Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1975245imm;
        Thu, 7 Jun 2018 03:28:14 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKI4WU/vdDRy4Y3HblixmIi+n8tDbS623hcz6fXmj6P+xmryPjBk9igRSGBSY4kmzrhnrq1/
X-Received: by 2002:a62:f407:: with SMTP id r7-v6mr1233027pff.47.1528367294353;
        Thu, 07 Jun 2018 03:28:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528367294; cv=none;
        d=google.com; s=arc-20160816;
        b=E0cfmoFp7SLgCpQPTDajhocGCGRvATO5rPDV2xAbhmhAODSMQ0yNA4VprVdNAI6mVd
         FYW4Ntu90eVejRzrN9s/6zvg5XM2MKTQIfV4/ULcPxBF3ttavPRaiFaHqS0NH23rJjas
         paXOsYQTW+Di4R5pys1LzP8u1K+mBeHIe5yXsJtwgtXB8zOleYAlUtmzaYSfl9AICKmL
         r/qDkPFDxs/xNBpvD4kojqsNr7yMdhjbvL+gcDXfwxLGhrTwDxKZFaicapAKDSvoWkdS
         qwjwGXXPah20X+ck4Ab4hH3/eb2jaUcWTITOFqp1yH8zXOgT2I6l6SPp5yxzYL3QG7JJ
         MKcQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=9Xigf//LxT5p7Tr+CUVqUJXhIgnz2J+XXLeUtBHbxVo=;
        b=sF1I7bvNiQALVo3mE1MrJZnzeF2zdzmdDMJBb3rF26HH3OODY7i/FM64JgyKUbT8dc
         EDpngKM/aJhDJPqtT4KLAOS3DWEOeHwAk0V2dHUfj1PjinwrlSX7jlEMaBwDkRv9d76M
         w2WSpV/Ct1mqfsMpAO22fg9R2RCjNCUnkeE5/3pPj/9y+lhlZDKNmKWMVT0PaZs/DHuZ
         RLXBwx++QJ+cq11MefLqDTcCj70Q5b++MQ9e2xhXMl0tcDRmmiDo+msvG5QPI5KSlcWw
         pmBg0tagUrONZaRMLwWVcTEa8tQo5+tyowBOVxj1GvfU6nIg5kf7dP9ueeefFtm9c/3O
         RjeA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g8-v6si42082322pgv.151.2018.06.07.03.27.59;
        Thu, 07 Jun 2018 03:28:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932129AbeFGJad (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Thu, 7 Jun 2018 05:30:33 -0400
Received: from mx2.suse.de ([195.135.220.15]:54615 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753001AbeFGJ3x (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Jun 2018 05:29:53 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext-too.suse.de [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id 571C0AEF5;
        Thu,  7 Jun 2018 09:29:52 +0000 (UTC)
From:   Miroslav Benes <mbenes@suse.cz>
To:     jikos@kernel.org, jpoimboe@redhat.com, jeyu@kernel.org
Cc:     pmladek@suse.com, live-patching@vger.kernel.org,
        linux-kernel@vger.kernel.org, Miroslav Benes <mbenes@suse.cz>
Subject: [PATCH 2/3] livepatch: Deny the patched modules to be removed
Date:   Thu,  7 Jun 2018 11:29:48 +0200
Message-Id: <20180607092949.1706-3-mbenes@suse.cz>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180607092949.1706-1-mbenes@suse.cz>
References: <20180607092949.1706-1-mbenes@suse.cz>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Josh reported a bug:

  When the object to be patched is a module, and that module is
  rmmod'ed and reloaded, it fails to load with:

  module: x86/modules: Skipping invalid relocation target, existing value is nonzero for type 2, loc 00000000ba0302e9, val ffffffffa03e293c
  livepatch: failed to initialize patch 'livepatch_nfsd' for module 'nfsd' (-8)
  livepatch: patch 'livepatch_nfsd' failed for module 'nfsd', refusing to load module 'nfsd'

  The livepatch module has a relocation which references a symbol
  in the _previous_ loading of nfsd. When apply_relocate_add()
  tries to replace the old relocation with a new one, it sees that
  the previous one is nonzero and it errors out.

  On ppc64le, we have a similar issue:

  module_64: livepatch_nfsd: Expected nop after call, got e8410018 at e_show+0x60/0x548 [livepatch_nfsd]
  livepatch: failed to initialize patch 'livepatch_nfsd' for module 'nfsd' (-8)
  livepatch: patch 'livepatch_nfsd' failed for module 'nfsd', refusing to load module 'nfsd'

He also proposed three different solutions. We could remove the error
check in apply_relocate_add() introduced by commit eda9cec4c9a1
("x86/module: Detect and skip invalid relocations"). However the check
is useful for detecting corrupted modules.

We could also reverse the relocation patching (clear all relocation
targets on x86_64, or return back nops on powerpc) in
klp_unpatch_object(). The solution is not universal and is too much
arch-specific.

We decided to deny the patched modules to be removed. If it proves to be
a major drawback for users, we can still implement a different approach.

The reference of a patched module has to be taken regardless of a
patch's state. Thus it is not taken and dropped in enable/disable paths,
but in register/unregister paths.

The new behaviour should not collide with mod->klp_alive variable.

Reported-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
---
 kernel/livepatch/core.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 36eb5cf38766..2fa9eaee7bb5 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -645,6 +645,10 @@ static void klp_free_object_loaded(struct klp_object *obj)
 {
 	struct klp_func *func;
 
+	/*
+	 * Drop the reference from klp_init_object_loaded()
+	 */
+	module_put(obj->mod);
 	obj->mod = NULL;
 
 	klp_for_each_func(obj, func)
@@ -663,6 +667,9 @@ static void klp_free_objects_limited(struct klp_patch *patch,
 	for (obj = patch->objs; obj->funcs && obj != limit; obj++) {
 		klp_free_funcs_limited(obj, NULL);
 		kobject_put(&obj->kobj);
+
+		if (klp_is_module(obj) && klp_is_object_loaded(obj))
+			module_put(obj->mod);
 	}
 }
 
@@ -739,6 +746,14 @@ static int klp_init_object_loaded(struct klp_patch *patch,
 		}
 	}
 
+	/*
+	 * Do not allow patched modules to be removed.
+	 *
+	 * All callers of klp_init_object_loaded() set obj->mod.
+	 */
+	if (klp_is_module(obj) && !try_module_get(obj->mod))
+		return -ENODEV;
+
 	return 0;
 }
 
@@ -984,7 +999,7 @@ int klp_module_coming(struct module *mod)
 			if (ret) {
 				pr_warn("pre-patch callback failed for object '%s'\n",
 					obj->name);
-				goto err;
+				goto err_after_init;
 			}
 
 			ret = klp_patch_object(obj);
@@ -993,7 +1008,7 @@ int klp_module_coming(struct module *mod)
 					patch->mod->name, obj->mod->name, ret);
 
 				klp_post_unpatch_callback(obj);
-				goto err;
+				goto err_after_init;
 			}
 
 			if (patch != klp_transition_patch)
@@ -1007,6 +1022,11 @@ int klp_module_coming(struct module *mod)
 
 	return 0;
 
+err_after_init:
+	/*
+	 * Drop the reference from klp_init_object_loaded().
+	 */
+	module_put(obj->mod);
 err:
 	/*
 	 * If a patch is unsuccessfully applied, return
-- 
2.17.0