Merge branch 'bpfilter-fixes'

Taehee Yoo says: ==================== net: bpfilter: fix two bugs in bpfilter This patches fix two bugs in the bpfilter_umh which are related in iptables command. The first patch adds an exit code for UMH process. This provides an opportunity to cleanup members of the umh_info to modules which use the UMH. In order to identify UMH processes, a new flag PF_UMH is added. The second patch makes the bpfilter_umh use UMH cleanup callback. The third patch adds re-start routine for the bpfilter_umh. The bpfilter_umh does not re-start after error occurred. because there is no re-start routine in the module. The fourth patch ensures that the bpfilter.ko module will not removed while it's being used. The bpfilter.ko is not protected by locks or module reference counter. Therefore that can be removed while module is being used. In order to protect that, mutex is used. The first and second patch are preparation patches for the third and fourth patch. TEST #1 while : do modprobe bpfilter kill -9 <pid of the bpfilter_umh> iptables -vnL done TEST #2 while : do iptables -I FORWARD -m string --string ap --algo kmp & iptables -F & modprobe -rv bpfilter & done TEST #3 while : do modprobe bpfilter & modprobe -rv bpfilter & done The TEST1 makes a failure of iptables command. This is fixed by the third patch. The TEST2 makes a panic because of a race condition in the bpfilter_umh module. This is fixed by the fourth patch. The TEST3 makes a double-create UMH process. This is fixed by the third and fourth patch. v4 : - declare the exit_umh() as static inline - check stop flag in the load_umh() to avoid a double-create UMH v3 : - Avoid unnecessary list lookup for non-UMH processes - Add a new PF_UMH flag v2 : add the first and second patch v1 : Initial patch ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2019-01-11 21:05:41 -0500
committer: David S. Miller <davem@davemloft.net> 2019-01-11 21:05:41 -0500
commit: 3f4261d4e62fb2fe7eb5238b12fb22f06aed6e21 (patch)
tree: 5b8a9885880eb260a2bf885af0e32ad0bc19a90d
parent: 2ff33d6637393fe9348357285931811b76e1402f (diff)
parent: 71a8508402b570127d6500c1ad456bbd33ccf187 (diff)
8 files changed, 146 insertions, 50 deletions
diff --git a/include/linux/bpfilter.h b/include/linux/bpfilter.h
index f02cee0225d4..d815622cd31e 100644
--- a/include/linux/bpfilter.h
+++ b/include/linux/bpfilter.h
@@ -3,13 +3,22 @@
 #define _LINUX_BPFILTER_H
 #include <uapi/linux/bpfilter.h>
+#include <linux/umh.h>
 struct sock;
 int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval,
                            unsigned int optlen);
 int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval,
                            int __user *optlen);
-extern int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
+struct bpfilter_umh_ops {
-                                       char __user *optval,
+        struct umh_info info;
-                                       unsigned int optlen, bool is_set);
+        /* since ip_getsockopt() can run in parallel, serialize access to umh */
+        struct mutex lock;
+        int (*sockopt)(struct sock *sk, int optname,
+                       char __user *optval,
+                       unsigned int optlen, bool is_set);
+        int (*start)(void);
+        bool stop;
+};
+extern struct bpfilter_umh_ops bpfilter_ops;
 #endif
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 89541d248893..e35e35b9fc48 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1406,6 +1406,7 @@ extern struct pid *cad_pid;
 #define PF_RANDOMIZE            0x00400000      /* Randomize virtual address space */
 #define PF_SWAPWRITE            0x00800000      /* Allowed to write to swap */
 #define PF_MEMSTALL             0x01000000      /* Stalled due to lack of memory */
+#define PF_UMH                  0x02000000      /* I'm an Usermodehelper process */
 #define PF_NO_SETAFFINITY       0x04000000      /* Userland is not allowed to meddle with cpus_allowed */
 #define PF_MCE_EARLY            0x08000000      /* Early kill for mce process policy */
 #define PF_MUTEX_TESTER         0x20000000      /* Thread belongs to the rt mutex tester */
@@ -1904,6 +1905,14 @@ static inline void rseq_execve(struct task_struct *t)
 #endif
+void __exit_umh(struct task_struct *tsk);
+static inline void exit_umh(struct task_struct *tsk)
+{
+        if (unlikely(tsk->flags & PF_UMH))
+                __exit_umh(tsk);
+}
 #ifdef CONFIG_DEBUG_RSEQ
 void rseq_syscall(struct pt_regs *regs);
diff --git a/include/linux/umh.h b/include/linux/umh.h
index 235f51b62c71..0c08de356d0d 100644
--- a/include/linux/umh.h
+++ b/include/linux/umh.h
@@ -47,6 +47,8 @@ struct umh_info {
        const char *cmdline;
        struct file *pipe_to_umh;
        struct file *pipe_from_umh;
+        struct list_head list;
+        void (*cleanup)(struct umh_info *info);
        pid_t pid;
 };
 int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
diff --git a/kernel/exit.c b/kernel/exit.c
index 8a01b671dc1f..dad70419195c 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -866,6 +866,7 @@ void __noreturn do_exit(long code)
        exit_task_namespaces(tsk);
        exit_task_work(tsk);
        exit_thread(tsk);
+        exit_umh(tsk);
        /*
         * Flush inherited counters to the parent - before the parent
diff --git a/kernel/umh.c b/kernel/umh.c
index 0baa672e023c..d937cbad903a 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -37,6 +37,8 @@ static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
 static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
 static DEFINE_SPINLOCK(umh_sysctl_lock);
 static DECLARE_RWSEM(umhelper_sem);
+static LIST_HEAD(umh_list);
+static DEFINE_MUTEX(umh_list_lock);
 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
 {
@@ -100,10 +102,12 @@ static int call_usermodehelper_exec_async(void *data)
        commit_creds(new);
        sub_info->pid = task_pid_nr(current);
-        if (sub_info->file)
+        if (sub_info->file) {
                retval = do_execve_file(sub_info->file,
                                        sub_info->argv, sub_info->envp);
-        else
+                if (!retval)
+                        current->flags |= PF_UMH;
+        } else
                retval = do_execve(getname_kernel(sub_info->path),
                                   (const char __user *const __user *)sub_info->argv,
                                   (const char __user *const __user *)sub_info->envp);
@@ -517,6 +521,11 @@ int fork_usermode_blob(void *data, size_t len, struct umh_info *info)
                goto out;
        err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
+        if (!err) {
+                mutex_lock(&umh_list_lock);
+                list_add(&info->list, &umh_list);
+                mutex_unlock(&umh_list_lock);
+        }
 out:
        fput(file);
        return err;
@@ -679,6 +688,26 @@ static int proc_cap_handler(struct ctl_table *table, int write,
        return 0;
 }
+void __exit_umh(struct task_struct *tsk)
+{
+        struct umh_info *info;
+        pid_t pid = tsk->pid;
+        mutex_lock(&umh_list_lock);
+        list_for_each_entry(info, &umh_list, list) {
+                if (info->pid == pid) {
+                        list_del(&info->list);
+                        mutex_unlock(&umh_list_lock);
+                        goto out;
+                }
+        }
+        mutex_unlock(&umh_list_lock);
+        return;
+out:
+        if (info->cleanup)
+                info->cleanup(info);
+}
 struct ctl_table usermodehelper_table[] = {
        {
                .procname       = "bset",
diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c
index 7acfc83087d5..7ee4fea93637 100644
