Date: Wed, 15 Nov 2017 08:34:56 +0100
From: Ingo Molnar
To: Josef Bacik
Cc: Alexei Starovoitov, rostedt@goodmis.org, mingo@redhat.com, davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ast@kernel.org, kernel-team@fb.com, daniel@iogearbox.net, Josef Bacik
Subject: Re: [PATCH 1/2] bpf: add a bpf_override_function helper
Message-ID: <20171115073456.2dx4l2onbxn3ekzu@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

* Josef Bacik wrote:

> > > Then 'not crashing kernel' requirement will be preserved.
> > > btrfs or whatever else we will be testing with override_return
> > > will be functioning in 'stress test' mode and if bpf program
> > > is not careful and returns error all the time then one particular
> > > subsystem (like btrfs) will not be functional, but the kernel
> > > will not be crashing.
> > > Thoughts?
> >
> > Yeah, that approach sounds much better to me: it should fundamentally be
> > opt-in, and should be documented that it should not be possible to crash the
> > kernel via changing the return value.
> >
> > I'd make it a bit clearer in the naming what the purpose of the annotation is: for
> > example would BPF_ALLOW_ERROR_INJECTION() work for you guys? I.e. I think it
> > should generally be used to change actual integer error values - or at most user
> > pointers, but not kernel pointers. Not enforced in a type safe manner, but the
> > naming should give enough hints?
> >
> > Such return-injection BPF programs can still totally confuse user-space obviously:
> > for example returning an IO error could corrupt application data - but that's the
> > nature of such facilities and similar results could already be achieved via ptrace
> > as well. But the result of a BPF program should never be _worse_ than ptrace, in
> > terms of kernel integrity.
> >
> > Note that with such a safety mechanism in place no kernel message has to be
> > generated either I suspect.
> >
> > In any case, my NAK would be lifted with such an approach.
>
> I'm going to want to annotate kmalloc, so it's still going to be possible to
> make things go horribly wrong, is this still going to be ok with you? Obviously
> I want to use this for btrfs, but really what I used this for originally was an
> NBD problem where I had to do special handling for getting EINTR back from
> kernel_sendmsg, which was a pain to trigger properly without this patch. Opt-in
> is going to make it so we're just flagging important function calls anyway
> because those are the ones that fail rarely and that we want to test, which puts
> us back in the same situation you are worried about, so it doesn't make much
> sense to me to do it this way. Thanks,

I suppose - let's see how it goes? The important factor is the opt-in aspect I
believe.

Technically the kernel should never crash on a kmalloc() failure either, although
obviously things can go horribly wrong from user-space's perspective.

Thanks,

	Ingo
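
A userspace C model of the opt-in rule discussed in this thread, added here as an illustration; it is not code from the patch, the kernel, or any participant. The names `allow_list`, `request_override()`, `model_sendmsg()` and `send_all()` are hypothetical, and the errno range check is an assumption standing in for the "integer error values, not kernel pointers" guidance.

```c
/* Added example: userspace model of opt-in return-value override. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAX_ERRNO 4095  /* bound used by the kernel's IS_ERR_VALUE() */
struct inject_entry { const char *name; long forced; int armed; };

/* Hypothetical opt-in table: only functions listed here can be overridden. */
static struct inject_entry allow_list[] = { { "model_sendmsg", 0, 0 } };

static struct inject_entry *find_entry(const char *name)
{
    for (size_t i = 0; i < sizeof(allow_list) / sizeof(allow_list[0]); i++)
        if (strcmp(allow_list[i].name, name) == 0)
            return &allow_list[i];
    return NULL;
}

/* Request an override. Refused unless the target opted in and the value is
 * a plain negative errno, so it can never be mistaken for a pointer. */
int request_override(const char *name, long value)
{
    struct inject_entry *e = find_entry(name);
    if (!e)
        return -EPERM;                  /* function never opted in */
    if (value >= 0 || value < -MAX_ERRNO)
        return -EINVAL;                 /* not an integer error code */
    e->forced = value;
    e->armed = 1;
    return 0;
}

/* Opted-in function: returns the injected error once, then works normally. */
long model_sendmsg(size_t len)
{
    struct inject_entry *e = find_entry("model_sendmsg");
    if (e && e->armed) { e->armed = 0; return e->forced; }
    return (long)len;                   /* pretend everything was sent */
}

/* Caller with the EINTR retry path that the injection is meant to exercise. */
long send_all(size_t len, int *retries)
{
    long r;
    *retries = 0;
    while ((r = model_sendmsg(len)) == -EINTR)
        (*retries)++;
    return r;
}
```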