livepatch: force transition to finish

If a task sleeps in a set of patched functions uninterruptedly, it could
block the whole transition indefinitely.  Thus it may be useful to clear
its TIF_PATCH_PENDING to allow the process to finish.

Admin can do that now by writing to force sysfs attribute in livepatch
sysfs directory. TIF_PATCH_PENDING is then cleared for all tasks and the
transition can finish successfully.

Important note! Administrator should not use this feature without a
clearance from a patch distributor. It must be checked that by doing so
the consistency model guarantees are not violated. Removal (rmmod) of
patch modules is permanently disabled when the feature is used. It
cannot be guaranteed there is no task sleeping in such module.

Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

3 files changed, 65 insertions, 2 deletions

diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 88766bd91803..1c3c9b27c916 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -455,6 +455,7 @@ EXPORT_SYMBOL_GPL(klp_enable_patch);
  * /sys/kernel/livepatch/<patch>/enabled
  * /sys/kernel/livepatch/<patch>/transition
  * /sys/kernel/livepatch/<patch>/signal
+ * /sys/kernel/livepatch/<patch>/force
  * /sys/kernel/livepatch/<patch>/<object>
  * /sys/kernel/livepatch/<patch>/<object>/<function,sympos>
  */
@@ -556,13 +557,42 @@ static ssize_t signal_store(struct kobject *kobj, struct kobj_attribute *attr,
         return count;
 }
 
+static ssize_t force_store(struct kobject *kobj, struct kobj_attribute *attr,
+                           const char *buf, size_t count)
+{
+        struct klp_patch *patch;
+        int ret;
+        bool val;
+
+        patch = container_of(kobj, struct klp_patch, kobj);
+
+        /*
+         * klp_mutex lock is not grabbed here intentionally. It is not really
+         * needed. The race window is harmless and grabbing the lock would only
+         * hold the action back.
+         */
+        if (patch != klp_transition_patch)
+                return -EINVAL;
+
+        ret = kstrtobool(buf, &val);
+        if (ret)
+                return ret;
+
+        if (val)
+                klp_force_transition();
+
+        return count;
+}
+
 static struct kobj_attribute enabled_kobj_attr = __ATTR_RW(enabled);
 static struct kobj_attribute transition_kobj_attr = __ATTR_RO(transition);
 static struct kobj_attribute signal_kobj_attr = __ATTR_WO(signal);
+static struct kobj_attribute force_kobj_attr = __ATTR_WO(force);
 static struct attribute *klp_patch_attrs[] = {
         &enabled_kobj_attr.attr,
         &transition_kobj_attr.attr,
         &signal_kobj_attr.attr,
+        &force_kobj_attr.attr,
         NULL
 };
 
diff --git a/kernel/livepatch/transition.c b/kernel/livepatch/transition.c
index edcfcb8ebb2d..be5bfa533ee8 100644
--- a/kernel/livepatch/transition.c
+++ b/kernel/livepatch/transition.c
@@ -33,6 +33,8 @@ struct klp_patch *klp_transition_patch;
 
 static int klp_target_state = KLP_UNDEFINED;
 
+static bool klp_forced = false;
+
 /*
  * This work can be performed periodically to finish patching or unpatching any
  * "straggler" tasks which failed to transition in the first attempt.
@@ -146,9 +148,12 @@ done:
         /*
          * See complementary comment in __klp_enable_patch() for why we
          * keep the module reference for immediate patches.
+         *
+         * klp_forced or immediate_func set implies unbounded increase of
+         * module's ref count if the module is disabled/enabled in a loop.
          */
-        if (!klp_transition_patch->immediate && !immediate_func &&
-            klp_target_state == KLP_UNPATCHED) {
+        if (!klp_forced && !klp_transition_patch->immediate &&
+                !immediate_func && klp_target_state == KLP_UNPATCHED) {
                 module_put(klp_transition_patch->mod);
         }
 
@@ -649,3 +654,30 @@ void klp_send_signals(void)
         }
         read_unlock(&tasklist_lock);
 }
+
+/*
+ * Drop TIF_PATCH_PENDING of all tasks on admin's request. This forces an
+ * existing transition to finish.
+ *
+ * NOTE: klp_update_patch_state(task) requires the task to be inactive or
+ * 'current'. This is not the case here and the consistency model could be
+ * broken. Administrator, who is the only one to execute the
+ * klp_force_transitions(), has to be aware of this.
+ */
+void klp_force_transition(void)
+{
+        struct task_struct *g, *task;
+        unsigned int cpu;
+
+        pr_warn("forcing remaining tasks to the patched state\n");
+
+        read_lock(&tasklist_lock);
+        for_each_process_thread(g, task)
+                klp_update_patch_state(task);
+        read_unlock(&tasklist_lock);
+
+        for_each_possible_cpu(cpu)
+                klp_update_patch_state(idle_task(cpu));
+
+        klp_forced = true;
+}
diff --git a/kernel/livepatch/transition.h b/kernel/livepatch/transition.h
index 40522795a5f6..f9d0bc016067 100644
--- a/kernel/livepatch/transition.h
+++ b/kernel/livepatch/transition.h
@@ -12,5 +12,6 @@ void klp_start_transition(void);
 void klp_try_complete_transition(void);
 void klp_reverse_transition(void);
 void klp_send_signals(void);
+void klp_force_transition(void);
 
 #endif /* _LIVEPATCH_TRANSITION_H */