diff options
| author | Petr Mladek <pmladek@suse.com> | 2019-01-09 07:43:23 -0500 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2019-01-11 14:51:24 -0500 |
| commit | 958ef1e39d24d6cb8bf2a7406130a98c9564230f (patch) | |
| tree | 07694df3fe9ac15dbfc1130ed5151f85f0d6a87c /Documentation/livepatch | |
| parent | 68007289bf3cd937a5b8fc4987d2787167bd06ca (diff) | |
livepatch: Simplify API by removing registration step
The possibility to re-enable a registered patch was useful for immediate
patches where the livepatch module had to stay until the system reboot.
The improved consistency model allows to achieve the same result by
unloading and loading the livepatch module again.
Also we are going to add a feature called atomic replace. It will allow
to create a patch that would replace all already registered patches.
The aim is to handle dependent patches more securely. It will obsolete
the stack of patches that helped to handle the dependencies so far.
Then it might be unclear when a cumulative patch re-enabling is safe.
It would be complicated to support the many modes. Instead we could
actually make the API and code easier to understand.
Therefore, remove the two step public API. All the checks and init calls
are moved from klp_register_patch() to klp_enabled_patch(). Also the patch
is automatically freed, including the sysfs interface when the transition
to the disabled state is completed.
As a result, there is never a disabled patch on the top of the stack.
Therefore we do not need to check the stack in __klp_enable_patch().
And we could simplify the check in __klp_disable_patch().
Also the API and logic is much easier. It is enough to call
klp_enable_patch() in module_init() call. The patch can be disabled
by writing '0' into /sys/kernel/livepatch/<patch>/enabled. Then the module
can be removed once the transition finishes and sysfs interface is freed.
The only problem is how to free the structures and kobjects safely.
The operation is triggered from the sysfs interface. We could not put
the related kobject from there because it would cause lock inversion
between klp_mutex and kernfs locks, see kn->count lockdep map.
Therefore, offload the free task to a workqueue. It is perfectly fine:
+ The patch can no longer be used in the livepatch operations.
+ The module could not be removed until the free operation finishes
and module_put() is called.
+ The operation is asynchronous already when the first
klp_try_complete_transition() fails and another call
is queued with a delay.
Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Acked-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'Documentation/livepatch')
| -rw-r--r-- | Documentation/livepatch/livepatch.txt | 135 |
1 files changed, 53 insertions, 82 deletions
diff --git a/Documentation/livepatch/livepatch.txt b/Documentation/livepatch/livepatch.txt index 2d7ed09dbd59..8f56490a4bb6 100644 --- a/Documentation/livepatch/livepatch.txt +++ b/Documentation/livepatch/livepatch.txt | |||
| @@ -12,12 +12,11 @@ Table of Contents: | |||
| 12 | 4. Livepatch module | 12 | 4. Livepatch module |
| 13 | 4.1. New functions | 13 | 4.1. New functions |
| 14 | 4.2. Metadata | 14 | 4.2. Metadata |
| 15 | 4.3. Livepatch module handling | ||
| 16 | 5. Livepatch life-cycle | 15 | 5. Livepatch life-cycle |
| 17 | 5.1. Registration | 16 | 5.1. Loading |
| 18 | 5.2. Enabling | 17 | 5.2. Enabling |
| 19 | 5.3. Disabling | 18 | 5.3. Disabling |
| 20 | 5.4. Unregistration | 19 | 5.4. Removing |
| 21 | 6. Sysfs | 20 | 6. Sysfs |
| 22 | 7. Limitations | 21 | 7. Limitations |
| 23 | 22 | ||
| @@ -298,117 +297,89 @@ into three levels: | |||
| 298 | see the "Consistency model" section. | 297 | see the "Consistency model" section. |
| 299 | 298 | ||
| 300 | 299 | ||
| 301 | 4.3. Livepatch module handling | ||
| 302 | ------------------------------ | ||
| 303 | |||
| 304 | The usual behavior is that the new functions will get used when | ||
| 305 | the livepatch module is loaded. For this, the module init() function | ||
| 306 | has to register the patch (struct klp_patch) and enable it. See the | ||
| 307 | section "Livepatch life-cycle" below for more details about these | ||
| 308 | two operations. | ||
| 309 | |||
| 310 | Module removal is only safe when there are no users of the underlying | ||
| 311 | functions. This is the reason why the force feature permanently disables | ||
| 312 | the removal. The forced tasks entered the functions but we cannot say | ||
| 313 | that they returned back. Therefore it cannot be decided when the | ||
| 314 | livepatch module can be safely removed. When the system is successfully | ||
| 315 | transitioned to a new patch state (patched/unpatched) without being | ||
| 316 | forced it is guaranteed that no task sleeps or runs in the old code. | ||
| 317 | |||
| 318 | |||
| 319 | 5. Livepatch life-cycle | 300 | 5. Livepatch life-cycle |
| 320 | ======================= | 301 | ======================= |
| 321 | 302 | ||
| 322 | Livepatching defines four basic operations that define the life cycle of each | 303 | Livepatching can be described by four basic operations: |
| 323 | live patch: registration, enabling, disabling and unregistration. There are | 304 | loading, enabling, disabling, removing. |
| 324 | several reasons why it is done this way. | ||
| 325 | |||
| 326 | First, the patch is applied only when all patched symbols for already | ||
| 327 | loaded objects are found. The error handling is much easier if this | ||
| 328 | check is done before particular functions get redirected. | ||
| 329 | 305 | ||
| 330 | Second, it might take some time until the entire system is migrated with | ||
| 331 | the hybrid consistency model being used. The patch revert might block | ||
| 332 | the livepatch module removal for too long. Therefore it is useful to | ||
| 333 | revert the patch using a separate operation that might be called | ||
| 334 | explicitly. But it does not make sense to remove all information until | ||
| 335 | the livepatch module is really removed. | ||
| 336 | 306 | ||
| 307 | 5.1. Loading | ||
| 308 | ------------ | ||
| 337 | 309 | ||
| 338 | 5.1. Registration | 310 | The only reasonable way is to enable the patch when the livepatch kernel |
| 339 | ----------------- | 311 | module is being loaded. For this, klp_enable_patch() has to be called |
| 312 | in the module_init() callback. There are two main reasons: | ||
| 340 | 313 | ||
| 341 | Each patch first has to be registered using klp_register_patch(). This makes | 314 | First, only the module has an easy access to the related struct klp_patch. |
| 342 | the patch known to the livepatch framework. Also it does some preliminary | ||
| 343 | computing and checks. | ||
| 344 | 315 | ||
| 345 | In particular, the patch is added into the list of known patches. The | 316 | Second, the error code might be used to refuse loading the module when |
| 346 | addresses of the patched functions are found according to their names. | 317 | the patch cannot get enabled. |
| 347 | The special relocations, mentioned in the section "New functions", are | ||
| 348 | applied. The relevant entries are created under | ||
| 349 | /sys/kernel/livepatch/<name>. The patch is rejected when any operation | ||
| 350 | fails. | ||
| 351 | 318 | ||
| 352 | 319 | ||
| 353 | 5.2. Enabling | 320 | 5.2. Enabling |
| 354 | ------------- | 321 | ------------- |
| 355 | 322 | ||
| 356 | Registered patches might be enabled either by calling klp_enable_patch() or | 323 | The livepatch gets enabled by calling klp_enable_patch() from |
| 357 | by writing '1' to /sys/kernel/livepatch/<name>/enabled. The system will | 324 | the module_init() callback. The system will start using the new |
| 358 | start using the new implementation of the patched functions at this stage. | 325 | implementation of the patched functions at this stage. |
| 359 | 326 | ||
| 360 | When a patch is enabled, livepatch enters into a transition state where | 327 | First, the addresses of the patched functions are found according to their |
| 361 | tasks are converging to the patched state. This is indicated by a value | 328 | names. The special relocations, mentioned in the section "New functions", |
| 362 | of '1' in /sys/kernel/livepatch/<name>/transition. Once all tasks have | 329 | are applied. The relevant entries are created under |
| 363 | been patched, the 'transition' value changes to '0'. For more | 330 | /sys/kernel/livepatch/<name>. The patch is rejected when any above |
| 364 | information about this process, see the "Consistency model" section. | 331 | operation fails. |
| 365 | 332 | ||
| 366 | If an original function is patched for the first time, a function | 333 | Second, livepatch enters into a transition state where tasks are converging |
| 367 | specific struct klp_ops is created and an universal ftrace handler is | 334 | to the patched state. If an original function is patched for the first |
| 368 | registered. | 335 | time, a function specific struct klp_ops is created and an universal |
| 336 | ftrace handler is registered[*]. This stage is indicated by a value of '1' | ||
