~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/filesystems/fuse.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/filesystems/fuse.rst (Architecture m68k) and /Documentation/filesystems/fuse.rst (Architecture alpha)


  1 .. SPDX-License-Identifier: GPL-2.0                 1 .. SPDX-License-Identifier: GPL-2.0
  2                                                     2 
  3 ====                                                3 ====
  4 FUSE                                                4 FUSE
  5 ====                                                5 ====
  6                                                     6 
  7 Definitions                                         7 Definitions
  8 ===========                                         8 ===========
  9                                                     9 
 10 Userspace filesystem:                              10 Userspace filesystem:
 11   A filesystem in which data and metadata are      11   A filesystem in which data and metadata are provided by an ordinary
 12   userspace process.  The filesystem can be ac     12   userspace process.  The filesystem can be accessed normally through
 13   the kernel interface.                            13   the kernel interface.
 14                                                    14 
 15 Filesystem daemon:                                 15 Filesystem daemon:
 16   The process(es) providing the data and metad     16   The process(es) providing the data and metadata of the filesystem.
 17                                                    17 
 18 Non-privileged mount (or user mount):              18 Non-privileged mount (or user mount):
 19   A userspace filesystem mounted by a non-priv     19   A userspace filesystem mounted by a non-privileged (non-root) user.
 20   The filesystem daemon is running with the pr     20   The filesystem daemon is running with the privileges of the mounting
 21   user.  NOTE: this is not the same as mounts      21   user.  NOTE: this is not the same as mounts allowed with the "user"
 22   option in /etc/fstab, which is not discussed     22   option in /etc/fstab, which is not discussed here.
 23                                                    23 
 24 Filesystem connection:                             24 Filesystem connection:
 25   A connection between the filesystem daemon a     25   A connection between the filesystem daemon and the kernel.  The
 26   connection exists until either the daemon di     26   connection exists until either the daemon dies, or the filesystem is
 27   umounted.  Note that detaching (or lazy umou     27   umounted.  Note that detaching (or lazy umounting) the filesystem
 28   does *not* break the connection, in this cas     28   does *not* break the connection, in this case it will exist until
 29   the last reference to the filesystem is rele     29   the last reference to the filesystem is released.
 30                                                    30 
 31 Mount owner:                                       31 Mount owner:
 32   The user who does the mounting.                  32   The user who does the mounting.
 33                                                    33 
 34 User:                                              34 User:
 35   The user who is performing filesystem operat     35   The user who is performing filesystem operations.
 36                                                    36 
 37 What is FUSE?                                      37 What is FUSE?
 38 =============                                      38 =============
 39                                                    39 
 40 FUSE is a userspace filesystem framework.  It      40 FUSE is a userspace filesystem framework.  It consists of a kernel
 41 module (fuse.ko), a userspace library (libfuse     41 module (fuse.ko), a userspace library (libfuse.*) and a mount utility
 42 (fusermount).                                      42 (fusermount).
 43                                                    43 
 44 One of the most important features of FUSE is      44 One of the most important features of FUSE is allowing secure,
 45 non-privileged mounts.  This opens up new poss     45 non-privileged mounts.  This opens up new possibilities for the use of
 46 filesystems.  A good example is sshfs: a secur     46 filesystems.  A good example is sshfs: a secure network filesystem
 47 using the sftp protocol.                           47 using the sftp protocol.
 48                                                    48 
 49 The userspace library and utilities are availa     49 The userspace library and utilities are available from the
 50 `FUSE homepage: <https://github.com/libfuse/>`     50 `FUSE homepage: <https://github.com/libfuse/>`_
 51                                                    51 
 52 Filesystem type                                    52 Filesystem type
 53 ===============                                    53 ===============
 54                                                    54 
 55 The filesystem type given to mount(2) can be o     55 The filesystem type given to mount(2) can be one of the following:
 56                                                    56 
 57     fuse                                           57     fuse
 58       This is the usual way to mount a FUSE fi     58       This is the usual way to mount a FUSE filesystem.  The first
 59       argument of the mount system call may co     59       argument of the mount system call may contain an arbitrary string,
 60       which is not interpreted by the kernel.      60       which is not interpreted by the kernel.
