* [PATCH] module: Fix regression introduced by commit: b0d7290e85a5 "module: clean up RO/NX handling."
@ 2016-01-25 11:11 Lothar Waßmann
2016-01-25 23:41 ` Brian Norris
0 siblings, 1 reply; 3+ messages in thread
From: Lothar Waßmann @ 2016-01-25 11:11 UTC (permalink / raw)
To: Rusty Russell, linux-kernel; +Cc: Lothar Waßmann
commit b0d7290e85a5 ("module: clean up RO/NX handling.")
threw away the size checks which were in place before calling the
set_memory_*() functions.
This produces a kernel bug upon module load with
CONFIG_DEBUG_SET_MODULE_RONX=y:
kernel BUG at mm/memory.c:1898!
Internal error: Oops - BUG: 0 [#1] ARM
Modules linked in:
CPU: 0 PID: 825 Comm: modprobe Not tainted 4.4.0-next-20160121+ #53
Hardware name: Freescale MXS (Device Tree)
task: cef6c380 ti: ce93a000 task.ti: ce93a000
PC is at apply_to_page_range+0x190/0x1bc
LR is at change_memory_common+0x74/0xcc
pc : [<c0082d80>] lr : [<c0011ce0>] psr: 60000013
sp : ce93be40 ip : bf011000 fp : bf012000
r10: bf012000 r9 : bf0091d4 r8 : ce93be80
r7 : 00000000 r6 : bf012000 r5 : 00000001 r4 : bf012000
r3 : c0011d38 r2 : 00000000 r1 : bf012000 r0 : c0633458
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 0005317f Table: 4ef0c000 DAC: 00000051
Process modprobe (pid: 825, stack limit = 0xce93a190)
Stack: (0xce93be40 to 0xce93c000)
be40: c0633458 bf012000 00000000 bf012000 00000001 bf012000 00000000 00000080
be60: bf0091d4 ce93bef4 00000000 c0011ce0 ce93be80 00000000 bf0071dc bf0091e4
be80: 00000080 00000000 bf009100 ce93bf48 00000001 bf00910c bf009100 00000000
bea0: bf0091d4 c005d2a0 00000000 cfbd8de0 00000000 00000014 007fb980 00000000
bec0: d0a1d01c bf009250 bf00910c 00000000 d0a19000 b6e4b000 00000f80 755f6f74
bee0: 5f726573 bf007024 00000032 bf0071b4 00000006 00000000 00000000 00000000
bf00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bf20: c005da70 0000306c 00000000 b6e4f06c d0a1d06c ce93a000 007fb980 00000051
bf40: 007fbbd8 c005dae0 d0a0a000 0001306c d0a1c98c d0a13c07 d0a177c8 0000a000
bf60: 0000cbe0 00000000 00000000 00000000 0000002a 0000002b 00000020 00000024
bf80: 00000018 00000000 b6f83228 bec859f8 00000000 00000080 c000a4e4 ce93a000
bfa0: 00000000 c000a340 b6f83228 bec859f8 b6e3c000 0001306c 007fb980 00000000
bfc0: b6f83228 bec859f8 00000000 00000080 007fb980 00000008 00000000 007fbbd8
bfe0: b6f1fa70 bec856c8 0000aab4 b6f1fa80 60000010 b6e3c000 00000000 00000000
[<c0082d80>] (apply_to_page_range) from [<c0011ce0>] (change_memory_common+0x74/0xcc)
[<c0011ce0>] (change_memory_common) from [<c005d2a0>] (load_module+0x16c8/0x1e3c)
[<c005d2a0>] (load_module) from [<c005dae0>] (SyS_init_module+0xcc/0x138)
[<c005dae0>] (SyS_init_module) from [<c000a340>] (ret_fast_syscall+0x0/0x38)
Code: e0834104 eaffffc3 e5191008 eaffffbb (e7f001f2)
---[ end trace fbf287e335e94b28 ]---
This happens because the set_memory_*() functions are eventually being
called with a zero <size> parameter and thus apply_to_page_range() in
mm/memory.c barfs due to:
unsigned long end = addr + size;
...
BUG_ON(addr >= end);
Reinstate the size checks, as they were before the offending commit.
Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
---
kernel/module.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index 8358f46..40d8e42 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1863,8 +1863,9 @@ static void frob_text(const struct module_layout *layout,
{
BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
- set_memory((unsigned long)layout->base,
- layout->text_size >> PAGE_SHIFT);
+ if (layout->text_size)
+ set_memory((unsigned long)layout->base,
+ layout->text_size >> PAGE_SHIFT);
}
static void frob_rodata(const struct module_layout *layout,
@@ -1873,8 +1874,9 @@ static void frob_rodata(const struct module_layout *layout,
BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
- set_memory((unsigned long)layout->base + layout->text_size,
- (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
+ if (layout->ro_size > layout->text_size)
+ set_memory((unsigned long)layout->base + layout->text_size,
+ (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
}
static void frob_writable_data(const struct module_layout *layout,
@@ -1883,8 +1885,9 @@ static void frob_writable_data(const struct module_layout *layout,
BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
BUG_ON((unsigned long)layout->size & (PAGE_SIZE-1));
- set_memory((unsigned long)layout->base + layout->ro_size,
- (layout->size - layout->ro_size) >> PAGE_SHIFT);
+ if (layout->size > layout->ro_size)
+ set_memory((unsigned long)layout->base + layout->ro_size,
+ (layout->size - layout->ro_size) >> PAGE_SHIFT);
}
/* livepatching wants to disable read-only so it can frob module. */
--
2.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: module: Fix regression introduced by commit: b0d7290e85a5 "module: clean up RO/NX handling."
2016-01-25 11:11 [PATCH] module: Fix regression introduced by commit: b0d7290e85a5 "module: clean up RO/NX handling." Lothar Waßmann
@ 2016-01-25 23:41 ` Brian Norris
2016-01-26 8:39 ` Lothar Waßmann
0 siblings, 1 reply; 3+ messages in thread
From: Brian Norris @ 2016-01-25 23:41 UTC (permalink / raw)
To: Lothar Wassmann; +Cc: Rusty Russell, linux-kernel
On Mon, Jan 25, 2016 at 12:11:51PM +0100, Lothar Wassmann wrote:
> commit b0d7290e85a5 ("module: clean up RO/NX handling.")
> threw away the size checks which were in place before calling the
> set_memory_*() functions.
> This produces a kernel bug upon module load with
> CONFIG_DEBUG_SET_MODULE_RONX=y:
>
> kernel BUG at mm/memory.c:1898!
> Internal error: Oops - BUG: 0 [#1] ARM
> Modules linked in:
> CPU: 0 PID: 825 Comm: modprobe Not tainted 4.4.0-next-20160121+ #53
> Hardware name: Freescale MXS (Device Tree)
> task: cef6c380 ti: ce93a000 task.ti: ce93a000
> PC is at apply_to_page_range+0x190/0x1bc
> LR is at change_memory_common+0x74/0xcc
> pc : [<c0082d80>] lr : [<c0011ce0>] psr: 60000013
> sp : ce93be40 ip : bf011000 fp : bf012000
> r10: bf012000 r9 : bf0091d4 r8 : ce93be80
> r7 : 00000000 r6 : bf012000 r5 : 00000001 r4 : bf012000
> r3 : c0011d38 r2 : 00000000 r1 : bf012000 r0 : c0633458
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 0005317f Table: 4ef0c000 DAC: 00000051
> Process modprobe (pid: 825, stack limit = 0xce93a190)
> Stack: (0xce93be40 to 0xce93c000)
> be40: c0633458 bf012000 00000000 bf012000 00000001 bf012000 00000000 00000080
> be60: bf0091d4 ce93bef4 00000000 c0011ce0 ce93be80 00000000 bf0071dc bf0091e4
> be80: 00000080 00000000 bf009100 ce93bf48 00000001 bf00910c bf009100 00000000
> bea0: bf0091d4 c005d2a0 00000000 cfbd8de0 00000000 00000014 007fb980 00000000
> bec0: d0a1d01c bf009250 bf00910c 00000000 d0a19000 b6e4b000 00000f80 755f6f74
> bee0: 5f726573 bf007024 00000032 bf0071b4 00000006 00000000 00000000 00000000
