Subject: Re: [PATCH] mm/slub: Add slub_debug option to panic on memory corruption
To: Kees Cook
Cc: Georgi Djakov, linux-mm@kvack.org, akpm@linux-foundation.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, corbet@lwn.net, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
From: Vlastimil Babka
Date: Thu, 18 Mar 2021 13:56:05 +0100

On 3/18/21 6:48 AM, Kees Cook wrote:
> On Tue, Mar 09, 2021 at 07:18:32PM +0100, Vlastimil Babka wrote:
>> On 3/9/21 7:14 PM, Georgi Djakov wrote:
>> > Hi Vlastimil,
>> >
>> > Thanks for the comment!
>> >
>> > On 3/9/21 17:09, Vlastimil Babka wrote:
>> >> On 3/9/21 2:47 PM, Georgi Djakov wrote:
>> >>> Being able to stop the system immediately when a memory corruption
>> >>> is detected is crucial to finding the source of it. This is very
>> >>> useful when the memory can be inspected with kdump or other tools.
>> >>
>> >> Is this in some testing scenarios where you would also use e.g. panic_on_warn?
>> >> We could hook to that. If not, we could introduce a new
>> >> panic_on_memory_corruption that would apply also for debug_pagealloc and whatnot?
>> >
>> > I would prefer that we not tie it with panic_on_warn - there might be lots of
>> > new code in multiple subsystems, so hitting some WARNing while testing is not
>> > something unexpected.
>> >
>> > Introducing an additional panic_on_memory_corruption would work, but I noticed
>> > that we already have slub_debug and thought to re-use that. But indeed, adding
>> > an option to panic in for example bad_page() sounds also useful, if that's what
>> > you suggest.
>>
>> Yes, that would be another example.
>> Also CCing Kees for input, as besides the "kdump ASAP for debugging" case, I can
>> imagine security hardening folks could be interested in the "somebody might have
>> just failed to pwn the kernel, better panic than let them continue" angle. But
>> I'm naive wrt security, so it might be a stupid idea :)
>
> I've really wanted such things, but Linus has been pretty adamant about
> not wanting to provide new "panic" paths (or even BUG usage[1]). It
> seems that panic_on_warn remains the way to get this behavior,
> with the understanding that WARN should only be produced on
> expected-to-be-impossible situations[1].
>
> Hitting a WARN while testing should result in either finding and fixing
> a real bug, or removing the WARN in favor of pr_warn(). :)

I was going to suggest adding a panic_on_taint parameter... but turns out it was
already added last year! And various memory corruption detections already use
TAINT_BAD_PAGE, including SLUB.
If anything's missing an add_taint() it can be added, and with the parameter you
should get what you want.

> -Kees
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on
>
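
Added example, not part of the original message or of the kernel source: a shell sketch of how the panic_on_taint bitmask relates to TAINT_BAD_PAGE, and why a mask covering only the bad-page bit does not fire on a WARN-only taint. The helper names (taint_mask, decode_taint, would_panic) and the sample values are constructed for illustration; the bit order is assumed to follow the kernel's tainted-kernels documentation.

```shell
#!/bin/sh
# Taint flag letters in bit order (bit 0 = P ... bit 17 = T), assumed to match
# Documentation/admin-guide/tainted-kernels.rst. B (bit 5) is TAINT_BAD_PAGE.
TAINT_LETTERS="PFSRMBUDAWCIOELKXT"

# taint_mask LETTERS -> hex bitmask usable as panic_on_taint=<mask>
taint_mask() {
    mask=0
    rest=$1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}                 # first character of $rest
        rest=${rest#?}
        prefix=${TAINT_LETTERS%%"$c"*}        # text before the letter = bit index
        if [ "$prefix" = "$TAINT_LETTERS" ]; then
            echo "unknown taint letter: $c" >&2
            return 1
        fi
        mask=$(( mask | (1 << ${#prefix}) ))
    done
    printf '0x%x\n' "$mask"
}

# decode_taint VALUE -> letters of the bits set in VALUE
# (VALUE as read from /proc/sys/kernel/tainted)
decode_taint() {
    value=$(( $1 ))
    out=""
    bit=0
    rest=$TAINT_LETTERS
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        if [ $(( value >> bit & 1 )) -eq 1 ]; then out="$out$c"; fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# would_panic TAINTED MASK -> success if the taint bits intersect the mask,
# modelling the "tainted & panic_on_taint" test made when a taint is added.
would_panic() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# Constructed sample: 544 = bit 5 (B, bad page) + bit 9 (W, a WARN fired).
mask=$(taint_mask B)
echo "boot parameter: panic_on_taint=$mask"
echo "taint 544 decodes to: $(decode_taint 544)"
would_panic 512 "$mask" || echo "WARN-only taint (512) does not match $mask"
```
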