2020-11-23 13:10

kpatch-build: find_local_syms for mpls_gso.c: found_none

patch.txt symbols.orig.txt symbols.patched.txt

I'm testing a patch (see attached) for CVE-2016-7039 against RHEL7.3 GA + kernel-3.10.0-500.el7.x86_64 (rebuilt by RHEL7.3 GA toolset) and was running into the following kpatch-build error:

Skipping cleanup
Fedora/Red Hat distribution detected
Downloading kernel source for 3.10.0-500.el7.x86_64
Unpacking kernel source
Testing patch file
checking file drivers/net/geneve.c
checking file drivers/net/vxlan.c
checking file include/linux/netdevice.h
checking file net/8021q/vlan.c
checking file net/core/dev.c
checking file net/core/skbuff.c
checking file net/ethernet/eth.c
checking file net/ipv4/af_inet.c
checking file net/ipv4/fou.c
checking file net/ipv4/gre_offload.c
checking file net/ipv4/udp_offload.c
checking file net/ipv6/ip6_offload.c
Reading special section data
Building original kernel
Building patched kernel
Extracting new and modified ELF sections
vlan.o: changed function: vlan_gro_receive
eth.o: changed function: eth_gro_receive
skbuff.o: changed function: consume_skb
skbuff.o: changed function: kfree_skb
skbuff.o: changed function: kfree_skb_partial
skbuff.o: changed function: napi_consume_skb
skbuff.o: changed function: __kfree_skb
dev.o: changed function: rollback_registered_many
dev.o: changed function: dev_gro_receive
dev.o: changed function: __netdev_upper_dev_link
dev.o: changed function: __dev_set_promiscuity
dev.o: changed function: __dev_set_allmulti
dev.o: changed function: unregister_netdevice_queue
dev.o: changed function: __dev_change_flags
dev.o: changed function: netdev_upper_dev_unlink
dev.o: changed function: netdev_has_upper_dev
dev.o: changed function: netdev_master_upper_dev_get
dev.o: changed function: netdev_has_any_upper_dev
dev.o: changed function: dev_change_net_namespace
dev.o: changed function: dev_get_nest_level
dev.o: changed function: __netdev_update_features
dev.o: changed function: register_netdevice
/usr/local/libexec/kpatch/create-diff-object: ERROR: mpls_gso.o: find_local_syms: 136: find_local_syms for mpls_gso.c: found_none
udp_offload.o: changed function: udp_gro_receive
af_inet.o: changed function: inet_gro_receive
gre_offload.o: changed function: gre_gro_receive
ip6_offload.o: changed function: ipv6_gro_receive
vxlan.o: changed function: vxlan_gro_receive
geneve.o: changed function: geneve_gro_receive
ERROR: 1 error(s) encountered. Check /root/.kpatch/build.log for more details.




  • weixin_39992760 5 months ago

    While looking at issue #706, I ran into this again. What I figured out, on RHEL7 at least, is that mpls_gso.c's Makefile and the RHEL7 kernel configuration conflict on whether it should be a vmlinux built-in or a module. In this case, the Makefile specifies obj-y, so mpls_gso.o is built and linked into a built-in.o. The kernel configuration however states CONFIG_NET_MPLS_GSO=m. No such kernel module is created and I don't see any mpls* symbols in the generated vmlinux image. I have an email out to the RHEL subsystem maintainer about this, so the RHEL kernel can fix this going forward.

    The kpatch-build error message was very generic, but I don't think there is anything we can really do to improve it for this situation.

  • weixin_39519554 5 months ago

    Sounds like this will need to be fixed in RHEL, so I'm closing the issue.

  • weixin_39637700 5 months ago

    I run into the same problem and it also happens with lloop.o. How is it related to the packaging?

    From what I understand, the Makefile forces the use of built-in, but since the module is declared as module, this doesn't make its way to vmlinux. Maybe we should add a way to exclude such a module? This has been fixed in 3.18.

  • weixin_39992760 5 months ago

    kpatch-build contains a for i in $FILES; do loop in which we already skip usr/initramfs_data.o. Maybe we could add something in there to handle an IGNORE_OBJS environment variable list of user-specified objects. (My fear though is that folks might start ignoring objects instead of reporting real kpatch-build bugs.)

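
The `IGNORE_OBJS` idea from the comment above, sketched as an added example (not kpatch-build's own code and not written by anyone in this thread). `filter_objs`, `BUILTIN_SKIP` and the tree-relative sample paths are hypothetical; every skip and every ignore entry that matches nothing is logged, so an ignored object never disappears silently.

```shell
#!/bin/sh
# Added example: filter a list of changed objects before they are diffed.
# IGNORE_OBJS is the variable proposed in the thread (not an existing
# kpatch-build option): a space-separated list of object paths.

# Always skipped; the thread says kpatch-build already skips this object
# inside its "for i in $FILES" loop.
BUILTIN_SKIP="usr/initramfs_data.o"

# filter_objs OBJ...
# stdout: objects that should still be processed, one per line.
# stderr: one warning per skipped object, plus one per IGNORE_OBJS entry
#         that matched nothing (likely a typo or a stale workaround).
filter_objs() {
    _seen=""
    for _obj in "$@"; do
        _skip=""
        for _pat in $BUILTIN_SKIP ${IGNORE_OBJS:-}; do
            if [ "$_obj" = "$_pat" ]; then
                _skip=$_pat
                break
            fi
        done
        if [ -n "$_skip" ]; then
            echo "WARNING: skipping $_obj (ignore list)" >&2
            _seen="$_seen $_skip"
        else
            printf '%s\n' "$_obj"
        fi
    done
    # Report ignore entries that never matched an object.
    for _pat in ${IGNORE_OBJS:-}; do
        case " $_seen " in
            *" $_pat "*) ;;
            *) echo "WARNING: IGNORE_OBJS entry $_pat matched no object" >&2 ;;
        esac
    done
}

# Constructed sample input: object names from the build log in the question,
# with an assumed tree-relative directory for each.
SAMPLE_OBJS="net/core/dev.o net/mpls/mpls_gso.o usr/initramfs_data.o net/ethernet/eth.o"
```
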
  • weixin_39519554 5 months ago

    As -lawrence mentioned, you can edit the loop in kpatch-build as a workaround, though I think kpatch-gcc is where we normally put such workarounds.

    Another workaround would be to modify the patch such that it doesn't change any header files. That way it doesn't try to recompile the entire tree and get these false positive changes.

  • weixin_39637700 5 months ago

    Good idea. In my case, I am using this patch and as it modifies an inline function declared in flow.h, it is not totally trivial, but I should be able to do that nonetheless.
