| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Feb 2015 08:20:35 -0600
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Jiri Kosina <jkosina@...e.cz>
Cc: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
live-patching@...r.kernel.org, linux-kernel@...r.kernel.org,
Seth Jennings <sjenning@...hat.com>,
Vojtech Pavlik <vojtech@...e.cz>
Subject: Re: [RFC PATCH 6/9] livepatch: create per-task consistency model
On Thu, Feb 12, 2015 at 02:16:07PM +0100, Jiri Kosina wrote:
> On Thu, 12 Feb 2015, Peter Zijlstra wrote:
>
> > > The short answer is: I need a way to ensure that a task isn't sleeping
> > > on any of the functions we're trying to patch. If it's not, then I can
> > > switch the task over to start using new versions of functions.
> > >
> > > Obviously, there are many more details than that. If you have specific
> > > questions I can try to answer them.
> >
> > How can one task run new and another task old functions? Once you patch
> > any indirect function pointer any task will see the new call.
>
> Patched functions are redirected through ftrace trampoline, and decision
> is being made there which function (old or new) to redirect to.
>
> Function calls through pointer always go first to the original function,
> and get redirected from its __fentry__ site.
>
> Once the system is in fully patched state, the overhead of the trampoline
> is reduced (no expensive decision-making to be made there, etc) to
> minimum.
>
> Sure, you will never be on a 100% of performance of the unpatched kernel
> for redirected functions, the indirect call through the trampoline will
> always be there (although ftrace with dynamic trampolines is really
> minimizing this penalty to few extra instructions, one extra call and one
> extra ret being the expensive ones).
>
> > And what's wrong with using known good spots like the freezer?
>
> It has undefined semantics when it comes to what you want to achieve here.
>
> Say for example you have a kernel thread which does something like
>
> while (some_condition) {
> ret = foo();
> ...
> try_to_freeze();
> ...
> }
>
> and you have a livepatch patching foo() and changing its return value
> semantics. Then freezer doesn't really help.
Don't we have the same issue with livepatch? For example:
while (some_condition) {
ret = foo();
...
schedule(); <-- switch to the new universe while it's sleeps
...
// use ret in an unexpected way
}
I think it's not really a problem, just something the patch author needs
to be aware of regardless. It should be part of the checklist. You
always need to be extremely careful when changing a function's return
semantics.
IIRC, when I looked at the freezer before, the biggest problems I found
were that it's too disruptive to the process, and that not all kthreads
are freezable. And I don't see anything inherently safer about it
compared to just stack checking.
--
Josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists