On 02/12/2019 08:22, Andy Smith wrote:
> Hi,
>
> I've been looking into live patching for the first time.

CC'ing livepatch maintainers.

>
> Starting with a 4.12.1 build:
>
> $ cd ~/dev
> $ ls -l
> total 8
> drwxr-xr-x 3 andy andy 4096 Oct 25 16:11 xen
> drwxr-xr-x 6 andy andy 4096 Dec 2 01:16 livepatch-build-tools
>
> (there is already a 4.12.1 hypervisor built in /xen and is what's
> running on this host with build_id
> b18af774b56b0c98cfa6940a725ba2ba26066929)
>
> $ cp -a xen xen-lptest
> $ cd livepatch-build-tools
> $ ./livepatch-build -j 1 -s /home/andy/dev/xen-lptest/xen-4.12.1 -c
> /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config -p ./lptest.patch -o lptest
> -d --depends b18af774b56b0c98cfa6940a725ba2ba26066929
> Building LivePatch patch: lptest
>
> Xen directory: /home/andy/dev/xen-lptest/xen-4.12.1
> Patch file: /home/andy/dev/livepatch-build-tools/lptest.patch
> .config file: /home/andy/dev/xen-lptest/xen-4.12.1/xen/.config
> Output directory: /home/andy/dev/livepatch-build-tools/xsa310

As a note, XSA-310 isn't safe to livepatch.

While (in general) you can build a livepatch, applying it is not safe
because the before/after logic is not symmetric with how references are
taken.

Depending on the exact interaction of applying the livepatch with
pagetable deferral operations (VM start, migrate, shutdown, or large
quantities of pagetable changes, e.g. a fork() system call), you can end
up with too few or many references dropped. Too few generally results in
an unkillable zombie domain, while too many will hit various BUG()s in
the MM code and take the system down.

> ================================================
>
> Perform full initial build with 1 CPU(s)...
> Reading special section data
> ERROR: can't find special struct size.
>
> So it seems it completed the initial build without error but looking
> at the livepatch-build script it runs readelf like this:
>
> $ readelf -wi lptest/xen-syms
> $
>
> For me this produces no output. I've probably done something simple
> wrong. Does that indicate some simple mistake in my process?

My sample working command line is:

./livepatch-build -s /local/.livepatch-workdir -c /local/.livepatch-workdir/xen/.config -p /local/xen.git/xen/live.patch -o out --depends 843580efc22183b44108398b9aec97d99da2c29e --debug

which looks to be equivalent to yours. What does `file` say?

~Andrew
