kmod/core: fix crash with !CONFIG_DEBUG_SET_MODULE_RONX #544
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When loading a patch module on a kernel with !CONFIG_DEBUG_SET_MODULE_RONX, the following crash occurs: loading core module: /root/src/kpatch/kpatch/../kmod/core/kpatch.ko loading patch module: kpatch-meminfo-string.ko BUG: unable to handle kernel paging request at ffffffffa0010cc0 IP: [<ffffffff8125ecb0>] do_init_module+0x84/0x1af PGD 13d3067 PUD 13d4063 PMD 1e1ee067 PTE 1e1a0161 Oops: 0003 [#1] Modules linked in: kpatch_meminfo_string(O+) kpatch(O) CPU: 0 PID: 149 Comm: insmod Tainted: G O K 4.1.0+ #1 task: ffff88001e17b810 ti: ffff88001e1cc000 task.ti: ffff88001e1cc000 RIP: 0010:[<ffffffff8125ecb0>] [<ffffffff8125ecb0>] do_init_module+0x84/0x1af RSP: 0018:ffff88001e1cfda8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffa0010cc0 RCX: 0000000080a02001 RDX: 0000000000000024 RSI: 0000000000000000 RDI: ffffffff813fabe0 RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000d0000000 R10: ffffffffa000e000 R11: 0000000000000001 R12: ffff88001eb58638 R13: ffffffffa0010d10 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f0ae00aa700(0000) GS:ffffffff813e1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffffffffa0010cc0 CR3: 000000001e181000 CR4: 00000000000006b0 Stack: ffff88001e1cfed8 0000000000000001 ffffffffa0010cc0 ffffffff81058aac ffff88001e207680 00000000810a462f ffffc90000096890 0000000000000e00 ffffffff00000016 ffffffff8126cd40 ffff88001eaa6a08 ffff88001e1cfe48 Call Trace: [<ffffffff81058aac>] ? load_module+0x18ad/0x18e9 [<ffffffff81056290>] ? copy_module_from_fd+0x86/0xdf [<ffffffff81058c1e>] ? SyS_finit_module+0x56/0x61 [<ffffffff81261854>] ? system_call_fastpath+0x12/0x6a Code: f8 00 00 00 74 23 49 c7 c0 80 ca 26 81 48 8d 53 18 89 c1 4c 89 c6 48 c7 c7 6d ef 36 81 31 c0 e8 16 fb ff ff e8 18 06 00 00 31 f6 <c7> 03 00 00 00 00 48 89 da 48 c7 c7 c0 c9 3f 81 e8 7e b3 dd ff RIP [<ffffffff8125ecb0>] do_init_module+0x84/0x1af RSP <ffff88001e1cfda8> CR2: ffffffffa0010cc0 With !CONFIG_DEBUG_SET_MODULE_RONX, module text and rodata pages are writable, and the debug_align() macro allows the module struct to share a page with executable text. When klp_write_module_reloc() calls set_memory_ro() on the page, it effectively turns the module struct into a read-only structure, resulting in a page fault when load_module() does "mod->state = MODULE_STATE_LIVE". Fixes: dynup#497
sjenning
added a commit
that referenced
this pull request
Nov 4, 2015
kmod/core: fix crash with !CONFIG_DEBUG_SET_MODULE_RONX
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When loading a patch module on a kernel with
!CONFIG_DEBUG_SET_MODULE_RONX, the following crash occurs:
loading core module: /root/src/kpatch/kpatch/../kmod/core/kpatch.ko
loading patch module: kpatch-meminfo-string.ko
BUG: unable to handle kernel paging request at ffffffffa0010cc0
IP: [] do_init_module+0x84/0x1af
PGD 13d3067 PUD 13d4063 PMD 1e1ee067 PTE 1e1a0161
Oops: 0003 [#1]
Modules linked in: kpatch_meminfo_string(O+) kpatch(O)
CPU: 0 PID: 149 Comm: insmod Tainted: G O K 4.1.0+ #1
task: ffff88001e17b810 ti: ffff88001e1cc000 task.ti: ffff88001e1cc000
RIP: 0010:[] [] do_init_module+0x84/0x1af
RSP: 0018:ffff88001e1cfda8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffa0010cc0 RCX: 0000000080a02001
RDX: 0000000000000024 RSI: 0000000000000000 RDI: ffffffff813fabe0
RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000d0000000
R10: ffffffffa000e000 R11: 0000000000000001 R12: ffff88001eb58638
R13: ffffffffa0010d10 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f0ae00aa700(0000) GS:ffffffff813e1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffffa0010cc0 CR3: 000000001e181000 CR4: 00000000000006b0
Stack:
ffff88001e1cfed8 0000000000000001 ffffffffa0010cc0 ffffffff81058aac
ffff88001e207680 00000000810a462f ffffc90000096890 0000000000000e00
ffffffff00000016 ffffffff8126cd40 ffff88001eaa6a08 ffff88001e1cfe48
Call Trace:
[] ? load_module+0x18ad/0x18e9
[] ? copy_module_from_fd+0x86/0xdf
[] ? SyS_finit_module+0x56/0x61
[] ? system_call_fastpath+0x12/0x6a
Code: f8 00 00 00 74 23 49 c7 c0 80 ca 26 81 48 8d 53 18 89 c1 4c 89 c6 48 c7 c7 6d ef 36 81 31 c0 e8 16 fb ff ff e8 18 06 00 00 31 f6 03 00 00 00 00 48 89 da 48 c7 c7 c0 c9 3f 81 e8 7e b3 dd ff
RIP [] do_init_module+0x84/0x1af
RSP
CR2: ffffffffa0010cc0
With !CONFIG_DEBUG_SET_MODULE_RONX, module text and rodata pages are
writable, and the debug_align() macro allows the module struct to share
a page with executable text. When klp_write_module_reloc() calls
set_memory_ro() on the page, it effectively turns the module struct into
a read-only structure, resulting in a page fault when load_module() does
"mod->state = MODULE_STATE_LIVE".
Fixes: #497