Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/Documentation/livepatch/callbacks.rst 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) ======================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) (Un)patching Callbacks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3) ======================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5) Livepatch (un)patch-callbacks provide a mechanism for livepatch modules
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6) to execute callback functions when a kernel object is (un)patched.  They
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7) can be considered a **power feature** that **extends livepatching abilities**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8) to include:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10)   - Safe updates to global data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12)   - "Patches" to init and probe functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14)   - Patching otherwise unpatchable code (i.e. assembly)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) In most cases, (un)patch callbacks will need to be used in conjunction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) with memory barriers and kernel synchronization primitives, like
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) mutexes/spinlocks, or even stop_machine(), to avoid concurrency issues.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) 1. Motivation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) =============
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) Callbacks differ from existing kernel facilities:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25)   - Module init/exit code doesn't run when disabling and re-enabling a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26)     patch.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28)   - A module notifier can't stop a to-be-patched module from loading.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) Callbacks are part of the klp_object structure and their implementation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) is specific to that klp_object.  Other livepatch objects may or may not
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) be patched, irrespective of the target klp_object's current state.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34) 2. Callback types
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) =================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) Callbacks can be registered for the following livepatch actions:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39)   * Pre-patch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40)                  - before a klp_object is patched
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42)   * Post-patch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43)                  - after a klp_object has been patched and is active
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44)                    across all tasks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46)   * Pre-unpatch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47)                  - before a klp_object is unpatched (ie, patched code is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48)                    active), used to clean up post-patch callback
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49)                    resources
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51)   * Post-unpatch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52)                  - after a klp_object has been patched, all code has
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53)                    been restored and no tasks are running patched code,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54)                    used to cleanup pre-patch callback resources
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56) 3. How it works
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57) ===============
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59) Each callback is optional, omitting one does not preclude specifying any
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60) other.  However, the livepatching core executes the handlers in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61) symmetry: pre-patch callbacks have a post-unpatch counterpart and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62) post-patch callbacks have a pre-unpatch counterpart.  An unpatch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63) callback will only be executed if its corresponding patch callback was
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64) executed.  Typical use cases pair a patch handler that acquires and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) configures resources with an unpatch handler tears down and releases
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66) those same resources.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68) A callback is only executed if its host klp_object is loaded.  For
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69) in-kernel vmlinux targets, this means that callbacks will always execute
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70) when a livepatch is enabled/disabled.  For patch target kernel modules,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71) callbacks will only execute if the target module is loaded.  When a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72) module target is (un)loaded, its callbacks will execute only if the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73) livepatch module is enabled.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75) The pre-patch callback, if specified, is expected to return a status
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76) code (0 for success, -ERRNO on error).  An error status code indicates
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77) to the livepatching core that patching of the current klp_object is not
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78) safe and to stop the current patching request.  (When no pre-patch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79) callback is provided, the transition is assumed to be safe.)  If a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80) pre-patch callback returns failure, the kernel's module loader will:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  82)   - Refuse to load a livepatch, if the livepatch is loaded after
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  83)     targeted code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  84) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  85)     or:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  86) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  87)   - Refuse to load a module, if the livepatch was already successfully
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  88)     loaded.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  89) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  90) No post-patch, pre-unpatch, or post-unpatch callbacks will be executed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) for a given klp_object if the object failed to patch, due to a failed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  92) pre_patch callback or for any other reason.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  93) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  94) If a patch transition is reversed, no pre-unpatch handlers will be run
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  95) (this follows the previously mentioned symmetry -- pre-unpatch callbacks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  96) will only occur if their corresponding post-patch callback executed).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  97) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  98) If the object did successfully patch, but the patch transition never
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  99) started for some reason (e.g., if another object failed to patch),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) only the post-unpatch callback will be called.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) 4. Use cases
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) ============
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) Sample livepatch modules demonstrating the callback API can be found in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) samples/livepatch/ directory.  These samples were modified for use in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) kselftests and can be found in the lib/livepatch directory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) Global data update
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) ------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) A pre-patch callback can be useful to update a global variable.  For
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) example, 75ff39ccc1bd ("tcp: make challenge acks less predictable")
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) changes a global sysctl, as well as patches the tcp_send_challenge_ack()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) In this case, if we're being super paranoid, it might make sense to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) patch the data *after* patching is complete with a post-patch callback,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) so that tcp_send_challenge_ack() could first be changed to read
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) sysctl_tcp_challenge_ack_limit with READ_ONCE.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) __init and probe function patches support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) -----------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) Although __init and probe functions are not directly livepatch-able, it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) may be possible to implement similar updates via pre/post-patch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) callbacks.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) The commit ``48900cb6af42 ("virtio-net: drop NETIF_F_FRAGLIST")`` change the way that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) virtnet_probe() initialized its driver's net_device features.  A
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) pre/post-patch callback could iterate over all such devices, making a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) similar change to their hw_features value.  (Client functions of the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) value may need to be updated accordingly.)
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.