From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A054C6FD18 for ; Fri, 31 Mar 2023 09:16:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230500AbjCaJQ0 (ORCPT ); Fri, 31 Mar 2023 05:16:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231721AbjCaJQN (ORCPT ); Fri, 31 Mar 2023 05:16:13 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B78530ED for ; Fri, 31 Mar 2023 02:16:00 -0700 (PDT) Received: from dggpemm500006.china.huawei.com (unknown [172.30.72.55]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4PnvlL1QbczKq7P; Fri, 31 Mar 2023 17:15:26 +0800 (CST) Received: from [10.174.178.55] (10.174.178.55) by dggpemm500006.china.huawei.com (7.185.36.236) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Fri, 31 Mar 2023 17:15:56 +0800 Subject: Re: [PATCH bpf-next v6 1/2] bpf: Fix attaching fentry/fexit/fmod_ret/lsm to modules To: Petr Mladek , Jiri Olsa CC: Alexei Starovoitov , Viktor Malik , bpf , Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Luis Chamberlain References: <1992d09a-0ef8-66e3-1da0-5d13c2fecc3d@redhat.com> <98077109-02be-a708-cde7-5dc827e1f3ea@huawei.com> From: "Leizhen (ThunderTown)" Message-ID: <7b396cbb-f977-0fa0-f5a9-0b16cef418b9@huawei.com> Date: Fri, 31 Mar 2023 17:15:56 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.178.55] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To dggpemm500006.china.huawei.com (7.185.36.236) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org On 2023/3/31 16:31, Petr Mladek wrote: > On Thu 2023-03-30 22:59:12, Jiri Olsa wrote: >> On Thu, Mar 30, 2023 at 08:26:41PM +0800, Leizhen (ThunderTown) wrote: >>> >>> >>> On 2023/3/30 15:29, Jiri Olsa wrote: >>>> ping, >>>> >>>> Petr, Zhen, any comment on discussion below? >>>> >>>> thanks, >>>> jirka >>>> >>>> On Thu, Mar 23, 2023 at 03:00:25PM +0100, Jiri Olsa wrote: >>>>> On Wed, Mar 22, 2023 at 09:03:46AM -0700, Alexei Starovoitov wrote: >>>>>> On Wed, Mar 22, 2023 at 5:14 AM Jiri Olsa wrote: >>>>>>> >>>>>>> On Wed, Mar 22, 2023 at 10:49:38AM +0100, Artem Savkov wrote: >>>>>>> >>>>>>> SNIP >>>>>>> >>>>>>>>>> Hm, do we even need to preempt_disable? IIUC, preempt_disable is used >>>>>>>>>> in module kallsyms to prevent taking the module lock b/c kallsyms are >>>>>>>>>> used in the oops path. That shouldn't be an issue here, is that correct? >>>>>>>>> >>>>>>>>> btf_try_get_module calls try_module_get which disables the preemption, >>>>>>>>> so no need to call it in here >>>>>>>> >>>>>>>> It does, but it reenables preemption right away so it is enabled by the >>>>>>>> time we call find_kallsyms_symbol_value(). I am getting the following >>>>>>>> lockdep splat while running module_fentry_shadow test from test_progs. >>>>>>>> >>>>>>>> [ 12.017973][ T488] ============================= >>>>>>>> [ 12.018529][ T488] WARNING: suspicious RCU usage >>>>>>>> [ 12.018987][ T488] 6.2.0.bpf-test-13063-g6a9f5cdba3c5 #804 Tainted: G OE >>>>>>>> [ 12.019898][ T488] ----------------------------- >>>>>>>> [ 12.020391][ T488] kernel/module/kallsyms.c:448 suspicious rcu_dereference_check() usage! >>>>>>>> [ 12.021335][ T488] >>>>>>>> [ 12.021335][ T488] other info that might help us debug this: >>>>>>>> [ 12.021335][ T488] >>>>>>>> [ 12.022416][ T488] >>>>>>>> [ 12.022416][ T488] rcu_scheduler_active = 2, debug_locks = 1 >>>>>>>> [ 12.023297][ T488] no locks held by test_progs/488. >>>>>>>> [ 12.023854][ T488] >>>>>>>> [ 12.023854][ T488] stack backtrace: >>>>>>>> [ 12.024336][ T488] CPU: 0 PID: 488 Comm: test_progs Tainted: G OE 6.2.0.bpf-test-13063-g6a9f5cdba3c5 #804 >>>>>>>> [ 12.025290][ T488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 >>>>>>>> [ 12.026108][ T488] Call Trace: >>>>>>>> [ 12.026381][ T488] >>>>>>>> [ 12.026649][ T488] dump_stack_lvl+0xb4/0x110 >>>>>>>> [ 12.027060][ T488] lockdep_rcu_suspicious+0x158/0x1f0 >>>>>>>> [ 12.027541][ T488] find_kallsyms_symbol_value+0xe8/0x110 >>>>>>>> [ 12.028028][ T488] bpf_check_attach_target+0x838/0xa20 >>>>>>>> [ 12.028511][ T488] check_attach_btf_id+0x144/0x3f0 >>>>>>>> [ 12.028957][ T488] ? __pfx_cmp_subprogs+0x10/0x10 >>>>>>>> [ 12.029408][ T488] bpf_check+0xeec/0x1850 >>>>>>>> [ 12.029799][ T488] ? ktime_get_with_offset+0x124/0x1d0 >>>>>>>> [ 12.030247][ T488] bpf_prog_load+0x87a/0xed0 >>>>>>>> [ 12.030627][ T488] ? __lock_release+0x5f/0x160 >>>>>>>> [ 12.031010][ T488] ? __might_fault+0x53/0xb0 >>>>>>>> [ 12.031394][ T488] ? selinux_bpf+0x6c/0xa0 >>>>>>>> [ 12.031756][ T488] __sys_bpf+0x53c/0x1240 >>>>>>>> [ 12.032115][ T488] __x64_sys_bpf+0x27/0x40 >>>>>>>> [ 12.032476][ T488] do_syscall_64+0x3e/0x90 >>>>>>>> [ 12.032835][ T488] entry_SYSCALL_64_after_hwframe+0x72/0xdc >>>>>>> >>>>>>> --- a/kernel/module/kallsyms.c >>>>>>> +++ b/kernel/module/kallsyms.c >>> Commit 91fb02f31505 ("module: Move kallsyms support into a separate file") hides >>> the answer. find_kallsyms_symbol_value() was originally a static function, and it >>> is only called by module_kallsyms_lookup_name() and is preemptive-protected. >>> >>> Now that we've added a call to function find_kallsyms_symbol_value(), it seems like >>> we should do the same thing as function module_kallsyms_lookup_name(). >>> >>> Like this? >>> + mod = btf_try_get_module(btf); >>> + if (mod) { >>> + preempt_disable(); >>> + addr = find_kallsyms_symbol_value(mod, tname); >>> + preempt_enable(); >>> + } else >>> + addr = 0; >> >> yes, that's what I did above, but I was just curious about the strange >> RCU usage Alexei commented on earlier: >> >> >>> +unsigned long find_kallsyms_symbol_value(struct module *mod, const char *name) >> >>> +{ >> >>> + unsigned long ret; >> >>> + >> >>> + preempt_disable(); >> >>> + ret = __find_kallsyms_symbol_value(mod, name); >> >>> + preempt_enable(); >> >>> + return ret; >> >>> +} >> >> >> >> That doesn't look right. >> >> I think the issue is misuse of rcu_dereference_sched in >> >> find_kallsyms_symbol_value. >> > >> > it seems to be using rcu pointer to keep symbols for module init time and >> > then core symbols for after init.. and switch between them when module is >> > loaded, hence the strange rcu usage I think load_module post_relocation add_kallsyms mod->kallsyms = (void __rcu *)mod->init_layout.base + info->mod_kallsyms_init_off; (1) do_init_module freeinit->module_init = mod->init_layout.base; rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); (2) if (llist_add(&freeinit->node, &init_free_list)) schedule_work(&init_free_wq); do_free_init synchronize_rcu(); module_memfree(initfree->module_init); IIUC, the RCU can help synchronize_rcu() in do_free_init() to make sure that no one is still using the first mod->kallsyms (1). If find_kallsyms_symbol_value() is executed between (1) and (2). > > My understanding is that rcu is needed to prevent module from being freed. > It should be related to: > > static void free_module(struct module *mod) > { > [...] > /* Now we can delete it from the lists */ > mutex_lock(&module_mutex); > /* Unlink carefully: kallsyms could be walking list. */ > list_del_rcu(&mod->list); > [...] > } > > I am sorry for the late reply. I was busy and I thought that it was > related to the refactoring. I hoped that peopled doing the refactoring > would answer. > > Best Regards, > Petr > . > -- Regards, Zhen Lei