bpf/progs/bpf_mod_race.c

*46565696SKumar Kartikeya Dwivedi// SPDX-License-Identifier: GPL-2.0
*46565696SKumar Kartikeya Dwivedi#include <vmlinux.h>
*46565696SKumar Kartikeya Dwivedi#include <bpf/bpf_helpers.h>
*46565696SKumar Kartikeya Dwivedi#include <bpf/bpf_tracing.h>
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivediconst volatile struct {
*46565696SKumar Kartikeya Dwivedi	/* thread to activate trace programs for */
*46565696SKumar Kartikeya Dwivedi	pid_t tgid;
*46565696SKumar Kartikeya Dwivedi	/* return error from __init function */
*46565696SKumar Kartikeya Dwivedi	int inject_error;
*46565696SKumar Kartikeya Dwivedi	/* uffd monitored range start address */
*46565696SKumar Kartikeya Dwivedi	void *fault_addr;
*46565696SKumar Kartikeya Dwivedi} bpf_mod_race_config = { -1 };
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivediint bpf_blocking = 0;
*46565696SKumar Kartikeya Dwivediint res_try_get_module = -1;
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivedistatic __always_inline bool check_thread_id(void)
*46565696SKumar Kartikeya Dwivedi{
*46565696SKumar Kartikeya Dwivedi	struct task_struct *task = bpf_get_current_task_btf();
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivedi	return task->tgid == bpf_mod_race_config.tgid;
*46565696SKumar Kartikeya Dwivedi}
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivedi/* The trace of execution is something like this:
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * finit_module()
*46565696SKumar Kartikeya Dwivedi *   load_module()
*46565696SKumar Kartikeya Dwivedi *     prepare_coming_module()
*46565696SKumar Kartikeya Dwivedi *       notifier_call(MODULE_STATE_COMING)
*46565696SKumar Kartikeya Dwivedi *         btf_parse_module()
*46565696SKumar Kartikeya Dwivedi *         btf_alloc_id()		// Visible to userspace at this point
*46565696SKumar Kartikeya Dwivedi *         list_add(btf_mod->list, &btf_modules)
*46565696SKumar Kartikeya Dwivedi *     do_init_module()
*46565696SKumar Kartikeya Dwivedi *       freeinit = kmalloc()
*46565696SKumar Kartikeya Dwivedi *       ret = mod->init()
*46565696SKumar Kartikeya Dwivedi *         bpf_prog_widen_race()
*46565696SKumar Kartikeya Dwivedi *           bpf_copy_from_user()
*46565696SKumar Kartikeya Dwivedi *             ...<sleep>...
*46565696SKumar Kartikeya Dwivedi *       if (ret < 0)
*46565696SKumar Kartikeya Dwivedi *         ...
*46565696SKumar Kartikeya Dwivedi *         free_module()
*46565696SKumar Kartikeya Dwivedi * return ret
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * At this point, module loading thread is blocked, we now load the program:
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * bpf_check
*46565696SKumar Kartikeya Dwivedi *   add_kfunc_call/check_pseudo_btf_id
*46565696SKumar Kartikeya Dwivedi *     btf_try_get_module
*46565696SKumar Kartikeya Dwivedi *       try_get_module_live == false
*46565696SKumar Kartikeya Dwivedi *     return -ENXIO
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * Without the fix (try_get_module_live in btf_try_get_module):
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * bpf_check
*46565696SKumar Kartikeya Dwivedi *   add_kfunc_call/check_pseudo_btf_id
*46565696SKumar Kartikeya Dwivedi *     btf_try_get_module
*46565696SKumar Kartikeya Dwivedi *       try_get_module == true
*46565696SKumar Kartikeya Dwivedi *     <store module reference in btf_kfunc_tab or used_btf array>
*46565696SKumar Kartikeya Dwivedi *   ...
*46565696SKumar Kartikeya Dwivedi * return fd
*46565696SKumar Kartikeya Dwivedi *
*46565696SKumar Kartikeya Dwivedi * Now, if we inject an error in the blocked program, our module will be freed
*46565696SKumar Kartikeya Dwivedi * (going straight from MODULE_STATE_COMING to MODULE_STATE_GOING).
*46565696SKumar Kartikeya Dwivedi * Later, when bpf program is freed, it will try to module_put already freed
*46565696SKumar Kartikeya Dwivedi * module. This is why try_get_module_live returns false if mod->state is not
*46565696SKumar Kartikeya Dwivedi * MODULE_STATE_LIVE.
*46565696SKumar Kartikeya Dwivedi */
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya DwivediSEC("fmod_ret.s/bpf_fentry_test1")
*46565696SKumar Kartikeya Dwivediint BPF_PROG(widen_race, int a, int ret)
*46565696SKumar Kartikeya Dwivedi{
*46565696SKumar Kartikeya Dwivedi	char dst;
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivedi	if (!check_thread_id())
*46565696SKumar Kartikeya Dwivedi		return 0;
*46565696SKumar Kartikeya Dwivedi	/* Indicate that we will attempt to block */
*46565696SKumar Kartikeya Dwivedi	bpf_blocking = 1;
*46565696SKumar Kartikeya Dwivedi	bpf_copy_from_user(&dst, 1, bpf_mod_race_config.fault_addr);
*46565696SKumar Kartikeya Dwivedi	return bpf_mod_race_config.inject_error;
*46565696SKumar Kartikeya Dwivedi}
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya DwivediSEC("fexit/do_init_module")
*46565696SKumar Kartikeya Dwivediint BPF_PROG(fexit_init_module, struct module *mod, int ret)
*46565696SKumar Kartikeya Dwivedi{
*46565696SKumar Kartikeya Dwivedi	if (!check_thread_id())
*46565696SKumar Kartikeya Dwivedi		return 0;
*46565696SKumar Kartikeya Dwivedi	/* Indicate that we finished blocking */
*46565696SKumar Kartikeya Dwivedi	bpf_blocking = 2;
*46565696SKumar Kartikeya Dwivedi	return 0;
*46565696SKumar Kartikeya Dwivedi}
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya DwivediSEC("fexit/btf_try_get_module")
*46565696SKumar Kartikeya Dwivediint BPF_PROG(fexit_module_get, const struct btf *btf, struct module *mod)
*46565696SKumar Kartikeya Dwivedi{
*46565696SKumar Kartikeya Dwivedi	res_try_get_module = !!mod;
*46565696SKumar Kartikeya Dwivedi	return 0;
*46565696SKumar Kartikeya Dwivedi}
*46565696SKumar Kartikeya Dwivedi
*46565696SKumar Kartikeya Dwivedichar _license[] SEC("license") = "GPL";