1 // SPDX-License-Identifier: GPL-2.0 2 #include <vmlinux.h> 3 #include <bpf/bpf_helpers.h> 4 #include <bpf/bpf_tracing.h> 5 6 const volatile struct { 7 /* thread to activate trace programs for */ 8 pid_t tgid; 9 /* return error from __init function */ 10 int inject_error; 11 /* uffd monitored range start address */ 12 void *fault_addr; 13 } bpf_mod_race_config = { -1 }; 14 15 int bpf_blocking = 0; 16 int res_try_get_module = -1; 17 18 static __always_inline bool check_thread_id(void) 19 { 20 struct task_struct *task = bpf_get_current_task_btf(); 21 22 return task->tgid == bpf_mod_race_config.tgid; 23 } 24 25 /* The trace of execution is something like this: 26 * 27 * finit_module() 28 * load_module() 29 * prepare_coming_module() 30 * notifier_call(MODULE_STATE_COMING) 31 * btf_parse_module() 32 * btf_alloc_id() // Visible to userspace at this point 33 * list_add(btf_mod->list, &btf_modules) 34 * do_init_module() 35 * freeinit = kmalloc() 36 * ret = mod->init() 37 * bpf_prog_widen_race() 38 * bpf_copy_from_user() 39 * ...<sleep>... 40 * if (ret < 0) 41 * ... 42 * free_module() 43 * return ret 44 * 45 * At this point, module loading thread is blocked, we now load the program: 46 * 47 * bpf_check 48 * add_kfunc_call/check_pseudo_btf_id 49 * btf_try_get_module 50 * try_get_module_live == false 51 * return -ENXIO 52 * 53 * Without the fix (try_get_module_live in btf_try_get_module): 54 * 55 * bpf_check 56 * add_kfunc_call/check_pseudo_btf_id 57 * btf_try_get_module 58 * try_get_module == true 59 * <store module reference in btf_kfunc_tab or used_btf array> 60 * ... 61 * return fd 62 * 63 * Now, if we inject an error in the blocked program, our module will be freed 64 * (going straight from MODULE_STATE_COMING to MODULE_STATE_GOING). 65 * Later, when bpf program is freed, it will try to module_put already freed 66 * module. This is why try_get_module_live returns false if mod->state is not 67 * MODULE_STATE_LIVE. 68 */ 69 70 SEC("fmod_ret.s/bpf_fentry_test1") 71 int BPF_PROG(widen_race, int a, int ret) 72 { 73 char dst; 74 75 if (!check_thread_id()) 76 return 0; 77 /* Indicate that we will attempt to block */ 78 bpf_blocking = 1; 79 bpf_copy_from_user(&dst, 1, bpf_mod_race_config.fault_addr); 80 return bpf_mod_race_config.inject_error; 81 } 82 83 SEC("fexit/do_init_module") 84 int BPF_PROG(fexit_init_module, struct module *mod, int ret) 85 { 86 if (!check_thread_id()) 87 return 0; 88 /* Indicate that we finished blocking */ 89 bpf_blocking = 2; 90 return 0; 91 } 92 93 SEC("fexit/btf_try_get_module") 94 int BPF_PROG(fexit_module_get, const struct btf *btf, struct module *mod) 95 { 96 res_try_get_module = !!mod; 97 return 0; 98 } 99 100 char _license[] SEC("license") = "GPL"; 101