From: Vladimir Kondratiev
To: Jonathan Corbet, Luis Chamberlain, Kees Cook, Iurii Zaikin, "Paul E. McKenney", Andrew Morton, Randy Dunlap, Thomas Gleixner, Mauro Carvalho Chehab, Mike Kravetz, "Guilherme G. Piccoli", Andy Shevchenko, Kars Mulder, Lorenzo Pieralisi, Kishon Vijay Abraham I, Arvind Sankar, Joe Perches, Rafael Aquini, "Eric W. Biederman", Christian Brauner, Alexei Starovoitov, "Peter Zijlstra (Intel)", Davidlohr Bueso, Michel Lespinasse, Jann Horn, chenqiwu, Minchan Kim, Christophe Leroy
Cc: Vladimir Kondratiev, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [RFC PATCH] do_exit(): panic() recursion detected
Date: Mon, 7 Dec 2020 14:40:49 +0200
Message-Id: <20201207124050.4016994-1-vladimir.kondratiev@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Recursive do_exit() is a symptom of compromised kernel integrity.
For safety critical systems, it may be better to panic() in this case to
minimize risk.

Signed-off-by: Vladimir Kondratiev
Change-Id: I42f45900a08c4282c511b05e9e6061360d07db60
--- Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ include/linux/kernel.h | 1 + kernel/exit.c | 7 +++++++ kernel/sysctl.c | 9 +++++++++ 4 files changed, 23 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 44fde25bb221..6e12a6804557 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -3508,6 +3508,12 @@ bit 4: print ftrace buffer bit 5: print all printk messages in buffer + panic_on_exit_recursion + panic() when do_exit() recursion detected, rather then + try to stay running whenever possible. + Useful on safety critical systems; re-entry in do_exit + is a symptom of compromised kernel integrity. + panic_on_taint= Bitmask for conditionally calling panic() in add_taint() Format: [,nousertaint] Hexadecimal bitmask representing the set of TAINT flags diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 2f05e9128201..5afb20534cb2 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -539,6 +539,7 @@ extern int sysctl_panic_on_rcu_stall; extern int sysctl_panic_on_stackoverflow; extern bool crash_kexec_post_notifiers; +extern int panic_on_exit_recursion; /* * panic_cpu is used for synchronizing panic() and crash_kexec() execution. It diff --git a/kernel/exit.c b/kernel/exit.c index 1f236ed375f8..162799a8b539 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -68,6 +68,9 @@ #include #include +int panic_on_exit_recursion __read_mostly; +core_param(panic_on_exit_recursion, panic_on_exit_recursion, int, 0644); + static void __unhash_process(struct task_struct *p, bool group_dead) { nr_threads--; @@ -757,6 +760,10 @@ void __noreturn do_exit(long code) */ if (unlikely(tsk->flags & PF_EXITING)) { pr_alert("Fixing recursive fault but reboot is needed!\n"); + if (panic_on_exit_recursion) + panic("Recursive do_exit() detected in %s[%d]\n", + current->comm, task_pid_nr(current)); + futex_exit_recursive(tsk); set_current_state(TASK_UNINTERRUPTIBLE); schedule(); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index afad085960b8..bb397fba2c42 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c 
@@ -2600,6 +2600,15 @@ static struct ctl_table kern_table[] = { .extra2 = &one_thousand, }, #endif + { + .procname = "panic_on_exit_recursion", + .data = &panic_on_exit_recursion, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, { .procname = "panic_on_warn", .data = &panic_on_warn, -- 2.27.0
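
Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk the new entry says "rather then try to stay running", which should read "rather than". The entry also has no Format line, although the parameter is declared with core_param(..., int, 0644): state that it takes an integer, that a non-zero value enables the panic, and that the default is 0 (the variable is an uninitialised global). The panic_on_taint= entry directly below shows the expected layout.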
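
Review bot: The core_param() added at the top of kernel/exit.c is registered with mode 0644, and the same variable is exported again through the kern_table entry in kernel/sysctl.c, so one flag gets two runtime-writable paths and only the sysctl path is limited to 0..1 by SYSCTL_ZERO/SYSCTL_ONE. If the boot parameter is only meant to set the initial value, give core_param() a read-only mode and leave runtime changes to the sysctl. A one-line comment above "int panic_on_exit_recursion __read_mostly;" saying what non-zero means would also help.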
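
Review bot: In the PF_EXITING branch of do_exit() the new check sits after pr_alert("Fixing recursive fault but reboot is needed!\n"), so with the option set the log announces a fix immediately before the kernel panics. Test panic_on_exit_recursion before the pr_alert(), or make the alert conditional on the non-panic path. The panic() arguments use current->comm and task_pid_nr(current) while the surrounding lines already work on tsk (tsk->flags, futex_exit_recursive(tsk)); use tsk->comm and task_pid_nr(tsk) so the branch refers to the task one way only.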
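
Review bot: The kern_table entry in kernel/sysctl.c creates a new kernel.panic_on_exit_recursion sysctl, but the diffstat touches only kernel-parameters.txt on the documentation side; the sysctl needs its own description in Documentation/admin-guide/sysctl/kernel.rst. With .mode = 0644 the flag can also be cleared again at runtime, so for the safety-critical use named in the commit message the changelog should say whether that is intended or whether the setting should only be allowed to go from 0 to 1.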