On Wed, Aug 7, 2024 at 12:51 AM Dave Chinner <david@xxxxxxxxxxxxx> wrote:
>
> On Tue, Aug 06, 2024 at 04:46:28PM +0200, Mateusz Guzik wrote:
> > error = may_open(idmap, &nd->path, acc_mode, open_flag);
> > - if (!error && !(file->f_mode & FMODE_OPENED))
> > - error = vfs_open(&nd->path, file);
> > + if (!error && !(file->f_mode & FMODE_OPENED)) {
> > + BUG_ON(nd->state & ND_PATH_CONSUMED);
>
> Please don't litter new code with random BUG_ON() checks. If this
> every happens, it will panic a production kernel and the fix will
> generate a CVE.
>
> Given that these checks should never fire in a production kernel
> unless something is corrupting memory (i.e. the end is already
> near), these should be considered debug assertions and we should
> treat them that way from the start.
>
> i.e. we really should have a VFS_ASSERT() or VFS_BUG_ON() (following
> the VM_BUG_ON() pattern) masked by a CONFIG_VFS_DEBUG option so they
> are only included into debug builds where there is a developer
> watching to debug the system when one of these things fires.
>
> This is a common pattern for subsystem specific assertions. We do
> this in all the major filesystems, the MM subsystem does this
> (VM_BUG_ON), etc. Perhaps it is time to do this in the VFS code as
> well....
I agree, I have this at the bottom of my todo list.
The only reason I BUG_ON'ed here is because proper debug macros are not present.
fwiw v2 does not have any of this, so...
--
Mateusz Guzik <mjguzik gmail.com>
