[PATCH] kallsyms: strip LTO suffixes from static functions

[Nick Desaulniers]

Similar to:
commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
functions")

It's very common for compilers to modify the symbol name for static
functions as part of optimizing transformations. That makes hooking
static functions (that weren't inlined or DCE'd) with kprobes difficult.

Full LTO uses a different mangling scheme than thin LTO; full LTO
imports all code into effectively one big translation unit. It must
rename static functions to prevent collisions. Strip off these suffixes
so that we can continue to hook such static functions.

Reported-by: KE.LI(Lieke) <li...@oppo.com>
Tested-by: KE.LI(Lieke) <li...@oppo.com>
Signed-off-by: Nick Desaulniers <ndesau...@google.com>
---
kernel/kallsyms.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 4067564ec59f..14cf3a6474de 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -188,6 +188,24 @@ static inline bool cleanup_symbol_name(char *s)

return res != NULL;
}
+#elif defined(CONFIG_LTO_CLANG_FULL)
+/*
+ * LLVM mangles static functions for full LTO so that two static functions with
+ * the same identifier do not collide when all code is combined into one
+ * module. The scheme used converts references to foo into
+ * foo.llvm.974640843467629774, for example. This can break hooking of static
+ * functions with kprobes.
+ */
+static inline bool cleanup_symbol_name(char *s)
+{
+ char *res;
+
+ res = strstr(s, ".llvm.");
+ if (res)
+ *res = '\0';
+
+ return res != NULL;
+}
#else
static inline bool cleanup_symbol_name(char *s) { return false; }
#endif
--
2.32.0.288.g62a8d224e6-goog

[Fangrui Song]

On 2021-06-22, 'Nick Desaulniers' via Clang Built Linux wrote:
>Similar to:
>commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
>functions")
>
>It's very common for compilers to modify the symbol name for static
>functions as part of optimizing transformations. That makes hooking
>static functions (that weren't inlined or DCE'd) with kprobes difficult.
>
>Full LTO uses a different mangling scheme than thin LTO; full LTO
>imports all code into effectively one big translation unit. It must
>rename static functions to prevent collisions. Strip off these suffixes
>so that we can continue to hook such static functions.

See below. The message needs a change.

I can comment on the LTO side thing, but a maintainer needs to check
about the kernel side logic.

Reviewed-by: Fangrui Song <mas...@google.com>

>Reported-by: KE.LI(Lieke) <li...@oppo.com>
>Tested-by: KE.LI(Lieke) <li...@oppo.com>
>Signed-off-by: Nick Desaulniers <ndesau...@google.com>
>---
> kernel/kallsyms.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
>diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
>index 4067564ec59f..14cf3a6474de 100644
>--- a/kernel/kallsyms.c
>+++ b/kernel/kallsyms.c
>@@ -188,6 +188,24 @@ static inline bool cleanup_symbol_name(char *s)
>
> return res != NULL;
> }
>+#elif defined(CONFIG_LTO_CLANG_FULL)
>+/*
>+ * LLVM mangles static functions for full LTO so that two static functions with
>+ * the same identifier do not collide when all code is combined into one
>+ * module. The scheme used converts references to foo into
>+ * foo.llvm.974640843467629774, for example. This can break hooking of static
>+ * functions with kprobes.
>+ */

The comment should say ThinLTO instead.

The .llvm.123 suffix is for global scope promotion for local linkage
symbols. The scheme is ThinLTO specific. This ensures that a local
linkage symbol, when imported into multiple translation units, then
compiled into different object files, during linking, the copies can be
deduplicated. This matters for code size and for correctness when the
function address is taken.

Regular LTO (sometimes called full LTO) uses the regular name.\d+
scheme.

>+static inline bool cleanup_symbol_name(char *s)
>+{
>+ char *res;
>+
>+ res = strstr(s, ".llvm.");
>+ if (res)
>+ *res = '\0';
>+
>+ return res != NULL;
>+}
> #else
> static inline bool cleanup_symbol_name(char *s) { return false; }
> #endif
>--
>2.32.0.288.g62a8d224e6-goog

I wonder whether it makes sense to strip all `.something` suffixes.
For example, the recent -funique-internal-linkage-name (which can
improve sample profile accuracy) uses the `.__uniq.1234` scheme.

Function specialization/clones can create arbitrary `.123` suffixes.

>--
>You received this message because you are subscribed to the Google Groups "Clang Built Linux" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-li...@googlegroups.com.
>To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/20210622183858.2962637-1-ndesaulniers%40google.com.

[Nick Desaulniers]

Oh, boy. Indeed. I had identified the mangling coming from
getGlobalNameForLocal(), but looking at the call chain now I see:

FunctionImportGlobalProcessing::processGlobalForThinLTO()
-> FunctionImportGlobalProcessing::getPromotedName()
-> ModuleSummaryIndex::getGlobalNameForLocal()

I'm not sure then how I figured it was specific to full LTO.

Android recently switched from thin LTO to full LTO, which is what I
assumed was the cause of the bug report. Rereading our internal bug
report, it was tested against a prior version that did the symbol
truncation for thinLTO. I then assumed this was full LTO specific for
whatever reason, and modified the patch to only apply to full LTO. I
see via the above call chain that this patch is not correct. Let me
send my original patch as a v2. b/189560201 if you're interested.

I definitely don't see hooking static functions via kprobes as being
scalable. There are numerous different mangling schemes different
compilers apply to different static functions.

--
Thanks,
~Nick Desaulniers

[Nick Desaulniers]

I can even see the .llvm.<number> symbol names via `llvm-nm` on
vmlinux for thinLTO builds. No such symbols exist for full LTO.

--
Thanks,
~Nick Desaulniers

[Nick Desaulniers]

Similar to:
commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
functions")

It's very common for compilers to modify the symbol name for static
functions as part of optimizing transformations. That makes hooking
static functions (that weren't inlined or DCE'd) with kprobes difficult.

LLVM has yet another name mangling scheme used by thin LTO. Strip off

these suffixes so that we can continue to hook such static functions.

Reported-by: KE.LI(Lieke) <li...@oppo.com>

Signed-off-by: Nick Desaulniers <ndesau...@google.com>
---

Changes v1 -> v2:
* Both mangling schemes can occur for thinLTO + CFI, this new scheme can
also occur for thinLTO without CFI. Split cleanup_symbol_name() into
two function calls.
* Drop KE.LI's tested by tag.
* Do not carry Fangrui's Reviewed by tag.
* Drop the inline keyword; it is meaningless.

kernel/kallsyms.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 4067564ec59f..fbce4a1ec700 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -171,14 +171,30 @@ static unsigned long kallsyms_sym_address(int idx)
return kallsyms_relative_base - 1 - kallsyms_offsets[idx];
}

-#if defined(CONFIG_CFI_CLANG) && defined(CONFIG_LTO_CLANG_THIN)
+#ifdef CONFIG_LTO_CLANG_THIN
+/*
+ * LLVM appends a suffix for local variables that must be promoted to global
+ * scope as part of thin LTO. foo() becomes foo.llvm.974640843467629774. This
+ * can break hooking of static functions with kprobes.
+ */
+static bool cleanup_symbol_name_thinlto(char *s)

+{
+ char *res;
+
+ res = strstr(s, ".llvm.");
+ if (res)
+ *res = '\0';
+
+ return res != NULL;
+}

+#ifdef CONFIG_CFI_CLANG
/*
* LLVM appends a hash to static function names when ThinLTO and CFI are
* both enabled, i.e. foo() becomes foo$707af9a22804d33c81801f27dcfe489b.
* This causes confusion and potentially breaks user space tools, so we
* strip the suffix from expanded symbol names.
*/
-static inline bool cleanup_symbol_name(char *s)
+static bool cleanup_symbol_name_thinlto_cfi(char *s)
{
char *res;

@@ -189,8 +205,17 @@ static inline bool cleanup_symbol_name(char *s)
return res != NULL;
}
#else
-static inline bool cleanup_symbol_name(char *s) { return false; }
-#endif
+static bool cleanup_symbol_name_thinlto_cfi(char *s) { return false; }
+#endif /* CONFIG_CFI_CLANG */
+#else
+static bool cleanup_symbol_name_thinlto(char *s) { return false; }
+#endif /* CONFIG_LTO_CLANG_THIN */
+
+static bool cleanup_symbol_name(char *s)
+{
+ return cleanup_symbol_name_thinlto(s) &&
+ cleanup_symbol_name_thinlto_cfi(s);
+}

/* Lookup the address for this symbol. Returns 0 if not found. */
unsigned long kallsyms_lookup_name(const char *name)
--
2.32.0.93.g670b81a890-goog

[Nathan Chancellor]

Won't this be a build error when CONFIG_LTO_CLANG_THIN=n and
CONFIG_CFI_CLANG=n because cleanup_symbol_name_thinlto_cfi() will not be
defined? Should the cleanup_symbol_name_thinlto_cfi() stub be in the
last else block?

