import kpatch-0.9.2-2.el8

.gitignore

@@ -1 +1,2 @@
-SOURCES/v0.6.1.tar.gz
+SOURCES/kpatch-dnf-v0.2.tar.gz
+SOURCES/v0.9.2.tar.gz

.kpatch.metadata

@@ -1 +1,2 @@
-7a0395e649f58026a3dd66dd13e3bcecdb9e97a4 SOURCES/v0.6.1.tar.gz
+74e3123e0edc694676a36994b23094be354f87b5 SOURCES/kpatch-dnf-v0.2.tar.gz
+c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz

SOURCES/0002-contrib-service-don-t-unload-modules-on-stop.patch

@@ -1,31 +0,0 @@
-From 8909e63c54adb34a0324200f99c63fcd7db5cbc5 Mon Sep 17 00:00:00 2001
-From: Joe Lawrence <joe.lawrence@redhat.com>
-Date: Mon, 10 Jun 2019 16:55:54 -0400
-Subject: [PATCH] contrib/service: don't unload modules on stop
-
-The kpatch.service file shouldn't unload patch modules on service stop
-(this is also executed by systemd on reboot).  Patch modules may not be
-designed to be safely unloaded and/or may patch kernel routines that
-need to continue to run throughout system bring down.
-
-Suggested-by: disaster123
-Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
----
- contrib/kpatch.service | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/contrib/kpatch.service b/contrib/kpatch.service
-index 5286f6c929e0..cf13f40105d9 100644
---- a/contrib/kpatch.service
-+++ b/contrib/kpatch.service
-@@ -6,7 +6,6 @@ ConditionKernelCommandLine=!kpatch.enable=0
- Type=oneshot
- RemainAfterExit=yes
- ExecStart=PREFIX/sbin/kpatch load --all
--ExecStop=PREFIX/sbin/kpatch unload --all
- 
- [Install]
- WantedBy=multi-user.target
--- 
-2.21.0
-

SOURCES/0002-kpatch-clarify-unload-unsupport.patch

@@ -10,8 +10,8 @@ RHEL-only.
 
 Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
 diff -Nupr kpatch-0.6.1.old/kpatch/kpatch kpatch-0.6.1/kpatch/kpatch
---- kpatch-0.6.1.old/kpatch/kpatch	2019-08-28 10:35:01.191259434 -0400
-+++ kpatch-0.6.1/kpatch/kpatch	2019-08-28 16:11:13.067926576 -0400
+--- kpatch-0.9.2.old/kpatch/kpatch	2019-08-28 10:35:01.191259434 -0400
++++ kpatch-0.9.2/kpatch/kpatch	2019-08-28 16:11:13.067926576 -0400
 @@ -49,8 +49,8 @@ usage () {
  	echo >&2
  	usage_cmd "load --all" "load all installed patch modules into the running kernel"
@@ -61,8 +61,8 @@ diff -Nupr kpatch-0.6.1.old/kpatch/kpatch kpatch-0.6.1/kpatch/kpatch
  "load")
  	[[ "$#" -ne 2 ]] && usage
 diff -Nupr kpatch-0.6.1.old/man/kpatch.1 kpatch-0.6.1/man/kpatch.1
---- kpatch-0.6.1.old/man/kpatch.1	2019-08-28 10:35:01.191259434 -0400
-+++ kpatch-0.6.1/man/kpatch.1	2019-08-28 14:51:23.268198897 -0400
+--- kpatch-0.9.2.old/man/kpatch.1	2019-08-28 10:35:01.191259434 -0400
++++ kpatch-0.9.2/man/kpatch.1	2019-08-28 14:51:23.268198897 -0400
 @@ -23,10 +23,10 @@ load --all
  load <module>
         load patch module into the running kernel

