* a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? @ 2019-08-26 21:22 Nick Desaulniers 2019-08-26 22:57 ` Nick Desaulniers 0 siblings, 1 reply; 12+ messages in thread From: Nick Desaulniers @ 2019-08-26 21:22 UTC (permalink / raw) To: Ard Biesheuvel, Masahiro Yamada, Linus Torvalds, Greg KH, Will Deacon, Arnd Bergmann, Michal Marek Cc: LKML I'm looking into a linkage failure for one of our device kernels, and it seems that genksyms isn't producing a hash value correctly for aggregate definitions that contain __attribute__s like __attribute__((packed)). Example: $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d Defn for struct foo == <struct foo { int bar ; } > Hash table occupancy 1/4096 = 0.000244141 $ echo 'struct __attribute__((packed)) foo { int bar; };' | ./scripts/genksyms/genksyms -d Hash table occupancy 0/4096 = 0 I assume the __attribute__ part isn't being parsed correctly (looks like genksyms is a lex/yacc based C parser). The issue we have in our out of tree driver (*sadface*) is basically a EXPORT_SYMBOL'd function whose signature contains a packed struct. Theoretically, there should be nothing wrong with exporting a function that requires packed structs, and this is just a bug in the lex/yacc based parser, right? I assume that not having CONFIG_MODVERSIONS coverage of packed structs in particular could lead to potentially not-fun bugs? Or is using packed structs in exported function symbols with CONFIG_MODVERSIONS forbidden in some documentation somewhere I missed? -- Thanks, ~Nick Desaulniers ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-26 21:22 a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? Nick Desaulniers @ 2019-08-26 22:57 ` Nick Desaulniers 2019-08-27 9:58 ` Nicholas Piggin 0 siblings, 1 reply; 12+ messages in thread From: Nick Desaulniers @ 2019-08-26 22:57 UTC (permalink / raw) To: Ard Biesheuvel, Masahiro Yamada, Linus Torvalds, Greg KH, Will Deacon, Arnd Bergmann, Michal Marek, Nicholas Piggin Cc: LKML On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers <ndesaulniers@google.com> wrote: > > I'm looking into a linkage failure for one of our device kernels, and > it seems that genksyms isn't producing a hash value correctly for > aggregate definitions that contain __attribute__s like > __attribute__((packed)). > > Example: > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d > Defn for struct foo == <struct foo { int bar ; } > > Hash table occupancy 1/4096 = 0.000244141 > $ echo 'struct __attribute__((packed)) foo { int bar; };' | > ./scripts/genksyms/genksyms -d > Hash table occupancy 0/4096 = 0 > > I assume the __attribute__ part isn't being parsed correctly (looks > like genksyms is a lex/yacc based C parser). > > The issue we have in our out of tree driver (*sadface*) is basically a > EXPORT_SYMBOL'd function whose signature contains a packed struct. > > Theoretically, there should be nothing wrong with exporting a function > that requires packed structs, and this is just a bug in the lex/yacc > based parser, right? I assume that not having CONFIG_MODVERSIONS > coverage of packed structs in particular could lead to potentially > not-fun bugs? Or is using packed structs in exported function symbols > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I > missed? Ah, looks like I'm late to the party: https://lwn.net/Articles/707520/ -- Thanks, ~Nick Desaulniers ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-26 22:57 ` Nick Desaulniers @ 2019-08-27 9:58 ` Nicholas Piggin 2019-08-27 10:49 ` Masahiro Yamada 0 siblings, 1 reply; 12+ messages in thread From: Nicholas Piggin @ 2019-08-27 9:58 UTC (permalink / raw) To: Ard Biesheuvel, Arnd Bergmann, Greg KH, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon, Masahiro Yamada Cc: LKML Nick Desaulniers's on August 27, 2019 8:57 am: > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers > <ndesaulniers@google.com> wrote: >> >> I'm looking into a linkage failure for one of our device kernels, and >> it seems that genksyms isn't producing a hash value correctly for >> aggregate definitions that contain __attribute__s like >> __attribute__((packed)). >> >> Example: >> $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d >> Defn for struct foo == <struct foo { int bar ; } > >> Hash table occupancy 1/4096 = 0.000244141 >> $ echo 'struct __attribute__((packed)) foo { int bar; };' | >> ./scripts/genksyms/genksyms -d >> Hash table occupancy 0/4096 = 0 >> >> I assume the __attribute__ part isn't being parsed correctly (looks >> like genksyms is a lex/yacc based C parser). >> >> The issue we have in our out of tree driver (*sadface*) is basically a >> EXPORT_SYMBOL'd function whose signature contains a packed struct. >> >> Theoretically, there should be nothing wrong with exporting a function >> that requires packed structs, and this is just a bug in the lex/yacc >> based parser, right? I assume that not having CONFIG_MODVERSIONS >> coverage of packed structs in particular could lead to potentially >> not-fun bugs? Or is using packed structs in exported function symbols >> with CONFIG_MODVERSIONS forbidden in some documentation somewhere I >> missed? > > Ah, looks like I'm late to the party: > https://lwn.net/Articles/707520/ Yeah, would be nice to do something about this. IIRC (without re-reading it all), in theory distros would be okay without modversions if they could just provide their own explicit versioning. They take care about ABIs, so they can version things carefully if they had to change. I think we left that on hold because some of the bigger distros were heading into releases and we didn't care to cause pain. I wonder if we could try again. What's your requirement for versioning? Thanks, Nick ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 9:58 ` Nicholas Piggin @ 2019-08-27 10:49 ` Masahiro Yamada 2019-08-27 12:42 ` Nicholas Piggin 0 siblings, 1 reply; 12+ messages in thread From: Masahiro Yamada @ 2019-08-27 10:49 UTC (permalink / raw) To: Nicholas Piggin Cc: Ard Biesheuvel, Arnd Bergmann, Greg