[POC 19/23] module/livepatch: Allow to use exported symbols from livepatch module for "vmlinux"

From: Petr Mladek
Date: Fri Jan 17 2020 - 10:04:11 EST

Next message: Petr Mladek: "[POC 23/23] module: Remove obsolete module_disable_ro()"
Previous message: Petr Mladek: "[POC 20/23] module/livepatch: Relocate local variables in the module loaded when the livepatch is being loaded"
In reply to: kbuild test robot: "Re: [POC 20/23] module/livepatch: Relocate local variables in the module loaded when the livepatch is being loaded"
Next in thread: Petr Mladek: "[POC 23/23] module: Remove obsolete module_disable_ro()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

HINT: Get some coffee before reading this commit message.

Stop reading when it gets too complicated. It is possible that we
will need to resolve symbols from livepatch modules another way.
Livepatches need to access also non-exported symbols anyway.

Or just ask me to explain the problem a better way. I have
ended in many cycles when thinking about it. And it might
be much easier from another point of view.

The split per-object livepatches brings even more types of module
dependencies. Let's split them into few categories:

A. Livepatch module using an exported symbol from "vmlinux".

It is quite common and works by definition. Livepatch module is just
a module from this point of view.

B. Livepatch module using an exported symbol from the patched module.

It should be avoided even with the non-split livepatch module. The module
loader automatically takes reference to make sure the modules are
unloaded in the right order. This would basically prevent the livepatched
module from unloading.

Note that it would be perfectly safe to remove this automatic
dependency. The livepatch framework makes sure that the livepatch
module is loaded only when the patched one is loaded. But it cannot
be implemented easily, see below.

C. Livepatch module using an exported symbol from the main livepatch module
for "vmlinux".

It is the 2nd most realistic variant. It even exists in current
selftests. Namely, test_klp_callback_demo* modules share
the implementation of callbacks. It avoids code duplication.
And it is actually needed to make module parameters working.

Note that the current implementation allows to pass module parameters
only to the main livepatch module for "vmlinux". It should not be a real
life problem. The parameters are used in selftests. But they are
not used in practice.

D. Livepatch modules might depend on each other. Note that dependency on
the main livepatch module for "vmlinux" has got a separate category 'C'.

The dependencies between modules are quite rare. But they exist.
One can assume that this might be useful also on the livepatching
level.

To keep it sane, the livepatch modules should just follow
the dependencies of the related patched modules. By other words,
the livepatch modules might or should have the same dependencies
as the patched counter parts but nothing more.

Do these dependencies need some special handling?

Yes, the livepatch module load might get blocked in the following
situations:

1. Recursion caused by dependency of type B:

If a livepatch module uses a symbol from the patched module and
the livepatch module is loaded by klp_module_coming().
The module loader will then automatically try to load the patched module
once again while it is blocked in the klp_module_coming() callback
and STATE_COMING.

2. Recursion caused by dependency of type C:

Livepatch for "vmlinux" loads other livepatch modules from
klp_enabled_patch() in mod->init(). If any of these other
modules use symbol from the main module for "vmlinux" the module
loaded will automatically try to load the main module once
again. The first instance is waiting in klp_enable_patch()
and STATE_COMING.

3. Deadlock caused by dependency of type D:

Random dependencies between livepatch and patched modules might
create a cycle. It need not be obvious and detected by the existing
code because some dependencies are created by livepatching code.
It loads the livepatches automatically for patched modules.

What can be done?

First, put aside the problems with random dependencies of type D:

They are not much realistic. Livepatches follow upstream changes.
As a result livepatch modules should have the same of less
dependencies than the related patched modules.

Note that the existing code is able to handle non-cyclic dependencies
between livepatch modules. The module loader is able to load more
modules in parallel. Also klp_add_object() can be called more times
in parallel.

Second, let's look more at the recursion problems. They might cause
deadlock on two locations in the module loader:

i. The recursive instance waits in add_unformed_module() until the first
instance reaches STATE_LIVE. But this never happens because the first
instance waits until the recursive instance finishes.

ii. resolve_symbol() wants to get reference of the module where
the symbol comes from. But strong_try_module_get() refuses
to get reference when the module is still in STATE_COMING.
It does not want to block removing the module when the load
eventually fails later.

Is it possible to avoid the recursion?

1. It might be possible to avoid calling exported symbols directly
from the livepatch. For example, using kallsyms lookup. Or some
special relocation. This would require some extra action when
preparing the livepatchi.

2. Hide these dependencies to depmod and the module loader. This
would require changes in the user space tools.

And what about breaking the cycle?

It seems acceptable to return immediately from the nested load
if we are able to guarantee:

+ The recursion is clearly caused by one the of above described
livepatch dependency type.

+ The code from affected modules will be used only after the modules
are successfully loaded in the end.

+ The modules will get unloaded when there are other errors
on the way.

+ The original caller will get the right error code. By other
words, only the automatically triggered loads will be finished
prematurely.

OK, this patch provides the solution for the dependency of type C. It is when
other livepatch modules use symbols from the livepatch module for vmlinux.

