lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 07 Jul 2021 12:18:45 -0400
From:   Jeff Layton <jlayton@...nel.org>
To:     Greg KH <gregkh@...uxfoundation.org>,
        "J. Bruce Fields" <bfields@...ldses.org>
Cc:     Desmond Cheong Zhi Xi <desmondcheongzx@...il.com>,
        viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
        linux-kernel-mentees@...ts.linuxfoundation.org,
        syzbot+e6d5398a02c516ce5e70@...kaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] fcntl: fix potential deadlocks for
 &fown_struct.lock

On Wed, 2021-07-07 at 17:46 +0200, Greg KH wrote:
> On Wed, Jul 07, 2021 at 11:34:17AM -0400, J. Bruce Fields wrote:
> > On Wed, Jul 07, 2021 at 05:31:06PM +0200, Greg KH wrote:
> > > On Wed, Jul 07, 2021 at 11:19:36AM -0400, J. Bruce Fields wrote:
> > > > On Wed, Jul 07, 2021 at 05:06:45PM +0200, Greg KH wrote:
> > > > > On Wed, Jul 07, 2021 at 09:51:29AM -0400, J. Bruce Fields wrote:
> > > > > > On Wed, Jul 07, 2021 at 07:40:47AM -0400, Jeff Layton wrote:
> > > > > > > On Wed, 2021-07-07 at 12:51 +0200, Greg KH wrote:
> > > > > > > > On Wed, Jul 07, 2021 at 06:44:42AM -0400, Jeff Layton wrote:
> > > > > > > > > On Wed, 2021-07-07 at 08:05 +0200, Greg KH wrote:
> > > > > > > > > > On Wed, Jul 07, 2021 at 10:35:47AM +0800, Desmond Cheong Zhi Xi wrote:
> > > > > > > > > > > +	WARN_ON_ONCE(irqs_disabled());
> > > > > > > > > > 
> > > > > > > > > > If this triggers, you just rebooted the box :(
> > > > > > > > > > 
> > > > > > > > > > Please never do this, either properly handle the problem and return an
> > > > > > > > > > error, or do not check for this.  It is not any type of "fix" at all,
> > > > > > > > > > and at most, a debugging aid while you work on the root problem.
> > > > > > > > > > 
> > > > > > > > > > thanks,
> > > > > > > > > > 
> > > > > > > > > > greg k-h
> > > > > > > > > 
> > > > > > > > > Wait, what? Why would testing for irqs being disabled and throwing a
> > > > > > > > > WARN_ON in that case crash the box?
> > > > > > > > 
> > > > > > > > If panic-on-warn is enabled, which is a common setting for systems these
> > > > > > > > days.
> > > > > > > 
> > > > > > > Ok, that makes some sense.
> > > > > > 
> > > > > > Wait, I don't get it.
> > > > > > 
> > > > > > How are we supposed to decide when to use WARN, when to use BUG, and
> > > > > > when to panic?  Do we really want to treat them all as equivalent?  And
> > > > > > who exactly is turning on panic-on-warn?
> > > > > 
> > > > > You never use WARN or BUG, unless the system is so messed up that you
> > > > > can not possibly recover from the issue.
> > > > 
> > > > I've heard similar advice for BUG before, but this is the first I've
> > > > heard it for WARN.  Do we have any guidelines for how to choose between
> > > > WARN and BUG?
> > > 
> > > Never use either :)
> > 
> > I can't tell if you're kidding.
> 
> I am not.
> 
> > Is there some plan to remove them?
> 
> Over time, yes.  And any WARN that userspace can ever hit should be
> removed today.
> 
> > There are definitely cases where I've been able to resolve a problem
> > more quickly because I got a backtrace from a WARN.
> 
> If you want a backtrace, ask for that, recover from the error, and move
> on.  Do not allow userspace to reboot a machine for no good reason as
> again, panic-on-warn is a common setting that people use now.
> 
> This is what all of the syzbot work has been doing, it triggers things
> that cause WARN() to be hit and so we have to fix them.
> 

This seems really draconian. Clearly we do want to fix things that show
a WARN (otherwise we wouldn't bother warning about it), but I don't
think that's a reason to completely avoid them. My understanding has
always been:

BUG: for when you reach some condition where the kernel (probably) can't
carry on

WARN: for when you reach some condition that is problematic but where
the machine can probably soldier on. 

Over the last several years, I've changed a lot of BUGs into WARNs to
avoid crashing the box unnecessarily. If someone is setting
panic_on_warn, then aren't they just getting what they asked for?

While I don't feel that strongly about this particular WARN in this
patch, it seems like a reasonable thing to do. If someone calls these
functions with IRQs disabled, then they might end up with some subtle
problems that could be hard to detect otherwise.
-- 
Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