Bug #10907

hot_patch_kernel_text() has no respect for boundaries

Added by John Levon 6 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date: 2019-05-03
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

History

#1

Updated by John Levon 6 months ago

I was getting a very weird failure, rather sporadically, that I managed to track as far as hot_patch_kernel_text() as used by disable_smap(). Skip to the end of the story and we find this situation:

323         vaddr = vmem_alloc(heap_arena, PAGESIZE, VM_SLEEP);
324
325         (void) as_pagelock(&kas, &ppp, iaddr - off, PAGESIZE, S_WRITE);
326
327         hat_devload(kas.a_hat, vaddr, PAGESIZE,
328             hat_getpfnum(kas.a_hat, iaddr - off),
329             PROT_READ | PROT_WRITE, HAT_LOAD_LOCK | HAT_LOAD_NOCONSIST);
...
335         case 2:
336                 *(uint16_t *)(vaddr + off) = new_instr;
337                 break;

where line 336 is as follows:

hot_patch_kernel_text+0x15b:    movl   %eax,(%rbx,%r15)

[0]> <rax=i
                clac
[0]> <rbx=K
                fffffe257ed7c000
[0]> <r15=K
                ffe

We thus try to write to 0xfffffe257ed7d00 (and, in fact, to one past that). But we don't have that mapped.
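
The boundary condition described in the comment above, as an added user-space model (not code from the illumos tree and not the fix that was committed): a single-page window cannot hold a multi-byte store whose page offset is 0xffe. The names MODEL_PAGESIZE, patch_map_len() and patch_store() are hypothetical, and a 4 KiB page size is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define	MODEL_PAGESIZE		4096u	/* assumption: 4 KiB x86 base page */
#define	MODEL_PAGEOFFSET	(MODEL_PAGESIZE - 1)

/*
 * Bytes that must be mapped, starting at the page that contains iaddr,
 * so that a store of `size` bytes at iaddr stays inside the mapping.
 */
static size_t
patch_map_len(uintptr_t iaddr, size_t size)
{
	size_t off = iaddr & MODEL_PAGEOFFSET;
	size_t end = off + size;	/* one past the last byte written */

	return ((end + MODEL_PAGEOFFSET) & ~(size_t)MODEL_PAGEOFFSET);
}

/*
 * Model of the patch store. `window` stands in for vaddr and `maplen`
 * for the length mapped behind it. Returns -1 instead of faulting when
 * the store would touch bytes past the mapping.
 */
static int
patch_store(uint8_t *window, size_t maplen, uintptr_t iaddr,
    const void *instr, size_t size)
{
	size_t off = iaddr & MODEL_PAGEOFFSET;

	if (size == 0 || size > maplen || off > maplen - size)
		return (-1);
	memcpy(window + off, instr, size);
	return (0);
}

int
main(void)
{
	static uint8_t win[2 * MODEL_PAGESIZE];
	uint32_t instr = 0x90909090;		/* constructed sample bytes */
	uintptr_t iaddr = (uintptr_t)0x1ffe;	/* constructed; offset 0xffe */

	printf("one page:  %d\n",
	    patch_store(win, MODEL_PAGESIZE, iaddr, &instr, sizeof (instr)));
	printf("sized map: %d\n", patch_store(win,
	    patch_map_len(iaddr, sizeof (instr)), iaddr, &instr, sizeof (instr)));
	return (0);
}
```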

#2

Updated by Electric Monk 5 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit d40b79472b226a0f5d07f5f202995894b1fbbb53

commit  d40b79472b226a0f5d07f5f202995894b1fbbb53
Author: John Levon <john.levon@joyent.com>
Date:   2019-05-14T10:08:38.000Z

    10907 hot_patch_kernel_text() has no respect for boundaries
    Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
    Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Andy Stormont <astormont@racktopsystems.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
