On 01-Apr 17:09, Alexei Starovoitov wrote: > On Sat, Mar 28, 2020 at 5:44 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote: > > +int BPF_PROG(test_int_hook, struct vm_area_struct *vma, > > + unsigned long reqprot, unsigned long prot, int ret) > > +{ > > + if (ret != 0) > > + return ret; > > + > > + __u32 pid = bpf_get_current_pid_tgid() >> 32; > > + int is_heap = 0; > > + > > + is_heap = (vma->vm_start >= vma->vm_mm->start_brk && > > + vma->vm_end <= vma->vm_mm->brk); > > This test fails for me. Trying this from bpf/master: b9258a2cece4 ("slcan: Don't transmit uninitialized stack data in padding") also from bpf-next/master: 1a323ea5356e ("x86: get rid of 'errret' argument to __get_user_xyz() macross") and I am unable to reproduce the failure (the output when using bpf/master): ./test_progs -t test_lsm #70 test_lsm:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED cat /sys/kernel/debug/tracing/trace # tracer: nop # # entries-in-buffer/entries-written: 10/10 #P:4 # # _-----=> irqs-off # / _----=> need-resched # | / _---=> hardirq/softirq # || / _--=> preempt-depth # ||| / delay # TASK-PID CPU# |||| TIMESTAMP FUNCTION # | | | |||| | | true-322 [001] ...2 187.127231: 0: start 7fc7ffccc000 556a623be000 true-322 [001] ...2 187.127238: 0: end 7fc7ffe8c000 556a623be000 true-322 [001] ...2 187.128233: 0: start 7fc7ffe82000 556a623be000 true-322 [001] ...2 187.128237: 0: end 7fc7ffe88000 556a623be000 true-322 [001] ...2 187.128306: 0: start 556a604f7000 556a623be000 true-322 [001] ...2 187.128309: 0: end 556a604f9000 556a623be000 true-322 [001] ...2 187.128372: 0: start 7fc7ffebf000 556a623be000 true-322 [001] ...2 187.128375: 0: end 7fc7ffec1000 556a623be000 test_progs-321 [000] ...2 187.129952: 0: start 55dc6e8df000 55dc6e8df000 test_progs-321 [000] ...2 187.129955: 0: end 55dc6e906000 55dc6e906000 The full run also works for me: ./test_progs [...] #70 test_lsm:OK #71 test_overhead:OK #72 tp_attach_query:OK My config is: https://gist.githubusercontent.com/sinkap/cb24b955e1b6e6c1dc736054a774fb41/raw/ and the kernel commandline is (on a QEMU VM): cat /proc/cmdline console=ttyS0,115200 root=/dev/sda rw nokaslr Could you share your config and cmdline? Also, I am wondering if this happens just in the BPF program or also in the kernel as the other variable I can think of is the compiled bpf program itself which might be reading a different value thinking it's vm->vma_start, possible something to do with BTF / CO RE due to a compiler bug: Here's the version of clang I am using: clang version 10.0.0 (https://github.com/llvm/llvm-project.git 2026d7b80a1a5534b5e263683c85aa95e7593b98) - KP > I've added: > bpf_printk("start %llx %llx\n", vma->vm_start, vma->vm_mm->start_brk); > bpf_printk("end %llx %llx\n", vma->vm_end, vma->vm_mm->brk); > and see > cat /sys/kernel/debug/tracing/trace_pipe > true-2285 [001] ...2 858.717432: 0: start 7f66470a2000 607000 > true-2285 [001] ...2 858.717440: 0: end 7f6647443000 607000 > true-2285 [001] ...2 858.717658: 0: start 7f6647439000 607000 > true-2285 [001] ...2 858.717659: 0: end 7f664743f000 607000 > true-2285 [001] ...2 858.717691: 0: start 605000 607000 > true-2285 [001] ...2 858.717692: 0: end 607000 607000 > true-2285 [001] ...2 858.717700: 0: start 7f6647666000 607000 > true-2285 [001] ...2 858.717701: 0: end 7f6647668000 607000 > test_progs-2283 [000] ...2 858.718030: 0: start 523000 39b9000 > test_progs-2283 [000] ...2 858.718033: 0: end 39e0000 39e0000 > > 523000 is not >= 39b9000. > 523000 is higher than vm_mm->end_data, but lower than vm_mm->start_brk. > No idea why this addr is passed into security_file_mprotect(). > The address user space is passing to mprotect() is 0x39c0000 which is correct. > Could you please help debug?