| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Feb 2020 15:57:21 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: Andy Lutomirski <luto@...capital.net>,
Peter Zijlstra <peterz@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Jens Axboe <axboe@...nel.dk>, Jann Horn <jannh@...gle.com>,
Will Deacon <will@...nel.org>
Subject: Re: [PATCH] mm/tlb: Fix use_mm() vs TLB invalidate
On Fri, Feb 21, 2020 at 3:10 PM Kees Cook <keescook@...omium.org> wrote:
>
> Why not just fail after the WARN -- I wrote the patch for the (very few)
> callers to handle the errors, clean up, and carry on.
Can it actually fail? Or is this all just "let's add new error
conditions that make the code harder to read because they make no
actual sense"?
It's not clear that it's worth handling "cannot happen" situations. It
might be worth warning about them (that's questionable too, but at
least there's an argument that you "verify that it can't happen").
But having the error condition of a "cannot happen" situation then
percolate down and make other code more complex seems to be only a
downside.
It's not even security or "avoid data corruption" at that point. At
the point where you start adding more complexity for things that
aren't supposed to be possible in the first place, you're only going
to cause bugs.
Maybe not immediately. But "illegible code" ends up being "buggy code"
a decade later.
Linus
Powered by blists - more mailing lists