From: Gao Xiang <hsiangkao@linux.alibaba.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-erofs@lists.ozlabs.org, Chao Yu <chao@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
oliver.yang@linux.alibaba.com,
Carlos Llamas <cmllamas@google.com>,
Sandeep Dhavale <dhavale@google.com>,
Christian Brauner <brauner@kernel.org>,
linux-fsdevel@vger.kernel.org,
Tatsuyuki Ishi <ishitatsuyuki@google.com>,
Matthew Wilcox <willy@infradead.org>
Subject: Re: [PATCH] erofs: use the opener's credential when verifing metadata accesses
Date: Fri, 8 May 2026 17:10:21 +0800 [thread overview]
Message-ID: <50668994-b6cf-4288-9ee2-0264bad2b271@linux.alibaba.com> (raw)
In-Reply-To: <af2kDfHe0B3LnvVm@infradead.org>
On 2026/5/8 16:51, Christoph Hellwig wrote:
> On Fri, May 08, 2026 at 04:39:15PM +0800, Gao Xiang wrote:
>> Currently EROFS file-backed mount metadata is directly using underlay
>> fs page cache, which is mainly used for composefs, etc. to avoid
>> different EROFS instances have their own EROFS page cache for the
>> same underlay backing file and avoid unnecessary copies into them.
>> --- That is also what composefs once did in their codebase.
>>
>> Since EROFS just read the underlayfs page cache and does _not_
>> touch anything inside the underlay page cache itself, so I guess
>> it's fine?
>
> At the micro-level this does mean erofs needs to do the checks itself.
> OTOH it means this whole scheme is completely broken. The page cache
> is owned by the file system, so erofs can't simply poke into it.
The page cache is indeed owned by the underlay file system
instead, but erofs doesn't poke into it: it just needs some
temporary metadata read usage without extra allocated buffers.
On the one side, I hope if there could be some interface for
such temporary usage rather than just one vfs_iter_read model.
>
> Now for reads it mostly works on the most common disk-based file systems,
> but it does create lots of problem for slightly more complex ones like
> network/clustered or synthetic file systems. It also really breaks
Just out of curiousity, could you point out one specific path
so I can look into that.
> layering, so we need to fix it. Not sure what would be best, but I'd be
> tempted to have a cross-instance cache maintained by erofs and filled
> using in-kernel direct I/O. IFF the page policies work great for you
Direct I/O may be improper for many cases, since users will use
buffer I/Os to download the images from remotes just now, and
direct I/O just makes it worse (invalidate the cache, and reread
from disk) and double caching if underlay file is also read.
> that even could be a synthetic inode/mapping.
I expect the similar comments, if we really need to work out such
cross-instance cache, I'm fine to implement for Linux 7.2. It will
increase the complexity of the codebase and also it won't share the
cache with the underlay fs.
But could we just fix this issue first for previous linux versions?
>
>> On the other hand, we talked a bit commit f2fed441c69b ("loop:
>> stop using vfs_iter_{read,write} for buffered I/O") in another
>> private thread related to fanotify, which lacks proper
>> rw_verify_area() as well, since it called into raw read/write
>> iter methods instead of using the previous vfs_iter_{read,write}.
>
> Note that this does not add the bypass, just extends it to both I/O
> types. But yes, this breaks fanotify. We actually have quite a few
> raw ->read_iter/->write_iter calls, so this might need more structured
> treatment.
It also bypasses the security hooks I think.
Thanks,
Gao Xiang
next prev parent reply other threads:[~2026-05-08 9:10 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 15:56 [PATCH] erofs: use the opener's credential when verifing metadata accesses Gao Xiang
2026-05-05 20:15 ` Carlos Llamas
2026-05-07 4:28 ` [PATCH v2] erofs: use the opener's credential when verifying " Gao Xiang
2026-05-08 8:20 ` [PATCH] erofs: use the opener's credential when verifing " Christoph Hellwig
2026-05-08 8:25 ` Tatsuyuki Ishi
[not found] ` <CABqzrSOaCMPD_QrSq_y_6bXLC3ecm3FZsE_ACrdNbTHG8baMCw@mail.gmail.com>
2026-05-08 8:39 ` Gao Xiang
2026-05-08 8:51 ` Christoph Hellwig
2026-05-08 9:10 ` Gao Xiang [this message]
2026-05-11 6:18 ` Christoph Hellwig
2026-05-11 6:52 ` Gao Xiang
2026-05-11 13:51 ` Christian Brauner
2026-05-11 14:42 ` Gao Xiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50668994-b6cf-4288-9ee2-0264bad2b271@linux.alibaba.com \
--to=hsiangkao@linux.alibaba.com \
--cc=brauner@kernel.org \
--cc=chao@kernel.org \
--cc=cmllamas@google.com \
--cc=dhavale@google.com \
--cc=hch@infradead.org \
--cc=ishitatsuyuki@google.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oliver.yang@linux.alibaba.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox