lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 23 Jan 2024 17:37:01 +0800
From: Jingbo Xu <jefflexu@...ux.alibaba.com>
To: miklos@...redi.hu,
	linux-fsdevel@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Subject: [RFC] fuse: disable support for file handle when FUSE_EXPORT_SUPPORT not configured

I think this is more of an issue reporter.

I'm not sure if it's a known issue, but we found that following a
successful name_to_handle_at(2), open_by_handle_at(2) fails (-ESTALE,
Stale file handle) with the given file handle when the fuse daemon is in
"cache= none" mode.

It can be reproduced by the examples from the man page of
name_to_handle_at(2) and open_by_handle_at(2) [1], along with the
virtiofsd daemon (C implementation) in "cache= none" mode.

```
/t_name_to_handle_at t_open_by_handle_at.c > /tmp/fh
/t_open_by_handle_at < /tmp/fh
t_open_by_handle_at: open_by_handle_at: Stale file handle
```

After investigation into this issue, I found the root cause is that,
when virtiofsd is in "cache= none" mode, the entry_valid_timeout is
configured as 0.  Thus the dput() called when name_to_handle_at(2)
finishes will trigger iput -> evict(), in which FUSE_FORGET will be sent
to the daemon.  The following open_by_handle_at(2) will trigger a new
FUSE_LOOKUP request when no cached inode is found with the given file
handle.  And then the fuse daemon fails the FUSE_LOOKUP request with
-ENOENT as the cached metadata of the requested inode has already been
cleaned up among the previous FUSE_FORGET.

This indeed confuses the application, as open_by_handle_at(2) fails in
the condition of the previous name_to_handle_at(2) succeeds, given the
requested file is not deleted and ready there.  It is acceptable for the
application folks to fail name_to_handle_at(2) early in this case, in
which they will fallback to open(2) to access files.


As for this RFC patch, the idea is that if the fuse daemon is configured
with "cache=none" mode, FUSE_EXPORT_SUPPORT should also be explicitly
disabled and the following name_to_handle_at(2) will all fail as a
workaround of this issue.

[1] https://man7.org/linux/man-pages/man2/open_by_handle_at.2.html

Signed-off-by: Jingbo Xu <jefflexu@...ux.alibaba.com>
---
 fs/fuse/inode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 2a6d44f91729..9fed63be60fe 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1025,6 +1025,7 @@ static struct dentry *fuse_get_dentry(struct super_block *sb,
 static int fuse_encode_fh(struct inode *inode, u32 *fh, int *max_len,
 			   struct inode *parent)
 {
+	struct fuse_conn *fc = get_fuse_conn(inode);
 	int len = parent ? 6 : 3;
 	u64 nodeid;
 	u32 generation;
@@ -1034,6 +1035,9 @@ static int fuse_encode_fh(struct inode *inode, u32 *fh, int *max_len,
 		return  FILEID_INVALID;
 	}
 
+	if (!fc->export_support)
+		return -EOPNOTSUPP;
+
 	nodeid = get_fuse_inode(inode)->nodeid;
 	generation = inode->i_generation;
 
-- 
2.19.1.6.gb485710b

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