lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 22 Jan 2019 11:06:56 +0100 (CET)
From:   Miroslav Benes <mbenes@...e.cz>
To:     Petr Mladek <pmladek@...e.com>
cc:     Jiri Kosina <jikos@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Jason Baron <jbaron@...mai.com>,
        Joe Lawrence <joe.lawrence@...hat.com>,
        Evgenii Shatokhin <eshatokhin@...tuozzo.com>,
        live-patching@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4/4] livepatch: Remove the redundant enabled flag in
 struct klp_patch

On Wed, 16 Jan 2019, Petr Mladek wrote:

> diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
> index 684766d306ad..8e644837e668 100644
> --- a/kernel/livepatch/core.c
> +++ b/kernel/livepatch/core.c
> @@ -59,6 +59,17 @@ static bool klp_is_module(struct klp_object *obj)
>  	return obj->name;
>  }
>  
> +static bool klp_patch_enabled(struct klp_patch *patch)
> +{
> +	if (patch == klp_transition_patch) {
> +		WARN_ON_ONCE(klp_target_state == KLP_UNDEFINED);

I think we'd have a race in the code then. enabled_show() does not take 
klp_mutex() when calling klp_patch_enabled().

A patch sysfs attributes are added quite early during its enablement. 
klp_init_transition() first sets klp_transition_patch, then 
klp_target_state. It means one can call enabled_show() with patch == 
klp_transition_patch and klp_target_state == KLP_UNDEFINED. No?

The similar applies the disablement. klp_complete_transition() first 
clears klp_target_state (sets it to KLP_UNDEFINED), then it clears 
klp_transition_patch.

We could add locking to enabled_show() or swap the assignments with some 
barriers on top.

Or we could remove WARN_ON_ONCE() and live with false results in 
enabled_show(). It does not matter much, I think. All the other call sites 
of klp_patch_enabled() should be fine.

> +		return klp_target_state == KLP_PATCHED;
> +	}
> +
> +	return !list_empty(&patch->list);
> +}

Shouldn't we also change list_del(&patch->list) in klp_free_patch_start() 
to list_del_init(&patch->list)?

[...]

> @@ -955,7 +964,7 @@ static int __klp_enable_patch(struct klp_patch *patch)
>  	if (klp_transition_patch)
>  		return -EBUSY;
>  
> -	if (WARN_ON(patch->enabled))
> +	if (list_empty(&patch->list))
>  		return -EINVAL;

I wanted to ask why there is list_empty() and not klp_patch_enabled(), so 
just to be sure... the patch was added to klp_patches list, so patch->list 
is not empty (should not be). We could achieve the same by calling 
!klp_patch_enabled() given its implementation, but it would look 
counter-intuitive here.

The rest looks fine.

However, I am not sure if the outcome is better than what we have. Yes, 
patch->enabled is not technically necessary and we can live with that (as 
the patch proves). On the other hand, it gives the reader clear guidance 
about the patch's state. klp_patch_enabled() is not a complete 
replacement. We have to call list_empty() in __klp_enable_patch() or check 
the original klp_target_state in klp_try_complete_transition().

I am not against the change, I am glad to see it is achievable, but I am 
not sure if the code is better with it. Joe acked it. What do the others 
think?

Thanks,
Miroslav

Powered by blists - more mailing lists