Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3908974rwb; Tue, 8 Nov 2022 09:40:38 -0800 (PST) X-Google-Smtp-Source: AMsMyM42I8hDYAwzbLltJn96BHZ7b80+VXV6xPru/W/sYfQcy36oS69yB/2AUtEZ3+/h7QPCc/OV X-Received: by 2002:a05:6402:50c:b0:461:bc01:1828 with SMTP id m12-20020a056402050c00b00461bc011828mr57592617edv.64.1667929238380; Tue, 08 Nov 2022 09:40:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667929238; cv=none; d=google.com; s=arc-20160816; b=TD/pMl7q6V+R3G5u+fAF9y93lHetQPCVxme38WesqrtCyew0L3/VDvBre4qu3Dl7Am CVmUKzbFB65gg4F4qYnYUW0WVzbAVUlSWqFqKwBxmdrX+0BIAymuBktYkaGqGoFiHdLN MhEuoo0rD6THBgp+8qPl3p8fEteupST/1rvLV2KQZmJeu9cScIVeSGEOlA+iYM1Ret+u gvLqSXPjf4DN6zU6oiPKQL1/uDGrYQtTIE6nCl3LQooxgM/N6sC0RJhxlpElOqCl5Elr W/97xmfXmAja+3If0q70U0q9JRY8TO2cjEGTgmer0Lrl5O/6pqAq5arcTON2X1I4+YxJ Y97A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=2jXnwrdOctEAg+6kVY9hCNzqeQ8ppwfCq8v7ax8XLyc=; b=zu9wONGiUOqQmZghV/ze/9A4gQpDl5xue8Ci767fM446hrveNlZpII6XlaaIRy4Wgo t5hJsWOuF6ha+jApGw0u7aCxaNHK4LvpKFZJ+Q3U7uYByzL3BCQEn47JC0fIo/SbeZPj 6fZo66RwWSlC+XWPeWvXpbfVHNhsBMXCMkSvJwbjJKIyDRWFLOWOI8kKAMAVY4G9pr3a NQD8YNucgrN9R3GHiyEmW+v8j2llto1WbxydUDGuJibgl2uQny//GH6UMaZLdTxoFhkm tGCdYC1/tcvuBxoY14yHNq6ZRm3Xz8Xu9lm2jGFzQ8LeqzjpcCv+b1B7MVYIm63Px5/v pRqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="h6D/IhT6"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dt7-20020a170907728700b007973c84ba55si13975027ejc.298.2022.11.08.09.40.14; Tue, 08 Nov 2022 09:40:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="h6D/IhT6"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234151AbiKHRYp (ORCPT + 91 others); Tue, 8 Nov 2022 12:24:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234454AbiKHRYm (ORCPT ); Tue, 8 Nov 2022 12:24:42 -0500 Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 090DE1DA72 for ; Tue, 8 Nov 2022 09:24:42 -0800 (PST) Received: by mail-pj1-x102f.google.com with SMTP id v4-20020a17090a088400b00212cb0ed97eso14003186pjc.5 for ; Tue, 08 Nov 2022 09:24:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=2jXnwrdOctEAg+6kVY9hCNzqeQ8ppwfCq8v7ax8XLyc=; b=h6D/IhT6OiuD6Oz+6iB4e635Qux6H+f6qBbBPVTGtHvODhDFB2CnQs8vlNB+Nsbafg 03RtBAuw9ByoFQs980ux+z2LmzPfeAtYXLRCq6JM5hxHViWryYtF8bTcTb7X1FEzY/K6 UORYYY6hBNReHXNzkYb6gfgK1E2XkcDT9Na40= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=2jXnwrdOctEAg+6kVY9hCNzqeQ8ppwfCq8v7ax8XLyc=; b=vASO1pYww3EpgB4bmVxn1Gpid9GvqYo3hax5ZDmEg/zyRzlHHtlci816/jPNi9lMqb F7h68siVqbylZ/UBkL4+cYGybQnCRN0YF5c4TDgANrUYZvpup8ziRx0OmKmLAl2PoVVI VR/rTMkvSrD/ZJ8fkRaSyM0YIM9+oK3ebKIjtrp0rdSwyg9Eh+opa1KBn4jy2oJqQdhm I4sbT7sFM2XfBaAc3gaZ8+3fYYPv25eHHCfQZnMMfyvuZ0h9Z08wNUfURT3mR5GazNla 0ZgnHlIG9mkMePX8kg7nnjz3nxTX30vxdgLrsjnrMgllIfYnkYLavs616gIdOxbegayb A0eA== X-Gm-Message-State: ACrzQf1D9VSuYuuHPMxoSUkuc6ek7VOv/FTrJCQGfTEcU2i91cxlyZoP m6i9ZmXYiLF3O8hLGJFmWBXzWQ== X-Received: by 2002:a17:90a:d24d:b0:213:d3e4:677a with SMTP id o13-20020a17090ad24d00b00213d3e4677amr49640405pjw.101.1667928281513; Tue, 08 Nov 2022 09:24:41 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id g12-20020aa796ac000000b00561b02e3118sm6611648pfk.106.2022.11.08.09.24.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Nov 2022 09:24:41 -0800 (PST) Date: Tue, 8 Nov 2022 09:24:40 -0800 From: Kees Cook To: Jann Horn Cc: Solar Designer , linux-hardening@vger.kernel.org, kernel-hardening@lists.openwall.com, Greg KH , Linus Torvalds , Seth Jenkins , "Eric W . Biederman" , Andy Lutomirski , linux-kernel@vger.kernel.org Subject: Re: [PATCH] exit: Put an upper limit on how often we can oops Message-ID: <202211080923.8BAEA9980@keescook> References: <20221107201317.324457-1-jannh@google.com> <20221107211440.GA4233@openwall.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 07, 2022 at 10:48:20PM +0100, Jann Horn wrote: > On Mon, Nov 7, 2022 at 10:15 PM Solar Designer wrote: > > On Mon, Nov 07, 2022 at 09:13:17PM +0100, Jann Horn wrote: > > > +oops_limit > > > +========== > > > + > > > +Number of kernel oopses after which the kernel should panic when > > > +``panic_on_oops`` is not set. > > > > Rather than introduce this separate oops_limit, how about making > > panic_on_oops (and maybe all panic_on_*) take the limit value(s) instead > > of being Boolean? I think this would preserve the current behavior at > > panic_on_oops = 0 and panic_on_oops = 1, but would introduce your > > desired behavior at panic_on_oops = 10000. We can make 10000 the new > > default. If a distro overrides panic_on_oops, it probably sets it to 1 > > like RHEL does. > > > > Are there distros explicitly setting panic_on_oops to 0? If so, that > > could be a reason to introduce the separate oops_limit. > > > > I'm not advocating one way or the other - I just felt this should be > > explicitly mentioned and decided on. > > I think at least internally in the kernel, it probably works better to > keep those two concepts separate? For example, sparc has a function > die_nmi() that uses panic_on_oops to determine whether the system > should panic when a watchdog detects a lockup. Internally, yes, the kernel should keep "panic_on_oops" to mean "panic _NOW_ on oops?" but I would agree with Solar -- this is a counter as far as userspace is concerned. "Panic on Oops" after 1 oops, 2, oopses, etc. I would like to see this for panic_on_warn too, actually. -- Kees Cook