The recursive load returns -EEXIST immediately when the recursive module
tries to load the same livepatch that is already being loaded. It is
safe because:

+ Only one livepatch can be enabled at a time. Any attempt to enable
another livepatch would return -EBUSY.

+ The livepatch module for "vmlinux" is never loaded automatically
because of any dependency. Other livepatch modules for other objects
might depend on it but the module for "vmlinux" must always be loaded
explicitly by the system administrator.

By other words, the recursion of the livepatch module for "vmlinux" that
is just being enabled is always caused by dependency of type C.
The recursive instance can and actually must return immediately. It will
allow to proceed. The entire operation will succeed only when the outer
load succeeds.

But there is still the problem that strong_try_module_get() could
not get reference. Isn't it?

Yes, it is solved by not taking references from livepatch modules.
The reference is needed to make sure that the module will not get
removed prematurely. But this is guaranteed by the livepatch code:

+ Livepatch module for "vmlinux" is always loaded first.

+ Livepatch modules for other objects can't be loaded before
the module for "vmlinux" is loaded, see the checks
in klp_add_object().

+ Livepatch module is always loaded and removed automatically
together with the patched module. The dependencies between
the patched modules are enough as long as the dependencies
of livepatch modules are symmetric.

Finally. dependency of type B will still cause deadlock. It happens
when a livepatch module uses a symbols from the patched module.
It cannot be solved easily because:

+ The patched module is loaded recursively (not the livepatch one).
There is no clear way how to make sure that the recursive
module load is the one triggered by "modprobe" called from
klp_module_coming().

As a result, -EEXIST might be returned also to modprobe
called by the user. It would force the user to double
check that the patched module has really been loaded.

+ If the above problem is not fixed then the result from
modprobe is not reliable. The livepatch code might need
to double check that request_module() really added the
klp_object into the related klp_patch structure.

Signed-off-by: Petr Mladek <pmladek@xxxxxxxx>
---
include/linux/livepatch.h | 2 ++
kernel/livepatch/core.c | 16 ++++++++++++++++
kernel/module.c | 16 ++++++++++++++++
3 files changed, 34 insertions(+)

diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h
index 4afb7f3a5a36..4776deb7418c 100644
--- a/include/linux/livepatch.h
+++ b/include/linux/livepatch.h
@@ -207,6 +207,7 @@ int klp_add_object(struct klp_object *);
void arch_klp_init_object_loaded(struct klp_object *obj);

/* Called from the module loader during module coming/going states */
+bool klp_break_recursion(struct module *mod);
int klp_module_coming(struct module *mod);
void klp_module_going(struct module *mod);

@@ -244,6 +245,7 @@ struct klp_state *klp_get_prev_state(unsigned long id);

#else /* !CONFIG_LIVEPATCH */

+static inline bool klp_break_recursion(struct module *mod) { return false; }
static inline int klp_module_coming(struct module *mod) { return 0; }
static inline void klp_module_going(struct module *mod) {}
static inline bool klp_patch_pending(struct task_struct *task) { return false; }
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 6d4ec7642908..9e00871fbc06 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1416,6 +1416,22 @@ static bool klp_is_object_module_alive(const char *patch_name,
return alive;
}

+bool klp_break_recursion(struct module *mod)
+{
+ bool ret = false;
+
+ if (!mod->klp)
+ return false;
+
+ mutex_lock(&klp_mutex);
+ if (klp_loading_patch &&
+ !strcmp(klp_loading_patch->obj->mod->name, mod->name))
+ ret = true;
+ mutex_unlock(&klp_mutex);
+
+ return ret;
+}
+
int klp_module_coming(struct module *mod)
{
char patch_name[MODULE_NAME_LEN];
diff --git a/kernel/module.c b/kernel/module.c
index ac45d465ff23..bd92854b42c2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -867,6 +867,13 @@ int ref_module(struct module *a, struct module *b)
{
int err;

+ /*
+ * Livepatch modules have their own dependency handling.
+ * Implicit dependencies might cause cycles.
+ */
+ if (is_livepatch_module(a))
+ return 0;
+
if (b == NULL || already_uses(a, b))
return 0;

@@ -3730,6 +3737,15 @@ static int add_unformed_module(struct module *mod)

/* Wait in case it fails to load. */
mutex_unlock(&module_mutex);
+
+ /*
+ * Livepatch modules might use exported symbols from vmlinux.
+ * It creates automatic dependencies and recursive module load.
+ * Livepatch core handles the consistency on its own.
+ */
+ if (klp_break_recursion(mod))
+ return -EEXIST;
+
err = wait_event_interruptible(module_wq,
finished_loading(mod->name));
if (err)
--
2.16.4

Next message: Petr Mladek: "[POC 23/23] module: Remove obsolete module_disable_ro()"
Previous message: Petr Mladek: "[POC 20/23] module/livepatch: Relocate local variables in the module loaded when the livepatch is being loaded"
In reply to: kbuild test robot: "Re: [POC 20/23] module/livepatch: Relocate local variables in the module loaded when the livepatch is being loaded"
Next in thread: Petr Mladek: "[POC 23/23] module: Remove obsolete module_disable_ro()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]