Re: a bug in genksysms/CONFIG_MODVERSIONS w/ __attribute__((foo))?

[Ben Hutchings]

On Tue, 2019-08-27 at 22:42 +1000, Nicholas Piggin wrote:
> Masahiro Yamada's on August 27, 2019 8:49 pm:
> > Hi.
> > 
> > On Tue, Aug 27, 2019 at 6:59 PM Nicholas Piggin <npiggin@xxxxxxxxx> wrote:
> > > Nick Desaulniers's on August 27, 2019 8:57 am:
> > > > On Mon, Aug 26, 2019 at 2:22 PM Nick Desaulniers
> > > > <ndesaulniers@xxxxxxxxxx> wrote:
> > > > > I'm looking into a linkage failure for one of our device kernels, and
> > > > > it seems that genksyms isn't producing a hash value correctly for
> > > > > aggregate definitions that contain __attribute__s like
> > > > > __attribute__((packed)).
> > > > > 
> > > > > Example:
> > > > > $ echo 'struct foo { int bar; };' | ./scripts/genksyms/genksyms -d
> > > > > Defn for struct foo == <struct foo { int bar ; } >
> > > > > Hash table occupancy 1/4096 = 0.000244141
> > > > > $ echo 'struct __attribute__((packed)) foo { int bar; };' |
> > > > > ./scripts/genksyms/genksyms -d
> > > > > Hash table occupancy 0/4096 = 0
> > > > > 
> > > > > I assume the __attribute__ part isn't being parsed correctly (looks
> > > > > like genksyms is a lex/yacc based C parser).
> > > > > 
> > > > > The issue we have in our out of tree driver (*sadface*) is basically a
> > > > > EXPORT_SYMBOL'd function whose signature contains a packed struct.
> > > > > 
> > > > > Theoretically, there should be nothing wrong with exporting a function
> > > > > that requires packed structs, and this is just a bug in the lex/yacc
> > > > > based parser, right?  I assume that not having CONFIG_MODVERSIONS
> > > > > coverage of packed structs in particular could lead to potentially
> > > > > not-fun bugs?  Or is using packed structs in exported function symbols
> > > > > with CONFIG_MODVERSIONS forbidden in some documentation somewhere I
> > > > > missed?
> > > > 
> > > > Ah, looks like I'm late to the party:
> > > > https://lwn.net/Articles/707520/
> > > 
> > > Yeah, would be nice to do something about this.
> > 
> > modversions is ugly, so it would be great if we could dump it.
> > 
> > > IIRC (without re-reading it all), in theory distros would be okay
> > > without modversions if they could just provide their own explicit
> > > versioning. They take care about ABIs, so they can version things
> > > carefully if they had to change.

Debian doesn't currently have any other way of detecting ABI changes
(other than eyeballing diffs).

I know there have been proposals of using libabigail for this instead,
but I'm not sure how far those progressed.

> > We have not provided any alternative solution for this, haven't we?
> > 
> > In your patch (https://lwn.net/Articles/707729/),
> > you proposed CONFIG_MODULE_ABI_EXPLICIT.
> 
> Right, that was just my first proposal, but I am not confident that I
> understood everybody's requirements. I don't think the distro people
> had much time to to test things out.
> 
> One possible shortcoming with that patch is no per-symbol version. The 
> distro may break an ABI for a security fix, but they don't want to break
> all out of tree modules if it's an obscure ABI.

Right, for example the KVM kABI is only meant for in-tree modules (like
kvm_intel) and in Debian we do not change the "ABI version" and require
rebuilding out-of-tree modules just because that ABI changes. 
Currently we maintain explicit lists of exported symbols and exporting
modules for which we ignore ABI changes at build time.

> The counter argument to 
> that is they should just rename the symbol in their kernel for such 
> cases, so I didn't implement it without somebody describing a good
> requirement.
[...]

Sometimes it is just a single function that changes, but often a
structure change can affect large numbers of functions.  For example,
if KVM adds a member to an operations struct that can indirectly change
the ABI for most of its exported functions.  We wouldn't want to change
the ABI version but would still want to prevent loading mismatched kvm
and kvm_intel versions.  It would be a lot more work to change all of
the affected function names.

An alternative to symbol version matching that I think would work for
us is: if a module's exports or imports match the "changes ignored"
list then the module can only be loaded on the exact version of the
kernel, otherwise it only needs to match the ABI version.  I think that
would avoid the need for carrying symbol versions, but we would still
need a build-time ABI check and a way of flagging which symbols need
the tighter version match.

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett

Attachment: signature.asc
Description: This is a digitally signed message part