| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250826142406.GE1970008@nvidia.com> Date: Tue, 26 Aug 2025 11:24:06 -0300 From: Jason Gunthorpe <jgg@...dia.com> To: Pasha Tatashin <pasha.tatashin@...een.com> Cc: Pratyush Yadav <pratyush@...nel.org>, jasonmiu@...gle.com, graf@...zon.com, changyuanl@...gle.com, rppt@...nel.org, dmatlack@...gle.com, rientjes@...gle.com, corbet@....net, rdunlap@...radead.org, ilpo.jarvinen@...ux.intel.com, kanie@...ux.alibaba.com, ojeda@...nel.org, aliceryhl@...gle.com, masahiroy@...nel.org, akpm@...ux-foundation.org, tj@...nel.org, yoann.congal@...le.fr, mmaurer@...gle.com, roman.gushchin@...ux.dev, chenridong@...wei.com, axboe@...nel.dk, mark.rutland@....com, jannh@...gle.com, vincent.guittot@...aro.org, hannes@...xchg.org, dan.j.williams@...el.com, david@...hat.com, joel.granados@...nel.org, rostedt@...dmis.org, anna.schumaker@...cle.com, song@...nel.org, zhangguopeng@...inos.cn, linux@...ssschuh.net, linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org, linux-mm@...ck.org, gregkh@...uxfoundation.org, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, rafael@...nel.org, dakr@...nel.org, bartosz.golaszewski@...aro.org, cw00.choi@...sung.com, myungjoo.ham@...sung.com, yesanishhere@...il.com, Jonathan.Cameron@...wei.com, quic_zijuhu@...cinc.com, aleksander.lobakin@...el.com, ira.weiny@...el.com, andriy.shevchenko@...ux.intel.com, leon@...nel.org, lukas@...ner.de, bhelgaas@...gle.com, wagi@...nel.org, djeffery@...hat.com, stuart.w.hayes@...il.com, lennart@...ttering.net, brauner@...nel.org, linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org, saeedm@...dia.com, ajayachandra@...dia.com, parav@...dia.com, leonro@...dia.com, witu@...dia.com Subject: Re: [PATCH v3 00/30] Live Update Orchestrator On Tue, Aug 26, 2025 at 01:54:31PM +0000, Pasha Tatashin wrote: > > > https://github.com/googleprodkernel/linux-liveupdate/tree/luo/v3 > > > > > > Changelog from v2: > > > - Addressed comments from Mike Rapoport and Jason Gunthorpe > > > - Only one user agent (LiveupdateD) can open /dev/liveupdate > > > - With the above changes, sessions are not needed, and should be > > > maintained by the user-agent itself, so removed support for > > > sessions. > > > > If all the FDs are restored in the agent's context, this assigns all the > > resources to the agent. For example, if the agent restores a memfd, all > > the memory gets charged to the agent's cgroup, and the client gets none > > of it. This makes it impossible to do any kind of resource limits. > > > > This was one of the advantages of being able to pass around sessions > > instead of FDs. The agent can pass on the right session to the right > > client, and then the client does the restore, getting all the resources > > charged to it. > > > > If we don't allow this, I think we will make LUO/LiveupdateD unsuitable > > for many kinds of workloads. Do you have any ideas on how to do proper > > resource attribution with the current patches? If not, then perhaps we > > should reconsider this change? > > Hi Pratyush, > > That's an excellent point, and you're right that we must have a > solution for correct resource charging. > > I'd prefer to keep the session logic in the userspace agent (luod > https://tinyurl.com/luoddesign). > > For the charging problem, I believe there's a clear path forward with > the current ioctl-based API. The design of the ioctl commands (with a > size field in each struct) is intentionally extensible. In a follow-up > patch, we can extend the liveupdate_ioctl_fd_restore struct to include > a target pid field. The luod agent, would then be able to restore an > FD on behalf of a client and instruct the kernel to charge the > associated resources to that client's PID. This wasn't quite the idea though.. The sessions sub FD were intended to be passed directly to other processes though unix sockets and fd passing so they could run their own ioctls in their own context for both save and restore. The ioctls available on the sessions should be specifically narrowed to be safe for this. I can understand not implementing session FDs in the first version, but when sessions FD are available they should work like this and solve the namespace/cgroup/etc issues. Passing some PID in an ioctl is not a great idea... Jason
Powered by blists - more mailing lists