KH, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon, LKML, Ben Hutchings Hi. On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: > > Nick Desaulniers's on August 27, 2019 8:57 am: > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers > > <ndesaulniers@google.com> wrote: > >> > >> I'm looking into a linkage failure for one of our device kernels, and > >> it seems that genksyms isn't producing a hash value correctly for > >> aggregate definitions that contain __attribute__s like > >> __attribute__((packed)). > >> > >> Example: > >> $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d > >> Defn for struct foo == <struct foo { int bar ; } > > >> Hash table occupancy 1/4096 = 0.000244141 > >> $ echo 'struct __attribute__((packed)) foo { int bar; };' | > >> ./scripts/genksyms/genksyms -d > >> Hash table occupancy 0/4096 = 0 > >> > >> I assume the __attribute__ part isn't being parsed correctly (looks > >> like genksyms is a lex/yacc based C parser). > >> > >> The issue we have in our out of tree driver (*sadface*) is basically a > >> EXPORT_SYMBOL'd function whose signature contains a packed struct. > >> > >> Theoretically, there should be nothing wrong with exporting a function > >> that requires packed structs, and this is just a bug in the lex/yacc > >> based parser, right? I assume that not having CONFIG_MODVERSIONS > >> coverage of packed structs in particular could lead to potentially > >> not-fun bugs? Or is using packed structs in exported function symbols > >> with CONFIG_MODVERSIONS forbidden in some documentation somewhere I > >> missed? > > > > Ah, looks like I'm late to the party: > > https://lwn.net/Articles/707520/ > > Yeah, would be nice to do something about this. modversions is ugly, so it would be great if we could dump it. > IIRC (without re-reading it all), in theory distros would be okay > without modversions if they could just provide their own explicit > versioning. They take care about ABIs, so they can version things > carefully if they had to change. We have not provided any alternative solution for this, haven't we? In your patch (https://lwn.net/Articles/707729/), you proposed CONFIG_MODULE_ABI_EXPLICIT. If it is good enough for distros, we merge it first, give them time to migrate over to it, then finally remove modversions?? > I think we left that on hold because some of the bigger distros were > heading into releases and we didn't care to cause pain. I wonder if > we could try again. I agree. > > What's your requirement for versioning? I added Ben Hutchings to CC. > > Thanks, > Nick -- Best Regards Masahiro Yamada ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 10:49 ` Masahiro Yamada @ 2019-08-27 12:42 ` Nicholas Piggin 2019-08-27 15:34 ` Ben Hutchings 0 siblings, 1 reply; 12+ messages in thread From: Nicholas Piggin @ 2019-08-27 12:42 UTC (permalink / raw) To: Masahiro Yamada Cc: Ard Biesheuvel, Arnd Bergmann, Ben Hutchings, Greg KH, LKML, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon Masahiro Yamada's on August 27, 2019 8:49 pm: > Hi. > > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: >> >> Nick Desaulniers's on August 27, 2019 8:57 am: >> > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers >> > <ndesaulniers@google.com> wrote: >> >> >> >> I'm looking into a linkage failure for one of our device kernels, and >> >> it seems that genksyms isn't producing a hash value correctly for >> >> aggregate definitions that contain __attribute__s like >> >> __attribute__((packed)). >> >> >> >> Example: >> >> $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d >> >> Defn for struct foo == <struct foo { int bar ; } > >> >> Hash table occupancy 1/4096 = 0.000244141 >> >> $ echo 'struct __attribute__((packed)) foo { int bar; };' | >> >> ./scripts/genksyms/genksyms -d >> >> Hash table occupancy 0/4096 = 0 >> >> >> >> I assume the __attribute__ part isn't being parsed correctly (looks >> >> like genksyms is a lex/yacc based C parser). >> >> >> >> The issue we have in our out of tree driver (*sadface*) is basically a >> >> EXPORT_SYMBOL'd function whose signature contains a packed struct. >> >> >> >> Theoretically, there should be nothing wrong with exporting a function >> >> that requires packed structs, and this is just a bug in the lex/yacc >> >> based parser, right? I assume that not having CONFIG_MODVERSIONS >> >> coverage of packed structs in particular could lead to potentially >> >> not-fun bugs? Or is using packed structs in exported function symbols >> >> with CONFIG_MODVERSIONS forbidden in some documentation somewhere I >> >> missed? >> > >> > Ah, looks like I'm late to the party: >> > https://lwn.net/Articles/707520/ >> >> Yeah, would be nice to do something about this. > > modversions is ugly, so it would be great if we could dump it. > >> IIRC (without re-reading it all), in theory distros would be okay >> without modversions if they could just provide their own explicit >> versioning. They take care about ABIs, so they can version things >> carefully if they had to change. > > We have not provided any alternative solution for this, haven't we? > > In your patch (https://lwn.net/Articles/707729/), > you proposed CONFIG_MODULE_ABI_EXPLICIT. Right, that was just my first proposal, but I am not confident that I understood everybody's requirements. I don't think the distro people had much time to to test things out. One possible shortcoming with that patch is no per-symbol version. The distro may break an ABI for a security fix, but they don't want to break all out of tree modules if it's an obscure ABI. The counter argument to that is they should just rename the symbol in their kernel for such cases, so I didn't implement it without somebody describing a good requirement. > If it is good enough for distros, we merge it first, > give them time to migrate over to it, then finally remove modversions?? I guess. Do we really need to merge and wait? If they _really_ want it, and won't put in effort to convert their kernel packaging, then they can carry the