From: Paolo Bonzini <pbonzini@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: xen-devel <Xen-devel@lists.xen.org>,
	Arjan van de Ven <arjan@linux.intel.com>, X86 ML <x86@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	KVM list <kvm@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH v3 3/5] x86/paravirt: Add paravirt_{read,write}_msr
Date: Tue, 15 Mar 2016 09:49:26 +0100
Message-ID: <56E7CC96.7080301@redhat.com>
In-Reply-To: <CALCETrWYmJdOeHqjR6-Uyqiyym35DOjFpsB1xhgTHO_JB==EMA@mail.gmail.com>



On 14/03/2016 18:02, Andy Lutomirski wrote:
> On Mon, Mar 14, 2016 at 9:58 AM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> On Mar 14, 2016 9:53 AM, "Andy Lutomirski" <luto@amacapital.net> wrote:
>>>
>>> Can you clarify?  KVM uses the native version, and the native version
>>> only oopses with this series applied if panic_on_oops is set.
>>
>> Can we please remove that idiocy?
>>
>> There is no reason to panic whatsoever. Seriously. What's the upside of that
>> logic?
> 
> I imagine that people who set panic_on_oops want their systems to stop
> running user code if something happens that could corrupt the state or
> if there's any sign that user code is trying some non-deterministic
> exploit.  So I'm guessing that they'd want this type of "the kernel
> screwed up -- abort" to actually result in a panic.
> 
> As a concrete, although somewhat silly, example, suppose that a write
> to MSR_SYSENTER_STACK fails.  If that happened, then user code could
> subsequently try to take over the kernel by evil manipulation of TF
> and/or perf.
> 
> I'd be okay with removing this too, though, since arranging for MSR
> access to fail seems unlikely as an exploit vector.
> 
> Borislav: SUSE actually uses panic_on_oops, right?  What's their goal?

RHEL also does, and it's mostly to trap kernel page faults before they
do more damage such as filesystem corruption.  The debug kernel has
panic_on_oops=0, while the production kernel has panic_on_oops=1.

Paolo

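An added example, not code from this thread or from the patch series: a userspace analogue of the "safe" versus non-"safe" MSR split the series is about, built on the msr driver (/dev/cpu/N/msr). The driver runs RDMSR under the kernel's own exception handling and reports a faulting access to userspace as EIO, so read_msr_safe() below hands that error to the caller, while read_msr() treats any failure as a programming error and aborts, standing in for the kernel's oops. MSR_IA32_TSC is a real architectural index; MSR_ASSUMED_INVALID is an assumption, an index expected to be unimplemented on most CPUs; the program needs root and the msr module loaded (modprobe msr).

```c
/* Added example (not from the thread or the patch series): userspace
 * analogue of rdmsr_safe() vs. rdmsr() on top of the msr driver.
 * Requires root and /dev/cpu/N/msr (modprobe msr). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MSR_IA32_TSC        0x00000010u  /* architectural, exists on every x86 */
#define MSR_ASSUMED_INVALID 0x00001234u  /* assumption: unimplemented on most CPUs */

/* Safe flavour: 0 on success, -EIO when the RDMSR faulted (#GP) inside the
 * driver, or another -errno (EBADF, EACCES, ...) for non-MSR failures.
 * The file offset is the MSR index, as the msr driver defines it. */
static int read_msr_safe(int fd, uint32_t msr, uint64_t *val)
{
    ssize_t n = pread(fd, val, sizeof(*val), (off_t)msr);
    if (n == (ssize_t)sizeof(*val))
        return 0;
    if (n < 0)
        return -errno;
    return -EIO;  /* short read: treat as a failed access */
}

/* Non-safe flavour: the caller asserts the MSR exists. A failure is a
 * programming error, so abort(), the userspace stand-in for an oops. */
static uint64_t read_msr(int fd, uint32_t msr)
{
    uint64_t val;
    int rc = read_msr_safe(fd, msr, &val);
    if (rc) {
        fprintf(stderr, "unchecked read of MSR 0x%x failed: %s\n",
                msr, strerror(-rc));
        abort();
    }
    return val;
}

static int open_msr(int cpu)
{
    char path[64];
    snprintf(path, sizeof(path), "/dev/cpu/%d/msr", cpu);
    return open(path, O_RDONLY);
}

/* Helpers exercising the error paths without hardware: a closed descriptor
 * yields -EBADF, a device that returns no data (/dev/null) yields -EIO. */
static int rc_on_closed_fd(void)
{
    uint64_t v;
    return read_msr_safe(-1, MSR_IA32_TSC, &v);
}

static int rc_on_short_read(void)
{
    uint64_t v;
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -errno;
    int rc = read_msr_safe(fd, MSR_IA32_TSC, &v);
    close(fd);
    return rc;
}

int main(void)
{
    int fd = open_msr(0);
    if (fd < 0) {
        perror("open /dev/cpu/0/msr (root and the msr module are required)");
        return 1;
    }

    uint64_t val;
    int rc = read_msr_safe(fd, MSR_ASSUMED_INVALID, &val);
    printf("safe read of MSR 0x%x: %s\n", MSR_ASSUMED_INVALID,
           rc == -EIO ? "faulted, handled" : rc ? strerror(-rc) : "succeeded");

    /* The unchecked read: fine for an architectural MSR, fatal otherwise. */
    printf("unchecked read of TSC: 0x%016llx\n",
           (unsigned long long)read_msr(fd, MSR_IA32_TSC));

    close(fd);
    return 0;
}
```

The point of the pairing is the one the thread argues over: the safe call gives the caller an error code and the program continues, whereas the unchecked call treats failure as "the program screwed up" and stops, which is the policy panic_on_oops selects for the kernel's own unchecked MSR accesses.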
Thread overview:
2016-03-11 19:06 [PATCH v3 0/5] Improve non-"safe" MSR access failure handling  Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 1/5] x86/paravirt: Add _safe to the read_msr and write_msr PV hooks  Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 2/5] x86/msr: Carry on after a non-"safe" MSR access fails without !panic_on_oops  Andy Lutomirski
2016-03-12 15:31   ` Ingo Molnar
2016-03-12 15:36   ` Ingo Molnar
2016-03-12 17:32     ` Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 3/5] x86/paravirt: Add paravirt_{read,write}_msr  Andy Lutomirski
2016-03-14 14:02   ` Paolo Bonzini
2016-03-14 16:53     ` Andy Lutomirski
2016-03-14 16:58       ` Linus Torvalds
2016-03-14 17:02         ` Andy Lutomirski
2016-03-15  8:49           ` Paolo Bonzini [this message]
2016-03-15  8:56       ` Paolo Bonzini
2016-03-11 19:06 ` [PATCH v3 4/5] x86/paravirt: Make "unsafe" MSR accesses unsafe even if PARAVIRT=y  Andy Lutomirski
2016-03-11 19:06 ` [PATCH v3 5/5] x86/msr: Set the return value to zero when native_rdmsr_safe fails  Andy Lutomirski
