Re: [PATCH bpf] bpf: Take module reference for ip in module code

Jiri Olsa <jolsa@xxxxxxxxxx> · Wed, 24 Mar 2021 12:31:38 +0100

On Tue, Mar 23, 2021 at 06:22:37PM -0700, Alexei Starovoitov wrote:
> On Tue, Mar 23, 2021 at 10:15:33PM +0100, Jiri Olsa wrote:
> > Currently module can be unloaded even if there's a trampoline
> > register in it. It's easily reproduced by running in parallel:
> > 
> >   # while :; do ./test_progs -t module_attach; done
> >   # while :; do ./test_progs -t fentry_test; done
> > 
> > Taking the module reference in case the trampoline's ip is
> > within the module code. Releasing it when the trampoline's
> > ip is unregistered.
> > 
> > Signed-off-by: Jiri Olsa <jolsa@xxxxxxxxxx>
> > ---
> >  kernel/bpf/trampoline.c | 32 ++++++++++++++++++++++++++++++++
> >  1 file changed, 32 insertions(+)
> > 
> > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> > index 1f3a4be4b175..f6cb179842b2 100644
> > --- a/kernel/bpf/trampoline.c
> > +++ b/kernel/bpf/trampoline.c
> > @@ -87,6 +87,27 @@ static struct bpf_trampoline *bpf_trampoline_lookup(u64 key)
> >  	return tr;
> >  }
> >  
> > +static struct module *ip_module_get(unsigned long ip)
> > +{
> > +	struct module *mod;
> > +	int err = 0;
> > +
> > +	preempt_disable();
> > +	mod = __module_text_address(ip);
> > +	if (mod && !try_module_get(mod))
> > +		err = -ENOENT;
> > +	preempt_enable();
> > +	return err ? ERR_PTR(err) : mod;
> > +}
> > +
> > +static void ip_module_put(unsigned long ip)
> > +{
> > +	struct module *mod = __module_text_address(ip);
> 
> Conceptually looks correct, but how did you test it?!
> Just doing your reproducer:
> while :; do ./test_progs -t module_attach; done & while :; do ./test_progs -t fentry_test; done
> 
> I immediately hit:
> [   19.461162] WARNING: CPU: 1 PID: 232 at kernel/module.c:264 module_assert_mutex_or_preempt+0x2e/0x40
> [   19.477126] Call Trace:
> [   19.477464]  __module_address+0x28/0xf0
> [   19.477865]  ? __bpf_trace_bpf_testmod_test_write_bare+0x10/0x10 [bpf_testmod]
> [   19.478711]  __module_text_address+0xe/0x60
> [   19.479156]  bpf_trampoline_update+0x2ff/0x470

I don't have lockdep enabled.. ah the module_mutex is held
during module init, that's why all the code I was using as
a reference did not take it.. sorry, will fix

> 
> Which points to an obvious bug above.
> 
> How did you debug it to this module going away issue?
> Why does test_progs -t fentry_test help to repro?
> Or does it?
> It doesn't touch anything in modules.

test_prog also loads/unloads that module, but it could be
just insmod/rmmod instead, will change

jirka