Received: by 10.223.164.202 with SMTP id h10csp384397wrb; Mon, 13 Nov 2017 07:59:00 -0800 (PST) X-Google-Smtp-Source: AGs4zMaEZCz8G7CROvLpECx4ehE6m53zqEroXiH4rzjPBayVsrpERHqpCsTnxCaeAdpBhpETnnqY X-Received: by 10.84.210.237 with SMTP id a100mr9211552pli.177.1510588740600; Mon, 13 Nov 2017 07:59:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510588740; cv=none; d=google.com; s=arc-20160816; b=wQLdRiLsvkXXZWGEUfKlA8H09MNYVnyxA4PdOogF/dMHEDHrBnZB9o0GK7bGu3tcE0 g6hl5w190b33Uz7fuvL9MtW9EH1TJ2I8kfbXeJRYxd6qLhdyNtbMbjpuv8YEN2nSAxDv bsfDrOHqPgej1IIfbYWUrDPoxooXltPegzGRtdL/f6xPUsG61IrchTIMSy1E8mQPQ53N P5eqRcXAraJmA4L8uWsFOAfV7jK4JkEiS3iMNWQrZ1yOqihxrDc4ZjPh07EnoULdvEii L2dXGWfNvdoO0qDikzSr4g6i6OqWHrWVWAGcqmsrir4luwrdgKGJyPbSRsAqqcnjMwHa HHfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=; b=NnFWWmn3gQaTFq3uAA08QMWkHYOk3qmOhW3Q6288YmnimTXmevcoVoRWjCtpA2gTYg qJZn4bNtVY9fXXKcGXaSVZCnGUz9JdFHpxsMQUODylfsV45IZFQQyXLWba+BuMDUqUs2 B6ezDr9FtiVMlN2tv1YGsYMtpv0HsCPin6Q3gRMVFaZNDK/51ergUIQK/E5vUBujdRfq IHF3bgayy+cz+oehHNRzg4CtVaGjnKoO9j/9JIHHuvth2wUPr+bGFUOYMX1SWtX/8cfP VEKL5mXzhsqD2ASuwGSD/OmlkhsyfYmxfYTOOW1sgNuJZ84xy48x8HbRoO6ElafewNpW 6jag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@toxicpanda-com.20150623.gappssmtp.com header.s=20150623 header.b=EuFthRxX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u17si11497769pge.390.2017.11.13.07.58.47; Mon, 13 Nov 2017 07:59:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@toxicpanda-com.20150623.gappssmtp.com header.s=20150623 header.b=EuFthRxX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753529AbdKMP6A (ORCPT + 88 others); Mon, 13 Nov 2017 10:58:00 -0500 Received: from mail-qt0-f195.google.com ([209.85.216.195]:47909 "EHLO mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753504AbdKMP54 (ORCPT ); Mon, 13 Nov 2017 10:57:56 -0500 Received: by mail-qt0-f195.google.com with SMTP id y5so3807022qtk.4 for ; Mon, 13 Nov 2017 07:57:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=; b=EuFthRxXu1kAHPb/NoTZu595lJiJPiMas8hn9ejRBZo+ZQs70m9VhQb/lzbJLSEiZo e+47rQrip9vfCe3pm/w2qy81F/8DRaSQZR0Og0dZn9oxXLfJ0iy2AdDK4QVi+pn+/m9K kOL8x3Zkdmo/heOaroOSLbHTqUltIYftxkwlLhGbhgPPca0PgjfSUUFMQF5y6q0yz5/t VzGogneKgnkN8mqfObKQEHHRhyUZPV+ho/MB4+8Qy54UJG+WpDN8XL8ALHdSRdqPuho+ PTOLKR7eZY/Ar5KHHltmXxqv2K40gl0mZCPvLuzcyF0v5TtHMqYXKaqRII5zdp/etTZ0 s0sA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Du4gKjc1SKlbiaK9K8gT+1Pvsgwrc4+wRV4EMOUz4aQ=; b=g6v0OVoyfbNtO6+R8fzMBejIoknBSpaJcaG/4bgw1yYbeQlepVQjTcsucOKODB46kv 6mFw52NrIn0FJlJVfpK7xf0MgZt5kqvHxrb0rjNZshBxyYp5DrclpEbweFz+1F3B/I76 FWkF8PVbWRwAO6B1tI2gbWvtCugW/heZJDNEkWNDFG1qRgT8lUNxEgKUgb6VJ+bf4u8V kdMRuAscXBappKup3LFUwuX84spv0rd/vIPslYDgv4RszL7h2OfgtRIyFmdEH17Ov2Nd itLWu6jROD8p+InPTQaGJYgaXBSaPyWAO0Y+7f9+yK4XrUXnW6XNcToAa7D/+IZ/kJG9 FXfQ== X-Gm-Message-State: AJaThX6Rp+lW9GXyH5iup+168Z+T2KMuR81W47yaxRhUcgtYGmKMNx3l 0r9vFwfznEsvg8Y4LA79v9CJfA== X-Received: by 10.200.17.133 with SMTP id d5mr15036937qtj.295.1510588675711; Mon, 13 Nov 2017 07:57:55 -0800 (PST) Received: from localhost (cpe-2606-A000-4381-1201-225-22FF-FEB3-E51A.dyn6.twc.com. [2606:a000:4381:1201:225:22ff:feb3:e51a]) by smtp.gmail.com with ESMTPSA id w142sm11154131qkw.61.2017.11.13.07.57.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Nov 2017 07:57:54 -0800 (PST) Date: Mon, 13 Nov 2017 10:57:54 -0500 From: Josef Bacik To: Ingo Molnar Cc: Alexei Starovoitov , Josef Bacik , rostedt@goodmis.org, mingo@redhat.com, davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ast@kernel.org, kernel-team@fb.com, daniel@iogearbox.net, Josef Bacik Subject: Re: [PATCH 1/2] bpf: add a bpf_override_function helper Message-ID: <20171113155752.yhzxm4kpihg4ns65@destiny> References: <1510086523-8859-1-git-send-email-josef@toxicpanda.com> <1510086523-8859-2-git-send-email-josef@toxicpanda.com> <20171110093459.w2pvo3ntkwbmgnha@gmail.com> <20171110171428.hrw5cpxy4sgzf7mn@destiny> <20171111081455.qx4rodxldofbzypb@gmail.com> <23fd1b7a-5c7d-8b11-adc5-7e6679b6e61e@fb.com> <20171112103824.433mm7caxsuhoj2g@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171112103824.433mm7caxsuhoj2g@gmail.com> User-Agent: NeoMutt/20170714 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Nov 12, 2017 at 11:38:24AM +0100, Ingo Molnar wrote: > > * Alexei Starovoitov wrote: > > > > One of the major advantages of having an in-kernel BPF sandbox is to never > > > crash the kernel - and allowing BPF programs to just randomly modify the > > > return value of kernel functions sounds immensely broken to me. > > > > > > (And yes, I realize that kprobes are used here as a vehicle, but the point > > > remains.) > > > > yeah. modifying arbitrary function return pushes bpf outside of > > its safety guarantees and in that sense doing the same > > override_return could be done from a kernel module if kernel > > provides the x64 side of the facility introduced by this patch. > > On the other side adding parts of this feature to the kernel only > > to be used by external kernel module is quite ugly too and not > > something that was ever done before. > > How about we restrict this bpf_override_return() only to the functions > > which callers expect to handle errors ? > > We can add something similar to NOKPROBE_SYMBOL(). Like > > ALLOW_RETURN_OVERRIDE() and on btrfs side mark the functions > > we're going to test with this feature. > > > > Then 'not crashing kernel' requirement will be preserved. > > btrfs or whatever else we will be testing with override_return > > will be functioning in 'stress test' mode and if bpf program > > is not careful and returns error all the time then one particular > > subsystem (like btrfs) will not be functional, but the kernel > > will not be crashing. > > Thoughts? > > Yeah, that approach sounds much better to me: it should be fundamentally be > opt-in, and should be documented that it should not be possible to crash the > kernel via changing the return value. > > I'd make it a bit clearer in the naming what the purpose of the annotation is: for > example would BPF_ALLOW_ERROR_INJECTION() work for you guys? I.e. I think it > should generally be used to change actual integer error values - or at most user > pointers, but not kernel pointers. Not enforced in a type safe manner, but the > naming should give enough hints? > > Such return-injection BFR programs can still totally confuse user-space obviously: > for example returning an IO error could corrupt application data - but that's the > nature of such facilities and similar results could already be achieved via ptrace > as well. But the result of a BPF program should never be _worse_ than ptrace, in > terms of kernel integrity. > > Note that with such a safety mechanism in place no kernel message has to be > generated either I suspect. > > In any case, my NAK would be lifted with such an approach. > I'm going to want to annotate kmalloc, so it's still going to be possible to make things go horribly wrong, is this still going to be ok with you? Obviously I want to use this for btrfs, but really what I used this for originally was an NBD problem where I had to do special handling for getting EINTR back from kernel_sendmsg, which was a pain to trigger properly without this patch. Opt-in is going to make it so we're just flagging important function calls anwyay because those are the ones that fail rarely and that we want to test, which puts us back in the same situation you are worried about, so it doesn't make much sense to me to do it this way. Thanks, Josef From 1583856423249027322@xxx Sun Nov 12 10:39:51 +0000 2017 X-GM-THRID: 1583463755336960738 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread