The bpfilter.ko module can be removed while functions of bpfilter.ko
are still executing, so a panic can occur. Locks can be used to protect
against that. A bpfilter_lock protects routines in
__bpfilter_process_sockopt(), but it is not enough because the __exit
routine can be executed concurrently.
Now the bpfilter_umh can not run in parallel.
So the module is not removed while it is being used, and it does not
double-create the UMH process.
The members of the umh_info and the bpfilter_umh_ops are protected by
the bpfilter_umh_ops.lock.
test commands:
while :
do
iptables -I FORWARD -m string --string ap --algo kmp &
modprobe -rv bpfilter &
done
splat looks like:
[ 298.623435] BUG: unable to handle kernel paging request at fffffbfff807440b
[ 298.628512] #PF error: [normal kernel read fault]
[ 298.633018] PGD 124327067 P4D 124327067 PUD 11c1a3067 PMD 119eb2067 PTE 0
[ 298.638859] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 298.638859] CPU: 0 PID: 2997 Comm: iptables Not tainted 4.20.0+ #154
[ 298.638859] RIP: 0010:__mutex_lock+0x6b9/0x16a0
[ 298.638859] Code: c0 00 00 e8 89 82 ff ff 80 bd 8f fc ff ff 00 0f 85 d9 05 00 00 48 8b 85 80 fc ff ff 48 bf 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 38 00 0f 85 1d 0e 00 00 48 8b 85 c8 fc ff ff 49 39 47 58 c6
[ 298.638859] RSP: 0018:ffff88810e7777a0 EFLAGS: 00010202
[ 298.638859] RAX: 1ffffffff807440b RBX: ffff888111bd4d80 RCX: 0000000000000000
[ 298.638859] RDX: 1ffff110235ff806 RSI: ffff888111bd5538 RDI: dffffc0000000000
[ 298.638859] RBP: ffff88810e777b30 R08: 0000000080000002 R09: 0000000000000000
[ 298.638859] R10: 0000000000000000 R11: 0000000000000000 R12: fffffbfff168a42c
[ 298.638859] R13: ffff888111bd4d80 R14: ffff8881040e9a05 R15: ffffffffc03a2000
[ 298.638859] FS: 00007f39e3758700(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
[ 298.638859] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 298.638859] CR2: fffffbfff807440b CR3: 000000011243e000 CR4: 00000000001006f0
[ 298.638859] Call Trace:
[ 298.638859] ? mutex_lock_io_nested+0x1560/0x1560
[ 298.638859] ? kasan_kmalloc+0xa0/0xd0
[ 298.638859] ? kmem_cache_alloc+0x1c2/0x260
[ 298.638859] ? __alloc_file+0x92/0x3c0
[ 298.638859] ? alloc_empty_file+0x43/0x120
[ 298.638859] ? alloc_file_pseudo+0x220/0x330
[ 298.638859] ? sock_alloc_file+0x39/0x160
[ 298.638859] ? __sys_socket+0x113/0x1d0
[ 298.638859] ? __x64_sys_socket+0x6f/0xb0
[ 298.638859] ? do_syscall_64+0x138/0x560
[ 298.638859] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 298.638859] ? __alloc_file+0x92/0x3c0
[ 298.638859] ? init_object+0x6b/0x80
[ 298.638859] ? cyc2ns_read_end+0x10/0x10
[ 298.638859] ? cyc2ns_read_end+0x10/0x10
[ 298.638859] ? hlock_class+0x140/0x140
[ 298.638859] ? sched_clock_local+0xd4/0x140
[ 298.638859] ? sched_clock_local+0xd4/0x140
[ 298.638859] ? check_flags.part.37+0x440/0x440
[ 298.638859] ? __lock_acquire+0x4f90/0x4f90
[ 298.638859] ? set_rq_offline.part.89+0x140/0x140
[ ... ]
Fixes: d2ba09c17a
("net: add skeleton of bpfilter kernel module")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
// SPDX-License-Identifier: GPL-2.0
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/init.h>
#include <linux/module.h>
#include <linux/umh.h>
#include <linux/bpfilter.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/fs.h>
#include <linux/file.h>
#include "msgfmt.h"
/*
 * Bounds of the embedded user-mode helper blob; start_umh() hands this
 * range to fork_usermode_blob().
 */
extern char bpfilter_umh_start;
extern char bpfilter_umh_end;
/*
 * Kill the user-mode helper recorded in bpfilter_ops.info.pid, unless
 * the helper is already flagged as stopped.
 */
static void shutdown_umh(void)
{
	struct task_struct *tsk;

	/* Already stopped: nothing left to signal. */
	if (bpfilter_ops.stop)
		return;

	/* The pid may no longer resolve to a live task. */
	tsk = get_pid_task(find_vpid(bpfilter_ops.info.pid), PIDTYPE_PID);
	if (!tsk)
		return;

	force_sig(SIGKILL, tsk);
	put_task_struct(tsk);
}
/* Tear down the helper; compiled to a no-op when CONFIG_INET is off. */
static void __stop_umh(void)
{
	if (!IS_ENABLED(CONFIG_INET))
		return;

	shutdown_umh();
}
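/*
 * Forward one {get,set}sockopt() request to the bpfilter user-mode helper
 * over its request pipe and wait for the reply message.
 *
 * @sk:      not used here; kept for the bpfilter_ops.sockopt signature.
 * @optname: socket option number, stored in the request as cmd.
 * @optval:  user pointer to the option value; passed on as a raw address
 *           in req.addr, it is not dereferenced in this function.
 * @optlen:  length of the option value in bytes.
 * @is_set:  true for setsockopt, false for getsockopt.
 *
 * Returns the status the helper reports, or -EFAULT when no helper pid is
 * recorded or the pipe exchange does not transfer a whole message. On a
 * short write or read the helper is torn down via __stop_umh().
 *
 * bpfilter_ops.lock is not taken here; per the commit message the members
 * of bpfilter_ops are serialised by the caller holding that lock.
 */
static int __bpfilter_process_sockopt(struct sock *sk, int optname,
				      char __user *optval,
				      unsigned int optlen, bool is_set)
{
	struct mbox_request req;
	struct mbox_reply reply;
	/*
	 * Initialised up front: &pos is handed to __kernel_write() before
	 * any assignment in this function, so an indeterminate value would
	 * otherwise be read there.
	 */
	loff_t pos = 0;
	ssize_t n;
	/* Default result for every failure path below. */
	int ret = -EFAULT;

	req.is_set = is_set;
	req.pid = current->pid;
	req.cmd = optname;
	req.addr = (long __force __user)optval;
	req.len = optlen;

	/* No helper process recorded: nothing to talk to. */
	if (!bpfilter_ops.info.pid)
		goto out;

	n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req),
			   &pos);
	if (n != sizeof(req)) {
		pr_err("write fail %zd\n", n);
		__stop_umh();
		goto out;
	}

	/* The write may have advanced pos; read the reply from offset 0. */
	pos = 0;
	n = kernel_read(bpfilter_ops.info.pipe_from_umh, &reply, sizeof(reply),
			&pos);
	if (n != sizeof(reply)) {
		pr_err("read fail %zd\n", n);
		__stop_umh();
		goto out;
	}

	ret = reply.status;
out:
	return ret;
}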
/*
 * Fork the embedded user-mode helper, mark it running and verify it
 * answers a zero-length request.
 *
 * Returns 0 on success, the fork_usermode_blob() error if the helper could
 * not be started, or -EFAULT (after killing the helper) when the health
 * check fails.
 */
static int start_umh(void)
{
	size_t blob_len = &bpfilter_umh_end - &bpfilter_umh_start;
	int err;

	/* fork usermode process */
	err = fork_usermode_blob(&bpfilter_umh_start, blob_len,
				 &bpfilter_ops.info);
	if (err)
		return err;

	bpfilter_ops.stop = false;
	pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid);

	/* health check that usermode process started correctly */
	if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) == 0)
		return 0;

	shutdown_umh();
	return -EFAULT;
}
/*
 * Module init: start the user-mode helper and, on success, publish the
 * sockopt/start hooks in bpfilter_ops. Everything runs under
 * bpfilter_ops.lock, which per the commit message also serialises the
 * __exit path and the sockopt callers.
 *
 * Returns 0 on success, -EFAULT if a helper is considered still running,
 * or the error from start_umh().
 */
static int __init load_umh(void)
{
	int err;

	mutex_lock(&bpfilter_ops.lock);
	/*
	 * start_umh() clears stop; while it is still false a helper is
	 * treated as running and a second one is not created. Where stop
	 * is set back to true is not visible in this file.
	 */
	if (!bpfilter_ops.stop) {
		err = -EFAULT;
		goto out;
	}
	err = start_umh();
	/* Expose the hooks only once the helper is up and passed its check. */
	if (!err && IS_ENABLED(CONFIG_INET)) {
		bpfilter_ops.sockopt = &__bpfilter_process_sockopt;
		bpfilter_ops.start = &start_umh;
	}
out:
	mutex_unlock(&bpfilter_ops.lock);
	return err;
}
/*
 * Module exit: kill the user-mode helper and unpublish the ops hooks,
 * all under bpfilter_ops.lock so that, per the commit message, this
 * cannot interleave with a sockopt call or a concurrent load.
 */
static void __exit fini_umh(void)
{
	mutex_lock(&bpfilter_ops.lock);
	if (IS_ENABLED(CONFIG_INET)) {
		shutdown_umh();
		/* Clear the hooks so no new requests reach this module. */
		bpfilter_ops.start = NULL;
		bpfilter_ops.sockopt = NULL;
	}
	mutex_unlock(&bpfilter_ops.lock);
}
/* Module entry/exit points and licence. */
module_init(load_umh);
module_exit(fini_umh);
MODULE_LICENSE("GPL");