Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching

Pull livepatching updates from Jiri Kosina:

 - shadow variables support, allowing livepatches to associate new
   "shadow" fields to existing data structures, from Joe Lawrence

 - pre/post patch callbacks API, allowing livepatch writers to register
   callbacks to be called before and after patch application, from Joe
   Lawrence

* 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
  livepatch: __klp_disable_patch() should never be called for disabled patches
  livepatch: Correctly call klp_post_unpatch_callback() in error paths
  livepatch: add transition notices
  livepatch: move transition "complete" notice into klp_complete_transition()
  livepatch: add (un)patch callbacks
  livepatch: Small shadow variable documentation fixes
  livepatch: __klp_shadow_get_or_alloc() is local to shadow.c
  livepatch: introduce shadow variable API

8 files changed, 932 insertions, 3 deletions

diff --git a/samples/Kconfig b/samples/Kconfig
index 9cb63188d3ef..c332a3b9de05 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -71,11 +71,10 @@ config SAMPLE_RPMSG_CLIENT
           the rpmsg bus.
 
 config SAMPLE_LIVEPATCH
-        tristate "Build live patching sample -- loadable modules only"
+        tristate "Build live patching samples -- loadable modules only"
         depends on LIVEPATCH && m
         help
-          Builds a sample live patch that replaces the procfs handler
-          for /proc/cmdline to print "this has been live patched".
+          Build sample live patch demonstrations.
 
