Received: by 10.223.185.116 with SMTP id b49csp1692215wrg;
        Thu, 22 Feb 2018 01:17:03 -0800 (PST)
X-Google-Smtp-Source: AH8x224SfqqwCotKbHasDE4TdkKaTX2J4PQhhbuE4lrHPQVxX3lyS0Jq3N6v0/jgx6MHNVzCyXmT
X-Received: by 10.98.17.86 with SMTP id z83mr6245418pfi.207.1519291023095;
        Thu, 22 Feb 2018 01:17:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519291023; cv=none;
        d=google.com; s=arc-20160816;
        b=nGvX9VdOUor4O7HyxnfabKs52KlnCt8odVTQn65vIVSLPhrWVzUGw6P8+aRWYhoQ3Q
         Q551ewS7qEsmbLXGHvZJAMAH5S3qmRUq0QVJ+zucR2gwFZuZsSh7j/i/wBna48PhTxgn
         uaexMBNgnm5TM2Y1K87guGuEDfK/c3T4ysEn8I6VO9xvJjn84QdiowABeOCeKDUwseyY
         PJ0kslRqEoxzU129s6g6oKUzsYtaRvu+yxckjtw/4CUmQkbdNxYbIDZVdz8eFSZzUtrG
         sMUQmSZm/uhdGLzvX0vYg5sO3OxSudLGT8/q34gljuHzzOqK4kdKUs10Fijxy9oYAgtG
         E+7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=97ZZP2gy8bUyz6uV4DszVrW2xoOfYyBTWYvI2L/soaM=;
        b=F6Q/9eL+rUzJ3MG0c1oI9s7PIkXENtgeYOYCqISKxoHdW0jIeoFyPEa08uOJc/lqmF
         5CzWT2q4ij3N/xwATQlqIYd0nMa0AznoSCIwu7gTbX7wrMvUMIwJqyX3Kur07hHSRQqE
         70gkqiiysbeJjokTXY/IA0wKKtogy5ppG+R3A3l50JrlrbhXaYabtKKIDGFKbsufwjHu
         H4f2wAPJLImLBJC08Z2QgQ8rA53kRBMFukMHS7RClVYiSplkltyRt0XffAVOHIor0Iuv
         n3dhKc1Z7gD75LmSP2essbvsxMKm4PsQb0qLHCx1KZfPhrFRO/2L9YRsX2rQFrNJb1Mw
         lE/w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v6si4378236pfa.116.2018.02.22.01.16.48;
        Thu, 22 Feb 2018 01:17:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753032AbeBVJOz (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Thu, 22 Feb 2018 04:14:55 -0500
Received: from lhrrgout.huawei.com ([194.213.3.17]:27133 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752721AbeBVJOx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 22 Feb 2018 04:14:53 -0500
Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106])
        by Forcepoint Email with ESMTP id 6F78F631079C7;
        Thu, 22 Feb 2018 09:14:50 +0000 (GMT)
Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com
 (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.361.1; Thu, 22 Feb
 2018 09:14:50 +0000
Subject: Re: [PATCH 2/6] genalloc: selftest
To:     Kees Cook <keescook@chromium.org>
CC:     Matthew Wilcox <willy@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Michal Hocko <mhocko@kernel.org>,
        Laura Abbott <labbott@redhat.com>,
        Jerome Glisse <jglisse@redhat.com>,
        Christoph Hellwig <hch@infradead.org>,
        "Christoph Lameter" <cl@linux.com>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
References: <20180212165301.17933-1-igor.stoppa@huawei.com>
 <20180212165301.17933-3-igor.stoppa@huawei.com>
 <CAGXu5jJNERp-yni1jdqJRYJ82xrP7=_O1vkxG1sJ-b8CxudP9g@mail.gmail.com>
 <f33112e4-608f-ae8c-bf88-80ef83b61398@huawei.com>
 <CAGXu5jLeC285BGDW29aHgFZRV6CnqBmmkZULW2pzYmqd0pe9UQ@mail.gmail.com>
From:   Igor Stoppa <igor.stoppa@huawei.com>
Message-ID: <fb001cd0-7f37-394f-f926-f5b98365b4b8@huawei.com>
Date:   Thu, 22 Feb 2018 11:14:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAGXu5jLeC285BGDW29aHgFZRV6CnqBmmkZULW2pzYmqd0pe9UQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.122.225.51]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 22/02/18 00:28, Kees Cook wrote:
> On Tue, Feb 20, 2018 at 8:59 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>>
>>
>> On 13/02/18 01:50, Kees Cook wrote:
>>> On Mon, Feb 12, 2018 at 8:52 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:

[...]

>>>> +       genalloc_selftest();
>>>
>>> I wonder if it's possible to make this module-loadable instead? That
>>> way it could be built and tested separately.
>>
>> In my case modules are not an option.
>> Of course it could be still built in, but what is the real gain?
> 
> The gain for it being a module is that it can be loaded and tested
> separately from the final kernel image and module collection. For
> example, Chrome OS builds lots of debugging test modules but doesn't
> include them on the final image. They're only used for testing, and
> can be separate from the kernel and "production" modules.

ok

> 
>> [...]
>>
>>>> +       BUG_ON(compare_bitmaps(pool, action->pattern));
>>>
>>> There's been a lot recently on BUG vs WARN. It does seem crazy to not
>>> BUG for an allocator selftest, but if we can avoid it, we should.
>>
>> If this fails, I would expect that memory corruption is almost guaranteed.
>> Do we really want to allow the boot to continue, possibly mounting a
>> filesystem, only to corrupt it? It seems very dangerous.
> 
> I would include the rationale in either a comment or the commit log.
> BUG() tends to need to be very well justified these days.

ok

> 
>>> Also, I wonder if it might make sense to split this series up a little
>>> more, as in:
>>>
>>> 1/n: add genalloc selftest
>>> 2/n: update bitmaps
>>> 3/n: add/change bitmap tests to selftest

[...]

> I'll leave it up to the -mm folks, but that was just my thought.

The reasons why I have doubts about your proposal are:

1) leaving 2/n and 3/n separate mean that the selftest could be broken,
if one does bisections with selftest enabled

2) since I would need to change the selftest, to make it work with the
updated bitmap, it would not really prove that the change is correct.

If there was a selftest that can work without changes, after the bitmap
update, I would definitely agree to introduce it first.

OTOH, as I wrote, the bitmap patch itself is already introducing
verification of the calculated value (from the bitmap) against the
provided value (from the call parameters).

This, unfortunately, cannot be split, because it still relies on the
"find end of the allocation" capability introduced by the very same patch.

Anyway, putting aside concerns about the verification of the correctness
of the patch, I still see point #1 as a problem: breaking bisectability.

Or did I not understand correctly how this works?

--
igor