| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fe42c7b8-5144-4aeb-9513-9f5aae751475@ustc.edu> Date: Fri, 16 Jan 2026 09:57:12 +0800 From: Chunsheng Luo <luochunsheng@...c.edu> To: Amir Goldstein <amir73il@...il.com> Cc: miklos@...redi.hu, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC 0/2] fuse/passthrough: simplify daemon crash recovery On 1/15/26 11:43 PM, Amir Goldstein wrote: > On Thu, Jan 15, 2026 at 03:20:29PM +0800, Chunsheng Luo wrote: >> To simplify FUSE daemon crash recovery and reduce performance overhead, >> passthrough backing_id information is not persisted. However, this >> approach introduces two challenges after daemon restart: >> >> 1. Non-persistent backing_ids prevent proper resource cleanup, leading >> to resource leaks. >> 2. New backing_ids allocated for the same FUSE file cause -EIO errors >> due to strict fuse_backing validation in >> fuse_inode_uncached_io_start(), even when accessing the same >> backing file. This persists until all previously opened files are >> closed. >> >> There are common scenarios where reusing the cached fuse_inode->fb is >> safe: >> >> Scenario 1: The same backing file (with identical inode) is >> re-registered after recovery. >> Scenario 2: In a read-only FUSE filesystem, the backing file may be >> cleaned up and re-downloaded (resulting in a different >> inode, but identical content). > > That is just not acceptable by design, regardless of server restart. > > fuse passthrough may be configured per individual file open, but > all fd referring to the same fuse inode need to passthrough to the > same backing inode. > > If your server want to serve different fd of same fuse inode from > different backing files (no matter if they claim to have the same content), > server needs to do that with FOPEN_DIRECT_IO, it cannot do that with > FOPEN_PASSTHROUGH. > > Thanks, > Amir. > That's correct. A reference count for the backing files is certainly maintained before crash to prevent them from being garbage collected and to avoid different opens of the same fuse_inode from using different backing files. However, this count does not survive the crash recovery process. Consequently, the disk's garbage collection mechanism could subsequently delete these files. In this situation, we should consider how to prevent these files from being mistakenly garbage collected after a crash recovery. Thanks. Chunsheng Luo >> >> Proposed Solution: >> >> 1. Enhance fuse_dev_ioctl_backing_close() to support closing all >> backing_ids at once, enabling comprehensive resource cleanup after >> restart. >> >> 2. Introduce the FOPEN_PASSTHROUGH_INODE_CACHE flag. When set during >> fuse_open(), the kernel prioritizes reusing the existing >> fuse_backing cached in fuse_inode, falling back to the >> backing_id-associated fb only if the cache is empty. >> >> I'd appreciate any feedback on whether there are better approaches or >> potential improvements to this solution. >> >> Thanks. >> --- >> Chunsheng Luo (2): >> fuse: add close all in passthrough backing close for crash recovery >> fuse: Add new flag to reuse the backing file of fuse_inode >> >> fs/fuse/backing.c | 14 ++++++++++++++ >> fs/fuse/dev.c | 5 +++++ >> fs/fuse/fuse_i.h | 1 + >> fs/fuse/iomode.c | 2 +- >> fs/fuse/passthrough.c | 11 +++++++++++ >> include/uapi/linux/fuse.h | 2 ++ >> 6 files changed, 34 insertions(+), 1 deletion(-) >> >> -- >> 2.43.0 >> > >
Powered by blists - more mailing lists