The KPATCH_SYSCALL_DEFINEn macros in kpatch-syscall.h do not provide the
same syscall metadata (saved in the __syscalls_metadata and
_ftrace_events ELF sections) as the kernel. These same macros also
instruct kpatch-build to ignore changes to these sections. This works
fine as long as there are other unmodified syscalls present in the
object file. However, if not, the kpatch syscall macros may result in
either metadata ELF section not appearing in the patched object file.
The create-diff-object program expects to encounter any ELF section that
has been marked by KPATCH_IGNORE_SECTION in the patched object file.
To avoid this limitation, create dummy __syscalls_metadata and
_ftrace_events entries for the kpatch-modified syscall. The specific
values shouldn't matter since their sections will still be marked with
KPATCH_IGNORE_SECTION and now their presence will be guaranteed for
create-diff-object.
Closes: #1375 ("kpatch-build error when modifying an object file's only syscall")
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Since linux 'commit 2213d44e140f ("s390/syscalls: get rid of system call alias
functions")', s390 syscall wrappers are modified. Adjust it accordingly
for kpatch
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Kernel v6.1+ commit 7e92e01b7245 ("powerpc: Provide syscall wrapper")
introduced PowerPC specific macros. Add them to kpatch-syscall.h.
WIP: the syscall.patch integration test required
-fno-optimize-sibling-calls for sys_newuname() ... should we move the
attribute out to the patch?
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Kernel version specific __KPATCH_SYSCALL_DEFINEx macros were added to
kpatch-syscall.h for x86, but only single versions for other arches.
This works out for s390x, but not ppc64le for which kpatch-build support
goes back to kernel versions that require slightly different macros.
Reorder the __KPATCH_SYSCALL_DEFINEx macros to define the arch-specific
ones first (arch/.../include/asm/syscall_wrapper.h) and then fall back
to using generic ones (include/linux/syscalls.h versions).
Fixes: #1278
Fixes: 9c0b678621b9 ("macros: add syscall patching macros")
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Attempting to patch a syscall results in an error due to a missing
fentry hook in the inner __do_sys##name() function. The fentry hook is
missing because of the 'inline' annotation, which invokes 'notrace'.
Add some kpatch-specific syscall definition macros which can be used for
patching a syscall.
These macros are copied almost verbatim from the kernel, the main
difference being a 'kpatch' prefix added to the __do_sys##name()
function name. This causes kpatch-build to treat it as a new function
(due to its new name), and its caller __se_sys##name() function is
inlined by its own caller __x64_sys##name() function, which has an
fentry hook.
To patch a syscall, just replace the use of the SYSCALL_DEFINE1 (or
similar) macro with the "KPATCH_" prefixed version.
Fixes: #1171
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Relax the clean target to leave the kpatch-build generated output.o file.
This is helpful after invoking kpatch-build in debug mode and rebuilding
$CACHEDIR/tmp/patch in a debugging session.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
In PR #1205, Kamalesh reports:
... I see that the -mcmodel=large flag is being passed twice with
KBUILD_CFLAGS_MODULE set:
gcc -Wp,-MMD,/root/.kpatch/tmp/patch/.livepatch-meminfo.mod.o.d ............ -mcmodel=medium .... -I/root/kpatch/kmod/patch -mcmodel=large -fplugin=/root/kpatch/kpatch-build/gcc-plugins/ppc64le-plugin.so ... -DMODULE -mno-save-toc-indirect -mcmodel=large -mcmodel=large -DKBUILD_BASENAME='"livepatch_meminfo.mod"' -DKBUILD_MODNAME='"livepatch_meminfo"' -D__KBUILD_MODNAME=kmod_livepatch_meminfo -c -o /root/.kpatch/tmp/patch/livepatch-meminfo.mod.o /root/.kpatch/tmp/patch/livepatch-meminfo.mod.c.
I loaded the module built without the KBUILD_CFLAGS_MODULE +=
-mcmodel=large flag and seems to be okay. I guess, we can remove the arch
specific flag from the Makefile.
Suggested-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
The kmod/patch/Makefile defines KBUILD_CFLAGS_MODULE, but it seems that
kbuild doesn't honor it as an environment variable. This is noticed when
attempting to use the kpatch-build --non-replace option: the flag is
added to KBUILD_CFLAGS_MODULE, yet the kernel module build ignores it.
At the same time, the kernel docs suggest passing CFLAGS_MODULE [1], not
KBUILD_CFLAGS_MODULE, from the commandline. Set up KPATCH_MAKE to pass
these options through that variable.
[1] https://www.kernel.org/doc/Documentation/kbuild/makefiles.txt
Fixes: c14e6e9118 ("kpatch-build: Add PPC64le livepatch support")
Fixes: 17dcebf077 ("kpatch-build: enable klp with replace option by default")
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Since 5.1 kernel, klp_patch supports a "replace" option, which does atomic
replace of cumulative patches. Enable building such patch by default. If
replace behavior is not desired, the user can use -R|--non-replace option
to disable it.
Signed-off-by: Song Liu <song@kernel.org>
Starting with v5.10 kbuild no longer builds built-in targets for
external modules (including extra-y). Further it wasn't guaranteed that
extra-y targets were going to be built before linking.
Do the proper thing and add kpatch.lds as a dependency for $(KPATCH_NAME).o.
Upstream discussion for reference: https://lore.kernel.org/linux-kbuild/20201103054425.59251-1-chao.wang@ucloud.cn/
Fixes: #1148
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Convert __section to __kpatch_section to fix compile errors since
Linux 5.10, commit 33def8498fdd ("treewide: Convert macro and uses of
__section(foo) to __section("foo")").
Signed-off-by: WANG Chao <chao.wang@ucloud.cn>
Make sure we don't set HAVE_SIMPLE_ENABLE on rhel8 before rhel8.2
Fixes: b913b4b ("livepatch-patch-hook: skip klp_(un)register_patch() for RHEL-7.8+ kernels")
Fixes: #1031
Signed-off-by: Artem Savkov <asavkov@redhat.com>
RHEL-7.8 backported upstream kernel commit 958ef1e39d24 ("livepatch:
Simplify API by removing registration step"), so add it to the kernels
using the simple registration API.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
In v5.1, upstream kernel commit 958ef1e39d24 ("livepatch: Simplify API
by removing registration step") removed klp_(un)register_patch(). We
only need to call klp_enable_patch() now.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
reason: after the function klp_unregister_patch, the lpatch must
be freed, otherwise, it would cause a memory leak.
Signed-off-by: chenzefeng <chenzefeng2@huawei.com>
While adding proper linker script option my previous patch left the
linker script in the list of source files (on pre-4.20 kernels) for
ld somehow breaking kpatch callback sections. For this to work
properly kpatch.lds needs to be added to 'extra-y' instead of objs. And
for kbuild to process this option properly we need to call make without
the .ko target, i.e. let kbuild decide what to build.
Fixes: 17a97b4 ("kmod/patch: fix patch linking with 4.20")
Signed-off-by: Artem Savkov <asavkov@redhat.com>
4.20 includes commit 69ea912fda74 "kbuild: remove unneeded link_multi_deps"
which changes kbuild so that only '.o' files are given to ld as targets
for linking, leaving out our linker script. Even before this commit we
were still doing this wrong and were succeeding just because ld is smart
enough to detect the script, it even throws a warning:
ld: warning: kpatch.lds contains output sections; did you forget -T?
The right thing to do is to add the script to ldflags either through
kbuild's 'ldflags-y' or by adding it to LDFLAGS/KPATCH_LDFLAGS directly.
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Since the codeset supports just the 64 bit variant, let's move
to __powerpc64__ and use it. I checked the ABI doc as well
and the kernel/gcc.
Signed-off-by: Balbir singh <bsingharora@gmail.com>
Deal with a few RHEL kernel-alt quirks for ppc64le:
- The RPM and spec names are "kernel-alt".
- 7.6 ALT is based on 4.14 but it doesn't have the 'immediate' flag.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Preprocessor doesn't stop unwinding macros in #if clauses if one of
the conditions is false resulting in the following error when trying to
build on non-rhel system:
patch/livepatch-patch-hook.c:53:48: error: missing binary operator before token "("
RHEL_RELEASE_CODE <= RHEL_RELEASE_VERSION(7, 5))
Fix by using 2 levels of #ifs instead of &&. The same way HAVE_CALLBACKS
does.
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Since commit 926e4e0c7d ("kmod: add support
for in-kernel livepatch hooks") livepatch-patch-hook.c unconditionally
creates callbacks. This causes a build error for kernels older than 4.15:
make -C /home/rppt/git/linux M=/home/rppt/.kpatch/tmp/patch livepatch-proc-vmalloc-live.ko
make[1]: Entering directory '/home/rppt/git/linux'
CC [M] /home/rppt/.kpatch/tmp/patch/patch-hook.o
In file included from /home/rppt/.kpatch/tmp/patch/patch-hook.c:21:0:
/home/rppt/.kpatch/tmp/patch/livepatch-patch-hook.c:82:23: error: field ‘callbacks’ has incomplete type
struct klp_callbacks callbacks;
^
/home/rppt/.kpatch/tmp/patch/livepatch-patch-hook.c: In function ‘patch_init’:
/home/rppt/.kpatch/tmp/patch/livepatch-patch-hook.c:395:10: error: ‘struct klp_object’ has no member named ‘callbacks’
lobject->callbacks = object->callbacks;
^
scripts/Makefile.build:302: recipe for target '/home/rppt/.kpatch/tmp/patch/patch-hook.o' failed
make[2]: *** [/home/rppt/.kpatch/tmp/patch/patch-hook.o] Error 1
Makefile:1687: recipe for target 'livepatch-proc-vmalloc-live.ko' failed
make[1]: *** [livepatch-proc-vmalloc-live.ko] Error 2
make[1]: Leaving directory '/home/rppt/git/linux'
Makefile:20: recipe for target 'livepatch-proc-vmalloc-live.ko' failed
make: *** [livepatch-proc-vmalloc-live.ko] Error 2
Introduce HAVE_CALLBACKS to allow conditional compilation of the callbacks
addition.
Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
Fixes sparse warnings:
kmod/core/core.c:142:20: warning: symbol 'trace' was not declared. Should it be static?
livepatch-patch-hook.c:73:18: warning: symbol 'lpatch' was not declared. Should it be static?
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Upstream 4.15 kernels provide support for pre and post (un)patch
callbacks, inspired by the kpatch load hooks. Add support for them
in the livepatch-patch-hook.
At the same time, convert the kpatch hooks to use the same API.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Effective Kernel v4.16, the immediate flag is removed by upstream
kernel commit d0807da78e11 ("livepatch: Remove immediate feature").
Add an upper bound kernel version check for inclusion of the
immediate flag.
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Fix the version checks for when we enable CONFIG_LIVEPATCH on RHEL. It
will be based on the latest upstream code.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Use kpatch-<modname>.ko or livepatch-<modname>.ko depending on the type
of module we're building.
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
This patch adds support for livepatch hook based module
creation for PPC64le. It introduces PPC64le architecture
bits:
- Add relocation type of R_PPC64_ADDR64 while parsing powerpc ELF.
- Introduce .toc sections manipulation.
- Skip kpatch specific details for livepatch hook.
Also remove the definition of rela_insn() for powerpc. The only
call site is guarded by #ifdef x86.
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Restructure kpatch's sysfs interface and mirror the sysfs tree after
livepatch's sysfs layout. With the current sysfs layout, we cannot
distinguish which object a function belongs to, and we cannot tell which
modules/objects are patched. Therefore, restructure the kpatch sysfs tree
such that module/object information is available. With the new layout, each
patched object has its own directory, with each function being a
subdirectory of its object.
Implement this by embedding a kobject struct within the kpatch_module,
kpatch_func, and kpatch_object structs and supplying their ktypes and
kobject release methods.
Before:
/sys/kernel/kpatch
└── patches
    └── <patch_module>
        ├── checksum
        ├── enabled
        └── functions
            ├── <function> # from <object1>
            │   ├── new_addr
            │   └── old_addr
            ├── <function> # from <object2>
            │   ├── new_addr
            │   └── old_addr
            └── <function> # from <object3>
                ├── new_addr
                └── old_addr
After:
/sys/kernel/kpatch
└── <patch_module>
    ├── <object1>
    │   └── <function,sympos>
    │       ├── new_addr
    │       └── old_addr
    ├── <object2>
    │   └── <function,sympos>
    │       ├── new_addr
    │       └── old_addr
    ├── checksum
    ├── enabled
    └── <object3>
        └── <function,sympos>
            ├── new_addr
            └── old_addr
Previous commit "kmod: let kernel apply TAINT_LIVEPATCH" modified the
kpatch patch module to set the "livepatch" module info. This breaks
module loading for kernel config CONFIG_LIVEPATCH=n:
kpatch_kmalloc: module is marked as livepatch module, but livepatch support is disabled
kpatch modules can still use TAINT_LIVEPATCH as a per-module taint flag,
but only if it is set after the module loads.
Fixes: 660.
Introduce a second phase in the kpatch-build process that creates kpatch
modules or livepatch modules that use the new klp rela sections depending on
the kernel version being worked on. This change uses the two new programs to
either create a patch module that uses dynrelas (create-kpatch-module) or a
patch module that uses klp rela and arch sections + klp symbols marked with the
correct Elf flags (create-klp-module).
For klp patch modules, the --unique flag for ld is needed to prevent
.parainstructions and .altinstructions sections from different objects
from being merged, as arch_klp_init_object_loaded() applies these sections
per-object.
Upstream commit 2992ef29ae01 ("livepatch/module: make TAINT_LIVEPATCH
module-specific") v4.9+ modified the kernel to add the TAINT_LIVEPATCH
flag on module load. To support this feature, add the "livepatch"
module info in the {k,live}patch modules and drop the add_taint() in the
core module.
Some features were backported into the 4.4 kernel which change the fields
of the livepatch structures. Ensure we can work with either v4.5 or greater,
or Ubuntu 4.4.0-7 or greater.
Backport the symbol lookup and checking code from upstream livepatch
code that relies on a symbol position enumeration rather than a fixed
memory address.
Fixes #617.
Support patching objects that have duplicated function names. This feature was
introduced upstream in Linux v4.5.
This patch appends the symbol position to the symbol structure when
lookup_local_symbol is called. This pos variable is then used when creating the
funcs and dynrelas sections. Finally, incorporate sympos into the livepatch
patch hook only if the kernel version is greater than v4.5. In other cases the
older format is used.
Fixes: #493
Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
Fixes issue #494. A null pointer dereference can result with patch
modules for multiple objects since the "vmlinux" patch object's "name"
field is null. strcmp therefore crashes trying to compare object->name
if the current object is vmlinux and the supplied "name" argument is
not. Check that object->name is not null before invoking strcmp.
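Added example (not part of the kpatch source or of the commit message above): a userspace C model of the lookup described for issue #494, with the unchecked comparison beside the NULL-checked form. The struct, the function names and the sample object list are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of a patch object list (not kpatch code). */
struct patch_object {
	const char *name;	/* NULL stands for vmlinux, as in the commit */
};

/* Constructed sample: vmlinux (NULL name) first, then two modules. */
struct patch_object sample_objs[] = { { NULL }, { "ext4" }, { "kvm" } };
#define NOBJS (sizeof(sample_objs) / sizeof(sample_objs[0]))

/*
 * "Before" form: looking up a module name while visiting the vmlinux entry
 * passes a NULL object->name to strcmp(). Kept for comparison, never called.
 */
int find_object_unchecked(const struct patch_object *o, size_t n,
			  const char *name)
{
	for (size_t i = 0; i < n; i++) {
		if (!strcmp(name, "vmlinux") && !o[i].name)
			return (int)i;
		if (!strcmp(o[i].name, name))	/* NULL dereference here */
			return (int)i;
	}
	return -1;
}

/* "After" form: test object->name for NULL before any strcmp() on it. */
int find_object(const struct patch_object *o, size_t n, const char *name)
{
	if (!name)
		return -1;	/* extra guard for the caller's argument */
	for (size_t i = 0; i < n; i++) {
		if (!o[i].name) {
			if (!strcmp(name, "vmlinux"))
				return (int)i;
			continue;	/* vmlinux entry cannot match a module */
		}
		if (!strcmp(o[i].name, name))
			return (int)i;
	}
	return -1;
}

/* Index of the named object in the constructed sample, or -1. */
int sample_lookup(const char *name)
{
	return find_object(sample_objs, NOBJS, name);
}
```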
Adds a new patch module scaffold for use when building against a kernel
with CONFIG_LIVE_PATCHING=y.
Signed-off-by: Seth Jennings <sjenning@redhat.com>