From: raschupkin.ri@gmail.com
To: live-patching@vger.kernel.org, joe.lawrence@redhat.com,
pmladek@suse.com, mbenes@suse.cz, jikos@kernel.org,
jpoimboe@kernel.org
Subject:
Date: Sun, 14 Jul 2024 21:59:32 +0200 [thread overview]
Message-ID: <20240714195958.692313-1-raschupkin.ri@gmail.com> (raw)
[PATCH] livepatch: support of modifying refcount_t without underflow after unpatch
CVE fixes sometimes add refcount_inc/dec() pairs to the code with existing refcount_t.
Two problems arise when applying live-patch in this case:
1) After refcount_t is being inc() during system is live-patched, after unpatch the counter value will not be valid, as corresponing dec() would never be called.
2) Underflows are possible in runtime in case dec() is called before corresponding inc() in the live-patched code.
Proposed kprefcount_t functions are using following approach to solve these two problems:
1) In addition to original refcount_t, temporary refcount_t is allocated, and after unpatch it is just removed. This way system is safe with correct refcounting while patch is applied, and no underflow would happend after unpatch.
2) For inc/dec() added by live-patch code, one bit in reference-holder structure is used (unsigned char *ref_holder, kprefholder_flag). In case dec() is called first, it is just ignored as ref_holder bit would still not be initialized.
API is defined include/linux/livepatch_refcount.h:
typedef struct kprefcount_struct {
refcount_t *refcount;
refcount_t kprefcount;
spinlock_t lock;
} kprefcount_t;
kprefcount_t *kprefcount_alloc(refcount_t *refcount, gfp_t flags);
void kprefcount_free(kprefcount_t *kp_ref);
int kprefcount_read(kprefcount_t *kp_ref);
void kprefcount_inc(kprefcount_t *kp_ref, unsigned char *ref_holder, int kprefholder_flag);
void kprefcount_dec(kprefcount_t *kp_ref, unsigned char *ref_holder, int kprefholder_flag);
bool kprefcount_dec_and_test(kprefcount_t *kp_ref, unsigned char *ref_holder, int kprefholder_flag);
next reply other threads:[~2024-07-14 20:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-14 19:59 raschupkin.ri [this message]
2024-07-14 19:59 ` [PATCH 1/2] [PATCH] livepatch: support of modifying refcount_t without underflow after unpatch raschupkin.ri
2024-07-14 22:07 ` Jeff Johnson
2024-07-14 19:59 ` [PATCH 2/2] selftests/livepatch: Add tests for kprefcount_t support raschupkin.ri
2024-07-15 20:20 ` Joe Lawrence
2024-07-15 22:45 ` Re: Roman Rashchupkin
2024-07-16 9:28 ` Re: Nicolai Stange
[not found] ` <66963d60.170a0220.70a9a.8866SMTPIN_ADDED_BROKEN@mx.google.com>
2024-07-16 9:53 ` Re: Roman Rashchupkin
2024-07-25 14:52 ` Re: Joe Lawrence
2024-07-16 17:33 ` Re: Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240714195958.692313-1-raschupkin.ri@gmail.com \
--to=raschupkin.ri@gmail.com \
--cc=jikos@kernel.org \
--cc=joe.lawrence@redhat.com \
--cc=jpoimboe@kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mbenes@suse.cz \
--cc=pmladek@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.