDzOypoml2jna0nCUTYC315TEHdGHivdmoHmtr 1XghQIy6NRgNucjb3c+L/P3g42qMPNBvDIWk4m6pMdTvCUviHEVBkjhzi8nl4aHqJRVB y7z6wE4Obc306qPhdFdxqZHp9xBD0UMqDu39Ik2Oq4K4R7zqhxYCDte5xpJcx2vUsgw0 lH2G2mC1IEYTksRlrE6zeFRKVcvjgkfO3qWlYGsUSu8I50dJx5kE8h+Tf7oe3QNLGkjF hOGQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=G2NWfIyU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d23si13629937ejz.145.2020.07.21.14.05.04; Tue, 21 Jul 2020 14:05:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=G2NWfIyU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730567AbgGUVFA (ORCPT + 99 others); Tue, 21 Jul 2020 17:05:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59668 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728606AbgGUVFA (ORCPT ); Tue, 21 Jul 2020 17:05:00 -0400 Received: from mail-vs1-xe41.google.com (mail-vs1-xe41.google.com [IPv6:2607:f8b0:4864:20::e41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B512C061794 for ; Tue, 21 Jul 2020 14:05:00 -0700 (PDT) Received: by mail-vs1-xe41.google.com with SMTP id b77so5063vsd.8 for ; Tue, 21 Jul 2020 14:05:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jJhbzVDa9nePxgAcv9hRGTSaFk2PPisZtuGmQbqXq4M=; b=G2NWfIyUsyvk7iqL8Y7G25VX3J5N1E5bZULjMHl9k6T+YkX8MSsjLfVSTNpw2Sl+Uo pMFA/3oH9PDppJbYTdVpPInv0V/MNW9w2iTGnWfnlyxIoH6x4b5KjFdpFDWwXK6TC0h/ 4qpnv+b2YuXE1frsbcWunmMf/5SVUx1/zTeTY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jJhbzVDa9nePxgAcv9hRGTSaFk2PPisZtuGmQbqXq4M=; b=NeYDqahrdEwODSDYvgYxW4ClBp4xxFc3sBHuLNLshzGb9qbW60lwRX4RBDimZra9y+ XbbdwdcT3a7Ih7c8P48zRtoh/fQpSvXOuYMu/NjTHRr1U2NS9PV10TltX/shdbmown3Z jNr1n9R+X6Kr5aFAS/e8XCJVmsF7bwI69TrOxveG1VL2ZSEAfewqzF9o5FraU/MQtpzh DKCgfDkg0tNywwP8WLN1QJRaF/B0GxxXfcugJkt+FI0n5k+bL7PQnrCiPOlpg67T0cpu 6Ay4NmLLV1IK6oSNS/TwZ70nj45EajWiF4UIo0a9cetXfrYOCfd9dlKrL6iU/XmwCNP9 r+xw== X-Gm-Message-State: AOAM533Swa3ZaJJ5NXIo11AEaw4Mjk0agtk9sx30x9CE1HQx0BqrgTs5 BULRdGnIE5GMTaqXGC2ns9Y7LmSsV+g= X-Received: by 2002:a67:6c84:: with SMTP id h126mr20530999vsc.181.1595365498824; Tue, 21 Jul 2020 14:04:58 -0700 (PDT) Received: from mail-vk1-f177.google.com (mail-vk1-f177.google.com. [209.85.221.177]) by smtp.gmail.com with ESMTPSA id d3sm3534814vko.51.2020.07.21.14.04.57 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 21 Jul 2020 14:04:57 -0700 (PDT) Received: by mail-vk1-f177.google.com with SMTP id m21so74541vkp.1 for ; Tue, 21 Jul 2020 14:04:57 -0700 (PDT) X-Received: by 2002:a1f:4e81:: with SMTP id c123mr12718651vkb.100.1595365497257; Tue, 21 Jul 2020 14:04:57 -0700 (PDT) MIME-Version: 1.0 References: <20200716151943.2167652-1-daniel.thompson@linaro.org> <20200716151943.2167652-3-daniel.thompson@linaro.org> <20200720080759.tyq4rq4qxmkwdk2g@holly.lan> In-Reply-To: <20200720080759.tyq4rq4qxmkwdk2g@holly.lan> From: Doug Anderson Date: Tue, 21 Jul 2020 14:04:45 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 2/3] kgdb: Use the kprobe blocklist to limit single stepping To: Daniel Thompson Cc: Jason Wessel , Peter Zijlstra , Sumit Garg , Petr Mladek , Sergey Senozhatsky , Will Deacon , Masami Hiramatsu , kgdb-bugreport@lists.sourceforge.net, LKML , Patch Tracking Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Mon, Jul 20, 2020 at 1:08 AM Daniel Thompson wrote: > > On Fri, Jul 17, 2020 at 03:39:51PM -0700, Doug Anderson wrote: > > Hi, > > > > On Thu, Jul 16, 2020 at 8:20 AM Daniel Thompson > > wrote: > > > > > > If we are running in a part of the kernel that dislikes breakpoint > > > debugging then it is very unlikely to be safe to single step. Add > > > some safety rails to prevent stepping through anything on the kprobe > > > blocklist. > > > > > > As part of this kdb_ss() will no longer set the DOING_SS flags when it > > > requests a step. This is safe because this flag is already redundant, > > > returning KDB_CMD_SS is all that is needed to request a step (and this > > > saves us from having to unset the flag if the safety check fails). > > > > > > Signed-off-by: Daniel Thompson > > > --- > > > include/linux/kgdb.h | 1 + > > > kernel/debug/debug_core.c | 13 +++++++++++++ > > > kernel/debug/gdbstub.c | 10 +++++++++- > > > kernel/debug/kdb/kdb_bp.c | 8 ++------ > > > kernel/debug/kdb/kdb_main.c | 10 ++++++++-- > > > 5 files changed, 33 insertions(+), 9 deletions(-) > > > > > > diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h > > > index 