Re: [RFC PATCH 6/9] livepatch: create per-task consistency model

[Josh Poimboeuf <jpoimboe@redhat.com>]

On Mon, Feb 16, 2015 at 03:19:10PM +0100, Miroslav Benes wrote:
> On Mon, 9 Feb 2015, Josh Poimboeuf wrote:
> 
> > Add a basic per-task consistency model.  This is the foundation which
> > will eventually enable us to patch those ~10% of security patches which
> > change function prototypes and/or data semantics.
> > 
> > When a patch is enabled, livepatch enters into a transition state where
> > tasks are converging from the old universe to the new universe.  If a
> > given task isn't using any of the patched functions, it's switched to
> > the new universe.  Once all the tasks have been converged to the new
> > universe, patching is complete.
> > 
> > The same sequence occurs when a patch is disabled, except the tasks
> > converge from the new universe to the old universe.
> > 
> > The /sys/kernel/livepatch/<patch>/transition file shows whether a patch
> > is in transition.  Only a single patch (the topmost patch on the stack)
> > can be in transition at a given time.  A patch can remain in the
> > transition state indefinitely, if any of the tasks are stuck in the
> > previous universe.
> > 
> > A transition can be reversed and effectively canceled by writing the
> > opposite value to the /sys/kernel/livepatch/<patch>/enabled file while
> > the transition is in progress.  Then all the tasks will attempt to
> > converge back to the original universe.
> 
> I finally managed to go through this patch and I have only few comments 
> apart from what Jiri has already written...
> 
> I think it would be useful to add more comments throughout the code.

Ok, I'll try to add more comments throughout.

> sysfs documentation (Documentation/ABI/testing/sysfs-kernel-livepatch) 
> should be updated as well. Also the meaning of enabled attribute was 
> changed a bit (by different patch of the set though).

Ok.

> > +
> > +void klp_unpatch_objects(struct klp_patch *patch)
> > +{
> > +	struct klp_object *obj;
> > +
> > +	for (obj = patch->objs; obj->funcs; obj++)
> > +		if (obj->patched)
> > +			klp_unpatch_object(obj);
> > +}
> 
> Maybe we should introduce for_each_* macros which could be used in the 
> code and avoid such functions. I do not have strong opinion about it.

Yeah, but each such loop seems to differ a little bit, so I'm not quite
sure how to structure the macros such that they'd be useful.  Maybe for
a future patch.

> > diff --git a/kernel/livepatch/patch.h b/kernel/livepatch/patch.h
> > index bb34bd3..1648259 100644
> > --- a/kernel/livepatch/patch.h
> > +++ b/kernel/livepatch/patch.h
> > @@ -23,3 +23,4 @@ struct klp_ops *klp_find_ops(unsigned long old_addr);
> >  
> >  extern int klp_patch_object(struct klp_object *obj);
> >  extern void klp_unpatch_object(struct klp_object *obj);
> > +extern void klp_unpatch_objects(struct klp_patch *patch);
> 
> [...]
> 
> > diff --git a/kernel/livepatch/transition.h b/kernel/livepatch/transition.h
> > new file mode 100644
> > index 0000000..ba9a55c
> > --- /dev/null
> > +++ b/kernel/livepatch/transition.h
> > @@ -0,0 +1,16 @@
> > +#include <linux/livepatch.h>
> > +
> > +enum {
> > +	KLP_UNIVERSE_UNDEFINED = -1,
> > +	KLP_UNIVERSE_OLD,
> > +	KLP_UNIVERSE_NEW,
> > +};
> > +
> > +extern struct mutex klp_mutex;
> > +extern struct klp_patch *klp_transition_patch;
> > +
> > +extern void klp_init_transition(struct klp_patch *patch, int universe);
> > +extern void klp_start_transition(int universe);
> > +extern void klp_reverse_transition(void);
> > +extern void klp_try_complete_transition(void);
> > +extern void klp_complete_transition(void);
> 
> Double inclusion protection is missing

Ok.

> and externs for functions are redundant.

I agree, but it seems to be the norm in Linux.  I have no idea why.  I'm
just following the existing convention.

> Otherwise it looks quite ok.

Thanks!

-- 
Josh