On Sat, 10 Nov 2018 15:17:23 -0800 Nadav Amit <na...@vmware.com> wrote:
> text_mutex is currently expected to be held before text_poke() is > called, but we kgdb does not take the mutex, and instead *supposedly* > ensures the lock is not taken and will not be acquired by any other core > while text_poke() is running. > > The reason for the "supposedly" comment is that it is not entirely clear > that this would be the case if gdb_do_roundup is zero. > > This patch creates two wrapper functions, text_poke() and > text_poke_kgdb() which do or do not run the lockdep assertion > respectively. > > While we are at it, change the return code of text_poke() to something > meaningful. One day, callers might actually respect it and the existing > BUG_ON() when patching fails could be removed. For kgdb, the return > value can actually be used. Hm, this looks reasonable and good to me. Reviewed-by: Masami Hiramatsu <mhira...@kernel.org> Thank you! > > Cc: Jiri Kosina <jkos...@suse.cz> > Cc: Andy Lutomirski <l...@kernel.org> > Cc: Kees Cook <keesc...@chromium.org> > Cc: Dave Hansen <dave.han...@intel.com> > Cc: Masami Hiramatsu <mhira...@kernel.org> > Fixes: 9222f606506c ("x86/alternatives: Lockdep-enforce text_mutex in > text_poke*()") > Suggested-by: Peter Zijlstra <pet...@infradead.org> > Signed-off-by: Nadav Amit <na...@vmware.com> > --- > arch/x86/include/asm/text-patching.h | 3 +- > arch/x86/kernel/alternative.c | 72 +++++++++++++++++++++------- > arch/x86/kernel/kgdb.c | 15 ++++-- > 3 files changed, 66 insertions(+), 24 deletions(-) > > diff --git a/arch/x86/include/asm/text-patching.h > b/arch/x86/include/asm/text-patching.h > index e85ff65c43c3..5a2600370763 100644 > --- a/arch/x86/include/asm/text-patching.h > +++ b/arch/x86/include/asm/text-patching.h > @@ -34,7 +34,8 @@ extern void *text_poke_early(void *addr, const void > *opcode, size_t len); > * On the local CPU you need to be protected again NMI or MCE handlers > seeing an > * inconsistent instruction while you patch. > */ > -extern void *text_poke(void *addr, const void *opcode, size_t len); > +extern int text_poke(void *addr, const void *opcode, size_t len); > +extern int text_poke_kgdb(void *addr, const void *opcode, size_t len); > extern int poke_int3_handler(struct pt_regs *regs); > extern void *text_poke_bp(void *addr, const void *opcode, size_t len, void > *handler); > extern int after_bootmem; > diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c > index ebeac487a20c..ebe9210dc92e 100644 > --- a/arch/x86/kernel/alternative.c > +++ b/arch/x86/kernel/alternative.c > @@ -678,23 +678,12 @@ void *__init_or_module text_poke_early(void *addr, > const void *opcode, > return addr; > } > > -/** > - * text_poke - Update instructions on a live kernel > - * @addr: address to modify > - * @opcode: source of the copy > - * @len: length to copy > - * > - * Only atomic text poke/set should be allowed when not doing early patching. > - * It means the size must be writable atomically and the address must be > aligned > - * in a way that permits an atomic write. It also makes sure we fit on a > single > - * page. > - */ > -void *text_poke(void *addr, const void *opcode, size_t len) > +static int __text_poke(void *addr, const void *opcode, size_t len) > { > unsigned long flags; > char *vaddr; > struct page *pages[2]; > - int i; > + int i, r = 0; > > /* > * While boot memory allocator is runnig we cannot use struct > @@ -702,8 +691,6 @@ void *text_poke(void *addr, const void *opcode, size_t > len) > */ > BUG_ON(!after_bootmem); > > - lockdep_assert_held(&text_mutex); > - > if (!core_kernel_text((unsigned long)addr)) { > pages[0] = vmalloc_to_page(addr); > pages[1] = vmalloc_to_page(addr + PAGE_SIZE); > @@ -712,7 +699,8 @@ void *text_poke(void *addr, const void *opcode, size_t > len) > WARN_ON(!PageReserved(pages[0])); > pages[1] = virt_to_page(addr + PAGE_SIZE); > } > - BUG_ON(!pages[0]); > + if (!pages[0]) > + return -EFAULT; > local_irq_save(flags); > set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0])); > if (pages[1]) > @@ -727,9 +715,57 @@ void *text_poke(void *addr, const void *opcode, size_t > len) > /* Could also do a CLFLUSH here to speed up CPU recovery; but > that causes hangs on some VIA CPUs. */ > for (i = 0; i < len; i++) > - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]); > + if (((char *)addr)[i] != ((char *)opcode)[i]) > + r = -EFAULT; > local_irq_restore(flags); > - return addr; > + return r; > +} > + > +/** > + * text_poke - Update instructions on a live kernel > + * @addr: address to modify > + * @opcode: source of the copy > + * @len: length to copy > + * > + * Only atomic text poke/set should be allowed when not doing early patching. > + * It means the size must be writable atomically and the address must be > aligned > + * in a way that permits an atomic write. It also makes sure we fit on a > single > + * page. > + */ > +int text_poke(void *addr, const void *opcode, size_t len) > +{ > + int r; > + > + lockdep_assert_held(&text_mutex); > + > + r = __text_poke(addr, opcode, len); > + > + /* > + * TODO: change the callers to consider the return value and remove this > + * historical assertion. > + */ > + BUG_ON(r); > + > + return r; > +} > + > +/** > + * text_poke_kgdb - Update instructions on a live kernel by kgdb > + * @addr: address to modify > + * @opcode: source of the copy > + * @len: length to copy > + * > + * Only atomic text poke/set should be allowed when not doing early patching. > + * It means the size must be writable atomically and the address must be > aligned > + * in a way that permits an atomic write. It also makes sure we fit on a > single > + * page. > + * > + * Context: should only be used by kgdb, which ensures no other core is > running, > + * despite the fact it does not hold the text_mutex. > + */ > +int text_poke_kgdb(void *addr, const void *opcode, size_t len) > +{ > + return __text_poke(addr, opcode, len); > } > > static void do_sync_core(void *info) > diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c > index 8e36f249646e..8091b2e381d4 100644 > --- a/arch/x86/kernel/kgdb.c > +++ b/arch/x86/kernel/kgdb.c > @@ -763,13 +763,15 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt) > if (!err) > return err; > /* > - * It is safe to call text_poke() because normal kernel execution > + * It is safe to call text_poke_kgdb() because normal kernel execution > * is stopped on all cores, so long as the text_mutex is not locked. > */ > if (mutex_is_locked(&text_mutex)) > return -EBUSY; > - text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, > - BREAK_INSTR_SIZE); > + err = text_poke_kgdb((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, > + BREAK_INSTR_SIZE); > + if (err) > + return err; > err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); > if (err) > return err; > @@ -788,12 +790,15 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt) > if (bpt->type != BP_POKE_BREAKPOINT) > goto knl_write; > /* > - * It is safe to call text_poke() because normal kernel execution > + * It is safe to call text_poke_kgdb() because normal kernel execution > * is stopped on all cores, so long as the text_mutex is not locked. > */ > if (mutex_is_locked(&text_mutex)) > goto knl_write; > - text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE); > + err = text_poke_kgdb((void *)bpt->bpt_addr, bpt->saved_instr, > + BREAK_INSTR_SIZE); > + if (err) > + return err; > err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); > if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE)) > goto knl_write; > -- > 2.17.1 > -- Masami Hiramatsu <mhira...@kernel.org>