--- a/net/bpfilter/bpfilter_kern.c
+++ b/net/bpfilter/bpfilter_kern.c
@@ -13,39 +13,24 @@
 extern char bpfilter_umh_start;
 extern char bpfilter_umh_end;
-static struct umh_info info;
+static void shutdown_umh(void)
-/* since ip_getsockopt() can run in parallel, serialize access to umh */
-static DEFINE_MUTEX(bpfilter_lock);
-static void shutdown_umh(struct umh_info *info)
 {
        struct task_struct *tsk;
-        if (!info->pid)
+        if (bpfilter_ops.stop)
                return;
-        tsk = get_pid_task(find_vpid(info->pid), PIDTYPE_PID);
+        tsk = get_pid_task(find_vpid(bpfilter_ops.info.pid), PIDTYPE_PID);
        if (tsk) {
                force_sig(SIGKILL, tsk);
                put_task_struct(tsk);
        }
-        fput(info->pipe_to_umh);
-        fput(info->pipe_from_umh);
-        info->pid = 0;
 }
 static void __stop_umh(void)
 {
-        if (IS_ENABLED(CONFIG_INET)) {
+        if (IS_ENABLED(CONFIG_INET))
-                bpfilter_process_sockopt = NULL;
+                shutdown_umh();
-                shutdown_umh(&info);
-        }
-}
-static void stop_umh(void)
-{
-        mutex_lock(&bpfilter_lock);
-        __stop_umh();
-        mutex_unlock(&bpfilter_lock);
 }
 static int __bpfilter_process_sockopt(struct sock *sk, int optname,
@@ -63,10 +48,10 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
        req.cmd = optname;
        req.addr = (long __force __user)optval;
        req.len = optlen;
-        mutex_lock(&bpfilter_lock);
+        if (!bpfilter_ops.info.pid)
-        if (!info.pid)
                goto out;
-        n = __kernel_write(info.pipe_to_umh, &req, sizeof(req), &pos);
+        n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req),
+                           &pos);
        if (n != sizeof(req)) {
                pr_err("write fail %zd\n", n);
                __stop_umh();
@@ -74,7 +59,8 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
                goto out;
        }
        pos = 0;
-        n = kernel_read(info.pipe_from_umh, &reply, sizeof(reply), &pos);
+        n = kernel_read(bpfilter_ops.info.pipe_from_umh, &reply, sizeof(reply),
+                        &pos);
        if (n != sizeof(reply)) {
                pr_err("read fail %zd\n", n);
                __stop_umh();
@@ -83,37 +69,59 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
        }
        ret = reply.status;
 out:
-        mutex_unlock(&bpfilter_lock);
        return ret;
 }
-static int __init load_umh(void)
+static int start_umh(void)
 {
        int err;
        /* fork usermode process */
-        info.cmdline = "bpfilter_umh";
        err = fork_usermode_blob(&bpfilter_umh_start,
                                 &bpfilter_umh_end - &bpfilter_umh_start,
-                                 &info);
+                                 &bpfilter_ops.info);
        if (err)
                return err;
-        pr_info("Loaded bpfilter_umh pid %d\n", info.pid);
+        bpfilter_ops.stop = false;
+        pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid);
        /* health check that usermode process started correctly */
        if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) {
-                stop_umh();
+                shutdown_umh();
                return -EFAULT;
        }
-        if (IS_ENABLED(CONFIG_INET))
-                bpfilter_process_sockopt = &__bpfilter_process_sockopt;
        return 0;
 }
+static int __init load_umh(void)
+{
+        int err;
+        mutex_lock(&bpfilter_ops.lock);
+        if (!bpfilter_ops.stop) {
+                err = -EFAULT;
+                goto out;
+        }
+        err = start_umh();
+        if (!err && IS_ENABLED(CONFIG_INET)) {
+                bpfilter_ops.sockopt = &__bpfilter_process_sockopt;
+                bpfilter_ops.start = &start_umh;
+        }
+out:
+        mutex_unlock(&bpfilter_ops.lock);
+        return err;
+}
 static void __exit fini_umh(void)
 {
-        stop_umh();
+        mutex_lock(&bpfilter_ops.lock);
+        if (IS_ENABLED(CONFIG_INET)) {
+                shutdown_umh();
+                bpfilter_ops.start = NULL;
+                bpfilter_ops.sockopt = NULL;
+        }
+        mutex_unlock(&bpfilter_ops.lock);
 }
 module_init(load_umh);
 module_exit(fini_umh);
diff --git a/net/bpfilter/bpfilter_umh_blob.S b/net/bpfilter/bpfilter_umh_blob.S
index 40311d10d2f2..7f1c521dcc2f 100644
--- a/net/bpfilter/bpfilter_umh_blob.S
+++ b/net/bpfilter/bpfilter_umh_blob.S
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0 */
-        .section .init.rodata, "a"
+        .section .bpfilter_umh, "a"
        .global bpfilter_umh_start
 bpfilter_umh_start:
        .incbin "net/bpfilter/bpfilter_umh"
diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c
index 5e04ed25bc0e..1e976bb93d99 100644
--- a/net/ipv4/bpfilter/sockopt.c
+++ b/net/ipv4/bpfilter/sockopt.c
@@ -1,28 +1,54 @@
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/init.h>
+#include <linux/module.h>
 #include <linux/uaccess.h>
 #include <linux/bpfilter.h>
 #include <uapi/linux/bpf.h>
 #include <linux/wait.h>
 #include <linux/kmod.h>
+#include <linux/fs.h>
+#include <linux/file.h>
-int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
+struct bpfilter_umh_ops bpfilter_ops;
-                                char __user *optval,
+EXPORT_SYMBOL_GPL(bpfilter_ops);
-                                unsigned int optlen, bool is_set);
-EXPORT_SYMBOL_GPL(bpfilter_process_sockopt);
+static void bpfilter_umh_cleanup(struct umh_info *info)
+{
+        mutex_lock(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        fput(info->pipe_to_umh);
+        fput(info->pipe_from_umh);
+        info->pid = 0;
+        mutex_unlock(&bpfilter_ops.lock);
+}
 static int bpfilter_mbox_request(struct sock *sk, int optname,
                                 char __user *optval,
                                 unsigned int optlen, bool is_set)
 {
-        if (!bpfilter_process_sockopt) {
+        int err;
-                int err = request_module("bpfilter");
+        mutex_lock(&bpfilter_ops.lock);
+        if (!bpfilter_ops.sockopt) {
+                mutex_unlock(&bpfilter_ops.lock);
+                err = request_module("bpfilter");
+                mutex_lock(&bpfilter_ops.lock);
                if (err)
-                        return err;
+                        goto out;
-                if (!bpfilter_process_sockopt)
+                if (!bpfilter_ops.sockopt) {
-                        return -ECHILD;
+                        err = -ECHILD;
+                        goto out;
+                }
+        }
+        if (bpfilter_ops.stop) {
+                err = bpfilter_ops.start();
+                if (err)
+                        goto out;
        }
-        return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set);
+        err = bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set);
+out:
+        mutex_unlock(&bpfilter_ops.lock);
+        return err;
 }
 int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval,
@@ -41,3 +67,15 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval,
        return bpfilter_mbox_request(sk, optname, optval, len, false);
 }
+static int __init bpfilter_sockopt_init(void)
+{
+        mutex_init(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        bpfilter_ops.info.cmdline = "bpfilter_umh";
+        bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup;
+        return 0;
+}
+module_init(bpfilter_sockopt_init);
author	David S. Miller <davem@davemloft.net>	2019-01-11 21:05:41 -0500
committer	David S. Miller <davem@davemloft.net>	2019-01-11 21:05:41 -0500
commit	3f4261d4e62fb2fe7eb5238b12fb22f06aed6e21 (patch)
tree	5b8a9885880eb260a2bf885af0e32ad0bc19a90d
parent	2ff33d6637393fe9348357285931811b76e1402f (diff)
parent	71a8508402b570127d6500c1ad456bbd33ccf187 (diff)

diff --git a/include/linux/bpfilter.h b/include/linux/bpfilter.h index f02cee0225d4..d815622cd31e 100644 --- a/include/linux/bpfilter.h +++ b/include/linux/bpfilter.h
@@ -3,13 +3,22 @@
3	#define _LINUX_BPFILTER_H	3	#define _LINUX_BPFILTER_H
4		4
5	#include <uapi/linux/bpfilter.h>	5	#include <uapi/linux/bpfilter.h>
		6	#include <linux/umh.h>
6		7
7	struct sock;	8	struct sock;
8	int bpfilter_ip_set_sockopt(struct sock sk, int optname, char __user optval,	9	int bpfilter_ip_set_sockopt(struct sock sk, int optname, char __user optval,
9	unsigned int optlen);	10	unsigned int optlen);
10	int bpfilter_ip_get_sockopt(struct sock sk, int optname, char __user optval,	11	int bpfilter_ip_get_sockopt(struct sock sk, int optname, char __user optval,
11	int __user *optlen);	12	int __user *optlen);
12	extern int (bpfilter_process_sockopt)(struct sock sk, int optname,	13	struct bpfilter_umh_ops {
13	char __user *optval,	14	struct umh_info info;
14	unsigned int optlen, bool is_set);	15	/* since ip_getsockopt() can run in parallel, serialize access to umh */
		16	struct mutex lock;
		17	int (sockopt)(struct sock sk, int optname,
		18	char __user *optval,
		19	unsigned int optlen, bool is_set);
		20	int (*start)(void);
		21	bool stop;
		22	};
		23	extern struct bpfilter_umh_ops bpfilter_ops;
15	#endif	24	#endif


diff --git a/include/linux/sched.h b/include/linux/sched.h index 89541d248893..e35e35b9fc48 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h
@@ -1406,6 +1406,7 @@ extern struct pid *cad_pid;
1406	#define PF_RANDOMIZE 0x00400000 /* Randomize virtual address space */	1406	#define PF_RANDOMIZE 0x00400000 /* Randomize virtual address space */
1407	#define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */	1407	#define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */
1408	#define PF_MEMSTALL 0x01000000 /* Stalled due to lack of memory */	1408	#define PF_MEMSTALL 0x01000000 /* Stalled due to lack of memory */
		1409	#define PF_UMH 0x02000000 /* I'm an Usermodehelper process */
1409	#define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle with cpus_allowed */	1410	#define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle with cpus_allowed */
1410	#define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */	1411	#define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */
1411	#define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */	1412	#define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */
@@ -1904,6 +1905,14 @@ static inline void rseq_execve(struct task_struct *t)
1904		1905
1905	#endif	1906	#endif
1906		1907
		1908	void __exit_umh(struct task_struct *tsk);
		1909
		1910	static inline void exit_umh(struct task_struct *tsk)
		1911	{
		1912	if (unlikely(tsk->flags & PF_UMH))
		1913	__exit_umh(tsk);
		1914	}
		1915
1907	#ifdef CONFIG_DEBUG_RSEQ	1916	#ifdef CONFIG_DEBUG_RSEQ
1908		1917
1909	void rseq_syscall(struct pt_regs *regs);	1918	void rseq_syscall(struct pt_regs *regs);


diff --git a/include/linux/umh.h b/include/linux/umh.h index 235f51b62c71..0c08de356d0d 100644 --- a/include/linux/umh.h +++ b/include/linux/umh.h
@@ -47,6 +47,8 @@ struct umh_info {
47	const char *cmdline;	47	const char *cmdline;
48	struct file *pipe_to_umh;	48	struct file *pipe_to_umh;
49	struct file *pipe_from_umh;	49	struct file *pipe_from_umh;
		50	struct list_head list;
		51	void (cleanup)(struct umh_info info);
50	pid_t pid;	52	pid_t pid;
51	};	53	};
52	int fork_usermode_blob(void data, size_t len, struct umh_info info);	54	int fork_usermode_blob(void data, size_t len, struct umh_info info);


diff --git a/kernel/exit.c b/kernel/exit.c index 8a01b671dc1f..dad70419195c 100644 --- a/kernel/exit.c +++ b/kernel/exit.c
