
crash with shadow variables on kpatch module unload #468

@jstancek

Description


I was trying "shadow variables" and found my system crashing, presumably on kpatch module unload. As a shortcut I modified the kpatch core module:

diff --git a/kmod/core/core.c b/kmod/core/core.c
index bd50d3d..02556d6 100644
--- a/kmod/core/core.c
+++ b/kmod/core/core.c
@@ -1073,6 +1073,12 @@ static int kpatch_init(void)
        if (ret)
                goto err_patches_kobj;

+       struct task_struct *c = current;
+       if (c) {
+               creation_time = kpatch_shadow_alloc(c, "creation_time", sizeof(*creation_time), GFP_KERNEL);
+               kpatch_shadow_free(c, "creation_time");
+       }
+
        return 0;

 err_patches_kobj:
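Review bot: the return value of kpatch_shadow_alloc() is never checked before kpatch_shadow_free() is called, so an allocation failure and the unload race would look the same in this reproducer; an `if (!creation_time)` bail-out after the alloc would separate the two. The `struct task_struct *c = current;` declaration also follows the `if (ret) goto err_patches_kobj;` statement, which the kernel build flags (-Wdeclaration-after-statement) warn about, and `creation_time` is not declared anywhere in this hunk, so it presumably lives in a global added elsewhere. Since `current` is never NULL in process context, the `if (c)` guard is redundant as well.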

Then insmod/rmmod would crash my system quite reliably.

[  414.066893] CPU: 3 PID: 65 Comm: rcuos/7 Tainted: GF          O--------------   3.10.0-205.el7.x86_64 #1
[  414.077477] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.1.2 01/20/2014
[  414.085836] task: ffff880223fc6660 ti: ffff880223ff8000 task.ti: ffff880223ff8000
[  414.094189] RIP: 0010:[<ffffffffa0330c80>]  [<ffffffffa0330c80>] kpatch_exit+0x70/0x70 [kpatch]
[  414.103917] RSP: 0018:ffff880223ffbe10  EFLAGS: 00010296
[  414.109844] RAX: ffff880223ffbfd8 RBX: ffff8800c32acb10 RCX: 0000000180200009
[  414.117808] RDX: ffffffffa0330c80 RSI: ffffea0000d84f00 RDI: ffff8800c32acb10
[  414.125777] RBP: ffff880223ffbec0 R08: ffff88003613cc80 R09: 0000000180200009
[  414.133740] R10: ffffea0000d84f00 R11: ffffffff81112f90 R12: 0000000000000002
[  414.141703] R13: ffff8800c716c300 R14: 000000000000000a R15: ffff880216f3c238
[  414.149667] FS:  0000000000000000(0000) GS:ffff880227060000(0000) knlGS:0000000000000000
[  414.158701] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  414.165112] CR2: ffffffffa0330c80 CR3: 000000000190a000 CR4: 00000000000407e0
[  414.173077] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  414.181039] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  414.189003] Stack:
[  414.191259]  ffffffff81112f69 ffff880223fc6660 ffff880223fc6660 ffff8802270eef50
[  414.199556]  ffff880223ffbe80 ffff880223fc6660 ffff8802270eef28 ffff8802270eef38
[  414.207851]  ffff8802270eef40 ffff880223fc6660 ffff8802270eee00 0000000000000000
[  414.216148] Call Trace:
[  414.218895]  [<ffffffff81112f69>] ? rcu_nocb_kthread+0x229/0x370
[  414.225603]  [<ffffffff810981a0>] ? wake_up_bit+0x30/0x30
[  414.231631]  [<ffffffff81112d40>] ? rcu_start_gp+0x40/0x40
[  414.237746]  [<ffffffff810971cf>] kthread+0xcf/0xe0
[  414.243190]  [<ffffffff81097100>] ? kthread_create_on_node+0x140/0x140
[  414.250488]  [<ffffffff81613b7c>] ret_from_fork+0x7c/0xb0
[  414.256514]  [<ffffffff81097100>] ? kthread_create_on_node+0x140/0x140

I assume this is because the hash table has been unloaded while there were still outstanding free requests. The following patch appears to fix that for me:

@@ -1084,6 +1090,8 @@ err_root_kobj:

 static void kpatch_exit(void)
 {
+       rcu_barrier();
+
        WARN_ON(kpatch_num_patched != 0);
        WARN_ON(unregister_module_notifier(&kpatch_module_nb));
        kobject_put(kpatch_patches_kobj);
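Review bot: the bare `rcu_barrier();` at the top of kpatch_exit() needs a comment stating what it waits for, e.g. `/* flush pending kpatch_shadow_free() RCU callbacks before the hash table goes away */`, otherwise the next reader will not know why it is there or whether it can move. rcu_barrier() is the right primitive here rather than synchronize_rcu(): a grace period alone does not guarantee that queued call_rcu() callbacks have actually run, and a callback executing after the module text is gone is exactly the `kpatch_exit+0x70/0x70` RIP in the oops above. Any module that queues call_rcu() callbacks into its own functions must drain them with rcu_barrier() before unloading, so this belongs in the shadow-variable teardown path regardless of whether the separate-module repro pans out; note it only covers frees queued before the barrier, which is fine as long as the `WARN_ON(kpatch_num_patched != 0)` below really means no patch module can still be issuing them.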

I'm not sure if this can be reproduced with a separate kpatch module.
