From: Alexander Popov <alex.popov@linux.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Paul McKenney <paulmck@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Joerg Roedel <jroedel@suse.de>,
Maciej Rozycki <macro@orcam.me.uk>,
Muchun Song <songmuchun@bytedance.com>,
Viresh Kumar <viresh.kumar@linaro.org>,
Robin Murphy <robin.murphy@arm.com>,
Randy Dunlap <rdunlap@infradead.org>,
Lu Baolu <baolu.lu@linux.intel.com>,
Petr Mladek <pmladek@suse.com>, Kees Cook <keescook@chromium.org>,
Luis Chamberlain <mcgrof@kernel.org>, Wei Liu <wl@xen.org>,
John Ogness <john.ogness@linutronix.de>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Alexey Kardashevskiy <aik@ozlabs.ru>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Jann Horn <jannh@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Mark Rutland <mark.rutland@arm.com>,
Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Steven Rostedt <rostedt@goodmis.org>,
Will Deacon <will@kernel.org>, Ard Biesheuvel <ardb@kernel.org>,
Laura Abbott <labbott@kernel.org>,
David S Miller <davem@davemloft.net>,
Borislav Petkov <bp@alien8.de>, Arnd Bergmann <arnd@arndb.de>,
Andrew Scull <ascull@google.com>, Marc Zyngier <maz@kernel.org>,
Jessica Yu <jeyu@kernel.org>, Iurii Zaikin <yzaikin@google.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Wang Qing <wangqing@vivo.com>, Mel Gorman <mgorman@suse.de>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Andrew Klychkov <andrew.a.klychkov@gmail.com>,
Mathieu Chouquet-Stringer <me@mathieu.digital>,
Daniel Borkmann <daniel@iogearbox.net>,
Stephen Kitt <steve@sk2.org>, Stephen Boyd <sboyd@kernel.org>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
Mike Rapoport <rppt@kernel.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
linux-hardening@vger.kernel.org,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
notify@kernel.org, main@lists.elisa.tech,
safety-architecture@lists.elisa.tech, devel@lists.elisa.tech,
Shuah Khan <shuah@kernel.org>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>
Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter
Date: Sat, 13 Nov 2021 21:14:39 +0300 [thread overview]
Message-ID: <77b79f0c-48f2-16dd-1d00-22f3a1b1f5a6@linux.com> (raw)
In-Reply-To: <CAHk-=wgRmjkP3+32XPULMLTkv24AkA=nNLa7xxvSg-F0G1sJ9g@mail.gmail.com>
On 13.11.2021 00:26, Linus Torvalds wrote:
> On Fri, Nov 12, 2021 at 10:52 AM Alexander Popov <alex.popov@linux.com> wrote:
>>
>> Hello everyone!
>> Friendly ping for your feedback.
>
> I still haven't heard a compelling _reason_ for this all, and why
> anybody should ever use this or care?
Ok, to sum up:
Killing the process that hit a kernel warning complies with the Fail-Fast
principle [1]. pkill_on_warn sysctl allows the kernel to stop the process when
the **first signs** of wrong behavior are detected.
By default, the Linux kernel ignores a warning and proceeds the execution from
the flawed state. That is opposite to the Fail-Fast principle.
A kernel warning may be followed by memory corruption or other negative effects,
like in CVE-2019-18683 exploit [2] or many other cases detected by the SyzScope
project [3]. pkill_on_warn would prevent the system from the errors going after
a warning in the process context.
At the same time, pkill_on_warn does not kill the entire system like
panic_on_warn. That is the middle way of handling kernel warnings.
Linus, it's similar to your BUG_ON() policy [4]. The process hitting BUG_ON() is
killed, and the system proceeds to work. pkill_on_warn just brings a similar
policy to WARN_ON() handling.
I believe that many Linux distros (which don't hit WARN_ON() here and there)
will enable pkill_on_warn because it's reasonable from the safety and security
points of view.
