[Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Kees Cook]

If there is time at the summit, I'd like to quickly discuss best
practices for the mechanics of doing security defense development in
the kernel. This has always been a bit tricky and I've done my best to
navigate it, but it still feels like there are glitches that could be
ironed out with a more clearly declared process (or ownership).

The specific problem I (and others doing this sort of work) face is
that changes tend to be needed across a very wide area of the kernel,
especially across architectures (e.g. hardened usercopy, fortify) and
subsystems (e.g. refcount_t). For kernel-wide defenses (e.g.
randstruct), things get even more complex. Landing things in a
coordinated fashion across multiple maintainers seems overly
difficult, and leads to dependencies between trees which complicates
merges.

For usercopy, I just carried the changes in a separate tree and got
Acks from the various maintainers as needed (the arch changes were
small, though we still collided with KASan changes). This was,
comparatively, a small series.

For refcount_t, the conversions have been going per-maintainer, and
while this is likely the right way to do things, there are
dependencies that are crossing releases, which seems inefficient. For
example, obviously doing a refcount_t conversion requires the
refcount_t implementation first (which landed in v4.11), but then
later conversions wanted an option for a light implementation
(expected for v4.13), but in both cases most maintainers wanted the
implementations entirely landed, not just in -next (vast majority of
refcount_t conversions currently in the kernel landed in v4.12, so the
next wave will have to wait until v4.14 it seems). This appears mostly
to be about avoiding tree dependencies, IIUC, but is an awfully slow
way to do things.

For the randstruct gcc plugin there have been multiple kernel-wide
fixes needed (e.g. designated initializers and sorting out various
"unusual" cross-structure casts). I followed the pattern of sending
these to maintainers, but ended up in tree dependency hell (the gcc
plugin tree must be merged at the end of -next to see all the required
changes in various trees), and faced cases where changes needed to
made in sources maintained outside the kernel itself (i.e. ACPICA)
before they'd be accepted back into the kernel. Making tree-wide
zero-binary changes (e.g. designated initializer updates) shouldn't be
that hard.

For fortify source, I was sending stand-alone fixes to maintainers
(e.g. memcpy to strncpy changes) while staging the fortify changes in
a tree not intended for -next yet (as it had more features pending)
but it got cherry-picked "early" into -mm. This lead to several days
of confusion that was mostly solved by dumping all the pending fixes
(that hadn't already been picked up by other maintainers) into the -mm
tree. The -mm tree has an implicit "merged after all other -next
trees" dependency, so it worked there, but it seems odd to gate this
kind of development entirely via -mm.

So, I'm left wondering what the best approach for doing kernel-wide
development is. The existing heuristic ("break up the changes by
maintainer and send them") doesn't recognize dependencies (e.g.
coccinelle identified code pattern fixes rarely depend on each other,
so those kinds of things work fine), or don't care too much about
changes spanning time (e.g. switching to a new API to avoid open-coded
versions result in equivalent code and can land independently).

The other heuristic is "carry it all in your own tree" but this tends
to run afoul of maintainers not wanting changes to their area living
in your tree (e.g. arch/x86 changes not in the tip tree), or a lack of
review (e.g. I don't want to carry a patch to mm/slub.c without
_someone_ giving an Ack).

Another approach appears to be a multi-phase merge heuristic (similar
to -mm) for things that have multi-tree dependencies. (This is going
to be the case for the randstruct merge in v4.13, since later patches
in its series depend on other trees. I'll send it in two parts and
pray than Linus doesn't murder me.) However, this breaks things like
0-day that have no idea that some tree is designed to be applied on
top of -next, and gives sfr a headache since there is an implicit
dependency on other trees in -next.

So, if I'm missing something obvious, we can quickly solve this over
email. :) If this is all "operating as expected" I can go cry in my
beer, but if there are other ideas, I'd love to discuss them at the
summit (assuming I can actually hear people through the monitor
speaker on the stage this year).

Thanks!

-Kees

-- 
Kees Cook
Pixel Security

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Christoph Hellwig]

On Wed, Jun 28, 2017 at 04:01:34PM -0700, Kees Cook wrote:
> If there is time at the summit, I'd like to quickly discuss best
> practices for the mechanics of doing security defense development in
> the kernel. This has always been a bit tricky and I've done my best to
> navigate it, but it still feels like there are glitches that could be
> ironed out with a more clearly declared process (or ownership).

It's pretty hard as a general rule.  As someone who does a lot of
cross-subsystem work I usually try to find a "lead" subsystem to
funnel thing through, and if there isn't one yet I create it
(see the new uuid and dma-mappings ones for the next merge window).

> made in sources maintained outside the kernel itself (i.e. ACPICA)
> before they'd be accepted back into the kernel. Making tree-wide

And that's crap we just need to stop.  While I'm too some extent
ok with maintainers having their own little quirky requirements
on code style and organization that's simply a step too much.
Every subsystem in the kernel MUST accept suitable patches on the
proper, open mailing list.

And for ACPICA in general I think we'd reduce code size by 50%
and the bug amount by probably the same by stopping to treat it
special and apply the normal kernel rules to it.

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[James Bottomley]

On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
> For refcount_t, the conversions have been going per-maintainer, and
> while this is likely the right way to do things, there are
> dependencies that are crossing releases, which seems inefficient. For
> example, obviously doing a refcount_t conversion requires the
> refcount_t implementation first (which landed in v4.11), but then
> later conversions wanted an option for a light implementation
> (expected for v4.13), but in both cases most maintainers wanted the
> implementations entirely landed, not just in -next (vast majority of
> refcount_t conversions currently in the kernel landed in v4.12, so
> the next wave will have to wait until v4.14 it seems). This appears
> mostly to be about avoiding tree dependencies, IIUC, but is an
> awfully slow way to do things.

Given the performance concerns of the first implementation, this
timetable and the interactions that went with it seem to be pretty much
textbook correct, especially as none of the hot paths seemed
susceptible to overflow attacks.

Any other way would have produced a lot more friction: imagine if it
had been done tree at once for 4.12 and then performance had tanked and
we'd got reversions all over the place ... you'd be spending a lot more
than a couple of kernel releases trying to persuade maintainers to take
the new improved stuff.

James

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Kees Cook]

On Thu, Jun 29, 2017 at 9:36 AM, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
> On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
>> For refcount_t, the conversions have been going per-maintainer, and
>> while this is likely the right way to do things, there are
>> dependencies that are crossing releases, which seems inefficient. For
>> example, obviously doing a refcount_t conversion requires the
>> refcount_t implementation first (which landed in v4.11), but then
>> later conversions wanted an option for a light implementation
>> (expected for v4.13), but in both cases most maintainers wanted the
>> implementations entirely landed, not just in -next (vast majority of
>> refcount_t conversions currently in the kernel landed in v4.12, so
>> the next wave will have to wait until v4.14 it seems). This appears
>> mostly to be about avoiding tree dependencies, IIUC, but is an
>> awfully slow way to do things.
>
> Given the performance concerns of the first implementation, this
> timetable and the interactions that went with it seem to be pretty much
> textbook correct, especially as none of the hot paths seemed
> susceptible to overflow attacks.
>
> Any other way would have produced a lot more friction: imagine if it
> had been done tree at once for 4.12 and then performance had tanked and
> we'd got reversions all over the place ... you'd be spending a lot more
> than a couple of kernel releases trying to persuade maintainers to take
> the new improved stuff.

Right, I've got no objection to the performance concerns and how that
played out, but it's API-to-conversion steps that seem inefficient.
E.g., instead of API 1 in v4.11, conversion wave 1 in v4.12, API 2 in
v4.13, conversion wave 2 in v4.14, it looks like tree dependencies was
the only reason we couldn't have had: API 1 and conversion wave 1 in
v4.11, API 2 and conversion wave 2 in v4.12 (e.g. btrfs couldn't
compile their tree with the API living in tip, so they had to wait
until the API was in a release).

-Kees

-- 
Kees Cook
Pixel Security

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[James Bottomley]

On Thu, 2017-06-29 at 09:51 -0700, Kees Cook wrote:
> On Thu, Jun 29, 2017 at 9:36 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > 
> > On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
> > > 
> > > For refcount_t, the conversions have been going per-maintainer,
> > > and while this is likely the right way to do things, there are
> > > dependencies that are crossing releases, which seems inefficient.
> > > For example, obviously doing a refcount_t conversion requires the
> > > refcount_t implementation first (which landed in v4.11), but then
> > > later conversions wanted an option for a light implementation
> > > (expected for v4.13), but in both cases most maintainers wanted
> > > the implementations entirely landed, not just in -next (vast
> > > majority of refcount_t conversions currently in the kernel landed
> > > in v4.12, so the next wave will have to wait until v4.14 it
> > > seems). This appears mostly to be about avoiding tree
> > > dependencies, IIUC, but is an awfully slow way to do things.
> > 
> > Given the performance concerns of the first implementation, this
> > timetable and the interactions that went with it seem to be pretty
> > much textbook correct, especially as none of the hot paths seemed
> > susceptible to overflow attacks.
> > 
> > Any other way would have produced a lot more friction: imagine if
> > it had been done tree at once for 4.12 and then performance had
> > tanked and we'd got reversions all over the place ... you'd be
> > spending a lot more than a couple of kernel releases trying to
> > persuade maintainers to take the new improved stuff.
> 
> Right, I've got no objection to the performance concerns and how that
> played out, but it's API-to-conversion steps that seem inefficient.
> E.g., instead of API 1 in v4.11, conversion wave 1 in v4.12, API 2 in
> v4.13, conversion wave 2 in v4.14, it looks like tree dependencies
> was the only reason we couldn't have had: API 1 and conversion wave 1
> in v4.11, API 2 and conversion wave 2 in v4.12 (e.g. btrfs couldn't
> compile their tree with the API living in tip, so they had to wait
> until the API was in a release).

Well don't discount tree merge problems, having seen a few caused by
API plus conversion all at once.  However, by putting them through the
maintainer trees you got the review that would otherwise have been
missing which highlighted the performance concerns.  Even this time
around the affected trees have a whole merge window to run performance
regressions to verify everything is OK.  Based on this I think the rule
should be API in release R - 1 and conversion in release R through the
affected trees with the only exception being changes that are trivial
enough (for some value of trivial).

James

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Kees Cook]

On Thu, Jun 29, 2017 at 10:42 AM, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
> On Thu, 2017-06-29 at 09:51 -0700, Kees Cook wrote:
>> On Thu, Jun 29, 2017 at 9:36 AM, James Bottomley
>> <James.Bottomley@hansenpartnership.com> wrote:
>> >
>> > On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
>> > >
>> > > For refcount_t, the conversions have been going per-maintainer,
>> > > and while this is likely the right way to do things, there are
>> > > dependencies that are crossing releases, which seems inefficient.
>> > > For example, obviously doing a refcount_t conversion requires the
>> > > refcount_t implementation first (which landed in v4.11), but then
>> > > later conversions wanted an option for a light implementation
>> > > (expected for v4.13), but in both cases most maintainers wanted
>> > > the implementations entirely landed, not just in -next (vast
>> > > majority of refcount_t conversions currently in the kernel landed
>> > > in v4.12, so the next wave will have to wait until v4.14 it
>> > > seems). This appears mostly to be about avoiding tree
>> > > dependencies, IIUC, but is an awfully slow way to do things.
>> >
>> > Given the performance concerns of the first implementation, this
>> > timetable and the interactions that went with it seem to be pretty
>> > much textbook correct, especially as none of the hot paths seemed
>> > susceptible to overflow attacks.
>> >
>> > Any other way would have produced a lot more friction: imagine if
>> > it had been done tree at once for 4.12 and then performance had
>> > tanked and we'd got reversions all over the place ... you'd be
>> > spending a lot more than a couple of kernel releases trying to
>> > persuade maintainers to take the new improved stuff.
>>
>> Right, I've got no objection to the performance concerns and how that
>> played out, but it's API-to-conversion steps that seem inefficient.
>> E.g., instead of API 1 in v4.11, conversion wave 1 in v4.12, API 2 in
>> v4.13, conversion wave 2 in v4.14, it looks like tree dependencies
>> was the only reason we couldn't have had: API 1 and conversion wave 1
>> in v4.11, API 2 and conversion wave 2 in v4.12 (e.g. btrfs couldn't
>> compile their tree with the API living in tip, so they had to wait
>> until the API was in a release).
>
> Well don't discount tree merge problems, having seen a few caused by
> API plus conversion all at once.  However, by putting them through the
> maintainer trees you got the review that would otherwise have been
> missing which highlighted the performance concerns.  Even this time
> around the affected trees have a whole merge window to run performance
> regressions to verify everything is OK.  Based on this I think the rule
> should be API in release R - 1 and conversion in release R through the
> affected trees with the only exception being changes that are trivial
> enough (for some value of trivial).

I'd argue that's what -next is for, but we lack a way to have people
base their trees on -next sanely. Regardless, I will commence
beer-crying. :)

-Kees

-- 
Kees Cook
Pixel Security

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Luis R. Rodriguez]

On Thu, Jun 29, 2017 at 10:52:51AM -0700, Kees Cook wrote:
> On Thu, Jun 29, 2017 at 10:42 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Thu, 2017-06-29 at 09:51 -0700, Kees Cook wrote:
> >> On Thu, Jun 29, 2017 at 9:36 AM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
> >> Right, I've got no objection to the performance concerns and how that
> >> played out, but it's API-to-conversion steps that seem inefficient.
> >
> > Well don't discount tree merge problems, having seen a few caused by
> > API plus conversion all at once.  However, by putting them through the
> > maintainer trees you got the review that would otherwise have been
> > missing which highlighted the performance concerns.  Even this time
> > around the affected trees have a whole merge window to run performance
> > regressions to verify everything is OK.  Based on this I think the rule
> > should be API in release R - 1 and conversion in release R through the
> > affected trees with the only exception being changes that are trivial
> > enough (for some value of trivial).

Do you mean add API with no users? If so perhaps test drivers can be the
first users for it then. Then they are not naked APIs.

> I'd argue that's what -next is for, but we lack a way to have people
> base their trees on -next sanely.

Linus has said before cross-tree collateral evolutions *could* just be sent to
him as a set of scripts he could run. It might sound easier said than done
though, but we can improve on the process by practicing it daily.

We could just mimic this on linux-next as either a last step as part of its
scripts and a new tag issued, or this could be done on a separate tree.

Its perhaps easier to think about it first as a separate tree, let's call it a
linux-oven [0] -- it would reset itself daily based on linux-next's latest tag,
and as a secondary step just run the tooling to do the API conversions.

An agreed upon set of tools can be supported for the API conversion tasks.  The
rules for what goes in and how would need to be decided. The above rules James
proposed for instance seem to make sense to me, modulo the test driver on R-1
as well.

Just a thought of course.

[0] https://kernelnewbies.org/KernelProjects/linux-oven

  Luis

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Linus Torvalds]

On Thu, Jun 29, 2017 at 11:20 AM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
>
> Linus has said before cross-tree collateral evolutions *could* just be sent to
> him as a set of scripts he could run. It might sound easier said than done
> though, but we can improve on the process by practicing it daily.

I do take cross-tree stuff, and in particular don't mind things if
they are obviously scripted cleanups (with the extreme case of that
being to just send me the script - that makes it *really* obvious to
me that it's scripted ;).

That said, I generally end up considering it a last option. And that's
not because I can't do it, but because things like that tend to be
really painful for stable backporting etc. Cross-tree stuff has a
tendency to also be large and invasive in other ways.

If it's *small* and just cross-tree, that's fine, and I take it all
the time, although because of general laziness I certainly prefer when
it goes through somebody else (often the tip tree or Andrew Morton).

In fact, the real problem with cross-tree things is often not that it
affects multiple maintainers, but that it by definition doesn't have a
maintainer AT ALL that tracks it and pushes it. So the "random
occasional cross-tree updates" often end up languishing because nobody
takes ownership of them.

                        Linus

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Kees Cook]

On Thu, Jun 29, 2017 at 11:20 AM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Thu, Jun 29, 2017 at 10:52:51AM -0700, Kees Cook wrote:
>> On Thu, Jun 29, 2017 at 10:42 AM, James Bottomley
>> <James.Bottomley@hansenpartnership.com> wrote:
>> > On Thu, 2017-06-29 at 09:51 -0700, Kees Cook wrote:
>> >> On Thu, Jun 29, 2017 at 9:36 AM, James Bottomley
>> >> <James.Bottomley@hansenpartnership.com> wrote:
>> >> > On Wed, 2017-06-28 at 16:01 -0700, Kees Cook wrote:
>> >> Right, I've got no objection to the performance concerns and how that
>> >> played out, but it's API-to-conversion steps that seem inefficient.
>> >
>> > Well don't discount tree merge problems, having seen a few caused by
>> > API plus conversion all at once.  However, by putting them through the
>> > maintainer trees you got the review that would otherwise have been
>> > missing which highlighted the performance concerns.  Even this time
>> > around the affected trees have a whole merge window to run performance
>> > regressions to verify everything is OK.  Based on this I think the rule
>> > should be API in release R - 1 and conversion in release R through the
>> > affected trees with the only exception being changes that are trivial
>> > enough (for some value of trivial).
>
> Do you mean add API with no users? If so perhaps test drivers can be the
> first users for it then. Then they are not naked APIs.
>
>> I'd argue that's what -next is for, but we lack a way to have people
>> base their trees on -next sanely.
>
> Linus has said before cross-tree collateral evolutions *could* just be sent to
> him as a set of scripts he could run. It might sound easier said than done
> though, but we can improve on the process by practicing it daily.

Yeah, though my concern doesn't tend to be limited to scriptable
evolutions. (In fact, I think the closest is atomic_t -> refcount_t,
but that usually requires a case-by-case analysis, so it's not really
scriptable.)

I think the fortify changes might best describe the situation. Adding
CONFIG_FORTIFY_SOURCE created build-time checks for obviously bad
states in str* and mem* functions (buffer overflows, information
exposures, etc). As such, when fortify encounters these states it will
fail a build since we should not allow them to exist in the resulting
kernel image. As it was still under development and it was unclear how
long it was going to take to stabilize, I started sending fixes for
the issues it found, and those were picked up into various
maintainer's trees (since they were legitimate, though minor, security
bugs).

When it was starting to stabilize, it got sent to a wider audience,
and I created a tree with all the fixes and fortify itself. I had to
keep the maintainer-picked patches in my tree or I couldn't compile
it. As such, that's not a tree I can include in -next because sfr ends
up with duplicated commits[1]. When akpm picked fortify to go into
-mm, he didn't also take the remaining fixes that I had sent but
maintainers hadn't applied yet. Since my tree wasn't in -next, both
-mm and -next would fail to build with fortify enabled since the fixes
were missing. The specific solution here was to have akpm pick up all
the remaining fixes into -mm.

So, perhaps I'm creating my own problems (by sending the fixes
"early"), but it's not clear to me that carrying such fixes in my own
tree would be looked favorably upon. But I really didn't want the
fixes to languish outside of -next, in case fortify development didn't
finish before the next merge window. Perhaps I should, in fact, carry
these kinds of changes and be more clear about sending such patches,
instead of "here's a fix for your subsystem", I should say "here's a
fix for your subsystem. I'm going to carry in my fortify tree, please
Ack" and then boldly carry them for -next? (A variation of this
successfully happened for randstruct fixes were hch urged me to just
ask Linus to pick up the stragglers during the v4.12 merge window.)

-Kees

[1] If the solution for this is to merge other -next trees into mine,
I guess I can do that, though it can be very messy if any of them are
forced to make their commits unstable. It also creates headaches,
AIUI, for sfr if my tree suddenly gains a bunch of other trees so it's
not clear where something came from.

-- 
Kees Cook
Pixel Security

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Stephen Rothwell]

Hi Kees,

On Thu, 29 Jun 2017 13:16:40 -0700 Kees Cook <keescook@chromium.org> wrote:
>
> [1] If the solution for this is to merge other -next trees into mine,
> I guess I can do that, though it can be very messy if any of them are
> forced to make their commits unstable. It also creates headaches,
> AIUI, for sfr if my tree suddenly gains a bunch of other trees so it's
> not clear where something came from.

I don't have a problem with trees in linux-next sharing *commits* - I
have problems when they share *patches* that are different commits
(that affect files that get changed in other commits).

For the "create a new API" case, if you put that in an immutable
tree/branch, then other maintainers can merge that branch as they
change to use the new API ...

Immutable doesn't mean that fixes can't be applied, it just means that
the part that has already been merged by some other tree cannot
change.  I guess it is useful to track who is merging that immutable
branch so that they can be informed if relevant changes are added to it.

-- 
Cheers,
Stephen Rothwell

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Daniel Vetter]

On Thu, Jun 29, 2017 at 3:39 PM, Christoph Hellwig <hch@infradead.org> wrote:
> On Wed, Jun 28, 2017 at 04:01:34PM -0700, Kees Cook wrote:
>> If there is time at the summit, I'd like to quickly discuss best
>> practices for the mechanics of doing security defense development in
>> the kernel. This has always been a bit tricky and I've done my best to
>> navigate it, but it still feels like there are glitches that could be
>> ironed out with a more clearly declared process (or ownership).
>
> It's pretty hard as a general rule.  As someone who does a lot of
> cross-subsystem work I usually try to find a "lead" subsystem to
> funnel thing through, and if there isn't one yet I create it
> (see the new uuid and dma-mappings ones for the next merge window).

I've only done cross-subsystem with 2-3 subsystems maybe for driver
work, and there the "topic branch in lead subsystem" plus maybe "send
pull requests to other subsystems when they insist they merge their
own patches through there tree" seems to work fairly well. Needs all
maintainers to understand the flow, but we've got that now scripted
entirely in drm so easy to do.

Large-scale cross-subsystem API stuff probably always needs multiple
releases, since you'll have some new usage grown no matter what. If
the current pace is too slow I guess we should think about shrinking
the release cycle maybe, to be able to sync up more often across
trees.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Leon Romanovsky]

[-- Attachment #1: Type: text/plain, Size: 1644 bytes --]

On Fri, Jun 30, 2017 at 06:27:17AM +1000, Stephen Rothwell wrote:
> Hi Kees,
>
> On Thu, 29 Jun 2017 13:16:40 -0700 Kees Cook <keescook@chromium.org> wrote:
> >
> > [1] If the solution for this is to merge other -next trees into mine,
> > I guess I can do that, though it can be very messy if any of them are
> > forced to make their commits unstable. It also creates headaches,
> > AIUI, for sfr if my tree suddenly gains a bunch of other trees so it's
> > not clear where something came from.
>
> I don't have a problem with trees in linux-next sharing *commits* - I
> have problems when they share *patches* that are different commits
> (that affect files that get changed in other commits).

Do we have any sane way to overcome this limitation?

I tried to add my tree [1] to participate in linux-next. My tree
includes my submission queue and important patches posted to the mailing list
to the RDMA subsystem.

The absence of ability to add parallel tree with same commits doesn't allow us
effectively test the RDMA patches.

The reasons to it are combination of mostly two factors: my tree is not
official one [2] (all patches in my tree are not officially final) and very
sporadic update very close and/or during merge window [3].

In this cycle, we missed merge window [4] because lack of ready for pull tree [5].

Thanks

[1] https://git.kernel.org/pub/scm/linux/kernel/git/leon/linux-rdma.git/
[2] https://git.kernel.org/cgit/linux/kernel/git/dledford/rdma.git/
[3] http://marc.info/?l=linux-next&m=149999488214297&w=2
[4] http://marc.info/?l=linux-rdma&m=149980130008834&w=2
[5] http://marc.info/?l=linux-rdma&m=149987945120683&w=2

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Greg KH]

