Linux Security Modules development
From: Eric Biggers <ebiggers@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
	Jaegeuk Kim <jaegeuk@kernel.org>
Subject: Re: [GIT PULL] fscrypt fix for v6.3-rc4
Date: Mon, 20 Mar 2023 15:59:34 -0700
Message-ID: <20230320225934.GB21979@sol.localdomain>
In-Reply-To: <CAHk-=whefxRGyNGzCzG6BVeM=5vnvgb-XhSeFJVxJyAxAF8XRA@mail.gmail.com>

On Mon, Mar 20, 2023 at 03:16:48PM -0700, Linus Torvalds wrote:
> On Mon, Mar 20, 2023 at 1:56 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> >       fscrypt: check for NULL keyring in fscrypt_put_master_key_activeref()
> 
> Side note: please just use WARN_ON_ONCE() for things like this, not WARN_ON.
> 
> If it's triggerable, it should be triggered only once rather than
> flood the logs and possibly cause a DoS.
> 
> And if it's not triggerable, the "ONCE" doesn't matter.
> 
> I note that fscrypt in general seems to be *way* too happy with
> WARN_ON() as some kind of debugging aid.
> 
> It's not good in general (printf for debugging is wonderful, but
> shouldn't be left in the sources to rot for all eternity), but it's
> particularly not good in that form.
> 

Yes, I agree that most of the WARN_ONs should be WARN_ON_ONCEs.  I think I've
been assuming that WARN_ON is significantly more lightweight than WARN_ON_ONCE.
But that doesn't seem to be the case, especially since commit 19d436268dde
("debug: Add _ONCE() logic to report_bug()").

But besides that, I believe WARN* is generally being used appropriately in
fs/crypto/.  It's used when assumptions made by the code are violated, but where
the hard crash of a BUG() is not necessary.  I think this is a good thing to
have, versus the alternative of doing nothing and making it much harder to track
down bugs...  Some particularly bad crypto bugs that we can easily WARN about,
such as IVs being truncated, may not even be detectable by users otherwise.

There are probably a few that should be removed, though.  I'm also considering
whether the refcounting-related ones should use CHECK_DATA_CORRUPTION, though
that may run afoul of the "don't use BUG() unless absolutely needed" rule...

- Eric
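
Added example, not part of the thread and not kernel code: a userspace C model of the point discussed above, showing that a once-only warning bounds log output when a violated assumption is hit repeatedly, while the caller's bail-out still runs on every hit. The names `model_warn`, `put_ref`, `flood` and `struct keyring` are hypothetical stand-ins, and the log is modelled as a counter.

```c
#include <stdbool.h>
#include <stdio.h>

static unsigned long log_lines; /* stands in for the kernel log */

/* Userspace model. once == NULL behaves like WARN_ON(); otherwise *once is
 * the per-call-site flag of WARN_ON_ONCE(). Both return cond on every call,
 * so the caller's error path still runs after the report is suppressed. */
static bool model_warn(bool cond, bool *once, const char *site)
{
	if (cond && !(once && *once)) {
		if (once)
			*once = true;
		log_lines++;
		fprintf(stderr, "WARNING: assumption violated at %s\n", site);
	}
	return cond;
}

struct keyring { int active_refs; }; /* hypothetical stand-in */

/* Hypothetical release path; `once` selects which macro is modelled. */
static bool put_ref(struct keyring *kr, bool once)
{
	static bool warned; /* one flag for this call site */
	if (model_warn(kr == NULL, once ? &warned : NULL, "put_ref"))
		return false;
	kr->active_refs--;
	return true;
}

/* Hit the path n times with a NULL keyring; return log lines emitted. */
static unsigned long flood(bool once, unsigned n, unsigned *rejected)
{
	unsigned long before = log_lines;
	for (*rejected = 0; n > 0; n--)
		*rejected += !put_ref(NULL, once);
	return log_lines - before;
}

int main(void)
{
	unsigned rej;
	printf("WARN_ON:      %lu log lines\n", flood(false, 1000, &rej));
	printf("WARN_ON_ONCE: %lu log lines\n", flood(true, 1000, &rej));
	return 0;
}
```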
