Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3585268imm; Wed, 5 Sep 2018 02:36:00 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZih0Ex4PxjSB9C+djAbrvw/ch+GBld3zMLDVzPLRD+/XHYyp0V6uTztT8NkHMsAbw00x0S X-Received: by 2002:a17:902:788a:: with SMTP id q10-v6mr1296215pll.104.1536140159959; Wed, 05 Sep 2018 02:35:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536140159; cv=none; d=google.com; s=arc-20160816; b=flXwSBLlr0qqFa8xJmf8sOoTU3RZUHbcASpDtwBhxS1lbpJtNsYyN8gqpuobE4/QID 6Y86lWaeeQ1jMQeVKpyKZ7OxQ3Iz4j2fxlUOZpktKBGtADhKhquy2zqxf0bK54Rvs9Px rvq9TolScbf8sOoiC6D16tNs33I/kNtEgjkd2uj7SkvzUNlOWZ/r0toD1NOh6BZ0ZqsE /Jr6aF3dhlJFaIL31LOmyhm/fRXUqB33fmWmft8H+l8W4BracRZMAcFnszYHiV2qsePC khdcIsCgjBidrs3NF7EZUEVTaiCBTjagwCwgjY6TXfx847AjeZ1n0C2h3R2lyM3RirU8 bFag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=wxLKxISPJHo4h/sV6r7WzOxZPjH8Id3InigpekpP9mA=; b=m9bwkUTwRpFGj9kss1zHhgoY8JikwL5J9WoYUeab67cNQD2+tQrX3FVYrM0oExImaM CQz8ioOu74C7Ak4+eKOYWwwK5J1z3CJ9kzRUEVPjyvpR0clNFdOndUxmtYqly7uttwhR 7ZSaMMRihiZ/m2dAlWfmiROdDHX6W2kybo7P1boXoQYdost0wLewYTPMB50oHNbCjKjn l3mMWdAqb5QotZ2iaM+NVa7cDKIkwgnBabXBq/9GVTdDP6uXWjiKt8rmn8S0/V9s3P2q uEWk2f7PD+b9hTWgYbvuO36jy32uzYiR1EJ9XnS74hhwF8a9JRwLpiE8Gguv/YfpswD+ vt0A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n19-v6si1472402pfi.360.2018.09.05.02.35.44; Wed, 05 Sep 2018 02:35:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728186AbeIEODb (ORCPT + 99 others); Wed, 5 Sep 2018 10:03:31 -0400 Received: from mx2.suse.de ([195.135.220.15]:39778 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725862AbeIEODb (ORCPT ); Wed, 5 Sep 2018 10:03:31 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 24991AE98; Wed, 5 Sep 2018 09:34:07 +0000 (UTC) Date: Wed, 5 Sep 2018 11:34:06 +0200 (CEST) From: Miroslav Benes To: Petr Mladek cc: Jiri Kosina , Josh Poimboeuf , Jason Baron , Joe Lawrence , Jessica Yu , Evgenii Shatokhin , live-patching@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v12 06/12] livepatch: Simplify API by removing registration step In-Reply-To: <20180828143603.4442-7-pmladek@suse.com> Message-ID: References: <20180828143603.4442-1-pmladek@suse.com> <20180828143603.4442-7-pmladek@suse.com> User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 28 Aug 2018, Petr Mladek wrote: > The possibility to re-enable a registered patch was useful for immediate > patches where the livepatch module had to stay until the system reboot. > The improved consistency model allows to achieve the same result by > unloading and loading the livepatch module again. > > Also we are going to add a feature called atomic replace. It will allow > to create a patch that would replace all already registered patches. The > aim is to handle dependent patches a more secure way. It will obsolete "in a more secure way", or "more securely" is maybe even better. > the stack of patches that helped to handle the dependencies so far. > Then it might be unclear when a cumulative patch re-enabling is safe. > > It would be complicated to support the many modes. Instead we could > actually make the API and code easier. s/easier/simpler/ ? or "easier to understand" ? > This patch removes the two step public API. All the checks and init calls > are moved from klp_register_patch() to klp_enabled_patch(). Also the patch > is automatically freed, including the sysfs interface when the transition > to the disabled state is completed. > > As a result, there is newer a disabled patch on the top of the stack. s/newer/never/ > Therefore we do not need to check the stack in __klp_enable_patch(). > And we could simplify the check in __klp_disable_patch(). > > Also the API and logic is much easier. It is enough to call > klp_enable_patch() in module_init() call. The patch patch can be disabled > by writing '0' into /sys/kernel/livepatch//enabled. Then the module > can be removed once the transition finishes and sysfs interface is freed. I think it would be good to discuss our sysfs interface here as well. Writing '1' to enabled attribute now makes sense only when you need to reverse