Re: [syzbot] [ext4?] kernel panic: EXT4-fs (device loop0): panic forced after error (3)

[Eric Biggers <ebiggers@kernel.org>]

On Thu, Aug 17, 2023 at 10:10:38PM -0400, Theodore Ts'o wrote:
> On Thu, Aug 17, 2023 at 09:47:39AM -0700, Eric Biggers wrote:
> > 
> > Eric S. is correct that for a filesystem image to enable panic on error, support
> > for panic on error should have to be properly consented to by the kernel
> > configuration, for example through an fs.allow_panic_on_error sysctl.
> 
> I disagree.  It's up to the system administrator, not the kernel ---
> and the system adminsitrator is perfectly free to run e2fsck on a
> random file system, or to use tune2fs to adjust the panic on error
> setting on the file system, befure using their root powers to mount
> the file system.
> 
> Root can do many things that cause the system to reboot.  For example,
> the system adminsirtator could run /sbin/reboot.  Should the kernel
> "consent" by setting fs.allow_reboot_system_call_to_work before the
> root user can run the /sbin/reboot binary?  Hopefully it's obvious why
> this makes absolutely no sense.
> 
> > It can be argued that this not important, or not worth implementing when the
> > default will need to remain 1 for backwards compatibility.  Or even that
> > syzkaller should work around it in the mean time.  But it is incorrect to write
> > "This is fundamentally a syzbot bug."
> 
> Well, the current behaviour is Working as Intended.  And if syzbot is
> going about whining about things that are Working as Intended, it's
> not fit for the upostream developers' purpose.
> 
> As another example, root can set a real-time priority of a process to
> be at a level where it will prempt all other processes, including
> kernel threads.  Do enough of these, and you *will* lock up the
> kernel.  Again, should there be a sysctl that allows real-time
> priorities to work?  Or do we teach syzbot that doing things that are
> documented to cause the kernel to lock up are not something that's
> worthy of a report.  In the past, syzbot issued a *huge* amount of
> noise caused by precisely to this.  Upstream developers complained
> that it was a false positive, and syzbot was adjusted to Stop Doing
> That.

Obviously it's up to the system administrator; that should have been clear since
I suggested a sysctl.  Sorry if I wasn't clear.  The point is that there are
certain conventions for what is allowed to break the safety guarantees that the
kernel provides to userspace, which includes causing a kernel panic.  Panics on
various problems are configured by /proc/sys/kernel/panic_*.  So having to
opt-in to panic-on-error, or at least being able to opt-out, by setting a sysctl
seems natural.  Whereas having mount() being able to automatically panic the
kernel with no way to opt-out seems like a violation of broader kernel
conventions, even if it happens to be "working as intended" in the ext4 context.

Anyway, I'm not actually saying this issue is important.  I just get frustrated
by the total denial that it could even possibly be considered something that
could be improved in the kernel...

- Eric