lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 11 Jun 2018 10:45:21 +0200
From:   Petr Mladek <pmladek@...e.com>
To:     Miroslav Benes <mbenes@...e.cz>
Cc:     Josh Poimboeuf <jpoimboe@...hat.com>, jikos@...nel.org,
        jeyu@...nel.org, live-patching@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] livepatch: Send a fake signal periodically

On Wed 2018-06-06 09:49:50, Miroslav Benes wrote:
> On Tue, 5 Jun 2018, Josh Poimboeuf wrote:
> 
> > On Tue, Jun 05, 2018 at 09:17:52AM +0200, Miroslav Benes wrote:
> > > On Mon, 4 Jun 2018, Josh Poimboeuf wrote:
> > > 
> > > > On Mon, Jun 04, 2018 at 04:16:35PM +0200, Miroslav Benes wrote:
> > > > > An administrator may send a fake signal to all remaining blocking tasks
> > > > > of a running transition by writing to
> > > > > /sys/kernel/livepatch/<patch>/signal attribute. Let's do it
> > > > > automatically after 10 seconds. The timeout is chosen deliberately. It
> > > > > gives the tasks enough time to transition themselves.
> > > > > 
> > > > > Theoretically, sending it once should be more than enough. Better be safe
> > > > > than sorry, so send it periodically.
> > > > 
> > > > This is the part I don't understand.  Why do it periodically?
> > > 
> > > I met (rare!) cases when doing it once was not enough due to a race and 
> > > the signal was missed. However involved testcases were really artificial.
> > >  
> > > > Instead, might it make sense to just send the signals once, and if that
> > > > doesn't work, reverse the transition?  Then we could make patching a
> > > > synchronous operation.  But then, it might be remotely possible that the
> > > > reverse operation also stalls (e.g., on a kthread).  So, maybe it's best
> > > > to just leave all these controls in the hands of the user.
> > > 
> > > And there is 'force' option...
> > > 
> > > So given all this, I'd call klp_send_signals() once and then leave it up 
> > > to the user. Would that work for you?
> > 
> > Well, I don't know.  Since the patching process will already need to be
> > managed by user space, what's the benefit of having the kernel doing
> > only this part of it?
> 
> I'm not sure about 'will already need to be managed by user space' part. 
> Sending the fake signal would unblock transition in certain cases "for 
> free". No user interaction is really needed and we can do it 
> automatically. That's why I find it beneficial.

I wonder if several kicks might be necessary to get a kthread patched.

BTW: This approach has a bit different effect in compare with kGraft.
In kGraft, it was enough to force kthread going over an explicitly
defined safe point where it migrated itself. In upstream, the kthread
must get scheduled outside any patched function. The chance might
be a bit random.

To make it clear. I believe that sending signal once makes sense for
sure. And it would make sense to even repeat it.

BTW: If we allow to repeat it, we should reset the counter in
klp_reverse_transition().

Best Regards,
Petr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