 61                                                    61 
 62     fuseblk                                        62     fuseblk
 63       The filesystem is block device based.  T     63       The filesystem is block device based.  The first argument of the
 64       mount system call is interpreted as the      64       mount system call is interpreted as the name of the device.
 65                                                    65 
 66 Mount options                                      66 Mount options
 67 =============                                      67 =============
 68                                                    68 
 69 fd=N                                               69 fd=N
 70   The file descriptor to use for communication     70   The file descriptor to use for communication between the userspace
 71   filesystem and the kernel.  The file descrip     71   filesystem and the kernel.  The file descriptor must have been
 72   obtained by opening the FUSE device ('/dev/f     72   obtained by opening the FUSE device ('/dev/fuse').
 73                                                    73 
 74 rootmode=M                                         74 rootmode=M
 75   The file mode of the filesystem's root in oc     75   The file mode of the filesystem's root in octal representation.
 76                                                    76 
 77 user_id=N                                          77 user_id=N
 78   The numeric user id of the mount owner.          78   The numeric user id of the mount owner.
 79                                                    79 
 80 group_id=N                                         80 group_id=N
 81   The numeric group id of the mount owner.         81   The numeric group id of the mount owner.
 82                                                    82 
 83 default_permissions                                83 default_permissions
 84   By default FUSE doesn't check file access pe     84   By default FUSE doesn't check file access permissions, the
 85   filesystem is free to implement its access p     85   filesystem is free to implement its access policy or leave it to
 86   the underlying file access mechanism (e.g. i     86   the underlying file access mechanism (e.g. in case of network
 87   filesystems).  This option enables permissio     87   filesystems).  This option enables permission checking, restricting
 88   access based on file mode.  It is usually us     88   access based on file mode.  It is usually useful together with the
 89   'allow_other' mount option.                      89   'allow_other' mount option.
 90                                                    90 
 91 allow_other                                        91 allow_other
 92   This option overrides the security measure r     92   This option overrides the security measure restricting file access
 93   to the user mounting the filesystem.  This o     93   to the user mounting the filesystem.  This option is by default only
 94   allowed to root, but this restriction can be     94   allowed to root, but this restriction can be removed with a
 95   (userspace) configuration option.                95   (userspace) configuration option.
 96                                                    96 
 97 max_read=N                                         97 max_read=N
 98   With this option the maximum size of read op     98   With this option the maximum size of read operations can be set.
 99   The default is infinite.  Note that the size     99   The default is infinite.  Note that the size of read requests is
100   limited anyway to 32 pages (which is 128kbyt    100   limited anyway to 32 pages (which is 128kbyte on i386).
101                                                   101 
102 blksize=N                                         102 blksize=N
103   Set the block size for the filesystem.  The     103   Set the block size for the filesystem.  The default is 512.  This
104   option is only valid for 'fuseblk' type moun    104   option is only valid for 'fuseblk' type mounts.
105                                                   105 
106 Control filesystem                                106 Control filesystem
107 ==================                                107 ==================
108                                                   108 
109 There's a control filesystem for FUSE, which c    109 There's a control filesystem for FUSE, which can be mounted by::
110                                                   110 
111   mount -t fusectl none /sys/fs/fuse/connectio    111   mount -t fusectl none /sys/fs/fuse/connections
112                                                   112 
113 Mounting it under the '/sys/fs/fuse/connection    113 Mounting it under the '/sys/fs/fuse/connections' directory makes it
114 backwards compatible with earlier versions.       114 backwards compatible with earlier versions.
115                                                   115 
116 Under the fuse control filesystem each connect    116 Under the fuse control filesystem each connection has a directory
117 named by a unique number.                         117 named by a unique number.
118                                                   118 
119 For each connection the following files exist     119 For each connection the following files exist within this directory:
120                                                   120 
121         waiting                                   121         waiting
122           The number of requests which are wai    122           The number of requests which are waiting to be transferred to
123           userspace or being processed by the     123           userspace or being processed by the filesystem daemon.  If there is
124           no filesystem activity and 'waiting'    124           no filesystem activity and 'waiting' is non-zero, then the
125           filesystem is hung or deadlocked.       125           filesystem is hung or deadlocked.
126                                                   126 
127         abort                                     127         abort
128           Writing anything into this file will    128           Writing anything into this file will abort the filesystem
129           connection.  This means that all wai    129           connection.  This means that all waiting requests will be aborted an
130           error returned for all aborted and n    130           error returned for all aborted and new requests.
131                                                   131 
132 Only the owner of the mount may read or write     132 Only the owner of the mount may read or write these files.
133                                                   133 
134 Interrupting filesystem operations                134 Interrupting filesystem operations
135 ##################################                135 ##################################
136                                                   136 
137 If a process issuing a FUSE filesystem request    137 If a process issuing a FUSE filesystem request is interrupted, the
138 following will happen:                            138 following will happen:
139                                                   139 
140   -  If the request is not yet sent to userspa    140   -  If the request is not yet sent to userspace AND the signal is
141      fatal (SIGKILL or unhandled fatal signal)    141      fatal (SIGKILL or unhandled fatal signal), then the request is
142      dequeued and returns immediately.            142      dequeued and returns immediately.
143                                                   143 
144   -  If the request is not yet sent to userspa    144   -  If the request is not yet sent to userspace AND the signal is not
145      fatal, then an interrupted flag is set fo    145      fatal, then an interrupted flag is set for the request.  When
146      the request has been successfully transfe    146      the request has been successfully transferred to userspace and
147      this flag is set, an INTERRUPT request is    147      this flag is set, an INTERRUPT request is queued.
148                                                   148 
149   -  If the request is already sent to userspa    149   -  If the request is already sent to userspace, then an INTERRUPT
150      request is queued.                           150      request is queued.
151                                                   151 
152 INTERRUPT requests take precedence over other     152 INTERRUPT requests take precedence over other requests, so the
153 userspace filesystem will receive queued INTER    153 userspace filesystem will receive queued INTERRUPTs before any others.
154                                                   154 
155 The userspace filesystem may ignore the INTERR    155 The userspace filesystem may ignore the INTERRUPT requests entirely,
156 or may honor them by sending a reply to the *o    156 or may honor them by sending a reply to the *original* request, with
157 the error set to EINTR.                           157 the error set to EINTR.
158                                                   158 
159 It is also possible that there's a race betwee    159 It is also possible that there's a race between processing the
160 original request and its INTERRUPT request.  T    160 original request and its INTERRUPT request.  There are two possibilities:
161                                                   161 
162   1. The INTERRUPT request is processed before    162   1. The INTERRUPT request is processed before the original request is
163      processed                                    163      processed
164                                                   164 
165   2. The INTERRUPT request is processed after     165   2. The INTERRUPT request is processed after the original request has
166      been answered                                166      been answered
167                                                   167 
168 If the filesystem cannot find the original req    168 If the filesystem cannot find the original request, it should wait for
169 some timeout and/or a number of new requests t    169 some timeout and/or a number of new requests to arrive, after which it
170 should reply to the INTERRUPT request with an     170 should reply to the INTERRUPT request with an EAGAIN error.  In case
171 1) the INTERRUPT request will be requeued.  In    171 1) the INTERRUPT request will be requeued.  In case 2) the INTERRUPT
172 reply will be ignored.                            172 reply will be ignored.
173                                                   173 
174 Aborting a filesystem connection                  174 Aborting a filesystem connection
175 ================================                  175 ================================
176                                                   176 
177 It is possible to get into certain situations     177 It is possible to get into certain situations where the filesystem is
178 not responding.  Reasons for this may be:         178 not responding.  Reasons for this may be:
179                                                   179 
180   a) Broken userspace filesystem implementatio    180   a) Broken userspace filesystem implementation
181                                                   181 
182   b) Network connection down                      182   b) Network connection down
183                                                   183 
184   c) Accidental deadlock                          184   c) Accidental deadlock
185                                                   185 
186   d) Malicious deadlock                           186   d) Malicious deadlock
187                                                   187 
188 (For more on c) and d) see later sections)        188 (For more on c) and d) see later sections)
189                                                   189 
190 In either of these cases it may be useful to a    190 In either of these cases it may be useful to abort the connection to
191 the filesystem.  There are several ways to do     191 the filesystem.  There are several ways to do this:
192                                                   192 
193   - Kill the filesystem daemon.  Works in case    193   - Kill the filesystem daemon.  Works in case of a) and b)
194                                                   194 
195   - Kill the filesystem daemon and all users o    195   - Kill the filesystem daemon and all users of the filesystem.  Works
196     in all cases except some malicious deadloc    196     in all cases except some malicious deadlocks
197                                                   197 
198   - Use forced umount (umount -f).  Works in a    198   - Use forced umount (umount -f).  Works in all cases but only if
199     filesystem is still attached (it hasn't be    199     filesystem is still attached (it hasn't been lazy unmounted)
200                                                   200 
201   - Abort filesystem through the FUSE control     201   - Abort filesystem through the FUSE control filesystem.  Most
202     powerful method, always works.                202     powerful method, always works.
203                                                   203 
204 How do non-privileged mounts work?                204 How do non-privileged mounts work?
205 ==================================                205 ==================================
206                                                   206 
207 Since the mount() system call is a privileged     207 Since the mount() system call is a privileged operation, a helper
208 program (fusermount) is needed, which is insta    208 program (fusermount) is needed, which is installed setuid root.
209                                                   209 
210 The implication of providing non-privileged mo    210 The implication of providing non-privileged mounts is that the mount
211 owner must not be able to use this capability     211 owner must not be able to use this capability to compromise the
212 system.  Obvious requirements arising from thi    212 system.  Obvious requirements arising from this are:
213                                                   213 
214  A) mount owner should not be able to get elev    214  A) mount owner should not be able to get elevated privileges with the
215     help of the mounted filesystem                215     help of the mounted filesystem
216                                                   216 
217  B) mount owner should not get illegitimate ac    217  B) mount owner should not get illegitimate access to information from
218     other users' and the super user's processe    218     other users' and the super user's processes
219                                                   219 
220  C) mount owner should not be able to induce u    220  C) mount owner should not be able to induce undesired behavior in
221     other users' or the super user's processes    221     other users' or the super user's processes
222                                                   222 
223 How are requirements fulfilled?                   223 How are requirements fulfilled?
224 ===============================                   224 ===============================
225                                                   225 
226  A) The mount owner could gain elevated privil    226  A) The mount owner could gain elevated privileges by either:
227                                                   227 
228     1. creating a filesystem containing a devi    228     1. creating a filesystem containing a device file, then opening this device
229                                                   229 
230     2. creating a filesystem containing a suid    230     2. creating a filesystem containing a suid or sgid application, then executing this application
231                                                   231 
232     The solution is not to allow opening devic    232     The solution is not to allow opening device files and ignore
233     setuid and setgid bits when executing prog    233     setuid and setgid bits when executing programs.  To ensure this
234     fusermount always adds "nosuid" and "nodev    234     fusermount always adds "nosuid" and "nodev" to the mount options
235     for non-privileged mounts.                    235     for non-privileged mounts.
236                                                   236 
237  B) If another user is accessing files or dire    237  B) If another user is accessing files or directories in the
238     filesystem, the filesystem daemon serving     238     filesystem, the filesystem daemon serving requests can record the
239     exact sequence and timing of operations pe    239     exact sequence and timing of operations performed.  This
240     information is otherwise inaccessible to t    240     information is otherwise inaccessible to the mount owner, so this
241     counts as an information leak.                241     counts as an information leak.
242                                                   242 
243     The solution to this problem will be prese    243     The solution to this problem will be presented in point 2) of C).
244                                                   244 
245  C) There are several ways in which the mount     245  C) There are several ways in which the mount owner can induce
246     undesired behavior in other users' process    246     undesired behavior in other users' processes, such as:
247                                                   247 
248      1) mounting a filesystem over a file or d    248      1) mounting a filesystem over a file or directory which the mount
249         owner could otherwise not be able to m    249         owner could otherwise not be able to modify (or could only
250         make limited modifications).              250         make limited modifications).
251                                                   251 
252         This is solved in fusermount, by check    252         This is solved in fusermount, by checking the access
253         permissions on the mountpoint and only    253         permissions on the mountpoint and only allowing the mount if
254         the mount owner can do unlimited modif    254         the mount owner can do unlimited modification (has write
255         access to the mountpoint, and mountpoi    255         access to the mountpoint, and mountpoint is not a "sticky"
256         directory)                                256         directory)
257                                                   257 
258      2) Even if 1) is solved the mount owner c    258      2) Even if 1) is solved the mount owner can change the behavior
259         of other users' processes.                259         of other users' processes.
260                                                   260 
261          i) It can slow down or indefinitely d    261          i) It can slow down or indefinitely delay the execution of a
262             filesystem operation creating a Do    262             filesystem operation creating a DoS against the user or the
263             whole system.  For example a suid     263             whole system.  For example a suid application locking a
264             system file, and then accessing a     264             system file, and then accessing a file on the mount owner's
265             filesystem could be stopped, and t    265             filesystem could be stopped, and thus causing the system
266             file to be locked forever.            266             file to be locked forever.
267                                                   267 
268          ii) It can present files or directori    268          ii) It can present files or directories of unlimited length, or
269              directory structures of unlimited    269              directory structures of unlimited depth, possibly causing a
270              system process to eat up diskspac    270              system process to eat up diskspace, memory or other
271              resources, again causing *DoS*.      271              resources, again causing *DoS*.
272                                                   272 
273         The solution to this as well as B) is     273         The solution to this as well as B) is not to allow processes
274         to access the filesystem, which could     274         to access the filesystem, which could otherwise not be
275         monitored or manipulated by the mount     275         monitored or manipulated by the mount owner.  Since if the
276         mount owner can ptrace a process, it c    276         mount owner can ptrace a process, it can do all of the above
277         without using a FUSE mount, the same c    277         without using a FUSE mount, the same criteria as used in
278         ptrace can be used to check if a proce    278         ptrace can be used to check if a process is allowed to access
279         the filesystem or not.                    279         the filesystem or not.
280                                                   280 
281         Note that the *ptrace* check is not st    281         Note that the *ptrace* check is not strictly necessary to
282         prevent C/2/i, it is enough to check i    282         prevent C/2/i, it is enough to check if mount owner has enough
283         privilege to send signal to the proces    283         privilege to send signal to the process accessing the
284         filesystem, since *SIGSTOP* can be use    284         filesystem, since *SIGSTOP* can be used to get a similar effect.
285                                                   285 
286 I think these limitations are unacceptable?       286 I think these limitations are unacceptable?
287 ===========================================       287 ===========================================
288                                                   288 
289 If a sysadmin trusts the users enough, or can     289 If a sysadmin trusts the users enough, or can ensure through other
290 measures, that system processes will never ent    290 measures, that system processes will never enter non-privileged
291 mounts, it can relax the last limitation in se    291 mounts, it can relax the last limitation in several ways:
292                                                   292 
293   - With the 'user_allow_other' config option.    293   - With the 'user_allow_other' config option. If this config option is
294     set, the mounting user can add the 'allow_    294     set, the mounting user can add the 'allow_other' mount option which
295     disables the check for other users' proces    295     disables the check for other users' processes.
296                                                   296 
297     User namespaces have an unintuitive intera    297     User namespaces have an unintuitive interaction with 'allow_other':
298     an unprivileged user - normally restricted    298     an unprivileged user - normally restricted from mounting with
299     'allow_other' - could do so in a user name    299     'allow_other' - could do so in a user namespace where they're
300     privileged. If any process could access su    300     privileged. If any process could access such an 'allow_other' mount
301     this would give the mounting user the abil    301     this would give the mounting user the ability to manipulate
302     processes in user namespaces where they're    302     processes in user namespaces where they're unprivileged. For this
303     reason 'allow_other' restricts access to u    303     reason 'allow_other' restricts access to users in the same userns
304     or a descendant.                              304     or a descendant.
305                                                   305 
306   - With the 'allow_sys_admin_access' module o    306   - With the 'allow_sys_admin_access' module option. If this option is
307     set, super user's processes have unrestric    307     set, super user's processes have unrestricted access to mounts
308     irrespective of allow_other setting or use    308     irrespective of allow_other setting or user namespace of the
309     mounting user.                                309     mounting user.
310                                                   310 
311 Note that both of these relaxations expose the    311 Note that both of these relaxations expose the system to potential
312 information leak or *DoS* as described in poin    312 information leak or *DoS* as described in points B and C/2/i-ii in the
313 preceding section.                                313 preceding section.
314                                                   314 
315 Kernel - userspace interface                      315 Kernel - userspace interface
316 ============================                      316 ============================
317                                                   317 
318 The following diagram shows how a filesystem o    318 The following diagram shows how a filesystem operation (in this
319 example unlink) is performed in FUSE. ::          319 example unlink) is performed in FUSE. ::
320                                                   320 
321                                                   321 
322  |  "rm /mnt/fuse/file"               |  FUSE     322  |  "rm /mnt/fuse/file"               |  FUSE filesystem daemon
323  |                                    |           323  |                                    |
324  |                                    |  >sys_    324  |                                    |  >sys_read()
325  |                                    |    >fu    325  |                                    |    >fuse_dev_read()
326  |                                    |      >    326  |                                    |      >request_wait()
327  |                                    |           327  |                                    |        [sleep on fc->waitq]
328  |                                    |           328  |                                    |
329  |  >sys_unlink()                     |           329  |  >sys_unlink()                     |
330  |    >fuse_unlink()                  |           330  |    >fuse_unlink()                  |
331  |      [get request from             |           331  |      [get request from             |
332  |       fc->unused_list]             |           332  |       fc->unused_list]             |
333  |      >request_send()               |           333  |      >request_send()               |
334  |        [queue req on fc->pending]  |           334  |        [queue req on fc->pending]  |
335  |        [wake up fc->waitq]         |           335  |        [wake up fc->waitq]         |        [woken up]
336  |        >request_wait_answer()      |           336  |        >request_wait_answer()      |
337  |          [sleep on req->waitq]     |           337  |          [sleep on req->waitq]     |
338  |                                    |      <    338  |                                    |      <request_wait()
339  |                                    |      [    339  |                                    |      [remove req from fc->pending]
340  |                                    |      [    340  |                                    |      [copy req to read buffer]
341  |                                    |      [    341  |                                    |      [add req to fc->processing]
342  |                                    |    <fu    342  |                                    |    <fuse_dev_read()
343  |                                    |  <sys_    343  |                                    |  <sys_read()
344  |                                    |           344  |                                    |
345  |                                    |  [perf    345  |                                    |  [perform unlink]
346  |                                    |           346  |                                    |
347  |                                    |  >sys_    347  |                                    |  >sys_write()
348  |                                    |    >fu    348  |                                    |    >fuse_dev_write()
349  |                                    |      [    349  |                                    |      [look up req in fc->processing]
350  |                                    |      [    350  |                                    |      [remove from fc->processing]
351  |                                    |      [    351  |                                    |      [copy write buffer to req]
352  |          [woken up]                |      [    352  |          [woken up]                |      [wake up req->waitq]
353  |                                    |    <fu    353  |                                    |    <fuse_dev_write()
354  |                                    |  <sys_    354  |                                    |  <sys_write()
355  |        <request_wait_answer()      |           355  |        <request_wait_answer()      |
356  |      <request_send()               |           356  |      <request_send()               |
357  |      [add request to               |           357  |      [add request to               |
358  |       fc->unused_list]             |           358  |       fc->unused_list]             |
359  |    <fuse_unlink()                  |           359  |    <fuse_unlink()                  |
360  |  <sys_unlink()                     |           360  |  <sys_unlink()                     |
361                                                   361 
362 .. note:: Everything in the description above     362 .. note:: Everything in the description above is greatly simplified
363                                                   363 
364 There are a couple of ways in which to deadloc    364 There are a couple of ways in which to deadlock a FUSE filesystem.
365 Since we are talking about unprivileged usersp    365 Since we are talking about unprivileged userspace programs,
366 something must be done about these.               366 something must be done about these.
367                                                   367 
368 **Scenario 1 -  Simple deadlock**::               368 **Scenario 1 -  Simple deadlock**::
369                                                   369 
370  |  "rm /mnt/fuse/file"               |  FUSE     370  |  "rm /mnt/fuse/file"               |  FUSE filesystem daemon
371  |                                    |           371  |                                    |
372  |  >sys_unlink("/mnt/fuse/file")     |           372  |  >sys_unlink("/mnt/fuse/file")     |
373  |    [acquire inode semaphore        |           373  |    [acquire inode semaphore        |
374  |     for "file"]                    |           374  |     for "file"]                    |
375  |    >fuse_unlink()                  |           375  |    >fuse_unlink()                  |
376  |      [sleep on req->waitq]         |           376  |      [sleep on req->waitq]         |
377  |                                    |  <sys_    377  |                                    |  <sys_read()
378  |                                    |  >sys_    378  |                                    |  >sys_unlink("/mnt/fuse/file")
379  |                                    |    [ac    379  |                                    |    [acquire inode semaphore
380  |                                    |     fo    380  |                                    |     for "file"]
381  |                                    |    *DE    381  |                                    |    *DEADLOCK*
382                                                   382 
383 The solution for this is to allow the filesyst    383 The solution for this is to allow the filesystem to be aborted.
384                                                   384 
385 **Scenario 2 - Tricky deadlock**                  385 **Scenario 2 - Tricky deadlock**
386                                                   386 
387                                                   387 
388 This one needs a carefully crafted filesystem.    388 This one needs a carefully crafted filesystem.  It's a variation on
389 the above, only the call back to the filesyste    389 the above, only the call back to the filesystem is not explicit,
390 but is caused by a pagefault. ::                  390 but is caused by a pagefault. ::
391                                                   391 
392  |  Kamikaze filesystem thread 1      |  Kamik    392  |  Kamikaze filesystem thread 1      |  Kamikaze filesystem thread 2
393  |                                    |           393  |                                    |
394  |  [fd = open("/mnt/fuse/file")]     |  [requ    394  |  [fd = open("/mnt/fuse/file")]     |  [request served normally]
395  |  [mmap fd to 'addr']               |           395  |  [mmap fd to 'addr']               |
396  |  [close fd]                        |  [FLUS    396  |  [close fd]                        |  [FLUSH triggers 'magic' flag]
397  |  [read a byte from addr]           |           397  |  [read a byte from addr]           |
398  |    >do_page_fault()                |           398  |    >do_page_fault()                |
399  |      [find or create page]         |           399  |      [find or create page]         |
400  |      [lock page]                   |           400  |      [lock page]                   |
401  |      >fuse_readpage()              |           401  |      >fuse_readpage()              |
402  |         [queue READ request]       |           402  |         [queue READ request]       |
403  |         [sleep on req->waitq]      |           403  |         [sleep on req->waitq]      |
404  |                                    |  [read    404  |                                    |  [read request to buffer]
405  |                                    |  [crea    405  |                                    |  [create reply header before addr]
406  |                                    |  >sys_    406  |                                    |  >sys_write(addr - headerlength)
407  |                                    |    >fu    407  |                                    |    >fuse_dev_write()
408  |                                    |      [    408  |                                    |      [look up req in fc->processing]
409  |                                    |      [    409  |                                    |      [remove from fc->processing]
410  |                                    |      [    410  |                                    |      [copy write buffer to req]
411  |                                    |           411  |                                    |        >do_page_fault()
412  |                                    |           412  |                                    |           [find or create page]
413  |                                    |           413  |                                    |           [lock page]
414  |                                    |           414  |                                    |           * DEADLOCK *
415                                                   415 
416 The solution is basically the same as above.      416 The solution is basically the same as above.
417                                                   417 
418 An additional problem is that while the write     418 An additional problem is that while the write buffer is being copied
419 to the request, the request must not be interr    419 to the request, the request must not be interrupted/aborted.  This is
420 because the destination address of the copy ma    420 because the destination address of the copy may not be valid after the
421 request has returned.                             421 request has returned.
422                                                   422 
423 This is solved with doing the copy atomically,    423 This is solved with doing the copy atomically, and allowing abort
424 while the page(s) belonging to the write buffe    424 while the page(s) belonging to the write buffer are faulted with
425 get_user_pages().  The 'req->locked' flag indi    425 get_user_pages().  The 'req->locked' flag indicates when the copy is
426 taking place, and abort is delayed until this     426 taking place, and abort is delayed until this flag is unset.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php