On 10/04/2021 14:30, Greg KH wrote:
On Mon, Mar 29, 2021 at 01:56:53PM +0300, Zidenberg, Tsahi wrote:
arm64 access to userspace addresses in bpf and kprobes is broken, because kernelspace address accessors are always used, and won't work for userspace.
What does not work exactly?
What is broken that is fixed in these changes? I can't seem to understand that as it feels like bpf and kprobes works on 5.4.y unless something broke it?
confused,
greg k-h
The original bug that I was working on: command line parameters don't appear when snooping execve using bpf on arm64. This is true using either osquery (with --enable_bpf_events) or bcc (execsnoop-bpfcc). The reason, it seems, is that in arm64 userspace addresses cannot be accessed with kernelspace accessors. This bug is fixed with Patch 1.
Since Patch 1 added ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, I thought it made sense to check what else uses this config. I did not verify kprobes are also broken in the same way, but it seems likely, and the fix is very small. If only Patch 1 is merged - I'll be happy :)
Thank you! Tsahi.