Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching

From: Josh Poimboeuf
Date: Wed May 07 2014 - 11:41:39 EST


On Wed, May 07, 2014 at 02:24:44PM +0200, Ingo Molnar wrote:
>
> * Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:
>
> > > Ah this reminds me when we chased kprobes dangerous spots and we
> > > tried to declare __kprobes the functions which were too dangerous
> > > to hot patch.
> > >
> > > We eventually gave up because it was impossible to fix everything.
> > > And that was only for kprobes!
> > >
> > > So you can never tell if a given patch will impact a given
> > > kthread.
> >
> > If the user (or the person creating the patch for them) doesn't
> > understand all impacts of the patch, they have no business patching
> > their kernel with it.
>
> I think what is being somewhat lost in this discussion is the
> distinction between:
>
> 1) is the patch safe
> 2) is the _live patching_ safe
>
> It's really two different things. We should absolutely strive for live
> patching to be safe under all circumstances, as long as the patch
> being fed to it is safe in itself when building a new kernel the old
> fashioned way.
>
> I.e. it's natural that a kernel can be messed up via a patch, but this
> subsystem should absolutely make sure that it will safely reject
> totally fine patches that are unsafe to live patch.

Thanks, that's a very succinct way to put it. They are indeed two
different things, but at the same time they're interrelated: determining
whether a patch is safe requires making assumptions about how it will be
applied.

Here's how kpatch draws the lines:

1) Is the patch safe?

Determined by the user (and partially enforced by the kpatch-build
tools).

The user can assume that the old function(s) will not be in use by
any task at the time of replacement, so there's no risk of unexpected
interactions between the old and the new. There is no guarantee that
all tasks will be frozen.

2) Is the live patching safe?

Determined by the kernel. The kernel only needs to ensure that the
old function(s) are not in use. We do this with stop_machine() and
backtrace checks of all tasks.

It's a very simple contract between user and kernel.

I think the proposal was that we change this contract such that the user
can additionally assume that all tasks will be frozen. I could be
missing something but I don't see a real benefit from it.

--
Josh
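A small model of the kernel-side contract in (2), added here as an illustration and not code from kpatch or from this thread: with every CPU halted by stop_machine(), the check walks each task's backtrace and refuses the function switch if any frame falls inside an old function's address range. The struct layouts, task backtraces and addresses below are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

struct old_func { uintptr_t start, end; };      /* OLD code range, end exclusive */
struct task_bt { const uintptr_t *frames; size_t n; };  /* return addrs, innermost first */

/* Does any frame of this task's backtrace lie inside one of the old functions? */
static int task_uses_old_code(const struct task_bt *t,
                              const struct old_func *f, size_t nf)
{
    for (size_t i = 0; i < t->n; i++)
        for (size_t j = 0; j < nf; j++)
            if (t->frames[i] >= f[j].start && t->frames[i] < f[j].end)
                return 1;
    return 0;
}

/* Model of the stop_machine() callback: with every CPU halted, walk all tasks
 * and refuse the switch while any old function is still on some stack.
 * Returns 0 if safe to patch, -EBUSY if a task blocks it (caller retries). */
int check_patch_safe(const struct task_bt *tasks, size_t nt,
                     const struct old_func *f, size_t nf)
{
    for (size_t i = 0; i < nt; i++)
        if (task_uses_old_code(&tasks[i], f, nf))
            return -EBUSY;
    return 0;
}

/* Constructed sample: the patch replaces one function living at [0x1000, 0x1200). */
static const struct old_func patch_funcs[] = { { 0x1000, 0x1200 } };
static const uintptr_t bt_idle[] = { 0x5010, 0x5200 };          /* outside old_fn */
static const uintptr_t bt_busy[] = { 0x7000, 0x1080, 0x5200 };  /* parked in old_fn */

/* Scenario 1: no task is executing old_fn, so the switch may proceed. */
int scenario_safe(void)
{
    const struct task_bt tasks[] = { { bt_idle, 2 } };
    return check_patch_safe(tasks, 1, patch_funcs, 1);
}

/* Scenario 2: a kthread sleeping inside old_fn (frame 0x1080) blocks the switch. */
int scenario_blocked(void)
{
    const struct task_bt tasks[] = { { bt_idle, 2 }, { bt_busy, 3 } };
    return check_patch_safe(tasks, 2, patch_funcs, 1);
}
```

The second scenario is the case the backtrace check exists for: a task need not be running to hold a reference to old code, it only needs an old-function frame on its stack, which is why freezing tasks alone would not make the switch safe.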