From: Vladimir Kondratiev
To: Jonathan Corbet, Luis Chamberlain, Kees Cook, Iurii Zaikin, "Paul E. McKenney", Andrew Morton, Randy Dunlap, Thomas Gleixner, Mauro Carvalho Chehab, Mike Kravetz, "Guilherme G. Piccoli", Andy Shevchenko, Kars Mulder, Lorenzo Pieralisi, Kishon Vijay Abraham I, Arvind Sankar, Joe Perches, Rafael Aquini, "Eric W. Biederman", Christian Brauner, Alexei Starovoitov, "Peter Zijlstra (Intel)", Davidlohr Bueso, Michel Lespinasse, Jann Horn, chenqiwu, Minchan Kim, Christophe Leroy
Cc: Vladimir Kondratiev, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [RFC PATCH v2] do_exit(): panic() recursion detected
Date: Mon, 7 Dec 2020 14:44:33 +0200
Message-Id: <20201207124433.4017265-1-vladimir.kondratiev@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Recursive do_exit() is a symptom of compromised kernel integrity.
For safety critical systems, it may be better to panic() in this case
to minimize risk.

Signed-off-by: Vladimir Kondratiev
Change-Id: I42f45900a08c4282c511b05e9e6061360d07db60
--- Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ include/linux/kernel.h | 1 + kernel/exit.c | 7 +++++++ kernel/sysctl.c | 9 +++++++++ 4 files changed, 23 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 44fde25bb221..6e12a6804557 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -3508,6 +3508,12 @@ bit 4: print ftrace buffer bit 5: print all printk messages in buffer + panic_on_exit_recursion + panic() when do_exit() recursion detected, rather then + try to stay running whenever possible. + Useful on safety critical systems; re-entry in do_exit + is a symptom of compromised kernel integrity. + panic_on_taint= Bitmask for conditionally calling panic() in add_taint() Format: [,nousertaint] Hexadecimal bitmask representing the set of TAINT flags diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 2f05e9128201..5afb20534cb2 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -539,6 +539,7 @@ extern int sysctl_panic_on_rcu_stall; extern int sysctl_panic_on_stackoverflow; extern bool crash_kexec_post_notifiers; +extern int panic_on_exit_recursion; /* * panic_cpu is used for synchronizing panic() and crash_kexec() execution. It diff --git a/kernel/exit.c b/kernel/exit.c index 1f236ed375f8..162799a8b539 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -68,6 +68,9 @@ #include #include +int panic_on_exit_recursion __read_mostly; +core_param(panic_on_exit_recursion, panic_on_exit_recursion, int, 0644); + static void __unhash_process(struct task_struct *p, bool group_dead) { nr_threads--; @@ -757,6 +760,10 @@ void __noreturn do_exit(long code) */ if (unlikely(tsk->flags & PF_EXITING)) { pr_alert("Fixing recursive fault but reboot is needed!\n"); + if (panic_on_exit_recursion) + panic("Recursive do_exit() detected in %s[%d]\n", + current->comm, task_pid_nr(current)); + futex_exit_recursive(tsk); set_current_state(TASK_UNINTERRUPTIBLE); schedule(); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index afad085960b8..bb397fba2c42 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c 
@@ -2600,6 +2600,15 @@ static struct ctl_table kern_table[] = { .extra2 = &one_thousand, }, #endif + { + .procname = "panic_on_exit_recursion", + .data = &panic_on_exit_recursion, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, { .procname = "panic_on_warn", .data = &panic_on_warn, -- 2.27.0
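
Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk, the new panic_on_exit_recursion entry reads "rather then try to stay running"; that should be "rather than trying to stay running". The entry also gives no format or default, unlike the panic_on_taint= entry directly below it with its Format: line. Since the sysctl table in this patch limits the value to 0 or 1, state that here, and mention kernel.panic_on_exit_recursion as the runtime equivalent.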
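
Review bot: In the first kernel/exit.c hunk, core_param(panic_on_exit_recursion, panic_on_exit_recursion, int, 0644) accepts any integer and is writable at runtime, while the entry added in kernel/sysctl.c restricts the same variable to 0..1 through proc_dointvec_minmax with SYSCTL_ZERO and SYSCTL_ONE. Two writable interfaces with different validation for one flag is easy to get wrong. Consider registering the parameter read-only so that runtime changes go only through the range-checked sysctl.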
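
Review bot: In the do_exit() hunk of kernel/exit.c, the new panic() sits after pr_alert("Fixing recursive fault but reboot is needed!\n"), so with panic_on_exit_recursion set the log announces a fix immediately before the kernel panics. Move the check above the pr_alert() so each path logs only what it actually does. The call also reads current->comm and task_pid_nr(current) although the surrounding code uses the local tsk (tsk->flags, futex_exit_recursive(tsk)); use tsk here for consistency.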
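
Review bot: The kernel/sysctl.c hunk adds a new kernel.panic_on_exit_recursion sysctl, but the diffstat shows kernel-parameters.txt as the only documentation file touched, so the sysctl itself is undocumented. Add an entry to Documentation/admin-guide/sysctl/kernel.rst that states the accepted values 0 and 1 and the default of 0.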