Fwd: [kernel] Add patch to fix aarch64 KVM bug with module loading (rhbz 1194366).

Josh Boyer jwboyer at fedoraproject.org
Tue Feb 24 18:29:17 UTC 2015


Please fast-forward merge this change to the f22 branch and push that out.

josh


---------- Forwarded message ----------
From: Richard W.M. Jones <rjones at fedoraproject.org>
Date: Tue, Feb 24, 2015 at 1:26 PM
Subject: [kernel] Add patch to fix aarch64 KVM bug with module loading
(rhbz 1194366).
To: kernel-owner at fedoraproject.org, scm-commits at lists.fedoraproject.org


commit f7bbaa5ad931357b0e53974dd4ebca385802366e
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Tue Feb 24 18:25:10 2015 +0000

    Add patch to fix aarch64 KVM bug with module loading (rhbz 1194366).

 ...Fix-text-patching-logic-when-using-fixmap.patch | 68 ++++++++++++++++++++++
 kernel.spec                                        | 10 +++-
 2 files changed, 77 insertions(+), 1 deletion(-)
---
diff --git a/0001-arm64-Fix-text-patching-logic-when-using-fixmap.patch
b/0001-arm64-Fix-text-patching-logic-when-using-fixmap.patch
new file mode 100644
index 0000000..27784b5
--- /dev/null
+++ b/0001-arm64-Fix-text-patching-logic-when-using-fixmap.patch
@@ -0,0 +1,68 @@
+From a79ebe4eb65331733803df4a7fd634d3b709af7b Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier at arm.com>
+Date: Tue, 24 Feb 2015 16:30:21 +0000
+Subject: [PATCH] arm64: Fix text patching logic when using fixmap
+
+Patch 2f896d586610 ("arm64: use fixmap for text patching") changed
+the way we patch the kernel text, using a fixmap when the kernel or
+modules are flagged as read only.
+
+Unfortunately, a flaw in the logic makes it fall over when patching
+modules without CONFIG_DEBUG_SET_MODULE_RONX enabled:
+
+[...]
+[   32.032636] Call trace:
+[   32.032716] [<fffffe00003da0dc>] __copy_to_user+0x2c/0x60
+[   32.032837] [<fffffe0000099f08>] __aarch64_insn_write+0x94/0xf8
+[   32.033027] [<fffffe000009a0a0>] aarch64_insn_patch_text_nosync+0x18/0x58
+[   32.033200] [<fffffe000009c3ec>] ftrace_modify_code+0x58/0x84
+[   32.033363] [<fffffe000009c4e4>] ftrace_make_nop+0x3c/0x58
+[   32.033532] [<fffffe0000164420>] ftrace_process_locs+0x3d0/0x5c8
+[   32.033709] [<fffffe00001661cc>] ftrace_module_init+0x28/0x34
+[   32.033882] [<fffffe0000135148>] load_module+0xbb8/0xfc4
+[   32.034044] [<fffffe0000135714>] SyS_finit_module+0x94/0xc4
+[...]
+
+This is triggered by the use of virt_to_page() on a module address,
+which ends to pointing to Nowhereland if you're lucky, or corrupt
+your precious data if not.
+
+This patch fixes the logic by mimicking what is done on arm:
+- If we're patching a module and CONFIG_DEBUG_SET_MODULE_RONX is set,
+  use vmalloc_to_page().
+- If we're patching the kernel and CONFIG_DEBUG_RODATA is set,
+  use virt_to_page().
+- Otherwise, use the provided address, as we can write to it directly.
+
+Tested on 4.0-rc1 as a KVM guest.
+
+Reported-by: Richard W.M. Jones <rjones at redhat.com>
+Cc: Kees Cook <keescook at chromium.org>
+Cc: Mark Rutland <mark.rutland at arm.com>
+Cc: Laura Abbott <lauraa at codeaurora.org>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Cc: Will Deacon <will.deacon at arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier at arm.com>
+---
+ arch/arm64/kernel/insn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
+index 27d4864..c8eca88 100644
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -87,8 +87,10 @@ static void __kprobes *patch_map(void *addr, int fixmap)
+
+       if (module && IS_ENABLED(CONFIG_DEBUG_SET_MODULE_RONX))
+               page = vmalloc_to_page(addr);
+-      else
++      else if (!module && IS_ENABLED(CONFIG_DEBUG_RODATA))
+               page = virt_to_page(addr);
++      else
++              return addr;
+
+       BUG_ON(!page);
+       set_fixmap(fixmap, page_to_phys(page));
+--
+2.3.0
+
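Review bot: the new `else` / `return addr;` path in patch_map() skips the `set_fixmap(fixmap, page_to_phys(page))` call that follows it, so whoever calls the matching unmap after a write will be tearing down a fixmap slot that was never populated; that is harmless if the unmap is a plain clear, but the function now has two distinct contracts (returns a fixmap alias, or returns the caller's own pointer) and nothing in the hunk says so. Suggest a one-line comment above the early return along the lines of `/* text is writable here, no fixmap needed */`, and a note in the function header that the returned pointer may be `addr` itself. The logic is otherwise right for the two cases the commit message lists: a module with CONFIG_DEBUG_SET_MODULE_RONX unset, and the core kernel with CONFIG_DEBUG_RODATA unset, are both directly writable, and the old unconditional `virt_to_page(addr)` on a vmalloc'd module address is exactly what produced the `__copy_to_user` trace above.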
diff --git a/kernel.spec b/kernel.spec
index 16ca947..43146ce 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@@ -627,6 +627,9 @@ Patch26139:
HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
 Patch30000: kernel-arm64.patch
 Patch30001: kernel-arm64-fix-psci-when-pg.patch

+# Not yet upstream, for https://bugzilla.redhat.com/show_bug.cgi?id=1194366#c12
+Patch30002: 0001-arm64-Fix-text-patching-logic-when-using-fixmap.patch
+
 # END OF PATCH DEFINITIONS

 %endif
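Review bot: the "Not yet upstream" comment on Patch30002 should say what to look for when dropping it, otherwise the next rebase has to rediscover it; the patch file header already gives the upstream subject ("arm64: Fix text patching logic when using fixmap", Marc Zyngier, tested on 4.0-rc1), so quoting that subject next to the bugzilla link is enough. The Patch30002 number follows the existing Patch30000/30001 arm64 block, which is the right place for it.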
@@ -1359,6 +1362,8 @@ ApplyPatch kernel-arm64.patch -R
 %endif
 %endif
 ApplyPatch kernel-arm64-fix-psci-when-pg.patch
+# Not yet upstream, for https://bugzilla.redhat.com/show_bug.cgi?id=1194366#c12
+ApplyPatch 0001-arm64-Fix-text-patching-logic-when-using-fixmap.patch

 # END OF PATCH APPLICATIONS

@@ -2210,6 +2215,9 @@ fi
 #
 #
 %changelog
+* Tue Feb 24 2015 Richard W.M. Jones <rjones at redhat.com> - 4.0.0-0.rc1.git0.2
+- Add patch to fix aarch64 KVM bug with module loading (rhbz 1194366).
+
 * Tue Feb 24 2015 Peter Robinson <pbrobinson at fedoraproject.org>
 - Minor ARM config update

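Review bot: the changelog entry describes this as an "aarch64 KVM bug", but the patch subject and body frame it as an arm64 text patching fix that triggers on module load whenever CONFIG_DEBUG_SET_MODULE_RONX is unset; KVM is only where it was reported and tested. A subject such as "Fix arm64 text patching on module load (rhbz 1194366)" would steer bare-metal aarch64 users who hit the same trace toward the right entry. The 4.0.0-0.rc1.git0.2 release string does match the baserelease bump to 2 above.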