| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LSU.2.21.1904162047180.9731@pobox.suse.cz>
Date: Tue, 16 Apr 2019 20:52:12 +0200 (CEST)
From: Miroslav Benes <mbenes@...e.cz>
To: Josh Poimboeuf <jpoimboe@...hat.com>
cc: Jiri Kosina <jikos@...nel.org>, Petr Mladek <pmladek@...e.com>,
Kamalesh Babulal <kamalesh@...ux.vnet.ibm.com>,
live-patching@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] livepatch: Enforce reliable stack trace as config
dependency
On Tue, 16 Apr 2019, Josh Poimboeuf wrote:
> On Tue, Apr 16, 2019 at 01:47:30PM +0200, Jiri Kosina wrote:
> > On Tue, 12 Feb 2019, Petr Mladek wrote:
> >
> > > > I think I'd rather go in the opposite direction: allow the patches to be
> > > > loaded. Then they can be forced, if needed. That enables both compile
> > > > and runtime testing. That way we don't make any backward progress,
> > > > until such arches get reliable stacktraces.
> > >
> > > Do you mean to convert the error into warning?
> > >
> > > For example, the change below. Note that I did not mention
> > > the possibility to force the transition by intention. It is risky
> > > and people should not get used to it.
> > >
> > > Heh, I think that this was the main reason why it was the error.
> > > We did not want to get people used to forcing livepatches.
> > >
> > >
> > > diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
> > > index d1af69e9f0e3..8d9bce251516 100644
> > > --- a/kernel/livepatch/core.c
> > > +++ b/kernel/livepatch/core.c
> > > @@ -1035,11 +1035,10 @@ int klp_enable_patch(struct klp_patch *patch)
> > > return -ENODEV;
> > >
> > > if (!klp_have_reliable_stack()) {
> > > - pr_err("This architecture doesn't have support for the livepatch consistency model.\n");
> > > - return -EOPNOTSUPP;
> > > + pr_warn("This architecture doesn't have support for the livepatch consistency model.\n");
> > > + pr_warn("Only one livepatch can be installed.\n");
> > > }
> > >
> > > -
> >
> > This seems to have been lost.
>
> Sorry, this must have gotten lost in my inbox - yes, something like the
> above is what I had in mind. Though instead of "one livepatch can be
> installed" it might say that the patch transition may never complete.
Sounds better to me too.
> BTW, might we want to consider adding a way to say "this patch doesn't
> need the consistency model", which just applies the patch immediately
> like we used to? Like patch->simple = true? Then we could easily
> support all arches for basic patches.
I'd rather not return to immediate. There was a bug (commit d0807da78e11
("livepatch: Remove immediate feature") explains it), it made the code
complicated and it was impossible to disable patches/remove modules with
that. After all, the consistency model gives us not only the consistency,
but also assurance that all tasks were migrated outside of patched
functions.
> > I think we should take this aproach before Miroslav is ready with
> > realiable stack traces for s390. At the same time, I'd suggest issuing a
> > proper WARN() there instead of just pr_warn(). The kernel might be in a
> > potentially funky state, so let's at least get the 'W' taint in place.
>
> I don't think it would be in a dangerous state, because
> save_stack_trace_tsk_reliable() will return -ENOSYS and the patch will
> remain in transition forever because the signaling doesn't work for
> kthreads. So I don't think a warning is necessary. In fact we may want
> to remove the warning in the generic version of
> save_stack_trace_tsk_reliable().
I would not mind.
Miroslav
Powered by blists - more mailing lists