Livepatching APIs¶
Livepatch Enablement¶
Parameters
structklp_patch*patchpatch to be enabled
Description
Initializes the data structure associated with the patch, creates the sysfsinterface, performs the needed symbol lookups and code relocations,registers the patched functions with ftrace.
This function is supposed to be called from the livepatchmodule_init()callback.
Return
0 on success, otherwise error
Shadow Variables¶
- void*klp_shadow_get(void*obj,unsignedlongid)¶
retrieve a shadow variable data pointer
Parameters
void*objpointer to parent object
unsignedlongiddata identifier
Return
the shadow variable data element, NULL on failure.
- void*klp_shadow_alloc(void*obj,unsignedlongid,size_tsize,gfp_tgfp_flags,klp_shadow_ctor_tctor,void*ctor_data)¶
allocate and add a new shadow variable
Parameters
void*objpointer to parent object
unsignedlongiddata identifier
size_tsizesize of attached data
gfp_tgfp_flagsGFP mask for allocation
klp_shadow_ctor_tctorcustom constructor to initialize the shadow data (optional)
void*ctor_datapointer to any data needed byctor (optional)
Description
Allocatessize bytes for new shadow variable data usinggfp_flags.The data are zeroed by default. They are further initialized byctorfunction if it is not NULL. The new shadow variable is then addedto the global hashtable.
If an existing <obj, id> shadow variable can be found, this routine willissue a WARN, exit early and return NULL.
This function guarantees that the constructor function is called only whenthe variable did not exist before. The cost is thatctor is calledin atomic context under a spin lock.
Return
the shadow variable data element, NULL on duplicate orfailure.
- void*klp_shadow_get_or_alloc(void*obj,unsignedlongid,size_tsize,gfp_tgfp_flags,klp_shadow_ctor_tctor,void*ctor_data)¶
get existing or allocate a new shadow variable
Parameters
void*objpointer to parent object
unsignedlongiddata identifier
size_tsizesize of attached data
gfp_tgfp_flagsGFP mask for allocation
klp_shadow_ctor_tctorcustom constructor to initialize the shadow data (optional)
void*ctor_datapointer to any data needed byctor (optional)
Description
Returns a pointer to existing shadow data if an <obj, id> shadowvariable is already present. Otherwise, it creates a new shadowvariable likeklp_shadow_alloc().
This function guarantees that only one shadow variable exists with the givenid for the givenobj. It also guarantees that the constructor functionwill be called only when the variable did not exist before. The cost isthatctor is called in atomic context under a spin lock.
Return
the shadow variable data element, NULL on failure.
- voidklp_shadow_free(void*obj,unsignedlongid,klp_shadow_dtor_tdtor)¶
detach and free a <obj, id> shadow variable
Parameters
void*objpointer to parent object
unsignedlongiddata identifier
klp_shadow_dtor_tdtorcustom callback that can be used to unregister the variableand/or free data that the shadow variable points to (optional)
Description
This function releases the memory for this <obj, id> shadow variableinstance, callers should stop referencing it accordingly.
- voidklp_shadow_free_all(unsignedlongid,klp_shadow_dtor_tdtor)¶
detach and free all <_, id> shadow variables
Parameters
unsignedlongiddata identifier
klp_shadow_dtor_tdtorcustom callback that can be used to unregister the variableand/or free data that the shadow variable points to (optional)
Description
This function releases the memory for all <_, id> shadow variableinstances, callers should stop referencing them accordingly.
System State Changes¶
- structklp_state*klp_get_state(structklp_patch*patch,unsignedlongid)¶
get information about system state modified by the given patch
Parameters
structklp_patch*patchlivepatch that modifies the given system state
unsignedlongidcustom identifier of the modified system state
Description
Checks whether the given patch modifies the given system state.
The function can be called either from pre/post (un)patchcallbacks or from the kernel code added by the livepatch.
Return
pointer tostructklp_state when found, otherwise NULL.
- structklp_state*klp_get_prev_state(unsignedlongid)¶
get information about system state modified by the already installed livepatches
Parameters
unsignedlongidcustom identifier of the modified system state
Description
Checks whether already installed livepatches modify the givensystem state.
The same system state can be modified by more non-cumulativelivepatches. It is expected that the latest livepatch hasthe most up-to-date information.
The function can be called only during transition when a newlivepatch is being enabled or when such a transition is reverted.It is typically called only from pre/post (un)patchcallbacks.
Return
pointer to the lateststructklp_state from alreadyinstalled livepatches, NULL when not found.
Object Types¶
- structklp_func¶
function structure for live patching
Definition:
struct klp_func { const char *old_name; void *new_func; unsigned long old_sympos; void *old_func; struct kobject kobj; struct list_head node; struct list_head stack_node; unsigned long old_size, new_size; bool nop; bool patched; bool transition;};Members
old_namename of the function to be patched
new_funcpointer to the patched function code
old_symposa hint indicating which symbol position the old functioncan be found (optional)
old_funcpointer to the function being patched
kobjkobject for sysfs resources
nodelist node for klp_object func_list
stack_nodelist node for klp_ops func_stack list
old_sizesize of the old function
new_sizesize of the new function
noptemporary patch to use the original code again; dyn. allocated
patchedthe func has been added to the klp_ops list
transitionthe func is currently being applied or reverted
Description
The patched and transition variables define the func’s patching state. Whenpatching, a func is always in one of the following states:
patched=0 transition=0: unpatchedpatched=0 transition=1: unpatched, temporary starting statepatched=1 transition=1: patched, may be visible to some taskspatched=1 transition=0: patched, visible to all tasks
And when unpatching, it goes in the reverse order:
patched=1 transition=0: patched, visible to all taskspatched=1 transition=1: patched, may be visible to some taskspatched=0 transition=1: unpatched, temporary ending statepatched=0 transition=0: unpatched
- structklp_object¶
kernel object structure for live patching
Definition:
struct klp_object { const char *name; struct klp_func *funcs; struct klp_callbacks callbacks; struct kobject kobj; struct list_head func_list; struct list_head node; struct module *mod; bool dynamic; bool patched;};Members
namemodule name (or NULL for vmlinux)
funcsfunction entries for functions to be patched in the object
callbacksfunctions to be executed pre/post (un)patching
kobjkobject for sysfs resources
func_listdynamic list of the function entries
nodelist node for klp_patch obj_list
modkernel module associated with the patched object(NULL for vmlinux)
dynamictemporary object for nop functions; dynamically allocated
patchedthe object’s funcs have been added to the klp_ops list
- structklp_state¶
state of the system modified by the livepatch
Definition:
struct klp_state { unsigned long id; unsigned int version; void *data;};Members
idsystem state identifier (non-zero)
versionversion of the change
datacustom data
- structklp_patch¶
patch structure for live patching
Definition:
struct klp_patch { struct module *mod; struct klp_object *objs; struct klp_state *states; bool replace; struct list_head list; struct kobject kobj; struct list_head obj_list; bool enabled; bool forced; struct work_struct free_work; struct completion finish;};Members
modreference to the live patch module
objsobject entries for kernel objects to be patched
statessystem states that can get modified
replacereplace all actively used patches
listlist node for global list of actively used patches
kobjkobject for sysfs resources
obj_listdynamic list of the object entries
enabledthe patch is enabled (but operation may be incomplete)
forcedwas involved in a forced transition
free_workpatch cleanup from workqueue-context
finishfor waiting till it is safe to remove the patch module