From patchwork Tue Apr 18 20:46:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 13216153 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA7EBC77B76 for ; Tue, 18 Apr 2023 20:46:51 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 197AE8E0002; Tue, 18 Apr 2023 16:46:51 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 148948E0001; Tue, 18 Apr 2023 16:46:51 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id F2ADF8E0002; Tue, 18 Apr 2023 16:46:50 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id E14288E0001 for ; Tue, 18 Apr 2023 16:46:50 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id AEC181C64C1 for ; Tue, 18 Apr 2023 20:46:50 +0000 (UTC) X-FDA: 80695695780.13.D165152 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) by imf19.hostedemail.com (Postfix) with ESMTP id 8E3FC1A0017 for ; Tue, 18 Apr 2023 20:46:47 +0000 (UTC) Authentication-Results: imf19.hostedemail.com; dkim=pass header.d=infradead.org header.s=bombadil.20210309 header.b=OIwoIbgC; dmarc=fail reason="No valid SPF, DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=none (imf19.hostedemail.com: domain of mcgrof@infradead.org has no SPF policy when checking 198.137.202.133) smtp.mailfrom=mcgrof@infradead.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1681850808; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=dvxTOt6soO4QHXgBHypmVeoUAcAHomPErZOJFnnFmIA=; b=cqJsfqPTLfORubPsYe2uvK6EAi60p5RxgLywoM1gXGSTmZS5tID327lply4IBoylfrWpjM TjR1SHmPUYFhWP6SYbXq2OUj3lE/gLPZAJ16hEncTMHzDrdgBJIbdOJs1jzgXrjyQQ907J mXt6LA2usiSZ3DQQu+ypDzDbPqpY69k= ARC-Authentication-Results: i=1; imf19.hostedemail.com; dkim=pass header.d=infradead.org header.s=bombadil.20210309 header.b=OIwoIbgC; dmarc=fail reason="No valid SPF, DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=none (imf19.hostedemail.com: domain of mcgrof@infradead.org has no SPF policy when checking 198.137.202.133) smtp.mailfrom=mcgrof@infradead.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1681850808; a=rsa-sha256; cv=none; b=1P7Ij8oAUJi5VPz/Hg6a1iF5x4odwZMhijDWK0RefWU7pLEE9Es4vv3uYKxZGJNGspD71h AI5aVFkJLsgSzPxqHJTe7NjdlQShm6+DuZJASUIkRwGj3dEGVKZNuHCaJGeqv/6L6X952Y W7dwo6XZbixNL705Tx0a7xt54+aT1gc= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:Content-Transfer-Encoding: MIME-Version:Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-Type: Content-ID:Content-Description:In-Reply-To:References; bh=dvxTOt6soO4QHXgBHypmVeoUAcAHomPErZOJFnnFmIA=; b=OIwoIbgChhDfkuyQaysTl9tQ8r w176AbT4GduV9FtGaPP4Oue8H8hcd/AYPS9+AtssZhriVTGrqBBnVQPZesMEqBqVw/ET3nj5QuR4l rnf7f3wsov0ZpGjinRwLzfybaoRF+d9H/m0DNkRDR7Duemz6T3OBNQ3Zpsqywb8dNYSrQqsTzVK5N 87Eq+WRPjrzDYXNMVZXAIctCzwutluHbJ8OjiKI7vtw3Kqqbbk/ODs8aEmtLN/X58s9vaEeo3Kcjt dNGuZgNcPvG0cbfGIXZwMu3hjqSc52XpXVhggf5MCiO77y/d0R59OIyaQgF5s433i2WJkdI4ohG/c 2O1lTCFw==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.96 #2 (Red Hat Linux)) id 1posDn-003Jy8-00; Tue, 18 Apr 2023 20:46:39 +0000 From: Luis Chamberlain To: david@redhat.com, patches@lists.linux.dev, linux-modules@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, pmladek@suse.com, petr.pavlu@suse.com, prarit@redhat.com, torvalds@linux-foundation.org, gregkh@linuxfoundation.org, rafael@kernel.org Cc: christophe.leroy@csgroup.eu, tglx@linutronix.de, peterz@infradead.org, song@kernel.org, rppt@kernel.org, dave@stgolabs.net, willy@infradead.org, vbabka@suse.cz, mhocko@suse.com, dave.hansen@linux.intel.com, colin.i.king@gmail.com, jim.cromie@gmail.com, catalin.marinas@arm.com, jbaron@akamai.com, rick.p.edgecombe@intel.com, mcgrof@kernel.org Subject: [PATCH] module: add debugging auto-load duplicate module support Date: Tue, 18 Apr 2023 13:46:36 -0700 Message-Id: <20230418204636.791699-1-mcgrof@kernel.org> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-Rspam-User: X-Rspamd-Server: rspam02 