Subject: Re: [PATCH 14/14] pstore/platform: Remove automatic updates
From: Kees Cook
To: Anton Vorontsov
Cc: Greg Kroah-Hartman, Colin Cross, Tony Luck, Arnd Bergmann, John Stultz, Shuah Khan, arve@android.com, Rebecca Schultz Zavin, Jesper Juhl, Randy Dunlap, Stephen Boyd, Thomas Meyer, Andrew Morton, Marco Stornelli, WANG Cong, linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org, linaro-kernel@lists.linaro.org, patches@linaro.org, kernel-team@android.com
Date: Mon, 21 May 2012 12:59:59 -0700
In-Reply-To: <20120518222639.GN23089@lizard>
References: <20120518222314.GA9425@lizard> <20120518222639.GN23089@lizard>

On Fri, May 18, 2012 at 3:26 PM, Anton Vorontsov wrote:
> Having automatic updates seems pointless, and even dangerous
> and thus counter-productive:
>
> 1. If we can mount pstore, or read files, we can as well read
>    /proc/kmsg. So, there's little point in duplicating the
>    functionality and presenting the same information but via another
>    userland ABI;
>
> 2. Expecting the kernel to behave sanely after oops/panic is naive.
>    It might work, but you'd rather not try it. A screwed-up kernel
>    can do rather bad things, like recursive faults[1]; and pstore
>    is rather provoking bad things to happen. It uses:
>
>    1. Timers (assumes sane interrupts state);
>    2. Workqueues and mutexes (assumes scheduler in a sane state);
>    3. kzalloc (a working slab allocator);
>
>    That's too much for a dead kernel, so the debugging facility
>    itself might just make debugging harder, which is not what
>    we want.
>
> So, let's remove the automatic updates; this keeps things simple
> and safe.
>
> (Maybe for non-oops message types it would make sense to add
> automatic updates, but so far I don't see any use case for this.
> Even for tracing, it has its own run-time/normal ABI, so we're
> only interested in pstore upon next boot, to retrieve what has
> gone wrong with HW or SW.)

Hrm. This complicates testing a bit. I need more convincing. :)

Systems run with panic_on_oops=0, and plenty of failure paths will
just kill "current" instead of bringing the entire system down. I
would much rather allow for the possibility to get oopses when they
happen than to have to wait a full reboot cycle to "notice" them.

-Kees

-- 
Kees Cook
Chrome OS Security