> bf00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> bf20: c005da70 0000306c 00000000 b6e4f06c d0a1d06c ce93a000 007fb980 00000051
> bf40: 007fbbd8 c005dae0 d0a0a000 0001306c d0a1c98c d0a13c07 d0a177c8 0000a000
> bf60: 0000cbe0 00000000 00000000 00000000 0000002a 0000002b 00000020 00000024
> bf80: 00000018 00000000 b6f83228 bec859f8 00000000 00000080 c000a4e4 ce93a000
> bfa0: 00000000 c000a340 b6f83228 bec859f8 b6e3c000 0001306c 007fb980 00000000
> bfc0: b6f83228 bec859f8 00000000 00000080 007fb980 00000008 00000000 007fbbd8
> bfe0: b6f1fa70 bec856c8 0000aab4 b6f1fa80 60000010 b6e3c000 00000000 00000000
> [<c0082d80>] (apply_to_page_range) from [<c0011ce0>] (change_memory_common+0x74/0xcc)
> [<c0011ce0>] (change_memory_common) from [<c005d2a0>] (load_module+0x16c8/0x1e3c)
> [<c005d2a0>] (load_module) from [<c005dae0>] (SyS_init_module+0xcc/0x138)
> [<c005dae0>] (SyS_init_module) from [<c000a340>] (ret_fast_syscall+0x0/0x38)
> Code: e0834104 eaffffc3 e5191008 eaffffbb (e7f001f2)
> ---[ end trace fbf287e335e94b28 ]---
>
> This happens because the set_memory_*() functions are eventually being
> called with a zero <size> parameter and thus apply_to_page_range() in
> mm/memory.c barfs due to:
> unsigned long end = addr + size;
> ...
> BUG_ON(addr >= end);
Hit this BUG_ON() on a mt8173 platform with v4.5-rc1.
> Reinstate the size checks, as they were before the offending commit.
>
> Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
Gets me back to a prompt, so:
Tested-by: Brian Norris <computersforpeace@gmail.com>
> ---
> kernel/module.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 8358f46..40d8e42 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -1863,8 +1863,9 @@ static void frob_text(const struct module_layout *layout,
> {
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base,
> - layout->text_size >> PAGE_SHIFT);
> + if (layout->text_size)
> + set_memory((unsigned long)layout->base,
> + layout->text_size >> PAGE_SHIFT);
> }
>
> static void frob_rodata(const struct module_layout *layout,
> @@ -1873,8 +1874,9 @@ static void frob_rodata(const struct module_layout *layout,
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base + layout->text_size,
> - (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
> + if (layout->ro_size > layout->text_size)
> + set_memory((unsigned long)layout->base + layout->text_size,
> + (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
> }
>
> static void frob_writable_data(const struct module_layout *layout,
> @@ -1883,8 +1885,9 @@ static void frob_writable_data(const struct module_layout *layout,
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base + layout->ro_size,
> - (layout->size - layout->ro_size) >> PAGE_SHIFT);
> + if (layout->size > layout->ro_size)
> + set_memory((unsigned long)layout->base + layout->ro_size,
> + (layout->size - layout->ro_size) >> PAGE_SHIFT);
> }
>
> /* livepatching wants to disable read-only so it can frob module. */
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: module: Fix regression introduced by commit: b0d7290e85a5 "module: clean up RO/NX handling."
2016-01-25 23:41 ` Brian Norris
@ 2016-01-26 8:39 ` Lothar Waßmann
0 siblings, 0 replies; 3+ messages in thread
From: Lothar Waßmann @ 2016-01-26 8:39 UTC (permalink / raw)
To: Brian Norris; +Cc: Rusty Russell, linux-kernel
Hi,
On Mon, 25 Jan 2016 15:41:08 -0800 Brian Norris wrote:
> On Mon, Jan 25, 2016 at 12:11:51PM +0100, Lothar Wassmann wrote:
> > commit b0d7290e85a5 ("module: clean up RO/NX handling.")
> > threw away the size checks which were in place before calling the
> > set_memory_*() functions.
> > This produces a kernel bug upon module load with
> > CONFIG_DEBUG_SET_MODULE_RONX=y:
> >
> > kernel BUG at mm/memory.c:1898!