@@ -866,6 +866,7 @@ void __noreturn do_exit(long code)
866	exit_task_namespaces(tsk);	866	exit_task_namespaces(tsk);
867	exit_task_work(tsk);	867	exit_task_work(tsk);
868	exit_thread(tsk);	868	exit_thread(tsk);
		869	exit_umh(tsk);
869		870
870	/*	871	/*
871	* Flush inherited counters to the parent - before the parent	872	* Flush inherited counters to the parent - before the parent


diff --git a/kernel/umh.c b/kernel/umh.c index 0baa672e023c..d937cbad903a 100644 --- a/kernel/umh.c +++ b/kernel/umh.c
@@ -37,6 +37,8 @@ static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
37	static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;	37	static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
38	static DEFINE_SPINLOCK(umh_sysctl_lock);	38	static DEFINE_SPINLOCK(umh_sysctl_lock);
39	static DECLARE_RWSEM(umhelper_sem);	39	static DECLARE_RWSEM(umhelper_sem);
		40	static LIST_HEAD(umh_list);
		41	static DEFINE_MUTEX(umh_list_lock);
40		42
41	static void call_usermodehelper_freeinfo(struct subprocess_info *info)	43	static void call_usermodehelper_freeinfo(struct subprocess_info *info)
42	{	44	{
@@ -100,10 +102,12 @@ static int call_usermodehelper_exec_async(void *data)
100	commit_creds(new);	102	commit_creds(new);
101		103
102	sub_info->pid = task_pid_nr(current);	104	sub_info->pid = task_pid_nr(current);
103	if (sub_info->file)	105	if (sub_info->file) {
104	retval = do_execve_file(sub_info->file,	106	retval = do_execve_file(sub_info->file,
105	sub_info->argv, sub_info->envp);	107	sub_info->argv, sub_info->envp);
106	else	108	if (!retval)
		109	current->flags \|= PF_UMH;
		110	} else
107	retval = do_execve(getname_kernel(sub_info->path),	111	retval = do_execve(getname_kernel(sub_info->path),
108	(const char __user const __user )sub_info->argv,	112	(const char __user const __user )sub_info->argv,
109	(const char __user const __user )sub_info->envp);	113	(const char __user const __user )sub_info->envp);
@@ -517,6 +521,11 @@ int fork_usermode_blob(void data, size_t len, struct umh_info info)
517	goto out;	521	goto out;
518		522
519	err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);	523	err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
		524	if (!err) {
		525	mutex_lock(&umh_list_lock);
		526	list_add(&info->list, &umh_list);
		527	mutex_unlock(&umh_list_lock);
		528	}
520	out:	529	out:
521	fput(file);	530	fput(file);
522	return err;	531	return err;
@@ -679,6 +688,26 @@ static int proc_cap_handler(struct ctl_table *table, int write,
679	return 0;	688	return 0;
680	}	689	}
681		690
		691	void __exit_umh(struct task_struct *tsk)
		692	{
		693	struct umh_info *info;
		694	pid_t pid = tsk->pid;
		695
		696	mutex_lock(&umh_list_lock);
		697	list_for_each_entry(info, &umh_list, list) {
		698	if (info->pid == pid) {
		699	list_del(&info->list);
		700	mutex_unlock(&umh_list_lock);
		701	goto out;
		702	}
		703	}
		704	mutex_unlock(&umh_list_lock);
		705	return;
		706	out:
		707	if (info->cleanup)
		708	info->cleanup(info);
		709	}
		710
682	struct ctl_table usermodehelper_table[] = {	711	struct ctl_table usermodehelper_table[] = {
683	{	712	{
684	.procname = "bset",	713	.procname = "bset",


diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c index 7acfc83087d5..7ee4fea93637 100644 --- a/net/bpfilter/bpfilter_kern.c +++ b/net/bpfilter/bpfilter_kern.c
@@ -13,39 +13,24 @@
13	extern char bpfilter_umh_start;	13	extern char bpfilter_umh_start;
14	extern char bpfilter_umh_end;	14	extern char bpfilter_umh_end;
15		15
16	static struct umh_info info;	16	static void shutdown_umh(void)
17	/* since ip_getsockopt() can run in parallel, serialize access to umh */
18	static DEFINE_MUTEX(bpfilter_lock);
19
20	static void shutdown_umh(struct umh_info *info)
21	{	17	{
22	struct task_struct *tsk;	18	struct task_struct *tsk;
23		19
24	if (!info->pid)	20	if (bpfilter_ops.stop)
