diff options
| author | Josh Poimboeuf <jpoimboe@redhat.com> | 2017-03-06 12:20:29 -0500 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2017-03-08 03:38:43 -0500 |
| commit | 3ec24776bfd09668079df7dca0c0136d80820ab4 (patch) | |
| tree | b9b1a65ff9a91a0f724d033f60645d2a78df47a3 /Documentation/livepatch | |
| parent | 7c23b330011690705613a66a8239d2ca64a41d4d (diff) | |
livepatch: allow removal of a disabled patch
Currently we do not allow patch module to unload since there is no
method to determine if a task is still running in the patched code.
The consistency model gives us the way because when the unpatching
finishes we know that all tasks were marked as safe to call an original
function. Thus every new call to the function calls the original code
and at the same time no task can be somewhere in the patched code,
because it had to leave that code to be marked as safe.
We can safely let the patch module go after that.
Completion is used for synchronization between module removal and sysfs
infrastructure in a similar way to commit 942e443127e9 ("module: Fix
mod->mkobj.kobj potentially freed too early").
Note that we still do not allow the removal for immediate model, that is
no consistency model. The module refcount may increase in this case if
somebody disables and enables the patch several times. This should not
cause any harm.
With this change a call to try_module_get() is moved to
__klp_enable_patch from klp_register_patch to make module reference
counting symmetric (module_put() is in a patch disable path) and to
allow to take a new reference to a disabled module when being enabled.
Finally, we need to be very careful about possible races between
klp_unregister_patch(), kobject_put() functions and operations
on the related sysfs files.
kobject_put(&patch->kobj) must be called without klp_mutex. Otherwise,
it might be blocked by enabled_store() that needs the mutex as well.
In addition, enabled_store() must check if the patch was not
unregisted in the meantime.
There is no need to do the same for other kobject_put() callsites
at the moment. Their sysfs operations neither take the lock nor
they access any data that might be freed in the meantime.
There was an attempt to use kobjects the right way and prevent these
races by design. But it made the patch definition more complicated
and opened another can of worms. See
https://lkml.kernel.org/r/1464018848-4303-1-git-send-email-pmladek@suse.com
[Thanks to Petr Mladek for improving the commit message.]
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Acked-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'Documentation/livepatch')
| -rw-r--r-- | Documentation/livepatch/livepatch.txt | 28 |
1 files changed, 9 insertions, 19 deletions
diff --git a/Documentation/livepatch/livepatch.txt b/Documentation/livepatch/livepatch.txt index 4f2aec8d4c12..ecdb18104ab0 100644 --- a/Documentation/livepatch/livepatch.txt +++ b/Documentation/livepatch/livepatch.txt | |||
| @@ -316,8 +316,15 @@ section "Livepatch life-cycle" below for more details about these | |||
| 316 | two operations. | 316 | two operations. |
| 317 | 317 | ||
| 318 | Module removal is only safe when there are no users of the underlying | 318 | Module removal is only safe when there are no users of the underlying |
| 319 | functions. The immediate consistency model is not able to detect this; | 319 | functions. The immediate consistency model is not able to detect this. The |
| 320 | therefore livepatch modules cannot be removed. See "Limitations" below. | 320 | code just redirects the functions at the very beginning and it does not |
| 321 | check if the functions are in use. In other words, it knows when the | ||
| 322 | functions get called but it does not know when the functions return. | ||
| 323 | Therefore it cannot be decided when the livepatch module can be safely | ||
| 324 | removed. This is solved by a hybrid consistency model. When the system is | ||
| 325 | transitioned to a new patch state (patched/unpatched) it is guaranteed that | ||
| 326 | no task sleeps or runs in the old code. | ||
| 327 | |||
| 321 | 328 | ||
| 322 | 5. Livepatch life-cycle | 329 | 5. Livepatch life-cycle |
| 323 | ======================= | 330 | ======================= |
| @@ -469,23 +476,6 @@ The current Livepatch implementation has several limitations: | |||
| 469 | by "notrace". | 476 | by "notrace". |
| 470 | 477 | ||
| 471 | 478 | ||
| 472 | + Livepatch modules can not be removed. | ||
| 473 | |||
| 474 | The current implementation just redirects the functions at the very | ||
| 475 | beginning. It does not check if the functions are in use. In other | ||
| 476 | words, it knows when the functions get called but it does not | ||
| 477 | know when the functions return. Therefore it can not decide when | ||
| 478 | the livepatch module can be safely removed. | ||
| 479 | |||
| 480 | This will get most likely solved once a more complex consistency model | ||
| 481 | is supported. The idea is that a safe state for patching should also | ||
| 482 | mean a safe state for removing the patch. | ||
| 483 | |||
| 484 | Note that the patch itself might get disabled by writing zero | ||
| 485 | to /sys/kernel/livepatch/<patch>/enabled. It causes that the new | ||
| 486 | code will not longer get called. But it does not guarantee | ||
| 487 | that anyone is not sleeping anywhere in the new code. | ||
| 488 | |||
| 489 | 479 | ||
| 490 | + Livepatch works reliably only when the dynamic ftrace is located at | 480 | + Livepatch works reliably only when the dynamic ftrace is located at |
| 491 | the very beginning of the function. | 481 | the very beginning of the function. |