From mboxrd@z Thu Jan 1 00:00:00 1970 From: Linus Torvalds Subject: Re: [PATCH 1/7] userfaultfd: require UFFDIO_API before other ioctls Date: Mon, 15 Jun 2015 08:11:50 -1000 Message-ID: References: <1434388931-24487-1-git-send-email-aarcange@redhat.com> <1434388931-24487-2-git-send-email-aarcange@redhat.com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=001a113feefc6280fe05189264ce Cc: "Huangpeng (Peter)" , Paolo Bonzini , qemu-devel@nongnu.org, Pavel Emelyanov , Hugh Dickins , Andrew Morton , "Dr. David Alan Gilbert" , Andres Lagar-Cavilla , Andy Lutomirski , linux-mm@kvack.org, Johannes Weiner , Rik van Riel , "Kirill A. Shutemov" , linux-kernel@vger.kernel.org, zhang.zhanghailiang@huawei.com, Sanidhya Kashyap , Dave Hansen , Peter Feiner , Mel Gorman , kvm@vger.kernel.org To: Andrea Arcangeli Return-path: In-Reply-To: <1434388931-24487-2-git-send-email-aarcange@redhat.com> Sender: owner-linux-mm@kvack.org List-Id: kvm.vger.kernel.org --001a113feefc6280fe05189264ce Content-Type: text/plain; charset=UTF-8 On Jun 15, 2015 7:22 AM, "Andrea Arcangeli" wrote: > > + if (cmd != UFFDIO_API) { > + if (ctx->state == UFFD_STATE_WAIT_API) > + return -EINVAL; > + BUG_ON(ctx->state != UFFD_STATE_RUNNING); > + } NAK. Once again: we don't add BUG_ON() as some kind of assert. If your non-critical code has s bug in it, you do WARN_ONCE() and you return. You don't kill the machine just because of some "this can't happen" situation. It turns out "this can't happen" happens way too often, just because code changes, or programmers didn't think all the cases through. And killing the machine is just NOT ACCEPTABLE. People need to stop adding machine-killing checks to code that just doesn't merit killing the machine. And if you are so damn sure that it really cannot happen ever, then you damn well had better remove the test too! BUG_ON is not a debugging tool, or a "I think this would be bad" helper. Linus --001a113feefc6280fe05189264ce Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Jun 15, 2015 7:22 AM, "Andrea Arcangeli" <aarcange@redhat.com> wrote:
>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0if (cmd !=3D UFFDIO_API) {
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (ctx->st= ate =3D=3D UFFD_STATE_WAIT_API)
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0return -EINVAL;
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0BUG_ON(ctx->= ;state !=3D UFFD_STATE_RUNNING);
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0}

NAK.

Once again: we don't add BUG_ON() as some kind of assert= . If your non-critical code has s bug in it, you do WARN_ONCE() and you ret= urn. You don't kill the machine just because of some "this can'= ;t happen" situation.

It turns out "this can't happen" happens way t= oo often, just because code changes, or programmers didn't think all th= e cases through. And killing the machine is just NOT ACCEPTABLE.

People need to stop adding machine-killing checks to code th= at just doesn't merit killing the machine.

And if you are so damn sure that it really cannot happen eve= r, then you damn well had better remove the test too!

BUG_ON is not a debugging tool, or a "I think this woul= d be bad" helper.

=C2=A0=C2=A0=C2=A0 Linus

--001a113feefc6280fe05189264ce-- -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58033) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z4YrW-0002Uj-27 for qemu-devel@nongnu.org; Mon, 15 Jun 2015 14:11:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Z4YrR-00050V-4Z for qemu-devel@nongnu.org; Mon, 15 Jun 2015 14:11:58 -0400 Received: from mail-ie0-x235.google.com ([2607:f8b0:4001:c03::235]:34010) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z4YrQ-0004y4-Pv for qemu-devel@nongnu.org; Mon, 15 Jun 2015 14:11:53 -0400 Received: by iebmu5 with SMTP id mu5so68031950ieb.1 for ; Mon, 15 Jun 2015 11:11:52 -0700 (PDT) MIME-Version: 1.0 Sender: linus971@gmail.com In-Reply-To: <1434388931-24487-2-git-send-email-aarcange@redhat.com> References: <1434388931-24487-1-git-send-email-aarcange@redhat.com> <1434388931-24487-2-git-send-email-aarcange@redhat.com> Date: Mon, 15 Jun 2015 08:11:50 -1000 Message-ID: From: Linus Torvalds Content-Type: multipart/alternative; boundary=001a113feefc6280fe05189264ce Subject: Re: [Qemu-devel] [PATCH 1/7] userfaultfd: require UFFDIO_API before other ioctls List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Andrea Arcangeli Cc: Dave Hansen , zhang.zhanghailiang@huawei.com, kvm@vger.kernel.org, Pavel Emelyanov , linux-kernel@vger.kernel.org, "Kirill A. Shutemov" , Hugh Dickins , "Huangpeng (Peter)" , qemu-devel@nongnu.org, Sanidhya Kashyap , linux-mm@kvack.org, Andres Lagar-Cavilla , Mel Gorman , Johannes Weiner , Paolo Bonzini , Andrew Morton , Andy Lutomirski , "Dr. David Alan Gilbert" , Peter Feiner --001a113feefc6280fe05189264ce Content-Type: text/plain; charset=UTF-8 On Jun 15, 2015 7:22 AM, "Andrea Arcangeli" wrote: > > + if (cmd != UFFDIO_API) { > + if (ctx->state == UFFD_STATE_WAIT_API) > + return -EINVAL; > + BUG_ON(ctx->state != UFFD_STATE_RUNNING); > + } NAK. Once again: we don't add BUG_ON() as some kind of assert. If your non-critical code has s bug in it, you do WARN_ONCE() and you return. You don't kill the machine just because of some "this can't happen" situation. It turns out "this can't happen" happens way too often, just because code changes, or programmers didn't think all the cases through. And killing the machine is just NOT ACCEPTABLE. People need to stop adding machine-killing checks to code that just doesn't merit killing the machine. And if you are so damn sure that it really cannot happen ever, then you damn well had better remove the test too! BUG_ON is not a debugging tool, or a "I think this would be bad" helper. Linus --001a113feefc6280fe05189264ce Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Jun 15, 2015 7:22 AM, "Andrea Arcangeli" <aarcange@redhat.com> wrote:
>
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0if (cmd !=3D UFFDIO_API) {
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (ctx->st= ate =3D=3D UFFD_STATE_WAIT_API)
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0return -EINVAL;
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0BUG_ON(ctx->= ;state !=3D UFFD_STATE_RUNNING);
> +=C2=A0 =C2=A0 =C2=A0 =C2=A0}

NAK.

Once again: we don't add BUG_ON() as some kind of assert= . If your non-critical code has s bug in it, you do WARN_ONCE() and you ret= urn. You don't kill the machine just because of some "this can'= ;t happen" situation.

It turns out "this can't happen" happens way t= oo often, just because code changes, or programmers didn't think all th= e cases through. And killing the machine is just NOT ACCEPTABLE.

People need to stop adding machine-killing checks to code th= at just doesn't merit killing the machine.

And if you are so damn sure that it really cannot happen eve= r, then you damn well had better remove the test too!

BUG_ON is not a debugging tool, or a "I think this woul= d be bad" helper.

=C2=A0=C2=A0=C2=A0 Linus

--001a113feefc6280fe05189264ce--