Re: [PATCH RFC 2/8] fs/ext4: Disallow verity if inode is DAX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Apr 15, 2020 at 11:55:25AM -0400, Theodore Y. Ts'o wrote:
> On Wed, Apr 15, 2020 at 02:00:02PM +0200, Jan Kara wrote:
> > On Mon 13-04-20 21:00:24, ira.weiny@xxxxxxxxx wrote:
> > > From: Ira Weiny <ira.weiny@xxxxxxxxx>
> > > 
> > > Verity and DAX are incompatible.  Changing the DAX mode due to a verity
> > > flag change is wrong without a corresponding address_space_operations
> > > update.
> > > 
> > > Make the 2 options mutually exclusive by returning an error if DAX was
> > > set first.
> > > 
> > > (Setting DAX is already disabled if Verity is set first.)
> > > 
> > > Signed-off-by: Ira Weiny <ira.weiny@xxxxxxxxx>
> > > ---
> > >  fs/ext4/verity.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c
> > > index dc5ec724d889..ce3f9a198d3b 100644
> > > --- a/fs/ext4/verity.c
> > > +++ b/fs/ext4/verity.c
> > > @@ -113,6 +113,9 @@ static int ext4_begin_enable_verity(struct file *filp)
> > >  	handle_t *handle;
> > >  	int err;
> > >  
> > > +	if (WARN_ON_ONCE(IS_DAX(inode)))
> > > +		return -EINVAL;
> > > +
> > 
> > Hum, one question, is there a reason for WARN_ON_ONCE()? If I understand
> > correctly, user could normally trigger this, couldn't he?
> 
> Tes, the WARN_ON_ONCE isn't appropriate here.  We should also disallow
> setting the DAX flag if the inode has the verity flag set already.

This is taken care of and is part of ext4_enable_dax() after this series.

> 
> And if we need to decide what to if the file system is mounted with
> "-o dax=always" and the verity file system feature is enabled.  We
> could either (a) reject the mount with if the mount option is given
> and the file system can have verity files, or (b) make "-o dax=always"
> mean "-o dax=mostly_always" and treat verity files as not using dax
> even when dax=always is selected.

The later is implemented in this series...  Not the most explicit thing.  :-(

> 
> Also, in theory, we *could* support dax and verity files, but
> verifying the crypto checksums of all of the pages when the file is
> first accessed, and then marking that in a flag in the in-inode flag.
> Or we could have a per-page flag stored somewhere that indicates that
> the page has been verified, so that we can on-demand verify the
> integrity of the page.  Given that verity files are read-only, the
> main reason why someone might want to use dax && verity would be to
> reduce page cache overhead of system files; if executing out of dax
> pages doesn't have significant performance impacts, this might be
> something which might be a nice-to-have.  I don't think we need to
> worry about this for now; if there are use cases where mobile devices
> want to use dax && verity, we can let them figure out how to make it
> work.  I'm just pointing out that it's not really a completely insane
> combination.

Fair enough.  The main issue I need to correct here is to keep the 2 mutually
exclusive.  Which AFAICT is not true today.  This makes it so even without the
per-file enablement.

Ira

> 
> Cheers,
> 
> 						- Ted



[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux