From: Kees Cook <keescook@chromium.org>
To: Michal Hocko <mhocko@kernel.org>
Cc: Christoph Lameter <cl@linux.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Linux-MM <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: Add additional consistency check
Date: Tue, 4 Apr 2017 09:02:48 -0700
Message-ID: <CAGXu5jKrs1xxfpNv9ta8XL=ii1N3uEfJMCXWkLTcoR4JMPw=kA@mail.gmail.com>
In-Reply-To: <20170404155856.GP15132@dhcp22.suse.cz>

On Tue, Apr 4, 2017 at 8:58 AM, Michal Hocko <mhocko@kernel.org> wrote:
> On Tue 04-04-17 08:46:02, Kees Cook wrote:
>> On Tue, Apr 4, 2017 at 8:16 AM, Michal Hocko <mhocko@kernel.org> wrote:
>> > On Tue 04-04-17 10:07:23, Christoph Lameter wrote:
>> >> On Tue, 4 Apr 2017, Michal Hocko wrote:
>> >>
>> >> > NAK without a proper changelog. Seriously, we do not blindly apply
>> >> > changes from other projects without a deep understanding of all
>> >> > consequences.
>> >>
>> >> Functionality-wise this is trivial. A page must be a slab page in order to
>> >> be able to determine the slab cache of an object. It's definitely not ok if
>> >> the page is not a slab page.
>> >
>> > Yes, but we do not have to blow the kernel, right? Why cannot we simply
>> > leak that memory?
>>
>> I can put this behind CHECK_DATA_CORRUPTION() instead of BUG(), which
>> allows the system builder to choose between WARN and BUG. Some people
>> absolutely want the kernel to BUG on data corruption as it could be an
>> attack.
>
> CHECK_DATA_CORRUPTION sounds like a better fit to me. This would, however,
> require handling the potential corruption by returning and leaking the
> memory.

IIUC, that would be the "return s" path? I should likely change the
WARN_ON_ONCE there to be CHECK_DATA_CORRUPTION too. I'll add this to
my series.

-Kees

-- 
Kees Cook
Pixel Security
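
The trade-off discussed in this thread, as an added userspace sketch (not code from the patch or from the kernel): a consistency check that either aborts or warns depending on a build-time switch, and a free path that deliberately leaks the object when the check fires. Every `model_*` name and the `MODEL_BUG_ON_DATA_CORRUPTION` switch are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical build-time policy: 1 = stop on corruption, 0 = warn and go on. */
#ifndef MODEL_BUG_ON_DATA_CORRUPTION
#define MODEL_BUG_ON_DATA_CORRUPTION 0
#endif

struct model_cache { const char *name; size_t freed; };
struct model_page  { bool is_slab; struct model_cache *cache; };

static unsigned long model_warnings;

/* Returns true when corruption was seen and the caller must back out. */
static bool model_check_data_corruption(bool corrupted, const char *msg)
{
    if (!corrupted)
        return false;
    fprintf(stderr, "data corruption: %s\n", msg);
    if (MODEL_BUG_ON_DATA_CORRUPTION)
        abort();                 /* strict policy: treat it as a possible attack */
    model_warnings++;            /* lenient policy: report and let the caller cope */
    return true;
}

/* The owning cache can only be trusted if the page really is a slab page. */
static struct model_cache *model_cache_from_page(struct model_page *page)
{
    if (model_check_data_corruption(!page->is_slab,
                                    "free of object on a non-slab page"))
        return NULL;
    return page->cache;
}

/* Returns true if the object was freed, false if it was leaked on purpose. */
static bool model_free(struct model_page *page)
{
    struct model_cache *c = model_cache_from_page(page);

    if (!c)
        return false;            /* leak: never touch allocator state we cannot trust */
    c->freed++;
    return true;
}

/* Constructed input: one valid slab page and one page that is not a slab page. */
int model_demo(void)
{
    struct model_cache cache = { "demo", 0 };
    struct model_page good = { true, &cache }, bad = { false, NULL };

    model_warnings = 0;
    return model_free(&good) && !model_free(&bad) &&
           cache.freed == 1 && model_warnings == 1;
}
```

Building with `-DMODEL_BUG_ON_DATA_CORRUPTION=1` makes the second free abort instead of leaking.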
