system call hook triggers kernel panic

From: Yi Li <adamliyi@msn.com>
To: "linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: system call hook triggers kernel panic
Date: Thu, 17 Oct 2019 02:00:38 +0000	[thread overview]
Message-ID: <HK0PR02MB3283E73F2AA72D7EFA4350A3D96D0@HK0PR02MB3283.apcprd02.prod.outlook.com> (raw)

Hi,

We tried to replace the umount system call with our own code. Bellow is the simplified test case.
When doing umount, there is kernel panic (on centos7 4.14.0-115.10.1.el7a.ppc64le kernel) on P9 OpenPOWER machine.
Could you please give suggestions on how to make the system call hook work properly on powerpc?

"
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/kallsyms.h>

static void** sct;

static asmlinkage long (*orig_umount)(char __user *, int);

static asmlinkage long umount_hook(char __user *name, int flags)
{
	char *dir_name;
	long ret;

	dir_name = strndup_user(name, 512); 
	printk(KERN_NOTICE "umount %s 0x%x\n", dir_name, flags);
	kfree(dir_name);

	ret = orig_umount(name, flags);

	printk("umount2 returned %ld\n", ret);

	return ret;
}

static int __init poc_init(void)
{
	sct = (void**)kallsyms_lookup_name("sys_call_table");

#ifdef CONFIG_PPC64
	orig_umount = sct[__NR_umount2 * 2];
	sct[__NR_umount2 * 2] = umount_hook;
#else
	/*
	 * For recent kernel on x86, we would need remove memory protection
	 * before modify syscall table, let's ignore the work for a PoC.
	 *
	 * The stock kernel for CentOS 7.4 or lower should be just fine.
	 */
	orig_umount = sct[__NR_umount2];
	sct[__NR_umount2] = umount_hook;
#endif

	printk("syscall.__NR_umount2 replaced\n");

	return 0;
}

static void poc_exit(void)
{
#ifdef CONFIG_PPC64
	sct[__NR_umount2 * 2] = orig_umount;
#else
	sct[__NR_umount2] = orig_umount;
#endif

	printk("syscall.__NR_umount2 restored\n");
}

module_init(poc_init);
module_exit(poc_exit);

MODULE_DESCRIPTION("syscall hook poc.  load it, umount something, then dmesg to"
	" check its activities.");
MODULE_VERSION("1.0");
MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Huang Le");
"

The kernel module can be insert correctly, and we mount a tmpfs, then umount.
Kernel panic when doing umount:
"
[  148.569777] umount /home/adam/test 0x0
[  148.608227] umount2 returned 0
[  148.608268] Unable to handle kernel paging request for data at address 0xc00800001625a288
[  148.608320] Faulting instruction address: 0xc00000000001d610
[  148.608387] Oops: Kernel access of bad area, sig: 11 [#1]
[  148.608418] LE SMP NR_CPUS=2048 NUMA PowerNV
[  148.608460] Modules linked in: poc(OE) rpcrdma sunrpc ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core i2c_dev ses ipmi_powernv enclosure scsi_transport_sas sg ipmi_devintf at24 ofpart powernv_flash ipmi_msghandler mtd shpchp uio_pdrv_genirq opal_prd ibmpowernv uio ip_tables ext4 mbcache jbd2 sd_mod ast i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm tg3 megaraid_sas be2net aacraid ptp pps_core
[  148.608946] CPU: 5 PID: 15540 Comm: umount Tainted: G           OE  ------------   4.14.0-115.10.1.el7a.ppc64le #1
[  148.609075] task: c000003fc4017000 task.stack: c000003fbae9c000
[  148.609159] NIP:  c00000000001d610 LR: c00000000000dd00 CTR: 000000000000004e
[  148.609239] REGS: c000003fbae9fb70 TRAP: 0300   Tainted: G           OE  ------------    (4.14.0-115.10.1.el7a.ppc64le)
[  148.609339] MSR:  9000000002803033 <SF,HV,VEC,VSX,FP,ME,IR,DR,RI,LE>  CR: 22000844  XER: 20040000
[  148.609391] CFAR: c00000000001d5f8 DAR: c00800001625a288 DSISR: 40000000 SOFTE: 1
[  148.609391] GPR00: c00000000000dd00 c000003fbae9fdf0 c0080000161c8400 c000003fbae9fea0
[  148.609391] GPR04: 0000000000040080 0000000000000000 0000000000000001 0000000000000000
[  148.609391] GPR08: c008000016258400 0000000000000002 0000000000000002 0000000000000c00
[  148.609391] GPR12: 0000000000000000 c00000000fa83700 0000000000000000 0000000000000000
[  148.609391] GPR16: 0000000000000000 0000000000000000 0000000000000000 00007fffe86f3234
[  148.609391] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  148.609391] GPR24: 000000012a7d6468 000000012a7d6590 0000000000000001 0000000163a574f0
[  148.609391] GPR28: 00002000000e1d54 0000000000000000 c000003fbae9fea0 900000000280f033
[  148.610016] NIP [c00000000001d610] restore_math+0x60/0x200
[  148.610079] LR [c00000000000dd00] ret_from_except_lite+0x2c/0x74
[  148.610143] Call Trace:
[  148.610186] [c000003fbae9fdf0] [c000003fbae9fe30] 0xc000003fbae9fe30 (unreliable)
[  148.610287] [c000003fbae9fe30] [c00000000000dd00] ret_from_except_lite+0x2c/0x74
[  148.610378] Instruction dump:
[  148.610414] 7be7e8a4 78e71f87 40820024 e92d0260 89290e78 2f890000 409e0014 e92d0260
[  148.610471] 89290e79 2f890000 419e0074 3d020009 <e9081e88> 7d4000a6 7d494378 60000000
[  148.610568] ---[ end trace 1ec6b39ae7531745 ]---
[  149.593561]
[  150.593628] Kernel panic - not syncing: Fatal exception
"

Thanks,
-Yi Li