public inbox for linux-kernel@vger.kernel.org
From: Pavel Machek <pavel@ucw.cz>
To: Miroslav Benes <mbenes@suse.cz>
Cc: jpoimboe@redhat.com, jeyu@kernel.org, jikos@kernel.org,
	pmladek@suse.com, lpechacek@suse.cz,
	live-patching@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 3/3] livepatch: force transition process to finish
Date: Wed, 30 Aug 2017 09:24:36 +0200
Message-ID: <20170830072436.GA14796@amd>
In-Reply-To: <20170810104815.14727-4-mbenes@suse.cz>

On Thu 2017-08-10 12:48:15, Miroslav Benes wrote:
> If a task sleeps in a set of patched functions uninterruptibly, it could
> block the whole transition process indefinitely.  Thus it may be useful
> to clear its TIF_PATCH_PENDING to allow the process to finish.
> 
> Admin can do that now by writing to force sysfs attribute in livepatch
> sysfs directory. TIF_PATCH_PENDING is then cleared for all tasks and the
> transition can finish successfully.
> 
> Important note! Use wisely. Admin must be sure that it is safe to
> execute such action. This means that it must be checked that by doing so
> the consistency model guarantees are not violated.

Yes, that's what admins are good for. Magically determining what state
their machine is in, and deciding if all the processes are in the sane
state and what the consequences are. They have all the tools they need
to do that, like JTAG connection to the CPU and about 10 years of
time... do they?

This should taint the kernel at the very least.

It should also require capabilities beyond "normal root", because it
allows a malicious admin to do "bad things (tm)" to the kernel.

								Pavel

> diff --git a/Documentation/livepatch/livepatch.txt b/Documentation/livepatch/livepatch.txt
> index 343b0bfa1b9f..7626d1b947c2 100644
> --- a/Documentation/livepatch/livepatch.txt
> +++ b/Documentation/livepatch/livepatch.txt
> @@ -183,7 +183,11 @@ attribute. Reading from the file returns all available operations. Writing one
>  of the strings to the file executes the operation. "signal" is available for
>  signalling all remaining blocking tasks. This is an alternative for
>  SIGSTOP/SIGCONT approach mentioned in the previous paragraph. It should also be
> -less harmful to the system.
> +less harmful to the system. "force" clears TIF_PATCH_PENDING flag of all tasks
> +and thus forces the tasks to the patched state. Important note! Use "force"
> +wisely. Administrator must be sure that it is safe to execute such action. This
> +means that it must be checked that by doing so the consistency model guarantees
> +are not violated.
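
Review bot: The sentences added after "less harmful to the system." require the administrator to be sure "force" is safe and that the consistency model guarantees are not violated, but give no way to check either. Suggest stating here what has to be inspected before writing "force" (which tasks still have TIF_PATCH_PENDING set and whether they sleep in a function being patched) and what state the system is in afterwards, since the text says the flag is cleared for all tasks, not only the blocking ones. The "Important note!" warning would also be easier to find as its own paragraph than inline in the list of operations.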

You may want to elaborate here a lot. If you want to pretend the
administrator can decide this, you need to describe what the model is,
and how the administrator gets enough information about the system state.

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
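
The thread turns on how an administrator could see which tasks still block a transition before forcing it. The sketch below is an added example, not part of the original message or of the patch: it assumes per-task `patch_state` files under `/proc/<pid>/task/<tid>/` (-1 no transition, 0 unpatched, 1 patched), and `blocking_tasks`, `count_uninterruptible` and the `TARGET` argument are hypothetical names.

```shell
#!/bin/sh
# Added example: list tasks that have not yet converged in a livepatch
# transition. Read-only; it never writes to sysfs.
# Assumptions: <proc>/<pid>/task/<tid>/patch_state holds -1 (no transition),
# 0 (unpatched) or 1 (patched), and status has the usual "Name:" and
# "State:" lines.

# blocking_tasks PROC_ROOT TARGET
# Prints "tid state name" for every task whose patch_state is not TARGET.
blocking_tasks() {
    proc_root=$1
    target=$2
    for dir in "$proc_root"/[0-9]*/task/[0-9]*; do
        [ -r "$dir/patch_state" ] || continue      # task exited or no access
        state=$(cat "$dir/patch_state" 2>/dev/null) || continue
        [ "$state" = "-1" ] && continue            # no transition in progress
        [ "$state" = "$target" ] && continue       # already in the target state
        # First letter of the scheduler state, e.g. D for uninterruptible sleep.
        run=$(sed -n 's/^State:[[:space:]]*\([A-Za-z]\).*/\1/p' \
              "$dir/status" 2>/dev/null) || true
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null) || true
        printf '%s %s %s\n' "${dir##*/}" "${run:-?}" "${name:-?}"
    done
}

# count_uninterruptible PROC_ROOT TARGET
# Number of blocking tasks in D state, the case the patch description names.
count_uninterruptible() {
    blocking_tasks "$1" "$2" | awk '$2 == "D" { n++ } END { print n + 0 }'
}

# On a live system (root needed to read other tasks' patch_state):
#   blocking_tasks /proc 1
```

The listing only shows which tasks have not converged and whether they sleep uninterruptibly; it does not establish that forcing them is consistent with the patch being applied.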
