| 1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
|---|
| 2 | /* |
|---|
| 3 | * kmod dups - the kernel module autoloader duplicate suppressor |
|---|
| 4 | * |
|---|
| 5 | * Copyright (C) 2023 Luis Chamberlain <mcgrof@kernel.org> |
|---|
| 6 | */ |
|---|
| 7 | |
|---|
| 8 | #define pr_fmt(fmt) "module: " fmt |
|---|
| 9 | |
|---|
| 10 | #include <linux/module.h> |
|---|
| 11 | #include <linux/sched.h> |
|---|
| 12 | #include <linux/sched/task.h> |
|---|
| 13 | #include <linux/binfmts.h> |
|---|
| 14 | #include <linux/syscalls.h> |
|---|
| 15 | #include <linux/unistd.h> |
|---|
| 16 | #include <linux/kmod.h> |
|---|
| 17 | #include <linux/slab.h> |
|---|
| 18 | #include <linux/completion.h> |
|---|
| 19 | #include <linux/cred.h> |
|---|
| 20 | #include <linux/file.h> |
|---|
| 21 | #include <linux/fdtable.h> |
|---|
| 22 | #include <linux/workqueue.h> |
|---|
| 23 | #include <linux/security.h> |
|---|
| 24 | #include <linux/mount.h> |
|---|
| 25 | #include <linux/kernel.h> |
|---|
| 26 | #include <linux/init.h> |
|---|
| 27 | #include <linux/resource.h> |
|---|
| 28 | #include <linux/notifier.h> |
|---|
| 29 | #include <linux/suspend.h> |
|---|
| 30 | #include <linux/rwsem.h> |
|---|
| 31 | #include <linux/ptrace.h> |
|---|
| 32 | #include <linux/async.h> |
|---|
| 33 | #include <linux/uaccess.h> |
|---|
| 34 | |
|---|
| 35 | #include "internal.h" |
|---|
| 36 | |
|---|
| 37 | #undef MODULE_PARAM_PREFIX |
|---|
| 38 | #define MODULE_PARAM_PREFIX "module." |
|---|
| 39 | static bool enable_dups_trace = IS_ENABLED(CONFIG_MODULE_DEBUG_AUTOLOAD_DUPS_TRACE); |
|---|
| 40 | module_param(enable_dups_trace, bool_enable_only, 0644); |
|---|
| 41 | |
|---|
| 42 | /* |
|---|
| 43 | * Protects dup_kmod_reqs list, adds / removals with RCU. |
|---|
| 44 | */ |
|---|
| 45 | static DEFINE_MUTEX(kmod_dup_mutex); |
|---|
| 46 | static LIST_HEAD(dup_kmod_reqs); |
|---|
| 47 | |
|---|
| 48 | struct kmod_dup_req { |
|---|
| 49 | struct list_head list; |
|---|
| 50 | char name[MODULE_NAME_LEN]; |
|---|
| 51 | struct completion first_req_done; |
|---|
| 52 | struct work_struct complete_work; |
|---|
| 53 | struct delayed_work delete_work; |
|---|
| 54 | int dup_ret; |
|---|
| 55 | }; |
|---|
| 56 | |
|---|
| 57 | static struct kmod_dup_req *kmod_dup_request_lookup(char *module_name) |
|---|
| 58 | { |
|---|
| 59 | struct kmod_dup_req *kmod_req; |
|---|
| 60 | |
|---|
| 61 | list_for_each_entry_rcu(kmod_req, &dup_kmod_reqs, list, |
|---|
| 62 | lockdep_is_held(&kmod_dup_mutex)) { |
|---|
| 63 | if (strlen(kmod_req->name) == strlen(module_name) && |
|---|
| 64 | !memcmp(p: kmod_req->name, q: module_name, strlen(module_name))) { |
|---|
| 65 | return kmod_req; |
|---|
| 66 | } |
|---|
| 67 | } |
|---|
| 68 | |
|---|
| 69 | return NULL; |
|---|
| 70 | } |
|---|
| 71 | |
|---|
| 72 | static void kmod_dup_request_delete(struct work_struct *work) |
|---|
| 73 | { |
|---|
| 74 | struct kmod_dup_req *kmod_req; |
|---|
| 75 | kmod_req = container_of(to_delayed_work(work), struct kmod_dup_req, delete_work); |
|---|
| 76 | |
|---|
| 77 | /* |
|---|
| 78 | * The typical situation is a module successully loaded. In that |
|---|
| 79 | * situation the module will be present already in userspace. If |
|---|
| 80 | * new requests come in after that, userspace will already know the |
|---|
| 81 | * module is loaded so will just return 0 right away. There is still |
|---|
| 82 | * a small chance right after we delete this entry new request_module() |
|---|
| 83 | * calls may happen after that, they can happen. These heuristics |
|---|
| 84 | * are to protect finit_module() abuse for auto-loading, if modules |
|---|
| 85 | * are still tryign to auto-load even if a module is already loaded, |
|---|
| 86 | * that's on them, and those inneficiencies should not be fixed by |
|---|
| 87 | * kmod. The inneficies there are a call to modprobe and modprobe |
|---|
| 88 | * just returning 0. |
|---|
| 89 | */ |
|---|
| 90 | mutex_lock(&kmod_dup_mutex); |
|---|
| 91 | list_del_rcu(entry: &kmod_req->list); |
|---|
| 92 | synchronize_rcu(); |
|---|
| 93 | mutex_unlock(lock: &kmod_dup_mutex); |
|---|
| 94 | kfree(objp: kmod_req); |
|---|
| 95 | } |
|---|
| 96 | |
|---|
| 97 | static void kmod_dup_request_complete(struct work_struct *work) |
|---|
| 98 | { |
|---|
| 99 | struct kmod_dup_req *kmod_req; |
|---|
| 100 | |
|---|
| 101 | kmod_req = container_of(work, struct kmod_dup_req, complete_work); |
|---|
| 102 | |
|---|
| 103 | /* |
|---|
| 104 | * This will ensure that the kernel will let all the waiters get |
|---|
| 105 | * informed its time to check the return value. It's time to |
|---|
| 106 | * go home. |
|---|
| 107 | */ |
|---|
| 108 | complete_all(&kmod_req->first_req_done); |
|---|
| 109 | |
|---|
| 110 | /* |
|---|
| 111 | * Now that we have allowed prior request_module() calls to go on |
|---|
| 112 | * with life, let's schedule deleting this entry. We don't have |
|---|
| 113 | * to do it right away, but we *eventually* want to do it so to not |
|---|
| 114 | * let this linger forever as this is just a boot optimization for |
|---|
| 115 | * possible abuses of vmalloc() incurred by finit_module() thrashing. |
|---|
| 116 | */ |
|---|
| 117 | queue_delayed_work(wq: system_wq, dwork: &kmod_req->delete_work, delay: 60 * HZ); |
|---|
| 118 | } |
|---|
| 119 | |
|---|
| 120 | bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret) |
|---|
| 121 | { |
|---|
| 122 | struct kmod_dup_req *kmod_req, *new_kmod_req; |
|---|
| 123 | int ret; |
|---|
| 124 | |
|---|
| 125 | /* |
|---|
| 126 | * Pre-allocate the entry in case we have to use it later |
|---|
| 127 | * to avoid contention with the mutex. |
|---|
| 128 | */ |
|---|
| 129 | new_kmod_req = kzalloc(size: sizeof(*new_kmod_req), GFP_KERNEL); |
|---|
| 130 | if (!new_kmod_req) |
|---|
| 131 | return false; |
|---|
| 132 | |
|---|
| 133 | memcpy(new_kmod_req->name, module_name, strlen(module_name)); |
|---|
| 134 | INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete); |
|---|
| 135 | INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete); |
|---|
| 136 | init_completion(x: &new_kmod_req->first_req_done); |
|---|
| 137 | |
|---|
| 138 | mutex_lock(&kmod_dup_mutex); |
|---|
| 139 | |
|---|
| 140 | kmod_req = kmod_dup_request_lookup(module_name); |
|---|
| 141 | if (!kmod_req) { |
|---|
| 142 | /* |
|---|
| 143 | * If the first request that came through for a module |
|---|
| 144 | * was with request_module_nowait() we cannot wait for it |
|---|
| 145 | * and share its return value with other users which may |
|---|
| 146 | * have used request_module() and need a proper return value |
|---|
| 147 | * so just skip using them as an anchor. |
|---|
| 148 | * |
|---|
| 149 | * If a prior request to this one came through with |
|---|
| 150 | * request_module() though, then a request_module_nowait() |
|---|
| 151 | * would benefit from duplicate detection. |
|---|
| 152 | */ |
|---|
| 153 | if (!wait) { |
|---|
| 154 | kfree(objp: new_kmod_req); |
|---|
| 155 | pr_debug("New request_module_nowait() for %s -- cannot track duplicates for this request\n" , module_name); |
|---|
| 156 | mutex_unlock(lock: &kmod_dup_mutex); |
|---|
| 157 | return false; |
|---|
| 158 | } |
|---|
| 159 | |
|---|
| 160 | /* |
|---|
| 161 | * There was no duplicate, just add the request so we can |
|---|
| 162 | * keep tab on duplicates later. |
|---|
| 163 | */ |
|---|
| 164 | pr_debug("New request_module() for %s\n" , module_name); |
|---|
| 165 | list_add_rcu(new: &new_kmod_req->list, head: &dup_kmod_reqs); |
|---|
