5 This document outlines basic information about kernel livepatching.
10 2. Kprobes, Ftrace, Livepatching
15 4.3. Livepatch module handling
16 5. Livepatch life-cycle
28 There are many situations where users are reluctant to reboot a system. It may
29 be because their system is performing complex scientific computations or under
30 heavy load during peak usage. In addition to keeping systems up and running,
31 users want to also have a stable and secure system. Livepatching gives users
32 both by allowing for function calls to be redirected; thus, fixing critical
33 functions without a system reboot.
36 2. Kprobes, Ftrace, Livepatching
37 ================================
39 There are multiple mechanisms in the Linux kernel that are directly related
40 to redirection of code execution; namely: kernel probes, function tracing,
43 + The kernel probes are the most generic. The code can be redirected by
44 putting a breakpoint instruction instead of any instruction.
46 + The function tracer calls the code from a predefined location that is
47 close to the function entry point. This location is generated by the
48 compiler using the '-pg' gcc option.
50 + Livepatching typically needs to redirect the code at the very beginning
51 of the function entry before the function parameters or the stack
52 are in any way modified.
54 All three approaches need to modify the existing code at runtime. Therefore
55 they need to be aware of each other and not step over each other's toes.
56 Most of these problems are solved by using the dynamic ftrace framework as
57 a base. A Kprobe is registered as a ftrace handler when the function entry
58 is probed, see CONFIG_KPROBES_ON_FTRACE. Also an alternative function from
59 a live patch is called with the help of a custom ftrace handler. But there are
60 some limitations, see below.
66 Functions are there for a reason. They take some input parameters, get or
67 release locks, read, process, and even write some data in a defined way,
68 have return values. In other words, each function has a defined semantic.
70 Many fixes do not change the semantic of the modified functions. For
71 example, they add a NULL pointer or a boundary check, fix a race by adding
72 a missing memory barrier, or add some locking around a critical section.
73 Most of these changes are self contained and the function presents itself
74 the same way to the rest of the system. In this case, the functions might
75 be updated independently one by one.
77 But there are more complex fixes. For example, a patch might change
78 ordering of locking in multiple functions at the same time. Or a patch
79 might exchange meaning of some temporary structures and update
80 all the relevant functions. In this case, the affected unit
81 (thread, whole kernel) need to start using all new versions of
82 the functions at the same time. Also the switch must happen only
83 when it is safe to do so, e.g. when the affected locks are released
84 or no data are stored in the modified structures at the moment.
86 The theory about how to apply functions a safe way is rather complex.
87 The aim is to define a so-called consistency model. It attempts to define
88 conditions when the new implementation could be used so that the system
89 stays consistent. The theory is not yet finished. See the discussion at
90 http://thread.gmane.org/gmane.linux.kernel/1823033/focus=1828189
92 The current consistency model is very simple. It guarantees that either
93 the old or the new function is called. But various functions get redirected
94 one by one without any synchronization.
96 In other words, the current implementation _never_ modifies the behavior
97 in the middle of the call. It is because it does _not_ rewrite the entire
98 function in the memory. Instead, the function gets redirected at the
99 very beginning. But this redirection is used immediately even when
100 some other functions from the same patch have not been redirected yet.
102 See also the section "Limitations" below.
108 Livepatches are distributed using kernel modules, see
109 samples/livepatch/livepatch-sample.c.
111 The module includes a new implementation of functions that we want
112 to replace. In addition, it defines some structures describing the
113 relation between the original and the new implementation. Then there
114 is code that makes the kernel start using the new code when the livepatch
115 module is loaded. Also there is code that cleans up before the
116 livepatch module is removed. All this is explained in more details in
123 New versions of functions are typically just copied from the original
124 sources. A good practice is to add a prefix to the names so that they
125 can be distinguished from the original ones, e.g. in a backtrace. Also
126 they can be declared as static because they are not called directly
127 and do not need the global visibility.
129 The patch contains only functions that are really modified. But they
130 might want to access functions or data from the original source file
131 that may only be locally accessible. This can be solved by a special
132 relocation section in the generated livepatch module, see
133 Documentation/livepatch/module-elf-format.txt for more details.
139 The patch is described by several structures that split the information
142 + struct klp_func is defined for each patched function. It describes
143 the relation between the original and the new implementation of a
146 The structure includes the name, as a string, of the original function.
147 The function address is found via kallsyms at runtime.
149 Then it includes the address of the new function. It is defined
150 directly by assigning the function pointer. Note that the new
151 function is typically defined in the same source file.
153 As an optional parameter, the symbol position in the kallsyms database can
154 be used to disambiguate functions of the same name. This is not the
155 absolute position in the database, but rather the order it has been found
156 only for a particular object ( vmlinux or a kernel module ). Note that
157 kallsyms allows for searching symbols according to the object name.
159 + struct klp_object defines an array of patched functions (struct
160 klp_func) in the same object. Where the object is either vmlinux
161 (NULL) or a module name.
163 The structure helps to group and handle functions for each object
164 together. Note that patched modules might be loaded later than
165 the patch itself and the relevant functions might be patched
166 only when they are available.
169 + struct klp_patch defines an array of patched objects (struct
172 This structure handles all patched functions consistently and eventually,
173 synchronously. The whole patch is applied only when all patched
174 symbols are found. The only exception are symbols from objects
175 (kernel modules) that have not been loaded yet. Also if a more complex
176 consistency model is supported then a selected unit (thread,
177 kernel as a whole) will see the new code from the entire patch
178 only when it is in a safe state.
181 4.3. Livepatch module handling
182 ------------------------------
184 The usual behavior is that the new functions will get used when
185 the livepatch module is loaded. For this, the module init() function
186 has to register the patch (struct klp_patch) and enable it. See the
187 section "Livepatch life-cycle" below for more details about these
190 Module removal is only safe when there are no users of the underlying
191 functions. The immediate consistency model is not able to detect this;
192 therefore livepatch modules cannot be removed. See "Limitations" below.
194 5. Livepatch life-cycle
195 =======================
197 Livepatching defines four basic operations that define the life cycle of each
198 live patch: registration, enabling, disabling and unregistration. There are
199 several reasons why it is done this way.
201 First, the patch is applied only when all patched symbols for already
202 loaded objects are found. The error handling is much easier if this
203 check is done before particular functions get redirected.
205 Second, the immediate consistency model does not guarantee that anyone is not
206 sleeping in the new code after the patch is reverted. This means that the new
207 code needs to stay around "forever". If the code is there, one could apply it
208 again. Therefore it makes sense to separate the operations that might be done
209 once and those that need to be repeated when the patch is enabled (applied)
212 Third, it might take some time until the entire system is migrated
213 when a more complex consistency model is used. The patch revert might
214 block the livepatch module removal for too long. Therefore it is useful
215 to revert the patch using a separate operation that might be called
216 explicitly. But it does not make sense to remove all information
217 until the livepatch module is really removed.
223 Each patch first has to be registered using klp_register_patch(). This makes
224 the patch known to the livepatch framework. Also it does some preliminary
225 computing and checks.
227 In particular, the patch is added into the list of known patches. The
228 addresses of the patched functions are found according to their names.
229 The special relocations, mentioned in the section "New functions", are
230 applied. The relevant entries are created under
231 /sys/kernel/livepatch/<name>. The patch is rejected when any operation
238 Registered patches might be enabled either by calling klp_enable_patch() or
239 by writing '1' to /sys/kernel/livepatch/<name>/enabled. The system will
240 start using the new implementation of the patched functions at this stage.
242 In particular, if an original function is patched for the first time, a
243 function specific struct klp_ops is created and an universal ftrace handler
246 Functions might be patched multiple times. The ftrace handler is registered
247 only once for the given function. Further patches just add an entry to the
248 list (see field `func_stack`) of the struct klp_ops. The last added
249 entry is chosen by the ftrace handler and becomes the active function
252 Note that the patches might be enabled in a different order than they were
259 Enabled patches might get disabled either by calling klp_disable_patch() or
260 by writing '0' to /sys/kernel/livepatch/<name>/enabled. At this stage
261 either the code from the previously enabled patch or even the original
264 Here all the functions (struct klp_func) associated with the to-be-disabled
265 patch are removed from the corresponding struct klp_ops. The ftrace handler
266 is unregistered and the struct klp_ops is freed when the func_stack list
269 Patches must be disabled in exactly the reverse order in which they were
270 enabled. It makes the problem and the implementation much easier.
276 Disabled patches might be unregistered by calling klp_unregister_patch().
277 This can be done only when the patch is disabled and the code is no longer
278 used. It must be called before the livepatch module gets unloaded.
280 At this stage, all the relevant sys-fs entries are removed and the patch
281 is removed from the list of known patches.
287 Information about the registered patches can be found under
288 /sys/kernel/livepatch. The patches could be enabled and disabled
291 See Documentation/ABI/testing/sysfs-kernel-livepatch for more details.
297 The current Livepatch implementation has several limitations:
300 + The patch must not change the semantic of the patched functions.
302 The current implementation guarantees only that either the old
303 or the new function is called. The functions are patched one
304 by one. It means that the patch must _not_ change the semantic
308 + Data structures can not be patched.
310 There is no support to version data structures or anyhow migrate
311 one structure into another. Also the simple consistency model does
312 not allow to switch more functions atomically.
314 Once there is more complex consistency mode, it will be possible to
315 use some workarounds. For example, it will be possible to use a hole
316 for a new member because the data structure is aligned. Or it will
317 be possible to use an existing member for something else.
319 There are no plans to add more generic support for modified structures
323 + Only functions that can be traced could be patched.
325 Livepatch is based on the dynamic ftrace. In particular, functions
326 implementing ftrace or the livepatch ftrace handler could not be
327 patched. Otherwise, the code would end up in an infinite loop. A
328 potential mistake is prevented by marking the problematic functions
332 + Anything inlined into __schedule() can not be patched.
334 The switch_to macro is inlined into __schedule(). It switches the
335 context between two processes in the middle of the macro. It does
336 not save RIP in x86_64 version (contrary to 32-bit version). Instead,
337 the currently used __schedule()/switch_to() handles both processes.
339 Now, let's have two different tasks. One calls the original
340 __schedule(), its registers are stored in a defined order and it
341 goes to sleep in the switch_to macro and some other task is restored
342 using the original __schedule(). Then there is the second task which
343 calls patched__schedule(), it goes to sleep there and the first task
344 is picked by the patched__schedule(). Its RSP is restored and now
345 the registers should be restored as well. But the order is different
346 in the new patched__schedule(), so...
348 There is work in progress to remove this limitation.
351 + Livepatch modules can not be removed.
353 The current implementation just redirects the functions at the very
354 beginning. It does not check if the functions are in use. In other
355 words, it knows when the functions get called but it does not
356 know when the functions return. Therefore it can not decide when
357 the livepatch module can be safely removed.
359 This will get most likely solved once a more complex consistency model
360 is supported. The idea is that a safe state for patching should also
361 mean a safe state for removing the patch.
363 Note that the patch itself might get disabled by writing zero
364 to /sys/kernel/livepatch/<patch>/enabled. It causes that the new
365 code will not longer get called. But it does not guarantee
366 that anyone is not sleeping anywhere in the new code.
369 + Livepatch works reliably only when the dynamic ftrace is located at
370 the very beginning of the function.
372 The function need to be redirected before the stack or the function
373 parameters are modified in any way. For example, livepatch requires
374 using -fentry gcc compiler option on x86_64.
376 One exception is the PPC port. It uses relative addressing and TOC.
377 Each function has to handle TOC and save LR before it could call
378 the ftrace handler. This operation has to be reverted on return.
379 Fortunately, the generic ftrace code has the same problem and all
380 this is is handled on the ftrace level.
383 + Kretprobes using the ftrace framework conflict with the patched
386 Both kretprobes and livepatches use a ftrace handler that modifies
387 the return address. The first user wins. Either the probe or the patch
388 is rejected when the handler is already in use by the other.
391 + Kprobes in the original function are ignored when the code is
392 redirected to the new implementation.
394 There is a work in progress to add warnings about this situation.