Cheers,
Nathan

[Nick Desaulniers]

Similar to:
commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
functions")

It's very common for compilers to modify the symbol name for static
functions as part of optimizing transformations. That makes hooking
static functions (that weren't inlined or DCE'd) with kprobes difficult.

LLVM has yet another name mangling scheme used by thin LTO. Strip off
these suffixes so that we can continue to hook such static functions.

Reported-by: KE.LI(Lieke) <li...@oppo.com>
Signed-off-by: Nick Desaulniers <ndesau...@google.com>
---

Changes v2 -> V3:
* Un-nest preprocessor checks, as per Nathan.

Changes v1 -> v2:
* Both mangling schemes can occur for thinLTO + CFI, this new scheme can
also occur for thinLTO without CFI. Split cleanup_symbol_name() into
two function calls.
* Drop KE.LI's tested by tag.
* Do not carry Fangrui's Reviewed by tag.
* Drop the inline keyword; it is meaningless.

kernel/kallsyms.c | 32 +++++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 4067564ec59f..143c69e7e75d 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -171,6 +171,26 @@ static unsigned long kallsyms_sym_address(int idx)

return kallsyms_relative_base - 1 - kallsyms_offsets[idx];
}

+#ifdef CONFIG_LTO_CLANG_THIN
+/*
+ * LLVM appends a suffix for local variables that must be promoted to global
+ * scope as part of thin LTO. foo() becomes foo.llvm.974640843467629774. This
+ * can break hooking of static functions with kprobes.
+ */
+static bool cleanup_symbol_name_thinlto(char *s)
+{
+ char *res;
+
+ res = strstr(s, ".llvm.");
+ if (res)
+ *res = '\0';
+
+ return res != NULL;
+}

+#else
+static bool cleanup_symbol_name_thinlto(char *s) { return false; }
+#endif /* CONFIG_LTO_CLANG_THIN */
+

#if defined(CONFIG_CFI_CLANG) && defined(CONFIG_LTO_CLANG_THIN)

/*
* LLVM appends a hash to static function names when ThinLTO and CFI are

@@ -178,7 +198,7 @@ static unsigned long kallsyms_sym_address(int idx)

* This causes confusion and potentially breaks user space tools, so we
* strip the suffix from expanded symbol names.
*/
-static inline bool cleanup_symbol_name(char *s)
+static bool cleanup_symbol_name_thinlto_cfi(char *s)
{
char *res;

@@ -189,8 +209,14 @@ static inline bool cleanup_symbol_name(char *s)

return res != NULL;
}
#else
-static inline bool cleanup_symbol_name(char *s) { return false; }
-#endif
+static bool cleanup_symbol_name_thinlto_cfi(char *s) { return false; }

+#endif /* CONFIG_CFI_CLANG && CONFIG_LTO_CLANG_THIN */

+
+static bool cleanup_symbol_name(char *s)
+{
+ return cleanup_symbol_name_thinlto(s) &&
+ cleanup_symbol_name_thinlto_cfi(s);

+}

/* Lookup the address for this symbol. Returns 0 if not found. */
unsigned long kallsyms_lookup_name(const char *name)

--
2.32.0.93.g670b81a890-goog

[Nathan Chancellor]

Is there any reason that we cannot eliminate the stubs and combine the
functions, or am I missing something? Completely untested diff.

