1. 26 Sep, 2013 3 commits
    • Miklos Szeredi's avatar
      fuse: readdir: check for slash in names · 459c331d
      Miklos Szeredi authored
      commit efeb9e60
      
       upstream.
      
      Userspace can add names containing a slash character to the directory
      listing.  Don't allow this as it could cause all sorts of trouble.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      459c331d
    • Maxim Patlasov's avatar
      fuse: hotfix truncate_pagecache() issue · 125fe73b
      Maxim Patlasov authored
      commit 06a7c3c2
      
       upstream.
      
      The way how fuse calls truncate_pagecache() from fuse_change_attributes()
      is completely wrong. Because, w/o i_mutex held, we never sure whether
      'oldsize' and 'attr->size' are valid by the time of execution of
      truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we
      released fc->lock in the middle of fuse_change_attributes(), we completely
      loose control of actions which may happen with given inode until we reach
      truncate_pagecache. The list of potentially dangerous actions includes
      mmap-ed reads and writes, ftruncate(2) and write(2) extending file size.
      
      The typical outcome of doing truncate_pagecache() with outdated arguments
      is data corruption from user point of view. This is (in some sense)
      acceptable in cases when the issue is triggered by a change of the file on
      the server (i.e. externally wrt fuse operation), but it is absolutely
      intolerable in scenarios when a single fuse client modifies a file without
      any external intervention. A real life case I discovered by fsx-linux
      looked like this:
      
      1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends
      FUSE_SETATTR to the server synchronously, but before getting fc->lock ...
      2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP
      to the server synchronously, then calls fuse_change_attributes(). The
      latter updates i_size, releases fc->lock, but before comparing oldsize vs
      attr->size..
      3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and
      updating attributes and i_size, but now oldsize is equal to
      outarg.attr.size because i_size has just been updated (step 2). Hence,
      fuse_do_setattr() returns w/o calling truncate_pagecache().
      4. As soon as ftruncate(2) completes, the user extends file size by
      write(2) making a hole in the middle of file, then reads data from the hole
      either by read(2) or mmap-ed read. The user expects to get zero data from
      the hole, but gets stale data because truncate_pagecache() is not executed
      yet.
      
      The scenario above illustrates one side of the problem: not truncating the
      page cache even though we should. Another side corresponds to truncating
      page cache too late, when the state of inode changed significantly.
      Theoretically, the following is possible:
      
      1. As in the previous scenario fuse_dentry_revalidate() discovered that
      i_size changed (due to our own fuse_do_setattr()) and is going to call
      truncate_pagecache() for some 'new_size' it believes valid right now. But
      by the time that particular truncate_pagecache() is called ...
      2. fuse_do_setattr() returns (either having called truncate_pagecache() or
      not -- it doesn't matter).
      3. The file is extended either by write(2) or ftruncate(2) or fallocate(2).
      4. mmap-ed write makes a page in the extended region dirty.
      
      The result will be the lost of data user wrote on the fourth step.
      
      The patch is a hotfix resolving the issue in a simplistic way: let's skip
      dangerous i_size update and truncate_pagecache if an operation changing
      file size is in progress. This simplistic approach looks correct for the
      cases w/o external changes. And to handle them properly, more sophisticated
      and intrusive techniques (e.g. NFS-like one) would be required. I'd like to
      postpone it until the issue is well discussed on the mailing list(s).
      
      Changed in v2:
       - improved patch description to cover both sides of the issue.
      Signed-off-by: default avatarMaxim Patlasov <mpatlasov@parallels.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      125fe73b
    • Anand Avati's avatar
      fuse: invalidate inode attributes on xattr modification · d3ab0e6f
      Anand Avati authored
      commit d331a415
      
       upstream.
      
      Calls like setxattr and removexattr result in updation of ctime.
      Therefore invalidate inode attributes to force a refresh.
      Signed-off-by: default avatarAnand Avati <avati@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3ab0e6f
  2. 17 Jul, 2013 5 commits
  3. 29 Jun, 2013 1 commit
  4. 03 Jun, 2013 1 commit
    • Miklos Szeredi's avatar
      fuse: fix readdirplus Oops in fuse_dentry_revalidate · 28420dad
      Miklos Szeredi authored
      Fix bug introduced by commit 4582a4ab
      
       "FUSE: Adapt readdirplus to application
      usage patterns".
      
      We need to check for a positive dentry; negative dentries are not added by
      readdirplus.  Secondly we need to advise the use of readdirplus on the *parent*,
      otherwise the whole thing is useless.  Thirdly all this is only relevant if
      "readdirplus_auto" mode is selected by the filesystem.
      
      We advise the use of readdirplus only if the dentry was still valid.  If we had
      to redo the lookup then there was no use in doing the -plus version.
      Reported-by: default avatarBernd Schubert <bernd.schubert@itwm.fraunhofer.de>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      CC: Feng Shuo <steve.shuo.feng@gmail.com>
      CC: stable@vger.kernel.org
      28420dad
  5. 18 Apr, 2013 1 commit
  6. 22 Feb, 2013 1 commit
  7. 07 Feb, 2013 1 commit
    • Eric Wong's avatar
      fuse: allow control of adaptive readdirplus use · 634734b6
      Eric Wong authored
      
      
      For some filesystems (e.g. GlusterFS), the cost of performing a
      normal readdir and readdirplus are identical.  Since adaptively
      using readdirplus has no benefit for those systems, give
      users/filesystems the option to control adaptive readdirplus use.
      
      v2 of this patch incorporates Miklos's suggestion to simplify the code,
      as well as improving consistency of macro names and documentation.
      Signed-off-by: default avatarEric Wong <normalperson@yhbt.net>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      634734b6
  8. 04 Feb, 2013 1 commit
  9. 31 Jan, 2013 2 commits
  10. 24 Jan, 2013 3 commits
    • Maxim Patlasov's avatar
      fuse: use req->page_descs[] for argpages cases · 85f40aec
      Maxim Patlasov authored
      
      
      Previously, anyone who set flag 'argpages' only filled req->pages[] and set
      per-request page_offset. This patch re-works all cases where argpages=1 to
      fill req->page_descs[] properly.
      
      Having req->page_descs[] filled properly allows to re-work fuse_copy_pages()
      to copy page fragments described by req->page_descs[]. This will be useful
      for next patches optimizing direct_IO.
      Signed-off-by: default avatarMaxim Patlasov <mpatlasov@parallels.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      85f40aec
    • Maxim Patlasov's avatar
      fuse: categorize fuse_get_req() · b111c8c0
      Maxim Patlasov authored
      
      
      The patch categorizes all fuse_get_req() invocations into two categories:
       - fuse_get_req_nopages(fc) - when caller doesn't care about req->pages
       - fuse_get_req(fc, n) - when caller need n page pointers (n > 0)
      
      Adding fuse_get_req_nopages() helps to avoid numerous fuse_get_req(fc, 0)
      scattered over code. Now it's clear from the first glance when a caller need
      fuse_req with page pointers.
      
      The patch doesn't make any logic changes. In multi-page case, it silly
      allocates array of FUSE_MAX_PAGES_PER_REQ page pointers. This will be amended
      by future patches.
      Signed-off-by: default avatarMaxim Patlasov <mpatlasov@parallels.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      b111c8c0
    • Anand V. Avati's avatar
      fuse: implement NFS-like readdirplus support · 0b05b183
      Anand V. Avati authored
      
      
      This patch implements readdirplus support in FUSE, similar to NFS.
      The payload returned in the readdirplus call contains
      'fuse_entry_out' structure thereby providing all the necessary inputs
      for 'faking' a lookup() operation on the spot.
      
      If the dentry and inode already existed (for e.g. in a re-run of ls -l)
      then just the inode attributes timeout and dentry timeout are refreshed.
      
      With a simple client->network->server implementation of a FUSE based
      filesystem, the following performance observations were made:
      
      Test: Performing a filesystem crawl over 20,000 files with
      
      sh# time ls -lR /mnt
      
      Without readdirplus:
      Run 1: 18.1s
      Run 2: 16.0s
      Run 3: 16.2s
      
      With readdirplus:
      Run 1: 4.1s
      Run 2: 3.8s
      Run 3: 3.8s
      
      The performance improvement is significant as it avoided 20,000 upcalls
      calls (lookup). Cache consistency is no worse than what already is.
      Signed-off-by: default avatarAnand V. Avati <avati@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      0b05b183
  11. 14 Nov, 2012 1 commit
    • Eric W. Biederman's avatar
      userns: Support fuse interacting with multiple user namespaces · 499dcf20
      Eric W. Biederman authored
      
      
      Use kuid_t and kgid_t in struct fuse_conn and struct fuse_mount_data.
      
      The connection between between a fuse filesystem and a fuse daemon is
      established when a fuse filesystem is mounted and provided with a file
      descriptor the fuse daemon created by opening /dev/fuse.
      
      For now restrict the communication of uids and gids between the fuse
      filesystem and the fuse daemon to the initial user namespace.  Enforce
      this by verifying the file descriptor passed to the mount of fuse was
      opened in the initial user namespace.  Ensuring the mount happens in
      the initial user namespace is not necessary as mounts from non-initial
      user namespaces are not yet allowed.
      
      In fuse_req_init_context convert the currrent fsuid and fsgid into the
      initial user namespace for the request that will be sent to the fuse
      daemon.
      
      In fuse_fill_attr convert the uid and gid passed from the fuse daemon
      from the initial user namespace into kuids and kgids.
      
      In iattr_to_fattr called from fuse_setattr convert kuids and kgids
      into the uids and gids in the initial user namespace before passing
      them to the fuse filesystem.
      