patch and support it quite easily. The code doesn't change frequently so it should not be a big roadblock I'm more concerned about developer and hobbyists etc who don't have the resources. But IIRC we are satisfied that git version has superseded the benefits of modversions for that case now. Thanks, Nick ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 12:42 ` Nicholas Piggin @ 2019-08-27 15:34 ` Ben Hutchings 2019-08-27 17:09 ` Greg KH 2019-08-28 2:25 ` Nicholas Piggin 0 siblings, 2 replies; 12+ messages in thread From: Ben Hutchings @ 2019-08-27 15:34 UTC (permalink / raw) To: Nicholas Piggin, Masahiro Yamada Cc: Ard Biesheuvel, Arnd Bergmann, Greg KH, LKML, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon, Debian kernel maintainers [-- Attachment #1: Type: text/plain, Size: 4746 bytes --] On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: > Masahiro Yamada's on August 27, 2019 8:49 pm: > > Hi. > > > > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: > > > Nick Desaulniers's on August 27, 2019 8:57 am: > > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers > > > > <ndesaulniers@google.com> wrote: > > > > > I'm looking into a linkage failure for one of our device kernels, and > > > > > it seems that genksyms isn't producing a hash value correctly for > > > > > aggregate definitions that contain __attribute__s like > > > > > __attribute__((packed)). > > > > > > > > > > Example: > > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d > > > > > Defn for struct foo == <struct foo { int bar ; } > > > > > > Hash table occupancy 1/4096 = 0.000244141 > > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' | > > > > > ./scripts/genksyms/genksyms -d > > > > > Hash table occupancy 0/4096 = 0 > > > > > > > > > > I assume the __attribute__ part isn't being parsed correctly (looks > > > > > like genksyms is a lex/yacc based C parser). > > > > > > > > > > The issue we have in our out of tree driver (*sadface*) is basically a > > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct. > > > > > > > > > > Theoretically, there should be nothing wrong with exporting a function > > > > > that requires packed structs, and this is just a bug in the lex/yacc > > > > > based parser, right? I assume that not having CONFIG_MODVERSIONS > > > > > coverage of packed structs in particular could lead to potentially > > > > > not-fun bugs? Or is using packed structs in exported function symbols > > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I > > > > > missed? > > > > > > > > Ah, looks like I'm late to the party: > > > > https://lwn.net/Articles/707520/ > > > > > > Yeah, would be nice to do something about this. > > > > modversions is ugly, so it would be great if we could dump it. > > > > > IIRC (without re-reading it all), in theory distros would be okay > > > without modversions if they could just provide their own explicit > > > versioning. They take care about ABIs, so they can version things > > > carefully if they had to change. Debian doesn't currently have any other way of detecting ABI changes (other than eyeballing diffs). I know there have been proposals of using libabigail for this instead, but I'm not sure how far those progressed. > > We have not provided any alternative solution for this, haven't we? > > > > In your patch (https://lwn.net/Articles/707729/), > > you proposed CONFIG_MODULE_ABI_EXPLICIT. > > Right, that was just my first proposal, but I am not confident that I > understood everybody's requirements. I don't think the distro people > had much time to to test things out. > > One possible shortcoming with that patch is no per-symbol version. The > distro may break an ABI for a security fix, but they don't want to break > all out of tree modules if it's an obscure ABI. Right, for example the KVM kABI is only meant for in-tree modules (like kvm_intel) and in Debian we do not change the "ABI version" and require rebuilding out-of-tree modules just because that ABI changes. Currently we maintain explicit lists of exported symbols and exporting modules for which we ignore ABI changes at build time. > The counter argument to > that is they should just rename the symbol in their kernel for such > cases, so I didn't implement it without somebody describing a good > requirement. [...] Sometimes it is just a single function that changes, but often a structure change can affect large numbers of functions. For example, if KVM adds a member to an operations struct that can indirectly change the ABI for most of its exported functions. We wouldn't want to change the ABI version but would still want to prevent loading mismatched kvm and kvm_intel versions. It would be a lot more work to change all of the affected function names. An alternative to symbol version matching that I think would work for us is: if a module's exports or imports match the "changes ignored" list then the module can only be loaded on the exact version of the kernel, otherwise it only needs to match the ABI version. I think that would avoid the need for carrying symbol versions, but we would still need a build-time ABI check and a way of flagging which symbols need the tighter version match. Ben. -- Ben Hutchings I'm always amazed by the number of people who take up solipsism because they heard someone else explain it. - E*Borg on alt.fan.pratchett [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 15:34 ` Ben Hutchings @ 2019-08-27 17:09 ` Greg KH 2019-08-27 21:11 ` Ben Hutchings 2019-08-28 2:25 ` Nicholas Piggin 1 sibling, 1 reply; 12+ messages in thread From: Greg KH @ 2019-08-27 17:09 UTC (permalink / raw) To: Ben Hutchings Cc: Nicholas Piggin, Masahiro Yamada, Ard Biesheuvel, Arnd Bergmann, LKML, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon, Debian kernel maintainers On Tue, Aug 27, 2019 at 04:34:15PM +0100, Ben Hutchings wrote: > On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: > > Masahiro Yamada's on August 27, 2019 8:49 pm: > > > Hi. > > > > > > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: > > > > Nick Desaulniers's on August 27, 2019 8:57 am: > > > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers > > > > > <ndesaulniers@google.com> wrote: > > > > > > I'm looking into a linkage failure for one of our device kernels, and > > > > > > it seems that genksyms isn't producing a hash value correctly for > > > > > > aggregate definitions that contain __attribute__s like > > > > > > __attribute__((packed)). > > > > > > > > > > > > Example: > > > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d > > > > > > Defn for struct foo == <struct foo { int bar ; } > > > > > > > Hash table occupancy 1/4096 = 0.000244141 > > > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' | > > > > > > ./scripts/genksyms/genksyms -d > > > > > > Hash table occupancy 0/4096 = 0 > > > > > > > > > > > > I assume the __attribute__ part isn't being parsed correctly (looks > > > > > > like genksyms is a lex/yacc based C parser). > > > > > > > > > > > > The issue we have in our out of tree driver (*sadface*) is basically a > > > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct. > > > > > > > > > > > > Theoretically, there should be nothing wrong with exporting a function > > > > > > that requires packed structs, and this is just a bug in the lex/yacc > > > > > > based parser, right? I assume that not having CONFIG_MODVERSIONS > > > > > > coverage of packed structs in particular could lead to potentially > > > > > > not-fun bugs? Or is using packed structs in exported function symbols > > > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I > > > > > > missed? > > > > > > > > > > Ah, looks like I'm late to the party: > > > > > https://lwn.net/Articles/707520/ > > > > > > > > Yeah, would be nice to do something about this. > > > > > > modversions is ugly, so it would be great if we could dump it. > > > > > > > IIRC (without re-reading it all), in theory distros would be okay > > > > without modversions if they could just provide their own explicit > > > > versioning. They take care about ABIs, so they can version things > > > > carefully if they had to change. > > Debian doesn't currently have any other way of detecting ABI changes > (other than eyeballing diffs). > > I know there have been proposals of using libabigail for this instead, > but I'm not sure how far those progressed. Google has started using libabigail to track api changes in AOSP, here's a patch that updates the ABI file after changing it: https://android-review.googlesource.com/c/kernel/common/+/1108662 Note, there are issues with it, and some rough edges, but I think it can work. But, it means nothing at module load time, this is only at build-check time. At least modversions would prevent module loading in some cases. thanks, greg k-h ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 17:09 ` Greg KH @ 2019-08-27 21:11 ` Ben Hutchings 0 siblings, 0 replies; 12+ messages in thread From: Ben Hutchings @ 2019-08-27 21:11 UTC (permalink / raw) To: Greg KH Cc: Nicholas Piggin, Masahiro Yamada, Ard Biesheuvel, Arnd Bergmann, LKML, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon, Debian kernel maintainers [-- Attachment #1: Type: text/plain, Size: 1637 bytes --] On Tue, 2019-08-27 at 19:09 +0200, Greg KH wrote: > On Tue, Aug 27, 2019 at 04:34:15PM +0100, Ben Hutchings wrote: > > On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: > > > Masahiro Yamada's on August 27, 2019 8:49 pm: [...] > > > > modversions is ugly, so it would be great if we could dump it. > > > > > > > > > IIRC (without re-reading it all), in theory distros would be okay > > > > > without modversions if they could just provide their own explicit > > > > > versioning. They take care about ABIs, so they can version things > > > > > carefully if they had to change. > > > > Debian doesn't currently have any other way of detecting ABI changes > > (other than eyeballing diffs). > > > > I know there have been proposals of using libabigail for this instead, > > but I'm not sure how far those progressed. > > Google has started using libabigail to track api changes in AOSP, here's > a patch that updates the ABI file after changing it: > https://android-review.googlesource.com/c/kernel/common/+/1108662 > > Note, there are issues with it, and some rough edges, but I think it can > work. Thanks for the pointer. > But, it means nothing at module load time, this is only at build-check > time. At least modversions would prevent module loading in some cases. Right, but I *think* that would be enough if we could mark modules for strict (exact version) or loose ("ABI version") matching as I outlined. Ben. -- Ben Hutchings I'm always amazed by the number of people who take up solipsism because they heard someone else explain it. - E*Borg on alt.fan.pratchett [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-27 15:34 ` Ben Hutchings 2019-08-27 17:09 ` Greg KH @ 2019-08-28 2:25 ` Nicholas Piggin 2019-08-28 17:17 ` Nick Desaulniers 1 sibling, 1 reply; 12+ messages in thread From: Nicholas Piggin @ 2019-08-28 2:25 UTC (permalink / raw) To: Ben Hutchings, Masahiro Yamada Cc: Ard Biesheuvel, Arnd Bergmann, Debian kernel maintainers, Greg KH, LKML, Michal Marek, Nick Desaulniers, Linus Torvalds, Will Deacon Ben Hutchings's on August 28, 2019 1:34 am: > On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: >> Masahiro Yamada's on August 27, 2019 8:49 pm: >> > Hi. >> > >> > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: >> > > Nick Desaulniers's on August 27, 2019 8:57 am: >> > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers >> > > > <ndesaulniers@google.com> wrote: >> > > > > I'm looking into a linkage failure for one of our device kernels, and >> > > > > it seems that genksyms isn't producing a hash value correctly for >> > > > > aggregate definitions that contain __attribute__s like >> > > > > __attribute__((packed)). >> > > > > >> > > > > Example: >> > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d >> > > > > Defn for struct foo == <struct foo { int bar ; } > >> > > > > Hash table