| Message ID | 20250107153507.14733-1-petr.pavlu@suse.com |
|---|---|
| State | New |
| Series | module: Fix writing of livepatch relocations in ROX text |
On Tue 2025-01-07 16:34:57, Petr Pavlu wrote:
> A livepatch module can contain a special relocation section
> .klp.rela.<objname>.<secname> to apply its relocations at the appropriate
> time and to additionally access local and unexported symbols. When
> <objname> points to another module, such relocations are processed
> separately from the regular module relocation process. For instance, only
> when the target <objname> actually becomes loaded.
>
> With CONFIG_STRICT_MODULE_RWX, when the livepatch core decides to apply
> these relocations, their processing results in the following bug:
>
> [ 25.827238] BUG: unable to handle page fault for address: 00000000000012ba
> [ 25.827819] #PF: supervisor read access in kernel mode
> [ 25.828153] #PF: error_code(0x0000) - not-present page
> [ 25.828588] PGD 0 P4D 0
> [ 25.829063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
> [ 25.829742] CPU: 2 UID: 0 PID: 452 Comm: insmod Tainted: G O K 6.13.0-rc4-00078-g059dd502b263 #7820
> [ 25.830417] Tainted: [O]=OOT_MODULE, [K]=LIVEPATCH
> [ 25.830768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
> [ 25.831651] RIP: 0010:memcmp+0x24/0x60
> [ 25.832190] Code: [...]
> [ 25.833378] RSP: 0018:ffffa40b403a3ae8 EFLAGS: 00000246
> [ 25.833637] RAX: 0000000000000000 RBX: ffff93bc81d8e700 RCX: ffffffffc0202000
> [ 25.834072] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000000012ba
> [ 25.834548] RBP: ffffa40b403a3b68 R08: ffffa40b403a3b30 R09: 0000004a00000002
> [ 25.835088] R10: ffffffffffffd222 R11: f000000000000000 R12: 0000000000000000
> [ 25.835666] R13: ffffffffc02032ba R14: ffffffffc007d1e0 R15: 0000000000000004
> [ 25.836139] FS: 00007fecef8c3080(0000) GS:ffff93bc8f900000(0000) knlGS:0000000000000000
> [ 25.836519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 25.836977] CR2: 00000000000012ba CR3: 0000000002f24000 CR4: 00000000000006f0
> [ 25.837442] Call Trace:
> [ 25.838297] <TASK>
> [ 25.841083] __write_relocate_add.constprop.0+0xc7/0x2b0
> [ 25.841701] apply_relocate_add+0x75/0xa0
> [ 25.841973] klp_write_section_relocs+0x10e/0x140
> [ 25.842304] klp_write_object_relocs+0x70/0xa0
> [ 25.842682] klp_init_object_loaded+0x21/0xf0
> [ 25.842972] klp_enable_patch+0x43d/0x900
> [ 25.843572] do_one_initcall+0x4c/0x220
> [ 25.844186] do_init_module+0x6a/0x260
> [ 25.844423] init_module_from_file+0x9c/0xe0
> [ 25.844702] idempotent_init_module+0x172/0x270
> [ 25.845008] __x64_sys_finit_module+0x69/0xc0
> [ 25.845253] do_syscall_64+0x9e/0x1a0
> [ 25.845498] entry_SYSCALL_64_after_hwframe+0x77/0x7f
> [ 25.846056] RIP: 0033:0x7fecef9eb25d
> [ 25.846444] Code: [...]
> [ 25.847563] RSP: 002b:00007ffd0c5d6de8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [ 25.848082] RAX: ffffffffffffffda RBX: 000055b03f05e470 RCX: 00007fecef9eb25d
> [ 25.848456] RDX: 0000000000000000 RSI: 000055b001e74e52 RDI: 0000000000000003
> [ 25.848969] RBP: 00007ffd0c5d6ea0 R08: 0000000000000040 R09: 0000000000004100
> [ 25.849411] R10: 00007fecefac7b20 R11: 0000000000000246 R12: 000055b001e74e52
> [ 25.849905] R13: 0000000000000000 R14: 000055b03f05e440 R15: 0000000000000000
> [ 25.850336] </TASK>
> [ 25.850553] Modules linked in: deku(OK+) uinput
> [ 25.851408] CR2: 00000000000012ba
> [ 25.852085] ---[ end trace 0000000000000000 ]---
>
> The problem is that the .klp.rela.<objname>.<secname> relocations are
> processed after the module was already formed and mod->rw_copy was reset.
> However, the code in __write_relocate_add() calls module_writable_address()
> which translates the target address 'loc' still to
> 'loc + (mem->rw_copy - mem->base)', with mem->rw_copy now being 0.
>
> Fix the problem by returning directly 'loc' in module_writable_address()
> when the module is already formed. Function __write_relocate_add() knows to
> use text_poke() in such a case.
>
> Fixes: 0c133b1e78cd ("module: prepare to handle ROX allocations for text")
> Reported-by: Marek Maslanka <mmaslanka@google.com>
> Closes: https://lore.kernel.org/linux-modules/CAGcaFA2hdThQV6mjD_1_U+GNHThv84+MQvMWLgEuX+LVbAyDxg@mail.gmail.com/
> Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>

The fix makes sense. I could confirm that it fixes the problem and the
livepatch relocations work again.

I have tested it on x86_64 with current Linus' origin/master and the
selftest from the patchset adding klp-convert tool, see
https://lore.kernel.org/r/20240827123052.9002-7-lhruska@suse.cz

Reviewed-by: Petr Mladek <pmladek@suse.com>
Tested-by: Petr Mladek <pmladek@suse.com>

Best Regards,
Petr
diff --git a/include/linux/module.h b/include/linux/module.h index 94acbacdcdf1..b3a643435357 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -773,7 +773,8 @@ void *__module_writable_address(struct module *mod, void *loc); static inline void *module_writable_address(struct module *mod, void *loc) { - if (!IS_ENABLED(CONFIG_ARCH_HAS_EXECMEM_ROX) || !mod) + if (!IS_ENABLED(CONFIG_ARCH_HAS_EXECMEM_ROX) || !mod || + mod->state != MODULE_STATE_UNFORMED) return loc; return __module_writable_address(mod, loc); }
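Review bot: the added `mod->state != MODULE_STATE_UNFORMED` condition in module_writable_address() changes what the returned pointer means (for a formed module the caller gets the ROX address `loc` back and must patch it with text_poke() rather than a plain store), but the header carries no comment recording that contract, so a future caller could easily write through the result directly. Suggest a short comment above the inline, e.g. `/* rw_copy exists only while the module is UNFORMED; for a formed module the live text address is returned and must be written via text_poke(). */`, and a note in the commit message that every caller of module_writable_address() was audited for this, since the commit message only mentions __write_relocate_add().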
A livepatch module can contain a special relocation section
.klp.rela.<objname>.<secname> to apply its relocations at the appropriate
time and to additionally access local and unexported symbols. When
<objname> points to another module, such relocations are processed
separately from the regular module relocation process. For instance, only
when the target <objname> actually becomes loaded.

With CONFIG_STRICT_MODULE_RWX, when the livepatch core decides to apply
these relocations, their processing results in the following bug:

[ 25.827238] BUG: unable to handle page fault for address: 00000000000012ba
[ 25.827819] #PF: supervisor read access in kernel mode
[ 25.828153] #PF: error_code(0x0000) - not-present page
[ 25.828588] PGD 0 P4D 0
[ 25.829063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 25.829742] CPU: 2 UID: 0 PID: 452 Comm: insmod Tainted: G O K 6.13.0-rc4-00078-g059dd502b263 #7820
[ 25.830417] Tainted: [O]=OOT_MODULE, [K]=LIVEPATCH
[ 25.830768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
[ 25.831651] RIP: 0010:memcmp+0x24/0x60
[ 25.832190] Code: [...]
[ 25.833378] RSP: 0018:ffffa40b403a3ae8 EFLAGS: 00000246
[ 25.833637] RAX: 0000000000000000 RBX: ffff93bc81d8e700 RCX: ffffffffc0202000
[ 25.834072] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000000012ba
[ 25.834548] RBP: ffffa40b403a3b68 R08: ffffa40b403a3b30 R09: 0000004a00000002
[ 25.835088] R10: ffffffffffffd222 R11: f000000000000000 R12: 0000000000000000
[ 25.835666] R13: ffffffffc02032ba R14: ffffffffc007d1e0 R15: 0000000000000004
[ 25.836139] FS: 00007fecef8c3080(0000) GS:ffff93bc8f900000(0000) knlGS:0000000000000000
[ 25.836519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 25.836977] CR2: 00000000000012ba CR3: 0000000002f24000 CR4: 00000000000006f0
[ 25.837442] Call Trace:
[ 25.838297] <TASK>
[ 25.841083] __write_relocate_add.constprop.0+0xc7/0x2b0
[ 25.841701] apply_relocate_add+0x75/0xa0
[ 25.841973] klp_write_section_relocs+0x10e/0x140
[ 25.842304] klp_write_object_relocs+0x70/0xa0
[ 25.842682] klp_init_object_loaded+0x21/0xf0
[ 25.842972] klp_enable_patch+0x43d/0x900
[ 25.843572] do_one_initcall+0x4c/0x220
[ 25.844186] do_init_module+0x6a/0x260
[ 25.844423] init_module_from_file+0x9c/0xe0
[ 25.844702] idempotent_init_module+0x172/0x270
[ 25.845008] __x64_sys_finit_module+0x69/0xc0
[ 25.845253] do_syscall_64+0x9e/0x1a0
[ 25.845498] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 25.846056] RIP: 0033:0x7fecef9eb25d
[ 25.846444] Code: [...]
[ 25.847563] RSP: 002b:00007ffd0c5d6de8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 25.848082] RAX: ffffffffffffffda RBX: 000055b03f05e470 RCX: 00007fecef9eb25d
[ 25.848456] RDX: 0000000000000000 RSI: 000055b001e74e52 RDI: 0000000000000003
[ 25.848969] RBP: 00007ffd0c5d6ea0 R08: 0000000000000040 R09: 0000000000004100
[ 25.849411] R10: 00007fecefac7b20 R11: 0000000000000246 R12: 000055b001e74e52
[ 25.849905] R13: 0000000000000000 R14: 000055b03f05e440 R15: 0000000000000000
[ 25.850336] </TASK>
[ 25.850553] Modules linked in: deku(OK+) uinput
[ 25.851408] CR2: 00000000000012ba
[ 25.852085] ---[ end trace 0000000000000000 ]---

The problem is that the .klp.rela.<objname>.<secname> relocations are
processed after the module was already formed and mod->rw_copy was reset.
However, the code in __write_relocate_add() calls module_writable_address()
which translates the target address 'loc' still to
'loc + (mem->rw_copy - mem->base)', with mem->rw_copy now being 0.

Fix the problem by returning directly 'loc' in module_writable_address()
when the module is already formed. Function __write_relocate_add() knows to
use text_poke() in such a case.

Fixes: 0c133b1e78cd ("module: prepare to handle ROX allocations for text")
Reported-by: Marek Maslanka <mmaslanka@google.com>
Closes: https://lore.kernel.org/linux-modules/CAGcaFA2hdThQV6mjD_1_U+GNHThv84+MQvMWLgEuX+LVbAyDxg@mail.gmail.com/
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
 include/linux/module.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

base-commit: 9d89551994a430b50c4fffcb1e617a057fa76e20
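To make the address arithmetic in the commit message concrete, here is an added C model (not kernel code and not part of this patch) of the translation done by __module_writable_address() before and after the fix. The enum, struct and function names are simplified stand-ins, and the two addresses are taken from the oops on the assumption that RCX held the text mapping base and R13 the relocation target 'loc'; with rw_copy reset to 0, the pre-fix translation then yields exactly the faulting address reported in CR2.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures (not kernel code). */
enum module_state { MODULE_STATE_LIVE, MODULE_STATE_COMING, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };
struct module_memory {
	uint64_t base;    /* ROX text mapping */
	uint64_t rw_copy; /* writable shadow: valid only while UNFORMED, 0 afterwards */
};
struct module {
	enum module_state state;
	struct module_memory mem;
};

/* Assumed from the oops: RCX = mapping base, R13 = relocation target 'loc'. */
#define TEXT_BASE 0xffffffffc0202000ULL
#define RELOC_LOC 0xffffffffc02032baULL

/* Translation done by __module_writable_address(): loc + (rw_copy - base). */
static uint64_t translate(const struct module *mod, uint64_t loc)
{
	return loc + (mod->mem.rw_copy - mod->mem.base);
}

/* Before the fix: the translation is applied whatever the module state. */
uint64_t writable_address_buggy(const struct module *mod, uint64_t loc)
{
	return mod ? translate(mod, loc) : loc;
}

/* After the fix: a formed module has no rw_copy, so 'loc' is returned
 * unchanged and the caller must write it through text_poke(). */
uint64_t writable_address_fixed(const struct module *mod, uint64_t loc)
{
	if (!mod || mod->state != MODULE_STATE_UNFORMED)
		return loc;
	return translate(mod, loc);
}

int main(void)
{
	struct module mod = { MODULE_STATE_UNFORMED, { TEXT_BASE, 0xffff888010000000ULL } };
	/* Module formation: state leaves UNFORMED and the rw copy is dropped;
	 * a late .klp.rela.<objname>.<secname> write then arrives. */
	mod.state = MODULE_STATE_COMING;
	mod.mem.rw_copy = 0;
	printf("buggy: %#llx (the CR2 value)\n", (unsigned long long)writable_address_buggy(&mod, RELOC_LOC));
	printf("fixed: %#llx (== loc)\n", (unsigned long long)writable_address_fixed(&mod, RELOC_LOC));
	return 0;
}
```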