Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Message-ID: <dccc55b4-9f45-4b1c-2166-184a8979bdc6@fb.com>
Date:   Mon, 1 Nov 2021 10:31:38 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
 Gecko/20100101 Thunderbird/91.2.1
Subject: Re: [PATCH bpf-next] bpf: Allow bpf_d_path in perf_event_mmap
Content-Language: en-US
To:     Florent Revest <revest@chromium.org>,
        Hengqi Chen <hengqi.chen@gmail.com>
CC:     Martin KaFai Lau <kafai@fb.com>, <bpf@vger.kernel.org>,
        <ast@kernel.org>, <daniel@iogearbox.net>, <andrii@kernel.org>,
        <kpsingh@kernel.org>, <jackmanb@google.com>,
        <linux-kernel@vger.kernel.org>
References: <20211028164357.1439102-1-revest@chromium.org>
 <20211028224653.qhuwkp75fridkzpw@kafai-mbp.dhcp.thefacebook.com>
 <CABRcYmLWAp6kYJBA2g+DvNQcg-5NaAz7u51ucBMPfW0dGykZAg@mail.gmail.com>
 <204584e8-7817-f445-1e73-b23552f54c2f@gmail.com>
 <CABRcYmJxp6-GSDRZfBQ-_7MbaJWTM_W4Ok=nSxLVEJ3+Sn7Fpw@mail.gmail.com>
From:   Yonghong Song <yhs@fb.com>
In-Reply-To: <CABRcYmJxp6-GSDRZfBQ-_7MbaJWTM_W4Ok=nSxLVEJ3+Sn7Fpw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?YlZHdTlYM29xOU8vSEdvd2NkeGFtbUkweEUwN1BhWkZObnhJZThsV2ZGSHVG?=
 =?utf-8?B?NUtaMzZsNzREM0wzSmdFdVpmZmU4R0pCT3Y1T1NoRlI5YThXWDdCTDkzYXBr?=
 =?utf-8?B?eE53YWxmQ3dPRDR4V1luWGFEZFR5N3k2YXBiUGhjUThEOVVqV1E3Qm9pL1Zq?=
 =?utf-8?B?NXJwRHRiT214czlDOHFIRHh5SEN0b1Z3V2d4Z051cUVKY09ZVkJpWk1hZGxp?=
 =?utf-8?B?dTVKRWdnWVJSQmJHeHFVVlFtU2RTeFdaUTlnYmNteEtHU2M5dUVMcVZQSGVS?=
 =?utf-8?B?NHE3dlZTdUw5ZEJNWUpGalgyTndmNHhLTGVGSGdJVHpvWTJVT2xkdE0vYnJ0?=
 =?utf-8?B?YlhSbHpUOFM5SHEyVlZwTXJkNEMxYW5kditzUGZBMDJoWUpMR054Rmw3bXdn?=
 =?utf-8?B?TVJaelBKN1o3RTVibkxFcUZSMGl4MU9pMEcvMHRkbS9QT1llQ1dwZDVScm1h?=
 =?utf-8?B?TDlIY1gzK3RDNFkwWTNmVUhTUEZBaEFWMmlxaHk1TUdCVEh5TmQ4UmxIclh6?=
 =?utf-8?B?Nk5ybkM5dTBJNU9UaUdjbFJka2JyRGlzUmdZTnllTDE2QS9McG5nd2xPZUN5?=
 =?utf-8?B?Ny9valJpdGg4SmFMQzUzYjY5V0E4RkMwc0xRZ2UvdVJ4WitlYXM5b3duUmM5?=
 =?utf-8?B?aUQ2RkR1YzdNVXFTTHhIWjBFaTdhZ05GUWFOSEorQ05uQnhET0xlbnMrbzBH?=
 =?utf-8?B?OU1ZSnpWVFpPUmRWUHJteU5ZdXdPcFlpdGdXVE5ZTGU1NUV5RXhiMU5YNFRz?=
 =?utf-8?B?KzQ0bDltQzg2dDRKdXhHS1RyNXhkem9HTlJHS3hxRFdvU1J1aFE1ZjNWcXlt?=
 =?utf-8?B?YnBWUnNzaDRRdU4rMU9JMGlVendReDd5c0lkbjZOWnhxV0haR1J5cVBwc2Zr?=
 =?utf-8?B?T3d5eVQralZEczZuZFV4Ri9yZmJtTnd3c0tITnNrTWtEUVcvM3lLNHFvancv?=
 =?utf-8?B?Z2J3OUJrZVQ0WmxXaDVIL0htNGNCcUdWK1lxNU1LNGtKSEQ0ZG9aSHlwYVJC?=
 =?utf-8?B?NFpwUUk2Y3FrVDlKMGdMMHA2QkR5SEJCV0hlamljR29YQ3FNWjNoSkVGVWVO?=
 =?utf-8?B?VHNDOUpORk1TYWNUdGNhWStoTW83SWVhQlhqclZldHhsalM5NVVxbDFQNzZ6?=
 =?utf-8?B?RnNrZllRRTNlUVdXTWhDVkFFRVRvZnZTZVJYUGZPamhHMzE0Zk5hZHFhY0NC?=
 =?utf-8?B?UzN4NlFpZXpIanBqZndNVUw3blN6UTkyR2dXWUhkSGpPOVRvWjVKQ1AwSnh5?=
