Re: [PATCH v10 2/2] livepatch,x86: Clear relocation targets on a module removal

From: Petr Mladek
Date: Tue Jan 24 2023 - 07:25:16 EST


On Fri 2023-01-20 16:49:45, Song Liu wrote:
> Josh reported a bug:
>
> When the object to be patched is a module, and that module is
> rmmod'ed and reloaded, it fails to load with:
>
> module: x86/modules: Skipping invalid relocation target, existing value is nonzero for type 2, loc 00000000ba0302e9, val ffffffffa03e293c
> livepatch: failed to initialize patch 'livepatch_nfsd' for module 'nfsd' (-8)
> livepatch: patch 'livepatch_nfsd' failed for module 'nfsd', refusing to load module 'nfsd'
>
> The livepatch module has a relocation which references a symbol
> in the _previous_ loading of nfsd. When apply_relocate_add()
> tries to replace the old relocation with a new one, it sees that
> the previous one is nonzero and it errors out.
>
> He also proposed three different solutions. We could remove the error
> check in apply_relocate_add() introduced by commit eda9cec4c9a1
> ("x86/module: Detect and skip invalid relocations"). However the check
> is useful for detecting corrupted modules.
>
> We could also deny removal of patched modules. If that proved to be
> a major drawback for users, we could still implement a different
> approach. That solution would also complicate the existing code a lot.
>
> We thus decided to reverse the relocation patching (clear all relocation
> targets on x86_64). The solution is not
> universal and is too arch-specific, but it may prove to be simpler
> in the end.
>
> Reported-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Originally-by: Miroslav Benes <mbenes@xxxxxxx>
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> Acked-by: Miroslav Benes <mbenes@xxxxxxx>
>
> --- a/arch/x86/kernel/module.c
> +++ b/arch/x86/kernel/module.c
> @@ -129,22 +129,27 @@ int apply_relocate(Elf32_Shdr *sechdrs,
> return 0;
> }
> #else /*X86_64*/
> -static int __apply_relocate_add(Elf64_Shdr *sechdrs,
> +static int __write_relocate_add(Elf64_Shdr *sechdrs,
> const char *strtab,
> unsigned int symindex,
> unsigned int relsec,
> struct module *me,
> - void *(*write)(void *dest, const void *src, size_t len))
> + void *(*write)(void *dest, const void *src, size_t len),
> + bool apply)
> {
> unsigned int i;
> Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
> Elf64_Sym *sym;
> void *loc;
> u64 val;
> + u64 zero = 0ULL;
>
> - DEBUGP("Applying relocate section %u to %u\n",
> + DEBUGP("%s relocate section %u to %u\n",
> + apply ? "Applying" : "Clearing",
> relsec, sechdrs[relsec].sh_info);
> for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
> + int size = 0;

The value 0 should never be used. It is better not to initialize
it at all, so that the compiler warns when the variable might be
used uninitialized.

Note that this warning is not enabled by default. It can be enabled
with

$> make W=2 arch/x86/kernel/module.o

> +
> /* This is where to make the change */
> loc = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
> + rel[i].r_offset;
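Review bot: the new `bool apply` parameter and the `u64 zero = 0ULL;` local in `__write_relocate_add()` carry no comment describing the clearing contract, and nothing in this hunk shows where `zero` is consumed; a one-line comment at the declaration (for instance `/* value stored at each relocation target when !apply */`, wording as a suggestion) would make the clear path self-explanatory to the next reader without having to scroll to its use. The DEBUGP string already distinguishes "Applying" from "Clearing", so the documentation gap is only at the parameter and the local.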

Otherwise, it looks good.

With the removed initialization, feel free to use:

Reviewed-by: Petr Mladek <pmladek@xxxxxxxx>

Best Regards,
Petr