Re: [RFC PATCH 6/9] livepatch: create per-task consistency model

From: Josh Poimboeuf
Date: Thu Feb 12 2015 - 07:52:30 EST


On Thu, Feb 12, 2015 at 12:56:28PM +0100, Peter Zijlstra wrote:
> On Wed, Feb 11, 2015 at 09:21:21PM -0600, Josh Poimboeuf wrote:
> > Ingo, Peter,
> >
> > Would you have any objections to making task_rq_lock/unlock() non-static
> > (or moving them to kernel/sched/sched.h) so they can be called by the
> > livepatch code?
>
> Basically yes. I really don't want to expose that. And
> kernel/sched/sched.h is very much not intended for use outside of
> kernel/sched/ so even that is a no go.
>
> > To provide some background, I'm looking for a way to temporarily prevent
> > a sleeping task from running while its stack is examined, to decide
> > whether it can be safely switched to the new patching "universe". For
> > more details see klp_transition_task() in the patch below.
> >
> > Using task_rq_lock() is the most straightforward way I could find to
> > achieve that.
>
> It's not at all clear how all this would work to me. And I'm not
> motivated enough to go try and reverse engineer your patch;

The short answer is: I need a way to ensure that a task isn't sleeping
on any of the functions we're trying to patch. If it's not, then I can
switch the task over to start using new versions of functions.

Obviously, there are many more details than that. If you have specific
questions I can try to answer them.

> IMO livepatching is utter fail.
>
> If your infrastructure relies on the uptime of a single machine you've
> lost already.

It's not always about uptime. IMO it's usually more about decoupling
your reboot schedule from your distro's kernel release schedule.

Most users want to plan in advance when they're going to reboot, rather
than being at the mercy of when CVEs and kernel fixes are released.

Rebooting is costly and risky, even (or often especially) for large
systems for which you have to stagger the reboots. You want to do it at
a time when you're ready for something bad to happen, without having to
also worry about security in the meantime while you're waiting for your
reboot window.

> FWIW, the barriers in klp_update_task_universe() and
> klp_set_universe_goal() look like complete crack, and their comments are
> seriously deficient.

Ok, I'll try to improve the comments for the barriers.

--
Josh
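The consistency rule Josh describes above (a task may only be switched to the new "universe" once none of its stack frames sit inside a function being patched, otherwise it stays behind and is re-checked later), as an added user-space model. This is example code written for this page, not code from the livepatch patch or the kernel: struct model_task, task_try_transition(), transition_pass(), the address ranges and the task names are all assumptions of the model. It deliberately ignores the part under discussion in the thread (keeping the task off the CPU while its stack is walked), so a stack snapshot is just a constructed array of return addresses.

```c
/* Added example: user-space model of the per-task consistency check.
 * Nothing here is a kernel symbol; names and addresses are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_UNIVERSE 0
#define NEW_UNIVERSE 1
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Text range of the old version of a function replaced by the patch. */
struct patched_func {
    const char *name;
    uintptr_t start;   /* first byte of the old function */
    uintptr_t end;     /* one past its last byte */
};

/* A task: which universe it runs in and a snapshot of the return
 * addresses on its stack (constructed; a real walker would unwind). */
struct model_task {
    const char *comm;
    int universe;
    const uintptr_t *frames;
    size_t nr_frames;
};

/* True if addr lies inside the old text of any patched function. */
static bool addr_in_patched_func(uintptr_t addr,
                                 const struct patched_func *funcs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= funcs[i].start && addr < funcs[i].end)
            return true;
    return false;
}

/* The rule from the thread: switch the task to the new universe only if no
 * frame on its stack is inside an old version of a patched function.
 * Returns true when the task is (now) in the new universe; false means it
 * was left in the old universe and must be re-checked on a later pass. */
bool task_try_transition(struct model_task *t,
                         const struct patched_func *funcs, size_t nfuncs)
{
    if (t->universe == NEW_UNIVERSE)
        return true;
    for (size_t i = 0; i < t->nr_frames; i++)
        if (addr_in_patched_func(t->frames[i], funcs, nfuncs))
            return false;
    t->universe = NEW_UNIVERSE;
    return true;
}

/* One pass over all tasks; returns how many are still stuck in the old
 * universe (the caller keeps retrying until this reaches zero). */
size_t transition_pass(struct model_task *tasks, size_t ntasks,
                       const struct patched_func *funcs, size_t nfuncs)
{
    size_t remaining = 0;
    for (size_t i = 0; i < ntasks; i++)
        if (!task_try_transition(&tasks[i], funcs, nfuncs))
            remaining++;
    return remaining;
}

/* Constructed sample data: two patched functions and three tasks. */
static const struct patched_func sample_funcs[] = {
    { "sys_foo", 0x1000, 0x1100 },
    { "do_bar",  0x2000, 0x2080 },
};
static const uintptr_t frames_user_only[]   = { 0x7f00, 0x7e00 };
static const uintptr_t frames_in_sys_foo[]  = { 0x7000, 0x1040, 0x3000 };
static const uintptr_t frames_after_return[] = { 0x7000, 0x3000 };
static const uintptr_t frames_elsewhere[]   = { 0x1100, 0x4000 }; /* 0x1100 is just past sys_foo */

static struct model_task sample_tasks[] = {
    { "bash",    OLD_UNIVERSE, frames_user_only,  ARRAY_SIZE(frames_user_only) },
    { "nfsd",    OLD_UNIVERSE, frames_in_sys_foo, ARRAY_SIZE(frames_in_sys_foo) },
    { "kworker", OLD_UNIVERSE, frames_elsewhere,  ARRAY_SIZE(frames_elsewhere) },
};

/* First pass: nfsd is asleep inside sys_foo, so exactly one task stays behind. */
size_t run_first_pass(void)
{
    return transition_pass(sample_tasks, ARRAY_SIZE(sample_tasks),
                           sample_funcs, ARRAY_SIZE(sample_funcs));
}

/* Simulate nfsd returning from sys_foo, then re-run the pass: nothing remains. */
size_t run_recheck_after_return(void)
{
    sample_tasks[1].frames = frames_after_return;
    sample_tasks[1].nr_frames = ARRAY_SIZE(frames_after_return);
    return transition_pass(sample_tasks, ARRAY_SIZE(sample_tasks),
                           sample_funcs, ARRAY_SIZE(sample_funcs));
}

int sample_task_universe(size_t idx)
{
    return sample_tasks[idx].universe;
}

int main(void)
{
    printf("remaining after pass 1: %zu\n", run_first_pass());
    printf("remaining after recheck: %zu\n", run_recheck_after_return());
    for (size_t i = 0; i < ARRAY_SIZE(sample_tasks); i++)
        printf("%-8s universe=%d\n", sample_tasks[i].comm, sample_tasks[i].universe);
    return 0;
}
```

The point the model makes concrete is the retry: a task blocked inside sys_foo is not an error, it simply keeps running the old code until it returns, at which point the next pass moves it over. The half-open range check also shows why a frame at the first byte after a patched function (0x1100 here) must not count as "inside" it.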
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/