| Message ID | 20200116012321.26254-6-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ubsan: Split out bounds checker | expand |
On Thu, Jan 16, 2020 at 2:24 AM Kees Cook <keescook@chromium.org> wrote: > > As done in the full WARN() handler, panic_on_warn needs to be cleared > before calling panic() to avoid recursive panics. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > mm/kasan/report.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index 621782100eaa..844554e78893 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) > pr_err("==================================================================\n"); > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > spin_unlock_irqrestore(&report_lock, *flags); > - if (panic_on_warn) > + if (panic_on_warn) { > + /* > + * This thread may hit another WARN() in the panic path. > + * Resetting this prevents additional WARN() from panicking the > + * system on this thread. Other threads are blocked by the > + * panic_mutex in panic(). I don't understand part about other threads. Other threads are not necessary inside of panic(). And in fact since we reset panic_on_warn, they will not get there even if they should. If I am reading this correctly, once one thread prints a warning and is going to panic, other threads may now print infinite amounts of warning and proceed past them freely. Why is this the behavior we want? > + */ > + panic_on_warn = 0; > panic("panic_on_warn set ...\n"); > + } > kasan_enable_current(); > }
On Thu, Jan 16, 2020 at 06:23:01AM +0100, Dmitry Vyukov wrote: > On Thu, Jan 16, 2020 at 2:24 AM Kees Cook <keescook@chromium.org> wrote: > > > > As done in the full WARN() handler, panic_on_warn needs to be cleared > > before calling panic() to avoid recursive panics. > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > mm/kasan/report.c | 10 +++++++++- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > > index 621782100eaa..844554e78893 100644 > > --- a/mm/kasan/report.c > > +++ b/mm/kasan/report.c > > @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) > > pr_err("==================================================================\n"); > > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > > spin_unlock_irqrestore(&report_lock, *flags); > > - if (panic_on_warn) > > + if (panic_on_warn) { > > + /* > > + * This thread may hit another WARN() in the panic path. > > + * Resetting this prevents additional WARN() from panicking the > > + * system on this thread. Other threads are blocked by the > > + * panic_mutex in panic(). > > I don't understand part about other threads. > Other threads are not necessary inside of panic(). And in fact since > we reset panic_on_warn, they will not get there even if they should. > If I am reading this correctly, once one thread prints a warning and > is going to panic, other threads may now print infinite amounts of > warning and proceed past them freely. Why is this the behavior we > want? AIUI, the issue is the current thread hitting another WARN and blocking on trying to call panic again. WARNs encountered during the execution of panic() need to not attempt to call panic() again. -Kees > > > + */ > > + panic_on_warn = 0; > > panic("panic_on_warn set ...\n"); > > + } > > kasan_enable_current(); > > }
On Fri, Jan 17, 2020 at 12:49 AM Kees Cook <keescook@chromium.org> wrote: > > On Thu, Jan 16, 2020 at 06:23:01AM +0100, Dmitry Vyukov wrote: > > On Thu, Jan 16, 2020 at 2:24 AM Kees Cook <keescook@chromium.org> wrote: > > > > > > As done in the full WARN() handler, panic_on_warn needs to be cleared > > > before calling panic() to avoid recursive panics. > > > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > > --- > > > mm/kasan/report.c | 10 +++++++++- > > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > > > index 621782100eaa..844554e78893 100644 > > > --- a/mm/kasan/report.c > > > +++ b/mm/kasan/report.c > > > @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) > > > pr_err("==================================================================\n"); > > > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > > > spin_unlock_irqrestore(&report_lock, *flags); > > > - if (panic_on_warn) > > > + if (panic_on_warn) { > > > + /* > > > + * This thread may hit another WARN() in the panic path. > > > + * Resetting this prevents additional WARN() from panicking the > > > + * system on this thread. Other threads are blocked by the > > > + * panic_mutex in panic(). > > > > I don't understand part about other threads. > > Other threads are not necessary inside of panic(). And in fact since > > we reset panic_on_warn, they will not get there even if they should. > > If I am reading this correctly, once one thread prints a warning and > > is going to panic, other threads may now print infinite amounts of > > warning and proceed past them freely. Why is this the behavior we > > want? > > AIUI, the issue is the current thread hitting another WARN and blocking > on trying to call panic again. WARNs encountered during the execution of > panic() need to not attempt to call panic() again. Yes, but the variable is global and affects other threads and the comment talks about other threads, and that's the part I am confused about (for both comment wording and the actual behavior). For the "same thread hitting another warning" case we need a per-task flag or something. > -Kees > > > > > > + */ > > > + panic_on_warn = 0; > > > panic("panic_on_warn set ...\n"); > > > + } > > > kasan_enable_current(); > > > } > > -- > Kees Cook
On Fri, Jan 17, 2020 at 10:54:36AM +0100, Dmitry Vyukov wrote: > On Fri, Jan 17, 2020 at 12:49 AM Kees Cook <keescook@chromium.org> wrote: > > > > On Thu, Jan 16, 2020 at 06:23:01AM +0100, Dmitry Vyukov wrote: > > > On Thu, Jan 16, 2020 at 2:24 AM Kees Cook <keescook@chromium.org> wrote: > > > > > > > > As done in the full WARN() handler, panic_on_warn needs to be cleared > > > > before calling panic() to avoid recursive panics. > > > > > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > > > --- > > > > mm/kasan/report.c | 10 +++++++++- > > > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > > > > index 621782100eaa..844554e78893 100644 > > > > --- a/mm/kasan/report.c > > > > +++ b/mm/kasan/report.c > > > > @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) > > > > pr_err("==================================================================\n"); > > > > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > > > > spin_unlock_irqrestore(&report_lock, *flags); > > > > - if (panic_on_warn) > > > > + if (panic_on_warn) { > > > > + /* > > > > + * This thread may hit another WARN() in the panic path. > > > > + * Resetting this prevents additional WARN() from panicking the > > > > + * system on this thread. Other threads are blocked by the > > > > + * panic_mutex in panic(). > > > > > > I don't understand part about other threads. > > > Other threads are not necessary inside of panic(). And in fact since > > > we reset panic_on_warn, they will not get there even if they should. > > > If I am reading this correctly, once one thread prints a warning and > > > is going to panic, other threads may now print infinite amounts of > > > warning and proceed past them freely. Why is this the behavior we > > > want? > > > > AIUI, the issue is the current thread hitting another WARN and blocking > > on trying to call panic again. WARNs encountered during the execution of > > panic() need to not attempt to call panic() again. > > Yes, but the variable is global and affects other threads and the > comment talks about other threads, and that's the part I am confused > about (for both comment wording and the actual behavior). For the > "same thread hitting another warning" case we need a per-task flag or > something. This is duplicating the common panic-on-warn logic (see the generic bug code), so I'd like to just have the same behavior between the three implementations of panic-on-warn (generic bug, kasan, ubsan), and then work to merge them into a common handler, and then perhaps fix the details of the behavior. I think it's more correct to allow the panicing thread to complete than to care about what the other threads are doing. Right now, a WARN within the panic code will either a) hang the machine, or b) not panic, allowing the rest of the threads to continue, maybe then hitting other WARNs and hanging. The generic bug code does not suffer from this. -Kees > > > -Kees > > > > > > > > > + */ > > > > + panic_on_warn = 0; > > > > panic("panic_on_warn set ...\n"); > > > > + } > > > > kasan_enable_current(); > > > > } > > > > -- > > Kees Cook
On Fri, Jan 17, 2020 at 10:20 PM Kees Cook <keescook@chromium.org> wrote: > > On Fri, Jan 17, 2020 at 10:54:36AM +0100, Dmitry Vyukov wrote: > > On Fri, Jan 17, 2020 at 12:49 AM Kees Cook <keescook@chromium.org> wrote: > > > > > > On Thu, Jan 16, 2020 at 06:23:01AM +0100, Dmitry Vyukov wrote: > > > > On Thu, Jan 16, 2020 at 2:24 AM Kees Cook <keescook@chromium.org> wrote: > > > > > > > > > > As done in the full WARN() handler, panic_on_warn needs to be cleared > > > > > before calling panic() to avoid recursive panics. > > > > > > > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > > > > --- > > > > > mm/kasan/report.c | 10 +++++++++- > > > > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > > > > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > > > > > index 621782100eaa..844554e78893 100644 > > > > > --- a/mm/kasan/report.c > > > > > +++ b/mm/kasan/report.c > > > > > @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) > > > > > pr_err("==================================================================\n"); > > > > > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > > > > > spin_unlock_irqrestore(&report_lock, *flags); > > > > > - if (panic_on_warn) > > > > > + if (panic_on_warn) { > > > > > + /* > > > > > + * This thread may hit another WARN() in the panic path. > > > > > + * Resetting this prevents additional WARN() from panicking the > > > > > + * system on this thread. Other threads are blocked by the > > > > > + * panic_mutex in panic(). > > > > > > > > I don't understand part about other threads. > > > > Other threads are not necessary inside of panic(). And in fact since > > > > we reset panic_on_warn, they will not get there even if they should. > > > > If I am reading this correctly, once one thread prints a warning and > > > > is going to panic, other threads may now print infinite amounts of > > > > warning and proceed past them freely. Why is this the behavior we > > > > want? > > > > > > AIUI, the issue is the current thread hitting another WARN and blocking > > > on trying to call panic again. WARNs encountered during the execution of > > > panic() need to not attempt to call panic() again. > > > > Yes, but the variable is global and affects other threads and the > > comment talks about other threads, and that's the part I am confused > > about (for both comment wording and the actual behavior). For the > > "same thread hitting another warning" case we need a per-task flag or > > something. > > This is duplicating the common panic-on-warn logic (see the generic bug > code), so I'd like to just have the same behavior between the three > implementations of panic-on-warn (generic bug, kasan, ubsan), and then > work to merge them into a common handler, and then perhaps fix the > details of the behavior. I think it's more correct to allow the panicing > thread to complete than to care about what the other threads are doing. > Right now, a WARN within the panic code will either a) hang the machine, > or b) not panic, allowing the rest of the threads to continue, maybe > then hitting other WARNs and hanging. The generic bug code does not > suffer from this. I see. Then: Acked-by: Dmitry Vyukov <dvyukov@google.com>
diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 621782100eaa..844554e78893 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -92,8 +92,16 @@ static void end_report(unsigned long *flags) pr_err("==================================================================\n"); add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); spin_unlock_irqrestore(&report_lock, *flags); - if (panic_on_warn) + if (panic_on_warn) { + /* + * This thread may hit another WARN() in the panic path. + * Resetting this prevents additional WARN() from panicking the + * system on this thread. Other threads are blocked by the + * panic_mutex in panic(). + */ + panic_on_warn = 0; panic("panic_on_warn set ...\n"); + } kasan_enable_current(); }
As done in the full WARN() handler, panic_on_warn needs to be cleared before calling panic() to avoid recursive panics. Signed-off-by: Kees Cook <keescook@chromium.org> --- mm/kasan/report.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)