On Wed, Apr 15, 2020 at 11:55:25AM -0400, Theodore Y. Ts'o wrote: > On Wed, Apr 15, 2020 at 02:00:02PM +0200, Jan Kara wrote: > > On Mon 13-04-20 21:00:24, ira.weiny@xxxxxxxxx wrote: > > > From: Ira Weiny <ira.weiny@xxxxxxxxx> > > > > > > Verity and DAX are incompatible. Changing the DAX mode due to a verity > > > flag change is wrong without a corresponding address_space_operations > > > update. > > > > > > Make the 2 options mutually exclusive by returning an error if DAX was > > > set first. > > > > > > (Setting DAX is already disabled if Verity is set first.) > > > > > > Signed-off-by: Ira Weiny <ira.weiny@xxxxxxxxx> > > > --- > > > fs/ext4/verity.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c > > > index dc5ec724d889..ce3f9a198d3b 100644 > > > --- a/fs/ext4/verity.c > > > +++ b/fs/ext4/verity.c > > > @@ -113,6 +113,9 @@ static int ext4_begin_enable_verity(struct file *filp) > > > handle_t *handle; > > > int err; > > > > > > + if (WARN_ON_ONCE(IS_DAX(inode))) > > > + return -EINVAL; > > > + > > > > Hum, one question, is there a reason for WARN_ON_ONCE()? If I understand > > correctly, user could normally trigger this, couldn't he? > > Tes, the WARN_ON_ONCE isn't appropriate here. We should also disallow > setting the DAX flag if the inode has the verity flag set already. This is taken care of and is part of ext4_enable_dax() after this series. > > And if we need to decide what to if the file system is mounted with > "-o dax=always" and the verity file system feature is enabled. We > could either (a) reject the mount with if the mount option is given > and the file system can have verity files, or (b) make "-o dax=always" > mean "-o dax=mostly_always" and treat verity files as not using dax > even when dax=always is selected. The later is implemented in this series... Not the most explicit thing. :-( > > Also, in theory, we *could* support dax and verity files, but > verifying the crypto checksums of all of the pages when the file is > first accessed, and then marking that in a flag in the in-inode flag. > Or we could have a per-page flag stored somewhere that indicates that > the page has been verified, so that we can on-demand verify the > integrity of the page. Given that verity files are read-only, the > main reason why someone might want to use dax && verity would be to > reduce page cache overhead of system files; if executing out of dax > pages doesn't have significant performance impacts, this might be > something which might be a nice-to-have. I don't think we need to > worry about this for now; if there are use cases where mobile devices > want to use dax && verity, we can let them figure out how to make it > work. I'm just pointing out that it's not really a completely insane > combination. Fair enough. The main issue I need to correct here is to keep the 2 mutually exclusive. Which AFAICT is not true today. This makes it so even without the per-file enablement. Ira > > Cheers, > > - Ted
