Unsigned oot modules are wrongly tainted and trace events disabled

Bug #1359670 reported by Jack Leigh on 2014-08-21
This bug affects 1 person
Affects | Importance | Assigned to
linux (Ubuntu) | Medium | Andy Whitcroft
Trusty | Medium | Andy Whitcroft
Utopic | Medium | Andy Whitcroft

Bug Description

[Impact]

Developers are unable to use kernel tracing functions on kernel modules they have themselves compiled. This makes Ubuntu a poor platform for module development and debugging.

[Test Case]

Build an OOT or modified version of a module, insert it and notice that tracing becomes disabled. Apply updated kernel and confirm the same does not occur.

[Regression Potential]

This only changes the taint infrastructure to introduce a single new flag. Should be very low risk.

===

The issue is explained in detail at http://lwn.net/Articles/588799/

I am trying to load a backported drm module using dkms.
It is not signed so is listed as tainted and trace points are disabled.
As explained in the above article this is because the TAINT_FORCED_MODULE flag is incorrectly set for unsigned modules.

The final patch to fix this and add a TAINT_UNSIGNED_MODULE that does not disable trace points can be found at http://lwn.net/Articles/588803/ (fixed in 3.15)

Please consider shipping this patch.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-34-generic 3.13.0-34.60
ProcVersionSignature: Ubuntu 3.13.0-34.60-generic 3.13.11.4
Uname: Linux 3.13.0-34-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.3
Architecture: amd64

Andy Whitcroft (apw) wrote :

This was fixed up in:

  commit 66cc69e34e86a231fbe68d8918c6119e3b7549a3
  Author: Mathieu Desnoyers <email address hidden>
  Date: Thu Mar 13 12:11:30 2014 +1030

    Fix: module signature vs tracepoints: add new TAINT_UNSIGNED_MODULE

  In: v3.15-rc1~67^2~6

Changed in linux (Ubuntu Utopic):
status: New → Fix Released
Changed in linux (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Utopic):
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

I have built test kernels with the above patch applied, could you test those and confirm it differentiates the taint type and that tracing is now possible. Kernels are at the URL below:

    http://people.canonical.com/~apw/lp1359670-trusty/

Please report any testing back here.

Andy Whitcroft (apw) on 2014-08-21
description: updated
Jack Leigh (leighman) wrote :

With the above kernel loaded there are no warning messages in dmesg and /proc/sys/kernel/tainted lists the correct taint flags (12288)

Andy Whitcroft (apw) on 2014-08-21
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
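
Added example, not part of the bug thread or the kernel patch: a shell sketch that decodes the taint value reported above (12288) and applies the post-fix tracepoint rule. The bit numbers are the mainline kernel's, the function names are hypothetical, and the `before` mask is a constructed illustration of the pre-fix case the report describes.

```shell
#!/bin/sh
# Taint bit numbers (mainline kernel); only the bits relevant to this bug.
TAINT_FORCED_MODULE=1     # 'F' module was force-loaded
TAINT_CRAP=10             # 'C' staging driver
TAINT_OOT_MODULE=12       # 'O' out-of-tree module
TAINT_UNSIGNED_MODULE=13  # 'E' unsigned module (added by the 3.15 fix)

# decode_taint MASK: print the names of the set bits known to this script.
decode_taint() {
    mask=$1; out=""
    for pair in FORCED_MODULE:1 CRAP:10 OOT_MODULE:12 UNSIGNED_MODULE:13; do
        name=${pair%%:*}; bit=${pair##*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }TAINT_${name}"
        fi
    done
    echo "$out"
}

# tracepoints_allowed MODULE_TAINTS: exit 0 if the module keeps its tracepoints.
# Mirrors the post-fix rule: only OOT, CRAP and UNSIGNED taints are tolerated.
# The kernel applies this to each module's own taint mask; the value in
# /proc/sys/kernel/tainted is the system-wide mask.
tracepoints_allowed() {
    allowed=$(( (1 << TAINT_OOT_MODULE) | (1 << TAINT_CRAP) | (1 << TAINT_UNSIGNED_MODULE) ))
    [ $(( $1 & ~allowed )) -eq 0 ]
}

# Constructed values: an unsigned out-of-tree module before and after the fix.
before=$(( (1 << TAINT_FORCED_MODULE) | (1 << TAINT_OOT_MODULE) ))
after=$(( (1 << TAINT_OOT_MODULE) | (1 << TAINT_UNSIGNED_MODULE) ))
for m in "$before" "$after"; do
    if tracepoints_allowed "$m"; then
        verdict="tracepoints enabled"
    else
        verdict="tracepoints disabled"
    fi
    echo "$m: $(decode_taint "$m") -> $verdict"
done
```

On a live system, pass the contents of /proc/sys/kernel/tainted to `decode_taint` to see which of these flags are set.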
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-36.63

---------------
linux (3.13.0-36.63) trusty; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1365052

  [ Feng Kan ]

  * SAUCE: (no-up) irqchip:gic: change access of gicc_ctrl register to read
    modify write.
    - LP: #1357527
  * SAUCE: (no-up) arm64: optimized copy_to_user and copy_from_user
    assembly code
    - LP: #1358949

  [ Ming Lei ]

  * SAUCE: (no-up) Drop APM X-Gene SoC Ethernet driver
    - LP: #1360140
  * [Config] Drop XGENE entries
    - LP: #1360140
  * [Config] CONFIG_NET_XGENE=m for arm64
    - LP: #1360140

  [ Stefan Bader ]

  * SAUCE: Add compat macro for skb_get_hash
    - LP: #1358162
  * SAUCE: bcache: prevent crash on changing writeback_running
    - LP: #1357295

  [ Suman Tripathi ]

  * SAUCE: (no-up) arm64: Fix the csr-mask for APM X-Gene SoC AHCI SATA PHY
    clock DTS node.
    - LP: #1359489
  * SAUCE: (no-up) ahci_xgene: Skip the PHY and clock initialization if
    already configured by the firmware.
    - LP: #1359501
  * SAUCE: (no-up) ahci_xgene: Fix the link down in first attempt for the
    APM X-Gene SoC AHCI SATA host controller driver.
    - LP: #1359507

  [ Tuan Phan ]

  * SAUCE: (no-up) pci-xgene-msi: fixed deadlock in irq_set_affinity
    - LP: #1359514

  [ Upstream Kernel Changes ]

  * iwlwifi: mvm: Add a missed beacons threshold
    - LP: #1349572
  * mac80211: reset probe_send_count also in HW_CONNECTION_MONITOR case
    - LP: #1349572
  * genirq: Add an accessor for IRQ_PER_CPU flag
    - LP: #1357527
  * arm64: perf: add support for percpu pmu interrupt
    - LP: #1357527
  * cifs: sanity check length of data to send before sending
    - LP: #1283101
  * KVM: nVMX: Pass vmexit parameters to nested_vmx_vmexit
    - LP: #1329434
  * KVM: nVMX: Rework interception of IRQs and NMIs
    - LP: #1329434
  * KVM: vmx: disable APIC virtualization in nested guests
    - LP: #1329434
  * HID: Add transport-driver functions to the USB HID interface.
    - LP: #1353021
  * ahci_xgene: Removing NCQ support from the APM X-Gene SoC AHCI SATA Host
    Controller driver.
    - LP: #1358498
  * fold d_kill() and d_free()
    - LP: #1354234
  * fold try_prune_one_dentry()
    - LP: #1354234
  * new helper: dentry_free()
    - LP: #1354234
  * expand the call of dentry_lru_del() in dentry_kill()
    - LP: #1354234
  * dentry_kill(): don't try to remove from shrink list
    - LP: #1354234
  * don't remove from shrink list in select_collect()
    - LP: #1354234
  * more graceful recovery in umount_collect()
    - LP: #1354234
  * dcache: don't need rcu in shrink_dentry_list()
    - LP: #1354234
  * lift the "already marked killed" case into shrink_dentry_list()
  * split dentry_kill()
    - LP: #1354234
  * expand dentry_kill(dentry, 0) in shrink_dentry_list()
    - LP: #1354234
  * shrink_dentry_list(): take parent's ->d_lock earlier
    - LP: #1354234
  * dealing with the rest of shrink_dentry_list() livelock
    - LP: #1354234
  * dentry_kill() doesn't need the second argument now
    - LP: #1354234
  * dcache: add missing lockdep annotation
    - LP: #1354234
  * fs: convert use of typedef ctl_table to struct ctl_table
 ...


Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) on 2014-10-01
tags: added: verification-done-trusty
removed: verification-needed-trusty