On Tue, 19 Feb 2019 14:03:30 -0500 Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> > > Basically, a kprobe is mostly used for debugging what's happening in a
> > > live kernel, to read any address.
> >
> > My point is that "any address" is not sufficient to begin with. You
> > need "kernel or user".
> >
> > Having a flag for what _kind_ of kernel address is ok might then be
> > required for other cases if they might not be ok with following page
> > tables to IO space..
> >
>
> Good point. Looks like we should add a new flag for kprobe
> trace parameters, that tell kprobes if the address is expected to be
> user or kernel. That would be good regardless of the duplicate
> meanings, as we could use copy_from_user without touching KERNEL_DS, if
> the probe argument specifically states "this is user space". For
> example, when probing do_sys_open, and you want to read what path string
> was passed into the kernel.
>
> Masami, thoughts?

Let me ensure what you want. So you want to access a "string" in
user-space, not a data structure? In that case, it is very easy for me.
It is enough to add a "ustring" type to kprobe events. For example,
do_sys_open's path variable is one example. That will be
+0(+0(%si)):ustring, and the fetcher finally copies the string using
strncpy_from_user() instead of strncpy_from_unsafe(). (*)

But if you consider accessing a field in a data structure in user space,
it might need some more work (e.g. ioctl's parameter), because if the
__user pointer to the data structure is on the memory, we have to
dereference the address inside the kernel using probe_kernel_read(), but
after getting the data structure address, we have to dereference the
address with copy_from_user(). At this moment, we have no such strong
syntax...

To solve that, maybe we need to introduce something like a "back
reference" of arguments in the event, e.g.

p somewhere user_data=+0(%si) field_val=+8(\user_data):u32:user

or

p somewhere +0(%si) field_val=+8(\1):u32:user

This ":user" additional suffix tells kprobe events to change the fetching
method to fetch the data by copy_from_user().

(*) BTW, there is another concern about using _from_user APIs in kprobe.
Might those APIs sleep??

Thank you,

-- 
Masami Hiramatsu <mhiramat@xxxxxxxxxx>
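Added example, not code from this thread or from the kernel: a small Python model of the fetch-method question raised above. It parses kprobe argument expressions as written in the mail, including the proposed `\NAME`/`\N` back-reference and `:user` suffix (which are assumptions taken from the proposal, not implemented kprobe syntax), and assigns each dereference level its accessor: every intermediate pointer is a kernel read, and only the final step may use a user-space accessor. It assumes a 64-bit kernel (8-byte pointers).

```python
import re

# Constructed model of the argument syntax discussed in the thread:
# [NAME=]EXPR[:TYPE][:user], EXPR = %REG | \BACKREF | +|-OFFS(EXPR). ':user' and \BACKREF are proposal only.
ARG_RE = re.compile(r'^(?:(?P<name>\w+)=)?(?P<expr>.+?)(?::(?P<type>[a-z0-9]+))?(?::(?P<user>user))?$')
DEREF_RE = re.compile(r'^([+-]\d+)\((.*)\)$')
SIZES = {'u8': 1, 'u16': 2, 'u32': 4, 'u64': 8, 's8': 1, 's16': 2, 's32': 4, 's64': 8}

def parse_expr(expr):
    """Peel nested +OFFS(...) wrappers; return the base token and offsets inner-to-outer."""
    offsets = []
    while (m := DEREF_RE.match(expr)):
        offsets.append(int(m.group(1)))
        expr = m.group(2)
    return expr, offsets[::-1]

def plan_arg(arg, earlier):
    """Return (name, accessor steps); `earlier` resolves \\NAME or \\N back-references."""
    m = ARG_RE.match(arg)
    if not m:
        raise ValueError(f'unparsable argument: {arg}')
    base, offsets = parse_expr(m['expr'])
    typ = m['type'] or 'u64'
    if base.startswith('%'):
        steps = [f'register {base}']
    elif base.startswith('\\') and base[1:] in earlier:
        steps = [f'reuse value of {base[1:]}']
    else:
        raise ValueError(f'unknown base {base!r} in {arg}')
    # Every intermediate pointer is read from kernel memory (8-byte pointer: 64-bit assumption).
    steps += [f'probe_kernel_read(addr{off:+d}, 8)' for off in offsets[:-1]]
    final = f'addr{offsets[-1]:+d}' if offsets else 'value'
    if typ == 'ustring':          # final copy is a user-space string
        steps.append(f'strncpy_from_user({final})')
    elif typ == 'string':         # final copy is a kernel-space string
        steps.append(f'strncpy_from_unsafe({final})')
    elif offsets and m['user']:   # proposed ':user': the last dereference reads user memory
        steps.append(f'copy_from_user({final}, {SIZES[typ]})')
    elif offsets:
        steps.append(f'probe_kernel_read({final}, {SIZES[typ]})')
    return m['name'], steps

def plan_event(args):
    """Plan every argument of one event line; later args may back-reference earlier ones."""
    plans, earlier = {}, {}
    for i, arg in enumerate(args, 1):
        name, steps = plan_arg(arg, earlier)
        name = name or f'arg{i}'
        plans[name] = earlier[name] = earlier[str(i)] = steps
    return plans
```

Running `plan_event(['user_data=+0(%si)', 'field_val=+8(\\user_data):u32:user'])` shows the two-phase access the mail describes: a kernel read to obtain the __user pointer, then a copy_from_user at the field offset.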