On Tue, Sep 24, 2024 at 10:44 AM Sami Tolvanen <samitolvanen@xxxxxxxxxx> wrote: > > Hi Mikulas, > > On Tue, Sep 24, 2024 at 6:18 AM Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote: > > > > Maxim Suhanov reported that dm-verity doesn't crash if an I/O error > > happens. In theory, this could be used to subvert security, because an > > attacker can create sectors that return error with the Write Uncorrectable > > command. Some programs may misbehave if they have to deal with EIO. > > I seem to recall that this was intentional. We used to restart/panic > on I/O errors with FEC enabled, but the behavior was changed in commit > 2c0468e054c0 ("dm verity: skip redundant verity_handle_err() on I/O > errors"). Akilesh, do you remember what exactly was the issue here? > I looked at the history and the original intent and the idea stems from this patch: https://lore.kernel.org/dm-devel/b004e7c7-f795-77ed-19b9-983785780e92@xxxxxxxxx/T/#mec4df1ba3f3cb63846875fb2bfc1f8b3100f31f1 I think the EIO should be propagated back up the stack; I think this will trigger panic even for genuine I/O errors. > > This commit fixes dm-verity, so that if "panic_on_corruption" or > > "restart_on_corruption" was specified and an I/O error happens, the > > machine will panic or restart. > > > > This commit also changes kernel_restart to emergency_restart - > > kernel_restart calls reboot notifiers and these reboot notifiers may wait > > for the bio that failed. emergency_restart doesn't call the notifiers. > > > > Reported-by: Maxim Suhanov <dfirblog@xxxxxxxxx> > > Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx> > > Cc: stable@xxxxxxxxxxxxxxx > > > > --- > > drivers/md/dm-verity-target.c | 15 ++++++++++++++- > > 1 file changed, 14 insertions(+), 1 deletion(-) > > > > Index: linux-2.6/drivers/md/dm-verity-target.c > > =================================================================== > > --- linux-2.6.orig/drivers/md/dm-verity-target.c 2024-09-23 17:48:08.000000000 +0200 > > +++ linux-2.6/drivers/md/dm-verity-target.c 2024-09-24 11:34:08.000000000 +0200 > > @@ -273,7 +273,7 @@ out: > > return 0; > > > > if (v->mode == DM_VERITY_MODE_RESTART) > > - kernel_restart("dm-verity device corrupted"); > > + emergency_restart(); > > Can we still log the reason for the restart? I remember some folks > used to rely on the "dm-verity device corrupted" message in the kernel > log. > > Sami