hyperfile/sysctl: reject unregisterable sysctl paths (fixes aarch64 boot panic)#829
Merged
Auto-generated pseudofile models scrape binary strings and emit bogus
/proc/sys/* entries (e.g. /proc/sys/fs/binfmt_misc/WSLInteropos/signal).
Registering them is useless, and for filesystem-backed nodes such as
/proc/sys/fs/binfmt_misc it is fatal on older guest kernels: the kernel
fails to create the ctl_table and then panics in register_sysctl's
cleanup path (drop_sysctl_table -> rb_erase), killing init. This took
down aarch64 guests (4.10 kernel) ~5s into boot.
Skip such paths at the registration chokepoint: empty paths, paths with
empty components ("//"), and the binfmt_misc subtree (a mounted
filesystem, not a sysctl). The igloo driver enforces the same invariant
as a kernel-side backstop (rehosting/igloo_driver companion PR).
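The path checks the commit message above describes, as an added Python example that is not the project's code: `sysctl_rejection_reason` and the `SysctlRegistry` chokepoint are hypothetical stand-ins for the project's `Sysctl.register_sysctl`, and the `NON_SYSCTL_SUBTREES` tuple is an assumed place to hold the binfmt_misc rule; the three rejection rules (empty path, empty component, binfmt_misc subtree) are exactly the ones the PR names.

```python
import logging
from typing import Optional

log = logging.getLogger(__name__)

# Subtrees under /proc/sys that are mounted filesystems, not sysctl tables.
# binfmt_misc is the one named in the PR; the tuple is a hypothetical hook
# for any others a project might add.
NON_SYSCTL_SUBTREES = ("fs/binfmt_misc",)


def sysctl_rejection_reason(path: str) -> Optional[str]:
    """Return why `path` cannot be registered as a sysctl, or None if it can.

    `path` is the key relative to /proc/sys (e.g. "net/ipv4/ip_forward");
    an absolute "/proc/sys/..." form is also accepted and normalised.
    """
    if path.startswith("/proc/sys/"):
        path = path[len("/proc/sys/"):]
    if not path:
        return "empty path"
    # A leading, trailing or doubled '/' yields an empty component.
    if any(component == "" for component in path.split("/")):
        return "empty path component"
    for subtree in NON_SYSCTL_SUBTREES:
        if path == subtree or path.startswith(subtree + "/"):
            return f"{subtree} is a mounted filesystem, not a sysctl"
    return None


class SysctlRegistry:
    """Hypothetical registration chokepoint: log and skip, never queue."""

    def __init__(self) -> None:
        self.queued = []      # paths accepted for registration
        self.rejected = {}    # path -> reason it was skipped

    def register_sysctl(self, path: str) -> bool:
        reason = sysctl_rejection_reason(path)
        if reason is not None:
            log.warning("skipping unregisterable sysctl %r: %s", path, reason)
            self.rejected[path] = reason
            return False
        self.queued.append(path)
        return True
```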
0.0.78 includes the portal_sysctl create-guard (rehosting/igloo_driver#76), the kernel-side backstop for the bogus-sysctl boot panic this PR also guards against from the Python side.
Problem
Auto-generated pseudofile models scrape binary strings and emit bogus
/proc/sys/* entries that get registered as sysctls, e.g.:
Registering these is useless at best. At worst it is fatal: for filesystem-backed nodes such as
/proc/sys/fs/binfmt_misc, the guest kernel can't create a ctl_table there, and on older kernels (e.g. 4.10) the failed register_sysctl() panics in its cleanup path (drop_sysctl_table -> rb_erase), killing init. This reliably crashed aarch64 guests ~5s into boot.
Fix
Reject unregisterable sysctl paths at the registration chokepoint (Sysctl.register_sysctl), with a logged warning instead of queueing them:
- empty paths
- paths with empty components ("//")
- the fs/binfmt_misc subtree — it's a mounted filesystem, not a sysctl, so modeling it as one is always wrong.
Testing
Ran the GL.iNet Beryl AX (GL-MT3000, aarch64/4.10) firmware under Penguin:
Attempted to kill init!), 99-line console, no services.
Companion
rehosting/igloo_driver#76 hardens the kernel module so a doomed registration can never panic the guest (it refuses to create a sysctl under a non-existent parent directory on old kernels). This PR is the upstream half: don't emit the bogus models in the first place. Defense in depth — either alone prevents the panic.
Note: the deeper aarch64 fidelity issue (Penguin ships a 4.10 kernel for aarch64 while the firmware's own modules target 5.4) is separate and tracked elsewhere; this PR only addresses the sysctl-registration crash.