[RFC PATCH 2/2] kpatch: add kpatch core module
Add the kpatch core module. It's a self-contained module with a kernel patching infrastructure that enables patching a running kernel without rebooting or restarting any processes. Kernel modules ("patch modules") can call kpatch_register() to replace new functions with old ones. Before applying a patch, kpatch checks the stacks of all tasks in stop_machine() to ensure that the patch is applied atomically, to prevent any weird effects from function interface changes or data semantic changes that might occur between old and new versions of the functions running simultaneously. If any of the to-be-patched functions are on the stack, it fails with -EBUSY. ftrace is used to do the code modification. For each function to be patched, kpatch registers an ftrace ops handler. When called, the handler modifies regs->ip on the stack and returns back to ftrace, which restores the RIP and "returns" to the beginning of the new function. Other features: * Safe unpatching * Atomic repatching (replacing one patch module with another) * Support for multiple patch modules * kpatch_[register|unregister] are properly synchronized with kpatch_ftrace_handler() when it runs in NMI context (thanks to Masami for helping with this) Signed-off-by: Josh Poimboeuf Cc: Seth Jennings Cc: Masami Hiramatsu --- Documentation/kpatch.txt | 193 +++ MAINTAINERS | 9 + arch/Kconfig | 14 ++ include/linux/kpatch.h | 61 + kernel/Makefile | 1 + kernel/kpatch/Makefile | 1 + kernel/kpatch/kpatch.c | 615 +++ 7 files changed, 894 insertions(+) create mode 100644 Documentation/kpatch.txt create mode 100644 include/linux/kpatch.h create mode 100644 kernel/kpatch/Makefile create mode 100644 kernel/kpatch/kpatch.c diff --git a/Documentation/kpatch.txt b/Documentation/kpatch.txt new file mode 100644 index 000..697c054 --- /dev/null +++ b/Documentation/kpatch.txt @@ -0,0 +1,193 @@ +kpatch: dynamic kernel patching +=== + +kpatch is a Linux dynamic kernel patching infrastructure which allows you to +patch a running kernel without rebooting or restarting any processes. It +enables sysadmins to apply critical security patches to the kernel immediately, +without having to wait for long-running tasks to complete, users to log off, or +for scheduled reboot windows. It gives more control over uptime without +sacrificing security or stability. + +How it works + + +kpatch works at a function granularity: old functions are replaced with new +ones. It has four main components: + +- **kpatch-build**: a collection of tools which convert a source diff patch to + a patch module. They work by compiling the kernel both with and without + the source patch, comparing the binaries, and generating a patch module + which includes new binary versions of the functions to be replaced. + +- **patch module**: a kernel module (.ko file) which includes the + replacement functions and metadata about the original functions. + +- **kpatch core module**: the kernel infrastructure which provides an interface + for the patch modules to register new functions for replacement. It uses the + kernel ftrace subsystem to hook into the original function's mcount call + instruction, so that a call to the original function is redirected to the + replacement function. + +- **kpatch utility:** a command-line tool which allows a user to manage a + collection of patch modules. One or more patch modules may be + configured to load at boot time, so that a system can remain patched + even after a reboot into the same version of the kernel. + + +How to use it +- + +Currently, only the core module is in the kernel tree. The supporting +kpatch-build and kpatch utility tools can be found at: + + https://github.com/dynup/kpatch + +You can also find directions there for how to create binary patch modules and +load them into your kernel. + + +Limitations +--- + +- Patches which modify kernel modules are not supported (yet). Only + functions in the vmlinux file (listed in System.map) can be patched. + +- Patches to functions which are always on the stack of at least one + process in the system are not supported. Examples: schedule(), + sys_poll(), sys_select(), sys_read(), sys_nanosleep(). Attempting to + apply such a patch will cause the insmod of the patch module to return + an error. + +- Patches which modify init functions (annotated with `__init`) are not + supported. kpatch-build will return an error if the patch attempts + to do so. + +- Patches which modify statically allocated data are not supported. + kpatch-build will detect that and return an error. (In the future + we will add a facility to support it. It will probably require the + user to write code which runs at patch module loading time which manually + updates the data.) + +- Patches which change the way a