 config SAMPLE_CONFIGFS
         tristate "Build configfs patching sample -- loadable modules only"
diff --git a/samples/livepatch/Makefile b/samples/livepatch/Makefile
index 10319d7ea0b1..2472ce39a18d 100644
--- a/samples/livepatch/Makefile
+++ b/samples/livepatch/Makefile
@@ -1 +1,7 @@
 obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-sample.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-mod.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix1.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix2.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-callbacks-demo.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-callbacks-mod.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-callbacks-busymod.o
diff --git a/samples/livepatch/livepatch-callbacks-busymod.c b/samples/livepatch/livepatch-callbacks-busymod.c
new file mode 100644
index 000000000000..80d06e103f1b
--- /dev/null
+++ b/samples/livepatch/livepatch-callbacks-busymod.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-callbacks-busymod.c - (un)patching callbacks demo support module
+ *
+ *
+ * Purpose
+ * -------
+ *
+ * Simple module to demonstrate livepatch (un)patching callbacks.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-callbacks-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/workqueue.h>
+#include <linux/delay.h>
+
+static int sleep_secs;
+module_param(sleep_secs, int, 0644);
+MODULE_PARM_DESC(sleep_secs, "sleep_secs (default=0)");
+
+static void busymod_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(work, busymod_work_func);
+
+static void busymod_work_func(struct work_struct *work)
+{
+        pr_info("%s, sleeping %d seconds ...\n", __func__, sleep_secs);
+        msleep(sleep_secs * 1000);
+        pr_info("%s exit\n", __func__);
+}
+
+static int livepatch_callbacks_mod_init(void)
+{
+        pr_info("%s\n", __func__);
+        schedule_delayed_work(&work,
+                msecs_to_jiffies(1000 * 0));
+        return 0;
+}
+
+static void livepatch_callbacks_mod_exit(void)
+{
+        cancel_delayed_work_sync(&work);
+        pr_info("%s\n", __func__);
+}
+
+module_init(livepatch_callbacks_mod_init);
+module_exit(livepatch_callbacks_mod_exit);
+MODULE_LICENSE("GPL");
diff --git a/samples/livepatch/livepatch-callbacks-demo.c b/samples/livepatch/livepatch-callbacks-demo.c
new file mode 100644
index 000000000000..3d115bd68442
--- /dev/null
+++ b/samples/livepatch/livepatch-callbacks-demo.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-callbacks-demo.c - (un)patching callbacks livepatch demo
+ *
+ *
+ * Purpose
+ * -------
+ *
+ * Demonstration of registering livepatch (un)patching callbacks.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * Step 1 - load the simple module
+ *
+ *   insmod samples/livepatch/livepatch-callbacks-mod.ko
+ *
+ *
+ * Step 2 - load the demonstration livepatch (with callbacks)
+ *
+ *   insmod samples/livepatch/livepatch-callbacks-demo.ko
+ *
+ *
+ * Step 3 - cleanup
+ *
+ *   echo 0 > /sys/kernel/livepatch/livepatch_callbacks_demo/enabled
+ *   rmmod livepatch_callbacks_demo
+ *   rmmod livepatch_callbacks_mod
+ *
+ * Watch dmesg output to see livepatch enablement, callback execution
+ * and patching operations for both vmlinux and module targets.
+ *
+ * NOTE: swap the insmod order of livepatch-callbacks-mod.ko and
+ *       livepatch-callbacks-demo.ko to observe what happens when a
+ *       target module is loaded after a livepatch with callbacks.
+ *
+ * NOTE: 'pre_patch_ret' is a module parameter that sets the pre-patch
+ *       callback return status.  Try setting up a non-zero status
+ *       such as -19 (-ENODEV):
+ *
+ *       # Load demo livepatch, vmlinux is patched
+ *       insmod samples/livepatch/livepatch-callbacks-demo.ko
+ *
+ *       # Setup next pre-patch callback to return -ENODEV
+ *       echo -19 > /sys/module/livepatch_callbacks_demo/parameters/pre_patch_ret
+ *
+ *       # Module loader refuses to load the target module
+ *       insmod samples/livepatch/livepatch-callbacks-mod.ko
+ *       insmod: ERROR: could not insert module samples/livepatch/livepatch-callbacks-mod.ko: No such device
+ *
+ * NOTE: There is a second target module,
+ *       livepatch-callbacks-busymod.ko, available for experimenting
+ *       with livepatch (un)patch callbacks.  This module contains
+ *       a 'sleep_secs' parameter that parks the module on one of the
+ *       functions that the livepatch demo module wants to patch.
+ *       Modifying this value and tweaking the order of module loads can
+ *       effectively demonstrate stalled patch transitions:
+ *
+ *       # Load a target module, let it park on 'busymod_work_func' for
+ *       # thirty seconds
+ *       insmod samples/livepatch/livepatch-callbacks-busymod.ko sleep_secs=30
+ *
+ *       # Meanwhile load the livepatch
+ *       insmod samples/livepatch/livepatch-callbacks-demo.ko
+ *
+ *       # ... then load and unload another target module while the
+ *       # transition is in progress
+ *       insmod samples/livepatch/livepatch-callbacks-mod.ko
+ *       rmmod samples/livepatch/livepatch-callbacks-mod.ko
+ *
+ *       # Finally cleanup
+ *       echo 0 > /sys/kernel/livepatch/livepatch_callbacks_demo/enabled
+ *       rmmod samples/livepatch/livepatch-callbacks-demo.ko
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+
+static int pre_patch_ret;
+module_param(pre_patch_ret, int, 0644);
+MODULE_PARM_DESC(pre_patch_ret, "pre_patch_ret (default=0)");
+
+static const char *const module_state[] = {
+        [MODULE_STATE_LIVE]     = "[MODULE_STATE_LIVE] Normal state",
+        [MODULE_STATE_COMING]   = "[MODULE_STATE_COMING] Full formed, running module_init",
+        [MODULE_STATE_GOING]    = "[MODULE_STATE_GOING] Going away",
+        [MODULE_STATE_UNFORMED] = "[MODULE_STATE_UNFORMED] Still setting it up",
+};
+
+static void callback_info(const char *callback, struct klp_object *obj)
+{
+        if (obj->mod)
+                pr_info("%s: %s -> %s\n", callback, obj->mod->name,
+                        module_state[obj->mod->state]);
+        else
+                pr_info("%s: vmlinux\n", callback);
+}
+
+/* Executed on object patching (ie, patch enablement) */
+static int pre_patch_callback(struct klp_object *obj)
+{
+        callback_info(__func__, obj);
+        return pre_patch_ret;
