lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wjS8MG+xcHgjx-BTcAdyh7fugbHQkdJFcwBk=6QEGVKnw@mail.gmail.com>
Date:   Fri, 28 Dec 2018 13:08:49 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Wanpeng Li <kernellwp@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        dledford@...hat.com, KVM list <kvm@...r.kernel.org>,
        Radim Krčmář <rkrcmar@...hat.com>,
        Wei Wu <ww9210@...il.com>, Kostya Serebryany <kcc@...gle.com>,
        Daniel Vetter <daniel@...ll.ch>,
        syzkaller <syzkaller@...glegroups.com>,
        Dan Williams <dan.j.williams@...el.com>,
        Chris Mason <clm@...com>, Jonathan Corbet <corbet@....net>,
        Kees Cook <keescook@...gle.com>,
        Laura Abbott <labbott@...hat.com>,
        Olof Johansson <olofj@...gle.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Theodore Tso <tytso@...gle.com>, Tim.Bird@...y.com
Subject: Re: [PATCH] KVM: X86: Fix scan ioapic use-before-initialization

On Fri, Dec 28, 2018 at 1:43 AM Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
> > Nobody reads the kernel mailing list directly - there's just too much traffic.
>
> As the result bug reports and patches got lots and this is bad and it
> would be useful to stop it from happening and there are known ways for
> this.

Well, let me be a  bit more specific: you will find that people read
the very _targeted_ mailing lists, because they not only tend to be
more specific to some particular interest, but also aren't the flood
of hundreds of emails a day.

And don't get me wrong: I'm not saying that lkml is useless. Not at
all. It's just that it's really more of an archival model than a
"people read it" - so you send your emails to a group of people, and
then you cc lkml so that when that group gets expanded people can be
pointed at the whole thread. Or, obviously, so that commit messages
etc can point to discussion.

But that does mean that any lkml cc shouldn't be expected to cause a
reaction in itself. It's about other things.

> syzbot not doing bisection is not the root cause of this

Root case? No. But if you do bisection, it means that you can now
target things much better. So then it's not lkml and "random
collection of maintainers", but a much more targeted group.

And that targeted group also ends up being a lot more receptive to it.

Again, look at the raw syzbot email and the email by Wanpeng Li. Yes,
the syzbot email did bring in a reasonable set of people just based on
the oops (I think it did "get_mainainter" on kvm_ioapic_scan_entry()).
But Wangpeng ended up sending it to the *particular* people who were
directly responsible.

> 2. syzbot reports are not worse then average human reports, frequently better.

No, they really aren't.

They are better in a *technical* sense, but they are also very much
obviously automated, which makes the target people take them much less
seriously.

When you see lots of syzbot emails, and there are lots of more or less
random recipients that may or may not be correct, what's the natural
reaction to that?

Look up "bystander effect".

> 3. Bisection is useful, but not important in most cases.

No.

Exactly because of the problem syzbot has. It's too scatter-shot.
People clearly ignore it, because people feel it's not _their_ issue.

The advantage of bisection is that it makes the problem much more
specific. Right now, you'll find that many developers ignore syzbot
simply because it's not worth their time to chase down whether it's
even their problem.

See what I'm saying?

It's the whole "data vs information" issue. Particularly when cc'ing
maintainers, who get hundreds of emails a day, you need to convince
them that this email is _relevant_.

                  Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