From bab72af9a5d5d9f715c351cdc5de51eabc3f7727 Mon Sep 17 00:00:00 2001
From: "Mahadasyam, Shashank (SGC)" <shashank.mahadasyam@sony.com>
Date: Mon, 18 Aug 2025 01:03:39 +0900
Subject: [PATCH] vma: introduce --allow-uprobes option

This commit teaches criu to deal with processes which have a "[uprobes]" vma.

This vma is mapped by the kernel when execution hits a uprobe location. This
is done so as to execute the uprobe'd instruciton out-of-line in the special
vma. The uprobe'd location is replaced by a software breakpoint instruction,
which is int3 on x86. When execution reaches that location, control is
transferred over to the kernel, which then executes whatever handler code
it has to, for the uprobe, and then executed the replaced instruction out-of-line
in the special vma. For more details, refer to this commit:
https://github.com/torvalds/linux/commit/d4b3b6384f98f8692ad0209891ccdbc7e78bbefe

Reason for adding a new option
------------------------------

A new option is added instead of making the uprobes vma handling transparent
to the user, so that when a dump is attempted on a process tree in which a
process has the uprobes vma, criu will error, asking the user to use this option.
This gives the user a chance to check what uprobes are attached to the processes
being dumped, and try to ensure that those uprobes are active on restore as well.

Again, the same reason for requiring this option on restore as well. Because
if a process is dumped with an active uprobe, and on restore if the uprobe
is not active, then if execution reaches the uprobe location, then the process
will be sent a SIGTRAP, whose default behaviour will terminate and core dump
the process. This is because the code pages are dumped with the software
breakpoint instruction replacement at the uprobe'd locations. On restore, if
execution reaches these locations and the kernel sees no associated active
uprobes, then it'll send a SIGTRAP.

So, using this option is on dump and restore is an implicit guarantee on the
user's behalf that they'll take care of the active uprobes and that any future
SIGTRAPs because of this are not on us! :)

Handling uprobes vma on dump
----------------------------

We don't need to store any information about the uprobes vma because it's
completely handled by the kernel, transparent to userspace. So, when a uprobes
vma is detected, we check if the --allow-uprobes option was specified or not.
If so, then the allow_uprobes boolean in the inventory image is set (this is
used on restore). The uprobes vma is skipped from being added to the vma list.

Handling uprobes vma on restore
-------------------------------

If allow_uprobes is set in the inventory image, then check if --allow-uprobes
is specified or not. Restoring the vma is not required.

Fixes: checkpoint-restore#1961
Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
---
 criu/config.c             |  2 ++
 criu/cr-dump.c            |  4 ++++
 criu/crtools.c            |  2 ++
 criu/image.c              |  5 +++++
 criu/include/cr_options.h |  1 +
 criu/include/image.h      |  2 ++
 criu/include/proc_parse.h |  2 ++
 criu/proc_parse.c         | 24 +++++++++++++++++++++++-
 images/inventory.proto    |  1 +
 9 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/criu/config.c b/criu/config.c
index 1322a490a..d7ef3f8e8 100644
--- a/criu/config.c
+++ b/criu/config.c
@@ -18,6 +18,7 @@
 #include "cr_options.h"
 #include "filesystems.h"
 #include "file-lock.h"
+#include "image.h"
 #include "irmap.h"
 #include "mount.h"
 #include "mount-v2.h"
@@ -703,6 +704,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 		BOOL_OPT("mntns-compat-mode", &opts.mntns_compat_mode),
 		BOOL_OPT("unprivileged", &opts.unprivileged),
 		BOOL_OPT("ghost-fiemap", &opts.ghost_fiemap),
+		BOOL_OPT(OPT_ALLOW_UPROBES, &opts.allow_uprobes),
 		{},
 	};
 
diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 10c485cbe..60b8e793c 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -2319,6 +2319,10 @@ int cr_dump_tasks(pid_t pid)
 		goto err;
 
 	he.has_pre_dump_mode = false;
+	if (found_uprobes_vma()) {
+		he.has_allow_uprobes = true;
+		he.allow_uprobes = true;
+	}
 
 	ret = write_img_inventory(&he);
 	if (ret)
diff --git a/criu/crtools.c b/criu/crtools.c
index 509e73d74..203bded81 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -427,6 +427,8 @@ usage:
 	       "                        can be 'nftables' or 'iptables' (default).\n"
 	       "  --unprivileged        accept limitations when running as non-root\n"
 	       "                        consult documentation for further details\n"
+	       "  --allow-uprobes       allow dump/restore with uprobes vma\n"
+	       "                        consult documentation for further details\n"
 	       "\n"
 	       "* External resources support:\n"
 	       "  --external RES        dump objects from this list as external resources:\n"
diff --git a/criu/image.c b/criu/image.c
index f3747d6ff..c4f05e159 100644
--- a/criu/image.c
+++ b/criu/image.c
@@ -95,6 +95,11 @@ int check_img_inventory(bool restore)
 		goto out_err;
 	}
 
