diff options
| author | Jason Baron <jbaron@akamai.com> | 2019-01-09 07:43:25 -0500 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2019-01-11 14:51:24 -0500 |
| commit | e1452b607c48c642caf57299f4da83aa002f8533 (patch) | |
| tree | 487267602c0c6cfaeb247950df4cbb24f435ae6a /kernel/livepatch/core.c | |
| parent | 20e55025958e18e671d92c7adea00c301ac93c43 (diff) | |
livepatch: Add atomic replace
Sometimes we would like to revert a particular fix. Currently, this
is not easy because we want to keep all other fixes active and we
could revert only the last applied patch.
One solution would be to apply new patch that implemented all
the reverted functions like in the original code. It would work
as expected but there will be unnecessary redirections. In addition,
it would also require knowing which functions need to be reverted at
build time.
Another problem is when there are many patches that touch the same
functions. There might be dependencies between patches that are
not enforced on the kernel side. Also it might be pretty hard to
actually prepare the patch and ensure compatibility with the other
patches.
Atomic replace && cumulative patches:
A better solution would be to create cumulative patch and say that
it replaces all older ones.
This patch adds a new "replace" flag to struct klp_patch. When it is
enabled, a set of 'nop' klp_func will be dynamically created for all
functions that are already being patched but that will no longer be
modified by the new patch. They are used as a new target during
the patch transition.
The idea is to handle Nops' structures like the static ones. When
the dynamic structures are allocated, we initialize all values that
are normally statically defined.
The only exception is "new_func" in struct klp_func. It has to point
to the original function and the address is known only when the object
(module) is loaded. Note that we really need to set it. The address is
used, for example, in klp_check_stack_func().
Nevertheless we still need to distinguish the dynamically allocated
structures in some operations. For this, we add "nop" flag into
struct klp_func and "dynamic" flag into struct klp_object. They
need special handling in the following situations:
+ The structures are added into the lists of objects and functions
immediately. In fact, the lists were created for this purpose.
+ The address of the original function is known only when the patched
object (module) is loaded. Therefore it is copied later in
klp_init_object_loaded().
+ The ftrace handler must not set PC to func->new_func. It would cause
infinite loop because the address points back to the beginning of
the original function.
+ The various free() functions must free the structure itself.
Note that other ways to detect the dynamic structures are not considered
safe. For example, even the statically defined struct klp_object might
include empty funcs array. It might be there just to run some callbacks.
Also note that the safe iterator must be used in the free() functions.
Otherwise already freed structures might get accessed.
Special callbacks handling:
The callbacks from the replaced patches are _not_ called by intention.
It would be pretty hard to define a reasonable semantic and implement it.
It might even be counter-productive. The new patch is cumulative. It is
supposed to include most of the changes from older patches. In most cases,
it will not want to call pre_unpatch() post_unpatch() callbacks from
the replaced patches. It would disable/break things for no good reasons.
Also it should be easier to handle various scenarios in a single script
in the new patch than think about interactions caused by running many
scripts from older patches. Not to say that the old scripts even would
not expect to be called in this situation.
Removing replaced patches:
One nice effect of the cumulative patches is that the code from the
older patches is no longer used. Therefore the replaced patches can
be removed. It has several advantages:
+ Nops' structs will no longer be necessary and might be removed.
This would save memory, restore performance (no ftrace handler),
allow clear view on what is really patched.
+ Disabling the patch will cause using the original code everywhere.
Therefore the livepatch callbacks could handle only one scenario.
Note that the complication is already complex enough when the patch
gets enabled. It is currently solved by calling callbacks only from
the new cumulative patch.
+ The state is clean in both the sysfs interface and lsmod. The modules
with the replaced livepatches might even get removed from the system.
Some people actually expected this behavior from the beginning. After all
a cumulative patch is supposed to "completely" replace an existing one.
It is like when a new version of an application replaces an older one.
This patch does the first step. It removes the replaced patches from
the list of patches. It is safe. The consistency model ensures that
they are no longer used. By other words, each process works only with
the structures from klp_transition_patch.
The removal is done by a special function. It combines actions done by
__disable_patch() and klp_complete_transition(). But it is a fast
track without all the transaction-related stuff.
Signed-off-by: Jason Baron <jbaron@akamai.com>
[pmladek@suse.com: Split, reuse existing code, simplified]
Signed-off-by: Petr Mladek <pmladek@suse.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Jessica Yu <jeyu@kernel.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Miroslav Benes <mbenes@suse.cz>
Acked-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'kernel/livepatch/core.c')
| -rw-r--r-- | kernel/livepatch/core.c | 232 |
1 files changed, 224 insertions, 8 deletions
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c index 37d0d3645fa6..ecb7660f1d8b 100644 --- a/kernel/livepatch/core.c +++ b/kernel/livepatch/core.c | |||
| @@ -92,6 +92,40 @@ static bool klp_initialized(void) | |||
| 92 | return !!klp_root_kobj; | 92 | return !!klp_root_kobj; |
| 93 | } | 93 | } |
| 94 | 94 | ||
| 95 | static struct klp_func *klp_find_func(struct klp_object *obj, | ||
| 96 | struct klp_func *old_func) | ||
| 97 | { | ||
| 98 | struct klp_func *func; | ||
| 99 | |||
| 100 | klp_for_each_func(obj, func) { | ||
| 101 | if ((strcmp(old_func->old_name, func->old_name) == 0) && | ||
| 102 | (old_func->old_sympos == func->old_sympos)) { | ||
| 103 | return func; | ||
| 104 | } | ||
| 105 | } | ||
| 106 | |||
| 107 | return NULL; | ||
| 108 | } | ||
| 109 | |||
| 110 | static struct klp_object *klp_find_object(struct klp_patch *patch, | ||
| 111 | struct klp_object *old_obj) | ||
| 112 | { | ||
| 113 | struct klp_object *obj; | ||
| 114 | |||
| 115 | klp_for_each_object(patch, obj) { | ||
| 116 | if (klp_is_module(old_obj)) { | ||
| 117 | if (klp_is_module(obj) && | ||
| 118 | strcmp(old_obj->name, obj->name) == 0) { | ||
| 119 | return obj; | ||
| 120 | } | ||
| 121 | } else if (!klp_is_module(obj)) { | ||
| 122 | return obj; | ||
| 123 | } | ||
| 124 | } | ||
| 125 | |||
| 126 | return NULL; | ||
| 127 | } | ||
| 128 | |||
| 95 | struct klp_find_arg { | 129 | struct klp_find_arg { |
| 96 | const char *objname; | 130 | const char *objname; |
| 97 | const char *name; | 131 | const char *name; |
| @@ -418,6 +452,121 @@ static struct attribute *klp_patch_attrs[] = { | |||
| 418 | NULL | 452 | NULL |
| 419 | }; | 453 | }; |
| 420 | 454 | ||
| 455 | static void klp_free_object_dynamic(struct klp_object *obj) | ||
| 456 | { | ||
| 457 | kfree(obj->name); | ||
| 458 | kfree(obj); | ||
| 459 | } | ||
| 460 | |||
| 461 | static struct klp_object *klp_alloc_object_dynamic(const char *name) | ||
| 462 | { | ||
| 463 | struct klp_object *obj; | ||
| 464 | |||
| 465 | obj = kzalloc(sizeof(*obj), GFP_KERNEL); | ||
| 466 | if (!obj) | ||
| 467 | return NULL; | ||
| 468 | |||
| 469 | if (name) { | ||
| 470 | obj->name = kstrdup(name, GFP_KERNEL); | ||
| 471 | if (!obj->name) { | ||
| 472 | kfree(obj); | ||
| 473 | return NULL; | ||
| 474 | } | ||
| 475 | } | ||
| 476 | |||
| 477 | INIT_LIST_HEAD(&obj->func_list); | ||
| 478 | obj->dynamic = true; | ||
| 479 | |||
| 480 | return obj; | ||
| 481 | } | ||
| 482 | |||
| 483 | static void klp_free_func_nop(struct klp_func *func) | ||
| 484 | { | ||
| 485 | kfree(func->old_name); | ||
| 486 | kfree(func); | ||
| 487 | } | ||
| 488 | |||
| 489 | static struct klp_func *klp_alloc_func_nop(struct klp_func *old_func, | ||
| 490 | struct klp_object *obj) | ||
| 491 | { | ||
| 492 | struct klp_func *func; | ||
| 493 | |||
| 494 | func = kzalloc(sizeof(*func), GFP_KERNEL); | ||
| 495 | if (!func) | ||
| 496 | return NULL; | ||
| 497 | |||
| 498 | if (old_func->old_name) { | ||
| 499 | func->old_name = kstrdup(old_func->old_name, GFP_KERNEL); | ||
| 500 | if (!func->old_name) { | ||
| 501 | kfree(func); | ||
| 502 | return NULL; | ||
| 503 | } | ||
| 504 | } | ||
| 505 | |||
| 506 | /* | ||
| 507 | * func->new_func is same as func->old_func. These addresses are | ||
| 508 | * set when the object is loaded, see klp_init_object_loaded(). | ||
| 509 | */ | ||
| 510 | func->old_sympos = old_func->old_sympos; | ||
| 511 | func->nop = true; | ||
| 512 | |||
| 513 | return func; | ||
| 514 | } | ||
| 515 | |||
| 516 | static int klp_add_object_nops(struct klp_patch *patch, | ||
| 517 | struct klp_object *old_obj) | ||
| 518 | { | ||
| 519 | struct klp_object *obj; | ||
| 520 | struct klp_func *func, *old_func; | ||
| 521 | |||
| 522 | obj = klp_find_object(patch, old_obj); | ||
| 523 | |||
| 524 | if (!obj) { | ||
| 525 | obj = klp_alloc_object_dynamic(old_obj->name); | ||
| 526 | if (!obj) | ||
| 527 | return -ENOMEM; | ||
| 528 | |||
| 529 | list_add_tail(&obj->node, &patch->obj_list); | ||
| 530 | } | ||
| 531 | |||
| 532 | klp_for_each_func(old_obj, old_func) { | ||
| 533 | func = klp_find_func(obj, old_func); | ||
| 534 | if (func) | ||
| 535 | continue; | ||
| 536 | |||
| 537 | func = klp_alloc_func_nop(old_func, obj); | ||
| 538 | if (!func) | ||
| 539 | return -ENOMEM; | ||
| 540 | |||
| 541 | list_add_tail(&func->node, &obj->func_list); | ||
| 542 | } | ||
| 543 | |||
| 544 | return 0; | ||
| 545 | } | ||
| 546 | |||
| 547 | /* | ||
| 548 | * Add 'nop' functions which simply return to the caller to run | ||
| 549 | * the original function. The 'nop' functions are added to a | ||
| 550 | * patch to facilitate a 'replace' mode. | ||
| 551 | */ | ||
| 552 | static int klp_add_nops(struct klp_patch *patch) | ||
| 553 | { | ||
| 554 | struct klp_patch *old_patch; | ||
| 555 | struct klp_object *old_obj; | ||
| 556 | |||
| 557 | list_for_each_entry(old_patch, &klp_patches, list) { | ||
| 558 | klp_for_each_object(old_patch, old_obj) { | ||
| 559 | int err; | ||
| 560 | |||
| 561 | err = klp_add_object_nops(patch, old_obj); | ||
| 562 | if (err) | ||
| 563 | return err; | ||
| 564 | } | ||
| 565 | } | ||
| 566 | |||
| 567 | return 0; | ||
| 568 | } | ||
| 569 | |||
| 421 | static void klp_kobj_release_patch(struct kobject *kobj) | 570 | static void klp_kobj_release_patch(struct kobject *kobj) |
| 422 | { | 571 | { |
| 423 | struct klp_patch *patch; | 572 | struct klp_patch *patch; |
| @@ -434,6 +583,12 @@ static struct kobj_type klp_ktype_patch = { | |||
| 434 | 583 | ||
| 435 | static void klp_kobj_release_object(struct kobject *kobj) | 584 | static void klp_kobj_release_object(struct kobject *kobj) |
| 436 | { | 585 | { |
| 586 | struct klp_object *obj; | ||
| 587 | |||
| 588 | obj = container_of(kobj, struct klp_object, kobj); | ||
| 589 | |||
| 590 | if (obj->dynamic) | ||
| 591 | klp_free_object_dynamic(obj); | ||
| 437 | } | 592 | } |
| 438 | 593 | ||
| 439 | static struct kobj_type klp_ktype_object = { | 594 | static struct kobj_type klp_ktype_object = { |
| @@ -443,6 +598,12 @@ static struct kobj_type klp_ktype_object = { | |||
| 443 | 598 | ||
| 444 | static void klp_kobj_release_func(struct kobject *kobj) | 599 | static void klp_kobj_release_func(struct kobject *kobj) |
| 445 | { | 600 | { |
| 601 | struct klp_func *func; | ||
| 602 | |||
| 603 | func = container_of(kobj, struct klp_func, kobj); | ||
| 604 | |||
| 605 | if (func->nop) | ||
| 606 | klp_free_func_nop(func); | ||
| 446 | } | 607 | } |
| 447 | 608 | ||
| 448 | static struct kobj_type klp_ktype_func = { | 609 | static struct kobj_type klp_ktype_func = { |
| @@ -452,12 +613,15 @@ static struct kobj_type klp_ktype_func = { | |||
| 452 | 613 | ||
| 453 | static void klp_free_funcs(struct klp_object *obj) | 614 | static void klp_free_funcs(struct klp_object *obj) |
| 454 | { | 615 | { |
| 455 | struct klp_func *func; | 616 | struct klp_func *func, *tmp_func; |
| 456 | 617 | ||
| 457 | klp_for_each_func(obj, func) { | 618 | klp_for_each_func_safe(obj, func, tmp_func) { |
| 458 | /* Might be called from klp_init_patch() error path. */ | 619 | /* Might be called from klp_init_patch() error path. */ |
| 459 | if (func->kobj_added) | 620 | if (func->kobj_added) { |
| 460 | kobject_put(&func->kobj); | 621 | kobject_put(&func->kobj); |
| 622 | } else if (func->nop) { | ||
| 623 | klp_free_func_nop(func); | ||
| 624 | } | ||
| 461 | } | 625 | } |
| 462 | } | 626 | } |
| 463 | 627 | ||
| @@ -468,20 +632,27 @@ static void klp_free_object_loaded(struct klp_object *obj) | |||
| 468 | 632 | ||
| 469 | obj->mod = NULL; | 633 | obj->mod = NULL; |
| 470 | 634 | ||
| 471 | klp_for_each_func(obj, func) | 635 | klp_for_each_func(obj, func) { |
| 472 | func->old_func = NULL; | 636 | func->old_func = NULL; |
| 637 | |||
| 638 | if (func->nop) | ||
| 639 | func->new_func = NULL; | ||
| 640 | } | ||
| 473 | } | 641 | } |
| 474 | 642 | ||
| 475 | static void klp_free_objects(struct klp_patch *patch) | 643 | static void klp_free_objects(struct klp_patch *patch) |
| 476 | { | 644 | { |
| 477 | struct klp_object *obj; | 645 | struct klp_object *obj, *tmp_obj; |
| 478 | 646 | ||
| 479 | klp_for_each_object(patch, obj) { | 647 | klp_for_each_object_safe(patch, obj, tmp_obj) { |
| 480 | klp_free_funcs(obj); | 648 | klp_free_funcs(obj); |
| 481 | 649 | ||
| 482 | /* Might be called from klp_init_patch() error path. */ | 650 | /* Might be called from klp_init_patch() error path. */ |
| 483 | if (obj->kobj_added) | 651 | if (obj->kobj_added) { |
| 484 | kobject_put(&obj->kobj); | 652 | kobject_put(&obj->kobj); |
| 653 | } else if (obj->dynamic) { | ||
| 654 | klp_free_object_dynamic(obj); | ||
| 655 | } | ||
| 485 | } | 656 | } |
| 486 | } | 657 | } |
| 487 | 658 | ||
| @@ -543,7 +714,14 @@ static int klp_init_func(struct klp_object *obj, struct klp_func *func) | |||
| 543 | { | 714 | { |
| 544 | int ret; | 715 | int ret; |
| 545 | 716 | ||
| 546 | if (!func->old_name || !func->new_func) | 717 | if (!func->old_name) |
| 718 | return -EINVAL; | ||
| 719 | |||
| 720 | /* | ||
| 721 | * NOPs get the address later. The patched module must be loaded, | ||
| 722 | * see klp_init_object_loaded(). | ||
| 723 | */ | ||
| 724 | if (!func->new_func && !func->nop) | ||
| 547 | return -EINVAL; | 725 | return -EINVAL; |
| 548 | 726 | ||
| 549 | if (strlen(func->old_name) >= KSYM_NAME_LEN) | 727 | if (strlen(func->old_name) >= KSYM_NAME_LEN) |
| @@ -605,6 +783,9 @@ static int klp_init_object_loaded(struct klp_patch *patch, | |||
| 605 | return -ENOENT; | 783 | return -ENOENT; |
| 606 | } | 784 | } |
| 607 | 785 | ||
| 786 | if (func->nop) | ||
| 787 | func->new_func = func->old_func; | ||
| 788 | |||
| 608 | ret = kallsyms_lookup_size_offset((unsigned long)func->new_func, | 789 | ret = kallsyms_lookup_size_offset((unsigned long)func->new_func, |
| 609 | &func->new_size, NULL); | 790 | &func->new_size, NULL); |
| 610 | if (!ret) { | 791 | if (!ret) { |
| @@ -697,6 +878,12 @@ static int klp_init_patch(struct klp_patch *patch) | |||
| 697 | return ret; | 878 | return ret; |
| 698 | patch->kobj_added = true; | 879 | patch->kobj_added = true; |
| 699 | 880 | ||
| 881 | if (patch->replace) { | ||
| 882 | ret = klp_add_nops(patch); | ||
| 883 | if (ret) | ||
| 884 | return ret; | ||
| 885 | } | ||
| 886 | |||
| 700 | klp_for_each_object(patch, obj) { | 887 | klp_for_each_object(patch, obj) { |
| 701 | ret = klp_init_object(patch, obj); | 888 | ret = klp_init_object(patch, obj); |
| 702 | if (ret) | 889 | if (ret) |
| @@ -869,6 +1056,35 @@ err: | |||
| 869 | EXPORT_SYMBOL_GPL(klp_enable_patch); | 1056 | EXPORT_SYMBOL_GPL(klp_enable_patch); |
| 870 | 1057 | ||
| 871 | /* | 1058 | /* |
| 1059 | * This function removes replaced patches. | ||
| 1060 | * | ||
| 1061 | * We could be pretty aggressive here. It is called in the situation where | ||
| 1062 | * these structures are no longer accessible. All functions are redirected | ||
| 1063 | * by the klp_transition_patch. They use either a new code or they are in | ||
| 1064 | * the original code because of the special nop function patches. | ||
| 1065 | * | ||
| 1066 | * The only exception is when the transition was forced. In this case, | ||
| 1067 | * klp_ftrace_handler() might still see the replaced patch on the stack. | ||
| 1068 | * Fortunately, it is carefully designed to work with removed functions | ||
| 1069 | * thanks to RCU. We only have to keep the patches on the system. Also | ||
| 1070 | * this is handled transparently by patch->module_put. | ||
| 1071 | */ | ||
| 1072 | void klp_discard_replaced_patches(struct klp_patch *new_patch) | ||
| 1073 | { | ||
| 1074 | struct klp_patch *old_patch, *tmp_patch; | ||
| 1075 | |||
| 1076 | list_for_each_entry_safe(old_patch, tmp_patch, &klp_patches, list) { | ||
| 1077 | if (old_patch == new_patch) | ||
| 1078 | return; | ||
| 1079 | |||
| 1080 | old_patch->enabled = false; | ||
| 1081 | klp_unpatch_objects(old_patch); | ||
| 1082 | klp_free_patch_start(old_patch); | ||
| 1083 | schedule_work(&old_patch->free_work); | ||
| 1084 | } | ||
| 1085 | } | ||
| 1086 | |||
| 1087 | /* | ||
| 872 | * Remove parts of patches that touch a given kernel module. The list of | 1088 | * Remove parts of patches that touch a given kernel module. The list of |
| 873 | * patches processed might be limited. When limit is NULL, all patches | 1089 | * patches processed might be limited. When limit is NULL, all patches |
| 874 | * will be handled. | 1090 | * will be handled. |