Thread (10 messages) 10 messages, 3 authors, 2019-10-28

Re: [PATCH v4 15/16] module: Move where we mark modules RO,X

From: Petr Mladek <pmladek@suse.com>
Date: 2019-10-25 06:45:02
Also in: lkml 

On Thu 2019-10-24 15:16:34, Peter Zijlstra wrote:
On Wed, Oct 23, 2019 at 12:00:25PM -0500, Josh Poimboeuf wrote:
quoted
quoted
This then raises a number of questions:

 1) why is that RELA (that obviously does not depend on any module)
    applied so late?
Good question.  The 'pv_ops' symbol is exported by the core kernel, so I
can't see any reason why we'd need to apply that rela late.  In theory,
kpatch-build isn't supposed to convert that to a klp rela.  Maybe
something went wrong in the patch creation code.

I'm also questioning why we even need to apply the parainstructions
section late.  Maybe we can remove that apply_paravirt() call
altogether, along with .klp.arch.parainstruction sections.
Hmm, the original bug report against livepatching was actually about
paravirt ops, see below.
quoted
I'll need to look into it...
Right, that really should be able to run early. Esp. after commit

  11e86dc7f274 ("x86/paravirt: Detect over-sized patching bugs in paravirt_patch_call()")

paravirt patching is unconditional. We _never_ run with the indirect
call except very early boot, but modules should have them patched way
before their init section runs.

We rely on this for spectre-v2 and friends.
Livepatching has the same requirement. The module code has to be fully
livepatched before the module gets actually used. It means before
mod->init() is called and before the module is moved into
MODULE_STATE_LIVE state.
quoted
quoted
 3) Is there ever a possible module-dependent RELA to a paravirt /
    alternative site?
Good question...
quoted
quoted
Then for 3) we only have alternatives left, and I _think_ it unlikely to
be the case, but I'll have to have a hard look at that.
I'm not sure about alternatives, but maybe we can enforce such
limitations with tooling and/or kernel checks.
Right, so on IRC you implied you might have some additional details on
how alternatives were affected; did you manage to dig that up?
I am not sure what Josh had in mind. But the problem with livepatches,
paravort ops, and alternatives was described in the related patchset, see
https://lkml.kernel.org/r/1471481911-5003-1-git-send-email-jeyu@redhat.com

The original bug report is
https://lkml.kernel.org/r/20160329120518.GA21252@canonical.com

Best Regards,
Petr
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help