On Wed, Apr 15, 2026 at 10:12:54AM -0700, Joanne Koong wrote: > On Wed, Apr 15, 2026 at 8:32 AM Gregory Price <[email protected]> wrote: > > > > My initial take is that it's a real concern a "bug" in a BPF program > > could let userland map arbitrary memory into userland page tables, and > > such an extension would not be a quick fix to the FAMFS problem. > > If you're concerned about arbitrary addresses in the bpf path, you > should be equally concerned about the FUSE_GET_FMAP path that's in > this series, because they're functionally identical. The kernel trusts > userspace-provided addresses in both cases. If that's acceptable for > this series then it's acceptable for bpf too. You can't reject bpf on > security grounds without also rejecting the current approach. >
To be clear, i'm not rejecting it. I'm saying (!) that's something that needs a careful look. It's a novel interaction and a new ops structure. I don't think it's in any way unfair to point out there will (and should) be questions outside the scope of FAMFS. > Please take a look at the famfs bpf program [1] and compare that to > the logic in patch 6 in this series [2]. In both cases, iomap->addr > gets set to the address that was earlier specified by the userspace > famfs server. In the non-bpf path, the userspace server passes this > address through a FUSE_GET_FMAP request. In the bpf path, the > userspace server passes this address by updating the bpf hashmap from > userspace. There is no functional difference. Also btw, this is one of > the cases that I was referring to about the bpf path being more > helpful - in the bpf path, we avoid having to add a FUSE_FMAP opcode > to fuse (which will be used by no other server) and famfs gets to skip > 2 extra context-switches that the FUSE_FMAP path otherwise entails. > The question isn't about the functional differences between the FAMFS static code or a BPF blob doing the same thing - the question is what the new ops structure introduces for the general case that wasn't there before. We have to reason about the BPF extension separately from the context of FAMFS - as it's a general interface now (forever :P). ~Gregory
