On Wed, Oct 23, 2019 at 12:00:25PM -0500, Josh Poimboeuf wrote:
> > This then raises a number of questions:
> >
> > 1) why is that RELA (that obviously does not depend on any module)
> > applied so late?
>
> Good question. The 'pv_ops' symbol is exported by the core kernel, so I
> can't see any reason why we'd need to apply that rela late. In theory,
> kpatch-build isn't supposed to convert that to a klp rela. Maybe
> something went wrong in the patch creation code.
>
> I'm also questioning why we even need to apply the parainstructions
> section late. Maybe we can remove that apply_paravirt() call
> altogether, along with .klp.arch.parainstruction sections.
>
> I'll need to look into it...
Right, that really should be able to run early. Esp. after commit
11e86dc7f274 ("x86/paravirt: Detect over-sized patching bugs in paravirt_patch_call()")
paravirt patching is unconditional. We _never_ run with the indirect
call except very early boot, but modules should have them patched way
before their init section runs.
We rely on this for spectre-v2 and friends.
> > 3) Is there ever a possible module-dependent RELA to a paravirt /
> > alternative site?
>
> Good question...
> > Then for 3) we only have alternatives left, and I _think_ it unlikely to
> > be the case, but I'll have to have a hard look at that.
>
> I'm not sure about alternatives, but maybe we can enforce such
> limitations with tooling and/or kernel checks.
Right, so on IRC you implied you might have some additional details on
how alternatives were affected; did you manage to dig that up?
