=========
Livepatch
=========

This document outlines basic information about kernel livepatching.

.. Table of Contents:

1. Motivation
2. Kprobes, Ftrace, Livepatching
3. Consistency model
4. Livepatch module
   4.1. New functions
   4.2. Metadata
5. Livepatch life-cycle
   5.1. Loading
   5.2. Enabling
   5.3. Replacing
   5.4. Disabling
   5.5. Removing
6. Sysfs
7. Limitations


1. Motivation
=============

There are many situations where users are reluctant to reboot a system. It may
be because their system is performing complex scientific computations or under
heavy load during peak usage. In addition to keeping systems up and running,
users also want a stable and secure system. Livepatching gives users
both by allowing function calls to be redirected, thus fixing critical
functions without a system reboot.


2. Kprobes, Ftrace, Livepatching
================================

There are multiple mechanisms in the Linux kernel that are directly related
to redirection of code execution; namely: kernel probes, function tracing,
and livepatching:

- The kernel probes are the most generic. The code can be redirected by
  putting a breakpoint instruction instead of any instruction.

- The function tracer calls the code from a predefined location that is
  close to the function entry point. This location is generated by the
  compiler using the '-pg' gcc option.

- Livepatching typically needs to redirect the code at the very beginning
  of the function entry before the function parameters or the stack
  are in any way modified.

All three approaches need to modify the existing code at runtime. Therefore
they need to be aware of each other and not step on each other's toes.
Most of these problems are solved by using the dynamic ftrace framework as
a base. A Kprobe is registered as an ftrace handler when the function entry
is probed, see CONFIG_KPROBES_ON_FTRACE. Also an alternative function from
a live patch is called with the help of a custom ftrace handler. But there are
some limitations, see below.


3. Consistency model
====================

Functions are there for a reason. They take some input parameters, get or
release locks, read, process, and even write some data in a defined way,
have return values. In other words, each function has defined semantics.

Many fixes do not change the semantics of the modified functions. For
example, they add a NULL pointer or a boundary check, fix a race by adding
a missing memory barrier, or add some locking around a critical section.
Most of these changes are self-contained and the function presents itself
the same way to the rest of the system. In this case, the functions might
be updated independently one by one.

But there are more complex fixes. For example, a patch might change the
ordering of locking in multiple functions at the same time. Or a patch
might exchange the meaning of some temporary structures and update
all the relevant functions. In this case, the affected unit
(thread, whole kernel) needs to start using all new versions of
the functions at the same time. Also the switch must happen only
when it is safe to do so, e.g. when the affected locks are released
or no data are stored in the modified structures at the moment.

The theory of how to apply patched functions in a safe way is rather complex.
The aim is to define a so-called consistency model. It attempts to define
the conditions under which the new implementation can be used so that the
system stays consistent.

Livepatch has a consistency model which is a hybrid of kGraft and
kpatch: it uses kGraft's per-task consistency and syscall barrier
switching combined with kpatch's stack trace switching. There are also
a number of fallback options which make it quite flexible.

Patches are applied on a per-task basis, when the task is deemed safe to
switch over. When a patch is enabled, livepatch enters into a
transition state where tasks are converging to the patched state.
Usually this transition state can complete in a few seconds. The same
sequence occurs when a patch is disabled, except the tasks converge from
the patched state to the unpatched state.

An interrupt handler inherits the patched state of the task it
interrupts. The same is true for forked tasks: the child inherits the
patched state of the parent.

Livepatch uses several complementary approaches to determine when it's
safe to patch tasks:

1. The first and most effective approach is stack checking of sleeping
   tasks. If no affected functions are on the stack of a given task,
   the task is patched. In most cases this will patch most or all of
   the tasks on the first try. Otherwise it'll keep trying
   periodically. This option is only available if the architecture has
   reliable stacks (HAVE_RELIABLE_STACKTRACE).

2. The second approach, if needed, is kernel exit switching. A
   task is switched when it returns to user space from a system call, a
   user space IRQ, or a signal. It's useful in the following cases:

   a) Patching I/O-bound user tasks which are sleeping on an affected
      function. In this case you have to send SIGSTOP and SIGCONT to
      force it to exit the kernel and be patched.
   b) Patching CPU-bound user tasks. If the task is highly CPU-bound
      then it will get patched the next time it gets interrupted by an
      IRQ.

3. For idle "swapper" tasks, since they don't ever exit the kernel, they
   instead have a klp_update_patch_state() call in the idle loop which
   allows them to be patched before the CPU enters the idle state.

(Note there's not yet such an approach for kthreads.)

Architectures which don't have HAVE_RELIABLE_STACKTRACE solely rely on
the second approach. It's highly likely that some tasks may still be
running with an old version of the function, until that function
returns. In this case you would have to signal the tasks. This
especially applies to kthreads. They may not be woken up and would need
to be forced. See below for more information.

Unless we can come up with another way to patch kthreads, architectures
without HAVE_RELIABLE_STACKTRACE are not considered fully supported by
kernel livepatching.

The /sys/kernel/livepatch/<patch>/transition file shows whether a patch
is in transition. Only a single patch can be in transition at a given
time. A patch can remain in transition indefinitely, if any of the tasks
are stuck in the initial patch state.

A transition can be reversed and effectively canceled by writing the
opposite value to the /sys/kernel/livepatch/<patch>/enabled file while
the transition is in progress. Then all the tasks will attempt to
converge back to the original patch state.

There's also a /proc/<pid>/patch_state file which can be used to
determine which tasks are blocking completion of a patching operation.
If a patch is in transition, this file shows 0 to indicate the task is
unpatched and 1 to indicate it's patched. Otherwise, if no patch is in
transition, it shows -1. Any tasks which are blocking the transition
can be signaled with SIGSTOP and SIGCONT to force them to change their
patched state. This may be harmful to the system though. Sending a fake signal
to all remaining blocking tasks is a better alternative. No proper signal is
actually delivered (there is no data in signal pending structures). Tasks are
interrupted or woken up, and forced to change their patched state. The fake
signal is automatically sent every 15 seconds.

An administrator can also affect a transition through the
/sys/kernel/livepatch/<patch>/force attribute. Writing 1 there clears the
TIF_PATCH_PENDING flag of all tasks and thus forces the tasks to the patched
state. Important note! The force attribute is intended for cases when the
transition gets stuck for a long time because of a blocking task. The
administrator is expected to collect all necessary data (namely stack traces
of such blocking tasks) and request a clearance from a patch distributor to
force the transition. Unauthorized usage may cause harm to the system. It
depends on the nature of the patch, which functions are (un)patched, and which
functions the blocking tasks are sleeping in (/proc/<pid>/stack may help here).
Removal (rmmod) of patch modules is permanently disabled when the force feature
is used. It cannot be guaranteed there is no task sleeping in such a module.
This implies an unbounded reference count if a patch module is disabled and
enabled in a loop.

Moreover, the usage of force may also affect future applications of live
patches and cause even more harm to the system. The administrator should first
consider simply cancelling the transition (see above). If force is used, a
reboot should be planned and no more live patches applied.

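The checks this section describes (transition state, per-task patch_state, stack traces of the blockers, cancel before force) collected into a small inspection script; this is an added example, not code from the kernel tree. It assumes the ``enabled`` attribute already reflects the direction of an in-progress transition (1 while enabling, 0 while disabling) and defaults to the patch name ``livepatch_sample`` of the sample module; the values used in the test are constructed.

```python
"""Find the tasks that are blocking a livepatch transition.

Added example, not part of the kernel tree.  It reads the files this section
describes: <sysfs>/<patch>/transition (1 while tasks are converging),
<sysfs>/<patch>/enabled (1 when enabling, 0 when disabling; assumed to reflect
the direction of an in-progress transition) and /proc/<pid>/patch_state
(0 unpatched, 1 patched, -1 when no patch is in transition).
"""
import os
import sys

LIVEPATCH_SYSFS = "/sys/kernel/livepatch"


def target_state(enabled):
    """patch_state value every task must reach before the transition ends."""
    # Enabling drives tasks to 1 (patched); disabling, or an enable that was
    # cancelled by writing the opposite value, drives them to 0.
    return 1 if enabled.strip() == "1" else 0


def blocking_tasks(transition, enabled, patch_states):
    """Return the sorted pids still in the initial state of a transition.

    transition and enabled are the raw file contents; patch_states maps
    pid -> raw contents of that task's /proc/<pid>/patch_state.
    """
    if transition.strip() != "1":
        return []  # nothing in flight, so nothing can be blocking
    want = target_state(enabled)
    blocking = []
    for pid, raw in patch_states.items():
        try:
            state = int(raw.strip())
        except ValueError:
            continue  # task went away between listing /proc and reading it
        if state == -1:
            continue  # not taking part in any transition
        if state != want:
            blocking.append(pid)
    return sorted(blocking)


def recommendation(blocking):
    """Advice in the order the documentation gives it: wait, cancel, force last."""
    if not blocking:
        return "transition complete or idle"
    return ("%d task(s) still converging; the fake signal is retried every 15 s. "
            "Record /proc/<pid>/stack for each, prefer cancelling by writing the "
            "opposite value to 'enabled', and use 'force' only with the patch "
            "distributor's clearance (it disables rmmod of the patch)."
            % len(blocking))


def read_file(path):
    with open(path) as fh:
        return fh.read()


def scan(patch, sysfs=LIVEPATCH_SYSFS, proc="/proc"):
    """Read the live files for <patch> and report blocking pids with stacks."""
    base = os.path.join(sysfs, patch)
    transition = read_file(os.path.join(base, "transition"))
    enabled = read_file(os.path.join(base, "enabled"))
    states = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            states[int(entry)] = read_file(os.path.join(proc, entry, "patch_state"))
        except OSError:
            continue  # task exited, or this kernel has no livepatch support
    pids = blocking_tasks(transition, enabled, states)
    stacks = {}
    for pid in pids:
        try:
            stacks[pid] = read_file(os.path.join(proc, str(pid), "stack"))
        except OSError:
            stacks[pid] = "<unreadable: /proc/<pid>/stack needs root>"
    return {"blocking": pids, "stacks": stacks, "advice": recommendation(pids)}


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else "livepatch_sample")
    print(report["advice"])
    for pid, stack in report["stacks"].items():
        print("pid %d:\n%s" % (pid, stack))
```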

3.1 Adding consistency model support to new architectures
---------------------------------------------------------

For adding consistency model support to new architectures, there are a
few options:

1) Add CONFIG_HAVE_RELIABLE_STACKTRACE. This means porting objtool, and
   for non-DWARF unwinders, also making sure there's a way for the stack
   tracing code to detect interrupts on the stack.

2) Alternatively, ensure that every kthread has a call to
   klp_update_patch_state() in a safe location. Kthreads are typically
   in an infinite loop which does some action repeatedly. The safe
   location to switch the kthread's patch state would be at a designated
   point in the loop where there are no locks taken and all data
   structures are in a well-defined state.

   The location is clear when using workqueues or the kthread worker
   API. These kthreads process independent actions in a generic loop.

   It's much more complicated with kthreads which have a custom loop.
   There the safe location must be carefully selected on a case-by-case
   basis.

   In that case, arches without HAVE_RELIABLE_STACKTRACE would still be
   able to use the non-stack-checking parts of the consistency model:

   a) patching user tasks when they cross the kernel/user space
      boundary; and

   b) patching kthreads and idle tasks at their designated patch points.

   This option isn't as good as option 1 because it requires signaling
   user tasks and waking kthreads to patch them. But it could still be
   a good backup option for those architectures which don't have
   reliable stack traces yet.


4. Livepatch module
===================

Livepatches are distributed using kernel modules, see
samples/livepatch/livepatch-sample.c.

The module includes a new implementation of the functions that we want
to replace. In addition, it defines some structures describing the
relation between the original and the new implementation. Then there
is code that makes the kernel start using the new code when the livepatch
module is loaded. Also there is code that cleans up before the
livepatch module is removed. All this is explained in more detail in
the next sections.


4.1. New functions
------------------

New versions of functions are typically just copied from the original
sources. A good practice is to add a prefix to the names so that they
can be distinguished from the original ones, e.g. in a backtrace. Also
they can be declared as static because they are not called directly
and do not need the global visibility.

The patch contains only functions that are really modified. But they
might want to access functions or data from the original source file
that may only be locally accessible. This can be solved by a special
relocation section in the generated livepatch module, see
Documentation/livepatch/module-elf-format.rst for more details.


4.2. Metadata
-------------

The patch is described by several structures that split the information
into three levels:

- struct klp_func is defined for each patched function. It describes
  the relation between the original and the new implementation of a
  particular function.

  The structure includes the name, as a string, of the original function.
  The function address is found via kallsyms at runtime.

  Then it includes the address of the new function. It is defined
  directly by assigning the function pointer. Note that the new
  function is typically defined in the same source file.

  As an optional parameter, the symbol position in the kallsyms database can
  be used to disambiguate functions of the same name. This is not the
  absolute position in the database, but rather the order in which it has
  been found within a particular object (vmlinux or a kernel module). Note
  that kallsyms allows for searching symbols according to the object name.

- struct klp_object defines an array of patched functions (struct
  klp_func) in the same object, where the object is either vmlinux
  (NULL) or a module name.

  The structure helps to group and handle functions for each object
  together. Note that patched modules might be loaded later than
  the patch itself and the relevant functions might be patched
  only when they are available.


- struct klp_patch defines an array of patched objects (struct
  klp_object).

  This structure handles all patched functions consistently and eventually,
  synchronously. The whole patch is applied only when all patched
  symbols are found. The only exceptions are symbols from objects
  (kernel modules) that have not been loaded yet.

  For more details on how the patch is applied on a per-task basis,
  see the "Consistency model" section.

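The three-level lookup just described (object, function name, optional kallsyms position) worked through on constructed kallsyms text; this is an added example, not the kernel's own resolver. It assumes the /proc/kallsyms line format ``<address> <type> <name> [module]``, approximates "module not loaded yet" by the absence of any symbol for that object, and uses made-up addresses and the module name ``demo_mod``.

```python
"""Resolve a livepatch's klp_func targets from /proc/kallsyms text.

Added example, not kernel code.  A function is identified by name, by object
(None for vmlinux, else a module name) and by an optional position (sympos)
among same-named symbols of that object, as the metadata section describes.
"""


class SymbolError(Exception):
    """Conditions under which the kernel refuses to enable the patch."""


def parse_kallsyms(text):
    """Return (address, type, name, object) tuples; module symbols end in [mod]."""
    symbols = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        obj = fields[3].strip("[]") if len(fields) > 3 else None
        symbols.append((int(fields[0], 16), fields[1], fields[2], obj))
    return symbols


def find_symbol(symbols, name, objname=None, sympos=0):
    """Apply the klp_func disambiguation rules.

    sympos 0: the name must be unique within the object.
    sympos n: take the n-th occurrence, counted in kallsyms order within that
    object only, not the absolute position in the database.
    """
    where = objname or "vmlinux"
    matches = [a for a, _t, n, o in symbols if n == name and o == objname]
    if not matches:
        raise SymbolError("symbol '%s' not found in %s" % (name, where))
    if sympos == 0:
        if len(matches) > 1:
            raise SymbolError("unresolvable ambiguity for symbol '%s' in %s: "
                              "%d matches, set sympos" % (name, where, len(matches)))
        return matches[0]
    if sympos > len(matches):
        raise SymbolError("symbol position %d not found for '%s' in %s"
                          % (sympos, name, where))
    return matches[sympos - 1]


def lookup_error(symbols, name, objname=None, sympos=0):
    """Return the rejection message find_symbol() would raise, or None."""
    try:
        find_symbol(symbols, name, objname, sympos)
    except SymbolError as exc:
        return str(exc)
    return None


def resolve_patch(symbols, objects):
    """Resolve every function of a patch or fail, as klp_enable_patch() does.

    objects is [(objname, [(func_name, sympos), ...]), ...], mirroring the
    klp_patch -> klp_object -> klp_func nesting.  A module with no symbol in
    kallsyms is taken as "not loaded yet" and deferred instead of failing.
    Returns (resolved, deferred): {(objname, func, sympos): address}, [objname].
    """
    loaded = {o for _a, _t, _n, o in symbols}
    resolved, deferred = {}, []
    for objname, funcs in objects:
        if objname is not None and objname not in loaded:
            deferred.append(objname)
            continue
        for func_name, sympos in funcs:
            # Any SymbolError here rejects the whole patch: no partial apply.
            resolved[(objname, func_name, sympos)] = find_symbol(
                symbols, func_name, objname, sympos)
    return resolved, deferred


# Constructed sample: vmlinux has two static functions named show_stat and the
# loaded module demo_mod defines a third one; addresses are made up.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81234560 t cmdline_proc_show
ffffffff81240000 t show_stat
ffffffff81240100 t show_stat
ffffffffc0000000 t show_stat\t[demo_mod]
ffffffffc0000200 T demo_mod_init\t[demo_mod]
"""


def demo():
    """A patch touching vmlinux, a loaded module and a module not yet loaded."""
    patch = [
        (None, [("cmdline_proc_show", 0), ("show_stat", 2)]),
        ("demo_mod", [("show_stat", 0)]),  # unique inside demo_mod, sympos 0 is fine
        ("not_loaded_mod", [("anything", 0)]),
    ]
    return resolve_patch(parse_kallsyms(SAMPLE_KALLSYMS), patch)


if __name__ == "__main__":
    print(demo())
```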

5. Livepatch life-cycle
=======================

Livepatching can be described by five basic operations:
loading, enabling, replacing, disabling, removing.

The replacing and the disabling operations are mutually
exclusive. They have the same result for the given patch but
not for the system.


5.1. Loading
------------

The only reasonable way is to enable the patch when the livepatch kernel
module is being loaded. For this, klp_enable_patch() has to be called
in the module_init() callback. There are two main reasons:

First, only the module has easy access to the related struct klp_patch.

Second, the error code might be used to refuse loading the module when
the patch cannot get enabled.


5.2. Enabling
-------------

The livepatch gets enabled by calling klp_enable_patch() from
the module_init() callback. The system will start using the new
implementation of the patched functions at this stage.

First, the addresses of the patched functions are found according to their
names. The special relocations, mentioned in the section "New functions",
are applied. The relevant entries are created under
/sys/kernel/livepatch/<name>. The patch is rejected when any of the above
operations fails.

Second, livepatch enters into a transition state where tasks are converging
to the patched state. If an original function is patched for the first
time, a function-specific struct klp_ops is created and a universal
ftrace handler is registered\ [#]_. This stage is indicated by a value of '1'
in /sys/kernel/livepatch/<name>/transition. For more information about
this process, see the "Consistency model" section.

Finally, once all tasks have been patched, the 'transition' value changes
to '0'.

.. [#]

    Note that functions might be patched multiple times. The ftrace handler
    is registered only once for a given function. Further patches just add
    an entry to the list (see field `func_stack`) of the struct klp_ops.
    The right implementation is selected by the ftrace handler, see
    the "Consistency model" section.

    That said, it is highly recommended to use cumulative livepatches
    because they help to keep all changes consistent. In this case,
    functions might be patched two times only during the transition period.


5.3. Replacing
--------------

All enabled patches might get replaced by a cumulative patch that
has the .replace flag set.

Once the new patch is enabled and the 'transition' finishes, all
the functions (struct klp_func) associated with the replaced
patches are removed from the corresponding struct klp_ops. Also
the ftrace handler is unregistered and the struct klp_ops is
freed when the related function is not modified by the new patch
and the func_stack list becomes empty.

See Documentation/livepatch/cumulative-patches.rst for more details.


5.4. Disabling
--------------

An enabled patch may be disabled by writing '0' to
/sys/kernel/livepatch/<name>/enabled.

First, livepatch enters a transition state in which tasks converge
to the unpatched state. The system starts using either the code from
the previously enabled patch or the original code. This stage is
indicated by a value of '1' in /sys/kernel/livepatch/<name>/transition.
For more information about this process, see the "Consistency model"
section.

Second, once all tasks have been unpatched, the 'transition' value changes
to '0'. All the functions (struct klp_func) associated with the to-be-disabled
patch are removed from the corresponding struct klp_ops. The ftrace handler
is unregistered and the struct klp_ops is freed when the func_stack list
becomes empty.

Third, the sysfs interface is destroyed.


5.5. Removing
-------------

Module removal is only safe when there are no users of the functions
provided by the module. This is the reason why the force feature
permanently disables removal. Only when the system has successfully
transitioned to a new patch state (patched/unpatched) without being
forced is it guaranteed that no task sleeps in or runs the old code.


6. Sysfs
========

Information about the registered patches can be found under
/sys/kernel/livepatch. A patch can be disabled, and a transition that is
still in progress reversed, by writing to the 'enabled' attribute of its
directory.

The /sys/kernel/livepatch/<patch>/force attribute allows an administrator
to force-complete a transition that cannot finish on its own. Doing so
gives up the consistency guarantee and, as described in "Removing",
permanently prevents removal of the patch module.

See Documentation/ABI/testing/sysfs-kernel-livepatch for more details.
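The disable, wait and remove steps of "Disabling" and "Removing", driven through the attributes above, as an added shell example. It is not from the kernel documentation or from any livepatch tooling. It assumes that the patch's sysfs directory carries the module name, that 'transition' reads 0 once every task has converged, and that a forced patch keeps the reference it took on its module, so that /sys/module/<patch>/refcnt stays non-zero after disabling; the sysfs roots, the poll interval and the rmmod command are variables so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation or of any livepatch
# tool: disable a livepatch, wait for the reverse transition and remove the
# module only when that is safe.  The sysfs roots, the poll interval and the
# rmmod command are variables so the functions can be run against a
# constructed directory tree instead of a live kernel.
KLP_SYSFS="${KLP_SYSFS:-/sys/kernel/livepatch}"
MOD_SYSFS="${MOD_SYSFS:-/sys/module}"
KLP_POLL="${KLP_POLL:-1}"          # seconds between reads of 'transition'
RMMOD="${RMMOD:-rmmod}"

# Poll <patch>/transition until it reads 0 or $2 polls (default 60) have
# elapsed; returns 1 on timeout.  A directory that has disappeared counts
# as finished: after a disable the kernel destroys the sysfs entry once
# the transition completes.
klp_wait_transition() {
    patch=$1; left=${2:-60}
    while :; do
        [ -e "$KLP_SYSFS/$patch/transition" ] || return 0
        [ "$(cat "$KLP_SYSFS/$patch/transition")" = 0 ] && return 0
        [ "$left" -gt 0 ] || return 1
        left=$((left - 1))
        sleep "$KLP_POLL"
    done
}

# Start the reverse transition and wait for every task to converge to the
# unpatched state (or to the previously enabled patch).
klp_disable() {
    patch=$1
    [ -e "$KLP_SYSFS/$patch/enabled" ] || { echo "$patch: no such patch" >&2; return 2; }
    echo 0 > "$KLP_SYSFS/$patch/enabled"
    klp_wait_transition "$patch" "$2"
}

# Last resort for a transition that never completes (a task stuck inside a
# patched function): writing 1 to 'force' clears the transition for every
# task, gives up the consistency guarantee and permanently blocks removal
# of this module.
klp_force() {
    echo 1 > "$KLP_SYSFS/$1/force"
}

# 0 if the module may be removed: the patch must be disabled with its
# transition finished and must never have been forced.  'force' is
# write-only, but a forced patch keeps the reference it took on its module,
# so a non-zero refcnt after disabling is the sign of it (an assumption
# about the kernel's behaviour, not something this document states).
klp_removable() {
    patch=$1
    if [ -e "$KLP_SYSFS/$patch/enabled" ]; then
        [ "$(cat "$KLP_SYSFS/$patch/enabled")" = 0 ] || return 1
        [ "$(cat "$KLP_SYSFS/$patch/transition")" = 0 ] || return 1
    fi
    refcnt=$(cat "$MOD_SYSFS/$patch/refcnt" 2>/dev/null || echo 0)
    [ "$refcnt" = 0 ]
}

# Complete teardown: disable, wait, verify, then remove the module.
klp_remove() {
    patch=$1
    klp_disable "$patch" "$2" || return $?
    klp_removable "$patch" ||
        { echo "$patch: not safe to remove (forced or still in use)" >&2; return 3; }
    "$RMMOD" "$patch"
}

# Usage: sh klp-remove.sh <patch-module-name> [max-polls]
[ $# -gt 0 ] && klp_remove "$@"
```

The sysfs entry is torn down asynchronously after the reverse transition, so a refcnt still at 1 immediately after klp_disable returns may be that teardown rather than a forced patch; re-check before concluding the module is stuck. KLP_POLL=0 makes the wait loop poll without sleeping, which is only useful against a constructed tree.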


7. Limitations
==============

The current Livepatch implementation has several limitations:

  - Only functions that can be traced can be patched.

    Livepatch is built on dynamic ftrace. In particular, functions
    implementing ftrace or the livepatch ftrace handler itself cannot be
    patched; otherwise the redirected code would end up in an infinite
    loop. Such mistakes are prevented by marking the problematic
    functions "notrace", which also keeps them out of
    available_filter_functions.


  - Livepatch works reliably only when the dynamic ftrace call site is
    located at the very beginning of the function.

    The function needs to be redirected before the stack or the function
    parameters are modified in any way. For example, livepatch requires
    the -mfentry gcc option (together with -pg) on x86_64, which places
    the ftrace call before the function prologue instead of after it.

    One exception is the PPC port. It uses relative addressing and a TOC.
    Each function has to set up the TOC and save LR before it can call
    the ftrace handler, and this has to be reverted on return.
    Fortunately, the generic ftrace code has the same problem and all of
    this is handled at the ftrace level.


  - Kretprobes using the ftrace framework conflict with the patched
    functions.

    Both kretprobes and livepatches use an ftrace handler that changes
    where execution continues after the handler returns, and ftrace
    allows only one such handler per function. The first user wins:
    either the probe or the patch is rejected when the handler is
    already in use by the other.


  - Kprobes in the original function are ignored when the code is
    redirected to the new implementation.

    The old function body is no longer executed, so a probe placed in it
    never fires. Work is in progress to add warnings about this situation.
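A pre-flight check for the traceability, kretprobe and kprobe limitations above, added here as an example that is not part of the kernel documentation or of any livepatch tooling. It looks each function the patch will replace up in tracefs' available_filter_functions (a function that is notrace, or otherwise has no ftrace call site, is absent from it) and in debugfs' kprobes/list, whose lines carry 'k' for a kprobe and 'r' for a kretprobe. The sample data at the bottom is constructed so the script runs without root; the two paths are variables so it can be pointed at a live system instead.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: pre-flight checks for
# the functions a livepatch is about to replace, covering the traceability,
# kretprobe and kprobe limitations.  The two kernel files are only readable
# as root, so their locations are variables and a constructed sample is
# provided at the bottom.
TRACEFS="${TRACEFS:-/sys/kernel/tracing}"
KPROBES_LIST="${KPROBES_LIST:-/sys/kernel/debug/kprobes/list}"

# 0 if the function is listed in available_filter_functions, i.e. it has an
# ftrace call site and is not notrace.  Module functions appear there as
# "name [module]", so only the first field is compared.
klp_traceable() {
    awk -v f="$1" '$1 == f { found = 1; exit } END { exit !found }' \
        "$TRACEFS/available_filter_functions"
}

# Print the type of every live probe inside function $1, one per line:
# "k" for a kprobe, "r" for a kretprobe.  kprobes/list lines look like
# "<addr>  <k|r>  <symbol>+0x<off>  [<module>] [FLAGS]"; probes whose owner
# module is gone are skipped.
klp_probes_on() {
    [ -r "$KPROBES_LIST" ] || return 0
    awk -v f="$1" '$0 !~ /\[GONE\]/ { split($3, sym, "+"); if (sym[1] == f) print $2 }' \
        "$KPROBES_LIST"
}

# Check every function named on the command line.  The exit status is the
# number of hard failures (untraceable function, or a kretprobe already
# holding the ftrace handler).  A plain kprobe is only a warning: the patch
# still loads, but the probe stops firing once the function is redirected.
klp_preflight() {
    fails=0
    for f in "$@"; do
        if ! klp_traceable "$f"; then
            echo "FAIL $f: not traceable (notrace or no ftrace call site)"
            fails=$((fails + 1))
            continue
        fi
        for t in $(klp_probes_on "$f"); do
            case $t in
            r) echo "FAIL $f: kretprobe attached, ftrace handler already in use"
               fails=$((fails + 1)) ;;
            k) echo "WARN $f: kprobe attached, it will be ignored once patched" ;;
            esac
        done
    done
    return $fails
}

# Constructed sample input (not captured from a real kernel) in the format
# of the two files, so the checks can be exercised without root.
klp_sample_setup() {
    mkdir -p "$1/tracing"
    printf '%s\n' vfs_read vfs_write ksys_read 'xfs_file_read_iter [xfs]' \
        > "$1/tracing/available_filter_functions"
    printf '%s\n' \
        'ffffffffa0001000  r  vfs_write+0x0   [FTRACE]' \
        'ffffffffa0002000  k  ksys_read+0x0   [FTRACE]' \
        'ffffffffa0003000  k  vfs_read+0x0   [GONE][FTRACE]' \
        > "$1/kprobes_list"
    TRACEFS=$1/tracing
    KPROBES_LIST=$1/kprobes_list
}

if [ $# -gt 0 ]; then
    klp_preflight "$@"                 # check the given functions on this host
else
    d=$(mktemp -d); klp_sample_setup "$d"
    # ftrace_ops_list_func implements ftrace itself and so is never traceable
    klp_preflight vfs_read vfs_write ksys_read ftrace_ops_list_func || echo "failures: $?"
    rm -rf "$d"
fi
```

Run without arguments the script checks the constructed sample and reports two failures (the kretprobed vfs_write and the untraceable ftrace_ops_list_func) plus a warning for the kprobed ksys_read; on a live system pass the function names the patch touches, as root.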