authorBernd Schubert <bschubert@ddn.com>2024-04-02 23:52:18 +0200
committerGitHub <noreply@github.com>2024-04-02 23:52:18 +0200
commite2df577a7ca0c4b06d9eb36eb79138e34cc03088 (patch)
tree4cb966aed1451c5462cad20a0e50c2c4e9b60f8c
parent3e283a1bcbc4ec78fb45c4a8b3f683b8e3082c53 (diff)
downloadlibfuse-e2df577a7ca0c4b06d9eb36eb79138e34cc03088.tar.gz
Add more documentation for FUSE_CAP_EXPORT_SUPPORT (#917)
Add more documentation for FUSE_CAP_EXPORT_SUPPORT Also remove the flag from passthrough_ll.c and passthrough_hp.cc as these implementations do _not_ handle that flag. They just cast fuse_ino_t to an inode and cause a heap buffer overflow for unknown objects (the simplest reproducer is the example programs in "man 2 open_by_handle_at", with the file system unmounted and mounted again after name_to_handle_at and before open_by_handle_at). Fixes https://github.com/libfuse/libfuse/issues/838 --------- Co-authored-by: Nikolaus Rath <Nikolaus@rath.org>
-rw-r--r--doc/README.NFS11
-rw-r--r--example/passthrough_hp.cc3
-rw-r--r--example/passthrough_ll.c3
-rw-r--r--include/fuse_common.h5
4 files changed, 16 insertions, 6 deletions
diff --git a/doc/README.NFS b/doc/README.NFS
index 239dcb2..edf5482 100644
--- a/doc/README.NFS
+++ b/doc/README.NFS
@@ -21,6 +21,17 @@ be requested on any inode, including non-directories, while the latter
is only requested for directories. Otherwise these special lookups
should behave identically to ordinary lookups.
+Furthermore, setting FUSE_CAP_EXPORT_SUPPORT requires the file system
+to handle node-ids (fuse_ino_t) that the file system may does not know
+about - e.g. a fuse FORGET request might have been received or the node-id
+was used in a previous instance of the file system daemon. The node-id might
+not be valid at all when an invalid handle is passed to open_by_handle_at().
+This implies that the filesystem *must not* reuse node-ids even if
+generation numbers are set correctly. This is because generation numbers
+are not provided by the kernel to e.g. the getattr() handler, so the
+handler would be unable to tell if the provided node-id refers to the
+"known" current one, or a previous one that has been forgotten and re-used.
+
2) high-level interface
Because the high-level interface is path based, it is not possible to
diff --git a/example/passthrough_hp.cc b/example/passthrough_hp.cc
index 7f83a7b..7c1dadf 100644
--- a/example/passthrough_hp.cc
+++ b/example/passthrough_hp.cc
@@ -190,9 +190,6 @@ static int get_fs_fd(fuse_ino_t ino) {
static void sfs_init(void *userdata, fuse_conn_info *conn) {
(void)userdata;
- if (conn->capable & FUSE_CAP_EXPORT_SUPPORT)
- conn->want |= FUSE_CAP_EXPORT_SUPPORT;
-
if (fs.timeout && conn->capable & FUSE_CAP_WRITEBACK_CACHE)
conn->want |= FUSE_CAP_WRITEBACK_CACHE;
diff --git a/example/passthrough_ll.c b/example/passthrough_ll.c
index 46cc8e0..4a597f2 100644
--- a/example/passthrough_ll.c
+++ b/example/passthrough_ll.c
@@ -170,9 +170,6 @@ static void lo_init(void *userdata,
{
struct lo_data *lo = (struct lo_data*) userdata;
- if(conn->capable & FUSE_CAP_EXPORT_SUPPORT)
- conn->want |= FUSE_CAP_EXPORT_SUPPORT;
-
if (lo->writeback &&
conn->capable & FUSE_CAP_WRITEBACK_CACHE) {
if (lo->debug)
diff --git a/include/fuse_common.h b/include/fuse_common.h
index f052b67..6a060fd 100644
--- a/include/fuse_common.h
+++ b/include/fuse_common.h
@@ -183,6 +183,11 @@ struct fuse_loop_config_v1 {
/**
* Indicates that the filesystem supports lookups of "." and "..".
*
+ * When this flag is set, the filesystem must be prepared to receive requests
+ * for invalid inodes (i.e., for which a FORGET request was received or
+ * which have been used in a previous instance of the filesystem daemon) and
+ * must not reuse node-ids (even when setting generation numbers).
+ *
* This feature is disabled by default.
*/
#define FUSE_CAP_EXPORT_SUPPORT (1 << 4)
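Review bot: The paragraph added to the FUSE_CAP_EXPORT_SUPPORT comment says the filesystem "must be prepared" for invalid inodes, but it does not name the unsafe pattern the commit message identifies: casting fuse_ino_t straight to an in-memory inode object, which the message says causes a heap buffer overflow for unknown objects. That warning lives only in the commit log, while implementers deciding whether to set the flag will read the header. I would add, after the new paragraph, `* In particular, a filesystem that uses fuse_ino_t as a pointer to its own inode object must not set this flag unless every handler validates the node-id before dereferencing it.` It would also help to state which error a handler should return for an unknown node-id; presumably ESTALE, as for a stale NFS handle, but that should be confirmed before it is documented.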