From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965044AbcJGRQ6 (ORCPT <rfc822;w@1wt.eu>);
        Fri, 7 Oct 2016 13:16:58 -0400
Received: from mail-wm0-f53.google.com ([74.125.82.53]:38062 "EHLO
        mail-wm0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S941301AbcJGRQv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 7 Oct 2016 13:16:51 -0400
MIME-Version: 1.0
In-Reply-To: <20161007054824.GA9917@1wt.eu>
References: <20161005190604.GA8116@1wt.eu> <CA+55aFxMf+-0B4oEqAiRcNm5A=S1eFu0ugRJUJX02K4yA_xNjg@mail.gmail.com>
 <CAGXu5j+zH2cr408tmoXcCE8NzZtxkHinThUqSd9pYgHuwyprBQ@mail.gmail.com>
 <CA+55aFxEbtVpT0rJyfpLmXOzCe4i4VO1s=M2Q9mq8XbUBNopCQ@mail.gmail.com>
 <CAGXu5jJ9sAXauDMeW262qX_42TS2gmJBsR1yq2XDeHzn+54PoA@mail.gmail.com>
 <CA+55aFwmH=VL+8COPBUeiTzG8U-UD57pcZr1iG4BGyP99feTgA@mail.gmail.com>
 <CAGXu5jKwPjOikfTqr1YX-5wFAdpW=XsMsjuERkjHP=mzokLNCw@mail.gmail.com>
 <CA+55aFzWvHAFnn9fm0qaPuuZ3gCJ5PaUXKLNROEK4oGAyKQOMQ@mail.gmail.com>
 <CAGXu5jL=0pJMx5qASXnF1zAzw2CJVvn09siLLgaFBY_57VmH-w@mail.gmail.com>
 <CA+55aFzWrHmpp54YkqaCKc-UPWm59_9AXmENNtqqgpj6zWOxsQ@mail.gmail.com> <20161007054824.GA9917@1wt.eu>
From: Kees Cook <keescook@chromium.org>
Date: Fri, 7 Oct 2016 10:16:42 -0700
X-Google-Sender-Auth: vEGAaSFYl_Ir6nFfNfE6biZ_zmI
Message-ID: <CAGXu5jLTo+QY9YuEKYbACXdnAXgnQdPPnPejYtiSeg4j5XW-Fw@mail.gmail.com>
Subject: Re: BUG_ON() in workingset_node_shadows_dec() triggers
To: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Paul Gortmaker <paul.gortmaker@windriver.com>,
        Johannes Weiner <hannes@cmpxchg.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Antonio SJ Musumeci <trapexit@spawn.link>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        stable <stable@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 6, 2016 at 10:48 PM, Willy Tarreau <w@1wt.eu> wrote:
> On Thu, Oct 06, 2016 at 04:59:20PM -0700, Linus Torvalds wrote:
>> We should just switch BUG() over and be done with it. The whole point
>> it that since it should never trigger in the first place, the
>> semantics on BUG() should never matter.
>>
>> And if you have some code that depends on the semantics of BUG(), that
>> code is buggy crap *by*definition*.
>
> I totally agree with this. If a developer writes BUG() somewhere, it
> means he doesn't see how it is possible to end up in this situation.
> Thus we cannot hope that the BUG() call is doing anything right to
> fix what the code author didn't expect to happen. It just means
> "try to limit the risks but I don't really know which ones".
>
> Also we won't make things worse. Where people currently have an oops,
> they'll get one or more warnings. The side effects (lockups, panic,
> etc) will more or less be the same, but many of us already don't want
> to continue after an oops and despite this our systems work fine, so
> I don't see why anyone would suffer from such a change. However some
> developers may get more details about issues than what they could get
> in the past.

Fair enough. I'll put something together for at least my use-cases and
see how ugly it gets in testing. :) I actually started on something
like this for the CONFIG_DEBUG_LIST, which had to deal with the logic
of "continue after WARN or abort after BUG" etc...

Regardless, I still think that we can't let BUG continue kernel
execution though, since it may lead to entirely unexpected behavior
(possibly security-sensitive) by still running. Upgrading BUG to
panic(), though, I'd be fine with, as a way to get people to convert
to WARN.

-Kees

-- 
Kees Cook
Nexus Security