fuse_set_conn_flag() collects the libfuse-side connection hints that are
not negotiated with the kernel. no_interrupt was the one such hint still
set only by direct field assignment.
Define FUSE_CONN_FLAG_NO_INTERRUPT alongside FUSE_CONN_FLAG_SINGLE_ISSUER
and map it onto conn->no_interrupt in the same switch, and convert the
example init() handlers to set it through the setter.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
For single-issuer queues only fuse_uring_thread() ever issues
io_uring_enter() on the ring, so the per-thread registered ring-fd index
is always valid. Registering it lets io_uring skip the fd grab/put on
every enter, which is measurable with libfuse's shared, threaded file
table.
A ring shared between separate submit and reap threads cannot use this
(each issuing thread would need its own index), so it stays gated on
io_uring_single_issuer. Registration needs kernel >= 5.18 and is
non-fatal: on failure the queue simply keeps using the normal ring fd.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Part 1 dropped cqe_processing and made the serving loop wait-only, so
the default path now issues one io_uring_submit() per inline reply
instead of coalescing a cqe batch into a single submit.
Restore the batching: the loop splits submit_and_wait so the flush
stays under ring_lock (part 1's race fix), and cqe_processing - now an
_Atomic bool set lock-free around handle_cqes() - again gates the
per-reply submit. The SQ stays serialised, so a batched reply is always
flushed before the next wait, never stranded.
Add a conn flag, io_uring_single_issuer, for a filesystem that replies
only from the per-queue uring thread: it skips ring_lock entirely and
runs the combined io_uring_submit_and_wait() loop, sound because only
that thread touches the ring. The flag reuses a reserved padding bit
(ABI unchanged; flag 0 keeps the multi-issuer path) and is mirrored
into the ring pool after op.init(), before serving starts.
A filesystem enables it with fuse_set_conn_flag(conn,
FUSE_CONN_FLAG_SINGLE_ISSUER), a new exported setter modelled on
fuse_set_feature_flag(); the io_uring_single_issuer bitfield is the
internal storage.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
The per-queue uring thread flushed the submission queue from
io_uring_submit_and_wait() in its serving loop outside ring_lock, while
off-thread repliers flushed it from io_uring_submit() under ring_lock in
fuse_uring_commit_sqe(). liburing's SQ is single-producer in userspace,
so two concurrent flushes corrupt sqe_head/ktail: when a filesystem
replies from a thread other than the per-queue uring thread this shows
up as spurious "Failed to get a ring SQEs", a doubled commit/fetch for
one commit_id, or an eventual hang. The commit path also keyed locking
on pthread_self() != queue->tid, a fragile proxy for lock ownership.
This serialisation is required, not just prudent: io_uring_setup_flags.7
documents that sharing a ring between threads "requires additional
synchronization". It is orthogonal to IORING_SETUP_SINGLE_ISSUER, which
only makes the kernel reject a second submitter task with -EEXIST and
does nothing for the userspace SQ bookkeeping; the flush race exists
with or without that flag.
Make the rule uniform: every submission-side SQ access takes ring_lock,
in commit_sqe() and resubmit() alike, replacing the pthread_self()
guess. ring_lock can no longer wrap handle_cqes() - an inline commit on
the uring thread would self-deadlock on the non-recursive mutex - so it
is taken only around the individual SQ accesses.
Submission stays batched via the cqe_processing flag, now _Atomic: while
the uring thread runs handle_cqes() it is set, so replies fill their SQE
under ring_lock but defer the submit; the thread flushes them with one
io_uring_submit() when it clears it. A reply that sees the flag clear -
the uring thread idle in io_uring_wait_cqe() - submits at once to wake
it. CQ access stays lock-free, as only the uring thread reaps.
Closes: https://github.com/libfuse/libfuse/issues/1443
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Replies are not submitted as they are produced: while a queue thread is
in fuse_uring_queue_handle_cqes() (cqe_processing set), each reply only
prepares a COMMIT_AND_FETCH SQE and the per-reply io_uring_submit() is
skipped. The whole batch, plus the eventfd poll re-arm, is flushed by the
next io_uring_submit_and_wait().
Without IORING_SETUP_SUBMIT_ALL the kernel aborts io_submit_sqes() at the
first SQE whose prep fails, leaving the rest of the batch unconsumed until
the following loop iteration -- head-of-line blocking the other in-flight
replies behind one bad commit. Set the flag so the kernel drains the whole
batch and only the failing SQE gets an error CQE.
This might have resulted in fuse-over-io-uring stalls, if applications
were waiting for results and libfuse was waiting for CQEs, but
not all SQEs had been submitted yet.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Mirror the fuse-side change commit abdd45f83c
("Make ioctl prototype conditional on FUSE_USE_VERSION. (#482)")'
for cuse too.
Crank versions to 3.19 as this is an ABI change.
Also increase the default FUSE_USE_VERSION to 30 in
include/cuse_lowlevel.h, 29 was below the libfuse3
min version.
Closes: https://github.com/libfuse/libfuse/issues/1406
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
cuse_prep_data() copied sizeof(struct cuse_lowlevel_ops) bytes from the
caller's clop using the library's struct size, so any field appended to
cuse_lowlevel_ops would make the library read past an older application's
struct. The libfuse version recorded in the session was also the
library's, not the application's, defeating the runtime ABI-fixup hook.
Add size/version-aware entry points cuse_lowlevel_{new,setup,main}_319
that thread the caller's sizeof(struct cuse_lowlevel_ops) and
libfuse_version into a clamped memcpy and fuse_session_new_versioned().
Header macros inject both at the call site, exactly as fuse_session_new()
does, so application source is unchanged. The bare FUSE_3.0 symbols
remain as compat forwarders passing the frozen 3.0 struct size and an
unknown version. No symbol versioning (FUSE_SYMVER) is required.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
add_mount(), exec_umount() and remove_mount() returned waitpid()'s pid
on success rather than 0, contradicting the documented '0 or -1' contract
(harmless today only because every caller tests == -1). They also tested
the raw wait status, and read it uninitialized when waitpid() itself
failed.
Read the status only on the success path and decode it with
WIFEXITED()/WEXITSTATUS(), matching how check_is_mount() in fusermount.c
already does it, so these helpers return 0 or -1 as advertised.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
This completes commit bb9cecbf67
("Use posix_spawn instead of fork+exec") and replaces remaining
fork by posix_spawn.
Not modified is mount_bsd.d as I cannot test it.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
The strtok_r(opts, ",", ...) based option splitter does not understand
double-quoted values. SELinux MLS labels can contain commas inside
quotes (e.g., context="system_u:object_r:root_t:s0:c0,c1"), which
would be incorrectly split into separate tokens.
Replace strtok_r with a quote-aware next_mount_opt() helper that skips
commas inside double-quoted regions.
Signed-off-by: Jingbo Xu <jingbo.xu@linux.alibaba.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
With the old mount(2) syscall, the kernel's SELinux code
(selinux_sb_eat_lsm_opts) internally strips double quotes from context
option values like context="system_u:object_r:root_t:s0". However, with
the new fsconfig() API the value is passed through verbatim, causing
SELinux to reject the mount with ENODEV.
Strip enclosing double quotes from key=value option values in
apply_opt_key_value() before passing them to fsconfig().
Signed-off-by: Jingbo Xu <jingbo.xu@linux.alibaba.com>
As discussed on https://github.com/libfuse/libfuse/issues/1515, libfuse has
a very light dependency on libnuma, only using very light wrappers over
mmap, mbind, and munmap. Remove the libnuma dependency by calling those
syscalls directly.
Populate memory after mmap to avoid SIGBUS later.
Signed-off-by: Benjamin Peterson <benjamin@python.org>
Bernd received a complaint via github that the "unmount" command in the
new fuse service API is prone to malicious symlink creation races
because the umount2 call doesn't use UMOUNT_NOFOLLOW. Therefore, if you
can trick a fuse service into asking the mount service helper to undo
the mount just after you've replaced the mount with a symlink to a
sensitive mount (e.g. /sys) then you whack a system hard.
I don't know why this unmounting functionality exists in libfuse, and
apparently Bernd doesn't like it. Since the fuse service API has not
yet been released, let's just rip out the command and pretend it never
existed.
Fixes: 5d8b9a39a1 ("mount_service: add systemd socket service mounting helper")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Amazingly, permission for the use of the "blkdev" mount option (aka
mounting with fuseblk.SUBTYPE instead of fuse.SUBTYPE) rests solely on a
getuid()==0 check in userspace. That /might/ be an indication that the
kernel also won't allow this, but as that's the criteria, let's
advertise fuseblk explicitly so that a fuse server can discover the
capability before calling fuse_service_session_mount().
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Codex complains that the protocol checking here is too stringent. For
example, if the mount helper advertises min=1,max=2 but libfuse inside
the container is older and only supports protocol version 1, the second
check results in service mount failure when we could just use v1.
Fix this by requiring that maxver >= minver, and then looking for a lack
of overlap between what libfuse supports and what the helper advertised.
Fixes: 5d8b9a39a1 ("mount_service: add systemd socket service mounting helper")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Codex noticed a discrepancy between the new fsmount code that Bernd
wrote and my port of the even newer mount service code to use the
helpers that Bernd wrote. Specifically, set_fsconfig_ms_flags only
clears bits from MS_FLAGS if there's no corresponding MOUNT_ATTR_ flag,
whereas ms_flags_to_mount_attrs always clears them.
In other words, set_fsconfig_ms_flags MUST be called before
ms_flags_to_mount_attrs or we can lose the 'ro' option. Fix this.
Fixes: 7211953256 ("mount_service: use the fsmount API helpers from mount_fsmount.c")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
The mount(2) flags (i.e. MS_*) are unsigned long. Don't truncate them
in this function by assigning to int.
Fixes: 14cb7b93bb ("Add support for the new linux mount API")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
The header buffer is described by "struct fuse_uring_req_header" rather
than "struct fuse_ring_ent".
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
The --sync-init code path validates the mountpoint in
mount_fuse_prepare() (check_perm() chdir()s into the directory and
rewrites the path to ".", or opens a regular-file mountpoint and
rewrites it to /proc/self/fd/N), but that pinned reference is a local
variable that is discarded. mount_fuse_finish_fsmount() later mounts
using the original path string, which move_mount() re-resolves through
whatever the symlinks now say.
An unprivileged user controls the sync-init socket, so
wait_for_signal() gives an unbounded check-to-use window: validate an
attacker-owned directory, swap a parent component to a symlink into
/etc, then signal -- the mount lands on a root-owned directory,
defeating check_nonroot_dir_access(). With user_allow_other this yields
local root via a fake sudoers drop-in.
Pin the validated inode as a single fd (mount_context.mnt_fd) obtained
from the already-chdir'd CWD or the open mountpoint fd, mount onto it
via move_mount() with MOVE_MOUNT_T_EMPTY_PATH (no path re-resolution),
and assert at the mount site that fstat(mnt_fd) still matches the stat
captured during validation. The legacy mount() path and the library
direct-mount path are unchanged (mnt_fd == -1 keeps path resolution).
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
fuse_session_loop_mt_312() unconditionally destroys se->mt_lock before
returning. The caller then invokes fuse_session_destroy(), which
destroys the same mutex again. This is undefined behavior per POSIX
on every MT shutdown.
fuse_session_reset() does not re-initialize mt_lock between these
calls, so the second destroy always operates on an already-destroyed
mutex.
Remove the destroy from fuse_session_loop_mt_312 and let
fuse_session_destroy remain the sole owner of mutex teardown,
consistent with how se->mt_finish (the semaphore) is already handled.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
If fuse_session_mount() succeeds but fuse_session_unmount() is never
called (e.g., on an error path), the mountpoint string allocated by
strdup in fuse_session_mount() is leaked. Free it in
fuse_session_destroy() using the same atomic_exchange pattern as
fuse_session_unmount() to handle concurrent access safely.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
grow_pipe_to_max() opens /proc/sys/fs/pipe-max-size without O_CLOEXEC.
In a multi-threaded FUSE daemon, a concurrent fork+exec (e.g., to
invoke fusermount) between the open() and close() calls would leak this
fd into the child process.
Add the same O_CLOEXEC fallback guard used in mount.c and
fuse_loop_mt.c for portability to older headers.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
fuse_req_getgroups() uses sprintf() to write into a fixed 128-byte
buffer. While the current format string cannot overflow in practice,
using snprintf() with sizeof(path) provides bounds safety as a
defense-in-depth measure.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
fuse_uring_stop() frees the ring pool via fuse_session_destruct_uring()
but does not null se->uring.pool afterwards, leaving a dangling pointer.
While no current code path dereferences the pool after stop, this is a
latent maintenance hazard — any future access would hit freed memory.
The error path in fuse_uring_start() already nulls se->uring.pool on
failure; apply the same discipline in the normal teardown path.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
After opening the fromfs iconv descriptor, the error check on line 725
tests ic->tofs (already verified above) instead of ic->fromfs. A failed
iconv_open for the fromfs direction is silently ignored, leaving an
invalid descriptor that causes undefined behavior in iconv_convpath.
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Documentation for poll() callback says that:
> The callee is responsible for destroying ph with
> fuse_pollhandle_destroy() when no longer in use.
In fuse_lib_poll() ((struct fuse_lowlevel_ops*)->poll) we need to be more
careful:
1. If get_path_nullok() fails, we need to free fuse_pollhandle
2. If we passed execution down to fuse_fs_poll(), then
it must release fuse_pollhandle resources when no
(struct fuse_operations*)->poll provided by the filesystem driver.
Found this by myself while reading the code as a part of [1] review.
This is not critical at all, because once we return ENOSYS once,
kernel never sends FUSE_POLL again. So memleak is unnoticable in practice.
Alternatively, we can leak if get_path_nullok() fails all the time, but
then we are in a much more serious troubles...
Link: https://github.com/lxc/lxcfs/pull/726 [1]
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Add support for parsing FUSE_SECCTX extensions sent by the kernel
during file creation operations. This allows userspace filesystems
to receive and persist SELinux/AppArmor security labels on newly
created files.
Add example in passthrough_hp: When creating a file, iterates the fuse
req extension security contexts to find the SELinux security label and
apply it.
Signed-off-by: Kevin Chen <kchen@ddn.com>
Came up on the container branch and not sure why it triggers there
only, but malloc is not needed and snprintf should check for the
max size.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
* master:
Change use_subtype_prefix type to bool in fuse_mnt_build_source()
lib mount: fix fsfd leakage on error
lib mount: include linux/mount.h in mount_i_linux.h
lib mount: no need to fsconfig mtab options
Fix ENODEV fallback logic for block devices with fsname
Update the condition when to use synchronous init
fuse_daemonize_early: Rename is_active to is_used, add new is_active
Add a missing NULL check for x_mtab_opts in mount_fuse()
fusermount: Fix heap buffer overflow in perform_mount()
lib/mount.c: Restore "subtype#fsname" format for legacy kernel fallback
fuse: No need to call strlen
Just a minor API cleanup from yesterday, change type from int to
bool and add comment why the argument is needed.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Clean up fsfd and related resources before falling back to old
mount API if ms_flags_to_mount_attrs() fails. Otherwise the created
detached fuse connection will hang there and won't be freed.
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
mtab options is a superset of kernel options (passed to kernel via
mount(2) or fsconfig(2)), with additional mtab-only options like
"user=" or "-n".
After switching to the new mount API, kernel options are already
configured by fsconfig. Re-running fsconfig on mtab options causes
options to be configured twice.
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
The ENODEV fallback logic in both lib/mount.c and util/fusermount.c
incorrectly combined two conditions, causing block devices with fsname
to be treated as if they had no fsname.