> > Internal error: Oops - BUG: 0 [#1] ARM
> > Modules linked in:
> > CPU: 0 PID: 825 Comm: modprobe Not tainted 4.4.0-next-20160121+ #53
> > Hardware name: Freescale MXS (Device Tree)
> > task: cef6c380 ti: ce93a000 task.ti: ce93a000
> > PC is at apply_to_page_range+0x190/0x1bc
> > LR is at change_memory_common+0x74/0xcc
> > pc : [<c0082d80>] lr : [<c0011ce0>] psr: 60000013
> > sp : ce93be40 ip : bf011000 fp : bf012000
> > r10: bf012000 r9 : bf0091d4 r8 : ce93be80
> > r7 : 00000000 r6 : bf012000 r5 : 00000001 r4 : bf012000
> > r3 : c0011d38 r2 : 00000000 r1 : bf012000 r0 : c0633458
> > Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> > Control: 0005317f Table: 4ef0c000 DAC: 00000051
> > Process modprobe (pid: 825, stack limit = 0xce93a190)
> > Stack: (0xce93be40 to 0xce93c000)
> > be40: c0633458 bf012000 00000000 bf012000 00000001 bf012000 00000000 00000080
> > be60: bf0091d4 ce93bef4 00000000 c0011ce0 ce93be80 00000000 bf0071dc bf0091e4
> > be80: 00000080 00000000 bf009100 ce93bf48 00000001 bf00910c bf009100 00000000
> > bea0: bf0091d4 c005d2a0 00000000 cfbd8de0 00000000 00000014 007fb980 00000000
> > bec0: d0a1d01c bf009250 bf00910c 00000000 d0a19000 b6e4b000 00000f80 755f6f74
> > bee0: 5f726573 bf007024 00000032 bf0071b4 00000006 00000000 00000000 00000000
> > bf00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> > bf20: c005da70 0000306c 00000000 b6e4f06c d0a1d06c ce93a000 007fb980 00000051
> > bf40: 007fbbd8 c005dae0 d0a0a000 0001306c d0a1c98c d0a13c07 d0a177c8 0000a000
> > bf60: 0000cbe0 00000000 00000000 00000000 0000002a 0000002b 00000020 00000024
> > bf80: 00000018 00000000 b6f83228 bec859f8 00000000 00000080 c000a4e4 ce93a000
> > bfa0: 00000000 c000a340 b6f83228 bec859f8 b6e3c000 0001306c 007fb980 00000000
> > bfc0: b6f83228 bec859f8 00000000 00000080 007fb980 00000008 00000000 007fbbd8
> > bfe0: b6f1fa70 bec856c8 0000aab4 b6f1fa80 60000010 b6e3c000 00000000 00000000
> > [<c0082d80>] (apply_to_page_range) from [<c0011ce0>] (change_memory_common+0x74/0xcc)
> > [<c0011ce0>] (change_memory_common) from [<c005d2a0>] (load_module+0x16c8/0x1e3c)
> > [<c005d2a0>] (load_module) from [<c005dae0>] (SyS_init_module+0xcc/0x138)
> > [<c005dae0>] (SyS_init_module) from [<c000a340>] (ret_fast_syscall+0x0/0x38)
> > Code: e0834104 eaffffc3 e5191008 eaffffbb (e7f001f2)
> > ---[ end trace fbf287e335e94b28 ]---
> >
> > This happens because the set_memory_*() functions are eventually being
> > called with a zero <size> parameter and thus apply_to_page_range() in
> > mm/memory.c barfs due to:
> > unsigned long end = addr + size;
> > ...
> > BUG_ON(addr >= end);
>
> Hit this BUG_ON() on a mt8173 platform with v4.5-rc1.
>
I just found a patch that fixes this problem in a different way (making
the set_memory_*() functions accept a zero size argument):
<1453561543-14756-1-git-send-email-mika.penttila@nextfour.com>
http://lkml.iu.edu/hypermail/linux/kernel/1601.2/04934.html
So this patch is obsolete.
Lothar Waßmann
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-01-26 8:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-25 11:11 [PATCH] module: Fix regression introduced by commit: b0d7290e85a5 "module: clean up RO/NX handling." Lothar Waßmann
2016-01-25 23:41 ` Brian Norris
2016-01-26 8:39 ` Lothar Waßmann
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.