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index c851ca0ed357..014b59ad68a3 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -161,26 +161,36 @@ static unsigned long kallsyms_sym_address(int idx)

return kallsyms_relative_base - 1 - kallsyms_offsets[idx];
}

-#if defined(CONFIG_CFI_CLANG) && defined(CONFIG_LTO_CLANG_THIN)
-/*
- * LLVM appends a hash to static function names when ThinLTO and CFI are
- * both enabled, i.e. foo() becomes foo$707af9a22804d33c81801f27dcfe489b.
- * This causes confusion and potentially breaks user space tools, so we
- * strip the suffix from expanded symbol names.
- */

-static inline bool cleanup_symbol_name(char *s)

+static inline bool cleanup_symbol_name_thinlto(char *s)
{
char *res;

- res = strrchr(s, '$');
+ if (!IS_ENABLED(CONFIG_LTO_CLANG_THIN))
+ return false;
+
+ /*

+ * LLVM appends a suffix for local variables that must be promoted to global

+ * scope as part of ThinLTO. foo() becomes foo.llvm.974640843467629774. This

+ * can break hooking of static functions with kprobes.
+ */

+ res = strstr(s, ".llvm.");

if (res)
*res = '\0';

+ /*
+ * LLVM appends a hash to static function names when ThinLTO and CFI are
+ * both enabled, i.e. foo() becomes foo$707af9a22804d33c81801f27dcfe489b.
+ * This causes confusion and potentially breaks user space tools, so we
+ * strip the suffix from expanded symbol names.
+ */
+ if (IS_ENABLED(CONFIG_CFI_CLANG)) {
+ res = strrchr(s, '$');

+ if (res)
+ *res = '\0';
+ }
+
return res != NULL;
}

-#else

-static inline bool cleanup_symbol_name(char *s) { return false; }
-#endif

/* Lookup the address for this symbol. Returns 0 if not found. */
unsigned long kallsyms_lookup_name(const char *name)

@@ -195,7 +205,7 @@ unsigned long kallsyms_lookup_name(const char *name)
if (strcmp(namebuf, name) == 0)
return kallsyms_sym_address(i);

- if (cleanup_symbol_name(namebuf) && strcmp(namebuf, name) == 0)
+ if (cleanup_symbol_name_thinlto(namebuf) && strcmp(namebuf, name) == 0)
return kallsyms_sym_address(i);
}
return module_kallsyms_lookup_name(name);

[Nick Desaulniers]

Drop inline while touching this line.

> {
> char *res;
>
> - res = strrchr(s, '$');
> + if (!IS_ENABLED(CONFIG_LTO_CLANG_THIN))
> + return false;
> +
> + /*
> + * LLVM appends a suffix for local variables that must be promoted to global
> + * scope as part of ThinLTO. foo() becomes foo.llvm.974640843467629774. This
> + * can break hooking of static functions with kprobes.
> + */
> + res = strstr(s, ".llvm.");
> if (res)
> *res = '\0';

Sure, this is nicer though within the true block we should `return
true;` early rather than additionally check the $ mangling, I suppose.

--
Thanks,
~Nick Desaulniers

[Nathan Chancellor]

Sure.

>> {
>> char *res;
>>
>> - res = strrchr(s, '$');
>> + if (!IS_ENABLED(CONFIG_LTO_CLANG_THIN))
>> + return false;
>> +
>> + /*
>> + * LLVM appends a suffix for local variables that must be promoted to global
>> + * scope as part of ThinLTO. foo() becomes foo.llvm.974640843467629774. This
>> + * can break hooking of static functions with kprobes.
>> + */
>> + res = strstr(s, ".llvm.");
>> if (res)
>> *res = '\0';
>
> Sure, this is nicer though within the true block we should `return
> true;` early rather than additionally check the $ mangling, I suppose.

I am not sure I follow? Are you talking about moving this into an else
block in the if statement below this?

This should probably be two separate patches, with the first one
eliminating the stub, dropping the inline, and renaming the function
then the second patch do what this one does but I do not have a strong
opinion.

I do not mind if you take ownership of this diff, with or without
attribution.

[Nick Desaulniers]

Similar to:
commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
functions")

It's very common for compilers to modify the symbol name for static
functions as part of optimizing transformations. That makes hooking
static functions (that weren't inlined or DCE'd) with kprobes difficult.

LLVM has yet another name mangling scheme used by thin LTO. Strip off
these suffixes so that we can continue to hook such static functions.

