On Wed, Apr 21, 2021 at 04:05:32PM +0300, Zidenberg, Tsahi wrote:
In arm64, kernelspace address accessors cannot be used to access userspace addresses, which means bpf_probe_read{,str}() cannot access userspace addresses. That causes e.g. command-line parameters to not appear when snooping execve using bpf.
Again, this really feels like a new feature, not a regression or bugfix at all. And in looking at these patches, that feeling really gets stronger.
This patch series takes the upstream solution. This solution also changes user API in the following ways:
- Add probe_read_{user, kernel}{,_str} bpf helpers
- Add skb_output helper to the enum only (calling it not supported)
- Add support for %pks, %pus specifiers
An alternative fix only takes the required logic to existing API without adding new API, was suggested here: https://www.spinics.net/lists/stable/msg454945.html
Another option is to only take patches [1-4] of this patchset, and add on top of them commit 8d92db5c04d1 ("bpf: rework the compat kernel probe handling"). In that case, the last patch would require function renames and conflict resolutions that were avoided in this patchset by pulling patches [5-7].
The other option is to move your system to a newer kernel release that has this new feature, right? :)
What prevents you from doing that today? What bug is this solving that worked in previous kernel releases and was broken in 5.4.y?
thanks,
greg k-h