From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Antonio SJ Musumeci <trapexit@spawn.link>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>
Subject: Re: BUG_ON() in workingset_node_shadows_dec() triggers
Date: Wed, 5 Oct 2016 15:17:02 -0700
Message-ID: <CAGXu5jJ9sAXauDMeW262qX_42TS2gmJBsR1yq2XDeHzn+54PoA@mail.gmail.com>
In-Reply-To: <CA+55aFxEbtVpT0rJyfpLmXOzCe4i4VO1s=M2Q9mq8XbUBNopCQ@mail.gmail.com>

On Wed, Oct 5, 2016 at 2:46 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Wed, Oct 5, 2016 at 2:14 PM, Kees Cook <keescook@chromium.org> wrote:
>> Now, it can be argued that killing the process part should be
>> configurable and that the code should be written to handle a WARN and
>> clean up and error out nicely. But I still want to retain the "kill
>> the process immediately" behavior in some capacity.
>
> If "some capacity" is "can't do user space accesses", we could easily
> force a SIGKILL of the current process. It won't die immediately in
> the kernel, but it won't be returning to user space either.

With my more paranoid desires, I would prefer to keep "stop kernel
execution with the state set up by this process", not just "make the
process never return to user-space". I would need to meditate on
whether what I really want is just "panic on Oops" or not, though.
Right now, for example, I don't use panic-on-oops when running lkdtm
tests since each test gets (correctly) killed and the Oops can be
examined for the expected failure mode, all without bringing down the
entire system.

> The problem with the immediate kill is that it can be in interrupt
> context, or just holding arbitrary locks. And it's hard to even tell
> dynamically (sometimes you can see it: with preemption enabled you can
> tell "am I in a non-preempt area", for example, but it ends up
> depending on config options).

Yeah, I've seen some hilarious failure modes while building lkdtm
tests for various kernel self-protections.

> And *if* we make BUG() actually do something sane (non-trapping), we
> can easily make it be generic, not arch-specific. In fact, I'd
> implement it by just adding a "handle_bug()" in kernel/panic.c...

Yeah, I'm not sure what the right next step would be. Do we need a new
set of functions between WARN and BUG? Or maybe extract the
process-killing logic on a per-arch level and make it a specific API
so that it can be explicitly called as part of error-handling? Hmm

-Kees

-- 
Kees Cook
Nexus Security
