Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp1800007rdg;
        Sat, 12 Aug 2023 18:05:21 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHZj2NkHBwkEyV1t5ISZ6lTsiVCyfNt2TwYUIw8VJrEw8FyZubEK+5wZJd7jxp0pZgqpHCv
X-Received: by 2002:a17:907:7716:b0:99c:5623:a2f1 with SMTP id kw22-20020a170907771600b0099c5623a2f1mr4091239ejc.48.1691888720871;
        Sat, 12 Aug 2023 18:05:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1691888720; cv=none;
        d=google.com; s=arc-20160816;
        b=JTEuNQbuHl7okpwOn0phsW3t8N6UTSf5Ndiz+yk2OtIhlTNJjKy8Po6YXugQ8WAGS9
         dy3A+UocUIMNuT6DqguZMgqb/Syf3g7uibKZYWx6kPns1rAbWL8fC6V09FdZhzQsSQeS
         myrVkuJ2tPmk6zRQ5ZS6UUhXVXBMUCypiAcWrkL0TuIoExmfydWGjwO29mdfGtfRvBE1
         KKycBAmz0aifIyWQSaP75hIK5faGLDuSdAOhoVZTo9LWAphEszMCRvhBeCO7GNCH+w1a
         tBB8Vr2cHpI/hh0a1BYjooI17gUjaQOgUltufjryKnm5KRZBS8+c4gYlZA0IPiXidZHe
         4spA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=/tHGhZWgZXSIv9bxvdxO7eexOAlVlRct1eDYgp0VEp8=;
        fh=tf4NABHIIYb7xNe0Qu7rXeVjLGxtM8UiWyXEfLovdz0=;
        b=j3U4WY4CGx8DykO77PFPL1v2cMm1h2x6INI7VrZ4lsYwWIUgi6Tw6BXQ3JW9ARFyxD
         V9FSO2FRl2TS1PyYhzyXe9TQ5wAL/it9C1LZ2385L81KbYjlOkgmPTvxCmYjrHenC5VB
         yvJJ2wQaLR1adwm8imjE6moj9aFYpDfZpXzSimHXB4aSdU5ypxnO2DPqeCMU0Y59oUUE
         S5GXh6dOfo+M/LzoEDgfTtjYUUhYqkIsaz4iXxZ1SmQ+BiUfjky8IwWw5L2qQ+E9Pix6
         CuL7v+8E7WCriJIYpJQKt0D0p88KC3+6j0GFw0E8pCWjqCEeM2owHnuEW5wo2nv651RH
         cRxQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dStYOOzt;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-ext4-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id ss13-20020a170907038d00b009930d4e327dsi5934498ejb.880.2023.08.12.18.04.57;
        Sat, 12 Aug 2023 18:05:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dStYOOzt;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229562AbjHMAMF (ORCPT <rfc822;jacky.szu.edu.cn@gmail.com>
        + 99 others); Sat, 12 Aug 2023 20:12:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49374 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229461AbjHMAMF (ORCPT
        <rfc822;linux-ext4@vger.kernel.org>); Sat, 12 Aug 2023 20:12:05 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FA861BF;
        Sat, 12 Aug 2023 17:12:05 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 6468760C0D;
        Sun, 13 Aug 2023 00:12:05 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 77D50C433C8;
        Sun, 13 Aug 2023 00:12:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1691885524;
        bh=bwqubNE/BEVz53GnFxj6+8ZGHKYg4LZCw5dTVbguT4U=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=dStYOOztzsFwc0Qxjkol+hoJsqrvN/bQsOHfhIXkdK9duUiOYzqcqT0zIJZNxpdnh
         D2Ph2T6XFQWMqLw4+FVLn7NN/sgwRslI2716muY8y/1bb8oytaHU7zvKY4zsCDRUpC
         XoAXgxaCgDMeBw2NOpbLB/jd6mKiQfFK5uXhuaatW8B6F7uos14KklFd7D49b8e39J
         VGnJ18n685UlW0I1M0RwOe7aYF6T+AcTQYFdc/k0DmXyZp0UMFZxEiO9FZ2CcDRx0h
         FgPwOW0w1/J7WqcfSVISdbRbGNnnC+couVhqrr2zt4qF1by1eQA9oWwgoYUGVYK31x
         0mZOdTAWbYf5Q==
Date:   Sat, 12 Aug 2023 17:12:02 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Theodore Ts'o <tytso@mit.edu>
Cc:     Gabriel Krisman Bertazi <krisman@suse.de>, viro@zeniv.linux.org.uk,
        brauner@kernel.org, jaegeuk@kernel.org,
        linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
        linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [PATCH v5 01/10] fs: Expose helper to check if a directory needs
 casefolding
Message-ID: <20230813001202.GE41642@sol.localdomain>
References: <20230812004146.30980-1-krisman@suse.de>
 <20230812004146.30980-2-krisman@suse.de>
 <20230812015915.GA971@sol.localdomain>
 <20230812230647.GB2247938@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230812230647.GB2247938@mit.edu>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

