On Thu, 25 Aug 2016, Josh Poimboeuf wrote:
> On Thu, Aug 25, 2016 at 04:25:15PM +0200, Miroslav Benes wrote:
> > On Wed, 24 Aug 2016, Josh Poimboeuf wrote:
> >
> > > There's no reliable way to determine which module tainted the kernel
> > > with CONFIG_LIVEPATCH. For example, /sys/module/<klp module>/taint
> > > doesn't report it. Neither does the "mod -t" command in the crash tool.
> > >
> > > Make it crystal clear who the guilty party is by converting
> > > CONFIG_LIVEPATCH to a module taint flag.
> > >
> > > This changes the behavior a bit: now the the flag gets set when the
> > > module is loaded, rather than when it's enabled.
> > >
> > > Reviewed-by: Chunyu Hu <chuhu@xxxxxxxxxx>
> > > Signed-off-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> > > ---
> > > kernel/livepatch/core.c | 3 ---
> > > kernel/module.c | 35 ++++++++++++-----------------------
> > > 2 files changed, 12 insertions(+), 26 deletions(-)
> > >
> > > diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
> > > index 5fbabe0..af46438 100644
> > > --- a/kernel/livepatch/core.c
> > > +++ b/kernel/livepatch/core.c
> > > @@ -545,9 +545,6 @@ static int __klp_enable_patch(struct klp_patch *patch)
> > > list_prev_entry(patch, list)->state == KLP_DISABLED)
> > > return -EBUSY;
> > >
> > > - pr_notice_once("tainting kernel with TAINT_LIVEPATCH\n");
> > > - add_taint(TAINT_LIVEPATCH, LOCKDEP_STILL_OK);
> > > -
> > > pr_notice("enabling patch '%s'\n", patch->mod->name);
> > >
> > > klp_for_each_object(patch, obj) {
> > > diff --git a/kernel/module.c b/kernel/module.c
> > > index 529efae..fd5f95b 100644
> > > --- a/kernel/module.c
> > > +++ b/kernel/module.c
> > > @@ -1149,6 +1149,8 @@ static size_t module_flags_taint(struct module *mod, char *buf)
> > > buf[l++] = 'C';
> > > if (mod->taints & (1 << TAINT_UNSIGNED_MODULE))
> > > buf[l++] = 'E';
> > > + if (mod->taints & (1 << TAINT_LIVEPATCH))
> > > + buf[l++] = 'K';
> > > /*
> > > * TAINT_FORCED_RMMOD: could be added.
> > > * TAINT_CPU_OUT_OF_SPEC, TAINT_MACHINE_CHECK, TAINT_BAD_PAGE don't
> > > @@ -2791,26 +2793,6 @@ static int copy_chunked_from_user(void *dst, const void __user *usrc, unsigned l
> > > return 0;
> > > }
> > >
> > > -#ifdef CONFIG_LIVEPATCH
> > > -static int find_livepatch_modinfo(struct module *mod, struct load_info *info)
> > > -{
> > > - mod->klp = get_modinfo(info, "livepatch") ? true : false;
> > > -
> > > - return 0;
> > > -}
> > > -#else /* !CONFIG_LIVEPATCH */
> > > -static int find_livepatch_modinfo(struct module *mod, struct load_info *info)
> > > -{
> > > - if (get_modinfo(info, "livepatch")) {
> > > - pr_err("%s: module is marked as livepatch module, but livepatch support is disabled",
> > > - mod->name);
> > > - return -ENOEXEC;
> > > - }
> > > -
> > > - return 0;
> > > -}
> > > -#endif /* CONFIG_LIVEPATCH */
> > > -
> > > /* Sets info->hdr and info->len. */
> > > static int copy_module_from_user(const void __user *umod, unsigned long len,
> > > struct load_info *info)
> > > @@ -2969,9 +2951,16 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
> > > "is unknown, you have been warned.\n", mod->name);
> > > }
> > >
> > > - err = find_livepatch_modinfo(mod, info);
> > > - if (err)
> > > - return err;
> > > + if (get_modinfo(info, "livepatch")) {
> > > + if (!IS_ENABLED(CONFIG_LIVEPATCH)) {
> > > + pr_err("%s: module is marked as livepatch module, but livepatch support is disabled\n",
> > > + mod->name);
> > > + return -ENOEXEC;
> > > + }
> > > + mod->klp = true;
> > > + pr_warn("%s: loading livepatch module.\n", mod->name);
> > > + add_taint_module(mod, TAINT_LIVEPATCH, LOCKDEP_STILL_OK);
> > > + }
> >
> > The old code set mod->klp to false if get_modinfo(info, "livepatch"))
> > returned true. I think that we don't have to do it, because struct module
> > of a module is statically allocated (if I am not mistaken) and hence
> > mod->klp should be initialized to false. However maybe it'd better to do
> > it explicitly. What do you think?
>
> Rusty confirmed before that the module struct is initialized to zero:
>
> https://lkml.kernel.org/r/87mw3jxdea.fsf@xxxxxxxxxxxxxxx
>
> And I suspect a lot of module code relies on that fact. For example,
> see mod->async_probe_requested. So my preference would be to follow
> what seems to be the current convention in the code, and not explicitly
> initialize it to false.
Ah, right. Ok then.
Miroslav
--
To unsubscribe from this list: send the line "unsubscribe live-patching" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
