Re: [PATCH] erofs: verify metadata accesses for file-backed mounts

[Chunhai Guo]

On 3/30/2026 10:20 AM, Gao Xiang wrote:
> For file-backed mounts, metadata is fetched via the page cache of
> backing inodes to avoid double caching and redundant copy ops, which is
> currently used by Android APEXes, ComposeFS and containerd for example.
> However, rw_verify_area() was missing prior to metadata accesses.
>
> Similar to vfs_iocb_iter_read(), fix this by:
>   - Enabling fanotify pre-content hooks on metadata accesses;
>   - security_file_permission() for security modules.
>
> Verified that fanotify pre-content hooks now works correctly.
>
> Fixes: fb176750266a ("erofs: add file-backed mount support")
> Acked-by: Amir Goldstein <amir73il@xxxxxxxxx>
> Signed-off-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
> ---

Reviewed-by: Chunhai Guo <guochunhai@xxxxxxxx>


Thanks,