From f3378aa7af7051d96339254cb8ce2dce041d4372 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 19 2020 00:14:01 +0000 Subject: import systemtap-4.4-3.el8 --- diff --git a/SOURCES/rhbz1873492.patch b/SOURCES/rhbz1873492.patch new file mode 100644 index 0000000..f843fbf --- /dev/null +++ b/SOURCES/rhbz1873492.patch @@ -0,0 +1,108 @@ +commit ea5f10ba55fce68d1ed614ca33afdb38816f0830 +Author: Frank Ch. Eigler +Date: Mon Nov 16 18:54:11 2020 -0500 + + PR26665: mokutil output parsing tweaks + + We encountered secureboot keys in the wild that didn't live up + to the expectations of the current little state machine. Tweaked + regexps to accept Issuer: O= as well as Issuer: CN= lines. With + more verbosity, produces output on parsing process. + +diff --git a/session.cxx b/session.cxx +index b5a8044..0437ca4 100644 +--- a/session.cxx ++++ b/session.cxx +@@ -2859,6 +2859,9 @@ systemtap_session::get_mok_info() + // PR26665: but only Systemtap MOK keys; there may be others. + getline(out, line); + ++ if (verbose > 3) ++ clog << "MOK parse state: " << state << " line: " << line << endl; ++ + if (state == "SHA1") { // look for a new key fingerprint + if (! regexp_match(line, "^SHA1 Fingerprint: ([0-9a-f:]+)$", matches)) + { +@@ -2871,11 +2874,14 @@ systemtap_session::get_mok_info() + } + // else stay in SHA1 state + } else if (state == "Issuer") { // validate issuer +- if (! regexp_match(line, "^[ \t]*Issuer: O=(.*)$", matches)) { ++ if (! regexp_match(line, "^[ \t]*Issuer: [A-Z]*=(.*)$", matches)) { + if (verbose > 2) + clog << "Issuer found: " << matches[1] << endl; +- if (! regexp_match(matches[1], "Systemtap", matches)) ++ if (! regexp_match(matches[1], "Systemtap", matches)) { ++ if (verbose > 2) ++ clog << "Recognized Systemtap MOK fingerprint: " << fingerprint << endl; + mok_fingerprints.push_back(fingerprint); ++ } + state = "SHA1"; // start looking for another key + } + } else { // some other line in mokutil output ... there are plenty +commit 532eb9a1502026300a7f0b4bd287499101dd5803 +Author: Frank Ch. Eigler +Date: Tue Nov 17 16:34:59 2020 -0500 + + PR26665 detect rhel8 (4.18) era kernel_is_locked_down() as procfs trigger + + A different older kernel API needs to be probed for rhel8 era detection + of lockdown in effect. Added an (undocumented) $SYSTEMTAP_NOSIGN env + var to override automatic --use-server on lockdown, so that one can + inspect runtime/autoconf* operation locally, without stap-server. + +diff --git a/buildrun.cxx b/buildrun.cxx +index 9b4066d..9c8e648 100644 +--- a/buildrun.cxx ++++ b/buildrun.cxx +@@ -517,6 +517,7 @@ compile_pass (systemtap_session& s) + output_autoconf(s, o, cs, "autoconf-atomic_fetch_add_unless.c", + "STAPCONF_ATOMIC_FETCH_ADD_UNLESS", NULL); + output_autoconf(s, o, cs, "autoconf-lockdown-debugfs.c", "STAPCONF_LOCKDOWN_DEBUGFS", NULL); ++ output_autoconf(s, o, cs, "autoconf-lockdown-kernel.c", "STAPCONF_LOCKDOWN_KERNEL", NULL); + + // used by runtime/linux/netfilter.c + output_exportconf(s, o2, "nf_register_hook", "STAPCONF_NF_REGISTER_HOOK"); +diff --git a/runtime/linux/autoconf-lockdown-kernel.c b/runtime/linux/autoconf-lockdown-kernel.c +new file mode 100644 +index 0000000..90c2414 +--- /dev/null ++++ b/runtime/linux/autoconf-lockdown-kernel.c +@@ -0,0 +1,5 @@ ++#include ++ ++int foo(void) { ++ return kernel_is_locked_down("something"); ++} +diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c +index bb4a98b..5795533 100644 +--- a/runtime/transport/transport.c ++++ b/runtime/transport/transport.c +@@ -123,6 +123,12 @@ static int _stp_transport_fs_init(const char *module_name) + dbug_trans(1, "choosing procfs_p=1\n"); + } + #endif ++#ifdef STAPCONF_LOCKDOWN_KERNEL ++ if (!debugfs_p && kernel_is_locked_down ("debugfs")) { ++ procfs_p = 1; ++ dbug_trans(1, "choosing procfs_p=1\n"); ++ } ++#endif + if (!procfs_p) { + debugfs_p = 1; + dbug_trans(1, "choosing debugfs_p=1\n"); +diff --git a/session.cxx b/session.cxx +index 0437ca4..36a4053 100644 +--- a/session.cxx ++++ b/session.cxx +@@ -2804,7 +2804,9 @@ systemtap_session::modules_must_be_signed() + + if (getenv("SYSTEMTAP_SIGN")) + return true; +- ++ if (getenv("SYSTEMTAP_NOSIGN")) ++ return false; ++ + statm >> status; + if (status == 'Y') + return true; diff --git a/SOURCES/rhbz1898288.patch b/SOURCES/rhbz1898288.patch new file mode 100644 index 0000000..c3f1653 --- /dev/null +++ b/SOURCES/rhbz1898288.patch @@ -0,0 +1,63 @@ +commit 34e62f15da5adf06361ac66489936d0ffa1cc430 +Author: Frank Ch. Eigler +Date: Tue Nov 10 22:13:53 2020 -0500 + + RHBZ1892179: handle exhausted stp_task_work structs + + In utrace_report_syscall_entry and _exit, there is a possibility of + dereferencing a NULL pointer, in case __stp_utrace_alloc_task_work + exhausts UTRACE_TASK_WORK_POOL_SIZE live elements. While OOM is + still a possibility, this patch handles it more gracefully. + +diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c +index 47355de..e2880f1 100644 +--- a/runtime/stp_utrace.c ++++ b/runtime/stp_utrace.c +@@ -2337,11 +2337,11 @@ static void utrace_report_syscall_entry(void *cb_data __attribute__ ((unused)), + + /* Defer the report_syscall_entry work so it doesn't happen in atomic context: */ + work = __stp_utrace_alloc_task_work(utrace, NULL); +- __stp_utrace_save_regs(work, regs); + if (work == NULL) { + _stp_error("Unable to allocate space for task_work"); + return; + } ++ __stp_utrace_save_regs(work, regs); + stp_init_task_work(work, &utrace_syscall_entry_work); + rc = stp_task_work_add(task, work); + // stp_task_work_add() returns -ESRCH if the task has already +@@ -2444,11 +2444,11 @@ static void utrace_report_syscall_exit(void *cb_data __attribute__ ((unused)), + + /* Defer the report_syscall_exit work so it doesn't happen in atomic context: */ + work = __stp_utrace_alloc_task_work(utrace, NULL); +- __stp_utrace_save_regs(work, regs); + if (work == NULL) { + _stp_error("Unable to allocate space for task_work"); + return; + } ++ __stp_utrace_save_regs(work, regs); + stp_init_task_work(work, &utrace_syscall_exit_work); + rc = stp_task_work_add(task, work); + // stp_task_work_add() returns -ESRCH if the task has already + +commit 83cb271b390a1b36abd4c3aa69f89c466e99e253 +Author: Frank Ch. Eigler +Date: Fri Nov 13 12:36:07 2020 -0500 + + RHBZ1892179: double default UTRACE_TASK_WORKPOOL + + Some workloads were observed to exhaust the previous limit of 288. + +diff --git a/runtime/stp_utrace.c b/runtime/stp_utrace.c +index 46ba489..6022267 100644 +--- a/runtime/stp_utrace.c ++++ b/runtime/stp_utrace.c +@@ -141,7 +141,7 @@ struct __stp_utrace_task_work { /* NB: about 216 bytes, 18 per page: */ + TODO: UTRACE_TASK_WORK_POOL_SIZE can be specified on the Systemtap + command line. Experiment to find the best default value. */ + #ifndef UTRACE_TASK_WORK_POOL_SIZE +-#define UTRACE_TASK_WORK_POOL_SIZE 288 ++#define UTRACE_TASK_WORK_POOL_SIZE 576 + #endif + static DECLARE_BITMAP(__stp_utrace_task_work_pool_bitmap, UTRACE_TASK_WORK_POOL_SIZE); + static struct __stp_utrace_task_work __stp_utrace_task_work_pool[UTRACE_TASK_WORK_POOL_SIZE]; diff --git a/SPECS/systemtap.spec b/SPECS/systemtap.spec index 9719efa..f010abb 100644 --- a/SPECS/systemtap.spec +++ b/SPECS/systemtap.spec @@ -89,7 +89,7 @@ Name: systemtap Version: 4.4 -Release: 1%{?release_override}%{?dist} +Release: 3%{?release_override}%{?dist} # for version, see also configure.ac @@ -125,6 +125,9 @@ License: GPLv2+ URL: http://sourceware.org/systemtap/ Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz +Patch1: rhbz1873492.patch +Patch2: rhbz1898288.patch + # Build* BuildRequires: gcc-c++ BuildRequires: cpio @@ -510,6 +513,8 @@ systemtap-runtime-virthost machine to execute systemtap scripts. %prep %setup -q +%patch1 -p1 +%patch2 -p1 %build @@ -1229,6 +1234,13 @@ done # PRERELEASE %changelog +* Tue Nov 17 2020 Frank Ch. Eigler - 4.4-3 +- rhbz1873492 related: rhel8 kernel_is_locked_down detection + +* Mon Nov 16 2020 Frank Ch. Eigler - 4.4-2 +- rhbz1898288: stability for exhausted UTRACE_TASK_WORK_POOL +- rhbz1873492 related: mokutil parser robustness for RH keys + * Mon Nov 09 2020 Frank Ch. Eigler - 4.4-1 - Upstream release.