X-Rspamd-Queue-Id: 8E3FC1A0017 X-Stat-Signature: smnscxqhsa7ogix7ukmp8hqpqfb47gk8 X-HE-Tag: 1681850807-128772 X-HE-Meta: U2FsdGVkX19BAFfJ3OirZ1iJp7SUxgJ3mf0CtMQqjkkZMhvzEGJZgzQN1uOdA3UpOK8qqCF0Re0ISru4PsrDbCxwQV2dPqy9jFJF84wMXEiSjQtKp4qkP8JyTs71zsMEd9wToU8eFHc54ElikO6aX3cJ85vj9gUZ83xEUx3VvD4WbSBI/GwwmRqq9kbigkRlI+ZfGpXTDlbPo0OOV49lLfvpCMoIc0k4JBKrRPwoa4hFAmO4QJM8dIIR2hGNnbbwajrHTbQYGy1I8WE7iNn9iYo7KkXARPJidvMu/hoAs7g6hr7J4o4JAIH8kfx866HziazKVV1r961M/Eu0gL7tB2MWwJkYpeB2cI3ELmNQIG75uz14x77pl8yKnjv3OCZZ1fO0D7mwWCwfHZDg3P1VGc57COrsgExPLfOC3NwR+oD5rmvIybOOcUuAE9lnBB/kZ6ZOPfQpMncR3yCNLJyb2ZW5ZxEuQIrn2+/6pUloktsopFU/hNbGspRWIC7Wl+oGO9/G0fXqC8fqguE0LbOdwfcSKOg+RqHVo0BS5LU1F1Q2waGu3G5Erpid1dOPBYkxjis56be9ihTAoeoB/St1rqtJJz7/a6UlRULK9YRtJsPPsA/4ryK62jXwN1b4XeftTh8zfh3fas6Iuq9MY3cWwGmpSfHZ4hRkwgb6G2kEQxCntBgKFwUYQNjXWTzRoTHi2l96tRD1JYE4FvI4FcCnYfMCwWPhnZZgVaY+LiCU6NHVAdn8PQRwXtTBS2QjMEtPW+4Eav7iBnj/8i1/CWxW8V9lqmMjLnS+LLfRrg8lIa1dYaswgjcM791Z8fvCTNVupkMIm5ZmPqnSl8kVA3a2wzo32d9Qidp20EqptQMzBd1OtdAiQHjVbBoscjzSuaoyF/P/Ck648EAzJfmx1RsqM5PfMYpxgjmBw/KgYs8eJ4jrqVWA6gLVgXE6HxDHy5fLM9zSPs/MW1PxWgYzZ9z xNyVV8lx n9vwmCUojqPPESsm5UvB/Ykua8KMDAz+GMWyt3wuVg/xMmO77pJs7bA5Hr3VFjqs8wWj74f+y4TaS4GQv2CXAkmn6tbEbFZjKbcoQ/fgH+8wzumuVH2g/+LMwYXlfQYliIv+4fTxQRXgWdLH5uwt4EYei3U0E7QUvXst2/wF0VfHIu+sJF1Hzo1XeWfZsqQsB2S2Fp44rk3ogRA8gbszuEwRn/CqlBJ2n3a4J19ssOjYdSpscqIhty9+pH+njOJH87vsnur4CqBTLICAbaVY8OsSrQP/+BRdzwo/4rm/h8/rH60kipSG2Pgr4zbYoiuK3VfPRx2K06hMkp7extnScUbvH1rQVyqK6TgDpYbQadMIJHgEGyJ8t8e9JnNdaB3k6ER5dTcNDeCGDS/U3fv2WF58ADG4M9HkrtLm8gLf24BYLsiGHEaph4Xr8nruk1vedo2he5jHi9PcI4htzj1f68cQ7yPKXQApdTLId1O3iTjeyp/1vaP7mAn2HcqJ/OTXrFEDq X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: This adds debugging support to the kernel module auto-loader to easily detect and deal with duplicate module requests. To aid with possible bootup failure issues it will supress the waste in virtual memory when races happen before userspace loads a module and the kernel is still issuing requests for the same module. Folks debugging virtual memory abuse on bootup can and should enable this to see what WARN()s come on, to see if module auto-loading is to blame for their woes. Signed-off-by: Luis Chamberlain --- Changes on this patch since the last RFC: o dropped the kernel_read*() patch from this series moving to punt the issues as a udev issue now that we have proof auto-loading is not the issue o some spell checks kernel/module/Kconfig | 40 +++++++ kernel/module/Makefile | 1 + kernel/module/dups.c | 234 +++++++++++++++++++++++++++++++++++++++ kernel/module/internal.h | 15 +++ kernel/module/kmod.c | 23 +++- 5 files changed, 309 insertions(+), 4 deletions(-) create mode 100644 kernel/module/dups.c diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index e6df183e2c80..cc146ef4a6ac 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -59,6 +59,46 @@ config MODULE_STATS If unsure, say N. +config MODULE_AUTOLOAD_SUPRESS_DUPS + bool "Debug duplicate modules with auto-loading" + help + Module autoloading allows in-kernel code to request modules through + the *request_module*() API calls. This in turn just calls userspace + modprobe. Although modprobe checks to see if a module is already + loaded before trying to load a module there is a small time window in + which multiple duplicate requests can end up in userspace and multiple + modprobe calls race calling finit_module() around the same time for + duplicate modules. The finit_module() system call can consume in the + worst case more than twice the respective module size in virtual + memory for each duplicate module requests. Although duplicate module + requests are non-fatal virtual memory is a limited resource and each + duplicate module request ends up just wasting virtual memory. + + This debugging facility will create WARN() splats for duplicate module + requests to help identify if module auto-loading is the culprit to your + woes. Since virtual memory abuse caused by duplicate module requests + could render a system unusable this functionality will also suppresses + the waste in virtual memory caused by duplicate requests by sharing + races in requests for the same module to a single unified request. + Once a non-wait request_module() call completes a module should be + loaded and modprobe should simply not allow new finit_module() calls. + + Enable this functionality to try to debug virtual memory abuse during + boot on systems and identify if the abuse was due to module + auto-loading. + + If the first module request used request_module_nowait() we cannot + use that as the anchor to wait for duplicate module requests, since + users of request_module() do want a proper return value. If a call + for the same module happened earlier with request_module() though, + then a duplicate request_module_nowait() would be detected. + + You want to enable this if you want to debug and see if duplicate + module auto-loading might be causing virtual memory abuse during + bootup. A kernel trace will be provided for each duplicate request. + + Disable this if you are on production. + endif # MODULE_DEBUG config MODULE_FORCE_LOAD diff --git a/kernel/module/Makefile b/kernel/module/Makefile index 52340bce497e..e8b121ac39cf 100644 --- a/kernel/module/Makefile +++ b/kernel/module/Makefile @@ -10,6 +10,7 @@ KCOV_INSTRUMENT_module.o := n obj-y += main.o obj-y += strict_rwx.o obj-y += kmod.o +obj-$(CONFIG_MODULE_AUTOLOAD_SUPRESS_DUPS) += dups.o obj-$(CONFIG_MODULE_DECOMPRESS) += decompress.o obj-$(CONFIG_MODULE_SIG) += signing.o obj-$(CONFIG_LIVEPATCH) += livepatch.o diff --git a/kernel/module/dups.c b/kernel/module/dups.c new file mode 100644 index 000000000000..903ab7c7e8f4 --- /dev/null +++ b/kernel/module/dups.c @@ -0,0 +1,234 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * kmod dups - the kernel module autoloader duplicate suppressor + * + * Copyright (C) 2023 Luis Chamberlain + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +DEFINE_MUTEX(kmod_dup_mutex); +static LIST_HEAD(dup_kmod_reqs); + +struct kmod_dup_req { + struct list_head list; + char name[MODULE_NAME_LEN]; + struct completion first_req_done; + struct work_struct complete_work; + struct delayed_work delete_work; + int dup_ret; +}; + +static struct kmod_dup_req *kmod_dup_request_lookup(char *module_name) +{ + struct kmod_dup_req *kmod_req; + + list_for_each_entry_rcu(kmod_req, &dup_kmod_reqs, list, + lockdep_is_held(&kmod_dup_mutex)) { + if (strlen(kmod_req->name) == strlen(module_name) && + !memcmp(kmod_req->name, module_name, strlen(module_name))) { + return kmod_req; + } + } + + return NULL; +} + +static void kmod_dup_request_delete(struct work_struct *work) +{ + struct kmod_dup_req *kmod_req; + kmod_req = container_of(to_delayed_work(work), struct kmod_dup_req, delete_work); + + /* + * The typical situation is a module successully loaded. In that + * situation the module will be present already in userspace. If + * new requests come in after that, userspace will already know the + * module is loaded so will just return 0 right away. There is still + * a small chance right after we delete this entry new request_module() + * calls may happen after that, they can happen. These heuristics + * are to protect finit_module() abuse for auto-loading, if modules + * are still tryign to auto-load even if a module is already loaded, + * that's on them, and those inneficiencies should not be fixed by + * kmod. The inneficies there are a call to modprobe and modprobe + * just returning 0. + */ + mutex_lock(&kmod_dup_mutex); + list_del_rcu(&kmod_req->list); + synchronize_rcu(); + mutex_unlock(&kmod_dup_mutex); + kfree(kmod_req); +} + +static