And I'm sure that the ELISA project by the Linux Foundation (Enabling Linux In
Safety Applications [5]) would support the pkill_on_warn sysctl.
[Adding people from this project to CC]
I hope that I managed to show the rationale.
Best regards,
Alexander
[1]: https://en.wikipedia.org/wiki/Fail-fast
[2]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[3]: https://www.usenix.org/system/files/sec22summer_zou.pdf
[4]: http://lkml.iu.edu/hypermail/linux/kernel/1610.0/01217.html
[5]: https://elisa.tech/
next prev parent reply other threads:[~2021-11-13 18:14 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 23:32 [PATCH v2 0/2] Introduce the pkill_on_warn parameter Alexander Popov
2021-10-27 23:32 ` [PATCH v2 1/2] bug: do refactoring allowing to add a warning handling action Alexander Popov
2021-10-27 23:32 ` [PATCH v2 2/2] sysctl: introduce kernel.pkill_on_warn Alexander Popov
2021-11-12 21:24 ` Steven Rostedt
2021-11-12 18:52 ` [PATCH v2 0/2] Introduce the pkill_on_warn parameter Alexander Popov
2021-11-12 21:26 ` Linus Torvalds
2021-11-13 18:14 ` Alexander Popov [this message]
2021-11-13 19:58 ` Linus Torvalds
2021-11-14 14:21 ` Marco Elver
2021-11-15 13:59 ` Lukas Bulwahn
2021-11-15 15:51 ` [ELISA Safety Architecture WG] " Gabriele Paoloni
2021-11-16 7:52 ` Alexander Popov
2021-11-16 8:01 ` Lukas Bulwahn
2021-11-16 8:41 ` Petr Mladek
2021-11-16 9:19 ` Lukas Bulwahn
2021-11-16 13:20 ` James Bottomley
2021-11-15 16:06 ` Steven Rostedt
2021-11-15 22:06 ` Kees Cook
2021-11-16 9:12 ` Alexander Popov
2021-11-16 18:41 ` Kees Cook
2021-11-16 19:00 ` Casey Schaufler
2021-11-18 17:32 ` Kees Cook
2021-11-18 18:30 ` Casey Schaufler
2021-11-18 20:29 ` Kees Cook
2021-11-16 13:07 ` James Bottomley
2021-11-20 12:17 ` Marco Elver
2021-11-22 16:21 ` Steven Rostedt
2021-11-16 6:37 ` Christophe Leroy
2021-11-16 8:34 ` Alexander Popov
2021-11-16 8:57 ` Lukas Bulwahn
2021-11-15 8:12 ` Kaiwan N Billimoria
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77b79f0c-48f2-16dd-1d00-22f3a1b1f5a6@linux.com \
--to=alex.popov@linux.com \
--cc=aik@ozlabs.ru \
--cc=akpm@linux-foundation.org \
--cc=andrew.a.klychkov@gmail.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=ascull@google.com \
--cc=baolu.lu@linux.intel.com \
--cc=bjorn.andersson@linaro.org \
--cc=bp@alien8.de \
--cc=christophe.leroy@csgroup.eu \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=devel@lists.elisa.tech \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=jeyu@kernel.org \
--cc=john.ogness@linutronix.de \
--cc=jroedel@suse.de \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=lukas.bulwahn@gmail.com \
--cc=luto@kernel.org \
--cc=macro@orcam.me.uk \
--cc=main@lists.elisa.tech \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=mcgrof@kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=me@mathieu.digital \
--cc=mgorman@suse.de \
--cc=notify@kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rdunlap@infradead.org \
--cc=robin.murphy@arm.com \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=safety-architecture@lists.elisa.tech \
--cc=sboyd@kernel.org \
--cc=shuah@kernel.org \
--cc=songmuchun@bytedance.com \
--cc=steve@sk2.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tsbogend@alpha.franken.de \
--cc=viresh.kumar@linaro.org \
--cc=wangqing@vivo.com \
--cc=will@kernel.org \
--cc=wl@xen.org \
--cc=yzaikin@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).