25	return;	21	return;
26	tsk = get_pid_task(find_vpid(info->pid), PIDTYPE_PID);	22
		23	tsk = get_pid_task(find_vpid(bpfilter_ops.info.pid), PIDTYPE_PID);
27	if (tsk) {	24	if (tsk) {
28	force_sig(SIGKILL, tsk);	25	force_sig(SIGKILL, tsk);
29	put_task_struct(tsk);	26	put_task_struct(tsk);
30	}	27	}
31	fput(info->pipe_to_umh);
32	fput(info->pipe_from_umh);
33	info->pid = 0;
34	}	28	}
35		29
36	static void __stop_umh(void)	30	static void __stop_umh(void)
37	{	31	{
38	if (IS_ENABLED(CONFIG_INET)) {	32	if (IS_ENABLED(CONFIG_INET))
39	bpfilter_process_sockopt = NULL;	33	shutdown_umh();
40	shutdown_umh(&info);
41	}
42	}
43
44	static void stop_umh(void)
45	{
46	mutex_lock(&bpfilter_lock);
47	__stop_umh();
48	mutex_unlock(&bpfilter_lock);
49	}	34	}
50		35
51	static int __bpfilter_process_sockopt(struct sock *sk, int optname,	36	static int __bpfilter_process_sockopt(struct sock *sk, int optname,
@@ -63,10 +48,10 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
63	req.cmd = optname;	48	req.cmd = optname;
64	req.addr = (long __force __user)optval;	49	req.addr = (long __force __user)optval;
65	req.len = optlen;	50	req.len = optlen;
66	mutex_lock(&bpfilter_lock);	51	if (!bpfilter_ops.info.pid)
67	if (!info.pid)
68	goto out;	52	goto out;
69	n = __kernel_write(info.pipe_to_umh, &req, sizeof(req), &pos);	53	n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req),
		54	&pos);
70	if (n != sizeof(req)) {	55	if (n != sizeof(req)) {
71	pr_err("write fail %zd\n", n);	56	pr_err("write fail %zd\n", n);
72	__stop_umh();	57	__stop_umh();
@@ -74,7 +59,8 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
74	goto out;	59	goto out;
75	}	60	}
76	pos = 0;	61	pos = 0;
77	n = kernel_read(info.pipe_from_umh, &reply, sizeof(reply), &pos);	62	n = kernel_read(bpfilter_ops.info.pipe_from_umh, &reply, sizeof(reply),
		63	&pos);
78	if (n != sizeof(reply)) {	64	if (n != sizeof(reply)) {
79	pr_err("read fail %zd\n", n);	65	pr_err("read fail %zd\n", n);
80	__stop_umh();	66	__stop_umh();
@@ -83,37 +69,59 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
83	}	69	}
84	ret = reply.status;	70	ret = reply.status;
85	out:	71	out:
86	mutex_unlock(&bpfilter_lock);
87	return ret;	72	return ret;
88	}	73	}
89		74
90	static int __init load_umh(void)	75	static int start_umh(void)
91	{	76	{
92	int err;	77	int err;
93		78
94	/* fork usermode process */	79	/* fork usermode process */
95	info.cmdline = "bpfilter_umh";
96	err = fork_usermode_blob(&bpfilter_umh_start,	80	err = fork_usermode_blob(&bpfilter_umh_start,
97	&bpfilter_umh_end - &bpfilter_umh_start,	81	&bpfilter_umh_end - &bpfilter_umh_start,
98	&info);	82	&bpfilter_ops.info);
99	if (err)	83	if (err)
100	return err;	84	return err;
101	pr_info("Loaded bpfilter_umh pid %d\n", info.pid);	85	bpfilter_ops.stop = false;
		86	pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid);
102		87
103	/* health check that usermode process started correctly */	88	/* health check that usermode process started correctly */
104	if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) {	89	if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) {
105	stop_umh();	90	shutdown_umh();
106	return -EFAULT;	91	return -EFAULT;
107	}	92	}
108	if (IS_ENABLED(CONFIG_INET))
109	bpfilter_process_sockopt = &__bpfilter_process_sockopt;
110		93
111	return 0;	94	return 0;
112	}	95	}
113		96
		97	static int __init load_umh(void)
		98	{
		99	int err;
		100
		101	mutex_lock(&bpfilter_ops.lock);
		102	if (!bpfilter_ops.stop) {
		103	err = -EFAULT;
		104	goto out;
		105	}
		106	err = start_umh();
		107	if (!err && IS_ENABLED(CONFIG_INET)) {
		108	bpfilter_ops.sockopt = &__bpfilter_process_sockopt;
		109	bpfilter_ops.start = &start_umh;
		110	}
		111	out:
		112	mutex_unlock(&bpfilter_ops.lock);
		113	return err;
		114	}
		115
114	static void __exit fini_umh(void)	116	static void __exit fini_umh(void)
115	{	117	{
116	stop_umh();	118	mutex_lock(&bpfilter_ops.lock);
		119	if (IS_ENABLED(CONFIG_INET)) {
		120	shutdown_umh();
		121	bpfilter_ops.start = NULL;
		122	bpfilter_ops.sockopt = NULL;
		123	}
		124	mutex_unlock(&bpfilter_ops.lock);
117	}	125	}
118	module_init(load_umh);	126	module_init(load_umh);
119	module_exit(fini_umh);	127	module_exit(fini_umh);


diff --git a/net/bpfilter/bpfilter_umh_blob.S b/net/bpfilter/bpfilter_umh_blob.S index 40311d10d2f2..7f1c521dcc2f 100644 --- a/net/bpfilter/bpfilter_umh_blob.S +++ b/net/bpfilter/bpfilter_umh_blob.S
@@ -1,5 +1,5 @@
1	/* SPDX-License-Identifier: GPL-2.0 */	1	/* SPDX-License-Identifier: GPL-2.0 */
2	.section .init.rodata, "a"	2	.section .bpfilter_umh, "a"
3	.global bpfilter_umh_start	3	.global bpfilter_umh_start
4	bpfilter_umh_start:	4	bpfilter_umh_start:
5	.incbin "net/bpfilter/bpfilter_umh"	5	.incbin "net/bpfilter/bpfilter_umh"


diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c index 5e04ed25bc0e..1e976bb93d99 100644 --- a/net/ipv4/bpfilter/sockopt.c +++ b/net/ipv4/bpfilter/sockopt.c
@@ -1,28 +1,54 @@
1	// SPDX-License-Identifier: GPL-2.0	1	// SPDX-License-Identifier: GPL-2.0
		2	#include <linux/init.h>
		3	#include <linux/module.h>
2	#include <linux/uaccess.h>	4	#include <linux/uaccess.h>
3	#include <linux/bpfilter.h>	5	#include <linux/bpfilter.h>
4	#include <uapi/linux/bpf.h>	6	#include <uapi/linux/bpf.h>
5	#include <linux/wait.h>	7	#include <linux/wait.h>
6	#include <linux/kmod.h>	8	#include <linux/kmod.h>
		9	#include <linux/fs.h>
		10	#include <linux/file.h>
7		11
8	int (bpfilter_process_sockopt)(struct sock sk, int optname,	12	struct bpfilter_umh_ops bpfilter_ops;
9	char __user *optval,	13	EXPORT_SYMBOL_GPL(bpfilter_ops);
10	unsigned int optlen, bool is_set);	14
11	EXPORT_SYMBOL_GPL(bpfilter_process_sockopt);	15	static void bpfilter_umh_cleanup(struct umh_info *info)
		16	{
		17	mutex_lock(&bpfilter_ops.lock);
		18	bpfilter_ops.stop = true;
		19	fput(info->pipe_to_umh);
		20	fput(info->pipe_from_umh);
		21	info->pid = 0;
		22	mutex_unlock(&bpfilter_ops.lock);
		23	}
12		24
13	static int bpfilter_mbox_request(struct sock *sk, int optname,	25	static int bpfilter_mbox_request(struct sock *sk, int optname,
14	char __user *optval,	26	char __user *optval,
15	unsigned int optlen, bool is_set)	27	unsigned int optlen, bool is_set)
16	{	28	{
17	if (!bpfilter_process_sockopt) {	29	int err;
18	int err = request_module("bpfilter");	30	mutex_lock(&bpfilter_ops.lock);
		31	if (!bpfilter_ops.sockopt) {
		32	mutex_unlock(&bpfilter_ops.lock);
		33	err = request_module("bpfilter");
		34	mutex_lock(&bpfilter_ops.lock);
19		35
20	if (err)	36	if (err)
21	return err;	37	goto out;
22	if (!bpfilter_process_sockopt)	38	if (!bpfilter_ops.sockopt) {
23	return -ECHILD;	39	err = -ECHILD;
		40	goto out;
		41	}
		42	}
		43	if (bpfilter_ops.stop) {
		44	err = bpfilter_ops.start();
		45	if (err)
		46	goto out;
24	}	47	}
25	return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set);	48	err = bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set);
		49	out:
		50	mutex_unlock(&bpfilter_ops.lock);
		51	return err;
26	}	52	}
27		53
28	int bpfilter_ip_set_sockopt(struct sock sk, int optname, char __user optval,	54	int bpfilter_ip_set_sockopt(struct sock sk, int optname, char __user optval,
@@ -41,3 +67,15 @@ int bpfilter_ip_get_sockopt(struct sock sk, int optname, char __user optval,
41		67
42	return bpfilter_mbox_request(sk, optname, optval, len, false);	68	return bpfilter_mbox_request(sk, optname, optval, len, false);
43	}	69	}
		70
		71	static int __init bpfilter_sockopt_init(void)
		72	{
		73	mutex_init(&bpfilter_ops.lock);
		74	bpfilter_ops.stop = true;
		75	bpfilter_ops.info.cmdline = "bpfilter_umh";
		76	bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup;
		77
		78	return 0;
		79	}
		80
		81	module_init(bpfilter_sockopt_init);