Reported-by: KE.LI(Lieke) <li...@oppo.com>

Suggested-by: Nathan Chancellor <nat...@kernel.org>

Signed-off-by: Nick Desaulniers <ndesau...@google.com>
---

Changes v3 -> v4:
* Convert this function to use IS_ENABLED rather than provide multiple
definitions based on preprocessor checks.
* Add Nathan's suggested-by.

Changes v2 -> v3:

* Un-nest preprocessor checks, as per Nathan.

Changes v1 -> v2:
* Both mangling schemes can occur for thinLTO + CFI, this new scheme can
also occur for thinLTO without CFI. Split cleanup_symbol_name() into
two function calls.
* Drop KE.LI's tested by tag.
* Do not carry Fangrui's Reviewed by tag.
* Drop the inline keyword; it is meaningless.

kernel/kallsyms.c | 43 ++++++++++++++++++++++++++++++-------------
1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 4067564ec59f..a10dab216f4f 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -171,26 +171,43 @@ static unsigned long kallsyms_sym_address(int idx)

return kallsyms_relative_base - 1 - kallsyms_offsets[idx];
}

-#if defined(CONFIG_CFI_CLANG) && defined(CONFIG_LTO_CLANG_THIN)
-/*
- * LLVM appends a hash to static function names when ThinLTO and CFI are
- * both enabled, i.e. foo() becomes foo$707af9a22804d33c81801f27dcfe489b.
- * This causes confusion and potentially breaks user space tools, so we
- * strip the suffix from expanded symbol names.
- */
-static inline bool cleanup_symbol_name(char *s)

+static bool cleanup_symbol_name(char *s)
{
char *res;

+ /*
+ * LLVM appends a suffix for local variables that must be promoted to

+ * global scope as part of ThinLTO. foo() becomes
+ * foo.llvm.974640843467629774. This can break hooking of static
+ * functions with kprobes.
+ */

+ if (!IS_ENABLED(CONFIG_LTO_CLANG_THIN))
+ return false;
+

+ res = strstr(s, ".llvm.");
+ if (res) {
+ *res = '\0';

+ return true;
+ }
+
+ /*
+ * LLVM appends a hash to static function names when ThinLTO and CFI
+ * are both enabled, i.e. foo() becomes
+ * foo$707af9a22804d33c81801f27dcfe489b. This causes confusion and
+ * potentially breaks user space tools, so we strip the suffix from
+ * expanded symbol names.
+ */
+ if (!IS_ENABLED(CONFIG_CFI_CLANG))
+ return false;

+
res = strrchr(s, '$');

- if (res)
+ if (res) {
*res = '\0';
+ return true;
+ }

- return res != NULL;
+ return false;

}
-#else
-static inline bool cleanup_symbol_name(char *s) { return false; }
-#endif

/* Lookup the address for this symbol. Returns 0 if not found. */
unsigned long kallsyms_lookup_name(const char *name)

--
2.32.0.93.g670b81a890-goog

[Nathan Chancellor]

On 7/7/2021 11:18 AM, Nick Desaulniers wrote:
> Similar to:
> commit 8b8e6b5d3b01 ("kallsyms: strip ThinLTO hashes from static
> functions")
>
> It's very common for compilers to modify the symbol name for static
> functions as part of optimizing transformations. That makes hooking
> static functions (that weren't inlined or DCE'd) with kprobes difficult.
>
> LLVM has yet another name mangling scheme used by thin LTO. Strip off
> these suffixes so that we can continue to hook such static functions.
>
> Reported-by: KE.LI(Lieke) <li...@oppo.com>
> Suggested-by: Nathan Chancellor <nat...@kernel.org>
> Signed-off-by: Nick Desaulniers <ndesau...@google.com>

Code looks fine, small comment about a comment below.

Reviewed-by: Nathan Chancellor <nat...@kernel.org>

This says local variables but the example uses a function? Is that correct?

[Fāng-ruì Sòng]

local functions/variables.

Both functions and variables can have a .llvm.[0-9]+ suffix.


Aside from this, the updated description looks good to me

Reviewed-by: Fangrui Song <mas...@google.com>

[Sami Tolvanen]

Note that starting with https://reviews.llvm.org/D97484, the hash
separator is '.' instead of '$'. It looks like this change will be in
Clang 13.

Sami