On Mon, Apr 08, 2019 at 03:47:04PM -0400, Mathieu Desnoyers wrote:
> ----- On Apr 8, 2019, at 3:35 PM, Joel Fernandes, Google [email protected] wrote:
>
> > On Mon, Apr 08, 2019 at 01:25:49PM -0400, Mathieu Desnoyers wrote:
> >> ----- On Apr 8, 2019, at 1:10 PM, paulmck [email protected] wrote:
> >>
> >> > On Mon, Apr 08, 2019 at 01:06:56PM -0400, Mathieu Desnoyers wrote:
> >> >> ----- On Apr 8, 2019, at 11:21 AM, paulmck [email protected] wrote:
> >> >>
> >> >> > On Mon, Apr 08, 2019 at 10:57:50PM +0800, Rong Chen wrote:
> >> >> >> On Mon, Apr 08, 2019 at 07:30:37AM -0700, Paul E. McKenney wrote:
> >> >> >> > On Mon, Apr 08, 2019 at 09:56:10PM +0800, kernel test robot wrote:
> >> >> >> > > FYI, we noticed the following commit (built with gcc-7):
> >> >> >> > >
> >> >> >> > > commit: a365bb5f6eafb220a1448674054b05c250829313 ("srcu: Allocate per-CPU data for DEFINE_SRCU() in modules")
> >> >> >> > > https://git.kernel.org/cgit/linux/kernel/git/paulmck/linux-rcu.git tmp.2019.04.07a
> >> >> >> > >
> >> >> >> > > in testcase: leaking_addresses
> >> >> >> > > with following parameters:
> >> >> >> > >
> >> >> >> > >
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
> >> >> >> > >
> >> >> >> > > caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > +-------------------------------------------------+------------+------------+
> >> >> >> > > |                                                 | a44a55abae | a365bb5f6e |
> >> >> >> > > +-------------------------------------------------+------------+------------+
> >> >> >> > > | boot_successes                                  | 0          | 3          |
> >> >> >> > > | boot_failures                                   | 4          | 6          |
> >> >> >> > > | BUG:kernel_reboot-without-warning_in_test_stage | 4          | 6          |
> >> >> >> > > | leaking_addresses.proc.___srcu_struct_ptrs.     | 0          | 6          |
> >> >> >> > > +-------------------------------------------------+------------+------------+
> >> >> >> >
> >> >> >> > Please help me out here. Without this commit, the kernel never succeeds
> >> >> >> > in booting, but with it the kernel sometimes succeeds in booting? Or am
> >> >> >> > I misinterpreting the above table?
> >> >> >> >
> >> >> >> > Thanx, Paul
> >> >> >>
> >> >> >> Hi Paul,
> >> >> >>
> >> >> >> The message "kernel_reboot-without-warning_in_test_stage" is from 0day,
> >> >> >> leaking addresses generated many dmesgs, so 0day thought some bootings may
> >> >> >> failed.
> >> >> >
> >> >> [...]
> >> >> >> >
> >> >> >> > > [1 .rodata.cst16.POLY] 0xffffffffc0498360
> >> >> >> > > [1 .rodata.cst32.byteshift_table] 0xffffffffc03f50f0
> >> >> >> > > [19 __bug_table] 0xffffffffc02be184
> >> >> >> > > [2 __tracepoints_ptrs] 0xffffffffc02f1cd0
> >> >> >> > > [15 .smp_locks] 0xffffffffc042b2cc
> >> >> >> > > [1 .rodata.cst16.enc] 0xffffffffc0498420
> >> >> >> > > [11 __ksymtab_gpl] 0xffffffffc042b028
> >> >> >> > > [8 __ex_table] 0xffffffffc04f13f4
> >> >> >> > > [1 .init.rodata] 0xffffffffc0316000
> >> >> >> > > [36 .note.gnu.build-id] 0xffffffffc03ed000
> >> >> >> > > [1 .rodata.cst16.dec] 0xffffffffc0498410
> >> >> >> > > [16 .parainstructions] 0xffffffffc03ed940
> >> >> >> > > [8 .text..refcount] 0xffffffffc04e2aaa
> >> >> >> > > [36 .gnu.linkonce.this_module] 0xffffffffc03f12c0
> >> >> >> > > [2 __bpf_raw_tp_map] 0xffffffffc03054a0
> >> >> >> > > [30 .orc_unwind_ip] 0xffffffffc03ee9f9
> >> >> >> > > [8 .altinstr_replacement] 0xffffffffc0497372
> >> >> >> > > [26 .rodata.str1.8] 0xffffffffc03ed1f0
> >> >> >> > > [11 __verbose] 0xffffffffc05c9398
> >> >> >> > > [1 .rodata.cst16.TWOONE] 0xffffffffc0498380
> >> >> >> > > [1 uevent] KEY=402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe
> >> >> >> > > [1 .rodata.cst16.ONE] 0xffffffffc04983e0
> >> >> >> > > [8 .altinstructions] 0xffffffffc0498430
> >> >> >> > > [36 modules] crct10dif_pclmul 16384 1 - Live 0xffffffffc03f4000
> >> >> >> > > [1 ___srcu_struct_ptrs] 0xffffffffc03840d0
> >> >> >> > >
> >> >>
> >> >> This list of "leaked" memory seems to include the __tracepoint_ptrs
> >> >> as well. So at least you seem to have the same behavior as the tracepoint
> >> >> code, which was your source of inspiration for this implementation,
> >> >> which is a good start.
> >> >>
> >> >> So the remaining question is: is this memory allocated for module sections
> >> >> really leaked for each module, or is it an issue with memory allocation
> >> >> tracking ?
> >> >
> >
> > It looks to me like this has nothing to do with memory allocation. This is
> > the leaking_addresses.pl script isn't it? It basically finds out if
> > any /proc filesystem entries or dmesg lines have kernel addresses which could
> > be "leaking" into userspace. I have no idea which filesystem entries leak
> > these addresses.
> >
> > This commit that introduced the script is:
> >
> > commit 136fc5c41f349296db1910677bb7402b0eeff376
> > Author: Tobin C. Harding <[email protected]>
> > Date: Mon Nov 6 16:19:27 2017 +1100
> >
> >     scripts: add leaking_addresses.pl
> >
> >     Currently we are leaking addresses from the kernel to user space. This
> >     script is an attempt to find some of those leakages. Script parses
> >     `dmesg` output and /proc and /sys files for hex strings that look like
> >     kernel addresses.
>
> Then I suspect we have a likely culprit here:
>
> root@thinkos:/sys# cat /sys/module/*/sections/__tracepoints_ptrs
> 0xffffffffc07865c0
> 0xffffffffc0bad3e8
> 0xffffffffc0b19808
> 0xffffffffc0847b80
> 0xffffffffc0ea7078
> 0xffffffffc07cb260
> 0xffffffffc0f32038
> 0xffffffffc055cc68
> 0xffffffffc10b1970
> 0xffffffffc0a209f0
> 0xffffffffc0612a00
> 0xffffffffc041df40
> 0xffffffffc0abe6a8
> 0xffffffffc09fb688
> 0xffffffffc0ce8c58
> 0xffffffffc08b7660
> 0xffffffffc092bd28
> 0xffffffffc04ccc90
>
> Which seems to be a "feature" from module.c.
>

Aha, it is a feature not a bug then ;-)

In Android, our security team disables access to all of these through
selinux.

thanks,

 - Joel
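
Added example, not part of this thread and not the kernel's leaking_addresses.pl: a small Python audit that walks /sys/module/*/sections the way the `cat` above does and reports which files still hand kernel addresses to the calling user, which is one way to confirm that a restriction like the SELinux one mentioned above is in effect. The x86_64 address pattern, the function names and the sample tree (mod_a, mod_b) are assumptions made for the example.

```python
import glob
import os
import re
import tempfile

# Assumption: x86_64, kernel addresses are 16 hex digits starting with "ffff".
KADDR_RE = re.compile(r"\b(?:0x)?(ffff[0-9a-f]{12})\b", re.IGNORECASE)

def find_kernel_addresses(text):
    """Return every kernel-looking hex address in text, lower-cased."""
    return [m.group(1).lower() for m in KADDR_RE.finditer(text)]

def audit_sections(root="/sys/module"):
    """Classify <root>/<module>/sections/* by what the caller can read."""
    report = {"leaking": {}, "masked": [], "denied": []}
    for sec_dir in sorted(glob.glob(os.path.join(root, "*", "sections"))):
        try:
            names = sorted(os.listdir(sec_dir))  # listdir keeps ".text" etc.
        except OSError:
            report["denied"].append(sec_dir)
            continue
        for name in names:
            path = os.path.join(sec_dir, name)
            try:
                with open(path, errors="replace") as fh:
                    addrs = find_kernel_addresses(fh.read(4096))
            except OSError:
                report["denied"].append(path)  # access blocked: desired outcome
                continue
            if addrs:
                report["leaking"][path] = addrs
            else:
                report["masked"].append(path)  # readable, no address (e.g. zeros)
    return report

def build_sample_tree(root):
    """Constructed stand-in for /sys/module so the audit runs anywhere."""
    samples = {("mod_a", "__tracepoints_ptrs"): "0xffffffffc07865c0\n",
               ("mod_a", ".text"): "0x0000000000000000\n",
               ("mod_b", "___srcu_struct_ptrs"): "0xffffffffc03840d0\n"}
    for (module, section), content in samples.items():
        os.makedirs(os.path.join(root, module, "sections"), exist_ok=True)
        with open(os.path.join(root, module, "sections", section), "w") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_sections(tmp)["leaking"])
```

Calling `audit_sections()` with no argument, as the unprivileged user or confined domain of interest, checks the live /sys/module; an empty "leaking" entry is the result wanted.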

