Re: [dm-devel] [PATCH] dm verity: fix error handling for check_at_most_once

[Eric Biggers <ebiggers@kernel.org>]

Hi Yeongjin,

On Thu, Mar 16, 2023 at 12:18:42PM +0900, Yeongjin Gil wrote:
> In verity_work(), the return value of verity_verify_io() is converted to
> blk_status and passed to verity_finish_io(). BTW, when a bit is set in
> v->validated_blocks, verity_verify_io() skips verification regardless of
> I/O error for the corresponding bio. In this case, the I/O error could
> not be returned properly, and as a result, there is a problem that
> abnormal data could be read for the corresponding block.
> 
> To fix this problem, when an I/O error occurs, do not skip verification
> even if the bit related is set in v->validated_blocks.
> 
> Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once")
> 
> Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
> Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
> ---
>  drivers/md/dm-verity-target.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
> index ade83ef3b439..9316399b920e 100644
> --- a/drivers/md/dm-verity-target.c
> +++ b/drivers/md/dm-verity-target.c
> @@ -523,7 +523,7 @@ static int verity_verify_io(struct dm_verity_io *io)
>  		sector_t cur_block = io->block + b;
>  		struct ahash_request *req = verity_io_hash_req(v, io);
>  
> -		if (v->validated_blocks &&
> +		if (v->validated_blocks && bio->bi_status == BLK_STS_OK &&
>  		    likely(test_bit(cur_block, v->validated_blocks))) {
>  			verity_bv_skip_block(v, io, iter);
>  			continue;

Thanks for sending this patch!  This looks like a correct fix, but I have some
comments:

* Using "check_at_most_once" is strongly discouraged, as it reduces security.
  If you are using check_at_most_once to improve performance at the cost of
  reduced security, please consider that very recently, dm-verity performance
  has significantly improved due to the removal of the WQ_UNBOUND workqueue flag
  which was causing significant I/O latency.  See commit c25da5b7baf1
  ("dm verity: stop using WQ_UNBOUND for verify_wq").

* I think your commit message does not explain a key aspect of the problem which
  is why is verity even attempted when the underlying I/O has failed?  This
  appears to be because of the Forward Error Correction (FEC) feature.  So, this
  issue is specific to the case where both FEC and check_at_most_once is used.
  Can you make your commit message explain this?

* This patch does not appear to have been received by the dm-devel mailing list,
  which is the list where dm-verity patches should be reviewed on.  It doesn't
  show up in the archive at https://lore.kernel.org/dm-devel.  Also, I'm
  subscribed to dm-devel and I didn't receive this patch in my inbox.  (I had to
  download it from https://lore.kernel.org/lkml instead.)  Did you receive a
  bounce message when you sent this patch?

* Please add 'Cc: stable@vger.kernel.org' to the commit message, just below the
  Fixes line, as per Documentation/process/stable-kernel-rules.rst.  This will
  ensure that the fix will be backported to the stable kernels.

* "Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>" does not have a
  corresponding Author or Co-developed-line, which is not allowed.  Did you mean
  to list Sungjong as the Author or as a co-author?

* No blank line between Fixes and the Signed-off-by line(s), please.

Thanks!

- Eric

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel