From: Alexander Popov <alex.popov@linux.com>
To: Kees Cook <keescook@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Paul McKenney <paulmck@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Joerg Roedel <jroedel@suse.de>,
Maciej Rozycki <macro@orcam.me.uk>,
Muchun Song <songmuchun@bytedance.com>,
Viresh Kumar <viresh.kumar@linaro.org>,
Robin Murphy <robin.murphy@arm.com>,
Randy Dunlap <rdunlap@infradead.org>,
Lu Baolu <baolu.lu@linux.intel.com>,
Petr Mladek <pmladek@suse.com>,
Luis Chamberlain <mcgrof@kernel.org>, Wei Liu <wl@xen.org>,
John Ogness <john.ogness@linutronix.de>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Alexey Kardashevskiy <aik@ozlabs.ru>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Jann Horn <jannh@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Mark Rutland <mark.rutland@arm.com>,
Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Will Deacon <will@kernel.org>, Ard Biesheuvel <ardb@kernel.org>,
Laura Abbott <labbott@kernel.org>,
David S Miller <davem@davemloft.net>,
Borislav Petkov <bp@alien8.de>, Arnd Bergmann <arnd@arndb.de>,
Andrew Scull <ascull@google.com>, Marc Zyngier <maz@kernel.org>,
Jessica Yu <jeyu@kernel.org>, Iurii Zaikin <yzaikin@google.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Wang Qing <wangqing@vivo.com>, Mel Gorman <mgorman@suse.de>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Andrew Klychkov <andrew.a.klychkov@gmail.com>,
Mathieu Chouquet-Stringer <me@mathieu.digital>,
Daniel Borkmann <daniel@iogearbox.net>,
Stephen Kitt <steve@sk2.org>, Stephen Boyd <sboyd@kernel.org>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
Mike Rapoport <rppt@kernel.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
linux-hardening@vger.kernel.org,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
notify@kernel.org, main@lists.elisa.tech,
safety-architecture@lists.elisa.tech, devel@lists.elisa.tech,
Shuah Khan <shuah@kernel.org>
Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter
Date: Tue, 16 Nov 2021 12:12:16 +0300 [thread overview]
Message-ID: <59534db5-b251-c0c8-791f-58aca5c00a2b@linux.com> (raw)
In-Reply-To: <202111151116.933184F716@keescook>
On 16.11.2021 01:06, Kees Cook wrote:
> Hmm, yes. What it originally boiled down to, which is why Linus first
> objected to BUG(), was that we don't know what other parts of the system
> have been disrupted. The best example is just that of locking: if we
> BUG() or do_exit() in the middle of holding a lock, we'll wreck whatever
> subsystem that was attached to. Without a deterministic system state
> unwinder, there really isn't a "safe" way to just stop a kernel thread.
>
> With this pkill_on_warn, we avoid the BUG problem (since the thread of
> execution continues and stops at an 'expected' place: the signal
> handler).
>
> However, now we have the newer objection from Linus, which is one of
> attribution: the WARN might be hit during an "unrelated" thread of
> execution and "current" gets blamed, etc. And beyond that, if we take
> down a portion of userspace, what in userspace may be destabilized? In
> theory, we get a case where any required daemons would be restarted by
> init, but that's not "known".
>
> The safest version of this I can think of is for processes to opt into
> this mitigation. That would also cover the "special cases" we've seen
> exposed too. i.e. init and kthreads would not opt in.
>
> However, that's a lot to implement when Marco's tracing suggestion might
> be sufficient and policy could be entirely implemented in userspace. It
> could be as simple as this (totally untested):
I don't think that this userspace warning handling can work as pkill_on_warn.
1. The kernel code execution continues after WARN_ON(), it will not wait some
userspace daemon that is polling trace events. That's not different from
ignoring and having all negative effects after WARN_ON().
2. This userspace policy will miss WARN_ON_ONCE(), WARN_ONCE() and
WARN_TAINT_ONCE() after the first hit.
Oh, wait...
I got a crazy idea that may bring more consistency in the error handling mess.
What if the Linux kernel had a LSM module responsible for error handling policy?
That would require adding LSM hooks to BUG*(), WARN*(), KERN_EMERG, etc.
In such LSM policy we can decide immediately how to react on the kernel error.
We can even decide depending on the subsystem and things like that.
(idea for brainstorming)
Best regards,
Alexander
next prev parent reply other threads:[~2021-11-16 9:12 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 23:32 [PATCH v2 0/2] Introduce the pkill_on_warn parameter Alexander Popov
2021-10-27 23:32 ` [PATCH v2 1/2] bug: do refactoring allowing to add a warning handling action Alexander Popov
2021-10-27 23:32 ` [PATCH v2 2/2] sysctl: introduce kernel.pkill_on_warn Alexander Popov
2021-11-12 21:24 ` Steven Rostedt
2021-11-12 18:52 ` [PATCH v2 0/2] Introduce the pkill_on_warn parameter Alexander Popov
2021-11-12 21:26 ` Linus Torvalds
2021-11-13 18:14 ` Alexander Popov
2021-11-13 19:58 ` Linus Torvalds
2021-11-14 14:21 ` Marco Elver
2021-11-15 13:59 ` Lukas Bulwahn
2021-11-15 15:51 ` [ELISA Safety Architecture WG] " Gabriele Paoloni
2021-11-16 7:52 ` Alexander Popov
2021-11-16 8:01 ` Lukas Bulwahn
2021-11-16 8:41 ` Petr Mladek
2021-11-16 9:19 ` Lukas Bulwahn
2021-11-16 13:20 ` James Bottomley
2021-11-15 16:06 ` Steven Rostedt
2021-11-15 22:06 ` Kees Cook
2021-11-16 9:12 ` Alexander Popov [this message]
2021-11-16 18:41 ` Kees Cook
2021-11-16 19:00 ` Casey Schaufler
2021-11-18 17:32 ` Kees Cook
2021-11-18 18:30 ` Casey Schaufler
2021-11-18 20:29 ` Kees Cook
2021-11-16 13:07 ` James Bottomley
2021-11-20 12:17 ` Marco Elver
2021-11-22 16:21 ` Steven Rostedt
2021-11-16 6:37 ` Christophe Leroy
2021-11-16 8:34 ` Alexander Popov
2021-11-16 8:57 ` Lukas Bulwahn
2021-11-15 8:12 ` Kaiwan N Billimoria
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59534db5-b251-c0c8-791f-58aca5c00a2b@linux.com \
--to=alex.popov@linux.com \
--cc=aik@ozlabs.ru \
--cc=akpm@linux-foundation.org \
--cc=andrew.a.klychkov@gmail.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=ascull@google.com \
--cc=baolu.lu@linux.intel.com \
--cc=bjorn.andersson@linaro.org \
--cc=bp@alien8.de \
--cc=christophe.leroy@csgroup.eu \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=devel@lists.elisa.tech \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=jeyu@kernel.org \
--cc=john.ogness@linutronix.de \
--cc=jroedel@suse.de \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=lukas.bulwahn@gmail.com \
--cc=luto@kernel.org \
--cc=macro@orcam.me.uk \
--cc=main@lists.elisa.tech \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=mcgrof@kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=me@mathieu.digital \
--cc=mgorman@suse.de \
--cc=notify@kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rdunlap@infradead.org \
--cc=robin.murphy@arm.com \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=safety-architecture@lists.elisa.tech \
--cc=sboyd@kernel.org \
--cc=shuah@kernel.org \
--cc=songmuchun@bytedance.com \
--cc=steve@sk2.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tsbogend@alpha.franken.de \
--cc=viresh.kumar@linaro.org \
--cc=wangqing@vivo.com \
--cc=will@kernel.org \
--cc=wl@xen.org \
--cc=yzaikin@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox