This repository has been archived by the owner on Jul 16, 2024. It is now read-only.
test: Enable and run LKFT with 5.4 LTS kernel on Altra #1
Labels
Comments
bobolmw
pushed a commit
to bobolmw/ampere-lts-kernel
that referenced
this issue
Jan 24, 2022
hulk inclusion category: feature bugzilla: 51921 CVE: NA --------------------------- After commit d556e1b ("livepatch: Remove module_disable_ro() usage") and commit 0d9fbf7 ("module: Remove module_disable_ro()") and commit e6eff43 ("module: Make module_enable_ro() static again") merged, the module_disable_ro is removed and module_enable_ro is make static. It's ok for x86/ppc platform because the livepatch module relocation is done by text poke func which internally modify the text addr by remap to high virtaddr which has write permission. However for arm/arm64 platform, it's apply_relocate[_add] still directly modify the text code so we should change the module text permission before relocation. Otherwise it will lead to following problem: Unable to handle kernel write to read-only memory at virtual address ffff800008a95288 Mem abort info: ESR = 0x9600004f EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x0000004f CM = 0, WnR = 1 swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000004133c000 [ffff800008a95288] pgd=00000000bdfff003, p4d=00000000bdfff003, pud=00000000bdffe003, pmd=0000000080ce7003, pte=0040000080d5d783 Internal error: Oops: 9600004f [AmpereComputing#1] PREEMPT SMP Modules linked in: livepatch_testmod_drv(OK+) testmod_drv(O) CPU: 0 PID: 139 Comm: insmod Tainted: G O K 5.10.0-01131-gf6b4602e09b2-dirty AmpereComputing#35 Hardware name: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) pc : reloc_insn_imm+0x54/0x78 lr : reloc_insn_imm+0x50/0x78 sp : ffff800011cf3910 ... Call trace: reloc_insn_imm+0x54/0x78 apply_relocate_add+0x464/0x680 klp_apply_section_relocs+0x11c/0x148 klp_enable_patch+0x338/0x998 patch_init+0x338/0x1000 [livepatch_testmod_drv] do_one_initcall+0x60/0x1d8 do_init_module+0x58/0x1e0 load_module+0x1fb4/0x2688 __do_sys_finit_module+0xc0/0x128 __arm64_sys_finit_module+0x20/0x30 do_el0_svc+0x84/0x1b0 el0_svc+0x14/0x20 el0_sync_handler+0x90/0xc8 el0_sync+0x158/0x180 Code: 2a0503e0 9ad42a73 97d6a499 91000673 (b90002a0) ---[ end trace 67dd2ef1203ed335 ]--- Though the permission change is not necessary to x86/ppc platform, consider that the jump_label_register api may modify the text code either, we just put the change handle here instead of putting it in arch-specific relocate. Besides, the jump_label_module_nb callback called in jump_label_register also maybe need motify the module code either, it sort and swap the jump entries if necessary. So just disable ro before jump_label handling and restore it back. Signed-off-by: Dong Kai <[email protected]> Signed-off-by: Ye Weihua <[email protected]> Reviewed-by: Yang Jihong <[email protected]> Signed-off-by: Zheng Zengkai <[email protected]>
bobolmw
pushed a commit
to bobolmw/ampere-lts-kernel
that referenced
this issue
Jan 24, 2022
hulk inclusion category: bugfix bugzilla: 34578/46793/51924 CVE: NA ------------------------------------------------------------------------- When we make a livepatch, since we did not save the stack frame according to the call requirementsthen, we can't see that the caller function in the stack after the patch is activated. At this time, if we also patch the caller function, because it's is not seen in the stack, then this patch can be enabled normally without being checked by the stack check. This is very dangerous. If there are other processes running or sleeping in the context of the first patched callee function, then after the caller function is patched, we have changed the first few instructions of the caller to bstub to jump directly, so the context of the process will be destroyed, after he returns to the caller, the wrong instruction will be executed. The following problems can occur in our testcase: Unrecoverable FP Unavailable Exception 800 at 80000000000c80d8 Oops: Unrecoverable FP Unavailable Exception, sig: 6 [AmpereComputing#1] PREEMPT SMP NR_CPUS=4 QEMU e500 Modules linked in: level2_delay_patch(O) delay_patch(O) delay(O) CPU: 1 PID: 328 Comm: cat Tainted: G O K 4.4.222 #334 task: c0000000f02da100 task.stack: c00000007a52c000 NIP: 80000000000c80d8 LR: 80000000000c80d8 CTR: c0000000003cef10 REGS: c00000007a52eea0 TRAP: 0800 Tainted: G O K (4.4.222) MSR: 0000000080009000 <EE,ME> CR: 28022882 XER: 00000000 NIP [80000000000c80d8] .foo_show+0x18/0x48 [delay] LR [80000000000c80d8] .foo_show+0x18/0x48 [delay] Call Trace: [c00000007a52f120] [c00000007e015af8] 0xc00000007e015af8(unreliable) [c00000007a52f1a0] [c00000000032d11c].kobj_attr_show+0x2c/0x50 [c00000007a52f210] [c000000000230b74].sysfs_kf_seq_show+0xf4/0x1d0 [c00000007a52f2b0] [c00000000022ea2c].kernfs_seq_show+0x3c/0x50 [c00000007a52f320] [c0000000001c1f88].seq_read+0x118/0x5c0 [c00000007a52f420] [c00000000022fa04].kernfs_fop_read+0x194/0x240 [c00000007a52f4c0] [c00000000018e27c].do_loop_readv_writev+0xac/0x100 [c00000007a52f560] [c00000000018f284].do_readv_writev+0x2a4/0x2f0 [c00000007a52f6d0] [c0000000001cf3cc].default_file_splice_read+0x22c/0x490 [c00000007a52fa60] [c0000000001cd704].do_splice_to+0x94/0xe0 [c00000007a52fb00] [c0000000001cd814].splice_direct_to_actor+0xc4/0x320 [c00000007a52fbd0] [c0000000001cdb14].do_splice_direct+0xa4/0x120 [c00000007a52fc90] [c00000000018f9fc].do_sendfile+0x27c/0x440 [c00000007a52fd80] [c0000000001910f4].compat_SyS_sendfile64+0xe4/0x140 [c00000007a52fe30] [c00000000000058c]system_call+0x40/0xc8 Instruction dump: ebe1fff8 7c0803a6 4e800020 60000000 60000000 60000000 3d62ffff 396b7bf0 e98b0018 7d8903a6 4e800420 73747563 <c0000000> f030a948 7fe3fb78 38a00001 ---[ end trace 07a14bdffccc341f ]--- We solve this problem by disguising the stack frame, so that the caller function will appear in the stack, which can be detected by the stack check, so that when the patch is enabled, it will be found Ather this patch, when enable the second livepatch, we will find the caller on the stack. livepatch_64: func .foo_show is in use! livepatch_64: PID: 328 Comm: cat Call Trace: [c00000007a596bd0] [c00000007a596cd0] 0xc00000007a596cd0(unreliable) [c00000007a596da0] [c000000000008b20].__switch_to+0x70/0xa0 [c00000007a596e20] [c000000000557a5c].__schedule+0x2fc/0x830 [c00000007a596ed0] [c0000000005581b8] .schedule+0x38/0xc0 [c00000007a596f40] [c00000000055c7e8].schedule_timeout+0x148/0x210 [c00000007a597030] [80000000000ff054].new_stack_func+0x54/0x90 [delay_patch] [c00000007a5970b0] [c0000000f025d67c] 0xc0000000f025d67c [c00000007a597120] [80000000000c80d8] .foo_show+0x18/0x48 [delay] [c00000007a5971a0] [c00000000032d11c].kobj_attr_show+0x2c/0x50 [c00000007a597210] [c000000000230b74].sysfs_kf_seq_show+0xf4/0x1d0 [c00000007a5972b0] [c00000000022ea2c].kernfs_seq_show+0x3c/0x50 [c00000007a597320] [c0000000001c1f88].seq_read+0x118/0x5c0 [c00000007a597420] [c00000000022fa04].kernfs_fop_read+0x194/0x240 [c00000007a5974c0] [c00000000018e27c].do_loop_readv_writev+0xac/0x100 [c00000007a597560] [c00000000018f284].do_readv_writev+0x2a4/0x2f0 [c00000007a5976d0] [c0000000001cf3cc].default_file_splice_read+0x22c/0x490 [c00000007a597a60] [c0000000001cd704].do_splice_to+0x94/0xe0 [c00000007a597b00] [c0000000001cd814].splice_direct_to_actor+0xc4/0x320 [c00000007a597bd0] [c0000000001cdb14].do_splice_direct+0xa4/0x120 [c00000007a597c90] [c00000000018f9fc].do_sendfile+0x27c/0x440 [c00000007a597d80] [c0000000001910f4].compat_SyS_sendfile64+0xe4/0x140 [c00000007a597e30] [c00000000000058c]system_call+0x40/0xc8 Signed-off-by: Cheng Jian <[email protected]> Reviewed-by: Xie XiuQi <[email protected]> Signed-off-by: yangerkun <[email protected]> Signed-off-by: Dong Kai <[email protected]> Signed-off-by: Ye Weihua <[email protected]> Reviewed-by: Yang Jihong <[email protected]> Signed-off-by: Zheng Zengkai <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Enable and run test cases in LKFT( https://lkft.linaro.org/tests/ ).
Refer to: https://git.linaro.org/qa/test-definitions.git/tree/automated/linux
LKFT has already been used to test upstream 5.4 LTS kernel. This task will run the tests on kernel with Ampere kernel patches.
The text was updated successfully, but these errors were encountered: