lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAOQ4uxh2C_mh2Zgr=s8jXh0pk=UGWJxLijTWBGEL5cZfyFUzbQ@mail.gmail.com>
Date: Fri, 26 Jan 2024 09:33:47 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Jingbo Xu <jefflexu@...ux.alibaba.com>
Cc: miklos@...redi.hu, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fuse: add support for explicit export disabling

On Fri, Jan 26, 2024 at 9:21 AM Jingbo Xu <jefflexu@...ux.alibaba.com> wrote:
>
> open_by_handle_at(2) can fail with -ESTALE with a valid handle returned
> by a previous name_to_handle_at(2) for evicted fuse inodes, which is
> especially common when entry_valid_timeout is 0, e.g. when the fuse
> daemon is in "cache=none" mode.
>
> The time sequence is like:
>
>         name_to_handle_at(2)    # succeed
>         evict fuse inode
>         open_by_handle_at(2)    # fail
>
> The root cause is that, with 0 entry_valid_timeout, the dput() called in
> name_to_handle_at(2) will trigger iput -> evict(), which will send
> FUSE_FORGET to the daemon.  The following open_by_handle_at(2) will send
> a new FUSE_LOOKUP request upon inode cache miss since the previous inode
> eviction.  Then the fuse daemon may fail the FUSE_LOOKUP request with
> -ENOENT as the cached metadata of the requested inode has already been
> cleaned up during the previous FUSE_FORGET.  The returned -ENOENT is
> treated as -ESTALE when open_by_handle_at(2) returns.
>
> This confuses the application somehow, as open_by_handle_at(2) fails
> when the previous name_to_handle_at(2) succeeds.  The returned errno is
> also confusing as the requested file is not deleted and already there.
> It is reasonable to fail name_to_handle_at(2) early in this case, after
> which the application can fallback to open(2) to access files.
>
> Since this issue typically appears when entry_valid_timeout is 0 which
> is configured by the fuse daemon, the fuse daemon is the right person to
> explicitly disable the export when required.
>
> Also considering FUSE_EXPORT_SUPPORT actually indicates the support for
> lookups of "." and "..", and there are existing fuse daemons supporting
> export without FUSE_EXPORT_SUPPORT set, for compatibility, we add a new
> INIT flag for such purpose.
>
> Signed-off-by: Jingbo Xu <jefflexu@...ux.alibaba.com>

Reviewed-by: Amir Goldstein <amir73il@...il.com>

> ---
> v2:
> - rename to "fuse_export_fid_operations"
> - bump FUSE_KERNEL_MINOR_VERSION
>
> v1: https://lore.kernel.org/linux-fsdevel/20240124113042.44300-1-jefflexu@linux.alibaba.com/
> RFC: https://lore.kernel.org/all/20240123093701.94166-1-jefflexu@linux.alibaba.com/
> ---
>  fs/fuse/inode.c           | 11 ++++++++++-
>  include/uapi/linux/fuse.h |  7 ++++++-
>  2 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 2a6d44f91729..eee200308482 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1110,6 +1110,11 @@ static struct dentry *fuse_get_parent(struct dentry *child)
>         return parent;
>  }
>
> +/* only for fid encoding; no support for file handle */
> +static const struct export_operations fuse_export_fid_operations = {
> +       .encode_fh      = fuse_encode_fh,
> +};
> +
>  static const struct export_operations fuse_export_operations = {
>         .fh_to_dentry   = fuse_fh_to_dentry,
>         .fh_to_parent   = fuse_fh_to_parent,
> @@ -1284,6 +1289,8 @@ static void process_init_reply(struct fuse_mount *fm, struct fuse_args *args,
>                                 fc->create_supp_group = 1;
>                         if (flags & FUSE_DIRECT_IO_ALLOW_MMAP)
>                                 fc->direct_io_allow_mmap = 1;
> +                       if (flags & FUSE_NO_EXPORT_SUPPORT)
> +                               fm->sb->s_export_op = &fuse_export_fid_operations;
>                 } else {
>                         ra_pages = fc->max_read / PAGE_SIZE;
>                         fc->no_lock = 1;
> @@ -1330,7 +1337,8 @@ void fuse_send_init(struct fuse_mount *fm)
>                 FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
>                 FUSE_HANDLE_KILLPRIV_V2 | FUSE_SETXATTR_EXT | FUSE_INIT_EXT |
>                 FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP |
> -               FUSE_HAS_EXPIRE_ONLY | FUSE_DIRECT_IO_ALLOW_MMAP;
> +               FUSE_HAS_EXPIRE_ONLY | FUSE_DIRECT_IO_ALLOW_MMAP |
> +               FUSE_NO_EXPORT_SUPPORT;
>  #ifdef CONFIG_FUSE_DAX
>         if (fm->fc->dax)
>                 flags |= FUSE_MAP_ALIGNMENT;
> @@ -1527,6 +1535,7 @@ static int fuse_fill_super_submount(struct super_block *sb,
>         sb->s_bdi = bdi_get(parent_sb->s_bdi);
>
>         sb->s_xattr = parent_sb->s_xattr;
> +       sb->s_export_op = parent_sb->s_export_op;
>         sb->s_time_gran = parent_sb->s_time_gran;
>         sb->s_blocksize = parent_sb->s_blocksize;
>         sb->s_blocksize_bits = parent_sb->s_blocksize_bits;
> diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
> index e7418d15fe39..38d9f285a599 100644
> --- a/include/uapi/linux/fuse.h
> +++ b/include/uapi/linux/fuse.h
> @@ -211,6 +211,9 @@
>   *  7.39
>   *  - add FUSE_DIRECT_IO_ALLOW_MMAP
>   *  - add FUSE_STATX and related structures
> + *
> + *  7.40
> + *  - add FUSE_NO_EXPORT_SUPPORT
>   */
>
>  #ifndef _LINUX_FUSE_H
> @@ -246,7 +249,7 @@
>  #define FUSE_KERNEL_VERSION 7
>
>  /** Minor version number of this interface */
> -#define FUSE_KERNEL_MINOR_VERSION 39
> +#define FUSE_KERNEL_MINOR_VERSION 40
>
>  /** The node ID of the root inode */
>  #define FUSE_ROOT_ID 1
> @@ -410,6 +413,7 @@ struct fuse_file_lock {
>   *                     symlink and mknod (single group that matches parent)
>   * FUSE_HAS_EXPIRE_ONLY: kernel supports expiry-only entry invalidation
>   * FUSE_DIRECT_IO_ALLOW_MMAP: allow shared mmap in FOPEN_DIRECT_IO mode.
> + * FUSE_NO_EXPORT_SUPPORT: explicitly disable export support
>   */
>  #define FUSE_ASYNC_READ                (1 << 0)
>  #define FUSE_POSIX_LOCKS       (1 << 1)
> @@ -449,6 +453,7 @@ struct fuse_file_lock {
>  #define FUSE_CREATE_SUPP_GROUP (1ULL << 34)
>  #define FUSE_HAS_EXPIRE_ONLY   (1ULL << 35)
>  #define FUSE_DIRECT_IO_ALLOW_MMAP (1ULL << 36)
> +#define FUSE_NO_EXPORT_SUPPORT (1ULL << 37)
>
>  /* Obsolete alias for FUSE_DIRECT_IO_ALLOW_MMAP */
>  #define FUSE_DIRECT_IO_RELAX   FUSE_DIRECT_IO_ALLOW_MMAP
> --
> 2.19.1.6.gb485710b
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