7caba4604edc..aefe823998cb 100644 > > > --- a/include/linux/kgdb.h > > > +++ b/include/linux/kgdb.h > > > @@ -214,6 +214,7 @@ extern void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc); > > > > > > /* Optional functions. */ > > > extern int kgdb_validate_break_address(unsigned long addr); > > > +extern int kgdb_validate_single_step_address(unsigned long addr); > > > extern int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt); > > > extern int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt); > > > > > > diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c > > > index 133a361578dc..4b59bcc90c5d 100644 > > > --- a/kernel/debug/debug_core.c > > > +++ b/kernel/debug/debug_core.c > > > @@ -208,6 +208,19 @@ int __weak kgdb_validate_break_address(unsigned long addr) > > > return err; > > > } > > > > > > +int __weak kgdb_validate_single_step_address(unsigned long addr) > > > +{ > > > + /* > > > + * Disallow stepping when we are executing code that is marked > > > + * as unsuitable for breakpointing... stepping won't be safe > > > + * either! > > > + */ > > > + if (kgdb_within_blocklist(addr)) > > > + return -EINVAL; > > > + > > > + return 0; > > > +} > > > + > > > unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs) > > > { > > > return instruction_pointer(regs); > > > diff --git a/kernel/debug/gdbstub.c b/kernel/debug/gdbstub.c > > > index 61774aec46b4..f1c88007cc2b 100644 > > > --- a/kernel/debug/gdbstub.c > > > +++ b/kernel/debug/gdbstub.c > > > @@ -1041,8 +1041,16 @@ int gdb_serial_stub(struct kgdb_state *ks) > > > if (tmp == 0) > > > break; > > > /* Fall through - on tmp < 0 */ > > > - case 'c': /* Continue packet */ > > > case 's': /* Single step packet */ > > > + error = kgdb_validate_single_step_address( > > > + kgdb_arch_pc(ks->ex_vector, > > > + ks->linux_regs)); > > > > I'm a little confused. Isn't this like saying "if > > (i_am_standing_in_acid) dont_step_into_acid"? > > I describe it more as: > > if (we_know_there_is_acid_nearby) > dont_step_forward > > It is possible we are currently stepping in acid but it is also possible > (and reasonably likely) that we haven't stepped in it yet but will do so > soon. > > > > Specifically you're checking the _current_ PC to see if it's in the > > blocklist, right? ...but you've already (effectively) dropped into > > the debugger at that location, so if it really was a problem wouldn't > > we already be in trouble? > > The basic use case is where someone is stepping and we reach a PC that > would be blocked for a breakpoint. This will typically be due (although > I think it does generalize) to a function call and the safety rail will > be reached after we have jumped to the blocked function but before we > actually execute any instructions within it. > > Or putting it another way, there is no reason to worry if we start > somewhere "safe" and start stepping towards something on the blocklist. > We won't melt our shoes! I guess I still don't totally get it. So let's say we have: void dont_trace_this(...) { thing_not_to_trace_1(); thing_not_to_trace_2(); don_t_trace = this; } NOKPROBE_SYMBOL(dont_trace_this); void trace_me() { sing(); dance(); dont_trace_this(); party(); } So presumably the dont_trace_this() function is marked as NOKPROBE_SYMBOL because it's called by the kprobe handling code or by kgdb, right? So if we had a breakpoint there then we'd just have infinite recursion. Thus we want to prevent putting breakpoints anywhere in this function. Even though dont_trace_this() is also called from the trace_me() function it doesn't matter--we still can't put breakpoints in it because it would cause problems with the debugger. Now, I guess the question is: why exactly do we need to prevent single stepping in dont_trace_this(). In the case above where dont_trace_this() is called from trace_me() it would actually be OK to single step it, right? ...unless this is on a CPU that doesn't have a "single step mode" and has to implement stepping by breakpoints, of course. ...but maybe I'm confused and there is a reason that we shouldn't allow single stepping into dont_trace_this() when called from trace_me(). If that is the case, I'm wondering why it's OK to step and stop on the first instruction of the function but it's not OK to step and stop through the other instructions in the function. -Doug