occupancy 1/4096 = 0.000244141 >> > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' | >> > > > > ./scripts/genksyms/genksyms -d >> > > > > Hash table occupancy 0/4096 = 0 >> > > > > >> > > > > I assume the __attribute__ part isn't being parsed correctly (looks >> > > > > like genksyms is a lex/yacc based C parser). >> > > > > >> > > > > The issue we have in our out of tree driver (*sadface*) is basically a >> > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct. >> > > > > >> > > > > Theoretically, there should be nothing wrong with exporting a function >> > > > > that requires packed structs, and this is just a bug in the lex/yacc >> > > > > based parser, right? I assume that not having CONFIG_MODVERSIONS >> > > > > coverage of packed structs in particular could lead to potentially >> > > > > not-fun bugs? Or is using packed structs in exported function symbols >> > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I >> > > > > missed? >> > > > >> > > > Ah, looks like I'm late to the party: >> > > > https://lwn.net/Articles/707520/ >> > > >> > > Yeah, would be nice to do something about this. >> > >> > modversions is ugly, so it would be great if we could dump it. >> > >> > > IIRC (without re-reading it all), in theory distros would be okay >> > > without modversions if they could just provide their own explicit >> > > versioning. They take care about ABIs, so they can version things >> > > carefully if they had to change. > > Debian doesn't currently have any other way of detecting ABI changes > (other than eyeballing diffs). > > I know there have been proposals of using libabigail for this instead, > but I'm not sure how far those progressed. > >> > We have not provided any alternative solution for this, haven't we? >> > >> > In your patch (https://lwn.net/Articles/707729/), >> > you proposed CONFIG_MODULE_ABI_EXPLICIT. >> >> Right, that was just my first proposal, but I am not confident that I >> understood everybody's requirements. I don't think the distro people >> had much time to to test things out. >> >> One possible shortcoming with that patch is no per-symbol version. The >> distro may break an ABI for a security fix, but they don't want to break >> all out of tree modules if it's an obscure ABI. > > Right, for example the KVM kABI is only meant for in-tree modules (like > kvm_intel) and in Debian we do not change the "ABI version" and require > rebuilding out-of-tree modules just because that ABI changes. > Currently we maintain explicit lists of exported symbols and exporting > modules for which we ignore ABI changes at build time. > >> The counter argument to >> that is they should just rename the symbol in their kernel for such >> cases, so I didn't implement it without somebody describing a good >> requirement. > [...] > > Sometimes it is just a single function that changes, but often a > structure change can affect large numbers of functions. For example, > if KVM adds a member to an operations struct that can indirectly change > the ABI for most of its exported functions. We wouldn't want to change > the ABI version but would still want to prevent loading mismatched kvm > and kvm_intel versions. It would be a lot more work to change all of > the affected function names. You could change just a single symbol name though :) > An alternative to symbol version matching that I think would work for > us is: if a module's exports or imports match the "changes ignored" > list then the module can only be loaded on the exact version of the > kernel, otherwise it only needs to match the ABI version. I think that > would avoid the need for carrying symbol versions, but we would still > need a build-time ABI check and a way of flagging which symbols need > the tighter version match. Just trying to think how best to express that. [ Aside, the whole symbol name resolution linking stuff does matching on on any number of ~arbitrary strings that you can generate as you like, and symbol tables are something that all existing tools and libs understand. So I strongly favour using that as the back end for our "version" resolution system _if at all possible_ rather than adding these extra bits of crud that really just do the same thing. At least for a first pass, I don't want to over-engineer things. Then it hopefully becomes a matter of adding some helper macros and build facilities on top of that which can contain everyone's requirements mostly within .config and perhaps a very small patch. A bit more work with preprocessor macros etc is far preferable to linking and loading "features" IMO] Back to your case, is it sufficient to have just an internal and an external module version where the kernel provides both and your in-tree modules match on the internal, others match on external? Thanks, Nick ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-28 2:25 ` Nicholas Piggin @ 2019-08-28 17:17 ` Nick Desaulniers 2019-08-28 21:42 ` Matthias Maennich 0 siblings, 1 reply; 12+ messages in thread From: Nick Desaulniers @ 2019-08-28 17:17 UTC (permalink / raw) To: Nicholas Piggin Cc: Ben Hutchings, Masahiro Yamada, Ard Biesheuvel, Arnd Bergmann, Debian kernel maintainers, Greg KH, LKML, Michal Marek, Linus Torvalds, Will Deacon, Sandeep Patil, Matthias Männich, Steve Muckle, Alessio Balsini, Stephen Hines On Tue, Aug 27, 2019 at 7:26 PM Nicholas Piggin <npiggin@gmail.com> wrote: > > Ben Hutchings's on August 28, 2019 1:34 am: > > On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: > >> Masahiro Yamada's on August 27, 2019 8:49 pm: > >> > Hi. > >> > > >> > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: > >> > > Nick Desaulniers's on August 27, 2019 8:57 am: > >> > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers > >> > > > <ndesaulniers@google.com> wrote: > >> > > > > I'm looking into a linkage failure for one of our device kernels, and > >> > > > > it seems that genksyms isn't producing a hash value correctly for > >> > > > > aggregate definitions that contain __attribute__s like > >> > > > > __attribute__((packed)). > >> > > > > > >> > > > > Example: > >> > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d > >> > > > > Defn for struct foo == <struct foo { int bar ; } > > >> > > > > Hash table occupancy 1/4096 = 0.000244141 > >> > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' | > >> > > > > ./scripts/genksyms/genksyms -d > >> > > > > Hash table occupancy 0/4096 = 0 > >> > > > > > >> > > > > I assume the __attribute__ part isn't being parsed correctly (looks > >> > > > > like genksyms is a lex/yacc based C parser). > >> > > > > > >> > > > > The issue we have in our out of tree driver (*sadface*) is basically a > >> > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct. > >> > > > > > >> > > > > Theoretically, there should be nothing wrong with exporting a function > >> > > > > that requires packed structs, and this is just a bug in the lex/yacc > >> > > > > based parser, right? I assume that not having CONFIG_MODVERSIONS > >> > > > > coverage of packed structs in particular could lead to potentially > >> > > > > not-fun bugs? Or is using packed structs in exported function symbols > >> > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I > >> > > > > missed? > >> > > > > >> > > > Ah, looks like I'm late to the party: > >> > > > https://lwn.net/Articles/707520/ > >> > > > >> > > Yeah, would be nice to do something about this. > >> > > >> > modversions is ugly, so it would be great if we could dump it. > >> > > >> > > IIRC (without re-reading it all), in theory distros would be okay > >> > > without modversions if they could just provide their own explicit > >> > > versioning. They take care about ABIs, so they can version things > >> > > carefully if they had to change. > > > > Debian doesn't currently have any other way of detecting ABI changes > > (other than eyeballing diffs). > > > > I know there have been proposals of using libabigail for this instead, > > but I'm not sure how far those progressed. > > > >> > We have not provided any alternative solution for this, haven't we? > >> > > >> > In your patch (https://lwn.net/Articles/707729/), > >> > you proposed CONFIG_MODULE_ABI_EXPLICIT. > >> > >> Right, that was just my first proposal, but I am not confident that I > >> understood everybody's requirements. I don't think the distro people > >> had much time to to test things out. > >> > >> One possible shortcoming with that patch is no per-symbol version. The > >> distro may break an ABI for a security fix, but they don't want to break > >> all out of tree modules if it's an obscure ABI. > > > > Right, for example the KVM kABI is only meant for in-tree modules (like > > kvm_intel) and in Debian we do not change the "ABI version" and require > > rebuilding out-of-tree modules just because that ABI changes. > > Currently we maintain explicit lists of exported symbols and exporting > > modules for which we ignore ABI changes at build time. > > > >> The counter argument to > >> that is they should just rename the symbol in their kernel for such > >> cases, so I didn't implement it without somebody describing a good > >> requirement. > > [...] > > > > Sometimes it is just a single function that changes, but often a > > structure change can affect large numbers of functions. For example, > > if KVM adds a member to an operations struct that can indirectly change > > the ABI for most of its exported functions. We wouldn't want to change > > the ABI version but would still want to prevent loading mismatched kvm > > and kvm_intel versions. It would be a lot more work to change all of > > the affected function names. > > You could change just a single symbol name though :) > > > An alternative to symbol version matching that I think would work for > > us is: if a module's exports or imports match the "changes ignored" > > list then the module can only be loaded on the exact version of the > > kernel, otherwise it only needs to match the ABI version. I think that > > would avoid the need for carrying symbol versions, but we would still > > need a build-time ABI check and a way of flagging which symbols need > > the tighter version match. > > Just trying to think how best to express that. > > [ Aside, the whole symbol name resolution linking stuff does matching on > on any number of ~arbitrary strings that you can generate as you like, > and symbol tables are something that all existing tools and libs > understand. > > So I strongly favour using that as the back end for our "version" > resolution system _if at all possible_ rather than adding these extra > bits of crud that really just do the same thing. At least for a first > pass, I don't want to over-engineer things. > > Then it hopefully becomes a matter of adding some helper macros and > build facilities on top of that which can contain everyone's > requirements mostly within .config and perhaps a very small patch. > A bit more work with preprocessor macros etc is far preferable to > linking and loading "features" IMO] > > Back to your case, is it sufficient to have just an internal and an > external module version where the kernel provides both and your in-tree > modules match on the internal, others match on external? > > Thanks, > Nick > + some Android folks who are looking into libabigail (root thread for context: https://lore.kernel.org/lkml/CAKwvOdnJAApaUhTQs7w_VjSeYBQa0c-TNxRB4xPLi0Y0sOQMMQ@mail.gmail.com/) I'm only roughly aware of their issue/work, but hopefully they can collaborate and add their insights to a list of requirements we could collect, for any kind of replacement to CONFIG_MODVERSIONS/genksyms. I'm not sure if they were planning on presenting this work at Linux Plumber's Conference coming up or not, but I hope so. Hopefully that work will be a general solution for all kernel developers and distros, not just Android. This issue is now blocking my compiler upgrade, so I'm going to focus on just fixing the yacc based parser to understand __attribute__'s on struct/enum/union declarations. Speaking with Arnd about this issue, he came up with