9 files changed, 1048 insertions, 4 deletions

diff --git a/Documentation/livepatch/shadow-vars.txt b/Documentation/livepatch/shadow-vars.txt
new file mode 100644
index 000000000000..89c66634d600
--- /dev/null
+++ b/Documentation/livepatch/shadow-vars.txt
@@ -0,0 +1,192 @@
+================
+Shadow Variables
+================
+
+Shadow variables are a simple way for livepatch modules to associate
+additional "shadow" data with existing data structures.  Shadow data is
+allocated separately from parent data structures, which are left
+unmodified.  The shadow variable API described in this document is used
+to allocate/add and remove/free shadow variables to/from their parents.
+
+The implementation introduces a global, in-kernel hashtable that
+associates pointers to parent objects and a numeric identifier of the
+shadow data.  The numeric identifier is a simple enumeration that may be
+used to describe shadow variable version, class or type, etc.  More
+specifically, the parent pointer serves as the hashtable key while the
+numeric id subsequently filters hashtable queries.  Multiple shadow
+variables may attach to the same parent object, but their numeric
+identifier distinguishes between them.
+
+
+1. Brief API summary
+====================
+
+(See the full API usage docbook notes in livepatch/shadow.c.)
+
+A hashtable references all shadow variables.  These references are
+stored and retrieved through a <obj, id> pair.
+
+* The klp_shadow variable data structure encapsulates both tracking
+meta-data and shadow-data:
+  - meta-data
+    - obj - pointer to parent object
+    - id - data identifier
+  - data[] - storage for shadow data
+
+It is important to note that the klp_shadow_alloc() and
+klp_shadow_get_or_alloc() calls, described below, store a *copy* of the
+data that the functions are provided.  Callers should provide whatever
+mutual exclusion is required of the shadow data.
+
+* klp_shadow_get() - retrieve a shadow variable data pointer
+  - search hashtable for <obj, id> pair
+
+* klp_shadow_alloc() - allocate and add a new shadow variable
+  - search hashtable for <obj, id> pair
+  - if exists
+    - WARN and return NULL
+  - if <obj, id> doesn't already exist
+    - allocate a new shadow variable
+    - copy data into the new shadow variable
+    - add <obj, id> to the global hashtable
+
+* klp_shadow_get_or_alloc() - get existing or alloc a new shadow variable
+  - search hashtable for <obj, id> pair
+  - if exists
+    - return existing shadow variable
+  - if <obj, id> doesn't already exist
+    - allocate a new shadow variable
+    - copy data into the new shadow variable
+    - add <obj, id> pair to the global hashtable
+
+* klp_shadow_free() - detach and free a <obj, id> shadow variable
+  - find and remove a <obj, id> reference from global hashtable
+    - if found, free shadow variable
+
+* klp_shadow_free_all() - detach and free all <*, id> shadow variables
+  - find and remove any <*, id> references from global hashtable
+    - if found, free shadow variable
+
+
+2. Use cases
+============
+
+(See the example shadow variable livepatch modules in samples/livepatch/
+for full working demonstrations.)
+
+For the following use-case examples, consider commit 1d147bfa6429
+("mac80211: fix AP powersave TX vs.  wakeup race"), which added a
+spinlock to net/mac80211/sta_info.h :: struct sta_info.  Each use-case
+example can be considered a stand-alone livepatch implementation of this
+fix.
+
+
+Matching parent's lifecycle
+---------------------------
+
+If parent data structures are frequently created and destroyed, it may
+be easiest to align their shadow variables lifetimes to the same
+allocation and release functions.  In this case, the parent data
+structure is typically allocated, initialized, then registered in some
+manner.  Shadow variable allocation and setup can then be considered
+part of the parent's initialization and should be completed before the
+parent "goes live" (ie, any shadow variable get-API requests are made
+for this <obj, id> pair.)
+
+For commit 1d147bfa6429, when a parent sta_info structure is allocated,
+allocate a shadow copy of the ps_lock pointer, then initialize it:
+
+#define PS_LOCK 1
+struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
+                                const u8 *addr, gfp_t gfp)
+{
+        struct sta_info *sta;
+        spinlock_t *ps_lock;
+
+        /* Parent structure is created */
+        sta = kzalloc(sizeof(*sta) + hw->sta_data_size, gfp);
+
+        /* Attach a corresponding shadow variable, then initialize it */
+        ps_lock = klp_shadow_alloc(sta, PS_LOCK, NULL, sizeof(*ps_lock), gfp);
+        if (!ps_lock)
+                goto shadow_fail;
+        spin_lock_init(ps_lock);
+        ...
+
+When requiring a ps_lock, query the shadow variable API to retrieve one
+for a specific struct sta_info:
+
+void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+{
+        spinlock_t *ps_lock;
+
+        /* sync with ieee80211_tx_h_unicast_ps_buf */
+        ps_lock = klp_shadow_get(sta, PS_LOCK);
+        if (ps_lock)
+                spin_lock(ps_lock);
+        ...
+
+When the parent sta_info structure is freed, first free the shadow
+variable:
+
+void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
+{
+        klp_shadow_free(sta, PS_LOCK);
+        kfree(sta);
+        ...
+
+
+In-flight parent objects
+------------------------
+
+Sometimes it may not be convenient or possible to allocate shadow
+variables alongside their parent objects.  Or a livepatch fix may
+require shadow varibles to only a subset of parent object instances.  In
+these cases, the klp_shadow_get_or_alloc() call can be used to attach
+shadow variables to parents already in-flight.
+
+For commit 1d147bfa6429, a good spot to allocate a shadow spinlock is
+inside ieee80211_sta_ps_deliver_wakeup():
+
+#define PS_LOCK 1
+void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+{
+        DEFINE_SPINLOCK(ps_lock_fallback);
+        spinlock_t *ps_lock;
+
+        /* sync with ieee80211_tx_h_unicast_ps_buf */
+        ps_lock = klp_shadow_get_or_alloc(sta, PS_LOCK,
+                        &ps_lock_fallback, sizeof(ps_lock_fallback),
+                        GFP_ATOMIC);
+        if (ps_lock)
+                spin_lock(ps_lock);
+        ...
+
+This usage will create a shadow variable, only if needed, otherwise it
+will use one that was already created for this <obj, id> pair.
+
+Like the previous use-case, the shadow spinlock needs to be cleaned up.
+A shadow variable can be freed just before its parent object is freed,
+or even when the shadow variable itself is no longer required.
+
+
+Other use-cases
+---------------
+
+Shadow variables can also be used as a flag indicating that a data
+structure was allocated by new, livepatched code.  In this case, it
+doesn't matter what data value the shadow variable holds, its existence
+suggests how to handle the parent object.
+
+
+3. References
+=============
+
+* https://github.com/dynup/kpatch
+The livepatch implementation is based on the kpatch version of shadow
+variables.
+
+* http://files.mkgnu.net/files/dynamos/doc/papers/dynamos_eurosys_07.pdf
+Dynamic and Adaptive Updates of Non-Quiescent Subsystems in Commodity
+Operating System Kernels (Kritis Makris, Kyung Dong Ryu 2007) presented
+a datatype update technique called "shadow data structures".
diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h
index 194991ef9347..d08eddc00497 100644
--- a/include/linux/livepatch.h
+++ b/include/linux/livepatch.h
@@ -164,6 +164,14 @@ static inline bool klp_have_reliable_stack(void)
                IS_ENABLED(CONFIG_HAVE_RELIABLE_STACKTRACE);
 }
 
+void *klp_shadow_get(void *obj, unsigned long id);
+void *klp_shadow_alloc(void *obj, unsigned long id, void *data,
+                       size_t size, gfp_t gfp_flags);
+void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+                              size_t size, gfp_t gfp_flags);
+void klp_shadow_free(void *obj, unsigned long id);
+void klp_shadow_free_all(unsigned long id);
+
 #else /* !CONFIG_LIVEPATCH */
 
 static inline int klp_module_coming(struct module *mod) { return 0; }
diff --git a/kernel/livepatch/Makefile b/kernel/livepatch/Makefile
index 2b8bdb1925da..b36ceda6488e 100644
--- a/kernel/livepatch/Makefile
+++ b/kernel/livepatch/Makefile
@@ -1,3 +1,3 @@
 obj-$(CONFIG_LIVEPATCH) += livepatch.o
 
-livepatch-objs := core.o patch.o transition.o
+livepatch-objs := core.o patch.o shadow.o transition.o
diff --git a/kernel/livepatch/shadow.c b/kernel/livepatch/shadow.c
new file mode 100644
index 000000000000..fdac27588d60
--- /dev/null
+++ b/kernel/livepatch/shadow.c
@@ -0,0 +1,277 @@
+/*
+ * shadow.c - Shadow Variables
+ *
+ * Copyright (C) 2014 Josh Poimboeuf <jpoimboe@redhat.com>
+ * Copyright (C) 2014 Seth Jennings <sjenning@redhat.com>
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * DOC: Shadow variable API concurrency notes:
+ *
+ * The shadow variable API provides a simple relationship between an
+ * <obj, id> pair and a pointer value.  It is the responsibility of the
+ * caller to provide any mutual exclusion required of the shadow data.
+ *
+ * Once a shadow variable is attached to its parent object via the
+ * klp_shadow_*alloc() API calls, it is considered live: any subsequent
+ * call to klp_shadow_get() may then return the shadow variable's data
+ * pointer.  Callers of klp_shadow_*alloc() should prepare shadow data
+ * accordingly.
+ *
+ * The klp_shadow_*alloc() API calls may allocate memory for new shadow
+ * variable structures.  Their implementation does not call kmalloc
+ * inside any spinlocks, but API callers should pass GFP flags according
+ * to their specific needs.
+ *
+ * The klp_shadow_hash is an RCU-enabled hashtable and is safe against
+ * concurrent klp_shadow_free() and klp_shadow_get() operations.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/hashtable.h>
+#include <linux/slab.h>
+#include <linux/livepatch.h>
+
+static DEFINE_HASHTABLE(klp_shadow_hash, 12);
+
+/*
+ * klp_shadow_lock provides exclusive access to the klp_shadow_hash and
+ * the shadow variables it references.
+ */
+static DEFINE_SPINLOCK(klp_shadow_lock);
+
+/**
+ * struct klp_shadow - shadow variable structure
+ * @node:       klp_shadow_hash hash table node
+ * @rcu_head:   RCU is used to safely free this structure
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ * @data:       data area
+ */
+struct klp_shadow {
+        struct hlist_node node;
+        struct rcu_head rcu_head;
+        void *obj;
+        unsigned long id;
+        char data[];
+};
+
+/**
+ * klp_shadow_match() - verify a shadow variable matches given <obj, id>
+ * @shadow:     shadow variable to match
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ *
+ * Return: true if the shadow variable matches.
+ */
+static inline bool klp_shadow_match(struct klp_shadow *shadow, void *obj,
+                                unsigned long id)
+{
+        return shadow->obj == obj && shadow->id == id;
+}
+
+/**
+ * klp_shadow_get() - retrieve a shadow variable data pointer
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ *
+ * Return: the shadow variable data element, NULL on failure.
+ */
+void *klp_shadow_get(void *obj, unsigned long id)
+{
+        struct klp_shadow *shadow;
+
+        rcu_read_lock();
+
+        hash_for_each_possible_rcu(klp_shadow_hash, shadow, node,
+                                   (unsigned long)obj) {
+
+                if (klp_shadow_match(shadow, obj, id)) {
+                        rcu_read_unlock();
+                        return shadow->data;
+                }
+        }
+
+        rcu_read_unlock();
+
+        return NULL;
+}
+EXPORT_SYMBOL_GPL(klp_shadow_get);
+
+static void *__klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+                       size_t size, gfp_t gfp_flags, bool warn_on_exist)
+{
+        struct klp_shadow *new_shadow;
+        void *shadow_data;
+        unsigned long flags;
+
+        /* Check if the shadow variable already exists */
+        shadow_data = klp_shadow_get(obj, id);
+        if (shadow_data)
+                goto exists;
+
+        /* Allocate a new shadow variable for use inside the lock below */
+        new_shadow = kzalloc(size + sizeof(*new_shadow), gfp_flags);
+        if (!new_shadow)
+                return NULL;
+
+        new_shadow->obj = obj;
+        new_shadow->id = id;
+
+        /* Initialize the shadow variable if data provided */
+        if (data)
+                memcpy(new_shadow->data, data, size);
+
+        /* Look for <obj, id> again under the lock */
+        spin_lock_irqsave(&klp_shadow_lock, flags);
+        shadow_data = klp_shadow_get(obj, id);
+        if (unlikely(shadow_data)) {
+                /*
+                 * Shadow variable was found, throw away speculative
+                 * allocation.
+                 */
+                spin_unlock_irqrestore(&klp_shadow_lock, flags);
+                kfree(new_shadow);
+                goto exists;
+        }
+
+        /* No <obj, id> found, so attach the newly allocated one */
+        hash_add_rcu(klp_shadow_hash, &new_shadow->node,
+                     (unsigned long)new_shadow->obj);
+        spin_unlock_irqrestore(&klp_shadow_lock, flags);
+
+        return new_shadow->data;
+
+exists:
+        if (warn_on_exist) {
+                WARN(1, "Duplicate shadow variable <%p, %lx>\n", obj, id);
+                return NULL;
+        }
+
+        return shadow_data;
+}
+
+/**
+ * klp_shadow_alloc() - allocate and add a new shadow variable
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ * @data:       pointer to data to attach to parent
+ * @size:       size of attached data
+ * @gfp_flags:  GFP mask for allocation
+ *
+ * Allocates @size bytes for new shadow variable data using @gfp_flags
+ * and copies @size bytes from @data into the new shadow variable's own
+ * data space.  If @data is NULL, @size bytes are still allocated, but
+ * no copy is performed.  The new shadow variable is then added to the
+ * global hashtable.
+ *
+ * If an existing <obj, id> shadow variable can be found, this routine
+ * will issue a WARN, exit early and return NULL.
+ *
+ * Return: the shadow variable data element, NULL on duplicate or
+ * failure.
+ */
+void *klp_shadow_alloc(void *obj, unsigned long id, void *data,
+                       size_t size, gfp_t gfp_flags)
+{
+        return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, true);
+}
+EXPORT_SYMBOL_GPL(klp_shadow_alloc);
+
+/**
+ * klp_shadow_get_or_alloc() - get existing or allocate a new shadow variable
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ * @data:       pointer to data to attach to parent
+ * @size:       size of attached data
+ * @gfp_flags:  GFP mask for allocation
+ *
+ * Returns a pointer to existing shadow data if an <obj, id> shadow
+ * variable is already present.  Otherwise, it creates a new shadow
+ * variable like klp_shadow_alloc().
+ *
+ * This function guarantees that only one shadow variable exists with
+ * the given @id for the given @obj.  It also guarantees that the shadow
+ * variable will be initialized by the given @data only when it did not
+ * exist before.
+ *
+ * Return: the shadow variable data element, NULL on failure.
+ */
+void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data,
+                               size_t size, gfp_t gfp_flags)
+{
+        return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, false);
+}
+EXPORT_SYMBOL_GPL(klp_shadow_get_or_alloc);
+
+/**
+ * klp_shadow_free() - detach and free a <obj, id> shadow variable
+ * @obj:        pointer to parent object
+ * @id:         data identifier
+ *
+ * This function releases the memory for this <obj, id> shadow variable
+ * instance, callers should stop referencing it accordingly.
+ */
+void klp_shadow_free(void *obj, unsigned long id)
+{
+        struct klp_shadow *shadow;
+        unsigned long flags;
+
+        spin_lock_irqsave(&klp_shadow_lock, flags);
+
+        /* Delete <obj, id> from hash */
+        hash_for_each_possible(klp_shadow_hash, shadow, node,
+                               (unsigned long)obj) {
+
+                if (klp_shadow_match(shadow, obj, id)) {
+                        hash_del_rcu(&shadow->node);
+                        kfree_rcu(shadow, rcu_head);
+                        break;
+                }
+        }
+
+        spin_unlock_irqrestore(&klp_shadow_lock, flags);
+}
+EXPORT_SYMBOL_GPL(klp_shadow_free);
+
+/**
+ * klp_shadow_free_all() - detach and free all <*, id> shadow variables
+ * @id:         data identifier
+ *
+ * This function releases the memory for all <*, id> shadow variable
+ * instances, callers should stop referencing them accordingly.
+ */
+void klp_shadow_free_all(unsigned long id)
+{
+        struct klp_shadow *shadow;
+        unsigned long flags;
+        int i;
+
+        spin_lock_irqsave(&klp_shadow_lock, flags);
+
+        /* Delete all <*, id> from hash */
+        hash_for_each(klp_shadow_hash, i, shadow, node) {
+                if (klp_shadow_match(shadow, shadow->obj, id)) {
+                        hash_del_rcu(&shadow->node);
+                        kfree_rcu(shadow, rcu_head);
+                }
+        }
+
+        spin_unlock_irqrestore(&klp_shadow_lock, flags);
+}
+EXPORT_SYMBOL_GPL(klp_shadow_free_all);
diff --git a/samples/Kconfig b/samples/Kconfig
index 9cb63188d3ef..c332a3b9de05 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -71,11 +71,10 @@ config SAMPLE_RPMSG_CLIENT
           the rpmsg bus.
