Hello!
Still on the same vanilla 4.1 kernel, I get this when loading the patch with kpatch load:
loading core module: /root/src/kpatch/kpatch/../kmod/core/kpatch.ko
loading patch module: kpatch-meminfo-string.ko
BUG: unable to handle kernel paging request at ffffffffa0010cc0
IP: [<ffffffff8125ecb0>] do_init_module+0x84/0x1af
PGD 13d3067 PUD 13d4063 PMD 1e1ee067 PTE 1e1a0161
Oops: 0003 [#1]
Modules linked in: kpatch_meminfo_string(O+) kpatch(O)
CPU: 0 PID: 149 Comm: insmod Tainted: G O K 4.1.0+ #1
task: ffff88001e17b810 ti: ffff88001e1cc000 task.ti: ffff88001e1cc000
RIP: 0010:[<ffffffff8125ecb0>] [<ffffffff8125ecb0>] do_init_module+0x84/0x1af
RSP: 0018:ffff88001e1cfda8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffa0010cc0 RCX: 0000000080a02001
RDX: 0000000000000024 RSI: 0000000000000000 RDI: ffffffff813fabe0
RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000d0000000
R10: ffffffffa000e000 R11: 0000000000000001 R12: ffff88001eb58638
R13: ffffffffa0010d10 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f0ae00aa700(0000) GS:ffffffff813e1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffffa0010cc0 CR3: 000000001e181000 CR4: 00000000000006b0
Stack:
ffff88001e1cfed8 0000000000000001 ffffffffa0010cc0 ffffffff81058aac
ffff88001e207680 00000000810a462f ffffc90000096890 0000000000000e00
ffffffff00000016 ffffffff8126cd40 ffff88001eaa6a08 ffff88001e1cfe48
Call Trace:
[<ffffffff81058aac>] ? load_module+0x18ad/0x18e9
[<ffffffff81056290>] ? copy_module_from_fd+0x86/0xdf
[<ffffffff81058c1e>] ? SyS_finit_module+0x56/0x61
[<ffffffff81261854>] ? system_call_fastpath+0x12/0x6a
Code: f8 00 00 00 74 23 49 c7 c0 80 ca 26 81 48 8d 53 18 89 c1 4c 89 c6 48 c7 c7 6d ef 36 81 31 c0 e8 16 fb ff ff e8 18 06 00 00 31 f6 <c7> 03 00 00 00 00 48 89 da 48 c7 c7 c0 c9 3f 81 e8 7e b3 dd ff
RIP [<ffffffff8125ecb0>] do_init_module+0x84/0x1af
RSP <ffff88001e1cfda8>
CR2: ffffffffa0010cc0
---[ end trace 559a193e6db7735e ]---
I have tried to debug a bit, but I have no clue how to load the module's symbols, since I can't get .text and .data from sysfs. Is there another way to find the address at which the .text section was loaded?
If I casually trace with gdb, the kernel doesn't panic while initializing the module per se, but a bit later:
(gdb) b do_init_module
Note: breakpoints 1 and 2 also set at pc 0xffffffff8125ec2c.
Breakpoint 3 at 0xffffffff8125ec2c: file kernel/module.c, line 3056.
(gdb) continue
Continuing.
Breakpoint 1, do_init_module (mod=0xffffffffa0001cc0) at kernel/module.c:3056
3056 {
(gdb) continue
Continuing.
Breakpoint 1, do_init_module (mod=0xffffffffa0010cc0) at kernel/module.c:3056
3056 {
(gdb) n
3060 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL);
(gdb)
3056 {
(gdb)
3060 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL);
(gdb)
3061 if (!freeinit) {
(gdb)
3060 freeinit = kmalloc(sizeof(*freeinit), GFP_KERNEL);
(gdb)
3061 if (!freeinit) {
(gdb)
3065 freeinit->module_init = mod->module_init;
(gdb)
3071 current->flags &= ~PF_USED_ASYNC;
(gdb)
3075 if (mod->init != NULL)
(gdb)
3076 ret = do_one_initcall(mod->init);
(gdb) print mod->init
$3 = (int (*)(void)) 0xffffffffa0013000
(gdb) print *mod
$4 = {
state = MODULE_STATE_COMING,
list = {
next = 0xffffffffa0001cc8,
prev = 0xffffffff813fc9f0 <modules>
},
name = "kpatch_meminfo_string", '\000' <repeats 34 times>,
mkobj = {
kobj = {
name = 0xffff88001e183a20 "kpatch_meminfo_string",
entry = {
next = 0xffff880000151cb0,
prev = 0xffffffffa0001d18
},
parent = 0xffff880000151cc0,
kset = 0xffff880000151cb0,
ktype = 0xffffffff813f76c0 <module_ktype>,
sd = 0xffff88001e183f80,
kref = {
refcount = {
counter = 3
}
},
state_initialized = 1,
state_in_sysfs = 1,
state_add_uevent_sent = 1,
state_remove_uevent_sent = 0,
uevent_suppress = 0
},
mod = 0xffffffffa0010cc0,
drivers_dir = 0x0,
mp = 0x0,
kobj_completion = 0x0
},
modinfo_attrs = 0xffff88001e1ea668,
version = 0x0,
srcversion = 0x0,
holders_dir = 0xffff88001e9aef98,
syms = 0x0,
crcs = 0x0,
num_syms = 0,
kp = 0x0,
num_kp = 0,
num_gpl_syms = 0,
gpl_syms = 0x0,
gpl_crcs = 0x0,
gpl_future_syms = 0x0,
gpl_future_crcs = 0x0,
num_gpl_future_syms = 0,
num_exentries = 0,
extable = 0x0,
init = 0xffffffffa0013000,
module_init = 0xffffffffa0013000,
module_core = 0xffffffffa0010000,
init_size = 3181,
core_size = 4790,
init_text_size = 687,
core_text_size = 1602,
init_ro_size = 687,
core_ro_size = 3153,
arch = {<No data fields>},
taints = 4096,
symtab = 0xffffffffa00132b0,
core_symtab = 0xffffffffa0010ef0,
num_symtab = 76,
core_num_syms = 23,
strtab = 0xffffffffa00139d0 "",
core_strtab = 0xffffffffa0011118 "",
sect_attrs = 0xffff88001e21e838,
notes_attrs = 0xffff88001e01be78,
args = 0xffff88001e183248 "",
num_tracepoints = 0,
tracepoints_ptrs = 0x0,
num_trace_bprintk_fmt = 0,
trace_bprintk_fmt_start = 0x0,
trace_events = 0x0,
num_trace_events = 0,
trace_enums = 0x0,
num_trace_enums = 0,
num_ftrace_callsites = 1,
ftrace_callsites = 0xffffffffa0010c28,
klp_alive = true,
source_list = {
next = 0xffffffffa0010eb0,
prev = 0xffffffffa0010eb0
},
target_list = {
next = 0xffffffffa0010ec0,
prev = 0xffffffffa0010ec0
},
exit = 0xffffffffa0010215,
refcnt = {
counter = 2
}
}
(gdb) n
3077 if (ret < 0) {
(gdb)
3076 ret = do_one_initcall(mod->init);
(gdb)
3077 if (ret < 0) {
(gdb)
3080 if (ret > 0) {
(gdb)
3090 blocking_notifier_call_chain(&module_notify_list,
(gdb)
3089 mod->state = MODULE_STATE_LIVE;
(gdb) n
Remote connection closed