Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAKXUXMxqg3MpwBMUSrjNS222C=MptrLiE5VXTVpVwXSQjSgKrA@mail.gmail.com>
Date: Tue, 16 Nov 2021 09:57:28 +0100
From: Lukas Bulwahn <lukas.bulwahn@...il.com>
To: Christophe Leroy <christophe.leroy@...roup.eu>
Cc: Steven Rostedt <rostedt@...dmis.org>, Alexander Popov <alex.popov@...ux.com>, 
	Linus Torvalds <torvalds@...ux-foundation.org>, Jonathan Corbet <corbet@....net>, 
	Paul McKenney <paulmck@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, 
	Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>, 
	Joerg Roedel <jroedel@...e.de>, Maciej Rozycki <macro@...am.me.uk>, 
	Muchun Song <songmuchun@...edance.com>, Viresh Kumar <viresh.kumar@...aro.org>, 
	Robin Murphy <robin.murphy@....com>, Randy Dunlap <rdunlap@...radead.org>, 
	Lu Baolu <baolu.lu@...ux.intel.com>, Petr Mladek <pmladek@...e.com>, 
	Kees Cook <keescook@...omium.org>, Luis Chamberlain <mcgrof@...nel.org>, Wei Liu <wl@....org>, 
	John Ogness <john.ogness@...utronix.de>, 
	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, Alexey Kardashevskiy <aik@...abs.ru>, 
	Jann Horn <jannh@...gle.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Mark Rutland <mark.rutland@....com>, Andy Lutomirski <luto@...nel.org>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, Will Deacon <will@...nel.org>, 
	Ard Biesheuvel <ardb@...nel.org>, Laura Abbott <labbott@...nel.org>, 
	David S Miller <davem@...emloft.net>, Borislav Petkov <bp@...en8.de>, Arnd Bergmann <arnd@...db.de>, 
	Andrew Scull <ascull@...gle.com>, Marc Zyngier <maz@...nel.org>, Jessica Yu <jeyu@...nel.org>, 
	Iurii Zaikin <yzaikin@...gle.com>, Rasmus Villemoes <linux@...musvillemoes.dk>, 
	Wang Qing <wangqing@...o.com>, Mel Gorman <mgorman@...e.de>, 
	Mauro Carvalho Chehab <mchehab+huawei@...nel.org>, Andrew Klychkov <andrew.a.klychkov@...il.com>, 
	Mathieu Chouquet-Stringer <me@...hieu.digital>, Daniel Borkmann <daniel@...earbox.net>, Stephen Kitt <steve@....org>, 
	Stephen Boyd <sboyd@...nel.org>, Thomas Bogendoerfer <tsbogend@...ha.franken.de>, 
	Mike Rapoport <rppt@...nel.org>, Bjorn Andersson <bjorn.andersson@...aro.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, linux-hardening@...r.kernel.org, 
	"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>, linux-arch <linux-arch@...r.kernel.org>, 
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, 
	linux-fsdevel <linux-fsdevel@...r.kernel.org>, notify@...nel.org, main@...ts.elisa.tech, 
	safety-architecture@...ts.elisa.tech, devel@...ts.elisa.tech, 
	Shuah Khan <shuah@...nel.org>
Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter

On Tue, Nov 16, 2021 at 7:37 AM Christophe Leroy
<christophe.leroy@...roup.eu> wrote:
>
>
>
> Le 15/11/2021 à 17:06, Steven Rostedt a écrit :
> > On Mon, 15 Nov 2021 14:59:57 +0100
> > Lukas Bulwahn <lukas.bulwahn@...il.com> wrote:
> >
> >> 1. Allow a reasonably configured kernel to boot and run with
> >> panic_on_warn set. Warnings should only be raised when something is
> >> not configured as the developers expect it or the kernel is put into a
> >> state that generally is _unexpected_ and has been exposed little to
> >> the critical thought of the developer, to testing efforts and use in
> >> other systems in the wild. Warnings should not be used for something
> >> informative, which still allows the kernel to continue running in a
> >> proper way in a generally expected environment. Up to my knowledge,
> >> there are some kernels in production that run with panic_on_warn; so,
> >> IMHO, this requirement is generally accepted (we might of course
> >
> > To me, WARN*() is the same as BUG*(). If it gets hit, it's a bug in the
> > kernel and needs to be fixed. I have several WARN*() calls in my code, and
> > it's all because the algorithms used is expected to prevent the condition
> > in the warning from happening. If the warning triggers, it means either that
> > the algorithm is wrong or my assumption about the algorithm is wrong. In
> > either case, the kernel needs to be updated. All my tests fail if a WARN*()
> > gets hit (anywhere in the kernel, not just my own).
> >
> > After reading all the replies and thinking about this more, I find the
> > pkill_on_warning actually worse than not doing anything. If you are
> > concerned about exploits from warnings, the only real solution is a
> > panic_on_warning. Yes, it brings down the system, but really, it has to be
> > brought down anyway, because it is in need of a kernel update.
> >
>
> We also have LIVEPATCH to avoid bringing down the system for a kernel
> update, don't we ? So I wouldn't expect bringing down a vital system
> just for a WARN.
>
> As far as I understand from
> https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on,
> WARN() and WARN_ON() are meant to deal with those situations as
> gracefull as possible, allowing the system to continue running the best
> it can until a human controled action is taken.
>
> So I'd expect the WARN/WARN_ON to be handled and I agree that that
> pkill_on_warning seems dangerous and unrelevant, probably more dangerous
> than doing nothing, especially as the WARN may trigger for a reason
> which has nothing to do with the running thread.
>

Christophe,

I agree with a reasonable goal that WARN() should allow users "to deal
with those situations as gracefull as possible, allowing the system to
continue running the best it can until a human controled action is
taken."

However, that makes me wonder even more: what does the system after a
WARN() invocation still need to provide as properly working
functionality, so that the human can take action, and how can the
kernel indicate to the whole user applications that a certain
functionality is not working anymore and how adaptive can those user
application really be here? Making that explicit for every WARN()
invocation seems to be tricky and probably also quite error-prone. So,
in the end, after a WARN(), you end up running a system where you have
this uncomfortable feeling of a running system where some things work
and some things do not and it might be insecure (the whole system
security concept is invalidated, because security features do not
work, security holes are opened etc.) or other surprises happen.

The panic_on_warn implements a simple policy of that "run as graceful
as possible": We assume stopping the kernel is _graceful_, and we just
assume that the functionality "panic shuts down the system" still
works properly after any WARN() invocation. Once the system is shut
down, the human can take action and switch it into some (remote)
diagnostic mode for further analysis and repair.

I am wondering if that policy and that assumption holds for all WARN()
invocations in the kernel? I would hope that we can answer this
question, which is much simpler than getting the precise answer on
"what as graceful as possible actually means".

Lukas

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.