On-disk format robustness requirements for new filesystems

The "Extendable Read-Only File System" (or "EROFS") was first posted by Gao Xiang in May 2018; it was merged into the staging tree for the 4.19 release. There has been a steady stream of work on EROFS since then, and its author now thinks that it is ready to move out of staging and join the other official filesystems in the kernel. It would seem, though, that there is one final hurdle that it may have to clear: robustness in the face of a corrupted on-disk filesystem image. That raises an interesting question: to what extent do new filesystems have to exhibit a level of robustness that is not met by the filesystems that are currently in heavy use?

As suggested by its name (and its acronym), EROFS is a read-only filesystem. It was developed at Huawei, and is intended for use in Android systems. EROFS is meant to differ from existing read-only filesystems in the area of performance; it uses a special compression algorithm that creates fixed-length blocks that, it is claimed, allows random access to compressed data with a minimum of excess I/O and decompression work. Details can be found in this USENIX paper [PDF] published in July.

Gao has made several requests in recent times to move EROFS out of the staging tree; the latest was posted on August 17. It read:

(EMUI is Huawei's version of Android.)

It would seem that there is little opposition to this move in general. As part of reviewing the code, though, Richard Weinberger noticed that the code generally trusts the data it reads from disks, often failing to check it for reasonableness. He quickly found a way to create a malformed filesystem that would put the kernel into an infinite loop, creating a system that is a bit more read-only than anybody had in mind. The problem was fixed just as quickly, but not before starting a discussion on whether robustness against hostile filesystem images should be a requirement for new filesystems entering the kernel.

Nobody disagrees that it would be a good thing if a filesystem implementation would do the right thing when faced with a hostile (or merely corrupt) filesystem image; that would make it possible to allow unprivileged users to mount filesystems without fear of handing over the keys to the entire system, for example. But, as Ted Ts'o pointed out, heavily used, in-kernel filesystems like ext4 and XFS don't meet that standard now, so requiring new filesystems to reach that level of robustness is presenting them with a higher bar:

In the case of EROFS, as Chao Yu pointed out, the intended use case makes this kind of robustness less important. The Android system images shipped in this filesystem format will be verified with a system like dm-verity, so the filesystem implementation should not be confronted with anything other than signed and verified images. Even so, the EROFS developers agree that this kind of bug should be actively sought out and fixed.

It seems that views about robustness against bad images vary somewhat among filesystem developers. With regard to these bugs in ext4, Ts'o said that "while I try to address them, it is by no means considered a high priority work item". He characterized the approach of the XFS developers as being similar. Christoph Hellwig disagreed strongly with that claim, though, saying that XFS developers work hard to handle corrupt filesystem images, "although there are of course no guarantees". Eric Biggers asserted that dealing with robustness issues should be mandatory, "but I can understand that we don't do a good job at it, so we shouldn't hold a new filesystem to an unfairly high standard relative to other filesystems".

Hellwig arguably took the strongest position with regard to the standards that should be applied to new filesystems:

What those higher standards should be was not spelled out. They probably do not extend to absolute robustness against corrupt filesystem images, but it seems that developers would like to see at least an effort made in that direction. As Biggers put it:

Whether EROFS meets the "looks robust" standard is a bit controversial at the moment. On the other hand, there is little doubt that the EROFS developers are willing and able to fix bugs quickly as they are reported. For the purposes of moving EROFS into the kernel proper, chances are that will be good enough. Unless some other show-stopping issue comes up, this little snag seems unlikely to keep this code from graduating out of the staging tree. Future filesystem developers will want to take notice, though, that reviewers will be paying more attention to robustness against on-disk image corruption than they have in the past.

Index entries for this article
Kernel	Filesystems

---

to post comments

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 3:55 UTC (Tue) by dvdeug (subscriber, #10998) [Link] (8 responses)

As for "That's the only way to get the average quality up.", who cares? Maybe it helps Huawei, or maybe not, but making EROFS better doesn't make Linux better for all the users out there who aren't running EROFS. This can work for replacing core parts or even primary filesystems like EXT2 to EXT3 to EXT4, but increasing the average quality by insisting that new filesystems and drivers be better then the ones that are used by most users does little service to most users.

Yes, it's a volunteer system. But if you're concerned about Linux filesystem quality, I'm sure they'll take patches or at least bug reports for existing filesystems. You can push for better quality in core features without taking it out on the new features.

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 7:52 UTC (Tue) by rsidd (subscriber, #2582) [Link] (2 responses)

I think this is important. If the FS is important for Android, yes, it should be upstreamed. Is there interest from the larger Android community? Are they pushing for upstreaming? If it is only for Huawei's particular fork of Android, why should it be upstreamed?

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 8:05 UTC (Tue) by hsiangkao (subscriber, #123981) [Link] (1 responses)

We will definitely upstream to AOSP as well.

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 8:11 UTC (Tue) by hsiangkao (subscriber, #123981) [Link]

You can see some prerequisite commits:
https://android-review.googlesource.com/c/platform/system...

and there are some Android commits mentioned about this staging EROFS:
https://android-review.googlesource.com/c/kernel/configs/...

We'd like to upstream to AOSP, and gain wider use of course.

On-disk format robustness requirements for new filesystems

Posted Aug 24, 2019 6:12 UTC (Sat) by buck (subscriber, #55985) [Link] (3 responses)

> As for "That's the only way to get the average quality up.", who cares? Maybe it helps Huawei, or maybe not, but making EROFS better doesn't make Linux better for all the users out there who aren't running EROFS.

If a user plugs a USB drive in his/her machine and it causes the machine to lock up because it has a broken EROFS filesystem on it, that's not cool. It may not be fair, but there's an argument that can be made for not allowing in additional filesystems that widen the gamut of such problems.

That said, i've never written code for a filesystem or anything else nearly as complex that's supposed to deliver as much functionality, so, yes, i can imagine it may put an unrealistic damper on the possibilities for future awesomeness. I'll trust the LKML arbiters to figure it out.

On-disk format robustness requirements for new filesystems

Posted Aug 24, 2019 17:45 UTC (Sat) by alonz (subscriber, #815) [Link] (1 responses)

One could argue that the behavior of mount(8) (automatically trying all filesystem types) is the actual bug, and that its "auto" mode should restrict itself to using filesystems that are actually suitable for use with the current media. (Many filesystem types, EROFS included, could then be defined as supported only on non-removable media by default.)

Alternatively, the filesystem driver may itself verify that the media type is suitable before even reading the superblock.

(Personally I would love it if we could just use lklfuse for all filesystems on removable media… But it looks like nobody support it.)

On-disk format robustness requirements for new filesystems

Posted Aug 25, 2019 1:04 UTC (Sun) by pabs (subscriber, #43278) [Link]

Is lklfuse merged into mainline Linux yet?

On-disk format robustness requirements for new filesystems

Posted Aug 24, 2019 19:04 UTC (Sat) by hsiangkao (subscriber, #123981) [Link]

> If a user plugs a USB drive in his/her machine and it causes the machine to lock up because it has a broken EROFS filesystem on it, that's not cool.

We think that's not cool as well, so we are now addressing and will continue actively addressing it.
But that is not absolute standard on this field ---- one hour, two hours, a day, a month, or forever? by some tool? and that is not filesystem-specific issue, but for all on-disk new features...

Again, please give us some time, not long before it resists almost all malformed images (it can already resist more malformed images than weeks before, and we will fix those reports as quick as what we can... that is our attitude on this...)

On-disk format robustness requirements for new filesystems

Posted Sep 4, 2019 6:42 UTC (Wed) by holgerschurig (guest, #6714) [Link]

> Maybe it helps Huawei,

I think you think too short.

Some of the android things are too specific for android. But some of the concepts needed there are also things that you need in other problem domains (e.g. embedded). And if EROFS is in Linux, then other projects (often in Embedded) might use it as well. It might actually already in use today :-)

> or at least bug reports for existing filesystems.

They are. Hellwig said for XFS that they make great strides for the v5 version, T'so said that for ext4 they work on this, just not with high priority. So warm up your fuzzer and start submitting bug reports :-)

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 6:15 UTC (Tue) by post-factum (subscriber, #53836) [Link] (3 responses)

> There seems to be a very unfortunate tendency for us to hold new file systems to impossibly high standards

Somewhere out there Hans Reiser cries loudly.

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 10:19 UTC (Tue) by kmeyer (subscriber, #50720) [Link] (1 responses)

Tux3? Bcachefs? Linux has a long tradition of this.

On-disk format robustness requirements for new filesystems

Posted Aug 21, 2019 5:56 UTC (Wed) by rsidd (subscriber, #2582) [Link]

Tux3's author never submitted it for upstreaming, AFAIK. In 2018 he said "For the time being we will continue to develop out-of-tree". There seem to be no updates after that.

On-disk format robustness requirements for new filesystems

Posted Nov 26, 2019 3:31 UTC (Tue) by Trammael (guest, #101173) [Link]

>Somewhere out there Hans Reiser cries loudly.

California Dept of Corrections, Correctional Training Facility, Soledad Prison Road, Soledad, CA

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 9:57 UTC (Tue) by tao (subscriber, #17563) [Link] (1 responses)

I have a hard time accepting the "It's unfair to expect better of new contributions than of pre-existing code (paraphrasing here)" argument.

Pre-existing file-system code can be hard to fix because a.) it might necessitate breaking on-disk format, which is usually a no-go, b.) regressions have a real-world impact.

Ensuring a high level of robustness on the get-go before merging rather than trying to fix it afterwards is practically guaranteeing that these issues won't ever get fixed.

TL;DR: I totally agree with Christoph Hellwig.

On-disk format robustness requirements for new filesystems

Posted Aug 21, 2019 6:20 UTC (Wed) by dvdeug (subscriber, #10998) [Link]

At its worst, it could mean a lack of new filesystems, because they were all held to unrealistic standards, and the current filesystems all bitrotten out, because it's just expected they aren't robust.

Again, for "That's the only way to get the average quality up", this does not seem to be a viable way to get the average quality of Linux up for most users.

On-disk format robustness requirements for new filesystems

Posted Aug 20, 2019 11:06 UTC (Tue) by Freeaqingme (guest, #103259) [Link] (2 responses)

Are there any fuzzing projects specifically for file systems? This seems like a perfect candidate for fuzzing(?).

AFL for filesystems, fsfuzzer

Posted Aug 20, 2019 21:17 UTC (Tue) by sitsofe (guest, #104576) [Link]

Yes, people have built fuzzers for filesystem images (there are even more if you mean things like syscalls - see fsx, trinity, syzkaller etc). Several years ago an Oracle developer applied afl to a number of different filesystem images and found bugs could be triggered within a few minutes of fuzing (but I don't know if the code for this was ever released). Going back further, the month of kernel bugs introduced the fsfuzzer back in 2006.

On-disk format robustness requirements for new filesystems

Posted Aug 21, 2019 8:18 UTC (Wed) by dgc (subscriber, #6611) [Link]

There are a *lot* of fuzzing tests for XFS in xfstests:

$ git grep fuzz tests/xfs/group |wc -l
156
$

156 separate on-disk format fuzzing tests, quite a few (~40) of which also test the ability of the under-development online repair code to fix the fuzzing damage automatically. These fuzzers know the on-disk format, so they defeat all the CRC checking by recalculating the CRC after the structures have been corrupted. That's why we have our own fuzzers - at the time nobody had a fuzzer capable of defeating CRCs, so we extended our own tools to do it....

So the truth is that XFS developers have a very high standard for on-disk format robustness and we have both the toolchain and runtime verification in place to find and fix bugs and areas we don't validate as well as we should. It's an ongoing process of improvement....

-Dave.

On-disk format robustness requirements for new filesystems

Posted Aug 22, 2019 11:35 UTC (Thu) by mina86 (guest, #68442) [Link] (1 responses)

To rephrase, it’s unfair to demand that new system calls have a “flags” field which allow for painless future expansion because existing system calls often lack that field.

On-disk format robustness requirements for new filesystems

Posted Aug 23, 2019 19:42 UTC (Fri) by k8to (guest, #15413) [Link]

Perhaps it makes sense for replacement calls that have shown a lot of pressure over time?

But globally it seems burdensome.

On-disk format robustness requirements for new filesystems

Posted Aug 31, 2019 13:17 UTC (Sat) by eduard.munteanu (guest, #66641) [Link]

I recently discovered one can craft FAT32 filesystems containing filenames which break POSIX guarantees, and they'll be gladly accepted by the Linux driver. For instance, you can get a file named ../../dev/sda that'll break just about every userspace tool acting on it. And no, that's not even a symlink, so typical countermeasures will fail to reject it. Imagine mounting that from a USB drive into /mnt/stick and something privileged comes along writing into /mnt/stick/../../dev/sda, because it totally looks like a regular file.

On-disk format robustness requirements for new filesystems

Posted Sep 5, 2019 13:46 UTC (Thu) by polyp (guest, #53146) [Link] (1 responses)

EROFS apparently stands for Enhanced Read-Only File System, not Extendable.

On-disk format robustness requirements for new filesystems

Posted Sep 9, 2019 2:08 UTC (Mon) by hsiangkao (subscriber, #123981) [Link]

In the first RFC patch last year, it was written in Extendable Read-Only File System suggested by some colleague.
I'd prefer the original name Enhanced Read-Only File System though, so change back again...
maybe full name is not important though..