Re: [PATCH 0/2] fix userspace access on arm64 for linux 5.4

On 10/04/2021 14:30, Greg KH wrote:
> On Mon, Mar 29, 2021 at 01:56:53PM +0300, Zidenberg, Tsahi wrote:
>> arm64 access to userspace addresses in bpf and kprobes is broken,
>> because kernelspace address accessors are always used, and won't work
>> for userspace.
> What does not work exactly?
>
> What is broken that is fixed in these changes?  I can't seem to
> understand that as it feels like bpf and kprobes works on 5.4.y unless
> something broke it?
>
> confused,
>
> greg k-h

The original bug that I was working on: command line parameters don't
appear when snooping execve using bpf on arm64. This is true using
either osquery (with --enable_bpf_events) or bcc (execsnoop-bpfcc).
The reason, it seems, is that in arm64 userspace addresses cannot be
accessed with kernelspace accessors.
This bug is fixed with Patch 1.

Since Patch 1 added ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, I thought
it made sense to check what else uses this config. I did not verify
kprobes are also broken in the same way, but it seems likely, and the
fix is very small. If only Patch 1 is merged - I'll be happy :)

Thank you!
Tsahi.