Original behavior (before commit 50fa7f0bc2):
if (mo->fsname) {
if (!mo->blkdev)
sprintf(source, "%s#%s", mo->subtype, mo->fsname);
// else: keep existing source (fsname for blkdev)
} else {
strcpy(source, type);
}
This handled three cases:
1. fsname + non-blkdev -> "subtype#fsname"
2. fsname + blkdev -> fsname (unchanged)
3. no fsname -> type
Previous patches incorrectly changed this to:
if (mo->fsname && !mo->blkdev) {
source = fuse_mnt_build_source()
} else {
source = strdup(type);
}
This only handled two cases, causing case 2 (fsname + blkdev) to be
treated as case 3 (no fsname).
This patch restores the three-way logic.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
The previous condition in session_start_sync_init() if to
use synchronous init was not right yet - we actually want
sync-init by default when fuse_daemonize_earl_start is
used. But users also need to able to override (at least
we need to be able to override for our own tests).
So add an enum with the values of auto (default),
enabled and disabled.
Noticed due to a PR from Jingbo Xu <jefflexu@linux.alibaba.com>
that added the workaround to enable, which not supposed to be
needed. The logic should work on its own when fuse_daemonize_early_start
is used.
This also exports fuse_session_set_sync_init (and renames it from
fuse_session_want_sync_init()).
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
In passthrough_hp.cc in main() the err_out4 condition would
have printed an invalid warning and program exit even
under regular umount, because the underlying check acted
on daemonize.active and daemonize.daemonized, although it
was supposed to act on daemonize.active only.
Fix that by renaming the current _is_active() to _is_used()
and by introducing a new fuse_daemonize_is_active(), which
only checks for 'daemonize.daemonized'.
Suggested-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
Commit 50fa7f0bc2 ("Move fuse_mnt_build_{source,type} to mount_util.c"
changed the ENODEV fallback behavior from using
"subtype#fsname" format to just "fsname" for the mount source.
This adds a use_subtype_prefix parameter to fuse_mnt_build_source() to
control whether the legacy "subtype#fsname" format should be used. This
centralizes the source string building logic and avoids code duplication
in the ENODEV fallback paths.
Original behavior (before 50fa7f0bc2):
if (mo->fsname) {
if (!mo->blkdev)
sprintf(source, "%s#%s", mo->subtype, mo->fsname);
} else {
strcpy(source, type);
}
Behavior after 50fa7f0bc2 (unintended change):
source = fuse_mnt_build_source(mo->fsname, NULL, devname);
// Returns just fsname, not "subtype#fsname"
Behavior before 50fa7f0bc2 is restored again.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
This only checks for "." and "..". This can be done cheaper than
calling strlen. According to godbolt not much code is required for
this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Remove dangerous strcpy calls with memcpy based on the lengths we used
to compute the dynamic structure size.
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Initialize the sockaddr_un variable so that subsequent comparisons won't
fail in weird ways if getsockname doesn't fill out the object.
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
The new fsmount API code in mount_service.c should use the new helper
functions that were recently added to mount_fsmount.c.
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
The flags parameter of mount() is an unsigned long on Linux, which means
that the return type of type of ms_flags_to_mount_attrs must also be
unsigned long to avoid possible truncation of unconverted MS_* flags.
However, the attr_flags parameter of fsmount() is unsigned int, so
there's no need to use an unnecessarily large type. Why the kernel ABI
didn't specify this as u64 is beyond me, but there it is.
Fix both problems with the function signature and caller.
Fixes: 14cb7b93bb ("Add support for the new linux mount API")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Commit f0e08cc700 ("/dev/fuse splice pipe grow: Only grow ...")
introduced a pipe grow to max - this only makes sense for
splice write, because if a pipe cannot be grown now, it won't be possible
to grow it later either. Also, /dev/fuse device read always requires the
max buffer size, as kernel code checks very early for the required buffer.
For splice write a dynamic size / max size can be used.
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>