New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(driver): fix potential deadlock #1629
Conversation
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
Please double check driver/API_VERSION file. See versioning. /hold |
LGTM label has been added. Git tree hash: 0153e4deaeaa7ba976b741c7eebf6afb5633c7bb
|
/hold |
https://github.com/falcosecurity/libs/actions/runs/7573675028 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of remarks:
- The function f_proc_startupdate(), in this same file, has the same logic, and needs the same fix. In fact, it is the code in f_proc_startupdate() that is causing the problem at the customer site.
- I also checked to see if the BPF code has the same logic. But in that code, there is just a comment that says "Basic file permission check -- may not work in all cases, cannot inspect in eBPF". I guess it is possible to have the kernel module do the same thing as the eBPF logic? Because we are trying to move customers to eBPF, and if this safer approach is good enough in eBPF, maybe it is good enough for the kernel module too?
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
Ops, I missed the other function. Sorry! Just fixed. |
Thanks @jcpittman144 ! We are actually doing this in two different places, makes sense. Re. the eBPF code: I believe the approach we use in the kmod for this kind of things should work better because we are in a position to use locks, while with eBPF we are more limited (read only, no loops...) and we sometimes need to implement workarounds. @therealbobo : were you able to test if the flag behaves properly after your latest patch? Thanks! |
Hey @LucaGuerra! Sorry for the delay 😅 I just tested the new patch and it works correctly! 😄 |
Kernel tests are finally fixed; going to run them against this branch ;) |
ARM64:
AMD64:
No changes from master. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: f419b49af1a9d2113a82df26eff1ded87eb061a0
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, LucaGuerra, therealbobo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@therealbobo can you bump the patch API_VERSION? |
why do we need to bump the API_VERSION? we are not touching the userspace-driver APIs 🤔 |
I think we decided to always bump driver versioning even for this kind of changes. |
uhm IIRC we never did it :/ it seems like we are in this case:
More in detail:
IMO these kinds of changes don't touch the API/DRIVER versions but if we need to tag a new driver version they cause a patch increase in the overall driver version |
oh it always confuses me, thanks! |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area driver-kmod
Does this PR require a change in the driver versions?
What this PR does / why we need it:
Kernels < 3.1.0 doesn't support the
exe_writable
flags due to theMAY_NOT_BLOCK
not being available. This limitation is related to the fact that thef_sched_prog_exec
function is in a RCU critical section: this means that this function (and its callee) MUST NOT call functions that can yield the processor (e.g.inode_permission
that deep down in its call stack calls a down_read()). This is addressed after the Kernel 3.1.0 where the MAY_OT_BLOCK flag is introduced and avoids the processor to being yield.Given all of that does make sense to avoid filling the
exe_writable
flag in Kernels <3.1.0.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: