Re: [PATCH] dm-verity: restart or panic on an I/O error

Mikulas Patocka <mpatocka@xxxxxxxxxx> · Tue, 24 Sep 2024 20:10:47 +0200 (CEST)

On Tue, 24 Sep 2024, Sami Tolvanen wrote:

> Hi Mikulas,
> 
> On Tue, Sep 24, 2024 at 6:18 AM Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
> >
> > Maxim Suhanov reported that dm-verity doesn't crash if an I/O error
> > happens. In theory, this could be used to subvert security, because an
> > attacker can create sectors that return error with the Write Uncorrectable
> > command. Some programs may misbehave if they have to deal with EIO.
> 
> I seem to recall that this was intentional. We used to restart/panic
> on I/O errors with FEC enabled, but the behavior was changed in commit
> 2c0468e054c0 ("dm verity: skip redundant verity_handle_err() on I/O
> errors"). Akilesh, do you remember what exactly was the issue here?

> > Index: linux-2.6/drivers/md/dm-verity-target.c
> > ===================================================================
> > --- linux-2.6.orig/drivers/md/dm-verity-target.c        2024-09-23 17:48:08.000000000 +0200
> > +++ linux-2.6/drivers/md/dm-verity-target.c     2024-09-24 11:34:08.000000000 +0200
> > @@ -273,7 +273,7 @@ out:
> >                 return 0;
> >
> >         if (v->mode == DM_VERITY_MODE_RESTART)
> > -               kernel_restart("dm-verity device corrupted");
> > +               emergency_restart();
> 
> Can we still log the reason for the restart? I remember some folks
> used to rely on the "dm-verity device corrupted" message in the kernel
> log.
> 
> Sami

OK. I've applied this on the top of my patch.

Mikulas

diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 88012845bced..c9451df72c5a 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -272,8 +272,10 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type,
 	if (v->mode == DM_VERITY_MODE_LOGGING)
 		return 0;
 
-	if (v->mode == DM_VERITY_MODE_RESTART)
+	if (v->mode == DM_VERITY_MODE_RESTART) {
+		pr_emerg("dm-verity device corrupted\n");
 		emergency_restart();
+	}
 
 	if (v->mode == DM_VERITY_MODE_PANIC)
 		panic("dm-verity device corrupted");
@@ -602,11 +604,13 @@ static void verity_finish_io(struct dm_verity_io *io, blk_status_t status)
 			DMERR_LIMIT("%s has error: %s", v->data_dev->name,
 					blk_status_to_str(status));
 
-		if (v->mode == DM_VERITY_MODE_RESTART)
+		if (v->mode == DM_VERITY_MODE_RESTART) {
+			pr_emerg("dm-verity device corrupted\n");
 			emergency_restart();
+		}
 
 		if (v->mode == DM_VERITY_MODE_PANIC)
-			panic("dm-verity device has I/O error");
+			panic("dm-verity device corrupted");
 	}
 
 	bio_endio(bio);



