Problem description:

Livepatches provide a way to update running systems without requiring a reboot. However, managing compatibility between multiple livepatches can be challenging, especially when they introduce changes that affect system behavior or memory management.

Cumulative livepatches simplify this process by completely replacing older versions with each update. This allows for the addition, modification, and removal of fixes while maintaining compatibility through atomic replacement. However, challenges can arise with callbacks and shadow variables.

Callbacks are functions that can alter system behavior when a livepatch is applied. Shadow variables associate additional memory with existing data structures. These modifications need to be reverted when a livepatch is disabled or replaced with a livepatch not supporting the same state to ensure system stability.

Unused shadow variables can lead to memory leaks and synchronization issues. If a livepatch is replaced with one that doesn't maintain these variables, their content may become outdated, potentially causing problems if a future livepatch attempts to use them again.

To address these challenges, the livepatch system employs state tracking. This mechanism offers several benefits:

• Callbacks associated with a specific state are called only when that state is introduced or removed.

• Shadow variables associated with a state are automatically freed when that state is no longer supported.

• When a livepatch is atomically replaced with another supporting the same state, associated callbacks are not called, and shadow variables are not freed, ensuring continuity.

• State tracking can prevent disabling a livepatch or proceeding with an atomic replacement if the current livepatch cannot revert the state. This safeguard is crucial when reverting modifications would be too complex or risky.

This approach ensures that changes introduced by livepatches are managed effectively, minimizing the risk of conflicts and maintaining system stability.

Goal:

The above is description of the proposed behavior. The current behavior is more complicated because the livepatch state API is not connected with the callbacks and shadow variables.

The proposal was result of a many discussions with Nicolai Stange and brainstorming session at SUSE Labs conference 2023.

A POC implementation has been sent as a proof of concept a year ago and has got a positive feedback.

There was still a lot of work to make the POC ready for upstream. Especially, it needed to process the feedback, improve commit messages, convert all existing selftests and eventually add new ones, write documentation.

I have made a lot of this when time permitted but I still need to convert sample modules, add documentation, and do the final review and clean up.