 
 config SAMPLE_LIVEPATCH
-        tristate "Build live patching sample -- loadable modules only"
+        tristate "Build live patching samples -- loadable modules only"
         depends on LIVEPATCH && m
         help
-          Builds a sample live patch that replaces the procfs handler
-          for /proc/cmdline to print "this has been live patched".
+          Build sample live patch demonstrations.
 
 config SAMPLE_CONFIGFS
         tristate "Build configfs patching sample -- loadable modules only"
diff --git a/samples/livepatch/Makefile b/samples/livepatch/Makefile
index 10319d7ea0b1..539e81d433cd 100644
--- a/samples/livepatch/Makefile
+++ b/samples/livepatch/Makefile
@@ -1 +1,4 @@
 obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-sample.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-mod.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix1.o
+obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch-shadow-fix2.o
diff --git a/samples/livepatch/livepatch-shadow-fix1.c b/samples/livepatch/livepatch-shadow-fix1.c
new file mode 100644
index 000000000000..fbe0a1f3d99b
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix1.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix1.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Fixes the memory leak introduced in livepatch-shadow-mod through the
+ * use of a shadow variable.  This fix demonstrates the "extending" of
+ * short-lived data structures by patching its allocation and release
+ * functions.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+struct dummy *livepatch_fix1_dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /*
+         * Patch: save the extra memory location into a SV_LEAK shadow
+         * variable.  A patched dummy_free routine can later fetch this
+         * pointer to handle resource release.
+         */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+        klp_shadow_alloc(d, SV_LEAK, &leak, sizeof(leak), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+void livepatch_fix1_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+
+        /*
+         * Patch: fetch the saved SV_LEAK shadow variable, detach and
+         * free it.  Note: handle cases where this shadow variable does
+         * not exist (ie, dummy structures allocated before this livepatch
+         * was loaded.)
+         */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_alloc",
+                .new_func = livepatch_fix1_dummy_alloc,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix1_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix1_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix1_exit(void)
+{
+        /* Cleanup any existing SV_LEAK shadow variables */
+        klp_shadow_free_all(SV_LEAK);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix1_init);
+module_exit(livepatch_shadow_fix1_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-fix2.c b/samples/livepatch/livepatch-shadow-fix2.c
new file mode 100644
index 000000000000..53c1794bdc5f
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-fix2.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-fix2.c - Shadow variables, livepatch demo
+ *
+ * Purpose
+ * -------
+ *
+ * Adds functionality to livepatch-shadow-mod's in-flight data
+ * structures through a shadow variable.  The livepatch patches a
+ * routine that periodically inspects data structures, incrementing a
+ * per-data-structure counter, creating the counter if needed.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * This module is not intended to be standalone.  See the "Usage"
+ * section of livepatch-shadow-mod.c.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/livepatch.h>
+#include <linux/slab.h>
+
+/* Shadow variable enums */
+#define SV_LEAK         1
+#define SV_COUNTER      2
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+bool livepatch_fix2_dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        int *shadow_count;
+        int count;
+
+        /*
+         * Patch: handle in-flight dummy structures, if they do not
+         * already have a SV_COUNTER shadow variable, then attach a
+         * new one.
+         */
+        count = 0;
+        shadow_count = klp_shadow_get_or_alloc(d, SV_COUNTER,
+                                               &count, sizeof(count),
+                                               GFP_NOWAIT);
+        if (shadow_count)
+                *shadow_count += 1;
+
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+void livepatch_fix2_dummy_free(struct dummy *d)
+{
+        void **shadow_leak, *leak;
+        int *shadow_count;
+
+        /* Patch: copy the memory leak patch from the fix1 module. */
+        shadow_leak = klp_shadow_get(d, SV_LEAK);
+        if (shadow_leak) {
+                leak = *shadow_leak;
+                klp_shadow_free(d, SV_LEAK);
+                kfree(leak);
+                pr_info("%s: dummy @ %p, prevented leak @ %p\n",
+                         __func__, d, leak);
+        } else {
+                pr_info("%s: dummy @ %p leaked!\n", __func__, d);
+        }
+
+        /*
+         * Patch: fetch the SV_COUNTER shadow variable and display
+         * the final count.  Detach the shadow variable.
+         */
+        shadow_count = klp_shadow_get(d, SV_COUNTER);
+        if (shadow_count) {
+                pr_info("%s: dummy @ %p, check counter = %d\n",
+                        __func__, d, *shadow_count);
+                klp_shadow_free(d, SV_COUNTER);
+        }
+
+        kfree(d);
+}
+
+static struct klp_func funcs[] = {
+        {
+                .old_name = "dummy_check",
+                .new_func = livepatch_fix2_dummy_check,
+        },
+        {
+                .old_name = "dummy_free",
+                .new_func = livepatch_fix2_dummy_free,
+        }, { }
+};
+
+static struct klp_object objs[] = {
+        {
+                .name = "livepatch_shadow_mod",
+                .funcs = funcs,
+        }, { }
+};
+
+static struct klp_patch patch = {
+        .mod = THIS_MODULE,
+        .objs = objs,
+};
+
+static int livepatch_shadow_fix2_init(void)
+{
+        int ret;
+
+        if (!klp_have_reliable_stack() && !patch.immediate) {
+                /*
+                 * WARNING: Be very careful when using 'patch.immediate' in
+                 * your patches.  It's ok to use it for simple patches like
+                 * this, but for more complex patches which change function
+                 * semantics, locking semantics, or data structures, it may not
+                 * be safe.  Use of this option will also prevent removal of
+                 * the patch.
+                 *
+                 * See Documentation/livepatch/livepatch.txt for more details.
+                 */
+                patch.immediate = true;
+                pr_notice("The consistency model isn't supported for your architecture.  Bypassing safety mechanisms and applying the patch immediately.\n");
+        }
+
+        ret = klp_register_patch(&patch);
+        if (ret)
+                return ret;
+        ret = klp_enable_patch(&patch);
+        if (ret) {
+                WARN_ON(klp_unregister_patch(&patch));
+                return ret;
+        }
+        return 0;
+}
+
+static void livepatch_shadow_fix2_exit(void)
+{
+        /* Cleanup any existing SV_COUNTER shadow variables */
+        klp_shadow_free_all(SV_COUNTER);
+
+        WARN_ON(klp_unregister_patch(&patch));
+}
+
+module_init(livepatch_shadow_fix2_init);
+module_exit(livepatch_shadow_fix2_exit);
+MODULE_LICENSE("GPL");
+MODULE_INFO(livepatch, "Y");
diff --git a/samples/livepatch/livepatch-shadow-mod.c b/samples/livepatch/livepatch-shadow-mod.c
new file mode 100644
index 000000000000..4c54b250332d
--- /dev/null
+++ b/samples/livepatch/livepatch-shadow-mod.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2017 Joe Lawrence <joe.lawrence@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * livepatch-shadow-mod.c - Shadow variables, buggy module demo
+ *
+ * Purpose
+ * -------
+ *
+ * As a demonstration of livepatch shadow variable API, this module
+ * introduces memory leak behavior that livepatch modules
+ * livepatch-shadow-fix1.ko and livepatch-shadow-fix2.ko correct and
+ * enhance.
+ *
+ * WARNING - even though the livepatch-shadow-fix modules patch the
+ * memory leak, please load these modules at your own risk -- some
+ * amount of memory may leaked before the bug is patched.
+ *
+ *
+ * Usage
+ * -----
+ *
+ * Step 1 - Load the buggy demonstration module:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-mod.ko
+ *
+ * Watch dmesg output for a few moments to see new dummy being allocated
+ * and a periodic cleanup check.  (Note: a small amount of memory is
+ * being leaked.)
+ *
+ *
+ * Step 2 - Load livepatch fix1:
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix1.ko
+ *
+ * Continue watching dmesg and note that now livepatch_fix1_dummy_free()
+ * and livepatch_fix1_dummy_alloc() are logging messages about leaked
+ * memory and eventually leaks prevented.
+ *
+ *
+ * Step 3 - Load livepatch fix2 (on top of fix1):
+ *
+ *   insmod samples/livepatch/livepatch-shadow-fix2.ko
+ *
+ * This module extends functionality through shadow variables, as a new
+ * "check" counter is added to the dummy structure.  Periodic dmesg
+ * messages will log these as dummies are cleaned up.
