1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
2 | /* |
3 | * kmod dups - the kernel module autoloader duplicate suppressor |
4 | * |
5 | * Copyright (C) 2023 Luis Chamberlain <mcgrof@kernel.org> |
6 | */ |
7 | |
8 | #define pr_fmt(fmt) "module: " fmt |
9 | |
10 | #include <linux/module.h> |
11 | #include <linux/sched.h> |
12 | #include <linux/sched/task.h> |
13 | #include <linux/binfmts.h> |
14 | #include <linux/syscalls.h> |
15 | #include <linux/unistd.h> |
16 | #include <linux/kmod.h> |
17 | #include <linux/slab.h> |
18 | #include <linux/completion.h> |
19 | #include <linux/cred.h> |
20 | #include <linux/file.h> |
21 | #include <linux/fdtable.h> |
22 | #include <linux/workqueue.h> |
23 | #include <linux/security.h> |
24 | #include <linux/mount.h> |
25 | #include <linux/kernel.h> |
26 | #include <linux/init.h> |
27 | #include <linux/resource.h> |
28 | #include <linux/notifier.h> |
29 | #include <linux/suspend.h> |
30 | #include <linux/rwsem.h> |
31 | #include <linux/ptrace.h> |
32 | #include <linux/async.h> |
33 | #include <linux/uaccess.h> |
34 | |
35 | #include "internal.h" |
36 | |
37 | #undef MODULE_PARAM_PREFIX |
38 | #define MODULE_PARAM_PREFIX "module." |
39 | static bool enable_dups_trace = IS_ENABLED(CONFIG_MODULE_DEBUG_AUTOLOAD_DUPS_TRACE); |
40 | module_param(enable_dups_trace, bool_enable_only, 0644); |
41 | |
42 | /* |
43 | * Protects dup_kmod_reqs list, adds / removals with RCU. |
44 | */ |
45 | static DEFINE_MUTEX(kmod_dup_mutex); |
46 | static LIST_HEAD(dup_kmod_reqs); |
47 | |
48 | struct kmod_dup_req { |
49 | struct list_head list; |
50 | char name[MODULE_NAME_LEN]; |
51 | struct completion first_req_done; |
52 | struct work_struct complete_work; |
53 | struct delayed_work delete_work; |
54 | int dup_ret; |
55 | }; |
56 | |
57 | static struct kmod_dup_req *kmod_dup_request_lookup(char *module_name) |
58 | { |
59 | struct kmod_dup_req *kmod_req; |
60 | |
61 | list_for_each_entry_rcu(kmod_req, &dup_kmod_reqs, list, |
62 | lockdep_is_held(&kmod_dup_mutex)) { |
63 | if (strlen(kmod_req->name) == strlen(module_name) && |
64 | !memcmp(p: kmod_req->name, q: module_name, strlen(module_name))) { |
65 | return kmod_req; |
66 | } |
67 | } |
68 | |
69 | return NULL; |
70 | } |
71 | |
72 | static void kmod_dup_request_delete(struct work_struct *work) |
73 | { |
74 | struct kmod_dup_req *kmod_req; |
75 | kmod_req = container_of(to_delayed_work(work), struct kmod_dup_req, delete_work); |
76 | |
77 | /* |
78 | * The typical situation is a module successully loaded. In that |
79 | * situation the module will be present already in userspace. If |
80 | * new requests come in after that, userspace will already know the |
81 | * module is loaded so will just return 0 right away. There is still |
82 | * a small chance right after we delete this entry new request_module() |
83 | * calls may happen after that, they can happen. These heuristics |
84 | * are to protect finit_module() abuse for auto-loading, if modules |
85 | * are still tryign to auto-load even if a module is already loaded, |
86 | * that's on them, and those inneficiencies should not be fixed by |
87 | * kmod. The inneficies there are a call to modprobe and modprobe |
88 | * just returning 0. |
89 | */ |
90 | mutex_lock(&kmod_dup_mutex); |
91 | list_del_rcu(entry: &kmod_req->list); |
92 | synchronize_rcu(); |
93 | mutex_unlock(lock: &kmod_dup_mutex); |
94 | kfree(objp: kmod_req); |
95 | } |
96 | |
97 | static void kmod_dup_request_complete(struct work_struct *work) |
98 | { |
99 | struct kmod_dup_req *kmod_req; |
100 | |
101 | kmod_req = container_of(work, struct kmod_dup_req, complete_work); |
102 | |
103 | /* |
104 | * This will ensure that the kernel will let all the waiters get |
105 | * informed its time to check the return value. It's time to |
106 | * go home. |
107 | */ |
108 | complete_all(&kmod_req->first_req_done); |
109 | |
110 | /* |
111 | * Now that we have allowed prior request_module() calls to go on |
112 | * with life, let's schedule deleting this entry. We don't have |
113 | * to do it right away, but we *eventually* want to do it so to not |
114 | * let this linger forever as this is just a boot optimization for |
115 | * possible abuses of vmalloc() incurred by finit_module() thrashing. |
116 | */ |
117 | queue_delayed_work(wq: system_wq, dwork: &kmod_req->delete_work, delay: 60 * HZ); |
118 | } |
119 | |
120 | bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret) |
121 | { |
122 | struct kmod_dup_req *kmod_req, *new_kmod_req; |
123 | int ret; |
124 | |
125 | /* |
126 | * Pre-allocate the entry in case we have to use it later |
127 | * to avoid contention with the mutex. |
128 | */ |
