[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230818025255.GA2175@sol.localdomain>
Date: Thu, 17 Aug 2023 19:52:55 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Theodore Ts'o <tytso@....edu>
Cc: sandeen@...hat.com,
syzbot <syzbot+27eece6916b914a49ce7@...kaller.appspotmail.com>,
adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev, nathan@...nel.org, ndesaulniers@...gle.com,
syzkaller-bugs@...glegroups.com, trix@...hat.com
Subject: Re: [syzbot] [ext4?] kernel panic: EXT4-fs (device loop0): panic
forced after error (3)
On Thu, Aug 17, 2023 at 10:10:38PM -0400, Theodore Ts'o wrote:
> On Thu, Aug 17, 2023 at 09:47:39AM -0700, Eric Biggers wrote:
> >
> > Eric S. is correct that for a filesystem image to enable panic on error, support
> > for panic on error should have to be properly consented to by the kernel
> > configuration, for example through an fs.allow_panic_on_error sysctl.
>
> I disagree. It's up to the system administrator, not the kernel ---
> and the system adminsitrator is perfectly free to run e2fsck on a
> random file system, or to use tune2fs to adjust the panic on error
> setting on the file system, befure using their root powers to mount
> the file system.
>
> Root can do many things that cause the system to reboot. For example,
> the system adminsirtator could run /sbin/reboot. Should the kernel
> "consent" by setting fs.allow_reboot_system_call_to_work before the
> root user can run the /sbin/reboot binary? Hopefully it's obvious why
> this makes absolutely no sense.
>
> > It can be argued that this not important, or not worth implementing when the
> > default will need to remain 1 for backwards compatibility. Or even that
> > syzkaller should work around it in the mean time. But it is incorrect to write
> > "This is fundamentally a syzbot bug."
>
> Well, the current behaviour is Working as Intended. And if syzbot is
> going about whining about things that are Working as Intended, it's
> not fit for the upostream developers' purpose.
>
> As another example, root can set a real-time priority of a process to
> be at a level where it will prempt all other processes, including
> kernel threads. Do enough of these, and you *will* lock up the
> kernel. Again, should there be a sysctl that allows real-time
> priorities to work? Or do we teach syzbot that doing things that are
> documented to cause the kernel to lock up are not something that's
> worthy of a report. In the past, syzbot issued a *huge* amount of
> noise caused by precisely to this. Upstream developers complained
> that it was a false positive, and syzbot was adjusted to Stop Doing
> That.
Obviously it's up to the system administrator; that should have been clear since
I suggested a sysctl. Sorry if I wasn't clear. The point is that there are
certain conventions for what is allowed to break the safety guarantees that the
kernel provides to userspace, which includes causing a kernel panic. Panics on
various problems are configured by /proc/sys/kernel/panic_*. So having to
opt-in to panic-on-error, or at least being able to opt-out, by setting a sysctl
seems natural. Whereas having mount() being able to automatically panic the
kernel with no way to opt-out seems like a violation of broader kernel
conventions, even if it happens to be "working as intended" in the ext4 context.
Anyway, I'm not actually saying this issue is important. I just get frustrated
by the total denial that it could even possibly be considered something that
could be improved in the kernel...
- Eric
Powered by blists - more mailing lists