[REPOST PATCH 1/8] fence: dma-buf cross-device synchronization (v17)
James Bottomley
James.Bottomley at HansenPartnership.com
Thu Jun 19 16:08:08 PDT 2014
On Thu, 2014-06-19 at 15:39 -0700, H. Peter Anvin wrote:
> On 06/19/2014 01:01 PM, Greg KH wrote:
> > On Thu, Jun 19, 2014 at 09:15:36PM +0200, Daniel Vetter wrote:
> >> On Thu, Jun 19, 2014 at 7:00 PM, Greg KH <gregkh at linuxfoundation.org> wrote:
> >>>>>> + BUG_ON(f1->context != f2->context);
> >>>>>
> >>>>> Nice, you just crashed the kernel, making it impossible to debug or
> >>>>> recover :(
> >>>>
> >>>> agreed, that should probably be 'if (WARN_ON(...)) return NULL;'
> >>>>
> >>>> (but at least I wouldn't expect to hit that under console_lock so you
> >>>> should at least see the last N lines of the backtrace on the screen
> >>>> ;-))
> >>>
> >>> Lots of devices don't have console screens :)
> >>
> >> Aside: This is a pet peeve of mine and recently I've switched to
> >> rejecting all patch that have a BUG_ON, period.
> >
> > Please do, I have been for a few years now as well for the same reasons
> > you cite.
> >
>
> I'm actually concerned about this trend. Downgrading things to WARN_ON
> can allow a security bug in the kernel to continue to exist, for
> example, or make the error message disappear.
Me too. We use BUG_ON in the I/O subsystem where we're forced to
violate a guarantee. When the choice is corrupt something or panic the
system, I prefer the latter every time.
> I am wondering if the right thing here isn't to have a user (command
> line?) settable policy as to how to proceed on an assert violation,
> instead of hardcoding it at compile time.
I'd say it depends on the consequence of the assertion violation. We
have assertions that are largely theoretical, ones that govern process
internal state (so killing the process mostly sanitizes the system) and
a few that imply data loss or data corruption.
James
More information about the dri-devel
mailing list