Message-ID: <ccb32c576cc4ebf943d5ec35e3d7ba4ae8892acd.camel@kernel.org>
Date: Wed, 21 Jan 2026 06:56:22 -0500
From: Jeff Layton <jlayton@...nel.org>
To: NeilBrown <neil@...wn.name>
Cc: Christian Brauner <brauner@...nel.org>, Christoph Hellwig	
 <hch@...radead.org>, Amir Goldstein <amir73il@...il.com>, Alexander Viro	
 <viro@...iv.linux.org.uk>, Chuck Lever <chuck.lever@...cle.com>, Olga
 Kornievskaia <okorniev@...hat.com>, Dai Ngo <Dai.Ngo@...cle.com>, Tom
 Talpey <tom@...pey.com>, Hugh Dickins	 <hughd@...gle.com>, Baolin Wang
 <baolin.wang@...ux.alibaba.com>, Andrew Morton	
 <akpm@...ux-foundation.org>, Theodore Ts'o <tytso@....edu>, Andreas Dilger	
 <adilger.kernel@...ger.ca>, Jan Kara <jack@...e.com>, Gao Xiang
 <xiang@...nel.org>,  Chao Yu <chao@...nel.org>, Yue Hu
 <zbestahu@...il.com>, Jeffle Xu <jefflexu@...ux.alibaba.com>,  Sandeep
 Dhavale <dhavale@...gle.com>, Hongbo Li <lihongbo22@...wei.com>, Chunhai
 Guo <guochunhai@...o.com>,  Carlos Maiolino	 <cem@...nel.org>, Ilya Dryomov
 <idryomov@...il.com>, Alex Markuze	 <amarkuze@...hat.com>, Viacheslav
 Dubeyko <slava@...eyko.com>, Chris Mason	 <clm@...com>, David Sterba
 <dsterba@...e.com>, Luis de Bethencourt	 <luisbg@...nel.org>, Salah Triki
 <salah.triki@...il.com>, Phillip Lougher	 <phillip@...ashfs.org.uk>, Steve
 French <sfrench@...ba.org>, Paulo Alcantara	 <pc@...guebit.org>, Ronnie
 Sahlberg <ronniesahlberg@...il.com>, Shyam Prasad N	
 <sprasad@...rosoft.com>, Bharath SM <bharathsm@...rosoft.com>, Miklos
 Szeredi	 <miklos@...redi.hu>, Mike Marshall <hubcap@...ibond.com>, Martin
 Brandenburg	 <martin@...ibond.com>, Mark Fasheh <mark@...heh.com>, Joel
 Becker	 <jlbec@...lplan.org>, Joseph Qi <joseph.qi@...ux.alibaba.com>,
 Konstantin Komarov <almaz.alexandrovich@...agon-software.com>, Ryusuke
 Konishi <konishi.ryusuke@...il.com>,  Trond Myklebust <trondmy@...nel.org>,
 Anna Schumaker <anna@...nel.org>, Dave Kleikamp <shaggy@...nel.org>, David
 Woodhouse <dwmw2@...radead.org>, Richard Weinberger <richard@....at>, Jan
 Kara <jack@...e.cz>,  Andreas Gruenbacher	 <agruenba@...hat.com>, OGAWA
 Hirofumi <hirofumi@...l.parknet.co.jp>, Jaegeuk Kim <jaegeuk@...nel.org>,
 linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
 linux-ext4@...r.kernel.org, 	linux-erofs@...ts.ozlabs.org,
 linux-xfs@...r.kernel.org, 	ceph-devel@...r.kernel.org,
 linux-btrfs@...r.kernel.org, 	linux-cifs@...r.kernel.org,
 linux-unionfs@...r.kernel.org, 	devel@...ts.orangefs.org,
 ocfs2-devel@...ts.linux.dev, ntfs3@...ts.linux.dev, 
	linux-nilfs@...r.kernel.org, jfs-discussion@...ts.sourceforge.net, 
	linux-mtd@...ts.infradead.org, gfs2@...ts.linux.dev, 
	linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [PATCH 00/29] fs: require filesystems to explicitly opt-in to
 nfsd export support

On Wed, 2026-01-21 at 14:58 +1100, NeilBrown wrote:
> On Tue, 20 Jan 2026, Jeff Layton wrote:
> > On Tue, 2026-01-20 at 11:31 +0100, Christian Brauner wrote:
> > > On Tue, Jan 20, 2026 at 08:41:50PM +1100, NeilBrown wrote:
> > > > On Tue, 20 Jan 2026, Christian Brauner wrote:
> > > > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote:
> > > > > > On Mon, 19 Jan 2026, Christian Brauner wrote:
> > > > > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote:
> > > > > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote:
> > > > > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote:
> > > > > > > > > > > This was Chuck's suggested name. His point was that STABLE means that
> > > > > > > > > > > the FH's don't change during the lifetime of the file.
> > > > > > > > > > > 
> > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT
> > > > > > > > > > > better I'll roll with that.
> > > > > > > > > > 
> > > > > > > > > > I don't like PERSISTENT.
> > > > > > > > > > I'd rather call a spade a spade.
> > > > > > > > > > 
> > > > > > > > > >   EXPORT_OP_SUPPORTS_NFS_EXPORT
> > > > > > > > > > or
> > > > > > > > > >   EXPORT_OP_NOT_NFS_COMPATIBLE
> > > > > > > > > > 
> > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits.
> > > > > > > > > 
> > > > > > > > > No, it absolutely is not.  And the whole concept of calling something
> > > > > > > > > after the initial or main use is a recipe for a mess.
> > > > > > > > 
> > > > > > > > > We are calling it for its only use.  If there was ever another use, we
> > > > > > > > could change the name if that made sense.  It is not a public name, it
> > > > > > > > is easy to change.
> > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Pick a name that conveys what the flag is about, and document those
> > > > > > > > > semantics well.  This flag is about the fact that for a given file,
> > > > > > > > > as long as that file exists in the file system the handle is stable.
> > > > > > > > > Both stable and persistent are suitable for that, nfs is everything
> > > > > > > > > but.
> > > > > > > > 
> > > > > > > > My understanding is that kernfs would not get the flag.
> > > > > > > > > kernfs filehandles do not change as long as the file exists.
> > > > > > > > But this is not sufficient for the files to be usefully exported.
> > > > > > > > 
> > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the
> > > > > > > > file/object has been destroyed.  Maybe that is the real problem here:
> > > > > > > > filehandle reuse, not filehandle stability.
> > > > > > > > 
> > > > > > > > Jeff: could you please give details (and preserve them in future cover
> > > > > > > > letters) of which filesystems are known to have problems and what
> > > > > > > > exactly those problems are?
> > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Remember nfs also support volatile file handles, and other applications
> > > > > > > > > might rely on this (I know of quite a few user space applications that
> > > > > > > > > do, but they are kinda hardwired to xfs anyway).
> > > > > > > > 
> > > > > > > > The NFS protocol supports volatile file handles.  knfsd does not.
> > > > > > > > So maybe
> > > > > > > >   EXPORT_OP_NOT_NFSD_COMPATIBLE
> > > > > > > > might be better.  or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE.
> > > > > > > > (I prefer opt-out rather than opt-in because nfsd export was the
> > > > > > > > original purpose of export_operations, but it isn't something
> > > > > > > > I would fight for)
> > > > > > > 
> > > > > > > I prefer one of the variants you proposed here but I don't particularly
> > > > > > > care. It's not a hill worth dying on. So if Christoph insists on the
> > > > > > > other name then I say let's just go with it.
> > > > > > > 
> > > > > > 
> > > > > > This sounds like you are recommending that we give in to bullying.
> > > > > > I would rather the decision be made based on the facts of the case, not
> > > > > > the opinions that are stated most bluntly.
> > > > > > 
> > > > > > I actually think that what Christoph wants is actually quite different
> > > > > > from what Jeff wants, and maybe two flags are needed.  But I don't yet
> > > > > > have a clear understanding of what Christoph wants, so I cannot be sure.
> > > > > 
> > > > > I've tried to indirectly ask whether you would be willing to compromise
> > > > > here or whether you want to insist on your alternative name. Apparently
> > > > > that didn't come through.
> > > > 
> > > > This would be the "not a hill worthy dying on" part of your statement.
> > > > I think I see that implication now.
> > > > But no, I don't think compromise is relevant.  I think the problem
> > > > statement as originally given by Jeff is misleading, and people have
> > > > been misled to an incorrect name.
> > > > 
> > > > > 
> > > > > I'm unclear what your goal is in suggesting that I recommend "we" give
> > > > > into bullying. All it achieved was to further derail this thread.
> > > > > 
> > > > 
> > > > The "We" is the same as the "us" in "let's just go with it".
> > > > 
> > > > 
> > > > > I also think it's not very helpful at v6 of the discussion to start
> > > > > figuring out what the actual key rift between Jeff's and Christoph's
> > > > > position is. If you've figured it out and gotten an agreement and this
> > > > > is already in, send a follow-up series.
> > > > 
> > > > > v6?  v2 was posted today.  But maybe you are referring to some other
> > > > precursors.
> > > > 
> > > > The introductory statement in v2 is
> > > > 
> > > >    This patchset adds a flag that indicates whether the filesystem supports
> > > >    stable filehandles (i.e. that they don't change over the life of the
> > > >    file). It then makes any filesystem that doesn't set that flag
> > > >    ineligible for nfsd export.
> > > > 
> > > > Nobody else questioned the validity of that.  I do.
> > > > No evidence was given that there are *any* filesystems that don't
> > > > support stable filehandles.  The only filesystem mentioned is cgroups
> > > > and it DOES provide stable filehandles.
> > > 
> > 
> > Across reboot? Not really.
> 
> Across reboot all the files are deleted and then new ones are created.
> So there is nothing that needs to be stable.
> 
> > 
> > It's quite possible that we may end up with the same "id" numbers in
> > cgroupfs on a new incarnation of the filesystem after a reboot. The
> > files in there are not the same ones as the ones before, but their
> > filehandles may match because kernfs doesn't factor in an i_generation
> > number.
> 
> > That is about filehandle re-use, not about filehandle stability.
> 
> > 
> > Could we fix it by adding a random i_generation value or something?
> > Possibly, but there really isn't a good use-case that I can see for
> > allowing cgroupfs to be exported via nfsd. Best to disallow it until
> > someone comes up with one.
> 
> 100% agree.
> 
> > 
> > > Oh yes we did. And this is a merry-go-round.
> > > 
> > > > It is very much fine for a filesystem to support file handles without
> > > wanting to support exporting via NFS. That is especially true for
> > > in-kernel pseudo filesystems.
> > > 
> > > As I've said before multiple times I want a way to allow filesystems
> > > such as pidfs and nsfs to use file handles without supporting export.
> > > Whatever that fscking flag is called at this point I fundamentally don't
> > > care. And we are reliving the same arguments over and over.
> > > 
> > > I will _hard NAK_ anything that starts mandating that export of
> > > filesystems must be allowed simply because their file handles fit export
> > > criteria. I do not care whether pidfs or nsfs file handles fit the bill.
> > > They will not be exported.
> > 
> > I don't really care what we call the flag. I do care a little about
> > what its semantics are, but the effect should be to ensure that fs
> > maintainers make a conscious decision about whether nfsd export should
> > be allowed on the filesystem. 
> 
> Why do you need a conscious decision so much that you want to try to
> > force it?

As I said before, filesystems are growing export_operations for other
reasons than nfs export. I simply want the fs maintainers to take a
conscious step to say "yes, this should be available via nfsd if it's
exported". Hopefully they'll also validate that it actually _works_
too.

> Of course we want conscious decisions and hope they are always made, but
> trying to manipulate people to doing things often fails.  How sure are
> you that fs developers won't just copy-paste some other implementation
> and not think about the implications of the flag?
>
> What is the down side?  What is the harm from allowing export (should the
> admin attempt it)?
> If there were serious security concerns - then sure, make it harder to
> do the dangerous thing.
> But if it is just "it doesn't make sense", then there is no harm in
> letting people get away with not reading the documentation, and fixing
> things later as complaints arrive.  That is generally how the process
> works.
> 

Some of the more exotic filesystems could end up causing kernel panics
or something if exported when they haven't been validated to actually
work with nfsd. That's mostly FUD though -- I don't have any examples.

> But if you really really want to set this new flag on almost every
> export_operations, can I ask that you please set it on EVERY export
> operations, then allow maintainers to remove it as they see fit.
> I think that approach would be much easier to review.
> 

We could probably do that, but I think the main ones that exclude it
are kernfs, pidfs and nsfs. ovl and fuse also have export ops in
certain modes that exclude NFS access, so the flag was left off of
those as well.

> With your current series it is non-trivial to determine which
> export_operations you have chosen not to set the flag on.  If you had
> one patch that set it everywhere, then individual patches to remove it,
> that would be a lot easier to review.

Noted. At this point I'm debating whether to pursue this further, or
just drop this for now until we can come to a better consensus. Maybe
we need a discussion about this at LSF?

-- 
Jeff Layton <jlayton@...nel.org>
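
The filehandle re-use case discussed in this message (a held handle matching a different file because no generation number is encoded in it), as an added example that is not part of the original email and is not kernel or kernfs code. It is a toy id table; `toy_node`, `toy_fh` and the `toy_*` functions are hypothetical names, and the generation is a simple counter rather than the random value the thread floats.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration; not kernel or kernfs code. */
#define NSLOTS 4
struct toy_node { uint32_t gen; int live; char name[16]; };
struct toy_fh   { uint64_t id; uint32_t gen; };  /* what a client holds */
static struct toy_node nodes[NSLOTS];
static uint32_t next_gen = 1;  /* counter keeps the demo deterministic */

/* Allocate the lowest free id, so ids of removed objects get handed out again. */
static struct toy_fh toy_create(const char *name)
{
    struct toy_fh fh = { 0, 0 };  /* id 0 is returned if the table is full */
    for (uint64_t i = 0; i < NSLOTS && fh.id == 0; i++) {
        if (nodes[i].live)
            continue;
        nodes[i].live = 1;
        fh.gen = nodes[i].gen = next_gen++;
        snprintf(nodes[i].name, sizeof(nodes[i].name), "%s", name);
        fh.id = i + 1;
    }
    return fh;
}

static void toy_remove(struct toy_fh fh)
{
    if (fh.id >= 1 && fh.id <= NSLOTS)
        nodes[fh.id - 1].live = 0;
}

/* check_gen == 0 models a handle that encodes only the id; NULL models ESTALE. */
static const char *toy_decode(struct toy_fh fh, int check_gen)
{
    if (fh.id < 1 || fh.id > NSLOTS || !nodes[fh.id - 1].live)
        return NULL;
    if (check_gen && nodes[fh.id - 1].gen != fh.gen)
        return NULL;
    return nodes[fh.id - 1].name;
}

int main(void)
{
    struct toy_fh old = toy_create("group-a");
    toy_remove(old);
    toy_create("group-b");  /* reuses the id that group-a had */
    printf("id-only=%s id+gen=%s\n", toy_decode(old, 0), toy_decode(old, 1) ? "ok" : "stale");
    return 0;
}
```

With the id-only check the old handle silently resolves to the new object; with the generation compared it is rejected as stale.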
