From: James Bottomley <jbottomley@parallels.com>
To: "bvanassche@acm.org" <bvanassche@acm.org>
Cc: "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
	"hch@infradead.org" <hch@infradead.org>,
	"hare@suse.de" <hare@suse.de>,
	"pbonzini@redhat.com" <pbonzini@redhat.com>,
	"axboe@kernel.dk" <axboe@kernel.dk>,
	"jdl1291@gmail.com" <jdl1291@gmail.com>
Subject: Re: [PATCH 1/3] Remove two cancel_delayed_work() calls from the error handler
Date: Tue, 27 May 2014 08:56:22 +0000
Message-ID: <1401180980.14454.31.camel@dabdike>
In-Reply-To: <53844E8E.7010404@acm.org>

On Tue, 2014-05-27 at 10:36 +0200, Bart Van Assche wrote:
> On 05/27/14 10:09, James Bottomley wrote:
> > On Tue, 2014-05-27 at 10:06 +0200, Bart Van Assche wrote:
> >> As you probably know scsi_put_command() can get called from softirq
> >> context. A BUG_ON() in that context might make it unnecessarily hard for a
> >> user to collect call traces.
> > 
> > Why?  The messages dumped are the same, the trace just starts from the
> > IRQ context ... I don't see what the problem is.
> > 
> > The question isn't ease of gathering the data, it's correctness.  The
> > point is that if the assert fails we have a free of an in-use command
> > leading to a nasty use after free ... the machine state is hosed at that
> > point.
> 
> Please keep in mind that even if the SCSI mid-layer functions correctly
> it is still possible that another driver in the system could cause these
> tests to fail if it triggers e.g. a use-after-free.
> 
> If BUG_ON() is invoked the dumped message will be displayed on the
> screen but will not be saved in the system log. This is inconvenient
> because it means that if someone wants to capture the dumped message a
> camera is necessary and one has to step to the physical console to
> capture this message. Using WARN_ON() or WARN_ON_ONCE() makes it a lot
> easier for users to capture any message that is displayed.

This isn't debatable: we code for the safety of the user not for some
academic need to capture data; if you don't understand that, you might
like to re-review systems design.  If this assertion fails, the system
state is corrupt and if we let it continue, that corruption will
propagate.  The *only* safe course that protects the user is to stop it
as fast as possible, hopefully before the corruption penetrates to the
permanent storage.

The whole reason BUG_ON doesn't leave a log trace is to try to prevent
corruption propagating to the data storage devices.  What you propose
would be inviting that corruption in the name of getting a log entry.

If I prioritise getting log information over protecting user data, no
user would, quite rightly, ever trust Linux to store their vital
information.

James


Thread overview: 31+ messages
2014-05-26 15:12 Make SCSI error handler code easier to understand Bart Van Assche
2014-05-26 15:14 ` [PATCH 1/3] Remove two cancel_delayed_work() calls from the error handler Bart Van Assche
2014-05-26 15:15   ` [PATCH 2/3] block: Introduce blk_rq_completed() Bart Van Assche
2014-05-26 15:27     ` James Bottomley
2014-05-27  7:49       ` Bart Van Assche
2014-05-27  7:52         ` hch
2014-05-27  8:00           ` James Bottomley
2014-05-27  8:23         ` James Bottomley
2014-05-27  9:00           ` Bart Van Assche
2014-05-27 10:21             ` James Bottomley
2014-05-27 10:47               ` Paolo Bonzini
2014-05-27 10:59                 ` James Bottomley
2014-05-27 11:13                   ` Paolo Bonzini
2014-05-27 11:26                     ` James Bottomley
2014-05-27 11:52                       ` Paolo Bonzini
2014-05-27 11:57                         ` James Bottomley
2014-05-27  5:40     ` Hannes Reinecke
2014-05-26 15:23   ` [PATCH 1/3] Remove two cancel_delayed_work() calls from the error handler Paolo Bonzini
2014-05-26 15:25     ` James Bottomley
2014-05-27  8:06     ` Bart Van Assche
2014-05-27  8:09       ` James Bottomley
2014-05-27  8:36         ` Bart Van Assche
2014-05-27  8:56           ` James Bottomley [this message]
2014-05-27  9:06             ` Paolo Bonzini
2014-05-27  5:40   ` Hannes Reinecke
2014-05-27  6:08     ` Bart Van Assche
2014-05-27  6:22       ` Hannes Reinecke
2014-05-26 15:15 ` [PATCH 3/3] Make SCSI error handler code easier to understand Bart Van Assche
2014-05-27  5:42   ` Hannes Reinecke
2014-05-28 20:15 ` Joe Lawrence
2014-05-29 11:33   ` James Bottomley