void kmod_dup_request_complete(struct work_struct *work) +{ + struct kmod_dup_req *kmod_req; + + kmod_req = container_of(work, struct kmod_dup_req, complete_work); + + /* + * This will ensure that the kernel will let all the waiters get + * informed its time to check the return value. It's time to + * go home. + */ + complete_all(&kmod_req->first_req_done); + + /* + * Now that we have allowed prior request_module() calls to go on + * with life, let's schedule deleting this entry. We don't have + * to do it right away, but we *eventually* want to do it so to not + * let this linger forever as this is just a boot optimization for + * possible abuses of vmalloc() incurred by finit_module() thrashing. + */ + queue_delayed_work(system_wq, &kmod_req->delete_work, 60 * HZ); +} + +bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret) +{ + struct kmod_dup_req *kmod_req, *new_kmod_req; + int ret; + + /* + * Pre-allocate the entry in case we have to use it later + * to avoid contention with the mutex. + */ + new_kmod_req = kzalloc(sizeof(*new_kmod_req), GFP_KERNEL); + if (!new_kmod_req) + return false; + + memcpy(new_kmod_req->name, module_name, strlen(module_name)); + INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete); + INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete); + init_completion(&new_kmod_req->first_req_done); + + mutex_lock(&kmod_dup_mutex); + + kmod_req = kmod_dup_request_lookup(module_name); + if (!kmod_req) { + /* + * If the first request that came through for a module + * was with request_module_nowait() we cannot wait for it + * and share its return value with other users which may + * have used request_module() and need a proper return value + * so just skip using them as an anchor. + * + * If a prior request to this one came through with + * request_module() though, then a request_module_nowait() + * would benefit from duplicate detection. + */ + if (!wait) { + kfree(new_kmod_req); + pr_warn("New request_module_nowait() for %s -- cannot track duplicates for this request\n", module_name); + mutex_unlock(&kmod_dup_mutex); + return false; + } + + /* + * There was no duplicate, just add the request so we can + * keep tab on duplicates later. + */ + pr_info("New request_module() for %s\n", module_name); + list_add_rcu(&new_kmod_req->list, &dup_kmod_reqs); + mutex_unlock(&kmod_dup_mutex); + return false; + } + mutex_unlock(&kmod_dup_mutex); + + /* We are dealing with a duplicate request now */ + + kfree(new_kmod_req); + + /* + * To fix these try to use try_then_request_module() instead as that + * will check if the component you are looking for is present or not. + * You could also just queue a single request to load the module once, + * instead of having each and everything you need try to request for + * the module. + * + * Duplicate request_module() calls can cause quite a bit of wasted + * vmalloc() space when racing with userspace. + */ + WARN(1, "module-autoload: duplicate request for module %s\n", module_name); + + if (!wait) { + /* + * If request_module_nowait() was used then the user just + * wanted to issue the request and if another module request + * was already its way with the same name we don't care for + * the return value either. Let duplicate request_module_nowait() + * calls bail out right away. + */ + *dup_ret = 0; + return true; + } + + /* + * If a duplicate request_module() was used they *may* care for + * the return value, so we have no other option but to wait for + * the first caller to complete. If the first caller used + * the request_module_nowait() call, subsquent callers will + * deal with the comprmise of getting a successful call with this + * optimization enabled ... + */ + ret = wait_for_completion_state(&kmod_req->first_req_done, + TASK_UNINTERRUPTIBLE | TASK_KILLABLE); + if (ret) { + *dup_ret = ret; + return true; + } + + /* Now the duplicate request has the same exact return value as the first request */ + *dup_ret = kmod_req->dup_ret; + + return true; +} + +void kmod_dup_request_announce(char *module_name, int ret) +{ + struct kmod_dup_req *kmod_req; + + mutex_lock(&kmod_dup_mutex); + + kmod_req = kmod_dup_request_lookup(module_name); + if (!kmod_req) + goto out; + + kmod_req->dup_ret = ret; + + /* + * If we complete() here we may allow duplicate threads + * to continue before the first one that submitted the + * request. We're in no rush also, given that each and + * every bounce back to userspace is slow we avoid that + * with a slight delay here. So queueue up the completion + * and let duplicates suffer, just wait a tad bit longer. + * There is no rush. But we also don't want to hold the + * caller up forever or introduce any boot delays. + */ + queue_work(system_wq, &kmod_req->complete_work); + +out: + mutex_unlock(&kmod_dup_mutex); +} diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 1fd75dd346dc..962f146336e9 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -3,6 +3,7 @@ * * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) + * Copyright (C) 2023 Luis Chamberlain */ #include @@ -221,6 +222,20 @@ static inline void mod_stat_bump_becoming(struct load_info *info, int flags) #endif /* CONFIG_MODULE_STATS */ +#ifdef CONFIG_MODULE_AUTOLOAD_SUPRESS_DUPS +bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret); +void kmod_dup_request_announce(char *module_name, int ret); +#else +static inline bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret) +{ + return false; +} + +static inline void kmod_dup_request_announce(char *module_name, int ret) +{ +} +#endif + #ifdef CONFIG_MODULE_UNLOAD_TAINT_TRACKING struct mod_unload_taint { struct list_head list; diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c index 5899083436a3..0800d9891692 100644 --- a/kernel/module/kmod.c +++ b/kernel/module/kmod.c @@ -1,6 +1,9 @@ /* * kmod - the kernel module loader + * + * Copyright (C) 2023 Luis Chamberlain */ + #include #include #include @@ -27,6 +30,7 @@ #include #include +#include "internal.h" /* * Assuming: @@ -65,7 +69,7 @@ static void free_modprobe_argv(struct subprocess_info *info) kfree(info->argv); } -static int call_modprobe(char *module_name, int wait) +static int call_modprobe(char *orig_module_name, int wait) { struct subprocess_info *info; static char *envp[] = { @@ -74,12 +78,14 @@ static int call_modprobe(char *module_name, int wait) "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL }; + char *module_name; + int ret; char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL); if (!argv) goto out; - module_name = kstrdup(module_name, GFP_KERNEL); + module_name = kstrdup(orig_module_name, GFP_KERNEL); if (!module_name) goto free_argv; @@ -94,13 +100,16 @@ static int call_modprobe(char *module_name, int wait) if (!info) goto free_module_name; - return call_usermodehelper_exec(info, wait | UMH_KILLABLE); + ret = call_usermodehelper_exec(info, wait | UMH_KILLABLE); + kmod_dup_request_announce(orig_module_name, ret); + return ret; free_module_name: kfree(module_name); free_argv: kfree(argv); out: + kmod_dup_request_announce(orig_module_name, -ENOMEM); return -ENOMEM; } @@ -124,7 +133,7 @@ int __request_module(bool wait, const char *fmt, ...) { va_list args; char module_name[MODULE_NAME_LEN]; - int ret; + int ret, dup_ret; /* * We don't allow synchronous module loading from async. Module @@ -156,8 +165,14 @@ int __request_module(bool wait, const char *fmt, ...) trace_module_request(module_name, wait, _RET_IP_); + if (kmod_dup_request_exists_wait(module_name, wait, &dup_ret)) { + ret = dup_ret; + goto out; + } + ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC); +out: up(&kmod_concurrent_max); return ret;