On 28/09/2023 at 15:21, Joel Granados via B4 Relay wrote:
> From: Joel Granados <j.granados@xxxxxxxxxxx>

Automatic test fails on powerpc, see
https://patchwork.ozlabs.org/project/linuxppc-dev/patch/20230928-jag-sysctl_remove_empty_elem_drivers-v1-15-e59120fca9f9@xxxxxxxxxxx/

Kernel attempted to read user page (1a111316) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel data access on read at 0x1a111316
Faulting instruction address: 0xc0545338
Oops: Kernel access of bad area, sig: 11 [#1]
BE PAGE_SIZE=4K PowerPC 44x Platform
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 6.5.0-rc6-gdef13277bacb #1
Hardware name: amcc,bamboo 440GR Rev. B 0x422218d3 PowerPC 44x Platform
NIP: c0545338 LR: c0548468 CTR: ffffffff
REGS: c084fae0 TRAP: 0300 Not tainted (6.5.0-rc6-gdef13277bacb)
MSR: 00021000 <CE,ME> CR: 84004288 XER: 00000000
DEAR: 1a111316 ESR: 00000000
GPR00: c0548468 c084fbd0 c0888000 c084fc99 00000000 c084fc7c 1a110316 000affff
GPR08: ffffffff c084fd18 1a111316 04ffffff 22000282 00000000 c00027c0 00000000
GPR16: 00000000 00000000 c0040000 c003d544 00000001 c003eb2c 096023d4 00000000
GPR24: c0636502 c0636502 c084fc74 c0588510 c084fc68 c084fc7c c084fc99 00000002
NIP [c0545338] string+0x78/0x148
LR [c0548468] vsnprintf+0x3d8/0x824
Call Trace:
[c084fbd0] [c084fc7c] 0xc084fc7c (unreliable)
[c084fbe0] [c0548468] vsnprintf+0x3d8/0x824
[c084fc30] [c0072dec] vprintk_store+0x17c/0x4c8
[c084fcc0] [c007322c] vprintk_emit+0xf4/0x2a0
[c084fd00] [c0073d04] _printk+0x60/0x88
[c084fd40] [c01ab63c] sysctl_err+0x78/0xa4
[c084fd80] [c01ab404] __register_sysctl_table+0x6a0/0x6c4
[c084fde0] [c06a585c] __register_sysctl_init+0x30/0x78
[c084fe00] [c06a8cc8] tty_init+0x44/0x168
[c084fe30] [c00023c4] do_one_initcall+0x64/0x2a0
[c084fea0] [c068f060] kernel_init_freeable+0x184/0x230
[c084fee0] [c00027e4] kernel_init+0x24/0x124
[c084ff00] [c000f1fc] ret_from_kernel_user_thread+0x14/0x1c
--- interrupt: 0 at 0x0
NIP: 00000000 LR: 00000000 CTR: 00000000
REGS: c084ff10 TRAP: 0000 Not tainted (6.5.0-rc6-gdef13277bacb)
MSR: 00000000 <> CR: 00000000 XER: 00000000
GPR00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
GPR08: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
GPR24: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
NIP [00000000] 0x0
LR [00000000] 0x0
--- interrupt: 0
Code: 91610008 90e1000c 4bffd0b5 80010014 38210010 7c0803a6 4e800020 409d0008 99230000 38630001 38840001 4240ffd0 <7d2a20ae> 7f851840 5528063e 2c080000
---[ end trace 0000000000000000 ]---
note: swapper[1] exited with irqs disabled
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

>
> What?
> These commits remove the sentinel element (last empty element) from the
> sysctl arrays of all the files under the "drivers/" directory that use a
> sysctl array for registration. The merging of the preparation patches
> (in https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@xxxxxxxxxxxxxxxxxxxxxx/)
> to mainline allows us to just remove sentinel elements without changing
> behavior (more info here [1]).
>
> These commits are part of a bigger set (here
> https://github.com/Joelgranados/linux/tree/tag/sysctl_remove_empty_elem_V4)
> that remove the ctl_table sentinel. Make the review process easier by
> chunking the commits into manageable pieces. Each chunk can be reviewed
> separately without noise from parallel sets.
>
> Now that the architecture chunk has been mostly reviewed [6], we send
> the "drivers/" directory. Once this one is done, it will be followed by
> "fs/*", "kernel/*", "net/*" and miscellaneous. The final set will remove
> the unneeded check for ->procname == NULL.
>
> Why?
> By removing the sysctl sentinel elements we avoid kernel bloat as
> ctl_table arrays get moved out of kernel/sysctl.c into their own
> respective subsystems.
> This move was started long ago to avoid merge
> conflicts; the sentinel removal bit came after Matthew Wilcox suggested
> it to avoid bloating the kernel by one element as arrays moved out. This
> patchset will reduce the overall build time size of the kernel and run
> time memory bloat by about ~64 bytes per declared ctl_table array. I
> have consolidated some links that shed light on the history of this
> effort [2].
>
> Testing:
> * Ran sysctl selftests (./tools/testing/selftests/sysctl/sysctl.sh)
> * Ran this through 0-day with no errors or warnings
>
> Size saving after removing all sentinels:
> These are the bytes that we save after removing all the sentinels
> (this plus all the other chunks). I included them to get an idea of
> how much memory we are talking about.
> * bloat-o-meter:
>   - The "yesall" configuration results save 9158 bytes
>     https://lore.kernel.org/all/20230621091000.424843-1-j.granados@xxxxxxxxxxx/
>   - The "tiny" config + CONFIG_SYSCTL save 1215 bytes
>     https://lore.kernel.org/all/20230809105006.1198165-1-j.granados@xxxxxxxxxxx/
> * memory usage:
>   In memory savings are measured to be 7296 bytes. (here is how to
>   measure [3])
>
> Size saving after this patchset:
> * bloat-o-meter
>   - The "yesall" config saves 2432 bytes [4]
>   - The "tiny" config saves 64 bytes [5]
> * memory usage:
>   In this case there were no bytes saved because I do not have any
>   of the drivers in the patch. To measure it comment the printk in
>   `new_dir` and uncomment the if conditional in `new_links` [3].
>
> Comments/feedback greatly appreciated
>
> Best
> Joel
>
> [1]
> We are able to remove a sentinel table without behavioral change by
> introducing a table_size argument in the same place where procname is
> checked for NULL. The idea is for it to keep stopping when it hits
> ->procname == NULL, while the sentinel is still present. And when the
> sentinel is removed, it will stop on the table_size.
> You can go to
> (https://lore.kernel.org/all/20230809105006.1198165-1-j.granados@xxxxxxxxxxx/)
> for more information.
>
> [2]
> Links Related to the ctl_table sentinel removal:
> * Good summary from Luis sent with the "pull request" for the
>   preparation patches.
>   https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@xxxxxxxxxxxxxxxxxxxxxx/
> * Another very good summary from Luis.
>   https://lore.kernel.org/all/ZMFizKFkVxUFtSqa@xxxxxxxxxxxxxxxxxxxxxx/
> * This is a patch set that replaces register_sysctl_table with register_sysctl
>   https://lore.kernel.org/all/20230302204612.782387-1-mcgrof@xxxxxxxxxx/
> * Patch set to deprecate register_sysctl_paths()
>   https://lore.kernel.org/all/20230302202826.776286-1-mcgrof@xxxxxxxxxx/
> * Here there is an explicit expectation for the removal of the sentinel element.
>   https://lore.kernel.org/all/20230321130908.6972-1-frank.li@xxxxxxxx
> * The "ARRAY_SIZE" approach was mentioned (proposed?) in this thread
>   https://lore.kernel.org/all/20220220060626.15885-1-tangmeng@xxxxxxxxxxxxx
>
> [3]
> To measure the in memory savings apply this on top of this patchset.
>
> "
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index c88854df0b62..e0073a627bac 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -976,6 +976,8 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
>  table[0].procname = new_name;
>  table[0].mode = S_IFDIR|S_IRUGO|S_IXUGO;
>  init_header(&new->header, set->dir.header.root, set, node, table, 1);
> + // Counts additional sentinel used for each new dir.
> + printk("%ld sysctl saved mem kzalloc \n", sizeof(struct ctl_table));
>
>  return new;
>  }
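Review bot: the printk added in new_dir() passes sizeof(struct ctl_table), a size_t, to a %ld conversion; on 32-bit builds such as the PowerPC 44x target in the oops above size_t is unsigned int, so this is a format mismatch that -Wformat will flag. Use %zu. The call also has no KERN_ level and a stray space before the newline; for a throwaway measurement patch that is tolerable, but pr_info("%zu sysctl saved mem kzalloc\n", sizeof(struct ctl_table)); would be cleaner.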
> @@ -1199,6 +1201,9 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table_
>  link_name += len;
>  link++;
>  }
> + // Counts additional sentinel used for each new registration
> + //if ((head->ctl_table + head->ctl_table_size)->procname)
> + printk("%ld sysctl saved mem kzalloc \n", sizeof(struct ctl_table));
>  init_header(links, dir->header.root, dir->header.set, node, link_table,
>  head->ctl_table_size);
>  links->nreg = nr_entries;
> "
> and then run the following bash script in the kernel:
>
> accum=0
> for n in $(dmesg | grep kzalloc | awk '{print $3}') ; do
>     echo "$n"
>     accum=$((accum + n))
> done
> echo "$accum"
>
> [4]
> add/remove: 0/0 grow/shrink: 0/21 up/down: 0/-2432 (-2432)
> Function                                     old     new   delta
> xpc_sys_xpc_hb                               192     128     -64
> xpc_sys_xpc                                  128      64     -64
> vrf_table                                    128      64     -64
> ucma_ctl_table                               128      64     -64
> tty_table                                    192     128     -64
> sg_sysctls                                   128      64     -64
> scsi_table                                   128      64     -64
> random_table                                 448     384     -64
> raid_table                                   192     128     -64
> oa_table                                     192     128     -64
> mac_hid_files                                256     192     -64
> iwcm_ctl_table                               128      64     -64
> ipmi_table                                   128      64     -64
> hv_ctl_table                                 128      64     -64
> hpet_table                                   128      64     -64
> firmware_config_table                        192     128     -64
> cdrom_table                                  448     384     -64
> balloon_table                                128      64     -64
> parport_sysctl_template                      912     720    -192
> parport_default_sysctl_table                 584     136    -448
> parport_device_sysctl_template               776     136    -640
> Total: Before=429940038, After=429937606, chg -0.00%
>
> [5]
> add/remove: 0/0 grow/shrink: 0/1 up/down: 0/-64 (-64)
> Function                                     old     new   delta
> random_table                                 448     384     -64
> Total: Before=1885527, After=1885463, chg -0.00%
>
> [6] https://lore.kernel.org/all/20230913-jag-sysctl_remove_empty_elem_arch-v2-0-d1bd13a29bae@xxxxxxxxxxx/
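Review bot: in the new_links() hunk, the commented-out conditional (head->ctl_table + head->ctl_table_size)->procname dereferences the slot just past the ctl_table_size entries, which is exactly the sentinel this series deletes; on a table that has already been converted, uncommenting it as footnote [3] suggests reads one element past the end of the array. If the goal is to tell converted tables from unconverted ones, that information is only reliably available at the registration site where the declared array length (ARRAY_SIZE) is known, not by peeking past the end here. The same %ld-for-size_t format point as in new_dir() applies to this printk.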
>
> Signed-off-by: Joel Granados <j.granados@xxxxxxxxxxx>
>
> ---
>
> ---
> Joel Granados (15):
>       cdrom: Remove now superfluous sentinel element from ctl_table array
>       hpet: Remove now superfluous sentinel element from ctl_table array
>       xen: Remove now superfluous sentinel element from ctl_table array
>       tty: Remove now superfluous sentinel element from ctl_table array
>       scsi: Remove now superfluous sentinel element from ctl_table array
>       parport: Remove the now superfluous sentinel element from ctl_table array
>       macintosh: Remove the now superfluous sentinel element from ctl_table array
>       infiniband: Remove the now superfluous sentinel element from ctl_table array
>       char-misc: Remove the now superfluous sentinel element from ctl_table array
>       vrf: Remove the now superfluous sentinel element from ctl_table array
>       sgi-xp: Remove the now superfluous sentinel element from ctl_table array
>       fw loader: Remove the now superfluous sentinel element from ctl_table array
>       raid: Remove now superfluous sentinel element from ctl_table array
>       hyper-v/azure: Remove now superfluous sentinel element from ctl_table array
>       intel drm: Remove now superfluous sentinel element from ctl_table array
>
>  drivers/base/firmware_loader/fallback_table.c |  3 +-
>  drivers/cdrom/cdrom.c                         |  3 +-
>  drivers/char/hpet.c                           |  3 +-
>  drivers/char/ipmi/ipmi_poweroff.c             |  3 +-
>  drivers/char/random.c                         |  3 +-
>  drivers/gpu/drm/i915/i915_perf.c              |  3 +-
>  drivers/hv/hv_common.c                        |  3 +-
>  drivers/infiniband/core/iwcm.c                |  3 +-
>  drivers/infiniband/core/ucma.c                |  3 +-
>  drivers/macintosh/mac_hid.c                   |  3 +-
>  drivers/md/md.c                               |  3 +-
>  drivers/misc/sgi-xp/xpc_main.c                |  6 ++--
>  drivers/net/vrf.c                             |  3 +-
>  drivers/parport/procfs.c                      | 42 ++++++++++++---------------
>  drivers/scsi/scsi_sysctl.c                    |  3 +-
>  drivers/scsi/sg.c                             |  3 +-
>  drivers/tty/tty_io.c                          |  3 +-
>  drivers/xen/balloon.c                         |  3 +-
>  18 files changed, 36 insertions(+), 60 deletions(-)
> ---
> base-commit: 0e945134b680040b8613e962f586d91b6d40292d
> change-id: 20230927-jag-sysctl_remove_empty_elem_drivers-f034962a0d8c
>
> Best regards,
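The dual stopping rule that footnote [1] describes (stop on a NULL procname while a sentinel is still present, otherwise stop at table_size), shown in plain C as an added example that is not part of the series or of the kernel tree: struct ctl_table is cut down to the fields the walk needs, and the two sample tables, the ARRAY_SIZE macro and the function names are constructed for this illustration.

```c
#include <stddef.h>

/* Minimal stand-in for the kernel's struct ctl_table (constructed for this
 * example; only the fields the walk needs are kept). */
struct ctl_table {
	const char *procname;
	int maxlen;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Legacy walk: stops only on the sentinel's NULL procname. Called on a
 * sentinel-less array it runs off the end of the table, which is the class
 * of bug behind the oops quoted above. Never use it on a converted table. */
static size_t count_entries_sentinel(const struct ctl_table *table)
{
	size_t n = 0;
	for (const struct ctl_table *e = table; e->procname; e++)
		n++;
	return n;
}

/* Transitional walk as footnote [1] describes it: bounded by table_size and
 * still stopping early on a NULL procname, so it gives the same answer
 * before and after the sentinel is removed. */
static size_t count_entries_bounded(const struct ctl_table *table, size_t table_size)
{
	size_t n = 0;
	for (size_t i = 0; i < table_size && table[i].procname; i++)
		n++;
	return n;
}

/* Constructed sample tables: the same two entries, with and without the
 * trailing sentinel the series removes. */
static const struct ctl_table old_table[] = {
	{ .procname = "example_a", .maxlen = sizeof(int) },
	{ .procname = "example_b", .maxlen = sizeof(int) },
	{ .procname = NULL },	/* sentinel */
};
static const struct ctl_table new_table[] = {
	{ .procname = "example_a", .maxlen = sizeof(int) },
	{ .procname = "example_b", .maxlen = sizeof(int) },
};

/* Both shapes report two entries; the saving is exactly one struct ctl_table. */
size_t entries_old(void) { return count_entries_bounded(old_table, ARRAY_SIZE(old_table)); }
size_t entries_new(void) { return count_entries_bounded(new_table, ARRAY_SIZE(new_table)); }
size_t bytes_saved(void) { return sizeof(old_table) - sizeof(new_table); }
```

The legacy walk and the bounded walk agree on the sentinel-terminated table, and the bounded walk is the only one of the two that can safely be given the sentinel-less one.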