On Fri, Jul 14, 2017 at 07:04:47AM +0300, Leon Romanovsky wrote:
> On Fri, Jun 30, 2017 at 06:27:17AM +1000, Stephen Rothwell wrote:
> > Hi Kees,
> >
> > On Thu, 29 Jun 2017 13:16:40 -0700 Kees Cook <keescook@chromium.org> wrote:
> > >
> > > [1] If the solution for this is to merge other -next trees into mine,
> > > I guess I can do that, though it can be very messy if any of them are
> > > forced to make their commits unstable. It also creates headaches,
> > > AIUI, for sfr if my tree suddenly gains a bunch of other trees so it's
> > > not clear where something came from.
> >
> > I don't have a problem with trees in linux-next sharing *commits* - I
> > have problems when they share *patches* that are different commits
> > (that affect files that get changed in other commits).
> 
> Do we have any sane way to overcome this limitation?
> 
> I tried to add my tree [1] to participate in linux-next. My tree
> includes my submission queue and important patches posted to the mailing list
> to the RDMA subsystem.
> 
> The absence of ability to add parallel tree with same commits doesn't allow us
> effectively test the RDMA patches.

Why do you need "parallel" trees in linux-next?  What is that going to
help with?

> The reasons to it are combination of mostly two factors: my tree is not
> official one [2] (all patches in my tree are not officially final) and very
> sporadic update very close and/or during merge window [3].

If it's not "official", why should it be in linux-next?

thanks,

greg k-h

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Leon Romanovsky]

[-- Attachment #1: Type: text/plain, Size: 3238 bytes --]

On Fri, Jul 14, 2017 at 11:54:09AM +0200, Greg KH wrote:
> On Fri, Jul 14, 2017 at 07:04:47AM +0300, Leon Romanovsky wrote:
> > On Fri, Jun 30, 2017 at 06:27:17AM +1000, Stephen Rothwell wrote:
> > > Hi Kees,
> > >
> > > On Thu, 29 Jun 2017 13:16:40 -0700 Kees Cook <keescook@chromium.org> wrote:
> > > >
> > > > [1] If the solution for this is to merge other -next trees into mine,
> > > > I guess I can do that, though it can be very messy if any of them are
> > > > forced to make their commits unstable. It also creates headaches,
> > > > AIUI, for sfr if my tree suddenly gains a bunch of other trees so it's
> > > > not clear where something came from.
> > >
> > > I don't have a problem with trees in linux-next sharing *commits* - I
> > > have problems when they share *patches* that are different commits
> > > (that affect files that get changed in other commits).
> >
> > Do we have any sane way to overcome this limitation?
> >
> > I tried to add my tree [1] to participate in linux-next. My tree
> > includes my submission queue and important patches posted to the mailing list
> > to the RDMA subsystem.
> >
> > The absence of ability to add parallel tree with same commits doesn't allow us
> > effectively test the RDMA patches.
>
> Why do you need "parallel" trees in linux-next?  What is that going to
> help with?

We are developing against two subsystems at the same time (netdev vs. RDMA) and need
to ensure that combination of them is working. Currently me (RDMA) and Saeed (netdev)
are merging out trees by ourselves [1] and instructs our verification (end-to-end and
QA) to run from that tree.

It means that we are missing a lot of stuff related to PCI, nvme, vitalization and storage
where our technology is used.

The difference in maintainers style between netdev and RDMA causes to have long queue
(100+) of patches posted to the ML [2], which are not cross-checked in various CIs.

And the situation is worse when someone posts patches which has potential to break
other vendors.

Ability to have "parallel" trees will allow us to run our (other vendors expressed the same
desire) verification on top of linux-next with all goodies of automatic regression systems
which we have as a hardware vendor.

So I would like to have "parallel" tree where I can put all my RDMA patches + important patches
from other parties and run from linux-next.

>
> > The reasons to it are combination of mostly two factors: my tree is not
> > official one [2] (all patches in my tree are not officially final) and very
> > sporadic update very close and/or during merge window [3].
>
> If it's not "official", why should it be in linux-next?

Because, official updates occur mostly twice in the cycle on -rc3 (for fixes)
and before merge window, while it is too late for us because we are preparing
our submission queues for next cycle (Linus's requirement for Mellanox's
submissions) and verification is busy with that.

Thanks

[1] https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux.git/ branches:queue-next and queue-rc
[2] https://git.kernel.org/pub/scm/linux/kernel/git/leon/linux-rdma.git/log/?h=testing/queue-next
>
> thanks,
>
> greg k-h

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Andrew Lunn]

> The difference in maintainers style between netdev and RDMA causes to have long queue
> (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.

It is possible to get 0-day to run against any arbitrary git tree, if
you ask nicely. If same is true for the kernel-ci project. So if you
are willing to do the merge work, you can get it tested.

    Andrew

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 615 bytes --]

On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > The difference in maintainers style between netdev and RDMA causes to have long queue
> > (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.

> It is possible to get 0-day to run against any arbitrary git tree, if
> you ask nicely. If same is true for the kernel-ci project. So if you
> are willing to do the merge work, you can get it tested.

Trees can be added to kernelci, yes.  Another approach would be to work
out a workflow with the upstreams that makes this better, if they'd take
pull requests for example.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Leon Romanovsky]

[-- Attachment #1: Type: text/plain, Size: 1029 bytes --]

On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > The difference in maintainers style between netdev and RDMA causes to have long queue
> > (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.
>
> It is possible to get 0-day to run against any arbitrary git tree, if
> you ask nicely. If same is true for the kernel-ci project. So if you
> are willing to do the merge work, you can get it tested.

0-day is checking my tree, so it is not the problem.

I don't see how kernel-ci can help me, because RDMA requires special
hardware to run it and it usually requires more than two endpoints (servers)
connected together.

My problem is related to changes in other trees for example netdev, which
can break RDMA functionality.

Technology wise, there are:
1. RoCE - RDMA over Converged Ethernet - netdev is below RDMA
2. IPoIB - IP over Infiniband - netdev is above RDMA
3. HFI-VNIC - Ethernet over OmniPath - netdev is above RDMA
4. iWARP - RDMA over IP networks
e.t.c.

>
>     Andrew

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[James Bottomley]

[-- Attachment #1: Type: text/plain, Size: 1702 bytes --]

On Fri, 2017-07-14 at 18:35 +0300, Leon Romanovsky wrote:
> On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > 
> > > 
> > > The difference in maintainers style between netdev and RDMA
> > > causes to have long queue
> > > (100+) of patches posted to the ML [2], which are not cross-
> > > checked in various CIs.
> > 
> > It is possible to get 0-day to run against any arbitrary git tree,
> > if you ask nicely. If same is true for the kernel-ci project. So if
> > you are willing to do the merge work, you can get it tested.
> 
> 0-day is checking my tree, so it is not the problem.
> 
> I don't see how kernel-ci can help me, because RDMA requires special
> hardware to run it and it usually requires more than two endpoints
> (servers) connected together.
> 
> My problem is related to changes in other trees for example netdev,
> which can break RDMA functionality.
> 
> Technology wise, there are:
> 1. RoCE - RDMA over Converged Ethernet - netdev is below RDMA
> 2. IPoIB - IP over Infiniband - netdev is above RDMA
> 3. HFI-VNIC - Ethernet over OmniPath - netdev is above RDMA
> 4. iWARP - RDMA over IP networks
> e.t.c.

So I think your goal is to get your tree and the one above you (Doug's
tree) into linux-next without causing a mismerge nightmare?

I still didn't get why you can't change workflow to share commits? If
you can do that, linux-next can be based on both your tree and the one
above it. You can do this either by you sending pull requests or by you
basing on the upstream tree and rebasing when the patches are accepted
(rebase is very good at recognizing and discarding the same patch with
a different commit id).

James

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Leon Romanovsky]

[-- Attachment #1: Type: text/plain, Size: 880 bytes --]

On Fri, Jul 14, 2017 at 04:05:50PM +0100, Mark Brown wrote:
> On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > > The difference in maintainers style between netdev and RDMA causes to have long queue
> > > (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.
>
> > It is possible to get 0-day to run against any arbitrary git tree, if
> > you ask nicely. If same is true for the kernel-ci project. So if you
> > are willing to do the merge work, you can get it tested.
>
> Trees can be added to kernelci, yes.  Another approach would be to work
> out a workflow with the upstreams that makes this better, if they'd take
> pull requests for example.

Isn't the goal of this topic in maintainers summit? Improving workflows :)

So, my way to overcome my issues was to add "parallel" tree and to stop
crying about "long queues".

Thanks

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Leon Romanovsky]

[-- Attachment #1: Type: text/plain, Size: 2416 bytes --]

On Fri, Jul 14, 2017 at 08:43:58AM -0700, James Bottomley wrote:
> On Fri, 2017-07-14 at 18:35 +0300, Leon Romanovsky wrote:
> > On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > >
> > > >
> > > > The difference in maintainers style between netdev and RDMA
> > > > causes to have long queue
> > > > (100+) of patches posted to the ML [2], which are not cross-
> > > > checked in various CIs.
> > >
> > > It is possible to get 0-day to run against any arbitrary git tree,
> > > if you ask nicely. If same is true for the kernel-ci project. So if
> > > you are willing to do the merge work, you can get it tested.
> >
> > 0-day is checking my tree, so it is not the problem.
> >
> > I don't see how kernel-ci can help me, because RDMA requires special
> > hardware to run it and it usually requires more than two endpoints
> > (servers) connected together.
> >
> > My problem is related to changes in other trees for example netdev,
> > which can break RDMA functionality.
> >
> > Technology wise, there are:
> > 1. RoCE - RDMA over Converged Ethernet - netdev is below RDMA
> > 2. IPoIB - IP over Infiniband - netdev is above RDMA
> > 3. HFI-VNIC - Ethernet over OmniPath - netdev is above RDMA
> > 4. iWARP - RDMA over IP networks
> > e.t.c.
>
> So I think your goal is to get your tree and the one above you (Doug's
> tree) into linux-next without causing a mismerge nightmare?

Yeah, exactly, I acknowledge Doug's work and just want to be sure that
all other tress are not breaking our technology and want to see it as soon as
possible.

In regards, of my submissions, I'm pretty confident with it. The patches are
backed by verification teams and don't got public without approval.

>
> I still didn't get why you can't change workflow to share commits? If
> you can do that, linux-next can be based on both your tree and the one
> above it. You can do this either by you sending pull requests or by you
> basing on the upstream tree and rebasing when the patches are accepted
> (rebase is very good at recognizing and discarding the same patch with
> a different commit id).

1. I would like to send pull requests, but It doesn't depend on me to honor
or not pull request.
2. In my early days, I tried to base on upstream and rebase, but it caused
to emails from Stephen [2], maybe I need to try it again.

[1] http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1302627.html

>
> James



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Andrew Lunn]

On Fri, Jul 14, 2017 at 06:35:44PM +0300, Leon Romanovsky wrote:
> On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > > The difference in maintainers style between netdev and RDMA causes to have long queue
> > > (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.
> >
> > It is possible to get 0-day to run against any arbitrary git tree, if
> > you ask nicely. If same is true for the kernel-ci project. So if you
> > are willing to do the merge work, you can get it tested.
> 
> 0-day is checking my tree, so it is not the problem.
> 
> I don't see how kernel-ci can help me, because RDMA requires special
> hardware to run it and it usually requires more than two endpoints (servers)
> connected together.

kernel-ci are happy to receive hardware. I've sent them boards in the
past which have been added to their test farm. Kernel-ci is mostly
about boot testing, but they do do some tests post boot. So if you can
supply tests as well, they may run them for you.

> My problem is related to changes in other trees for example netdev, which
> can break RDMA functionality.
> 
> Technology wise, there are:
> 1. RoCE - RDMA over Converged Ethernet - netdev is below RDMA
> 2. IPoIB - IP over Infiniband - netdev is above RDMA
> 3. HFI-VNIC - Ethernet over OmniPath - netdev is above RDMA
> 4. iWARP - RDMA over IP networks

How much of this do you already have automated test for?  You can also
setup your own test farm, using the kernels kernel-ci builds.

      Andrew

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 670 bytes --]

On Fri, Jul 14, 2017 at 06:51:42PM +0300, Leon Romanovsky wrote:
> On Fri, Jul 14, 2017 at 04:05:50PM +0100, Mark Brown wrote:

> > Trees can be added to kernelci, yes.  Another approach would be to work
> > out a workflow with the upstreams that makes this better, if they'd take
> > pull requests for example.

> Isn't the goal of this topic in maintainers summit? Improving workflows :)

It's also the goal here!

> So, my way to overcome my issues was to add "parallel" tree and to stop
> crying about "long queues".

So I guess what everyone is suggesting here is changing this from being
a parallel tree to a tree that's part of the normal workflow for this
code.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] Developing across multiple areas of the kernel

[Bart Van Assche]

On Fri, 2017-07-14 at 18:18 +0200, Andrew Lunn wrote:
> On Fri, Jul 14, 2017 at 06:35:44PM +0300, Leon Romanovsky wrote:
> > On Fri, Jul 14, 2017 at 04:10:57PM +0200, Andrew Lunn wrote:
> > > > The difference in maintainers style between netdev and RDMA causes to have long queue
> > > > (100+) of patches posted to the ML [2], which are not cross-checked in various CIs.
> > > 
> > > It is possible to get 0-day to run against any arbitrary git tree, if
> > > you ask nicely. If same is true for the kernel-ci project. So if you
> > > are willing to do the merge work, you can get it tested.
> > 
> > 0-day is checking my tree, so it is not the problem.
> > 
> > I don't see how kernel-ci can help me, because RDMA requires special
> > hardware to run it and it usually requires more than two endpoints (servers)
> > connected together.
> 
> kernel-ci are happy to receive hardware. I've sent them boards in the
> past which have been added to their test farm. Kernel-ci is mostly
> about boot testing, but they do do some tests post boot. So if you can
> supply tests as well, they may run them for you.
> 
> > My problem is related to changes in other trees for example netdev, which
> > can break RDMA functionality.
> > 
> > Technology wise, there are:
> > 1. RoCE - RDMA over Converged Ethernet - netdev is below RDMA
> > 2. IPoIB - IP over Infiniband - netdev is above RDMA
> > 3. HFI-VNIC - Ethernet over OmniPath - netdev is above RDMA
> > 4. iWARP - RDMA over IP networks
> 
> How much of this do you already have automated test for?  You can also
> setup your own test farm, using the kernels kernel-ci builds.

Hello Andrew,

The srp-test software is fully automated. It requires IB hardware today but does
not require a second server because it uses IB loopback. As soon as I have the time
I will add RoCE support to the upstream SRP initiator and target drivers such that
these tests can be run on top of Ethernet hardware. Please let me know if you would
like to start using this software and if you need help. See also
https://github.com/bvanassche/srp-test.

Bart.