From: Greg KH <gregkh@linuxfoundation.org>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
patches@lists.linux.dev
Subject: Re: [PATCH 3/3] rust: error: replace `WARN_ON_ONCE` comment with `debug_assert!`
Date: Wed, 3 Sep 2025 11:45:58 +0200 [thread overview]
Message-ID: <2025090325-drinking-illusion-ef3d@gregkh> (raw)
In-Reply-To: <CANiq72nAagBBPhyU3XdETMKBuFPbMMRaSTStWPpyLnByYPP=+A@mail.gmail.com>
On Sat, Aug 30, 2025 at 01:07:52PM +0200, Miguel Ojeda wrote:
> On Sat, Aug 30, 2025 at 8:28 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > If you wish to state that CONFIG_RUST_DEBUG_ASSERTIONS=y should NEVER be
> > used in ANY shipping Linux system, then yes, we can carve out an
> > exception for this (we do that if lockdep is enabled as that should
> > never be in a running system, only a development one).
>
> The config option is meant for development purposes ("debug"). We
> don't control all its behavior anyway, because the compiler/stdlib
> will also add many assertions (e.g. for unsafe preconditions). So, for
> instance, it could easily have a non-trivial performance impact.
>
> For the same reason, it will also change behavior depending on the
> compiler version. So, for instance, new assertions in new compiler
> versions could have an impact that is not seen in previous versions.
>
> Thus, for this particular config option, we cannot guarantee much, and
> the help text already states "This can be used to enable extra
> debugging code in development but not in production.".
>
> Having said that, I regularly CI-test our main branches with the
> option enabled, and it has worked fine so far.
>
> So if a user actually run with such kind of asserts in production,
> because they really want to crash on anything and everything, I don't
> see why they couldn't. It may really be that it actually stops an
> important exploit from going on. Of course, it may also be that it
> elevates a trivial bug into a denial of service elsewhere, but that
> risk may be worth it for certain users.
>
> In fact, I would say it is a good thing that certain specialized users
> run with it enabled, because then it means they may find potential
> bugs for others, and that makes everyone safer in practice.
>
> But I don't know what exact constraints the CVE system puts on you, so
> it is hard to assess what the best wording for such an option would
> be.
There are no "constraints" only a definition of a vulnerability that we
must follow. And for that, any way that a user could cause a reboot or
panic, without having root privileges, gets assigned a CVE.
One exception being if lockdep or a few other "debugging only" options
are enabled. Those are explicitly stated by their maintainers that they
should NEVER be enabled in a real system. For those we do not assign
CVEs as they should never be actually triggered by a user.
So I don't know what to recommend here. I strongly advise against
adding code to the kernel that can cause users to reboot their boxes if
they do something. But hey, if developers want to do that, I'll gladly
assign CVEs for when it happens :)
thanks,
greg k-h
next prev parent reply other threads:[~2025-09-03 9:46 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 19:22 [PATCH 0/3] Error improvements Miguel Ojeda
2025-08-29 19:22 ` [PATCH 1/3] rust: error: improve `Error::from_errno` documentation Miguel Ojeda
2025-08-30 12:17 ` Alexandre Courbot
2025-08-30 13:00 ` Miguel Ojeda
2025-08-30 13:31 ` Alexandre Courbot
2025-09-01 9:11 ` Benno Lossin
2025-08-29 19:22 ` [PATCH 2/3] rust: error: improve `to_result` documentation Miguel Ojeda
2025-08-30 12:18 ` Alexandre Courbot
2025-09-01 9:10 ` Benno Lossin
2025-08-29 19:22 ` [PATCH 3/3] rust: error: replace `WARN_ON_ONCE` comment with `debug_assert!` Miguel Ojeda
2025-08-29 19:43 ` Miguel Ojeda
2025-08-30 6:28 ` Greg KH
2025-08-30 11:07 ` Miguel Ojeda
2025-09-03 9:45 ` Greg KH [this message]
2025-09-03 10:03 ` Miguel Ojeda
2025-09-09 22:22 ` [PATCH 0/3] Error improvements Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025090325-drinking-illusion-ef3d@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=ojeda@kernel.org \
--cc=patches@lists.linux.dev \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).