<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in sysfs-kernel-livepatch</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator>
<item>
        <title>3dae09de - livepatch: Add stack_order sysfs attribute</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#3dae09de</link>
        <description>livepatch: Add stack_order sysfs attribute

            Add &quot;stack_order&quot; sysfs attribute which holds the order in which a livepatch module was loaded into the system. A user can then determine an active live patched version of a function.

            cat /sys/kernel/livepatch/livepatch_1/stack_order -&gt; 1

            means that livepatch_1 is the first live patch applied

            cat /sys/kernel/livepatch/livepatch_module/stack_order -&gt; N

            means that livepatch_module is the Nth live patch applied

            Suggested-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Suggested-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Suggested-by: Josh Poimboeuf &lt;jpoimboe@kernel.org&gt;
            Signed-off-by: Wardenjohn &lt;zhangwarden@gmail.com&gt;
            Acked-by: Josh Poimboeuf &lt;jpoimboe@kernel.org&gt;
            Reviewed-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Tested-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Reviewed-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Link: https://lore.kernel.org/r/20241008014856.3729-2-zhangwarden@gmail.com
            [pmladek@suse.com: Updated kernel version and date in the ABI documentation.]
            Signed-off-by: Petr Mladek &lt;pmladek@suse.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Tue, 08 Oct 2024 01:48:56 +0000</pubDate>
        <dc:creator>Wardenjohn &lt;zhangwarden@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>adb68ed2 - livepatch: Add &quot;replace&quot; sysfs attribute</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#adb68ed2</link>
        <description>livepatch: Add &quot;replace&quot; sysfs attribute

            There are situations when it might make sense to combine livepatches with and without the atomic replace on the same system. For example, the livepatch without the atomic replace might provide a hotfix or extra tuning.

            Managing livepatches on such systems might be challenging. And the information which of the installed livepatches do not use the atomic replace would be useful.

            Add new sysfs interface &apos;replace&apos;. It works as follows:

               $ cat /sys/kernel/livepatch/livepatch-non_replace/replace
               0

               $ cat /sys/kernel/livepatch/livepatch-replace/replace
               1

            [ commit log improved by Petr ]

            Signed-off-by: Yafang Shao &lt;laoar.shao@gmail.com&gt;
            Reviewed-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Acked-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Link: https://lore.kernel.org/r/20240625151123.2750-2-laoar.shao@gmail.com
            Signed-off-by: Petr Mladek &lt;pmladek@suse.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Tue, 25 Jun 2024 15:11:21 +0000</pubDate>
        <dc:creator>Yafang Shao &lt;laoar.shao@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>bb26cfd9 - livepatch: add sysfs entry &quot;patched&quot; for each klp_object</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#bb26cfd9</link>
        <description>livepatch: add sysfs entry &quot;patched&quot; for each klp_object

            Add per klp_object sysfs entry &quot;patched&quot;. It makes it easier to debug typos in the module name.

            Signed-off-by: Song Liu &lt;song@kernel.org&gt;
            Reviewed-by: Joe Lawrence &lt;joe.lawrence@redhat.com&gt;
            [pmladek@suse.com: Updated kernel version when the sysfs file will be introduced]
            Reviewed-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Signed-off-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Link: https://lore.kernel.org/r/20220902205208.3117798-2-song@kernel.org

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Fri, 02 Sep 2022 20:52:07 +0000</pubDate>
        <dc:creator>Song Liu &lt;song@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>89e33ea7 - docs: livepatch: convert docs to ReST and rename to *.rst</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#89e33ea7</link>
        <description>docs: livepatch: convert docs to ReST and rename to *.rst

            Convert livepatch documentation to ReST format. The changes are mostly trivial, as the documents are already on a good shape. Just a few markup changes are needed for Sphinx to properly parse the docs.

            The conversion is actually:
              - add blank lines and indentation in order to identify paragraphs;
              - fix tables markups;
              - add some lists markups;
              - mark literal blocks;
              - The in-file TOC becomes a comment, in order to skip it from the output, as Sphinx already generates an index there.
              - adjust title markups.

            At its new index.rst, let&apos;s add a :orphan: while this is not linked to the main index.rst file, in order to avoid build warnings.

            Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+samsung@kernel.org&gt;
            Signed-off-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Acked-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Acked-by: Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;
            Acked-by: Joe Lawrence &lt;joe.lawrence@redhat.com&gt;
            Reviewed-by: Kamalesh Babulal &lt;kamalesh@linux.vnet.ibm.com&gt;
            Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Fri, 03 May 2019 14:30:23 +0000</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+samsung@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>0b3d5279 - livepatch: Remove signal sysfs attribute</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#0b3d5279</link>
        <description>livepatch: Remove signal sysfs attribute

            The fake signal is sent automatically now. We can rely on it completely and remove the sysfs attribute.

            Signed-off-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Tue, 15 Jan 2019 16:45:07 +0000</pubDate>
        <dc:creator>Miroslav Benes &lt;mbenes@suse.cz&gt;</dc:creator>
    </item>
<item>
        <title>c99a2be7 - livepatch: force transition to finish</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#c99a2be7</link>
        <description>livepatch: force transition to finish

            If a task sleeps in a set of patched functions uninterruptedly, it could block the whole transition indefinitely. Thus it may be useful to clear its TIF_PATCH_PENDING to allow the process to finish.

            Admin can do that now by writing to force sysfs attribute in livepatch sysfs directory. TIF_PATCH_PENDING is then cleared for all tasks and the transition can finish successfully.

            Important note! Administrator should not use this feature without a clearance from a patch distributor. It must be checked that by doing so the consistency model guarantees are not violated. Removal (rmmod) of patch modules is permanently disabled when the feature is used. It cannot be guaranteed there is no task sleeping in such module.

            Signed-off-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Acked-by: Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;
            Reviewed-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Wed, 22 Nov 2017 10:29:21 +0000</pubDate>
        <dc:creator>Miroslav Benes &lt;mbenes@suse.cz&gt;</dc:creator>
    </item>
<item>
        <title>43347d56 - livepatch: send a fake signal to all blocking tasks</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#43347d56</link>
        <description>livepatch: send a fake signal to all blocking tasks

            Live patching consistency model is of LEAVE_PATCHED_SET and SWITCH_THREAD. This means that all tasks in the system have to be marked one by one as safe to call a new patched function. Safe means when a task is not (sleeping) in a set of patched functions. That is, no patched function is on the task&apos;s stack. Another clearly safe place is the boundary between kernel and userspace. The patching waits for all tasks to get outside of the patched set or to cross the boundary. The transition is completed afterwards.

            The problem is that a task can block the transition for quite a long time, if not forever. It could sleep in a set of patched functions, for example. Luckily we can force the task to leave the set by sending it a fake signal, that is a signal with no data in signal pending structures (no handler, no sign of proper signal delivered). Suspend/freezer use this to freeze the tasks as well. The task gets TIF_SIGPENDING set and is woken up (if it has been sleeping in the kernel before) or kicked by rescheduling IPI (if it was running on other CPU). This causes the task to go to kernel/userspace boundary where the signal would be handled and the task would be marked as safe in terms of live patching.

            There are tasks which are not affected by this technique though. The fake signal is not sent to kthreads. They should be handled differently. They can be woken up so they leave the patched set and their TIF_PATCH_PENDING can be cleared thanks to stack checking.

            For the sake of completeness, if the task is in TASK_RUNNING state but not currently running on some CPU it doesn&apos;t get the IPI, but it would eventually handle the signal anyway. Second, if the task runs in the kernel (in TASK_RUNNING state) it gets the IPI, but the signal is not handled on return from the interrupt. It would be handled on return to the userspace in the future when the fake signal is sent again. Stack checking deals with these cases in a better way.

            If the task was sleeping in a syscall it would be woken by our fake signal, it would check if TIF_SIGPENDING is set (by calling signal_pending() predicate) and return ERESTART* or EINTR. Syscalls with ERESTART* return values are restarted in case of the fake signal (see do_signal()). EINTR is propagated back to the userspace program. This could disturb the program, but...

            * each process dealing with signals should react accordingly to EINTR return values.
            * syscalls returning EINTR happen to be quite common situation in the system even if no fake signal is sent.
            * freezer sends the fake signal and does not deal with EINTR anyhow. Thus EINTR values are returned when the system is resumed.

