From: Gao Xiang <hsiangkao@linux.alibaba.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-erofs@lists.ozlabs.org, Chao Yu <chao@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
oliver.yang@linux.alibaba.com,
Carlos Llamas <cmllamas@google.com>,
Sandeep Dhavale <dhavale@google.com>,
Christian Brauner <brauner@kernel.org>,
linux-fsdevel@vger.kernel.org,
Tatsuyuki Ishi <ishitatsuyuki@google.com>
Subject: Re: [PATCH] erofs: use the opener's credential when verifing metadata accesses
Date: Fri, 8 May 2026 16:39:15 +0800 [thread overview]
Message-ID: <188c33e2-331f-4362-8475-b8cea7a8fe7d@linux.alibaba.com> (raw)
In-Reply-To: <CABqzrSOaCMPD_QrSq_y_6bXLC3ecm3FZsE_ACrdNbTHG8baMCw@mail.gmail.com>
Hi Christiph,
On 2026/5/8 16:24, Tatsuyuki Ishi wrote:
> On Fri, May 8, 2026 at 5:20 PM Christoph Hellwig <hch@infradead.org> wrote:
>
>> On Tue, May 05, 2026 at 11:56:15PM +0800, Gao Xiang wrote:
>>> Similar to commit 905eeb2b7c33 ("erofs: impersonate the opener's
>>> credentials when accessing backing file"), rw_verify_area() needs
>>> the same too.
>>
>> Two things here:
Let me use Tatsuyuki's reply to address your two comments.
>>
>> - rw_verify_area is a helper for use inside the VFS and file system
>> read/write method implementation. Erofs as a user of the VFS should
>> not use it at all.
Currently EROFS file-backed mount metadata is directly using underlay
fs page cache, which is mainly used for composefs, etc. to avoid
different EROFS instances have their own EROFS page cache for the
same underlay backing file and avoid unnecessary copies into them.
--- That is also what composefs once did in their codebase.
Since EROFS just read the underlayfs page cache and does _not_
touch anything inside the underlay page cache itself, so I guess
it's fine?
On the other hand, we talked a bit commit f2fed441c69b ("loop:
stop using vfs_iter_{read,write} for buffered I/O") in another
private thread related to fanotify, which lacks proper
rw_verify_area() as well, since it called into raw read/write
iter methods instead of using the previous vfs_iter_{read,write}.
>> - using the opener credentials when accessing the backing file seems
>> wrong. The entity accessing it is the file system, so it should
>> have system or mounter credentials, not that of someone causing
>> metadata / fs data access. And this applies to all access by
>> a file system backed by a backing file.
>>
>
> I think there's probably some confusion of terminology here. buf->file is
> opened with the mounter's credentials, so we are impersonating the mounter
> here. Perhaps the commit message could describe that more clearly. Same for
> the previous patches mentioned.
Here "opener" means the mounter as Tatsuyuki mentioned, I just
follows Tatsuyuki's term, but it just means mounter credentials
indeed.
Thanks,
Gao Xiang
>
next prev parent reply other threads:[~2026-05-08 8:39 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 15:56 [PATCH] erofs: use the opener's credential when verifing metadata accesses Gao Xiang
2026-05-05 20:15 ` Carlos Llamas
2026-05-07 4:28 ` [PATCH v2] erofs: use the opener's credential when verifying " Gao Xiang
2026-05-08 8:20 ` [PATCH] erofs: use the opener's credential when verifing " Christoph Hellwig
2026-05-08 8:25 ` Tatsuyuki Ishi
[not found] ` <CABqzrSOaCMPD_QrSq_y_6bXLC3ecm3FZsE_ACrdNbTHG8baMCw@mail.gmail.com>
2026-05-08 8:39 ` Gao Xiang [this message]
2026-05-08 8:51 ` Christoph Hellwig
2026-05-08 9:10 ` Gao Xiang
2026-05-11 6:18 ` Christoph Hellwig
2026-05-11 6:52 ` Gao Xiang
2026-05-11 13:51 ` Christian Brauner
2026-05-11 14:42 ` Gao Xiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=188c33e2-331f-4362-8475-b8cea7a8fe7d@linux.alibaba.com \
--to=hsiangkao@linux.alibaba.com \
--cc=brauner@kernel.org \
--cc=chao@kernel.org \
--cc=cmllamas@google.com \
--cc=dhavale@google.com \
--cc=hch@infradead.org \
--cc=ishitatsuyuki@google.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oliver.yang@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox