On 2026/1/22 23:34, Hongbo Li wrote:
Whether in the existing fscache use case or the upcoming page
cache sharing case, the `domain_id` should be protected as
sensitive information, so we use the safer helpers to allocate,
free and display domain_id.
Signed-off-by: Hongbo Li <[email protected]>
---
Documentation/filesystems/erofs.rst | 5 +++--
fs/erofs/fscache.c | 6 +++---
fs/erofs/super.c | 8 ++++----
3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/Documentation/filesystems/erofs.rst
b/Documentation/filesystems/erofs.rst
index 08194f194b94..40dbf3b6a35f 100644
--- a/Documentation/filesystems/erofs.rst
+++ b/Documentation/filesystems/erofs.rst
@@ -126,8 +126,9 @@ dax={always,never} Use direct access (no page cache).
See
dax A legacy option which is an alias for ``dax=always``.
device=%s Specify a path to an extra device to be used together.
fsid=%s Specify a filesystem image ID for Fscache back-end.
-domain_id=%s Specify a domain ID in fscache mode so that different
images
- with the same blobs under a given domain ID can share
storage.
+domain_id=%s Specify a trusted domain ID for fscache mode so that
+ different images with the same blobs, identified by
blob IDs,
+ can share storage within the same trusted domain.
fsoffset=%llu Specify block-aligned filesystem offset for the
primary device.
===================
=========================================================
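Review bot: the rewritten domain_id= entry still does not tell the administrator that the value is handled as sensitive, which is the stated point of the patch (scrubbed on free, displayed via the safer helper); add a clause such as "the domain ID is treated as a secret and is scrubbed from memory when the filesystem is torn down" so the documented behaviour matches the code. The new "identified by blob IDs" qualifier is also the first mention of blob IDs in this table; either define the term or drop it.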
diff --git a/fs/erofs/fscache.c b/fs/erofs/fscache.c
index f4937b025038..cd7847fd2670 100644
--- a/fs/erofs/fscache.c
+++ b/fs/erofs/fscache.c
@@ -379,7 +379,7 @@ static void erofs_fscache_domain_put(struct erofs_domain
*domain)
}
fscache_relinquish_volume(domain->volume, NULL, false);
mutex_unlock(&erofs_domain_list_lock);
- kfree(domain->domain_id);
+ kfree_sensitive(domain->domain_id);
kfree(domain);
return;
}
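Review bot: kfree_sensitive() here scrubs only the copy of the domain ID that erofs owns; the `name` buffer built from it in erofs_fscache_register_volume() (next hunk) is a second copy, and whatever fscache retains for the volume relinquished just above is outside this patch, so the commit message should say that it covers erofs's own allocations rather than every in-memory copy of the string.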
@@ -407,7 +407,7 @@ static int erofs_fscache_register_volume(struct super_block
*sb)
}
sbi->volume = volume;
- kfree(name);
+ domain_id ? kfree_sensitive(name) : kfree(name);
I really don't want to touch fscache anymore, and this line
should just use if else instead, but I can live with that.
return ret;
}
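Review bot: `domain_id ? kfree_sensitive(name) : kfree(name);` uses a conditional expression purely for its side effect, which kernel coding style discourages; since kfree_sensitive() is a drop-in for kfree() on any buffer, the simplest fix is to free `name` with `kfree_sensitive(name);` unconditionally, which also removes the need to know at this point whether the name was derived from domain_id or from fsid. If the distinction is intentional, write it as an if/else as already requested.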
@@ -446,7 +446,7 @@ static int erofs_fscache_init_domain(struct super_block *sb)
sbi->domain = domain;
return 0;
out:
- kfree(domain->domain_id);
+ kfree_sensitive(domain->domain_id);
kfree(domain);
return err;
}
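Review bot: the `out:` path now matches erofs_fscache_domain_put(), which is good; double-check that every `goto out` in erofs_fscache_init_domain() is reached with `domain->domain_id` either assigned or NULL, since kfree_sensitive(), like kfree(), accepts NULL but not an uninitialised pointer. The struct itself can stay on plain kfree(): it holds only the pointer, not the string.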
diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index dca1445f6c92..6fbe9220303a 100644
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -525,8 +525,8 @@ static int erofs_fc_parse_param(struct fs_context *fc,
return -ENOMEM;
break;
case Opt_domain_id:
- kfree(sbi->domain_id);
- sbi->domain_id = kstrdup(param->string, GFP_KERNEL);
+ kfree_sensitive(sbi->domain_id);
+ sbi->domain_id = no_free_ptr(param->string);
if (!sbi->domain_id)
return -ENOMEM;
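Review bot: `sbi->domain_id = no_free_ptr(param->string);` changes ownership semantics, not just the free helper: it takes over the parser's buffer instead of duplicating it with kstrdup(), so the secret no longer exists in a second buffer that the fs_context code would release with plain kfree(); that rationale belongs in the commit message, which currently only mentions the safer helpers. Also, the diffstat lists 4 insertions and 4 deletions for fs/erofs/super.c but only this 2/2 hunk is shown, so please make sure the remaining super.c hunk switches the place where sbi->domain_id is released on unmount or context teardown to kfree_sensitive() as well, otherwise the scrubbing done in fscache.c is undone there.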
I don't think
```
if (!sbi->domain_id)
return -ENOMEM;
```
is needed anymore if no_free_ptr is used.
Otherwise it looks good to me:
Reviewed-by: Gao Xiang <[email protected]>
Thanks,
Gao Xiang