mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-06 05:06:29 +00:00
bpf: Fix attaching fentry/fexit/fmod_ret/lsm to modules
This resolves two problems with attachment of fentry/fexit/fmod_ret/lsm to functions located in modules: 1. The verifier tries to find the address to attach to in kallsyms. This is always done by searching the entire kallsyms, not respecting the module in which the function is located. Such approach causes an incorrect attachment address to be computed if the function to attach to is shadowed by a function of the same name located earlier in kallsyms. 2. If the address to attach to is located in a module, the module reference is only acquired in register_fentry. If the module is unloaded between the place where the address is found (bpf_check_attach_target in the verifier) and register_fentry, it is possible that another module is loaded to the same address which may lead to potential errors. Since the attachment must contain the BTF of the program to attach to, we extract the module from it and search for the function address in the correct module (resolving problem no. 1). Then, the module reference is taken directly in bpf_check_attach_target and stored in the bpf program (in bpf_prog_aux). The reference is only released when the program is unloaded (resolving problem no. 2). Signed-off-by: Viktor Malik <vmalik@redhat.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Link: https://lore.kernel.org/r/3f6a9d8ae850532b5ef864ef16327b0f7a669063.1678432753.git.vmalik@redhat.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
parent
b8a2e3f93d
commit
31bf1dbccf
@ -1103,6 +1103,7 @@ struct bpf_trampoline {
|
||||
struct bpf_attach_target_info {
|
||||
struct btf_func_model fmodel;
|
||||
long tgt_addr;
|
||||
struct module *tgt_mod;
|
||||
const char *tgt_name;
|
||||
const struct btf_type *tgt_type;
|
||||
};
|
||||
@ -1406,6 +1407,7 @@ struct bpf_prog_aux {
|
||||
* main prog always has linfo_idx == 0
|
||||
*/
|
||||
u32 linfo_idx;
|
||||
struct module *mod;
|
||||
u32 num_exentries;
|
||||
struct exception_table_entry *extable;
|
||||
union {
|
||||
|
@ -2067,6 +2067,7 @@ static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred)
|
||||
{
|
||||
bpf_prog_kallsyms_del_all(prog);
|
||||
btf_put(prog->aux->btf);
|
||||
module_put(prog->aux->mod);
|
||||
kvfree(prog->aux->jited_linfo);
|
||||
kvfree(prog->aux->linfo);
|
||||
kfree(prog->aux->kfunc_tab);
|
||||
@ -3113,6 +3114,11 @@ static int bpf_tracing_prog_attach(struct bpf_prog *prog,
|
||||
if (err)
|
||||
goto out_unlock;
|
||||
|
||||
if (tgt_info.tgt_mod) {
|
||||
module_put(prog->aux->mod);
|
||||
prog->aux->mod = tgt_info.tgt_mod;
|
||||
}
|
||||
|
||||
tr = bpf_trampoline_get(key, &tgt_info);
|
||||
if (!tr) {
|
||||
err = -ENOMEM;
|
||||
|
@ -9,7 +9,6 @@
|
||||
#include <linux/btf.h>
|
||||
#include <linux/rcupdate_trace.h>
|
||||
#include <linux/rcupdate_wait.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/static_call.h>
|
||||
#include <linux/bpf_verifier.h>
|
||||
#include <linux/bpf_lsm.h>
|
||||
@ -172,26 +171,6 @@ static struct bpf_trampoline *bpf_trampoline_lookup(u64 key)
|
||||
return tr;
|
||||
}
|
||||
|
||||
static int bpf_trampoline_module_get(struct bpf_trampoline *tr)
|
||||
{
|
||||
struct module *mod;
|
||||
int err = 0;
|
||||
|
||||
preempt_disable();
|
||||
mod = __module_text_address((unsigned long) tr->func.addr);
|
||||
if (mod && !try_module_get(mod))
|
||||
err = -ENOENT;
|
||||
preempt_enable();
|
||||
tr->mod = mod;
|
||||
return err;
|
||||
}
|
||||
|
||||
static void bpf_trampoline_module_put(struct bpf_trampoline *tr)
|
||||
{
|
||||
module_put(tr->mod);
|
||||
tr->mod = NULL;
|
||||
}
|
||||
|
||||
static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr)
|
||||
{
|
||||
void *ip = tr->func.addr;
|
||||
@ -202,8 +181,6 @@ static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr)
|
||||
else
|
||||
