Received: by 10.223.164.202 with SMTP id h10csp2147072wrb; Sun, 12 Nov 2017 02:39:52 -0800 (PST) X-Google-Smtp-Source: AGs4zMYYEBaDlQloKx13rwX3IXSN1B35DzqkdVIypiufBwmCkspLRP1j5i/z33T40/O1AhhpObwW X-Received: by 10.101.100.77 with SMTP id s13mr5514460pgv.15.1510483191852; Sun, 12 Nov 2017 02:39:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510483191; cv=none; d=google.com; s=arc-20160816; b=sukrEbIEPaAfUFv3+tim3vzSWRYwgpp2HoEhvNRKQJ/UaDTvHgfh12hh75AsEL/9rB rUNVkPNQZViBGH4wOn7H7BaMtCDm43bFY/y0mG6gJYINOLvxl+lmoQjamE13HuPc1+5V 8qJF+KPXOWtWRoCy29seZv5sHoCZyuuiean/jioG48ixCOTm9PAj0AjWg35r/2KirRSe 6Ih2StuLm1t7zImrqt1L5TgQz/JBtg7s9iOpZphwJ2A0c0CU92h7wYSoFvJfzQcviKG/ LHYqGvYuR5setEJDc87erFx/3UuM9xsK7v1psRfDr8ZjKwpfS7mgFFa0zS25rFz1zagF mG1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=F/bZ7boCFS5P8F2nzx2ny1p082D64bq2xq0Dl+vSSv8=; b=z5Vsaun6TWuyzKS05WcVm7DTy6KJtpOoZsQtQAyURmi2pkKd2th7yDSBntqgoTHICs 21Izn5FIafJrf7baq8MBaXAaahEpTrtrxxwsL2Ic0TndMTGBqVP8dVoX7W1Q48yASZhV Ak186py1MPz4Psvf7I627EvB/c+TQEl04s6jhDcWbgEGkK2/BT/aLgLppWyLidIR6p35 3AGV3qw88epTh35afTtONkM61Hr7gNj3xXfDjDcCUfR1heCQvu06c5ntYzR/ID8jVz/7 xlOzSVmDlpTADmLqjSIMWPR8q0DCXKoBY8X9p5GZD5Ktrhb7HjSjF5tpE5UK+2HytqcZ wrfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=Es4/R0Zu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3si12599443pli.43.2017.11.12.02.39.28; Sun, 12 Nov 2017 02:39:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=Es4/R0Zu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750869AbdKLKic (ORCPT + 87 others); Sun, 12 Nov 2017 05:38:32 -0500 Received: from mail-wm0-f50.google.com ([74.125.82.50]:53537 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750704AbdKLKi3 (ORCPT ); Sun, 12 Nov 2017 05:38:29 -0500 Received: by mail-wm0-f50.google.com with SMTP id g141so9894125wmg.2; Sun, 12 Nov 2017 02:38:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=F/bZ7boCFS5P8F2nzx2ny1p082D64bq2xq0Dl+vSSv8=; b=Es4/R0ZuXELPZxDxUWiw5FFPTsByVIuA37wQwT8y2IdQababnmBQhIj8L3xXnAHcXJ NZgIkliXlehzNhFlp/6BfBteUcvUZtxfXYgXUZvV9BE/9MeWG8fiIoI+491V7gglqEpf w+tZ+s8sA5hZXCEjiOXFSv6V9g8xtDbcgge6dLjvDL+Kd/NdjTypZyh4NwQeHQQViWhy G/nyujF2WnKgLWruoDA07qOAuXZVRFni8RhAdJ749CRJq7ioj4ORaJ9TJWLDWXjC/b5i q6spZBIEZrClt0CTgikOsbzrbSFboNSGE/VTjnGXSMINbLTwymeY46WS2vN2cIaS80DK cqdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=F/bZ7boCFS5P8F2nzx2ny1p082D64bq2xq0Dl+vSSv8=; b=Np3zBfz4fRJ1X4eDpc/bQTBS8OVPQsSX4Kd+jm6O3SJZsCCtJ871GoJ99iTI5/MVGE a8roKdhZps0+RtmraNAfe+DHarqS1I+i0GuEN+ZMMTkD2aY6kg0ll1FHQ6uhF+3ZJVIh axPP+iAgLKb1jvUKiz8cRVO79OBi5dBgDg+EuuBmC8K+rgxX3abnYpQa/qaeFUACpSJA EshODcoa38IZGVWYTnTdIQ8MMbrg9vUN7Vu8KksBgpHoDkhP4czag5rye0LatRZJd5QD w/S1+oG2Edrzk9krRzwqj63CTPyDBQimDsXL1S2y/4djUw4ZGeX5PShsh45LZxlQIk3m T2uQ== X-Gm-Message-State: AJaThX4PRCG/epC/wTDINFXdpefJgFh3ukKswXRtPg5jdwF35ieqQnd+ QyNPFS/MbqQO5qoBufbXda4= X-Received: by 10.28.218.14 with SMTP id r14mr3681312wmg.14.1510483107675; Sun, 12 Nov 2017 02:38:27 -0800 (PST) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id v23sm2079971wmh.8.2017.11.12.02.38.26 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 12 Nov 2017 02:38:26 -0800 (PST) Date: Sun, 12 Nov 2017 11:38:24 +0100 From: Ingo Molnar To: Alexei Starovoitov Cc: Josef Bacik , rostedt@goodmis.org, mingo@redhat.com, davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ast@kernel.org, kernel-team@fb.com, daniel@iogearbox.net, Josef Bacik Subject: Re: [PATCH 1/2] bpf: add a bpf_override_function helper Message-ID: <20171112103824.433mm7caxsuhoj2g@gmail.com> References: <1510086523-8859-1-git-send-email-josef@toxicpanda.com> <1510086523-8859-2-git-send-email-josef@toxicpanda.com> <20171110093459.w2pvo3ntkwbmgnha@gmail.com> <20171110171428.hrw5cpxy4sgzf7mn@destiny> <20171111081455.qx4rodxldofbzypb@gmail.com> <23fd1b7a-5c7d-8b11-adc5-7e6679b6e61e@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <23fd1b7a-5c7d-8b11-adc5-7e6679b6e61e@fb.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Alexei Starovoitov wrote: > > One of the major advantages of having an in-kernel BPF sandbox is to never > > crash the kernel - and allowing BPF programs to just randomly modify the > > return value of kernel functions sounds immensely broken to me. > > > > (And yes, I realize that kprobes are used here as a vehicle, but the point > > remains.) > > yeah. modifying arbitrary function return pushes bpf outside of > its safety guarantees and in that sense doing the same > override_return could be done from a kernel module if kernel > provides the x64 side of the facility introduced by this patch. > On the other side adding parts of this feature to the kernel only > to be used by external kernel module is quite ugly too and not > something that was ever done before. > How about we restrict this bpf_override_return() only to the functions > which callers expect to handle errors ? > We can add something similar to NOKPROBE_SYMBOL(). Like > ALLOW_RETURN_OVERRIDE() and on btrfs side mark the functions > we're going to test with this feature. > > Then 'not crashing kernel' requirement will be preserved. > btrfs or whatever else we will be testing with override_return > will be functioning in 'stress test' mode and if bpf program > is not careful and returns error all the time then one particular > subsystem (like btrfs) will not be functional, but the kernel > will not be crashing. > Thoughts? Yeah, that approach sounds much better to me: it should be fundamentally be opt-in, and should be documented that it should not be possible to crash the kernel via changing the return value. I'd make it a bit clearer in the naming what the purpose of the annotation is: for example would BPF_ALLOW_ERROR_INJECTION() work for you guys? I.e. I think it should generally be used to change actual integer error values - or at most user pointers, but not kernel pointers. Not enforced in a type safe manner, but the naming should give enough hints? Such return-injection BFR programs can still totally confuse user-space obviously: for example returning an IO error could corrupt application data - but that's the nature of such facilities and similar results could already be achieved via ptrace as well. But the result of a BPF program should never be _worse_ than ptrace, in terms of kernel integrity. Note that with such a safety mechanism in place no kernel message has to be generated either I suspect. In any case, my NAK would be lifted with such an approach. Thanks, Ingo From 1583842032885975307@xxx Sun Nov 12 06:51:08 +0000 2017 X-GM-THRID: 1583463755336960738 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread