From: Lee Jones <lee.jones@linaro.org>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH 1/1] Revert "iomap: fall back to buffered writes for invalidation failures"
Date: Thu, 10 Feb 2022 10:15:52 +0000 [thread overview]
Message-ID: <YgTl2Lm9Vk50WNSj@google.com> (raw)
In-Reply-To: <20220210045911.GF8338@magnolia>
On Wed, 09 Feb 2022, Darrick J. Wong wrote:
> On Wed, Feb 09, 2022 at 08:52:43AM +0000, Lee Jones wrote:
> > This reverts commit 60263d5889e6dc5987dc51b801be4955ff2e4aa7.
> >
> > Reverting since this commit opens a potential avenue for abuse.
>
> What kind of abuse? Did you conclude there's an avenue solely because
> some combination of userspace rigging produced a BUG warning? Or is
> this a real problem that someone found?
Genuine question: Is the ability for userspace to crash the kernel
not enough to cause concern? I would have thought that we'd want to
prevent this.
If by 'real problem' you mean; privilege escalation, memory corruption
or data leakage, then no, I haven't found any evidence of that.
However, that's not to say these aren't possible as a result of this
issue, just that I do not have the skills or knowledge to be able to
turn this into a demonstrable attack vector.
However, if you say there is no issue, I'm happy to take your word.
> > The C-reproducer and more information can be found at the link below.
>
> No. Post the information and your analysis here. I'm not going to dig
> into some Google site to find out what happened, and I'm not going to
> assume that future developers will be able to access that URL to learn
> why this patch was created.
The link provided doesn't contain any further analysis. Only the
reproducer and kernel configuration used, which are both too large to
enter into a Git commit.
> > kernel BUG at fs/ext4/inode.c:2647!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 459 Comm: syz-executor359 Tainted: G W 5.10.93-syzkaller-01028-g0347b1658399 #0
>
> What BUG on fs/ext4/inode.c:2647?
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/ext4/inode.c?h=v5.10.93#n2647
>
> All I see is a call to pagevec_release()? There's a BUG_ON further up
> if we wait for page writeback but then it still has Writeback set. But
> I don't see anything in pagevec_release that would actually result in a
> BUG warning.
Right, this BUG back-trace was taken from the kernel I received the
bug report for. I should have used the one I triggered in Mainline,
apologies for that.
The real source of the BUG is in the inlined call to page_buffers().
Here is the link for the latest release kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/ext4/inode.c?h=v5.16#n2620
#define page_buffers(page) \
({ \
BUG_ON(!PagePrivate(page)); \
((struct buffer_head *)page_private(page)); \
})
> Oh, right, this is one of those inscrutable syzkaller things, where a
> person can spend hours figuring out what the hell it set up.
A link to the config used (again too big to enter into a commit
message), can be easily sourced from the link provided.
> Yeah...no, you don't get to submit patches to core kernel code, claim
> it's not your responsibility to know anything about a subsystem that you
> want to patch, and then expect us to do the work for you. If you pick
> up a syzkaller report, you get to figure out what broke, why, and how to
> fix it in a reasonable manner.
>
> You're a maintainer, would you accept a patch like this?
No. I would share my knowledge to provide a helpful review and work
with the contributor to find a solution (if applicable).
> OH WAIT, you're running this on the Android 5.10 kernel, aren't you?
> The BUG report came from page_buffers failing to find any buffer heads
> attached to the page.
> https://android.googlesource.com/kernel/common/+/refs/heads/android12-5.10-2022-02/fs/ext4/inode.c#2647
Yes, the H/W I have to prototype these on is a phone and the report
that came in was specifically built against the aforementioned
kernel.
> Yeah, don't care.
"There is nothing to worry about, as it's intended behaviour"?
--
Lee Jones [???]
Principal Technical Lead - Developer Services
Linaro.org ? Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
WARNING: multiple messages have this Message-ID (diff)
From: Lee Jones <lee.jones@linaro.org>
To: "Darrick J. Wong" <djwong@kernel.org>
Cc: linux-kernel@vger.kernel.org, Stable <stable@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>,
Dave Chinner <dchinner@redhat.com>,
Goldwyn Rodrigues <rgoldwyn@suse.com>,
"Darrick J . Wong" <darrick.wong@oracle.com>,
Bob Peterson <rpeterso@redhat.com>,
Damien Le Moal <damien.lemoal@wdc.com>,
Theodore Ts'o <tytso@mit.edu>,
Andreas Gruenbacher <agruenba@redhat.com>,
Ritesh Harjani <riteshh@linux.ibm.com>,
Johannes Thumshirn <jth@kernel.org>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org, cluster-devel@redhat.com,
syzbot+0ed9f769264276638893@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/1] Revert "iomap: fall back to buffered writes for invalidation failures"
Date: Thu, 10 Feb 2022 10:15:52 +0000 [thread overview]
Message-ID: <YgTl2Lm9Vk50WNSj@google.com> (raw)
In-Reply-To: <20220210045911.GF8338@magnolia>
On Wed, 09 Feb 2022, Darrick J. Wong wrote:
> On Wed, Feb 09, 2022 at 08:52:43AM +0000, Lee Jones wrote:
> > This reverts commit 60263d5889e6dc5987dc51b801be4955ff2e4aa7.
> >
> > Reverting since this commit opens a potential avenue for abuse.
>
> What kind of abuse? Did you conclude there's an avenue solely because
> some combination of userspace rigging produced a BUG warning? Or is
> this a real problem that someone found?
Genuine question: Is the ability for userspace to crash the kernel
not enough to cause concern? I would have thought that we'd want to
prevent this.
If by 'real problem' you mean; privilege escalation, memory corruption
or data leakage, then no, I haven't found any evidence of that.
However, that's not to say these aren't possible as a result of this
issue, just that I do not have the skills or knowledge to be able to
turn this into a demonstrable attack vector.
However, if you say there is no issue, I'm happy to take your word.
> > The C-reproducer and more information can be found at the link below.
>
> No. Post the information and your analysis here. I'm not going to dig
> into some Google site to find out what happened, and I'm not going to
> assume that future developers will be able to access that URL to learn
> why this patch was created.
The link provided doesn't contain any further analysis. Only the
reproducer and kernel configuration used, which are both too large to
enter into a Git commit.
> > kernel BUG at fs/ext4/inode.c:2647!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 459 Comm: syz-executor359 Tainted: G W 5.10.93-syzkaller-01028-g0347b1658399 #0
>
> What BUG on fs/ext4/inode.c:2647?
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/ext4/inode.c?h=v5.10.93#n2647
>
> All I see is a call to pagevec_release()? There's a BUG_ON further up
> if we wait for page writeback but then it still has Writeback set. But
> I don't see anything in pagevec_release that would actually result in a
> BUG warning.
Right, this BUG back-trace was taken from the kernel I received the
bug report for. I should have used the one I triggered in Mainline,
apologies for that.
The real source of the BUG is in the inlined call to page_buffers().
Here is the link for the latest release kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/ext4/inode.c?h=v5.16#n2620
#define page_buffers(page) \
({ \
BUG_ON(!PagePrivate(page)); \
((struct buffer_head *)page_private(page)); \
})
> Oh, right, this is one of those inscrutable syzkaller things, where a
> person can spend hours figuring out what the hell it set up.
A link to the config used (again too big to enter into a commit
message), can be easily sourced from the link provided.
> Yeah...no, you don't get to submit patches to core kernel code, claim
> it's not your responsibility to know anything about a subsystem that you
> want to patch, and then expect us to do the work for you. If you pick
> up a syzkaller report, you get to figure out what broke, why, and how to
> fix it in a reasonable manner.
>
> You're a maintainer, would you accept a patch like this?
No. I would share my knowledge to provide a helpful review and work
with the contributor to find a solution (if applicable).
> OH WAIT, you're running this on the Android 5.10 kernel, aren't you?
> The BUG report came from page_buffers failing to find any buffer heads
> attached to the page.
> https://android.googlesource.com/kernel/common/+/refs/heads/android12-5.10-2022-02/fs/ext4/inode.c#2647
Yes, the H/W I have to prototype these on is a phone and the report
that came in was specifically built against the aforementioned
kernel.
> Yeah, don't care.
"There is nothing to worry about, as it's intended behaviour"?
--
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
next prev parent reply other threads:[~2022-02-10 10:15 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 8:52 [Cluster-devel] [PATCH 1/1] Revert "iomap: fall back to buffered writes for invalidation failures" Lee Jones
2022-02-09 8:52 ` Lee Jones
2022-02-09 10:45 ` [Cluster-devel] " Damien Le Moal
2022-02-09 10:45 ` Damien Le Moal
2022-02-09 15:09 ` [Cluster-devel] " Christoph Hellwig
2022-02-09 15:09 ` Christoph Hellwig
2022-02-09 15:20 ` [Cluster-devel] " Andreas Gruenbacher
2022-02-09 15:20 ` Andreas Gruenbacher
2022-02-09 15:59 ` [Cluster-devel] " Lee Jones
2022-02-09 15:59 ` Lee Jones
2022-02-09 19:12 ` [Cluster-devel] " Matthew Wilcox
2022-02-09 19:12 ` Matthew Wilcox
2022-02-09 19:25 ` [Cluster-devel] " Lee Jones
2022-02-09 19:25 ` Lee Jones
2022-02-10 5:47 ` [Cluster-devel] " Christoph Hellwig
2022-02-10 5:47 ` Christoph Hellwig
2022-02-10 4:59 ` [Cluster-devel] " Darrick J. Wong
2022-02-10 4:59 ` Darrick J. Wong
2022-02-10 10:15 ` Lee Jones [this message]
2022-02-10 10:15 ` Lee Jones
2022-02-11 14:37 ` [Cluster-devel] " Matthew Wilcox
2022-02-11 14:37 ` Matthew Wilcox
2022-02-14 10:33 ` [Cluster-devel] " Lee Jones
2022-02-14 10:33 ` Lee Jones
2022-02-14 13:42 ` [Cluster-devel] " Christoph Hellwig
2022-02-14 13:42 ` Christoph Hellwig
2022-02-14 14:11 ` [Cluster-devel] " Lee Jones
2022-02-14 14:11 ` Lee Jones
2022-02-14 14:24 ` [Cluster-devel] " Matthew Wilcox
2022-02-14 14:24 ` Matthew Wilcox
2022-02-14 14:43 ` [Cluster-devel] " Lee Jones
2022-02-14 14:43 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YgTl2Lm9Vk50WNSj@google.com \
--to=lee.jones@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.