Received: by 10.223.185.116 with SMTP id b49csp858921wrg; Tue, 20 Feb 2018 09:00:34 -0800 (PST) X-Google-Smtp-Source: AH8x224eK8YYGa5BW1XTaBHTkQ3k0MgXn0/Nx+BkHjwRF/YExFXseLN8O5ezGzIs8Wk8qCNMzsBp X-Received: by 2002:a17:902:6686:: with SMTP id e6-v6mr260480plk.334.1519146034607; Tue, 20 Feb 2018 09:00:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519146034; cv=none; d=google.com; s=arc-20160816; b=RsK4hUktlh9Z82zU4Tg3MjSkGPyEZUKfcJ/jfRkEydCv9ePHO5hPzAfxWdhNnpPp2n IIr7IWeUYVXuHhWr2w4aH/3Yav2h6z1xXrAZyeDZWXyGyYncskOeQwV5khuXT6C/iy/2 QGoRNp8S60KqbT/R1a/KlQTfivro0iyMNKskhYjuoP+MJnQ5OQ6IbvOr4MWd4epsD7Cj NAm9xUeOMc6BhZ+W1vjXf20dxFp0zBpo/iUgSoSdM7rOb0g+/+Z2QYDRd6MrcrSIqQMU inc4vXCQnK38j+NMnZe5N7yz6+TgH5+H5Iu6a8Hx7pQ6ssMj0tUDEH/VmxJNSFe5jB4e wh0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=FKp05taS4LAMWyHiWjQ1ONH596CrIW0jrqNvdZzES5g=; b=fG7ABPZauVje0RALKakL4bUuD7rpb9JzVUxjt+3l8LyqKM+Z5PIz1DOUK3uX4CF8Tv AkS/PZzwbrQH6tPSlzoRCZQI/DWAyysSLM/sb1A1fjUyhTwdbvM87tofLieqUrlMXWYh teRYOZPW7TFvzWbAeF1tv+o9VHBTcNzDf4eFvY81U7hB0RvNhiCsvmyFYEodMU9r9NMg BJFYlt8RWEW80VX1eqa8Puwmul39tPZpXeSU07GsnUpP0wzjhdAwEcm2+S1WSoaAqG81 YmY9K8wqClkFPS9J1tg1cXryzcIg6fA6TH6p3LsY83cYlUTn6ny25krJuggH6dTEY3kR xEZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x23-v6si4102944pln.423.2018.02.20.09.00.18; Tue, 20 Feb 2018 09:00:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752882AbeBTQ7e (ORCPT + 99 others); Tue, 20 Feb 2018 11:59:34 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:26894 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752491AbeBTQ7d (ORCPT ); Tue, 20 Feb 2018 11:59:33 -0500 Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id ECD50E1E942E9; Tue, 20 Feb 2018 16:59:29 +0000 (GMT) Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.361.1; Tue, 20 Feb 2018 16:59:28 +0000 Subject: Re: [PATCH 2/6] genalloc: selftest To: Kees Cook CC: Matthew Wilcox , Randy Dunlap , Jonathan Corbet , Michal Hocko , Laura Abbott , Jerome Glisse , Christoph Hellwig , "Christoph Lameter" , linux-security-module , Linux-MM , LKML , Kernel Hardening References: <20180212165301.17933-1-igor.stoppa@huawei.com> <20180212165301.17933-3-igor.stoppa@huawei.com> From: Igor Stoppa Message-ID: Date: Tue, 20 Feb 2018 18:59:05 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/02/18 01:50, Kees Cook wrote: > On Mon, Feb 12, 2018 at 8:52 AM, Igor Stoppa wrote: [...] >> lib/genalloc-selftest.c | 400 ++++++++++++++++++++++++++++++++++++++ > > Nit: make this test_genalloc.c instead. ok [...] >> + genalloc_selftest(); > > I wonder if it's possible to make this module-loadable instead? That > way it could be built and tested separately. In my case modules are not an option. Of course it could be still built in, but what is the real gain? [...] >> +config GENERIC_ALLOCATOR_SELFTEST > > Like the other lib/test_*.c targets, I'd call this TEST_GENERIC_ALLOCATOR. ok [...] >> + BUG_ON(compare_bitmaps(pool, action->pattern)); > > There's been a lot recently on BUG vs WARN. It does seem crazy to not > BUG for an allocator selftest, but if we can avoid it, we should. If this fails, I would expect that memory corruption is almost guaranteed. Do we really want to allow the boot to continue, possibly mounting a filesystem, only to corrupt it? It seems very dangerous. > Also, I wonder if it might make sense to split this series up a little > more, as in: > > 1/n: add genalloc selftest > 2/n: update bitmaps > 3/n: add/change bitmap tests to selftest > > Maybe I'm over-thinking it, but the great thing about this self test > is that it's checking much more than just the bitmap changes you're > making, and that can be used to "prove" that genalloc continues to > work after the changes (i.e. the selftest passes before the changes, > and after, rather than just after). If I really have to ... but to me the evidence that the changes to the bitmaps do really work is already provided by the bitmap patch itself. Since the patch doesn't remove the parameter indicating the space to be freed, it can actually compare what the kernel passes to it vs. what it thinks the space should be. If the values were different, it would complain, but it doesn't ... Isn't that even stronger evidence that the bitmap changes work as expected? (eventually the parameter can be removed, but I intentionally left it, for facilitating the merge) -- igor