On Mon, Nov 27, 2017 at 3:25 PM, David Howells <[email protected]> wrote:
> Linus Torvalds <[email protected]> wrote:
>
>> I'm not seeing why it would ever be ok to do BUG_ON() instead of just
>> returning an error, though.
>
> This function has a list of requisite parameters for the caller:
>
> BUG_ON(!pkey);          <-- You need the public key to use,
> BUG_ON(!sig);
> BUG_ON(!sig->digest);   <-- the message digest to check
> BUG_ON(!sig->s);        <-- and you need the signature.
>
> If you fail to obtain any one of these parameters, you can't use this function
> and you should have errored out before calling this function. It seems
> reasonable for the function to assume that you've provided them - they're kind
> of essential to the operation. If you want, I can just remove the checks
> entirely. Many of the kernel's functions don't perform argument checking, but
> just assume you've done it right and will oops if you haven't.
>
> I could just return -EINVAL, yes, but I'm not sure that's really the right
> thing to do, at least not without printing an error message, since it's a
> kernel programming error not a userspace error or data error.
The preference even in these cases has been to keep things recoverable unless
there is a very good reason to immediately stop the kernel's thread of
execution. If all callers already check for return values, replacing BUG_ON()
with WARN() and returning -EINVAL would be best.

-Kees

--
Kees Cook
Pixel Security
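The two styles under discussion side by side, as an added example that is not from this thread or from the kernel tree: BUG_ON()/WARN_ON() are replaced by userspace stand-ins (abort() versus a logged warning plus counter), the structs are simplified stand-ins for the kernel's public_key and public_key_signature, and the two verify functions are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define EINVAL 22

/* Userspace stand-in for the kernel's BUG_ON(): kills the thread outright. */
#define BUG_ON(cond) \
    do { if (cond) { fprintf(stderr, "BUG: %s\n", #cond); abort(); } } while (0)

/* Stand-in for WARN_ON(): logs the programming error, counts it, keeps going. */
static int warn_count;
static int warn_on_impl(int cond, const char *expr)
{
    if (cond) {
        fprintf(stderr, "WARNING: %s\n", expr);
        warn_count++;
    }
    return cond;
}
#define WARN_ON(cond) warn_on_impl(!!(cond), #cond)

/* Simplified stand-ins for the kernel structs named in the thread. */
struct public_key { const char *id; };
struct public_key_signature { const unsigned char *digest; const unsigned char *s; };

/* Style the thread argues against: a missing parameter halts execution,
 * so a caller bug becomes an unrecoverable oops. */
int verify_signature_bug_on(const struct public_key *pkey,
                            const struct public_key_signature *sig)
{
    BUG_ON(!pkey);
    BUG_ON(!sig);
    BUG_ON(!sig->digest);
    BUG_ON(!sig->s);
    return 0;   /* parameters present; real verification would follow here */
}

/* Style Kees suggests: warn loudly (it is still a kernel programming error),
 * then return -EINVAL so the caller can fail the operation and recover.
 * Short-circuit || keeps sig->digest from being read when sig is NULL. */
int verify_signature_warn(const struct public_key *pkey,
                          const struct public_key_signature *sig)
{
    if (WARN_ON(!pkey) || WARN_ON(!sig) ||
        WARN_ON(!sig->digest) || WARN_ON(!sig->s))
        return -EINVAL;
    return 0;   /* parameters present; real verification would follow here */
}
```

With the recoverable version, a caller that forgets a parameter gets a stack-traced warning in the log and an error it already has to handle, rather than a dead thread.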