an unpatching transition. Writing '0' means "disable" or a reversion again. Wouldn't be better to split it to two different attributes? Something like "disable" and "reverse"? It could be more intuitive. Maybe we'd also find out that even patch->enabled member is not useful anymore in such case. > diff --git a/Documentation/livepatch/livepatch.txt b/Documentation/livepatch/livepatch.txt > index 2d7ed09dbd59..7fb01d27d81d 100644 > --- a/Documentation/livepatch/livepatch.txt > +++ b/Documentation/livepatch/livepatch.txt > @@ -14,10 +14,8 @@ Table of Contents: [...] > -5.2. Enabling > +5.1. Enabling > ------------- > > -Registered patches might be enabled either by calling klp_enable_patch() or > -by writing '1' to /sys/kernel/livepatch//enabled. The system will > -start using the new implementation of the patched functions at this stage. > +Livepatch modules have to call klp_enable_patch() in module_init() callback. > +This function is rather complex and might even fail in the early phase. > > -When a patch is enabled, livepatch enters into a transition state where > -tasks are converging to the patched state. This is indicated by a value > -of '1' in /sys/kernel/livepatch//transition. Once all tasks have > -been patched, the 'transition' value changes to '0'. For more > -information about this process, see the "Consistency model" section. > +First, the addresses of the patched functions are found according to their > +names. The special relocations, mentioned in the section "New functions", > +are applied. The relevant entries are created under > +/sys/kernel/livepatch/. The patch is rejected when any above > +operation fails. > > -If an original function is patched for the first time, a function > -specific struct klp_ops is created and an universal ftrace handler is > -registered. > +Third, livepatch enters into a transition state where tasks are converging s/Third/Second/ ? [...] > @@ -655,116 +660,38 @@ static int klp_init_patch(struct klp_patch *patch) > struct klp_object *obj; > int ret; > > - if (!patch->objs) > - return -EINVAL; > - > - mutex_lock(&klp_mutex); > - > patch->enabled = false; > - patch->forced = false; > + patch->module_put = false; > INIT_LIST_HEAD(&patch->list); > init_completion(&patch->finish); > > + if (!patch->objs) > + return -EINVAL; > + > + /* > + * A reference is taken on the patch module to prevent it from being > + * unloaded. > + */ > + if (!try_module_get(patch->mod)) > + return -ENODEV; > + patch->module_put = true; > + > ret = kobject_init_and_add(&patch->kobj, &klp_ktype_patch, > klp_root_kobj, "%s", patch->mod->name); > if (ret) { > - mutex_unlock(&klp_mutex); > return ret; > } { } are not necessary after the change. [...] > static int __klp_enable_patch(struct klp_patch *patch) > { > struct klp_object *obj; > @@ -846,17 +740,8 @@ static int __klp_enable_patch(struct klp_patch *patch) > if (WARN_ON(patch->enabled)) > return -EINVAL; > > - /* enforce stacking: only the first disabled patch can be enabled */ > - if (patch->list.prev != &klp_patches && > - !list_prev_entry(patch, list)->enabled) > - return -EBUSY; > - > - /* > - * A reference is taken on the patch module to prevent it from being > - * unloaded. > - */ > - if (!try_module_get(patch->mod)) > - return -ENODEV; > + if (!patch->kobj.state_initialized) > + return -EINVAL; I think the check is not needed here. __klp_enable_patch() is called right after klp_init_patch() in klp_enable_patch(). > pr_notice("enabling patch '%s'\n", patch->mod->name); > [...] > @@ -405,7 +399,11 @@ void klp_try_complete_transition(void) > } > > /* we're done, now cleanup the data structures */ > + patch = klp_transition_patch; > klp_complete_transition(); > + > + if (!patch->enabled) > + klp_free_patch_nowait(patch); > } I'd welcome a comment here. I thought it was more logical to call klp_free_patch_nowait() in klp_complete_transition(). It's not possible though. klp_complete_transition() is also called from klp_cancel_transition() which has its own freeing in klp_enable_patch()'s error path. Regards, Miroslav