[RFC PATCH 2/2] kpatch: add kpatch core module
Add the kpatch core module. It's a self-contained module with a kernel patching infrastructure that enables patching a running kernel without rebooting or restarting any processes. Kernel modules (patch modules) can call kpatch_register() to replace new functions with old ones. Before applying a patch, kpatch checks the stacks of all tasks in stop_machine() to ensure that the patch is applied atomically, to prevent any weird effects from function interface changes or data semantic changes that might occur between old and new versions of the functions running simultaneously. If any of the to-be-patched functions are on the stack, it fails with -EBUSY. ftrace is used to do the code modification. For each function to be patched, kpatch registers an ftrace ops handler. When called, the handler modifies regs-ip on the stack and returns back to ftrace, which restores the RIP and returns to the beginning of the new function. Other features: * Safe unpatching * Atomic repatching (replacing one patch module with another) * Support for multiple patch modules * kpatch_[register|unregister] are properly synchronized with kpatch_ftrace_handler() when it runs in NMI context (thanks to Masami for helping with this) Signed-off-by: Josh Poimboeuf jpoim...@redhat.com Cc: Seth Jennings sjenn...@redhat.com Cc: Masami Hiramatsu masami.hiramatsu...@hitachi.com --- Documentation/kpatch.txt | 193 +++ MAINTAINERS | 9 + arch/Kconfig | 14 ++ include/linux/kpatch.h | 61 + kernel/Makefile | 1 + kernel/kpatch/Makefile | 1 + kernel/kpatch/kpatch.c | 615 +++ 7 files changed, 894 insertions(+) create mode 100644 Documentation/kpatch.txt create mode 100644 include/linux/kpatch.h create mode 100644 kernel/kpatch/Makefile create mode 100644 kernel/kpatch/kpatch.c diff --git a/Documentation/kpatch.txt b/Documentation/kpatch.txt new file mode 100644 index 000..697c054 --- /dev/null +++ b/Documentation/kpatch.txt @@ -0,0 +1,193 @@ +kpatch: dynamic kernel patching +=== + +kpatch is a Linux dynamic kernel patching infrastructure which allows you to +patch a running kernel without rebooting or restarting any processes. It +enables sysadmins to apply critical security patches to the kernel immediately, +without having to wait for long-running tasks to complete, users to log off, or +for scheduled reboot windows. It gives more control over uptime without +sacrificing security or stability. + +How it works + + +kpatch works at a function granularity: old functions are replaced with new +ones. It has four main components: + +- **kpatch-build**: a collection of tools which convert a source diff patch to + a patch module. They work by compiling the kernel both with and without + the source patch, comparing the binaries, and generating a patch module + which includes new binary versions of the functions to be replaced. + +- **patch module**: a kernel module (.ko file) which includes the + replacement functions and metadata about the original functions. + +- **kpatch core module**: the kernel infrastructure which provides an interface + for the patch modules to register new functions for replacement. It uses the + kernel ftrace subsystem to hook into the original function's mcount call + instruction, so that a call to the original function is redirected to the + replacement function. + +- **kpatch utility:** a command-line tool which allows a user to manage a + collection of patch modules. One or more patch modules may be + configured to load at boot time, so that a system can remain patched + even after a reboot into the same version of the kernel. + + +How to use it +- + +Currently, only the core module is in the kernel tree. The supporting +kpatch-build and kpatch utility tools can be found at: + + https://github.com/dynup/kpatch + +You can also find directions there for how to create binary patch modules and +load them into your kernel. + + +Limitations +--- + +- Patches which modify kernel modules are not supported (yet). Only + functions in the vmlinux file (listed in System.map) can be patched. + +- Patches to functions which are always on the stack of at least one + process in the system are not supported. Examples: schedule(), + sys_poll(), sys_select(), sys_read(), sys_nanosleep(). Attempting to + apply such a patch will cause the insmod of the patch module to return + an error. + +- Patches which modify init functions (annotated with `__init`) are not + supported. kpatch-build will return an error if the patch attempts + to do so. + +- Patches which modify statically allocated data are not supported. + kpatch-build will detect that and return an error. (In the future + we will add a facility to support it. It will probably require the + user to write code which runs at patch module loading time which manually +