SOURCES/0003-kpatch-script-don-t-fail-if-module-already-loaded-en.patch

@@ -1,77 +0,0 @@
-From 1d2dffec7a6fad4a8daed9340cd42aada856d03f Mon Sep 17 00:00:00 2001
-From: Joe Lawrence <joe.lawrence@redhat.com>
-Date: Wed, 19 Jun 2019 15:29:43 -0400
-Subject: [PATCH] kpatch script: don't fail if module already loaded+enabled
-
-For "kpatch load" invocations, don't set failing return status if the
-kpatch module is already loaded and enabled.  Make note of the existing
-livepatch module and then verify that is has completed its transition
-before continuing.  This allows the user to more gracefully re-run
-"kpatch load" commands to pick up new kpatch modules.
-
-Fixes: #979
-Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
----
- kpatch/kpatch | 44 ++++++++++++++++++++++----------------------
- 1 file changed, 22 insertions(+), 22 deletions(-)
-
-diff --git a/kpatch/kpatch b/kpatch/kpatch
-index 328f1197259d..8ea6c80ca2d3 100755
---- a/kpatch/kpatch
-+++ b/kpatch/kpatch
-@@ -314,30 +314,30 @@ load_module () {
- 				die "error: cannot re-enable patch module $modname, cannot verify checksum match"
- 			fi
- 		else
--			die "error: module named $modname already loaded and enabled"
-+			echo "module named $modname already loaded and enabled"
- 		fi
--	fi
-+	else
-+		echo "loading patch module: $module"
-+		local i=0
-+		while true; do
-+			out="$(LC_ALL=C insmod "$module" 2>&1)"
-+			[[ -z "$out" ]] && break
-+			echo "$out" 1>&2
-+			[[ ! "$out" =~ "Device or resource busy" ]] &&
-+				die "failed to load module $module"
- 
--	echo "loading patch module: $module"
--	local i=0
--	while true; do
--		out="$(LC_ALL=C insmod "$module" 2>&1)"
--		[[ -z "$out" ]] && break
--		echo "$out" 1>&2
--		[[ ! "$out" =~ "Device or resource busy" ]] &&
--			die "failed to load module $module"
--
--		# "Device or resource busy" means the activeness safety check
--		# failed.  Retry in a few seconds.
--		i=$((i+1))
--		if [[ $i -eq $MAX_LOAD_ATTEMPTS ]]; then
--			die "failed to load module $module"
--			break
--		else
--			warn "retrying..."
--			sleep $RETRY_INTERVAL
--		fi
--	done
-+			# "Device or resource busy" means the activeness safety check
-+			# failed.  Retry in a few seconds.
-+			i=$((i+1))
-+			if [[ $i -eq $MAX_LOAD_ATTEMPTS ]]; then
-+				die "failed to load module $module"
-+				break
-+			else
-+				warn "retrying..."
-+				sleep $RETRY_INTERVAL
-+			fi
-+		done
-+	fi
- 
- 	if ! wait_for_patch_transition "$modname" ; then
- 		echo "module $modname did not complete its transition, unloading..."
--- 
-2.21.0
-

SOURCES/0005-Fix-livepatch-enabled-kernel-detection-in-kpatch-scr.patch

@@ -1,29 +0,0 @@
-From 54c3d6d8fef188da10a5040c9cc841f35e01bfbf Mon Sep 17 00:00:00 2001
-From: Artem Savkov <asavkov@redhat.com>
-Date: Tue, 7 May 2019 14:12:38 +0200
-Subject: [PATCH] Fix livepatch-enabled kernel detection in kpatch script
-
-We can no longer use klp_register_patch symbol to determine if the
-kernel is livepatch-enabled. Use klp_enable_patch instead.
-
-Signed-off-by: Artem Savkov <asavkov@redhat.com>
----
- kpatch/kpatch | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kpatch/kpatch b/kpatch/kpatch
-index 1d9f90c..bdceff1 100755
---- a/kpatch/kpatch
-+++ b/kpatch/kpatch
-@@ -126,7 +126,7 @@ find_core_module() {
- }
- 
- core_loaded () {
--	grep -q -e "T klp_register_patch" -e "T kpatch_register" /proc/kallsyms
-+	grep -q -e "T klp_enable_patch" -e "T kpatch_register" /proc/kallsyms
- }
- 
- get_module_name () {
--- 
-2.21.0
-

SOURCES/0100-kpatch-wait-for-module-ref-counts-on-unload.patch

@@ -0,0 +1,100 @@
+From cdee6bd650a35075515d4fe2bb67657811c9640c Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Mon, 16 Nov 2020 15:21:59 -0500
+Subject: [PATCH] kpatch: wait for module ref counts on unload
+
+There exists a very small timing window in which "kpatch unload" gets to
+its "rmmod" step before the kpatch-patch module's reference count has
+cleared and the "rmmod" fails.
+
+This is only a transient problem, but we can adopt code from upstream
+livepatch kselftests which wait for the module refcounts to settle
+before moving onto "rmmod".
+
+A small wrinkle is that this is not supported by the older kpatch.ko
+core.  The price for circumventing the activeness safety check via
+KPATCH_FORCE_UNSAFE is that it must leave the kpatch patch modules in
+place (see e1890e627a9b ("prevent rmmod of forced modules")).
+
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ kpatch/kpatch | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index bca8f41..b35b742 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -28,6 +28,7 @@ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.2"
+ POST_ENABLE_WAIT=15	# seconds
+ POST_SIGNAL_WAIT=60	# seconds
++MODULE_REF_WAIT=15	# seconds
+ 
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+@@ -125,6 +126,10 @@ find_core_module() {
+ 	return 1
+ }
+ 
++kpatch_core_loaded() {
++	grep -q -e "T kpatch_register" /proc/kallsyms
++}
++
+ core_loaded () {
+ 	grep -q -e "T klp_enable_patch" -e "T kpatch_register" /proc/kallsyms
+ }
+@@ -265,6 +270,31 @@ wait_for_patch_transition() {
+ 	return 1
+ }
+ 
++module_ref_count() {
++	local modname="$1"
++	[[ $(cat "/sys/module/$modname/refcnt" 2>/dev/null) != "0" ]]
++}
++
++wait_for_zero_module_ref_count() {
++	local modname="$1"
++	local i=0
++
++	# We can't rely on a zero refcount with kpatch.ko as it
++	# implements KPATCH_FORCE_UNSAFE with an additional reference on
++	# kpatch-patch modules to avoid potential crashes.
++	kpatch_core_loaded && return 0
++
++	module_ref_count "$modname" || return 0
++
++	echo "waiting (up to $MODULE_REF_WAIT seconds) for module refcount..."
++	for (( i=0; i<MODULE_REF_WAIT; i++ )); do
++		module_ref_count "$modname" || return 0
++		sleep 1s
++	done
++
++	return 1
++}
++
+ load_module () {
+ 	local module="$1"
+ 
+@@ -381,10 +411,16 @@ disable_patch_strict () {
+ }
+ 
+ remove_module () {
+-	echo "unloading patch module: $1"
++	local modname="$1"
++
++	if ! wait_for_zero_module_ref_count "$modname"; then
++		die "failed to unload module $modname (refcnt)"
++	fi
++
++	echo "unloading patch module: $modname"
+ 	# ignore any error here because rmmod can fail if the module used
+ 	# KPATCH_FORCE_UNSAFE.
+-	rmmod "$1" 2> /dev/null || return 0
++	rmmod "$modname" 2> /dev/null || return 0
+ }
+ 
+ unload_module () {
+-- 
+2.25.4
+

SOURCES/0200-Makefile-set-install-permission-modes.patch

@@ -0,0 +1,39 @@
+From 73f6d5cdb2a4ce78cec6f49517116a3c7616f393 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Thu, 12 Nov 2020 15:15:47 -0500
+Subject: [PATCH] Makefile: set install permission modes
+
+By default, the install command will apply rwxr-xr-x permissions (how
+intuitive).  Give the command expected file modes to avoid rpmbuild
+complaints like this:
+
+  *** WARNING: ./usr/lib/python3.9/site-packages/dnf-plugins/kpatch.py is executable but has no shebang, removing executable bit
+  *** WARNING: ./etc/dnf/plugins/kpatch.conf is executable but has no shebang, removing executable bit
+
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index fb92d06..77c8eb5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -23,11 +23,11 @@ all: $(TARGETS)
+ 
+ install: $(TARGETS)
+ 	install -d $(MANDIR)
+-	install man/dnf.kpatch.8.gz $(MANDIR)
++	install -m 644 man/dnf.kpatch.8.gz $(MANDIR)
+ 	install -d $(CONFDIR)
+-	install conf/kpatch.conf $(CONFDIR)
++	install -m 644 conf/kpatch.conf $(CONFDIR)
+ 	install -d $(DNFPLUGINDIR)
+-	install kpatch.py $(DNFPLUGINDIR)
++	install -m 644 kpatch.py $(DNFPLUGINDIR)
+ 
+ %.gz: %
+ 	gzip --keep $^
+-- 
+2.25.4
+

SPECS/kpatch.spec

@@ -1,19 +1,28 @@
+%define kpatch_dnf_ver	0.2
+
 Name:		kpatch
-Version:	0.6.1
-Release:	6%{?dist}
+Version:	0.9.2
+Release:	2%{?dist}
 Summary:	Dynamic kernel patch manager
 
 Group:		System Environment/Kernel
 License:	GPLv2
 URL:		https://github.com/dynup/kpatch
 Source0:	https://github.com/dynup/kpatch/archive/v%{version}.tar.gz
+Source1:	kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
+
+# RHEL-only
 Patch0:		0001-contrib-disable-upstart-kpatch.conf-install.patch
-Patch1:		0002-contrib-service-don-t-unload-modules-on-stop.patch
-Patch2:		0003-kpatch-script-don-t-fail-if-module-already-loaded-en.patch
-Patch3:		0004-kpatch-clarify-unload-unsupport.patch
-Patch4:		0005-Fix-livepatch-enabled-kernel-detection-in-kpatch-scr.patch
+Patch1:		0002-kpatch-clarify-unload-unsupport.patch
+
+# Upstream backports
+Patch100:	0100-kpatch-wait-for-module-ref-counts-on-unload.patch
+
+# kpatch-dnf backports
+Patch200:	0200-Makefile-set-install-permission-modes.patch
 
 Requires:	bash kmod binutils
+Recommends:	kpatch-dnf
 
 BuildArch:	noarch
 
@@ -24,18 +33,34 @@ a collection of binary kernel patch modules which can be used to dynamically
 patch the kernel without rebooting.
 
 
+%package -n kpatch-dnf
+Summary:	kpatch-patch manager plugin for DNF
+Version:	%kpatch_dnf_ver
+Release:	2%{?dist}
+BuildRequires:	python3-devel python3-dnf
+Requires:	python3 python3-dnf python3-hawkey
+Provides:	kpatch-dnf
+
+%description -n kpatch-dnf
+kpatch-dnf is a DNF plugin than manages subcription to kpatch-patch updates.
+When enabled, kernel packages are automatically subscribed to corresponding
+kpatch-patch packages updates.
+
 %prep
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%patch100 -p1
 
+%setup -D -T -a 1
+cd kpatch-dnf-%{kpatch_dnf_ver}
+%patch200 -p1
+cd ..
 
 %build
 make -C man
 
+make -C kpatch-dnf-%{kpatch_dnf_ver}
 
 %install
 make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch
@@ -43,14 +68,35 @@ make install PREFIX=/usr DESTDIR=%{buildroot} -C man
 make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib
 rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
 
+make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
 
 %files
 %{_sbindir}/kpatch
 %{_usr}/lib/systemd/system/kpatch.service
 %doc %{_mandir}/man1/kpatch.1.gz
 
+%files -n kpatch-dnf
+%{python3_sitelib}/dnf-plugins/kpatch.py
+%{python3_sitelib}/dnf-plugins/__pycache__
+%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf
+%doc %{_mandir}/man8/dnf.kpatch.8.gz
+
+%post -n kpatch-dnf
+echo "To enable automatic kpatch-patch subscription, run:"
+echo -e "\t$ dnf kpatch auto"
 
 %changelog
+* Fri Nov 20 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-2
+- Fix unload issue under stress (rhbz#1883238)
+- Fix dnf-kpatch man file permissions (rhbz#1899341)
+- Do not replace dnf kpatch configuration file when reinstalling (rhbz#1898191)
+
+* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
+- Add kpatch-dnf subpackage (rhbz#1798711)
+
+* Thu Sep 24 2020 Julien Thierry <jthierry@redhat.com> 0.9.2-1
+- update to 0.9.2 (rhbz#1877857)
+
 * Tue Oct 22 2019 Yannick Cote <ycote@redhat.com> 0.6.1-6
 - fix patch loading issue caused by recent kernel rebase (rhbz#1754679)