Received: by 10.223.185.116 with SMTP id b49csp1222379wrg;
        Wed, 21 Feb 2018 14:29:07 -0800 (PST)
X-Google-Smtp-Source: AH8x224wHb0lyRcO+8nWl5thqR+xnt34X76e7sy6OF/ab7OvGCA0CZt69DJpWi97mU38aS1lrNqT
X-Received: by 2002:a17:902:594c:: with SMTP id e12-v6mr4551316plj.323.1519252147614;
        Wed, 21 Feb 2018 14:29:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519252147; cv=none;
        d=google.com; s=arc-20160816;
        b=Yuz8fEumZswEkGmvVcyojEdtXyDkF4KWxOfojxlKbtdlfW9vFC+Uq4oAeqUhgk9fpE
         IF+TI/nmt2BqNwNjDKHCUoOXW9uJF0kSIgMu9SlUSdwxBZf2owRz3+/YQ1RY1T2z0haW
         A+p6F5vN4qw+vk3bDAnrOmb8g+1g/Fmu2m8YviccU4Au2m9M4yaA5QtYKcMI3a0Acz3g
         W0Iebk4I+EWmGnUA+vQ6vab7JhJ4GRVWU/1kyZMoSAgp9ByAqLmBTdM7SpHRcQcg/FCd
         IS/1mgqt9iynFwT7SHSFqvrmKOtObOQu9VFa7GdAUFGK2AMqSeiOPGqCOzXxsLDS2UL4
         I+dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=rJHru9O2xpb1JCzx5LFnVyzJS1EriUu/Modk1V8t3UI=;
        b=eoPXBb6hEXJ1Z2OHubZayDJZubrc6QqLv7qrcN54xLpjR1DbDmzMz2+n4iEmcuLSvk
         ZTPhKCU0tQXRKkvCqz0rLqvXheHm2CW4Jy4V5xfz5qlLm+6uqEiqDwCb6Kwby8ypNqg1
         Dy7OeMzkclVlVBz8O556NVHSM72WBcL+cIIm8oVmpqhGXrh0ekYzFytbmEps+9/VPaib
         G+Ty6fYtyvv2RakZejDj6cBNBBRMnD85ET7RjApyzwjZ75Pjm1hSYjFEKwybZErGKqtb
         dZKUfXJLBNa3kQv0rsBVZ2/adN1CcswxTzBNijiVWG+8Y0X72ddeb3HdE5rLSddNLoub
         qJGA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=S3+541gy;
       dkim=fail header.i=@chromium.org header.s=google header.b=GcMxDhD1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a12si11518358pgv.672.2018.02.21.14.28.53;
        Wed, 21 Feb 2018 14:29:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=S3+541gy;
       dkim=fail header.i=@chromium.org header.s=google header.b=GcMxDhD1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751336AbeBUW2G (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 21 Feb 2018 17:28:06 -0500
Received: from mail-ua0-f193.google.com ([209.85.217.193]:36156 "EHLO
        mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750741AbeBUW2F (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Feb 2018 17:28:05 -0500
Received: by mail-ua0-f193.google.com with SMTP id i15so2094432uak.3
        for <linux-kernel@vger.kernel.org>; Wed, 21 Feb 2018 14:28:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=rJHru9O2xpb1JCzx5LFnVyzJS1EriUu/Modk1V8t3UI=;
        b=S3+541gyOyH7qYiU0mMNs35sy/obR4naZZhwM5mKRfxK+Hi1tX92RMeQL5RAzmyCpm
         v2RAEZmNORaXnmtBcdU5Prda5qYqtXD1m3XHwLafzb86kA18Ay8/WLgCgPHdZjjKT2Jp
         DbjSe/PbtQQmdpHY1hpnkI90ILft49/quaQI/ZpoEMlWk4gBzw7BP1N0ZcyRjSgqPyt0
         61JqV71aAYWDnYSAhbdXj8p/ZBM1BG7S/1TNImPvutgzO1s04pblumeIvCiQr5f+lX37
         kqkzFYRubm0FF5b4zoxzy09S/Lgmx6kG2Y95rzPXwo6+MnJepYfYqQm9+wL023zwGyp/
         qWRA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=rJHru9O2xpb1JCzx5LFnVyzJS1EriUu/Modk1V8t3UI=;
        b=GcMxDhD17qMq+3n9lYvZx/ELpuiZKVos4M5lF1cua48//Foyv4xzFYS9G/dEIQaM4E
         +0OqunC3EfAXFSF9rZ2TAbaRSgZKUi2N6pzFG7ORPk2V8mqB7ftJUxC6LU3Cg0j1tMyj
         MO4FDWzqgnNzRRep2z2f4D2bMa9QBwhDyMikk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=rJHru9O2xpb1JCzx5LFnVyzJS1EriUu/Modk1V8t3UI=;
        b=RGLFb8A8AlcZsjhR+2Fm0YHcSoF1xVOsqGOkMEVX+SaWCDR2C6CjC/IUIuuT+Pzx8q
         K104c9X6XvxCtdewRsh2MpW5AA4KxYukQBXed8wIvP6X+jG/lsINWnnqiByrHLZGDSjE
         et6PbcfmrbH4kraXK42ESX1EHkkjPYDJtJM6sL2VQya9doSykmFbF6Aic/FxgV2oK/Ws
         AyzC3d4/PaiVx2erj4vsgGoSZggChaZYOJajwhFy7oiOKIrNPKU69LAGBisMnctYxA2h
         zuq4No2ViO7I7SF283WD9NR5IhOtS5b3Id6B/cgzE9JJ4rwSeuRN8Bab1WS1GEoaZvYh
         9u0Q==
X-Gm-Message-State: APf1xPCVLHnCRQ33ItrjM1y0lfPYKCDOz50sdyTFnfW0/5al3GajVuZZ
        4dOqdYP3bQxFbfrV7/K5KdztoJybAutWTDvHW8amBA==
X-Received: by 10.176.93.35 with SMTP id u35mr3730941uaf.74.1519252083924;
 Wed, 21 Feb 2018 14:28:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.242.140 with HTTP; Wed, 21 Feb 2018 14:28:03 -0800 (PST)
In-Reply-To: <f33112e4-608f-ae8c-bf88-80ef83b61398@huawei.com>
References: <20180212165301.17933-1-igor.stoppa@huawei.com>
 <20180212165301.17933-3-igor.stoppa@huawei.com> <CAGXu5jJNERp-yni1jdqJRYJ82xrP7=_O1vkxG1sJ-b8CxudP9g@mail.gmail.com>
 <f33112e4-608f-ae8c-bf88-80ef83b61398@huawei.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Wed, 21 Feb 2018 14:28:03 -0800
X-Google-Sender-Auth: A28LW73r4A5RNy3dN_wk6URMMMo
Message-ID: <CAGXu5jLeC285BGDW29aHgFZRV6CnqBmmkZULW2pzYmqd0pe9UQ@mail.gmail.com>
Subject: Re: [PATCH 2/6] genalloc: selftest
To:     Igor Stoppa <igor.stoppa@huawei.com>
Cc:     Matthew Wilcox <willy@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Michal Hocko <mhocko@kernel.org>,
        Laura Abbott <labbott@redhat.com>,
        Jerome Glisse <jglisse@redhat.com>,
        Christoph Hellwig <hch@infradead.org>,
        Christoph Lameter <cl@linux.com>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 20, 2018 at 8:59 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>
>
> On 13/02/18 01:50, Kees Cook wrote:
>> On Mon, Feb 12, 2018 at 8:52 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>
> [...]
>
>>>  lib/genalloc-selftest.c           | 400 ++++++++++++++++++++++++++++++++++++++
>>
>> Nit: make this test_genalloc.c instead.
>
> ok
>
> [...]
>
>>> +       genalloc_selftest();
>>
>> I wonder if it's possible to make this module-loadable instead? That
>> way it could be built and tested separately.
>
> In my case modules are not an option.
> Of course it could be still built in, but what is the real gain?

The gain for it being a module is that it can be loaded and tested
separately from the final kernel image and module collection. For
example, Chrome OS builds lots of debugging test modules but doesn't
include them on the final image. They're only used for testing, and
can be separate from the kernel and "production" modules.

> [...]
>
>>> +       BUG_ON(compare_bitmaps(pool, action->pattern));
>>
>> There's been a lot recently on BUG vs WARN. It does seem crazy to not
>> BUG for an allocator selftest, but if we can avoid it, we should.
>
> If this fails, I would expect that memory corruption is almost guaranteed.
> Do we really want to allow the boot to continue, possibly mounting a
> filesystem, only to corrupt it? It seems very dangerous.

I would include the rationale in either a comment or the commit log.
BUG() tends to need to be very well justified these days.

>> Also, I wonder if it might make sense to split this series up a little
>> more, as in:
>>
>> 1/n: add genalloc selftest
>> 2/n: update bitmaps
>> 3/n: add/change bitmap tests to selftest
>>
>> Maybe I'm over-thinking it, but the great thing about this self test
>> is that it's checking much more than just the bitmap changes you're
>> making, and that can be used to "prove" that genalloc continues to
>> work after the changes (i.e. the selftest passes before the changes,
>> and after, rather than just after).
>
> If I really have to ... but to me the evidence that the changes to the
> bitmaps do really work is already provided by the bitmap patch itself.
>
> Since the patch doesn't remove the parameter indicating the space to be
> freed, it can actually compare what the kernel passes to it vs. what it
> thinks the space should be.
>
> If the values were different, it would complain, but it doesn't ...
> Isn't that even stronger evidence that the bitmap changes work as expected?
>
> (eventually the parameter can be removed, but I intentionally left it,
> for facilitating the merge)

I'll leave it up to the -mm folks, but that was just my thought.

-Kees

-- 
Kees Cook
Pixel Security