On Thu, Jul 24, 2025 at 04:21:47PM +0200, Mikulas Patocka wrote: > > > On Tue, 22 Jul 2025, Antoni Pokusinski wrote: > > > > If you get a KASAN warning when using "check=normal" or "check=strict", > > > report it and I will fix it; with "check=none" it is not supposed to work. > > > > > > Mikulas > > > > > > > I'm just wondering what should be the expected kernel behaviour in the situation where > > "check=none" and the "ea_offs", "acl_size_s", "ea_size_s" fields of fnode are corrupt? > > If we assume that in such case running into some undefined behavior (which is accessing > > an unknown memory area) is alright, then the code does not need any changes. > > But if we'd like to prevent it, then I think we should always check the extended > > attribute address regardless of the "check" parameter, as demonstrated > > in the patch. > > > > Kind regards, > > Antoni > > There is a trade-off between speed and resiliency. If the user wants > maximum speed and uses the filesystem only on trusted input, he can choose > "check=none". If the user wants less performance and uses the filesystem > on untrusted input, he can select "check=normal" (the default). If the > user is modifying the code and wants maximum safeguards, he should select > "check=strict" (that will degrade performance significantly, but it will > stop the filesystem as soon as possible if something goes wrong). > > I think there is no need to add some middle ground where "check=none" > would check some structures and won't check others. > > Mikulas > Thanks for the explanation. Yeah I think I agree with your point, I guess that the patch is not necessary then. Kind regards, Antoni
