Date: Mon, 17 Jul 2023 17:27:57 +0200
From: Michal Hocko
To: Jean Delvare
Cc: Luis Chamberlain, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] module: print module name on refcount error
In-Reply-To: <20230717171428.1b229215@endymion.delvare>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon 17-07-23 17:14:28, Jean Delvare wrote:
> If module_put() triggers a refcount error, and the module data is
> still readable, include the culprit module name in the warning
> message, to ease further investigation of the issue.
>
> If the module name can't be read, this means the module has already
> been removed while references to it still exist. This is a
> use-after-free situation, so report it as such.
>
> Signed-off-by: Jean Delvare
> Suggested-by: Michal Hocko
> Cc: Luis Chamberlain
> ---
> Hi Luis, this is a different approach to my initial proposal. We no
> longer assume that struct module is still available and instead check
> that the expected module name string is a valid string before printing
> it.
>
> This is safer, and lets us print a better diagnostics message: include
> the module name if struct module is still there (the most likely case
> IMHO, as rmmod is a relatively rare operation) else explicitly report a
> use after free.
>
> The downside is that this requires more code, but I think it's worth
> it. What do you think?

Quite honestly, I do not think that extra code is worth the risk. If the
module could have been removed then we are in a bigger problem and
trying to do some cosmetic checks doesn't help all that much IMHO. It is
a good idea to cap the name to MODULE_NAME_LEN to be bound on a garbage
output.

> > kernel/module/main.c | 31 ++++++++++++++++++++++++++++++- > 1 file changed, 30 insertions(+), 1 deletion(-) > > --- linux-6.3.orig/kernel/module/main.c > +++ linux-6.3/kernel/module/main.c > @@ -55,6 +55,7 @@ > #include > #include > #include > +#include > #include > #include "internal.h" 
> > @@ -850,7 +851,35 @@ void module_put(struct module *module) > if (module) { > preempt_disable(); > ret = atomic_dec_if_positive(&module->refcnt); > - WARN_ON(ret < 0); /* Failed to put refcount */ > + if (ret < 0) { > + unsigned char modname_copy[MODULE_NAME_LEN]; > + unsigned char *p, *end; > + bool sane; > + > + /* > + * Report faulty module if name is still readable. > + * We must be careful here as the module may have > + * been already freed. > + */ > + memcpy(modname_copy, module->name, MODULE_NAME_LEN); > + end = memchr(modname_copy, '\0', MODULE_NAME_LEN); > + sane = end != NULL; > + if (sane) { > + for (p = modname_copy; p < end; p++) > + if (!isgraph(*p)) { > + sane = false; > + break; > + } > + } > + > + if (sane) > + WARN(1, > + KERN_WARNING "Failed to put refcount for module %s\n", > + modname_copy); > + else > + WARN(1, > + KERN_WARNING "Failed to put refcount, use-after-free detected\n"); > + } > trace_module_put(module, _RET_IP_); > preempt_enable(); > } > > > -- > Jean Delvare > SUSE L3 Support -- Michal Hocko SUSE Labs
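
Review bot: in the new `ret < 0` branch of module_put(), `memcpy(modname_copy, module->name, MODULE_NAME_LEN)` already reads through `module`, which the comment directly above says may have been freed, so the memchr()/isgraph() scan only filters what is printed and cannot show that the memory is still a live struct module. A freed and reused region that happens to hold a printable, NUL-terminated string is reported as the faulty module, while any non-printable byte produces the "use-after-free detected" text without evidence of one. Consider dropping the stack copy and the scan and keeping a single WARN that prints the name with a precision bounded by MODULE_NAME_LEN (a `%.*s` with the length cast to int), which caps garbage output as suggested in the reply and keeps the added code to one line.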