lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230428052422.GB1969623@dread.disaster.area> Date: Fri, 28 Apr 2023 15:24:22 +1000 From: Dave Chinner <david@...morbit.com> To: Matthew Wilcox <willy@...radead.org> Cc: Dave Chinner <dchinner@...hat.com>, Ming Lei <ming.lei@...hat.com>, Theodore Ts'o <tytso@....edu>, linux-ext4@...r.kernel.org, Andreas Dilger <adilger.kernel@...ger.ca>, linux-block@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, linux-fsdevel@...r.kernel.org, linux-mm@...ck.org, Eric Sandeen <sandeen@...hat.com>, Christoph Hellwig <hch@....de>, Zhang Yi <yi.zhang@...hat.com> Subject: Re: [ext4 io hang] buffered write io hang in balance_dirty_pages On Fri, Apr 28, 2023 at 03:56:13AM +0100, Matthew Wilcox wrote: > On Fri, Apr 28, 2023 at 09:33:20AM +1000, Dave Chinner wrote: > > The block device needs to be shutting down the filesystem when it > > has some sort of fatal, unrecoverable error like this (e.g. hot > > unplug). We have the XFS_IOC_GOINGDOWN ioctl for telling the > > filesystem it can't function anymore. This ioctl > > (_IOR('X',125,__u32)) has also been replicated into ext4, f2fs and > > CIFS and it gets exercised heavily by fstests. Hence this isn't XFS > > specific functionality, nor is it untested functionality. > > > > The ioctl should be lifted to the VFS as FS_IOC_SHUTDOWN and a > > super_operations method added to trigger a filesystem shutdown. > > That way the block device removal code could simply call > > sb->s_ops->shutdown(sb, REASON) if it exists rather than > > sync_filesystem(sb) if there's a superblock associated with the > > block device. Then all these > > I think this is the wrong approach. Not that I've had any time to > work on my alternative approach: > > https://www.infradead.org/~willy/banbury.html While that looks interesting, I'm going to say straight out that re-attaching a storage device that was hot-unplugged from under a running filesystem and then resuming service as if nothing happened is going to be both a filesystem corruption vector and a major security hole. The moment a mounted device is unexpectedly unplugged, it becomes an untrusted device. We cannot trust that it's contents when plugged back in are identical to when it was unplugged. I can't wait for syzbot to learn that it can mount a filesystem, hot-unplug the device, fuzz the image on the device and then plug it back in and expect the filesystem to handle the in-memory vs on-disk inconsistencies that result from the fuzzing. it's basically no different to allowing someone to write to the block device while the filesystem is mounted. You do that, you get to keep all the broken bits to yourself. Even without image tampering considerations, there's no guarantee that the device caches are flushed properly when someone just pulls the plug on a storage device. Hence even without tampering, we cannot trust the image on the device to match what the in-memory state of the filesystem expects it to be. So, yeah, I just don't see this ever being something we'd support with filesystems like XFS - there's just too much risk associated with untrusted devices... -Dave. -- Dave Chinner david@...morbit.com
Powered by blists - more mailing lists