From: Linus Torvalds <torvalds@linux-foundation.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: David Hildenbrand <david@redhat.com>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	stable@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Axel Rasmussen <axelrasmussen@google.com>,
	Peter Xu <peterx@redhat.com>, Hugh Dickins <hughd@google.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Matthew Wilcox <willy@infradead.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	John Hubbard <jhubbard@nvidia.com>
Subject: Re: [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
Date: Tue, 9 Aug 2022 12:21:17 -0700
Message-ID: <CAHk-=wgF7K2gSSpy=m_=K3Nov4zaceUX9puQf1TjkTJLA2XC_g@mail.gmail.com>
In-Reply-To: <YvKwhrjnFQJ7trT1@nvidia.com>

On Tue, Aug 9, 2022 at 12:09 PM Jason Gunthorpe <jgg@nvidia.com> wrote:
>
> Since BUG_ON crashes the machine and Linus says that crashing the
> machine is bad, WARN_ON will also crash the machine if you set the
> panic_on_warn parameter, so it is also bad, thus we shouldn't use
> anything.

If you set 'panic_on_warn' you get to keep both pieces when something breaks.

The thing is, there are people who *do* want to stop immediately when
something goes wrong in the kernel.

Anybody doing large-scale virtualization presumably has all the
infrastructure to get debug info out of the virtual environment.

And people who run controlled loads in big server machine setups and
have a MIS department to manage said machines typically also prefer
for a machine to just crash over continuing.

So in those situations, a dead machine is still a dead machine, but
you get the information out, and panic_on_warn is fine, because panic
and reboot is fine.

And yes, that's actually a fairly common case. Things like syzkaller
etc *want* to abort on the first warning, because that's kind of the
point.

But while that kind of virtualized automation machinery is very very
common, and is a big deal, it's by no means the only deal, and the
most important thing to the point where nothing else matters.

And if you are *not* in a farm, and if you are *not* using
virtualization, a dead machine is literally a useless brick. Nobody
has serial lines on individual machines any more. In most cases, the
hardware literally doesn't even exist any more.

So in that situation, you really cannot afford to take the approach of
"just kill the machine". If you are on a laptop and are doing power
management code, you generally cannot do that in a virtual
environment, and you already have enough problems with suspend and
resume being hard to debug, without people also going "oh, let's just
BUG_ON() and kill the machine".

Because the other side of that "we have a lot of machine farms doing
automated testing" is that those machine farms do not generally find a
lot of the exciting cases.

Almost every single merge window, I end up having to bisect and report
an oops or a WARN_ON(), because I actually run on real hardware. And
said problem was never seen in linux-next.

So we have two very different cases: the "virtual machine with good
logging where a dead machine is fine" - use 'panic_on_warn'. And the
actual real hardware with real drivers, running real loads by users.

Both are valid. But the second case means that BUG_ON() is basically
_never_ valid.

                Linus