Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1415054pxb; Fri, 21 Jan 2022 18:09:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJwWWdyinO+XgLtYYg9Lw4gZJXq6SpRnZPSvy5wgwqEpIY5zZo9gYObrnVmPK0HTHv9f8rxI X-Received: by 2002:a05:6a00:22d0:b0:4c7:5639:51e9 with SMTP id f16-20020a056a0022d000b004c7563951e9mr3805508pfj.40.1642817360924; Fri, 21 Jan 2022 18:09:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642817360; cv=none; d=google.com; s=arc-20160816; b=dJig1uPAHOFTZyfaMTuF0+jWESPnp0s/U+MlJtP1C/w4DnR2NdWgLzwJptDIRuh6WA QtfaJ7/S5ENXcQgAkCAkN4n28zzwr69I4EgOuH/31YcAIomYiHLCPQ7UoHnOFoz8G+4J O7KQSqa54v0fZDpJ64+YdZ7goCNgnaVWUiRkITQHPxsH2mbiSlGetmZxifDjNkyCEbX2 yQroNFleSYLB/rhdlkOAd2vk3i/fYIvGEgpH6I1/lhqK3EY/iR9/bKUGoomBszYYbOtd AVOknqvAEp7ANy72DX+sySmeYo/W9Sy1Pl9K+dXYWzyPJU2secy4+xv5Kn2gjUG9PJsH 9+YA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:to:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=qJqfOISO6T+iTDW/zdzr5qhydNTWknW2VivfkJ9v0+E=; b=JxUepjUg8UV/KN0w34j9VdDANHs5IauT+P2Fzaa5+qSVmcHGkMOO6/W/W95WkXen2R GRRaSExZ23FOM8L0vx+7bIM7HSnyulm/fn+efZ32XaoRV3UQo0vwCrdbEFkfjtT/JY3C I45Yh853atur2bU+NPp1CJFbvpgbSxdIQdSKTTu7vuLw4ZWPcUerwcFsRbD8toRrNio2 J08VoyVDmYzcdblYhw8zQHTaw6vmklDj314Tevhks/nzc2YIpGLnEl/SxkJwrcYkf/kp IvKKybKqAf7pn909/2gIpmv97fzaEz+pf1BlM8Y9Q27GR4bkpZRbQ1YLvP/5PmUoljGZ NKKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=Tu6isNws; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w6si2431635plg.17.2022.01.21.18.08.50; Fri, 21 Jan 2022 18:09:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=Tu6isNws; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382074AbiAUSSD (ORCPT + 99 others); Fri, 21 Jan 2022 13:18:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1381873AbiAUSSC (ORCPT ); Fri, 21 Jan 2022 13:18:02 -0500 Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1926C06173B for ; Fri, 21 Jan 2022 10:18:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:Content-Type :In-Reply-To:From:References:To:Subject:MIME-Version:Date:Message-ID:Sender: Reply-To:Cc:Content-ID:Content-Description; bh=qJqfOISO6T+iTDW/zdzr5qhydNTWknW2VivfkJ9v0+E=; b=Tu6isNws4GCX25N3emOB/9+wpp 6605E4FcMUiCdqO+kQNnAi+mpKRDXRXbDjOzdCV/K1Pg1YyYLYvxl7VsoO+t0X0wVHR0iElqah5NA JmGQnn4rwnjk1H9CMSrb/wmFGWpLhCyl+y4LOIc1JudT/Rrno6n+1gj1eBqM06G2560nZjHX5mj3w hx24JH/YIzpwsOapyTk45EhYuqxqooo4LwKaVM/pqsIZHKkgAdDMtm8iq3pW1lWrvVCi4RRuR3DB8 5xzelTmkiNdKFh/pOyJXaUqhFcD9TCh06bbXXTP9UafBqd9XF/8KrL1YVGeUCw4Fw06oM1J3UJ9y1 VS4EGP3A==; Received: from [2601:1c0:6280:3f0::aa0b] by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1nAyU2-002cnK-Ri; Fri, 21 Jan 2022 18:17:59 +0000 Message-ID: <2e7a440f-b942-2794-6c15-66baf81801ae@infradead.org> Date: Fri, 21 Jan 2022 10:17:53 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: Issue With Kernel Changes To Core Dump Collection (Kernel Bug...?) Content-Language: en-US To: Bill Messmer , "linux-kernel@vger.kernel.org" , Jann Horn References: From: Randy Dunlap In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [add the patch author, Jann] On 1/20/22 17:31, Bill Messmer wrote: > Hello, > > It has been my understanding for some time that the kernel config option CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS (and the corresponding bit 4 of the coredump filter) was, at one point, added for the purpose of ensuring that the GNU build-id of ELF objects was included in core dumps.  The config description in Kconfig.binfmt even alludes to this in its description. > > I am trying to understand why in the 5.10+ kernels, there was a change in the kernel that, instead of checking whether a given memory mapping had an ELF header in order to determine whether to include the page to checking whether the inode is executable.  The change in question: > > github.com/torvalds/linux/commit/429a22e776a2b9f85a2b9c53d8e647598b553dd1 > Bill, You should send email(s) to the relevant people if you can identify them. LKML is a huge pipe (hose) and people don't normally browse it. :) > In many distributions (e.g.: Ubuntu), the shared objects in /usr/lib and elsewhere are not marked as executable.  One of the net effects here is that the first page of shared objects on these distributions are no longer captured in core dumps. > > A core dump taken on Ubuntu 21.10 (with the 5.13 kernel) will, by default, not include these pages: > >   LOAD           0x0000000000007000 0x00007f375855f000 0x0000000000000000 >                  0x0000000000000000 0x000000000002c000  R      0x1000 > >    0x00007f375855f000  0x00007f375858b000  0x0000000000000000 >         /usr/lib/x86_64-linux-gnu/libc.so.6 > > Doing a quick "sudo chmod +x /usr/lib/x86_64-linux-gnu/libc.so.6" and repeating shows that it is: > >   LOAD           0x0000000000007000 0x00007fefd5282000 0x0000000000000000 >                  0x0000000000001000 0x000000000002c000  R      0x1000 > >     0x00007fefd5282000  0x00007fefd52ae000  0x0000000000000000 >         /usr/lib/x86_64-linux-gnu/libc.so.6 > > Prior to running with 5.10+ kernels, I was always seeing the first page of shared objects (and the contained build-id) within core dumps (assuming the proper kernel config and core dump filter bits).  Not any longer. > > The reason I ask this is that, as more teams here at Microsoft have products running on Linux (or in Linux containers), we have been pushing the crash reports for those up through the same post-mortem crash analysis infrastructure that we do for Windows.  That means that what has traditionally been the Windows debugger (e.g.: WinDbg) has, for some time, been able to open, debug, and analyze various Linux post-mortem crash formats.  Part of doing this on a post-mortem basis requires finding the original images and debug information for the executables and shared objects referenced in those core dumps.  Whether we do that via our own symbol servers or via a debuginfod service -- the post-mortem debugger needs access to the build-ids of those objects. > > Until recently, finding these from a core dump has been stable and working quite well.  Of late, however, we have been seeing a number of crash reports (e.g.: from Debian or Ubuntu containers) where we can no longer find images & symbols based on the core dumps because this kernel change has caused the first page of shared object files to not be captured in core dumps.  I don't know how many post-mortem Linux crash analysis solutions this is affecting...  > > Was the change here really the intent...?  or is this a kernel bug? > > Sincerely, > > Bill Messmer > wmessmer@microsoft.com -- ~Randy