+	if (restore && he->allow_uprobes && !opts.allow_uprobes) {
+		pr_err("Dumped with --" OPT_ALLOW_UPROBES ". Need to set it on restore as well.\n");
+		goto out_err;
+	}
+
 	if (restore) {
 		if (!he->has_network_lock_method) {
 			/*
diff --git a/criu/include/cr_options.h b/criu/include/cr_options.h
index 4df8056b7..8c5707b41 100644
--- a/criu/include/cr_options.h
+++ b/criu/include/cr_options.h
@@ -196,6 +196,7 @@ struct cr_options {
 	char *work_dir;
 	int network_lock_method;
 	int skip_file_rwx_check;
+	int allow_uprobes;
 
 	/*
 	 * When we scheduler for removal some functionality we first
diff --git a/criu/include/image.h b/criu/include/image.h
index b5951d3d4..b06dbf706 100644
--- a/criu/include/image.h
+++ b/criu/include/image.h
@@ -114,6 +114,8 @@
 
 #define CR_PARENT_LINK "parent"
 
+#define OPT_ALLOW_UPROBES "allow-uprobes"
+
 extern bool ns_per_id;
 extern bool img_common_magic;
 
diff --git a/criu/include/proc_parse.h b/criu/include/proc_parse.h
index 0bd79bf55..76d3242d2 100644
--- a/criu/include/proc_parse.h
+++ b/criu/include/proc_parse.h
@@ -105,4 +105,6 @@ extern int parse_uptime(uint64_t *upt);
 
 extern int parse_timens_offsets(struct timespec *boff, struct timespec *moff);
 
+extern bool found_uprobes_vma(void);
+
 #endif /* __CR_PROC_PARSE_H__ */
diff --git a/criu/proc_parse.c b/criu/proc_parse.c
index d7eb25662..0d3b5b23f 100644
--- a/criu/proc_parse.c
+++ b/criu/proc_parse.c
@@ -74,6 +74,8 @@ struct buffer {
 
 static struct buffer __buf;
 static char *buf = __buf.buf;
+/* only ever goes from false to true, if at all */
+static bool uprobes_vma_exists = false;
 
 /*
  * This is how AIO ring buffers look like in proc
@@ -202,8 +204,11 @@ static void parse_vma_vmflags(char *buf, struct vma_area *vma_area)
 	 * vmsplice doesn't work for VM_IO and VM_PFNMAP mappings, the
 	 * only exception is VVAR area that mapped by the kernel as
 	 * VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP
+	 *
+	 * The uprobes vma is also mapped by the kernel with VM_IO, among other flags
 	 */
-	if (io_pf && !vma_area_is(vma_area, VMA_AREA_VVAR) && !vma_entry_is(vma_area->e, VMA_FILE_SHARED))
+	if (io_pf && !vma_area_is(vma_area, VMA_AREA_VVAR) && !vma_entry_is(vma_area->e, VMA_FILE_SHARED)
+		  && !vma_area_is(vma_area, VMA_AREA_UPROBES))
 		vma_area->e->status |= VMA_UNSUPP;
 
 	if (vma_area->e->madv)
@@ -603,6 +608,14 @@ static int handle_vma(pid_t pid, struct vma_area *vma_area, const char *file_pat
 			goto err;
 	} else if (!strcmp(file_path, "[heap]")) {
 		vma_area->e->status |= VMA_AREA_REGULAR | VMA_AREA_HEAP;
+	} else if (!strcmp(file_path, "[uprobes]")) {
+		uprobes_vma_exists = true;
+		if (!opts.allow_uprobes) {
+			pr_err("PID %d has uprobes vma. Consider using --" OPT_ALLOW_UPROBES ".\n",
+				pid);
+			goto err;
+		}
+		vma_area->e->status |= VMA_AREA_UPROBES;
 	} else {
 		vma_area->e->status = VMA_AREA_REGULAR;
 	}
@@ -739,6 +752,10 @@ static int vma_list_add(struct vma_area *vma_area, struct vm_area_list *vma_area
 		 */
 		pr_debug("Device file mapping %016" PRIx64 "-%016" PRIx64 " supported via device plugins\n",
 			 vma_area->e->start, vma_area->e->end);
+	} else if (vma_area->e->status & VMA_AREA_UPROBES) {
+		pr_debug("Skipping uprobes vma %016" PRIx64 "-%016" PRIx64 "\n", vma_area->e->start,
+		         vma_area->e->end);
+		return 0;
 	} else if (vma_area->e->status & VMA_UNSUPP) {
 		pr_err("Unsupported mapping found %016" PRIx64 "-%016" PRIx64 "\n", vma_area->e->start,
 		       vma_area->e->end);
@@ -2929,3 +2946,8 @@ int parse_uptime(uint64_t *upt)
 	fclose(f);
 	return 0;
 }
+
+bool found_uprobes_vma(void)
+{
+	return uprobes_vma_exists;
+}
diff --git a/images/inventory.proto b/images/inventory.proto
index 1e18815bb..feed5b850 100644
--- a/images/inventory.proto
+++ b/images/inventory.proto
@@ -33,4 +33,5 @@ message inventory_entry {
 	// This is currently used to delete the correct nftables
 	// network locking rule.
 	optional string                 dump_criu_run_id        = 13;
+	optional bool			allow_uprobes	= 14;
 }