+}
+
+/* Executed on object unpatching (ie, patch disablement) */
+static void post_patch_callback(struct klp_object *obj)
+{
+        callback_info(__func__, obj);
+}
+
+/* Executed on object unpatching (ie, patch disablement) */
+static void pre_unpatch_callback(struct klp_object *obj)
+{
+        callback_info(__func__, obj);
+}
+
+/* Executed on object unpatching (ie, patch disablement) */
+static void post_unpatch_callback(struct klp_object *obj)
+{
+        callback_info(__func__, obj);
+}
+
+static void patched_work_func(struct work_struct *work)
+{
+        pr_info("%s\n", __func__);
+}
+
+static struct klp_func no_funcs[] = {
+        { }
+};
+
+static struct klp_func busymod_funcs[] = {
+        {
+                .old_name = "busymod_work_func",
+                .new_func = patched_work_func,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = NULL,   /* vmlinux */
+                .funcs = no_funcs,
+                .callbacks = {
+                        .pre_patch = pre_patch_callback,
+                        .post_patch = post_patch_callback,
+                        .pre_unpatch = pre_unpatch_callback,
+                        .post_unpatch = post_unpatch_callback,
+                },
+        },      {
+                .name = "livepatch_callbacks_mod",
+                .funcs = no_funcs,
+                .callbacks = {
+                        .pre_patch = pre_patch_callback,
+                        .post_patch = post_patch_callback,
+                        .pre_unpatch = pre_unpatch_callback,
+                        .post_unpatch = post_unpatch_callback,
+                },
+        },      {
+                .name = "livepatch_callbacks_busymod",
+                .funcs = busymod_funcs,
+                .callbacks = {
+                        .pre_patch = pre_patch_callback,
+                        .post_patch = post_patch_callback,
+                        .pre_unpatch = pre_unpatch_callback,
+                        .post_unpatch = post_unpatch_callback,
+                },
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_callbacks_demo_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_callbacks_demo_exit(void)
+{
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_callbacks_demo_init);
+module_exit(livepatch_callbacks_demo_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-callbacks-mod.c b/samples/livepatch/livepatch-callbacks-mod.c
new file mode 100644
index 000000000000..e610ce29ba44
--- /dev/null
+++ b/samples/livepatch/livepatch-callbacks-mod.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-callbacks-mod.c - (un)patching callbacks demo support module
+ *
+ *
+ * Purpose
+ * -------
+ *
+ * Simple module to demonstrate livepatch (un)patching callbacks.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-callbacks-demo.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+
+static int livepatch_callbacks_mod_init(void)
+{
+        pr_info("%s\n", __func__);
+        return 0;
+}
+
+static void livepatch_callbacks_mod_exit(void)
+{
+        pr_info("%s\n", __func__);
+}
+
+module_init(livepatch_callbacks_mod_init);
+module_exit(livepatch_callbacks_mod_exit);
+MODULE_LICENSE("GPL");
diff --git a/samples/livepatch/livepatch-shadow-fix1.c b/samples/livepatch/livepatch-shadow-fix1.c
new file mode 100644
index 000000000000..fbe0a1f3d99b
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix1.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix1.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Fixes the memory leak introduced in livepatch-shadow-mod through the
+ * use of a shadow variable.  This fix demonstrates the "extending" of
+ * short-lived data structures by patching its allocation and release
+ * functions.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+struct dummy *livepatch_fix1_dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /*
+         * Patch: save the extra memory location into a SV_LEAK shadow
+         * variable.  A patched dummy_free routine can later fetch this
+         * pointer to handle resource release.
+         */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+        klp_shadow_alloc(d, SV_LEAK, &leak, sizeof(leak), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+void livepatch_fix1_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+
+        /*
+         * Patch: fetch the saved SV_LEAK shadow variable, detach and
+         * free it.  Note: handle cases where this shadow variable does
+         * not exist (ie, dummy structures allocated before this livepatch
+         * was loaded.)
+         */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_alloc",
+                .new_func = livepatch_fix1_dummy_alloc,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix1_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix1_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix1_exit(void)
+{
+        /* Cleanup any existing SV_LEAK shadow variables */
+        klp_shadow_free_all(SV_LEAK);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix1_init);
+module_exit(livepatch_shadow_fix1_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-fix2.c b/samples/livepatch/livepatch-shadow-fix2.c
new file mode 100644
index 000000000000..53c1794bdc5f
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix2.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix2.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Adds functionality to livepatch-shadow-mod's in-flight data
+ * structures through a shadow variable.  The livepatch patches a
+ * routine that periodically inspects data structures, incrementing a
+ * per-data-structure counter, creating the counter if needed.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+#define SV_COUNTER      2
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+bool livepatch_fix2_dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        int *shadow_count;
+        int count;
+
+        /*
+         * Patch: handle in-flight dummy structures, if they do not
+         * already have a SV_COUNTER shadow variable, then attach a
+         * new one.
+         */
+        count = 0;
+        shadow_count = klp_shadow_get_or_alloc(d, SV_COUNTER,
+                                               &count, sizeof(count),
+                                               GFP_NOWAIT);
+        if (shadow_count)
+                *shadow_count += 1;
+
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+void livepatch_fix2_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+        int *shadow_count;
+
+        /* Patch: copy the memory leak patch from the fix1 module. */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        /*
+         * Patch: fetch the SV_COUNTER shadow variable and display
+         * the final count.  Detach the shadow variable.
+         */
+        shadow_count = klp_shadow_get(d, SV_COUNTER);
+        if (shadow_count) {
+                pr_info("%s: dummy @ %p, check counter = %d\n",
+                        __func__, d, *shadow_count);
+                klp_shadow_free(d, SV_COUNTER);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_check",
+                .new_func = livepatch_fix2_dummy_check,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix2_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix2_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix2_exit(void)
+{
+        /* Cleanup any existing SV_COUNTER shadow variables */
+        klp_shadow_free_all(SV_COUNTER);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix2_init);
+module_exit(livepatch_shadow_fix2_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-mod.c b/samples/livepatch/livepatch-shadow-mod.c
new file mode 100644
index 000000000000..4c54b250332d
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-mod.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-mod.c - Shadow variables, buggy module demo
+ *
+ * Purpose
+ * -------
+ *
+ * As a demonstration of livepatch shadow variable API, this module
+ * introduces memory leak behavior that livepatch modules
+ * livepatch-shadow-fix1.ko and livepatch-shadow-fix2.ko correct and
+ * enhance.
+ *
+ * WARNING - even though the livepatch-shadow-fix modules patch the
+ * memory leak, please load these modules at your own risk -- some
+ * amount of memory may leaked before the bug is patched.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * Step 1 - Load the buggy demonstration module:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-mod.ko
+ *
+ * Watch dmesg output for a few moments to see new dummy being allocated
+ * and a periodic cleanup check.  (Note: a small amount of memory is
+ * being leaked.)
+ *
+ *
+ * Step 2 - Load livepatch fix1:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix1.ko
+ *
+ * Continue watching dmesg and note that now livepatch_fix1_dummy_free()
+ * and livepatch_fix1_dummy_alloc() are logging messages about leaked
+ * memory and eventually leaks prevented.
+ *
+ *
+ * Step 3 - Load livepatch fix2 (on top of fix1):
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix2.ko
+ *
+ * This module extends functionality through shadow variables, as a new
+ * "check" counter is added to the dummy structure.  Periodic dmesg
+ * messages will log these as dummies are cleaned up.
+ *
+ *
+ * Step 4 - Cleanup
+ *
+ * Unwind the demonstration by disabling the livepatch fix modules, then
+ * removing them and the demo module:
+ *
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix2/enabled
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix1/enabled
+ *   rmmod livepatch-shadow-fix2
+ *   rmmod livepatch-shadow-fix1
+ *   rmmod livepatch-shadow-mod
+ */
+
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/stat.h>
+#include <linux/workqueue.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Joe Lawrence <joe.lawrence@redhat.com>");
+MODULE_DESCRIPTION("Buggy module for shadow variable demo");
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+/*
+ * Keep a list of all the dummies so we can clean up any residual ones
+ * on module exit
+ */
+LIST_HEAD(dummy_list);
+DEFINE_MUTEX(dummy_list_mutex);
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+noinline struct dummy *dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /* Oops, forgot to save leak! */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+noinline void dummy_free(struct dummy *d)
+{
+        pr_info("%s: dummy @ %p, expired = %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        kfree(d);
+}
+
+noinline bool dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+/*
+ * alloc_work_func: allocates new dummy structures, allocates additional
+ *                  memory, aptly named "leak", but doesn't keep
+ *                  permanent record of it.
+ */
+
+static void alloc_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(alloc_dwork, alloc_work_func);
+
+static void alloc_work_func(struct work_struct *work)
+{
+        struct dummy *d;
+
+        d = dummy_alloc();
+        if (!d)
+                return;
+
+        mutex_lock(&dummy_list_mutex);
+        list_add(&d->list, &dummy_list);
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+}
+
+/*
+ * cleanup_work_func: frees dummy structures.  Without knownledge of
+ *                    "leak", it leaks the additional memory that
+ *                    alloc_work_func created.
+ */
+
+static void cleanup_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(cleanup_dwork, cleanup_work_func);
+
+static void cleanup_work_func(struct work_struct *work)
+{
+        struct dummy *d, *tmp;
+        unsigned long j;
+
+        j = jiffies;
+        pr_info("%s: jiffies = %lx\n", __func__, j);
+
+        mutex_lock(&dummy_list_mutex);
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+
+                /* Kick out and free any expired dummies */
+                if (dummy_check(d, j)) {
+                        list_del(&d->list);
+                        dummy_free(d);
+                }
+        }
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+}
+
+static int livepatch_shadow_mod_init(void)
+{
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+
+        return 0;
+}
+
+static void livepatch_shadow_mod_exit(void)
+{
+        struct dummy *d, *tmp;
+
+        /* Wait for any dummies at work */
+        cancel_delayed_work_sync(&alloc_dwork);
+        cancel_delayed_work_sync(&cleanup_dwork);
+
+        /* Cleanup residual dummies */
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+                list_del(&d->list);
+                dummy_free(d);
+        }
+}
+
+module_init(livepatch_shadow_mod_init);
+module_exit(livepatch_shadow_mod_exit);