lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150218204444.GA7416@suse.com>
Date:	Wed, 18 Feb 2015 21:44:44 +0100
From:	Vojtech Pavlik <vojtech@...e.com>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Jiri Kosina <jkosina@...e.cz>,
	Peter Zijlstra <peterz@...radead.org>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Ingo Molnar <mingo@...hat.com>,
	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	live-patching@...r.kernel.org, linux-kernel@...r.kernel.org,
	Seth Jennings <sjenning@...hat.com>
Subject: Re: [RFC PATCH 6/9] livepatch: create per-task consistency model

On Wed, Feb 18, 2015 at 09:17:55PM +0100, Ingo Molnar wrote:
> 
> * Jiri Kosina <jkosina@...e.cz> wrote:
> 
> > On Thu, 12 Feb 2015, Peter Zijlstra wrote:
> > 
> > > And what's wrong with using known good spots like the freezer?
> > 
> > Quoting Tejun from the thread Jiri Slaby likely had on 
> > mind:
> > 
> > "The fact that they may coincide often can be useful as a 
> > guideline or whatever but I'm completely against just 
> > mushing it together when it isn't correct.  This kind of 
> > things quickly lead to ambiguous situations where people 
> > are not sure about the specific semantics or guarantees 
> > of the construct and implement weird voodoo code followed 
> > by voodoo fixes.  We already had a full round of that 
> > with the kernel freezer itself, where people thought that 
> > the freezer magically makes PM work properly for a 
> > subsystem.  Let's please not do that again."
> 
> I don't follow this vague argument.
> 
> The concept of 'freezing' all userspace execution is pretty 
> unambiguous: tasks that are running are trapped out at 
> known safe points such as context switch points or syscall 
> entry. Once all tasks have stopped, the system is frozen in 
> the sense that only the code we want is running, so you can 
> run special code without worrying about races.
> 
> What's the problem with that? Why would it be fundamentally 
> unsuitable for live patching?

For live patching it doesn't matter whether code is running, sleeping or
frozen.

What matters is whether there is state before patching that may not be
valid after patching.

For userspace tasks, the exit from a syscall is a perfect moment for
switching to the "after" state, as all stacks, and thus all local
variables are gone and no local state exists in the kernel for the
thread.

The freezer is a logical choice for kernel threads, however, given that
kernel threads have no defined entry/exit point and execute within a
single main function, local variables stay and thus local state persists
from before to after freezing.

Defining that no local state within a kernel thread may be relied upon
after exiting from the freezer is certainly possible, and is already
true for many kernel threads.

It isn't a given property of the freezer itself, though. And isn't
obvious for author of new kernel threads either.

The ideal solution would be to convert the majority of kernel threads to
workqueues, because then there is a defined entry/exit point over which
state isn't transferred. That is a lot of work, though, and has other
drawbacks, particularly in the realtime space.

-- 
Vojtech Pavlik
Director SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