MIME-Version: 1.0
In-Reply-To: <CA+55aFzWvHAFnn9fm0qaPuuZ3gCJ5PaUXKLNROEK4oGAyKQOMQ@mail.gmail.com>
References: <CA+55aFwyNTLuZgOWMTRuabWobF27ygskuxvFd-P0n-3UNT=0Og@mail.gmail.com>
 <CAP=VYLrEqciiV-DiqR35bV9bDE47v6Ww-N4JnohvYaLWXc40UA@mail.gmail.com>
 <CA+55aFycvN=3DvsnRNpZbQ8z3893EK-nJA+V=Fx8o8yaviW7VA@mail.gmail.com>
 <20161005054407.GC7297@1wt.eu> <CA+55aFxeamjJmckjA_n_BMwpGKkxd51Tint0z7E9CDHAnRZJAw@mail.gmail.com>
 <20161005190604.GA8116@1wt.eu> <CA+55aFxMf+-0B4oEqAiRcNm5A=S1eFu0ugRJUJX02K4yA_xNjg@mail.gmail.com>
 <CAGXu5j+zH2cr408tmoXcCE8NzZtxkHinThUqSd9pYgHuwyprBQ@mail.gmail.com>
 <CA+55aFxEbtVpT0rJyfpLmXOzCe4i4VO1s=M2Q9mq8XbUBNopCQ@mail.gmail.com>
 <CAGXu5jJ9sAXauDMeW262qX_42TS2gmJBsR1yq2XDeHzn+54PoA@mail.gmail.com>
 <CA+55aFwmH=VL+8COPBUeiTzG8U-UD57pcZr1iG4BGyP99feTgA@mail.gmail.com>
 <CAGXu5jKwPjOikfTqr1YX-5wFAdpW=XsMsjuERkjHP=mzokLNCw@mail.gmail.com> <CA+55aFzWvHAFnn9fm0qaPuuZ3gCJ5PaUXKLNROEK4oGAyKQOMQ@mail.gmail.com>
From: Kees Cook <keescook@chromium.org>
Date: Thu, 6 Oct 2016 16:05:59 -0700
Message-ID: <CAGXu5jL=0pJMx5qASXnF1zAzw2CJVvn09siLLgaFBY_57VmH-w@mail.gmail.com>
Subject: Re: BUG_ON() in workingset_node_shadows_dec() triggers
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>,
        Paul Gortmaker <paul.gortmaker@windriver.com>,
        Johannes Weiner <hannes@cmpxchg.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Antonio SJ Musumeci <trapexit@spawn.link>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        stable <stable@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1966
Lines: 45

On Thu, Oct 6, 2016 at 3:29 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Oct 6, 2016 at 3:07 PM, Kees Cook <keescook@chromium.org> wrote:
>> The "cleanest" way to handle it seemed to be the lock-busting logic
>> already built into BUG, so I moved to that.
>
> Heh. The lock-busting logic in BUG() has always been broken. It's been
> random hacks. It doesn't actually work in any general case, it just
> occasionally happens to get things right. Mostly it tries to handle
> the console locking (the whole "oops_in_progress" magic) so that if
> you have a BUG_ON() in bad areas, at least you still end up getting
> output.

It seems to handle other things too, file descriptors, I think? Some
giant warning, I think about fds, went away when I switched from
do_exit() to BUG(). I'd have to go look more closely.

> But no, it's not reliable in any way, shape or form. That's really why
> you want to continue after a BUG().

Yeah, agreed about the unreliability. It's why I'm a fan of
panic_on_oops. :P (Except when doing lots of tests under lkdtm, then I
like having multiple Oopses without rebooting, but perhaps that is
literally the only use-case...)

>> By far the most problematic is "stop kernel execution from
>> continuing", but that's currently the behavior that BUG depends on, so
>> replacing BUG with anything needs to either fix the surrounding logic
>> to fail sanely or we have the keep the feature.
>
> Well, I'm not sure how much we actually end up depending on it,
> considering that we now have two examples of BUG() implementations
> that actually do _not_ depend on stopping execution: both the sound
> subsystem and the XFS version of BUG_ON() end up not actually doing
> the BUG() thing.

Yeah, for sure. I didn't mean to imply they all depended on it, just
that finding those that do will require manual inspection. We'll not
be able to do a flag-day on BUG until we fix everything.

-Kees

-- 
Kees Cook
Nexus Security