Re: live patching design (was: Re: [PATCH 1/3] sched: add sched_task_call())

From: Jiri Kosina
Date: Sat Feb 21 2015 - 15:53:44 EST

To make sure that this thread doesn't conclude in void, here's my take on

- what's currently alredy there is the simplest-of-simplest methods; it
allows you to apply context-less patches (such as adding bounds checking
to the beginning of syscall, etc), which turns out to cover vast portion
of applicable CVEs

- it can always be made more clever; patch author always has to know the
version of the kernel he's preparing the patch for anyway (the live
patch and the kernel is closely tied together)

- the proposal to force sleeping or CPU-hogging tasks through a defined
safe checkpoint using a fake sort-of signal without any other
sideeffects might be useful even for kGraft and also for other proposed
aproaches. I think we'll try to implement this as an optimization for
kGraft and we'll see how (a) fast (b) non-intrusive we would be able to
make it. If it turns out to be successful, we can then just reuse it in
the upstream solution (whatever that would be)


Jiri Kosina
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at