| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Mar 2021 14:47:40 +0100
From: Jiri Olsa <jolsa@...hat.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Jiri Olsa <jolsa@...nel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andriin@...com>, netdev@...r.kernel.org,
bpf@...r.kernel.org, Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...omium.org>,
Steven Rostedt <rostedt@...dmis.org>
Subject: Re: [PATCH bpf] bpf: Take module reference for ip in module code
On Wed, Mar 24, 2021 at 12:31:42PM +0100, Jiri Olsa wrote:
> On Tue, Mar 23, 2021 at 06:22:37PM -0700, Alexei Starovoitov wrote:
> > On Tue, Mar 23, 2021 at 10:15:33PM +0100, Jiri Olsa wrote:
> > > Currently module can be unloaded even if there's a trampoline
> > > register in it. It's easily reproduced by running in parallel:
> > >
> > > # while :; do ./test_progs -t module_attach; done
> > > # while :; do ./test_progs -t fentry_test; done
> > >
> > > Taking the module reference in case the trampoline's ip is
> > > within the module code. Releasing it when the trampoline's
> > > ip is unregistered.
> > >
> > > Signed-off-by: Jiri Olsa <jolsa@...nel.org>
> > > ---
> > > kernel/bpf/trampoline.c | 32 ++++++++++++++++++++++++++++++++
> > > 1 file changed, 32 insertions(+)
> > >
> > > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> > > index 1f3a4be4b175..f6cb179842b2 100644
> > > --- a/kernel/bpf/trampoline.c
> > > +++ b/kernel/bpf/trampoline.c
> > > @@ -87,6 +87,27 @@ static struct bpf_trampoline *bpf_trampoline_lookup(u64 key)
> > > return tr;
> > > }
> > >
> > > +static struct module *ip_module_get(unsigned long ip)
> > > +{
> > > + struct module *mod;
> > > + int err = 0;
> > > +
> > > + preempt_disable();
> > > + mod = __module_text_address(ip);
> > > + if (mod && !try_module_get(mod))
> > > + err = -ENOENT;
> > > + preempt_enable();
> > > + return err ? ERR_PTR(err) : mod;
> > > +}
> > > +
> > > +static void ip_module_put(unsigned long ip)
> > > +{
> > > + struct module *mod = __module_text_address(ip);
> >
> > Conceptually looks correct, but how did you test it?!
> > Just doing your reproducer:
> > while :; do ./test_progs -t module_attach; done & while :; do ./test_progs -t fentry_test; done
> >
> > I immediately hit:
> > [ 19.461162] WARNING: CPU: 1 PID: 232 at kernel/module.c:264 module_assert_mutex_or_preempt+0x2e/0x40
> > [ 19.477126] Call Trace:
> > [ 19.477464] __module_address+0x28/0xf0
> > [ 19.477865] ? __bpf_trace_bpf_testmod_test_write_bare+0x10/0x10 [bpf_testmod]
> > [ 19.478711] __module_text_address+0xe/0x60
> > [ 19.479156] bpf_trampoline_update+0x2ff/0x470
>
> I don't have lockdep enabled.. ah the module_mutex is held
> during module init, that's why all the code I was using as
> a reference did not take it.. sorry, will fix
ah it's the missing preempt_disable ;-) ok
jirka
>
> >
> > Which points to an obvious bug above.
> >
> > How did you debug it to this module going away issue?
> > Why does test_progs -t fentry_test help to repro?
> > Or does it?
> > It doesn't touch anything in modules.
>
> test_prog also loads/unloads that module, but it could be
> just insmod/rmmod instead, will change
>
> jirka
Powered by blists - more mailing lists