[Xen-devel] livepatch-build: What does getting no output from "readelf -wi xen-syms" usually mean?

[Xen-devel] livepatch-build: What does getting no output from "readelf -wi xen-syms" usually mean?

[Andy Smith]

Hi,

I've been looking into live patching for the first time.

Starting with a 4.12.1 build:

$ cd ~/dev
$ ls -l
total 8
drwxr-xr-x 3 andy andy 4096 Oct 25 16:11 xen
drwxr-xr-x 6 andy andy 4096 Dec  2 01:16 livepatch-build-tools

(there is already a 4.12.1 hypervisor built in /xen and is what's
running on this host with build_id
b18af774b56b0c98cfa6940a725ba2ba26066929)

$ cp -a xen xen-lptest
$ cd livepatch-build-tools
$ ./livepatch-build -j 1 -s /home/andy/dev/xen-lptest/xen-4.12.1 -c /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config -p ./lptest.patch -o lptest -d --depends b18af774b56b0c98cfa6940a725ba2ba26066929
Building LivePatch patch: lptest

Xen directory: /home/andy/dev/xen-lptest/xen-4.12.1
Patch file: /home/andy/dev/livepatch-build-tools/lptest.patch
.config file: /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config
Output directory: /home/andy/dev/livepatch-build-tools/xsa310
================================================

Perform full initial build with 1 CPU(s)...
Reading special section data
ERROR: can't find special struct size.

So it seems it completed the initial build without error but looking
at the livepatch-build script it runs readelf like this:

$ readelf -wi lptest/xen-syms
$

For me this produces no output. I've probably done something simple
wrong. Does that indicate some simple mistake in my process?

The patch was just a trivial addition of some logging as a test, but
I don't think it got as far as applying that.

$ readelf --version
GNU readelf (GNU Binutils for Debian) 2.31.1
Copyright (C) 2018 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
$ gcc --version
gcc (Debian 8.3.0-6) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Thanks,
Andy

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] livepatch-build: What does getting no output from "readelf -wi xen-syms" usually mean?

[Andrew Cooper]

On 02/12/2019 08:22, Andy Smith wrote:
> Hi,
>
> I've been looking into live patching for the first time.

CC'ing livepatch maintainers.

>
> Starting with a 4.12.1 build:
>
> $ cd ~/dev
> $ ls -l
> total 8
> drwxr-xr-x 3 andy andy 4096 Oct 25 16:11 xen
> drwxr-xr-x 6 andy andy 4096 Dec  2 01:16 livepatch-build-tools
>
> (there is already a 4.12.1 hypervisor built in /xen and is what's
> running on this host with build_id
> b18af774b56b0c98cfa6940a725ba2ba26066929)
>
> $ cp -a xen xen-lptest
> $ cd livepatch-build-tools
> $ ./livepatch-build -j 1 -s /home/andy/dev/xen-lptest/xen-4.12.1 -c /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config -p ./lptest.patch -o lptest -d --depends b18af774b56b0c98cfa6940a725ba2ba26066929
> Building LivePatch patch: lptest
>
> Xen directory: /home/andy/dev/xen-lptest/xen-4.12.1
> Patch file: /home/andy/dev/livepatch-build-tools/lptest.patch
> .config file: /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config
> Output directory: /home/andy/dev/livepatch-build-tools/xsa310

As a note, XSA-310 isn't safe to livepatch.

While (in general) you can build a livepatch, applying it is not safe
because the before/after logic is not symmetric with how references are
taken.

Depending on the exact interaction of applying the livepatch with
pagetable deferral operations (VM start,migrate,shutdown, or large
quantities of pagetable changes, e.g. a fork() system call), you can end
up with too few or many references dropped.  Too few generally results
in an unkillable zombie domain, while too many will hit various BUG()s
in the MM code and take the system down.

> ================================================
>
> Perform full initial build with 1 CPU(s)...
> Reading special section data
> ERROR: can't find special struct size.
>
> So it seems it completed the initial build without error but looking
> at the livepatch-build script it runs readelf like this:
>
> $ readelf -wi lptest/xen-syms
> $
>
> For me this produces no output. I've probably done something simple
> wrong. Does that indicate some simple mistake in my process?

My sample working command like is:

./livepatch-build -s /local/.livepatch-workdir -c
/local/.livepatch-workdir/xen/.config -p /local/xen.git/xen/live.patch
-o out --depends 843580efc22183b44108398b9aec97d99da2c29e --debug

which looks to be equivalent to yours.

What does `file` say?

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] livepatch-build: What does getting no output from "readelf -wi xen-syms" usually mean?

[Ross Lagerwall]

On 12/27/19 5:06 PM, Andrew Cooper wrote:
> On 02/12/2019 08:22, Andy Smith wrote:
>> Hi,
>>
>> I've been looking into live patching for the first time.
> 
> CC'ing livepatch maintainers.
> 
>>
>> Starting with a 4.12.1 build:
>>
>> $ cd ~/dev
>> $ ls -l
>> total 8
>> drwxr-xr-x 3 andy andy 4096 Oct 25 16:11 xen
>> drwxr-xr-x 6 andy andy 4096 Dec  2 01:16 livepatch-build-tools
>>
>> (there is already a 4.12.1 hypervisor built in /xen and is what's
>> running on this host with build_id
>> b18af774b56b0c98cfa6940a725ba2ba26066929)
>>
>> $ cp -a xen xen-lptest
>> $ cd livepatch-build-tools
>> $ ./livepatch-build -j 1 -s /home/andy/dev/xen-lptest/xen-4.12.1 -c /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config -p ./lptest.patch -o lptest -d --depends b18af774b56b0c98cfa6940a725ba2ba26066929
>> Building LivePatch patch: lptest
>>
>> Xen directory: /home/andy/dev/xen-lptest/xen-4.12.1
>> Patch file: /home/andy/dev/livepatch-build-tools/lptest.patch
>> .config file: /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config
>> Output directory: /home/andy/dev/livepatch-build-tools/xsa310
> 
> As a note, XSA-310 isn't safe to livepatch.
> 
> While (in general) you can build a livepatch, applying it is not safe
> because the before/after logic is not symmetric with how references are
> taken.
> 
> Depending on the exact interaction of applying the livepatch with
> pagetable deferral operations (VM start,migrate,shutdown, or large
> quantities of pagetable changes, e.g. a fork() system call), you can end
> up with too few or many references dropped.  Too few generally results
> in an unkillable zombie domain, while too many will hit various BUG()s
> in the MM code and take the system down.
> 
>> ================================================
>>
>> Perform full initial build with 1 CPU(s)...
>> Reading special section data
>> ERROR: can't find special struct size.
>>
>> So it seems it completed the initial build without error but looking
>> at the livepatch-build script it runs readelf like this:
>>
>> $ readelf -wi lptest/xen-syms
>> $
>>
>> For me this produces no output. I've probably done something simple
>> wrong. Does that indicate some simple mistake in my process?
> 

Your process looks correct. You need to use readelf from binutils. Are you
perhaps using some other readelf (e.g. from busybox) which gives unexpected
results? Even if lptest/xen-syms is invalid or empty, readelf should still
give some error output.

-- 
Ross Lagerwall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel