[PATCH 00/24] vfs: require filesystems to explicitly opt-in to lease support

David Laight david.laight.linux at gmail.com
Thu Jan 15 00:39:55 AEDT 2026


On Wed, 14 Jan 2026 10:34:04 +0100
Amir Goldstein <amir73il at gmail.com> wrote:

> On Wed, Jan 14, 2026 at 7:28 AM Christoph Hellwig <hch at infradead.org> wrote:
> >
> > On Tue, Jan 13, 2026 at 12:06:42PM -0500, Jeff Layton wrote:  
> > > Fair point, but it's not that hard to conceive of a situation where
> > > someone inadvertently exports cgroupfs or some similar filesystem:  
> >
> > Sure.  But how is this worse than accidentally exporting private data
> > or any other misconfiguration?
> >  
> 
> My POV is that it is less about security (as your question implies), and
> more about correctness.
> 
> The special thing about NFS export, as opposed to, say, ksmbd, is
> open by file handle, IOW, the export_operations.
> 
> I perceive this as a very strange and undesired situation when NFS
> file handles do not behave as persistent file handles.
> 
> FUSE will gladly open a completely different object, sometimes
> a different object type from an NFS client request after server restart.
> 
> I suppose that the same could happen with tmpfs and probably some
> other fs.
...

You really shouldn't be allowed to nfs export a fs that doesn't have
persistent file handles.

Even file handles containing 'random' numbers can be problematic.
The default used to be 'hard mounts' (not sure it is any more) which
caused the client (not Linux - too long ago) to loop in kernel
forever waiting for the server to recover the filesystem export.
The only resolution on that system was to reboot the client.

At least nfs can now use variable size file-ids.
When I was fixing some code that exported a layered fs (I pretty
much rewrote the fs at the same time) I did randomise the file-ids
so they (hopefully) became invalid after a reboot (only after suffering
some very corrupt filesystems!).
I found nfs (over udp) had some interesting 'features':
- If you export part of a fs you export all of it.
  (Especially since this predated the randomisation of the inode
  generation number.)
- If you give anyone access you give everyone access.
- If you give anyone write access you give everyone write access.
The latter two because the 'mount' protocol wasn't really needed
and the server didn't care where requests came from.

	David
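The behaviour Amir and David describe (an NFS handle that silently resolves to a different object after a server restart, and a handle for an inode outside the exported subtree resolving anyway) can be modelled in a few lines. The following is an added toy simulation written for this page, not nfsd's code or any filesystem's export_operations: the fixed 32-bit (inode, generation) handle layout, the ToyFS class with sequential inode reuse, the per-boot generation stamp and the scenario functions are all constructed assumptions; real handles are variable-size and filesystem-specific, and the subtree_check behaviour is only loosely modelled on nfsd's option of that name.

```python
"""Toy model of NFS open-by-handle (constructed example, not kernel code).
Assumed handle layout: 32-bit inode number + 32-bit per-boot generation."""
import errno
import struct

FH_FMT = "<II"


class ToyFS:
    """In-memory fs: inode numbers are handed out sequentially from 2 and
    reused after a 'boot', like a FUSE or tmpfs tree rebuilt at startup."""

    def __init__(self, generation):
        self.boot(generation)

    def boot(self, generation):
        # 0 models an fs with no generation stamp; any other value models
        # David's randomised file-ids that differ from boot to boot.
        self.generation = generation
        self.inodes = {}      # ino -> (kind, path)
        self.by_path = {}     # path -> ino
        self.next_ino = 2

    def create(self, path, kind):
        ino = self.next_ino
        self.next_ino += 1
        self.inodes[ino] = (kind, path)
        self.by_path[path] = ino
        return ino


def encode_fh(fs, path):
    """Server side of a lookup: hand the client a handle for `path`."""
    return struct.pack(FH_FMT, fs.by_path[path], fs.generation)


def fh_to_object(fs, fh, export_root="/", subtree_check=False):
    """Server side of a later request: map a handle back to an object.
    ESTALE if the handle names nothing live; EACCES only when subtree_check
    is on and the object lies outside export_root (assumed semantics)."""
    ino, gen = struct.unpack(FH_FMT, fh)
    obj = fs.inodes.get(ino)
    if gen != fs.generation or obj is None:
        raise OSError(errno.ESTALE, "stale file handle")
    kind, path = obj
    root = export_root.rstrip("/") + "/"
    if subtree_check and path != export_root and not path.startswith(root):
        raise OSError(errno.EACCES, "handle outside export")
    return kind, path


def scenario_no_generation():
    """FUSE/tmpfs-like: after a restart the old handle resolves to a
    different object, here even a different object type."""
    fs = ToyFS(generation=0)
    fs.create("/export", "dir")
    fs.create("/export/data.txt", "file")      # gets inode 3
    fh = encode_fh(fs, "/export/data.txt")
    fs.boot(generation=0)                      # server reboot, tree rebuilt
    fs.create("/export", "dir")
    fs.create("/export/logs", "dir")           # inode 3 is now a directory
    fs.create("/export/data.txt", "file")
    return fh_to_object(fs, fh)


def scenario_random_generation():
    """Same restart, but handles carry a per-boot stamp, so the client's
    old handle is rejected with ESTALE instead of opening the wrong thing."""
    fs = ToyFS(generation=0x1F2E3D4C)          # constructed boot value
    fs.create("/export", "dir")
    fs.create("/export/data.txt", "file")
    fh = encode_fh(fs, "/export/data.txt")
    fs.boot(generation=0x7A6B5C4D)             # different value after reboot
    fs.create("/export", "dir")
    fs.create("/export/logs", "dir")
    fs.create("/export/data.txt", "file")
    try:
        fh_to_object(fs, fh)
    except OSError as e:
        return errno.errorcode[e.errno]
    return "resolved"


def scenario_partial_export(subtree_check):
    """Only /export is exported, yet a forged handle for an inode elsewhere
    in the same fs resolves unless the server checks the subtree."""
    fs = ToyFS(generation=7)
    fs.create("/export", "dir")
    fs.create("/export/pub.txt", "file")
    fs.create("/secret", "dir")
    fs.create("/secret/key.pem", "file")       # gets inode 5
    # Client guesses the sequential inode number and reuses the generation
    # it learned from a legitimate handle for /export/pub.txt.
    gen = struct.unpack(FH_FMT, encode_fh(fs, "/export/pub.txt"))[1]
    forged = struct.pack(FH_FMT, 5, gen)
    try:
        return fh_to_object(fs, forged, "/export", subtree_check)[1]
    except OSError as e:
        return errno.errorcode[e.errno]
```

scenario_no_generation() returns the directory /export/logs for a handle that was issued for a regular file, which is the "different object, sometimes a different object type" case; scenario_random_generation() returns "ESTALE"; scenario_partial_export(False) returns "/secret/key.pem" while scenario_partial_export(True) returns "EACCES". The model deliberately omits what makes real handles safer (per-inode generation numbers, larger and filesystem-specific encodings) so the failure modes are visible.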