| 166 | mutex_unlock(lock: &kmod_dup_mutex); |
|---|
| 167 | return false; |
|---|
| 168 | } |
|---|
| 169 | mutex_unlock(lock: &kmod_dup_mutex); |
|---|
| 170 | |
|---|
| 171 | /* We are dealing with a duplicate request now */ |
|---|
| 172 | kfree(objp: new_kmod_req); |
|---|
| 173 | |
|---|
| 174 | /* |
|---|
| 175 | * To fix these try to use try_then_request_module() instead as that |
|---|
| 176 | * will check if the component you are looking for is present or not. |
|---|
| 177 | * You could also just queue a single request to load the module once, |
|---|
| 178 | * instead of having each and everything you need try to request for |
|---|
| 179 | * the module. |
|---|
| 180 | * |
|---|
| 181 | * Duplicate request_module() calls can cause quite a bit of wasted |
|---|
| 182 | * vmalloc() space when racing with userspace. |
|---|
| 183 | */ |
|---|
| 184 | if (enable_dups_trace) |
|---|
| 185 | WARN(1, "module-autoload: duplicate request for module %s\n" , module_name); |
|---|
| 186 | else |
|---|
| 187 | pr_warn("module-autoload: duplicate request for module %s\n" , module_name); |
|---|
| 188 | |
|---|
| 189 | if (!wait) { |
|---|
| 190 | /* |
|---|
| 191 | * If request_module_nowait() was used then the user just |
|---|
| 192 | * wanted to issue the request and if another module request |
|---|
| 193 | * was already its way with the same name we don't care for |
|---|
| 194 | * the return value either. Let duplicate request_module_nowait() |
|---|
| 195 | * calls bail out right away. |
|---|
| 196 | */ |
|---|
| 197 | *dup_ret = 0; |
|---|
| 198 | return true; |
|---|
| 199 | } |
|---|
| 200 | |
|---|
| 201 | /* |
|---|
| 202 | * If a duplicate request_module() was used they *may* care for |
|---|
| 203 | * the return value, so we have no other option but to wait for |
|---|
| 204 | * the first caller to complete. If the first caller used |
|---|
| 205 | * the request_module_nowait() call, subsquent callers will |
|---|
| 206 | * deal with the comprmise of getting a successful call with this |
|---|
| 207 | * optimization enabled ... |
|---|
| 208 | */ |
|---|
| 209 | ret = wait_for_completion_state(x: &kmod_req->first_req_done, |
|---|
| 210 | TASK_KILLABLE); |
|---|
| 211 | if (ret) { |
|---|
| 212 | *dup_ret = ret; |
|---|
| 213 | return true; |
|---|
| 214 | } |
|---|
| 215 | |
|---|
| 216 | /* Now the duplicate request has the same exact return value as the first request */ |
|---|
| 217 | *dup_ret = kmod_req->dup_ret; |
|---|
| 218 | |
|---|
| 219 | return true; |
|---|
| 220 | } |
|---|
| 221 | |
|---|
| 222 | void kmod_dup_request_announce(char *module_name, int ret) |
|---|
| 223 | { |
|---|
| 224 | struct kmod_dup_req *kmod_req; |
|---|
| 225 | |
|---|
| 226 | mutex_lock(&kmod_dup_mutex); |
|---|
| 227 | |
|---|
| 228 | kmod_req = kmod_dup_request_lookup(module_name); |
|---|
| 229 | if (!kmod_req) |
|---|
| 230 | goto out; |
|---|
| 231 | |
|---|
| 232 | kmod_req->dup_ret = ret; |
|---|
| 233 | |
|---|
| 234 | /* |
|---|
| 235 | * If we complete() here we may allow duplicate threads |
|---|
| 236 | * to continue before the first one that submitted the |
|---|
| 237 | * request. We're in no rush also, given that each and |
|---|
| 238 | * every bounce back to userspace is slow we avoid that |
|---|
| 239 | * with a slight delay here. So queueue up the completion |
|---|
| 240 | * and let duplicates suffer, just wait a tad bit longer. |
|---|
| 241 | * There is no rush. But we also don't want to hold the |
|---|
| 242 | * caller up forever or introduce any boot delays. |
|---|
| 243 | */ |
|---|
| 244 | queue_work(wq: system_wq, work: &kmod_req->complete_work); |
|---|
| 245 | |
|---|
| 246 | out: |
|---|
| 247 | mutex_unlock(lock: &kmod_dup_mutex); |
|---|
| 248 | } |
|---|
| 249 | |
|---|
