erofs: using domain_id in the safer way

Hongbo Li · hsiangkao · commit e77762e8966c · 2026-01-23T20:02:09.000+08:00
Either the existing fscache usecase or the upcoming page
cache sharing case, the `domain_id` should be protected as
sensitive information, so we use the safer helpers to allocate,
free and display domain_id.

Signed-off-by: Hongbo Li &lt;lihongbo22@huawei.com&gt;
Reviewed-by: Gao Xiang &lt;hsiangkao@linux.alibaba.com&gt;
Signed-off-by: Gao Xiang &lt;hsiangkao@linux.alibaba.com&gt;
diff --git a/Documentation/filesystems/erofs.rst b/Documentation/filesystems/erofs.rst
@@ -128,8 +128,9 @@ device=%s              Specify a path to an extra device to be used together.
 directio               (For file-backed mounts) Use direct I/O to access backing
                        files, and asynchronous I/O will be enabled if supported.
 fsid=%s                Specify a filesystem image ID for Fscache back-end.
-domain_id=%s           Specify a domain ID in fscache mode so that different images
-                       with the same blobs under a given domain ID can share storage.
+domain_id=%s           Specify a trusted domain ID for fscache mode so that
+                       different images with the same blobs, identified by blob IDs,
+                       can share storage within the same trusted domain.
 fsoffset=%llu          Specify block-aligned filesystem offset for the primary device.
 ===================    =========================================================
 
diff --git a/fs/erofs/fscache.c b/fs/erofs/fscache.c
@@ -379,7 +379,7 @@ static void erofs_fscache_domain_put(struct erofs_domain *domain)
 		}
 		fscache_relinquish_volume(domain->volume, NULL, false);
 		mutex_unlock(&erofs_domain_list_lock);
-		kfree(domain->domain_id);
+		kfree_sensitive(domain->domain_id);
 		kfree(domain);
 		return;
 	}
@@ -446,7 +446,7 @@ static int erofs_fscache_init_domain(struct super_block *sb)
 	sbi->domain = domain;
 	return 0;
 out:
-	kfree(domain->domain_id);
+	kfree_sensitive(domain->domain_id);
 	kfree(domain);
 	return err;
 }
diff --git a/fs/erofs/super.c b/fs/erofs/super.c
@@ -527,10 +527,8 @@ static int erofs_fc_parse_param(struct fs_context *fc,
 			return -ENOMEM;
 		break;
 	case Opt_domain_id:
-		kfree(sbi->domain_id);
-		sbi->domain_id = kstrdup(param->string, GFP_KERNEL);
-		if (!sbi->domain_id)
-			return -ENOMEM;
+		kfree_sensitive(sbi->domain_id);
+		sbi->domain_id = no_free_ptr(param->string);
 		break;
 #else
 	case Opt_fsid:
@@ -626,7 +624,7 @@ static void erofs_set_sysfs_name(struct super_block *sb)
 {
 	struct erofs_sb_info *sbi = EROFS_SB(sb);
 
-	if (sbi->domain_id)
+	if (sbi->domain_id && sbi->fsid)
 		super_set_sysfs_name_generic(sb, "%s,%s", sbi->domain_id,
 					     sbi->fsid);
 	else if (sbi->fsid)
@@ -861,7 +859,7 @@ static void erofs_sb_free(struct erofs_sb_info *sbi)
 {
 	erofs_free_dev_context(sbi->devs);
 	kfree(sbi->fsid);
-	kfree(sbi->domain_id);
+	kfree_sensitive(sbi->domain_id);
 	if (sbi->dif0.file)
 		fput(sbi->dif0.file);
 	kfree(sbi->volume_name);

Original file line number	Diff line number	Diff line change
`@@ -379,7 +379,7 @@ static void erofs_fscache_domain_put(struct erofs_domain *domain)`
`379`	`379`	`}`
`380`	`380`	`fscache_relinquish_volume(domain->volume, NULL, false);`
`381`	`381`	`mutex_unlock(&erofs_domain_list_lock);`
`382`		`- kfree(domain->domain_id);`
	`382`	`+ kfree_sensitive(domain->domain_id);`
`383`	`383`	`kfree(domain);`
`384`	`384`	`return;`
`385`	`385`	`}`
`@@ -446,7 +446,7 @@ static int erofs_fscache_init_domain(struct super_block *sb)`
`446`	`446`	`sbi->domain = domain;`
`447`	`447`	`return 0;`
`448`	`448`	`out:`
`449`		`- kfree(domain->domain_id);`
	`449`	`+ kfree_sensitive(domain->domain_id);`
`450`	`450`	`kfree(domain);`
`451`	`451`	`return err;`
`452`	`452`	`}`