Commit Graph

62 Commits

Author SHA1 Message Date
Chih-En Lin
d81d968b0e vinput: Fix missing error code
Fix the missing error code when register_chrdev() fails.
The report is from Smatch:

Smatch failed: 1 warning(s), 0 error(s)
/home/runner/work/lkmpg/lkmpg/examples/vinput.c:372 vinput_init() warn: missing error code 'err'
2022-11-04 01:16:14 +08:00
Jim Huang
760df73743
Merge pull request #168 from linD026/master
Fix dereference NULL pointer with proc_lseek
2022-09-23 13:52:06 +08:00
linD026
0f9c72631c Fix dereference NULL pointer with proc_lseek
Since the operations have static storage duration, the pointers in the
operation structures will be initialized to NULL. But the kernel
doesn't check whether the pointer is NULL or not when calling it.

Related Discussion:
- https://github.com/sysprog21/lkmpg/issues/165
- https://github.com/sysprog21/lkmpg/issues/160

Close #165
2022-09-21 16:57:23 +08:00
linD026
eb2c766da4 Improve the compatibility with kernel < v5.10
min()/max() were split from kernel.h into minmax.h in v5.10-rc1.
Before v5.10, minmax.h does not exist [1].

[1] b296a6d533
2022-09-21 13:53:06 +08:00
Jim Huang
c69eff9d1f
Merge pull request #163 from linD026/read-write
procfs{2, 3}: Change to use offset parameter
2022-09-08 22:24:20 +08:00
linD026
39a313dc20 procfs{2, 3}: Change to use offset parameter
To make sure the behavior of the read and write operations is correct
with the offset, update it each time. Also, since it is using the offset,
modify the read part to remove the unnecessary variable.
2022-09-08 12:53:29 +08:00
linD026
95a7ca513f Fix the buffer length may cause a read error
The length of the message buffer is BUF_LEN. When writing a string of
BUF_LEN length, it will overwrite the last character (usually '\0'
from the initialization). And because the read operation uses the '\0'
character in the message buffer to stop the read loop, the read
operation will read out of the message buffer when the length parameter
of read() is not lower than or equal to BUF_LEN. So add one more byte of
space to avoid this problem.
2022-09-08 06:08:04 +08:00
asas1asas200
04465b1a44 Add description of sysfs attribute
The description of the attribute was added in the sysfs section and referenced in the vinput section.

In the vinput section, only the class_attribute and some macros about the sysfs class are described.

Add the file name at the beginning of the vinput-related examples.
2022-04-19 01:54:24 +08:00
linD026
beb1ff1595 Fix potential concurrent problems in chardev2.c
After forking, each file descriptor in the child refers to the same
open file description as the parent. So when calling open() before
fork(), the child can access the device file without being checked by
the exclusive access in device_open(). It may cause race conditions
in device_ioctl().

Because of that, it is unnecessary to check for multiple access
in device_open(). It just needs a check in device_ioctl(), since the
read(), write() and seek() system calls are atomic [1][2].

Related discussion:
- https://github.com/sysprog21/lkmpg/issues/148

[1] https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/
[2] https://www.kernel.org/doc/html/latest/filesystems/files.html

Close #148
2022-04-17 02:41:25 +08:00
linD026
9f92fe4d6a Fix wrong regular expression of clang-format 2022-04-10 22:51:59 +08:00
linD026
636c1e702d Introduce Virtual Input Device Driver
Add the new section on the input device driver, vinput [1].

Also, update the Acknowledgements.

[1] https://github.com/sysprog21/vinput
2022-04-06 17:13:29 +08:00
linD026
85ee0ec67b Improve the description of finding syscall table
Presently, the description showing which version uses which
method to find the system call table is vague.

