193862e38SJoe Lawrence====================== 293862e38SJoe Lawrence(Un)patching Callbacks 393862e38SJoe Lawrence====================== 493862e38SJoe Lawrence 593862e38SJoe LawrenceLivepatch (un)patch-callbacks provide a mechanism for livepatch modules 693862e38SJoe Lawrenceto execute callback functions when a kernel object is (un)patched. They 7*d9defe44SPetr Mladekcan be considered a **power feature** that **extends livepatching abilities** 893862e38SJoe Lawrenceto include: 993862e38SJoe Lawrence 1093862e38SJoe Lawrence - Safe updates to global data 1193862e38SJoe Lawrence 1293862e38SJoe Lawrence - "Patches" to init and probe functions 1393862e38SJoe Lawrence 1493862e38SJoe Lawrence - Patching otherwise unpatchable code (i.e. assembly) 1593862e38SJoe Lawrence 1693862e38SJoe LawrenceIn most cases, (un)patch callbacks will need to be used in conjunction 1793862e38SJoe Lawrencewith memory barriers and kernel synchronization primitives, like 1893862e38SJoe Lawrencemutexes/spinlocks, or even stop_machine(), to avoid concurrency issues. 1993862e38SJoe Lawrence 20*d9defe44SPetr Mladek1. Motivation 21*d9defe44SPetr Mladek============= 22*d9defe44SPetr Mladek 2393862e38SJoe LawrenceCallbacks differ from existing kernel facilities: 2493862e38SJoe Lawrence 2593862e38SJoe Lawrence - Module init/exit code doesn't run when disabling and re-enabling a 2693862e38SJoe Lawrence patch. 2793862e38SJoe Lawrence 2893862e38SJoe Lawrence - A module notifier can't stop a to-be-patched module from loading. 2993862e38SJoe Lawrence 3093862e38SJoe LawrenceCallbacks are part of the klp_object structure and their implementation 3193862e38SJoe Lawrenceis specific to that klp_object. Other livepatch objects may or may not 3293862e38SJoe Lawrencebe patched, irrespective of the target klp_object's current state. 3393862e38SJoe Lawrence 34*d9defe44SPetr Mladek2. Callback types 35*d9defe44SPetr Mladek================= 36*d9defe44SPetr Mladek 3793862e38SJoe LawrenceCallbacks can be registered for the following livepatch actions: 3893862e38SJoe Lawrence 3989e33ea7SMauro Carvalho Chehab * Pre-patch 4089e33ea7SMauro Carvalho Chehab - before a klp_object is patched 4193862e38SJoe Lawrence 4289e33ea7SMauro Carvalho Chehab * Post-patch 4389e33ea7SMauro Carvalho Chehab - after a klp_object has been patched and is active 4493862e38SJoe Lawrence across all tasks 4593862e38SJoe Lawrence 4689e33ea7SMauro Carvalho Chehab * Pre-unpatch 4789e33ea7SMauro Carvalho Chehab - before a klp_object is unpatched (ie, patched code is 4893862e38SJoe Lawrence active), used to clean up post-patch callback 4993862e38SJoe Lawrence resources 5093862e38SJoe Lawrence 5189e33ea7SMauro Carvalho Chehab * Post-unpatch 5289e33ea7SMauro Carvalho Chehab - after a klp_object has been patched, all code has 5393862e38SJoe Lawrence been restored and no tasks are running patched code, 5493862e38SJoe Lawrence used to cleanup pre-patch callback resources 5593862e38SJoe Lawrence 56*d9defe44SPetr Mladek3. How it works 57*d9defe44SPetr Mladek=============== 58*d9defe44SPetr Mladek 5993862e38SJoe LawrenceEach callback is optional, omitting one does not preclude specifying any 6093862e38SJoe Lawrenceother. However, the livepatching core executes the handlers in 6193862e38SJoe Lawrencesymmetry: pre-patch callbacks have a post-unpatch counterpart and 6293862e38SJoe Lawrencepost-patch callbacks have a pre-unpatch counterpart. An unpatch 6393862e38SJoe Lawrencecallback will only be executed if its corresponding patch callback was 6493862e38SJoe Lawrenceexecuted. Typical use cases pair a patch handler that acquires and 6593862e38SJoe Lawrenceconfigures resources with an unpatch handler tears down and releases 6693862e38SJoe Lawrencethose same resources. 6793862e38SJoe Lawrence 6893862e38SJoe LawrenceA callback is only executed if its host klp_object is loaded. For 6993862e38SJoe Lawrencein-kernel vmlinux targets, this means that callbacks will always execute 7093862e38SJoe Lawrencewhen a livepatch is enabled/disabled. For patch target kernel modules, 7193862e38SJoe Lawrencecallbacks will only execute if the target module is loaded. When a 7293862e38SJoe Lawrencemodule target is (un)loaded, its callbacks will execute only if the 7393862e38SJoe Lawrencelivepatch module is enabled. 7493862e38SJoe Lawrence 7593862e38SJoe LawrenceThe pre-patch callback, if specified, is expected to return a status 7693862e38SJoe Lawrencecode (0 for success, -ERRNO on error). An error status code indicates 7793862e38SJoe Lawrenceto the livepatching core that patching of the current klp_object is not 7893862e38SJoe Lawrencesafe and to stop the current patching request. (When no pre-patch 7993862e38SJoe Lawrencecallback is provided, the transition is assumed to be safe.) If a 8093862e38SJoe Lawrencepre-patch callback returns failure, the kernel's module loader will: 8193862e38SJoe Lawrence 8293862e38SJoe Lawrence - Refuse to load a livepatch, if the livepatch is loaded after 8393862e38SJoe Lawrence targeted code. 8493862e38SJoe Lawrence 8593862e38SJoe Lawrence or: 8693862e38SJoe Lawrence 8793862e38SJoe Lawrence - Refuse to load a module, if the livepatch was already successfully 8893862e38SJoe Lawrence loaded. 8993862e38SJoe Lawrence 9093862e38SJoe LawrenceNo post-patch, pre-unpatch, or post-unpatch callbacks will be executed 9193862e38SJoe Lawrencefor a given klp_object if the object failed to patch, due to a failed 9293862e38SJoe Lawrencepre_patch callback or for any other reason. 9393862e38SJoe Lawrence 9493862e38SJoe LawrenceIf a patch transition is reversed, no pre-unpatch handlers will be run 9593862e38SJoe Lawrence(this follows the previously mentioned symmetry -- pre-unpatch callbacks 9693862e38SJoe Lawrencewill only occur if their corresponding post-patch callback executed). 9793862e38SJoe Lawrence 9893862e38SJoe LawrenceIf the object did successfully patch, but the patch transition never 9993862e38SJoe Lawrencestarted for some reason (e.g., if another object failed to patch), 10093862e38SJoe Lawrenceonly the post-unpatch callback will be called. 10193862e38SJoe Lawrence 102*d9defe44SPetr Mladek4. Use cases 103*d9defe44SPetr Mladek============ 10493862e38SJoe Lawrence 105*d9defe44SPetr MladekSample livepatch modules demonstrating the callback API can be found in 106*d9defe44SPetr Mladeksamples/livepatch/ directory. These samples were modified for use in 107*d9defe44SPetr Mladekkselftests and can be found in the lib/livepatch directory. 10893862e38SJoe Lawrence 109*d9defe44SPetr MladekGlobal data update 11093862e38SJoe Lawrence------------------ 11193862e38SJoe Lawrence 11293862e38SJoe LawrenceA pre-patch callback can be useful to update a global variable. For 11393862e38SJoe Lawrenceexample, 75ff39ccc1bd ("tcp: make challenge acks less predictable") 11493862e38SJoe Lawrencechanges a global sysctl, as well as patches the tcp_send_challenge_ack() 11593862e38SJoe Lawrencefunction. 11693862e38SJoe Lawrence 11793862e38SJoe LawrenceIn this case, if we're being super paranoid, it might make sense to 11893862e38SJoe Lawrencepatch the data *after* patching is complete with a post-patch callback, 11993862e38SJoe Lawrenceso that tcp_send_challenge_ack() could first be changed to read 12093862e38SJoe Lawrencesysctl_tcp_challenge_ack_limit with READ_ONCE. 12193862e38SJoe Lawrence 122*d9defe44SPetr Mladek__init and probe function patches support 12393862e38SJoe Lawrence----------------------------------------- 12493862e38SJoe Lawrence 12593862e38SJoe LawrenceAlthough __init and probe functions are not directly livepatch-able, it 12693862e38SJoe Lawrencemay be possible to implement similar updates via pre/post-patch 12793862e38SJoe Lawrencecallbacks. 12893862e38SJoe Lawrence 129*d9defe44SPetr MladekThe commit ``48900cb6af42 ("virtio-net: drop NETIF_F_FRAGLIST")`` change the way that 13093862e38SJoe Lawrencevirtnet_probe() initialized its driver's net_device features. A 13193862e38SJoe Lawrencepre/post-patch callback could iterate over all such devices, making a 13293862e38SJoe Lawrencesimilar change to their hw_features value. (Client functions of the 13393862e38SJoe Lawrencevalue may need to be updated accordingly.) 134