On Tue, 20 Aug 2024 12:17:31 +0200 Jiri Olsa <olsajiri@xxxxxxxxx> wrote: > > Could it be possible that the verifier could add to the exception table for > > all accesses to tracepoint arguments? Then if there's a NULL pointer > > dereference, the kernel will not crash but the exception can be sent to the > > user space process instead? That is, it sends SIGSEV to the task accessing > > NULL when it shouldn't. > > hm, but that would mean random process that would happened to trigger > the tracepoint would segfault, right? I don't think we can do that Better than a kernel crash, isn't it? I thought the guarantee of BPF was not to ever crash the kernel. Crashing user space may be bad, but not always fatal, and something that can be fixed by fixng the BPF program that was loaded. > > it seems better to teach verifier which tracepoint arguments can be NULL > and deny load of the bpf program that would not check such argument properly These are not mutually exclusive. I think you want both. Adding annotation is going to be a whack-a-mole game as new tracepoints will always be created with new possibly NULL parameters and even old tracepoints can add that too. There's nothing to stop that. The exception table logic will prevent any missed checks from causing a kernel crash, and your annotations will keep user space from crashing. -- Steve