ret = bpf_arch_text_poke(ip, BPF_MOD_CALL, old_addr, NULL);
|
||||
|
||||
if (!ret)
|
||||
bpf_trampoline_module_put(tr);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -238,9 +215,6 @@ static int register_fentry(struct bpf_trampoline *tr, void *new_addr)
|
||||
tr->func.ftrace_managed = true;
|
||||
}
|
||||
|
||||
if (bpf_trampoline_module_get(tr))
|
||||
return -ENOENT;
|
||||
|
||||
if (tr->func.ftrace_managed) {
|
||||
ftrace_set_filter_ip(tr->fops, (unsigned long)ip, 0, 1);
|
||||
ret = register_ftrace_direct_multi(tr->fops, (long)new_addr);
|
||||
@ -248,8 +222,6 @@ static int register_fentry(struct bpf_trampoline *tr, void *new_addr)
|
||||
ret = bpf_arch_text_poke(ip, BPF_MOD_CALL, NULL, new_addr);
|
||||
}
|
||||
|
||||
if (ret)
|
||||
bpf_trampoline_module_put(tr);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -24,6 +24,7 @@
|
||||
#include <linux/bpf_lsm.h>
|
||||
#include <linux/btf_ids.h>
|
||||
#include <linux/poison.h>
|
||||
#include "../module/internal.h"
|
||||
|
||||
#include "disasm.h"
|
||||
|
||||
@ -18307,6 +18308,7 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
|
||||
const char *tname;
|
||||
struct btf *btf;
|
||||
long addr = 0;
|
||||
struct module *mod = NULL;
|
||||
|
||||
if (!btf_id) {
|
||||
bpf_log(log, "Tracing programs must provide btf_id\n");
|
||||
@ -18480,8 +18482,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
|
||||
else
|
||||
addr = (long) tgt_prog->aux->func[subprog]->bpf_func;
|
||||
} else {
|
||||
addr = kallsyms_lookup_name(tname);
|
||||
if (btf_is_module(btf)) {
|
||||
mod = btf_try_get_module(btf);
|
||||
if (mod)
|
||||
addr = find_kallsyms_symbol_value(mod, tname);
|
||||
else
|
||||
addr = 0;
|
||||
} else {
|
||||
addr = kallsyms_lookup_name(tname);
|
||||
}
|
||||
if (!addr) {
|
||||
module_put(mod);
|
||||
bpf_log(log,
|
||||
"The address of function %s cannot be found\n",
|
||||
tname);
|
||||
@ -18521,11 +18532,13 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
|
||||
break;
|
||||
}
|
||||
if (ret) {
|
||||
module_put(mod);
|
||||
bpf_log(log, "%s is not sleepable\n", tname);
|
||||
return ret;
|
||||
}
|
||||
} else if (prog->expected_attach_type == BPF_MODIFY_RETURN) {
|
||||
if (tgt_prog) {
|
||||
module_put(mod);
|
||||
bpf_log(log, "can't modify return codes of BPF programs\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
@ -18534,6 +18547,7 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
|
||||
!check_attach_modify_return(addr, tname))
|
||||
ret = 0;
|
||||
if (ret) {
|
||||
module_put(mod);
|
||||
bpf_log(log, "%s() is not modifiable\n", tname);
|
||||
return ret;
|
||||
}
|
||||
@ -18544,6 +18558,7 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
|
||||
tgt_info->tgt_addr = addr;
|
||||
tgt_info->tgt_name = tname;
|
||||
tgt_info->tgt_type = t;
|
||||
tgt_info->tgt_mod = mod;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -18623,6 +18638,7 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
|
||||
/* store info about the attachment target that will be used later */
|
||||
prog->aux->attach_func_proto = tgt_info.tgt_type;
|
||||
prog->aux->attach_func_name = tgt_info.tgt_name;
|
||||
prog->aux->mod = tgt_info.tgt_mod;
|
||||
|
||||
if (tgt_prog) {
|
||||
prog->aux->saved_dst_prog_type = tgt_prog->type;
|
||||
|
@ -256,6 +256,11 @@ static inline bool sect_empty(const Elf_Shdr *sect)
|
||||
static inline void init_build_id(struct module *mod, const struct load_info *info) { }
|
||||
static inline void layout_symtab(struct module *mod, struct load_info *info) { }
|
||||
static inline void add_kallsyms(struct module *mod, const struct load_info *info) { }
|
||||
static inline unsigned long find_kallsyms_symbol_value(struct module *mod,
|
||||
const char *name)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif /* CONFIG_KALLSYMS */
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
|
Loading…
Reference in New Issue
Block a user