 =?utf-8?B?TjVVMDVrMU91UUx1Z2NkOUdGY21DaUdrc3FvMkUzWEhWR0p3bXN6WUFiUElp?=
 =?utf-8?B?dThIWVJVVVVFRGh4ZEMyOVE0alFUaXZHNGhwdzhGNGNVb3hBSW5kWlZoNndW?=
 =?utf-8?B?YS93Qk5ockd4MlhrUDVRNUZXeEU4ZU9QY3ZuOTRrUGpoY1gxUjdUZVllVjRX?=
 =?utf-8?B?S1JodWhnTENxNWRrbmpIdU1xV05xdHZjRVdzZ3BUQXFrZkd4cFZzUWZ0WDFH?=
 =?utf-8?B?WVhaSFZMQkpSdVVyRGl2YlFrUEwvMkdJZXZiQUtjUWxYZnZ6VUhoNnRQcXJQ?=
 =?utf-8?B?bjZLUXlMVlBYYk85T3BlQ0plY3BPZ3drTzc3RWs3akdDZkFXM1Y2dm9jRTNP?=
 =?utf-8?B?d21nMXpLdThkS0FmR2xmdU9aVnlZd1UwMGNPdTcvYndOQ1Fyc25iUU9RQzE0?=
 =?utf-8?B?Q3F6WWp2VEJ2S24zVi9XSlFIOHpzYUx0NmJnbEtyQmF6Nk9YUVdDMXgrTThk?=
 =?utf-8?B?VHFWQ2xtYUF1a1A2aytDYlZYT2c0cTlJblNCZEQxcC9JaGw5dnVyK0hwODBL?=
 =?utf-8?B?RWpRaHRPYlBhejhJKzBxN2lnSE9wa0VIYXZzSFJRTFUxLzE2TVpPd0VSQi8r?=
 =?utf-8?B?NTg3dFI4U1lBNGVubHk0SnRmb3Bsd0lUWGhxdjlTaStVQ2d3ZFVMeXJTWDNh?=
 =?utf-8?B?YjcyelgxZjgrRG5mdk5VVGp2Z2pKMDE5M0tGL202Y3MySnZwVlEwcWN3V2tS?=
 =?utf-8?B?ZmdFTTU3QW5zYkg0U3QvSFhUWHpKYjY3MU0wZVdWcVBXQ3E0NWhadDdSaFZK?=
 =?utf-8?B?K3ZPOTh0TGxYZ3N5Sncya2pmWnQvUHp0bnBERzArdVRPbGF3UzQ5elBvOVI3?=
 =?utf-8?Q?F/9jDr0YoIwRoOaLA/7MumYKd?=
X-MS-Exchange-CrossTenant-Network-Message-Id: 93da8e0b-10bf-47cb-70cf-08d99d5d7759
X-MS-Exchange-CrossTenant-AuthSource: SN6PR1501MB2064.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Nov 2021 17:31:41.0654
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: LH/LPeCfr4OIQlhtNBICatD6wzFoidoLxqQp/mz8V5CCMnjx03ZEh+aIkASiSBA7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR15MB3982
X-OriginatorOrg: fb.com
X-Proofpoint-GUID: o43A6PqkaWF50jFCjfYCNdSpnj94pj-u
X-Proofpoint-ORIG-GUID: o43A6PqkaWF50jFCjfYCNdSpnj94pj-u
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475
 definitions=2021-11-01_06,2021-11-01_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=fb_default_notspam policy=fb_default score=0 spamscore=0
 malwarescore=0 priorityscore=1501 phishscore=0 bulkscore=0 suspectscore=0
 adultscore=0 mlxlogscore=728 impostorscore=0 clxscore=1011 mlxscore=0
 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2110150000 definitions=main-2111010095
X-FB-Internal: deliver
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 11/1/21 8:01 AM, Florent Revest wrote:
> On Mon, Nov 1, 2021 at 2:17 PM Hengqi Chen <hengqi.chen@gmail.com> wrote:
>>
>> Hi,
>>
>>
>> On 2021/10/30 1:02 AM, Florent Revest wrote:
>>> On Fri, Oct 29, 2021 at 12:47 AM Martin KaFai Lau <kafai@fb.com> wrote:
>>>>
>>>> On Thu, Oct 28, 2021 at 06:43:57PM +0200, Florent Revest wrote:
>>>>> Allow the helper to be called from the perf_event_mmap hook. This is
>>>>> convenient to lookup vma->vm_file and implement a similar logic as
>>>>> perf_event_mmap_event in BPF.
>>>>  From struct vm_area_struct:
>>>>          struct file * vm_file;          /* File we map to (can be NULL). */
>>>>
>>>> Under perf_event_mmap, vm_file won't be NULL or bpf_d_path can handle it?
>>>
>>> Thanks Martin, this is a very good point. :) Yes, vm_file can be NULL
>>> in perf_event_mmap.
>>> I wonder what would happen (and what we could do about it? :|).
>>> bpf_d_path is called on &vma->vm_file->f_path So without NULL checks
>>> (of vm_file) in BPF, the helper wouldn't be called with a NULL pointer
>>> but rather with an address that is offsetof(struct file, f_path).
>>>
>>
>> I tested this patch with the following BCC script:
>>
>>      bpf_text = '''
>>      #include <linux/mm_types.h>
>>
>>      KFUNC_PROBE(perf_event_mmap, struct vm_area_struct *vma)
>>      {
>>          char path[256] = {};
>>
>>          bpf_d_path(&vma->vm_file->f_path, path, sizeof(path));
>>          bpf_trace_printk("perf_event_mmap %s", path);
>>          return 0;
>>      }
>>      '''
>>
>>      b = BPF(text=bpf_text)
>>      print("BPF program loaded")
>>      b.trace_print()
>>
>> This change causes kernel panic. I think it's because of this NULL pointer.
> 
> Thank you for the testing and repro Hengqi :)
> Indeed, I was able to reproduce this panic. When vma->vm_file is NULL,
> &vma->vm_file->f_path ends up being 0x18 so d_path causes a panic.
> I suppose that this sort of issue must be relatively common in helpers
> that take a PTR_TO_BTF_ID though ? I wonder if there is anything that

Most non-tracing ARG_PTR_TO_BTF_ID argument has strict helper/prog_type
protection and should be okay although I didn't check them 100%.

For some tracing helpers with ARG_PTR_TO_BTF_ID argument, we have
bpf_seq_printf/bpf_seq_write which has strict context as well and should 
not be NULL.

For helper bpf_task_pt_regs() which can attach to ANY kernel function, 
we kind of assume "task" is not NULL which should be the case in "almost 
all* cases from kernel internal data structure.

> the verifier could do about this ? For example if vma->vm_file could
> be PTR_TO_BTF_ID_OR_NULL and therefore vma->vm_file->f_path somehow
> considered invalid ?

Verifier has no way to know whether vma->vm_file is NULL or not during
verification time. So in your case, if we have to be conservative, that
means verifier will reject the program.

One possible way could be add a mode in verifier, we still *go through* 
the process for direct memory access but we require user explicit 
checking NULL pointers. This way, user will be forced to write code like

    FILE *vm_file = vma->vm_file; /* no checking is needed, vma from 
parameter which is not NULL */
    if (vm_file)
      bpf_d_path(&vm_file->f_path, path, sizeof(path));