189e33ea7SMauro Carvalho Chehab====================== 289e33ea7SMauro Carvalho Chehab(Un)patching Callbacks 389e33ea7SMauro Carvalho Chehab====================== 489e33ea7SMauro Carvalho Chehab 589e33ea7SMauro Carvalho ChehabLivepatch (un)patch-callbacks provide a mechanism for livepatch modules 689e33ea7SMauro Carvalho Chehabto execute callback functions when a kernel object is (un)patched. They 7d9defe44SPetr Mladekcan be considered a **power feature** that **extends livepatching abilities** 889e33ea7SMauro Carvalho Chehabto include: 989e33ea7SMauro Carvalho Chehab 1089e33ea7SMauro Carvalho Chehab - Safe updates to global data 1189e33ea7SMauro Carvalho Chehab 1289e33ea7SMauro Carvalho Chehab - "Patches" to init and probe functions 1389e33ea7SMauro Carvalho Chehab 1489e33ea7SMauro Carvalho Chehab - Patching otherwise unpatchable code (i.e. assembly) 1589e33ea7SMauro Carvalho Chehab 1689e33ea7SMauro Carvalho ChehabIn most cases, (un)patch callbacks will need to be used in conjunction 1789e33ea7SMauro Carvalho Chehabwith memory barriers and kernel synchronization primitives, like 1889e33ea7SMauro Carvalho Chehabmutexes/spinlocks, or even stop_machine(), to avoid concurrency issues. 1989e33ea7SMauro Carvalho Chehab 20d9defe44SPetr Mladek1. Motivation 21d9defe44SPetr Mladek============= 22d9defe44SPetr Mladek 2389e33ea7SMauro Carvalho ChehabCallbacks differ from existing kernel facilities: 2489e33ea7SMauro Carvalho Chehab 2589e33ea7SMauro Carvalho Chehab - Module init/exit code doesn't run when disabling and re-enabling a 2689e33ea7SMauro Carvalho Chehab patch. 2789e33ea7SMauro Carvalho Chehab 2889e33ea7SMauro Carvalho Chehab - A module notifier can't stop a to-be-patched module from loading. 2989e33ea7SMauro Carvalho Chehab 3089e33ea7SMauro Carvalho ChehabCallbacks are part of the klp_object structure and their implementation 3189e33ea7SMauro Carvalho Chehabis specific to that klp_object. Other livepatch objects may or may not 3289e33ea7SMauro Carvalho Chehabbe patched, irrespective of the target klp_object's current state. 3389e33ea7SMauro Carvalho Chehab 34d9defe44SPetr Mladek2. Callback types 35d9defe44SPetr Mladek================= 36d9defe44SPetr Mladek 3789e33ea7SMauro Carvalho ChehabCallbacks can be registered for the following livepatch actions: 3889e33ea7SMauro Carvalho Chehab 3989e33ea7SMauro Carvalho Chehab * Pre-patch 4089e33ea7SMauro Carvalho Chehab - before a klp_object is patched 4189e33ea7SMauro Carvalho Chehab 4289e33ea7SMauro Carvalho Chehab * Post-patch 4389e33ea7SMauro Carvalho Chehab - after a klp_object has been patched and is active 4489e33ea7SMauro Carvalho Chehab across all tasks 4589e33ea7SMauro Carvalho Chehab 4689e33ea7SMauro Carvalho Chehab * Pre-unpatch 4789e33ea7SMauro Carvalho Chehab - before a klp_object is unpatched (ie, patched code is 4889e33ea7SMauro Carvalho Chehab active), used to clean up post-patch callback 4989e33ea7SMauro Carvalho Chehab resources 5089e33ea7SMauro Carvalho Chehab 5189e33ea7SMauro Carvalho Chehab * Post-unpatch 5289e33ea7SMauro Carvalho Chehab - after a klp_object has been patched, all code has 5389e33ea7SMauro Carvalho Chehab been restored and no tasks are running patched code, 5489e33ea7SMauro Carvalho Chehab used to cleanup pre-patch callback resources 5589e33ea7SMauro Carvalho Chehab 56d9defe44SPetr Mladek3. How it works 57d9defe44SPetr Mladek=============== 58d9defe44SPetr Mladek 5989e33ea7SMauro Carvalho ChehabEach callback is optional, omitting one does not preclude specifying any 6089e33ea7SMauro Carvalho Chehabother. However, the livepatching core executes the handlers in 6189e33ea7SMauro Carvalho Chehabsymmetry: pre-patch callbacks have a post-unpatch counterpart and 6289e33ea7SMauro Carvalho Chehabpost-patch callbacks have a pre-unpatch counterpart. An unpatch 6389e33ea7SMauro Carvalho Chehabcallback will only be executed if its corresponding patch callback was 6489e33ea7SMauro Carvalho Chehabexecuted. Typical use cases pair a patch handler that acquires and 6589e33ea7SMauro Carvalho Chehabconfigures resources with an unpatch handler tears down and releases 6689e33ea7SMauro Carvalho Chehabthose same resources. 6789e33ea7SMauro Carvalho Chehab 6889e33ea7SMauro Carvalho ChehabA callback is only executed if its host klp_object is loaded. For 6989e33ea7SMauro Carvalho Chehabin-kernel vmlinux targets, this means that callbacks will always execute 7089e33ea7SMauro Carvalho Chehabwhen a livepatch is enabled/disabled. For patch target kernel modules, 7189e33ea7SMauro Carvalho Chehabcallbacks will only execute if the target module is loaded. When a 7289e33ea7SMauro Carvalho Chehabmodule target is (un)loaded, its callbacks will execute only if the 7389e33ea7SMauro Carvalho Chehablivepatch module is enabled. 7489e33ea7SMauro Carvalho Chehab 7589e33ea7SMauro Carvalho ChehabThe pre-patch callback, if specified, is expected to return a status 7689e33ea7SMauro Carvalho Chehabcode (0 for success, -ERRNO on error). An error status code indicates 7789e33ea7SMauro Carvalho Chehabto the livepatching core that patching of the current klp_object is not 7889e33ea7SMauro Carvalho Chehabsafe and to stop the current patching request. (When no pre-patch 7989e33ea7SMauro Carvalho Chehabcallback is provided, the transition is assumed to be safe.) If a 8089e33ea7SMauro Carvalho Chehabpre-patch callback returns failure, the kernel's module loader will: 8189e33ea7SMauro Carvalho Chehab 8289e33ea7SMauro Carvalho Chehab - Refuse to load a livepatch, if the livepatch is loaded after 8389e33ea7SMauro Carvalho Chehab targeted code. 8489e33ea7SMauro Carvalho Chehab 8589e33ea7SMauro Carvalho Chehab or: 8689e33ea7SMauro Carvalho Chehab 8789e33ea7SMauro Carvalho Chehab - Refuse to load a module, if the livepatch was already successfully 8889e33ea7SMauro Carvalho Chehab loaded. 8989e33ea7SMauro Carvalho Chehab 9089e33ea7SMauro Carvalho ChehabNo post-patch, pre-unpatch, or post-unpatch callbacks will be executed 9189e33ea7SMauro Carvalho Chehabfor a given klp_object if the object failed to patch, due to a failed 9289e33ea7SMauro Carvalho Chehabpre_patch callback or for any other reason. 9389e33ea7SMauro Carvalho Chehab 9489e33ea7SMauro Carvalho ChehabIf a patch transition is reversed, no pre-unpatch handlers will be run 9589e33ea7SMauro Carvalho Chehab(this follows the previously mentioned symmetry -- pre-unpatch callbacks 9689e33ea7SMauro Carvalho Chehabwill only occur if their corresponding post-patch callback executed). 9789e33ea7SMauro Carvalho Chehab 9889e33ea7SMauro Carvalho ChehabIf the object did successfully patch, but the patch transition never 9989e33ea7SMauro Carvalho Chehabstarted for some reason (e.g., if another object failed to patch), 10089e33ea7SMauro Carvalho Chehabonly the post-unpatch callback will be called. 10189e33ea7SMauro Carvalho Chehab 102d9defe44SPetr Mladek4. Use cases 103d9defe44SPetr Mladek============ 10489e33ea7SMauro Carvalho Chehab 105d9defe44SPetr MladekSample livepatch modules demonstrating the callback API can be found in 106d9defe44SPetr Mladeksamples/livepatch/ directory. These samples were modified for use in 107d9defe44SPetr Mladekkselftests and can be found in the lib/livepatch directory. 10889e33ea7SMauro Carvalho Chehab 109d9defe44SPetr MladekGlobal data update 11089e33ea7SMauro Carvalho Chehab------------------ 11189e33ea7SMauro Carvalho Chehab 11289e33ea7SMauro Carvalho ChehabA pre-patch callback can be useful to update a global variable. For 113*86b17aafSVegard Nossumexample, commit 75ff39ccc1bd ("tcp: make challenge acks less predictable") 11489e33ea7SMauro Carvalho Chehabchanges a global sysctl, as well as patches the tcp_send_challenge_ack() 11589e33ea7SMauro Carvalho Chehabfunction. 11689e33ea7SMauro Carvalho Chehab 11789e33ea7SMauro Carvalho ChehabIn this case, if we're being super paranoid, it might make sense to 11889e33ea7SMauro Carvalho Chehabpatch the data *after* patching is complete with a post-patch callback, 11989e33ea7SMauro Carvalho Chehabso that tcp_send_challenge_ack() could first be changed to read 12089e33ea7SMauro Carvalho Chehabsysctl_tcp_challenge_ack_limit with READ_ONCE. 12189e33ea7SMauro Carvalho Chehab 122d9defe44SPetr Mladek__init and probe function patches support 12389e33ea7SMauro Carvalho Chehab----------------------------------------- 12489e33ea7SMauro Carvalho Chehab 12589e33ea7SMauro Carvalho ChehabAlthough __init and probe functions are not directly livepatch-able, it 12689e33ea7SMauro Carvalho Chehabmay be possible to implement similar updates via pre/post-patch 12789e33ea7SMauro Carvalho Chehabcallbacks. 12889e33ea7SMauro Carvalho Chehab 129*86b17aafSVegard NossumThe commit 48900cb6af42 ("virtio-net: drop NETIF_F_FRAGLIST") change the way that 13089e33ea7SMauro Carvalho Chehabvirtnet_probe() initialized its driver's net_device features. A 13189e33ea7SMauro Carvalho Chehabpre/post-patch callback could iterate over all such devices, making a 13289e33ea7SMauro Carvalho Chehabsimilar change to their hw_features value. (Client functions of the 13389e33ea7SMauro Carvalho Chehabvalue may need to be updated accordingly.) 134