From: Amir Goldstein <amir73il@gmail.com>
To: Colin Walters <walters@verbum.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Eric Biggers <ebiggers@google.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: overlayfs: verity validation broken since f77f281b6118
Date: Sat, 2 May 2026 11:23:44 +0200 [thread overview]
Message-ID: <afXCoGk2Bu9rBKvJ@amir-ThinkPad-T480> (raw)
In-Reply-To: <bf0ba588-002b-4860-848e-e806b193840a@app.fastmail.com>
On Fri, May 01, 2026 at 01:14:54PM -0400, Colin Walters wrote:
> Hi Christoph & Eric,
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f77f281b6118 broke composefs's usage of overlayfs verity=require, this was reported originally in https://github.com/bootc-dev/bootc/issues/2174
>
> There's some output from an agent run I had in the <details> there, but here's an xfstests patch that passes on without that commit and fails with it.
>
> From 14231122bfd1e41337e4fb847acbbe038457c32a Mon Sep 17 00:00:00 2001
> From: Colin Walters <walters@verbum.org>
> Date: Fri, 1 May 2026 09:45:58 -0400
> Subject: [PATCH] overlay/118: test fsverity lazy load through metacopy overlay
>
> Reproduces the regression reported at:
> https://github.com/bootc-dev/bootc/issues/2174
>
> A recent change in how fsverity state was cached in memory
> I think caused inodes not in cache to appear to have
> missing verity=require for overlayfs.
>
> This test catches that.
>
> Generated-by: OpenCode (Claude Sonnet 4.5)
> Signed-off-by: Colin Walters <walters@verbum.org>
> ---
> tests/overlay/118 | 62 +++++++++++++++++++++++++++++++++++++++++++
> tests/overlay/118.out | 1 +
Please use free test numbers below 100
Is there a kernel fix for this? please mention it.
Thanks,
Amir.
> 2 files changed, 63 insertions(+)
> create mode 100755 tests/overlay/118
> create mode 100644 tests/overlay/118.out
>
> diff --git a/tests/overlay/118 b/tests/overlay/118
> new file mode 100755
> index 00000000..ca21e076
> --- /dev/null
> +++ b/tests/overlay/118
> @@ -0,0 +1,62 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (C) 2026 Red Hat, Inc. All Rights Reserved.
> +#
> +# FS QA Test No. 118
> +#
> +# Regression test for the overlayfs lazy fsverity load path.
> +#
> +# See also overlay/080 which builds a metacopy midlayer over a
> +# verity-enabled data lower layer (the composefs architecture).
> +#
> +. ./common/preamble
> +_begin_fstest auto quick metacopy redirect verity
> +
> +# Import common functions.
> +. ./common/filter
> +. ./common/verity
> +
> +# We use non-default scratch underlying overlay dirs, we need to check
> +# them explicitly after the test.
> +_require_scratch_nocheck
> +_require_scratch_overlay_features redirect_dir metacopy
> +_require_scratch_overlay_verity
> +
> +# remove all files from previous tests
> +_scratch_mkfs
> +
> +testfile="verityfile"
> +lowerdir=$OVL_BASE_SCRATCH_MNT/lower
> +midlayer=$OVL_BASE_SCRATCH_MNT/midlayer
> +upperdir=$OVL_BASE_SCRATCH_MNT/upper
> +workdir=$OVL_BASE_SCRATCH_MNT/workdir
> +workdir2=$OVL_BASE_SCRATCH_MNT/workdir2
> +
> +mkdir -p $lowerdir $midlayer $upperdir $workdir $workdir2
> +
> +# Create a verity-enabled file on the lower (data) layer.
> +echo -n "overlay verity lazy load test" > $lowerdir/$testfile
> +chmod 600 $lowerdir/$testfile
> +_fsv_enable $lowerdir/$testfile >> $seqres.full 2>&1 \
> + || _fail "failed to enable fsverity on $lowerdir/$testfile"
> +
> +# This is the same structure composefs creates at install time.
> +_overlay_scratch_mount_dirs $lowerdir $midlayer $workdir2 \
> + -o redirect_dir=on,index=on,metacopy=on,verity=on
> +chmod 400 $SCRATCH_MNT/$testfile
> +$UMOUNT_PROG $SCRATCH_MNT
> +
> +# Drop all caches to reproduce the bug.
> +echo 3 > /proc/sys/vm/drop_caches
> +
> +# Remount and verify we can read.
> +_overlay_scratch_mount_dirs "$midlayer:$lowerdir" $upperdir $workdir \
> + -o redirect_dir=on,index=on,metacopy=on,verity=require
> +cat $SCRATCH_MNT/$testfile > /dev/null 2>>$seqres.full \
> + || echo "verity file read failed through overlay (regression)"
> +
> +$UMOUNT_PROG $SCRATCH_MNT
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/overlay/118.out b/tests/overlay/118.out
> new file mode 100644
> index 00000000..881d8dcd
> --- /dev/null
> +++ b/tests/overlay/118.out
> @@ -0,0 +1 @@
> +QA output created by 118
> --
> 2.52.0
>
>
next prev parent reply other threads:[~2026-05-02 9:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 17:14 overlayfs: verity validation broken since f77f281b6118 Colin Walters
2026-05-01 18:07 ` Eric Biggers
2026-05-05 18:07 ` Andrey Albershteyn
2026-05-05 20:19 ` Colin Walters
2026-05-02 9:23 ` Amir Goldstein [this message]
2026-05-05 16:51 ` Colin Walters
2026-05-05 17:18 ` Eric Biggers
2026-05-05 18:44 ` Colin Walters
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afXCoGk2Bu9rBKvJ@amir-ThinkPad-T480 \
--to=amir73il@gmail.com \
--cc=ebiggers@google.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox