Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4717543rwb;
        Sun, 13 Nov 2022 12:00:33 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5cRczMXVs5OcJpP6ZMq//0w9/yX0tEQKtgL6ve6xC0PfaX/9AI6h7JZz+2BlkuV2qRRMyn
X-Received: by 2002:a17:906:498b:b0:7ad:f270:c128 with SMTP id p11-20020a170906498b00b007adf270c128mr8297150eju.84.1668369632833;
        Sun, 13 Nov 2022 12:00:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668369632; cv=none;
        d=google.com; s=arc-20160816;
        b=i2G3gGsRXjuRe5coMUCaEWD3dplOb+Zg3ot+ParLEknyq51Sy4ze8f8RbPNWRSphZO
         Um2bdhPbMwAEpNLgSxfDGOAWK0MoInqs3eSdCiwyXpspYVQeKe5aFCvWtkv4O4RwKUug
         hVGO2gOhbe9WPzZtkBG/um5eBWfLMJPE2634vLIIkBSnodi4+5EhZi49pztEP5K/ZE9K
         wc+5C9jdDFvq7/3NKY3Hk89exJGPB3v3miDgHkI2B0frIC3CyDlM1a92XwtHjYUfJd/C
         ZffdB1X69Ck2KSRriKHMmXWEJkpde6N126jhHiuzKL7uwHIFHBZjX+wefbb/jeN3Ts8d
         k0qA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=9a5qcwWH8ZIuMyGJBIwd8hit4jlNEfZge8xd0LPFA4w=;
        b=I4350OkC9C58cUrPCcXXk8Q2ioeg+JkWYCLHEBBdvHhlE/uVnWDNgwFoebwBWZ1125
         QetDNY+1lhKyL6MOesvpblzGrf4NXNGW9EGkSNaYrWTDeXyhU2IUoEFgcWXXciaiVrz0
         zrDZkms/9vi24udjAQfpkRhUVle5qc2JLmmg0dyY3zIzR1K5BCaQ4rauIFjP1zGYydKe
         i69Yo0GS8OZXlOU5Q9cTo49xGgFnSiJ6lcijdVpN8yfS912/KHxhWuWoj9JYnTEpIk4e
         CSlusUyaua65EoOYtBZNss0ykoW+FIFzqcoaWNEMCZi3OiEWweU2dbOYPWK/dHLKtv49
         DKnw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="DB7X/kDK";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i15-20020a1709061e4f00b0073d6c0facdcsi5553310ejj.259.2022.11.13.12.00.11;
        Sun, 13 Nov 2022 12:00:32 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="DB7X/kDK";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235354AbiKMSvp (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 89 others); Sun, 13 Nov 2022 13:51:45 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39806 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235223AbiKMSvo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 13 Nov 2022 13:51:44 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 089D226C7;
        Sun, 13 Nov 2022 10:51:43 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id A6013B80C99;
        Sun, 13 Nov 2022 18:51:41 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1709FC433D6;
        Sun, 13 Nov 2022 18:51:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1668365500;
        bh=U7MTYtRq7SXKMf781DEf7kOdL//W2sns95S2QvHfGK4=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=DB7X/kDKTWUFvqFqIFTLaxTGMLylnMhGw+D0DxGkakFobpXia06r/wJ/TwhQ1MHfb
         JEecZlXS+pIo81u1WgbwX37LvHi3tZz1wjk/4+6NaFAxbGGSCRMajRyUmooRqlancn
         oSkRZ8Pjo9U/HdrITn3gVz4x6bc/9bVHn3dNTHE14RjYOxRXs+MivGDTOEoJeiWdR0
         UjRsYuX0zudBTYkfgsizL2h3oel7a7WrUv9idrWank+AxGaAXj+fRDWKuVZmy7cRjp
         +Q2srlFNIw9MlbdtXXe3zuO7UHzSw/chfISjgdk1eYr+ksrQDOvFCBjRqAo2kJR3V8
         B1mY2QbWkerig==
Date:   Sun, 13 Nov 2022 10:51:38 -0800
From:   Josh Poimboeuf <jpoimboe@kernel.org>
To:     Petr Mladek <pmladek@suse.com>
Cc:     Nicolai Stange <nstange@suse.de>,
        Marcos Paulo de Souza <mpdesouza@suse.com>,
        linux-kernel@vger.kernel.org, live-patching@vger.kernel.org,
        jpoimboe@redhat.com, joe.lawrence@redhat.com
Subject: Re: [PATCH v2 4/4] livepatch/shadow: Add garbage collection of
 shadow variables
Message-ID: <20221113185138.oob2o3sevbgud5vs@treble>
References: <20221026194122.11761-1-mpdesouza@suse.com>
 <20221026194122.11761-5-mpdesouza@suse.com>
 <20221104010327.wa256pos75dczt4x@treble>
 <Y2TooogxxLTIkBcj@alley>
 <878rkhyhhv.fsf@linux.fritz.box>
 <Y24cGpeO8UHeiKGl@alley>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <Y24cGpeO8UHeiKGl@alley>
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 11, 2022 at 10:55:38AM +0100, Petr Mladek wrote:
> > >From my experience, there are basically two relevant usage patterns of
> > shadow variables.
> > 1.) To hand over global state from one sublivepatch to its pendant in
> >     the to-be-applied livepatch module. Example: a new global mutex or
> >     alike.
> > 2.) The "regular" intended usage, attaching schadow variables to real
> >     (data) objects.
> > 
> > To manage lifetime for 1.), we usually implement some refcount scheme,
> > managed from the livepatches' module_init()/_exit(): the next livepatch
> > would subscribe to the shared state before the previous one got a chance
> > to release it. This works in practice, but the code related to it is
> > tedious to write and quite verbose.
> > 
> > The second usage pattern is much more difficult to implement correctly
> > in light of possible livepatch downgrades to a subset of
> > sublivepatches. Usually a sublivepatch making use of a shadow variable
> > attached to real objects would livepatch the associated object's
> > destruction code to free up the associated shadow, if any. If the next
> > livepatch to be applied happened to not contain this sublivepatch in
> > question as well, the destruction code would effectively become
> > unpatched, and any existing shadows leaked. Depending on the object type
> > in question, this memory leakage might or might not be an actual
> > problem, but it isn't nice either way.
> > 
> > Often, there's a more subtle issue with the latter usecase though: the
> > shadow continues to exist, but becomes unmaintained once the transitions
> > has started. If said sublivepatch happens to become reactivated later
> > on, it would potentially find stale shadows, and these could even get
> > wrongly associated with a completely different object which happened to
> > get allocated at the same memory address. Depending on the shadow type,
> > this might or might not be Ok. New per-object locks or a "TLB flush
> > needed" boolean would probably be Ok, but some kind of refcount would
> > certainly not. There's not much which could be done from the pre-unpatch
> > callbacks, because these aren't getting invoked for atomic-replace
> > downgrades.
> > 
> > We had quite some discussion internally on how to best approach these
> > limitations, the outcome being (IIRC), that a more versatile callbacks
> > support would perhaps quickly become too complex or error-prone to use
> > correctly. So Petr proposed this garbage collection/refcounting
> > mechanism posted here, which would solve the memory leakage issue as a
> > first step (and would make shadow variable usage less verbose IMO).
> > 
> > The consistency problem would still not be fully solved: consider a
> > refcount-like shadow, where during the transition some acquirer had been
> > unpatched already, while a releaser has not yet. But my hope is that we
> > can later build on this work here and somehow resolve this as well.

It would be great to have all this motivation for the new feature
documented in shadow-vars.rst.

> > > Nicolai, your have the practical experience. Should the reference
> > > counting be per-livepatched object or per-livepatch, please?
> > 
> > See above, I think it won't matter much from a functionality POV.
> 
> I would personally keep it tied together with the livepatched object
> just to be on the safe side.

If downgrades are going to be commonplace then I agree my automatic
detection idea wouldn't work so well.  And ref counting does make sense.

However I'm still not convinced that per-object is the way to go.
Doesn't that create more room for human error?  There's no way to
detect-and-warn if the wrong object is used, or if the variable is used
by multiple objects but only one of them is listed.

Per-patch shadow variable types would be easy to detect and warn on
misuse.  And easy to automate in patch author tooling.

Also, I'm not crazy about the new API.  It's even more confusing than
before.

-- 
Josh