On Fri, Jun 12, 2020 at 07:13:49PM +0900, Masami Hiramatsu wrote:
> On Thu, 11 Jun 2020 15:32:40 +0100
> Daniel Thompson <daniel.thomp...@linaro.org> wrote:
>
> > On Thu, Jun 11, 2020 at 09:42:09PM +0900, Masami Hiramatsu wrote:
> > > On Fri, 5 Jun 2020 16:29:53 +0200
> > > Peter Zijlstra <pet...@infradead.org> wrote:
> > >
> > > > On Fri, Jun 05, 2020 at 02:21:26PM +0100, Daniel Thompson wrote:
> > > > > kgdb has traditionally adopted a no safety rails approach to
> > > > > breakpoint
> > > > > placement. If the debugger is commanded to place a breakpoint at an
> > > > > address then it will do so even if that breakpoint results in kgdb
> > > > > becoming inoperable.
> > > > >
> > > > > A stop-the-world debugger with memory peek/poke does intrinsically
> > > > > provide its operator with the means to hose their system in all manner
> > > > > of exciting ways (not least because stopping-the-world is already a
> > > > > DoS
> > > > > attack ;-) ) but the current no safety rail approach is not easy to
> > > > > defend, especially given kprobes provides us with plenty of machinery
> > > > > to
> > > > > mark parts of the kernel where breakpointing is discouraged.
> > > > >
> > > > > This patchset introduces some safety rails by using the existing
> > > > > kprobes infrastructure. It does not cover all locations where
> > > > > breakpoints can cause trouble but it will definitely block off several
> > > > > avenues, including the architecture specific parts that are handled by
> > > > > arch_within_kprobe_blacklist().
> > > > >
> > > > > This patch is an RFC because:
> > > > >
> > > > > 1. My workstation is still chugging through the compile testing.
> > > > >
> > > > > 2. Patch 4 needs more runtime testing.
> > > > >
> > > > > 3. The code to extract the kprobe blacklist code (patch 4 again) needs
> > > > > more review especially for its impact on arch specific code.
> > > > >
> > > > > To be clear I do plan to do the detailed review of the kprobe
> > > > > blacklist
> > > > > stuff but would like to check the direction of travel first since the
> > > > > change is already surprisingly big and maybe there's a better way to
> > > > > organise things.
> > > >
> > > > Thanks for doing these patches, esp 1-3 look very good to me.
> > > >
> > > > I've taken the liberty to bounce the entire set to Masami-San, who is
> > > > the kprobes maintainer for comments as well.
> > >
> > > Thanks Peter to Cc me.
> > >
> > > Reusing kprobe blacklist is good to me as far as it doesn't expand it
> > > only for kgdb. For example, if a function which can cause a recursive
> > > trap issue only when the kgdb puts a breakpoint, it should be covered
> > > by kgdb blacklist, or we should make a "noinstr-list" including
> > > both :)
> >
> > Recursion is what focuses the mind but I don't think we'd need
> > recursion for there to be problems.
> >
> > For example taking a kprobe trap whilst executing the kgdb trap handler
> > (or vice versa) is already likely to be fragile and is almost certainly
> > untested on most or all architectures.
>
> Ah, OK. Actually, on x86 that is not a problem (it can handle recursive int3
> if software handles it correctly), but other arch may not accept it.
> Hmm, then using NOKPROBE_SYMBOL() is reasonable.
>
> > Further if I understood Peter's
> > original nudge correctly then, in addition, x86 plans to explicitly
> > prohibit this anyway.
> >
> > On other words I think there will only be one blacklist.
>
> Agreed.
>
> > > Thus, Nack for PATCH 4/4, that seems a bit selfish change. If kgdb wants
> > > to use the "kprobes blacklist", we should make CONFIG_KGDB depending on
> > > CONFIG_KPROBES.
> >
> > Some of the architectures currently have kgdb support but do not have
> > kprobes...
>
> "depends on KPROBES if HAVE_KPROBES" ? :-)
I'm personally be OK with something like:
#ifndef CONFIG_KGDB_ALLOW_UNSAFE_BREAKPOINTS
if (within_kprobe_blacklist())
...
#endif
And then setup Kconfig so that KGDB_ALLOW_UNSAFE_BREAKPOINTS
defaults to n and add a extra check to put a warning in dmesg
that breakpoints are disabled.
> (Anyway, it is a good chance to port kprobe on such arch...)
I like kprobes very much... but not quite enough to want to
implement it on architectures I don't use ;-).
Daniel.
_______________________________________________
Kgdb-bugreport mailing list
Kgdb-bugreport@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kgdb-bugreport
