On Wed, Aug 07, 2024 at 12:55:07AM +0200, Mateusz Guzik wrote:
> On Wed, Aug 7, 2024 at 12:51 AM Dave Chinner <david@xxxxxxxxxxxxx> wrote:
> >
> > On Tue, Aug 06, 2024 at 04:46:28PM +0200, Mateusz Guzik wrote:
> > > error = may_open(idmap, &nd->path, acc_mode, open_flag);
> > > - if (!error && !(file->f_mode & FMODE_OPENED))
> > > - error = vfs_open(&nd->path, file);
> > > + if (!error && !(file->f_mode & FMODE_OPENED)) {
> > > + BUG_ON(nd->state & ND_PATH_CONSUMED);
> >
> > Please don't litter new code with random BUG_ON() checks. If this
> > every happens, it will panic a production kernel and the fix will
> > generate a CVE.
> >
> > Given that these checks should never fire in a production kernel
> > unless something is corrupting memory (i.e. the end is already
> > near), these should be considered debug assertions and we should
> > treat them that way from the start.
> >
> > i.e. we really should have a VFS_ASSERT() or VFS_BUG_ON() (following
> > the VM_BUG_ON() pattern) masked by a CONFIG_VFS_DEBUG option so they
> > are only included into debug builds where there is a developer
> > watching to debug the system when one of these things fires.
> >
> > This is a common pattern for subsystem specific assertions. We do
> > this in all the major filesystems, the MM subsystem does this
> > (VM_BUG_ON), etc. Perhaps it is time to do this in the VFS code as
> > well....
>
> I agree, I have this at the bottom of my todo list.
Good to know.
> The only reason I BUG_ON'ed here is because proper debug macros are not present.
>
> fwiw v2 does not have any of this, so...
Yeah, I didn't notice there was a v2 patch before I wrote this.
-Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