            The very safe marking is done in architectures&apos; &quot;entry&quot; on syscall and interrupt/exception exit paths, and in a stack checking functions of livepatch. TIF_PATCH_PENDING is cleared and the next recalc_sigpending() drops TIF_SIGPENDING. In connection with this, also call klp_update_patch_state() before do_signal(), so that recalc_sigpending() in dequeue_signal() can clear TIF_PATCH_PENDING immediately and thus prevent a double call of do_signal().

            Note that the fake signal is not sent to stopped/traced tasks. Such task prevents the patching to finish till it continues again (is not traced anymore).

            Last, sending the fake signal is not automatic. It is done only when admin requests it by writing 1 to signal sysfs attribute in livepatch sysfs directory.

            Signed-off-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
            Cc: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
            Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
            Cc: Ingo Molnar &lt;mingo@redhat.com&gt;
            Cc: &quot;H. Peter Anvin&quot; &lt;hpa@zytor.com&gt;
            Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
            Cc: linuxppc-dev@lists.ozlabs.org
            Cc: x86@kernel.org
            Acked-by: Michael Ellerman &lt;mpe@ellerman.id.au&gt; (powerpc)
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Wed, 15 Nov 2017 13:50:13 +0000</pubDate>
        <dc:creator>Miroslav Benes &lt;mbenes@suse.cz&gt;</dc:creator>
    </item>
<item>
        <title>d83a7cb3 - livepatch: change to a per-task consistency model</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#d83a7cb3</link>
        <description>livepatch: change to a per-task consistency model

            Change livepatch to use a basic per-task consistency model. This is the foundation which will eventually enable us to patch those ~10% of security patches which change function or data semantics. This is the biggest remaining piece needed to make livepatch more generally useful.

            This code stems from the design proposal made by Vojtech [1] in November 2014. It&apos;s a hybrid of kGraft and kpatch: it uses kGraft&apos;s per-task consistency and syscall barrier switching combined with kpatch&apos;s stack trace switching. There are also a number of fallback options which make it quite flexible.

            Patches are applied on a per-task basis, when the task is deemed safe to switch over. When a patch is enabled, livepatch enters into a transition state where tasks are converging to the patched state. Usually this transition state can complete in a few seconds. The same sequence occurs when a patch is disabled, except the tasks converge from the patched state to the unpatched state.

            An interrupt handler inherits the patched state of the task it interrupts. The same is true for forked tasks: the child inherits the patched state of the parent.

            Livepatch uses several complementary approaches to determine when it&apos;s safe to patch tasks:

            1. The first and most effective approach is stack checking of sleeping tasks. If no affected functions are on the stack of a given task, the task is patched. In most cases this will patch most or all of the tasks on the first try. Otherwise it&apos;ll keep trying periodically. This option is only available if the architecture has reliable stacks (HAVE_RELIABLE_STACKTRACE).

            2. The second approach, if needed, is kernel exit switching. A task is switched when it returns to user space from a system call, a user space IRQ, or a signal. It&apos;s useful in the following cases:

               a) Patching I/O-bound user tasks which are sleeping on an affected function. In this case you have to send SIGSTOP and SIGCONT to force it to exit the kernel and be patched.
               b) Patching CPU-bound user tasks. If the task is highly CPU-bound then it will get patched the next time it gets interrupted by an IRQ.
               c) In the future it could be useful for applying patches for architectures which don&apos;t yet have HAVE_RELIABLE_STACKTRACE. In this case you would have to signal most of the tasks on the system. However this isn&apos;t supported yet because there&apos;s currently no way to patch kthreads without HAVE_RELIABLE_STACKTRACE.

            3. For idle &quot;swapper&quot; tasks, since they don&apos;t ever exit the kernel, they instead have a klp_update_patch_state() call in the idle loop which allows them to be patched before the CPU enters the idle state.

               (Note there&apos;s not yet such an approach for kthreads.)

            All the above approaches may be skipped by setting the &apos;immediate&apos; flag in the &apos;klp_patch&apos; struct, which will disable per-task consistency and patch all tasks immediately. This can be useful if the patch doesn&apos;t change any function or data semantics. Note that, even with this flag set, it&apos;s possible that some tasks may still be running with an old version of the function, until that function returns.

            There&apos;s also an &apos;immediate&apos; flag in the &apos;klp_func&apos; struct which allows you to specify that certain functions in the patch can be applied without per-task consistency. This might be useful if you want to patch a common function like schedule(), and the function change doesn&apos;t need consistency but the rest of the patch does.

            For architectures which don&apos;t have HAVE_RELIABLE_STACKTRACE, the user must set patch-&gt;immediate which causes all tasks to be patched immediately. This option should be used with care, only when the patch doesn&apos;t change any function or data semantics.

            In the future, architectures which don&apos;t have HAVE_RELIABLE_STACKTRACE may be allowed to use per-task consistency if we can come up with another way to patch kthreads.

            The /sys/kernel/livepatch/&lt;patch&gt;/transition file shows whether a patch is in transition. Only a single patch (the topmost patch on the stack) can be in transition at a given time. A patch can remain in transition indefinitely, if any of the tasks are stuck in the initial patch state.

            A transition can be reversed and effectively canceled by writing the opposite value to the /sys/kernel/livepatch/&lt;patch&gt;/enabled file while the transition is in progress. Then all the tasks will attempt to converge back to the original patch state.

            [1] https://lkml.kernel.org/r/20141107140458.GA21774@suse.cz

            Signed-off-by: Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;
            Acked-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Acked-by: Ingo Molnar &lt;mingo@kernel.org&gt;        # for the scheduler changes
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Tue, 14 Feb 2017 01:42:40 +0000</pubDate>
        <dc:creator>Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;</dc:creator>
    </item>
<item>
        <title>444f9e99 - livepatch: function,sympos scheme in livepatch sysfs directory</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#444f9e99</link>
        <description>livepatch: function,sympos scheme in livepatch sysfs directory

            The following directory structure will allow for cases when the same function name exists in a single object.

                /sys/kernel/livepatch/&lt;patch&gt;/&lt;object&gt;/&lt;function,sympos&gt;

            The sympos number corresponds to the nth occurrence of the symbol name in kallsyms for the patched object.

            An example of patching multiple symbols can be found here:

                https://github.com/dynup/kpatch/issues/493

            Signed-off-by: Chris J Arges &lt;chris.j.arges@canonical.com&gt;
            Reviewed-by: Petr Mladek &lt;pmladek@suse.com&gt;
            Acked-by: Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Wed, 02 Dec 2015 02:40:56 +0000</pubDate>
        <dc:creator>Chris J Arges &lt;chris.j.arges@canonical.com&gt;</dc:creator>
    </item>
<item>
        <title>b700e7f0 - livepatch: kernel: add support for live patching</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch#b700e7f0</link>
        <description>livepatch: kernel: add support for live patching

            This commit introduces code for the live patching core. It implements an ftrace-based mechanism and kernel interface for doing live patching of kernel and kernel module functions.

            It represents the greatest common functionality set between kpatch and kgraft and can accept patches built using either method.

            This first version does not implement any consistency mechanism that ensures that old and new code do not run together. In practice, ~90% of CVEs are safe to apply in this way, since they simply add a conditional check. However, any function change that can not execute safely with the old version of the function can _not_ be safely applied in this version.

            [ jkosina@suse.cz: due to the number of contributions that got folded into this original patch from Seth Jennings, add SUSE&apos;s copyright as well, as discussed via e-mail ]

            Signed-off-by: Seth Jennings &lt;sjenning@redhat.com&gt;
            Signed-off-by: Josh Poimboeuf &lt;jpoimboe@redhat.com&gt;
            Reviewed-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Reviewed-by: Petr Mladek &lt;pmladek@suse.cz&gt;
            Reviewed-by: Masami Hiramatsu &lt;masami.hiramatsu.pt@hitachi.com&gt;
            Signed-off-by: Miroslav Benes &lt;mbenes@suse.cz&gt;
            Signed-off-by: Petr Mladek &lt;pmladek@suse.cz&gt;
            Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/sysfs-kernel-livepatch</description>
        <pubDate>Tue, 16 Dec 2014 17:58:19 +0000</pubDate>
        <dc:creator>Seth Jennings &lt;sjenning@redhat.com&gt;</dc:creator>
    </item>
</channel>
</rss>