+ *
+ *
+ * Step 4 - Cleanup
+ *
+ * Unwind the demonstration by disabling the livepatch fix modules, then
+ * removing them and the demo module:
+ *
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix2/enabled
+ *   echo 0 > /sys/kernel/livepatch/livepatch_shadow_fix1/enabled
+ *   rmmod livepatch-shadow-fix2
+ *   rmmod livepatch-shadow-fix1
+ *   rmmod livepatch-shadow-mod
+ */
+
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/stat.h>
+#include <linux/workqueue.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Joe Lawrence <joe.lawrence@redhat.com>");
+MODULE_DESCRIPTION("Buggy module for shadow variable demo");
+
+/* Allocate new dummies every second */
+#define ALLOC_PERIOD    1
+/* Check for expired dummies after a few new ones have been allocated */
+#define CLEANUP_PERIOD  (3 * ALLOC_PERIOD)
+/* Dummies expire after a few cleanup instances */
+#define EXPIRE_PERIOD   (4 * CLEANUP_PERIOD)
+
+/*
+ * Keep a list of all the dummies so we can clean up any residual ones
+ * on module exit
+ */
+LIST_HEAD(dummy_list);
+DEFINE_MUTEX(dummy_list_mutex);
+
+struct dummy {
+        struct list_head list;
+        unsigned long jiffies_expire;
+};
+
+noinline struct dummy *dummy_alloc(void)
+{
+        struct dummy *d;
+        void *leak;
+
+        d = kzalloc(sizeof(*d), GFP_KERNEL);
+        if (!d)
+                return NULL;
+
+        d->jiffies_expire = jiffies +
+                msecs_to_jiffies(1000 * EXPIRE_PERIOD);
+
+        /* Oops, forgot to save leak! */
+        leak = kzalloc(sizeof(int), GFP_KERNEL);
+
+        pr_info("%s: dummy @ %p, expires @ %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        return d;
+}
+
+noinline void dummy_free(struct dummy *d)
+{
+        pr_info("%s: dummy @ %p, expired = %lx\n",
+                __func__, d, d->jiffies_expire);
+
+        kfree(d);
+}
+
+noinline bool dummy_check(struct dummy *d, unsigned long jiffies)
+{
+        return time_after(jiffies, d->jiffies_expire);
+}
+
+/*
+ * alloc_work_func: allocates new dummy structures, allocates additional
+ *                  memory, aptly named "leak", but doesn't keep
+ *                  permanent record of it.
+ */
+
+static void alloc_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(alloc_dwork, alloc_work_func);
+
+static void alloc_work_func(struct work_struct *work)
+{
+        struct dummy *d;
+
+        d = dummy_alloc();
+        if (!d)
+                return;
+
+        mutex_lock(&dummy_list_mutex);
+        list_add(&d->list, &dummy_list);
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+}
+
+/*
+ * cleanup_work_func: frees dummy structures.  Without knownledge of
+ *                    "leak", it leaks the additional memory that
+ *                    alloc_work_func created.
+ */
+
+static void cleanup_work_func(struct work_struct *work);
+static DECLARE_DELAYED_WORK(cleanup_dwork, cleanup_work_func);
+
+static void cleanup_work_func(struct work_struct *work)
+{
+        struct dummy *d, *tmp;
+        unsigned long j;
+
+        j = jiffies;
+        pr_info("%s: jiffies = %lx\n", __func__, j);
+
+        mutex_lock(&dummy_list_mutex);
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+
+                /* Kick out and free any expired dummies */
+                if (dummy_check(d, j)) {
+                        list_del(&d->list);
+                        dummy_free(d);
+                }
+        }
+        mutex_unlock(&dummy_list_mutex);
+
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+}
+
+static int livepatch_shadow_mod_init(void)
+{
+        schedule_delayed_work(&alloc_dwork,
+                msecs_to_jiffies(1000 * ALLOC_PERIOD));
+        schedule_delayed_work(&cleanup_dwork,
+                msecs_to_jiffies(1000 * CLEANUP_PERIOD));
+
+        return 0;
+}
+
+static void livepatch_shadow_mod_exit(void)
+{
+        struct dummy *d, *tmp;
+
+        /* Wait for any dummies at work */
+        cancel_delayed_work_sync(&alloc_dwork);
+        cancel_delayed_work_sync(&cleanup_dwork);
+
+        /* Cleanup residual dummies */
+        list_for_each_entry_safe(d, tmp, &dummy_list, list) {
+                list_del(&d->list);
+                dummy_free(d);
+        }
+}
+
+module_init(livepatch_shadow_mod_init);
+module_exit(livepatch_shadow_mod_exit);