Add more documentation for FUSE_CAP_EXPORT_SUPPORT (#917)

Add more documentation for FUSE_CAP_EXPORT_SUPPORT

Also remove the flag from passthrough_ll.c and passthrough_hp.cc
as these implementations do _not_ handle that flag. They just
cast fuse_ino_t to an inode and cause a heap buffer overflow
for unknown objects (simplest reproducer are the examples
in "man 2 open_by_handle_at", but to unmount/mount the file
system after name_to_handle_at and before open_by_handle_at).

Fixes https://github.com/libfuse/libfuse/issues/838

---------

Co-authored-by: Nikolaus Rath <Nikolaus@rath.org>

diff --git a/doc/README.NFS b/doc/README.NFS
index 239dcb28b0cb5dfec9fe28c94dd42a0e89e1d8f2..edf5482625488854cbc99e325632e3c8900c1812 100644 (file)
--- a/doc/README.NFS
+++ b/doc/README.NFS
@@ -21,6 +21,17 @@ be requested on any inode, including non-directories, while the latter
 is only requested for directories.  Otherwise these special lookups
 should behave identically to ordinary lookups.
 
+Furthermore, setting FUSE_CAP_EXPORT_SUPPORT requires the file system
+to handle node-ids (fuse_ino_t) that the file system may does not know
+about - e.g. a fuse FORGET request might have been received or the node-id
+was used in a previous instance of the file system daemon. The node-id might
+not be valid at all when an invalid handle is passed to open_by_handle_at(). 
+This implies that the filesystem *must not* reuse node-ids even if
+generation numbers are set correctly. This is because generation numbers
+are not provided by the kernel to e.g. the getattr() handler, so the
+handler would be unable to tell if the provided node-id refers to the
+"known" current one, or a previous one that has been forgotten and re-used.
+
 2) high-level interface
 
 Because the high-level interface is path based, it is not possible to

diff --git a/example/passthrough_hp.cc b/example/passthrough_hp.cc
index 7f83a7ba6a83cae4518244d7ad5d13a438a2b03c..7c1dadf7a38d5f5410eec5321065289bc9a3c2cc 100644 (file)
--- a/example/passthrough_hp.cc
+++ b/example/passthrough_hp.cc
@@ -190,9 +190,6 @@ static int get_fs_fd(fuse_ino_t ino) {
 
 static void sfs_init(void *userdata, fuse_conn_info *conn) {
     (void)userdata;
-    if (conn->capable & FUSE_CAP_EXPORT_SUPPORT)
-        conn->want |= FUSE_CAP_EXPORT_SUPPORT;
-
     if (fs.timeout && conn->capable & FUSE_CAP_WRITEBACK_CACHE)
         conn->want |= FUSE_CAP_WRITEBACK_CACHE;
 

diff --git a/example/passthrough_ll.c b/example/passthrough_ll.c
index 46cc8e0736a69ab5adbaeb5b8db400b4d3878020..4a597f2d3fa8df076b5e37a5f26c4bb4779f8ee2 100644 (file)
--- a/example/passthrough_ll.c
+++ b/example/passthrough_ll.c
@@ -170,9 +170,6 @@ static void lo_init(void *userdata,
 {
        struct lo_data *lo = (struct lo_data*) userdata;
 
-       if(conn->capable & FUSE_CAP_EXPORT_SUPPORT)
-               conn->want |= FUSE_CAP_EXPORT_SUPPORT;
-
        if (lo->writeback &&
            conn->capable & FUSE_CAP_WRITEBACK_CACHE) {
                if (lo->debug)

diff --git a/include/fuse_common.h b/include/fuse_common.h
index f052b67ddb496b94fb7050e99e85a5045f610bfc..6a060fd989329f90aa000ea0030b911902fea337 100644 (file)
--- a/include/fuse_common.h
+++ b/include/fuse_common.h
@@ -183,6 +183,11 @@ struct fuse_loop_config_v1 {
 /**
  * Indicates that the filesystem supports lookups of "." and "..".
  *
+ * When this flag is set, the filesystem must be prepared to receive requests
+ * for invalid inodes (i.e., for which a FORGET request was received or
+ * which have been used in a previous instance of the filesystem daemon) and
+ * must not reuse node-ids (even when setting generation numbers).
+ *
  * This feature is disabled by default.
  */
 #define FUSE_CAP_EXPORT_SUPPORT                (1 << 4)