      In fuse_change_attributes_common called from fuse_dentry_revalidate,
      fuse_permission, fuse_geattr, and fuse_setattr, and fuse_iget convert
      the uid and gid from the fuse daemon into a kuid and a kgid to store
      on the fuse inode.
      
      By default fuse mounts are restricted to task whose uid, suid, and
      euid matches the fuse user_id and whose gid, sgid, and egid matches
      the fuse group id.  Convert the user_id and group_id mount options
      into kuids and kgids at mount time, and use uid_eq and gid_eq to
      compare the in fuse_allow_task.
      
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      499dcf20
  12. 15 Aug, 2012 1 commit
  13. 14 Jul, 2012 9 commits
  14. 14 May, 2012 2 commits
  15. 05 Mar, 2012 2 commits
    • Anand Avati's avatar
      fuse: O_DIRECT support for files · 4273b793
      Anand Avati authored
      
      
      Implement ->direct_IO() method in aops. The ->direct_IO() method combines
      the existing fuse_direct_read/fuse_direct_write methods to implement
      O_DIRECT functionality.
      
      Reaching ->direct_IO() in the read path via generic_file_aio_read ensures
      proper synchronization with page cache with its existing framework.
      
      Reaching ->direct_IO() in the write path via fuse_file_aio_write is made
      to come via generic_file_direct_write() which makes it play nice with
      the page cache w.r.t other mmap pages etc.
      
      On files marked 'direct_io' by the filesystem server, IO always follows
      the fuse_direct_read/write path. There is no effect of fcntl(O_DIRECT)
      and it always succeeds.
      
      On files not marked with 'direct_io' by the filesystem server, the IO
      path depends on O_DIRECT flag by the application. This can be passed
      at the time of open() as well as via fcntl().
      
      Note that asynchronous O_DIRECT iocb jobs are completed synchronously
      always (this has been the case with FUSE even before this patch)
      Signed-off-by: default avatarAnand Avati <avati@redhat.com>
      Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      4273b793
    • Miklos Szeredi's avatar
      fuse: fix nlink after unlink · ac45d613
      Miklos Szeredi authored
      
      
      Anand Avati reports that the following sequence of system calls fail on a fuse
      filesystem:
      
      
       	create("filename") => 0
       	link("filename", "linkname") => 0
       	unlink("filename") => 0
       	link("linkname", "filename") => -ENOENT ### BUG ###
      
      vfs_link() fails with ENOENT if i_nlink is zero, this is done to prevent
      resurrecting already deleted files.
      
      Fuse clears i_nlink on unlink even if there are other links pointing to the
      file.
      Reported-by: default avatarAnand Avati <avati@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      ac45d613
  16. 03 Jan, 2012 4 commits
  17. 13 Dec, 2011 2 commits
    • John Muir's avatar
      FUSE: Notifying the kernel of deletion. · 451d0f59
      John Muir authored
      
      
      Allows a FUSE file-system to tell the kernel when a file or directory is
      deleted. If the specified dentry has the specified inode number, the kernel will
      unhash it.
      
      The current 'fuse_notify_inval_entry' does not cause the kernel to clean up
      directories that are in use properly, and as a result the users of those
      directories see incorrect semantics from the file-system. The error condition
      seen when 'fuse_notify_inval_entry' is used to notify of a deleted directory is
      avoided when 'fuse_notify_delete' is used instead.
      
      The following scenario demonstrates the difference:
      1. User A chdirs into 'testdir' and starts reading 'testfile'.
      2. User B rm -rf 'testdir'.
      3. User B creates 'testdir'.
      4. User C chdirs into 'testdir'.
      
      If you run the above within the same machine on any file-system (including fuse
      file-systems), there is no problem: user C is able to chdir into the new
      testdir. The old testdir is removed from the dentry tree, but still open by user
      A.
      
      If operations 2 and 3 are performed via the network such that the fuse
      file-system uses one of the notify functions to tell the kernel that the nodes
      are gone, then the following error occurs for user C while user A holds the
      original directory open:
      
      muirj@empacher:~> ls /test/testdir
      ls: cannot access /test/testdir: No such file or directory
      
      The issue here is that the kernel still has a dentry for testdir, and so it is
      requesting the attributes for the old directory, while the file-system is
      responding that the directory no longer exists.
      
      If on the other hand, if the file-system can notify the kernel that the
      directory is deleted using the new 'fuse_notify_delete' function, then the above
      ls will find the new directory as expected.
      Signed-off-by: default avatarJohn Muir <john@jmuir.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      451d0f59
    • Miklos Szeredi's avatar
      fuse: support ioctl on directories · b18da0c5
      Miklos Szeredi authored
      
      
      Multiplexing filesystems may want to support ioctls on the underlying
      files and directores (e.g. FS_IOC_{GET,SET}FLAGS).
      
      Ioctl support on directories was missing so add it now.
      Reported-by: default avatarAntonio SJ Musumeci <bile@landofbile.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      b18da0c5