the test case: $ echo 'struct __attribute__((packed)) foo { char bar; int baz; };' | ./scripts/genksyms/genksyms -d Hash table occupancy 0/4096 = 0 $ echo 'struct __attribute__((packed)) foo { char bar; };' | ./scripts/genksyms/genksyms -d Hash table occupancy 0/4096 = 0 The implication being that because attributes don't parse correctly, these symbols get a hash value of 0x00 in Module.symvers, meaning we currently can't detect size changes of packed structs (or any other attribute-qualified type) and happily proceed loading modules with different ABIs than the kernel. I'll probably add some kind of script for unit tests for genksyms, too. Feels like overkill for something known to be broken where active replacements are being discussed, but it's blocking my compiler upgrade for our products, so I'm just going to fix it for now. -- Thanks, ~Nick Desaulniers ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? 2019-08-28 17:17 ` Nick Desaulniers @ 2019-08-28 21:42 ` Matthias Maennich 0 siblings, 0 replies; 12+ messages in thread From: Matthias Maennich @ 2019-08-28 21:42 UTC (permalink / raw) To: Nick Desaulniers Cc: Nicholas Piggin, Ben Hutchings, Masahiro Yamada, Ard Biesheuvel, Arnd Bergmann, Debian kernel maintainers, Greg KH, LKML, Michal Marek, Linus Torvalds, Will Deacon, Sandeep Patil, Steve Muckle, Alessio Balsini, Stephen Hines, Jessica Yu, Dodji Seketeli On Wed, Aug 28, 2019 at 10:17:27AM -0700, Nick Desaulniers wrote: >On Tue, Aug 27, 2019 at 7:26 PM Nicholas Piggin <npiggin@gmail.com> wrote: >> >> Ben Hutchings's on August 28, 2019 1:34 am: >> > On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote: >> >> Masahiro Yamada's on August 27, 2019 8:49 pm: >> >> > Hi. >> >> > >> >> > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@gmail.com> wrote: >> >> > > Nick Desaulniers's on August 27, 2019 8:57 am: >> >> > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers >> >> > > > <ndesaulniers@google.com> wrote: >> >> > > > > I'm looking into a linkage failure for one of our device kernels, and >> >> > > > > it seems that genksyms isn't producing a hash value correctly for >> >> > > > > aggregate definitions that contain __attribute__s like >> >> > > > > __attribute__((packed)). >> >> > > > > >> >> > > > > Example: >> >> > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d >> >> > > > > Defn for struct foo == <struct foo { int bar ; } > >> >> > > > > Hash table occupancy 1/4096 = 0.000244141 >> >> > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' | >> >> > > > > ./scripts/genksyms/genksyms -d >> >> > > > > Hash table occupancy 0/4096 = 0 >> >> > > > > >> >> > > > > I assume the __attribute__ part isn't being parsed correctly (looks >> >> > > > > like genksyms is a lex/yacc based C parser). >> >> > > > > >> >> > > > > The issue we have in our out of tree driver (*sadface*) is basically a >> >> > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct. >> >> > > > > >> >> > > > > Theoretically, there should be nothing wrong with exporting a function >> >> > > > > that requires packed structs, and this is just a bug in the lex/yacc >> >> > > > > based parser, right? I assume that not having CONFIG_MODVERSIONS >> >> > > > > coverage of packed structs in particular could lead to potentially >> >> > > > > not-fun bugs? Or is using packed structs in exported function symbols >> >> > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I >> >> > > > > missed? >> >> > > > >> >> > > > Ah, looks like I'm late to the party: >> >> > > > https://lwn.net/Articles/707520/ >> >> > > >> >> > > Yeah, would be nice to do something about this. >> >> > >> >> > modversions is ugly, so it would be great if we could dump it. >> >> > >> >> > > IIRC (without re-reading it all), in theory distros would be okay >> >> > > without modversions if they could just provide their own explicit >> >> > > versioning. They take care about ABIs, so they can version things >> >> > > carefully if they had to change. >> > >> > Debian doesn't currently have any other way of detecting ABI changes >> > (other than eyeballing diffs). >> > >> > I know there have been proposals of using libabigail for this instead, >> > but I'm not sure how far those progressed. >> > >> >> > We have not provided any alternative solution for this, haven't we? >> >> > >> >> > In your patch (https://lwn.net/Articles/707729/), >> >> > you proposed CONFIG_MODULE_ABI_EXPLICIT. >> >> >> >> Right, that was just my first proposal, but I am not confident that I >> >> understood everybody's requirements. I don't think the distro people >> >> had much time to to test things out. >> >> >> >> One possible shortcoming with that patch is no per-symbol version. The >> >> distro may break an ABI for a security fix, but they don't want to break >> >> all out of tree modules if it's an obscure ABI. >> > >> > Right, for example the KVM kABI is only meant for in-tree modules (like >> > kvm_intel) and in Debian we do not change the "ABI version" and require >> > rebuilding out-of-tree modules just because that ABI changes. >> > Currently we maintain explicit lists of exported symbols and exporting >> > modules for which we ignore ABI changes at build time. >> > >> >> The counter argument to >> >> that is they should just rename the symbol in their kernel for such >> >> cases, so I didn't implement it without somebody describing a good >> >> requirement. >> > [...] >> > >> > Sometimes it is just a single function that changes, but often a >> > structure change can affect large numbers of functions. For example, >> > if KVM adds a member to an operations struct that can indirectly change >> > the ABI for most of its exported functions. We wouldn't want to change >> > the ABI version but would still want to prevent loading mismatched kvm >> > and kvm_intel versions. It would be a lot more work to change all of >> > the affected function names. >> >> You could change just a single symbol name though :) >> >> > An alternative to symbol version matching that I think would work for >> > us is: if a module's exports or imports match the "changes ignored" >> > list then the module can only be loaded on the exact version of the >> > kernel, otherwise it only needs to match the ABI version. I think that >> > would avoid the need for carrying symbol versions, but we would still >> > need a build-time ABI check and a way of flagging which symbols need >> > the tighter version match. >> >> Just trying to think how best to express that. >> >> [ Aside, the whole symbol name resolution linking stuff does matching on >> on any number of ~arbitrary strings that you can generate as you like, >> and symbol tables are something that all existing tools and libs >> understand. >> >> So I strongly favour using that as the back end for our "version" >> resolution system _if at all possible_ rather than adding these extra >> bits of crud that really just do the same thing. At least for a first >> pass, I don't want to over-engineer things. >> >> Then it hopefully becomes a matter of adding some helper macros and >> build facilities on top of that which can contain everyone's >> requirements mostly within .config and perhaps a very small patch. >> A bit more work with preprocessor macros etc is far preferable to >> linking and loading "features" IMO] >> >> Back to your case, is it sufficient to have just an internal and an >> external module version where the kernel provides both and your in-tree >> modules match on the internal, others match on external? >> >> Thanks, >> Nick >> > >+ some Android folks who are looking into libabigail > >(root thread for context: >https://lore.kernel.org/lkml/CAKwvOdnJAApaUhTQs7w_VjSeYBQa0c-TNxRB4xPLi0Y0sOQMMQ@mail.gmail.com/) > >I'm only roughly aware of their issue/work, but hopefully they can >collaborate and add their insights to a list of requirements we could >collect, for any kind of replacement to CONFIG_MODVERSIONS/genksyms. >I'm not sure if they were planning on presenting this work at Linux >Plumber's Conference coming up or not, but I hope so. Hopefully that >work will be a general solution for all kernel developers and distros, >not just Android. Several people are currently working on improving libabigail's capabilities to deal with the kernel binaries. That ranges from fixes for newer kernel versions or fixes for binaries built with clang to performance improvements to better integrate the tool into build processes etc. There is still some work to do to be an actual replacement for what is used right now to detect ABI incompatibilities. But things look promising. The work that is done there is supposed to address general issues, not just Android. In particular, libabigail should be able to reliably keep track of the observable in-kernel ABI of the kernel binaries to detect potential incompatibilities with previously released kernel binaries. Please note, that this all happens after the build by inspecting binaries. As opposed to other solutions, in its current form, libabigail does not introduce any checks at runtime (i.e. module load time). There are discussions about this topic scheduled at Plumber's in the Distro MC and the Android MC. Cheers, Matthias >This issue is now blocking my compiler upgrade, so I'm going to focus >on just fixing the yacc based parser to understand __attribute__'s on >struct/enum/union declarations. > >Speaking with Arnd about this issue, he came up with the test case: >$ echo 'struct __attribute__((packed)) foo { char bar; int baz; };' | >./scripts/genksyms/genksyms -d >Hash table occupancy 0/4096 = 0 >$ echo 'struct __attribute__((packed)) foo { char bar; };' | >./scripts/genksyms/genksyms -d >Hash table occupancy 0/4096 = 0 > >The implication being that because attributes don't parse correctly, >these symbols get a hash value of 0x00 in Module.symvers, meaning we >currently can't detect size changes of packed structs (or any other >attribute-qualified type) and happily proceed loading modules with >different ABIs than the kernel. > >I'll probably add some kind of script for unit tests for genksyms, >too. Feels like overkill for something known to be broken where >active replacements are being discussed, but it's blocking my compiler >upgrade for our products, so I'm just going to fix it for now. ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <CAOGTHR7wWaS+CdA9aR-8wWXa-AC47WBuLe5BEg01pFoKwKBpAw@mail.gmail.com>]
* Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? [not found] <CAOGTHR7wWaS+CdA9aR-8wWXa-AC47WBuLe5BEg01pFoKwKBpAw@mail.gmail.com> @ 2020-07-27 18:03 ` Nick Desaulniers 0 siblings, 0 replies; 12+ messages in thread From: Nick Desaulniers @ 2020-07-27 18:03 UTC (permalink / raw) To: Rob Simmons Cc: Ard Biesheuvel, Arnd Bergmann, Greg KH, LKML, Michal Marek, Linus Torvalds, Will Deacon, Masahiro Yamada On Sun, Jul 26, 2020 at 4:31 PM Rob Simmons <rsimmons514@gmail.com> wrote: You may have forgotten to send a body; but yes genksysms is brittle and upstream development on it stopped years ago. Put an attribute someplace unexpected and the parser will silently fail, making the modversions hash all zeros, which doesn't protect you from loading a potentially harmful module with different function signature. If you're planning on attending plumbers, I plan to put together a brief talk on the subject. -- Thanks, ~Nick Desaulniers ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-07-27 18:03 UTC | newest] Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-08-26 21:22 a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))? Nick Desaulniers 2019-08-26 22:57 ` Nick Desaulniers 2019-08-27 9:58 ` Nicholas Piggin 2019-08-27 10:49 ` Masahiro Yamada 2019-08-27 12:42 ` Nicholas Piggin 2019-08-27 15:34 ` Ben Hutchings 2019-08-27 17:09 ` Greg KH 2019-08-27 21:11 ` Ben Hutchings 2019-08-28 2:25 ` Nicholas Piggin 2019-08-28 17:17 ` Nick Desaulniers 2019-08-28 21:42 ` Matthias Maennich [not found] <CAOGTHR7wWaS+CdA9aR-8wWXa-AC47WBuLe5BEg01pFoKwKBpAw@mail.gmail.com> 2020-07-27 18:03 ` Nick Desaulniers
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.