livepatch: introduce shadow variable API

Add exported API for livepatch modules:

  klp_shadow_get()
  klp_shadow_alloc()
  klp_shadow_get_or_alloc()
  klp_shadow_free()
  klp_shadow_free_all()

that implement "shadow" variables, which allow callers to associate new
shadow fields to existing data structures.  This is intended to be used
by livepatch modules seeking to emulate additions to data structure
definitions.

See Documentation/livepatch/shadow-vars.txt for a summary of the new
shadow variable API, including a few common use cases.

See samples/livepatch/livepatch-shadow-* for example modules that
demonstrate shadow variables.

[jkosina@suse.cz: fix __klp_shadow_get_or_alloc() comment as spotted by
 Josh]
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

5 files changed, 570 insertions, 3 deletions

diff --git a/samples/Kconfig b/samples/Kconfig
index 9cb63188d3ef..c332a3b9de05 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -71,11 +71,10 @@ config SAMPLE_RPMSG_CLIENT
           the rpmsg bus.
 
 config SAMPLE_LIVEPATCH
-        tristate "Build live patching sample -- loadable modules only"
+        tristate "Build live patching samples -- loadable modules only"
         depends on LIVEPATCH && m
         help
-          Builds a sample live patch that replaces the procfs handler
-          for /proc/cmdline to print "this has been live patched".
+          Build sample live patch demonstrations.
 
 config SAMPLE_CONFIGFS
         tristate "Build configfs patching sample -- loadable modules only"
diff --git a/samples/livepatch/Makefile b/samples/livepatch/Makefile
index 10319d7ea0b1..539e81d433cd 100644
--- a/samples/livepatch/Makefile
+++ b/samples/livepatch/Makefile
@@ -1 +1,4 @@
 obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-sample.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-mod.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix1.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix2.o
diff --git a/samples/livepatch/livepatch-shadow-fix1.c b/samples/livepatch/livepatch-shadow-fix1.c
new file mode 100644
index 000000000000..fbe0a1f3d99b
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix1.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix1.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Fixes the memory leak introduced in livepatch-shadow-mod through the
+ * use of a shadow variable.  This fix demonstrates the "extending" of
+ * short-lived data structures by patching its allocation and release
+ * functions.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+struct dummy *livepatch_fix1_dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /*
+         * Patch: save the extra memory location into a SV_LEAK shadow
+         * variable.  A patched dummy_free routine can later fetch this
+         * pointer to handle resource release.
+         */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+        klp_shadow_alloc(d, SV_LEAK, &leak, sizeof(leak), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+void livepatch_fix1_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+
+        /*
+         * Patch: fetch the saved SV_LEAK shadow variable, detach and
+         * free it.  Note: handle cases where this shadow variable does
+         * not exist (ie, dummy structures allocated before this livepatch
+         * was loaded.)
+         */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_alloc",
+                .new_func = livepatch_fix1_dummy_alloc,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix1_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix1_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix1_exit(void)
+{
+        /* Cleanup any existing SV_LEAK shadow variables */
+        klp_shadow_free_all(SV_LEAK);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix1_init);
+module_exit(livepatch_shadow_fix1_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-fix2.c b/samples/livepatch/livepatch-shadow-fix2.c
new file mode 100644
index 000000000000..53c1794bdc5f
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix2.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix2.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Adds functionality to livepatch-shadow-mod's in-flight data
+ * structures through a shadow variable.  The livepatch patches a
+ * routine that periodically inspects data structures, incrementing a
+ * per-data-structure counter, creating the counter if needed.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+#define SV_COUNTER      2
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+bool livepatch_fix2_dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        int *shadow_count;
+        int count;
+
+        /*
+         * Patch: handle in-flight dummy structures, if they do not
+         * already have a SV_COUNTER shadow variable, then attach a
+         * new one.
+         */
+        count = 0;
+        shadow_count = klp_shadow_get_or_alloc(d, SV_COUNTER,
+                                               &count, sizeof(count),
+                                               GFP_NOWAIT);
+        if (shadow_count)
+                *shadow_count += 1;
+
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+void livepatch_fix2_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+        int *shadow_count;
+
+        /* Patch: copy the memory leak patch from the fix1 module. */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        /*
+         * Patch: fetch the SV_COUNTER shadow variable and display
+         * the final count.  Detach the shadow variable.
+         */
+        shadow_count = klp_shadow_get(d, SV_COUNTER);
+        if (shadow_count) {
+                pr_info("%s: dummy @ %p, check counter = %d\n",
+                        __func__, d, *shadow_count);
+                klp_shadow_free(d, SV_COUNTER);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_check",
+                .new_func = livepatch_fix2_dummy_check,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix2_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix2_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix2_exit(void)
+{
+        /* Cleanup any existing SV_COUNTER shadow variables */
+        klp_shadow_free_all(SV_COUNTER);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix2_init);
+module_exit(livepatch_shadow_fix2_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-mod.c b/samples/livepatch/livepatch-shadow-mod.c
new file mode 100644
index 000000000000..4c54b250332d
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-mod.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-mod.c - Shadow variables, buggy module demo
+ *
+ * Purpose
+ * -------
+ *
+ * As a demonstration of livepatch shadow variable API, this module
+ * introduces memory leak behavior that livepatch modules
+ * livepatch-shadow-fix1.ko and livepatch-shadow-fix2.ko correct and
+ * enhance.
+ *
+ * WARNING - even though the livepatch-shadow-fix modules patch the
+ * memory leak, please load these modules at your own risk -- some
+ * amount of memory may leaked before the bug is patched.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * Step 1 - Load the buggy demonstration module:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-mod.ko
+ *
+ * Watch dmesg output for a few moments to see new dummy being allocated
+ * and a periodic cleanup check.  (Note: a small amount of memory is
+ * being leaked.)
+ *
+ *
+ * Step 2 - Load livepatch fix1:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix1.ko
+ *
+ * Continue watching dmesg and note that now livepatch_fix1_dummy_free()
+ * and livepatch_fix1_dummy_alloc() are logging messages about leaked
+ * memory and eventually leaks prevented.
+ *
+ *
+ * Step 3 - Load livepatch fix2 (on top of fix1):
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix2.ko
+ *
+ * This module extends functionality through shadow variables, as a new
+ * "check" counter is added to the dummy structure.  Periodic dmesg
+ * messages will log these as dummies are cleaned up.
+ *
+ *
+ * Step 4 - Cleanup
+ *
+ * Unwind the demonstration by disabling the livepatch fix modules, then
+ * removing them and the demo module:
+ *
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix2/enabled
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix1/enabled
+ *   rmmod livepatch-shadow-fix2
+ *   rmmod livepatch-shadow-fix1
+ *   rmmod livepatch-shadow-mod
+ */
+
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/stat.h>
+#include <linux/workqueue.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Joe Lawrence <joe.lawrence@redhat.com>");
+MODULE_DESCRIPTION("Buggy module for shadow variable demo");
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+/*
+ * Keep a list of all the dummies so we can clean up any residual ones
+ * on module exit
+ */
+LIST_HEAD(dummy_list);
+DEFINE_MUTEX(dummy_list_mutex);
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+noinline struct dummy *dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /* Oops, forgot to save leak! */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+noinline void dummy_free(struct dummy *d)
+{
+        pr_info("%s: dummy @ %p, expired = %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        kfree(d);
+}
+
+noinline bool dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+/*
+ * alloc_work_func: allocates new dummy structures, allocates additional
+ *                  memory, aptly named "leak", but doesn't keep
+ *                  permanent record of it.
+ */
+
+static void alloc_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(alloc_dwork, alloc_work_func);
+
+static void alloc_work_func(struct work_struct *work)
+{
+        struct dummy *d;
+
+        d = dummy_alloc();
+        if (!d)
+                return;
+
+        mutex_lock(&dummy_list_mutex);
+        list_add(&d->list, &dummy_list);
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+}
+
+/*
+ * cleanup_work_func: frees dummy structures.  Without knownledge of
+ *                    "leak", it leaks the additional memory that
+ *                    alloc_work_func created.
+ */
+
+static void cleanup_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(cleanup_dwork, cleanup_work_func);
+
+static void cleanup_work_func(struct work_struct *work)
+{
+        struct dummy *d, *tmp;
+        unsigned long j;
+
+        j = jiffies;
+        pr_info("%s: jiffies = %lx\n", __func__, j);
+
+        mutex_lock(&dummy_list_mutex);
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+
+                /* Kick out and free any expired dummies */
+                if (dummy_check(d, j)) {
+                        list_del(&d->list);
+                        dummy_free(d);
+                }
+        }
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+}
+
+static int livepatch_shadow_mod_init(void)
+{
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+
+        return 0;
+}
+
+static void livepatch_shadow_mod_exit(void)
+{
+        struct dummy *d, *tmp;
+
+        /* Wait for any dummies at work */
+        cancel_delayed_work_sync(&alloc_dwork);
+        cancel_delayed_work_sync(&cleanup_dwork);
+
+        /* Cleanup residual dummies */
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+                list_del(&d->list);
+                dummy_free(d);
+        }
+}
+
+module_init(livepatch_shadow_mod_init);
+module_exit(livepatch_shadow_mod_exit);