Received: by 10.223.164.202 with SMTP id h10csp384397wrb;
        Mon, 13 Nov 2017 07:59:00 -0800 (PST)
X-Google-Smtp-Source: AGs4zMaEZCz8G7CROvLpECx4ehE6m53zqEroXiH4rzjPBayVsrpERHqpCsTnxCaeAdpBhpETnnqY
X-Received: by 10.84.210.237 with SMTP id a100mr9211552pli.177.1510588740600;
        Mon, 13 Nov 2017 07:59:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510588740; cv=none;
        d=google.com; s=arc-20160816;
        b=wQLdRiLsvkXXZWGEUfKlA8H09MNYVnyxA4PdOogF/dMHEDHrBnZB9o0GK7bGu3tcE0
         g6hl5w190b33Uz7fuvL9MtW9EH1TJ2I8kfbXeJRYxd6qLhdyNtbMbjpuv8YEN2nSAxDv
         bsfDrOHqPgej1IIfbYWUrDPoxooXltPegzGRtdL/f6xPUsG61IrchTIMSy1E8mQPQ53N
         P5eqRcXAraJmA4L8uWsFOAfV7jK4JkEiS3iMNWQrZ1yOqihxrDc4ZjPh07EnoULdvEii
         L2dXGWfNvdoO0qDikzSr4g6i6OqWHrWVWAGcqmsrir4luwrdgKGJyPbSRsAqqcnjMwHa
         HHfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=;
        b=NnFWWmn3gQaTFq3uAA08QMWkHYOk3qmOhW3Q6288YmnimTXmevcoVoRWjCtpA2gTYg
         qJZn4bNtVY9fXXKcGXaSVZCnGUz9JdFHpxsMQUODylfsV45IZFQQyXLWba+BuMDUqUs2
         B6ezDr9FtiVMlN2tv1YGsYMtpv0HsCPin6Q3gRMVFaZNDK/51ergUIQK/E5vUBujdRfq
         IHF3bgayy+cz+oehHNRzg4CtVaGjnKoO9j/9JIHHuvth2wUPr+bGFUOYMX1SWtX/8cfP
         VEKL5mXzhsqD2ASuwGSD/OmlkhsyfYmxfYTOOW1sgNuJZ84xy48x8HbRoO6ElafewNpW
         6jag==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@toxicpanda-com.20150623.gappssmtp.com header.s=20150623 header.b=EuFthRxX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u17si11497769pge.390.2017.11.13.07.58.47;
        Mon, 13 Nov 2017 07:59:00 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@toxicpanda-com.20150623.gappssmtp.com header.s=20150623 header.b=EuFthRxX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753529AbdKMP6A (ORCPT <rfc822;0330sisy@gmail.com> + 88 others);
        Mon, 13 Nov 2017 10:58:00 -0500
Received: from mail-qt0-f195.google.com ([209.85.216.195]:47909 "EHLO
        mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753504AbdKMP54 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Nov 2017 10:57:56 -0500
Received: by mail-qt0-f195.google.com with SMTP id y5so3807022qtk.4
        for <linux-kernel@vger.kernel.org>; Mon, 13 Nov 2017 07:57:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=toxicpanda-com.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=;
        b=EuFthRxXu1kAHPb/NoTZu595lJiJPiMas8hn9ejRBZo+ZQs70m9VhQb/lzbJLSEiZo
         e+47rQrip9vfCe3pm/w2qy81F/8DRaSQZR0Og0dZn9oxXLfJ0iy2AdDK4QVi+pn+/m9K
         kOL8x3Zkdmo/heOaroOSLbHTqUltIYftxkwlLhGbhgPPca0PgjfSUUFMQF5y6q0yz5/t
         VzGogneKgnkN8mqfObKQEHHRhyUZPV+ho/MB4+8Qy54UJG+WpDN8XL8ALHdSRdqPuho+
         PTOLKR7eZY/Ar5KHHltmXxqv2K40gl0mZCPvLuzcyF0v5TtHMqYXKaqRII5zdp/etTZ0
         s0sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=;
        b=g6v0OVoyfbNtO6+R8fzMBejIoknBSpaJcaG/4bgw1yYbeQlepVQjTcsucOKODB46kv
         6mFw52NrIn0FJlJVfpK7xf0MgZt5kqvHxrb0rjNZshBxyYp5DrclpEbweFz+1F3B/I76
         FWkF8PVbWRwAO6B1tI2gbWvtCugW/heZJDNEkWNDFG1qRgT8lUNxEgKUgb6VJ+bf4u8V
         kdMRuAscXBappKup3LFUwuX84spv0rd/vIPslYDgv4RszL7h2OfgtRIyFmdEH17Ov2Nd
         itLWu6jROD8p+InPTQaGJYgaXBSaPyWAO0Y+7f9+yK4XrUXnW6XNcToAa7D/+IZ/kJG9
         FXfQ==
X-Gm-Message-State: AJaThX6Rp+lW9GXyH5iup+168Z+T2KMuR81W47yaxRhUcgtYGmKMNx3l
        0r9vFwfznEsvg8Y4LA79v9CJfA==
X-Received: by 10.200.17.133 with SMTP id d5mr15036937qtj.295.1510588675711;
        Mon, 13 Nov 2017 07:57:55 -0800 (PST)
Received: from localhost (cpe-2606-A000-4381-1201-225-22FF-FEB3-E51A.dyn6.twc.com. [2606:a000:4381:1201:225:22ff:feb3:e51a])
        by smtp.gmail.com with ESMTPSA id w142sm11154131qkw.61.2017.11.13.07.57.54
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 13 Nov 2017 07:57:54 -0800 (PST)
Date:   Mon, 13 Nov 2017 10:57:54 -0500
From:   Josef Bacik <josef@toxicpanda.com>
To:     Ingo Molnar <mingo@kernel.org>
Cc:     Alexei Starovoitov <ast@fb.com>,
        Josef Bacik <josef@toxicpanda.com>, rostedt@goodmis.org,
        mingo@redhat.com, davem@davemloft.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, ast@kernel.org, kernel-team@fb.com,
        daniel@iogearbox.net, Josef Bacik <jbacik@fb.com>
Subject: Re: [PATCH 1/2] bpf: add a bpf_override_function helper
Message-ID: <20171113155752.yhzxm4kpihg4ns65@destiny>
References: <1510086523-8859-1-git-send-email-josef@toxicpanda.com>
 <1510086523-8859-2-git-send-email-josef@toxicpanda.com>
 <20171110093459.w2pvo3ntkwbmgnha@gmail.com>
 <20171110171428.hrw5cpxy4sgzf7mn@destiny>
 <20171111081455.qx4rodxldofbzypb@gmail.com>
 <23fd1b7a-5c7d-8b11-adc5-7e6679b6e61e@fb.com>
 <20171112103824.433mm7caxsuhoj2g@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171112103824.433mm7caxsuhoj2g@gmail.com>
User-Agent: NeoMutt/20170714 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Nov 12, 2017 at 11:38:24AM +0100, Ingo Molnar wrote:
> 
> * Alexei Starovoitov <ast@fb.com> wrote:
> 
> > > One of the major advantages of having an in-kernel BPF sandbox is to never 
> > > crash the kernel - and allowing BPF programs to just randomly modify the 
> > > return value of kernel functions sounds immensely broken to me.
> > > 
> > > (And yes, I realize that kprobes are used here as a vehicle, but the point 
> > > remains.)
> > 
> > yeah. modifying arbitrary function return pushes bpf outside of
> > its safety guarantees and in that sense doing the same
> > override_return could be done from a kernel module if kernel
> > provides the x64 side of the facility introduced by this patch.
> > On the other side adding parts of this feature to the kernel only
> > to be used by external kernel module is quite ugly too and not
> > something that was ever done before.
> > How about we restrict this bpf_override_return() only to the functions
> > which callers expect to handle errors ?
> > We can add something similar to NOKPROBE_SYMBOL(). Like
> > ALLOW_RETURN_OVERRIDE() and on btrfs side mark the functions
> > we're going to test with this feature.
> >
> > Then 'not crashing kernel' requirement will be preserved.
> > btrfs or whatever else we will be testing with override_return
> > will be functioning in 'stress test' mode and if bpf program
> > is not careful and returns error all the time then one particular
> > subsystem (like btrfs) will not be functional, but the kernel
> > will not be crashing.
> > Thoughts?
> 
> Yeah, that approach sounds much better to me: it should be fundamentally be 
> opt-in, and should be documented that it should not be possible to crash the 
> kernel via changing the return value.
> 
> I'd make it a bit clearer in the naming what the purpose of the annotation is: for 
> example would BPF_ALLOW_ERROR_INJECTION() work for you guys? I.e. I think it 
> should generally be used to change actual integer error values - or at most user 
> pointers, but not kernel pointers. Not enforced in a type safe manner, but the 
> naming should give enough hints?
> 
> Such return-injection BFR programs can still totally confuse user-space obviously: 
> for example returning an IO error could corrupt application data - but that's the 
> nature of such facilities and similar results could already be achieved via ptrace 
> as well. But the result of a BPF program should never be _worse_ than ptrace, in 
> terms of kernel integrity.
> 
> Note that with such a safety mechanism in place no kernel message has to be 
> generated either I suspect.
> 
> In any case, my NAK would be lifted with such an approach.
> 

I'm going to want to annotate kmalloc, so it's still going to be possible to
make things go horribly wrong, is this still going to be ok with you?  Obviously
I want to use this for btrfs, but really what I used this for originally was an
NBD problem where I had to do special handling for getting EINTR back from
kernel_sendmsg, which was a pain to trigger properly without this patch.  Opt-in
is going to make it so we're just flagging important function calls anwyay
because those are the ones that fail rarely and that we want to test, which puts
us back in the same situation you are worried about, so it doesn't make much
sense to me to do it this way.  Thanks,

Josef

From 1583856423249027322@xxx Sun Nov 12 10:39:51 +0000 2017
X-GM-THRID: 1583463755336960738
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread