| Age | Commit message (Collapse) | Author | Lines |
|---|
|
Fixes: #538.
|
|
On uclibc and MacOS we don't use versioned symbols. Hence,
there's no definition for fuse_session_loop_mt on those cases
and the linker won't be able to resolve calls to fuse_session_loop_mt()
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
|
|
setlocale() can fail, returning NULL, if the user has an invalid (or
missing) locale set in the LANG environment variable.
In my case, this happens when using VS Code's integrated terminal to
launch a fuse-based filesystem. A bug (fix upcoming) results in VS Code
setting an invalid locale.
iconv_help() currently passes the return value of setlocale(...)
directly to strdup() without checking if it is NULL, resulting in a
crash.
To reproduce, simply set LANG="something_invalid" and call
fuse_lib_help().
Stack trace when the process receives `SIGSEGV`:
(gdb) bt
#0 0x00007fabd0fcc4b5 in __strlen_avx2 () from /usr/lib/libc.so.6
#1 0x00007fabd0ef9233 in strdup () from /usr/lib/libc.so.6
#2 0x00007fabd13b8128 in iconv_help () at ../lib/modules/iconv.c:641
#3 0x00007fabd13b81a8 in iconv_opt_proc (data=0x55580a6ee850, arg=0x55580a6edfb0 "-h", key=0, outargs=0x7ffeeb1a8ec8) at ../lib/modules/iconv.c:658
#4 0x00007fabd13af7d5 in call_proc (ctx=0x7ffeeb1a8ea0, arg=0x55580a6edfb0 "-h", key=0, iso=0) at ../lib/fuse_opt.c:161
#5 0x00007fabd13afaf1 in process_opt (ctx=0x7ffeeb1a8ea0, opt=0x7fabd13c3d40 <iconv_opts>, sep=0, arg=0x55580a6edfb0 "-h", iso=0) at ../lib/fuse_opt.c:233
#6 0x00007fabd13afd5a in process_gopt (ctx=0x7ffeeb1a8ea0, arg=0x55580a6edfb0 "-h", iso=0) at ../lib/fuse_opt.c:285
#7 0x00007fabd13b0117 in process_one (ctx=0x7ffeeb1a8ea0, arg=0x55580a6edfb0 "-h") at ../lib/fuse_opt.c:368
#8 0x00007fabd13b0190 in opt_parse (ctx=0x7ffeeb1a8ea0) at ../lib/fuse_opt.c:379
#9 0x00007fabd13b03d3 in fuse_opt_parse (args=0x7ffeeb1a8f70, data=0x55580a6ee850, opts=0x7fabd13c3d40 <iconv_opts>, proc=0x7fabd13b8186 <iconv_opt_proc>)
at ../lib/fuse_opt.c:414
#10 0x00007fabd13b8226 in iconv_new (args=0x7ffeeb1a8f70, next=0x0) at ../lib/modules/iconv.c:680
#11 0x00007fabd13a5627 in print_module_help (name=0x7fabd13b9e1c "iconv", fac=0x7fabd13d48e0 <fuse_module_iconv_factory>) at ../lib/fuse.c:4692
#12 0x00007fabd13a56aa in fuse_lib_help (args=0x7ffeeb1a9238) at ../lib/fuse.c:4721
iconv_help() is modified to print an error when setlocale() fails.
It then carries on printing the iconv module's help.
Reading setlocale(3), it seems that the strdup() of the result was
not necessary.
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@gmail.com>
|
|
Move assert for se before dereferencing it with se->debug.
Signed-off-by: Liao Pingfang <liao.pingfang@zte.com.cn>
Co-authored-by: Liao Pingfang <liao.pingfang@zte.com.cn>
|
|
(#519)
|
|
Assign NULL to "old" at the first free(), to avoid the possible 2nd free() for it.
Signed-off-by: Liao Pingfang <liao.pingfang@zte.com.cn>
Co-authored-by: Liao Pingfang <liao.pingfang@zte.com.cn>
|
|
If fuse_session_unmount is called before fuse_session_destroy, both
would try to close(se->fd). Avoid that by resetting it in
fuse_session_unmount.
|
|
Context: SPLICE_WRITE is not used with regular buffers
(i.e. when they are not file-descriptor backed buffers).
There is a bug which assumes file descriptors are used.
If the amount of data associated with those FD is lower
than twice the page size, SPLICE_WRITE is not utilized.
With regular buffers the aggregated size was always 0.
Because vmsplice (splice user pages to/from a pipe) is
called before splice in fuse_lowlevel.c, regular buffers
would also work with splice.
This patch prevents to fallback to non-splice enabled
copies when itheir is no FD involved.
|
|
|
|
Fixes #467.
|
|
Define FUSE_USE_VERSION < 35 to get old ioctl prototype
with int commands; define FUSE_USE_VERSION >= 35 to get
new ioctl prototype with unsigned int commands.
Fixes #463.
|
|
fuse_init already refuses to start if we're on major < 7 ,
so we can kill off checks for old major versions.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
|
Local variable args is not freed on cuse_lowlevel_setup success.
Signed-off-by: Tomasz Kulasek <tomaszx.kulasek@intel.com>
|
|
|
|
FUSE file systems normally indicate their interruptibility by returning
ENOSYS to the first FUSE_INTERRUPT operation. But that causes two
problems for file systems that aren't interruptible:
1) A process may block on a signal, even if another thread could've
handled the signal. The kernel must know whether the FUSE thread is
interruptible before deciding which thread should receive a signal.
2) The protocol allows a FUSE daemon to simply ignore FUSE_INTERRUPT
operations. From the kernel's point of view, that is indistinguishable
from a FUSE_INTERRUPT operation arriving after the original operation
had already completed. Thus, the kernel can't interpret an ignored
FUSE_INTERRUPT as an indication that the daemon is non-interruptible.
With the -o nointr mount option, no FUSE_INTERRUPT operations will ever
be sent. Most FUSE file systems should require no modifications to take
advantage of this mount option.
|
|
Applications may wish to call fuse_log() for unified logging. This way
they don't need to define their own wrappers to invoke the log message
handler function installed by fuse_set_log_func().
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Introduce an API for custom log handler functions. This allows libfuse
applications to send messages to syslog(3) or other logging systems.
See include/fuse_log.h for details.
Convert libfuse from fprintf(stderr, ...) to log_fuse(level, ...). Most
messages are error messages with FUSE_LOG_ERR log level. There are also
some debug messages which now use the FUSE_LOG_DEBUG log level.
Note that lib/mount_util.c is used by both libfuse and fusermount3.
Since fusermount3 does not link against libfuse, we cannot call
fuse_log() from lib/mount_util.c. This file will continue to use
fprintf(stderr, ...) until someone figures out how to split it up.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Recent GCC releases have warnings related to common strncpy(3) bugs.
These warnings can be avoided by explicitly NUL-terminating the buffer
or using memcpy(3) when the intention is to copy just the characters
without the NUL terminator.
This commit fixes the following warnings:
[1/27] Compiling C object 'test/9f86d08@@test_syscalls@exe/test_syscalls.c.o'.
In function ‘test_socket’,
inlined from ‘main’ at ../test/test_syscalls.c:1899:9:
../test/test_syscalls.c:1760:2: warning: ‘strncpy’ output may be truncated copying 108 bytes from a string of length 1023 [-Wstringop-truncation]
1760 | strncpy(su.sun_path, testsock, sizeof(su.sun_path));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[2/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse.c.o'.
../lib/fuse.c: In function ‘add_name’:
../lib/fuse.c:968:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
968 | strncpy(s, name, len);
| ^~~~~~~~~~~~~~~~~~~~~
../lib/fuse.c:944:15: note: length computed here
944 | size_t len = strlen(name);
| ^~~~~~~~~~~~
[3/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse_lowlevel.c.o'.
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry’:
../lib/fuse_lowlevel.c:288:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
288 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:276:12: note: length computed here
276 | namelen = strlen(name);
| ^~~~~~~~~~~~
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry_plus’:
../lib/fuse_lowlevel.c:381:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
381 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:366:12: note: length computed here
366 | namelen = strlen(name);
| ^~~~~~~~~~~~
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
on failure to set the pipe size, set it to the maximum allowed by the
kernel.
If the first request required more than the maximum allowed, the
can_grow flag would be reset thus preventing any further resize.
Grow the pipe to the maximum allowed to increase the likelihood of
using splice for successive requests instead of falling back to
read/write.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
Starting with kernel version 4.20 fuse supports a new property
'max_pages' which is the maximum number of pages that can be used per
request. This can be set via an argument during initialization.
This new property allows writes to be larger than 128k.
This patch sets the property if the matching capability is set
(FUSE_MAX_PAGES). It will also set max_write to 1MiB. Filesystems have
the possibility to decrease this size by setting max_write to a smaller
size. The max_pages and bufsize fields are adjusted accordingly.
Cc: Constantine Shulyupin <const@MakeLinux.com>
Signed-off-by: Markus Pargmann <scosu@quobyte.com>
|
|
The pointer operand to the binary `+` operator must be to a complete
object type. Since we are working with byte sizes, use `char *` instead.
|
|
This is a constraint violation in ISO C[0].
[0] http://port70.net/~nsz/c/c11/n1570.html#6.8.6.4p1
|
|
This is a GNU C extension.
|
|
|
|
|
|
Fixes: #394.
|
|
This constant is not defined in the kernel, so it will be lost when
fuse_kernel.h is not synchronized. Instead, the kernel just passes a
flag value of "1", so for now we also use a literal in userspace.
|
|
Instead of the Posix ioctl(2) command, Linux uses its own variant of ioctl()
in which the commands are requested as "unsigned long" and truncated to
32 bits by the fuse kernel module. Transmitting the commands to user space
file systems as "unsigned int" is a workaround for processing ioctl()
commands which do not fit into a signed int.
|
|
|
|
|
|
Fixes: #360
|
|
70e25ea74e("Fix build on non-Linux") broke build on DragonFly BSD,
or likely anything other than FreeBSD and NetBSD that is not Linux.
Signed-off-by: Tomohiro Kusumi <kusumi.tomohiro@gmail.com>
|
|
|
|
The passthrough example filesystem can be used for validating the API
and the implementation in the FUSE kernel module.
|
|
Add support for the relatively new copy_file_range() syscall. Backend
filesystems can now implement an efficient way of cloning/duplicating
data ranges within files. See 'man 2 copy_file_range' for more details.
|
|
Currently, mounting on FreeBSD fails like this:
mount_fusefs: ZZZZ<snip> on /mountpoint: No such file or directory
This happens because right after doing argv[a++] = fdnam it's
getting freed before calling execvp().
So move this free() call after execvp(). Also, when asprintf()
fails for fdnam, close device fd before calling exit().
|
|
* Update meson.build to add mount_util.c to libfuse_sources
unconditionally, it's non Linux-only
* FreeBSD, like NetBSD, doesn't have mntent.h, so don't include
that and define IGNORE_MTAB for both
* FreeBSD, like NetBSD, has no umount2() sysctl, so similarly define
it to unmount()
|
|
This reverts commit 161983e2416bc6e26bbbe89664fff62c48c70858,
because this causes resource leaks when threads are terminated
by pthread_cancel().
Fixes: #313.
|
|
The unprivileged option allows to run the FUSE file system process
without privileges by dropping capabilities and preventing them from
being re-acquired via setuid / fscaps etc. To accomplish this,
mount.fuse sets up the `/dev/fuse` file descriptor and mount itself
and passes the file descriptor via the `/dev/fd/%u` mountpoint syntax
to the FUSE file system.
|
|
This adds support for a mode of operation in which a privileged parent
process opens `/dev/fuse` and takes care of mounting. The FUSE file
system daemon can then run as an unprivileged child that merely
processes requests on the FUSE file descriptor, which get passed using
the special `/dev/fd/%u` syntax for the mountpoint parameter.
The main benefit is that no privileged operations need to be performed
by the FUSE file system daemon itself directly or indirectly, so the
FUSE process can run with fully unprivileged and mechanisms like
securebits and no_new_privs can be used to prevent subprocesses from
re-acquiring privilege via setuid, fscaps, etc. This reduces risk in
case the FUSE file system gets exploited by malicious file system
data.
Below is an example that illustrates this. Note that I'm using shell
for presentation purposes, the expectation is that the parent process
will implement the equivalent of the `mount -i` and `capsh` commands.
```
\# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
\# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted
\# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
exec 17<>/dev/fuse
mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
'
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```
|
|
|
|
This is only used in fuse_do_work(), so we can put it on
the stack.
|
|
Return different error codes from fuse_main()
|
|
|
|
|
|
Multiple meson build scripts improvements including:
* Bump meson requirement to 0.40.1 (0.40 already required)
* Declare a dependency object for main library
* Stop using add_global_arguments()
* Various minor style fixes
|
|
|
|
The bug occurs when a filesystem client reads a directory until the end,
seeks using seekdir() to some valid non-zero position and calls
readdir(). A valid 'struct dirent *' is expected, but NULL is returned
instead. Pseudocode demonstrating the bug:
DIR *dp = opendir("some_dir");
struct dirent *de = readdir(dp);
/* Get offset of the second entry */
long offset = telldir(dp);
/* Read directory until the end */
while (de)
de = readdir(de);
seekdir(dp, offset);
de = readdir(dp);
/* de must contain the second entry, but NULL is returned instead */
The reason of the bug is that when the end of directory is reached, the
kernel calls FUSE_READDIR op with an offset at the end of directory, so
the filesystem's .readdir callback never calls the filler function, and
we end up with dh->filled set to 1. After seekdir(), FUSE_READDIR is
called again with a new offset, but this time the filesystem's .readdir
callback is never called, and an empty reply is returned.
Fix by setting dh->filled to 1 only when zero offsets are given to
filler function.
|
|
Fix conditionals as per maintainer's request.
|
