From patchwork Fri Sep 23 11:34:24 2022
X-Patchwork-Submitter: David Hildenbrand
X-Patchwork-Id: 12986475
From: David Hildenbrand
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, linux-doc@vger.kernel.org, David Hildenbrand, Linus Torvalds, Andrew Morton, Ingo Molnar, David Laight, Jonathan Corbet, Andy Whitcroft, Joe Perches, Dwaipayan Ray, Lukas Bulwahn, Baoquan He, Vivek Goyal, Dave Young, Jani Nikula, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Akira Yokosawa, Kalle Valo, "Daniel K .", John Hubbard
Subject: [PATCH v2 1/2] coding-style.rst: document BUG() and WARN() rules ("do not crash the kernel")
Date: Fri, 23 Sep 2022 13:34:24 +0200
Message-Id: <20220923113426.52871-2-david@redhat.com>
In-Reply-To: <20220923113426.52871-1-david@redhat.com>
References: <20220923113426.52871-1-david@redhat.com>

Linus notes [1] that the introduction of new code that uses VM_BUG_ON()
is just as bad as BUG_ON(), because it will crash the kernel on
distributions that enable CONFIG_DEBUG_VM (like Fedora):

    VM_BUG_ON() has the exact same semantics as BUG_ON. It is literally
    no different, the only difference is "we can make the code smaller
    because these are less important". [2]

This resulted in a more generic discussion about usage of BUG() and
friends. While there might be corner cases that still deserve a BUG_ON(),
most BUG_ON() cases should simply use WARN_ON_ONCE() and implement a
recovery path if reasonable:

    The only possible case where BUG_ON can validly be used is "I have
    some fundamental data corruption and cannot possibly return an
    error". [2]

As a very good approximation is the general rule:

    "absolutely no new BUG_ON() calls _ever_" [2]

... not even if something really shouldn't ever happen and is merely for
documenting that an invariant always has to hold. However, there are still
exceptions where BUG_ON() may be used:

    If you have a "this is major internal corruption, there's no way we
    can continue", then BUG_ON() is appropriate. [3]

There is only one good BUG_ON():

    Now, that said, there is one very valid sub-form of BUG_ON():
    BUILD_BUG_ON() is absolutely 100% fine. [2]

While WARN will also crash the machine with panic_on_warn set, that's
exactly to be expected:

    So we have two very different cases: the "virtual machine with good
    logging where a dead machine is fine" - use 'panic_on_warn'. And
    the actual real hardware with real drivers, running real loads by
    users. [4]

The basic idea is that warnings will similarly get reported by users
and be found during testing. However, in contrast to a BUG(), there is a
way to actually influence the expected behavior (e.g., panic_on_warn)
and to eventually keep the machine alive to extract some debug info.

Ingo notes that not all WARN_ON_ONCE cases need recovery. If we don't ever
expect this code to trigger in any case, recovery code is not really
helpful.

    I'd prefer to keep all these warnings 'simple' - i.e. no attempted
    recovery & control flow, unless we ever expect these to trigger.
    [5]

There have been different rules floating around that were never properly
documented. Let's try to clarify.

[1] https://lkml.kernel.org/r/CAHk-=wiEAH+ojSpAgx_Ep=NKPWHU8AdO3V56BXcCsU97oYJ1EA@mail.gmail.com
[2] https://lore.kernel.org/r/CAHk-=wg40EAZofO16Eviaj7mfqDhZ2gVEbvfsMf6gYzspRjYvw@mail.gmail.com
[3] https://lkml.kernel.org/r/CAHk-=wit-DmhMfQErY29JSPjFgebx_Ld+pnerc4J2Ag990WwAA@mail.gmail.com
[4] https://lore.kernel.org/r/CAHk-=wgF7K2gSSpy=m_=K3Nov4zaceUX9puQf1TjkTJLA2XC_g@mail.gmail.com
[5] https://lore.kernel.org/r/YwIW+mVeZoTOxn%2F4@gmail.com

Reviewed-by: John Hubbard
Signed-off-by: David Hildenbrand
--- Documentation/process/coding-style.rst | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst index 03eb53fd029a..007e49ef6cec 100644 --- a/Documentation/process/coding-style.rst +++ b/Documentation/process/coding-style.rst 
@@ -1186,6 +1186,68 @@ expression used. For instance: #endif /* CONFIG_SOMETHING */ +22) Do not crash the kernel +--------------------------- + +In general, the decision to crash the kernel belongs to the user, rather +than to the kernel developer. + +Avoid panic() +************* + +panic() should be used with care and primarily only during system boot. +panic() is, for example, acceptable when running out of memory during boot and +not being able to continue. + +Use WARN() rather than BUG() +**************************** + +Do not add new code that uses any of the BUG() variants, such as BUG(), +BUG_ON(), or VM_BUG_ON(). Instead, use a WARN*() variant, preferably +WARN_ON_ONCE(), and possibly with recovery code. Recovery code is not +required if there is no reasonable way to at least partially recover. + +"I'm too lazy to do error handling" is not an excuse for using BUG(). Major +internal corruptions with no way of continuing may still use BUG(), but need +good justification. + +Use WARN_ON_ONCE() rather than WARN() or WARN_ON() +************************************************** + +WARN_ON_ONCE() is generally preferred over WARN() or WARN_ON(), because it +is common for a given warning condition, if it occurs at all, to occur +multiple times. This can fill up and wrap the kernel log, and can even slow +the system enough that the excessive logging turns into its own, additional +problem. + +Do not WARN lightly +******************* + +WARN*() is intended for unexpected, this-should-never-happen situations. +WARN*() macros are not to be used for anything that is expected to happen +during normal operation. These are not pre- or post-condition asserts, for +example. Again: WARN*() must not be used for a condition that is expected +to trigger easily, for example, by user space actions. pr_warn_once() is a +possible alternative, if you need to notify the user of a problem. 
+ +Do not worry about panic_on_warn users +************************************** + +A few more words about panic_on_warn: Remember that ``panic_on_warn`` is an +available kernel option, and that many users set this option. This is why +there is a "Do not WARN lightly" writeup, above. However, the existence of +panic_on_warn users is not a valid reason to avoid the judicious use +WARN*(). That is because, whoever enables panic_on_warn has explicitly +asked the kernel to crash if a WARN*() fires, and such users must be +prepared to deal with the consequences of a system that is somewhat more +likely to crash. + +Use BUILD_BUG_ON() for compile-time assertions +********************************************** + +The use of BUILD_BUG_ON() is acceptable and encouraged, because it is a +compile-time assertion that has no effect at runtime. + Appendix I) References ---------------------- 

From patchwork Fri Sep 23 11:34:25 2022
X-Patchwork-Submitter: David Hildenbrand
X-Patchwork-Id: 12986476
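
Review bot: in the "Do not worry about panic_on_warn users" paragraph of the coding-style.rst hunk, "avoid the judicious use +WARN*()" is missing a word and should read "the judicious use of WARN*()"; the comma in "That is because, whoever enables" should also go. The same paragraph marks up ``panic_on_warn`` as a literal on one mention and leaves it plain on the others, so pick one form. "Do not WARN lightly" would be stronger if it said why conditions reachable "by user space actions" are excluded: per the panic_on_warn paragraph, a WARN*() that fires crashes every system that set that option, so a warning user space can trigger becomes a crash user space can trigger on those systems. One sentence making that link would also explain the cross-reference "This is why there is a "Do not WARN lightly" writeup, above".
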
From: David Hildenbrand
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, linux-doc@vger.kernel.org, David Hildenbrand, Linus Torvalds, Andrew Morton, Ingo Molnar, David Laight, Jonathan Corbet, Andy Whitcroft, Joe Perches, Dwaipayan Ray, Lukas Bulwahn, Baoquan He, Vivek Goyal, Dave Young, Jani Nikula, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Akira Yokosawa, Kalle Valo, "Daniel K ."
Subject: [PATCH v2 2/2] checkpatch: warn on usage of VM_BUG_ON() and other BUG variants
Date: Fri, 23 Sep 2022 13:34:25 +0200
Message-Id: <20220923113426.52871-3-david@redhat.com>
In-Reply-To: <20220923113426.52871-1-david@redhat.com>
References: <20220923113426.52871-1-david@redhat.com>

checkpatch does not point out that VM_BUG_ON() and friends should be
avoided, however, Linus notes:

    VM_BUG_ON() has the exact same semantics as BUG_ON. It is literally
    no different, the only difference is "we can make the code smaller
    because these are less important". [1]

So let's warn on VM_BUG_ON() and other BUG variants as well. While at it,
make it clearer that the kernel really shouldn't be crashed.

As there are some subsystem BUG macros that actually don't end up crashing
the kernel -- for example, KVM_BUG_ON() -- exclude these manually.

[1] https://lore.kernel.org/r/CAHk-=wg40EAZofO16Eviaj7mfqDhZ2gVEbvfsMf6gYzspRjYvw@mail.gmail.com

Signed-off-by: David Hildenbrand
--- scripts/checkpatch.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index 79e759aac543..5ca0039f216a 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl 
@@ -4695,12 +4695,12 @@ sub process { } } -# avoid BUG() or BUG_ON() - if ($line =~ /\b(?:BUG|BUG_ON)\b/) { +# do not use BUG() or variants + if ($line =~ /\b(?!AA_|BUILD_|DCCP_|IDA_|KVM_|RWLOCK_|snd_|SPIN_)(?:[a-zA-Z_]*_)?BUG(?:_ON)?(?:_[A-Z_]+)?\s*\(/) { my $msg_level = \&WARN; $msg_level = \&CHK if ($file); &{$msg_level}("AVOID_BUG", - "Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON()\n" . $herecurr); + "Do not crash the kernel unless it is absolutely unavoidable--use WARN_ON_ONCE() plus recovery code (if feasible) instead of BUG() or variants\n" . $herecurr); } # avoid LINUX_VERSION_CODE
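
Review bot: the negative lookahead "(?!AA_|BUILD_|DCCP_|IDA_|KVM_|RWLOCK_|snd_|SPIN_)" in the new "$line =~" test is an unexplained hard-coded exclusion list. The commit message says these prefixes are excluded because the macros do not end up crashing the kernel, but the only comment in the code is "# do not use BUG() or variants", so whoever adds the next prefixed macro has no stated criterion to apply. A comment line above the test naming that criterion would keep the list consistent, since any prefixed *_BUG*() macro not on it is now flagged by "(?:[a-zA-Z_]*_)?BUG". The new pattern also ends in "\s*\(" where the old one ended in "\b", so it fires only where an opening parenthesis follows the name; that behaviour change is worth a sentence in the commit message.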