Contributors: 2
Author Tokens Token Proportion Commits Commit Proportion
Kumar Kartikeya Dwivedi 200 99.50% 1 50.00%
Andrii Nakryiko 1 0.50% 1 50.00%
Total 201 2


// SPDX-License-Identifier: GPL-2.0
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

const volatile struct {
	/* thread to activate trace programs for */
	pid_t tgid;
	/* return error from __init function */
	int inject_error;
	/* uffd monitored range start address */
	void *fault_addr;
} bpf_mod_race_config = { -1 };

int bpf_blocking = 0;
int res_try_get_module = -1;

static __always_inline bool check_thread_id(void)
{
	struct task_struct *task = bpf_get_current_task_btf();

	return task->tgid == bpf_mod_race_config.tgid;
}

/* The trace of execution is something like this:
 *
 * finit_module()
 *   load_module()
 *     prepare_coming_module()
 *       notifier_call(MODULE_STATE_COMING)
 *         btf_parse_module()
 *         btf_alloc_id()		// Visible to userspace at this point
 *         list_add(btf_mod->list, &btf_modules)
 *     do_init_module()
 *       freeinit = kmalloc()
 *       ret = mod->init()
 *         bpf_prog_widen_race()
 *           bpf_copy_from_user()
 *             ...<sleep>...
 *       if (ret < 0)
 *         ...
 *         free_module()
 * return ret
 *
 * At this point, module loading thread is blocked, we now load the program:
 *
 * bpf_check
 *   add_kfunc_call/check_pseudo_btf_id
 *     btf_try_get_module
 *       try_get_module_live == false
 *     return -ENXIO
 *
 * Without the fix (try_get_module_live in btf_try_get_module):
 *
 * bpf_check
 *   add_kfunc_call/check_pseudo_btf_id
 *     btf_try_get_module
 *       try_get_module == true
 *     <store module reference in btf_kfunc_tab or used_btf array>
 *   ...
 * return fd
 *
 * Now, if we inject an error in the blocked program, our module will be freed
 * (going straight from MODULE_STATE_COMING to MODULE_STATE_GOING).
 * Later, when bpf program is freed, it will try to module_put already freed
 * module. This is why try_get_module_live returns false if mod->state is not
 * MODULE_STATE_LIVE.
 */

SEC("fmod_ret.s/bpf_fentry_test1")
int BPF_PROG(widen_race, int a, int ret)
{
	char dst;

	if (!check_thread_id())
		return 0;
	/* Indicate that we will attempt to block */
	bpf_blocking = 1;
	bpf_copy_from_user(&dst, 1, bpf_mod_race_config.fault_addr);
	return bpf_mod_race_config.inject_error;
}

SEC("fexit/do_init_module")
int BPF_PROG(fexit_init_module, struct module *mod, int ret)
{
	if (!check_thread_id())
		return 0;
	/* Indicate that we finished blocking */
	bpf_blocking = 2;
	return 0;
}

SEC("fexit/btf_try_get_module")
int BPF_PROG(fexit_module_get, const struct btf *btf, struct module *mod)
{
	res_try_get_module = !!mod;
	return 0;
}

char _license[] SEC("license") = "GPL";