Blame view
Documentation/livepatch/callbacks.rst
5.07 KB
93862e385
|
1 2 3 4 5 6 |
====================== (Un)patching Callbacks ====================== Livepatch (un)patch-callbacks provide a mechanism for livepatch modules to execute callback functions when a kernel object is (un)patched. They |
d9defe448
|
7 |
can be considered a **power feature** that **extends livepatching abilities** |
93862e385
|
8 9 10 11 12 13 14 15 16 17 18 |
to include: - Safe updates to global data - "Patches" to init and probe functions - Patching otherwise unpatchable code (i.e. assembly) In most cases, (un)patch callbacks will need to be used in conjunction with memory barriers and kernel synchronization primitives, like mutexes/spinlocks, or even stop_machine(), to avoid concurrency issues. |
d9defe448
|
19 20 |
1. Motivation ============= |
93862e385
|
21 22 23 24 25 26 27 28 29 30 |
Callbacks differ from existing kernel facilities: - Module init/exit code doesn't run when disabling and re-enabling a patch. - A module notifier can't stop a to-be-patched module from loading. Callbacks are part of the klp_object structure and their implementation is specific to that klp_object. Other livepatch objects may or may not be patched, irrespective of the target klp_object's current state. |
d9defe448
|
31 32 |
2. Callback types ================= |
93862e385
|
33 |
Callbacks can be registered for the following livepatch actions: |
89e33ea73
|
34 35 |
* Pre-patch - before a klp_object is patched |
93862e385
|
36 |
|
89e33ea73
|
37 38 |
* Post-patch - after a klp_object has been patched and is active |
93862e385
|
39 |
across all tasks |
89e33ea73
|
40 41 |
* Pre-unpatch - before a klp_object is unpatched (ie, patched code is |
93862e385
|
42 43 |
active), used to clean up post-patch callback resources |
89e33ea73
|
44 45 |
* Post-unpatch - after a klp_object has been patched, all code has |
93862e385
|
46 47 |
been restored and no tasks are running patched code, used to cleanup pre-patch callback resources |
d9defe448
|
48 49 |
3. How it works =============== |
93862e385
|
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
Each callback is optional, omitting one does not preclude specifying any other. However, the livepatching core executes the handlers in symmetry: pre-patch callbacks have a post-unpatch counterpart and post-patch callbacks have a pre-unpatch counterpart. An unpatch callback will only be executed if its corresponding patch callback was executed. Typical use cases pair a patch handler that acquires and configures resources with an unpatch handler tears down and releases those same resources. A callback is only executed if its host klp_object is loaded. For in-kernel vmlinux targets, this means that callbacks will always execute when a livepatch is enabled/disabled. For patch target kernel modules, callbacks will only execute if the target module is loaded. When a module target is (un)loaded, its callbacks will execute only if the livepatch module is enabled. The pre-patch callback, if specified, is expected to return a status code (0 for success, -ERRNO on error). An error status code indicates to the livepatching core that patching of the current klp_object is not safe and to stop the current patching request. (When no pre-patch callback is provided, the transition is assumed to be safe.) If a pre-patch callback returns failure, the kernel's module loader will: - Refuse to load a livepatch, if the livepatch is loaded after targeted code. or: - Refuse to load a module, if the livepatch was already successfully loaded. No post-patch, pre-unpatch, or post-unpatch callbacks will be executed for a given klp_object if the object failed to patch, due to a failed pre_patch callback or for any other reason. If a patch transition is reversed, no pre-unpatch handlers will be run (this follows the previously mentioned symmetry -- pre-unpatch callbacks will only occur if their corresponding post-patch callback executed). If the object did successfully patch, but the patch transition never started for some reason (e.g., if another object failed to patch), only the post-unpatch callback will be called. |
d9defe448
|
92 93 |
4. Use cases ============ |
93862e385
|
94 |
|
d9defe448
|
95 96 97 |
Sample livepatch modules demonstrating the callback API can be found in samples/livepatch/ directory. These samples were modified for use in kselftests and can be found in the lib/livepatch directory. |
93862e385
|
98 |
|
d9defe448
|
99 |
Global data update |
93862e385
|
100 101 102 103 104 105 106 107 108 109 110 |
------------------ A pre-patch callback can be useful to update a global variable. For example, 75ff39ccc1bd ("tcp: make challenge acks less predictable") changes a global sysctl, as well as patches the tcp_send_challenge_ack() function. In this case, if we're being super paranoid, it might make sense to patch the data *after* patching is complete with a post-patch callback, so that tcp_send_challenge_ack() could first be changed to read sysctl_tcp_challenge_ack_limit with READ_ONCE. |
d9defe448
|
111 |
__init and probe function patches support |
93862e385
|
112 113 114 115 116 |
----------------------------------------- Although __init and probe functions are not directly livepatch-able, it may be possible to implement similar updates via pre/post-patch callbacks. |
d9defe448
|
117 |
The commit ``48900cb6af42 ("virtio-net: drop NETIF_F_FRAGLIST")`` change the way that |
93862e385
|
118 119 120 121 |
virtnet_probe() initialized its driver's net_device features. A pre/post-patch callback could iterate over all such devices, making a similar change to their hw_features value. (Client functions of the value may need to be updated accordingly.) |