| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Nov 2021 13:52:29 +0100
From: Petr Mladek <pmladek@...e.com>
To: Ming Lei <ming.lei@...hat.com>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>,
Jiri Kosina <jikos@...nel.org>,
Miroslav Benes <mbenes@...e.cz>, live-patching@...r.kernel.org,
linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Luis Chamberlain <mcgrof@...nel.org>,
Joe Lawrence <joe.lawrence@...hat.com>
Subject: Re: [PATCH V4 1/3] livepatch: remove 'struct completion finish' from
klp_patch
On Wed 2021-11-03 08:51:32, Ming Lei wrote:
> On Tue, Nov 02, 2021 at 04:56:10PM +0100, Petr Mladek wrote:
> > On Tue 2021-11-02 22:59:30, Ming Lei wrote:
> > > The completion finish is just for waiting release of the klp_patch
> > > object, then releases module refcnt. We can simply drop the module
> > > refcnt in the kobject release handler of klp_patch.
> > >
> > > This way also helps to support allocating klp_patch from heap.
First, I am sorry for confusion. The above description is correct.
I does not say anything about that kobject_put() is synchronous.
> > IMHO, this is wrong assumption. kobject_put() might do everyting
> > asynchronously, see:
I see that you are aware of this behavior.
> > kobject_put()
> > kobject_release()
> > INIT_DELAYED_WORK(&kobj->release, kobject_delayed_cleanup);
> > schedule_delayed_work(&kobj->release, delay);
> >
> > asynchronously:
> >
> > kobject_delayed_cleanup()
> > kobject_cleanup()
> > __kobject_del()
>
> OK, this is one generic kobject release vs. module unloading issue to
> solve, not unique for klp module, and there should be lots of drivers
> suffering from it.
Yup, the problem is generic. It would be nice to have a generic
solution. For example, add kobject_release_sync() that would return
only when the object is really released.
> > > --- a/kernel/livepatch/core.c
> > > +++ b/kernel/livepatch/core.c
> > > @@ -678,11 +678,6 @@ static void klp_free_patch_finish(struct klp_patch *patch)
> > > * cannot get enabled again.
> > > */
> > > kobject_put(&patch->kobj);
> > > - wait_for_completion(&patch->finish);
> > > -
> > > - /* Put the module after the last access to struct klp_patch. */
> > > - if (!patch->forced)
> > > - module_put(patch->mod);
> >
> > klp_free_patch_finish() does not longer wait until the release
> > callbacks are called.
> >
> > klp_free_patch_finish() is called also in klp_enable_patch() error
> > path.
> >
> > klp_enable_patch() is called in module_init(). For example, see
> > samples/livepatch/livepatch-sample.c
> >
> > The module must not get removed until the release callbacks are called.
> > Does the module loader check the module reference counter when
> > module_init() fails?
>
> Good catch, that is really one corner case, in which the kobject has to
> be cleaned up before returning from mod->init(), cause there can't be
> module unloading in case of mod->init() failure.
Just to be sure. We want to keep the safe behavior in this case.
There are many situations when klp_enable() might fail. And the error
handling must be safe.
In general, livepatch developers are very conservative.
Livepatches are not easy to create. They are used only by people
who really want to avoid reboot. We want to keep the livepatch kernel
framework as safe as possible to avoid any potential damage.
> Yeah, it should be more related with async kobject_put().
Yup, it would be nice to have some sychronous variant provided
by kobject API.
> Also looks it is reasonable to add check when cleaning module loading
> failure.
Which means that the completion has to stay until there is any generic
solution. And this patch should be dropped for now.
Best Regards,
Petr
Powered by blists - more mailing lists