Related discussion:
* sysprog21/lkmpg: https://github.com/sysprog21/lkmpg/pull/142
2022-03-17 07:51:59 +08:00
Steven Lung
d771c50166 Fix grammar 2022-03-09 14:14:08 +08:00
Steven Lung
5ca9b642a4 Fix typo, grammar and remove duplicated words
Replaced 'a' with 'an' since a vowel sound follows.
2022-03-07 16:56:13 +08:00
Bob Lee
844beed5d7
Fix a logic error in examples/ioctl.c (#137)
Change the "alloc_ret" and "cdev_ret" initial values to non-zero.
According to the source code, "alloc_chrdev_region" and "cdev_add"
return zero on success, and a negative code on failure.

So, if "alloc_chrdev_region" failed, the if condition becomes true,
then we jump to the label "error" by goto, checking whether each return
value from both functions mentioned above is a success state
and dealing with it properly for exiting the process.

However, it checks the success state by comparing the return value
with zero (meaning success), and we get "cdev_ret == 0" as true from
the initial value zero, while we have not executed "cdev_add" yet.
Hence, there was a logic error when the initial value was zero.

Co-authored-by: NOVBobLee <defru04002@gamil.com>
2022-02-21 00:58:47 +08:00
linD026
d8216ff7b6
Fix incoherent ioctl examples (#139)
Previously, ioctl.c was a userspace program for chardev2.c and chardev.h [1].
But now, this file is an independent kernel module, and the original code
has disappeared.
This patch adds back the original userspace code and renames it to
userspace_ioctl.c.

[1] https://tldp.org/LDP/lkmpg/2.4/html/x856.html
2022-02-21 00:53:29 +08:00
linD026
6b6b6635cf
CI: Introduce Smatch for static analysis (#125)
Smatch [1][2] is a pluggable static analysis tool for C. It may help us find
potential problems in the example code.

When running Smatch, if the --file-output flag is set, it will generate a
{}.c.smatch report for each C file. This makes it a little bit more
complicated to collect all the report messages. So, here we stay with the
default setting, stdout for the Smatch messages.

For more information, see:
- https://lwn.net/Articles/696624/
- https://elinux.org/images/d/d3/Bargmann.pdf

Also, fix the warning from Smatch:

Smatch failed: 1 warning(s), 1 error(s)
lkmpg/examples/procfs2.c:57 procfile_write() error: buffer overflow 'procfs_buffer' 1024 <= 1024
lkmpg/examples/kbleds.c:58 kbleds_init() warn: argument 5 to %lx specifier is cast from pointer

Furthermore, the effect of the write operation in procfs2.c is too
implicit. So after writing, print the buffer every time.

Close #122

[1] https://github.com/error27/smatch
[2] https://repo.or.cz/w/smatch.git
2021-11-01 08:20:41 +08:00
linD026
d6e1044aa7 CI: introduce GCC static analysis
Since GCC version 10, there has been a new option -fanalyzer for
static analysis. It can make the CI pipeline more comprehensive.

Also, the static analysis was updated in GCC 11, but we cannot install
GCC 11 straightforwardly right now in Ubuntu 20.04, which is
the GitHub workflow environment (see status-check.yaml).
For this reason, we stay with GCC 10.

Close #117

Reference:
- https://gcc.gnu.org/onlinedocs/gcc-10.1.0/gcc/Static-Analyzer-Options.html
- https://developers.redhat.com/blog/2020/03/26/static-analysis-in-gcc-10
- https://lwn.net/Articles/870290/
- https://developers.redhat.com/blog/2021/01/28/static-analysis-updates-in-gcc-11
- 7d73c3e9c5
2021-10-08 19:41:22 +08:00
linD026
1a6fb67cf2
Fix potential concurrent access problems with VFS (#108)
Since Linux v3.14, the read, write and seek operations of "struct file" are
guaranteed to be thread-safe [1][2]. This patch adds an explanation.

Here are the potential problems:
chardev.c:
- Move the "msg_ptr" pointer into the read function to remove unnecessary usage.
- List the clear states of "already_open" by using a mnemonic enumeration.

chardev2.c:
- The "buffer" in the write function is user space data. It cannot be used in
  kernel space.
- Reduce the redundant type conversions.
- List the states of "already_open". Same as chardev.c.

[1] https://lore.kernel.org/lkml/20140303210359.26624.qmail@science.horizon.com/T/#u
[2] 9c225f2655
2021-09-23 12:20:10 +08:00
linD026
5070fcd9d0
CI: Run static analysis with Cppcheck (#105)
Cppcheck [1] is integrated into the CI pipeline for running static analysis.

However, Cppcheck is known to report false positives, and we have to
suppress some warnings in advance.

[1] https://cppcheck.sourceforge.io/
2021-09-14 00:52:04 +08:00
linD026
fa035da36e ioctl.c: Remove unnecessary initialization
The "alloc_chrdev_region" function will dynamically choose the
major number and store it at "dev". It is unnecessary to initialize
the "dev" before the "alloc_chrdev_region" function.
2021-09-13 14:55:16 +08:00
linD026
62dbb1b7b8
Adapt the timer API Usage (#98)
Since v4.14 [1], the timer API has been changed to improve memory safety.
The series of improvements ended up at v4.15 [2].

Reference: https://lwn.net/Articles/735887/

Close #97

[1] 686fef928b
[2] 841b86f328
2021-09-10 12:29:48 +08:00
Jim Huang
4ef3d90ffe suppress warning: no newline at end of file 2021-09-08 22:23:02 +08:00
fennecJ
3fcbb8e182
Improve CI pipeline to automate module testing (#95)
The script executes insmod/rmmod twice with available kernel modules.

Close #72
2021-09-08 20:38:50 +08:00
linD026
148fb013ee
Avoid unexpected concurrent access (#94)
In the files {chardev,chardev2,sleep}.c, the variable to determine
exclusive access was of integer type, which led to a race
condition.

This patch rewrote the above with atomic CAS respectively
to eliminate the race.

Close #93
2021-09-07 23:42:06 +08:00
linD026
9289bfe59c
Fix the warnings raised by Sparse (#92)
Sparse [1] is a semantic parser capable of finding potential
problems in Linux kernel code. This patch fixes the warnings.

[1] https://www.kernel.org/doc/html/latest/dev-tools/sparse.html
2021-09-04 17:53:29 +08:00
linD026
d27203ef46
Enforce consistent style for directory "other" (#89) 2021-09-02 16:26:29 +08:00
linD026
eef2bc4395
Enforce Linux kernel coding style (#88)
The only exception is to indent with four spaces rather than tabs
for sticking to compact layout of source listing.

Close #87
2021-09-02 15:15:07 +08:00
linD026
cccc98ab2c
Fix disallowed cr0 write protection and close_fd (#80)
Since commit 8dbec27a242cd3e2816eeb98d3237b9f57cf6232 [1]
(kernel version v5.3+ [2]) the sensitive CR0 bits in x86 are pinned,
we need to use inline asm [3][4] to bypass it.

commit 8dbec27a242cd3e2816eeb98d3237b9f57cf6232 :
> With sensitive CR4 bits pinned now, it's possible that the WP bit for
> CR0 might become a target as well.
>
> Following the same reasoning for the CR4 pinning, pin CR0's WP
> bit. Contrary to the cpu feature dependend CR4 pinning this can be done
> with a constant value.

Also, getting "sys_call_table" [8] from the symbol lookup by using the address
of "close_fd" does not work for v5.11+ [5][6]. The reason is that the entry of
"sys_call_table[__NR_close]" is not the address of "close_fd"; actually
it is "__x64_sys_close" on x86.

Two solutions were proposed: using "kallsyms_lookup_name" [7] or just specifying
the address in the module. The symbol "kallsyms_lookup_name" is unexported
since v5.7; the address of "sys_call_table" can be found in
"/boot/System.map" or "/proc/kallsyms".

Since v5.7, the manual symbol lookup is not guaranteed to work
because control-flow integrity (or control-flow enforcement [9][10]) was added
[11] for x86, but it has been disabled since v5.11 [12][13]. To make sure manual symbol
lookup works, it is only used up to v5.4.