129 | new_kmod_req = kzalloc(size: sizeof(*new_kmod_req), GFP_KERNEL); |
130 | if (!new_kmod_req) |
131 | return false; |
132 | |
133 | memcpy(new_kmod_req->name, module_name, strlen(module_name)); |
134 | INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete); |
135 | INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete); |
136 | init_completion(x: &new_kmod_req->first_req_done); |
137 | |
138 | mutex_lock(&kmod_dup_mutex); |
139 | |
140 | kmod_req = kmod_dup_request_lookup(module_name); |
141 | if (!kmod_req) { |
142 | /* |
143 | * If the first request that came through for a module |
144 | * was with request_module_nowait() we cannot wait for it |
145 | * and share its return value with other users which may |
146 | * have used request_module() and need a proper return value |
147 | * so just skip using them as an anchor. |
148 | * |
149 | * If a prior request to this one came through with |
150 | * request_module() though, then a request_module_nowait() |
151 | * would benefit from duplicate detection. |
152 | */ |
153 | if (!wait) { |
154 | kfree(objp: new_kmod_req); |
155 | pr_debug("New request_module_nowait() for %s -- cannot track duplicates for this request\n" , module_name); |
156 | mutex_unlock(lock: &kmod_dup_mutex); |
157 | return false; |
158 | } |
159 | |
160 | /* |
161 | * There was no duplicate, just add the request so we can |
162 | * keep tab on duplicates later. |
163 | */ |
164 | pr_debug("New request_module() for %s\n" , module_name); |
165 | list_add_rcu(new: &new_kmod_req->list, head: &dup_kmod_reqs); |
166 | mutex_unlock(lock: &kmod_dup_mutex); |
167 | return false; |
168 | } |
169 | mutex_unlock(lock: &kmod_dup_mutex); |
170 | |
171 | /* We are dealing with a duplicate request now */ |
172 | kfree(objp: new_kmod_req); |
173 | |
174 | /* |
175 | * To fix these try to use try_then_request_module() instead as that |
176 | * will check if the component you are looking for is present or not. |
177 | * You could also just queue a single request to load the module once, |
178 | * instead of having each and everything you need try to request for |
179 | * the module. |
180 | * |
181 | * Duplicate request_module() calls can cause quite a bit of wasted |
182 | * vmalloc() space when racing with userspace. |
183 | */ |
184 | if (enable_dups_trace) |
185 | WARN(1, "module-autoload: duplicate request for module %s\n" , module_name); |
186 | else |
187 | pr_warn("module-autoload: duplicate request for module %s\n" , module_name); |
188 | |
189 | if (!wait) { |
190 | /* |
191 | * If request_module_nowait() was used then the user just |
192 | * wanted to issue the request and if another module request |
193 | * was already its way with the same name we don't care for |
194 | * the return value either. Let duplicate request_module_nowait() |
195 | * calls bail out right away. |
196 | */ |
197 | *dup_ret = 0; |
198 | return true; |
199 | } |
200 | |
201 | /* |
202 | * If a duplicate request_module() was used they *may* care for |
203 | * the return value, so we have no other option but to wait for |
204 | * the first caller to complete. If the first caller used |
205 | * the request_module_nowait() call, subsquent callers will |
206 | * deal with the comprmise of getting a successful call with this |
207 | * optimization enabled ... |
208 | */ |
209 | ret = wait_for_completion_state(x: &kmod_req->first_req_done, |
210 | TASK_KILLABLE); |
211 | if (ret) { |
212 | *dup_ret = ret; |
213 | return true; |
214 | } |
215 | |
216 | /* Now the duplicate request has the same exact return value as the first request */ |
217 | *dup_ret = kmod_req->dup_ret; |
218 | |
219 | return true; |
220 | } |
221 | |
222 | void kmod_dup_request_announce(char *module_name, int ret) |
223 | { |
224 | struct kmod_dup_req *kmod_req; |
225 | |
226 | mutex_lock(&kmod_dup_mutex); |
227 | |
228 | kmod_req = kmod_dup_request_lookup(module_name); |
229 | if (!kmod_req) |
230 | goto out; |
231 | |
232 | kmod_req->dup_ret = ret; |
233 | |
234 | /* |
235 | * If we complete() here we may allow duplicate threads |
236 | * to continue before the first one that submitted the |
237 | * request. We're in no rush also, given that each and |
238 | * every bounce back to userspace is slow we avoid that |
239 | * with a slight delay here. So queueue up the completion |
240 | * and let duplicates suffer, just wait a tad bit longer. |
241 | * There is no rush. But we also don't want to hold the |
242 | * caller up forever or introduce any boot delays. |
243 | */ |
244 | queue_work(wq: system_wq, work: &kmod_req->complete_work); |
245 | |
246 | out: |
247 | mutex_unlock(lock: &kmod_dup_mutex); |
248 | } |
249 | |