| 337 | in /sys/kernel/livepatch/<name>/transition. For more information about | ||
| 338 | this process, see the "Consistency model" section. | ||
| 369 | 339 | ||
| 370 | Functions might be patched multiple times. The ftrace handler is registered | 340 | Finally, once all tasks have been patched, the 'transition' value changes |
| 371 | only once for the given function. Further patches just add an entry to the | 341 | to '0'. |
| 372 | list (see field `func_stack`) of the struct klp_ops. The last added | ||
| 373 | entry is chosen by the ftrace handler and becomes the active function | ||
| 374 | replacement. | ||
| 375 | 342 | ||
| 376 | Note that the patches might be enabled in a different order than they were | 343 | [*] Note that functions might be patched multiple times. The ftrace handler |
| 377 | registered. | 344 | is registered only once for a given function. Further patches just add |
| 345 | an entry to the list (see field `func_stack`) of the struct klp_ops. | ||
| 346 | The right implementation is selected by the ftrace handler, see | ||
| 347 | the "Consistency model" section. | ||
| 378 | 348 | ||
| 379 | 349 | ||
| 380 | 5.3. Disabling | 350 | 5.3. Disabling |
| 381 | -------------- | 351 | -------------- |
| 382 | 352 | ||
| 383 | Enabled patches might get disabled either by calling klp_disable_patch() or | 353 | Enabled patches might get disabled by writing '0' to |
| 384 | by writing '0' to /sys/kernel/livepatch/<name>/enabled. At this stage | 354 | /sys/kernel/livepatch/<name>/enabled. |
| 385 | either the code from the previously enabled patch or even the original | ||
| 386 | code gets used. | ||
| 387 | 355 | ||
| 388 | When a patch is disabled, livepatch enters into a transition state where | 356 | First, livepatch enters into a transition state where tasks are converging |
| 389 | tasks are converging to the unpatched state. This is indicated by a | 357 | to the unpatched state. The system starts using either the code from |
| 390 | value of '1' in /sys/kernel/livepatch/<name>/transition. Once all tasks | 358 | the previously enabled patch or even the original one. This stage is |
| 391 | have been unpatched, the 'transition' value changes to '0'. For more | 359 | indicated by a value of '1' in /sys/kernel/livepatch/<name>/transition. |
| 392 | information about this process, see the "Consistency model" section. | 360 | For more information about this process, see the "Consistency model" |
| 361 | section. | ||
| 393 | 362 | ||
| 394 | Here all the functions (struct klp_func) associated with the to-be-disabled | 363 | Second, once all tasks have been unpatched, the 'transition' value changes |
| 364 | to '0'. All the functions (struct klp_func) associated with the to-be-disabled | ||
| 395 | patch are removed from the corresponding struct klp_ops. The ftrace handler | 365 | patch are removed from the corresponding struct klp_ops. The ftrace handler |
| 396 | is unregistered and the struct klp_ops is freed when the func_stack list | 366 | is unregistered and the struct klp_ops is freed when the func_stack list |
| 397 | becomes empty. | 367 | becomes empty. |
| 398 | 368 | ||
| 399 | Patches must be disabled in exactly the reverse order in which they were | 369 | Third, the sysfs interface is destroyed. |
| 400 | enabled. It makes the problem and the implementation much easier. | ||
| 401 | 370 | ||
| 371 | Note that patches must be disabled in exactly the reverse order in which | ||
| 372 | they were enabled. It makes the problem and the implementation much easier. | ||
| 402 | 373 | ||
| 403 | 5.4. Unregistration | ||
| 404 | ------------------- | ||
| 405 | 374 | ||
| 406 | Disabled patches might be unregistered by calling klp_unregister_patch(). | 375 | 5.4. Removing |
| 407 | This can be done only when the patch is disabled and the code is no longer | 376 | ------------- |
| 408 | used. It must be called before the livepatch module gets unloaded. | ||
| 409 | 377 | ||
| 410 | At this stage, all the relevant sys-fs entries are removed and the patch | 378 | Module removal is only safe when there are no users of functions provided |
| 411 | is removed from the list of known patches. | 379 | by the module. This is the reason why the force feature permanently |
| 380 | disables the removal. Only when the system is successfully transitioned | ||
| 381 | to a new patch state (patched/unpatched) without being forced it is | ||
| 382 | guaranteed that no task sleeps or runs in the old code. | ||
| 412 | 383 | ||
| 413 | 384 | ||
| 414 | 6. Sysfs | 385 | 6. Sysfs |