Reference:
[1] 8dbec27a24
[2] https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
[3] https://patchwork.kernel.org/project/linux-kbuild/patch/20200903203053.3411268-3-samitolvanen@google.com/
[4] https://stackoverflow.com/questions/58512430/how-to-write-to-protected-pages-in-the-linux-kernel
[5] https://lore.kernel.org/bpf/20201120231441.29911-21-ebiederm@xmission.com/
[6] https://lore.kernel.org/bpf/87blj83ysq.fsf@x220.int.ebiederm.org/
[7] 0bd476e6c6
[8] 8f27766a88
[9] https://lore.kernel.org/lkml/20200204171425.28073-1-yu-cheng.yu@intel.com/
[10] https://lore.kernel.org/linux-doc/20201110162211.9207-1-yu-cheng.yu@intel.com/T/
[11] 5790921bc1
[12] 20bf2b3787
[13] https://lore.kernel.org/bpf/20210128123842.c9e33949e62f504b84bfadf5@gmail.com/
2021-08-31 11:07:01 +08:00
Jim Huang
d3bde7daed print_string: Validate tty before accessing its operations
Close #81
2021-08-30 01:41:57 +08:00
linD026
06b75942cc
Fix incorrect major number registration in chardev (#77)
chardev2.c demonstrates the ioctl operation with the static major
number MAJOR_NUM, but there also exists "Major," the dynamic
one, which results in registration and deregistration on different
devices. Once the module is removed, it cannot be inserted again:

  $ sudo insmod chardev2.ko
  $ sudo rmmod chardev2
  $ cat /proc/devices
  Character devices:
  ...
  100 char_dev
  $ sudo insmod chardev2.ko
  insmod: ERROR: could not insert module chardev2.ko: Device or resource busy

This patch removed the use of the dynamic major number.
2021-08-26 03:16:17 +08:00
Tucker Polomik
a183cc72f0 Fix: errno assignment should be comparison. 2021-08-24 11:16:25 -04:00
fennecJ
870b26fa2d Update several example code for newer kernel
Known issues with the current example code:
If you are using a newer kernel (e.g. Linux 5.11.x) to compile the example code,
you may meet the following errors:
1. syscall.c:83:50: error: ‘ksys_close’ undeclared;
2. cryptosk.c:17:24: error: field ‘sg’ has incomplete type
3. cryptosk.c:143:9: error: implicit declaration of function
‘get_random_bytes’
4. error: macro "DECLARE_TASKLET" passed 3 arguments, but takes just 2

Solutions/workarounds:
1. In syscall.c, replace #include <linux/syscalls.h> with
#include <linux/fdtable.h> and replace ksys_close with close_fd
if the kernel version >= 5.11. [1][2]
2. Add #include <linux/scatterlist.h> into cryptosk.c
3. Add #include <linux/random.h> into cryptosk.c
4. In bottomhalf.c and example_tasklet.c, replace DECLARE_TASKLET
with DECLARE_TASKLET_OLD and remove the third argument (0L). [3]

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783
[2] https://www.mail-archive.com/meta-arago@arago-project.org//msg11939.html
[3] https://patchwork.kernel.org/project/kernel-hardening/patch/20200716030847.1564131-3-keescook@chromium.org/
2021-08-23 21:30:43 +08:00
gagachang
9827e32e4d Update some file paths to kernel v5.x+ in example/kbleds.c
1. drivers/char/vt_ioctl.c -> drivers/tty/vt/vt_ioctl.c
2. drivers/char/keyboard.c -> drivers/tty/vt/keyboard.c
2021-08-21 14:51:37 +08:00
Cyril Brulebois
d85944d107 Mention pr_info() rather than KERN_INFO
The latter might have been used along with printk() in an earlier
version, but pr_info() is getting used consistently so adjust the
#include comments accordingly.

For the avoidance of doubt, pr_info() actually comes from printk.h,
which gets #include'd by kernel.h.
2021-08-16 21:53:22 +02:00
Jim Huang
b497b6a34e Remove never implemented MODULE_SUPPORTED_DEVICE
MODULE_SUPPORTED_DEVICE has been removed from upstream since March 17, 2021.
See linux.git commit 6417f03

Reported by Niklas Lantau <niklaslantau@gmail.com>
Close #61
2021-08-16 20:19:35 +08:00
Benno Bielmeier
8ba0b0085d
Fix typo: concurent -> concurrent 2021-08-12 07:43:38 +00:00
ChinYikMing
ad4ac48eec Fix init message 2021-08-10 00:48:19 +08:00
Jim Huang
8c12c8dce1 Make program style consistent again 2021-08-08 01:50:42 +08:00
Hsin-Hsiang Peng
8f32341bee
Fix alignment problem in code block (#45)
In rendered HTML, the line number should be right aligned, and
code should be left aligned accordingly.

In addition, this patch added the basic build instructions, so that
someone can generate the PDF and HTML files.

Close #44
2021-08-08 01:29:50 +08:00
Jim Huang
10c7a9433a Apply editorial changes
This patch makes the source listing shorter and more compact, which helps
when browsing.
2021-08-08 01:24:59 +08:00
Jim Huang
d43259c553 Drop the deprecated init_module() and cleanup_module() 2021-08-08 00:29:24 +08:00
Jim Huang
a26d93037e Enforce consistent style
Execute "make indent" before submitting patches.
2021-08-07 23:33:37 +08:00
Jim Huang
1ac7bacfb8 Shorten chardev 2021-08-07 18:29:39 +08:00
Jim Huang
40e83aa14b Tidy section: The Device Model 2021-08-07 10:59:15 +08:00
Jim Huang
f8adcdb3c1 procfs4: Shorten and indent 2021-08-07 10:54:19 +08:00
Jim Huang
466e8a00fd cat_nonblock: Use canonical name scheme and fix unintended assignment 2021-08-05 14:28:12 +08:00
RinHizakura
5940dd9faa
Revise hello-5 and its output (#38)
For the example module hello_5, the book showed incorrect output
that did not correspond to its execution results.

In addition, this patch changes myintArray[2] = {-1, -1} to
myintArray[2] = {420, 420}, which helps readers distinguish them from
the kernel messages.
2021-08-04 23:42:10 +08:00
demonsome
50e9d9176f
chardev: Revise comment on device node (#23)
The device file created in this example is "chardev".
So the input command "sudo cat /dev/chardev" will get a valid message
"I already told you %d times Hello world!"
2021-07-31 23:03:16 +08:00
linD026
c7a7a667cf
Avoid strlen by assigning explicit length of string for proc_read (#18)
Since the address of buffer is a userspace address, it may trigger an unexpected fault on strlen(buffer).

On Ubuntu 20.04.2 LTS (5.8.0-63-generic), using strlen(buffer) will result in the following:
[ 2168.010930] /proc/buffer1k created
[ 2177.014347] BUG: unable to handle page fault for address: 00007fbbc2a17000
[ 2177.014355] #PF: supervisor read access in kernel mode
[ 2177.014358] #PF: error_code(0x0000) - not-present page
[ 2177.014361] PGD 80000003c61d0067 P4D 80000003c61d0067 PUD 3ee6c5067 PMD 40e1ff067 PTE 0
[ 2177.014369] Oops: 0000 [#1] SMP PTI
[ 2177.014376] CPU: 7 PID: 4750 Comm: cat Tainted: P        W  OE     5.8.0-63-generic #71~20.04.1-Ubuntu

[ 2177.014387] RIP: 0010:procfile_read+0xb/0x20 [procfs2]
[ 2177.014393] Code: Unable to access opcode bytes at RIP 0xffffffffc1253fe1.
[ 2177.014424] Call Trace:
[ 2177.014435]  proc_reg_read+0x66/0x90
[ 2177.014441]  vfs_read+0xaa/0x190
[ 2177.014446]  ksys_read+0x67/0xe0
[ 2177.014451]  __x64_sys_read+0x1a/0x20
[ 2177.014458]  do_syscall_64+0x49/0xc0
[ 2177.014464]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 2177.014467] RIP: 0033:0x7fbbc3b18142

[ 2177.014635] CR2: 00007fbbc2a17000
[ 2177.014639] ---[ end trace b71ff05c1b0a10f6 ]---
2021-07-29 16:10:52 +08:00