Commit Graph

2533 Commits

Author SHA1 Message Date
Darrick J. Wong 6ef101c808 fsmount: don't truncate ms_flags in set_fsconfig_ms_flags
The mount(2) flags (i.e. MS_*) are unsigned long.  Don't truncate them
in this function by assigning to int.

Fixes: 14cb7b93bb ("Add support for the new linux mount API")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-06-12 12:57:19 +02:00
Bernd Schubert 1fbf44e06c fusermount: restrict pin_mountpoint owner check to sticky directories
The pinned-fd TOCTOU fix rejected any mountpoint not owned by the
mounting user, but check_nonroot_dir_access() only enforces ownership
for sticky directories. Restrict the pinned-inode check to match.

Fixes: bad8b22c91 ("fusermount: fix sync-init TOCTOU by mounting on a pinned mountpoint fd")
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-12 12:08:57 +02:00
Bernd Schubert 3fedbac9b6 mount.fuse: clear error and test skip when binary unreachable after privilege drop
With drop_privileges, mount.fuse3 execs the file system binary only
after dropping all capabilities (CAP_DAC_OVERRIDE included) while
keeping uid 0. The kernel then applies plain DAC checks to the exec, so
a binary under a directory the capability-less process cannot traverse
(e.g. a user-owned mode-0700 home) fails with EACCES and /bin/sh prints
a bare 'Permission denied', surfacing in the tests as 'file system
process terminated prematurely'.

Resolving and opening the binary before the drop was rejected: it would
perform a privileged path resolution and open() on invoker-influenced
input (confused-deputy / privilege-escalation risk). The drop-first,
resolve-after order is preserved.

Instead, pre-flight the upcoming PATH lookup after the drop and fail
with a diagnostic that names the binary and points at mount.fuse3(8).
The check runs with the final credentials, so it is deny-only. The test
detects the same situation up front (uid/gid-aware traversal check) and
skips with a precise reason; root-owned CI checkouts keep running.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-12 12:08:57 +02:00
Bernd Schubert 4633c30df6 checkpatch: Disable LINE_SPACING
I disagree with this style annotation - just takes another line
without gaining much.

WARNING:LINE_SPACING: Missing a blank line after declarations
+			int ret = access_executable(test_path);
+			if (ret == 0)

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-12 12:08:57 +02:00
Jingbo Xu a59ffa424f fuse-io-uring: fix req_header_sz size calculation
The header buffer is described by "struct fuse_uring_req_header" rather
than "struct fuse_ring_ent".

Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
2026-06-12 09:10:38 +02:00
Bernd Schubert bad8b22c91 fusermount: fix sync-init TOCTOU by mounting on a pinned mountpoint fd
The --sync-init code path validates the mountpoint in
mount_fuse_prepare() (check_perm() chdir()s into the directory and
rewrites the path to ".", or opens a regular-file mountpoint and
rewrites it to /proc/self/fd/N), but that pinned reference is a local
variable that is discarded. mount_fuse_finish_fsmount() later mounts
using the original path string, which move_mount() re-resolves through
whatever the symlinks now say.

An unprivileged user controls the sync-init socket, so
wait_for_signal() gives an unbounded check-to-use window: validate an
attacker-owned directory, swap a parent component to a symlink into
/etc, then signal -- the mount lands on a root-owned directory,
defeating check_nonroot_dir_access(). With user_allow_other this yields
local root via a fake sudoers drop-in.

Pin the validated inode as a single fd (mount_context.mnt_fd) obtained
from the already-chdir'd CWD or the open mountpoint fd, mount onto it
via move_mount() with MOVE_MOUNT_T_EMPTY_PATH (no path re-resolution),
and assert at the mount site that fstat(mnt_fd) still matches the stat
captured during validation. The legacy mount() path and the library
direct-mount path are unchanged (mnt_fd == -1 keeps path resolution).

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-11 15:38:47 +02:00
Abhinav Agarwal b6cb345591 fuse_loop_mt: Remove duplicate pthread_mutex_destroy of mt_lock
fuse_session_loop_mt_312() unconditionally destroys se->mt_lock before
returning. The caller then invokes fuse_session_destroy(), which
destroys the same mutex again. This is undefined behavior per POSIX
on every MT shutdown.

fuse_session_reset() does not re-initialize mt_lock between these
calls, so the second destroy always operates on an already-destroyed
mutex.

Remove the destroy from fuse_session_loop_mt_312 and let
fuse_session_destroy remain the sole owner of mutex teardown,
consistent with how se->mt_finish (the semaphore) is already handled.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 6c055dddf7 fuse_lowlevel: Free mountpoint in fuse_session_destroy
If fuse_session_mount() succeeds but fuse_session_unmount() is never
called (e.g., on an error path), the mountpoint string allocated by
strdup in fuse_session_mount() is leaked. Free it in
fuse_session_destroy() using the same atomic_exchange pattern as
fuse_session_unmount() to handle concurrent access safely.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 79aefd4fd9 fuse_lowlevel: Add O_CLOEXEC to pipe-max-size procfs open
grow_pipe_to_max() opens /proc/sys/fs/pipe-max-size without O_CLOEXEC.
In a multi-threaded FUSE daemon, a concurrent fork+exec (e.g., to
invoke fusermount) between the open() and close() calls would leak this
fd into the child process.

Add the same O_CLOEXEC fallback guard used in mount.c and
fuse_loop_mt.c for portability to older headers.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 349b83231b fusermount: Check fstat return value for comm fd validation
The fstat() call on the communication fd from _FUSE_COMMFD was not
checking its return value. On failure (e.g., invalid fd number),
statbuf remains uninitialized and the subsequent S_ISSOCK check
operates on garbage stack data, potentially bypassing the socket
type validation.

Check the return value and fail closed on error.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 42e57a8019 fuse_lowlevel: Use snprintf for /proc status path construction
fuse_req_getgroups() uses sprintf() to write into a fixed 128-byte
buffer. While the current format string cannot overflow in practice,
using snprintf() with sizeof(path) provides bounds safety as a
defense-in-depth measure.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 137e6dc718 fuse_uring: Null pool pointer after fuse_uring_stop
fuse_uring_stop() frees the ring pool via fuse_session_destruct_uring()
but does not null se->uring.pool afterwards, leaving a dangling pointer.
While no current code path dereferences the pool after stop, this is a
latent maintenance hazard — any future access would hit freed memory.

The error path in fuse_uring_start() already nulls se->uring.pool on
failure; apply the same discipline in the normal teardown path.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-11 10:45:20 +02:00
Abhinav Agarwal 5e3f016bef fusermount: Reject invalid negative mount_max in fuse.conf
mount_max is parsed with %i (signed) from /etc/fuse.conf. The value
-1 is the documented sentinel for "no limit", but any other negative
value (e.g., -2 from a typo) passes the mount_max != -1 guard and
makes the mount_count >= mount_max comparison always true, blocking
all non-root FUSE mounts.

Reject values below -1 with a warning rather than silently accepting
them.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-10 11:02:18 +02:00
Abhinav Agarwal 8eda8f9566 fusermount: Guard trailing comma removal against empty string
get_mnt_opts() accesses (*mnt_optsp)[l-1] without checking that
l > 0. If the option string is empty (reachable via read-only mount
with no additional options), this is an out-of-bounds read at
index -1.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-10 11:02:18 +02:00
Abhinav Agarwal ee093d226c iconv: Fix copy-paste error checking wrong iconv descriptor
After opening the fromfs iconv descriptor, the error check on line 725
tests ic->tofs (already verified above) instead of ic->fromfs. A failed
iconv_open for the fromfs direction is silently ignored, leaving an
invalid descriptor that causes undefined behavior in iconv_convpath.

Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
2026-06-10 11:02:18 +02:00
Bernd Schubert efa6c4c8be Fix BaseException catch in test files
Replace bare except clauses with 'except Exception' to avoid
catching system-exiting exceptions like KeyboardInterrupt and
SystemExit, which should not be suppressed.

Fixes: GitHub CodeQL Alerts #15, #16, #17
Rule: py/catch-base-exception
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Bernd Schubert 0d037dbe2b Fix file not closed in test_examples.py
Use 'with' statements to ensure files are properly closed even
when exceptions are raised during pytest.raises() contexts.

Fixes: GitHub CodeQL Alerts #18, #19
Rule: py/file-not-closed
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Bernd Schubert 80a6fb3e22 Fix mixed returns in test/util.py
Add explicit return statement to test_printcap() to avoid mixing
implicit and explicit returns. This improves code clarity.

Fixes: GitHub CodeQL Alert #20
Rule: py/mixed-returns
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Bernd Schubert 2ac23c29e0 Fix default parameter mutation in test_examples.py
Replace mutable default parameter with function attribute to avoid
modifying default value. This prevents unexpected behavior and
follows Python best practices.

Fixes: GitHub CodeQL Alert #21
Rule: py/modification-of-default-value
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Bernd Schubert 5f2e14d8c6 Fix assert statements with side effects in test_examples.py
Move subprocess.check_output() and proc.wait() calls out of assert
statements to avoid side effects being optimized away when running
with Python optimization enabled.

Fixes: GitHub CodeQL Alerts #22-27
Rule: py/side-effect-in-assert
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Bernd Schubert 65afaab71a Fix unbounded strcpy/strcat in mount.fuse.c
Replace strcpy() with strncpy() and strcat() with strncat().
Ensure null-termination after bounded operations.

Fixes: GitHub CodeQL Alert #104, #105
CWE-120, CWE-787, CWE-805

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Alexander Mikhalitsyn baebe3cde9 fuse: prevent possible fuse_pollhandle leak
Documentation for poll() callback says that:
> The callee is responsible for destroying ph with
> fuse_pollhandle_destroy() when no longer in use.

In fuse_lib_poll() ((struct fuse_lowlevel_ops*)->poll) we need to be more
careful:

1. If get_path_nullok() fails, we need to free fuse_pollhandle
2. If we passed execution down to fuse_fs_poll(), then
it must release fuse_pollhandle resources when no
(struct fuse_operations*)->poll provided by the filesystem driver.

Found this by myself while reading the code as a part of [1] review.

This is not critical at all, because once we return ENOSYS once,
kernel never sends FUSE_POLL again. So memleak is unnoticable in practice.
Alternatively, we can leak if get_path_nullok() fails all the time, but
then we are in a much more serious troubles...

Link: https://github.com/lxc/lxcfs/pull/726 [1]
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
2026-06-09 13:13:19 +02:00
kchen 6b3123617b fuse_lowlevel: add security context extension parsing and iterator API
Add support for parsing FUSE_SECCTX extensions sent by the kernel
during file creation operations. This allows userspace filesystems
to receive and persist SELinux/AppArmor security labels on newly
created files.

Add example in passthrough_hp: When creating a file, iterates the fuse
req extension security contexts to find the SELinux security label and
apply it.

Signed-off-by: Kevin Chen <kchen@ddn.com>
2026-06-09 11:53:41 +02:00
mannkafai 0b1cd7b5e7 test: Use pytest tmpdir on non-FreeBSD platforms (#1516)
test: Make short_tmpdir respect pytest --basetemp

When running libfuse tests in a QEMU-based vmtest environment,
test_passthrough fails with a PermissionError because the guest
restricts operations under /tmp:

  FAILED test/test_examples.py::test_passthrough[False-passthrough-False]
  PermissionError: [Errno 1] Operation not permitted:
  '/tmp/tmp4veumkm0/mnt/tmp/tmp4veumkm0/src/testfile_16'

The short_tmpdir fixture used the custom raii_tmpdir wrapper which
calls tempfile.mkdtemp() and always places directories under /tmp,
ignoring pytest's --basetemp option. Since --basetemp is used to
relocate temporary directories to a writable location in QEMU guests,
the fixture prevents the workaround from taking effect.

Fix it by making raii_tmpdir accept an optional dir argument and
having short_tmpdir check whether --basetemp was passed. When
--basetemp is set, create the temporary directory under its resolved
path obtained via tmp_path_factory.getbasetemp(). Without --basetemp,
fall back to the original behavior to keep paths short enough for
AF_UNIX sun_path limits (104 bytes on FreeBSD/macOS, 108 on Linux).

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
2026-06-07 21:24:40 +02:00
Bernd Schubert 183e21e23b Document security and other extension format
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-06 10:15:20 +02:00
wilkis 1cb5878d26 Update homepage at man page (#1511)
Signed-off-by: wilkis <marvin@alruno.eu>
2026-06-06 10:09:15 +02:00
Benjamin Peterson 44a1f759c2 fuse_uring: remove unused numa_node struct member
Signed-off-by: Benjamin Peterson <benjamin@engflow.com>
2026-06-05 19:09:46 +02:00
dependabot[bot] 66b74e90ec build(deps): bump actions/checkout from 6.0.2 to 6.0.3
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-03 14:32:51 +02:00
dependabot[bot] 0a257c0b90 build(deps): bump vmactions/freebsd-vm from 1.4.5 to 1.4.6
Bumps [vmactions/freebsd-vm](https://github.com/vmactions/freebsd-vm) from 1.4.5 to 1.4.6.
- [Release notes](https://github.com/vmactions/freebsd-vm/releases)
- [Commits](https://github.com/vmactions/freebsd-vm/compare/d1e65811565151536c0c894fff74f06351ed26e6...a6de9343ef5747433d9c25784c90e84998b9d69a)

---
updated-dependencies:
- dependency-name: vmactions/freebsd-vm
  dependency-version: 1.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-03 14:32:21 +02:00
Ashish Ahuja ba68751e56 fix typo in comments; FUSE_LOOP_MT_DEF_IDLE_THREADS is -1, not 10
Signed-off-by: Ashish Ahuja <shivashish.ahuja@gmail.com>
2026-06-03 14:32:00 +02:00
Bernd Schubert b71dd2629f Merge pull request #1444 from bsbernd/fuse-service-container
libfuse: run fuse servers as a contained service
2026-05-26 19:56:02 +02:00
Bernd Schubert 204cf0fb27 Merge branch 'master' into fuse-service-container
* master:
  Fix a codeql report in add_default_subtype()
2026-05-26 18:19:19 +02:00
Bernd Schubert 5c308fba82 Fix a codeql report in add_default_subtype()
Came up on the container branch and not sure why it triggers there
only, but malloc is not needed and snprintf should check for the
max size.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-26 18:18:43 +02:00
Bernd Schubert 5785b202e9 Fix a codeql report in add_default_subtype()
Came up on the container branch and not sure why it triggers there
only, but malloc is not needed and snprintf should check for the
max size.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-26 17:26:53 +02:00
Bernd Schubert d799270b76 mount_service.c: Remove an argc > 0 check (CodeQL)
As annotated by CodeQL, argc already test for above and cannot be
smaller than 3, no need to check again.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-26 14:45:38 +02:00
Bernd Schubert c17960b337 fuse_service: Avoid modifying counters in for loop
CodeQL annotates that and I personally prefer while loops for such loops
as well.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-26 14:38:28 +02:00
Bernd Schubert e2f7c7d990 Merge branch 'master' into fuse-service-container
* master:
  Change use_subtype_prefix type to bool in fuse_mnt_build_source()
  lib mount: fix fsfd leakage on error
  lib mount: include linux/mount.h in mount_i_linux.h
  lib mount: no need to fsconfig mtab options
  Fix ENODEV fallback logic for block devices with fsname
  Update the condition when to use synchronous init
  fuse_daemonize_early: Rename is_active to is_used, add new is_active
  Add a missing NULL check for x_mtab_opts in mount_fuse()
  fusermount: Fix heap buffer overflow in perform_mount()
  lib/mount.c: Restore "subtype#fsname" format for legacy kernel fallback
  fuse: No need to call strlen
2026-05-26 14:18:51 +02:00
Bernd Schubert e3fe270d74 Change use_subtype_prefix type to bool in fuse_mnt_build_source()
Just a minor API cleanup from yesterday, change type from int to
bool and add comment why the argument is needed.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-26 14:13:51 +02:00
Jingbo Xu 82a39851ef lib mount: fix fsfd leakage on error
Clean up fsfd and related resources before falling back to old
mount API if ms_flags_to_mount_attrs() fails.  Otherwise the created
detached fuse connection will hang there and won't be freed.

Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
2026-05-26 12:32:41 +02:00
Jingbo Xu 27fc208463 lib mount: include linux/mount.h in mount_i_linux.h
... otherwise MOUNT_ATTR_* would be defined as 0 unexpectedly.

Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
2026-05-26 12:32:41 +02:00
Jingbo Xu 7ba4bad144 lib mount: no need to fsconfig mtab options
mtab options is a superset of kernel options (passed to kernel via
mount(2) or fsconfig(2)), with additional mtab-only options like
"user=" or "-n".

After switching to the new mount API, kernel options are already
configured by fsconfig. Re-running fsconfig on mtab options causes
options to be configured twice.

Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
2026-05-26 12:32:41 +02:00
Bernd Schubert 1d70e30b52 Fix ENODEV fallback logic for block devices with fsname
The ENODEV fallback logic in both lib/mount.c and util/fusermount.c
incorrectly combined two conditions, causing block devices with fsname
to be treated as if they had no fsname.

Original behavior (before commit 50fa7f0bc2):
    if (mo->fsname) {
        if (!mo->blkdev)
            sprintf(source, "%s#%s", mo->subtype, mo->fsname);
        // else: keep existing source (fsname for blkdev)
    } else {
        strcpy(source, type);
    }

This handled three cases:
1. fsname + non-blkdev -> "subtype#fsname"
2. fsname + blkdev     -> fsname (unchanged)
3. no fsname           -> type

Previous patches incorrectly changed this to:
    if (mo->fsname && !mo->blkdev) {
        source = fuse_mnt_build_source()
    } else {
        source = strdup(type);
    }

This only handled two cases, causing case 2 (fsname + blkdev) to be
treated as case 3 (no fsname).

This patch restores the three-way logic.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Bernd Schubert fadb479bdc Update the condition when to use synchronous init
The previous condition in session_start_sync_init() if to
use synchronous init was not right yet - we actually want
sync-init by default when fuse_daemonize_earl_start is
used. But users also need to able to override (at least
we need to be able to override for our own tests).
So add an enum with the values of auto (default),
enabled and disabled.

Noticed due to a PR from Jingbo Xu <jefflexu@linux.alibaba.com>
that added the workaround to enable, which not supposed to be
needed. The logic should work on its own when fuse_daemonize_early_start
is used.

This also exports fuse_session_set_sync_init (and renames it from
fuse_session_want_sync_init()).

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Bernd Schubert 9f573330ad fuse_daemonize_early: Rename is_active to is_used, add new is_active
In passthrough_hp.cc in main() the err_out4 condition would
have printed an invalid warning and program exit even
under regular umount, because the underlying check acted
on daemonize.active and daemonize.daemonized, although it
was supposed to act on daemonize.active only.
Fix that by renaming the current _is_active() to _is_used()
and by introducing a new fuse_daemonize_is_active(), which
only checks for 'daemonize.daemonized'.

Suggested-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Bernd Schubert e4a4a3a135 Add a missing NULL check for x_mtab_opts in mount_fuse()
There might be have been null-ptr derefences.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Bernd Schubert 5b205b6d3f fusermount: Fix heap buffer overflow in perform_mount()
Commit 50fa7f0bc2 ("Move fuse_mnt_build_{source,type} to mount_util.c"
introduced a heap buffer overflow in the ENODEV fallback
path in fusermount.c. The prepare_mount() function now allocates source
with only strlen(fsname) + 1 bytes via fuse_mnt_build_source(), but
perform_mount() writes strlen(subtype) + 1 + strlen(fsname) + 1 bytes
when building the legacy "subtype#fsname" format.

Fix by removing source/type from struct mount_params and building them
as local variables in perform_mount() with correct allocation using the
new use_subtype_prefix parameter added in the previous commit.

The source and type strings are now:
- Built in perform_mount() with proper size allocation
- Returned via output parameters to the caller
- No longer stored in the mount_params structure

Fixes: 50fa7f0bc2 ("Move fuse_mnt_build_{source,type} to mount_util.c")
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Bernd Schubert 4e0f7cbc43 lib/mount.c: Restore "subtype#fsname" format for legacy kernel fallback
Commit 50fa7f0bc2 ("Move fuse_mnt_build_{source,type} to mount_util.c"
changed the ENODEV fallback behavior from using
"subtype#fsname" format to just "fsname" for the mount source.

This adds a use_subtype_prefix parameter to fuse_mnt_build_source() to
control whether the legacy "subtype#fsname" format should be used. This
centralizes the source string building logic and avoids code duplication
in the ENODEV fallback paths.

Original behavior (before 50fa7f0bc2):
    if (mo->fsname) {
        if (!mo->blkdev)
            sprintf(source, "%s#%s", mo->subtype, mo->fsname);
    } else {
        strcpy(source, type);
    }

Behavior after 50fa7f0bc2 (unintended change):
    source = fuse_mnt_build_source(mo->fsname, NULL, devname);
    // Returns just fsname, not "subtype#fsname"

Behavior before 50fa7f0bc2 is restored again.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-25 23:48:40 +02:00
Volker Lendecke e465536dc9 fuse: No need to call strlen
This only checks for "." and "..". This can be done cheaper than
calling strlen. According to godbolt not much code is required for
this.

Signed-off-by: Volker Lendecke <vl@samba.org>
2026-05-24 10:12:29 +02:00
Darrick J. Wong acb5e53dab mount/fuse_service: replace strcpy calls with memcpy
Remove dangerous strcpy calls with memcpy based on the lengths we used
to compute the dynamic structure size.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-05-21 12:11:06 -07:00
Darrick J. Wong 0f8157e72f mount_service: fix null pointer deref in mount_service_init
In theory, fuservicemount can be called with argv[0] == NULL, so let's
protect ourselves against that.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-05-21 12:11:06 -07:00