[kpatch] Safely replacing kmalloc+kfree with kvmalloc+kvfree in a live patch

Tue, 07 Aug 2018 08:18:20 -0700 

Hi,
If there are any ideas how to safely apply fixes like http://patchwork.ozlabs.org/patch/952304/ ("netfilter: ipset: fix ip_set_list allocation failure") via a live patch, it would be great. 


Essentially, the patch replaces the calls to kmalloc and kfree with 
kvmalloc and kvfree, respectively:

----------------------
@@ -2059,7 +2059,7 @@  ip_set_net_init(struct net *net)
        if (inst->ip_set_max >= IPSET_INVALID_ID)
                inst->ip_set_max = IPSET_INVALID_ID - 1;

-       list = kcalloc(inst->ip_set_max, sizeof(struct ip_set *), GFP_KERNEL);
+       list = kvcalloc(inst->ip_set_max, sizeof(struct ip_set *), GFP_KERNEL);
        if (!list)
                return -ENOMEM;
        inst->is_deleted = false;
@@ -2087,7 +2087,7 @@  ip_set_net_exit(struct net *net)
                }
        }
        nfnl_unlock(NFNL_SUBSYS_IPSET);
-       kfree(rcu_dereference_protected(inst->ip_set_list, 1));
+       kvfree(rcu_dereference_protected(inst->ip_set_list, 1));
 }

 static struct pernet_operations ip_set_net_ops = {
----------------------


However, this patch is unsafe to apply as is in runtime. Consider the 
following scenario:


1. The live patch is loaded.

2. The user creates a new net ns or whatever, so that the *patched* 
ip_set_net_init() is called and calls kvcalloc(). Let us assume 
kvcalloc() uses vmalloc() this time.

3. The live patch is unloaded for some reason.

4. The user destroys the net ns and the *original* ip_set_net_exit() is 
called. The address of the memory area allocated with vmalloc at step 2 
will be passed to kfree() here. The kernel will crash.



Currently, I cannot see how to provide such fixes in a live patch 
without additional hacks.



As for the hacks, I could probably add a pre-patch callback that finds 
the call to kfree() in the original ip_set_net_exit() and permanently 
replaces it with a call to kvfree(). This way, even after the live patch 
has been unloaded at step 3, the memory will be freed correctly at the 
step 4. Not very elegant, but might work.



As I am only interested in doing this on x86_64 right now, finding the 
needed call in the binary code of ip_set_net_exit() is not a problem. As 
for replacement itself - well, I guess something like text_poke* or a 
part of its implementation could be used here.



Still, I wonder if there is a better way to apply such fixes in runtime, 
ideally, without additional hacks.


Any ideas?

Regards,
Evgenii

_______________________________________________
kpatch mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/kpatch






















					Reply via email to