Hi David, On Sat, 27 Aug 2022 at 01:02, David Hildenbrand <david@xxxxxxxxxx> wrote: > > On 26.08.22 03:43, Dave Young wrote: > > Hi David, > > > > [Added more people in cc] > > > > Hi Dave, > > thanks for your input! You are welcome :) > > [...] > > >> Side note: especially with kdump() I feel like we might see much more > >> widespread use of panic_on_warn to be able to actually extract debug > >> information in a controlled manner -- for example on enterprise distros. > >> ... which would then make these systems more likely to crash, because > >> there is no way to distinguish a rather harmless warning from a severe > >> warning :/ . But let's see if some kdump() folks will share their > >> opinion as reply to the cover letter. > > > > I can understand the intention of this patch, and I totally agree that > > BUG() should be used carefully, this is a good proposal if we can > > clearly define the standard about when to use BUG(). But I do have > > Essentially, the general rule from Linus is "absolutely no new BUG_ON() > calls ever" -- but I think the consensus in that thread was that there > are corner cases when it comes to unavoidable data corruption/security > issues. And these are rare cases, not the usual case where we'd have > used BUG_ON()/VM_BUG_ON(). Yes, probably.. (say probably because those cases are hidden and not clear sometimes) > > > some worries, I think this standard is different for different sub > > components, it is not clear to me at least, so this may introduce an > > unstable running kernel and cause troubles (eg. data corruption) with > > a WARN instead of a BUG. Probably it would be better to say "Do not > > WARN lightly, and do not hesitate to use BUG if it is really needed"? > > > Well, I don't make the rules, I document them and share them for general > awareness/comments :) Documenting this is valuable, because there seem > to be quite some different opinions floating around in the community -- > and I've been learning different rules from different people over the years. Understand. > > > > > About "patch_on_warn", it will depend on the admin/end user to set it, > > it is not a good idea for distribution to set it. It seems we are > > leaving it to end users to take the risk of a kernel panic even with > > all kernel WARN even if it is sometimes not necessary. > > My question would be what we could add/improve to keep systems with > kdump armed running as expected for end users, that is most probably: > > 1) don't crash on harmless WARN() that can just be reported and the > machine will continue running mostly fine without real issues. > 2) crash on severe issues (previously BUG) such that we can properly > capture a system dump via kdump. The restart the machine. > > Of course, once one would run into 2), one could try reproducing with > "panic_on_warn" to get a reasonable system dump. But I guess that's not > what enterprise customers expect. > Sometimes the bug can not be easily reproduced again. So there seems no easy and good way to use.. > > One wild idea (in the cover letter) was to add something new that can be > configured by user space and that expresses that something is more > severe than just some warning that can be recovered easily. But it can > eventually be recovered to keep the system running to some degree. But > still, it's configurable if we want to trigger a panic or let the system > run. > > John mentioned PANIC_ON(). > I would vote for PANIC_ON(), it sounds like a good idea, because BUG_ON() is not obvious and, PANIC_ON() can alert the code author that this will cause a kernel panic and one will be more careful before using it. > > What would be your expectation for kdump users under which conditions we > want to trigger kdump and when not? > > Regarding panic_on_warn, how often do e.g., RHEL users observe warnings > that we're not able to catch during testing, such that "panic_on_warn" > would be a real no-go? Well, I'm not sure how to answer the questions, when to panic should be decided by kernel developers instead of kdump users, but I think the panic behaviour does impact the supporting team. I added Stephen who is from the RH supporting team, maybe he can have some inputs. BTW, I vaguely remember Prarit introduced the panic_on_warn, see if he has any comments here. Thanks Dave > > -- > Thanks, > > David / dhildenb >
