From: Kees Cook <keescook@chromium.org>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Georgi Djakov <georgi.djakov@linaro.org>,
linux-mm@kvack.org, akpm@linux-foundation.org, cl@linux.com,
penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com,
corbet@lwn.net, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/slub: Add slub_debug option to panic on memory corruption
Date: Wed, 17 Mar 2021 22:48:58 -0700 [thread overview]
Message-ID: <202103172244.D5ADB06A96@keescook> (raw)
In-Reply-To: <8fd43de6-71e4-cfe7-8208-32753cf1c363@suse.cz>
On Tue, Mar 09, 2021 at 07:18:32PM +0100, Vlastimil Babka wrote:
> On 3/9/21 7:14 PM, Georgi Djakov wrote:
> > Hi Vlastimil,
> >
> > Thanks for the comment!
> >
> > On 3/9/21 17:09, Vlastimil Babka wrote:
> >> On 3/9/21 2:47 PM, Georgi Djakov wrote:
> >>> Being able to stop the system immediately when a memory corruption
> >>> is detected is crucial to finding the source of it. This is very
> >>> useful when the memory can be inspected with kdump or other tools.
> >>
> >> Is this in some testing scenarios where you would also use e.g. panic_on_warn?
> >> We could hook to that. If not, we could introduce a new
> >> panic_on_memory_corruption that would apply also for debug_pagealloc and whatnot?
> >
> > I would prefer that we not tie it with panic_on_warn - there might be lots of
> > new code in multiple subsystems, so hitting some WARNing while testing is not
> > something unexpected.
> >
> > Introducing an additional panic_on_memory_corruption would work, but i noticed
> > that we already have slub_debug and thought to re-use that. But indeed, аdding
> > an option to panic in for example bad_page() sounds also useful, if that's what
> > you suggest.
>
> Yes, that would be another example.
> Also CCing Kees for input, as besides the "kdump ASAP for debugging" case, I can
> imagine security hardening folks could be interested in the "somebody might have
> just failed to pwn the kernel, better panic than let them continue" angle. But
> I'm naive wrt security, so it might be a stupid idea :)
I've really wanted such things, but Linus has been pretty adamant about
not wanting to provide new "panic" paths (or even BUG usage[1]). It
seems that panic_on_warn remains the way to get this behavior,
with the understanding that WARN should only be produced on
expected-to-be-impossible situations[1].
Hitting a WARN while testing should result in either finding and fixing
a real bug, or removing the WARN in favor of pr_warn(). :)
-Kees
[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on
--
Kees Cook
next prev parent reply other threads:[~2021-03-18 5:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-09 13:47 [PATCH] mm/slub: Add slub_debug option to panic on memory corruption Georgi Djakov
2021-03-09 14:56 ` Christoph Lameter
2021-03-09 14:56 ` Christoph Lameter
2021-03-09 18:12 ` Georgi Djakov
2021-03-09 15:09 ` Vlastimil Babka
2021-03-09 18:14 ` Georgi Djakov
2021-03-09 18:18 ` Vlastimil Babka
2021-03-18 5:48 ` Kees Cook [this message]
2021-03-18 12:56 ` Vlastimil Babka
2021-03-18 17:08 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202103172244.D5ADB06A96@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=georgi.djakov@linaro.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.