Message ID | 20241112073421.GD1458936@google.com |
---|---|
State | New |
Headers | show |
Series | ext4: possible circular locking dependency at ext4_xattr_inode_create | expand |
On Tue, Nov 12, 2024 at 04:34:21PM +0900, Sergey Senozhatsky wrote: > > I've a following syzkaller report (no reproducer); the report is > against 5.15, but the same call-chain seems possible in current > upstream as well. So I suspect that maybe ext4_xattr_inode_create() > should take nested inode_lock (I_MUTEX_XATTR) instead. Does the > patch below make any sense? These syzkaller reports result from mounting a corrupted (fuzzed) file system typically when an inode is used in multiple contexts (e.g., as a directory and an EA inode, etc.) at the same time. I'd have to take a closer look to see if it makes sense, but in general, very often whenever we try to fix one of these it ends up triggering some other syzkaller failure. And, these sorts of things don't actually result in actual security problems (at worst, a hang / denial of service attack), and the right thing to do is to just run fsck on the !@#?!? file system before mounting the thing. The best way to protect systems against threat model of users picking up a random USB stick dropped in a parking lot that contains a maliciously fuzzed file system is to either (a) run fsck before allowing the file system to be mounted, (b) enable the enterprise policy that prohibits USB thumb drives from being automounted, or (c) mount USB stick in some kind of VM (e.g., CrosVM) and then use a reverse virtiofs / 9pfs / fuse to make the file system be available in the host system. The last would be best solution, but it would require development work. So I mention it in the hopes that at some point I can convince some company to pick it up, since it would significantly improve security for all desktops, laptops, and mobile systems that want to support mounting removeable storage. In any case, trying to fix these sorts of syzkaller warnings is essentially playing whack-a-mole, and so while I don't have objections to these sorts of fixes, if it causes any kind of regression or worse, *two* new syzkaller failures, it just makes life harder for overworked ext4 developers. :-) Cheers, - Ted
Hi Ted, On (24/11/12 10:29), Theodore Ts'o wrote: > > I've a following syzkaller report (no reproducer); the report is > > against 5.15, but the same call-chain seems possible in current > > upstream as well. So I suspect that maybe ext4_xattr_inode_create() > > should take nested inode_lock (I_MUTEX_XATTR) instead. Does the > > patch below make any sense? > > These syzkaller reports result from mounting a corrupted (fuzzed) file > system typically when an inode is used in multiple contexts (e.g., as > a directory and an EA inode, etc.) at the same time. I certainly see your point, and I don't argue. > I'd have to take a closer look to see if it makes sense, but in > general, very often whenever we try to fix one of these it ends up > triggering some other syzkaller failure. I see, the one-liner that I posted sort of looks like an addition to d1bc560e9a9c7 which landed in ext4 recently. > And, these sorts of things don't actually result in actual security > problems (at worst, a hang / denial of service attack), and the right > thing to do is to just run fsck on the !@#?!? file system before > mounting the thing. So in our particular case reboot is a bad scenario. Looking at reports from the fleet I see a bunch of hung-task reboots with ext4 frames, e.g. ext4_update_i_disksize()->down_write()->schedule() /* forever */, but I can't claim that this is the deadlock that syzkaller has reported, it very well might not be.
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 7647e9f6e190..db3c68fbbadf 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1511,7 +1511,7 @@ static struct inode *ext4_xattr_inode_create(handle_t *handle, */ dquot_free_inode(ea_inode); dquot_drop(ea_inode); - inode_lock(ea_inode); + inode_lock_nested(inode, I_MUTEX_XATTR); ea_inode->i_flags |= S_NOQUOTA; inode_unlock(ea_inode); }