Received: by 10.223.185.111 with SMTP id b44csp611857wrg; Fri, 9 Mar 2018 10:16:44 -0800 (PST) X-Google-Smtp-Source: AG47ELsBuo1newmAMAVZkWdKWbQD1gXGMH7Mnpw0X290Hl2h7rNCBayKbkfmPhiRE5ss6P6I8P0J X-Received: by 2002:a17:902:8691:: with SMTP id g17-v6mr16704023plo.7.1520619404024; Fri, 09 Mar 2018 10:16:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520619403; cv=none; d=google.com; s=arc-20160816; b=CQMEDQdziczcHLUoOvHQjpkvA8Jce6McrNx5LTgB+AwTbwoCXCzSD390fxLvFeCRXY eueHpG6yhHAJs0PdYc4BF/dUelC8kZSVTGRIzUfzvVD0eRP+JOQ2GTutLDpR+sIzMYs7 JlRf6x4bf/V+qa9rCpeWMglkcfkaizWD+uMvtYekfSa/105uKwHHKoy9xsPZGmatIazi cm6NTU8ZqqTE2hWb5NazlvhA10MEICM+AHsxV9GQIhvzmOpJn1kSH/f2CCz+ZKWKwwEZ mzCtvveSa+Lpd0PQwePsjZptweiucaoD/J0l4rUB5QwUfa8h3FKyIS3VkAgGmMG0FBag o/TQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date :arc-authentication-results; bh=RQJ/aKC2EO/ms0z9UJ666CM9Zt3qzZcVQgIqgVRsq4U=; b=0ErGGQgEF+gjhl2O5qbBga4MsufMDr8MHMR08O4mVkf0TBWxtsls2fE/TsfxPAl3ym zn7WVZx79NST5Ys4IlFA25+ll+G4quMNa+kSH2s1kxOG1mMKt1D+DTnLS4Z8DzCZQtrT r0jrKxdnPknr133V0TdPBfdfAcFwFygwFDST8Sui0XAzhwgh9ylApgn47oznAPrKOEBn z2gl6nogAGGi53BGedm5hNCRMjEuR4q+i02flDorOWJwvWZndY4BDsOLyZmlASO9F6F1 +qkSYBYk9pSYiF0NybDtJDw7x/Quxvu3MZ3UI2J7FEj4Q2UfzDUjVWcSn1xASsgvmPDl b+Pg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k15si1227423pfi.174.2018.03.09.10.16.29; Fri, 09 Mar 2018 10:16:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932494AbeCISP2 (ORCPT + 99 others); Fri, 9 Mar 2018 13:15:28 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:46166 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932206AbeCISP0 (ORCPT ); Fri, 9 Mar 2018 13:15:26 -0500 Received: from localhost (unknown [185.236.200.248]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id AEC8DF07; Fri, 9 Mar 2018 18:15:25 +0000 (UTC) Date: Fri, 9 Mar 2018 10:15:27 -0800 From: Greg KH To: Alexei Starovoitov Cc: Andy Lutomirski , Linus Torvalds , Kees Cook , Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries Message-ID: <20180309181527.GA15803@kroah.com> References: <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <6d2e31fa-d87b-fea6-c919-b7d066bb0385@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 09, 2018 at 09:32:36AM -0800, Alexei Starovoitov wrote: > On 3/9/18 8:24 AM, Andy Lutomirski wrote: > > On Fri, Mar 9, 2018 at 3:39 PM, Alexei Starovoitov wrote: > > > On 3/9/18 7:16 AM, Andy Lutomirski wrote: > > > > > > > > > > > > On Mar 8, 2018, at 9:08 PM, Alexei Starovoitov wrote: > > > > > > > > > > > > On 3/8/18 7:54 PM, Andy Lutomirski wrote: > > > > > > > > > > > > > > > > > > > > > > > > > On Mar 8, 2018, at 7:06 PM, Linus Torvalds > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > Honestly, that "read twice" thing may be what scuttles this. > > > > > > > Initially, I thought it was a non-issue, because anybody who controls > > > > > > > the module subdirectory enough to rewrite files would be in a position > > > > > > > to just execute the file itself directly instead. > > > > > > > > > > > > > > > > > > On further consideration, I think there’s another showstopper. This > > > > > > patch is a potentially severe ABI break. Right now, loading a module > > > > > > *copies* it into memory and does not hold a reference to the underlying fs. > > > > > > With the patch applied, all kinds of use cases can break in gnarly ways. > > > > > > Initramfs is maybe okay, but initrd may be screwed. If you load an ET_EXEC > > > > > > module from initrd, then umount it, then clear the ramdisk, something will > > > > > > go horribly wrong. Exactly what goes wrong depends on whether userspace > > > > > > notices that umount() failed. Similarly, if you load one of these modules > > > > > > over a network and then lose your connection, you have a problem. > > > > > > > > > > > > > > > there is not abi breakage and file cannot disappear from running task. > > > > > One cannot umount fs while file is still being used. > > > > > > > > > > > > Sure it is. Without your patch, init_module doesn’t keep using the > > > > file, so it’s common practice to load a module and then delete or > > > > unmount it. With your patch, the unmount case breaks. This is likely > > > > to break existing userspace, so, in Linux speak it’s an ABI break. > > > > > > > > > please read the patch again. > > > file is only used in case of umh modules. > > > There is zero difference in default case. > > > > Say I'm running some distro or other working Linux setup. I upgrade > > my kernel to a kernel that uses umh modules. The user tooling > > generates some kind of boot entry that references the new kernel > > image, and it also generates a list of modules to be loaded at various > > times in the boot process. This list might, and probably should, > > include one or more umh modules. (You are being very careful to make > > sure that depmod keeps working, so umh modules are clearly intended to > > work with existing tooling.) So now I have a kernel image and some > > modules to be loaded from various places. And I have an init script > > (initramfs's '/init' or similar) that will call init_module() on that > > .ko file. That script was certainly written under the assumption > > that, once init_module() returns, the kernel is done with the .ko > > file. With your patch applied, that assumption is no longer true. > > There is no intent to use umh modules during boot process. For _your_ use case, yes. For mine and Andy's and someone else's in the future, it might be :) You are creating a very generic, new, user/kernel api that a whole bunch of people are going to want to use. Let's not hamper the ability for us all to use this right from the beginning please. > This is not a replacement for drivers and kernel modules. > From your earlier comments regarding usb driver as umh module > I suspect you're assuming that everything will sooner or later > will convert to umh model. We have userspace drivers for USB today, being able to drag that out-of-tree codebase into the kernel is a _HUGE_ bonus, and something that I would love to do for a lot of reasons. I also can see moving some of our existing in-kernel drivers out of the kernel in a way that provides "it just works" functionality by using this type of feature. So again, please don't prevent us from using this, otherwise you should be just calling this "bpf_usermode_helper" :) Oh, and for the record, I like Andy's proposal as well as dumping this into a kernel module "blob" with the exception that this now would take up unswapable memory, which isn't the nicest and is one big reason we removed the in-kernel-memory firmware blobs many years ago. thanks, greg k-h