From: Dmitry Vyukov <dvyukov@google.com>
To: Dave Chinner <david@fromorbit.com>
Cc: "Darrick J. Wong" <djwong@kernel.org>, Jan Kara <jack@suse.cz>,
Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org,
Christoph Hellwig <hch@infradead.org>, Ted Tso <tytso@mit.edu>,
yebin <yebin@huaweicloud.com>,
linux-fsdevel@vger.kernel.org, Kees Cook <keescook@google.com>,
Alexander Popov <alex.popov@linux.com>,
syzkaller <syzkaller@googlegroups.com>,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH] block: Add config option to not allow writing to mounted devices
Date: Thu, 15 Jun 2023 11:14:53 +0200 [thread overview]
Message-ID: <CACT4Y+aqL_woqyGuxVGc-F2TEbk7i4OguiudDrA1cWpOi-n50Q@mail.gmail.com> (raw)
In-Reply-To: <ZIpPgC57bhb1cMNL@dread.disaster.area>
On Thu, 15 Jun 2023 at 01:38, Dave Chinner <david@fromorbit.com> wrote:
> > > > CONFIG_INSECURE description can say something along the lines of "this
> > > > kernel includes subsystems with known bugs that may cause security and
> > > > data integrity issues". When a subsystem adds "depends on INSECURE",
> > > > the commit should list some of the known issues.
> > > >
> > > > Then I see how trading disabling things on syzbot in exchange for
> > > > "depends on INSECURE" becomes reasonable and satisfies all parties to
> > > > some degree.
> > >
> > > Well in that case, post a patchset adding "depends on INSECURE" for
> > > every subsystem that syzbot files bugs against, if the maintainers do
> > > not immediately drop what they're doing to resolve the bug.
> >
> > Hi Darrick,
> >
> > Open unfixed bugs are fine (for some definition of fine).
> > What's discussed here is different. It's not having any filed bugs at
> > all due to not testing a thing and then not having any visibility into
> > the state of things.
>
> Just because syzbot doesn't test something, it does not mean the
> code is not tested, nor does it mean the developers who are
> responsible for the code have no visibility into the state of their
> code.
>
> The reason they want to avoid this sort of corruption injection
> testing in syzbot is that it *does not provide a net benefit* to
> anyone. The number (and value) of real bugs it might find are vastly
> outweighed by the cost of filtering out the many, many false
> positives the testing methodology raises.
>
> Keep in mind that syzbot does not provide useful unit and functional
> test coverage. We have to run tests suites like fstests to provide
> this sort of functionality and visibility into the *correct
> operation of the code*.
>
> However, alongside all the unit/functional tests in fstests, we also
> have non-deterministic stress and fuzzer tests that are similar in
> nature to syzbot. They often flush out weird integration level bugs
> before we even get to merging the code. These non-deterministic
> stress tests in fstests have found *hundreds* of bugs over the
> *couple of decades* we have been running them, and they also have a
> history of uncovering entire new classes of bugs we've had to
> address.
>
> At this point, syzbot is yet to do prove it is more than a one-trick
> pony - it typically only finds a single class of filesystem bug.
> That is, it only finds bugs that are related to undetected physical
> structure corruption of the filesystem that result in macro level
> failures (crash, warn, hang).
>
> Syzbot does nothing to ensure correct behaviour is occuring, that
> data integrity is maintained by the filesystem, that crash recovery
> after failures works correctly, etc. These things are *by far* the
> most important things we have to ensure during filesystem
> development.
>
> IOWs, the sorts of problems that syzbot finds in filesystems are way
> down the list of important things we need to validate. Yes,
> structural validation testing is something we should be
> running, and it's clear that is does get run (both from fstests and
> syzbot).
>
> Hence the claim that "because syzbot doesn't run we don't have
> visibility of code bugs" is naive, conceited, incredibly
> narcissistic and demonstratable false. It also indicates a very
> poor understanding of where syzbot actually fits into the overall
> engineering processes.
Hi Dave, Ted,
We are currently looking into options of how to satisfy all parties.
I am not saying that all of these bugs need to be fixed, nor that they
are more important than bugs in supported parts. And we are very much
interested in testing supported parts as well as we can do.
By CONFIG_INSECURE I just meant something similar to kernel taint
bits. A user is free to continue after any bad thing has happened/they
did, but some warranties are void. And if a kernel developer receives
a bug report on a tainted kernel, they will take it with a grain of
salt. So it's important to note the fact and inform about it.
Something similar here: bugs in deprecated parts do not need to be
fixed, and distros are still free to enable them, but this fact is
acknowledged by distros and made visible to users.
But we are looking into other options that won't require even CONFIG_INSECURE.
next prev parent reply other threads:[~2023-06-15 9:15 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 16:16 [PATCH] block: Add config option to not allow writing to mounted devices Jan Kara
2023-06-12 16:25 ` Jan Kara
2023-06-12 17:39 ` Bart Van Assche
2023-06-12 17:47 ` Theodore Ts'o
2023-06-12 18:52 ` Colin Walters
2023-06-13 11:34 ` Jan Kara
2023-06-14 1:55 ` Darrick J. Wong
2023-06-14 7:14 ` Christoph Hellwig
2023-06-14 7:05 ` Christian Brauner
2023-06-14 7:07 ` Christoph Hellwig
2023-06-14 7:10 ` Christoph Hellwig
2023-06-14 10:12 ` Jan Kara
2023-06-14 14:30 ` Christoph Hellwig
2023-06-14 14:46 ` Matthew Wilcox
2023-06-13 4:56 ` kernel test robot
2023-06-13 5:10 ` Christoph Hellwig
2023-06-13 6:09 ` Dmitry Vyukov
2023-06-14 7:17 ` Christoph Hellwig
2023-06-14 8:18 ` Christian Brauner
2023-06-14 10:36 ` Jan Kara
2023-06-14 12:48 ` Christian Brauner
2023-06-15 14:39 ` Jan Kara
2023-06-14 14:31 ` Christoph Hellwig
2023-06-13 20:56 ` Jan Kara
2023-06-14 7:20 ` Christoph Hellwig
2023-06-20 10:41 ` Jan Kara
2023-06-20 11:29 ` Christoph Hellwig
2023-06-14 7:35 ` Christian Brauner
2023-06-13 6:49 ` Dmitry Vyukov
2023-06-13 19:22 ` Theodore Ts'o
2023-06-14 0:26 ` Dave Chinner
2023-06-14 2:04 ` Darrick J. Wong
2023-06-14 2:57 ` Theodore Ts'o
2023-06-14 12:27 ` Dmitry Vyukov
2023-06-14 23:38 ` Dave Chinner
2023-06-15 9:14 ` Dmitry Vyukov [this message]
2023-06-18 23:35 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+aqL_woqyGuxVGc-F2TEbk7i4OguiudDrA1cWpOi-n50Q@mail.gmail.com \
--to=dvyukov@google.com \
--cc=alex.popov@linux.com \
--cc=axboe@kernel.dk \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=ebiggers@google.com \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=keescook@google.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=tytso@mit.edu \
--cc=yebin@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).