Re: [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW

From: Jason Gunthorpe
Date: Tue Aug 09 2022 - 15:15:27 EST


On Tue, Aug 09, 2022 at 11:59:45AM -0700, Linus Torvalds wrote:

> But as a very good approximation, the rule is "absolutely no new
> BUG_ON() calls _ever_". Because I really cannot see a single case
> where "proper error handling and WARN_ON_ONCE()" isn't the right
> thing.

Parallel to this discussion I've had ones where people more or less
say:

  Since BUG_ON crashes the machine and Linus says that crashing the
  machine is bad, WARN_ON will also crash the machine if you set the
  panic_on_warn parameter, so it is also bad, thus we shouldn't use
  anything.

I've generally maintained that people who set the panic_on_warn *want*
these crashes, because that is the entire point of it. So we should
use WARN_ON with an error recovery for "can't happen" assertions like
these. I think it is what you are saying here.

Jason