On Sat, Aug 12, 2023 at 07:06:47PM -0400, Theodore Ts'o wrote:
> On Fri, Aug 11, 2023 at 06:59:15PM -0700, Eric Biggers wrote:
> > 
> > To be honest I've always been confused about why the ->s_encoding check is
> > there.  It looks like Ted added it in 6456ca6520ab ("ext4: fix kernel oops
> > caused by spurious casefold flag") to address a fuzzing report for a filesystem
> > that had a casefolded directory but didn't have the casefold feature flag set.
> > It seems like an unnecessarily complex fix, though.  The filesystem should just
> > reject the inode earlier, in __ext4_iget().  And likewise for f2fs.  Then no
> > other code has to worry about this problem.
> 
> the casefold flag can get set *after* the inode has been fetched, but before
> you try to use it.  This can happen because syzbot has opened the block device
> for writing, and edits the superblock while it is mounted.

I don't see how that is relevant here.

I think the actual problem you're hinting at is that checking the casefold
feature after the filesystem has been mounted is not guaranteed to work
properly, as ->s_encoding will be NULL if the casefold feature was not present
at mount time.  If we'd like to be robust in the event of the casefold feature
being concurrently enabled by a write to the block device, then all we need to
do is avoid checking the casefold feature after mount time, and instead check
->s_encoding.  I believe __ext4_iget() is still the only place it's needed.

> One could say that this is an insane threat model, but the syzbot team
> thinks that this can be used to break out of a kernel lockdown after a
> UEFI secure boot.  Which is fine, except I don't think I've been able
> to get any company (including Google) to pay for headcount to fix
> problems like this, and the unremitting stream of these sorts of
> syzbot reports have already caused one major file system developer to
> burn out and step down.
> 
> So problems like this get fixed on my own time, and when I have some
> free time.  And if we "simplify" the code, it will inevitably cause
> more syzbot reports, which I will then have to ignore, and the syzbot
> team will write more "kernel security disaster" slide deck
> presentations to senior VP's, although I'll note this has never
> resulted in my getting any additional SWE's to help me fix the
> problem...
> 
> > So just __ext4_iget() needs to be fixed.  I think we should consider doing that
> > before further entrenching all the extra ->s_encoding checks.
> 
> If we can get an upstream kernel consensus that syzbot reports caused
> by writing to a mounted file system aren't important, and we can
> publish this somewhere where hopefully the syzbot team will pay
> attention to it, sure...

But, more generally, I think it's clear that concurrent writes to the block
device's page cache is not something that filesystems can be robust against.  I
think this needs to be solved by providing an option to forbid this, as Jan
Kara's patchset "block: Add config option to not allow writing to mounted
devices" does, and then transitioning legacy use cases to new APIs.

Yes, "transitioning legacy use cases" will be a lot of work.  And if The Linux
Filesystem Maintainers(TM) do not have time for it, that's the way it is.
Someone who cares about it (such as someone who actually cares about the
potential impact on the Lockdown feature) will need to come along and do it.

But I think that should be the plan, and The Linux Filesystem Maintainers(TM) do
not need to try to play whack-a-mole with "fixing" filesystem code to be
consistently revalidating already-validated cached metadata.

- Eric