Re: [PATCH 1/2] livepatch: Remove immediate feature

From: Petr Mladek
Date: Thu Dec 21 2017 - 08:30:24 EST


On Wed 2017-12-20 11:09:37, Josh Poimboeuf wrote:
> On Wed, Dec 20, 2017 at 03:35:12PM +0100, Petr Mladek wrote:
> > On Fri 2017-12-08 18:25:22, Miroslav Benes wrote:
> > > immediate flag has been used to disable per-task consistency and patch
> > > all tasks immediately. It could be useful if the patch doesn't change any
> > > function or data semantics.
> > >
> > > However, it causes problems on its own. The consistency problem is
> > > currently broken with respect to immediate patches.
> > >
> > > func a
> > > patches 1i
> > > 2i
> > > 3
> > >
> > > When the patch 3 is applied, only 2i function is checked (by stack
> > > checking facility). There might be a task sleeping in 1i though. Such
> > > task is migrated to 3, because we do not check 1i in
> > > klp_check_stack_func() at all.
> > >
> >
> > Sigh, the force feature actually have the same problem. We would use
> > it when a process never has a reliable stack or when it is endlessly
> > sleeping in a function that might have been patched immediately.
> >
> > I see two possibilities. We could either refuse loading new
> > livepatches after using the force flag. Or we would need
> > to check all variants of the function "a" that might still
> > be in use.
>
> "Using the force" is a nuclear option. User beware. If you use it (or
> recommend that others use it), be prepared for the consequences. That
> means anticipating how forcing this patch might affect future patches,
> and planning accordingly.
>
> >From a livepatch code standpoint, let's avoid adding complexity (or
> limitations) where none are needed. I think all we need to do is
> permanently disable patch module unloading when somebody forces a patch,
> which we already do. Otherwise the user is on their own.

This looks like a rather weak protection against nuclear diseases ;-)

If we want to keep it simple and safe, we should either print
a big fact warning about this danger when the option is used.
Or we should allow to load new patches only with yet another
force flag.

Anyway, I agree that we should keep it simple. The fact is
that the immediate flag removal makes the code better
readable.

Best Regards,
Petr