Merge pull request dynup#1203 from sumanthkorikkar/s390x-kpatch-support #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Updates of interest: v0.9.6: - Tue Apr 12 Joe Lawrence <joe.lawrence@redhat.com> - 0.9.6 - Allow OOT modules to be built with non-distro kernels - Add cross-arch unit testing support - Support ELF extended symbol section indexes - Allow setting kernel version if --sourcedir and --vmlinux are used - Cleanup and enhance __LINE__ macro detection for all arches - Fix segfault on .LCx string literal symbols - Include __dyndbg section when referenced by jump table - Honor user provided KBUILD_EXTRA_SYMBOLS - Support .retpoline_sites section - Add native compiler selection via CROSS_COMPILE Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Bump to version v0.9.6
Attempting to patch a syscall results in an error due to a missing fentry hook in the inner __do_sys##name() function. The fentry hook is missing because of the 'inline' annotation, which invokes 'notrace'. Add some kpatch-specific syscall definition macros which can be used for patching a syscall. These macros are copied almost verbatim from the kernel, the main difference being a 'kpatch' prefix added to the __do_sys##name() function name. This causes kpatch-build to treat it as a new function (due to its new name), and its caller __se_sys##name() function is inlined by its own caller __x64_sys##name() function, which has an fentry hook. To patch a syscall, just use replace the use of the SYSCALL_DEFINE1 (or similar) macro with the "KPATCH_" prefixed version. Fixes: #1171 Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Add ".kpatch" to the end of "uname -s". Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Mention that jump labels in patched functions are mostly supported for Linux 5.8+. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Update a lot of the old cruft and move the boring installation stuff to a separate file. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Oops, this somehow ended up with a reference to nonexistent commit. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
test/unit: bump
readme: bring README.md into the 21st century
Add syscall macros
The two versions are not the same (4.18.0-240.el8 vs. 4.18.0-284.el8). But I am not quite sure which one is accurate. Remove the first one as the second one is being used before this change. Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
* gcc-constprop.patch
In v4.20, 33e26418193f ("y2038: make do_gettimeofday() and get_seconds()
inline"), do_gettimeofdat() no longer exists as a stand alone function
in kernel/time/timekeeping.c.
* gcc-static-local-var-4.patch
Unlike on rhel-8.4, _always_inline put_aio_ring_file() is causing too
many inlines and results in modified, but not ftrace-able,
__do_sys_io_submit() and __do_sys_io_setup(). Remove the annotation
from this function.
* module.patch
In v4.20, 9ceddd9da134 ("knfsd: Allow lockless lookups of the exports"),
the nfs_exports_op seq_operations converted to RCU protected lookups.
Calling yield() from a kpatched e_show() results in a kernel warning,
"Voluntary context switch within RCU read-side critical section!"
Substitute with single_task_running(), which does not context switch or
have any other side effects.
In v5.10, ec6347bb4339 ("x86, powerpc: Rename memcpy_mcsafe() to
copy_mc_to_{user, kernel}()") did away with the mcsafe_key. Use
another exported static key like context_tracking_enabled.
In v5.13, a0e2bf7cb700 ("x86/paravirt: Switch time pvops functions to
use static_call()"), paravirt_sched_clock() was converted from a
paravirt call to a non-exported static call. Update the x86 code to
instead call __flush_tlb_local() (which is still a paravirt call).
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
kpatch-build: remove duplicated use_klp_arch
Signed-off-by: Yannick Cote <ycote@redhat.com>
doc: fix internal link to supported arches
As I noticed, commit eaaced1 has added partial support for openEuler. This patch enables usage in openEuler like: kpatch-build xxxx.patch I test it in openEuler 21.09, for people who want to use kpatch in openEuler, two more steps are needed. 1) add repo source source rpm package of openEuler kernel are put in two places. One is https://repo.openeuler.org/openEuler-21.09/source/ Another one is https://repo.openeuler.org/openEuler-21.09/update/source/ The latter one is not inclued in rpm repo lists by default. 2) compile kernel with CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY enabled openEuler has its own strategy when trying to apply patches. We can use the klp_enable_patch function only when CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY is enabled. Signed-off-by: anatasluo <luolongjuna@gmail.com>
test/integration/rhel-8.6: add kernel-4.18.0-372.9.1.el8 tests
Clean out any integration tests that no longer exercise their original use cases. Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com> Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: anatasluo <luolongjuna@gmail.com>
test/integration/rhel-9.0: add kernel-5.14.0-70.13.1.el9_0 tests
With '--debug', most of the xtrace output shows the reading of the .config and Module.symvers files, which isn't very useful and floods the rest of the xtrace output. Temporarily disable xtrace before reading the files. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
These functions are only called locally, convert them to static. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Several functions expect to take a ".rela" section as an argument. Make such cases more clear by renaming "sec" -> "relasec". Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Several functions have a boolean semantic, but don't actually return bool, which is confusing. Fix that. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
It doesn't make sense to disassemble a data section. That just happened to work by accident. PC-relative offsets only need adjusting when associated with an instruction. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
…syms() Add support for R_X86_64_NONE. With an upstream kernel, it's quite rare, only used for a few jump labels. With older kernels it was used for fentry hooks. Either way, it should be treated like a PC-relative relocation. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Error out if an unsupported rela is encountered. This is more robust than just ignoring it. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
…bols These sections don't have symbols. Don't even try to replace references to them with symbols. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
kpatch-build: add support for openEuler
If a section reference can't be converted to a symbol reference, error out to try to prevent unexpected behavior later on. There are a few sections for which a symbol is optional: .rodata and string literal sections. Don't warn about those. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
The current string extraction is broken for non-section symbols. Fix that. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Use rela_target_offset() to make the relocation bounds checking more precise. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Otherwise it fails the unit tests on an s390 host. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Currently "kpatch force unload <klp_some_version>" will fail to unload an old kernel live patch module that is no longer seeing any use, when the "enabled" file for that module is no longer present. Check for the presence of such modules by checking /sys/module, and return success from disable_patch() for a module that is already disabled. This allows "kpatch force unload <klp_some_version>" to succeed for already disabled modules. Signed-off-by: Rik van Riel <riel@surriel.com>
kpatch: also unload a loaded, but no longer enabled kernel live patch
Fix addend handling and other cleanups for s390
symtab_read tries to skip '.dynsym' symbol table and only
read '.symtab' symbol table. Newer readelf from binutils 2.37
now adds section names (see the diff):
--- vmlinux.symtab 2022-02-18 02:10:06.691220932 +0100
+++ vmlinux.symtab.new 2022-02-18 01:16:06.161210458 +0100
Symbol table '.dynsym' contains 1541 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000100000 0 SECTION LOCAL DEFAULT 1 .text
2: 00000000017a3ac0 4 OBJECT GLOBAL DEFAULT 19 sclp_console_pages
Symbol table '.symtab' contains 159980 entries:
Num: Value Size Type Bind Vis Ndx Name
- 41: 0000000001a93600 0 SECTION LOCAL DEFAULT 41
- 42: 0000000001a9c678 0 SECTION LOCAL DEFAULT 42
...
+ 41: 0000000001a93600 0 SECTION LOCAL DEFAULT 41 .dynsym
+ 42: 0000000001a9c678 0 SECTION LOCAL DEFAULT 42 .rela.dyn
...
54: 0000000000000000 0 FILE LOCAL DEFAULT ABS main.c
Simple matching of ".dynsym" in the line buffer is not enough anymore,
because it hits not just
Symbol table '.dynsym' contains 1541 entries:
line, but also
41: 0000000001a93600 0 SECTION LOCAL DEFAULT 41 .dynsym
skipping the rest of the file and leading to an error:
create-diff-object: ERROR: *.o: find_local_syms: 189: couldn't find matching
*.c local symbols in vmlinux symbol table
Limit matching only to lines containing "Symbol table" header.
This works with readelf from the binutils, as well as readelf from
elfutils (its output looks slightly different).
Symbol table [41] '.dynsym' contains 1541 entries:
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
1. -mno-pic-data-is-text-relative prevents relative addressing between code and data. This is needed to avoid relocation error when klp text and data are too far apart 2. Avoid generation of LANCHOR symbols through -fno-section-anchors. kpatch-build does not handle it well. Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
* Add s390 specific checks * Identify patchable functions. * Dont mark expolines as dynrelas. These expolines are always included in final kernel module. This ensures that expoline functions and the kernel itself are not too far apart and avoids out of range relocation. However, this isnt a problem for other functions, as these relocations are performed via R_390_PLT32DBL using gcc option -mno-pic-data-is-text-relative. * s390 maintains expoline tables to locate the expoline thunks. If needed, the module loader could later replace these expoline thunks with normal indirect branch. Each element in the expoline table is of 4 bytes. If there is a changed function in rela.s390_return*, then mark that specific rela symbol as included. This is already performed in the processing of special sections. Hence include it. Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Add object exclusion for s390 Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
1. static const struct inet_sock fake_sk = {
/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
.sk.sk_bound_dev_if = 1,
.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
};
gcc can place fake_sk in .data.rel.ro.local:
ndx 38, data 0x3ffb3280a58, size 960, name .data.rel.ro.local.fake_sk.1
ndx 39, data 0x3ffb32be5e8, size 24, name .rela.data.rel.ro.local.fake_sk.1
2. static LIST_HEAD(patch_objects);
gcc can place patch_objects relocation in .data.rel.local:
sym 56, type 1, bind 0, ndx 34, name patch_objects -> .data.rel.local
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
EPEL ships an epel-release-latest-X.noarch.rpm per rhel-X major release. Install the package matching the system release. Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
The yum-builddep utility doesn't always install all the kernel build dependencies. Using the --skip-unavailable flag (rhel8+) lets us skip over packages that it can't find, but continue to install the ones it can. (Unavailable packages are usually platform-specific or not strictly necessary for kpatch-build's kernel build invocation.) Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
All three distributions work more or less the same, so just combine their dependency installs. Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Installing the dependencies should be a one-step operation for the user. Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
We've got a lot of top level Makefile targets, help out the user. Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
* Add s390 as supported. * Add backporting information for the distros. Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
…pendencies kpatch build dependency cleanup
Recent toolchains only create a section symbol if it's needed, i.e. if there's a reference to it. If there's a missing section symbol in kpatch_create_intermediate_sections(), create one instead of erroring out. Fixes #1272. Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
create-diff-object: Create missing section symbol
Add patches rebased on top of upstream 5.18.0. Integration tests for these can be ran as this: $ make PATCH_DIR="linux-5.18.0" KPATCH_BUILD_OPTS="--non-replace --sourcedir /path/to/src/linux-5.18.0" integration-slow Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Calling __flush_tlb_local() may result in a kernel warning:
STATIC_NOPV void native_flush_tlb_local(void)
{
/*
* Preemption or interrupts must be disabled to protect the access
* to the per CPU variable and to prevent being preempted between
* read_cr3() and write_cr3().
*/
WARN_ON_ONCE(preemptible());
so use another paravirt call like slow_down_io() instead.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Integration updates
S390x kpatch support
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.